Add CRL endpoint, sign-CSR web route, and policy-based issuance authorization

- Register handleSignCSR route in webserver (was dead code) - Add GET /v1/pki/{mount}/issuer/{name}/crl REST endpoint and PKIService.GetCRL gRPC RPC for DER-encoded CRL generation - Replace admin-only gates on issue/renew/sign-csr with policy-based access control: admins grant-all, authenticated users subject to identifier ownership (CN/SANs not held by another user's active cert) and optional policy overrides via ca/{mount}/id/{identifier} resources - Add PolicyChecker to engine.Request and policy.Match() method to distinguish matched rules from default deny - Update and expand CA engine tests for ownership, revocation freeing, and policy override scenarios Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 15:22:04 -07:00
parent fbd6d1af04
commit ac4577f778
11 changed files with 810 additions and 68 deletions
--- a/internal/grpcserver/ca.go
+++ b/internal/grpcserver/ca.go
@@ -13,6 +13,7 @@ import (
 	pb "git.wntrmute.dev/kyle/metacrypt/gen/metacrypt/v2"
 	"git.wntrmute.dev/kyle/metacrypt/internal/engine"
 	"git.wntrmute.dev/kyle/metacrypt/internal/engine/ca"
+	"git.wntrmute.dev/kyle/metacrypt/internal/policy"
 )

 type caServer struct {
@@ -35,6 +36,8 @@ func (cs *caServer) caHandleRequest(ctx context.Context, mount, operation string
 			st = codes.NotFound
 		case errors.Is(err, ca.ErrIssuerExists):
 			st = codes.AlreadyExists
+		case errors.Is(err, ca.ErrIdentifierInUse):
+			st = codes.AlreadyExists
 		case errors.Is(err, ca.ErrUnauthorized):
 			st = codes.Unauthenticated
 		case errors.Is(err, ca.ErrForbidden):
@@ -68,6 +71,26 @@ func (cs *caServer) callerInfo(ctx context.Context) *engine.CallerInfo {
 	}
 }

+func (cs *caServer) policyChecker(ctx context.Context) engine.PolicyChecker {
+	caller := cs.callerInfo(ctx)
+	if caller == nil {
+		return nil
+	}
+	return func(resource, action string) (string, bool) {
+		pReq := &policy.Request{
+			Username: caller.Username,
+			Roles:    caller.Roles,
+			Resource: resource,
+			Action:   action,
+		}
+		effect, matched, err := cs.s.policy.Match(ctx, pReq)
+		if err != nil {
+			return string(policy.EffectDeny), false
+		}
+		return string(effect), matched
+	}
+}
+
 func (cs *caServer) ImportRoot(ctx context.Context, req *pb.ImportRootRequest) (*pb.ImportRootResponse, error) {
 	if req.Mount == "" {
 		return nil, status.Error(codes.InvalidArgument, "mount is required")
@@ -260,9 +283,10 @@ func (cs *caServer) IssueCert(ctx context.Context, req *pb.IssueCertRequest) (*p
 	}

 	resp, err := cs.caHandleRequest(ctx, req.Mount, "issue", &engine.Request{
-		Operation:  "issue",
-		CallerInfo: cs.callerInfo(ctx),
-		Data:       data,
+		Operation:   "issue",
+		CallerInfo:  cs.callerInfo(ctx),
+		CheckPolicy: cs.policyChecker(ctx),
+		Data:        data,
 	})
 	if err != nil {
 		return nil, err
@@ -338,9 +362,10 @@ func (cs *caServer) RenewCert(ctx context.Context, req *pb.RenewCertRequest) (*p
 		return nil, status.Error(codes.InvalidArgument, "mount and serial are required")
 	}
 	resp, err := cs.caHandleRequest(ctx, req.Mount, "renew", &engine.Request{
-		Operation:  "renew",
-		CallerInfo: cs.callerInfo(ctx),
-		Data:       map[string]interface{}{"serial": req.Serial},
+		Operation:   "renew",
+		CallerInfo:  cs.callerInfo(ctx),
+		CheckPolicy: cs.policyChecker(ctx),
+		Data:        map[string]interface{}{"serial": req.Serial},
 	})
 	if err != nil {
 		return nil, err
@@ -389,9 +414,10 @@ func (cs *caServer) SignCSR(ctx context.Context, req *pb.SignCSRRequest) (*pb.Si
 		data["ttl"] = req.Ttl
 	}
 	resp, err := cs.caHandleRequest(ctx, req.Mount, "sign-csr", &engine.Request{
-		Operation:  "sign-csr",
-		CallerInfo: cs.callerInfo(ctx),
-		Data:       data,
+		Operation:   "sign-csr",
+		CallerInfo:  cs.callerInfo(ctx),
+		CheckPolicy: cs.policyChecker(ctx),
+		Data:        data,
 	})
 	if err != nil {
 		return nil, err
--- a/internal/grpcserver/pki.go
+++ b/internal/grpcserver/pki.go
@@ -65,6 +65,27 @@ func (ps *pkiServer) GetIssuerCert(_ context.Context, req *pb.GetIssuerCertReque
 	return &pb.GetIssuerCertResponse{CertPem: certPEM}, nil
 }

+func (ps *pkiServer) GetCRL(ctx context.Context, req *pb.GetCRLRequest) (*pb.GetCRLResponse, error) {
+	if req.Issuer == "" {
+		return nil, status.Error(codes.InvalidArgument, "issuer is required")
+	}
+	caEng, err := ps.getCAEngine(req.Mount)
+	if err != nil {
+		return nil, err
+	}
+	crlDER, err := caEng.GetCRLDER(ctx, req.Issuer)
+	if err != nil {
+		if errors.Is(err, ca.ErrIssuerNotFound) {
+			return nil, status.Error(codes.NotFound, "issuer not found")
+		}
+		if errors.Is(err, ca.ErrSealed) {
+			return nil, status.Error(codes.Unavailable, "sealed")
+		}
+		return nil, status.Error(codes.Internal, err.Error())
+	}
+	return &pb.GetCRLResponse{CrlDer: crlDER}, nil
+}
+
 func (ps *pkiServer) getCAEngine(mountName string) (*ca.CAEngine, error) {
 	mount, err := ps.s.engines.GetMount(mountName)
 	if err != nil {