Close M-004 (OCSP issuer binding) and M-005 (discovery actor propagation) coverage-gap findings

M-004 — OCSP issuer binding (composite key): The OCSP lookup path now binds (issuer_id, serial) as a composite key rather than resolving by serial alone. CertificateRepository and RevocationRepository gain GetByIssuerAndSerial methods; ca_operations.go scopes both lookups by the issuer_id path param. When no managed cert binds to that (issuer, serial) tuple, GetOCSPResponse constructs an RFC 6960 §2.2 'unknown' response (CertStatus=2) instead of the prior default 'good'. Short-lived cert exemption (profile TTL < 1h) is preserved. Real repo errors (non-sql.ErrNoRows) fail closed with a log. Regression coverage: internal/service/ca_operations_test.go - TestCAOperationsSvc_GetOCSPResponse_Unknown_CrossIssuer - TestCAOperationsSvc_GetOCSPResponse_Unknown_UnknownSerial M-005 — Discovery Claim/Dismiss actor propagation: DiscoveryService.ClaimDiscovered and DismissDiscovered now accept an explicit 'actor string' parameter (propagation pattern mirrors bulk_revocation.go / revocation_svc.go). The handler layer passes resolveActor(r.Context()) — the named-key identity established by the M-002 auth unification — and the service falls back to 'api' (the same safe sentinel resolveActor uses when no auth context is present) only when the caller passes an empty string. Never falls back to 'operator'. Regression coverage: internal/service/discovery_test.go - TestDiscoveryService_ClaimDiscovered_AuditActor - TestDiscoveryService_DismissDiscovered_AuditActor - TestDiscoveryService_ClaimDiscovered_EmptyActorFallsBackToAPI - TestDiscoveryService_DismissDiscovered_EmptyActorFallsBackToAPI Each new test asserts event.Actor matches the caller-supplied string (or 'api' on empty input) and explicitly asserts event.Actor != 'operator' to lock in the historical fix intent. Files: internal/api/handler/discovery.go — pass resolveActor(ctx) internal/api/handler/discovery_handler_test.go — updated call sites internal/integration/lifecycle_test.go — updated mock wiring internal/repository/interfaces.go — GetByIssuerAndSerial on CertificateRepository + RevocationRepository internal/repository/postgres/certificate.go — composite key lookup internal/service/ca_operations.go — (issuer_id, serial) scoping internal/service/ca_operations_test.go — 2 new M-004 tests internal/service/discovery.go — actor parameter + 'api' fallback internal/service/discovery_test.go — 4 new M-005 tests internal/service/shortlived_test.go — mock signature update internal/service/testutil_test.go — mock GetByIssuerAndSerial
2026-06-13 15:48:52 +00:00 · 2026-04-18 22:20:25 +00:00
parent ff7357f889
commit fe7e766510
11 changed files with 430 additions and 41 deletions
@@ -148,7 +148,14 @@ func (s *DiscoveryService) GetDiscovered(ctx context.Context, id string) (*domai
 }

 // ClaimDiscovered links a discovered certificate to a managed certificate.
-func (s *DiscoveryService) ClaimDiscovered(ctx context.Context, id string, managedCertID string) error {
+// The actor parameter names the authenticated identity that initiated the
+// claim and is recorded on the audit event. Callers in the handler layer pass
+// resolveActor(ctx); service-to-service callers pass a descriptive sentinel
+// (e.g., "system"). Empty actor falls back to "api" (the same safe sentinel
+// resolveActor uses when no auth context is present), never to "operator" —
+// hardcoding "operator" was M-005, a coverage-gap closure where audit records
+// failed to identify who actually performed the triage action.
+func (s *DiscoveryService) ClaimDiscovered(ctx context.Context, id string, managedCertID string, actor string) error {
 	if managedCertID == "" {
 		return fmt.Errorf("managed_certificate_id is required")
 	}
@@ -168,8 +175,12 @@ func (s *DiscoveryService) ClaimDiscovered(ctx context.Context, id string, manag
 		return fmt.Errorf("failed to update discovered certificate status: %w", err)
 	}

+	if actor == "" {
+		actor = "api"
+	}
+
 	// Audit trail
-	if err := s.auditService.RecordEvent(ctx, "operator", domain.ActorTypeUser,
+	if err := s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser,
 		"discovery_cert_claimed", "discovered_certificate", id,
 		map[string]interface{}{
 			"managed_certificate_id": managedCertID,
@@ -182,14 +193,19 @@ func (s *DiscoveryService) ClaimDiscovered(ctx context.Context, id string, manag
 	return nil
 }

-// DismissDiscovered marks a discovered certificate as dismissed.
-func (s *DiscoveryService) DismissDiscovered(ctx context.Context, id string) error {
+// DismissDiscovered marks a discovered certificate as dismissed. See
+// ClaimDiscovered for the actor contract — same rules apply (M-005).
+func (s *DiscoveryService) DismissDiscovered(ctx context.Context, id string, actor string) error {
 	if err := s.discoveryRepo.UpdateDiscoveredStatus(ctx, id, domain.DiscoveryStatusDismissed, ""); err != nil {
 		return fmt.Errorf("failed to dismiss discovered certificate: %w", err)
 	}

+	if actor == "" {
+		actor = "api"
+	}
+
 	// Audit trail
-	if err := s.auditService.RecordEvent(ctx, "operator", domain.ActorTypeUser,
+	if err := s.auditService.RecordEvent(ctx, actor, domain.ActorTypeUser,
 		"discovery_cert_dismissed", "discovered_certificate", id, nil); err != nil {
 		slog.Error("failed to record audit event", "error", err)
 	}