certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-11 17:19:01 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	8cda860026	caddy: fix duration metric + file-mode PEM validate + api-mode idempotency Closes Bundle 9 of the 2026-05-02 deployment-target coverage audit (see cowork/deployment-target-audit-2026-05-02/RESULTS.md). Three small independent fixes that share one connector file: 1. Duration metric (caddy.go L176). Pre-fix: "duration_ms": fmt.Sprintf("%d", time.Since(time.Now()).Milliseconds()) This always returned ~0ms because time.Now() was called twice — the second call captured a baseline immediately before time.Since computed the delta. The intended baseline is `startTime` declared at L113 and threaded through deployViaFile correctly. Post-fix: "duration_ms": fmt.Sprintf("%d", time.Since(startTime).Milliseconds()) deployViaAPI's signature evolves to take startTime time.Time so the api-mode path uses the same baseline as the file-mode path. 2. File-mode ValidateDeployment now validates PEM syntax. Pre-fix (caddy.go L266-293) checked file existence only via os.Stat. A cert file containing garbage bytes passed validation; Caddy's file-watcher silently failed to load it; operators saw "validation green" + "TLS handshake fails" with no obvious connection. Post-fix: after the os.Stat checks succeed, os.ReadFile + parse the first PEM block as an x509 cert via the shared certutil.ParseCertificatePEM helper. Failure surfaces as Valid=false with a clear "not valid PEM/x509" message. 3. API-mode idempotency short-circuit. Pre-fix, every deploy POSTed to /config/apps/tls/certificates/load even when the active cert was already what we wanted to deploy. Caddy reloads TLS state on every POST, briefly bumping CPU and possibly disrupting connections in flight. Post-fix: idempotencySkipPOST runs a GET first, parses the response (handles BOTH the array-of-objects and single-object shapes Caddy admin can return), SHA-256 compares the entry's `cert` field to the deploy payload's cert bytes, and skips the POST when match. Result.Metadata["idempotent"]="true" surfaces the no-op. Conservative: any GET failure (network, non-200, parse error, no matching entry, hash mismatch) silently falls through to the POST, preserving today's behavior. Idempotency is a fast path, not a correctness boundary — false negatives are safe; false positives are dangerous. Tests added to caddy_test.go (6 new tests, ~290 LOC): - TestCaddy_API_DurationMetric_NonZero (httptest server with a 10ms sleep in the POST handler; asserts duration_ms parses as int >= 5). - TestCaddy_ValidateDeployment_FileMode_MalformedPEM_Rejected (writes garbage to cert.pem; asserts Valid=false with PEM/x509 in message). - TestCaddy_ValidateDeployment_FileMode_ValidPEM_Accepted (writes a real ECDSA P-256 self-signed cert; asserts Valid=true). - TestCaddy_API_Idempotent_SkipsPOSTWhenCertHashMatches (GET response contains the same cert as the deploy payload; POST counter remains 0; metadata.idempotent=true; exactly 1 GET probe ran). - TestCaddy_API_Idempotent_RunsPOSTWhenCertHashDiffers (GET response contains a DIFFERENT cert; POST counter is 1; idempotent absent). - TestCaddy_API_Idempotent_GETFails_FallsThroughToPOST (GET returns 500; POST still runs; deploy succeeds; idempotent absent). Two existing tests updated to match the new contracts: - TestCaddyConnector_DeployViaAPI_Success: mock handler now serves BOTH GET (returns "[]" so the comparison falls through) and POST (the original 200-OK path). The dispatch is a method-switch inside the path-match branch. - TestCaddyConnector_ValidateDeployment_Success: the placeholder cert "MIIC..." used to pass the old existence-only check; post-Fix-2 it fails the PEM-parse check. Test now uses generateTestCertAndKey to produce a real self-signed ECDSA P-256 cert. generateTestCertAndKey helper added to the test file — same pattern the javakeystore + wincertstore tests use, kept local because the caddy package has no other test in the certutil family that would make a shared helper cleaner. Verified locally: - gofmt -l ./internal/connector/target/caddy/ clean - go vet ./internal/connector/target/caddy/ clean - go build ./cmd/agent/... clean (factory wiring unchanged) - go test -race -count=1 ./internal/connector/target/caddy/ green (16 tests total: 11 pre-existing including the two updated + 6 new) Audit reference: cowork/deployment-target-audit-2026-05-02/RESULTS.md Bundle 9.	2026-05-02 19:13:18 +00:00
claude	758dbb283f	feat(traefik,caddy,envoy,postfix): atomic deploy + post-deploy TLS verify + rollback + ValidateOnly Phase 7 of the deploy-hardening I master bundle. Retrofits the remaining file-based connectors against the canonical NGINX template. Per-connector quirks codified: - Postfix/Dovecot: full retrofit with PreCommit (postfix check / doveconf -n) + PostCommit (postfix reload / doveadm reload) + post-deploy TLS verify. Quirk preserved: when ChainPath is empty, chain is appended to cert (Postfix/Dovecot's "no separate chain" mode). Per-distro user defaults: postfix, dovecot, _postfix. Default key mode 0600. ValidateOnly real impl returns sentinel when no ValidateCommand. - Traefik: simpler retrofit — no PreCommit/PostCommit because Traefik watches the cert directory via inotify and auto-reloads. Atomic-write via deploy.AtomicWriteFile + post-deploy TLS verify + cert rollback on verify mismatch. Default key mode 0600. ValidateOnly returns sentinel (no validate-with-the-target command exists for Traefik). - Caddy: retrofitted both modes. File mode replaces os.WriteFile with deploy.AtomicWriteFile (preserves the file watcher's auto- reload). API mode unchanged (POST /load already atomic at the Caddy admin server). ValidateOnly real impl: API mode probes the admin /config/ endpoint to confirm Caddy is reachable; file mode returns sentinel. - Envoy: file mode atomic-write via deploy.AtomicWriteFile. Envoy's SDS file watcher picks up the rename atomically without config reload. ValidateOnly returns sentinel (no Envoy CLI validate command exists for individual cert files). Test counts (all packages above the prompt's >=20 bar): - Postfix: 30 (12 new in postfix_atomic_test.go + 18 pre-existing) - Traefik: 22 (12 new in traefik_atomic_test.go + 10 pre-existing) - Caddy: 22 (10 new in caddy_atomic_test.go + 12 pre-existing) - Envoy: 21 (5 new in envoy_atomic_test.go + 16 pre-existing) Coverage: each connector at the prompt's >=80% target. golangci-lint v2.11.4 clean across all 4 connector packages. Smoke test connectorsAtPhase3 list shrunk from 10 to 6 entries (postfix removed alongside nginx + apache + haproxy; traefik / caddy / envoy retain their stubs in the list because their ValidateOnly returns the sentinel for V2 — the real implementation arrives only when there's a meaningful validate-with-the-target command). Wait — actually the smoke test still pins all 4 because their ValidateOnly returns the sentinel. Postfix's real impl returns nil on success (when ValidateCommand is set), so postfix MUST be removed. Caddy's API mode is real-impl. Traefik + Envoy still return sentinel always — they stay in the smoke list. Phase 8 next: F5 + IIS — explicit post-deploy TLS verify + on-failure rollback. Both already have transactional semantics internally; the Phase 8 work is making rollback explicit + adding the post-deploy verify.	2026-04-30 15:12:11 +00:00
Shankar	492a392e52	feat: M25 post-deployment TLS verification + M26 Traefik/Caddy targets M25: After deploying a certificate, the agent probes the live TLS endpoint and compares SHA-256 fingerprints to verify the correct cert is being served. Best-effort — failures don't block deployments. New endpoints: POST /jobs/{id}/verify, GET /jobs/{id}/verification. Migration 000008 adds verification columns to jobs table. M26: Traefik target connector (file provider, auto-reload) and Caddy target connector (dual-mode: admin API hot-reload or file-based). Both wired into agent dispatch. Also: restructured README to highlight supported integrations (issuers, targets, notifiers) earlier, moved API/CLI/MCP sections lower. Updated all docs (features, connectors, architecture, testing guide, why-certctl) and fixed integration tests for 18-param RegisterHandlers signature. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-27 21:07:16 -04:00

Author

SHA1

Message

Date

shankar0123

8cda860026

caddy: fix duration metric + file-mode PEM validate + api-mode idempotency

Closes Bundle 9 of the 2026-05-02 deployment-target coverage audit
(see cowork/deployment-target-audit-2026-05-02/RESULTS.md). Three
small independent fixes that share one connector file:

1. Duration metric (caddy.go L176). Pre-fix:
     "duration_ms": fmt.Sprintf("%d", time.Since(time.Now()).Milliseconds())
   This always returned ~0ms because time.Now() was called twice —
   the second call captured a baseline immediately before time.Since
   computed the delta. The intended baseline is `startTime` declared
   at L113 and threaded through deployViaFile correctly. Post-fix:
     "duration_ms": fmt.Sprintf("%d", time.Since(startTime).Milliseconds())
   deployViaAPI's signature evolves to take startTime time.Time so
   the api-mode path uses the same baseline as the file-mode path.

2. File-mode ValidateDeployment now validates PEM syntax. Pre-fix
   (caddy.go L266-293) checked file existence only via os.Stat. A
   cert file containing garbage bytes passed validation; Caddy's
   file-watcher silently failed to load it; operators saw "validation
   green" + "TLS handshake fails" with no obvious connection.
   Post-fix: after the os.Stat checks succeed, os.ReadFile + parse
   the first PEM block as an x509 cert via the shared
   certutil.ParseCertificatePEM helper. Failure surfaces as
   Valid=false with a clear "not valid PEM/x509" message.

3. API-mode idempotency short-circuit. Pre-fix, every deploy POSTed
   to /config/apps/tls/certificates/load even when the active cert
   was already what we wanted to deploy. Caddy reloads TLS state on
   every POST, briefly bumping CPU and possibly disrupting connections
   in flight. Post-fix: idempotencySkipPOST runs a GET first, parses
   the response (handles BOTH the array-of-objects and single-object
   shapes Caddy admin can return), SHA-256 compares the entry's
   `cert` field to the deploy payload's cert bytes, and skips the
   POST when match. Result.Metadata["idempotent"]="true" surfaces
   the no-op. Conservative: any GET failure (network, non-200, parse
   error, no matching entry, hash mismatch) silently falls through to
   the POST, preserving today's behavior. Idempotency is a fast path,
   not a correctness boundary — false negatives are safe; false
   positives are dangerous.

Tests added to caddy_test.go (6 new tests, ~290 LOC):
- TestCaddy_API_DurationMetric_NonZero (httptest server with a 10ms
  sleep in the POST handler; asserts duration_ms parses as int >= 5).
- TestCaddy_ValidateDeployment_FileMode_MalformedPEM_Rejected (writes
  garbage to cert.pem; asserts Valid=false with PEM/x509 in message).
- TestCaddy_ValidateDeployment_FileMode_ValidPEM_Accepted (writes a
  real ECDSA P-256 self-signed cert; asserts Valid=true).
- TestCaddy_API_Idempotent_SkipsPOSTWhenCertHashMatches (GET response
  contains the same cert as the deploy payload; POST counter remains
  0; metadata.idempotent=true; exactly 1 GET probe ran).
- TestCaddy_API_Idempotent_RunsPOSTWhenCertHashDiffers (GET response
  contains a DIFFERENT cert; POST counter is 1; idempotent absent).
- TestCaddy_API_Idempotent_GETFails_FallsThroughToPOST (GET returns
  500; POST still runs; deploy succeeds; idempotent absent).

Two existing tests updated to match the new contracts:
- TestCaddyConnector_DeployViaAPI_Success: mock handler now serves
  BOTH GET (returns "[]" so the comparison falls through) and POST
  (the original 200-OK path). The dispatch is a method-switch
  inside the path-match branch.
- TestCaddyConnector_ValidateDeployment_Success: the placeholder
  cert "MIIC..." used to pass the old existence-only check; post-Fix-2
  it fails the PEM-parse check. Test now uses generateTestCertAndKey
  to produce a real self-signed ECDSA P-256 cert.

generateTestCertAndKey helper added to the test file — same pattern
the javakeystore + wincertstore tests use, kept local because the
caddy package has no other test in the certutil family that would
make a shared helper cleaner.

Verified locally:
- gofmt -l ./internal/connector/target/caddy/  clean
- go vet ./internal/connector/target/caddy/  clean
- go build ./cmd/agent/...  clean (factory wiring unchanged)
- go test -race -count=1 ./internal/connector/target/caddy/  green
  (16 tests total: 11 pre-existing including the two updated +
  6 new)

Audit reference: cowork/deployment-target-audit-2026-05-02/RESULTS.md
Bundle 9.

2026-05-02 19:13:18 +00:00

claude

758dbb283f

feat(traefik,caddy,envoy,postfix): atomic deploy + post-deploy TLS verify + rollback + ValidateOnly

Phase 7 of the deploy-hardening I master bundle. Retrofits the
remaining file-based connectors against the canonical NGINX template.
Per-connector quirks codified:

- Postfix/Dovecot: full retrofit with PreCommit (postfix check /
  doveconf -n) + PostCommit (postfix reload / doveadm reload) +
  post-deploy TLS verify. Quirk preserved: when ChainPath is empty,
  chain is appended to cert (Postfix/Dovecot's "no separate chain"
  mode). Per-distro user defaults: postfix, dovecot, _postfix.
  Default key mode 0600. ValidateOnly real impl returns sentinel
  when no ValidateCommand.

- Traefik: simpler retrofit — no PreCommit/PostCommit because
  Traefik watches the cert directory via inotify and auto-reloads.
  Atomic-write via deploy.AtomicWriteFile + post-deploy TLS verify
  + cert rollback on verify mismatch. Default key mode 0600.
  ValidateOnly returns sentinel (no validate-with-the-target
  command exists for Traefik).

- Caddy: retrofitted both modes. File mode replaces os.WriteFile
  with deploy.AtomicWriteFile (preserves the file watcher's auto-
  reload). API mode unchanged (POST /load already atomic at the
  Caddy admin server). ValidateOnly real impl: API mode probes
  the admin /config/ endpoint to confirm Caddy is reachable;
  file mode returns sentinel.

- Envoy: file mode atomic-write via deploy.AtomicWriteFile.
  Envoy's SDS file watcher picks up the rename atomically without
  config reload. ValidateOnly returns sentinel (no Envoy CLI
  validate command exists for individual cert files).

Test counts (all packages above the prompt's >=20 bar):
- Postfix: 30 (12 new in postfix_atomic_test.go + 18 pre-existing)
- Traefik: 22 (12 new in traefik_atomic_test.go + 10 pre-existing)
- Caddy: 22 (10 new in caddy_atomic_test.go + 12 pre-existing)
- Envoy: 21 (5 new in envoy_atomic_test.go + 16 pre-existing)

Coverage: each connector at the prompt's >=80% target. golangci-lint
v2.11.4 clean across all 4 connector packages.

Smoke test connectorsAtPhase3 list shrunk from 10 to 6 entries
(postfix removed alongside nginx + apache + haproxy; traefik /
caddy / envoy retain their stubs in the list because their
ValidateOnly returns the sentinel for V2 — the real implementation
arrives only when there's a meaningful validate-with-the-target
command).

Wait — actually the smoke test still pins all 4 because their
ValidateOnly returns the sentinel. Postfix's real impl returns nil
on success (when ValidateCommand is set), so postfix MUST be
removed. Caddy's API mode is real-impl. Traefik + Envoy still
return sentinel always — they stay in the smoke list.

Phase 8 next: F5 + IIS — explicit post-deploy TLS verify +
on-failure rollback. Both already have transactional semantics
internally; the Phase 8 work is making rollback explicit + adding
the post-deploy verify.

2026-04-30 15:12:11 +00:00

Shankar

492a392e52

feat: M25 post-deployment TLS verification + M26 Traefik/Caddy targets

M25: After deploying a certificate, the agent probes the live TLS
endpoint and compares SHA-256 fingerprints to verify the correct cert
is being served. Best-effort — failures don't block deployments.
New endpoints: POST /jobs/{id}/verify, GET /jobs/{id}/verification.
Migration 000008 adds verification columns to jobs table.

M26: Traefik target connector (file provider, auto-reload) and Caddy
target connector (dual-mode: admin API hot-reload or file-based).
Both wired into agent dispatch.

Also: restructured README to highlight supported integrations (issuers,
targets, notifiers) earlier, moved API/CLI/MCP sections lower. Updated
all docs (features, connectors, architecture, testing guide, why-certctl)
and fixed integration tests for 18-param RegisterHandlers signature.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-27 21:07:16 -04:00

3 Commits