mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-09 18:48:52 +00:00
fix(m-2): thread context through CertificateService cluster
Collapses CertificateService, RevocationSvc, and CAOperationsSvc to ctx-accepting method signatures. Removes context.Background() synthesis at 24 internal call sites across certificate.go, revocation_svc.go, and ca_operations.go. - Primary repo calls inherit request cancellation via the passed ctx. - Audit and notification dispatches use context.WithoutCancel(ctx) so they survive client disconnect. - Collapses TriggerRenewal/TriggerRenewalWithActor, TriggerDeployment/TriggerDeploymentWithActor, and RevokeCertificate/RevokeCertificateWithActor sibling pairs into single canonical ctx-accepting methods (decisions D-1, D-2). Handlers pass r.Context(). Mocks and tests updated to match new signatures. No HTTP surface change, no OpenAPI change. PR 1 of 6 in the M-2 remediation chain. Master green at this commit. Refs: certctl-audit-report.md M-2 (L143, L224)
This commit is contained in:
shankar0123
@@ -41,7 +41,7 @@ func (s *CAOperationsSvc) SetIssuerRegistry(registry *IssuerRegistry) {
|
||||
|
||||
// GenerateDERCRL generates a DER-encoded X.509 CRL for the given issuer.
|
||||
// Short-lived certificates (profile TTL < 1 hour) are excluded from the CRL.
|
||||
func (s *CAOperationsSvc) GenerateDERCRL(issuerID string) ([]byte, error) {
|
||||
func (s *CAOperationsSvc) GenerateDERCRL(ctx context.Context, issuerID string) ([]byte, error) {
|
||||
if s.revocationRepo == nil {
|
||||
return nil, fmt.Errorf("revocation repository not configured")
|
||||
}
|
||||
@@ -54,7 +54,7 @@ func (s *CAOperationsSvc) GenerateDERCRL(issuerID string) ([]byte, error) {
|
||||
return nil, fmt.Errorf("issuer not found: %s", issuerID)
|
||||
}
|
||||
|
||||
revocations, err := s.revocationRepo.ListAll(context.Background())
|
||||
revocations, err := s.revocationRepo.ListAll(ctx)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to list revocations: %w", err)
|
||||
}
|
||||
@@ -69,9 +69,9 @@ func (s *CAOperationsSvc) GenerateDERCRL(issuerID string) ([]byte, error) {
|
||||
|
||||
// Check short-lived exemption: look up the cert's profile
|
||||
if s.profileRepo != nil && s.certRepo != nil {
|
||||
cert, err := s.certRepo.Get(context.Background(), rev.CertificateID)
|
||||
cert, err := s.certRepo.Get(ctx, rev.CertificateID)
|
||||
if err == nil && cert.CertificateProfileID != "" {
|
||||
profile, err := s.profileRepo.Get(context.Background(), cert.CertificateProfileID)
|
||||
profile, err := s.profileRepo.Get(ctx, cert.CertificateProfileID)
|
||||
if err == nil && profile.IsShortLived() {
|
||||
slog.Debug("skipping short-lived cert from CRL",
|
||||
"certificate_id", rev.CertificateID,
|
||||
@@ -92,11 +92,11 @@ func (s *CAOperationsSvc) GenerateDERCRL(issuerID string) ([]byte, error) {
|
||||
})
|
||||
}
|
||||
|
||||
return issuerConn.GenerateCRL(context.Background(), entries)
|
||||
return issuerConn.GenerateCRL(ctx, entries)
|
||||
}
|
||||
|
||||
// GetOCSPResponse generates a signed OCSP response for the given certificate serial.
|
||||
func (s *CAOperationsSvc) GetOCSPResponse(issuerID string, serialHex string) ([]byte, error) {
|
||||
func (s *CAOperationsSvc) GetOCSPResponse(ctx context.Context, issuerID string, serialHex string) ([]byte, error) {
|
||||
if s.revocationRepo == nil {
|
||||
return nil, fmt.Errorf("revocation repository not configured")
|
||||
}
|
||||
@@ -120,13 +120,13 @@ func (s *CAOperationsSvc) GetOCSPResponse(issuerID string, serialHex string) ([]
|
||||
// Look up cert by (issuer_id, serial) — per RFC 5280 §5.2.3, serial numbers
|
||||
// are unique only within a single issuer. The OCSP URL path carries issuer_id,
|
||||
// so we scope the lookup to avoid cross-issuer collisions.
|
||||
rev, _ := s.revocationRepo.GetByIssuerAndSerial(context.Background(), issuerID, serialHex)
|
||||
rev, _ := s.revocationRepo.GetByIssuerAndSerial(ctx, issuerID, serialHex)
|
||||
if rev != nil {
|
||||
cert, err := s.certRepo.Get(context.Background(), rev.CertificateID)
|
||||
cert, err := s.certRepo.Get(ctx, rev.CertificateID)
|
||||
if err == nil && cert.CertificateProfileID != "" {
|
||||
profile, err := s.profileRepo.Get(context.Background(), cert.CertificateProfileID)
|
||||
profile, err := s.profileRepo.Get(ctx, cert.CertificateProfileID)
|
||||
if err == nil && profile.IsShortLived() {
|
||||
return issuerConn.SignOCSPResponse(context.Background(), OCSPSignRequest{
|
||||
return issuerConn.SignOCSPResponse(ctx, OCSPSignRequest{
|
||||
CertSerial: serial,
|
||||
CertStatus: 0, // good — short-lived exemption
|
||||
ThisUpdate: now,
|
||||
@@ -138,10 +138,10 @@ func (s *CAOperationsSvc) GetOCSPResponse(issuerID string, serialHex string) ([]
|
||||
}
|
||||
|
||||
// Check if this (issuer_id, serial) is revoked — RFC 5280 §5.2.3 scoping.
|
||||
rev, err := s.revocationRepo.GetByIssuerAndSerial(context.Background(), issuerID, serialHex)
|
||||
rev, err := s.revocationRepo.GetByIssuerAndSerial(ctx, issuerID, serialHex)
|
||||
if err != nil {
|
||||
// Not revoked — return "good" status
|
||||
return issuerConn.SignOCSPResponse(context.Background(), OCSPSignRequest{
|
||||
return issuerConn.SignOCSPResponse(ctx, OCSPSignRequest{
|
||||
CertSerial: serial,
|
||||
CertStatus: 0, // good
|
||||
ThisUpdate: now,
|
||||
@@ -150,7 +150,7 @@ func (s *CAOperationsSvc) GetOCSPResponse(issuerID string, serialHex string) ([]
|
||||
}
|
||||
|
||||
// Revoked
|
||||
return issuerConn.SignOCSPResponse(context.Background(), OCSPSignRequest{
|
||||
return issuerConn.SignOCSPResponse(ctx, OCSPSignRequest{
|
||||
CertSerial: serial,
|
||||
CertStatus: 1, // revoked
|
||||
RevokedAt: rev.RevokedAt,
|
||||
|
||||
@@ -3,6 +3,7 @@
|
||||
package service
|
||||
|
||||
import (
|
||||
"context"
|
||||
"log/slog"
|
||||
"testing"
|
||||
"time"
|
||||
@@ -48,7 +49,7 @@ func TestCAOperationsSvc_GenerateDERCRL_Success(t *testing.T) {
|
||||
},
|
||||
}
|
||||
|
||||
crl, err := caSvc.GenerateDERCRL("iss-local")
|
||||
crl, err := caSvc.GenerateDERCRL(context.Background(), "iss-local")
|
||||
|
||||
if err != nil {
|
||||
t.Fatalf("expected no error, got: %v", err)
|
||||
@@ -71,7 +72,7 @@ func TestCAOperationsSvc_GenerateDERCRL_EmptyCRL(t *testing.T) {
|
||||
// No revoked certs for this issuer
|
||||
revocationRepo.Revocations = []*domain.CertificateRevocation{}
|
||||
|
||||
crl, err := caSvc.GenerateDERCRL("iss-local")
|
||||
crl, err := caSvc.GenerateDERCRL(context.Background(), "iss-local")
|
||||
|
||||
if err != nil {
|
||||
t.Fatalf("expected no error, got: %v", err)
|
||||
@@ -112,7 +113,7 @@ func TestCAOperationsSvc_GetOCSPResponse_Good(t *testing.T) {
|
||||
certRepo.Versions["cert-ocsp-good"] = []*domain.CertificateVersion{version}
|
||||
|
||||
// Request OCSP response for good cert
|
||||
resp, err := caSvc.GetOCSPResponse("iss-local", "OCSP-GOOD-001")
|
||||
resp, err := caSvc.GetOCSPResponse(context.Background(), "iss-local", "OCSP-GOOD-001")
|
||||
|
||||
if err != nil {
|
||||
t.Fatalf("expected no error, got: %v", err)
|
||||
@@ -165,7 +166,7 @@ func TestCAOperationsSvc_GetOCSPResponse_Revoked(t *testing.T) {
|
||||
}
|
||||
|
||||
// Request OCSP response for revoked cert
|
||||
resp, err := caSvc.GetOCSPResponse("iss-local", "OCSP-REVOKED-001")
|
||||
resp, err := caSvc.GetOCSPResponse(context.Background(), "iss-local", "OCSP-REVOKED-001")
|
||||
|
||||
if err != nil {
|
||||
t.Fatalf("expected no error, got: %v", err)
|
||||
|
||||
@@ -71,8 +71,8 @@ func (s *CertificateService) List(ctx context.Context, filter *repository.Certif
|
||||
|
||||
// ListCertificatesWithFilter returns a list of certificates with advanced filtering (M20).
|
||||
// This method supports the new M20 filters and returns domain.ManagedCertificate (not pointers).
|
||||
func (s *CertificateService) ListCertificatesWithFilter(filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
|
||||
certs, total, err := s.certRepo.List(context.Background(), filter)
|
||||
func (s *CertificateService) ListCertificatesWithFilter(ctx context.Context, filter *repository.CertificateFilter) ([]domain.ManagedCertificate, int, error) {
|
||||
certs, total, err := s.certRepo.List(ctx, filter)
|
||||
if err != nil {
|
||||
return nil, 0, fmt.Errorf("failed to list certificates with filter: %w", err)
|
||||
}
|
||||
@@ -206,10 +206,10 @@ func (s *CertificateService) GetVersions(ctx context.Context, certID string) ([]
|
||||
return versions, nil
|
||||
}
|
||||
|
||||
// TriggerRenewalWithActor initiates a renewal job if the certificate is eligible.
|
||||
// TriggerRenewal initiates a renewal job if the certificate is eligible.
|
||||
// Creates a Renewal job (or Issuance for new certs) so the scheduler's job processor
|
||||
// can pick it up and route it through the issuer connector.
|
||||
func (s *CertificateService) TriggerRenewalWithActor(ctx context.Context, certID string, actor string) error {
|
||||
func (s *CertificateService) TriggerRenewal(ctx context.Context, certID string, actor string) error {
|
||||
cert, err := s.certRepo.Get(ctx, certID)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to fetch certificate: %w", err)
|
||||
@@ -283,8 +283,11 @@ func (s *CertificateService) TriggerRenewalWithActor(ctx context.Context, certID
|
||||
return nil
|
||||
}
|
||||
|
||||
// TriggerDeploymentWithActor creates deployment jobs for all targets of a certificate.
|
||||
func (s *CertificateService) TriggerDeploymentWithActor(ctx context.Context, certID string, actor string) error {
|
||||
// TriggerDeployment creates deployment jobs for all targets of a certificate.
|
||||
// The targetID parameter is accepted from the handler interface but currently unused;
|
||||
// deployment coordination happens per-certificate across all of its targets.
|
||||
func (s *CertificateService) TriggerDeployment(ctx context.Context, certID string, targetID string, actor string) error {
|
||||
_ = targetID
|
||||
cert, err := s.certRepo.Get(ctx, certID)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to fetch certificate: %w", err)
|
||||
@@ -306,7 +309,7 @@ func (s *CertificateService) TriggerDeploymentWithActor(ctx context.Context, cer
|
||||
}
|
||||
|
||||
// ListCertificates returns paginated certificates with optional filtering (handler interface method).
|
||||
func (s *CertificateService) ListCertificates(status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error) {
|
||||
func (s *CertificateService) ListCertificates(ctx context.Context, status, environment, ownerID, teamID, issuerID string, page, perPage int) ([]domain.ManagedCertificate, int64, error) {
|
||||
if page < 1 {
|
||||
page = 1
|
||||
}
|
||||
@@ -325,7 +328,7 @@ func (s *CertificateService) ListCertificates(status, environment, ownerID, team
|
||||
PerPage: perPage,
|
||||
}
|
||||
|
||||
certs, total, err := s.certRepo.List(context.Background(), filter)
|
||||
certs, total, err := s.certRepo.List(ctx, filter)
|
||||
if err != nil {
|
||||
return nil, 0, fmt.Errorf("failed to list certificates: %w", err)
|
||||
}
|
||||
@@ -341,12 +344,12 @@ func (s *CertificateService) ListCertificates(status, environment, ownerID, team
|
||||
}
|
||||
|
||||
// GetCertificate returns a single certificate (handler interface method).
|
||||
func (s *CertificateService) GetCertificate(id string) (*domain.ManagedCertificate, error) {
|
||||
return s.certRepo.Get(context.Background(), id)
|
||||
func (s *CertificateService) GetCertificate(ctx context.Context, id string) (*domain.ManagedCertificate, error) {
|
||||
return s.certRepo.Get(ctx, id)
|
||||
}
|
||||
|
||||
// CreateCertificate creates a new certificate (handler interface method).
|
||||
func (s *CertificateService) CreateCertificate(cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
|
||||
func (s *CertificateService) CreateCertificate(ctx context.Context, cert domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
|
||||
if cert.ID == "" {
|
||||
cert.ID = generateID("cert")
|
||||
}
|
||||
@@ -365,16 +368,14 @@ func (s *CertificateService) CreateCertificate(cert domain.ManagedCertificate) (
|
||||
if cert.Tags == nil {
|
||||
cert.Tags = make(map[string]string)
|
||||
}
|
||||
if err := s.certRepo.Create(context.Background(), &cert); err != nil {
|
||||
if err := s.certRepo.Create(ctx, &cert); err != nil {
|
||||
return nil, fmt.Errorf("failed to create certificate: %w", err)
|
||||
}
|
||||
return &cert, nil
|
||||
}
|
||||
|
||||
// UpdateCertificate modifies a certificate (handler interface method).
|
||||
func (s *CertificateService) UpdateCertificate(id string, patch domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
|
||||
ctx := context.Background()
|
||||
|
||||
func (s *CertificateService) UpdateCertificate(ctx context.Context, id string, patch domain.ManagedCertificate) (*domain.ManagedCertificate, error) {
|
||||
// Fetch existing certificate so partial updates don't zero out fields
|
||||
existing, err := s.certRepo.Get(ctx, id)
|
||||
if err != nil {
|
||||
@@ -425,12 +426,12 @@ func (s *CertificateService) UpdateCertificate(id string, patch domain.ManagedCe
|
||||
}
|
||||
|
||||
// ArchiveCertificate marks a certificate as archived (handler interface method).
|
||||
func (s *CertificateService) ArchiveCertificate(id string) error {
|
||||
return s.certRepo.Archive(context.Background(), id)
|
||||
func (s *CertificateService) ArchiveCertificate(ctx context.Context, id string) error {
|
||||
return s.certRepo.Archive(ctx, id)
|
||||
}
|
||||
|
||||
// GetCertificateVersions returns certificate versions (handler interface method).
|
||||
func (s *CertificateService) GetCertificateVersions(certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
|
||||
func (s *CertificateService) GetCertificateVersions(ctx context.Context, certID string, page, perPage int) ([]domain.CertificateVersion, int64, error) {
|
||||
if page < 1 {
|
||||
page = 1
|
||||
}
|
||||
@@ -438,7 +439,7 @@ func (s *CertificateService) GetCertificateVersions(certID string, page, perPage
|
||||
perPage = 50
|
||||
}
|
||||
|
||||
versions, err := s.certRepo.ListVersions(context.Background(), certID)
|
||||
versions, err := s.certRepo.ListVersions(ctx, certID)
|
||||
if err != nil {
|
||||
return nil, 0, fmt.Errorf("failed to list certificate versions: %w", err)
|
||||
}
|
||||
@@ -463,24 +464,8 @@ func (s *CertificateService) GetCertificateVersions(certID string, page, perPage
|
||||
return result, total, nil
|
||||
}
|
||||
|
||||
// TriggerRenewal initiates renewal (handler interface method).
|
||||
func (s *CertificateService) TriggerRenewal(certID string) error {
|
||||
return s.TriggerRenewalWithActor(context.Background(), certID, "api")
|
||||
}
|
||||
|
||||
// TriggerDeployment triggers deployment (handler interface method).
|
||||
func (s *CertificateService) TriggerDeployment(certID string, targetID string) error {
|
||||
return s.TriggerDeploymentWithActor(context.Background(), certID, "api")
|
||||
}
|
||||
|
||||
// RevokeCertificate revokes a certificate with the given reason (handler interface method).
|
||||
func (s *CertificateService) RevokeCertificate(certID string, reason string) error {
|
||||
return s.RevokeCertificateWithActor(context.Background(), certID, reason, "api")
|
||||
}
|
||||
|
||||
// RevokeCertificateWithActor performs revocation with actor tracking.
|
||||
// Delegates to RevocationSvc.
|
||||
func (s *CertificateService) RevokeCertificateWithActor(ctx context.Context, certID string, reason string, actor string) error {
|
||||
// RevokeCertificate performs revocation with actor tracking. Delegates to RevocationSvc.
|
||||
func (s *CertificateService) RevokeCertificate(ctx context.Context, certID string, reason string, actor string) error {
|
||||
if s.revSvc == nil {
|
||||
return fmt.Errorf("revocation service not configured")
|
||||
}
|
||||
@@ -489,35 +474,35 @@ func (s *CertificateService) RevokeCertificateWithActor(ctx context.Context, cer
|
||||
|
||||
// GetRevokedCertificates returns all revoked certificate records (for CRL generation).
|
||||
// Delegates to RevocationSvc.
|
||||
func (s *CertificateService) GetRevokedCertificates() ([]*domain.CertificateRevocation, error) {
|
||||
func (s *CertificateService) GetRevokedCertificates(ctx context.Context) ([]*domain.CertificateRevocation, error) {
|
||||
if s.revSvc == nil {
|
||||
return nil, fmt.Errorf("revocation service not configured")
|
||||
}
|
||||
return s.revSvc.GetRevokedCertificates()
|
||||
return s.revSvc.GetRevokedCertificates(ctx)
|
||||
}
|
||||
|
||||
// GenerateDERCRL generates a DER-encoded X.509 CRL for the given issuer.
|
||||
// Delegates to CAOperationsSvc.
|
||||
func (s *CertificateService) GenerateDERCRL(issuerID string) ([]byte, error) {
|
||||
func (s *CertificateService) GenerateDERCRL(ctx context.Context, issuerID string) ([]byte, error) {
|
||||
if s.caSvc == nil {
|
||||
return nil, fmt.Errorf("CA operations service not configured")
|
||||
}
|
||||
return s.caSvc.GenerateDERCRL(issuerID)
|
||||
return s.caSvc.GenerateDERCRL(ctx, issuerID)
|
||||
}
|
||||
|
||||
// GetOCSPResponse generates a signed OCSP response for the given certificate serial.
|
||||
// Delegates to CAOperationsSvc.
|
||||
func (s *CertificateService) GetOCSPResponse(issuerID string, serialHex string) ([]byte, error) {
|
||||
func (s *CertificateService) GetOCSPResponse(ctx context.Context, issuerID string, serialHex string) ([]byte, error) {
|
||||
if s.caSvc == nil {
|
||||
return nil, fmt.Errorf("CA operations service not configured")
|
||||
}
|
||||
return s.caSvc.GetOCSPResponse(issuerID, serialHex)
|
||||
return s.caSvc.GetOCSPResponse(ctx, issuerID, serialHex)
|
||||
}
|
||||
|
||||
// GetCertificateDeployments returns all deployment targets for a certificate (M20).
|
||||
func (s *CertificateService) GetCertificateDeployments(certID string) ([]domain.DeploymentTarget, error) {
|
||||
func (s *CertificateService) GetCertificateDeployments(ctx context.Context, certID string) ([]domain.DeploymentTarget, error) {
|
||||
// Verify certificate exists
|
||||
_, err := s.certRepo.Get(context.Background(), certID)
|
||||
_, err := s.certRepo.Get(ctx, certID)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("certificate not found: %w", err)
|
||||
}
|
||||
@@ -527,7 +512,7 @@ func (s *CertificateService) GetCertificateDeployments(certID string) ([]domain.
|
||||
}
|
||||
|
||||
// Get targets from repository
|
||||
targets, err := s.targetRepo.ListByCertificate(context.Background(), certID)
|
||||
targets, err := s.targetRepo.ListByCertificate(ctx, certID)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to list deployment targets: %w", err)
|
||||
}
|
||||
|
||||
@@ -34,7 +34,7 @@ func TestCertificateService_RevokeCertificate_RevocationSvcNil(t *testing.T) {
|
||||
certRepo.AddCert(cert)
|
||||
|
||||
// Call RevokeCertificateWithActor with nil RevocationSvc
|
||||
err := certService.RevokeCertificateWithActor(context.Background(), "cert-1", "keyCompromise", "admin")
|
||||
err := certService.RevokeCertificate(context.Background(), "cert-1", "keyCompromise", "admin")
|
||||
|
||||
// Assert: Should return error, NOT panic
|
||||
if err == nil {
|
||||
@@ -64,7 +64,7 @@ func TestCertificateService_GenerateDERCRL_CAOpsSvcNil(t *testing.T) {
|
||||
// Note: NOT calling certService.SetCAOperationsSvc(...)
|
||||
|
||||
// Call GenerateDERCRL with nil CAOperationsSvc
|
||||
_, err := certService.GenerateDERCRL("iss-local")
|
||||
_, err := certService.GenerateDERCRL(context.Background(), "iss-local")
|
||||
|
||||
// Assert: Should return error, NOT panic
|
||||
if err == nil {
|
||||
@@ -94,7 +94,7 @@ func TestCertificateService_GetOCSPResponse_CAOpsSvcNil(t *testing.T) {
|
||||
// Note: NOT calling certService.SetCAOperationsSvc(...)
|
||||
|
||||
// Call GetOCSPResponse with nil CAOperationsSvc
|
||||
_, err := certService.GetOCSPResponse("iss-local", "serial123")
|
||||
_, err := certService.GetOCSPResponse(context.Background(), "iss-local", "serial123")
|
||||
|
||||
// Assert: Should return error, NOT panic
|
||||
if err == nil {
|
||||
@@ -124,7 +124,7 @@ func TestCertificateService_GetRevokedCertificates_RevocationSvcNil(t *testing.T
|
||||
// Note: NOT calling certService.SetRevocationSvc(...)
|
||||
|
||||
// Call GetRevokedCertificates with nil RevocationSvc
|
||||
_, err := certService.GetRevokedCertificates()
|
||||
_, err := certService.GetRevokedCertificates(context.Background())
|
||||
|
||||
// Assert: Should return error, NOT panic
|
||||
if err == nil {
|
||||
@@ -177,7 +177,7 @@ func TestCertificateService_GetCertificateDeployments_Success(t *testing.T) {
|
||||
targetRepo.AddTarget(target2)
|
||||
|
||||
// Call GetCertificateDeployments
|
||||
deployments, err := certService.GetCertificateDeployments("cert-1")
|
||||
deployments, err := certService.GetCertificateDeployments(context.Background(), "cert-1")
|
||||
|
||||
// Assert: Should return deployment list successfully
|
||||
if err != nil {
|
||||
@@ -218,7 +218,7 @@ func TestCertificateService_GetCertificateDeployments_RepositoryError(t *testing
|
||||
certRepo.AddCert(cert)
|
||||
|
||||
// Call GetCertificateDeployments with repo error
|
||||
_, err := certService.GetCertificateDeployments("cert-1")
|
||||
_, err := certService.GetCertificateDeployments(context.Background(), "cert-1")
|
||||
|
||||
// Assert: Should return error, NOT panic
|
||||
if err == nil {
|
||||
@@ -247,7 +247,7 @@ func TestCertificateService_GetCertificateDeployments_CertNotFound(t *testing.T)
|
||||
certService.SetTargetRepo(targetRepo)
|
||||
|
||||
// Call GetCertificateDeployments with nonexistent certificate
|
||||
_, err := certService.GetCertificateDeployments("nonexistent-cert")
|
||||
_, err := certService.GetCertificateDeployments(context.Background(), "nonexistent-cert")
|
||||
|
||||
// Assert: Should return error
|
||||
if err == nil {
|
||||
@@ -283,7 +283,7 @@ func TestCertificateService_GetCertificateDeployments_NilTargetRepo(t *testing.T
|
||||
certRepo.AddCert(cert)
|
||||
|
||||
// Call GetCertificateDeployments with nil TargetRepo
|
||||
deployments, err := certService.GetCertificateDeployments("cert-1")
|
||||
deployments, err := certService.GetCertificateDeployments(context.Background(), "cert-1")
|
||||
|
||||
// Assert: Should return empty list gracefully (not panic)
|
||||
if err != nil {
|
||||
@@ -337,19 +337,19 @@ func TestCertificateService_Multiple_NilSafetyChecks(t *testing.T) {
|
||||
revSvc.SetIssuerRegistry(registry)
|
||||
|
||||
// Test 1: RevokeCertificateWithActor should succeed (RevocationSvc is set)
|
||||
errRevoke := certService.RevokeCertificateWithActor(context.Background(), "cert-1", "keyCompromise", "admin")
|
||||
errRevoke := certService.RevokeCertificate(context.Background(), "cert-1", "keyCompromise", "admin")
|
||||
if errRevoke != nil {
|
||||
t.Fatalf("RevokeCertificateWithActor failed unexpectedly: %v", errRevoke)
|
||||
}
|
||||
|
||||
// Test 2: GenerateDERCRL should fail gracefully (CAOperationsSvc is nil)
|
||||
_, errCRL := certService.GenerateDERCRL("iss-local")
|
||||
_, errCRL := certService.GenerateDERCRL(context.Background(), "iss-local")
|
||||
if errCRL == nil {
|
||||
t.Fatal("GenerateDERCRL expected error, got nil")
|
||||
}
|
||||
|
||||
// Test 3: GetOCSPResponse should fail gracefully (CAOperationsSvc is nil)
|
||||
_, errOCSP := certService.GetOCSPResponse("iss-local", "ABC123")
|
||||
_, errOCSP := certService.GetOCSPResponse(context.Background(), "iss-local", "ABC123")
|
||||
if errOCSP == nil {
|
||||
t.Fatal("GetOCSPResponse expected error, got nil")
|
||||
}
|
||||
|
||||
@@ -294,7 +294,7 @@ func TestTriggerRenewal(t *testing.T) {
|
||||
auditService := NewAuditService(auditRepo)
|
||||
certService := NewCertificateService(certRepo, policyService, auditService)
|
||||
|
||||
err := certService.TriggerRenewalWithActor(ctx, "cert-001", "user-1")
|
||||
err := certService.TriggerRenewal(ctx, "cert-001", "user-1")
|
||||
if err != nil {
|
||||
t.Fatalf("TriggerRenewal failed: %v", err)
|
||||
}
|
||||
@@ -333,13 +333,14 @@ func TestTriggerRenewal_Archived(t *testing.T) {
|
||||
auditService := NewAuditService(auditRepo)
|
||||
certService := NewCertificateService(certRepo, policyService, auditService)
|
||||
|
||||
err := certService.TriggerRenewalWithActor(ctx, "cert-001", "user-1")
|
||||
err := certService.TriggerRenewal(ctx, "cert-001", "user-1")
|
||||
if err == nil {
|
||||
t.Fatal("expected error for archived certificate")
|
||||
}
|
||||
}
|
||||
|
||||
func TestListCertificates(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
now := time.Now()
|
||||
cert1 := &domain.ManagedCertificate{
|
||||
ID: "cert-001",
|
||||
@@ -369,7 +370,7 @@ func TestListCertificates(t *testing.T) {
|
||||
auditService := NewAuditService(auditRepo)
|
||||
certService := NewCertificateService(certRepo, policyService, auditService)
|
||||
|
||||
certs, total, err := certService.ListCertificates("", "", "", "", "", 1, 50)
|
||||
certs, total, err := certService.ListCertificates(ctx, "", "", "", "", "", 1, 50)
|
||||
if err != nil {
|
||||
t.Fatalf("ListCertificates failed: %v", err)
|
||||
}
|
||||
|
||||
@@ -151,9 +151,9 @@ func (s *RevocationSvc) RevokeCertificateWithActor(ctx context.Context, certID s
|
||||
}
|
||||
|
||||
// GetRevokedCertificates returns all revoked certificate records (for CRL generation).
|
||||
func (s *RevocationSvc) GetRevokedCertificates() ([]*domain.CertificateRevocation, error) {
|
||||
func (s *RevocationSvc) GetRevokedCertificates(ctx context.Context) ([]*domain.CertificateRevocation, error) {
|
||||
if s.revocationRepo == nil {
|
||||
return nil, fmt.Errorf("revocation repository not configured")
|
||||
}
|
||||
return s.revocationRepo.ListAll(context.Background())
|
||||
return s.revocationRepo.ListAll(ctx)
|
||||
}
|
||||
|
||||
@@ -122,7 +122,7 @@ func TestRevocationSvc_GetRevokedCertificates_Success(t *testing.T) {
|
||||
{ID: "rev-2", CertificateID: "cert-2", SerialNumber: "SER-2", Reason: "superseded", RevokedAt: time.Now()},
|
||||
}
|
||||
|
||||
revocations, err := revSvc.GetRevokedCertificates()
|
||||
revocations, err := revSvc.GetRevokedCertificates(context.Background())
|
||||
if err != nil {
|
||||
t.Fatalf("expected no error, got: %v", err)
|
||||
}
|
||||
|
||||
@@ -62,7 +62,7 @@ func TestRevokeCertificate_Success(t *testing.T) {
|
||||
certRepo.Versions["cert-1"] = []*domain.CertificateVersion{version}
|
||||
|
||||
// Revoke
|
||||
err := svc.RevokeCertificateWithActor(context.Background(), "cert-1", "keyCompromise", "admin")
|
||||
err := svc.RevokeCertificate(context.Background(), "cert-1", "keyCompromise", "admin")
|
||||
if err != nil {
|
||||
t.Fatalf("expected no error, got: %v", err)
|
||||
}
|
||||
@@ -125,7 +125,7 @@ func TestRevokeCertificate_DefaultReason(t *testing.T) {
|
||||
}
|
||||
|
||||
// Revoke with empty reason — should default to "unspecified"
|
||||
err := svc.RevokeCertificateWithActor(context.Background(), "cert-2", "", "api")
|
||||
err := svc.RevokeCertificate(context.Background(), "cert-2", "", "api")
|
||||
if err != nil {
|
||||
t.Fatalf("expected no error, got: %v", err)
|
||||
}
|
||||
@@ -158,7 +158,7 @@ func TestRevokeCertificate_AlreadyRevoked(t *testing.T) {
|
||||
}
|
||||
certRepo.AddCert(cert)
|
||||
|
||||
err := svc.RevokeCertificateWithActor(context.Background(), "cert-3", "superseded", "admin")
|
||||
err := svc.RevokeCertificate(context.Background(), "cert-3", "superseded", "admin")
|
||||
if err == nil {
|
||||
t.Fatal("expected error for already revoked certificate")
|
||||
}
|
||||
@@ -179,7 +179,7 @@ func TestRevokeCertificate_ArchivedCert(t *testing.T) {
|
||||
}
|
||||
certRepo.AddCert(cert)
|
||||
|
||||
err := svc.RevokeCertificateWithActor(context.Background(), "cert-4", "keyCompromise", "admin")
|
||||
err := svc.RevokeCertificate(context.Background(), "cert-4", "keyCompromise", "admin")
|
||||
if err == nil {
|
||||
t.Fatal("expected error for archived certificate")
|
||||
}
|
||||
@@ -200,7 +200,7 @@ func TestRevokeCertificate_InvalidReason(t *testing.T) {
|
||||
}
|
||||
certRepo.AddCert(cert)
|
||||
|
||||
err := svc.RevokeCertificateWithActor(context.Background(), "cert-5", "notAValidReason", "admin")
|
||||
err := svc.RevokeCertificate(context.Background(), "cert-5", "notAValidReason", "admin")
|
||||
if err == nil {
|
||||
t.Fatal("expected error for invalid reason")
|
||||
}
|
||||
@@ -212,7 +212,7 @@ func TestRevokeCertificate_InvalidReason(t *testing.T) {
|
||||
func TestRevokeCertificate_NotFound(t *testing.T) {
|
||||
svc, _, _, _ := newRevocationTestService()
|
||||
|
||||
err := svc.RevokeCertificateWithActor(context.Background(), "nonexistent-cert", "keyCompromise", "admin")
|
||||
err := svc.RevokeCertificate(context.Background(), "nonexistent-cert", "keyCompromise", "admin")
|
||||
if err == nil {
|
||||
t.Fatal("expected error for nonexistent certificate")
|
||||
}
|
||||
@@ -231,7 +231,7 @@ func TestRevokeCertificate_NoVersion(t *testing.T) {
|
||||
certRepo.AddCert(cert)
|
||||
// No versions added — should fail
|
||||
|
||||
err := svc.RevokeCertificateWithActor(context.Background(), "cert-6", "keyCompromise", "admin")
|
||||
err := svc.RevokeCertificate(context.Background(), "cert-6", "keyCompromise", "admin")
|
||||
if err == nil {
|
||||
t.Fatal("expected error when no certificate version exists")
|
||||
}
|
||||
@@ -258,7 +258,7 @@ func TestRevokeCertificate_WithIssuerNotification(t *testing.T) {
|
||||
{ID: "ver-7", CertificateID: "cert-7", SerialNumber: "GHI789", CreatedAt: time.Now()},
|
||||
}
|
||||
|
||||
err := svc.RevokeCertificateWithActor(context.Background(), "cert-7", "cessationOfOperation", "admin")
|
||||
err := svc.RevokeCertificate(context.Background(), "cert-7", "cessationOfOperation", "admin")
|
||||
if err != nil {
|
||||
t.Fatalf("expected no error, got: %v", err)
|
||||
}
|
||||
@@ -293,7 +293,7 @@ func TestRevokeCertificate_WithNotificationService(t *testing.T) {
|
||||
{ID: "ver-8", CertificateID: "cert-8", SerialNumber: "JKL012", CreatedAt: time.Now()},
|
||||
}
|
||||
|
||||
err := svc.RevokeCertificateWithActor(context.Background(), "cert-8", "keyCompromise", "admin")
|
||||
err := svc.RevokeCertificate(context.Background(), "cert-8", "keyCompromise", "admin")
|
||||
if err != nil {
|
||||
t.Fatalf("expected no error, got: %v", err)
|
||||
}
|
||||
@@ -336,7 +336,7 @@ func TestRevokeCertificate_AllValidReasons(t *testing.T) {
|
||||
{ID: "ver-" + reason, CertificateID: "cert-" + reason, SerialNumber: "SER-" + reason, CreatedAt: time.Now()},
|
||||
}
|
||||
|
||||
err := svc.RevokeCertificateWithActor(context.Background(), "cert-"+reason, reason, "admin")
|
||||
err := svc.RevokeCertificate(context.Background(), "cert-"+reason, reason, "admin")
|
||||
if err != nil {
|
||||
t.Fatalf("expected no error for reason %s, got: %v", reason, err)
|
||||
}
|
||||
@@ -358,7 +358,7 @@ func TestGetRevokedCertificates_Success(t *testing.T) {
|
||||
{ID: "rev-2", CertificateID: "cert-2", SerialNumber: "SER-2", Reason: "superseded", RevokedAt: time.Now()},
|
||||
}
|
||||
|
||||
revocations, err := svc.GetRevokedCertificates()
|
||||
revocations, err := svc.GetRevokedCertificates(context.Background())
|
||||
if err != nil {
|
||||
t.Fatalf("expected no error, got: %v", err)
|
||||
}
|
||||
@@ -370,7 +370,7 @@ func TestGetRevokedCertificates_Success(t *testing.T) {
|
||||
func TestGetRevokedCertificates_Empty(t *testing.T) {
|
||||
svc, _, _, _ := newRevocationTestService()
|
||||
|
||||
revocations, err := svc.GetRevokedCertificates()
|
||||
revocations, err := svc.GetRevokedCertificates(context.Background())
|
||||
if err != nil {
|
||||
t.Fatalf("expected no error, got: %v", err)
|
||||
}
|
||||
@@ -390,7 +390,7 @@ func TestGetRevokedCertificates_NoRepo(t *testing.T) {
|
||||
svc := NewCertificateService(certRepo, policyService, auditService)
|
||||
// Do NOT set revocation repo
|
||||
|
||||
_, err := svc.GetRevokedCertificates()
|
||||
_, err := svc.GetRevokedCertificates(context.Background())
|
||||
if err == nil {
|
||||
t.Fatal("expected error when revocation repo not configured")
|
||||
}
|
||||
@@ -411,8 +411,8 @@ func TestRevokeCertificate_HandlerInterfaceMethod(t *testing.T) {
|
||||
{ID: "ver-handler", CertificateID: "cert-handler", SerialNumber: "SER-HANDLER", CreatedAt: time.Now()},
|
||||
}
|
||||
|
||||
// Test the handler interface method (no actor param)
|
||||
err := svc.RevokeCertificate("cert-handler", "superseded")
|
||||
// Test the handler interface method (actor collapsed to required positional arg per D-2)
|
||||
err := svc.RevokeCertificate(context.Background(), "cert-handler", "superseded", "api")
|
||||
if err != nil {
|
||||
t.Fatalf("expected no error, got: %v", err)
|
||||
}
|
||||
@@ -449,7 +449,7 @@ func TestGenerateDERCRL_Success(t *testing.T) {
|
||||
},
|
||||
}
|
||||
|
||||
crl, err := svc.GenerateDERCRL("iss-local")
|
||||
crl, err := svc.GenerateDERCRL(context.Background(), "iss-local")
|
||||
|
||||
if err != nil {
|
||||
t.Fatalf("expected no error, got: %v", err)
|
||||
@@ -472,7 +472,7 @@ func TestGenerateDERCRL_EmptyCRL(t *testing.T) {
|
||||
// No revoked certs for this issuer
|
||||
revocationRepo.Revocations = []*domain.CertificateRevocation{}
|
||||
|
||||
crl, err := svc.GenerateDERCRL("iss-local")
|
||||
crl, err := svc.GenerateDERCRL(context.Background(), "iss-local")
|
||||
|
||||
if err != nil {
|
||||
t.Fatalf("expected no error, got: %v", err)
|
||||
@@ -493,7 +493,7 @@ func TestGenerateDERCRL_IssuerNotFound(t *testing.T) {
|
||||
svc, _, _, _ := newRevocationTestService()
|
||||
|
||||
// Try to generate CRL for unknown issuer
|
||||
crl, err := svc.GenerateDERCRL("iss-unknown")
|
||||
crl, err := svc.GenerateDERCRL(context.Background(), "iss-unknown")
|
||||
|
||||
// Should return error or nil CRL depending on implementation
|
||||
if crl != nil && err == nil {
|
||||
@@ -527,7 +527,7 @@ func TestGetOCSPResponse_Good(t *testing.T) {
|
||||
certRepo.Versions["cert-ocsp-good"] = []*domain.CertificateVersion{version}
|
||||
|
||||
// Request OCSP response for good cert
|
||||
resp, err := svc.GetOCSPResponse("iss-local", "OCSP-GOOD-001")
|
||||
resp, err := svc.GetOCSPResponse(context.Background(), "iss-local", "OCSP-GOOD-001")
|
||||
|
||||
if err != nil {
|
||||
t.Fatalf("expected no error, got: %v", err)
|
||||
@@ -580,7 +580,7 @@ func TestGetOCSPResponse_Revoked(t *testing.T) {
|
||||
}
|
||||
|
||||
// Request OCSP response for revoked cert
|
||||
resp, err := svc.GetOCSPResponse("iss-local", "OCSP-REVOKED-001")
|
||||
resp, err := svc.GetOCSPResponse(context.Background(), "iss-local", "OCSP-REVOKED-001")
|
||||
|
||||
if err != nil {
|
||||
t.Fatalf("expected no error, got: %v", err)
|
||||
@@ -597,7 +597,7 @@ func TestGetOCSPResponse_Unknown(t *testing.T) {
|
||||
svc, _, _, _ := newRevocationTestService()
|
||||
|
||||
// Request OCSP response for unknown cert
|
||||
resp, err := svc.GetOCSPResponse("iss-local", "UNKNOWN-SERIAL")
|
||||
resp, err := svc.GetOCSPResponse(context.Background(), "iss-local", "UNKNOWN-SERIAL")
|
||||
|
||||
if err != nil {
|
||||
t.Fatalf("expected no error (should return unknown status), got: %v", err)
|
||||
@@ -615,7 +615,7 @@ func TestGetOCSPResponse_IssuerNotFound(t *testing.T) {
|
||||
svc, _, _, _ := newRevocationTestService()
|
||||
|
||||
// Request OCSP response for unknown issuer
|
||||
resp, err := svc.GetOCSPResponse("iss-unknown", "SOME-SERIAL")
|
||||
resp, err := svc.GetOCSPResponse(context.Background(), "iss-unknown", "SOME-SERIAL")
|
||||
|
||||
// Should return error since issuer doesn't exist
|
||||
if err == nil && resp != nil {
|
||||
@@ -629,7 +629,7 @@ func TestGetOCSPResponse_InvalidSerial(t *testing.T) {
|
||||
svc, _, _, _ := newRevocationTestService()
|
||||
|
||||
// Request OCSP response with invalid serial format
|
||||
resp, err := svc.GetOCSPResponse("iss-local", "")
|
||||
resp, err := svc.GetOCSPResponse(context.Background(), "iss-local", "")
|
||||
|
||||
if err == nil && resp != nil {
|
||||
// Empty serial might return unknown status; that's ok
|
||||
|
||||
Reference in New Issue
Block a user