fix(security): restrict auth-config mutations to Admin role (#5)

Restrict manager-wide authentication configuration mutations (OIDC, SMTP, IP allowlist) to Admin role. Operators now receive 403 forbidden_role. - New admin_required helper in settings.rs - 4 gate changes: update_settings, discover_oidc, test_oidc, update_ip_whitelist - 5 new AuditAction variants + migration 019 - SPA friendly error message on 403 - 3 admin_required unit tests pass (43/43) - Full integration tests deferred to issue #15 Closes #5
2026-06-03 09:16:41 -05:00
parent f58d7a6f17
commit 88b190ac8d
8 changed files with 436 additions and 12 deletions
--- a/docs/REST_API.md
+++ b/docs/REST_API.md
@ -112,10 +112,10 @@ Security: JWT Bearer Token (except Public Endpoints)
 | Method | Endpoint | Description |
 |--------|----------|-------------|
 | GET | `/settings` | Get system settings |
-| PUT | `/settings` | Update system settings |
+| PUT | `/settings` | Update system settings **(Admin only — Operators receive `403 forbidden_role`)** |
 | POST | `/settings/smtp/test` | Test SMTP configuration |
-| POST | `/settings/sso/discover` | Discover OIDC provider config |
-| POST | `/settings/sso/test` | Test SSO connection |
+| POST | `/settings/sso/discover` | Discover OIDC provider config **(Admin only — Operators receive `403 forbidden_role`)** |
+| POST | `/settings/sso/test` | Test SSO connection **(Admin only — Operators receive `403 forbidden_role`)** |
 | POST | `/settings/azure-sso/test` | Test Azure SSO compatibility |
 | POST | `/settings/audit-integrity` | Verify audit log integrity |

--- a/docs/security-review.md
+++ b/docs/security-review.md
@ -85,6 +85,7 @@ verifying that all mandated security controls are implemented and operational.
 | Admin: full rights | ✅ Verified | Admin role bypasses group scoping; access to all resources |
 | Operator: group-scoped | ✅ Verified | Operators can only manage hosts in their assigned groups; middleware enforces on every request |
 | RBAC middleware | ✅ Verified | Axum middleware extracts role from JWT; enforces before route handler execution |
+| **Manager-wide auth config is Admin-only (issue #5 fix)** | ✅ Verified | `admin_required` gate in `crates/pm-web/src/routes/settings.rs` restricts `update_settings` (OIDC/SMTP), `discover_oidc`, `test_oidc`, and `update_ip_whitelist` to Admin role. Operators receive `403 forbidden_role`. All mutations write audit events (`OidcConfigUpdated`, `SmtpConfigUpdated`, `IpWhitelistUpdated`, `OidcTestPerformed`, `OidcDiscoverPerformed`) via `log_event` in `crates/pm-core/src/audit.rs`. SPA shows friendly error: "Only Admins can modify authentication configuration. Contact an Admin to make this change." Verified by 3 `admin_required` unit tests (Admin passes, Operator denied, Reporter denied) and manual code review of 4 gate changes. Full integration tests deferred to [issue #15](https://github.com/Draco-Lunaris/Linux-Patch-Manager/issues/15). |

 ### 2.5 Azure SSO
 | Control | Status | Evidence |