From a5bb366558208ca53e9ae99f0ea244425984d0d3 Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Wed, 25 Mar 2026 20:07:22 -0700
Subject: [PATCH] Allow system accounts to issue certificates

Service tokens from MCIAS have account_type "system" but no roles. Thread AccountType through CallerInfo and treat system accounts as users for certificate issuance. This allows services to request their own TLS certificates without admin credentials.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 internal/engine/engine.go | 13 +++++++++----
 internal/grpcserver/ca.go | 7 ++++---
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/internal/engine/engine.go b/internal/engine/engine.go
index 3dc32c0..34905f8 100644
--- a/internal/engine/engine.go
+++ b/internal/engine/engine.go
@@ -46,16 +46,21 @@ func ValidateName(name string) error {
 
 // CallerInfo carries authentication context into engines.
 type CallerInfo struct {
-	Username string
-	Roles    []string
-	IsAdmin  bool
+	Username    string
+	AccountType string // "human" or "system"
+	Roles       []string
+	IsAdmin     bool
 }
 
-// IsUser returns true if the caller has the "user" or "admin" role (i.e. not guest-only).
+// IsUser returns true if the caller is a human user with the "user" or
+// "admin" role, or a system (service) account. Guest-only humans are excluded.
 func (c *CallerInfo) IsUser() bool {
 	if c.IsAdmin {
 		return true
 	}
+	if c.AccountType == "system" {
+		return true
+	}
 	for _, r := range c.Roles {
 		if r == "user" {
 			return true
diff --git a/internal/grpcserver/ca.go b/internal/grpcserver/ca.go
index 10a1ee8..b2f679b 100644
--- a/internal/grpcserver/ca.go
+++ b/internal/grpcserver/ca.go
@@ -65,9 +65,10 @@ func (cs *caServer) callerInfo(ctx context.Context) *engine.CallerInfo {
 		return nil
 	}
 	return &engine.CallerInfo{
-		Username: ti.Username,
-		Roles:    ti.Roles,
-		IsAdmin:  ti.IsAdmin,
+		Username:    ti.Username,
+		AccountType: ti.AccountType,
+		Roles:       ti.Roles,
+		IsAdmin:     ti.IsAdmin,
 	}
 }
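Review bot: The new `c.AccountType == "system"` branch in IsUser compares a raw string carried over from the MCIAS token, and the same literal is repeated in the field comment, so a typo or a future account_type value from the issuer fails silently rather than loudly; declare `AccountTypeHuman = "human"` and `AccountTypeSystem = "system"` as package constants in engine.go and write the check as `if c.AccountType == AccountTypeSystem {`, which the pass-through in ca.go's callerInfo (second hunk) can then reference too. Because the branch returns before the role loop, any token the issuer marks "system" reaches every IsUser-gated engine path with no further role check; the commit message says services request "their own" certificates, but nothing in this hunk binds the requested name to the calling service, so if that scoping is intended it must be enforced in the issuance path outside this diff, and a comment on the branch stating where that happens would save the next reader a search. A table test of IsUser over {IsAdmin, AccountType system with no roles, "user" role, guest-only, empty AccountType} would pin the widened matrix. IsUser's body continues past the end of the hunk.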