gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 18:41:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
certctl/internal/connector/target/validate_only_test.go
T
shankar0123 49f1a60762 feat(target): ValidateOnly dry-run method on Connector interface (default returns ErrValidateOnlyNotSupported) 
Phase 3 of the deploy-hardening I master bundle. Extends the
target.Connector interface with the dry-run method that operators
will use to preview a deploy before committing — but ships only the
default-stub for all 13 connectors. Phases 4-9 replace each stub
with the real validate-with-the-target implementation.

interface.go:
- Add ErrValidateOnlyNotSupported sentinel (frozen decision 0.6 —
  connectors that cannot dry-run, like K8s, return this rather than
  nil so operator triage can errors.Is for "not supported" vs
  "validated successfully").
- Add ValidateOnly(ctx, request DeploymentRequest) error to
  Connector interface.

13 new validate_only.go files (one per connector at
internal/connector/target/<name>/validate_only.go):
- apache, caddy, envoy, f5, haproxy, iis, javakeystore, k8ssecret,
  nginx, postfix, ssh, traefik, wincertstore.
- Each file is identical except for the package declaration: a
  one-method default stub returning target.ErrValidateOnlyNotSupported.
- Per-connector files (rather than a single embed-method approach)
  let Phases 4-9 replace each connector's stub independently
  without churning a shared base.

Tests:
- internal/connector/target/validate_only_test.go pins the sentinel
  contract (errors.Is identity, Error() string, %w wrap propagation).
- internal/connector/target/validate_only_smoke_test.go (external
  test package) constructs a zero-value &<pkg>.Connector{} for each
  of the 13 connectors and asserts ValidateOnly returns
  ErrValidateOnlyNotSupported. The test's
  connectorsAtPhase3 list is the load-bearing CI guard:
  - A 14th connector added without wiring ValidateOnly fails the
    `len(connectorsAtPhase3) != 13` invariant.
  - A connector whose real ValidateOnly lands (Phase 4 NGINX, Phase
    5 Apache, etc.) MUST be removed from this list or the smoke test
    fails (real impl no longer returns the sentinel). That removal
    IS the bookkeeping that the operator-visible bit + behavior
    change are wired together end-to-end.

Compile + go vet + golangci-lint v2.11.4 + go test all 0 issues.

Phase 4 next: NGINX canonical real-impl — replace the stub with
nginx -t -c <temp>; same time replace the existing os.WriteFile
flow in DeployCertificate with deploy.Apply(...).
2026-04-30 14:40:51 +00:00

64 lines
2.3 KiB
Go
Raw Permalink Blame History

package target
import (
"errors"
"testing"
)
// Phase 3 of the deploy-hardening I master bundle: pin the
// ErrValidateOnlyNotSupported sentinel contract. Connectors
// returning this from ValidateOnly indicate they cannot dry-run
// (e.g. K8s — no API for "would this Secret update succeed?").
//
// Every connector compile-time-implements ValidateOnly via the
// per-package validate_only.go stub; Phases 4-9 replace the stub
// with a real validate-with-the-target implementation per
// connector. Until then the sentinel is the contract.
// TestErrValidateOnlyNotSupported_Sentinel pins the sentinel's
// identity and message so downstream connectors can rely on
// errors.Is checks.
func TestErrValidateOnlyNotSupported_Sentinel(t *testing.T) {
if ErrValidateOnlyNotSupported == nil {
t.Fatal("sentinel is nil")
}
if !errors.Is(ErrValidateOnlyNotSupported, ErrValidateOnlyNotSupported) {
t.Fatal("errors.Is fails on the sentinel against itself")
}
want := "target connector does not support ValidateOnly dry-run"
if got := ErrValidateOnlyNotSupported.Error(); got != want {
t.Errorf("Error() = %q, want %q", got, want)
}
}
// TestErrValidateOnlyNotSupported_WrappableForCallerContext
// confirms callers can wrap the sentinel with extra context (e.g.
// "k8s: ValidateOnly: ErrValidateOnlyNotSupported") and the
// wrapped error still satisfies errors.Is for the operator's
// triage logic.
func TestErrValidateOnlyNotSupported_WrappableForCallerContext(t *testing.T) {
wrapped := errors.New("connector wraps with extra info: " + ErrValidateOnlyNotSupported.Error())
// errors.Is should NOT match a wrapped-by-string copy (no %w).
if errors.Is(wrapped, ErrValidateOnlyNotSupported) {
t.Error("errors.Is matched a string-wrapped copy; should require %w wrap")
}
// %w wrap MUST match.
properly := wrapErr(ErrValidateOnlyNotSupported, "k8s")
if !errors.Is(properly, ErrValidateOnlyNotSupported) {
t.Error("errors.Is failed to match %w-wrapped sentinel")
}
}
// wrapErr is a small test-only helper proving the %w pattern.
func wrapErr(err error, ctx string) error {
return &wrappedErr{ctx: ctx, err: err}
}
type wrappedErr struct {
ctx string
err error
}
func (w *wrappedErr) Error() string { return w.ctx + ": " + w.err.Error() }
func (w *wrappedErr) Unwrap() error { return w.err }
Reference in New Issue View Git Blame Copy Permalink