gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-14 00:48:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

WIP: M-1 handler sentinel error mapping (checkpoint before branch cleanup)

Browse Source 
Uncommitted migration work at the time of branch cleanup. Tagged as
checkpoint/m1-migration-wip so the commit survives git gc --prune=now.

Session context: Phase 3 Part B+C of the M-1 sentinel error migration
was in progress. 38 modified files, 4 new files (errors.go + errors_test.go
in internal/service/ and internal/api/handler/). Resume from this commit
via 'git checkout checkpoint/m1-migration-wip'.
This commit is contained in:
shankar0123
2026-04-24 00:35:12 +00:00
parent d6959a75c1
commit 36e722ba12
42 changed files with 1319 additions and 294 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/service/scep_test.go
+19
View File
@@ -148,6 +148,13 @@ func TestSCEPService_PKCSReq_ChallengePassword_Invalid(t *testing.T) {
if err == nil {
t.Fatal("expected error for invalid challenge password")
}
// M-1 (P2): pin the sentinel wrap so the handler's errToStatus dispatch
// (errors.Is → 401 Unauthorized) stays contract-stable. The parallel
// substring check is retained because it also pins the user-facing reason
// that service.ErrUnauthenticated composes with via fmt.Errorf("%w: ...").
if !errors.Is(err, ErrUnauthenticated) {
t.Errorf("expected errors.Is(err, ErrUnauthenticated), got: %v", err)
}
if !strings.Contains(err.Error(), "challenge password") {
t.Errorf("expected 'challenge password' in error, got: %v", err)
}
@@ -171,6 +178,12 @@ func TestSCEPService_PKCSReq_ChallengePassword_EmptyServerConfigRejected(t *test
if err == nil {
t.Fatalf("expected rejection when server challenge password is empty (client=%q)", clientPassword)
}
// M-1 (P2): pin the sentinel wrap on the "no shared secret configured"
// branch so both H-2 failure modes route to the same 401 arm at the
// handler. Preserves the explanatory substring assertion alongside.
if !errors.Is(err, ErrUnauthenticated) {
t.Errorf("expected errors.Is(err, ErrUnauthenticated) for client=%q, got: %v", clientPassword, err)
}
if !strings.Contains(err.Error(), "not configured") {
t.Errorf("expected 'not configured' in error, got: %v", err)
}
@@ -193,6 +206,12 @@ func TestSCEPService_PKCSReq_ChallengePassword_ConstantTimeLengthIndependence(t
if err == nil {
t.Fatalf("expected rejection for bad password %q", bad)
}
// M-1 (P2): pin sentinel-wrap on every bad-password input so both the
// length-mismatch and content-mismatch ConstantTimeCompare paths map to
// the same 401 arm.
if !errors.Is(err, ErrUnauthenticated) {
t.Errorf("expected errors.Is(err, ErrUnauthenticated) for %q, got: %v", bad, err)
}
if !strings.Contains(err.Error(), "invalid challenge password") {
t.Errorf("expected 'invalid challenge password' for %q, got: %v", bad, err)
}