mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
56b5bae1f64c883c4cc43f8aea080f53fc79561d
metacrypt/internal/grpcserver/interceptors.go
Kyle Isom 5c5d7e184e Fix ECDH zeroization, add audit logging, and remediate high findings 
- Fix #61: handleRotateKey and handleDeleteUser now zeroize stored
  privBytes instead of calling Bytes() (which returns a copy). New
  state populates privBytes; old references nil'd for GC.
- Add audit logging subsystem (internal/audit) with structured event
  recording for cryptographic operations.
- Add audit log engine spec (engines/auditlog.md).
- Add ValidateName checks across all engines for path traversal (#48).
- Update AUDIT.md: all High findings resolved (0 open).
- Add REMEDIATION.md with detailed remediation tracking.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-17 14:04:39 -07:00

157 lines
5.0 KiB
Go
Raw Blame History

package grpcserver
import (
"context"
"log/slog"
"path"
"strings"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/metadata"
"google.golang.org/grpc/status"
"git.wntrmute.dev/kyle/metacrypt/internal/audit"
"git.wntrmute.dev/kyle/metacrypt/internal/auth"
"git.wntrmute.dev/kyle/metacrypt/internal/seal"
)
type contextKey int
const tokenInfoKey contextKey = iota
func tokenInfoFromContext(ctx context.Context) *auth.TokenInfo {
v, _ := ctx.Value(tokenInfoKey).(*auth.TokenInfo)
return v
}
// authInterceptor validates the Bearer token from gRPC metadata and injects
// *auth.TokenInfo into the context. The set of method full names that require
// auth is passed in; all others pass through without validation.
func authInterceptor(authenticator *auth.Authenticator, logger *slog.Logger, methods map[string]bool) grpc.UnaryServerInterceptor {
return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
if !methods[info.FullMethod] {
return handler(ctx, req)
}
token := extractToken(ctx)
if token == "" {
logger.Debug("grpc request rejected: missing token", "method", info.FullMethod)
return nil, status.Error(codes.Unauthenticated, "missing authorization token")
}
tokenInfo, err := authenticator.ValidateToken(token)
if err != nil {
logger.Debug("grpc request rejected: invalid token", "method", info.FullMethod, "error", err)
return nil, status.Error(codes.Unauthenticated, "invalid token")
}
logger.Debug("grpc request authenticated", "method", info.FullMethod, "username", tokenInfo.Username)
ctx = context.WithValue(ctx, tokenInfoKey, tokenInfo)
return handler(ctx, req)
}
}
// adminInterceptor requires IsAdmin on the token info for the listed methods.
// Must run after authInterceptor.
func adminInterceptor(logger *slog.Logger, methods map[string]bool) grpc.UnaryServerInterceptor {
return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
if !methods[info.FullMethod] {
return handler(ctx, req)
}
ti := tokenInfoFromContext(ctx)
if ti == nil || !ti.IsAdmin {
logger.Debug("grpc request rejected: admin required", "method", info.FullMethod)
return nil, status.Error(codes.PermissionDenied, "admin required")
}
logger.Debug("grpc admin request authorized", "method", info.FullMethod, "username", ti.Username)
return handler(ctx, req)
}
}
// sealInterceptor rejects calls with FailedPrecondition when the vault is
// sealed, for the listed methods.
func sealInterceptor(sealMgr *seal.Manager, logger *slog.Logger, methods map[string]bool) grpc.UnaryServerInterceptor {
return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
if !methods[info.FullMethod] {
return handler(ctx, req)
}
if sealMgr.State() != seal.StateUnsealed {
logger.Debug("grpc request rejected: vault sealed", "method", info.FullMethod)
return nil, status.Error(codes.FailedPrecondition, "vault is sealed")
}
return handler(ctx, req)
}
}
// chainInterceptors reduces a slice of interceptors into a single one.
func chainInterceptors(interceptors ...grpc.UnaryServerInterceptor) grpc.UnaryServerInterceptor {
return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
chain := handler
for i := len(interceptors) - 1; i >= 0; i-- {
next := chain
ic := interceptors[i]
chain = func(ctx context.Context, req interface{}) (interface{}, error) {
return ic(ctx, req, info, next)
}
}
return chain(ctx, req)
}
}
// auditInterceptor logs an audit event after each RPC completes. Must run
// after authInterceptor so that caller info is available in the context.
func auditInterceptor(auditLog *audit.Logger) grpc.UnaryServerInterceptor {
return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
resp, err := handler(ctx, req)
caller := "anonymous"
var roles []string
if ti := tokenInfoFromContext(ctx); ti != nil {
caller = ti.Username
roles = ti.Roles
}
outcome := "success"
var errMsg string
if err != nil {
outcome = "error"
if st, ok := status.FromError(err); ok {
if st.Code() == codes.PermissionDenied || st.Code() == codes.Unauthenticated {
outcome = "denied"
}
errMsg = st.Message()
} else {
errMsg = err.Error()
}
}
auditLog.Log(ctx, audit.Event{
Caller: caller,
Roles: roles,
Operation: path.Base(info.FullMethod),
Resource: info.FullMethod,
Outcome: outcome,
Error: errMsg,
})
return resp, err
}
}
func extractToken(ctx context.Context) string {
md, ok := metadata.FromIncomingContext(ctx)
if !ok {
return ""
}
vals := md.Get("authorization")
if len(vals) == 0 {
return ""
}
v := vals[0]
if strings.HasPrefix(v, "Bearer ") {
return strings.TrimPrefix(v, "Bearer ")
}
return v
}
Reference in New Issue View Git Blame Copy Permalink