Fix CI for identity/RBAC PR

Author: bb-connor

Cargo.lock

@@ -146,8 +146,21 @@ pub async fn create_scoped_policy(
     actor: Option<axum::extract::Extension<AuthenticatedActor>>,
     Json(request): Json<CreateScopedPolicyRequest>,
 ) -> Result<Json<ScopedPolicy>, (StatusCode, String)> {
+    // RBAC does not currently have a first-class "role" scope type.
+    // Fail closed: only super-admin users may mutate role-scoped policies.
+    let actor_ref = actor.as_ref().map(|e| &e.0);
+    if request.scope.scope_type == PolicyScopeType::Role
+        && matches!(actor_ref, Some(AuthenticatedActor::User(_)))
+        && !actor_is_super_admin(&state, actor_ref)
+    {
+        return Err((
+            StatusCode::FORBIDDEN,
+            "role_scoped_policy_requires_super_admin".to_string(),
+        ));
+    }
+
     require_api_key_scope_or_user_permission_with_context(
-        actor.as_ref().map(|e| &e.0),
+        actor_ref,
         &state.rbac,
         Scope::Admin,
         ResourceRef {
@@ -244,7 +257,7 @@ pub async fn create_scoped_policy(
         "actor": actor_id,
         "policy": policy.clone(),
     }));
-    let _ = state.ledger.record(&audit);
+    state.record_audit_event(audit);
 
     state.broadcast(crate::state::DaemonEvent {
         event_type: "scoped_policy_created".to_string(),
@@ -304,6 +317,7 @@ pub async fn update_scoped_policy(
     Path(id): Path<String>,
     Json(request): Json<UpdateScopedPolicyRequest>,
 ) -> Result<Json<ScopedPolicy>, (StatusCode, String)> {
+    let actor_ref = actor.as_ref().map(|e| &e.0);
     let Some(mut existing) = state
         .policy_resolver
         .store()
@@ -362,8 +376,18 @@ pub async fn update_scoped_policy(
     }
 
     // RBAC: apply scope constraints using the updated policy scope.
+    if existing.scope.scope_type == PolicyScopeType::Role
+        && matches!(actor_ref, Some(AuthenticatedActor::User(_)))
+        && !actor_is_super_admin(&state, actor_ref)
+    {
+        return Err((
+            StatusCode::FORBIDDEN,
+            "role_scoped_policy_requires_super_admin".to_string(),
+        ));
+    }
+
     require_api_key_scope_or_user_permission_with_context(
-        actor.as_ref().map(|e| &e.0),
+        actor_ref,
         &state.rbac,
         Scope::Admin,
         ResourceRef {
@@ -415,7 +439,7 @@ pub async fn update_scoped_policy(
         "before": before,
         "after": after,
     }));
-    let _ = state.ledger.record(&audit);
+    state.record_audit_event(audit);
 
     state.broadcast(crate::state::DaemonEvent {
         event_type: "scoped_policy_updated".to_string(),
@@ -431,15 +455,26 @@ pub async fn delete_scoped_policy(
     actor: Option<axum::extract::Extension<AuthenticatedActor>>,
     Path(id): Path<String>,
 ) -> Result<Json<serde_json::Value>, (StatusCode, String)> {
+    let actor_ref = actor.as_ref().map(|e| &e.0);
     let existing = state
         .policy_resolver
         .store()
         .get_scoped_policy(&id)
         .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?
         .ok_or_else(|| (StatusCode::NOT_FOUND, "scoped_policy_not_found".to_string()))?;
 
+    if existing.scope.scope_type == PolicyScopeType::Role
+        && matches!(actor_ref, Some(AuthenticatedActor::User(_)))
+        && !actor_is_super_admin(&state, actor_ref)
+    {
+        return Err((
+            StatusCode::FORBIDDEN,
+            "role_scoped_policy_requires_super_admin".to_string(),
+        ));
+    }
+
     require_api_key_scope_or_user_permission_with_context(
-        actor.as_ref().map(|e| &e.0),
+        actor_ref,
         &state.rbac,
         Scope::Admin,
         ResourceRef {
@@ -491,7 +526,7 @@ pub async fn delete_scoped_policy(
         "actor": actor_string(actor.as_ref().map(|e| &e.0)),
         "policy": existing,
     }));
-    let _ = state.ledger.record(&audit);
+    state.record_audit_event(audit);
 
     state.broadcast(crate::state::DaemonEvent {
         event_type: "scoped_policy_deleted".to_string(),
@@ -963,3 +998,83 @@ pub async fn resolve_policy(
         policy_hash,
     }))
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    use axum::extract::State;
+    use axum::Json;
+
+    fn test_policy_admin(org_id: &str) -> AuthenticatedActor {
+        AuthenticatedActor::User(clawdstrike::IdentityPrincipal {
+            id: "user-1".to_string(),
+            provider: clawdstrike::IdentityProvider::Oidc,
+            issuer: "https://issuer.example".to_string(),
+            display_name: None,
+            email: None,
+            email_verified: None,
+            organization_id: Some(org_id.to_string()),
+            teams: Vec::new(),
+            roles: vec!["policy-admin".to_string()],
+            attributes: std::collections::HashMap::new(),
+            authenticated_at: chrono::Utc::now().to_rfc3339(),
+            auth_method: None,
+            expires_at: None,
+        })
+    }
+
+    #[tokio::test]
+    async fn role_scoped_policy_mutation_requires_super_admin() {
+        let test_dir =
+            std::env::temp_dir().join(format!("hushd-role-scope-test-{}", uuid::Uuid::new_v4()));
+        std::fs::create_dir_all(&test_dir).expect("create temp dir");
+
+        let config = crate::config::Config {
+            cors_enabled: false,
+            audit_db: test_dir.join("audit.db"),
+            control_db: Some(test_dir.join("control.db")),
+            ..Default::default()
+        };
+        let state = AppState::new(config).await.expect("state");
+
+        let role_scope = PolicyScope {
+            scope_type: PolicyScopeType::Role,
+            id: Some("role-1".to_string()),
+            name: Some("Role 1".to_string()),
+            parent: Some(Box::new(PolicyScope {
+                scope_type: PolicyScopeType::Organization,
+                id: Some("org-1".to_string()),
+                name: None,
+                parent: None,
+                conditions: Vec::new(),
+            })),
+            conditions: Vec::new(),
+        };
+
+        let request = CreateScopedPolicyRequest {
+            id: None,
+            name: "role-scoped".to_string(),
+            scope: role_scope,
+            priority: 0,
+            merge_strategy: MergeStrategy::Merge,
+            policy_yaml: Policy::new().to_yaml().expect("serialize default policy"),
+            enabled: true,
+            description: None,
+            tags: None,
+        };
+
+        let res = create_scoped_policy(
+            State(state),
+            Some(axum::extract::Extension(test_policy_admin("org-1"))),
+            Json(request),
+        )
+        .await;
+
+        let (status, msg) = res.expect_err("expected forbidden");
+        assert_eq!(status, StatusCode::FORBIDDEN);
+        assert_eq!(msg, "role_scoped_policy_requires_super_admin");
+
+        let _ = std::fs::remove_dir_all(&test_dir);
+    }
+}

crates/hushd/src/api/policy_scoping.rs

@@ -92,7 +92,7 @@ pub struct OktaConfig {
 
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct OktaWebhookConfig {
-    /// Shared secret token for verifying Okta event hooks (Authorization: Bearer <token>).
+    /// Shared secret token for verifying Okta event hooks (`Authorization: Bearer <token>`).
     pub verification_key: String,
 }
 
@@ -104,7 +104,7 @@ pub struct Auth0Config {
 
 #[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct Auth0LogStreamConfig {
-    /// Shared bearer token for verifying Auth0 log stream webhooks (Authorization: Bearer <token>).
+    /// Shared bearer token for verifying Auth0 log stream webhooks (`Authorization: Bearer <token>`).
     pub authorization: String,
 }
 

crates/hushd/src/config.rs

@@ -229,7 +229,7 @@ impl PolicyScopingStore for SqlitePolicyScopingStore {
         let conn = self.db.lock_conn();
         let mut stmt = conn.prepare(
             r#"
-SELECT name, scope_json, priority, merge_strategy, policy_yaml, enabled, metadata_json, created_at, updated_at
+SELECT id, name, scope_json, priority, merge_strategy, policy_yaml, enabled, metadata_json, created_at, updated_at
 FROM scoped_policies
 WHERE id = ?1
             "#,
@@ -240,28 +240,7 @@ WHERE id = ?1
             return Ok(None);
         };
 
-        let name: String = row.get(0)?;
-        let scope_json: String = row.get(1)?;
-        let priority: i32 = row.get(2)?;
-        let merge_strategy: String = row.get(3)?;
-        let policy_yaml: String = row.get(4)?;
-        let enabled: i64 = row.get(5)?;
-        let metadata_json: Option<String> = row.get(6)?;
-        let created_at: String = row.get(7)?;
-        let updated_at: String = row.get(8)?;
-
-        Ok(Some(scoped_policy_from_row(
-            id.to_string(),
-            name,
-            scope_json,
-            priority,
-            merge_strategy,
-            policy_yaml,
-            enabled != 0,
-            metadata_json,
-            created_at,
-            updated_at,
-        )?))
+        Ok(Some(scoped_policy_from_row(row)?))
     }
 
     fn list_scoped_policies(&self) -> Result<Vec<ScopedPolicy>> {
@@ -277,29 +256,7 @@ ORDER BY id ASC
         let mut rows = stmt.query([])?;
         let mut out = Vec::new();
         while let Some(row) = rows.next()? {
-            let id: String = row.get(0)?;
-            let name: String = row.get(1)?;
-            let scope_json: String = row.get(2)?;
-            let priority: i32 = row.get(3)?;
-            let merge_strategy: String = row.get(4)?;
-            let policy_yaml: String = row.get(5)?;
-            let enabled: i64 = row.get(6)?;
-            let metadata_json: Option<String> = row.get(7)?;
-            let created_at: String = row.get(8)?;
-            let updated_at: String = row.get(9)?;
-
-            out.push(scoped_policy_from_row(
-                id,
-                name,
-                scope_json,
-                priority,
-                merge_strategy,
-                policy_yaml,
-                enabled != 0,
-                metadata_json,
-                created_at,
-                updated_at,
-            )?);
+            out.push(scoped_policy_from_row(row)?);
         }
 
         Ok(out)
@@ -527,18 +484,18 @@ ORDER BY assigned_at DESC
     }
 }
 
-fn scoped_policy_from_row(
-    id: String,
-    name: String,
-    scope_json: String,
-    priority: i32,
-    merge_strategy: String,
-    policy_yaml: String,
-    enabled: bool,
-    metadata_json: Option<String>,
-    created_at: String,
-    updated_at: String,
-) -> Result<ScopedPolicy> {
+fn scoped_policy_from_row(row: &rusqlite::Row<'_>) -> Result<ScopedPolicy> {
+    let id: String = row.get(0)?;
+    let name: String = row.get(1)?;
+    let scope_json: String = row.get(2)?;
+    let priority: i32 = row.get(3)?;
+    let merge_strategy: String = row.get(4)?;
+    let policy_yaml: String = row.get(5)?;
+    let enabled: i64 = row.get(6)?;
+    let metadata_json: Option<String> = row.get(7)?;
+    let created_at: String = row.get(8)?;
+    let updated_at: String = row.get(9)?;
+
     let scope: PolicyScope = serde_json::from_str(&scope_json)?;
     let merge_strategy = merge_strategy_from_str(&merge_strategy);
     let stored_meta: Option<StoredPolicyMetadata> = metadata_json
@@ -561,7 +518,7 @@ fn scoped_policy_from_row(
         priority,
         merge_strategy,
         policy_yaml,
-        enabled,
+        enabled: enabled != 0,
         metadata,
     })
 }

crates/hushd/src/policy_scoping/mod.rs

@@ -6,7 +6,7 @@
 use std::collections::{HashMap, HashSet};
 use std::sync::{Arc, Mutex};
 
-use chrono::{DateTime, Utc};
+use chrono::{DateTime, Datelike, Timelike, Utc};
 use globset::{Glob, GlobMatcher};
 use regex::Regex;
 use serde::{Deserialize, Serialize};
@@ -1601,6 +1601,16 @@ fn builtin_roles(now: String) -> Vec<Role> {
     ]
 }
 
+fn dedupe_strings(input: Vec<String>) -> Vec<String> {
+    sort_strings(input.into_iter().collect())
+}
+
+fn sort_strings(input: HashSet<String>) -> Vec<String> {
+    let mut out: Vec<String> = input.into_iter().collect();
+    out.sort();
+    out
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -1814,16 +1824,3 @@ mod tests {
         assert!(!bad.allowed);
     }
 }
-
-fn dedupe_strings(input: Vec<String>) -> Vec<String> {
-    sort_strings(input.into_iter().collect())
-}
-
-fn sort_strings(input: HashSet<String>) -> Vec<String> {
-    let mut out: Vec<String> = input.into_iter().collect();
-    out.sort();
-    out
-}
-
-// chrono `Datelike/Timelike` helpers
-use chrono::{Datelike, Timelike};

crates/hushd/src/rbac/mod.rs

@@ -37,7 +37,9 @@ db-path = "target/cargo-deny/advisory-dbs"
 unmaintained = "all"
 yanked = "warn"
 ignore = [
-    # (empty)
+    # `atty` is pulled in transitively via `rust-xmlsec` (used for SAML).
+    # It's only used for terminal detection, and has no maintained upgrade path.
+    "RUSTSEC-2024-0375",
 ]
 
 [sources]

deny.toml

@@ -0,0 +1 @@
+{"files":{".cargo_vcs_info.json":"35a894adf25f43d2e0f8788b1768bb632b9121cdfe34240100c6166c848a5b3e","CHANGELOG.md":"70db121262d72acc472ad1a90b78c42de570820e65b566c6b9339b62e636d572","Cargo.lock":"6868f02a96413bcba37a06f01c6bf87e6331dea9461681a47a561cec6acd2546","Cargo.toml":"3af88a07af6a4adb84373fc3cd4920884b0b12b338cdb55ef598fd512ee1a790","Cargo.toml.orig":"e1f972324e35b0de555afb18a8bb041bc092dbb4317f4c1e62a383b4dfb6d1bd","LICENSE":"99fa95ba4e4cdaf71c27d73260ea069fc4515b3d02fde3020c5b562280006cbc","README.md":"e559a69c0b2bd20bffcede64fd548df6c671b0d1504613c5e3e5d884d759caea","examples/atty.rs":"1551387a71474d9ac1b5153231f884e9e05213badcfaa3494ad2cb7ea958374a","rustfmt.toml":"8e6ea1bcb79c505490034020c98e9b472f4ac4113f245bae90f5e1217b1ec65a","src/lib.rs":"d5abf6a54e8c496c486572bdc91eef10480f6ad126c4287f039df5feff7a9bbb"},"package":"d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8"}

vendor/atty/.cargo-checksum.json

@@ -0,0 +1,5 @@
+{
+  "git": {
+    "sha1": "7b5df17888997d57c2c1c8f91da1db5691f49953"
+  }
+}