Kyle Isom
871b1fb8f4
Record mutations (create, update, delete) no longer require admin role. Authorization rules: - admin: full access (unchanged) - system mcp-agent: create/delete any record - system account α: create/delete records named α only - human users: read-only (unchanged) Zone mutations remain admin-only. Both REST and gRPC paths enforce the same rules. Update checks authorization against both old and new names. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
196 lines
5.8 KiB
Go
196 lines
5.8 KiB
Go
package grpcserver
|
||
|
||
import (
|
||
"context"
|
||
"errors"
|
||
"log/slog"
|
||
"time"
|
||
|
||
"google.golang.org/grpc/codes"
|
||
"google.golang.org/grpc/status"
|
||
"google.golang.org/protobuf/types/known/timestamppb"
|
||
|
||
mcdslauth "git.wntrmute.dev/mc/mcdsl/auth"
|
||
mcdslgrpc "git.wntrmute.dev/mc/mcdsl/grpcserver"
|
||
|
||
pb "git.wntrmute.dev/mc/mcns/gen/mcns/v1"
|
||
"git.wntrmute.dev/mc/mcns/internal/db"
|
||
)
|
||
|
||
// authorizeRecordMutation checks whether the caller may create, update,
|
||
// or delete a DNS record with the given name. The rules are:
|
||
//
|
||
// - admin role: always allowed
|
||
// - system account "mcp-agent": allowed for any record name
|
||
// - system account α: allowed only when recordName == α
|
||
// - all others: denied
|
||
func authorizeRecordMutation(info *mcdslauth.TokenInfo, recordName string) bool {
|
||
if info == nil {
|
||
return false
|
||
}
|
||
if info.IsAdmin {
|
||
return true
|
||
}
|
||
if info.AccountType != "system" {
|
||
return false
|
||
}
|
||
if info.Username == "mcp-agent" {
|
||
return true
|
||
}
|
||
return recordName == info.Username
|
||
}
|
||
|
||
type recordService struct {
|
||
pb.UnimplementedRecordServiceServer
|
||
db *db.DB
|
||
logger *slog.Logger
|
||
}
|
||
|
||
func (s *recordService) ListRecords(_ context.Context, req *pb.ListRecordsRequest) (*pb.ListRecordsResponse, error) {
|
||
if req.Zone == "" {
|
||
return nil, status.Error(codes.InvalidArgument, "zone is required")
|
||
}
|
||
|
||
records, err := s.db.ListRecords(req.Zone, req.Name, req.Type)
|
||
if errors.Is(err, db.ErrNotFound) {
|
||
return nil, status.Error(codes.NotFound, "zone not found")
|
||
}
|
||
if err != nil {
|
||
return nil, status.Error(codes.Internal, "failed to list records")
|
||
}
|
||
|
||
resp := &pb.ListRecordsResponse{}
|
||
for _, r := range records {
|
||
resp.Records = append(resp.Records, s.recordToProto(r))
|
||
}
|
||
return resp, nil
|
||
}
|
||
|
||
func (s *recordService) GetRecord(_ context.Context, req *pb.GetRecordRequest) (*pb.Record, error) {
|
||
if req.Id <= 0 {
|
||
return nil, status.Error(codes.InvalidArgument, "id must be positive")
|
||
}
|
||
|
||
record, err := s.db.GetRecord(req.Id)
|
||
if errors.Is(err, db.ErrNotFound) {
|
||
return nil, status.Error(codes.NotFound, "record not found")
|
||
}
|
||
if err != nil {
|
||
return nil, status.Error(codes.Internal, "failed to get record")
|
||
}
|
||
return s.recordToProto(*record), nil
|
||
}
|
||
|
||
func (s *recordService) CreateRecord(ctx context.Context, req *pb.CreateRecordRequest) (*pb.Record, error) {
|
||
if req.Zone == "" {
|
||
return nil, status.Error(codes.InvalidArgument, "zone is required")
|
||
}
|
||
if req.Name == "" {
|
||
return nil, status.Error(codes.InvalidArgument, "name is required")
|
||
}
|
||
if req.Type == "" {
|
||
return nil, status.Error(codes.InvalidArgument, "type is required")
|
||
}
|
||
if req.Value == "" {
|
||
return nil, status.Error(codes.InvalidArgument, "value is required")
|
||
}
|
||
|
||
if !authorizeRecordMutation(mcdslgrpc.TokenInfoFromContext(ctx), req.Name) {
|
||
return nil, status.Error(codes.PermissionDenied, "not authorized for record name")
|
||
}
|
||
|
||
record, err := s.db.CreateRecord(req.Zone, req.Name, req.Type, req.Value, int(req.Ttl))
|
||
if errors.Is(err, db.ErrNotFound) {
|
||
return nil, status.Error(codes.NotFound, "zone not found")
|
||
}
|
||
if errors.Is(err, db.ErrConflict) {
|
||
return nil, status.Error(codes.AlreadyExists, err.Error())
|
||
}
|
||
if err != nil {
|
||
return nil, status.Error(codes.InvalidArgument, err.Error())
|
||
}
|
||
return s.recordToProto(*record), nil
|
||
}
|
||
|
||
func (s *recordService) UpdateRecord(ctx context.Context, req *pb.UpdateRecordRequest) (*pb.Record, error) {
|
||
if req.Id <= 0 {
|
||
return nil, status.Error(codes.InvalidArgument, "id must be positive")
|
||
}
|
||
if req.Name == "" {
|
||
return nil, status.Error(codes.InvalidArgument, "name is required")
|
||
}
|
||
if req.Type == "" {
|
||
return nil, status.Error(codes.InvalidArgument, "type is required")
|
||
}
|
||
if req.Value == "" {
|
||
return nil, status.Error(codes.InvalidArgument, "value is required")
|
||
}
|
||
|
||
info := mcdslgrpc.TokenInfoFromContext(ctx)
|
||
existing, lookupErr := s.db.GetRecord(req.Id)
|
||
if lookupErr == nil && !authorizeRecordMutation(info, existing.Name) {
|
||
return nil, status.Error(codes.PermissionDenied, "not authorized for record name")
|
||
}
|
||
if !authorizeRecordMutation(info, req.Name) {
|
||
return nil, status.Error(codes.PermissionDenied, "not authorized for record name")
|
||
}
|
||
|
||
record, err := s.db.UpdateRecord(req.Id, req.Name, req.Type, req.Value, int(req.Ttl))
|
||
if errors.Is(err, db.ErrNotFound) {
|
||
return nil, status.Error(codes.NotFound, "record not found")
|
||
}
|
||
if errors.Is(err, db.ErrConflict) {
|
||
return nil, status.Error(codes.AlreadyExists, err.Error())
|
||
}
|
||
if err != nil {
|
||
return nil, status.Error(codes.InvalidArgument, err.Error())
|
||
}
|
||
return s.recordToProto(*record), nil
|
||
}
|
||
|
||
func (s *recordService) DeleteRecord(ctx context.Context, req *pb.DeleteRecordRequest) (*pb.DeleteRecordResponse, error) {
|
||
if req.Id <= 0 {
|
||
return nil, status.Error(codes.InvalidArgument, "id must be positive")
|
||
}
|
||
|
||
existing, lookupErr := s.db.GetRecord(req.Id)
|
||
if lookupErr == nil && !authorizeRecordMutation(mcdslgrpc.TokenInfoFromContext(ctx), existing.Name) {
|
||
return nil, status.Error(codes.PermissionDenied, "not authorized for record name")
|
||
}
|
||
|
||
err := s.db.DeleteRecord(req.Id)
|
||
if errors.Is(err, db.ErrNotFound) {
|
||
return nil, status.Error(codes.NotFound, "record not found")
|
||
}
|
||
if err != nil {
|
||
return nil, status.Error(codes.Internal, "failed to delete record")
|
||
}
|
||
return &pb.DeleteRecordResponse{}, nil
|
||
}
|
||
|
||
func (s *recordService) recordToProto(r db.Record) *pb.Record {
|
||
return &pb.Record{
|
||
Id: r.ID,
|
||
Zone: r.ZoneName,
|
||
Name: r.Name,
|
||
Type: r.Type,
|
||
Value: r.Value,
|
||
Ttl: int32(r.TTL),
|
||
CreatedAt: s.parseRecordTimestamp(r.CreatedAt),
|
||
UpdatedAt: s.parseRecordTimestamp(r.UpdatedAt),
|
||
}
|
||
}
|
||
|
||
func (s *recordService) parseRecordTimestamp(v string) *timestamppb.Timestamp {
|
||
t, err := parseTime(v)
|
||
if err != nil {
|
||
s.logger.Warn("failed to parse record timestamp", "value", v, "error", err)
|
||
return nil
|
||
}
|
||
return timestamppb.New(t)
|
||
}
|
||
|
||
func parseTime(s string) (time.Time, error) {
|
||
return time.Parse("2006-01-02T15:04:05Z", s)
|
||
}
|