gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-11 14:08:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: Go 1.25 upgrade, codebase audit fixes, MCP server tests

Browse Source 
Upgrade from Go 1.22 to 1.25 (minimum for MCP SDK, actively supported).
CI updated to match.

Codebase audit fixes:
- Local CA parseIP() now uses net.ParseIP — IP SANs no longer silently dropped
- Nil pointer guards in agent.go GetWorkWithTargets for target/cert enrichment
- MCP CreateCertificateInput marks owner_id/team_id as required
- NGINX connector uses CombinedOutput() — captures diagnostic output on failure
- Jobs handler validates JSON decode on rejection body — returns 400 on malformed
- CRL/OCSP handlers propagate requestID for error tracing

MCP server tests (26 tests):
- client_test.go: HTTP client coverage (GET/POST/PUT/DELETE, auth, 204, errors, binary)
- tools_test.go: tool registration, pagination, end-to-end flows with mock API

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Shankar
2026-03-23 17:36:25 -04:00
parent 7c8d4d29ff
commit d460950cce
10 changed files with 742 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/connector/issuer/local/local.go
+10 -3
View File
@@ -15,6 +15,7 @@ import (
"fmt"
"log/slog"
"math/big"
"net"
"os"
"sync"
"time"
@@ -558,9 +559,15 @@ func parseIP(s string) []byte {
if s == "localhost" {
return []byte{127, 0, 0, 1}
}
// In production, use net.ParseIP for proper parsing.
// For now, return nil for non-localhost IPs.
return nil
ip := net.ParseIP(s)
if ip == nil {
return nil
}
// Prefer 4-byte representation for IPv4
if v4 := ip.To4(); v4 != nil {
return v4
}
return ip
}
// isEmail checks if a string looks like an email address.
internal/connector/target/nginx/nginx.go
+6 -6
View File
@@ -120,9 +120,9 @@ func (c *Connector) DeployCertificate(ctx context.Context, request target.Deploy
// Validate NGINX configuration before reload
c.logger.Debug("validating NGINX configuration", "validate_command", c.config.ValidateCommand)
validateCmd := exec.CommandContext(ctx, "sh", "-c", c.config.ValidateCommand)
if err := validateCmd.Run(); err != nil {
errMsg := fmt.Sprintf("NGINX config validation failed: %v", err)
c.logger.Error("NGINX validation failed", "error", err)
if output, err := validateCmd.CombinedOutput(); err != nil {
errMsg := fmt.Sprintf("NGINX config validation failed: %v (output: %s)", err, string(output))
c.logger.Error("NGINX validation failed", "error", err, "output", string(output))
return &target.DeploymentResult{
Success: false,
TargetAddress: c.config.CertPath,
@@ -134,9 +134,9 @@ func (c *Connector) DeployCertificate(ctx context.Context, request target.Deploy
// Reload NGINX
c.logger.Debug("reloading NGINX", "reload_command", c.config.ReloadCommand)
reloadCmd := exec.CommandContext(ctx, "sh", "-c", c.config.ReloadCommand)
if err := reloadCmd.Run(); err != nil {
errMsg := fmt.Sprintf("NGINX reload failed: %v", err)
c.logger.Error("NGINX reload failed", "error", err)
if output, err := reloadCmd.CombinedOutput(); err != nil {
errMsg := fmt.Sprintf("NGINX reload failed: %v (output: %s)", err, string(output))
c.logger.Error("NGINX reload failed", "error", err, "output", string(output))
return &target.DeploymentResult{
Success: false,
TargetAddress: c.config.CertPath,