certctl

gsadmin/certctl

Fork 0

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-11 20:38:51 +00:00

Commit Graph

Author	SHA1	Message	Date
shankar0123	03eecaa42c	Bundle N (Coverage Audit Closure) [partial]: issuer-connector stubs coverage Closes M-001 partially; M-002, M-003, and CI threshold raise #2 deferred. Stubs coverage shipped across 8 issuer connectors via per-connector <conn>_stubs_test.go (~50 LoC each) pinning the not-supported issuer.Connector interface methods (GenerateCRL, SignOCSPResponse, GetCACertPEM, GetRenewalInfo). Most CAs delegate CRL/OCSP/CA-cert distribution to managed services, so these are documented stubs that return errors. Pinning them ensures the stubs aren't silently replaced with no-ops in a future refactor. Coverage delta: digicert: 79.3% -> 81.0% (+1.7pp) ejbca: 75.8% -> 76.5% (+0.7pp) entrust: 70.8% -> 70.8% (stubs already covered) sectigo: 78.0% -> 79.4% (+1.4pp) vault: 81.0% -> 84.1% (+3.1pp) openssl: 76.9% -> 78.0% (+1.1pp) googlecas: 81.0% -> 83.4% (+2.4pp) globalsign: 75.9% -> 78.2% (+2.3pp) (awsacmpca not included; its 0%-coverage hotspots are stubClient methods structurally different from the others' interface stubs. Already at 83.5%.) Why the gates aren't yet met: the stub functions are tiny (1-2 lines each, mostly 'return nil, fmt.Errorf("not supported")'). Lifting each connector to >=85% requires per-connector failure-mode test files mirroring Bundle J's ACME pattern (httptest.Server + canned 401/403/ 429+Retry-After/5xx/malformed responses against the actual API methods). That's ~200-300 LoC x 9 connectors = ~2000-2700 LoC of bespoke per-CA mock work; exceeds this session's budget. Tracked as follow-on Bundle N.A-extended / N.B-extended. Deferred sub-batches: N.C (M-002 + M-003): internal/service (70.5%) + internal/api/handler (79.4%) round-out NOT YET STARTED. Tracked as Bundle N.C-extended. N.CI (CI threshold raise #2): prescribed raises require underlying coverage at proposed floors first. Premature raise would fail CI immediately. Tracked as Bundle N.CI-extended. Verification: go vet ./internal/connector/issuer/{8-pkgs}/... clean gofmt -l clean go test -short -count=1 PASS for all 8 Audit deliverables: gap-backlog.md: M-001 partial-strikethrough with per-connector table + Bundle N closure-log entry covering all 4 sub-batch statuses closure-plan.md: Bundle N [~] with per-sub-batch status breakdown CHANGELOG.md: [unreleased] Bundle N entry	2026-04-27 17:45:18 +00:00
shankar0123	5a53b648b1	feat(M44): Google CAS issuer connector Google Cloud Certificate Authority Service integration via REST API with OAuth2 service account auth (JWT→access token). Synchronous issuance model, CA pool selection, mutex-guarded token caching, revocation with RFC 5280 reason mapping. No Google SDK dependency — all stdlib. 19 tests with httptest mock OAuth2 + CAS API. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-03 21:25:34 -04:00

Author

SHA1

Message

Date

shankar0123

03eecaa42c

Bundle N (Coverage Audit Closure) [partial]: issuer-connector stubs coverage

Closes M-001 partially; M-002, M-003, and CI threshold raise #2 deferred.

Stubs coverage shipped across 8 issuer connectors via per-connector

<conn>_stubs_test.go (~50 LoC each) pinning the not-supported

issuer.Connector interface methods (GenerateCRL, SignOCSPResponse,

GetCACertPEM, GetRenewalInfo). Most CAs delegate CRL/OCSP/CA-cert

distribution to managed services, so these are documented stubs that

return errors. Pinning them ensures the stubs aren't silently replaced

with no-ops in a future refactor.

Coverage delta:

  digicert:   79.3% -> 81.0%  (+1.7pp)

  ejbca:      75.8% -> 76.5%  (+0.7pp)

  entrust:    70.8% -> 70.8%  (stubs already covered)

  sectigo:    78.0% -> 79.4%  (+1.4pp)

  vault:      81.0% -> 84.1%  (+3.1pp)

  openssl:    76.9% -> 78.0%  (+1.1pp)

  googlecas:  81.0% -> 83.4%  (+2.4pp)

  globalsign: 75.9% -> 78.2%  (+2.3pp)

(awsacmpca not included; its 0%-coverage hotspots are stubClient methods

structurally different from the others' interface stubs. Already at 83.5%.)

Why the gates aren't yet met: the stub functions are tiny (1-2 lines

each, mostly 'return nil, fmt.Errorf("not supported")'). Lifting each

connector to >=85% requires per-connector failure-mode test files

mirroring Bundle J's ACME pattern (httptest.Server + canned 401/403/

429+Retry-After/5xx/malformed responses against the actual API methods).

That's ~200-300 LoC x 9 connectors = ~2000-2700 LoC of bespoke per-CA

mock work; exceeds this session's budget. Tracked as follow-on

Bundle N.A-extended / N.B-extended.

Deferred sub-batches:

  N.C (M-002 + M-003): internal/service (70.5%) + internal/api/handler

    (79.4%) round-out NOT YET STARTED. Tracked as Bundle N.C-extended.

  N.CI (CI threshold raise #2): prescribed raises require underlying

    coverage at proposed floors first. Premature raise would fail CI

    immediately. Tracked as Bundle N.CI-extended.

Verification:

  go vet ./internal/connector/issuer/{8-pkgs}/...   clean

  gofmt -l                                          clean

  go test -short -count=1                           PASS for all 8

Audit deliverables:

  gap-backlog.md: M-001 partial-strikethrough with per-connector table

    + Bundle N closure-log entry covering all 4 sub-batch statuses

  closure-plan.md: Bundle N [~] with per-sub-batch status breakdown

  CHANGELOG.md: [unreleased] Bundle N entry

2026-04-27 17:45:18 +00:00

shankar0123

5a53b648b1

feat(M44): Google CAS issuer connector

Google Cloud Certificate Authority Service integration via REST API
with OAuth2 service account auth (JWT→access token). Synchronous
issuance model, CA pool selection, mutex-guarded token caching,
revocation with RFC 5280 reason mapping. No Google SDK dependency —
all stdlib. 19 tests with httptest mock OAuth2 + CAS API.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-04-03 21:25:34 -04:00

2 Commits