mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 13:41:30 +00:00
shankar0123
21aeed4f4e
Phase 0 closure (Path B2, post-rewrite):
addlicense sweep — adds the canonical certctl LLC copyright + BUSL-1.1
SPDX header to every production Go file. Template:
// Copyright 2026 certctl LLC. All rights reserved.
// SPDX-License-Identifier: BUSL-1.1
Coverage: 338 / 338 production Go files (cmd/ + internal/, excluding
*_test.go and **/testdata/**). Pre-sweep coverage was 22 / 338 (6.5%);
post-sweep is 338 / 338 (100%).
Normalized 22 pre-existing legacy headers (`// Copyright (c) certctl`
+ `// SPDX-License-Identifier: BSL-1.1`) and 1 file using a
`Certctl Contributors` attribution. The legacy SPDX ID `BSL-1.1`
is non-standard; the official SPDX identifier for Business Source
License 1.1 is `BUSL-1.1` (capital U). All 338 files now share the
canonical form.
Generated via:
addlicense -c "certctl LLC" -y 2026 \
-f cowork/legal/copyright-header.tpl \
-ignore '**/testdata/**' -ignore '**/*_test.go' \
cmd/ internal/
Verification:
find cmd internal -name '*.go' -not -name '*_test.go' \
-not -path '*/testdata/*' \
-exec grep -L '^// Copyright 2026 certctl LLC' {} \; | wc -l
Returns: 0
gofmt clean. Header additions are comments only, no compile impact.
Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-4
284 lines
9.8 KiB
Go
284 lines
9.8 KiB
Go
// Copyright 2026 certctl LLC. All rights reserved.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package service
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"log/slog"
|
|
"time"
|
|
|
|
"github.com/certctl-io/certctl/internal/auth"
|
|
"github.com/certctl-io/certctl/internal/domain"
|
|
"github.com/certctl-io/certctl/internal/repository"
|
|
)
|
|
|
|
// ErrProfileEditPendingApproval (Bundle 1 Phase 9) is returned by
|
|
// UpdateProfile when the live profile (or the proposed update) carries
|
|
// RequiresApproval=true. The handler maps this to HTTP 202 Accepted +
|
|
// {pending_approval_id} so the operator knows to chase a second-admin
|
|
// approve. See docs/reference/profiles.md.
|
|
var ErrProfileEditPendingApproval = errors.New("profile edit gated by approval workflow")
|
|
|
|
// ProfileEditApprovalRequester is the slice of ApprovalService the
|
|
// ProfileService consumes when a profile edit triggers the gate.
|
|
// Pulled out as a small interface so unit tests can drive the gate
|
|
// without the full ApprovalService dependency tree.
|
|
type ProfileEditApprovalRequester interface {
|
|
RequestProfileEditApproval(ctx context.Context, profileID, requestedBy string, payload []byte) (string, error)
|
|
}
|
|
|
|
// ProfileService provides business logic for certificate profile management.
|
|
type ProfileService struct {
|
|
profileRepo repository.CertificateProfileRepository
|
|
auditService *AuditService
|
|
approvalService ProfileEditApprovalRequester // Bundle 1 Phase 9; nil disables the gate
|
|
}
|
|
|
|
// NewProfileService creates a new profile service.
|
|
func NewProfileService(
|
|
profileRepo repository.CertificateProfileRepository,
|
|
auditService *AuditService,
|
|
) *ProfileService {
|
|
return &ProfileService{
|
|
profileRepo: profileRepo,
|
|
auditService: auditService,
|
|
}
|
|
}
|
|
|
|
// SetApprovalService wires the Bundle 1 Phase 9 gate. cmd/server/main.go
|
|
// calls this after both ProfileService and ApprovalService are
|
|
// constructed. nil disables the gate (preserving pre-Phase-9 behaviour
|
|
// for any test fixture or alternate boot path that doesn't wire it).
|
|
func (s *ProfileService) SetApprovalService(a ProfileEditApprovalRequester) {
|
|
s.approvalService = a
|
|
}
|
|
|
|
// ListProfiles returns all profiles (handler interface method).
|
|
func (s *ProfileService) ListProfiles(ctx context.Context, page, perPage int) ([]domain.CertificateProfile, int64, error) {
|
|
// Bundle E / Audit L-020: page/perPage are unused; the underlying repo
|
|
// List() does not yet take pagination params. Marked explicitly so
|
|
// ineffassign sees no dead store and future maintainers see the
|
|
// vestigial params rather than a misleading default-applied clamp.
|
|
_ = page
|
|
_ = perPage
|
|
|
|
profiles, err := s.profileRepo.List(ctx)
|
|
if err != nil {
|
|
return nil, 0, fmt.Errorf("failed to list profiles: %w", err)
|
|
}
|
|
total := int64(len(profiles))
|
|
|
|
var result []domain.CertificateProfile
|
|
for _, p := range profiles {
|
|
if p != nil {
|
|
result = append(result, *p)
|
|
}
|
|
}
|
|
|
|
return result, total, nil
|
|
}
|
|
|
|
// GetProfile returns a single profile (handler interface method).
|
|
func (s *ProfileService) GetProfile(ctx context.Context, id string) (*domain.CertificateProfile, error) {
|
|
return s.profileRepo.Get(ctx, id)
|
|
}
|
|
|
|
// CreateProfile creates a new profile with validation (handler interface method).
|
|
func (s *ProfileService) CreateProfile(ctx context.Context, profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
|
|
if err := validateProfile(&profile); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if profile.ID == "" {
|
|
profile.ID = generateID("prof")
|
|
}
|
|
now := time.Now()
|
|
if profile.CreatedAt.IsZero() {
|
|
profile.CreatedAt = now
|
|
}
|
|
if profile.UpdatedAt.IsZero() {
|
|
profile.UpdatedAt = now
|
|
}
|
|
|
|
// Apply defaults if not set
|
|
if len(profile.AllowedKeyAlgorithms) == 0 {
|
|
profile.AllowedKeyAlgorithms = domain.DefaultKeyAlgorithms()
|
|
}
|
|
if len(profile.AllowedEKUs) == 0 {
|
|
profile.AllowedEKUs = domain.DefaultEKUs()
|
|
}
|
|
|
|
if err := s.profileRepo.Create(ctx, &profile); err != nil {
|
|
return nil, fmt.Errorf("failed to create profile: %w", err)
|
|
}
|
|
|
|
if s.auditService != nil {
|
|
if auditErr := s.auditService.RecordEvent(context.WithoutCancel(ctx), "api", domain.ActorTypeUser,
|
|
"create_profile", "certificate_profile", profile.ID, nil); auditErr != nil {
|
|
slog.Error("failed to record audit event", "error", auditErr)
|
|
}
|
|
}
|
|
|
|
return &profile, nil
|
|
}
|
|
|
|
// UpdateProfile modifies an existing profile (handler interface method).
|
|
//
|
|
// Bundle 1 Phase 9 (approval-bypass closure): if the LIVE profile has
|
|
// RequiresApproval=true OR the proposed update would set it true, the
|
|
// edit is NOT applied directly. Instead it is serialized to a pending
|
|
// ApprovalRequest with Kind=profile_edit and the caller receives
|
|
// ErrProfileEditPendingApproval. The handler maps this to HTTP 202 +
|
|
// the new approval ID. A non-requester admin then approves via the
|
|
// existing /v1/approvals/{id}/approve endpoint, which deserializes
|
|
// the payload and persists the diff via the profile-edit-apply
|
|
// callback registered in main.go. This closes the flip-flop loophole
|
|
// where an admin could disable RequiresApproval, mutate, re-enable.
|
|
//
|
|
// SetApprovalService(nil) disables the gate (test fixtures); the
|
|
// pre-Phase-9 direct-apply path is preserved.
|
|
func (s *ProfileService) UpdateProfile(ctx context.Context, id string, profile domain.CertificateProfile) (*domain.CertificateProfile, error) {
|
|
if err := validateProfile(&profile); err != nil {
|
|
return nil, err
|
|
}
|
|
profile.ID = id
|
|
|
|
if s.approvalService != nil {
|
|
live, err := s.profileRepo.Get(ctx, id)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to load live profile: %w", err)
|
|
}
|
|
// Gate when the live profile is approval-tier OR the edit
|
|
// would flip it on. Both arms close the loophole: a flip-
|
|
// flop attacker can't set false→mutate→true because every
|
|
// transition through an approval-tier profile triggers the
|
|
// gate.
|
|
if (live != nil && live.RequiresApproval) || profile.RequiresApproval {
|
|
payload, perr := json.Marshal(profile)
|
|
if perr != nil {
|
|
return nil, fmt.Errorf("marshal profile for approval payload: %w", perr)
|
|
}
|
|
requester := actorFromContext(ctx)
|
|
approvalID, gerr := s.approvalService.RequestProfileEditApproval(ctx, id, requester, payload)
|
|
if gerr != nil {
|
|
return nil, fmt.Errorf("approval gate: %w", gerr)
|
|
}
|
|
if s.auditService != nil {
|
|
// Audit 2026-05-10 HIGH-6 partial closure — emit WARN on
|
|
// audit-write failure so the silent row-miss is observable.
|
|
if err := s.auditService.RecordEventWithCategory(
|
|
context.WithoutCancel(ctx),
|
|
requester, domain.ActorTypeUser,
|
|
"profile.edit_request", domain.EventCategoryAuth,
|
|
"certificate_profile", id,
|
|
map[string]interface{}{"approval_id": approvalID},
|
|
); err != nil {
|
|
slog.WarnContext(ctx, "profile.edit_request audit write failed (approval requested; audit row may be missing)",
|
|
"profile_id", id,
|
|
"approval_id", approvalID,
|
|
"requester", requester,
|
|
"err", err)
|
|
}
|
|
}
|
|
return nil, fmt.Errorf("%w: approval=%s", ErrProfileEditPendingApproval, approvalID)
|
|
}
|
|
}
|
|
|
|
if err := s.profileRepo.Update(ctx, &profile); err != nil {
|
|
return nil, fmt.Errorf("failed to update profile: %w", err)
|
|
}
|
|
|
|
if s.auditService != nil {
|
|
if auditErr := s.auditService.RecordEvent(context.WithoutCancel(ctx), "api", domain.ActorTypeUser,
|
|
"update_profile", "certificate_profile", id, nil); auditErr != nil {
|
|
slog.Error("failed to record audit event", "error", auditErr)
|
|
}
|
|
}
|
|
|
|
return &profile, nil
|
|
}
|
|
|
|
// actorFromContext pulls the caller's actor ID from the
|
|
// auth-middleware ActorIDKey populated by NewAuthWithKeyStore /
|
|
// NewDemoModeAuth. Falls back to "api" so legacy test fixtures that
|
|
// don't wire the auth context still record meaningful audit rows.
|
|
func actorFromContext(ctx context.Context) string {
|
|
if ctx == nil {
|
|
return "api"
|
|
}
|
|
if id := auth.GetActorID(ctx); id != "" {
|
|
return id
|
|
}
|
|
if id, ok := ctx.Value(auth.UserKey{}).(string); ok && id != "" {
|
|
return id
|
|
}
|
|
return "api"
|
|
}
|
|
|
|
// DeleteProfile removes a profile (handler interface method).
|
|
func (s *ProfileService) DeleteProfile(ctx context.Context, id string) error {
|
|
if err := s.profileRepo.Delete(ctx, id); err != nil {
|
|
return fmt.Errorf("failed to delete profile: %w", err)
|
|
}
|
|
|
|
if s.auditService != nil {
|
|
if auditErr := s.auditService.RecordEvent(context.WithoutCancel(ctx), "api", domain.ActorTypeUser,
|
|
"delete_profile", "certificate_profile", id, nil); auditErr != nil {
|
|
slog.Error("failed to record audit event", "error", auditErr)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// Get retrieves a profile by ID (used by other services like RenewalService).
|
|
func (s *ProfileService) Get(ctx context.Context, id string) (*domain.CertificateProfile, error) {
|
|
return s.profileRepo.Get(ctx, id)
|
|
}
|
|
|
|
// validateProfile checks that a profile's configuration is valid.
|
|
func validateProfile(p *domain.CertificateProfile) error {
|
|
if p.Name == "" {
|
|
return fmt.Errorf("profile name is required")
|
|
}
|
|
if len(p.Name) > 255 {
|
|
return fmt.Errorf("profile name exceeds 255 characters")
|
|
}
|
|
|
|
// Validate key algorithms
|
|
for _, alg := range p.AllowedKeyAlgorithms {
|
|
if !domain.ValidKeyAlgorithms[alg.Algorithm] {
|
|
return fmt.Errorf("invalid key algorithm: %s (allowed: RSA, ECDSA, Ed25519)", alg.Algorithm)
|
|
}
|
|
if alg.Algorithm == domain.KeyAlgorithmRSA && alg.MinSize < 2048 {
|
|
return fmt.Errorf("RSA minimum key size must be at least 2048, got %d", alg.MinSize)
|
|
}
|
|
if alg.Algorithm == domain.KeyAlgorithmECDSA && alg.MinSize < 256 {
|
|
return fmt.Errorf("ECDSA minimum key size must be at least 256, got %d", alg.MinSize)
|
|
}
|
|
}
|
|
|
|
// Validate EKUs
|
|
for _, eku := range p.AllowedEKUs {
|
|
if !domain.ValidEKUs[eku] {
|
|
return fmt.Errorf("invalid EKU: %s", eku)
|
|
}
|
|
}
|
|
|
|
// Validate max TTL
|
|
if p.MaxTTLSeconds < 0 {
|
|
return fmt.Errorf("max_ttl_seconds cannot be negative")
|
|
}
|
|
|
|
// Validate short-lived consistency
|
|
if p.AllowShortLived && p.MaxTTLSeconds >= 3600 {
|
|
return fmt.Errorf("allow_short_lived is true but max_ttl_seconds (%d) is >= 3600; short-lived certs must have TTL under 1 hour", p.MaxTTLSeconds)
|
|
}
|
|
|
|
return nil
|
|
}
|