gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 19:21:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
ba0959ddc7be929693fa0d953fd58ea7305642c4
certctl/internal/service/ocsp_response_cache_real_test.go
T
shankar0123 8b75e0311b chore: rename Go module path to github.com/certctl-io/certctl 
Mechanical sed across the main go.mod's module declaration, the f5-mock-icontrol
sub-module's go.mod, every Go file's import path (361 files), and a rebuild of
the checked-in f5-mock-icontrol binary so its embedded build-info reflects the
new module path. No behavior change.

Choice B from cowork/transfer-certctl-to-org.md, executed 2026-05-04. Choice A
(keep module path declared as github.com/shankar0123/certctl regardless of
repo URL) shipped on the day of the org transfer (2026-05-03) since we had no
external Go consumers; this commit closes that deferral.

Backward-compat: GitHub HTTP redirects continue to forward
github.com/shankar0123/certctl → github.com/certctl-io/certctl at the URL
level, but Go's module proxy uses the path declared in go.mod as the
canonical name. Pre-fix, anyone trying `go get github.com/certctl-io/certctl/...`
hit a "module path mismatch" error because go.mod said
github.com/shankar0123/certctl and the URL they fetched it from said
certctl-io/certctl. Post-fix, the canonical name and the URL agree, so
go get / go install / external Go consumers / Go-tooling integrations
work cleanly via either the new path (preferred) or the old path (which
redirects and Go follows the redirect for source fetch).

Anyone still importing the old path inside their own code keeps working
provided they update their go.mod's `require` line to match — the module
path declared in their consumer's go.sum / go.mod is the authoritative
import name, so a mass sed across their import statements is the migration
on the consumer side. No external consumers exist today.

Diff shape:
  361 *.go files  — import path replacement only
    2 go.mod     — module declaration replacement only
    1 binary     — deploy/test/f5-mock-icontrol/f5-mock-icontrol rebuilt
                   so embedded build-info reflects the new path (8618965 vs
                   8618933 bytes; 32-byte diff is the build-info change)

  Total: 364 files, 730 insertions / 730 deletions, net-zero size, pure
  mechanical substitution.

Verification:
  gofmt: 17 files needed re-alignment after sed (the new path is one char
    shorter than the old, so column-aligned import groups drifted). Applied
    `gofmt -w` to fix.
  go mod tidy: clean exit on both modules.
  go vet ./...: clean exit.
  go build ./...: clean exit.
  go test -short -count=1 on representative packages: all green
    (internal/domain, internal/validation, internal/crypto, internal/crypto/signer,
    cmd/agent). Test output now reads `ok github.com/certctl-io/certctl/...`
    confirming the module path resolves correctly.
  binary: f5-mock-icontrol rebuilt; `strings | grep shankar0123` returns
    nothing; `strings | grep certctl-io/certctl` shows the new module path
    embedded in build-info.

Files intentionally NOT touched in this commit:
  README.md / CHANGELOG.md / docs/ / etc. — already swept to certctl-io
    URLs in commit 0729ee4 (the post-transfer URL refresh). This commit is
    purely the Go-tooling layer.
  Scarf pixels (`shankar0123.docker.scarf.sh/...`) — Scarf-account
    namespace, not a Go import or GitHub repo URL. Stays.

This is a non-blocking, non-customer-impacting change. Operators pulling
container images, running `make verify`, hitting the API, or installing the
agent see no functional difference. Only Go-tooling consumers (none today)
are affected, and they're enabled — not broken — by this commit.
2026-05-04 00:30:29 +00:00

298 lines
10 KiB
Go
Raw Blame History

package service
import (
"context"
"errors"
"io"
"log/slog"
"sync"
"testing"
"time"
"github.com/certctl-io/certctl/internal/domain"
)
// Production hardening II Phase 2 — exercise the REAL OCSPResponseCacheService
// (not the test-harness mirror in ocsp_response_cache_test.go) wired against
// a real CAOperationsSvc + mockIssuerConnector. Closes the coverage gap on:
//
// - OCSPResponseCacheService.Get (cache miss → live-sign → write-back)
// - OCSPResponseCacheService.regenerate (singleflight + cache.Put + the
// cache-write-failure log branch)
// - OCSPResponseCacheService.InvalidateOnRevoke (the load-bearing wire
// into the real revocation flow)
// - OCSPResponseCacheService.CountByIssuer
// - CAOperationsSvc.GetOCSPResponseWithNonce dispatch when cache wired
// - CAOperationsSvc.SetOCSPCacheSvc setter
// - RevocationSvc.SetOCSPCacheInvalidator setter + invalidator wire
// silentLogger returns a slog.Logger that discards everything.
func silentLogger() *slog.Logger {
return slog.New(slog.NewTextHandler(io.Discard, &slog.HandlerOptions{Level: slog.LevelError + 10}))
}
// putErrorRepo wraps the in-memory cache repo and forces Put to fail.
// Used to exercise the "cache write failed (response still valid)"
// log branch in regenerate.
type putErrorRepo struct {
*fakeOCSPCacheRepo
putErr error
}
func (r *putErrorRepo) Put(ctx context.Context, e *domain.OCSPResponseCacheEntry) error {
if r.putErr != nil {
return r.putErr
}
return r.fakeOCSPCacheRepo.Put(ctx, e)
}
// deleteErrorRepo forces Delete to fail; exercises the invalidate-failure
// log branch in InvalidateOnRevoke.
type deleteErrorRepo struct {
*fakeOCSPCacheRepo
deleteErr error
}
func (r *deleteErrorRepo) Delete(ctx context.Context, issuer, serial string) error {
if r.deleteErr != nil {
return r.deleteErr
}
return r.fakeOCSPCacheRepo.Delete(ctx, issuer, serial)
}
func TestOCSPResponseCacheService_RealGet_HappyPath_CachesAfterMiss(t *testing.T) {
caSvc, _, _, _ := newCAOperationsSvcTestWithIssuer()
cacheRepo := newFakeOCSPCacheRepo()
cache := NewOCSPResponseCacheService(cacheRepo, caSvc, NewOCSPCounters(), silentLogger())
// First fetch: cache miss → live-sign via mockIssuerConnector → cache write-back.
der1, err := cache.Get(context.Background(), "iss-local", "deadbeef")
if err != nil {
t.Fatalf("first fetch: %v", err)
}
if len(der1) == 0 {
t.Fatal("expected non-empty DER from live sign")
}
// Cache row now present.
got, _ := cacheRepo.Get(context.Background(), "iss-local", "deadbeef")
if got == nil {
t.Fatal("expected cache row written after miss")
}
// Second fetch: cache hit (returns the same cached bytes).
der2, err := cache.Get(context.Background(), "iss-local", "deadbeef")
if err != nil {
t.Fatalf("second fetch: %v", err)
}
if string(der1) != string(der2) {
t.Errorf("cache returned different bytes than original sign")
}
}
func TestOCSPResponseCacheService_RealGet_CacheWriteFailureIsNonFatal(t *testing.T) {
caSvc, _, _, _ := newCAOperationsSvcTestWithIssuer()
cacheRepo := &putErrorRepo{
fakeOCSPCacheRepo: newFakeOCSPCacheRepo(),
putErr: errors.New("disk full simulation"),
}
cache := NewOCSPResponseCacheService(cacheRepo, caSvc, nil, silentLogger())
// Get: live-sign succeeds, cache.Put fails — the response is still
// valid; we just lose the cache benefit on the next request. The
// caller MUST get a successful response.
der, err := cache.Get(context.Background(), "iss-local", "deadbeef")
if err != nil {
t.Fatalf("expected fail-soft on cache write failure, got %v", err)
}
if len(der) == 0 {
t.Fatal("expected non-empty DER even when cache.Put failed")
}
}
func TestOCSPResponseCacheService_RealGet_StaleEntryRegenerates(t *testing.T) {
caSvc, _, _, _ := newCAOperationsSvcTestWithIssuer()
cacheRepo := newFakeOCSPCacheRepo()
// Pre-populate with a stale entry.
stale := &domain.OCSPResponseCacheEntry{
IssuerID: "iss-local",
SerialHex: "abcd",
ResponseDER: []byte{0x11},
CertStatus: "good",
ThisUpdate: time.Now().Add(-2 * time.Hour),
NextUpdate: time.Now().Add(-1 * time.Hour),
GeneratedAt: time.Now().Add(-2 * time.Hour),
}
_ = cacheRepo.Put(context.Background(), stale)
cache := NewOCSPResponseCacheService(cacheRepo, caSvc, nil, silentLogger())
der, err := cache.Get(context.Background(), "iss-local", "abcd")
if err != nil {
t.Fatalf("get: %v", err)
}
// Stale entry → re-sign produces fresh bytes (different from the
// pre-populated 0x11 placeholder).
if len(der) == 1 && der[0] == 0x11 {
t.Errorf("stale entry should have triggered re-sign; got pre-populated bytes")
}
}
func TestOCSPResponseCacheService_RealInvalidateOnRevoke(t *testing.T) {
caSvc, _, _, _ := newCAOperationsSvcTestWithIssuer()
cacheRepo := newFakeOCSPCacheRepo()
cache := NewOCSPResponseCacheService(cacheRepo, caSvc, nil, silentLogger())
// Pre-populate one row.
_ = cacheRepo.Put(context.Background(), &domain.OCSPResponseCacheEntry{
IssuerID: "iss-local",
SerialHex: "deadbeef",
ResponseDER: []byte{0x42},
CertStatus: "good",
ThisUpdate: time.Now(),
NextUpdate: time.Now().Add(1 * time.Hour),
GeneratedAt: time.Now(),
})
if err := cache.InvalidateOnRevoke(context.Background(), "iss-local", "deadbeef"); err != nil {
t.Fatalf("invalidate: %v", err)
}
got, _ := cacheRepo.Get(context.Background(), "iss-local", "deadbeef")
if got != nil {
t.Errorf("expected cache row deleted after invalidate")
}
}
func TestOCSPResponseCacheService_InvalidateOnRevoke_DeleteFailureSurfacesError(t *testing.T) {
caSvc, _, _, _ := newCAOperationsSvcTestWithIssuer()
cacheRepo := &deleteErrorRepo{
fakeOCSPCacheRepo: newFakeOCSPCacheRepo(),
deleteErr: errors.New("delete failed"),
}
cache := NewOCSPResponseCacheService(cacheRepo, caSvc, nil, silentLogger())
err := cache.InvalidateOnRevoke(context.Background(), "iss-local", "deadbeef")
if err == nil {
t.Errorf("expected error when delete fails, got nil")
}
}
func TestOCSPResponseCacheService_RealCountByIssuer(t *testing.T) {
caSvc, _, _, _ := newCAOperationsSvcTestWithIssuer()
cacheRepo := newFakeOCSPCacheRepo()
cache := NewOCSPResponseCacheService(cacheRepo, caSvc, nil, silentLogger())
for i, e := range []struct{ iss, ser string }{
{"iss-local", "ser1"},
{"iss-local", "ser2"},
{"iss-other", "ser1"},
} {
_ = i
_ = cacheRepo.Put(context.Background(), &domain.OCSPResponseCacheEntry{
IssuerID: e.iss,
SerialHex: e.ser,
ResponseDER: []byte{0x42},
CertStatus: "good",
ThisUpdate: time.Now(),
NextUpdate: time.Now().Add(1 * time.Hour),
GeneratedAt: time.Now(),
})
}
got, err := cache.CountByIssuer(context.Background())
if err != nil {
t.Fatalf("count: %v", err)
}
if got["iss-local"] != 2 || got["iss-other"] != 1 {
t.Errorf("CountByIssuer = %#v, want iss-local=2 iss-other=1", got)
}
}
func TestOCSPResponseCacheService_NilRepoReturnsEmptyCountByIssuer(t *testing.T) {
cache := NewOCSPResponseCacheService(nil, nil, nil, silentLogger())
got, err := cache.CountByIssuer(context.Background())
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if len(got) != 0 {
t.Errorf("expected empty map, got %v", got)
}
}
func TestCAOperationsSvc_GetOCSPResponseWithNonce_CacheDispatchHit(t *testing.T) {
caSvc, _, _, _ := newCAOperationsSvcTestWithIssuer()
cacheRepo := newFakeOCSPCacheRepo()
cache := NewOCSPResponseCacheService(cacheRepo, caSvc, nil, silentLogger())
caSvc.SetOCSPCacheSvc(cache)
// Nil-nonce request: dispatches through the cache. First call is
// a miss (live-sign + write-back); cache row should appear.
_, err := caSvc.GetOCSPResponseWithNonce(context.Background(), "iss-local", "deadbeef", nil)
if err != nil {
t.Fatalf("first: %v", err)
}
if got, _ := cacheRepo.Get(context.Background(), "iss-local", "deadbeef"); got == nil {
t.Errorf("expected cache row populated after first nil-nonce request")
}
// Second call returns the cached bytes (same content).
der1, _ := caSvc.GetOCSPResponseWithNonce(context.Background(), "iss-local", "deadbeef", nil)
der2, _ := caSvc.GetOCSPResponseWithNonce(context.Background(), "iss-local", "deadbeef", nil)
if string(der1) != string(der2) {
t.Errorf("repeated cached fetches returned different bytes")
}
}
func TestCAOperationsSvc_GetOCSPResponseWithNonce_NonceBypassesCache(t *testing.T) {
caSvc, _, _, _ := newCAOperationsSvcTestWithIssuer()
cacheRepo := newFakeOCSPCacheRepo()
cache := NewOCSPResponseCacheService(cacheRepo, caSvc, nil, silentLogger())
caSvc.SetOCSPCacheSvc(cache)
// Nonce-bearing request: bypasses the cache entirely. After the
// call, the cache row should still NOT be populated.
nonce := []byte{0xaa, 0xbb}
_, err := caSvc.GetOCSPResponseWithNonce(context.Background(), "iss-local", "deadbeef", nonce)
if err != nil {
t.Fatalf("nonce request: %v", err)
}
if got, _ := cacheRepo.Get(context.Background(), "iss-local", "deadbeef"); got != nil {
t.Errorf("nonce-bearing live-sign should NOT write to cache; found row %#v", got)
}
}
func TestRevocationSvc_SetOCSPCacheInvalidator_WireConnects(t *testing.T) {
// The wire under test: SetOCSPCacheInvalidator stores the invalidator
// on the service such that subsequent revoke flows can call it.
// We verify the wire is connected by directly invoking the stored
// invalidator (the full revoke flow needs a live cert + repo
// pipeline that's covered elsewhere).
fake := &fakeInvalidator{}
svc := NewRevocationSvc(nil, nil, nil)
svc.SetOCSPCacheInvalidator(fake)
if err := svc.ocspCacheInvalidator.InvalidateOnRevoke(context.Background(), "iss-local", "ff"); err != nil {
t.Fatalf("invalidate: %v", err)
}
if fake.calls != 1 {
t.Errorf("expected 1 InvalidateOnRevoke call, got %d", fake.calls)
}
if fake.lastIssuer != "iss-local" || fake.lastSerial != "ff" {
t.Errorf("invalidator received wrong args: issuer=%q serial=%q",
fake.lastIssuer, fake.lastSerial)
}
}
type fakeInvalidator struct {
mu sync.Mutex
calls int
lastIssuer string
lastSerial string
}
func (f *fakeInvalidator) InvalidateOnRevoke(_ context.Context, issuerID, serialHex string) error {
f.mu.Lock()
defer f.mu.Unlock()
f.calls++
f.lastIssuer = issuerID
f.lastSerial = serialHex
return nil
}
Reference in New Issue View Git Blame Copy Permalink