Compare commits
9 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 07b0744c78 | |||
| 871b1fb8f4 | |||
| baa058d4a4 | |||
| 363c680530 | |||
| 115802cbe2 | |||
| 42fff97e17 | |||
| 0fe2e90d9a | |||
| 94aa3a9002 | |||
| 1455ce6e0f |
@@ -58,7 +58,7 @@ deploy/ Docker, systemd, install scripts, examples
|
||||
|
||||
## Shared Library
|
||||
|
||||
MCNS uses `mcdsl` (git.wntrmute.dev/kyle/mcdsl) for shared platform packages:
|
||||
MCNS uses `mcdsl` (git.wntrmute.dev/mc/mcdsl) for shared platform packages:
|
||||
auth, db, config, httpserver, grpcserver. These provide MCIAS authentication,
|
||||
SQLite database helpers, TOML config loading, and TLS-configured HTTP/gRPC
|
||||
server scaffolding.
|
||||
|
||||
14
Dockerfile
14
Dockerfile
@@ -13,26 +13,14 @@ RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -X main.version=${VERSION}"
|
||||
|
||||
FROM alpine:3.21
|
||||
|
||||
RUN apk add --no-cache ca-certificates tzdata \
|
||||
&& addgroup -S mcns \
|
||||
&& adduser -S -G mcns -h /srv/mcns -s /sbin/nologin mcns \
|
||||
&& mkdir -p /srv/mcns && chown mcns:mcns /srv/mcns
|
||||
RUN apk add --no-cache ca-certificates tzdata
|
||||
|
||||
COPY --from=builder /build/mcns /usr/local/bin/mcns
|
||||
|
||||
# /srv/mcns is the single volume mount point.
|
||||
# It must contain:
|
||||
# mcns.toml — configuration file
|
||||
# certs/ — TLS certificate and key
|
||||
# mcns.db — created automatically on first run
|
||||
VOLUME /srv/mcns
|
||||
WORKDIR /srv/mcns
|
||||
|
||||
EXPOSE 53/udp 53/tcp
|
||||
EXPOSE 8443
|
||||
EXPOSE 9443
|
||||
|
||||
USER mcns
|
||||
|
||||
ENTRYPOINT ["mcns"]
|
||||
CMD ["server", "--config", "/srv/mcns/mcns.toml"]
|
||||
|
||||
15
Makefile
15
Makefile
@@ -1,6 +1,8 @@
|
||||
.PHONY: build test vet lint proto proto-lint clean docker all devserver
|
||||
.PHONY: build test vet lint proto proto-lint clean docker push all devserver
|
||||
|
||||
LDFLAGS := -trimpath -ldflags="-s -w -X main.version=$(shell git describe --tags --always --dirty)"
|
||||
MCR := mcr.svc.mcp.metacircular.net:8443
|
||||
VERSION := $(shell git describe --tags --always --dirty)
|
||||
LDFLAGS := -trimpath -ldflags="-s -w -X main.version=$(VERSION)"
|
||||
|
||||
mcns:
|
||||
CGO_ENABLED=0 go build $(LDFLAGS) -o mcns ./cmd/mcns
|
||||
@@ -18,8 +20,8 @@ lint:
|
||||
golangci-lint run ./...
|
||||
|
||||
proto:
|
||||
protoc --go_out=. --go_opt=module=git.wntrmute.dev/kyle/mcns \
|
||||
--go-grpc_out=. --go-grpc_opt=module=git.wntrmute.dev/kyle/mcns \
|
||||
protoc --go_out=. --go_opt=module=git.wntrmute.dev/mc/mcns \
|
||||
--go-grpc_out=. --go-grpc_opt=module=git.wntrmute.dev/mc/mcns \
|
||||
proto/mcns/v1/*.proto
|
||||
|
||||
proto-lint:
|
||||
@@ -30,7 +32,10 @@ clean:
|
||||
rm -f mcns
|
||||
|
||||
docker:
|
||||
docker build --build-arg VERSION=$(shell git describe --tags --always --dirty) -t mcns -f Dockerfile .
|
||||
docker build --build-arg VERSION=$(VERSION) -t $(MCR)/mcns:$(VERSION) -f Dockerfile .
|
||||
|
||||
push: docker
|
||||
docker push $(MCR)/mcns:$(VERSION)
|
||||
|
||||
devserver: mcns
|
||||
@mkdir -p srv
|
||||
|
||||
22
RUNBOOK.md
22
RUNBOOK.md
@@ -230,6 +230,28 @@ Symptoms: MCNS fails to start with "address already in use" on port 53.
|
||||
`[dns] listen_addr` in `mcns.toml` to a different address.
|
||||
4. Restart MCNS and verify DNS is responding.
|
||||
|
||||
## Deployment with MCP
|
||||
|
||||
MCNS runs on rift as a single container managed by MCP. The service
|
||||
definition lives at `~/.config/mcp/services/mcns.toml` on the operator's
|
||||
machine. A reference copy is maintained at `deploy/mcns-rift.toml` in
|
||||
this repository.
|
||||
|
||||
The container image is pulled from MCR. The container mounts `/srv/mcns`
|
||||
and runs as `--user 0:0`. DNS listens on port 53 (UDP+TCP) on both
|
||||
192.168.88.181 and 100.95.252.120, with the management API on 8443/9443.
|
||||
|
||||
Note: the operator's `~/.config/mcp/services/mcns.toml` may still
|
||||
reference the old CoreDNS image and needs updating to the new MCNS image.
|
||||
|
||||
### Key Operations
|
||||
|
||||
1. Deploy or update: `mcp deploy mcns`
|
||||
2. Restart: `mcp restart mcns`
|
||||
3. Stop: `mcp stop mcns` (WARNING: stops DNS for all internal zones)
|
||||
4. Check status: `mcp ps` or `mcp status mcns`
|
||||
5. View logs: `ssh rift 'doas su - mcp -s /bin/sh -c "podman logs mcns"'`
|
||||
|
||||
## Escalation
|
||||
|
||||
Escalate when:
|
||||
|
||||
@@ -16,14 +16,14 @@ import (
|
||||
|
||||
"github.com/spf13/cobra"
|
||||
|
||||
mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth"
|
||||
mcdsldb "git.wntrmute.dev/kyle/mcdsl/db"
|
||||
mcdslauth "git.wntrmute.dev/mc/mcdsl/auth"
|
||||
mcdsldb "git.wntrmute.dev/mc/mcdsl/db"
|
||||
|
||||
"git.wntrmute.dev/kyle/mcns/internal/config"
|
||||
"git.wntrmute.dev/kyle/mcns/internal/db"
|
||||
mcnsdns "git.wntrmute.dev/kyle/mcns/internal/dns"
|
||||
"git.wntrmute.dev/kyle/mcns/internal/grpcserver"
|
||||
"git.wntrmute.dev/kyle/mcns/internal/server"
|
||||
"git.wntrmute.dev/mc/mcns/internal/config"
|
||||
"git.wntrmute.dev/mc/mcns/internal/db"
|
||||
mcnsdns "git.wntrmute.dev/mc/mcns/internal/dns"
|
||||
"git.wntrmute.dev/mc/mcns/internal/grpcserver"
|
||||
"git.wntrmute.dev/mc/mcns/internal/server"
|
||||
)
|
||||
|
||||
var version = "dev"
|
||||
|
||||
17
deploy/mcns-rift.toml
Normal file
17
deploy/mcns-rift.toml
Normal file
@@ -0,0 +1,17 @@
|
||||
name = "mcns"
|
||||
node = "rift"
|
||||
active = true
|
||||
|
||||
[[components]]
|
||||
name = "dns"
|
||||
image = "mcr.svc.mcp.metacircular.net:8443/mcns:latest"
|
||||
user = "0:0"
|
||||
restart = "unless-stopped"
|
||||
ports = [
|
||||
"192.168.88.181:53:53/tcp",
|
||||
"192.168.88.181:53:53/udp",
|
||||
"100.95.252.120:53:53/tcp",
|
||||
"100.95.252.120:53:53/udp",
|
||||
]
|
||||
volumes = ["/srv/mcns:/srv/mcns"]
|
||||
cmd = ["server", "--config", "/srv/mcns/mcns.toml"]
|
||||
@@ -110,7 +110,7 @@ const file_proto_mcns_v1_admin_proto_rawDesc = "" +
|
||||
"\x0eHealthResponse\x12\x16\n" +
|
||||
"\x06status\x18\x01 \x01(\tR\x06status2I\n" +
|
||||
"\fAdminService\x129\n" +
|
||||
"\x06Health\x12\x16.mcns.v1.HealthRequest\x1a\x17.mcns.v1.HealthResponseB/Z-git.wntrmute.dev/kyle/mcns/gen/mcns/v1;mcnsv1b\x06proto3"
|
||||
"\x06Health\x12\x16.mcns.v1.HealthRequest\x1a\x17.mcns.v1.HealthResponseB-Z+git.wntrmute.dev/mc/mcns/gen/mcns/v1;mcnsv1b\x06proto3"
|
||||
|
||||
var (
|
||||
file_proto_mcns_v1_admin_proto_rawDescOnce sync.Once
|
||||
|
||||
@@ -222,7 +222,7 @@ const file_proto_mcns_v1_auth_proto_rawDesc = "" +
|
||||
"\x0eLogoutResponse2\x80\x01\n" +
|
||||
"\vAuthService\x126\n" +
|
||||
"\x05Login\x12\x15.mcns.v1.LoginRequest\x1a\x16.mcns.v1.LoginResponse\x129\n" +
|
||||
"\x06Logout\x12\x16.mcns.v1.LogoutRequest\x1a\x17.mcns.v1.LogoutResponseB/Z-git.wntrmute.dev/kyle/mcns/gen/mcns/v1;mcnsv1b\x06proto3"
|
||||
"\x06Logout\x12\x16.mcns.v1.LogoutRequest\x1a\x17.mcns.v1.LogoutResponseB-Z+git.wntrmute.dev/mc/mcns/gen/mcns/v1;mcnsv1b\x06proto3"
|
||||
|
||||
var (
|
||||
file_proto_mcns_v1_auth_proto_rawDescOnce sync.Once
|
||||
|
||||
@@ -551,7 +551,7 @@ const file_proto_mcns_v1_record_proto_rawDesc = "" +
|
||||
"\fCreateRecord\x12\x1c.mcns.v1.CreateRecordRequest\x1a\x0f.mcns.v1.Record\x127\n" +
|
||||
"\tGetRecord\x12\x19.mcns.v1.GetRecordRequest\x1a\x0f.mcns.v1.Record\x12=\n" +
|
||||
"\fUpdateRecord\x12\x1c.mcns.v1.UpdateRecordRequest\x1a\x0f.mcns.v1.Record\x12K\n" +
|
||||
"\fDeleteRecord\x12\x1c.mcns.v1.DeleteRecordRequest\x1a\x1d.mcns.v1.DeleteRecordResponseB/Z-git.wntrmute.dev/kyle/mcns/gen/mcns/v1;mcnsv1b\x06proto3"
|
||||
"\fDeleteRecord\x12\x1c.mcns.v1.DeleteRecordRequest\x1a\x1d.mcns.v1.DeleteRecordResponseB-Z+git.wntrmute.dev/mc/mcns/gen/mcns/v1;mcnsv1b\x06proto3"
|
||||
|
||||
var (
|
||||
file_proto_mcns_v1_record_proto_rawDescOnce sync.Once
|
||||
|
||||
@@ -595,7 +595,7 @@ const file_proto_mcns_v1_zone_proto_rawDesc = "" +
|
||||
"\n" +
|
||||
"UpdateZone\x12\x1a.mcns.v1.UpdateZoneRequest\x1a\r.mcns.v1.Zone\x12E\n" +
|
||||
"\n" +
|
||||
"DeleteZone\x12\x1a.mcns.v1.DeleteZoneRequest\x1a\x1b.mcns.v1.DeleteZoneResponseB/Z-git.wntrmute.dev/kyle/mcns/gen/mcns/v1;mcnsv1b\x06proto3"
|
||||
"DeleteZone\x12\x1a.mcns.v1.DeleteZoneRequest\x1a\x1b.mcns.v1.DeleteZoneResponseB-Z+git.wntrmute.dev/mc/mcns/gen/mcns/v1;mcnsv1b\x06proto3"
|
||||
|
||||
var (
|
||||
file_proto_mcns_v1_zone_proto_rawDescOnce sync.Once
|
||||
|
||||
4
go.mod
4
go.mod
@@ -1,9 +1,9 @@
|
||||
module git.wntrmute.dev/kyle/mcns
|
||||
module git.wntrmute.dev/mc/mcns
|
||||
|
||||
go 1.25.7
|
||||
|
||||
require (
|
||||
git.wntrmute.dev/kyle/mcdsl v1.0.0
|
||||
git.wntrmute.dev/mc/mcdsl v1.2.0
|
||||
github.com/go-chi/chi/v5 v5.2.5
|
||||
github.com/miekg/dns v1.1.66
|
||||
github.com/spf13/cobra v1.10.2
|
||||
|
||||
4
go.sum
4
go.sum
@@ -1,5 +1,5 @@
|
||||
git.wntrmute.dev/kyle/mcdsl v1.0.0 h1:YB7dx4gdNYKKcVySpL6UkwHqdCJ9Nl1yS0+eHk0hNtk=
|
||||
git.wntrmute.dev/kyle/mcdsl v1.0.0/go.mod h1:wo0tGfUAxci3XnOe4/rFmR0RjUElKdYUazc+Np986sg=
|
||||
git.wntrmute.dev/mc/mcdsl v1.2.0 h1:41hep7/PNZJfN0SN/nM+rQpyF1GSZcvNNjyVG81DI7U=
|
||||
git.wntrmute.dev/mc/mcdsl v1.2.0/go.mod h1:lXYrAt74ZUix6rx9oVN8d2zH1YJoyp4uxPVKQ+SSxuM=
|
||||
github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
|
||||
github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
|
||||
|
||||
@@ -3,7 +3,7 @@ package config
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
mcdslconfig "git.wntrmute.dev/kyle/mcdsl/config"
|
||||
mcdslconfig "git.wntrmute.dev/mc/mcdsl/config"
|
||||
)
|
||||
|
||||
// Config is the top-level MCNS configuration.
|
||||
|
||||
@@ -4,7 +4,7 @@ import (
|
||||
"database/sql"
|
||||
"fmt"
|
||||
|
||||
mcdsldb "git.wntrmute.dev/kyle/mcdsl/db"
|
||||
mcdsldb "git.wntrmute.dev/mc/mcdsl/db"
|
||||
)
|
||||
|
||||
// DB wraps a SQLite database connection.
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
package db
|
||||
|
||||
import (
|
||||
mcdsldb "git.wntrmute.dev/kyle/mcdsl/db"
|
||||
mcdsldb "git.wntrmute.dev/mc/mcdsl/db"
|
||||
)
|
||||
|
||||
// Migrations is the ordered list of MCNS schema migrations.
|
||||
|
||||
@@ -10,7 +10,7 @@ import (
|
||||
|
||||
"github.com/miekg/dns"
|
||||
|
||||
"git.wntrmute.dev/kyle/mcns/internal/db"
|
||||
"git.wntrmute.dev/mc/mcns/internal/db"
|
||||
)
|
||||
|
||||
// Server is the MCNS DNS server. It listens on both UDP and TCP.
|
||||
|
||||
@@ -6,7 +6,7 @@ import (
|
||||
|
||||
"github.com/miekg/dns"
|
||||
|
||||
"git.wntrmute.dev/kyle/mcns/internal/db"
|
||||
"git.wntrmute.dev/mc/mcns/internal/db"
|
||||
"log/slog"
|
||||
)
|
||||
|
||||
|
||||
@@ -3,8 +3,8 @@ package grpcserver
|
||||
import (
|
||||
"context"
|
||||
|
||||
pb "git.wntrmute.dev/kyle/mcns/gen/mcns/v1"
|
||||
"git.wntrmute.dev/kyle/mcns/internal/db"
|
||||
pb "git.wntrmute.dev/mc/mcns/gen/mcns/v1"
|
||||
"git.wntrmute.dev/mc/mcns/internal/db"
|
||||
)
|
||||
|
||||
type adminService struct {
|
||||
|
||||
@@ -4,11 +4,11 @@ import (
|
||||
"context"
|
||||
"errors"
|
||||
|
||||
mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth"
|
||||
mcdslauth "git.wntrmute.dev/mc/mcdsl/auth"
|
||||
"google.golang.org/grpc/codes"
|
||||
"google.golang.org/grpc/status"
|
||||
|
||||
pb "git.wntrmute.dev/kyle/mcns/gen/mcns/v1"
|
||||
pb "git.wntrmute.dev/mc/mcns/gen/mcns/v1"
|
||||
)
|
||||
|
||||
type authService struct {
|
||||
|
||||
@@ -16,10 +16,10 @@ import (
|
||||
"google.golang.org/grpc/metadata"
|
||||
"google.golang.org/grpc/status"
|
||||
|
||||
mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth"
|
||||
mcdslauth "git.wntrmute.dev/mc/mcdsl/auth"
|
||||
|
||||
pb "git.wntrmute.dev/kyle/mcns/gen/mcns/v1"
|
||||
"git.wntrmute.dev/kyle/mcns/internal/db"
|
||||
pb "git.wntrmute.dev/mc/mcns/gen/mcns/v1"
|
||||
"git.wntrmute.dev/mc/mcns/internal/db"
|
||||
)
|
||||
|
||||
// mockMCIAS starts a fake MCIAS HTTP server for token validation.
|
||||
@@ -769,6 +769,9 @@ func TestMethodMapCompleteness(t *testing.T) {
|
||||
"/mcns.v1.ZoneService/GetZone",
|
||||
"/mcns.v1.RecordService/ListRecords",
|
||||
"/mcns.v1.RecordService/GetRecord",
|
||||
"/mcns.v1.RecordService/CreateRecord",
|
||||
"/mcns.v1.RecordService/UpdateRecord",
|
||||
"/mcns.v1.RecordService/DeleteRecord",
|
||||
}
|
||||
for _, method := range expectedAuth {
|
||||
if !mm.AuthRequired[method] {
|
||||
@@ -783,9 +786,6 @@ func TestMethodMapCompleteness(t *testing.T) {
|
||||
"/mcns.v1.ZoneService/CreateZone",
|
||||
"/mcns.v1.ZoneService/UpdateZone",
|
||||
"/mcns.v1.ZoneService/DeleteZone",
|
||||
"/mcns.v1.RecordService/CreateRecord",
|
||||
"/mcns.v1.RecordService/UpdateRecord",
|
||||
"/mcns.v1.RecordService/DeleteRecord",
|
||||
}
|
||||
for _, method := range expectedAdmin {
|
||||
if !mm.AdminRequired[method] {
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
package grpcserver
|
||||
|
||||
import (
|
||||
mcdslgrpc "git.wntrmute.dev/kyle/mcdsl/grpcserver"
|
||||
mcdslgrpc "git.wntrmute.dev/mc/mcdsl/grpcserver"
|
||||
)
|
||||
|
||||
// methodMap builds the mcdsl grpcserver.MethodMap for MCNS.
|
||||
@@ -30,6 +30,9 @@ func authRequiredMethods() map[string]bool {
|
||||
"/mcns.v1.ZoneService/GetZone": true,
|
||||
"/mcns.v1.RecordService/ListRecords": true,
|
||||
"/mcns.v1.RecordService/GetRecord": true,
|
||||
"/mcns.v1.RecordService/CreateRecord": true,
|
||||
"/mcns.v1.RecordService/UpdateRecord": true,
|
||||
"/mcns.v1.RecordService/DeleteRecord": true,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -38,8 +41,5 @@ func adminRequiredMethods() map[string]bool {
|
||||
"/mcns.v1.ZoneService/CreateZone": true,
|
||||
"/mcns.v1.ZoneService/UpdateZone": true,
|
||||
"/mcns.v1.ZoneService/DeleteZone": true,
|
||||
"/mcns.v1.RecordService/CreateRecord": true,
|
||||
"/mcns.v1.RecordService/UpdateRecord": true,
|
||||
"/mcns.v1.RecordService/DeleteRecord": true,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -10,10 +10,36 @@ import (
|
||||
"google.golang.org/grpc/status"
|
||||
"google.golang.org/protobuf/types/known/timestamppb"
|
||||
|
||||
pb "git.wntrmute.dev/kyle/mcns/gen/mcns/v1"
|
||||
"git.wntrmute.dev/kyle/mcns/internal/db"
|
||||
mcdslauth "git.wntrmute.dev/mc/mcdsl/auth"
|
||||
mcdslgrpc "git.wntrmute.dev/mc/mcdsl/grpcserver"
|
||||
|
||||
pb "git.wntrmute.dev/mc/mcns/gen/mcns/v1"
|
||||
"git.wntrmute.dev/mc/mcns/internal/db"
|
||||
)
|
||||
|
||||
// authorizeRecordMutation checks whether the caller may create, update,
|
||||
// or delete a DNS record with the given name. The rules are:
|
||||
//
|
||||
// - admin role: always allowed
|
||||
// - system account "mcp-agent": allowed for any record name
|
||||
// - system account α: allowed only when recordName == α
|
||||
// - all others: denied
|
||||
func authorizeRecordMutation(info *mcdslauth.TokenInfo, recordName string) bool {
|
||||
if info == nil {
|
||||
return false
|
||||
}
|
||||
if info.IsAdmin {
|
||||
return true
|
||||
}
|
||||
if info.AccountType != "system" {
|
||||
return false
|
||||
}
|
||||
if info.Username == "mcp-agent" {
|
||||
return true
|
||||
}
|
||||
return recordName == info.Username
|
||||
}
|
||||
|
||||
type recordService struct {
|
||||
pb.UnimplementedRecordServiceServer
|
||||
db *db.DB
|
||||
@@ -55,7 +81,7 @@ func (s *recordService) GetRecord(_ context.Context, req *pb.GetRecordRequest) (
|
||||
return s.recordToProto(*record), nil
|
||||
}
|
||||
|
||||
func (s *recordService) CreateRecord(_ context.Context, req *pb.CreateRecordRequest) (*pb.Record, error) {
|
||||
func (s *recordService) CreateRecord(ctx context.Context, req *pb.CreateRecordRequest) (*pb.Record, error) {
|
||||
if req.Zone == "" {
|
||||
return nil, status.Error(codes.InvalidArgument, "zone is required")
|
||||
}
|
||||
@@ -69,6 +95,10 @@ func (s *recordService) CreateRecord(_ context.Context, req *pb.CreateRecordRequ
|
||||
return nil, status.Error(codes.InvalidArgument, "value is required")
|
||||
}
|
||||
|
||||
if !authorizeRecordMutation(mcdslgrpc.TokenInfoFromContext(ctx), req.Name) {
|
||||
return nil, status.Error(codes.PermissionDenied, "not authorized for record name")
|
||||
}
|
||||
|
||||
record, err := s.db.CreateRecord(req.Zone, req.Name, req.Type, req.Value, int(req.Ttl))
|
||||
if errors.Is(err, db.ErrNotFound) {
|
||||
return nil, status.Error(codes.NotFound, "zone not found")
|
||||
@@ -82,7 +112,7 @@ func (s *recordService) CreateRecord(_ context.Context, req *pb.CreateRecordRequ
|
||||
return s.recordToProto(*record), nil
|
||||
}
|
||||
|
||||
func (s *recordService) UpdateRecord(_ context.Context, req *pb.UpdateRecordRequest) (*pb.Record, error) {
|
||||
func (s *recordService) UpdateRecord(ctx context.Context, req *pb.UpdateRecordRequest) (*pb.Record, error) {
|
||||
if req.Id <= 0 {
|
||||
return nil, status.Error(codes.InvalidArgument, "id must be positive")
|
||||
}
|
||||
@@ -96,6 +126,15 @@ func (s *recordService) UpdateRecord(_ context.Context, req *pb.UpdateRecordRequ
|
||||
return nil, status.Error(codes.InvalidArgument, "value is required")
|
||||
}
|
||||
|
||||
info := mcdslgrpc.TokenInfoFromContext(ctx)
|
||||
existing, lookupErr := s.db.GetRecord(req.Id)
|
||||
if lookupErr == nil && !authorizeRecordMutation(info, existing.Name) {
|
||||
return nil, status.Error(codes.PermissionDenied, "not authorized for record name")
|
||||
}
|
||||
if !authorizeRecordMutation(info, req.Name) {
|
||||
return nil, status.Error(codes.PermissionDenied, "not authorized for record name")
|
||||
}
|
||||
|
||||
record, err := s.db.UpdateRecord(req.Id, req.Name, req.Type, req.Value, int(req.Ttl))
|
||||
if errors.Is(err, db.ErrNotFound) {
|
||||
return nil, status.Error(codes.NotFound, "record not found")
|
||||
@@ -109,11 +148,16 @@ func (s *recordService) UpdateRecord(_ context.Context, req *pb.UpdateRecordRequ
|
||||
return s.recordToProto(*record), nil
|
||||
}
|
||||
|
||||
func (s *recordService) DeleteRecord(_ context.Context, req *pb.DeleteRecordRequest) (*pb.DeleteRecordResponse, error) {
|
||||
func (s *recordService) DeleteRecord(ctx context.Context, req *pb.DeleteRecordRequest) (*pb.DeleteRecordResponse, error) {
|
||||
if req.Id <= 0 {
|
||||
return nil, status.Error(codes.InvalidArgument, "id must be positive")
|
||||
}
|
||||
|
||||
existing, lookupErr := s.db.GetRecord(req.Id)
|
||||
if lookupErr == nil && !authorizeRecordMutation(mcdslgrpc.TokenInfoFromContext(ctx), existing.Name) {
|
||||
return nil, status.Error(codes.PermissionDenied, "not authorized for record name")
|
||||
}
|
||||
|
||||
err := s.db.DeleteRecord(req.Id)
|
||||
if errors.Is(err, db.ErrNotFound) {
|
||||
return nil, status.Error(codes.NotFound, "record not found")
|
||||
|
||||
@@ -4,11 +4,11 @@ import (
|
||||
"log/slog"
|
||||
"net"
|
||||
|
||||
mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth"
|
||||
mcdslgrpc "git.wntrmute.dev/kyle/mcdsl/grpcserver"
|
||||
mcdslauth "git.wntrmute.dev/mc/mcdsl/auth"
|
||||
mcdslgrpc "git.wntrmute.dev/mc/mcdsl/grpcserver"
|
||||
|
||||
pb "git.wntrmute.dev/kyle/mcns/gen/mcns/v1"
|
||||
"git.wntrmute.dev/kyle/mcns/internal/db"
|
||||
pb "git.wntrmute.dev/mc/mcns/gen/mcns/v1"
|
||||
"git.wntrmute.dev/mc/mcns/internal/db"
|
||||
)
|
||||
|
||||
// Deps holds the dependencies injected into the gRPC server.
|
||||
@@ -24,7 +24,7 @@ type Server struct {
|
||||
|
||||
// New creates a configured gRPC server with MCNS services registered.
|
||||
func New(certFile, keyFile string, deps Deps, logger *slog.Logger) (*Server, error) {
|
||||
srv, err := mcdslgrpc.New(certFile, keyFile, deps.Authenticator, methodMap(), logger)
|
||||
srv, err := mcdslgrpc.New(certFile, keyFile, deps.Authenticator, methodMap(), logger, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
@@ -9,8 +9,8 @@ import (
|
||||
"google.golang.org/grpc/status"
|
||||
"google.golang.org/protobuf/types/known/timestamppb"
|
||||
|
||||
pb "git.wntrmute.dev/kyle/mcns/gen/mcns/v1"
|
||||
"git.wntrmute.dev/kyle/mcns/internal/db"
|
||||
pb "git.wntrmute.dev/mc/mcns/gen/mcns/v1"
|
||||
"git.wntrmute.dev/mc/mcns/internal/db"
|
||||
)
|
||||
|
||||
type zoneService struct {
|
||||
|
||||
@@ -5,7 +5,7 @@ import (
|
||||
"errors"
|
||||
"net/http"
|
||||
|
||||
mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth"
|
||||
mcdslauth "git.wntrmute.dev/mc/mcdsl/auth"
|
||||
)
|
||||
|
||||
type loginRequest struct {
|
||||
|
||||
@@ -12,8 +12,8 @@ import (
|
||||
|
||||
"github.com/go-chi/chi/v5"
|
||||
|
||||
mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth"
|
||||
"git.wntrmute.dev/kyle/mcns/internal/db"
|
||||
mcdslauth "git.wntrmute.dev/mc/mcdsl/auth"
|
||||
"git.wntrmute.dev/mc/mcns/internal/db"
|
||||
)
|
||||
|
||||
// openTestDB creates a temporary SQLite database with all migrations applied.
|
||||
@@ -42,6 +42,7 @@ func createTestZone(t *testing.T, database *db.DB) *db.Zone {
|
||||
}
|
||||
|
||||
// newChiRequest builds a request with chi URL params injected into the context.
|
||||
// An admin TokenInfo is added so that handler-level authorization passes.
|
||||
func newChiRequest(method, target string, body string, params map[string]string) *http.Request {
|
||||
var r *http.Request
|
||||
if body != "" {
|
||||
@@ -51,14 +52,21 @@ func newChiRequest(method, target string, body string, params map[string]string)
|
||||
}
|
||||
r.Header.Set("Content-Type", "application/json")
|
||||
|
||||
ctx := r.Context()
|
||||
if len(params) > 0 {
|
||||
rctx := chi.NewRouteContext()
|
||||
for k, v := range params {
|
||||
rctx.URLParams.Add(k, v)
|
||||
}
|
||||
r = r.WithContext(context.WithValue(r.Context(), chi.RouteCtxKey, rctx))
|
||||
ctx = context.WithValue(ctx, chi.RouteCtxKey, rctx)
|
||||
}
|
||||
return r
|
||||
|
||||
// Inject admin TokenInfo for handler-level authorization.
|
||||
ctx = context.WithValue(ctx, tokenInfoKey, &mcdslauth.TokenInfo{
|
||||
Username: "testadmin",
|
||||
IsAdmin: true,
|
||||
})
|
||||
return r.WithContext(ctx)
|
||||
}
|
||||
|
||||
// decodeJSON decodes the response body into v.
|
||||
|
||||
@@ -7,7 +7,7 @@ import (
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth"
|
||||
mcdslauth "git.wntrmute.dev/mc/mcdsl/auth"
|
||||
)
|
||||
|
||||
type contextKey string
|
||||
@@ -48,6 +48,29 @@ func requireAdmin(next http.Handler) http.Handler {
|
||||
})
|
||||
}
|
||||
|
||||
// authorizeRecordMutation checks whether the caller may create, update,
|
||||
// or delete a DNS record with the given name. The rules are:
|
||||
//
|
||||
// - admin role: always allowed
|
||||
// - system account "mcp-agent": allowed for any record name
|
||||
// - system account α: allowed only when recordName == α
|
||||
// - all others: denied
|
||||
func authorizeRecordMutation(info *mcdslauth.TokenInfo, recordName string) bool {
|
||||
if info == nil {
|
||||
return false
|
||||
}
|
||||
if info.IsAdmin {
|
||||
return true
|
||||
}
|
||||
if info.AccountType != "system" {
|
||||
return false
|
||||
}
|
||||
if info.Username == "mcp-agent" {
|
||||
return true
|
||||
}
|
||||
return recordName == info.Username
|
||||
}
|
||||
|
||||
// tokenInfoFromContext extracts the TokenInfo from the request context.
|
||||
func tokenInfoFromContext(ctx context.Context) *mcdslauth.TokenInfo {
|
||||
info, _ := ctx.Value(tokenInfoKey).(*mcdslauth.TokenInfo)
|
||||
|
||||
@@ -8,7 +8,7 @@ import (
|
||||
|
||||
"github.com/go-chi/chi/v5"
|
||||
|
||||
"git.wntrmute.dev/kyle/mcns/internal/db"
|
||||
"git.wntrmute.dev/mc/mcns/internal/db"
|
||||
)
|
||||
|
||||
type createRecordRequest struct {
|
||||
@@ -86,6 +86,11 @@ func createRecordHandler(database *db.DB) http.HandlerFunc {
|
||||
return
|
||||
}
|
||||
|
||||
if !authorizeRecordMutation(tokenInfoFromContext(r.Context()), req.Name) {
|
||||
writeError(w, http.StatusForbidden, "not authorized for record name")
|
||||
return
|
||||
}
|
||||
|
||||
record, err := database.CreateRecord(zoneName, req.Name, req.Type, req.Value, req.TTL)
|
||||
if errors.Is(err, db.ErrNotFound) {
|
||||
writeError(w, http.StatusNotFound, "zone not found")
|
||||
@@ -132,6 +137,18 @@ func updateRecordHandler(database *db.DB) http.HandlerFunc {
|
||||
return
|
||||
}
|
||||
|
||||
// Authorize against both old and new record names.
|
||||
info := tokenInfoFromContext(r.Context())
|
||||
existing, lookupErr := database.GetRecord(id)
|
||||
if lookupErr == nil && !authorizeRecordMutation(info, existing.Name) {
|
||||
writeError(w, http.StatusForbidden, "not authorized for record name")
|
||||
return
|
||||
}
|
||||
if !authorizeRecordMutation(info, req.Name) {
|
||||
writeError(w, http.StatusForbidden, "not authorized for record name")
|
||||
return
|
||||
}
|
||||
|
||||
record, err := database.UpdateRecord(id, req.Name, req.Type, req.Value, req.TTL)
|
||||
if errors.Is(err, db.ErrNotFound) {
|
||||
writeError(w, http.StatusNotFound, "record not found")
|
||||
@@ -159,6 +176,13 @@ func deleteRecordHandler(database *db.DB) http.HandlerFunc {
|
||||
return
|
||||
}
|
||||
|
||||
// Look up the record to authorize by name.
|
||||
existing, lookupErr := database.GetRecord(id)
|
||||
if lookupErr == nil && !authorizeRecordMutation(tokenInfoFromContext(r.Context()), existing.Name) {
|
||||
writeError(w, http.StatusForbidden, "not authorized for record name")
|
||||
return
|
||||
}
|
||||
|
||||
err = database.DeleteRecord(id)
|
||||
if errors.Is(err, db.ErrNotFound) {
|
||||
writeError(w, http.StatusNotFound, "record not found")
|
||||
|
||||
@@ -7,10 +7,10 @@ import (
|
||||
|
||||
"github.com/go-chi/chi/v5"
|
||||
|
||||
mcdslauth "git.wntrmute.dev/kyle/mcdsl/auth"
|
||||
"git.wntrmute.dev/kyle/mcdsl/health"
|
||||
mcdslauth "git.wntrmute.dev/mc/mcdsl/auth"
|
||||
"git.wntrmute.dev/mc/mcdsl/health"
|
||||
|
||||
"git.wntrmute.dev/kyle/mcns/internal/db"
|
||||
"git.wntrmute.dev/mc/mcns/internal/db"
|
||||
)
|
||||
|
||||
// Deps holds dependencies injected into the REST handlers.
|
||||
@@ -44,14 +44,14 @@ func NewRouter(deps Deps) *chi.Mux {
|
||||
r.With(requireAdmin).Put("/v1/zones/{zone}", updateZoneHandler(deps.DB))
|
||||
r.With(requireAdmin).Delete("/v1/zones/{zone}", deleteZoneHandler(deps.DB))
|
||||
|
||||
// Record endpoints — reads for all authenticated users, writes for admin.
|
||||
// Record endpoints — reads for all authenticated users.
|
||||
r.Get("/v1/zones/{zone}/records", listRecordsHandler(deps.DB))
|
||||
r.Get("/v1/zones/{zone}/records/{id}", getRecordHandler(deps.DB))
|
||||
|
||||
// Admin-only record mutations.
|
||||
r.With(requireAdmin).Post("/v1/zones/{zone}/records", createRecordHandler(deps.DB))
|
||||
r.With(requireAdmin).Put("/v1/zones/{zone}/records/{id}", updateRecordHandler(deps.DB))
|
||||
r.With(requireAdmin).Delete("/v1/zones/{zone}/records/{id}", deleteRecordHandler(deps.DB))
|
||||
// Record mutations — admin, mcp-agent (any name), or system account (own name).
|
||||
r.Post("/v1/zones/{zone}/records", createRecordHandler(deps.DB))
|
||||
r.Put("/v1/zones/{zone}/records/{id}", updateRecordHandler(deps.DB))
|
||||
r.Delete("/v1/zones/{zone}/records/{id}", deleteRecordHandler(deps.DB))
|
||||
})
|
||||
|
||||
return r
|
||||
|
||||
@@ -7,7 +7,7 @@ import (
|
||||
|
||||
"github.com/go-chi/chi/v5"
|
||||
|
||||
"git.wntrmute.dev/kyle/mcns/internal/db"
|
||||
"git.wntrmute.dev/mc/mcns/internal/db"
|
||||
)
|
||||
|
||||
type createZoneRequest struct {
|
||||
|
||||
@@ -2,7 +2,7 @@ syntax = "proto3";
|
||||
|
||||
package mcns.v1;
|
||||
|
||||
option go_package = "git.wntrmute.dev/kyle/mcns/gen/mcns/v1;mcnsv1";
|
||||
option go_package = "git.wntrmute.dev/mc/mcns/gen/mcns/v1;mcnsv1";
|
||||
|
||||
// AdminService exposes server health and administrative operations.
|
||||
service AdminService {
|
||||
|
||||
@@ -2,7 +2,7 @@ syntax = "proto3";
|
||||
|
||||
package mcns.v1;
|
||||
|
||||
option go_package = "git.wntrmute.dev/kyle/mcns/gen/mcns/v1;mcnsv1";
|
||||
option go_package = "git.wntrmute.dev/mc/mcns/gen/mcns/v1;mcnsv1";
|
||||
|
||||
// AuthService handles authentication by delegating to MCIAS.
|
||||
service AuthService {
|
||||
|
||||
@@ -2,7 +2,7 @@ syntax = "proto3";
|
||||
|
||||
package mcns.v1;
|
||||
|
||||
option go_package = "git.wntrmute.dev/kyle/mcns/gen/mcns/v1;mcnsv1";
|
||||
option go_package = "git.wntrmute.dev/mc/mcns/gen/mcns/v1;mcnsv1";
|
||||
|
||||
import "google/protobuf/timestamp.proto";
|
||||
|
||||
|
||||
@@ -2,7 +2,7 @@ syntax = "proto3";
|
||||
|
||||
package mcns.v1;
|
||||
|
||||
option go_package = "git.wntrmute.dev/kyle/mcns/gen/mcns/v1;mcnsv1";
|
||||
option go_package = "git.wntrmute.dev/mc/mcns/gen/mcns/v1;mcnsv1";
|
||||
|
||||
import "google/protobuf/timestamp.proto";
|
||||
|
||||
|
||||
Reference in New Issue
Block a user