mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 20:31:30 +00:00
shankar0123
b0efdbe2f8
Closes the #3 acquisition-readiness blocker from the 2026-05-01 issuer coverage audit (Part 1.5 finding #1: audit row not transactional with issuance). AuditRepository.Create previously ran on the package-level *sql.DB while the certificate insert / version insert / revocation insert ran on independent connections — a failed audit INSERT after a successful operation INSERT was silently lost. SOX §404 over IT general controls, PCI-DSS §10 audit logging, HIPAA §164.312(b) audit controls, and CA/B Forum Baseline Requirements §5.4.1 audit log records all presume audit-with-operation atomicity. Design — Option A (Querier abstraction). The chosen pattern: a shared repository.Querier interface (subset of *sql.DB and *sql.Tx) plus a postgres.WithinTx helper that begins a tx, runs fn, commits on nil error, rolls back on error or panic, and returns the wrapped result. Repository methods that participate in a service-layer transaction expose a *WithTx variant taking repository.Querier; the bare methods remain for stand-alone use. A repository.Transactor abstracts the "begin tx, run fn, commit/rollback" lifecycle so service-layer code runs multi-write operations atomically without holding *sql.DB directly. Option B (UnitOfWork) was considered but adds boilerplate without behavioral benefit for the current scope. Option C (context-carried tx) was explicitly rejected — it hides the transactional boundary from the type system, reproducing the class of bug we're fixing. This commit: - Adds internal/repository/querier.go with the Querier interface (compile-time guards that *sql.DB and *sql.Tx satisfy it) and the Transactor interface for service-layer use. - Adds internal/repository/postgres/tx.go with the WithinTx helper (begin/fn/commit/rollback with panic recovery) and a transactor type that satisfies repository.Transactor. - Adds CreateWithTx variants on AuditRepository, CertificateRepository (Create + Update + CreateVersion), and RevocationRepository. Existing bare methods now delegate to the *WithTx variant using the package-level *sql.DB so existing call sites are behavior-preserving. - Updates repository/interfaces.go: AuditRepository, CertificateRepository, and RevocationRepository declare the new *WithTx methods. Adds an atomicity contract doc-comment on AuditRepository pointing at WithinTx + the audit blocker. - Adds AuditService.RecordEventWithTx, mirroring RecordEvent but routing through CreateWithTx so the audit row is part of the caller's transaction. Same redaction + marshalling contract. - Refactors three audit-emitting service paths to use Transactor.WithinTx when SetTransactor was wired, with a legacy fallback for backward compat: * CertificateService.Create — cert insert + audit row in one tx. * RevocationSvc.RevokeCertificateWithActor — cert status update + revocation row + audit row in one tx. The OCSP cache invalidate remains best-effort (out of scope per the prompt). * RenewalService CompleteServerRenewal — cert version insert + cert update + audit row in one tx. Job status update stays outside the audit-atomicity scope (job state lives outside the operator-facing audit trail). - Adds SetTransactor on CertificateService, RevocationSvc, and RenewalService. cmd/server/main.go wires a single Transactor instance shared across all three so all audit-emitting paths run their writes in transactions backed by the same *sql.DB handle. - Updates 5 mock implementations to satisfy the new interface methods: mockCertRepo (testutil_test.go), mockCertRepoWithGetError (shortlived_test.go), fakeRevocationRepo (crl_cache_test.go), intuneE2EAuditRepo (scep_intune_e2e_test.go), and the integration- test mocks (lifecycle_test.go: mockCertificateRepository, mockAuditRepository, mockRevocationRepository). All *WithTx mocks ignore the Querier and delegate to the bare method (mocks have no DB; in-memory state is shared regardless of "tx"). - Adds a service-layer test mockTransactor with BeginTxErr and CommitErr knobs so the atomic-audit tests can assert error propagation through the transactional boundary. - Adds internal/repository/postgres/tx_test.go: unit-level test that WithinTx surfaces "begin tx" wrap when BeginTx fails, and that Transactor.WithinTx delegates correctly. Real-Postgres rollback semantics are covered by the testcontainers tests in the postgres package — sandbox disk pressure prevented adding a sqlmock dep for the in-fn / commit-failure unit test, so those scenarios are exercised through atomic_audit_test.go using the mockTransactor's CommitErr / BeginTxErr fields. - Adds internal/service/atomic_audit_test.go: * TestCertificateService_Create_AtomicWithTx — asserts audit insert failure inside the tx surfaces as the operation's error (closes the blocker contract). * TestCertificateService_Create_LegacyPathLogs — pins the backward-compat behavior when SetTransactor isn't wired: audit failure is logged-not-failed, matching pre-fix. * TestCertificateService_Create_TransactorBeginFailure — BeginTx error path: operation fails, no cert insert, no audit insert. * TestCertificateService_Create_TransactorCommitFailure — Commit error after successful in-fn writes surfaces as the operation's error. Real Postgres can fail Commit on serialization conflicts; the service must report this. Out of scope (separate follow-up commits, same shape): - Issuer CRUD audit atomicity. - Target CRUD audit atomicity. - Agent retire (already transactional via RetireAgentWithCascade; verified, not changed). - Renewal-policy CRUD audit atomicity. - Owner/team/agent-group CRUD audit atomicity. - Discovery / health-check audit atomicity. Verified locally: - gofmt -l . clean - go vet ./... clean - staticcheck ./... clean - golangci-lint run --timeout 5m ./... → 0 issues - go test -short -count=1 ./internal/service/ green - go test -short -count=1 ./internal/api/handler/ green - go test -short -count=1 ./internal/integration/ green - go test -short -count=1 ./internal/repository/postgres/ green - go build ./... success Audit reference: cowork/issuer-coverage-audit-2026-05-01/RESULTS.md Top-10 fix #3 (Part 3, narrative section).
172 lines
6.1 KiB
Go
172 lines
6.1 KiB
Go
package postgres
|
|
|
|
import (
|
|
"context"
|
|
"database/sql"
|
|
"fmt"
|
|
"github.com/shankar0123/certctl/internal/repository"
|
|
|
|
"github.com/shankar0123/certctl/internal/domain"
|
|
)
|
|
|
|
// RevocationRepository implements repository.RevocationRepository using PostgreSQL.
|
|
type RevocationRepository struct {
|
|
db *sql.DB
|
|
}
|
|
|
|
// NewRevocationRepository creates a new RevocationRepository.
|
|
func NewRevocationRepository(db *sql.DB) *RevocationRepository {
|
|
return &RevocationRepository{db: db}
|
|
}
|
|
|
|
// Create records a new certificate revocation.
|
|
//
|
|
// Uniqueness is scoped to (issuer_id, serial_number) per RFC 5280 §5.2.3.
|
|
// Serial numbers are only unique within an issuer, so certctl supports
|
|
// collisions across different issuer connectors. The composite ON CONFLICT
|
|
// target matches migration 000012's unique index.
|
|
func (r *RevocationRepository) Create(ctx context.Context, revocation *domain.CertificateRevocation) error {
|
|
return r.CreateWithTx(ctx, r.db, revocation)
|
|
}
|
|
|
|
// CreateWithTx records a revocation using the supplied Querier. Closes
|
|
// the audit-atomicity blocker for the revocation path: the
|
|
// certificate_revocations row must be atomic with the managed_certificates
|
|
// status update + audit row insert.
|
|
func (r *RevocationRepository) CreateWithTx(ctx context.Context, q repository.Querier, revocation *domain.CertificateRevocation) error {
|
|
_, err := q.ExecContext(ctx, `
|
|
INSERT INTO certificate_revocations (
|
|
id, certificate_id, serial_number, reason, revoked_by, revoked_at,
|
|
issuer_id, issuer_notified, created_at
|
|
) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
|
|
ON CONFLICT (issuer_id, serial_number) DO NOTHING
|
|
`, revocation.ID, revocation.CertificateID, revocation.SerialNumber,
|
|
revocation.Reason, revocation.RevokedBy, revocation.RevokedAt,
|
|
revocation.IssuerID, revocation.IssuerNotified, revocation.CreatedAt)
|
|
|
|
if err != nil {
|
|
return fmt.Errorf("failed to create revocation record: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// GetByIssuerAndSerial retrieves a revocation by the (issuer_id, serial) pair.
|
|
//
|
|
// Per RFC 5280 §5.2.3, serial numbers are unique only within a single issuer.
|
|
// Callers (OCSP handlers, CRL generation) always know the issuer because the
|
|
// OCSP URL carries it as a path parameter and CRLs are generated per-issuer.
|
|
func (r *RevocationRepository) GetByIssuerAndSerial(ctx context.Context, issuerID, serial string) (*domain.CertificateRevocation, error) {
|
|
var rev domain.CertificateRevocation
|
|
err := r.db.QueryRowContext(ctx, `
|
|
SELECT id, certificate_id, serial_number, reason, revoked_by, revoked_at,
|
|
issuer_id, issuer_notified, created_at
|
|
FROM certificate_revocations
|
|
WHERE issuer_id = $1 AND serial_number = $2
|
|
`, issuerID, serial).Scan(&rev.ID, &rev.CertificateID, &rev.SerialNumber,
|
|
&rev.Reason, &rev.RevokedBy, &rev.RevokedAt,
|
|
&rev.IssuerID, &rev.IssuerNotified, &rev.CreatedAt)
|
|
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to get revocation by issuer and serial: %w", err)
|
|
}
|
|
|
|
return &rev, nil
|
|
}
|
|
|
|
// ListAll returns all revocations ordered by revocation time (for CRL generation).
|
|
func (r *RevocationRepository) ListAll(ctx context.Context) ([]*domain.CertificateRevocation, error) {
|
|
rows, err := r.db.QueryContext(ctx, `
|
|
SELECT id, certificate_id, serial_number, reason, revoked_by, revoked_at,
|
|
issuer_id, issuer_notified, created_at
|
|
FROM certificate_revocations
|
|
ORDER BY revoked_at ASC
|
|
`)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to list revocations: %w", err)
|
|
}
|
|
defer rows.Close()
|
|
|
|
return scanRevocations(rows)
|
|
}
|
|
|
|
// ListByIssuer returns all revocations for a single issuer, ordered by revocation time.
|
|
//
|
|
// This is the hot path for CRL generation. Pushing the issuer filter into the
|
|
// SQL query lets the composite index `idx_certificate_revocations_issuer_serial`
|
|
// (migration 000012) drive a prefix scan on issuer_id rather than forcing
|
|
// callers to load every row in the table and discard the ones belonging to
|
|
// other issuers.
|
|
func (r *RevocationRepository) ListByIssuer(ctx context.Context, issuerID string) ([]*domain.CertificateRevocation, error) {
|
|
rows, err := r.db.QueryContext(ctx, `
|
|
SELECT id, certificate_id, serial_number, reason, revoked_by, revoked_at,
|
|
issuer_id, issuer_notified, created_at
|
|
FROM certificate_revocations
|
|
WHERE issuer_id = $1
|
|
ORDER BY revoked_at ASC
|
|
`, issuerID)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to list revocations by issuer: %w", err)
|
|
}
|
|
defer rows.Close()
|
|
|
|
return scanRevocations(rows)
|
|
}
|
|
|
|
// ListByCertificate returns all revocations for a certificate.
|
|
func (r *RevocationRepository) ListByCertificate(ctx context.Context, certID string) ([]*domain.CertificateRevocation, error) {
|
|
rows, err := r.db.QueryContext(ctx, `
|
|
SELECT id, certificate_id, serial_number, reason, revoked_by, revoked_at,
|
|
issuer_id, issuer_notified, created_at
|
|
FROM certificate_revocations
|
|
WHERE certificate_id = $1
|
|
ORDER BY revoked_at ASC
|
|
`, certID)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to list revocations by certificate: %w", err)
|
|
}
|
|
defer rows.Close()
|
|
|
|
return scanRevocations(rows)
|
|
}
|
|
|
|
// MarkIssuerNotified updates the issuer_notified flag for a revocation.
|
|
func (r *RevocationRepository) MarkIssuerNotified(ctx context.Context, id string) error {
|
|
result, err := r.db.ExecContext(ctx, `
|
|
UPDATE certificate_revocations SET issuer_notified = TRUE WHERE id = $1
|
|
`, id)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to mark issuer notified: %w", err)
|
|
}
|
|
|
|
rows, err := result.RowsAffected()
|
|
if err != nil {
|
|
return fmt.Errorf("failed to get rows affected: %w", err)
|
|
}
|
|
|
|
if rows == 0 {
|
|
return fmt.Errorf("revocation not found: %w", repository.ErrNotFound)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func scanRevocations(rows *sql.Rows) ([]*domain.CertificateRevocation, error) {
|
|
var revocations []*domain.CertificateRevocation
|
|
for rows.Next() {
|
|
var rev domain.CertificateRevocation
|
|
if err := rows.Scan(&rev.ID, &rev.CertificateID, &rev.SerialNumber,
|
|
&rev.Reason, &rev.RevokedBy, &rev.RevokedAt,
|
|
&rev.IssuerID, &rev.IssuerNotified, &rev.CreatedAt); err != nil {
|
|
return nil, fmt.Errorf("failed to scan revocation: %w", err)
|
|
}
|
|
revocations = append(revocations, &rev)
|
|
}
|
|
|
|
if err := rows.Err(); err != nil {
|
|
return nil, fmt.Errorf("error iterating revocation rows: %w", err)
|
|
}
|
|
|
|
return revocations, nil
|
|
}
|