mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 15:21:35 +00:00
shankar0123
8b75e0311b
Mechanical sed across the main go.mod's module declaration, the f5-mock-icontrol
sub-module's go.mod, every Go file's import path (361 files), and a rebuild of
the checked-in f5-mock-icontrol binary so its embedded build-info reflects the
new module path. No behavior change.
Choice B from cowork/transfer-certctl-to-org.md, executed 2026-05-04. Choice A
(keep module path declared as github.com/shankar0123/certctl regardless of
repo URL) shipped on the day of the org transfer (2026-05-03) since we had no
external Go consumers; this commit closes that deferral.
Backward-compat: GitHub HTTP redirects continue to forward
github.com/shankar0123/certctl → github.com/certctl-io/certctl at the URL
level, but Go's module proxy uses the path declared in go.mod as the
canonical name. Pre-fix, anyone trying `go get github.com/certctl-io/certctl/...`
hit a "module path mismatch" error because go.mod said
github.com/shankar0123/certctl and the URL they fetched it from said
certctl-io/certctl. Post-fix, the canonical name and the URL agree, so
go get / go install / external Go consumers / Go-tooling integrations
work cleanly via either the new path (preferred) or the old path (which
redirects and Go follows the redirect for source fetch).
Anyone still importing the old path inside their own code keeps working
provided they update their go.mod's `require` line to match — the module
path declared in their consumer's go.sum / go.mod is the authoritative
import name, so a mass sed across their import statements is the migration
on the consumer side. No external consumers exist today.
Diff shape:
361 *.go files — import path replacement only
2 go.mod — module declaration replacement only
1 binary — deploy/test/f5-mock-icontrol/f5-mock-icontrol rebuilt
so embedded build-info reflects the new path (8618965 vs
8618933 bytes; 32-byte diff is the build-info change)
Total: 364 files, 730 insertions / 730 deletions, net-zero size, pure
mechanical substitution.
Verification:
gofmt: 17 files needed re-alignment after sed (the new path is one char
shorter than the old, so column-aligned import groups drifted). Applied
`gofmt -w` to fix.
go mod tidy: clean exit on both modules.
go vet ./...: clean exit.
go build ./...: clean exit.
go test -short -count=1 on representative packages: all green
(internal/domain, internal/validation, internal/crypto, internal/crypto/signer,
cmd/agent). Test output now reads `ok github.com/certctl-io/certctl/...`
confirming the module path resolves correctly.
binary: f5-mock-icontrol rebuilt; `strings | grep shankar0123` returns
nothing; `strings | grep certctl-io/certctl` shows the new module path
embedded in build-info.
Files intentionally NOT touched in this commit:
README.md / CHANGELOG.md / docs/ / etc. — already swept to certctl-io
URLs in commit 0729ee4 (the post-transfer URL refresh). This commit is
purely the Go-tooling layer.
Scarf pixels (`shankar0123.docker.scarf.sh/...`) — Scarf-account
namespace, not a Go import or GitHub repo URL. Stays.
This is a non-blocking, non-customer-impacting change. Operators pulling
container images, running `make verify`, hitting the API, or installing the
agent see no functional difference. Only Go-tooling consumers (none today)
are affected, and they're enabled — not broken — by this commit.
366 lines
11 KiB
Go
366 lines
11 KiB
Go
package service
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/certctl-io/certctl/internal/domain"
|
|
"github.com/certctl-io/certctl/internal/repository"
|
|
)
|
|
|
|
// StatsService provides statistics and observability data for dashboards and monitoring.
|
|
type StatsService struct {
|
|
certRepo repository.CertificateRepository
|
|
jobRepo repository.JobRepository
|
|
agentRepo repository.AgentRepository
|
|
// notifRepo is injected post-construction via SetNotifRepo so that
|
|
// NewStatsService's nine call sites (main.go + stats_test.go + 8 digest
|
|
// tests) keep their existing signatures. When nil, the dead-letter count
|
|
// falls through to zero — see GetDashboardSummary. I-005 coverage-gap
|
|
// closure.
|
|
notifRepo repository.NotificationRepository
|
|
}
|
|
|
|
// NewStatsService creates a new stats service.
|
|
func NewStatsService(
|
|
certRepo repository.CertificateRepository,
|
|
jobRepo repository.JobRepository,
|
|
agentRepo repository.AgentRepository,
|
|
) *StatsService {
|
|
return &StatsService{
|
|
certRepo: certRepo,
|
|
jobRepo: jobRepo,
|
|
agentRepo: agentRepo,
|
|
}
|
|
}
|
|
|
|
// SetNotifRepo injects the notification repository used to populate
|
|
// DashboardSummary.NotificationsDead. Setter pattern (matching the
|
|
// certificateService.SetTargetRepo / SetProfileRepo / SetDigestService
|
|
// precedent) keeps the NewStatsService signature stable across its
|
|
// pre-existing call sites. I-005 coverage-gap closure.
|
|
func (s *StatsService) SetNotifRepo(notifRepo repository.NotificationRepository) {
|
|
s.notifRepo = notifRepo
|
|
}
|
|
|
|
// DashboardSummary represents a high-level summary of system state.
|
|
type DashboardSummary struct {
|
|
TotalCertificates int64 `json:"total_certificates"`
|
|
ExpiringCertificates int64 `json:"expiring_certificates"`
|
|
ExpiredCertificates int64 `json:"expired_certificates"`
|
|
RevokedCertificates int64 `json:"revoked_certificates"`
|
|
ActiveAgents int64 `json:"active_agents"`
|
|
OfflineAgents int64 `json:"offline_agents"`
|
|
TotalAgents int64 `json:"total_agents"`
|
|
PendingJobs int64 `json:"pending_jobs"`
|
|
FailedJobs int64 `json:"failed_jobs"`
|
|
CompleteJobs int64 `json:"complete_jobs"`
|
|
// NotificationsDead is the number of notification_events rows currently
|
|
// in the terminal "dead" status (I-005 dead-letter queue). Exposed here
|
|
// so the metrics handler can derive the Prometheus counter
|
|
// certctl_notification_dead_total from the same snapshot used by the
|
|
// dashboard. DB-COUNT rather than in-memory — notifications can grow
|
|
// without bound, and filter-based List() is PerPage-capped to 50.
|
|
NotificationsDead int64 `json:"notifications_dead"`
|
|
CompletedAt time.Time `json:"completed_at"`
|
|
}
|
|
|
|
// GetDashboardSummary returns a summary of key metrics.
|
|
func (s *StatsService) GetDashboardSummary(ctx context.Context) (interface{}, error) {
|
|
summary := &DashboardSummary{
|
|
CompletedAt: time.Now(),
|
|
}
|
|
|
|
// Get all certificates
|
|
allCerts, total, err := s.certRepo.List(ctx, &repository.CertificateFilter{Page: 1, PerPage: 10000})
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to list certificates: %w", err)
|
|
}
|
|
summary.TotalCertificates = int64(total)
|
|
|
|
now := time.Now()
|
|
thirtyDaysFromNow := now.AddDate(0, 0, 30)
|
|
|
|
for _, cert := range allCerts {
|
|
normalizedStatus := strings.ToLower(string(cert.Status))
|
|
if normalizedStatus == "revoked" {
|
|
summary.RevokedCertificates++
|
|
} else if normalizedStatus == "expired" || (!cert.ExpiresAt.IsZero() && cert.ExpiresAt.Before(now)) {
|
|
summary.ExpiredCertificates++
|
|
} else if !cert.ExpiresAt.IsZero() && cert.ExpiresAt.Before(thirtyDaysFromNow) && cert.ExpiresAt.After(now) {
|
|
summary.ExpiringCertificates++
|
|
}
|
|
}
|
|
|
|
// Get all agents
|
|
allAgents, err := s.agentRepo.List(ctx)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to list agents: %w", err)
|
|
}
|
|
summary.TotalAgents = int64(len(allAgents))
|
|
|
|
// Count active agents (heartbeat within last 5 minutes)
|
|
fiveMinutesAgo := now.Add(-5 * time.Minute)
|
|
for _, agent := range allAgents {
|
|
if agent.LastHeartbeatAt != nil && agent.LastHeartbeatAt.After(fiveMinutesAgo) {
|
|
summary.ActiveAgents++
|
|
} else {
|
|
summary.OfflineAgents++
|
|
}
|
|
}
|
|
|
|
// Get all jobs
|
|
allJobs, err := s.jobRepo.List(ctx)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to list jobs: %w", err)
|
|
}
|
|
|
|
for _, job := range allJobs {
|
|
switch job.Status {
|
|
case domain.JobStatusPending, domain.JobStatusAwaitingCSR, domain.JobStatusAwaitingApproval, domain.JobStatusRunning:
|
|
summary.PendingJobs++
|
|
case domain.JobStatusFailed:
|
|
summary.FailedJobs++
|
|
case domain.JobStatusCompleted:
|
|
summary.CompleteJobs++
|
|
}
|
|
}
|
|
|
|
// I-005: dead-letter count for certctl_notification_dead_total. nil-safe
|
|
// so the nine existing NewStatsService call sites that haven't yet been
|
|
// updated to call SetNotifRepo keep working — they'll simply report
|
|
// NotificationsDead=0, which is the correct value on a system without a
|
|
// notification repository wired in. A CountByStatus error is non-fatal:
|
|
// the dashboard summary is best-effort for this field.
|
|
if s.notifRepo != nil {
|
|
deadCount, err := s.notifRepo.CountByStatus(ctx, string(domain.NotificationStatusDead))
|
|
if err == nil {
|
|
summary.NotificationsDead = deadCount
|
|
}
|
|
}
|
|
|
|
return summary, nil
|
|
}
|
|
|
|
// CertificateStatusCount represents count of certificates by status.
|
|
type CertificateStatusCount struct {
|
|
Status string `json:"status"`
|
|
Count int64 `json:"count"`
|
|
}
|
|
|
|
// GetCertificatesByStatus returns certificate counts grouped by status.
|
|
func (s *StatsService) GetCertificatesByStatus(ctx context.Context) (interface{}, error) {
|
|
allCerts, _, err := s.certRepo.List(ctx, &repository.CertificateFilter{Page: 1, PerPage: 10000})
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to list certificates: %w", err)
|
|
}
|
|
|
|
counts := make(map[string]int64)
|
|
now := time.Now()
|
|
thirtyDaysFromNow := now.AddDate(0, 0, 30)
|
|
|
|
for _, cert := range allCerts {
|
|
status := string(cert.Status)
|
|
// Normalize status to PascalCase to handle legacy lowercase values in the database
|
|
switch strings.ToLower(status) {
|
|
case "", "active":
|
|
if !cert.ExpiresAt.IsZero() {
|
|
if cert.ExpiresAt.Before(now) {
|
|
status = "Expired"
|
|
} else if cert.ExpiresAt.Before(thirtyDaysFromNow) {
|
|
status = "Expiring"
|
|
} else {
|
|
status = "Active"
|
|
}
|
|
} else {
|
|
status = "Active"
|
|
}
|
|
case "expiring":
|
|
status = "Expiring"
|
|
case "expired":
|
|
status = "Expired"
|
|
case "renewalinprogress", "renewal_in_progress":
|
|
status = "RenewalInProgress"
|
|
case "failed":
|
|
status = "Failed"
|
|
case "revoked":
|
|
status = "Revoked"
|
|
case "archived":
|
|
status = "Archived"
|
|
case "pending":
|
|
status = "Pending"
|
|
}
|
|
counts[status]++
|
|
}
|
|
|
|
result := make([]CertificateStatusCount, 0, len(counts))
|
|
for status, count := range counts {
|
|
result = append(result, CertificateStatusCount{Status: status, Count: count})
|
|
}
|
|
|
|
return result, nil
|
|
}
|
|
|
|
// ExpirationBucket represents certificates expiring on a specific date.
|
|
type ExpirationBucket struct {
|
|
Date string `json:"date"`
|
|
Count int64 `json:"count"`
|
|
}
|
|
|
|
// GetExpirationTimeline returns certificates expiring over the next N days, bucketed by day.
|
|
func (s *StatsService) GetExpirationTimeline(ctx context.Context, days int) (interface{}, error) {
|
|
if days <= 0 {
|
|
days = 30
|
|
}
|
|
|
|
allCerts, _, err := s.certRepo.List(ctx, &repository.CertificateFilter{Page: 1, PerPage: 10000})
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to list certificates: %w", err)
|
|
}
|
|
|
|
buckets := make(map[string]int64)
|
|
now := time.Now()
|
|
endDate := now.AddDate(0, 0, days)
|
|
|
|
for _, cert := range allCerts {
|
|
if cert.ExpiresAt.IsZero() {
|
|
continue
|
|
}
|
|
if cert.ExpiresAt.After(now) && cert.ExpiresAt.Before(endDate) {
|
|
dateStr := cert.ExpiresAt.Format("2006-01-02")
|
|
buckets[dateStr]++
|
|
}
|
|
}
|
|
|
|
result := make([]ExpirationBucket, 0, days)
|
|
for i := 0; i < days; i++ {
|
|
date := now.AddDate(0, 0, i)
|
|
dateStr := date.Format("2006-01-02")
|
|
if count, exists := buckets[dateStr]; exists {
|
|
result = append(result, ExpirationBucket{Date: dateStr, Count: count})
|
|
} else {
|
|
result = append(result, ExpirationBucket{Date: dateStr, Count: 0})
|
|
}
|
|
}
|
|
|
|
return result, nil
|
|
}
|
|
|
|
// JobTrendDataPoint represents success/failure counts for a specific day.
|
|
type JobTrendDataPoint struct {
|
|
Date string `json:"date"`
|
|
CompletedCount int64 `json:"completed_count"`
|
|
FailedCount int64 `json:"failed_count"`
|
|
SuccessRate float64 `json:"success_rate"`
|
|
}
|
|
|
|
// GetJobStats returns job success/failure trends over the past N days.
|
|
func (s *StatsService) GetJobStats(ctx context.Context, days int) (interface{}, error) {
|
|
if days <= 0 {
|
|
days = 30
|
|
}
|
|
|
|
allJobs, err := s.jobRepo.List(ctx)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to list jobs: %w", err)
|
|
}
|
|
|
|
type dayData struct {
|
|
completed int64
|
|
failed int64
|
|
}
|
|
buckets := make(map[string]*dayData)
|
|
now := time.Now()
|
|
|
|
for _, job := range allJobs {
|
|
if job.Status != domain.JobStatusCompleted && job.Status != domain.JobStatusFailed {
|
|
continue
|
|
}
|
|
if job.CompletedAt == nil {
|
|
continue
|
|
}
|
|
if job.CompletedAt.Before(now.AddDate(0, 0, -days)) {
|
|
continue
|
|
}
|
|
|
|
dateStr := job.CompletedAt.Format("2006-01-02")
|
|
if _, exists := buckets[dateStr]; !exists {
|
|
buckets[dateStr] = &dayData{}
|
|
}
|
|
|
|
if job.Status == domain.JobStatusCompleted {
|
|
buckets[dateStr].completed++
|
|
} else {
|
|
buckets[dateStr].failed++
|
|
}
|
|
}
|
|
|
|
result := make([]JobTrendDataPoint, 0, days)
|
|
for i := 0; i < days; i++ {
|
|
date := now.AddDate(0, 0, -days+i+1)
|
|
dateStr := date.Format("2006-01-02")
|
|
point := JobTrendDataPoint{Date: dateStr}
|
|
|
|
if data, exists := buckets[dateStr]; exists {
|
|
point.CompletedCount = data.completed
|
|
point.FailedCount = data.failed
|
|
total := data.completed + data.failed
|
|
if total > 0 {
|
|
point.SuccessRate = (float64(data.completed) / float64(total)) * 100
|
|
}
|
|
}
|
|
result = append(result, point)
|
|
}
|
|
|
|
return result, nil
|
|
}
|
|
|
|
// IssuanceRateDataPoint represents new certificates issued on a specific day.
|
|
type IssuanceRateDataPoint struct {
|
|
Date string `json:"date"`
|
|
IssuedCount int64 `json:"issued_count"`
|
|
}
|
|
|
|
// GetIssuanceRate returns the rate of new certificate issuance over the past N days.
|
|
func (s *StatsService) GetIssuanceRate(ctx context.Context, days int) (interface{}, error) {
|
|
if days <= 0 {
|
|
days = 30
|
|
}
|
|
|
|
allCerts, _, err := s.certRepo.List(ctx, &repository.CertificateFilter{Page: 1, PerPage: 10000})
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to list certificates: %w", err)
|
|
}
|
|
|
|
buckets := make(map[string]int64)
|
|
now := time.Now()
|
|
|
|
for _, cert := range allCerts {
|
|
if cert.CreatedAt.IsZero() {
|
|
continue
|
|
}
|
|
if cert.CreatedAt.Before(now.AddDate(0, 0, -days)) {
|
|
continue
|
|
}
|
|
|
|
dateStr := cert.CreatedAt.Format("2006-01-02")
|
|
buckets[dateStr]++
|
|
}
|
|
|
|
result := make([]IssuanceRateDataPoint, 0, days)
|
|
for i := 0; i < days; i++ {
|
|
date := now.AddDate(0, 0, -days+i+1)
|
|
dateStr := date.Format("2006-01-02")
|
|
point := IssuanceRateDataPoint{Date: dateStr}
|
|
|
|
if count, exists := buckets[dateStr]; exists {
|
|
point.IssuedCount = count
|
|
}
|
|
result = append(result, point)
|
|
}
|
|
|
|
return result, nil
|
|
}
|