feat(staff): bitwise staff permissions + Grafana proxy lockdown#7759

Merged: h0lybyte merged 5 commits into dev from trunk/grafana-lockdown-1772921551 on Mar 8, 2026
Conversation


@h0lybyte h0lybyte commented Mar 8, 2026

Summary

  • Staff permission proto (kbve.staff): bitwise StaffPermission enum with hex flags organized by bit range (core tiers, feature-scoped, admin ops, superadmin)
  • Staff SQL schema (staff.members + staff.audit_log): all access via SECURITY DEFINER functions, RLS locked to service_role, privilege escalation guards, append-only audit log with immutability triggers
  • JWT cache integration: staff permission bitmask fetched via PostgREST RPC (public.staff_permissions()) and cached alongside token info
  • Grafana proxy lockdown: requires DASHBOARD_VIEW permission flag — returns 403 for unauthorized users
  • Unified dashboard: expanded from 4 to 12 Prometheus metrics across two sections (Nodes + Kubernetes), with 403/forbidden state handling

Test plan

  • cargo check in apps/kbve/axum-kbve/ passes clean
  • Verify proxy returns 403 JSON when user lacks DASHBOARD_VIEW permission
  • Verify proxy passes through when user holds DASHBOARD_VIEW (or SUPERADMIN)
  • Verify dashboard renders forbidden state with ShieldOff icon on 403
  • Verify dashboard shows all 12 metrics in two sections when authorized
  • Review SQL: all functions use SECURITY DEFINER + SET search_path = ''
  • Review SQL: privilege escalation guard prevents granting flags actor doesn't hold
  • Review SQL: audit log triggers block UPDATE/DELETE

…a proxy

Implement a staff permission system using bitwise flags for granular access
control. The proto defines the contract, SQL schema enforces it with SECURITY
DEFINER functions and RLS, and the Rust backend caches permissions alongside
JWT tokens. The Grafana proxy now requires DASHBOARD_VIEW permission. The
dashboard component is expanded to a unified view with 12 metrics across
Nodes and Kubernetes sections.

github-actions bot commented Mar 8, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

h0lybyte added 4 commits March 7, 2026 19:36
- Fix superadmin bit numbering: 0x40000000 is bit 30 (zero-indexed), not 31
- Add revoke/remove scope guards: actors cannot revoke/remove permissions
  they don't hold, and non-superadmins cannot touch superadmin targets
- Fix proxy_has_permission to require ALL bits in composite masks (= p_flag)
  instead of ANY bit (!= 0)
- Rename granted_by to last_granted_by for clearer semantics
- Add explicit ALTER FUNCTION OWNER TO postgres for all SECURITY DEFINER fns
- Qualify to_hex as pg_catalog.to_hex in SECURITY DEFINER functions
- Document RLS belt-and-suspenders pattern and zero-perms deletion invariant
- Document NULL actor_id as privileged bootstrap-only bypass
- Add FOR UPDATE row locking in service_grant/revoke/remove to prevent
  lost updates under concurrent modifications
- Guard proxy_has_permission against p_flag <= 0 (prevents silent
  authorization when 0 is passed — (v & 0) = 0 is always true)
- Add negative mask validation to service_revoke (consistency with grant)
- Make triggers idempotent with DROP TRIGGER IF EXISTS before CREATE
- Qualify NOW() as pg_catalog.now() in SECURITY DEFINER trigger functions
…hurn

- Add pg_advisory_xact_lock(hashtext(user_id)) in service_grant to
  serialize concurrent first-insert operations, preventing audit rows
  that record stale old_perms=0 when two grants race for a new user
- Skip UPDATE-then-DELETE in service_revoke when permissions hit zero;
  delete directly to avoid unnecessary trigger churn and WAL writes
- Add DROP POLICY IF EXISTS before CREATE POLICY for full idempotency
…me tiers

- Replace hashtext() advisory lock with two-key lock derived from UUID
  halves (64-bit total) to eliminate 32-bit hash collision risk
- Add requested_perms column to audit_log for forensic fidelity — records
  what the actor attempted, not just what changed
- Rename "Core tiers" to "Core role flags" in proto and SQL comments to
  align terminology with the actual bitwise-containment authority model
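The authorization rules described in the PR summary and in the commit messages above (all bits of a composite mask required, a non-positive flag never authorizes, actors cannot grant or revoke flags they do not hold, non-superadmins cannot touch superadmin targets, negative masks rejected, and the audit row recording requested as well as old and new permissions) as an added Rust example written for this page. It is not code from the kbve repository: only the SUPERADMIN value 0x40000000 (bit 30) comes from the commit log; the DASHBOARD_VIEW and DASHBOARD_EDIT values, the function names and the error type are constructed assumptions, and the SQL-side advisory lock, triggers and zero-permission row deletion are not modelled.

```rust
// Added example, not the kbve project's code. SUPERADMIN is the value named
// in the PR commit log; the other flag values and all names are constructed.

/// Mirrors a Postgres `integer` column, so negative values are representable
/// and must be rejected explicitly.
pub type Perms = i32;

pub const DASHBOARD_VIEW: Perms = 0x0000_0100; // constructed value
pub const DASHBOARD_EDIT: Perms = 0x0000_0200; // constructed value
pub const SUPERADMIN: Perms = 0x4000_0000;     // bit 30, zero-indexed

/// Containment check: every bit of `flag` must be set in `perms`.
/// A flag <= 0 is refused outright, since (perms & 0) == 0 would otherwise
/// authorize everyone.
pub fn has_permission(perms: Perms, flag: Perms) -> bool {
    if flag <= 0 {
        return false;
    }
    (perms & flag) == flag
}

/// Gate for the Grafana proxy: DASHBOARD_VIEW or SUPERADMIN passes, anything
/// else is a 403 in the handler.
pub fn proxy_allows(perms: Perms) -> bool {
    has_permission(perms, DASHBOARD_VIEW) || has_permission(perms, SUPERADMIN)
}

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum GrantError {
    NegativeMask,
    ZeroMask,
    /// The bits the actor asked for but does not hold.
    ActorLacksBits(Perms),
    /// Non-superadmin tried to touch a superadmin target or the superadmin bit.
    SuperadminTarget,
}

/// One audit row: what was requested, not only what changed.
#[derive(Debug, PartialEq, Clone, Copy)]
pub struct Change {
    pub old_perms: Perms,
    pub requested_perms: Perms,
    pub new_perms: Perms,
}

/// Escalation guard shared by grant and revoke. Superadmin holds every bit by
/// definition; everyone else may only move bits they already hold, and never
/// against a superadmin target.
fn check_scope(actor: Perms, target: Perms, mask: Perms) -> Result<(), GrantError> {
    if mask < 0 {
        return Err(GrantError::NegativeMask);
    }
    if mask == 0 {
        return Err(GrantError::ZeroMask);
    }
    if has_permission(actor, SUPERADMIN) {
        return Ok(());
    }
    if has_permission(target, SUPERADMIN) || (mask & SUPERADMIN) != 0 {
        return Err(GrantError::SuperadminTarget);
    }
    let missing = mask & !actor;
    if missing != 0 {
        return Err(GrantError::ActorLacksBits(missing));
    }
    Ok(())
}

pub fn grant(actor: Perms, target: Perms, mask: Perms) -> Result<Change, GrantError> {
    check_scope(actor, target, mask)?;
    Ok(Change { old_perms: target, requested_perms: mask, new_perms: target | mask })
}

/// A result of new_perms == 0 is where the SQL side deletes the row instead
/// of keeping a zero-permission member.
pub fn revoke(actor: Perms, target: Perms, mask: Perms) -> Result<Change, GrantError> {
    check_scope(actor, target, mask)?;
    Ok(Change { old_perms: target, requested_perms: mask, new_perms: target & !mask })
}

fn main() {
    // A viewer trying to hand out edit rights it does not hold is refused.
    println!("{:?}", grant(DASHBOARD_VIEW, 0, DASHBOARD_VIEW | DASHBOARD_EDIT));
    // Passing 0 as the flag does not silently authorize.
    println!("proxy_allows(0) = {}", proxy_allows(0));
}
```

The containment rule is what makes the "core role flags" naming in the last commit accurate: authority is decided purely by which bits an actor holds, not by a separate role hierarchy, so the same `has_permission` is the proxy check and the building block of the grant guard.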
@h0lybyte h0lybyte merged commit 137a423 into dev Mar 8, 2026
5 checks passed
@h0lybyte h0lybyte deleted the trunk/grafana-lockdown-1772921551 branch March 8, 2026 01:52