chore(fmt): gofmt cleanup on three pre-bundle drift files surfaced by v2.1.0 release-gate Phase 1
Phase 1 (make verify) of cowork/v2.1.0-release-gate.md surfaced three
files with gofmt drift that pre-dated the 2026-05-11 fix-bundle
work:
internal/auth/oidc/domain/types.go
internal/auth/oidc/integration_keycloak_rotate_test.go
internal/auth/oidc/test_discovery.go
The 2026-05-11 Fix 08 fmt-cleanup commit (b8fac59) fixed four files
that the merge introduced; these three were noted as pre-existing
master drift and intentionally left untouched at the time. The
v2.1.0 release-gate spec's Phase 1 requires zero gofmt output from
'go fmt ./...' (Makefile::verify form), so the drift must close
before tagging.
Pure whitespace alignment, no semantic change.
@@ -33,20 +33,20 @@ import (
|
|||||||
// the field is non-empty + carries the v2 magic byte; actual
|
// the field is non-empty + carries the v2 magic byte; actual
|
||||||
// encryption / decryption happens in the service layer.
|
// encryption / decryption happens in the service layer.
|
||||||
type OIDCProvider struct {
|
type OIDCProvider struct {
|
||||||
ID string `json:"id"` // prefix `op-`
|
ID string `json:"id"` // prefix `op-`
|
||||||
TenantID string `json:"tenant_id"`
|
TenantID string `json:"tenant_id"`
|
||||||
Name string `json:"name"`
|
Name string `json:"name"`
|
||||||
IssuerURL string `json:"issuer_url"`
|
IssuerURL string `json:"issuer_url"`
|
||||||
ClientID string `json:"client_id"`
|
ClientID string `json:"client_id"`
|
||||||
ClientSecretEncrypted []byte `json:"-"` // v2 blob; never JSON-encoded
|
ClientSecretEncrypted []byte `json:"-"` // v2 blob; never JSON-encoded
|
||||||
RedirectURI string `json:"redirect_uri"`
|
RedirectURI string `json:"redirect_uri"`
|
||||||
GroupsClaimPath string `json:"groups_claim_path"`
|
GroupsClaimPath string `json:"groups_claim_path"`
|
||||||
GroupsClaimFormat string `json:"groups_claim_format"`
|
GroupsClaimFormat string `json:"groups_claim_format"`
|
||||||
FetchUserinfo bool `json:"fetch_userinfo"`
|
FetchUserinfo bool `json:"fetch_userinfo"`
|
||||||
Scopes []string `json:"scopes"`
|
Scopes []string `json:"scopes"`
|
||||||
AllowedEmailDomains []string `json:"allowed_email_domains"`
|
AllowedEmailDomains []string `json:"allowed_email_domains"`
|
||||||
IATWindowSeconds int `json:"iat_window_seconds"`
|
IATWindowSeconds int `json:"iat_window_seconds"`
|
||||||
JWKSCacheTTLSeconds int `json:"jwks_cache_ttl_seconds"`
|
JWKSCacheTTLSeconds int `json:"jwks_cache_ttl_seconds"`
|
||||||
// Enabled gates whether the provider is offered on the LoginPage and
|
// Enabled gates whether the provider is offered on the LoginPage and
|
||||||
// accepted at HandleAuthRequest. Audit 2026-05-10 MED-9 closure:
|
// accepted at HandleAuthRequest. Audit 2026-05-10 MED-9 closure:
|
||||||
// pre-fix the only way to take a provider offline was DELETE (which
|
// pre-fix the only way to take a provider offline was DELETE (which
|
||||||
|
|||||||
@@ -46,10 +46,10 @@ import (
|
|||||||
// 2. Rotate the realm's RSA key via the Keycloak admin API.
|
// 2. Rotate the realm's RSA key via the Keycloak admin API.
|
||||||
// 3. Run a fresh /auth/oidc/login → /auth/oidc/callback flow.
|
// 3. Run a fresh /auth/oidc/login → /auth/oidc/callback flow.
|
||||||
// - Keycloak signs the new ID token under the new (higher-priority)
|
// - Keycloak signs the new ID token under the new (higher-priority)
|
||||||
// key.
|
// key.
|
||||||
// - certctl's verifier holds the pre-rotate JWKS in cache.
|
// - certctl's verifier holds the pre-rotate JWKS in cache.
|
||||||
// - The verify trips kid-not-in-cache → MED-6 auto-refresh fires →
|
// - The verify trips kid-not-in-cache → MED-6 auto-refresh fires →
|
||||||
// second verify succeeds.
|
// second verify succeeds.
|
||||||
// 4. Assert the callback succeeded without the test having called
|
// 4. Assert the callback succeeded without the test having called
|
||||||
// RefreshKeys (which would mask the MED-6 path).
|
// RefreshKeys (which would mask the MED-6 path).
|
||||||
//
|
//
|
||||||
|
|||||||
@@ -21,16 +21,16 @@ import (
|
|||||||
// (e.g. discovery OK but alg-downgrade tripped) returns
|
// (e.g. discovery OK but alg-downgrade tripped) returns
|
||||||
// DiscoverySucceeded=true + a non-empty Errors slice.
|
// DiscoverySucceeded=true + a non-empty Errors slice.
|
||||||
type TestDiscoveryResult struct {
|
type TestDiscoveryResult struct {
|
||||||
DiscoverySucceeded bool `json:"discovery_succeeded"`
|
DiscoverySucceeded bool `json:"discovery_succeeded"`
|
||||||
JWKSReachable bool `json:"jwks_reachable"`
|
JWKSReachable bool `json:"jwks_reachable"`
|
||||||
SupportedAlgValues []string `json:"supported_alg_values"`
|
SupportedAlgValues []string `json:"supported_alg_values"`
|
||||||
IssParamSupported bool `json:"iss_param_supported"`
|
IssParamSupported bool `json:"iss_param_supported"`
|
||||||
IssuerEcho string `json:"issuer_echo,omitempty"` // the iss value the IdP advertised
|
IssuerEcho string `json:"issuer_echo,omitempty"` // the iss value the IdP advertised
|
||||||
AuthorizationURL string `json:"authorization_url,omitempty"`
|
AuthorizationURL string `json:"authorization_url,omitempty"`
|
||||||
TokenURL string `json:"token_url,omitempty"`
|
TokenURL string `json:"token_url,omitempty"`
|
||||||
JWKSURI string `json:"jwks_uri,omitempty"`
|
JWKSURI string `json:"jwks_uri,omitempty"`
|
||||||
UserInfoEndpoint string `json:"userinfo_endpoint,omitempty"`
|
UserInfoEndpoint string `json:"userinfo_endpoint,omitempty"`
|
||||||
Errors []string `json:"errors,omitempty"`
|
Errors []string `json:"errors,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// TestDiscovery runs the read-only subset of getOrLoad against a
|
// TestDiscovery runs the read-only subset of getOrLoad against a
|
||||||
|
|||||||