mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add CRL endpoint, sign-CSR web route, and policy-based issuance authorization

Browse Source 
- Register handleSignCSR route in webserver (was dead code)
- Add GET /v1/pki/{mount}/issuer/{name}/crl REST endpoint and
  PKIService.GetCRL gRPC RPC for DER-encoded CRL generation
- Replace admin-only gates on issue/renew/sign-csr with policy-based
  access control: admins grant-all, authenticated users subject to
  identifier ownership (CN/SANs not held by another user's active cert)
  and optional policy overrides via ca/{mount}/id/{identifier} resources
- Add PolicyChecker to engine.Request and policy.Match() method to
  distinguish matched rules from default deny
- Update and expand CA engine tests for ownership, revocation freeing,
  and policy override scenarios

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-03-16 15:22:04 -07:00
parent fbd6d1af04
commit ac4577f778
11 changed files with 810 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
internal/policy/policy.go
View File

@@ -55,16 +55,23 @@ func NewEngine(b barrier.Barrier) *Engine {
// Otherwise: collect matching rules, sort by priority (lower = higher priority),
// first match wins, default deny.
func (e *Engine) Evaluate(ctx context.Context, req *Request) (Effect, error) {
effect, _, err := e.Match(ctx, req)
return effect, err
}
// Match checks whether a policy rule matches the request.
// Returns the effect, whether a rule actually matched (vs default deny), and any error.
func (e *Engine) Match(ctx context.Context, req *Request) (Effect, bool, error) {
// Admin bypass.
for _, r := range req.Roles {
if r == "admin" {
return EffectAllow, nil
return EffectAllow, true, nil
}
}
rules, err := e.listRules(ctx)
if err != nil {
return EffectDeny, err
return EffectDeny, false, err
}
// Sort by priority ascending (lower number = higher priority).
@@ -74,11 +81,11 @@ func (e *Engine) Evaluate(ctx context.Context, req *Request) (Effect, error) {
for _, rule := range rules {
if matchesRule(&rule, req) {
return rule.Effect, nil
return rule.Effect, true, nil
}
}
return EffectDeny, nil // default deny
return EffectDeny, false, nil // default deny, no matching rule
}
// CreateRule stores a new policy rule.