gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-10 18:18:52 +00:00
Code Issues Packages Projects Releases Wiki Activity
486 Commits 1 Branch 82 Tags
92afe359e9ffa66e96a776fc0feddf013015a8df
Commit Graph

2 Commits

Author SHA1 Message Date
shankar0123 3a84432eeb Bundle M.Cloud (Coverage Audit Closure): AzureKV + GCP-SM — H-004 closed 
Closes the deferred 4th sub-batch from Bundle M; Bundle M is now FULLY CLOSED across all 4 sub-batches.

Coverage:

  AzureKV:  41.2% -> 85.6%  (+44.4pp; +15.6 above 70% target)

  GCP-SM:   43.1% -> 83.4%  (+40.3pp; +13.4 above 70% target)

Engineering: rewritingTransport (custom http.RoundTripper) intercepts

the hardcoded cloud-API URLs (login.microsoftonline.com /

oauth2.googleapis.com / secretmanager.googleapis.com) and rewrites Host

to point at an httptest.Server while preserving Path + Query. For GCP,

the service-account JSON file written to t.TempDir() carries token_uri

pointing at the test server (clean override path).

azurekv_failure_test.go (~280 LoC, 13 tests):

  - getAccessToken: happy + cached-reuse + 401 + malformed JSON +

    empty-token + network-error

  - ListCertificates: happy + token-failure + 5xx + malformed +

    multi-page pagination via nextLink

  - GetCertificate: happy + 404 + malformed JSON

  - New constructor smoke

gcpsm_failure_test.go (~430 LoC, 19 tests):

  - loadServiceAccountKey: happy + file-not-found + malformed-JSON +

    bad-PEM + empty-private-key

  - getAccessToken: happy (JWT-bearer flow) + cached-reuse + 401 +

    malformed + empty-token + load-credentials-failure

  - ListSecrets: happy + token-failure + 5xx + malformed

  - AccessSecretVersion: happy + 404 + bad-base64-payload

  - Name / Type identity

Verification:

  go vet ./internal/connector/discovery/{azurekv,gcpsm}/...    clean

  gofmt -l                                                     clean

  staticcheck -checks all                                      clean (only

    pre-existing ST1005 hits in master, unrelated to Bundle M.Cloud)

  go test -short -count=1                                      PASS

  go test -race -count=1                                       PASS, 0 races

Audit deliverables:

  findings.yaml: -0011 status open -> closed with full closure_note

  gap-backlog.md: H-004 strikethrough + Bundle M.Cloud closure-log entry

  coverage-matrix.md: 2 new rows for AzureKV + GCP-SM at post-Bundle coverage

  closure-plan.md: Bundle M [~] -> [x] (all 4 sub-batches closed)

  CHANGELOG.md: [unreleased] Bundle M.Cloud entry
 2026-04-27 17:34:00 +00:00
shankar0123 e1bcde4cf1 feat(M50): cloud secret manager discovery — AWS SM, Azure KV, GCP SM 
Extend certificate discovery from filesystem + network to cloud secret
managers. Three pluggable DiscoverySource connectors feed into the
existing discovery pipeline via sentinel agent pattern, with a 9th
scheduler loop for periodic cloud scanning.

- AWS Secrets Manager: aws-sdk-go-v2, tag/prefix filtering, 10 tests
- Azure Key Vault: stdlib HTTP + OAuth2, base64 DER/PEM, 16 tests
- GCP Secret Manager: stdlib HTTP + JWT OAuth2, label filter, 14 tests
- CloudDiscoveryService orchestrator with 9 tests
- 9th scheduler loop (6h default, atomic.Bool idempotency)
- Discovery page: color-coded source type badges
- 14 new env vars across CloudDiscoveryConfig structs
- Docs: connectors.md, architecture.md, features.md, README updated

49 new tests. All CI checks pass (go vet, race, lint, coverage).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-15 23:01:00 -04:00