Merge TASK-019: high-level GnuTLS accessors replacing gnutls_session_t

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: etr

examples/client_cert_auth.cpp

@@ -52,6 +52,7 @@
  *    curl -k https://localhost:8443/secure
  */
 
+#include <cstdint>
 #include <iostream>
 #include <memory>
 #include <set>
@@ -72,11 +73,14 @@ class secure_resource : public httpserver::http_resource {
             return std::make_shared<httpserver::http_response>(httpserver::http_response::string("Client certificate required").with_status(httpserver::http::http_utils::http_unauthorized));
         }
 
-        // Get certificate information
-        std::string cn = req.get_client_cert_cn();
-        std::string dn = req.get_client_cert_dn();
-        std::string issuer = req.get_client_cert_issuer_dn();
-        std::string fingerprint = req.get_client_cert_fingerprint_sha256();
+        // Get certificate information. TASK-019: the four string-typed
+        // accessors return string_view aliasing per-request storage; we
+        // copy into std::string here so the locals survive the rest of
+        // this method (and so the `+` chains below compile).
+        std::string cn(req.get_client_cert_cn());
+        std::string dn(req.get_client_cert_dn());
+        std::string issuer(req.get_client_cert_issuer_dn());
+        std::string fingerprint(req.get_client_cert_fingerprint_sha256());
         bool verified = req.is_client_cert_verified();
 
         // Check if certificate is verified by our CA
@@ -90,10 +94,11 @@ class secure_resource : public httpserver::http_resource {
             return std::make_shared<httpserver::http_response>(httpserver::http_response::string("Certificate not in allowlist").with_status(httpserver::http::http_utils::http_forbidden));
         }
 
-        // Check certificate validity times
+        // Check certificate validity times. TASK-019 narrows the
+        // accessor return type to std::int64_t.
         time_t now = time(nullptr);
-        time_t not_before = req.get_client_cert_not_before();
-        time_t not_after = req.get_client_cert_not_after();
+        std::int64_t not_before = req.get_client_cert_not_before();
+        std::int64_t not_after = req.get_client_cert_not_after();
 
         if (now < not_before) {
             return std::make_shared<httpserver::http_response>(httpserver::http_response::string("Certificate not yet valid").with_status(httpserver::http::http_utils::http_forbidden));
@@ -123,7 +128,9 @@ class info_resource : public httpserver::http_resource {
 
         if (req.has_client_certificate()) {
             response = "Client certificate detected:\n";
-            response += "  Common Name: " + req.get_client_cert_cn() + "\n";
+            // TASK-019: get_client_cert_cn() returns string_view; copy
+            // into std::string for the `+` chain.
+            response += "  Common Name: " + std::string(req.get_client_cert_cn()) + "\n";
             response += "  Verified: " + std::string(req.is_client_cert_verified() ? "Yes" : "No") + "\n";
         } else {
             response = "No client certificate provided.\n";

specs/tasks/M3-request/TASK-019.md

@@ -8,8 +8,8 @@
 Replace methods that returned raw `gnutls_session_t` (or other GnuTLS types) with high-level accessors so the public header doesn't need `<gnutls/gnutls.h>`.
 
 **Action Items:**
-- [ ] Remove any public `http_request` method returning `gnutls_session_t`.
-- [ ] Add high-level accessors (return `string_view` or sentinel when TLS disabled):
+- [x] Remove any public `http_request` method returning `gnutls_session_t`.
+- [x] Add high-level accessors (return `string_view` or sentinel when TLS disabled):
   - `bool has_tls_session() const noexcept;`
   - `bool has_client_certificate() const noexcept;`
   - `string_view get_client_cert_dn() const;`
@@ -19,8 +19,8 @@ Replace methods that returned raw `gnutls_session_t` (or other GnuTLS types) wit
   - `bool is_client_cert_verified() const noexcept;`
   - `std::int64_t get_client_cert_not_before() const noexcept;` (seconds since epoch; -1 if no cert)
   - `std::int64_t get_client_cert_not_after() const noexcept;`
-- [ ] Implementation uses GnuTLS internally (in `http_request.cpp`); `gnutls_session_t` remains accessible to library internals via friend access on the impl.
-- [ ] When `HAVE_GNUTLS` is off at build time, all accessors return empty / `false` / `-1` (no exception, per §7).
+- [x] Implementation uses GnuTLS internally (in `http_request.cpp`); `gnutls_session_t` remains accessible to library internals via friend access on the impl.
+- [x] When `HAVE_GNUTLS` is off at build time, all accessors return empty / `false` / `-1` (no exception, per §7).
 
 **Dependencies:**
 - Blocked by: TASK-015
@@ -37,4 +37,4 @@ Replace methods that returned raw `gnutls_session_t` (or other GnuTLS types) wit
 **Related Requirements:** PRD-HDR-REQ-003, PRD-FLG-REQ-002
 **Related Decisions:** §4.2, §6.2
 
-**Status:** Not Started
+**Status:** Done

specs/tasks/_index.md

@@ -101,7 +101,7 @@ Nominally: **13 sequential tasks**, each S–XL. Most other tasks parallelize of
 | TASK-016 | Per-connection arena for `http_request_impl` | M3 | Done | TASK-014, TASK-015 |
 | TASK-017 | `http_request` container getters return `const&` | M3 | Done | TASK-015 |
 | TASK-018 | `http_request` single-key getters return `string_view`, all const | M3 | Done | TASK-015, TASK-016 |
-| TASK-019 | High-level GnuTLS accessors replacing `gnutls_session_t` | M3 | Not Started | TASK-015 |
+| TASK-019 | High-level GnuTLS accessors replacing `gnutls_session_t` | M3 | Done | TASK-015 |
 | TASK-020 | Final public-header backend-include sweep | M3 | Not Started | TASK-014, TASK-015, TASK-019 |
 | TASK-021 | `http_resource` allow-mask via `method_set` | M4 | Not Started | TASK-005 |
 | TASK-022 | Snake_case `render_*` overrides on `http_resource` | M4 | Not Started | TASK-021 |

specs/unworked_review_issues/2026-05-07_000000_task-019.md

@@ -0,0 +1,93 @@
+# Unworked Review Issues
+
+**Run:** 2026-05-07 00:00:00
+**Task:** TASK-019
+**Total:** 20 (0 critical, 1 major deferred, 19 minor)
+
+## Major Deferred (acknowledged scope deferrals)
+
+1. [ ] **code-simplifier** | `src/http_request.cpp:518` | code-structure
+   The Subject DN and Issuer DN extraction in populate_all_cert_fields (lines 518-540) are structurally identical two-call GnuTLS blocks: size-probe, allocate, fill, strip trailing NUL, assign to pmr::string. This pattern repeats twice verbatim with only the GnuTLS function name and destination field differing. The Common Name block (lines 542-553) is a third near-copy.
+   *Recommendation:* Extract a static file-scope helper inside the #ifdef HAVE_GNUTLS block: `static std::string extract_dn(gnutls_x509_crt_t cert, int(*getter)(gnutls_x509_crt_t, char*, size_t*))`. The code-simplifier agent returned `approve` — this is a non-blocking simplification opportunity deferred to a future task.
+
+## Minor
+
+2. [ ] **code-simplifier** | `src/http_request.cpp:964` | code-structure
+   The four string_view accessor bodies (get_client_cert_dn, get_client_cert_issuer_dn, get_client_cert_cn, get_client_cert_fingerprint_sha256) are structurally identical: `#ifdef HAVE_GNUTLS`, call populate_all_cert_fields(), return `std::string_view(impl_->field.data(), impl_->field.size())`, `#else` return `std::string_view{}`, `#endif`.
+   *Recommendation:* A small private helper or macro (e.g. `CERT_STRING_VIEW_ACCESSOR(name, field)`) would collapse all four bodies to a one-liner, matching the existing COMPARATOR macro style in http_utils.hpp.
+
+3. [ ] **code-simplifier** | `src/http_request.cpp:494` | code-structure
+   In populate_all_cert_fields, the code first calls has_tls_session() then separately calls get_tls_session(). But get_tls_session() already checks connection_ == nullptr and returns nullptr on miss, making the outer has_tls_session() guard partially redundant.
+   *Recommendation:* Simplify to `gnutls_session_t session = get_tls_session();` directly, removing the has_tls_session() call from populate_all_cert_fields entirely.
+
+4. [ ] **code-simplifier** | `src/http_request.cpp:557` | naming
+   The local array `unsigned char fingerprint[32]` uses a magic number 32 for the SHA-256 digest size.
+   *Recommendation:* Replace the literal 32 with a named constant such as `static constexpr size_t SHA256_DIGEST_BYTES = 32;` inside the anonymous namespace.
+
+5. [ ] **code-quality-reviewer** | `src/http_request.cpp:519` | code-elegance
+   The GnuTLS two-call DN/CN extraction pattern is repeated three times (DN, issuer DN, CN) with nearly identical code.
+   *Recommendation:* Extract a named lambda or private helper (e.g., `read_gnutls_string`) that takes the GnuTLS getter function pointer and the destination pmr::string&.
+
+6. [ ] **code-quality-reviewer** | `src/httpserver/http_utils.hpp:372` | code-readability
+   In `arg_comparator::operator()(const std::string& x, std::string_view y)` the call constructs a heap-allocated `std::string` from a `string_view` unnecessarily; other three overloads delegate to `(string_view, string_view)`. Pre-existing issue from a prior task.
+   *Recommendation:* Change to delegate to `operator()(std::string_view(x), y)` rather than `operator()(std::string_view(x), std::string(y))`.
+
+7. [ ] **code-quality-reviewer** | `test/unit/http_request_tls_accessors_test.cpp:1` | test-coverage
+   No runtime test covers the noexcept try/catch wrappers in `is_client_cert_verified`, `get_client_cert_not_before`, and `get_client_cert_not_after` under an allocation-failure scenario.
+   *Recommendation:* Add a comment noting that the try/catch sentinel path is not covered by automated tests since injecting bad_alloc in GnuTLS context is impractical in CI.
+
+8. [ ] **code-quality-reviewer** | `src/http_request.cpp:948` | code-readability
+   The comment block preceding the TASK-019 public accessor implementations is verbose (12 lines) and restates design decisions already captured in the task spec and architecture doc.
+   *Recommendation:* Condense to 3-4 lines covering only the non-obvious decisions (unconditional public symbols, noexcept try/catch rationale).
+
+9. [ ] **security-reviewer** | `src/http_request.cpp:492` | insecure-design
+   In populate_all_cert_fields(), client_cert_fields_cached is set to true before any cert field is populated. If std::bad_alloc is thrown during string allocation, the cached flag is already true, creating an asymmetric exception contract between noexcept and string_view accessors.
+   *Recommendation:* Move client_cert_fields_cached = true to after all field population is complete, or catch per-field allocation failures individually. Alternatively, add try/catch in the four string_view accessors to match the noexcept accessors' contract.
+
+10. [ ] **security-reviewer** | `examples/client_cert_auth.cpp:103` | insecure-design
+    The time validity check is correctly guarded by has_client_certificate() and is_client_cert_verified() checks earlier, but this guard dependency is not documented. A developer copying only the time-checking snippet would be vulnerable: when no cert is present not_after is -1, and any non-negative now would satisfy now > not_after.
+    *Recommendation:* Add an inline comment noting that the time checks must only be reached after has_client_certificate() returns true.
+
+11. [ ] **security-reviewer** | `src/http_request.cpp:1108` | logging-failures
+    The operator<< diagnostic formatter logs the Basic Auth password in plaintext. Pre-existing behavior not introduced by TASK-019. New cert fields (DN, CN, fingerprint) were correctly excluded from the formatter.
+    *Recommendation:* Pre-existing issue outside TASK-019 scope.
+
+12. [ ] **performance-reviewer** | `src/http_request.cpp:467` | missing-caching
+    has_client_certificate() calls gnutls_certificate_get_peers() on every invocation with no caching. If a handler calls this predicate more than once per request, the peer-certificate list is fetched from GnuTLS multiple times.
+    *Recommendation:* Add a mutable tri-state cache field (e.g. `mutable std::optional<bool> client_cert_present_cached_`) to http_request_impl.
+
+13. [ ] **performance-reviewer** | `src/http_request.cpp:561` | memory-allocation
+    The SHA-256 fingerprint is assembled into a default-heap std::string (hex_fingerprint) then .assign()'d into the arena-backed pmr::string, causing one extra heap allocation and a byte-by-byte copy.
+    *Recommendation:* Reserve client_cert_fingerprint_sha256 to 64 chars upfront and write hex digits directly into it using a scratch buffer, bypassing the intermediate std::string.
+
+14. [ ] **performance-reviewer** | `src/http_request.cpp:495` | resource-leak
+    populate_all_cert_fields() calls has_tls_session() then get_tls_session() as two separate MHD_get_connection_info lookups inside what is already a once-cached function.
+    *Recommendation:* Call get_tls_session() once, assign to a local, and check for null to infer the has_tls_session() condition.
+
+15. [ ] **architecture-alignment-checker** | `src/httpserver/http_utils.hpp:50` | pattern-violation
+    http_utils.hpp includes <microhttpd.h> unconditionally at the public-header level. Pre-existing issue not introduced by TASK-019; MHD types are supposed to appear only in detail/ headers and .cpp files per §4.1 and §4.2.
+    *Recommendation:* Track as a separate cleanup task to move the <microhttpd.h> dependency behind HTTPSERVER_COMPILATION. TASK-019 itself correctly excludes <gnutls/gnutls.h>.
+
+16. [ ] **spec-alignment-checker** | `test/integ/ws_start_stop.cpp:1057` | acceptance-criteria
+    The `client_cert_with_certificate` test checks only that `CN:Test Client` appears and that a fingerprint field is present, not a specific known fingerprint value. The `client_cert_fingerprint` test verifies length is 64 hex chars but not exact value.
+    *Recommendation:* Document that length+format verification against a known cert is sufficient, or add a test fixture that embeds the expected SHA-256 fingerprint.
+
+17. [ ] **spec-alignment-checker** | `src/httpserver/create_test_request.hpp:115` | ears-requirement
+    The `tls_enabled()` builder method is still gated on `#ifdef HAVE_GNUTLS`, violating PRD-FLG-REQ-001 which requires no HAVE_* gates in public headers.
+    *Recommendation:* Make `tls_enabled()` unconditional (the impl guard in http_request.cpp is sufficient), or track this as deferred to the API-FLG milestone task.
+
+18. [ ] **spec-alignment-checker** | `src/httpserver/http_request.hpp:126` | specification-gap
+    `http_request.hpp` still has `#ifdef HAVE_BAUTH` and `#ifdef HAVE_DAUTH` gates around auth accessors, violating PRD-FLG-REQ-001. TASK-019 correctly removed the HAVE_GNUTLS gate (its direct scope) but did not address these remaining gates.
+    *Recommendation:* Add a TODO comment cross-referencing the API-FLG milestone task so the remaining PRD-FLG-REQ-001 violation is tracked.
+
+19. [ ] **test-quality-reviewer** | `test/integ/ws_start_stop.cpp:0` | logic-in-test
+    The fingerprint validation loop `for (char c : fp)` with an if-based validity check introduces control flow logic in test code.
+    *Recommendation:* Replace with `std::all_of` and a lambda, or a regex match against `^[0-9a-f]{64}$`.
+
+20. [ ] **test-quality-reviewer** | `test/unit/create_test_request_test.cpp:198` | redundant-test
+    `build_tls_enabled_no_peer_cert` and `build_no_client_cert_returns_sentinels` both exercise the same code path with the same sentinel assertions.
+    *Recommendation:* Collapse into a single test: keep `build_no_client_cert_returns_sentinels` (ungated) and expand it with a `tls_enabled()` builder block.
+
+21. [ ] **test-quality-reviewer** | `test/unit/http_request_tls_accessors_test.cpp:0` | missing-test
+    The compile-time test file has no corresponding no-GNUTLS compile target in test/Makefile.am. The HAVE_GNUTLS=off sentinel path is contractually guaranteed but not compile-tested.
+    *Recommendation:* Add a second Makefile.am entry compiled with -UHAVE_GNUTLS, or document that the no-GNUTLS path is covered by the unconditional runtime sentinels in create_test_request_test.cpp.