gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 13:51:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(est): per-profile dispatch — multi-profile env-var family + back-compat shim

Browse Source 
EST RFC 7030 hardening master bundle Phases 0 + 1 of 13. Lays the
foundation for the remaining hardening phases (mTLS auth, HTTP Basic
auth, channel binding, server-keygen, admin observability, GUI, libest
e2e) without changing existing operator behavior — backward-compat
shim preserves the v2.0.66 single-issuer flat env-var setup.

WHAT LANDS:

Phase 0 — Frozen decisions
  9 frozen decisions documented in
  cowork/est-rfc7030-hardening-prompt.md::Phase 0 frozen decisions
  (auth modes mTLS+Basic at GA; RFC 9266 channel binding; multi-profile
  env-var family CERTCTL_EST_PROFILES; mTLS sibling URL
  /.well-known/est-mtls/<pathID>; serverkeygen ships V2; fullcmc
  deferred; renewal device-driven per RFC 7030 §4.2.2; csrattrs
  algorithm allow-list profile-derived; libest as e2e reference).

Phase 1 — Multi-profile config + per-profile dispatch
  internal/config/config.go: extended ESTConfig with Profiles slice;
  added ESTProfileConfig struct with all field contracts (PathID +
  IssuerID + ProfileID + EnrollmentPassword + MTLSEnabled +
  MTLSClientCATrustBundlePath + ChannelBindingRequired +
  AllowedAuthModes + RateLimitPerPrincipal24h + ServerKeygenEnabled).
  Forward-looking fields (mTLS, HTTP Basic, channel binding,
  rate limit, server-keygen) are dormant in Phase 1 — Phase 2-5 wire
  the corresponding handlers; Validate() gates ensure operators can't
  set incoherent combinations (MTLSEnabled=true without bundle path,
  basic auth without password, mtls auth mode without MTLSEnabled,
  ChannelBindingRequired without mTLS, ServerKeygenEnabled without
  ProfileID).

  loadESTProfilesFromEnv: mirrors loadSCEPProfilesFromEnv exactly.
  Reads CERTCTL_EST_PROFILES=corp,iot,wifi and per-profile env vars
  CERTCTL_EST_PROFILE_<NAME>_*. Lowercase PathID, uppercase env-var
  name. parseAuthModes handles comma-separated normalization.

  mergeESTLegacyIntoProfiles: back-compat shim. When CERTCTL_EST_PROFILES
  is unset AND CERTCTL_EST_ENABLED=true, synthesizes a single-element
  Profiles[0] with PathID="" so existing /.well-known/est/
  operators see no behavior change.

  validESTPathID + validESTAuthMode: shape validators. PathID matches
  [a-z0-9-]+ with no leading/trailing hyphen (mirrors validSCEPPathID
  exactly). Auth mode is one of {mtls, basic}.

  Per-profile Validate(): refuses every documented misconfiguration
  with operator-greppable error messages naming the offending profile
  index + PathID + field. Mirrors the SCEP audit-closure pattern.

internal/api/router/router.go: refactored RegisterESTHandlers from
  single-handler to map[string]ESTHandler. Empty PathID maps to legacy
  /.well-known/est/ root (literal-string r.Register calls preserve
  openapi-parity scanner behavior). Non-empty PathIDs dynamic-register
  /.well-known/est/<pathID>/{cacerts,simpleenroll,simplereenroll,csrattrs}.
  Mirrors the SCEP per-profile dispatch from commit fdd424b.

cmd/server/main.go: refactored EST startup block to iterate
  cfg.EST.Profiles. Per-profile preflight (issuer-in-registry,
  preflightEnrollmentIssuer L-005 gate) runs in the loop with
  per-profile structured logging including PathID. Failures log the
  offending PathID so multi-profile deploys can pinpoint which broke
  startup. Mirrors the SCEP per-profile loop from commit fdd424b.

Updated 3 callers of the old single-handler signature:
  - internal/api/router/router_test.go::TestRegisterESTHandlers_AllPaths
  - internal/integration/lifecycle_test.go::setupTestServer
  - internal/integration/negative_test.go::setupTestServer
  Each wraps the existing single ESTHandler in a single-element
  map[string]handler.ESTHandler{"": estHandler} preserving exact
  legacy behavior.

NEW TESTS:

internal/config/config_est_profiles_test.go (12 tests):
  - LegacyFlatFields_SynthesizeSingleProfile (back-compat shim)
  - DisabledNoLegacyShim
  - MultipleProfiles_LoadFromEnv (3 profiles: corp+mtls+basic+keygen,
    iot+basic, wifi+mtls; verifies every field round-trips)
  - StructuredFormBeatsLegacy
  - PathIDValidation (12 sub-cases: empty/valid/leading-hyphen/
    trailing-hyphen/uppercase/slash/dot/underscore/space/percent)
  - DuplicatePathID_Refuses
  - MissingPerProfileIssuerID
  - MTLSEnabledRequiresBundlePath
  - ChannelBindingWithoutMTLS_Refuses (cross-check)
  - BasicAuthInModesRequiresPassword (cross-check)
  - MTLSAuthModeRequiresMTLSEnabled (cross-check)
  - UnknownAuthModeRefused
  - NegativeRateLimitRefused
  - ServerKeygenRequiresProfileID
  - DisabledIgnoresProfiles
  - ParseAuthModes_Normalization (8 sub-cases)

internal/api/router/router_est_profiles_test.go (4 tests):
  - LegacyEmptyPathIDMapsToRoot
  - NonEmptyPathIDMapsToSubpath
  - MultipleProfilesNoCrossBleed (the load-bearing dispatch invariant —
    each profile's PathID routes to its OWN handler instance,
    proven via per-profile-tagged mock responses with base64 prefix
    matching)
  - EmptyMapRegistersNoRoutes

VERIFICATION (sandbox, Go 1.25.9):
  gofmt -l                — clean for all changed files
  staticcheck             — clean for config + router + handler +
                            integration + cmd/server packages
  go vet                  — clean for the same packages
  go test -short -count=1 — green for config, router, handler,
                            service, integration, cmd/server

NEXT (Phase 2): mTLS client cert auth + TrustAnchorHolder + RFC 9266
tls-exporter channel binding. Phase 1's Validate gates already refuse
the incoherent configurations Phase 2 must defend against; Phase 2
adds the actual TLS-listener wiring + handler-side cert validation +
channel-binding extraction.

Spec preserved at cowork/est-rfc7030-hardening-prompt.md.
This commit is contained in:
shankar0123
2026-04-29 22:17:52 +00:00
parent 530593507b
commit a808948397
8 changed files with 1270 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/config/config.go
+393 -4
View File
@@ -646,6 +646,15 @@ type OpenSSLConfig struct {
}
// ESTConfig controls the RFC 7030 Enrollment over Secure Transport server.
// EST RFC 7030 hardening master bundle Phase 1: this type was originally a
// flat single-issuer struct. Real enterprise deployments need to expose
// multiple EST endpoints from one certctl instance — corp-laptop CA, IoT
// CA, WiFi/802.1X CA — each with its own issuer + auth modes + URL path
// (/.well-known/est/<pathID>/). The Profiles slice carries that. Existing
// operators see no behavior change: when Profiles is empty AND the legacy
// single-issuer flat fields below are set, ConfigLoad synthesizes a
// single-element Profiles[0] with PathID="" (which maps to the legacy
// /.well-known/est/ root path).
type ESTConfig struct {
// Enabled controls whether EST endpoints are available for device enrollment.
// Default: false (EST disabled). Set to true to enable RFC 7030 endpoints
@@ -653,14 +662,151 @@ type ESTConfig struct {
Enabled bool
// IssuerID selects which issuer connector processes EST certificate requests.
// Valid values: "iss-local" (default), "iss-acme", "iss-stepca", "iss-openssl".
// Default: "iss-local". Must reference a configured issuer.
// Default: "iss-local". Legacy single-issuer field; merged into Profiles[0]
// by mergeESTLegacyIntoProfiles when Profiles is empty.
IssuerID string
// ProfileID optionally constrains EST enrollments to a specific certificate profile.
// When set, all EST enrollments must match the profile's crypto constraints.
// Leave empty to allow EST to use any configured issuer's defaults.
// Legacy single-issuer field; merged into Profiles[0] when applicable.
ProfileID string
// Profiles is the multi-endpoint configuration. Each profile gets its own
// URL path (/.well-known/est/<PathID>/), its own bound issuer, its own auth
// modes, and its own per-profile policy knobs (rate limit, server-keygen
// gate, mTLS bundle, RFC 9266 channel-binding requirement). Population
// sources, in priority order:
//
// 1. Explicit list via CERTCTL_EST_PROFILES (e.g. "corp,iot,wifi").
// 2. Backward-compat shim: when CERTCTL_EST_PROFILES is unset AND the
// legacy flat fields above are populated AND Enabled=true, ConfigLoad
// synthesizes a single-element Profiles[0] with PathID="" so
// /.well-known/est/ continues to route the same way it did
// pre-Phase-1.
//
// EST RFC 7030 hardening master bundle Phase 1.
Profiles []ESTProfileConfig
}
// ESTProfileConfig is one EST endpoint's configuration. Each profile is
// bound to one issuer + one optional certctl CertificateProfile + one set
// of per-profile auth modes (mTLS / HTTP Basic / both). Future phases of
// the hardening bundle wire the additional per-profile fields:
//
// - Phase 2 reads MTLSEnabled + MTLSClientCATrustBundlePath +
// ChannelBindingRequired to enable the /.well-known/est-mtls/<PathID>
// sibling route (mirrors SCEP's /scep-mtls/<PathID> from commit e7a3075).
// - Phase 3 reads EnrollmentPassword + AllowedAuthModes to enforce HTTP
// Basic auth on the standard /.well-known/est/<PathID>/ route.
// - Phase 4 reads RateLimitPerPrincipal24h to apply per-CN+source-IP
// sliding-window rate limiting (mirrors SCEP/Intune's
// PerDeviceRateLimiter from internal/scep/intune/rate_limit.go).
// - Phase 5 reads ServerKeygenEnabled to gate the new /serverkeygen
// endpoint per RFC 7030 §4.4.
//
// Phase 1 (this commit) lays the FIELD CONTRACTS + per-profile Validate()
// gates so an operator who flips MTLSEnabled=true without supplying the
// bundle path gets a loud refuse-to-start error rather than a silent
// no-op. The actual auth/limit/keygen handlers ship in Phases 2-5.
//
// EST RFC 7030 hardening master bundle Phase 1.
type ESTProfileConfig struct {
// PathID is the URL segment after /.well-known/est/. Empty string maps
// to the legacy /.well-known/est/ root for backward compatibility (so
// existing operators with the flat single-issuer config see no URL
// change). Non-empty values MUST be a single path-safe slug
// ([a-z0-9-], no slashes); validated at startup by Config.Validate().
// Multi-profile deployments typically use short tokens like "corp",
// "iot", "wifi" — the URL becomes /.well-known/est/corp/cacerts,
// /.well-known/est/iot/simpleenroll, etc.
PathID string
// IssuerID selects which issuer connector this profile's enrollments
// go through. Must reference a configured issuer. Required (Validate
// refuses empty IssuerID).
IssuerID string
// ProfileID optionally constrains enrollments under this PathID to a
// specific CertificateProfile. Leave empty to allow the issuer's
// defaults. When non-empty, profile crypto policy (allowed key
// algorithms, required EKUs, max TTL) is enforced at enrollment time
// via service.ValidateCSRAgainstProfile.
ProfileID string
// EnrollmentPassword is the per-profile shared secret for HTTP Basic
// auth on the standard /.well-known/est/<PathID>/ route (Phase 3).
// Empty value means HTTP Basic auth is NOT required for this profile
// (mTLS-only or anonymous, depending on AllowedAuthModes). Stored only
// in process memory; never logged. Constant-time comparison via
// crypto/subtle.ConstantTimeCompare in the handler.
EnrollmentPassword string
// MTLSEnabled gates the sibling /.well-known/est-mtls/<PathID>/ route
// (Phase 2). When true, the route requires a client cert that chains
// to one of the certs in MTLSClientCATrustBundlePath. The standard
// /.well-known/est/<PathID>/ route remains application-layer-auth
// (HTTP Basic password) so existing clients keep working — mTLS is
// additive, not replacement.
//
// Mirrors SCEP's MTLSEnabled (commit e7a3075). Same defense-in-depth
// rationale: enterprise procurement teams routinely reject 'shared
// password authentication' as a checkbox-fail regardless of how
// strong the password is. This flag wires up a sibling route that
// adds client-cert auth at the handler layer.
MTLSEnabled bool
// MTLSClientCATrustBundlePath is the PEM bundle of CA certs that sign
// the client (device-bootstrap) certs the operator allows to enroll
// via the mTLS sibling route. Required when MTLSEnabled is true.
// Validated at startup by cmd/server/main.go's
// preflightESTMTLSClientCATrustBundle (Phase 2): file exists, parses
// as PEM, contains ≥1 cert, none expired.
MTLSClientCATrustBundlePath string
// ChannelBindingRequired forces the EST mTLS handler (Phase 2) to
// require RFC 9266 tls-exporter channel binding in the CSR's CMC
// id-aa-channelBindings attribute. When true, CSRs without the
// binding are refused with ErrChannelBindingMissing; mismatched
// bindings refused with ErrChannelBindingMismatch. Defaults true for
// new-cert-issuance flows (Phase 2 default), false for re-enrollment
// where the previous-cert presentation is the trust signal. Operators
// running clients that don't support RFC 9266 (older libest, etc.)
// can opt out per-profile.
//
// EST RFC 7030 hardening master bundle Phase 0 frozen decision 0.2.
ChannelBindingRequired bool
// AllowedAuthModes enumerates which application-layer auth modes
// this profile accepts. Valid entries: "mtls", "basic". Empty slice
// means no auth required (the unauthenticated default that EST
// shipped with at v2.0.66; preserved for backward compat — Validate
// emits a warning log for empty slices to nudge operators toward
// explicit opt-in). Phase 2 + 3 read this to enforce per-mode
// requirements; Phase 1 just validates shape.
//
// EST RFC 7030 hardening master bundle Phase 0 frozen decision 0.1.
AllowedAuthModes []string
// RateLimitPerPrincipal24h caps enrollments per (CSR.Subject.CN,
// sourceIP) pair in any rolling 24-hour window. Default 0 (Phase 1
// preserves the unauthenticated/unlimited default to avoid changing
// production behavior); Phase 4 will wire this against the extracted
// internal/ratelimit/SlidingWindowLimiter. Negative values are
// rejected at Validate time as a config typo.
//
// EST RFC 7030 hardening master bundle Phase 1 + Phase 4.
RateLimitPerPrincipal24h int
// ServerKeygenEnabled gates the /.well-known/est/<PathID>/serverkeygen
// endpoint (RFC 7030 §4.4) for this profile. When true, the server
// generates the keypair on behalf of the client and returns both
// cert + private key (the latter wrapped in CMS EnvelopedData).
// Default false. Phase 5 wires the handler; Phase 1 lays the gate
// + the Validate refusal for ServerKeygenEnabled=true without a
// CertificateProfile that pins AllowedKeyAlgorithms (the server
// must know what algorithm to generate).
//
// EST RFC 7030 hardening master bundle Phase 5.
ServerKeygenEnabled bool
}
// SCEPConfig controls the RFC 8894 Simple Certificate Enrollment Protocol server.
@@ -1314,6 +1460,12 @@ func Load() (*Config, error) {
Enabled: getEnvBool("CERTCTL_EST_ENABLED", false),
IssuerID: getEnv("CERTCTL_EST_ISSUER_ID", "iss-local"),
ProfileID: getEnv("CERTCTL_EST_PROFILE_ID", ""),
// EST RFC 7030 hardening Phase 1: multi-profile dispatch. When
// CERTCTL_EST_PROFILES is set (e.g. "corp,iot,wifi"), each name
// expands to per-profile env vars CERTCTL_EST_PROFILE_<NAME>_*.
// When unset, the legacy single-issuer flat fields above are
// merged into Profiles[0] by mergeESTLegacyIntoProfiles below.
Profiles: loadESTProfilesFromEnv(),
},
SCEP: SCEPConfig{
Enabled: getEnvBool("CERTCTL_SCEP_ENABLED", false),
@@ -1474,6 +1626,14 @@ func Load() (*Config, error) {
// struct.
mergeSCEPLegacyIntoProfiles(&cfg.SCEP)
// EST RFC 7030 hardening Phase 1: same back-compat shim, EST flavor.
// When CERTCTL_EST_PROFILES is unset AND the legacy flat single-issuer
// fields are populated AND Enabled=true, synthesise a single-element
// Profiles[0] with PathID="" so /.well-known/est/ continues to dispatch
// the same way it did pre-Phase-1. Done AFTER the field-by-field load
// so it can read from the populated cfg.EST struct.
mergeESTLegacyIntoProfiles(&cfg.EST)
if err := cfg.Validate(); err != nil {
return nil, err
}
@@ -1585,6 +1745,149 @@ func validSCEPPathID(s string) bool {
return true
}
// loadESTProfilesFromEnv reads the indexed CERTCTL_EST_PROFILES env var
// (e.g. "corp,iot,wifi") and expands each name into an ESTProfileConfig
// populated from CERTCTL_EST_PROFILE_<NAME>_*. Returns nil when the
// CERTCTL_EST_PROFILES env var is unset or empty — in that case the
// legacy-shim path (mergeESTLegacyIntoProfiles, called from Load after
// the initial config build) populates Profiles[0] from the flat fields
// if needed.
//
// PathID for each profile is the lowercased trimmed name from the
// CERTCTL_EST_PROFILES list (e.g. "Corp" -> "corp"). Validation that
// the PathID is path-safe ([a-z0-9-]+) lives in Config.Validate() so
// the loader can stay free of error returns.
//
// Mirrors loadSCEPProfilesFromEnv exactly. EST RFC 7030 hardening Phase 1.
func loadESTProfilesFromEnv() []ESTProfileConfig {
raw := strings.TrimSpace(os.Getenv("CERTCTL_EST_PROFILES"))
if raw == "" {
return nil
}
names := strings.Split(raw, ",")
out := make([]ESTProfileConfig, 0, len(names))
for _, n := range names {
n = strings.TrimSpace(n)
if n == "" {
continue
}
// The env-var key is the upper-cased name (CERTCTL_EST_PROFILE_CORP_*),
// but the URL path segment is the lower-cased name to match the
// path-safe slug constraint enforced in Validate.
envName := strings.ToUpper(n)
pathID := strings.ToLower(n)
out = append(out, ESTProfileConfig{
PathID: pathID,
IssuerID: getEnv("CERTCTL_EST_PROFILE_"+envName+"_ISSUER_ID", ""),
ProfileID: getEnv("CERTCTL_EST_PROFILE_"+envName+"_PROFILE_ID", ""),
EnrollmentPassword: getEnv("CERTCTL_EST_PROFILE_"+envName+"_ENROLLMENT_PASSWORD", ""),
MTLSEnabled: getEnvBool("CERTCTL_EST_PROFILE_"+envName+"_MTLS_ENABLED", false),
MTLSClientCATrustBundlePath: getEnv("CERTCTL_EST_PROFILE_"+envName+"_MTLS_CLIENT_CA_TRUST_BUNDLE_PATH", ""),
ChannelBindingRequired: getEnvBool("CERTCTL_EST_PROFILE_"+envName+"_CHANNEL_BINDING_REQUIRED", false),
AllowedAuthModes: parseAuthModes(getEnv("CERTCTL_EST_PROFILE_"+envName+"_ALLOWED_AUTH_MODES", "")),
RateLimitPerPrincipal24h: getEnvInt("CERTCTL_EST_PROFILE_"+envName+"_RATE_LIMIT_PER_PRINCIPAL_24H", 0),
ServerKeygenEnabled: getEnvBool("CERTCTL_EST_PROFILE_"+envName+"_SERVERKEYGEN_ENABLED", false),
})
}
return out
}
// parseAuthModes splits a comma-separated env value into a normalized
// []string of auth-mode tokens. Empty input returns nil (the
// "unauthenticated default" Phase 1 preserves for back-compat). Tokens
// are lowercased + trimmed; unknown tokens are kept as-is so Validate
// can refuse them with a typed error message naming the offending token.
func parseAuthModes(s string) []string {
s = strings.TrimSpace(s)
if s == "" {
return nil
}
parts := strings.Split(s, ",")
out := make([]string, 0, len(parts))
for _, p := range parts {
p = strings.ToLower(strings.TrimSpace(p))
if p == "" {
continue
}
out = append(out, p)
}
return out
}
// mergeESTLegacyIntoProfiles is the EST backward-compat shim. When
// Profiles is empty AND the legacy single-issuer fields are populated
// (Enabled=true is the trigger; IssuerID has a non-empty default so it
// can't be the trigger by itself), synthesise a single-element
// Profiles[0] with PathID="" so /.well-known/est/ dispatches identically
// to the pre-Phase-1 deploy. No-op when Profiles is non-empty (the
// operator explicitly opted into the structured form via
// CERTCTL_EST_PROFILES) or when EST is disabled.
//
// EST's legacy single-issuer config has fewer "trigger" fields than
// SCEP's (no per-profile RA pair, no per-profile challenge password —
// both of those land in Phases 2/3 of the hardening bundle). The shim
// triggers whenever EST is enabled, since the operator clearly intends
// to serve EST. This makes the back-compat behavior identical to v2.0.66
// (single /.well-known/est/ root with the operator's chosen issuer).
//
// EST RFC 7030 hardening Phase 1.
func mergeESTLegacyIntoProfiles(c *ESTConfig) {
if c == nil || !c.Enabled || len(c.Profiles) > 0 {
return
}
c.Profiles = []ESTProfileConfig{{
PathID: "", // empty pathID maps to the legacy /.well-known/est/ root
IssuerID: c.IssuerID,
ProfileID: c.ProfileID,
// No legacy fields exist for EnrollmentPassword, MTLS*, etc. —
// those land in Phases 2/3. Operators upgrading from v2.0.66 get
// the same unauthenticated behavior they had before; opting into
// auth requires moving to the structured CERTCTL_EST_PROFILES
// form (which Phase 12 docs as the recommended migration path).
}}
}
// validESTPathID reports whether s is a valid EST profile path segment.
// Same shape as validSCEPPathID — empty string allowed (legacy root),
// otherwise ASCII lowercase letters / digits / hyphens with no
// leading/trailing hyphen. Kept as a separate function (rather than
// generalizing) so that future EST-specific path constraints (e.g. RFC
// 7030 §3.2.2 reserved path segments) can land here without affecting
// SCEP's validator.
//
// EST RFC 7030 hardening Phase 1.
func validESTPathID(s string) bool {
if s == "" {
return true // empty maps to legacy /.well-known/est/ root
}
if s[0] == '-' || s[len(s)-1] == '-' {
return false
}
for i := 0; i < len(s); i++ {
c := s[i]
if (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '-' {
continue
}
return false
}
return true
}
// validESTAuthMode reports whether mode is one of the documented EST
// auth modes Phase 2 + Phase 3 will dispatch on. Kept here so Validate
// can refuse unknown modes (typos, future modes the binary doesn't yet
// implement) at startup with a clear error rather than at first-request
// with a confusing 401/403.
//
// EST RFC 7030 hardening Phase 1.
func validESTAuthMode(mode string) bool {
switch mode {
case "mtls", "basic":
return true
}
return false
}
// Validate checks that the configuration is valid.
func (c *Config) Validate() error {
// Validate server configuration
@@ -1821,6 +2124,92 @@ func (c *Config) Validate() error {
}
}
// EST RFC 7030 hardening Phase 1: per-profile validation. When the
// structured Profiles slice is populated (either via CERTCTL_EST_PROFILES
// or via the legacy-shim merge in Load), iterate each profile and refuse
// boot if any is malformed. PathID format + uniqueness, IssuerID
// presence, MTLS-bundle-required-when-enabled, AllowedAuthModes shape,
// RateLimit ≥0 are all gated here. Phase 2/3 preflights validate the
// MTLS trust bundle file itself (mode, parse, expiry); Phase 1 is
// the structural-config refuse, defense in depth.
if c.EST.Enabled {
seenESTPath := map[string]bool{}
for i, p := range c.EST.Profiles {
if !validESTPathID(p.PathID) {
return fmt.Errorf("EST profile %d (%q) has invalid PathID — refuse to start: must be empty (legacy /.well-known/est/ root) or a path-safe slug matching [a-z0-9-]+ with no leading/trailing hyphen (got %q)", i, p.PathID, p.PathID)
}
if seenESTPath[p.PathID] {
return fmt.Errorf("EST profile %d duplicates PathID %q — refuse to start: each profile must have a unique URL segment so the router can dispatch unambiguously", i, p.PathID)
}
seenESTPath[p.PathID] = true
if p.IssuerID == "" {
return fmt.Errorf("EST profile %d (PathID=%q) has empty IssuerID — refuse to start: each EST profile must bind to a configured issuer", i, p.PathID)
}
// Phase 2: when mTLS is enabled, the trust bundle path must be
// set. The Phase 2 preflight in cmd/server/main.go validates
// the file itself (exists, parseable PEM, ≥1 cert, none
// expired); this gate is the structural-config refuse,
// defense in depth — without it an operator who flips
// MTLS_ENABLED=true but forgets to set
// MTLS_CLIENT_CA_TRUST_BUNDLE_PATH would get every mTLS
// enrollment rejected at runtime with no trust anchor
// configured.
if p.MTLSEnabled && p.MTLSClientCATrustBundlePath == "" {
return fmt.Errorf("EST profile %d (PathID=%q) has MTLSEnabled=true but MTLS_CLIENT_CA_TRUST_BUNDLE_PATH is empty — refuse to start: the mTLS sibling route /.well-known/est-mtls/%s/ would have no client-cert trust anchor", i, p.PathID, p.PathID)
}
// Channel-binding is meaningful only when mTLS is in use (RFC
// 9266 binds the TLS-presented client cert to the CSR's CMC
// id-aa-channelBindings attribute). Channel-binding-required-
// without-mTLS is operator confusion; refuse at boot so the
// intent is unambiguous.
if p.ChannelBindingRequired && !p.MTLSEnabled {
return fmt.Errorf("EST profile %d (PathID=%q) has ChannelBindingRequired=true but MTLSEnabled=false — refuse to start: RFC 9266 channel binding is meaningful only when mTLS is in use; either enable mTLS (set MTLS_ENABLED=true + MTLS_CLIENT_CA_TRUST_BUNDLE_PATH) or disable the channel-binding requirement", i, p.PathID)
}
// AllowedAuthModes shape: every entry must be a known mode.
// Empty slice is allowed (Phase 1 preserves the unauthenticated
// default for back-compat); Phase 3 docs nudge operators to set
// this explicitly, and a future bundle may flip the default to
// require explicit opt-in.
for _, mode := range p.AllowedAuthModes {
if !validESTAuthMode(mode) {
return fmt.Errorf("EST profile %d (PathID=%q) has unknown AllowedAuthModes entry %q — refuse to start: valid modes are \"mtls\" + \"basic\" (Phase 2/3 of the EST hardening bundle wire each)", i, p.PathID, mode)
}
}
// Cross-check: when AllowedAuthModes mentions "mtls", the
// profile's MTLSEnabled MUST be true (otherwise the auth mode
// references infrastructure the operator hasn't configured).
// Conversely, "basic" in AllowedAuthModes requires a non-empty
// EnrollmentPassword (Phase 3 will ALSO refuse a configured
// "basic" mode without a password; we duplicate the gate here
// for defense in depth).
authModeIndex := map[string]bool{}
for _, mode := range p.AllowedAuthModes {
authModeIndex[mode] = true
}
if authModeIndex["mtls"] && !p.MTLSEnabled {
return fmt.Errorf("EST profile %d (PathID=%q) lists \"mtls\" in AllowedAuthModes but MTLSEnabled=false — refuse to start: enable mTLS or remove \"mtls\" from the auth-mode list", i, p.PathID)
}
if authModeIndex["basic"] && p.EnrollmentPassword == "" {
return fmt.Errorf("EST profile %d (PathID=%q) lists \"basic\" in AllowedAuthModes but ENROLLMENT_PASSWORD is empty — refuse to start: HTTP Basic auth needs a per-profile shared secret (set CERTCTL_EST_PROFILE_<NAME>_ENROLLMENT_PASSWORD)", i, p.PathID)
}
// RateLimitPerPrincipal24h ≥ 0. Negative is a config typo;
// zero means 'disabled' (allowed for tests + the rare operator
// who wants no per-device cap, mirrors SCEP's same default).
if p.RateLimitPerPrincipal24h < 0 {
return fmt.Errorf("EST profile %d (PathID=%q) has RATE_LIMIT_PER_PRINCIPAL_24H=%d — refuse to start: must be ≥0 (zero disables the per-principal cap, positive values enforce it)", i, p.PathID, p.RateLimitPerPrincipal24h)
}
// ServerKeygenEnabled requires an explicit ProfileID + the
// referenced CertificateProfile to pin AllowedKeyAlgorithms
// (the server has to decide what algorithm to generate). The
// presence of the CertificateProfile in the registry is checked
// at boot by the Phase 5 preflight; here we just gate the
// presence of ProfileID.
if p.ServerKeygenEnabled && p.ProfileID == "" {
return fmt.Errorf("EST profile %d (PathID=%q) has SERVERKEYGEN_ENABLED=true but PROFILE_ID is empty — refuse to start: server-side keygen needs a CertificateProfile to pin AllowedKeyAlgorithms (the server must know what key to generate)", i, p.PathID)
}
}
}
// Validate scheduler intervals
if c.Scheduler.RenewalCheckInterval < 1*time.Minute {
return fmt.Errorf("renewal check interval must be at least 1 minute")
internal/config/config_est_profiles_test.go
+528
View File
@@ -0,0 +1,528 @@
package config
import (
"strings"
"testing"
)
// EST RFC 7030 hardening master bundle Phase 1: per-issuer EST profiles.
// These tests pin:
//
// 1. Backward-compat shim: legacy CERTCTL_EST_* flat env vars (just
// CERTCTL_EST_ENABLED + CERTCTL_EST_ISSUER_ID + CERTCTL_EST_PROFILE_ID)
// synthesise a single-element Profiles[0] with PathID="" so existing
// /.well-known/est/ operators see no behavior change.
// 2. Structured form: CERTCTL_EST_PROFILES=corp,iot,wifi expands into
// per-profile env vars CERTCTL_EST_PROFILE_<NAME>_*.
// 3. PathID validation: only [a-z0-9-] with no leading/trailing hyphen,
// empty allowed (legacy root). Validate() refuses anything else.
// 4. Per-profile gates: Validate() refuses each profile independently
// (missing IssuerID, mtls-enabled-no-bundle, channel-binding-without-
// mtls, basic-auth-no-password, mtls-mode-without-mtls, unknown auth
// mode, negative rate limit, server-keygen without ProfileID,
// duplicate PathID).
//
// Note these tests exercise the loader + Validate() in isolation; the
// per-profile preflight + router-registration paths are exercised by the
// router_test (RegisterESTHandlers shape) and the cmd/server/main.go
// startup path (manual via `make docker-up`).
// validBaseConfigForESTProfiles returns a Config that passes Validate
// EXCEPT for the EST fields the test under exercise sets. Mirrors the
// existing validBaseConfigForSCEPProfiles helper shape so the test file
// stays uniform with its siblings.
func validBaseConfigForESTProfiles(t *testing.T) *Config {
t.Helper()
return validBaseConfigForSCEPProfiles(t) // identical infra; EST tests just override the EST block
}
// TestESTConfig_LegacyFlatFields_SynthesizeSingleProfile is the
// load-time backward-compat test: an operator with the pre-Phase-1
// flat env vars (no CERTCTL_EST_PROFILES set) must end up with a
// single-element Profiles slice carrying PathID="" so /.well-known/est/
// routes the same way it did before.
func TestESTConfig_LegacyFlatFields_SynthesizeSingleProfile(t *testing.T) {
clearCertctlEnv(t)
t.Setenv("CERTCTL_EST_ENABLED", "true")
t.Setenv("CERTCTL_EST_ISSUER_ID", "iss-legacy-est")
t.Setenv("CERTCTL_EST_PROFILE_ID", "prof-legacy-est")
// Required infra envs so Load() doesn't fail on unrelated gates.
t.Setenv("CERTCTL_DB_URL", "postgres://localhost/certctl?sslmode=disable")
t.Setenv("CERTCTL_AUTH_TYPE", "api-key")
t.Setenv("CERTCTL_AUTH_SECRET", "test-secret")
srv := validServerConfig(t)
t.Setenv("CERTCTL_SERVER_TLS_CERT_PATH", srv.TLS.CertPath)
t.Setenv("CERTCTL_SERVER_TLS_KEY_PATH", srv.TLS.KeyPath)
cfg, err := Load()
if err != nil {
t.Fatalf("Load() error = %v, want nil (legacy EST flat fields should pass)", err)
}
if len(cfg.EST.Profiles) != 1 {
t.Fatalf("len(Profiles) = %d, want 1 (legacy shim should synthesize single-element slice)", len(cfg.EST.Profiles))
}
got := cfg.EST.Profiles[0]
if got.PathID != "" {
t.Errorf("Profiles[0].PathID = %q, want \"\" (empty maps to legacy /.well-known/est/ root)", got.PathID)
}
if got.IssuerID != "iss-legacy-est" {
t.Errorf("Profiles[0].IssuerID = %q, want %q", got.IssuerID, "iss-legacy-est")
}
if got.ProfileID != "prof-legacy-est" {
t.Errorf("Profiles[0].ProfileID = %q, want %q", got.ProfileID, "prof-legacy-est")
}
// Forward-looking fields should be at their defaults (Phase 2/3/4/5
// will set non-zero values via the structured form; the legacy shim
// preserves the pre-Phase-1 unauthenticated/unlimited defaults so
// existing operators see no behavior change).
if got.MTLSEnabled {
t.Errorf("Profiles[0].MTLSEnabled = true, want false (legacy shim preserves pre-Phase-1 defaults)")
}
if got.EnrollmentPassword != "" {
t.Errorf("Profiles[0].EnrollmentPassword = %q, want empty", got.EnrollmentPassword)
}
if len(got.AllowedAuthModes) != 0 {
t.Errorf("Profiles[0].AllowedAuthModes = %v, want empty (back-compat = no auth)", got.AllowedAuthModes)
}
if got.RateLimitPerPrincipal24h != 0 {
t.Errorf("Profiles[0].RateLimitPerPrincipal24h = %d, want 0 (back-compat = unlimited)", got.RateLimitPerPrincipal24h)
}
if got.ServerKeygenEnabled {
t.Errorf("Profiles[0].ServerKeygenEnabled = true, want false (Phase 5 opt-in)")
}
}
// TestESTConfig_DisabledNoLegacyShim verifies that when EST is disabled
// the legacy shim is a no-op (Profiles stays empty, no synthesized
// element). Mirrors the SCEP equivalent.
func TestESTConfig_DisabledNoLegacyShim(t *testing.T) {
clearCertctlEnv(t)
t.Setenv("CERTCTL_EST_ENABLED", "false")
t.Setenv("CERTCTL_EST_ISSUER_ID", "iss-still-set")
t.Setenv("CERTCTL_DB_URL", "postgres://localhost/certctl?sslmode=disable")
t.Setenv("CERTCTL_AUTH_TYPE", "api-key")
t.Setenv("CERTCTL_AUTH_SECRET", "test-secret")
srv := validServerConfig(t)
t.Setenv("CERTCTL_SERVER_TLS_CERT_PATH", srv.TLS.CertPath)
t.Setenv("CERTCTL_SERVER_TLS_KEY_PATH", srv.TLS.KeyPath)
cfg, err := Load()
if err != nil {
t.Fatalf("Load() error = %v, want nil", err)
}
if len(cfg.EST.Profiles) != 0 {
t.Errorf("len(Profiles) = %d, want 0 (disabled EST should not trigger the shim)", len(cfg.EST.Profiles))
}
}
// TestESTConfig_MultipleProfiles_LoadFromEnv exercises the structured form:
// CERTCTL_EST_PROFILES=corp,iot,wifi expands into per-profile env vars.
// All forward-looking fields (auth modes, mTLS, rate limit, server-keygen)
// load correctly even though the dispatching handlers are Phase 2-5 work.
func TestESTConfig_MultipleProfiles_LoadFromEnv(t *testing.T) {
clearCertctlEnv(t)
t.Setenv("CERTCTL_EST_ENABLED", "true")
t.Setenv("CERTCTL_EST_PROFILES", "corp,iot,wifi")
// CORP: mTLS + Basic, channel-binding required, rate-limited, server-keygen on
t.Setenv("CERTCTL_EST_PROFILE_CORP_ISSUER_ID", "iss-corp-laptop")
t.Setenv("CERTCTL_EST_PROFILE_CORP_PROFILE_ID", "prof-corp-tls")
t.Setenv("CERTCTL_EST_PROFILE_CORP_ENROLLMENT_PASSWORD", "corp-secret")
t.Setenv("CERTCTL_EST_PROFILE_CORP_MTLS_ENABLED", "true")
t.Setenv("CERTCTL_EST_PROFILE_CORP_MTLS_CLIENT_CA_TRUST_BUNDLE_PATH", "/etc/certctl/est/corp-trust.pem")
t.Setenv("CERTCTL_EST_PROFILE_CORP_CHANNEL_BINDING_REQUIRED", "true")
t.Setenv("CERTCTL_EST_PROFILE_CORP_ALLOWED_AUTH_MODES", "mtls,basic")
t.Setenv("CERTCTL_EST_PROFILE_CORP_RATE_LIMIT_PER_PRINCIPAL_24H", "5")
t.Setenv("CERTCTL_EST_PROFILE_CORP_SERVERKEYGEN_ENABLED", "true")
// IOT: Basic only (no mTLS for resource-constrained devices)
t.Setenv("CERTCTL_EST_PROFILE_IOT_ISSUER_ID", "iss-iot")
t.Setenv("CERTCTL_EST_PROFILE_IOT_PROFILE_ID", "prof-iot-30d")
t.Setenv("CERTCTL_EST_PROFILE_IOT_ENROLLMENT_PASSWORD", "iot-bootstrap")
t.Setenv("CERTCTL_EST_PROFILE_IOT_ALLOWED_AUTH_MODES", "basic")
t.Setenv("CERTCTL_EST_PROFILE_IOT_RATE_LIMIT_PER_PRINCIPAL_24H", "3")
// WIFI: mTLS only (802.1X devices have factory bootstrap certs)
t.Setenv("CERTCTL_EST_PROFILE_WIFI_ISSUER_ID", "iss-wifi-eaptls")
t.Setenv("CERTCTL_EST_PROFILE_WIFI_MTLS_ENABLED", "true")
t.Setenv("CERTCTL_EST_PROFILE_WIFI_MTLS_CLIENT_CA_TRUST_BUNDLE_PATH", "/etc/certctl/est/wifi-trust.pem")
t.Setenv("CERTCTL_EST_PROFILE_WIFI_ALLOWED_AUTH_MODES", "mtls")
// Required infra envs.
t.Setenv("CERTCTL_DB_URL", "postgres://localhost/certctl?sslmode=disable")
t.Setenv("CERTCTL_AUTH_TYPE", "api-key")
t.Setenv("CERTCTL_AUTH_SECRET", "test-secret")
srv := validServerConfig(t)
t.Setenv("CERTCTL_SERVER_TLS_CERT_PATH", srv.TLS.CertPath)
t.Setenv("CERTCTL_SERVER_TLS_KEY_PATH", srv.TLS.KeyPath)
cfg, err := Load()
if err != nil {
t.Fatalf("Load() error = %v, want nil", err)
}
if len(cfg.EST.Profiles) != 3 {
t.Fatalf("len(Profiles) = %d, want 3", len(cfg.EST.Profiles))
}
type wantProfile struct {
PathID, IssuerID, ProfileID, EnrollmentPassword, MTLSBundle string
MTLSEnabled, ChannelBinding, ServerKeygen bool
RateLimit int
AuthModes []string
}
wants := map[string]wantProfile{
"corp": {
PathID: "corp", IssuerID: "iss-corp-laptop", ProfileID: "prof-corp-tls",
EnrollmentPassword: "corp-secret", MTLSBundle: "/etc/certctl/est/corp-trust.pem",
MTLSEnabled: true, ChannelBinding: true, ServerKeygen: true,
RateLimit: 5, AuthModes: []string{"mtls", "basic"},
},
"iot": {
PathID: "iot", IssuerID: "iss-iot", ProfileID: "prof-iot-30d",
EnrollmentPassword: "iot-bootstrap",
RateLimit: 3, AuthModes: []string{"basic"},
},
"wifi": {
PathID: "wifi", IssuerID: "iss-wifi-eaptls",
MTLSBundle: "/etc/certctl/est/wifi-trust.pem", MTLSEnabled: true,
AuthModes: []string{"mtls"},
},
}
got := map[string]ESTProfileConfig{}
for _, p := range cfg.EST.Profiles {
got[p.PathID] = p
}
for name, want := range wants {
g, ok := got[name]
if !ok {
t.Fatalf("missing profile %q in loaded slice", name)
}
if g.PathID != want.PathID || g.IssuerID != want.IssuerID || g.ProfileID != want.ProfileID {
t.Errorf("profile %q identity = (%q,%q,%q), want (%q,%q,%q)",
name, g.PathID, g.IssuerID, g.ProfileID, want.PathID, want.IssuerID, want.ProfileID)
}
if g.EnrollmentPassword != want.EnrollmentPassword {
t.Errorf("profile %q EnrollmentPassword = %q, want %q", name, g.EnrollmentPassword, want.EnrollmentPassword)
}
if g.MTLSEnabled != want.MTLSEnabled || g.MTLSClientCATrustBundlePath != want.MTLSBundle {
t.Errorf("profile %q mTLS = (%v,%q), want (%v,%q)",
name, g.MTLSEnabled, g.MTLSClientCATrustBundlePath, want.MTLSEnabled, want.MTLSBundle)
}
if g.ChannelBindingRequired != want.ChannelBinding {
t.Errorf("profile %q ChannelBindingRequired = %v, want %v", name, g.ChannelBindingRequired, want.ChannelBinding)
}
if g.ServerKeygenEnabled != want.ServerKeygen {
t.Errorf("profile %q ServerKeygenEnabled = %v, want %v", name, g.ServerKeygenEnabled, want.ServerKeygen)
}
if g.RateLimitPerPrincipal24h != want.RateLimit {
t.Errorf("profile %q RateLimit = %d, want %d", name, g.RateLimitPerPrincipal24h, want.RateLimit)
}
if !equalStringSlices(g.AllowedAuthModes, want.AuthModes) {
t.Errorf("profile %q AllowedAuthModes = %v, want %v", name, g.AllowedAuthModes, want.AuthModes)
}
}
}
// TestESTConfig_StructuredFormBeatsLegacy: when CERTCTL_EST_PROFILES is
// set, the legacy shim is a no-op (the structured form takes precedence).
func TestESTConfig_StructuredFormBeatsLegacy(t *testing.T) {
clearCertctlEnv(t)
t.Setenv("CERTCTL_EST_ENABLED", "true")
t.Setenv("CERTCTL_EST_ISSUER_ID", "iss-flat-ignored")
t.Setenv("CERTCTL_EST_PROFILES", "corp")
t.Setenv("CERTCTL_EST_PROFILE_CORP_ISSUER_ID", "iss-from-structured")
t.Setenv("CERTCTL_DB_URL", "postgres://localhost/certctl?sslmode=disable")
t.Setenv("CERTCTL_AUTH_TYPE", "api-key")
t.Setenv("CERTCTL_AUTH_SECRET", "test-secret")
srv := validServerConfig(t)
t.Setenv("CERTCTL_SERVER_TLS_CERT_PATH", srv.TLS.CertPath)
t.Setenv("CERTCTL_SERVER_TLS_KEY_PATH", srv.TLS.KeyPath)
cfg, err := Load()
if err != nil {
t.Fatalf("Load() error = %v, want nil", err)
}
if len(cfg.EST.Profiles) != 1 {
t.Fatalf("len(Profiles) = %d, want 1 (structured form), got = %#v", len(cfg.EST.Profiles), cfg.EST.Profiles)
}
if got := cfg.EST.Profiles[0].IssuerID; got != "iss-from-structured" {
t.Errorf("Profiles[0].IssuerID = %q, want structured value (legacy shim should not have fired)", got)
}
if got := cfg.EST.Profiles[0].PathID; got != "corp" {
t.Errorf("Profiles[0].PathID = %q, want \"corp\"", got)
}
}
// TestESTConfig_PathIDValidation pins validESTPathID + Validate() refusal
// of malformed PathIDs.
func TestESTConfig_PathIDValidation(t *testing.T) {
cases := []struct {
pathID string
valid bool
comment string
}{
{"", true, "empty (legacy root)"},
{"corp", true, "lowercase letters"},
{"iot-fleet-2", true, "letters + digits + hyphens"},
{"a", true, "single char"},
{"-corp", false, "leading hyphen"},
{"corp-", false, "trailing hyphen"},
{"Corp", false, "uppercase"},
{"corp/iot", false, "slash"},
{"corp.iot", false, "dot"},
{"corp_iot", false, "underscore"},
{"corp iot", false, "space"},
{"corp%20iot", false, "percent encoding"},
}
for _, tc := range cases {
t.Run(tc.comment, func(t *testing.T) {
if got := validESTPathID(tc.pathID); got != tc.valid {
t.Errorf("validESTPathID(%q) = %v, want %v (%s)", tc.pathID, got, tc.valid, tc.comment)
}
})
}
}
// TestESTConfig_DuplicatePathID_Refuses verifies Validate() refuses two
// profiles with the same PathID. This is the load-bearing dispatch
// uniqueness guarantee — without it, the router would silently overwrite
// the first registration.
func TestESTConfig_DuplicatePathID_Refuses(t *testing.T) {
cfg := validBaseConfigForESTProfiles(t)
cfg.EST.Enabled = true
cfg.EST.Profiles = []ESTProfileConfig{
{PathID: "corp", IssuerID: "iss-a"},
{PathID: "corp", IssuerID: "iss-b"},
}
err := cfg.Validate()
if err == nil {
t.Fatal("Validate() = nil, want error for duplicate PathID")
}
if !strings.Contains(err.Error(), "duplicates PathID") {
t.Errorf("Validate() error = %q, want substring \"duplicates PathID\"", err.Error())
}
}
// TestESTConfig_MissingPerProfileIssuerID verifies Validate() refuses
// a profile with empty IssuerID.
func TestESTConfig_MissingPerProfileIssuerID(t *testing.T) {
cfg := validBaseConfigForESTProfiles(t)
cfg.EST.Enabled = true
cfg.EST.Profiles = []ESTProfileConfig{
{PathID: "corp", IssuerID: ""},
}
err := cfg.Validate()
if err == nil {
t.Fatal("Validate() = nil, want error for empty IssuerID")
}
if !strings.Contains(err.Error(), "empty IssuerID") {
t.Errorf("Validate() error = %q, want substring \"empty IssuerID\"", err.Error())
}
}
// TestESTConfig_MTLSEnabledRequiresBundlePath verifies the per-profile
// gate: MTLSEnabled=true without MTLS_CLIENT_CA_TRUST_BUNDLE_PATH = refuse.
func TestESTConfig_MTLSEnabledRequiresBundlePath(t *testing.T) {
cfg := validBaseConfigForESTProfiles(t)
cfg.EST.Enabled = true
cfg.EST.Profiles = []ESTProfileConfig{
{
PathID: "corp", IssuerID: "iss-corp",
MTLSEnabled: true,
MTLSClientCATrustBundlePath: "", // missing
},
}
err := cfg.Validate()
if err == nil {
t.Fatal("Validate() = nil, want error for MTLSEnabled without trust bundle")
}
if !strings.Contains(err.Error(), "MTLSEnabled=true") {
t.Errorf("Validate() error = %q, want substring mentioning MTLSEnabled=true", err.Error())
}
if !strings.Contains(err.Error(), "/.well-known/est-mtls/corp/") {
t.Errorf("Validate() error = %q, should reference the sibling route URL operators see", err.Error())
}
}
// TestESTConfig_ChannelBindingWithoutMTLS_Refuses verifies the cross-check:
// channel binding only makes sense when mTLS is in use (RFC 9266 binds the
// TLS-presented client cert to the CSR's CMC attribute).
func TestESTConfig_ChannelBindingWithoutMTLS_Refuses(t *testing.T) {
cfg := validBaseConfigForESTProfiles(t)
cfg.EST.Enabled = true
cfg.EST.Profiles = []ESTProfileConfig{
{
PathID: "corp", IssuerID: "iss-corp",
MTLSEnabled: false,
ChannelBindingRequired: true,
},
}
err := cfg.Validate()
if err == nil {
t.Fatal("Validate() = nil, want error for ChannelBindingRequired without mTLS")
}
if !strings.Contains(err.Error(), "ChannelBindingRequired=true but MTLSEnabled=false") {
t.Errorf("Validate() error = %q, want substring mentioning the cross-check", err.Error())
}
}
// TestESTConfig_BasicAuthInModesRequiresPassword verifies the cross-check:
// AllowedAuthModes mentions "basic" → EnrollmentPassword MUST be non-empty.
func TestESTConfig_BasicAuthInModesRequiresPassword(t *testing.T) {
cfg := validBaseConfigForESTProfiles(t)
cfg.EST.Enabled = true
cfg.EST.Profiles = []ESTProfileConfig{
{
PathID: "corp", IssuerID: "iss-corp",
AllowedAuthModes: []string{"basic"},
EnrollmentPassword: "", // missing
},
}
err := cfg.Validate()
if err == nil {
t.Fatal("Validate() = nil, want error for basic auth without password")
}
if !strings.Contains(err.Error(), "ENROLLMENT_PASSWORD is empty") {
t.Errorf("Validate() error = %q, want substring mentioning empty ENROLLMENT_PASSWORD", err.Error())
}
}
// TestESTConfig_MTLSAuthModeRequiresMTLSEnabled verifies the cross-check:
// AllowedAuthModes mentions "mtls" → MTLSEnabled MUST be true.
func TestESTConfig_MTLSAuthModeRequiresMTLSEnabled(t *testing.T) {
cfg := validBaseConfigForESTProfiles(t)
cfg.EST.Enabled = true
cfg.EST.Profiles = []ESTProfileConfig{
{
PathID: "corp", IssuerID: "iss-corp",
AllowedAuthModes: []string{"mtls"},
MTLSEnabled: false,
},
}
err := cfg.Validate()
if err == nil {
t.Fatal("Validate() = nil, want error for mtls auth mode without MTLSEnabled")
}
if !strings.Contains(err.Error(), "lists \"mtls\" in AllowedAuthModes but MTLSEnabled=false") {
t.Errorf("Validate() error = %q, want substring mentioning the cross-check", err.Error())
}
}
// TestESTConfig_UnknownAuthModeRefused verifies Validate() refuses any
// auth mode that isn't "mtls" or "basic" (typos, future modes the binary
// doesn't yet implement).
func TestESTConfig_UnknownAuthModeRefused(t *testing.T) {
cfg := validBaseConfigForESTProfiles(t)
cfg.EST.Enabled = true
cfg.EST.Profiles = []ESTProfileConfig{
{
PathID: "corp", IssuerID: "iss-corp",
AllowedAuthModes: []string{"oauth"}, // not a documented EST auth mode
},
}
err := cfg.Validate()
if err == nil {
t.Fatal("Validate() = nil, want error for unknown auth mode")
}
if !strings.Contains(err.Error(), "unknown AllowedAuthModes entry") {
t.Errorf("Validate() error = %q, want substring mentioning unknown auth mode", err.Error())
}
if !strings.Contains(err.Error(), "oauth") {
t.Errorf("Validate() error = %q, want to surface the offending mode name", err.Error())
}
}
// TestESTConfig_NegativeRateLimitRefused verifies Validate() catches the
// config typo of a negative rate limit.
func TestESTConfig_NegativeRateLimitRefused(t *testing.T) {
cfg := validBaseConfigForESTProfiles(t)
cfg.EST.Enabled = true
cfg.EST.Profiles = []ESTProfileConfig{
{
PathID: "corp", IssuerID: "iss-corp",
RateLimitPerPrincipal24h: -1,
},
}
err := cfg.Validate()
if err == nil {
t.Fatal("Validate() = nil, want error for negative rate limit")
}
if !strings.Contains(err.Error(), "RATE_LIMIT_PER_PRINCIPAL_24H=-1") {
t.Errorf("Validate() error = %q, want substring mentioning negative rate limit", err.Error())
}
}
// TestESTConfig_ServerKeygenRequiresProfileID verifies Validate() refuses
// ServerKeygenEnabled=true without a CertificateProfile to pin
// AllowedKeyAlgorithms (the server has to know what to generate).
func TestESTConfig_ServerKeygenRequiresProfileID(t *testing.T) {
cfg := validBaseConfigForESTProfiles(t)
cfg.EST.Enabled = true
cfg.EST.Profiles = []ESTProfileConfig{
{
PathID: "iot", IssuerID: "iss-iot",
ServerKeygenEnabled: true,
ProfileID: "", // missing
},
}
err := cfg.Validate()
if err == nil {
t.Fatal("Validate() = nil, want error for ServerKeygenEnabled without ProfileID")
}
if !strings.Contains(err.Error(), "SERVERKEYGEN_ENABLED=true but PROFILE_ID is empty") {
t.Errorf("Validate() error = %q, want substring mentioning the missing PROFILE_ID", err.Error())
}
}
// TestESTConfig_DisabledIgnoresProfiles verifies that when EST is disabled,
// no per-profile validation runs (an operator with a half-configured set of
// profiles can still flip the kill-switch off without fixing every one).
func TestESTConfig_DisabledIgnoresProfiles(t *testing.T) {
cfg := validBaseConfigForESTProfiles(t)
cfg.EST.Enabled = false
cfg.EST.Profiles = []ESTProfileConfig{
{PathID: "BAD-CASE", IssuerID: ""}, // would refuse if EST.Enabled
{PathID: "corp", IssuerID: ""}, // would refuse if EST.Enabled
}
if err := cfg.Validate(); err != nil {
t.Errorf("Validate() = %v, want nil (disabled EST should skip per-profile gates)", err)
}
}
// TestESTConfig_ParseAuthModes_Normalization pins the parser's behavior
// (lowercasing, trimming, empty-element filtering).
func TestESTConfig_ParseAuthModes_Normalization(t *testing.T) {
cases := []struct {
input string
want []string
}{
{"", nil},
{" ", nil},
{"mtls", []string{"mtls"}},
{"MTLS", []string{"mtls"}},
{"mtls,basic", []string{"mtls", "basic"}},
{" mtls , basic ", []string{"mtls", "basic"}},
{"mtls,,basic", []string{"mtls", "basic"}}, // empty element dropped
{"BASIC", []string{"basic"}},
}
for _, tc := range cases {
got := parseAuthModes(tc.input)
if !equalStringSlices(got, tc.want) {
t.Errorf("parseAuthModes(%q) = %v, want %v", tc.input, got, tc.want)
}
}
}
// equalStringSlices reports whether two []string slices contain the same
// elements in the same order. nil and []string{} are treated as equal.
func equalStringSlices(a, b []string) bool {
if len(a) != len(b) {
return false
}
for i := range a {
if a[i] != b[i] {
return false
}
}
return true
}