gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-11 20:08:54 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
b1ff59dbf28faedd7b5ecf17e9aa4160a6ab6e7c
certctl/internal/connector/target/wincertstore/validate_only_test.go
T
claude 975d1850eb feat(ssh,wincertstore,javakeystore,k8ssecret): explicit ValidateOnly + leverage existing connectors 
Phase 9 of the deploy-hardening I master bundle. The four
non-file-server connectors get real ValidateOnly probes that
operators use to preview a deploy without touching the live cert.
Existing DeployCertificate paths already have explicit backup +
rollback semantics (SCP backup / WinCertStore Get-ChildItem
snapshot / keytool snapshot / K8s atomic API).

SSH (validate_only.go):
- Probes via SSHClient.Connect. Confirms agent reachability +
  credentials. Cheap (no remote command runs); released cleanly
  via defer Close.
- A true SCP dry-run requires a no-commit upload (SCP doesn't
  have one). V2 ships the auth probe as the load-bearing check.
- 3 new tests in validate_only_test.go.

WinCertStore (validate_only.go):
- Probes via PowerShell `Get-ChildItem -Path Cert:\<loc>\<store>`
  using the configured StoreLocation + StoreName (defaults
  LocalMachine\My).
- Confirms agent has Windows + the IIS module + the right ACLs.
- 4 new tests including default-store-path verification.

JavaKeystore (validate_only.go):
- Probes via `keytool -list -keystore <path> -storepass <pass>`
  using the configured KeystorePath / KeystorePassword and
  KeytoolPath (default "keytool").
- Confirms keystore exists, password is correct, JRE is on PATH.
- 4 new tests covering succeeds / fails / no-path-sentinel /
  nil-executor-sentinel.

K8s Secret (validate_only.go):
- Probes via K8sClient.GetSecret on the configured Namespace +
  SecretName. Returns nil on success or "not found" (the
  CreateSecret path on Deploy will handle it). Other errors
  (forbidden/unreachable) surface as wrapped.
- 4 new tests covering succeeds / RBAC-error wrapped /
  no-config-sentinel / nil-client-sentinel.

Smoke test connectorsAtPhase3 list shrunk from 7 to 3 entries
(ssh + wincertstore + javakeystore + k8ssecret removed). Only
caddy (file-mode) + envoy + traefik remain — those three
genuinely have no validate-with-target command available.

Race detector clean across all 13 connectors. golangci-lint
v2.11.4 clean.

Phase 10 next: DeployCounters + Prometheus exposer mirroring the
production-hardening-II OCSP counter pattern.
2026-04-30 15:22:17 +00:00

63 lines
1.9 KiB
Go
Raw Blame History

package wincertstore
import (
"context"
"errors"
"strings"
"testing"
"github.com/shankar0123/certctl/internal/connector/target"
)
type stubExec struct {
out string
err error
}
func (s *stubExec) Execute(_ context.Context, _ string) (string, error) { return s.out, s.err }
func TestWinCertStore_ValidateOnly_Succeeds(t *testing.T) {
c := NewWithExecutor(&Config{StoreName: "My", StoreLocation: "LocalMachine"}, nil, &stubExec{out: "ABC123"})
if err := c.ValidateOnly(context.Background(), target.DeploymentRequest{}); err != nil {
t.Errorf("got %v", err)
}
}
func TestWinCertStore_ValidateOnly_Fails(t *testing.T) {
c := NewWithExecutor(&Config{StoreName: "My"}, nil, &stubExec{err: errors.New("access denied")})
err := c.ValidateOnly(context.Background(), target.DeploymentRequest{})
if err == nil || !strings.Contains(err.Error(), "access denied") {
t.Errorf("got %v", err)
}
}
func TestWinCertStore_ValidateOnly_NilExec_Sentinel(t *testing.T) {
c := &Connector{config: &Config{}}
if err := c.ValidateOnly(context.Background(), target.DeploymentRequest{}); !errors.Is(err, target.ErrValidateOnlyNotSupported) {
t.Errorf("got %v", err)
}
}
func TestWinCertStore_ValidateOnly_DefaultStore_LocalMachineMy(t *testing.T) {
captured := ""
exec := capture{out: "x", capt: &captured}
c := NewWithExecutor(&Config{}, nil, &exec)
c.ValidateOnly(context.Background(), target.DeploymentRequest{})
// Backslash escaping in PowerShell-string + Go-string: the
// final script literal contains "Cert:\\LocalMachine\\My" once
// quoted via %q in fmt.Sprintf. Match against the doubled form.
if !strings.Contains(captured, `LocalMachine\\My`) && !strings.Contains(captured, `LocalMachine\My`) {
t.Errorf("default store path not in script: %q", captured)
}
}
type capture struct {
out string
capt *string
}
func (c capture) Execute(_ context.Context, script string) (string, error) {
*c.capt = script
return c.out, nil
}
Reference in New Issue View Git Blame Copy Permalink