refactor(api): extract tls provisioning into internal/api/tlsutil leaf (ADR-0011)#453
Merged
Conversation
…f (ADR-0011)

Move certificate provisioning, ACME manager construction, the TLS 1.3 config template, and the active-cert fingerprint cache out of the flat internal/api namespace into the internal/api/tlsutil leaf package (ADR-0011). The leaf depends only on stdlib, golang.org/x/crypto, and internal/logging; the api-tlsutil-isolated depguard rule statically forbids any upward import of the transport layer.

The HTTP serving lifecycle stays in internal/api: startTLS / startTLSWithACME and the two Server methods that bridge the cache to the request path (activeCertPath, tlsFingerprintForResponse).

Two constants that lived in the old tls.go const block but are unrelated to TLS are rehomed to the api layer rather than dragged into the leaf: refreshMultiplier (auth cookie lifetime -> handlers_auth.go) and acmeReadHeaderTimeoutSec (challenge-server timeout -> server.go).

The ForTest ACME wrappers in test_helpers.go are dropped; the TLS tests now exercise the leaf's exported API directly from internal/api/tlsutil.

No behaviour change: endpoints, /__version fingerprint, and cert paths are identical.
License Compliance Report
All dependencies pass license compliance checks
Go Dependencies
npm Dependencies
See full report in workflow artifacts
Allowed Licenses: MIT, Apache-2.0, BSD-*, ISC, CC0-1.0, MPL-2.0
Summary

Extracts the TLS provisioning concern out of the flat `internal/api` namespace into the `internal/api/tlsutil` leaf package — the third slice of the ADR-0011 `internal/api` sub-package decomposition (after `ratelimit` #451 and `sse` #452).

The leaf owns: the `Config`/`ACMEConfig` settings structs, `ServerConfig` (the TLS 1.3 `tls.Config` template), `EnsureSelfSignedCert` (self-signed cert generation), the ACME constructors (`NewACMEManager`, `ACMETLSConfig`), and the `FingerprintCache` (active-cert SHA-256 fingerprint, surfaced via `/__version`). It depends only on stdlib, `golang.org/x/crypto` (ACME), and `internal/logging`. The new `api-tlsutil-isolated` depguard rule statically forbids any upward import of the transport layer, so an accidental re-coupling fails CI.

The HTTP serving lifecycle stays in `internal/api`: `startTLS`/`startTLSWithACME` (listener binding + the port-80 HTTP-01 challenge server) and the two `Server` methods that bridge the cache into the request path — `activeCertPath` and `tlsFingerprintForResponse`.

Drift fixed along the way: two constants sat in the old `tls.go` const block but had nothing to do with TLS. Rather than drag them into the leaf, they are rehomed to their real owners:

- `refreshMultiplier` (auth refresh-cookie lifetime) → `handlers_auth.go`
- `acmeReadHeaderTimeoutSec` (transport challenge-server timeout) → `server.go`

The `*ForTest` ACME wrappers in `test_helpers.go` are deleted; the TLS tests now exercise the leaf's exported API directly from `internal/api/tlsutil`.

No behaviour change: endpoints, the `/__version` fingerprint, and cert paths are identical. Net effect: `internal/api` shrinks by two files and one snake_case filename (`tls_fingerprint.go`); `internal/api` underscore count 20 → 19.
Linked Issue
Related to #450
Testing Evidence

Gated from a clean worktree off `origin/main` (go 1.26.4, golangci-lint v2.12.2):
Security and Release Checklist
`/__version` fingerprint, and cert paths are identical.
`api-tlsutil-isolated` depguard rule); golangci-lint clean.
(CSRF, rate-limit, role gating, output encoding) untouched.
private-key file mode `0o600` preserved.
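The shape of a leaf package like the one this PR describes, as an added stand-alone example: it is not the project's `internal/api/tlsutil` code, and the bodies of `ServerConfig`, `EnsureSelfSignedCert` and `FingerprintCache` below are assumed from the names in the PR, not copied from it. It uses only the Go standard library (the ACME constructors, which need `golang.org/x/crypto`, are left out) and shows the three properties the description and checklist care about: a TLS 1.3-only `tls.Config` template, key material written with mode `0o600` and never overwritten, and a mutex-guarded SHA-256 fingerprint cache that re-hashes only when the certificate file's mtime changes, so the `/__version`-style lookup stays cheap on the request path.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// ServerConfig is the TLS 1.3-only tls.Config template (assumed shape; the PR only names it).
func ServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS13, Certificates: []tls.Certificate{cert}}
}

// EnsureSelfSignedCert returns cert.pem/key.pem under dir, generating a P-256
// self-signed pair for host only when the files are missing (assumed behaviour).
func EnsureSelfSignedCert(dir, host string) (certPath, keyPath string, err error) {
	certPath, keyPath = filepath.Join(dir, "cert.pem"), filepath.Join(dir, "key.pem")
	_, certErr := os.Stat(certPath)
	if _, keyErr := os.Stat(keyPath); certErr == nil && keyErr == nil {
		return certPath, keyPath, nil // reuse the existing pair; never overwrite a key
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return "", "", err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return "", "", err
	}
	if err = os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o644); err != nil {
		return "", "", err
	}
	// 0o600: the private key is owner-only, the property the PR checklist preserves.
	if err = os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600); err != nil {
		return "", "", err
	}
	return certPath, keyPath, nil
}

// FingerprintCache memoises the SHA-256 of the active leaf cert, keyed on path and mtime.
type FingerprintCache struct {
	mu    sync.Mutex
	path  string
	mtime time.Time
	fp    string
}

// Fingerprint returns the lowercase hex SHA-256 of the DER certificate at certPath.
func (c *FingerprintCache) Fingerprint(certPath string) (string, error) {
	st, err := os.Stat(certPath)
	if err != nil {
		return "", err
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.fp != "" && c.path == certPath && st.ModTime().Equal(c.mtime) {
		return c.fp, nil // cache hit: file unchanged since it was last hashed
	}
	raw, err := os.ReadFile(certPath)
	if err != nil {
		return "", err
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("%s: no CERTIFICATE block", certPath)
	}
	sum := sha256.Sum256(block.Bytes)
	c.path, c.mtime, c.fp = certPath, st.ModTime(), hex.EncodeToString(sum[:])
	return c.fp, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "tlsutil-example")
	defer os.RemoveAll(dir)
	certPath, keyPath, err := EnsureSelfSignedCert(dir, "localhost")
	if err != nil {
		panic(err)
	}
	cert, _ := tls.LoadX509KeyPair(certPath, keyPath)
	fp, _ := new(FingerprintCache).Fingerprint(certPath)
	fmt.Printf("min TLS 0x%04x, cert fingerprint %s\n", ServerConfig(cert).MinVersion, fp)
}
```

Hashing `block.Bytes` (the DER leaf) rather than the PEM file means the fingerprint matches what `sha256` of `tls.Certificate.Certificate[0]` gives after `tls.LoadX509KeyPair`, so a handler that already holds the loaded certificate and a handler that only has the path agree on the value. The mtime key is a pragmatic cache invalidation for the rotation case; a reload that keeps the same mtime would need an explicit `Reset`.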