Fix ECDH zeroization, add audit logging, and remediate high findings

- Fix #61: handleRotateKey and handleDeleteUser now zeroize stored privBytes instead of calling Bytes() (which returns a copy). New state populates privBytes; old references nil'd for GC. - Add audit logging subsystem (internal/audit) with structured event recording for cryptographic operations. - Add audit log engine spec (engines/auditlog.md). - Add ValidateName checks across all engines for path traversal (#48). - Update AUDIT.md: all High findings resolved (0 open). - Add REMEDIATION.md with detailed remediation tracking. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-17 14:04:39 -07:00
parent b33d1f99a0
commit 5c5d7e184e
24 changed files with 1699 additions and 72 deletions
--- a/internal/grpcserver/interceptors.go
+++ b/internal/grpcserver/interceptors.go
@@ -3,6 +3,7 @@ package grpcserver
 import (
 	"context"
 	"log/slog"
+	"path"
 	"strings"

 	"google.golang.org/grpc"
@@ -10,6 +11,7 @@ import (
 	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/status"

+	"git.wntrmute.dev/kyle/metacrypt/internal/audit"
 	"git.wntrmute.dev/kyle/metacrypt/internal/auth"
 	"git.wntrmute.dev/kyle/metacrypt/internal/seal"
 )
@@ -97,6 +99,46 @@ func chainInterceptors(interceptors ...grpc.UnaryServerInterceptor) grpc.UnarySe
 	}
 }

+// auditInterceptor logs an audit event after each RPC completes. Must run
+// after authInterceptor so that caller info is available in the context.
+func auditInterceptor(auditLog *audit.Logger) grpc.UnaryServerInterceptor {
+	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
+		resp, err := handler(ctx, req)
+
+		caller := "anonymous"
+		var roles []string
+		if ti := tokenInfoFromContext(ctx); ti != nil {
+			caller = ti.Username
+			roles = ti.Roles
+		}
+
+		outcome := "success"
+		var errMsg string
+		if err != nil {
+			outcome = "error"
+			if st, ok := status.FromError(err); ok {
+				if st.Code() == codes.PermissionDenied || st.Code() == codes.Unauthenticated {
+					outcome = "denied"
+				}
+				errMsg = st.Message()
+			} else {
+				errMsg = err.Error()
+			}
+		}
+
+		auditLog.Log(ctx, audit.Event{
+			Caller:    caller,
+			Roles:     roles,
+			Operation: path.Base(info.FullMethod),
+			Resource:  info.FullMethod,
+			Outcome:   outcome,
+			Error:     errMsg,
+		})
+
+		return resp, err
+	}
+}
+
 func extractToken(ctx context.Context) string {
 	md, ok := metadata.FromIncomingContext(ctx)
 	if !ok {