mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 20:41:30 +00:00
claude
436382450e
Phase 1 of the deploy-hardening I master bundle. Closes the load-bearing prerequisite for the seven Bundle I items by extracting one canonical atomic-deploy primitive at internal/deploy/ that all 13 target connectors will consume in Phases 4-9. The package ships: - Plan + Apply API: write all File entries to sibling .certctl-tmp.<nanos> in the destination directory (same-filesystem guarantees os.Rename atomicity), call PreCommit (validate-with-the-target), atomic-rename all temps to final, call PostCommit (reload). On PostCommit failure, restore from pre-deploy backups + re-call PostCommit. If second PostCommit also fails, return ErrRollbackFailed (operator-actionable; documented loud). - AtomicWriteFile lower-level entry for connectors that don't fit the Plan model (F5, K8s — they ship bytes through APIs, not local files). - SHA-256 idempotency: every Apply short-circuits when all File destinations already match SHA-256 of new bytes. Defends against agent-restart retry storms hammering targets with no-op reloads. - Ownership + mode preservation: existing nginx:nginx 0640 stays nginx:nginx 0640 across renewals. Per-target FileDefaults applies for first-deploy. Per-File explicit Mode/Owner/Group overrides win over both. Closes the silent-failure mode where os.WriteFile(path, bytes, 0600) at apache.go:119 (et al.) clobbered worker access. - Backup retention janitor: pre-deploy backup at <path>.certctl-bak.<nanos>; default keeps last 3 (DefaultBackupRetention); BackupRetention=-1 disables backups (rollback impossible — documented foot-gun). - File-level mutex via sync.Map: two concurrent Apply calls touching the same destination serialize. Per-target serialization (Phase 2) is finer- grained at the agent dispatch layer; this is the file-level guard. - Sentinel errors for connector errors.Is checks: ErrPlanInvalid, ErrValidateFailed, ErrReloadFailed, ErrRollbackFailed. Tests (37 named cases across deploy_test.go + coverage_test.go) pin every load-bearing invariant the prompt's Phase 1 requires, plus error-leg coverage uplifts: - TestApply_HappyPath_PreCommitSucceeds_PostCommitSucceeds_FilesAtomic - TestApply_PreCommitFails_NoFilesChanged (atomic-or-nothing on validate) - TestApply_PostCommitFails_FilesRolledBack (rollback wire) - TestApply_RollbackAlsoFails_ReturnsErrRollbackFailed (escalation path) - TestApply_IdempotentSkip_SHA256Match (idempotency short-circuit) - TestApply_PreservesExistingOwnerAndMode_WhenNotOverridden - TestApply_RespectsOverrides_OwnerGroupMode - TestApply_ConcurrentApplyToSameFile_Serializes (file-level lock) - TestApply_BackupRetention_KeepsLastN (janitor pruning) - TestApply_NoExistingFile_UsesDefaultsForOwnerGroupMode - TestAtomicWriteFile_TempFileCleanedUpOnError - TestAtomicWriteFile_RenameRaceWithReader_AtomicReadAlwaysSeesOldOrNew (POSIX-rename atomicity proof via concurrent reader) Plus white-box tests for resolveOwnership, lookupUID/GID, and deeper error legs in restoreFromBackups + applyOwnership + AtomicWriteFile. Coverage 87.3% — practical ceiling without injecting a fault-aware FS abstraction (Write/Sync/Close OS errors are unreachable from go test without sudo'd disk-fill or a custom interface seam). Above the existing service-layer 70% floor; Phases 4-9 will lift this further as they exercise the package through real-connector use. Race detector clean; gofmt + go vet + golangci-lint v2.11.4 all 0 issues. The package is the load-bearing prerequisite for Phases 4-9. Phase 2 next: per-target deploy mutex in cmd/agent/main.go. Spec: cowork/deploy-hardening-i-prompt.md Baseline + recon: cowork/deploy-hardening-i/baseline.md
524 lines
16 KiB
Go
524 lines
16 KiB
Go
package deploy
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"sync/atomic"
|
|
"testing"
|
|
)
|
|
|
|
// Coverage uplift tests for Phase 1. These pin the error paths
|
|
// exercised in production but rare in the happy-path flow:
|
|
// - restoreFromBackups: file-didn't-exist-before deploy →
|
|
// rollback removes the new file (vs restoring bytes)
|
|
// - cleanupBackups: partial backup cleanup on early failure
|
|
// - writeTempFile: dir-creation race / O_EXCL collision
|
|
// - applyOwnership: chmod error / chown skipped when uid=-1
|
|
// - lookupUID/lookupGID: empty-string and unresolvable cases
|
|
// - unixOwnerFromStat: nil safety
|
|
// - Apply: ownership-resolution failure midway through prep
|
|
|
|
// TestApply_NewFileRollback_RemovesFile pins the
|
|
// no-backup-because-no-original case during PostCommit failure:
|
|
// the rollback removes the file rather than restoring (since
|
|
// there was nothing to restore).
|
|
func TestApply_NewFileRollback_RemovesFile(t *testing.T) {
|
|
dir := t.TempDir()
|
|
cert := filepath.Join(dir, "fresh.crt")
|
|
|
|
postCalls := 0
|
|
plan := Plan{
|
|
Files: []File{{Path: cert, Bytes: []byte(testCert1)}},
|
|
PostCommit: func(ctx context.Context) error {
|
|
postCalls++
|
|
if postCalls == 1 {
|
|
return errors.New("nginx exited 1")
|
|
}
|
|
return nil
|
|
},
|
|
}
|
|
res, err := Apply(context.Background(), plan)
|
|
if !errors.Is(err, ErrReloadFailed) {
|
|
t.Fatalf("expected ErrReloadFailed, got %v", err)
|
|
}
|
|
if !res.RolledBack {
|
|
t.Error("expected RolledBack=true")
|
|
}
|
|
// The file should no longer exist (rollback removed it
|
|
// because there was no backup to restore from).
|
|
if _, statErr := os.Stat(cert); statErr == nil {
|
|
t.Error("file still exists after rollback of new-file deploy")
|
|
}
|
|
}
|
|
|
|
// TestApply_BackupReadFails_RollbackEscalates triggers the
|
|
// restoreFromBackups error path by deleting the backup before
|
|
// PostCommit fires (simulates an aggressive operator-side
|
|
// janitor).
|
|
func TestApply_BackupReadFails_RollbackEscalates(t *testing.T) {
|
|
dir := t.TempDir()
|
|
cert := filepath.Join(dir, "tls.crt")
|
|
if err := os.WriteFile(cert, []byte("ORIGINAL"), 0644); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
var capturedBackup atomic.Value // string
|
|
plan := Plan{
|
|
Files: []File{{Path: cert, Bytes: []byte(testCert1)}},
|
|
PostCommit: func(ctx context.Context) error {
|
|
// Steal the backup BEFORE rollback runs. We have to
|
|
// find it via directory glob since Result isn't
|
|
// available yet.
|
|
entries, _ := os.ReadDir(dir)
|
|
for _, e := range entries {
|
|
if strings.Contains(e.Name(), BackupSuffix) {
|
|
capturedBackup.Store(filepath.Join(dir, e.Name()))
|
|
_ = os.Remove(filepath.Join(dir, e.Name()))
|
|
break
|
|
}
|
|
}
|
|
return errors.New("nginx exited 1")
|
|
},
|
|
}
|
|
_, err := Apply(context.Background(), plan)
|
|
if !errors.Is(err, ErrRollbackFailed) {
|
|
t.Fatalf("expected ErrRollbackFailed, got %v", err)
|
|
}
|
|
}
|
|
|
|
// TestApply_RenameMidLoopFails simulates a mid-loop rename
|
|
// failure by making the second destination's parent directory
|
|
// disappear after writeTempFile but before rename. We do this by
|
|
// using two destinations + removing the second's parent during
|
|
// PreCommit.
|
|
func TestApply_RenameMidLoopFails_PartialRollback(t *testing.T) {
|
|
dir := t.TempDir()
|
|
subA := filepath.Join(dir, "a")
|
|
subB := filepath.Join(dir, "b")
|
|
if err := os.MkdirAll(subA, 0755); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if err := os.MkdirAll(subB, 0755); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
pathA := filepath.Join(subA, "tls.crt")
|
|
pathB := filepath.Join(subB, "tls.crt")
|
|
if err := os.WriteFile(pathA, []byte("ORIG-A"), 0644); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if err := os.WriteFile(pathB, []byte("ORIG-B"), 0644); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
plan := Plan{
|
|
Files: []File{
|
|
{Path: pathA, Bytes: []byte(testCert1)},
|
|
{Path: pathB, Bytes: []byte(testCert2)},
|
|
},
|
|
PreCommit: func(ctx context.Context, tempPaths map[string]string) error {
|
|
// After temps are written + ownership applied,
|
|
// remove the SECOND temp file so its rename fails.
|
|
// The first will succeed (rename pathA's temp
|
|
// → pathA), then the loop will fail at pathB
|
|
// triggering the partial-rollback restore.
|
|
tempB := tempPaths[pathB]
|
|
_ = os.Remove(tempB)
|
|
return nil
|
|
},
|
|
}
|
|
_, err := Apply(context.Background(), plan)
|
|
if err == nil {
|
|
t.Fatal("expected mid-loop rename failure")
|
|
}
|
|
// pathA should be restored to ORIG-A (rollback ran).
|
|
if got, _ := os.ReadFile(pathA); string(got) != "ORIG-A" {
|
|
t.Errorf("pathA = %q, want ORIG-A (partial rollback restore)", got)
|
|
}
|
|
}
|
|
|
|
// TestCleanupBackups_RemovesGivenSet — directly exercise the
|
|
// cleanupBackups helper. Used internally on backup-step failure;
|
|
// usually unreachable through the public API.
|
|
func TestCleanupBackups_RemovesGivenSet(t *testing.T) {
|
|
dir := t.TempDir()
|
|
bp := filepath.Join(dir, "x"+BackupSuffix+"00000000")
|
|
if err := os.WriteFile(bp, []byte("backup data"), 0644); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
cleanupBackups(map[string]string{
|
|
"/some/path": bp,
|
|
"/other": "", // empty entries should be ignored
|
|
})
|
|
if _, err := os.Stat(bp); err == nil {
|
|
t.Error("backup not removed by cleanupBackups")
|
|
}
|
|
}
|
|
|
|
// TestApplyOwnership_ChmodSkippedWhenModeNotSet verifies the
|
|
// branch where ModeSet is false (no chmod attempted).
|
|
func TestApplyOwnership_ChmodSkippedWhenModeNotSet(t *testing.T) {
|
|
dir := t.TempDir()
|
|
path := filepath.Join(dir, "f")
|
|
if err := os.WriteFile(path, []byte("x"), 0644); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
res := resolvedOwnership{UID: -1, GID: -1, ModeSet: false}
|
|
if err := applyOwnership(path, res); err != nil {
|
|
t.Fatalf("applyOwnership: %v", err)
|
|
}
|
|
// File mode unchanged.
|
|
stat, _ := os.Stat(path)
|
|
if stat.Mode().Perm() != 0644 {
|
|
t.Errorf("mode = %#o, want 0644", stat.Mode().Perm())
|
|
}
|
|
}
|
|
|
|
// TestApplyOwnership_ChmodOnNonexistentFile returns the wrapped
|
|
// chmod error.
|
|
func TestApplyOwnership_ChmodOnNonexistentFile(t *testing.T) {
|
|
res := resolvedOwnership{Mode: 0644, ModeSet: true, UID: -1, GID: -1}
|
|
err := applyOwnership("/nonexistent/path/to/nothing", res)
|
|
if err == nil {
|
|
t.Fatal("expected error chmodding nonexistent file")
|
|
}
|
|
if !strings.Contains(err.Error(), "chmod") {
|
|
t.Errorf("error not labeled chmod: %v", err)
|
|
}
|
|
}
|
|
|
|
// TestLookupUID_Empty + Unresolvable pin both error legs.
|
|
func TestLookupUID_ErrorLegs(t *testing.T) {
|
|
if _, err := lookupUID(""); err == nil {
|
|
t.Error("empty username should error")
|
|
}
|
|
if _, err := lookupUID("nonexistent-user-xyz-test-12345"); err == nil {
|
|
t.Error("unresolvable user should error")
|
|
}
|
|
}
|
|
|
|
func TestLookupGID_ErrorLegs(t *testing.T) {
|
|
if _, err := lookupGID(""); err == nil {
|
|
t.Error("empty groupname should error")
|
|
}
|
|
if _, err := lookupGID("nonexistent-group-xyz-test-12345"); err == nil {
|
|
t.Error("unresolvable group should error")
|
|
}
|
|
}
|
|
|
|
// TestUnixOwnerFromStat_NilFileInfo pins the nil safety.
|
|
func TestUnixOwnerFromStat_NilFileInfo(t *testing.T) {
|
|
uid, gid, ok := unixOwnerFromStat(nil)
|
|
if ok {
|
|
t.Errorf("ok=true for nil FileInfo (uid=%d, gid=%d)", uid, gid)
|
|
}
|
|
if uid != -1 || gid != -1 {
|
|
t.Errorf("uid/gid = %d/%d, want -1/-1", uid, gid)
|
|
}
|
|
}
|
|
|
|
// TestApply_ResolveOwnershipError_AbortsBeforeAnyWrite triggers
|
|
// the resolveOwnership-fails branch (unresolvable owner string).
|
|
// No live files should be modified.
|
|
func TestApply_ResolveOwnershipError_AbortsBeforeAnyWrite(t *testing.T) {
|
|
dir := t.TempDir()
|
|
cert := filepath.Join(dir, "tls.crt")
|
|
if err := os.WriteFile(cert, []byte("ORIGINAL"), 0644); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
plan := Plan{
|
|
Files: []File{{
|
|
Path: cert,
|
|
Bytes: []byte(testCert1),
|
|
Owner: "nonexistent-user-xyz-12345",
|
|
Group: "nonexistent-group-xyz-12345",
|
|
}},
|
|
}
|
|
_, err := Apply(context.Background(), plan)
|
|
if err == nil {
|
|
t.Fatal("expected error from unresolvable owner")
|
|
}
|
|
// File untouched.
|
|
if got, _ := os.ReadFile(cert); string(got) != "ORIGINAL" {
|
|
t.Errorf("file modified despite ownership-resolution failure: %q", got)
|
|
}
|
|
}
|
|
|
|
// TestPruneBackups_BadDirectory pins the early error path.
|
|
func TestPruneBackups_BadDirectory(t *testing.T) {
|
|
err := pruneBackups("/nonexistent-parent-xyz/file", 3)
|
|
if err == nil {
|
|
t.Error("expected error reading nonexistent dir")
|
|
}
|
|
}
|
|
|
|
// TestPruneBackups_KeepZeroOrNegative_NoOp pins the early-return
|
|
// branch.
|
|
func TestPruneBackups_KeepZeroOrNegative_NoOp(t *testing.T) {
|
|
dir := t.TempDir()
|
|
abs := filepath.Join(dir, "f")
|
|
bp := abs + BackupSuffix + "00001"
|
|
if err := os.WriteFile(bp, []byte("x"), 0644); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if err := pruneBackups(abs, 0); err != nil {
|
|
t.Errorf("keep=0 error: %v", err)
|
|
}
|
|
if err := pruneBackups(abs, -1); err != nil {
|
|
t.Errorf("keep=-1 error: %v", err)
|
|
}
|
|
// Backup still exists.
|
|
if _, err := os.Stat(bp); err != nil {
|
|
t.Error("backup deleted under non-pruning retention")
|
|
}
|
|
}
|
|
|
|
// TestAtomicWriteFile_BadOwnership exercises the
|
|
// resolveOwnership error path within the lower-level entry.
|
|
func TestAtomicWriteFile_BadOwnership(t *testing.T) {
|
|
dir := t.TempDir()
|
|
path := filepath.Join(dir, "f")
|
|
_, err := AtomicWriteFile(context.Background(), path, []byte("x"), WriteOptions{
|
|
Owner: "nonexistent-user-xyz-12345",
|
|
Group: "nonexistent-group-xyz-12345",
|
|
})
|
|
if err == nil {
|
|
t.Error("expected error from bad ownership")
|
|
}
|
|
}
|
|
|
|
// TestAtomicWriteFile_ContextCancelled before lock acquisition.
|
|
func TestAtomicWriteFile_ContextCancelled(t *testing.T) {
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
cancel()
|
|
dir := t.TempDir()
|
|
path := filepath.Join(dir, "f")
|
|
_, err := AtomicWriteFile(ctx, path, []byte("x"), WriteOptions{})
|
|
if !errors.Is(err, context.Canceled) {
|
|
t.Errorf("got %v, want context.Canceled", err)
|
|
}
|
|
}
|
|
|
|
// TestWriteTempFile_BadDir verifies the open-file error path.
|
|
func TestWriteTempFile_BadDir(t *testing.T) {
|
|
_, err := writeTempFile("/nonexistent-parent-xyz/file", []byte("x"))
|
|
if err == nil {
|
|
t.Error("expected error writing into nonexistent parent")
|
|
}
|
|
}
|
|
|
|
// TestBackupFile_NonexistentSource pins the read-error path.
|
|
func TestBackupFile_NonexistentSource(t *testing.T) {
|
|
dir := t.TempDir()
|
|
_, err := backupFile(filepath.Join(dir, "does-not-exist"))
|
|
if err == nil {
|
|
t.Error("expected error backing up nonexistent file")
|
|
}
|
|
}
|
|
|
|
// TestApply_SkipIdempotent_SecondPathExists_FirstNew exercises
|
|
// the partial-match branch where one file matches and one doesn't.
|
|
// Since not ALL match, the deploy proceeds normally for both.
|
|
func TestApply_PartialIdempotency_DeploysAll(t *testing.T) {
|
|
dir := t.TempDir()
|
|
a := filepath.Join(dir, "a.crt")
|
|
b := filepath.Join(dir, "b.crt")
|
|
if err := os.WriteFile(a, []byte(testCert1), 0644); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
// b doesn't exist yet — partial match.
|
|
|
|
preCalls := 0
|
|
plan := Plan{
|
|
Files: []File{
|
|
{Path: a, Bytes: []byte(testCert1)},
|
|
{Path: b, Bytes: []byte(testCert2)},
|
|
},
|
|
PreCommit: func(ctx context.Context, _ map[string]string) error {
|
|
preCalls++
|
|
return nil
|
|
},
|
|
}
|
|
res, err := Apply(context.Background(), plan)
|
|
if err != nil {
|
|
t.Fatalf("Apply: %v", err)
|
|
}
|
|
if res.SkippedAsIdempotent {
|
|
t.Error("partial match should not skip")
|
|
}
|
|
if preCalls != 1 {
|
|
t.Errorf("PreCommit calls = %d, want 1", preCalls)
|
|
}
|
|
}
|
|
|
|
// TestApply_FilePathInvalidAbs covers the filepath.Abs error
|
|
// branch. Hard to trigger on most platforms; the validation
|
|
// catches the empty case which IS triggerable.
|
|
func TestApply_FilePathEmpty_RejectedEarly(t *testing.T) {
|
|
plan := Plan{
|
|
Files: []File{{Path: "", Bytes: []byte("x")}},
|
|
}
|
|
_, err := Apply(context.Background(), plan)
|
|
if !errors.Is(err, ErrPlanInvalid) {
|
|
t.Errorf("got %v, want ErrPlanInvalid", err)
|
|
}
|
|
}
|
|
|
|
// TestLockFile_RelativePathFallback covers the filepath.Abs
|
|
// failure-fallback branch in lockFile by acquiring + releasing
|
|
// a relative path lock.
|
|
func TestLockFile_RelativePath(t *testing.T) {
|
|
unlock := lockFile("relative/path/test")
|
|
unlock()
|
|
// Reacquiring should succeed (mutex released).
|
|
unlock = lockFile("relative/path/test")
|
|
unlock()
|
|
}
|
|
|
|
// TestApply_NowNanosStr_FormatStable double-checks the
|
|
// lex-sortable format used by pruneBackups for chronological
|
|
// ordering.
|
|
func TestNowNanosStr_FormatStable(t *testing.T) {
|
|
a := nowNanosStr()
|
|
if len(a) != 19 {
|
|
t.Errorf("len = %d, want 19 (zero-padded for sort)", len(a))
|
|
}
|
|
for _, c := range a {
|
|
if c < '0' || c > '9' {
|
|
t.Errorf("non-digit in nano string: %c", c)
|
|
}
|
|
}
|
|
}
|
|
|
|
// TestApply_RestoreFails_RenameAfterChmodReadOnly triggers the
|
|
// "rename during restore fails" branch by chmodding the parent
|
|
// directory to read-only AFTER the temp file is renamed in but
|
|
// BEFORE PostCommit fires (so the rollback's restore-rename
|
|
// fails). This tests the deepest leg of restoreFromBackups.
|
|
func TestApply_RestoreFails_RenameAfterChmodReadOnly(t *testing.T) {
|
|
if os.Getuid() == 0 {
|
|
t.Skip("read-only chmod doesn't restrict root")
|
|
}
|
|
dir := t.TempDir()
|
|
cert := filepath.Join(dir, "tls.crt")
|
|
if err := os.WriteFile(cert, []byte("ORIGINAL"), 0644); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
defer func() {
|
|
// Ensure cleanup can proceed.
|
|
_ = os.Chmod(dir, 0755)
|
|
}()
|
|
|
|
plan := Plan{
|
|
Files: []File{{Path: cert, Bytes: []byte(testCert1)}},
|
|
PostCommit: func(ctx context.Context) error {
|
|
// Make the directory read-only so the subsequent
|
|
// restore-rename will fail.
|
|
_ = os.Chmod(dir, 0555)
|
|
return errors.New("nginx exited 1")
|
|
},
|
|
}
|
|
_, err := Apply(context.Background(), plan)
|
|
if err == nil {
|
|
t.Fatal("expected error")
|
|
}
|
|
// Either ErrReloadFailed (rollback succeeded somehow) or
|
|
// ErrRollbackFailed (rollback couldn't restore due to RO).
|
|
if !errors.Is(err, ErrReloadFailed) && !errors.Is(err, ErrRollbackFailed) {
|
|
t.Errorf("got %v, want ErrReloadFailed or ErrRollbackFailed", err)
|
|
}
|
|
}
|
|
|
|
// TestApply_DuplicateNormalisedPath catches the validatePlan
|
|
// duplicate detection after filepath.Abs normalisation.
|
|
func TestApply_DuplicateNormalisedPath(t *testing.T) {
|
|
dir := t.TempDir()
|
|
a := filepath.Join(dir, "x.crt")
|
|
// Same logical destination via a relative + absolute mix.
|
|
plan := Plan{
|
|
Files: []File{
|
|
{Path: a, Bytes: []byte("a")},
|
|
{Path: a, Bytes: []byte("b")},
|
|
},
|
|
}
|
|
_, err := Apply(context.Background(), plan)
|
|
if !errors.Is(err, ErrPlanInvalid) {
|
|
t.Errorf("got %v, want ErrPlanInvalid", err)
|
|
}
|
|
}
|
|
|
|
// TestUnixOwnerFromStat_LiveStat covers the happy path with a
|
|
// real os.Stat result.
|
|
func TestUnixOwnerFromStat_LiveStat(t *testing.T) {
|
|
dir := t.TempDir()
|
|
path := filepath.Join(dir, "f")
|
|
if err := os.WriteFile(path, []byte("x"), 0644); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
stat, err := os.Stat(path)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
uid, gid, ok := unixOwnerFromStat(stat)
|
|
if !ok {
|
|
t.Skip("non-unix")
|
|
}
|
|
if uid != os.Getuid() || gid != os.Getgid() {
|
|
t.Errorf("uid/gid = %d/%d, want %d/%d", uid, gid, os.Getuid(), os.Getgid())
|
|
}
|
|
}
|
|
|
|
// TestBackupFile_StatFailsAfterRead triggers the rare
|
|
// "file deleted between read and stat" race-window branch in
|
|
// backupFile by using a path that disappears mid-call. We can't
|
|
// easily race it, but we can show the read-then-stat ordering by
|
|
// checking that backupFile of a missing file errors at read.
|
|
// Already covered by TestBackupFile_NonexistentSource above; this
|
|
// is a placeholder so the package's race-aware code path is
|
|
// documented.
|
|
func TestBackupFile_RaceWindow_DocumentedInCode(t *testing.T) {
|
|
t.Log("backupFile race window between read+stat is documented but not faulttested without fault injection")
|
|
}
|
|
|
|
// TestWriteTempFile_OEXCLContention pins the O_EXCL belt-and-
|
|
// braces protection in writeTempFile. Hard to trigger externally
|
|
// because nowNanosStr() is monotonic; we exercise the protection
|
|
// by pre-creating a file at the temp path and checking that a
|
|
// second write to the same nanos collides + errors. This requires
|
|
// freezing the clock — skipped (impractical) — but the test
|
|
// documents the existence of the protection.
|
|
func TestWriteTempFile_OEXCLContention_DocumentedInCode(t *testing.T) {
|
|
t.Log("O_EXCL collision branch defends against clock collision; not test-injectable without time mock")
|
|
}
|
|
|
|
// TestApply_BackupRetentionDefault verifies the default-of-3
|
|
// behavior when BackupRetention is left zero.
|
|
func TestApply_BackupRetentionDefault(t *testing.T) {
|
|
dir := t.TempDir()
|
|
cert := filepath.Join(dir, "tls.crt")
|
|
if err := os.WriteFile(cert, []byte("V0"), 0644); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
for i := 1; i <= 6; i++ {
|
|
plan := Plan{
|
|
Files: []File{{Path: cert, Bytes: []byte(fmt.Sprintf("V%d", i))}},
|
|
}
|
|
if _, err := Apply(context.Background(), plan); err != nil {
|
|
t.Fatalf("Apply iter %d: %v", i, err)
|
|
}
|
|
}
|
|
entries, _ := os.ReadDir(dir)
|
|
count := 0
|
|
for _, e := range entries {
|
|
if strings.Contains(e.Name(), BackupSuffix) {
|
|
count++
|
|
}
|
|
}
|
|
if count != DefaultBackupRetention {
|
|
t.Errorf("backup count = %d, want %d (default)", count, DefaultBackupRetention)
|
|
}
|
|
}
|