Add record-level authorization for system accounts

Record mutations (create, update, delete) no longer require admin role. Authorization rules: - admin: full access (unchanged) - system mcp-agent: create/delete any record - system account α: create/delete records named α only - human users: read-only (unchanged) Zone mutations remain admin-only. Both REST and gRPC paths enforce the same rules. Update checks authorization against both old and new names. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 15:52:43 -07:00
parent baa058d4a4
commit 871b1fb8f4
7 changed files with 120 additions and 21 deletions
--- a/internal/server/handlers_test.go
+++ b/internal/server/handlers_test.go
@@ -42,6 +42,7 @@ func createTestZone(t *testing.T, database *db.DB) *db.Zone {
 }

 // newChiRequest builds a request with chi URL params injected into the context.
+// An admin TokenInfo is added so that handler-level authorization passes.
 func newChiRequest(method, target string, body string, params map[string]string) *http.Request {
 	var r *http.Request
 	if body != "" {
@@ -51,14 +52,21 @@ func newChiRequest(method, target string, body string, params map[string]string)
 	}
 	r.Header.Set("Content-Type", "application/json")

+	ctx := r.Context()
 	if len(params) > 0 {
 		rctx := chi.NewRouteContext()
 		for k, v := range params {
 			rctx.URLParams.Add(k, v)
 		}
-		r = r.WithContext(context.WithValue(r.Context(), chi.RouteCtxKey, rctx))
+		ctx = context.WithValue(ctx, chi.RouteCtxKey, rctx)
 	}
-	return r
+
+	// Inject admin TokenInfo for handler-level authorization.
+	ctx = context.WithValue(ctx, tokenInfoKey, &mcdslauth.TokenInfo{
+		Username: "testadmin",
+		IsAdmin:  true,
+	})
+	return r.WithContext(ctx)
 }

 // decodeJSON decodes the response body into v.
--- a/internal/server/middleware.go
+++ b/internal/server/middleware.go
@@ -48,6 +48,29 @@ func requireAdmin(next http.Handler) http.Handler {
 	})
 }

+// authorizeRecordMutation checks whether the caller may create, update,
+// or delete a DNS record with the given name. The rules are:
+//
+//   - admin role: always allowed
+//   - system account "mcp-agent": allowed for any record name
+//   - system account α: allowed only when recordName == α
+//   - all others: denied
+func authorizeRecordMutation(info *mcdslauth.TokenInfo, recordName string) bool {
+	if info == nil {
+		return false
+	}
+	if info.IsAdmin {
+		return true
+	}
+	if info.AccountType != "system" {
+		return false
+	}
+	if info.Username == "mcp-agent" {
+		return true
+	}
+	return recordName == info.Username
+}
+
 // tokenInfoFromContext extracts the TokenInfo from the request context.
 func tokenInfoFromContext(ctx context.Context) *mcdslauth.TokenInfo {
 	info, _ := ctx.Value(tokenInfoKey).(*mcdslauth.TokenInfo)
--- a/internal/server/records.go
+++ b/internal/server/records.go
@@ -86,6 +86,11 @@ func createRecordHandler(database *db.DB) http.HandlerFunc {
 			return
 		}

+		if !authorizeRecordMutation(tokenInfoFromContext(r.Context()), req.Name) {
+			writeError(w, http.StatusForbidden, "not authorized for record name")
+			return
+		}
+
 		record, err := database.CreateRecord(zoneName, req.Name, req.Type, req.Value, req.TTL)
 		if errors.Is(err, db.ErrNotFound) {
 			writeError(w, http.StatusNotFound, "zone not found")
@@ -132,6 +137,18 @@ func updateRecordHandler(database *db.DB) http.HandlerFunc {
 			return
 		}

+		// Authorize against both old and new record names.
+		info := tokenInfoFromContext(r.Context())
+		existing, lookupErr := database.GetRecord(id)
+		if lookupErr == nil && !authorizeRecordMutation(info, existing.Name) {
+			writeError(w, http.StatusForbidden, "not authorized for record name")
+			return
+		}
+		if !authorizeRecordMutation(info, req.Name) {
+			writeError(w, http.StatusForbidden, "not authorized for record name")
+			return
+		}
+
 		record, err := database.UpdateRecord(id, req.Name, req.Type, req.Value, req.TTL)
 		if errors.Is(err, db.ErrNotFound) {
 			writeError(w, http.StatusNotFound, "record not found")
@@ -159,6 +176,13 @@ func deleteRecordHandler(database *db.DB) http.HandlerFunc {
 			return
 		}

+		// Look up the record to authorize by name.
+		existing, lookupErr := database.GetRecord(id)
+		if lookupErr == nil && !authorizeRecordMutation(tokenInfoFromContext(r.Context()), existing.Name) {
+			writeError(w, http.StatusForbidden, "not authorized for record name")
+			return
+		}
+
 		err = database.DeleteRecord(id)
 		if errors.Is(err, db.ErrNotFound) {
 			writeError(w, http.StatusNotFound, "record not found")
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -44,14 +44,14 @@ func NewRouter(deps Deps) *chi.Mux {
 		r.With(requireAdmin).Put("/v1/zones/{zone}", updateZoneHandler(deps.DB))
 		r.With(requireAdmin).Delete("/v1/zones/{zone}", deleteZoneHandler(deps.DB))

-		// Record endpoints — reads for all authenticated users, writes for admin.
+		// Record endpoints — reads for all authenticated users.
 		r.Get("/v1/zones/{zone}/records", listRecordsHandler(deps.DB))
 		r.Get("/v1/zones/{zone}/records/{id}", getRecordHandler(deps.DB))

-		// Admin-only record mutations.
-		r.With(requireAdmin).Post("/v1/zones/{zone}/records", createRecordHandler(deps.DB))
-		r.With(requireAdmin).Put("/v1/zones/{zone}/records/{id}", updateRecordHandler(deps.DB))
-		r.With(requireAdmin).Delete("/v1/zones/{zone}/records/{id}", deleteRecordHandler(deps.DB))
+		// Record mutations — admin, mcp-agent (any name), or system account (own name).
+		r.Post("/v1/zones/{zone}/records", createRecordHandler(deps.DB))
+		r.Put("/v1/zones/{zone}/records/{id}", updateRecordHandler(deps.DB))
+		r.Delete("/v1/zones/{zone}/records/{id}", deleteRecordHandler(deps.DB))
 	})

 	return r