gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 22:51:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
0f4a1b268b4e292a74faeb58ab86075a8da3a563
certctl/internal/repository/postgres/revocation.go
T
shankar0123 5d98e373e3 feat: M15a — certificate revocation API, CRL endpoint, and revocation notifications 
Implements core revocation infrastructure: POST /api/v1/certificates/{id}/revoke
with all 8 RFC 5280 reason codes, JSON-formatted CRL at GET /api/v1/crl, webhook
and email revocation notifications, best-effort issuer notification, and immutable
revocation audit trail. Includes 48 new tests across service, handler, integration,
and domain layers (600+ total). Fixes 3 pre-existing test bugs (team_test error
matching, agent_group delete status code, team handler per_page validation).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-22 10:59:18 -04:00

131 lines
4.1 KiB
Go
Raw Blame History

package postgres
import (
"context"
"database/sql"
"fmt"
"github.com/shankar0123/certctl/internal/domain"
)
// RevocationRepository implements repository.RevocationRepository using PostgreSQL.
type RevocationRepository struct {
db *sql.DB
}
// NewRevocationRepository creates a new RevocationRepository.
func NewRevocationRepository(db *sql.DB) *RevocationRepository {
return &RevocationRepository{db: db}
}
// Create records a new certificate revocation.
func (r *RevocationRepository) Create(ctx context.Context, revocation *domain.CertificateRevocation) error {
_, err := r.db.ExecContext(ctx, `
INSERT INTO certificate_revocations (
id, certificate_id, serial_number, reason, revoked_by, revoked_at,
issuer_id, issuer_notified, created_at
) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
ON CONFLICT (serial_number) DO NOTHING
`, revocation.ID, revocation.CertificateID, revocation.SerialNumber,
revocation.Reason, revocation.RevokedBy, revocation.RevokedAt,
revocation.IssuerID, revocation.IssuerNotified, revocation.CreatedAt)
if err != nil {
return fmt.Errorf("failed to create revocation record: %w", err)
}
return nil
}
// GetBySerial retrieves a revocation by serial number.
func (r *RevocationRepository) GetBySerial(ctx context.Context, serial string) (*domain.CertificateRevocation, error) {
var rev domain.CertificateRevocation
err := r.db.QueryRowContext(ctx, `
SELECT id, certificate_id, serial_number, reason, revoked_by, revoked_at,
issuer_id, issuer_notified, created_at
FROM certificate_revocations
WHERE serial_number = $1
`, serial).Scan(&rev.ID, &rev.CertificateID, &rev.SerialNumber,
&rev.Reason, &rev.RevokedBy, &rev.RevokedAt,
&rev.IssuerID, &rev.IssuerNotified, &rev.CreatedAt)
if err != nil {
return nil, fmt.Errorf("failed to get revocation by serial: %w", err)
}
return &rev, nil
}
// ListAll returns all revocations ordered by revocation time (for CRL generation).
func (r *RevocationRepository) ListAll(ctx context.Context) ([]*domain.CertificateRevocation, error) {
rows, err := r.db.QueryContext(ctx, `
SELECT id, certificate_id, serial_number, reason, revoked_by, revoked_at,
issuer_id, issuer_notified, created_at
FROM certificate_revocations
ORDER BY revoked_at ASC
`)
if err != nil {
return nil, fmt.Errorf("failed to list revocations: %w", err)
}
defer rows.Close()
return scanRevocations(rows)
}
// ListByCertificate returns all revocations for a certificate.
func (r *RevocationRepository) ListByCertificate(ctx context.Context, certID string) ([]*domain.CertificateRevocation, error) {
rows, err := r.db.QueryContext(ctx, `
SELECT id, certificate_id, serial_number, reason, revoked_by, revoked_at,
issuer_id, issuer_notified, created_at
FROM certificate_revocations
WHERE certificate_id = $1
ORDER BY revoked_at ASC
`, certID)
if err != nil {
return nil, fmt.Errorf("failed to list revocations by certificate: %w", err)
}
defer rows.Close()
return scanRevocations(rows)
}
// MarkIssuerNotified updates the issuer_notified flag for a revocation.
func (r *RevocationRepository) MarkIssuerNotified(ctx context.Context, id string) error {
result, err := r.db.ExecContext(ctx, `
UPDATE certificate_revocations SET issuer_notified = TRUE WHERE id = $1
`, id)
if err != nil {
return fmt.Errorf("failed to mark issuer notified: %w", err)
}
rows, err := result.RowsAffected()
if err != nil {
return fmt.Errorf("failed to get rows affected: %w", err)
}
if rows == 0 {
return fmt.Errorf("revocation not found")
}
return nil
}
func scanRevocations(rows *sql.Rows) ([]*domain.CertificateRevocation, error) {
var revocations []*domain.CertificateRevocation
for rows.Next() {
var rev domain.CertificateRevocation
if err := rows.Scan(&rev.ID, &rev.CertificateID, &rev.SerialNumber,
&rev.Reason, &rev.RevokedBy, &rev.RevokedAt,
&rev.IssuerID, &rev.IssuerNotified, &rev.CreatedAt); err != nil {
return nil, fmt.Errorf("failed to scan revocation: %w", err)
}
revocations = append(revocations, &rev)
}
if err := rows.Err(); err != nil {
return nil, fmt.Errorf("error iterating revocation rows: %w", err)
}
return revocations, nil
}
Reference in New Issue View Git Blame Copy Permalink