gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-10 04:48:52 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e292faafc6cd52af5282764f4ef1f148adebec92
certctl/internal/service/scep_probe_persist_test.go
T
shankar0123 530593507b fix(scep-intune): close 11 audit gaps from 2026-04-29 pre-tag review 
Closes the eleven gaps identified in the pre-v2.1.0 audit of the SCEP
RFC 8894 + Intune master bundle (cowork/scep-bundle-gap-closure-prompt.md).
Constitutional rule from cowork/CLAUDE.md::Operating Rules — 'Always
take the complete path, not the easy path' — drove this closure: each
gap was a load-bearing wire that crossed multiple layers (config →
validator → service wire-up → tests → docs) and shipping the bundle
without them would have produced lying-field footguns where operator-
visible config options stored values without affecting behavior.

WHAT LANDS:

Phase A — Clock-skew tolerance (master prompt §15 hazard closure)
  internal/scep/intune/challenge.go: ValidateChallenge migrated from
  positional args to ValidateOptions{} struct; new ClockSkewTolerance
  field with default 0 (strict). 24 call sites updated mechanically.
  Asymmetric application: now+tolerance >= iat AND now-tolerance < exp.
  internal/config/config.go: SCEPIntuneProfileConfig.ClockSkewTolerance
  default 60s + Validate() refusal when >= ChallengeValidity.
  cmd/server/main.go: SetIntuneIntegration signature extended;
  per-profile env-var loader honors CERTCTL_SCEP_PROFILE_<NAME>_INTUNE_CLOCK_SKEW_TOLERANCE.
  internal/service/scep.go: intuneClockSkew field + IntuneStatsSnapshot
  surfaces clock_skew_tolerance_ns. web/src/api/types.ts mirrors.
  4 new tests in challenge_test.go covering accept-within-tolerance,
  reject-beyond-tolerance, accept-expired-within-tolerance,
  negative-treated-as-zero defensive normalization.
  docs/scep-intune.md updated with the new env var + time-bounds rule.

Phase B — unknown-version-rejected golden test
  internal/scep/intune/golden_helper_test.go: goldenUnknownVersionPayload
  helper + signGoldenChallengeAny generic signer.
  challenge_golden_test.go: TestGoldenChallenge_UnknownVersionRejected
  uses an in-process ECDSA fixture (the on-disk PEM was generated with
  a Go-stdlib version that produces different ecdsa.GenerateKey bytes
  from the current call). TestRegenerateGoldenFixtures emits the new
  unknown_version fixture file too.

Phase C — Two named Intune e2e tests
  internal/api/handler/scep_intune_e2e_test.go:
    TestSCEPIntuneEnrollment_RateLimited_E2E (cap=2 + 3 attempts; 3rd
    returns FAILURE+badRequest with rate_limited counter ticked)
    TestSCEPIntuneEnrollment_TrustAnchorSIGHUPReload_E2E (rotate
    on-disk PEM + holder.Reload(); old-key challenge fails with
    badMessageCheck; signature_invalid counter ticked)
  intuneE2EFixture struct extended with trustHolder + trustPath fields
  so tests can rotate.

Phase D — Four new ChromeOS hermetic tests (10 total now)
  internal/api/handler/scep_chromeos_test.go:
    _RAKeyMismatch — PKIMessage encrypted to wrong RA cert; handler
      rejects without reaching service.
    _3DESBackwardCompat — RFC 8894 §3.5.2 legacy fallback verified.
    _RSACSR + _ECDSACSR — explicit matrix-pair pinning.
  buildTestECDSACSR helper for ECDSA P-256 CSR construction;
  tripleDESCBCEncrypt mirrors aesCBCEncrypt for 3DES-CBC;
  assertChromeOSPositiveCertRep shared assertion.

Phase E — Per-profile counter isolation test
  internal/api/handler/scep_profile_counter_isolation_test.go:
    TestSCEPHandler_PerProfileIntuneCountersIsolated wires two
    SCEPService instances + drives distinct PKIMessages + asserts
    counter isolation. Guards against a future cmd/server/main.go
    refactor that shares a *intuneCounterTab across profiles.
  buildPerProfileIntuneFixture parameterized helper.

Phase F — Server-boot regression tests
  cmd/server/preflight_scep_intune_test.go: 3 named tests covering
  disabled-backward-compat, broken-config-with-PathID, expired-cert
  refusal. preflightSCEPIntuneTrustAnchor signature extended with
  pathID arg so error messages carry PathID= for operator log-grep.

Phase G — docs/connectors.md
  Four new subsections under §EST/SCEP Integration: multi-profile
  dispatch + mTLS sibling route + Intune Connector dispatcher + SCEP
  probe in network scanner. Each has a one-paragraph operator
  explanation + an env-var or endpoint table.

Phase H — Coverage uplift
  internal/service/scep_probe_persist_test.go: 5 unit tests on
  persistProbeResult (nil-safe + nil-repo-safe + repo-error swallow +
  nil-logger guard) + ListRecentSCEPProbes (empty-slice-not-nil + repo
  pass-through) + describeCertAlgorithm (RSA/ECDSA/QF1008-nil-curve
  defensive branch/Ed25519/DSA/empty). CI gates (service ≥70, handler
  ≥75) PASS at 70.9% / 79.3%.

Phase I — deploy/test integration variant
  deploy/test/scep_intune_e2e_test.go (//go:build integration):
    TestSCEPIntuneEnrollment_Integration + _RateLimited_Integration
    against the live docker-compose certctl container. Skip-when-
    stack-missing semantics so sandbox + CI both work.
  deploy/docker-compose.test.yml: new e2eintune SCEP profile env
  vars + bind-mount of deploy/test/fixtures/.
  deploy/test/fixtures/README.md: documents the deterministic trust
  anchor regeneration recipe.

VERIFICATION (sandbox):
  gofmt -d        — clean for all changed files
  staticcheck     — clean for intune + handler + config + service +
                    cmd/server packages
  go vet          — clean for the same packages
  go test -short  — green for intune (95.3% cov), service (70.9%),
                    handler (79.3%), config (94.0%), cmd/server (boot
                    path; my preflight tests cover the directly-
                    testable function), pkcs7 (80.5% informational)

DEFERRED (per closure prompt §7 out-of-scope):
  - V3-Pro Conditional Access gating + Microsoft Graph integration
  - Standalone certctl-scan CLI binary
  - OCSP rate-limiting, OCSP stapling, delta CRLs

Spec preserved at cowork/scep-bundle-gap-closure-prompt.md;
journal at cowork/scep-rfc8894-intune/progress.md (audit-closure
section appended).
2026-04-29 20:28:53 +00:00

219 lines
8.0 KiB
Go
Raw Blame History

package service
import (
"context"
"crypto/ecdsa"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"errors"
"math/big"
"testing"
"time"
"github.com/shankar0123/certctl/internal/domain"
)
// SCEP RFC 8894 + Intune master prompt §13 line 1859 acceptance —
// coverage uplift on the SCEP probe persistence + clamp paths. Closed
// in the 2026-04-29 audit-closure bundle (Phase H).
//
// Targets the lowest-coverage hot spots in
// internal/service/scep_probe.go (per the audit) without bloating the
// suite:
//
// 1. persistProbeResult is nil-safe + nil-repo-safe.
// 2. persistProbeResult swallows repo errors (probe stays a "best-
// effort persist") + still surfaces them through the logger.
// 3. ListRecentSCEPProbes returns an empty slice (NOT nil) when no
// repo is wired so JSON marshaling stays clean.
// 4. describeCertAlgorithm covers RSA/ECDSA/Ed25519/unknown branches
// including the QF1008 nil-curve defensive branch added in
// commit 9fcea95.
// stubSCEPProbeRepo is a controllable repository.SCEPProbeResultRepository
// used by the persist + list tests. Returns the configured insertErr +
// listResults from each Insert/ListRecent call; bumps insertCalls so the
// test can assert which probes reached the persist path.
type stubSCEPProbeRepo struct {
insertCalls int
insertErr error
listResults []*domain.SCEPProbeResult
listLimit int
listErr error
}
func (r *stubSCEPProbeRepo) Insert(_ context.Context, _ *domain.SCEPProbeResult) error {
r.insertCalls++
return r.insertErr
}
func (r *stubSCEPProbeRepo) ListRecent(_ context.Context, limit int) ([]*domain.SCEPProbeResult, error) {
r.listLimit = limit
return r.listResults, r.listErr
}
// TestPersistProbeResult_NoRepoIsNoOp verifies persistProbeResult is
// safe to call before SetSCEPProbeRepo wires a repo (the production
// startup order is: build service → wire repo). Without this, a probe
// that runs during the boot window would nil-deref.
func TestPersistProbeResult_NoRepoIsNoOp(t *testing.T) {
s := newScepProbeServiceForTest(t)
// Should not panic even though scepProbeRepo is nil.
s.persistProbeResult(context.Background(), &domain.SCEPProbeResult{
ID: "probe-no-repo",
TargetURL: "https://example.com/scep",
})
}
// TestPersistProbeResult_RepoErrorDoesNotFailCaller pins the
// "best-effort persist" contract documented on persistProbeResult: a
// repo write failure MUST NOT bubble back to the probe caller (the
// probe's primary contract is "run + return," not "run + persist").
// The repo's insertCalls counter MUST still be bumped so an operator
// can prove the persist code path was reached even when it failed.
func TestPersistProbeResult_RepoErrorDoesNotFailCaller(t *testing.T) {
repo := &stubSCEPProbeRepo{insertErr: errors.New("simulated db down")}
s := newScepProbeServiceForTest(t)
s.SetSCEPProbeRepo(repo)
s.persistProbeResult(context.Background(), &domain.SCEPProbeResult{
ID: "probe-err",
TargetURL: "https://example.com/scep",
})
if repo.insertCalls != 1 {
t.Errorf("Insert calls = %d, want 1", repo.insertCalls)
}
// A logger-less service MUST also survive a repo error — the warn-
// log branch guards on `s.logger != nil`. Walk the same code path
// with a logger-nil service to exercise that defensive guard.
sNoLog := &NetworkScanService{nowFn: time.Now}
sNoLog.SetSCEPProbeRepo(repo)
sNoLog.persistProbeResult(context.Background(), &domain.SCEPProbeResult{
ID: "probe-err-nologger",
TargetURL: "https://example.com/scep",
})
if repo.insertCalls != 2 {
t.Errorf("Insert calls (after nologger run) = %d, want 2", repo.insertCalls)
}
}
// TestListRecentSCEPProbes_NilRepoReturnsEmptySlice pins the
// "JSON-clean empty" contract documented on ListRecentSCEPProbes —
// the absence of a repo MUST surface as an empty slice (not nil) so
// the GUI's JSON consumer doesn't render `null` instead of `[]`.
// Critical for the React Network Scan page that .map()s over the
// result and would crash on null.
func TestListRecentSCEPProbes_NilRepoReturnsEmptySlice(t *testing.T) {
s := newScepProbeServiceForTest(t)
got, err := s.ListRecentSCEPProbes(context.Background(), 50)
if err != nil {
t.Fatalf("ListRecentSCEPProbes (nil repo): %v", err)
}
if got == nil {
t.Fatal("ListRecentSCEPProbes (nil repo) returned nil, want empty slice for JSON cleanliness")
}
if len(got) != 0 {
t.Errorf("ListRecentSCEPProbes (nil repo) = %d items, want 0", len(got))
}
}
// TestListRecentSCEPProbes_DelegatesToRepo verifies the wired-repo
// path: the limit value flows through to the repository unmodified
// (the [1, 200] clamp lives at the handler layer, not the service —
// this test pins the service is a thin pass-through).
func TestListRecentSCEPProbes_DelegatesToRepo(t *testing.T) {
repo := &stubSCEPProbeRepo{
listResults: []*domain.SCEPProbeResult{
{ID: "probe-1", TargetURL: "https://a.example.com/scep"},
{ID: "probe-2", TargetURL: "https://b.example.com/scep"},
},
}
s := newScepProbeServiceForTest(t)
s.SetSCEPProbeRepo(repo)
got, err := s.ListRecentSCEPProbes(context.Background(), 17)
if err != nil {
t.Fatalf("ListRecentSCEPProbes: %v", err)
}
if repo.listLimit != 17 {
t.Errorf("repo.ListRecent received limit=%d, want 17", repo.listLimit)
}
if len(got) != 2 {
t.Errorf("ListRecentSCEPProbes returned %d items, want 2", len(got))
}
}
// TestDescribeCertAlgorithm covers every documented branch of the
// describe helper — including the QF1008 nil-curve defensive guard
// added in commit 9fcea95. Walking each branch keeps the staticcheck
// fix exercised in CI so a future "simplify" never reverts the nil
// check + crashes on a malformed cert.
func TestDescribeCertAlgorithm(t *testing.T) {
rsaCert, _ := fixtureRSACertForDescribeTest(t)
if got, want := describeCertAlgorithm(rsaCert), "RSA-2048"; got != want {
t.Errorf("RSA describe = %q, want %q", got, want)
}
ecCert, _ := fixtureCACert(t, "ec-describe", time.Now().Add(-1*time.Hour), time.Now().Add(24*time.Hour))
if got, want := describeCertAlgorithm(ecCert), "ECDSA-P-256"; got != want {
t.Errorf("ECDSA describe = %q, want %q", got, want)
}
// Defensive branch: an ECDSA public key with a nil Curve. The
// QF1008 fix keeps the explicit nil check so this case returns
// "ECDSA" without panicking.
bogusEC := &x509.Certificate{
PublicKey: &ecdsa.PublicKey{Curve: nil},
PublicKeyAlgorithm: x509.ECDSA,
}
if got, want := describeCertAlgorithm(bogusEC), "ECDSA"; got != want {
t.Errorf("nil-curve ECDSA describe = %q, want %q (QF1008 defensive branch)", got, want)
}
// Algorithm-only fall-through (no key type match) → Ed25519/DSA.
ed := &x509.Certificate{PublicKeyAlgorithm: x509.Ed25519}
if got, want := describeCertAlgorithm(ed), "Ed25519"; got != want {
t.Errorf("Ed25519 describe = %q, want %q", got, want)
}
dsa := &x509.Certificate{PublicKeyAlgorithm: x509.DSA}
if got, want := describeCertAlgorithm(dsa), "DSA"; got != want {
t.Errorf("DSA describe = %q, want %q", got, want)
}
// Unrecognized → empty string (the GUI then renders "—").
unknown := &x509.Certificate{}
if got := describeCertAlgorithm(unknown); got != "" {
t.Errorf("unknown describe = %q, want empty", got)
}
}
// fixtureRSACertForDescribeTest is a tiny helper exclusive to the
// describe-algo coverage test. The package's other RSA cert helpers
// live behind type-specialized fixtures; we want a generic 2048-bit
// RSA cert + nothing else.
func fixtureRSACertForDescribeTest(t *testing.T) (*x509.Certificate, *rsa.PrivateKey) {
t.Helper()
key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
t.Fatalf("rsa.GenerateKey: %v", err)
}
tmpl := &x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{CommonName: "rsa-describe"},
NotBefore: time.Now().Add(-1 * time.Hour),
NotAfter: time.Now().Add(24 * time.Hour),
}
der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
if err != nil {
t.Fatalf("CreateCertificate: %v", err)
}
parsed, err := x509.ParseCertificate(der)
if err != nil {
t.Fatalf("ParseCertificate: %v", err)
}
return parsed, key
}
Reference in New Issue View Git Blame Copy Permalink