mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 23:51:41 +00:00
Shankar Reddy
49002c8cba
Operator decision answered as full soft-delete with optional forced
cascade — hard-delete is not reachable from any public surface. Prior
to this commit, DELETE /agents/{id} ran a plain `DELETE FROM agents`
whose schema-level `ON DELETE CASCADE` on deployment_targets.agent_id
silently wiped every target, orphaning certs and aborting in-flight
jobs. The finding closure reshapes the agent-removal contract around
soft retirement with explicit preflight counts, an opt-in cascade
gated by a mandatory reason, and unconditional protection for the
four reserved sentinel agents used by discovery sources.
Schema — migration 000015:
migrations/000015_agent_retire.up.sql flips
deployment_targets_agent_id_fkey from ON DELETE CASCADE to ON DELETE
RESTRICT, so a stray `DELETE FROM agents` now errors at the DB
boundary instead of quietly destroying targets. Both `agents` and
`deployment_targets` grow a retired_at TIMESTAMPTZ + retired_reason
TEXT pair (TEXT not VARCHAR so operator comments are never
truncated), indexed via partial indexes WHERE retired_at IS NOT
NULL. The migration is self-healing (ADD COLUMN IF NOT EXISTS, DROP
CONSTRAINT IF EXISTS then ADD CONSTRAINT, CREATE INDEX IF NOT
EXISTS) so repeated runs against partially-migrated databases
converge. migrations/000015_agent_retire.down.sql restores CASCADE
and drops the new columns for clean rollback. A dedicated
repository-layer testcontainers test
(internal/repository/postgres/migration_000015_test.go) asserts the
before/after FK action, column presence, index presence, and
round-trip idempotency under up→down→up.
Domain — sentinel guard + dependency counts:
internal/domain/connector.go gains IsRetired() on Agent, the
exported SentinelAgentIDs slice listing server-scanner,
cloud-aws-sm, cloud-azure-kv, cloud-gcp-sm verbatim (matching the
four reserved IDs documented in CLAUDE.md and created at startup in
cmd/server/main.go), IsSentinelAgent(id string) predicate,
AgentDependencyCounts{ActiveTargets, ActiveCertificates,
PendingJobs} with a HasDependencies() method, and ActorTypeAgent /
ActorTypeSystem enum values used by audit emission downstream.
Coverage locked down by internal/domain/connector_test.go.
Service — 8-step ordered contract:
internal/service/agent_retire.go:RetireAgent(ctx, id, actor,
opts{Force, Reason}) enforces a fixed execution order:
(1) sentinel guard — IsSentinelAgent(id) returns ErrAgentIsSentinel
unconditionally; force=true does NOT bypass it.
(2) fetch — ErrAgentNotFound on miss.
(3) idempotency — if IsRetired() already, return
AgentRetirementResult{AlreadyRetired: true} with no new audit
event and no state change (safe to replay from flaky clients).
(4) preflight counts — collectAgentDependencyCounts runs
ActiveTargets, ActiveCertificates, PendingJobs sequentially
(not in parallel; keeps the per-query timeout predictable and
matches the repo's existing call-chain shape).
(5) force-reason guard — opts.Force=true with empty Reason returns
ErrForceReasonRequired (wired into the 400 status surface).
(6) dependency guard — HasDependencies() with opts.Force=false
returns BlockedByDependenciesError{Counts} (wired into the 409
body with per-bucket counts).
(7) mutation — single pinned retiredAt := time.Now(); agent
retirement first, then cascade target retirement if opts.Force,
all under the repo's single transaction so the two retired_at
stamps match to the second.
(8) best-effort audit — agent_retired always; agent_retirement_
cascaded additionally on the force path. Actor is whatever the
handler resolves from the request; actor type is mapped by
resolveActorType (system/agent-prefix→Agent/else→User). Audit
emission failures are logged via slog.Error but do not abort
the retirement (matches the house convention used by every
other scheduler-emitted event).
BlockedByDependenciesError implements Error() as
"active_targets=%d, active_certificates=%d, pending_jobs=%d" and
Unwrap() → ErrBlockedByDependencies. The single struct satisfies
errors.Is via Unwrap (used by scheduler-level tests) and errors.As
via the concrete type (used by the handler to fish out Counts for
the 409 body). ListRetiredAgents(page, perPage) adds a separate
paginated accessor with page<1→1 and perPage<1→50 normalization so
retired rows are queryable without polluting the default agent
listing.
Sentinel guard coverage is asymmetric by design: all four reserved
IDs are protected, and force=true cannot override. Regression tests
in internal/service/agent_retire_test.go assert each of the eight
steps in order, plus sentinel bypass attempts and idempotency
replay.
Handler + router — status-code surface:
internal/api/handler/agents.go:RetireAgent exposes seven status
codes on DELETE /agents/{id}:
200 on a fresh retirement (body echoes AgentRetirementResult).
204 on idempotent replay (AlreadyRetired=true; no new audit).
400 on ErrForceReasonRequired.
403 on ErrAgentIsSentinel.
404 on ErrAgentNotFound.
409 on BlockedByDependenciesError, with a custom body shape
{error, counts{active_targets, active_certificates,
pending_jobs}} that bypasses the default ErrorWithRequestID
envelope so callers get the per-bucket numbers directly.
500 on any other error.
Heartbeat HandleHeartbeat returns 410 Gone when the agent is
retired (ErrAgentRetired), signalling the agent to shut down.
Query params `force=true` and `reason=<text>` drive the cascade
path; both are forwarded as url.Values through the new MCP
transport.
internal/api/router/router.go registers GET /api/v1/agents/retired
literal-path BEFORE /api/v1/agents/{id} — Go 1.22 ServeMux's
literal-beats-pattern-var precedence routes "retired" to the
paginated retired-agents listing instead of fetching a hypothetical
agent named "retired".
Agent binary — clean shutdown on 410:
cmd/agent/main.go gains the ErrAgentRetired sentinel, a
retiredOnce sync.Once, and a retiredSignal chan struct{}. A
markRetired(source, statusCode, body) helper closes the channel
exactly once; the Run() select loop observes the close and returns
ErrAgentRetired; main() matches via errors.Is(err, ErrAgentRetired)
and exits cleanly instead of spinning in the heartbeat retry loop.
The 410 Gone surface is therefore terminal for the agent process.
MCP transport:
internal/mcp/client.go adds Client.DeleteWithQuery(path, query),
a new additive transport method. Client.Delete is path-only; without
this method the retire tool would silently drop `force` and `reason`,
turning every cascade retire into a default soft-retire. The new
method shares do()'s 204 normalization and 4xx/5xx error
propagation so tool authors get one contract.
internal/mcp/tools.go + internal/mcp/types.go expose the
retire_agent tool with Force+Reason inputs wired through
DeleteWithQuery.
CLI:
cmd/cli/main.go + internal/cli/client.go add two CLI surfaces:
`agents list --retired` (client-side strip of --retired then
delegation to ListRetiredAgents, sharing --page/--per-page parsing
with the default listing) and `agents retire <id> [--force --reason
"…"]` (mirrors ErrForceReasonRequired — force without reason is
rejected client-side before the request is sent). JSON + table
output modes both honor the new columns.
Frontend:
web/src/pages/AgentsPage.tsx surfaces retired/retire affordances.
web/src/api/client.ts + web/src/api/types.ts expose the retire
endpoint and the retired-listing. 4 new Vitest regression cases.
OpenAPI:
api/openapi.yaml documents DELETE /agents/{id} with all seven
status codes, 410 on heartbeat, and the 409 per-bucket body shape.
Regression coverage (six new test files, all green):
internal/service/agent_retire_test.go — 8-step contract + sentinel guards
internal/api/handler/agent_retire_handler_test.go — 7-status-code surface + 410 heartbeat
internal/mcp/retire_agent_test.go — DeleteWithQuery wire-through
internal/cli/agent_retire_test.go — --retired listing + --force/--reason pairing
internal/repository/postgres/migration_000015_test.go — FK flip + columns + indexes + up↔down
internal/domain/connector_test.go — IsRetired, IsSentinelAgent, SentinelAgentIDs, HasDependencies
Files:
api/openapi.yaml — DELETE + 410 + 409 body shape
cmd/agent/main.go — ErrAgentRetired, markRetired, retiredSignal
cmd/cli/main.go — handleAgents list/get/retire dispatch
docs/architecture.md, docs/concepts.md,
docs/testing-guide.md — retirement contract narrative
internal/api/handler/agents.go — RetireAgent, status surface, 410 on heartbeat
internal/api/handler/agent_handler_test.go — extended coverage
internal/api/handler/agent_retire_handler_test.go — new
internal/api/router/router.go — /agents/retired before /agents/{id}
internal/cli/agent_retire_test.go — new
internal/cli/client.go — ListRetiredAgents + RetireAgent
internal/domain/connector.go — IsRetired, SentinelAgentIDs,
IsSentinelAgent, AgentDependencyCounts,
ActorTypeAgent/System
internal/domain/connector_test.go — new
internal/integration/lifecycle_test.go — retirement fixture
internal/mcp/client.go — DeleteWithQuery additive transport
internal/mcp/retire_agent_test.go — new
internal/mcp/tools.go, internal/mcp/types.go — retire_agent tool + Force/Reason inputs
internal/repository/interfaces.go — AgentRepository retirement methods
internal/repository/postgres/agent.go — retire + cascade target retire + counts
internal/repository/postgres/migration_000015_test.go — new
internal/service/agent.go — wire into AgentService surface
internal/service/agent_retire.go — new 8-step contract
internal/service/agent_retire_test.go — new
internal/service/deployment.go — skip retired agents
internal/service/target.go — skip retired agents
internal/service/testutil_test.go — shared mocks extended
migrations/000015_agent_retire.up.sql — new
migrations/000015_agent_retire.down.sql — new
web/src/api/client.ts, types.ts + tests — retire endpoint wiring
web/src/pages/AgentsPage.tsx — retire UI
483 lines
16 KiB
Go
483 lines
16 KiB
Go
package service
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"log/slog"
|
|
"time"
|
|
|
|
"github.com/shankar0123/certctl/internal/crypto"
|
|
"github.com/shankar0123/certctl/internal/domain"
|
|
"github.com/shankar0123/certctl/internal/repository"
|
|
)
|
|
|
|
// ErrAgentNotFound is returned by [TargetService.CreateTarget] when the caller
|
|
// references an agent_id that is empty or does not correspond to a registered
|
|
// agent. The handler layer maps this to HTTP 400 via [errors.Is]. See C-002 in
|
|
// cowork/certctl-coverage-gap-audit.md — this sentinel replaces a silent
|
|
// Postgres FK violation (23503 → HTTP 500) with a deterministic 400.
|
|
var ErrAgentNotFound = errors.New("referenced agent does not exist")
|
|
|
|
// validTargetTypes is the set of allowed target types for validation.
|
|
var validTargetTypes = map[domain.TargetType]bool{
|
|
domain.TargetTypeNGINX: true,
|
|
domain.TargetTypeApache: true,
|
|
domain.TargetTypeHAProxy: true,
|
|
domain.TargetTypeF5: true,
|
|
domain.TargetTypeIIS: true,
|
|
domain.TargetTypeTraefik: true,
|
|
domain.TargetTypeCaddy: true,
|
|
domain.TargetTypeEnvoy: true,
|
|
domain.TargetTypePostfix: true,
|
|
domain.TargetTypeDovecot: true,
|
|
domain.TargetTypeSSH: true,
|
|
domain.TargetTypeWinCertStore: true,
|
|
domain.TargetTypeJavaKeystore: true,
|
|
domain.TargetTypeKubernetesSecrets: true,
|
|
}
|
|
|
|
// isValidTargetType checks if a type string is a known target type.
|
|
func isValidTargetType(t domain.TargetType) bool {
|
|
return validTargetTypes[t]
|
|
}
|
|
|
|
// TargetService provides business logic for deployment target management.
|
|
//
|
|
// The encryptionKey field holds the raw passphrase (not a pre-derived 32-byte
|
|
// key). Per-ciphertext salt derivation is performed inside
|
|
// [crypto.EncryptIfKeySet] / [crypto.DecryptIfKeySet] on each call. See M-8
|
|
// in certctl-audit-report.md.
|
|
type TargetService struct {
|
|
targetRepo repository.TargetRepository
|
|
agentRepo repository.AgentRepository
|
|
auditService *AuditService
|
|
encryptionKey string
|
|
logger *slog.Logger
|
|
}
|
|
|
|
// NewTargetService creates a new target service. The encryptionKey is the raw
|
|
// passphrase; it MUST NOT be pre-derived via crypto.DeriveKey (that was the
|
|
// v1 behavior, replaced in M-8 with per-ciphertext random salt).
|
|
func NewTargetService(
|
|
targetRepo repository.TargetRepository,
|
|
auditService *AuditService,
|
|
agentRepo repository.AgentRepository,
|
|
encryptionKey string,
|
|
logger *slog.Logger,
|
|
) *TargetService {
|
|
return &TargetService{
|
|
targetRepo: targetRepo,
|
|
agentRepo: agentRepo,
|
|
auditService: auditService,
|
|
encryptionKey: encryptionKey,
|
|
logger: logger,
|
|
}
|
|
}
|
|
|
|
// List returns a paginated list of deployment targets.
|
|
func (s *TargetService) List(ctx context.Context, page, perPage int) ([]*domain.DeploymentTarget, int64, error) {
|
|
if page < 1 {
|
|
page = 1
|
|
}
|
|
if perPage < 1 {
|
|
perPage = 50
|
|
}
|
|
|
|
targets, err := s.targetRepo.List(ctx)
|
|
if err != nil {
|
|
return nil, 0, fmt.Errorf("failed to list targets: %w", err)
|
|
}
|
|
total := int64(len(targets))
|
|
start := (page - 1) * perPage
|
|
if start >= int(total) {
|
|
return nil, total, nil
|
|
}
|
|
end := start + perPage
|
|
if end > int(total) {
|
|
end = int(total)
|
|
}
|
|
return targets[start:end], total, nil
|
|
}
|
|
|
|
// Get retrieves a deployment target by ID.
|
|
func (s *TargetService) Get(ctx context.Context, id string) (*domain.DeploymentTarget, error) {
|
|
target, err := s.targetRepo.Get(ctx, id)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to get target %s: %w", id, err)
|
|
}
|
|
return target, nil
|
|
}
|
|
|
|
// Create validates and stores a new deployment target, encrypting sensitive config.
|
|
func (s *TargetService) Create(ctx context.Context, target *domain.DeploymentTarget, actor string) error {
|
|
if target.Name == "" {
|
|
return fmt.Errorf("target name is required")
|
|
}
|
|
if !isValidTargetType(target.Type) {
|
|
return fmt.Errorf("unsupported target type: %s", target.Type)
|
|
}
|
|
|
|
if target.ID == "" {
|
|
target.ID = generateID("target")
|
|
}
|
|
now := time.Now()
|
|
if target.CreatedAt.IsZero() {
|
|
target.CreatedAt = now
|
|
}
|
|
if target.UpdatedAt.IsZero() {
|
|
target.UpdatedAt = now
|
|
}
|
|
if target.TestStatus == "" {
|
|
target.TestStatus = "untested"
|
|
}
|
|
if target.Source == "" {
|
|
target.Source = "database"
|
|
}
|
|
|
|
// Encrypt the full config and store redacted version in config column
|
|
if len(target.Config) > 0 {
|
|
encrypted, _, err := crypto.EncryptIfKeySet([]byte(target.Config), s.encryptionKey)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to encrypt config: %w", err)
|
|
}
|
|
target.EncryptedConfig = encrypted
|
|
target.Config = redactConfigJSON(target.Config)
|
|
}
|
|
|
|
if err := s.targetRepo.Create(ctx, target); err != nil {
|
|
return fmt.Errorf("failed to create target: %w", err)
|
|
}
|
|
|
|
if s.auditService != nil {
|
|
if auditErr := s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser, "create_target", "target", target.ID, nil); auditErr != nil {
|
|
s.logger.Error("failed to record audit event", "error", auditErr)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// Update modifies an existing deployment target. Handles "********" preservation for sensitive fields.
|
|
func (s *TargetService) Update(ctx context.Context, id string, target *domain.DeploymentTarget, actor string) error {
|
|
if target.Name == "" {
|
|
return fmt.Errorf("target name is required")
|
|
}
|
|
|
|
target.ID = id
|
|
target.UpdatedAt = time.Now()
|
|
|
|
// If config contains "********" values, merge with existing decrypted config
|
|
if len(target.Config) > 0 {
|
|
mergedConfig, err := s.mergeRedactedConfig(ctx, id, target.Config)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to merge config: %w", err)
|
|
}
|
|
|
|
// Encrypt the merged config
|
|
encrypted, _, encErr := crypto.EncryptIfKeySet(mergedConfig, s.encryptionKey)
|
|
if encErr != nil {
|
|
return fmt.Errorf("failed to encrypt config: %w", encErr)
|
|
}
|
|
target.EncryptedConfig = encrypted
|
|
target.Config = redactConfigJSON(json.RawMessage(mergedConfig))
|
|
}
|
|
|
|
if err := s.targetRepo.Update(ctx, target); err != nil {
|
|
return fmt.Errorf("failed to update target %s: %w", id, err)
|
|
}
|
|
|
|
if s.auditService != nil {
|
|
if auditErr := s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser, "update_target", "target", id, nil); auditErr != nil {
|
|
s.logger.Error("failed to record audit event", "error", auditErr)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// Delete removes a deployment target.
|
|
func (s *TargetService) Delete(ctx context.Context, id string, actor string) error {
|
|
if err := s.targetRepo.Delete(ctx, id); err != nil {
|
|
return fmt.Errorf("failed to delete target %s: %w", id, err)
|
|
}
|
|
|
|
if s.auditService != nil {
|
|
if auditErr := s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser, "delete_target", "target", id, nil); auditErr != nil {
|
|
s.logger.Error("failed to record audit event", "error", auditErr)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// TestConnection tests a target's connectivity by checking the assigned agent's heartbeat status.
|
|
// Target connectors run on agents, not on the server, so we can't instantiate a connector here.
|
|
// Instead, we verify the agent is online and reachable.
|
|
func (s *TargetService) TestConnection(ctx context.Context, id string) error {
|
|
target, err := s.targetRepo.Get(ctx, id)
|
|
if err != nil {
|
|
return fmt.Errorf("target not found: %w", err)
|
|
}
|
|
|
|
if target.AgentID == "" {
|
|
s.updateTestStatus(ctx, target, "failed")
|
|
return fmt.Errorf("target has no assigned agent")
|
|
}
|
|
|
|
agent, err := s.agentRepo.Get(ctx, target.AgentID)
|
|
if err != nil {
|
|
s.updateTestStatus(ctx, target, "failed")
|
|
return fmt.Errorf("assigned agent not found: %w", err)
|
|
}
|
|
|
|
// I-004: AgentRepository.Get intentionally surfaces retired rows (the banner
|
|
// + 410 Gone paths need to see them). A test against a retired agent can
|
|
// never succeed — the agent is tombstoned, will never heartbeat again, and
|
|
// any active targets have already been cascade-retired alongside it. Fail
|
|
// fast with an explicit message instead of falling through to the Status /
|
|
// heartbeat checks, which would produce a misleading "agent is Offline" or
|
|
// "heartbeat stale" diagnostic.
|
|
if agent.IsRetired() {
|
|
s.updateTestStatus(ctx, target, "failed")
|
|
return fmt.Errorf("assigned agent %s is retired", agent.ID)
|
|
}
|
|
|
|
if agent.Status != domain.AgentStatusOnline {
|
|
s.updateTestStatus(ctx, target, "failed")
|
|
return fmt.Errorf("assigned agent %s is %s (expected Online)", agent.ID, agent.Status)
|
|
}
|
|
|
|
// Check heartbeat freshness (agent must have heartbeated within the last 5 minutes)
|
|
if agent.LastHeartbeatAt != nil {
|
|
if time.Since(*agent.LastHeartbeatAt) > 5*time.Minute {
|
|
s.updateTestStatus(ctx, target, "failed")
|
|
return fmt.Errorf("assigned agent %s last heartbeat was %s ago (stale)", agent.ID, time.Since(*agent.LastHeartbeatAt).Round(time.Second))
|
|
}
|
|
}
|
|
|
|
s.updateTestStatus(ctx, target, "success")
|
|
return nil
|
|
}
|
|
|
|
// ListTargets returns paginated targets (handler interface method).
|
|
func (s *TargetService) ListTargets(ctx context.Context, page, perPage int) ([]domain.DeploymentTarget, int64, error) {
|
|
if page < 1 {
|
|
page = 1
|
|
}
|
|
if perPage < 1 {
|
|
perPage = 50
|
|
}
|
|
|
|
targets, err := s.targetRepo.List(ctx)
|
|
if err != nil {
|
|
return nil, 0, fmt.Errorf("failed to list targets: %w", err)
|
|
}
|
|
total := int64(len(targets))
|
|
|
|
var result []domain.DeploymentTarget
|
|
for _, t := range targets {
|
|
if t != nil {
|
|
result = append(result, *t)
|
|
}
|
|
}
|
|
|
|
return result, total, nil
|
|
}
|
|
|
|
// GetTarget returns a single target (handler interface method).
|
|
func (s *TargetService) GetTarget(ctx context.Context, id string) (*domain.DeploymentTarget, error) {
|
|
return s.targetRepo.Get(ctx, id)
|
|
}
|
|
|
|
// CreateTarget creates a new target (handler interface method).
|
|
func (s *TargetService) CreateTarget(ctx context.Context, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
|
|
if !isValidTargetType(target.Type) {
|
|
return nil, fmt.Errorf("unsupported target type: %s", target.Type)
|
|
}
|
|
|
|
// C-002: enforce agent_id FK at service layer so we return a clean 400
|
|
// instead of bubbling a Postgres 23503 foreign-key violation out as 500.
|
|
// The schema (migrations/000001 line 104) declares agent_id TEXT NOT NULL
|
|
// with a FK to agents(id); we mirror that contract here for deterministic
|
|
// error mapping.
|
|
if target.AgentID == "" {
|
|
return nil, fmt.Errorf("%w: agent_id is required", ErrAgentNotFound)
|
|
}
|
|
agent, err := s.agentRepo.Get(ctx, target.AgentID)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("%w: %s", ErrAgentNotFound, target.AgentID)
|
|
}
|
|
// I-004: refuse to attach new targets to a retired agent. The agent is
|
|
// tombstoned and no deployments would ever succeed against it; letting a
|
|
// row slip past here would immediately be cascade-retired on the next
|
|
// dependency sweep and confuse operators ("why is this brand-new target
|
|
// already retired?"). Treating retired agents as "not found" for creation
|
|
// purposes keeps the error surface tight and matches the default-list
|
|
// contract established by repository.AgentRepository.List.
|
|
if agent.IsRetired() {
|
|
return nil, fmt.Errorf("%w: %s (retired)", ErrAgentNotFound, target.AgentID)
|
|
}
|
|
|
|
if target.ID == "" {
|
|
target.ID = generateID("target")
|
|
}
|
|
now := time.Now()
|
|
if target.CreatedAt.IsZero() {
|
|
target.CreatedAt = now
|
|
}
|
|
if target.UpdatedAt.IsZero() {
|
|
target.UpdatedAt = now
|
|
}
|
|
if target.TestStatus == "" {
|
|
target.TestStatus = "untested"
|
|
}
|
|
if target.Source == "" {
|
|
target.Source = "database"
|
|
}
|
|
// GUI-created targets should be enabled by default.
|
|
// Go's bool zero value is false, which overrides the DB default when explicitly inserted.
|
|
if target.Source == "database" && !target.Enabled {
|
|
target.Enabled = true
|
|
}
|
|
|
|
// Encrypt config
|
|
if len(target.Config) > 0 {
|
|
encrypted, _, err := crypto.EncryptIfKeySet([]byte(target.Config), s.encryptionKey)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to encrypt config: %w", err)
|
|
}
|
|
target.EncryptedConfig = encrypted
|
|
target.Config = redactConfigJSON(target.Config)
|
|
}
|
|
|
|
if err := s.targetRepo.Create(ctx, &target); err != nil {
|
|
return nil, fmt.Errorf("failed to create target: %w", err)
|
|
}
|
|
return &target, nil
|
|
}
|
|
|
|
// UpdateTarget modifies a target (handler interface method).
|
|
func (s *TargetService) UpdateTarget(ctx context.Context, id string, target domain.DeploymentTarget) (*domain.DeploymentTarget, error) {
|
|
target.ID = id
|
|
target.UpdatedAt = time.Now()
|
|
|
|
// Merge redacted fields with existing config
|
|
if len(target.Config) > 0 {
|
|
mergedConfig, err := s.mergeRedactedConfig(ctx, id, target.Config)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to merge config: %w", err)
|
|
}
|
|
|
|
encrypted, _, encErr := crypto.EncryptIfKeySet(mergedConfig, s.encryptionKey)
|
|
if encErr != nil {
|
|
return nil, fmt.Errorf("failed to encrypt config: %w", encErr)
|
|
}
|
|
target.EncryptedConfig = encrypted
|
|
target.Config = redactConfigJSON(json.RawMessage(mergedConfig))
|
|
}
|
|
|
|
if err := s.targetRepo.Update(ctx, &target); err != nil {
|
|
return nil, fmt.Errorf("failed to update target: %w", err)
|
|
}
|
|
return &target, nil
|
|
}
|
|
|
|
// DeleteTarget removes a target (handler interface method).
|
|
func (s *TargetService) DeleteTarget(ctx context.Context, id string) error {
|
|
return s.targetRepo.Delete(ctx, id)
|
|
}
|
|
|
|
// --- Internal helpers ---
|
|
|
|
// getDecryptedConfig returns the decrypted config JSON for a target.
|
|
func (s *TargetService) getDecryptedConfig(target *domain.DeploymentTarget) (json.RawMessage, error) {
|
|
if len(target.EncryptedConfig) > 0 {
|
|
decrypted, err := crypto.DecryptIfKeySet(target.EncryptedConfig, s.encryptionKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return json.RawMessage(decrypted), nil
|
|
}
|
|
if len(target.Config) > 0 {
|
|
return target.Config, nil
|
|
}
|
|
return json.RawMessage("{}"), nil
|
|
}
|
|
|
|
// mergeRedactedConfig merges incoming config (which may have "********" values)
|
|
// with the existing decrypted config so sensitive fields are preserved.
|
|
func (s *TargetService) mergeRedactedConfig(ctx context.Context, id string, incoming json.RawMessage) ([]byte, error) {
|
|
// Parse incoming config
|
|
var incomingMap map[string]interface{}
|
|
if err := json.Unmarshal(incoming, &incomingMap); err != nil {
|
|
s.logger.Warn("mergeRedactedConfig: incoming config is not a JSON object, using as-is", "target", id, "error", err)
|
|
return incoming, nil
|
|
}
|
|
|
|
// Check if any values are "********"
|
|
hasRedacted := false
|
|
for _, v := range incomingMap {
|
|
if str, ok := v.(string); ok && str == "********" {
|
|
hasRedacted = true
|
|
break
|
|
}
|
|
}
|
|
|
|
if !hasRedacted {
|
|
return incoming, nil // No redacted values, use incoming as-is
|
|
}
|
|
|
|
// Load existing target to get real values
|
|
existing, err := s.targetRepo.Get(ctx, id)
|
|
if err != nil {
|
|
s.logger.Warn("mergeRedactedConfig: could not load existing target, redacted values will be lost", "target", id, "error", err)
|
|
return incoming, nil
|
|
}
|
|
|
|
existingConfig, err := s.getDecryptedConfig(existing)
|
|
if err != nil {
|
|
s.logger.Warn("mergeRedactedConfig: could not decrypt existing config, redacted values will be lost", "target", id, "error", err)
|
|
return incoming, nil
|
|
}
|
|
|
|
var existingMap map[string]interface{}
|
|
if err := json.Unmarshal(existingConfig, &existingMap); err != nil {
|
|
s.logger.Warn("mergeRedactedConfig: existing config is not a JSON object, redacted values will be lost", "target", id, "error", err)
|
|
return incoming, nil
|
|
}
|
|
|
|
// Merge: for each "********" value in incoming, use existing value
|
|
for k, v := range incomingMap {
|
|
if str, ok := v.(string); ok && str == "********" {
|
|
if existingVal, exists := existingMap[k]; exists {
|
|
incomingMap[k] = existingVal
|
|
}
|
|
}
|
|
}
|
|
|
|
return json.Marshal(incomingMap)
|
|
}
|
|
|
|
// updateTestStatus updates the test_status and last_tested_at fields in the database
|
|
// and records an audit event.
|
|
func (s *TargetService) updateTestStatus(ctx context.Context, target *domain.DeploymentTarget, status string) {
|
|
now := time.Now()
|
|
target.TestStatus = status
|
|
target.LastTestedAt = &now
|
|
target.UpdatedAt = now
|
|
if err := s.targetRepo.Update(ctx, target); err != nil {
|
|
s.logger.Error("failed to update test status", "target", target.ID, "status", status, "error", err)
|
|
}
|
|
|
|
// Record audit event for connection test
|
|
if s.auditService != nil {
|
|
action := "target_test_connection_" + status
|
|
details := map[string]interface{}{"target_type": string(target.Type), "result": status, "agent_id": target.AgentID}
|
|
if auditErr := s.auditService.RecordEvent(ctx, "system", domain.ActorTypeSystem, action, "target", target.ID, details); auditErr != nil {
|
|
s.logger.Error("failed to record test connection audit event", "error", auditErr)
|
|
}
|
|
}
|
|
}
|