gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 17:12:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
5b151e74da46b0e0095955cdb63b82d5a614eac2
certctl/internal/config/coverage_test.go
T
shankar0123 0ab6bc4a73 feat(ci): item-1 complete-path config-coverage guard (PARTIAL — sandbox could not verify Go test) 
Shell guard verified working in sandbox:
  - Green on clean repo: 'OK — every CERTCTL_* env var (194) has at least
    one non-config-package consumer.'
  - Red on injected orphan: '::error::Orphan env vars — defined in
    config.go but no consumer found outside internal/config/' with three
    remediation paths listed.

Go test internal/config/coverage_test.go written but NOT verified —
sandbox Go 1.25.9 < go.mod's 1.25.10 requirement; toolchain
auto-download fails (disk full). Operator must run `make verify` from
workstation before merge.

Allowlist scaffold at scripts/ci-guards/complete-path-config-coverage-exceptions.yaml.
Every entry requires name + justification + expires fields; expired
entries fail the guard.

Catches the lying-field bug class — env var defined in config.go that no
business-logic code reads. The 2026-04-29 SCEP MustStaple Phase 5.6 gap
(domain field shipped, service layer never read profile.MustStaple) is
the canonical case this guard would have caught at commit time.

Audit-Closes: post-v2.1.0-anti-rot/item-1
2026-05-12 14:02:04 +00:00

240 lines
6.6 KiB
Go
Raw Blame History

// Package config — coverage_test.go
//
// Per post-v2.1.0 anti-rot item 1 (Auditable Codebase Bundle).
//
// Catches "lying env vars" — CERTCTL_* env vars read by config.go that
// have no consumer in the rest of the codebase. Companion to the
// scripts/ci-guards/complete-path-config-coverage.sh shell guard: the
// shell guard catches non-Go consumers too (Helm, .env templates,
// docs); this Go test runs under `go test -short` and gives developers
// the same signal in the same loop they're already in.
//
// Allowlist is the same YAML file used by the shell guard. Keep them in
// sync — a row added here should be added there, and vice versa.
package config
import (
"os"
"path/filepath"
"regexp"
"strings"
"testing"
"time"
)
// envVarRe matches getEnv* call sites that take a CERTCTL_-prefixed
// string literal as their first argument. Mirrors the regex in
// scripts/ci-guards/complete-path-config-coverage.sh.
var envVarRe = regexp.MustCompile(`getEnv(?:Bool|Int|Int64|Duration|Float|StringSlice)?\(\s*"(CERTCTL_[A-Z0-9_]+)"`)
// allowlistEntry is the shape of a row in
// scripts/ci-guards/complete-path-config-coverage-exceptions.yaml.
type allowlistEntry struct {
Name string
Justification string
Expires time.Time
}
func TestCompletePathConfigCoverage(t *testing.T) {
// Find repo root by walking up from this file's dir until we hit
// go.mod.
repoRoot, err := findRepoRoot()
if err != nil {
t.Fatalf("find repo root: %v", err)
}
// 1. Extract env-var read sites from internal/config/config.go.
configBytes, err := os.ReadFile(filepath.Join(repoRoot, "internal", "config", "config.go"))
if err != nil {
t.Fatalf("read config.go: %v", err)
}
envVars := map[string]struct{}{}
for _, m := range envVarRe.FindAllStringSubmatch(string(configBytes), -1) {
envVars[m[1]] = struct{}{}
}
if len(envVars) == 0 {
t.Fatal("regex matched zero env vars — likely a regex/format change, fix the test")
}
// 2. Walk the rest of the repo looking for consumers.
searchDirs := []string{
"cmd", "internal", "deploy", "migrations", "scripts", "docs",
"api", "web",
}
searchFiles := []string{"Makefile", "README.md", "CHANGELOG.md"}
consumed := map[string]bool{}
for ev := range envVars {
consumed[ev] = false
}
walk := func(path string) error {
return filepath.Walk(path, func(p string, info os.FileInfo, walkErr error) error {
if walkErr != nil {
return nil // best-effort
}
if info.IsDir() {
name := info.Name()
if name == "node_modules" || name == "dist" || name == ".git" {
return filepath.SkipDir
}
return nil
}
// Skip internal/config (where the vars are DEFINED) and this
// test file itself.
rel, _ := filepath.Rel(repoRoot, p)
if strings.HasPrefix(rel, filepath.Join("internal", "config")) {
return nil
}
// Only text-ish files.
ok := false
for _, ext := range []string{".go", ".sh", ".yml", ".yaml", ".sql", ".md", ".tmpl", ".tpl", ".env", ".json", ".toml", ".ts", ".tsx"} {
if strings.HasSuffix(p, ext) {
ok = true
break
}
}
if !ok && info.Name() != "Makefile" && info.Name() != "Dockerfile" {
return nil
}
data, err := os.ReadFile(p)
if err != nil {
return nil
}
body := string(data)
for ev := range envVars {
if consumed[ev] {
continue
}
if strings.Contains(body, ev) {
consumed[ev] = true
}
}
return nil
})
}
for _, d := range searchDirs {
if err := walk(filepath.Join(repoRoot, d)); err != nil {
t.Fatalf("walk %s: %v", d, err)
}
}
for _, f := range searchFiles {
p := filepath.Join(repoRoot, f)
if _, err := os.Stat(p); err == nil {
data, _ := os.ReadFile(p)
body := string(data)
for ev := range envVars {
if consumed[ev] {
continue
}
if strings.Contains(body, ev) {
consumed[ev] = true
}
}
}
}
// 3. Load the allowlist + filter orphans through it.
allowlist, err := loadAllowlist(filepath.Join(repoRoot, "scripts", "ci-guards", "complete-path-config-coverage-exceptions.yaml"))
if err != nil {
t.Fatalf("load allowlist: %v", err)
}
today := time.Now().UTC().Truncate(24 * time.Hour)
var orphans []string
for ev, ok := range consumed {
if ok {
continue
}
entry, allowlisted := allowlist[ev]
if !allowlisted {
orphans = append(orphans, ev+" (no consumer found)")
continue
}
if entry.Expires.Before(today) {
orphans = append(orphans, ev+" (allowlist entry expired "+entry.Expires.Format("2006-01-02")+")")
continue
}
if entry.Justification == "" {
orphans = append(orphans, ev+" (allowlist entry has no justification)")
continue
}
}
if len(orphans) > 0 {
t.Errorf("complete-path config-coverage: %d orphan env var(s) — defined in config.go, no consumer outside internal/config/:", len(orphans))
for _, o := range orphans {
t.Errorf(" - %s", o)
}
t.Errorf("Fix: wire the env var to a real consumer, remove it from config.go, or allowlist it with a justification + expiration in scripts/ci-guards/complete-path-config-coverage-exceptions.yaml")
}
}
func findRepoRoot() (string, error) {
wd, err := os.Getwd()
if err != nil {
return "", err
}
cur := wd
for {
if _, err := os.Stat(filepath.Join(cur, "go.mod")); err == nil {
return cur, nil
}
parent := filepath.Dir(cur)
if parent == cur {
return "", os.ErrNotExist
}
cur = parent
}
}
// loadAllowlist parses the tiny YAML shape used by the exceptions file.
// Same shape parsed by complete-path-config-coverage.sh — keep them in
// sync. Returns name → entry.
func loadAllowlist(path string) (map[string]allowlistEntry, error) {
out := map[string]allowlistEntry{}
data, err := os.ReadFile(path)
if err != nil {
if os.IsNotExist(err) {
return out, nil
}
return nil, err
}
var cur *allowlistEntry
for _, raw := range strings.Split(string(data), "\n") {
line := strings.TrimRight(raw, "\r")
trimmed := strings.TrimSpace(line)
if trimmed == "" || strings.HasPrefix(trimmed, "#") {
continue
}
if strings.HasPrefix(trimmed, "- name:") {
name := strings.TrimSpace(strings.TrimPrefix(trimmed, "- name:"))
name = strings.Trim(name, `"' `)
cur = &allowlistEntry{Name: name}
out[name] = *cur
continue
}
if cur == nil || !strings.HasPrefix(line, " ") {
continue
}
kv := strings.SplitN(trimmed, ":", 2)
if len(kv) != 2 {
continue
}
k := strings.TrimSpace(kv[0])
v := strings.Trim(strings.TrimSpace(kv[1]), `"' `)
switch k {
case "justification":
cur.Justification = v
case "expires":
if t, err := time.Parse("2006-01-02", v); err == nil {
cur.Expires = t
}
}
out[cur.Name] = *cur
}
return out, nil
}
Reference in New Issue View Git Blame Copy Permalink