fix: remove dead min_tls_version config field, TLS 1.3 is only supported version (closes #16 )

Co-authored-by: git-echo <git-echo@moon-dragon.us>
feat: add rate limiting and job queue depth cap (closes #15 )
2026-06-06 16:50:55 -05:00 · 2026-06-06 15:39:49 -05:00
10 changed files with 45 additions and 17 deletions
--- a/DEPLOYMENT_GUIDE.md
+++ b/DEPLOYMENT_GUIDE.md
@ -181,7 +181,7 @@ tls:
  ca_cert: "/etc/linux_patch_api/certs/ca.pem"
  server_cert: "/etc/linux_patch_api/certs/server.pem"
  server_key: "/etc/linux_patch_api/certs/server.key"
-  min_tls_version: "1.3"
+  # TLS 1.3 is the only supported version (hardcoded, not configurable)
 jobs:
  max_concurrent: 5
--- a/README.md
+++ b/README.md
@ -395,7 +395,7 @@ tls:
  ca_cert: "/etc/linux_patch_api/certs/ca.pem"
  server_cert: "/etc/linux_patch_api/certs/server.pem"
  server_key: "/etc/linux_patch_api/certs/server.key"
-  min_tls_version: "1.3"
+  # TLS 1.3 is the only supported version (hardcoded, not configurable)
 # Job Configuration
 jobs:
--- a/configs/config.yaml.example
+++ b/configs/config.yaml.example
@ -14,7 +14,7 @@ tls:
  ca_cert: "/etc/linux_patch_api/certs/ca.pem"
  server_cert: "/etc/linux_patch_api/certs/server.pem"
  server_key: "/etc/linux_patch_api/certs/server.key"
-  min_tls_version: "1.3"
+  # TLS 1.3 is the only supported version (hardcoded, not configurable)
 # Job Configuration
 jobs:
--- a/src/auth/mtls.rs
+++ b/src/auth/mtls.rs
@ -143,12 +143,14 @@ impl ClientCertVerifier for CrlAwareVerifier {
 }
 /// mTLS Configuration
 ///
 /// TLS 1.3 is the only supported protocol version — this is hardcoded
 /// in `build_rustls_config()` and cannot be configured via this struct.
 #[derive(Debug, Clone)]
 pub struct MtlsConfig {
    pub ca_cert_path: String,
    pub server_cert_path: String,
    pub server_key_path: String,
    pub min_tls_version: String,
 }
 /// Build a rustls ServerConfig with client certificate verification.
--- a/src/config/loader.rs
+++ b/src/config/loader.rs
@ -33,8 +33,6 @@ pub struct TlsConfig {
    pub ca_cert: String,
    pub server_cert: String,
    pub server_key: String,
    #[serde(default = "default_tls_version")]
    pub min_tls_version: String,
    /// Path to persist the CRL fetched from the manager.
    /// Defaults to /etc/linux_patch_api/certs/crl.pem
    #[serde(default = "default_crl_path")]
@ -49,10 +47,6 @@ fn default_true() -> bool {
    true
 }
 fn default_tls_version() -> String {
    "1.3".to_string()
 }
 /// Jobs configuration
 #[derive(Debug, Deserialize, Serialize, Clone)]
 pub struct JobsConfig {
@ -501,6 +495,19 @@ impl AppConfig {
        let content = std::fs::read_to_string(path)
            .with_context(|| format!("Failed to read config file: {}", path))?;
        // Check for deprecated fields before typed parsing
        if let Ok(value) = serde_yaml::from_str::<serde_yaml::Value>(&content) {
            if let Some(tls) = value.get("tls") {
                if tls.get("min_tls_version").is_some() {
                    tracing::warn!(
                        "Config contains deprecated 'tls.min_tls_version' field. \
                         This field is ignored — TLS 1.3 is the only supported version. \
                         Remove it from your config to silence this warning."
                    );
                }
            }
        }
        let config: AppConfig = serde_yaml::from_str(&content)
            .with_context(|| format!("Failed to parse config file: {}", path))?;
--- a/src/config/mod.rs
+++ b/src/config/mod.rs
@ -8,4 +8,5 @@
 pub mod loader;
 pub use loader::{validate_certs, AppConfig, CertStatus, EnrollmentConfig, RateLimitConfig};
 pub mod validator;
 pub use validator::validate_config_warnings;
 pub mod watcher;
--- a/src/config/validator.rs
+++ b/src/config/validator.rs
@ -1,3 +1,25 @@
 //! Configuration Validator
 //!
-//! Placeholder - implementation in future phases
+//! Validates configuration values and warns about deprecated fields.
 use tracing::warn;
 /// Validate configuration for deprecated or unknown fields.
 ///
 /// This is called after config loading to emit warnings for fields
 /// that are no longer functional but may still be present in operator
 /// config files.
 pub fn validate_config_warnings(config_yaml: &str) {
    // Check for deprecated tls.min_tls_version field
    if let Ok(value) = serde_yaml::from_str::<serde_yaml::Value>(config_yaml) {
        if let Some(tls) = value.get("tls") {
            if tls.get("min_tls_version").is_some() {
                warn!(
                    "Config contains deprecated 'tls.min_tls_version' field. \
                     This field is ignored — TLS 1.3 is the only supported version. \
                     Remove it from your config to silence this warning."
                );
            }
        }
    }
 }
--- a/src/main.rs
+++ b/src/main.rs
@ -368,16 +368,15 @@ async fn main() -> Result<()> {
            ca_cert = %tls_config.ca_cert,
            server_cert = %tls_config.server_cert,
            server_key = %tls_config.server_key,
            min_tls_version = %tls_config.min_tls_version,
            crl_path = %tls_config.crl_path,
-            "Initializing mTLS authentication with TLS binding"
+            "Initializing mTLS authentication with TLS 1.3 binding"
        );
        // TLS 1.3 is the only supported version — hardcoded in build_rustls_config()
        let mtls_config = mtls::MtlsConfig {
            ca_cert_path: tls_config.ca_cert.clone(),
            server_cert_path: tls_config.server_cert.clone(),
            server_key_path: tls_config.server_key.clone(),
            min_tls_version: tls_config.min_tls_version.clone(),
        };
        // Load CRL from disk into the shared CRL state
--- a/tests/e2e/test_enrollment_e2e.rs
+++ b/tests/e2e/test_enrollment_e2e.rs
@ -77,7 +77,6 @@ fn build_tls_config(cert_dir: &std::path::Path) -> TlsConfig {
            .join("server.key.pem")
            .to_string_lossy()
            .to_string(),
        min_tls_version: "1.3".to_string(),
        crl_path: String::new(), // No CRL in E2E tests
    }
 }
--- a/tests/integration/auth_test.rs
+++ b/tests/integration/auth_test.rs
@ -15,7 +15,6 @@ mod mtls_tests {
            ca_cert_path: "/etc/linux_patch_api/certs/ca.pem".to_string(),
            server_cert_path: "/etc/linux_patch_api/certs/server.pem".to_string(),
            server_key_path: "/etc/linux_patch_api/certs/server.key".to_string(),
            min_tls_version: "1.3".to_string(),
        };
        assert_eq!(config.ca_cert_path, "/etc/linux_patch_api/certs/ca.pem");
@ -27,7 +26,6 @@ mod mtls_tests {
            config.server_key_path,
            "/etc/linux_patch_api/certs/server.key"
        );
        assert_eq!(config.min_tls_version, "1.3");
    }
    #[test]
Author	SHA1	Message	Date
Draco-Lunaris-Echo	eac05ad1eb	fix: remove dead min_tls_version config field, TLS 1.3 is only supported version (closes #16 ) Some checks failed CI/CD Pipeline / Code Format (push) Successful in 4s CI/CD Pipeline / Clippy Lints (push) Successful in 44s CI/CD Pipeline / All Unit Tests (push) Successful in 1m24s CI/CD Pipeline / Security Audit (push) Successful in 4s CI/CD Pipeline / Enrollment Tests (push) Successful in 1m15s CI/CD Pipeline / Verify Enrollment CLI Flag (push) Successful in 1m0s CI/CD Pipeline / Build Debian Package (push) Failing after 4s CI/CD Pipeline / Build Debian Package (Ubuntu 22.04) (push) Failing after 4s CI/CD Pipeline / Build RPM Package (push) Successful in 2m17s CI/CD Pipeline / Build Arch Package (push) Successful in 2m25s CI/CD Pipeline / Build Alpine Package (push) Failing after 3m15s Co-authored-by: git-echo <git-echo@moon-dragon.us>	2026-06-06 16:50:55 -05:00
Draco-Lunaris-Echo	df2f4c70c9	feat: add rate limiting and job queue depth cap (closes #15 ) Some checks failed CI/CD Pipeline / Code Format (push) Successful in 3s CI/CD Pipeline / Clippy Lints (push) Successful in 45s CI/CD Pipeline / All Unit Tests (push) Successful in 1m24s CI/CD Pipeline / Security Audit (push) Successful in 4s CI/CD Pipeline / Enrollment Tests (push) Successful in 1m14s CI/CD Pipeline / Build Debian Package (Ubuntu 22.04) (push) Failing after 4s CI/CD Pipeline / Verify Enrollment CLI Flag (push) Successful in 1m0s CI/CD Pipeline / Build Debian Package (push) Failing after 5s CI/CD Pipeline / Build Arch Package (push) Successful in 2m24s CI/CD Pipeline / Build RPM Package (push) Successful in 2m15s CI/CD Pipeline / Build Alpine Package (push) Failing after 3m19s - Add custom RateLimitMiddleware using governor crate for per-IP rate limiting - Two-tier rate limiting: destructive (20 req/min, burst 10) and read (120 req/min, burst 30) - Health endpoints (/health, /api/v1/system/info) exempt from rate limiting - Add max_queue_depth to JobManager (default: 100, configurable via config.yaml) - Return 429 Too Many Requests with Retry-After header when queue is full - Add RateLimitConfig to config.yaml with all rate limit settings - Add 10 tests covering rate limiting, queue depth, and configuration defaults Co-authored-by: git-echo <git-echo@moon-dragon.us>	2026-06-06 15:39:49 -05:00