certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 16:21:30 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	36885da2da	EST RFC 7030 hardening master bundle Phases 8-9: GUI ESTAdminPage (Profiles + Recent Activity + Trust Bundle tabs) + CLI subcommand family `certctl-cli est {cacerts,csrattrs,enroll,reenroll, serverkeygen,test}` + 6 MCP tools. Phase 8 — ESTAdminPage tabbed GUI: - web/src/pages/ESTAdminPage.tsx mirrors SCEPAdminPage's three-tab surface. Profiles tab renders per-profile cards with auth-mode badges (mTLS / Basic / ServerKeygen), mTLS trust-anchor expiry countdown (good ≥30d / warn 7-30d / bad <7d / EXPIRED), 12-cell counter grid (success_simpleenroll/.../internal_error), and the admin-gated "Reload trust anchor" action. Recent Activity tab merges the four EST audit actions (est_simple_enroll + est_simple_reenroll + est_server_keygen + est_auth_failed) across four parallel useQuery calls with chip filters for All/Enrollment/ Re-enrollment/ServerKeygen/AuthFailure. Trust Bundle tab renders per-mTLS-profile cert subjects + expiries. - M-009 useTrackedMutation guard: every mutation routes through the tracked hook so audit/progress hooks fire. - Page-level admin gate renders "Admin access required" banner for non-admin callers + skips underlying API requests so the server never sees a 403-prone request. Server-side enforcement is the M-008 admin gate; this is a UX hint. - Wired into web/src/main.tsx at /est; nav link added to Layout.tsx. - New web/src/api/types.ts types ESTStatsSnapshot + ESTTrustAnchorInfo + ESTProfilesResponse + ESTReloadTrustResponse mirror service.ESTStatsSnapshot 1:1. - New web/src/api/client.ts helpers getAdminESTProfiles + reloadAdminESTTrust. - 14 Vitest cases (admin gate non-admin / non-auth-required deploy / default tab / tab switch / deep-link tab / per-profile card render + counter cells / reload-button mTLS-only / trust-expiry badge band / reload modal Confirm-Cancel-Error paths / Trust Bundle empty-state / Activity filter chip toggle). Phase 9.1 — CLI subcommands: - internal/cli/est.go adds 6 subcommands: cacerts / csrattrs / enroll / reenroll / serverkeygen / test. CSR input via --csr with file-path or '-' for stdin; multipart serverkeygen response is parsed by stdlib mime/multipart and split into <prefix>.cert.pem + <prefix>.key.enveloped so the operator can decrypt the key with openssl smime. EST `test` smoke-tests cacerts + csrattrs + emits one-line OK/FAIL diagnostics. - cmd/cli/main.go grows the `est` dispatch + Usage entries. Phase 9.2 — MCP tools: - internal/mcp/tools_est.go adds 6 tools mapped to the EST endpoints + admin observability: est_list_profiles + est_admin_stats (alias) + est_get_cacerts + est_get_csrattrs + est_enroll + est_reenroll. Tool count grew from 87 → 93 (verified via the registered-vs- covered guard in tools_per_tool_test.go); the per-tool happy/error- path table grew with 6 matching entries so the future-tool-no-test CI guard stays green. - internal/mcp/client.go grows PostRaw — non-JSON POST helper that the EST enroll/reenroll tools use to ship raw application/pkcs10 CSR bytes through the MCP fence-wrapped response. - estRawResultJSON wraps the raw response body in a JSON envelope the MCP consumer can structurally consume (content_type + body_base64 + body_size_bytes). Mirrors the CRL/OCSP MCP tools' binary-DER envelope. Phase 9.3 — Tests: - internal/cli/est_test.go: 8 cases pinning the wire-shape contract on the CLI side without dragging the full ESTHandler into the test build. - internal/mcp/tools_est_test.go: path-builder + JSON-envelope unit tests + end-to-end tool exercise that pins all 5 captured request paths through a fake API. Pre-commit verification (sandbox): gofmt clean, go vet clean (excluding repository/postgres which the sandbox can't build — pre-existing testcontainers limit), staticcheck clean across cli/mcp/cmd/cli, go test -short -count=1 green for every non- postgres Go package, Vitest green for ESTAdminPage (14) + SCEPAdminPage (20) — 34 page tests total. G-3 docs-drift guard reproduced locally clean (Phases 8-9 added zero new env vars). Spec preserved at cowork/est-rfc7030-hardening-prompt.md. Phases 10-13 (libest sidecar e2e / bulk revocation + audit codes / docs/est.md / release prep + tag) remain — post-2.1.0 work.	2026-04-30 00:20:54 +00:00
shankar0123	52b86a08f4	Bundle K (Coverage Audit Closure): MCP per-tool coverage — C-002 closed internal/mcp line coverage 28.0% -> 93.1% (+65.1pp; +8.1 above target) via internal/mcp/tools_per_tool_test.go (~580 LoC, 4 top-level + 174 sub-tests). Strategy: gomcp.NewInMemoryTransports() wires an in-process client + server pair; RegisterTools(server, client) is invoked against a mock certctl API; every one of 87 registered tools is dispatched via clientSession.CallTool. This is the first test in the package that exercises the closure bodies inside registerTools — existing tests (tools_test.go, injection_regression_test.go, fence_guardrail_test.go, retire_agent_test.go) tested the wrapper + HTTP client in isolation. Tests: TestMCP_AllTools_HappyPath: 87 sub-tests, mock 'ok' mode, asserts response fence end-to-end. TestMCP_AllTools_ErrorPath: 87 sub-tests, mock '5xx' mode, asserts MCP_ERROR fence. TestMCP_FenceInjectionResistance: 50 dispatches; asserts per-call nonce uniqueness (security property). TestMCP_FenceWithPlantedEndMarker: planted attacker nonce does not collide with real RNG nonce. TestMCP_RegisterTools_DispatchableToolCount: tool-inventory check (87 registered == 87 covered). Per-registerTools coverage: registerCertificateTools: 11.2% -> 84.1% registerCRLOCSPTools: 20.0% -> 100.0% registerIssuerTools: 20.0% -> 100.0% registerTargetTools: 20.0% -> 100.0% registerAgentTools: 13.5% -> 86.5% registerJobTools: 15.2% -> 90.9% registerPolicyTools: 19.4% -> 100.0% registerProfileTools: 20.0% -> 100.0% registerTeamTools: 20.0% -> 100.0% registerOwnerTools: 20.0% -> 100.0% registerAgentGroupTools: 20.0% -> 100.0% registerAuditTools: 20.0% -> 100.0% registerNotificationTools: 17.4% -> 95.7% registerStatsTools: 14.7% -> 91.2% registerDigestTools: 20.0% -> 100.0% registerMetricsTools: 20.0% -> 100.0% registerHealthTools: 19.4% -> 100.0% Binary-blob tools (certctl_get_der_crl, certctl_ocsp_check) bypass textResult by design — they return human-readable summaries instead of fenced JSON. Matches the existing fence_guardrail_test.go allowlist. Verification: go vet ./internal/mcp/... clean gofmt -l internal/mcp/ clean staticcheck -checks all clean (only pre-existing S1009 + ST1000 hits in master remain) go test -short -cover 93.1% coverage go test -race -count=1 PASS, 0 races Audit deliverables: findings.yaml: C-002 status open -> closed gap-backlog.md: closure log + C-002 strikethrough coverage-matrix.md: MCP row at 93.1% closure-plan.md: Bundle K [x] closed CHANGELOG.md: [unreleased] Bundle K entry	2026-04-27 16:47:38 +00:00

Author

SHA1

Message

Date

shankar0123

36885da2da

EST RFC 7030 hardening master bundle Phases 8-9: GUI ESTAdminPage

(Profiles + Recent Activity + Trust Bundle tabs) + CLI subcommand
family `certctl-cli est {cacerts,csrattrs,enroll,reenroll,
serverkeygen,test}` + 6 MCP tools.

Phase 8 — ESTAdminPage tabbed GUI:
- web/src/pages/ESTAdminPage.tsx mirrors SCEPAdminPage's three-tab
  surface. Profiles tab renders per-profile cards with auth-mode
  badges (mTLS / Basic / ServerKeygen), mTLS trust-anchor expiry
  countdown (good ≥30d / warn 7-30d / bad <7d / EXPIRED), 12-cell
  counter grid (success_simpleenroll/.../internal_error), and the
  admin-gated "Reload trust anchor" action. Recent Activity tab
  merges the four EST audit actions (est_simple_enroll +
  est_simple_reenroll + est_server_keygen + est_auth_failed) across
  four parallel useQuery calls with chip filters for All/Enrollment/
  Re-enrollment/ServerKeygen/AuthFailure. Trust Bundle tab renders
  per-mTLS-profile cert subjects + expiries.
- M-009 useTrackedMutation guard: every mutation routes through
  the tracked hook so audit/progress hooks fire.
- Page-level admin gate renders "Admin access required" banner for
  non-admin callers + skips underlying API requests so the server
  never sees a 403-prone request. Server-side enforcement is the
  M-008 admin gate; this is a UX hint.
- Wired into web/src/main.tsx at /est; nav link added to Layout.tsx.
- New web/src/api/types.ts types ESTStatsSnapshot +
  ESTTrustAnchorInfo + ESTProfilesResponse + ESTReloadTrustResponse
  mirror service.ESTStatsSnapshot 1:1.
- New web/src/api/client.ts helpers getAdminESTProfiles +
  reloadAdminESTTrust.
- 14 Vitest cases (admin gate non-admin / non-auth-required deploy /
  default tab / tab switch / deep-link tab / per-profile card render
  + counter cells / reload-button mTLS-only / trust-expiry badge
  band / reload modal Confirm-Cancel-Error paths / Trust Bundle
  empty-state / Activity filter chip toggle).

Phase 9.1 — CLI subcommands:
- internal/cli/est.go adds 6 subcommands: cacerts / csrattrs /
  enroll / reenroll / serverkeygen / test. CSR input via --csr
  with file-path or '-' for stdin; multipart serverkeygen response
  is parsed by stdlib mime/multipart and split into <prefix>.cert.pem
  + <prefix>.key.enveloped so the operator can decrypt the key with
  openssl smime. EST `test` smoke-tests cacerts + csrattrs + emits
  one-line OK/FAIL diagnostics.
- cmd/cli/main.go grows the `est` dispatch + Usage entries.

Phase 9.2 — MCP tools:
- internal/mcp/tools_est.go adds 6 tools mapped to the EST endpoints
  + admin observability: est_list_profiles + est_admin_stats (alias)
  + est_get_cacerts + est_get_csrattrs + est_enroll + est_reenroll.
  Tool count grew from 87 → 93 (verified via the registered-vs-
  covered guard in tools_per_tool_test.go); the per-tool happy/error-
  path table grew with 6 matching entries so the future-tool-no-test
  CI guard stays green.
- internal/mcp/client.go grows PostRaw — non-JSON POST helper that
  the EST enroll/reenroll tools use to ship raw application/pkcs10
  CSR bytes through the MCP fence-wrapped response.
- estRawResultJSON wraps the raw response body in a JSON envelope
  the MCP consumer can structurally consume (content_type +
  body_base64 + body_size_bytes). Mirrors the CRL/OCSP MCP tools'
  binary-DER envelope.

Phase 9.3 — Tests:
- internal/cli/est_test.go: 8 cases pinning the wire-shape contract
  on the CLI side without dragging the full ESTHandler into the
  test build.
- internal/mcp/tools_est_test.go: path-builder + JSON-envelope unit
  tests + end-to-end tool exercise that pins all 5 captured request
  paths through a fake API.

Pre-commit verification (sandbox): gofmt clean, go vet clean
(excluding repository/postgres which the sandbox can't build —
pre-existing testcontainers limit), staticcheck clean across
cli/mcp/cmd/cli, go test -short -count=1 green for every non-
postgres Go package, Vitest green for ESTAdminPage (14) +
SCEPAdminPage (20) — 34 page tests total. G-3 docs-drift guard
reproduced locally clean (Phases 8-9 added zero new env vars).

Spec preserved at cowork/est-rfc7030-hardening-prompt.md. Phases
10-13 (libest sidecar e2e / bulk revocation + audit codes /
docs/est.md / release prep + tag) remain — post-2.1.0 work.

2026-04-30 00:20:54 +00:00

shankar0123

52b86a08f4

Bundle K (Coverage Audit Closure): MCP per-tool coverage — C-002 closed

internal/mcp line coverage 28.0% -> 93.1% (+65.1pp; +8.1 above target)

via internal/mcp/tools_per_tool_test.go (~580 LoC, 4 top-level + 174 sub-tests).

Strategy: gomcp.NewInMemoryTransports() wires an in-process client +

server pair; RegisterTools(server, client) is invoked against a mock

certctl API; every one of 87 registered tools is dispatched via

clientSession.CallTool. This is the first test in the package that

exercises the closure bodies inside register*Tools — existing tests

(tools_test.go, injection_regression_test.go, fence_guardrail_test.go,

retire_agent_test.go) tested the wrapper + HTTP client in isolation.

Tests:

  TestMCP_AllTools_HappyPath:    87 sub-tests, mock 'ok' mode,

                                 asserts response fence end-to-end.

  TestMCP_AllTools_ErrorPath:    87 sub-tests, mock '5xx' mode,

                                 asserts MCP_ERROR fence.

  TestMCP_FenceInjectionResistance: 50 dispatches; asserts per-call

                                 nonce uniqueness (security property).

  TestMCP_FenceWithPlantedEndMarker: planted attacker nonce does not

                                 collide with real RNG nonce.

  TestMCP_RegisterTools_DispatchableToolCount: tool-inventory check

                                 (87 registered == 87 covered).

Per-register*Tools coverage:

  registerCertificateTools:   11.2% -> 84.1%

  registerCRLOCSPTools:       20.0% -> 100.0%

  registerIssuerTools:        20.0% -> 100.0%

  registerTargetTools:        20.0% -> 100.0%

  registerAgentTools:         13.5% -> 86.5%

  registerJobTools:           15.2% -> 90.9%

  registerPolicyTools:        19.4% -> 100.0%

  registerProfileTools:       20.0% -> 100.0%

  registerTeamTools:          20.0% -> 100.0%

  registerOwnerTools:         20.0% -> 100.0%

  registerAgentGroupTools:    20.0% -> 100.0%

  registerAuditTools:         20.0% -> 100.0%

  registerNotificationTools:  17.4% -> 95.7%

  registerStatsTools:         14.7% -> 91.2%

  registerDigestTools:        20.0% -> 100.0%

  registerMetricsTools:       20.0% -> 100.0%

  registerHealthTools:        19.4% -> 100.0%

Binary-blob tools (certctl_get_der_crl, certctl_ocsp_check) bypass

textResult by design — they return human-readable summaries instead

of fenced JSON. Matches the existing fence_guardrail_test.go allowlist.

Verification:

  go vet ./internal/mcp/...           clean

  gofmt -l internal/mcp/              clean

  staticcheck -checks all             clean (only pre-existing S1009 +

                                       ST1000 hits in master remain)

  go test -short -cover               93.1% coverage

  go test -race -count=1              PASS, 0 races

Audit deliverables:

  findings.yaml: C-002 status open -> closed

  gap-backlog.md: closure log + C-002 strikethrough

  coverage-matrix.md: MCP row at 93.1%

  closure-plan.md: Bundle K [x] closed

  CHANGELOG.md: [unreleased] Bundle K entry

2026-04-27 16:47:38 +00:00

2 Commits