Author: shankar0123
Commit: 8fa61fd7ba
Bundle 0.7 (Coverage Audit Closure): cmd/agent key-handling regression coverage — C-008 closed

Phase 0 of the 2026-04-27 coverage-audit closure plan surfaced cmd/agent/keymem.go
with two security-critical functions at 0.0% / 11.1% line coverage:
- marshalAgentKeyAndZeroize: zeros the DER backing buffer after PEM encode
- ensureAgentKeyDirSecure: locks the agent key directory to 0o700
Both ship as defense-in-depth for agent private-key memory hygiene per
Bundle 9 / Audit L-002 + L-003 (agent edition), but had ZERO regression tests.

This commit adds cmd/agent/keymem_test.go (~510 LoC, 17 top-level test funcs):

marshalAgentKeyAndZeroize coverage:
- happy path (DER decodes, callback invoked once)
- nil key (asserts onDER NEVER invoked)
- onDER returns error (errors.Is propagation)
- DER backing buffer zeroized after return INVARIANT (the critical assertion)
- DER buffer zeroized even on onDER-error path
- contract-violator defense (caller retains slice -> reads zeros)

ensureAgentKeyDirSecure coverage (13-row table-driven):
- empty/dot/root refused with documented error wrap
- creates with 0700 (incl. nested ancestors)
- existing 0700 noop short-circuit
- tighten 0750/0755/0777 -> 0700
- accept existing 0500/0400 (mode&0o077==0 branch, no chmod)
- filepath.Clean normalization (trailing slash + dot prefix)
- PathIsAFile (documents current behavior; not a bug per call sites)
- Idempotent
- Concurrent (-race clean across 8 goroutines)
- Stat error propagated (root-skips cleanly on non-root CI)
- Mkdir error propagated (root-skips cleanly on non-root CI)
- Chmod error propagated (linux-only via /sys read-only fs)
- Format-includes-cleaned-path debuggability assertion

Plus end-to-end smoke replaying cmd/agent/main.go's composition flow.

Coverage delta:
cmd/agent/keymem.go::marshalAgentKeyAndZeroize 0.0% -> 85.7% (>=85% gate met)
cmd/agent/keymem.go::ensureAgentKeyDirSecure 11.1% -> 94.4% (>=85% gate met)
cmd/agent overall 54.3% -> 57.7% (+3.4pp)

The cmd/agent overall >=75% stretch target is unachievable from a keymem-only
test file because the package's bulk (Run, main, executeCSRJob,
executeDeploymentJob, verifyAndReportDeployment) is unrelated to key-handling
and dominates the denominator. Tracked as a follow-on cmd/agent flow-test bundle.

Verification:
go test -short ./cmd/agent/... PASS
go test -race -count=3 ./cmd/agent/... PASS, 0 races
gofmt -l cmd/agent/keymem_test.go clean
go vet ./cmd/agent/... clean
staticcheck ./cmd/agent/... clean

Audit deliverables:
coverage-audit-2026-04-27/findings.yaml: C-008 status open -> closed
coverage-audit-2026-04-27/gap-backlog.md: closure log entry + H-006 partial
coverage-audit-2026-04-27/coverage-report.md: Bundle 0.7 closure block appended
coverage-audit-2026-04-27/coverage-matrix.md: cmd/agent row 'NOT MEASURED' -> 57.7%
coverage-audit-closure-plan.md: Bundle 0.7 checklist ticked
CHANGELOG.md: [unreleased] Bundle 0.7 entry

Bundle J (ACME failure-mode coverage) unblocked.
2026-04-27 14:26:00 +00:00
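The two contracts the commit message tests (wipe the DER buffer on every return path, and hold the key directory at 0700 or tighter) as an added Go example; this is not the project's cmd/agent/keymem.go, the names marshalAndZeroize and ensureDirSecure are hypothetical, and the behaviour is modelled only on the bullet list above.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"os"
	"path/filepath"
)
// marshalAndZeroize (hypothetical name): encode key as PKCS#8 DER, hand it to
// onDER, and wipe the buffer on every return path, including an onDER error.
func marshalAndZeroize(key crypto.PrivateKey, onDER func([]byte) error) error {
	if key == nil {
		return fmt.Errorf("nil key") // onDER is never invoked for a nil key
	}
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return err
	}
	defer clear(der) // zero the backing array (Go 1.21+ builtin)
	return onDER(der)
}

// ensureDirSecure (hypothetical name): refuse empty/"."/root, create as 0700
// (ancestors included), tighten a dir with group/other bits; 0500/0400 stay.
func ensureDirSecure(dir string) (string, error) {
	clean := filepath.Clean(dir)
	if dir == "" || clean == "." || clean == string(filepath.Separator) {
		return "", fmt.Errorf("refusing unsafe key dir %q", dir)
	}
	fi, err := os.Stat(clean)
	switch {
	case os.IsNotExist(err):
		return clean, os.MkdirAll(clean, 0o700)
	case err != nil:
		return "", fmt.Errorf("stat %s: %w", clean, err)
	case fi.Mode().Perm()&0o077 != 0:
		return clean, os.Chmod(clean, 0o700)
	}
	return clean, nil // already 0700 or tighter: no chmod
}

func main() {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	var kept []byte // contract violator keeps the slice; it now reads all zeros
	_ = marshalAndZeroize(key, func(der []byte) error { kept = der; return nil })
	fmt.Printf("%x\n", kept)
}
```

Because onDER receives the buffer before the deferred wipe runs, a conforming caller still sees the real DER; only a slice retained past the return reads zeros.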