certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 20:21:29 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	99a012e3be	auth-bundle-1 Phase 0: extract internal/auth/ from middleware package Bundle 1 / Phase 0: pure refactor splitting auth surface out of internal/api/middleware so Bundle 2 (OIDC + sessions) and the broader RBAC primitive (roles, permissions, scoped grants) have a clean home. Moved to internal/auth/: NamedAPIKey, HashAPIKey, AuthConfig, NewAuthWithNamedKeys, NewAuth, UserKey, AdminKey, GetUser, IsAdmin. Added testfixtures.go (WithActor / WithAdmin / WithActorAdmin) so handler tests don't construct context manually. Stayed in internal/api/middleware/: RequestID, Logging, NewLogging, Recovery, RateLimitConfig, NewRateLimiter (now imports auth.GetUser for per-user keying per audit Category C), CORSConfig, NewCORS, ContentType, CORS, GetRequestID, responseWriter, Chain, audit middleware (now imports auth.GetUser). Updated 22 caller files across cmd/, internal/api/handler/, internal/api/middleware/, internal/mcp/. Existing m008_admin_gate_test.go now scans for auth.IsAdmin( substring; Phase 3 will further evolve to track auth.RequirePermission. Behavior unchanged: all handler / middleware / service / connector / cmd / mcp tests pass with no test-logic edits, only import-path renames. Phase 0 exit criteria: internal/auth/ exists with 6 files; middleware.go went 575 -> 422 lines (auth-related ~150 lines moved out); grep -rE 'middleware\.(GetUser\|IsAdmin\|UserKey\|AdminKey\|NamedAPIKey\|HashAPIKey\|NewAuth)' returns 0 hits; context.WithValue(.*middleware.UserKey/AdminKey) returns 0 hits; go vet ./... clean; go test -short ./... green across all packages tested. Branch: dev/auth-bundle-1. Per cowork/auth-bundle-1-prompt.md, do not merge to master without (1) make verify green, (2) >= 2 external testers confirm, (3) >= 90% coverage on internal/auth/ in .github/coverage-thresholds.yml.	2026-05-09 15:51:31 +00:00
shankar0123	34adcfbbe5	api, handler: 4 admin-gated CA hierarchy endpoints + OpenAPI (Rank 8 commit 4) Rank 8 commit 4 of 5. The API + RBAC layer that operators drive the new hierarchy management surface from. Endpoints (all admin-gated via middleware.IsAdmin; non-admin Bearer callers get 403): POST /api/v1/issuers/{id}/intermediates Discriminator on body shape: empty parent_ca_id + root_cert_pem + key_driver_id → CreateRoot (registers operator-supplied root CA). parent_ca_id non-empty → CreateChild (signs new sub-CA cert under parent). Service-layer error → HTTP code mapping: ErrCANotSelfSigned → 400 ErrCAKeyMismatch → 400 ErrPathLenExceeded → 400 ErrNameConstraintExceeded → 400 ErrInvalidCertPEM → 400 ErrParentCANotActive → 409 ErrIntermediateCANotFound → 404 (other) → 500 GET /api/v1/issuers/{id}/intermediates Returns flat list ordered by created_at; caller renders the tree from each row's parent_ca_id (nil = root). GET /api/v1/intermediates/{id} Single-row detail. POST /api/v1/intermediates/{id}/retire Two-phase: confirm=false → active→retiring; confirm=true → retiring→retired with active-children check (drain-first semantics; ErrCAStillHasActiveChildren → 409). Files changed: internal/api/handler/intermediate_ca.go — 4 handlers + handler-defined service interface (dependency inversion). internal/api/handler/intermediate_ca_test.go — 8 test variants (M-008 admin- gate triplet complete). internal/api/handler/m008_admin_gate_test.go — register the new admin-gated handler in AdminGatedHandlers so the M-008 coherence scanner stays green. internal/api/router/router.go — 4 r.Register calls + new IntermediateCAs field on HandlerRegistry. cmd/server/main.go — wire the postgres repo + service + handler. Reuses the same signer.FileDriver instance the OCSP responder bootstrap path feeds. api/openapi.yaml — 4 new operationIds, full body schema + status- code dispatch. Tests (8 in this commit): TestIntermediateCA_Handler_NonAdmin_Returns403 (admin gate — table-driven across all 4 endpoints) TestIntermediateCA_Handler_AdminExplicitFalse_Returns403 (defensive: AdminKey present but false ≠ AdminKey absent) TestIntermediateCA_Handler_AdminPermitted_ForwardsActor (admin actor forwarded to service for audit attribution) TestIntermediateCA_HandlerCreate_RootDispatch (body discriminator: empty parent_ca_id → CreateRoot) TestIntermediateCA_HandlerCreate_ChildDispatch (body discriminator: parent_ca_id present → CreateChild) TestIntermediateCA_HandlerCreate_BadRequestOnMissingRootBundle (validation: no parent + no root bundle → 400) TestIntermediateCA_HandlerCreate_ServiceErrorMappings (table-driven: 7 service errors → expected HTTP codes) TestIntermediateCA_HandlerRetire_TwoPhaseConfirm (confirm=false then confirm=true forwarded correctly) TestIntermediateCA_HandlerRetire_StillHasActiveChildren_Returns409 (drain-first contract — 409 not 500) Verified locally: gofmt: clean. go vet ./...: exit 0. go test -short -count=1 ./internal/api/handler/...: ok 4.498s. bash scripts/ci-guards/openapi-handler-parity.sh: clean (router routes: 182, openapi operations: 148; the +4 new routes have +4 new operationIds — parity preserved). bash scripts/ci-guards/* (all 24 guards): clean. Out of scope of THIS commit (commit 5): - web/src/pages/IssuerHierarchyPage.tsx (recursive tree render). - docs/intermediate-ca-hierarchy.md sysadmin runbook (FedRAMP / financial-services / internal-PKI patterns). - docs/connectors.md hierarchy_mode row. - WORKSPACE-ROADMAP entries (HSM-backed roots, automated rotation, CRL chaining, NameConstraints templates, D3 dendrogram). Reference: cowork/rank-8-intermediate-ca-hierarchy-prompt.md, commit 4.	2026-05-04 02:26:24 +00:00

Author

SHA1

Message

Date

shankar0123

99a012e3be

auth-bundle-1 Phase 0: extract internal/auth/ from middleware package

Bundle 1 / Phase 0: pure refactor splitting auth surface out of internal/api/middleware so Bundle 2 (OIDC + sessions) and the broader RBAC primitive (roles, permissions, scoped grants) have a clean home.

Moved to internal/auth/: NamedAPIKey, HashAPIKey, AuthConfig, NewAuthWithNamedKeys, NewAuth, UserKey, AdminKey, GetUser, IsAdmin. Added testfixtures.go (WithActor / WithAdmin / WithActorAdmin) so handler tests don't construct context manually.

Stayed in internal/api/middleware/: RequestID, Logging, NewLogging, Recovery, RateLimitConfig, NewRateLimiter (now imports auth.GetUser for per-user keying per audit Category C), CORSConfig, NewCORS, ContentType, CORS, GetRequestID, responseWriter, Chain, audit middleware (now imports auth.GetUser).

Updated 22 caller files across cmd/, internal/api/handler/, internal/api/middleware/, internal/mcp/. Existing m008_admin_gate_test.go now scans for auth.IsAdmin( substring; Phase 3 will further evolve to track auth.RequirePermission. Behavior unchanged: all handler / middleware / service / connector / cmd / mcp tests pass with no test-logic edits, only import-path renames.

Phase 0 exit criteria: internal/auth/ exists with 6 files; middleware.go went 575 -> 422 lines (auth-related ~150 lines moved out); grep -rE 'middleware\.(GetUser|IsAdmin|UserKey|AdminKey|NamedAPIKey|HashAPIKey|NewAuth)' returns 0 hits; context.WithValue(.*middleware.UserKey/AdminKey) returns 0 hits; go vet ./... clean; go test -short ./... green across all packages tested.

Branch: dev/auth-bundle-1. Per cowork/auth-bundle-1-prompt.md, do not merge to master without (1) make verify green, (2) >= 2 external testers confirm, (3) >= 90% coverage on internal/auth/ in .github/coverage-thresholds.yml.

2026-05-09 15:51:31 +00:00

shankar0123

34adcfbbe5

api, handler: 4 admin-gated CA hierarchy endpoints + OpenAPI (Rank 8 commit 4)

Rank 8 commit 4 of 5. The API + RBAC layer that operators drive
the new hierarchy management surface from.

Endpoints (all admin-gated via middleware.IsAdmin; non-admin Bearer
callers get 403):
  POST /api/v1/issuers/{id}/intermediates
       Discriminator on body shape:
         empty parent_ca_id + root_cert_pem + key_driver_id
           → CreateRoot (registers operator-supplied root CA).
         parent_ca_id non-empty
           → CreateChild (signs new sub-CA cert under parent).
       Service-layer error → HTTP code mapping:
         ErrCANotSelfSigned         → 400
         ErrCAKeyMismatch           → 400
         ErrPathLenExceeded         → 400
         ErrNameConstraintExceeded  → 400
         ErrInvalidCertPEM          → 400
         ErrParentCANotActive       → 409
         ErrIntermediateCANotFound  → 404
         (other)                    → 500
  GET  /api/v1/issuers/{id}/intermediates
       Returns flat list ordered by created_at; caller renders the
       tree from each row's parent_ca_id (nil = root).
  GET  /api/v1/intermediates/{id}
       Single-row detail.
  POST /api/v1/intermediates/{id}/retire
       Two-phase: confirm=false → active→retiring; confirm=true →
       retiring→retired with active-children check (drain-first
       semantics; ErrCAStillHasActiveChildren → 409).

Files changed:
  internal/api/handler/intermediate_ca.go            — 4 handlers
                                                       + handler-defined
                                                       service interface
                                                       (dependency
                                                       inversion).
  internal/api/handler/intermediate_ca_test.go       — 8 test variants
                                                       (M-008 admin-
                                                       gate triplet
                                                       complete).
  internal/api/handler/m008_admin_gate_test.go       — register the
                                                       new admin-gated
                                                       handler in
                                                       AdminGatedHandlers
                                                       so the M-008
                                                       coherence
                                                       scanner stays
                                                       green.
  internal/api/router/router.go                      — 4 r.Register
                                                       calls + new
                                                       IntermediateCAs
                                                       field on
                                                       HandlerRegistry.
  cmd/server/main.go                                 — wire the
                                                       postgres repo +
                                                       service +
                                                       handler. Reuses
                                                       the same
                                                       signer.FileDriver
                                                       instance the
                                                       OCSP responder
                                                       bootstrap path
                                                       feeds.
  api/openapi.yaml                                   — 4 new
                                                       operationIds,
                                                       full body
                                                       schema + status-
                                                       code dispatch.

Tests (8 in this commit):
  TestIntermediateCA_Handler_NonAdmin_Returns403       (admin gate
    — table-driven across all 4 endpoints)
  TestIntermediateCA_Handler_AdminExplicitFalse_Returns403
    (defensive: AdminKey present but false ≠ AdminKey absent)
  TestIntermediateCA_Handler_AdminPermitted_ForwardsActor
    (admin actor forwarded to service for audit attribution)
  TestIntermediateCA_HandlerCreate_RootDispatch
    (body discriminator: empty parent_ca_id → CreateRoot)
  TestIntermediateCA_HandlerCreate_ChildDispatch
    (body discriminator: parent_ca_id present → CreateChild)
  TestIntermediateCA_HandlerCreate_BadRequestOnMissingRootBundle
    (validation: no parent + no root bundle → 400)
  TestIntermediateCA_HandlerCreate_ServiceErrorMappings
    (table-driven: 7 service errors → expected HTTP codes)
  TestIntermediateCA_HandlerRetire_TwoPhaseConfirm
    (confirm=false then confirm=true forwarded correctly)
  TestIntermediateCA_HandlerRetire_StillHasActiveChildren_Returns409
    (drain-first contract — 409 not 500)

Verified locally:
  gofmt: clean.
  go vet ./...: exit 0.
  go test -short -count=1 ./internal/api/handler/...: ok 4.498s.
  bash scripts/ci-guards/openapi-handler-parity.sh: clean
    (router routes: 182, openapi operations: 148; the +4 new routes
    have +4 new operationIds — parity preserved).
  bash scripts/ci-guards/* (all 24 guards): clean.

Out of scope of THIS commit (commit 5):
  - web/src/pages/IssuerHierarchyPage.tsx (recursive tree render).
  - docs/intermediate-ca-hierarchy.md sysadmin runbook (FedRAMP /
    financial-services / internal-PKI patterns).
  - docs/connectors.md hierarchy_mode row.
  - WORKSPACE-ROADMAP entries (HSM-backed roots, automated
    rotation, CRL chaining, NameConstraints templates, D3
    dendrogram).

Reference: cowork/rank-8-intermediate-ca-hierarchy-prompt.md, commit 4.

2026-05-04 02:26:24 +00:00

2 Commits