feat: agent auth #371
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
Pull request overview
Adds first-class “agent” authentication to support machine-to-machine ingestion, including service-account key management, agent-scoped JWTs, and middleware to protect (or optionally keep public) agent ingest endpoints.
Changes:
- Introduces relational models + migrations for Agents, AgentServiceAccountKeys, and AgentAuthEvents.
- Adds agent JWT generation/verification and a new /api/auth/agent/token endpoint for issuing agent tokens.
- Wires new agent ingest middleware into agent batch upsert routes, evidence creation, and heartbeat ingestion; expands integration test coverage accordingly.
Reviewed changes
Copilot reviewed 23 out of 23 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| internal/tests/migrate.go | Adds new agent tables to test migrator up/down. |
| internal/tests/integration.go | Adds helpers to create agents/keys and generate agent tokens in integration suites. |
| internal/service/relational/agents.go | New relational models for agents, keys, and auth events (append-only). |
| internal/service/migrator.go | Adds new agent tables to main migrator up/down. |
| internal/config/config.go | Adds StrictDisablePublicAgentEndpoints flag to control agent endpoint exposure. |
| internal/authn/jwt.go | Adds token-kind separation and agent JWT generation/verification. |
| internal/authn/jwt_test.go | Tests that user/agent tokens can’t be verified by the wrong verifier. |
| internal/api/middleware/agent_ingest.go | New middleware to require/optionally allow public agent JWT auth and load agent/key from DB. |
| internal/api/middleware/agent_auth.go | Removes prior no-op agent middleware. |
| internal/api/handler/templates/subject_template.go | Allows injecting middleware into agent batch route registration. |
| internal/api/handler/templates/subject_template_integration_test.go | Uses agent auth for batch upsert by default; tests unsafe/public toggle. |
| internal/api/handler/templates/risk_template.go | Allows injecting middleware into agent batch route registration. |
| internal/api/handler/templates/risk_template_integration_test.go | Uses agent auth for batch upsert by default; tests unsafe/public toggle. |
| internal/api/handler/heartbeat.go | Splits registration to allow middleware per route. |
| internal/api/handler/heartbeat_integration_test.go | Updates setup and adds auth requirement test when unsafe disabled. |
| internal/api/handler/evidence.go | Splits create vs read route registration to apply agent ingest middleware only to create. |
| internal/api/handler/evidence_integration_test.go | Adds agent-auth-required coverage and expired-key rejection coverage. |
| internal/api/handler/auth/auth.go | Registers new /api/auth/agent/token route. |
| internal/api/handler/auth/auth_integration_test.go | Adds integration coverage for agent token issuance and rejection paths. |
| internal/api/handler/auth/agent.go | Implements agent token issuance + auth event logging for key-based auth. |
| internal/api/handler/api.go | Wires agent ingest middleware into ingest endpoints; adds admin agent management routes. |
| internal/api/handler/agents.go | New admin CRUD + key management endpoints for agents. |
| internal/api/handler/agents_integration_test.go | Integration coverage for agent CRUD and key lifecycle. |
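As an added illustration of the token-kind separation the review describes (user and agent tokens that cannot be verified by the wrong verifier), the following Go program is an example written for this page, not code from this PR or from the project's internal/authn/jwt.go. The claim name `kind`, the function names, and the HS256-over-standard-library construction are assumptions; the signing secret is a constructed test value. It mints user and agent tokens and shows that each verifier rejects the other kind, as well as expired or tampered tokens:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// TokenKind separates interactive user sessions from machine agents.
// The "kind" claim name is an assumption of this example.
type TokenKind string

const (
	KindUser  TokenKind = "user"
	KindAgent TokenKind = "agent"
)

// Claims is the signed payload; Subject is the user or agent id.
type Claims struct {
	Subject   string    `json:"sub"`
	Kind      TokenKind `json:"kind"`
	ExpiresAt int64     `json:"exp"`
}

var ErrWrongKind = errors.New("token kind mismatch")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func sign(secret []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// Issue mints a compact HS256 token carrying the given kind and a TTL.
func Issue(secret []byte, kind TokenKind, subject string, ttl time.Duration, now time.Time) (string, error) {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, err := json.Marshal(Claims{Subject: subject, Kind: kind, ExpiresAt: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64(payload)
	return signingInput + "." + b64(sign(secret, signingInput)), nil
}

// Verify checks the signature first, then expiry, then that the token's kind
// is the one this verifier was built for, so a valid user token presented to
// an agent endpoint fails closed.
func Verify(secret []byte, want TokenKind, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported or malformed header")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("malformed signature")
	}
	if subtle.ConstantTimeCompare(sig, sign(secret, parts[0]+"."+parts[1])) != 1 {
		return nil, errors.New("invalid signature")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("malformed payload")
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.ExpiresAt {
		return nil, errors.New("token expired")
	}
	if c.Kind != want {
		return nil, ErrWrongKind
	}
	return &c, nil
}

// Kind-specific verifiers are what route middleware would call.
func VerifyUser(secret []byte, tok string, now time.Time) (*Claims, error)  { return Verify(secret, KindUser, tok, now) }
func VerifyAgent(secret []byte, tok string, now time.Time) (*Claims, error) { return Verify(secret, KindAgent, tok, now) }

func main() {
	secret := []byte("constructed-example-secret") // constructed value for the demo only
	now := time.Now()
	agentTok, _ := Issue(secret, KindAgent, "agent-42", time.Hour, now)
	_, err := VerifyAgent(secret, agentTok, now)
	fmt.Println("agent verifier on agent token, err =", err)
	_, err = VerifyUser(secret, agentTok, now)
	fmt.Println("user verifier on agent token, err =", err)
}
```

The kind check sits after signature and expiry so that an attacker gains nothing from a mismatched kind beyond a generic rejection. Using a distinct signing secret per kind (pass different `secret` values to `Issue` and the two verifiers) would add a second, independent barrier on top of the claim check.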
Pull request overview
Copilot reviewed 36 out of 36 changed files in this pull request and generated 2 comments.
Pull request overview
Copilot reviewed 36 out of 36 changed files in this pull request and generated 5 comments.
Pull request overview
Copilot reviewed 38 out of 38 changed files in this pull request and generated 1 comment.
Adds endpoints to create & manage agent service accounts, plus adds related middleware