feat(opsserver): add health, audit, cluster health, and durable credential management hardening

2026-04-30 07:10:21 +00:00
parent c3e5cabe3d
commit f4e5f02d0c
34 changed files with 1722 additions and 320 deletions
@@ -1,7 +1,7 @@
 import * as plugins from '../../plugins.ts';
 import type { OpsServer } from '../classes.opsserver.ts';
 import * as interfaces from '../../../ts_interfaces/index.ts';
-import { requireValidIdentity } from '../helpers/guards.ts';
+import { requireAdminIdentity, requireValidIdentity } from '../helpers/guards.ts';

 export class PoliciesHandler {
  public typedrouter = new plugins.typedrequest.TypedRouter();
@@ -30,8 +30,15 @@ export class PoliciesHandler {
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_CreateNamedPolicy>(
        'createNamedPolicy',
        async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
          const policy = await pm().createPolicy(dataArg.name, dataArg.description, dataArg.statements);
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: dataArg.identity.userId,
+            action: 'policy.create',
+            targetType: 'policy',
+            targetId: policy.id,
+            success: true,
+          });
          return { policy };
        },
      ),
@@ -42,8 +49,15 @@ export class PoliciesHandler {
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_UpdateNamedPolicy>(
        'updateNamedPolicy',
        async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
          const policy = await pm().updatePolicy(dataArg.policyId, dataArg.name, dataArg.description, dataArg.statements);
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: dataArg.identity.userId,
+            action: 'policy.update',
+            targetType: 'policy',
+            targetId: dataArg.policyId,
+            success: true,
+          });
          return { policy };
        },
      ),
@@ -54,8 +68,15 @@ export class PoliciesHandler {
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DeleteNamedPolicy>(
        'deleteNamedPolicy',
        async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
          await pm().deletePolicy(dataArg.policyId);
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: dataArg.identity.userId,
+            action: 'policy.delete',
+            targetType: 'policy',
+            targetId: dataArg.policyId,
+            success: true,
+          });
          return { ok: true };
        },
      ),
@@ -77,8 +98,16 @@ export class PoliciesHandler {
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_AttachPolicyToBucket>(
        'attachPolicyToBucket',
        async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
          await pm().attachPolicyToBucket(dataArg.policyId, dataArg.bucketName);
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: dataArg.identity.userId,
+            action: 'policy.attach',
+            targetType: 'bucket',
+            targetId: dataArg.bucketName,
+            success: true,
+            metadata: { policyId: dataArg.policyId },
+          });
          return { ok: true };
        },
      ),
@@ -89,8 +118,16 @@ export class PoliciesHandler {
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_DetachPolicyFromBucket>(
        'detachPolicyFromBucket',
        async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
          await pm().detachPolicyFromBucket(dataArg.policyId, dataArg.bucketName);
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: dataArg.identity.userId,
+            action: 'policy.detach',
+            targetType: 'bucket',
+            targetId: dataArg.bucketName,
+            success: true,
+            metadata: { policyId: dataArg.policyId },
+          });
          return { ok: true };
        },
      ),
@@ -118,8 +155,16 @@ export class PoliciesHandler {
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_SetPolicyBuckets>(
        'setPolicyBuckets',
        async (dataArg) => {
-          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          await requireAdminIdentity(this.opsServerRef.adminHandler, dataArg);
          await pm().setPolicyBuckets(dataArg.policyId, dataArg.bucketNames);
+          await this.opsServerRef.objectStorageRef.auditLogger.log({
+            actorUserId: dataArg.identity.userId,
+            action: 'policy.setBuckets',
+            targetType: 'policy',
+            targetId: dataArg.policyId,
+            success: true,
+            metadata: { bucketCount: dataArg.bucketNames.length },
+          });
          return { ok: true };
        },
      ),