gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 16:41:36 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
80cbd2db59aef9ef20cf290e2ae164a03e0a1ba7
certctl/internal/secret/secret_test.go
T
shankar0123 2a384c690e secret: migrate EJBCA / GlobalSign / Sectigo credentials to *secret.Ref (Phase 2) 
Phase 2 of the #6 acquisition-readiness fix from the 2026-05-01 issuer
coverage audit. Phase 1 (commit 633a10a) shipped the secret.Ref opaque
credential type with PBKDF2-derived key, ChaCha20-Poly1305 envelope,
String/MarshalJSON redaction to "[redacted]", and the Use callback
that zero-fills the per-call buffer after the consumer returns.

This commit applies the type to the three connectors flagged by the
audit and adds the JSON-roundtrip glue that the production factory
path needs.

Shared (internal/secret/):

- Add UnmarshalJSON on *Ref so json.Unmarshal of a stored config
  blob (issuerfactory.NewFromConfig) parses the bytes-as-string into
  NewRefFromString without callers having to know the field type
  changed. Null and missing keys leave the receiver nil; non-string
  payloads (numbers, bools) are rejected with a typed error. Pinned
  by TestRef_UnmarshalJSON: string_value, null, missing_key,
  number_rejected, roundtrip_marshal_then_unmarshal (the round-trip
  goes through "[redacted]" intentionally — JSON-marshal-then-
  unmarshal of a Config with secrets is NOT a supported test pattern;
  callers that construct a rawConfig must use a JSON literal with
  the real values).

Per-connector migration:

- EJBCA (ejbca.go): Config.Token: string → *secret.Ref. ValidateConfig
  empty-check uses Token.IsEmpty() (nil-safe). setAuthHeaders rewritten
  to call Token.Use; the Bearer header string is built inside the
  callback and the buffer is zeroed on return. mTLS path is
  unaffected.

- GlobalSign (globalsign.go): Config.APIKey + Config.APISecret: string
  → *secret.Ref. Both ValidateConfig empty-checks use IsEmpty().
  Extracted setAuthHeaders helper consolidates the four duplicated
  triple-Set sites (ValidateConfig probe, IssueCertificate,
  RevokeCertificate, pollCertificateOnce) so any future header-shape
  change applies once. ValidateConfig now pulls from the local cfg
  (post-Unmarshal) so the helper takes a *Config rather than the
  receiver — needed because ValidateConfig writes the validated cfg
  onto c.config only AFTER the probe succeeds.

- Sectigo (sectigo.go): Config.Login + Config.Password: string →
  *secret.Ref. CustomerURI stays plain string (org identifier, not
  a credential). setAuthHeaders rewritten to call Login.Use +
  Password.Use; ValidateConfig's inline header writes use the same
  pattern (the ValidateConfig probe writes to a local cfg, not
  c.config, so it can't share setAuthHeaders without rewiring — the
  inline form is fine, kept consistent in shape).

Test migration:

- ejbca_test.go, ejbca_failure_test.go, ejbca_stubs_test.go: bulk
  Token: "X" → Token: secret.NewRefFromString("X") via sed; secret
  import added.
- globalsign_test.go, globalsign_failure_test.go: same pattern for
  APIKey + APISecret.
- sectigo_test.go, sectigo_failure_test.go: same pattern for Login +
  Password.

Two tests (TestGlobalSign_ServerTLSConfig/PinnedCA_TrustsExpectedServer
and TestSectigoConnector/ValidateConfig_Success) used to construct
rawConfig via json.Marshal(config) → ValidateConfig(rawConfig). After
the migration, json.Marshal redacts *secret.Ref to "[redacted]" by
design, so the roundtripped rawConfig wrote "[redacted]" as the
actual header value and the mock server's auth-header check 403'd.
Both tests now build rawConfig as a JSON literal (the production-
shape input — the factory path always feeds rawConfig from the DB
or env, never from json.Marshal of an in-memory Config). The new
tests have a comment explaining the trap so the next person who
adds a similar test sees the pattern.

Out of scope (intentional):

- The `internal/config/config.SectigoConfig` / `GlobalSignConfig` /
  `EJBCAConfig` env-var-loader structs are still plain strings —
  those types are the env-load shape, not the steady-state runtime
  shape. The seed path in service/issuer.go json-marshals them into
  a map[string]interface{} which the factory then UnmarshalJSON's
  into the connector Config; the new UnmarshalJSON on *Ref handles
  the conversion at the boundary.
- DigiCert.APIKey + Vault.Token are still plain strings; Phase 3
  will pick them up. The audit explicitly named EJBCA / GlobalSign /
  Sectigo as the Phase 2 scope (RESULTS.md L633).

Verified locally:
- gofmt -l . clean
- go vet ./... clean
- staticcheck across all four packages clean
- go test -short -count=1 across secret, ejbca, globalsign, sectigo,
  issuerfactory, service, api/handler: green

Audit reference: cowork/issuer-coverage-audit-2026-05-01/RESULTS.md
Top-10 fix #6 — Phase 2.
2026-05-02 12:53:58 +00:00

257 lines
7.1 KiB
Go
Raw Blame History

// Copyright (c) certctl
// SPDX-License-Identifier: BSL-1.1
package secret
import (
"bytes"
"encoding/json"
"errors"
"fmt"
"io"
"testing"
)
// TestRef_UseExposesBytesAndZeros — the canonical contract: Use
// hands fn a buffer containing the credential, fn reads it, and
// after fn returns the buffer is overwritten with zeros.
func TestRef_UseExposesBytesAndZeros(t *testing.T) {
r := NewRefFromString("secret-token")
var captured []byte
err := r.Use(func(buf []byte) error {
// Copy so we can inspect post-zero behavior — the original
// buf is going to be zeroed by Use's defer.
captured = make([]byte, len(buf))
copy(captured, buf)
if string(buf) != "secret-token" {
t.Errorf("Use: want bytes 'secret-token', got %q", buf)
}
return nil
})
if err != nil {
t.Fatalf("Use: %v", err)
}
if string(captured) != "secret-token" {
t.Errorf("captured bytes: want 'secret-token', got %q", captured)
}
}
// TestRef_BufferZeroedAfterUse — the load-bearing security property.
// Without zeroing, the credential lingers in the heap and is trivially
// extractable from a process dump. We assert via Use's internal-state
// observation: a slice escape (with a known anti-pattern) reads zeros
// after Use returns.
func TestRef_BufferZeroedAfterUse(t *testing.T) {
r := NewRefFromString("very-secret")
// Anti-pattern: capture the slice header and read it after Use.
// In production code this is a bug (caller must not retain the
// slice). The test exercises the bug to assert the buffer was
// zeroed.
var escaped []byte
_ = r.Use(func(buf []byte) error {
escaped = buf
return nil
})
// After Use, the slice should be all zeros.
for i, b := range escaped {
if b != 0 {
t.Errorf("byte %d not zeroed: 0x%02x", i, b)
}
}
}
// TestRef_WriteTo writes the secret to a writer and asserts the
// write happened correctly + the staging buffer is zeroed.
func TestRef_WriteTo(t *testing.T) {
r := NewRefFromString("Bearer abc123")
var buf bytes.Buffer
n, err := r.WriteTo(&buf)
if err != nil {
t.Fatalf("WriteTo: %v", err)
}
if int64(buf.Len()) != n {
t.Errorf("WriteTo: want %d bytes, got %d", buf.Len(), n)
}
if buf.String() != "Bearer abc123" {
t.Errorf("WriteTo: wrong bytes, got %q", buf.String())
}
}
// TestRef_StringRedacted — Ref.String() must NEVER return the
// underlying bytes. Catches accidental fmt.Sprintf("%v", cfg) leaks.
func TestRef_StringRedacted(t *testing.T) {
r := NewRefFromString("super-secret-token")
got := r.String()
if got != "[redacted]" {
t.Errorf("String: want '[redacted]', got %q", got)
}
// Test the implicit fmt.Stringer interface too.
got = fmt.Sprintf("%v", r)
if got != "[redacted]" {
t.Errorf("fmt.Sprintf: want '[redacted]', got %q", got)
}
}
// TestRef_MarshalJSONRedacted — JSON-encoding a Ref returns
// "[redacted]". Catches API-surface leak via GET /issuers etc.
func TestRef_MarshalJSONRedacted(t *testing.T) {
r := NewRefFromString("my-api-key")
got, err := json.Marshal(r)
if err != nil {
t.Fatalf("Marshal: %v", err)
}
if string(got) != `"[redacted]"` {
t.Errorf("MarshalJSON: want '\"[redacted]\"', got %s", got)
}
}
// TestRef_MarshalJSONInStruct — a config struct holding a *Ref
// field marshals with the credential redacted.
func TestRef_MarshalJSONInStruct(t *testing.T) {
cfg := struct {
Name string `json:"name"`
Key *Ref `json:"key"`
}{
Name: "globalsign",
Key: NewRefFromString("the-key"),
}
got, err := json.Marshal(cfg)
if err != nil {
t.Fatalf("Marshal: %v", err)
}
want := `{"name":"globalsign","key":"[redacted]"}`
if string(got) != want {
t.Errorf("MarshalJSON struct: want %s, got %s", want, got)
}
}
// TestRef_NilSafety — calling methods on a nil *Ref returns errors,
// not panics. Defensive programming for paths that haven't wired
// the Ref yet.
func TestRef_NilSafety(t *testing.T) {
var r *Ref
if got := r.String(); got != "[redacted]" {
t.Errorf("nil Ref.String: want '[redacted]', got %q", got)
}
// Use on nil returns an error, doesn't panic.
if err := r.Use(func(buf []byte) error { return nil }); err == nil {
t.Error("Use on nil Ref: expected error")
}
// WriteTo on nil returns an error, doesn't panic.
if _, err := r.WriteTo(io.Discard); err == nil {
t.Error("WriteTo on nil Ref: expected error")
}
if !r.IsEmpty() {
t.Error("IsEmpty on nil Ref: want true")
}
}
// TestRef_SourceErrorPropagated — when the source closure returns
// an error (decrypt failure, etc.), Use propagates it.
func TestRef_SourceErrorPropagated(t *testing.T) {
sentinel := errors.New("decrypt failed")
r := NewRef(func() ([]byte, error) { return nil, sentinel })
err := r.Use(func(buf []byte) error {
t.Error("fn should not be called when source errors")
return nil
})
if !errors.Is(err, sentinel) {
t.Errorf("Use: want sentinel in chain, got %v", err)
}
}
// TestRef_IsEmpty — empty source returns IsEmpty=true.
func TestRef_IsEmpty(t *testing.T) {
if !NewRefFromString("").IsEmpty() {
t.Error("empty string Ref: want IsEmpty=true")
}
if NewRefFromString("x").IsEmpty() {
t.Error("non-empty Ref: want IsEmpty=false")
}
}
// TestRef_UnmarshalJSON — parse a JSON string into a Ref via
// NewRefFromString. Required for the factory's JSON-deserialization
// path that loads issuer configs from the DB.
func TestRef_UnmarshalJSON(t *testing.T) {
type cfg struct {
Token *Ref `json:"token"`
}
t.Run("string_value", func(t *testing.T) {
var c cfg
if err := json.Unmarshal([]byte(`{"token":"my-secret-token"}`), &c); err != nil {
t.Fatalf("Unmarshal: %v", err)
}
if c.Token == nil {
t.Fatal("expected non-nil Ref")
}
_ = c.Token.Use(func(buf []byte) error {
if string(buf) != "my-secret-token" {
t.Errorf("Use: want 'my-secret-token', got %q", buf)
}
return nil
})
})
t.Run("null", func(t *testing.T) {
var c cfg
if err := json.Unmarshal([]byte(`{"token":null}`), &c); err != nil {
t.Fatalf("Unmarshal: %v", err)
}
if c.Token != nil {
t.Errorf("null should leave Ref nil, got %v", c.Token)
}
})
t.Run("missing_key", func(t *testing.T) {
var c cfg
if err := json.Unmarshal([]byte(`{}`), &c); err != nil {
t.Fatalf("Unmarshal: %v", err)
}
if c.Token != nil {
t.Error("missing key should leave Ref nil")
}
})
t.Run("number_rejected", func(t *testing.T) {
var c cfg
err := json.Unmarshal([]byte(`{"token":123}`), &c)
if err == nil {
t.Error("expected error for non-string Ref input")
}
})
t.Run("roundtrip_marshal_then_unmarshal", func(t *testing.T) {
// Marshal returns "[redacted]" — round-tripping through
// Unmarshal would store the string "[redacted]" as the
// new credential. Documented behavior; operators marshal
// for inspection, not for re-loading.
original := cfg{Token: NewRefFromString("real-secret")}
marshaled, err := json.Marshal(original)
if err != nil {
t.Fatalf("Marshal: %v", err)
}
if string(marshaled) != `{"token":"[redacted]"}` {
t.Errorf("Marshal: got %s", marshaled)
}
})
}
// TestZero — direct test of the zero helper to lock the
// implementation: every byte set to 0.
func TestZero(t *testing.T) {
b := []byte("not-zero")
zero(b)
for i, x := range b {
if x != 0 {
t.Errorf("byte %d: want 0, got %d", i, x)
}
}
}
Reference in New Issue View Git Blame Copy Permalink