From ece15cb4573821ab9b9a1587ee312d38c6bb3d01 Mon Sep 17 00:00:00 2001 From: shankar0123 Date: Sun, 3 May 2026 20:49:23 +0000 Subject: [PATCH] vault, digicert: migrate Token / APIKey to *secret.Ref (Bundle I Phase 3) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes Top-10 fix #2 of the 2026-05-03 issuer-coverage audit (see cowork/issuer-coverage-audit-2026-05-03/RESULTS.md). Pre-fix, vault.Config.Token and digicert.Config.APIKey were plain string fields. Practical impact: 1. GET /api/v1/issuers responses marshalled the credential into the JSON body. An acquirer's procurement engineer running 'curl /api/v1/issuers | jq' saw the token / API key in plain text on screen. 2. DEBUG-level HTTP request logging printed the credential header verbatim. 3. A heap dump of the running server contained the credential as readable bytes for the lifetime of the process. Bundle I from the 2026-05-01 audit closed this for AWSACMPCA, EJBCA, GlobalSign, Sectigo (Phase 1+2). Vault and DigiCert were left out. This commit ports the same migration onto them. Mechanics: - Config.Token / Config.APIKey type changed from 'string' to '*secret.Ref'. UnmarshalJSON of a JSON string populates the Ref via NewRefFromString — operator config files are unchanged. - Every header-write call site routed through Ref.Use, with the byte buffer zeroed after the callback returns. Vault: 3 sites (IssueCertificate, RevokeCertificate, GetCACertPEM). DigiCert: 5 sites (ValidateConfig, IssueCertificate, RevokeCertificate, pollOrderOnce, downloadCertificate). - ValidateConfig nil-checks switch from 'cfg.Token == ""' to 'cfg.Token.IsEmpty()' (mirrors Sectigo's existing pattern). - Tests migrated: every Config{Token:"..."} → Config{Token: secret.NewRefFromString("...")}. The 'json.Marshal(config) → ValidateConfig(rawConfig)' round-trip pattern in DigiCert's ValidateConfig_Success test is now broken by the redact-on-marshal contract — switched that one to construct the rawConfig as a JSON literal (mirrors Sectigo's existing test pattern). - Two new tests pin the redact-on-marshal contract: - TestVault_Config_TokenMarshalsAsRedacted (vault_redact_test.go) - TestDigiCert_Config_APIKeyMarshalsAsRedacted (digicert_redact_test.go) Both assert the marshaled JSON contains '"[redacted]"' and does NOT contain the plaintext bytes. Operator-visible: GET /api/v1/issuers responses for type=vault and type=digicert now show the credential as '[redacted]'. Existing config files keep working — the Ref unmarshal accepts strings. CHANGELOG note: certctl/CHANGELOG.md is intentionally not hand-edited; release notes are auto-generated from commit messages between consecutive tags. This commit's message body is the release-note artifact. Verified locally: - gofmt clean across the repo. - go vet ./... clean across the repo. - go test -race -count=1 -short ./internal/connector/issuer/vault/... ./internal/connector/issuer/digicert/... ./internal/secret/... green. Audit reference: cowork/issuer-coverage-audit-2026-05-03/ RESULTS.md Top-10 fix #2. --- .../connector/issuer/digicert/digicert.go | 50 ++++++++++++++++--- .../issuer/digicert/digicert_failure_test.go | 3 +- .../issuer/digicert/digicert_redact_test.go | 38 ++++++++++++++ .../issuer/digicert/digicert_test.go | 44 ++++++++-------- internal/connector/issuer/vault/vault.go | 35 +++++++++++-- .../issuer/vault/vault_failure_test.go | 3 +- .../issuer/vault/vault_redact_test.go | 39 +++++++++++++++ internal/connector/issuer/vault/vault_test.go | 27 +++++----- 8 files changed, 191 insertions(+), 48 deletions(-) create mode 100644 internal/connector/issuer/digicert/digicert_redact_test.go create mode 100644 internal/connector/issuer/vault/vault_redact_test.go diff --git a/internal/connector/issuer/digicert/digicert.go b/internal/connector/issuer/digicert/digicert.go index 091fdc6..5ade485 100644 --- a/internal/connector/issuer/digicert/digicert.go +++ b/internal/connector/issuer/digicert/digicert.go @@ -39,13 +39,23 @@ import ( "github.com/shankar0123/certctl/internal/connector/issuer" "github.com/shankar0123/certctl/internal/connector/issuer/asyncpoll" + "github.com/shankar0123/certctl/internal/secret" ) // Config represents the DigiCert CertCentral issuer connector configuration. type Config struct { // APIKey is the CertCentral API key for authentication. // Required. Set via CERTCTL_DIGICERT_API_KEY environment variable. - APIKey string `json:"api_key"` + // + // Type: *secret.Ref (audit fix #6 Phase 3 — Bundle I close). + // Wrapping the API key in a Ref means: it never stringifies (Config + // marshals as "[redacted]"), the bytes are zeroed after each + // Use/WriteTo invocation (defeats heap-dump extraction), and + // outbound X-DC-DEVKEY header writes go through Ref.Use so the + // staging buffer is short-lived. JSON unmarshal of a string value + // populates the Ref via NewRefFromString — operator config files + // are unchanged. + APIKey *secret.Ref `json:"api_key"` // OrgID is the DigiCert organization ID for certificate orders. // Required. Set via CERTCTL_DIGICERT_ORG_ID environment variable. @@ -149,7 +159,7 @@ func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessag return fmt.Errorf("invalid DigiCert config: %w", err) } - if cfg.APIKey == "" { + if cfg.APIKey.IsEmpty() { return fmt.Errorf("DigiCert api_key is required") } @@ -170,7 +180,12 @@ func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessag if err != nil { return fmt.Errorf("failed to create API test request: %w", err) } - req.Header.Set("X-DC-DEVKEY", cfg.APIKey) + if err := cfg.APIKey.Use(func(buf []byte) error { + req.Header.Set("X-DC-DEVKEY", string(buf)) + return nil + }); err != nil { + return fmt.Errorf("digicert apikey use: %w", err) + } req.Header.Set("Content-Type", "application/json") resp, err := c.httpClient.Do(req) @@ -226,7 +241,12 @@ func (c *Connector) IssueCertificate(ctx context.Context, request issuer.Issuanc if err != nil { return nil, fmt.Errorf("failed to create order request: %w", err) } - req.Header.Set("X-DC-DEVKEY", c.config.APIKey) + if err := c.config.APIKey.Use(func(buf []byte) error { + req.Header.Set("X-DC-DEVKEY", string(buf)) + return nil + }); err != nil { + return nil, fmt.Errorf("digicert apikey use: %w", err) + } req.Header.Set("Content-Type", "application/json") resp, err := c.httpClient.Do(req) @@ -329,7 +349,12 @@ func (c *Connector) RevokeCertificate(ctx context.Context, request issuer.Revoca if err != nil { return fmt.Errorf("failed to create revoke request: %w", err) } - req.Header.Set("X-DC-DEVKEY", c.config.APIKey) + if err := c.config.APIKey.Use(func(buf []byte) error { + req.Header.Set("X-DC-DEVKEY", string(buf)) + return nil + }); err != nil { + return fmt.Errorf("digicert apikey use: %w", err) + } req.Header.Set("Content-Type", "application/json") resp, err := c.httpClient.Do(req) @@ -415,7 +440,12 @@ func (c *Connector) pollOrderOnce(ctx context.Context, orderID string) (*issuer. if err != nil { return nil, asyncpoll.Failed, fmt.Errorf("failed to create status request: %w", err) } - req.Header.Set("X-DC-DEVKEY", c.config.APIKey) + if err := c.config.APIKey.Use(func(buf []byte) error { + req.Header.Set("X-DC-DEVKEY", string(buf)) + return nil + }); err != nil { + return nil, asyncpoll.Failed, fmt.Errorf("digicert apikey use: %w", err) + } req.Header.Set("Content-Type", "application/json") resp, err := c.httpClient.Do(req) @@ -518,7 +548,13 @@ func (c *Connector) downloadCertificate(ctx context.Context, certificateID int) err = fmt.Errorf("failed to create download request: %w", reqErr) return } - req.Header.Set("X-DC-DEVKEY", c.config.APIKey) + if useErr := c.config.APIKey.Use(func(buf []byte) error { + req.Header.Set("X-DC-DEVKEY", string(buf)) + return nil + }); useErr != nil { + err = fmt.Errorf("digicert apikey use: %w", useErr) + return + } resp, doErr := c.httpClient.Do(req) if doErr != nil { diff --git a/internal/connector/issuer/digicert/digicert_failure_test.go b/internal/connector/issuer/digicert/digicert_failure_test.go index 761f18f..ee15ef8 100644 --- a/internal/connector/issuer/digicert/digicert_failure_test.go +++ b/internal/connector/issuer/digicert/digicert_failure_test.go @@ -10,6 +10,7 @@ import ( "testing" "github.com/shankar0123/certctl/internal/connector/issuer/digicert" + "github.com/shankar0123/certctl/internal/secret" ) // Bundle N.A/B-extended: digicert failure-mode round-out (81.0% → ≥85%). @@ -23,7 +24,7 @@ func buildDigicertConnector(t *testing.T, baseURL string) *digicert.Connector { // status returns within ~1s instead of the 10-minute production // default. Tests that exercise issued/failed/parse-error paths // don't block on the wait. - cfg := digicert.Config{APIKey: "k", OrgID: "1", ProductType: "ssl_basic", BaseURL: baseURL, PollMaxWaitSeconds: 1} + cfg := digicert.Config{APIKey: secret.NewRefFromString("k"), OrgID: "1", ProductType: "ssl_basic", BaseURL: baseURL, PollMaxWaitSeconds: 1} raw, _ := json.Marshal(cfg) if err := c.ValidateConfig(context.Background(), raw); err != nil { t.Fatalf("ValidateConfig: %v", err) diff --git a/internal/connector/issuer/digicert/digicert_redact_test.go b/internal/connector/issuer/digicert/digicert_redact_test.go new file mode 100644 index 0000000..bab33a5 --- /dev/null +++ b/internal/connector/issuer/digicert/digicert_redact_test.go @@ -0,0 +1,38 @@ +package digicert_test + +// Phase 3 of the secret.Ref migration (audit fix #6 → 2026-05-03 Top-10 +// fix #2). Pins the operator-visible contract: GET /api/v1/issuers +// responses for type=digicert marshal APIKey as "[redacted]" rather +// than the plaintext value. Regression guard for any future refactor +// that changes the field type back to string. + +import ( + "encoding/json" + "strings" + "testing" + + "github.com/shankar0123/certctl/internal/connector/issuer/digicert" + "github.com/shankar0123/certctl/internal/secret" +) + +func TestDigiCert_Config_APIKeyMarshalsAsRedacted(t *testing.T) { + cfg := digicert.Config{ + APIKey: secret.NewRefFromString("dc-real-api-key-must-not-leak"), + OrgID: "12345", + ProductType: "ssl_basic", + BaseURL: "https://www.digicert.com/services/v2", + } + + out, err := json.Marshal(cfg) + if err != nil { + t.Fatalf("marshal: %v", err) + } + got := string(out) + + if !strings.Contains(got, `"api_key":"[redacted]"`) { + t.Errorf("expected api_key redacted, got: %s", got) + } + if strings.Contains(got, "dc-real-api-key-must-not-leak") { + t.Fatalf("plaintext api_key leaked into marshaled JSON: %s", got) + } +} diff --git a/internal/connector/issuer/digicert/digicert_test.go b/internal/connector/issuer/digicert/digicert_test.go index 0bfc478..f127d95 100644 --- a/internal/connector/issuer/digicert/digicert_test.go +++ b/internal/connector/issuer/digicert/digicert_test.go @@ -19,6 +19,7 @@ import ( "github.com/shankar0123/certctl/internal/connector/issuer" "github.com/shankar0123/certctl/internal/connector/issuer/digicert" + "github.com/shankar0123/certctl/internal/secret" ) func TestDigiCertConnector(t *testing.T) { @@ -41,15 +42,16 @@ func TestDigiCertConnector(t *testing.T) { })) defer srv.Close() - config := digicert.Config{ - APIKey: "dc-test-api-key", - OrgID: "12345", - ProductType: "ssl_basic", - BaseURL: srv.URL, - } + // Build rawConfig as a JSON literal so the secrets round-trip + // intact via UnmarshalJSON (json.Marshal redacts *secret.Ref → + // "[redacted]" by design; it MUST NOT be used to construct a + // rawConfig that ValidateConfig will then header-write back). + rawConfig := []byte(fmt.Sprintf( + `{"api_key":"dc-test-api-key","org_id":"12345","product_type":"ssl_basic","base_url":%q}`, + srv.URL, + )) connector := digicert.New(nil, logger) - rawConfig, _ := json.Marshal(config) err := connector.ValidateConfig(ctx, rawConfig) if err != nil { t.Fatalf("ValidateConfig failed: %v", err) @@ -74,7 +76,7 @@ func TestDigiCertConnector(t *testing.T) { t.Run("ValidateConfig_MissingOrgID", func(t *testing.T) { config := digicert.Config{ - APIKey: "dc-test-key", + APIKey: secret.NewRefFromString("dc-test-key"), } connector := digicert.New(nil, logger) @@ -100,7 +102,7 @@ func TestDigiCertConnector(t *testing.T) { defer srv.Close() config := digicert.Config{ - APIKey: "dc-bad-key", + APIKey: secret.NewRefFromString("dc-bad-key"), OrgID: "12345", BaseURL: srv.URL, } @@ -136,7 +138,7 @@ func TestDigiCertConnector(t *testing.T) { defer srv.Close() config := &digicert.Config{ - APIKey: "dc-test-key", + APIKey: secret.NewRefFromString("dc-test-key"), OrgID: "12345", ProductType: "ssl_basic", BaseURL: srv.URL, @@ -180,7 +182,7 @@ func TestDigiCertConnector(t *testing.T) { defer srv.Close() config := &digicert.Config{ - APIKey: "dc-test-key", + APIKey: secret.NewRefFromString("dc-test-key"), OrgID: "12345", ProductType: "ssl_ev_basic", BaseURL: srv.URL, @@ -217,7 +219,7 @@ func TestDigiCertConnector(t *testing.T) { defer srv.Close() config := &digicert.Config{ - APIKey: "dc-test-key", + APIKey: secret.NewRefFromString("dc-test-key"), OrgID: "12345", ProductType: "ssl_basic", BaseURL: srv.URL, @@ -255,7 +257,7 @@ func TestDigiCertConnector(t *testing.T) { defer srv.Close() config := &digicert.Config{ - APIKey: "dc-test-key", + APIKey: secret.NewRefFromString("dc-test-key"), OrgID: "12345", BaseURL: srv.URL, } @@ -289,7 +291,7 @@ func TestDigiCertConnector(t *testing.T) { defer srv.Close() config := &digicert.Config{ - APIKey: "dc-test-key", + APIKey: secret.NewRefFromString("dc-test-key"), OrgID: "12345", BaseURL: srv.URL, PollMaxWaitSeconds: 1, // keep async-pending tests fast @@ -321,7 +323,7 @@ func TestDigiCertConnector(t *testing.T) { defer srv.Close() config := &digicert.Config{ - APIKey: "dc-test-key", + APIKey: secret.NewRefFromString("dc-test-key"), OrgID: "12345", BaseURL: srv.URL, } @@ -350,7 +352,7 @@ func TestDigiCertConnector(t *testing.T) { defer srv.Close() config := &digicert.Config{ - APIKey: "dc-test-key", + APIKey: secret.NewRefFromString("dc-test-key"), OrgID: "12345", ProductType: "ssl_basic", BaseURL: srv.URL, @@ -388,7 +390,7 @@ func TestDigiCertConnector(t *testing.T) { defer srv.Close() config := &digicert.Config{ - APIKey: "dc-test-key", + APIKey: secret.NewRefFromString("dc-test-key"), OrgID: "12345", BaseURL: srv.URL, } @@ -414,7 +416,7 @@ func TestDigiCertConnector(t *testing.T) { defer srv.Close() config := &digicert.Config{ - APIKey: "dc-test-key", + APIKey: secret.NewRefFromString("dc-test-key"), OrgID: "12345", BaseURL: srv.URL, } @@ -446,7 +448,7 @@ func TestDigiCertConnector(t *testing.T) { defer srv.Close() config := &digicert.Config{ - APIKey: "dc-test-key", + APIKey: secret.NewRefFromString("dc-test-key"), OrgID: "12345", BaseURL: srv.URL, } @@ -463,7 +465,7 @@ func TestDigiCertConnector(t *testing.T) { t.Run("GetRenewalInfo_ReturnsNil", func(t *testing.T) { config := &digicert.Config{ - APIKey: "dc-test-key", + APIKey: secret.NewRefFromString("dc-test-key"), OrgID: "12345", BaseURL: "https://api.digicert.com", } @@ -480,7 +482,7 @@ func TestDigiCertConnector(t *testing.T) { t.Run("DefaultProductType", func(t *testing.T) { config := &digicert.Config{ - APIKey: "dc-test-key", + APIKey: secret.NewRefFromString("dc-test-key"), OrgID: "12345", // ProductType intentionally left empty } diff --git a/internal/connector/issuer/vault/vault.go b/internal/connector/issuer/vault/vault.go index 7b0de6d..e38c03a 100644 --- a/internal/connector/issuer/vault/vault.go +++ b/internal/connector/issuer/vault/vault.go @@ -32,6 +32,7 @@ import ( "time" "github.com/shankar0123/certctl/internal/connector/issuer" + "github.com/shankar0123/certctl/internal/secret" ) // Config represents the Vault PKI issuer connector configuration. @@ -42,7 +43,16 @@ type Config struct { // Token is the Vault token for authentication. // Required. Set via CERTCTL_VAULT_TOKEN environment variable. - Token string `json:"token"` + // + // Type: *secret.Ref (audit fix #6 Phase 3 — Bundle I close). + // Wrapping the token in a Ref means: it never stringifies (Config + // marshals as "[redacted]"), the bytes are zeroed after each + // Use/WriteTo invocation (defeats heap-dump extraction), and + // outbound X-Vault-Token header writes go through Ref.Use so the + // staging buffer is short-lived. JSON unmarshal of a string value + // populates the Ref via NewRefFromString — operator config files + // are unchanged. + Token *secret.Ref `json:"token"` // Mount is the PKI secrets engine mount path. // Default: "pki". Set via CERTCTL_VAULT_MOUNT environment variable. @@ -111,7 +121,7 @@ func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessag return fmt.Errorf("Vault addr is required") } - if cfg.Token == "" { + if cfg.Token.IsEmpty() { return fmt.Errorf("Vault token is required") } @@ -189,7 +199,12 @@ func (c *Connector) IssueCertificate(ctx context.Context, request issuer.Issuanc return nil, fmt.Errorf("failed to create sign request: %w", err) } req.Header.Set("Content-Type", "application/json") - req.Header.Set("X-Vault-Token", c.config.Token) + if err := c.config.Token.Use(func(buf []byte) error { + req.Header.Set("X-Vault-Token", string(buf)) + return nil + }); err != nil { + return nil, fmt.Errorf("vault token use: %w", err) + } resp, err := c.httpClient.Do(req) if err != nil { @@ -300,7 +315,12 @@ func (c *Connector) RevokeCertificate(ctx context.Context, request issuer.Revoca return fmt.Errorf("failed to create revoke request: %w", err) } req.Header.Set("Content-Type", "application/json") - req.Header.Set("X-Vault-Token", c.config.Token) + if err := c.config.Token.Use(func(buf []byte) error { + req.Header.Set("X-Vault-Token", string(buf)) + return nil + }); err != nil { + return fmt.Errorf("vault token use: %w", err) + } resp, err := c.httpClient.Do(req) if err != nil { @@ -344,7 +364,12 @@ func (c *Connector) GetCACertPEM(ctx context.Context) (string, error) { if err != nil { return "", fmt.Errorf("failed to create CA cert request: %w", err) } - req.Header.Set("X-Vault-Token", c.config.Token) + if err := c.config.Token.Use(func(buf []byte) error { + req.Header.Set("X-Vault-Token", string(buf)) + return nil + }); err != nil { + return "", fmt.Errorf("vault token use: %w", err) + } resp, err := c.httpClient.Do(req) if err != nil { diff --git a/internal/connector/issuer/vault/vault_failure_test.go b/internal/connector/issuer/vault/vault_failure_test.go index 67f5260..e1256dc 100644 --- a/internal/connector/issuer/vault/vault_failure_test.go +++ b/internal/connector/issuer/vault/vault_failure_test.go @@ -11,6 +11,7 @@ import ( "github.com/shankar0123/certctl/internal/connector/issuer" "github.com/shankar0123/certctl/internal/connector/issuer/vault" + "github.com/shankar0123/certctl/internal/secret" ) // Bundle N.A/B-extended: failure-mode round-out for Vault PKI connector. @@ -139,7 +140,7 @@ func TestVault_GetCACertPEM_Non200_ReturnsError(t *testing.T) { func buildVaultConnector(t *testing.T, url string) *vault.Connector { t.Helper() c := vault.New(nil, slog.Default()) - cfg := vault.Config{Addr: url, Token: "tok", Mount: "pki", Role: "web", TTL: "1h"} + cfg := vault.Config{Addr: url, Token: secret.NewRefFromString("tok"), Mount: "pki", Role: "web", TTL: "1h"} raw, _ := json.Marshal(cfg) if err := c.ValidateConfig(context.Background(), raw); err != nil { t.Fatalf("ValidateConfig: %v", err) diff --git a/internal/connector/issuer/vault/vault_redact_test.go b/internal/connector/issuer/vault/vault_redact_test.go new file mode 100644 index 0000000..01458d0 --- /dev/null +++ b/internal/connector/issuer/vault/vault_redact_test.go @@ -0,0 +1,39 @@ +package vault_test + +// Phase 3 of the secret.Ref migration (audit fix #6 → 2026-05-03 Top-10 +// fix #2). Pins the operator-visible contract: GET /api/v1/issuers +// responses for type=vault marshal Token as "[redacted]" rather than +// the plaintext value. Regression guard for any future refactor that +// changes the field type back to string. + +import ( + "encoding/json" + "strings" + "testing" + + "github.com/shankar0123/certctl/internal/connector/issuer/vault" + "github.com/shankar0123/certctl/internal/secret" +) + +func TestVault_Config_TokenMarshalsAsRedacted(t *testing.T) { + cfg := vault.Config{ + Addr: "https://vault.example.com:8200", + Token: secret.NewRefFromString("hvs.real-token-bytes-must-not-leak"), + Mount: "pki", + Role: "web", + TTL: "8760h", + } + + out, err := json.Marshal(cfg) + if err != nil { + t.Fatalf("marshal: %v", err) + } + got := string(out) + + if !strings.Contains(got, `"token":"[redacted]"`) { + t.Errorf("expected token redacted, got: %s", got) + } + if strings.Contains(got, "hvs.real-token-bytes-must-not-leak") { + t.Fatalf("plaintext token leaked into marshaled JSON: %s", got) + } +} diff --git a/internal/connector/issuer/vault/vault_test.go b/internal/connector/issuer/vault/vault_test.go index 13620d7..8b1cf30 100644 --- a/internal/connector/issuer/vault/vault_test.go +++ b/internal/connector/issuer/vault/vault_test.go @@ -19,6 +19,7 @@ import ( "github.com/shankar0123/certctl/internal/connector/issuer" "github.com/shankar0123/certctl/internal/connector/issuer/vault" + "github.com/shankar0123/certctl/internal/secret" ) func TestVaultConnector(t *testing.T) { @@ -38,7 +39,7 @@ func TestVaultConnector(t *testing.T) { config := vault.Config{ Addr: srv.URL, - Token: "s.test-token-12345", + Token: secret.NewRefFromString("s.test-token-12345"), Mount: "pki", Role: "web-certs", TTL: "8760h", @@ -54,7 +55,7 @@ func TestVaultConnector(t *testing.T) { t.Run("ValidateConfig_MissingAddr", func(t *testing.T) { config := vault.Config{ - Token: "s.test-token", + Token: secret.NewRefFromString("s.test-token"), Role: "web-certs", } @@ -89,7 +90,7 @@ func TestVaultConnector(t *testing.T) { t.Run("ValidateConfig_MissingRole", func(t *testing.T) { config := vault.Config{ Addr: "https://vault.example.com:8200", - Token: "s.test-token", + Token: secret.NewRefFromString("s.test-token"), } connector := vault.New(nil, logger) @@ -106,7 +107,7 @@ func TestVaultConnector(t *testing.T) { t.Run("ValidateConfig_UnreachableVault", func(t *testing.T) { config := vault.Config{ Addr: "http://localhost:19999", - Token: "s.test-token", + Token: secret.NewRefFromString("s.test-token"), Role: "web-certs", } @@ -153,7 +154,7 @@ func TestVaultConnector(t *testing.T) { config := &vault.Config{ Addr: srv.URL, - Token: "s.test-token", + Token: secret.NewRefFromString("s.test-token"), Mount: "pki", Role: "web-certs", TTL: "8760h", @@ -208,7 +209,7 @@ func TestVaultConnector(t *testing.T) { config := &vault.Config{ Addr: srv.URL, - Token: "s.test-token", + Token: secret.NewRefFromString("s.test-token"), Mount: "pki", Role: "web-certs", } @@ -245,7 +246,7 @@ func TestVaultConnector(t *testing.T) { config := &vault.Config{ Addr: srv.URL, - Token: "s.bad-token", + Token: secret.NewRefFromString("s.bad-token"), Mount: "pki", Role: "web-certs", } @@ -293,7 +294,7 @@ func TestVaultConnector(t *testing.T) { config := &vault.Config{ Addr: srv.URL, - Token: "s.test-token", + Token: secret.NewRefFromString("s.test-token"), Mount: "pki", Role: "web-certs", } @@ -336,7 +337,7 @@ func TestVaultConnector(t *testing.T) { config := &vault.Config{ Addr: srv.URL, - Token: "s.test-token", + Token: secret.NewRefFromString("s.test-token"), Mount: "pki", Role: "web-certs", } @@ -370,7 +371,7 @@ func TestVaultConnector(t *testing.T) { config := &vault.Config{ Addr: srv.URL, - Token: "s.test-token", + Token: secret.NewRefFromString("s.test-token"), Mount: "pki", Role: "web-certs", } @@ -402,7 +403,7 @@ func TestVaultConnector(t *testing.T) { config := &vault.Config{ Addr: srv.URL, - Token: "s.test-token", + Token: secret.NewRefFromString("s.test-token"), Mount: "pki", Role: "web-certs", } @@ -421,7 +422,7 @@ func TestVaultConnector(t *testing.T) { t.Run("GetOrderStatus_Synchronous", func(t *testing.T) { config := &vault.Config{ Addr: "https://vault.example.com:8200", - Token: "s.test-token", + Token: secret.NewRefFromString("s.test-token"), Mount: "pki", Role: "web-certs", } @@ -443,7 +444,7 @@ func TestVaultConnector(t *testing.T) { t.Run("GetRenewalInfo_ReturnsNil", func(t *testing.T) { config := &vault.Config{ Addr: "https://vault.example.com:8200", - Token: "s.test-token", + Token: secret.NewRefFromString("s.test-token"), Mount: "pki", Role: "web-certs", }