mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 15:51:30 +00:00
shankar0123
0be889ff1d
Phase 9 follow-up to the SCEP RFC 8894 + Intune master bundle. The
Phase 9.4 GUI shipped 'SCEP Intune Monitoring' at /scep/intune, which
made the per-profile observability surface look Intune-only — operators
running EJBCA + Jamf would never click that nav link expecting per-
profile RA cert + mTLS observability. The page is per-profile keyed
under the hood; this commit rebrands + restructures so the surface
matches what operators actually need.
Spec: cowork/scep-gui-restructure-prompt.md.
User-visible change:
- Nav link renamed: 'SCEP Intune' → 'SCEP Admin'.
- Route: /scep is the new canonical path; /scep/intune kept as a
backward-compat alias that lands directly on the Intune tab.
- Page header: 'SCEP Administration'.
- Three tabs:
* Profiles (default) — per-profile lean cards with RA cert
expiry countdown, mTLS sibling-route status badge, Intune
enabled/disabled badge, challenge-password-set indicator.
'View Intune details →' link on Intune-enabled cards
deep-links into the Intune tab.
* Intune Monitoring — the existing Phase 9.4 deep-dive
(per-status counters, trust anchor expiry, recent failures
table, reload-trust button + confirmation modal).
* Recent Activity — full SCEP audit log filter merging all
four action codes (scep_pkcsreq + scep_renewalreq +
scep_pkcsreq_intune + scep_renewalreq_intune); chip filters
for All / Initial / Renewal / Intune / Static.
Backend:
* internal/service/scep.go — new SCEPProfileStatsSnapshot type +
IntuneSection sub-block + ProfileStats(now) accessor. Adds
raCertSubject/raCertNotBefore/raCertNotAfter + mtlsEnabled +
mtlsTrustBundlePath fields with SetRACert + SetMTLSConfig setters.
Existing IntuneStatsSnapshot + IntuneStats(now) preserved
UNCHANGED for /admin/scep/intune/stats backward compat (the
JSON shape stays byte-stable for external consumers — the
aliasing approach the prompt initially suggested doesn't work
because the new shape nests Intune while the old one is flat).
ChallengePasswordSet is derived from challengePassword != ''
(the secret value itself is never surfaced).
* internal/api/handler/admin_scep_intune.go — new Profiles handler
method on AdminSCEPIntuneHandler with the same M-008 admin gate.
AdminSCEPIntuneServiceImpl extended (in place; same
map[string]*service.SCEPService) to satisfy the new
AdminSCEPProfileService interface. Single handler file gets the
third method so the M-008 pin entry count stays steady (no new
file, no new triplet of admin-gate test files — just three new
Profiles tests inside the existing test file).
* internal/api/router/router.go — one new route
'GET /api/v1/admin/scep/profiles' registered to
reg.AdminSCEPIntune.Profiles. HandlerRegistry unchanged.
* api/openapi.yaml — new operation 'listSCEPProfiles' documenting
the request body / response shape / error mapping. Existing
Intune entries unchanged.
* cmd/server/main.go — per-profile loop now calls
scepService.SetMTLSConfig(profile.MTLSEnabled,
profile.MTLSClientCATrustBundlePath) right after SetPathID, and
scepService.SetRACert(raCert) right after loadSCEPRAPair returns
the leaf cert. Both setters are nil-safe.
* internal/api/handler/m008_admin_gate_test.go — extended the
existing admin_scep_intune.go entry's justification to mention
the third endpoint. No new map entry needed (file already
listed).
Backend tests (8 new):
* TestAdminSCEPProfiles_NonAdmin_Returns403
* TestAdminSCEPProfiles_AdminExplicitFalse_Returns403
* TestAdminSCEPProfiles_AdminPermitted_ForwardsActor — also pins
that Intune-enabled profiles emit an 'intune' sub-block while
Intune-disabled profiles OMIT it.
* TestAdminSCEPProfiles_RejectsNonGetMethod
* TestAdminSCEPProfiles_PropagatesServiceError
* TestAdminSCEPProfilesServiceImpl_NilMapReturnsEmpty
* (existing 16 Phase 9 admin tests still pass — backward-compat
preserved)
Frontend:
* web/src/api/types.ts — new SCEPProfileStatsSnapshot +
IntuneSection + SCEPProfilesResponse types. Existing
IntuneStatsSnapshot et al unchanged.
* web/src/api/client.ts — new getAdminSCEPProfiles helper.
* web/src/pages/SCEPAdminPage.tsx — full rewrite as the tabbed
surface. Reuses the existing ConfirmReloadModal and Intune
deep-dive card components verbatim; adds ProfileSummaryCard
(lean card for the Profiles tab) and ActivityTab. URL state
sync via useSearchParams so deep links survive reloads + browser
back/forward. The legacy /scep/intune route alias defaults the
activeTab to 'intune' on mount.
* web/src/main.tsx — new <Route path='scep' /> + preserved
<Route path='scep/intune' /> alias. Both render SCEPAdminPage.
* web/src/components/Layout.tsx — nav link rebranded:
label 'SCEP Intune' → 'SCEP Admin', to '/scep/intune' → '/scep'.
Frontend tests (20 — full rebuild):
* Admin gate (non-admin sees gated banner + zero admin API calls)
* Profiles tab default + Intune tab tabswitch + ?tab=intune deep
link + legacy /scep/intune alias all land on Intune
* Profiles tab status badges (Intune + mTLS + challenge-set)
reflect each profile's flags
* RA cert expiry tone bands (good ≥30d / warn 7-30d / bad <7d /
EXPIRED) verified across three fixture profiles
* 'View Intune details →' only renders for Intune-enabled
profiles AND switches tabs on click
* Empty-state banner when no profiles configured
* Intune tab counters render with the existing Phase 9 deep-dive
shape; reload modal Open/Confirm/Cancel/Error paths all pinned
* Recent Activity tab merges all four SCEP audit actions across
four parallel useQuery calls; filter chips
(all/initial/renewal/intune/static) narrow correctly
* Error path surfaces ErrorState on the active tab
Docs:
* docs/scep-intune.md — Operational monitoring section heading
expanded to '(SCEP Administration → Intune Monitoring tab)'.
Page-surface description rewritten for the tabbed shape;
admin-endpoints list extended with the new /admin/scep/profiles
entry.
* docs/architecture.md — Microsoft Intune Connector trust anchor
subsection updated to reference the Intune Monitoring tab inside
the SCEP Administration page + lists all three admin endpoints.
* docs/legacy-est-scep.md — forward-ref expanded with a parallel
sentence for the per-profile observability surface (independent
of Intune).
* README.md — Enrollment Protocols bullet for Intune updated to
'admin GUI SCEP Administration page at /scep' with the three
tabs called out.
Verification:
* gofmt clean on touched files
* go vet ./... clean
* staticcheck on intune+service+handler+router+cmd-server clean
* go test -short across intune+service+handler+router+cmd-server:
all green (existing Phase 9 tests + new Profiles tests)
* Frontend tsc --noEmit clean
* Vitest: 20/20 SCEPAdminPage tests + 3/3 sibling AuditPage tests
pass
* G-3 docs-drift CI guard reproduced locally: clean (no new env
vars; existing CERTCTL_SCEP_ allowlist prefix covers everything)
* M-009 hard-zero useMutation guard reproduced locally: clean
(the existing reload mutation already used useTrackedMutation
from the Phase 9 follow-up commit 28e277a)
* openapi-parity test green (new GET /api/v1/admin/scep/profiles
operation documented)
* M-008 admin-gate scanner green (existing admin_scep_intune.go
entry covers all three handler methods; the test scanner
enforces the triplet by file, not by endpoint, and the new
Profiles triplet was added to the existing test file)
Backward compat preserved:
* /api/v1/admin/scep/intune/stats unchanged — same JSON shape,
same error codes, same M-008 gate
* /api/v1/admin/scep/intune/reload-trust unchanged
* /scep/intune route still works (alias to /scep with activeTab=intune)
* IntuneStatsSnapshot Go type unchanged
* IntuneStats(now) accessor unchanged
Refs: cowork/scep-gui-restructure-prompt.md
cowork/scep-rfc8894-intune-master-prompt.md::Phase 9
Phase 11.5 (SCEP probe in scanner — opt-in) and Phase 12
(release prep + tag) of the master bundle resume after this.
496 lines
17 KiB
Go
496 lines
17 KiB
Go
package handler
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/shankar0123/certctl/internal/api/middleware"
|
|
"github.com/shankar0123/certctl/internal/service"
|
|
)
|
|
|
|
// fakeAdminSCEPIntuneService is the test stub for AdminSCEPIntuneService.
|
|
// Records call observations so the M-008 admin-gate triplet can pin
|
|
// "service was never invoked" when the gate rejects the caller.
|
|
type fakeAdminSCEPIntuneService struct {
|
|
statsCalled bool
|
|
profilesCalled bool
|
|
reloadCalled bool
|
|
rows []service.IntuneStatsSnapshot
|
|
profileRows []service.SCEPProfileStatsSnapshot
|
|
statsErr error
|
|
profilesErr error
|
|
reloadPathID string
|
|
reloadErr error
|
|
}
|
|
|
|
func (f *fakeAdminSCEPIntuneService) Stats(_ context.Context, _ time.Time) ([]service.IntuneStatsSnapshot, error) {
|
|
f.statsCalled = true
|
|
return f.rows, f.statsErr
|
|
}
|
|
|
|
func (f *fakeAdminSCEPIntuneService) Profiles(_ context.Context, _ time.Time) ([]service.SCEPProfileStatsSnapshot, error) {
|
|
f.profilesCalled = true
|
|
return f.profileRows, f.profilesErr
|
|
}
|
|
|
|
func (f *fakeAdminSCEPIntuneService) ReloadTrust(_ context.Context, pathID string) error {
|
|
f.reloadCalled = true
|
|
f.reloadPathID = pathID
|
|
return f.reloadErr
|
|
}
|
|
|
|
// =============================================================================
|
|
// M-008 admin-gate triplet for Stats (GET).
|
|
// =============================================================================
|
|
|
|
func TestAdminSCEPIntune_NonAdmin_Returns403(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/intune/stats", nil)
|
|
req = req.WithContext(contextWithRequestID()) // request id only, no admin flag
|
|
w := httptest.NewRecorder()
|
|
|
|
h.Stats(w, req)
|
|
|
|
if w.Code != http.StatusForbidden {
|
|
t.Fatalf("expected 403 for non-admin, got %d (body=%q)", w.Code, w.Body.String())
|
|
}
|
|
var resp map[string]any
|
|
if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
|
|
t.Fatalf("decode response: %v", err)
|
|
}
|
|
msg, _ := resp["message"].(string)
|
|
if !strings.Contains(strings.ToLower(msg), "admin") {
|
|
t.Errorf("expected message to mention admin requirement, got %q", msg)
|
|
}
|
|
if svc.statsCalled {
|
|
t.Errorf("service was invoked despite non-admin caller — gate failed open")
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPIntune_AdminExplicitFalse_Returns403(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/intune/stats", nil)
|
|
ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
|
|
ctx = context.WithValue(ctx, middleware.AdminKey{}, false)
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
|
|
h.Stats(w, req)
|
|
|
|
if w.Code != http.StatusForbidden {
|
|
t.Fatalf("expected 403 for admin=false, got %d", w.Code)
|
|
}
|
|
if svc.statsCalled {
|
|
t.Error("service called despite admin=false gate")
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPIntune_AdminPermitted_ForwardsActor(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{
|
|
rows: []service.IntuneStatsSnapshot{
|
|
{PathID: "corp", IssuerID: "iss-corp", Enabled: true},
|
|
{PathID: "iot", IssuerID: "iss-iot", Enabled: false},
|
|
},
|
|
}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/intune/stats", nil)
|
|
ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
|
|
ctx = context.WithValue(ctx, middleware.AdminKey{}, true)
|
|
ctx = context.WithValue(ctx, middleware.UserKey{}, "ops-admin")
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
|
|
h.Stats(w, req)
|
|
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("expected 200 for admin caller, got %d (body=%q)", w.Code, w.Body.String())
|
|
}
|
|
if !svc.statsCalled {
|
|
t.Fatal("service was not invoked for admin caller")
|
|
}
|
|
var resp map[string]any
|
|
if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
|
|
t.Fatalf("decode response: %v", err)
|
|
}
|
|
if pc, ok := resp["profile_count"].(float64); !ok || pc != 2 {
|
|
t.Errorf("profile_count = %v, want 2", resp["profile_count"])
|
|
}
|
|
if _, ok := resp["profiles"].([]any); !ok {
|
|
t.Errorf("profiles missing or wrong shape: %v", resp["profiles"])
|
|
}
|
|
}
|
|
|
|
// =============================================================================
|
|
// M-008 triplet for ReloadTrust (POST).
|
|
// =============================================================================
|
|
|
|
func TestAdminSCEPIntuneReload_NonAdmin_Returns403(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
|
|
strings.NewReader(`{"path_id":"corp"}`))
|
|
req.ContentLength = int64(len(`{"path_id":"corp"}`))
|
|
req = req.WithContext(contextWithRequestID())
|
|
w := httptest.NewRecorder()
|
|
|
|
h.ReloadTrust(w, req)
|
|
|
|
if w.Code != http.StatusForbidden {
|
|
t.Fatalf("expected 403 non-admin, got %d", w.Code)
|
|
}
|
|
if svc.reloadCalled {
|
|
t.Error("service called despite non-admin gate")
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPIntuneReload_AdminExplicitFalse_Returns403(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
|
|
strings.NewReader(`{"path_id":"corp"}`))
|
|
req.ContentLength = int64(len(`{"path_id":"corp"}`))
|
|
ctx := context.WithValue(context.Background(), middleware.AdminKey{}, false)
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
|
|
h.ReloadTrust(w, req)
|
|
|
|
if w.Code != http.StatusForbidden {
|
|
t.Fatalf("expected 403 admin=false, got %d", w.Code)
|
|
}
|
|
if svc.reloadCalled {
|
|
t.Error("service called despite admin=false gate")
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPIntuneReload_AdminPermitted_ForwardsActor(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
body := `{"path_id":"corp"}`
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
|
|
strings.NewReader(body))
|
|
req.ContentLength = int64(len(body))
|
|
ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
|
|
ctx = context.WithValue(ctx, middleware.UserKey{}, "ops-admin")
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
|
|
h.ReloadTrust(w, req)
|
|
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("expected 200, got %d (body=%q)", w.Code, w.Body.String())
|
|
}
|
|
if !svc.reloadCalled {
|
|
t.Fatal("reload was not invoked")
|
|
}
|
|
if svc.reloadPathID != "corp" {
|
|
t.Errorf("path_id forwarded = %q, want corp", svc.reloadPathID)
|
|
}
|
|
var resp map[string]any
|
|
_ = json.NewDecoder(w.Body).Decode(&resp)
|
|
if reloaded, _ := resp["reloaded"].(bool); !reloaded {
|
|
t.Errorf("response.reloaded = %v, want true", resp["reloaded"])
|
|
}
|
|
}
|
|
|
|
// =============================================================================
|
|
// Endpoint behavior — method gates, error mapping, body parsing.
|
|
// =============================================================================
|
|
|
|
func TestAdminSCEPIntuneStats_RejectsNonGetMethod(t *testing.T) {
|
|
h := NewAdminSCEPIntuneHandler(&fakeAdminSCEPIntuneService{})
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/stats", nil)
|
|
ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
h.Stats(w, req)
|
|
if w.Code != http.StatusMethodNotAllowed {
|
|
t.Errorf("expected 405 for POST, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPIntuneReload_RejectsNonPostMethod(t *testing.T) {
|
|
h := NewAdminSCEPIntuneHandler(&fakeAdminSCEPIntuneService{})
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/intune/reload-trust", nil)
|
|
ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
h.ReloadTrust(w, req)
|
|
if w.Code != http.StatusMethodNotAllowed {
|
|
t.Errorf("expected 405 for GET, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPIntuneStats_PropagatesServiceError(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{statsErr: errors.New("registry walk failed")}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/intune/stats", nil)
|
|
ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
h.Stats(w, req)
|
|
if w.Code != http.StatusInternalServerError {
|
|
t.Errorf("expected 500 on service error, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPIntuneReload_ProfileNotFound_Returns404(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{reloadErr: ErrAdminSCEPProfileNotFound}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
|
|
strings.NewReader(`{"path_id":"nonexistent"}`))
|
|
req.ContentLength = int64(len(`{"path_id":"nonexistent"}`))
|
|
ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
h.ReloadTrust(w, req)
|
|
if w.Code != http.StatusNotFound {
|
|
t.Errorf("expected 404 for unknown profile, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPIntuneReload_IntuneDisabled_Returns409(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{reloadErr: service.ErrSCEPProfileIntuneDisabled}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
|
|
strings.NewReader(`{"path_id":"iot"}`))
|
|
req.ContentLength = int64(len(`{"path_id":"iot"}`))
|
|
ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
h.ReloadTrust(w, req)
|
|
if w.Code != http.StatusConflict {
|
|
t.Errorf("expected 409 for Intune-disabled profile, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPIntuneReload_BadReloadPropagates500(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{reloadErr: errors.New("trust anchor cert expired")}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
|
|
strings.NewReader(`{"path_id":"corp"}`))
|
|
req.ContentLength = int64(len(`{"path_id":"corp"}`))
|
|
ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
h.ReloadTrust(w, req)
|
|
if w.Code != http.StatusInternalServerError {
|
|
t.Errorf("expected 500 on bad reload, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPIntuneReload_EmptyBodyTargetsLegacyRoot(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust", nil)
|
|
ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
h.ReloadTrust(w, req)
|
|
if w.Code != http.StatusOK {
|
|
t.Errorf("expected 200 with empty body (legacy root path), got %d", w.Code)
|
|
}
|
|
if svc.reloadPathID != "" {
|
|
t.Errorf("empty body should target empty PathID; got %q", svc.reloadPathID)
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPIntuneReload_RejectsMalformedJSON(t *testing.T) {
|
|
h := NewAdminSCEPIntuneHandler(&fakeAdminSCEPIntuneService{})
|
|
bad := `{not valid json`
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/intune/reload-trust",
|
|
strings.NewReader(bad))
|
|
req.ContentLength = int64(len(bad))
|
|
ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
h.ReloadTrust(w, req)
|
|
if w.Code != http.StatusBadRequest {
|
|
t.Errorf("expected 400 on malformed JSON, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
// =============================================================================
|
|
// AdminSCEPIntuneServiceImpl — narrow integration with the per-profile map.
|
|
// =============================================================================
|
|
|
|
func TestAdminSCEPIntuneServiceImpl_NilMapReturnsEmpty(t *testing.T) {
|
|
impl := NewAdminSCEPIntuneServiceImpl(nil)
|
|
rows, err := impl.Stats(context.Background(), time.Now())
|
|
if err != nil {
|
|
t.Fatalf("nil-map Stats: %v", err)
|
|
}
|
|
if len(rows) != 0 {
|
|
t.Errorf("nil-map Stats len=%d, want 0", len(rows))
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPIntuneServiceImpl_ReloadUnknownPathReturnsNotFound(t *testing.T) {
|
|
impl := NewAdminSCEPIntuneServiceImpl(map[string]*service.SCEPService{})
|
|
if err := impl.ReloadTrust(context.Background(), "nope"); !errors.Is(err, ErrAdminSCEPProfileNotFound) {
|
|
t.Errorf("ReloadTrust unknown = %v, want ErrAdminSCEPProfileNotFound", err)
|
|
}
|
|
}
|
|
|
|
// =============================================================================
|
|
// M-008 admin-gate triplet for Profiles (GET) — Phase 9 follow-up endpoint.
|
|
// =============================================================================
|
|
|
|
func TestAdminSCEPProfiles_NonAdmin_Returns403(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/profiles", nil)
|
|
req = req.WithContext(contextWithRequestID()) // request id only, no admin flag
|
|
w := httptest.NewRecorder()
|
|
|
|
h.Profiles(w, req)
|
|
|
|
if w.Code != http.StatusForbidden {
|
|
t.Fatalf("expected 403 for non-admin, got %d (body=%q)", w.Code, w.Body.String())
|
|
}
|
|
var resp map[string]any
|
|
if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
|
|
t.Fatalf("decode response: %v", err)
|
|
}
|
|
msg, _ := resp["message"].(string)
|
|
if !strings.Contains(strings.ToLower(msg), "admin") {
|
|
t.Errorf("expected message to mention admin requirement, got %q", msg)
|
|
}
|
|
if svc.profilesCalled {
|
|
t.Errorf("service was invoked despite non-admin caller — gate failed open")
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPProfiles_AdminExplicitFalse_Returns403(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/profiles", nil)
|
|
ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
|
|
ctx = context.WithValue(ctx, middleware.AdminKey{}, false)
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
|
|
h.Profiles(w, req)
|
|
|
|
if w.Code != http.StatusForbidden {
|
|
t.Fatalf("expected 403 for admin=false, got %d", w.Code)
|
|
}
|
|
if svc.profilesCalled {
|
|
t.Error("service called despite admin=false gate")
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPProfiles_AdminPermitted_ForwardsActor(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{
|
|
profileRows: []service.SCEPProfileStatsSnapshot{
|
|
{
|
|
PathID: "corp",
|
|
IssuerID: "iss-corp",
|
|
ChallengePasswordSet: true,
|
|
MTLSEnabled: true,
|
|
Intune: &service.IntuneSection{
|
|
Audience: "https://certctl.example.com/scep/corp",
|
|
},
|
|
},
|
|
{
|
|
PathID: "iot",
|
|
IssuerID: "iss-iot",
|
|
ChallengePasswordSet: true,
|
|
// Intune nil — disabled
|
|
},
|
|
},
|
|
}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/profiles", nil)
|
|
ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
|
|
ctx = context.WithValue(ctx, middleware.AdminKey{}, true)
|
|
ctx = context.WithValue(ctx, middleware.UserKey{}, "ops-admin")
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
|
|
h.Profiles(w, req)
|
|
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("expected 200 for admin caller, got %d (body=%q)", w.Code, w.Body.String())
|
|
}
|
|
if !svc.profilesCalled {
|
|
t.Fatal("service was not invoked for admin caller")
|
|
}
|
|
var resp map[string]any
|
|
if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
|
|
t.Fatalf("decode response: %v", err)
|
|
}
|
|
if pc, ok := resp["profile_count"].(float64); !ok || pc != 2 {
|
|
t.Errorf("profile_count = %v, want 2", resp["profile_count"])
|
|
}
|
|
rows, ok := resp["profiles"].([]any)
|
|
if !ok || len(rows) != 2 {
|
|
t.Fatalf("profiles missing or wrong shape: %v", resp["profiles"])
|
|
}
|
|
// Find the Intune-enabled vs Intune-disabled row by path_id and
|
|
// assert the Intune sub-block is present/absent accordingly.
|
|
for _, raw := range rows {
|
|
row := raw.(map[string]any)
|
|
switch row["path_id"] {
|
|
case "corp":
|
|
if _, has := row["intune"]; !has {
|
|
t.Errorf("expected corp profile to carry an intune sub-block")
|
|
}
|
|
case "iot":
|
|
if _, has := row["intune"]; has {
|
|
t.Errorf("expected iot profile to OMIT the intune sub-block (Intune disabled)")
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPProfiles_RejectsNonGetMethod(t *testing.T) {
|
|
h := NewAdminSCEPIntuneHandler(&fakeAdminSCEPIntuneService{})
|
|
req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/scep/profiles", nil)
|
|
ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
h.Profiles(w, req)
|
|
if w.Code != http.StatusMethodNotAllowed {
|
|
t.Errorf("expected 405 for POST, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPProfiles_PropagatesServiceError(t *testing.T) {
|
|
svc := &fakeAdminSCEPIntuneService{profilesErr: errors.New("registry walk failed")}
|
|
h := NewAdminSCEPIntuneHandler(svc)
|
|
req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/scep/profiles", nil)
|
|
ctx := context.WithValue(context.Background(), middleware.AdminKey{}, true)
|
|
req = req.WithContext(ctx)
|
|
w := httptest.NewRecorder()
|
|
h.Profiles(w, req)
|
|
if w.Code != http.StatusInternalServerError {
|
|
t.Errorf("expected 500 on service error, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestAdminSCEPProfilesServiceImpl_NilMapReturnsEmpty(t *testing.T) {
|
|
impl := NewAdminSCEPIntuneServiceImpl(nil)
|
|
rows, err := impl.Profiles(context.Background(), time.Now())
|
|
if err != nil {
|
|
t.Fatalf("nil-map Profiles: %v", err)
|
|
}
|
|
if len(rows) != 0 {
|
|
t.Errorf("nil-map Profiles len=%d, want 0", len(rows))
|
|
}
|
|
}
|