From aa0cb9ab3c1f55f73eecd7201d6f98d054a9027d Mon Sep 17 00:00:00 2001 From: Echo Date: Tue, 5 May 2026 23:06:48 +0000 Subject: [PATCH] feat: cert bundle download with CA root, re-issue endpoint, and enhanced cert UI --- crates/pm-core/src/audit.rs | 2 + crates/pm-web/src/routes/ca.rs | 79 +++++++++ frontend/package-lock.json | 87 ++++++++++ frontend/package.json | 1 + frontend/src/api/client.ts | 4 + frontend/src/pages/CertificatesPage.tsx | 158 ++++++++++++++---- frontend/src/pages/HostDetailPage.tsx | 130 +++++++++++++- frontend/src/types/index.ts | 1 + migrations/010_cert_reissued_audit_action.sql | 2 + 9 files changed, 426 insertions(+), 38 deletions(-) create mode 100644 migrations/010_cert_reissued_audit_action.sql diff --git a/crates/pm-core/src/audit.rs b/crates/pm-core/src/audit.rs index 1878cd3..b96bd8b 100644 --- a/crates/pm-core/src/audit.rs +++ b/crates/pm-core/src/audit.rs @@ -50,6 +50,7 @@ pub enum AuditAction { HealthCheckCreated, HealthCheckUpdated, HealthCheckDeleted, + CertificateReissued, } impl AuditAction { @@ -86,6 +87,7 @@ impl AuditAction { Self::HealthCheckCreated => "health_check_created", Self::HealthCheckUpdated => "health_check_updated", Self::HealthCheckDeleted => "health_check_deleted", + Self::CertificateReissued => "certificate_reissued", } } } diff --git a/crates/pm-web/src/routes/ca.rs b/crates/pm-web/src/routes/ca.rs index 57dd4dd..545022c 100644 --- a/crates/pm-web/src/routes/ca.rs +++ b/crates/pm-web/src/routes/ca.rs @@ -11,6 +11,7 @@ //! host_cert_router() → merged under /api/v1/hosts //! GET /:host_id/client.crt download_client_cert (admin only) //! POST /:host_id/certificates issue_client_cert (admin only) +//! POST /:host_id/certificates/reissue reissue_host_cert (admin only) use axum::{ body::Body, @@ -50,6 +51,7 @@ pub fn host_cert_router() -> Router { Router::new() .route("/{host_id}/client.crt", get(download_client_cert)) .route("/{host_id}/certificates", post(issue_client_cert)) + .route("/{host_id}/certificates/reissue", post(reissue_host_cert)) } // ── Shared types ────────────────────────────────────────────────────────────── @@ -311,6 +313,7 @@ async fn issue_client_cert( "key_pem": issued.key_pem, "serial_number": issued.serial_number, "expires_at": issued.expires_at, + "ca_root_pem": state.ca.root_cert_pem(), }))) } @@ -360,6 +363,82 @@ async fn renew_cert( "key_pem": issued.key_pem, "serial_number": issued.serial_number, "expires_at": issued.expires_at, + "ca_root_pem": state.ca.root_cert_pem(), + }))) +} + +// ── POST /api/v1/hosts/:host_id/certificates/reissue ──────────────────────── + +/// Revoke ALL active certificates for a host and issue a new one. +/// The private key is returned only once — the caller must save it. +async fn reissue_host_cert( + State(state): State, + auth: AuthUser, + Path(host_id): Path, +) -> Result, (StatusCode, Json)> { + require_admin(&auth)?; + + // Look up the host's FQDN for the new certificate CN. + let fqdn: String = sqlx::query_scalar("SELECT fqdn FROM hosts WHERE id = $1") + .bind(host_id) + .fetch_one(&state.db) + .await + .map_err(|e| { + tracing::error!(error = %e, %host_id, "Failed to fetch host FQDN"); + if e.to_string().contains("no rows") { + ( + StatusCode::NOT_FOUND, + Json(json!({ "error": { "code": "not_found", "message": "Host not found" } })), + ) + } else { + db_error(e) + } + })?; + + // Revoke all active certificates for this host. + let revoked = sqlx::query( + "UPDATE certificates SET status = 'revoked'::cert_status, revoked_at = NOW() \ + WHERE host_id = $1 AND status = 'active'::cert_status", + ) + .bind(host_id) + .execute(&state.db) + .await + .map_err(db_error)?; + + tracing::info!(%host_id, rows_revoked = revoked.rows_affected(), "Revoked all active certs for host"); + + // Issue a new certificate using the host's FQDN. + let issued = state + .ca + .issue_client_cert(host_id, &fqdn, &state.db) + .await + .map_err(|e| { + tracing::error!(error = %e, %host_id, "Failed to issue new cert during reissue"); + ( + StatusCode::INTERNAL_SERVER_ERROR, + Json(json!({ "error": { "code": "internal_error", "message": e.to_string() } })), + ) + })?; + + log_event( + &state.db, + AuditAction::CertificateReissued, + Some(auth.user_id), + Some(&auth.username), + Some("certificate"), + Some(&host_id.to_string()), + json!({ "hostname": &fqdn, "serial_number": issued.serial_number, "rows_revoked": revoked.rows_affected() }), + None, + None, + ) + .await; + + Ok(Json(json!({ + "cert_pem": issued.cert_pem, + "key_pem": issued.key_pem, + "serial_number": issued.serial_number, + "expires_at": issued.expires_at, + "ca_root_pem": state.ca.root_cert_pem(), }))) } diff --git a/frontend/package-lock.json b/frontend/package-lock.json index 602d5a9..8e23b98 100644 --- a/frontend/package-lock.json +++ b/frontend/package-lock.json @@ -13,6 +13,7 @@ "@mui/icons-material": "^7.0.0", "@mui/material": "^7.0.0", "axios": "^1.9.0", + "jszip": "^3.10.1", "react": "^19.0.0", "react-dom": "^19.0.0", "react-router-dom": "^7.5.3", @@ -2317,6 +2318,11 @@ "url": "https://opencollective.com/express" } }, + "node_modules/core-util-is": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz", + "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==" + }, "node_modules/cosmiconfig": { "version": "7.1.0", "resolved": "https://registry.npmjs.org/cosmiconfig/-/cosmiconfig-7.1.0.tgz", @@ -3035,6 +3041,11 @@ "node": ">= 4" } }, + "node_modules/immediate": { + "version": "3.0.6", + "resolved": "https://registry.npmjs.org/immediate/-/immediate-3.0.6.tgz", + "integrity": "sha512-XXOFtyqDjNDAQxVfYxuF7g9Il/IbWmmlQg2MYKOH8ExIT1qg6xc4zyS3HaEEATgs1btfzxq15ciUiY7gjSXRGQ==" + }, "node_modules/import-fresh": { "version": "3.3.1", "resolved": "https://registry.npmjs.org/import-fresh/-/import-fresh-3.3.1.tgz", @@ -3059,6 +3070,11 @@ "node": ">=0.8.19" } }, + "node_modules/inherits": { + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", + "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" + }, "node_modules/is-arrayish": { "version": "0.2.1", "resolved": "https://registry.npmjs.org/is-arrayish/-/is-arrayish-0.2.1.tgz", @@ -3099,6 +3115,11 @@ "node": ">=0.10.0" } }, + "node_modules/isarray": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz", + "integrity": "sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==" + }, "node_modules/isexe": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz", @@ -3168,6 +3189,17 @@ "node": ">=6" } }, + "node_modules/jszip": { + "version": "3.10.1", + "resolved": "https://registry.npmjs.org/jszip/-/jszip-3.10.1.tgz", + "integrity": "sha512-xXDvecyTpGLrqFrvkrUSoxxfJI5AH7U8zxxtVclpsUtMCq4JQ290LY8AW5c7Ggnr/Y/oK+bQMbqK2qmtk3pN4g==", + "dependencies": { + "lie": "~3.3.0", + "pako": "~1.0.2", + "readable-stream": "~2.3.6", + "setimmediate": "^1.0.5" + } + }, "node_modules/keyv": { "version": "4.5.4", "resolved": "https://registry.npmjs.org/keyv/-/keyv-4.5.4.tgz", @@ -3190,6 +3222,14 @@ "node": ">= 0.8.0" } }, + "node_modules/lie": { + "version": "3.3.0", + "resolved": "https://registry.npmjs.org/lie/-/lie-3.3.0.tgz", + "integrity": "sha512-UaiMJzeWRlEujzAuw5LokY1L5ecNQYZKfmyZ9L7wDHb/p5etKaxXhohBcrw0EYby+G/NA52vRSN4N39dxHAIwQ==", + "dependencies": { + "immediate": "~3.0.5" + } + }, "node_modules/lines-and-columns": { "version": "1.2.4", "resolved": "https://registry.npmjs.org/lines-and-columns/-/lines-and-columns-1.2.4.tgz", @@ -3368,6 +3408,11 @@ "url": "https://github.com/sponsors/sindresorhus" } }, + "node_modules/pako": { + "version": "1.0.11", + "resolved": "https://registry.npmjs.org/pako/-/pako-1.0.11.tgz", + "integrity": "sha512-4hLB8Py4zZce5s4yd9XzopqwVv/yGNhV1Bl8NTmCq1763HeK2+EwVTv+leGeL13Dnh2wfbqowVPXCIO0z4taYw==" + }, "node_modules/parent-module": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/parent-module/-/parent-module-1.0.1.tgz", @@ -3481,6 +3526,11 @@ "node": ">= 0.8.0" } }, + "node_modules/process-nextick-args": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz", + "integrity": "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==" + }, "node_modules/prop-types": { "version": "15.8.1", "resolved": "https://registry.npmjs.org/prop-types/-/prop-types-15.8.1.tgz", @@ -3597,6 +3647,20 @@ "react-dom": ">=16.6.0" } }, + "node_modules/readable-stream": { + "version": "2.3.8", + "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz", + "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==", + "dependencies": { + "core-util-is": "~1.0.0", + "inherits": "~2.0.3", + "isarray": "~1.0.0", + "process-nextick-args": "~2.0.0", + "safe-buffer": "~5.1.1", + "string_decoder": "~1.1.1", + "util-deprecate": "~1.0.1" + } + }, "node_modules/resolve": { "version": "1.22.12", "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.12.tgz", @@ -3669,6 +3733,11 @@ "fsevents": "~2.3.2" } }, + "node_modules/safe-buffer": { + "version": "5.1.2", + "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", + "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" + }, "node_modules/scheduler": { "version": "0.27.0", "resolved": "https://registry.npmjs.org/scheduler/-/scheduler-0.27.0.tgz", @@ -3691,6 +3760,11 @@ "resolved": "https://registry.npmjs.org/set-cookie-parser/-/set-cookie-parser-2.7.2.tgz", "integrity": "sha512-oeM1lpU/UvhTxw+g3cIfxXHyJRc/uidd3yK1P242gzHds0udQBYzs3y8j4gCCW+ZJ7ad0yctld8RYO+bdurlvw==" }, + "node_modules/setimmediate": { + "version": "1.0.5", + "resolved": "https://registry.npmjs.org/setimmediate/-/setimmediate-1.0.5.tgz", + "integrity": "sha512-MATJdZp8sLqDl/68LfQmbP8zKPLQNV6BIZoIgrscFDQ+RsvK/BxeDQOgyxKKoh0y/8h3BqVFnCqQ/gd+reiIXA==" + }, "node_modules/shebang-command": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz", @@ -3729,6 +3803,14 @@ "node": ">=0.10.0" } }, + "node_modules/string_decoder": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", + "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", + "dependencies": { + "safe-buffer": "~5.1.0" + } + }, "node_modules/strip-json-comments": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-3.1.1.tgz", @@ -3861,6 +3943,11 @@ "punycode": "^2.1.0" } }, + "node_modules/util-deprecate": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", + "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==" + }, "node_modules/vite": { "version": "6.4.2", "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.2.tgz", diff --git a/frontend/package.json b/frontend/package.json index fef666d..c08a8b0 100644 --- a/frontend/package.json +++ b/frontend/package.json @@ -16,6 +16,7 @@ "@mui/icons-material": "^7.0.0", "@mui/material": "^7.0.0", "axios": "^1.9.0", + "jszip": "^3.10.1", "react": "^19.0.0", "react-dom": "^19.0.0", "react-router-dom": "^7.5.3", diff --git a/frontend/src/api/client.ts b/frontend/src/api/client.ts index d1f7290..0045c38 100644 --- a/frontend/src/api/client.ts +++ b/frontend/src/api/client.ts @@ -176,6 +176,10 @@ export const certsApi = { // Download host client cert as blob downloadClientCert: (hostId: string) => apiClient.get(`/hosts/${hostId}/client.crt`, { responseType: 'blob' }), + + // Re-issue all certs for a host — revokes all active certs and issues a new one + reissue: (hostId: string) => + apiClient.post(`/hosts/${hostId}/certificates/reissue`), } // ── Reports API (M9) ───────────────────────────────────────────────────────── diff --git a/frontend/src/pages/CertificatesPage.tsx b/frontend/src/pages/CertificatesPage.tsx index f179a44..1a4918e 100644 --- a/frontend/src/pages/CertificatesPage.tsx +++ b/frontend/src/pages/CertificatesPage.tsx @@ -1,3 +1,4 @@ +import JSZip from 'jszip' import { useCallback, useEffect, useState } from 'react' import { Alert, @@ -143,17 +144,33 @@ function IssueDialog({ open, onClose, onIssued }: IssueDialogProps) { interface KeyDisplayDialogProps { open: boolean cert: IssuedCert | null + hostname?: string onClose: () => void } -function KeyDisplayDialog({ open, cert, onClose }: KeyDisplayDialogProps) { - const [copied, setCopied] = useState(false) +function KeyDisplayDialog({ open, cert, hostname, onClose }: KeyDisplayDialogProps) { + const [copiedField, setCopiedField] = useState<'cert' | 'key' | 'ca' | null>(null) + const [downloading, setDownloading] = useState(false) - const handleCopy = async () => { - if (!cert?.key_pem) return - await navigator.clipboard.writeText(cert.key_pem) - setCopied(true) - setTimeout(() => setCopied(false), 2000) + const handleCopy = async (text: string, field: 'cert' | 'key' | 'ca') => { + await navigator.clipboard.writeText(text) + setCopiedField(field) + setTimeout(() => setCopiedField(null), 2000) + } + + const handleDownloadBundle = async () => { + if (!cert) return + setDownloading(true) + try { + const zip = new JSZip() + zip.file('ca.crt', cert.ca_root_pem) + zip.file('client.crt', cert.cert_pem) + zip.file('client.key', cert.key_pem) + const blob = await zip.generateAsync({ type: 'blob' }) + downloadBlob(blob, `${hostname || 'host'}-certs.zip`) + } finally { + setDownloading(false) + } } return ( @@ -165,36 +182,115 @@ function KeyDisplayDialog({ open, cert, onClose }: KeyDisplayDialogProps) { before closing this dialog. {cert && ( - + <> Serial: {cert.serial_number}  |  Expires: {fmtDate(cert.expires_at)} - - {cert.key_pem} + + + CA Root Certificate (ca.crt) + + + + + + {cert.ca_root_pem} + - + + + Certificate (client.crt) + + + + + + {cert.cert_pem} + + + + + Private Key (client.key) + + + + + + {cert.key_pem} + + + )} - - - - + + diff --git a/frontend/src/pages/HostDetailPage.tsx b/frontend/src/pages/HostDetailPage.tsx index 211e879..3c5fad3 100644 --- a/frontend/src/pages/HostDetailPage.tsx +++ b/frontend/src/pages/HostDetailPage.tsx @@ -1,4 +1,5 @@ import { useEffect, useState, useCallback } from 'react' +import JSZip from 'jszip' import { useParams, useNavigate } from 'react-router-dom' import { Alert, @@ -314,18 +315,40 @@ function HealthCheckFormDialog({ open, title, initial, onClose, onSubmit }: Heal interface KeyDisplayDialogProps { open: boolean cert: IssuedCert | null + hostname?: string onClose: () => void } -function KeyDisplayDialog({ open, cert, onClose }: KeyDisplayDialogProps) { - const [copiedField, setCopiedField] = useState<'cert' | 'key' | null>(null) +function KeyDisplayDialog({ open, cert, hostname, onClose }: KeyDisplayDialogProps) { + const [copiedField, setCopiedField] = useState<'cert' | 'key' | 'ca' | null>(null) + const [downloading, setDownloading] = useState(false) - const handleCopy = async (text: string, field: 'cert' | 'key') => { + const handleCopy = async (text: string, field: 'cert' | 'key' | 'ca') => { await navigator.clipboard.writeText(text) setCopiedField(field) setTimeout(() => setCopiedField(null), 2000) } + const handleDownloadBundle = async () => { + if (!cert) return + setDownloading(true) + try { + const zip = new JSZip() + zip.file('ca.crt', cert.ca_root_pem) + zip.file('client.crt', cert.cert_pem) + zip.file('client.key', cert.key_pem) + const blob = await zip.generateAsync({ type: 'blob' }) + const url = URL.createObjectURL(blob) + const a = document.createElement('a') + a.href = url + a.download = `${hostname || 'host'}-certs.zip` + a.click() + URL.revokeObjectURL(url) + } finally { + setDownloading(false) + } + } + return ( Certificate Issued — Save Your Private Key @@ -341,7 +364,38 @@ function KeyDisplayDialog({ open, cert, onClose }: KeyDisplayDialogProps) { - Certificate (cert.pem) + CA Root Certificate (ca.crt) + + + + + + {cert.ca_root_pem} + + + + + Certificate (client.crt) @@ -567,6 +628,11 @@ export default function HostDetailPage() { const [issueCertHostname, setIssueCertHostname] = useState('') const [issueCertError, setIssueCertError] = useState(null) + // Re-issue certificate state + const [reissueConfirmOpen, setReissueConfirmOpen] = useState(false) + const [reissueLoading, setReissueLoading] = useState(false) + const [reissueError, setReissueError] = useState(null) + // ── Fetch host ──────────────────────────────────────────────────────────── useEffect(() => { if (id === 'new') { setLoading(false); return } @@ -717,6 +783,26 @@ export default function HostDetailPage() { } } + // ── Re-issue certificate ──────────────────────────────────────────────── + const handleReissue = async () => { + if (!id) return + setReissueLoading(true) + setReissueError(null) + try { + const res = await certsApi.reissue(id) + setIssuedCert(res.data) + setReissueConfirmOpen(false) + setKeyDialogOpen(true) + setCertExists(true) + } catch (e: unknown) { + const msg = (e as { response?: { data?: { error?: { message?: string } } } }) + ?.response?.data?.error?.message ?? 'Failed to re-issue certificate' + setReissueError(msg) + } finally { + setReissueLoading(false) + } + } + // ── Create health check ────────────────────────────────────────────────── const handleHcCreateSubmit = async (values: HealthCheckFormValues) => { if (!id) return @@ -848,7 +934,18 @@ export default function HostDetailPage() { Issue Certificate )} - + {certExists && ( + + )} + @@ -1147,10 +1244,29 @@ export default function HostDetailPage() { + {/* Re-issue Certificate Confirmation Dialog */} + setReissueConfirmOpen(false)} maxWidth="sm" fullWidth> + Re-issue Certificate + + {reissueError && {reissueError}} + + This will revoke all existing certificates for this host and issue a new set. + {' '}The new private key will only be shown once. Continue? + + + + + + + + {/* One-time key display dialog */} setKeyDialogOpen(false)} /> diff --git a/frontend/src/types/index.ts b/frontend/src/types/index.ts index 2e4c67c..4a56fbd 100644 --- a/frontend/src/types/index.ts +++ b/frontend/src/types/index.ts @@ -203,6 +203,7 @@ export interface IssuedCert { key_pem: string serial_number: string expires_at: string + ca_root_pem: string } // ── Reports (M9) ───────────────────────────────────────────────────────────── diff --git a/migrations/010_cert_reissued_audit_action.sql b/migrations/010_cert_reissued_audit_action.sql new file mode 100644 index 0000000..39e571e --- /dev/null +++ b/migrations/010_cert_reissued_audit_action.sql @@ -0,0 +1,2 @@ +-- Add certificate_reissued audit_action enum value +ALTER TYPE audit_action ADD VALUE IF NOT EXISTS 'certificate_reissued';