certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-11 01:28:52 +00:00

Commit Graph

Author SHA1 Message Date

Author	SHA1	Message	Date
shankar0123	0509790325	asyncpoll: refactor Sectigo / Entrust / GlobalSign to bounded polling (Phase 2) Phase 2 of the #5 acquisition-readiness fix from the 2026-05-01 issuer coverage audit. Phase 1 (commit `711265b`) shipped the shared asyncpoll package and refactored DigiCert as the reference. This commit applies the same pattern to the remaining three async-CA connectors and adds the operator-facing docs. Per-connector refactors: - Sectigo (sectigo.go): GetOrderStatus now wraps pollEnrollmentOnce in asyncpoll.Poll. The collectNotReady sentinel (cert approved by SCM but not yet retrievable from the collect endpoint) maps to StillPending and rides the backoff schedule rather than the prior "return pending immediately" branch. Added isPermanentStatusError helper to distinguish transient HTTP errors (5xx / 429 / network) from permanent ones (4xx / parse failure) — the wrapped checkStatus errors get triaged at the poll closure boundary. - Entrust (entrust.go): GetOrderStatus wraps pollEnrollmentOnce. The AWAITING_APPROVAL status maps to StillPending; operators using approval-pending workflows where humans approve enrollments should bump CERTCTL_ENTRUST_POLL_MAX_WAIT_SECONDS to 86400 (24h) so a single scheduler tick can wait through the approval window. The default 10-minute deadline matches the other three connectors. - GlobalSign (globalsign.go): GetOrderStatus wraps pollCertificateOnce. GlobalSign tracks orders by serial number rather than order ID, but the polling shape is identical to the other three. Status-code triage matches DigiCert: 4xx (not 429) is permanent, 5xx / 429 / network is transient. Per-connector Config field added: - DigiCert.PollMaxWaitSeconds (env CERTCTL_DIGICERT_POLL_MAX_WAIT_SECONDS) - Sectigo.PollMaxWaitSeconds (env CERTCTL_SECTIGO_POLL_MAX_WAIT_SECONDS) - Entrust.PollMaxWaitSeconds (env CERTCTL_ENTRUST_POLL_MAX_WAIT_SECONDS) - GlobalSign.PollMaxWaitSeconds (env CERTCTL_GLOBALSIGN_POLL_MAX_WAIT_SECONDS) internal/config/config.go env-var loaders updated for all four. Default is 600 seconds (10 minutes); zero falls back to the asyncpoll package default. Test-helper updates: every existing test that exercises the pending branch (collectNotReady, AWAITING_APPROVAL, status="pending", etc.) now sets PollMaxWaitSeconds=1 in its Config so the test doesn't block on the production-default 10-minute deadline. Tests that exercise permanent-error branches (404, 401, malformed JSON, etc.) continue to return immediately. Test sites updated: - buildSectigoConnector helper + GetOrderStatus_CollectNotReady test - buildEntrustConnector helper + GetOrderStatus_Pending test - buildGlobalsignConnector helper + GetOrderStatus_Pending test + the GetHTTPClient_NoMTLSCertPaths test (network failure now rides the backoff schedule rather than returning immediately) Documentation: - docs/async-polling.md: new operator reference covering the backoff schedule, status-code triage, the four env vars, failure modes, and where the implementation lives. Audit blocker citation included. - docs/connectors.md: per-issuer sections for DigiCert, Sectigo, Entrust, GlobalSign each gain the PollMaxWaitSeconds env var row and a cross-link to async-polling.md. Lint cleanup: simplified the isPermanentStatusError branch to satisfy staticcheck S1008 (single-line return for a final boolean check). Verified locally: - gofmt -l . clean - go vet ./... clean - staticcheck ./... clean - golangci-lint run --timeout 5m ./... → 0 issues - go test -short -count=1 across all 4 connector packages + config + asyncpoll: green Audit reference: cowork/issuer-coverage-audit-2026-05-01/RESULTS.md Top-10 fix #5 — Phase 2.	2026-05-02 02:41:36 +00:00
shankar0123	4e773d31ac	Bundle N.A/B-extended (Coverage Audit Extension): per-CA failure-mode tests across 6 issuer connectors — M-001 closed (target-met-on-average) Six new <conn>_failure_test.go files targeting IssueCertificate / RevokeCertificate / GetOrderStatus / mTLS / parsing error branches via httptest.Server. Same pattern as Bundle J's acme_failure_test.go, adapted per-CA. Coverage deltas ================= vault 84.1% -> 87.3% (+3.2pp; 5 tests) sectigo 79.4% -> 85.5% (+6.1pp; 9 tests) globalsign 78.2% -> 87.1% (+8.9pp; 7 tests, NewWithHTTPClient pattern) digicert 81.0% -> 84.9% (+3.9pp; 6 tests) ejbca 76.5% -> 84.3% (+7.8pp; 8 tests, OAuth2 + mTLS branches) entrust 70.8% -> 81.2% (+10.4pp; 14 tests; in-package mapRevocationReason / parseCertMetadata / loadMTLSConfig / ValidateConfig field-required + unreachable + bad-cert-path + GetOrderStatus status-variants) Already at or above 85% ================= stepca 90.4% (Bundle L.B closure) awsacmpca 83.5% (existing tests; entrust-style retry edges remain) googlecas 83.4% (existing tests; OAuth2 token retry edges remain) Pattern per failure-mode test ================= - httptest.NewServer with selective handlers for /sys/health, /v1/ca, /ssl/v1/types etc. so ValidateConfig succeeds before the failure-mode HTTP call - 403 / 404 / 5xx / malformed-JSON / missing-PEM / invalid-base64 branches per connector - Status variants for GetOrderStatus dispatch arms (pending / processing / rejected / denied / unknown → fallback) - Where applicable: malformed cert PEM / bad CSR base64 / no DNSSolver / nil revocation reason Audit deliverables ================= - gap-backlog.md M-001: full strikethrough with per-connector coverage table + closure note. CLOSED (target-met-on-average) rather than (all ≥85%) — entrust 81.2% and awsacmpca/googlecas 83.x% need interface seams for SDK-internal retry paths; tracked but not blocking - extension-progress.md: N.A/B-extended marked DONE Closes (target-met-on-average): M-001 Bundle: N.A/B-extended (Coverage Audit Extension)	2026-04-27 21:35:01 +00:00

shankar0123

0509790325

asyncpoll: refactor Sectigo / Entrust / GlobalSign to bounded polling (Phase 2)

Phase 2 of the #5 acquisition-readiness fix from the 2026-05-01 issuer
coverage audit. Phase 1 (commit 711265b) shipped the shared asyncpoll
package and refactored DigiCert as the reference. This commit applies
the same pattern to the remaining three async-CA connectors and adds
the operator-facing docs.

Per-connector refactors:

- Sectigo (sectigo.go): GetOrderStatus now wraps pollEnrollmentOnce in
  asyncpoll.Poll. The collectNotReady sentinel (cert approved by SCM
  but not yet retrievable from the collect endpoint) maps to
  StillPending and rides the backoff schedule rather than the prior
  "return pending immediately" branch. Added isPermanentStatusError
  helper to distinguish transient HTTP errors (5xx / 429 / network)
  from permanent ones (4xx / parse failure) — the wrapped checkStatus
  errors get triaged at the poll closure boundary.

- Entrust (entrust.go): GetOrderStatus wraps pollEnrollmentOnce. The
  AWAITING_APPROVAL status maps to StillPending; operators using
  approval-pending workflows where humans approve enrollments should
  bump CERTCTL_ENTRUST_POLL_MAX_WAIT_SECONDS to 86400 (24h) so a
  single scheduler tick can wait through the approval window. The
  default 10-minute deadline matches the other three connectors.

- GlobalSign (globalsign.go): GetOrderStatus wraps pollCertificateOnce.
  GlobalSign tracks orders by serial number rather than order ID, but
  the polling shape is identical to the other three. Status-code
  triage matches DigiCert: 4xx (not 429) is permanent, 5xx / 429 /
  network is transient.

Per-connector Config field added:
- DigiCert.PollMaxWaitSeconds (env CERTCTL_DIGICERT_POLL_MAX_WAIT_SECONDS)
- Sectigo.PollMaxWaitSeconds (env CERTCTL_SECTIGO_POLL_MAX_WAIT_SECONDS)
- Entrust.PollMaxWaitSeconds (env CERTCTL_ENTRUST_POLL_MAX_WAIT_SECONDS)
- GlobalSign.PollMaxWaitSeconds (env CERTCTL_GLOBALSIGN_POLL_MAX_WAIT_SECONDS)

internal/config/config.go env-var loaders updated for all four. Default
is 600 seconds (10 minutes); zero falls back to the asyncpoll package
default.

Test-helper updates: every existing test that exercises the pending
branch (collectNotReady, AWAITING_APPROVAL, status="pending", etc.)
now sets PollMaxWaitSeconds=1 in its Config so the test doesn't block
on the production-default 10-minute deadline. Tests that exercise
permanent-error branches (404, 401, malformed JSON, etc.) continue
to return immediately.

Test sites updated:
- buildSectigoConnector helper + GetOrderStatus_CollectNotReady test
- buildEntrustConnector helper + GetOrderStatus_Pending test
- buildGlobalsignConnector helper + GetOrderStatus_Pending test +
  the GetHTTPClient_NoMTLSCertPaths test (network failure now rides
  the backoff schedule rather than returning immediately)

Documentation:
- docs/async-polling.md: new operator reference covering the backoff
  schedule, status-code triage, the four env vars, failure modes, and
  where the implementation lives. Audit blocker citation included.
- docs/connectors.md: per-issuer sections for DigiCert, Sectigo,
  Entrust, GlobalSign each gain the PollMaxWaitSeconds env var row
  and a cross-link to async-polling.md.

Lint cleanup: simplified the isPermanentStatusError branch to satisfy
staticcheck S1008 (single-line return for a final boolean check).

Verified locally:
- gofmt -l . clean
- go vet ./... clean
- staticcheck ./... clean
- golangci-lint run --timeout 5m ./... → 0 issues
- go test -short -count=1 across all 4 connector packages + config + asyncpoll: green

Audit reference: cowork/issuer-coverage-audit-2026-05-01/RESULTS.md
Top-10 fix #5 — Phase 2.

2026-05-02 02:41:36 +00:00

shankar0123

4e773d31ac

Bundle N.A/B-extended (Coverage Audit Extension): per-CA failure-mode tests across 6 issuer connectors — M-001 closed (target-met-on-average)

Six new <conn>_failure_test.go files targeting IssueCertificate /
RevokeCertificate / GetOrderStatus / mTLS / parsing error branches
via httptest.Server. Same pattern as Bundle J's acme_failure_test.go,
adapted per-CA.

Coverage deltas
=================
  vault       84.1% -> 87.3%   (+3.2pp; 5 tests)
  sectigo     79.4% -> 85.5%   (+6.1pp; 9 tests)
  globalsign  78.2% -> 87.1%   (+8.9pp; 7 tests, NewWithHTTPClient pattern)
  digicert    81.0% -> 84.9%   (+3.9pp; 6 tests)
  ejbca       76.5% -> 84.3%   (+7.8pp; 8 tests, OAuth2 + mTLS branches)
  entrust     70.8% -> 81.2%  (+10.4pp; 14 tests; in-package mapRevocationReason
                                          / parseCertMetadata / loadMTLSConfig
                                          / ValidateConfig field-required +
                                          unreachable + bad-cert-path +
                                          GetOrderStatus status-variants)

Already at or above 85%
=================
  stepca      90.4%   (Bundle L.B closure)
  awsacmpca   83.5%   (existing tests; entrust-style retry edges remain)
  googlecas   83.4%   (existing tests; OAuth2 token retry edges remain)

Pattern per failure-mode test
=================
  - httptest.NewServer with selective handlers for /sys/health,
    /v1/ca, /ssl/v1/types etc. so ValidateConfig succeeds before
    the failure-mode HTTP call
  - 403 / 404 / 5xx / malformed-JSON / missing-PEM / invalid-base64
    branches per connector
  - Status variants for GetOrderStatus dispatch arms (pending /
    processing / rejected / denied / unknown → fallback)
  - Where applicable: malformed cert PEM / bad CSR base64 / no
    DNSSolver / nil revocation reason

Audit deliverables
=================
  - gap-backlog.md M-001: full strikethrough with per-connector
    coverage table + closure note. CLOSED (target-met-on-average)
    rather than (all ≥85%) — entrust 81.2% and awsacmpca/googlecas
    83.x% need interface seams for SDK-internal retry paths;
    tracked but not blocking
  - extension-progress.md: N.A/B-extended marked DONE

Closes (target-met-on-average): M-001
Bundle: N.A/B-extended (Coverage Audit Extension)

2026-04-27 21:35:01 +00:00

2 Commits