Allow system accounts to issue certificates

Service tokens from MCIAS have account_type "system" but no roles.
Thread AccountType through CallerInfo and treat system accounts as
users for certificate issuance. This allows services to request
their own TLS certificates without admin credentials.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 20:07:22 -07:00
parent 656f22e19b
commit a5bb366558
2 changed files with 13 additions and 7 deletions


@@ -47,15 +47,20 @@ func ValidateName(name string) error {
// CallerInfo carries authentication context into engines.
type CallerInfo struct {
Username string
AccountType string // "human" or "system"
Roles []string
IsAdmin bool
}
// IsUser returns true if the caller has the "user" or "admin" role (i.e. not guest-only).
// IsUser returns true if the caller is a human user with the "user" or
// "admin" role, or a system (service) account. Guest-only humans are excluded.
func (c *CallerInfo) IsUser() bool {
if c.IsAdmin {
return true
}
if c.AccountType == "system" {
return true
}
for _, r := range c.Roles {
if r == "user" {
return true
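Review bot: The new `if c.AccountType == "system"` branch in IsUser grants user-level access on a bare string comparison, and the same literal is repeated in the struct's field comment, so the two can drift apart with no compiler help; a named constant next to the type, `const AccountTypeSystem = "system"`, used both here and wherever the token's account_type is mapped, keeps the privilege check tied to one definition. Since this branch runs before the role loop, a system token carrying no roles at all is accepted, which matches the commit message but should be stated on the method so a later reader does not "fix" it: `// System accounts are accepted regardless of Roles; only the token's AccountType is consulted.` Any AccountType value other than "system" (including empty or differently cased) falls through to the role check, so an unexpected value fails closed rather than open. The body of IsUser continues past the end of this hunk.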


@@ -66,6 +66,7 @@ func (cs *caServer) callerInfo(ctx context.Context) *engine.CallerInfo {
}
return &engine.CallerInfo{
Username: ti.Username,
AccountType: ti.AccountType,
Roles: ti.Roles,
IsAdmin: ti.IsAdmin,
}
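Review bot: The added `AccountType: ti.AccountType,` copies the token's account type straight into CallerInfo with no check against the two documented values, and because IsUser now treats "system" as sufficient for certificate issuance, this line is where that trust is established; it deserves a comment saying so, e.g. `AccountType: ti.AccountType, // "human" or "system" as asserted by the token issuer; IsUser grants user access on "system"`. Whether `ti` is already validated against the known set is decided where it is produced, which is outside this hunk, so either that site or this one should document the expected values. The callerInfo function begins and ends outside the hunk.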