pki: admin can list/delete any paste

Add is_admin() helper to check if current user is admin.
Update DELETE /<id> to allow admin to delete any paste.
Update GET /pastes to support ?all=1 for admin to list all pastes.
Admin view includes owner fingerprint in paste metadata.

tests/test_pki.py

@@ -619,3 +619,98 @@ class TestPKCS12Creation:
         # Should succeed with correct password
         loaded_key, _, _ = pkcs12.load_key_and_certificates(p12_data, password=b"secret123")
         assert loaded_key is not None
+
+
+class TestAdminPrivileges:
+    """Test admin privileges for list/delete operations."""
+
+    def test_admin_can_list_all_pastes(self, client):
+        """Admin can list all pastes with ?all=1."""
+        # Setup: Create CA and issue admin cert (first user)
+        client.post("/pki/ca")
+        admin_resp = client.post("/pki/issue", json={"common_name": "admin"})
+        admin_fp = admin_resp.get_json()["fingerprint_sha1"]
+
+        # Issue non-admin cert (second user)
+        user_resp = client.post("/pki/issue", json={"common_name": "user"})
+        user_fp = user_resp.get_json()["fingerprint_sha1"]
+
+        # User creates a paste
+        paste_resp = client.post("/", data=b"user content", headers={"X-SSL-Client-SHA1": user_fp})
+        assert paste_resp.status_code == 201
+
+        # User can only see their own pastes
+        user_list = client.get("/pastes", headers={"X-SSL-Client-SHA1": user_fp})
+        assert user_list.status_code == 200
+        assert user_list.get_json()["count"] == 1
+        assert "is_admin" not in user_list.get_json()
+
+        # Admin lists only their own by default (no pastes)
+        admin_list = client.get("/pastes", headers={"X-SSL-Client-SHA1": admin_fp})
+        assert admin_list.status_code == 200
+        assert admin_list.get_json()["count"] == 0
+        assert admin_list.get_json()["is_admin"] is True
+
+        # Admin lists all with ?all=1
+        admin_all = client.get("/pastes?all=1", headers={"X-SSL-Client-SHA1": admin_fp})
+        assert admin_all.status_code == 200
+        assert admin_all.get_json()["count"] == 1
+        # Includes owner info
+        assert "owner" in admin_all.get_json()["pastes"][0]
+        assert admin_all.get_json()["pastes"][0]["owner"] == user_fp
+
+    def test_non_admin_cannot_use_all_param(self, client):
+        """Non-admin ?all=1 is ignored."""
+        client.post("/pki/ca")
+        # First user is admin
+        client.post("/pki/issue", json={"common_name": "admin"})
+        # Second user is not
+        user_resp = client.post("/pki/issue", json={"common_name": "user"})
+        user_fp = user_resp.get_json()["fingerprint_sha1"]
+
+        # User tries ?all=1, should be ignored
+        resp = client.get("/pastes?all=1", headers={"X-SSL-Client-SHA1": user_fp})
+        assert resp.status_code == 200
+        assert "is_admin" not in resp.get_json()
+
+    def test_admin_can_delete_any_paste(self, client):
+        """Admin can delete pastes owned by others."""
+        client.post("/pki/ca")
+        admin_resp = client.post("/pki/issue", json={"common_name": "admin"})
+        admin_fp = admin_resp.get_json()["fingerprint_sha1"]
+
+        user_resp = client.post("/pki/issue", json={"common_name": "user"})
+        user_fp = user_resp.get_json()["fingerprint_sha1"]
+
+        # User creates a paste
+        paste_resp = client.post("/", data=b"user content", headers={"X-SSL-Client-SHA1": user_fp})
+        paste_id = paste_resp.get_json()["id"]
+
+        # Admin deletes it
+        delete_resp = client.delete(f"/{paste_id}", headers={"X-SSL-Client-SHA1": admin_fp})
+        assert delete_resp.status_code == 200
+        assert delete_resp.get_json()["message"] == "Paste deleted"
+
+        # Verify gone
+        get_resp = client.get(f"/{paste_id}")
+        assert get_resp.status_code == 404
+
+    def test_non_admin_cannot_delete_others_paste(self, client):
+        """Non-admin cannot delete pastes owned by others."""
+        client.post("/pki/ca")
+        # First user is admin (create so second is not)
+        admin_resp = client.post("/pki/issue", json={"common_name": "admin"})
+        admin_fp = admin_resp.get_json()["fingerprint_sha1"]
+
+        user_resp = client.post("/pki/issue", json={"common_name": "user"})
+        user_fp = user_resp.get_json()["fingerprint_sha1"]
+
+        # Admin creates a paste
+        paste_resp = client.post(
+            "/", data=b"admin content", headers={"X-SSL-Client-SHA1": admin_fp}
+        )
+        paste_id = paste_resp.get_json()["id"]
+
+        # User tries to delete it
+        delete_resp = client.delete(f"/{paste_id}", headers={"X-SSL-Client-SHA1": user_fp})
+        assert delete_resp.status_code == 403