gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 22:01:36 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
93e00f6a5e7f70c76c6a73f010b9c33bfe68130e
certctl/docs/testing/skip-inventory.md
T
shankar0123 c8985cf868 fix(ratelimit): Hotfix #5 — Postgres timestamptz[] scan + skip-inventory drift 
Two CI hotfixes surfaced by master CI on 29cb13e7 (Sprint 13.6 tip
before the Sprint 13.7 closure landed):

1. TestRateLimit_PostgresBackend_CapEnforcedAcrossReplicas failed with
   "pq: scanning to time.Time is not implemented; only sql.Scanner".
   Root cause: time.Time does not implement sql.Scanner, and lib/pq's
   pq.GenericArray scan path calls element-Scan() directly rather than
   database/sql's convertAssign (which DOES support time conversions).
   So `pq.Array(&[]time.Time{})` reliably fails on read even though
   the symmetric write `pq.Array([]time.Time{...})` works (the write
   path uses driver.Value() which time.Time implements).

   Fix: cast the timestamptz[] to a text[] of canonical ISO 8601 UTC
   strings at the SQL boundary via to_char(t AT TIME ZONE 'UTC',
   'YYYY-MM-DD"T"HH24:MI:SS.US"Z"'), read via pq.StringArray (well-
   supported), and parse Go-side with layout "2006-01-02T15:04:05.000000Z".
   The format is fully deterministic regardless of the session's
   DateStyle or TimeZone settings.

   Touched: internal/ratelimit/postgres_sliding_window.go (Step 2 of
   the Allow() transaction — locking + read).

   Falsifiable proof on CI: the failing test
   TestRateLimit_PostgresBackend_CapEnforcedAcrossReplicas
   (100 concurrent Allow calls / 3 replicas / cap=10) must now produce
   exactly 10 succeed / 90 ErrRateLimited. Pre-fix it produced 1 / 0
   because every Allow after the first crashed on Scan.

2. skip-inventory-drift.sh CI guard turned red because Sprint 13.2
   added two new t.Skip sites:

     internal/ratelimit/equivalence_test.go:80
       t.Skip("race-style test under -short")
     internal/ratelimit/equivalence_test.go:88
       t.Skip("postgres equivalence tests require testcontainers;
              skipped under -short")

   The inventory at docs/testing/skip-inventory.md is auto-generated
   by scripts/skip-inventory.sh and must be re-generated alongside
   any t.Skip churn. Sprint 13.2 missed the regeneration.

   Fix: re-ran scripts/skip-inventory.sh. Totals walked
   142 → 144 sites; testing.Short() guards 76 → 78. The two new
   entries land in the internal/ratelimit section.

Verification (local sandbox, all clean):
  $ bash scripts/ci-guards/skip-inventory-drift.sh
    skip-inventory-drift guard OK: docs/testing/skip-inventory.md
    matches the live tree
  $ bash scripts/ci-guards/openapi-handler-parity.sh
    openapi-handler-parity: clean.
  $ bash scripts/ci-guards/openapi-rest-deferred-monotonic.sh
    openapi-rest-deferred-monotonic: clean — rest-deferred = 0,
    baseline = 0.
  $ gofmt -l internal/ratelimit/postgres_sliding_window.go
    (no output)
  $ go vet ./internal/ratelimit/
    (no output)

The Postgres rate-limit fix's full falsifiable proof
(TestRateLimit_PostgresBackend_CapEnforcedAcrossReplicas) cannot be
exercised in the sandbox (no docker for testcontainers); CI on the
amd64 runner will re-run it on this push. The diagnosis is verified
against lib/pq source semantics and the fix uses only well-supported
primitives (pq.StringArray + canonical to_char output + time.Parse).
2026-05-14 13:26:47 +00:00

18 KiB
Raw Blame History

Test Skip Inventory

Last reviewed: 2026-05-14

Summary

  • Total t.Skip sites: 144
  • testing.Short() guards: 78 (these gate behind go test -short)

Re-run inventory with: ./scripts/skip-inventory.sh.

Sites (grouped by package)

cmd/agent

  • cmd/agent/keymem_test.go:209 — t.Skip("permission semantics differ on windows")
  • cmd/agent/keymem_test.go:425 — t.Skip("permission semantics differ on windows")
  • cmd/agent/keymem_test.go:451 — t.Skip("permission semantics differ on windows")
  • cmd/agent/keymem_test.go:491 — t.Skip("permission semantics differ on windows")
  • cmd/agent/keymem_test.go:523 — t.Skip("permission semantics differ on windows")
  • cmd/agent/keymem_test.go:526 — t.Skip("running as root; cannot revoke parent dir write permission")
  • cmd/agent/keymem_test.go:553 — t.Skip("permission semantics differ on windows")
  • cmd/agent/keymem_test.go:556 — t.Skip("running as root; cannot revoke parent dir read+exec permission")
  • cmd/agent/keymem_test.go:623 — t.Skip("chmod-error branch is only reliably triggerable on linux via /sys (read-only fs)")
  • cmd/agent/keymem_test.go:631 — t.Skipf("/sys/kernel not stat-able as a dir on this host; skipping (%v)", err)
  • cmd/agent/keymem_test.go:637 — t.Skipf("/sys/kernel mode %#o already satisfies no-chmod branch", mode)
  • cmd/agent/keymem_test.go:652 — t.Skip("permission semantics differ on windows")
  • cmd/agent/keymem_test.go:655 — t.Skip("running as root; cannot revoke parent dir write permission")
  • cmd/agent/keymem_test.go:686 — t.Skip("permission semantics differ on windows")
  • cmd/agent/verify_test.go:402 — t.Skip("no TLS certificates configured on test server")

cmd/server

  • cmd/server/preflight_demo_residual_test.go:41 — t.Skip("preflight A-8 test requires Postgres (testcontainers); skipping under -short")
  • cmd/server/preflight_demo_residual_test.go:97 — t.Skip("A-8 testcontainers unavailable; skipping")

deploy/test/acme-integration

  • deploy/test/acme-integration/certmanager_test.go:54 — t.Skip("KIND_AVAILABLE unset — kind-driven cert-manager integration test skipped")

deploy/test

  • deploy/test/crl_ocsp_e2e_test.go:134 — t.Skip("integration only")
  • deploy/test/crl_ocsp_e2e_test.go:65 — t.Skip("integration only")
  • deploy/test/est_e2e_test.go:124 — t.Skip("integration tests require INTEGRATION=1; skipping libest e2e suite")
  • deploy/test/est_e2e_test.go:129 — t.Skipf("libest sidecar (container %q) not running (status=%q). Run cd deploy && docker compose -f docker-compose.test.yml --profile est-e2e up -d libest-client to bring it up.", libestContainer, status)
  • deploy/test/est_e2e_test.go:213 — t.Skip("/config/certs/bootstrap.pem not present in libest sidecar — skipping mTLS path. To enable: mint a bootstrap cert against the per-profile mTLS trust anchor and copy into deploy/test/certs/.")
  • deploy/test/est_e2e_test.go:252 — t.Skip("server-keygen disabled on the e2e EST profile (HTTP 404). Enable via CERTCTL_EST_PROFILE_E2E_SERVER_KEYGEN_ENABLED=true in docker-compose.test.yml.")
  • deploy/test/est_e2e_test.go:333 — t.Skipf("libest build lacks --tls-exporter support: %v", err)
  • deploy/test/healthcheck_test.go:102 — t.Skip("docker not available — skipping image-level HEALTHCHECK test")
  • deploy/test/healthcheck_test.go:163 — t.Skip("docker not available — skipping image-level HEALTHCHECK test")
  • deploy/test/healthcheck_test.go:224 — t.Skip("docker not available — skipping runtime HEALTHCHECK test")
  • deploy/test/healthcheck_test.go:227 — t.Skip("runtime HEALTHCHECK test takes ~45s; skipping under -short")
  • deploy/test/healthcheck_test.go:229 — t.Skip("runtime probe contract not yet wired to a sidecar postgres; " +
  • deploy/test/healthcheck_test.go:28 — // The tests skip cleanly with t.Skip when docker is not available
  • deploy/test/healthcheck_test.go:32 — // Q-1 closure (cat-s3-58ce7e9840be): this file's 5 t.Skip sites are
  • deploy/test/healthcheck_test.go:41 — // - Line 212: hard t.Skip for the runtime probe contract — image-spec
  • deploy/test/integration_test.go:1129 — t.Skip("no PEM data in certificate version")
  • deploy/test/integration_test.go:513 — t.Skip("agent not yet online (may be slow to heartbeat)")
  • deploy/test/integration_test.go:805 — t.Skip("depends on Phase04 (Local CA cert not created)")
  • deploy/test/integration_test.go:901 — t.Skip("no discovered certificates yet (agent scan may not have run)")
  • deploy/test/integration_test.go:942 — t.Skip("no certificate in Active state for renewal test")
  • deploy/test/integration_test.go:954 — t.Skipf("renewal trigger returned: %s", body)
  • deploy/test/nginx_vendor_e2e_test.go:108 — t.Skip()
  • deploy/test/qa_test.go:1055 — t.Skip("Part 23 (S/MIME & EKU) is documented in docs/testing-guide.md::Part 23 " +
  • deploy/test/qa_test.go:1065 — t.Skip("Part 24 (OCSP/CRL) is documented in docs/testing-guide.md::Part 24 " +
  • deploy/test/qa_test.go:1175 — t.Skip("Requires compiled certctl-cli binary — manual test")
  • deploy/test/qa_test.go:1179 — t.Skip("Requires compiled mcp-server binary + stdio — manual test")
  • deploy/test/qa_test.go:1313 — t.Skip("Scheduler tests are timing-dependent — verify via Docker logs manually")
  • deploy/test/qa_test.go:1320 — t.Skip("Requires Docker log inspection — manual test")
  • deploy/test/qa_test.go:1327 — t.Skip("Requires browser — manual test")
  • deploy/test/qa_test.go:1334 — t.Skip("Requires browser — manual test")
  • deploy/test/qa_test.go:1338 — t.Skip("Requires browser — manual test")
  • deploy/test/qa_test.go:1914 — t.Skip("Part 55 (Agent Soft-Retirement) is documented in docs/testing-guide.md::Part 55 " +
  • deploy/test/qa_test.go:1924 — t.Skip("Part 56 (Notification Retry/Dead-Letter) is documented in docs/testing-guide.md::Part 56 " +
  • deploy/test/qa_test.go:38 — // Q-1 closure (cat-s3-58ce7e9840be): this file contains 11 `t.Skip("Requires
  • deploy/test/qa_test.go:46 — // the runtime t.Skip is the second-line guard for operators who run
  • deploy/test/qa_test.go:50 — // is correct, and the t.Skip messages already name the missing
  • deploy/test/qa_test.go:870 — t.Skip("Requires CA cert+key setup — manual test")
  • deploy/test/qa_test.go:874 — t.Skip("Requires ACME CA with ARI support — manual test")
  • deploy/test/qa_test.go:881 — t.Skip("Requires live Vault server — manual test")
  • deploy/test/qa_test.go:885 — t.Skip("Requires DigiCert sandbox — manual test")
  • deploy/test/scep_intune_e2e_test.go:159 — t.Skipf("integration stack not reachable at %s: %v — start docker-compose.test.yml first", serverURL, err)
  • deploy/test/scep_intune_e2e_test.go:163 — t.Skipf("/scep/%s not configured — see deploy/docker-compose.test.yml for the e2eintune profile env vars", e2eintunePathID)
  • deploy/test/scep_intune_e2e_test.go:166 — t.Skipf("/scep/%s GetCACaps returned %d — Intune profile may not be enabled in compose env", e2eintunePathID, resp.StatusCode)
  • deploy/test/scep_intune_e2e_test.go:170 — t.Skipf("/scep/%s GetCACaps body=%q does NOT advertise SCEPStandard — Intune profile may be misconfigured", e2eintunePathID, string(body))
  • deploy/test/vendor_e2e_helpers_smoke_test.go:31 — t.Skip("requires network egress to api.github.com (or similar known TLS endpoint); run manually")
  • deploy/test/vendor_e2e_helpers_smoke_test.go:36 — t.Skip("requires network egress; run manually")
  • deploy/test/vendor_e2e_helpers_smoke_test.go:41 — // When hostPath is empty the helper t.Skip's. Re-run-from-

internal/api/handler

  • internal/api/handler/health_test.go:481 — t.Skip("integration-style test; covered by deploy/test/integration_test.go (//go:build integration). " +
  • internal/api/handler/health_test.go:499 — t.Skipf("postgres driver unavailable in this build: %v", err)

internal/auth/breakglass

  • internal/auth/breakglass/service_test.go:417 — t.Skip("timing test skipped in -short mode (Argon2id is expensive)")

internal/auth/oidc/domain

  • internal/auth/oidc/domain/types_test.go:186 — t.Skip()

internal/auth/oidc

  • internal/auth/oidc/bench_keycloak_test.go:103 — // signature matters because it calls t.Skip / t.Fatal / t.Cleanup.
  • internal/auth/oidc/integration_keycloak_test.go:53 — // initialized in keycloakFor() so individual tests can t.Skip under
  • internal/auth/oidc/integration_okta_smoke_test.go:64 — // If any required env var is missing, the test t.Skip's with a clear
  • internal/auth/oidc/integration_okta_smoke_test.go:84 — t.Skipf("Okta smoke test requires env vars: %s — skipping", strings.Join(missing, ", "))

internal/ciparity

  • internal/ciparity/surface_parity_test.go:113 — // readFileOrSkip reads a file; on ENOENT, calls t.Skipf rather than

internal/connector/issuer/acme

  • internal/connector/issuer/acme/acme_failure_test.go:687 — t.Skipf("could not bind challenge server (env may not allow): %v", err)

internal/connector/issuer/local

  • internal/connector/issuer/local/bundle9_coverage_test.go:467 — t.Skip("unexpectedly short DER")
  • internal/connector/issuer/local/bundle9_coverage_test.go:592 — t.Skip("permission semantics differ on windows")
  • internal/connector/issuer/local/bundle9_coverage_test.go:609 — t.Skip("permission semantics differ on windows")
  • internal/connector/issuer/local/bundle9_coverage_test.go:621 — t.Skip("permission semantics differ on windows")
  • internal/connector/issuer/local/bundle9_coverage_test.go:653 — t.Skip("permission semantics differ on windows")

internal/connector/issuer/openssl

  • internal/connector/issuer/openssl/openssl_failure_test.go:124 — t.Skip("running as root; chmod 0o600 doesn't gate execution for uid 0")
  • internal/connector/issuer/openssl/openssl_failure_test.go:71 — t.Skip("openssl adapter shell-out tests assume POSIX bash; skipping on Windows")

internal/connector/notifier/email

  • internal/connector/notifier/email/email_test.go:425 — t.Skip("test requires no service on smtp.example.com:587")
  • internal/connector/notifier/email/email_test.go:503 — t.Skip("test assumes no service on 127.0.0.1:54321")

internal/connector/target/iis

  • internal/connector/target/iis/iis_test.go:225 — t.Skip("Skipping: powershell.exe not available (non-Windows)")
  • internal/connector/target/iis/iis_test.go:92 — t.Skip("Skipping: powershell.exe not available (non-Windows)")

internal/crypto

  • internal/crypto/encryption_property_test.go:35 — t.Skip("skipping property-based test in -short mode (PBKDF2 600k rounds × 50 iters > short budget)")
  • internal/crypto/encryption_property_test.go:75 — t.Skip("skipping property-based test in -short mode (PBKDF2 cost)")

internal/deploy

  • internal/deploy/coverage_test.go:403 — t.Skip("read-only chmod doesn't restrict root")
  • internal/deploy/coverage_test.go:467 — t.Skip("non-unix")
  • internal/deploy/deploy_test.go:611 — t.Skip("non-unix platform")

internal/ratelimit

  • internal/ratelimit/equivalence_test.go:80 — t.Skip("race-style test under -short")
  • internal/ratelimit/equivalence_test.go:88 — t.Skip("postgres equivalence tests require testcontainers; skipped under -short")
  • internal/ratelimit/sliding_window_test.go:146 — t.Skip("race-style test under -short")

internal/repository/postgres

  • internal/repository/postgres/audit_worm_test.go:29 — t.Skip("skipping integration test in short mode")
  • internal/repository/postgres/auth_revoke_scope_test.go:118 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_revoke_scope_test.go:149 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_revoke_scope_test.go:179 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_revoke_scope_test.go:208 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_revoke_scope_test.go:56 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_revoke_scope_test.go:87 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:123 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:153 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:181 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:207 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:229 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:252 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:281 — t.Skip("integration test in short mode")
  • internal/repository/postgres/auth_scope_test.go:95 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_encryption_invariant_test.go:160 — t.Skip("Phase 13 encryption invariant: integration test in short mode")
  • internal/repository/postgres/oidc_encryption_invariant_test.go:225 — t.Skip("Phase 13 encryption invariant: integration test in short mode")
  • internal/repository/postgres/oidc_encryption_invariant_test.go:62 — t.Skip("Phase 13 encryption invariant: integration test in short mode")
  • internal/repository/postgres/oidc_prelogin_encryption_test.go:163 — t.Skip("HIGH-5 legacy fallback: integration test in short mode")
  • internal/repository/postgres/oidc_prelogin_encryption_test.go:42 — t.Skip("HIGH-5 encryption invariant: integration test in short mode")
  • internal/repository/postgres/oidc_test.go:117 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:140 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:171 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:185 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:209 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:239 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:301 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:331 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:45 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:82 — t.Skip("integration test in short mode")
  • internal/repository/postgres/oidc_test.go:96 — t.Skip("integration test in short mode")
  • internal/repository/postgres/repo_test.go:1944 — t.Skip("integration test requires PostgreSQL")
  • internal/repository/postgres/repo_test.go:2003 — t.Skip("integration test requires PostgreSQL")
  • internal/repository/postgres/repo_test.go:2114 — t.Skip("integration test requires PostgreSQL")
  • internal/repository/postgres/seed_test.go:91 — t.Skip("skipping integration test in short mode")
  • internal/repository/postgres/session_test.go:100 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:120 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:167 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:197 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:211 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:246 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:259 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:29 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:307 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:340 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:407 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:54 — t.Skip("integration test in short mode")
  • internal/repository/postgres/session_test.go:86 — t.Skip("integration test in short mode")
  • internal/repository/postgres/testutil_test.go:39 — t.Skip("skipping integration test in short mode")
  • internal/repository/postgres/user_test.go:106 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:131 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:170 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:210 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:29 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:302 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:339 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:374 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:59 — t.Skip("integration test in short mode")
  • internal/repository/postgres/user_test.go:73 — t.Skip("integration test in short mode")

internal/scep/intune

  • internal/scep/intune/challenge_golden_test.go:47 — t.Skip("regenerate fixtures only when -update-golden is passed")
  • internal/scep/intune/challenge_test.go:213 — t.Skip("encoder didn't produce padding for this fixture; skipping")
  • internal/scep/intune/rate_limit_test.go:139 — t.Skip("race-style test under -short")
  • internal/scep/intune/replay_test.go:131 — t.Skip("race-style test under -short; run full suite for coverage")

internal/service

  • internal/service/coverage_extras_test.go:374 — t.Skipf("RSA keygen unavailable: %v", err)
  • internal/service/coverage_extras_test.go:394 — t.Skipf("ECDSA keygen unavailable: %v", err)
Reference in New Issue View Git Blame Copy Permalink