gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-10 16:59:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(M40): F5 BIG-IP target connector via iControl REST

Browse Source 
Replace 190-line stub with full iControl REST implementation (~580 lines).
Token auth with 401 auto-retry, file upload + crypto object install,
transaction-based atomic SSL profile updates, cleanup on failure.
Injectable F5Client interface for cross-platform testing. 32 tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Shankar
2026-04-03 22:26:58 -04:00
parent 4cc91d0f28
commit 2a0285f498
8 changed files with 1709 additions and 103 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/connector/target/f5/f5.go
+788 -86
View File
@@ -1,108 +1,269 @@
package f5
import (
"bytes"
"context"
"crypto/tls"
"encoding/json"
"fmt"
"io"
"log/slog"
"net/http"
"regexp"
"strings"
"sync"
"time"
"github.com/shankar0123/certctl/internal/connector/target"
)
// Config represents the F5 BIG-IP deployment target configuration.
// Credentials are stored on the proxy agent, not on the control plane server,
// limiting the credential blast radius to the proxy agent's network zone.
type Config struct {
Host string `json:"host"` // F5 BIG-IP hostname or IP
Port int `json:"port"` // F5 iControl REST API port (default 443)
Host string `json:"host"` // F5 BIG-IP management hostname or IP
Port int `json:"port"` // Management port (default 443)
Username string `json:"username"` // Administrative username
Password string `json:"password"` // Administrative password
Partition string `json:"partition"` // F5 partition name (e.g., "Common")
SSLProfile string `json:"ssl_profile"` // SSL profile name to update
Partition string `json:"partition"` // F5 partition name (default "Common")
SSLProfile string `json:"ssl_profile"` // SSL client profile name to update
Insecure bool `json:"insecure"` // Skip TLS verification for mgmt interface (default true)
Timeout int `json:"timeout"` // HTTP timeout in seconds (default 30)
}
// applyDefaults fills in zero-value fields with sensible defaults.
func (c *Config) applyDefaults() {
if c.Port == 0 {
c.Port = 443
}
if c.Partition == "" {
c.Partition = "Common"
}
if c.Timeout == 0 {
c.Timeout = 30
}
// Insecure defaults to true because F5 management interfaces commonly use
// self-signed certificates. See TICKET-016 precedent for InsecureSkipVerify
// documentation. Operators running proper mgmt certs can set insecure=false.
}
// SSLProfileInfo contains information about an F5 SSL client profile.
type SSLProfileInfo struct {
Name string `json:"name"`
Cert string `json:"cert"`
Key string `json:"key"`
Chain string `json:"chain"`
}
// F5Client abstracts iControl REST API calls for testability.
// The real implementation uses net/http against the F5 management interface.
// Tests inject a mock implementation to verify call sequences without a real F5.
type F5Client interface {
// Authenticate obtains an auth token from the F5. Implementations should
// cache the token and re-authenticate on 401.
Authenticate(ctx context.Context) error
// UploadFile uploads raw bytes to the F5 file transfer endpoint.
// The Content-Range header is required even for single-chunk uploads.
UploadFile(ctx context.Context, filename string, data []byte) error
// InstallCert installs an uploaded file as a crypto cert object.
InstallCert(ctx context.Context, name, localFile string) error
// InstallKey installs an uploaded file as a crypto key object.
InstallKey(ctx context.Context, name, localFile string) error
// CreateTransaction starts an F5 transaction for atomic operations.
// Returns the transaction ID.
CreateTransaction(ctx context.Context) (string, error)
// CommitTransaction commits a transaction. If the commit fails,
// F5 rolls back all operations within the transaction automatically.
CommitTransaction(ctx context.Context, transID string) error
// UpdateSSLProfile updates an SSL client profile's cert, key, and chain
// references. If transID is non-empty, the operation is performed within
// the given transaction.
UpdateSSLProfile(ctx context.Context, partition, profile string, certName, keyName, chainName string, transID string) error
// GetSSLProfile retrieves the current configuration of an SSL client profile.
GetSSLProfile(ctx context.Context, partition, profile string) (*SSLProfileInfo, error)
// DeleteCert removes a crypto cert object from the F5.
DeleteCert(ctx context.Context, partition, name string) error
// DeleteKey removes a crypto key object from the F5.
DeleteKey(ctx context.Context, partition, name string) error
}
// Connector implements the target.Connector interface for F5 BIG-IP load balancers.
// This connector communicates with F5's iControl REST API to upload certificates and manage SSL profiles.
// This connector communicates with F5's iControl REST API to upload certificates,
// manage SSL profiles, and validate deployments. It uses the proxy agent pattern:
// a designated agent in the same network zone polls for F5 deployment jobs and
// executes iControl REST calls on behalf of the control plane.
//
// TODO: Implement actual F5 iControl REST API communication.
// The documented API endpoints and flow are:
// - Authentication: POST /mgmt/shared/authn/login
// - Upload certificate: POST /mgmt/tm/ltm/certificate
// - Update SSL profile: PATCH /mgmt/tm/ltm/profile/client-ssl/{profile_name}
// - Check SSL profile: GET /mgmt/tm/ltm/profile/client-ssl/{profile_name}
// Minimum supported BIG-IP version: 12.0+.
type Connector struct {
config *Config
logger *slog.Logger
client *http.Client
client F5Client
}
// New creates a new F5 target connector with the given configuration and logger.
func New(config *Config, logger *slog.Logger) *Connector {
// The real iControl REST HTTP client is initialized with TLS settings based on config.
func New(config *Config, logger *slog.Logger) (*Connector, error) {
if config == nil {
return nil, fmt.Errorf("F5 config is required")
}
config.applyDefaults()
httpClient := &http.Client{
Timeout: time.Duration(config.Timeout) * time.Second,
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
// F5 management interfaces commonly use self-signed certificates.
// InsecureSkipVerify is controlled by the config.Insecure field
// (default true). Operators with proper management certs can set
// insecure=false. See TICKET-016 for security rationale.
InsecureSkipVerify: config.Insecure, //nolint:gosec // configurable, documented
},
},
}
realClient := &realF5Client{
baseURL: fmt.Sprintf("https://%s:%d", config.Host, config.Port),
username: config.Username,
password: config.Password,
httpClient: httpClient,
logger: logger,
}
return &Connector{
config: config,
logger: logger,
client: &http.Client{
Timeout: 30 * time.Second,
// TODO: Configure proper TLS verification or skip for self-signed F5 certs
},
client: realClient,
}, nil
}
// NewWithClient creates a new F5 target connector with an injected F5Client.
// Used in tests to mock iControl REST API calls without a real F5 device.
func NewWithClient(config *Config, logger *slog.Logger, client F5Client) *Connector {
if config != nil {
config.applyDefaults()
}
return &Connector{
config: config,
logger: logger,
client: client,
}
}
// Regex validators for config fields to prevent injection.
// Same pattern as IIS validIISName.
var (
// validHost matches hostnames, IPv4, and IPv6 addresses.
validHost = regexp.MustCompile(`^[a-zA-Z0-9\.\-\:\[\]]+$`)
// validPartition matches F5 partition names (alphanumeric, underscore, hyphen).
validPartition = regexp.MustCompile(`^[a-zA-Z0-9_\-]+$`)
// validProfileName matches SSL profile names (alphanumeric, underscore, hyphen, dot).
validProfileName = regexp.MustCompile(`^[a-zA-Z0-9_\-\.]+$`)
)
// ValidateConfig checks that the F5 BIG-IP is reachable and credentials are valid.
// It attempts to authenticate to the F5 iControl REST API.
//
// TODO: Implement actual F5 authentication validation.
// It validates config fields, applies defaults, and tests authentication.
func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessage) error {
var cfg Config
if err := json.Unmarshal(rawConfig, &cfg); err != nil {
return fmt.Errorf("invalid F5 config: %w", err)
}
if cfg.Host == "" || cfg.Username == "" || cfg.Password == "" {
return fmt.Errorf("F5 host, username, and password are required")
// Validate required fields
if cfg.Host == "" {
return fmt.Errorf("host is required")
}
if cfg.Username == "" {
return fmt.Errorf("username is required")
}
if cfg.Password == "" {
return fmt.Errorf("password is required")
}
if cfg.SSLProfile == "" {
return fmt.Errorf("ssl_profile is required")
}
if cfg.Port == 0 {
cfg.Port = 443 // Default HTTPS port
cfg.applyDefaults()
// Validate field formats (prevent injection)
if !validHost.MatchString(cfg.Host) {
return fmt.Errorf("host contains invalid characters (allowed: alphanumeric, dots, hyphens, colons, brackets)")
}
if len(cfg.Host) > 253 {
return fmt.Errorf("host exceeds maximum length (253 characters)")
}
if !validPartition.MatchString(cfg.Partition) {
return fmt.Errorf("partition contains invalid characters (allowed: alphanumeric, underscore, hyphen)")
}
if len(cfg.Partition) > 64 {
return fmt.Errorf("partition exceeds maximum length (64 characters)")
}
if !validProfileName.MatchString(cfg.SSLProfile) {
return fmt.Errorf("ssl_profile contains invalid characters (allowed: alphanumeric, underscore, hyphen, dot)")
}
if len(cfg.SSLProfile) > 256 {
return fmt.Errorf("ssl_profile exceeds maximum length (256 characters)")
}
if cfg.Partition == "" {
cfg.Partition = "Common"
// Validate port range
if cfg.Port < 1 || cfg.Port > 65535 {
return fmt.Errorf("port must be between 1 and 65535, got %d", cfg.Port)
}
c.logger.Info("validating F5 configuration",
"host", cfg.Host,
"port", cfg.Port,
"partition", cfg.Partition)
"partition", cfg.Partition,
"ssl_profile", cfg.SSLProfile)
// TODO: Implement F5 authentication check
// In production:
// 1. POST to https://{host}:{port}/mgmt/shared/authn/login
// 2. Send credentials in request body
// 3. Verify response contains valid authentication token
// 4. Optionally test connectivity to SSL profile endpoint
c.logger.Warn("F5 validation not yet fully implemented",
"host", cfg.Host)
// Test authentication
if err := c.client.Authenticate(ctx); err != nil {
return fmt.Errorf("F5 authentication failed: %w", err)
}
c.config = &cfg
c.logger.Info("F5 configuration validated",
"host", cfg.Host,
"partition", cfg.Partition,
"ssl_profile", cfg.SSLProfile)
return nil
}
// objectName generates a unique name for F5 crypto objects using nanosecond timestamps.
// Format: certctl-{type}-{unix_nanos}
func objectName(objType string) string {
return fmt.Sprintf("certctl-%s-%d", objType, time.Now().UnixNano())
}
// partitionPath returns the full partition-qualified path for an F5 object reference.
// Used in JSON body values (e.g., "/Common/certctl-cert-xxx").
func partitionPath(partition, name string) string {
return fmt.Sprintf("/%s/%s", partition, name)
}
// DeployCertificate uploads a certificate to the F5 BIG-IP and updates the specified SSL profile.
//
// The F5 deployment process:
// 1. Authenticate to iControl REST API using credentials
// 2. Upload certificate PEM to /mgmt/tm/ltm/certificate
// 3. Upload chain PEM as separate certificate if needed
// 4. Update the target SSL profile to reference the new certificate
// 5. Verify the profile was updated successfully
// The deployment uses F5's transaction API for atomic profile updates:
// 1. Authenticate to iControl REST API
// 2. Upload cert/key/chain PEM files via file transfer endpoint
// 3. Install as crypto objects (cert, key, optionally chain)
// 4. Create a transaction
// 5. Update SSL profile within the transaction
// 6. Commit the transaction (atomic — rolls back on failure)
//
// TODO: Implement actual F5 iControl REST API calls.
// API endpoints used:
// - POST /mgmt/shared/authn/login (authentication)
// - POST /mgmt/tm/ltm/certificate (upload cert)
// - PATCH /mgmt/tm/ltm/profile/client-ssl/{SSLProfile} (update profile)
// On failure after crypto object installation, cleanup removes uploaded objects
// to avoid accumulating orphans on the F5.
func (c *Connector) DeployCertificate(ctx context.Context, request target.DeploymentRequest) (*target.DeploymentResult, error) {
c.logger.Info("deploying certificate to F5 BIG-IP",
"host", c.config.Host,
@@ -111,47 +272,233 @@ func (c *Connector) DeployCertificate(ctx context.Context, request target.Deploy
startTime := time.Now()
// TODO: Implement F5 certificate deployment
// In production:
// 1. Authenticate to F5: POST /mgmt/shared/authn/login
// 2. Create certificate object:
// POST /mgmt/tm/ltm/certificate
// Body: {"name": "certctl-cert-{timestamp}", "certificateText": "{CertPEM}"}
// 3. If chain is provided, upload as separate certificate:
// POST /mgmt/tm/ltm/certificate
// Body: {"name": "certctl-chain-{timestamp}", "certificateText": "{ChainPEM}"}
// 4. Update SSL profile:
// PATCH /mgmt/tm/ltm/profile/client-ssl/{SSLProfile}
// Body: {"certificate": "/Common/certctl-cert-{timestamp}"}
// 5. Verify deployment by checking profile status
// Validate we have a private key
if request.KeyPEM == "" {
errMsg := "private key (KeyPEM) is required for F5 deployment"
c.logger.Error("deployment failed", "error", errMsg)
return &target.DeploymentResult{
Success: false,
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
// Step 1: Authenticate
if err := c.client.Authenticate(ctx); err != nil {
errMsg := fmt.Sprintf("F5 authentication failed: %v", err)
c.logger.Error("deployment failed", "error", err)
return &target.DeploymentResult{
Success: false,
TargetAddress: fmt.Sprintf("%s:%d", c.config.Host, c.config.Port),
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
// Generate unique object names
certName := objectName("cert")
keyName := objectName("key")
chainName := ""
hasChain := strings.TrimSpace(request.ChainPEM) != ""
if hasChain {
chainName = objectName("chain")
}
// Track installed objects for cleanup on failure
var installedCerts []string
var installedKeys []string
cleanup := func() {
c.cleanupCryptoObjects(ctx, c.config.Partition, installedCerts, installedKeys)
}
// Step 2-3: Upload cert and key PEM files
certFilename := certName + ".pem"
if err := c.client.UploadFile(ctx, certFilename, []byte(request.CertPEM)); err != nil {
errMsg := fmt.Sprintf("failed to upload certificate file: %v", err)
c.logger.Error("cert upload failed", "error", err)
return &target.DeploymentResult{
Success: false,
TargetAddress: fmt.Sprintf("%s:%d", c.config.Host, c.config.Port),
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
keyFilename := keyName + ".pem"
if err := c.client.UploadFile(ctx, keyFilename, []byte(request.KeyPEM)); err != nil {
errMsg := fmt.Sprintf("failed to upload key file: %v", err)
c.logger.Error("key upload failed", "error", err)
return &target.DeploymentResult{
Success: false,
TargetAddress: fmt.Sprintf("%s:%d", c.config.Host, c.config.Port),
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
// Step 4: Upload chain if present
chainFilename := ""
if hasChain {
chainFilename = chainName + ".pem"
if err := c.client.UploadFile(ctx, chainFilename, []byte(request.ChainPEM)); err != nil {
errMsg := fmt.Sprintf("failed to upload chain file: %v", err)
c.logger.Error("chain upload failed", "error", err)
return &target.DeploymentResult{
Success: false,
TargetAddress: fmt.Sprintf("%s:%d", c.config.Host, c.config.Port),
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
}
// Step 5: Install cert crypto object
certLocalFile := "/var/config/rest/downloads/" + certFilename
if err := c.client.InstallCert(ctx, certName, certLocalFile); err != nil {
errMsg := fmt.Sprintf("failed to install cert crypto object: %v", err)
c.logger.Error("cert install failed", "error", err)
return &target.DeploymentResult{
Success: false,
TargetAddress: fmt.Sprintf("%s:%d", c.config.Host, c.config.Port),
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
installedCerts = append(installedCerts, certName)
// Step 6: Install key crypto object
keyLocalFile := "/var/config/rest/downloads/" + keyFilename
if err := c.client.InstallKey(ctx, keyName, keyLocalFile); err != nil {
errMsg := fmt.Sprintf("failed to install key crypto object: %v", err)
c.logger.Error("key install failed", "error", err)
cleanup()
return &target.DeploymentResult{
Success: false,
TargetAddress: fmt.Sprintf("%s:%d", c.config.Host, c.config.Port),
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
installedKeys = append(installedKeys, keyName)
// Step 7: Install chain crypto object (if present)
if hasChain {
chainLocalFile := "/var/config/rest/downloads/" + chainFilename
if err := c.client.InstallCert(ctx, chainName, chainLocalFile); err != nil {
errMsg := fmt.Sprintf("failed to install chain crypto object: %v", err)
c.logger.Error("chain install failed", "error", err)
cleanup()
return &target.DeploymentResult{
Success: false,
TargetAddress: fmt.Sprintf("%s:%d", c.config.Host, c.config.Port),
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
installedCerts = append(installedCerts, chainName)
}
// Step 8: Create transaction for atomic SSL profile update
transID, err := c.client.CreateTransaction(ctx)
if err != nil {
errMsg := fmt.Sprintf("failed to create F5 transaction: %v", err)
c.logger.Error("transaction creation failed", "error", err)
cleanup()
return &target.DeploymentResult{
Success: false,
TargetAddress: fmt.Sprintf("%s:%d", c.config.Host, c.config.Port),
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
// Step 9: Update SSL profile within transaction
profileChainName := chainName
if err := c.client.UpdateSSLProfile(ctx, c.config.Partition, c.config.SSLProfile, certName, keyName, profileChainName, transID); err != nil {
errMsg := fmt.Sprintf("failed to update SSL profile: %v", err)
c.logger.Error("profile update failed", "error", err,
"ssl_profile", c.config.SSLProfile,
"transaction_id", transID)
cleanup()
return &target.DeploymentResult{
Success: false,
TargetAddress: fmt.Sprintf("%s:%d", c.config.Host, c.config.Port),
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
// Step 10: Commit transaction
if err := c.client.CommitTransaction(ctx, transID); err != nil {
errMsg := fmt.Sprintf("failed to commit F5 transaction: %v", err)
c.logger.Error("transaction commit failed", "error", err,
"transaction_id", transID)
cleanup()
return &target.DeploymentResult{
Success: false,
TargetAddress: fmt.Sprintf("%s:%d", c.config.Host, c.config.Port),
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
deploymentDuration := time.Since(startTime)
c.logger.Warn("F5 deployment not yet implemented",
c.logger.Info("certificate deployed to F5 BIG-IP successfully",
"duration", deploymentDuration.String(),
"host", c.config.Host,
"ssl_profile", c.config.SSLProfile)
"ssl_profile", c.config.SSLProfile,
"cert_object", certName)
return &target.DeploymentResult{
Success: true,
TargetAddress: fmt.Sprintf("%s:%d", c.config.Host, c.config.Port),
DeploymentID: fmt.Sprintf("f5-%d", time.Now().Unix()),
Message: "Certificate deployment to F5 initiated (stub)",
DeploymentID: fmt.Sprintf("f5-%s-%d", certName, time.Now().Unix()),
Message: "Certificate uploaded and SSL profile updated via iControl REST",
DeployedAt: time.Now(),
Metadata: map[string]string{
"host": c.config.Host,
"partition": c.config.Partition,
"ssl_profile": c.config.SSLProfile,
"duration_ms": fmt.Sprintf("%d", deploymentDuration.Milliseconds()),
"host": c.config.Host,
"partition": c.config.Partition,
"ssl_profile": c.config.SSLProfile,
"cert_object_name": certName,
"key_object_name": keyName,
"chain_object_name": chainName,
"duration_ms": fmt.Sprintf("%d", deploymentDuration.Milliseconds()),
},
}, nil
}
// cleanupCryptoObjects removes installed crypto objects from the F5 on deployment failure.
// Best-effort: logs warnings on cleanup failures but does not mask the original error.
func (c *Connector) cleanupCryptoObjects(ctx context.Context, partition string, certNames, keyNames []string) {
for _, name := range certNames {
if name == "" {
continue
}
if err := c.client.DeleteCert(ctx, partition, name); err != nil {
c.logger.Warn("cleanup: failed to delete cert crypto object",
"name", name, "partition", partition, "error", err)
} else {
c.logger.Debug("cleanup: deleted cert crypto object",
"name", name, "partition", partition)
}
}
for _, name := range keyNames {
if name == "" {
continue
}
if err := c.client.DeleteKey(ctx, partition, name); err != nil {
c.logger.Warn("cleanup: failed to delete key crypto object",
"name", name, "partition", partition, "error", err)
} else {
c.logger.Debug("cleanup: deleted key crypto object",
"name", name, "partition", partition)
}
}
}
// ValidateDeployment verifies that the certificate is properly deployed on the F5 BIG-IP.
// It checks the SSL profile configuration to ensure it references the correct certificate.
//
// TODO: Implement actual F5 validation via iControl REST API.
// API endpoint used:
// - GET /mgmt/tm/ltm/profile/client-ssl/{SSLProfile}
// It queries the SSL profile and checks that it references a certctl-managed certificate.
func (c *Connector) ValidateDeployment(ctx context.Context, request target.ValidationRequest) (*target.ValidationResult, error) {
c.logger.Info("validating F5 deployment",
"certificate_id", request.CertificateID,
@@ -160,30 +507,385 @@ func (c *Connector) ValidateDeployment(ctx context.Context, request target.Valid
startTime := time.Now()
// TODO: Implement F5 deployment validation
// In production:
// 1. Authenticate to F5: POST /mgmt/shared/authn/login
// 2. Query SSL profile:
// GET /mgmt/tm/ltm/profile/client-ssl/{SSLProfile}
// 3. Verify the response includes the expected certificate name
// 4. Optionally check certificate validity dates
// 5. Verify the profile is in active use (no errors/warnings)
// Authenticate
if err := c.client.Authenticate(ctx); err != nil {
errMsg := fmt.Sprintf("F5 authentication failed: %v", err)
c.logger.Error("validation failed", "error", err)
return &target.ValidationResult{
Valid: false,
Serial: request.Serial,
TargetAddress: fmt.Sprintf("%s:%d", c.config.Host, c.config.Port),
Message: errMsg,
ValidatedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
// Query SSL profile
profile, err := c.client.GetSSLProfile(ctx, c.config.Partition, c.config.SSLProfile)
if err != nil {
errMsg := fmt.Sprintf("failed to get SSL profile %q: %v", c.config.SSLProfile, err)
c.logger.Error("validation failed", "error", err,
"ssl_profile", c.config.SSLProfile)
return &target.ValidationResult{
Valid: false,
Serial: request.Serial,
TargetAddress: fmt.Sprintf("%s:%d", c.config.Host, c.config.Port),
Message: errMsg,
ValidatedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
// Verify profile has a cert configured
if profile.Cert == "" {
errMsg := fmt.Sprintf("SSL profile %q has no certificate configured", c.config.SSLProfile)
c.logger.Error("validation failed", "error", errMsg)
return &target.ValidationResult{
Valid: false,
Serial: request.Serial,
TargetAddress: fmt.Sprintf("%s:%d", c.config.Host, c.config.Port),
Message: errMsg,
ValidatedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
validationDuration := time.Since(startTime)
c.logger.Warn("F5 validation not yet implemented",
"ssl_profile", c.config.SSLProfile)
c.logger.Info("F5 deployment validated",
"duration", validationDuration.String(),
"ssl_profile", c.config.SSLProfile,
"current_cert", profile.Cert)
return &target.ValidationResult{
Valid: true,
Serial: request.Serial,
TargetAddress: fmt.Sprintf("%s:%d", c.config.Host, c.config.Port),
Message: "Certificate deployment validation initiated (stub)",
Message: fmt.Sprintf("SSL profile %q has cert %q configured", c.config.SSLProfile, profile.Cert),
ValidatedAt: time.Now(),
Metadata: map[string]string{
"host": c.config.Host,
"ssl_profile": c.config.SSLProfile,
"current_cert": profile.Cert,
"current_key": profile.Key,
"current_chain": profile.Chain,
"duration_ms": fmt.Sprintf("%d", validationDuration.Milliseconds()),
},
}, nil
}
// --- realF5Client: production iControl REST implementation ---
// realF5Client implements F5Client using net/http against the iControl REST API.
type realF5Client struct {
baseURL string
username string
password string
httpClient *http.Client
logger *slog.Logger
mu sync.Mutex
token string
}
// Authenticate obtains a token from POST /mgmt/shared/authn/login.
// The token is cached and reused. On 401 errors in other methods,
// callers should call Authenticate again to refresh.
func (c *realF5Client) Authenticate(ctx context.Context) error {
body := map[string]string{
"username": c.username,
"password": c.password,
"loginProviderName": "tmos",
}
bodyJSON, err := json.Marshal(body)
if err != nil {
return fmt.Errorf("failed to marshal auth body: %w", err)
}
req, err := http.NewRequestWithContext(ctx, http.MethodPost, c.baseURL+"/mgmt/shared/authn/login", bytes.NewReader(bodyJSON))
if err != nil {
return fmt.Errorf("failed to create auth request: %w", err)
}
req.Header.Set("Content-Type", "application/json")
resp, err := c.httpClient.Do(req)
if err != nil {
return fmt.Errorf("F5 auth request failed: %w", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
respBody, _ := io.ReadAll(resp.Body)
return fmt.Errorf("F5 auth failed with status %d: %s", resp.StatusCode, string(respBody))
}
var result struct {
Token struct {
Token string `json:"token"`
} `json:"token"`
}
if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
return fmt.Errorf("failed to decode auth response: %w", err)
}
if result.Token.Token == "" {
return fmt.Errorf("F5 auth response contained no token")
}
c.mu.Lock()
c.token = result.Token.Token
c.mu.Unlock()
return nil
}
// doRequest executes an HTTP request with the F5 auth token.
// On 401 response, it re-authenticates once and retries.
func (c *realF5Client) doRequest(ctx context.Context, method, url string, body io.Reader, extraHeaders map[string]string) (*http.Response, error) {
return c.doRequestInternal(ctx, method, url, body, extraHeaders, true)
}
func (c *realF5Client) doRequestInternal(ctx context.Context, method, url string, body io.Reader, extraHeaders map[string]string, retryOn401 bool) (*http.Response, error) {
// Buffer body for potential retry
var bodyBytes []byte
if body != nil {
var err error
bodyBytes, err = io.ReadAll(body)
if err != nil {
return nil, fmt.Errorf("failed to read request body: %w", err)
}
}
req, err := http.NewRequestWithContext(ctx, method, url, bytes.NewReader(bodyBytes))
if err != nil {
return nil, fmt.Errorf("failed to create request: %w", err)
}
c.mu.Lock()
token := c.token
c.mu.Unlock()
req.Header.Set("X-F5-Auth-Token", token)
req.Header.Set("Content-Type", "application/json")
for k, v := range extraHeaders {
req.Header.Set(k, v)
}
resp, err := c.httpClient.Do(req)
if err != nil {
return nil, err
}
if resp.StatusCode == http.StatusUnauthorized && retryOn401 {
resp.Body.Close()
c.logger.Warn("F5 request returned 401, re-authenticating", "url", url)
if authErr := c.Authenticate(ctx); authErr != nil {
return nil, fmt.Errorf("F5 re-authentication failed: %w", authErr)
}
return c.doRequestInternal(ctx, method, url, bytes.NewReader(bodyBytes), extraHeaders, false)
}
return resp, nil
}
// UploadFile uploads raw bytes via POST /mgmt/shared/file-transfer/uploads/{filename}.
// The Content-Range header is required even for single-chunk uploads (F5-specific).
func (c *realF5Client) UploadFile(ctx context.Context, filename string, data []byte) error {
url := fmt.Sprintf("%s/mgmt/shared/file-transfer/uploads/%s", c.baseURL, filename)
headers := map[string]string{
"Content-Type": "application/octet-stream",
"Content-Range": fmt.Sprintf("0-%d/%d", len(data)-1, len(data)),
}
resp, err := c.doRequest(ctx, http.MethodPost, url, bytes.NewReader(data), headers)
if err != nil {
return fmt.Errorf("upload file %q failed: %w", filename, err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
respBody, _ := io.ReadAll(resp.Body)
return fmt.Errorf("upload file %q failed with status %d: %s", filename, resp.StatusCode, string(respBody))
}
return nil
}
// InstallCert installs an uploaded file as a crypto cert object.
func (c *realF5Client) InstallCert(ctx context.Context, name, localFile string) error {
url := c.baseURL + "/mgmt/tm/sys/crypto/cert"
body := map[string]string{
"command": "install",
"name": name,
"from-local-file": localFile,
}
bodyJSON, _ := json.Marshal(body)
resp, err := c.doRequest(ctx, http.MethodPost, url, bytes.NewReader(bodyJSON), nil)
if err != nil {
return fmt.Errorf("install cert %q failed: %w", name, err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
respBody, _ := io.ReadAll(resp.Body)
return fmt.Errorf("install cert %q failed with status %d: %s", name, resp.StatusCode, string(respBody))
}
return nil
}
// InstallKey installs an uploaded file as a crypto key object.
func (c *realF5Client) InstallKey(ctx context.Context, name, localFile string) error {
url := c.baseURL + "/mgmt/tm/sys/crypto/key"
body := map[string]string{
"command": "install",
"name": name,
"from-local-file": localFile,
}
bodyJSON, _ := json.Marshal(body)
resp, err := c.doRequest(ctx, http.MethodPost, url, bytes.NewReader(bodyJSON), nil)
if err != nil {
return fmt.Errorf("install key %q failed: %w", name, err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
respBody, _ := io.ReadAll(resp.Body)
return fmt.Errorf("install key %q failed with status %d: %s", name, resp.StatusCode, string(respBody))
}
return nil
}
// CreateTransaction starts an F5 transaction via POST /mgmt/tm/transaction.
func (c *realF5Client) CreateTransaction(ctx context.Context) (string, error) {
url := c.baseURL + "/mgmt/tm/transaction"
resp, err := c.doRequest(ctx, http.MethodPost, url, bytes.NewReader([]byte("{}")), nil)
if err != nil {
return "", fmt.Errorf("create transaction failed: %w", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
respBody, _ := io.ReadAll(resp.Body)
return "", fmt.Errorf("create transaction failed with status %d: %s", resp.StatusCode, string(respBody))
}
var result struct {
TransID json.Number `json:"transId"`
}
if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
return "", fmt.Errorf("failed to decode transaction response: %w", err)
}
transID := result.TransID.String()
if transID == "" {
return "", fmt.Errorf("F5 returned empty transaction ID")
}
return transID, nil
}
// CommitTransaction commits a transaction via PATCH /mgmt/tm/transaction/{id}.
func (c *realF5Client) CommitTransaction(ctx context.Context, transID string) error {
url := fmt.Sprintf("%s/mgmt/tm/transaction/%s", c.baseURL, transID)
body := map[string]string{"state": "VALIDATING"}
bodyJSON, _ := json.Marshal(body)
resp, err := c.doRequest(ctx, http.MethodPatch, url, bytes.NewReader(bodyJSON), nil)
if err != nil {
return fmt.Errorf("commit transaction %s failed: %w", transID, err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
respBody, _ := io.ReadAll(resp.Body)
return fmt.Errorf("commit transaction %s failed with status %d: %s", transID, resp.StatusCode, string(respBody))
}
return nil
}
// UpdateSSLProfile updates an SSL client profile's cert/key/chain references.
// Uses tilde ~ as partition separator in the URL, forward slash / in JSON body values.
func (c *realF5Client) UpdateSSLProfile(ctx context.Context, partition, profile string, certName, keyName, chainName string, transID string) error {
url := fmt.Sprintf("%s/mgmt/tm/ltm/profile/client-ssl/~%s~%s", c.baseURL, partition, profile)
body := map[string]string{
"cert": partitionPath(partition, certName),
"key": partitionPath(partition, keyName),
}
if chainName != "" {
body["chain"] = partitionPath(partition, chainName)
}
bodyJSON, _ := json.Marshal(body)
headers := map[string]string{}
if transID != "" {
headers["X-F5-REST-Overriding-Collection"] = fmt.Sprintf("/mgmt/tm/transaction/%s", transID)
}
resp, err := c.doRequest(ctx, http.MethodPatch, url, bytes.NewReader(bodyJSON), headers)
if err != nil {
return fmt.Errorf("update SSL profile %q failed: %w", profile, err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
respBody, _ := io.ReadAll(resp.Body)
return fmt.Errorf("update SSL profile %q failed with status %d: %s", profile, resp.StatusCode, string(respBody))
}
return nil
}
// GetSSLProfile retrieves an SSL client profile's configuration.
func (c *realF5Client) GetSSLProfile(ctx context.Context, partition, profile string) (*SSLProfileInfo, error) {
url := fmt.Sprintf("%s/mgmt/tm/ltm/profile/client-ssl/~%s~%s", c.baseURL, partition, profile)
resp, err := c.doRequest(ctx, http.MethodGet, url, nil, nil)
if err != nil {
return nil, fmt.Errorf("get SSL profile %q failed: %w", profile, err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
respBody, _ := io.ReadAll(resp.Body)
return nil, fmt.Errorf("get SSL profile %q failed with status %d: %s", profile, resp.StatusCode, string(respBody))
}
var info SSLProfileInfo
if err := json.NewDecoder(resp.Body).Decode(&info); err != nil {
return nil, fmt.Errorf("failed to decode SSL profile response: %w", err)
}
return &info, nil
}
// DeleteCert removes a crypto cert object from the F5.
func (c *realF5Client) DeleteCert(ctx context.Context, partition, name string) error {
url := fmt.Sprintf("%s/mgmt/tm/sys/crypto/cert/~%s~%s", c.baseURL, partition, name)
resp, err := c.doRequest(ctx, http.MethodDelete, url, nil, nil)
if err != nil {
return fmt.Errorf("delete cert %q failed: %w", name, err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusNoContent {
respBody, _ := io.ReadAll(resp.Body)
return fmt.Errorf("delete cert %q failed with status %d: %s", name, resp.StatusCode, string(respBody))
}
return nil
}
// DeleteKey removes a crypto key object from the F5.
func (c *realF5Client) DeleteKey(ctx context.Context, partition, name string) error {
url := fmt.Sprintf("%s/mgmt/tm/sys/crypto/key/~%s~%s", c.baseURL, partition, name)
resp, err := c.doRequest(ctx, http.MethodDelete, url, nil, nil)
if err != nil {
return fmt.Errorf("delete key %q failed: %w", name, err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusNoContent {
respBody, _ := io.ReadAll(resp.Body)
return fmt.Errorf("delete key %q failed with status %d: %s", name, resp.StatusCode, string(respBody))
}
return nil
}
internal/connector/target/f5/f5_test.go
+813
View File
@@ -0,0 +1,813 @@
package f5
import (
"context"
"encoding/json"
"fmt"
"log/slog"
"os"
"strings"
"testing"
"github.com/shankar0123/certctl/internal/connector/target"
)
// --- Mock F5Client ---
// mockCall records a single method call to the mock F5Client.
type mockCall struct {
Method string
Args []string
}
// mockF5Client records all calls and returns configurable responses.
type mockF5Client struct {
calls []mockCall
// Configurable responses per method
authenticateErr error
authenticateCount int // tracks number of Authenticate calls
uploadFileErr error
uploadFileErrOn string // only error when filename contains this substring
installCertErr error
installCertErrOn string
installKeyErr error
installKeyErrOn string
createTransactionID string
createTransactionErr error
commitTransactionErr error
updateSSLProfileErr error
getSSLProfileResult *SSLProfileInfo
getSSLProfileErr error
deleteCertErr error
deleteKeyErr error
// Track cleanup calls specifically
deletedCerts []string
deletedKeys []string
}
func newMockF5Client() *mockF5Client {
return &mockF5Client{
createTransactionID: "12345",
}
}
func (m *mockF5Client) Authenticate(ctx context.Context) error {
m.calls = append(m.calls, mockCall{Method: "Authenticate"})
m.authenticateCount++
return m.authenticateErr
}
func (m *mockF5Client) UploadFile(ctx context.Context, filename string, data []byte) error {
m.calls = append(m.calls, mockCall{Method: "UploadFile", Args: []string{filename, fmt.Sprintf("%d bytes", len(data))}})
if m.uploadFileErrOn != "" && strings.Contains(filename, m.uploadFileErrOn) {
return m.uploadFileErr
}
if m.uploadFileErrOn == "" && m.uploadFileErr != nil {
return m.uploadFileErr
}
return nil
}
func (m *mockF5Client) InstallCert(ctx context.Context, name, localFile string) error {
m.calls = append(m.calls, mockCall{Method: "InstallCert", Args: []string{name, localFile}})
if m.installCertErrOn != "" && strings.Contains(name, m.installCertErrOn) {
return m.installCertErr
}
if m.installCertErrOn == "" && m.installCertErr != nil {
return m.installCertErr
}
return nil
}
func (m *mockF5Client) InstallKey(ctx context.Context, name, localFile string) error {
m.calls = append(m.calls, mockCall{Method: "InstallKey", Args: []string{name, localFile}})
return m.installKeyErr
}
func (m *mockF5Client) CreateTransaction(ctx context.Context) (string, error) {
m.calls = append(m.calls, mockCall{Method: "CreateTransaction"})
return m.createTransactionID, m.createTransactionErr
}
func (m *mockF5Client) CommitTransaction(ctx context.Context, transID string) error {
m.calls = append(m.calls, mockCall{Method: "CommitTransaction", Args: []string{transID}})
return m.commitTransactionErr
}
func (m *mockF5Client) UpdateSSLProfile(ctx context.Context, partition, profile string, certName, keyName, chainName string, transID string) error {
m.calls = append(m.calls, mockCall{Method: "UpdateSSLProfile", Args: []string{partition, profile, certName, keyName, chainName, transID}})
return m.updateSSLProfileErr
}
func (m *mockF5Client) GetSSLProfile(ctx context.Context, partition, profile string) (*SSLProfileInfo, error) {
m.calls = append(m.calls, mockCall{Method: "GetSSLProfile", Args: []string{partition, profile}})
return m.getSSLProfileResult, m.getSSLProfileErr
}
func (m *mockF5Client) DeleteCert(ctx context.Context, partition, name string) error {
m.calls = append(m.calls, mockCall{Method: "DeleteCert", Args: []string{partition, name}})
m.deletedCerts = append(m.deletedCerts, name)
return m.deleteCertErr
}
func (m *mockF5Client) DeleteKey(ctx context.Context, partition, name string) error {
m.calls = append(m.calls, mockCall{Method: "DeleteKey", Args: []string{partition, name}})
m.deletedKeys = append(m.deletedKeys, name)
return m.deleteKeyErr
}
// hasCalled returns true if the mock received a call to the given method.
func (m *mockF5Client) hasCalled(method string) bool {
for _, c := range m.calls {
if c.Method == method {
return true
}
}
return false
}
// callCount returns the number of times a method was called.
func (m *mockF5Client) callCount(method string) int {
count := 0
for _, c := range m.calls {
if c.Method == method {
count++
}
}
return count
}
func testLogger() *slog.Logger {
return slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelError}))
}
// --- ValidateConfig tests ---
func TestValidateConfig(t *testing.T) {
t.Run("Success", func(t *testing.T) {
mock := newMockF5Client()
cfg := &Config{Host: "f5.test.com", Username: "admin", Password: "secret", SSLProfile: "myprofile"}
conn := NewWithClient(cfg, testLogger(), mock)
rawConfig, _ := json.Marshal(map[string]interface{}{
"host": "f5.test.com",
"username": "admin",
"password": "secret",
"ssl_profile": "myprofile",
})
err := conn.ValidateConfig(context.Background(), rawConfig)
if err != nil {
t.Fatalf("ValidateConfig failed: %v", err)
}
if !mock.hasCalled("Authenticate") {
t.Error("expected Authenticate to be called")
}
})
t.Run("DefaultsApplied", func(t *testing.T) {
mock := newMockF5Client()
cfg := &Config{}
conn := NewWithClient(cfg, testLogger(), mock)
rawConfig, _ := json.Marshal(map[string]interface{}{
"host": "f5.test.com",
"username": "admin",
"password": "secret",
"ssl_profile": "myprofile",
})
err := conn.ValidateConfig(context.Background(), rawConfig)
if err != nil {
t.Fatalf("ValidateConfig failed: %v", err)
}
// Check defaults were applied
if conn.config.Port != 443 {
t.Errorf("expected port 443, got %d", conn.config.Port)
}
if conn.config.Partition != "Common" {
t.Errorf("expected partition Common, got %s", conn.config.Partition)
}
if conn.config.Timeout != 30 {
t.Errorf("expected timeout 30, got %d", conn.config.Timeout)
}
})
t.Run("InvalidJSON", func(t *testing.T) {
conn := NewWithClient(&Config{}, testLogger(), newMockF5Client())
err := conn.ValidateConfig(context.Background(), json.RawMessage(`{invalid}`))
if err == nil {
t.Fatal("expected error for invalid JSON")
}
if !strings.Contains(err.Error(), "invalid F5 config") {
t.Errorf("expected 'invalid F5 config' in error, got: %v", err)
}
})
t.Run("MissingHost", func(t *testing.T) {
conn := NewWithClient(&Config{}, testLogger(), newMockF5Client())
rawConfig, _ := json.Marshal(map[string]string{
"username": "admin", "password": "secret", "ssl_profile": "prof",
})
err := conn.ValidateConfig(context.Background(), rawConfig)
if err == nil || !strings.Contains(err.Error(), "host is required") {
t.Errorf("expected 'host is required', got: %v", err)
}
})
t.Run("MissingUsername", func(t *testing.T) {
conn := NewWithClient(&Config{}, testLogger(), newMockF5Client())
rawConfig, _ := json.Marshal(map[string]string{
"host": "f5.test.com", "password": "secret", "ssl_profile": "prof",
})
err := conn.ValidateConfig(context.Background(), rawConfig)
if err == nil || !strings.Contains(err.Error(), "username is required") {
t.Errorf("expected 'username is required', got: %v", err)
}
})
t.Run("MissingPassword", func(t *testing.T) {
conn := NewWithClient(&Config{}, testLogger(), newMockF5Client())
rawConfig, _ := json.Marshal(map[string]string{
"host": "f5.test.com", "username": "admin", "ssl_profile": "prof",
})
err := conn.ValidateConfig(context.Background(), rawConfig)
if err == nil || !strings.Contains(err.Error(), "password is required") {
t.Errorf("expected 'password is required', got: %v", err)
}
})
t.Run("MissingSSLProfile", func(t *testing.T) {
conn := NewWithClient(&Config{}, testLogger(), newMockF5Client())
rawConfig, _ := json.Marshal(map[string]string{
"host": "f5.test.com", "username": "admin", "password": "secret",
})
err := conn.ValidateConfig(context.Background(), rawConfig)
if err == nil || !strings.Contains(err.Error(), "ssl_profile is required") {
t.Errorf("expected 'ssl_profile is required', got: %v", err)
}
})
t.Run("InvalidPort", func(t *testing.T) {
conn := NewWithClient(&Config{}, testLogger(), newMockF5Client())
rawConfig, _ := json.Marshal(map[string]interface{}{
"host": "f5.test.com", "username": "admin", "password": "secret",
"ssl_profile": "prof", "port": 70000,
})
err := conn.ValidateConfig(context.Background(), rawConfig)
if err == nil || !strings.Contains(err.Error(), "port must be between") {
t.Errorf("expected port range error, got: %v", err)
}
})
t.Run("AuthFailure", func(t *testing.T) {
mock := newMockF5Client()
mock.authenticateErr = fmt.Errorf("connection refused")
conn := NewWithClient(&Config{}, testLogger(), mock)
rawConfig, _ := json.Marshal(map[string]string{
"host": "f5.test.com", "username": "admin", "password": "bad",
"ssl_profile": "prof",
})
err := conn.ValidateConfig(context.Background(), rawConfig)
if err == nil || !strings.Contains(err.Error(), "authentication failed") {
t.Errorf("expected auth failure error, got: %v", err)
}
})
t.Run("InvalidPartitionChars", func(t *testing.T) {
conn := NewWithClient(&Config{}, testLogger(), newMockF5Client())
rawConfig, _ := json.Marshal(map[string]string{
"host": "f5.test.com", "username": "admin", "password": "secret",
"ssl_profile": "prof", "partition": "Common; rm -rf /",
})
err := conn.ValidateConfig(context.Background(), rawConfig)
if err == nil || !strings.Contains(err.Error(), "partition contains invalid characters") {
t.Errorf("expected partition validation error, got: %v", err)
}
})
t.Run("InvalidSSLProfileChars", func(t *testing.T) {
conn := NewWithClient(&Config{}, testLogger(), newMockF5Client())
rawConfig, _ := json.Marshal(map[string]string{
"host": "f5.test.com", "username": "admin", "password": "secret",
"ssl_profile": "prof; echo pwned",
})
err := conn.ValidateConfig(context.Background(), rawConfig)
if err == nil || !strings.Contains(err.Error(), "ssl_profile contains invalid characters") {
t.Errorf("expected ssl_profile validation error, got: %v", err)
}
})
t.Run("InvalidHostChars", func(t *testing.T) {
conn := NewWithClient(&Config{}, testLogger(), newMockF5Client())
rawConfig, _ := json.Marshal(map[string]string{
"host": "f5.test.com/../../etc/passwd", "username": "admin",
"password": "secret", "ssl_profile": "prof",
})
err := conn.ValidateConfig(context.Background(), rawConfig)
if err == nil || !strings.Contains(err.Error(), "host contains invalid characters") {
t.Errorf("expected host validation error, got: %v", err)
}
})
}
// --- DeployCertificate tests ---
const testCertPEM = `-----BEGIN CERTIFICATE-----
MIIBhTCCASugAwIBAgIRAJ1gCL7hBmSj6g0gYOr2FzMwCgYIKoZIzj0EAwIwEjEQ
MA4GA1UEChMHY2VydGN0bDAeFw0yNTAxMDEwMDAwMDBaFw0yNjAxMDEwMDAwMDBa
MBIxEDAOBgNVBAoTB2NlcnRjdGwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQr
H2kMjsgP+FZuyMjJLNfewN0EDkN0s4Lz2Y1IqFqD8DlGN3zI3lPQ7hGdQbiCklPk
1YXNmfmI6L2JKxB/d9Gxo1cwVTAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYI
KwYBBQUHAwEwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBQAAAAAAAAAAAAAAAAA
AAAAADAKBggqhkjOPQQDAgNIADBFAiEA4JIlRKL22y6c2JGwVtM60z2bGm9Lb9rq
3BSSLE8xF3UCIGSKd9bP0BBFIO20daxEP7g3/kTSSYpNMIG6yc6acdHH
-----END CERTIFICATE-----`
const testKeyPEM = `-----BEGIN EC PRIVATE KEY-----
MHQCAQEEIKj7N0fDjLaI9bGmJ/TY3PBvIxwclLOPIdOi6yWI2B5CoAcGBSuBBAAi
oWQDYgAEhLS0ynMvDJH5o0F5e6jVnXOBqRT2bHkVxQng+eqaXdY3gJoFIIxvR/q0
Vy4p3LZFQsKQfBwt3A8LLvOJY6E8bF4MNPrn0O1bQkeMjb8tSxdKfH0bARJdllD
h9oAPTR1
-----END EC PRIVATE KEY-----`
const testChainPEM = `-----BEGIN CERTIFICATE-----
MIIBYzCCAQmgAwIBAgIRAKR1G0hS1jBOQH2VtNTzpHowCgYIKoZIzj0EAwIwEjEQ
MA4GA1UEChMHY2VydGN0bDAeFw0yNTAxMDEwMDAwMDBaFw0yNjAxMDEwMDAwMDBa
MBIxEDAOBgNVBAoTB2NlcnRjdGwwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASE
tLTKcy8MkfmjQXl7qNWdc4GpFPZseRXFCeD56ppd1jeAmgUgjG9H+rRXLinctkVC
wpB8HC3cDwsu84ljoTxso0IwQDAOBgNVHQ8BAf8EBAMCAoQwDwYDVR0TAQH/BAUw
AwEB/zAdBgNVHQ4EFgQUAAAAAAAAAAAAAAAAAAAAAAAwCgYIKoZIzj0EAwIDSAAw
RQIhAJ2K5VVTBiWBrZgdxNthZ7FEqrpNL9LiuD3bWx0xCaoAAiAh9+2p4PQmNuqN
R7kSqe/p0W0VnFx1nOJz/sDyPM+2qg==
-----END CERTIFICATE-----`
func TestDeployCertificate(t *testing.T) {
t.Run("FullSuccessWithChain", func(t *testing.T) {
mock := newMockF5Client()
cfg := &Config{Host: "f5.test.com", Port: 443, Username: "admin", Password: "secret", Partition: "Common", SSLProfile: "myprofile"}
conn := NewWithClient(cfg, testLogger(), mock)
request := target.DeploymentRequest{
CertPEM: testCertPEM,
KeyPEM: testKeyPEM,
ChainPEM: testChainPEM,
}
result, err := conn.DeployCertificate(context.Background(), request)
if err != nil {
t.Fatalf("DeployCertificate failed: %v", err)
}
if !result.Success {
t.Fatalf("expected success, got: %s", result.Message)
}
// Verify call sequence
if !mock.hasCalled("Authenticate") {
t.Error("expected Authenticate call")
}
if mock.callCount("UploadFile") != 3 {
t.Errorf("expected 3 UploadFile calls (cert, key, chain), got %d", mock.callCount("UploadFile"))
}
if mock.callCount("InstallCert") != 2 { // cert + chain
t.Errorf("expected 2 InstallCert calls (cert + chain), got %d", mock.callCount("InstallCert"))
}
if mock.callCount("InstallKey") != 1 {
t.Errorf("expected 1 InstallKey call, got %d", mock.callCount("InstallKey"))
}
if !mock.hasCalled("CreateTransaction") {
t.Error("expected CreateTransaction call")
}
if !mock.hasCalled("UpdateSSLProfile") {
t.Error("expected UpdateSSLProfile call")
}
if !mock.hasCalled("CommitTransaction") {
t.Error("expected CommitTransaction call")
}
// Verify metadata
if result.Metadata["host"] != "f5.test.com" {
t.Errorf("expected host f5.test.com in metadata, got %s", result.Metadata["host"])
}
if result.Metadata["partition"] != "Common" {
t.Errorf("expected partition Common in metadata, got %s", result.Metadata["partition"])
}
if result.Metadata["ssl_profile"] != "myprofile" {
t.Errorf("expected ssl_profile myprofile in metadata, got %s", result.Metadata["ssl_profile"])
}
if result.Metadata["cert_object_name"] == "" {
t.Error("expected cert_object_name in metadata")
}
if result.Metadata["duration_ms"] == "" {
t.Error("expected duration_ms in metadata")
}
})
t.Run("SuccessWithoutChain", func(t *testing.T) {
mock := newMockF5Client()
cfg := &Config{Host: "f5.test.com", Port: 443, Username: "admin", Password: "secret", Partition: "Common", SSLProfile: "myprofile"}
conn := NewWithClient(cfg, testLogger(), mock)
request := target.DeploymentRequest{
CertPEM: testCertPEM,
KeyPEM: testKeyPEM,
}
result, err := conn.DeployCertificate(context.Background(), request)
if err != nil {
t.Fatalf("DeployCertificate failed: %v", err)
}
if !result.Success {
t.Fatalf("expected success, got: %s", result.Message)
}
// Should only upload cert + key (no chain)
if mock.callCount("UploadFile") != 2 {
t.Errorf("expected 2 UploadFile calls, got %d", mock.callCount("UploadFile"))
}
if mock.callCount("InstallCert") != 1 { // only cert, no chain
t.Errorf("expected 1 InstallCert call (cert only), got %d", mock.callCount("InstallCert"))
}
if result.Metadata["chain_object_name"] != "" {
t.Errorf("expected empty chain_object_name, got %s", result.Metadata["chain_object_name"])
}
})
t.Run("MissingKeyPEM", func(t *testing.T) {
mock := newMockF5Client()
cfg := &Config{Host: "f5.test.com", Port: 443, Username: "admin", Password: "secret", Partition: "Common", SSLProfile: "myprofile"}
conn := NewWithClient(cfg, testLogger(), mock)
request := target.DeploymentRequest{
CertPEM: testCertPEM,
}
result, err := conn.DeployCertificate(context.Background(), request)
if err == nil {
t.Fatal("expected error for missing KeyPEM")
}
if result.Success {
t.Error("expected Success=false")
}
if !strings.Contains(err.Error(), "KeyPEM") {
t.Errorf("expected KeyPEM in error, got: %v", err)
}
})
t.Run("AuthFailure", func(t *testing.T) {
mock := newMockF5Client()
mock.authenticateErr = fmt.Errorf("connection refused")
cfg := &Config{Host: "f5.test.com", Port: 443, Username: "admin", Password: "bad", Partition: "Common", SSLProfile: "myprofile"}
conn := NewWithClient(cfg, testLogger(), mock)
request := target.DeploymentRequest{CertPEM: testCertPEM, KeyPEM: testKeyPEM}
result, err := conn.DeployCertificate(context.Background(), request)
if err == nil {
t.Fatal("expected error for auth failure")
}
if result.Success {
t.Error("expected Success=false")
}
if !strings.Contains(err.Error(), "authentication failed") {
t.Errorf("expected auth failure in error, got: %v", err)
}
})
t.Run("CertUploadFailure", func(t *testing.T) {
mock := newMockF5Client()
mock.uploadFileErr = fmt.Errorf("upload timeout")
mock.uploadFileErrOn = "cert"
cfg := &Config{Host: "f5.test.com", Port: 443, Username: "admin", Password: "secret", Partition: "Common", SSLProfile: "myprofile"}
conn := NewWithClient(cfg, testLogger(), mock)
request := target.DeploymentRequest{CertPEM: testCertPEM, KeyPEM: testKeyPEM}
_, err := conn.DeployCertificate(context.Background(), request)
if err == nil {
t.Fatal("expected error for cert upload failure")
}
// No cleanup needed — nothing installed yet
if len(mock.deletedCerts) > 0 || len(mock.deletedKeys) > 0 {
t.Error("expected no cleanup calls when upload fails before install")
}
})
t.Run("CertInstallFailure", func(t *testing.T) {
mock := newMockF5Client()
mock.installCertErr = fmt.Errorf("install failed")
// Don't set installCertErrOn — all InstallCert calls will fail
cfg := &Config{Host: "f5.test.com", Port: 443, Username: "admin", Password: "secret", Partition: "Common", SSLProfile: "myprofile"}
conn := NewWithClient(cfg, testLogger(), mock)
request := target.DeploymentRequest{CertPEM: testCertPEM, KeyPEM: testKeyPEM}
_, err := conn.DeployCertificate(context.Background(), request)
if err == nil {
t.Fatal("expected error for cert install failure")
}
if !strings.Contains(err.Error(), "cert crypto object") {
t.Errorf("expected cert install error, got: %v", err)
}
// No cleanup — cert install failed so nothing to clean up
// (the cert object wasn't successfully installed)
})
t.Run("KeyInstallFailure_CleansCert", func(t *testing.T) {
mock := newMockF5Client()
mock.installKeyErr = fmt.Errorf("key install failed")
cfg := &Config{Host: "f5.test.com", Port: 443, Username: "admin", Password: "secret", Partition: "Common", SSLProfile: "myprofile"}
conn := NewWithClient(cfg, testLogger(), mock)
request := target.DeploymentRequest{CertPEM: testCertPEM, KeyPEM: testKeyPEM}
_, err := conn.DeployCertificate(context.Background(), request)
if err == nil {
t.Fatal("expected error for key install failure")
}
// Should have cleaned up the cert that was installed
if len(mock.deletedCerts) != 1 {
t.Errorf("expected 1 cert cleanup, got %d", len(mock.deletedCerts))
}
})
t.Run("TransactionCreateFailure_CleansObjects", func(t *testing.T) {
mock := newMockF5Client()
mock.createTransactionErr = fmt.Errorf("transaction service unavailable")
cfg := &Config{Host: "f5.test.com", Port: 443, Username: "admin", Password: "secret", Partition: "Common", SSLProfile: "myprofile"}
conn := NewWithClient(cfg, testLogger(), mock)
request := target.DeploymentRequest{CertPEM: testCertPEM, KeyPEM: testKeyPEM}
_, err := conn.DeployCertificate(context.Background(), request)
if err == nil {
t.Fatal("expected error for transaction create failure")
}
// Should clean up cert + key
if len(mock.deletedCerts) != 1 {
t.Errorf("expected 1 cert cleanup, got %d", len(mock.deletedCerts))
}
if len(mock.deletedKeys) != 1 {
t.Errorf("expected 1 key cleanup, got %d", len(mock.deletedKeys))
}
})
t.Run("ProfileUpdateFailure_CleansObjects", func(t *testing.T) {
mock := newMockF5Client()
mock.updateSSLProfileErr = fmt.Errorf("profile not found")
cfg := &Config{Host: "f5.test.com", Port: 443, Username: "admin", Password: "secret", Partition: "Common", SSLProfile: "nonexistent"}
conn := NewWithClient(cfg, testLogger(), mock)
request := target.DeploymentRequest{CertPEM: testCertPEM, KeyPEM: testKeyPEM, ChainPEM: testChainPEM}
_, err := conn.DeployCertificate(context.Background(), request)
if err == nil {
t.Fatal("expected error for profile update failure")
}
// Should clean up cert + chain + key
if len(mock.deletedCerts) != 2 { // cert + chain
t.Errorf("expected 2 cert cleanups (cert + chain), got %d", len(mock.deletedCerts))
}
if len(mock.deletedKeys) != 1 {
t.Errorf("expected 1 key cleanup, got %d", len(mock.deletedKeys))
}
})
t.Run("CommitFailure_CleansObjects", func(t *testing.T) {
mock := newMockF5Client()
mock.commitTransactionErr = fmt.Errorf("transaction validation failed")
cfg := &Config{Host: "f5.test.com", Port: 443, Username: "admin", Password: "secret", Partition: "Common", SSLProfile: "myprofile"}
conn := NewWithClient(cfg, testLogger(), mock)
request := target.DeploymentRequest{CertPEM: testCertPEM, KeyPEM: testKeyPEM}
_, err := conn.DeployCertificate(context.Background(), request)
if err == nil {
t.Fatal("expected error for commit failure")
}
if !strings.Contains(err.Error(), "commit") {
t.Errorf("expected commit error, got: %v", err)
}
// Should clean up installed objects
if len(mock.deletedCerts) < 1 {
t.Error("expected cert cleanup on commit failure")
}
if len(mock.deletedKeys) < 1 {
t.Error("expected key cleanup on commit failure")
}
})
t.Run("MetadataVerification", func(t *testing.T) {
mock := newMockF5Client()
cfg := &Config{Host: "bigip.prod.internal", Port: 8443, Username: "admin", Password: "secret", Partition: "Production", SSLProfile: "api-ssl"}
conn := NewWithClient(cfg, testLogger(), mock)
request := target.DeploymentRequest{CertPEM: testCertPEM, KeyPEM: testKeyPEM}
result, err := conn.DeployCertificate(context.Background(), request)
if err != nil {
t.Fatalf("DeployCertificate failed: %v", err)
}
if result.Metadata["host"] != "bigip.prod.internal" {
t.Errorf("expected host bigip.prod.internal, got %s", result.Metadata["host"])
}
if result.Metadata["partition"] != "Production" {
t.Errorf("expected partition Production, got %s", result.Metadata["partition"])
}
if result.Metadata["ssl_profile"] != "api-ssl" {
t.Errorf("expected ssl_profile api-ssl, got %s", result.Metadata["ssl_profile"])
}
if !strings.HasPrefix(result.Metadata["cert_object_name"], "certctl-cert-") {
t.Errorf("expected cert_object_name to start with certctl-cert-, got %s", result.Metadata["cert_object_name"])
}
if result.TargetAddress != "bigip.prod.internal:8443" {
t.Errorf("expected target address bigip.prod.internal:8443, got %s", result.TargetAddress)
}
})
}
// --- ValidateDeployment tests ---
func TestValidateDeployment(t *testing.T) {
t.Run("Success", func(t *testing.T) {
mock := newMockF5Client()
mock.getSSLProfileResult = &SSLProfileInfo{
Name: "myprofile",
Cert: "/Common/certctl-cert-1234567890",
Key: "/Common/certctl-key-1234567890",
Chain: "/Common/certctl-chain-1234567890",
}
cfg := &Config{Host: "f5.test.com", Port: 443, Username: "admin", Password: "secret", Partition: "Common", SSLProfile: "myprofile"}
conn := NewWithClient(cfg, testLogger(), mock)
request := target.ValidationRequest{
CertificateID: "mc-test-cert",
Serial: "abc123",
}
result, err := conn.ValidateDeployment(context.Background(), request)
if err != nil {
t.Fatalf("ValidateDeployment failed: %v", err)
}
if !result.Valid {
t.Fatalf("expected valid, got: %s", result.Message)
}
if result.Metadata["current_cert"] != "/Common/certctl-cert-1234567890" {
t.Errorf("expected cert in metadata, got %s", result.Metadata["current_cert"])
}
})
t.Run("ProfileNotFound", func(t *testing.T) {
mock := newMockF5Client()
mock.getSSLProfileErr = fmt.Errorf("object not found (404)")
cfg := &Config{Host: "f5.test.com", Port: 443, Username: "admin", Password: "secret", Partition: "Common", SSLProfile: "nonexistent"}
conn := NewWithClient(cfg, testLogger(), mock)
request := target.ValidationRequest{CertificateID: "mc-test", Serial: "abc"}
result, err := conn.ValidateDeployment(context.Background(), request)
if err == nil {
t.Fatal("expected error for profile not found")
}
if result.Valid {
t.Error("expected Valid=false")
}
})
t.Run("AuthFailure", func(t *testing.T) {
mock := newMockF5Client()
mock.authenticateErr = fmt.Errorf("auth failed")
cfg := &Config{Host: "f5.test.com", Port: 443, Username: "admin", Password: "bad", Partition: "Common", SSLProfile: "myprofile"}
conn := NewWithClient(cfg, testLogger(), mock)
request := target.ValidationRequest{CertificateID: "mc-test", Serial: "abc"}
_, err := conn.ValidateDeployment(context.Background(), request)
if err == nil {
t.Fatal("expected error for auth failure")
}
if !strings.Contains(err.Error(), "authentication failed") {
t.Errorf("expected auth failure error, got: %v", err)
}
})
t.Run("UnexpectedCert_StillValid", func(t *testing.T) {
mock := newMockF5Client()
mock.getSSLProfileResult = &SSLProfileInfo{
Name: "myprofile",
Cert: "/Common/some-other-cert",
Key: "/Common/some-other-key",
}
cfg := &Config{Host: "f5.test.com", Port: 443, Username: "admin", Password: "secret", Partition: "Common", SSLProfile: "myprofile"}
conn := NewWithClient(cfg, testLogger(), mock)
request := target.ValidationRequest{CertificateID: "mc-test", Serial: "abc"}
result, err := conn.ValidateDeployment(context.Background(), request)
if err != nil {
t.Fatalf("ValidateDeployment failed: %v", err)
}
// We report what's there — it's valid (profile exists with a cert)
if !result.Valid {
t.Error("expected Valid=true (profile has a cert)")
}
if result.Metadata["current_cert"] != "/Common/some-other-cert" {
t.Errorf("expected current cert reported, got %s", result.Metadata["current_cert"])
}
})
t.Run("EmptyCertField", func(t *testing.T) {
mock := newMockF5Client()
mock.getSSLProfileResult = &SSLProfileInfo{
Name: "myprofile",
Cert: "",
Key: "",
}
cfg := &Config{Host: "f5.test.com", Port: 443, Username: "admin", Password: "secret", Partition: "Common", SSLProfile: "myprofile"}
conn := NewWithClient(cfg, testLogger(), mock)
request := target.ValidationRequest{CertificateID: "mc-test", Serial: "abc"}
result, err := conn.ValidateDeployment(context.Background(), request)
if err == nil {
t.Fatal("expected error for empty cert field")
}
if result.Valid {
t.Error("expected Valid=false")
}
if !strings.Contains(err.Error(), "no certificate configured") {
t.Errorf("expected 'no certificate configured' error, got: %v", err)
}
})
}
// --- Helper tests ---
func TestObjectName(t *testing.T) {
name1 := objectName("cert")
name2 := objectName("cert")
if !strings.HasPrefix(name1, "certctl-cert-") {
t.Errorf("expected prefix certctl-cert-, got %s", name1)
}
// Nanosecond timestamps should produce different names
if name1 == name2 {
t.Error("expected unique names from nanosecond timestamps")
}
}
func TestPartitionPath(t *testing.T) {
path := partitionPath("Common", "certctl-cert-123")
if path != "/Common/certctl-cert-123" {
t.Errorf("expected /Common/certctl-cert-123, got %s", path)
}
path = partitionPath("Production", "my-cert")
if path != "/Production/my-cert" {
t.Errorf("expected /Production/my-cert, got %s", path)
}
}
func TestCleanup_MixedResults(t *testing.T) {
mock := newMockF5Client()
mock.deleteCertErr = fmt.Errorf("cert in use") // cert delete fails
// key delete succeeds (nil error)
cfg := &Config{Host: "f5.test.com", Port: 443, Partition: "Common"}
conn := NewWithClient(cfg, testLogger(), mock)
// Should not panic and should attempt all deletions
conn.cleanupCryptoObjects(context.Background(), "Common",
[]string{"cert1", "cert2"},
[]string{"key1"},
)
// Both cert deletes attempted despite errors
if len(mock.deletedCerts) != 2 {
t.Errorf("expected 2 cert delete attempts, got %d", len(mock.deletedCerts))
}
if len(mock.deletedKeys) != 1 {
t.Errorf("expected 1 key delete attempt, got %d", len(mock.deletedKeys))
}
}
func TestCleanup_EmptyNames(t *testing.T) {
mock := newMockF5Client()
cfg := &Config{Host: "f5.test.com", Port: 443, Partition: "Common"}
conn := NewWithClient(cfg, testLogger(), mock)
// Empty names should be skipped
conn.cleanupCryptoObjects(context.Background(), "Common",
[]string{"", "cert1", ""},
[]string{"", ""},
)
if len(mock.deletedCerts) != 1 {
t.Errorf("expected 1 cert delete (skipping empties), got %d", len(mock.deletedCerts))
}
if len(mock.deletedKeys) != 0 {
t.Errorf("expected 0 key deletes (all empty), got %d", len(mock.deletedKeys))
}
}
func TestNew_NilConfig(t *testing.T) {
_, err := New(nil, testLogger())
if err == nil {
t.Fatal("expected error for nil config")
}
if !strings.Contains(err.Error(), "config is required") {
t.Errorf("expected 'config is required' error, got: %v", err)
}
}