mc/metacrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
25 Commits 1 Branch 2 Tags
d574685b99a6ecb1a414d7a8e071e5166bff715f
Commit Graph

5 Commits

Author SHA1 Message Date
Kyle Isom
d574685b99 Add certificate revocation, deletion, and retrieval 
Admins can now revoke or delete certificate records from the cert detail
page in the web UI. Revoked certificates display a [REVOKED] badge and
show revocation metadata (time and actor). Deletion redirects to the
issuer page.

The REST API gains three new authenticated endpoints that mirror the
gRPC surface:
  GET    /v1/ca/{mount}/cert/{serial}         (auth required)
  POST   /v1/ca/{mount}/cert/{serial}/revoke  (admin only)
  DELETE /v1/ca/{mount}/cert/{serial}         (admin only)

The CA engine stores revocation state (revoked, revoked_at, revoked_by)
directly in the existing CertRecord barrier entry. The proto CertRecord
message is extended with the same three fields (field numbers 10–12).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-15 13:37:54 -07:00
Kyle Isom
74e35ce63e Add certificate detail page and tests 
- Add cert detail page with metadata display and download link
- Change cert issuance to return tgz with key.pem and cert.pem
- Add handleCertDetail and handleCertDownload handlers
- Extract vaultBackend interface for testability
- Add table-driven tests for cert detail handlers

Co-authored-by: Junie <junie@jetbrains.com>
 2026-03-15 13:24:05 -07:00
Kyle Isom
ad167aed9b Checkpoint: grpc auth fix, issuer list/detail, v2 protos, architecture docs 
Co-authored-by: Junie <junie@jetbrains.com>
 2026-03-15 11:39:13 -07:00
Kyle Isom
fbaf79a8a0 Fix gosec, govet, and errorlint linter errors 
Co-authored-by: Junie <junie@jetbrains.com>
 2026-03-15 10:16:28 -07:00
Kyle Isom
cc1ac2e255 Separate web UI into standalone metacrypt-web binary 
The vault server holds in-memory unsealed state (KEK, engine keys) that
is lost on restart, requiring a full unseal ceremony. Previously the web
UI ran inside the vault process, so any UI change forced a restart and
re-unseal.

This change extracts the web UI into a separate metacrypt-web binary
that communicates with the vault over an authenticated gRPC connection.
The web server carries no sealed state and can be restarted freely.

- gen/metacrypt/v1/: generated Go bindings from proto/metacrypt/v1/
- internal/grpcserver/: full gRPC server implementation (System, Auth,
  Engine, PKI, Policy, ACME services) with seal/auth/admin interceptors
- internal/webserver/: web server with gRPC vault client; templates
  embedded via web/embed.go (no runtime web/ directory needed)
- cmd/metacrypt-web/: standalone binary entry point
- internal/config: added [web] section (listen_addr, vault_grpc, etc.)
- internal/server/routes.go: removed all web UI routes and handlers
- cmd/metacrypt/server.go: starts gRPC server alongside HTTP server
- Deploy: Dockerfile builds both binaries, docker-compose adds
  metacrypt-web service, new metacrypt-web.service systemd unit,
  Makefile gains proto/metacrypt-web targets

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-15 10:15:47 -07:00