refactor: continue cira

rsdmike · rsdmike · commit 1dc41cd45135 · 2025-11-19T11:56:59.000-07:00
diff --git a/cmd/app/main.go b/cmd/app/main.go
@@ -12,6 +12,7 @@ import (
 
 	"github.com/device-management-toolkit/console/config"
 	"github.com/device-management-toolkit/console/internal/app"
+	"github.com/device-management-toolkit/console/internal/certificates"
 	"github.com/device-management-toolkit/console/internal/controller/openapi"
 	"github.com/device-management-toolkit/console/internal/usecase"
 	"github.com/device-management-toolkit/console/pkg/logger"
@@ -42,11 +43,15 @@ func main() {
 		log.Fatalf("App init error: %s", err)
 	}
 
-	// root, privateKey, err := certificates.GenerateRootCertificate(true, cfg.CommonName, "US", "open-amt-cloud-toolkit", true)
-	// if err != nil {
-	// 	log.Fatalf("Error generating root certificate: %s", err)
-	// }
-	// certificates.IssueWebServerCertificate(certificates.CertAndKeyType{Cert: root, Key: privateKey}, false, cfg.CommonName, "US", "open-amt-cloud-toolkit", true)
+	root, privateKey, err := certificates.CheckAndLoadOrGenerateRootCertificate(true, cfg.CommonName, "US", "device-management-toolkit", true)
+	if err != nil {
+		log.Fatalf("Error loading or generating root certificate: %s", err)
+	}
+
+	_, _, err = certificates.CheckAndLoadOrGenerateWebServerCertificate(certificates.CertAndKeyType{Cert: root, Key: privateKey}, false, cfg.CommonName, "US", "device-management-toolkit", true)
+	if err != nil {
+		log.Fatalf("Error loading or generating web server certificate: %s", err)
+	}
 
 	handleEncryptionKey(cfg)
 
diff --git a/config/config.go b/config/config.go
@@ -3,6 +3,7 @@ package config
 import (
 	"errors"
 	"flag"
+	"net"
 	"os"
 	"path/filepath"
 	"time"
@@ -94,14 +95,36 @@ type (
 	}
 )
 
+// getPreferredIPAddress detects the most likely candidate IP address for this machine.
+// It prefers non-loopback IPv4 addresses and excludes link-local addresses.
+func getPreferredIPAddress() string {
+	addrs, err := net.InterfaceAddrs()
+	if err != nil {
+		return "localhost"
+	}
+
+	for _, addr := range addrs {
+		if ipNet, ok := addr.(*net.IPNet); ok && !ipNet.IP.IsLoopback() {
+			if ipNet.IP.To4() != nil {
+				// Exclude link-local addresses (169.254.x.x)
+				if !ipNet.IP.IsLinkLocalUnicast() {
+					return ipNet.IP.String()
+				}
+			}
+		}
+	}
+
+	return "localhost"
+}
+
 // defaultConfig constructs the in-memory default configuration.
 func defaultConfig() *Config {
 	return &Config{
 		App: App{
 			Name:                 "console",
 			Repo:                 "device-management-toolkit/console",
 			Version:              "DEVELOPMENT",
-			CommonName:           "localhost",
+			CommonName:           getPreferredIPAddress(),
 			EncryptionKey:        "",
 			AllowInsecureCiphers: false,
 		},
diff --git a/internal/app/app.go b/internal/app/app.go
@@ -78,7 +78,11 @@ func Run(cfg *config.Config) {
 
 	wsv1.RegisterRoutes(handler, log, usecases.Devices, upgrader)
 
-	ciraServer, err := cira.NewServer("config/cert.pem", "config/key.pem", usecases.Devices)
+	// Use the same certificates that were generated in main.go
+	ciraCertFile := fmt.Sprintf("config/%s_cert.pem", cfg.CommonName)
+	ciraKeyFile := fmt.Sprintf("config/%s_key.pem", cfg.CommonName)
+
+	ciraServer, err := cira.NewServer(ciraCertFile, ciraKeyFile, usecases.Devices)
 	if err != nil {
 		log.Fatal("CIRA Server failed: %v", err)
 	}
diff --git a/internal/certificates/generate.go b/internal/certificates/generate.go
@@ -14,6 +14,95 @@ import (
 	"time"
 )
 
+// LoadCertificateFromFile loads a certificate and private key from PEM files
+func LoadCertificateFromFile(certPath, keyPath string) (*x509.Certificate, *rsa.PrivateKey, error) {
+	// Read certificate file
+	certPEM, err := os.ReadFile(certPath)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to read certificate file: %w", err)
+	}
+
+	// Decode PEM block
+	certBlock, _ := pem.Decode(certPEM)
+	if certBlock == nil {
+		return nil, nil, fmt.Errorf("failed to decode certificate PEM")
+	}
+
+	// Parse certificate
+	cert, err := x509.ParseCertificate(certBlock.Bytes)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to parse certificate: %w", err)
+	}
+
+	// Read private key file
+	keyPEM, err := os.ReadFile(keyPath)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to read private key file: %w", err)
+	}
+
+	// Decode PEM block
+	keyBlock, _ := pem.Decode(keyPEM)
+	if keyBlock == nil {
+		return nil, nil, fmt.Errorf("failed to decode private key PEM")
+	}
+
+	// Parse private key
+	privateKey, err := x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to parse private key: %w", err)
+	}
+
+	return cert, privateKey, nil
+}
+
+// CheckAndLoadOrGenerateRootCertificate checks if root certificate files exist,
+// loads them if they do, or generates new ones if they don't
+func CheckAndLoadOrGenerateRootCertificate(addThumbPrintToName bool, commonName, country, organization string, strong bool) (*x509.Certificate, *rsa.PrivateKey, error) {
+	certPath := "config/root_cert.pem"
+	keyPath := "config/root_key.pem"
+
+	// Check if both files exist
+	_, certErr := os.Stat(certPath)
+	_, keyErr := os.Stat(keyPath)
+
+	if certErr == nil && keyErr == nil {
+		// Files exist, try to load them
+		cert, key, err := LoadCertificateFromFile(certPath, keyPath)
+		if err == nil {
+			return cert, key, nil
+		}
+		// If loading fails, fall through to generation
+		fmt.Printf("Warning: Failed to load existing certificates: %v. Generating new ones...\n", err)
+	}
+
+	// Files don't exist or loading failed, generate new certificates
+	return GenerateRootCertificate(addThumbPrintToName, commonName, country, organization, strong)
+}
+
+// CheckAndLoadOrGenerateWebServerCertificate checks if web server certificate files exist,
+// loads them if they do, or generates new ones if they don't
+func CheckAndLoadOrGenerateWebServerCertificate(rootCert CertAndKeyType, addThumbPrintToName bool, commonName, country, organization string, strong bool) (*x509.Certificate, *rsa.PrivateKey, error) {
+	certPath := "config/" + commonName + "_cert.pem"
+	keyPath := "config/" + commonName + "_key.pem"
+
+	// Check if both files exist
+	_, certErr := os.Stat(certPath)
+	_, keyErr := os.Stat(keyPath)
+
+	if certErr == nil && keyErr == nil {
+		// Files exist, try to load them
+		cert, key, err := LoadCertificateFromFile(certPath, keyPath)
+		if err == nil {
+			return cert, key, nil
+		}
+		// If loading fails, fall through to generation
+		fmt.Printf("Warning: Failed to load existing certificates: %v. Generating new ones...\n", err)
+	}
+
+	// Files don't exist or loading failed, generate new certificates
+	return IssueWebServerCertificate(rootCert, addThumbPrintToName, commonName, country, organization, strong)
+}
+
 func GenerateRootCertificate(addThumbPrintToName bool, commonName, country, organization string, strong bool) (*x509.Certificate, *rsa.PrivateKey, error) {
 	keyLength := 2048
 	if strong {
diff --git a/internal/controller/http/router.go b/internal/controller/http/router.go
@@ -97,6 +97,8 @@ func NewRouter(handler *gin.Engine, l logger.Interface, t usecase.Usecases, cfg
 	{
 		v1.NewDeviceRoutes(h2, t.Devices, l)
 		v1.NewAmtRoutes(h2, t.Devices, t.AMTExplorer, t.Exporter, l)
+		v1.NewCIRACertRoutes(h2, l)
+
 	}
 
 	h := protected.Group("/v1/admin")
diff --git a/internal/controller/http/v1/ciracert.go b/internal/controller/http/v1/ciracert.go
@@ -0,0 +1,60 @@
+package v1
+
+import (
+	"encoding/pem"
+	"net/http"
+	"os"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+
+	"github.com/device-management-toolkit/console/pkg/logger"
+)
+
+type ciraCertRoutes struct {
+	l logger.Interface
+}
+
+func NewCIRACertRoutes(handler *gin.RouterGroup, l logger.Interface) {
+	r := &ciraCertRoutes{l}
+
+	h := handler.Group("/ciracert")
+	{
+		h.GET("", r.getCIRACert)
+	}
+}
+
+func (r *ciraCertRoutes) getCIRACert(c *gin.Context) {
+	// Read the root certificate file
+	certData, err := os.ReadFile("config/root_cert.pem")
+	if err != nil {
+		r.l.Error(err, "http - CIRA cert - v1 - getCIRACert - failed to read certificate file")
+		c.String(http.StatusInternalServerError, "Failed to read certificate file")
+		return
+	}
+
+	// Decode the PEM block
+	block, _ := pem.Decode(certData)
+	if block == nil {
+		r.l.Error(nil, "http - CIRA cert - v1 - getCIRACert - failed to decode PEM")
+		c.String(http.StatusInternalServerError, "Failed to decode certificate")
+		return
+	}
+
+	// Extract just the base64-encoded certificate data (strip PEM headers/footers)
+	pemString := string(certData)
+	lines := strings.Split(pemString, "\n")
+	var certContent strings.Builder
+
+	for _, line := range lines {
+		trimmed := strings.TrimSpace(line)
+		// Skip empty lines and PEM headers/footers
+		if trimmed == "" || strings.HasPrefix(trimmed, "-----") {
+			continue
+		}
+		certContent.WriteString(trimmed)
+	}
+
+	// Return as plain text
+	c.String(http.StatusOK, certContent.String())
+}
diff --git a/internal/controller/http/v1/ciracert_test.go b/internal/controller/http/v1/ciracert_test.go

Original file line number	Diff line number	Diff line change
`@@ -97,6 +97,8 @@ func NewRouter(handler *gin.Engine, l logger.Interface, t usecase.Usecases, cfg`
`97`	`97`	`{`
`98`	`98`	`v1.NewDeviceRoutes(h2, t.Devices, l)`
`99`	`99`	`v1.NewAmtRoutes(h2, t.Devices, t.AMTExplorer, t.Exporter, l)`
	`100`	`+ v1.NewCIRACertRoutes(h2, l)`
	`101`	`+`
`100`	`102`	`}`
`101`	`103`
`102`	`104`	`h := protected.Group("/v1/admin")`