feat(manager-core): admin auth gate (Phase 3a)
Closes the regression risk of the admin API and dashboard being open
to anyone reaching the bound port. Required foundation before v1.1
data-plane services land.
Per-user accounts (admin_users), Argon2id passwords, env-var bootstrap
of the first admin that becomes inert once any admin exists, opaque
32-byte session token doubling as bearer credential, 24h sliding TTL
configurable via PICLOUD_SESSION_TTL_HOURS. is_active column lets
admins be deactivated without losing audit history; last-active-admin
guard on DELETE and on PATCH that flips is_active to false (sessions
also wiped on deactivation).
require_admin middleware fronts every /api/v1/admin/* route. The data
plane (/api/v1/execute/{id}), /healthz, /version, and user routes
stay open. picloud admin reset-password <username> subcommand handles
recovery without going through HTTP.
Dashboard gains /admin/login and /admin/admins surfaces, a top-bar
user menu, and a token store with a localStorage echo so refreshes
don't sign you out. Cookie-based auth works in parallel for non-SPA
clients.
Forward compatibility: future RBAC tables (admin_roles,
admin_user_roles) join on admin_users.id; the auth middleware is the
seam where role checks slot in. Email, 2FA, passkeys, and personal
API tokens are all additive without touching admin_users.
Blueprint §11.4 updated to reflect what actually shipped.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
MechaCat02
132
crates/manager-core/src/auth.rs
Normal file
132
crates/manager-core/src/auth.rs
Normal file
@@ -0,0 +1,132 @@
|
||||
//! Pure auth helpers: password hashing, session-token generation, and
|
||||
//! token-to-hash conversion. No DB, no HTTP — repos and middleware live
|
||||
//! in their own modules. Keeping this surface pure also keeps the unit
|
||||
//! tests fast (no Postgres needed).
|
||||
//!
|
||||
//! Hash algorithm is Argon2id with the OWASP default parameters
|
||||
//! (`Argon2::default()`). Tokens are 32 cryptographically random bytes
|
||||
//! base64-url-encoded for the wire; their SHA-256 (hex) is what hits the
|
||||
//! sessions table.
|
||||
|
||||
use argon2::password_hash::rand_core::OsRng as ArgonRng;
|
||||
use argon2::password_hash::{PasswordHash, PasswordHasher, PasswordVerifier, SaltString};
|
||||
use argon2::Argon2;
|
||||
use base64::engine::general_purpose::URL_SAFE_NO_PAD;
|
||||
use base64::Engine as _;
|
||||
use rand::rngs::OsRng;
|
||||
use rand::RngCore;
|
||||
use sha2::{Digest, Sha256};
|
||||
|
||||
/// Returned when the supplied password hash string isn't a valid PHC
|
||||
/// Argon2id encoding. Only surfaces at bootstrap time when the operator
|
||||
/// passes `PICLOUD_ADMIN_PASSWORD_HASH`.
|
||||
#[derive(Debug, thiserror::Error)]
|
||||
#[error("invalid Argon2id PHC hash")]
|
||||
pub struct InvalidPasswordHash;
|
||||
|
||||
/// Hash a raw password into an Argon2id PHC-formatted string suitable
|
||||
/// for `admin_users.password_hash`. The output already encodes the salt
|
||||
/// and parameters; nothing else needs to be persisted alongside it.
|
||||
pub fn hash_password(raw: &str) -> Result<String, argon2::password_hash::Error> {
|
||||
let salt = SaltString::generate(&mut ArgonRng);
|
||||
let hash = Argon2::default().hash_password(raw.as_bytes(), &salt)?;
|
||||
Ok(hash.to_string())
|
||||
}
|
||||
|
||||
/// Constant-ish-time verify of a raw password against a PHC hash.
|
||||
/// Returns `false` for any error (including malformed stored hash) —
|
||||
/// callers should treat that case identically to "wrong password" so
|
||||
/// nothing leaks about why auth failed.
|
||||
#[must_use]
|
||||
pub fn verify_password(stored_hash: &str, raw: &str) -> bool {
|
||||
let Ok(parsed) = PasswordHash::new(stored_hash) else {
|
||||
return false;
|
||||
};
|
||||
Argon2::default()
|
||||
.verify_password(raw.as_bytes(), &parsed)
|
||||
.is_ok()
|
||||
}
|
||||
|
||||
/// Validate that a string parses as a PHC Argon2id hash — used at
|
||||
/// bootstrap to fail fast on malformed `PICLOUD_ADMIN_PASSWORD_HASH`
|
||||
/// rather than write garbage into the DB and discover it at first login.
|
||||
pub fn validate_password_hash(stored_hash: &str) -> Result<(), InvalidPasswordHash> {
|
||||
PasswordHash::new(stored_hash).map_err(|_| InvalidPasswordHash)?;
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// Newly minted session token: `raw` goes to the client (cookie + JSON
|
||||
/// response), `hash` is what gets stored. Raw is unrecoverable from hash
|
||||
/// even if the DB leaks.
|
||||
pub struct GeneratedToken {
|
||||
pub raw: String,
|
||||
pub hash: String,
|
||||
}
|
||||
|
||||
/// Generate a fresh session token (32 random bytes base64-url-encoded).
|
||||
/// Always succeeds — `OsRng::fill_bytes` panics on entropy failure
|
||||
/// instead of returning, but that's a non-recoverable system condition.
|
||||
#[must_use]
|
||||
pub fn generate_session_token() -> GeneratedToken {
|
||||
let mut bytes = [0u8; 32];
|
||||
OsRng.fill_bytes(&mut bytes);
|
||||
let raw = URL_SAFE_NO_PAD.encode(bytes);
|
||||
let hash = hash_token(&raw);
|
||||
GeneratedToken { raw, hash }
|
||||
}
|
||||
|
||||
/// SHA-256(raw) as lower-case hex. Stable lookup key for
|
||||
/// `admin_sessions.token_hash`.
|
||||
#[must_use]
|
||||
pub fn hash_token(raw: &str) -> String {
|
||||
let digest = Sha256::digest(raw.as_bytes());
|
||||
hex(&digest)
|
||||
}
|
||||
|
||||
fn hex(bytes: &[u8]) -> String {
|
||||
const HEX: &[u8; 16] = b"0123456789abcdef";
|
||||
let mut out = String::with_capacity(bytes.len() * 2);
|
||||
for &b in bytes {
|
||||
out.push(HEX[(b >> 4) as usize] as char);
|
||||
out.push(HEX[(b & 0x0f) as usize] as char);
|
||||
}
|
||||
out
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use super::*;
|
||||
|
||||
#[test]
|
||||
fn hash_verify_roundtrip() {
|
||||
let h = hash_password("correct horse battery staple").unwrap();
|
||||
assert!(verify_password(&h, "correct horse battery staple"));
|
||||
assert!(!verify_password(&h, "wrong"));
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn verify_returns_false_on_malformed_hash() {
|
||||
assert!(!verify_password("not-a-phc-string", "anything"));
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn validate_password_hash_accepts_phc() {
|
||||
let h = hash_password("pw").unwrap();
|
||||
assert!(validate_password_hash(&h).is_ok());
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn validate_password_hash_rejects_garbage() {
|
||||
assert!(validate_password_hash("not a hash").is_err());
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn generate_token_unique_and_hash_stable() {
|
||||
let a = generate_session_token();
|
||||
let b = generate_session_token();
|
||||
assert_ne!(a.raw, b.raw, "tokens must be unique");
|
||||
assert_ne!(a.hash, b.hash, "hashes must differ");
|
||||
assert_eq!(a.hash, hash_token(&a.raw), "hash must be reproducible");
|
||||
assert_eq!(a.hash.len(), 64, "sha256-hex is 64 chars");
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user