mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 17:02:43 +00:00
shankar0123
3094010880
Phase 9 ARCH-M2 closure Sprint 12 — the LAST of the audit's named
hotspot sub-splits. Splits cmd/agent/main.go (1489 LOC, the
sixth-largest backend hotspot at audit time) via the Option B
sibling-file pattern (mirrors the Sprint 8 cmd/server cut). Package
stays `main`; every method is still defined on *Agent so each call
site continues to resolve through Go's same-package method-set —
no import-path or signature change.
Audit prescription vs reality
=============================
The audit's Tasks-Deferred row prescribed
"main + poll + deploy + register sibling files." The actual
cmd/agent/main.go has no `register` function — agent registration
happens via the control-plane REST API (POST /api/v1/agents)
before the agent process starts. The closest analogue in the agent
binary is the filesystem-discovery scan (runDiscoveryScan + the
parsePEMFile / parseDERFile / certToEntry / sha256Sum / certKeyInfo
helpers), which is the agent's other "outbound report-to-server"
surface alongside the inbound work-poll path.
Sprint 12 substitutes `discovery` for `register` in the prescription
and keeps the other three buckets as named: `main` (lifecycle + HTTP
infrastructure + entrypoint), `poll` (work-poll + CSR-job execution),
`deploy` (deployment-job execution + target connector factory).
What moved
==========
New `cmd/agent/poll.go` (279 LOC) — work-poll + CSR-job execution:
- pollForWork: GET /api/v1/agents/{id}/work each tick; dispatches
each returned JobItem to the right executor.
- executeCSRJob: handles AwaitingCSR jobs by generating an ECDSA
P-256 key locally, persisting it with 0600 permissions (key
NEVER leaves the agent — CLAUDE.md "Agent-based key
management"), creating + submitting the CSR.
New `cmd/agent/deploy.go` (443 LOC) — deployment + target factory:
- executeDeploymentJob: handles Pending deployment jobs by
fetching the cert PEM, loading the locally-held private key
(agent keygen mode), instantiating the appropriate target
connector, calling DeployCertificate, and reporting status.
- createTargetConnector: the 170-LOC switch over target_type
that instantiates 14 different target connectors (apache /
awsacm / azurekv / caddy / envoy / f5 / haproxy / iis /
javakeystore / k8ssecret / nginx / postfix / ssh / traefik /
wincertstore). Context is threaded through to SDK-driven
connectors (AWSACM, AzureKeyVault) per the contextcheck linter
fix in CI commit 502823d.
- splitPEMChain + fetchCertificate (deploy-only helpers).
New `cmd/agent/discovery.go` (275 LOC) — filesystem cert discovery:
- runDiscoveryScan: walks each configured discovery directory,
dispatches each candidate file to parsePEMFile / parseDERFile,
batches the parsed entries, and POSTs them to
/api/v1/agents/{id}/discoveries (the machine-to-machine surface
that is intentionally NOT exposed via MCP).
- parsePEMFile + parseDERFile + certToEntry + sha256Sum +
certKeyInfo + the discoveredCertEntry struct that ties them
together.
What stays in main.go (644 LOC, down from 1489)
================================================
- Types: AgentConfig, Agent struct, ErrAgentRetired var,
WorkResponse, JobItem.
- Lifecycle: NewAgent constructor, Run, markRetired,
sendHeartbeat, getOutboundIP, targetDeployMutex method.
- Shared HTTP infrastructure: makeRequest (consumed by poll +
deploy + discovery + lifecycle), reportJobStatus (consumed by
poll + deploy).
- Entrypoint: main(), getEnvDefault, getEnvBoolDefault,
validateHTTPSScheme.
Side-effect import cleanup
==========================
21 imports drop from cmd/agent/main.go as a clean side effect:
Standard library (7):
- crypto/ecdsa, crypto/elliptic (poll only)
- crypto/rand (poll only)
- crypto/rsa (discovery only)
- crypto/sha256 (discovery only)
- crypto/x509/pkix (poll only)
- encoding/pem (poll + deploy + discovery)
- path/filepath (poll + deploy + discovery)
Target connectors (14):
- internal/connector/target + apache + awsacm + azurekv + caddy +
envoy + f5 + haproxy + iis + javakeystore + k8ssecret + nginx +
postfix + ssh + traefik + wincertstore — all 14 were used ONLY
by createTargetConnector and moved with the factory to deploy.go.
The surviving main.go now imports 20 stdlib packages + zero
internal packages — the leanest the agent binary's entrypoint has
been since the agent first shipped target-connector orchestration.
Per-import audit on every new sibling file is in the diff:
- poll.go: context, crypto/ecdsa, crypto/elliptic, crypto/rand,
crypto/x509, crypto/x509/pkix, encoding/json, encoding/pem,
fmt, io, net/http, os, path/filepath, strings (no sync — the
sync.Once / sync.Mutex / sync.Map usages all live in the
surviving main.go's lifecycle code).
- deploy.go: context, encoding/json, encoding/pem, fmt, io,
net/http, os, path/filepath, strings + target + 14 connector
packages.
- discovery.go: context, crypto/ecdsa, crypto/rsa, crypto/sha256,
crypto/x509, encoding/pem, fmt, io, net/http, os,
path/filepath, strings, time.
Net effect
==========
main.go: 1489 → 644 LOC (-845 = -56.7%). Three new sibling files at
997 LOC total (845 moved + ~152 LOC of header + Phase 9 doc-comment
overhead). Matches the Sprint 8 cmd/server pattern in shape (main +
wire + migrations) and size reduction (-23.8% there vs -56.7% here —
the agent had more concentrated single-purpose functions than the
server's wiring-heavy main).
Cumulative Phase 9 progress (all 6 named hotspots)
==================================================
config.go 3403 → 1342 (-60.6%, Sprints 1-7)
cmd/server/main.go 2966 → 2260 (-23.8%, Sprints 8 + 8b)
service/acme.go 1965 → 1162 (-40.9%, Sprints 9 + 9b)
mcp/tools.go 1867 → 109 (-94.2%, Sprint 10)
auth_session_oidc 1577 → 452 (-71.3%, Sprint 11)
cmd/agent/main.go 1489 → 644 (-56.7%, Sprint 12)
TOTAL across 6 files: 13,267 → 5,969 LOC = -7,298 (-55.0%)
All 6 named hotspots from the audit's top-6 list are now below
1,500 LOC. The largest remaining hotspot from the top-6 is
cmd/server/main.go at 2,260 LOC (intentional — every backend
service the server wires is one line in main(), so the size is
roughly proportional to surface area, not concern-tangling).
Behavior preservation contract
==============================
1. gofmt -l clean across all 4 affected files.
2. go vet ./cmd/agent/... — no findings.
3. staticcheck ./cmd/agent/... — no findings.
4. go test -short -count=1 ./cmd/agent/... — green (includes
agent_test.go 1716-LOC suite that pins every moved function:
pollForWork / executeCSRJob / executeDeploymentJob /
createTargetConnector / runDiscoveryScan plus dispatch_test.go,
deploy_mutex_test.go, keymem_test.go).
5. Broader-importer build green: go build ./... .
Same-package resolution means every cross-file call (poll →
makeRequest, deploy → makeRequest + reportJobStatus + verifyAnd-
ReportDeployment in verify.go, discovery → makeRequest) resolves
through Go's package-level method-set with zero compile-time cost
+ zero runtime overhead. The public surface of the cmd/agent
binary is unchanged.
What this commit closes
=======================
Sprint 12 is the LAST of the audit's named top-6 hotspot sub-splits.
The ARCH-M2 finding now reflects:
- 6 of 6 named backend hotspots below 1,500 LOC.
- 24 of 24 named sub-splits shipped across Sprints 1-12 (config
family ×7 + cmd/server ×2 + service/acme ×2 + mcp/tools ×6 +
auth_session_oidc ×4 + cmd/agent ×3).
- 7,298 LOC of code-locality concentration removed across the
top 6 files.
Whether to flip ARCH-M2 from 🛠 Scaffolded to ✓ Shipped is now an
operator-discretion call — every named target landed, but the
finding's spirit ("split god-files by responsibility") is a
continuous discipline rather than a binary done/not-done.
Refs: ARCH-M2 (god-files), Phase 9 audit. Sprint 12 is the named-
hotspot conclusion of Phase 9.
279 lines
9.8 KiB
Go
279 lines
9.8 KiB
Go
// Copyright 2026 certctl LLC. All rights reserved.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package main
|
|
|
|
import (
|
|
"context"
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/json"
|
|
"encoding/pem"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
)
|
|
|
|
// Phase 9 ARCH-M2 closure Sprint 12 (2026-05-14): extracted from
|
|
// cmd/agent/main.go via the Option B sibling-file pattern (mirrors
|
|
// the Sprint 8 cmd/server cut). Package stays `main`; all methods
|
|
// are still defined on *Agent so every call site continues to
|
|
// resolve through Go's same-package method-set without any
|
|
// import-path change.
|
|
//
|
|
// This file holds the WORK-POLLING entry point + CSR-job execution
|
|
// — the inbound side of the agent's pull-only deployment model
|
|
// (per CLAUDE.md "Pull-only deployment model" architecture
|
|
// decision):
|
|
//
|
|
// - pollForWork: queries GET /api/v1/agents/{id}/work each tick;
|
|
// dispatches each returned JobItem to the appropriate
|
|
// executor (CSR vs deployment).
|
|
// - executeCSRJob: handles AwaitingCSR jobs by generating an
|
|
// ECDSA P-256 key locally, persisting it to keyDir/<certID>.key
|
|
// with 0600 permissions (key NEVER leaves the agent — see
|
|
// CLAUDE.md "Agent-based key management"), creating the CSR,
|
|
// and POSTing it to the control plane for signing.
|
|
//
|
|
// The deployment-job executor lives in deploy.go alongside the
|
|
// target connector factory + deploy-only helpers (splitPEMChain,
|
|
// fetchCertificate). The discovery scan lives in discovery.go.
|
|
|
|
// pollForWork queries the control plane for actionable jobs and processes them.
|
|
// Jobs may be deployment jobs (Pending) or CSR jobs (AwaitingCSR).
|
|
// GET /api/v1/agents/{agentID}/work
|
|
func (a *Agent) pollForWork(ctx context.Context) {
|
|
a.logger.Debug("polling for work", "agent_id", a.config.AgentID)
|
|
|
|
path := fmt.Sprintf("/api/v1/agents/%s/work", a.config.AgentID)
|
|
resp, err := a.makeRequest(ctx, http.MethodGet, path, nil)
|
|
if err != nil {
|
|
a.logger.Error("work poll failed", "error", err)
|
|
a.consecutiveFailures++
|
|
return
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
// I-004: same terminal-retirement handling as sendHeartbeat. Work-poll is the
|
|
// other hot path that can observe an agent's soft-retirement; if the
|
|
// heartbeat tick happens to fire after a work-poll tick within the same
|
|
// retirement window, this branch catches it first. markRetired's sync.Once
|
|
// guards idempotency so racing both paths in the same tick only closes the
|
|
// signal channel once. No consecutiveFailures increment — retirement is
|
|
// not a transient failure.
|
|
if resp.StatusCode == http.StatusGone {
|
|
body, _ := io.ReadAll(resp.Body)
|
|
a.markRetired("work_poll", resp.StatusCode, string(body))
|
|
return
|
|
}
|
|
|
|
if resp.StatusCode != http.StatusOK {
|
|
body, _ := io.ReadAll(resp.Body)
|
|
a.logger.Error("work poll rejected",
|
|
"status", resp.StatusCode,
|
|
"body", string(body))
|
|
a.consecutiveFailures++
|
|
return
|
|
}
|
|
|
|
var workResp WorkResponse
|
|
if err := json.NewDecoder(resp.Body).Decode(&workResp); err != nil {
|
|
a.logger.Error("failed to decode work response", "error", err)
|
|
a.consecutiveFailures++
|
|
return
|
|
}
|
|
|
|
a.consecutiveFailures = 0
|
|
|
|
if workResp.Count == 0 {
|
|
a.logger.Debug("no pending work")
|
|
return
|
|
}
|
|
|
|
a.logger.Info("received work", "job_count", workResp.Count)
|
|
|
|
// Process each job based on type and status
|
|
for _, job := range workResp.Jobs {
|
|
switch {
|
|
case job.Status == "AwaitingCSR":
|
|
// Agent keygen mode: generate key locally, create CSR, submit to server
|
|
a.executeCSRJob(ctx, job)
|
|
case job.Type == "Deployment":
|
|
a.executeDeploymentJob(ctx, job)
|
|
}
|
|
}
|
|
}
|
|
|
|
// executeCSRJob handles an AwaitingCSR job: generates a private key locally, creates a CSR,
|
|
// and submits it to the control plane for signing. The private key is stored on the local
|
|
// filesystem with 0600 permissions and NEVER sent to the server.
|
|
//
|
|
// Flow:
|
|
// 1. Generate ECDSA P-256 key pair
|
|
// 2. Store private key to disk (keyDir/certID.key) with 0600 permissions
|
|
// 3. Create CSR with common name and SANs from work response
|
|
// 4. Submit CSR to control plane via POST /agents/{id}/csr
|
|
// 5. Server signs the CSR and creates a cert version + deployment jobs
|
|
func (a *Agent) executeCSRJob(ctx context.Context, job JobItem) {
|
|
a.logger.Info("executing CSR job (agent-side key generation)",
|
|
"job_id", job.ID,
|
|
"certificate_id", job.CertificateID,
|
|
"common_name", job.CommonName)
|
|
|
|
// Step 1: Generate ECDSA P-256 key pair
|
|
privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
if err != nil {
|
|
a.logger.Error("failed to generate private key",
|
|
"job_id", job.ID,
|
|
"error", err)
|
|
if reportErr := a.reportJobStatus(ctx, job.ID, "Failed", fmt.Sprintf("key generation failed: %v", err)); reportErr != nil {
|
|
a.logger.Error("failed to report job status to server", "job_id", job.ID, "status", "Failed", "error", reportErr)
|
|
}
|
|
return
|
|
}
|
|
|
|
a.logger.Info("generated ECDSA P-256 key pair locally",
|
|
"job_id", job.ID,
|
|
"certificate_id", job.CertificateID)
|
|
|
|
// Step 2: Store private key to disk with secure permissions.
|
|
//
|
|
// Bundle-9 / Audit L-002 + L-003: marshal+write through helpers that
|
|
// (a) zeroize the in-heap DER buffer immediately after the PEM block is
|
|
// constructed so the private scalar's exposure window is bounded by
|
|
// this function call, and (b) assert the key directory is mode 0700
|
|
// before any write touches disk. Also defer-clear the PEM buffer for
|
|
// the same reason — the encoded key isn't sensitive in transit (it's
|
|
// going to disk) but lingers on the heap if we don't.
|
|
keyPath := filepath.Join(a.config.KeyDir, job.CertificateID+".key")
|
|
if err := ensureAgentKeyDirSecure(filepath.Dir(keyPath)); err != nil {
|
|
a.logger.Error("agent key dir hardening failed", "job_id", job.ID, "error", err)
|
|
if reportErr := a.reportJobStatus(ctx, job.ID, "Failed", fmt.Sprintf("key dir hardening failed: %v", err)); reportErr != nil {
|
|
a.logger.Error("failed to report job status to server", "job_id", job.ID, "status", "Failed", "error", reportErr)
|
|
}
|
|
return
|
|
}
|
|
var privKeyPEM []byte
|
|
if marshalErr := marshalAgentKeyAndZeroize(privKey, func(der []byte) error {
|
|
privKeyPEM = pem.EncodeToMemory(&pem.Block{
|
|
Type: "EC PRIVATE KEY",
|
|
Bytes: der,
|
|
})
|
|
return nil
|
|
}); marshalErr != nil {
|
|
a.logger.Error("failed to marshal private key",
|
|
"job_id", job.ID,
|
|
"error", marshalErr)
|
|
if reportErr := a.reportJobStatus(ctx, job.ID, "Failed", fmt.Sprintf("key marshal failed: %v", marshalErr)); reportErr != nil {
|
|
a.logger.Error("failed to report job status to server", "job_id", job.ID, "status", "Failed", "error", reportErr)
|
|
}
|
|
return
|
|
}
|
|
defer clear(privKeyPEM)
|
|
|
|
if err := os.WriteFile(keyPath, privKeyPEM, 0600); err != nil {
|
|
a.logger.Error("failed to write private key to disk",
|
|
"job_id", job.ID,
|
|
"key_path", keyPath,
|
|
"error", err)
|
|
if reportErr := a.reportJobStatus(ctx, job.ID, "Failed", fmt.Sprintf("key storage failed: %v", err)); reportErr != nil {
|
|
a.logger.Error("failed to report job status to server", "job_id", job.ID, "status", "Failed", "error", reportErr)
|
|
}
|
|
return
|
|
}
|
|
|
|
a.logger.Info("private key stored securely",
|
|
"job_id", job.ID,
|
|
"key_path", keyPath,
|
|
"permissions", "0600")
|
|
|
|
// Validate common name is present
|
|
if job.CommonName == "" {
|
|
a.logger.Error("empty common name in CSR job", "job_id", job.ID)
|
|
if reportErr := a.reportJobStatus(ctx, job.ID, "Failed", "empty common name"); reportErr != nil {
|
|
a.logger.Error("failed to report job status to server", "job_id", job.ID, "error", reportErr)
|
|
}
|
|
return
|
|
}
|
|
|
|
// Step 3: Create CSR with common name and SANs
|
|
// Split SANs into DNS names and email addresses for proper CSR encoding
|
|
var dnsNames []string
|
|
var emailAddresses []string
|
|
for _, san := range job.SANs {
|
|
if strings.Contains(san, "@") {
|
|
emailAddresses = append(emailAddresses, san)
|
|
} else {
|
|
dnsNames = append(dnsNames, san)
|
|
}
|
|
}
|
|
|
|
csrTemplate := &x509.CertificateRequest{
|
|
Subject: pkix.Name{
|
|
CommonName: job.CommonName,
|
|
},
|
|
DNSNames: dnsNames,
|
|
EmailAddresses: emailAddresses,
|
|
}
|
|
|
|
csrDER, err := x509.CreateCertificateRequest(rand.Reader, csrTemplate, privKey)
|
|
if err != nil {
|
|
a.logger.Error("failed to create CSR",
|
|
"job_id", job.ID,
|
|
"error", err)
|
|
if reportErr := a.reportJobStatus(ctx, job.ID, "Failed", fmt.Sprintf("CSR creation failed: %v", err)); reportErr != nil {
|
|
a.logger.Error("failed to report job status to server", "job_id", job.ID, "status", "Failed", "error", reportErr)
|
|
}
|
|
return
|
|
}
|
|
|
|
csrPEM := string(pem.EncodeToMemory(&pem.Block{
|
|
Type: "CERTIFICATE REQUEST",
|
|
Bytes: csrDER,
|
|
}))
|
|
|
|
// Step 4: Submit CSR to the control plane (only the public key leaves the agent)
|
|
a.logger.Info("submitting CSR to control plane",
|
|
"job_id", job.ID,
|
|
"certificate_id", job.CertificateID)
|
|
|
|
submitPath := fmt.Sprintf("/api/v1/agents/%s/csr", a.config.AgentID)
|
|
resp, err := a.makeRequest(ctx, http.MethodPost, submitPath, map[string]string{
|
|
"csr_pem": csrPEM,
|
|
"certificate_id": job.CertificateID,
|
|
})
|
|
if err != nil {
|
|
a.logger.Error("failed to submit CSR",
|
|
"job_id", job.ID,
|
|
"error", err)
|
|
if reportErr := a.reportJobStatus(ctx, job.ID, "Failed", fmt.Sprintf("CSR submission failed: %v", err)); reportErr != nil {
|
|
a.logger.Error("failed to report job status to server", "job_id", job.ID, "status", "Failed", "error", reportErr)
|
|
}
|
|
return
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
if resp.StatusCode != http.StatusAccepted {
|
|
body, _ := io.ReadAll(resp.Body)
|
|
a.logger.Error("CSR submission rejected",
|
|
"job_id", job.ID,
|
|
"status", resp.StatusCode,
|
|
"body", string(body))
|
|
if reportErr := a.reportJobStatus(ctx, job.ID, "Failed", fmt.Sprintf("CSR rejected: %s", string(body))); reportErr != nil {
|
|
a.logger.Error("failed to report job status to server", "job_id", job.ID, "status", "Failed", "error", reportErr)
|
|
}
|
|
return
|
|
}
|
|
|
|
a.logger.Info("CSR submitted and signed successfully",
|
|
"job_id", job.ID,
|
|
"certificate_id", job.CertificateID,
|
|
"key_path", keyPath)
|
|
}
|