[roadmap] Add agent PKI CSR governance#45
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2f63cf1d96
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| agent_id = excluded.agent_id, | ||
| ca_provider_id = excluded.ca_provider_id, | ||
| serial_number_hash = excluded.serial_number_hash, |
There was a problem hiding this comment.
Preserve existing certificate metadata on PATCH
The status route is registered as PATCH and every field in AgentCertificateStatusUpdateRequest is optional, but a client that sends only a status change like {"certificate_status":"active"} reaches this conflict update with excluded.agent_id = NULL, excluded.ca_provider_id = '', empty fingerprints/evidence IDs, etc. That turns a status-only update into a destructive rewrite of the certificate’s existing agent/provider binding and evidence metadata; merge omitted fields from the current row or only update fields present in the payload.
Useful? React with 👍 / 👎.
| payload.ca_provider_id = Some(ca_provider_id.to_string()); | ||
| create_provider_sqlite(pool, tenant_id, actor_id, payload) | ||
| .await |
There was a problem hiding this comment.
Preserve provider fields during PATCH updates
PATCH /api/v1/agents/pki/providers/{id} accepts a sparse AgentPkiProviderWriteRequest, but this forwards the sparse payload into create_provider, whose normalizer fills omitted fields with defaults. A status-only provider patch therefore resets the provider name, trust domain, policies, lifetimes, and limitations to default text, losing existing CA governance metadata; merge the payload with the current provider first or make this a full replace operation.
Useful? React with 👍 / 👎.
| mtls_binding_status, | ||
| rotation_status, | ||
| revocation_status, | ||
| evidence_ids_json: json_i64_array(payload.evidence_ids, 50)?, |
There was a problem hiding this comment.
Validate evidence IDs against the tenant before persisting
When a certificate status includes evidence_ids, the payload only filters to positive integers and serializes them; no tenant-scoped lookup of evidence_evidenceitem is performed before the value is stored and returned. A tenant contributor can therefore attach arbitrary or another tenant’s private Evidence IDs to their certificate status, corrupting governance/review data and violating the evidence tenant-boundary invariant; validate each ID with tenant_id before accepting it.
Useful? React with 👍 / 👎.
| "cancelled" => "csr_status = 'cancelled', rejected_by = rejected_by, rejection_reason = CASE WHEN ?2 = '' THEN rejection_reason ELSE ?2 END, approved_by = approved_by + (?1 - ?1)", | ||
| _ => "csr_status = 'failed', rejected_by = rejected_by, rejection_reason = CASE WHEN ?2 = '' THEN rejection_reason ELSE ?2 END, approved_by = approved_by + (?1 - ?1)", | ||
| }; | ||
| format!("UPDATE agent_certificate_request SET {assignment}, updated_at = CURRENT_TIMESTAMP WHERE tenant_id = ?3 AND csr_id = ?4 RETURNING {CSR_COLUMNS}") |
There was a problem hiding this comment.
Restrict CSR decisions to pending requests
These transition updates match only tenant_id and csr_id, so any existing CSR can be approved, rejected, or cancelled regardless of its current status. For example, an already approved CSR can later be rejected or cancelled through the new endpoints, rewriting the approval/rejection fields and audit state; add a current-status predicate such as pending_review or enforce an explicit transition matrix in both query builders.
Useful? React with 👍 / 👎.
Problemstellung und Ziel
ISCY soll die Zero-Trust-Agent-Governance um eine CA-/PKI-/CSR-Schicht erweitern, ohne produktive CA-Secrets, private Schluessel, echte Zertifikatsausstellung oder automatische mTLS-Aktivierung einzufuehren. Ziel ist ein tenantgebundenes Governance- und Statusmodell fuer CA-Provider, CSR-Review, Zertifikatsstatus, mTLS-Bindung, Rotation und Widerruf.
Geaenderte Funktionen
Betroffene Dateien
rust/iscy-backend/src/agent_pki_store.rsrust/iscy-backend/src/db_admin.rsrust/iscy-backend/src/lib.rsrust/iscy-backend/src/main.rsrust/iscy-backend/src/report_store.rsrust/iscy-backend/tests/http_tests.rsCHANGELOG.mddocs/ZERO_TRUST_AGENT.mddocs/ISCY_Handbuch.mddocs/ISCY_Handbuch.pdfdocs/ISCY_STRATEGIC_ROADMAP.mddocs/GUI_SCREENSHOTS.mdDatenbankmigrationen
0037_rust_agent_pki_csr_governance.agent_pki_provider,agent_certificate_request,agent_certificate_status,agent_pki_event.Neue oder geaenderte API-Endpunkte
GET/POST /api/v1/agents/pki/providersGET/PATCH /api/v1/agents/pki/providers/{provider_id}GET/POST /api/v1/agents/pki/csrsGET /api/v1/agents/pki/csrs/{csr_id}POST /api/v1/agents/pki/csrs/{csr_id}/approvePOST /api/v1/agents/pki/csrs/{csr_id}/rejectPOST /api/v1/agents/pki/csrs/{csr_id}/cancelGET /api/v1/agents/pki/certificatesGET /api/v1/agents/pki/certificates/{certificate_id}PATCH /api/v1/agents/pki/certificates/{certificate_id}/statusPOST /api/v1/agents/pki/certificates/{certificate_id}/rotation-requiredPOST /api/v1/agents/pki/certificates/{certificate_id}/revocation-requestGET /api/v1/agents/{agent_id}/pkiGET /api/v1/agents/onboarding/pkiGUI-Aenderungen
/zero-trust/zeigt Agent-PKI, CSR und mTLS-Governance mit Provider-, CSR-, Zertifikats-, Rotation- und Widerrufstatus.Tenant- und Berechtigungsgrenzen
Security-Entscheidungen
Ausgefuehrte Tests
cargo fmt --manifest-path rust/iscy-backend/Cargo.toml -- --checkcargo clippy --locked --manifest-path rust/iscy-backend/Cargo.toml --all-targets -- -D warningscargo test --locked --manifest-path rust/iscy-backend/Cargo.tomlcargo audit --file rust/iscy-backend/Cargo.lock --ignore RUSTSEC-2023-0071cargo deny --manifest-path rust/iscy-backend/Cargo.toml check advisories licenses sourcesmake rust-smokemake rust-restore-smokenix flake checkmake docs-pdfconfigfuer dev, stage, prod, prod+llm und monitoring mit temporaerer Dummy-Env.0037und vier neue PKI-Tabellen im Restore verifiziert.git diff --checkHinweis: Der lokale hardened Docker-Build konnte nicht ausgefuehrt werden, weil auf diesem Rechner kein Docker-Daemon/Sockel unter
/var/run/docker.sockverfuegbar ist. Die GitHub-CI wird dafuer abgewartet.Bekannte Einschraenkungen
Bewusst nicht umgesetzt