gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-09 13:48:52 +00:00
Code Issues Packages Projects Releases Wiki Activity
727 Commits 1 Branch 82 Tags
c46a6aecbc04976daed6a9d89aec18d765e1633a
Commit Graph

3 Commits

Author SHA1 Message Date
shankar0123 506cff137d feat(scep): SCEP probe in network scanner for fleet-readiness assessment 
Phase 11.5 of the SCEP RFC 8894 + Intune master bundle. Adds an
operator-facing SCEP probe that issues GetCACaps + GetCACert against
an arbitrary SCEP server URL and returns a structured posture snapshot
(reachable + advertised caps + RFC 8894 / AES / POST / Renewal /
SHA-256 / SHA-512 support flags + CA cert subject + issuer + NotBefore
+ NotAfter + days-to-expiry + algorithm + chain length).

Two operator use cases per the master prompt:

  1. Pre-migration assessment — probe an existing EJBCA / NDES SCEP
     server before switching to certctl to see what capabilities it
     advertises and what the CA cert looks like.
  2. Compliance posture audits — periodic ad-hoc probes against the
     operator's own SCEP servers to flag drift.

Capability-only — does NOT POST a CSR per the spec (would consume slot
allocations on the target server + create audit noise). Standalone CLI
binary explicitly out of scope (per the master prompt §11.5.6 and the
operator's confirmation): the probe code lands inside certctl; a
future thin Cobra wrapper is a separate decision.

Backend (six new + one extended file):

  * internal/domain/network_scan.go — new SCEPProbeResult struct with
    every probe field documented for the GUI's display layer.

  * migrations/000021_scep_probe_results.up.sql + .down.sql — new
    scep_probe_results table with TEXT id, target_url, all probe
    flags, CA cert metadata, probed_at, probe_duration_ms, error.
    Two indexes: idx_scep_probe_results_probed_at (DESC) for the
    'recent probes' GUI query, idx_scep_probe_results_target_url
    (target_url, probed_at DESC) for the future per-URL history view.

  * internal/repository/interfaces.go — new SCEPProbeResultRepository
    interface (Insert + ListRecent).

  * internal/repository/postgres/scep_probe_results.go — Postgres
    implementation. ListRecent clamps limit to [1, 200]; on read
    re-derives ca_cert_days_to_expiry against the query-time wall
    clock so 'X days remaining' stays fresh.

  * internal/service/scep_probe.go — ProbeSCEP(ctx, url) on
    NetworkScanService. Validation order:
      1. Up-front URL validation via validation.ValidateSafeURL
         (defaults to validation.ValidateSafeURL but injectable for
         tests via the new scepValidateURL field on the service).
      2. Dial-time SSRF re-check via SafeHTTPDialContext on the
         http.Transport (defends against DNS rebinding).
      3. GET ?operation=GetCACaps + GET ?operation=GetCACert.
         GetCACert handles three response shapes: PKCS#7 SignedData
         certs-only envelope (multi-cert), raw DER (single-cert),
         and PEM-wrapped DER (non-conforming servers).
    Times out at 30s; uses a 1MB body cap for DoS defense; wraps
    the result + persists via the repo (nil-safe) before returning.
    describeCertAlgorithm helper returns 'RSA-N' / 'ECDSA-curve' /
    'Ed25519' / 'DSA' for the GUI's algorithm column.

  * internal/service/network_scan.go — added scepProbeRepo +
    scepHTTPClient + scepValidateURL + scepIDFn + nowFn fields;
    SetSCEPProbeRepo wires the repo at startup.

  * internal/api/handler/network_scan.go — extended NetworkScanService
    interface with ProbeSCEP + ListRecentSCEPProbes; added two new
    HTTP handlers:
      POST /api/v1/network-scan/scep-probe   (body {url})
      GET  /api/v1/network-scan/scep-probes  (recent history)
    Synchronous probe; HTTP 200 with the result body for both success
    and reachable-but-failed cases (so the GUI can render the failure
    tone with the operator-actionable error message).

  * internal/api/router/router.go — registered the two routes inline
    after the existing network-scan target endpoints.

  * api/openapi.yaml — documented both endpoints (operationId
    probeSCEP + listSCEPProbes) with full schema + response codes.

  * cmd/server/main.go — wires the new SCEPProbeResultRepository
    onto the network scan service via SetSCEPProbeRepo right after
    the existing NewNetworkScanService construction.

Backend tests (6 new — exit-criteria-named per the master prompt):

  * TestProbeSCEP_AdvertisesAllCaps — happy path, full RFC 8894
    capability set, ECDSA P-256 CA cert, 365-day expiry.
  * TestProbeSCEP_MissingSCEPStandard — pre-RFC-8894 server (only
    POSTPKIOperation + SHA-1 + DES3); SupportsRFC8894 = false.
  * TestProbeSCEP_GetCACertExpired — CA cert NotAfter 30d in the
    past; CACertExpired = true.
  * TestProbeSCEP_Unreachable — connect to TCP port 1; probe
    returns Reachable=false + non-empty Error.
  * TestProbeSCEP_RejectsReservedIP — http://169.254.169.254/scep
    (EC2 metadata literal) rejected by the up-front
    validation.ValidateSafeURL gate; result captures the error
    without ever issuing the HTTP call.
  * TestProbeSCEP_PEMWrappedCert — server returns PEM instead of
    raw DER for GetCACert; the fallback parse path handles it.

Frontend (one extended file + types/client):

  * web/src/api/types.ts — SCEPProbeResult + SCEPProbesResponse.
  * web/src/api/client.ts — probeSCEPServer + listSCEPProbes
    helpers.
  * web/src/pages/NetworkScanPage.tsx — new SCEPProbeSection
    component + ProbeResultPanel (with capability badges + CA cert
    details panel + raw caps line) + SCEPProbeHistoryTable. Form
    rejects empty URL with inline error before calling the API.
    Reload mutation goes through useTrackedMutation with explicit
    invalidates: [['scep-probes']] (M-009 contract).

Frontend tests (5 new + 0 regressions):

  * Scep probe section header + form renders.
  * Empty URL is rejected with inline error and never calls the
    probe endpoint.
  * Successful probe renders capability badges + CA cert subject
    + days-remaining inline panel.
  * Probe-level errors are surfaced in the inline panel (no result
    panel rendered).
  * Recent-probes history table renders one row per probe.
  * (Existing 2 NetworkScanPage XSS-hardening tests stub the new
    listSCEPProbes endpoint to an empty list so they still pass.)

Verification:
  * gofmt clean on touched files
  * go vet ./... clean
  * staticcheck on service+handler+router+repository+cmd-server clean
  * go test -short across service+handler+router+repository+cmd-server
    + integration: all green (existing + 6 new probe tests pass)
  * Frontend tsc --noEmit clean
  * Vitest: 7/7 NetworkScanPage tests pass (2 existing XSS + 5 new
    probe section)
  * G-3 docs-drift CI guard reproduced locally clean (no new env vars)
  * M-009 hard-zero useMutation guard clean (probe mutation goes
    through useTrackedMutation)
  * openapi-parity guard satisfied (both new routes documented)
  * The mockNetworkScanService in handler + integration packages
    extended with stub Probe methods; targeted coverage stays in
    scep_probe_test.go.

Out of scope (per master prompt §11.5.6 + operator confirmation):
  * Standalone certctl-scan CLI binary — separate decision, ~1d of
    follow-up work when/if shipped.

Refs: cowork/scep-rfc8894-intune-master-prompt.md::Phase 11.5
      cowork/scep-rfc8894-intune/progress.md
 2026-04-29 18:51:57 +00:00
shankar0123 12adc97381 Bundle H follow-up #2: end-to-end fix for Pass 3 CI multi-match failures 
Second CI run surfaced 8 real failures across 7 detail/list pages and 1

mock-shape error. Root causes:

  1. Multi-match disambiguation. screen.getByText(...) matched both the

     PageHeader <h2> AND duplicated text in InfoRow / detail-row spans

     within the same page (e.g., issuer name appears as page title AND

     in the Issuer Details panel; cert.common_name appears as page title

     AND in the Common Name InfoRow). The regex variants (getByText(/X/i))

     were even worse — matched any element containing the substring.

  2. NetworkScanPage mock-shape. xssScanTarget.ports was '443,8443'

     (string), but NetworkScanPage.tsx:180 calls t.ports?.join() which

     requires a number[] per src/api/types.ts:506. Page errored before

     rendering the DataTable, so the XSS test's body.textContent

     assertion saw an empty string.

Fixes:

  - Every page-title assertion in the 14 Pass 3 test files now uses

    screen.getByRole('heading', { level: 2, name: ... }), which matches

    ONLY the PageHeader <h2> (PageHeader.tsx:11 renders an actual <h2>).

    Detail-row spans / InfoRow text / column-header text in lower-level

    headings (h3) is excluded by the level filter.

  - NetworkScanPage xssScanTarget.ports changed from '443,8443' (string)

    to [443, 8443] (number[]) per the NetworkScanTarget TS type.

Pages with assertion fixes (8 tests across 7 files):

  - AgentFleetPage         /Agent/i        -> 'Agent Fleet Overview' (h2)

  - AuditPage              /Audit/         -> 'Audit Trail' (h2)

  - CertificateDetailPage  'plain.example.com' (text)  -> heading h2

  - HealthMonitorPage      /Health/i       -> 'Health Monitor' (h2)

  - IssuerDetailPage       'Plain Name' (text)         -> heading h2

  - JobDetailPage          /j-xss-001/ (text)          -> heading h2

  - JobsPage               /Jobs/i         -> 'Jobs' (h2)

  - ProfilesPage           /Profile/i      -> 'Certificate Profiles' (h2)

  - TargetDetailPage       'Plain Name' (text)         -> heading h2

Plus 4 already-correct pages updated for consistency:

  - DigestPage             text 'Certificate Digest'   -> heading h2

  - ObservabilityPage      text 'Observability'        -> heading h2

  - NetworkScanPage        /Network/i      -> 'Network Scanning' (h2)

  - ShortLivedPage         text 'Short-Lived...'       -> heading h2

Mock-shape fix:

  - NetworkScanPage.test.tsx  ports: '443,8443' -> [443, 8443]

End-to-end audit:

  Every Pass 3 test now anchors on the unambiguous PageHeader <h2>;

  no remaining getByText() with regex or substring that could spuriously

  multi-match. Mock data shapes verified against src/api/types.ts

  interfaces (NetworkScanTarget, MetricsResponse, ManagedCertificate).
 2026-04-27 03:24:31 +00:00
shankar0123 a5c4f42ec9 M-029 Pass 3 batch C (FINAL): T-1 tests for 5 list pages — Pass 3 complete 
Closes M-029 Pass 3 fully. Every src/pages/*.tsx now has a *.test.tsx peer.

Audit recon: 'comm -23 <pages> <test-peers>' returns zero (all 14 T-1-deferred

pages now covered).

Test files added (each ships render-coverage + an XSS-hardening contract):

  - HealthMonitorPage.test.tsx     endpoint URL + last_error payloads

  - JobsPage.test.tsx              type / certificate_id / agent_id /

                                    error_message payloads

  - NetworkScanPage.test.tsx       network_range / agent_id / last_scan_message

                                    payloads

  - ProfilesPage.test.tsx          profile name / description / EKUs payloads

  - AgentFleetPage.test.tsx        agent name / hostname / OS / arch / IP

                                    payloads (mirrors the M-003 MCP fence shape)

Pass 3 totals across batches A + B + C: 14 new test files, 14/14 T-1-deferred

pages closed. Each test pins three invariants:

  1. The page renders against mock data without crashing.

  2. No live <script data-xss='...'> attaches to the DOM.

  3. The literal payload appears as escaped text content (proving the page

     surfaces the data without rendering it as HTML).

M-029 status after Pass 3:

  Pass 1 — useMutation -> useTrackedMutation     COMPLETE (6 batches, 56 -> 0)

  Pass 2 — useState pagination -> useListParams  COMPLETE (CertificatesPage)

  Pass 3 — XSS-hardening test suites             COMPLETE (14/14 pages)

M-029 IS NOW READY TO CLOSE.
 2026-04-27 03:08:18 +00:00