Initial import — snapshot from admin host /srv/gosec/gsc-ops-api
This repo had no version control prior to this commit. The import is a
straight snapshot of the working tree at 2026-05-03; the deployed
binary on fihelvop01 was being rebuilt from this source via `make
build` + scp into place, with no upstream review path.
The snapshot already includes one in-flight fix made on 2026-05-03 to
internal/service/persona.go:GetSelfModel — the handler queried
`source` and `strength` columns plus an `is_active = true` filter on
persona.persona_commitments, none of which exist on that table (its
shape is session-bound commitments with `status`, `commitment_meta`,
etc.). The query returned a 500 every time SynapseHub bootstrapped a
persona's self-model, dropping the IdentityConstraints / Commitments /
ConscienceStandards layer from the assembled prompt. The patched
query reads existing columns only (commitment_text, commitment_type),
filters on `status='active'`, and synthesises Source="learned" /
Strength=1.0 to keep the SelfModel response shape stable for callers.
Verified live: `GET /api/v1/personas/70f7cfd9-.../self-model` now
returns 200 with `{identityConstraints:[],commitments:[],
conscienceStandards:[]}` instead of 500.
Future changes go through PRs against this repo — no more bin-only
deploys.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Claude (gsc-ops-api init)
188
internal/client/ejbca.go
Normal file
188
internal/client/ejbca.go
Normal file
@@ -0,0 +1,188 @@
|
||||
package client
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"os"
|
||||
"time"
|
||||
|
||||
"github.com/rs/zerolog"
|
||||
|
||||
"github.com/gosec/gsc-ops-api/internal/config"
|
||||
)
|
||||
|
||||
// EJBCAClient is an mTLS HTTP client for the EJBCA REST API
|
||||
type EJBCAClient struct {
|
||||
baseURL string
|
||||
client *http.Client
|
||||
logger zerolog.Logger
|
||||
}
|
||||
|
||||
// NewEJBCAClient creates a new EJBCA client with mTLS
|
||||
func NewEJBCAClient(cfg config.EJBCAConfig, logger zerolog.Logger) (*EJBCAClient, error) {
|
||||
cert, err := tls.LoadX509KeyPair(cfg.CertFile, cfg.KeyFile)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to load EJBCA client cert: %w", err)
|
||||
}
|
||||
|
||||
tlsCfg := &tls.Config{
|
||||
Certificates: []tls.Certificate{cert},
|
||||
MinVersion: tls.VersionTLS12,
|
||||
}
|
||||
|
||||
if cfg.CAFile != "" {
|
||||
caCert, err := os.ReadFile(cfg.CAFile)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to read EJBCA CA file: %w", err)
|
||||
}
|
||||
pool := x509.NewCertPool()
|
||||
pool.AppendCertsFromPEM(caCert)
|
||||
tlsCfg.RootCAs = pool
|
||||
}
|
||||
|
||||
return &EJBCAClient{
|
||||
baseURL: cfg.BaseURL,
|
||||
client: &http.Client{
|
||||
Timeout: 30 * time.Second,
|
||||
Transport: &http.Transport{TLSClientConfig: tlsCfg},
|
||||
},
|
||||
logger: logger.With().Str("component", "ejbca").Logger(),
|
||||
}, nil
|
||||
}
|
||||
|
||||
// EJBCACert represents a certificate from EJBCA
|
||||
type EJBCACert struct {
|
||||
SerialNumber string `json:"serial_number"`
|
||||
SubjectDN string `json:"subject_dn"`
|
||||
IssuerDN string `json:"issuer_dn"`
|
||||
Status string `json:"status"`
|
||||
NotBefore string `json:"not_before"`
|
||||
NotAfter string `json:"not_after"`
|
||||
CertificateData string `json:"certificate"`
|
||||
CAName string `json:"ca_name,omitempty"`
|
||||
}
|
||||
|
||||
// CertSearchRequest is the request body for searching certificates
|
||||
type CertSearchRequest struct {
|
||||
MaxResults int `json:"max_number_of_results"`
|
||||
Criteria []CertSearchCriterion `json:"criteria"`
|
||||
}
|
||||
|
||||
// CertSearchCriterion is a single search criterion
|
||||
type CertSearchCriterion struct {
|
||||
Property string `json:"property"`
|
||||
Value string `json:"value"`
|
||||
Operation string `json:"operation"`
|
||||
}
|
||||
|
||||
// CertEnrollRequest is the request body for enrolling a certificate
|
||||
type CertEnrollRequest struct {
|
||||
CertificateRequest string `json:"certificate_request,omitempty"`
|
||||
CertificateProfileName string `json:"certificate_profile_name"`
|
||||
EndEntityProfileName string `json:"end_entity_profile_name"`
|
||||
CAName string `json:"certificate_authority_name"`
|
||||
Username string `json:"username"`
|
||||
Password string `json:"password"`
|
||||
IncludeChain bool `json:"include_chain"`
|
||||
SubjectAltName string `json:"subject_alternative_name,omitempty"`
|
||||
}
|
||||
|
||||
// CertRevokeRequest is the request body for revoking a certificate
|
||||
type CertRevokeRequest struct {
|
||||
IssuerDN string `json:"issuer_dn"`
|
||||
SerialNumber string `json:"serial_number"`
|
||||
Reason string `json:"reason"`
|
||||
}
|
||||
|
||||
func (c *EJBCAClient) do(method, path string, body interface{}, result interface{}) error {
|
||||
url := c.baseURL + path
|
||||
|
||||
var reqBody io.Reader
|
||||
if body != nil {
|
||||
data, err := json.Marshal(body)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to marshal request: %w", err)
|
||||
}
|
||||
reqBody = bytes.NewReader(data)
|
||||
}
|
||||
|
||||
req, err := http.NewRequest(method, url, reqBody)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to create request: %w", err)
|
||||
}
|
||||
req.Header.Set("Content-Type", "application/json")
|
||||
req.Header.Set("Accept", "application/json")
|
||||
|
||||
resp, err := c.client.Do(req)
|
||||
if err != nil {
|
||||
return fmt.Errorf("request failed: %w", err)
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
respBody, err := io.ReadAll(resp.Body)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to read response: %w", err)
|
||||
}
|
||||
|
||||
if resp.StatusCode >= 400 {
|
||||
return fmt.Errorf("EJBCA error %d: %s", resp.StatusCode, string(respBody))
|
||||
}
|
||||
|
||||
if result != nil && len(respBody) > 0 {
|
||||
if err := json.Unmarshal(respBody, result); err != nil {
|
||||
return fmt.Errorf("failed to parse response: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// SearchCertificates searches for certificates matching criteria
|
||||
func (c *EJBCAClient) SearchCertificates(req *CertSearchRequest) ([]EJBCACert, error) {
|
||||
var result struct {
|
||||
Certificates []EJBCACert `json:"certificates"`
|
||||
}
|
||||
err := c.do("POST", "/ejbca/ejbca-rest-api/v1/certificate/search", req, &result)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return result.Certificates, nil
|
||||
}
|
||||
|
||||
// GetCertificate gets a certificate by serial number and issuer DN
|
||||
func (c *EJBCAClient) GetCertificate(issuerDN, serialNumber string) (*EJBCACert, error) {
|
||||
path := fmt.Sprintf("/ejbca/ejbca-rest-api/v1/certificate/%s/%s", issuerDN, serialNumber)
|
||||
var cert EJBCACert
|
||||
err := c.do("GET", path, nil, &cert)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &cert, nil
|
||||
}
|
||||
|
||||
// EnrollCertificate requests a new certificate
|
||||
func (c *EJBCAClient) EnrollCertificate(req *CertEnrollRequest) (*EJBCACert, error) {
|
||||
var cert EJBCACert
|
||||
err := c.do("POST", "/ejbca/ejbca-rest-api/v1/certificate/enrollkeystore", req, &cert)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &cert, nil
|
||||
}
|
||||
|
||||
// RevokeCertificate revokes a certificate
|
||||
func (c *EJBCAClient) RevokeCertificate(issuerDN, serialNumber, reason string) error {
|
||||
path := fmt.Sprintf("/ejbca/ejbca-rest-api/v1/certificate/%s/%s/revoke?reason=%s",
|
||||
issuerDN, serialNumber, reason)
|
||||
return c.do("PUT", path, nil, nil)
|
||||
}
|
||||
|
||||
// Health checks EJBCA connectivity
|
||||
func (c *EJBCAClient) Health() error {
|
||||
return c.do("GET", "/ejbca/ejbca-rest-api/v1/certificate/status", nil, nil)
|
||||
}
|
||||
Reference in New Issue
Block a user