fix(scep-intune): close 11 audit gaps from 2026-04-29 pre-tag review

Closes the eleven gaps identified in the pre-v2.1.0 audit of the SCEP RFC 8894 + Intune master bundle (cowork/scep-bundle-gap-closure-prompt.md). Constitutional rule from cowork/CLAUDE.md::Operating Rules — 'Always take the complete path, not the easy path' — drove this closure: each gap was a load-bearing wire that crossed multiple layers (config → validator → service wire-up → tests → docs) and shipping the bundle without them would have produced lying-field footguns where operator- visible config options stored values without affecting behavior. WHAT LANDS: Phase A — Clock-skew tolerance (master prompt §15 hazard closure) internal/scep/intune/challenge.go: ValidateChallenge migrated from positional args to ValidateOptions{} struct; new ClockSkewTolerance field with default 0 (strict). 24 call sites updated mechanically. Asymmetric application: now+tolerance >= iat AND now-tolerance < exp. internal/config/config.go: SCEPIntuneProfileConfig.ClockSkewTolerance default 60s + Validate() refusal when >= ChallengeValidity. cmd/server/main.go: SetIntuneIntegration signature extended; per-profile env-var loader honors CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_CLOCK_SKEW_TOLERANCE. internal/service/scep.go: intuneClockSkew field + IntuneStatsSnapshot surfaces clock_skew_tolerance_ns. web/src/api/types.ts mirrors. 4 new tests in challenge_test.go covering accept-within-tolerance, reject-beyond-tolerance, accept-expired-within-tolerance, negative-treated-as-zero defensive normalization. docs/scep-intune.md updated with the new env var + time-bounds rule. Phase B — unknown-version-rejected golden test internal/scep/intune/golden_helper_test.go: goldenUnknownVersionPayload helper + signGoldenChallengeAny generic signer. challenge_golden_test.go: TestGoldenChallenge_UnknownVersionRejected uses an in-process ECDSA fixture (the on-disk PEM was generated with a Go-stdlib version that produces different ecdsa.GenerateKey bytes from the current call). TestRegenerateGoldenFixtures emits the new unknown_version fixture file too. Phase C — Two named Intune e2e tests internal/api/handler/scep_intune_e2e_test.go: TestSCEPIntuneEnrollment_RateLimited_E2E (cap=2 + 3 attempts; 3rd returns FAILURE+badRequest with rate_limited counter ticked) TestSCEPIntuneEnrollment_TrustAnchorSIGHUPReload_E2E (rotate on-disk PEM + holder.Reload(); old-key challenge fails with badMessageCheck; signature_invalid counter ticked) intuneE2EFixture struct extended with trustHolder + trustPath fields so tests can rotate. Phase D — Four new ChromeOS hermetic tests (10 total now) internal/api/handler/scep_chromeos_test.go: _RAKeyMismatch — PKIMessage encrypted to wrong RA cert; handler rejects without reaching service. _3DESBackwardCompat — RFC 8894 §3.5.2 legacy fallback verified. _RSACSR + _ECDSACSR — explicit matrix-pair pinning. buildTestECDSACSR helper for ECDSA P-256 CSR construction; tripleDESCBCEncrypt mirrors aesCBCEncrypt for 3DES-CBC; assertChromeOSPositiveCertRep shared assertion. Phase E — Per-profile counter isolation test internal/api/handler/scep_profile_counter_isolation_test.go: TestSCEPHandler_PerProfileIntuneCountersIsolated wires two SCEPService instances + drives distinct PKIMessages + asserts counter isolation. Guards against a future cmd/server/main.go refactor that shares a *intuneCounterTab across profiles. buildPerProfileIntuneFixture parameterized helper. Phase F — Server-boot regression tests cmd/server/preflight_scep_intune_test.go: 3 named tests covering disabled-backward-compat, broken-config-with-PathID, expired-cert refusal. preflightSCEPIntuneTrustAnchor signature extended with pathID arg so error messages carry PathID= for operator log-grep. Phase G — docs/connectors.md Four new subsections under §EST/SCEP Integration: multi-profile dispatch + mTLS sibling route + Intune Connector dispatcher + SCEP probe in network scanner. Each has a one-paragraph operator explanation + an env-var or endpoint table. Phase H — Coverage uplift internal/service/scep_probe_persist_test.go: 5 unit tests on persistProbeResult (nil-safe + nil-repo-safe + repo-error swallow + nil-logger guard) + ListRecentSCEPProbes (empty-slice-not-nil + repo pass-through) + describeCertAlgorithm (RSA/ECDSA/QF1008-nil-curve defensive branch/Ed25519/DSA/empty). CI gates (service ≥70, handler ≥75) PASS at 70.9% / 79.3%. Phase I — deploy/test integration variant deploy/test/scep_intune_e2e_test.go (//go:build integration): TestSCEPIntuneEnrollment_Integration + _RateLimited_Integration against the live docker-compose certctl container. Skip-when- stack-missing semantics so sandbox + CI both work. deploy/docker-compose.test.yml: new e2eintune SCEP profile env vars + bind-mount of deploy/test/fixtures/. deploy/test/fixtures/README.md: documents the deterministic trust anchor regeneration recipe. VERIFICATION (sandbox): gofmt -d — clean for all changed files staticcheck — clean for intune + handler + config + service + cmd/server packages go vet — clean for the same packages go test -short — green for intune (95.3% cov), service (70.9%), handler (79.3%), config (94.0%), cmd/server (boot path; my preflight tests cover the directly- testable function), pkcs7 (80.5% informational) DEFERRED (per closure prompt §7 out-of-scope): - V3-Pro Conditional Access gating + Microsoft Graph integration - Standalone certctl-scan CLI binary - OCSP rate-limiting, OCSP stapling, delta CRLs Spec preserved at cowork/scep-bundle-gap-closure-prompt.md; journal at cowork/scep-rfc8894-intune/progress.md (audit-closure section appended).
2026-06-14 23:08:51 +00:00 · 2026-04-29 20:28:53 +00:00
parent 84fac19f98
commit 530593507b
20 changed files with 2143 additions and 74 deletions
@@ -6,6 +6,7 @@ import (
 	"flag"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 )

@@ -96,7 +97,22 @@ func TestRegenerateGoldenFixtures(t *testing.T) {
 		t.Fatalf("write tampered fixture: %v", err)
 	}

-	t.Logf("regenerated 4 fixture files in %s", testdataDir(t))
+	// Unknown-version fixture — same signing key + valid signature, but
+	// the payload carries a `version: "v999"` claim that the dispatcher
+	// does NOT have an unmarshaler for. ValidateChallenge MUST surface
+	// ErrChallengeUnknownVersion; the unknown-version fixture pins the
+	// dispatcher's defense against the inevitable Microsoft format
+	// change (master prompt §13 line 1848).
+	unknownVersionRaw := signGoldenChallengeAny(t, key, goldenUnknownVersionPayload())
+	if err := os.WriteFile(
+		filepath.Join(testdataDir(t), "intune_challenge_golden_unknown_version.txt"),
+		[]byte(unknownVersionRaw+"\n"),
+		0o600,
+	); err != nil {
+		t.Fatalf("write unknown-version fixture: %v", err)
+	}
+
+	t.Logf("regenerated 5 fixture files in %s", testdataDir(t))
 }

 // TestGoldenChallenge_Success — the documented happy-path: the success
@@ -107,7 +123,7 @@ func TestGoldenChallenge_Success(t *testing.T) {
 	trust := loadGoldenTrustAnchor(t)
 	raw := readGoldenFixture(t, "intune_challenge_golden_success.txt")

-	claim, err := ValidateChallenge(raw, trust, "https://certctl.example.com/scep/test", goldenChallengeNow)
+	claim, err := ValidateChallenge(raw, ValidateOptions{Trust: trust, ExpectedAudience: "https://certctl.example.com/scep/test", Now: goldenChallengeNow})
 	if err != nil {
 		t.Fatalf("ValidateChallenge success fixture: %v", err)
 	}
@@ -130,7 +146,7 @@ func TestGoldenChallenge_Expired(t *testing.T) {
 	trust := loadGoldenTrustAnchor(t)
 	raw := readGoldenFixture(t, "intune_challenge_golden_expired.txt")

-	_, err := ValidateChallenge(raw, trust, "", goldenChallengeNow)
+	_, err := ValidateChallenge(raw, ValidateOptions{Trust: trust, Now: goldenChallengeNow})
 	if !errors.Is(err, ErrChallengeExpired) {
 		t.Fatalf("got %v, want errors.Is(ErrChallengeExpired)", err)
 	}
@@ -143,7 +159,7 @@ func TestGoldenChallenge_TamperedSig(t *testing.T) {
 	trust := loadGoldenTrustAnchor(t)
 	raw := readGoldenFixture(t, "intune_challenge_golden_tampered_sig.txt")

-	_, err := ValidateChallenge(raw, trust, "https://certctl.example.com/scep/test", goldenChallengeNow)
+	_, err := ValidateChallenge(raw, ValidateOptions{Trust: trust, ExpectedAudience: "https://certctl.example.com/scep/test", Now: goldenChallengeNow})
 	if !errors.Is(err, ErrChallengeSignature) {
 		t.Fatalf("got %v, want errors.Is(ErrChallengeSignature)", err)
 	}
@@ -159,7 +175,7 @@ func TestGoldenChallenge_WrongAudienceReuse(t *testing.T) {
 	trust := loadGoldenTrustAnchor(t)
 	raw := readGoldenFixture(t, "intune_challenge_golden_success.txt")

-	_, err := ValidateChallenge(raw, trust, "https://attacker.example.com/scep/wrong", goldenChallengeNow)
+	_, err := ValidateChallenge(raw, ValidateOptions{Trust: trust, ExpectedAudience: "https://attacker.example.com/scep/wrong", Now: goldenChallengeNow})
 	if !errors.Is(err, ErrChallengeWrongAudience) {
 		t.Fatalf("got %v, want errors.Is(ErrChallengeWrongAudience)", err)
 	}
@@ -176,8 +192,56 @@ func TestGoldenChallenge_RotatedTrustAnchorRejects(t *testing.T) {
 	rotated := genTestECDSAConnector(t)
 	raw := readGoldenFixture(t, "intune_challenge_golden_success.txt")

-	_, err := ValidateChallenge(raw, []*x509.Certificate{rotated.cert}, "", goldenChallengeNow)
+	_, err := ValidateChallenge(raw, ValidateOptions{Trust: []*x509.Certificate{rotated.cert}, Now: goldenChallengeNow})
 	if !errors.Is(err, ErrChallengeSignature) {
 		t.Fatalf("got %v, want errors.Is(ErrChallengeSignature) when validated against a rotated trust anchor", err)
 	}
 }
+
+// TestGoldenChallenge_UnknownVersionRejected — master prompt §13 line
+// 1848 named acceptance criterion. A challenge whose payload carries a
+// `version: "v999"` claim (a value the dispatcher's
+// versionUnmarshalers map deliberately does NOT contain) MUST surface
+// ErrChallengeUnknownVersion regardless of whether the signature is
+// otherwise valid. This is the dispatcher's defense against the
+// inevitable Microsoft Connector format change — the day Microsoft
+// ships v2 and certctl's parser doesn't yet have a v2 unmarshaler, every
+// Intune enrollment lands here with a clear typed error rather than
+// crashing the SCEP handler with a confusing unmarshal panic.
+//
+// Why this test uses a fresh trust anchor instead of the on-disk
+// golden PEM: the on-disk PEM was generated with a Go-stdlib version
+// that produces different ECDSA key bytes from the current
+// generateGoldenTrustAnchor() call (the deterministic-PRNG +
+// ecdsa.GenerateKey pair has shifted across Go releases — the on-disk
+// public key bytes don't match what the current Go runtime regenerates
+// from the same seed). Rather than bake a stale trust anchor into the
+// regression, we generate a fresh ECDSA Connector keypair in-process
+// + use BOTH for signing AND for the validator's trust pool. The
+// regen target still emits a fixture file under testdata/ for the
+// operator-readable artifact; the test itself stays decoupled from
+// the on-disk PEM's drift.
+func TestGoldenChallenge_UnknownVersionRejected(t *testing.T) {
+	conn := genTestECDSAConnector(t)
+	raw := signTestChallengeES256_FixedWidth(t, conn, struct {
+		Version string `json:"version"`
+		challengePayloadV1
+	}{
+		Version:            "v999",
+		challengePayloadV1: goldenChallengePayload(),
+	})
+
+	_, err := ValidateChallenge(raw, ValidateOptions{
+		Trust: []*x509.Certificate{conn.cert},
+		Now:   goldenChallengeNow,
+	})
+	if !errors.Is(err, ErrChallengeUnknownVersion) {
+		t.Fatalf("got %v, want errors.Is(ErrChallengeUnknownVersion) for version=v999 claim", err)
+	}
+	// The error message MUST surface the specific version string so the
+	// operator's audit log narrows the diagnosis to "Microsoft shipped
+	// vN" rather than "something is wrong with the challenge."
+	if !strings.Contains(err.Error(), "v999") {
+		t.Errorf("error should contain the unknown version literal for operator audit log: %v", err)
+	}
+}