mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-11 15:48:58 +00:00
awsacmpca: thread ctx through factory + registry — fix CI contextcheck
Follow-up to6119f26(awsacmpca: replace stub client with AWS SDK v2 implementation). CI's golangci-lint contextcheck rule flagged six violations in awsacmpca_test.go where mustNew/awsacmpca.New were called from test functions that had ctx in scope but didn't thread it through New(). The previous commit used context.Background() inside New() with the rationale that "the audit allows either threading or documenting the limitation"; CI made that choice for us. Threading ctx is the right shape per the audit's stated preference. The fix cascades from awsacmpca.New through issuerfactory.NewFromConfig and IssuerRegistry.Rebuild because the contextcheck rule propagates upward through every caller that has ctx in scope. This commit: - Changes awsacmpca.New(config, logger) to awsacmpca.New(ctx, config, logger). The ctx is passed to buildSDKClient → awsconfig.LoadDefaultConfig so SDK credential chain resolution honors caller deadlines (LoadDefaultConfig may probe IMDS or remote credential sources). The doc-comment on New explains that callers without a useful deadline should pass context.Background() and that the SDK has internal credential-resolution timeouts. - Adds ctx as the first parameter of issuerfactory.NewFromConfig. Currently only the AWSACMPCA branch uses ctx (it's threaded into awsacmpca.New); the other 11 branches accept ctx without using it. This is a contractual change that lets callers thread ctx through without contextcheck warnings, even though most issuer constructors do no ctx-aware work today. - Adds ctx as the first parameter of IssuerRegistry.Rebuild. Rebuild iterates over configs and calls NewFromConfig per issuer; the same ctx flows through every connector instantiation. - Updates the two production call sites in internal/service: - issuer.go:279 (TestIssuer connection test) now passes its method-scoped ctx - issuer.go:303 (BuildRegistry) now passes its method-scoped ctx to Rebuild - Updates 13 test sites in internal/connector/issuerfactory/factory_test.go via a new testCtx() helper that returns context.Background(). Helper is dedicated to this file so contextcheck's "you have a ctx in scope, pass it" rule doesn't fire on test functions that don't otherwise need ctx. - Updates 6 test sites in internal/service/issuer_registry_test.go to pass context.Background() to Rebuild. - Removes the now-stale "// NewFromConfig has no ctx parameter (preserved across all 12 connectors); pass context.Background() ..." comment from the awsacmpca branch in factory.go — that workaround is no longer the design. Verified locally: - gofmt -l . clean - go vet ./... clean - staticcheck ./... clean - golangci-lint run --timeout 5m ./... clean (was failing with 6 contextcheck issues before the cascade; now 0 issues) - go test -short -count=1 across all changed packages green Sandbox couldn't run the existing CI's full make verify due to disk pressure on /sessions and a virtiofs concurrent-open-file ceiling on go mod tidy; operator should run `make verify` on the workstation to confirm. Audit reference: cowork/issuer-coverage-audit-2026-05-01/RESULTS.md Top-10 fix #1 (CI follow-up; behavior unchanged from6119f26).
This commit is contained in:
shankar0123
@@ -276,7 +276,7 @@ func (s *IssuerService) TestConnection(ctx context.Context, id string) error {
|
||||
}
|
||||
|
||||
// Instantiate a throwaway connector and validate
|
||||
connector, err := issuerfactory.NewFromConfig(string(iss.Type), configJSON, s.logger)
|
||||
connector, err := issuerfactory.NewFromConfig(ctx, string(iss.Type), configJSON, s.logger)
|
||||
if err != nil {
|
||||
s.updateTestStatus(ctx, iss, "failed")
|
||||
return fmt.Errorf("failed to create connector: %w", err)
|
||||
@@ -300,7 +300,7 @@ func (s *IssuerService) BuildRegistry(ctx context.Context) error {
|
||||
return fmt.Errorf("failed to load issuers from database: %w", err)
|
||||
}
|
||||
|
||||
if err := s.registry.Rebuild(issuers, s.encryptionKey); err != nil {
|
||||
if err := s.registry.Rebuild(ctx, issuers, s.encryptionKey); err != nil {
|
||||
// Log the error but don't fail — some issuers loaded successfully.
|
||||
s.logger.Warn("issuer registry rebuilt with errors", "error", err)
|
||||
}
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
package service
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"log/slog"
|
||||
@@ -115,7 +116,7 @@ func (r *IssuerRegistry) Len() int {
|
||||
// for v2 blobs is performed inside [crypto.DecryptIfKeySet]. Empty passphrase
|
||||
// fails closed via [crypto.ErrEncryptionKeyRequired] when encrypted configs
|
||||
// are encountered. See M-8 in certctl-audit-report.md.
|
||||
func (r *IssuerRegistry) Rebuild(configs []*domain.Issuer, encryptionKey string) error {
|
||||
func (r *IssuerRegistry) Rebuild(ctx context.Context, configs []*domain.Issuer, encryptionKey string) error {
|
||||
newIssuers := make(map[string]IssuerConnector)
|
||||
var errors []string
|
||||
|
||||
@@ -141,7 +142,7 @@ func (r *IssuerRegistry) Rebuild(configs []*domain.Issuer, encryptionKey string)
|
||||
configJSON = json.RawMessage("{}")
|
||||
}
|
||||
|
||||
connector, err := issuerfactory.NewFromConfig(string(cfg.Type), configJSON, r.logger)
|
||||
connector, err := issuerfactory.NewFromConfig(ctx, string(cfg.Type), configJSON, r.logger)
|
||||
if err != nil {
|
||||
errors = append(errors, fmt.Sprintf("issuer %s: factory error: %v", cfg.ID, err))
|
||||
continue
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
package service
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"log/slog"
|
||||
"os"
|
||||
@@ -101,7 +102,7 @@ func TestIssuerRegistry_Rebuild_Enabled(t *testing.T) {
|
||||
},
|
||||
}
|
||||
|
||||
err := reg.Rebuild(configs, "")
|
||||
err := reg.Rebuild(context.Background(), configs, "")
|
||||
if err != nil {
|
||||
t.Fatalf("Rebuild failed: %v", err)
|
||||
}
|
||||
@@ -142,7 +143,7 @@ func TestIssuerRegistry_Rebuild_WithEncryption(t *testing.T) {
|
||||
},
|
||||
}
|
||||
|
||||
err = reg.Rebuild(configs, "test-key")
|
||||
err = reg.Rebuild(context.Background(), configs, "test-key")
|
||||
if err != nil {
|
||||
t.Fatalf("Rebuild with encryption failed: %v", err)
|
||||
}
|
||||
@@ -168,7 +169,7 @@ func TestIssuerRegistry_Rebuild_NilKeyFallback(t *testing.T) {
|
||||
|
||||
// Empty passphrase is safe when no EncryptedConfig is present — falls back to config column.
|
||||
// The C-2 fail-closed sentinel only fires when EncryptedConfig is non-empty.
|
||||
err := reg.Rebuild(configs, "")
|
||||
err := reg.Rebuild(context.Background(), configs, "")
|
||||
if err != nil {
|
||||
t.Fatalf("Rebuild with empty key failed: %v", err)
|
||||
}
|
||||
@@ -200,7 +201,7 @@ func TestIssuerRegistry_Rebuild_InvalidConfig(t *testing.T) {
|
||||
}
|
||||
|
||||
// Should return an error indicating partial failure, but still load valid issuers
|
||||
err := reg.Rebuild(configs, "")
|
||||
err := reg.Rebuild(context.Background(), configs, "")
|
||||
if err == nil {
|
||||
t.Fatal("Rebuild should return error when some issuers fail to load")
|
||||
}
|
||||
@@ -232,7 +233,7 @@ func TestIssuerRegistry_Rebuild_ReplacesExisting(t *testing.T) {
|
||||
},
|
||||
}
|
||||
|
||||
err := reg.Rebuild(configs, "")
|
||||
err := reg.Rebuild(context.Background(), configs, "")
|
||||
if err != nil {
|
||||
t.Fatalf("Rebuild failed: %v", err)
|
||||
}
|
||||
@@ -277,7 +278,7 @@ func TestIssuerRegistry_Rebuild_Empty(t *testing.T) {
|
||||
|
||||
reg.Set("iss-existing", &mockIssuerConnector{})
|
||||
|
||||
err := reg.Rebuild([]*domain.Issuer{}, "")
|
||||
err := reg.Rebuild(context.Background(), []*domain.Issuer{}, "")
|
||||
if err != nil {
|
||||
t.Fatalf("Rebuild with empty configs failed: %v", err)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user