mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-09 13:48:52 +00:00
shankar0123
8b75e0311b
Mechanical sed across the main go.mod's module declaration, the f5-mock-icontrol
sub-module's go.mod, every Go file's import path (361 files), and a rebuild of
the checked-in f5-mock-icontrol binary so its embedded build-info reflects the
new module path. No behavior change.
Choice B from cowork/transfer-certctl-to-org.md, executed 2026-05-04. Choice A
(keep module path declared as github.com/shankar0123/certctl regardless of
repo URL) shipped on the day of the org transfer (2026-05-03) since we had no
external Go consumers; this commit closes that deferral.
Backward-compat: GitHub HTTP redirects continue to forward
github.com/shankar0123/certctl → github.com/certctl-io/certctl at the URL
level, but Go's module proxy uses the path declared in go.mod as the
canonical name. Pre-fix, anyone trying `go get github.com/certctl-io/certctl/...`
hit a "module path mismatch" error because go.mod said
github.com/shankar0123/certctl and the URL they fetched it from said
certctl-io/certctl. Post-fix, the canonical name and the URL agree, so
go get / go install / external Go consumers / Go-tooling integrations
work cleanly via either the new path (preferred) or the old path (which
redirects and Go follows the redirect for source fetch).
Anyone still importing the old path inside their own code keeps working
provided they update their go.mod's `require` line to match — the module
path declared in their consumer's go.sum / go.mod is the authoritative
import name, so a mass sed across their import statements is the migration
on the consumer side. No external consumers exist today.
Diff shape:
361 *.go files — import path replacement only
2 go.mod — module declaration replacement only
1 binary — deploy/test/f5-mock-icontrol/f5-mock-icontrol rebuilt
so embedded build-info reflects the new path (8618965 vs
8618933 bytes; 32-byte diff is the build-info change)
Total: 364 files, 730 insertions / 730 deletions, net-zero size, pure
mechanical substitution.
Verification:
gofmt: 17 files needed re-alignment after sed (the new path is one char
shorter than the old, so column-aligned import groups drifted). Applied
`gofmt -w` to fix.
go mod tidy: clean exit on both modules.
go vet ./...: clean exit.
go build ./...: clean exit.
go test -short -count=1 on representative packages: all green
(internal/domain, internal/validation, internal/crypto, internal/crypto/signer,
cmd/agent). Test output now reads `ok github.com/certctl-io/certctl/...`
confirming the module path resolves correctly.
binary: f5-mock-icontrol rebuilt; `strings | grep shankar0123` returns
nothing; `strings | grep certctl-io/certctl` shows the new module path
embedded in build-info.
Files intentionally NOT touched in this commit:
README.md / CHANGELOG.md / docs/ / etc. — already swept to certctl-io
URLs in commit 0729ee4 (the post-transfer URL refresh). This commit is
purely the Go-tooling layer.
Scarf pixels (`shankar0123.docker.scarf.sh/...`) — Scarf-account
namespace, not a Go import or GitHub repo URL. Stays.
This is a non-blocking, non-customer-impacting change. Operators pulling
container images, running `make verify`, hitting the API, or installing the
agent see no functional difference. Only Go-tooling consumers (none today)
are affected, and they're enabled — not broken — by this commit.
382 lines
13 KiB
Go
382 lines
13 KiB
Go
package postgres
|
|
|
|
import (
|
|
"context"
|
|
"database/sql"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"regexp"
|
|
"strings"
|
|
|
|
"github.com/lib/pq"
|
|
|
|
"github.com/certctl-io/certctl/internal/domain"
|
|
"github.com/certctl-io/certctl/internal/repository"
|
|
)
|
|
|
|
// RenewalPolicyRepository implements repository.RenewalPolicyRepository.
|
|
type RenewalPolicyRepository struct {
|
|
db *sql.DB
|
|
}
|
|
|
|
// NewRenewalPolicyRepository creates a new RenewalPolicyRepository.
|
|
func NewRenewalPolicyRepository(db *sql.DB) *RenewalPolicyRepository {
|
|
return &RenewalPolicyRepository{db: db}
|
|
}
|
|
|
|
// SELECT column order is the shared contract between scanRenewalPolicy and
|
|
// every SELECT/RETURNING in this file. Keep them in lockstep; if you add a
|
|
// new column, add it to all SELECTs, all scan calls, and scanRenewalPolicy.
|
|
//
|
|
// Note: certificate_profile_id and agent_group_id live on renewal_policies
|
|
// (migrations 000003 and 000004) but are deliberately NOT read here — that
|
|
// pre-existing drift is out of G-1's minimum-viable-delta and is tracked in
|
|
// the design doc §8. Introducing them would change struct shapes / JSON tags
|
|
// and require domain-layer churn we're not taking on in this change.
|
|
//
|
|
// alert_channels / alert_severity_map (migration 000026) ARE read here —
|
|
// they're the per-policy channel matrix that drives multi-channel expiry
|
|
// alert routing (Rank 4 of the 2026-05-03 Infisical deep-research
|
|
// deliverable). Both default to '{}' at the DB level; scanRenewalPolicy
|
|
// unmarshals an empty map into nil so domain.EffectiveAlertChannels /
|
|
// EffectiveAlertSeverityMap fall through to the back-compat defaults.
|
|
const renewalPolicyColumns = `
|
|
id, name, renewal_window_days, auto_renew, max_retries,
|
|
retry_interval_seconds, alert_thresholds_days,
|
|
alert_channels, alert_severity_map,
|
|
created_at, updated_at
|
|
`
|
|
|
|
// scanRenewalPolicy decodes one renewal_policies row from a Row or Rows
|
|
// scanner, unmarshaling alert_thresholds_days JSONB into the domain slice.
|
|
// Malformed JSONB silently falls back to DefaultAlertThresholds() — same
|
|
// behavior as the pre-G-1 code so we don't change observable semantics.
|
|
//
|
|
// alert_channels + alert_severity_map (migration 000026) follow the same
|
|
// "malformed → fall through to default" rule. The default-fallthrough
|
|
// happens at read time in domain.EffectiveAlertChannels /
|
|
// EffectiveAlertSeverity, so populating these fields with nil on parse
|
|
// failure is the correct shape — the runtime still gets the back-compat
|
|
// Email-only matrix.
|
|
func scanRenewalPolicy(scanner interface {
|
|
Scan(dest ...any) error
|
|
}) (*domain.RenewalPolicy, error) {
|
|
var policy domain.RenewalPolicy
|
|
var thresholdsJSON []byte
|
|
var channelsJSON []byte
|
|
var severityJSON []byte
|
|
|
|
if err := scanner.Scan(
|
|
&policy.ID, &policy.Name, &policy.RenewalWindowDays, &policy.AutoRenew,
|
|
&policy.MaxRetries, &policy.RetryInterval, &thresholdsJSON,
|
|
&channelsJSON, &severityJSON,
|
|
&policy.CreatedAt, &policy.UpdatedAt,
|
|
); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if len(thresholdsJSON) > 0 {
|
|
if err := json.Unmarshal(thresholdsJSON, &policy.AlertThresholdsDays); err != nil {
|
|
policy.AlertThresholdsDays = domain.DefaultAlertThresholds()
|
|
}
|
|
}
|
|
|
|
if len(channelsJSON) > 0 && string(channelsJSON) != "{}" {
|
|
if err := json.Unmarshal(channelsJSON, &policy.AlertChannels); err != nil {
|
|
policy.AlertChannels = nil // EffectiveAlertChannels falls through to default
|
|
}
|
|
}
|
|
|
|
if len(severityJSON) > 0 && string(severityJSON) != "{}" {
|
|
// JSONB stores int keys as string; unmarshal via a string-keyed map
|
|
// then convert. JSON does not support non-string object keys, so
|
|
// the wire representation is e.g. {"30":"informational"}.
|
|
stringKeyed := map[string]string{}
|
|
if err := json.Unmarshal(severityJSON, &stringKeyed); err == nil {
|
|
converted := make(map[int]string, len(stringKeyed))
|
|
for k, v := range stringKeyed {
|
|
var threshold int
|
|
if _, scanErr := fmt.Sscanf(k, "%d", &threshold); scanErr == nil {
|
|
converted[threshold] = v
|
|
}
|
|
}
|
|
policy.AlertSeverityMap = converted
|
|
}
|
|
}
|
|
|
|
return &policy, nil
|
|
}
|
|
|
|
// marshalSeverityMap converts the domain's int-keyed map into the
|
|
// string-keyed form Postgres JSONB stores. Mirror of the inverse
|
|
// conversion in scanRenewalPolicy. Returns "{}" for nil/empty maps so
|
|
// the DB never sees null where NOT NULL is required.
|
|
func marshalSeverityMap(m map[int]string) ([]byte, error) {
|
|
if len(m) == 0 {
|
|
return []byte("{}"), nil
|
|
}
|
|
stringKeyed := make(map[string]string, len(m))
|
|
for k, v := range m {
|
|
stringKeyed[fmt.Sprintf("%d", k)] = v
|
|
}
|
|
return json.Marshal(stringKeyed)
|
|
}
|
|
|
|
// marshalAlertChannels marshals the channel matrix as JSONB. nil/empty
|
|
// returns "{}" so the DB NOT NULL constraint is satisfied.
|
|
func marshalAlertChannels(m map[string][]string) ([]byte, error) {
|
|
if len(m) == 0 {
|
|
return []byte("{}"), nil
|
|
}
|
|
return json.Marshal(m)
|
|
}
|
|
|
|
// Get retrieves a renewal policy by ID.
|
|
func (r *RenewalPolicyRepository) Get(ctx context.Context, id string) (*domain.RenewalPolicy, error) {
|
|
row := r.db.QueryRowContext(ctx, `SELECT `+renewalPolicyColumns+` FROM renewal_policies WHERE id = $1`, id)
|
|
policy, err := scanRenewalPolicy(row)
|
|
if err != nil {
|
|
if errors.Is(err, sql.ErrNoRows) {
|
|
return nil, fmt.Errorf("renewal policy not found: %w", repository.ErrNotFound)
|
|
}
|
|
return nil, fmt.Errorf("failed to query renewal policy: %w", err)
|
|
}
|
|
return policy, nil
|
|
}
|
|
|
|
// List returns all renewal policies, ordered by name (matches the index on
|
|
// renewal_policies.name from migration 000001 so ORDER BY is index-served).
|
|
func (r *RenewalPolicyRepository) List(ctx context.Context) ([]*domain.RenewalPolicy, error) {
|
|
rows, err := r.db.QueryContext(ctx, `SELECT `+renewalPolicyColumns+` FROM renewal_policies ORDER BY name`)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to query renewal policies: %w", err)
|
|
}
|
|
defer rows.Close()
|
|
|
|
var policies []*domain.RenewalPolicy
|
|
for rows.Next() {
|
|
policy, err := scanRenewalPolicy(rows)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to scan renewal policy: %w", err)
|
|
}
|
|
policies = append(policies, policy)
|
|
}
|
|
|
|
if err := rows.Err(); err != nil {
|
|
return nil, fmt.Errorf("error iterating renewal policy rows: %w", err)
|
|
}
|
|
|
|
return policies, nil
|
|
}
|
|
|
|
// slugRegex matches non-alphanumeric characters that slugifyPolicyName strips.
|
|
var slugRegex = regexp.MustCompile(`[^a-z0-9-]+`)
|
|
|
|
// slugifyPolicyName produces `rp-<slug>` for an auto-generated policy ID.
|
|
// Slug: lowercase, spaces→hyphens, non-alphanumeric stripped, trimmed to 64
|
|
// chars. Matches the existing seed convention (rp-default, rp-standard,
|
|
// rp-urgent). Collision resolution is handled by Create's retry loop.
|
|
func slugifyPolicyName(name string) string {
|
|
slug := strings.ToLower(strings.TrimSpace(name))
|
|
slug = strings.ReplaceAll(slug, " ", "-")
|
|
slug = slugRegex.ReplaceAllString(slug, "")
|
|
slug = strings.Trim(slug, "-")
|
|
if slug == "" {
|
|
slug = "policy"
|
|
}
|
|
if len(slug) > 64 {
|
|
slug = slug[:64]
|
|
}
|
|
return "rp-" + slug
|
|
}
|
|
|
|
// isUniqueViolation reports whether err is a PostgreSQL 23505 unique_violation.
|
|
// Used by Create/Update to translate name-collision errors onto the typed
|
|
// ErrRenewalPolicyDuplicateName sentinel.
|
|
func isUniqueViolation(err error) bool {
|
|
var pqErr *pq.Error
|
|
return errors.As(err, &pqErr) && pqErr.Code == "23505"
|
|
}
|
|
|
|
// isForeignKeyViolation reports whether err is a PostgreSQL 23503
|
|
// foreign_key_violation. Used by Delete to translate ON DELETE RESTRICT
|
|
// failures onto the typed ErrRenewalPolicyInUse sentinel.
|
|
func isForeignKeyViolation(err error) bool {
|
|
var pqErr *pq.Error
|
|
return errors.As(err, &pqErr) && pqErr.Code == "23503"
|
|
}
|
|
|
|
// Create inserts a new renewal policy. If policy.ID is empty, auto-generates
|
|
// `rp-<slug(name)>` with -2/-3/... suffixes on collision (up to 10 attempts).
|
|
// Returns ErrRenewalPolicyDuplicateName on pg 23505 (name collision).
|
|
//
|
|
// alert_thresholds_days is marshaled to JSONB here rather than relying on the
|
|
// DB default because the service layer already applies DefaultAlertThresholds
|
|
// for empty input — the DB default is a safety net, not the primary path.
|
|
func (r *RenewalPolicyRepository) Create(ctx context.Context, policy *domain.RenewalPolicy) error {
|
|
if policy == nil {
|
|
return errors.New("renewal policy is nil")
|
|
}
|
|
|
|
thresholdsJSON, err := json.Marshal(policy.AlertThresholdsDays)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to marshal alert thresholds: %w", err)
|
|
}
|
|
|
|
channelsJSON, err := marshalAlertChannels(policy.AlertChannels)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to marshal alert channels: %w", err)
|
|
}
|
|
|
|
severityJSON, err := marshalSeverityMap(policy.AlertSeverityMap)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to marshal alert severity map: %w", err)
|
|
}
|
|
|
|
// ID auto-generation with collision retry. We attempt up to 10 suffix
|
|
// variants (rp-foo, rp-foo-2, ..., rp-foo-10) before giving up — the
|
|
// 23505 error the caller gets back past that point is on Name (their
|
|
// job to fix) rather than on a slug-collision we swallowed.
|
|
baseID := policy.ID
|
|
if baseID == "" {
|
|
baseID = slugifyPolicyName(policy.Name)
|
|
}
|
|
|
|
insertSQL := `
|
|
INSERT INTO renewal_policies (
|
|
id, name, renewal_window_days, auto_renew, max_retries,
|
|
retry_interval_seconds, alert_thresholds_days,
|
|
alert_channels, alert_severity_map,
|
|
created_at, updated_at
|
|
) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, NOW(), NOW())
|
|
RETURNING ` + renewalPolicyColumns
|
|
|
|
maxAttempts := 10
|
|
if policy.ID != "" {
|
|
// Caller supplied a specific ID — no collision-retry, just one shot.
|
|
maxAttempts = 1
|
|
}
|
|
|
|
for attempt := 1; attempt <= maxAttempts; attempt++ {
|
|
candidateID := baseID
|
|
if attempt > 1 {
|
|
candidateID = fmt.Sprintf("%s-%d", baseID, attempt)
|
|
}
|
|
|
|
row := r.db.QueryRowContext(ctx, insertSQL,
|
|
candidateID, policy.Name, policy.RenewalWindowDays, policy.AutoRenew,
|
|
policy.MaxRetries, policy.RetryInterval, thresholdsJSON,
|
|
channelsJSON, severityJSON,
|
|
)
|
|
|
|
inserted, scanErr := scanRenewalPolicy(row)
|
|
if scanErr == nil {
|
|
*policy = *inserted
|
|
return nil
|
|
}
|
|
|
|
if isUniqueViolation(scanErr) {
|
|
// Determine which unique constraint — if it's the name UNIQUE
|
|
// we can't recover (caller has to pick a new name); if it's the
|
|
// primary-key slug collision we loop to the next suffix.
|
|
var pqErr *pq.Error
|
|
errors.As(scanErr, &pqErr)
|
|
// Postgres reports the constraint name in pqErr.Constraint;
|
|
// renewal_policies_name_key is the name UNIQUE, renewal_policies_pkey
|
|
// is the PK. Name collision is terminal, PK collision is retryable.
|
|
if pqErr.Constraint != "" && !strings.Contains(pqErr.Constraint, "pkey") {
|
|
return repository.ErrRenewalPolicyDuplicateName
|
|
}
|
|
// PK collision — try next suffix.
|
|
continue
|
|
}
|
|
|
|
return fmt.Errorf("failed to insert renewal policy: %w", scanErr)
|
|
}
|
|
|
|
// Exhausted retry budget on PK collisions — surface as duplicate so the
|
|
// caller at least gets a 409 rather than a mysterious 500.
|
|
return repository.ErrRenewalPolicyDuplicateName
|
|
}
|
|
|
|
// Update modifies an existing renewal policy by ID. Returns an error wrapping
|
|
// sql.ErrNoRows when id is unknown (detected by RETURNING returning zero rows),
|
|
// or ErrRenewalPolicyDuplicateName on pg 23505 (name collision with another row).
|
|
func (r *RenewalPolicyRepository) Update(ctx context.Context, id string, policy *domain.RenewalPolicy) error {
|
|
if policy == nil {
|
|
return errors.New("renewal policy is nil")
|
|
}
|
|
|
|
thresholdsJSON, err := json.Marshal(policy.AlertThresholdsDays)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to marshal alert thresholds: %w", err)
|
|
}
|
|
|
|
channelsJSON, err := marshalAlertChannels(policy.AlertChannels)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to marshal alert channels: %w", err)
|
|
}
|
|
|
|
severityJSON, err := marshalSeverityMap(policy.AlertSeverityMap)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to marshal alert severity map: %w", err)
|
|
}
|
|
|
|
row := r.db.QueryRowContext(ctx, `
|
|
UPDATE renewal_policies SET
|
|
name = $2,
|
|
renewal_window_days = $3,
|
|
auto_renew = $4,
|
|
max_retries = $5,
|
|
retry_interval_seconds = $6,
|
|
alert_thresholds_days = $7,
|
|
alert_channels = $8,
|
|
alert_severity_map = $9,
|
|
updated_at = NOW()
|
|
WHERE id = $1
|
|
RETURNING `+renewalPolicyColumns,
|
|
id, policy.Name, policy.RenewalWindowDays, policy.AutoRenew,
|
|
policy.MaxRetries, policy.RetryInterval, thresholdsJSON,
|
|
channelsJSON, severityJSON,
|
|
)
|
|
|
|
updated, err := scanRenewalPolicy(row)
|
|
if err != nil {
|
|
if errors.Is(err, sql.ErrNoRows) {
|
|
return fmt.Errorf("renewal policy not found: %w", repository.ErrNotFound)
|
|
}
|
|
if isUniqueViolation(err) {
|
|
return repository.ErrRenewalPolicyDuplicateName
|
|
}
|
|
return fmt.Errorf("failed to update renewal policy: %w", err)
|
|
}
|
|
|
|
*policy = *updated
|
|
return nil
|
|
}
|
|
|
|
// Delete removes a renewal policy by ID. Returns ErrRenewalPolicyInUse when
|
|
// the policy is still referenced by rows in managed_certificates (pg 23503
|
|
// foreign_key_violation against the ON DELETE RESTRICT FK from
|
|
// managed_certificates.renewal_policy_id). Returns an error wrapping
|
|
// sql.ErrNoRows when id is unknown.
|
|
func (r *RenewalPolicyRepository) Delete(ctx context.Context, id string) error {
|
|
result, err := r.db.ExecContext(ctx, `DELETE FROM renewal_policies WHERE id = $1`, id)
|
|
if err != nil {
|
|
if isForeignKeyViolation(err) {
|
|
return repository.ErrRenewalPolicyInUse
|
|
}
|
|
return fmt.Errorf("failed to delete renewal policy: %w", err)
|
|
}
|
|
|
|
rows, err := result.RowsAffected()
|
|
if err != nil {
|
|
return fmt.Errorf("failed to read RowsAffected for delete: %w", err)
|
|
}
|
|
if rows == 0 {
|
|
return fmt.Errorf("renewal policy not found: %w", repository.ErrNotFound)
|
|
}
|
|
return nil
|
|
}
|