gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 15:21:35 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
67dbd18fda647a4c3fdac1263a315dddbd23ca3c
certctl/cmd/agent/discovery.go
T
shankar0123 3094010880 refactor(cmd/agent): split main.go into poll + deploy + discovery sibling files (Phase 9, 12 of N — LAST hotspot) 
Phase 9 ARCH-M2 closure Sprint 12 — the LAST of the audit's named
hotspot sub-splits. Splits cmd/agent/main.go (1489 LOC, the
sixth-largest backend hotspot at audit time) via the Option B
sibling-file pattern (mirrors the Sprint 8 cmd/server cut). Package
stays `main`; every method is still defined on *Agent so each call
site continues to resolve through Go's same-package method-set —
no import-path or signature change.

Audit prescription vs reality
=============================
The audit's Tasks-Deferred row prescribed
"main + poll + deploy + register sibling files." The actual
cmd/agent/main.go has no `register` function — agent registration
happens via the control-plane REST API (POST /api/v1/agents)
before the agent process starts. The closest analogue in the agent
binary is the filesystem-discovery scan (runDiscoveryScan + the
parsePEMFile / parseDERFile / certToEntry / sha256Sum / certKeyInfo
helpers), which is the agent's other "outbound report-to-server"
surface alongside the inbound work-poll path.

Sprint 12 substitutes `discovery` for `register` in the prescription
and keeps the other three buckets as named: `main` (lifecycle + HTTP
infrastructure + entrypoint), `poll` (work-poll + CSR-job execution),
`deploy` (deployment-job execution + target connector factory).

What moved
==========

New `cmd/agent/poll.go` (279 LOC) — work-poll + CSR-job execution:
  - pollForWork: GET /api/v1/agents/{id}/work each tick; dispatches
    each returned JobItem to the right executor.
  - executeCSRJob: handles AwaitingCSR jobs by generating an ECDSA
    P-256 key locally, persisting it with 0600 permissions (key
    NEVER leaves the agent — CLAUDE.md "Agent-based key
    management"), creating + submitting the CSR.

New `cmd/agent/deploy.go` (443 LOC) — deployment + target factory:
  - executeDeploymentJob: handles Pending deployment jobs by
    fetching the cert PEM, loading the locally-held private key
    (agent keygen mode), instantiating the appropriate target
    connector, calling DeployCertificate, and reporting status.
  - createTargetConnector: the 170-LOC switch over target_type
    that instantiates 14 different target connectors (apache /
    awsacm / azurekv / caddy / envoy / f5 / haproxy / iis /
    javakeystore / k8ssecret / nginx / postfix / ssh / traefik /
    wincertstore). Context is threaded through to SDK-driven
    connectors (AWSACM, AzureKeyVault) per the contextcheck linter
    fix in CI commit 502823d.
  - splitPEMChain + fetchCertificate (deploy-only helpers).

New `cmd/agent/discovery.go` (275 LOC) — filesystem cert discovery:
  - runDiscoveryScan: walks each configured discovery directory,
    dispatches each candidate file to parsePEMFile / parseDERFile,
    batches the parsed entries, and POSTs them to
    /api/v1/agents/{id}/discoveries (the machine-to-machine surface
    that is intentionally NOT exposed via MCP).
  - parsePEMFile + parseDERFile + certToEntry + sha256Sum +
    certKeyInfo + the discoveredCertEntry struct that ties them
    together.

What stays in main.go (644 LOC, down from 1489)
================================================
  - Types: AgentConfig, Agent struct, ErrAgentRetired var,
    WorkResponse, JobItem.
  - Lifecycle: NewAgent constructor, Run, markRetired,
    sendHeartbeat, getOutboundIP, targetDeployMutex method.
  - Shared HTTP infrastructure: makeRequest (consumed by poll +
    deploy + discovery + lifecycle), reportJobStatus (consumed by
    poll + deploy).
  - Entrypoint: main(), getEnvDefault, getEnvBoolDefault,
    validateHTTPSScheme.

Side-effect import cleanup
==========================
21 imports drop from cmd/agent/main.go as a clean side effect:

Standard library (7):
  - crypto/ecdsa, crypto/elliptic (poll only)
  - crypto/rand (poll only)
  - crypto/rsa (discovery only)
  - crypto/sha256 (discovery only)
  - crypto/x509/pkix (poll only)
  - encoding/pem (poll + deploy + discovery)
  - path/filepath (poll + deploy + discovery)

Target connectors (14):
  - internal/connector/target + apache + awsacm + azurekv + caddy +
    envoy + f5 + haproxy + iis + javakeystore + k8ssecret + nginx +
    postfix + ssh + traefik + wincertstore — all 14 were used ONLY
    by createTargetConnector and moved with the factory to deploy.go.

The surviving main.go now imports 20 stdlib packages + zero
internal packages — the leanest the agent binary's entrypoint has
been since the agent first shipped target-connector orchestration.

Per-import audit on every new sibling file is in the diff:
  - poll.go: context, crypto/ecdsa, crypto/elliptic, crypto/rand,
    crypto/x509, crypto/x509/pkix, encoding/json, encoding/pem,
    fmt, io, net/http, os, path/filepath, strings (no sync — the
    sync.Once / sync.Mutex / sync.Map usages all live in the
    surviving main.go's lifecycle code).
  - deploy.go: context, encoding/json, encoding/pem, fmt, io,
    net/http, os, path/filepath, strings + target + 14 connector
    packages.
  - discovery.go: context, crypto/ecdsa, crypto/rsa, crypto/sha256,
    crypto/x509, encoding/pem, fmt, io, net/http, os,
    path/filepath, strings, time.

Net effect
==========
main.go: 1489 → 644 LOC (-845 = -56.7%). Three new sibling files at
997 LOC total (845 moved + ~152 LOC of header + Phase 9 doc-comment
overhead). Matches the Sprint 8 cmd/server pattern in shape (main +
wire + migrations) and size reduction (-23.8% there vs -56.7% here —
the agent had more concentrated single-purpose functions than the
server's wiring-heavy main).

Cumulative Phase 9 progress (all 6 named hotspots)
==================================================
  config.go          3403 → 1342 (-60.6%, Sprints 1-7)
  cmd/server/main.go 2966 → 2260 (-23.8%, Sprints 8 + 8b)
  service/acme.go    1965 → 1162 (-40.9%, Sprints 9 + 9b)
  mcp/tools.go       1867 →  109 (-94.2%, Sprint 10)
  auth_session_oidc  1577 →  452 (-71.3%, Sprint 11)
  cmd/agent/main.go  1489 →  644 (-56.7%, Sprint 12)
  TOTAL across 6 files: 13,267 → 5,969 LOC = -7,298 (-55.0%)

All 6 named hotspots from the audit's top-6 list are now below
1,500 LOC. The largest remaining hotspot from the top-6 is
cmd/server/main.go at 2,260 LOC (intentional — every backend
service the server wires is one line in main(), so the size is
roughly proportional to surface area, not concern-tangling).

Behavior preservation contract
==============================
1. gofmt -l clean across all 4 affected files.
2. go vet ./cmd/agent/... — no findings.
3. staticcheck ./cmd/agent/... — no findings.
4. go test -short -count=1 ./cmd/agent/... — green (includes
   agent_test.go 1716-LOC suite that pins every moved function:
   pollForWork / executeCSRJob / executeDeploymentJob /
   createTargetConnector / runDiscoveryScan plus dispatch_test.go,
   deploy_mutex_test.go, keymem_test.go).
5. Broader-importer build green: go build ./... .

Same-package resolution means every cross-file call (poll →
makeRequest, deploy → makeRequest + reportJobStatus + verifyAnd-
ReportDeployment in verify.go, discovery → makeRequest) resolves
through Go's package-level method-set with zero compile-time cost
+ zero runtime overhead. The public surface of the cmd/agent
binary is unchanged.

What this commit closes
=======================
Sprint 12 is the LAST of the audit's named top-6 hotspot sub-splits.
The ARCH-M2 finding now reflects:
  - 6 of 6 named backend hotspots below 1,500 LOC.
  - 24 of 24 named sub-splits shipped across Sprints 1-12 (config
    family ×7 + cmd/server ×2 + service/acme ×2 + mcp/tools ×6 +
    auth_session_oidc ×4 + cmd/agent ×3).
  - 7,298 LOC of code-locality concentration removed across the
    top 6 files.

Whether to flip ARCH-M2 from 🛠 Scaffolded to ✓ Shipped is now an
operator-discretion call — every named target landed, but the
finding's spirit ("split god-files by responsibility") is a
continuous discipline rather than a binary done/not-done.

Refs: ARCH-M2 (god-files), Phase 9 audit. Sprint 12 is the named-
hotspot conclusion of Phase 9.
2026-05-14 10:36:08 +00:00

276 lines
8.4 KiB
Go
Raw Blame History

// Copyright 2026 certctl LLC. All rights reserved.
// SPDX-License-Identifier: BUSL-1.1
package main
import (
"context"
"crypto/ecdsa"
"crypto/rsa"
"crypto/sha256"
"crypto/x509"
"encoding/pem"
"fmt"
"io"
"net/http"
"os"
"path/filepath"
"strings"
"time"
)
// Phase 9 ARCH-M2 closure Sprint 12 (2026-05-14): extracted from
// cmd/agent/main.go via the Option B sibling-file pattern.
//
// This file holds the filesystem DISCOVERY scan — the agent's
// outbound surface for reporting pre-existing certificates it
// finds on disk back to the control plane (POST /api/v1/agents/
// {id}/discoveries, a machine-to-machine flow NOT exposed via the
// MCP surface per the comment in
// internal/mcp/tools.go::RegisterTools):
//
// - runDiscoveryScan: walks each configured discovery directory,
// dispatches each candidate file to parsePEMFile or parseDERFile
// depending on extension, batches the parsed entries, and POSTs
// them in one report.
// - parsePEMFile / parseDERFile: extract every X.509 certificate
// from a candidate file in either encoding.
// - certToEntry: project a parsed *x509.Certificate into the
// discoveredCertEntry shape the control plane expects.
// - discoveredCertEntry struct + sha256Sum + certKeyInfo helpers
// consumed only by the discovery path; co-locating them keeps
// this file self-contained.
// runDiscoveryScan walks configured directories, parses certificate files, and reports
// discovered certificates to the control plane.
// Supports PEM and DER encoded X.509 certificates.
func (a *Agent) runDiscoveryScan(ctx context.Context) {
a.logger.Info("starting filesystem certificate discovery scan",
"directories", a.config.DiscoveryDirs)
startTime := time.Now()
var certs []discoveredCertEntry
var scanErrors []string
for _, dir := range a.config.DiscoveryDirs {
a.logger.Debug("scanning directory", "path", dir)
err := filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
if err != nil {
scanErrors = append(scanErrors, fmt.Sprintf("walk error at %s: %v", path, err))
return nil // continue walking
}
if info.IsDir() {
return nil
}
// Skip files larger than 1MB (unlikely to be a certificate)
if info.Size() > 1*1024*1024 {
return nil
}
// Check file extension
ext := strings.ToLower(filepath.Ext(path))
switch ext {
case ".pem", ".crt", ".cer", ".cert":
found := a.parsePEMFile(path)
certs = append(certs, found...)
case ".der":
if entry, err := a.parseDERFile(path); err == nil {
certs = append(certs, entry)
} else {
a.logger.Debug("skipping non-cert DER file", "path", path, "error", err)
}
default:
// Try PEM parsing for extensionless files or unknown extensions
if ext == "" || ext == ".key" {
return nil // skip key files and extensionless
}
found := a.parsePEMFile(path)
if len(found) > 0 {
certs = append(certs, found...)
}
}
return nil
})
if err != nil {
scanErrors = append(scanErrors, fmt.Sprintf("failed to walk %s: %v", dir, err))
}
}
scanDuration := time.Since(startTime)
a.logger.Info("discovery scan completed",
"certificates_found", len(certs),
"errors", len(scanErrors),
"duration_ms", scanDuration.Milliseconds())
if len(certs) == 0 && len(scanErrors) == 0 {
a.logger.Debug("no certificates found and no errors, skipping report")
return
}
// Build report payload
entries := make([]map[string]interface{}, len(certs))
for i, c := range certs {
entries[i] = map[string]interface{}{
"fingerprint_sha256": c.FingerprintSHA256,
"common_name": c.CommonName,
"sans": c.SANs,
"serial_number": c.SerialNumber,
"issuer_dn": c.IssuerDN,
"subject_dn": c.SubjectDN,
"not_before": c.NotBefore,
"not_after": c.NotAfter,
"key_algorithm": c.KeyAlgorithm,
"key_size": c.KeySize,
"is_ca": c.IsCA,
"pem_data": c.PEMData,
"source_path": c.SourcePath,
"source_format": c.SourceFormat,
}
}
report := map[string]interface{}{
"agent_id": a.config.AgentID,
"directories": a.config.DiscoveryDirs,
"certificates": entries,
"errors": scanErrors,
"scan_duration_ms": int(scanDuration.Milliseconds()),
}
// Submit to control plane
path := fmt.Sprintf("/api/v1/agents/%s/discoveries", a.config.AgentID)
resp, err := a.makeRequest(ctx, http.MethodPost, path, report)
if err != nil {
a.logger.Error("failed to submit discovery report", "error", err)
return
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusAccepted {
body, _ := io.ReadAll(resp.Body)
a.logger.Error("discovery report rejected",
"status", resp.StatusCode,
"body", string(body))
return
}
a.logger.Info("discovery report submitted successfully",
"certificates", len(certs),
"errors", len(scanErrors))
}
// discoveredCertEntry holds parsed certificate metadata for reporting.
type discoveredCertEntry struct {
FingerprintSHA256 string `json:"fingerprint_sha256"`
CommonName string `json:"common_name"`
SANs []string `json:"sans"`
SerialNumber string `json:"serial_number"`
IssuerDN string `json:"issuer_dn"`
SubjectDN string `json:"subject_dn"`
NotBefore string `json:"not_before"`
NotAfter string `json:"not_after"`
KeyAlgorithm string `json:"key_algorithm"`
KeySize int `json:"key_size"`
IsCA bool `json:"is_ca"`
PEMData string `json:"pem_data"`
SourcePath string `json:"source_path"`
SourceFormat string `json:"source_format"`
}
// parsePEMFile reads a file and extracts all X.509 certificates from PEM blocks.
func (a *Agent) parsePEMFile(path string) []discoveredCertEntry {
data, err := os.ReadFile(path)
if err != nil {
a.logger.Debug("failed to read file", "path", path, "error", err)
return nil
}
var entries []discoveredCertEntry
rest := data
for {
var block *pem.Block
block, rest = pem.Decode(rest)
if block == nil {
break
}
if block.Type != "CERTIFICATE" {
continue
}
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
a.logger.Debug("failed to parse certificate in PEM", "path", path, "error", err)
continue
}
pemStr := string(pem.EncodeToMemory(block))
entries = append(entries, certToEntry(cert, path, "PEM", pemStr))
}
return entries
}
// parseDERFile reads a DER-encoded certificate file.
func (a *Agent) parseDERFile(path string) (discoveredCertEntry, error) {
data, err := os.ReadFile(path)
if err != nil {
return discoveredCertEntry{}, fmt.Errorf("read failed: %w", err)
}
cert, err := x509.ParseCertificate(data)
if err != nil {
return discoveredCertEntry{}, fmt.Errorf("parse failed: %w", err)
}
// Convert to PEM for storage
pemStr := string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: data}))
return certToEntry(cert, path, "DER", pemStr), nil
}
// certToEntry converts a parsed x509.Certificate into a discoveredCertEntry.
func certToEntry(cert *x509.Certificate, path, format, pemData string) discoveredCertEntry {
// Compute SHA-256 fingerprint
fingerprint := fmt.Sprintf("%x", sha256Sum(cert.Raw))
// Determine key algorithm and size
keyAlg, keySize := certKeyInfo(cert)
return discoveredCertEntry{
FingerprintSHA256: fingerprint,
CommonName: cert.Subject.CommonName,
SANs: cert.DNSNames,
SerialNumber: cert.SerialNumber.Text(16),
IssuerDN: cert.Issuer.String(),
SubjectDN: cert.Subject.String(),
NotBefore: cert.NotBefore.UTC().Format(time.RFC3339),
NotAfter: cert.NotAfter.UTC().Format(time.RFC3339),
KeyAlgorithm: keyAlg,
KeySize: keySize,
IsCA: cert.IsCA,
PEMData: pemData,
SourcePath: path,
SourceFormat: format,
}
}
// sha256Sum returns the SHA-256 hash of data.
func sha256Sum(data []byte) [32]byte {
return sha256.Sum256(data)
}
// certKeyInfo extracts key algorithm name and size from a certificate.
func certKeyInfo(cert *x509.Certificate) (string, int) {
switch pub := cert.PublicKey.(type) {
case *ecdsa.PublicKey:
return "ECDSA", pub.Curve.Params().BitSize
case *rsa.PublicKey:
return "RSA", pub.N.BitLen()
default:
switch cert.PublicKeyAlgorithm {
case x509.Ed25519:
return "Ed25519", 256
default:
return cert.PublicKeyAlgorithm.String(), 0
}
}
}
Reference in New Issue View Git Blame Copy Permalink