mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-09 14:09:01 +00:00
claude
8e83f02401
Phase 8 of the deploy-hardening I master bundle. F5 + IIS already have transactional / explicit-backup-restore rollback semantics in their DeployCertificate paths. Phase 8 adds the explicit ValidateOnly dry-run probe that operators use to preview a deploy without touching the live cert. F5 (validate_only.go): - ValidateOnly probes the iControl REST API via Authenticate. Cheap (no F5 transaction created) + cached after first success. Failure surfaces as a wrapped error so operators see the actual cause (auth provider down, invalid creds, BIG-IP unreachable, etc.). nil client returns ErrValidateOnlyNotSupported. - A true cert-bind dry-run requires F5's no-commit transaction mode (v17.5+); V3-Pro can add per-version dispatch. V2 ships the reachability probe as the load-bearing safety check. - 5 new tests in validate_only_test.go covering: auth-success, auth-fail wrapped, nil-client sentinel, error-message contains BIG-IP context, recoverable auth-fail surfaces provider info. IIS (validate_only.go): - ValidateOnly runs `Get-WebSite -Name <SiteName>` via the injected PowerShellExecutor. Confirms the IIS PS module is loaded AND the site exists AND the agent has admin privileges. Failure here surfaces the actual PowerShell stderr (site not found / module missing / access denied). - A true cert-bind dry-run would need IIS to expose a no-commit New-WebBinding (it doesn't); V3-Pro can extend with a temp-install + immediate-remove. V2 ships the permission + module probe as the load-bearing check. - 5 new tests in validate_only_test.go covering: get-website succeeds, get-website fails, nil-executor sentinel, site-name quoting (handles spaces in 'Default Web Site'), output-context in error. Smoke test connectorsAtPhase3 list shrunk from 10 to 7 entries (f5 + iis + postfix removed). Caddy stays in (file-mode returns sentinel; api-mode is real-impl). Envoy + Traefik stay in (no validate-with-target command exists for either). javakeystore + k8ssecret + ssh + wincertstore stay in pending Phase 9. Coverage: F5 holds at ≥85%; IIS holds at ≥85%. Race detector clean. golangci-lint v2.11.4 clean. Phase 9 next: SSH + WinCertStore + JavaKeystore + K8s — the non-file-server connectors.
116 lines
4.0 KiB
Go
116 lines
4.0 KiB
Go
package f5
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"log/slog"
|
|
"os"
|
|
"testing"
|
|
|
|
"github.com/shankar0123/certctl/internal/connector/target"
|
|
)
|
|
|
|
// Phase 8 of the deploy-hardening I master bundle: F5 ValidateOnly
|
|
// real implementation tests. F5 already has full transactional
|
|
// rollback via the iControl REST `mgmt/tm/transaction` endpoint;
|
|
// the new bit is the explicit dry-run probe via Authenticate.
|
|
|
|
type stubF5Authenticator struct {
|
|
authErr error
|
|
}
|
|
|
|
func (s *stubF5Authenticator) Authenticate(_ context.Context) error {
|
|
return s.authErr
|
|
}
|
|
|
|
// implement the rest of the F5Client interface as no-ops so the
|
|
// stub satisfies the interface.
|
|
func (s *stubF5Authenticator) UploadFile(context.Context, string, []byte) error {
|
|
return nil
|
|
}
|
|
func (s *stubF5Authenticator) InstallCert(context.Context, string, string) error { return nil }
|
|
func (s *stubF5Authenticator) InstallKey(context.Context, string, string) error { return nil }
|
|
func (s *stubF5Authenticator) CreateTransaction(context.Context) (string, error) {
|
|
return "", nil
|
|
}
|
|
func (s *stubF5Authenticator) CommitTransaction(context.Context, string) error {
|
|
return nil
|
|
}
|
|
func (s *stubF5Authenticator) UpdateSSLProfile(context.Context, string, string, string, string, string, string) error {
|
|
return nil
|
|
}
|
|
func (s *stubF5Authenticator) GetSSLProfile(context.Context, string, string) (*SSLProfileInfo, error) {
|
|
return nil, nil
|
|
}
|
|
func (s *stubF5Authenticator) DeleteCert(context.Context, string, string) error { return nil }
|
|
func (s *stubF5Authenticator) DeleteKey(context.Context, string, string) error { return nil }
|
|
|
|
func quietLogger() *slog.Logger {
|
|
return slog.New(slog.NewTextHandler(os.NewFile(0, os.DevNull), &slog.HandlerOptions{Level: slog.LevelError}))
|
|
}
|
|
|
|
func TestF5_ValidateOnly_Auth_Succeeds_ReturnsNil(t *testing.T) {
|
|
c := NewWithClient(&Config{Host: "f5.example", Username: "admin"}, quietLogger(), &stubF5Authenticator{authErr: nil})
|
|
if err := c.ValidateOnly(context.Background(), target.DeploymentRequest{}); err != nil {
|
|
t.Errorf("got %v, want nil", err)
|
|
}
|
|
}
|
|
|
|
func TestF5_ValidateOnly_AuthFails_ReturnsWrappedError(t *testing.T) {
|
|
c := NewWithClient(&Config{Host: "f5.example", Username: "admin"}, quietLogger(), &stubF5Authenticator{authErr: errors.New("invalid credentials")})
|
|
err := c.ValidateOnly(context.Background(), target.DeploymentRequest{})
|
|
if err == nil {
|
|
t.Fatal("expected error")
|
|
}
|
|
if errors.Is(err, target.ErrValidateOnlyNotSupported) {
|
|
t.Errorf("got sentinel, want wrapped auth error: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestF5_ValidateOnly_NilClient_ReturnsSentinel(t *testing.T) {
|
|
c := &Connector{config: &Config{Host: "f5.example"}, logger: quietLogger()}
|
|
// Don't inject a client.
|
|
if err := c.ValidateOnly(context.Background(), target.DeploymentRequest{}); !errors.Is(err, target.ErrValidateOnlyNotSupported) {
|
|
t.Errorf("got %v, want sentinel", err)
|
|
}
|
|
}
|
|
|
|
func TestF5_ValidateOnly_AuthFailureMessageMentionsBIGIP(t *testing.T) {
|
|
c := NewWithClient(&Config{Host: "f5.example"}, quietLogger(), &stubF5Authenticator{authErr: errors.New("conn refused")})
|
|
err := c.ValidateOnly(context.Background(), target.DeploymentRequest{})
|
|
if err == nil {
|
|
t.Fatal("expected error")
|
|
}
|
|
if !contains(err.Error(), "BIG-IP") {
|
|
t.Errorf("error missing BIG-IP context: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestF5_ValidateOnly_RecoverableAuthErrIsActionable(t *testing.T) {
|
|
// Auth-fail variant that simulates a one-time TACACS+ outage —
|
|
// the operator is meant to see this as actionable.
|
|
c := NewWithClient(&Config{Host: "f5.example"}, quietLogger(), &stubF5Authenticator{authErr: errors.New("TACACS+ auth provider unreachable")})
|
|
err := c.ValidateOnly(context.Background(), target.DeploymentRequest{})
|
|
if err == nil {
|
|
t.Fatal("expected error")
|
|
}
|
|
if !contains(err.Error(), "TACACS+") {
|
|
t.Errorf("error doesn't surface auth provider info: %v", err)
|
|
}
|
|
}
|
|
|
|
func contains(haystack, needle string) bool {
|
|
return len(haystack) > 0 && len(needle) > 0 &&
|
|
(len(haystack) >= len(needle)) &&
|
|
(indexOf(haystack, needle) >= 0)
|
|
}
|
|
|
|
func indexOf(s, substr string) int {
|
|
for i := 0; i+len(substr) <= len(s); i++ {
|
|
if s[i:i+len(substr)] == substr {
|
|
return i
|
|
}
|
|
}
|
|
return -1
|
|
}
|