Add record-level authorization for system accounts

Record mutations (create, update, delete) no longer require admin role. Authorization rules: - admin: full access (unchanged) - system mcp-agent: create/delete any record - system account α: create/delete records named α only - human users: read-only (unchanged) Zone mutations remain admin-only. Both REST and gRPC paths enforce the same rules. Update checks authorization against both old and new names. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 15:52:43 -07:00
parent baa058d4a4
commit 871b1fb8f4
7 changed files with 120 additions and 21 deletions
--- a/internal/server/middleware.go
+++ b/internal/server/middleware.go
@@ -48,6 +48,29 @@ func requireAdmin(next http.Handler) http.Handler {
 	})
 }

+// authorizeRecordMutation checks whether the caller may create, update,
+// or delete a DNS record with the given name. The rules are:
+//
+//   - admin role: always allowed
+//   - system account "mcp-agent": allowed for any record name
+//   - system account α: allowed only when recordName == α
+//   - all others: denied
+func authorizeRecordMutation(info *mcdslauth.TokenInfo, recordName string) bool {
+	if info == nil {
+		return false
+	}
+	if info.IsAdmin {
+		return true
+	}
+	if info.AccountType != "system" {
+		return false
+	}
+	if info.Username == "mcp-agent" {
+		return true
+	}
+	return recordName == info.Username
+}
+
 // tokenInfoFromContext extracts the TokenInfo from the request context.
 func tokenInfoFromContext(ctx context.Context) *mcdslauth.TokenInfo {
 	info, _ := ctx.Value(tokenInfoKey).(*mcdslauth.TokenInfo)