Initial scaffold: certificate control plane v0.1.0

2026-06-14 12:19:05 +00:00 · 2026-03-14 08:22:17 -04:00
commit d395776a95
57 changed files with 9548 additions and 0 deletions
@@ -0,0 +1,293 @@
+package service
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/shankar0123/certctl/internal/domain"
+	"github.com/shankar0123/certctl/internal/repository"
+)
+
+// DeploymentService manages certificate deployment to targets via agents.
+type DeploymentService struct {
+	jobRepo         repository.JobRepository
+	targetRepo      repository.TargetRepository
+	agentRepo       repository.AgentRepository
+	certRepo        repository.CertificateRepository
+	auditService    *AuditService
+	notificationSvc *NotificationService
+}
+
+// NewDeploymentService creates a new deployment service.
+func NewDeploymentService(
+	jobRepo repository.JobRepository,
+	targetRepo repository.TargetRepository,
+	agentRepo repository.AgentRepository,
+	certRepo repository.CertificateRepository,
+	auditService *AuditService,
+	notificationSvc *NotificationService,
+) *DeploymentService {
+	return &DeploymentService{
+		jobRepo:         jobRepo,
+		targetRepo:      targetRepo,
+		agentRepo:       agentRepo,
+		certRepo:        certRepo,
+		auditService:    auditService,
+		notificationSvc: notificationSvc,
+	}
+}
+
+// CreateDeploymentJobs creates a job for each target of a certificate.
+func (s *DeploymentService) CreateDeploymentJobs(ctx context.Context, certID string) ([]string, error) {
+	// Fetch all targets for this certificate
+	targets, err := s.targetRepo.ListByCertificate(ctx, certID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list targets: %w", err)
+	}
+
+	if len(targets) == 0 {
+		return nil, fmt.Errorf("no targets found for certificate %s", certID)
+	}
+
+	var jobIDs []string
+
+	// Create a deployment job for each target
+	for _, target := range targets {
+		job := &domain.Job{
+			ID:            generateID("job"),
+			CertificateID: certID,
+			Type:          domain.JobTypeDeployment,
+			Status:        domain.JobStatusPending,
+			ScheduledAt:   time.Now(),
+			CreatedAt:     time.Now(),
+		}
+		// Store target info in TargetID field
+		if target.ID != "" {
+			job.TargetID = &target.ID
+		}
+
+		if err := s.jobRepo.Create(ctx, job); err != nil {
+			fmt.Printf("failed to create deployment job for target %s: %v\n", target.ID, err)
+			continue
+		}
+
+		jobIDs = append(jobIDs, job.ID)
+	}
+
+	if len(jobIDs) == 0 {
+		return nil, fmt.Errorf("failed to create any deployment jobs")
+	}
+
+	// Record audit event
+	_ = s.auditService.RecordEvent(ctx, "system", domain.ActorTypeSystem,
+		"deployment_jobs_created", "certificate", certID,
+		map[string]interface{}{"target_count": len(targets), "job_count": len(jobIDs)})
+
+	return jobIDs, nil
+}
+
+// ProcessDeploymentJob handles a deployment job by coordinating with an agent.
+func (s *DeploymentService) ProcessDeploymentJob(ctx context.Context, job *domain.Job) error {
+	// Update job status to in-progress
+	if err := s.jobRepo.UpdateStatus(ctx, job.ID, domain.JobStatusRunning, ""); err != nil {
+		return fmt.Errorf("failed to update job status: %w", err)
+	}
+
+	// Fetch certificate
+	cert, err := s.certRepo.Get(ctx, job.CertificateID)
+	if err != nil {
+		updateErr := s.jobRepo.UpdateStatus(ctx, job.ID, domain.JobStatusFailed, fmt.Sprintf("certificate fetch failed: %v", err))
+		if updateErr != nil {
+			fmt.Printf("failed to update job status: %v\n", updateErr)
+		}
+		return fmt.Errorf("failed to fetch certificate: %w", err)
+	}
+
+	// Fetch target
+	var targetID string
+	if job.TargetID != nil {
+		targetID = *job.TargetID
+	}
+	if targetID == "" {
+		updateErr := s.jobRepo.UpdateStatus(ctx, job.ID, domain.JobStatusFailed, "target_id not found in job")
+		if updateErr != nil {
+			fmt.Printf("failed to update job status: %v\n", updateErr)
+		}
+		return fmt.Errorf("target_id not found in job")
+	}
+
+	target, err := s.targetRepo.Get(ctx, targetID)
+	if err != nil {
+		updateErr := s.jobRepo.UpdateStatus(ctx, job.ID, domain.JobStatusFailed, fmt.Sprintf("target fetch failed: %v", err))
+		if updateErr != nil {
+			fmt.Printf("failed to update job status: %v\n", updateErr)
+		}
+		return fmt.Errorf("failed to fetch target: %w", err)
+	}
+
+	// Verify agent is available
+	agentID := target.AgentID
+	agent, err := s.agentRepo.Get(ctx, agentID)
+	if err != nil {
+		updateErr := s.jobRepo.UpdateStatus(ctx, job.ID, domain.JobStatusFailed, fmt.Sprintf("agent fetch failed: %v", err))
+		if updateErr != nil {
+			fmt.Printf("failed to update job status: %v\n", updateErr)
+		}
+		return fmt.Errorf("failed to fetch agent: %w", err)
+	}
+
+	// Check agent heartbeat (must be within last 5 minutes)
+	if agent.LastHeartbeatAt != nil && time.Since(*agent.LastHeartbeatAt) > 5*time.Minute {
+		updateErr := s.jobRepo.UpdateStatus(ctx, job.ID, domain.JobStatusFailed, "agent is offline")
+		if updateErr != nil {
+			fmt.Printf("failed to update job status: %v\n", updateErr)
+		}
+
+		_ = s.notificationSvc.SendDeploymentNotification(ctx, cert, target, false, fmt.Errorf("agent offline"))
+		_ = s.auditService.RecordEvent(ctx, "system", domain.ActorTypeSystem,
+			"deployment_job_failed", "certificate", job.CertificateID,
+			map[string]interface{}{"job_id": job.ID, "reason": "agent offline", "target_id": targetID})
+
+		return fmt.Errorf("agent %s is offline", agentID)
+	}
+
+	// In a real implementation, the agent would poll GetPendingWork() to fetch this job.
+	// The control plane would wait for the agent to complete the work asynchronously.
+	// For now, we mark it as pending and rely on agent polling.
+
+	// Record audit event
+	_ = s.auditService.RecordEvent(ctx, "system", domain.ActorTypeSystem,
+		"deployment_job_dispatched", "certificate", job.CertificateID,
+		map[string]interface{}{"job_id": job.ID, "target_id": targetID, "agent_id": agentID})
+
+	return nil
+}
+
+// ValidateDeployment checks the deployment status of a certificate on a target.
+func (s *DeploymentService) ValidateDeployment(ctx context.Context, certID string, targetID string) (bool, error) {
+	// List deployment jobs for this certificate and target
+	jobs, err := s.jobRepo.ListByCertificate(ctx, certID)
+	if err != nil {
+		return false, fmt.Errorf("failed to list jobs: %w", err)
+	}
+
+	for _, job := range jobs {
+		if job.Type != domain.JobTypeDeployment {
+			continue
+		}
+
+		// Check if this job is for the target
+		if job.TargetID == nil || *job.TargetID != targetID {
+			continue
+		}
+
+		// Check if the most recent job for this target succeeded
+		if job.Status == domain.JobStatusCompleted {
+			return true, nil
+		}
+
+		if job.Status == domain.JobStatusFailed {
+			if job.LastError != nil {
+				return false, fmt.Errorf("deployment failed: %s", *job.LastError)
+			}
+			return false, fmt.Errorf("deployment failed")
+		}
+
+		// Still in progress
+		return false, fmt.Errorf("deployment in progress")
+	}
+
+	// No deployment job found
+	return false, fmt.Errorf("no deployment job found for target %s", targetID)
+}
+
+// MarkDeploymentComplete marks a deployment job as successfully completed.
+// This is called by agents after they finish deploying a certificate.
+func (s *DeploymentService) MarkDeploymentComplete(ctx context.Context, jobID string) error {
+	job, err := s.jobRepo.Get(ctx, jobID)
+	if err != nil {
+		return fmt.Errorf("failed to fetch job: %w", err)
+	}
+
+	if err := s.jobRepo.UpdateStatus(ctx, jobID, domain.JobStatusCompleted, ""); err != nil {
+		return fmt.Errorf("failed to update job status: %w", err)
+	}
+
+	// Fetch certificate and target for notification
+	cert, err := s.certRepo.Get(ctx, job.CertificateID)
+	if err != nil {
+		fmt.Printf("failed to fetch certificate for notification: %v\n", err)
+		return nil
+	}
+
+	var targetID string
+	if job.TargetID != nil {
+		targetID = *job.TargetID
+	}
+
+	if targetID != "" {
+		target, err := s.targetRepo.Get(ctx, targetID)
+		if err != nil {
+			fmt.Printf("failed to fetch target for notification: %v\n", err)
+			return nil
+		}
+
+		// Send deployment success notification
+		if err := s.notificationSvc.SendDeploymentNotification(ctx, cert, target, true, nil); err != nil {
+			fmt.Printf("failed to send deployment notification: %v\n", err)
+		}
+	}
+
+	// Record audit event
+	_ = s.auditService.RecordEvent(ctx, "system", domain.ActorTypeSystem,
+		"deployment_job_completed", "certificate", job.CertificateID,
+		map[string]interface{}{"job_id": jobID, "target_id": targetID})
+
+	return nil
+}
+
+// MarkDeploymentFailed marks a deployment job as failed.
+// Called by agents when deployment fails.
+func (s *DeploymentService) MarkDeploymentFailed(ctx context.Context, jobID string, errMsg string) error {
+	job, err := s.jobRepo.Get(ctx, jobID)
+	if err != nil {
+		return fmt.Errorf("failed to fetch job: %w", err)
+	}
+
+	if err := s.jobRepo.UpdateStatus(ctx, jobID, domain.JobStatusFailed, errMsg); err != nil {
+		return fmt.Errorf("failed to update job status: %w", err)
+	}
+
+	// Fetch certificate and target for notification
+	cert, err := s.certRepo.Get(ctx, job.CertificateID)
+	if err != nil {
+		fmt.Printf("failed to fetch certificate for notification: %v\n", err)
+		return nil
+	}
+
+	var targetID string
+	if job.TargetID != nil {
+		targetID = *job.TargetID
+	}
+
+	if targetID != "" {
+		target, err := s.targetRepo.Get(ctx, targetID)
+		if err != nil {
+			fmt.Printf("failed to fetch target for notification: %v\n", err)
+			return nil
+		}
+
+		// Send deployment failure notification
+		if err := s.notificationSvc.SendDeploymentNotification(ctx, cert, target, false, fmt.Errorf(errMsg)); err != nil {
+			fmt.Printf("failed to send deployment notification: %v\n", err)
+		}
+	}
+
+	// Record audit event
+	_ = s.auditService.RecordEvent(ctx, "system", domain.ActorTypeSystem,
+		"deployment_job_failed", "certificate", job.CertificateID,
+		map[string]interface{}{"job_id": jobID, "target_id": targetID, "error": errMsg})
+
+	return nil
+}