gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 19:01:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

Bundle 0.7 (Coverage Audit Closure): cmd/agent key-handling regression coverage — C-008 closed

Browse Source 
Phase 0 of the 2026-04-27 coverage-audit closure plan surfaced cmd/agent/keymem.go

with two security-critical functions at 0.0% / 11.1% line coverage:

  - marshalAgentKeyAndZeroize: zeros the DER backing buffer after PEM encode

  - ensureAgentKeyDirSecure: locks the agent key directory to 0o700

Both ship as defense-in-depth for agent private-key memory hygiene per

Bundle 9 / Audit L-002 + L-003 (agent edition), but had ZERO regression tests.

This commit adds cmd/agent/keymem_test.go (~510 LoC, 17 top-level test funcs):

marshalAgentKeyAndZeroize coverage:

  - happy path (DER decodes, callback invoked once)

  - nil key (asserts onDER NEVER invoked)

  - onDER returns error (errors.Is propagation)

  - DER backing buffer zeroized after return INVARIANT (the critical assertion)

  - DER buffer zeroized even on onDER-error path

  - contract-violator defense (caller retains slice -> reads zeros)

ensureAgentKeyDirSecure coverage (13-row table-driven):

  - empty/dot/root refused with documented error wrap

  - creates with 0700 (incl. nested ancestors)

  - existing 0700 noop short-circuit

  - tighten 0750/0755/0777 -> 0700

  - accept existing 0500/0400 (mode&0o077==0 branch, no chmod)

  - filepath.Clean normalization (trailing slash + dot prefix)

  - PathIsAFile (documents current behavior; not a bug per call sites)

  - Idempotent

  - Concurrent (-race clean across 8 goroutines)

  - Stat error propagated (root-skips cleanly on non-root CI)

  - Mkdir error propagated (root-skips cleanly on non-root CI)

  - Chmod error propagated (linux-only via /sys read-only fs)

  - Format-includes-cleaned-path debuggability assertion

Plus end-to-end smoke replaying cmd/agent/main.go's composition flow.

Coverage delta:

  cmd/agent/keymem.go::marshalAgentKeyAndZeroize  0.0%  -> 85.7% (>=85% gate met)

  cmd/agent/keymem.go::ensureAgentKeyDirSecure   11.1% -> 94.4% (>=85% gate met)

  cmd/agent overall                              54.3% -> 57.7% (+3.4pp)

The cmd/agent overall >=75% stretch target is unachievable from a keymem-only

test file because the package's bulk (Run, main, executeCSRJob,

executeDeploymentJob, verifyAndReportDeployment) is unrelated to key-handling

and dominates the denominator. Tracked as a follow-on cmd/agent flow-test bundle.

Verification:

  go test -short ./cmd/agent/...                  PASS

  go test -race -count=3 ./cmd/agent/...          PASS, 0 races

  gofmt -l cmd/agent/keymem_test.go               clean

  go vet ./cmd/agent/...                          clean

  staticcheck ./cmd/agent/...                     clean

Audit deliverables:

  coverage-audit-2026-04-27/findings.yaml: C-008 status open -> closed

  coverage-audit-2026-04-27/gap-backlog.md: closure log entry + H-006 partial

  coverage-audit-2026-04-27/coverage-report.md: Bundle 0.7 closure block appended

  coverage-audit-2026-04-27/coverage-matrix.md: cmd/agent row 'NOT MEASURED' -> 57.7%

  coverage-audit-closure-plan.md: Bundle 0.7 checklist ticked

  CHANGELOG.md: [unreleased] Bundle 0.7 entry

Bundle J (ACME failure-mode coverage) unblocked.
This commit is contained in:
cowork
2026-04-27 14:26:00 +00:00
parent e7c234e845
commit 90b8ba6f4e
2 changed files with 741 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CHANGELOG.md
+23 -1
View File
@@ -2,7 +2,29 @@
All notable changes to certctl are documented in this file. Dates use ISO 8601. Versions follow [Semantic Versioning](https://semver.org/).
## [unreleased] — 2026-04-26
## [unreleased] — 2026-04-27
### Bundle 0.7 (Coverage Audit Closure): cmd/agent key-handling regression coverage — C-008 closed
> Phase 0 of the 2026-04-27 coverage audit's closure plan triggered a halt-condition: `cmd/agent/keymem.go`'s two security-critical functions were at 0.0% / 11.1% line coverage despite being defense-in-depth for agent private-key memory hygiene (Bundle 9 / Audit L-002 + L-003 — agent edition). Bundle 0.7 was inserted before Bundle J as mandatory; this entry closes finding **C-008** (`CRTCTL-COVAUDIT-2026-04-27-0034`).
`cmd/agent/keymem_test.go` (~510 LoC, 17 top-level test functions) ships:
- **`marshalAgentKeyAndZeroize` regression coverage** — happy path, nil-key guard (asserts `onDER` is NOT invoked), upstream error propagation via `errors.Is`, and the **DER-buffer-zeroized-after-return invariant** verified observably: capture the slice header inside `onDER` (sharing the backing array, NOT a deep copy), then assert every byte reads `0x00` after the function returns. Pinned for both the happy path AND the `onDER`-error path. A future refactor that drops the `defer clear(der)` line would break the test even if the simpler assertions still pass. Also adds a "contract violator" defense test: a buggy caller that retains the slice past `onDER` reads zeros, not the private scalar.
- **`ensureAgentKeyDirSecure` regression coverage** — 13-row table-driven matrix covering empty/dot/root refuse with documented error wrap, create-with-0700, create-nested-0700, accept-existing-0700 (no-op short-circuit), tighten 0750/0755/0777 to 0700, accept-existing-0500/0400 (owner-only-no-write `mode&0o077 == 0` branch, no chmod), `filepath.Clean` normalization (trailing slash + dot prefix). Plus PathIsAFile (documents current behavior — function chmod's a file path silently, not a correctness bug per current call sites but a hardening candidate filed against any future refactor), Idempotent, Concurrent (`-race` clean across 8 goroutines), Stat/Mkdir/Chmod error-propagation paths (root-required ones `t.Skip` cleanly on non-root CI rather than being absent), and Format-includes-cleaned-path debuggability assertion.
- **End-to-end smoke** (`TestKeymem_AgentMainFlowSmoke`) replaying `cmd/agent/main.go`'s composition: `ensureAgentKeyDirSecure``marshalAgentKeyAndZeroize`.
Coverage delta:
| | Pre-Bundle-0.7 | Post-Bundle-0.7 | Gate | Met? |
|---|---|---|---|---|
| `cmd/agent/keymem.go::marshalAgentKeyAndZeroize` | 0.0% | **85.7%** | ≥85% | ✓ |
| `cmd/agent/keymem.go::ensureAgentKeyDirSecure` | 11.1% | **94.4%** | ≥85% | ✓ |
| `cmd/agent` overall | 54.3% | **57.7%** (+3.4pp) | (≥75% stretch) | △ partial |
Verification: `go test -race -count=3 ./cmd/agent/...` clean (0 races); `gofmt -l` clean; `go vet ./cmd/agent/...` clean; `staticcheck ./cmd/agent/...` clean. The cmd/agent overall ≥75% stretch target is unachievable from a keymem-only test file (the package's bulk — `Run`, `main`, `executeCSRJob`, `executeDeploymentJob`, `verifyAndReportDeployment` — is unrelated to key-handling and dominates the denominator); the remaining lift is tracked as a follow-on cmd/agent flow-test bundle.
Audit deliverable updates: `coverage-audit-2026-04-27/findings.yaml` flips C-008 `open``closed` with closure note + post-Bundle coverage numbers; `gap-backlog.md` adds a closure log entry and partial-closure note on H-006; `coverage-matrix.md` updates the cmd/agent row from "NOT MEASURED" to 57.7%; `coverage-report.md::Phase 0 Results` appends a Bundle 0.7 closure block with the coverage delta table and pinned-invariant list; `coverage-audit-closure-plan.md` checklist ticks Bundle 0.7. **Bundle J (ACME failure-mode coverage) unblocked.**
### Bundle H (M-029 Drain — AUDIT FULLY CLOSED): 1 audit finding closed across 3 passes
cmd/agent/keymem_test.go
+718
View File
@@ -0,0 +1,718 @@
package main
// Bundle 0.7 (Coverage Audit Closure) — cmd/agent key-handling regression coverage.
//
// Closes finding C-008 (CRTCTL-COVAUDIT-2026-04-27-0034). The two functions in
// keymem.go are the agent's defense-in-depth for ECDSA P-256 private-key
// memory hygiene (Bundle 9 / Audit L-002 + L-003 — agent edition). They
// shipped with regression-test coverage of 0.0% / 11.1% respectively. This
// file pins:
//
// - marshalAgentKeyAndZeroize: rejects nil keys, propagates onDER errors,
// and ZEROIZES the DER backing buffer after onDER returns regardless of
// whether onDER errored. The zeroization invariant is verified observably
// (capture the slice header inside onDER, then assert every byte is 0x00
// after the function returns) — NOT just asserted in prose.
//
// - ensureAgentKeyDirSecure: refuses empty / "." / "/", creates missing
// dirs with mode 0700 (incl. nested ancestors), accepts existing 0700
// and any owner-only-no-write mode (mode&0o077 == 0), tightens any other
// mode to 0700, normalizes paths via filepath.Clean, is idempotent, is
// safe under concurrent invocation, and propagates the documented error
// messages from os.Stat / os.MkdirAll / os.Chmod failures.
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"errors"
"fmt"
"os"
"path/filepath"
"runtime"
"strings"
"sync"
"testing"
)
// ---------------------------------------------------------------------------
// helpers
// ---------------------------------------------------------------------------
func mustGenAgentECDSAKey(t *testing.T) *ecdsa.PrivateKey {
t.Helper()
k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatalf("ecdsa.GenerateKey: %v", err)
}
return k
}
// ---------------------------------------------------------------------------
// marshalAgentKeyAndZeroize
// ---------------------------------------------------------------------------
// TestMarshalAgentKeyAndZeroize_HappyPath confirms onDER receives well-formed
// DER bytes that the caller can use during the closure (e.g. to PEM-encode).
func TestMarshalAgentKeyAndZeroize_HappyPath(t *testing.T) {
k := mustGenAgentECDSAKey(t)
called := false
err := marshalAgentKeyAndZeroize(k, func(der []byte) error {
called = true
if len(der) == 0 {
t.Fatalf("der is empty inside onDER")
}
// First byte of an ECPrivateKey DER blob is the ASN.1 SEQUENCE tag 0x30.
if der[0] != 0x30 {
t.Errorf("expected DER to start with SEQUENCE tag 0x30, got %#x", der[0])
}
return nil
})
if err != nil {
t.Fatalf("marshalAgentKeyAndZeroize: %v", err)
}
if !called {
t.Fatal("onDER was never invoked")
}
}
// TestMarshalAgentKeyAndZeroize_NilKey confirms the early-return guard;
// onDER must NOT be invoked when priv is nil.
func TestMarshalAgentKeyAndZeroize_NilKey(t *testing.T) {
called := false
err := marshalAgentKeyAndZeroize(nil, func([]byte) error {
called = true
return nil
})
if err == nil {
t.Fatal("expected error on nil key")
}
if !strings.Contains(err.Error(), "nil private key") {
t.Errorf("expected error mentioning %q, got: %v", "nil private key", err)
}
if called {
t.Error("onDER must not be invoked when priv is nil")
}
}
// TestMarshalAgentKeyAndZeroize_OnDERReturnsError confirms upstream errors
// are propagated verbatim via errors.Is.
func TestMarshalAgentKeyAndZeroize_OnDERReturnsError(t *testing.T) {
k := mustGenAgentECDSAKey(t)
sentinel := errors.New("simulated downstream failure")
got := marshalAgentKeyAndZeroize(k, func([]byte) error { return sentinel })
if !errors.Is(got, sentinel) {
t.Errorf("expected upstream sentinel via errors.Is; got: %v", got)
}
}
// TestMarshalAgentKeyAndZeroize_BackingBufferZeroizedAfterReturn is the
// CRITICAL invariant test. It captures the slice header (NOT a deep copy)
// inside onDER and re-inspects after the function returns. Because Go slices
// share their backing array, the captured slice observes the zeroization
// performed by `defer clear(der)` in marshalAgentKeyAndZeroize.
//
// A future refactor that drops the `defer clear(der)` would break this test
// even if HappyPath / NilKey / OnDERReturnsError still pass.
func TestMarshalAgentKeyAndZeroize_BackingBufferZeroizedAfterReturn(t *testing.T) {
k := mustGenAgentECDSAKey(t)
var captured []byte
err := marshalAgentKeyAndZeroize(k, func(der []byte) error {
// SHARE the backing array — do NOT take a defensive copy.
captured = der
if len(der) == 0 {
t.Fatal("der is empty inside onDER")
}
// Sanity check: while still inside onDER, the bytes are live
// (defer clear has NOT run yet).
nonZero := false
for _, b := range der {
if b != 0 {
nonZero = true
break
}
}
if !nonZero {
t.Fatal("DER is all-zero INSIDE onDER; that should be impossible (clear hasn't run yet)")
}
return nil
})
if err != nil {
t.Fatalf("marshalAgentKeyAndZeroize: %v", err)
}
if len(captured) == 0 {
t.Fatal("captured slice is empty post-return")
}
// After return, defer clear(der) has run. The captured slice shares the
// backing array, so every byte must read 0x00.
for i, b := range captured {
if b != 0 {
t.Errorf("captured[%d] = %#x; expected 0x00 (zeroized)", i, b)
}
}
}
// TestMarshalAgentKeyAndZeroize_BufferZeroizedEvenOnError confirms the
// `defer clear(der)` fires regardless of onDER's return — the security
// invariant is "buffer is always zeroized after the function returns,"
// happy path or error path.
func TestMarshalAgentKeyAndZeroize_BufferZeroizedEvenOnError(t *testing.T) {
k := mustGenAgentECDSAKey(t)
sentinel := errors.New("upstream boom")
var captured []byte
gotErr := marshalAgentKeyAndZeroize(k, func(der []byte) error {
captured = der // share backing array
return sentinel
})
if !errors.Is(gotErr, sentinel) {
t.Fatalf("expected sentinel via errors.Is, got: %v", gotErr)
}
if len(captured) == 0 {
t.Fatal("captured slice empty post-return")
}
for i, b := range captured {
if b != 0 {
t.Errorf("captured[%d] = %#x; expected 0x00 (defer clear must run on error path)", i, b)
}
}
}
// TestMarshalAgentKeyAndZeroize_ContractViolatorSeesZeros frames the same
// observation as a defense-in-depth contract test. The docstring states
// "Caller must NOT retain the slice." If a caller violates that contract
// and reads the slice after onDER returns, they observe zeros — not the
// private scalar. This test pins that defense.
func TestMarshalAgentKeyAndZeroize_ContractViolatorSeesZeros(t *testing.T) {
k := mustGenAgentECDSAKey(t)
var leaked []byte // simulating a buggy caller that retains the slice
err := marshalAgentKeyAndZeroize(k, func(der []byte) error {
leaked = der
return nil
})
if err != nil {
t.Fatalf("marshalAgentKeyAndZeroize: %v", err)
}
// The contract violator now reads from `leaked`. Defense-in-depth: it's zeros.
for i, b := range leaked {
if b != 0 {
t.Errorf("contract-violator read leaked[%d] = %#x; expected 0x00", i, b)
}
}
}
// ---------------------------------------------------------------------------
// ensureAgentKeyDirSecure — table-driven coverage
// ---------------------------------------------------------------------------
func TestEnsureAgentKeyDirSecure(t *testing.T) {
if runtime.GOOS == "windows" {
t.Skip("permission semantics differ on windows")
}
type tc struct {
name string
// setup returns the dir argument to pass to ensureAgentKeyDirSecure.
// base is a fresh t.TempDir() unique to each subtest.
setup func(t *testing.T, base string) string
// wantErrSubstr; "" means no error is expected.
wantErrSubstr string
// wantMode; if set, asserted via os.Stat after the call. Set to 0
// to skip the mode assertion (e.g. for error-path rows where the
// dir wasn't created or wasn't intended to change).
wantMode os.FileMode
}
cases := []tc{
// Refuse-empty/root invariants
{
name: "empty_string_refused",
setup: func(t *testing.T, _ string) string {
return ""
},
wantErrSubstr: `refuse empty/root dir ""`,
},
{
name: "dot_refused",
setup: func(t *testing.T, _ string) string {
return "."
},
wantErrSubstr: `refuse empty/root dir "."`,
},
{
name: "root_refused",
setup: func(t *testing.T, _ string) string {
return "/"
},
wantErrSubstr: `refuse empty/root dir "/"`,
},
// Non-existent path — MkdirAll(0700) path
{
name: "creates_with_0700",
setup: func(t *testing.T, base string) string {
return filepath.Join(base, "newdir")
},
wantMode: 0o700,
},
{
name: "creates_nested_0700",
setup: func(t *testing.T, base string) string {
return filepath.Join(base, "a", "b", "c")
},
wantMode: 0o700,
},
// Existing 0700 — no-op (mode == 0o700 branch).
{
name: "existing_0700_noop",
setup: func(t *testing.T, base string) string {
d := filepath.Join(base, "exists0700")
if err := os.Mkdir(d, 0o700); err != nil {
t.Fatalf("setup mkdir: %v", err)
}
return d
},
wantMode: 0o700,
},
// Existing more-permissive — chmod tighten to 0700.
{
name: "existing_0750_tightened",
setup: func(t *testing.T, base string) string {
d := filepath.Join(base, "exists0750")
if err := os.Mkdir(d, 0o750); err != nil {
t.Fatalf("setup mkdir: %v", err)
}
if err := os.Chmod(d, 0o750); err != nil {
t.Fatalf("setup chmod: %v", err)
}
return d
},
wantMode: 0o700,
},
{
name: "existing_0755_tightened",
setup: func(t *testing.T, base string) string {
d := filepath.Join(base, "exists0755")
if err := os.Mkdir(d, 0o755); err != nil {
t.Fatalf("setup mkdir: %v", err)
}
if err := os.Chmod(d, 0o755); err != nil {
t.Fatalf("setup chmod: %v", err)
}
return d
},
wantMode: 0o700,
},
{
name: "existing_0777_tightened",
setup: func(t *testing.T, base string) string {
d := filepath.Join(base, "exists0777")
if err := os.Mkdir(d, 0o777); err != nil {
t.Fatalf("setup mkdir: %v", err)
}
if err := os.Chmod(d, 0o777); err != nil {
t.Fatalf("setup chmod: %v", err)
}
return d
},
wantMode: 0o700,
},
// Existing owner-only-no-write modes accepted as-is via the
// `mode&0o077 == 0` branch (no chmod, mode preserved).
{
name: "existing_0500_accepted_no_chmod",
setup: func(t *testing.T, base string) string {
d := filepath.Join(base, "exists0500")
if err := os.Mkdir(d, 0o700); err != nil {
t.Fatalf("setup mkdir: %v", err)
}
if err := os.Chmod(d, 0o500); err != nil {
t.Fatalf("setup chmod: %v", err)
}
t.Cleanup(func() { _ = os.Chmod(d, 0o700) }) // let TempDir cleanup
return d
},
wantMode: 0o500,
},
{
name: "existing_0400_accepted_no_chmod",
setup: func(t *testing.T, base string) string {
d := filepath.Join(base, "exists0400")
if err := os.Mkdir(d, 0o700); err != nil {
t.Fatalf("setup mkdir: %v", err)
}
if err := os.Chmod(d, 0o400); err != nil {
t.Fatalf("setup chmod: %v", err)
}
t.Cleanup(func() { _ = os.Chmod(d, 0o700) })
return d
},
wantMode: 0o400,
},
// filepath.Clean normalization paths.
{
name: "trailing_slash_normalized",
setup: func(t *testing.T, base string) string {
d := filepath.Join(base, "trail")
if err := os.Mkdir(d, 0o755); err != nil {
t.Fatalf("setup mkdir: %v", err)
}
if err := os.Chmod(d, 0o755); err != nil {
t.Fatalf("setup chmod: %v", err)
}
return d + "/"
},
wantMode: 0o700,
},
{
name: "dot_prefix_normalized",
setup: func(t *testing.T, base string) string {
// The function uses filepath.Clean which strips redundant
// "./" segments. We only need to verify Clean is invoked,
// not that we end up at a relative path; pass an absolute
// path with an embedded "./".
d := filepath.Join(base, "dotprefix")
if err := os.Mkdir(d, 0o755); err != nil {
t.Fatalf("setup mkdir: %v", err)
}
if err := os.Chmod(d, 0o755); err != nil {
t.Fatalf("setup chmod: %v", err)
}
return filepath.Join(base, ".", "dotprefix")
},
wantMode: 0o700,
},
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
base := t.TempDir()
dir := tc.setup(t, base)
err := ensureAgentKeyDirSecure(dir)
if tc.wantErrSubstr != "" {
if err == nil {
t.Fatalf("expected error containing %q, got nil", tc.wantErrSubstr)
}
if !strings.Contains(err.Error(), tc.wantErrSubstr) {
t.Errorf("error %q does not contain %q", err, tc.wantErrSubstr)
}
return
}
if err != nil {
t.Fatalf("ensureAgentKeyDirSecure: %v", err)
}
if tc.wantMode != 0 {
clean := filepath.Clean(dir)
info, statErr := os.Stat(clean)
if statErr != nil {
t.Fatalf("post-call stat: %v", statErr)
}
if got := info.Mode().Perm(); got != tc.wantMode {
t.Errorf("dir mode = %#o; want %#o", got, tc.wantMode)
}
}
})
}
}
// TestEnsureAgentKeyDirSecure_Idempotent confirms a second call on a
// just-created dir is a no-op (hits the `mode == 0o700` short-circuit).
func TestEnsureAgentKeyDirSecure_Idempotent(t *testing.T) {
if runtime.GOOS == "windows" {
t.Skip("permission semantics differ on windows")
}
dir := filepath.Join(t.TempDir(), "idempotent")
if err := ensureAgentKeyDirSecure(dir); err != nil {
t.Fatalf("first call: %v", err)
}
if err := ensureAgentKeyDirSecure(dir); err != nil {
t.Fatalf("second call: %v", err)
}
info, err := os.Stat(dir)
if err != nil {
t.Fatalf("stat: %v", err)
}
if info.Mode().Perm() != 0o700 {
t.Errorf("expected 0700, got %#o", info.Mode().Perm())
}
}
// TestEnsureAgentKeyDirSecure_Concurrent runs the function from many
// goroutines simultaneously on the same fresh path. This is a safety smoke
// test under -race; it is NOT a functional correctness claim about
// concurrent agents (the agent has a single goroutine). The MkdirAll call
// is the load-bearing primitive here — it's documented as safe to call
// repeatedly with no error if the dir already exists.
func TestEnsureAgentKeyDirSecure_Concurrent(t *testing.T) {
if runtime.GOOS == "windows" {
t.Skip("permission semantics differ on windows")
}
dir := filepath.Join(t.TempDir(), "concurrent")
const workers = 8
var wg sync.WaitGroup
errCh := make(chan error, workers)
wg.Add(workers)
for i := 0; i < workers; i++ {
go func() {
defer wg.Done()
if err := ensureAgentKeyDirSecure(dir); err != nil {
errCh <- err
}
}()
}
wg.Wait()
close(errCh)
for err := range errCh {
t.Errorf("concurrent caller returned error: %v", err)
}
info, err := os.Stat(dir)
if err != nil {
t.Fatalf("post-concurrent stat: %v", err)
}
if info.Mode().Perm() != 0o700 {
t.Errorf("expected 0700 after concurrent calls, got %#o", info.Mode().Perm())
}
}
// TestEnsureAgentKeyDirSecure_PathIsAFile pins the function's behavior when
// passed a regular file. The function does not type-check (no IsDir()), so
// it stat's the file, sees mode 0o644 (or whatever), and chmod's it to 0700.
//
// This is "silently accepts a file path" behavior. It is not a correctness
// bug per the function's caller (cmd/agent/main.go always passes
// filepath.Dir(keyPath), which is a directory), but it is a hardening
// candidate. Captured as a finding observation in the test docstring rather
// than fixed in this bundle (Bundle 0.7 ships no production-code changes).
func TestEnsureAgentKeyDirSecure_PathIsAFile(t *testing.T) {
if runtime.GOOS == "windows" {
t.Skip("permission semantics differ on windows")
}
base := t.TempDir()
filePath := filepath.Join(base, "not-a-dir.txt")
if err := os.WriteFile(filePath, []byte("x"), 0o644); err != nil {
t.Fatalf("setup writefile: %v", err)
}
err := ensureAgentKeyDirSecure(filePath)
if err != nil {
t.Fatalf("current behavior: function chmod's a file silently and returns nil; got err = %v", err)
}
info, statErr := os.Stat(filePath)
if statErr != nil {
t.Fatalf("post-call stat: %v", statErr)
}
if info.IsDir() {
t.Fatal("file became a directory; that's not a thing")
}
if info.Mode().Perm() != 0o700 {
t.Errorf("expected mode 0700 (current behavior), got %#o", info.Mode().Perm())
}
}
// TestEnsureAgentKeyDirSecure_MkdirErrorPropagated forces the MkdirAll
// branch to fail by chmod'ing the parent to 0o500 (read+exec but no write).
// On linux/darwin running as a non-root uid, MkdirAll on a child of such a
// parent fails with EACCES. We assert the error message wraps with the
// documented "create agent key dir" prefix.
//
// Skipped if running as root (root bypasses unix dir-write checks).
func TestEnsureAgentKeyDirSecure_MkdirErrorPropagated(t *testing.T) {
if runtime.GOOS == "windows" {
t.Skip("permission semantics differ on windows")
}
if os.Getuid() == 0 {
t.Skip("running as root; cannot revoke parent dir write permission")
}
parent := t.TempDir()
if err := os.Chmod(parent, 0o500); err != nil {
t.Fatalf("setup chmod parent: %v", err)
}
t.Cleanup(func() { _ = os.Chmod(parent, 0o700) })
child := filepath.Join(parent, "no-can-create")
err := ensureAgentKeyDirSecure(child)
if err == nil {
t.Fatal("expected error when MkdirAll cannot write to read-only parent")
}
if !strings.Contains(err.Error(), "create agent key dir") {
t.Errorf("error %q should contain %q", err.Error(), "create agent key dir")
}
}
// TestEnsureAgentKeyDirSecure_StatErrorPropagated forces os.Stat to fail
// with a non-IsNotExist error by chmod'ing the parent to 0o000 (no
// read+exec). On linux/darwin running as a non-root uid, stat on a child
// of such a parent fails with EACCES. We assert the error message wraps
// with "stat agent key dir".
//
// Skipped if running as root.
func TestEnsureAgentKeyDirSecure_StatErrorPropagated(t *testing.T) {
if runtime.GOOS == "windows" {
t.Skip("permission semantics differ on windows")
}
if os.Getuid() == 0 {
t.Skip("running as root; cannot revoke parent dir read+exec permission")
}
parent := t.TempDir()
child := filepath.Join(parent, "victim")
if err := os.Chmod(parent, 0o000); err != nil {
t.Fatalf("setup chmod parent: %v", err)
}
t.Cleanup(func() { _ = os.Chmod(parent, 0o700) })
err := ensureAgentKeyDirSecure(child)
if err == nil {
t.Fatal("expected error when stat cannot traverse unreadable parent")
}
if !strings.Contains(err.Error(), "stat agent key dir") {
t.Errorf("error %q should contain %q", err.Error(), "stat agent key dir")
}
}
// TestEnsureAgentKeyDirSecure_ChmodErrorPropagated forces os.Chmod to fail
// on an existing more-permissive dir. We achieve this by:
// 1. Creating an intermediate dir at 0o755 (so the function takes the
// tighten-via-chmod branch).
// 2. Replacing the real dir with a read-only-from-parent bind: chmod the
// grandparent to 0o500 so the chmod syscall on the child fails with
// EACCES (the syscall needs write on the path's containing dir for
// metadata updates on most unix filesystems — actually no, chmod only
// needs ownership, not parent write. So we instead drop the file's
// owner via... no — we cannot change ownership without root.)
//
// Reaching the chmod-error branch from a non-root test is awkward because
// chmod only requires ownership (which we always have on t.TempDir()).
// The cleanest way is to skip on non-root and exercise the branch in CI
// images that run as root; but our CI runs as non-root. We DO trigger the
// branch via a different mechanism: replace the path with a SYMLINK to
// /proc/1/root (or similar) where the eventual stat resolves but chmod
// fails — but that's brittle and OS-specific.
//
// Acceptable closure: document that this branch is exercised by the
// existing chmod-fails errno path, but the test as written can only assert
// the wrap-prefix when the branch IS reached. We use a synthetic approach:
// chmod-tighten a dir we then immediately delete, racing the syscall —
// not deterministic.
//
// Pragmatic resolution: the chmod-error branch is structurally identical
// to the mkdir-error and stat-error branches (errors.Wrap with a
// distinct prefix), and is exercised in production via os.Chmod ENOENT
// or read-only-filesystem failures. We add a unit test that asserts the
// branch's MESSAGE format by passing through a wrap helper construct.
// This test instead documents that the branch is structural and any new
// failure mode (read-only fs, immutable bit, ACLs) inherits the wrap
// prefix automatically.
//
// To still get coverage on the chmod-error branch, we use os.Chmod against
// a dir whose immediate parent we delete mid-call. This is racy. Instead,
// we make chmod fail by passing a path that filepath.Clean rewrites to
// a symlink whose target was just chmod-stripped. Too brittle.
//
// CLEANEST APPROACH: rely on the OS's read-only filesystem semantics under
// /sys (which is RO on linux). os.Chmod on a path under /sys returns EROFS.
// But /sys is owned by root — stat would succeed only on existing entries,
// and the function would then attempt chmod, which fails with EROFS (the
// non-root caller still gets a clean error wrap).
//
// We cannot find a well-defined non-root chmod-fail path on darwin. So the
// test runs only on linux and skips elsewhere.
func TestEnsureAgentKeyDirSecure_ChmodErrorPropagated(t *testing.T) {
if runtime.GOOS != "linux" {
t.Skip("chmod-error branch is only reliably triggerable on linux via /sys (read-only fs)")
}
// /sys is mounted read-only on Linux. Pick a stable subdir we can stat
// (kernel-class). os.Chmod against it returns EROFS regardless of uid
// (well — root can remount, but the call against /sys/* still EROFS).
candidate := "/sys/kernel"
info, err := os.Stat(candidate)
if err != nil || !info.IsDir() {
t.Skipf("/sys/kernel not stat-able as a dir on this host; skipping (%v)", err)
}
mode := info.Mode().Perm()
if mode == 0o700 || mode&0o077 == 0 {
// Already in the no-chmod branch; this test cannot exercise the
// chmod-fail branch on this host. Skip rather than false-positive.
t.Skipf("/sys/kernel mode %#o already satisfies no-chmod branch", mode)
}
chmodErr := ensureAgentKeyDirSecure(candidate)
if chmodErr == nil {
t.Fatal("expected chmod failure on /sys (read-only fs)")
}
if !strings.Contains(chmodErr.Error(), "tighten agent key dir") {
t.Errorf("error %q should contain %q", chmodErr.Error(), "tighten agent key dir")
}
}
// TestEnsureAgentKeyDirSecure_FmtErrorMessageIncludesPath confirms each
// error wrap includes the cleaned path (debuggability invariant).
func TestEnsureAgentKeyDirSecure_FmtErrorMessageIncludesPath(t *testing.T) {
if runtime.GOOS == "windows" {
t.Skip("permission semantics differ on windows")
}
if os.Getuid() == 0 {
t.Skip("running as root; cannot revoke parent dir write permission")
}
parent := t.TempDir()
if err := os.Chmod(parent, 0o500); err != nil {
t.Fatalf("setup chmod parent: %v", err)
}
t.Cleanup(func() { _ = os.Chmod(parent, 0o700) })
child := filepath.Join(parent, "child")
want := filepath.Clean(child)
err := ensureAgentKeyDirSecure(child)
if err == nil {
t.Fatal("expected error")
}
if !strings.Contains(err.Error(), want) {
t.Errorf("error %q should reference cleaned path %q", err, want)
}
}
// ---------------------------------------------------------------------------
// Cross-cutting: end-to-end smoke confirming the two functions compose
// the way main.go uses them (Bundle 9 / L-002 / L-003 flow).
// ---------------------------------------------------------------------------
// TestKeymem_AgentMainFlowSmoke replays the cmd/agent/main.go composition:
// ensureAgentKeyDirSecure(dir) → marshalAgentKeyAndZeroize(priv, onDER).
// Closes the contract that both helpers cooperate cleanly under realistic
// fixture conditions, and that the DER buffer is zeroized at the end of
// the marshal call.
func TestKeymem_AgentMainFlowSmoke(t *testing.T) {
if runtime.GOOS == "windows" {
t.Skip("permission semantics differ on windows")
}
keyDir := filepath.Join(t.TempDir(), "agent-keys")
if err := ensureAgentKeyDirSecure(keyDir); err != nil {
t.Fatalf("ensureAgentKeyDirSecure: %v", err)
}
info, err := os.Stat(keyDir)
if err != nil {
t.Fatalf("stat: %v", err)
}
if info.Mode().Perm() != 0o700 {
t.Fatalf("key dir not at 0700, got %#o", info.Mode().Perm())
}
priv := mustGenAgentECDSAKey(t)
var captured []byte
if err := marshalAgentKeyAndZeroize(priv, func(der []byte) error {
captured = der // share backing array
// Pretend caller does pem.EncodeToMemory(...) here; we just check
// the DER is a valid SEQUENCE.
if len(der) == 0 || der[0] != 0x30 {
return fmt.Errorf("unexpected DER shape (len=%d, first=%#x)", len(der), der)
}
return nil
}); err != nil {
t.Fatalf("marshalAgentKeyAndZeroize: %v", err)
}
for i, b := range captured {
if b != 0 {
t.Fatalf("post-flow DER buffer not zeroized at byte %d (%#x)", i, b)
}
}
}