gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-13 08:38:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(scep-gui): rebrand SCEP admin surface to per-profile tabbed interface (Profiles + Intune + Recent Activity)

Browse Source 
Phase 9 follow-up to the SCEP RFC 8894 + Intune master bundle. The
Phase 9.4 GUI shipped 'SCEP Intune Monitoring' at /scep/intune, which
made the per-profile observability surface look Intune-only — operators
running EJBCA + Jamf would never click that nav link expecting per-
profile RA cert + mTLS observability. The page is per-profile keyed
under the hood; this commit rebrands + restructures so the surface
matches what operators actually need.

Spec: cowork/scep-gui-restructure-prompt.md.

User-visible change:

  - Nav link renamed: 'SCEP Intune' → 'SCEP Admin'.
  - Route: /scep is the new canonical path; /scep/intune kept as a
    backward-compat alias that lands directly on the Intune tab.
  - Page header: 'SCEP Administration'.
  - Three tabs:
      * Profiles (default) — per-profile lean cards with RA cert
        expiry countdown, mTLS sibling-route status badge, Intune
        enabled/disabled badge, challenge-password-set indicator.
        'View Intune details →' link on Intune-enabled cards
        deep-links into the Intune tab.
      * Intune Monitoring — the existing Phase 9.4 deep-dive
        (per-status counters, trust anchor expiry, recent failures
        table, reload-trust button + confirmation modal).
      * Recent Activity — full SCEP audit log filter merging all
        four action codes (scep_pkcsreq + scep_renewalreq +
        scep_pkcsreq_intune + scep_renewalreq_intune); chip filters
        for All / Initial / Renewal / Intune / Static.

Backend:

  * internal/service/scep.go — new SCEPProfileStatsSnapshot type +
    IntuneSection sub-block + ProfileStats(now) accessor. Adds
    raCertSubject/raCertNotBefore/raCertNotAfter + mtlsEnabled +
    mtlsTrustBundlePath fields with SetRACert + SetMTLSConfig setters.
    Existing IntuneStatsSnapshot + IntuneStats(now) preserved
    UNCHANGED for /admin/scep/intune/stats backward compat (the
    JSON shape stays byte-stable for external consumers — the
    aliasing approach the prompt initially suggested doesn't work
    because the new shape nests Intune while the old one is flat).
    ChallengePasswordSet is derived from challengePassword != ''
    (the secret value itself is never surfaced).

  * internal/api/handler/admin_scep_intune.go — new Profiles handler
    method on AdminSCEPIntuneHandler with the same M-008 admin gate.
    AdminSCEPIntuneServiceImpl extended (in place; same
    map[string]*service.SCEPService) to satisfy the new
    AdminSCEPProfileService interface. Single handler file gets the
    third method so the M-008 pin entry count stays steady (no new
    file, no new triplet of admin-gate test files — just three new
    Profiles tests inside the existing test file).

  * internal/api/router/router.go — one new route
    'GET /api/v1/admin/scep/profiles' registered to
    reg.AdminSCEPIntune.Profiles. HandlerRegistry unchanged.

  * api/openapi.yaml — new operation 'listSCEPProfiles' documenting
    the request body / response shape / error mapping. Existing
    Intune entries unchanged.

  * cmd/server/main.go — per-profile loop now calls
    scepService.SetMTLSConfig(profile.MTLSEnabled,
    profile.MTLSClientCATrustBundlePath) right after SetPathID, and
    scepService.SetRACert(raCert) right after loadSCEPRAPair returns
    the leaf cert. Both setters are nil-safe.

  * internal/api/handler/m008_admin_gate_test.go — extended the
    existing admin_scep_intune.go entry's justification to mention
    the third endpoint. No new map entry needed (file already
    listed).

Backend tests (8 new):

  * TestAdminSCEPProfiles_NonAdmin_Returns403
  * TestAdminSCEPProfiles_AdminExplicitFalse_Returns403
  * TestAdminSCEPProfiles_AdminPermitted_ForwardsActor — also pins
    that Intune-enabled profiles emit an 'intune' sub-block while
    Intune-disabled profiles OMIT it.
  * TestAdminSCEPProfiles_RejectsNonGetMethod
  * TestAdminSCEPProfiles_PropagatesServiceError
  * TestAdminSCEPProfilesServiceImpl_NilMapReturnsEmpty
  * (existing 16 Phase 9 admin tests still pass — backward-compat
    preserved)

Frontend:

  * web/src/api/types.ts — new SCEPProfileStatsSnapshot +
    IntuneSection + SCEPProfilesResponse types. Existing
    IntuneStatsSnapshot et al unchanged.
  * web/src/api/client.ts — new getAdminSCEPProfiles helper.
  * web/src/pages/SCEPAdminPage.tsx — full rewrite as the tabbed
    surface. Reuses the existing ConfirmReloadModal and Intune
    deep-dive card components verbatim; adds ProfileSummaryCard
    (lean card for the Profiles tab) and ActivityTab. URL state
    sync via useSearchParams so deep links survive reloads + browser
    back/forward. The legacy /scep/intune route alias defaults the
    activeTab to 'intune' on mount.
  * web/src/main.tsx — new <Route path='scep' /> + preserved
    <Route path='scep/intune' /> alias. Both render SCEPAdminPage.
  * web/src/components/Layout.tsx — nav link rebranded:
    label 'SCEP Intune' → 'SCEP Admin', to '/scep/intune' → '/scep'.

Frontend tests (20 — full rebuild):

  * Admin gate (non-admin sees gated banner + zero admin API calls)
  * Profiles tab default + Intune tab tabswitch + ?tab=intune deep
    link + legacy /scep/intune alias all land on Intune
  * Profiles tab status badges (Intune + mTLS + challenge-set)
    reflect each profile's flags
  * RA cert expiry tone bands (good ≥30d / warn 7-30d / bad <7d /
    EXPIRED) verified across three fixture profiles
  * 'View Intune details →' only renders for Intune-enabled
    profiles AND switches tabs on click
  * Empty-state banner when no profiles configured
  * Intune tab counters render with the existing Phase 9 deep-dive
    shape; reload modal Open/Confirm/Cancel/Error paths all pinned
  * Recent Activity tab merges all four SCEP audit actions across
    four parallel useQuery calls; filter chips
    (all/initial/renewal/intune/static) narrow correctly
  * Error path surfaces ErrorState on the active tab

Docs:

  * docs/scep-intune.md — Operational monitoring section heading
    expanded to '(SCEP Administration → Intune Monitoring tab)'.
    Page-surface description rewritten for the tabbed shape;
    admin-endpoints list extended with the new /admin/scep/profiles
    entry.
  * docs/architecture.md — Microsoft Intune Connector trust anchor
    subsection updated to reference the Intune Monitoring tab inside
    the SCEP Administration page + lists all three admin endpoints.
  * docs/legacy-est-scep.md — forward-ref expanded with a parallel
    sentence for the per-profile observability surface (independent
    of Intune).
  * README.md — Enrollment Protocols bullet for Intune updated to
    'admin GUI SCEP Administration page at /scep' with the three
    tabs called out.

Verification:
  * gofmt clean on touched files
  * go vet ./... clean
  * staticcheck on intune+service+handler+router+cmd-server clean
  * go test -short across intune+service+handler+router+cmd-server:
    all green (existing Phase 9 tests + new Profiles tests)
  * Frontend tsc --noEmit clean
  * Vitest: 20/20 SCEPAdminPage tests + 3/3 sibling AuditPage tests
    pass
  * G-3 docs-drift CI guard reproduced locally: clean (no new env
    vars; existing CERTCTL_SCEP_ allowlist prefix covers everything)
  * M-009 hard-zero useMutation guard reproduced locally: clean
    (the existing reload mutation already used useTrackedMutation
    from the Phase 9 follow-up commit 28e277a)
  * openapi-parity test green (new GET /api/v1/admin/scep/profiles
    operation documented)
  * M-008 admin-gate scanner green (existing admin_scep_intune.go
    entry covers all three handler methods; the test scanner
    enforces the triplet by file, not by endpoint, and the new
    Profiles triplet was added to the existing test file)

Backward compat preserved:
  * /api/v1/admin/scep/intune/stats unchanged — same JSON shape,
    same error codes, same M-008 gate
  * /api/v1/admin/scep/intune/reload-trust unchanged
  * /scep/intune route still works (alias to /scep with activeTab=intune)
  * IntuneStatsSnapshot Go type unchanged
  * IntuneStats(now) accessor unchanged

Refs: cowork/scep-gui-restructure-prompt.md
      cowork/scep-rfc8894-intune-master-prompt.md::Phase 9
      Phase 11.5 (SCEP probe in scanner — opt-in) and Phase 12
      (release prep + tag) of the master bundle resume after this.
This commit is contained in:
shankar0123
2026-04-29 17:46:42 +00:00
parent 5d080c86fd
commit 0be889ff1d
17 changed files with 1387 additions and 366 deletions
Download Patch File Download Diff File Expand all files Collapse all files
web/src/pages/SCEPAdminPage.test.tsx
+335 -175
View File
@@ -1,24 +1,32 @@
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { render, screen, waitFor, cleanup, fireEvent } from '@testing-library/react';
import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
import { MemoryRouter } from 'react-router-dom';
import { MemoryRouter, Routes, Route } from 'react-router-dom';
import type { ReactNode } from 'react';
// SCEP RFC 8894 + Intune master bundle Phase 9.5: Vitest coverage for the
// SCEPAdminPage component. Pins:
// 1. Admin gate — non-admin callers see the gated banner and the page
// MUST NOT issue the underlying admin API requests.
// 2. Profile cards render with status + counters + trust-anchor expiry
// badge tone (good / warn / bad / EXPIRED).
// 3. Disabled profiles render the off-state pill instead of the counter
// grid.
// 4. Reload button opens the confirmation modal; Confirm calls the
// mutation and refetches stats; Cancel closes without calling.
// 5. Error path surfaces ErrorState with retry.
// 6. Audit log filter merges PKCSReq + RenewalReq events and sorts by
// timestamp descending.
// SCEP RFC 8894 + Intune master bundle Phase 9 follow-up
// (cowork/scep-gui-restructure-prompt.md): Vitest coverage for the
// rebranded SCEP Administration page. Pins:
// 1. Admin gate — non-admin sees the gated banner; admin requests are
// never issued.
// 2. Tab navigation — Profiles is the default; clicking each tab
// switches surface; ?tab=intune deep-links land on Intune; the
// legacy /scep/intune route alias also lands on Intune.
// 3. Profiles tab — per-profile lean cards; status badges reflect
// Intune + mTLS + challenge-password-set; RA cert expiry badge
// tone bands (good ≥30d / warn 7-30d / bad <7d / EXPIRED);
// "View Intune details →" link only renders for Intune-enabled
// profiles AND switches to the Intune tab on click.
// 4. Intune tab — counters render with the existing Phase 9 deep-dive
// shape; reload modal opens / Confirm calls mutation / Cancel
// skips mutation / Error keeps modal open + surfaces message.
// 5. Recent Activity tab — merges all four SCEP audit actions across
// four parallel useQuery calls; filter chips narrow to the
// requested subset.
// 6. Error path — surfaces ErrorState on the active tab.
vi.mock('../api/client', () => ({
getAdminSCEPProfiles: vi.fn(),
getAdminSCEPIntuneStats: vi.fn(),
reloadAdminSCEPIntuneTrust: vi.fn(),
getAuditEvents: vi.fn(),
@@ -32,13 +40,18 @@ import SCEPAdminPage from './SCEPAdminPage';
import * as client from '../api/client';
import { useAuth } from '../components/AuthProvider';
function renderWithQuery(ui: ReactNode) {
function renderWithRoute(initialPath: string, ui: ReactNode) {
const qc = new QueryClient({
defaultOptions: { queries: { retry: false, gcTime: 0, staleTime: 0 } },
});
return render(
<QueryClientProvider client={qc}>
<MemoryRouter>{ui}</MemoryRouter>
<MemoryRouter initialEntries={[initialPath]}>
<Routes>
<Route path="/scep" element={ui} />
<Route path="/scep/intune" element={ui} />
</Routes>
</MemoryRouter>
</QueryClientProvider>,
);
}
@@ -57,47 +70,71 @@ function setAuth(opts: { authRequired: boolean; admin: boolean }) {
});
}
const baseEnabledProfile = {
const corpProfileSummary = {
path_id: 'corp',
issuer_id: 'iss-corp',
challenge_password_set: true,
ra_cert_subject: 'ra-corp',
ra_cert_not_before: '2026-01-01T00:00:00Z',
ra_cert_not_after: '2027-01-01T00:00:00Z',
ra_cert_days_to_expiry: 250,
ra_cert_expired: false,
mtls_enabled: true,
mtls_trust_bundle_path: '/etc/certctl/mtls-corp.pem',
generated_at: '2026-04-29T15:00:00Z',
intune: {
trust_anchor_path: '/etc/certctl/intune-corp.pem',
trust_anchors: [
{ subject: 'intune-conn', not_before: '2026-01-01T00:00:00Z', not_after: '2027-01-01T00:00:00Z', days_to_expiry: 250, expired: false },
],
audience: 'https://certctl.example.com/scep/corp',
challenge_validity_ns: 3_600_000_000_000,
rate_limit_disabled: false,
replay_cache_size: 12,
counters: { success: 42 },
},
};
const iotProfileSummary = {
path_id: 'iot',
issuer_id: 'iss-iot',
challenge_password_set: true,
ra_cert_subject: 'ra-iot',
ra_cert_not_before: '2026-01-01T00:00:00Z',
ra_cert_not_after: '2026-05-15T00:00:00Z',
ra_cert_days_to_expiry: 16,
ra_cert_expired: false,
mtls_enabled: false,
generated_at: '2026-04-29T15:00:00Z',
// Intune disabled — no intune field
};
const expiredProfileSummary = {
path_id: 'legacy',
issuer_id: 'iss-old',
challenge_password_set: true,
ra_cert_subject: 'ra-old',
ra_cert_not_before: '2024-01-01T00:00:00Z',
ra_cert_not_after: '2025-01-01T00:00:00Z',
ra_cert_days_to_expiry: 0,
ra_cert_expired: true,
mtls_enabled: false,
generated_at: '2026-04-29T15:00:00Z',
};
const corpIntuneStats = {
path_id: 'corp',
issuer_id: 'iss-corp',
enabled: true,
trust_anchor_path: '/etc/certctl/intune-corp.pem',
trust_anchors: [
{
subject: 'intune-connector-installation-corp',
not_before: '2026-01-01T00:00:00Z',
not_after: '2027-01-01T00:00:00Z',
days_to_expiry: 250,
expired: false,
},
{ subject: 'intune-conn', not_before: '2026-01-01T00:00:00Z', not_after: '2027-01-01T00:00:00Z', days_to_expiry: 250, expired: false },
],
audience: 'https://certctl.example.com/scep/corp',
challenge_validity_ns: 3_600_000_000_000,
rate_limit_disabled: false,
replay_cache_size: 12,
counters: {
success: 42,
signature_invalid: 1,
expired: 0,
not_yet_valid: 0,
wrong_audience: 0,
replay: 2,
rate_limited: 0,
claim_mismatch: 3,
compliance_failed: 0,
malformed: 0,
unknown_version: 0,
},
generated_at: '2026-04-29T15:00:00Z',
};
const disabledProfile = {
path_id: 'iot',
issuer_id: 'iss-iot',
enabled: false,
rate_limit_disabled: false,
replay_cache_size: 0,
counters: {},
counters: { success: 42, signature_invalid: 1, claim_mismatch: 3, replay: 2 },
generated_at: '2026-04-29T15:00:00Z',
};
@@ -113,138 +150,236 @@ beforeEach(() => {
} as never);
});
// =============================================================================
// Admin gate.
// =============================================================================
describe('SCEPAdminPage — admin gate', () => {
it('renders an Admin access required banner for non-admin callers and skips the admin API', async () => {
setAuth({ authRequired: true, admin: false });
renderWithQuery(<SCEPAdminPage />);
renderWithRoute('/scep', <SCEPAdminPage />);
await waitFor(() => {
expect(screen.getByRole('heading', { level: 2, name: /SCEP Intune Monitoring/ })).toBeInTheDocument();
expect(screen.getByRole('heading', { level: 2, name: /SCEP Administration/ })).toBeInTheDocument();
});
expect(client.getAdminSCEPProfiles).not.toHaveBeenCalled();
expect(client.getAdminSCEPIntuneStats).not.toHaveBeenCalled();
expect(screen.getByText(/Admin access required/i)).toBeInTheDocument();
});
it('lets admin callers through and fetches stats', async () => {
vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
profiles: [baseEnabledProfile],
it('lets admin callers through and fetches the per-profile snapshot', async () => {
vi.mocked(client.getAdminSCEPProfiles).mockResolvedValue({
profiles: [corpProfileSummary],
profile_count: 1,
generated_at: '2026-04-29T15:00:00Z',
} as never);
renderWithQuery(<SCEPAdminPage />);
renderWithRoute('/scep', <SCEPAdminPage />);
expect(await screen.findByTestId('profile-summary-corp')).toBeInTheDocument();
expect(client.getAdminSCEPProfiles).toHaveBeenCalled();
// Default tab is Profiles → Intune stats endpoint NOT called yet
expect(client.getAdminSCEPIntuneStats).not.toHaveBeenCalled();
});
});
// =============================================================================
// Tab navigation + deep links.
// =============================================================================
describe('SCEPAdminPage — tab navigation', () => {
it('renders Profiles tab as default', async () => {
vi.mocked(client.getAdminSCEPProfiles).mockResolvedValue({
profiles: [corpProfileSummary],
profile_count: 1,
generated_at: '2026-04-29T15:00:00Z',
} as never);
renderWithRoute('/scep', <SCEPAdminPage />);
expect(await screen.findByTestId('profile-summary-corp')).toBeInTheDocument();
expect(screen.getByTestId('tab-profiles').getAttribute('aria-pressed')).toBe('true');
});
it('switches to Intune tab on click and triggers the Intune stats fetch', async () => {
vi.mocked(client.getAdminSCEPProfiles).mockResolvedValue({
profiles: [corpProfileSummary],
profile_count: 1,
generated_at: '2026-04-29T15:00:00Z',
} as never);
vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
profiles: [corpIntuneStats],
profile_count: 1,
generated_at: '2026-04-29T15:00:00Z',
} as never);
renderWithRoute('/scep', <SCEPAdminPage />);
await screen.findByTestId('profile-summary-corp');
fireEvent.click(screen.getByTestId('tab-intune'));
expect(await screen.findByTestId('profile-card-corp')).toBeInTheDocument();
expect(client.getAdminSCEPIntuneStats).toHaveBeenCalled();
});
it('keeps the page accessible when authRequired=false (no-auth dev mode)', async () => {
setAuth({ authRequired: false, admin: false });
vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
profiles: [],
profile_count: 0,
it('?tab=intune deep-link lands on Intune tab', async () => {
vi.mocked(client.getAdminSCEPProfiles).mockResolvedValue({
profiles: [corpProfileSummary],
profile_count: 1,
generated_at: '2026-04-29T15:00:00Z',
} as never);
renderWithQuery(<SCEPAdminPage />);
vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
profiles: [corpIntuneStats],
profile_count: 1,
generated_at: '2026-04-29T15:00:00Z',
} as never);
renderWithRoute('/scep?tab=intune', <SCEPAdminPage />);
await waitFor(() => {
expect(client.getAdminSCEPIntuneStats).toHaveBeenCalledTimes(1);
expect(screen.getByTestId('tab-intune').getAttribute('aria-pressed')).toBe('true');
});
});
it('legacy /scep/intune route alias lands on Intune tab', async () => {
vi.mocked(client.getAdminSCEPProfiles).mockResolvedValue({
profiles: [corpProfileSummary],
profile_count: 1,
generated_at: '2026-04-29T15:00:00Z',
} as never);
vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
profiles: [corpIntuneStats],
profile_count: 1,
generated_at: '2026-04-29T15:00:00Z',
} as never);
renderWithRoute('/scep/intune', <SCEPAdminPage />);
await waitFor(() => {
expect(screen.getByTestId('tab-intune').getAttribute('aria-pressed')).toBe('true');
});
});
it('switches to Activity tab and merges the four SCEP audit actions', async () => {
vi.mocked(client.getAdminSCEPProfiles).mockResolvedValue({
profiles: [corpProfileSummary],
profile_count: 1,
generated_at: '2026-04-29T15:00:00Z',
} as never);
vi.mocked(client.getAuditEvents).mockImplementation((params: Record<string, string> = {}) => {
const events: Record<string, unknown[]> = {
scep_pkcsreq: [{ id: 'a1', action: 'scep_pkcsreq', actor: 'scep-client', actor_type: 'system', resource_type: 'certificate', resource_id: 'c1', details: {}, timestamp: '2026-04-29T14:00:00Z' }],
scep_renewalreq: [{ id: 'a2', action: 'scep_renewalreq', actor: 'scep-client', actor_type: 'system', resource_type: 'certificate', resource_id: 'c2', details: {}, timestamp: '2026-04-29T14:10:00Z' }],
scep_pkcsreq_intune: [{ id: 'a3', action: 'scep_pkcsreq_intune', actor: 'scep-client', actor_type: 'system', resource_type: 'certificate', resource_id: 'c3', details: {}, timestamp: '2026-04-29T14:20:00Z' }],
scep_renewalreq_intune: [{ id: 'a4', action: 'scep_renewalreq_intune', actor: 'scep-client', actor_type: 'system', resource_type: 'certificate', resource_id: 'c4', details: {}, timestamp: '2026-04-29T14:30:00Z' }],
};
const action = params.action ?? '';
return Promise.resolve({
data: events[action] ?? [],
total: events[action]?.length ?? 0,
page: 1,
per_page: 200,
} as never);
});
renderWithRoute('/scep', <SCEPAdminPage />);
await screen.findByTestId('profile-summary-corp');
fireEvent.click(screen.getByTestId('tab-activity'));
await screen.findByTestId('activity-tab');
const table = await screen.findByTestId('activity-events-table');
const rows = table.querySelectorAll('tbody tr');
expect(rows.length).toBe(4);
// Sorted descending → renewal_intune (14:30) is first
expect(rows[0].textContent).toContain('scep_renewalreq_intune');
});
});
describe('SCEPAdminPage — profile rendering', () => {
it('renders enabled profile counters with the expected labels and tone', async () => {
vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
profiles: [baseEnabledProfile],
profile_count: 1,
// =============================================================================
// Profiles tab — lean cards.
// =============================================================================
describe('SCEPAdminPage — Profiles tab cards', () => {
it('renders status badges for Intune + mTLS + challenge-password-set', async () => {
vi.mocked(client.getAdminSCEPProfiles).mockResolvedValue({
profiles: [corpProfileSummary, iotProfileSummary],
profile_count: 2,
generated_at: '2026-04-29T15:00:00Z',
} as never);
renderWithQuery(<SCEPAdminPage />);
await waitFor(() => {
expect(screen.getByTestId('counter-corp-success')).toHaveTextContent('42');
});
expect(screen.getByTestId('counter-corp-replay')).toHaveTextContent('2');
expect(screen.getByTestId('counter-corp-claim_mismatch')).toHaveTextContent('3');
// Expiry badge is "good" tone for >= 30 days remaining.
const badge = screen.getByTestId('expiry-badge-corp');
expect(badge).toHaveTextContent('250d');
renderWithRoute('/scep', <SCEPAdminPage />);
await screen.findByTestId('profile-summary-corp');
const corpBadges = screen.getByTestId('profile-badges-corp');
expect(corpBadges.textContent).toContain('Intune enabled');
expect(corpBadges.textContent).toContain('mTLS enabled');
expect(corpBadges.textContent).toContain('Challenge password set');
const iotBadges = screen.getByTestId('profile-badges-iot');
expect(iotBadges.textContent).toContain('Intune disabled');
expect(iotBadges.textContent).toContain('mTLS disabled');
});
it('renders an expiry badge with EXPIRED text and bad tone when an anchor is past NotAfter', async () => {
vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
profiles: [
{
...baseEnabledProfile,
trust_anchors: [
{ subject: 'expired-conn', not_before: '2024-01-01T00:00:00Z', not_after: '2025-01-01T00:00:00Z', days_to_expiry: 0, expired: true },
],
},
],
profile_count: 1,
it('RA cert expiry badge tone reflects the days-to-expiry band', async () => {
vi.mocked(client.getAdminSCEPProfiles).mockResolvedValue({
profiles: [corpProfileSummary, iotProfileSummary, expiredProfileSummary],
profile_count: 3,
generated_at: '2026-04-29T15:00:00Z',
} as never);
renderWithQuery(<SCEPAdminPage />);
await waitFor(() => {
expect(screen.getByTestId('expiry-badge-corp')).toHaveTextContent(/EXPIRED/);
});
renderWithRoute('/scep', <SCEPAdminPage />);
expect(await screen.findByTestId('ra-expiry-badge-corp')).toHaveTextContent('250d');
expect(screen.getByTestId('ra-expiry-badge-iot')).toHaveTextContent(/16d remaining \(rotate soon\)/);
expect(screen.getByTestId('ra-expiry-badge-legacy')).toHaveTextContent(/EXPIRED/);
});
it('renders the off-state pill for disabled profiles instead of the counter grid', async () => {
it('"View Intune details →" only renders for Intune-enabled profiles AND switches tabs', async () => {
vi.mocked(client.getAdminSCEPProfiles).mockResolvedValue({
profiles: [corpProfileSummary, iotProfileSummary],
profile_count: 2,
generated_at: '2026-04-29T15:00:00Z',
} as never);
vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
profiles: [disabledProfile],
profiles: [corpIntuneStats],
profile_count: 1,
generated_at: '2026-04-29T15:00:00Z',
} as never);
renderWithQuery(<SCEPAdminPage />);
await waitFor(() => {
expect(screen.getByTestId('profile-card-iot')).toBeInTheDocument();
});
expect(screen.getByText(/Intune disabled/)).toBeInTheDocument();
// Counter grid should NOT render for disabled profiles.
expect(screen.queryByTestId('counter-iot-success')).toBeNull();
renderWithRoute('/scep', <SCEPAdminPage />);
await screen.findByTestId('profile-summary-corp');
expect(screen.getByTestId('view-intune-details-corp')).toBeInTheDocument();
expect(screen.queryByTestId('view-intune-details-iot')).toBeNull();
fireEvent.click(screen.getByTestId('view-intune-details-corp'));
expect(await screen.findByTestId('profile-card-corp')).toBeInTheDocument();
expect(screen.getByTestId('tab-intune').getAttribute('aria-pressed')).toBe('true');
});
it('renders an empty-state banner when no profiles are configured', async () => {
vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
vi.mocked(client.getAdminSCEPProfiles).mockResolvedValue({
profiles: [],
profile_count: 0,
generated_at: '2026-04-29T15:00:00Z',
} as never);
renderWithQuery(<SCEPAdminPage />);
await waitFor(() => {
expect(screen.getByText(/No SCEP profiles are configured/)).toBeInTheDocument();
});
renderWithRoute('/scep', <SCEPAdminPage />);
expect(await screen.findByText(/No SCEP profiles are configured/)).toBeInTheDocument();
});
});
describe('SCEPAdminPage — reload-trust modal', () => {
it('opens the confirmation modal when the Reload trust button is clicked', async () => {
vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
profiles: [baseEnabledProfile],
// =============================================================================
// Intune tab — reload modal + counters.
// =============================================================================
describe('SCEPAdminPage — Intune tab', () => {
function gotoIntune() {
vi.mocked(client.getAdminSCEPProfiles).mockResolvedValue({
profiles: [corpProfileSummary],
profile_count: 1,
generated_at: '2026-04-29T15:00:00Z',
} as never);
renderWithQuery(<SCEPAdminPage />);
await waitFor(() => {
expect(screen.getByTestId('reload-button-corp')).toBeInTheDocument();
});
fireEvent.click(screen.getByTestId('reload-button-corp'));
expect(await screen.findByRole('dialog')).toBeInTheDocument();
expect(screen.getByText(/Reload Intune trust anchor/i)).toBeInTheDocument();
vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
profiles: [corpIntuneStats],
profile_count: 1,
generated_at: '2026-04-29T15:00:00Z',
} as never);
renderWithRoute('/scep?tab=intune', <SCEPAdminPage />);
}
it('renders counters with the expected labels and tones', async () => {
gotoIntune();
expect(await screen.findByTestId('counter-corp-success')).toHaveTextContent('42');
expect(screen.getByTestId('counter-corp-signature_invalid')).toHaveTextContent('1');
expect(screen.getByTestId('counter-corp-claim_mismatch')).toHaveTextContent('3');
});
it('calls reloadAdminSCEPIntuneTrust on Confirm and closes the modal on success', async () => {
vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
profiles: [baseEnabledProfile],
profile_count: 1,
generated_at: '2026-04-29T15:00:00Z',
} as never);
it('opens the reload modal and calls the mutation on Confirm', async () => {
vi.mocked(client.reloadAdminSCEPIntuneTrust).mockResolvedValue({
reloaded: true,
path_id: 'corp',
reloaded_at: '2026-04-29T15:01:00Z',
} as never);
renderWithQuery(<SCEPAdminPage />);
await waitFor(() => {
expect(screen.getByTestId('reload-button-corp')).toBeInTheDocument();
});
gotoIntune();
expect(await screen.findByTestId('reload-button-corp')).toBeInTheDocument();
fireEvent.click(screen.getByTestId('reload-button-corp'));
fireEvent.click(await screen.findByRole('button', { name: /Reload trust anchor/i }));
await waitFor(() => {
@@ -255,36 +390,21 @@ describe('SCEPAdminPage — reload-trust modal', () => {
});
});
it('keeps the modal open and shows the error message when reload fails', async () => {
vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
profiles: [baseEnabledProfile],
profile_count: 1,
generated_at: '2026-04-29T15:00:00Z',
} as never);
it('keeps the modal open and shows the error when reload fails', async () => {
vi.mocked(client.reloadAdminSCEPIntuneTrust).mockRejectedValue(new Error('trust anchor cert expired'));
renderWithQuery(<SCEPAdminPage />);
await waitFor(() => {
expect(screen.getByTestId('reload-button-corp')).toBeInTheDocument();
});
gotoIntune();
expect(await screen.findByTestId('reload-button-corp')).toBeInTheDocument();
fireEvent.click(screen.getByTestId('reload-button-corp'));
fireEvent.click(await screen.findByRole('button', { name: /Reload trust anchor/i }));
await waitFor(() => {
expect(screen.getByText(/trust anchor cert expired/)).toBeInTheDocument();
});
// Modal stays open so the operator can read the error and retry.
expect(screen.getByRole('dialog')).toBeInTheDocument();
});
it('Cancel closes the modal without calling the reload mutation', async () => {
vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
profiles: [baseEnabledProfile],
profile_count: 1,
generated_at: '2026-04-29T15:00:00Z',
} as never);
renderWithQuery(<SCEPAdminPage />);
await waitFor(() => {
expect(screen.getByTestId('reload-button-corp')).toBeInTheDocument();
});
gotoIntune();
expect(await screen.findByTestId('reload-button-corp')).toBeInTheDocument();
fireEvent.click(screen.getByTestId('reload-button-corp'));
fireEvent.click(await screen.findByRole('button', { name: /Cancel/i }));
await waitFor(() => {
@@ -294,47 +414,87 @@ describe('SCEPAdminPage — reload-trust modal', () => {
});
});
describe('SCEPAdminPage — error + audit-log surface', () => {
it('surfaces ErrorState when the stats query fails', async () => {
vi.mocked(client.getAdminSCEPIntuneStats).mockRejectedValue(new Error('boom'));
renderWithQuery(<SCEPAdminPage />);
await waitFor(() => {
expect(screen.getByText(/Failed to load data/i)).toBeInTheDocument();
});
});
// =============================================================================
// Recent Activity tab — filter chips.
// =============================================================================
it('merges PKCSReq + RenewalReq audit events and sorts by timestamp descending', async () => {
vi.mocked(client.getAdminSCEPIntuneStats).mockResolvedValue({
profiles: [baseEnabledProfile],
describe('SCEPAdminPage — Activity tab filter', () => {
beforeEach(() => {
vi.mocked(client.getAdminSCEPProfiles).mockResolvedValue({
profiles: [corpProfileSummary],
profile_count: 1,
generated_at: '2026-04-29T15:00:00Z',
} as never);
vi.mocked(client.getAuditEvents).mockImplementation((params: Record<string, string> = {}) => {
if (params.action === 'scep_pkcsreq_intune') {
return Promise.resolve({
data: [
{ id: 'ae-pkcs-1', action: 'scep_pkcsreq_intune', actor: 'scep-client', actor_type: 'system', resource_type: 'certificate', resource_id: 'cert-1', details: {}, timestamp: '2026-04-29T14:00:00Z' },
],
total: 1, page: 1, per_page: 200,
} as never);
}
const lookup: Record<string, unknown[]> = {
scep_pkcsreq: [{ id: 'p1', action: 'scep_pkcsreq', actor: 's', actor_type: 'system', resource_type: 'certificate', resource_id: 'c1', details: {}, timestamp: '2026-04-29T14:00:00Z' }],
scep_renewalreq: [{ id: 'p2', action: 'scep_renewalreq', actor: 's', actor_type: 'system', resource_type: 'certificate', resource_id: 'c2', details: {}, timestamp: '2026-04-29T14:01:00Z' }],
scep_pkcsreq_intune: [{ id: 'p3', action: 'scep_pkcsreq_intune', actor: 's', actor_type: 'system', resource_type: 'certificate', resource_id: 'c3', details: {}, timestamp: '2026-04-29T14:02:00Z' }],
scep_renewalreq_intune: [{ id: 'p4', action: 'scep_renewalreq_intune', actor: 's', actor_type: 'system', resource_type: 'certificate', resource_id: 'c4', details: {}, timestamp: '2026-04-29T14:03:00Z' }],
};
return Promise.resolve({
data: [
{ id: 'ae-renew-1', action: 'scep_renewalreq_intune', actor: 'scep-client', actor_type: 'system', resource_type: 'certificate', resource_id: 'cert-2', details: {}, timestamp: '2026-04-29T14:30:00Z' },
],
total: 1, page: 1, per_page: 200,
data: lookup[params.action ?? ''] ?? [],
total: 1,
page: 1,
per_page: 200,
} as never);
});
});
renderWithQuery(<SCEPAdminPage />);
await waitFor(() => {
expect(screen.getByTestId('recent-failures-table')).toBeInTheDocument();
});
it('filter=all shows all four actions', async () => {
renderWithRoute('/scep?tab=activity', <SCEPAdminPage />);
await screen.findByTestId('activity-tab');
const table = await screen.findByTestId('activity-events-table');
expect(table.querySelectorAll('tbody tr').length).toBe(4);
});
const rows = screen.getByTestId('recent-failures-table').querySelectorAll('tbody tr');
it('filter=intune narrows to just the two _intune actions', async () => {
renderWithRoute('/scep?tab=activity', <SCEPAdminPage />);
await screen.findByTestId('activity-tab');
fireEvent.click(screen.getByTestId('activity-filter-intune'));
const table = await screen.findByTestId('activity-events-table');
const rows = table.querySelectorAll('tbody tr');
expect(rows.length).toBe(2);
// Sorted descending by timestamp — renewal (14:30) comes before pkcs (14:00).
expect(rows[0].textContent).toContain('scep_renewalreq_intune');
expect(rows[1].textContent).toContain('scep_pkcsreq_intune');
for (const r of rows) {
expect(r.textContent).toMatch(/_intune/);
}
});
it('filter=renewal narrows to just the two renewal actions', async () => {
renderWithRoute('/scep?tab=activity', <SCEPAdminPage />);
await screen.findByTestId('activity-tab');
fireEvent.click(screen.getByTestId('activity-filter-renewal'));
const table = await screen.findByTestId('activity-events-table');
const rows = table.querySelectorAll('tbody tr');
expect(rows.length).toBe(2);
for (const r of rows) {
expect(r.textContent).toContain('scep_renewalreq');
}
});
it('filter=static narrows to just the two non-Intune actions', async () => {
renderWithRoute('/scep?tab=activity', <SCEPAdminPage />);
await screen.findByTestId('activity-tab');
fireEvent.click(screen.getByTestId('activity-filter-static'));
const table = await screen.findByTestId('activity-events-table');
const rows = table.querySelectorAll('tbody tr');
expect(rows.length).toBe(2);
for (const r of rows) {
expect(r.textContent).not.toMatch(/_intune/);
}
});
});
// =============================================================================
// Error path.
// =============================================================================
describe('SCEPAdminPage — error surfacing', () => {
it('surfaces ErrorState on the active tab when its query fails', async () => {
vi.mocked(client.getAdminSCEPProfiles).mockRejectedValue(new Error('boom-profiles'));
renderWithRoute('/scep', <SCEPAdminPage />);
await waitFor(() => {
expect(screen.getByText(/Failed to load data/i)).toBeInTheDocument();
});
});
});