Complete RBAC & Audit Integration Across All Endpoints #89

@mrveiss

Overview

Issue #8 implemented the RBAC and Audit Logging infrastructure, but the enforcement and logging aren't yet integrated into all API endpoints. This issue tracks completing that integration.

Current State

✅ Implemented (Infrastructure)

  • AuthMiddleware enforcing JWT/API key authentication
  • Role and Permission models with seeded defaults
  • Approval Rules and Approval Workflow system
  • Audit logging service (DB + file + SIEM webhook)
  • LDAP/AD authentication with group sync
  • All management UI pages

❌ Not Yet Integrated

1. Audit Logging Missing From:

| Route | Operations to Audit |
|---|---|
| nodes.py | State transitions, CRUD operations |
| groups.py | Create, update, delete device groups |
| storage.py | Storage backend CRUD |
| templates.py | Template CRUD |
| workflows.py | Workflow execution |
| hypervisors.py | Hypervisor CRUD |

2. Approval Enforcement Missing:

Critical operations should check approval rules before executing:

  • Node state transitions: reprovision, retire, wipe
  • Bulk operations on nodes
  • Template deletion
  • Storage backend deletion

3. Permission Checks Missing:

Endpoints should verify that the user has the required permissions:

  • node:read, node:update, node:transition
  • group:read, group:update, group:delete
  • storage:read, storage:update, storage:delete
  • etc.

Implementation Tasks

  • Add audit_action() calls to nodes.py for all state transitions
  • Add audit_action() calls to groups.py, storage.py, templates.py
  • Create require_permission() dependency for permission checks
  • Add permission checks to protected endpoints
  • Create check_approval_required() helper for approval enforcement
  • Integrate approval checks into critical operations (retire, wipe, reprovision)
  • Add frontend confirmation dialogs that show approval requirements

Example Integration

Audit Logging

from src.services.audit import audit_action

@router.put("/nodes/{node_id}/state")
async def transition_node_state(...):
    # ... perform transition ...
    
    await audit_action(
        db, request,
        action="node.transition",
        resource_type="node",
        resource_id=node.id,
        resource_name=node.hostname,
        details={"from_state": old_state, "to_state": new_state},
        result="success",
    )

Permission Check

from src.api.dependencies import require_permission

@router.delete("/nodes/{node_id}")
async def delete_node(
    node_id: str,
    user: User = Depends(require_permission("node", "delete")),
    db: AsyncSession = Depends(get_db),
):
    # User is guaranteed to have node:delete permission
    ...

Approval Check

from src.services.approvals import check_approval_required, get_pending_approval

@router.put("/nodes/{node_id}/state")
async def transition_node_state(node_id: str, new_state: str, ...):
    if new_state in ["reprovision", "retired"]:
        approval = await check_approval_required(
            db, user, "node.transition", node_id, {"new_state": new_state}
        )
        if approval and approval.status != "approved":
            raise HTTPException(403, f"Approval required. Approval ID: {approval.id}")
    
    # Proceed with transition
    ...

Acceptance Criteria

  • All CRUD operations logged to audit
  • All state transitions logged to audit
  • Critical operations require approval when rules are configured
  • Endpoints enforce permissions based on user's role
  • Audit logs show complete history of all changes
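The three snippets under Example Integration, combined into one guarded operation, as an added example that is not part of the original issue or the project's code: the permission check runs first, then the approval gate, and the audit record is written for refused attempts as well as successful ones. Everything here is an in-memory stand-in with simplified signatures (no FastAPI, no database); the `User` fields, the rule set, the `APPROVED` store, the `"denied"` result value and the node dict are assumptions.

```python
import asyncio
from dataclasses import dataclass, field

class Denied(Exception):
    """Would map to an HTTP 403 in the real endpoint."""

@dataclass
class User:  # hypothetical stand-in for the project's User model
    name: str
    permissions: set = field(default_factory=set)  # e.g. {"node:transition"}

AUDIT_LOG = []  # stand-in for the DB/file/SIEM sinks
APPROVAL_RULES = {"node.transition": {"reprovision", "retired"}}  # constructed rules
APPROVED = set()  # (action, resource_id, new_state) tuples already approved

async def audit_action(user, action, resource_id, details, result):
    AUDIT_LOG.append({"user": user.name, "action": action, "resource_id": resource_id,
                      "details": details, "result": result})

def require_permission(resource, action):
    """Return a checker that raises unless the user holds resource:action."""
    needed = f"{resource}:{action}"
    def check(user):
        if needed not in user.permissions:
            raise Denied(f"missing permission {needed}")
        return user
    return check

def check_approval_required(action, resource_id, new_state):
    """True when a rule covers this change and no approval has been granted."""
    gated = new_state in APPROVAL_RULES.get(action, set())
    return gated and (action, resource_id, new_state) not in APPROVED

async def transition_node_state(user, node, new_state):
    details = {"from_state": node["state"], "to_state": new_state}
    try:
        require_permission("node", "transition")(user)  # 1. permission
        if check_approval_required("node.transition", node["id"], new_state):
            raise Denied("approval required")  # 2. approval
    except Denied as exc:
        # Refused attempts are audited too, then re-raised for the caller.
        await audit_action(user, "node.transition", node["id"],
                           {**details, "reason": str(exc)}, "denied")
        raise
    node["state"] = new_state  # 3. state changes only after both gates pass
    await audit_action(user, "node.transition", node["id"], details, "success")
    return node
```

Run a transition with `asyncio.run(transition_node_state(user, node, "retired"))` and inspect `AUDIT_LOG` afterwards to see one entry per attempt, whether it was allowed or refused.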
