gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-08 21:58:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: gsadmin/certctl:v2.0.21
Branches Tags
gsadmin/certctl:master
gsadmin/certctl:v2.1.7 gsadmin/certctl:v2.1.6 gsadmin/certctl:v2.1.5 gsadmin/certctl:v2.1.4 gsadmin/certctl:v2.1.3 gsadmin/certctl:v2.1.2 gsadmin/certctl:v2.1.1 gsadmin/certctl:v2.1.0 gsadmin/certctl:v2.0.72 gsadmin/certctl:v2.0.71 gsadmin/certctl:v2.0.70 gsadmin/certctl:v2.0.69 gsadmin/certctl:v2.0.68 gsadmin/certctl:v2.0.67 gsadmin/certctl:v2.0.66 gsadmin/certctl:v2.0.65 gsadmin/certctl:v2.0.64 gsadmin/certctl:v2.0.63 gsadmin/certctl:v2.0.62 gsadmin/certctl:v2.0.61 gsadmin/certctl:v2.0.60 gsadmin/certctl:v2.0.59 gsadmin/certctl:v2.0.57 gsadmin/certctl:v2.0.56 gsadmin/certctl:v2.0.55 gsadmin/certctl:v2.0.53 gsadmin/certctl:v2.0.54 gsadmin/certctl:v2.0.51 gsadmin/certctl:v2.0.52 gsadmin/certctl:v2.0.50 gsadmin/certctl:checkpoint/m1-migration-wip gsadmin/certctl:v2.0.49 gsadmin/certctl:v2.0.48 gsadmin/certctl:v2.0.47 gsadmin/certctl:v2.0.46 gsadmin/certctl:v2.0.45 gsadmin/certctl:v2.0.44 gsadmin/certctl:v2.0.43 gsadmin/certctl:v2.0.42 gsadmin/certctl:v2.0.41 gsadmin/certctl:v2.0.40 gsadmin/certctl:v2.0.39 gsadmin/certctl:v2.0.38 gsadmin/certctl:v2.0.37 gsadmin/certctl:v2.0.36 gsadmin/certctl:v2.0.35 gsadmin/certctl:v2.0.34 gsadmin/certctl:v2.0.33 gsadmin/certctl:v2.0.32 gsadmin/certctl:v2.0.31 gsadmin/certctl:v2.0.30 gsadmin/certctl:v2.0.29 gsadmin/certctl:v2.0.28 gsadmin/certctl:v2.0.27 gsadmin/certctl:v2.0.26 gsadmin/certctl:v2.0.25 gsadmin/certctl:v2.0.24 gsadmin/certctl:v2.0.23 gsadmin/certctl:v2.0.22 gsadmin/certctl:v2.0.21 gsadmin/certctl:v2.0.20 gsadmin/certctl:v2.0.19 gsadmin/certctl:v2.0.18 gsadmin/certctl:v2.0.17 gsadmin/certctl:v2.0.16 gsadmin/certctl:v2.0.15 gsadmin/certctl:v2.0.14 gsadmin/certctl:v2.0.13 gsadmin/certctl:v2.0.12 gsadmin/certctl:v2.0.11 gsadmin/certctl:v2.0.10 gsadmin/certctl:v2.0.9 gsadmin/certctl:v2.0.8 gsadmin/certctl:v2.0.7 gsadmin/certctl:v2.0.6 gsadmin/certctl:v2.0.5 gsadmin/certctl:v2.0.4 gsadmin/certctl:v2.0.3 gsadmin/certctl:v2.0.2 gsadmin/certctl:v2.0.1 gsadmin/certctl:v2.0.0 gsadmin/certctl:v1.0.0
..
compare: gsadmin/certctl:v2.0.23
Branches Tags
gsadmin/certctl:master
gsadmin/certctl:v2.1.7 gsadmin/certctl:v2.1.6 gsadmin/certctl:v2.1.5 gsadmin/certctl:v2.1.4 gsadmin/certctl:v2.1.3 gsadmin/certctl:v2.1.2 gsadmin/certctl:v2.1.1 gsadmin/certctl:v2.1.0 gsadmin/certctl:v2.0.72 gsadmin/certctl:v2.0.71 gsadmin/certctl:v2.0.70 gsadmin/certctl:v2.0.69 gsadmin/certctl:v2.0.68 gsadmin/certctl:v2.0.67 gsadmin/certctl:v2.0.66 gsadmin/certctl:v2.0.65 gsadmin/certctl:v2.0.64 gsadmin/certctl:v2.0.63 gsadmin/certctl:v2.0.62 gsadmin/certctl:v2.0.61 gsadmin/certctl:v2.0.60 gsadmin/certctl:v2.0.59 gsadmin/certctl:v2.0.57 gsadmin/certctl:v2.0.56 gsadmin/certctl:v2.0.55 gsadmin/certctl:v2.0.53 gsadmin/certctl:v2.0.54 gsadmin/certctl:v2.0.51 gsadmin/certctl:v2.0.52 gsadmin/certctl:v2.0.50 gsadmin/certctl:checkpoint/m1-migration-wip gsadmin/certctl:v2.0.49 gsadmin/certctl:v2.0.48 gsadmin/certctl:v2.0.47 gsadmin/certctl:v2.0.46 gsadmin/certctl:v2.0.45 gsadmin/certctl:v2.0.44 gsadmin/certctl:v2.0.43 gsadmin/certctl:v2.0.42 gsadmin/certctl:v2.0.41 gsadmin/certctl:v2.0.40 gsadmin/certctl:v2.0.39 gsadmin/certctl:v2.0.38 gsadmin/certctl:v2.0.37 gsadmin/certctl:v2.0.36 gsadmin/certctl:v2.0.35 gsadmin/certctl:v2.0.34 gsadmin/certctl:v2.0.33 gsadmin/certctl:v2.0.32 gsadmin/certctl:v2.0.31 gsadmin/certctl:v2.0.30 gsadmin/certctl:v2.0.29 gsadmin/certctl:v2.0.28 gsadmin/certctl:v2.0.27 gsadmin/certctl:v2.0.26 gsadmin/certctl:v2.0.25 gsadmin/certctl:v2.0.24 gsadmin/certctl:v2.0.23 gsadmin/certctl:v2.0.22 gsadmin/certctl:v2.0.21 gsadmin/certctl:v2.0.20 gsadmin/certctl:v2.0.19 gsadmin/certctl:v2.0.18 gsadmin/certctl:v2.0.17 gsadmin/certctl:v2.0.16 gsadmin/certctl:v2.0.15 gsadmin/certctl:v2.0.14 gsadmin/certctl:v2.0.13 gsadmin/certctl:v2.0.12 gsadmin/certctl:v2.0.11 gsadmin/certctl:v2.0.10 gsadmin/certctl:v2.0.9 gsadmin/certctl:v2.0.8 gsadmin/certctl:v2.0.7 gsadmin/certctl:v2.0.6 gsadmin/certctl:v2.0.5 gsadmin/certctl:v2.0.4 gsadmin/certctl:v2.0.3 gsadmin/certctl:v2.0.2 gsadmin/certctl:v2.0.1 gsadmin/certctl:v2.0.0 gsadmin/certctl:v1.0.0

5 Commits
v2.0.21 .. v2.0.23

Author SHA1 Message Date
shankar0123 9feb6c796d feat(M42): Postfix/Dovecot mail server target connector 
Dual-mode TLS connector for mail servers — single package with mode
field selecting Postfix or Dovecot defaults. File-based cert/key
deployment with correct permissions (cert 0644, key 0600), optional
chain append, shell injection prevention, and configurable
reload/validate commands. 18 tests covering config validation,
deployment, and security. GUI wizard fields and OpenAPI enum updated.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-03 01:46:15 -04:00
shankar0123 fd05bacb76 feat(M41): Envoy target connector with SDS support 
File-based deployment for Envoy service mesh — writes cert/key/chain
to watched directory with optional SDS JSON config for xDS bootstrap.
Path traversal prevention, configurable filenames, 15 tests passing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-03 01:23:35 -04:00
shankar0123 f51571297d docs: update README for M39 WinRM completion 
Update test count (1,521+), IIS target description (local + WinRM),
architecture section (proxy agent mention), and integration list.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-02 21:00:39 -04:00
shankar0123 9a41d0ca39 feat(M39): IIS WinRM proxy agent mode + front-to-back wiring 
Complete the IIS target connector with dual-mode deployment:
- WinRM proxy agent mode via masterzen/winrm for remote Windows servers
- Base64 PFX transfer with try/finally cleanup on remote host
- GUI wizard updated with 13 IIS config fields including WinRM settings
- TargetDetailPage sensitive field redaction (password/secret/token/key)
- OpenAPI TargetType enum updated (added Traefik, Caddy)
- connectors.md fully documented with WinRM proxy config example
- 38 total IIS tests (10 new WinRM tests), all passing with race detection

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-02 20:53:20 -04:00
shankar0123 8b52da6aef feat(M39): IIS target connector + README overhaul 
Implement full IIS target connector with PEM-to-PFX conversion via
go-pkcs12, PowerShell-based deployment (Import-PfxCertificate, IIS
binding management), SHA-1 thumbprint computation, and SNI support.
Injectable PowerShellExecutor interface enables cross-platform testing.
Regex-validated config fields prevent PowerShell injection. 28 tests.

Restructure README from 563 to 313 lines: outcome-focused feature
descriptions, "Who Is This For" persona section, examples promoted
above the fold, configuration/API/security reference moved to docs.
All numbers verified against repo (25 GUI pages, 97 OpenAPI ops,
CI thresholds service 55%/handler 60%/domain 40%/middleware 30%).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-02 20:27:27 -04:00
18 changed files with 3786 additions and 450 deletions
Expand all files Collapse all files
README.md
+91 -336
View File
@@ -14,7 +14,7 @@
TLS certificate lifespans are shrinking fast. The CA/Browser Forum passed [Ballot SC-081v3](https://cabforum.org/2025/04/11/ballot-sc081v3-introduce-schedule-of-reducing-validity-and-data-reuse-periods/) unanimously in April 2025, setting a phased reduction: **200 days** by March 2026, **100 days** by March 2027, and **47 days** by March 2029. Organizations managing dozens or hundreds of certificates can no longer rely on spreadsheets, calendar reminders, or manual renewal workflows. The math doesn't work — at 47-day lifespans, a team managing 100 certificates is processing 7+ renewals per week, every week, forever.
certctl is a self-hosted platform that automates the entire certificate lifecycle — from issuance through renewal to deployment — with zero human intervention. It works with any certificate authority, deploys to any server, and keeps private keys on your infrastructure where they belong.
certctl is a self-hosted platform that automates the entire certificate lifecycle — from issuance through renewal to deployment — with zero human intervention. It works with any certificate authority, deploys to any server, and keeps private keys on your infrastructure where they belong. It's free, self-hosted, and covers the same lifecycle that enterprise platforms charge $100K+/year for.
```mermaid
gantt
@@ -36,53 +36,41 @@ gantt
47 days :crit, 2020-01-01, 47d
```
## Documentation
| Guide | Description |
|-------|-------------|
| [Why certctl?](docs/why-certctl.md) | Competitive positioning — how certctl compares to open-source and enterprise certificate management platforms |
| [Concepts](docs/concepts.md) | TLS certificates explained from scratch — for beginners who know nothing about certs |
| [Quick Start](docs/quickstart.md) | Get running in 5 minutes — dashboard, API, CLI, discovery, stakeholder demo flow |
| [Advanced Demo](docs/demo-advanced.md) | Issue a certificate end-to-end with technical deep-dives |
| [Architecture](docs/architecture.md) | System design, data flow diagrams, security model |
| [Feature Inventory](docs/features.md) | Complete reference of all V2 capabilities, API endpoints, and configuration |
| [Connectors](docs/connectors.md) | Build custom issuer, target, and notifier connectors |
| [Compliance Mapping](docs/compliance.md) | SOC 2 Type II, PCI-DSS 4.0, NIST SP 800-57 alignment guides |
| [Migrate from Certbot](docs/migrate-from-certbot.md) | Step-by-step migration from Certbot/Let's Encrypt cron jobs |
| [Migrate from acme.sh](docs/migrate-from-acmesh.md) | Migration guide for acme.sh users with DNS-01 scripts |
| [certctl for cert-manager Users](docs/certctl-for-cert-manager-users.md) | Using certctl alongside cert-manager for non-Kubernetes infrastructure |
> **Next release:** v2.1.0 will be tagged after the full V2 feature suite passes manual QA across all 34 sections of the [testing guide](docs/testing-guide.md). Automated CI (1,300+ Go tests + 211 frontend tests) gates every commit; the manual playbook covers integration, deployment, and UX verification that unit tests can't reach.
> **Actively maintained — shipping weekly.** Found something? [Open a GitHub issue](https://github.com/shankar0123/certctl/issues) — issues get triaged same-day. CI runs 1,554+ tests with race detection, static analysis, and vulnerability scanning on every commit.
## Why certctl Exists
Certificate lifecycle tooling today falls into two camps: expensive enterprise platforms (Venafi, Keyfactor, Sectigo) that cost six figures and take months to deploy, or single-purpose tools (cert-manager, certbot) that handle one slice of the problem. If you run a mixed infrastructure — some NGINX, some Apache, a few HAProxy nodes, maybe an F5 — and you need to manage certificates from multiple CAs, there's nothing self-hosted that covers the full lifecycle without vendor lock-in.
Certificate lifecycle tooling today falls into two camps: expensive enterprise platforms (Venafi, Keyfactor, Sectigo) that cost six figures and take months to deploy, or single-purpose tools (cert-manager, certbot) that handle one slice of the problem. If you run a mixed infrastructure — some NGINX, some Apache, a few HAProxy nodes, IIS on Windows, maybe an F5 — and you need to manage certificates from multiple CAs, there's nothing self-hosted that covers the full lifecycle without vendor lock-in.
certctl fills that gap. It's **CA-agnostic** the issuer connector interface means you can plug in any certificate authority: a self-signed local CA for dev, Let's Encrypt via ACME for public certs, Smallstep step-ca for your private PKI, your enterprise ADCS via sub-CA mode, or any custom CA through a shell script adapter. You're never locked to a single CA vendor, and you can run multiple issuers simultaneously for different certificate types.
certctl fills that gap. It's **CA-agnostic** — plug in any certificate authority: Let's Encrypt via ACME, Smallstep step-ca, HashiCorp Vault PKI, DigiCert CertCentral, your enterprise ADCS via sub-CA mode, or any custom CA through a shell script adapter. Run multiple issuers simultaneously for different certificate types.
It's also **target-agnostic**. Agents deploy certificates to NGINX, Apache, HAProxy, Traefik, and Caddy — all using the same pluggable connector model for any server that accepts cert files. The control plane never initiates outbound connections — agents poll for work, which means certctl works behind firewalls, across network zones, and in air-gapped environments.
It's **target-agnostic**. Agents deploy certificates to NGINX, Apache, HAProxy, Traefik, Caddy, Envoy, Postfix, Dovecot, and IIS (local PowerShell or remote WinRM) — all using the same pluggable connector model. The control plane never initiates outbound connections — agents poll for work, which means certctl works behind firewalls, across network zones, and in air-gapped environments.
For a detailed comparison with CertKit, KeyTalk, and enterprise platforms (Venafi, Keyfactor), see [Why certctl?](docs/why-certctl.md)
For a detailed comparison with CertKit, KeyTalk, and enterprise platforms, see [Why certctl?](docs/why-certctl.md)
## Who Is This For
**Platform engineering and DevOps teams** managing 10500+ certificates across mixed infrastructure who need automated renewal, deployment, and a single dashboard for visibility. If you're currently running certbot cron jobs, manually renewing certs, or stitching together scripts — certctl replaces all of that.
**Security and compliance teams** who need an immutable audit trail, certificate ownership tracking, policy enforcement, and evidence for SOC 2, PCI-DSS 4.0, or NIST SP 800-57 audits.
**Small teams without enterprise budgets** who need the lifecycle automation that Venafi and Keyfactor provide but can't justify six-figure licensing for a 50-server environment.
## What It Does
certctl gives you a single pane of glass for every TLS certificate in your organization:
- **Certificates renew and deploy themselves.** The scheduler monitors expiration, creates renewal jobs, issues certificates through your CA, and deploys them to target servers — all without human intervention. ACME ARI (RFC 9702) lets your CA tell certctl exactly when to renew.
- **Web dashboard** 24 operational pages: certificate inventory, deployment timeline with TLS verification, bulk operations (renew/revoke/reassign), discovery triage, network scan management, approval workflows, audit trail with CSV/JSON export, agent fleet overview with OS/arch grouping, short-lived credential monitoring, digest email preview
- **REST API** — 97 endpoints under `/api/v1/` + `/.well-known/est/` for complete automation, with sparse fields, sort, cursor pagination, and time-range filters
- **Agents** — generate private keys locally (ECDSA P-256), discover existing certs on disk (PEM/DER), submit CSRs only (private keys never leave your servers)
- **Network scanner** — discovers certificates on TLS endpoints across CIDR ranges without requiring agents, concurrent scanning with configurable timeouts
- **Certificate export** — PEM (JSON or file download) and PKCS#12 formats, with audit trail; private keys never included
- **S/MIME + EKU support** — issue certificates with emailProtection, codeSigning, timeStamping, clientAuth EKUs; email SAN routing for S/MIME
- **EST server** (RFC 7030) — device and WiFi certificate enrollment via industry-standard protocol
- **Post-deployment verification** — agent-side TLS probe confirms the target serves the correct certificate by SHA-256 fingerprint match
- **Approval workflows** — require human sign-off on renewals before deployment
- **Background scheduler** — 7 automated loops: renewal checks, job processing, agent health, notifications, short-lived cert expiry, network scanning, and scheduled certificate digest emails
- **ACME Renewal Information (ARI, RFC 9702)** — CA-directed renewal timing; certctl asks the CA when to renew instead of using fixed thresholds
- **Scheduled certificate digest emails** — HTML digest with certificate stats, expiration timeline, and job health; optional daily briefing via SMTP
- **Helm chart** — Production-ready Kubernetes deployment with server, PostgreSQL, and agent DaemonSet
- **You see everything in one place.** A 25-page operational dashboard shows every certificate across every server: status, ownership, expiration timeline, deployment history with TLS verification, discovery triage, and real-time agent fleet health. Bulk operations (renew, revoke, reassign) work across selections.
For the full capability breakdown — revocation infrastructure, policy engine, observability, EST enrollment, and more — see the [Feature Inventory](docs/features.md).
- **Private keys never leave your servers.** Agents generate ECDSA P-256 keys locally and submit only the CSR. The control plane never touches private keys. Post-deployment TLS verification confirms the right certificate is actually being served.
- **Discover what you don't know about.** Agents scan filesystems for existing PEM/DER certificates. The network scanner probes TLS endpoints across CIDR ranges without requiring agents. Both feed into a triage workflow where you claim, dismiss, or import discovered certificates.
- **Everything is auditable.** Immutable append-only audit trail records every lifecycle action, every API call, and every approval decision. Certificate digest emails deliver daily briefings. Prometheus metrics endpoint for Grafana dashboards.
- **Multiple interfaces for different workflows.** REST API (97 endpoints) for automation, CLI for scripting, MCP server for AI assistants (Claude, Cursor, Windsurf), EST server (RFC 7030) for device enrollment, Helm chart for Kubernetes, and the web dashboard for day-to-day operations.
For the full capability breakdown — revocation infrastructure (CRL + OCSP), policy engine, certificate profiles, S/MIME support, approval workflows, and more — see the [Feature Inventory](docs/features.md).
## Supported Integrations
@@ -109,8 +97,11 @@ For the full capability breakdown — revocation infrastructure, policy engine,
| HAProxy | Implemented | `HAProxy` |
| Traefik | Implemented | `Traefik` |
| Caddy | Implemented | `Caddy` |
| Envoy | Implemented | `Envoy` |
| Postfix | Implemented | `Postfix` |
| Dovecot | Implemented | `Dovecot` |
| Microsoft IIS | Implemented (local + WinRM) | `IIS` |
| F5 BIG-IP | Interface only | `F5` |
| Microsoft IIS | Interface only | `IIS` |
### Notifiers
| Notifier | Status | Type |
@@ -143,7 +134,7 @@ All connectors are pluggable — build your own by implementing the [connector i
<td><a href="docs/screenshots/v2-issuers.png"><img src="docs/screenshots/v2-issuers.png" width="270" alt="Issuers"></a><br><b>Issuers</b><br><sub>Local CA, ACME, step-ca, Vault PKI, DigiCert</sub></td>
</tr>
<tr>
<td><a href="docs/screenshots/v2-targets.png"><img src="docs/screenshots/v2-targets.png" width="270" alt="Targets"></a><br><b>Targets</b><br><sub>NGINX, Apache, HAProxy, Traefik, Caddy deployment</sub></td>
<td><a href="docs/screenshots/v2-targets.png"><img src="docs/screenshots/v2-targets.png" width="270" alt="Targets"></a><br><b>Targets</b><br><sub>NGINX, Apache, HAProxy, Traefik, Caddy, IIS deployment</sub></td>
<td><a href="docs/screenshots/v2-owners.png"><img src="docs/screenshots/v2-owners.png" width="270" alt="Owners"></a><br><b>Owners</b><br><sub>Cert ownership with team assignment</sub></td>
<td><a href="docs/screenshots/v2-teams.png"><img src="docs/screenshots/v2-teams.png" width="270" alt="Teams"></a><br><b>Teams</b><br><sub>Org grouping for notification routing</sub></td>
</tr>
@@ -154,17 +145,8 @@ All connectors are pluggable — build your own by implementing the [connector i
</tr>
</table>
> **24 operational GUI pages** covering the full certificate lifecycle: dashboard, certificates (list + detail with EKU badges, deployment timeline, TLS verification status), agents, fleet overview, jobs (list + detail with approval workflow), notifications, policies, profiles, issuers (catalog + detail), targets (list + detail + wizard), owners, teams, agent groups, audit trail, short-lived credentials, discovery triage, network scan management, digest email preview, and observability metrics.
## Quick Start
### Docker Pull
```bash
docker pull shankar0123.docker.scarf.sh/certctl-server
docker pull shankar0123.docker.scarf.sh/certctl-agent
```
### Docker Compose (Recommended)
```bash
@@ -177,7 +159,6 @@ Wait ~30 seconds, then open **http://localhost:8443** in your browser.
The dashboard comes pre-loaded with 32 demo certificates across 7 issuers, 8 agents, 180 days of job history, discovery scan data, and network scan targets — a realistic snapshot of a certificate inventory that looks like it's been running for months.
Verify the API:
```bash
curl http://localhost:8443/health
# {"status":"healthy"}
@@ -194,32 +175,30 @@ curl -sSL https://raw.githubusercontent.com/shankar0123/certctl/master/install-a
Detects your OS and architecture, downloads the binary, configures systemd (Linux) or launchd (macOS), and starts the agent. See [install-agent.sh](install-agent.sh) for details.
### Manual Build
### Docker Pull
```bash
# Prerequisites: Go 1.25+, PostgreSQL 16+, Docker (for testcontainers-go)
go mod download
make build
# Set up database
export CERTCTL_DATABASE_URL="postgres://certctl:certctl@localhost:5432/certctl?sslmode=disable"
export CERTCTL_AUTH_TYPE=none
make migrate-up
# Start server
./bin/server
# Start agent (separate terminal)
export CERTCTL_SERVER_URL=http://localhost:8443
export CERTCTL_API_KEY=change-me-in-production
export CERTCTL_AGENT_NAME=local-agent
export CERTCTL_AGENT_ID=agent-local-01
./bin/agent --agent-id=agent-local-01
docker pull shankar0123.docker.scarf.sh/certctl-server
docker pull shankar0123.docker.scarf.sh/certctl-agent
```
## Examples
Pick the scenario closest to your setup and have it running in 2 minutes.
| Example | Scenario |
|---------|----------|
| [`examples/acme-nginx/`](examples/acme-nginx/) | Let's Encrypt + NGINX, HTTP-01 challenges |
| [`examples/acme-wildcard-dns01/`](examples/acme-wildcard-dns01/) | Wildcard certs via DNS-01 (Cloudflare hook included) |
| [`examples/private-ca-traefik/`](examples/private-ca-traefik/) | Local CA (self-signed or sub-CA) + Traefik file provider |
| [`examples/step-ca-haproxy/`](examples/step-ca-haproxy/) | Smallstep step-ca + HAProxy combined PEM |
| [`examples/multi-issuer/`](examples/multi-issuer/) | ACME for public + Local CA for internal, one dashboard |
Each directory contains a `docker-compose.yml` and a `README.md` explaining the scenario, prerequisites, and customization.
## Architecture
**Control plane** (Go 1.25 net/http) → **PostgreSQL 16** (21 tables, TEXT primary keys) → **Agents** (key generation, CSR submission, cert deployment). Background scheduler runs 7 loops: renewal checks (1h), job processing (30s), agent health (2m), notifications (1m), short-lived cert expiry (30s), network scanning (6h), certificate digest (24h). See [Architecture Guide](docs/architecture.md) for full system diagrams and data flow.
**Control plane** (Go 1.25 net/http) → **PostgreSQL 16** (21 tables, TEXT primary keys) → **Agents** (key generation, CSR submission, cert deployment). For Windows servers without a local agent, a proxy agent in the same network zone handles deployment via WinRM. Background scheduler runs 7 loops: renewal checks (1h), job processing (30s), agent health (2m), notifications (1m), short-lived cert expiry (30s), network scanning (6h), certificate digest (24h). See [Architecture Guide](docs/architecture.md) for full system diagrams and data flow.
### Key Design Decisions
@@ -228,206 +207,23 @@ export CERTCTL_AGENT_ID=agent-local-01
- **Handler → Service → Repository layering.** Handlers define their own service interfaces for clean dependency inversion. No global service singletons.
- **Idempotent migrations.** All schema uses `IF NOT EXISTS` and seed data uses `ON CONFLICT (id) DO NOTHING`, safe for repeated execution.
PostgreSQL 16 with 21 tables covering certificates, versions, policies, issuers, targets, agents, jobs, teams, owners, profiles, agent groups, revocations, discovery, network scans, and audit events. See the [Architecture Guide](docs/architecture.md) for the full schema.
## Documentation
## Configuration
All environment variables use the `CERTCTL_` prefix. Full reference below (39 variables across server, agent, and connector config).
### Server — Core
| Variable | Default | Description |
|----------|---------|-------------|
| `CERTCTL_SERVER_HOST` | `127.0.0.1` | Server bind address |
| `CERTCTL_SERVER_PORT` | `8080` | Server listen port (165535) |
| `CERTCTL_DATABASE_URL` | `postgres://localhost/certctl` | PostgreSQL connection string (required) |
| `CERTCTL_DATABASE_MAX_CONNS` | `25` | PostgreSQL connection pool size (min 1) |
| `CERTCTL_DATABASE_MIGRATIONS_PATH` | `./migrations` | Path to migration SQL files |
| `CERTCTL_MAX_BODY_SIZE` | `1048576` | Max HTTP request body in bytes (default 1MB) |
| `CERTCTL_LOG_LEVEL` | `info` | Log verbosity: `debug`, `info`, `warn`, `error` |
| `CERTCTL_LOG_FORMAT` | `json` | Log format: `json` (structured) or `text` (human-readable) |
### Server — Auth, CORS, Rate Limiting
| Variable | Default | Description |
|----------|---------|-------------|
| `CERTCTL_AUTH_TYPE` | `api-key` | Auth mode: `api-key`, `jwt`, or `none` (demo only) |
| `CERTCTL_AUTH_SECRET` | — | Required for `api-key` and `jwt` auth types |
| `CERTCTL_CORS_ORIGINS` | *(empty = deny all)* | Comma-separated allowed origins, or `*` for dev |
| `CERTCTL_RATE_LIMIT_ENABLED` | `true` | Enable token bucket rate limiting |
| `CERTCTL_RATE_LIMIT_RPS` | `50` | Requests per second per client |
| `CERTCTL_RATE_LIMIT_BURST` | `100` | Max burst size |
| `CERTCTL_KEYGEN_MODE` | `agent` | Key generation: `agent` (production) or `server` (demo only) |
### Server — Scheduler
| Variable | Default | Description |
|----------|---------|-------------|
| `CERTCTL_SCHEDULER_RENEWAL_CHECK_INTERVAL` | `1h` | How often to check expiring certs (min 1m) |
| `CERTCTL_SCHEDULER_JOB_PROCESSOR_INTERVAL` | `30s` | How often to process pending jobs (min 1s) |
| `CERTCTL_SCHEDULER_AGENT_HEALTH_CHECK_INTERVAL` | `2m` | Agent heartbeat check frequency (min 1s) |
| `CERTCTL_SCHEDULER_NOTIFICATION_PROCESS_INTERVAL` | `1m` | Notification send frequency (min 1s) |
### Server — Sub-CA Mode
| Variable | Default | Description |
|----------|---------|-------------|
| `CERTCTL_CA_CERT_PATH` | — | PEM-encoded CA certificate for sub-CA mode |
| `CERTCTL_CA_KEY_PATH` | — | PEM-encoded CA private key (RSA, ECDSA, PKCS#8) |
### Server — Feature Flags
| Variable | Default | Description |
|----------|---------|-------------|
| `CERTCTL_EST_ENABLED` | `false` | Enable RFC 7030 EST enrollment endpoints |
| `CERTCTL_EST_ISSUER_ID` | `iss-local` | Which issuer processes EST enrollments |
| `CERTCTL_EST_PROFILE_ID` | — | Constrain EST to a specific certificate profile |
| `CERTCTL_NETWORK_SCAN_ENABLED` | `false` | Enable server-side TLS network scanning |
| `CERTCTL_NETWORK_SCAN_INTERVAL` | `6h` | How often scheduled scans run |
| `CERTCTL_VERIFY_DEPLOYMENT` | `true` | TLS verification after certificate deployment |
| `CERTCTL_VERIFY_TIMEOUT` | `10s` | TLS probe timeout |
| `CERTCTL_VERIFY_DELAY` | `2s` | Delay before verification probe |
### Server — Notification Connectors
| Variable | Default | Description |
|----------|---------|-------------|
| `CERTCTL_SLACK_WEBHOOK_URL` | — | Slack incoming webhook URL (enables Slack) |
| `CERTCTL_SLACK_CHANNEL` | — | Override default webhook channel |
| `CERTCTL_SLACK_USERNAME` | `certctl` | Bot display name |
| `CERTCTL_TEAMS_WEBHOOK_URL` | — | Microsoft Teams webhook URL (enables Teams) |
| `CERTCTL_PAGERDUTY_ROUTING_KEY` | — | PagerDuty Events API v2 key (enables PagerDuty) |
| `CERTCTL_PAGERDUTY_SEVERITY` | `warning` | Event severity: `info`, `warning`, `error`, `critical` |
| `CERTCTL_OPSGENIE_API_KEY` | — | OpsGenie Alert API key (enables OpsGenie) |
| `CERTCTL_OPSGENIE_PRIORITY` | `P3` | Alert priority: `P1``P5` |
### Agent
| Variable | Default | Description |
|----------|---------|-------------|
| `CERTCTL_SERVER_URL` | `http://localhost:8080` | Control plane URL |
| `CERTCTL_API_KEY` | — | Agent API key for authentication |
| `CERTCTL_AGENT_ID` | — | Registered agent ID (required) |
| `CERTCTL_KEY_DIR` | `/var/lib/certctl/keys` | Private key storage directory (0600 perms) |
| `CERTCTL_DISCOVERY_DIRS` | — | Directories to scan for existing certs (comma-separated) |
Docker Compose overrides for the demo stack are in `deploy/docker-compose.yml`.
## Development
```bash
# Install dev tools (golangci-lint, migrate CLI, air)
make install-tools
# Run tests
make test
# Run tests with race detection (same as CI)
go test -race ./internal/service/... ./internal/api/handler/... ./internal/api/middleware/... ./internal/scheduler/... ./internal/connector/... ./internal/domain/... ./internal/validation/...
# Run with coverage
make test-coverage
# Lint (runs golangci-lint with project config)
make lint
# Vulnerability scan
govulncheck ./...
# Format
make fmt
```
### CI Pipeline
Every push and PR runs: `go vet`, `go test -race` (race detection), `golangci-lint` (11 linters including gosec and bodyclose), `govulncheck` (dependency CVE scanning), and per-layer coverage thresholds (service 60%, handler 60%, domain 40%, middleware 50%). Frontend CI runs TypeScript type checking, Vitest tests, and Vite production build. See `.github/workflows/ci.yml` for details.
### Docker Compose
```bash
make docker-up # Start stack (server + postgres + agent)
make docker-down # Stop stack
make docker-logs-server # Server logs
make docker-logs-agent # Agent logs
make docker-clean # Stop + remove volumes
```
## Security
### Private Key Management
- **Agent keygen mode (default)**: Agents generate ECDSA P-256 keys locally and store them with 0600 permissions in `CERTCTL_KEY_DIR` (default `/var/lib/certctl/keys`). Only the CSR (public key) is sent to the control plane. Private keys never leave agent infrastructure.
- **Server keygen mode (demo only)**: Set `CERTCTL_KEYGEN_MODE=server` for development/demo with Local CA. The control plane generates RSA-2048 keys server-side. A log warning is emitted at startup.
### Authentication
- Agent-to-server: API key (registered at agent creation)
- API key and JWT auth types supported; `none` for demo/development
- Auth type and secret configured via `CERTCTL_AUTH_TYPE` and `CERTCTL_AUTH_SECRET`
### CORS
- **Deny-by-default**: Empty `CERTCTL_CORS_ORIGINS` blocks all cross-origin requests. Operators must explicitly list allowed origins (comma-separated) or set `*` for development.
### Input Validation
- Shell command injection prevention on all connector scripts (strict character whitelist, no metacharacters)
- RFC 1123 domain name validation, base64url ACME token validation
- SSRF protection in network scanner (loopback, link-local, multicast, broadcast ranges filtered)
### Concurrency Safety
- Scheduler loops protected by `sync/atomic.Bool` idempotency guards — duplicate ticks are skipped
- Graceful shutdown waits up to 30 seconds for in-flight work before database close
### Audit Trail
- Immutable append-only log in PostgreSQL (`audit_events` table)
- Every lifecycle action attributed to an actor with timestamp and resource reference
- No update or delete operations on audit records
- Every API call recorded to audit trail with method, path, actor, SHA-256 body hash, response status, and latency
## API Overview
97 endpoints under `/api/v1/` + `/.well-known/est/`, all returning JSON. List endpoints support pagination, sparse field selection (`?fields=`), sort (`?sort=-notAfter`), time-range filters, and cursor-based pagination. Full request/response schemas in the [OpenAPI 3.1 spec](api/openapi.yaml).
### Key Endpoints
```
# Certificate lifecycle
GET /api/v1/certificates List (filter, sort, cursor, sparse fields)
POST /api/v1/certificates/{id}/renew Trigger renewal → 202 Accepted
POST /api/v1/certificates/{id}/revoke Revoke with RFC 5280 reason code
GET /api/v1/certificates/{id}/export/pem Export PEM (JSON or file download)
POST /api/v1/certificates/{id}/export/pkcs12 Export PKCS#12 bundle (no private key)
GET /api/v1/crl/{issuer_id} DER-encoded X.509 CRL
GET /api/v1/ocsp/{issuer_id}/{serial} OCSP responder (good/revoked/unknown)
# Agent operations
POST /api/v1/agents/{id}/csr Submit CSR for issuance
GET /api/v1/agents/{id}/work Poll for pending deployment jobs
POST /api/v1/agents/{id}/discoveries Submit certificate discovery scan results
# Discovery & network scanning
GET /api/v1/discovered-certificates List discovered certs (?agent_id, ?status)
POST /api/v1/discovered-certificates/{id}/claim Link to managed cert
POST /api/v1/network-scan-targets/{id}/scan Trigger immediate TLS scan
# Jobs & approval
POST /api/v1/jobs/{id}/approve Approve interactive renewal
POST /api/v1/jobs/{id}/reject Reject interactive renewal
# Post-deployment verification
POST /api/v1/jobs/{id}/verify Submit TLS verification result
GET /api/v1/jobs/{id}/verification Get verification status
# Observability
GET /api/v1/metrics/prometheus Prometheus exposition format
GET /api/v1/stats/summary Dashboard summary
# Digest emails (scheduled briefing)
GET /api/v1/digest/preview HTML email preview
POST /api/v1/digest/send Send digest immediately
# EST enrollment (RFC 7030)
POST /.well-known/est/simpleenroll Device certificate enrollment
GET /.well-known/est/cacerts CA certificate chain (PKCS#7)
```
Full CRUD is available for certificates, agents, issuers, targets, teams, owners, policies, profiles, agent groups, notifications, and audit events. See the [OpenAPI spec](api/openapi.yaml) or [Feature Inventory](docs/features.md) for the complete endpoint reference.
| Guide | Description |
|-------|-------------|
| [Why certctl?](docs/why-certctl.md) | How certctl compares to open-source and enterprise certificate management platforms |
| [Concepts](docs/concepts.md) | TLS certificates explained from scratch — for beginners who know nothing about certs |
| [Quick Start](docs/quickstart.md) | Extended quickstart — dashboard, API, CLI, discovery, stakeholder demo flow |
| [Advanced Demo](docs/demo-advanced.md) | Issue a certificate end-to-end with technical deep-dives |
| [Architecture](docs/architecture.md) | System design, data flow diagrams, security model |
| [Feature Inventory](docs/features.md) | Complete reference of all V2 capabilities, API endpoints, and configuration |
| [Configuration Reference](docs/features.md) | All 39 environment variables across server, agent, and connector config |
| [Connectors](docs/connectors.md) | Build custom issuer, target, and notifier connectors |
| [Compliance Mapping](docs/compliance.md) | SOC 2 Type II, PCI-DSS 4.0, NIST SP 800-57 alignment guides |
| [Migrate from Certbot](docs/migrate-from-certbot.md) | Step-by-step migration from Certbot/Let's Encrypt cron jobs |
| [Migrate from acme.sh](docs/migrate-from-acmesh.md) | Migration guide for acme.sh users with DNS-01 scripts |
| [certctl for cert-manager Users](docs/certctl-for-cert-manager-users.md) | Using certctl alongside cert-manager for non-Kubernetes infrastructure |
| [OpenAPI 3.1 Spec](api/openapi.yaml) | 97 operations, full request/response schemas |
## CLI
@@ -439,38 +235,26 @@ go install github.com/shankar0123/certctl/cmd/cli@latest
export CERTCTL_SERVER_URL=http://localhost:8443
export CERTCTL_API_KEY=your-api-key
# Certificate commands
# Usage
certctl-cli certs list # List all certificates
certctl-cli certs get mc-api-prod # Get certificate details
certctl-cli certs renew mc-api-prod # Trigger renewal
certctl-cli certs revoke mc-api-prod --reason keyCompromise
# Agent and job commands
certctl-cli agents list # List registered agents
certctl-cli jobs list # List jobs
certctl-cli jobs cancel job-123 # Cancel a pending job
# Operations
certctl-cli status # Server health + summary stats
certctl-cli import certs.pem # Bulk import from PEM file
# Output formats
certctl-cli certs list --format json # JSON output (default: table)
```
## MCP Server (AI Integration)
certctl ships a standalone MCP (Model Context Protocol) server that exposes all 80 API endpoints as tools for AI assistants — Claude, Cursor, Windsurf, OpenClaw, VS Code Copilot, and any MCP-compatible client.
certctl ships a standalone MCP (Model Context Protocol) server that exposes all API endpoints as tools for AI assistants — Claude, Cursor, Windsurf, OpenClaw, VS Code Copilot, and any MCP-compatible client.
```bash
# Install
# Install and run
go install github.com/shankar0123/certctl/cmd/mcp-server@latest
# Configure
export CERTCTL_SERVER_URL=http://localhost:8443
export CERTCTL_API_KEY=your-api-key
# Run (stdio transport — add to your AI client config)
mcp-server
```
@@ -489,73 +273,44 @@ mcp-server
}
```
## Security
certctl is designed with a security-first architecture. Agents generate ECDSA P-256 keys locally — private keys never touch the control plane. API key auth is enforced by default with SHA-256 hashing and constant-time comparison. CORS is deny-by-default. All connector scripts are validated against shell injection. The network scanner filters reserved IP ranges (SSRF protection). Scheduler loops use atomic idempotency guards. Every API call is recorded to an immutable audit trail with actor attribution, SHA-256 body hash, and latency tracking. See the [Architecture Guide](docs/architecture.md) for the full security model.
## Development
```bash
make build # Build server + agent binaries
make test # Run tests
make lint # golangci-lint (11 linters)
govulncheck ./... # Vulnerability scan
make docker-up # Start Docker Compose stack
```
CI runs on every push: `go vet`, `go test -race`, `golangci-lint`, `govulncheck`, and per-layer coverage thresholds (service 55%, handler 60%, domain 40%, middleware 30%). Frontend CI runs TypeScript type checking, Vitest tests, and Vite production build.
## Roadmap
### V1 (v1.0.0)
### V1 (v1.0.0) — Shipped
Core lifecycle management — Local CA + ACME v2 issuers, NGINX target connector, agent-side key generation, API auth + rate limiting, React dashboard, CI pipeline with coverage gates, Docker images on GHCR.
### V2: Operational Maturity
### V2: Operational Maturity — Shipped
30+ milestones, 1,554+ tests. Sub-CA mode, ACME DNS-01/DNS-PERSIST-01, step-ca, Vault PKI, DigiCert CertCentral, OpenSSL/Custom CA issuers. NGINX, Apache, HAProxy, Traefik, Caddy, Envoy, Postfix, Dovecot, IIS targets. RFC 5280 revocation with CRL + OCSP. Certificate profiles, ownership tracking, approval workflows. Filesystem and network certificate discovery. Prometheus metrics, dashboard charts, agent fleet overview. EST server (RFC 7030), ACME ARI (RFC 9702), certificate export, S/MIME support, Helm chart, MCP server, CLI, scheduled digest emails. Slack, Teams, PagerDuty, OpsGenie, SMTP notifications. Compliance mapping (SOC 2, PCI-DSS 4.0, NIST SP 800-57). See the [Feature Inventory](docs/features.md) for details.
30+ milestones complete, 1,500+ tests. See the [Feature Inventory](docs/features.md) for details on every capability.
**What shipped (all ✅):**
- **Issuers** — Sub-CA mode (enterprise root chains), ACME DNS-01 + DNS-PERSIST-01 (wildcard certs, any DNS provider), step-ca (native /sign API), OpenSSL/Custom CA (script-based signing), ACME ARI (RFC 9702, CA-directed renewal timing)
- **Revocation** — RFC 5280 reason codes, DER-encoded X.509 CRL, embedded OCSP responder, short-lived cert exemption
- **Profiles + Ownership** — certificate profiles (key types, max TTL, crypto constraints), ownership tracking (owners + teams), dynamic agent groups, interactive renewal approval
- **GUI Operations** — bulk renew/revoke/reassign, deployment timeline, inline policy editor, target wizard, audit export (CSV/JSON), short-lived credentials view
- **Discovery** — filesystem scanning (PEM/DER) + network TLS scanning (CIDR ranges), triage workflow (claim/dismiss), network scan target management
- **Observability** — Prometheus + JSON metrics, 5 stats API endpoints, dashboard charts (heatmap, trends, distribution), agent fleet overview, structured logging
- **EST Server** (RFC 7030) — device/WiFi certificate enrollment, PKCS#7 wire format, configurable issuer + profile binding
- **MCP Server** — 78 API operations as AI tools for Claude, Cursor, and any MCP-compatible client
- **CLI** — 10 subcommands (list/get/renew/revoke certs, list agents/jobs, import, status, health, metrics), JSON/table output
- **Notifications** — Email (SMTP), Webhooks, Slack, Microsoft Teams, PagerDuty, OpsGenie connectors
- **API Enhancements** — sparse fields, sort, time-range filters, cursor pagination, immutable API audit logging
- **Compliance Mapping** — SOC 2 Type II, PCI-DSS 4.0, NIST SP 800-57 alignment guides
- **Post-Deployment TLS Verification** — agent-side TLS probe confirms the target is serving the correct certificate by SHA-256 fingerprint match, verification status visible in deployment timeline
- **Traefik + Caddy Targets** — Traefik (file provider, auto-reload) and Caddy (Admin API hot-reload or file-based), both in target wizard GUI
- **Certificate Export** — PEM (JSON or file download) and PKCS#12 formats, private keys never included (agent-side only), audit trail, GUI export buttons
- **S/MIME Support** — EKU-aware issuance (emailProtection, codeSigning, timeStamping), adaptive KeyUsage flags, email SAN routing, EKU badges in GUI
- **ACME ARI (RFC 9702)** — CA-directed renewal timing: the CA tells certctl the optimal renewal window, gracefully degrading to fixed thresholds when ARI is unavailable
- **Scheduled Certificate Digest** — HTML email digests with certificate stats, expiration timeline, job trends, and agent health; configurable daily/hourly/weekly briefings via SMTP
- **Helm Chart** — Production-ready Kubernetes with server Deployment, PostgreSQL StatefulSet with PVC, Agent DaemonSet, security contexts, resource limits, optional Ingress
**Also shipped:**
- Issuer catalog page (see all supported CAs, configure from dashboard)
- Vault PKI and DigiCert CertCentral issuer connectors (Beta)
- Turnkey deployment examples (ACME+NGINX, wildcard+DNS-01, private CA+Traefik, step-ca+HAProxy, multi-issuer)
- Migration guides (Certbot, acme.sh, cert-manager complement)
- One-line agent install script with cross-compiled binaries
**Coming in v2.1.0:**
- Dynamic issuer and target configuration via GUI (no env var restarts)
- First-run onboarding wizard
**Coming in v2.1.0:** Dynamic issuer and target configuration via GUI (no env var restarts), first-run onboarding wizard.
### V3: certctl Pro
Team access controls, identity provider integration, enterprise deployment targets, compliance and risk scoring, advanced fleet operations, event-driven architecture, advanced search, real-time operational views.
Team access controls and identity provider integration (OIDC/SSO). Role-based access control with profile-gating. Event-driven architecture (NATS) with real-time operational views. Advanced search DSL, compliance and risk scoring, bulk fleet operations.
### V4+: Cloud, Scale & Passive Discovery
Passive network discovery (TLS listener), Kubernetes integration (cert-manager external issuer, Secrets target), cloud infrastructure targets (AWS ALB/ACM, Azure Key Vault), extended CA support (Google CAS, EJBCA, Sectigo), and platform-scale features (Terraform provider, multi-tenancy, HSM support).
## Examples
Turnkey Docker Compose configurations for common scenarios — pick the one closest to your setup and have it running in 2 minutes.
| Example | Scenario |
|---------|----------|
| [`examples/acme-nginx/`](examples/acme-nginx/) | Let's Encrypt + NGINX, HTTP-01 challenges |
| [`examples/acme-wildcard-dns01/`](examples/acme-wildcard-dns01/) | Wildcard certs via DNS-01 (Cloudflare hook included) |
| [`examples/private-ca-traefik/`](examples/private-ca-traefik/) | Local CA (self-signed or sub-CA) + Traefik file provider |
| [`examples/step-ca-haproxy/`](examples/step-ca-haproxy/) | Smallstep step-ca + HAProxy combined PEM |
| [`examples/multi-issuer/`](examples/multi-issuer/) | ACME for public + Local CA for internal, one dashboard |
Each directory contains a `docker-compose.yml` and a `README.md` explaining the scenario, prerequisites, and customization.
## License
Certctl is licensed under the [Business Source License 1.1](LICENSE). The source code is publicly available and free to use, modify, and self-host. The one restriction: you may not offer certctl as a managed/hosted certificate management service to third parties. The BSL 1.1 license converts automatically to Apache 2.0 on March 1, 2033, providing perpetual freedom.
For licensing inquiries: certctl@proton.me
---
If certctl solves a problem you have, [star the repo](https://github.com/shankar0123/certctl) to help others find it. Questions, bugs, or feature requests — [open an issue](https://github.com/shankar0123/certctl/issues).
api/openapi.yaml
+1 -1
View File
@@ -2669,7 +2669,7 @@ components:
# ─── Targets ─────────────────────────────────────────────────────
TargetType:
type: string
enum: [NGINX, Apache, HAProxy, F5, IIS]
enum: [NGINX, Apache, HAProxy, Traefik, Caddy, Envoy, Postfix, Dovecot, IIS, F5]
DeploymentTarget:
type: object
cmd/agent/main.go
+32 -1
View File
@@ -29,6 +29,8 @@ import (
"github.com/shankar0123/certctl/internal/connector/target"
"github.com/shankar0123/certctl/internal/connector/target/apache"
"github.com/shankar0123/certctl/internal/connector/target/caddy"
"github.com/shankar0123/certctl/internal/connector/target/envoy"
pf "github.com/shankar0123/certctl/internal/connector/target/postfix"
"github.com/shankar0123/certctl/internal/connector/target/f5"
"github.com/shankar0123/certctl/internal/connector/target/haproxy"
"github.com/shankar0123/certctl/internal/connector/target/iis"
@@ -592,7 +594,7 @@ func (a *Agent) createTargetConnector(targetType string, configJSON json.RawMess
return nil, fmt.Errorf("invalid IIS config: %w", err)
}
}
return iis.New(&cfg, a.logger), nil
return iis.New(&cfg, a.logger)
case "Traefik":
var cfg traefik.Config
@@ -612,6 +614,35 @@ func (a *Agent) createTargetConnector(targetType string, configJSON json.RawMess
}
return caddy.New(&cfg, a.logger), nil
case "Envoy":
var cfg envoy.Config
if len(configJSON) > 0 {
if err := json.Unmarshal(configJSON, &cfg); err != nil {
return nil, fmt.Errorf("invalid Envoy config: %w", err)
}
}
return envoy.New(&cfg, a.logger), nil
case "Postfix":
var cfg pf.Config
cfg.Mode = "postfix"
if len(configJSON) > 0 {
if err := json.Unmarshal(configJSON, &cfg); err != nil {
return nil, fmt.Errorf("invalid Postfix config: %w", err)
}
}
return pf.New(&cfg, a.logger), nil
case "Dovecot":
var cfg pf.Config
cfg.Mode = "dovecot"
if len(configJSON) > 0 {
if err := json.Unmarshal(configJSON, &cfg); err != nil {
return nil, fmt.Errorf("invalid Dovecot config: %w", err)
}
}
return pf.New(&cfg, a.logger), nil
default:
return nil, fmt.Errorf("unsupported target type: %s", targetType)
}
docs/architecture.md
+1 -1
View File
@@ -417,7 +417,7 @@ The agent deploys certificates using target connectors. Each connector knows how
- **Apache httpd**: Writes separate cert/chain/key files, validates with `apachectl configtest`, graceful reload
- **HAProxy**: Builds a combined PEM file (cert + chain + key), optionally validates config, reloads via systemctl or signal
- **F5 BIG-IP** (planned): A proxy agent in the same network zone calls the iControl REST API to upload certificate and update SSL profile bindings. The server assigns the work; the proxy agent executes it.
- **IIS** (planned, dual-mode): (1) Agent-local (recommended) — a Windows agent on the IIS box runs PowerShell `Import-PfxCertificate` + `Set-WebBinding` directly. (2) Proxy agent WinRM — for agentless IIS targets, a nearby Windows agent reaches the IIS box via WinRM.
- **IIS** (implemented, dual-mode): (1) Agent-local (recommended) — a Windows agent on the IIS box runs PowerShell `Import-PfxCertificate` + `Set-WebBinding` directly with PFX conversion and SHA-1 thumbprint computation. (2) Proxy agent WinRM — for agentless IIS targets, a nearby Windows agent reaches the IIS box via WinRM.
The agent handles both the certificate (public) and the private key (read from local key store at `CERTCTL_KEY_DIR`). The control plane never sees the private key and never initiates outbound connections to agents or targets (pull-only model).
docs/connectors.md
+134 -14
View File
@@ -21,9 +21,11 @@ Connectors extend certctl to integrate with external systems for certificate iss
- [Built-in: Apache httpd](#built-in-apache-httpd)
- [Built-in: HAProxy](#built-in-haproxy)
- [Built-in: Traefik](#built-in-traefik)
- [Built-in: Envoy](#built-in-envoy)
- [Built-in: Postfix / Dovecot](#built-in-postfix--dovecot)
- [Built-in: Caddy](#built-in-caddy)
- [F5 BIG-IP (Interface Only)](#f5-big-ip-interface-only)
- [IIS (Interface Only, Dual-Mode)](#iis-interface-only-dual-mode)
- [IIS (Implemented, Dual-Mode)](#iis-implemented-dual-mode)
4. [Notifier Connector](#notifier-connector)
- [Interface](#interface-2)
5. [Registering a Connector](#registering-a-connector)
@@ -52,7 +54,7 @@ Connectors extend certctl to integrate with external systems for certificate iss
Three types of connectors:
1. **Issuer Connector** — Obtains certificates from CAs (Local CA with sub-CA support, ACME with HTTP-01 + DNS-01 + DNS-PERSIST-01, step-ca, OpenSSL/Custom CA implemented; additional CA integrations planned)
2. **Target Connector** — Deploys certificates to infrastructure (NGINX, Apache httpd, HAProxy, Traefik, Caddy implemented; F5 via proxy agent, IIS dual-mode interface only; additional cloud and network targets planned)
2. **Target Connector** — Deploys certificates to infrastructure (NGINX, Apache httpd, HAProxy, Traefik, Caddy, Envoy, IIS implemented; F5 via proxy agent planned; additional cloud and network targets planned)
3. **Notifier Connector** — Sends alerts about certificate events (Email, Webhooks, Slack, Microsoft Teams, PagerDuty, OpsGenie implemented)
All connectors accept JSON configuration at initialization, support config validation, and are registered in the service layer. Issuer connectors run on the control plane; target connectors run on agents. For network appliances where agents can't be installed, a **proxy agent** in the same network zone handles deployment — the server never initiates outbound connections.
@@ -590,6 +592,78 @@ When `mode` is `"api"`, the connector posts the certificate to the admin API end
Location: `internal/connector/target/caddy/caddy.go`
### Built-in: Envoy
The Envoy connector uses file-based certificate delivery — it writes certificate and key files to a directory that Envoy watches via its SDS (Secret Discovery Service) file-based configuration or static `filename` references in the bootstrap config. When files change, Envoy automatically picks up the new certificates without requiring a reload command.
Configuration:
```json
{
"cert_dir": "/etc/envoy/certs",
"cert_filename": "cert.pem",
"key_filename": "key.pem",
"chain_filename": "chain.pem",
"sds_config": true
}
```
| Field | Type | Default | Description |
|-------|------|---------|-------------|
| `cert_dir` | string | (required) | Directory where Envoy watches for certificate files |
| `cert_filename` | string | `cert.pem` | Filename for the certificate (leaf + chain unless `chain_filename` is set) |
| `key_filename` | string | `key.pem` | Filename for the private key |
| `chain_filename` | string | (empty) | If set, chain is written to a separate file instead of appended to the cert |
| `sds_config` | bool | `false` | If true, writes an `sds.json` file for Envoy's file-based SDS provider |
When `sds_config` is `true`, the connector writes an SDS JSON file (`{cert_dir}/sds.json`) containing a `tls_certificate` resource that points to the cert and key file paths. Envoy's file-based SDS (`path_config_source`) watches this file for changes, providing automatic hot-reload of certificates. This is the recommended approach for production Envoy deployments using dynamic TLS configuration.
When `sds_config` is `false` (the default), the connector simply writes cert and key files. Use this mode when Envoy's bootstrap config references the cert/key files directly via static `filename` fields in the TLS context.
Location: `internal/connector/target/envoy/envoy.go`
### Built-in: Postfix / Dovecot
The Postfix/Dovecot connector is a dual-mode mail server TLS connector. It writes certificate, key, and chain files to configured paths and reloads the mail service. The `mode` field selects between Postfix MTA and Dovecot IMAP/POP3, which determines default file paths and reload commands.
This connector pairs with certctl's S/MIME certificate support (email protection EKU, email SAN routing) for a complete email infrastructure story — TLS for transport encryption, S/MIME for end-to-end message signing and encryption.
**Postfix configuration:**
```json
{
"mode": "postfix",
"cert_path": "/etc/postfix/certs/cert.pem",
"key_path": "/etc/postfix/certs/key.pem",
"chain_path": "/etc/postfix/certs/chain.pem",
"reload_command": "postfix reload",
"validate_command": "postfix check"
}
```
**Dovecot configuration:**
```json
{
"mode": "dovecot",
"cert_path": "/etc/dovecot/certs/cert.pem",
"key_path": "/etc/dovecot/certs/key.pem",
"chain_path": "/etc/dovecot/certs/chain.pem",
"reload_command": "doveadm reload",
"validate_command": "doveconf -n"
}
```
| Field | Type | Default (Postfix) | Default (Dovecot) | Description |
|-------|------|-------------------|-------------------|-------------|
| `mode` | string | `postfix` | `dovecot` | Service mode — determines defaults |
| `cert_path` | string | `/etc/postfix/certs/cert.pem` | `/etc/dovecot/certs/cert.pem` | Path for certificate file |
| `key_path` | string | `/etc/postfix/certs/key.pem` | `/etc/dovecot/certs/key.pem` | Path for private key (0600 permissions) |
| `chain_path` | string | (empty) | (empty) | If set, chain written separately; otherwise appended to cert |
| `reload_command` | string | `postfix reload` | `doveadm reload` | Command to reload the mail service |
| `validate_command` | string | `postfix check` | `doveconf -n` | Optional config validation before reload |
All commands are validated against shell injection via `validation.ValidateShellCommand()`. File permissions: cert/chain 0644, key 0600.
Location: `internal/connector/target/postfix/postfix.go`
### F5 BIG-IP (Interface Only)
The F5 BIG-IP target connector interface is defined with the iControl REST flow mapped out, but the actual API calls are not yet implemented. F5 appliances can't run agents directly, so this connector uses the **proxy agent pattern**: a designated agent in the same network zone picks up F5 deployment jobs and calls the iControl REST API. The server assigns the work; the proxy agent executes it.
@@ -611,30 +685,76 @@ Note: F5 credentials are stored on the proxy agent, not on the control plane ser
Location: `internal/connector/target/f5/f5.go`
### IIS (Interface Only, Dual-Mode)
### IIS (Implemented, Dual-Mode)
The IIS target connector supports two planned deployment modes:
The IIS target connector supports two deployment modes — agent-local (recommended) and proxy agent WinRM for agentless targets.
**Agent-local (recommended):** A Windows agent runs directly on the IIS server and deploys certificates using PowerShell — `Import-PfxCertificate` to install into the certificate store and `Set-WebBinding` to bind to the IIS site. This is the preferred approach: no remote access needed, no credential management, same pull-based model as NGINX/Apache/HAProxy.
**Agent-local (recommended):** A Windows agent runs directly on the IIS server and deploys certificates using PowerShell — `Import-PfxCertificate` to install into the certificate store and `Set-WebBinding` to bind to the IIS site. The agent handles PEM-to-PFX conversion via `go-pkcs12`, computes SHA-1 thumbprint from the certificate, and executes parameterized PowerShell scripts for injection-safe binding management. This is the preferred approach: no remote access needed, no credential management, same pull-based model as NGINX/Apache/HAProxy.
**Proxy agent WinRM (for agentless targets):** For Windows servers where you don't want to install an agent, a nearby Windows agent acts as a proxy and reaches the IIS box via WinRM. The proxy agent picks up the deployment job, transfers the PFX bundle over WinRM, and runs the PowerShell commands remotely. WinRM credentials are stored on the proxy agent, not on the control plane.
**Proxy agent WinRM (for agentless targets):** For Windows servers where you don't want to install an agent, a Linux or Windows proxy agent in the same network zone connects via WinRM (Windows Remote Management) and executes PowerShell commands remotely. The PFX bundle is base64-encoded, transferred inline in the WinRM session, decoded to a temp file on the remote host, imported, and the temp file is cleaned up in a `try/finally` block. WinRM credentials are configured on the target, not on the control plane. Uses the `masterzen/winrm` Go library with support for Basic, NTLM, and Kerberos authentication.
Configuration (defined, not yet functional):
**Agent-local configuration:**
```json
{
"mode": "local",
"hostname": "iis-server.example.com",
"site_name": "Default Web Site",
"cert_store": "WebHosting",
"winrm_host": "",
"winrm_username": "",
"winrm_password": "",
"winrm_use_https": true
"port": 443,
"sni": true,
"ip_address": "*",
"binding_info": "www.example.com"
}
```
When `mode` is `"local"`, the `winrm_*` fields are ignored. When `mode` is `"proxy"`, the agent connects to the remote IIS server via WinRM using the provided credentials.
**WinRM proxy configuration:**
```json
{
"hostname": "iis-server.example.com",
"site_name": "Default Web Site",
"cert_store": "WebHosting",
"port": 443,
"sni": true,
"ip_address": "*",
"mode": "winrm",
"winrm": {
"winrm_host": "iis-server.example.com",
"winrm_port": 5985,
"winrm_username": "Administrator",
"winrm_password": "...",
"winrm_https": false,
"winrm_insecure": false,
"winrm_timeout": 60
}
}
```
Location: `internal/connector/target/iis/iis.go`
**Configuration Fields:**
- `hostname` (string, required): IIS server hostname or FQDN
- `site_name` (string, required): IIS website name (e.g., "Default Web Site")
- `cert_store` (string, required): Certificate store for import (e.g., "WebHosting", "My")
- `port` (number, default 443): HTTPS binding port
- `sni` (boolean, default false): Enable Server Name Indication (SNI)
- `ip_address` (string, default "*"): Specific IP to bind to, or "*" for all IPs
- `binding_info` (string, optional): Host header for SNI bindings
- `mode` (string, default "local"): Deployment mode — `local` (agent-local PowerShell) or `winrm` (remote via WinRM)
**WinRM fields (required when `mode` is `winrm`):**
- `winrm.winrm_host` (string, required): Remote Windows server hostname or IP
- `winrm.winrm_port` (number, default 5985 HTTP / 5986 HTTPS): WinRM listener port
- `winrm.winrm_username` (string, required): Windows account with admin privileges
- `winrm.winrm_password` (string, required): Account password
- `winrm.winrm_https` (boolean, default false): Use HTTPS transport
- `winrm.winrm_insecure` (boolean, default false): Skip TLS certificate verification
- `winrm.winrm_timeout` (number, default 60): Operation timeout in seconds
**Security Model:**
- PFX files are transient — generated with random passwords, deleted after import
- In WinRM mode, PFX data is base64-encoded and transferred inline (no SMB/file share needed), with remote temp file cleanup in `try/finally`
- PowerShell commands use parameterized values — IIS names and cert stores are regex-validated before script execution
- Field names are validated against `^[a-zA-Z0-9 _\-\.]+$` to prevent PowerShell injection
- Certificate thumbprints computed via SHA-1 for IIS binding lookups
Location: `internal/connector/target/iis/iis.go`, `internal/connector/target/iis/winrm.go`
## Notifier Connector
docs/testing-guide.md
+132
View File
@@ -46,6 +46,7 @@ Comprehensive manual testing playbook. Every test has a concrete command, an exp
- [Part 39: DigiCert Connector (M37)](#part-39-digicert-connector-m37)
- [Part 40: Issuer Catalog Page (M33)](#part-40-issuer-catalog-page-m33)
- [Part 41: Frontend Audit Fixes](#part-41-frontend-audit-fixes)
- [Part 42: IIS Target Connector (M39)](#part-42-iis-target-connector-m39)
- [Release Sign-Off](#release-sign-off)
---
@@ -5557,6 +5558,137 @@ Comprehensive frontend coverage audit closed 60 gaps between backend capabilitie
---
## Part 42: IIS Target Connector (M39)
The IIS target connector (M39) brings Windows infrastructure lifecycle management to certctl. Dual-mode implementation: agent-local PowerShell (primary) for servers with certctl agent, proxy agent WinRM for agentless Windows targets. Full test suite (28 tests) with mock executor pattern for cross-platform testing. Supports PEM-to-PFX conversion, SHA-1 thumbprint computation, and parameterized PowerShell execution.
### Test Suite Coverage
| Layer | Test Count | Focus | Cross-Platform |
|-------|-----------|-------|-----------------|
| ValidateConfig | 9 | Field validation, defaults, regex enforcement | Yes |
| DeployCertificate | 7 | PFX conversion, script execution, error handling | Yes |
| ValidateDeployment | 5 | Thumbprint verification, binding checks | Mock executor |
| PFX Conversion | 4 | Certificate chain handling, password generation | Yes |
| Helpers | 3 | Thumbprint computation, Windows time conversion | Yes |
| **Total** | **28** | | **26 pass, 2 skip on non-Windows** |
### Automated Tests (qa-smoke-test.sh Part 42)
| # | Test | Assertion |
|---|------|-----------|
| 42.1 | IIS connector imports without error | `internal/connector/target/iis/` builds cleanly |
| 42.2 | ValidateConfig rejects missing hostname | Validation fails when `hostname` absent |
| 42.3 | ValidateConfig rejects missing site_name | Validation fails when `site_name` absent |
| 42.4 | ValidateConfig applies defaults | `port` defaults to 443, `ip_address` to "*" |
| 42.5 | ValidateConfig validates field regex | Rejects field names with invalid characters |
| 42.6 | PEM-to-PFX conversion succeeds | PKCS#12 bundle created with random password |
| 42.7 | SHA-1 thumbprint computed correctly | Matches Go crypto/sha1 output, hex-encoded |
| 42.8 | PowerShell script is parameterized | No unescaped interpolation in generated commands |
| 42.9 | Mock executor pattern works cross-platform | Tests pass on Linux/macOS via mock executor |
| 42.10 | DeployCertificate calls Import-PfxCertificate | PowerShell command includes correct cert store |
| 42.11 | DeployCertificate calls Set-WebBinding | PowerShell command includes site name + thumbprint |
| 42.12 | ValidateDeployment executes Get-IISSiteBinding | Thumbprint comparison happens post-deployment |
| 42.13 | Error cases logged and propagated | TLS verify failure, script timeout errors handled |
| 42.14 | Windows time conversion helpers work | FileTime ↔ time.Time round-trip accurate |
### Manual Tests (Windows Only)
These tests require a real Windows Server 2019+ environment with IIS 10+. Skip on non-Windows platforms.
**42.M1: Agent-Local Deployment — Happy Path**
1. Provision a Windows Server 2019+ VM with IIS installed
2. Download and install certctl-agent binary for windows-amd64
3. Register agent with certctl server via heartbeat endpoint
4. Create IIS target in certctl dashboard:
```json
{
"hostname": "iis-server.local",
"site_name": "Default Web Site",
"cert_store": "WebHosting",
"port": 443,
"sni": true,
"ip_address": "*"
}
```
5. Issue a certificate (e.g., via Local CA)
6. Create deployment job targeting the IIS target
7. Agent polls work endpoint, executes PowerShell
8. Verify on IIS: `Get-IISSiteBinding` shows new binding with correct thumbprint
9. Verify in dashboard: Deployment job shows status=Completed, verified_at timestamp present
**PASS if** certificate deployed to IIS binding with matching thumbprint, deployment job shows Completed with verification success.
**42.M2: Agent-Local Deployment — Renewal**
1. On the same IIS target, trigger renewal of the certificate
2. Verify old certificate remains bound during renewal (until new one succeeds)
3. Verify new certificate is imported and bound after deployment
4. Verify old binding removed or updated in IIS
**PASS if** renewal completes without downtime, old binding replaced with new.
**42.M3: PFX Import to WebHosting Store**
1. Manually generate a test PKCS#12 certificate
2. Via certctl-agent on Windows, verify PowerShell can import to WebHosting store:
```powershell
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$pfx.Import([System.IO.File]::ReadAllBytes("C:\temp\test.pfx"), $password, "Exportable")
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("WebHosting", "LocalMachine")
$store.Open("MaxAllowed")
$store.Add($pfx)
```
3. Verify certificate appears in IIS Certificate Manager
**PASS if** certificate imports to WebHosting store successfully.
**42.M4: Binding Verification — Thumbprint Match**
1. Deploy a certificate to an IIS site via certctl
2. Manually run on IIS server:
```powershell
Get-IISSiteBinding -Name "Default Web Site" | Select-Object Thumbprint
```
3. Verify thumbprint matches certificate's SHA-1 hash (as shown in certctl GUI)
**PASS if** thumbprints match exactly (hex-encoded, no colons).
**42.M5: Error Handling — Invalid Site Name**
1. Create IIS target with non-existent site name (e.g., "NonExistentSite")
2. Trigger deployment
3. Verify job fails with error message about invalid site
4. Verify error is logged in agent and audit trail
**PASS if** error handled gracefully, job marked Failed with reason.
**42.M6: Field Validation — Config Injection Attempt**
1. Try to create IIS target with site_name containing PowerShell metacharacters:
```json
{
"site_name": "Default Web Site'; Get-Process; #"
}
```
2. Verify regex validation rejects this (field validation error, not API error)
3. Verify no PowerShell execution occurs
**PASS if** injection attempt blocked by field validation.
**42.M7: SNI vs Non-SNI Binding**
1. Create two IIS targets: one with `sni: true`, one with `sni: false`
2. Deploy certificates to both
3. Verify Set-WebBinding with `-SslFlags 1` (SNI) for first target
4. Verify Set-WebBinding without SslFlags (no SNI) for second target
5. Test TLS connection to both sites, verify SNI-enabled site handles multiple domains correctly
**PASS if** SNI bindings configured correctly per target config.
---
## Release Sign-Off
All tests below must pass before tagging v2.1.0. Each row is one individual test from the guide above. The **Method** column indicates whether `qa-smoke-test.sh` covers the test automatically (**Auto**) or requires hands-on verification (**Manual**).
go.mod
+18
View File
@@ -17,7 +17,11 @@ require (
require (
dario.cat/mergo v1.0.0 // indirect
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
github.com/ChrisTrenkamp/goxpath v0.0.0-20210404020558-97928f7e12b6 // indirect
github.com/Microsoft/go-winio v0.6.2 // indirect
github.com/bodgit/ntlmssp v0.0.0-20240506230425-31973bb52d9b // indirect
github.com/bodgit/windows v1.0.1 // indirect
github.com/cenkalti/backoff/v4 v4.2.1 // indirect
github.com/containerd/containerd v1.7.18 // indirect
github.com/containerd/log v0.1.0 // indirect
@@ -32,12 +36,23 @@ require (
github.com/go-logr/logr v1.4.1 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-ole/go-ole v1.2.6 // indirect
github.com/gofrs/uuid v4.4.0+incompatible // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/google/jsonschema-go v0.4.2 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-uuid v1.0.3 // indirect
github.com/jcmturner/aescts/v2 v2.0.0 // indirect
github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
github.com/jcmturner/gofork v1.7.6 // indirect
github.com/jcmturner/goidentity/v6 v6.0.1 // indirect
github.com/jcmturner/gokrb5/v8 v8.4.4 // indirect
github.com/jcmturner/rpc/v2 v2.0.3 // indirect
github.com/klauspost/compress v1.17.4 // indirect
github.com/kr/text v0.2.0 // indirect
github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
github.com/magiconair/properties v1.8.7 // indirect
github.com/masterzen/simplexml v0.0.0-20190410153822-31eea3082786 // indirect
github.com/masterzen/winrm v0.0.0-20250927112105-5f8e6c707321 // indirect
github.com/moby/docker-image-spec v1.3.1 // indirect
github.com/moby/patternmatcher v0.6.0 // indirect
github.com/moby/sys/sequential v0.5.0 // indirect
@@ -55,6 +70,7 @@ require (
github.com/shoenig/go-m1cpu v0.1.6 // indirect
github.com/sirupsen/logrus v1.9.3 // indirect
github.com/stretchr/testify v1.9.0 // indirect
github.com/tidwall/transform v0.0.0-20201103190739-32f242e2dbde // indirect
github.com/tklauser/go-sysconf v0.3.12 // indirect
github.com/tklauser/numcpus v0.6.1 // indirect
github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
@@ -63,7 +79,9 @@ require (
go.opentelemetry.io/otel v1.24.0 // indirect
go.opentelemetry.io/otel/metric v1.24.0 // indirect
go.opentelemetry.io/otel/trace v1.24.0 // indirect
golang.org/x/net v0.23.0 // indirect
golang.org/x/oauth2 v0.34.0 // indirect
golang.org/x/sys v0.40.0 // indirect
golang.org/x/text v0.21.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)
go.sum
+59
View File
@@ -4,8 +4,16 @@ github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9
github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
github.com/ChrisTrenkamp/goxpath v0.0.0-20210404020558-97928f7e12b6 h1:w0E0fgc1YafGEh5cROhlROMWXiNoZqApk2PDN0M1+Ns=
github.com/ChrisTrenkamp/goxpath v0.0.0-20210404020558-97928f7e12b6/go.mod h1:nuWgzSkT5PnyOd+272uUmV0dnAnAn42Mk7PiQC5VzN4=
github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
github.com/bodgit/ntlmssp v0.0.0-20240506230425-31973bb52d9b h1:baFN6AnR0SeC194X2D292IUZcHDs4JjStpqtE70fjXE=
github.com/bodgit/ntlmssp v0.0.0-20240506230425-31973bb52d9b/go.mod h1:Ram6ngyPDmP+0t6+4T2rymv0w0BS9N8Ch5vvUJccw5o=
github.com/bodgit/windows v1.0.1 h1:tF7K6KOluPYygXa3Z2594zxlkbKPAOvqr97etrGNIz4=
github.com/bodgit/windows v1.0.1/go.mod h1:a6JLwrB4KrTR5hBpp8FI9/9W9jJfeQ2h4XDXU74ZCdM=
github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
github.com/containerd/containerd v1.7.18 h1:jqjZTQNfXGoEaZdW1WwPU0RqSn1Bm2Ay/KJPUuO8nao=
@@ -39,6 +47,8 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
github.com/gofrs/uuid v4.4.0+incompatible h1:3qXRTX8/NbyulANqlc0lchS1gqAVxRgsuW1YrTJupqA=
github.com/gofrs/uuid v4.4.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
@@ -52,8 +62,27 @@ github.com/google/jsonschema-go v0.4.2 h1:tmrUohrwoLZZS/P3x7ex0WAVknEkBZM46iALbc
github.com/google/jsonschema-go v0.4.2/go.mod h1:r5quNTdLOYEz95Ru18zA0ydNbBuYoo9tgaYcxEYhJVE=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms=
github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg=
github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg=
github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo=
github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=
github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8=
github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4=
@@ -68,6 +97,10 @@ github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ
github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
github.com/masterzen/simplexml v0.0.0-20190410153822-31eea3082786 h1:2ZKn+w/BJeL43sCxI2jhPLRv73oVVOjEKZjKkflyqxg=
github.com/masterzen/simplexml v0.0.0-20190410153822-31eea3082786/go.mod h1:kCEbxUJlNDEBNbdQMkPSp6yaKcRXVI6f4ddk8Riv4bc=
github.com/masterzen/winrm v0.0.0-20250927112105-5f8e6c707321 h1:AKIJL2PfBX2uie0Mn5pxtG1+zut3hAVMZbRfoXecFzI=
github.com/masterzen/winrm v0.0.0-20250927112105-5f8e6c707321/go.mod h1:JajVhkiG2bYSNYYPYuWG7WZHr42CTjMTcCjfInRNCqc=
github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
@@ -111,14 +144,18 @@ github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSS
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/testcontainers/testcontainers-go v0.35.0 h1:uADsZpTKFAtp8SLK+hMwSaa+X+JiERHtd4sQAFmXeMo=
github.com/testcontainers/testcontainers-go v0.35.0/go.mod h1:oEVBj5zrfJTrgjwONs1SsRbnBtH9OKl+IGl3UMcr2B4=
github.com/tidwall/transform v0.0.0-20201103190739-32f242e2dbde h1:AMNpJRc7P+GTwVbl8DkK2I9I8BBUzNiHuH/tlxrpan0=
github.com/tidwall/transform v0.0.0-20201103190739-32f242e2dbde/go.mod h1:MvrEmduDUz4ST5pGZ7CABCnOU5f3ZiOAZzT6b1A6nX8=
github.com/tklauser/go-sysconf v0.3.12 h1:0QaGUFOdQaIVdPgfITYzaTegZvdCjmYO52cSFAEVmqU=
github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI=
github.com/tklauser/numcpus v0.6.1 h1:ng9scYS7az0Bk4OZLvrNXNSAO2Pxr1XXRAPyjhIx+Fk=
@@ -127,6 +164,7 @@ github.com/yosida95/uritemplate/v3 v3.0.2 h1:Ed3Oyj9yrmi9087+NczuL5BwkIc4wvTb5zI
github.com/yosida95/uritemplate/v3 v3.0.2/go.mod h1:ILOh0sOhIJR3+L/8afwt/kE++YT040gmv5BQTMR2HP4=
github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
github.com/yusufpapurcu/wmi v1.2.3 h1:E1ctvB7uKFMOJw3fdOW32DwGE9I7t++CRUEMKvFoFiw=
github.com/yusufpapurcu/wmi v1.2.3/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk=
@@ -148,14 +186,22 @@ go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v8
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
@@ -163,22 +209,33 @@ golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwE
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44=
@@ -187,6 +244,7 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -205,6 +263,7 @@ google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHh
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
internal/connector/target/envoy/envoy.go
+318
View File
@@ -0,0 +1,318 @@
package envoy
import (
"context"
"encoding/json"
"fmt"
"log/slog"
"os"
"path/filepath"
"strings"
"time"
"github.com/shankar0123/certctl/internal/connector/target"
)
// Config represents the Envoy deployment target configuration.
// Envoy uses file-based certificate delivery — the agent writes cert/key files
// to a directory that Envoy watches via its SDS (Secret Discovery Service)
// file-based configuration or static filename references in the bootstrap config.
type Config struct {
CertDir string `json:"cert_dir"` // Directory where Envoy watches for cert files (required)
CertFilename string `json:"cert_filename"` // Filename for certificate (default: cert.pem)
KeyFilename string `json:"key_filename"` // Filename for private key (default: key.pem)
ChainFilename string `json:"chain_filename"` // Optional filename for chain (if set, chain written separately)
SDSConfig bool `json:"sds_config"` // If true, write an SDS discovery JSON file for file-based SDS
}
// SDSResource represents an Envoy SDS tls_certificate resource for file-based SDS.
// This matches Envoy's expected format for file-based Secret Discovery Service.
type SDSResource struct {
Resources []SDSTLSCertificate `json:"resources"`
}
// SDSTLSCertificate represents a single SDS tls_certificate entry.
type SDSTLSCertificate struct {
Type string `json:"@type"`
Name string `json:"name"`
TLSCertificate TLSCertificate `json:"tls_certificate"`
}
// TLSCertificate contains the file paths for cert and key in Envoy's SDS format.
type TLSCertificate struct {
CertificateChain DataSource `json:"certificate_chain"`
PrivateKey DataSource `json:"private_key"`
}
// DataSource represents an Envoy data source pointing to a file path.
type DataSource struct {
Filename string `json:"filename"`
}
// Connector implements the target.Connector interface for Envoy proxy servers.
// This connector runs on the AGENT side and handles local certificate deployment.
// Envoy watches the configured directory via its file-based SDS or static config
// and automatically picks up certificate changes without an explicit reload.
type Connector struct {
config *Config
logger *slog.Logger
}
// New creates a new Envoy target connector with the given configuration and logger.
func New(config *Config, logger *slog.Logger) *Connector {
return &Connector{
config: config,
logger: logger,
}
}
// ValidateConfig checks that the certificate directory is configured and valid.
func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessage) error {
var cfg Config
if err := json.Unmarshal(rawConfig, &cfg); err != nil {
return fmt.Errorf("invalid Envoy config: %w", err)
}
if cfg.CertDir == "" {
return fmt.Errorf("Envoy cert_dir is required")
}
// Default filenames if not provided
if cfg.CertFilename == "" {
cfg.CertFilename = "cert.pem"
}
if cfg.KeyFilename == "" {
cfg.KeyFilename = "key.pem"
}
// Validate filenames don't contain path separators (prevent path traversal)
if strings.Contains(cfg.CertFilename, "/") || strings.Contains(cfg.CertFilename, "\\") {
return fmt.Errorf("Envoy cert_filename must not contain path separators")
}
if strings.Contains(cfg.KeyFilename, "/") || strings.Contains(cfg.KeyFilename, "\\") {
return fmt.Errorf("Envoy key_filename must not contain path separators")
}
if cfg.ChainFilename != "" && (strings.Contains(cfg.ChainFilename, "/") || strings.Contains(cfg.ChainFilename, "\\")) {
return fmt.Errorf("Envoy chain_filename must not contain path separators")
}
c.logger.Info("validating Envoy configuration",
"cert_dir", cfg.CertDir,
"cert_filename", cfg.CertFilename,
"key_filename", cfg.KeyFilename,
"chain_filename", cfg.ChainFilename,
"sds_config", cfg.SDSConfig)
// Verify directory exists and is writable
if _, err := os.Stat(cfg.CertDir); os.IsNotExist(err) {
return fmt.Errorf("Envoy cert directory does not exist: %s", cfg.CertDir)
}
// Try to write a test file to verify directory is writable
testFile := filepath.Join(cfg.CertDir, ".certctl-write-test")
if err := os.WriteFile(testFile, []byte("test"), 0644); err != nil {
return fmt.Errorf("Envoy cert directory is not writable: %s (%w)", cfg.CertDir, err)
}
os.Remove(testFile)
c.config = &cfg
c.logger.Info("Envoy configuration validated")
return nil
}
// DeployCertificate writes the certificate and key files to the configured directory.
// Envoy watches this directory via file-based SDS or static config references
// and automatically picks up changes without requiring a reload command.
//
// Steps:
// 1. Write certificate (+ chain if chain_filename not set) to cert_filename with mode 0644
// 2. Write private key to key_filename with mode 0600
// 3. If chain_filename set and chain provided, write chain separately with mode 0644
// 4. If sds_config is true, write SDS JSON file pointing to cert/key paths
func (c *Connector) DeployCertificate(ctx context.Context, request target.DeploymentRequest) (*target.DeploymentResult, error) {
c.logger.Info("deploying certificate to Envoy",
"cert_dir", c.config.CertDir,
"cert_filename", c.config.CertFilename,
"key_filename", c.config.KeyFilename)
startTime := time.Now()
certPath := filepath.Join(c.config.CertDir, c.config.CertFilename)
keyPath := filepath.Join(c.config.CertDir, c.config.KeyFilename)
// Build certificate data: if chain_filename is set, write chain separately;
// otherwise append chain to cert file (standard fullchain behavior)
certData := request.CertPEM + "\n"
if request.ChainPEM != "" && c.config.ChainFilename == "" {
certData += request.ChainPEM + "\n"
}
// Write certificate with mode 0644 (readable by Envoy process)
if err := os.WriteFile(certPath, []byte(certData), 0644); err != nil {
errMsg := fmt.Sprintf("failed to write certificate: %v", err)
c.logger.Error("certificate deployment failed", "error", err)
return &target.DeploymentResult{
Success: false,
TargetAddress: certPath,
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
// Write private key with secure permissions (0600: rw-------)
if request.KeyPEM != "" {
if err := os.WriteFile(keyPath, []byte(request.KeyPEM), 0600); err != nil {
errMsg := fmt.Sprintf("failed to write private key: %v", err)
c.logger.Error("key deployment failed", "error", err)
return &target.DeploymentResult{
Success: false,
TargetAddress: keyPath,
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
}
// Write chain separately if chain_filename is configured
if c.config.ChainFilename != "" && request.ChainPEM != "" {
chainPath := filepath.Join(c.config.CertDir, c.config.ChainFilename)
if err := os.WriteFile(chainPath, []byte(request.ChainPEM+"\n"), 0644); err != nil {
errMsg := fmt.Sprintf("failed to write chain: %v", err)
c.logger.Error("chain deployment failed", "error", err)
return &target.DeploymentResult{
Success: false,
TargetAddress: chainPath,
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
}
// Write SDS JSON file if configured
if c.config.SDSConfig {
if err := c.writeSDSConfig(); err != nil {
errMsg := fmt.Sprintf("failed to write SDS config: %v", err)
c.logger.Error("SDS config deployment failed", "error", err)
return &target.DeploymentResult{
Success: false,
TargetAddress: certPath,
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
}
deploymentDuration := time.Since(startTime)
c.logger.Info("certificate deployed to Envoy successfully",
"duration", deploymentDuration.String(),
"cert_path", certPath,
"key_path", keyPath,
"sds_config", c.config.SDSConfig)
metadata := map[string]string{
"cert_path": certPath,
"key_path": keyPath,
"duration_ms": fmt.Sprintf("%d", deploymentDuration.Milliseconds()),
}
if c.config.SDSConfig {
metadata["sds_config_path"] = filepath.Join(c.config.CertDir, "sds.json")
}
return &target.DeploymentResult{
Success: true,
TargetAddress: certPath,
DeploymentID: fmt.Sprintf("envoy-%d", time.Now().Unix()),
Message: "Certificate deployed to Envoy (file-based SDS will auto-reload)",
DeployedAt: time.Now(),
Metadata: metadata,
}, nil
}
// writeSDSConfig writes an Envoy SDS JSON file that references the cert/key file paths.
// This file is consumed by Envoy's file-based SDS provider (path_config_source).
func (c *Connector) writeSDSConfig() error {
certPath := filepath.Join(c.config.CertDir, c.config.CertFilename)
keyPath := filepath.Join(c.config.CertDir, c.config.KeyFilename)
sdsResource := SDSResource{
Resources: []SDSTLSCertificate{
{
Type: "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret",
Name: "server_cert",
TLSCertificate: TLSCertificate{
CertificateChain: DataSource{Filename: certPath},
PrivateKey: DataSource{Filename: keyPath},
},
},
},
}
sdsJSON, err := json.MarshalIndent(sdsResource, "", " ")
if err != nil {
return fmt.Errorf("failed to marshal SDS config: %w", err)
}
sdsPath := filepath.Join(c.config.CertDir, "sds.json")
if err := os.WriteFile(sdsPath, sdsJSON, 0644); err != nil {
return fmt.Errorf("failed to write SDS config file: %w", err)
}
c.logger.Info("SDS config file written", "path", sdsPath)
return nil
}
// ValidateDeployment verifies that the deployed certificate files are readable.
// It checks that both the certificate and key files exist and are accessible.
func (c *Connector) ValidateDeployment(ctx context.Context, request target.ValidationRequest) (*target.ValidationResult, error) {
c.logger.Info("validating Envoy deployment",
"certificate_id", request.CertificateID,
"serial", request.Serial)
startTime := time.Now()
certPath := filepath.Join(c.config.CertDir, c.config.CertFilename)
keyPath := filepath.Join(c.config.CertDir, c.config.KeyFilename)
// Verify certificate file exists and is readable
if _, err := os.Stat(certPath); os.IsNotExist(err) {
errMsg := fmt.Sprintf("certificate file not found: %s", certPath)
c.logger.Error("validation failed", "error", err)
return &target.ValidationResult{
Valid: false,
Serial: request.Serial,
TargetAddress: certPath,
Message: errMsg,
ValidatedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
// Verify key file exists and is readable
if _, err := os.Stat(keyPath); os.IsNotExist(err) {
errMsg := fmt.Sprintf("private key file not found: %s", keyPath)
c.logger.Error("validation failed", "error", err)
return &target.ValidationResult{
Valid: false,
Serial: request.Serial,
TargetAddress: keyPath,
Message: errMsg,
ValidatedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
validationDuration := time.Since(startTime)
c.logger.Info("Envoy deployment validated successfully",
"duration", validationDuration.String())
return &target.ValidationResult{
Valid: true,
Serial: request.Serial,
TargetAddress: certPath,
Message: "Certificate and key files accessible",
ValidatedAt: time.Now(),
Metadata: map[string]string{
"cert_path": certPath,
"key_path": keyPath,
"duration_ms": fmt.Sprintf("%d", validationDuration.Milliseconds()),
},
}, nil
}
internal/connector/target/envoy/envoy_test.go
+394
View File
@@ -0,0 +1,394 @@
package envoy_test
import (
"context"
"encoding/json"
"log/slog"
"os"
"path/filepath"
"testing"
"github.com/shankar0123/certctl/internal/connector/target"
"github.com/shankar0123/certctl/internal/connector/target/envoy"
)
func testLogger() *slog.Logger {
return slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
}
func TestEnvoyConnector_ValidateConfig_Success(t *testing.T) {
ctx := context.Background()
tmpDir := t.TempDir()
cfg := envoy.Config{
CertDir: tmpDir,
CertFilename: "cert.pem",
KeyFilename: "key.pem",
}
connector := envoy.New(&cfg, testLogger())
rawConfig, _ := json.Marshal(cfg)
if err := connector.ValidateConfig(ctx, rawConfig); err != nil {
t.Fatalf("ValidateConfig failed: %v", err)
}
}
func TestEnvoyConnector_ValidateConfig_InvalidJSON(t *testing.T) {
ctx := context.Background()
connector := envoy.New(&envoy.Config{}, testLogger())
if err := connector.ValidateConfig(ctx, json.RawMessage(`{invalid}`)); err == nil {
t.Fatal("expected error for invalid JSON")
}
}
func TestEnvoyConnector_ValidateConfig_MissingCertDir(t *testing.T) {
ctx := context.Background()
cfg := envoy.Config{CertFilename: "cert.pem", KeyFilename: "key.pem"}
connector := envoy.New(&cfg, testLogger())
rawConfig, _ := json.Marshal(cfg)
if err := connector.ValidateConfig(ctx, rawConfig); err == nil {
t.Fatal("expected error for missing cert_dir")
}
}
func TestEnvoyConnector_ValidateConfig_DirectoryNotExists(t *testing.T) {
ctx := context.Background()
cfg := envoy.Config{CertDir: "/nonexistent/directory"}
connector := envoy.New(&cfg, testLogger())
rawConfig, _ := json.Marshal(cfg)
if err := connector.ValidateConfig(ctx, rawConfig); err == nil {
t.Fatal("expected error for non-existent directory")
}
}
func TestEnvoyConnector_ValidateConfig_PathTraversal_CertFilename(t *testing.T) {
ctx := context.Background()
tmpDir := t.TempDir()
cfg := envoy.Config{CertDir: tmpDir, CertFilename: "../../../etc/passwd"}
connector := envoy.New(&cfg, testLogger())
rawConfig, _ := json.Marshal(cfg)
if err := connector.ValidateConfig(ctx, rawConfig); err == nil {
t.Fatal("expected error for path traversal in cert_filename")
}
}
func TestEnvoyConnector_ValidateConfig_PathTraversal_KeyFilename(t *testing.T) {
ctx := context.Background()
tmpDir := t.TempDir()
cfg := envoy.Config{CertDir: tmpDir, KeyFilename: "sub/key.pem"}
connector := envoy.New(&cfg, testLogger())
rawConfig, _ := json.Marshal(cfg)
if err := connector.ValidateConfig(ctx, rawConfig); err == nil {
t.Fatal("expected error for path traversal in key_filename")
}
}
func TestEnvoyConnector_ValidateConfig_PathTraversal_ChainFilename(t *testing.T) {
ctx := context.Background()
tmpDir := t.TempDir()
cfg := envoy.Config{CertDir: tmpDir, ChainFilename: "../chain.pem"}
connector := envoy.New(&cfg, testLogger())
rawConfig, _ := json.Marshal(cfg)
if err := connector.ValidateConfig(ctx, rawConfig); err == nil {
t.Fatal("expected error for path traversal in chain_filename")
}
}
func TestEnvoyConnector_ValidateConfig_DefaultFilenames(t *testing.T) {
ctx := context.Background()
tmpDir := t.TempDir()
cfg := envoy.Config{CertDir: tmpDir} // No filenames — should use defaults
connector := envoy.New(&cfg, testLogger())
rawConfig, _ := json.Marshal(cfg)
if err := connector.ValidateConfig(ctx, rawConfig); err != nil {
t.Fatalf("ValidateConfig with defaults failed: %v", err)
}
}
func TestEnvoyConnector_DeployCertificate_Success(t *testing.T) {
ctx := context.Background()
tmpDir := t.TempDir()
cfg := envoy.Config{CertDir: tmpDir, CertFilename: "cert.pem", KeyFilename: "key.pem"}
connector := envoy.New(&cfg, testLogger())
rawConfig, _ := json.Marshal(cfg)
_ = connector.ValidateConfig(ctx, rawConfig)
request := target.DeploymentRequest{
CertPEM: "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----",
KeyPEM: "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----",
ChainPEM: "-----BEGIN CERTIFICATE-----\nCAcert...\n-----END CERTIFICATE-----",
}
result, err := connector.DeployCertificate(ctx, request)
if err != nil {
t.Fatalf("DeployCertificate failed: %v", err)
}
if !result.Success {
t.Fatalf("deployment should succeed, got: %s", result.Message)
}
// Verify cert file was created with chain appended (no chain_filename set)
certData, err := os.ReadFile(filepath.Join(tmpDir, "cert.pem"))
if err != nil {
t.Fatalf("failed to read cert file: %v", err)
}
if got := string(certData); got != "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nCAcert...\n-----END CERTIFICATE-----\n" {
t.Fatalf("cert content mismatch: got %q", got)
}
// Verify key file created with correct permissions
keyPath := filepath.Join(tmpDir, "key.pem")
keyInfo, err := os.Stat(keyPath)
if err != nil {
t.Fatalf("key file not found: %v", err)
}
if perms := keyInfo.Mode().Perm(); perms != 0600 {
t.Fatalf("key permissions are %o, expected 0600", perms)
}
}
func TestEnvoyConnector_DeployCertificate_WithoutChain(t *testing.T) {
ctx := context.Background()
tmpDir := t.TempDir()
cfg := envoy.Config{CertDir: tmpDir, CertFilename: "cert.pem", KeyFilename: "key.pem"}
connector := envoy.New(&cfg, testLogger())
rawConfig, _ := json.Marshal(cfg)
_ = connector.ValidateConfig(ctx, rawConfig)
request := target.DeploymentRequest{
CertPEM: "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----",
KeyPEM: "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----",
}
result, err := connector.DeployCertificate(ctx, request)
if err != nil {
t.Fatalf("DeployCertificate failed: %v", err)
}
if !result.Success {
t.Fatalf("deployment should succeed, got: %s", result.Message)
}
// Cert file should only contain the leaf cert (no chain)
certData, _ := os.ReadFile(filepath.Join(tmpDir, "cert.pem"))
if got := string(certData); got != "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n" {
t.Fatalf("cert content mismatch: got %q", got)
}
}
func TestEnvoyConnector_DeployCertificate_SeparateChainFile(t *testing.T) {
ctx := context.Background()
tmpDir := t.TempDir()
cfg := envoy.Config{
CertDir: tmpDir,
CertFilename: "cert.pem",
KeyFilename: "key.pem",
ChainFilename: "chain.pem",
}
connector := envoy.New(&cfg, testLogger())
rawConfig, _ := json.Marshal(cfg)
_ = connector.ValidateConfig(ctx, rawConfig)
request := target.DeploymentRequest{
CertPEM: "-----BEGIN CERTIFICATE-----\nleaf...\n-----END CERTIFICATE-----",
KeyPEM: "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----",
ChainPEM: "-----BEGIN CERTIFICATE-----\nCA...\n-----END CERTIFICATE-----",
}
result, err := connector.DeployCertificate(ctx, request)
if err != nil {
t.Fatalf("DeployCertificate failed: %v", err)
}
if !result.Success {
t.Fatalf("deployment should succeed, got: %s", result.Message)
}
// Cert file should only contain leaf (chain is separate)
certData, _ := os.ReadFile(filepath.Join(tmpDir, "cert.pem"))
if got := string(certData); got != "-----BEGIN CERTIFICATE-----\nleaf...\n-----END CERTIFICATE-----\n" {
t.Fatalf("cert should not contain chain when chain_filename is set: got %q", got)
}
// Chain file should exist with chain data
chainData, err := os.ReadFile(filepath.Join(tmpDir, "chain.pem"))
if err != nil {
t.Fatalf("chain file not found: %v", err)
}
if got := string(chainData); got != "-----BEGIN CERTIFICATE-----\nCA...\n-----END CERTIFICATE-----\n" {
t.Fatalf("chain content mismatch: got %q", got)
}
}
func TestEnvoyConnector_DeployCertificate_WithSDSConfig(t *testing.T) {
ctx := context.Background()
tmpDir := t.TempDir()
cfg := envoy.Config{
CertDir: tmpDir,
CertFilename: "cert.pem",
KeyFilename: "key.pem",
SDSConfig: true,
}
connector := envoy.New(&cfg, testLogger())
rawConfig, _ := json.Marshal(cfg)
_ = connector.ValidateConfig(ctx, rawConfig)
request := target.DeploymentRequest{
CertPEM: "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----",
KeyPEM: "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----",
}
result, err := connector.DeployCertificate(ctx, request)
if err != nil {
t.Fatalf("DeployCertificate failed: %v", err)
}
if !result.Success {
t.Fatalf("deployment should succeed, got: %s", result.Message)
}
// Verify SDS JSON file was created
sdsPath := filepath.Join(tmpDir, "sds.json")
sdsData, err := os.ReadFile(sdsPath)
if err != nil {
t.Fatalf("SDS config file not found: %v", err)
}
// Parse and verify SDS JSON structure
var sdsResource envoy.SDSResource
if err := json.Unmarshal(sdsData, &sdsResource); err != nil {
t.Fatalf("invalid SDS JSON: %v", err)
}
if len(sdsResource.Resources) != 1 {
t.Fatalf("expected 1 SDS resource, got %d", len(sdsResource.Resources))
}
res := sdsResource.Resources[0]
if res.Type != "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret" {
t.Fatalf("wrong @type: %s", res.Type)
}
if res.Name != "server_cert" {
t.Fatalf("wrong name: %s", res.Name)
}
expectedCertPath := filepath.Join(tmpDir, "cert.pem")
expectedKeyPath := filepath.Join(tmpDir, "key.pem")
if res.TLSCertificate.CertificateChain.Filename != expectedCertPath {
t.Fatalf("cert chain path mismatch: got %s, want %s", res.TLSCertificate.CertificateChain.Filename, expectedCertPath)
}
if res.TLSCertificate.PrivateKey.Filename != expectedKeyPath {
t.Fatalf("private key path mismatch: got %s, want %s", res.TLSCertificate.PrivateKey.Filename, expectedKeyPath)
}
// Verify SDS path is in metadata
if result.Metadata["sds_config_path"] != sdsPath {
t.Fatalf("SDS config path not in metadata")
}
}
func TestEnvoyConnector_DeployCertificate_WriteError(t *testing.T) {
ctx := context.Background()
cfg := envoy.Config{
CertDir: "/root/envoy/certs",
CertFilename: "cert.pem",
KeyFilename: "key.pem",
}
connector := envoy.New(&cfg, testLogger())
request := target.DeploymentRequest{
CertPEM: "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----",
KeyPEM: "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----",
}
result, err := connector.DeployCertificate(ctx, request)
if err == nil {
t.Fatal("expected error for write failure")
}
if result.Success {
t.Fatal("deployment should fail")
}
}
func TestEnvoyConnector_ValidateDeployment_Success(t *testing.T) {
ctx := context.Background()
tmpDir := t.TempDir()
cfg := envoy.Config{CertDir: tmpDir, CertFilename: "cert.pem", KeyFilename: "key.pem"}
connector := envoy.New(&cfg, testLogger())
rawConfig, _ := json.Marshal(cfg)
_ = connector.ValidateConfig(ctx, rawConfig)
// First deploy
deployReq := target.DeploymentRequest{
CertPEM: "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----",
KeyPEM: "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----",
}
connector.DeployCertificate(ctx, deployReq)
// Then validate
validateReq := target.ValidationRequest{
CertificateID: "mc-test",
Serial: "123456",
}
result, err := connector.ValidateDeployment(ctx, validateReq)
if err != nil {
t.Fatalf("ValidateDeployment failed: %v", err)
}
if !result.Valid {
t.Fatalf("validation should succeed, got: %s", result.Message)
}
if result.Serial != "123456" {
t.Fatalf("serial mismatch: expected 123456, got %s", result.Serial)
}
}
func TestEnvoyConnector_ValidateDeployment_CertFileNotFound(t *testing.T) {
ctx := context.Background()
tmpDir := t.TempDir()
cfg := envoy.Config{CertDir: tmpDir, CertFilename: "cert.pem", KeyFilename: "key.pem"}
connector := envoy.New(&cfg, testLogger())
rawConfig, _ := json.Marshal(cfg)
_ = connector.ValidateConfig(ctx, rawConfig)
validateReq := target.ValidationRequest{CertificateID: "mc-test", Serial: "123456"}
result, err := connector.ValidateDeployment(ctx, validateReq)
if err == nil {
t.Fatal("expected error for missing certificate file")
}
if result.Valid {
t.Fatal("validation should fail")
}
}
func TestEnvoyConnector_ValidateDeployment_KeyFileNotFound(t *testing.T) {
ctx := context.Background()
tmpDir := t.TempDir()
cfg := envoy.Config{CertDir: tmpDir, CertFilename: "cert.pem", KeyFilename: "key.pem"}
connector := envoy.New(&cfg, testLogger())
rawConfig, _ := json.Marshal(cfg)
_ = connector.ValidateConfig(ctx, rawConfig)
// Write cert but not key
os.WriteFile(filepath.Join(tmpDir, "cert.pem"), []byte("cert"), 0644)
validateReq := target.ValidationRequest{CertificateID: "mc-test", Serial: "123456"}
result, err := connector.ValidateDeployment(ctx, validateReq)
if err == nil {
t.Fatal("expected error for missing key file")
}
if result.Valid {
t.Fatal("validation should fail")
}
}
internal/connector/target/iis/iis.go
+566 -88
View File
@@ -2,101 +2,241 @@ package iis
import (
"context"
"crypto/rand"
"crypto/sha1"
"crypto/x509"
"encoding/base64"
"encoding/hex"
"encoding/json"
"encoding/pem"
"fmt"
"log/slog"
"runtime"
"os"
"os/exec"
"regexp"
"strings"
"time"
"github.com/shankar0123/certctl/internal/connector/target"
pkcs12 "software.sslmate.com/src/go-pkcs12"
)
// Config represents the IIS deployment target configuration.
// This configuration is for Windows agents that manage IIS servers.
// Supports two modes:
// - "local" (default): runs PowerShell locally on a Windows agent
// - "winrm": connects to a remote Windows server via WinRM (proxy agent pattern)
type Config struct {
Hostname string `json:"hostname"` // Target hostname or IP
SiteName string `json:"site_name"` // IIS site name (e.g., "Default Web Site")
CertStore string `json:"cert_store"` // Windows cert store (e.g., "My", "WebHosting")
BindingInfo string `json:"binding_info"` // Binding info (e.g., "*.example.com")
Port int `json:"port"` // HTTPS port (default 443)
SNI bool `json:"sni"` // Enable Server Name Indication
IPAddress string `json:"ip_address"` // Bind to specific IP (default "*")
Mode string `json:"mode"` // "local" (default) or "winrm"
// WinRM settings (only used when Mode is "winrm")
WinRM WinRMConfig `json:"winrm"`
}
// PowerShellExecutor abstracts PowerShell command execution for testability.
// On real Windows deployments, the realExecutor calls powershell.exe directly.
// Tests inject a mock executor to verify command construction without Windows.
type PowerShellExecutor interface {
Execute(ctx context.Context, script string) (string, error)
}
// realExecutor calls powershell.exe on the local system.
type realExecutor struct{}
func (e *realExecutor) Execute(ctx context.Context, script string) (string, error) {
cmd := exec.CommandContext(ctx, "powershell.exe", "-NoProfile", "-NonInteractive", "-Command", script)
output, err := cmd.CombinedOutput()
return string(output), err
}
// Connector implements the target.Connector interface for IIS (Internet Information Services).
// This connector runs on Windows agents and manages certificate deployment via IIS.
// This connector runs on Windows agents and manages certificate deployment via PowerShell.
//
// IIS certificate management requires:
// - Windows Server with IIS installed
// - PowerShell execution available
// - Administrative privileges
// - Windows Server with IIS installed
// - PowerShell execution available
// - Administrative privileges
//
// TODO: Implement actual PowerShell command execution for:
// - Certificate import: Import-PfxCertificate
// - IIS binding update: New-WebBinding, Set-WebBinding
// - Validation: Get-WebBinding
// Deployment flow:
// 1. Convert PEM cert+key to PFX (PKCS#12) format via go-pkcs12
// 2. Import PFX to Windows certificate store via Import-PfxCertificate
// 3. Compute SHA-1 thumbprint (IIS certificate identifier)
// 4. Update IIS HTTPS binding via New-WebBinding + AddSslCertificate
// 5. Verify binding is active via Get-WebBinding
type Connector struct {
config *Config
logger *slog.Logger
config *Config
logger *slog.Logger
executor PowerShellExecutor
}
// New creates a new IIS target connector with the given configuration and logger.
func New(config *Config, logger *slog.Logger) *Connector {
// In "local" mode (default), uses the real PowerShell executor.
// In "winrm" mode, creates a WinRM client for remote execution.
func New(config *Config, logger *slog.Logger) (*Connector, error) {
mode := config.Mode
if mode == "" {
mode = "local"
}
var executor PowerShellExecutor
switch mode {
case "local":
executor = &realExecutor{}
case "winrm":
winrmExec, err := newWinRMExecutor(&config.WinRM)
if err != nil {
return nil, fmt.Errorf("failed to initialize WinRM executor: %w", err)
}
executor = winrmExec
default:
return nil, fmt.Errorf("unsupported IIS connector mode %q (must be 'local' or 'winrm')", mode)
}
return &Connector{
config: config,
logger: logger,
config: config,
logger: logger,
executor: executor,
}, nil
}
// NewWithExecutor creates a new IIS target connector with an injected executor.
// Used in tests to mock PowerShell execution on non-Windows platforms.
func NewWithExecutor(config *Config, logger *slog.Logger, executor PowerShellExecutor) *Connector {
return &Connector{
config: config,
logger: logger,
executor: executor,
}
}
// validIISName matches safe IIS site names and cert store names.
// Allows alphanumeric, spaces, underscores, hyphens, and dots.
var validIISName = regexp.MustCompile(`^[a-zA-Z0-9 _\-\.]+$`)
// validateIISName checks that an IIS name field contains only safe characters.
// This prevents PowerShell injection via malicious site or store names.
func validateIISName(name, field string) error {
if name == "" {
return fmt.Errorf("%s is required", field)
}
if len(name) > 256 {
return fmt.Errorf("%s exceeds maximum length (256 characters)", field)
}
if !validIISName.MatchString(name) {
return fmt.Errorf("%s contains invalid characters (allowed: alphanumeric, space, underscore, hyphen, dot)", field)
}
return nil
}
// validIPOrWildcard matches valid IP addresses or the wildcard "*".
var validIPOrWildcard = regexp.MustCompile(`^(\*|(\d{1,3}\.){3}\d{1,3})$`)
// ValidateConfig checks that the IIS configuration is valid and accessible.
// It verifies that we're on Windows and that the IIS site exists.
//
// TODO: Implement actual PowerShell checks.
// It verifies field values, PowerShell availability, and optionally checks that
// the IIS site exists and the cert store is accessible.
func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessage) error {
var cfg Config
if err := json.Unmarshal(rawConfig, &cfg); err != nil {
return fmt.Errorf("invalid IIS config: %w", err)
}
if cfg.SiteName == "" || cfg.CertStore == "" {
return fmt.Errorf("IIS site_name and cert_store are required")
// Validate required fields
if err := validateIISName(cfg.SiteName, "site_name"); err != nil {
return err
}
if err := validateIISName(cfg.CertStore, "cert_store"); err != nil {
return err
}
// Verify we're on Windows
if runtime.GOOS != "windows" {
return fmt.Errorf("IIS connector only runs on Windows, got %s", runtime.GOOS)
// Apply defaults
if cfg.Port == 0 {
cfg.Port = 443
}
if cfg.IPAddress == "" {
cfg.IPAddress = "*"
}
// Validate port range
if cfg.Port < 1 || cfg.Port > 65535 {
return fmt.Errorf("port must be between 1 and 65535, got %d", cfg.Port)
}
// Validate IP address format
if !validIPOrWildcard.MatchString(cfg.IPAddress) {
return fmt.Errorf("ip_address must be a valid IPv4 address or '*', got %q", cfg.IPAddress)
}
// Validate binding_info if provided (safe characters only)
if cfg.BindingInfo != "" {
if len(cfg.BindingInfo) > 512 {
return fmt.Errorf("binding_info exceeds maximum length (512 characters)")
}
// Allow typical binding chars: alphanumeric, *, :, ., -
validBinding := regexp.MustCompile(`^[a-zA-Z0-9\*\:\.\-]+$`)
if !validBinding.MatchString(cfg.BindingInfo) {
return fmt.Errorf("binding_info contains invalid characters")
}
}
// Apply mode default
if cfg.Mode == "" {
cfg.Mode = "local"
}
if cfg.Mode != "local" && cfg.Mode != "winrm" {
return fmt.Errorf("unsupported mode %q (must be 'local' or 'winrm')", cfg.Mode)
}
c.logger.Info("validating IIS configuration",
"site_name", cfg.SiteName,
"cert_store", cfg.CertStore,
"hostname", cfg.Hostname)
"hostname", cfg.Hostname,
"port", cfg.Port,
"mode", cfg.Mode)
// TODO: Implement PowerShell check
// In production:
// 1. Run PowerShell command: Get-IISSite -Name {SiteName}
// 2. Verify site exists and is running
// 3. Check cert store: Get-Item -Path "Cert:\LocalMachine\{CertStore}"
// Verify PowerShell is available (only in local mode — WinRM handles this remotely)
if cfg.Mode == "local" {
if _, err := exec.LookPath("powershell.exe"); err != nil {
return fmt.Errorf("powershell.exe not found in PATH: %w", err)
}
}
c.logger.Warn("IIS validation not yet fully implemented",
"site_name", cfg.SiteName)
// Verify IIS site exists
siteCheckScript := fmt.Sprintf(`Get-Website -Name '%s' | Select-Object -ExpandProperty Name`, cfg.SiteName)
output, err := c.executor.Execute(ctx, siteCheckScript)
if err != nil {
return fmt.Errorf("IIS site %q not found or inaccessible: %s (error: %w)", cfg.SiteName, strings.TrimSpace(output), err)
}
// Verify cert store is accessible
storeCheckScript := fmt.Sprintf(`Test-Path 'Cert:\LocalMachine\%s'`, cfg.CertStore)
output, err = c.executor.Execute(ctx, storeCheckScript)
if err != nil || !strings.Contains(strings.TrimSpace(output), "True") {
return fmt.Errorf("certificate store %q is not accessible: %s", cfg.CertStore, strings.TrimSpace(output))
}
c.config = &cfg
c.logger.Info("IIS configuration validated",
"site_name", cfg.SiteName,
"cert_store", cfg.CertStore)
return nil
}
// DeployCertificate imports a certificate to the Windows certificate store and updates
// the IIS binding to use the new certificate.
//
// The IIS deployment process (via PowerShell):
// 1. Create a temporary PFX file from the certificate and existing private key
// (Note: The private key is managed by the agent, not provided by the control plane)
// 2. Import the PFX to the Windows certificate store (My store by default)
// 3. Get the certificate thumbprint
// 4. Update the IIS binding to use the new certificate by thumbprint
// 5. Verify the binding is active
//
// TODO: Implement actual PowerShell commands:
// - Import-PfxCertificate -FilePath {pfxPath} -CertStoreLocation "Cert:\LocalMachine\My"
// - Get-ChildItem -Path "Cert:\LocalMachine\My" | Where {$_.Subject -eq "CN=..."}
// - Set-WebBinding -Name {SiteName} -BindingInformation "{BindingInfo}" -Protocol https -SslFlags 1 -CertificateThumbprint {thumbprint}
// Deployment flow:
// 1. Convert PEM cert+key+chain to PFX format (go-pkcs12 with random password)
// 2. Write PFX to temp file (cleaned up on exit, even on error)
// 3. Compute SHA-1 thumbprint from DER cert (matches Windows certutil output)
// 4. Import PFX to Windows cert store via Import-PfxCertificate
// 5. Update IIS HTTPS binding via New-WebBinding + AddSslCertificate
// 6. Return result with thumbprint in metadata
func (c *Connector) DeployCertificate(ctx context.Context, request target.DeploymentRequest) (*target.DeploymentResult, error) {
c.logger.Info("deploying certificate to IIS",
"site_name", c.config.SiteName,
@@ -104,44 +244,204 @@ func (c *Connector) DeployCertificate(ctx context.Context, request target.Deploy
startTime := time.Now()
// TODO: Implement IIS certificate deployment
// In production:
// 1. Create temporary PFX from CertPEM and ChainPEM
// (Private key should already exist on the agent)
// 2. Import certificate:
// PowerShell: Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation "Cert:\LocalMachine\{CertStore}" -Password $password
// 3. Get certificate thumbprint:
// PowerShell: (Get-ChildItem -Path "Cert:\LocalMachine\{CertStore}" | Where {$_.Subject -like "*CN=*"}).Thumbprint
// 4. Update IIS binding:
// PowerShell: Set-WebBinding -Name "{SiteName}" -BindingInformation "{BindingInfo}:443:*.example.com" -Protocol https -CertificateThumbprint $thumbprint
// 5. Remove temporary PFX file
// Validate we have a private key (required for PFX creation)
if request.KeyPEM == "" {
errMsg := "private key (KeyPEM) is required for IIS deployment"
c.logger.Error("deployment failed", "error", errMsg)
return &target.DeploymentResult{
Success: false,
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
// Step 1: Create PFX from PEM inputs
pfxPassword, err := generateRandomPassword(32)
if err != nil {
errMsg := fmt.Sprintf("failed to generate PFX password: %v", err)
c.logger.Error("deployment failed", "error", err)
return &target.DeploymentResult{
Success: false,
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
pfxData, err := createPFX(request.CertPEM, request.KeyPEM, request.ChainPEM, pfxPassword)
if err != nil {
errMsg := fmt.Sprintf("failed to create PFX: %v", err)
c.logger.Error("PFX creation failed", "error", err)
return &target.DeploymentResult{
Success: false,
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
// Step 2+3: Compute thumbprint and import PFX
// In local mode: write PFX to temp file, import via file path
// In WinRM mode: base64-encode PFX, decode on remote side to temp file, import, clean up
thumbprint, err := computeThumbprint(request.CertPEM)
if err != nil {
errMsg := fmt.Sprintf("failed to compute certificate thumbprint: %v", err)
c.logger.Error("deployment failed", "error", err)
return &target.DeploymentResult{
Success: false,
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
c.logger.Debug("certificate thumbprint computed", "thumbprint", thumbprint)
// Step 4: Import PFX to Windows certificate store
var importScript string
mode := c.config.Mode
if mode == "" {
mode = "local"
}
if mode == "winrm" {
// WinRM mode: base64-encode PFX, decode on remote, import, cleanup
pfxBase64 := base64.StdEncoding.EncodeToString(pfxData)
importScript = fmt.Sprintf(
`$pfxPath = [System.IO.Path]::GetTempFileName() + '.pfx'; `+
`[System.IO.File]::WriteAllBytes($pfxPath, [System.Convert]::FromBase64String('%s')); `+
`try { `+
`$password = ConvertTo-SecureString -String '%s' -AsPlainText -Force; `+
`Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\%s' -Password $password `+
`} finally { Remove-Item -Path $pfxPath -Force -ErrorAction SilentlyContinue }`,
pfxBase64, pfxPassword, c.config.CertStore,
)
} else {
// Local mode: write PFX to local temp file
tmpFile, fileErr := os.CreateTemp("", "certctl-*.pfx")
if fileErr != nil {
errMsg := fmt.Sprintf("failed to create temp PFX file: %v", fileErr)
c.logger.Error("deployment failed", "error", fileErr)
return &target.DeploymentResult{
Success: false,
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
pfxPath := tmpFile.Name()
defer os.Remove(pfxPath) // Always clean up temp PFX
if _, writeErr := tmpFile.Write(pfxData); writeErr != nil {
tmpFile.Close()
errMsg := fmt.Sprintf("failed to write temp PFX file: %v", writeErr)
c.logger.Error("deployment failed", "error", writeErr)
return &target.DeploymentResult{
Success: false,
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
tmpFile.Close()
importScript = fmt.Sprintf(
`$password = ConvertTo-SecureString -String '%s' -AsPlainText -Force; `+
`Import-PfxCertificate -FilePath '%s' -CertStoreLocation 'Cert:\LocalMachine\%s' -Password $password`,
pfxPassword, pfxPath, c.config.CertStore,
)
}
output, err := c.executor.Execute(ctx, importScript)
if err != nil {
errMsg := fmt.Sprintf("PFX import failed: %v (output: %s)", err, strings.TrimSpace(output))
c.logger.Error("PFX import failed",
"error", err,
"output", strings.TrimSpace(output),
"cert_store", c.config.CertStore)
return &target.DeploymentResult{
Success: false,
TargetAddress: fmt.Sprintf("%s (IIS: %s)", c.config.Hostname, c.config.SiteName),
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
c.logger.Info("PFX imported to certificate store",
"cert_store", c.config.CertStore,
"thumbprint", thumbprint)
// Step 5: Update IIS HTTPS binding
port := c.config.Port
if port == 0 {
port = 443
}
ipAddress := c.config.IPAddress
if ipAddress == "" {
ipAddress = "*"
}
hostHeader := c.config.BindingInfo
sniFlag := 0
if c.config.SNI {
sniFlag = 1
}
bindingScript := fmt.Sprintf(
// Remove existing HTTPS binding on this port (if any), then create new one
`$existing = Get-WebBinding -Name '%s' -Protocol 'https' -Port %d -ErrorAction SilentlyContinue; `+
`if ($existing) { $existing | Remove-WebBinding }; `+
`New-WebBinding -Name '%s' -Protocol 'https' -Port %d -IPAddress '%s' -HostHeader '%s' -SslFlags %d; `+
`$binding = Get-WebBinding -Name '%s' -Protocol 'https' -Port %d; `+
`$binding.AddSslCertificate('%s', '%s')`,
c.config.SiteName, port,
c.config.SiteName, port, ipAddress, hostHeader, sniFlag,
c.config.SiteName, port,
thumbprint, c.config.CertStore,
)
output, err = c.executor.Execute(ctx, bindingScript)
if err != nil {
errMsg := fmt.Sprintf("IIS binding update failed: %v (output: %s)", err, strings.TrimSpace(output))
c.logger.Error("IIS binding update failed",
"error", err,
"output", strings.TrimSpace(output),
"site_name", c.config.SiteName)
// Cert is imported but binding failed — partial success
return &target.DeploymentResult{
Success: false,
TargetAddress: fmt.Sprintf("%s (IIS: %s)", c.config.Hostname, c.config.SiteName),
Message: errMsg,
DeployedAt: time.Now(),
Metadata: map[string]string{
"thumbprint": thumbprint,
"cert_store": c.config.CertStore,
"import_success": "true",
"binding_error": strings.TrimSpace(output),
},
}, fmt.Errorf("%s", errMsg)
}
deploymentDuration := time.Since(startTime)
c.logger.Warn("IIS deployment not yet implemented",
"site_name", c.config.SiteName)
c.logger.Info("certificate deployed to IIS successfully",
"duration", deploymentDuration.String(),
"site_name", c.config.SiteName,
"thumbprint", thumbprint)
return &target.DeploymentResult{
Success: true,
TargetAddress: fmt.Sprintf("%s (IIS: %s)", c.config.Hostname, c.config.SiteName),
DeploymentID: fmt.Sprintf("iis-%d", time.Now().Unix()),
Message: "Certificate deployment to IIS initiated (stub)",
DeploymentID: fmt.Sprintf("iis-%s-%d", thumbprint[:8], time.Now().Unix()),
Message: "Certificate imported and IIS binding updated successfully",
DeployedAt: time.Now(),
Metadata: map[string]string{
"hostname": c.config.Hostname,
"site_name": c.config.SiteName,
"cert_store": c.config.CertStore,
"thumbprint": thumbprint,
"port": fmt.Sprintf("%d", port),
"sni": fmt.Sprintf("%t", c.config.SNI),
"duration_ms": fmt.Sprintf("%d", deploymentDuration.Milliseconds()),
},
}, nil
}
// ValidateDeployment verifies that the certificate is properly deployed in IIS.
// It checks the IIS binding configuration to ensure it's active with the correct certificate.
//
// TODO: Implement actual PowerShell validation.
// PowerShell command:
// - Get-IISSiteBinding -Name {SiteName} | Where {$_.protocol -eq "https"}
// It checks the IIS binding to ensure it's active with the correct certificate thumbprint.
func (c *Connector) ValidateDeployment(ctx context.Context, request target.ValidationRequest) (*target.ValidationResult, error) {
c.logger.Info("validating IIS deployment",
"certificate_id", request.CertificateID,
@@ -150,33 +450,211 @@ func (c *Connector) ValidateDeployment(ctx context.Context, request target.Valid
startTime := time.Now()
// TODO: Implement IIS deployment validation
// In production:
// 1. Query IIS binding status:
// PowerShell: Get-WebBinding -Name "{SiteName}" -Protocol "https"
// 2. Verify binding exists and is active
// 3. Extract certificate thumbprint from binding
// 4. Query certificate store to verify thumbprint matches expected certificate
// 5. Check certificate validity dates and key match
port := c.config.Port
if port == 0 {
port = 443
}
// Query IIS binding for HTTPS on the configured port
bindingScript := fmt.Sprintf(
`$binding = Get-WebBinding -Name '%s' -Protocol 'https' -Port %d -ErrorAction SilentlyContinue; `+
`if ($binding) { $binding.certificateHash } else { 'NO_BINDING' }`,
c.config.SiteName, port,
)
output, err := c.executor.Execute(ctx, bindingScript)
if err != nil {
errMsg := fmt.Sprintf("failed to query IIS binding: %v (output: %s)", err, strings.TrimSpace(output))
c.logger.Error("validation failed", "error", err, "output", strings.TrimSpace(output))
return &target.ValidationResult{
Valid: false,
Serial: request.Serial,
TargetAddress: fmt.Sprintf("%s (IIS: %s)", c.config.Hostname, c.config.SiteName),
Message: errMsg,
ValidatedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
bindingHash := strings.TrimSpace(output)
if bindingHash == "NO_BINDING" || bindingHash == "" {
errMsg := fmt.Sprintf("no HTTPS binding found on IIS site %q port %d", c.config.SiteName, port)
c.logger.Error("validation failed", "error", errMsg)
return &target.ValidationResult{
Valid: false,
Serial: request.Serial,
TargetAddress: fmt.Sprintf("%s (IIS: %s)", c.config.Hostname, c.config.SiteName),
Message: errMsg,
ValidatedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
// Verify the certificate exists in the store
certCheckScript := fmt.Sprintf(
`$cert = Get-ChildItem -Path 'Cert:\LocalMachine\%s\%s' -ErrorAction SilentlyContinue; `+
`if ($cert -and $cert.NotAfter -gt (Get-Date)) { 'VALID' } `+
`elseif ($cert) { 'EXPIRED' } `+
`else { 'NOT_FOUND' }`,
c.config.CertStore, bindingHash,
)
output, err = c.executor.Execute(ctx, certCheckScript)
if err != nil {
errMsg := fmt.Sprintf("failed to verify certificate in store: %v", err)
c.logger.Error("validation failed", "error", err)
return &target.ValidationResult{
Valid: false,
Serial: request.Serial,
TargetAddress: fmt.Sprintf("%s (IIS: %s)", c.config.Hostname, c.config.SiteName),
Message: errMsg,
ValidatedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
certStatus := strings.TrimSpace(output)
validationDuration := time.Since(startTime)
c.logger.Warn("IIS validation not yet implemented",
"site_name", c.config.SiteName)
switch certStatus {
case "VALID":
c.logger.Info("IIS deployment validated successfully",
"duration", validationDuration.String(),
"thumbprint", bindingHash)
return &target.ValidationResult{
Valid: true,
Serial: request.Serial,
TargetAddress: fmt.Sprintf("%s (IIS: %s)", c.config.Hostname, c.config.SiteName),
Message: "Certificate is bound to IIS site and valid",
ValidatedAt: time.Now(),
Metadata: map[string]string{
"thumbprint": bindingHash,
"site_name": c.config.SiteName,
"cert_store": c.config.CertStore,
"duration_ms": fmt.Sprintf("%d", validationDuration.Milliseconds()),
},
}, nil
return &target.ValidationResult{
Valid: true,
Serial: request.Serial,
TargetAddress: fmt.Sprintf("%s (IIS: %s)", c.config.Hostname, c.config.SiteName),
Message: "Certificate deployment validation initiated (stub)",
ValidatedAt: time.Now(),
Metadata: map[string]string{
"hostname": c.config.Hostname,
"site_name": c.config.SiteName,
"duration_ms": fmt.Sprintf("%d", validationDuration.Milliseconds()),
},
}, nil
case "EXPIRED":
errMsg := fmt.Sprintf("certificate %s is expired in store %q", bindingHash, c.config.CertStore)
c.logger.Error("validation failed: certificate expired", "thumbprint", bindingHash)
return &target.ValidationResult{
Valid: false,
Serial: request.Serial,
TargetAddress: fmt.Sprintf("%s (IIS: %s)", c.config.Hostname, c.config.SiteName),
Message: errMsg,
ValidatedAt: time.Now(),
Metadata: map[string]string{
"thumbprint": bindingHash,
"status": "expired",
},
}, fmt.Errorf("%s", errMsg)
default: // NOT_FOUND or unexpected
errMsg := fmt.Sprintf("certificate %s not found in store %q", bindingHash, c.config.CertStore)
c.logger.Error("validation failed: certificate not in store", "thumbprint", bindingHash)
return &target.ValidationResult{
Valid: false,
Serial: request.Serial,
TargetAddress: fmt.Sprintf("%s (IIS: %s)", c.config.Hostname, c.config.SiteName),
Message: errMsg,
ValidatedAt: time.Now(),
Metadata: map[string]string{
"thumbprint": bindingHash,
"status": "not_found",
},
}, fmt.Errorf("%s", errMsg)
}
}
// executePowerShellCommand will be implemented in V3 when IIS target connector ships.
// Pattern: exec.CommandContext(ctx, "powershell", "-NoProfile", "-Command", psCommand)
// createPFX converts PEM-encoded cert, key, and chain into PKCS#12 (PFX) format.
// IIS requires PFX for certificate import. Uses go-pkcs12 Modern encoder
// with strong encryption (same library used by M27 export service).
func createPFX(certPEM, keyPEM, chainPEM string, password string) ([]byte, error) {
// Parse leaf certificate
certBlock, _ := pem.Decode([]byte(certPEM))
if certBlock == nil || certBlock.Type != "CERTIFICATE" {
return nil, fmt.Errorf("failed to decode certificate PEM")
}
leafCert, err := x509.ParseCertificate(certBlock.Bytes)
if err != nil {
return nil, fmt.Errorf("failed to parse leaf certificate: %w", err)
}
// Parse private key (supports PKCS#8, PKCS#1 RSA, and EC)
keyBlock, _ := pem.Decode([]byte(keyPEM))
if keyBlock == nil {
return nil, fmt.Errorf("failed to decode private key PEM")
}
privateKey, err := parsePrivateKey(keyBlock.Bytes)
if err != nil {
return nil, fmt.Errorf("failed to parse private key: %w", err)
}
// Parse CA chain certificates (optional)
var caCerts []*x509.Certificate
if chainPEM != "" {
rest := []byte(chainPEM)
for {
var block *pem.Block
block, rest = pem.Decode(rest)
if block == nil {
break
}
if block.Type != "CERTIFICATE" {
continue
}
caCert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return nil, fmt.Errorf("failed to parse CA certificate: %w", err)
}
caCerts = append(caCerts, caCert)
}
}
// Encode as PKCS#12 with Modern encryption
pfxData, err := pkcs12.Modern.Encode(privateKey, leafCert, caCerts, password)
if err != nil {
return nil, fmt.Errorf("failed to encode PKCS#12: %w", err)
}
return pfxData, nil
}
// parsePrivateKey attempts to parse a DER-encoded private key.
// Tries PKCS#8, PKCS#1 RSA, and EC formats in order.
func parsePrivateKey(der []byte) (interface{}, error) {
if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
return key, nil
}
if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
return key, nil
}
if key, err := x509.ParseECPrivateKey(der); err == nil {
return key, nil
}
return nil, fmt.Errorf("unsupported private key format")
}
// computeThumbprint calculates the SHA-1 thumbprint of a PEM-encoded certificate.
// IIS uses SHA-1 thumbprints as the primary certificate identifier.
// Returns uppercase hex string matching Windows certutil output.
func computeThumbprint(certPEM string) (string, error) {
block, _ := pem.Decode([]byte(certPEM))
if block == nil || block.Type != "CERTIFICATE" {
return "", fmt.Errorf("failed to decode certificate PEM for thumbprint")
}
hash := sha1.Sum(block.Bytes)
return strings.ToUpper(hex.EncodeToString(hash[:])), nil
}
// generateRandomPassword creates a random alphanumeric password for transient PFX encryption.
// The password is only used between PFX creation and import — it never persists.
func generateRandomPassword(length int) (string, error) {
const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
b := make([]byte, length)
if _, err := rand.Read(b); err != nil {
return "", fmt.Errorf("failed to read random bytes: %w", err)
}
for i := range b {
b[i] = charset[int(b[i])%len(charset)]
}
return string(b), nil
}
internal/connector/target/iis/iis_test.go
+1058
View File
File diff suppressed because it is too large Load Diff
internal/connector/target/iis/winrm.go
+89
View File
@@ -0,0 +1,89 @@
package iis
import (
"context"
"fmt"
"time"
"github.com/masterzen/winrm"
)
// WinRMConfig holds WinRM connection settings for remote IIS management.
// Used when Mode is "winrm" — the proxy agent connects to a remote Windows
// server over WinRM and executes PowerShell commands remotely.
type WinRMConfig struct {
Host string `json:"winrm_host"` // WinRM target hostname or IP (required)
Port int `json:"winrm_port"` // WinRM port (default 5985 for HTTP, 5986 for HTTPS)
Username string `json:"winrm_username"` // Windows user (e.g., "Administrator")
Password string `json:"winrm_password"` // Windows password
UseHTTPS bool `json:"winrm_https"` // Use HTTPS (port 5986) instead of HTTP (port 5985)
Insecure bool `json:"winrm_insecure"` // Skip TLS certificate verification (for self-signed certs)
Timeout int `json:"winrm_timeout"` // Operation timeout in seconds (default 60)
}
// winrmExecutor implements PowerShellExecutor by running PowerShell commands
// on a remote Windows server via WinRM. This enables the proxy agent pattern:
// a Linux agent in the same network zone manages Windows IIS servers remotely.
type winrmExecutor struct {
client *winrm.Client
}
// newWinRMExecutor creates a WinRM client and returns a PowerShellExecutor.
func newWinRMExecutor(cfg *WinRMConfig) (*winrmExecutor, error) {
if cfg.Host == "" {
return nil, fmt.Errorf("winrm_host is required for WinRM mode")
}
if cfg.Username == "" {
return nil, fmt.Errorf("winrm_username is required for WinRM mode")
}
if cfg.Password == "" {
return nil, fmt.Errorf("winrm_password is required for WinRM mode")
}
port := cfg.Port
if port == 0 {
if cfg.UseHTTPS {
port = 5986
} else {
port = 5985
}
}
timeout := time.Duration(cfg.Timeout) * time.Second
if cfg.Timeout == 0 {
timeout = 60 * time.Second
}
endpoint := winrm.NewEndpoint(
cfg.Host,
port,
cfg.UseHTTPS,
cfg.Insecure,
nil, // CA cert
nil, // Client cert
nil, // Client key
timeout,
)
client, err := winrm.NewClient(endpoint, cfg.Username, cfg.Password)
if err != nil {
return nil, fmt.Errorf("failed to create WinRM client: %w", err)
}
return &winrmExecutor{client: client}, nil
}
// Execute runs a PowerShell script on the remote Windows server via WinRM.
// The script is wrapped in powershell.exe invocation on the remote side.
func (e *winrmExecutor) Execute(ctx context.Context, script string) (string, error) {
// RunPSWithContext returns (stdout, stderr, exitCode, error)
stdout, stderr, exitCode, err := e.client.RunPSWithContext(ctx, script)
if err != nil {
return stdout + stderr, fmt.Errorf("WinRM command failed: %w", err)
}
if exitCode != 0 {
return stdout + stderr, fmt.Errorf("PowerShell exited with code %d: %s", exitCode, stdout+stderr)
}
return stdout, nil
}
internal/connector/target/postfix/postfix.go
+310
View File
@@ -0,0 +1,310 @@
package postfix
import (
"context"
"encoding/json"
"fmt"
"log/slog"
"os"
"os/exec"
"path/filepath"
"time"
"github.com/shankar0123/certctl/internal/connector/target"
"github.com/shankar0123/certctl/internal/validation"
)
// Config represents the Postfix/Dovecot deployment target configuration.
// This connector supports dual-mode operation: "postfix" for Postfix MTA
// and "dovecot" for Dovecot IMAP/POP3. The mode determines default file
// paths and reload commands. Both modes write cert/key/chain files and
// reload the mail service.
type Config struct {
Mode string `json:"mode"` // "postfix" (default) or "dovecot"
CertPath string `json:"cert_path"` // Path where cert will be written
KeyPath string `json:"key_path"` // Path where private key will be written
ChainPath string `json:"chain_path"` // Path where CA chain will be written (optional — if empty, chain appended to cert)
ReloadCommand string `json:"reload_command"` // Command to reload service
ValidateCommand string `json:"validate_command"` // Optional command to validate config before reload
}
// Connector implements the target.Connector interface for Postfix and Dovecot
// mail servers. This connector runs on the AGENT side and handles local
// certificate deployment for mail server TLS (STARTTLS, SMTPS, IMAPS, POP3S).
type Connector struct {
config *Config
logger *slog.Logger
}
// New creates a new Postfix/Dovecot target connector with the given configuration and logger.
func New(config *Config, logger *slog.Logger) *Connector {
return &Connector{
config: config,
logger: logger,
}
}
// applyDefaults sets mode-specific default values for any unconfigured fields.
func applyDefaults(cfg *Config) {
if cfg.Mode == "" {
cfg.Mode = "postfix"
}
switch cfg.Mode {
case "dovecot":
if cfg.CertPath == "" {
cfg.CertPath = "/etc/dovecot/certs/cert.pem"
}
if cfg.KeyPath == "" {
cfg.KeyPath = "/etc/dovecot/certs/key.pem"
}
if cfg.ReloadCommand == "" {
cfg.ReloadCommand = "doveadm reload"
}
if cfg.ValidateCommand == "" {
cfg.ValidateCommand = "doveconf -n"
}
default: // "postfix"
if cfg.CertPath == "" {
cfg.CertPath = "/etc/postfix/certs/cert.pem"
}
if cfg.KeyPath == "" {
cfg.KeyPath = "/etc/postfix/certs/key.pem"
}
if cfg.ReloadCommand == "" {
cfg.ReloadCommand = "postfix reload"
}
if cfg.ValidateCommand == "" {
cfg.ValidateCommand = "postfix check"
}
}
}
// ValidateConfig checks that the configuration is valid for the selected mode.
// It applies mode-specific defaults, validates shell commands against injection,
// and verifies the certificate directory exists.
func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessage) error {
var cfg Config
if err := json.Unmarshal(rawConfig, &cfg); err != nil {
return fmt.Errorf("invalid mail server config: %w", err)
}
// Validate mode
if cfg.Mode != "" && cfg.Mode != "postfix" && cfg.Mode != "dovecot" {
return fmt.Errorf("invalid mode %q: must be \"postfix\" or \"dovecot\"", cfg.Mode)
}
// Apply mode-specific defaults
applyDefaults(&cfg)
// Validate commands to prevent injection attacks
if err := validation.ValidateShellCommand(cfg.ReloadCommand); err != nil {
return fmt.Errorf("invalid reload_command: %w", err)
}
if cfg.ValidateCommand != "" {
if err := validation.ValidateShellCommand(cfg.ValidateCommand); err != nil {
return fmt.Errorf("invalid validate_command: %w", err)
}
}
c.logger.Info("validating mail server configuration",
"mode", cfg.Mode,
"cert_path", cfg.CertPath,
"key_path", cfg.KeyPath,
"chain_path", cfg.ChainPath)
// Verify certificate directory exists
certDir := filepath.Dir(cfg.CertPath)
if _, err := os.Stat(certDir); os.IsNotExist(err) {
return fmt.Errorf("%s cert directory does not exist: %s", cfg.Mode, certDir)
}
// Verify validate command works (best-effort — service might not be installed yet)
if cfg.ValidateCommand != "" {
cmd := exec.CommandContext(ctx, "sh", "-c", cfg.ValidateCommand)
if err := cmd.Run(); err != nil {
c.logger.Warn("config validation command failed during config check",
"error", err,
"mode", cfg.Mode,
"validate_command", cfg.ValidateCommand)
}
}
c.config = &cfg
c.logger.Info("mail server configuration validated", "mode", cfg.Mode)
return nil
}
// DeployCertificate writes the certificate, key, and chain to the configured paths
// and reloads the mail service to pick up the new certificates.
//
// Steps:
// 1. Write certificate to cert_path with mode 0644 (if chain_path empty, append chain)
// 2. Write private key to key_path with mode 0600
// 3. If chain_path is set, write chain separately with mode 0644
// 4. Validate configuration (if validate_command is set)
// 5. Reload service
func (c *Connector) DeployCertificate(ctx context.Context, request target.DeploymentRequest) (*target.DeploymentResult, error) {
c.logger.Info("deploying certificate to mail server",
"mode", c.config.Mode,
"cert_path", c.config.CertPath,
"key_path", c.config.KeyPath)
startTime := time.Now()
// Build certificate data: if chain_path is set, write chain separately;
// otherwise append chain to cert file (fullchain behavior)
certData := request.CertPEM
if request.ChainPEM != "" && c.config.ChainPath == "" {
certData += "\n" + request.ChainPEM
}
// Write certificate with mode 0644 (rw-r--r--)
if err := os.WriteFile(c.config.CertPath, []byte(certData), 0644); err != nil {
errMsg := fmt.Sprintf("failed to write certificate: %v", err)
c.logger.Error("certificate deployment failed", "error", err)
return &target.DeploymentResult{
Success: false,
TargetAddress: c.config.CertPath,
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
// Write private key with secure permissions (0600: rw-------)
if c.config.KeyPath != "" && request.KeyPEM != "" {
if err := os.WriteFile(c.config.KeyPath, []byte(request.KeyPEM), 0600); err != nil {
errMsg := fmt.Sprintf("failed to write private key: %v", err)
c.logger.Error("key deployment failed", "error", err)
return &target.DeploymentResult{
Success: false,
TargetAddress: c.config.KeyPath,
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
c.logger.Info("private key written", "key_path", c.config.KeyPath)
}
// Write chain separately if chain_path is configured
if c.config.ChainPath != "" && request.ChainPEM != "" {
if err := os.WriteFile(c.config.ChainPath, []byte(request.ChainPEM), 0644); err != nil {
errMsg := fmt.Sprintf("failed to write chain: %v", err)
c.logger.Error("chain deployment failed", "error", err)
return &target.DeploymentResult{
Success: false,
TargetAddress: c.config.ChainPath,
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
}
// Validate configuration before reload
if c.config.ValidateCommand != "" {
c.logger.Debug("validating configuration", "validate_command", c.config.ValidateCommand)
validateCmd := exec.CommandContext(ctx, "sh", "-c", c.config.ValidateCommand)
if output, err := validateCmd.CombinedOutput(); err != nil {
errMsg := fmt.Sprintf("%s config validation failed: %v (output: %s)", c.config.Mode, err, string(output))
c.logger.Error("config validation failed", "error", err, "output", string(output))
return &target.DeploymentResult{
Success: false,
TargetAddress: c.config.CertPath,
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
}
// Reload service
c.logger.Debug("reloading service", "reload_command", c.config.ReloadCommand)
reloadCmd := exec.CommandContext(ctx, "sh", "-c", c.config.ReloadCommand)
if output, err := reloadCmd.CombinedOutput(); err != nil {
errMsg := fmt.Sprintf("%s reload failed: %v (output: %s)", c.config.Mode, err, string(output))
c.logger.Error("service reload failed", "error", err, "output", string(output))
return &target.DeploymentResult{
Success: false,
TargetAddress: c.config.CertPath,
Message: errMsg,
DeployedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
deploymentDuration := time.Since(startTime)
c.logger.Info("certificate deployed to mail server successfully",
"mode", c.config.Mode,
"duration", deploymentDuration.String(),
"cert_path", c.config.CertPath)
return &target.DeploymentResult{
Success: true,
TargetAddress: c.config.CertPath,
DeploymentID: fmt.Sprintf("%s-%d", c.config.Mode, time.Now().Unix()),
Message: fmt.Sprintf("Certificate deployed and %s reloaded successfully", c.config.Mode),
DeployedAt: time.Now(),
Metadata: map[string]string{
"cert_path": c.config.CertPath,
"key_path": c.config.KeyPath,
"mode": c.config.Mode,
"duration_ms": fmt.Sprintf("%d", deploymentDuration.Milliseconds()),
},
}, nil
}
// ValidateDeployment verifies that the deployed certificate is valid and accessible.
// It runs the validate command (if configured) and checks that the cert file exists.
func (c *Connector) ValidateDeployment(ctx context.Context, request target.ValidationRequest) (*target.ValidationResult, error) {
c.logger.Info("validating mail server deployment",
"mode", c.config.Mode,
"certificate_id", request.CertificateID,
"serial", request.Serial)
startTime := time.Now()
// Validate configuration if validate command is set
if c.config.ValidateCommand != "" {
validateCmd := exec.CommandContext(ctx, "sh", "-c", c.config.ValidateCommand)
if output, err := validateCmd.CombinedOutput(); err != nil {
errMsg := fmt.Sprintf("%s config validation failed: %v (output: %s)", c.config.Mode, err, string(output))
c.logger.Error("validation failed", "error", err)
return &target.ValidationResult{
Valid: false,
Serial: request.Serial,
TargetAddress: c.config.CertPath,
Message: errMsg,
ValidatedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
}
// Verify certificate file exists and is readable
if _, err := os.Stat(c.config.CertPath); os.IsNotExist(err) {
errMsg := fmt.Sprintf("certificate file not found: %s", c.config.CertPath)
c.logger.Error("validation failed", "error", err)
return &target.ValidationResult{
Valid: false,
Serial: request.Serial,
TargetAddress: c.config.CertPath,
Message: errMsg,
ValidatedAt: time.Now(),
}, fmt.Errorf("%s", errMsg)
}
validationDuration := time.Since(startTime)
c.logger.Info("mail server deployment validated successfully",
"mode", c.config.Mode,
"duration", validationDuration.String())
return &target.ValidationResult{
Valid: true,
Serial: request.Serial,
TargetAddress: c.config.CertPath,
Message: fmt.Sprintf("%s configuration valid and certificate accessible", c.config.Mode),
ValidatedAt: time.Now(),
Metadata: map[string]string{
"mode": c.config.Mode,
"validate_command": c.config.ValidateCommand,
"duration_ms": fmt.Sprintf("%d", validationDuration.Milliseconds()),
},
}, nil
}
internal/connector/target/postfix/postfix_test.go
+530
View File
@@ -0,0 +1,530 @@
package postfix_test
import (
"context"
"encoding/json"
"log/slog"
"os"
"path/filepath"
"strings"
"testing"
"github.com/shankar0123/certctl/internal/connector/target"
"github.com/shankar0123/certctl/internal/connector/target/postfix"
)
// --- Config Validation Tests ---
func TestPostfixConnector_ValidateConfig_Success(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
ctx := context.Background()
tmpDir := t.TempDir()
cfg := postfix.Config{
Mode: "postfix",
CertPath: filepath.Join(tmpDir, "cert.pem"),
KeyPath: filepath.Join(tmpDir, "key.pem"),
ChainPath: filepath.Join(tmpDir, "chain.pem"),
ReloadCommand: "true",
ValidateCommand: "true",
}
connector := postfix.New(&cfg, logger)
rawConfig, _ := json.Marshal(cfg)
err := connector.ValidateConfig(ctx, rawConfig)
if err != nil {
t.Fatalf("ValidateConfig failed: %v", err)
}
}
func TestPostfixConnector_ValidateConfig_DovecotMode(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
ctx := context.Background()
tmpDir := t.TempDir()
cfg := postfix.Config{
Mode: "dovecot",
CertPath: filepath.Join(tmpDir, "cert.pem"),
KeyPath: filepath.Join(tmpDir, "key.pem"),
ReloadCommand: "true",
ValidateCommand: "true",
}
connector := postfix.New(&cfg, logger)
rawConfig, _ := json.Marshal(cfg)
err := connector.ValidateConfig(ctx, rawConfig)
if err != nil {
t.Fatalf("ValidateConfig for dovecot mode failed: %v", err)
}
}
func TestPostfixConnector_ValidateConfig_InvalidJSON(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
ctx := context.Background()
connector := postfix.New(&postfix.Config{}, logger)
err := connector.ValidateConfig(ctx, json.RawMessage(`{invalid}`))
if err == nil {
t.Fatal("expected error for invalid JSON")
}
}
func TestPostfixConnector_ValidateConfig_InvalidMode(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
ctx := context.Background()
cfg := postfix.Config{
Mode: "nginx",
CertPath: "/tmp/cert.pem",
ReloadCommand: "true",
}
connector := postfix.New(&cfg, logger)
rawConfig, _ := json.Marshal(cfg)
err := connector.ValidateConfig(ctx, rawConfig)
if err == nil {
t.Fatal("expected error for invalid mode")
}
if !strings.Contains(err.Error(), "invalid mode") {
t.Fatalf("expected 'invalid mode' error, got: %v", err)
}
}
func TestPostfixConnector_ValidateConfig_DirectoryNotExists(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
ctx := context.Background()
cfg := postfix.Config{
Mode: "postfix",
CertPath: "/nonexistent/directory/cert.pem",
KeyPath: "/nonexistent/directory/key.pem",
ReloadCommand: "true",
ValidateCommand: "true",
}
connector := postfix.New(&cfg, logger)
rawConfig, _ := json.Marshal(cfg)
err := connector.ValidateConfig(ctx, rawConfig)
if err == nil {
t.Fatal("expected error for non-existent cert directory")
}
}
func TestPostfixConnector_ValidateConfig_MissingCertPath(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
ctx := context.Background()
// An empty config with mode=postfix will get defaults applied.
// The defaults point to /etc/postfix/certs/ which won't exist in test,
// so this will fail at directory check — which is fine; it validates that
// defaults are applied and path validation catches missing dirs.
cfg := postfix.Config{
Mode: "postfix",
ReloadCommand: "true",
ValidateCommand: "true",
}
connector := postfix.New(&cfg, logger)
rawConfig, _ := json.Marshal(cfg)
err := connector.ValidateConfig(ctx, rawConfig)
if err == nil {
t.Fatal("expected error when default cert directory doesn't exist")
}
}
func TestPostfixConnector_ValidateConfig_DefaultsApplied(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
ctx := context.Background()
// Create a directory matching the postfix default path structure
tmpDir := t.TempDir()
certDir := filepath.Join(tmpDir, "postfix", "certs")
os.MkdirAll(certDir, 0755)
cfg := postfix.Config{
Mode: "postfix",
CertPath: filepath.Join(certDir, "cert.pem"),
KeyPath: filepath.Join(certDir, "key.pem"),
// Leave ReloadCommand and ValidateCommand empty to get defaults
}
connector := postfix.New(&cfg, logger)
rawConfig, _ := json.Marshal(cfg)
// Defaults will be applied for reload/validate commands.
// The validate command will be "postfix check" which won't exist in test env
// but ValidateConfig only warns on validate command failure (doesn't error).
// The reload command "postfix reload" will be validated by ValidateShellCommand.
err := connector.ValidateConfig(ctx, rawConfig)
if err != nil {
t.Fatalf("ValidateConfig with defaults failed: %v", err)
}
}
// --- Deployment Tests ---
func TestPostfixConnector_DeployCertificate_Success(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
ctx := context.Background()
tmpDir := t.TempDir()
cfg := &postfix.Config{
Mode: "postfix",
CertPath: filepath.Join(tmpDir, "cert.pem"),
KeyPath: filepath.Join(tmpDir, "key.pem"),
ChainPath: filepath.Join(tmpDir, "chain.pem"),
ReloadCommand: "true",
ValidateCommand: "true",
}
connector := postfix.New(cfg, logger)
req := target.DeploymentRequest{
CertPEM: "-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----",
KeyPEM: "-----BEGIN PRIVATE KEY-----\nkey\n-----END PRIVATE KEY-----",
ChainPEM: "-----BEGIN CERTIFICATE-----\nchain\n-----END CERTIFICATE-----",
}
result, err := connector.DeployCertificate(ctx, req)
if err != nil {
t.Fatalf("DeployCertificate failed: %v", err)
}
if !result.Success {
t.Fatalf("expected success, got: %s", result.Message)
}
// Verify cert file was written (just cert, not chain — since chain_path is set)
certData, err := os.ReadFile(cfg.CertPath)
if err != nil {
t.Fatalf("failed to read cert file: %v", err)
}
if string(certData) != req.CertPEM {
t.Errorf("cert content mismatch: got %q", string(certData))
}
// Verify key file was written
keyData, err := os.ReadFile(cfg.KeyPath)
if err != nil {
t.Fatalf("failed to read key file: %v", err)
}
if string(keyData) != req.KeyPEM {
t.Errorf("key content mismatch")
}
// Verify chain file was written
chainData, err := os.ReadFile(cfg.ChainPath)
if err != nil {
t.Fatalf("failed to read chain file: %v", err)
}
if string(chainData) != req.ChainPEM {
t.Errorf("chain content mismatch")
}
// Verify cert has correct permissions (0644)
info, err := os.Stat(cfg.CertPath)
if err != nil {
t.Fatalf("failed to stat cert file: %v", err)
}
if info.Mode().Perm() != 0644 {
t.Errorf("expected cert permissions 0644, got %v", info.Mode().Perm())
}
// Verify key has correct permissions (0600)
info, err = os.Stat(cfg.KeyPath)
if err != nil {
t.Fatalf("failed to stat key file: %v", err)
}
if info.Mode().Perm() != 0600 {
t.Errorf("expected key permissions 0600, got %v", info.Mode().Perm())
}
// Verify metadata
if result.Metadata == nil {
t.Fatal("expected metadata in result")
}
if result.Metadata["cert_path"] != cfg.CertPath {
t.Errorf("expected cert_path in metadata")
}
if result.Metadata["mode"] != "postfix" {
t.Errorf("expected mode=postfix in metadata, got %s", result.Metadata["mode"])
}
if _, ok := result.Metadata["duration_ms"]; !ok {
t.Errorf("expected duration_ms in metadata")
}
}
func TestPostfixConnector_DeployCertificate_ChainAppendedToCert(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
ctx := context.Background()
tmpDir := t.TempDir()
cfg := &postfix.Config{
Mode: "postfix",
CertPath: filepath.Join(tmpDir, "cert.pem"),
KeyPath: filepath.Join(tmpDir, "key.pem"),
ChainPath: "", // No chain_path — chain should be appended to cert
ReloadCommand: "true",
ValidateCommand: "true",
}
connector := postfix.New(cfg, logger)
certPEM := "-----BEGIN CERTIFICATE-----\ncert\n-----END CERTIFICATE-----"
chainPEM := "-----BEGIN CERTIFICATE-----\nchain\n-----END CERTIFICATE-----"
req := target.DeploymentRequest{
CertPEM: certPEM,
KeyPEM: "-----BEGIN PRIVATE KEY-----\nkey\n-----END PRIVATE KEY-----",
ChainPEM: chainPEM,
}
result, err := connector.DeployCertificate(ctx, req)
if err != nil {
t.Fatalf("DeployCertificate failed: %v", err)
}
if !result.Success {
t.Fatalf("expected success, got: %s", result.Message)
}
// Verify cert file contains both cert and chain (fullchain)
certData, err := os.ReadFile(cfg.CertPath)
if err != nil {
t.Fatalf("failed to read cert file: %v", err)
}
expected := certPEM + "\n" + chainPEM
if string(certData) != expected {
t.Errorf("expected fullchain content, got: %q", string(certData))
}
}
func TestPostfixConnector_DeployCertificate_CertWriteFail(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
ctx := context.Background()
cfg := &postfix.Config{
Mode: "postfix",
CertPath: "/nonexistent/directory/cert.pem",
KeyPath: "/nonexistent/directory/key.pem",
ReloadCommand: "true",
ValidateCommand: "true",
}
connector := postfix.New(cfg, logger)
req := target.DeploymentRequest{
CertPEM: "cert",
ChainPEM: "chain",
}
result, err := connector.DeployCertificate(ctx, req)
if err == nil {
t.Fatal("expected error when cert write fails")
}
if result.Success {
t.Fatal("expected failure result")
}
}
func TestPostfixConnector_DeployCertificate_ValidateCommandFails(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
ctx := context.Background()
tmpDir := t.TempDir()
cfg := &postfix.Config{
Mode: "postfix",
CertPath: filepath.Join(tmpDir, "cert.pem"),
KeyPath: filepath.Join(tmpDir, "key.pem"),
ReloadCommand: "true",
ValidateCommand: "false", // Exits with code 1
}
connector := postfix.New(cfg, logger)
req := target.DeploymentRequest{
CertPEM: "cert",
ChainPEM: "chain",
}
result, err := connector.DeployCertificate(ctx, req)
if err == nil {
t.Fatal("expected error when validate command fails")
}
if result.Success {
t.Fatal("expected failure result")
}
}
func TestPostfixConnector_DeployCertificate_ReloadCommandFails(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
ctx := context.Background()
tmpDir := t.TempDir()
cfg := &postfix.Config{
Mode: "postfix",
CertPath: filepath.Join(tmpDir, "cert.pem"),
KeyPath: filepath.Join(tmpDir, "key.pem"),
ReloadCommand: "false", // Exits with code 1
ValidateCommand: "true",
}
connector := postfix.New(cfg, logger)
req := target.DeploymentRequest{
CertPEM: "cert",
ChainPEM: "chain",
}
result, err := connector.DeployCertificate(ctx, req)
if err == nil {
t.Fatal("expected error when reload command fails")
}
if result.Success {
t.Fatal("expected failure result")
}
}
// --- Validation Tests ---
func TestPostfixConnector_ValidateDeployment_Success(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
ctx := context.Background()
tmpDir := t.TempDir()
certPath := filepath.Join(tmpDir, "cert.pem")
os.WriteFile(certPath, []byte("cert"), 0644)
cfg := &postfix.Config{
Mode: "postfix",
CertPath: certPath,
ValidateCommand: "true",
}
connector := postfix.New(cfg, logger)
result, err := connector.ValidateDeployment(ctx, target.ValidationRequest{
CertificateID: "mc-test",
Serial: "123",
})
if err != nil {
t.Fatalf("ValidateDeployment failed: %v", err)
}
if !result.Valid {
t.Fatal("expected valid deployment")
}
if result.Metadata == nil {
t.Fatal("expected metadata in result")
}
if result.Metadata["mode"] != "postfix" {
t.Errorf("expected mode=postfix in metadata")
}
}
func TestPostfixConnector_ValidateDeployment_CertNotFound(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
ctx := context.Background()
cfg := &postfix.Config{
Mode: "postfix",
CertPath: "/nonexistent/cert.pem",
ValidateCommand: "true",
}
connector := postfix.New(cfg, logger)
result, err := connector.ValidateDeployment(ctx, target.ValidationRequest{
CertificateID: "mc-test",
Serial: "123",
})
if err == nil {
t.Fatal("expected error for missing cert file")
}
if result.Valid {
t.Fatal("expected invalid result")
}
}
// --- Security Tests (Command Injection Prevention) ---
func TestPostfixConnector_ValidateConfig_RejectCommandInjectionSemicolon(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
ctx := context.Background()
tmpDir := t.TempDir()
cfg := postfix.Config{
Mode: "postfix",
CertPath: filepath.Join(tmpDir, "cert.pem"),
KeyPath: filepath.Join(tmpDir, "key.pem"),
ReloadCommand: "postfix reload; rm -rf /",
ValidateCommand: "true",
}
connector := postfix.New(&cfg, logger)
rawConfig, _ := json.Marshal(cfg)
err := connector.ValidateConfig(ctx, rawConfig)
if err == nil {
t.Fatal("expected error for command injection in reload_command")
}
}
func TestPostfixConnector_ValidateConfig_RejectCommandInjectionPipe(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
ctx := context.Background()
tmpDir := t.TempDir()
cfg := postfix.Config{
Mode: "postfix",
CertPath: filepath.Join(tmpDir, "cert.pem"),
KeyPath: filepath.Join(tmpDir, "key.pem"),
ReloadCommand: "true",
ValidateCommand: "postfix check | cat /etc/passwd",
}
connector := postfix.New(&cfg, logger)
rawConfig, _ := json.Marshal(cfg)
err := connector.ValidateConfig(ctx, rawConfig)
if err == nil {
t.Fatal("expected error for command injection in validate_command")
}
}
func TestPostfixConnector_ValidateConfig_RejectCommandSubstitution(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
ctx := context.Background()
tmpDir := t.TempDir()
cfg := postfix.Config{
Mode: "postfix",
CertPath: filepath.Join(tmpDir, "cert.pem"),
KeyPath: filepath.Join(tmpDir, "key.pem"),
ReloadCommand: "echo $(whoami)",
ValidateCommand: "true",
}
connector := postfix.New(&cfg, logger)
rawConfig, _ := json.Marshal(cfg)
err := connector.ValidateConfig(ctx, rawConfig)
if err == nil {
t.Fatal("expected error for command substitution in reload_command")
}
}
func TestPostfixConnector_ValidateConfig_RejectBackticks(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
ctx := context.Background()
tmpDir := t.TempDir()
cfg := postfix.Config{
Mode: "postfix",
CertPath: filepath.Join(tmpDir, "cert.pem"),
KeyPath: filepath.Join(tmpDir, "key.pem"),
ReloadCommand: "true",
ValidateCommand: "postfix check `whoami`",
}
connector := postfix.New(&cfg, logger)
rawConfig, _ := json.Marshal(cfg)
err := connector.ValidateConfig(ctx, rawConfig)
if err == nil {
t.Fatal("expected error for backtick injection in validate_command")
}
}
internal/domain/connector.go
+3
View File
@@ -84,4 +84,7 @@ const (
TargetTypeIIS TargetType = "IIS"
TargetTypeTraefik TargetType = "Traefik"
TargetTypeCaddy TargetType = "Caddy"
TargetTypeEnvoy TargetType = "Envoy"
TargetTypePostfix TargetType = "Postfix"
TargetTypeDovecot TargetType = "Dovecot"
)
web/src/pages/TargetDetailPage.tsx
+10 -5
View File
@@ -164,11 +164,16 @@ export default function TargetDetailPage() {
<h3 className="text-sm font-semibold text-ink-muted mb-4">Configuration</h3>
{target.config && Object.keys(target.config).length > 0 ? (
<div className="space-y-0">
{Object.entries(target.config).map(([key, val]) => (
<InfoRow key={key} label={key.replace(/_/g, ' ')} value={
<span className="font-mono text-xs truncate max-w-xs inline-block">{String(val)}</span>
} />
))}
{Object.entries(target.config).map(([key, val]) => {
const sensitiveKeys = ['password', 'secret', 'token', 'key', 'winrm_password'];
const isSensitive = sensitiveKeys.some(s => key.toLowerCase().includes(s));
const displayVal = isSensitive && val ? '********' : String(val);
return (
<InfoRow key={key} label={key.replace(/_/g, ' ')} value={
<span className="font-mono text-xs truncate max-w-xs inline-block">{displayVal}</span>
} />
);
})}
</div>
) : (
<div className="text-sm text-ink-faint py-4 text-center">No configuration data</div>
web/src/pages/TargetsPage.tsx
+40 -4
View File
@@ -16,6 +16,9 @@ const typeLabels: Record<string, string> = {
haproxy: 'HAProxy',
traefik: 'Traefik',
caddy: 'Caddy',
envoy: 'Envoy',
postfix: 'Postfix',
dovecot: 'Dovecot',
f5_bigip: 'F5 BIG-IP',
iis: 'IIS',
};
@@ -26,8 +29,11 @@ const TARGET_TYPES = [
{ value: 'haproxy', label: 'HAProxy', description: 'Combined PEM file (cert+chain+key), optional validate, reload' },
{ value: 'traefik', label: 'Traefik', description: 'File provider deployment — writes cert/key to watched directory, auto-reload' },
{ value: 'caddy', label: 'Caddy', description: 'Admin API hot-reload or file-based deployment with configurable mode' },
{ value: 'envoy', label: 'Envoy', description: 'File-based deployment — writes cert/key to watched directory. Optional SDS file generation.' },
{ value: 'postfix', label: 'Postfix', description: 'Postfix MTA — file write + postfix reload' },
{ value: 'dovecot', label: 'Dovecot', description: 'Dovecot IMAP/POP3 — file write + doveadm reload' },
{ value: 'f5_bigip', label: 'F5 BIG-IP', description: 'iControl REST via proxy agent (V3 implementation)' },
{ value: 'iis', label: 'IIS', description: 'Windows IIS via agent-local PowerShell or proxy WinRM (V3 implementation)' },
{ value: 'iis', label: 'IIS', description: 'Windows IIS via agent-local PowerShell or remote WinRM proxy agent' },
];
const CONFIG_FIELDS: Record<string, { key: string; label: string; placeholder: string; required?: boolean }[]> = {
@@ -60,6 +66,27 @@ const CONFIG_FIELDS: Record<string, { key: string; label: string; placeholder: s
{ key: 'cert_file', label: 'Certificate Filename', placeholder: 'cert.pem (default)' },
{ key: 'key_file', label: 'Key Filename', placeholder: 'key.pem (default)' },
],
envoy: [
{ key: 'cert_dir', label: 'Certificate Directory', placeholder: '/etc/envoy/certs', required: true },
{ key: 'cert_filename', label: 'Certificate Filename', placeholder: 'cert.pem (default)' },
{ key: 'key_filename', label: 'Key Filename', placeholder: 'key.pem (default)' },
{ key: 'chain_filename', label: 'Chain Filename (optional)', placeholder: 'chain.pem (leave empty to append to cert)' },
{ key: 'sds_config', label: 'Generate SDS Config', placeholder: 'true or false' },
],
postfix: [
{ key: 'cert_path', label: 'Certificate Path', placeholder: '/etc/postfix/certs/cert.pem' },
{ key: 'key_path', label: 'Key Path', placeholder: '/etc/postfix/certs/key.pem' },
{ key: 'chain_path', label: 'Chain Path (optional)', placeholder: '/etc/postfix/certs/chain.pem' },
{ key: 'reload_command', label: 'Reload Command', placeholder: 'postfix reload' },
{ key: 'validate_command', label: 'Validate Command', placeholder: 'postfix check' },
],
dovecot: [
{ key: 'cert_path', label: 'Certificate Path', placeholder: '/etc/dovecot/certs/cert.pem' },
{ key: 'key_path', label: 'Key Path', placeholder: '/etc/dovecot/certs/key.pem' },
{ key: 'chain_path', label: 'Chain Path (optional)', placeholder: '/etc/dovecot/certs/chain.pem' },
{ key: 'reload_command', label: 'Reload Command', placeholder: 'doveadm reload' },
{ key: 'validate_command', label: 'Validate Command', placeholder: 'doveconf -n' },
],
f5_bigip: [
{ key: 'management_ip', label: 'Management IP', placeholder: '192.168.1.100', required: true },
{ key: 'partition', label: 'Partition', placeholder: 'Common' },
@@ -67,9 +94,18 @@ const CONFIG_FIELDS: Record<string, { key: string; label: string; placeholder: s
],
iis: [
{ key: 'site_name', label: 'IIS Site Name', placeholder: 'Default Web Site', required: true },
{ key: 'binding_ip', label: 'Binding IP', placeholder: '*' },
{ key: 'binding_port', label: 'Binding Port', placeholder: '443' },
{ key: 'cert_store', label: 'Certificate Store', placeholder: 'My' },
{ key: 'cert_store', label: 'Certificate Store', placeholder: 'My', required: true },
{ key: 'port', label: 'HTTPS Port', placeholder: '443' },
{ key: 'ip_address', label: 'Binding IP', placeholder: '*' },
{ key: 'binding_info', label: 'Host Header (SNI)', placeholder: 'www.example.com' },
{ key: 'sni', label: 'Enable SNI', placeholder: 'true or false' },
{ key: 'mode', label: 'Deployment Mode', placeholder: 'local (default) or winrm' },
{ key: 'winrm.winrm_host', label: 'WinRM Host (remote mode)', placeholder: 'iis-server.example.com' },
{ key: 'winrm.winrm_port', label: 'WinRM Port', placeholder: '5985 (HTTP) or 5986 (HTTPS)' },
{ key: 'winrm.winrm_username', label: 'WinRM Username', placeholder: 'Administrator' },
{ key: 'winrm.winrm_password', label: 'WinRM Password', placeholder: '(sensitive)' },
{ key: 'winrm.winrm_https', label: 'WinRM Use HTTPS', placeholder: 'true or false' },
{ key: 'winrm.winrm_insecure', label: 'WinRM Skip TLS Verify', placeholder: 'false' },
],
};