GoSec_Cloud/gsc-ops-api
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
30268db4be252970e33cc945930e1b4f2f388bab
gsc-ops-api/internal/handler/certs.go
Claude (gsc-ops-api init) 3847eb2036 Initial import — snapshot from admin host /srv/gosec/gsc-ops-api 
This repo had no version control prior to this commit. The import is a
straight snapshot of the working tree at 2026-05-03; the deployed
binary on fihelvop01 was being rebuilt from this source via `make
build` + scp into place, with no upstream review path.

The snapshot already includes one in-flight fix made on 2026-05-03 to
internal/service/persona.go:GetSelfModel — the handler queried
`source` and `strength` columns plus an `is_active = true` filter on
persona.persona_commitments, none of which exist on that table (its
shape is session-bound commitments with `status`, `commitment_meta`,
etc.). The query returned a 500 every time SynapseHub bootstrapped a
persona's self-model, dropping the IdentityConstraints / Commitments /
ConscienceStandards layer from the assembled prompt. The patched
query reads existing columns only (commitment_text, commitment_type),
filters on `status='active'`, and synthesises Source="learned" /
Strength=1.0 to keep the SelfModel response shape stable for callers.

Verified live: `GET /api/v1/personas/70f7cfd9-.../self-model` now
returns 200 with `{identityConstraints:[],commitments:[],
conscienceStandards:[]}` instead of 500.

Future changes go through PRs against this repo — no more bin-only
deploys.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 20:06:02 +02:00

141 lines
4.4 KiB
Go
Raw Blame History

package handler
import (
"github.com/gofiber/fiber/v2"
"github.com/gosec/gsc-ops-api/internal/middleware"
"github.com/gosec/gsc-ops-api/internal/service"
"github.com/gosec/gsc-ops-api/pkg/types"
)
// CertHandler handles certificate endpoints
type CertHandler struct {
svc *service.CertificateService
}
// NewCertHandler creates a new certificate handler
func NewCertHandler(svc *service.CertificateService) *CertHandler {
return &CertHandler{svc: svc}
}
// List handles GET /api/v1/certs
func (h *CertHandler) List(c *fiber.Ctx) error {
reqID := middleware.GetRequestID(c)
search := c.Query("search")
limit := c.QueryInt("limit", 50)
certs, err := h.svc.ListCertificates(search, limit)
if err != nil {
apiErr := types.NewInternal(err.Error())
return c.Status(apiErr.Status).JSON(types.NewErrorResponse(apiErr, reqID))
}
return c.JSON(types.NewDataResponse(certs, reqID))
}
// Get handles GET /api/v1/certs/:serialNumber
func (h *CertHandler) Get(c *fiber.Ctx) error {
reqID := middleware.GetRequestID(c)
serialNumber := c.Params("serialNumber")
issuerDN := c.Query("issuerDn")
if issuerDN == "" {
apiErr := types.NewValidation("issuerDn query parameter is required")
return c.Status(apiErr.Status).JSON(types.NewErrorResponse(apiErr, reqID))
}
cert, err := h.svc.GetCertificate(serialNumber, issuerDN)
if err != nil {
apiErr := types.NewInternal(err.Error())
return c.Status(apiErr.Status).JSON(types.NewErrorResponse(apiErr, reqID))
}
return c.JSON(types.NewDataResponse(cert, reqID))
}
// Request handles POST /api/v1/certs/request
func (h *CertHandler) Request(c *fiber.Ctx) error {
reqID := middleware.GetRequestID(c)
var req types.CertRequest
if err := c.BodyParser(&req); err != nil {
apiErr := types.NewBadRequest("Invalid request body: " + err.Error())
return c.Status(apiErr.Status).JSON(types.NewErrorResponse(apiErr, reqID))
}
if req.SubjectDN == "" || req.CAName == "" || req.CertProfileName == "" || req.EndEntityName == "" {
apiErr := types.NewValidation("subjectDn, caName, certProfileName, and endEntityName are required")
return c.Status(apiErr.Status).JSON(types.NewErrorResponse(apiErr, reqID))
}
cert, err := h.svc.RequestCertificate(&req)
if err != nil {
apiErr := types.NewInternal(err.Error())
return c.Status(apiErr.Status).JSON(types.NewErrorResponse(apiErr, reqID))
}
return c.Status(fiber.StatusCreated).JSON(types.NewDataResponse(cert, reqID))
}
// Renew handles POST /api/v1/certs/:serialNumber/renew
func (h *CertHandler) Renew(c *fiber.Ctx) error {
reqID := middleware.GetRequestID(c)
serialNumber := c.Params("serialNumber")
// For renewal, we re-request with the same parameters
// The caller should provide the original cert's issuer DN
issuerDN := c.Query("issuerDn")
if issuerDN == "" {
apiErr := types.NewValidation("issuerDn query parameter is required for renewal")
return c.Status(apiErr.Status).JSON(types.NewErrorResponse(apiErr, reqID))
}
// Get the existing cert to extract parameters
existing, err := h.svc.GetCertificate(serialNumber, issuerDN)
if err != nil {
apiErr := types.NewInternal(err.Error())
return c.Status(apiErr.Status).JSON(types.NewErrorResponse(apiErr, reqID))
}
// Re-request with same subject
cert, err := h.svc.RequestCertificate(&types.CertRequest{
SubjectDN: existing.SubjectDN,
CAName: existing.CAName,
CertProfileName: "SERVER",
EndEntityName: existing.SubjectDN,
})
if err != nil {
apiErr := types.NewInternal(err.Error())
return c.Status(apiErr.Status).JSON(types.NewErrorResponse(apiErr, reqID))
}
return c.JSON(types.NewDataResponse(cert, reqID))
}
// Revoke handles POST /api/v1/certs/:serialNumber/revoke
func (h *CertHandler) Revoke(c *fiber.Ctx) error {
reqID := middleware.GetRequestID(c)
serialNumber := c.Params("serialNumber")
var req types.CertRevoke
if err := c.BodyParser(&req); err != nil {
apiErr := types.NewBadRequest("Invalid request body: " + err.Error())
return c.Status(apiErr.Status).JSON(types.NewErrorResponse(apiErr, reqID))
}
if req.IssuerDN == "" {
apiErr := types.NewValidation("issuerDn is required")
return c.Status(apiErr.Status).JSON(types.NewErrorResponse(apiErr, reqID))
}
if err := h.svc.RevokeCertificate(serialNumber, &req); err != nil {
apiErr := types.NewInternal(err.Error())
return c.Status(apiErr.Status).JSON(types.NewErrorResponse(apiErr, reqID))
}
return c.JSON(types.NewDataResponse(fiber.Map{
"serialNumber": serialNumber,
"revoked": true,
}, reqID))
}
Reference in New Issue View Git Blame Copy Permalink