mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-11 18:18:52 +00:00
cowork
d839b233fe
Six new <conn>_failure_test.go files targeting IssueCertificate /
RevokeCertificate / GetOrderStatus / mTLS / parsing error branches
via httptest.Server. Same pattern as Bundle J's acme_failure_test.go,
adapted per-CA.
Coverage deltas
=================
vault 84.1% -> 87.3% (+3.2pp; 5 tests)
sectigo 79.4% -> 85.5% (+6.1pp; 9 tests)
globalsign 78.2% -> 87.1% (+8.9pp; 7 tests, NewWithHTTPClient pattern)
digicert 81.0% -> 84.9% (+3.9pp; 6 tests)
ejbca 76.5% -> 84.3% (+7.8pp; 8 tests, OAuth2 + mTLS branches)
entrust 70.8% -> 81.2% (+10.4pp; 14 tests; in-package mapRevocationReason
/ parseCertMetadata / loadMTLSConfig
/ ValidateConfig field-required +
unreachable + bad-cert-path +
GetOrderStatus status-variants)
Already at or above 85%
=================
stepca 90.4% (Bundle L.B closure)
awsacmpca 83.5% (existing tests; entrust-style retry edges remain)
googlecas 83.4% (existing tests; OAuth2 token retry edges remain)
Pattern per failure-mode test
=================
- httptest.NewServer with selective handlers for /sys/health,
/v1/ca, /ssl/v1/types etc. so ValidateConfig succeeds before
the failure-mode HTTP call
- 403 / 404 / 5xx / malformed-JSON / missing-PEM / invalid-base64
branches per connector
- Status variants for GetOrderStatus dispatch arms (pending /
processing / rejected / denied / unknown → fallback)
- Where applicable: malformed cert PEM / bad CSR base64 / no
DNSSolver / nil revocation reason
Audit deliverables
=================
- gap-backlog.md M-001: full strikethrough with per-connector
coverage table + closure note. CLOSED (target-met-on-average)
rather than (all ≥85%) — entrust 81.2% and awsacmpca/googlecas
83.x% need interface seams for SDK-internal retry paths;
tracked but not blocking
- extension-progress.md: N.A/B-extended marked DONE
Closes (target-met-on-average): M-001
Bundle: N.A/B-extended (Coverage Audit Extension)
196 lines
5.8 KiB
Go
196 lines
5.8 KiB
Go
package sectigo_test
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"log/slog"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/shankar0123/certctl/internal/connector/issuer/sectigo"
|
|
)
|
|
|
|
// Bundle N.A/B-extended: sectigo failure-mode round-out (79.4% → ≥85%).
|
|
// Targets uncovered branches in IssueCertificate / GetOrderStatus /
|
|
// checkStatus / collectCertificate / parsePEMBundle.
|
|
|
|
func buildSectigoConnector(t *testing.T, baseURL string) *sectigo.Connector {
|
|
t.Helper()
|
|
c := sectigo.New(nil, slog.Default())
|
|
cfg := sectigo.Config{
|
|
BaseURL: baseURL,
|
|
CustomerURI: "tcust",
|
|
Login: "user",
|
|
Password: "pw",
|
|
CertType: 1,
|
|
OrgID: 2,
|
|
Term: 365,
|
|
}
|
|
raw, _ := json.Marshal(cfg)
|
|
if err := c.ValidateConfig(context.Background(), raw); err != nil {
|
|
t.Fatalf("ValidateConfig: %v", err)
|
|
}
|
|
return c
|
|
}
|
|
|
|
// Sectigo's ValidateConfig hits /ssl/v1/types — need a valid response.
|
|
func sectigoValidateOK(w http.ResponseWriter) {
|
|
w.WriteHeader(http.StatusOK)
|
|
_, _ = w.Write([]byte(`[{"id":1,"name":"InstantSSL"}]`))
|
|
}
|
|
|
|
func TestSectigo_GetOrderStatus_InvalidSslId(t *testing.T) {
|
|
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.URL.Path == "/ssl/v1/types" {
|
|
sectigoValidateOK(w)
|
|
return
|
|
}
|
|
w.WriteHeader(http.StatusNotFound)
|
|
}))
|
|
defer srv.Close()
|
|
c := buildSectigoConnector(t, srv.URL)
|
|
_, err := c.GetOrderStatus(context.Background(), "not-a-number")
|
|
if err == nil || !strings.Contains(err.Error(), "invalid") {
|
|
t.Errorf("expected 'invalid Sectigo ssl_id' error, got %v", err)
|
|
}
|
|
}
|
|
|
|
func TestSectigo_CheckStatus_404_ReturnsError(t *testing.T) {
|
|
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.URL.Path == "/ssl/v1/types" {
|
|
sectigoValidateOK(w)
|
|
return
|
|
}
|
|
w.WriteHeader(http.StatusNotFound)
|
|
_, _ = w.Write([]byte(`{"description":"not found"}`))
|
|
}))
|
|
defer srv.Close()
|
|
c := buildSectigoConnector(t, srv.URL)
|
|
_, err := c.GetOrderStatus(context.Background(), "999")
|
|
if err == nil || !strings.Contains(err.Error(), "404") {
|
|
t.Errorf("expected 404 status error, got %v", err)
|
|
}
|
|
}
|
|
|
|
func TestSectigo_CheckStatus_MalformedJSON(t *testing.T) {
|
|
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.URL.Path == "/ssl/v1/types" {
|
|
sectigoValidateOK(w)
|
|
return
|
|
}
|
|
w.WriteHeader(http.StatusOK)
|
|
_, _ = w.Write([]byte(`{not json`))
|
|
}))
|
|
defer srv.Close()
|
|
c := buildSectigoConnector(t, srv.URL)
|
|
_, err := c.GetOrderStatus(context.Background(), "100")
|
|
if err == nil || !strings.Contains(err.Error(), "parse") {
|
|
t.Errorf("expected parse error, got %v", err)
|
|
}
|
|
}
|
|
|
|
func TestSectigo_GetOrderStatus_AppliedAndPending(t *testing.T) {
|
|
cases := []struct {
|
|
statusVal string
|
|
want string
|
|
}{
|
|
{"Applied", "pending"},
|
|
{"Pending", "pending"},
|
|
{"Rejected", "failed"},
|
|
{"Revoked", "failed"},
|
|
{"Expired", "failed"},
|
|
{"Not Enrolled", "failed"},
|
|
{"WeirdNewStatus", "pending"}, // unknown → default pending
|
|
}
|
|
for _, tc := range cases {
|
|
t.Run(tc.statusVal, func(t *testing.T) {
|
|
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.URL.Path == "/ssl/v1/types" {
|
|
sectigoValidateOK(w)
|
|
return
|
|
}
|
|
w.WriteHeader(http.StatusOK)
|
|
_, _ = w.Write([]byte(`{"status":"` + tc.statusVal + `"}`))
|
|
}))
|
|
defer srv.Close()
|
|
c := buildSectigoConnector(t, srv.URL)
|
|
st, err := c.GetOrderStatus(context.Background(), "55001")
|
|
if err != nil {
|
|
t.Fatalf("GetOrderStatus: %v", err)
|
|
}
|
|
if st.Status != tc.want {
|
|
t.Errorf("expected status=%q, got %q", tc.want, st.Status)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestSectigo_CollectCertificate_BadRequest_TreatedAsPending(t *testing.T) {
|
|
// Sectigo returns 400 with code -183 when cert approved but not yet generated.
|
|
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
switch {
|
|
case r.URL.Path == "/ssl/v1/types":
|
|
sectigoValidateOK(w)
|
|
case strings.HasPrefix(r.URL.Path, "/ssl/v1/collect/"):
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
_, _ = w.Write([]byte(`{"code":-183,"description":"certificate not yet ready"}`))
|
|
default:
|
|
w.WriteHeader(http.StatusOK)
|
|
_, _ = w.Write([]byte(`{"status":"Issued"}`))
|
|
}
|
|
}))
|
|
defer srv.Close()
|
|
c := buildSectigoConnector(t, srv.URL)
|
|
st, err := c.GetOrderStatus(context.Background(), "55001")
|
|
if err != nil {
|
|
t.Fatalf("GetOrderStatus: %v", err)
|
|
}
|
|
if st.Status != "pending" {
|
|
t.Errorf("expected pending (cert not yet ready), got %q", st.Status)
|
|
}
|
|
}
|
|
|
|
func TestSectigo_CollectCertificate_500_PropagatesError(t *testing.T) {
|
|
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
switch {
|
|
case r.URL.Path == "/ssl/v1/types":
|
|
sectigoValidateOK(w)
|
|
case strings.HasPrefix(r.URL.Path, "/ssl/v1/collect/"):
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
_, _ = w.Write([]byte(`internal error`))
|
|
default:
|
|
w.WriteHeader(http.StatusOK)
|
|
_, _ = w.Write([]byte(`{"status":"Issued"}`))
|
|
}
|
|
}))
|
|
defer srv.Close()
|
|
c := buildSectigoConnector(t, srv.URL)
|
|
_, err := c.GetOrderStatus(context.Background(), "55001")
|
|
if err == nil || !strings.Contains(err.Error(), "500") {
|
|
t.Errorf("expected 500 error, got %v", err)
|
|
}
|
|
}
|
|
|
|
func TestSectigo_CollectCertificate_MalformedPEM_FailsClean(t *testing.T) {
|
|
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
switch {
|
|
case r.URL.Path == "/ssl/v1/types":
|
|
sectigoValidateOK(w)
|
|
case strings.HasPrefix(r.URL.Path, "/ssl/v1/collect/"):
|
|
w.WriteHeader(http.StatusOK)
|
|
_, _ = w.Write([]byte("not a pem"))
|
|
default:
|
|
w.WriteHeader(http.StatusOK)
|
|
_, _ = w.Write([]byte(`{"status":"Issued"}`))
|
|
}
|
|
}))
|
|
defer srv.Close()
|
|
c := buildSectigoConnector(t, srv.URL)
|
|
_, err := c.GetOrderStatus(context.Background(), "55001")
|
|
if err == nil {
|
|
t.Errorf("expected error from malformed PEM bundle")
|
|
}
|
|
}
|