mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add policy CRUD, cert management, and web UI updates

Browse Source 
- Add PUT /v1/policy/rule endpoint for updating policy rules; expose
  full policy CRUD through the web UI with a dedicated policy page
- Add certificate revoke, delete, and get-cert to CA engine and wire
  REST + gRPC routes; fix missing interceptor registrations
- Update ARCHITECTURE.md to reflect v2 gRPC as the active implementation,
  document ACME endpoints, correct CA permission levels, and add policy/cert
  management route tables
- Add POLICY.md documenting the priority-based ACL engine design
- Add web/templates/policy.html for policy management UI

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-03-15 19:41:11 -07:00
parent 02ee538213
commit fbd6d1af04
17 changed files with 1055 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
internal/server/routes.go
View File

@@ -269,6 +269,25 @@ func (s *Server) handleEngineRequest(w http.ResponseWriter, r *http.Request) {
}
info := TokenInfoFromContext(r.Context())
// Evaluate policy before dispatching to the engine.
policyReq := &policy.Request{
Username: info.Username,
Roles: info.Roles,
Resource: "engine/" + req.Mount + "/" + req.Operation,
Action: operationAction(req.Operation),
}
effect, err := s.policy.Evaluate(r.Context(), policyReq)
if err != nil {
s.logger.Error("policy evaluation failed", "error", err)
http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
return
}
if effect != policy.EffectAllow {
http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
return
}
engReq := &engine.Request{
Operation: req.Operation,
Path: req.Path,
@@ -547,6 +566,16 @@ func (s *Server) getCAEngine(mountName string) (*ca.CAEngine, error) {
return caEng, nil
}
// operationAction maps an engine operation name to a policy action ("read" or "write").
func operationAction(op string) string {
switch op {
case "list-issuers", "list-certs", "get-cert", "get-root", "get-chain", "get-issuer":
return "read"
default:
return "write"
}
}
func writeJSON(w http.ResponseWriter, status int, v interface{}) {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(status)