Phase 5 (admin endpoint slice) + Phase 6 (e2e test stub) of the
CRL/OCSP responder bundle. Closes the deferred items from the
backend-slice merge (77d6326).
What landed:
Phase 5 — admin observability:
* GET /api/v1/admin/crl/cache (handler.AdminCRLCacheHandler):
- Per-issuer cache state + most recent N generation events
- Admin-gated via middleware.IsAdmin (M-003 pattern); non-admin
callers get 403 + the service is never invoked
- Reveals issuer set + CRL cadence, hence the gate
- Returns CachePresent=false rows for never-generated issuers so
the GUI can show 'not yet generated' instead of 404
- Per-issuer Get failures decorate the row's RecentEvents rather
than failing the whole response
* AdminCRLCacheServiceImpl: thin handler-side composition over
repository.CRLCacheRepository + an issuer-IDs callback (avoids
importing internal/service from internal/api/handler)
* M-008 admin-gate pin updated: admin_crl_cache.go added to
AdminGatedHandlers; full triplet of tests
(NonAdmin_Returns403, AdminExplicitFalse_Returns403,
AdminPermitted_ForwardsActor) + RejectsNonGetMethod +
PropagatesServiceError
* Router registration + HandlerRegistry field + main.go wiring
(callback closure over issuerRegistry.List)
* OpenAPI entry under CRL & OCSP tag
Phase 6 — e2e scaffold:
* deploy/test/crl_ocsp_e2e_test.go with TestCRLOCSPLifecycle +
TestCRLOCSPPostEndpoint
* Lifecycle test exercises issue → fetch OCSP (Good) → revoke →
wait → fetch CRL (entry present) → fetch OCSP (Revoked) →
verify dedicated responder cert + id-pkix-ocsp-nocheck
* Helpers (issueLocalCert, revokeCertViaAPI, fetchCRL, fetchOCSP,
fetchCACert) currently call t.Skip with TODO markers — sandbox
has no Docker so the harness can't be wired end-to-end here;
when CI / a fresh dev workstation runs, the implementer wires
each helper to the existing integration_test.go primitives
* Build-tagged //go:build integration so the standard go test
sweep skips it; runs via the deploy/test integration workflow
Coverage: handler 80.6% (above 75 floor; was 79.8% pre-Phase-5).
All other packages unchanged.
Backward compat: admin endpoint inert until an admin Bearer key is
configured. The e2e test stub is no-op (skips) until wired.
Deferred:
* GUI cert-detail-page revocation panel — pure frontend work, no
backend impact, separate session
* E2E test helper wiring — depends on extracting the existing
integration-test harness primitives into shared helpers; doable
in a follow-up that has Docker available
* V3-Pro polish (delta CRLs, OCSP rate-limiting, OCSP stapling)
package handler
import (
	"go/ast"
	"go/parser"
	"go/token"
	"os"
	"path/filepath"
	"sort"
	"strings"
	"testing"
)
// Bundle C / Audit M-008: pin the admin-gated handler set.
//
// The audit's request is "Admin-gated operation role-gate test coverage
// needs verification". At audit time only one handler in
// internal/api/handler/ called middleware.IsAdmin to gate access:
// bulk_revocation.go — which has 3 dedicated tests
// (NonAdmin_Returns403, AdminExplicitFalse_Returns403,
// AdminPermitted_ForwardsActor) covering all three branches. Handlers
// gated since then (see AdminGatedHandlers below) are held to the same
// rule.
//
// This test enforces the invariant going forward by walking every
// non-test .go file in this package, finding every middleware.IsAdmin
// call site, and asserting the file appears in AdminGatedHandlers below
// (or, for callers that only report the flag, in
// InformationalIsAdminCallers). Adding a new middleware.IsAdmin call
// without updating the allowlist AND adding a parallel test triplet
// fails CI.
//
// Scope caveat: the scan only sees direct middleware.IsAdmin references
// inside this package. A gate implemented through a wrapper in another
// package, or any other authorization check, is not pinned here.

// AdminGatedHandlers is the documented allowlist of handler files that
// gate access on middleware.IsAdmin. Keys are handler filenames; values
// are a short justification for why the gate exists.
//
// Every entry MUST be backed by the three-test triplet that
// TestM008_AdminGatedHandlers_HaveTripletTests looks for:
//   - "_NonAdmin_Returns403"           — non-admin caller is rejected with 403
//   - "_AdminExplicitFalse_Returns403" — admin flag explicitly false is rejected with 403
//   - "_AdminPermitted_ForwardsActor"  — admin caller is allowed and the actor is forwarded
//
// Files that merely read the admin flag without gating on it (health.go
// surfaces it to the GUI) do NOT belong here — they are listed in
// InformationalIsAdminCallers instead.
var AdminGatedHandlers = map[string]string{
	"admin_crl_cache.go": "CRL/OCSP-Responder Phase 5: cache state reveals issuer set + CRL cadence — admin-only",
	"bulk_revocation.go": "M-003: bulk revocation is fleet-scale destructive — admin-only",
}

// InformationalIsAdminCallers is the documented allowlist of files that
// call middleware.IsAdmin without using the result to gate access. The
// only legitimate use of an informational call is reporting the flag to
// a downstream consumer (e.g. health.go::AuthCheck reports admin to the
// GUI so it can hide admin-only buttons).
//
// NOTE(review): scanIsAdminCallers only locates the call site; it cannot
// verify that the result is *not* used to gate. The "informational"
// classification is taken on trust from this table, so re-check the
// caller whenever its IsAdmin usage changes — a file that starts gating
// must move to AdminGatedHandlers and gain the test triplet.
var InformationalIsAdminCallers = map[string]string{
	"health.go": "informational: reports admin flag to GUI for affordance gating, no server-side gate",
}

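// TestM008_AdminGatedHandlers_PinExpectedSet asserts that the set of files
// calling middleware.IsAdmin is exactly AdminGatedHandlers ∪
// InformationalIsAdminCallers, and that the two allowlists are disjoint.
func TestM008_AdminGatedHandlers_PinExpectedSet(t *testing.T) {
	// A file is either a gate or an informational caller, never both.
	// Check this first: a duplicate would otherwise surface below as an
	// opaque length mismatch between actual and expected.
	for name := range AdminGatedHandlers {
		if why, dup := InformationalIsAdminCallers[name]; dup {
			t.Errorf("%s is in both AdminGatedHandlers and InformationalIsAdminCallers (%q) — it must be in exactly one", name, why)
		}
	}

	actual, err := scanIsAdminCallers(".")
	if err != nil {
		t.Fatalf("scan handler dir: %v", err)
	}

	// keys returns a fresh slice, so appending to it does not alias anything.
	expected := append(keys(AdminGatedHandlers), keys(InformationalIsAdminCallers)...)
	sort.Strings(actual)
	sort.Strings(expected)
	if slicesEqual008(actual, expected) {
		return
	}

	// Split the drift into "calls IsAdmin but is not allowlisted" and
	// "allowlisted but no longer calls IsAdmin" so the fix is obvious.
	listed := make(map[string]bool, len(expected))
	for _, f := range expected {
		listed[f] = true
	}
	seen := make(map[string]bool, len(actual))
	var unlisted, stale []string
	for _, f := range actual {
		seen[f] = true
		if !listed[f] {
			unlisted = append(unlisted, f)
		}
	}
	for _, f := range expected {
		if !seen[f] {
			stale = append(stale, f)
		}
	}

	t.Errorf(
		"middleware.IsAdmin call sites changed:\n"+
			"  actual:   %v\n"+
			"  expected: %v\n"+
			"  unlisted (calls IsAdmin, not allowlisted):   %v\n"+
			"  stale    (allowlisted, no IsAdmin call found): %v\n"+
			"\n"+
			"If you added a new admin gate, append it to AdminGatedHandlers AND\n"+
			"add the 3-test triplet (_NonAdmin_Returns403 / _AdminExplicitFalse_Returns403 /\n"+
			"_AdminPermitted_ForwardsActor) — see bulk_revocation_handler_test.go for\n"+
			"the template.\n"+
			"\n"+
			"If you added an informational caller (no gating), append to\n"+
			"InformationalIsAdminCallers with a justification.\n"+
			"\n"+
			"If a gate was removed on purpose, drop the file from the allowlist only\n"+
			"after confirming the endpoint is genuinely no longer admin-only.",
		actual, expected, unlisted, stale)
}
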
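// tripletSuffixes008 are the three test-name suffixes every admin-gated
// handler must provide (see AdminGatedHandlers).
var tripletSuffixes008 = [...]string{
	"NonAdmin_Returns403",
	"AdminExplicitFalse_Returns403",
	"AdminPermitted_ForwardsActor",
}

// TestM008_AdminGatedHandlers_HaveTripletTests checks that each handler in
// AdminGatedHandlers has its own gate-test triplet.
//
// The match is per handler: a Test* function counts for handler X only if
// it is declared (not merely mentioned) in a test file named X*_test.go,
// or its name contains X's name in CamelCase (case and underscores
// ignored). Without that attribution, one handler's triplet would have
// satisfied the check for every handler added after it.
func TestM008_AdminGatedHandlers_HaveTripletTests(t *testing.T) {
	testFiles, err := filepath.Glob("*_test.go")
	if err != nil {
		t.Fatalf("glob: %v", err)
	}
	declared := make(map[string][]string, len(testFiles)) // test file -> Test* names
	for _, file := range testFiles {
		names, err := listTestFuncs008(file)
		if err != nil {
			// A test file that does not parse cannot vouch for anything.
			t.Fatalf("parse %s: %v", file, err)
		}
		declared[file] = names
	}

	for handlerFile := range AdminGatedHandlers {
		base := strings.TrimSuffix(handlerFile, ".go")
		for _, suffix := range tripletSuffixes008 {
			if !hasTripletTest008(declared, base, suffix) {
				t.Errorf("admin-gated handler %s lacks a *_%s test attributable to it "+
					"(declare it in %s*_test.go or include %q in the test name)", base, suffix, base, base)
			}
		}
	}
}

// hasTripletTest008 reports whether some declared Test* function whose
// name contains suffix is attributable to handler base: it lives in a test
// file named base*_test.go (bulk_revocation_handler_test.go for
// bulk_revocation.go), or its name carries base's name with case and
// underscores ignored (admin_crl_cache matches
// TestAdminCRLCacheHandler_NonAdmin_Returns403).
func hasTripletTest008(declared map[string][]string, base, suffix string) bool {
	fold := func(s string) string { return strings.ReplaceAll(strings.ToLower(s), "_", "") }
	want := fold(base)
	for file, names := range declared {
		inOwnFile := strings.HasPrefix(filepath.Base(file), base)
		for _, name := range names {
			if !strings.Contains(name, suffix) {
				continue
			}
			if inOwnFile || strings.Contains(fold(name), want) {
				return true
			}
		}
	}
	return false
}

// listTestFuncs008 returns the names of the top-level `func Test…`
// declarations in file. Only real declarations count; a comment or string
// that mentions a test name does not.
func listTestFuncs008(file string) ([]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), file, nil, parser.SkipObjectResolution)
	if err != nil {
		return nil, err
	}
	var names []string
	for _, decl := range f.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if ok && fn.Recv == nil && strings.HasPrefix(fn.Name.Name, "Test") {
			names = append(names, fn.Name.Name)
		}
	}
	return names, nil
}
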
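// --- helpers --------------------------------------------------------------

// middlewarePkgName008 is the last path element of the middleware
// package's import path; any import whose path ends in it is treated as
// "the" middleware package, whatever local alias the file gives it.
const middlewarePkgName008 = "middleware"

// scanIsAdminCallers returns the names (not paths) of the non-test .go
// files directly under dir that reference middleware.IsAdmin, sorted.
//
// Detection is AST-based rather than a substring match so that
//   - import aliases (mw "…/middleware") and dot imports are not missed,
//   - comments or strings that merely mention the name are not counted.
//
// A file that cannot be read or parsed is reported as an error instead of
// being skipped: this scan is a security pin, so it fails closed.
func scanIsAdminCallers(dir string) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	fset := token.NewFileSet()
	var out []string
	for _, e := range entries {
		name := e.Name()
		if e.IsDir() || !strings.HasSuffix(name, ".go") || strings.HasSuffix(name, "_test.go") {
			continue
		}
		f, err := parser.ParseFile(fset, filepath.Join(dir, name), nil, parser.SkipObjectResolution)
		if err != nil {
			return nil, err
		}
		if referencesIsAdmin008(f) {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out, nil
}

// referencesIsAdmin008 reports whether f contains any reference to the
// IsAdmin identifier of the middleware package. Any reference counts, not
// only a call expression: code that takes middleware.IsAdmin as a value
// and invokes it later still gates on it and must be allowlisted.
func referencesIsAdmin008(f *ast.File) bool {
	// Local names under which the middleware package is visible. The bare
	// name "middleware" always counts (as the earlier substring check did),
	// so an alias of that name pointing at a differently-named package is
	// still caught; over-matching is the safe direction for a pin.
	pkgNames := map[string]bool{middlewarePkgName008: true}
	dotImported := false
	for _, imp := range f.Imports {
		p := strings.Trim(imp.Path.Value, "\"`")
		if p[strings.LastIndex(p, "/")+1:] != middlewarePkgName008 {
			continue
		}
		switch {
		case imp.Name == nil:
			// default package name, already present
		case imp.Name.Name == ".":
			dotImported = true
		case imp.Name.Name == "_":
			// blank import exposes nothing
		default:
			pkgNames[imp.Name.Name] = true
		}
	}

	found := false
	selNames := map[*ast.Ident]bool{} // Sel idents, so x.IsAdmin is not read as a bare IsAdmin
	ast.Inspect(f, func(n ast.Node) bool {
		if found {
			return false
		}
		switch x := n.(type) {
		case *ast.SelectorExpr:
			selNames[x.Sel] = true
			if id, ok := x.X.(*ast.Ident); ok && x.Sel.Name == "IsAdmin" && pkgNames[id.Name] {
				found = true
			}
		case *ast.Ident:
			// Under a dot import the function is referenced unqualified.
			if dotImported && x.Name == "IsAdmin" && !selNames[x] {
				found = true
			}
		}
		return !found
	})
	return found
}
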
// keys returns the keys of m as a fresh slice, in map iteration order
// (i.e. unordered — callers sort if they need determinism).
func keys(m map[string]string) []string {
	ks := make([]string, len(m))
	i := 0
	for k := range m {
		ks[i] = k
		i++
	}
	return ks
}

// slicesEqual008 reports whether a and b have the same length and the same
// elements in the same positions. Two nil/empty slices compare equal.
func slicesEqual008(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i, v := range a {
		if v != b[i] {
			return false
		}
	}
	return true
}