feat: CryptoOfficer role with optional split-key ceremony

.gitmodules

@@ -7,3 +7,6 @@
 [submodule "kmip"]
     path = kmip
     url = https://github.com/Cosmian/kmip.git
+[submodule "standards"]
+    path = standards
+    url = https://github.com/Cosmian/standards.git

CHANGELOG/feat_split_key.md

@@ -0,0 +1,162 @@
+# CHANGELOG — feat/split_key
+
+## Documentation
+
+- **Four-role ceremony guide** (`documentation/docs/configuration/authorization/key_ceremony.md`):
+  renamed from "Administrator Key Ceremony" to "Role Management and Key Ceremonies"; added full
+  **Auditor role** section (NIST SP 800-57 Part 2 Rev 1 §4.9) covering both config-only
+  and ceremony-gated modes, 4-phase Mermaid sequence diagrams, `x-cosmian-auditor-ceremony` vendor
+  attribute tag, CLI quick reference (`ckms access-rights auditor status/disable`), and updated
+  Security Properties and Permission Model sections. Updated normative requirements table with
+  NIST SP 800-57 Part 2 Rev 1 §4.9 entries.
+- **Administrator key ceremony guide** (same file):
+  full explanation of privilege escalation via split-key ceremony, normative references (NIST SP 800-57 Part 2 Rev 1 §4.6,
+  ISO/IEC 19790 §7.4, ANSI/INCITS 359-2004), role operation tables, 4-phase Mermaid sequence diagrams, and
+  permission evaluation flowchart. Registered in `documentation/mkdocs.yml`.
+- `documentation/docs/configuration/authorization.md`: replaced stale **Super-admin role** section
+  with correct **Administrator role** section covering `administrator_*` config keys, activation
+  modes, ceremony flow, disable procedures, actual REST endpoints (`/access/administrator/*`),
+  and updated permission evaluation order table.
+
+## Features — Web UI
+
+- **Administrator Role page** (`/ui/access-rights/administrator`): new status page showing role
+  configuration, ceremony activation state, list of admin users, and a Disable button (visible
+  only when a ceremony is active; requires active Administrator privileges to use).
+- **Auditor Role page** (`/ui/access-rights/auditor`): equivalent status page for the Auditor role;
+  Disable button requires active Administrator privileges (an Auditor cannot revoke their own
+  ceremony — enforced in both UI and server).
+- Both pages wired into the **Access Rights** sidebar section with two new menu items and
+  React Router routes. No server-side SPA route change needed (existing wildcard covers them).
+
+## Features — CLI
+
+- `ckms access-rights administrator status` — print Administrator role configuration and
+  ceremony activation status (calls `GET /access/administrator/status`).
+- `ckms access-rights administrator disable` — revoke an active Administrator ceremony
+  (calls `POST /access/administrator/disable`; requires active Administrator).
+- `ckms access-rights auditor status` — print Auditor role configuration and ceremony status.
+- `ckms access-rights auditor disable` — revoke an active Auditor ceremony (requires active
+  Administrator; an Auditor cannot disable their own ceremony).
+- CLI docs regenerated in `cli_documentation/docs/main_commands.md`.
+
+- **Unified Administrator role**: merged the separate `SuperAdminConfig` and
+  `administrator_users` into a single `AdministratorConfig` within `RoleConfig`.
+  The Administrator role now provides both operation bypass (all 23 KMIP ops) AND
+  ownership bypass (access any object without grant) in one coherent concept.
+  References: NIST SP 800-57 Part 2 Rev 1 §4.6 (Dual Control), ANSI/INCITS 359-2004 §4.3.
+- **Renamed `super_admin` → `administrator` across the entire stack**: DB trait methods,
+  route paths, ceremony attributes, config fields, test infra, SQL table
+  (`administrator_activations`), SQL query names, test vector directories, and config files.
+  Removed residual `SuperAdminConfig` dead code (`super_admin_config.rs`).
+
+## Security
+
+- Administrator access is audit-logged at `WARN` level (`ADMINISTRATOR_ACCESS`, `ADMINISTRATOR_DISABLED`).
+- Ceremony activation record stores a SHA-256 fingerprint of the reconstructed secret.
+- Config-only mode provides always-on access; ceremony mode provides defence-in-depth.
+- **Fail-secure unenrolled users**: when role enforcement is active, users not listed in any
+  role now default to Operator (minimum privilege) instead of being unrestricted.
+  Per NIST SP 800-57 Part 2 Rev 1 §4.8 (access control / need-to-know).
+- **Ceremony initiator check**: `JoinSplitKey` verifies the **assembling user** is in
+  `administrator_users` before activating the Administrator ceremony.
+- **Administrator bypass excludes HSM-backed keys**: HSM objects continue to use their own
+  admin rules; the Administrator bypass applies only to non-HSM Managed Objects.
+- **`role_for()` ceremony guard**: when `administrator_require_ceremony = true`, ceremony
+  candidates are not granted Administrator privileges at dispatch time until the DB-backed
+  `is_administrator()` check confirms the ceremony has been completed.
+- **Role separation validation**: `RoleConfig::validate()` rejects configs where a user
+  appears in multiple role lists (ISO/IEC 19790 §7.4 separation of duty).
+
+## Bug Fixes
+
+- **`create_split_key`: ceremony auto-tag now applies regardless of caller identity**:
+  Previously, the server only auto-tagged split-key shares with the ceremony
+  attribute when the *calling user* was in `super_admin.users`. Because the master key is always
+  created by the *owner* (not the super-admin user), the auto-tag was silently skipped and the
+  ceremony could never activate. Fixed: when `require_ceremony = true`, every
+  `CreateSplitKey` operation produces ceremony-tagged shares unconditionally.
+
+## Features
+
+- **3-role RBAC system** (ISO/IEC 19790 §7.4, KMIP 2.1 §9, ANSI/INCITS 359-2004): introduced
+  `Role` enum and `RoleConfig` struct with `AdministratorConfig`. `privileged_users` renamed
+  to `crypto_officer_users`; new `operator_users` and `administrator` fields.
+  Role enforcement happens at dispatch time before any object-level permission check.
+  ([#651](https://github.com/Cosmian/kms/issues/651))
+- **Administrator role**: server-wide privilege granting full owner-equivalent access to all
+  Managed Objects in the KMS, regardless of ownership or delegation grants. Bypasses
+  `user_has_permission()` and the `Locate` ownership filter.
+- **Split-key ceremony (XOR n-of-n)**: two KMIP 2.1 operations —
+  `CreateSplitKey` and `JoinSplitKey` — implement XOR-based split knowledge (all shares required).
+  The ceremony mode requires all $n$ custodians to submit shares before the Administrator role activates.
+- **`GET /access/administrator/status`**: returns current Administrator configuration and
+  ceremony activation state (available to any authenticated user).
+- **`POST /access/administrator/disable`**: revokes an active ceremony activation (caller must
+  be an active Administrator; ceremony mode only).
+- **`super_admin_activations` table**: DB table (SQLite / PostgreSQL / MySQL) persisting
+  ceremony activation events (activated\_by, participants, key\_hash, revoked\_at / revoked\_by).
+- **`find_all()`** on `ObjectsStore` / database: super-admin `Locate` path that returns all
+  matching objects without user ownership filtering.
+- **`[super_admin]` TOML section**: new server configuration block with `users`,
+  `require_split_key_ceremony`, `split_key_threshold`, and `split_key_total_parts` fields.
+
+## Testing
+
+- **7 new test vectors** for the super-admin and split-key ceremony feature:
+    - `access_control/super_admin_config_only` — config-only mode, user Gets owner's key
+    - `access_control/super_admin_locate_all` — super-admin Locate sees all owners' objects
+    - `access_control/super_admin_ceremony_disable` — full ceremony lifecycle: activate → access → disable → denied
+    - `fips/kmip_operations/create_split_key_xor` — XOR n-of-n round-trip (CreateSplitKey + JoinSplitKey)
+    - `fips/kmip_operations/create_split_key_xor` — XOR 2-of-2 round-trip
+    - `negative/create_split_key_threshold_too_low` — threshold=1 → InvalidRequest
+    - `negative/create_split_key_parts_less_than_threshold` — parts(3) < threshold(5) → InvalidRequest
+- New `CaptureNthEntry` / `capture_nth` manifest field in the vector runner to capture the Nth
+  occurrence of a repeated TTLV tag (needed for individual share UIDs from `CreateSplitKeyResponse`).
+- New `SuperAdminStatus` / `SuperAdminDisable` step operations in the vector runner routing to
+  the flat-JSON REST endpoints (`GET /access/super-admin/status`, `POST /access/super-admin/disable`).
+- Two new server config TOMLs: `cert_auth_super_admin.toml` (config-only, port 9997) and
+  `cert_auth_super_admin_ceremony.toml` (ceremony mode, port 9996).
+
+## Features — Auditor Role
+
+- **Auditor role** (NIST SP 800-57 Part 2 Rev 1 §4.9): new read-only role that
+  can inspect metadata on **all** objects in the KMS (Locate, GetAttributes, Validate only).
+  Strictly blocked from key material access (Get, Export), crypto ops (Encrypt, Decrypt,
+  Sign, MAC), and lifecycle mutations (Create, Destroy, Revoke, Activate).
+- **Config-only mode**: `auditor_users = ["user@example.com"]` with
+  `auditor_require_ceremony = false` grants immediate Auditor access.
+- **Ceremony mode**: `auditor_require_ceremony = true` + split-key ceremony activation
+  via `JoinSplitKey` (same pattern as Administrator ceremony but with
+  `x-cosmian-auditor-ceremony` vendor attribute).
+- **`GET /access/auditor/status`**: returns current Auditor configuration and ceremony
+  activation state.
+- **`POST /access/auditor/disable`**: revokes an active Auditor ceremony (caller must be
+  an active Administrator).
+- **Role enforcement in RequestMessage path**: `check_role_permission` is now called from
+  `process_operation()` (message.rs) in addition to `dispatch_inner()`, ensuring consistent
+  RBAC enforcement regardless of request format (single-operation TTLV or batched RequestMessage).
+
+## Security — Auditor
+
+- Auditor role is **dispatch-gated**: unlike Operator/CryptoOfficer which defer to handler
+  checks, Auditor operations are blocked at the dispatch layer (the only gate).
+- Auditor ceremony candidates are exempt from the `JoinSplitKey` create-permission check
+  (same pattern as Administrator candidates).
+- Non-auditor users cannot complete the Auditor ceremony (`JoinSplitKey` rejects if the
+  assembling user is not in `auditor.users`).
+- Role separation enforced: `RoleConfig::validate()` rejects configs where a user appears
+  in both `auditor_users` and any other role list.
+
+## Testing — Auditor
+
+- **7 new test vectors** for the Auditor role and role-separation-of-duty:
+    - `access_control/auditor_config_only_allowed` — Auditor can Locate and GetAttributes on any object
+    - `access_control/auditor_config_only_blocked_keymat` — Auditor blocked from Get, Encrypt, Create, Destroy
+    - `access_control/auditor_ceremony_activate` — full ceremony lifecycle: split → grant → join → audit → blocked
+    - `access_control/auditor_ceremony_blocked_before_activation` — Auditor candidate has no bypass before ceremony
+    - `access_control/operator_role_blocked_lifecycle` — Operator cannot CreateKeyPair or CreateSplitKey
+    - `access_control/crypto_officer_role_allowed_ops` — CryptoOfficer can Create, CreateKeyPair, Get, Destroy
+    - `access_control/privilege_escalation_auditor_ceremony_wrong_user` — non-auditor cannot activate ceremony
+- 4 new server config TOMLs: `cert_auth_auditor.toml`, `cert_auth_auditor_ceremony.toml`,
+  `cert_auth_auditor_ceremony_fresh.toml`, `cert_auth_operator_and_crypto_officer.toml`.