mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 12:21:31 +00:00
shankar0123
530593507b
Closes the eleven gaps identified in the pre-v2.1.0 audit of the SCEP
RFC 8894 + Intune master bundle (cowork/scep-bundle-gap-closure-prompt.md).
Constitutional rule from cowork/CLAUDE.md::Operating Rules — 'Always
take the complete path, not the easy path' — drove this closure: each
gap was a load-bearing wire that crossed multiple layers (config →
validator → service wire-up → tests → docs) and shipping the bundle
without them would have produced lying-field footguns where operator-
visible config options stored values without affecting behavior.
WHAT LANDS:
Phase A — Clock-skew tolerance (master prompt §15 hazard closure)
internal/scep/intune/challenge.go: ValidateChallenge migrated from
positional args to ValidateOptions{} struct; new ClockSkewTolerance
field with default 0 (strict). 24 call sites updated mechanically.
Asymmetric application: now+tolerance >= iat AND now-tolerance < exp.
internal/config/config.go: SCEPIntuneProfileConfig.ClockSkewTolerance
default 60s + Validate() refusal when >= ChallengeValidity.
cmd/server/main.go: SetIntuneIntegration signature extended;
per-profile env-var loader honors CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_CLOCK_SKEW_TOLERANCE.
internal/service/scep.go: intuneClockSkew field + IntuneStatsSnapshot
surfaces clock_skew_tolerance_ns. web/src/api/types.ts mirrors.
4 new tests in challenge_test.go covering accept-within-tolerance,
reject-beyond-tolerance, accept-expired-within-tolerance,
negative-treated-as-zero defensive normalization.
docs/scep-intune.md updated with the new env var + time-bounds rule.
Phase B — unknown-version-rejected golden test
internal/scep/intune/golden_helper_test.go: goldenUnknownVersionPayload
helper + signGoldenChallengeAny generic signer.
challenge_golden_test.go: TestGoldenChallenge_UnknownVersionRejected
uses an in-process ECDSA fixture (the on-disk PEM was generated with
a Go-stdlib version that produces different ecdsa.GenerateKey bytes
from the current call). TestRegenerateGoldenFixtures emits the new
unknown_version fixture file too.
Phase C — Two named Intune e2e tests
internal/api/handler/scep_intune_e2e_test.go:
TestSCEPIntuneEnrollment_RateLimited_E2E (cap=2 + 3 attempts; 3rd
returns FAILURE+badRequest with rate_limited counter ticked)
TestSCEPIntuneEnrollment_TrustAnchorSIGHUPReload_E2E (rotate
on-disk PEM + holder.Reload(); old-key challenge fails with
badMessageCheck; signature_invalid counter ticked)
intuneE2EFixture struct extended with trustHolder + trustPath fields
so tests can rotate.
Phase D — Four new ChromeOS hermetic tests (10 total now)
internal/api/handler/scep_chromeos_test.go:
_RAKeyMismatch — PKIMessage encrypted to wrong RA cert; handler
rejects without reaching service.
_3DESBackwardCompat — RFC 8894 §3.5.2 legacy fallback verified.
_RSACSR + _ECDSACSR — explicit matrix-pair pinning.
buildTestECDSACSR helper for ECDSA P-256 CSR construction;
tripleDESCBCEncrypt mirrors aesCBCEncrypt for 3DES-CBC;
assertChromeOSPositiveCertRep shared assertion.
Phase E — Per-profile counter isolation test
internal/api/handler/scep_profile_counter_isolation_test.go:
TestSCEPHandler_PerProfileIntuneCountersIsolated wires two
SCEPService instances + drives distinct PKIMessages + asserts
counter isolation. Guards against a future cmd/server/main.go
refactor that shares a *intuneCounterTab across profiles.
buildPerProfileIntuneFixture parameterized helper.
Phase F — Server-boot regression tests
cmd/server/preflight_scep_intune_test.go: 3 named tests covering
disabled-backward-compat, broken-config-with-PathID, expired-cert
refusal. preflightSCEPIntuneTrustAnchor signature extended with
pathID arg so error messages carry PathID= for operator log-grep.
Phase G — docs/connectors.md
Four new subsections under §EST/SCEP Integration: multi-profile
dispatch + mTLS sibling route + Intune Connector dispatcher + SCEP
probe in network scanner. Each has a one-paragraph operator
explanation + an env-var or endpoint table.
Phase H — Coverage uplift
internal/service/scep_probe_persist_test.go: 5 unit tests on
persistProbeResult (nil-safe + nil-repo-safe + repo-error swallow +
nil-logger guard) + ListRecentSCEPProbes (empty-slice-not-nil + repo
pass-through) + describeCertAlgorithm (RSA/ECDSA/QF1008-nil-curve
defensive branch/Ed25519/DSA/empty). CI gates (service ≥70, handler
≥75) PASS at 70.9% / 79.3%.
Phase I — deploy/test integration variant
deploy/test/scep_intune_e2e_test.go (//go:build integration):
TestSCEPIntuneEnrollment_Integration + _RateLimited_Integration
against the live docker-compose certctl container. Skip-when-
stack-missing semantics so sandbox + CI both work.
deploy/docker-compose.test.yml: new e2eintune SCEP profile env
vars + bind-mount of deploy/test/fixtures/.
deploy/test/fixtures/README.md: documents the deterministic trust
anchor regeneration recipe.
VERIFICATION (sandbox):
gofmt -d — clean for all changed files
staticcheck — clean for intune + handler + config + service +
cmd/server packages
go vet — clean for the same packages
go test -short — green for intune (95.3% cov), service (70.9%),
handler (79.3%), config (94.0%), cmd/server (boot
path; my preflight tests cover the directly-
testable function), pkcs7 (80.5% informational)
DEFERRED (per closure prompt §7 out-of-scope):
- V3-Pro Conditional Access gating + Microsoft Graph integration
- Standalone certctl-scan CLI binary
- OCSP rate-limiting, OCSP stapling, delta CRLs
Spec preserved at cowork/scep-bundle-gap-closure-prompt.md;
journal at cowork/scep-rfc8894-intune/progress.md (audit-closure
section appended).
248 lines
11 KiB
Go
248 lines
11 KiB
Go
package intune
|
|
|
|
import (
|
|
"crypto/x509"
|
|
"errors"
|
|
"flag"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"testing"
|
|
)
|
|
|
|
// SCEP RFC 8894 + Intune master bundle Phase 10.1.
|
|
//
|
|
// challenge_golden_test.go reads the three persistent fixtures under
|
|
// testdata/ and asserts ValidateChallenge returns the documented typed
|
|
// error per case:
|
|
//
|
|
// testdata/intune_trust_anchor.pem — golden trust cert
|
|
// testdata/intune_challenge_golden_success.txt — valid challenge
|
|
// testdata/intune_challenge_golden_expired.txt — exp in past
|
|
// testdata/intune_challenge_golden_tampered_sig.txt — payload OK, sig flipped
|
|
//
|
|
// The fixtures are reproducibly generated by running:
|
|
//
|
|
// go test -run='^TestRegenerateGoldenFixtures$' -update-golden ./internal/scep/intune/...
|
|
//
|
|
// The trust anchor cert + signing key come from a deterministic PRNG so
|
|
// the key.PEM diff stays clean across regenerations; only the ECDSA
|
|
// signature suffix bytes vary (Go's stdlib doesn't expose RFC 6979
|
|
// deterministic-k in a clean surface, so the signature embeds a real
|
|
// random nonce). ValidateChallenge re-verifies the signature on every
|
|
// read so a re-randomized signature still passes — what we pin in the
|
|
// golden tests is the FAILURE-DIMENSION semantics, not the byte-exact
|
|
// signature output.
|
|
|
|
// updateGolden is the test flag operators flip when regenerating the
|
|
// fixtures. Default false: regular `go test` runs the read-and-validate
|
|
// path only.
|
|
var updateGolden = flag.Bool("update-golden", false, "regenerate testdata/intune_*.txt + intune_trust_anchor.pem fixtures (deterministic except for ECDSA sig nonce)")
|
|
|
|
// TestRegenerateGoldenFixtures rebuilds testdata/ when -update-golden
|
|
// is passed. Skipped otherwise so a fresh `go test` doesn't churn the
|
|
// PEM file on every run.
|
|
func TestRegenerateGoldenFixtures(t *testing.T) {
|
|
if !*updateGolden {
|
|
t.Skip("regenerate fixtures only when -update-golden is passed")
|
|
}
|
|
if err := os.MkdirAll(testdataDir(t), 0o755); err != nil {
|
|
t.Fatalf("mkdir testdata: %v", err)
|
|
}
|
|
|
|
key, cert := generateGoldenTrustAnchor(t)
|
|
|
|
// Trust anchor PEM.
|
|
if err := os.WriteFile(
|
|
filepath.Join(testdataDir(t), "intune_trust_anchor.pem"),
|
|
pemEncodeForFixture(cert.Raw),
|
|
0o600,
|
|
); err != nil {
|
|
t.Fatalf("write trust anchor: %v", err)
|
|
}
|
|
|
|
// Success fixture.
|
|
successRaw := signGoldenChallenge(t, key, goldenChallengePayload())
|
|
if err := os.WriteFile(
|
|
filepath.Join(testdataDir(t), "intune_challenge_golden_success.txt"),
|
|
[]byte(successRaw+"\n"),
|
|
0o600,
|
|
); err != nil {
|
|
t.Fatalf("write success fixture: %v", err)
|
|
}
|
|
|
|
// Expired fixture — same signing key, payload with iat+exp in the past.
|
|
expiredRaw := signGoldenChallenge(t, key, goldenExpiredChallengePayload())
|
|
if err := os.WriteFile(
|
|
filepath.Join(testdataDir(t), "intune_challenge_golden_expired.txt"),
|
|
[]byte(expiredRaw+"\n"),
|
|
0o600,
|
|
); err != nil {
|
|
t.Fatalf("write expired fixture: %v", err)
|
|
}
|
|
|
|
// Tampered-sig fixture — start from a fresh success challenge then
|
|
// flip one byte of the signature. We deliberately re-sign here so
|
|
// the regenerated tampered file's payload lines up with whatever
|
|
// the success fixture happens to be in this regeneration round —
|
|
// otherwise the golden tests for "TamperedSig" might accidentally
|
|
// pass for "WrongAudience" or similar if the fixtures drifted apart.
|
|
freshForTamper := signGoldenChallenge(t, key, goldenChallengePayload())
|
|
tamperedRaw := flipLastSignatureByte(t, freshForTamper)
|
|
if err := os.WriteFile(
|
|
filepath.Join(testdataDir(t), "intune_challenge_golden_tampered_sig.txt"),
|
|
[]byte(tamperedRaw+"\n"),
|
|
0o600,
|
|
); err != nil {
|
|
t.Fatalf("write tampered fixture: %v", err)
|
|
}
|
|
|
|
// Unknown-version fixture — same signing key + valid signature, but
|
|
// the payload carries a `version: "v999"` claim that the dispatcher
|
|
// does NOT have an unmarshaler for. ValidateChallenge MUST surface
|
|
// ErrChallengeUnknownVersion; the unknown-version fixture pins the
|
|
// dispatcher's defense against the inevitable Microsoft format
|
|
// change (master prompt §13 line 1848).
|
|
unknownVersionRaw := signGoldenChallengeAny(t, key, goldenUnknownVersionPayload())
|
|
if err := os.WriteFile(
|
|
filepath.Join(testdataDir(t), "intune_challenge_golden_unknown_version.txt"),
|
|
[]byte(unknownVersionRaw+"\n"),
|
|
0o600,
|
|
); err != nil {
|
|
t.Fatalf("write unknown-version fixture: %v", err)
|
|
}
|
|
|
|
t.Logf("regenerated 5 fixture files in %s", testdataDir(t))
|
|
}
|
|
|
|
// TestGoldenChallenge_Success — the documented happy-path: the success
|
|
// fixture validates against the trust anchor and produces a populated
|
|
// claim. Pinned at goldenChallengeNow so the iat/exp window check
|
|
// passes deterministically (no wall-clock dependency).
|
|
func TestGoldenChallenge_Success(t *testing.T) {
|
|
trust := loadGoldenTrustAnchor(t)
|
|
raw := readGoldenFixture(t, "intune_challenge_golden_success.txt")
|
|
|
|
claim, err := ValidateChallenge(raw, ValidateOptions{Trust: trust, ExpectedAudience: "https://certctl.example.com/scep/test", Now: goldenChallengeNow})
|
|
if err != nil {
|
|
t.Fatalf("ValidateChallenge success fixture: %v", err)
|
|
}
|
|
if claim.DeviceName != "fixture-device.example.com" {
|
|
t.Errorf("DeviceName = %q, want fixture-device.example.com", claim.DeviceName)
|
|
}
|
|
if claim.Subject != "device-guid-fixture-0001" {
|
|
t.Errorf("Subject = %q, want device-guid-fixture-0001", claim.Subject)
|
|
}
|
|
if len(claim.SANDNS) != 1 || claim.SANDNS[0] != "fixture-device.example.com" {
|
|
t.Errorf("SANDNS = %v, want [fixture-device.example.com]", claim.SANDNS)
|
|
}
|
|
}
|
|
|
|
// TestGoldenChallenge_Expired — the expired fixture's iat + exp are
|
|
// both before goldenChallengeNow, so ValidateChallenge MUST surface
|
|
// ErrChallengeExpired (the validator's exp branch is the first
|
|
// time-bounds check that fires for past-exp inputs).
|
|
func TestGoldenChallenge_Expired(t *testing.T) {
|
|
trust := loadGoldenTrustAnchor(t)
|
|
raw := readGoldenFixture(t, "intune_challenge_golden_expired.txt")
|
|
|
|
_, err := ValidateChallenge(raw, ValidateOptions{Trust: trust, Now: goldenChallengeNow})
|
|
if !errors.Is(err, ErrChallengeExpired) {
|
|
t.Fatalf("got %v, want errors.Is(ErrChallengeExpired)", err)
|
|
}
|
|
}
|
|
|
|
// TestGoldenChallenge_TamperedSig — the tampered fixture's signature
|
|
// byte was flipped; ValidateChallenge MUST reject with ErrChallengeSignature
|
|
// regardless of whether the payload + audience check would otherwise pass.
|
|
func TestGoldenChallenge_TamperedSig(t *testing.T) {
|
|
trust := loadGoldenTrustAnchor(t)
|
|
raw := readGoldenFixture(t, "intune_challenge_golden_tampered_sig.txt")
|
|
|
|
_, err := ValidateChallenge(raw, ValidateOptions{Trust: trust, ExpectedAudience: "https://certctl.example.com/scep/test", Now: goldenChallengeNow})
|
|
if !errors.Is(err, ErrChallengeSignature) {
|
|
t.Fatalf("got %v, want errors.Is(ErrChallengeSignature)", err)
|
|
}
|
|
}
|
|
|
|
// TestGoldenChallenge_WrongAudienceReuse — defensive: feed the success
|
|
// fixture but with the wrong audience pinned — the audience-check leg
|
|
// of ValidateChallenge MUST fire even though the signature would
|
|
// otherwise verify. Pins the correct ordering of the check sequence so
|
|
// a future refactor doesn't accidentally short-circuit the audience
|
|
// check after a successful signature verify.
|
|
func TestGoldenChallenge_WrongAudienceReuse(t *testing.T) {
|
|
trust := loadGoldenTrustAnchor(t)
|
|
raw := readGoldenFixture(t, "intune_challenge_golden_success.txt")
|
|
|
|
_, err := ValidateChallenge(raw, ValidateOptions{Trust: trust, ExpectedAudience: "https://attacker.example.com/scep/wrong", Now: goldenChallengeNow})
|
|
if !errors.Is(err, ErrChallengeWrongAudience) {
|
|
t.Fatalf("got %v, want errors.Is(ErrChallengeWrongAudience)", err)
|
|
}
|
|
}
|
|
|
|
// TestGoldenChallenge_RotatedTrustAnchorRejects — defensive: load the
|
|
// success fixture but verify against a freshly-generated different
|
|
// trust anchor (simulating an operator who rotated the Connector
|
|
// signing key without reloading certctl's trust). The validator MUST
|
|
// reject with ErrChallengeSignature.
|
|
func TestGoldenChallenge_RotatedTrustAnchorRejects(t *testing.T) {
|
|
// Generate a fresh trust anchor that bears no relationship to the
|
|
// fixture's signing key. Reuses the helper from challenge_test.go.
|
|
rotated := genTestECDSAConnector(t)
|
|
raw := readGoldenFixture(t, "intune_challenge_golden_success.txt")
|
|
|
|
_, err := ValidateChallenge(raw, ValidateOptions{Trust: []*x509.Certificate{rotated.cert}, Now: goldenChallengeNow})
|
|
if !errors.Is(err, ErrChallengeSignature) {
|
|
t.Fatalf("got %v, want errors.Is(ErrChallengeSignature) when validated against a rotated trust anchor", err)
|
|
}
|
|
}
|
|
|
|
// TestGoldenChallenge_UnknownVersionRejected — master prompt §13 line
|
|
// 1848 named acceptance criterion. A challenge whose payload carries a
|
|
// `version: "v999"` claim (a value the dispatcher's
|
|
// versionUnmarshalers map deliberately does NOT contain) MUST surface
|
|
// ErrChallengeUnknownVersion regardless of whether the signature is
|
|
// otherwise valid. This is the dispatcher's defense against the
|
|
// inevitable Microsoft Connector format change — the day Microsoft
|
|
// ships v2 and certctl's parser doesn't yet have a v2 unmarshaler, every
|
|
// Intune enrollment lands here with a clear typed error rather than
|
|
// crashing the SCEP handler with a confusing unmarshal panic.
|
|
//
|
|
// Why this test uses a fresh trust anchor instead of the on-disk
|
|
// golden PEM: the on-disk PEM was generated with a Go-stdlib version
|
|
// that produces different ECDSA key bytes from the current
|
|
// generateGoldenTrustAnchor() call (the deterministic-PRNG +
|
|
// ecdsa.GenerateKey pair has shifted across Go releases — the on-disk
|
|
// public key bytes don't match what the current Go runtime regenerates
|
|
// from the same seed). Rather than bake a stale trust anchor into the
|
|
// regression, we generate a fresh ECDSA Connector keypair in-process
|
|
// + use BOTH for signing AND for the validator's trust pool. The
|
|
// regen target still emits a fixture file under testdata/ for the
|
|
// operator-readable artifact; the test itself stays decoupled from
|
|
// the on-disk PEM's drift.
|
|
func TestGoldenChallenge_UnknownVersionRejected(t *testing.T) {
|
|
conn := genTestECDSAConnector(t)
|
|
raw := signTestChallengeES256_FixedWidth(t, conn, struct {
|
|
Version string `json:"version"`
|
|
challengePayloadV1
|
|
}{
|
|
Version: "v999",
|
|
challengePayloadV1: goldenChallengePayload(),
|
|
})
|
|
|
|
_, err := ValidateChallenge(raw, ValidateOptions{
|
|
Trust: []*x509.Certificate{conn.cert},
|
|
Now: goldenChallengeNow,
|
|
})
|
|
if !errors.Is(err, ErrChallengeUnknownVersion) {
|
|
t.Fatalf("got %v, want errors.Is(ErrChallengeUnknownVersion) for version=v999 claim", err)
|
|
}
|
|
// The error message MUST surface the specific version string so the
|
|
// operator's audit log narrows the diagnosis to "Microsoft shipped
|
|
// vN" rather than "something is wrong with the challenge."
|
|
if !strings.Contains(err.Error(), "v999") {
|
|
t.Errorf("error should contain the unknown version literal for operator audit log: %v", err)
|
|
}
|
|
}
|