a68e882092
Closes structural weakness #4 from the audit (single global key, no rotation, no KMS path). Customer secrets now use envelope encryption with a real rotation story. Model: KEK — Key Encryption Key, 32 bytes from env (SECRETS_ENCRYPTION_KEY). Never stored in the DB. Root of trust. DEK — Data Encryption Key, 32 random bytes we generate, stored in the new encryption_keys table *wrapped* (AES-256-GCM encrypted) with the KEK. Secrets are encrypted with the DEK. Schema: - encryption_keys (version, wrappedDek, active, rotatedBy, createdAt, retiredAt) - secrets.keyId — which DEK encrypted this row. NULL = legacy (KEK-direct, pre-envelope); decryptSecret handles both and the first rotation migrates legacy rows onto a DEK. crypto.ts (full rewrite): - ensureActiveKey() — boot-time, loads keys + creates v1 if none. Fail-closed: index.ts process.exit(1) if it throws — the API will not serve if encryption can't initialize. - encryptSecret() — encrypts with the active DEK, returns { value, keyId }. - decryptSecret(value, keyId) — DEK path or legacy KEK-direct path. - rotateKeys() — mints a fresh DEK, re-encrypts EVERY secret under it inside a single transaction (decrypt-old / encrypt-new per row), retires the old key, activates the new one. A partial failure is recoverable because every row carries its own keyId. - encryptionStatus() — active version, key history, secret + legacy counts. Admin: - GET /v1/admin/encryption — status - POST /v1/admin/encryption/rotate — triggers rotateKeys, audit-logged as admin.encryption.rotate with { newVersion, reEncrypted }. - /admin/encryption page — active-key/secret/legacy cards, Rotate button with confirm, key-history table, plain-English how-it-works. Added to admin nav. Verified end-to-end: - boot → encryption_keys v1 active, '[crypto] envelope encryption ready' - created a server with secret MY_API_KEY → stored ciphertext, keyId = v1 - POST rotate → { newVersion: 2, reEncrypted: 1 }; ciphertext changed, keyId now v2, v1 retired, v2 active. The decrypt-then-reencrypt round-trip succeeded (rotation throws otherwise) — the secret is provably recoverable. - admin UI renders the status + history correctly. Deferred, named honestly (not built this iteration): - worker reads secrets from the DB instead of the BullMQ job-data plaintext copy — would also remove plaintext secrets from Redis. Separate change with its own risk surface on the iterate/fork flows. - per-server secret-value rotation UI - audit_log hash-chaining (tamper-evidence) - rate limiting on auth endpoints
164 lines
5.4 KiB
TypeScript
164 lines
5.4 KiB
TypeScript
'use client';
|
|
|
|
import Link from 'next/link';
|
|
import { usePathname, useRouter } from 'next/navigation';
|
|
import { useEffect, useState } from 'react';
|
|
import {
|
|
LayoutGrid,
|
|
Users,
|
|
Building2,
|
|
Server,
|
|
Hammer,
|
|
FileClock,
|
|
Activity,
|
|
Wand2,
|
|
LogOut,
|
|
ShieldAlert,
|
|
Package,
|
|
KeyRound,
|
|
} from 'lucide-react';
|
|
import { apiFetch } from '@/lib/api';
|
|
import { cn } from '@/lib/cn';
|
|
import { Logo } from '@/components/logo';
|
|
|
|
interface MeUser {
|
|
userId: string;
|
|
email: string;
|
|
isAdmin: boolean;
|
|
}
|
|
|
|
const NAV: { href: string; label: string; icon: React.ComponentType<{ size?: number }> }[] = [
|
|
{ href: '/admin', label: 'Overview', icon: LayoutGrid },
|
|
{ href: '/admin/users', label: 'Users', icon: Users },
|
|
{ href: '/admin/orgs', label: 'Organizations', icon: Building2 },
|
|
{ href: '/admin/servers', label: 'MCP servers', icon: Server },
|
|
{ href: '/admin/templates', label: 'Templates', icon: Package },
|
|
{ href: '/admin/builds', label: 'Builds', icon: Hammer },
|
|
{ href: '/admin/audit', label: 'Audit log', icon: FileClock },
|
|
{ href: '/admin/system', label: 'System health', icon: Activity },
|
|
{ href: '/admin/encryption', label: 'Encryption', icon: KeyRound },
|
|
{ href: '/admin/prompt', label: 'AI prompt', icon: Wand2 },
|
|
];
|
|
|
|
export default function AdminLayout({ children }: { children: React.ReactNode }) {
|
|
const pathname = usePathname();
|
|
const router = useRouter();
|
|
const [user, setUser] = useState<MeUser | null>(null);
|
|
const [authState, setAuthState] = useState<'checking' | 'ok' | 'forbidden'>('checking');
|
|
|
|
useEffect(() => {
|
|
if (pathname === '/admin/login') {
|
|
setAuthState('ok');
|
|
return;
|
|
}
|
|
apiFetch<{ user: MeUser }>('/v1/auth/me')
|
|
.then((r) => {
|
|
if (r.user.isAdmin) {
|
|
setUser(r.user);
|
|
setAuthState('ok');
|
|
} else {
|
|
setAuthState('forbidden');
|
|
}
|
|
})
|
|
.catch(() => setAuthState('forbidden'));
|
|
}, [pathname]);
|
|
|
|
useEffect(() => {
|
|
if (authState === 'forbidden' && pathname !== '/admin/login') {
|
|
router.replace('/admin/login');
|
|
}
|
|
}, [authState, pathname, router]);
|
|
|
|
async function logout() {
|
|
await apiFetch('/v1/auth/logout', { method: 'POST' }).catch(() => undefined);
|
|
router.replace('/admin/login');
|
|
}
|
|
|
|
if (pathname === '/admin/login') return <>{children}</>;
|
|
|
|
if (authState === 'checking') {
|
|
return (
|
|
<div className="flex min-h-screen items-center justify-center">
|
|
<p className="mono text-[12px] text-[--color-fg-subtle]">verifying admin…</p>
|
|
</div>
|
|
);
|
|
}
|
|
if (authState === 'forbidden') {
|
|
return (
|
|
<div className="flex min-h-screen flex-col items-center justify-center gap-3">
|
|
<ShieldAlert size={24} className="text-[--color-danger]" />
|
|
<p className="text-[14px]">Admin access required.</p>
|
|
<Link
|
|
href="/admin/login"
|
|
className="mono text-[12px] text-[--color-accent] underline hover:text-white"
|
|
>
|
|
/admin/login
|
|
</Link>
|
|
</div>
|
|
);
|
|
}
|
|
|
|
return (
|
|
<div className="flex min-h-screen">
|
|
<aside className="sticky top-0 flex h-screen w-[230px] shrink-0 flex-col border-r border-[--color-border] bg-[--color-bg-elevated]">
|
|
<div className="flex h-12 items-center gap-2 border-b border-[--color-border] px-4">
|
|
<Logo />
|
|
<span className="mono text-[10.5px] uppercase tracking-wider text-[--color-fg-subtle]">
|
|
/ admin
|
|
</span>
|
|
</div>
|
|
<nav className="flex-1 overflow-y-auto p-2">
|
|
<ul className="space-y-0.5">
|
|
{NAV.map((item) => {
|
|
const Icon = item.icon;
|
|
const active =
|
|
pathname === item.href ||
|
|
(item.href !== '/admin' && pathname.startsWith(item.href));
|
|
return (
|
|
<li key={item.href}>
|
|
<Link
|
|
href={item.href}
|
|
className={cn(
|
|
'flex h-8 items-center gap-2 rounded-md px-2.5 text-[12.5px] transition-colors',
|
|
active
|
|
? 'bg-[--color-bg-subtle] text-[--color-fg]'
|
|
: 'text-[--color-fg-muted] hover:bg-[--color-bg-subtle] hover:text-[--color-fg]',
|
|
)}
|
|
>
|
|
<Icon size={13} />
|
|
{item.label}
|
|
</Link>
|
|
</li>
|
|
);
|
|
})}
|
|
</ul>
|
|
</nav>
|
|
<div className="border-t border-[--color-border] p-3 text-[12px]">
|
|
{user && (
|
|
<div className="mb-2 truncate text-[--color-fg-muted]" title={user.email}>
|
|
{user.email}
|
|
</div>
|
|
)}
|
|
<div className="flex gap-1">
|
|
<Link
|
|
href="/dashboard"
|
|
className="flex-1 rounded-md border border-[--color-border] px-2 py-1 text-center text-[11px] text-[--color-fg-muted] transition-colors hover:text-[--color-fg]"
|
|
>
|
|
user view
|
|
</Link>
|
|
<button
|
|
type="button"
|
|
onClick={logout}
|
|
className="rounded-md border border-[--color-border] px-2 py-1 text-[11px] text-[--color-fg-muted] transition-colors hover:text-[--color-danger]"
|
|
aria-label="logout"
|
|
>
|
|
<LogOut size={11} />
|
|
</button>
|
|
</div>
|
|
</div>
|
|
</aside>
|
|
<main className="flex-1 overflow-x-hidden">{children}</main>
|
|
</div>
|
|
);
|
|
}
|