feat: wire ARI (RFC 9702) into renewal scheduler

CheckExpiringCertificates() now queries each issuer's ARI endpoint before creating renewal jobs. If the CA says "not yet" (suggested window hasn't opened), renewal is deferred. ARI errors fall back gracefully to threshold-based logic. Audit trail records renewal_trigger=ari when ARI drives the decision. 4 new unit tests: ShouldRenewNow, NotYet, NilFallback, ErrorFallback. 3 new smoke tests in testing-guide.md Part 35. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-07 15:01:32 +00:00 · 2026-03-30 12:00:22 -04:00
parent a0b9285323
commit ec0e7a3560
4 changed files with 387 additions and 16 deletions
@@ -660,8 +660,10 @@ func (m *mockTargetRepo) AddTarget(target *domain.DeploymentTarget) {

 // mockIssuerConnector is a test implementation of IssuerConnector
 type mockIssuerConnector struct {
-	Result *IssuanceResult
-	Err    error
+	Result             *IssuanceResult
+	Err                error
+	getRenewalInfoResult *RenewalInfoResult
+	getRenewalInfoErr    error
 }

 func (m *mockIssuerConnector) IssueCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string) (*IssuanceResult, error) {
@@ -717,14 +719,14 @@ func (m *mockIssuerConnector) GetCACertPEM(ctx context.Context) (string, error)
 }

 func (m *mockIssuerConnector) GetRenewalInfo(ctx context.Context, certPEM string) (*RenewalInfoResult, error) {
-	if m.Err != nil {
-		return nil, m.Err
+	if m.getRenewalInfoErr != nil {
+		return nil, m.getRenewalInfoErr
 	}
-	now := time.Now()
-	return &RenewalInfoResult{
-		SuggestedWindowStart: now,
-		SuggestedWindowEnd:   now.Add(7 * 24 * time.Hour),
-	}, nil
+	if m.getRenewalInfoResult != nil {
+		return m.getRenewalInfoResult, nil
+	}
+	// Default: return nil, nil (issuer does not support ARI)
+	return nil, nil
 }

 // Constructor functions for mocks