gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 16:01:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

v2.0.47: HTTPS Everywhere — TLS-only control plane, agents/CLI/MCP

Browse Source 
Breaking change release. Plaintext HTTP listener removed. The certctl
control plane now terminates TLS 1.3 on :8443 via
http.Server.ListenAndServeTLS. No CERTCTL_TLS_ENABLED=false escape
hatch. No dual-listener mode. One-step cutover per docs/upgrade-to-tls.md.

Server
- cmd/server/tls.go: certHolder with SIGHUP hot-reload + atomic cert
  swap, buildServerTLSConfig (TLS 1.3 min, GetCertificate callback),
  preflightServerTLS validation
- cmd/server/main.go: ListenAndServeTLS in place of ListenAndServe,
  watchSIGHUP wiring, cert/key path config threading
- tls_test.go: 418-line regression coverage of reload, preflight,
  callback behavior, SAN validation

Config
- CERTCTL_TLS_CERT_PATH / CERTCTL_TLS_KEY_PATH (required)
- Plaintext rejection: agents/CLI/MCP pre-flight-fail on http://
  URLs with a pointer to docs/upgrade-to-tls.md

Agents, CLI, MCP
- All three pre-flight-reject http:// URLs with fail-loud diagnostic
- CERTCTL_SERVER_CA_BUNDLE_PATH for private-CA trust
- CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY for dev-only bypass
  (loud warning on startup)
- install-agent.sh emits both vars as commented template lines

docker-compose
- certctl-tls-init sidecar generates SAN-valid self-signed cert into
  deploy/test/certs/ on first boot
- All demo-stack curls pin against ca.crt with --cacert

Helm chart
- Three TLS provisioning modes, exactly one required:
  - server.tls.existingSecret (operator-supplied)
  - server.tls.certManager.enabled (cert-manager integration)
  - server.tls.selfSigned.enabled (eval only — not for production)
- server-certificate.yaml template for cert-manager mode
- helm install without a TLS source fails at template render with
  a pointer to docs/tls.md

CI
- .github/workflows/ci.yml Helm Chart Validation step renders the
  chart in both existingSecret and cert-manager modes, plus an
  inverse guard-regression test that asserts helm template MUST
  refuse to render when no TLS source is configured. Previously
  the single `helm template` invocation hit the certctl.tls.required
  fail-loud guard and exit-1'd CI. Four invocations now: lint
  (existingSecret), template (existingSecret), template
  (cert-manager), template (no args — must fail).

Integration tests
- deploy/test/integration_test.go stands up the Compose stack over
  HTTPS, extracts the CA bundle, and exercises every certctl API
  over https://localhost:8443
- All 34 integration subtests green (per Phase 8 local CI-parity)

Documentation
- New: docs/tls.md (provisioning patterns, rotation, SIGHUP reload)
- New: docs/upgrade-to-tls.md (one-step cutover, no-downgrade
  warnings, fleet-roll sequencing)
- CHANGELOG.md: v2.2.0 "HTTPS Everywhere — The Irony" entry
  (file heading unchanged; release tag is v2.0.47)
- All curls in docs/, examples/, deploy/helm/ guides use
  https://localhost:8443 --cacert

Verification
- grep -rn "ListenAndServe[^T]" cmd/ internal/ → 0 hits
- grep -rn "\"http://" cmd/ internal/ → 2 benign hits (Caddy admin
  API default, SSRF doc comment) — zero certctl endpoints
- Tasks #197–#206 (Phases 0–8) all closed in the tracker

Files: 65 changed, 3489 insertions, 372 deletions (pre-CI-fix).
This commit is contained in:
shankar0123
2026-04-20 03:31:05 +00:00
parent 04c7eca615
commit 52248be717
66 changed files with 3518 additions and 375 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/cli/agent_retire_test.go
+6 -6
View File
@@ -46,7 +46,7 @@ func TestClient_RetireAgent_Success(t *testing.T) {
}))
defer server.Close()
client := NewClient(server.URL, "", "table")
client, _ := NewClient(server.URL, "", "table", "", false)
// Positional arg: the agent ID. No --force, no --reason — the default
// soft-retire path. Compile-fail until client.RetireAgent exists.
if err := client.RetireAgent([]string{"ag-1"}); err != nil {
@@ -101,7 +101,7 @@ func TestClient_RetireAgent_Force_WithReason_Success(t *testing.T) {
}))
defer server.Close()
client := NewClient(server.URL, "", "table")
client, _ := NewClient(server.URL, "", "table", "", false)
if err := client.RetireAgent([]string{"ag-1", "--force", "--reason", "decommissioning rack 7"}); err != nil {
t.Fatalf("RetireAgent(force+reason) err=%v want nil", err)
}
@@ -126,7 +126,7 @@ func TestClient_RetireAgent_Force_RequiresReason(t *testing.T) {
}))
defer server.Close()
client := NewClient(server.URL, "", "table")
client, _ := NewClient(server.URL, "", "table", "", false)
err := client.RetireAgent([]string{"ag-1", "--force"})
if err == nil {
t.Fatalf("RetireAgent(force, no reason) err=nil want client-side error")
@@ -150,7 +150,7 @@ func TestClient_RetireAgent_MissingID(t *testing.T) {
}))
defer server.Close()
client := NewClient(server.URL, "", "table")
client, _ := NewClient(server.URL, "", "table", "", false)
err := client.RetireAgent([]string{})
if err == nil {
t.Fatalf("RetireAgent([]) err=nil want missing-id error")
@@ -198,7 +198,7 @@ func TestClient_ListRetiredAgents_Success(t *testing.T) {
}))
defer server.Close()
client := NewClient(server.URL, "", "table")
client, _ := NewClient(server.URL, "", "table", "", false)
if err := client.ListRetiredAgents([]string{}); err != nil {
t.Fatalf("ListRetiredAgents err=%v want nil", err)
}
@@ -220,7 +220,7 @@ func TestClient_ListRetiredAgents_ServerError(t *testing.T) {
}))
defer server.Close()
client := NewClient(server.URL, "", "table")
client, _ := NewClient(server.URL, "", "table", "", false)
err := client.ListRetiredAgents([]string{})
if err == nil {
t.Fatalf("ListRetiredAgents(500) err=nil want propagated error")
internal/cli/client.go
+35 -5
View File
@@ -2,6 +2,7 @@ package cli
import (
"bytes"
"crypto/tls"
"crypto/x509"
"encoding/json"
"encoding/pem"
@@ -19,22 +20,51 @@ import (
// Client is the CLI HTTP client that communicates with the certctl server.
type Client struct {
baseURL string
apiKey string
format string
baseURL string
apiKey string
format string
httpClient *http.Client
}
// NewClient creates a new CLI client.
func NewClient(baseURL, apiKey, format string) *Client {
//
// HTTPS-Everywhere (v2.2): the certctl control plane is HTTPS-only. caBundlePath,
// when non-empty, points at a PEM bundle used to verify the server cert; otherwise
// the system trust store is used. insecure skips cert verification — dev only,
// never enable in production. The TLS config is attached to *http.Transport so
// every call goes through the same verified socket.
func NewClient(baseURL, apiKey, format, caBundlePath string, insecure bool) (*Client, error) {
tlsConfig := &tls.Config{
MinVersion: tls.VersionTLS13,
InsecureSkipVerify: insecure, //nolint:gosec // opt-in dev toggle, documented in docs/tls.md
}
if caBundlePath != "" {
pemBytes, err := os.ReadFile(caBundlePath)
if err != nil {
return nil, fmt.Errorf("reading CA bundle at %q: %w", caBundlePath, err)
}
pool := x509.NewCertPool()
if !pool.AppendCertsFromPEM(pemBytes) {
return nil, fmt.Errorf("CA bundle at %q contains no valid PEM-encoded certificates", caBundlePath)
}
tlsConfig.RootCAs = pool
}
return &Client{
baseURL: baseURL,
apiKey: apiKey,
format: format,
httpClient: &http.Client{
Timeout: 30 * time.Second,
Transport: &http.Transport{
TLSClientConfig: tlsConfig,
ForceAttemptHTTP2: true,
MaxIdleConns: 10,
IdleConnTimeout: 90 * time.Second,
TLSHandshakeTimeout: 10 * time.Second,
ExpectContinueTimeout: 1 * time.Second,
},
},
}
}, nil
}
// do performs an HTTP request and returns the parsed JSON response.
internal/cli/client_test.go
+207 -15
View File
@@ -3,6 +3,7 @@ package cli
import (
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/json"
@@ -39,7 +40,7 @@ func TestClient_ListCertificates(t *testing.T) {
}))
defer server.Close()
client := NewClient(server.URL, "", "table")
client, _ := NewClient(server.URL, "", "table", "", false)
err := client.ListCertificates([]string{})
if err != nil {
t.Fatalf("ListCertificates failed: %v", err)
@@ -64,7 +65,7 @@ func TestClient_GetCertificate(t *testing.T) {
}))
defer server.Close()
client := NewClient(server.URL, "", "json")
client, _ := NewClient(server.URL, "", "json", "", false)
err := client.GetCertificate("mc-1")
if err != nil {
t.Fatalf("GetCertificate failed: %v", err)
@@ -86,7 +87,7 @@ func TestClient_RenewCertificate(t *testing.T) {
}))
defer server.Close()
client := NewClient(server.URL, "", "table")
client, _ := NewClient(server.URL, "", "table", "", false)
err := client.RenewCertificate("mc-1")
if err != nil {
t.Fatalf("RenewCertificate failed: %v", err)
@@ -107,7 +108,7 @@ func TestClient_RevokeCertificate(t *testing.T) {
}))
defer server.Close()
client := NewClient(server.URL, "", "table")
client, _ := NewClient(server.URL, "", "table", "", false)
err := client.RevokeCertificate("mc-1", "cessationOfOperation")
if err != nil {
t.Fatalf("RevokeCertificate failed: %v", err)
@@ -141,7 +142,7 @@ func TestClient_BulkRevokeCertificates(t *testing.T) {
}))
defer server.Close()
client := NewClient(server.URL, "", "table")
client, _ := NewClient(server.URL, "", "table", "", false)
err := client.BulkRevokeCertificates([]string{
"--reason", "keyCompromise",
"--profile-id", "prof-tls",
@@ -175,7 +176,7 @@ func TestClient_ListAgents(t *testing.T) {
}))
defer server.Close()
client := NewClient(server.URL, "", "table")
client, _ := NewClient(server.URL, "", "table", "", false)
err := client.ListAgents([]string{})
if err != nil {
t.Fatalf("ListAgents failed: %v", err)
@@ -201,7 +202,7 @@ func TestClient_GetAgent(t *testing.T) {
}))
defer server.Close()
client := NewClient(server.URL, "", "json")
client, _ := NewClient(server.URL, "", "json", "", false)
err := client.GetAgent("ag-1")
if err != nil {
t.Fatalf("GetAgent failed: %v", err)
@@ -232,7 +233,7 @@ func TestClient_ListJobs(t *testing.T) {
}))
defer server.Close()
client := NewClient(server.URL, "", "table")
client, _ := NewClient(server.URL, "", "table", "", false)
err := client.ListJobs([]string{})
if err != nil {
t.Fatalf("ListJobs failed: %v", err)
@@ -258,7 +259,7 @@ func TestClient_GetJob(t *testing.T) {
}))
defer server.Close()
client := NewClient(server.URL, "", "json")
client, _ := NewClient(server.URL, "", "json", "", false)
err := client.GetJob("job-1")
if err != nil {
t.Fatalf("GetJob failed: %v", err)
@@ -276,7 +277,7 @@ func TestClient_CancelJob(t *testing.T) {
}))
defer server.Close()
client := NewClient(server.URL, "", "table")
client, _ := NewClient(server.URL, "", "table", "", false)
err := client.CancelJob("job-1")
if err != nil {
t.Fatalf("CancelJob failed: %v", err)
@@ -308,7 +309,7 @@ func TestClient_GetStatus(t *testing.T) {
}))
defer server.Close()
client := NewClient(server.URL, "", "table")
client, _ := NewClient(server.URL, "", "table", "", false)
err := client.GetStatus()
if err != nil {
t.Fatalf("GetStatus failed: %v", err)
@@ -381,7 +382,7 @@ func TestClient_AuthHeader(t *testing.T) {
}))
defer server.Close()
client := NewClient(server.URL, "testkey123", "json")
client, _ := NewClient(server.URL, "testkey123", "json", "", false)
client.do("GET", "/api/v1/certificates", nil, nil)
if authHeader != "Bearer testkey123" {
@@ -439,7 +440,7 @@ func TestClient_ImportCertificates_MissingRequiredFlags(t *testing.T) {
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
client := NewClient(server.URL, "", "table")
client, _ := NewClient(server.URL, "", "table", "", false)
err := client.ImportCertificates(tc.args)
if err == nil {
t.Fatalf("expected error for %s, got nil", tc.name)
@@ -468,7 +469,7 @@ func TestClient_ImportCertificates_MissingPositionalArgs(t *testing.T) {
}))
defer server.Close()
client := NewClient(server.URL, "", "table")
client, _ := NewClient(server.URL, "", "table", "", false)
err := client.ImportCertificates([]string{
"--owner-id", "o-alice",
"--team-id", "t-platform",
@@ -513,7 +514,7 @@ func TestClient_ImportCertificates_SixFieldPayload(t *testing.T) {
}))
defer server.Close()
client := NewClient(server.URL, "", "table")
client, _ := NewClient(server.URL, "", "table", "", false)
err := client.ImportCertificates([]string{
"--owner-id", "o-alice",
"--team-id", "t-platform",
@@ -583,3 +584,194 @@ func generateTestCert() *x509.Certificate {
return cert
}
// -----------------------------------------------------------------------------
// HTTPS-Everywhere milestone (v2.2, §3.2 + §7 Phase 5):
// The CLI binary now talks HTTPS-only to the control plane. These tests pin the
// three contracts the milestone requires every client binary (agent, CLI, MCP)
// to satisfy in lock-step:
// (a) CA bundle load success — PEM loads, RootCAs + MinVersion=TLS1.3 wired
// through the injected *http.Transport so the httpClient actually uses them.
// (b) CA bundle load failure — missing file and malformed/empty PEM each fail
// loud with a pinned substring so operators get a useful diagnostic instead
// of a later TLS-handshake-error mystery.
// (c) End-to-end TLS round-trip — an httptest.NewTLSServer whose own cert is
// written out as the CA bundle validates that every TLS-config knob is
// actually reaching the wire, not just surviving into the struct.
// Each of the three client binaries pins the same three contracts against its
// own NewClient signature; drifting any of them in isolation is exactly what
// this suite is here to catch. The error-string substrings below must stay in
// sync with the fmt.Errorf messages in internal/cli/client.go:NewClient.
// -----------------------------------------------------------------------------
// writeCABundle PEM-encodes a DER cert and writes it to a temp file under the
// test's own TempDir. Returns the absolute path of the written bundle so test
// callers can pass it straight into NewClient(..., caBundlePath, ...).
func writeCABundle(t *testing.T, dir string, certDER []byte, filename string) string {
t.Helper()
path := filepath.Join(dir, filename)
pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
if err := os.WriteFile(path, pemBytes, 0o600); err != nil {
t.Fatalf("writing CA bundle to %q: %v", path, err)
}
return path
}
// TestNewClient_CABundle_Success pins the happy path: a valid PEM CA bundle
// loads, populates RootCAs on the client's TLS config, and leaves
// MinVersion=TLS1.3 intact. Regression guard: if a future edit accidentally
// swaps the transport after TLS config setup (or forgets to re-attach the
// *tls.Config to *http.Transport), this test catches it before ops does.
func TestNewClient_CABundle_Success(t *testing.T) {
cert := generateTestCert()
tmp := t.TempDir()
bundlePath := writeCABundle(t, tmp, cert.Raw, "ca.pem")
client, err := NewClient("https://certctl-server:8443", "test-key", "table", bundlePath, false)
if err != nil {
t.Fatalf("NewClient with valid CA bundle err=%v want nil", err)
}
if client == nil {
t.Fatal("NewClient returned nil client on happy path")
}
transport, ok := client.httpClient.Transport.(*http.Transport)
if !ok {
t.Fatalf("httpClient.Transport type=%T want *http.Transport (TLS config injection broke)", client.httpClient.Transport)
}
if transport.TLSClientConfig == nil {
t.Fatal("transport.TLSClientConfig is nil; TLS config must be set on every client")
}
if transport.TLSClientConfig.RootCAs == nil {
t.Fatal("transport.TLSClientConfig.RootCAs is nil; CA bundle path was ignored")
}
if transport.TLSClientConfig.MinVersion != tls.VersionTLS13 {
t.Errorf("MinVersion=%d want tls.VersionTLS13 (%d); HTTPS-Everywhere requires TLS1.3 floor",
transport.TLSClientConfig.MinVersion, tls.VersionTLS13)
}
if transport.TLSClientConfig.InsecureSkipVerify {
t.Error("InsecureSkipVerify=true with insecure=false arg; flag wiring crossed")
}
}
// TestNewClient_CABundle_MissingFile pins the fail-loud path for a nonexistent
// bundle path. The error surface must include "reading CA bundle" so operators
// see the right diagnostic instead of a downstream TLS-handshake-error.
func TestNewClient_CABundle_MissingFile(t *testing.T) {
_, err := NewClient("https://certctl-server:8443", "test-key", "table", "/nonexistent/path/ca.pem", false)
if err == nil {
t.Fatal("NewClient with missing CA bundle err=nil; must fail loud so operators see the right diagnostic")
}
if !containsStr(err.Error(), "reading CA bundle") {
t.Errorf("err=%q must contain %q so operators can locate the misconfigured path", err.Error(), "reading CA bundle")
}
}
// TestNewClient_CABundle_EmptyPEM pins the fail-loud path for a file whose
// contents are not valid PEM certificate data. AppendCertsFromPEM returning
// false is the signal we need to surface — otherwise the client would silently
// ship with an empty cert pool and every TLS handshake would fail downstream.
func TestNewClient_CABundle_EmptyPEM(t *testing.T) {
tmp := t.TempDir()
garbagePath := filepath.Join(tmp, "garbage.pem")
if err := os.WriteFile(garbagePath, []byte("not a pem certificate, just bytes"), 0o600); err != nil {
t.Fatalf("writing garbage file: %v", err)
}
_, err := NewClient("https://certctl-server:8443", "test-key", "table", garbagePath, false)
if err == nil {
t.Fatal("NewClient with malformed PEM err=nil; must fail loud, not silently skip")
}
if !containsStr(err.Error(), "no valid PEM-encoded certificates") {
t.Errorf("err=%q must contain %q so operators know the file parsed but held no certs",
err.Error(), "no valid PEM-encoded certificates")
}
}
// TestNewClient_TLSRoundTrip validates that the TLS config knobs we set on
// NewClient actually reach the wire. An httptest.NewTLSServer signs its own
// self-signed leaf; we PEM-encode that server cert, write it as the CA bundle,
// and issue a real HTTPS call through ListCertificates. A successful round-trip
// proves RootCAs + MinVersion are flowing through *http.Transport into the
// dialer, not just surviving into the client struct.
func TestNewClient_TLSRoundTrip(t *testing.T) {
var handlerHit int
server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.Method == "GET" && r.URL.Path == "/api/v1/certificates" {
handlerHit++
w.Header().Set("Content-Type", "application/json")
_ = json.NewEncoder(w).Encode(map[string]interface{}{
"data": []map[string]interface{}{},
"total": 0,
})
return
}
w.WriteHeader(http.StatusNotFound)
}))
defer server.Close()
serverCert := server.Certificate()
if serverCert == nil {
t.Fatal("httptest.NewTLSServer.Certificate() returned nil; cannot build CA bundle")
}
tmp := t.TempDir()
bundlePath := writeCABundle(t, tmp, serverCert.Raw, "server-ca.pem")
client, err := NewClient(server.URL, "test-key", "table", bundlePath, false)
if err != nil {
t.Fatalf("NewClient(TLS server) err=%v want nil", err)
}
if err := client.ListCertificates([]string{}); err != nil {
t.Fatalf("ListCertificates over HTTPS err=%v; TLS config must reach the wire", err)
}
if handlerHit != 1 {
t.Errorf("handlerHit=%d want 1; request did not reach the TLS server", handlerHit)
}
}
// TestNewClient_InsecureSkipVerify pins the dev-only escape hatch: an untrusted
// TLS server (cert NOT in the client's root pool) must be reachable when
// insecure=true. This is the only path in the control plane that disables
// certificate verification; it's documented in docs/tls.md and gated by the
// CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY env var so it never slips into
// production silently.
func TestNewClient_InsecureSkipVerify(t *testing.T) {
var handlerHit int
server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
handlerHit++
w.Header().Set("Content-Type", "application/json")
_ = json.NewEncoder(w).Encode(map[string]interface{}{
"data": []map[string]interface{}{},
"total": 0,
})
}))
defer server.Close()
// No CA bundle → system roots, which will NOT trust the self-signed
// httptest cert. insecure=true is the only thing keeping this call from
// failing with an x509-unknown-authority error.
client, err := NewClient(server.URL, "test-key", "table", "", true)
if err != nil {
t.Fatalf("NewClient(insecure=true) err=%v want nil", err)
}
transport, ok := client.httpClient.Transport.(*http.Transport)
if !ok {
t.Fatalf("httpClient.Transport type=%T want *http.Transport", client.httpClient.Transport)
}
if !transport.TLSClientConfig.InsecureSkipVerify {
t.Fatal("insecure=true arg did not set TLSClientConfig.InsecureSkipVerify; flag wiring broken")
}
if transport.TLSClientConfig.MinVersion != tls.VersionTLS13 {
t.Errorf("MinVersion=%d want tls.VersionTLS13 even with insecure=true (TLS1.3 floor is not optional)",
transport.TLSClientConfig.MinVersion)
}
if err := client.ListCertificates([]string{}); err != nil {
t.Fatalf("ListCertificates(insecure=true) err=%v; escape hatch must still complete the round-trip", err)
}
if handlerHit != 1 {
t.Errorf("handlerHit=%d want 1; insecure round-trip did not reach the server", handlerHit)
}
}
internal/config/config.go
+63 -3
View File
@@ -1,6 +1,7 @@
package config
import (
"crypto/tls"
"fmt"
"log/slog"
"os"
@@ -677,9 +678,30 @@ type VerificationConfig struct {
// ServerConfig contains HTTP server configuration.
type ServerConfig struct {
Host string // Server host (default: 127.0.0.1). Set via CERTCTL_SERVER_HOST.
Port int // Server port (default: 8080). Set via CERTCTL_SERVER_PORT.
MaxBodySize int64 // Maximum request body size in bytes (default: 1MB). Set via CERTCTL_MAX_BODY_SIZE.
Host string // Server host (default: 127.0.0.1). Set via CERTCTL_SERVER_HOST.
Port int // Server port (default: 8080). Set via CERTCTL_SERVER_PORT.
MaxBodySize int64 // Maximum request body size in bytes (default: 1MB). Set via CERTCTL_MAX_BODY_SIZE.
TLS ServerTLSConfig // HTTPS-only TLS configuration. Both CertPath and KeyPath are required.
}
// ServerTLSConfig holds the server-side TLS material.
//
// The control plane is HTTPS-only as of the HTTPS-everywhere milestone
// (§3 locked decisions: no `http` mode, no dual-listener, TLS 1.3 only).
// Both CertPath and KeyPath are required; an empty value causes
// Config.Validate() to return a fail-loud error and the server refuses
// to start. There is no plaintext HTTP fallback, no N-release migration
// bridge, and no auto-generated self-signed cert — operators either
// supply a cert on disk (docker-compose init container, operator-managed
// file, cert-manager mount) or the process exits non-zero.
type ServerTLSConfig struct {
// CertPath is the filesystem path to the server's PEM-encoded X.509
// certificate. Set via CERTCTL_SERVER_TLS_CERT_PATH. Required.
CertPath string
// KeyPath is the filesystem path to the server's PEM-encoded private
// key that signs CertPath. Set via CERTCTL_SERVER_TLS_KEY_PATH. Required.
KeyPath string
}
// DatabaseConfig contains database connection configuration.
@@ -841,6 +863,13 @@ func Load() (*Config, error) {
Host: getEnv("CERTCTL_SERVER_HOST", "127.0.0.1"),
Port: getEnvInt("CERTCTL_SERVER_PORT", 8080),
MaxBodySize: getEnvInt64("CERTCTL_MAX_BODY_SIZE", 1024*1024), // 1MB default
// HTTPS-everywhere milestone §2.1: both paths REQUIRED. Empty defaults
// are intentional so Validate() emits a fail-loud error pointing at
// docs/tls.md rather than silently binding plaintext HTTP.
TLS: ServerTLSConfig{
CertPath: getEnv("CERTCTL_SERVER_TLS_CERT_PATH", ""),
KeyPath: getEnv("CERTCTL_SERVER_TLS_KEY_PATH", ""),
},
},
Database: DatabaseConfig{
URL: getEnv("CERTCTL_DATABASE_URL", "postgres://localhost/certctl"),
@@ -1059,6 +1088,37 @@ func (c *Config) Validate() error {
return fmt.Errorf("invalid server port: %d", c.Server.Port)
}
// HTTPS-everywhere milestone §2.1 + §3 locked decisions: the control plane
// is TLS-only and refuses to start without a cert. No plaintext HTTP fallback,
// no auto-generated self-signed cert, no N-release migration window. An empty
// CertPath or KeyPath is operator-visible misconfiguration, not a soft warning.
if c.Server.TLS.CertPath == "" {
return fmt.Errorf("server TLS cert path is required — refuse to start (HTTPS-only: set CERTCTL_SERVER_TLS_CERT_PATH to a PEM-encoded certificate; see docs/tls.md)")
}
if c.Server.TLS.KeyPath == "" {
return fmt.Errorf("server TLS key path is required — refuse to start (HTTPS-only: set CERTCTL_SERVER_TLS_KEY_PATH to the PEM-encoded private key matching CERTCTL_SERVER_TLS_CERT_PATH; see docs/tls.md)")
}
// Files must exist and be readable. Catches typos and missing mount paths
// up-front so the operator gets a structured error on startup instead of
// a deferred ListenAndServeTLS failure after the scheduler has already
// fanned out its goroutines.
if _, err := os.Stat(c.Server.TLS.CertPath); err != nil {
return fmt.Errorf("server TLS cert file unreadable at %q: %w — refuse to start (HTTPS-only; see docs/tls.md)", c.Server.TLS.CertPath, err)
}
if _, err := os.Stat(c.Server.TLS.KeyPath); err != nil {
return fmt.Errorf("server TLS key file unreadable at %q: %w — refuse to start (HTTPS-only; see docs/tls.md)", c.Server.TLS.KeyPath, err)
}
// Parse the cert+key pair up-front. tls.LoadX509KeyPair verifies that the
// key signs the cert (prevents the classic footgun of shipping a pair
// whose private key doesn't match). Discard the returned Certificate — the
// server constructs its own holder from fresh reads so SIGHUP reload is
// authoritative.
if _, err := tls.LoadX509KeyPair(c.Server.TLS.CertPath, c.Server.TLS.KeyPath); err != nil {
return fmt.Errorf("server TLS cert/key pair invalid (cert=%q key=%q): %w — refuse to start (HTTPS-only; see docs/tls.md)", c.Server.TLS.CertPath, c.Server.TLS.KeyPath, err)
}
// Validate database configuration
if c.Database.URL == "" {
return fmt.Errorf("database URL is required")
internal/config/config_test.go
+256 -13
View File
@@ -1,10 +1,18 @@
package config
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"log/slog"
"math/big"
"os"
"testing"
"path/filepath"
"strings"
"testing"
"time"
)
@@ -26,10 +34,76 @@ func clearCertctlEnv(t *testing.T) {
}
// setMinimalValidEnv sets the minimum env vars needed for Load() to succeed (Validate passes).
//
// HTTPS-everywhere milestone (§2.1 + §3 locked decisions): the control plane
// is TLS-only and Validate() refuses to pass without a readable cert/key pair
// on disk. setMinimalValidEnv therefore materializes a throwaway ECDSA P-256
// self-signed pair in t.TempDir() and points the two TLS env vars at it so
// every Load-based test inherits a valid HTTPS posture without each caller
// having to spell out cert generation. The temp dir is cleaned up by
// testing.T at end-of-test.
func setMinimalValidEnv(t *testing.T) {
t.Helper()
// api-key auth requires a secret
t.Setenv("CERTCTL_AUTH_SECRET", "test-secret-key")
// HTTPS-only control plane requires a real cert/key pair on disk.
certPath, keyPath := generateTestTLSPair(t)
t.Setenv("CERTCTL_SERVER_TLS_CERT_PATH", certPath)
t.Setenv("CERTCTL_SERVER_TLS_KEY_PATH", keyPath)
}
// generateTestTLSPair writes an ECDSA P-256 self-signed certificate + private
// key pair to files inside t.TempDir() and returns the paths. Same shape used
// by cmd/server/tls_test.go — this duplicates the generator rather than
// importing it so the config package tests stay independent of cmd/server.
func generateTestTLSPair(t *testing.T) (certPath, keyPath string) {
t.Helper()
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatalf("ecdsa.GenerateKey: %v", err)
}
tmpl := &x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{CommonName: "certctl-config-test"},
NotBefore: time.Now().Add(-time.Hour),
NotAfter: time.Now().Add(time.Hour),
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
}
der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
if err != nil {
t.Fatalf("x509.CreateCertificate: %v", err)
}
dir := t.TempDir()
certPath = filepath.Join(dir, "cert.pem")
keyPath = filepath.Join(dir, "key.pem")
certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
if err := os.WriteFile(certPath, certPEM, 0o600); err != nil {
t.Fatalf("write cert: %v", err)
}
keyDER, err := x509.MarshalECPrivateKey(key)
if err != nil {
t.Fatalf("x509.MarshalECPrivateKey: %v", err)
}
keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
if err := os.WriteFile(keyPath, keyPEM, 0o600); err != nil {
t.Fatalf("write key: %v", err)
}
return certPath, keyPath
}
// validServerConfig returns a ServerConfig with Port=8080 plus a freshly
// minted TLS cert/key pair on disk, so Validate() passes the HTTPS-only
// preflight (cert empty → stat → tls.LoadX509KeyPair round-trip). Every
// struct-based Validate test uses this so they fail for the reason they
// claim to test, not for a missing TLS pair.
func validServerConfig(t *testing.T) ServerConfig {
t.Helper()
certPath, keyPath := generateTestTLSPair(t)
return ServerConfig{
Port: 8080,
TLS: ServerTLSConfig{CertPath: certPath, KeyPath: keyPath},
}
}
func TestLoad_DefaultValues(t *testing.T) {
@@ -135,6 +209,13 @@ func TestLoad_DefaultValues(t *testing.T) {
func TestLoad_AllEnvVarsSet(t *testing.T) {
clearCertctlEnv(t)
// HTTPS-only control plane: Load() → Validate() refuses an empty cert path.
// Materialize a throwaway ECDSA P-256 pair and point the two TLS env vars
// at it before setting every other CERTCTL_* var this test cares about.
certPath, keyPath := generateTestTLSPair(t)
t.Setenv("CERTCTL_SERVER_TLS_CERT_PATH", certPath)
t.Setenv("CERTCTL_SERVER_TLS_KEY_PATH", keyPath)
t.Setenv("CERTCTL_SERVER_HOST", "0.0.0.0")
t.Setenv("CERTCTL_SERVER_PORT", "9090")
t.Setenv("CERTCTL_MAX_BODY_SIZE", "2097152")
@@ -319,7 +400,7 @@ func TestLoad_CommaSeparatedList(t *testing.T) {
func TestValidate_ValidConfig(t *testing.T) {
cfg := &Config{
Server: ServerConfig{Port: 8080},
Server: validServerConfig(t),
Database: DatabaseConfig{URL: "postgres://localhost/certctl", MaxConnections: 25},
Log: LogConfig{Level: "info", Format: "json"},
Auth: AuthConfig{Type: "api-key", Secret: "test-secret"},
@@ -329,6 +410,7 @@ func TestValidate_ValidConfig(t *testing.T) {
JobProcessorInterval: 30 * time.Second,
AgentHealthCheckInterval: 2 * time.Minute,
NotificationProcessInterval: 1 * time.Minute,
NotificationRetryInterval: 2 * time.Minute,
RetryInterval: 5 * time.Minute,
JobTimeoutInterval: 10 * time.Minute,
AwaitingCSRTimeout: 24 * time.Hour,
@@ -342,7 +424,7 @@ func TestValidate_ValidConfig(t *testing.T) {
func TestValidate_AuthTypeNone(t *testing.T) {
cfg := &Config{
Server: ServerConfig{Port: 8080},
Server: validServerConfig(t),
Database: DatabaseConfig{URL: "postgres://localhost/certctl", MaxConnections: 25},
Log: LogConfig{Level: "info", Format: "json"},
Auth: AuthConfig{Type: "none", Secret: ""},
@@ -352,6 +434,7 @@ func TestValidate_AuthTypeNone(t *testing.T) {
JobProcessorInterval: 30 * time.Second,
AgentHealthCheckInterval: 2 * time.Minute,
NotificationProcessInterval: 1 * time.Minute,
NotificationRetryInterval: 2 * time.Minute,
RetryInterval: 5 * time.Minute,
JobTimeoutInterval: 10 * time.Minute,
AwaitingCSRTimeout: 24 * time.Hour,
@@ -365,7 +448,7 @@ func TestValidate_AuthTypeNone(t *testing.T) {
func TestValidate_InvalidAuthType(t *testing.T) {
cfg := &Config{
Server: ServerConfig{Port: 8080},
Server: validServerConfig(t),
Database: DatabaseConfig{URL: "postgres://localhost/certctl", MaxConnections: 25},
Log: LogConfig{Level: "info", Format: "json"},
Auth: AuthConfig{Type: "oauth", Secret: "key"},
@@ -384,7 +467,7 @@ func TestValidate_InvalidAuthType(t *testing.T) {
func TestValidate_APIKeyAuth_MissingSecret(t *testing.T) {
cfg := &Config{
Server: ServerConfig{Port: 8080},
Server: validServerConfig(t),
Database: DatabaseConfig{URL: "postgres://localhost/certctl", MaxConnections: 25},
Log: LogConfig{Level: "info", Format: "json"},
Auth: AuthConfig{Type: "api-key", Secret: ""},
@@ -403,7 +486,7 @@ func TestValidate_APIKeyAuth_MissingSecret(t *testing.T) {
func TestValidate_JWTAuth_MissingSecret(t *testing.T) {
cfg := &Config{
Server: ServerConfig{Port: 8080},
Server: validServerConfig(t),
Database: DatabaseConfig{URL: "postgres://localhost/certctl", MaxConnections: 25},
Log: LogConfig{Level: "info", Format: "json"},
Auth: AuthConfig{Type: "jwt", Secret: ""},
@@ -422,7 +505,7 @@ func TestValidate_JWTAuth_MissingSecret(t *testing.T) {
func TestValidate_InvalidKeygenMode(t *testing.T) {
cfg := &Config{
Server: ServerConfig{Port: 8080},
Server: validServerConfig(t),
Database: DatabaseConfig{URL: "postgres://localhost/certctl", MaxConnections: 25},
Log: LogConfig{Level: "info", Format: "json"},
Auth: AuthConfig{Type: "api-key", Secret: "key"},
@@ -470,9 +553,168 @@ func TestValidate_InvalidPort(t *testing.T) {
}
}
// TestValidate_TLSCertPathEmpty pins the first of the HTTPS-only fail-loud
// gates in Validate(): an empty CertPath must produce the operator-facing
// "server TLS cert path is required" error. Per §2.1 + §3 locked decisions,
// there is no plaintext HTTP fallback — missing TLS config is a hard startup
// refusal, not a warning.
func TestValidate_TLSCertPathEmpty(t *testing.T) {
_, keyPath := generateTestTLSPair(t)
cfg := &Config{
Server: ServerConfig{
Port: 8080,
TLS: ServerTLSConfig{CertPath: "", KeyPath: keyPath},
},
Database: DatabaseConfig{URL: "postgres://localhost/certctl", MaxConnections: 25},
Log: LogConfig{Level: "info", Format: "json"},
Auth: AuthConfig{Type: "api-key", Secret: "key"},
Keygen: KeygenConfig{Mode: "agent"},
Scheduler: SchedulerConfig{
RenewalCheckInterval: 1 * time.Hour,
JobProcessorInterval: 30 * time.Second,
AgentHealthCheckInterval: 2 * time.Minute,
NotificationProcessInterval: 1 * time.Minute,
},
}
err := cfg.Validate()
if err == nil {
t.Fatal("Validate() should return error for empty TLS cert path")
}
if !strings.Contains(err.Error(), "server TLS cert path is required") {
t.Errorf("error = %q, want substring %q", err.Error(), "server TLS cert path is required")
}
}
// TestValidate_TLSKeyPathEmpty pins the second HTTPS-only gate: empty KeyPath
// must produce the "server TLS key path is required" error. Runs with a valid
// CertPath so the cert-empty gate (which fires first) is cleanly bypassed —
// proves the key-empty gate is actually reached.
func TestValidate_TLSKeyPathEmpty(t *testing.T) {
certPath, _ := generateTestTLSPair(t)
cfg := &Config{
Server: ServerConfig{
Port: 8080,
TLS: ServerTLSConfig{CertPath: certPath, KeyPath: ""},
},
Database: DatabaseConfig{URL: "postgres://localhost/certctl", MaxConnections: 25},
Log: LogConfig{Level: "info", Format: "json"},
Auth: AuthConfig{Type: "api-key", Secret: "key"},
Keygen: KeygenConfig{Mode: "agent"},
Scheduler: SchedulerConfig{
RenewalCheckInterval: 1 * time.Hour,
JobProcessorInterval: 30 * time.Second,
AgentHealthCheckInterval: 2 * time.Minute,
NotificationProcessInterval: 1 * time.Minute,
},
}
err := cfg.Validate()
if err == nil {
t.Fatal("Validate() should return error for empty TLS key path")
}
if !strings.Contains(err.Error(), "server TLS key path is required") {
t.Errorf("error = %q, want substring %q", err.Error(), "server TLS key path is required")
}
}
// TestValidate_TLSCertFileMissing pins the os.Stat gate on the cert path. A
// non-existent path must surface "server TLS cert file unreadable" so the
// operator sees the bad path in the error (file=%q) instead of a deferred
// ListenAndServeTLS panic after the scheduler has already fanned out.
func TestValidate_TLSCertFileMissing(t *testing.T) {
_, keyPath := generateTestTLSPair(t)
missingCert := filepath.Join(t.TempDir(), "does-not-exist.pem")
cfg := &Config{
Server: ServerConfig{
Port: 8080,
TLS: ServerTLSConfig{CertPath: missingCert, KeyPath: keyPath},
},
Database: DatabaseConfig{URL: "postgres://localhost/certctl", MaxConnections: 25},
Log: LogConfig{Level: "info", Format: "json"},
Auth: AuthConfig{Type: "api-key", Secret: "key"},
Keygen: KeygenConfig{Mode: "agent"},
Scheduler: SchedulerConfig{
RenewalCheckInterval: 1 * time.Hour,
JobProcessorInterval: 30 * time.Second,
AgentHealthCheckInterval: 2 * time.Minute,
NotificationProcessInterval: 1 * time.Minute,
},
}
err := cfg.Validate()
if err == nil {
t.Fatal("Validate() should return error for missing TLS cert file")
}
if !strings.Contains(err.Error(), "server TLS cert file unreadable") {
t.Errorf("error = %q, want substring %q", err.Error(), "server TLS cert file unreadable")
}
}
// TestValidate_TLSKeyFileMissing pins the os.Stat gate on the key path. Uses a
// valid CertPath so the cert-missing gate does not pre-empt; proves the key
// gate is reached and reports the bad key path.
func TestValidate_TLSKeyFileMissing(t *testing.T) {
certPath, _ := generateTestTLSPair(t)
missingKey := filepath.Join(t.TempDir(), "does-not-exist.key")
cfg := &Config{
Server: ServerConfig{
Port: 8080,
TLS: ServerTLSConfig{CertPath: certPath, KeyPath: missingKey},
},
Database: DatabaseConfig{URL: "postgres://localhost/certctl", MaxConnections: 25},
Log: LogConfig{Level: "info", Format: "json"},
Auth: AuthConfig{Type: "api-key", Secret: "key"},
Keygen: KeygenConfig{Mode: "agent"},
Scheduler: SchedulerConfig{
RenewalCheckInterval: 1 * time.Hour,
JobProcessorInterval: 30 * time.Second,
AgentHealthCheckInterval: 2 * time.Minute,
NotificationProcessInterval: 1 * time.Minute,
},
}
err := cfg.Validate()
if err == nil {
t.Fatal("Validate() should return error for missing TLS key file")
}
if !strings.Contains(err.Error(), "server TLS key file unreadable") {
t.Errorf("error = %q, want substring %q", err.Error(), "server TLS key file unreadable")
}
}
// TestValidate_TLSMismatchedPair pins the tls.LoadX509KeyPair gate — the
// classic "you shipped the wrong private key" footgun. Generates two
// independent ECDSA pairs and crosses them (pair1 cert + pair2 key). Both
// files exist and parse as PEM, so os.Stat passes; only the cryptographic
// round-trip inside LoadX509KeyPair catches the mismatch.
func TestValidate_TLSMismatchedPair(t *testing.T) {
certPath1, _ := generateTestTLSPair(t)
_, keyPath2 := generateTestTLSPair(t)
cfg := &Config{
Server: ServerConfig{
Port: 8080,
TLS: ServerTLSConfig{CertPath: certPath1, KeyPath: keyPath2},
},
Database: DatabaseConfig{URL: "postgres://localhost/certctl", MaxConnections: 25},
Log: LogConfig{Level: "info", Format: "json"},
Auth: AuthConfig{Type: "api-key", Secret: "key"},
Keygen: KeygenConfig{Mode: "agent"},
Scheduler: SchedulerConfig{
RenewalCheckInterval: 1 * time.Hour,
JobProcessorInterval: 30 * time.Second,
AgentHealthCheckInterval: 2 * time.Minute,
NotificationProcessInterval: 1 * time.Minute,
},
}
err := cfg.Validate()
if err == nil {
t.Fatal("Validate() should return error for mismatched TLS cert/key pair")
}
if !strings.Contains(err.Error(), "server TLS cert/key pair invalid") {
t.Errorf("error = %q, want substring %q", err.Error(), "server TLS cert/key pair invalid")
}
}
func TestValidate_EmptyDatabaseURL(t *testing.T) {
cfg := &Config{
Server: ServerConfig{Port: 8080},
Server: validServerConfig(t),
Database: DatabaseConfig{URL: "", MaxConnections: 25},
Log: LogConfig{Level: "info", Format: "json"},
Auth: AuthConfig{Type: "api-key", Secret: "key"},
@@ -491,7 +733,7 @@ func TestValidate_EmptyDatabaseURL(t *testing.T) {
func TestValidate_InvalidLogLevel(t *testing.T) {
cfg := &Config{
Server: ServerConfig{Port: 8080},
Server: validServerConfig(t),
Database: DatabaseConfig{URL: "postgres://localhost/certctl", MaxConnections: 25},
Log: LogConfig{Level: "verbose", Format: "json"},
Auth: AuthConfig{Type: "api-key", Secret: "key"},
@@ -510,7 +752,7 @@ func TestValidate_InvalidLogLevel(t *testing.T) {
func TestValidate_InvalidLogFormat(t *testing.T) {
cfg := &Config{
Server: ServerConfig{Port: 8080},
Server: validServerConfig(t),
Database: DatabaseConfig{URL: "postgres://localhost/certctl", MaxConnections: 25},
Log: LogConfig{Level: "info", Format: "yaml"},
Auth: AuthConfig{Type: "api-key", Secret: "key"},
@@ -572,7 +814,7 @@ func TestValidate_SchedulerIntervalTooSmall(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
cfg := &Config{
Server: ServerConfig{Port: 8080},
Server: validServerConfig(t),
Database: DatabaseConfig{URL: "postgres://localhost/certctl", MaxConnections: 25},
Log: LogConfig{Level: "info", Format: "json"},
Auth: AuthConfig{Type: "api-key", Secret: "key"},
@@ -588,7 +830,7 @@ func TestValidate_SchedulerIntervalTooSmall(t *testing.T) {
func TestValidate_DatabaseMaxConnectionsZero(t *testing.T) {
cfg := &Config{
Server: ServerConfig{Port: 8080},
Server: validServerConfig(t),
Database: DatabaseConfig{URL: "postgres://localhost/certctl", MaxConnections: 0},
Log: LogConfig{Level: "info", Format: "json"},
Auth: AuthConfig{Type: "api-key", Secret: "key"},
@@ -795,7 +1037,7 @@ func TestConfig_Scheduler_JobTimeoutValidation(t *testing.T) {
// Start from a fully valid config so the I-003 timeout checks
// are the only potential failure point.
cfg := &Config{
Server: ServerConfig{Port: 8080},
Server: validServerConfig(t),
Database: DatabaseConfig{URL: "postgres://localhost/certctl", MaxConnections: 25},
Log: LogConfig{Level: "info", Format: "json"},
Auth: AuthConfig{Type: "api-key", Secret: "test-secret"},
@@ -805,6 +1047,7 @@ func TestConfig_Scheduler_JobTimeoutValidation(t *testing.T) {
JobProcessorInterval: 1 * time.Minute,
AgentHealthCheckInterval: 1 * time.Minute,
NotificationProcessInterval: 1 * time.Minute,
NotificationRetryInterval: 2 * time.Minute,
RetryInterval: 1 * time.Minute,
JobTimeoutInterval: 10 * time.Minute,
AwaitingCSRTimeout: 24 * time.Hour,
internal/mcp/client.go
+36 -3
View File
@@ -2,11 +2,14 @@ package mcp
import (
"bytes"
"crypto/tls"
"crypto/x509"
"encoding/json"
"fmt"
"io"
"net/http"
"net/url"
"os"
"time"
)
@@ -18,15 +21,45 @@ type Client struct {
httpClient *http.Client
}
// NewClient creates a new certctl API client.
func NewClient(baseURL, apiKey string) *Client {
// NewClient creates a new certctl API client. The control plane is HTTPS-only
// as of v2.2, so the transport is pinned to TLS 1.3 and optionally loads a
// PEM-encoded CA bundle from caBundlePath (empty means "trust the system
// roots"). The insecure flag disables certificate verification and is a
// dev-only opt-in documented in docs/tls.md — it must never be set in
// production. Returns an error if the CA bundle path is non-empty but the
// file is missing or contains no valid PEM-encoded certificates, so the
// caller can fail loud before any network call.
func NewClient(baseURL, apiKey, caBundlePath string, insecure bool) (*Client, error) {
tlsConfig := &tls.Config{
MinVersion: tls.VersionTLS13,
InsecureSkipVerify: insecure, //nolint:gosec // opt-in dev toggle, documented in docs/tls.md
}
if caBundlePath != "" {
pemBytes, err := os.ReadFile(caBundlePath)
if err != nil {
return nil, fmt.Errorf("reading CA bundle at %q: %w", caBundlePath, err)
}
pool := x509.NewCertPool()
if !pool.AppendCertsFromPEM(pemBytes) {
return nil, fmt.Errorf("CA bundle at %q contains no valid PEM-encoded certificates", caBundlePath)
}
tlsConfig.RootCAs = pool
}
return &Client{
baseURL: baseURL,
apiKey: apiKey,
httpClient: &http.Client{
Timeout: 30 * time.Second,
Transport: &http.Transport{
TLSClientConfig: tlsConfig,
ForceAttemptHTTP2: true,
MaxIdleConns: 10,
IdleConnTimeout: 90 * time.Second,
TLSHandshakeTimeout: 10 * time.Second,
ExpectContinueTimeout: 1 * time.Second,
},
},
}
}, nil
}
// Get performs an HTTP GET and returns the raw JSON response body.
internal/mcp/client_test.go
+248 -15
View File
@@ -1,17 +1,30 @@
package mcp
import (
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/json"
"encoding/pem"
"io"
"math/big"
"net/http"
"net/http/httptest"
"os"
"path/filepath"
"testing"
"time"
)
func TestNewClient(t *testing.T) {
c := NewClient("http://localhost:8443", "test-key")
if c.baseURL != "http://localhost:8443" {
t.Errorf("expected baseURL http://localhost:8443, got %s", c.baseURL)
c, err := NewClient("https://localhost:8443", "test-key", "", false)
if err != nil {
t.Fatalf("NewClient err=%v want nil", err)
}
if c.baseURL != "https://localhost:8443" {
t.Errorf("expected baseURL https://localhost:8443, got %s", c.baseURL)
}
if c.apiKey != "test-key" {
t.Errorf("expected apiKey test-key, got %s", c.apiKey)
@@ -44,7 +57,7 @@ func TestClient_Get(t *testing.T) {
}))
defer server.Close()
c := NewClient(server.URL, "test-key")
c, _ := NewClient(server.URL, "test-key", "", false)
data, err := c.Get("/api/v1/certificates", map[string][]string{"status": {"Active"}})
if err != nil {
t.Fatalf("unexpected error: %v", err)
@@ -64,7 +77,7 @@ func TestClient_Get_NoAuth(t *testing.T) {
}))
defer server.Close()
c := NewClient(server.URL, "")
c, _ := NewClient(server.URL, "", "", false)
_, err := c.Get("/api/v1/certificates", nil)
if err != nil {
t.Fatalf("unexpected error: %v", err)
@@ -95,7 +108,7 @@ func TestClient_Post(t *testing.T) {
}))
defer server.Close()
c := NewClient(server.URL, "test-key")
c, _ := NewClient(server.URL, "test-key", "", false)
data, err := c.Post("/api/v1/certificates", map[string]string{"name": "test-cert"})
if err != nil {
t.Fatalf("unexpected error: %v", err)
@@ -120,7 +133,7 @@ func TestClient_Put(t *testing.T) {
}))
defer server.Close()
c := NewClient(server.URL, "test-key")
c, _ := NewClient(server.URL, "test-key", "", false)
data, err := c.Put("/api/v1/certificates/mc-test", map[string]string{"name": "updated"})
if err != nil {
t.Fatalf("unexpected error: %v", err)
@@ -139,7 +152,7 @@ func TestClient_Delete_204(t *testing.T) {
}))
defer server.Close()
c := NewClient(server.URL, "test-key")
c, _ := NewClient(server.URL, "test-key", "", false)
data, err := c.Delete("/api/v1/certificates/mc-test")
if err != nil {
t.Fatalf("unexpected error: %v", err)
@@ -161,7 +174,7 @@ func TestClient_ErrorResponse(t *testing.T) {
}))
defer server.Close()
c := NewClient(server.URL, "test-key")
c, _ := NewClient(server.URL, "test-key", "", false)
_, err := c.Get("/api/v1/certificates/nonexistent", nil)
if err == nil {
t.Fatal("expected error for 404 response")
@@ -179,7 +192,7 @@ func TestClient_ServerError(t *testing.T) {
}))
defer server.Close()
c := NewClient(server.URL, "test-key")
c, _ := NewClient(server.URL, "test-key", "", false)
_, err := c.Post("/api/v1/certificates", map[string]string{"name": "test"})
if err == nil {
t.Fatal("expected error for 500 response")
@@ -202,7 +215,7 @@ func TestClient_GetRaw(t *testing.T) {
}))
defer server.Close()
c := NewClient(server.URL, "test-key")
c, _ := NewClient(server.URL, "test-key", "", false)
data, contentType, err := c.GetRaw("/.well-known/pki/crl/iss-local")
if err != nil {
t.Fatalf("unexpected error: %v", err)
@@ -222,7 +235,7 @@ func TestClient_GetRaw_Error(t *testing.T) {
}))
defer server.Close()
c := NewClient(server.URL, "test-key")
c, _ := NewClient(server.URL, "test-key", "", false)
_, _, err := c.GetRaw("/.well-known/pki/crl/nonexistent")
if err == nil {
t.Fatal("expected error for 404 response")
@@ -230,7 +243,7 @@ func TestClient_GetRaw_Error(t *testing.T) {
}
func TestClient_ConnectionRefused(t *testing.T) {
c := NewClient("http://localhost:1", "test-key")
c, _ := NewClient("https://localhost:1", "test-key", "", false)
_, err := c.Get("/api/v1/certificates", nil)
if err == nil {
t.Fatal("expected error for connection refused")
@@ -247,7 +260,7 @@ func TestClient_PostNilBody(t *testing.T) {
}))
defer server.Close()
c := NewClient(server.URL, "test-key")
c, _ := NewClient(server.URL, "test-key", "", false)
data, err := c.Post("/api/v1/certificates/mc-test/renew", nil)
if err != nil {
t.Fatalf("unexpected error: %v", err)
@@ -270,7 +283,7 @@ func TestClient_QueryParams(t *testing.T) {
}))
defer server.Close()
c := NewClient(server.URL, "test-key")
c, _ := NewClient(server.URL, "test-key", "", false)
q := paginationQuery(2, 10)
_, err := c.Get("/api/v1/certificates", q)
if err != nil {
@@ -287,3 +300,223 @@ func containsStr(s, substr string) bool {
}
return false
}
// generateTestCert produces a short-lived self-signed RSA-2048 certificate for
// tests that need a PEM-encodable cert. Mirrors the helper used in
// internal/cli/client_test.go so the two packages pin the same HTTPS-Everywhere
// TLS-wiring contract against matching test fixtures.
func generateTestCert() *x509.Certificate {
now := time.Now()
template := &x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{
CommonName: "test.certctl.local",
},
NotBefore: now,
NotAfter: now.Add(365 * 24 * time.Hour),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
DNSNames: []string{"test.certctl.local"},
}
privateKey, _ := rsa.GenerateKey(rand.Reader, 2048)
certBytes, _ := x509.CreateCertificate(rand.Reader, template, template, &privateKey.PublicKey, privateKey)
cert, _ := x509.ParseCertificate(certBytes)
return cert
}
// -----------------------------------------------------------------------------
// HTTPS-Everywhere milestone (v2.2, §3.2 + §7 Phase 5):
// The MCP server binary talks HTTPS-only to the certctl control plane. These
// tests pin the three contracts every client binary (agent, CLI, MCP) must
// satisfy in lock-step:
// (a) CA bundle load success — PEM loads, RootCAs + MinVersion=TLS1.3 wired
// through the injected *http.Transport so the httpClient actually uses
// them on the wire, not just in the struct.
// (b) CA bundle load failure — missing file and malformed/empty PEM each fail
// loud with a pinned substring so operators get a useful diagnostic.
// (c) End-to-end TLS round-trip — an httptest.NewTLSServer whose own cert is
// written out as the CA bundle validates that every TLS-config knob
// actually flows into the dialer.
// The substrings below must stay in sync with internal/mcp/client.go:NewClient;
// drifting them in isolation is exactly what this suite is here to catch.
// -----------------------------------------------------------------------------
// writeCABundle PEM-encodes a DER cert and writes it to a temp file under the
// test's own TempDir. Returns the absolute path for piping into NewClient.
func writeCABundle(t *testing.T, dir string, certDER []byte, filename string) string {
t.Helper()
path := filepath.Join(dir, filename)
pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
if err := os.WriteFile(path, pemBytes, 0o600); err != nil {
t.Fatalf("writing CA bundle to %q: %v", path, err)
}
return path
}
// TestNewClient_CABundle_Success pins the happy path: a valid PEM CA bundle
// loads, populates RootCAs on the client's TLS config, and leaves
// MinVersion=TLS1.3 intact. Regression guard for any future edit that
// accidentally swaps the transport or detaches *tls.Config from *http.Transport.
func TestNewClient_CABundle_Success(t *testing.T) {
cert := generateTestCert()
tmp := t.TempDir()
bundlePath := writeCABundle(t, tmp, cert.Raw, "ca.pem")
client, err := NewClient("https://certctl-server:8443", "test-key", bundlePath, false)
if err != nil {
t.Fatalf("NewClient with valid CA bundle err=%v want nil", err)
}
if client == nil {
t.Fatal("NewClient returned nil client on happy path")
}
transport, ok := client.httpClient.Transport.(*http.Transport)
if !ok {
t.Fatalf("httpClient.Transport type=%T want *http.Transport (TLS config injection broke)", client.httpClient.Transport)
}
if transport.TLSClientConfig == nil {
t.Fatal("transport.TLSClientConfig is nil; TLS config must be set on every client")
}
if transport.TLSClientConfig.RootCAs == nil {
t.Fatal("transport.TLSClientConfig.RootCAs is nil; CA bundle path was ignored")
}
if transport.TLSClientConfig.MinVersion != tls.VersionTLS13 {
t.Errorf("MinVersion=%d want tls.VersionTLS13 (%d); HTTPS-Everywhere requires TLS1.3 floor",
transport.TLSClientConfig.MinVersion, tls.VersionTLS13)
}
if transport.TLSClientConfig.InsecureSkipVerify {
t.Error("InsecureSkipVerify=true with insecure=false arg; flag wiring crossed")
}
}
// TestNewClient_CABundle_MissingFile pins the fail-loud path for a nonexistent
// bundle path. The error surface must include "reading CA bundle" so operators
// see the right diagnostic instead of a downstream TLS-handshake-error.
func TestNewClient_CABundle_MissingFile(t *testing.T) {
_, err := NewClient("https://certctl-server:8443", "test-key", "/nonexistent/path/ca.pem", false)
if err == nil {
t.Fatal("NewClient with missing CA bundle err=nil; must fail loud so operators see the right diagnostic")
}
if !containsStr(err.Error(), "reading CA bundle") {
t.Errorf("err=%q must contain %q so operators can locate the misconfigured path", err.Error(), "reading CA bundle")
}
}
// TestNewClient_CABundle_EmptyPEM pins the fail-loud path for a file whose
// contents are not valid PEM. AppendCertsFromPEM returning false is the signal
// we need to surface — otherwise the client would silently ship with an empty
// cert pool and every TLS handshake would fail downstream.
func TestNewClient_CABundle_EmptyPEM(t *testing.T) {
tmp := t.TempDir()
garbagePath := filepath.Join(tmp, "garbage.pem")
if err := os.WriteFile(garbagePath, []byte("not a pem certificate, just bytes"), 0o600); err != nil {
t.Fatalf("writing garbage file: %v", err)
}
_, err := NewClient("https://certctl-server:8443", "test-key", garbagePath, false)
if err == nil {
t.Fatal("NewClient with malformed PEM err=nil; must fail loud, not silently skip")
}
if !containsStr(err.Error(), "no valid PEM-encoded certificates") {
t.Errorf("err=%q must contain %q so operators know the file parsed but held no certs",
err.Error(), "no valid PEM-encoded certificates")
}
}
// TestNewClient_TLSRoundTrip validates that the TLS config knobs we set on
// NewClient actually reach the wire. An httptest.NewTLSServer signs its own
// self-signed leaf; we PEM-encode that server cert, write it as the CA bundle,
// and issue a real HTTPS GET via c.Get. A successful round-trip proves RootCAs
// + MinVersion are flowing through *http.Transport into the dialer, not just
// surviving into the client struct.
func TestNewClient_TLSRoundTrip(t *testing.T) {
var handlerHit int
server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.Method == http.MethodGet && r.URL.Path == "/api/v1/certificates" {
handlerHit++
w.Header().Set("Content-Type", "application/json")
_ = json.NewEncoder(w).Encode(map[string]interface{}{
"data": []interface{}{},
"total": 0,
})
return
}
w.WriteHeader(http.StatusNotFound)
}))
defer server.Close()
serverCert := server.Certificate()
if serverCert == nil {
t.Fatal("httptest.NewTLSServer.Certificate() returned nil; cannot build CA bundle")
}
tmp := t.TempDir()
bundlePath := writeCABundle(t, tmp, serverCert.Raw, "server-ca.pem")
client, err := NewClient(server.URL, "test-key", bundlePath, false)
if err != nil {
t.Fatalf("NewClient(TLS server) err=%v want nil", err)
}
data, err := client.Get("/api/v1/certificates", nil)
if err != nil {
t.Fatalf("Get over HTTPS err=%v; TLS config must reach the wire", err)
}
if data == nil {
t.Fatal("Get over HTTPS returned nil data; want non-empty JSON body")
}
if handlerHit != 1 {
t.Errorf("handlerHit=%d want 1; request did not reach the TLS server", handlerHit)
}
}
// TestNewClient_InsecureSkipVerify pins the dev-only escape hatch: an untrusted
// TLS server (cert NOT in the client's root pool) must be reachable when
// insecure=true. This is the only path in the control plane that disables
// certificate verification; it's documented in docs/tls.md and gated by the
// CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY env var so it never slips into
// production silently.
func TestNewClient_InsecureSkipVerify(t *testing.T) {
var handlerHit int
server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
handlerHit++
w.Header().Set("Content-Type", "application/json")
_ = json.NewEncoder(w).Encode(map[string]interface{}{
"data": []interface{}{},
"total": 0,
})
}))
defer server.Close()
// No CA bundle → system roots, which will NOT trust the self-signed
// httptest cert. insecure=true is the only thing keeping this call from
// failing with an x509-unknown-authority error.
client, err := NewClient(server.URL, "test-key", "", true)
if err != nil {
t.Fatalf("NewClient(insecure=true) err=%v want nil", err)
}
transport, ok := client.httpClient.Transport.(*http.Transport)
if !ok {
t.Fatalf("httpClient.Transport type=%T want *http.Transport", client.httpClient.Transport)
}
if !transport.TLSClientConfig.InsecureSkipVerify {
t.Fatal("insecure=true arg did not set TLSClientConfig.InsecureSkipVerify; flag wiring broken")
}
if transport.TLSClientConfig.MinVersion != tls.VersionTLS13 {
t.Errorf("MinVersion=%d want tls.VersionTLS13 even with insecure=true (TLS1.3 floor is not optional)",
transport.TLSClientConfig.MinVersion)
}
data, err := client.Get("/api/v1/certificates", nil)
if err != nil {
t.Fatalf("Get(insecure=true) err=%v; escape hatch must still complete the round-trip", err)
}
if data == nil {
t.Fatal("Get(insecure=true) returned nil data; want non-empty JSON body")
}
if handlerHit != 1 {
t.Errorf("handlerHit=%d want 1; insecure round-trip did not reach the server", handlerHit)
}
}
internal/mcp/retire_agent_test.go
+4 -4
View File
@@ -44,7 +44,7 @@ func TestClient_DeleteWithQuery_ForceRetire(t *testing.T) {
}))
defer server.Close()
c := NewClient(server.URL, "test-key")
c, _ := NewClient(server.URL, "test-key", "", false)
// Compile-fail until Phase 2b grows Client.DeleteWithQuery. Passing the
// query as a url.Values is the established pattern (matches Get's shape).
query := url.Values{}
@@ -87,7 +87,7 @@ func TestClient_DeleteWithQuery_NoQuery(t *testing.T) {
}))
defer server.Close()
c := NewClient(server.URL, "")
c, _ := NewClient(server.URL, "", "", false)
if _, err := c.DeleteWithQuery("/api/v1/agents/ag-1", nil); err != nil {
t.Fatalf("DeleteWithQuery(nil query) err=%v want nil", err)
}
@@ -108,7 +108,7 @@ func TestClient_DeleteWithQuery_204ReturnsMinimalBody(t *testing.T) {
}))
defer server.Close()
c := NewClient(server.URL, "")
c, _ := NewClient(server.URL, "", "", false)
data, err := c.DeleteWithQuery("/api/v1/agents/ag-1", nil)
if err != nil {
t.Fatalf("DeleteWithQuery(204) err=%v want nil (idempotent)", err)
@@ -141,7 +141,7 @@ func TestClient_DeleteWithQuery_409PropagatesError(t *testing.T) {
}))
defer server.Close()
c := NewClient(server.URL, "")
c, _ := NewClient(server.URL, "", "", false)
_, err := c.DeleteWithQuery("/api/v1/agents/ag-1", nil)
if err == nil {
t.Fatalf("DeleteWithQuery(409) err=nil; 409 must propagate as Go error")
internal/mcp/tools_test.go
+10 -10
View File
@@ -88,7 +88,7 @@ func TestRegisterTools_ToolCount(t *testing.T) {
api := mockCertctlAPI(log)
defer api.Close()
client := NewClient(api.URL, "test-key")
client, _ := NewClient(api.URL, "test-key", "", false)
RegisterTools(server, client)
// The server should have tools registered — we can verify by listing them
@@ -166,7 +166,7 @@ func TestToolEndToEnd_ListCertificates(t *testing.T) {
api := mockCertctlAPI(log)
defer api.Close()
client := NewClient(api.URL, "test-key")
client, _ := NewClient(api.URL, "test-key", "", false)
// Manually call the handler logic that would be registered as a tool
q := paginationQuery(1, 50)
@@ -204,7 +204,7 @@ func TestToolEndToEnd_CreateCertificate(t *testing.T) {
api := mockCertctlAPI(log)
defer api.Close()
client := NewClient(api.URL, "test-key")
client, _ := NewClient(api.URL, "test-key", "", false)
input := CreateCertificateInput{
Name: "API Production",
@@ -244,7 +244,7 @@ func TestToolEndToEnd_TriggerRenewal(t *testing.T) {
api := mockCertctlAPI(log)
defer api.Close()
client := NewClient(api.URL, "test-key")
client, _ := NewClient(api.URL, "test-key", "", false)
data, err := client.Post("/api/v1/certificates/mc-api-prod/renew", nil)
if err != nil {
t.Fatalf("unexpected error: %v", err)
@@ -272,7 +272,7 @@ func TestToolEndToEnd_DeleteTarget(t *testing.T) {
api := mockCertctlAPI(log)
defer api.Close()
client := NewClient(api.URL, "test-key")
client, _ := NewClient(api.URL, "test-key", "", false)
data, err := client.Delete("/api/v1/targets/t-platform")
if err != nil {
t.Fatalf("unexpected error: %v", err)
@@ -300,7 +300,7 @@ func TestToolEndToEnd_RevokeCertificate(t *testing.T) {
api := mockCertctlAPI(log)
defer api.Close()
client := NewClient(api.URL, "test-key")
client, _ := NewClient(api.URL, "test-key", "", false)
input := RevokeCertificateInput{
ID: "mc-api-prod",
Reason: "keyCompromise",
@@ -327,7 +327,7 @@ func TestToolEndToEnd_AgentHeartbeat(t *testing.T) {
api := mockCertctlAPI(log)
defer api.Close()
client := NewClient(api.URL, "test-key")
client, _ := NewClient(api.URL, "test-key", "", false)
_, err := client.Post("/api/v1/agents/agent-001/heartbeat", map[string]string{
"os": "linux",
"architecture": "amd64",
@@ -347,7 +347,7 @@ func TestToolEndToEnd_ListWithFilters(t *testing.T) {
api := mockCertctlAPI(log)
defer api.Close()
client := NewClient(api.URL, "test-key")
client, _ := NewClient(api.URL, "test-key", "", false)
q := paginationQuery(1, 25)
q.Set("status", "Pending")
q.Set("type", "Renewal")
@@ -377,7 +377,7 @@ func TestToolEndToEnd_GetRawBinary(t *testing.T) {
}))
defer server.Close()
client := NewClient(server.URL, "test-key")
client, _ := NewClient(server.URL, "test-key", "", false)
data, ct, err := client.GetRaw("/.well-known/pki/crl/iss-local")
if err != nil {
t.Fatalf("unexpected error: %v", err)
@@ -397,7 +397,7 @@ func TestToolEndToEnd_ErrorPropagation(t *testing.T) {
}))
defer server.Close()
client := NewClient(server.URL, "test-key")
client, _ := NewClient(server.URL, "test-key", "", false)
_, err := client.Get("/api/v1/certificates", nil)
if err == nil {
t.Fatal("expected error for 403 response")