Add architecture docs, fix gRPC/REST API parity, project conventions

- Add ARCHITECTURE.md with full system specification - Add Project Structure and API Sync Rule to CLAUDE.md; ignore srv/ - Fix engine.proto MountRequest missing config field - Add pki.proto PKIService to match unauthenticated REST PKI routes Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-14 23:29:51 -07:00
parent 8f77050a84
commit 658d067d78
15 changed files with 923 additions and 201 deletions
--- a/internal/engine/ca/ca_test.go
+++ b/internal/engine/ca/ca_test.go
@@ -7,6 +7,7 @@ import (
 	"strings"
 	"sync"
 	"testing"
+	"time"

 	"git.wntrmute.dev/kyle/metacrypt/internal/barrier"
 	"git.wntrmute.dev/kyle/metacrypt/internal/engine"
@@ -113,6 +114,69 @@ func TestInitializeGeneratesRootCA(t *testing.T) {
 	}
 }

+func TestInitializeWithImportedRoot(t *testing.T) {
+	// First, generate a root CA to use as the import source.
+	srcEng, _ := setupEngine(t)
+	rootPEM, err := srcEng.GetRootCertPEM()
+	if err != nil {
+		t.Fatalf("GetRootCertPEM: %v", err)
+	}
+	// Get the key PEM from barrier.
+	srcKeyPEM, err := srcEng.barrier.Get(context.Background(), srcEng.mountPath+"root/key.pem")
+	if err != nil {
+		t.Fatalf("get root key: %v", err)
+	}
+
+	// Now initialize a new engine with the imported root.
+	b := newMemBarrier()
+	eng := NewCAEngine().(*CAEngine)
+	ctx := context.Background()
+
+	config := map[string]interface{}{
+		"organization": "ImportOrg",
+		"root_cert_pem": string(rootPEM),
+		"root_key_pem":  string(srcKeyPEM),
+	}
+
+	if err := eng.Initialize(ctx, b, "engine/ca/imported/", config); err != nil {
+		t.Fatalf("Initialize with import: %v", err)
+	}
+
+	if eng.rootCert == nil {
+		t.Fatal("root cert is nil after import")
+	}
+	if !eng.rootCert.IsCA {
+		t.Error("imported root is not a CA")
+	}
+	// The CN should be from the original cert, not the new org.
+	if eng.rootCert.Subject.CommonName != "TestOrg Root CA" {
+		t.Errorf("imported root CN: got %q, want %q", eng.rootCert.Subject.CommonName, "TestOrg Root CA")
+	}
+
+	// Verify we can create issuers and issue certs from the imported root.
+	_, err = eng.HandleRequest(ctx, &engine.Request{
+		Operation:  "create-issuer",
+		CallerInfo: adminCaller(),
+		Data:       map[string]interface{}{"name": "infra"},
+	})
+	if err != nil {
+		t.Fatalf("create-issuer from imported root: %v", err)
+	}
+
+	_, err = eng.HandleRequest(ctx, &engine.Request{
+		Operation:  "issue",
+		CallerInfo: userCaller(),
+		Data: map[string]interface{}{
+			"issuer":      "infra",
+			"common_name": "imported.example.com",
+			"profile":     "server",
+		},
+	})
+	if err != nil {
+		t.Fatalf("issue from imported root: %v", err)
+	}
+}
+
 func TestUnsealSealLifecycle(t *testing.T) {
 	eng, b := setupEngine(t)
 	mountPath := "engine/ca/test/"
@@ -596,6 +660,97 @@ func TestDeleteIssuer(t *testing.T) {
 	}
 }

+func TestImportRootRejectsValidRoot(t *testing.T) {
+	eng, _ := setupEngine(t)
+	ctx := context.Background()
+
+	// Generate a new root to try importing.
+	other, _ := setupEngine(t)
+	otherPEM, _ := other.GetRootCertPEM()
+	otherKeyPEM, _ := other.barrier.Get(ctx, other.mountPath+"root/key.pem")
+
+	_, err := eng.HandleRequest(ctx, &engine.Request{
+		Operation:  "import-root",
+		CallerInfo: adminCaller(),
+		Data: map[string]interface{}{
+			"cert_pem": string(otherPEM),
+			"key_pem":  string(otherKeyPEM),
+		},
+	})
+	if err == nil {
+		t.Fatal("expected error when importing over a valid root")
+	}
+	if !strings.Contains(err.Error(), "still valid") {
+		t.Errorf("expected 'still valid' error, got: %v", err)
+	}
+}
+
+func TestImportRootReplacesExpiredRoot(t *testing.T) {
+	eng, _ := setupEngine(t)
+	ctx := context.Background()
+
+	// Simulate an expired root by setting NotAfter to the past.
+	eng.mu.Lock()
+	eng.rootCert.NotAfter = time.Now().Add(-1 * time.Hour)
+	eng.mu.Unlock()
+
+	// Generate a new root to import.
+	other, _ := setupEngine(t)
+	newPEM, _ := other.GetRootCertPEM()
+	newKeyPEM, _ := other.barrier.Get(ctx, other.mountPath+"root/key.pem")
+
+	resp, err := eng.HandleRequest(ctx, &engine.Request{
+		Operation:  "import-root",
+		CallerInfo: adminCaller(),
+		Data: map[string]interface{}{
+			"cert_pem": string(newPEM),
+			"key_pem":  string(newKeyPEM),
+		},
+	})
+	if err != nil {
+		t.Fatalf("import-root: %v", err)
+	}
+	if resp.Data["cn"] == nil {
+		t.Error("expected cn in response")
+	}
+
+	// Verify the root was replaced.
+	rootPEM, err := eng.GetRootCertPEM()
+	if err != nil {
+		t.Fatalf("GetRootCertPEM: %v", err)
+	}
+	if string(rootPEM) != string(newPEM) {
+		t.Error("root cert was not replaced")
+	}
+
+	// Verify we can still create issuers with the new root.
+	_, err = eng.HandleRequest(ctx, &engine.Request{
+		Operation:  "create-issuer",
+		CallerInfo: adminCaller(),
+		Data:       map[string]interface{}{"name": "new-issuer"},
+	})
+	if err != nil {
+		t.Fatalf("create-issuer after import: %v", err)
+	}
+}
+
+func TestImportRootRequiresAdmin(t *testing.T) {
+	eng, _ := setupEngine(t)
+	ctx := context.Background()
+
+	_, err := eng.HandleRequest(ctx, &engine.Request{
+		Operation:  "import-root",
+		CallerInfo: userCaller(),
+		Data: map[string]interface{}{
+			"cert_pem": "fake",
+			"key_pem":  "fake",
+		},
+	})
+	if err != ErrForbidden {
+		t.Errorf("expected ErrForbidden, got: %v", err)
+	}
+}
+
 func TestPublicMethods(t *testing.T) {
 	eng, _ := setupEngine(t)
 	ctx := context.Background()