certctl

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 18:01:37 +00:00

Author	SHA1	Message	Date
shankar0123	21aeed4f4e	legal: addlicense headers + normalize legacy variants (Phase 0 RED-4) Phase 0 closure (Path B2, post-rewrite): addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1 SPDX header to every production Go file. Template: // Copyright 2026 certctl LLC. All rights reserved. // SPDX-License-Identifier: BUSL-1.1 Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding _test.go and /testdata/). Pre-sweep coverage was 22 / 338 (6.5%); post-sweep is 338 / 338 (100%). Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl` + `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a `Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1` is non-standard; the official SPDX identifier for Business Source License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the canonical form. Generated via: addlicense -c "certctl LLC" -y 2026 \ -f cowork/legal/copyright-header.tpl \ -ignore '/testdata/' -ignore '/_test.go' \ cmd/ internal/ Verification: find cmd internal -name '.go' -not -name '_test.go' \ -not -path '/testdata/' \ -exec grep -L '^// Copyright 2026 certctl LLC' {} \; \| wc -l Returns: 0 gofmt clean. Header additions are comments only, no compile impact. Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4	2026-05-13 21:23:35 +00:00
shankar0123	8b75e0311b	chore: rename Go module path to github.com/certctl-io/certctl Mechanical sed across the main go.mod's module declaration, the f5-mock-icontrol sub-module's go.mod, every Go file's import path (361 files), and a rebuild of the checked-in f5-mock-icontrol binary so its embedded build-info reflects the new module path. No behavior change. Choice B from cowork/transfer-certctl-to-org.md, executed 2026-05-04. Choice A (keep module path declared as github.com/shankar0123/certctl regardless of repo URL) shipped on the day of the org transfer (2026-05-03) since we had no external Go consumers; this commit closes that deferral. Backward-compat: GitHub HTTP redirects continue to forward github.com/shankar0123/certctl → github.com/certctl-io/certctl at the URL level, but Go's module proxy uses the path declared in go.mod as the canonical name. Pre-fix, anyone trying `go get github.com/certctl-io/certctl/...` hit a "module path mismatch" error because go.mod said github.com/shankar0123/certctl and the URL they fetched it from said certctl-io/certctl. Post-fix, the canonical name and the URL agree, so go get / go install / external Go consumers / Go-tooling integrations work cleanly via either the new path (preferred) or the old path (which redirects and Go follows the redirect for source fetch). Anyone still importing the old path inside their own code keeps working provided they update their go.mod's `require` line to match — the module path declared in their consumer's go.sum / go.mod is the authoritative import name, so a mass sed across their import statements is the migration on the consumer side. No external consumers exist today. Diff shape: 361 *.go files — import path replacement only 2 go.mod — module declaration replacement only 1 binary — deploy/test/f5-mock-icontrol/f5-mock-icontrol rebuilt so embedded build-info reflects the new path (8618965 vs 8618933 bytes; 32-byte diff is the build-info change) Total: 364 files, 730 insertions / 730 deletions, net-zero size, pure mechanical substitution. Verification: gofmt: 17 files needed re-alignment after sed (the new path is one char shorter than the old, so column-aligned import groups drifted). Applied `gofmt -w` to fix. go mod tidy: clean exit on both modules. go vet ./...: clean exit. go build ./...: clean exit. go test -short -count=1 on representative packages: all green (internal/domain, internal/validation, internal/crypto, internal/crypto/signer, cmd/agent). Test output now reads `ok github.com/certctl-io/certctl/...` confirming the module path resolves correctly. binary: f5-mock-icontrol rebuilt; `strings \| grep shankar0123` returns nothing; `strings \| grep certctl-io/certctl` shows the new module path embedded in build-info. Files intentionally NOT touched in this commit: README.md / CHANGELOG.md / docs/ / etc. — already swept to certctl-io URLs in commit `0729ee4` (the post-transfer URL refresh). This commit is purely the Go-tooling layer. Scarf pixels (`shankar0123.docker.scarf.sh/...`) — Scarf-account namespace, not a Go import or GitHub repo URL. Stays. This is a non-blocking, non-customer-impacting change. Operators pulling container images, running `make verify`, hitting the API, or installing the agent see no functional difference. Only Go-tooling consumers (none today) are affected, and they're enabled — not broken — by this commit.	2026-05-04 00:30:29 +00:00
shankar0123	c351bba41a	acme-server: orders + authorizations + finalize + cert download (Phase 2/7) Closes the issuance loop in trust_authenticated mode (commits `ec88a61` + `44a85d6` wired the foundation + JWS-verified account resource). After this commit, an ACME client running against a profile with acme_auth_mode='trust_authenticated' end-to-end-issues a real cert: POST /acme/profile/<id>/new-order → 201 + order URL (status=ready) POST /acme/profile/<id>/order/<oid> → POST-as-GET fetch POST /acme/profile/<id>/order/<oid>/finalize → 200 + status=valid + cert URL POST /acme/profile/<id>/cert/<cid> → 200 + PEM chain Profiles with acme_auth_mode='challenge' get the same code path with authz/challenge rows in `pending` state until Phase 3's validators wire up. The mode is read from the bound profile's column at request time, NOT cached at server start — operators flipping the column via SQL take effect on the next order without restart. Architecture (the load-bearing part): - Finalize routes through service.CertificateService.Create — the canonical certctl issuance entry point that wraps the managed_certificates row insert + audit row in s.tx.WithinTx. RenewalPolicy / CertificateProfile / per-issuer-type Prometheus metrics / audit rows all apply uniformly to ACME-issued certs via the same code path that already serves EST/SCEP/agent/REST issuance. - Identifier validation runs BEFORE order creation. Rejected identifiers return RFC 7807 with per-identifier subproblems and create no order row. - Source stamp on managed_certificates: domain.CertificateSourceACME. Operators bulk-revoke ACME-issued certs by filtering on Source=ACME. - 3-step atomicity boundary documented in code + this commit msg: (A) WithinTx-A marks order processing + audit row. (B) IssuerConnector.IssueCertificate + CertificateService.Create (each in its own WithinTx — Create wraps cert row + audit atomically). (C) WithinTx-C creates certificate_versions row + transitions order to valid + sets certificate_id + audit row. The brief window between B and C can leave a managed_certificates row whose order is still in `processing`. Phase 5's GC scheduler reconciles. Documented inline. What ships: - internal/api/acme/order.go: OrderResponseJSON + AuthorizationResponseJSON + ChallengeResponseJSON + NewOrderRequest + FinalizeRequest wire shapes; ValidateIdentifiers (Phase 2 syntactic checks, dns-only); CSRMatchesIdentifiers (RFC 8555 §7.4 strict equality, case-folded). - internal/domain/acme.go: ACMEOrder + ACMEAuthorization + ACMEChallenge + ACMEIdentifier + ACMEProblem domain types + closed status enums for each (order: pending\|ready\|processing\|valid\|invalid; authz: pending\|valid\|invalid\|deactivated\|expired\|revoked; challenge: pending\|processing\|valid\|invalid; challenge type: http-01\|dns-01\| tls-alpn-01). - internal/domain/profile.go: new ACMEAuthMode field reading from certificate_profiles.acme_auth_mode (added in migration 25). - internal/domain/certificate.go: new CertificateSourceACME enum value. - internal/repository/postgres/profile.go: extended SELECT/scanProfile to read the per-profile acme_auth_mode column with a COALESCE default of trust_authenticated. - internal/repository/postgres/acme.go: full order/authz/challenge CRUD (CreateOrderWithTx + GetOrderByID + UpdateOrderWithTx + CreateAuthzWithTx + GetAuthzByID + ListAuthzsByOrder + ListChallengesByAuthz + CreateChallengeWithTx) with proper sql.NullTime + JSONB handling. scanACMEOrder / scanACMEAuthz / scanACMEChallenge helpers. - internal/service/acme.go: extended ACMERepo interface; new SetIssuancePipeline wires certificateService + certificateRepo + issuerRegistry. CreateOrder (auth-mode-dispatched: trust_authenticated auto-marks order ready + authz valid + 1 placeholder http-01 challenge valid; challenge mode keeps everything pending). LookupOrder (with account-ownership assertion). LookupAuthz. ListAuthzsByOrder. FinalizeOrder (3-step atomicity boundary as above; CSR-vs-order SAN strict-equality check before issuance; persists FinalizeOrderResult {Order, CertID}). LookupCertificate. randIDSuffix + base32encode helpers for the human-readable acme-ord-* / acme-authz-* / acme-chall-* prefixes (CLAUDE.md "TEXT primary keys with human- readable prefixes" architecture decision). 8 new per-op metrics. - internal/service/acme_test.go: extended fakeACMERepo with Phase 2 interface stubs; new orderTrackingRepo for observable persistence; 2 new tests asserting trust_authenticated → auto-ready/valid and challenge → stays-pending. - internal/api/handler/acme.go: NewOrder + Order + OrderFinalize + Authz + Cert handler methods. orderURL / authzURL / certURL / challengeURLBuilder helpers; marshalOrderForResponse fetches per-order authzs to populate the URL list. parseOptionalTime for notBefore / notAfter. - internal/api/handler/acme_handler_test.go: extended mockACMEService with Phase 2 method stubs; 4 new handler tests (NewOrder happy + rejected-identifier + OrderFinalize bad-CSR + Cert happy). - internal/api/router/router.go: 10 new Register calls (5 per-profile + 5 shorthand) for new-order, order/{ord_id}, order/{ord_id}/finalize, authz/{authz_id}, cert/{cert_id}. - internal/api/router/openapi_parity_test.go + api/openapi-handler-exceptions.yaml: 10 new exception entries. - cmd/server/main.go: SetIssuancePipeline at startup, threading certificateService + certificateRepo + issuerRegistry into ACMEService. - docs/acme-server.md: phase status updated; endpoints table grows 5 rows for new-order/order/finalize/authz/cert (per-profile + shorthand variants); new section "Finalize routing through CertificateService.Create" documenting the 3-step atomicity boundary + the actor-string convention `acme:<account-id>`. Tests: ACME package + service + handler + router + config + domain all green under -short. New cases: - TestCreateOrder_TrustAuthenticated_AutoReady (asserts auto-ready transition + valid-status authz/challenge + audit row + metric bump). - TestCreateOrder_ChallengeMode_StaysPending (asserts pending-status cascading authz/challenge for challenge mode). - TestACMEHandler_NewOrder_HappyPath (asserts 201 + Location + finalize URL shape). - TestACMEHandler_NewOrder_RejectedIdentifier (asserts 400 + RFC 7807 rejectedIdentifier + per-identifier subproblems for type=ip). - TestACMEHandler_OrderFinalize_BadCSR (asserts 400 + badCSR for non-base64 CSR field). - TestACMEHandler_Cert_HappyPath (asserts 200 + PEM content-type + PEM chain in body). Engineering history: cowork/WORKSPACE-CHANGELOG.md "ACME-Server-2".	2026-05-03 13:46:10 +00:00
shankar0123	43075a1b5c	EST RFC 7030 hardening master bundle Phases 5-7: end-to-end serverkeygen + profile-driven csrattrs + admin observability with per-status counters + reload-trust endpoint. Phase 5 — RFC 7030 §4.4 server-driven key generation: - internal/pkcs7/envelopeddata_builder.go is the inverse of the existing parser/decryptor: AES-256-CBC content cipher + RSA PKCS#1 v1.5 keyTrans + per-call random IV. Round-trip pinned in test (BuildEnvelopedData → ParseEnvelopedData → Decrypt returns the original plaintext byte-for-byte). - ESTService.SimpleServerKeygen runs the full §4.4 flow: parse client CSR → require RSA pubkey for keyTrans → resolve per-profile algorithm (RSA-2048 default; honors AllowedKeyAlgorithms) → in- memory keygen → re-build CSR with server pubkey → run existing issuer pipeline → marshal PKCS#8 → CMS-EnvelopedData wrap to a synthetic recipient cert wrapping the device's CSR-supplied pubkey → zeroize plaintext + PKCS#8 bytes → return CertPEM + ChainPEM + EncryptedKey. Typed sentinels ErrServerKeygenRequiresKey- Encipherment / ErrServerKeygenUnsupportedAlgorithm / ErrServerKeygenDisabled. - ESTHandler.ServerKeygen + ServerKeygenMTLS emit RFC 7030 §4.4.2 multipart/mixed with random per-response boundary; per-profile SetServerKeygenEnabled gate returns 404 when off (defense in depth even if the route was registered). - New routes POST /.well-known/est/[<PathID>/]serverkeygen + /.well-known/est-mtls/<PathID>/serverkeygen; openapi.yaml + openapi-parity guard updated. Phase 6 — Real csrattrs implementation: - New CertificateProfile.RequiredCSRAttributes []string + migration 000022_certificate_profiles_csrattrs.up.sql. The migration also lands the previously-unwired must_staple column (closes the 5.6 follow-up loop where the field shipped at the domain + service layer but the postgres scan/insert/update never persisted it). - domain.EKUStringToOID + AttributeStringToOID lookup tables: id-kp-* EKUs (RFC 5280 §4.2.1.12) + RFC 5280 DN attributes + RFC 2985 PKCS#10 attributes + Microsoft Intune device-serial OID. - ESTService.GetCSRAttrs replaces the v2.0.x nil/204 stub with a profile-derived SEQUENCE OF OID ASN.1 marshal. Unknown EKU / attribute strings dropped + warning-logged so a typo doesn't take down the entire endpoint. Phase 7 — Admin observability + counters + reload-trust: - internal/service/est_counters.go: estCounterTab (sync/atomic; 12 named labels) + ESTStatsSnapshot per-profile shape + ESTService.Stats(now) zero-allocation accessor + ReloadTrust() SIGHUP-equivalent + SetESTAdminMetadata setter. - Counter ticks wired into processEnrollment + SimpleServerKeygen at every success/failure leg. - internal/api/handler/admin_est.go mirrors AdminSCEPIntune verbatim: Profiles + ReloadTrust handlers + AdminESTServiceImpl. Both endpoints admin-gated (M-008 triplet pinned + admin_est.go added to AdminGatedHandlers). - New routes GET /api/v1/admin/est/profiles + POST /api/v1/admin/ est/reload-trust; openapi.yaml documented; openapi-parity guard reproduced clean. - cmd/server/main.go grows estServices map populated by the per- profile EST loop + handed to AdminEST. New MTLSTrust() + HasMTLSTrust() accessors on ESTHandler so main.go can pull the trust holder for the admin-metadata wire-up. - Per-profile counter isolation regression test (internal/service/est_profile_counter_isolation_test.go) proves a future shared-counter refactor would fail at compile-time pointer-identity check. Pre-commit verification (sandbox): gofmt clean, go vet clean (excluding repository/postgres which the sandbox can't build — disk-space testcontainers download), staticcheck clean across cms/trustanchor/api/handler/api/router/scep/intune/ratelimit/ service/pkcs7/domain/cmd/server, go test -short -count=1 green for every non-postgres package. G-3 docs-drift guard reproduced locally clean (Phases 5-7 added zero new env vars; Phase 1 already documented per-profile SERVER_KEYGEN_ENABLED). Spec preserved at cowork/est-rfc7030-hardening-prompt.md. Phases 8-13 (GUI ESTAdminPage / CLI+MCP / libest e2e / bulk revocation / docs/est.md / release prep) remain — post-2.1.0 work.	2026-04-29 23:57:45 +00:00
shankar0123	0e29c416b1	refactor(handler,repo): replace strings.Contains error dispatch with typed sentinels (S-2) Closes one 2026-04-24 audit finding (P2): - cat-s6-efc7f6f6bd50: 30 strings.Contains(err.Error(), ...) sites in internal/api/handler/ — brittle to repository-layer message changes, untyped against the actual failure mode. Approach (Option B from prompt design notes): - New typed sentinels in internal/repository/errors.go: ErrNotFound, ErrForeignKeyConstraint IsForeignKeyError(err) helper (the only place substring matching at the lib/pq boundary is allowed; isolates the DB-driver string knowledge to one function). - New typed sentinel in internal/domain/errors.go: ErrValidation (reserved for future per-entity validation wrappers; not yet used by all handlers). - 49 sites in internal/repository/postgres/*.go updated to wrap sql.ErrNoRows-derived errors via fmt.Errorf("...: %w", repository.ErrNotFound). - 18 not-found handler sites + 2 FK-constraint handler sites refactored to errors.Is(err, repository.ErrNotFound) / repository.IsForeignKeyError(err). - 23 inline `fmt.Errorf("X not found")` test fixtures across handler tests rewrapped to wrap repository.ErrNotFound. - test_utils.go::ErrMockNotFound rewrapped to wrap repository.ErrNotFound; renewal_policy.go closure docblock updated to reflect the new convention. - integration test mockJobRepository.Get wraps repository.ErrNotFound. CI regression guardrail: - .github/workflows/ci.yml::"Forbidden strings.Contains(err.Error()) regression guard (S-2)" greps for the three patterns ("not found", "violates foreign key", "RESTRICT") under internal/api/handler/ and fails the build on regression. Verification: - go build ./... — clean - go vet ./... — clean - go test ./... -short -count=1 — all packages pass (handler + repository + service + integration) - golangci-lint v2.11.4 run ./... — 0 issues - S-2 guardrail dry-run on post-fix tree → empty (good) - All sibling guardrails (S-1, G-3, D-1+D-2, B-1, L-1, H-1, C-1, F-1, P-1) pass Audit findings closed: - cat-s6-efc7f6f6bd50 (P2) Deferred follow-ups: - 6 domain-specific substring patterns still inline in handlers ("cannot approve", "cannot reject", "cannot be parsed", "no certificates found", "challenge password", "invalid"/ "required" validation chains in profiles + agent_groups). Each needs its own typed sentinel, scoped per service. Documented by the S-2 CI guardrail's allowlist for closure-comments only. - Per-entity not-found sentinels (Option A — ErrCertificateNotFound, ErrAgentNotFound, etc.) deferred. Generic ErrNotFound covers the current dispatch needs; per-entity precision would let handlers return entity-aware error bodies without a domain.Type field, but not blocking.	2026-04-25 17:54:14 +00:00
shankar0123	a579a84c7f	feat: M11a — certificate profiles, crypto policy enforcement, short-lived cert expiry Add certificate profiles as named enrollment templates that control allowed key algorithms, max TTL, permitted EKUs, required SAN patterns, and optional SPIFFE URI SANs. CSR submissions are validated against profile rules at signing time (key type + minimum size). Short-lived certs (TTL < 1 hour) auto-expire via a new scheduler loop — expiry acts as revocation, no CRL/OCSP needed. New files: - Migration 000003: certificate_profiles table, FK columns on managed_certificates/renewal_policies, key metadata on certificate_versions - domain/profile.go: CertificateProfile + KeyAlgorithmRule structs - repository/postgres/profile.go: full CRUD with JSONB marshaling - service/profile.go: ProfileService with validation + audit logging - service/crypto_validation.go: CSR-against-profile validation (RSA/ECDSA/Ed25519) - handler/profiles.go: 5 HTTP endpoints under /api/v1/profiles - web/src/pages/ProfilesPage.tsx: profiles management page Modified: - renewal.go: CSR validation in CompleteAgentCSRRenewal, ExpireShortLivedCertificates - scheduler.go: 30s short-lived expiry check loop - certificate.go (repo): nullable profile FK, key metadata on versions - main.go: profile repo/service/handler wiring, 8-param NewRenewalService - router.go: 12-param RegisterHandlers with profile routes - seed_demo.sql: 4 demo profiles (standard, mtls, short-lived, high-security) - Frontend: types, API client, routing, sidebar nav Tests: 40 new tests across handler (15), service (13), crypto validation (12) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-20 20:39:49 -04:00

6 Commits