certctl/docs/testing/skip-inventory.md
shankar0123 c4ed3da30b fix(ci): Sprint 6 CI follow-up — staticcheck ST1021 + tenant-query baseline + skip inventory
Sprint 6 push (commits 43836ac + 663b14b) tripped three CI guards.
Fixing all three in this single follow-up — each is a small,
mechanical correction that doesn't change behavior:

1. staticcheck ST1021: AuditChainSnapshot doc comment was on the
   wrong type.

   internal/service/audit_chain_metric.go:91 had:
     // Snapshot returns the current counter state for the Prometheus
     // exposer. Reads use atomic loads — no mutex.
     type AuditChainSnapshot struct { ... }

   The comment described Snapshot() (the method on AuditChainCounter)
   but sat directly above the AuditChainSnapshot struct. staticcheck
   ST1021 requires exported-type comments to start with the type's
   name + optional leading article. Rewrote to lead with
   "AuditChainSnapshot is the point-in-time view ...".

2. multi-tenant-query-coverage: baseline drifted 31 → 32 because
   Sprint 6 COMP-002-RETENTION added UserRepository.ListDeactivatedBefore
   at internal/repository/postgres/user.go:191 — legitimately
   tenant-spanning by design.

   The retention policy is control-plane-wide (one
   CERTCTL_USER_RETENTION_WINDOW for the whole deployment, not
   per-tenant). The scheduler's userRetentionLoop walks every
   tenant's deactivated users on the same tick. A per-tenant
   tenant_id filter would require the scheduler to iterate every
   tenant — more code for equivalent semantics.

   Per the guard's own documentation (option b), legitimately
   tenant-spanning queries get an inline rationale comment + a
   baseline lift. Both delivered:
     - Inline comment block on the SELECT in user.go::ListDeactivatedBefore.
     - BASELINE_COUNT 31 → 32 in
       scripts/ci-guards/multi-tenant-query-coverage.sh, with the
       Sprint 6 rebase entry added to the rebase-history comment.

3. skip-inventory-drift: docs/testing/skip-inventory.md was stale.
   COMP-001-HASH added three new t.Skip sites in
   internal/repository/postgres/audit_chain_test.go (the three
   testing.Short() gates on the testcontainers integration tests).
   Re-ran ./scripts/skip-inventory.sh to regenerate the doc —
   totals went from 144 → 147 sites + 78 → 82 short-mode guards.

Verified locally:
  bash scripts/ci-guards/multi-tenant-query-coverage.sh      (clean)
  bash scripts/ci-guards/skip-inventory-drift.sh              (clean)
  go vet ./...                                                (clean)
  staticcheck ./internal/service/...                          (clean)

Closes the three Sprint 6 CI failures. The next CI run should
green out.
2026-05-16 06:24:09 +00:00


Test Skip Inventory

Last reviewed: 2026-05-16

Summary

  • Total t.Skip sites: 147
  • testing.Short() guards: 82 (these gate behind go test -short)

Re-run inventory with: ./scripts/skip-inventory.sh.

Sites (grouped by package)

cmd/agent

  • cmd/agent/keymem_test.go:209 — t.Skip("permission semantics differ on windows")
  • cmd/agent/keymem_test.go:425 — t.Skip("permission semantics differ on windows")
  • cmd/agent/keymem_test.go:451 — t.Skip("permission semantics differ on windows")
  • cmd/agent/keymem_test.go:491 — t.Skip("permission semantics differ on windows")
  • cmd/agent/keymem_test.go:523 — t.Skip("permission semantics differ on windows")
  • cmd/agent/keymem_test.go:526 — t.Skip("running as root; cannot revoke parent dir write permission")
  • cmd/agent/keymem_test.go:553 — t.Skip("permission semantics differ on windows")
  • cmd/agent/keymem_test.go:556 — t.Skip("running as root; cannot revoke parent dir read+exec permission")
  • cmd/agent/keymem_test.go:623 — t.Skip("chmod-error branch is only reliably triggerable on linux via /sys (read-only fs)")
  • cmd/agent/keymem_test.go:631 — t.Skipf("/sys/kernel not stat-able as a dir on this host; skipping (%v)", err)
  • cmd/agent/keymem_test.go:637 — t.Skipf("/sys/kernel mode %#o already satisfies no-chmod branch", mode)
  • cmd/agent/keymem_test.go:652 — t.Skip("permission semantics differ on windows")
  • cmd/agent/keymem_test.go:655 — t.Skip("running as root; cannot revoke parent dir write permission")
  • cmd/agent/keymem_test.go:686 — t.Skip("permission semantics differ on windows")
  • cmd/agent/verify_test.go:402 — t.Skip("no TLS certificates configured on test server")

cmd/server

  • cmd/server/preflight_demo_residual_test.go:41 — t.Skip("preflight A-8 test requires Postgres (testcontainers); skipping under -short")
  • cmd/server/preflight_demo_residual_test.go:97 — t.Skip("A-8 testcontainers unavailable; skipping")

deploy/test/acme-integration

  • deploy/test/acme-integration/certmanager_test.go:54 — t.Skip("KIND_AVAILABLE unset — kind-driven cert-manager integration test skipped")

deploy/test

  • deploy/test/crl_ocsp_e2e_test.go:134 — t.Skip("integration only")
  • deploy/test/crl_ocsp_e2e_test.go:65 — t.Skip("integration only")
  • deploy/test/est_e2e_test.go:124 — t.Skip("integration tests require INTEGRATION=1; skipping libest e2e suite")
  • deploy/test/est_e2e_test.go:129 — t.Skipf("libest sidecar (container %q) not running (status=%q). Run cd deploy && docker compose -f docker-compose.test.yml --profile est-e2e up -d libest-client to bring it up.", libestContainer, status)
  • deploy/test/est_e2e_test.go:213 — t.Skip("/config/certs/bootstrap.pem not present in libest sidecar — skipping mTLS path. To enable: mint a bootstrap cert against the per-profile mTLS trust anchor and copy into deploy/test/certs/.")
  • deploy/test/est_e2e_test.go:252 — t.Skip("server-keygen disabled on the e2e EST profile (HTTP 404). Enable via CERTCTL_EST_PROFILE_E2E_SERVER_KEYGEN_ENABLED=true in docker-compose.test.yml.")
  • deploy/test/est_e2e_test.go:333 — t.Skipf("libest build lacks --tls-exporter support: %v", err)
  • deploy/test/healthcheck_test.go:102 — t.Skip("docker not available — skipping image-level HEALTHCHECK test")
  • deploy/test/healthcheck_test.go:163 — t.Skip("docker not available — skipping image-level HEALTHCHECK test")
  • deploy/test/healthcheck_test.go:224 — t.Skip("docker not available — skipping runtime HEALTHCHECK test")
  • deploy/test/healthcheck_test.go:227 — t.Skip("runtime HEALTHCHECK test takes ~45s; skipping under -short")
  • deploy/test/healthcheck_test.go:229 — t.Skip("runtime probe contract not yet wired to a sidecar postgres; " +
  • deploy/test/healthcheck_test.go:28 — // The tests skip cleanly with t.Skip when docker is not available
  • deploy/test/healthcheck_test.go:32 — // Q-1 closure (cat-s3-58ce7e9840be): this file's 5 t.Skip sites are
  • deploy/test/healthcheck_test.go:41 — // - Line 212: hard t.Skip for the runtime probe contract — image-spec
  • deploy/test/integration_test.go:1129 — t.Skip("no PEM data in certificate version")
  • deploy/test/integration_test.go:513 — t.Skip("agent not yet online (may be slow to heartbeat)")
  • deploy/test/integration_test.go:805 — t.Skip("depends on Phase04 (Local CA cert not created)")
  • deploy/test/integration_test.go:901 — t.Skip("no discovered certificates yet (agent scan may not have run)")
  • deploy/test/integration_test.go:942 — t.Skip("no certificate in Active state for renewal test")
  • deploy/test/integration_test.go:954 — t.Skipf("renewal trigger returned: %s", body)
  • deploy/test/nginx_vendor_e2e_test.go:108 — t.Skip()
  • deploy/test/qa_test.go:1055 — t.Skip("Part 23 (S/MIME & EKU) is documented in docs/testing-guide.md::Part 23 " +
  • deploy/test/qa_test.go:1065 — t.Skip("Part 24 (OCSP/CRL) is documented in docs/testing-guide.md::Part 24 " +
  • deploy/test/qa_test.go:1175 — t.Skip("Requires compiled certctl-cli binary — manual test")
  • deploy/test/qa_test.go:1179 — t.Skip("Requires compiled mcp-server binary + stdio — manual test")
  • deploy/test/qa_test.go:1313 — t.Skip("Scheduler tests are timing-dependent — verify via Docker logs manually")
  • deploy/test/qa_test.go:1320 — t.Skip("Requires Docker log inspection — manual test")
  • deploy/test/qa_test.go:1327 — t.Skip("Requires browser — manual test")
  • deploy/test/qa_test.go:1334 — t.Skip("Requires browser — manual test")
  • deploy/test/qa_test.go:1338 — t.Skip("Requires browser — manual test")
  • deploy/test/qa_test.go:1914 — t.Skip("Part 55 (Agent Soft-Retirement) is documented in docs/testing-guide.md::Part 55 " +
  • deploy/test/qa_test.go:1924 — t.Skip("Part 56 (Notification Retry/Dead-Letter) is documented in docs/testing-guide.md::Part 56 " +
  • deploy/test/qa_test.go:38 — // Q-1 closure (cat-s3-58ce7e9840be): this file contains 11 `t.Skip("Requires
  • deploy/test/qa_test.go:46 — // the runtime t.Skip is the second-line guard for operators who run
  • deploy/test/qa_test.go:50 — // is correct, and the t.Skip messages already name the missing
  • deploy/test/qa_test.go:870 — t.Skip("Requires CA cert+key setup — manual test")
  • deploy/test/qa_test.go:874 — t.Skip("Requires ACME CA with ARI support — manual test")
  • deploy/test/qa_test.go:881 — t.Skip("Requires live Vault server — manual test")
  • deploy/test/qa_test.go:885 — t.Skip("Requires DigiCert sandbox — manual test")
  • deploy/test/scep_intune_e2e_test.go:159 — t.Skipf("integration stack not reachable at %s: %v — start docker-compose.test.yml first", serverURL, err)
  • deploy/test/scep_intune_e2e_test.go:163 — t.Skipf("/scep/%s not configured — see deploy/docker-compose.test.yml for the e2eintune profile env vars", e2eintunePathID)
  • deploy/test/scep_intune_e2e_test.go:166 — t.Skipf("/scep/%s GetCACaps returned %d — Intune profile may not be enabled in compose env", e2eintunePathID, resp.StatusCode)
  • deploy/test/scep_intune_e2e_test.go:170 — t.Skipf("/scep/%s GetCACaps body=%q does NOT advertise SCEPStandard — Intune profile may be misconfigured", e2eintunePathID, string(body))
  • deploy/test/vendor_e2e_helpers_smoke_test.go:31 — t.Skip("requires network egress to api.github.com (or similar known TLS endpoint); run manually")
  • deploy/test/vendor_e2e_helpers_smoke_test.go:36 — t.Skip("requires network egress; run manually")
  • deploy/test/vendor_e2e_helpers_smoke_test.go:41 — // When hostPath is empty the helper t.Skip's. Re-run-from-

internal/api/handler

  • internal/api/handler/health_test.go:481 — t.Skip("integration-style test; covered by deploy/test/integration_test.go (//go:build integration). " +
  • internal/api/handler/health_test.go:499 — t.Skipf("postgres driver unavailable in this build: %v", err)

internal/auth/breakglass

  • internal/auth/breakglass/service_test.go:417 — t.Skip("timing test skipped in -short mode (Argon2id is expensive)")

internal/auth/oidc/domain

  • internal/auth/oidc/domain/types_test.go:221 — t.Skip()

internal/auth/oidc

  • internal/auth/oidc/bench_keycloak_test.go:103 — // signature matters because it calls t.Skip / t.Fatal / t.Cleanup.
  • internal/auth/oidc/integration_keycloak_test.go:53 — // initialized in keycloakFor() so individual tests can t.Skip under
  • internal/auth/oidc/integration_okta_smoke_test.go:64 — // If any required env var is missing, the test t.Skip's with a clear
  • internal/auth/oidc/integration_okta_smoke_test.go:84 — t.Skipf("Okta smoke test requires env vars: %s — skipping", strings.Join(missing, ", "))

internal/ciparity

  • internal/ciparity/surface_parity_test.go:113 — // readFileOrSkip reads a file; on ENOENT, calls t.Skipf rather than

internal/connector/issuer/acme

  • internal/connector/issuer/acme/acme_failure_test.go:687 — t.Skipf("could not bind challenge server (env may not allow): %v", err)

internal/connector/issuer/local

  • internal/connector/issuer/local/bundle9_coverage_test.go:467 — t.Skip("unexpectedly short DER")
  • internal/connector/issuer/local/bundle9_coverage_test.go:592 — t.Skip("permission semantics differ on windows")
  • internal/connector/issuer/local/bundle9_coverage_test.go:609 — t.Skip("permission semantics differ on windows")
  • internal/connector/issuer/local/bundle9_coverage_test.go:621 — t.Skip("permission semantics differ on windows")
  • internal/connector/issuer/local/bundle9_coverage_test.go:653 — t.Skip("permission semantics differ on windows")

internal/connector/issuer/openssl

  • internal/connector/issuer/openssl/openssl_failure_test.go:124 — t.Skip("running as root; chmod 0o600 doesn't gate execution for uid 0")
  • internal/connector/issuer/openssl/openssl_failure_test.go:71 — t.Skip("openssl adapter shell-out tests assume POSIX bash; skipping on Windows")

internal/connector/notifier/email

  • internal/connector/notifier/email/email_test.go:425 — t.Skip("test requires no service on smtp.example.com:587")
  • internal/connector/notifier/email/email_test.go:503 — t.Skip("test assumes no service on 127.0.0.1:54321")

internal/connector/target/iis

  • internal/connector/target/iis/iis_test.go:225 — t.Skip("Skipping: powershell.exe not available (non-Windows)")
  • internal/connector/target/iis/iis_test.go:92 — t.Skip("Skipping: powershell.exe not available (non-Windows)")

internal/crypto

  • internal/crypto/encryption_property_test.go:35 — t.Skip("skipping property-based test in -short mode (PBKDF2 600k rounds × 50 iters > short budget)")
  • internal/crypto/encryption_property_test.go:75 — t.Skip("skipping property-based test in -short mode (PBKDF2 cost)")

internal/deploy

  • internal/deploy/coverage_test.go:403 — t.Skip("read-only chmod doesn't restrict root")
  • internal/deploy/coverage_test.go:467 — t.Skip("non-unix")
  • internal/deploy/deploy_test.go:611 — t.Skip("non-unix platform")

internal/ratelimit

  • internal/ratelimit/equivalence_test.go:80 — t.Skip("race-style test under -short")
  • internal/ratelimit/equivalence_test.go:88 — t.Skip("postgres equivalence tests require testcontainers; skipped under -short")
  • internal/ratelimit/sliding_window_test.go:146 — t.Skip("race-style test under -short")

internal/repository/postgres

  • internal/repository/postgres/audit_chain_test.go:137 — t.Skip("skipping integration test in short mode")
  • internal/repository/postgres/audit_chain_test.go:36 — t.Skip("skipping integration test in short mode")
  • internal/repository/postgres/audit_chain_test.go:58 — t.Skip("skipping integration test in short mode")
  • internal/repository/postgres/audit_worm_test.go:29 — t.Skip("skipping integration test in short mode")
  • internal/repository/postgres/auth_revoke_scope_test.go:118 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_revoke_scope_test.go:149 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_revoke_scope_test.go:179 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_revoke_scope_test.go:208 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_revoke_scope_test.go:56 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_revoke_scope_test.go:87 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:123 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:153 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:181 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:207 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:229 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:252 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:281 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:95 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_encryption_invariant_test.go:160 — t.Skip("Phase 13 encryption invariant: integration test in short mode")
  • internal/repository/postgres/oidc_encryption_invariant_test.go:225 — t.Skip("Phase 13 encryption invariant: integration test in short mode")
  • internal/repository/postgres/oidc_encryption_invariant_test.go:62 — t.Skip("Phase 13 encryption invariant: integration test in short mode")
  • internal/repository/postgres/oidc_prelogin_encryption_test.go:163 — t.Skip("HIGH-5 legacy fallback: integration test in short mode")
  • internal/repository/postgres/oidc_prelogin_encryption_test.go:42 — t.Skip("HIGH-5 encryption invariant: integration test in short mode")
  • internal/repository/postgres/oidc_test.go:117 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:140 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:171 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:185 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:209 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:239 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:301 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:331 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:45 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:82 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:96 — t.Skip("integration test in short mode")
  • internal/repository/postgres/repo_test.go:1944 — t.Skip("integration test requires PostgreSQL")
  • internal/repository/postgres/repo_test.go:2003 — t.Skip("integration test requires PostgreSQL")
  • internal/repository/postgres/repo_test.go:2114 — t.Skip("integration test requires PostgreSQL")
  • internal/repository/postgres/seed_test.go:91 — t.Skip("skipping integration test in short mode")
  • internal/repository/postgres/session_test.go:100 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:120 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:167 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:197 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:211 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:246 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:259 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:29 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:307 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:340 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:407 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:54 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:86 — t.Skip("integration test in short mode")
  • internal/repository/postgres/testutil_test.go:39 — t.Skip("skipping integration test in short mode")
  • internal/repository/postgres/user_test.go:106 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:131 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:170 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:210 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:29 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:302 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:339 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:374 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:59 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:73 — t.Skip("integration test in short mode")

internal/scep/intune

  • internal/scep/intune/challenge_golden_test.go:47 — t.Skip("regenerate fixtures only when -update-golden is passed")
  • internal/scep/intune/challenge_test.go:213 — t.Skip("encoder didn't produce padding for this fixture; skipping")
  • internal/scep/intune/rate_limit_test.go:139 — t.Skip("race-style test under -short")
  • internal/scep/intune/replay_test.go:131 — t.Skip("race-style test under -short; run full suite for coverage")

internal/service

  • internal/service/coverage_extras_test.go:374 — t.Skipf("RSA keygen unavailable: %v", err)
  • internal/service/coverage_extras_test.go:394 — t.Skipf("ECDSA keygen unavailable: %v", err)