mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-14 16:28:52 +00:00
feat(scep): plumb CertificateProfile.MustStaple end-to-end through service layer
SCEP RFC 8894 + Intune master bundle Phase 5.6 follow-up.
Closes the 'lying field' gap from the original Phase 5.6 commit (35fcfa7).
That commit shipped CertificateProfile.MustStaple as a domain field +
IssuanceRequest.MustStaple as the issuer-interface field + the local
issuer's RFC 7633 extension generation + byte-exact tests against the
spec — but the service layer (SCEP + EST + agent + renewal) never read
profile.MustStaple and never set IssuanceRequest.MustStaple. Operators
who set the field got: a stored value, an API that returned it, docs
that promised it worked, and a cert with no extension. Worse than not
having the field at all.
Per the new operating rule landed in cowork/CLAUDE.md::Operating Rules
('Always take the complete path, not the easy path'), this commit closes
the wire end-to-end.
internal/service/renewal.go
* IssuerConnector interface signature gains a mustStaple bool param on
IssueCertificate + RenewCertificate. The original 'this is a wider
refactor' framing was overstated — it's one extra arg threaded
through six call sites, not a structural change.
internal/service/issuer_adapter.go
* IssuerConnectorAdapter.IssueCertificate + RenewCertificate accept
the new param + populate IssuanceRequest.MustStaple /
RenewalRequest.MustStaple. Connectors that don't honor extension
injection (Vault, EJBCA, ACME, etc.) silently ignore the field —
the Phase 5.6 commit's docblock already noted this.
internal/service/scep.go
* processEnrollment now reads profile.MustStaple alongside
profile.MaxTTLSeconds and threads it through the IssueCertificate
call. The SCEP path was the load-bearing one — the original Phase
5.6 docs example showed exactly this code shape but the wire was
never landed.
internal/service/est.go
* Same pattern as SCEP: read profile.MustStaple + thread to
IssueCertificate. Defense in depth so a deploy that mounts the
same profile across SCEP + EST gets consistent extension behavior.
internal/service/agent.go
* The fallback direct-issuer signing path in heartbeatPipeline reads
profile + threads MustStaple through. Server-mode keygen + ad-hoc
CSR submission paths both go through this.
internal/service/renewal.go (the renewal-loop side, not the interface)
* Both renewal call sites (server-CSR-generated + agent-CSR-submitted)
read profile.MustStaple + thread it through RenewCertificate. Renewed
certs match their initial-issuance extension set when the bound
profile changes mid-lifetime.
internal/service/scep_must_staple_test.go (new)
* TestSCEPService_PKCSReq_PlumbsMustStapleToIssuer — end-to-end
integration test: profile.MustStaple=true → SCEP service →
mock IssuerConnector saw mustStaple=true. This is the test the
original Phase 5.6 commit should have shipped — proves the wire
reaches the connector.
* TestSCEPService_PKCSReq_NoMustStaplePropagatesFalse — companion
pinning the symmetric contract; the mock pre-sets LastMustStaple=true
so a stuck-at-true bug surfaces.
internal/service/testutil_test.go +
internal/service/m11c_crypto_enforcement_test.go +
internal/service/issuer_adapter_test.go +
cmd/server/preflight_test.go
* Mock + fake IssuerConnector implementations gain the new mustStaple
bool param. mockIssuerConnector + capturingIssuerConnector also gain
a LastMustStaple / lastMustStaple field used by the new integration
tests to assert the wire reached the connector.
* Existing test call sites for adapter.IssueCertificate /
adapter.RenewCertificate gain a trailing 'false' arg (mechanical bulk
edit, no behavior change).
Verification:
* gofmt + go vet + staticcheck clean for all touched paths.
* go test -short -count=1 green across cmd/agent / cmd/cli /
cmd/mcp-server / cmd/server / api/handler / api/middleware /
api/router / service / scheduler / pkcs7 / connector/issuer/local /
every connector subpackage / domain / crypto / mcp / repository.
* The new TestSCEPService_PKCSReq_PlumbsMustStapleToIssuer test passes,
proving the wire works end-to-end.
The follow-up rule from cowork/CLAUDE.md::Operating Rules — 'can an
operator flip the configurable bit and observe the behavior change
end-to-end with no further code changes?' — is now YES for must-staple
on the SCEP + EST + agent + renewal paths.
This commit is contained in:
certctl-copilot
@@ -213,7 +213,7 @@ func TestIssuerConnectorAdapter_IssueCertificate_MaxTTLForwarded(t *testing.T) {
|
||||
mock := &mockConnectorLayerIssuer{}
|
||||
adapter := NewIssuerConnectorAdapter(mock)
|
||||
|
||||
_, err := adapter.IssueCertificate(context.Background(), "test.example.com", nil, "csr", nil, 7200)
|
||||
_, err := adapter.IssueCertificate(context.Background(), "test.example.com", nil, "csr", nil, 7200, false)
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
@@ -230,7 +230,7 @@ func TestIssuerConnectorAdapter_RenewCertificate_MaxTTLForwarded(t *testing.T) {
|
||||
mock := &mockConnectorLayerIssuer{}
|
||||
adapter := NewIssuerConnectorAdapter(mock)
|
||||
|
||||
_, err := adapter.RenewCertificate(context.Background(), "renew.example.com", nil, "csr", nil, 14400)
|
||||
_, err := adapter.RenewCertificate(context.Background(), "renew.example.com", nil, "csr", nil, 14400, false)
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
@@ -247,7 +247,7 @@ func TestIssuerConnectorAdapter_IssueCertificate_ZeroMaxTTL(t *testing.T) {
|
||||
mock := &mockConnectorLayerIssuer{}
|
||||
adapter := NewIssuerConnectorAdapter(mock)
|
||||
|
||||
_, err := adapter.IssueCertificate(context.Background(), "test.example.com", nil, "csr", nil, 0)
|
||||
_, err := adapter.IssueCertificate(context.Background(), "test.example.com", nil, "csr", nil, 0, false)
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
@@ -366,11 +366,16 @@ func TestSCEPService_NoProfileRepo_PassesThrough(t *testing.T) {
|
||||
type capturingIssuerConnector struct {
|
||||
lastMaxTTLSeconds int
|
||||
lastEKUs []string
|
||||
// SCEP RFC 8894 + Intune master bundle Phase 5.6 follow-up: capture
|
||||
// must-staple too so the integration test can prove the wire reaches
|
||||
// the connector for both PKCSReq and renewal paths.
|
||||
lastMustStaple bool
|
||||
}
|
||||
|
||||
func (c *capturingIssuerConnector) IssueCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int) (*IssuanceResult, error) {
|
||||
func (c *capturingIssuerConnector) IssueCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int, mustStaple bool) (*IssuanceResult, error) {
|
||||
c.lastMaxTTLSeconds = maxTTLSeconds
|
||||
c.lastEKUs = ekus
|
||||
c.lastMustStaple = mustStaple
|
||||
now := time.Now()
|
||||
return &IssuanceResult{
|
||||
Serial: "test-serial",
|
||||
@@ -381,8 +386,8 @@ func (c *capturingIssuerConnector) IssueCertificate(ctx context.Context, commonN
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (c *capturingIssuerConnector) RenewCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int) (*IssuanceResult, error) {
|
||||
return c.IssueCertificate(ctx, commonName, sans, csrPEM, ekus, maxTTLSeconds)
|
||||
func (c *capturingIssuerConnector) RenewCertificate(ctx context.Context, commonName string, sans []string, csrPEM string, ekus []string, maxTTLSeconds int, mustStaple bool) (*IssuanceResult, error) {
|
||||
return c.IssueCertificate(ctx, commonName, sans, csrPEM, ekus, maxTTLSeconds, mustStaple)
|
||||
}
|
||||
|
||||
func (c *capturingIssuerConnector) RevokeCertificate(ctx context.Context, serial string, reason string) error {
|
||||
|
||||
Reference in New Issue
Block a user