OPC # 0007: Patch FDEV provisioning for local aspire development

Co-authored-by: Copilot <copilot@github.com>
2026-04-26 12:48:07 -04:00
parent e8ac7b017c
commit b9f0f6dd5f
7 changed files with 137 additions and 31 deletions
@@ -1,6 +1,9 @@
 using ControlPlane.Core.Interfaces;
 using ControlPlane.Core.Models;
+using System.Net.Http.Headers;
+using System.Text;
 using System.Text.Json;
+using System.Text.Json.Nodes;

 namespace ControlPlane.Worker.Steps;

@@ -8,38 +11,117 @@ public class VaultStep(ILogger<VaultStep> logger, IConfiguration config) : ISaga
 {
    public string StepName => "Cryptographic Pre-Flight (Vault)";

-    public Task ExecuteAsync(SagaContext context, CancellationToken cancellationToken)
+    // Policy grants the tenant token exactly the three Transit operations Clarity.Server needs:
+    //   GenerateTenantKEKAsync  → datakey/plaintext  (first boot only)
+    //   DecryptTenantKEKAsync   → decrypt            (every restart)
+    //   RewrapTenantKEKAsync    → rewrap             (key rotation)
+    private const string PolicyTemplate = """
+        path "clarity-transit/datakey/plaintext/master-key" {
+          capabilities = ["update"]
+        }
+        path "clarity-transit/decrypt/master-key" {
+          capabilities = ["update"]
+        }
+        path "clarity-transit/rewrap/master-key" {
+          capabilities = ["update"]
+        }
+        """;
+
+    public async Task ExecuteAsync(SagaContext context, CancellationToken cancellationToken)
    {
-        // TODO: VaultSharp
-        // 1. Assert Transit engine is active and healthy
-        // 2. Derive/validate TenantContextId (e.g. FL_COM_001)
-        // 3. Register TenantContextId in a KV entry or TenantRegistry table
-        //    so Clarity.Server can resolve the derivation path later
-        //
-        // Root token is read at runtime from the persisted init.json on the Vault volume:
-        //   var token = ReadRootToken();
-        logger.LogInformation("[{JobId}] Vault step is a stub - VaultSharp not yet wired.", context.Job.Id);
+        var rootToken = ReadRootToken();
+        var vaultAddr = (config["Vault:Address"] ?? "http://localhost:8200").TrimEnd('/');
+        var subdomain = context.Job.Subdomain.ToLowerInvariant();
+        var policyName = $"clarity-tenant-{subdomain}";
+
+        using var http = new HttpClient { BaseAddress = new Uri(vaultAddr) };
+        http.DefaultRequestHeaders.Add("X-Vault-Token", rootToken);
+
+        // ── 1. Assert Transit engine + master-key are healthy ─────────────────
+        logger.LogInformation("[{JobId}] Verifying Vault Transit engine and master-key.", context.Job.Id);
+        var healthRes = await http.GetAsync("v1/clarity-transit/keys/master-key", cancellationToken);
+        if (!healthRes.IsSuccessStatusCode)
+            throw new InvalidOperationException(
+                $"Vault Transit master-key not found at {vaultAddr}. " +
+                "Ensure OPC infra is running and the entrypoint has bootstrapped Vault.");
+
+        // ── 2. Upsert per-tenant policy (idempotent PUT) ──────────────────────
+        logger.LogInformation("[{JobId}] Writing Vault policy '{Policy}'.", context.Job.Id, policyName);
+        var policyBody = JsonSerializer.Serialize(new { policy = PolicyTemplate });
+        var policyRes = await http.PutAsync(
+            $"v1/sys/policies/acl/{policyName}",
+            new StringContent(policyBody, Encoding.UTF8, "application/json"),
+            cancellationToken);
+        policyRes.EnsureSuccessStatusCode();
+
+        // ── 3. Create scoped periodic token bound to tenant policy ────────────
+        logger.LogInformation("[{JobId}] Creating scoped Vault token for policy '{Policy}'.", context.Job.Id, policyName);
+        var tokenBody = JsonSerializer.Serialize(new
+        {
+            policies  = new[] { policyName },
+            period    = "72h",
+            renewable = true,
+            metadata  = new Dictionary<string, string>
+            {
+                ["tenant"]    = subdomain,
+                ["createdBy"] = "ControlPlane.Worker",
+            },
+        });
+        var tokenRes = await http.PostAsync(
+            "v1/auth/token/create",
+            new StringContent(tokenBody, Encoding.UTF8, "application/json"),
+            cancellationToken);
+        tokenRes.EnsureSuccessStatusCode();
+
+        var tokenJson = JsonNode.Parse(await tokenRes.Content.ReadAsStringAsync(cancellationToken))!;
+        context.VaultToken         = tokenJson["auth"]!["client_token"]!.GetValue<string>();
+        context.VaultTokenAccessor = tokenJson["auth"]!["accessor"]!.GetValue<string>();
+
+        logger.LogInformation("[{JobId}] Vault step complete. Token accessor: {Accessor}",
+            context.Job.Id, context.VaultTokenAccessor);
+
        context.Job.CompletedSteps |= CompletedSteps.VaultVerified;
-        return Task.CompletedTask;
    }

-    public Task CompensateAsync(SagaContext context, CancellationToken cancellationToken)
+    public async Task CompensateAsync(SagaContext context, CancellationToken cancellationToken)
    {
-        logger.LogInformation("[{JobId}] Vault step: no compensation needed.", context.Job.Id);
-        return Task.CompletedTask;
+        if (string.IsNullOrWhiteSpace(context.VaultTokenAccessor)) return;
+
+        logger.LogWarning("[{JobId}] Compensating Vault — revoking token accessor {Accessor}.",
+            context.Job.Id, context.VaultTokenAccessor);
+
+        try
+        {
+            var rootToken = ReadRootToken();
+            var vaultAddr = (config["Vault:Address"] ?? "http://localhost:8200").TrimEnd('/');
+            using var http = new HttpClient { BaseAddress = new Uri(vaultAddr) };
+            http.DefaultRequestHeaders.Add("X-Vault-Token", rootToken);
+
+            var body = JsonSerializer.Serialize(new { accessor = context.VaultTokenAccessor });
+            await http.PostAsync(
+                "v1/auth/token/revoke-accessor",
+                new StringContent(body, Encoding.UTF8, "application/json"),
+                cancellationToken);
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "[{JobId}] Failed to revoke Vault token accessor {Accessor} during compensation.",
+                context.Job.Id, context.VaultTokenAccessor);
+        }
    }

-    /// <summary>
-    /// Reads the root token from the init.json written by the Vault entrypoint on first boot.
-    /// Path is injected via Vault__KeysFile config.
-    /// </summary>
    internal string ReadRootToken()
    {
-        var path = config["Vault__KeysFile"]
-            ?? throw new InvalidOperationException("Vault__KeysFile is not configured.");
+        var path = config["Vault:KeysFile"] ?? config["Vault__KeysFile"];
+        if (!string.IsNullOrWhiteSpace(path) && File.Exists(path))
+        {
+            using var doc = JsonDocument.Parse(File.ReadAllText(path));
+            if (doc.RootElement.TryGetProperty("root_token", out var tok))
+                return tok.GetString()!;
+        }

-        using var doc = JsonDocument.Parse(File.ReadAllText(path));
-        return doc.RootElement.GetProperty("root_token").GetString()
-            ?? throw new InvalidOperationException("root_token not found in Vault init.json.");
+        return config["Vault:Token"]
+            ?? throw new InvalidOperationException(
+                "Cannot resolve Vault root token: neither Vault:KeysFile nor Vault:Token is configured.");
    }
 }