mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 12:41:30 +00:00
shankar0123
5a682db8e2
+ Cisco IOS quirk fixtures + ManagedCertificate.Source provenance + EST bulk-revoke endpoint + 13 typed audit action codes. Phase 10.1 — libest reference-client sidecar: - deploy/test/libest/Dockerfile: multi-stage Debian-bookworm-slim build of Cisco's libest v3.2.0-2 from source (autoconf/automake/ libtool + libcurl4-openssl-dev + libssl-dev). Runtime stage carries only estclient + bash + openssl + ca-certificates so the exec surface stays small + predictable. - docker-compose.test.yml libest-client entry (profiles: [est-e2e]) with bind mounts for /config/est (test workspace) + /config/certs (certctl CA bundle for TLS pinning); IP 10.30.50.9 (10.30.50.8 was already taken by certctl-agent). - deploy/test/est/.gitkeep keeps the bind-mount target tracked. Phase 10.2 — 5 integration tests (//go:build integration) in deploy/test/est_e2e_test.go: - TestEST_LibESTClient_Enrollment_Integration (cacerts → simpleenroll → cert-shape assertion) - TestEST_LibESTClient_MTLSEnrollment_Integration (mTLS sibling-route cert auth; skip when bootstrap cert absent) - TestEST_LibESTClient_ServerKeygen_Integration (RFC 7030 §4.4 multipart; skip when profile gate disabled) - TestEST_LibESTClient_RateLimited_Integration (4th enroll trips per-principal cap, asserts 429-shaped error) - TestEST_LibESTClient_ChannelBinding_Integration (libest --tls-exporter; skip when libest build lacks the flag). - requireESTSidecar guard skips the suite when the operator forgot --profile est-e2e; helpful error message includes the exact command to bring the sidecar up. Phase 10.3 — Cisco IOS quirk fixtures + 3 unit tests in internal/api/handler/cisco_ios_quirks_test.go: - testdata/cisco_ios_15x_pem_csr.txt: PEM body sent with Content-Type application/x-pem-file. Handler dispatches on body-prefix not Content-Type — accepts cleanly. - testdata/cisco_ios_16x_trailing_newline_csr.txt: extra trailing newlines after base64 body. strings.TrimSpace tolerates. - testdata/cisco_ios_crlf_b64_csr.txt: CRLF-wrapped base64. base64.StdEncoding handles CRLF + LF identically. Phase 11.1 — ManagedCertificate.Source provenance: - New domain.CertificateSource enum (Unspecified/EST/SCEP/API/Agent). - Migration 000023_managed_certificates_source.up.sql adds source TEXT NOT NULL DEFAULT '' so existing rows scan as CertificateSourceUnspecified — back-compat: bulk-revoke filter treats empty as "any source". - Postgres repo Insert/Update/scan paths all wire the new column. Phase 11.2 — EST bulk-revoke endpoint: - BulkRevocationCriteria.Source field (Source-only requests rejected as too broad — must accompany at least one narrower criterion). - service.bulk_revocation.resolveCertificates post-filter by Source (empty=any, no SQL change so existing CertificateFilter callers unaffected). - New BulkRevocationHandler.BulkRevokeEST method pins Source=EST + dispatches; new route POST /api/v1/est/certificates/bulk-revoke (M-008 admin-gated). openapi.yaml documented + parity-guard green. Phase 11.3 — 13 typed audit action codes in internal/service/est_audit_actions.go: - est_simple_enroll_success / _failed - est_simple_reenroll_success / _failed - est_server_keygen_success / _failed - est_auth_failed_basic / _mtls / _channel_binding - est_rate_limited - est_csr_policy_violation - est_bulk_revoke - est_trust_anchor_reloaded - ESTService.processEnrollment + SimpleServerKeygen + ReloadTrust split-emit BOTH the legacy bare action codes (back-compat for the GUI activity-tab chip filters that match by exact string + existing audit-log analysers) AND the new typed _success / _failed variants (operator grep target + per-failure-mode counter). Tests: - internal/api/handler/bulk_revocation_est_test.go — 5 cases (admin-true happy path pins Source=EST + non-admin 403 + empty-criteria 400 + invalid-reason 400 + method-not-allowed). - internal/service/est_audit_actions_test.go — 5 cases (SimpleEnroll legacy+typed emission / SimpleReEnroll typed / IssuerError typed-failed / PolicyViolation triple-emit / unique-string invariant). Pre-commit verification (sandbox): gofmt clean, go vet clean (excluding repository/postgres testcontainers limit), staticcheck clean across api/handler/api/router/domain/service/deploy/test, go test -short -count=1 green for every non-postgres Go package + integration build (`go build -tags integration ./deploy/test/...`) clean. G-3 docs-drift guard reproduced locally clean (Phases 10-11 added zero new env vars). Spec preserved at cowork/est-rfc7030-hardening-prompt.md. Phases 12-13 (docs/est.md + WiFi/802.1X / IoT bootstrap / FreeRADIUS recipes; release prep + tag) remain — post-2.1.0 work.
223 lines
8.3 KiB
Go
223 lines
8.3 KiB
Go
package service
|
|
|
|
import (
|
|
"context"
|
|
"sync/atomic"
|
|
"time"
|
|
|
|
"github.com/shankar0123/certctl/internal/trustanchor"
|
|
)
|
|
|
|
// EST RFC 7030 hardening master bundle Phase 7.1.
|
|
//
|
|
// estCounterTab is the in-memory equivalent of a Prometheus
|
|
// `certctl_est_enrollments_total{status="..."}` metric. We don't take a
|
|
// Prometheus dependency here (the project doesn't expose /metrics today;
|
|
// that's a separate decision). The admin GUI's "EST Profiles" tab calls
|
|
// the GET /api/v1/admin/est/profiles endpoint, which calls
|
|
// ESTService.Stats() to render the counter snapshot.
|
|
//
|
|
// Concurrency: every field is read/written via sync/atomic so the
|
|
// service hot path stays lock-free.
|
|
|
|
// Counter labels — keep in sync with snapshot() + the admin GUI's
|
|
// counter-grid renderer. New labels MUST be added in three places:
|
|
// constants below, snapshot()'s map, and inc()'s switch.
|
|
const (
|
|
estCounterSuccessSimpleEnroll = "success_simpleenroll"
|
|
estCounterSuccessSimpleReEnroll = "success_simplereenroll"
|
|
estCounterSuccessServerKeygen = "success_serverkeygen"
|
|
estCounterAuthFailedBasic = "auth_failed_basic"
|
|
estCounterAuthFailedMTLS = "auth_failed_mtls"
|
|
estCounterAuthFailedChannelBind = "auth_failed_channel_binding"
|
|
estCounterCSRInvalid = "csr_invalid"
|
|
estCounterCSRPolicyViolation = "csr_policy_violation"
|
|
estCounterCSRSignatureMismatch = "csr_signature_mismatch"
|
|
estCounterRateLimited = "rate_limited"
|
|
estCounterIssuerError = "issuer_error"
|
|
estCounterInternalError = "internal_error"
|
|
)
|
|
|
|
type estCounterTab struct {
|
|
successSimpleEnroll atomic.Uint64
|
|
successSimpleReEnroll atomic.Uint64
|
|
successServerKeygen atomic.Uint64
|
|
authFailedBasic atomic.Uint64
|
|
authFailedMTLS atomic.Uint64
|
|
authFailedChannelBind atomic.Uint64
|
|
csrInvalid atomic.Uint64
|
|
csrPolicyViolation atomic.Uint64
|
|
csrSignatureMismatch atomic.Uint64
|
|
rateLimited atomic.Uint64
|
|
issuerError atomic.Uint64
|
|
internalError atomic.Uint64
|
|
}
|
|
|
|
// snapshot returns a zero-allocation copy of the current counter values
|
|
// keyed by the same label strings inc() accepts.
|
|
func (c *estCounterTab) snapshot() map[string]uint64 {
|
|
if c == nil {
|
|
return map[string]uint64{}
|
|
}
|
|
return map[string]uint64{
|
|
estCounterSuccessSimpleEnroll: c.successSimpleEnroll.Load(),
|
|
estCounterSuccessSimpleReEnroll: c.successSimpleReEnroll.Load(),
|
|
estCounterSuccessServerKeygen: c.successServerKeygen.Load(),
|
|
estCounterAuthFailedBasic: c.authFailedBasic.Load(),
|
|
estCounterAuthFailedMTLS: c.authFailedMTLS.Load(),
|
|
estCounterAuthFailedChannelBind: c.authFailedChannelBind.Load(),
|
|
estCounterCSRInvalid: c.csrInvalid.Load(),
|
|
estCounterCSRPolicyViolation: c.csrPolicyViolation.Load(),
|
|
estCounterCSRSignatureMismatch: c.csrSignatureMismatch.Load(),
|
|
estCounterRateLimited: c.rateLimited.Load(),
|
|
estCounterIssuerError: c.issuerError.Load(),
|
|
estCounterInternalError: c.internalError.Load(),
|
|
}
|
|
}
|
|
|
|
// inc advances the counter matching the given label. Unknown labels
|
|
// fall through to internal_error so an enum drift doesn't silently
|
|
// lose counts.
|
|
func (c *estCounterTab) inc(label string) {
|
|
if c == nil {
|
|
return
|
|
}
|
|
switch label {
|
|
case estCounterSuccessSimpleEnroll:
|
|
c.successSimpleEnroll.Add(1)
|
|
case estCounterSuccessSimpleReEnroll:
|
|
c.successSimpleReEnroll.Add(1)
|
|
case estCounterSuccessServerKeygen:
|
|
c.successServerKeygen.Add(1)
|
|
case estCounterAuthFailedBasic:
|
|
c.authFailedBasic.Add(1)
|
|
case estCounterAuthFailedMTLS:
|
|
c.authFailedMTLS.Add(1)
|
|
case estCounterAuthFailedChannelBind:
|
|
c.authFailedChannelBind.Add(1)
|
|
case estCounterCSRInvalid:
|
|
c.csrInvalid.Add(1)
|
|
case estCounterCSRPolicyViolation:
|
|
c.csrPolicyViolation.Add(1)
|
|
case estCounterCSRSignatureMismatch:
|
|
c.csrSignatureMismatch.Add(1)
|
|
case estCounterRateLimited:
|
|
c.rateLimited.Add(1)
|
|
case estCounterIssuerError:
|
|
c.issuerError.Add(1)
|
|
default:
|
|
c.internalError.Add(1)
|
|
}
|
|
}
|
|
|
|
// ESTStatsSnapshot is the per-profile observability view the admin
|
|
// GET endpoint renders. Mirrors IntuneStatsSnapshot's shape so the GUI
|
|
// can re-use the same counter-grid component.
|
|
//
|
|
// EST RFC 7030 hardening master bundle Phase 7.1.
|
|
type ESTStatsSnapshot struct {
|
|
PathID string `json:"path_id"`
|
|
IssuerID string `json:"issuer_id"`
|
|
ProfileID string `json:"profile_id,omitempty"`
|
|
Counters map[string]uint64 `json:"counters"`
|
|
MTLSEnabled bool `json:"mtls_enabled"`
|
|
BasicConfigured bool `json:"basic_auth_configured"`
|
|
ServerKeygen bool `json:"server_keygen_enabled"`
|
|
TrustAnchors []ESTTrustAnchorInfo `json:"trust_anchors,omitempty"`
|
|
TrustAnchorPath string `json:"trust_anchor_path,omitempty"`
|
|
Now time.Time `json:"now"`
|
|
}
|
|
|
|
// ESTTrustAnchorInfo is the per-cert public summary of one trust anchor
|
|
// in the holder's pool. Same shape as IntuneTrustAnchorInfo.
|
|
type ESTTrustAnchorInfo struct {
|
|
Subject string `json:"subject"`
|
|
NotBefore time.Time `json:"not_before"`
|
|
NotAfter time.Time `json:"not_after"`
|
|
DaysToExpiry int `json:"days_to_expiry"`
|
|
Expired bool `json:"expired"`
|
|
}
|
|
|
|
// Stats returns the per-profile observability snapshot. Safe for
|
|
// concurrent callers — every counter access is atomic + the trust-
|
|
// anchor walk is a per-snapshot copy.
|
|
func (s *ESTService) Stats(now time.Time) ESTStatsSnapshot {
|
|
out := ESTStatsSnapshot{
|
|
PathID: s.estPathIDForLog,
|
|
IssuerID: s.issuerID,
|
|
ProfileID: s.profileID,
|
|
Counters: s.counters.snapshot(),
|
|
MTLSEnabled: s.estMTLSConfigured,
|
|
BasicConfigured: s.estBasicConfigured,
|
|
ServerKeygen: s.estServerKeygenEnabled,
|
|
Now: now,
|
|
}
|
|
if s.estTrustAnchor != nil {
|
|
out.TrustAnchorPath = s.estTrustAnchor.Path()
|
|
for _, c := range s.estTrustAnchor.Get() {
|
|
daysToExpiry := int(c.NotAfter.Sub(now).Hours() / 24)
|
|
out.TrustAnchors = append(out.TrustAnchors, ESTTrustAnchorInfo{
|
|
Subject: c.Subject.CommonName,
|
|
NotBefore: c.NotBefore,
|
|
NotAfter: c.NotAfter,
|
|
DaysToExpiry: daysToExpiry,
|
|
Expired: now.After(c.NotAfter),
|
|
})
|
|
}
|
|
}
|
|
return out
|
|
}
|
|
|
|
// ReloadTrust forces a SIGHUP-equivalent reload of the per-profile
|
|
// EST mTLS trust anchor pool. Returns nil on success; the configured
|
|
// holder error otherwise (typically a parse error from a half-rotated
|
|
// bundle file). Mirror of SCEPService.ReloadIntuneTrust.
|
|
//
|
|
// Returns ErrESTMTLSDisabled when the profile doesn't have an mTLS
|
|
// trust anchor configured (admin handler maps to HTTP 409).
|
|
//
|
|
// Phase 11.3: emits AuditActionESTTrustAnchorReloaded on successful
|
|
// reload so operators have a typed grep target for "who rotated the
|
|
// trust bundle for which profile + when".
|
|
func (s *ESTService) ReloadTrust() error {
|
|
if s.estTrustAnchor == nil {
|
|
return ErrESTMTLSDisabled
|
|
}
|
|
if err := s.estTrustAnchor.Reload(); err != nil {
|
|
return err
|
|
}
|
|
if s.auditService != nil {
|
|
details := map[string]interface{}{
|
|
"path_id": s.estPathIDForLog,
|
|
"trust_anchor_path": s.estTrustAnchor.Path(),
|
|
"protocol": "EST",
|
|
}
|
|
_ = s.auditService.RecordEvent(context.Background(), "est-admin", "system",
|
|
AuditActionESTTrustAnchorReloaded, "trust_anchor", s.estPathIDForLog, details)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// ErrESTMTLSDisabled signals the admin handler that an EST profile
|
|
// doesn't have mTLS configured. Maps to HTTP 409 Conflict.
|
|
var ErrESTMTLSDisabled = newESTAdminError("EST profile mTLS not enabled — no trust anchor to reload")
|
|
|
|
func newESTAdminError(msg string) error { return &estAdminError{msg: msg} }
|
|
|
|
type estAdminError struct{ msg string }
|
|
|
|
func (e *estAdminError) Error() string { return e.msg }
|
|
|
|
// SetESTAdminMetadata records the per-profile observability hints the
|
|
// AdminEST handler needs to render the Profiles tab. cmd/server/main.go
|
|
// invokes this once at startup with the data already in scope from the
|
|
// per-profile loop. Idempotent. Consolidated into one setter so the
|
|
// public surface stays narrow + every metadata field moves together.
|
|
func (s *ESTService) SetESTAdminMetadata(pathID string, mtlsEnabled, basicConfigured, serverKeygenEnabled bool, trustAnchor *trustanchor.Holder) {
|
|
s.estPathIDForLog = pathID
|
|
s.estMTLSConfigured = mtlsEnabled
|
|
s.estBasicConfigured = basicConfigured
|
|
s.estServerKeygenEnabled = serverKeygenEnabled
|
|
s.estTrustAnchor = trustAnchor
|
|
}
|