gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-10 23:39:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(V2.2): bulk revocation — filter-based fleet-wide certificate revocation

Browse Source 
Add POST /api/v1/certificates/bulk-revoke with filter criteria (profile_id,
owner_id, agent_id, issuer_id, team_id, certificate_ids), partial-failure
tolerance, and audit trail. Includes MCP tool, CLI command (certs bulk-revoke),
server-side bulk modal in GUI replacing client-side sequential loop, OpenAPI
spec, compliance mapping updates, and 21 new tests (12 service, 7 handler,
1 CLI, 1 frontend).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Shankar
2026-04-16 00:06:34 -04:00
parent cdb448dfe5
commit 4e3927e8b4
25 changed files with 1264 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/service/bulk_revocation.go
+182
View File
@@ -0,0 +1,182 @@
package service
import (
"context"
"fmt"
"log/slog"
"strings"
"github.com/shankar0123/certctl/internal/domain"
"github.com/shankar0123/certctl/internal/repository"
)
// BulkRevocationService coordinates bulk certificate revocation operations.
// It builds on the single-cert RevokeCertificateWithActor flow — no duplicate logic.
type BulkRevocationService struct {
revSvc *RevocationSvc
certRepo repository.CertificateRepository
auditService *AuditService
logger *slog.Logger
}
// NewBulkRevocationService creates a new BulkRevocationService.
func NewBulkRevocationService(
revSvc *RevocationSvc,
certRepo repository.CertificateRepository,
auditService *AuditService,
logger *slog.Logger,
) *BulkRevocationService {
return &BulkRevocationService{
revSvc: revSvc,
certRepo: certRepo,
auditService: auditService,
logger: logger,
}
}
// BulkRevoke revokes all certificates matching the given criteria.
// It reuses RevokeCertificateWithActor for each cert — partial failures don't abort the batch.
func (s *BulkRevocationService) BulkRevoke(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error) {
// Validate inputs
if criteria.IsEmpty() {
return nil, fmt.Errorf("at least one filter criterion is required")
}
if reason == "" {
return nil, fmt.Errorf("revocation reason is required")
}
if !domain.IsValidRevocationReason(reason) {
return nil, fmt.Errorf("invalid revocation reason: %s", reason)
}
// Resolve matching certificates
certs, err := s.resolveCertificates(ctx, criteria)
if err != nil {
return nil, fmt.Errorf("failed to resolve certificates: %w", err)
}
result := &domain.BulkRevocationResult{
TotalMatched: len(certs),
}
// Revoke each certificate, continuing on individual failures
for _, cert := range certs {
// Skip already-revoked or archived certs
if cert.Status == domain.CertificateStatusRevoked {
result.TotalSkipped++
continue
}
if cert.Status == domain.CertificateStatusArchived {
result.TotalSkipped++
continue
}
err := s.revSvc.RevokeCertificateWithActor(ctx, cert.ID, reason, actor)
if err != nil {
result.TotalFailed++
result.Errors = append(result.Errors, domain.BulkRevocationError{
CertificateID: cert.ID,
Error: err.Error(),
})
s.logger.Warn("bulk revocation: individual cert failed",
"certificate_id", cert.ID,
"error", err)
} else {
result.TotalRevoked++
}
}
// Record audit event for the bulk operation
criteriaDetails := s.buildAuditDetails(criteria)
criteriaDetails["reason"] = reason
criteriaDetails["total_matched"] = result.TotalMatched
criteriaDetails["total_revoked"] = result.TotalRevoked
criteriaDetails["total_skipped"] = result.TotalSkipped
criteriaDetails["total_failed"] = result.TotalFailed
if err := s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser,
"bulk_revocation_initiated", "certificate", "bulk",
criteriaDetails); err != nil {
s.logger.Error("failed to record bulk revocation audit event", "error", err)
}
return result, nil
}
// resolveCertificates fetches the set of certificates matching the bulk revocation criteria.
// When CertificateIDs are provided, it fetches each cert by ID individually.
// When filter criteria (profile, owner, etc.) are provided, it uses the repository List method.
// When both are provided, it intersects: only IDs that also match the filter criteria.
func (s *BulkRevocationService) resolveCertificates(ctx context.Context, criteria domain.BulkRevocationCriteria) ([]*domain.ManagedCertificate, error) {
hasFilterCriteria := criteria.ProfileID != "" || criteria.OwnerID != "" ||
criteria.AgentID != "" || criteria.IssuerID != "" || criteria.TeamID != ""
hasExplicitIDs := len(criteria.CertificateIDs) > 0
if hasExplicitIDs && !hasFilterCriteria {
// Only explicit IDs — fetch each cert by ID
var certs []*domain.ManagedCertificate
for _, id := range criteria.CertificateIDs {
cert, err := s.certRepo.Get(ctx, id)
if err != nil {
// Skip not-found certs — they'll count as "matched" but skipped
continue
}
certs = append(certs, cert)
}
return certs, nil
}
// Use filter-based query
filter := &repository.CertificateFilter{
OwnerID: criteria.OwnerID,
TeamID: criteria.TeamID,
IssuerID: criteria.IssuerID,
AgentID: criteria.AgentID,
ProfileID: criteria.ProfileID,
PerPage: 10000, // High limit to get all matching certs in one query
}
certs, _, err := s.certRepo.List(ctx, filter)
if err != nil {
return nil, err
}
// If explicit IDs also provided, intersect
if hasExplicitIDs {
idSet := make(map[string]bool, len(criteria.CertificateIDs))
for _, id := range criteria.CertificateIDs {
idSet[id] = true
}
var filtered []*domain.ManagedCertificate
for _, cert := range certs {
if idSet[cert.ID] {
filtered = append(filtered, cert)
}
}
return filtered, nil
}
return certs, nil
}
// buildAuditDetails constructs a map of criteria fields for the audit event.
func (s *BulkRevocationService) buildAuditDetails(criteria domain.BulkRevocationCriteria) map[string]interface{} {
details := map[string]interface{}{}
if criteria.ProfileID != "" {
details["profile_id"] = criteria.ProfileID
}
if criteria.OwnerID != "" {
details["owner_id"] = criteria.OwnerID
}
if criteria.AgentID != "" {
details["agent_id"] = criteria.AgentID
}
if criteria.IssuerID != "" {
details["issuer_id"] = criteria.IssuerID
}
if criteria.TeamID != "" {
details["team_id"] = criteria.TeamID
}
if len(criteria.CertificateIDs) > 0 {
details["certificate_ids"] = strings.Join(criteria.CertificateIDs, ",")
}
return details
}
internal/service/bulk_revocation_test.go
+379
View File
@@ -0,0 +1,379 @@
package service
import (
"context"
"errors"
"log/slog"
"strings"
"testing"
"time"
"github.com/shankar0123/certctl/internal/domain"
)
// helper to create a test BulkRevocationService wired for bulk revocation tests
func newBulkRevocationTestService() (*BulkRevocationService, *mockCertRepo, *mockRevocationRepo, *mockAuditRepo) {
certRepo := newMockCertificateRepository()
auditRepo := newMockAuditRepository()
revocationRepo := newMockRevocationRepository()
auditService := NewAuditService(auditRepo)
// Create RevocationSvc (underlying single-cert revocation)
revSvc := NewRevocationSvc(certRepo, revocationRepo, auditService)
registry := NewIssuerRegistry(slog.Default())
registry.Set("iss-local", &mockIssuerConnector{})
revSvc.SetIssuerRegistry(registry)
bulkSvc := NewBulkRevocationService(revSvc, certRepo, auditService, slog.Default())
return bulkSvc, certRepo, revocationRepo, auditRepo
}
func addTestCert(repo *mockCertRepo, id, status, issuerID string) {
cert := &domain.ManagedCertificate{
ID: id,
CommonName: id + ".example.com",
Status: domain.CertificateStatus(status),
IssuerID: issuerID,
ExpiresAt: time.Now().AddDate(0, 6, 0),
}
repo.AddCert(cert)
// Add a version with serial number (needed by RevokeCertificateWithActor)
repo.Versions[id] = []*domain.CertificateVersion{
{
ID: "ver-" + id,
CertificateID: id,
SerialNumber: "serial-" + id,
NotBefore: time.Now(),
NotAfter: time.Now().AddDate(1, 0, 0),
CreatedAt: time.Now(),
},
}
}
func addTestCertWithProfile(repo *mockCertRepo, id, status, issuerID, profileID, ownerID string) {
cert := &domain.ManagedCertificate{
ID: id,
CommonName: id + ".example.com",
Status: domain.CertificateStatus(status),
IssuerID: issuerID,
CertificateProfileID: profileID,
OwnerID: ownerID,
ExpiresAt: time.Now().AddDate(0, 6, 0),
}
repo.AddCert(cert)
repo.Versions[id] = []*domain.CertificateVersion{
{
ID: "ver-" + id,
CertificateID: id,
SerialNumber: "serial-" + id,
NotBefore: time.Now(),
NotAfter: time.Now().AddDate(1, 0, 0),
CreatedAt: time.Now(),
},
}
}
func TestBulkRevoke_ByExplicitIDs(t *testing.T) {
svc, certRepo, _, _ := newBulkRevocationTestService()
addTestCert(certRepo, "mc-1", "Active", "iss-local")
addTestCert(certRepo, "mc-2", "Active", "iss-local")
addTestCert(certRepo, "mc-3", "Active", "iss-local")
criteria := domain.BulkRevocationCriteria{
CertificateIDs: []string{"mc-1", "mc-2", "mc-3"},
}
result, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
if err != nil {
t.Fatalf("expected no error, got: %v", err)
}
if result.TotalMatched != 3 {
t.Errorf("expected TotalMatched=3, got %d", result.TotalMatched)
}
if result.TotalRevoked != 3 {
t.Errorf("expected TotalRevoked=3, got %d", result.TotalRevoked)
}
if result.TotalSkipped != 0 {
t.Errorf("expected TotalSkipped=0, got %d", result.TotalSkipped)
}
if result.TotalFailed != 0 {
t.Errorf("expected TotalFailed=0, got %d", result.TotalFailed)
}
// Verify certs are revoked
for _, id := range []string{"mc-1", "mc-2", "mc-3"} {
cert, _ := certRepo.Get(context.Background(), id)
if cert.Status != domain.CertificateStatusRevoked {
t.Errorf("expected cert %s to be Revoked, got %s", id, cert.Status)
}
}
}
func TestBulkRevoke_ByProfile(t *testing.T) {
svc, certRepo, _, _ := newBulkRevocationTestService()
// The mock List returns all certs regardless of filter (mock limitation).
// We test the code path — real repo would filter by profile.
addTestCert(certRepo, "mc-1", "Active", "iss-local")
addTestCert(certRepo, "mc-2", "Active", "iss-local")
criteria := domain.BulkRevocationCriteria{
ProfileID: "prof-tls",
}
result, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
if err != nil {
t.Fatalf("expected no error, got: %v", err)
}
if result.TotalMatched != 2 {
t.Errorf("expected TotalMatched=2, got %d", result.TotalMatched)
}
if result.TotalRevoked != 2 {
t.Errorf("expected TotalRevoked=2, got %d", result.TotalRevoked)
}
}
func TestBulkRevoke_ByOwner(t *testing.T) {
svc, certRepo, _, _ := newBulkRevocationTestService()
addTestCertWithProfile(certRepo, "mc-1", "Active", "iss-local", "", "o-alice")
addTestCertWithProfile(certRepo, "mc-2", "Active", "iss-local", "", "o-alice")
criteria := domain.BulkRevocationCriteria{
OwnerID: "o-alice",
}
result, err := svc.BulkRevoke(context.Background(), criteria, "cessationOfOperation", "admin")
if err != nil {
t.Fatalf("expected no error, got: %v", err)
}
if result.TotalRevoked != 2 {
t.Errorf("expected TotalRevoked=2, got %d", result.TotalRevoked)
}
}
func TestBulkRevoke_MultipleCriteria(t *testing.T) {
svc, certRepo, _, _ := newBulkRevocationTestService()
addTestCertWithProfile(certRepo, "mc-1", "Active", "iss-local", "prof-tls", "o-alice")
addTestCertWithProfile(certRepo, "mc-2", "Active", "iss-local", "prof-tls", "o-bob")
criteria := domain.BulkRevocationCriteria{
ProfileID: "prof-tls",
CertificateIDs: []string{"mc-1"}, // Intersect: only mc-1 from the filter results
}
result, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
if err != nil {
t.Fatalf("expected no error, got: %v", err)
}
// Both certs match the filter, but intersection with IDs gives 1
if result.TotalMatched != 1 {
t.Errorf("expected TotalMatched=1, got %d", result.TotalMatched)
}
if result.TotalRevoked != 1 {
t.Errorf("expected TotalRevoked=1, got %d", result.TotalRevoked)
}
// mc-1 should be revoked, mc-2 should not
cert1, _ := certRepo.Get(context.Background(), "mc-1")
if cert1.Status != domain.CertificateStatusRevoked {
t.Errorf("expected mc-1 to be Revoked, got %s", cert1.Status)
}
cert2, _ := certRepo.Get(context.Background(), "mc-2")
if cert2.Status == domain.CertificateStatusRevoked {
t.Error("expected mc-2 to NOT be revoked")
}
}
func TestBulkRevoke_EmptyCriteria_Error(t *testing.T) {
svc, _, _, _ := newBulkRevocationTestService()
criteria := domain.BulkRevocationCriteria{}
_, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
if err == nil {
t.Fatal("expected error for empty criteria")
}
if !strings.Contains(err.Error(), "at least one filter criterion") {
t.Errorf("expected 'at least one filter criterion' error, got: %v", err)
}
}
func TestBulkRevoke_InvalidReason_Error(t *testing.T) {
svc, _, _, _ := newBulkRevocationTestService()
criteria := domain.BulkRevocationCriteria{
CertificateIDs: []string{"mc-1"},
}
_, err := svc.BulkRevoke(context.Background(), criteria, "totallyBogus", "admin")
if err == nil {
t.Fatal("expected error for invalid reason")
}
if !strings.Contains(err.Error(), "invalid revocation reason") {
t.Errorf("expected 'invalid revocation reason' error, got: %v", err)
}
}
func TestBulkRevoke_EmptyReason_Error(t *testing.T) {
svc, _, _, _ := newBulkRevocationTestService()
criteria := domain.BulkRevocationCriteria{
CertificateIDs: []string{"mc-1"},
}
_, err := svc.BulkRevoke(context.Background(), criteria, "", "admin")
if err == nil {
t.Fatal("expected error for empty reason")
}
if !strings.Contains(err.Error(), "revocation reason is required") {
t.Errorf("expected 'revocation reason is required' error, got: %v", err)
}
}
func TestBulkRevoke_SkipsRevokedAndArchived(t *testing.T) {
svc, certRepo, _, _ := newBulkRevocationTestService()
addTestCert(certRepo, "mc-active", "Active", "iss-local")
addTestCert(certRepo, "mc-revoked", "Revoked", "iss-local")
addTestCert(certRepo, "mc-archived", "Archived", "iss-local")
criteria := domain.BulkRevocationCriteria{
CertificateIDs: []string{"mc-active", "mc-revoked", "mc-archived"},
}
result, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
if err != nil {
t.Fatalf("expected no error, got: %v", err)
}
if result.TotalMatched != 3 {
t.Errorf("expected TotalMatched=3, got %d", result.TotalMatched)
}
if result.TotalRevoked != 1 {
t.Errorf("expected TotalRevoked=1, got %d", result.TotalRevoked)
}
if result.TotalSkipped != 2 {
t.Errorf("expected TotalSkipped=2, got %d", result.TotalSkipped)
}
}
func TestBulkRevoke_PartialFailure(t *testing.T) {
svc, certRepo, _, _ := newBulkRevocationTestService()
// mc-1 is active with version — will succeed
addTestCert(certRepo, "mc-1", "Active", "iss-local")
// mc-2 is active but has NO version — RevokeCertificateWithActor will fail on GetLatestVersion
cert2 := &domain.ManagedCertificate{
ID: "mc-2",
CommonName: "mc-2.example.com",
Status: domain.CertificateStatusActive,
IssuerID: "iss-local",
ExpiresAt: time.Now().AddDate(0, 6, 0),
}
certRepo.AddCert(cert2)
// Don't add versions for mc-2 so GetLatestVersion returns errNotFound
criteria := domain.BulkRevocationCriteria{
CertificateIDs: []string{"mc-1", "mc-2"},
}
result, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
if err != nil {
t.Fatalf("expected no error (partial failure is ok), got: %v", err)
}
if result.TotalMatched != 2 {
t.Errorf("expected TotalMatched=2, got %d", result.TotalMatched)
}
if result.TotalRevoked != 1 {
t.Errorf("expected TotalRevoked=1, got %d", result.TotalRevoked)
}
if result.TotalFailed != 1 {
t.Errorf("expected TotalFailed=1, got %d", result.TotalFailed)
}
if len(result.Errors) != 1 {
t.Fatalf("expected 1 error entry, got %d", len(result.Errors))
}
if result.Errors[0].CertificateID != "mc-2" {
t.Errorf("expected error for mc-2, got %s", result.Errors[0].CertificateID)
}
}
func TestBulkRevoke_AuditEvent(t *testing.T) {
svc, certRepo, _, auditRepo := newBulkRevocationTestService()
addTestCert(certRepo, "mc-1", "Active", "iss-local")
criteria := domain.BulkRevocationCriteria{
CertificateIDs: []string{"mc-1"},
}
_, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
if err != nil {
t.Fatalf("expected no error, got: %v", err)
}
// Find the bulk_revocation_initiated audit event
var found bool
for _, event := range auditRepo.Events {
if event.Action == "bulk_revocation_initiated" {
found = true
if event.Actor != "admin" {
t.Errorf("expected actor 'admin', got '%s'", event.Actor)
}
if event.ResourceType != "certificate" {
t.Errorf("expected resource type 'certificate', got '%s'", event.ResourceType)
}
break
}
}
if !found {
t.Error("expected bulk_revocation_initiated audit event")
}
}
func TestBulkRevoke_NoMatches(t *testing.T) {
svc, _, _, _ := newBulkRevocationTestService()
// IDs that don't exist in the repo
criteria := domain.BulkRevocationCriteria{
CertificateIDs: []string{"mc-nonexistent-1", "mc-nonexistent-2"},
}
result, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
if err != nil {
t.Fatalf("expected no error, got: %v", err)
}
if result.TotalMatched != 0 {
t.Errorf("expected TotalMatched=0, got %d", result.TotalMatched)
}
if result.TotalRevoked != 0 {
t.Errorf("expected TotalRevoked=0, got %d", result.TotalRevoked)
}
}
func TestBulkRevoke_ListError(t *testing.T) {
svc, certRepo, _, _ := newBulkRevocationTestService()
certRepo.ListErr = errors.New("database connection failed")
criteria := domain.BulkRevocationCriteria{
ProfileID: "prof-tls",
}
_, err := svc.BulkRevoke(context.Background(), criteria, "keyCompromise", "admin")
if err == nil {
t.Fatal("expected error from list failure")
}
if !strings.Contains(err.Error(), "failed to resolve certificates") {
t.Errorf("expected 'failed to resolve certificates' error, got: %v", err)
}
}