Checkpoint: auth, engine, seal, server, grpc updates

Co-authored-by: Junie <junie@jetbrains.com>

internal/seal/seal.go

@@ -6,6 +6,7 @@ import (
 	"database/sql"
 	"errors"
 	"fmt"
+	"log/slog"
 	"sync"
 	"time"
 
@@ -51,6 +52,7 @@ var (
 type Manager struct {
 	db      *sql.DB
 	barrier *barrier.AESGCMBarrier
+	logger  *slog.Logger
 
 	mu    sync.RWMutex
 	state ServiceState
@@ -63,10 +65,11 @@ type Manager struct {
 }
 
 // NewManager creates a new seal manager.
-func NewManager(db *sql.DB, b *barrier.AESGCMBarrier) *Manager {
+func NewManager(db *sql.DB, b *barrier.AESGCMBarrier, logger *slog.Logger) *Manager {
 	return &Manager{
 		db:      db,
 		barrier: b,
+		logger:  logger,
 		state:   StateUninitialized,
 	}
 }
@@ -98,8 +101,10 @@ func (m *Manager) CheckInitialized() error {
 	}
 	if count > 0 {
 		m.state = StateSealed
+		m.logger.Debug("seal config found, state set to sealed")
 	} else {
 		m.state = StateUninitialized
+		m.logger.Debug("no seal config found, state set to uninitialized")
 	}
 	return nil
 }
@@ -114,6 +119,7 @@ func (m *Manager) Initialize(ctx context.Context, password []byte, params crypto
 		return ErrAlreadyInitialized
 	}
 
+	m.logger.Debug("initializing seal manager")
 	m.state = StateInitializing
 	defer func() {
 		if m.mek == nil {
@@ -162,6 +168,7 @@ func (m *Manager) Initialize(ctx context.Context, password []byte, params crypto
 
 	m.mek = mek
 	m.state = StateUnsealed
+	m.logger.Debug("seal initialization complete, barrier unsealed")
 	return nil
 }
 
@@ -177,9 +184,11 @@ func (m *Manager) Unseal(password []byte) error {
 		return ErrNotSealed
 	}
 
+	m.logger.Debug("unseal attempt")
 	// Rate limiting.
 	now := time.Now()
 	if now.Before(m.lockoutUntil) {
+		m.logger.Debug("unseal attempt rate limited")
 		return ErrRateLimited
 	}
 	if now.Sub(m.lastAttempt) > time.Minute {
@@ -190,6 +199,7 @@ func (m *Manager) Unseal(password []byte) error {
 	if m.unsealAttempts > 5 {
 		m.lockoutUntil = now.Add(60 * time.Second)
 		m.unsealAttempts = 0
+		m.logger.Debug("unseal attempts exceeded, locking out")
 		return ErrRateLimited
 	}
 
@@ -215,6 +225,7 @@ func (m *Manager) Unseal(password []byte) error {
 
 	mek, err := crypto.Decrypt(kwk, encryptedMEK)
 	if err != nil {
+		m.logger.Debug("unseal failed: invalid password")
 		return ErrInvalidPassword
 	}
 
@@ -227,6 +238,7 @@ func (m *Manager) Unseal(password []byte) error {
 	m.mek = mek
 	m.state = StateUnsealed
 	m.unsealAttempts = 0
+	m.logger.Debug("unseal succeeded, barrier unsealed")
 	return nil
 }
 
@@ -239,11 +251,13 @@ func (m *Manager) Seal() error {
 		return ErrNotSealed
 	}
 
+	m.logger.Debug("sealing service")
 	if m.mek != nil {
 		crypto.Zeroize(m.mek)
 		m.mek = nil
 	}
 	m.barrier.Seal()
 	m.state = StateSealed
+	m.logger.Debug("service sealed")
 	return nil
 }

internal/seal/seal_test.go

@@ -2,6 +2,7 @@ package seal
 
 import (
 	"context"
+	"log/slog"
 	"path/filepath"
 	"testing"
 
@@ -21,7 +22,7 @@ func setupSeal(t *testing.T) (*Manager, func()) {
 		t.Fatalf("migrate: %v", err)
 	}
 	b := barrier.NewAESGCMBarrier(database)
-	mgr := NewManager(database, b)
+	mgr := NewManager(database, b, slog.Default())
 	return mgr, func() { database.Close() }
 }
 
@@ -101,7 +102,7 @@ func TestSealCheckInitializedPersists(t *testing.T) {
 	database, _ := db.Open(dbPath)
 	db.Migrate(database)
 	b := barrier.NewAESGCMBarrier(database)
-	mgr := NewManager(database, b)
+	mgr := NewManager(database, b, slog.Default())
 	mgr.CheckInitialized()
 	params := crypto.Argon2Params{Time: 1, Memory: 64 * 1024, Threads: 1}
 	mgr.Initialize(context.Background(), []byte("password"), params)
@@ -111,7 +112,7 @@ func TestSealCheckInitializedPersists(t *testing.T) {
 	database2, _ := db.Open(dbPath)
 	defer database2.Close()
 	b2 := barrier.NewAESGCMBarrier(database2)
-	mgr2 := NewManager(database2, b2)
+	mgr2 := NewManager(database2, b2, slog.Default())
 	mgr2.CheckInitialized()
 	if mgr2.State() != StateSealed {
 		t.Fatalf("state after reopen: got %v, want Sealed", mgr2.State())