mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 19:51:33 +00:00
shankar0123
52248be717
Breaking change release. Plaintext HTTP listener removed. The certctl control plane now terminates TLS 1.3 on :8443 via http.Server.ListenAndServeTLS. No CERTCTL_TLS_ENABLED=false escape hatch. No dual-listener mode. One-step cutover per docs/upgrade-to-tls.md. Server - cmd/server/tls.go: certHolder with SIGHUP hot-reload + atomic cert swap, buildServerTLSConfig (TLS 1.3 min, GetCertificate callback), preflightServerTLS validation - cmd/server/main.go: ListenAndServeTLS in place of ListenAndServe, watchSIGHUP wiring, cert/key path config threading - tls_test.go: 418-line regression coverage of reload, preflight, callback behavior, SAN validation Config - CERTCTL_TLS_CERT_PATH / CERTCTL_TLS_KEY_PATH (required) - Plaintext rejection: agents/CLI/MCP pre-flight-fail on http:// URLs with a pointer to docs/upgrade-to-tls.md Agents, CLI, MCP - All three pre-flight-reject http:// URLs with fail-loud diagnostic - CERTCTL_SERVER_CA_BUNDLE_PATH for private-CA trust - CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY for dev-only bypass (loud warning on startup) - install-agent.sh emits both vars as commented template lines docker-compose - certctl-tls-init sidecar generates SAN-valid self-signed cert into deploy/test/certs/ on first boot - All demo-stack curls pin against ca.crt with --cacert Helm chart - Three TLS provisioning modes, exactly one required: - server.tls.existingSecret (operator-supplied) - server.tls.certManager.enabled (cert-manager integration) - server.tls.selfSigned.enabled (eval only — not for production) - server-certificate.yaml template for cert-manager mode - helm install without a TLS source fails at template render with a pointer to docs/tls.md CI - .github/workflows/ci.yml Helm Chart Validation step renders the chart in both existingSecret and cert-manager modes, plus an inverse guard-regression test that asserts helm template MUST refuse to render when no TLS source is configured. Previously the single `helm template` invocation hit the certctl.tls.required fail-loud guard and exit-1'd CI. Four invocations now: lint (existingSecret), template (existingSecret), template (cert-manager), template (no args — must fail). Integration tests - deploy/test/integration_test.go stands up the Compose stack over HTTPS, extracts the CA bundle, and exercises every certctl API over https://localhost:8443 - All 34 integration subtests green (per Phase 8 local CI-parity) Documentation - New: docs/tls.md (provisioning patterns, rotation, SIGHUP reload) - New: docs/upgrade-to-tls.md (one-step cutover, no-downgrade warnings, fleet-roll sequencing) - CHANGELOG.md: v2.2.0 "HTTPS Everywhere — The Irony" entry (file heading unchanged; release tag is v2.0.47) - All curls in docs/, examples/, deploy/helm/ guides use https://localhost:8443 --cacert Verification - grep -rn "ListenAndServe[^T]" cmd/ internal/ → 0 hits - grep -rn "\"http://" cmd/ internal/ → 2 benign hits (Caddy admin API default, SSRF doc comment) — zero certctl endpoints - Tasks #197–#206 (Phases 0–8) all closed in the tracker Files: 65 changed, 3489 insertions, 372 deletions (pre-CI-fix).
97 lines
2.8 KiB
Go
97 lines
2.8 KiB
Go
package main
|
|
|
|
import (
|
|
"strings"
|
|
"testing"
|
|
)
|
|
|
|
// TestValidateHTTPSScheme pins the pre-flight URL-scheme guard that the
|
|
// HTTPS-Everywhere milestone (v2.2, §3.2) requires on the certctl-cli binary
|
|
// startup path. The CLI's diagnostic is distinct from the agent and MCP server
|
|
// because it surfaces the --server flag alongside CERTCTL_SERVER_URL — so the
|
|
// empty-URL case pins that flag-name substring separately. Every other case
|
|
// mirrors the dispatch arms in cmd/cli/main.go:validateHTTPSScheme; drifting
|
|
// the substrings is what this test is here to catch.
|
|
func TestValidateHTTPSScheme(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
serverURL string
|
|
wantErr bool
|
|
wantErrSub string // substring that MUST appear in the error message
|
|
}{
|
|
{
|
|
name: "https URL passes",
|
|
serverURL: "https://certctl-server:8443",
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "https URL with path passes",
|
|
serverURL: "https://certctl.example.com/api/v1",
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "uppercase HTTPS scheme passes (url.Parse lowercases)",
|
|
serverURL: "HTTPS://certctl-server:8443",
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "empty URL rejected mentions --server flag",
|
|
serverURL: "",
|
|
wantErr: true,
|
|
wantErrSub: "--server",
|
|
},
|
|
{
|
|
name: "empty URL rejected also mentions CERTCTL_SERVER_URL",
|
|
serverURL: "",
|
|
wantErr: true,
|
|
wantErrSub: "CERTCTL_SERVER_URL",
|
|
},
|
|
{
|
|
name: "plaintext http rejected",
|
|
serverURL: "http://certctl-server:8443",
|
|
wantErr: true,
|
|
wantErrSub: "plaintext http://",
|
|
},
|
|
{
|
|
name: "bare host missing scheme rejected",
|
|
serverURL: "localhost:8443",
|
|
wantErr: true,
|
|
// url.Parse treats "localhost:8443" as scheme=localhost, opaque=8443
|
|
// — exercises the default arm (unsupported scheme) rather than the
|
|
// empty-scheme arm. Both are fail-closed, which is what we care about.
|
|
wantErrSub: "unsupported scheme",
|
|
},
|
|
{
|
|
name: "path-only URL rejected",
|
|
serverURL: "//certctl-server:8443",
|
|
wantErr: true,
|
|
wantErrSub: "missing a scheme",
|
|
},
|
|
{
|
|
name: "unsupported scheme rejected",
|
|
serverURL: "ftp://certctl-server:8443",
|
|
wantErr: true,
|
|
wantErrSub: "unsupported scheme",
|
|
},
|
|
{
|
|
name: "ws scheme rejected",
|
|
serverURL: "ws://certctl-server:8443",
|
|
wantErr: true,
|
|
wantErrSub: "unsupported scheme",
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
err := validateHTTPSScheme(tt.serverURL)
|
|
if (err != nil) != tt.wantErr {
|
|
t.Fatalf("validateHTTPSScheme(%q) err=%v wantErr=%v", tt.serverURL, err, tt.wantErr)
|
|
}
|
|
if tt.wantErr && tt.wantErrSub != "" && !strings.Contains(err.Error(), tt.wantErrSub) {
|
|
t.Errorf("validateHTTPSScheme(%q) err=%q must contain %q so operators see the right diagnostic",
|
|
tt.serverURL, err.Error(), tt.wantErrSub)
|
|
}
|
|
})
|
|
}
|
|
}
|