feat: CryptoOfficer role with optional split-key ceremony #991
Open
Manuthor wants to merge 7 commits into
Contributor
Pull request overview
This PR introduces a 3-role RBAC model (Operator / Crypto Officer / Administrator) and adds split-key (Shamir/XOR) KMIP operations to support an “Administrator key ceremony” activation flow, alongside broad documentation updates.
Changes:
- Add server-level RBAC configuration (operator/crypto officer/admin) and enforce role permissions during KMIP dispatch.
- Implement KMIP 2.1 CreateSplitKey/JoinSplitKey operations plus DB persistence for Administrator ceremony activation and runtime disable/status endpoints.
- Extend test infrastructure and vectors to cover Administrator behavior and split-key round-trips.
Reviewed changes
Copilot reviewed 64 out of 65 changed files in this pull request and generated 13 comments.
| File | Description |
|---|---|
| pkg/kms.toml | Updates sample config comments for new RBAC keys (operator/crypto officer/administrator). |
| documentation/mkdocs.yml | Adds nav entry for the new key ceremony documentation page. |
| documentation/docs/configuration/server_configuration_file.md | Updates server config reference comments for RBAC keys. |
| documentation/docs/configuration/authorization/key_ceremony.md | New detailed documentation page for Administrator split-key ceremony flow. |
| documentation/docs/configuration/authorization.md | Updates authorization docs (RBAC + additional role documentation). |
| documentation/docs/certifications_and_compliance/audit/owasp_security_audit.md | Updates audit doc references from privileged_users to crypto_officer_users. |
| documentation/docs/certifications_and_compliance/audit/multi_framework_security_audit.md | Same terminology update for audit/compliance mapping. |
| deny.toml | Adds ignored advisory entry for an unmaintained transitive dependency. |
| crate/test_kms_server/src/vector_runner.rs | Adds vector-runner support for administrator REST steps and capturing repeated TTLV tags. |
| crate/test_kms_server/src/test_server.rs | Renames privileged-users test server helpers to crypto-officer equivalents; switches to PEM to avoid macOS PKCS#12 concurrency issues. |
| crate/test_kms_server/src/lib.rs | Re-exports renamed test server helpers. |
| crate/test_kms_server/README.md | Documents new Administrator and split-key vectors. |
| crate/server/src/tests/test_utils.rs | Injects RoleConfig into test Actix app state instead of privileged_users. |
| crate/server/src/start_kms_server.rs | Wires RoleConfig into server scope state; adds Administrator status/disable endpoints. |
| crate/server/src/routes/access.rs | Updates access routes to use RoleConfig; adds Administrator status/disable handlers. |
| crate/server/src/main.rs | Updates ClapConfig test initializer for new RBAC fields. |
| crate/server/src/core/retrieve_object_utils.rs | Adds Administrator bypass to per-object permission checks. |
| crate/server/src/core/operations/rekey.rs | Renames privileged user parameter to crypto officer users. |
| crate/server/src/core/operations/rekey_keypair.rs | Same renaming for ReKeyKeyPair path. |
| crate/server/src/core/operations/register.rs | Same renaming for Register path. |
| crate/server/src/core/operations/mod.rs | Registers new split-key operation handlers. |
| crate/server/src/core/operations/message.rs | Adds split-key ops to KMIP message processing; refactors futures pinning. |
| crate/server/src/core/operations/locate.rs | Adds Administrator Locate bypass path using DB find_all(). |
| crate/server/src/core/operations/join_split_key.rs | Implements JoinSplitKey operation and Administrator ceremony activation hook. |
| crate/server/src/core/operations/import.rs | Renames privileged user parameter to crypto officer users. |
| crate/server/src/core/operations/dispatch.rs | Adds RBAC gate at dispatch time; routes new split-key operations. |
| crate/server/src/core/operations/create.rs | Renames privileged user parameter to crypto officer users. |
| crate/server/src/core/operations/create_split_key.rs | Implements CreateSplitKey operation and ceremony tagging. |
| crate/server/src/core/operations/create_key_pair.rs | Renames privileged user parameter to crypto officer users. |
| crate/server/src/core/operations/certify/resolve_subject.rs | Renames privileged user parameter to crypto officer users. |
| crate/server/src/core/operations/certify/certify_op.rs | Same renaming and pinning update. |
| crate/server/src/core/kms/permissions.rs | Renames privileged user parameter; introduces KMS::is_administrator() runtime check. |
| crate/server/src/core/kms/other_kms_methods.rs | Renames privileged user parameter to crypto officer users. |
| crate/server/src/core/kms/kmip.rs | Adds KMS wrappers for split-key ops; refactors pinning and renames privileged user plumbing. |
| crate/server/src/core/cover_crypt/rekey_keys.rs | Renames privileged user parameter to crypto officer users. |
| crate/server/src/core/cover_crypt/create_user_decryption_key.rs | Same renaming for Covercrypt USK creation flow. |
| crate/server/src/config/wizard/mod.rs | Wizard now captures RBAC lists (operator/crypto officer/admin). |
| crate/server/src/config/wizard/advanced_wizard.rs | Implements wizard prompts for new RBAC keys. |
| crate/server/src/config/params/server_params.rs | Replaces privileged_users with role_config: RoleConfig and validates role separation. |
| crate/server/src/config/command_line/super_admin_config.rs | Adds a SuperAdminConfig type (currently appears unused). |
| crate/server/src/config/command_line/clap_config.rs | Adds new CLI config fields for RBAC and admin ceremony parameters; updates Debug output. |
| crate/server/Cargo.toml | Adds crypto crate dependency and rand dependencies; extends non-fips features. |
| crate/server_database/src/stores/sql/sqlite.rs | Adds administrator_activations table init; implements find_all() and activation persistence methods. |
| crate/server_database/src/stores/sql/query.sql | Adds SQL schema + queries for administrator activations. |
| crate/server_database/src/stores/sql/query_mysql.sql | Adds MySQL schema + queries for administrator activations. |
| crate/server_database/src/stores/sql/pgsql.rs | Adds find_all() and administrator activation persistence for Postgres. |
| crate/server_database/src/stores/sql/mysql.rs | Adds find_all() and administrator activation persistence for MySQL. |
| crate/server_database/src/stores/sql/locate_query.rs | Adds query_all_from_attributes() for admin locate. |
| crate/server_database/src/stores/redis/redis_with_findex.rs | Adds find_all() behavior for Redis-findex; stubs/blocks ceremony persistence. |
| crate/server_database/src/core/database_permissions.rs | Exposes administrator activation APIs on Database. |
| crate/server_database/src/core/database_objects.rs | Adds Database::find_all() aggregator. |
| crate/kmip/src/kmip_2_1/kmip_operations.rs | Adds KMIP operation structs/enums for CreateSplitKey/JoinSplitKey. |
| crate/kmip/src/kmip_2_1/kmip_messages.rs | Adds (de)serialization support for CreateSplitKey/JoinSplitKey operations. |
| crate/interfaces/src/stores/permissions_store.rs | Extends PermissionsStore trait for admin ceremony persistence. |
| crate/interfaces/src/stores/objects_store.rs | Extends ObjectsStore trait with find_all() for admin locate. |
| crate/interfaces/src/hsm/hsm_store.rs | Implements find_all() for HSM store via admin-owner find(). |
| crate/crypto/src/crypto/split_key/mod.rs | New split-key cryptographic primitives (SSS over GF(2^8) + XOR) with tests. |
| crate/crypto/src/crypto/mod.rs | Exposes new split_key module. |
| crate/crypto/Cargo.toml | Adds rand_core dependency. |
| crate/clients/ckms/src/tests/security/privilege_bypass.rs | Updates tests for crypto_officer_users naming. |
| crate/clients/ckms/src/tests/access.rs | Renames privileged-users test to crypto-officer variant. |
| crate/access/src/access.rs | Introduces Role/RoleConfig/AdministratorConfig and role validation logic. |
| CHANGELOG/feat_split_key.md | Adds branch changelog for the feature (contains “super-admin” naming claims). |
| Cargo.lock | Updates lockfile for new dependencies (crypto + rand_core). |
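The review table above lists new split-key primitives in crate/crypto/src/crypto/split_key/mod.rs (Shamir secret sharing over GF(2^8) plus an XOR split). The following is an added example of those two methods written for this page; it is not the project's code, and every name in it (gf_mul, gf_inv, Share, split_shamir, join_shamir, split_xor, join_xor) is our own. Random bytes are taken from a caller-supplied closure so that a real deployment passes a CSPRNG; the fixed counter used in the accompanying test is a constructed demo value only. The join deliberately shows the property a ceremony design must account for: Shamir gives no integrity, so an under-quorum join returns a plausible but wrong secret rather than an error.

```rust
// Added example, not the project's code: the two split-key methods the review
// lists for crate/crypto/src/crypto/split_key, Shamir sharing over GF(2^8) and
// a plain XOR split. All names are ours. Random bytes come from a caller-supplied
// closure so a deployment can pass a CSPRNG; a fixed demo sequence is never
// acceptable for real key material.

/// Multiply in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1 (0x11b),
/// branch-free so timing does not depend on the operands.
fn gf_mul(mut a: u8, mut b: u8) -> u8 {
    let mut p = 0u8;
    for _ in 0..8 {
        p ^= a & 0u8.wrapping_sub(b & 1); // add a when the low bit of b is set
        let carry = a >> 7;
        a <<= 1;
        a ^= 0x1b & 0u8.wrapping_sub(carry); // reduce when x^8 appears
        b >>= 1;
    }
    p
}

/// Inverse by exponentiation: a^254 = a^-1 for nonzero a in GF(2^8).
fn gf_inv(a: u8) -> u8 {
    assert!(a != 0, "zero has no inverse");
    let (mut result, mut base, mut e) = (1u8, a, 254u32);
    while e > 0 {
        if e & 1 == 1 { result = gf_mul(result, base); }
        base = gf_mul(base, base);
        e >>= 1;
    }
    result
}

/// Horner evaluation; coefficients in ascending order, constant term first.
fn eval_poly(coeffs: &[u8], x: u8) -> u8 {
    coeffs.iter().rev().fold(0u8, |acc, &c| gf_mul(acc, x) ^ c)
}

#[derive(Debug, Clone, PartialEq, Eq)]
struct Share {
    x: u8,      // evaluation point, 1..=255
    y: Vec<u8>, // one polynomial value per secret byte
}

/// Shamir split: any `threshold` shares reconstruct, fewer reveal nothing.
fn split_shamir(secret: &[u8], threshold: u8, shares: u8, mut random_byte: impl FnMut() -> u8) -> Vec<Share> {
    assert!(1 <= threshold && threshold <= shares, "need 1 <= threshold <= shares");
    // One degree-(threshold-1) polynomial per byte; its constant term is the secret byte.
    let mut polys: Vec<Vec<u8>> = Vec::with_capacity(secret.len());
    for &s in secret {
        let mut coeffs = vec![s];
        for _ in 1..threshold { coeffs.push(random_byte()); }
        polys.push(coeffs);
    }
    (1..=shares)
        .map(|x| Share { x, y: polys.iter().map(|c| eval_poly(c, x)).collect() })
        .collect()
}

/// Shamir join by Lagrange interpolation at x = 0. Malformed inputs are rejected,
/// but too few shares cannot be detected: the result is simply wrong, so callers
/// must verify the reconstructed key against an independent hash or MAC.
fn join_shamir(shares: &[Share]) -> Result<Vec<u8>, &'static str> {
    let first = shares.first().ok_or("no shares")?;
    if shares.iter().any(|s| s.y.len() != first.y.len()) { return Err("share length mismatch"); }
    for (i, a) in shares.iter().enumerate() {
        if a.x == 0 { return Err("x must be nonzero"); }
        if shares[..i].iter().any(|b| b.x == a.x) { return Err("duplicate x"); }
    }
    let mut secret = vec![0u8; first.y.len()];
    for (i, si) in shares.iter().enumerate() {
        // Basis L_i(0) = prod_{j != i} x_j / (x_i - x_j); subtraction is XOR in GF(2^8).
        let mut basis = 1u8;
        for (j, sj) in shares.iter().enumerate() {
            if i != j { basis = gf_mul(basis, gf_mul(sj.x, gf_inv(si.x ^ sj.x))); }
        }
        for (b, &y) in secret.iter_mut().zip(&si.y) { *b ^= gf_mul(y, basis); }
    }
    Ok(secret)
}

/// XOR split: all n shares are required; any n-1 of them are independent of the secret.
fn split_xor(secret: &[u8], shares: usize, mut random_byte: impl FnMut() -> u8) -> Vec<Vec<u8>> {
    assert!(shares >= 2, "need at least two shares");
    let mut out: Vec<Vec<u8>> = Vec::with_capacity(shares);
    let mut last = secret.to_vec(); // becomes secret XOR all random shares
    for _ in 1..shares {
        let share: Vec<u8> = secret.iter().map(|_| random_byte()).collect();
        for (l, s) in last.iter_mut().zip(&share) { *l ^= s; }
        out.push(share);
    }
    out.push(last);
    out
}

fn join_xor(shares: &[Vec<u8>]) -> Result<Vec<u8>, &'static str> {
    let first = shares.first().ok_or("no shares")?;
    if shares.iter().any(|s| s.len() != first.len()) { return Err("share length mismatch"); }
    Ok((0..first.len()).map(|i| shares.iter().fold(0u8, |acc, s| acc ^ s[i])).collect())
}
```

The GF(2^8) arithmetic is the AES field, so the two FIPS-197 worked products ({57}·{83} = {c1}, {53}·{ca} = {01}) serve as a quick self-check. For a ceremony, the XOR method is the right choice when every key holder must be present; Shamir is the choice when a quorum (for instance 3 of 5 officers) must suffice, and in that case the reconstructed key should be validated before it activates anything.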
Manuthor added a commit that referenced this pull request (Jun 11, 2026):
- dispatch: make check_role_permission async; remove dispatch-level blocking for KmipOperation-mapped ops (handlers enforce crypto_officer_users + explicit grants); LIFECYCLE_OPERATION_TAGS now allow through if user has explicit Create grant in DB -- fixes regression in test_crypto_officer_users
- access: role_for() only returns Administrator when require_ceremony=false; ceremony candidates are not elevated at dispatch before ceremony completes
- retrieve_object_utils: Administrator bypass limited to non-HSM objects
- join_split_key: add split_key_method validation; add crypto_officer check before database.create(); fix doc comment wording
- database_objects: find_all() propagates errors instead of swallowing
- locate_query: rewrite query_all_from_attributes with full attribute filters
- permissions_store: update revoke_administrator_activation doc contract
- routes/access: fix config key reference in error msg (administrator_users)
- documentation: replace Super-admin section with correct Administrator role docs
- remove dead super_admin_config.rs file
- CHANGELOG: fix log names and claims about rename completion
Manuthor added a commit that referenced this pull request (Jun 14, 2026):
- dispatch: make check_role_permission async; remove dispatch-level blocking for KmipOperation-mapped ops (handlers enforce crypto_officer_users + explicit grants); LIFECYCLE_OPERATION_TAGS now allow through if user has explicit Create grant in DB -- fixes regression in test_crypto_officer_users
- access: role_for() only returns Administrator when require_ceremony=false; ceremony candidates are not elevated at dispatch before ceremony completes
- retrieve_object_utils: Administrator bypass limited to non-HSM objects
- join_split_key: add split_key_method validation; add crypto_officer check before database.create(); fix doc comment wording
- database_objects: find_all() propagates errors instead of swallowing
- locate_query: rewrite query_all_from_attributes with full attribute filters
- permissions_store: update revoke_administrator_activation doc contract
- routes/access: fix config key reference in error msg (administrator_users)
- documentation: replace Super-admin section with correct Administrator role docs
- remove dead super_admin_config.rs file
- CHANGELOG: fix log names and claims about rename completion
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
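The commit message above describes two gates: role_for() returns Administrator only when the ceremony requirement is off or the ceremony has completed, and server_params validates that the role lists do not overlap. The following is an added example of that logic written for this page, not the project's code: the type and method names (RoleConfig, Role, validate, record_activation, role_for, is_permitted) and the per-role operation table are our assumptions, and the activation set stands in for the administrator_activations table the PR adds. A pending ceremony candidate is given no role at all here; that conservative choice is ours, not something the page states.

```rust
// Added example, not the project's code: a minimal model of role resolution
// with an Administrator ceremony gate. Names and the operation table are our
// assumptions; the real server keeps activations in a database table.
use std::collections::HashSet;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum Role {
    Operator,
    CryptoOfficer,
    Administrator,
}

#[derive(Debug)]
struct RoleConfig {
    operator_users: HashSet<String>,
    crypto_officer_users: HashSet<String>,
    administrator_users: HashSet<String>,
    /// When true, listed administrators hold the role only after a completed ceremony.
    require_ceremony: bool,
    /// Stand-in for the administrator_activations table (assumption).
    activated: HashSet<String>,
}

impl RoleConfig {
    /// Separation of duties: a user may appear in at most one role list.
    fn validate(&self) -> Result<(), String> {
        let lists = [
            ("operator_users", &self.operator_users),
            ("crypto_officer_users", &self.crypto_officer_users),
            ("administrator_users", &self.administrator_users),
        ];
        for (i, (name_a, a)) in lists.iter().enumerate() {
            for (name_b, b) in &lists[i + 1..] {
                if let Some(u) = a.intersection(b).next() {
                    return Err(format!("user {u} is in both {name_a} and {name_b}"));
                }
            }
        }
        Ok(())
    }

    /// Called once the ceremony quorum has reconstructed the key (the JoinSplitKey
    /// hook in the PR); only then is a listed candidate actually elevated.
    fn record_activation(&mut self, user: &str) {
        if self.administrator_users.contains(user) {
            self.activated.insert(user.to_string());
        }
    }

    fn role_for(&self, user: &str) -> Option<Role> {
        if self.administrator_users.contains(user) {
            // A ceremony candidate is not elevated at dispatch before the ceremony completes.
            return if !self.require_ceremony || self.activated.contains(user) {
                Some(Role::Administrator)
            } else {
                None // assumption: pending candidates hold no role until activation
            };
        }
        if self.crypto_officer_users.contains(user) {
            return Some(Role::CryptoOfficer);
        }
        if self.operator_users.contains(user) {
            return Some(Role::Operator);
        }
        None
    }

    /// Dispatch-time gate. Which KMIP operation each role may call is an
    /// illustrative assumption, not the project's table.
    fn is_permitted(&self, user: &str, operation: &str) -> bool {
        const OPERATOR_OPS: &[&str] = &["Encrypt", "Decrypt", "Get", "Locate"];
        const CRYPTO_OFFICER_OPS: &[&str] = &["Create", "CreateKeyPair", "Import", "Register", "ReKey"];
        match self.role_for(user) {
            Some(Role::Administrator) => true,
            Some(Role::CryptoOfficer) => {
                OPERATOR_OPS.contains(&operation) || CRYPTO_OFFICER_OPS.contains(&operation)
            }
            Some(Role::Operator) => OPERATOR_OPS.contains(&operation),
            None => false,
        }
    }
}

/// Helper to build a user set from literals (constructed sample data).
fn set(users: &[&str]) -> HashSet<String> {
    users.iter().map(|u| u.to_string()).collect()
}

fn main() {
    let mut cfg = RoleConfig {
        operator_users: set(&["alice"]),
        crypto_officer_users: set(&["bob"]),
        administrator_users: set(&["carol"]),
        require_ceremony: true,
        activated: HashSet::new(),
    };
    cfg.validate().expect("role lists must not overlap");
    println!("carol before ceremony: {:?}", cfg.role_for("carol"));
    cfg.record_activation("carol");
    println!("carol after ceremony:  {:?}", cfg.role_for("carol"));
}
```

The point worth checking in a review of the real code is the same one the test below asserts: a user listed under administrator_users must be denied administrator-only operations until the activation record exists, and validate() must reject a configuration that places one identity in two role lists, since that would silently merge the duties the three roles are meant to separate.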
…pdate test_toml
- Add count_non_destroyed_keys() to SQLite, PostgreSQL, and MySQL ObjectsStore implementations using JSON extraction to filter key-type objects (SymmetricKey, PrivateKey, PublicKey, SplitKey) in non-destroyed states. The default implementation returned 0, causing kms_keys_active_count metric to always show 0 in the otel integration test.
- Update test_toml expected TOML string in main.rs to include new config fields added since last snapshot: hsm_instances, rate_limit_per_second, otlp_allow_insecure, and [roles] section.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Object variant is serialized as the top-level JSON key (e.g. {"SymmetricKey": {...}}), not as an "object_type" field. Use json_type() IS NOT NULL (SQLite/MySQL) and the JSONB ? operator (PostgreSQL) to detect key-type objects by variant name.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary
/access/crypto_officer/status|disable for ceremony management. check_role_permission.