certctl

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 17:31:30 +00:00

Author	SHA1	Message	Date
shankar0123	0e06f6c4fc	cli: promote --force on renew + require --reason on revoke (closes P3-1, P3-2) Closes findings P3-1 and P3-2 from the 2026-05-05 CLI/API/MCP↔GUI parity audit (cowork/cli-gui-parity-audit-2026-05-05/RESULTS.md). Both findings flagged hidden defaults that the CLI was sending without exposing them to operators: `force=false` baked into every renew payload, and a silent fallback to `reason="unspecified"` whenever --reason was omitted. P3-1 — promote --force on `certs renew` (full end-to-end plumbing) The pre-2026-05-05 CLI sent `{"force": false}` in the renew body. The API handler never decoded it — a textbook "lying field" per the operator's CLAUDE.md "complete path, not the easy path" rule: the body field stored a value, claimed to do something, and silently did nothing because the wire never reached the consumer. Adding a --force flag that also went unread would have created another lying field. This commit takes the complete path: service.CertificateService.TriggerRenewal grew a `force bool` parameter (internal/service/certificate.go). When force=true, the RenewalInProgress block is overridden so operators can recover stuck in-flight renewals where a previous job hung without releasing the status flag. Archived and Expired remain terminal blockers regardless of force — those are semantic dead-ends that --force should not paper over (archived = decommissioned, expired = issue a new cert instead of renewing a dead one). handler.CertificateHandler.TriggerRenewal parses force from ?force=true (or ?force=1) query param, OR {"force": true} JSON body, whichever the client picks. Defaults to false. Passes through to the service. internal/cli/client.go::RenewCertificate(id, force bool) sends ?force=true on the URL when --force is set. The historical hardcoded `{"force": false}` body is gone — no more lying field. cmd/cli/main.go dispatches `certs renew <id> [--force]` (ID-first flag-second convention matches the existing `agents retire <id> [--force]`). P3-2 — require --reason on `certs revoke` (Option A: strict refusal) The pre-2026-05-05 CLI dropped to `--reason unspecified` whenever the operator omitted the flag. Compliance reporting (RFC 5280 §5.3.1, PCI- DSS §3.6, HIPAA §164.312) relies on the reason code being meaningful; silent fallback defeats the audit trail because every revocation looks identical. cmd/cli/main.go dispatch refuses to send when --reason is empty, prints the canonical RFC 5280 §5.3.1 reason-code menu, and exits non-zero. internal/cli/client.go exposes ValidRevokeReasons() returning the canonical camelCase list (unspecified, keyCompromise, caCompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, removeFromCRL, privilegeWithdrawn, aaCompromise) and NormalizeRevokeReason() that accepts both camelCase and snake_case inputs and normalises to the canonical wire form. Off-list reasons are rejected at dispatch with the menu re-printed. Test pins: internal/cli/client_test.go::TestClient_RenewCertificate_ForceFlag — --force=true sends ?force=true with empty body; --force=false sends no query and no body. internal/cli/client_test.go::TestNormalizeRevokeReason + TestValidRevokeReasons — canonical-camelCase + snake_case + reject- off-enum behaviour. cmd/cli/dispatch_test.go::TestHandleCerts_Revoke_RequiresReason + TestHandleCerts_Revoke_RejectsUnknownReason + TestHandleCerts_Renew_ForceFlag — dispatch-layer pins for the same contracts. internal/api/handler/certificate_handler_test.go::TestTriggerRenewal_ ForceQueryParam — query-param passthrough (no-flag, force=true, force=1, force=false) flows through to the service-layer parameter. internal/service/certificate_test.go::TestTriggerRenewal_ ForceOverridesInProgress — force=false preserves the RenewalInProgress block; force=true clears it. Existing TestTriggerRenewal_Archived extended to assert force=true still blocks Archived (terminal-state guarantee). Docs: docs/reference/cli.md updated with the --force example for renew and the strict --reason semantics for revoke (including snake_case input acceptance). Acceptance gate (verified): - go build ./cmd/server/... ./cmd/agent/... ./cmd/cli/... ./cmd/mcp-server/... clean. - go vet ./... clean. - go test -short -count=1 ./... pass repo-wide. - bash scripts/ci-guards/openapi-handler-parity.sh clean (router 178, OpenAPI 144, exceptions 36 — unchanged; we add parameter parsing, not routes). - gofmt -l clean.	2026-05-05 19:49:34 +00:00
shankar0123	1ee67b7792	D-1: correct certctl-cli status endpoint path (/api/v1/health -> /health) The CLI's GetStatus() was issuing GET /api/v1/health, but the real liveness route is GET /health at internal/api/router/router.go:76 (mounted at root, not under /api/v1/). Every 'certctl-cli status' invocation 404'd since M16b. The regression was masked because TestClient_GetStatus encoded the same wrong path on both sides of the contract -- the mock server also dispatched on /api/v1/health -- so the production request matched the test's buggy dispatch and the green bar hid the bug. Two-line fix: - internal/cli/client.go:615: "/api/v1/health" -> "/health" - internal/cli/client_test.go:296: mock dispatch to match Red receipt captured before the green fix: with the test fixture corrected but production still wrong, TestClient_GetStatus fails 'parsing response: unexpected end of JSON input' (the client falls through the mock's if/else to the default 200 OK empty body and the JSON decoder chokes). After the production edit the test passes. GetStatus()'s response decoder is already compatible with the real /health shape (graceful 'ok' check on health["status"], optional health["timestamp"]). No interface change. No migration. No frontend change. No OpenAPI delta -- /health is a root-level liveness probe, not part of the /api/v1/ surface.	2026-04-20 19:40:58 +00:00
shankar0123	52248be717	v2.0.47: HTTPS Everywhere — TLS-only control plane, agents/CLI/MCP Breaking change release. Plaintext HTTP listener removed. The certctl control plane now terminates TLS 1.3 on :8443 via http.Server.ListenAndServeTLS. No CERTCTL_TLS_ENABLED=false escape hatch. No dual-listener mode. One-step cutover per docs/upgrade-to-tls.md. Server - cmd/server/tls.go: certHolder with SIGHUP hot-reload + atomic cert swap, buildServerTLSConfig (TLS 1.3 min, GetCertificate callback), preflightServerTLS validation - cmd/server/main.go: ListenAndServeTLS in place of ListenAndServe, watchSIGHUP wiring, cert/key path config threading - tls_test.go: 418-line regression coverage of reload, preflight, callback behavior, SAN validation Config - CERTCTL_TLS_CERT_PATH / CERTCTL_TLS_KEY_PATH (required) - Plaintext rejection: agents/CLI/MCP pre-flight-fail on http:// URLs with a pointer to docs/upgrade-to-tls.md Agents, CLI, MCP - All three pre-flight-reject http:// URLs with fail-loud diagnostic - CERTCTL_SERVER_CA_BUNDLE_PATH for private-CA trust - CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY for dev-only bypass (loud warning on startup) - install-agent.sh emits both vars as commented template lines docker-compose - certctl-tls-init sidecar generates SAN-valid self-signed cert into deploy/test/certs/ on first boot - All demo-stack curls pin against ca.crt with --cacert Helm chart - Three TLS provisioning modes, exactly one required: - server.tls.existingSecret (operator-supplied) - server.tls.certManager.enabled (cert-manager integration) - server.tls.selfSigned.enabled (eval only — not for production) - server-certificate.yaml template for cert-manager mode - helm install without a TLS source fails at template render with a pointer to docs/tls.md CI - .github/workflows/ci.yml Helm Chart Validation step renders the chart in both existingSecret and cert-manager modes, plus an inverse guard-regression test that asserts helm template MUST refuse to render when no TLS source is configured. Previously the single `helm template` invocation hit the certctl.tls.required fail-loud guard and exit-1'd CI. Four invocations now: lint (existingSecret), template (existingSecret), template (cert-manager), template (no args — must fail). Integration tests - deploy/test/integration_test.go stands up the Compose stack over HTTPS, extracts the CA bundle, and exercises every certctl API over https://localhost:8443 - All 34 integration subtests green (per Phase 8 local CI-parity) Documentation - New: docs/tls.md (provisioning patterns, rotation, SIGHUP reload) - New: docs/upgrade-to-tls.md (one-step cutover, no-downgrade warnings, fleet-roll sequencing) - CHANGELOG.md: v2.2.0 "HTTPS Everywhere — The Irony" entry (file heading unchanged; release tag is v2.0.47) - All curls in docs/, examples/, deploy/helm/ guides use https://localhost:8443 --cacert Verification - grep -rn "ListenAndServe[^T]" cmd/ internal/ → 0 hits - grep -rn "\"http://" cmd/ internal/ → 2 benign hits (Caddy admin API default, SSRF doc comment) — zero certctl endpoints - Tasks #197–#206 (Phases 0–8) all closed in the tracker Files: 65 changed, 3489 insertions, 372 deletions (pre-CI-fix).	2026-04-20 03:43:10 +00:00
shankar0123	469611650c	fix(cli): add missing os + path/filepath imports to client_test.go Follow-up to `91642e2`. TestClient_ImportCertificates_SixFieldPayload uses filepath.Join(t.TempDir(), ...) and os.WriteFile to stage a test PEM, but the import block only listed encoding/json, encoding/pem, net/http, etc. — neither os nor path/filepath was imported. go vet rejected the package with 'undefined: filepath' (and would have caught 'undefined: os' next). Add both imports. No behavioral change — the referenced symbols are the standard library's usual names for their respective packages, so the test compiles and runs exactly as intended. CI should now pass go build + go vet on the cli package.	2026-04-19 00:27:11 +00:00
shankar0123	91642e2860	C-001 scope expansion: tighten parallel POST /api/v1/certificates call sites to six-field contract Problem: `a53a4b8` closed C-001 at the handler boundary by tightening the ValidateRequired contract on POST /api/v1/certificates to require six fields: name, common_name, renewal_policy_id, issuer_id, owner_id, team_id. (Correction re-derived from source: the handler ValidateRequired calls on owner_id/team_id/renewal_policy_id were actually installed in `3287e17` under M-002/M-003/M-006 auth unification — a53a4b8's commit message overstates scope.) Post-audit on 2026-04-18 found three parallel call sites still shipping three-to-four-field payloads that the newly strict handler would reject with HTTP 400: - GUI: OnboardingWizard CertificateStep (common_name + sans + issuer_id + environment only) - CLI: certctl-cli import (common_name + issuer_id + status only; no required-flag gating) - Tests: deploy/test/qa_test.go Part03 positive paths Scope: Bring every POST /api/v1/certificates caller to six-field parity. No handler changes — the contract is authoritative; the callers must conform. Implementation: GUI — OnboardingWizard CertificateStep expansion: web/src/pages/OnboardingWizard.tsx adds name/owner_id/team_id/ renewal_policy_id state. React Query hooks for getOwners/ getTeams/getPolicies use per_page: '500' to populate dropdowns without pagination-driven truncation. Payload ships all six required fields plus sans/certificate_profile_id/environment. nextDisabled gate enforces all six before the Continue button activates. CLI — ImportCertificates rewrite: internal/cli/client.go rewrites ImportCertificates with flag.NewFlagSet("import", flag.ContinueOnError). Required flags: --owner-id, --team-id, --renewal-policy-id, --issuer-id. Optional: --name-template (default {cn}, templated via strings.ReplaceAll against cert.Subject.CommonName), --environment (default imported). Missing required flags fail pre-HTTP with a clear error. Request map ships all six required fields plus sans/ environment/status/optional serial_number. cmd/cli/main.go — usage string updated to document the new required/optional flags. Tests — qa_test.go Part03 positive paths: deploy/test/qa_test.go Part03 Create_Minimal and Create_Full updated to include all six fields. Uses seed_demo.sql-supplied IDs (o-alice, t-platform, rp-standard) — docker-compose.demo.yml is the run context. C-001 explanatory comment added above Create_Minimal so future readers understand why the minimal payload is no longer minimal. MCP parity: Verified no-op. internal/mcp/types.go:28 CreateCertificateInput already declares all six fields; internal/mcp/tools.go:102 forwards the typed struct unchanged. Verification: Go CLI regression tests (internal/cli/client_test.go): * TestClient_ImportCertificates_MissingRequiredFlags — 5 subtests, one per missing required flag, confirms flag.ContinueOnError rejects with non-nil error before any HTTP call is attempted. * TestClient_ImportCertificates_MissingPositionalArgs — confirms the "usage: import <file>" error path when no PEM file is supplied after the flags. * TestClient_ImportCertificates_SixFieldPayload — uses httptest to decode the POST body and assert all six required fields plus sans/environment are present on the wire. Frontend regression test (web/src/api/client.test.ts): 'createCertificate accepts and transmits all six required fields' pins the wire shape for both GUI call sites (OnboardingWizard CertificateStep + CertificatesPage CreateCertificateModal). If either UI surface accidentally drops a field, this assertion fails in CI rather than surfacing as a 400 at runtime. Grep-based call-site sweep: Enumerated every POST /api/v1/certificates create caller. Four total: OnboardingWizard, CertificatesPage, MCP tools, CLI import. All four now ship six-field payloads. Claim path (internal/service/discovery.go) updates existing rows and does not POST. EST/SCEP handlers invoke internal certService.CreateVersion, not the public API. Negative-path tests (qa_test.go:1085/1267/1274/1288/1298) remain valid: they assert 400/non-500 on oversized/malformed/missing-CN/UTF-8/empty bodies, and these properties still hold under the stricter handler. Static gates: go build ./..., go vet ./..., go test ./internal/cli/..., and cd web && npm run test deferred to operator pre-push — the Go toolchain is not available in the session sandbox. Grep-based verification confirms the syntactic shape of every changed file. Residual: None. Every POST /api/v1/certificates call site now conforms to the six-field contract; the wire shape is pinned by both Go and TypeScript regression tests. Commit: TBD-SHA (audit doc + CLAUDE.md carry TBD-SHA placeholders to be amended after commit)	2026-04-19 00:25:10 +00:00
shankar0123	13cd4d98ba	feat(V2.2): bulk revocation — filter-based fleet-wide certificate revocation Add POST /api/v1/certificates/bulk-revoke with filter criteria (profile_id, owner_id, agent_id, issuer_id, team_id, certificate_ids), partial-failure tolerance, and audit trail. Includes MCP tool, CLI command (certs bulk-revoke), server-side bulk modal in GUI replacing client-side sequential loop, OpenAPI spec, compliance mapping updates, and 21 new tests (12 service, 7 handler, 1 CLI, 1 frontend). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-16 00:06:34 -04:00
shankar0123	df1aaa37f8	feat: M17 OpenSSL/Custom CA issuer connector + M16b CLI tool with bulk import M17: Script-based issuer connector delegating sign/revoke/CRL to user-provided scripts. Compatible with any CA tooling (OpenSSL, cfssl, custom PKI). Configurable timeout, environment variable passthrough. 14 tests including timeout enforcement. M16b: certctl-cli wraps all 76 REST API endpoints for terminal workflows. Supports certs/agents/jobs list/get/renew/revoke/cancel, bulk PEM import with progress reporting, server health status, table and JSON output formats. Zero external dependencies (stdlib only). 14 tests with mock HTTP server. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-23 18:12:40 -04:00

7 Commits