Add mTLS to CP→agent channel

- Internal ECDSA P-256 CA (WRENN_CA_CERT/WRENN_CA_KEY env vars); when absent the system falls back to plain HTTP so dev mode works without certificates - Host leaf cert (7-day TTL, IP SAN) issued at registration and renewed on every JWT refresh; fingerprint + expiry stored in DB (cert_expires_at column replaces the removed mtls_enabled flag) - CP ephemeral client cert (24-hour TTL) via CPCertStore with atomic hot-swap; background goroutine renews it every 12 hours without restarting the server - Host agent uses tls.Listen + httpServer.Serve so GetCertificate callback is respected (ListenAndServeTLS always reads cert from disk) - Sandbox reverse proxy now uses pool.Transport() so it shares the same TLS config as the Connect RPC clients instead of http.DefaultTransport - Credentials file renamed host-credentials.json with cert_pem/key_pem/ ca_cert_pem fields; duplicate register/refresh response structs collapsed to authResponse
2026-03-30 21:24:35 +06:00
parent 88f919c4ca
commit 25ce0729d5
16 changed files with 716 additions and 144 deletions
--- a/internal/api/handlers_hosts.go
+++ b/internal/api/handlers_hosts.go
@ -49,6 +49,9 @@ type refreshTokenResponse struct {
 	Host         hostResponse `json:"host"`
 	Token        string       `json:"token"`
 	RefreshToken string       `json:"refresh_token"`
+	CertPEM      string       `json:"cert_pem,omitempty"`
+	KeyPEM       string       `json:"key_pem,omitempty"`
+	CACertPEM    string       `json:"ca_cert_pem,omitempty"`
 }

 type deletePreviewResponse struct {
@ -69,6 +72,9 @@ type registerHostResponse struct {
 	Host         hostResponse `json:"host"`
 	Token        string       `json:"token"`
 	RefreshToken string       `json:"refresh_token"`
+	CertPEM      string       `json:"cert_pem,omitempty"`
+	KeyPEM       string       `json:"key_pem,omitempty"`
+	CACertPEM    string       `json:"ca_cert_pem,omitempty"`
 }

 type addTagRequest struct {
@ -388,6 +394,9 @@ func (h *hostHandler) Register(w http.ResponseWriter, r *http.Request) {
 		Host:         hostToResponse(result.Host),
 		Token:        result.JWT,
 		RefreshToken: result.RefreshToken,
+		CertPEM:      result.CertPEM,
+		KeyPEM:       result.KeyPEM,
+		CACertPEM:    result.CACertPEM,
 	})
 }

@ -501,6 +510,9 @@ func (h *hostHandler) RefreshToken(w http.ResponseWriter, r *http.Request) {
 		Host:         hostToResponse(result.Host),
 		Token:        result.JWT,
 		RefreshToken: result.RefreshToken,
+		CertPEM:      result.CertPEM,
+		KeyPEM:       result.KeyPEM,
+		CACertPEM:    result.CACertPEM,
 	})
 }