3847eb2036
This repo had no version control prior to this commit. The import is a
straight snapshot of the working tree at 2026-05-03; the deployed
binary on fihelvop01 was being rebuilt from this source via `make
build` + scp into place, with no upstream review path.
The snapshot already includes one in-flight fix made on 2026-05-03 to
internal/service/persona.go:GetSelfModel — the handler queried
`source` and `strength` columns plus an `is_active = true` filter on
persona.persona_commitments, none of which exist on that table (its
shape is session-bound commitments with `status`, `commitment_meta`,
etc.). The query returned a 500 every time SynapseHub bootstrapped a
persona's self-model, dropping the IdentityConstraints / Commitments /
ConscienceStandards layer from the assembled prompt. The patched
query reads existing columns only (commitment_text, commitment_type),
filters on `status='active'`, and synthesises Source="learned" /
Strength=1.0 to keep the SelfModel response shape stable for callers.
Verified live: `GET /api/v1/personas/70f7cfd9-.../self-model` now
returns 200 with `{identityConstraints:[],commitments:[],
conscienceStandards:[]}` instead of 500.
Future changes go through PRs against this repo — no more bin-only
deploys.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
189 lines
5.4 KiB
Go
189 lines
5.4 KiB
Go
package client
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"os"
|
|
"time"
|
|
|
|
"github.com/rs/zerolog"
|
|
|
|
"github.com/gosec/gsc-ops-api/internal/config"
|
|
)
|
|
|
|
// EJBCAClient is an mTLS HTTP client for the EJBCA REST API
|
|
type EJBCAClient struct {
|
|
baseURL string
|
|
client *http.Client
|
|
logger zerolog.Logger
|
|
}
|
|
|
|
// NewEJBCAClient creates a new EJBCA client with mTLS
|
|
func NewEJBCAClient(cfg config.EJBCAConfig, logger zerolog.Logger) (*EJBCAClient, error) {
|
|
cert, err := tls.LoadX509KeyPair(cfg.CertFile, cfg.KeyFile)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to load EJBCA client cert: %w", err)
|
|
}
|
|
|
|
tlsCfg := &tls.Config{
|
|
Certificates: []tls.Certificate{cert},
|
|
MinVersion: tls.VersionTLS12,
|
|
}
|
|
|
|
if cfg.CAFile != "" {
|
|
caCert, err := os.ReadFile(cfg.CAFile)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to read EJBCA CA file: %w", err)
|
|
}
|
|
pool := x509.NewCertPool()
|
|
pool.AppendCertsFromPEM(caCert)
|
|
tlsCfg.RootCAs = pool
|
|
}
|
|
|
|
return &EJBCAClient{
|
|
baseURL: cfg.BaseURL,
|
|
client: &http.Client{
|
|
Timeout: 30 * time.Second,
|
|
Transport: &http.Transport{TLSClientConfig: tlsCfg},
|
|
},
|
|
logger: logger.With().Str("component", "ejbca").Logger(),
|
|
}, nil
|
|
}
|
|
|
|
// EJBCACert represents a certificate from EJBCA
|
|
type EJBCACert struct {
|
|
SerialNumber string `json:"serial_number"`
|
|
SubjectDN string `json:"subject_dn"`
|
|
IssuerDN string `json:"issuer_dn"`
|
|
Status string `json:"status"`
|
|
NotBefore string `json:"not_before"`
|
|
NotAfter string `json:"not_after"`
|
|
CertificateData string `json:"certificate"`
|
|
CAName string `json:"ca_name,omitempty"`
|
|
}
|
|
|
|
// CertSearchRequest is the request body for searching certificates
|
|
type CertSearchRequest struct {
|
|
MaxResults int `json:"max_number_of_results"`
|
|
Criteria []CertSearchCriterion `json:"criteria"`
|
|
}
|
|
|
|
// CertSearchCriterion is a single search criterion
|
|
type CertSearchCriterion struct {
|
|
Property string `json:"property"`
|
|
Value string `json:"value"`
|
|
Operation string `json:"operation"`
|
|
}
|
|
|
|
// CertEnrollRequest is the request body for enrolling a certificate
|
|
type CertEnrollRequest struct {
|
|
CertificateRequest string `json:"certificate_request,omitempty"`
|
|
CertificateProfileName string `json:"certificate_profile_name"`
|
|
EndEntityProfileName string `json:"end_entity_profile_name"`
|
|
CAName string `json:"certificate_authority_name"`
|
|
Username string `json:"username"`
|
|
Password string `json:"password"`
|
|
IncludeChain bool `json:"include_chain"`
|
|
SubjectAltName string `json:"subject_alternative_name,omitempty"`
|
|
}
|
|
|
|
// CertRevokeRequest is the request body for revoking a certificate
|
|
type CertRevokeRequest struct {
|
|
IssuerDN string `json:"issuer_dn"`
|
|
SerialNumber string `json:"serial_number"`
|
|
Reason string `json:"reason"`
|
|
}
|
|
|
|
func (c *EJBCAClient) do(method, path string, body interface{}, result interface{}) error {
|
|
url := c.baseURL + path
|
|
|
|
var reqBody io.Reader
|
|
if body != nil {
|
|
data, err := json.Marshal(body)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to marshal request: %w", err)
|
|
}
|
|
reqBody = bytes.NewReader(data)
|
|
}
|
|
|
|
req, err := http.NewRequest(method, url, reqBody)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to create request: %w", err)
|
|
}
|
|
req.Header.Set("Content-Type", "application/json")
|
|
req.Header.Set("Accept", "application/json")
|
|
|
|
resp, err := c.client.Do(req)
|
|
if err != nil {
|
|
return fmt.Errorf("request failed: %w", err)
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
respBody, err := io.ReadAll(resp.Body)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to read response: %w", err)
|
|
}
|
|
|
|
if resp.StatusCode >= 400 {
|
|
return fmt.Errorf("EJBCA error %d: %s", resp.StatusCode, string(respBody))
|
|
}
|
|
|
|
if result != nil && len(respBody) > 0 {
|
|
if err := json.Unmarshal(respBody, result); err != nil {
|
|
return fmt.Errorf("failed to parse response: %w", err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// SearchCertificates searches for certificates matching criteria
|
|
func (c *EJBCAClient) SearchCertificates(req *CertSearchRequest) ([]EJBCACert, error) {
|
|
var result struct {
|
|
Certificates []EJBCACert `json:"certificates"`
|
|
}
|
|
err := c.do("POST", "/ejbca/ejbca-rest-api/v1/certificate/search", req, &result)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return result.Certificates, nil
|
|
}
|
|
|
|
// GetCertificate gets a certificate by serial number and issuer DN
|
|
func (c *EJBCAClient) GetCertificate(issuerDN, serialNumber string) (*EJBCACert, error) {
|
|
path := fmt.Sprintf("/ejbca/ejbca-rest-api/v1/certificate/%s/%s", issuerDN, serialNumber)
|
|
var cert EJBCACert
|
|
err := c.do("GET", path, nil, &cert)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &cert, nil
|
|
}
|
|
|
|
// EnrollCertificate requests a new certificate
|
|
func (c *EJBCAClient) EnrollCertificate(req *CertEnrollRequest) (*EJBCACert, error) {
|
|
var cert EJBCACert
|
|
err := c.do("POST", "/ejbca/ejbca-rest-api/v1/certificate/enrollkeystore", req, &cert)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &cert, nil
|
|
}
|
|
|
|
// RevokeCertificate revokes a certificate
|
|
func (c *EJBCAClient) RevokeCertificate(issuerDN, serialNumber, reason string) error {
|
|
path := fmt.Sprintf("/ejbca/ejbca-rest-api/v1/certificate/%s/%s/revoke?reason=%s",
|
|
issuerDN, serialNumber, reason)
|
|
return c.do("PUT", path, nil, nil)
|
|
}
|
|
|
|
// Health checks EJBCA connectivity
|
|
func (c *EJBCAClient) Health() error {
|
|
return c.do("GET", "/ejbca/ejbca-rest-api/v1/certificate/status", nil, nil)
|
|
}
|