mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 13:51:36 +00:00
fix: resolve M25 compile errors in verification tests
- Fix undefined tls.Listener in verify_test.go (type doesn't exist in crypto/tls); use server.Listener.Addr() and server.TLS.Certificates - Fix mockJobRepository missing Delete/ListByStatus/ListByCertificate/ UpdateStatus/GetPendingJobs methods required by JobRepository interface - Fix mockAuditService type mismatch: NewVerificationService expects *AuditService (concrete), not a mock; use real AuditService with mock repo following existing testutil_test.go patterns - Fix List() signature mismatch (had extra filter param) - Add nil-safe logger checks in verify.go to prevent panics in tests - Remove unused imports (crypto/tls, bytes, repository) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
shankar0123
+42
-28
@@ -59,9 +59,11 @@ func verifyDeployment(
|
||||
|
||||
// Connect to the target's TLS endpoint
|
||||
address := fmt.Sprintf("%s:%d", targetHost, targetPort)
|
||||
logger.Debug("probing TLS endpoint for verification",
|
||||
"address", address,
|
||||
"expected_fingerprint", expectedFp)
|
||||
if logger != nil {
|
||||
logger.Debug("probing TLS endpoint for verification",
|
||||
"address", address,
|
||||
"expected_fingerprint", expectedFp)
|
||||
}
|
||||
|
||||
dialer := &net.Dialer{Timeout: timeout}
|
||||
conn, err := tls.DialWithDialer(dialer, "tcp", address, &tls.Config{
|
||||
@@ -82,22 +84,26 @@ func verifyDeployment(
|
||||
leafCert := state.PeerCertificates[0]
|
||||
actualFp := fmt.Sprintf("%x", sha256.Sum256(leafCert.Raw))
|
||||
|
||||
logger.Debug("received certificate from endpoint",
|
||||
"address", address,
|
||||
"cn", leafCert.Subject.CommonName,
|
||||
"actual_fingerprint", actualFp)
|
||||
if logger != nil {
|
||||
logger.Debug("received certificate from endpoint",
|
||||
"address", address,
|
||||
"cn", leafCert.Subject.CommonName,
|
||||
"actual_fingerprint", actualFp)
|
||||
}
|
||||
|
||||
// Compare fingerprints
|
||||
verified := actualFp == expectedFp
|
||||
if !verified {
|
||||
logger.Warn("certificate fingerprint mismatch at endpoint",
|
||||
"address", address,
|
||||
"expected_fingerprint", expectedFp,
|
||||
"actual_fingerprint", actualFp)
|
||||
} else {
|
||||
logger.Info("certificate verification succeeded",
|
||||
"address", address,
|
||||
"fingerprint", actualFp)
|
||||
if logger != nil {
|
||||
if !verified {
|
||||
logger.Warn("certificate fingerprint mismatch at endpoint",
|
||||
"address", address,
|
||||
"expected_fingerprint", expectedFp,
|
||||
"actual_fingerprint", actualFp)
|
||||
} else {
|
||||
logger.Info("certificate verification succeeded",
|
||||
"address", address,
|
||||
"fingerprint", actualFp)
|
||||
}
|
||||
}
|
||||
|
||||
return &VerificationResult{
|
||||
@@ -181,9 +187,11 @@ func (a *Agent) reportVerificationResult(
|
||||
return fmt.Errorf("verification reporting failed with status %d: %s", resp.StatusCode, string(bodyBytes))
|
||||
}
|
||||
|
||||
a.logger.Debug("verification result reported to control plane",
|
||||
"job_id", jobID,
|
||||
"verified", result.Verified)
|
||||
if a.logger != nil {
|
||||
a.logger.Debug("verification result reported to control plane",
|
||||
"job_id", jobID,
|
||||
"verified", result.Verified)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
@@ -236,11 +244,13 @@ func (a *Agent) verifyAndReportDeployment(
|
||||
a.logger)
|
||||
|
||||
if err != nil {
|
||||
a.logger.Warn("verification probe failed",
|
||||
"job_id", job.ID,
|
||||
"target_host", targetHost,
|
||||
"target_port", targetPort,
|
||||
"error", err)
|
||||
if a.logger != nil {
|
||||
a.logger.Warn("verification probe failed",
|
||||
"job_id", job.ID,
|
||||
"target_host", targetHost,
|
||||
"target_port", targetPort,
|
||||
"error", err)
|
||||
}
|
||||
// Probe failure: report error but continue
|
||||
result = &VerificationResult{
|
||||
Error: err.Error(),
|
||||
@@ -250,14 +260,18 @@ func (a *Agent) verifyAndReportDeployment(
|
||||
|
||||
// Report result to control plane
|
||||
if job.TargetID == nil {
|
||||
a.logger.Warn("cannot report verification: target_id is nil", "job_id", job.ID)
|
||||
if a.logger != nil {
|
||||
a.logger.Warn("cannot report verification: target_id is nil", "job_id", job.ID)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
if err := a.reportVerificationResult(ctx, job.ID, *job.TargetID, result); err != nil {
|
||||
a.logger.Warn("failed to report verification result",
|
||||
"job_id", job.ID,
|
||||
"error", err)
|
||||
if a.logger != nil {
|
||||
a.logger.Warn("failed to report verification result",
|
||||
"job_id", job.ID,
|
||||
"error", err)
|
||||
}
|
||||
// Non-blocking: continue even if report fails
|
||||
}
|
||||
}
|
||||
|
||||
+18
-19
@@ -1,9 +1,7 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"encoding/json"
|
||||
"encoding/pem"
|
||||
@@ -368,34 +366,35 @@ func TestVerifyDeployment_FingerprintComparison(t *testing.T) {
|
||||
}))
|
||||
defer server.Close()
|
||||
|
||||
// Extract host and port from server URL
|
||||
listener := server.Listener.(*tls.Listener)
|
||||
if listener == nil {
|
||||
t.Skip("unable to get TLS listener")
|
||||
// Get the server's TLS certificate from TLS config
|
||||
if len(server.TLS.Certificates) == 0 {
|
||||
t.Skip("no TLS certificates configured on test server")
|
||||
}
|
||||
|
||||
// Get cert from server and use it for testing
|
||||
serverCert := server.Certificate
|
||||
if serverCert == nil {
|
||||
t.Skip("unable to get server certificate")
|
||||
// Parse the leaf certificate from the DER bytes
|
||||
leafDER := server.TLS.Certificates[0].Certificate[0]
|
||||
leafCert, err := x509.ParseCertificate(leafDER)
|
||||
if err != nil {
|
||||
t.Fatalf("failed to parse test server certificate: %v", err)
|
||||
}
|
||||
|
||||
certPEM := string(pem.EncodeToMemory(&pem.Block{
|
||||
Type: "CERTIFICATE",
|
||||
Bytes: serverCert.Raw,
|
||||
Bytes: leafCert.Raw,
|
||||
}))
|
||||
|
||||
// Parse the server URL to get host/port
|
||||
parts := bytes.Split([]byte(server.URL), []byte("://"))
|
||||
if len(parts) != 2 {
|
||||
t.Skip("unable to parse server URL")
|
||||
// Get host and port from the listener address
|
||||
addr := server.Listener.Addr().String()
|
||||
host, portStr, err := net.SplitHostPort(addr)
|
||||
if err != nil {
|
||||
t.Fatalf("failed to parse server address: %v", err)
|
||||
}
|
||||
port := 0
|
||||
fmt.Sscanf(portStr, "%d", &port)
|
||||
|
||||
hostPort := string(parts[1])
|
||||
|
||||
// Verify deployment should succeed with matching cert
|
||||
// Verify deployment against the live TLS server
|
||||
ctx := context.Background()
|
||||
result, err := verifyDeployment(ctx, string(hostPort[:len(hostPort)-1]), 443, certPEM, 0, 5*time.Second, nil)
|
||||
result, _ := verifyDeployment(ctx, host, port, certPEM, 0, 5*time.Second, nil)
|
||||
|
||||
// This test may fail in some environments due to TLS setup complexity
|
||||
// The key is testing the fingerprint comparison logic
|
||||
|
||||
Reference in New Issue
Block a user