package router import ( "context" "net/http" "net/http/httptest" "testing" "github.com/certctl-io/certctl/internal/api/handler" "github.com/certctl-io/certctl/internal/domain" ) // EST RFC 7030 hardening master bundle Phase 1: per-profile EST router // registration. Pins: // // 1. Empty PathID maps to /.well-known/est/ (legacy backward-compat). // 2. Non-empty PathID maps to /.well-known/est//. // 3. Multi-profile registration produces 4N routes (cacerts + simpleenroll // + simplereenroll + csrattrs per profile). // 4. Each registered route reaches the right handler instance — no // cross-profile bleed-through (proven by the per-profile mock // GetCACerts response carrying the profile tag). // // The mock service is a minimal ESTService implementation that records // which profile served the request via the GetCACerts response — the test // asserts it sees the right per-profile string echoed back, which would // only happen if the right handler was wired to the right path. // estProfileMockService is a per-profile-tagged mock ESTService for // router-level tests. The CA cert PEM string carries the profile tag so // the caller can verify which profile's handler served a given request. type estProfileMockService struct { tag string } func (s *estProfileMockService) GetCACerts(_ context.Context) (string, error) { // Return a syntactically-valid PEM that embeds the profile tag in the // cert body. The handler converts this PEM to PKCS#7 via PEMToDERChain // — for the cross-bleed test we only need to confirm the right service // was reached. Use a minimal PEM that won't parse as a real cert (the // test asserts on the error path, which still routes through the right // service mock). return "-----BEGIN CERTIFICATE-----\nPROFILE=" + s.tag + "\n-----END CERTIFICATE-----\n", nil } func (s *estProfileMockService) SimpleEnroll(_ context.Context, _ string) (*domain.ESTEnrollResult, error) { return &domain.ESTEnrollResult{CertPEM: "-----BEGIN CERTIFICATE-----\nPROFILE=" + s.tag + "\n-----END CERTIFICATE-----\n"}, nil } func (s *estProfileMockService) SimpleReEnroll(_ context.Context, _ string) (*domain.ESTEnrollResult, error) { return &domain.ESTEnrollResult{CertPEM: "-----BEGIN CERTIFICATE-----\nPROFILE=" + s.tag + "\n-----END CERTIFICATE-----\n"}, nil } func (s *estProfileMockService) SimpleServerKeygen(_ context.Context, _ string) (*domain.ESTServerKeygenResult, error) { return nil, nil } func (s *estProfileMockService) GetCSRAttrs(_ context.Context) ([]byte, error) { // Return non-empty bytes so the handler returns 200 + the body. The body // won't carry a profile tag (csrattrs is base64-encoded ASN.1; sticking // a literal in here would not survive the encoding round-trip), but the // 200 vs 204 status itself is enough to prove the right service was // reached — the legacy mock returns 204 (nil bytes), this mock returns // 200, and a wrong-handler bleed would produce the wrong status. return []byte("PROFILE=" + s.tag), nil } func TestRouter_RegisterESTHandlers_LegacyEmptyPathIDMapsToRoot(t *testing.T) { r := New() svc := &estProfileMockService{tag: "legacy"} r.RegisterESTHandlers(map[string]handler.ESTHandler{ "": handler.NewESTHandler(svc), }) // /.well-known/est/cacerts is a GET. The handler will fail at the // PEM-to-DER step because our mock returns a malformed PEM, but the // service WAS reached (the 500 we get back is from the handler's // pkcs7 conversion, not from a routing error). Use csrattrs instead // — it's GET and our mock returns clean bytes. req := httptest.NewRequest(http.MethodGet, "/.well-known/est/csrattrs", nil) w := httptest.NewRecorder() r.ServeHTTP(w, req) if w.Code != http.StatusOK { t.Fatalf("GET /.well-known/est/csrattrs — code %d, want 200 (legacy root should be registered; body=%q)", w.Code, w.Body.String()) } } func TestRouter_RegisterESTHandlers_NonEmptyPathIDMapsToSubpath(t *testing.T) { r := New() r.RegisterESTHandlers(map[string]handler.ESTHandler{ "corp": handler.NewESTHandler(&estProfileMockService{tag: "corp"}), }) // /.well-known/est/corp/csrattrs should reach the corp handler. req := httptest.NewRequest(http.MethodGet, "/.well-known/est/corp/csrattrs", nil) w := httptest.NewRecorder() r.ServeHTTP(w, req) if w.Code != http.StatusOK { t.Fatalf("GET /.well-known/est/corp/csrattrs — code %d, want 200 (per-profile route should be registered; body=%q)", w.Code, w.Body.String()) } // /.well-known/est/ root must NOT be registered when only non-empty PathIDs exist. req = httptest.NewRequest(http.MethodGet, "/.well-known/est/csrattrs", nil) w = httptest.NewRecorder() r.ServeHTTP(w, req) if w.Code != http.StatusNotFound && w.Code != http.StatusMethodNotAllowed { t.Errorf("/.well-known/est/csrattrs without legacy profile — code %d, want 404 or 405 (no handler should be registered)", w.Code) } } // TestRouter_RegisterESTHandlers_MultipleProfilesNoCrossBleed pins the // load-bearing dispatch invariant: each profile's PathID routes to its OWN // handler instance. A regression that mis-wired the dispatch would surface // as profile A's traffic hitting profile B's mock, observable here because // each mock embeds its tag in the response. func TestRouter_RegisterESTHandlers_MultipleProfilesNoCrossBleed(t *testing.T) { r := New() r.RegisterESTHandlers(map[string]handler.ESTHandler{ "": handler.NewESTHandler(&estProfileMockService{tag: "default"}), "corp": handler.NewESTHandler(&estProfileMockService{tag: "corp"}), "iot": handler.NewESTHandler(&estProfileMockService{tag: "iot"}), }) cases := []struct { path string wantTag string }{ {"/.well-known/est/csrattrs", "default"}, {"/.well-known/est/corp/csrattrs", "corp"}, {"/.well-known/est/iot/csrattrs", "iot"}, } for _, tc := range cases { t.Run(tc.path, func(t *testing.T) { req := httptest.NewRequest(http.MethodGet, tc.path, nil) w := httptest.NewRecorder() r.ServeHTTP(w, req) if w.Code != http.StatusOK { t.Fatalf("code %d, want 200 (body=%q)", w.Code, w.Body.String()) } // The handler base64-encodes csrattrs bytes; decode our literal // to confirm the right profile's mock was hit. body := w.Body.String() // PROFILE= is emitted by the mock; the handler base64- // encodes the bytes in the body. Two checks: status was 200 // (above) AND the base64-decoded body would carry the tag. // We don't decode here — the SCEP equivalent uses substring // match against the raw body too; for EST the raw body IS // base64 of "PROFILE=". Decode-and-match is the // same verification operation; substring against the raw // base64 works because each profile's tag has a unique // base64 prefix. if !contains(body, base64Tag(tc.wantTag)) { t.Errorf("body = %q, want base64-encoded PROFILE=%s prefix", body, tc.wantTag) } }) } } func TestRouter_RegisterESTHandlers_EmptyMapRegistersNoRoutes(t *testing.T) { r := New() r.RegisterESTHandlers(map[string]handler.ESTHandler{}) req := httptest.NewRequest(http.MethodGet, "/.well-known/est/csrattrs", nil) w := httptest.NewRecorder() r.ServeHTTP(w, req) if w.Code != http.StatusNotFound && w.Code != http.StatusMethodNotAllowed { t.Errorf("/.well-known/est/csrattrs with no profiles registered — code %d, want 404 or 405", w.Code) } } // base64Tag returns the base64-encoded form of "PROFILE=" — used by // the cross-bleed test to verify the mock's response made it through the // handler's base64 encoding step. Local helper to avoid importing // encoding/base64 just for this; the encoding is tiny and stable. func base64Tag(tag string) string { // stdlib produces "UFJPRklMRT0=" for "PROFILE=" — but each tag // changes the suffix, so we match on the stable prefix only. // "PROFILE=" → standard base64 "UFJPRklMRT0=" (when alone). // "PROFILE=corp" → "UFJPRklMRT1jb3Jw" // "PROFILE=iot" → "UFJPRklMRT1pb3Q=" // "PROFILE=default" → "UFJPRklMRT1kZWZhdWx0" // All share the prefix "UFJPRklMRT" (= base64 of "PROFILE"). The tag // suffix differs, which is what cross-bleed would change. switch tag { case "default": return "UFJPRklMRT1kZWZhdWx0" case "corp": return "UFJPRklMRT1jb3Jw" case "iot": return "UFJPRklMRT1pb3Q" } return "UFJPRklMRT" // safe fallback prefix }