mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 16:41:36 +00:00
shankar0123
530593507b
Closes the eleven gaps identified in the pre-v2.1.0 audit of the SCEP
RFC 8894 + Intune master bundle (cowork/scep-bundle-gap-closure-prompt.md).
Constitutional rule from cowork/CLAUDE.md::Operating Rules — 'Always
take the complete path, not the easy path' — drove this closure: each
gap was a load-bearing wire that crossed multiple layers (config →
validator → service wire-up → tests → docs) and shipping the bundle
without them would have produced lying-field footguns where operator-
visible config options stored values without affecting behavior.
WHAT LANDS:
Phase A — Clock-skew tolerance (master prompt §15 hazard closure)
internal/scep/intune/challenge.go: ValidateChallenge migrated from
positional args to ValidateOptions{} struct; new ClockSkewTolerance
field with default 0 (strict). 24 call sites updated mechanically.
Asymmetric application: now+tolerance >= iat AND now-tolerance < exp.
internal/config/config.go: SCEPIntuneProfileConfig.ClockSkewTolerance
default 60s + Validate() refusal when >= ChallengeValidity.
cmd/server/main.go: SetIntuneIntegration signature extended;
per-profile env-var loader honors CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_CLOCK_SKEW_TOLERANCE.
internal/service/scep.go: intuneClockSkew field + IntuneStatsSnapshot
surfaces clock_skew_tolerance_ns. web/src/api/types.ts mirrors.
4 new tests in challenge_test.go covering accept-within-tolerance,
reject-beyond-tolerance, accept-expired-within-tolerance,
negative-treated-as-zero defensive normalization.
docs/scep-intune.md updated with the new env var + time-bounds rule.
Phase B — unknown-version-rejected golden test
internal/scep/intune/golden_helper_test.go: goldenUnknownVersionPayload
helper + signGoldenChallengeAny generic signer.
challenge_golden_test.go: TestGoldenChallenge_UnknownVersionRejected
uses an in-process ECDSA fixture (the on-disk PEM was generated with
a Go-stdlib version that produces different ecdsa.GenerateKey bytes
from the current call). TestRegenerateGoldenFixtures emits the new
unknown_version fixture file too.
Phase C — Two named Intune e2e tests
internal/api/handler/scep_intune_e2e_test.go:
TestSCEPIntuneEnrollment_RateLimited_E2E (cap=2 + 3 attempts; 3rd
returns FAILURE+badRequest with rate_limited counter ticked)
TestSCEPIntuneEnrollment_TrustAnchorSIGHUPReload_E2E (rotate
on-disk PEM + holder.Reload(); old-key challenge fails with
badMessageCheck; signature_invalid counter ticked)
intuneE2EFixture struct extended with trustHolder + trustPath fields
so tests can rotate.
Phase D — Four new ChromeOS hermetic tests (10 total now)
internal/api/handler/scep_chromeos_test.go:
_RAKeyMismatch — PKIMessage encrypted to wrong RA cert; handler
rejects without reaching service.
_3DESBackwardCompat — RFC 8894 §3.5.2 legacy fallback verified.
_RSACSR + _ECDSACSR — explicit matrix-pair pinning.
buildTestECDSACSR helper for ECDSA P-256 CSR construction;
tripleDESCBCEncrypt mirrors aesCBCEncrypt for 3DES-CBC;
assertChromeOSPositiveCertRep shared assertion.
Phase E — Per-profile counter isolation test
internal/api/handler/scep_profile_counter_isolation_test.go:
TestSCEPHandler_PerProfileIntuneCountersIsolated wires two
SCEPService instances + drives distinct PKIMessages + asserts
counter isolation. Guards against a future cmd/server/main.go
refactor that shares a *intuneCounterTab across profiles.
buildPerProfileIntuneFixture parameterized helper.
Phase F — Server-boot regression tests
cmd/server/preflight_scep_intune_test.go: 3 named tests covering
disabled-backward-compat, broken-config-with-PathID, expired-cert
refusal. preflightSCEPIntuneTrustAnchor signature extended with
pathID arg so error messages carry PathID= for operator log-grep.
Phase G — docs/connectors.md
Four new subsections under §EST/SCEP Integration: multi-profile
dispatch + mTLS sibling route + Intune Connector dispatcher + SCEP
probe in network scanner. Each has a one-paragraph operator
explanation + an env-var or endpoint table.
Phase H — Coverage uplift
internal/service/scep_probe_persist_test.go: 5 unit tests on
persistProbeResult (nil-safe + nil-repo-safe + repo-error swallow +
nil-logger guard) + ListRecentSCEPProbes (empty-slice-not-nil + repo
pass-through) + describeCertAlgorithm (RSA/ECDSA/QF1008-nil-curve
defensive branch/Ed25519/DSA/empty). CI gates (service ≥70, handler
≥75) PASS at 70.9% / 79.3%.
Phase I — deploy/test integration variant
deploy/test/scep_intune_e2e_test.go (//go:build integration):
TestSCEPIntuneEnrollment_Integration + _RateLimited_Integration
against the live docker-compose certctl container. Skip-when-
stack-missing semantics so sandbox + CI both work.
deploy/docker-compose.test.yml: new e2eintune SCEP profile env
vars + bind-mount of deploy/test/fixtures/.
deploy/test/fixtures/README.md: documents the deterministic trust
anchor regeneration recipe.
VERIFICATION (sandbox):
gofmt -d — clean for all changed files
staticcheck — clean for intune + handler + config + service +
cmd/server packages
go vet — clean for the same packages
go test -short — green for intune (95.3% cov), service (70.9%),
handler (79.3%), config (94.0%), cmd/server (boot
path; my preflight tests cover the directly-
testable function), pkcs7 (80.5% informational)
DEFERRED (per closure prompt §7 out-of-scope):
- V3-Pro Conditional Access gating + Microsoft Graph integration
- Standalone certctl-scan CLI binary
- OCSP rate-limiting, OCSP stapling, delta CRLs
Spec preserved at cowork/scep-bundle-gap-closure-prompt.md;
journal at cowork/scep-rfc8894-intune/progress.md (audit-closure
section appended).
157 lines
6.3 KiB
Go
157 lines
6.3 KiB
Go
package main
|
|
|
|
import (
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/pem"
|
|
"io"
|
|
"log/slog"
|
|
"math/big"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
)
|
|
|
|
// SCEP RFC 8894 + Intune master prompt §13 line 1853 acceptance —
|
|
// boot regression tests for preflightSCEPIntuneTrustAnchor. Closed in
|
|
// the 2026-04-29 audit-closure bundle (Phase F).
|
|
//
|
|
// Spec text:
|
|
// "clean boot with Intune disabled (backward compat)" and
|
|
// "refuses-to-start with broken per-profile config (PathID logged)."
|
|
//
|
|
// These three tests exercise the function the cmd/server/main.go boot
|
|
// loop calls per profile. We can't (and don't want to) run main()
|
|
// itself in a unit test — that would require docker compose + a real
|
|
// listener. Instead we drive the function directly and assert its
|
|
// contract holds: nil error on disabled, structured error containing
|
|
// the PathID on enabled-but-broken.
|
|
|
|
func discardLogger() *slog.Logger {
|
|
return slog.New(slog.NewTextHandler(io.Discard, &slog.HandlerOptions{Level: slog.LevelError + 10}))
|
|
}
|
|
|
|
// TestPreflightSCEPIntuneTrustAnchor_DisabledIsBackwardCompat — when
|
|
// the profile has Intune disabled, preflight returns (nil, nil) and
|
|
// MUST NOT touch the filesystem. This is the dominant path in
|
|
// production: most operators run SCEP without Intune. A regression
|
|
// here would make every non-Intune deploy fail boot with a confusing
|
|
// "trust anchor missing" error.
|
|
func TestPreflightSCEPIntuneTrustAnchor_DisabledIsBackwardCompat(t *testing.T) {
|
|
holder, err := preflightSCEPIntuneTrustAnchor(false, "corp", "", discardLogger())
|
|
if err != nil {
|
|
t.Fatalf("disabled preflight should be a no-op, got error: %v", err)
|
|
}
|
|
if holder != nil {
|
|
t.Errorf("disabled preflight should return nil holder, got %#v", holder)
|
|
}
|
|
|
|
// Confirm the no-touch contract: even if PathID + path are both
|
|
// non-empty, disabled=false short-circuits before any I/O. Pass a
|
|
// path that doesn't exist — the call MUST still succeed.
|
|
holder, err = preflightSCEPIntuneTrustAnchor(false, "iot", "/tmp/this-file-does-not-exist-12345.pem", discardLogger())
|
|
if err != nil {
|
|
t.Fatalf("disabled preflight with non-existent path should still succeed: %v", err)
|
|
}
|
|
if holder != nil {
|
|
t.Error("disabled preflight should return nil holder even with non-existent path")
|
|
}
|
|
}
|
|
|
|
// TestPreflightSCEPIntuneTrustAnchor_BrokenConfigRefusesWithPathID —
|
|
// when the profile has Intune enabled but the trust-anchor file
|
|
// doesn't exist, preflight returns an error whose text contains the
|
|
// literal PathID. Operators grep their boot log for the PathID to
|
|
// triage which profile is broken in a multi-profile deploy.
|
|
func TestPreflightSCEPIntuneTrustAnchor_BrokenConfigRefusesWithPathID(t *testing.T) {
|
|
missingPath := filepath.Join(t.TempDir(), "this-trust-anchor-was-never-written.pem")
|
|
holder, err := preflightSCEPIntuneTrustAnchor(true, "corp", missingPath, discardLogger())
|
|
if err == nil {
|
|
t.Fatal("expected error when trust anchor file is missing, got nil")
|
|
}
|
|
if holder != nil {
|
|
t.Errorf("expected nil holder on broken config, got %#v", holder)
|
|
}
|
|
if !strings.Contains(err.Error(), `PathID="corp"`) {
|
|
t.Errorf("error should contain PathID for operator log-grep: %v", err)
|
|
}
|
|
if !strings.Contains(err.Error(), missingPath) {
|
|
t.Errorf("error should contain the path for operator log-grep: %v", err)
|
|
}
|
|
|
|
// Empty PathID (legacy /scep root) — the error MUST surface a
|
|
// readable label, not an empty quoted string that looks like a
|
|
// missing variable.
|
|
_, err = preflightSCEPIntuneTrustAnchor(true, "", missingPath, discardLogger())
|
|
if err == nil {
|
|
t.Fatal("expected error on broken legacy-root config")
|
|
}
|
|
if !strings.Contains(err.Error(), `PathID="<root>"`) {
|
|
t.Errorf("error should label empty PathID as <root>: %v", err)
|
|
}
|
|
|
|
// Empty path with enabled=true — distinct error path (path-empty
|
|
// vs file-missing). Spec requires this branch ALSO surfaces the
|
|
// PathID so the operator's grep narrows to the profile.
|
|
_, err = preflightSCEPIntuneTrustAnchor(true, "iot", "", discardLogger())
|
|
if err == nil {
|
|
t.Fatal("expected error when trust anchor path is empty")
|
|
}
|
|
if !strings.Contains(err.Error(), `PathID="iot"`) {
|
|
t.Errorf("empty-path error should contain PathID for operator log-grep: %v", err)
|
|
}
|
|
}
|
|
|
|
// TestPreflightSCEPIntuneTrustAnchor_ExpiredTrustAnchorRefuses — an
|
|
// expired Connector signing cert in the trust anchor file is the
|
|
// silent-failure mode this preflight is built to catch. Without the
|
|
// gate, the SCEP server boots cleanly and then rejects every Intune
|
|
// enrollment at runtime with "no trust anchor recognizes this
|
|
// signature" — confusing for the operator whose Connector is healthy
|
|
// (the cert just expired without rotation). Pin the contract: the
|
|
// boot MUST refuse with an error that names the expired cert's
|
|
// subject CN so the operator knows what to rotate.
|
|
func TestPreflightSCEPIntuneTrustAnchor_ExpiredTrustAnchorRefuses(t *testing.T) {
|
|
// Build a deterministic ECDSA cert with NotAfter 1 hour in the past.
|
|
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
if err != nil {
|
|
t.Fatalf("ecdsa.GenerateKey: %v", err)
|
|
}
|
|
now := time.Now()
|
|
tmpl := &x509.Certificate{
|
|
SerialNumber: big.NewInt(1),
|
|
Subject: pkix.Name{CommonName: "intune-connector-rotated-must-replace"},
|
|
NotBefore: now.Add(-2 * time.Hour),
|
|
NotAfter: now.Add(-1 * time.Hour), // expired
|
|
KeyUsage: x509.KeyUsageDigitalSignature,
|
|
}
|
|
der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
|
|
if err != nil {
|
|
t.Fatalf("CreateCertificate: %v", err)
|
|
}
|
|
|
|
bundlePath := filepath.Join(t.TempDir(), "intune-expired.pem")
|
|
if err := os.WriteFile(bundlePath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err != nil {
|
|
t.Fatalf("write expired cert: %v", err)
|
|
}
|
|
|
|
holder, err := preflightSCEPIntuneTrustAnchor(true, "corp-expired", bundlePath, discardLogger())
|
|
if err == nil {
|
|
t.Fatal("expected refuse-to-start on expired trust anchor cert, got nil error")
|
|
}
|
|
if holder != nil {
|
|
t.Errorf("expected nil holder on expired-cert refusal, got %#v", holder)
|
|
}
|
|
if !strings.Contains(err.Error(), `PathID="corp-expired"`) {
|
|
t.Errorf("error should contain PathID for operator log-grep: %v", err)
|
|
}
|
|
if !strings.Contains(err.Error(), "intune-connector-rotated-must-replace") {
|
|
t.Errorf("error should contain the expired cert's subject CN so the operator knows what to rotate: %v", err)
|
|
}
|
|
}
|