mc/mcns
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add record-level authorization for system accounts

Browse Source 
Record mutations (create, update, delete) no longer require admin role.
Authorization rules:
  - admin: full access (unchanged)
  - system mcp-agent: create/delete any record
  - system account α: create/delete records named α only
  - human users: read-only (unchanged)

Zone mutations remain admin-only. Both REST and gRPC paths enforce the
same rules. Update checks authorization against both old and new names.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-03-28 15:52:43 -07:00
parent baa058d4a4
commit 871b1fb8f4
7 changed files with 120 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
internal/server/records.go
View File

@@ -86,6 +86,11 @@ func createRecordHandler(database *db.DB) http.HandlerFunc {
return
}
if !authorizeRecordMutation(tokenInfoFromContext(r.Context()), req.Name) {
writeError(w, http.StatusForbidden, "not authorized for record name")
return
}
record, err := database.CreateRecord(zoneName, req.Name, req.Type, req.Value, req.TTL)
if errors.Is(err, db.ErrNotFound) {
writeError(w, http.StatusNotFound, "zone not found")
@@ -132,6 +137,18 @@ func updateRecordHandler(database *db.DB) http.HandlerFunc {
return
}
// Authorize against both old and new record names.
info := tokenInfoFromContext(r.Context())
existing, lookupErr := database.GetRecord(id)
if lookupErr == nil && !authorizeRecordMutation(info, existing.Name) {
writeError(w, http.StatusForbidden, "not authorized for record name")
return
}
if !authorizeRecordMutation(info, req.Name) {
writeError(w, http.StatusForbidden, "not authorized for record name")
return
}
record, err := database.UpdateRecord(id, req.Name, req.Type, req.Value, req.TTL)
if errors.Is(err, db.ErrNotFound) {
writeError(w, http.StatusNotFound, "record not found")
@@ -159,6 +176,13 @@ func deleteRecordHandler(database *db.DB) http.HandlerFunc {
return
}
// Look up the record to authorize by name.
existing, lookupErr := database.GetRecord(id)
if lookupErr == nil && !authorizeRecordMutation(tokenInfoFromContext(r.Context()), existing.Name) {
writeError(w, http.StatusForbidden, "not authorized for record name")
return
}
err = database.DeleteRecord(id)
if errors.Is(err, db.ErrNotFound) {
writeError(w, http.StatusNotFound, "record not found")