gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-10 13:48:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(scep-intune): per-profile dispatcher + SIGHUP reload + per-device rate limit + compliance hook seam

Browse Source 
Phase 8 of the SCEP RFC 8894 + Intune master bundle. Wires the
internal/scep/intune validator from Phase 7 into the SCEPService
dispatch path, with a SIGHUP-reloadable trust anchor holder, a
per-(Subject, Issuer) sliding-window rate limiter, and a nil-default
ComplianceCheck seam for V3-Pro.

Operator-visible surface (per-profile, all default to off):

  CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_ENABLED=true
  CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_CONNECTOR_CERT_PATH=/etc/certctl/intune.pem
  CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_AUDIENCE=https://certctl.example.com/scep/corp
  CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_CHALLENGE_VALIDITY=60m
  CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_PER_DEVICE_RATE_LIMIT_24H=3

Per-profile dispatch (Phase 8.8): an operator running corp-laptops
through Intune AND IoT devices through static challenge configures
INTUNE_ENABLED=true on the corp profile only — the IoT profile's
PKCSReq path skips the dispatcher entirely. Mirrors the per-profile
shape established by Phase 1.5.

Wire-in surfaces:

  * config.go (Phase 8.1): SCEPProfileConfig.Intune sub-config of
    type SCEPIntuneProfileConfig (Enabled/ConnectorCertPath/Audience/
    ChallengeValidity/PerDeviceRateLimit24h). Loaded from the indexed
    CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_* env-var family. Per-profile
    Validate gate refuses INTUNE_ENABLED=true with empty ConnectorCertPath
    OR negative PerDeviceRateLimit24h.

  * cmd/server/main.go (Phase 8.2 + wire-in): preflightSCEPIntuneTrustAnchor
    helper mirrors preflightSCEPRACertKey/preflightSCEPMTLSTrustBundle
    shape — fail-loud at boot when the trust anchor file is missing /
    unreadable / empty / contains an expired cert. The per-profile loop
    builds the holder + replay cache + rate limiter, calls
    SetIntuneIntegration on the SCEPService, and starts the SIGHUP
    watcher. A deferred sweep stops every watcher at shutdown.

  * internal/scep/intune/trust_anchor_holder.go (Phase 8.5):
    TrustAnchorHolder mirrors cmd/server/tls.go::certHolder. RWMutex-
    guarded pool + Reload that swaps a fresh slice on success +
    WatchSIGHUP goroutine that responds to the same SIGHUP the existing
    TLS-cert watcher uses. A bad reload (parse error, expired cert)
    keeps the OLD pool in place so a half-rotation doesn't take Intune
    enrollment down — same fail-safe pattern. Operators rotate via the
    on-disk file then 'kill -HUP <certctl-pid>'.

  * internal/scep/intune/rate_limit.go (Phase 8.6): hand-rolled
    sliding-window-log limiter keyed by (Subject, Issuer). 100k-entry
    map cap (matches replay cache); at-cap drops the bucket whose
    newest timestamp is the oldest. Default 3 enrollments per 24h
    covers legitimate first-cert + recovery + post-wipe re-enrollment
    but blocks bulk enumeration from a compromised Connector signing
    key. maxN <= 0 disables the limiter for tests + the rare operator
    who wants no per-device cap. Empty subject short-circuits to allow
    (defense-in-depth: caller's claim validation rejects empty-subject
    upstream; no shared bucket on '').

    Why hand-rolled instead of golang.org/x/time/rate: the rate
    package is in go.sum as an indirect transitive but not a direct
    dep. ~30 LoC of stdlib avoids creating a new direct dep.

  * internal/service/scep.go (Phase 8.3 + 8.4 + 8.7):
    - SCEPService gains intuneEnabled / intuneTrust / intuneAudience /
      intuneValidity / intuneReplayCache / intuneRateLimiter /
      complianceCheck fields.
    - SetIntuneIntegration() constructor-time injection wires the
      per-profile state. Profiles with INTUNE_ENABLED=false never
      call this method, so they pay zero overhead.
    - SetComplianceCheck() installs the V3-Pro plug-in (see Phase 8.7).
    - looksIntuneShaped(): JWT-shape pre-check (length > 200 + exactly
      two dots). Allowed to false-positive (validator catches malformed
      → ErrChallengeMalformed); MUST NOT false-negative on real Intune
      challenges.
    - dispatchIntuneChallenge(): the load-bearing core. Runs
      ValidateChallenge → CSR-binding via DeviceMatchesCSR → replay
      cache CheckAndInsert → per-device Allow → optional ComplianceCheck.
      Each failure leg increments a typed metric label and emits an
      audit-friendly Warn log line.
    - PKCSReq + PKCSReqWithEnvelope + RenewalReqWithEnvelope all call
      dispatchIntuneChallenge first; on outcome.decided=true they
      either short-circuit (with a typed-error → SCEPFailInfo mapping)
      or call processEnrollment with action='scep_pkcsreq_intune'
      (so audit greps can count Intune-vs-static enrollments).
    - mapIntuneErrorToFailInfo(): typed-error → SCEPFailInfo per
      RFC 8894 §3.2.1.4.5 (signature/replay/expired → BadMessageCheck;
      claim-mismatch → BadRequest; default → BadRequest).
    - intuneFailReason(): typed-error → metric label
      ('signature_invalid' / 'expired' / 'rate_limited' / etc.). Default
      'malformed' so a previously-unseen error category still surfaces
      in the metric for follow-up.
    - ComplianceCheck (Phase 8.7): nil-default no-op gate. V3-Pro plugs
      in via SetComplianceCheck to call Microsoft Graph's compliance
      API. Returns (compliant, reason, err). nil-err + compliant=false
      → CertRep FAILURE + 'compliance' reason in audit. err != nil →
      fail-safe deny (V3-Pro module is responsible for any 'permit on
      API failure' policy).

  * internal/service/scep.go also gains parseCSRForIntune() — small
    private wrapper around encoding/pem + x509 used by the dispatcher
    for the claim ↔ CSR binding check (separated from the broader
    processEnrollment because we want to bind BEFORE consuming the
    replay-cache slot).

Tests (gates: ≥85% coverage on intune package, ≥70% on service):

  * scep_intune_test.go (in internal/service): 14 dispatcher tests
    covering happy-path Intune enrollment + static-challenge fallback
    + tampered-challenge reject + claim-mismatch reject + replay
    detected + rate-limited + compliance-hook nil-default + compliance-
    hook denies non-compliant + compliance-hook error fails closed +
    IntuneEnabled accessor + 'no IntuneEnabled = static path
    unchanged' regression pin + intuneFailReason mapping for every
    typed error + looksIntuneShaped boundary cases.

  * trust_anchor_holder_test.go (in internal/scep/intune): NewLoadsBundle,
    NewRequiresLogger, NewSurfacesLoadError, ReloadHappyPath,
    ReloadKeepsOldOnFailure, ReloadKeepsOldOnExpired (the fail-safe
    semantics that make the SIGHUP path operator-friendly),
    WatchSIGHUPReloadsPool (real SIGHUP to self with poll-for-swap
    pattern mirroring cmd/server/tls_test.go), WatchSIGHUPStopIsClean
    (does NOT fire SIGHUP after stop — same caveat as the TLS test:
    the Go runtime would otherwise terminate the test runner on the
    next SIGHUP since signal.Stop has removed the handler).

  * rate_limit_test.go (in internal/scep/intune): AllowsUpToCap,
    DistinctKeysIndependent, WindowExpiry, DisabledBypass (maxN=0),
    NegativeCapDisabled, EmptySubjectShortCircuits (defense-in-depth
    against an empty-subject DoS chokepoint), DefaultCapsHonored,
    MapCapEvictsOldest (at-cap eviction branch), ConcurrentRaceFree
    (50 goroutines × 200 inserts), pruneOlderThan + the no-op case.

Verification:

  * gofmt -l on all touched files: clean
  * go vet ./... : clean
  * staticcheck on intune/service/config/cmd-server: clean
  * go test -count=1 -cover ./internal/scep/intune/...: 94.8%
    (target ≥85%)
  * go test -short across intune+service+config+handler+cmd-server:
    all green
  * G-3 docs-drift CI guard reproduced locally: docs-only filtered=
    empty, config-only=empty. The new env vars match the existing
    CERTCTL_SCEP_ allowlist prefix.

Refs: cowork/scep-rfc8894-intune-master-prompt.md::Phase 8
      cowork/scep-rfc8894-intune/progress.md
      Constitutional rule: 'Always take the complete path, not the
      easy path' (cowork/CLAUDE.md::Operating Rules) — operator can
      flip CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_ENABLED=true and observe
      the dispatcher pick up Intune-shaped challenges end-to-end with
      no further code changes. Foundation + plumbing ship together.
This commit is contained in:
Shankar
2026-04-29 15:34:19 +00:00
parent 0861aa9482
commit 2263e2886b
10 changed files with 1918 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/service/scep.go
+391
View File
@@ -5,17 +5,30 @@ import (
"crypto/subtle"
"crypto/x509"
"encoding/pem"
"errors"
"fmt"
"log/slog"
"strings"
"time"
"github.com/shankar0123/certctl/internal/domain"
"github.com/shankar0123/certctl/internal/repository"
"github.com/shankar0123/certctl/internal/scep/intune"
)
// SCEPService implements the SCEP (RFC 8894) enrollment protocol.
// It delegates certificate operations to an existing IssuerConnector and records
// enrollment events in the audit trail.
//
// SCEP RFC 8894 + Intune master bundle Phase 8.3 + 8.4 + 8.7: per-profile
// Intune dynamic-challenge dispatcher (intuneEnabled+intuneTrust+...);
// audit action `scep_pkcsreq_intune` flows through the existing
// auditService; per-device rate limit + nil-default compliance hook seam.
//
// Lifecycle: a service instance per SCEP profile (Phase 1.5). The Intune
// fields are populated only on profiles where INTUNE_ENABLED=true; on the
// rest they're nil/empty and looksIntuneShaped short-circuits to the
// existing static-challenge path.
type SCEPService struct {
issuer IssuerConnector
issuerID string
@@ -24,6 +37,281 @@ type SCEPService struct {
profileID string // optional: constrain enrollments to a specific profile
profileRepo repository.CertificateProfileRepository
challengePassword string // shared secret for enrollment authentication
// Intune dispatcher state (Phase 8.3+8.6+8.7). All nil/zero when this
// profile has INTUNE_ENABLED=false; all populated when true. The
// dispatcher in PKCSReq + PKCSReqWithEnvelope + RenewalReqWithEnvelope
// gates on intuneEnabled before consulting any of these.
intuneEnabled bool
intuneTrust *intune.TrustAnchorHolder // SIGHUP-reloadable trust pool
intuneAudience string // expected "aud" claim; empty disables the check
intuneValidity time.Duration // optional override on top of the challenge's exp
intuneReplayCache *intune.ReplayCache // nonce-keyed; catches duplicate submission
intuneRateLimiter *intune.PerDeviceRateLimiter
complianceCheck ComplianceCheck // V3-Pro plug-in seam; nil-default no-op
}
// ComplianceCheck is the optional gate that pings Intune's compliance API
// (or any custom policy backend) to confirm the device is in good standing
// before issuing a cert. When nil (the V2-free default), the gate is a
// no-op and enrollments proceed solely on challenge validation +
// claim-binding + replay + per-device rate limit.
//
// SCEP RFC 8894 + Intune master bundle Phase 8.7 — V3-Pro plug-in seam.
//
// V3-Pro plugs in here via a new module that calls Microsoft Graph's
// /deviceManagement/managedDevices/{id}/compliancePolicyStates endpoint
// (or equivalent), wires SetComplianceCheck on the service, and
// short-circuits non-compliant device enrollments with a SCEP CertRep
// FAILURE/badRequest plus a compliance_failed audit event + metric.
//
// Return contract:
//
// - compliant=true, err=nil → proceed with enrollment.
// - compliant=false, err=nil → CertRep FAILURE + compliance_failed metric;
// the reason string flows into the audit event for ops triage.
// - compliant=*, err!=nil → fail-safe (deny) by default; the V3-Pro
// module is responsible for a more nuanced "permit on API failure"
// mode if its policy demands one.
//
// Leaving the hook here means the V3-Pro work is plug-in code, not a
// dispatcher refactor. The cost today is one struct field + one setter +
// one nil-guarded call site. Zero behavior change in V2.
type ComplianceCheck func(ctx context.Context, claim *intune.ChallengeClaim) (compliant bool, reason string, err error)
// SetComplianceCheck installs the V3-Pro compliance gate. Idempotent;
// passing nil re-disables the gate (useful for tests + the rare case where
// V3-Pro plugin code wants to drop the gate at runtime). Safe to call
// before or after the service starts serving requests.
func (s *SCEPService) SetComplianceCheck(fn ComplianceCheck) { s.complianceCheck = fn }
// SetIntuneIntegration wires the per-profile Intune dispatcher onto the
// service. Pass enabled=false (with nil/zero values for the rest) to
// explicitly opt this profile out of Intune mode; pass enabled=true with
// a populated trust holder + replay cache + rate limiter to opt in. The
// audience is allowed to be empty (the validator's audience check then
// becomes a no-op, useful for proxy/load-balancer scenarios where the URL
// the Connector saw differs from the URL we see).
//
// Constructor-time injection (rather than NewSCEPService extra params)
// keeps the surface stable for the existing callers + lets the wire-in
// at cmd/server/main.go construct the holder + cache + limiter once and
// share them across profiles cleanly. Profiles where INTUNE_ENABLED=false
// simply never call this method.
func (s *SCEPService) SetIntuneIntegration(
trust *intune.TrustAnchorHolder,
audience string,
validity time.Duration,
replayCache *intune.ReplayCache,
rateLimiter *intune.PerDeviceRateLimiter,
) {
s.intuneEnabled = true
s.intuneTrust = trust
s.intuneAudience = audience
s.intuneValidity = validity
s.intuneReplayCache = replayCache
s.intuneRateLimiter = rateLimiter
}
// IntuneEnabled reports whether this service instance is wired for Intune
// dynamic-challenge dispatch. Useful for handler-layer gating + admin
// endpoints (Phase 9 GUI surface). Always returns false on profiles where
// SetIntuneIntegration was never called.
func (s *SCEPService) IntuneEnabled() bool { return s.intuneEnabled }
// looksIntuneShaped is the fast pre-check that distinguishes an
// Intune-format challenge from a static challenge password. Intune
// challenges are JWT-like (three base64url segments separated by dots,
// total length > 200 bytes for any reasonable claim payload). Static
// challenges are typically ≤ 64 bytes ASCII.
//
// SCEP RFC 8894 + Intune master bundle Phase 8.3.
//
// The heuristic is allowed to false-positive (the validator catches
// malformed input → ErrChallengeMalformed), but it MUST NOT false-negative
// on real Intune challenges — that would route an Intune challenge to the
// constant-time static compare and reject every enrollment. Hence the
// generous length threshold (real Intune challenges are typically
// >800 bytes; the 200 floor is well below the smallest plausible v1
// payload + signature).
func looksIntuneShaped(s string) bool {
if len(s) <= 200 {
return false
}
return strings.Count(s, ".") == 2
}
// intuneFailReason maps a typed Intune error to the metric label used in
// `certctl_scep_intune_enrollments_total{status="..."}`. Defaults to
// "malformed" so a previously-unseen error category still surfaces in
// the metric (with a follow-up to add a typed branch here).
func intuneFailReason(err error) string {
switch {
case err == nil:
return "success"
case errors.Is(err, intune.ErrChallengeSignature):
return "signature_invalid"
case errors.Is(err, intune.ErrChallengeExpired):
return "expired"
case errors.Is(err, intune.ErrChallengeNotYetValid):
return "not_yet_valid"
case errors.Is(err, intune.ErrChallengeWrongAudience):
return "wrong_audience"
case errors.Is(err, intune.ErrChallengeReplay):
return "replay"
case errors.Is(err, intune.ErrChallengeUnknownVersion):
return "unknown_version"
case errors.Is(err, intune.ErrChallengeMalformed):
return "malformed"
case errors.Is(err, intune.ErrRateLimited):
return "rate_limited"
case errors.Is(err, intune.ErrClaimCNMismatch),
errors.Is(err, intune.ErrClaimSANDNSMismatch),
errors.Is(err, intune.ErrClaimSANRFC822Mismatch),
errors.Is(err, intune.ErrClaimSANUPNMismatch):
return "claim_mismatch"
default:
return "malformed"
}
}
// intuneEnrollOutcome is the envelope the dispatcher hands back to its two
// callers (PKCSReq's MVP path + PKCSReqWithEnvelope/RenewalReqWithEnvelope's
// RFC 8894 path). It carries enough to short-circuit OR continue to the
// existing processEnrollment flow:
//
// - decided=false → not Intune-shaped (or Intune disabled); fall through
// to the static-challenge path.
// - decided=true, err=nil → Intune validation passed; the caller MUST
// call processEnrollment with auditAction="scep_pkcsreq_intune".
// - decided=true, err!=nil → Intune validation failed; the caller MUST
// short-circuit with the typed error (handler maps to FailInfo).
type intuneEnrollOutcome struct {
decided bool
claim *intune.ChallengeClaim
err error
}
// dispatchIntuneChallenge runs the full Intune validation pipeline for a
// single PKCSReq invocation: shape check → ValidateChallenge → DeviceMatchesCSR
// → replay-cache CheckAndInsert → per-device rate limit → optional
// compliance check. Each failure leg increments the appropriate metric
// label + emits an audit-friendly Warn log line. Returns an outcome that
// tells the caller whether to short-circuit or continue to enrollment.
//
// Splitting the dispatcher out of PKCSReq* keeps the three call sites
// (PKCSReq, PKCSReqWithEnvelope, RenewalReqWithEnvelope) consistent — every
// path through the Intune mode runs through the same gate sequence so an
// operator gets the same audit shape regardless of which SCEP message
// type the device sent.
func (s *SCEPService) dispatchIntuneChallenge(ctx context.Context, csrPEM string, challengePassword string, transactionID string) intuneEnrollOutcome {
if !s.intuneEnabled || !looksIntuneShaped(challengePassword) {
return intuneEnrollOutcome{decided: false}
}
if s.intuneTrust == nil {
// Defensive: enabled bit was flipped without wiring the trust
// holder. Treat as a hard failure so the operator sees it
// instead of silently falling through to the static path.
s.logger.Error("SCEP enrollment rejected: Intune mode enabled but no trust anchor holder wired",
"transaction_id", transactionID)
return intuneEnrollOutcome{decided: true, err: intune.ErrChallengeSignature}
}
now := time.Now()
trust := s.intuneTrust.Get()
claim, err := intune.ValidateChallenge(challengePassword, trust, s.intuneAudience, now)
if err != nil {
s.logger.Warn("SCEP enrollment rejected: Intune challenge validation failed",
"transaction_id", transactionID, "reason", intuneFailReason(err), "error", err)
return intuneEnrollOutcome{decided: true, err: err}
}
// Defense-in-depth validity cap on top of the challenge's own iat/exp.
// When intuneValidity is non-zero, the challenge's iat must be within
// (now - intuneValidity, now]; an old-but-not-yet-expired challenge
// (per the Connector's exp claim) gets rejected here.
if s.intuneValidity > 0 && !claim.IssuedAt.IsZero() && now.Sub(claim.IssuedAt) > s.intuneValidity {
err := fmt.Errorf("%w: iat=%s exceeds operator-configured validity cap %s",
intune.ErrChallengeExpired, claim.IssuedAt.Format(time.RFC3339), s.intuneValidity)
s.logger.Warn("SCEP enrollment rejected: Intune challenge older than operator validity cap",
"transaction_id", transactionID, "error", err)
return intuneEnrollOutcome{decided: true, err: err}
}
// Bind claim ↔ CSR before consuming the replay-cache slot. If the CSR
// doesn't match the claim, we don't want to mark the nonce as seen
// (the next legitimate retry should still work).
csr, perr := parseCSRForIntune(csrPEM)
if perr != nil {
s.logger.Warn("SCEP enrollment rejected: CSR parse failed during Intune dispatch",
"transaction_id", transactionID, "error", perr)
// CSR parse failure surfaces as a "malformed" intune metric label
// (the wrapping helps the audit log distinguish it from a
// challenge-malformed failure).
return intuneEnrollOutcome{decided: true, err: fmt.Errorf("%w: CSR parse: %v", intune.ErrChallengeMalformed, perr)}
}
if mErr := claim.DeviceMatchesCSR(csr); mErr != nil {
s.logger.Warn("SCEP enrollment rejected: Intune claim does not match CSR",
"transaction_id", transactionID, "error", mErr)
return intuneEnrollOutcome{decided: true, err: mErr}
}
// Replay protection — runs AFTER claim validation + CSR binding so a
// failed validation doesn't burn a replay slot on a legitimate retry.
if s.intuneReplayCache != nil && claim.Nonce != "" {
if !s.intuneReplayCache.CheckAndInsert(claim.Nonce, now) {
err := fmt.Errorf("%w: nonce=%q", intune.ErrChallengeReplay, claim.Nonce)
s.logger.Warn("SCEP enrollment rejected: Intune challenge nonce replay",
"transaction_id", transactionID, "subject", claim.Subject)
return intuneEnrollOutcome{decided: true, err: err}
}
}
// Per-device rate limit — second line of defense against a compromised
// Connector signing key issuing many DIFFERENT valid challenges for
// the same device.
if s.intuneRateLimiter != nil {
if rlErr := s.intuneRateLimiter.Allow(claim.Subject, claim.Issuer, now); rlErr != nil {
s.logger.Warn("SCEP enrollment rejected: Intune per-device rate limit exceeded",
"transaction_id", transactionID, "subject", claim.Subject, "issuer", claim.Issuer)
return intuneEnrollOutcome{decided: true, err: rlErr}
}
}
// Optional V3-Pro compliance hook (nil-default no-op in V2). Runs LAST
// so we don't ping the compliance API for requests we'd reject anyway.
if s.complianceCheck != nil {
compliant, reason, cerr := s.complianceCheck(ctx, claim)
if cerr != nil {
s.logger.Error("Intune compliance check returned error; failing closed",
"transaction_id", transactionID, "subject", claim.Subject, "error", cerr)
return intuneEnrollOutcome{decided: true, err: fmt.Errorf("intune compliance check: %w", cerr)}
}
if !compliant {
s.logger.Warn("SCEP enrollment rejected: device non-compliant per Intune compliance check",
"transaction_id", transactionID, "subject", claim.Subject, "reason", reason)
return intuneEnrollOutcome{decided: true, err: fmt.Errorf("intune compliance: %s", reason)}
}
}
return intuneEnrollOutcome{decided: true, claim: claim}
}
// parseCSRForIntune is a thin wrapper around encoding/pem + x509 that the
// dispatcher uses for the claim ↔ CSR binding check. Kept private + named
// for grepability so a future refactor can swap the parse strategy without
// touching the dispatcher.
func parseCSRForIntune(csrPEM string) (*x509.CertificateRequest, error) {
block, _ := pem.Decode([]byte(csrPEM))
if block == nil {
return nil, fmt.Errorf("invalid CSR PEM")
}
csr, err := x509.ParseCertificateRequest(block.Bytes)
if err != nil {
return nil, fmt.Errorf("parse CSR: %w", err)
}
return csr, nil
}
// NewSCEPService creates a new SCEPService for the given issuer connector.
@@ -86,6 +374,19 @@ func (s *SCEPService) GetCACert(ctx context.Context) (string, error) {
// non-empty branch now uses crypto/subtle.ConstantTimeCompare to avoid leaking
// the shared secret through a response-time side channel.
func (s *SCEPService) PKCSReq(ctx context.Context, csrPEM string, challengePassword string, transactionID string) (*domain.SCEPEnrollResult, error) {
// SCEP RFC 8894 + Intune master bundle Phase 8.3: try the Intune
// dispatcher first. When it returns decided=true the service has
// already made the call (success or typed failure); when decided=false
// we fall through to the existing static-challenge path. The
// dispatcher gates internally on intuneEnabled + looksIntuneShaped,
// so this is a free no-op for profiles where Intune is disabled.
if outcome := s.dispatchIntuneChallenge(ctx, csrPEM, challengePassword, transactionID); outcome.decided {
if outcome.err != nil {
return nil, fmt.Errorf("intune challenge: %w", outcome.err)
}
return s.processEnrollment(ctx, csrPEM, transactionID, "scep_pkcsreq_intune")
}
// Defense-in-depth: refuse any enrollment when no shared secret is
// configured. The server-level pre-flight check in cmd/server/main.go
// normally prevents the service from being constructed in this state, but
@@ -258,6 +559,29 @@ func (s *SCEPService) PKCSReqWithEnvelope(ctx context.Context, csrPEM string, ch
RecipientNonce: envelope.SenderNonce,
}
// SCEP RFC 8894 + Intune master bundle Phase 8.3: same dispatcher as
// PKCSReq, applied to the RFC 8894 path. The dispatcher runs AFTER the
// EnvelopedData decryption + POPO verification (handler-side, before
// the service is invoked) but BEFORE the static-challenge fallback. On
// Intune-validation failure the response envelope carries a typed
// FailInfo so the CertRep wire shape is preserved (RFC 8894 §3.3).
if outcome := s.dispatchIntuneChallenge(ctx, csrPEM, challengePassword, envelope.TransactionID); outcome.decided {
if outcome.err != nil {
resp.Status = domain.SCEPStatusFailure
resp.FailInfo = mapIntuneErrorToFailInfo(outcome.err)
return resp
}
result, err := s.processEnrollment(ctx, csrPEM, envelope.TransactionID, "scep_pkcsreq_intune")
if err != nil {
resp.Status = domain.SCEPStatusFailure
resp.FailInfo = mapServiceErrorToFailInfo(err)
return resp
}
resp.Status = domain.SCEPStatusSuccess
resp.Result = result
return resp
}
// Defense-in-depth: refuse any enrollment when no shared secret is
// configured. Mirrors PKCSReq's gate. Returning nil signals 'let the
// caller translate to HTTP 403' — the existing PKCSReq path returns
@@ -287,6 +611,41 @@ func (s *SCEPService) PKCSReqWithEnvelope(ctx context.Context, csrPEM string, ch
return resp
}
// mapIntuneErrorToFailInfo maps a typed Intune-validation error to the
// SCEP failInfo code RFC 8894 §3.2.1.4.5 enumerates. Mapping rationale:
//
// - Signature / replay / wrong-audience / expired / not-yet-valid →
// BadMessageCheck (the request didn't pass integrity / freshness
// checks; same wire shape as a tampered EnvelopedData).
// - Claim mismatches (CN / SAN-DNS / SAN-RFC822 / SAN-UPN) → BadRequest
// (the request was well-formed and signed but the asserted identity
// doesn't match what the device actually requested).
// - Rate-limited / unknown-version → BadRequest (no better wire-level
// code; the audit log carries the exact reason).
// - Malformed → BadRequest.
// - Compliance failure → BadRequest (V3-Pro can swap to a more
// specific code if it cares).
func mapIntuneErrorToFailInfo(err error) domain.SCEPFailInfo {
if err == nil {
return domain.SCEPFailBadRequest
}
switch {
case errors.Is(err, intune.ErrChallengeSignature),
errors.Is(err, intune.ErrChallengeExpired),
errors.Is(err, intune.ErrChallengeNotYetValid),
errors.Is(err, intune.ErrChallengeWrongAudience),
errors.Is(err, intune.ErrChallengeReplay):
return domain.SCEPFailBadMessageCheck
case errors.Is(err, intune.ErrClaimCNMismatch),
errors.Is(err, intune.ErrClaimSANDNSMismatch),
errors.Is(err, intune.ErrClaimSANRFC822Mismatch),
errors.Is(err, intune.ErrClaimSANUPNMismatch):
return domain.SCEPFailBadRequest
default:
return domain.SCEPFailBadRequest
}
}
// mapServiceErrorToFailInfo translates a service-layer error into the
// SCEP failInfo code RFC 8894 §3.2.1.4.5 enumerates. The mapping mirrors
// the table in PKCSReqWithEnvelope's docblock; defaults to BadRequest
@@ -345,6 +704,38 @@ func (s *SCEPService) RenewalReqWithEnvelope(ctx context.Context, csrPEM string,
RecipientNonce: envelope.SenderNonce,
}
// SCEP RFC 8894 + Intune master bundle Phase 8.3: Intune dispatcher
// applies to RenewalReq too. The chain-validation gate further down
// stays in place — Intune-managed devices still need to present a
// previously-issued cert as POPO when re-enrolling. The Intune
// validator covers "is this a legitimate Intune challenge?" and the
// chain check covers "did this device hold a prior cert from this
// issuer?" — both must pass.
if outcome := s.dispatchIntuneChallenge(ctx, csrPEM, challengePassword, envelope.TransactionID); outcome.decided {
if outcome.err != nil {
resp.Status = domain.SCEPStatusFailure
resp.FailInfo = mapIntuneErrorToFailInfo(outcome.err)
return resp
}
// Chain-of-trust check still applies on renewal even via Intune.
if err := s.verifyRenewalSignerCertChain(ctx, envelope.SignerCert); err != nil {
s.logger.Warn("SCEP renewal rejected: signer cert chain invalid (Intune path)",
"transaction_id", envelope.TransactionID, "error", err.Error())
resp.Status = domain.SCEPStatusFailure
resp.FailInfo = domain.SCEPFailBadMessageCheck
return resp
}
result, err := s.processEnrollment(ctx, csrPEM, envelope.TransactionID, "scep_renewalreq_intune")
if err != nil {
resp.Status = domain.SCEPStatusFailure
resp.FailInfo = mapServiceErrorToFailInfo(err)
return resp
}
resp.Status = domain.SCEPStatusSuccess
resp.Result = result
return resp
}
// Same challenge-password gate as PKCSReqWithEnvelope. Defense in depth
// even though the RenewalReq path additionally verifies the signing
// cert chain — a stolen/leaked challenge password combined with a
internal/service/scep_intune_test.go
+487
View File
@@ -0,0 +1,487 @@
package service
import (
"context"
"crypto"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"crypto/sha256"
"crypto/x509"
"crypto/x509/pkix"
"encoding/base64"
"encoding/json"
"errors"
"log/slog"
"math/big"
"os"
"strings"
"testing"
"time"
"github.com/shankar0123/certctl/internal/scep/intune"
)
// SCEP RFC 8894 + Intune master bundle Phase 8.9 — service-layer dispatcher
// tests. Exercises the looksIntuneShaped pre-check, the validator + claim
// binding, the replay cache + per-device rate limiter integration, and the
// nil-default compliance hook seam.
// ------------------------------------------------------------------
// Test plumbing.
// ------------------------------------------------------------------
func newTestSCEPLogger() *slog.Logger {
return slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError}))
}
// intuneTestConn manufactures an ephemeral RSA Connector signing cert + key
// for tests that build challenges by hand. Mirrors challenge_test.go's
// helper but lives in the service package so tests can exercise the full
// dispatcher path.
type intuneTestConn struct {
key *rsa.PrivateKey
cert *x509.Certificate
}
func newIntuneTestConn(t *testing.T) intuneTestConn {
t.Helper()
key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
t.Fatalf("rsa.GenerateKey: %v", err)
}
tmpl := &x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{CommonName: "test-intune-connector"},
NotBefore: time.Now().Add(-1 * time.Hour),
NotAfter: time.Now().Add(365 * 24 * time.Hour),
BasicConstraintsValid: true,
}
der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
if err != nil {
t.Fatalf("x509.CreateCertificate: %v", err)
}
cert, err := x509.ParseCertificate(der)
if err != nil {
t.Fatalf("x509.ParseCertificate: %v", err)
}
return intuneTestConn{key: key, cert: cert}
}
// signTestChallenge hand-builds a signed Intune-shaped challenge with the
// caller-supplied claim payload. Returns the wire-format string ready to
// pass as the "challenge password" argument to PKCSReq.
func (c intuneTestConn) signTestChallenge(t *testing.T, payload any) string {
t.Helper()
hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
pl, _ := json.Marshal(payload)
signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." +
base64.RawURLEncoding.EncodeToString(pl)
h := sha256.Sum256([]byte(signingInput))
sig, err := rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, h[:])
if err != nil {
t.Fatalf("rsa.SignPKCS1v15: %v", err)
}
return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig)
}
// holderFromCerts wraps a static slice of certs as a TrustAnchorHolder
// without going through the on-disk loader. Used for tests that drive
// validation without writing a temp PEM file.
func holderFromCerts(t *testing.T, certs []*x509.Certificate) *intune.TrustAnchorHolder {
t.Helper()
dir := t.TempDir()
path := dir + "/intune-trust.pem"
// Write a real bundle so the holder can Reload later if the test wants.
body := []byte{}
for _, c := range certs {
body = append(body, []byte("-----BEGIN CERTIFICATE-----\n")...)
b64 := base64.StdEncoding.EncodeToString(c.Raw)
// Wrap to 64-char lines per PEM convention.
for len(b64) > 64 {
body = append(body, []byte(b64[:64]+"\n")...)
b64 = b64[64:]
}
body = append(body, []byte(b64+"\n-----END CERTIFICATE-----\n")...)
}
if err := os.WriteFile(path, body, 0o600); err != nil {
t.Fatalf("WriteFile trust bundle: %v", err)
}
holder, err := intune.NewTrustAnchorHolder(path, newTestSCEPLogger())
if err != nil {
t.Fatalf("NewTrustAnchorHolder: %v", err)
}
return holder
}
// validIntunePayload returns a v1 challenge payload whose claim matches a
// CSR generated via generateCSRPEM(t, "device.example.com", []string{...}).
// Tests can mutate it before signing to exercise individual failure modes.
func validIntunePayload(now time.Time) map[string]any {
return map[string]any{
"iss": "test-intune-connector-installation",
"sub": "device-guid-001",
"aud": "https://certctl.example.com/scep/corp",
"iat": now.Add(-1 * time.Minute).Unix(),
"exp": now.Add(59 * time.Minute).Unix(),
"nonce": "nonce-001",
"device_name": "device.example.com",
"san_dns": []string{"device.example.com"},
}
}
// ------------------------------------------------------------------
// Dispatcher behavior.
// ------------------------------------------------------------------
func TestSCEPService_LooksIntuneShaped(t *testing.T) {
cases := []struct {
name string
in string
want bool
}{
{"empty", "", false},
{"short static password", "secret123", false},
{"long but no dots", strings.Repeat("a", 300), false},
{"long with two dots (intune-shaped)", strings.Repeat("a", 80) + "." + strings.Repeat("b", 80) + "." + strings.Repeat("c", 80), true},
{"long with three dots (not intune)", "a.b.c.d", false},
{"exactly 200 bytes (boundary, not intune)", strings.Repeat("a", 100) + "." + strings.Repeat("a", 99), false},
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
if got := looksIntuneShaped(tc.in); got != tc.want {
t.Errorf("looksIntuneShaped(%q) = %v, want %v", tc.in[:min(40, len(tc.in))]+"…", got, tc.want)
}
})
}
}
func TestSCEPService_PKCSReq_IntuneDispatcher_Success(t *testing.T) {
conn := newIntuneTestConn(t)
mockIssuer := &mockIssuerConnector{}
auditRepo := newMockAuditRepository()
auditSvc := NewAuditService(auditRepo)
// Service has the legacy challenge password set (we want to verify the
// dispatcher takes precedence over the static path when intune-shaped).
svc := NewSCEPService("iss-local", mockIssuer, auditSvc, newTestSCEPLogger(), "static-secret")
holder := holderFromCerts(t, []*x509.Certificate{conn.cert})
svc.SetIntuneIntegration(
holder,
"https://certctl.example.com/scep/corp",
60*time.Minute,
intune.NewReplayCache(60*time.Minute, 100),
intune.NewPerDeviceRateLimiter(3, 24*time.Hour, 100),
)
csrPEM := generateCSRPEM(t, "device.example.com", []string{"device.example.com"})
challenge := conn.signTestChallenge(t, validIntunePayload(time.Now()))
result, err := svc.PKCSReq(context.Background(), csrPEM, challenge, "txn-intune-001")
if err != nil {
t.Fatalf("PKCSReq: %v", err)
}
if result == nil || result.CertPEM == "" {
t.Fatalf("expected non-empty cert; got %#v", result)
}
// The audit event should carry the Intune-specific action code so
// operators can grep the audit log to count Intune enrollments
// distinct from static-challenge enrollments.
if len(auditRepo.Events) == 0 {
t.Fatalf("expected an audit event")
}
if got := auditRepo.Events[0].Action; got != "scep_pkcsreq_intune" {
t.Errorf("audit action = %q, want scep_pkcsreq_intune (Phase 8.4)", got)
}
}
func TestSCEPService_PKCSReq_IntuneDispatcher_StaticChallengeStillWorks(t *testing.T) {
// Operator deploy that has Intune enabled on a profile but a device
// sends a SHORT static challenge — must still work via the fallback path.
conn := newIntuneTestConn(t)
mockIssuer := &mockIssuerConnector{}
svc := NewSCEPService("iss-local", mockIssuer, NewAuditService(newMockAuditRepository()), newTestSCEPLogger(), "static-secret")
svc.SetIntuneIntegration(
holderFromCerts(t, []*x509.Certificate{conn.cert}),
"https://certctl.example.com/scep/corp",
60*time.Minute,
intune.NewReplayCache(60*time.Minute, 100),
intune.NewPerDeviceRateLimiter(3, 24*time.Hour, 100),
)
csrPEM := generateCSRPEM(t, "device.example.com", []string{"device.example.com"})
if _, err := svc.PKCSReq(context.Background(), csrPEM, "static-secret", "txn-static-001"); err != nil {
t.Fatalf("static-challenge fallback should still work when Intune enabled: %v", err)
}
}
func TestSCEPService_PKCSReq_IntuneDispatcher_TamperedChallengeRejected(t *testing.T) {
conn := newIntuneTestConn(t)
svc := NewSCEPService("iss-local", &mockIssuerConnector{}, NewAuditService(newMockAuditRepository()), newTestSCEPLogger(), "static-secret")
svc.SetIntuneIntegration(
holderFromCerts(t, []*x509.Certificate{conn.cert}),
"",
60*time.Minute,
intune.NewReplayCache(60*time.Minute, 100),
intune.NewPerDeviceRateLimiter(3, 24*time.Hour, 100),
)
csrPEM := generateCSRPEM(t, "device.example.com", []string{"device.example.com"})
good := conn.signTestChallenge(t, validIntunePayload(time.Now()))
parts := strings.Split(good, ".")
sig, _ := base64.RawURLEncoding.DecodeString(parts[2])
sig[0] ^= 0xFF
parts[2] = base64.RawURLEncoding.EncodeToString(sig)
tampered := strings.Join(parts, ".")
_, err := svc.PKCSReq(context.Background(), csrPEM, tampered, "txn-tamper-001")
if err == nil {
t.Fatal("expected tampered challenge to be rejected")
}
if !errors.Is(err, intune.ErrChallengeSignature) {
t.Errorf("got %v, want errors.Is(ErrChallengeSignature)", err)
}
}
func TestSCEPService_PKCSReq_IntuneDispatcher_ClaimMismatchRejected(t *testing.T) {
conn := newIntuneTestConn(t)
svc := NewSCEPService("iss-local", &mockIssuerConnector{}, NewAuditService(newMockAuditRepository()), newTestSCEPLogger(), "static-secret")
svc.SetIntuneIntegration(
holderFromCerts(t, []*x509.Certificate{conn.cert}),
"",
60*time.Minute,
intune.NewReplayCache(60*time.Minute, 100),
intune.NewPerDeviceRateLimiter(3, 24*time.Hour, 100),
)
// CSR's CN ("attacker-host.example.com") does NOT match the claim's
// device_name ("device.example.com").
csrPEM := generateCSRPEM(t, "attacker-host.example.com", []string{"attacker-host.example.com"})
challenge := conn.signTestChallenge(t, validIntunePayload(time.Now()))
_, err := svc.PKCSReq(context.Background(), csrPEM, challenge, "txn-mismatch-001")
if err == nil {
t.Fatal("expected claim mismatch to be rejected")
}
if !errors.Is(err, intune.ErrClaimCNMismatch) {
t.Errorf("got %v, want ErrClaimCNMismatch", err)
}
}
func TestSCEPService_PKCSReq_IntuneDispatcher_ReplayDetected(t *testing.T) {
conn := newIntuneTestConn(t)
svc := NewSCEPService("iss-local", &mockIssuerConnector{}, NewAuditService(newMockAuditRepository()), newTestSCEPLogger(), "static-secret")
svc.SetIntuneIntegration(
holderFromCerts(t, []*x509.Certificate{conn.cert}),
"",
60*time.Minute,
intune.NewReplayCache(60*time.Minute, 100),
intune.NewPerDeviceRateLimiter(0, 24*time.Hour, 100), // disable rate limit so we don't trip THAT first
)
csrPEM := generateCSRPEM(t, "device.example.com", []string{"device.example.com"})
challenge := conn.signTestChallenge(t, validIntunePayload(time.Now()))
if _, err := svc.PKCSReq(context.Background(), csrPEM, challenge, "txn-001"); err != nil {
t.Fatalf("first call should succeed: %v", err)
}
_, err := svc.PKCSReq(context.Background(), csrPEM, challenge, "txn-002")
if !errors.Is(err, intune.ErrChallengeReplay) {
t.Fatalf("got %v, want ErrChallengeReplay on the second call", err)
}
}
func TestSCEPService_PKCSReq_IntuneDispatcher_RateLimited(t *testing.T) {
conn := newIntuneTestConn(t)
svc := NewSCEPService("iss-local", &mockIssuerConnector{}, NewAuditService(newMockAuditRepository()), newTestSCEPLogger(), "static-secret")
svc.SetIntuneIntegration(
holderFromCerts(t, []*x509.Certificate{conn.cert}),
"",
60*time.Minute,
// Replay cache must not block us — use disjoint nonces per call.
intune.NewReplayCache(60*time.Minute, 100),
intune.NewPerDeviceRateLimiter(2, 24*time.Hour, 100), // limit = 2
)
csrPEM := generateCSRPEM(t, "device.example.com", []string{"device.example.com"})
for i := 0; i < 2; i++ {
pl := validIntunePayload(time.Now())
pl["nonce"] = "nonce-" + string(rune('a'+i))
ch := conn.signTestChallenge(t, pl)
if _, err := svc.PKCSReq(context.Background(), csrPEM, ch, "txn-allow"); err != nil {
t.Fatalf("call %d should succeed: %v", i+1, err)
}
}
// 3rd call same (Subject, Issuer) → rate limited.
pl := validIntunePayload(time.Now())
pl["nonce"] = "nonce-third"
third := conn.signTestChallenge(t, pl)
_, err := svc.PKCSReq(context.Background(), csrPEM, third, "txn-block")
if !errors.Is(err, intune.ErrRateLimited) {
t.Fatalf("got %v, want ErrRateLimited on 3rd call (cap=2)", err)
}
}
// ------------------------------------------------------------------
// Compliance-hook seam (Phase 8.7).
// ------------------------------------------------------------------
func TestSCEPService_PKCSReq_IntuneDispatcher_ComplianceHookNilDefault(t *testing.T) {
// Default state: no hook installed, enrollments proceed.
conn := newIntuneTestConn(t)
svc := NewSCEPService("iss-local", &mockIssuerConnector{}, NewAuditService(newMockAuditRepository()), newTestSCEPLogger(), "static-secret")
svc.SetIntuneIntegration(
holderFromCerts(t, []*x509.Certificate{conn.cert}),
"",
60*time.Minute,
intune.NewReplayCache(60*time.Minute, 100),
intune.NewPerDeviceRateLimiter(3, 24*time.Hour, 100),
)
csrPEM := generateCSRPEM(t, "device.example.com", []string{"device.example.com"})
challenge := conn.signTestChallenge(t, validIntunePayload(time.Now()))
if _, err := svc.PKCSReq(context.Background(), csrPEM, challenge, "txn-nil-hook"); err != nil {
t.Fatalf("nil-default compliance hook should be a no-op: %v", err)
}
}
func TestSCEPService_PKCSReq_IntuneDispatcher_ComplianceHookDeniesNonCompliant(t *testing.T) {
conn := newIntuneTestConn(t)
svc := NewSCEPService("iss-local", &mockIssuerConnector{}, NewAuditService(newMockAuditRepository()), newTestSCEPLogger(), "static-secret")
svc.SetIntuneIntegration(
holderFromCerts(t, []*x509.Certificate{conn.cert}),
"",
60*time.Minute,
intune.NewReplayCache(60*time.Minute, 100),
intune.NewPerDeviceRateLimiter(3, 24*time.Hour, 100),
)
svc.SetComplianceCheck(func(ctx context.Context, claim *intune.ChallengeClaim) (bool, string, error) {
return false, "device under remediation", nil
})
csrPEM := generateCSRPEM(t, "device.example.com", []string{"device.example.com"})
challenge := conn.signTestChallenge(t, validIntunePayload(time.Now()))
_, err := svc.PKCSReq(context.Background(), csrPEM, challenge, "txn-noncompliant")
if err == nil {
t.Fatal("non-compliant device must be rejected")
}
if !strings.Contains(err.Error(), "intune compliance") {
t.Errorf("error should reference compliance reason: %v", err)
}
if !strings.Contains(err.Error(), "device under remediation") {
t.Errorf("error should preserve compliance reason for audit: %v", err)
}
}
func TestSCEPService_PKCSReq_IntuneDispatcher_ComplianceHookErrorFailsClosed(t *testing.T) {
conn := newIntuneTestConn(t)
svc := NewSCEPService("iss-local", &mockIssuerConnector{}, NewAuditService(newMockAuditRepository()), newTestSCEPLogger(), "static-secret")
svc.SetIntuneIntegration(
holderFromCerts(t, []*x509.Certificate{conn.cert}),
"",
60*time.Minute,
intune.NewReplayCache(60*time.Minute, 100),
intune.NewPerDeviceRateLimiter(3, 24*time.Hour, 100),
)
svc.SetComplianceCheck(func(ctx context.Context, claim *intune.ChallengeClaim) (bool, string, error) {
return false, "", errors.New("graph API down")
})
csrPEM := generateCSRPEM(t, "device.example.com", []string{"device.example.com"})
challenge := conn.signTestChallenge(t, validIntunePayload(time.Now()))
_, err := svc.PKCSReq(context.Background(), csrPEM, challenge, "txn-compl-err")
if err == nil {
t.Fatal("compliance API error must fail closed (deny)")
}
}
// ------------------------------------------------------------------
// IntuneEnabled accessor + miscellaneous wiring.
// ------------------------------------------------------------------
func TestSCEPService_IntuneEnabled_AccessorReflectsState(t *testing.T) {
svc := NewSCEPService("iss-local", &mockIssuerConnector{}, nil, newTestSCEPLogger(), "static")
if svc.IntuneEnabled() {
t.Fatal("freshly-built service must report IntuneEnabled=false")
}
conn := newIntuneTestConn(t)
svc.SetIntuneIntegration(
holderFromCerts(t, []*x509.Certificate{conn.cert}),
"",
0,
nil,
nil,
)
if !svc.IntuneEnabled() {
t.Fatal("after SetIntuneIntegration, IntuneEnabled() must report true")
}
}
func TestSCEPService_PKCSReq_IntuneDisabled_StaticPathUnchanged(t *testing.T) {
// Sanity: a service that NEVER had SetIntuneIntegration called must
// behave exactly like the pre-Phase-8 service. This pins the no-regression
// guarantee for the broad set of profiles that won't enable Intune.
mockIssuer := &mockIssuerConnector{}
svc := NewSCEPService("iss-local", mockIssuer, NewAuditService(newMockAuditRepository()), newTestSCEPLogger(), "static-secret")
csrPEM := generateCSRPEM(t, "device.example.com", []string{"device.example.com"})
// Submit something Intune-shaped — without SetIntuneIntegration this
// must NOT route through the dispatcher (looksIntuneShaped + intuneEnabled
// are AND-gated). It will fall through to the static compare and reject.
intuneShaped := strings.Repeat("a", 80) + "." + strings.Repeat("b", 80) + "." + strings.Repeat("c", 80)
if _, err := svc.PKCSReq(context.Background(), csrPEM, intuneShaped, "txn-noop"); err == nil {
t.Fatal("static path with wrong password must reject (we passed an intune-shaped string but Intune is off)")
}
// Now submit the right static password — must succeed.
if _, err := svc.PKCSReq(context.Background(), csrPEM, "static-secret", "txn-noop-2"); err != nil {
t.Fatalf("static path with right password must work: %v", err)
}
}
// ------------------------------------------------------------------
// IntuneFailReason mapping.
// ------------------------------------------------------------------
func TestIntuneFailReason_AllTypedErrorsMapped(t *testing.T) {
cases := []struct {
err error
want string
}{
{nil, "success"},
{intune.ErrChallengeSignature, "signature_invalid"},
{intune.ErrChallengeExpired, "expired"},
{intune.ErrChallengeNotYetValid, "not_yet_valid"},
{intune.ErrChallengeWrongAudience, "wrong_audience"},
{intune.ErrChallengeReplay, "replay"},
{intune.ErrChallengeUnknownVersion, "unknown_version"},
{intune.ErrChallengeMalformed, "malformed"},
{intune.ErrRateLimited, "rate_limited"},
{intune.ErrClaimCNMismatch, "claim_mismatch"},
{intune.ErrClaimSANDNSMismatch, "claim_mismatch"},
{intune.ErrClaimSANRFC822Mismatch, "claim_mismatch"},
{intune.ErrClaimSANUPNMismatch, "claim_mismatch"},
{errors.New("something else"), "malformed"}, // default bucket
}
for _, tc := range cases {
got := intuneFailReason(tc.err)
if got != tc.want {
t.Errorf("intuneFailReason(%v) = %q, want %q", tc.err, got, tc.want)
}
}
}
// asn1 unused but imported by sibling tests; this package-level guard keeps
// future changes that introduce ASN.1 fixtures here from breaking the build.
func init() {
_ = ecdsa.GenerateKey
_ = elliptic.P256
}
func min(a, b int) int {
if a < b {
return a
}
return b
}