fix: events create rbac role removed cause its pointless (#2795)

Author: kmendell

backend/api/api.go

@@ -285,7 +285,7 @@ func registerHandlersInternal(api huma.API, svc *di.Services, handlerAppCtx hand
 	handlers.RegisterUsers(api, svc.User, svc.Auth)
 	handlers.RegisterProjects(api, svc.Project, svc.Activity, handlerAppCtx)
 	handlers.RegisterVersion(api, svc.Version)
-	handlers.RegisterEvents(api, svc.Event, svc.ApiKey)
+	handlers.RegisterEvents(api, svc.Event)
 	handlers.RegisterActivities(api, svc.Activity, svc.Environment)
 	handlers.RegisterOidc(api, svc.Auth, svc.Oidc, svc.Role, svc.User, cfg)
 	handlers.RegisterEnvironments(api, svc.Environment, svc.Settings, svc.ApiKey, svc.Event, cfg)

backend/api/api_test.go

@@ -168,3 +168,15 @@ func TestSetupAPIForSpec_TemplateReadRoutesProtected(t *testing.T) {
 		})
 	}
 }
+
+func TestSetupAPIForSpec_DoesNotRegisterPublicCreateEvent(t *testing.T) {
+	api := SetupAPIForSpec()
+
+	pathItem := api.OpenAPI().Paths["/events"]
+	if pathItem == nil {
+		t.Fatal("expected /events path to be registered for list events")
+	}
+	if pathItem.Post != nil {
+		t.Fatal("expected POST /events to be absent from the public API")
+	}
+}

backend/api/handlers/environments.go

@@ -156,7 +156,7 @@ type DeploymentSnippet struct {
 type DeploymentSnippetFile struct {
 	Name          string `json:"name" doc:"Suggested filename"`
 	Content       string `json:"content,omitempty" doc:"PEM file contents. Omitted for sensitive files such as private keys; use downloadUrl instead."`
-	DownloadURL   string `json:"downloadUrl,omitempty" doc:"Admin-only endpoint to download this file when content is withheld"`
+	DownloadURL   string `json:"downloadUrl,omitempty" doc:"Pairing-permission endpoint to download this file when content is withheld"`
 	Sensitive     bool   `json:"sensitive,omitempty" doc:"True when this file is sensitive and must be fetched via downloadUrl"`
 	ContainerPath string `json:"containerPath" doc:"Container mount path expected by the mTLS snippet"`
 	Permissions   string `json:"permissions" doc:"Suggested file mode"`
@@ -358,7 +358,7 @@ func RegisterEnvironments(api huma.API, environmentService *services.Environment
 			{"BearerAuth": {}},
 			{"ApiKeyAuth": {}},
 		},
-		Middlewares: humamw.RequirePermission(api, authz.PermEnvironmentsRead),
+		Middlewares: humamw.RequirePermission(api, authz.PermEnvironmentsPair),
 	}, h.GetDeploymentSnippets)
 
 	huma.Register(api, huma.Operation{
@@ -372,7 +372,7 @@ func RegisterEnvironments(api huma.API, environmentService *services.Environment
 			{"BearerAuth": {}},
 			{"ApiKeyAuth": {}},
 		},
-		Middlewares: humamw.RequirePermission(api, authz.PermEnvironmentsRead),
+		Middlewares: humamw.RequirePermission(api, authz.PermEnvironmentsPair),
 	}, h.DownloadEnvironmentMTLSBundle)
 
 	huma.Register(api, huma.Operation{
@@ -386,7 +386,7 @@ func RegisterEnvironments(api huma.API, environmentService *services.Environment
 			{"BearerAuth": {}},
 			{"ApiKeyAuth": {}},
 		},
-		Middlewares: humamw.RequirePermission(api, authz.PermEnvironmentsRead),
+		Middlewares: humamw.RequirePermission(api, authz.PermEnvironmentsPair),
 	}, h.DownloadEnvironmentMTLSFile)
 
 	huma.Register(api, huma.Operation{
@@ -414,7 +414,7 @@ func RegisterEnvironments(api huma.API, environmentService *services.Environment
 			{"BearerAuth": {}},
 			{"ApiKeyAuth": {}},
 		},
-		Middlewares: humamw.RequirePermission(api, authz.PermEnvironmentsRead),
+		Middlewares: humamw.RequirePermission(api, authz.PermEnvironmentsPair),
 	}, h.DownloadEdgeMTLSCA)
 }
 

backend/api/handlers/environments_test.go

@@ -1,17 +1,62 @@
 package handlers
 
 import (
+	"net/http"
+	"net/http/httptest"
 	"os"
 	"testing"
 	"time"
 
 	"github.com/getarcaneapp/arcane/backend/internal/models"
 	"github.com/getarcaneapp/arcane/backend/internal/services"
+	"github.com/getarcaneapp/arcane/backend/pkg/authz"
 	"github.com/getarcaneapp/arcane/backend/pkg/libarcane/edge"
 	envtypes "github.com/getarcaneapp/arcane/types/environment"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
+func TestEnvironmentSecretDeploymentRoutesRequirePairPermission(t *testing.T) {
+	testCases := []struct {
+		name string
+		path string
+	}{
+		{name: "deployment snippets", path: "/api/environments/env-1/deployment"},
+		{name: "mtls bundle", path: "/api/environments/env-1/deployment/mtls/bundle"},
+		{name: "mtls file", path: "/api/environments/env-1/deployment/mtls/agent.key"},
+		{name: "edge ca", path: "/api/edge-mtls/ca"},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name+" read denied", func(t *testing.T) {
+			ps := authz.NewPermissionSet()
+			ps.AddGlobal(authz.PermEnvironmentsRead)
+			router, api := newPermissionGatingRouterInternal(t, ps)
+			RegisterEnvironments(api, nil, nil, nil, nil, nil)
+
+			req := httptest.NewRequest(http.MethodGet, testCase.path, nil)
+			rec := httptest.NewRecorder()
+			router.ServeHTTP(rec, req)
+
+			require.Equal(t, http.StatusForbidden, rec.Code)
+			require.Contains(t, rec.Body.String(), authz.PermEnvironmentsPair)
+		})
+
+		t.Run(testCase.name+" pair allowed", func(t *testing.T) {
+			ps := authz.NewPermissionSet()
+			ps.AddGlobal(authz.PermEnvironmentsPair)
+			router, api := newPermissionGatingRouterInternal(t, ps)
+			RegisterEnvironments(api, nil, nil, nil, nil, nil)
+
+			req := httptest.NewRequest(http.MethodGet, testCase.path, nil)
+			rec := httptest.NewRecorder()
+			router.ServeHTTP(rec, req)
+
+			require.NotEqual(t, http.StatusForbidden, rec.Code)
+		})
+	}
+}
+
 func TestEnvironmentMTLSAssetDownloadName(t *testing.T) {
 	env := &models.Environment{Name: "Lab Server"}
 	env.ID = "env-123"

backend/api/handlers/events.go

@@ -2,20 +2,26 @@ package handlers
 
 import (
 	"context"
+	"encoding/json"
+	"log/slog"
+	"net/http"
+	"strings"
 
 	"github.com/danielgtaylor/huma/v2"
 	humamw "github.com/getarcaneapp/arcane/backend/api/middleware"
 	"github.com/getarcaneapp/arcane/backend/internal/common"
+	"github.com/getarcaneapp/arcane/backend/internal/config"
 	"github.com/getarcaneapp/arcane/backend/internal/services"
 	"github.com/getarcaneapp/arcane/backend/pkg/authz"
+	pkgutils "github.com/getarcaneapp/arcane/backend/pkg/utils"
 	"github.com/getarcaneapp/arcane/types/base"
 	"github.com/getarcaneapp/arcane/types/event"
+	"github.com/labstack/echo/v4"
 )
 
 // EventHandler handles event management endpoints.
 type EventHandler struct {
 	eventService *services.EventService
-	apiKeySvc    *services.ApiKeyService
 }
 
 // ============================================================================
@@ -58,15 +64,6 @@ type GetEventsByEnvironmentOutput struct {
 	Body EventPaginatedResponse
 }
 
-type CreateEventInput struct {
-	XAPIKey string `header:"X-API-Key" doc:"API key for environment-scoped event forwarding"`
-	Body    event.CreateEvent
-}
-
-type CreateEventOutput struct {
-	Body base.ApiResponse[event.Event]
-}
-
 type DeleteEventInput struct {
 	EventID string `path:"eventId" doc:"Event ID"`
 }
@@ -79,11 +76,72 @@ type DeleteEventOutput struct {
 // Registration
 // ============================================================================
 
+// RegisterAgentEventIngestion registers the manager ingestion endpoint used by
+// direct agents when no edge tunnel is active. This route is not part of the
+// Huma/OpenAPI surface and authenticates only with the configured agent token.
+func RegisterAgentEventIngestion(g *echo.Group, eventService *services.EventService, cfg *config.Config) {
+	g.POST("/events", func(c echo.Context) error {
+		if eventService == nil {
+			return c.JSON(http.StatusInternalServerError, base.ApiResponse[base.MessageResponse]{
+				Success: false,
+				Data:    base.MessageResponse{Message: "service not available"},
+			})
+		}
+		if cfg == nil || strings.TrimSpace(cfg.AgentToken) == "" {
+			slog.Warn("agent event ingestion is disabled because agent token is not configured")
+			return c.JSON(http.StatusServiceUnavailable, base.ApiResponse[base.MessageResponse]{
+				Success: false,
+				Data:    base.MessageResponse{Message: "agent event ingestion is not configured"},
+			})
+		}
+		if !validAgentEventIngestionTokenInternal(c.Request(), cfg) {
+			return c.JSON(http.StatusUnauthorized, base.ApiResponse[base.MessageResponse]{
+				Success: false,
+				Data:    base.MessageResponse{Message: "invalid agent token"},
+			})
+		}
+
+		var input services.CreateEventRequest
+		decoder := json.NewDecoder(http.MaxBytesReader(c.Response(), c.Request().Body, 1<<20))
+		if err := decoder.Decode(&input); err != nil {
+			return c.JSON(http.StatusBadRequest, base.ApiResponse[base.MessageResponse]{
+				Success: false,
+				Data:    base.MessageResponse{Message: "invalid event payload"},
+			})
+		}
+		if strings.TrimSpace(string(input.Type)) == "" || strings.TrimSpace(input.Title) == "" {
+			return c.JSON(http.StatusBadRequest, base.ApiResponse[base.MessageResponse]{
+				Success: false,
+				Data:    base.MessageResponse{Message: "event type and title are required"},
+			})
+		}
+
+		if _, err := eventService.CreateEvent(c.Request().Context(), input); err != nil {
+			return c.JSON(http.StatusInternalServerError, base.ApiResponse[base.MessageResponse]{
+				Success: false,
+				Data:    base.MessageResponse{Message: (&common.EventCreationError{Err: err}).Error()},
+			})
+		}
+
+		return c.JSON(http.StatusAccepted, base.ApiResponse[base.MessageResponse]{
+			Success: true,
+			Data:    base.MessageResponse{Message: "event ingested"},
+		})
+	})
+}
+
+func validAgentEventIngestionTokenInternal(r *http.Request, cfg *config.Config) bool {
+	if cfg == nil {
+		return false
+	}
+	token := r.Header.Get(pkgutils.HeaderAgentToken)
+	return token != "" && token == cfg.AgentToken
+}
+
 // RegisterEvents registers all event management endpoints.
-func RegisterEvents(api huma.API, eventService *services.EventService, apiKeySvc *services.ApiKeyService) {
+func RegisterEvents(api huma.API, eventService *services.EventService) {
 	h := &EventHandler{
 		eventService: eventService,
-		apiKeySvc:    apiKeySvc,
 	}
 
 	huma.Register(api, huma.Operation{
@@ -100,23 +158,6 @@ func RegisterEvents(api huma.API, eventService *services.EventService, apiKeySvc
 		Middlewares: humamw.RequirePermission(api, authz.PermEventsRead),
 	}, h.ListEvents)
 
-	huma.Register(api, huma.Operation{
-		OperationID: "createEvent",
-		Method:      "POST",
-		Path:        "/events",
-		Summary:     "Create an event",
-		Description: "Create a new system event",
-		Tags:        []string{"Events"},
-		Security: []map[string][]string{
-			{"BearerAuth": {}},
-			{"ApiKeyAuth": {}},
-		},
-		// TODO: introduce a dedicated PermEventsCreate (and PermEventsDelete)
-		// permission. Today the events taxonomy only exposes PermEventsRead,
-		// so admin-level write actions reuse the read permission.
-		Middlewares: humamw.RequirePermission(api, authz.PermEventsRead),
-	}, h.CreateEvent)
-
 	huma.Register(api, huma.Operation{
 		OperationID: "deleteEvent",
 		Method:      "DELETE",
@@ -128,10 +169,7 @@ func RegisterEvents(api huma.API, eventService *services.EventService, apiKeySvc
 			{"BearerAuth": {}},
 			{"ApiKeyAuth": {}},
 		},
-		// TODO: introduce a dedicated PermEventsDelete permission. Today the
-		// events taxonomy only exposes PermEventsRead, so admin-level write
-		// actions reuse the read permission.
-		Middlewares: humamw.RequirePermission(api, authz.PermEventsRead),
+		Middlewares: humamw.RequirePermission(api, authz.PermEventsDelete),
 	}, h.DeleteEvent)
 
 	huma.Register(api, huma.Operation{
@@ -227,35 +265,6 @@ func (h *EventHandler) GetEventsByEnvironment(ctx context.Context, input *GetEve
 	}, nil
 }
 
-// CreateEvent creates a new event.
-func (h *EventHandler) CreateEvent(ctx context.Context, input *CreateEventInput) (*CreateEventOutput, error) {
-	if h.eventService == nil {
-		return nil, huma.Error500InternalServerError("service not available")
-	}
-
-	if h.apiKeySvc != nil && input.XAPIKey != "" {
-		resolvedEnvironmentID, err := h.apiKeySvc.GetEnvironmentByApiKey(ctx, input.XAPIKey)
-		if err != nil {
-			return nil, huma.Error401Unauthorized("invalid environment API key")
-		}
-		if resolvedEnvironmentID != nil && *resolvedEnvironmentID != "" {
-			input.Body.EnvironmentID = new(*resolvedEnvironmentID)
-		}
-	}
-
-	evt, err := h.eventService.CreateEventFromDto(ctx, input.Body)
-	if err != nil {
-		return nil, huma.Error500InternalServerError((&common.EventCreationError{Err: err}).Error())
-	}
-
-	return &CreateEventOutput{
-		Body: base.ApiResponse[event.Event]{
-			Success: true,
-			Data:    *evt,
-		},
-	}, nil
-}
-
 // DeleteEvent deletes an event.
 func (h *EventHandler) DeleteEvent(ctx context.Context, input *DeleteEventInput) (*DeleteEventOutput, error) {
 	if h.eventService == nil {