gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 22:51:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
374ec574c5606908b4bc0f55de4eaa71003d4bfc
certctl/internal/api/acme/errors_test.go
T
shankar0123 ec88a61274 acme-server: foundation — directory + new-nonce + per-profile routing (Phase 1a/7) 
First slice of the RFC 8555 ACME server endpoint (master plan at
cowork/acme-server-endpoint-prompt.md, per-phase prompts at
cowork/acme-server-prompts/). This commit lands the smallest viable
end-to-end deployable slice: an ACME client running

  curl -sk https://certctl/acme/profile/<id>/directory
  curl -sk -I https://certctl/acme/profile/<id>/new-nonce

successfully fetches the directory document and a Replay-Nonce.
Account creation, JWS verification, orders, challenges, and
revocation are all out of scope for this phase and arrive in Phases
1b–4.

Closes the Rank 1 LHF from the 2026-05-03 Infisical deep-research
(cowork/infisical-deep-research-results.md). Pre-fix, certctl was an
ACME consumer only — no /acme/directory endpoint, no JWS verifier,
no challenge validators. K8s customers running cert-manager could
not point at certctl as an ACME issuer; they had to deploy a certctl
agent on every node.

What ships:
  - internal/api/acme/{directory,nonce,errors}.go (+ tests).
  - internal/api/handler/acme.go + acme_handler_test.go.
  - internal/repository/postgres/acme.go (nonce ops only — Phase 1b
    extends with account CRUD; Phases 2-4 extend with order / authz /
    challenge CRUD).
  - internal/service/acme.go (BuildDirectory + IssueNonce stubs;
    Phase 1b adds VerifyJWS / NewAccount / etc.).
  - migrations/000025_acme_server.{up,down}.sql ships the full 5-table
    ACME schema (acme_accounts / acme_orders / acme_authorizations /
    acme_challenges / acme_nonces) PLUS the per-profile
    certificate_profiles.acme_auth_mode column. Phase 1a actively
    uses only acme_nonces; remaining tables are empty until Phases
    1b-4 plug in.
  - internal/config/config.go: ACMEServerConfig struct + ACMEServer
    field on Config. Env vars use CERTCTL_ACME_SERVER_* prefix to
    avoid colliding with the existing consumer-side ACMEConfig at
    config.go:1746 (CERTCTL_ACME_DIRECTORY_URL / PROFILE /
    CHALLENGE_TYPE etc.). Phase 1a wires Enabled +
    DefaultAuthMode + DefaultProfileID + NonceTTL + DirectoryMeta;
    Order/Authz TTLs + per-challenge-type concurrency caps + DNS01
    resolver are reserved fields parsed in 1a so operators can set
    them ahead of Phases 2/3.
  - cmd/server/main.go: wire ACMEHandler into the HandlerRegistry
    literal alongside the existing certificate / EST / SCEP / etc.
    handlers.
  - internal/api/router/router.go: HandlerRegistry.ACME field + 6
    Register calls (3 per-profile + 3 shorthand).
  - internal/api/router/openapi_parity_test.go: 6 new entries in
    SpecParityExceptions. ACME is a wire-protocol surface (JWS-signed
    JSON over HTTPS per RFC 7515) whose semantics are dictated by
    RFC 8555 + RFC 9773 rather than by an OpenAPI document, same
    precedent as SCEP/EST. The canonical reference is
    docs/acme-server.md.
  - docs/acme-server.md: Phase-1a-shaped reference. Configuration
    table for every CERTCTL_ACME_SERVER_* env var. Per-profile
    auth-mode decision tree skeleton. TLS trust bootstrap section
    flagging cert-manager's ClusterIssuer.spec.acme.caBundle
    requirement (the single biggest first-time-deploy footgun;
    the full cert-manager walkthrough lands in Phase 6 but the
    requirement is documented up front).

Architecture decisions baked in:
  - URL family is /acme/profile/<id>/* (per-profile, canonical) with
    /acme/* shorthand active when CERTCTL_ACME_SERVER_DEFAULT_PROFILE_ID
    is set. Path matches existing per-profile precedent in EST + SCEP.
  - Auth mode is per-profile (acme_auth_mode column on
    certificate_profiles), NOT server-wide. One certctl-server can
    serve trust_authenticated for an internal-PKI profile and
    challenge for a public-trust-style profile simultaneously. The
    column is read at request time, not cached at server start —
    operators flipping a profile's mode via SQL take effect on the
    next order without restart.
  - Nonces are DB-backed (acme_nonces table). Survive server restart.
    The RFC 8555 §6.5 replay defense requires the store to outlast
    the client's nonce caching window; an in-memory-only nonce
    store would lose every in-flight order on restart.
  - Per-op atomic counters on service.ACMEService.Metrics() —
    certctl_acme_directory_total, certctl_acme_directory_failures_total,
    certctl_acme_new_nonce_total, certctl_acme_new_nonce_failures_total.
    Naming follows certctl frozen decision 0.10 cardinality discipline.
    Phase 1b will extend with new_account counters; Phase 2 with
    order / finalize / cert; Phase 3 with per-challenge-type counters.

Audit fixes #11 + #12 (cowork/acme-server-prompts/audit-additions.md)
applied:
  - #11: CERTCTL_ACME_SERVER_* prefix avoids the consumer-side
    CERTCTL_ACME_* namespace collision.
  - #12: prior-attempt WIP from two failed Phase-1 dispatches was
    discarded at phase start; this commit starts from a clean tree.

Tests:
  - 14 unit tests in internal/api/acme/ (directory, nonce, errors).
  - 7 handler-level tests via httptest.NewServer + mockACMEService
    (mirrors the mockSCEPService pattern at scep_handler_test.go).
  - 7 service-layer tests with mocked repo + injected profileLookup.
  - All pass under -race -count=1 -short.

Deferred to Phase 1b:
  - JWS verification (go-jose v4 — see master-prompt §8a for the API
    surface and audit doc for the speculation pitfalls).
  - new-account / account/<id> endpoints + AccountService.
  - Nonce *consumption* path (issue path is in this commit; consume
    is only invoked by JWS-verified POSTs which Phase 1b adds).

Engineering history: cowork/WORKSPACE-CHANGELOG.md "ACME-Server-1a".
Per-phase implementation plan: cowork/acme-server-prompts/.
Master plan + audit fixes: cowork/acme-server-endpoint-prompt.md +
cowork/acme-server-prompt-audit.md +
cowork/acme-server-prompts/audit-additions.md.
2026-05-03 12:55:40 +00:00

107 lines
3.4 KiB
Go
Raw Blame History

// Copyright (c) certctl
// SPDX-License-Identifier: BSL-1.1
package acme
import (
"encoding/json"
"net/http"
"net/http/httptest"
"strings"
"testing"
)
func TestProblem_Malformed_Shape(t *testing.T) {
p := Malformed("payload was not valid JSON")
if p.Status != http.StatusBadRequest {
t.Errorf("status = %d, want %d", p.Status, http.StatusBadRequest)
}
if p.Type != "urn:ietf:params:acme:error:malformed" {
t.Errorf("type = %q", p.Type)
}
if p.Detail != "payload was not valid JSON" {
t.Errorf("detail = %q", p.Detail)
}
// Subproblems and Identifier are Phase-2 extensions; both stay empty
// for a Phase-1a-emitted problem.
if len(p.Subproblems) != 0 {
t.Errorf("subproblems should be empty; got %v", p.Subproblems)
}
if p.Identifier != nil {
t.Errorf("identifier should be nil; got %+v", p.Identifier)
}
}
func TestProblem_AllHelperShapes(t *testing.T) {
cases := []struct {
name string
p Problem
wantType string
wantStatus int
}{
{"Malformed", Malformed("x"), "urn:ietf:params:acme:error:malformed", http.StatusBadRequest},
{"ServerInternal", ServerInternal("x"), "urn:ietf:params:acme:error:serverInternal", http.StatusInternalServerError},
{"UserActionRequired", UserActionRequired("x"), "urn:ietf:params:acme:error:userActionRequired", http.StatusForbidden},
{"AccountDoesNotExist", AccountDoesNotExist("x"), "urn:ietf:params:acme:error:accountDoesNotExist", http.StatusBadRequest},
{"BadNonce", BadNonce("x"), "urn:ietf:params:acme:error:badNonce", http.StatusBadRequest},
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
if tc.p.Type != tc.wantType {
t.Errorf("type = %q, want %q", tc.p.Type, tc.wantType)
}
if tc.p.Status != tc.wantStatus {
t.Errorf("status = %d, want %d", tc.p.Status, tc.wantStatus)
}
})
}
}
func TestProblem_UnsupportedContentType(t *testing.T) {
p := UnsupportedContentType("application/json")
if p.Status != http.StatusUnsupportedMediaType {
t.Errorf("status = %d, want 415", p.Status)
}
if p.Type != "about:blank" {
t.Errorf("UnsupportedContentType uses RFC 7807 about:blank; got %q", p.Type)
}
if !strings.Contains(p.Detail, "application/json") {
t.Errorf("detail should echo content-type; got %q", p.Detail)
}
}
func TestWriteProblem_Headers(t *testing.T) {
rec := httptest.NewRecorder()
WriteProblem(rec, Malformed("oops"))
if got, want := rec.Code, http.StatusBadRequest; got != want {
t.Errorf("status = %d, want %d", got, want)
}
if got, want := rec.Header().Get("Content-Type"), ProblemContentType; got != want {
t.Errorf("content-type = %q, want %q", got, want)
}
var p Problem
if err := json.NewDecoder(rec.Body).Decode(&p); err != nil {
t.Fatalf("Decode: %v", err)
}
if p.Type != "urn:ietf:params:acme:error:malformed" {
t.Errorf("decoded type = %q", p.Type)
}
}
func TestWriteProblem_NilStatusFallsBackTo500(t *testing.T) {
// Defensive check: a hand-constructed Problem with Status=0 (e.g.
// from a forgotten error path) still renders cleanly as 500 +
// serverInternal rather than emitting an HTTP/0 response.
rec := httptest.NewRecorder()
WriteProblem(rec, Problem{})
if got, want := rec.Code, http.StatusInternalServerError; got != want {
t.Errorf("status = %d, want %d", got, want)
}
if got, want := rec.Header().Get("Content-Type"), ProblemContentType; got != want {
t.Errorf("content-type = %q, want %q", got, want)
}
}
Reference in New Issue View Git Blame Copy Permalink