mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-14 19:48:53 +00:00
globalsign,entrust: cache mTLS keypair with mtime-based reload
Closes the #10 acquisition-readiness blocker from the 2026-05-01 issuer coverage audit. Pre-fix, GlobalSign reloaded the mTLS cert/key from disk on every API call (globalsign.go::getHTTPClient) and Entrust loaded once in ValidateConfig with no rotation handling — both shapes were broken for different reasons. Per-call disk reads under a 100- cert renewal sweep meant 200 file opens / parses / tls.X509KeyPair calls in flight, each adding 5–50ms of latency for nothing; the single-load Entrust shape served stale credentials forever after a cert rotation, requiring a process restart. This commit: - Adds a new shared package internal/connector/issuer/mtlscache/ with a Cache type holding a parsed tls.Certificate plus a precomputed *http.Transport. RWMutex serialises reloads; reads are lock-free in the hot path (read lock briefly held to copy out the *http.Client pointer, then released — the HTTP request itself happens with no lock held, per the audit prompt's anti- pattern about holding the write lock across an API call). - RefreshIfStale stats the cert file; if mtime advanced beyond the last load, the keypair is re-parsed and the transport is rebuilt. The fast path (mtime unchanged) takes the read lock for the comparison and returns immediately. Double-checked-lock pattern (read lock → stat → release → write lock → re-stat) prevents two callers who observed the same stale mtime from both reloading. - Options.TLSConfigBuilder lets the caller customise the *tls.Config built around the parsed leaf certificate. GlobalSign uses this to inject the ServerCAPath-pinning RootCAs pool that buildServerTLSConfig already produces; entrust uses the default builder. - New() performs the initial load so a broken cert path fails fast at construction rather than at first API call. - GlobalSign.Connector gains an mtls field. getHTTPClient now: (1) preserves the test-mode short-circuit when httpClient has a non-nil Transport; (2) preserves the bare-default-client short-circuit when cert paths aren't configured; (3) lazy-builds the cache on the first call so the constructor stays cheap; (4) calls RefreshIfStale on every subsequent call. The error wrap preserves the substring "client certificate" so existing TestGlobalsign_GetHTTPClient_MTLSPathConfigured_LoadsKeyPair keeps its assertion. - Entrust.Connector gains an mtls field plus a new getHTTPClient helper mirroring GlobalSign's shape. The three IssueCertificate / RevokeCertificate / pollEnrollmentOnce sites that previously hit c.httpClient.Do(req) directly now route through getHTTPClient, which falls through to the test-injected client (same logic as GlobalSign) and otherwise serves the cached mTLS client. The legacy ValidateConfig flow that pre-built c.httpClient with its own transport stays intact — its transport wins because getHTTPClient short-circuits when c.httpClient.Transport != nil. - Tests at internal/connector/issuer/mtlscache/cache_test.go cover: * fail-fast on missing paths (constructor input validation) * load on construction (positive + negative) * NoReloadWhenMtimeStable — 100 RefreshIfStale calls, LoadedAt must stay equal to the constructor's stamp (the load-bearing regression guard against per-call disk reads) * ReloadsOnMtimeAdvance — os.Chtimes forward, next refresh must observe the new LoadedAt (the load-bearing regression guard for rotation-without-process-restart) * StatErrorBubbles — missing cert file surfaces as an error rather than silently serving stale credentials * ConcurrentNoRace — 100 goroutines × 50 iterations under -race; no race detected, all calls succeed * TLSConfigBuilderUsed — custom builder is invoked at New AND on reload; verifies MinVersion=TLS1.3 takes effect * ClientHonoursTimeout — Options.HTTPTimeout reaches the constructed *http.Client - docs/connectors.md GlobalSign + Entrust sections each gain an "mTLS keypair caching (audit fix #10)" paragraph documenting the steady-state caching, mtime-based rotation contract, and operator workflow (mv -f new.crt /etc/certctl/.../client.crt). Acquirer impact: removes the per-call disk-read latency floor and makes operator-driven cert rotation a no-restart event. Combined with audit fix #9's bounded scheduler concurrency, the renewal sweep's hot path now has predictable steady-state cost: capN concurrent goroutines, each reusing the cached keypair, no per- call file I/O. Verified locally: - gofmt -l . clean - go vet ./... clean - staticcheck ./... clean - go test -race -count=1 ./internal/connector/issuer/mtlscache/... green (8 tests) - go test -count=1 -short across globalsign / entrust / sectigo / ejbca / mtlscache / connector packages: green Audit reference: cowork/issuer-coverage-audit-2026-05-01/RESULTS.md Top-10 fix #10. Closes the audit's full Top-10 list (fixes #1-10 all shipped to master).
This commit is contained in:
shankar0123
@@ -35,6 +35,7 @@ import (
|
||||
|
||||
"github.com/shankar0123/certctl/internal/connector/issuer"
|
||||
"github.com/shankar0123/certctl/internal/connector/issuer/asyncpoll"
|
||||
"github.com/shankar0123/certctl/internal/connector/issuer/mtlscache"
|
||||
)
|
||||
|
||||
// Config represents the Entrust Certificate Services issuer connector configuration.
|
||||
@@ -85,6 +86,13 @@ type Connector struct {
|
||||
config *Config
|
||||
logger *slog.Logger
|
||||
httpClient *http.Client
|
||||
|
||||
// mtls caches the parsed client keypair + a precomputed
|
||||
// *http.Transport so steady-state API calls don't re-parse
|
||||
// the keypair on every request. nil in test mode
|
||||
// (NewWithHTTPClient) and on the first ValidateConfig call.
|
||||
// Audit fix #10.
|
||||
mtls *mtlscache.Cache
|
||||
}
|
||||
|
||||
// New creates a new Entrust Certificate Services connector with the given configuration and logger.
|
||||
@@ -210,6 +218,47 @@ func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessag
|
||||
return nil
|
||||
}
|
||||
|
||||
// getHTTPClient returns the HTTP client to use for an Entrust API
|
||||
// call. If a test injected a custom client via NewWithHTTPClient (or
|
||||
// ValidateConfig pre-built one with its own transport), that client
|
||||
// is returned as-is — the cache layer must not intercept the test
|
||||
// path. Otherwise a cached mTLS client is returned, refreshing the
|
||||
// keypair from disk if the cert file's mtime has advanced since the
|
||||
// last load — rotation-via-mv-f takes effect on the next call without
|
||||
// a process restart. Audit fix #10.
|
||||
func (c *Connector) getHTTPClient(ctx context.Context) (*http.Client, error) {
|
||||
// Test mode: NewWithHTTPClient + custom transport, OR a
|
||||
// ValidateConfig-built client. Either way, the caller has
|
||||
// already wired the transport they want; don't override.
|
||||
if c.httpClient != nil && c.httpClient.Transport != nil {
|
||||
return c.httpClient, nil
|
||||
}
|
||||
|
||||
if c.config == nil || c.config.ClientCertPath == "" || c.config.ClientKeyPath == "" {
|
||||
// Cert paths not configured — return whatever was supplied
|
||||
// at construction (typically the bare default-timeout
|
||||
// client from New).
|
||||
return c.httpClient, nil
|
||||
}
|
||||
|
||||
// Production mode: lazy-build the cache on the first call so
|
||||
// the constructor stays cheap (no disk I/O). Subsequent calls
|
||||
// take the fast path through the cache's RWMutex.
|
||||
if c.mtls == nil {
|
||||
cache, err := mtlscache.New(c.config.ClientCertPath, c.config.ClientKeyPath, mtlscache.Options{
|
||||
HTTPTimeout: 30 * time.Second,
|
||||
})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to build Entrust mTLS cache: %w", err)
|
||||
}
|
||||
c.mtls = cache
|
||||
} else if err := c.mtls.RefreshIfStale(); err != nil {
|
||||
return nil, fmt.Errorf("failed to refresh Entrust mTLS cache: %w", err)
|
||||
}
|
||||
|
||||
return c.mtls.Client(), nil
|
||||
}
|
||||
|
||||
// IssueCertificate submits a certificate enrollment to Entrust.
|
||||
// If the certificate is issued immediately, returns the cert.
|
||||
// If pending, returns OrderID with empty CertPEM for polling.
|
||||
@@ -248,7 +297,11 @@ func (c *Connector) IssueCertificate(ctx context.Context, request issuer.Issuanc
|
||||
}
|
||||
req.Header.Set("Content-Type", "application/json")
|
||||
|
||||
resp, err := c.httpClient.Do(req)
|
||||
client, err := c.getHTTPClient(ctx)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("Entrust enrollment request failed: %w", err)
|
||||
}
|
||||
@@ -341,7 +394,11 @@ func (c *Connector) RevokeCertificate(ctx context.Context, request issuer.Revoca
|
||||
}
|
||||
req.Header.Set("Content-Type", "application/json")
|
||||
|
||||
resp, err := c.httpClient.Do(req)
|
||||
client, err := c.getHTTPClient(ctx)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Entrust revoke request failed: %w", err)
|
||||
}
|
||||
@@ -417,7 +474,11 @@ func (c *Connector) pollEnrollmentOnce(ctx context.Context, orderID string) (*is
|
||||
return nil, asyncpoll.Failed, fmt.Errorf("failed to create status request: %w", err)
|
||||
}
|
||||
|
||||
resp, err := c.httpClient.Do(req)
|
||||
client, err := c.getHTTPClient(ctx)
|
||||
if err != nil {
|
||||
return nil, asyncpoll.Failed, fmt.Errorf("Entrust status client init: %w", err)
|
||||
}
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
return nil, asyncpoll.StillPending, fmt.Errorf("Entrust status request failed: %w", err)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user