Rotation Daemon#7926
Draft
Hinton wants to merge 9 commits into
Draft
Conversation
Entities, enums, models, and repository interfaces for credential rotation: target systems, daemon registrations and assignments, rotation configs, jobs (claim-lease semantics), and server-owned attempts, per rotation-server.allium.
26 new AccessAuditEventKind values (rotation lifecycle 50-66, fleet and target administration 70-78) plus nullable rotation subject columns (target system, daemon, config, job, source, sync state) on the append-only event store; names snapshotted at write like RuleName.
Six tables and 38 stored procedures, including the concurrency-critical paths: guarded job creation (one active job per config), atomic first-claim-wins with an org/assignment eligibility join, the atomic cipher-write capability check serialized against the sweeps via a job row lock, retry-budget errored-attempt math, success-wins timeout and lease-respecting release sweeps, and the lease natural-expiry sweep.
MSSQL-only implementations of the four rotation repository interfaces (matching the PAM POC's Dapper-only scope), plus IAccessLeaseRepository.ExpireDueAsync backing the lease natural-expiry sweep.
…tial Daemons authenticate via OAuth client-credentials exactly like Secrets Manager machine accounts, reusing dbo.ApiKey as the credential store (ServiceAccountId null; PamDaemon.ApiKeyId owns the link). The daemon. client-id prefix resolves a new client provider that gates on daemon enrollment and org Enabled/UsePam; every token response returns the wrapped org key (encrypted_payload, zero-knowledge). Adds the api.pam.rotation scope, RotationDaemon client type and claims parsing, an exact-claims authorization policy, a LaunchDarkly context for daemon principals, and the previously missing ApiKey_ReadById procedure.
Commands and queries implementing rotation-server.allium's rules: target/daemon/config administration with per-row org checks and audit emission, OfferRotation as the single job-creation point, the claim/report/cipher-write daemon paths with exact-complement rejection auditing, the access-end trigger handler, cron scheduling via Quartz (UTC, interval floor), and PamRotationOptions with spec defaults. Feature-flagged under pm-39040-pam-rotation.
Admin groups for daemons/target-systems/configs and daemon-facing poll/claim/cipher/report routes behind the PamRotationDaemon policy. Every daemon request re-checks enrollment and org Enabled/UsePam and doubles as a conditional heartbeat. Also fixes PamValidationEndpointFilter's exact-namespace match, which silently skipped DataAnnotations validation for models outside the original Pam.Api.Models.Request namespace.
Two commercial-gated Quartz minute sweeps: rotation (due offers, success-wins timeouts, lease-respecting releases of stale daemons' claims) and lease natural expiry (flips Active leases past NotAfter, emits the long-deferred LeaseExpired audit kind, fires the rotation access-end trigger). RevokeAccessLeaseCommand fires the same trigger on explicit lease ends, isolated so it can never fail the revoke.
171 unit tests (guard matrices with mandatory cross-org 404 cases, retry-budget and success-wins semantics, exact-complement rejections, UTC cron evaluation, sweep phases, daemon filter and client provider) plus 43 database integration tests covering the concurrency paths: concurrent double-claim single-winner, forged cross-org assignment refusal, atomic cipher-write vs release interleaving, and lease-expiry idempotence. Lockfiles pick up the Pam.Domain reference and internal version bump.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🎟️ Tracking
📔 Objective
📸 Screenshots
Entities, enums, models, and repository interfaces for credential
rotation: target systems, daemon registrations and assignments,
rotation configs, jobs (claim-lease semantics), and server-owned
attempts, per rotation-server.allium.