gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 16:21:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
aa139ee0d98d5fdb4cfac8a2886d382e591a39ea
certctl/internal/service/scep_must_staple_test.go
T
shankar0123 01f6eb9d09 feat(scep): plumb CertificateProfile.MustStaple end-to-end through service layer 
SCEP RFC 8894 + Intune master bundle Phase 5.6 follow-up.

Closes the 'lying field' gap from the original Phase 5.6 commit (b33b843).
That commit shipped CertificateProfile.MustStaple as a domain field +
IssuanceRequest.MustStaple as the issuer-interface field + the local
issuer's RFC 7633 extension generation + byte-exact tests against the
spec — but the service layer (SCEP + EST + agent + renewal) never read
profile.MustStaple and never set IssuanceRequest.MustStaple. Operators
who set the field got: a stored value, an API that returned it, docs
that promised it worked, and a cert with no extension. Worse than not
having the field at all.

Per the new operating rule landed in cowork/CLAUDE.md::Operating Rules
('Always take the complete path, not the easy path'), this commit closes
the wire end-to-end.

internal/service/renewal.go
  * IssuerConnector interface signature gains a mustStaple bool param on
    IssueCertificate + RenewCertificate. The original 'this is a wider
    refactor' framing was overstated — it's one extra arg threaded
    through six call sites, not a structural change.

internal/service/issuer_adapter.go
  * IssuerConnectorAdapter.IssueCertificate + RenewCertificate accept
    the new param + populate IssuanceRequest.MustStaple /
    RenewalRequest.MustStaple. Connectors that don't honor extension
    injection (Vault, EJBCA, ACME, etc.) silently ignore the field —
    the Phase 5.6 commit's docblock already noted this.

internal/service/scep.go
  * processEnrollment now reads profile.MustStaple alongside
    profile.MaxTTLSeconds and threads it through the IssueCertificate
    call. The SCEP path was the load-bearing one — the original Phase
    5.6 docs example showed exactly this code shape but the wire was
    never landed.

internal/service/est.go
  * Same pattern as SCEP: read profile.MustStaple + thread to
    IssueCertificate. Defense in depth so a deploy that mounts the
    same profile across SCEP + EST gets consistent extension behavior.

internal/service/agent.go
  * The fallback direct-issuer signing path in heartbeatPipeline reads
    profile + threads MustStaple through. Server-mode keygen + ad-hoc
    CSR submission paths both go through this.

internal/service/renewal.go (the renewal-loop side, not the interface)
  * Both renewal call sites (server-CSR-generated + agent-CSR-submitted)
    read profile.MustStaple + thread it through RenewCertificate. Renewed
    certs match their initial-issuance extension set when the bound
    profile changes mid-lifetime.

internal/service/scep_must_staple_test.go (new)
  * TestSCEPService_PKCSReq_PlumbsMustStapleToIssuer — end-to-end
    integration test: profile.MustStaple=true → SCEP service →
    mock IssuerConnector saw mustStaple=true. This is the test the
    original Phase 5.6 commit should have shipped — proves the wire
    reaches the connector.
  * TestSCEPService_PKCSReq_NoMustStaplePropagatesFalse — companion
    pinning the symmetric contract; the mock pre-sets LastMustStaple=true
    so a stuck-at-true bug surfaces.

internal/service/testutil_test.go +
internal/service/m11c_crypto_enforcement_test.go +
internal/service/issuer_adapter_test.go +
cmd/server/preflight_test.go
  * Mock + fake IssuerConnector implementations gain the new mustStaple
    bool param. mockIssuerConnector + capturingIssuerConnector also gain
    a LastMustStaple / lastMustStaple field used by the new integration
    tests to assert the wire reached the connector.
  * Existing test call sites for adapter.IssueCertificate /
    adapter.RenewCertificate gain a trailing 'false' arg (mechanical bulk
    edit, no behavior change).

Verification:
  * gofmt + go vet + staticcheck clean for all touched paths.
  * go test -short -count=1 green across cmd/agent / cmd/cli /
    cmd/mcp-server / cmd/server / api/handler / api/middleware /
    api/router / service / scheduler / pkcs7 / connector/issuer/local /
    every connector subpackage / domain / crypto / mcp / repository.
  * The new TestSCEPService_PKCSReq_PlumbsMustStapleToIssuer test passes,
    proving the wire works end-to-end.

The follow-up rule from cowork/CLAUDE.md::Operating Rules — 'can an
operator flip the configurable bit and observe the behavior change
end-to-end with no further code changes?' — is now YES for must-staple
on the SCEP + EST + agent + renewal paths.
2026-04-29 13:36:30 +00:00

155 lines
5.5 KiB
Go
Raw Blame History

package service
import (
"context"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"io"
"log/slog"
"testing"
"github.com/shankar0123/certctl/internal/domain"
)
// SCEP RFC 8894 + Intune master bundle Phase 5.6 follow-up: end-to-end
// integration test for the must-staple wire from CertificateProfile.MustStaple
// through the SCEPService into the IssuerConnector.
//
// Background: the original Phase 5.6 commit shipped the local issuer's RFC
// 7633 extension generation + the IssuanceRequest.MustStaple field, but
// the SCEP service layer (and EST + agent + renewal) didn't read
// profile.MustStaple and didn't pass it to IssueCertificate. That made
// CertificateProfile.MustStaple a "lying field" — the operator could set
// it, the API would store + return it, the docs claimed it worked, but
// the cert came back without the extension. Worse than not having the
// field at all.
//
// This test pins the wire end-to-end:
//
// 1. Create a CertificateProfile with MustStaple=true.
// 2. Drive a SCEP enrollment through SCEPService.PKCSReq.
// 3. Assert the mock IssuerConnector saw mustStaple=true (proving the
// service-layer wire reaches the connector).
//
// The local-issuer-side test (must_staple_test.go) already pins that the
// connector translates that bool into the RFC 7633 extension. Together
// they prove: configurable bit → behavior change, end-to-end.
// stubProfileRepo is a minimal in-memory CertificateProfileRepository for
// the test. Returns the configured profile by ID; other repo methods
// panic if exercised (we only need Get).
type stubProfileRepo struct {
profile *domain.CertificateProfile
}
func (s *stubProfileRepo) Get(_ context.Context, id string) (*domain.CertificateProfile, error) {
if s.profile != nil && s.profile.ID == id {
return s.profile, nil
}
return nil, nil
}
func (s *stubProfileRepo) Create(_ context.Context, _ *domain.CertificateProfile) error {
panic("stubProfileRepo.Create not implemented for this test")
}
func (s *stubProfileRepo) Update(_ context.Context, _ *domain.CertificateProfile) error {
panic("stubProfileRepo.Update not implemented for this test")
}
func (s *stubProfileRepo) Delete(_ context.Context, _ string) error {
panic("stubProfileRepo.Delete not implemented for this test")
}
func (s *stubProfileRepo) List(_ context.Context) ([]*domain.CertificateProfile, error) {
panic("stubProfileRepo.List not implemented for this test")
}
func TestSCEPService_PKCSReq_PlumbsMustStapleToIssuer(t *testing.T) {
// 1. Mock issuer that records the must-staple bool from the call.
mock := &mockIssuerConnector{}
// 2. Profile with MustStaple=true.
profile := &domain.CertificateProfile{
ID: "prof-must-staple",
Name: "must-staple",
MaxTTLSeconds: 86400,
MustStaple: true,
Enabled: true,
}
repo := &stubProfileRepo{profile: profile}
// 3. Build the service. Use a real challenge password so we exercise
// the same gate the production path runs.
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
svc := NewSCEPService("iss-test", mock, nil, logger, "shared-secret-123")
svc.SetProfileRepo(repo)
svc.SetProfileID(profile.ID)
// 4. Build a CSR (real crypto so processEnrollment's CheckSignature
// + crypto-policy validation both pass).
csrPEM := buildCSRForSCEPMustStaple(t, "must-staple.example.com")
// 5. Drive the enrollment.
_, err := svc.PKCSReq(context.Background(), csrPEM, "shared-secret-123", "txn-must-staple")
if err != nil {
t.Fatalf("PKCSReq: %v", err)
}
// 6. Assert the must-staple wire reached the connector.
if !mock.LastMustStaple {
t.Errorf("mockIssuerConnector.LastMustStaple = false, want true — service layer dropped profile.MustStaple on the floor (the 'lying field' regression)")
}
}
func TestSCEPService_PKCSReq_NoMustStaplePropagatesFalse(t *testing.T) {
// Companion: when the profile does NOT have MustStaple set, the
// connector must see false. Pins the symmetric contract.
mock := &mockIssuerConnector{LastMustStaple: true} // pre-set to true so we can detect a stuck-at-true bug
profile := &domain.CertificateProfile{
ID: "prof-no-staple",
Name: "no-staple",
MaxTTLSeconds: 86400,
MustStaple: false,
Enabled: true,
}
repo := &stubProfileRepo{profile: profile}
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
svc := NewSCEPService("iss-test", mock, nil, logger, "shared-secret-123")
svc.SetProfileRepo(repo)
svc.SetProfileID(profile.ID)
csrPEM := buildCSRForSCEPMustStaple(t, "no-staple.example.com")
_, err := svc.PKCSReq(context.Background(), csrPEM, "shared-secret-123", "txn-no-staple")
if err != nil {
t.Fatalf("PKCSReq: %v", err)
}
if mock.LastMustStaple {
t.Errorf("mockIssuerConnector.LastMustStaple = true, want false — service layer set MustStaple=true despite profile.MustStaple=false")
}
}
// buildCSRForSCEPMustStaple creates an ECDSA P-256 CSR for the given CN.
// Local helper — kept distinct from buildCSRForSCEP elsewhere in the
// service test suite to avoid name collisions.
func buildCSRForSCEPMustStaple(t *testing.T, cn string) string {
t.Helper()
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatalf("ecdsa.GenerateKey: %v", err)
}
tmpl := &x509.CertificateRequest{
Subject: pkix.Name{CommonName: cn},
}
der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
if err != nil {
t.Fatalf("CreateCertificateRequest: %v", err)
}
return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}))
}
Reference in New Issue View Git Blame Copy Permalink