mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 17:41:29 +00:00
shankar0123
52248be717
Breaking change release. Plaintext HTTP listener removed. The certctl control plane now terminates TLS 1.3 on :8443 via http.Server.ListenAndServeTLS. No CERTCTL_TLS_ENABLED=false escape hatch. No dual-listener mode. One-step cutover per docs/upgrade-to-tls.md. Server - cmd/server/tls.go: certHolder with SIGHUP hot-reload + atomic cert swap, buildServerTLSConfig (TLS 1.3 min, GetCertificate callback), preflightServerTLS validation - cmd/server/main.go: ListenAndServeTLS in place of ListenAndServe, watchSIGHUP wiring, cert/key path config threading - tls_test.go: 418-line regression coverage of reload, preflight, callback behavior, SAN validation Config - CERTCTL_TLS_CERT_PATH / CERTCTL_TLS_KEY_PATH (required) - Plaintext rejection: agents/CLI/MCP pre-flight-fail on http:// URLs with a pointer to docs/upgrade-to-tls.md Agents, CLI, MCP - All three pre-flight-reject http:// URLs with fail-loud diagnostic - CERTCTL_SERVER_CA_BUNDLE_PATH for private-CA trust - CERTCTL_SERVER_TLS_INSECURE_SKIP_VERIFY for dev-only bypass (loud warning on startup) - install-agent.sh emits both vars as commented template lines docker-compose - certctl-tls-init sidecar generates SAN-valid self-signed cert into deploy/test/certs/ on first boot - All demo-stack curls pin against ca.crt with --cacert Helm chart - Three TLS provisioning modes, exactly one required: - server.tls.existingSecret (operator-supplied) - server.tls.certManager.enabled (cert-manager integration) - server.tls.selfSigned.enabled (eval only — not for production) - server-certificate.yaml template for cert-manager mode - helm install without a TLS source fails at template render with a pointer to docs/tls.md CI - .github/workflows/ci.yml Helm Chart Validation step renders the chart in both existingSecret and cert-manager modes, plus an inverse guard-regression test that asserts helm template MUST refuse to render when no TLS source is configured. Previously the single `helm template` invocation hit the certctl.tls.required fail-loud guard and exit-1'd CI. Four invocations now: lint (existingSecret), template (existingSecret), template (cert-manager), template (no args — must fail). Integration tests - deploy/test/integration_test.go stands up the Compose stack over HTTPS, extracts the CA bundle, and exercises every certctl API over https://localhost:8443 - All 34 integration subtests green (per Phase 8 local CI-parity) Documentation - New: docs/tls.md (provisioning patterns, rotation, SIGHUP reload) - New: docs/upgrade-to-tls.md (one-step cutover, no-downgrade warnings, fleet-roll sequencing) - CHANGELOG.md: v2.2.0 "HTTPS Everywhere — The Irony" entry (file heading unchanged; release tag is v2.0.47) - All curls in docs/, examples/, deploy/helm/ guides use https://localhost:8443 --cacert Verification - grep -rn "ListenAndServe[^T]" cmd/ internal/ → 0 hits - grep -rn "\"http://" cmd/ internal/ → 2 benign hits (Caddy admin API default, SSRF doc comment) — zero certctl endpoints - Tasks #197–#206 (Phases 0–8) all closed in the tracker Files: 65 changed, 3489 insertions, 372 deletions (pre-CI-fix).
229 lines
7.7 KiB
Go
229 lines
7.7 KiB
Go
package cli
|
|
|
|
import (
|
|
"encoding/json"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
)
|
|
|
|
// TestClient_RetireAgent_Success pins the I-004 CLI happy path: the operator
|
|
// runs `certctl-cli agents retire <id>` and the client issues a DELETE to
|
|
// /api/v1/agents/{id}, parses the 200 JSON body (retired_at, already_retired,
|
|
// cascade, counts), and reports success. The handler test already covers the
|
|
// server-side contract; this test covers the client-side wire formatting so a
|
|
// refactor of the server's 200 body shape can't silently break the CLI.
|
|
func TestClient_RetireAgent_Success(t *testing.T) {
|
|
var (
|
|
sawMethod string
|
|
sawPath string
|
|
sawForce string
|
|
sawReason string
|
|
)
|
|
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
sawMethod = r.Method
|
|
sawPath = r.URL.Path
|
|
sawForce = r.URL.Query().Get("force")
|
|
sawReason = r.URL.Query().Get("reason")
|
|
|
|
if r.Method != "DELETE" || r.URL.Path != "/api/v1/agents/ag-1" {
|
|
w.WriteHeader(http.StatusNotFound)
|
|
return
|
|
}
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(http.StatusOK)
|
|
_ = json.NewEncoder(w).Encode(map[string]interface{}{
|
|
"retired_at": "2026-04-18T12:00:00Z",
|
|
"already_retired": false,
|
|
"cascade": false,
|
|
"counts": map[string]interface{}{
|
|
"active_targets": 0,
|
|
"active_certificates": 0,
|
|
"pending_jobs": 0,
|
|
},
|
|
})
|
|
}))
|
|
defer server.Close()
|
|
|
|
client, _ := NewClient(server.URL, "", "table", "", false)
|
|
// Positional arg: the agent ID. No --force, no --reason — the default
|
|
// soft-retire path. Compile-fail until client.RetireAgent exists.
|
|
if err := client.RetireAgent([]string{"ag-1"}); err != nil {
|
|
t.Fatalf("RetireAgent(ag-1) err=%v want nil", err)
|
|
}
|
|
|
|
if sawMethod != "DELETE" {
|
|
t.Errorf("method=%q want DELETE", sawMethod)
|
|
}
|
|
if sawPath != "/api/v1/agents/ag-1" {
|
|
t.Errorf("path=%q want /api/v1/agents/ag-1", sawPath)
|
|
}
|
|
if sawForce != "" {
|
|
t.Errorf("force query=%q want empty (default path sends no force)", sawForce)
|
|
}
|
|
if sawReason != "" {
|
|
t.Errorf("reason query=%q want empty (default path sends no reason)", sawReason)
|
|
}
|
|
}
|
|
|
|
// TestClient_RetireAgent_Force_WithReason_Success pins the ?force=true&reason=...
|
|
// escape hatch wiring. Operators who supply --force + --reason get their values
|
|
// propagated as URL query parameters exactly once, so the server sees the same
|
|
// contract the handler test expects. Also verifies the cascade=true response
|
|
// body parses cleanly.
|
|
func TestClient_RetireAgent_Force_WithReason_Success(t *testing.T) {
|
|
var (
|
|
sawForce string
|
|
sawReason string
|
|
)
|
|
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
sawForce = r.URL.Query().Get("force")
|
|
sawReason = r.URL.Query().Get("reason")
|
|
|
|
if r.Method != "DELETE" || r.URL.Path != "/api/v1/agents/ag-1" {
|
|
w.WriteHeader(http.StatusNotFound)
|
|
return
|
|
}
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(http.StatusOK)
|
|
_ = json.NewEncoder(w).Encode(map[string]interface{}{
|
|
"retired_at": "2026-04-18T12:00:00Z",
|
|
"already_retired": false,
|
|
"cascade": true,
|
|
"counts": map[string]interface{}{
|
|
"active_targets": 2,
|
|
"active_certificates": 5,
|
|
"pending_jobs": 1,
|
|
},
|
|
})
|
|
}))
|
|
defer server.Close()
|
|
|
|
client, _ := NewClient(server.URL, "", "table", "", false)
|
|
if err := client.RetireAgent([]string{"ag-1", "--force", "--reason", "decommissioning rack 7"}); err != nil {
|
|
t.Fatalf("RetireAgent(force+reason) err=%v want nil", err)
|
|
}
|
|
if sawForce != "true" {
|
|
t.Errorf("force query=%q want \"true\"", sawForce)
|
|
}
|
|
if sawReason != "decommissioning rack 7" {
|
|
t.Errorf("reason query=%q want %q", sawReason, "decommissioning rack 7")
|
|
}
|
|
}
|
|
|
|
// TestClient_RetireAgent_Force_RequiresReason pins the client-side guard: using
|
|
// --force without --reason must fail BEFORE any HTTP request is made. Without
|
|
// this, the client would bounce off the server's 400 ErrForceReasonRequired
|
|
// only after a round trip — slow feedback, wasted audit-trail noise, and a
|
|
// worse operator experience. requestCount=0 enforces that no HTTP call happens.
|
|
func TestClient_RetireAgent_Force_RequiresReason(t *testing.T) {
|
|
var requestCount int
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
requestCount++
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
defer server.Close()
|
|
|
|
client, _ := NewClient(server.URL, "", "table", "", false)
|
|
err := client.RetireAgent([]string{"ag-1", "--force"})
|
|
if err == nil {
|
|
t.Fatalf("RetireAgent(force, no reason) err=nil want client-side error")
|
|
}
|
|
if !containsStr(err.Error(), "reason") {
|
|
t.Errorf("err=%q should mention --reason to guide operator", err.Error())
|
|
}
|
|
if requestCount != 0 {
|
|
t.Fatalf("requestCount=%d want 0; client must short-circuit before HTTP call", requestCount)
|
|
}
|
|
}
|
|
|
|
// TestClient_RetireAgent_MissingID covers the other common operator mistake:
|
|
// invoking `certctl-cli agents retire` with no agent ID. Must be caught by the
|
|
// client with a clear error, not a malformed DELETE to /api/v1/agents/.
|
|
func TestClient_RetireAgent_MissingID(t *testing.T) {
|
|
var requestCount int
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
requestCount++
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
defer server.Close()
|
|
|
|
client, _ := NewClient(server.URL, "", "table", "", false)
|
|
err := client.RetireAgent([]string{})
|
|
if err == nil {
|
|
t.Fatalf("RetireAgent([]) err=nil want missing-id error")
|
|
}
|
|
if requestCount != 0 {
|
|
t.Fatalf("requestCount=%d want 0; client must reject missing-id before HTTP", requestCount)
|
|
}
|
|
}
|
|
|
|
// TestClient_ListRetiredAgents_Success pins the audit/forensics CLI surface:
|
|
// `certctl-cli agents list-retired` must GET /api/v1/agents/retired and render
|
|
// the paged response. The server returns a PagedResponse; the client is
|
|
// responsible for printing it in table or JSON format, same as ListAgents.
|
|
func TestClient_ListRetiredAgents_Success(t *testing.T) {
|
|
var (
|
|
sawMethod string
|
|
sawPath string
|
|
)
|
|
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
sawMethod = r.Method
|
|
sawPath = r.URL.Path
|
|
|
|
if r.Method != "GET" || r.URL.Path != "/api/v1/agents/retired" {
|
|
w.WriteHeader(http.StatusNotFound)
|
|
return
|
|
}
|
|
w.Header().Set("Content-Type", "application/json")
|
|
_ = json.NewEncoder(w).Encode(map[string]interface{}{
|
|
"data": []map[string]interface{}{
|
|
{
|
|
"id": "ag-old-01",
|
|
"name": "decom-01",
|
|
"hostname": "server-old",
|
|
"status": "Offline",
|
|
"registered_at": "2024-01-01T00:00:00Z",
|
|
"retired_at": "2026-01-01T00:00:00Z",
|
|
"retired_reason": "old hardware",
|
|
},
|
|
},
|
|
"total": 1,
|
|
"page": 1,
|
|
"per_page": 50,
|
|
})
|
|
}))
|
|
defer server.Close()
|
|
|
|
client, _ := NewClient(server.URL, "", "table", "", false)
|
|
if err := client.ListRetiredAgents([]string{}); err != nil {
|
|
t.Fatalf("ListRetiredAgents err=%v want nil", err)
|
|
}
|
|
if sawMethod != "GET" {
|
|
t.Errorf("method=%q want GET", sawMethod)
|
|
}
|
|
if sawPath != "/api/v1/agents/retired" {
|
|
t.Errorf("path=%q want /api/v1/agents/retired", sawPath)
|
|
}
|
|
}
|
|
|
|
// TestClient_ListRetiredAgents_ServerError covers the non-happy path: server
|
|
// returns 5xx → client surfaces the error rather than silently printing an
|
|
// empty list. Without this, operators running the command as part of a
|
|
// compliance audit could miss a backend outage.
|
|
func TestClient_ListRetiredAgents_ServerError(t *testing.T) {
|
|
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
http.Error(w, "db unreachable", http.StatusInternalServerError)
|
|
}))
|
|
defer server.Close()
|
|
|
|
client, _ := NewClient(server.URL, "", "table", "", false)
|
|
err := client.ListRetiredAgents([]string{})
|
|
if err == nil {
|
|
t.Fatalf("ListRetiredAgents(500) err=nil want propagated error")
|
|
}
|
|
}
|