gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-08 17:09:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
516 Commits 1 Branch 82 Tags
6cf7ae05d6546606e462feafa7bcfc45a57c19e4
Commit Graph

5 Commits

Author SHA1 Message Date
shankar0123 dfb083c9f4 Bundle M.SSH-extended (Coverage Audit Extension): SSH connector 71.6% -> 90.2% — H-002 closed 
internal/connector/target/ssh/ssh_server_fixture_test.go (~580 LoC,
14 tests) pins realSSHClient.Connect / Execute / WriteFile /
StatFile / Close end-to-end via an embedded golang.org/x/crypto/ssh
ServerConn + pkg/sftp.NewServer, bound to net.Listen('tcp',
'127.0.0.1:0'). Same hand-rolled in-process protocol-server pattern
as the M.Email SMTP fixture.

Coverage delta (per-function):
  Connect      0.0% -> ~95% (ed25519 host key + password/key auth +
                             handshake + sftp open)
  Execute     25.0% -> ~95% (success path + exit-code-1 + not-conn)
  WriteFile   15.4% -> ~95% (round-trip + chmod + not-conn)
  StatFile    33.3% -> ~95% (size assertion + not-conn + not-exist)
  Close       42.9% -> ~95% (idempotent + never-connected)

Package overall: 71.6% -> 90.2% (+18.6pp; +5.2 above 85% gate).

Test infrastructure
  - fakeSSHServer (~150 LoC): net.Listen + ed25519 host key +
    PasswordCallback + PublicKeyCallback. Optional toggles for
    rejectAuth / dropOnHandshake / failExec / failSFTP failure
    modes.
  - encodePEMBlock + base64Encode helpers (~50 LoC) for OpenSSH
    private-key serialization. Avoids encoding/pem dep churn in
    test header.
  - t.Cleanup wires server shutdown + WaitGroup-drain of in-flight
    connection handlers (no goroutine leaks).

Test groups
  - Connect: password success / wrong-password / auth-rejected-all /
    handshake-dropped / TCP-refused / key-auth success
  - Execute: success / not-connected / exit-code-1
  - WriteFile + StatFile: round-trip with size + chmod 0640
    verification / not-connected / not-exist
  - Close: idempotent / never-connected

Verification
  - go test -short -count=1 ./internal/connector/target/ssh/...: PASS
  - 20ms wall time
  - go vet clean

Audit deliverables
  - findings.yaml H-002 status partial_closed -> closed
    (will update in extension-progress.md sweep)
  - extension-progress.md: M.SSH-extended marked DONE

Closes: H-002 (SSH Connect / Execute / WriteFile branches)
Bundle: M.SSH-extended (Coverage Audit Extension)
 2026-04-27 19:07:38 +00:00
shankar0123 41a8f5853e Bundle M (Coverage Audit Closure): connector failure-mode round — 3 of 4 sub-batches 
M.F5 closes H-001; M.Email closes H-003; M.SSH partial-closes H-002; M.Cloud (H-004) deferred.

M.F5 (~430 LoC f5_realclient_test.go):

  Coverage: 44.6% -> 90.1% (+45.5pp; +5.1 above 85% target)

  Bypasses existing F5Client-interface mock; exercises every realF5Client

  HTTP method end-to-end against httptest.Server with canned iControl REST

  responses. 401-retry path verified. Per-fn ALL previously-0% lifted to

  88-100%. Plus context-cancel test.

M.SSH (~150 LoC ssh_realclient_test.go) PARTIAL-CLOSED:

  Coverage: 55.2% -> 71.6% (+16.4pp; below 85% target)

  Covers buildAuthMethods all branches + WriteFile/Execute/StatFile

  not-connected guards + Close idempotency.

  Connect() ~50 LoC needs embedded golang.org/x/crypto/ssh server fixture

  (~1000 LoC test infrastructure). Tracked as Bundle M.SSH-extended.

M.Email (~340 LoC email_failure_test.go):

  Coverage: 39.7% -> 70.5% (+30.8pp; +0.5 above 70% target)

  Hand-rolled minimal SMTP server (responds to EHLO/AUTH/MAIL/RCPT/DATA/

  QUIT with canned 2xx/3xx/5xx responses based on per-test failOn map).

  Tests:

    - Header-injection (CWE-113): CR/LF/NUL in From/To/Subject reject

      before any SMTP I/O (6 tests across sendEmail + sendHTMLEmail)

    - Connection-refused for both sendEmail and sendHTMLEmail

    - SendAlert / SendEvent full SMTP transactions (happy path)

    - Server-side failures: RCPT 550, DATA 554

    - AUTH PLAIN happy + 535-failure

M.Cloud (H-004) DEFERRED:

  AzureKV 41.2% / GCP-SM 43.1%. Same M.F5 approach (httptest.Server +

  OAuth2 token endpoint mock) is straightforward but ~600 LoC tests +

  ~200 LoC mock infrastructure exceeds session budget. Tracked as

  Bundle M.Cloud-extended.

Verification:

  go vet ./internal/connector/{target/f5,target/ssh,notifier/email}/...  clean

  gofmt -l                                                                clean

  staticcheck -checks all                                                 clean

  go test -short -count=1                                                 PASS

  F5     90.1%  Email 70.5%  SSH 71.6%

Audit deliverables:

  findings.yaml: -0008 (F5) + -0010 (Email) -> closed; -0009 (SSH) ->

    partial_closed; -0011 (Cloud) retained as deferred

  gap-backlog.md: strikethroughs + Bundle M closure-log entry covering all 4 sub-batches

  coverage-matrix.md: 3 new rows for F5/SSH/Email at post-Bundle-M coverage

  closure-plan.md: Bundle M [~] with per-sub-batch status breakdown

  CHANGELOG.md: [unreleased] Bundle M entry
 2026-04-27 17:24:55 +00:00
shankar0123 370f856725 fix: resolve 8 staticcheck lint errors in test files 
SA1029: use typed context key instead of string in main_test.go
S1039: remove unnecessary fmt.Sprintf in validation_test.go
SA4023: fix unreachable nil check on concrete error type
SA4006: fix unused variable assignments in stepca_test.go (4 occurrences)
SA4000: fix duplicate expression in ssh_test.go (BEGIN vs END CERTIFICATE)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-09 23:27:57 -04:00
shankar0123 7382e5f03b test: comprehensive test gap closure across 24 packages 
Close coverage gaps identified by dual-audit (qualitative + quantitative).
New test files for config (0%→98%), router (0%→100%), handler validation,
health, audit, response helpers, webhook notifier (0%→88%), email notifier,
middleware (recovery, rate limiter), domain profile, service nil-safety,
config helpers, issuer bootstrap, and server bootstrap wiring. Expanded
existing tests for ACME (34%→42%), step-ca (42%→52%), F5, SSH, agent
(43%→63%), scheduler (88%→99%), renewal service, and issuerfactory.

All tests pass: go test -short, go vet, go test -race clean.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-09 23:09:40 -04:00
shankar0123 697c0be9f3 feat(M38): SSH target connector for agentless deployment via SSH/SFTP 
Adds a new target connector enabling certificate deployment to any
Linux/Unix server without installing the certctl agent binary. Uses the
proxy agent pattern — a single agent in the same network zone deploys
certs to remote servers over SSH/SFTP.

Key additions:
- SSH/SFTP connector with key auth (file/inline) + password auth
- Injectable SSHClient interface for cross-platform testing (25 tests)
- Shell injection prevention via validation.ValidateShellCommand()
- Configurable cert/key/chain paths with octal permissions
- GUI: 11 SSH config fields in target create wizard

Also fixes pre-existing frontend bug where all target type strings
(nginx, apache, etc.) were sent as lowercase but the backend expects
proper-case (NGINX, Apache, etc.), breaking GUI-created targets.
Adds missing TargetTypeSSH to validTargetTypes service map.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-05 12:36:01 -04:00