mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 20:51:30 +00:00
shankar0123
f0865bb051
Two audit findings, both category cat-l, both rooted in
web/src/pages/CertificatesPage.tsx. Pre-L-1 the GUI looped per-cert
HTTP calls — 100 selected certs = 100 sequential round-trips × ~50–200
ms each = a 5–20-second wedge during which the operator stared at a
progress bar. Post-L-1 each workflow is a single POST.
cat-l-fa0c1ac07ab5 [P1, primary] — bulk renew loop
handleBulkRenewal: for/await triggerRenewal(id)
cat-l-8a1fb258a38a [P2] — bulk reassign loop
handleReassign: for/await updateCertificate(id, {owner_id})
The bulk-revoke endpoint (POST /api/v1/certificates/bulk-revoke +
BulkRevocationCriteria/Result) already existed as the canonical shape
in v2.0.x — L-1 ports that pattern to renew + reassign with per-action
twists.
Backend (Go)
- internal/domain/bulk_renewal.go: BulkRenewalCriteria mirrors
BulkRevocationCriteria (criteria + IDs modes); BulkRenewalResult
envelope adds EnqueuedJobs[] for per-cert {certificate_id, job_id};
shared BulkOperationError type for all bulk paths.
- internal/domain/bulk_reassignment.go: narrower shape — IDs-only,
owner_id required, team_id optional.
- internal/service/bulk_renewal.go::BulkRenewalService.BulkRenew:
resolves criteria → status filter (Archived/Revoked/Expired/
RenewalInProgress all silent-skip) → per-cert status flip + job
create. Keygen-mode-aware so jobs land in the same initial status
as single-cert TriggerRenewal. Single bulk audit event per call,
not N.
- internal/service/bulk_reassignment.go::BulkReassignmentService.
BulkReassign: validates owner_id upfront via the
ErrBulkReassignOwnerNotFound typed sentinel — non-existent owner
returns 400 before any cert is touched. Already-owned-by-target
is silent-skip. Single bulk audit event.
- internal/api/handler/{bulk_renewal,bulk_reassignment}.go: HTTP
shape mirrors bulk_revocation.go. NOT admin-gated (renew is non-
destructive; reassign is a common-case workflow). Sentinel-error
→ 400 mapping for OwnerNotFound.
- internal/api/router/router.go: three bulk-* routes registered as a
block before the {id} routes. HandlerRegistry gains BulkRenewal +
BulkReassignment fields.
- cmd/server/main.go: NewBulkRenewalService threads cfg.Keygen.Mode
so bulk-renew jobs land in same initial state as single-cert path.
Frontend
- web/src/api/client.ts: bulkRenewCertificates(criteria) +
bulkReassignCertificates(request) functions with full TS types.
- web/src/pages/CertificatesPage.tsx: handleBulkRenewal + handleReassign
rewritten from N-call loops to single calls. Result envelope drives
progress UI; first-error message surfaced when total_failed > 0.
Stale triggerRenewal + updateCertificate imports removed.
MCP
- internal/mcp/types.go: BulkRenewCertificatesInput +
BulkReassignCertificatesInput.
- internal/mcp/tools.go: certctl_bulk_renew_certificates +
certctl_bulk_reassign_certificates tools mirroring the existing
certctl_bulk_revoke_certificates pattern.
OpenAPI
- api/openapi.yaml: two new operations (bulkRenewCertificates,
bulkReassignCertificates) under Certificates tag. Four new schemas
(BulkRenewRequest, BulkRenewResult, BulkEnqueuedJob,
BulkReassignRequest, BulkReassignResult).
Tests
- Domain: BulkRenewalCriteria.IsEmpty + BulkReassignmentRequest.IsEmpty
IsEmpty contracts; JSON round-trip shape pinning.
- Service: 7 BulkRenew tests (happy/criteria-mode/skips-RenewalInProgress/
skips-revoked-archived/empty-criteria-error/partial-failure/
audit-event-emitted) + 8 BulkReassign tests (happy/skips-already-
owned/owner-required/empty-IDs/owner-not-found-sentinel/team-id-
optional/team-id-provided/partial-failure/audit-event-emitted).
- Handler: 5 BulkRenew handler tests (happy/empty-body-400/wrong-
method-405/actor-attribution/service-error-500) + 6 BulkReassign
handler tests (happy/empty-IDs-400/missing-owner-400/owner-not-
found-400-via-sentinel/wrong-method-405/generic-error-500).
CI guardrail
- .github/workflows/ci.yml: 'Forbidden client-side bulk-action loop
regression guard (L-1)'. Greps web/src/pages/CertificatesPage.tsx
for 'for(...) await triggerRenewal(...)' and 'for(...) await
updateCertificate(...)' patterns; comment lines exempt; test files
exempt. Verified locally (passes against post-fix tree, fires
against synthetic regression).
Counts (deltas)
- Routes: 119 → 121 (+2)
- OpenAPI operations: 123 → 125 (+2)
- MCP tools: 83 → 85 (+2)
Performance
- 100-cert bulk-renew: ~10s of sequential HTTP → ~100ms (99% latency
reduction on the canonical operator workflow).
- Audit event volume: 1 + N per operation → 1.
Out of scope (deferred follow-ups)
- cat-b-31ceb6aaa9f1: updateOwner/updateTeam/updateAgentGroup orphan
(different shape — wire existing PUT to GUI, not new bulk endpoint).
- cat-k-e85d1099b2d7: CertificatesPage no pagination UI.
- cat-i-b0924b6675f8: MCP missing claim/dismiss/acknowledge (L-1 added
2 new tools but does not close that finding).
Verification
- go build / vet / test -short / test -short -race all clean.
- web tsc --noEmit + vitest run all clean (296 tests passing).
- OpenAPI YAML parses (89 paths, 125 ops).
- L-1 CI guardrail passes against post-fix tree, fires against
synthetic regression.
No push.
52 lines
2.5 KiB
Go
52 lines
2.5 KiB
Go
package domain
|
|
|
|
// BulkReassignmentRequest is the input to POST /api/v1/certificates/bulk-reassign.
|
|
//
|
|
// L-2 closure (cat-l-8a1fb258a38a): the GUI used to loop
|
|
// `await updateCertificate(id, { owner_id: ownerId })` over the selection
|
|
// at `web/src/pages/CertificatesPage.tsx::handleReassign`. Post-L-2 it
|
|
// POSTs once.
|
|
//
|
|
// Narrower than BulkRenewalCriteria — the operator workflow is "I have N
|
|
// certs selected and I want them all owned by Alice now". Criteria-mode
|
|
// reassignment doesn't have a strong use case (operators query first,
|
|
// then reassign by ID), so the request is IDs-only. OwnerID is required;
|
|
// TeamID is optional and the cert's team_id is updated only when TeamID
|
|
// is non-empty (matches the existing per-cert PUT behaviour where empty
|
|
// fields leave the existing value unchanged).
|
|
type BulkReassignmentRequest struct {
|
|
CertificateIDs []string `json:"certificate_ids"`
|
|
OwnerID string `json:"owner_id"`
|
|
TeamID string `json:"team_id,omitempty"`
|
|
}
|
|
|
|
// IsEmpty returns true if no IDs are provided. The service layer rejects
|
|
// empty IDs with a 400 — explicit-IDs is the only selection mode for
|
|
// reassignment (no criteria-mode). Naming mirrors BulkRevocationCriteria
|
|
// + BulkRenewalCriteria.IsEmpty so the validate-and-reject pattern is
|
|
// the same across all three bulk endpoints.
|
|
func (r BulkReassignmentRequest) IsEmpty() bool {
|
|
return len(r.CertificateIDs) == 0
|
|
}
|
|
|
|
// BulkReassignmentResult mirrors BulkRevocationResult / BulkRenewalResult
|
|
// envelope shape so the frontend's bulk-result rendering is one helper.
|
|
//
|
|
// Counters semantics:
|
|
// - TotalMatched: number of certs resolved from CertificateIDs
|
|
// - TotalReassigned: number where owner_id (and optionally team_id)
|
|
// was actually mutated
|
|
// - TotalSkipped: certs already owned by the target OwnerID — no-op
|
|
// skip rather than a fake "succeeded" count, so operators see "5 of
|
|
// your 10 selections were no-ops" without triaging fake errors
|
|
// - TotalFailed: certs where the per-cert update returned an error
|
|
// (e.g., the cert no longer exists, the repo update failed)
|
|
// - Errors: per-cert error details for the failure path
|
|
type BulkReassignmentResult struct {
|
|
TotalMatched int `json:"total_matched"`
|
|
TotalReassigned int `json:"total_reassigned"`
|
|
TotalSkipped int `json:"total_skipped"`
|
|
TotalFailed int `json:"total_failed"`
|
|
Errors []BulkOperationError `json:"errors,omitempty"`
|
|
}
|