mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-14 14:48:52 +00:00
secret: migrate EJBCA / GlobalSign / Sectigo credentials to *secret.Ref (Phase 2)
Phase 2 of the #6 acquisition-readiness fix from the 2026-05-01 issuer
coverage audit. Phase 1 (commit 633a10a) shipped the secret.Ref opaque
credential type with PBKDF2-derived key, ChaCha20-Poly1305 envelope,
String/MarshalJSON redaction to "[redacted]", and the Use callback
that zero-fills the per-call buffer after the consumer returns.
This commit applies the type to the three connectors flagged by the
audit and adds the JSON-roundtrip glue that the production factory
path needs.
Shared (internal/secret/):
- Add UnmarshalJSON on *Ref so json.Unmarshal of a stored config
blob (issuerfactory.NewFromConfig) parses the bytes-as-string into
NewRefFromString without callers having to know the field type
changed. Null and missing keys leave the receiver nil; non-string
payloads (numbers, bools) are rejected with a typed error. Pinned
by TestRef_UnmarshalJSON: string_value, null, missing_key,
number_rejected, roundtrip_marshal_then_unmarshal (the round-trip
goes through "[redacted]" intentionally — JSON-marshal-then-
unmarshal of a Config with secrets is NOT a supported test pattern;
callers that construct a rawConfig must use a JSON literal with
the real values).
Per-connector migration:
- EJBCA (ejbca.go): Config.Token: string → *secret.Ref. ValidateConfig
empty-check uses Token.IsEmpty() (nil-safe). setAuthHeaders rewritten
to call Token.Use; the Bearer header string is built inside the
callback and the buffer is zeroed on return. mTLS path is
unaffected.
- GlobalSign (globalsign.go): Config.APIKey + Config.APISecret: string
→ *secret.Ref. Both ValidateConfig empty-checks use IsEmpty().
Extracted setAuthHeaders helper consolidates the four duplicated
triple-Set sites (ValidateConfig probe, IssueCertificate,
RevokeCertificate, pollCertificateOnce) so any future header-shape
change applies once. ValidateConfig now pulls from the local cfg
(post-Unmarshal) so the helper takes a *Config rather than the
receiver — needed because ValidateConfig writes the validated cfg
onto c.config only AFTER the probe succeeds.
- Sectigo (sectigo.go): Config.Login + Config.Password: string →
*secret.Ref. CustomerURI stays plain string (org identifier, not
a credential). setAuthHeaders rewritten to call Login.Use +
Password.Use; ValidateConfig's inline header writes use the same
pattern (the ValidateConfig probe writes to a local cfg, not
c.config, so it can't share setAuthHeaders without rewiring — the
inline form is fine, kept consistent in shape).
Test migration:
- ejbca_test.go, ejbca_failure_test.go, ejbca_stubs_test.go: bulk
Token: "X" → Token: secret.NewRefFromString("X") via sed; secret
import added.
- globalsign_test.go, globalsign_failure_test.go: same pattern for
APIKey + APISecret.
- sectigo_test.go, sectigo_failure_test.go: same pattern for Login +
Password.
Two tests (TestGlobalSign_ServerTLSConfig/PinnedCA_TrustsExpectedServer
and TestSectigoConnector/ValidateConfig_Success) used to construct
rawConfig via json.Marshal(config) → ValidateConfig(rawConfig). After
the migration, json.Marshal redacts *secret.Ref to "[redacted]" by
design, so the roundtripped rawConfig wrote "[redacted]" as the
actual header value and the mock server's auth-header check 403'd.
Both tests now build rawConfig as a JSON literal (the production-
shape input — the factory path always feeds rawConfig from the DB
or env, never from json.Marshal of an in-memory Config). The new
tests have a comment explaining the trap so the next person who
adds a similar test sees the pattern.
Out of scope (intentional):
- The `internal/config/config.SectigoConfig` / `GlobalSignConfig` /
`EJBCAConfig` env-var-loader structs are still plain strings —
those types are the env-load shape, not the steady-state runtime
shape. The seed path in service/issuer.go json-marshals them into
a map[string]interface{} which the factory then UnmarshalJSON's
into the connector Config; the new UnmarshalJSON on *Ref handles
the conversion at the boundary.
- DigiCert.APIKey + Vault.Token are still plain strings; Phase 3
will pick them up. The audit explicitly named EJBCA / GlobalSign /
Sectigo as the Phase 2 scope (RESULTS.md L633).
Verified locally:
- gofmt -l . clean
- go vet ./... clean
- staticcheck across all four packages clean
- go test -short -count=1 across secret, ejbca, globalsign, sectigo,
issuerfactory, service, api/handler: green
Audit reference: cowork/issuer-coverage-audit-2026-05-01/RESULTS.md
Top-10 fix #6 — Phase 2.
This commit is contained in:
shankar0123
@@ -20,6 +20,7 @@ import (
|
||||
|
||||
"github.com/shankar0123/certctl/internal/connector/issuer"
|
||||
"github.com/shankar0123/certctl/internal/connector/issuer/globalsign"
|
||||
"github.com/shankar0123/certctl/internal/secret"
|
||||
)
|
||||
|
||||
func TestGlobalSignConnector(t *testing.T) {
|
||||
@@ -44,8 +45,8 @@ func TestGlobalSignConnector(t *testing.T) {
|
||||
|
||||
config := globalsign.Config{
|
||||
APIUrl: srv.URL,
|
||||
APIKey: "gs-test-key",
|
||||
APISecret: "gs-test-secret",
|
||||
APIKey: secret.NewRefFromString("gs-test-key"),
|
||||
APISecret: secret.NewRefFromString("gs-test-secret"),
|
||||
ClientCertPath: "unused_for_httptest",
|
||||
ClientKeyPath: "unused_for_httptest",
|
||||
}
|
||||
@@ -63,8 +64,8 @@ func TestGlobalSignConnector(t *testing.T) {
|
||||
|
||||
t.Run("ValidateConfig_MissingAPIUrl", func(t *testing.T) {
|
||||
config := globalsign.Config{
|
||||
APIKey: "gs-test-key",
|
||||
APISecret: "gs-test-secret",
|
||||
APIKey: secret.NewRefFromString("gs-test-key"),
|
||||
APISecret: secret.NewRefFromString("gs-test-secret"),
|
||||
ClientCertPath: "/tmp/cert.pem",
|
||||
ClientKeyPath: "/tmp/key.pem",
|
||||
}
|
||||
@@ -83,7 +84,7 @@ func TestGlobalSignConnector(t *testing.T) {
|
||||
t.Run("ValidateConfig_MissingAPIKey", func(t *testing.T) {
|
||||
config := globalsign.Config{
|
||||
APIUrl: "https://api.example.com",
|
||||
APISecret: "gs-test-secret",
|
||||
APISecret: secret.NewRefFromString("gs-test-secret"),
|
||||
ClientCertPath: "/tmp/cert.pem",
|
||||
ClientKeyPath: "/tmp/key.pem",
|
||||
}
|
||||
@@ -102,7 +103,7 @@ func TestGlobalSignConnector(t *testing.T) {
|
||||
t.Run("ValidateConfig_MissingAPISecret", func(t *testing.T) {
|
||||
config := globalsign.Config{
|
||||
APIUrl: "https://api.example.com",
|
||||
APIKey: "gs-test-key",
|
||||
APIKey: secret.NewRefFromString("gs-test-key"),
|
||||
ClientCertPath: "/tmp/cert.pem",
|
||||
ClientKeyPath: "/tmp/key.pem",
|
||||
}
|
||||
@@ -121,8 +122,8 @@ func TestGlobalSignConnector(t *testing.T) {
|
||||
t.Run("ValidateConfig_MissingClientCertPath", func(t *testing.T) {
|
||||
config := globalsign.Config{
|
||||
APIUrl: "https://api.example.com",
|
||||
APIKey: "gs-test-key",
|
||||
APISecret: "gs-test-secret",
|
||||
APIKey: secret.NewRefFromString("gs-test-key"),
|
||||
APISecret: secret.NewRefFromString("gs-test-secret"),
|
||||
ClientKeyPath: "/tmp/key.pem",
|
||||
}
|
||||
|
||||
@@ -140,8 +141,8 @@ func TestGlobalSignConnector(t *testing.T) {
|
||||
t.Run("ValidateConfig_MissingClientKeyPath", func(t *testing.T) {
|
||||
config := globalsign.Config{
|
||||
APIUrl: "https://api.example.com",
|
||||
APIKey: "gs-test-key",
|
||||
APISecret: "gs-test-secret",
|
||||
APIKey: secret.NewRefFromString("gs-test-key"),
|
||||
APISecret: secret.NewRefFromString("gs-test-secret"),
|
||||
ClientCertPath: "/tmp/cert.pem",
|
||||
}
|
||||
|
||||
@@ -187,8 +188,8 @@ func TestGlobalSignConnector(t *testing.T) {
|
||||
|
||||
config := &globalsign.Config{
|
||||
APIUrl: mockServer.URL,
|
||||
APIKey: "gs-test-key",
|
||||
APISecret: "gs-test-secret",
|
||||
APIKey: secret.NewRefFromString("gs-test-key"),
|
||||
APISecret: secret.NewRefFromString("gs-test-secret"),
|
||||
}
|
||||
|
||||
connector := globalsign.NewWithHTTPClient(config, logger, httpClient)
|
||||
@@ -235,8 +236,8 @@ func TestGlobalSignConnector(t *testing.T) {
|
||||
|
||||
config := &globalsign.Config{
|
||||
APIUrl: mockServer.URL,
|
||||
APIKey: "gs-test-key",
|
||||
APISecret: "gs-test-secret",
|
||||
APIKey: secret.NewRefFromString("gs-test-key"),
|
||||
APISecret: secret.NewRefFromString("gs-test-secret"),
|
||||
}
|
||||
|
||||
connector := globalsign.NewWithHTTPClient(config, logger, httpClient)
|
||||
@@ -276,8 +277,8 @@ func TestGlobalSignConnector(t *testing.T) {
|
||||
|
||||
config := &globalsign.Config{
|
||||
APIUrl: mockServer.URL,
|
||||
APIKey: "gs-test-key",
|
||||
APISecret: "gs-test-secret",
|
||||
APIKey: secret.NewRefFromString("gs-test-key"),
|
||||
APISecret: secret.NewRefFromString("gs-test-secret"),
|
||||
}
|
||||
|
||||
connector := globalsign.NewWithHTTPClient(config, logger, httpClient)
|
||||
@@ -318,8 +319,8 @@ func TestGlobalSignConnector(t *testing.T) {
|
||||
|
||||
config := &globalsign.Config{
|
||||
APIUrl: mockServer.URL,
|
||||
APIKey: "gs-test-key",
|
||||
APISecret: "gs-test-secret",
|
||||
APIKey: secret.NewRefFromString("gs-test-key"),
|
||||
APISecret: secret.NewRefFromString("gs-test-secret"),
|
||||
}
|
||||
|
||||
connector := globalsign.NewWithHTTPClient(config, logger, httpClient)
|
||||
@@ -356,8 +357,8 @@ func TestGlobalSignConnector(t *testing.T) {
|
||||
|
||||
config := &globalsign.Config{
|
||||
APIUrl: mockServer.URL,
|
||||
APIKey: "gs-test-key",
|
||||
APISecret: "gs-test-secret",
|
||||
APIKey: secret.NewRefFromString("gs-test-key"),
|
||||
APISecret: secret.NewRefFromString("gs-test-secret"),
|
||||
PollMaxWaitSeconds: 1, // keep async-pending tests fast
|
||||
}
|
||||
|
||||
@@ -400,8 +401,8 @@ func TestGlobalSignConnector(t *testing.T) {
|
||||
|
||||
config := &globalsign.Config{
|
||||
APIUrl: mockServer.URL,
|
||||
APIKey: "gs-test-key",
|
||||
APISecret: "gs-test-secret",
|
||||
APIKey: secret.NewRefFromString("gs-test-key"),
|
||||
APISecret: secret.NewRefFromString("gs-test-secret"),
|
||||
}
|
||||
|
||||
connector := globalsign.NewWithHTTPClient(config, logger, httpClient)
|
||||
@@ -445,8 +446,8 @@ func TestGlobalSignConnector(t *testing.T) {
|
||||
|
||||
config := &globalsign.Config{
|
||||
APIUrl: mockServer.URL,
|
||||
APIKey: "gs-test-key",
|
||||
APISecret: "gs-test-secret",
|
||||
APIKey: secret.NewRefFromString("gs-test-key"),
|
||||
APISecret: secret.NewRefFromString("gs-test-secret"),
|
||||
}
|
||||
|
||||
connector := globalsign.NewWithHTTPClient(config, logger, httpClient)
|
||||
@@ -478,8 +479,8 @@ func TestGlobalSignConnector(t *testing.T) {
|
||||
|
||||
config := &globalsign.Config{
|
||||
APIUrl: mockServer.URL,
|
||||
APIKey: "gs-test-key",
|
||||
APISecret: "gs-test-secret",
|
||||
APIKey: secret.NewRefFromString("gs-test-key"),
|
||||
APISecret: secret.NewRefFromString("gs-test-secret"),
|
||||
}
|
||||
|
||||
connector := globalsign.NewWithHTTPClient(config, logger, httpClient)
|
||||
@@ -524,8 +525,8 @@ func TestGlobalSignConnector(t *testing.T) {
|
||||
|
||||
config := &globalsign.Config{
|
||||
APIUrl: mockServer.URL,
|
||||
APIKey: "gs-test-key",
|
||||
APISecret: "gs-test-secret",
|
||||
APIKey: secret.NewRefFromString("gs-test-key"),
|
||||
APISecret: secret.NewRefFromString("gs-test-secret"),
|
||||
}
|
||||
|
||||
connector := globalsign.NewWithHTTPClient(config, logger, httpClient)
|
||||
@@ -613,15 +614,22 @@ func TestGlobalSign_ServerTLSConfig(t *testing.T) {
|
||||
clientCert, clientKey := writeClientMTLS(t)
|
||||
config := globalsign.Config{
|
||||
APIUrl: srv.URL,
|
||||
APIKey: "gs-test-key",
|
||||
APISecret: "gs-test-secret",
|
||||
APIKey: secret.NewRefFromString("gs-test-key"),
|
||||
APISecret: secret.NewRefFromString("gs-test-secret"),
|
||||
ClientCertPath: clientCert,
|
||||
ClientKeyPath: clientKey,
|
||||
ServerCAPath: caPath,
|
||||
}
|
||||
|
||||
connector := globalsign.New(&config, logger)
|
||||
rawConfig, _ := json.Marshal(config)
|
||||
// Build rawConfig as a JSON literal so the secrets round-trip
|
||||
// intact via UnmarshalJSON (json.Marshal redacts *secret.Ref →
|
||||
// "[redacted]" by design; it MUST NOT be used to construct a
|
||||
// rawConfig that ValidateConfig will then header-write back).
|
||||
rawConfig := []byte(fmt.Sprintf(
|
||||
`{"api_url":%q,"api_key":"gs-test-key","api_secret":"gs-test-secret","client_cert_path":%q,"client_key_path":%q,"server_ca_path":%q}`,
|
||||
config.APIUrl, config.ClientCertPath, config.ClientKeyPath, config.ServerCAPath,
|
||||
))
|
||||
if err := connector.ValidateConfig(ctx, rawConfig); err != nil {
|
||||
t.Fatalf("ValidateConfig with pinned CA should succeed, got: %v", err)
|
||||
}
|
||||
@@ -645,8 +653,8 @@ func TestGlobalSign_ServerTLSConfig(t *testing.T) {
|
||||
clientCert, clientKey := writeClientMTLS(t)
|
||||
config := globalsign.Config{
|
||||
APIUrl: srv.URL,
|
||||
APIKey: "gs-test-key",
|
||||
APISecret: "gs-test-secret",
|
||||
APIKey: secret.NewRefFromString("gs-test-key"),
|
||||
APISecret: secret.NewRefFromString("gs-test-secret"),
|
||||
ClientCertPath: clientCert,
|
||||
ClientKeyPath: clientKey,
|
||||
ServerCAPath: caPath,
|
||||
@@ -671,8 +679,8 @@ func TestGlobalSign_ServerTLSConfig(t *testing.T) {
|
||||
clientCert, clientKey := writeClientMTLS(t)
|
||||
config := globalsign.Config{
|
||||
APIUrl: "https://example.invalid",
|
||||
APIKey: "gs-test-key",
|
||||
APISecret: "gs-test-secret",
|
||||
APIKey: secret.NewRefFromString("gs-test-key"),
|
||||
APISecret: secret.NewRefFromString("gs-test-secret"),
|
||||
ClientCertPath: clientCert,
|
||||
ClientKeyPath: clientKey,
|
||||
ServerCAPath: "/nonexistent/path/to/ca.pem",
|
||||
@@ -699,8 +707,8 @@ func TestGlobalSign_ServerTLSConfig(t *testing.T) {
|
||||
|
||||
config := globalsign.Config{
|
||||
APIUrl: "https://example.invalid",
|
||||
APIKey: "gs-test-key",
|
||||
APISecret: "gs-test-secret",
|
||||
APIKey: secret.NewRefFromString("gs-test-key"),
|
||||
APISecret: secret.NewRefFromString("gs-test-secret"),
|
||||
ClientCertPath: clientCert,
|
||||
ClientKeyPath: clientKey,
|
||||
ServerCAPath: badCAPath,
|
||||
|
||||
Reference in New Issue
Block a user