Update tests, fix issues (#228)

Author: klauspost

.gitattributes

@@ -0,0 +1 @@
+* text=auto eol=lf

.github/workflows/go.yml

@@ -17,11 +17,12 @@ permissions:
 
 jobs:
   build:
-    name: Build Go ${{ matrix.go-version }}
-    runs-on: ubuntu-latest
+    name: Build Go ${{ matrix.go-version }} ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        go-version: [1.25.x]
+        os: [ubuntu-latest, macos-latest, windows-latest, ubuntu-24.04-arm]
+        go-version: [1.25.x, 1.26.x]
     steps:
       - name: Set up Go ${{ matrix.go-version }}
         uses: actions/setup-go@v5

.github/workflows/ldap.yaml

@@ -31,7 +31,7 @@ jobs:
           LDAP_ADMIN_PASSWORD: "admin"
     strategy:
       matrix:
-        go-version: [1.25.x]
+        go-version: [1.26.x]
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5

.github/workflows/vulncheck.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go-version: [ 1.25.x ]
+        go-version: [ 1.26.x ]
     steps:
     - name: Check out code into the Go module directory
       uses: actions/checkout@v4

.golangci.yml

@@ -34,7 +34,7 @@ linters:
       - examples$
 formatters:
   enable:
-    - gofmt
+    - gofumpt
     - goimports
   exclusions:
     generated: lax

Makefile

@@ -6,16 +6,14 @@ all: test
 
 getdeps:
 	@mkdir -p ${GOPATH}/bin
-	@echo "Installing golangci-lint" && curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(GOPATH)/bin
+	@echo "Installing golangci-lint" && go install tool
 
 lint: getdeps
 	@echo "Running $@ check"
-	@${GOPATH}/bin/golangci-lint cache clean
 	@${GOPATH}/bin/golangci-lint run --build-tags kqueue --timeout=10m --config ./.golangci.yml
 
 lint-fix: getdeps
 	@echo "Running $@ check"
-	@${GOPATH}/bin/golangci-lint cache clean
 	@${GOPATH}/bin/golangci-lint run --build-tags kqueue --timeout=10m --config ./.golangci.yml --fix
 
 test: lint

certs/cert_pool_windows.go

@@ -28,7 +28,11 @@ import (
 func loadSystemRoots() (*x509.CertPool, error) {
 	const CRYPTENOTFOUND = 0x80092004
 
-	store, err := syscall.CertOpenSystemStore(0, syscall.StringToUTF16Ptr("ROOT"))
+	rootPtr, err := syscall.UTF16PtrFromString("ROOT")
+	if err != nil {
+		return nil, err
+	}
+	store, err := syscall.CertOpenSystemStore(0, rootPtr)
 	if err != nil {
 		return nil, err
 	}

certs/certificate2.go

@@ -203,19 +203,17 @@ func watchFile(ctx context.Context, path string, ch chan notify.EventInfo, wg *s
 	}
 	symLink := st.Mode()&os.ModeSymlink == os.ModeSymlink
 	if !symLink {
-		// Windows doesn't allow for watching file changes but instead allows
-		// for directory changes only, while we can still watch for changes
-		// on files on other platforms. For other platforms it's also better
-		// to watch the directory to catch all changes. Some updates are written
-		// to a new file and then renamed to the destination file. This method
-		// ensures we catch all such changes.
-		//
-		// Note: Certificate reloading relies on atomic file updates (write new
-		// file, then rename). If certificate files are updated in-place without
-		// atomicity, there is a window where partial/corrupted data may be read.
-		// The hash comparison will skip reloads when content hasn't changed, but
-		// does not protect against temporary inconsistency during partial writes.
-		return notify.Watch(filepath.Dir(path), ch, eventWrite...)
+		stop, err := watchDirSafe(filepath.Dir(path), path, ch, ctx.Done())
+		if err != nil {
+			return err
+		}
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			<-ctx.Done()
+			stop()
+		}()
+		return nil
 	}
 
 	wg.Add(1)

certs/certificate2_test.go

@@ -23,6 +23,7 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
+	"runtime"
 	"testing"
 	"time"
 )
@@ -89,6 +90,9 @@ func TestCertificate2_AutoReload(t *testing.T) {
 }
 
 func TestCertificate2_AutoReloadSymlink(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("symlinks require admin on Windows")
+	}
 	testCertificate2AutoReload(t, true)
 }
 
@@ -177,6 +181,9 @@ func TestCertificate2_AutoReloadCertFileOnly(t *testing.T) {
 }
 
 func TestCertificate2_AutoReloadCertFileOnlySymlink(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("symlinks require admin on Windows")
+	}
 	testCertificate2AutoReloadCertFileOnly(t, true)
 }
 
@@ -216,6 +223,9 @@ func TestCertificate2_InvalidReloadIgnored(t *testing.T) {
 }
 
 func TestCertificate2_InvalidReloadIgnoredSymlink(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("symlinks require admin on Windows")
+	}
 	testCertificate2InvalidReloadIgnored(t, true)
 }
 
@@ -286,8 +296,8 @@ func overwriteFile(t *testing.T, src, dst string, symlink bool) {
 func updateCertWithWait(t *testing.T, cert *Certificate2, symlink bool, update func()) {
 	done := make(chan struct{})
 	wait := time.Second
-	if symlink {
-		wait = wait + symlinkReloadInterval // can take up to symlinkReloadInterval to detect changes
+	if symlink || runtime.GOOS == "windows" {
+		wait = wait + symlinkReloadInterval
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), wait)
 	defer cancel()

certs/certs.go

@@ -149,14 +149,17 @@ func (c *Certificate) Watch(ctx context.Context, interval time.Duration, signals
 	if !certFileSymLink && !keyFileSymLink && !isk8s {
 		go func() {
 			events := make(chan notify.EventInfo, 1)
-			if err := notify.Watch(filepath.Dir(c.certFile), events, eventWrite...); err != nil {
+			stop1, err := watchDirSafe(filepath.Dir(c.certFile), c.certFile, events, ctx.Done())
+			if err != nil {
 				return
 			}
-			if err := notify.Watch(filepath.Dir(c.keyFile), events, eventWrite...); err != nil {
-				notify.Stop(events)
+			stop2, err := watchDirSafe(filepath.Dir(c.keyFile), c.keyFile, events, ctx.Done())
+			if err != nil {
+				stop1()
 				return
 			}
-			defer notify.Stop(events)
+			defer stop1()
+			defer stop2()
 			for {
 				select {
 				case <-events: