mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 20:41:30 +00:00
shankar0123
8bc9f4eed8
+ profile-driven csrattrs + admin observability with per-status counters + reload-trust endpoint. Phase 5 — RFC 7030 §4.4 server-driven key generation: - internal/pkcs7/envelopeddata_builder.go is the inverse of the existing parser/decryptor: AES-256-CBC content cipher + RSA PKCS#1 v1.5 keyTrans + per-call random IV. Round-trip pinned in test (BuildEnvelopedData → ParseEnvelopedData → Decrypt returns the original plaintext byte-for-byte). - ESTService.SimpleServerKeygen runs the full §4.4 flow: parse client CSR → require RSA pubkey for keyTrans → resolve per-profile algorithm (RSA-2048 default; honors AllowedKeyAlgorithms) → in- memory keygen → re-build CSR with server pubkey → run existing issuer pipeline → marshal PKCS#8 → CMS-EnvelopedData wrap to a synthetic recipient cert wrapping the device's CSR-supplied pubkey → zeroize plaintext + PKCS#8 bytes → return CertPEM + ChainPEM + EncryptedKey. Typed sentinels ErrServerKeygenRequiresKey- Encipherment / ErrServerKeygenUnsupportedAlgorithm / ErrServerKeygenDisabled. - ESTHandler.ServerKeygen + ServerKeygenMTLS emit RFC 7030 §4.4.2 multipart/mixed with random per-response boundary; per-profile SetServerKeygenEnabled gate returns 404 when off (defense in depth even if the route was registered). - New routes POST /.well-known/est/[<PathID>/]serverkeygen + /.well-known/est-mtls/<PathID>/serverkeygen; openapi.yaml + openapi-parity guard updated. Phase 6 — Real csrattrs implementation: - New CertificateProfile.RequiredCSRAttributes []string + migration 000022_certificate_profiles_csrattrs.up.sql. The migration also lands the previously-unwired must_staple column (closes the 5.6 follow-up loop where the field shipped at the domain + service layer but the postgres scan/insert/update never persisted it). - domain.EKUStringToOID + AttributeStringToOID lookup tables: id-kp-* EKUs (RFC 5280 §4.2.1.12) + RFC 5280 DN attributes + RFC 2985 PKCS#10 attributes + Microsoft Intune device-serial OID. - ESTService.GetCSRAttrs replaces the v2.0.x nil/204 stub with a profile-derived SEQUENCE OF OID ASN.1 marshal. Unknown EKU / attribute strings dropped + warning-logged so a typo doesn't take down the entire endpoint. Phase 7 — Admin observability + counters + reload-trust: - internal/service/est_counters.go: estCounterTab (sync/atomic; 12 named labels) + ESTStatsSnapshot per-profile shape + ESTService.Stats(now) zero-allocation accessor + ReloadTrust() SIGHUP-equivalent + SetESTAdminMetadata setter. - Counter ticks wired into processEnrollment + SimpleServerKeygen at every success/failure leg. - internal/api/handler/admin_est.go mirrors AdminSCEPIntune verbatim: Profiles + ReloadTrust handlers + AdminESTServiceImpl. Both endpoints admin-gated (M-008 triplet pinned + admin_est.go added to AdminGatedHandlers). - New routes GET /api/v1/admin/est/profiles + POST /api/v1/admin/ est/reload-trust; openapi.yaml documented; openapi-parity guard reproduced clean. - cmd/server/main.go grows estServices map populated by the per- profile EST loop + handed to AdminEST. New MTLSTrust() + HasMTLSTrust() accessors on ESTHandler so main.go can pull the trust holder for the admin-metadata wire-up. - Per-profile counter isolation regression test (internal/service/est_profile_counter_isolation_test.go) proves a future shared-counter refactor would fail at compile-time pointer-identity check. Pre-commit verification (sandbox): gofmt clean, go vet clean (excluding repository/postgres which the sandbox can't build — disk-space testcontainers download), staticcheck clean across cms/trustanchor/api/handler/api/router/scep/intune/ratelimit/ service/pkcs7/domain/cmd/server, go test -short -count=1 green for every non-postgres package. G-3 docs-drift guard reproduced locally clean (Phases 5-7 added zero new env vars; Phase 1 already documented per-profile SERVER_KEYGEN_ENABLED). Spec preserved at cowork/est-rfc7030-hardening-prompt.md. Phases 8-13 (GUI ESTAdminPage / CLI+MCP / libest e2e / bulk revocation / docs/est.md / release prep) remain — post-2.1.0 work.
183 lines
6.5 KiB
Go
183 lines
6.5 KiB
Go
package handler
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"net/http"
|
|
"time"
|
|
|
|
"github.com/shankar0123/certctl/internal/api/middleware"
|
|
"github.com/shankar0123/certctl/internal/service"
|
|
)
|
|
|
|
// EST RFC 7030 hardening master bundle Phase 7.2 — admin observability
|
|
// endpoints for the EST Administration GUI.
|
|
//
|
|
// Endpoints:
|
|
//
|
|
// GET /api/v1/admin/est/profiles — Phase 7.2 (per-profile snapshot)
|
|
// POST /api/v1/admin/est/reload-trust — Phase 7.2 (JSON body: {"path_id":"corp"})
|
|
//
|
|
// All endpoints are admin-gated (M-008 pattern). Non-admin Bearer
|
|
// callers get 403 — the profiles endpoint reveals the operator's
|
|
// profile set + trust-anchor expiries (sensitive operational metadata),
|
|
// the reload endpoint is a privileged action that swaps the in-memory
|
|
// trust pool.
|
|
|
|
// AdminESTService is the slice of the per-profile ESTService set the
|
|
// admin handler needs. The handler depends on this narrow interface
|
|
// rather than the concrete *service.ESTService set so wiring stays
|
|
// service-side and the handler stays test-friendly.
|
|
type AdminESTService interface {
|
|
// Profiles returns one snapshot per configured EST profile. Walks
|
|
// the per-PathID service map under the hood.
|
|
Profiles(ctx context.Context, now time.Time) ([]service.ESTStatsSnapshot, error)
|
|
|
|
// ReloadTrust triggers the SIGHUP-equivalent Reload on the named
|
|
// profile's trust holder. Returns ErrAdminESTProfileNotFound if the
|
|
// PathID isn't known, or service.ErrESTMTLSDisabled if the profile
|
|
// exists but mTLS isn't configured, or the underlying parse error
|
|
// from trustanchor.LoadBundle on a bad reload (the holder retains
|
|
// the OLD pool either way — fail-safe enforced one layer down).
|
|
ReloadTrust(ctx context.Context, pathID string) error
|
|
}
|
|
|
|
// ErrAdminESTProfileNotFound is returned by AdminESTService implementations
|
|
// when the operator targets a PathID that doesn't map to any configured
|
|
// EST profile. The handler maps this to HTTP 404.
|
|
var ErrAdminESTProfileNotFound = errors.New("admin est: profile not found for the given path_id")
|
|
|
|
// AdminESTHandler serves the per-profile EST observability endpoints.
|
|
type AdminESTHandler struct {
|
|
svc AdminESTService
|
|
}
|
|
|
|
// NewAdminESTHandler creates a new admin handler.
|
|
func NewAdminESTHandler(svc AdminESTService) AdminESTHandler {
|
|
return AdminESTHandler{svc: svc}
|
|
}
|
|
|
|
// adminESTReloadRequest is the POST body shape for the reload-trust
|
|
// endpoint. PathID="" targets the legacy /.well-known/est root profile
|
|
// (the one with empty PathID), matching the convention used elsewhere
|
|
// in the per-profile dispatch.
|
|
type adminESTReloadRequest struct {
|
|
PathID string `json:"path_id"`
|
|
}
|
|
|
|
// Profiles handles GET /api/v1/admin/est/profiles.
|
|
//
|
|
// Mirrors AdminSCEPIntuneHandler.Profiles. Returns one snapshot per
|
|
// configured EST profile in ESTStatsSnapshot shape (always-present
|
|
// per-profile fields + optional trust-anchor sub-block).
|
|
func (h AdminESTHandler) Profiles(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodGet {
|
|
Error(w, http.StatusMethodNotAllowed, "Method not allowed")
|
|
return
|
|
}
|
|
if !middleware.IsAdmin(r.Context()) {
|
|
Error(w, http.StatusForbidden, "Admin access required")
|
|
return
|
|
}
|
|
|
|
now := time.Now()
|
|
rows, err := h.svc.Profiles(r.Context(), now)
|
|
if err != nil {
|
|
Error(w, http.StatusInternalServerError, "Failed to read EST profiles")
|
|
return
|
|
}
|
|
if rows == nil {
|
|
// Avoid serialising as `null` — the GUI expects an array.
|
|
rows = []service.ESTStatsSnapshot{}
|
|
}
|
|
_ = JSON(w, http.StatusOK, map[string]any{
|
|
"profiles": rows,
|
|
"profile_count": len(rows),
|
|
"generated_at": now.UTC(),
|
|
})
|
|
}
|
|
|
|
// ReloadTrust handles POST /api/v1/admin/est/reload-trust.
|
|
func (h AdminESTHandler) ReloadTrust(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodPost {
|
|
Error(w, http.StatusMethodNotAllowed, "Method not allowed")
|
|
return
|
|
}
|
|
if !middleware.IsAdmin(r.Context()) {
|
|
Error(w, http.StatusForbidden, "Admin access required")
|
|
return
|
|
}
|
|
|
|
var body adminESTReloadRequest
|
|
// An empty body is permitted: it implicitly targets the legacy
|
|
// /.well-known/est root profile (PathID=""). Operators with multi-
|
|
// profile deploys MUST supply a path_id JSON field.
|
|
if r.ContentLength > 0 {
|
|
if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
|
|
Error(w, http.StatusBadRequest, "Invalid JSON body: "+err.Error())
|
|
return
|
|
}
|
|
}
|
|
|
|
err := h.svc.ReloadTrust(r.Context(), body.PathID)
|
|
switch {
|
|
case err == nil:
|
|
_ = JSON(w, http.StatusOK, map[string]any{
|
|
"reloaded": true,
|
|
"path_id": body.PathID,
|
|
"reloaded_at": time.Now().UTC(),
|
|
})
|
|
case errors.Is(err, ErrAdminESTProfileNotFound):
|
|
Error(w, http.StatusNotFound, "EST profile not found for path_id="+body.PathID)
|
|
case errors.Is(err, service.ErrESTMTLSDisabled):
|
|
// 409 Conflict: profile exists but mTLS isn't enabled, so
|
|
// there's no trust anchor to reload. Distinct from 404 so the
|
|
// operator can correct the request without re-checking the
|
|
// profile list.
|
|
Error(w, http.StatusConflict, "EST profile path_id="+body.PathID+" does not have mTLS enabled")
|
|
default:
|
|
// Underlying trustanchor.LoadBundle errors (parse failure,
|
|
// expired cert, missing file). The holder retains its previous
|
|
// pool — the operator's enrollments keep working off the old
|
|
// trust anchor while the operator fixes the file.
|
|
Error(w, http.StatusInternalServerError, "Trust anchor reload failed: "+err.Error())
|
|
}
|
|
}
|
|
|
|
// AdminESTServiceImpl is the production implementation of AdminESTService.
|
|
// Walks the per-profile ESTService set built by cmd/server/main.go.
|
|
type AdminESTServiceImpl struct {
|
|
services map[string]*service.ESTService
|
|
}
|
|
|
|
// NewAdminESTServiceImpl constructs the handler-side service from the
|
|
// per-profile ESTService map built at startup.
|
|
func NewAdminESTServiceImpl(services map[string]*service.ESTService) *AdminESTServiceImpl {
|
|
if services == nil {
|
|
services = map[string]*service.ESTService{}
|
|
}
|
|
return &AdminESTServiceImpl{services: services}
|
|
}
|
|
|
|
// Profiles implements AdminESTService.
|
|
func (s *AdminESTServiceImpl) Profiles(_ context.Context, now time.Time) ([]service.ESTStatsSnapshot, error) {
|
|
out := make([]service.ESTStatsSnapshot, 0, len(s.services))
|
|
for _, svc := range s.services {
|
|
out = append(out, svc.Stats(now))
|
|
}
|
|
return out, nil
|
|
}
|
|
|
|
// ReloadTrust implements AdminESTService.
|
|
func (s *AdminESTServiceImpl) ReloadTrust(_ context.Context, pathID string) error {
|
|
svc, ok := s.services[pathID]
|
|
if !ok {
|
|
return ErrAdminESTProfileNotFound
|
|
}
|
|
return svc.ReloadTrust()
|
|
}
|
|
|
|
// Compile-time interface check.
|
|
var _ AdminESTService = (*AdminESTServiceImpl)(nil)
|