mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 15:01:32 +00:00
shankar0123
8043e2bbac
Rank 7 of the 2026-05-03 Infisical deep-research deliverable, commit 2 of 4
(cowork/rank-7-approval-workflow-primitive-prompt.md). Builds on the
foundation in commit 2025275 — wires the service layer that drives the
approval workflow. Still no handler / integration wiring; commits 3-4
land that.
Files added:
internal/service/approval.go - ApprovalService struct + 6
methods: RequestApproval,
Approve, Reject, ListPending,
List, Get, ExpireStale.
Same-actor RBAC check
(ErrApproveBySameActor) at
both Approve and Reject; the
load-bearing two-person
integrity gate. Bypass mode
short-circuits via
approveInternal(outcome=
"bypassed", actorType=System).
Audit + metric emission per
decision via shared
recordAudit helper. Tolerates
nil AuditService for tests.
Service depends on a narrow
JobStatusUpdater interface
(single-method) rather than
the full repository.JobRepository
— production wiring satisfies
it implicitly via postgres'
existing UpdateStatus.
internal/service/approval_metrics.go - ApprovalMetrics: thread-safe
counter table (decisions
counter dimensioned by
outcome × profile_id) + a
custom durationHistogram for
pending-age (le buckets:
60, 300, 1800, 3600, 21600,
86400, +Inf — 1m, 5m, 30m,
1h, 6h, 24h, beyond).
Snapshot* methods return the
Prometheus exposer's input
shapes. Mirrors the
ExpiryAlertMetrics +
VaultRenewalMetrics pattern
from prior ranks.
internal/service/approval_test.go - 8 table-driven tests with
tight in-package fakes
(fakeApprovalRepo +
fakeJobStateRepo):
TestApproval_RequestCreatesPendingRow_BypassDisabled
TestApproval_BypassMode_AutoApprovesWithSystemBypassActor
TestApproval_Approve_TransitionsJobFromAwaitingApprovalToPending
TestApproval_Reject_TransitionsJobFromAwaitingApprovalToCancelled
TestApproval_Approve_RejectsSameActor
↑ THE LOAD-BEARING TWO-PERSON
INTEGRITY TEST. PCI-DSS 6.4.5
/ NIST 800-53 SA-15 / SOC 2
CC6.1 compliance auditors
pattern-match against this.
Pins same-actor rejection on
both Approve and Reject paths;
pins success when a different
actor approves.
TestApproval_Approve_RejectsAlreadyDecided
TestApproval_ExpireStale_TransitionsPendingToExpired_AndCancelsJob
TestApproval_MetricCounterIncrements
Verified:
gofmt: clean.
go vet ./internal/service/...: exit 0.
go test -short -count=1 -run TestApproval ./internal/service/...:
ok 0.005s — all 8 tests green.
Out of scope for this commit (lands in commits 3-4):
- api/handler/approval.go (5 endpoints + handler-side RBAC).
- api/openapi.yaml extensions.
- Integration into CertificateService.TriggerRenewal +
RenewalService.CheckExpiringCertificates + Scheduler.ReapTimedOutJobs.
- cmd/server/main.go wiring of ApprovalService + ApprovalMetrics.
- Config.Approval.BypassEnabled + CERTCTL_APPROVAL_BYPASS env var.
- docs/connectors.md row + docs/approval-workflow.md runbook.
Reference: cowork/rank-7-approval-workflow-primitive-prompt.md.
373 lines
14 KiB
Go
373 lines
14 KiB
Go
package service
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/certctl-io/certctl/internal/domain"
|
|
"github.com/certctl-io/certctl/internal/repository"
|
|
)
|
|
|
|
// ApprovalService manages the issuance approval-workflow primitive.
|
|
// Rank 7 of the 2026-05-03 Infisical deep-research deliverable.
|
|
//
|
|
// Lifecycle: a profile with RequiresApproval=true causes the renewal
|
|
// entry points (TriggerRenewal + CheckExpiringCertificates) to call
|
|
// RequestApproval; the resulting Job is created at
|
|
// JobStatusAwaitingApproval; the scheduler does NOT dispatch until
|
|
// Approve transitions the job to Pending.
|
|
//
|
|
// RBAC contract: the requester cannot approve their own request.
|
|
// Approve checks decidedBy != request.RequestedBy and rejects with
|
|
// ErrApproveBySameActor otherwise. This is the load-bearing two-
|
|
// person integrity check; compliance auditors pattern-match against
|
|
// it.
|
|
//
|
|
// Bypass mode: if CERTCTL_APPROVAL_BYPASS=true at boot, every
|
|
// RequestApproval call immediately auto-approves with
|
|
// decidedBy="system-bypass". Used by dev / CI to keep renewal-
|
|
// scheduler tests fast without standing up an approver. Production
|
|
// deploys MUST leave this unset; the bypass emits an audit row with
|
|
// ActorType=System so a downstream auditor can grep for
|
|
// "system-bypass" approvals and confirm none happened in production.
|
|
type ApprovalService struct {
|
|
approvalRepo repository.ApprovalRepository
|
|
jobRepo JobStatusUpdater
|
|
auditService *AuditService
|
|
metrics *ApprovalMetrics
|
|
|
|
bypassEnabled bool
|
|
}
|
|
|
|
// JobStatusUpdater is the narrow interface ApprovalService depends on
|
|
// from JobRepository. Accepting the small interface (rather than the
|
|
// full repository.JobRepository) keeps the test mock surface tiny —
|
|
// real JobRepository implementations (postgres + any future) satisfy
|
|
// it implicitly because they implement UpdateStatus already.
|
|
type JobStatusUpdater interface {
|
|
UpdateStatus(ctx context.Context, id string, status domain.JobStatus, errMsg string) error
|
|
}
|
|
|
|
// NewApprovalService constructs an ApprovalService. metrics may be nil
|
|
// for tests that don't need Prometheus integration; auditService should
|
|
// not be nil in production but is tolerated for unit tests that don't
|
|
// care about audit-row emission.
|
|
func NewApprovalService(
|
|
approvalRepo repository.ApprovalRepository,
|
|
jobRepo JobStatusUpdater,
|
|
auditService *AuditService,
|
|
metrics *ApprovalMetrics,
|
|
bypassEnabled bool,
|
|
) *ApprovalService {
|
|
return &ApprovalService{
|
|
approvalRepo: approvalRepo,
|
|
jobRepo: jobRepo,
|
|
auditService: auditService,
|
|
metrics: metrics,
|
|
bypassEnabled: bypassEnabled,
|
|
}
|
|
}
|
|
|
|
// Sentinels for handler-side dispatch via errors.Is.
|
|
var (
|
|
// ErrApprovalNotFound is returned when the request ID does not exist.
|
|
// Handlers map to HTTP 404.
|
|
ErrApprovalNotFound = errors.New("approval request not found")
|
|
|
|
// ErrApprovalAlreadyDecided is returned when Approve / Reject is called
|
|
// on a request whose State is already terminal. Handlers map to HTTP 409.
|
|
ErrApprovalAlreadyDecided = errors.New("approval request already decided")
|
|
|
|
// ErrApproveBySameActor is the load-bearing two-person integrity check.
|
|
// Returned when the supplied decidedBy equals request.RequestedBy.
|
|
// Handlers map to HTTP 403.
|
|
ErrApproveBySameActor = errors.New("approver cannot be the same as requester (two-person integrity)")
|
|
)
|
|
|
|
// RequestApproval creates a pending ApprovalRequest row and is invoked
|
|
// from the renewal entry points after they have created the Job at
|
|
// Status=AwaitingApproval. Returns the request ID for handler /
|
|
// caller use.
|
|
//
|
|
// If bypassEnabled is true, this method synchronously calls Approve
|
|
// internally with decidedBy=ApprovalActorSystemBypass and returns the
|
|
// resulting (now-approved) request ID. The audit row records
|
|
// ActorType=System so a downstream auditor can confirm bypass-mode
|
|
// was off in production via a single SQL query.
|
|
func (s *ApprovalService) RequestApproval(
|
|
ctx context.Context,
|
|
cert *domain.ManagedCertificate,
|
|
jobID, profileID, requestedBy string,
|
|
metadata map[string]string,
|
|
) (string, error) {
|
|
if cert == nil {
|
|
return "", fmt.Errorf("approval: nil certificate")
|
|
}
|
|
if jobID == "" || profileID == "" || requestedBy == "" {
|
|
return "", fmt.Errorf("approval: jobID, profileID, requestedBy required")
|
|
}
|
|
|
|
now := time.Now().UTC()
|
|
req := &domain.ApprovalRequest{
|
|
CertificateID: cert.ID,
|
|
JobID: jobID,
|
|
ProfileID: profileID,
|
|
RequestedBy: requestedBy,
|
|
State: domain.ApprovalStatePending,
|
|
Metadata: metadata,
|
|
CreatedAt: now,
|
|
UpdatedAt: now,
|
|
}
|
|
if err := s.approvalRepo.Create(ctx, req); err != nil {
|
|
return "", fmt.Errorf("approval: create request: %w", err)
|
|
}
|
|
|
|
// Audit the request creation. Bypass-mode logs both the request and
|
|
// the auto-approval as separate rows so the timeline is honest.
|
|
s.recordAudit(ctx, requestedBy, domain.ActorTypeUser, "approval_requested", req, nil)
|
|
|
|
if s.bypassEnabled {
|
|
if err := s.approveInternal(ctx, req.ID, domain.ApprovalActorSystemBypass,
|
|
"auto-approved by CERTCTL_APPROVAL_BYPASS — dev/CI mode",
|
|
domain.ApprovalOutcomeBypassed, domain.ActorTypeSystem); err != nil {
|
|
return req.ID, fmt.Errorf("approval: bypass auto-approve: %w", err)
|
|
}
|
|
}
|
|
|
|
return req.ID, nil
|
|
}
|
|
|
|
// Approve transitions a pending request to approved AND the linked Job
|
|
// from AwaitingApproval to Pending so the job processor picks it up.
|
|
// RBAC: rejects if decidedBy == request.RequestedBy.
|
|
func (s *ApprovalService) Approve(ctx context.Context, requestID, decidedBy, note string) error {
|
|
req, err := s.approvalRepo.Get(ctx, requestID)
|
|
if err != nil {
|
|
if errors.Is(err, repository.ErrNotFound) {
|
|
return ErrApprovalNotFound
|
|
}
|
|
return fmt.Errorf("approval: get for approve: %w", err)
|
|
}
|
|
if req.State.IsTerminal() {
|
|
return ErrApprovalAlreadyDecided
|
|
}
|
|
if decidedBy == req.RequestedBy {
|
|
return ErrApproveBySameActor
|
|
}
|
|
return s.approveInternal(ctx, requestID, decidedBy, note,
|
|
domain.ApprovalOutcomeApproved, domain.ActorTypeUser)
|
|
}
|
|
|
|
// approveInternal is the shared transition path for both human-Approve
|
|
// and bypass-mode auto-approve. Same DB transition + audit + metric
|
|
// recording, but the outcome label + actorType differ.
|
|
func (s *ApprovalService) approveInternal(
|
|
ctx context.Context, requestID, decidedBy, note, outcome string,
|
|
actorType domain.ActorType,
|
|
) error {
|
|
now := time.Now().UTC()
|
|
|
|
// Re-fetch the request after the state-transition guards in Approve so
|
|
// we can stamp the metric's pending-age + transition the job. For the
|
|
// bypass path, this is the first read.
|
|
req, err := s.approvalRepo.Get(ctx, requestID)
|
|
if err != nil {
|
|
if errors.Is(err, repository.ErrNotFound) {
|
|
return ErrApprovalNotFound
|
|
}
|
|
return fmt.Errorf("approval: get for transition: %w", err)
|
|
}
|
|
if req.State.IsTerminal() {
|
|
return ErrApprovalAlreadyDecided
|
|
}
|
|
|
|
if err := s.approvalRepo.UpdateState(ctx, requestID,
|
|
domain.ApprovalStateApproved, decidedBy, now, note); err != nil {
|
|
if errors.Is(err, repository.ErrNotFound) {
|
|
return ErrApprovalNotFound
|
|
}
|
|
if errors.Is(err, repository.ErrAlreadyExists) {
|
|
return ErrApprovalAlreadyDecided
|
|
}
|
|
return fmt.Errorf("approval: update state to approved: %w", err)
|
|
}
|
|
|
|
// Transition the linked Job from AwaitingApproval to Pending so the
|
|
// scheduler picks it up. Best-effort — if the Job has already been
|
|
// cancelled or otherwise mutated externally, log via audit and move on.
|
|
if err := s.jobRepo.UpdateStatus(ctx, req.JobID, domain.JobStatusPending, ""); err != nil {
|
|
s.recordAudit(ctx, decidedBy, actorType, "approval_job_transition_failed", req,
|
|
map[string]interface{}{"target_status": string(domain.JobStatusPending), "error": err.Error()})
|
|
return fmt.Errorf("approval: transition job to Pending: %w", err)
|
|
}
|
|
|
|
s.recordAudit(ctx, decidedBy, actorType, "approval_"+outcome, req,
|
|
map[string]interface{}{"note": note, "outcome": outcome})
|
|
if s.metrics != nil {
|
|
s.metrics.RecordDecision(outcome, req.ProfileID)
|
|
s.metrics.ObservePendingAge(now.Sub(req.CreatedAt).Seconds())
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Reject transitions a pending request to rejected AND the linked Job
|
|
// from AwaitingApproval to Cancelled. RBAC: same-actor check applies.
|
|
func (s *ApprovalService) Reject(ctx context.Context, requestID, decidedBy, note string) error {
|
|
req, err := s.approvalRepo.Get(ctx, requestID)
|
|
if err != nil {
|
|
if errors.Is(err, repository.ErrNotFound) {
|
|
return ErrApprovalNotFound
|
|
}
|
|
return fmt.Errorf("approval: get for reject: %w", err)
|
|
}
|
|
if req.State.IsTerminal() {
|
|
return ErrApprovalAlreadyDecided
|
|
}
|
|
if decidedBy == req.RequestedBy {
|
|
return ErrApproveBySameActor
|
|
}
|
|
|
|
now := time.Now().UTC()
|
|
if err := s.approvalRepo.UpdateState(ctx, requestID,
|
|
domain.ApprovalStateRejected, decidedBy, now, note); err != nil {
|
|
if errors.Is(err, repository.ErrNotFound) {
|
|
return ErrApprovalNotFound
|
|
}
|
|
if errors.Is(err, repository.ErrAlreadyExists) {
|
|
return ErrApprovalAlreadyDecided
|
|
}
|
|
return fmt.Errorf("approval: update state to rejected: %w", err)
|
|
}
|
|
|
|
if err := s.jobRepo.UpdateStatus(ctx, req.JobID, domain.JobStatusCancelled,
|
|
"approval rejected: "+note); err != nil {
|
|
s.recordAudit(ctx, decidedBy, domain.ActorTypeUser, "approval_job_transition_failed", req,
|
|
map[string]interface{}{"target_status": string(domain.JobStatusCancelled), "error": err.Error()})
|
|
return fmt.Errorf("approval: transition job to Cancelled: %w", err)
|
|
}
|
|
|
|
s.recordAudit(ctx, decidedBy, domain.ActorTypeUser, "approval_rejected", req,
|
|
map[string]interface{}{"note": note, "outcome": domain.ApprovalOutcomeRejected})
|
|
if s.metrics != nil {
|
|
s.metrics.RecordDecision(domain.ApprovalOutcomeRejected, req.ProfileID)
|
|
s.metrics.ObservePendingAge(now.Sub(req.CreatedAt).Seconds())
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// ListPending returns approval requests in state=pending, paginated.
|
|
// Operators reading the dashboard call this on every page load.
|
|
func (s *ApprovalService) ListPending(ctx context.Context, page, perPage int) ([]*domain.ApprovalRequest, error) {
|
|
return s.approvalRepo.List(ctx, &repository.ApprovalFilter{
|
|
State: string(domain.ApprovalStatePending),
|
|
Page: page,
|
|
PerPage: perPage,
|
|
})
|
|
}
|
|
|
|
// List returns approval requests filtered by the supplied filter. Used
|
|
// by handler GET /api/v1/approvals with arbitrary state.
|
|
func (s *ApprovalService) List(ctx context.Context, filter *repository.ApprovalFilter) ([]*domain.ApprovalRequest, error) {
|
|
return s.approvalRepo.List(ctx, filter)
|
|
}
|
|
|
|
// Get returns a single approval request by ID, or ErrApprovalNotFound.
|
|
func (s *ApprovalService) Get(ctx context.Context, id string) (*domain.ApprovalRequest, error) {
|
|
req, err := s.approvalRepo.Get(ctx, id)
|
|
if err != nil {
|
|
if errors.Is(err, repository.ErrNotFound) {
|
|
return nil, ErrApprovalNotFound
|
|
}
|
|
return nil, err
|
|
}
|
|
return req, nil
|
|
}
|
|
|
|
// ExpireStale runs from the scheduler's reaper loop. Calls the
|
|
// repository's ExpireStale (bulk pending→expired transition) +
|
|
// transitions matching jobs from AwaitingApproval to Cancelled.
|
|
// Records one audit row per expiry. Returns the count expired.
|
|
//
|
|
// Operators alert when this is non-zero — it means an approval
|
|
// request timed out without human review.
|
|
func (s *ApprovalService) ExpireStale(ctx context.Context, before time.Time) (int, error) {
|
|
// Find pending requests older than `before` so we can record the
|
|
// audit + metric per expiry. ExpireStale on the repo bulk-mutates
|
|
// the rows; we read first to capture the per-row metadata for
|
|
// auditing, then call the repo's bulk update.
|
|
pending, err := s.approvalRepo.List(ctx, &repository.ApprovalFilter{
|
|
State: string(domain.ApprovalStatePending),
|
|
PerPage: 500,
|
|
})
|
|
if err != nil {
|
|
return 0, fmt.Errorf("approval: list pending for expiry: %w", err)
|
|
}
|
|
|
|
var stale []*domain.ApprovalRequest
|
|
for _, req := range pending {
|
|
if req.CreatedAt.Before(before) || req.CreatedAt.Equal(before) {
|
|
stale = append(stale, req)
|
|
}
|
|
}
|
|
if len(stale) == 0 {
|
|
return 0, nil
|
|
}
|
|
|
|
count, err := s.approvalRepo.ExpireStale(ctx, before)
|
|
if err != nil {
|
|
return 0, fmt.Errorf("approval: bulk expire: %w", err)
|
|
}
|
|
|
|
now := time.Now().UTC()
|
|
for _, req := range stale {
|
|
// Cancel the linked job — best-effort. The scheduler's existing
|
|
// ReapTimedOutJobs already handles AwaitingApproval timeouts on
|
|
// the job side; this is a defensive double-cancel that's
|
|
// idempotent if the scheduler already ran.
|
|
if err := s.jobRepo.UpdateStatus(ctx, req.JobID, domain.JobStatusCancelled,
|
|
"approval expired: timed out without review"); err != nil {
|
|
// Log via audit and continue — don't fail the whole sweep on
|
|
// one bad job.
|
|
s.recordAudit(ctx, "system-reaper", domain.ActorTypeSystem, "approval_job_transition_failed", req,
|
|
map[string]interface{}{"target_status": string(domain.JobStatusCancelled), "error": err.Error()})
|
|
}
|
|
|
|
s.recordAudit(ctx, "system-reaper", domain.ActorTypeSystem, "approval_expired", req,
|
|
map[string]interface{}{"outcome": domain.ApprovalOutcomeExpired, "before_cutoff": before.Format(time.RFC3339)})
|
|
if s.metrics != nil {
|
|
s.metrics.RecordDecision(domain.ApprovalOutcomeExpired, req.ProfileID)
|
|
s.metrics.ObservePendingAge(now.Sub(req.CreatedAt).Seconds())
|
|
}
|
|
}
|
|
|
|
return count, nil
|
|
}
|
|
|
|
// recordAudit is the shared audit-emission helper. Tolerates a nil
|
|
// AuditService (unit tests that don't wire it) and discards errors —
|
|
// audit failures must not block the primary state transition.
|
|
func (s *ApprovalService) recordAudit(ctx context.Context, actor string, actorType domain.ActorType,
|
|
action string, req *domain.ApprovalRequest, extra map[string]interface{}) {
|
|
if s.auditService == nil || req == nil {
|
|
return
|
|
}
|
|
details := map[string]interface{}{
|
|
"approval_id": req.ID,
|
|
"certificate_id": req.CertificateID,
|
|
"job_id": req.JobID,
|
|
"profile_id": req.ProfileID,
|
|
"requested_by": req.RequestedBy,
|
|
"state": string(req.State),
|
|
}
|
|
for k, v := range req.Metadata {
|
|
details["metadata_"+k] = v
|
|
}
|
|
for k, v := range extra {
|
|
details[k] = v
|
|
}
|
|
_ = s.auditService.RecordEvent(ctx, actor, actorType, action,
|
|
"approval_request", req.ID, details)
|
|
}
|