mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 14:51:30 +00:00
shankar0123
7ff2e2de08
Phase 3.5 atomic conversion. The five legacy admin-gated handlers (bulk_revocation, admin_crl_cache, admin_scep_intune, admin_est, intermediate_ca) had their in-body auth.IsAdmin checks removed; the gate moved to router.go via auth.RequirePermission middleware wrapping each route. Non-admin operators with the right scoped permission can now reach these endpoints; legacy in-body admin checks no longer block them.
Migration 000030_rbac_admin_perms.up.sql ships five admin-only fine-grained permissions: cert.bulk_revoke, crl.admin, scep.admin, est.admin, ca.hierarchy.manage. All five are seeded into r-admin only; operator/viewer/agent/mcp/cli/auditor do not receive them by default. Operators can grant any of these to a custom role via the Phase 4 RBAC API. Idempotent + transaction-wrapped.
internal/domain/auth/validate.go::CanonicalPermissions extended with the five new entries so RoleService.AddPermission accepts them.
internal/api/router/router.go: HandlerRegistry gains a Checker field (auth.PermissionChecker). New rbacGate(checker, perm, handler) helper wraps a handler with auth.RequirePermission middleware; nil-checker fall-through preserves test/demo deployments without the RBAC stack. 12 admin routes wrapped: cert.bulk_revoke (POST /api/v1/certificates/bulk-revoke + POST /api/v1/est/certificates/bulk-revoke), crl.admin (GET /api/v1/admin/crl/cache), scep.admin (GET /api/v1/admin/scep/profiles + GET /api/v1/admin/scep/intune/stats + POST /api/v1/admin/scep/intune/reload-trust), est.admin (GET /api/v1/admin/est/profiles + POST /api/v1/admin/est/reload-trust), ca.hierarchy.manage (POST /api/v1/issuers/{id}/intermediates + GET /api/v1/issuers/{id}/intermediates + POST /api/v1/intermediates/{id}/retire + GET /api/v1/intermediates/{id}).
cmd/server/main.go: HandlerRegistry.Checker wired with the same authPermissionCheckerAdapter shim Phase 4 introduced for AuthHandler. Same adapter; one source of truth.
Handler bodies: removed eight in-body auth.IsAdmin checks across the 5 files. bulk_revocation.go's BulkRevoke + BulkRevokeEST, admin_crl_cache.go::ListCache, admin_scep_intune.go's three methods, admin_est.go's two methods, intermediate_ca.go's four methods. Replaced each with a comment naming the new gate location. Unused 'github.com/certctl-io/certctl/internal/auth' imports removed.
Test triplet rewrite: deleted obsolete _NonAdmin_Returns403 and _AdminExplicitFalse_Returns403 tests across 6 test files (5 handler tests + bulk_revocation_est_test.go) — they tested the now-removed in-body gate. _AdminPermitted_ForwardsActor tests stay intact: they pin the actor-passthrough invariant which is still relevant. Added internal/api/router/rbac_gate_integration_test.go with four router-level integration tests pinning the new gate: deny → 403 + handler not reached, permit → 200 + handler reached, nil-checker → fall-through, no-actor → 401.
M-008 admin-gate registry: AdminGatedHandlers map now empty (Phase 3.5 invariant: zero in-handler auth.IsAdmin call sites; only health.go's informational caller remains). m008_admin_gate_test.go retains the scan to enforce the invariant going forward; new admin-gated routes must wrap at router.go::rbacGate, not gate in-handler. Updated error message to direct future contributors to the new pattern.
Verifications: gofmt clean across all touched files; go vet ./... clean; go test -short across internal/auth, internal/service/auth, internal/api/handler, internal/api/router, cmd/server all green.
Branch: dev/auth-bundle-1. Commit chain: 99a012e (Phase 0 extract) -> 19497ee (Phase 1 schema + repo) -> bd54d5f (Phase 2 service) -> d473398 (Phase 3 primitive) -> b169f25 (Phase 4 + 5) -> THIS (Phase 3.5 conversion). Phase 6+ (bootstrap, scope-down, auditor, approval-bypass closure, GUI, docs) on subsequent sessions.
366 lines
13 KiB
Go
366 lines
13 KiB
Go
package handler
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/certctl-io/certctl/internal/api/middleware"
|
|
"github.com/certctl-io/certctl/internal/auth"
|
|
"github.com/certctl-io/certctl/internal/service"
|
|
)
|
|
|
|
// fakeAdminSCEPIntuneService is the test stub for AdminSCEPIntuneService.
|
|
// Records call observations so the M-008 admin-gate triplet can pin
|
|
// "service was never invoked" when the gate rejects the caller.
|
|
type fakeAdminSCEPIntuneService struct {
|
|
statsCalled bool
|
|
profilesCalled bool
|
|
reloadCalled bool
|
|
rows []service.IntuneStatsSnapshot
|
|
profileRows []service.SCEPProfileStatsSnapshot
|
|
statsErr error
|
|
profilesErr error
|
|
reloadPathID string
|
|
reloadErr error
|
|
}
|
|
|
|
func (f *fakeAdminSCEPIntuneService) Stats(_ context.Context, _ time.Time) ([]service.IntuneStatsSnapshot, error) {
|
|
f.statsCalled = true
|
|
return f.rows, f.statsErr
|
|
}
|
|
|
|
func (f *fakeAdminSCEPIntuneService) Profiles(_ context.Context, _ time.Time) ([]service.SCEPProfileStatsSnapshot, error) {
|
|
f.profilesCalled = true
|
|
return f.profileRows, f.profilesErr
|
|
}
|
|
|
|
func (f *fakeAdminSCEPIntuneService) ReloadTrust(_ context.Context, pathID string) error {
|
|
f.reloadCalled = true
|
|
f.reloadPathID = pathID
|
|
return f.reloadErr
|
|
}
|
|
|
|
// =============================================================================
|
|
// M-008 admin-gate triplet for Stats (GET).
|
|
// =============================================================================
|
|
|
|
func TestAdminSCEPIntune_AdminPermitted_ForwardsActor(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{
|
|
rows: []service.IntuneStatsSnapshot{
|
|
{PathID: "corp", IssuerID: "iss-corp", Enabled: true},
|
|
{PathID: "iot", IssuerID: "iss-iot", Enabled: false},
|
|
},
|
|
}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/intune/stats", nil)
|
|
ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
|
|
ctx = context.WithValue(ctx, auth.AdminKey{}, true)
|
|
ctx = context.WithValue(ctx, auth.UserKey{}, "ops-admin")
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
|
|
h.Stats(w, req)
|
|
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("expected 200 for admin caller, got %d (body=%q)", w.Code, w.Body.String())
|
|
}
|
|
if !svc.statsCalled {
|
|
t.Fatal("service was not invoked for admin caller")
|
|
}
|
|
var resp map[string]any
|
|
if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
|
|
t.Fatalf("decode response: %v", err)
|
|
}
|
|
if pc, ok := resp["profile_count"].(float64); !ok || pc != 2 {
|
|
t.Errorf("profile_count = %v, want 2", resp["profile_count"])
|
|
}
|
|
if _, ok := resp["profiles"].([]any); !ok {
|
|
t.Errorf("profiles missing or wrong shape: %v", resp["profiles"])
|
|
}
|
|
}
|
|
|
|
// =============================================================================
|
|
// M-008 triplet for ReloadTrust (POST).
|
|
// =============================================================================
|
|
|
|
func TestAdminSCEPIntuneReload_AdminPermitted_ForwardsActor(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
body := `{"path_id":"corp"}`
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
|
|
strings.NewReader(body))
|
|
req.ContentLength = int64(len(body))
|
|
ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
|
|
ctx = context.WithValue(ctx, auth.UserKey{}, "ops-admin")
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
|
|
h.ReloadTrust(w, req)
|
|
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("expected 200, got %d (body=%q)", w.Code, w.Body.String())
|
|
}
|
|
if !svc.reloadCalled {
|
|
t.Fatal("reload was not invoked")
|
|
}
|
|
if svc.reloadPathID != "corp" {
|
|
t.Errorf("path_id forwarded = %q, want corp", svc.reloadPathID)
|
|
}
|
|
var resp map[string]any
|
|
_ = json.NewDecoder(w.Body).Decode(&resp)
|
|
if reloaded, _ := resp["reloaded"].(bool); !reloaded {
|
|
t.Errorf("response.reloaded = %v, want true", resp["reloaded"])
|
|
}
|
|
}
|
|
|
|
// =============================================================================
|
|
// Endpoint behavior — method gates, error mapping, body parsing.
|
|
// =============================================================================
|
|
|
|
func TestAdminSCEPIntuneStats_RejectsNonGetMethod(t *testing.T) {
|
|
h := NewAdminSCEPIntuneHandler(&fakeAdminSCEPIntuneService{})
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/stats", nil)
|
|
ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
h.Stats(w, req)
|
|
if w.Code != http.StatusMethodNotAllowed {
|
|
t.Errorf("expected 405 for POST, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPIntuneReload_RejectsNonPostMethod(t *testing.T) {
|
|
h := NewAdminSCEPIntuneHandler(&fakeAdminSCEPIntuneService{})
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/intune/reload-trust", nil)
|
|
ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
h.ReloadTrust(w, req)
|
|
if w.Code != http.StatusMethodNotAllowed {
|
|
t.Errorf("expected 405 for GET, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPIntuneStats_PropagatesServiceError(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{statsErr: errors.New("registry walk failed")}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/intune/stats", nil)
|
|
ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
h.Stats(w, req)
|
|
if w.Code != http.StatusInternalServerError {
|
|
t.Errorf("expected 500 on service error, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPIntuneReload_ProfileNotFound_Returns404(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{reloadErr: ErrAdminSCEPProfileNotFound}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
|
|
strings.NewReader(`{"path_id":"nonexistent"}`))
|
|
req.ContentLength = int64(len(`{"path_id":"nonexistent"}`))
|
|
ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
h.ReloadTrust(w, req)
|
|
if w.Code != http.StatusNotFound {
|
|
t.Errorf("expected 404 for unknown profile, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPIntuneReload_IntuneDisabled_Returns409(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{reloadErr: service.ErrSCEPProfileIntuneDisabled}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
|
|
strings.NewReader(`{"path_id":"iot"}`))
|
|
req.ContentLength = int64(len(`{"path_id":"iot"}`))
|
|
ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
h.ReloadTrust(w, req)
|
|
if w.Code != http.StatusConflict {
|
|
t.Errorf("expected 409 for Intune-disabled profile, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPIntuneReload_BadReloadPropagates500(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{reloadErr: errors.New("trust anchor cert expired")}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
|
|
strings.NewReader(`{"path_id":"corp"}`))
|
|
req.ContentLength = int64(len(`{"path_id":"corp"}`))
|
|
ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
h.ReloadTrust(w, req)
|
|
if w.Code != http.StatusInternalServerError {
|
|
t.Errorf("expected 500 on bad reload, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPIntuneReload_EmptyBodyTargetsLegacyRoot(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust", nil)
|
|
ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
h.ReloadTrust(w, req)
|
|
if w.Code != http.StatusOK {
|
|
t.Errorf("expected 200 with empty body (legacy root path), got %d", w.Code)
|
|
}
|
|
if svc.reloadPathID != "" {
|
|
t.Errorf("empty body should target empty PathID; got %q", svc.reloadPathID)
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPIntuneReload_RejectsMalformedJSON(t *testing.T) {
|
|
h := NewAdminSCEPIntuneHandler(&fakeAdminSCEPIntuneService{})
|
|
bad := `{not valid json`
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
|
|
strings.NewReader(bad))
|
|
req.ContentLength = int64(len(bad))
|
|
ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
h.ReloadTrust(w, req)
|
|
if w.Code != http.StatusBadRequest {
|
|
t.Errorf("expected 400 on malformed JSON, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
// =============================================================================
|
|
// AdminSCEPIntuneServiceImpl — narrow integration with the per-profile map.
|
|
// =============================================================================
|
|
|
|
func TestAdminSCEPIntuneServiceImpl_NilMapReturnsEmpty(t *testing.T) {
|
|
impl := NewAdminSCEPIntuneServiceImpl(nil)
|
|
rows, err := impl.Stats(context.Background(), time.Now())
|
|
if err != nil {
|
|
t.Fatalf("nil-map Stats: %v", err)
|
|
}
|
|
if len(rows) != 0 {
|
|
t.Errorf("nil-map Stats len=%d, want 0", len(rows))
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPIntuneServiceImpl_ReloadUnknownPathReturnsNotFound(t *testing.T) {
|
|
impl := NewAdminSCEPIntuneServiceImpl(map[string]*service.SCEPService{})
|
|
if err := impl.ReloadTrust(context.Background(), "nope"); !errors.Is(err, ErrAdminSCEPProfileNotFound) {
|
|
t.Errorf("ReloadTrust unknown = %v, want ErrAdminSCEPProfileNotFound", err)
|
|
}
|
|
}
|
|
|
|
// =============================================================================
|
|
// M-008 admin-gate triplet for Profiles (GET) — Phase 9 follow-up endpoint.
|
|
// =============================================================================
|
|
|
|
func TestAdminSCEPProfiles_AdminPermitted_ForwardsActor(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{
|
|
profileRows: []service.SCEPProfileStatsSnapshot{
|
|
{
|
|
PathID: "corp",
|
|
IssuerID: "iss-corp",
|
|
ChallengePasswordSet: true,
|
|
MTLSEnabled: true,
|
|
Intune: &service.IntuneSection{
|
|
Audience: "https://certctl.example.com/scep/corp",
|
|
},
|
|
},
|
|
{
|
|
PathID: "iot",
|
|
IssuerID: "iss-iot",
|
|
ChallengePasswordSet: true,
|
|
// Intune nil — disabled
|
|
},
|
|
},
|
|
}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/profiles", nil)
|
|
ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
|
|
ctx = context.WithValue(ctx, auth.AdminKey{}, true)
|
|
ctx = context.WithValue(ctx, auth.UserKey{}, "ops-admin")
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
|
|
h.Profiles(w, req)
|
|
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("expected 200 for admin caller, got %d (body=%q)", w.Code, w.Body.String())
|
|
}
|
|
if !svc.profilesCalled {
|
|
t.Fatal("service was not invoked for admin caller")
|
|
}
|
|
var resp map[string]any
|
|
if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
|
|
t.Fatalf("decode response: %v", err)
|
|
}
|
|
if pc, ok := resp["profile_count"].(float64); !ok || pc != 2 {
|
|
t.Errorf("profile_count = %v, want 2", resp["profile_count"])
|
|
}
|
|
rows, ok := resp["profiles"].([]any)
|
|
if !ok || len(rows) != 2 {
|
|
t.Fatalf("profiles missing or wrong shape: %v", resp["profiles"])
|
|
}
|
|
// Find the Intune-enabled vs Intune-disabled row by path_id and
|
|
// assert the Intune sub-block is present/absent accordingly.
|
|
for _, raw := range rows {
|
|
row := raw.(map[string]any)
|
|
switch row["path_id"] {
|
|
case "corp":
|
|
if _, has := row["intune"]; !has {
|
|
t.Errorf("expected corp profile to carry an intune sub-block")
|
|
}
|
|
case "iot":
|
|
if _, has := row["intune"]; has {
|
|
t.Errorf("expected iot profile to OMIT the intune sub-block (Intune disabled)")
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPProfiles_RejectsNonGetMethod(t *testing.T) {
|
|
h := NewAdminSCEPIntuneHandler(&fakeAdminSCEPIntuneService{})
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/profiles", nil)
|
|
ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
h.Profiles(w, req)
|
|
if w.Code != http.StatusMethodNotAllowed {
|
|
t.Errorf("expected 405 for POST, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPProfiles_PropagatesServiceError(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{profilesErr: errors.New("registry walk failed")}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/profiles", nil)
|
|
ctx := context.WithValue(context.Background(), auth.AdminKey{}, true)
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
h.Profiles(w, req)
|
|
if w.Code != http.StatusInternalServerError {
|
|
t.Errorf("expected 500 on service error, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPProfilesServiceImpl_NilMapReturnsEmpty(t *testing.T) {
|
|
impl := NewAdminSCEPIntuneServiceImpl(nil)
|
|
rows, err := impl.Profiles(context.Background(), time.Now())
|
|
if err != nil {
|
|
t.Fatalf("nil-map Profiles: %v", err)
|
|
}
|
|
if len(rows) != 0 {
|
|
t.Errorf("nil-map Profiles len=%d, want 0", len(rows))
|
|
}
|
|
}
|