feat: M15a — certificate revocation API, CRL endpoint, and revocation notifications

Implements core revocation infrastructure: POST /api/v1/certificates/{id}/revoke with all 8 RFC 5280 reason codes, JSON-formatted CRL at GET /api/v1/crl, webhook and email revocation notifications, best-effort issuer notification, and immutable revocation audit trail. Includes 48 new tests across service, handler, integration, and domain layers (600+ total). Fixes 3 pre-existing test bugs (team_test error matching, agent_group delete status code, team handler per_page validation). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-10 07:19:00 +00:00 · 2026-03-22 10:59:18 -04:00
parent d881403d11
commit 5d98e373e3
27 changed files with 1710 additions and 37 deletions
@@ -85,7 +85,7 @@ func (r *CertificateRepository) List(ctx context.Context, filter *repository.Cer
 	offset := (filter.Page - 1) * filter.PerPage
 	query := fmt.Sprintf(`
 		SELECT id, name, common_name, sans, environment, owner_id, team_id, issuer_id, renewal_policy_id,
-		       certificate_profile_id, status, expires_at, tags, last_renewal_at, last_deployment_at, created_at, updated_at
+		       certificate_profile_id, status, expires_at, tags, last_renewal_at, last_deployment_at, revoked_at, revocation_reason, created_at, updated_at
 		FROM managed_certificates
 		%s
 		ORDER BY created_at DESC
@@ -120,7 +120,7 @@ func (r *CertificateRepository) List(ctx context.Context, filter *repository.Cer
 func (r *CertificateRepository) Get(ctx context.Context, id string) (*domain.ManagedCertificate, error) {
 	row := r.db.QueryRowContext(ctx, `
 		SELECT id, name, common_name, sans, environment, owner_id, team_id, issuer_id, renewal_policy_id,
-		       certificate_profile_id, status, expires_at, tags, last_renewal_at, last_deployment_at, created_at, updated_at
+		       certificate_profile_id, status, expires_at, tags, last_renewal_at, last_deployment_at, revoked_at, revocation_reason, created_at, updated_at
 		FROM managed_certificates
 		WHERE id = $1
 	`, id)
@@ -152,16 +152,23 @@ func (r *CertificateRepository) Create(ctx context.Context, cert *domain.Managed
 		profileID = &cert.CertificateProfileID
 	}

+	var revocationReason *string
+	if cert.RevocationReason != "" {
+		revocationReason = &cert.RevocationReason
+	}
+
 	err = r.db.QueryRowContext(ctx, `
 		INSERT INTO managed_certificates (
 			id, name, common_name, sans, environment, owner_id, team_id, issuer_id, renewal_policy_id,
-			certificate_profile_id, status, expires_at, tags, last_renewal_at, last_deployment_at, created_at, updated_at
-		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17)
+			certificate_profile_id, status, expires_at, tags, last_renewal_at, last_deployment_at, revoked_at, revocation_reason, created_at, updated_at
+		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19)
 		RETURNING id
 	`, cert.ID, cert.Name, cert.CommonName, pq.Array(cert.SANs), cert.Environment,
 		cert.OwnerID, cert.TeamID, cert.IssuerID, cert.RenewalPolicyID, profileID,
 		cert.Status, cert.ExpiresAt,
-		tagsJSON, cert.LastRenewalAt, cert.LastDeploymentAt, cert.CreatedAt, cert.UpdatedAt).Scan(&cert.ID)
+		tagsJSON, cert.LastRenewalAt, cert.LastDeploymentAt,
+		cert.RevokedAt, revocationReason,
+		cert.CreatedAt, cert.UpdatedAt).Scan(&cert.ID)

 	if err != nil {
 		return fmt.Errorf("failed to create certificate: %w", err)
@@ -182,6 +189,11 @@ func (r *CertificateRepository) Update(ctx context.Context, cert *domain.Managed
 		profileID = &cert.CertificateProfileID
 	}

+	var revocationReason *string
+	if cert.RevocationReason != "" {
+		revocationReason = &cert.RevocationReason
+	}
+
 	result, err := r.db.ExecContext(ctx, `
 		UPDATE managed_certificates SET
 			name = $1,
@@ -197,11 +209,14 @@ func (r *CertificateRepository) Update(ctx context.Context, cert *domain.Managed
 			tags = $11,
 			last_renewal_at = $12,
 			last_deployment_at = $13,
-			updated_at = $14
-		WHERE id = $15
+			revoked_at = $14,
+			revocation_reason = $15,
+			updated_at = $16
+		WHERE id = $17
 	`, cert.Name, cert.CommonName, pq.Array(cert.SANs), cert.Environment,
 		cert.OwnerID, cert.TeamID, cert.IssuerID, profileID, cert.Status, cert.ExpiresAt,
-		tagsJSON, cert.LastRenewalAt, cert.LastDeploymentAt, cert.UpdatedAt, cert.ID)
+		tagsJSON, cert.LastRenewalAt, cert.LastDeploymentAt,
+		cert.RevokedAt, revocationReason, cert.UpdatedAt, cert.ID)

 	if err != nil {
 		return fmt.Errorf("failed to update certificate: %w", err)
@@ -299,7 +314,7 @@ func (r *CertificateRepository) CreateVersion(ctx context.Context, version *doma
 func (r *CertificateRepository) GetExpiringCertificates(ctx context.Context, before time.Time) ([]*domain.ManagedCertificate, error) {
 	rows, err := r.db.QueryContext(ctx, `
 		SELECT id, name, common_name, sans, environment, owner_id, team_id, issuer_id, renewal_policy_id,
-		       certificate_profile_id, status, expires_at, tags, last_renewal_at, last_deployment_at, created_at, updated_at
+		       certificate_profile_id, status, expires_at, tags, last_renewal_at, last_deployment_at, revoked_at, revocation_reason, created_at, updated_at
 		FROM managed_certificates
 		WHERE expires_at < $1 AND status != $2
 		ORDER BY expires_at ASC
@@ -326,6 +341,26 @@ func (r *CertificateRepository) GetExpiringCertificates(ctx context.Context, bef
 	return certs, nil
 }

+// GetLatestVersion returns the most recent certificate version for a certificate.
+func (r *CertificateRepository) GetLatestVersion(ctx context.Context, certID string) (*domain.CertificateVersion, error) {
+	var v domain.CertificateVersion
+	err := r.db.QueryRowContext(ctx, `
+		SELECT id, certificate_id, serial_number, not_before, not_after,
+		       fingerprint_sha256, pem_chain, csr_pem, key_algorithm, key_size, created_at
+		FROM certificate_versions
+		WHERE certificate_id = $1
+		ORDER BY created_at DESC
+		LIMIT 1
+	`, certID).Scan(&v.ID, &v.CertificateID, &v.SerialNumber, &v.NotBefore, &v.NotAfter,
+		&v.FingerprintSHA256, &v.PEMChain, &v.CSRPEM, &v.KeyAlgorithm, &v.KeySize, &v.CreatedAt)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to get latest certificate version: %w", err)
+	}
+
+	return &v, nil
+}
+
 // scanCertificate scans a certificate from a row or rows
 func scanCertificate(scanner interface {
 	Scan(...interface{}) error
@@ -334,12 +369,14 @@ func scanCertificate(scanner interface {
 	var tagsJSON []byte
 	var sans pq.StringArray
 	var profileID sql.NullString
+	var revocationReason sql.NullString

 	err := scanner.Scan(
 		&cert.ID, &cert.Name, &cert.CommonName, &sans, &cert.Environment, &cert.OwnerID,
 		&cert.TeamID, &cert.IssuerID, &cert.RenewalPolicyID, &profileID,
 		&cert.Status, &cert.ExpiresAt, &tagsJSON,
-		&cert.LastRenewalAt, &cert.LastDeploymentAt, &cert.CreatedAt, &cert.UpdatedAt)
+		&cert.LastRenewalAt, &cert.LastDeploymentAt, &cert.RevokedAt, &revocationReason,
+		&cert.CreatedAt, &cert.UpdatedAt)

 	if err != nil {
 		return nil, fmt.Errorf("failed to scan certificate: %w", err)
@@ -349,6 +386,9 @@ func scanCertificate(scanner interface {
 	if profileID.Valid {
 		cert.CertificateProfileID = profileID.String
 	}
+	if revocationReason.Valid {
+		cert.RevocationReason = revocationReason.String
+	}

 	// Unmarshal tags
 	if len(tagsJSON) > 0 {
@@ -0,0 +1,130 @@
+package postgres
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+// RevocationRepository implements repository.RevocationRepository using PostgreSQL.
+type RevocationRepository struct {
+	db *sql.DB
+}
+
+// NewRevocationRepository creates a new RevocationRepository.
+func NewRevocationRepository(db *sql.DB) *RevocationRepository {
+	return &RevocationRepository{db: db}
+}
+
+// Create records a new certificate revocation.
+func (r *RevocationRepository) Create(ctx context.Context, revocation *domain.CertificateRevocation) error {
+	_, err := r.db.ExecContext(ctx, `
+		INSERT INTO certificate_revocations (
+			id, certificate_id, serial_number, reason, revoked_by, revoked_at,
+			issuer_id, issuer_notified, created_at
+		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
+		ON CONFLICT (serial_number) DO NOTHING
+	`, revocation.ID, revocation.CertificateID, revocation.SerialNumber,
+		revocation.Reason, revocation.RevokedBy, revocation.RevokedAt,
+		revocation.IssuerID, revocation.IssuerNotified, revocation.CreatedAt)
+
+	if err != nil {
+		return fmt.Errorf("failed to create revocation record: %w", err)
+	}
+
+	return nil
+}
+
+// GetBySerial retrieves a revocation by serial number.
+func (r *RevocationRepository) GetBySerial(ctx context.Context, serial string) (*domain.CertificateRevocation, error) {
+	var rev domain.CertificateRevocation
+	err := r.db.QueryRowContext(ctx, `
+		SELECT id, certificate_id, serial_number, reason, revoked_by, revoked_at,
+		       issuer_id, issuer_notified, created_at
+		FROM certificate_revocations
+		WHERE serial_number = $1
+	`, serial).Scan(&rev.ID, &rev.CertificateID, &rev.SerialNumber,
+		&rev.Reason, &rev.RevokedBy, &rev.RevokedAt,
+		&rev.IssuerID, &rev.IssuerNotified, &rev.CreatedAt)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to get revocation by serial: %w", err)
+	}
+
+	return &rev, nil
+}
+
+// ListAll returns all revocations ordered by revocation time (for CRL generation).
+func (r *RevocationRepository) ListAll(ctx context.Context) ([]*domain.CertificateRevocation, error) {
+	rows, err := r.db.QueryContext(ctx, `
+		SELECT id, certificate_id, serial_number, reason, revoked_by, revoked_at,
+		       issuer_id, issuer_notified, created_at
+		FROM certificate_revocations
+		ORDER BY revoked_at ASC
+	`)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list revocations: %w", err)
+	}
+	defer rows.Close()
+
+	return scanRevocations(rows)
+}
+
+// ListByCertificate returns all revocations for a certificate.
+func (r *RevocationRepository) ListByCertificate(ctx context.Context, certID string) ([]*domain.CertificateRevocation, error) {
+	rows, err := r.db.QueryContext(ctx, `
+		SELECT id, certificate_id, serial_number, reason, revoked_by, revoked_at,
+		       issuer_id, issuer_notified, created_at
+		FROM certificate_revocations
+		WHERE certificate_id = $1
+		ORDER BY revoked_at ASC
+	`, certID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list revocations by certificate: %w", err)
+	}
+	defer rows.Close()
+
+	return scanRevocations(rows)
+}
+
+// MarkIssuerNotified updates the issuer_notified flag for a revocation.
+func (r *RevocationRepository) MarkIssuerNotified(ctx context.Context, id string) error {
+	result, err := r.db.ExecContext(ctx, `
+		UPDATE certificate_revocations SET issuer_notified = TRUE WHERE id = $1
+	`, id)
+	if err != nil {
+		return fmt.Errorf("failed to mark issuer notified: %w", err)
+	}
+
+	rows, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("failed to get rows affected: %w", err)
+	}
+
+	if rows == 0 {
+		return fmt.Errorf("revocation not found")
+	}
+
+	return nil
+}
+
+func scanRevocations(rows *sql.Rows) ([]*domain.CertificateRevocation, error) {
+	var revocations []*domain.CertificateRevocation
+	for rows.Next() {
+		var rev domain.CertificateRevocation
+		if err := rows.Scan(&rev.ID, &rev.CertificateID, &rev.SerialNumber,
+			&rev.Reason, &rev.RevokedBy, &rev.RevokedAt,
+			&rev.IssuerID, &rev.IssuerNotified, &rev.CreatedAt); err != nil {
+			return nil, fmt.Errorf("failed to scan revocation: %w", err)
+		}
+		revocations = append(revocations, &rev)
+	}
+
+	if err := rows.Err(); err != nil {
+		return nil, fmt.Errorf("error iterating revocation rows: %w", err)
+	}
+
+	return revocations, nil
+}