mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 18:51:32 +00:00
shankar0123
506cff137d
Phase 11.5 of the SCEP RFC 8894 + Intune master bundle. Adds an
operator-facing SCEP probe that issues GetCACaps + GetCACert against
an arbitrary SCEP server URL and returns a structured posture snapshot
(reachable + advertised caps + RFC 8894 / AES / POST / Renewal /
SHA-256 / SHA-512 support flags + CA cert subject + issuer + NotBefore
+ NotAfter + days-to-expiry + algorithm + chain length).
Two operator use cases per the master prompt:
1. Pre-migration assessment — probe an existing EJBCA / NDES SCEP
server before switching to certctl to see what capabilities it
advertises and what the CA cert looks like.
2. Compliance posture audits — periodic ad-hoc probes against the
operator's own SCEP servers to flag drift.
Capability-only — does NOT POST a CSR per the spec (would consume slot
allocations on the target server + create audit noise). Standalone CLI
binary explicitly out of scope (per the master prompt §11.5.6 and the
operator's confirmation): the probe code lands inside certctl; a
future thin Cobra wrapper is a separate decision.
Backend (six new + one extended file):
* internal/domain/network_scan.go — new SCEPProbeResult struct with
every probe field documented for the GUI's display layer.
* migrations/000021_scep_probe_results.up.sql + .down.sql — new
scep_probe_results table with TEXT id, target_url, all probe
flags, CA cert metadata, probed_at, probe_duration_ms, error.
Two indexes: idx_scep_probe_results_probed_at (DESC) for the
'recent probes' GUI query, idx_scep_probe_results_target_url
(target_url, probed_at DESC) for the future per-URL history view.
* internal/repository/interfaces.go — new SCEPProbeResultRepository
interface (Insert + ListRecent).
* internal/repository/postgres/scep_probe_results.go — Postgres
implementation. ListRecent clamps limit to [1, 200]; on read
re-derives ca_cert_days_to_expiry against the query-time wall
clock so 'X days remaining' stays fresh.
* internal/service/scep_probe.go — ProbeSCEP(ctx, url) on
NetworkScanService. Validation order:
1. Up-front URL validation via validation.ValidateSafeURL
(defaults to validation.ValidateSafeURL but injectable for
tests via the new scepValidateURL field on the service).
2. Dial-time SSRF re-check via SafeHTTPDialContext on the
http.Transport (defends against DNS rebinding).
3. GET ?operation=GetCACaps + GET ?operation=GetCACert.
GetCACert handles three response shapes: PKCS#7 SignedData
certs-only envelope (multi-cert), raw DER (single-cert),
and PEM-wrapped DER (non-conforming servers).
Times out at 30s; uses a 1MB body cap for DoS defense; wraps
the result + persists via the repo (nil-safe) before returning.
describeCertAlgorithm helper returns 'RSA-N' / 'ECDSA-curve' /
'Ed25519' / 'DSA' for the GUI's algorithm column.
* internal/service/network_scan.go — added scepProbeRepo +
scepHTTPClient + scepValidateURL + scepIDFn + nowFn fields;
SetSCEPProbeRepo wires the repo at startup.
* internal/api/handler/network_scan.go — extended NetworkScanService
interface with ProbeSCEP + ListRecentSCEPProbes; added two new
HTTP handlers:
POST /api/v1/network-scan/scep-probe (body {url})
GET /api/v1/network-scan/scep-probes (recent history)
Synchronous probe; HTTP 200 with the result body for both success
and reachable-but-failed cases (so the GUI can render the failure
tone with the operator-actionable error message).
* internal/api/router/router.go — registered the two routes inline
after the existing network-scan target endpoints.
* api/openapi.yaml — documented both endpoints (operationId
probeSCEP + listSCEPProbes) with full schema + response codes.
* cmd/server/main.go — wires the new SCEPProbeResultRepository
onto the network scan service via SetSCEPProbeRepo right after
the existing NewNetworkScanService construction.
Backend tests (6 new — exit-criteria-named per the master prompt):
* TestProbeSCEP_AdvertisesAllCaps — happy path, full RFC 8894
capability set, ECDSA P-256 CA cert, 365-day expiry.
* TestProbeSCEP_MissingSCEPStandard — pre-RFC-8894 server (only
POSTPKIOperation + SHA-1 + DES3); SupportsRFC8894 = false.
* TestProbeSCEP_GetCACertExpired — CA cert NotAfter 30d in the
past; CACertExpired = true.
* TestProbeSCEP_Unreachable — connect to TCP port 1; probe
returns Reachable=false + non-empty Error.
* TestProbeSCEP_RejectsReservedIP — http://169.254.169.254/scep
(EC2 metadata literal) rejected by the up-front
validation.ValidateSafeURL gate; result captures the error
without ever issuing the HTTP call.
* TestProbeSCEP_PEMWrappedCert — server returns PEM instead of
raw DER for GetCACert; the fallback parse path handles it.
Frontend (one extended file + types/client):
* web/src/api/types.ts — SCEPProbeResult + SCEPProbesResponse.
* web/src/api/client.ts — probeSCEPServer + listSCEPProbes
helpers.
* web/src/pages/NetworkScanPage.tsx — new SCEPProbeSection
component + ProbeResultPanel (with capability badges + CA cert
details panel + raw caps line) + SCEPProbeHistoryTable. Form
rejects empty URL with inline error before calling the API.
Reload mutation goes through useTrackedMutation with explicit
invalidates: [['scep-probes']] (M-009 contract).
Frontend tests (5 new + 0 regressions):
* Scep probe section header + form renders.
* Empty URL is rejected with inline error and never calls the
probe endpoint.
* Successful probe renders capability badges + CA cert subject
+ days-remaining inline panel.
* Probe-level errors are surfaced in the inline panel (no result
panel rendered).
* Recent-probes history table renders one row per probe.
* (Existing 2 NetworkScanPage XSS-hardening tests stub the new
listSCEPProbes endpoint to an empty list so they still pass.)
Verification:
* gofmt clean on touched files
* go vet ./... clean
* staticcheck on service+handler+router+repository+cmd-server clean
* go test -short across service+handler+router+repository+cmd-server
+ integration: all green (existing + 6 new probe tests pass)
* Frontend tsc --noEmit clean
* Vitest: 7/7 NetworkScanPage tests pass (2 existing XSS + 5 new
probe section)
* G-3 docs-drift CI guard reproduced locally clean (no new env vars)
* M-009 hard-zero useMutation guard clean (probe mutation goes
through useTrackedMutation)
* openapi-parity guard satisfied (both new routes documented)
* The mockNetworkScanService in handler + integration packages
extended with stub Probe methods; targeted coverage stays in
scep_probe_test.go.
Out of scope (per master prompt §11.5.6 + operator confirmation):
* Standalone certctl-scan CLI binary — separate decision, ~1d of
follow-up work when/if shipped.
Refs: cowork/scep-rfc8894-intune-master-prompt.md::Phase 11.5
cowork/scep-rfc8894-intune/progress.md
68 lines
3.4 KiB
Go
68 lines
3.4 KiB
Go
package domain
|
|
|
|
import "time"
|
|
|
|
// NetworkScanTarget defines a network range to scan for TLS certificates.
|
|
type NetworkScanTarget struct {
|
|
ID string `json:"id"`
|
|
Name string `json:"name"`
|
|
CIDRs []string `json:"cidrs"`
|
|
Ports []int64 `json:"ports"`
|
|
Enabled bool `json:"enabled"`
|
|
ScanIntervalHours int `json:"scan_interval_hours"`
|
|
TimeoutMs int `json:"timeout_ms"`
|
|
LastScanAt *time.Time `json:"last_scan_at,omitempty"`
|
|
LastScanDurationMs *int `json:"last_scan_duration_ms,omitempty"`
|
|
LastScanCertsFound *int `json:"last_scan_certs_found,omitempty"`
|
|
CreatedAt time.Time `json:"created_at"`
|
|
UpdatedAt time.Time `json:"updated_at"`
|
|
}
|
|
|
|
// NetworkScanResult holds the outcome of scanning a single endpoint.
|
|
type NetworkScanResult struct {
|
|
Address string // "ip:port"
|
|
Certs []DiscoveredCertEntry
|
|
Error string
|
|
LatencyMs int
|
|
}
|
|
|
|
// SCEPProbeResult is the per-target output of an SCEP probe — a
|
|
// capability/posture snapshot of an SCEP server (RFC 8894 §3.5.1
|
|
// GetCACaps + §3.5.1 GetCACert). Used for pre-migration assessment
|
|
// (operators about to switch from EJBCA / NDES to certctl run the
|
|
// scanner against their existing SCEP server first) and compliance
|
|
// posture audits.
|
|
//
|
|
// SCEP RFC 8894 + Intune master bundle Phase 11.5.
|
|
//
|
|
// The probe deliberately does NOT POST a CSR — that would consume slot
|
|
// allocations on the target server and create audit noise. Reachability
|
|
// + capability + CA-cert metadata is the value this returns.
|
|
//
|
|
// Persistence: instances are stored in scep_probe_results (migration
|
|
// 000021) so the operator's GUI can show recent probe history.
|
|
type SCEPProbeResult struct {
|
|
ID string `json:"id"`
|
|
TargetURL string `json:"target_url"`
|
|
Reachable bool `json:"reachable"`
|
|
AdvertisedCaps []string `json:"advertised_caps"` // GetCACaps response, parsed
|
|
SupportsRFC8894 bool `json:"supports_rfc8894"` // GetCACaps contains "SCEPStandard"
|
|
SupportsAES bool `json:"supports_aes"` // contains "AES"
|
|
SupportsPOSTOperation bool `json:"supports_post_operation"` // contains "POSTPKIOperation"
|
|
SupportsRenewal bool `json:"supports_renewal"` // contains "Renewal"
|
|
SupportsSHA256 bool `json:"supports_sha256"` // contains "SHA-256"
|
|
SupportsSHA512 bool `json:"supports_sha512"` // contains "SHA-512"
|
|
CACertSubject string `json:"ca_cert_subject,omitempty"` // GetCACert leaf cert subject DN
|
|
CACertIssuer string `json:"ca_cert_issuer,omitempty"` // leaf cert issuer DN
|
|
CACertNotBefore time.Time `json:"ca_cert_not_before,omitempty"`
|
|
CACertNotAfter time.Time `json:"ca_cert_not_after,omitempty"`
|
|
CACertExpired bool `json:"ca_cert_expired"`
|
|
CACertDaysToExpiry int `json:"ca_cert_days_to_expiry"`
|
|
CACertAlgorithm string `json:"ca_cert_algorithm,omitempty"` // "RSA-2048", "ECDSA-P256", etc.
|
|
CACertChainLength int `json:"ca_cert_chain_length"` // 1 = single cert, >1 = full chain returned
|
|
ProbedAt time.Time `json:"probed_at"`
|
|
ProbeDurationMs int64 `json:"probe_duration_ms"`
|
|
Error string `json:"error,omitempty"`
|
|
CreatedAt time.Time `json:"created_at,omitempty"`
|
|
}
|