git-echo/linux_patch_manager
Private
Public Access
1
0
Fork 0
Code Releases 8 Wiki Activity

feat: cert bundle download with CA root, re-issue endpoint, and enhanced cert UI
Some checks failed
CI Pipeline / Rust Format Check (push) Failing after 4s
Details
CI Pipeline / Clippy Lints (push) Successful in 46s
Details
CI Pipeline / Rust Unit Tests (push) Successful in 1m2s
Details
CI Pipeline / Security Audit (push) Successful in 5s
Details
CI Pipeline / Frontend Lint & Type Check (push) Failing after 10s
Details
CI Pipeline / Build .deb & Release (push) Has been skipped
Details

Browse Source
This commit is contained in:
Echo
2026-05-05 23:06:48 +00:00
parent d59597b732
commit aa0cb9ab3c
9 changed files with 426 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
crates/pm-core/src/audit.rs
View File

@ -50,6 +50,7 @@ pub enum AuditAction {
HealthCheckCreated, HealthCheckCreated,
HealthCheckUpdated, HealthCheckUpdated,
HealthCheckDeleted, HealthCheckDeleted,
CertificateReissued,
} }
impl AuditAction { impl AuditAction {
@ -86,6 +87,7 @@ impl AuditAction {
Self::HealthCheckCreated => "health_check_created", Self::HealthCheckCreated => "health_check_created",
Self::HealthCheckUpdated => "health_check_updated", Self::HealthCheckUpdated => "health_check_updated",
Self::HealthCheckDeleted => "health_check_deleted", Self::HealthCheckDeleted => "health_check_deleted",
Self::CertificateReissued => "certificate_reissued",
} }
} }
} }

79
crates/pm-web/src/routes/ca.rs
View File

@ -11,6 +11,7 @@
//! host_cert_router() → merged under /api/v1/hosts //! host_cert_router() → merged under /api/v1/hosts
//! GET /:host_id/client.crt download_client_cert (admin only) //! GET /:host_id/client.crt download_client_cert (admin only)
//! POST /:host_id/certificates issue_client_cert (admin only) //! POST /:host_id/certificates issue_client_cert (admin only)
//! POST /:host_id/certificates/reissue reissue_host_cert (admin only)
use axum::{ use axum::{
body::Body, body::Body,
@ -50,6 +51,7 @@ pub fn host_cert_router() -> Router<AppState> {
Router::new() Router::new()
.route("/{host_id}/client.crt", get(download_client_cert)) .route("/{host_id}/client.crt", get(download_client_cert))
.route("/{host_id}/certificates", post(issue_client_cert)) .route("/{host_id}/certificates", post(issue_client_cert))
.route("/{host_id}/certificates/reissue", post(reissue_host_cert))
} }
// ── Shared types ────────────────────────────────────────────────────────────── // ── Shared types ──────────────────────────────────────────────────────────────
@ -311,6 +313,7 @@ async fn issue_client_cert(
"key_pem": issued.key_pem, "key_pem": issued.key_pem,
"serial_number": issued.serial_number, "serial_number": issued.serial_number,
"expires_at": issued.expires_at, "expires_at": issued.expires_at,
"ca_root_pem": state.ca.root_cert_pem(),
}))) })))
} }
@ -360,6 +363,82 @@ async fn renew_cert(
"key_pem": issued.key_pem, "key_pem": issued.key_pem,
"serial_number": issued.serial_number, "serial_number": issued.serial_number,
"expires_at": issued.expires_at, "expires_at": issued.expires_at,
"ca_root_pem": state.ca.root_cert_pem(),
})))
}
// ── POST /api/v1/hosts/:host_id/certificates/reissue ────────────────────────
/// Revoke ALL active certificates for a host and issue a new one.
/// The private key is returned only once — the caller must save it.
async fn reissue_host_cert(
State(state): State<AppState>,
auth: AuthUser,
Path(host_id): Path<Uuid>,
) -> Result<Json<Value>, (StatusCode, Json<Value>)> {
require_admin(&auth)?;
// Look up the host's FQDN for the new certificate CN.
let fqdn: String = sqlx::query_scalar("SELECT fqdn FROM hosts WHERE id = $1")
.bind(host_id)
.fetch_one(&state.db)
.await
.map_err(|e| {
tracing::error!(error = %e, %host_id, "Failed to fetch host FQDN");
if e.to_string().contains("no rows") {
(
StatusCode::NOT_FOUND,
Json(json!({ "error": { "code": "not_found", "message": "Host not found" } })),
)
} else {
db_error(e)
}
})?;
// Revoke all active certificates for this host.
let revoked = sqlx::query(
"UPDATE certificates SET status = 'revoked'::cert_status, revoked_at = NOW() \
WHERE host_id = $1 AND status = 'active'::cert_status",
)
.bind(host_id)
.execute(&state.db)
.await
.map_err(db_error)?;
tracing::info!(%host_id, rows_revoked = revoked.rows_affected(), "Revoked all active certs for host");
// Issue a new certificate using the host's FQDN.
let issued = state
.ca
.issue_client_cert(host_id, &fqdn, &state.db)
.await
.map_err(|e| {
tracing::error!(error = %e, %host_id, "Failed to issue new cert during reissue");
(
StatusCode::INTERNAL_SERVER_ERROR,
Json(json!({ "error": { "code": "internal_error", "message": e.to_string() } })),
)
})?;
log_event(
&state.db,
AuditAction::CertificateReissued,
Some(auth.user_id),
Some(&auth.username),
Some("certificate"),
Some(&host_id.to_string()),
json!({ "hostname": &fqdn, "serial_number": issued.serial_number, "rows_revoked": revoked.rows_affected() }),
None,
None,
)
.await;
Ok(Json(json!({
"cert_pem": issued.cert_pem,
"key_pem": issued.key_pem,
"serial_number": issued.serial_number,
"expires_at": issued.expires_at,
"ca_root_pem": state.ca.root_cert_pem(),
}))) })))
} }

87
frontend/package-lock.json generated
View File

@ -13,6 +13,7 @@
"@mui/icons-material": "^7.0.0", "@mui/icons-material": "^7.0.0",
"@mui/material": "^7.0.0", "@mui/material": "^7.0.0",
"axios": "^1.9.0", "axios": "^1.9.0",
"jszip": "^3.10.1",
"react": "^19.0.0", "react": "^19.0.0",
"react-dom": "^19.0.0", "react-dom": "^19.0.0",
"react-router-dom": "^7.5.3", "react-router-dom": "^7.5.3",
@ -2317,6 +2318,11 @@
"url": "https://opencollective.com/express" "url": "https://opencollective.com/express"
} }
}, },
"node_modules/core-util-is": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz",
"integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ=="
},
"node_modules/cosmiconfig": { "node_modules/cosmiconfig": {
"version": "7.1.0", "version": "7.1.0",
"resolved": "https://registry.npmjs.org/cosmiconfig/-/cosmiconfig-7.1.0.tgz", "resolved": "https://registry.npmjs.org/cosmiconfig/-/cosmiconfig-7.1.0.tgz",
@ -3035,6 +3041,11 @@
"node": ">= 4" "node": ">= 4"
} }
}, },
"node_modules/immediate": {
"version": "3.0.6",
"resolved": "https://registry.npmjs.org/immediate/-/immediate-3.0.6.tgz",
"integrity": "sha512-XXOFtyqDjNDAQxVfYxuF7g9Il/IbWmmlQg2MYKOH8ExIT1qg6xc4zyS3HaEEATgs1btfzxq15ciUiY7gjSXRGQ=="
},
"node_modules/import-fresh": { "node_modules/import-fresh": {
"version": "3.3.1", "version": "3.3.1",
"resolved": "https://registry.npmjs.org/import-fresh/-/import-fresh-3.3.1.tgz", "resolved": "https://registry.npmjs.org/import-fresh/-/import-fresh-3.3.1.tgz",
@ -3059,6 +3070,11 @@
"node": ">=0.8.19" "node": ">=0.8.19"
} }
}, },
"node_modules/inherits": {
"version": "2.0.4",
"resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
"integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ=="
},
"node_modules/is-arrayish": { "node_modules/is-arrayish": {
"version": "0.2.1", "version": "0.2.1",
"resolved": "https://registry.npmjs.org/is-arrayish/-/is-arrayish-0.2.1.tgz", "resolved": "https://registry.npmjs.org/is-arrayish/-/is-arrayish-0.2.1.tgz",
@ -3099,6 +3115,11 @@
"node": ">=0.10.0" "node": ">=0.10.0"
} }
}, },
"node_modules/isarray": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz",
"integrity": "sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ=="
},
"node_modules/isexe": { "node_modules/isexe": {
"version": "2.0.0", "version": "2.0.0",
"resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz", "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz",
@ -3168,6 +3189,17 @@
"node": ">=6" "node": ">=6"
} }
}, },
"node_modules/jszip": {
"version": "3.10.1",
"resolved": "https://registry.npmjs.org/jszip/-/jszip-3.10.1.tgz",
"integrity": "sha512-xXDvecyTpGLrqFrvkrUSoxxfJI5AH7U8zxxtVclpsUtMCq4JQ290LY8AW5c7Ggnr/Y/oK+bQMbqK2qmtk3pN4g==",
"dependencies": {
"lie": "~3.3.0",
"pako": "~1.0.2",
"readable-stream": "~2.3.6",
"setimmediate": "^1.0.5"
}
},
"node_modules/keyv": { "node_modules/keyv": {
"version": "4.5.4", "version": "4.5.4",
"resolved": "https://registry.npmjs.org/keyv/-/keyv-4.5.4.tgz", "resolved": "https://registry.npmjs.org/keyv/-/keyv-4.5.4.tgz",
@ -3190,6 +3222,14 @@
"node": ">= 0.8.0" "node": ">= 0.8.0"
} }
}, },
"node_modules/lie": {
"version": "3.3.0",
"resolved": "https://registry.npmjs.org/lie/-/lie-3.3.0.tgz",
"integrity": "sha512-UaiMJzeWRlEujzAuw5LokY1L5ecNQYZKfmyZ9L7wDHb/p5etKaxXhohBcrw0EYby+G/NA52vRSN4N39dxHAIwQ==",
"dependencies": {
"immediate": "~3.0.5"
}
},
"node_modules/lines-and-columns": { "node_modules/lines-and-columns": {
"version": "1.2.4", "version": "1.2.4",
"resolved": "https://registry.npmjs.org/lines-and-columns/-/lines-and-columns-1.2.4.tgz", "resolved": "https://registry.npmjs.org/lines-and-columns/-/lines-and-columns-1.2.4.tgz",
@ -3368,6 +3408,11 @@
"url": "https://github.com/sponsors/sindresorhus" "url": "https://github.com/sponsors/sindresorhus"
} }
}, },
"node_modules/pako": {
"version": "1.0.11",
"resolved": "https://registry.npmjs.org/pako/-/pako-1.0.11.tgz",
"integrity": "sha512-4hLB8Py4zZce5s4yd9XzopqwVv/yGNhV1Bl8NTmCq1763HeK2+EwVTv+leGeL13Dnh2wfbqowVPXCIO0z4taYw=="
},
"node_modules/parent-module": { "node_modules/parent-module": {
"version": "1.0.1", "version": "1.0.1",
"resolved": "https://registry.npmjs.org/parent-module/-/parent-module-1.0.1.tgz", "resolved": "https://registry.npmjs.org/parent-module/-/parent-module-1.0.1.tgz",
@ -3481,6 +3526,11 @@
"node": ">= 0.8.0" "node": ">= 0.8.0"
} }
}, },
"node_modules/process-nextick-args": {
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz",
"integrity": "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag=="
},
"node_modules/prop-types": { "node_modules/prop-types": {
"version": "15.8.1", "version": "15.8.1",
"resolved": "https://registry.npmjs.org/prop-types/-/prop-types-15.8.1.tgz", "resolved": "https://registry.npmjs.org/prop-types/-/prop-types-15.8.1.tgz",
@ -3597,6 +3647,20 @@
"react-dom": ">=16.6.0" "react-dom": ">=16.6.0"
} }
}, },
"node_modules/readable-stream": {
"version": "2.3.8",
"resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz",
"integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==",
"dependencies": {
"core-util-is": "~1.0.0",
"inherits": "~2.0.3",
"isarray": "~1.0.0",
"process-nextick-args": "~2.0.0",
"safe-buffer": "~5.1.1",
"string_decoder": "~1.1.1",
"util-deprecate": "~1.0.1"
}
},
"node_modules/resolve": { "node_modules/resolve": {
"version": "1.22.12", "version": "1.22.12",
"resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.12.tgz", "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.12.tgz",
@ -3669,6 +3733,11 @@
"fsevents": "~2.3.2" "fsevents": "~2.3.2"
} }
}, },
"node_modules/safe-buffer": {
"version": "5.1.2",
"resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz",
"integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="
},
"node_modules/scheduler": { "node_modules/scheduler": {
"version": "0.27.0", "version": "0.27.0",
"resolved": "https://registry.npmjs.org/scheduler/-/scheduler-0.27.0.tgz", "resolved": "https://registry.npmjs.org/scheduler/-/scheduler-0.27.0.tgz",
@ -3691,6 +3760,11 @@
"resolved": "https://registry.npmjs.org/set-cookie-parser/-/set-cookie-parser-2.7.2.tgz", "resolved": "https://registry.npmjs.org/set-cookie-parser/-/set-cookie-parser-2.7.2.tgz",
"integrity": "sha512-oeM1lpU/UvhTxw+g3cIfxXHyJRc/uidd3yK1P242gzHds0udQBYzs3y8j4gCCW+ZJ7ad0yctld8RYO+bdurlvw==" "integrity": "sha512-oeM1lpU/UvhTxw+g3cIfxXHyJRc/uidd3yK1P242gzHds0udQBYzs3y8j4gCCW+ZJ7ad0yctld8RYO+bdurlvw=="
}, },
"node_modules/setimmediate": {
"version": "1.0.5",
"resolved": "https://registry.npmjs.org/setimmediate/-/setimmediate-1.0.5.tgz",
"integrity": "sha512-MATJdZp8sLqDl/68LfQmbP8zKPLQNV6BIZoIgrscFDQ+RsvK/BxeDQOgyxKKoh0y/8h3BqVFnCqQ/gd+reiIXA=="
},
"node_modules/shebang-command": { "node_modules/shebang-command": {
"version": "2.0.0", "version": "2.0.0",
"resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz", "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz",
@ -3729,6 +3803,14 @@
"node": ">=0.10.0" "node": ">=0.10.0"
} }
}, },
"node_modules/string_decoder": {
"version": "1.1.1",
"resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz",
"integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==",
"dependencies": {
"safe-buffer": "~5.1.0"
}
},
"node_modules/strip-json-comments": { "node_modules/strip-json-comments": {
"version": "3.1.1", "version": "3.1.1",
"resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-3.1.1.tgz", "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-3.1.1.tgz",
@ -3861,6 +3943,11 @@
"punycode": "^2.1.0" "punycode": "^2.1.0"
} }
}, },
"node_modules/util-deprecate": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
"integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw=="
},
"node_modules/vite": { "node_modules/vite": {
"version": "6.4.2", "version": "6.4.2",
"resolved": "https://registry.npmjs.org/vite/-/vite-6.4.2.tgz", "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.2.tgz",

1
frontend/package.json
View File

@ -16,6 +16,7 @@
"@mui/icons-material": "^7.0.0", "@mui/icons-material": "^7.0.0",
"@mui/material": "^7.0.0", "@mui/material": "^7.0.0",
"axios": "^1.9.0", "axios": "^1.9.0",
"jszip": "^3.10.1",
"react": "^19.0.0", "react": "^19.0.0",
"react-dom": "^19.0.0", "react-dom": "^19.0.0",
"react-router-dom": "^7.5.3", "react-router-dom": "^7.5.3",

4
frontend/src/api/client.ts
View File

@ -176,6 +176,10 @@ export const certsApi = {
// Download host client cert as blob // Download host client cert as blob
downloadClientCert: (hostId: string) => downloadClientCert: (hostId: string) =>
apiClient.get(`/hosts/${hostId}/client.crt`, { responseType: 'blob' }), apiClient.get(`/hosts/${hostId}/client.crt`, { responseType: 'blob' }),
// Re-issue all certs for a host — revokes all active certs and issues a new one
reissue: (hostId: string) =>
apiClient.post<IssuedCert>(`/hosts/${hostId}/certificates/reissue`),
} }
// ── Reports API (M9) ───────────────────────────────────────────────────────── // ── Reports API (M9) ─────────────────────────────────────────────────────────

126
frontend/src/pages/CertificatesPage.tsx
View File

@ -1,3 +1,4 @@
import JSZip from 'jszip'
import { useCallback, useEffect, useState } from 'react' import { useCallback, useEffect, useState } from 'react'
import { import {
Alert, Alert,
@ -143,17 +144,33 @@ function IssueDialog({ open, onClose, onIssued }: IssueDialogProps) {
interface KeyDisplayDialogProps { interface KeyDisplayDialogProps {
open: boolean open: boolean
cert: IssuedCert | null cert: IssuedCert | null
hostname?: string
onClose: () => void onClose: () => void
} }
function KeyDisplayDialog({ open, cert, onClose }: KeyDisplayDialogProps) { function KeyDisplayDialog({ open, cert, hostname, onClose }: KeyDisplayDialogProps) {
const [copied, setCopied] = useState(false) const [copiedField, setCopiedField] = useState<'cert' | 'key' | 'ca' | null>(null)
const [downloading, setDownloading] = useState(false)
const handleCopy = async () => { const handleCopy = async (text: string, field: 'cert' | 'key' | 'ca') => {
if (!cert?.key_pem) return await navigator.clipboard.writeText(text)
await navigator.clipboard.writeText(cert.key_pem) setCopiedField(field)
setCopied(true) setTimeout(() => setCopiedField(null), 2000)
setTimeout(() => setCopied(false), 2000) }
const handleDownloadBundle = async () => {
if (!cert) return
setDownloading(true)
try {
const zip = new JSZip()
zip.file('ca.crt', cert.ca_root_pem)
zip.file('client.crt', cert.cert_pem)
zip.file('client.key', cert.key_pem)
const blob = await zip.generateAsync({ type: 'blob' })
downloadBlob(blob, `${hostname || 'host'}-certs.zip`)
} finally {
setDownloading(false)
}
} }
return ( return (
@ -165,20 +182,96 @@ function KeyDisplayDialog({ open, cert, onClose }: KeyDisplayDialogProps) {
before closing this dialog. before closing this dialog.
</Alert> </Alert>
{cert && ( {cert && (
<Box> <>
<Typography variant="caption" color="text.secondary"> <Typography variant="caption" color="text.secondary">
Serial: {cert.serial_number} &nbsp;|&nbsp; Expires: {fmtDate(cert.expires_at)} Serial: {cert.serial_number} &nbsp;|&nbsp; Expires: {fmtDate(cert.expires_at)}
</Typography> </Typography>
<Box>
<Box sx={{ display: 'flex', alignItems: 'center', justifyContent: 'space-between', mb: 0.5 }}>
<Typography variant="subtitle2">CA Root Certificate (ca.crt)</Typography>
<Tooltip title={copiedField === 'ca' ? 'Copied!' : 'Copy CA root cert to clipboard'}>
<Button
size="small"
startIcon={<CopyIcon />}
onClick={() => handleCopy(cert.ca_root_pem, 'ca')}
variant="outlined"
>
{copiedField === 'ca' ? 'Copied!' : 'Copy CA Root'}
</Button>
</Tooltip>
</Box>
<Box <Box
component="pre" component="pre"
sx={{ sx={{
mt: 1,
p: 2, p: 2,
bgcolor: 'grey.100', bgcolor: 'grey.100',
borderRadius: 1, borderRadius: 1,
fontSize: 12, fontSize: 12,
overflow: 'auto', overflow: 'auto',
maxHeight: 320, maxHeight: 150,
fontFamily: 'monospace',
whiteSpace: 'pre-wrap',
wordBreak: 'break-all',
}}
>
{cert.ca_root_pem}
</Box>
</Box>
<Box>
<Box sx={{ display: 'flex', alignItems: 'center', justifyContent: 'space-between', mb: 0.5 }}>
<Typography variant="subtitle2">Certificate (client.crt)</Typography>
<Tooltip title={copiedField === 'cert' ? 'Copied!' : 'Copy certificate to clipboard'}>
<Button
size="small"
startIcon={<CopyIcon />}
onClick={() => handleCopy(cert.cert_pem, 'cert')}
variant="outlined"
>
{copiedField === 'cert' ? 'Copied!' : 'Copy Cert'}
</Button>
</Tooltip>
</Box>
<Box
component="pre"
sx={{
p: 2,
bgcolor: 'grey.100',
borderRadius: 1,
fontSize: 12,
overflow: 'auto',
maxHeight: 200,
fontFamily: 'monospace',
whiteSpace: 'pre-wrap',
wordBreak: 'break-all',
}}
>
{cert.cert_pem}
</Box>
</Box>
<Box>
<Box sx={{ display: 'flex', alignItems: 'center', justifyContent: 'space-between', mb: 0.5 }}>
<Typography variant="subtitle2" color="error">Private Key (client.key)</Typography>
<Tooltip title={copiedField === 'key' ? 'Copied!' : 'Copy private key to clipboard'}>
<Button
size="small"
startIcon={<CopyIcon />}
onClick={() => handleCopy(cert.key_pem, 'key')}
variant="outlined"
color="error"
>
{copiedField === 'key' ? 'Copied!' : 'Copy Key'}
</Button>
</Tooltip>
</Box>
<Box
component="pre"
sx={{
p: 2,
bgcolor: 'grey.100',
borderRadius: 1,
fontSize: 12,
overflow: 'auto',
maxHeight: 200,
fontFamily: 'monospace', fontFamily: 'monospace',
whiteSpace: 'pre-wrap', whiteSpace: 'pre-wrap',
wordBreak: 'break-all', wordBreak: 'break-all',
@ -187,14 +280,17 @@ function KeyDisplayDialog({ open, cert, onClose }: KeyDisplayDialogProps) {
{cert.key_pem} {cert.key_pem}
</Box> </Box>
</Box> </Box>
</>
)} )}
</DialogContent> </DialogContent>
<DialogActions> <DialogActions sx={{ justifyContent: 'space-between' }}>
<Tooltip title={copied ? 'Copied!' : 'Copy private key to clipboard'}> <Button
<Button startIcon={<CopyIcon />} onClick={handleCopy} variant="outlined"> variant="outlined"
{copied ? 'Copied!' : 'Copy Key'} onClick={handleDownloadBundle}
disabled={downloading || !cert}
>
{downloading ? <CircularProgress size={20} /> : 'Download Bundle (.zip)'}
</Button> </Button>
</Tooltip>
<Button variant="contained" onClick={onClose}>I Have Saved the Key</Button> <Button variant="contained" onClick={onClose}>I Have Saved the Key</Button>
</DialogActions> </DialogActions>
</Dialog> </Dialog>

130
frontend/src/pages/HostDetailPage.tsx
View File

@ -1,4 +1,5 @@
import { useEffect, useState, useCallback } from 'react' import { useEffect, useState, useCallback } from 'react'
import JSZip from 'jszip'
import { useParams, useNavigate } from 'react-router-dom' import { useParams, useNavigate } from 'react-router-dom'
import { import {
Alert, Alert,
@ -314,18 +315,40 @@ function HealthCheckFormDialog({ open, title, initial, onClose, onSubmit }: Heal
interface KeyDisplayDialogProps { interface KeyDisplayDialogProps {
open: boolean open: boolean
cert: IssuedCert | null cert: IssuedCert | null
hostname?: string
onClose: () => void onClose: () => void
} }
function KeyDisplayDialog({ open, cert, onClose }: KeyDisplayDialogProps) { function KeyDisplayDialog({ open, cert, hostname, onClose }: KeyDisplayDialogProps) {
const [copiedField, setCopiedField] = useState<'cert' | 'key' | null>(null) const [copiedField, setCopiedField] = useState<'cert' | 'key' | 'ca' | null>(null)
const [downloading, setDownloading] = useState(false)
const handleCopy = async (text: string, field: 'cert' | 'key') => { const handleCopy = async (text: string, field: 'cert' | 'key' | 'ca') => {
await navigator.clipboard.writeText(text) await navigator.clipboard.writeText(text)
setCopiedField(field) setCopiedField(field)
setTimeout(() => setCopiedField(null), 2000) setTimeout(() => setCopiedField(null), 2000)
} }
const handleDownloadBundle = async () => {
if (!cert) return
setDownloading(true)
try {
const zip = new JSZip()
zip.file('ca.crt', cert.ca_root_pem)
zip.file('client.crt', cert.cert_pem)
zip.file('client.key', cert.key_pem)
const blob = await zip.generateAsync({ type: 'blob' })
const url = URL.createObjectURL(blob)
const a = document.createElement('a')
a.href = url
a.download = `${hostname || 'host'}-certs.zip`
a.click()
URL.revokeObjectURL(url)
} finally {
setDownloading(false)
}
}
return ( return (
<Dialog open={open} onClose={onClose} maxWidth="md" fullWidth> <Dialog open={open} onClose={onClose} maxWidth="md" fullWidth>
<DialogTitle>Certificate Issued Save Your Private Key</DialogTitle> <DialogTitle>Certificate Issued Save Your Private Key</DialogTitle>
@ -341,7 +364,38 @@ function KeyDisplayDialog({ open, cert, onClose }: KeyDisplayDialogProps) {
</Typography> </Typography>
<Box> <Box>
<Box sx={{ display: 'flex', alignItems: 'center', justifyContent: 'space-between', mb: 0.5 }}> <Box sx={{ display: 'flex', alignItems: 'center', justifyContent: 'space-between', mb: 0.5 }}>
<Typography variant="subtitle2">Certificate (cert.pem)</Typography> <Typography variant="subtitle2">CA Root Certificate (ca.crt)</Typography>
<Tooltip title={copiedField === 'ca' ? 'Copied!' : 'Copy CA root cert to clipboard'}>
<Button
size="small"
startIcon={<CopyIcon />}
onClick={() => handleCopy(cert.ca_root_pem, 'ca')}
variant="outlined"
>
{copiedField === 'ca' ? 'Copied!' : 'Copy CA Root'}
</Button>
</Tooltip>
</Box>
<Box
component="pre"
sx={{
p: 2,
bgcolor: 'grey.100',
borderRadius: 1,
fontSize: 12,
overflow: 'auto',
maxHeight: 150,
fontFamily: 'monospace',
whiteSpace: 'pre-wrap',
wordBreak: 'break-all',
}}
>
{cert.ca_root_pem}
</Box>
</Box>
<Box>
<Box sx={{ display: 'flex', alignItems: 'center', justifyContent: 'space-between', mb: 0.5 }}>
<Typography variant="subtitle2">Certificate (client.crt)</Typography>
<Tooltip title={copiedField === 'cert' ? 'Copied!' : 'Copy certificate to clipboard'}> <Tooltip title={copiedField === 'cert' ? 'Copied!' : 'Copy certificate to clipboard'}>
<Button <Button
size="small" size="small"
@ -372,7 +426,7 @@ function KeyDisplayDialog({ open, cert, onClose }: KeyDisplayDialogProps) {
</Box> </Box>
<Box> <Box>
<Box sx={{ display: 'flex', alignItems: 'center', justifyContent: 'space-between', mb: 0.5 }}> <Box sx={{ display: 'flex', alignItems: 'center', justifyContent: 'space-between', mb: 0.5 }}>
<Typography variant="subtitle2" color="error">Private Key (key.pem)</Typography> <Typography variant="subtitle2" color="error">Private Key (client.key)</Typography>
<Tooltip title={copiedField === 'key' ? 'Copied!' : 'Copy private key to clipboard'}> <Tooltip title={copiedField === 'key' ? 'Copied!' : 'Copy private key to clipboard'}>
<Button <Button
size="small" size="small"
@ -405,7 +459,14 @@ function KeyDisplayDialog({ open, cert, onClose }: KeyDisplayDialogProps) {
</> </>
)} )}
</DialogContent> </DialogContent>
<DialogActions> <DialogActions sx={{ justifyContent: 'space-between' }}>
<Button
variant="outlined"
onClick={handleDownloadBundle}
disabled={downloading || !cert}
>
{downloading ? <CircularProgress size={20} /> : 'Download Bundle (.zip)'}
</Button>
<Button variant="contained" onClick={onClose}>I Have Saved the Key</Button> <Button variant="contained" onClick={onClose}>I Have Saved the Key</Button>
</DialogActions> </DialogActions>
</Dialog> </Dialog>
@ -567,6 +628,11 @@ export default function HostDetailPage() {
const [issueCertHostname, setIssueCertHostname] = useState('') const [issueCertHostname, setIssueCertHostname] = useState('')
const [issueCertError, setIssueCertError] = useState<string | null>(null) const [issueCertError, setIssueCertError] = useState<string | null>(null)
// Re-issue certificate state
const [reissueConfirmOpen, setReissueConfirmOpen] = useState(false)
const [reissueLoading, setReissueLoading] = useState(false)
const [reissueError, setReissueError] = useState<string | null>(null)
// ── Fetch host ──────────────────────────────────────────────────────────── // ── Fetch host ────────────────────────────────────────────────────────────
useEffect(() => { useEffect(() => {
if (id === 'new') { setLoading(false); return } if (id === 'new') { setLoading(false); return }
@ -717,6 +783,26 @@ export default function HostDetailPage() {
} }
} }
// ── Re-issue certificate ────────────────────────────────────────────────
const handleReissue = async () => {
if (!id) return
setReissueLoading(true)
setReissueError(null)
try {
const res = await certsApi.reissue(id)
setIssuedCert(res.data)
setReissueConfirmOpen(false)
setKeyDialogOpen(true)
setCertExists(true)
} catch (e: unknown) {
const msg = (e as { response?: { data?: { error?: { message?: string } } } })
?.response?.data?.error?.message ?? 'Failed to re-issue certificate'
setReissueError(msg)
} finally {
setReissueLoading(false)
}
}
// ── Create health check ────────────────────────────────────────────────── // ── Create health check ──────────────────────────────────────────────────
const handleHcCreateSubmit = async (values: HealthCheckFormValues) => { const handleHcCreateSubmit = async (values: HealthCheckFormValues) => {
if (!id) return if (!id) return
@ -848,7 +934,18 @@ export default function HostDetailPage() {
Issue Certificate Issue Certificate
</Button> </Button>
)} )}
<Tooltip title="Download mTLS Client Certificate"> {certExists && (
<Button
variant="outlined"
size="small"
color="warning"
startIcon={<VpnKeyIcon />}
onClick={() => { setReissueError(null); setReissueConfirmOpen(true) }}
>
Re-issue Certificate
</Button>
)}
<Tooltip title="Download Client Certificate (public cert only)">
<IconButton onClick={handleDownloadClientCert} color="primary"> <IconButton onClick={handleDownloadClientCert} color="primary">
<VpnKeyIcon /> <VpnKeyIcon />
</IconButton> </IconButton>
@ -1147,10 +1244,29 @@ export default function HostDetailPage() {
</DialogActions> </DialogActions>
</Dialog> </Dialog>
{/* Re-issue Certificate Confirmation Dialog */}
<Dialog open={reissueConfirmOpen} onClose={() => setReissueConfirmOpen(false)} maxWidth="sm" fullWidth>
<DialogTitle>Re-issue Certificate</DialogTitle>
<DialogContent sx={{ display: 'flex', flexDirection: 'column', gap: 2, pt: 2 }}>
{reissueError && <Alert severity="error">{reissueError}</Alert>}
<Alert severity="warning">
<strong>This will revoke all existing certificates for this host and issue a new set.</strong>
{' '}The new private key will only be shown once. Continue?
</Alert>
</DialogContent>
<DialogActions>
<Button onClick={() => setReissueConfirmOpen(false)} disabled={reissueLoading}>Cancel</Button>
<Button color="warning" variant="contained" onClick={handleReissue} disabled={reissueLoading}>
{reissueLoading ? <CircularProgress size={20} /> : 'Re-issue Certificate'}
</Button>
</DialogActions>
</Dialog>
{/* One-time key display dialog */} {/* One-time key display dialog */}
<KeyDisplayDialog <KeyDisplayDialog
open={keyDialogOpen} open={keyDialogOpen}
cert={issuedCert} cert={issuedCert}
hostname={String(host?.fqdn ?? '')}
onClose={() => setKeyDialogOpen(false)} onClose={() => setKeyDialogOpen(false)}
/> />

1
frontend/src/types/index.ts
View File

@ -203,6 +203,7 @@ export interface IssuedCert {
key_pem: string key_pem: string
serial_number: string serial_number: string
expires_at: string expires_at: string
ca_root_pem: string
} }
// ── Reports (M9) ───────────────────────────────────────────────────────────── // ── Reports (M9) ─────────────────────────────────────────────────────────────

2
migrations/010_cert_reissued_audit_action.sql Normal file
View File

@ -0,0 +1,2 @@
-- Add certificate_reissued audit_action enum value
ALTER TYPE audit_action ADD VALUE IF NOT EXISTS 'certificate_reissued';