gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-13 15:58:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

secret: migrate EJBCA / GlobalSign / Sectigo credentials to *secret.Ref (Phase 2)

Browse Source 
Phase 2 of the #6 acquisition-readiness fix from the 2026-05-01 issuer
coverage audit. Phase 1 (commit 633a10a) shipped the secret.Ref opaque
credential type with PBKDF2-derived key, ChaCha20-Poly1305 envelope,
String/MarshalJSON redaction to "[redacted]", and the Use callback
that zero-fills the per-call buffer after the consumer returns.

This commit applies the type to the three connectors flagged by the
audit and adds the JSON-roundtrip glue that the production factory
path needs.

Shared (internal/secret/):

- Add UnmarshalJSON on *Ref so json.Unmarshal of a stored config
  blob (issuerfactory.NewFromConfig) parses the bytes-as-string into
  NewRefFromString without callers having to know the field type
  changed. Null and missing keys leave the receiver nil; non-string
  payloads (numbers, bools) are rejected with a typed error. Pinned
  by TestRef_UnmarshalJSON: string_value, null, missing_key,
  number_rejected, roundtrip_marshal_then_unmarshal (the round-trip
  goes through "[redacted]" intentionally — JSON-marshal-then-
  unmarshal of a Config with secrets is NOT a supported test pattern;
  callers that construct a rawConfig must use a JSON literal with
  the real values).

Per-connector migration:

- EJBCA (ejbca.go): Config.Token: string → *secret.Ref. ValidateConfig
  empty-check uses Token.IsEmpty() (nil-safe). setAuthHeaders rewritten
  to call Token.Use; the Bearer header string is built inside the
  callback and the buffer is zeroed on return. mTLS path is
  unaffected.

- GlobalSign (globalsign.go): Config.APIKey + Config.APISecret: string
  → *secret.Ref. Both ValidateConfig empty-checks use IsEmpty().
  Extracted setAuthHeaders helper consolidates the four duplicated
  triple-Set sites (ValidateConfig probe, IssueCertificate,
  RevokeCertificate, pollCertificateOnce) so any future header-shape
  change applies once. ValidateConfig now pulls from the local cfg
  (post-Unmarshal) so the helper takes a *Config rather than the
  receiver — needed because ValidateConfig writes the validated cfg
  onto c.config only AFTER the probe succeeds.

- Sectigo (sectigo.go): Config.Login + Config.Password: string →
  *secret.Ref. CustomerURI stays plain string (org identifier, not
  a credential). setAuthHeaders rewritten to call Login.Use +
  Password.Use; ValidateConfig's inline header writes use the same
  pattern (the ValidateConfig probe writes to a local cfg, not
  c.config, so it can't share setAuthHeaders without rewiring — the
  inline form is fine, kept consistent in shape).

Test migration:

- ejbca_test.go, ejbca_failure_test.go, ejbca_stubs_test.go: bulk
  Token: "X" → Token: secret.NewRefFromString("X") via sed; secret
  import added.
- globalsign_test.go, globalsign_failure_test.go: same pattern for
  APIKey + APISecret.
- sectigo_test.go, sectigo_failure_test.go: same pattern for Login +
  Password.

Two tests (TestGlobalSign_ServerTLSConfig/PinnedCA_TrustsExpectedServer
and TestSectigoConnector/ValidateConfig_Success) used to construct
rawConfig via json.Marshal(config) → ValidateConfig(rawConfig). After
the migration, json.Marshal redacts *secret.Ref to "[redacted]" by
design, so the roundtripped rawConfig wrote "[redacted]" as the
actual header value and the mock server's auth-header check 403'd.
Both tests now build rawConfig as a JSON literal (the production-
shape input — the factory path always feeds rawConfig from the DB
or env, never from json.Marshal of an in-memory Config). The new
tests have a comment explaining the trap so the next person who
adds a similar test sees the pattern.

Out of scope (intentional):

- The `internal/config/config.SectigoConfig` / `GlobalSignConfig` /
  `EJBCAConfig` env-var-loader structs are still plain strings —
  those types are the env-load shape, not the steady-state runtime
  shape. The seed path in service/issuer.go json-marshals them into
  a map[string]interface{} which the factory then UnmarshalJSON's
  into the connector Config; the new UnmarshalJSON on *Ref handles
  the conversion at the boundary.
- DigiCert.APIKey + Vault.Token are still plain strings; Phase 3
  will pick them up. The audit explicitly named EJBCA / GlobalSign /
  Sectigo as the Phase 2 scope (RESULTS.md L633).

Verified locally:
- gofmt -l . clean
- go vet ./... clean
- staticcheck across all four packages clean
- go test -short -count=1 across secret, ejbca, globalsign, sectigo,
  issuerfactory, service, api/handler: green

Audit reference: cowork/issuer-coverage-audit-2026-05-01/RESULTS.md
Top-10 fix #6 — Phase 2.
This commit is contained in:
shankar0123
2026-05-02 12:53:58 +00:00
parent 0509790325
commit 2a384c690e
12 changed files with 316 additions and 139 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/connector/issuer/sectigo/sectigo.go
+41 -8
View File
@@ -38,6 +38,7 @@ import (
"github.com/shankar0123/certctl/internal/connector/issuer"
"github.com/shankar0123/certctl/internal/connector/issuer/asyncpoll"
"github.com/shankar0123/certctl/internal/secret"
)
// Config represents the Sectigo Certificate Manager issuer connector configuration.
@@ -48,11 +49,16 @@ type Config struct {
// Login is the Sectigo API account login.
// Required. Set via CERTCTL_SECTIGO_LOGIN environment variable.
Login string `json:"login"`
//
// Type: *secret.Ref (audit fix #6 Phase 2). Login can be tied to
// a privileged service-account identity, so it's protected from
// accidental logging the same way Password is.
Login *secret.Ref `json:"login"`
// Password is the Sectigo API account password or API key.
// Required. Set via CERTCTL_SECTIGO_PASSWORD environment variable.
Password string `json:"password"`
// Same *secret.Ref protections as Login.
Password *secret.Ref `json:"password"`
// OrgID is the Sectigo organization ID for certificate enrollments.
// Required. Set via CERTCTL_SECTIGO_ORG_ID environment variable.
@@ -144,10 +150,27 @@ type statusResponse struct {
}
// setAuthHeaders sets the three Sectigo authentication headers on a request.
//
// Login and Password are pulled from *secret.Ref via Use, which zero-fills
// the per-call buffer after the header string is set; the Ref's underlying
// bytes remain encrypted at rest. The Use return value is intentionally
// ignored — Set never errors and the only failure modes inside Use are
// nil-Ref / empty-Ref which the upstream IsEmpty validation has already
// excluded for production paths. Audit fix #6 Phase 2.
func (c *Connector) setAuthHeaders(req *http.Request) {
req.Header.Set("customerUri", c.config.CustomerURI)
req.Header.Set("login", c.config.Login)
req.Header.Set("password", c.config.Password)
if c.config.Login != nil {
_ = c.config.Login.Use(func(buf []byte) error {
req.Header.Set("login", string(buf))
return nil
})
}
if c.config.Password != nil {
_ = c.config.Password.Use(func(buf []byte) error {
req.Header.Set("password", string(buf))
return nil
})
}
req.Header.Set("Content-Type", "application/json")
}
@@ -162,11 +185,11 @@ func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessag
return fmt.Errorf("Sectigo customer_uri is required")
}
if cfg.Login == "" {
if cfg.Login.IsEmpty() {
return fmt.Errorf("Sectigo login is required")
}
if cfg.Password == "" {
if cfg.Password.IsEmpty() {
return fmt.Errorf("Sectigo password is required")
}
@@ -188,8 +211,18 @@ func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessag
return fmt.Errorf("failed to create API test request: %w", err)
}
req.Header.Set("customerUri", cfg.CustomerURI)
req.Header.Set("login", cfg.Login)
req.Header.Set("password", cfg.Password)
if cfg.Login != nil {
_ = cfg.Login.Use(func(buf []byte) error {
req.Header.Set("login", string(buf))
return nil
})
}
if cfg.Password != nil {
_ = cfg.Password.Use(func(buf []byte) error {
req.Header.Set("password", string(buf))
return nil
})
}
req.Header.Set("Content-Type", "application/json")
resp, err := c.httpClient.Do(req)
internal/connector/issuer/sectigo/sectigo_failure_test.go
+3 -2
View File
@@ -10,6 +10,7 @@ import (
"testing"
"github.com/shankar0123/certctl/internal/connector/issuer/sectigo"
"github.com/shankar0123/certctl/internal/secret"
)
// Bundle N.A/B-extended: sectigo failure-mode round-out (79.4% → ≥85%).
@@ -22,8 +23,8 @@ func buildSectigoConnector(t *testing.T, baseURL string) *sectigo.Connector {
cfg := sectigo.Config{
BaseURL: baseURL,
CustomerURI: "tcust",
Login: "user",
Password: "pw",
Login: secret.NewRefFromString("user"),
Password: secret.NewRefFromString("pw"),
CertType: 1,
OrgID: 2,
Term: 365,
internal/connector/issuer/sectigo/sectigo_test.go
+45 -46
View File
@@ -20,6 +20,7 @@ import (
"github.com/shankar0123/certctl/internal/connector/issuer"
"github.com/shankar0123/certctl/internal/connector/issuer/sectigo"
"github.com/shankar0123/certctl/internal/secret"
)
func TestSectigoConnector(t *testing.T) {
@@ -47,18 +48,16 @@ func TestSectigoConnector(t *testing.T) {
}))
defer srv.Close()
config := sectigo.Config{
CustomerURI: "test-org",
Login: "api-user",
Password: "api-pass",
OrgID: 12345,
CertType: 423,
Term: 365,
BaseURL: srv.URL,
}
// Build rawConfig as a JSON literal so the secrets round-trip
// intact via UnmarshalJSON (json.Marshal redacts *secret.Ref →
// "[redacted]" by design; it MUST NOT be used to construct a
// rawConfig that ValidateConfig will then header-write back).
rawConfig := []byte(fmt.Sprintf(
`{"customer_uri":"test-org","login":"api-user","password":"api-pass","org_id":12345,"cert_type":423,"term":365,"base_url":%q}`,
srv.URL,
))
connector := sectigo.New(nil, logger)
rawConfig, _ := json.Marshal(config)
err := connector.ValidateConfig(ctx, rawConfig)
if err != nil {
t.Fatalf("ValidateConfig failed: %v", err)
@@ -67,8 +66,8 @@ func TestSectigoConnector(t *testing.T) {
t.Run("ValidateConfig_MissingCustomerURI", func(t *testing.T) {
config := sectigo.Config{
Login: "api-user",
Password: "api-pass",
Login: secret.NewRefFromString("api-user"),
Password: secret.NewRefFromString("api-pass"),
OrgID: 12345,
}
@@ -86,7 +85,7 @@ func TestSectigoConnector(t *testing.T) {
t.Run("ValidateConfig_MissingLogin", func(t *testing.T) {
config := sectigo.Config{
CustomerURI: "test-org",
Password: "api-pass",
Password: secret.NewRefFromString("api-pass"),
OrgID: 12345,
}
@@ -104,7 +103,7 @@ func TestSectigoConnector(t *testing.T) {
t.Run("ValidateConfig_MissingPassword", func(t *testing.T) {
config := sectigo.Config{
CustomerURI: "test-org",
Login: "api-user",
Login: secret.NewRefFromString("api-user"),
OrgID: 12345,
}
@@ -122,8 +121,8 @@ func TestSectigoConnector(t *testing.T) {
t.Run("ValidateConfig_MissingOrgID", func(t *testing.T) {
config := sectigo.Config{
CustomerURI: "test-org",
Login: "api-user",
Password: "api-pass",
Login: secret.NewRefFromString("api-user"),
Password: secret.NewRefFromString("api-pass"),
}
connector := sectigo.New(nil, logger)
@@ -150,8 +149,8 @@ func TestSectigoConnector(t *testing.T) {
config := sectigo.Config{
CustomerURI: "bad-org",
Login: "bad-user",
Password: "bad-pass",
Login: secret.NewRefFromString("bad-user"),
Password: secret.NewRefFromString("bad-pass"),
OrgID: 12345,
BaseURL: srv.URL,
}
@@ -215,8 +214,8 @@ func TestSectigoConnector(t *testing.T) {
config := &sectigo.Config{
CustomerURI: "test-org",
Login: "api-user",
Password: "api-pass",
Login: secret.NewRefFromString("api-user"),
Password: secret.NewRefFromString("api-pass"),
OrgID: 12345,
CertType: 423,
Term: 365,
@@ -265,8 +264,8 @@ func TestSectigoConnector(t *testing.T) {
config := &sectigo.Config{
CustomerURI: "test-org",
Login: "api-user",
Password: "api-pass",
Login: secret.NewRefFromString("api-user"),
Password: secret.NewRefFromString("api-pass"),
OrgID: 12345,
CertType: 423,
Term: 365,
@@ -305,8 +304,8 @@ func TestSectigoConnector(t *testing.T) {
config := &sectigo.Config{
CustomerURI: "test-org",
Login: "api-user",
Password: "api-pass",
Login: secret.NewRefFromString("api-user"),
Password: secret.NewRefFromString("api-pass"),
OrgID: 12345,
CertType: 423,
Term: 365,
@@ -346,8 +345,8 @@ func TestSectigoConnector(t *testing.T) {
config := &sectigo.Config{
CustomerURI: "test-org",
Login: "api-user",
Password: "api-pass",
Login: secret.NewRefFromString("api-user"),
Password: secret.NewRefFromString("api-pass"),
OrgID: 12345,
BaseURL: srv.URL,
}
@@ -382,8 +381,8 @@ func TestSectigoConnector(t *testing.T) {
config := &sectigo.Config{
CustomerURI: "test-org",
Login: "api-user",
Password: "api-pass",
Login: secret.NewRefFromString("api-user"),
Password: secret.NewRefFromString("api-pass"),
OrgID: 12345,
BaseURL: srv.URL,
PollMaxWaitSeconds: 1, // keep pending tests fast
@@ -416,8 +415,8 @@ func TestSectigoConnector(t *testing.T) {
config := &sectigo.Config{
CustomerURI: "test-org",
Login: "api-user",
Password: "api-pass",
Login: secret.NewRefFromString("api-user"),
Password: secret.NewRefFromString("api-pass"),
OrgID: 12345,
BaseURL: srv.URL,
}
@@ -451,8 +450,8 @@ func TestSectigoConnector(t *testing.T) {
config := &sectigo.Config{
CustomerURI: "test-org",
Login: "api-user",
Password: "api-pass",
Login: secret.NewRefFromString("api-user"),
Password: secret.NewRefFromString("api-pass"),
OrgID: 12345,
BaseURL: srv.URL,
PollMaxWaitSeconds: 1, // keep collect-not-ready tests fast
@@ -487,8 +486,8 @@ func TestSectigoConnector(t *testing.T) {
config := &sectigo.Config{
CustomerURI: "test-org",
Login: "api-user",
Password: "api-pass",
Login: secret.NewRefFromString("api-user"),
Password: secret.NewRefFromString("api-pass"),
OrgID: 12345,
CertType: 423,
Term: 365,
@@ -543,8 +542,8 @@ func TestSectigoConnector(t *testing.T) {
config := &sectigo.Config{
CustomerURI: "test-org",
Login: "api-user",
Password: "api-pass",
Login: secret.NewRefFromString("api-user"),
Password: secret.NewRefFromString("api-pass"),
OrgID: 12345,
BaseURL: srv.URL,
}
@@ -571,8 +570,8 @@ func TestSectigoConnector(t *testing.T) {
config := &sectigo.Config{
CustomerURI: "test-org",
Login: "api-user",
Password: "api-pass",
Login: secret.NewRefFromString("api-user"),
Password: secret.NewRefFromString("api-pass"),
OrgID: 12345,
BaseURL: srv.URL,
}
@@ -591,8 +590,8 @@ func TestSectigoConnector(t *testing.T) {
t.Run("GetRenewalInfo_ReturnsNil", func(t *testing.T) {
config := &sectigo.Config{
CustomerURI: "test-org",
Login: "api-user",
Password: "api-pass",
Login: secret.NewRefFromString("api-user"),
Password: secret.NewRefFromString("api-pass"),
OrgID: 12345,
BaseURL: "https://cert-manager.com/api",
}
@@ -610,8 +609,8 @@ func TestSectigoConnector(t *testing.T) {
t.Run("DefaultTerm", func(t *testing.T) {
config := &sectigo.Config{
CustomerURI: "test-org",
Login: "api-user",
Password: "api-pass",
Login: secret.NewRefFromString("api-user"),
Password: secret.NewRefFromString("api-pass"),
OrgID: 12345,
CertType: 423,
// Term intentionally left as 0
@@ -697,8 +696,8 @@ func TestSectigoConnector(t *testing.T) {
config := &sectigo.Config{
CustomerURI: "verify-org",
Login: "verify-user",
Password: "verify-pass",
Login: secret.NewRefFromString("verify-user"),
Password: secret.NewRefFromString("verify-pass"),
OrgID: 12345,
CertType: 423,
Term: 365,
@@ -753,8 +752,8 @@ func TestSectigoConnector(t *testing.T) {
config := &sectigo.Config{
CustomerURI: "test-org",
Login: "api-user",
Password: "api-pass",
Login: secret.NewRefFromString("api-user"),
Password: secret.NewRefFromString("api-pass"),
OrgID: 12345,
BaseURL: srv.URL,
}