gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 17:12:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
7c04f0a0b8a35122fd362f109ce40de96e9764d4
certctl/internal/auth/oidc/setup_test.go
T
shankar0123 7c04f0a0b8 fix(oidc): test seam for jwksProbeClient — closes the B5 R6 httptest regression 
CI break diagnosed from go-build-and-test on f1fa311+36840dd:
TestTestDiscovery_HappyPath_AgainstMockIdP + TestTestDiscovery_JWKSFetchFails
fail with "refusing to dial reserved address 127.0.0.1" because my
Bundle 5 R6 closure wrapped jwksReachable in
validation.SafeHTTPDialContext — which is exactly what the production
guard is supposed to refuse for httptest.NewServer's 127.0.0.1 bind.

Same shape as the Slack/Teams test-seam fix in 36840dd: factor the
http.Client construction into a package-level var (`jwksProbeClient`),
default to the SSRF-safe transport in production, override to
http.DefaultTransport in test-only `setup_test.go::init()`. Production
code never reassigns the var. The audit R6 closure stands — the
production jwksReachable still uses validation.SafeHTTPDialContext.

Verification (sandbox, Go 1.25.10):
  go test -short -count=1
    -run 'TestTestDiscovery_HappyPath|TestTestDiscovery_JWKSFetchFails'
    ./internal/auth/oidc                                # PASS (1.1s)
  go test -short -count=1 ./internal/auth/oidc          # PASS (21.8s)
  gofmt -l                                              # clean
  go vet ./internal/auth/oidc                           # clean
2026-05-13 01:30:47 +00:00

33 lines
1.2 KiB
Go
Raw Blame History

// Test-only setup for the internal/auth/oidc package.
//
// Bundle 5 closure (audit R6) wrapped the package's jwks reachability
// probe in validation.SafeHTTPDialContext so production OIDC config
// dry-runs can't be pivoted into reserved-address ranges via DNS
// rebinding. The test suite uses httptest.NewServer which binds to
// 127.0.0.1 — that's exactly the reserved-address case the production
// guard refuses to dial, so the package-level jwksProbeClient is
// replaced here with an SSRF-guard-bypassed http.Client for the
// duration of every test in this package.
//
// Mirrors the internal/connector/notifier/webhook + slack + teams
// test-seam pattern (newForTest constructor). The production code
// never reassigns jwksProbeClient — only this _test.go file does, so
// the test seam can't leak into a real deployment.
package oidc
import (
"net/http"
"time"
)
func init() {
// Replace the SSRF-safe transport with one that has no
// DialContext override. http.DefaultTransport handles 127.0.0.1
// without complaint, which is what httptest.NewServer needs.
jwksProbeClient = &http.Client{
Timeout: 10 * time.Second,
Transport: http.DefaultTransport,
}
}
Reference in New Issue View Git Blame Copy Permalink