Add policy CRUD, cert management, and web UI updates

- Add PUT /v1/policy/rule endpoint for updating policy rules; expose full policy CRUD through the web UI with a dedicated policy page - Add certificate revoke, delete, and get-cert to CA engine and wire REST + gRPC routes; fix missing interceptor registrations - Update ARCHITECTURE.md to reflect v2 gRPC as the active implementation, document ACME endpoints, correct CA permission levels, and add policy/cert management route tables - Add POLICY.md documenting the priority-based ACL engine design - Add web/templates/policy.html for policy management UI Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-15 19:41:11 -07:00
parent 02ee538213
commit fbd6d1af04
17 changed files with 1055 additions and 58 deletions
--- a/internal/webserver/server.go
+++ b/internal/webserver/server.go
@@ -15,6 +15,7 @@ import (

 	"github.com/go-chi/chi/v5"

+	mcias "git.wntrmute.dev/kyle/mcias/clients/go"
 	"git.wntrmute.dev/kyle/metacrypt/internal/config"
 	webui "git.wntrmute.dev/kyle/metacrypt/web"
 )
@@ -40,23 +41,69 @@ type vaultBackend interface {
 	ListCerts(ctx context.Context, token, mount string) ([]CertSummary, error)
 	RevokeCert(ctx context.Context, token, mount, serial string) error
 	DeleteCert(ctx context.Context, token, mount, serial string) error
+	ListPolicies(ctx context.Context, token string) ([]PolicyRule, error)
+	GetPolicy(ctx context.Context, token, id string) (*PolicyRule, error)
+	CreatePolicy(ctx context.Context, token string, rule PolicyRule) (*PolicyRule, error)
+	DeletePolicy(ctx context.Context, token, id string) error
 	Close() error
 }

+const userCacheTTL = 5 * time.Minute
+
 // tgzEntry holds a cached tgz archive pending download.
 type tgzEntry struct {
 	filename string
 	data     []byte
 }

+// cachedUsername holds a resolved UUID→username entry with an expiry.
+type cachedUsername struct {
+	username  string
+	expiresAt time.Time
+}
+
 // WebServer is the standalone web UI server.
 type WebServer struct {
-	cfg      *config.Config
-	vault    vaultBackend
-	logger   *slog.Logger
-	httpSrv  *http.Server
-	staticFS fs.FS
-	tgzCache sync.Map // key: UUID string → *tgzEntry
+	cfg       *config.Config
+	vault     vaultBackend
+	mcias     *mcias.Client // optional; nil when no service_token is configured
+	logger    *slog.Logger
+	httpSrv   *http.Server
+	staticFS  fs.FS
+	tgzCache  sync.Map // key: UUID string → *tgzEntry
+	userCache sync.Map // key: UUID string → *cachedUsername
+}
+
+// resolveUser returns the display name for a user ID. If the ID is already a
+// human-readable username (i.e. not a UUID), it is returned unchanged. When the
+// webserver has an MCIAS client configured it will look up unknown IDs and cache
+// the result; otherwise the raw ID is returned as a fallback.
+func (ws *WebServer) resolveUser(id string) string {
+	if id == "" {
+		return id
+	}
+	if v, ok := ws.userCache.Load(id); ok {
+		if entry := v.(*cachedUsername); time.Now().Before(entry.expiresAt) {
+			ws.logger.Info("webserver: resolved user ID from cache", "id", id, "username", entry.username)
+			return entry.username
+		}
+	}
+	if ws.mcias == nil {
+		ws.logger.Warn("webserver: no MCIAS client available, cannot resolve user ID", "id", id)
+		return id
+	}
+	ws.logger.Info("webserver: looking up user ID via MCIAS", "id", id)
+	acct, err := ws.mcias.GetAccount(id)
+	if err != nil {
+		ws.logger.Warn("webserver: failed to resolve user ID", "id", id, "error", err)
+		return id
+	}
+	ws.logger.Info("webserver: resolved user ID", "id", id, "username", acct.Username)
+	ws.userCache.Store(id, &cachedUsername{
+		username:  acct.Username,
+		expiresAt: time.Now().Add(userCacheTTL),
+	})
+	return acct.Username
 }

 // New creates a new WebServer. It dials the vault gRPC endpoint.
@@ -73,12 +120,35 @@ func New(cfg *config.Config, logger *slog.Logger) (*WebServer, error) {
 		return nil, fmt.Errorf("webserver: static FS: %w", err)
 	}

-	return &WebServer{
+	ws := &WebServer{
 		cfg:      cfg,
 		vault:    vault,
 		logger:   logger,
 		staticFS: staticFS,
-	}, nil
+	}
+
+	if tok := cfg.MCIAS.ServiceToken; tok != "" {
+		mc, err := mcias.New(cfg.MCIAS.ServerURL, mcias.Options{
+			CACertPath: cfg.MCIAS.CACert,
+			Token:      tok,
+		})
+		if err != nil {
+			logger.Warn("webserver: failed to create MCIAS client for user resolution", "error", err)
+		} else {
+			claims, err := mc.ValidateToken(tok)
+			switch {
+			case err != nil:
+				logger.Warn("webserver: MCIAS service token validation failed", "error", err)
+			case !claims.Valid:
+				logger.Warn("webserver: MCIAS service token is invalid or expired")
+			default:
+				logger.Info("webserver: MCIAS service token valid", "sub", claims.Sub, "roles", claims.Roles)
+				ws.mcias = mc
+			}
+		}
+	}
+
+	return ws, nil
 }

 // loggingMiddleware logs each incoming HTTP request.