feat: M15a — certificate revocation API, CRL endpoint, and revocation notifications

Implements core revocation infrastructure: POST /api/v1/certificates/{id}/revoke with all 8 RFC 5280 reason codes, JSON-formatted CRL at GET /api/v1/crl, webhook and email revocation notifications, best-effort issuer notification, and immutable revocation audit trail. Includes 48 new tests across service, handler, integration, and domain layers (600+ total). Fixes 3 pre-existing test bugs (team_test error matching, agent_group delete status code, team handler per_page validation). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-07 17:41:29 +00:00 · 2026-03-22 10:59:18 -04:00
parent d881403d11
commit 5d98e373e3
27 changed files with 1710 additions and 37 deletions
@@ -248,8 +248,8 @@ func TestDeleteAgentGroup_Success(t *testing.T) {

 	h.DeleteAgentGroup(w, req)

-	if w.Code != http.StatusOK {
-		t.Fatalf("expected status 200, got %d", w.Code)
+	if w.Code != http.StatusNoContent {
+		t.Fatalf("expected status 204, got %d", w.Code)
 	}
 	if deletedID != "ag-linux" {
 		t.Errorf("expected deleted ID 'ag-linux', got '%s'", deletedID)
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -23,6 +24,8 @@ type MockCertificateService struct {
 	GetCertificateVersionsFn func(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error)
 	TriggerRenewalFn         func(certID string) error
 	TriggerDeploymentFn      func(certID string, targetID string) error
+	RevokeCertificateFn      func(certID string, reason string) error
+	GetRevokedCertificatesFn func() ([]*domain.CertificateRevocation, error)
 }

 func (m *MockCertificateService) ListCertificates(status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error) {
@@ -81,6 +84,20 @@ func (m *MockCertificateService) TriggerDeployment(certID string, targetID strin
 	return nil
 }

+func (m *MockCertificateService) RevokeCertificate(certID string, reason string) error {
+	if m.RevokeCertificateFn != nil {
+		return m.RevokeCertificateFn(certID, reason)
+	}
+	return nil
+}
+
+func (m *MockCertificateService) GetRevokedCertificates() ([]*domain.CertificateRevocation, error) {
+	if m.GetRevokedCertificatesFn != nil {
+		return m.GetRevokedCertificatesFn()
+	}
+	return nil, nil
+}
+
 // Helper function to create context with request ID.
 func contextWithRequestID() context.Context {
 	return context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id-123")
@@ -708,3 +725,320 @@ func TestListCertificates_PerPageExceedsMax(t *testing.T) {
 		t.Errorf("expected status %d, got %d", http.StatusOK, w.Code)
 	}
 }
+
+// === Revocation Handler Tests ===
+
+func TestRevokeCertificate_Handler_Success(t *testing.T) {
+	mock := &MockCertificateService{
+		RevokeCertificateFn: func(certID string, reason string) error {
+			if certID != "mc-prod-001" {
+				t.Errorf("expected certID mc-prod-001, got %s", certID)
+			}
+			if reason != "keyCompromise" {
+				t.Errorf("expected reason keyCompromise, got %s", reason)
+			}
+			return nil
+		},
+	}
+
+	handler := NewCertificateHandler(mock)
+	body := `{"reason":"keyCompromise"}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/mc-prod-001/revoke", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.RevokeCertificate(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected status %d, got %d", http.StatusOK, w.Code)
+	}
+
+	var resp map[string]string
+	json.NewDecoder(w.Body).Decode(&resp)
+	if resp["status"] != "revoked" {
+		t.Errorf("expected status 'revoked', got %s", resp["status"])
+	}
+}
+
+func TestRevokeCertificate_Handler_NoBody(t *testing.T) {
+	mock := &MockCertificateService{
+		RevokeCertificateFn: func(certID string, reason string) error {
+			// Empty reason is OK — service defaults to "unspecified"
+			return nil
+		},
+	}
+
+	handler := NewCertificateHandler(mock)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/mc-prod-001/revoke", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.RevokeCertificate(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected status %d, got %d", http.StatusOK, w.Code)
+	}
+}
+
+func TestRevokeCertificate_Handler_AlreadyRevoked(t *testing.T) {
+	mock := &MockCertificateService{
+		RevokeCertificateFn: func(certID string, reason string) error {
+			return fmt.Errorf("certificate is already revoked")
+		},
+	}
+
+	handler := NewCertificateHandler(mock)
+	body := `{"reason":"keyCompromise"}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/mc-prod-001/revoke", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.RevokeCertificate(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected status %d, got %d", http.StatusBadRequest, w.Code)
+	}
+}
+
+func TestRevokeCertificate_Handler_NotFound(t *testing.T) {
+	mock := &MockCertificateService{
+		RevokeCertificateFn: func(certID string, reason string) error {
+			return fmt.Errorf("failed to fetch certificate: not found")
+		},
+	}
+
+	handler := NewCertificateHandler(mock)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/nonexistent/revoke", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.RevokeCertificate(w, req)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("expected status %d, got %d", http.StatusNotFound, w.Code)
+	}
+}
+
+func TestRevokeCertificate_Handler_InvalidReason(t *testing.T) {
+	mock := &MockCertificateService{
+		RevokeCertificateFn: func(certID string, reason string) error {
+			return fmt.Errorf("invalid revocation reason: badReason")
+		},
+	}
+
+	handler := NewCertificateHandler(mock)
+	body := `{"reason":"badReason"}`
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/mc-prod-001/revoke", bytes.NewBufferString(body))
+	req.Header.Set("Content-Type", "application/json")
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.RevokeCertificate(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected status %d, got %d", http.StatusBadRequest, w.Code)
+	}
+}
+
+func TestRevokeCertificate_Handler_InvalidBody(t *testing.T) {
+	mock := &MockCertificateService{}
+	handler := NewCertificateHandler(mock)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/mc-prod-001/revoke", bytes.NewBufferString("{invalid json"))
+	req.Header.Set("Content-Type", "application/json")
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.RevokeCertificate(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected status %d, got %d", http.StatusBadRequest, w.Code)
+	}
+}
+
+func TestRevokeCertificate_Handler_MethodNotAllowed(t *testing.T) {
+	mock := &MockCertificateService{}
+	handler := NewCertificateHandler(mock)
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/certificates/mc-prod-001/revoke", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.RevokeCertificate(w, req)
+
+	if w.Code != http.StatusMethodNotAllowed {
+		t.Errorf("expected status %d, got %d", http.StatusMethodNotAllowed, w.Code)
+	}
+}
+
+func TestRevokeCertificate_Handler_EmptyID(t *testing.T) {
+	mock := &MockCertificateService{}
+	handler := NewCertificateHandler(mock)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates//revoke", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.RevokeCertificate(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected status %d, got %d", http.StatusBadRequest, w.Code)
+	}
+}
+
+func TestRevokeCertificate_Handler_CannotRevokeArchived(t *testing.T) {
+	mock := &MockCertificateService{
+		RevokeCertificateFn: func(certID string, reason string) error {
+			return fmt.Errorf("cannot revoke archived certificate")
+		},
+	}
+
+	handler := NewCertificateHandler(mock)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/mc-archived/revoke", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.RevokeCertificate(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected status %d, got %d", http.StatusBadRequest, w.Code)
+	}
+}
+
+func TestRevokeCertificate_Handler_ServerError(t *testing.T) {
+	mock := &MockCertificateService{
+		RevokeCertificateFn: func(certID string, reason string) error {
+			return fmt.Errorf("database connection lost")
+		},
+	}
+
+	handler := NewCertificateHandler(mock)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/mc-prod-001/revoke", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.RevokeCertificate(w, req)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("expected status %d, got %d", http.StatusInternalServerError, w.Code)
+	}
+}
+
+// === CRL Handler Tests ===
+
+func TestGetCRL_Success(t *testing.T) {
+	mock := &MockCertificateService{
+		GetRevokedCertificatesFn: func() ([]*domain.CertificateRevocation, error) {
+			return []*domain.CertificateRevocation{
+				{
+					ID:            "rev-1",
+					CertificateID: "cert-1",
+					SerialNumber:  "ABC123",
+					Reason:        "keyCompromise",
+					RevokedAt:     time.Date(2026, 3, 20, 10, 0, 0, 0, time.UTC),
+				},
+				{
+					ID:            "rev-2",
+					CertificateID: "cert-2",
+					SerialNumber:  "DEF456",
+					Reason:        "superseded",
+					RevokedAt:     time.Date(2026, 3, 21, 14, 30, 0, 0, time.UTC),
+				},
+			}, nil
+		},
+	}
+
+	handler := NewCertificateHandler(mock)
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/crl", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.GetCRL(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected status %d, got %d", http.StatusOK, w.Code)
+	}
+
+	var resp map[string]interface{}
+	json.NewDecoder(w.Body).Decode(&resp)
+
+	if resp["version"] != float64(1) {
+		t.Errorf("expected version 1, got %v", resp["version"])
+	}
+	if resp["total"] != float64(2) {
+		t.Errorf("expected total 2, got %v", resp["total"])
+	}
+
+	entries, ok := resp["entries"].([]interface{})
+	if !ok {
+		t.Fatal("expected entries to be an array")
+	}
+	if len(entries) != 2 {
+		t.Errorf("expected 2 entries, got %d", len(entries))
+	}
+
+	entry1 := entries[0].(map[string]interface{})
+	if entry1["serial_number"] != "ABC123" {
+		t.Errorf("expected serial ABC123, got %v", entry1["serial_number"])
+	}
+	if entry1["revocation_reason"] != "keyCompromise" {
+		t.Errorf("expected reason keyCompromise, got %v", entry1["revocation_reason"])
+	}
+}
+
+func TestGetCRL_Empty(t *testing.T) {
+	mock := &MockCertificateService{
+		GetRevokedCertificatesFn: func() ([]*domain.CertificateRevocation, error) {
+			return nil, nil
+		},
+	}
+
+	handler := NewCertificateHandler(mock)
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/crl", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.GetCRL(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected status %d, got %d", http.StatusOK, w.Code)
+	}
+
+	var resp map[string]interface{}
+	json.NewDecoder(w.Body).Decode(&resp)
+	if resp["total"] != float64(0) {
+		t.Errorf("expected total 0, got %v", resp["total"])
+	}
+}
+
+func TestGetCRL_ServiceError(t *testing.T) {
+	mock := &MockCertificateService{
+		GetRevokedCertificatesFn: func() ([]*domain.CertificateRevocation, error) {
+			return nil, fmt.Errorf("revocation repository not configured")
+		},
+	}
+
+	handler := NewCertificateHandler(mock)
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/crl", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.GetCRL(w, req)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("expected status %d, got %d", http.StatusInternalServerError, w.Code)
+	}
+}
+
+func TestGetCRL_MethodNotAllowed(t *testing.T) {
+	mock := &MockCertificateService{}
+	handler := NewCertificateHandler(mock)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/crl", nil)
+	req = req.WithContext(contextWithRequestID())
+	w := httptest.NewRecorder()
+
+	handler.GetCRL(w, req)
+
+	if w.Code != http.StatusMethodNotAllowed {
+		t.Errorf("expected status %d, got %d", http.StatusMethodNotAllowed, w.Code)
+	}
+}
@@ -5,6 +5,7 @@ import (
 	"net/http"
 	"strconv"
 	"strings"
+	"time"

 	"github.com/shankar0123/certctl/internal/api/middleware"
 	"github.com/shankar0123/certctl/internal/domain"
@@ -20,6 +21,8 @@ type CertificateService interface {
 	GetCertificateVersions(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error)
 	TriggerRenewal(certID string) error
 	TriggerDeployment(certID string, targetID string) error
+	RevokeCertificate(certID string, reason string) error
+	GetRevokedCertificates() ([]*domain.CertificateRevocation, error)
 }

 // CertificateHandler handles HTTP requests for certificate operations.
@@ -350,3 +353,94 @@ func (h CertificateHandler) TriggerDeployment(w http.ResponseWriter, r *http.Req

 	JSON(w, http.StatusAccepted, response)
 }
+
+// RevokeCertificate revokes a certificate with an optional reason code.
+// POST /api/v1/certificates/{id}/revoke
+func (h CertificateHandler) RevokeCertificate(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
+		return
+	}
+
+	requestID := middleware.GetRequestID(r.Context())
+
+	// Extract certificate ID from path /api/v1/certificates/{id}/revoke
+	path := strings.TrimPrefix(r.URL.Path, "/api/v1/certificates/")
+	parts := strings.Split(path, "/")
+	if len(parts) < 2 || parts[0] == "" {
+		ErrorWithRequestID(w, http.StatusBadRequest, "Certificate ID is required", requestID)
+		return
+	}
+	certID := parts[0]
+
+	// Parse optional reason from request body
+	var req struct {
+		Reason string `json:"reason"`
+	}
+	if r.Body != nil && r.Header.Get("Content-Type") == "application/json" {
+		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+			ErrorWithRequestID(w, http.StatusBadRequest, "Invalid request body", requestID)
+			return
+		}
+	}
+
+	if err := h.svc.RevokeCertificate(certID, req.Reason); err != nil {
+		// Distinguish between client errors and server errors
+		errMsg := err.Error()
+		if strings.Contains(errMsg, "already revoked") ||
+			strings.Contains(errMsg, "cannot revoke") ||
+			strings.Contains(errMsg, "invalid revocation reason") {
+			ErrorWithRequestID(w, http.StatusBadRequest, errMsg, requestID)
+			return
+		}
+		if strings.Contains(errMsg, "not found") || strings.Contains(errMsg, "failed to fetch") {
+			ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
+			return
+		}
+		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to revoke certificate", requestID)
+		return
+	}
+
+	JSON(w, http.StatusOK, map[string]string{"status": "revoked"})
+}
+
+// GetCRL returns the Certificate Revocation List as structured JSON.
+// GET /api/v1/crl
+// Note: DER-encoded X.509 CRL generation (requiring CA key access) is planned for M15b
+// alongside the embedded OCSP responder. This endpoint provides the same data in JSON format.
+func (h CertificateHandler) GetCRL(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
+		return
+	}
+
+	requestID := middleware.GetRequestID(r.Context())
+
+	revocations, err := h.svc.GetRevokedCertificates()
+	if err != nil {
+		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to generate CRL", requestID)
+		return
+	}
+
+	type CRLEntry struct {
+		SerialNumber     string `json:"serial_number"`
+		RevocationDate   string `json:"revocation_date"`
+		RevocationReason string `json:"revocation_reason"`
+	}
+
+	entries := make([]CRLEntry, 0, len(revocations))
+	for _, rev := range revocations {
+		entries = append(entries, CRLEntry{
+			SerialNumber:     rev.SerialNumber,
+			RevocationDate:   rev.RevokedAt.Format("2006-01-02T15:04:05Z"),
+			RevocationReason: rev.Reason,
+		})
+	}
+
+	JSON(w, http.StatusOK, map[string]interface{}{
+		"version":      1,
+		"entries":      entries,
+		"total":        len(entries),
+		"generated_at": time.Now().UTC().Format("2006-01-02T15:04:05Z"),
+	})
+}
@@ -2,14 +2,12 @@ package handler

 import (
 	"bytes"
-	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"time"

-	"github.com/shankar0123/certctl/internal/api/middleware"
 	"github.com/shankar0123/certctl/internal/domain"
 )

@@ -551,8 +549,3 @@ func TestDeleteOwner_MethodNotAllowed(t *testing.T) {
 		t.Fatalf("expected status 405, got %d", w.Code)
 	}
 }
-
-// contextWithRequestID returns a context with a test request ID for use in tests.
-func contextWithRequestID() context.Context {
-	return context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id-123")
-}
@@ -2,14 +2,12 @@ package handler

 import (
 	"bytes"
-	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"time"

-	"github.com/shankar0123/certctl/internal/api/middleware"
 	"github.com/shankar0123/certctl/internal/domain"
 )

@@ -133,7 +131,8 @@ func TestListTeams_WithQueryParams(t *testing.T) {
 	}
 }

-// TestListTeams_PerPageMaxLimit tests that per_page is capped at 500.
+// TestListTeams_PerPageMaxLimit tests that per_page values exceeding 500 are rejected
+// and fall back to the default of 50 (the handler ignores invalid per_page values).
 func TestListTeams_PerPageMaxLimit(t *testing.T) {
 	var capturedPerPage int
 	mock := &MockTeamService{
@@ -150,8 +149,9 @@ func TestListTeams_PerPageMaxLimit(t *testing.T) {

 	handler.ListTeams(w, req)

-	if capturedPerPage != 500 {
-		t.Errorf("expected per_page capped at 500, got %d", capturedPerPage)
+	// Handler rejects per_page > 500 and falls back to default (50)
+	if capturedPerPage != 50 {
+		t.Errorf("expected per_page to fall back to default 50 for values > 500, got %d", capturedPerPage)
 	}
 }