gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 17:12:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
9ef9f3cde301fb92cb7451aee5ac12b368ce5ef7
certctl/internal/service/bulk_revocation.go
T
shankar0123 8b75e0311b chore: rename Go module path to github.com/certctl-io/certctl 
Mechanical sed across the main go.mod's module declaration, the f5-mock-icontrol
sub-module's go.mod, every Go file's import path (361 files), and a rebuild of
the checked-in f5-mock-icontrol binary so its embedded build-info reflects the
new module path. No behavior change.

Choice B from cowork/transfer-certctl-to-org.md, executed 2026-05-04. Choice A
(keep module path declared as github.com/shankar0123/certctl regardless of
repo URL) shipped on the day of the org transfer (2026-05-03) since we had no
external Go consumers; this commit closes that deferral.

Backward-compat: GitHub HTTP redirects continue to forward
github.com/shankar0123/certctl → github.com/certctl-io/certctl at the URL
level, but Go's module proxy uses the path declared in go.mod as the
canonical name. Pre-fix, anyone trying `go get github.com/certctl-io/certctl/...`
hit a "module path mismatch" error because go.mod said
github.com/shankar0123/certctl and the URL they fetched it from said
certctl-io/certctl. Post-fix, the canonical name and the URL agree, so
go get / go install / external Go consumers / Go-tooling integrations
work cleanly via either the new path (preferred) or the old path (which
redirects and Go follows the redirect for source fetch).

Anyone still importing the old path inside their own code keeps working
provided they update their go.mod's `require` line to match — the module
path declared in their consumer's go.sum / go.mod is the authoritative
import name, so a mass sed across their import statements is the migration
on the consumer side. No external consumers exist today.

Diff shape:
  361 *.go files  — import path replacement only
    2 go.mod     — module declaration replacement only
    1 binary     — deploy/test/f5-mock-icontrol/f5-mock-icontrol rebuilt
                   so embedded build-info reflects the new path (8618965 vs
                   8618933 bytes; 32-byte diff is the build-info change)

  Total: 364 files, 730 insertions / 730 deletions, net-zero size, pure
  mechanical substitution.

Verification:
  gofmt: 17 files needed re-alignment after sed (the new path is one char
    shorter than the old, so column-aligned import groups drifted). Applied
    `gofmt -w` to fix.
  go mod tidy: clean exit on both modules.
  go vet ./...: clean exit.
  go build ./...: clean exit.
  go test -short -count=1 on representative packages: all green
    (internal/domain, internal/validation, internal/crypto, internal/crypto/signer,
    cmd/agent). Test output now reads `ok github.com/certctl-io/certctl/...`
    confirming the module path resolves correctly.
  binary: f5-mock-icontrol rebuilt; `strings | grep shankar0123` returns
    nothing; `strings | grep certctl-io/certctl` shows the new module path
    embedded in build-info.

Files intentionally NOT touched in this commit:
  README.md / CHANGELOG.md / docs/ / etc. — already swept to certctl-io
    URLs in commit 0729ee4 (the post-transfer URL refresh). This commit is
    purely the Go-tooling layer.
  Scarf pixels (`shankar0123.docker.scarf.sh/...`) — Scarf-account
    namespace, not a Go import or GitHub repo URL. Stays.

This is a non-blocking, non-customer-impacting change. Operators pulling
container images, running `make verify`, hitting the API, or installing the
agent see no functional difference. Only Go-tooling consumers (none today)
are affected, and they're enabled — not broken — by this commit.
2026-05-04 00:30:29 +00:00

200 lines
6.3 KiB
Go
Raw Blame History

package service
import (
"context"
"fmt"
"log/slog"
"strings"
"github.com/certctl-io/certctl/internal/domain"
"github.com/certctl-io/certctl/internal/repository"
)
// BulkRevocationService coordinates bulk certificate revocation operations.
// It builds on the single-cert RevokeCertificateWithActor flow — no duplicate logic.
type BulkRevocationService struct {
revSvc *RevocationSvc
certRepo repository.CertificateRepository
auditService *AuditService
logger *slog.Logger
}
// NewBulkRevocationService creates a new BulkRevocationService.
func NewBulkRevocationService(
revSvc *RevocationSvc,
certRepo repository.CertificateRepository,
auditService *AuditService,
logger *slog.Logger,
) *BulkRevocationService {
return &BulkRevocationService{
revSvc: revSvc,
certRepo: certRepo,
auditService: auditService,
logger: logger,
}
}
// BulkRevoke revokes all certificates matching the given criteria.
// It reuses RevokeCertificateWithActor for each cert — partial failures don't abort the batch.
func (s *BulkRevocationService) BulkRevoke(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error) {
// Validate inputs
if criteria.IsEmpty() {
return nil, fmt.Errorf("at least one filter criterion is required")
}
if reason == "" {
return nil, fmt.Errorf("revocation reason is required")
}
if !domain.IsValidRevocationReason(reason) {
return nil, fmt.Errorf("invalid revocation reason: %s", reason)
}
// Resolve matching certificates
certs, err := s.resolveCertificates(ctx, criteria)
if err != nil {
return nil, fmt.Errorf("failed to resolve certificates: %w", err)
}
result := &domain.BulkRevocationResult{
TotalMatched: len(certs),
}
// Revoke each certificate, continuing on individual failures
for _, cert := range certs {
// Skip already-revoked or archived certs
if cert.Status == domain.CertificateStatusRevoked {
result.TotalSkipped++
continue
}
if cert.Status == domain.CertificateStatusArchived {
result.TotalSkipped++
continue
}
err := s.revSvc.RevokeCertificateWithActor(ctx, cert.ID, reason, actor)
if err != nil {
result.TotalFailed++
result.Errors = append(result.Errors, domain.BulkRevocationError{
CertificateID: cert.ID,
Error: err.Error(),
})
s.logger.Warn("bulk revocation: individual cert failed",
"certificate_id", cert.ID,
"error", err)
} else {
result.TotalRevoked++
}
}
// Record audit event for the bulk operation
criteriaDetails := s.buildAuditDetails(criteria)
criteriaDetails["reason"] = reason
criteriaDetails["total_matched"] = result.TotalMatched
criteriaDetails["total_revoked"] = result.TotalRevoked
criteriaDetails["total_skipped"] = result.TotalSkipped
criteriaDetails["total_failed"] = result.TotalFailed
if err := s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser,
"bulk_revocation_initiated", "certificate", "bulk",
criteriaDetails); err != nil {
s.logger.Error("failed to record bulk revocation audit event", "error", err)
}
return result, nil
}
// resolveCertificates fetches the set of certificates matching the bulk revocation criteria.
// When CertificateIDs are provided, it fetches each cert by ID individually.
// When filter criteria (profile, owner, etc.) are provided, it uses the repository List method.
// When both are provided, it intersects: only IDs that also match the filter criteria.
func (s *BulkRevocationService) resolveCertificates(ctx context.Context, criteria domain.BulkRevocationCriteria) ([]*domain.ManagedCertificate, error) {
hasFilterCriteria := criteria.ProfileID != "" || criteria.OwnerID != "" ||
criteria.AgentID != "" || criteria.IssuerID != "" || criteria.TeamID != ""
hasExplicitIDs := len(criteria.CertificateIDs) > 0
if hasExplicitIDs && !hasFilterCriteria {
// Only explicit IDs — fetch each cert by ID
var certs []*domain.ManagedCertificate
for _, id := range criteria.CertificateIDs {
cert, err := s.certRepo.Get(ctx, id)
if err != nil {
// Skip not-found certs — they'll count as "matched" but skipped
continue
}
certs = append(certs, cert)
}
return certs, nil
}
// Use filter-based query
filter := &repository.CertificateFilter{
OwnerID: criteria.OwnerID,
TeamID: criteria.TeamID,
IssuerID: criteria.IssuerID,
AgentID: criteria.AgentID,
ProfileID: criteria.ProfileID,
PerPage: 10000, // High limit to get all matching certs in one query
}
certs, _, err := s.certRepo.List(ctx, filter)
if err != nil {
return nil, err
}
// If explicit IDs also provided, intersect
if hasExplicitIDs {
idSet := make(map[string]bool, len(criteria.CertificateIDs))
for _, id := range criteria.CertificateIDs {
idSet[id] = true
}
var filtered []*domain.ManagedCertificate
for _, cert := range certs {
if idSet[cert.ID] {
filtered = append(filtered, cert)
}
}
certs = filtered
}
// EST RFC 7030 hardening master bundle Phase 11.2: per-source
// post-filter. Empty Source matches anything (back-compat); a
// non-empty Source narrows the result set to only certs stamped
// with that provenance value. Filter is applied here rather than
// in the SQL query so existing CertificateFilter callers are
// unaffected; the small per-cert pass is fine because bulk-revoke
// is already a low-frequency operation.
if criteria.Source != "" {
var bySource []*domain.ManagedCertificate
for _, cert := range certs {
if cert.Source == criteria.Source {
bySource = append(bySource, cert)
}
}
certs = bySource
}
return certs, nil
}
// buildAuditDetails constructs a map of criteria fields for the audit event.
func (s *BulkRevocationService) buildAuditDetails(criteria domain.BulkRevocationCriteria) map[string]interface{} {
details := map[string]interface{}{}
if criteria.ProfileID != "" {
details["profile_id"] = criteria.ProfileID
}
if criteria.OwnerID != "" {
details["owner_id"] = criteria.OwnerID
}
if criteria.AgentID != "" {
details["agent_id"] = criteria.AgentID
}
if criteria.IssuerID != "" {
details["issuer_id"] = criteria.IssuerID
}
if criteria.TeamID != "" {
details["team_id"] = criteria.TeamID
}
if len(criteria.CertificateIDs) > 0 {
details["certificate_ids"] = strings.Join(criteria.CertificateIDs, ",")
}
return details
}
Reference in New Issue View Git Blame Copy Permalink