mc/mcns
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add record-level authorization for system accounts

Browse Source 
Record mutations (create, update, delete) no longer require admin role.
Authorization rules:
  - admin: full access (unchanged)
  - system mcp-agent: create/delete any record
  - system account α: create/delete records named α only
  - human users: read-only (unchanged)

Zone mutations remain admin-only. Both REST and gRPC paths enforce the
same rules. Update checks authorization against both old and new names.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-03-28 15:52:43 -07:00
parent baa058d4a4
commit 871b1fb8f4
7 changed files with 120 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
internal/grpcserver/records.go
View File

@@ -10,10 +10,36 @@ import (
"google.golang.org/grpc/status"
"google.golang.org/protobuf/types/known/timestamppb"
mcdslauth "git.wntrmute.dev/mc/mcdsl/auth"
mcdslgrpc "git.wntrmute.dev/mc/mcdsl/grpcserver"
pb "git.wntrmute.dev/mc/mcns/gen/mcns/v1"
"git.wntrmute.dev/mc/mcns/internal/db"
)
// authorizeRecordMutation checks whether the caller may create, update,
// or delete a DNS record with the given name. The rules are:
//
// - admin role: always allowed
// - system account "mcp-agent": allowed for any record name
// - system account α: allowed only when recordName == α
// - all others: denied
func authorizeRecordMutation(info *mcdslauth.TokenInfo, recordName string) bool {
if info == nil {
return false
}
if info.IsAdmin {
return true
}
if info.AccountType != "system" {
return false
}
if info.Username == "mcp-agent" {
return true
}
return recordName == info.Username
}
type recordService struct {
pb.UnimplementedRecordServiceServer
db *db.DB
@@ -55,7 +81,7 @@ func (s *recordService) GetRecord(_ context.Context, req *pb.GetRecordRequest) (
return s.recordToProto(*record), nil
}
func (s *recordService) CreateRecord(_ context.Context, req *pb.CreateRecordRequest) (*pb.Record, error) {
func (s *recordService) CreateRecord(ctx context.Context, req *pb.CreateRecordRequest) (*pb.Record, error) {
if req.Zone == "" {
return nil, status.Error(codes.InvalidArgument, "zone is required")
}
@@ -69,6 +95,10 @@ func (s *recordService) CreateRecord(_ context.Context, req *pb.CreateRecordRequ
return nil, status.Error(codes.InvalidArgument, "value is required")
}
if !authorizeRecordMutation(mcdslgrpc.TokenInfoFromContext(ctx), req.Name) {
return nil, status.Error(codes.PermissionDenied, "not authorized for record name")
}
record, err := s.db.CreateRecord(req.Zone, req.Name, req.Type, req.Value, int(req.Ttl))
if errors.Is(err, db.ErrNotFound) {
return nil, status.Error(codes.NotFound, "zone not found")
@@ -82,7 +112,7 @@ func (s *recordService) CreateRecord(_ context.Context, req *pb.CreateRecordRequ
return s.recordToProto(*record), nil
}
func (s *recordService) UpdateRecord(_ context.Context, req *pb.UpdateRecordRequest) (*pb.Record, error) {
func (s *recordService) UpdateRecord(ctx context.Context, req *pb.UpdateRecordRequest) (*pb.Record, error) {
if req.Id <= 0 {
return nil, status.Error(codes.InvalidArgument, "id must be positive")
}
@@ -96,6 +126,15 @@ func (s *recordService) UpdateRecord(_ context.Context, req *pb.UpdateRecordRequ
return nil, status.Error(codes.InvalidArgument, "value is required")
}
info := mcdslgrpc.TokenInfoFromContext(ctx)
existing, lookupErr := s.db.GetRecord(req.Id)
if lookupErr == nil && !authorizeRecordMutation(info, existing.Name) {
return nil, status.Error(codes.PermissionDenied, "not authorized for record name")
}
if !authorizeRecordMutation(info, req.Name) {
return nil, status.Error(codes.PermissionDenied, "not authorized for record name")
}
record, err := s.db.UpdateRecord(req.Id, req.Name, req.Type, req.Value, int(req.Ttl))
if errors.Is(err, db.ErrNotFound) {
return nil, status.Error(codes.NotFound, "record not found")
@@ -109,11 +148,16 @@ func (s *recordService) UpdateRecord(_ context.Context, req *pb.UpdateRecordRequ
return s.recordToProto(*record), nil
}
func (s *recordService) DeleteRecord(_ context.Context, req *pb.DeleteRecordRequest) (*pb.DeleteRecordResponse, error) {
func (s *recordService) DeleteRecord(ctx context.Context, req *pb.DeleteRecordRequest) (*pb.DeleteRecordResponse, error) {
if req.Id <= 0 {
return nil, status.Error(codes.InvalidArgument, "id must be positive")
}
existing, lookupErr := s.db.GetRecord(req.Id)
if lookupErr == nil && !authorizeRecordMutation(mcdslgrpc.TokenInfoFromContext(ctx), existing.Name) {
return nil, status.Error(codes.PermissionDenied, "not authorized for record name")
}
err := s.db.DeleteRecord(req.Id)
if errors.Is(err, db.ErrNotFound) {
return nil, status.Error(codes.NotFound, "record not found")