gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 17:02:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

C-001 scope expansion: tighten parallel POST /api/v1/certificates call sites to six-field contract

Browse Source 
Problem:
a53a4b8 closed C-001 at the handler boundary by tightening the
ValidateRequired contract on POST /api/v1/certificates to require six
fields: name, common_name, renewal_policy_id, issuer_id, owner_id,
team_id. (Correction re-derived from source: the handler
ValidateRequired calls on owner_id/team_id/renewal_policy_id were
actually installed in 3287e17 under M-002/M-003/M-006 auth unification
— a53a4b8's commit message overstates scope.) Post-audit on
2026-04-18 found three parallel call sites still shipping
three-to-four-field payloads that the newly strict handler would
reject with HTTP 400:
  - GUI: OnboardingWizard CertificateStep (common_name + sans +
    issuer_id + environment only)
  - CLI: certctl-cli import (common_name + issuer_id + status only;
    no required-flag gating)
  - Tests: deploy/test/qa_test.go Part03 positive paths

Scope:
Bring every POST /api/v1/certificates caller to six-field parity. No
handler changes — the contract is authoritative; the callers must
conform.

Implementation:

  GUI — OnboardingWizard CertificateStep expansion:
    web/src/pages/OnboardingWizard.tsx adds name/owner_id/team_id/
    renewal_policy_id state. React Query hooks for getOwners/
    getTeams/getPolicies use per_page: '500' to populate dropdowns
    without pagination-driven truncation. Payload ships all six
    required fields plus sans/certificate_profile_id/environment.
    nextDisabled gate enforces all six before the Continue button
    activates.

  CLI — ImportCertificates rewrite:
    internal/cli/client.go rewrites ImportCertificates with
    flag.NewFlagSet("import", flag.ContinueOnError). Required flags:
    --owner-id, --team-id, --renewal-policy-id, --issuer-id. Optional:
    --name-template (default {cn}, templated via strings.ReplaceAll
    against cert.Subject.CommonName), --environment (default
    imported). Missing required flags fail pre-HTTP with a clear
    error. Request map ships all six required fields plus sans/
    environment/status/optional serial_number.
    cmd/cli/main.go — usage string updated to document the new
    required/optional flags.

  Tests — qa_test.go Part03 positive paths:
    deploy/test/qa_test.go Part03 Create_Minimal and Create_Full
    updated to include all six fields. Uses seed_demo.sql-supplied IDs
    (o-alice, t-platform, rp-standard) — docker-compose.demo.yml is
    the run context. C-001 explanatory comment added above
    Create_Minimal so future readers understand why the minimal
    payload is no longer minimal.

  MCP parity:
    Verified no-op. internal/mcp/types.go:28 CreateCertificateInput
    already declares all six fields; internal/mcp/tools.go:102
    forwards the typed struct unchanged.

Verification:

  Go CLI regression tests (internal/cli/client_test.go):
    * TestClient_ImportCertificates_MissingRequiredFlags — 5 subtests,
      one per missing required flag, confirms flag.ContinueOnError
      rejects with non-nil error before any HTTP call is attempted.
    * TestClient_ImportCertificates_MissingPositionalArgs — confirms
      the "usage: import <file>" error path when no PEM file is
      supplied after the flags.
    * TestClient_ImportCertificates_SixFieldPayload — uses httptest
      to decode the POST body and assert all six required fields
      plus sans/environment are present on the wire.

  Frontend regression test (web/src/api/client.test.ts):
    'createCertificate accepts and transmits all six required fields'
    pins the wire shape for both GUI call sites (OnboardingWizard
    CertificateStep + CertificatesPage CreateCertificateModal). If
    either UI surface accidentally drops a field, this assertion
    fails in CI rather than surfacing as a 400 at runtime.

  Grep-based call-site sweep:
    Enumerated every POST /api/v1/certificates create caller. Four
    total: OnboardingWizard, CertificatesPage, MCP tools, CLI import.
    All four now ship six-field payloads. Claim path
    (internal/service/discovery.go) updates existing rows and does
    not POST. EST/SCEP handlers invoke internal
    certService.CreateVersion, not the public API. Negative-path
    tests (qa_test.go:1085/1267/1274/1288/1298) remain valid: they
    assert 400/non-500 on oversized/malformed/missing-CN/UTF-8/empty
    bodies, and these properties still hold under the stricter
    handler.

  Static gates:
    go build ./..., go vet ./..., go test ./internal/cli/..., and
    cd web && npm run test deferred to operator pre-push — the Go
    toolchain is not available in the session sandbox. Grep-based
    verification confirms the syntactic shape of every changed file.

Residual:
None. Every POST /api/v1/certificates call site now conforms to the
six-field contract; the wire shape is pinned by both Go and
TypeScript regression tests.

Commit:
TBD-SHA (audit doc + CLAUDE.md carry TBD-SHA placeholders to be
amended after commit)
This commit is contained in:
shankar0123
2026-04-19 00:25:10 +00:00
parent 0200c7f4a4
commit 91642e2860
6 changed files with 372 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files
web/src/api/client.test.ts
+33
View File
@@ -288,6 +288,39 @@ describe('API Client', () => {
expect(JSON.parse(init.body)).toEqual(certData);
});
// C-001 scope-expansion regression: the OnboardingWizard CertificateStep
// and the CertificatesPage CreateCertificateModal must both ship the full
// six-field required payload (name, common_name, renewal_policy_id,
// issuer_id, owner_id, team_id) — the handler's ValidateRequired contract
// rejects anything less with HTTP 400. This test pins the wire shape so
// that accidentally dropping a field from either UI surface fails CI
// rather than only surfacing as a 400 at runtime.
it('createCertificate accepts and transmits all six required fields', async () => {
const wizardPayload = {
name: 'API Production Cert',
common_name: 'api.example.com',
sans: ['www.example.com'],
issuer_id: 'iss-local',
owner_id: 'o-alice',
team_id: 't-platform',
renewal_policy_id: 'rp-standard',
environment: 'production',
};
mockFetch.mockReturnValueOnce(mockJsonResponse({ id: 'mc-new', ...wizardPayload }));
await createCertificate(wizardPayload);
const [url, init] = mockFetch.mock.calls[0];
expect(url).toBe('/api/v1/certificates');
expect(init.method).toBe('POST');
const body = JSON.parse(init.body);
// Assert every required field is present and intact
expect(body.name).toBe('API Production Cert');
expect(body.common_name).toBe('api.example.com');
expect(body.issuer_id).toBe('iss-local');
expect(body.owner_id).toBe('o-alice');
expect(body.team_id).toBe('t-platform');
expect(body.renewal_policy_id).toBe('rp-standard');
});
it('updateCertificate sends PUT', async () => {
mockFetch.mockReturnValueOnce(mockJsonResponse({ id: 'mc-test', status: 'Active' }));
await updateCertificate('mc-test', { status: 'Active' });
web/src/pages/OnboardingWizard.tsx
+91 -13
View File
@@ -2,7 +2,7 @@ import { useState } from 'react';
import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query';
import { useNavigate, Link } from 'react-router-dom';
import {
getIssuers, getAgents, getProfiles, getOwners,
getIssuers, getAgents, getProfiles, getOwners, getTeams, getPolicies,
createIssuer, testIssuerConnection,
createCertificate, triggerRenewal,
getApiKey,
@@ -400,18 +400,28 @@ function CertificateStep({ onNext, onSkip, createdIssuerId }: {
createdIssuerId: string | null;
}) {
const queryClient = useQueryClient();
const [name, setName] = useState('');
const [commonName, setCommonName] = useState('');
const [sans, setSans] = useState('');
const [issuerId, setIssuerId] = useState(createdIssuerId || '');
const [profileId, setProfileId] = useState('');
const [ownerId, setOwnerId] = useState('');
const [teamId, setTeamId] = useState('');
const [renewalPolicyId, setRenewalPolicyId] = useState('');
const [error, setError] = useState('');
const [created, setCreated] = useState(false);
// C-001: the server requires name, common_name, issuer_id, owner_id,
// team_id, and renewal_policy_id (handler in
// internal/api/handler/certificates.go + ManagedCertificate.required in
// api/openapi.yaml). The wizard must collect the same six fields so that
// "Issue Certificate" doesn't 400 at the API boundary.
const { data: issuers } = useQuery({ queryKey: ['issuers'], queryFn: () => getIssuers() });
const { data: profiles } = useQuery({ queryKey: ['profiles'], queryFn: () => getProfiles() });
const { data: agents } = useQuery({ queryKey: ['agents'], queryFn: () => getAgents() });
const { data: owners } = useQuery({ queryKey: ['owners'], queryFn: () => getOwners() });
const { data: owners } = useQuery({ queryKey: ['owners'], queryFn: () => getOwners({ per_page: '500' }) });
const { data: teams } = useQuery({ queryKey: ['teams'], queryFn: () => getTeams({ per_page: '500' }) });
const { data: policies } = useQuery({ queryKey: ['renewal-policies'], queryFn: () => getPolicies({ per_page: '500' }) });
const hasAgents = (agents?.data?.length ?? 0) > 0;
@@ -419,11 +429,14 @@ function CertificateStep({ onNext, onSkip, createdIssuerId }: {
mutationFn: async () => {
const sanList = sans.split(',').map(s => s.trim()).filter(Boolean);
const cert = await createCertificate({
name,
common_name: commonName,
sans: sanList,
issuer_id: issuerId,
certificate_profile_id: profileId || undefined,
owner_id: ownerId,
team_id: teamId,
renewal_policy_id: renewalPolicyId,
environment: 'production',
});
// Trigger issuance
@@ -465,6 +478,19 @@ function CertificateStep({ onNext, onSkip, createdIssuerId }: {
</p>
<div className="space-y-5">
<div>
<label className="block text-sm font-medium text-ink mb-2">
Name <span className="text-red-600">*</span>
</label>
<input
type="text"
value={name}
onChange={e => setName(e.target.value)}
placeholder="API Production Cert"
className="w-full px-3 py-2 bg-surface border border-surface-border rounded text-ink placeholder-ink-faint focus:outline-none focus:border-brand-500 transition-colors"
/>
</div>
<div>
<label className="block text-sm font-medium text-ink mb-2">
Common Name <span className="text-red-600">*</span>
@@ -525,25 +551,69 @@ function CertificateStep({ onNext, onSkip, createdIssuerId }: {
</div>
</div>
<div className="grid grid-cols-2 gap-4">
<div>
<label className="block text-sm font-medium text-ink mb-2">
Owner <span className="text-red-600">*</span>
</label>
<select
value={ownerId}
onChange={e => setOwnerId(e.target.value)}
className="w-full px-3 py-2 bg-surface border border-surface-border rounded text-ink focus:outline-none focus:border-brand-500 transition-colors"
>
<option value="">Select owner...</option>
{owners?.data?.map(o => (
<option key={o.id} value={o.id}>
{o.name}{o.email ? ` (${o.email})` : ''}
</option>
))}
</select>
{(owners?.data?.length ?? 0) === 0 && (
<p className="mt-1 text-xs text-ink-muted">
No owners yet create one from the <Link to="/owners" className="underline hover:text-ink">Owners page</Link> first, then return here.
</p>
)}
</div>
<div>
<label className="block text-sm font-medium text-ink mb-2">
Team <span className="text-red-600">*</span>
</label>
<select
value={teamId}
onChange={e => setTeamId(e.target.value)}
className="w-full px-3 py-2 bg-surface border border-surface-border rounded text-ink focus:outline-none focus:border-brand-500 transition-colors"
>
<option value="">Select team...</option>
{teams?.data?.map(t => (
<option key={t.id} value={t.id}>{t.name}</option>
))}
</select>
{(teams?.data?.length ?? 0) === 0 && (
<p className="mt-1 text-xs text-ink-muted">
No teams yet create one from the <Link to="/teams" className="underline hover:text-ink">Teams page</Link> first, then return here.
</p>
)}
</div>
</div>
<div>
<label className="block text-sm font-medium text-ink mb-2">
Owner <span className="text-red-600">*</span>
Renewal Policy <span className="text-red-600">*</span>
</label>
<select
value={ownerId}
onChange={e => setOwnerId(e.target.value)}
value={renewalPolicyId}
onChange={e => setRenewalPolicyId(e.target.value)}
className="w-full px-3 py-2 bg-surface border border-surface-border rounded text-ink focus:outline-none focus:border-brand-500 transition-colors"
>
<option value="">Select owner...</option>
{owners?.data?.map(o => (
<option key={o.id} value={o.id}>
{o.name}{o.email ? ` (${o.email})` : ''}
</option>
<option value="">Select renewal policy...</option>
{policies?.data?.map(p => (
<option key={p.id} value={p.id}>{p.name}</option>
))}
</select>
{(owners?.data?.length ?? 0) === 0 && (
{(policies?.data?.length ?? 0) === 0 && (
<p className="mt-1 text-xs text-ink-muted">
No owners yet create one from the <Link to="/owners" className="underline hover:text-ink">Owners page</Link> first, then return here.
No renewal policies yet create one from the <Link to="/policies" className="underline hover:text-ink">Policies page</Link> first, then return here.
</p>
)}
</div>
@@ -573,7 +643,15 @@ function CertificateStep({ onNext, onSkip, createdIssuerId }: {
onSkip={onSkip}
onNext={() => createMutation.mutate()}
nextLabel={createMutation.isPending ? 'Creating...' : 'Issue Certificate'}
nextDisabled={!commonName || !issuerId || !ownerId || createMutation.isPending}
nextDisabled={
!name ||
!commonName ||
!issuerId ||
!ownerId ||
!teamId ||
!renewalPolicyId ||
createMutation.isPending
}
/>
</div>
);