Skip to content

Add Gateway Portal and PKI feature handlers#63

Merged
aidankhogg merged 4 commits into
dev/alphafrom
claude/declared-not-implemented-features-q67rf8
Jun 28, 2026
Merged

Add Gateway Portal and PKI feature handlers#63
aidankhogg merged 4 commits into
dev/alphafrom
claude/declared-not-implemented-features-q67rf8

Conversation

@aidankhogg

Copy link
Copy Markdown
Contributor

Summary

This PR introduces comprehensive support for Gateway Portal (real internet access and cross-world federation) and extended PKI features (CRL, OCSP, intermediate CA, DNSSEC). It adds new handler implementations, test coverage, and integrates these features into the Phase 3 PKI bootstrap and post-Phase 7 gateway portal execution flows.

Key Changes

Gateway Portal Handler (gateway_portal_handler.py)

  • New boundary handler that executes after Phase 7 to apply real internet and cross-world policies
  • Implements real internet policy application with five modes: ISOLATED, SHADOWED, MIRRORED, EXPOSED, CUSTOM
  • Handles cross-world peer setup including trust anchor installation, routing configuration, and DNS forwarding
  • Supports upstream resolver configuration for DNS forwarding to real internet
  • Mock mode support for testing without Docker execution

Gateway Handler Extensions (gateway_handler.py)

  • Added apply_internet_policy() and remove_internet_policy() methods
  • Implemented rule generators for all five internet modes:
    • _isolated_internet_rules(): Blocks all WAN traffic
    • _shadowed_internet_rules(): Allows outbound HTTPS only with masquerade
    • _mirrored_internet_rules(): Restricts traffic to configured service mirrors
    • _exposed_internet_rules(): Full internet access with stateful filtering
  • Added apply_peer_routing() and remove_peer_routing() for cross-world federation
  • Generates and loads nftables rulesets via temporary files

PKI Handler Extensions (pki_handler.py)

  • Added _pki_flag() helper to read boolean PKI flags from both Pydantic models and dict specs
  • Implemented read_intermediate_cert() to expose intermediate CA certificate
  • Added _read_ca_config() and _write_ca_config() for step-ca configuration management
  • Implemented _inject_crl_config() to enable CRL generation in ca.json
  • Implemented _inject_ocsp_config() to enable OCSP responder in ca.json
  • Added setup_dnssec() to generate DNSSEC keys (KSK and ZSK) for zones
  • Integrated feature setup into bootstrap flow before server start

Phase 3 PKI Handler (phase_pki.py)

  • Extended PKI output to include CRL, OCSP, intermediate CA, and DNSSEC information
  • Added DNSSEC key generation with configurable lifetimes
  • Improved certificate rotation worker registration with support for cert type overrides
  • Enhanced logging for optional PKI features

Runtime State (core/state.py)

  • Added intermediate_ca_cert field to track intermediate CA certificate
  • Added gateway_portal_output field for gateway portal deployment results
  • Added dnssec_output field for DNSSEC key information

Test Coverage

  • test_gateway_portal.py: 354 lines covering real internet policy generation, peer routing, trust anchor installation, and mock mode execution
  • test_pki_features.py: 354 lines covering intermediate CA, CRL, OCSP, and DNSSEC feature implementations

Implementation Details

  • Internet policy rules are generated as nftables syntax and loaded via temporary files to avoid shell escaping issues
  • Cross-world peer setup is resilient: failures in individual steps (trust anchor, routing, DNS) are logged but don't abort the entire peer setup
  • PKI feature injection happens before step-ca server starts to ensure configuration is applied on first run
  • DNSSEC key generation uses ECDSAP256SHA256 algorithm with configurable KSK and ZSK lifetimes
  • Mock mode in GatewayPortalHandler allows testing without Docker client, populating output with declared configuration

https://claude.ai/code/session_01Et5va49PwFQRdDQFompEZ1

claude added 4 commits June 28, 2026 04:37
…tion features

PKI (pki_handler.py + phase_pki.py):
- DNSSEC: setup_dnssec() generates KSK+ZSK via dnssec-keygen in BIND container,
  keys stored in netengines_dnssec_keys volume for CoreDNS dnssec plugin
- CRL: _inject_crl_config() patches ca.json with crl.enabled before server start
- OCSP: _inject_ocsp_config() patches ca.json authority.claims.enableOCSP
- Intermediate CA: read_intermediate_cert() exposes step-ca's auto-generated
  intermediate cert; bootstrap() stores it in state when intermediate_ca_enabled
- PKI Rotation Policy: _register_rotation_worker() refactored to be fully dynamic —
  handles all builtin cert types plus any extras declared in cert_type_overrides

Real Internet Gateway (gateway_handler.py):
- apply_internet_policy() dispatches to per-mode nftables rule generators
- ISOLATED: block all WAN ingress/egress
- SHADOWED: outbound HTTPS only + masquerade, no WAN inbound
- MIRRORED: forward to configured service_mirrors, block all other WAN
- EXPOSED: full pass-through with stateful inbound filtering
- CUSTOM: no-op (operator manages rules)
- remove_internet_policy() teardown method
- apply_peer_routing() / remove_peer_routing() for cross-world peer endpoints

Cross-World Federation (gateway_portal_handler.py — new):
- GatewayPortalHandler implements BasePhaseHandler for the gateway_portal spec section
- Applies real internet policy and sets up cross-world peers in one phase
- Per-peer: installs trust anchor cert into gateway container CA bundle,
  adds nftables routing rules, configures CoreDNS forwarding stub zone
- Supports PEERED and FEDERATED modes; NONE is a no-op

State (state.py):
- Added intermediate_ca_cert, dnssec_output, gateway_portal_output fields

Tests: 55 new unit tests across test_pki_features.py and test_gateway_portal.py;
all 186 existing tests continue to pass.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Run black on all 6 new/modified handler and test files
- Fix gateway_portal_handler.py mypy errors: add dict[str, Any] type args
  on all 4 bare `dict` return/param annotations, add type: ignore for
  untyped DockerHandler() call, fix pgmq send() to two-arg form
  send("gateway_portal_events", event)
- Add setup_dnssec to SimpleNamespace mock in test_phase_3_pki_inserts_ca_dns_record
  so the integration test survives phase_pki calling pki.setup_dnssec()
  when minimal.yaml has dnssec_enabled: true
@aidankhogg aidankhogg self-assigned this Jun 28, 2026
@aidankhogg aidankhogg marked this pull request as ready for review June 28, 2026 14:23
@aidankhogg aidankhogg merged commit d4dce97 into dev/alpha Jun 28, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants