mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-11 03:39:01 +00:00
shankar0123
12e5f97f59
Phase 5 of the deploy-hardening I master bundle. Mirrors the Phase 4 NGINX template for Apache httpd. Test count lifts 3 → 34 (above the prompt's >=30 target; matches and slightly exceeds the IIS bar). Apache-specific quirks codified in apache.go: - Validate command convention is `apachectl configtest` (NOT `apachectl -t` — that flag exists but configtest is the documented operator-facing form). - Reload command convention is `apachectl graceful` for zero- downtime worker swap (NOT `apachectl restart` which drops in-flight TLS sessions). - Per-distro user defaults: Debian/Ubuntu apache2, RHEL/CentOS apache, Alpine httpd. pickFirstExistingUser walks the list and picks the one that resolves on the host; falls back to no-chown when none exist (cross-distro portability without operator config; same approach as nginx). - Default key file mode 0600 for back-compat with operators relying on the historical hard-coded value (matches the pre-Phase-5 implementation behavior). DeployCertificate refactor: - Replaces the duplicated os.WriteFile chain with deploy.Apply. - PreCommit runs the operator's ValidateCommand via the test seam (which wraps `sh -c <cmd>` in production). - PostCommit runs ReloadCommand the same way. - Post-deploy TLS verify (frozen-decision-0.3 default ON when Endpoint is configured): probes the configured target, compares leaf cert SHA-256 against deployed bytes, retries with exponential backoff (default 3 attempts / 2s backoff for load-balanced targets). - Rollback wires: reload-fail → restore backups + retry reload; verify-fail → restore backups + reload again. Second-failure surfaces ErrRollbackFailed for operator-actionable triage. ValidateOnly real implementation replaces the Phase 3 stub. Returns ErrValidateOnlyNotSupported when no ValidateCommand configured; otherwise runs the validate-with-the-target command without touching the live cert. Test seams (SetTestRunValidate / SetTestRunReload / SetTestProbe) allow tests to skip exec without `apachectl` on PATH; mirror the nginx pattern. Tests (34 total: 31 in apache_atomic_test.go + 3 pre-existing in apache_test.go): - Atomic invariants (happy, validate-fail-no-files-changed, reload-fail-rollback, rollback-also-fail-escalation) - SHA-256 idempotency (full skip + partial-mismatch full-deploy) - Post-deploy verify (match-success, mismatch-rollback, dial-timeout-rollback, retries-until-match, retries-exhausted-rollback, no-endpoint-skips, disabled-skips) - Ownership / mode preservation (existing-mode, override-wins, default-key-0600, default-cert-0644) - Backup retention (keeps-N, disabled-no-backups, backup-created) - Concurrency (same-paths-serialize) - ValidateOnly (happy, fails, no-command-sentinel, stderr-in-error) - Edge cases (no-chain, no-key, ctx-cancelled, verify-rollback- reload, deployment-id-prefix, metadata-populated) Coverage: Apache 86.6% (above the >=85% prompt bar). Race detector clean. golangci-lint v2.11.4 clean. Smoke test connectorsAtPhase3 list shrunk from 12 to 11 entries (apache removed; nginx + apache now have real impls). Phase 6 next: HAProxy (combined PEM atomic write + `haproxy -c -f` validate + uplift 3 → >=30).
106 lines
5.0 KiB
Go
106 lines
5.0 KiB
Go
package target_test
|
|
|
|
// Phase 3 of the deploy-hardening I master bundle: per-connector
|
|
// regression smoke pinning the default ValidateOnly stub returns
|
|
// the sentinel for every one of the 13 connectors. This test lives
|
|
// in target_test (external test package) so it can import each
|
|
// connector concretely + assert the interface contract.
|
|
//
|
|
// As Phases 4-9 replace each connector's stub with a real
|
|
// validate-with-the-target implementation, the corresponding
|
|
// per-connector entry in TestEveryConnectorDefaultsToSentinel
|
|
// MUST be deleted (or the test will fail because the real
|
|
// implementation no longer returns the sentinel). That deletion
|
|
// IS the bookkeeping that the operator-visible bit + behavior
|
|
// change are wired together.
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"testing"
|
|
|
|
"github.com/shankar0123/certctl/internal/connector/target"
|
|
// apache removed Phase 5 — real ValidateOnly implementation now in apache.go.
|
|
"github.com/shankar0123/certctl/internal/connector/target/caddy"
|
|
"github.com/shankar0123/certctl/internal/connector/target/envoy"
|
|
"github.com/shankar0123/certctl/internal/connector/target/f5"
|
|
"github.com/shankar0123/certctl/internal/connector/target/haproxy"
|
|
"github.com/shankar0123/certctl/internal/connector/target/iis"
|
|
"github.com/shankar0123/certctl/internal/connector/target/javakeystore"
|
|
"github.com/shankar0123/certctl/internal/connector/target/k8ssecret"
|
|
// nginx removed Phase 4 — real ValidateOnly implementation now in nginx.go.
|
|
"github.com/shankar0123/certctl/internal/connector/target/postfix"
|
|
"github.com/shankar0123/certctl/internal/connector/target/ssh"
|
|
"github.com/shankar0123/certctl/internal/connector/target/traefik"
|
|
"github.com/shankar0123/certctl/internal/connector/target/wincertstore"
|
|
)
|
|
|
|
// connectorsAtPhase3 is the canonical list of connectors that, as
|
|
// of Phase 3, return ErrValidateOnlyNotSupported from
|
|
// ValidateOnly. Each entry is a (name, factory) tuple; the factory
|
|
// returns a target.Connector via the connector's bare-NewConnector
|
|
// constructor pattern. As Phases 4-9 land, the corresponding
|
|
// connector is REMOVED from this list — its real ValidateOnly
|
|
// implementation is then exercised in the per-connector test
|
|
// suite, NOT here.
|
|
//
|
|
// CI guard rationale: a future PR that adds a 14th connector
|
|
// without wiring ValidateOnly fails this test (the sentinel
|
|
// contract is not satisfied). A future PR that implements a real
|
|
// ValidateOnly for, say, NGINX, but forgets to remove its entry
|
|
// from this list, fails this test (real impl no longer returns
|
|
// the sentinel). Both are the load-bearing bookkeeping protections.
|
|
var connectorsAtPhase3 = []struct {
|
|
name string
|
|
// new returns a fresh Connector instance. The default
|
|
// ValidateOnly stub doesn't dereference any field on the
|
|
// receiver, so a zero-value &pkg.Connector{} is sufficient
|
|
// to satisfy the interface and exercise the sentinel return.
|
|
// Phases 4-9 introduce real validate-with-the-target impls
|
|
// that DO read fields; those connectors will need a populated
|
|
// constructor here OR (more likely) be removed from this list
|
|
// entirely and exercised in their own per-connector test
|
|
// suite.
|
|
new func() target.Connector
|
|
}{
|
|
// apache removed Phase 5 — its ValidateOnly is now the real
|
|
// implementation; tested directly in apache/apache_atomic_test.go.
|
|
{"caddy", func() target.Connector { return &caddy.Connector{} }},
|
|
{"envoy", func() target.Connector { return &envoy.Connector{} }},
|
|
{"f5", func() target.Connector { return &f5.Connector{} }},
|
|
{"haproxy", func() target.Connector { return &haproxy.Connector{} }},
|
|
{"iis", func() target.Connector { return &iis.Connector{} }},
|
|
{"javakeystore", func() target.Connector { return &javakeystore.Connector{} }},
|
|
{"k8ssecret", func() target.Connector { return &k8ssecret.Connector{} }},
|
|
// nginx removed Phase 4 — its ValidateOnly is now the real
|
|
// implementation; tested directly in
|
|
// internal/connector/target/nginx/nginx_test.go.
|
|
{"postfix", func() target.Connector { return &postfix.Connector{} }},
|
|
{"ssh", func() target.Connector { return &ssh.Connector{} }},
|
|
{"traefik", func() target.Connector { return &traefik.Connector{} }},
|
|
{"wincertstore", func() target.Connector { return &wincertstore.Connector{} }},
|
|
}
|
|
|
|
func TestEveryConnectorDefaultsToSentinel(t *testing.T) {
|
|
// Expected list size shrinks as Phases 4-9 land their real
|
|
// ValidateOnly implementations. Phase 4 removed nginx.
|
|
const expectedAtCurrentPhase = 11
|
|
if len(connectorsAtPhase3) != expectedAtCurrentPhase {
|
|
t.Fatalf("connectors-at-phase list = %d entries, want %d (drift in the 13-connector inventory)", len(connectorsAtPhase3), expectedAtCurrentPhase)
|
|
}
|
|
for _, c := range connectorsAtPhase3 {
|
|
t.Run(c.name, func(t *testing.T) {
|
|
conn := c.new()
|
|
err := conn.ValidateOnly(context.Background(), target.DeploymentRequest{
|
|
CertPEM: "ignored-by-stub",
|
|
ChainPEM: "ignored",
|
|
TargetConfig: json.RawMessage(`{}`),
|
|
})
|
|
if !errors.Is(err, target.ErrValidateOnlyNotSupported) {
|
|
t.Errorf("got %v, want ErrValidateOnlyNotSupported", err)
|
|
}
|
|
})
|
|
}
|
|
}
|