certctl

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 19:01:34 +00:00

Files

T

shankar0123 4e8fb16fc2 fix(oidc): test seam for jwksProbeClient — closes the B5 R6 httptest regression

CI break diagnosed from go-build-and-test on 47da13e+596e675:
TestTestDiscovery_HappyPath_AgainstMockIdP + TestTestDiscovery_JWKSFetchFails
fail with "refusing to dial reserved address 127.0.0.1" because my
Bundle 5 R6 closure wrapped jwksReachable in
validation.SafeHTTPDialContext — which is exactly what the production
guard is supposed to refuse for httptest.NewServer's 127.0.0.1 bind.

Same shape as the Slack/Teams test-seam fix in 596e675: factor the
http.Client construction into a package-level var (`jwksProbeClient`),
default to the SSRF-safe transport in production, override to
http.DefaultTransport in test-only `setup_test.go::init()`. Production
code never reassigns the var. The audit R6 closure stands — the
production jwksReachable still uses validation.SafeHTTPDialContext.

Verification (sandbox, Go 1.25.10):
  go test -short -count=1
    -run 'TestTestDiscovery_HappyPath|TestTestDiscovery_JWKSFetchFails'
    ./internal/auth/oidc                                # PASS (1.1s)
  go test -short -count=1 ./internal/auth/oidc          # PASS (21.8s)
  gofmt -l                                              # clean
  go vet ./internal/auth/oidc                           # clean

2026-05-13 01:30:47 +00:00

bootstrap

harden(auth): LOW + Nit batch — bootstrap audit, crypto/rand, XFF trust, CSRF check, protocol-prefix unify (Batch 1)

2026-05-10 22:26:12 +00:00

breakglass

test(coverage): backfill 5 packages to clear v2.1.0 release-gate Phase 3 floors

2026-05-11 14:12:11 +00:00

oidc

fix(oidc): test seam for jwksProbeClient — closes the B5 R6 httptest regression

2026-05-13 01:30:47 +00:00

session

test(coverage): backfill 5 packages to clear v2.1.0 release-gate Phase 3 floors