fleet/ee/server/service/request_certificate_test.go

package service

import (
	"context"
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"os"
	"testing"
	"time"

	"github.com/fleetdm/fleet/v4/ee/server/service/hydrant"
	"github.com/fleetdm/fleet/v4/server/authz"
	"github.com/fleetdm/fleet/v4/server/contexts/viewer"
	"github.com/fleetdm/fleet/v4/server/datastore/mysql/common_mysql"
	"github.com/fleetdm/fleet/v4/server/fleet"
	"github.com/fleetdm/fleet/v4/server/mock"
	"github.com/fleetdm/fleet/v4/server/ptr"
	"github.com/go-kit/log"
	"github.com/stretchr/testify/require"
)

const (
	// Go makes it a bit of a pain to generate a CSR with both a SAN email and UPN so the below
	// was generated with the following openSSL commands:
	/*
		UUID="85700036-11ef-11e1-bbda-389239cc2c41"
		UPN="fleetie@example.com"
		USERNAME="${UPN}"
		# USERNAME="badactor@example.com" # uncomment to make "bad" CSR

		# generate the password-protected private key
		openssl genpkey -algorithm RSA -out test.key -pkeyopt rsa_keygen_bits:2048 -aes256 -pass pass:$UUID

		# generate CSR signed with that private key
		openssl req -new -sha256 -key test.key -out test.csr -subj /CN=Test -addext "subjectAltName=DNS:example.com, email:$USERNAME, URI:ID:FleetDM:GUID:$UUID, otherName:msUPN;UTF8:$UPN" -passin pass:$UUID

		# modify CSR to be one-line with \n string literal characters to address API limitations
		sed 's/$/\\n/' test.csr | tr -d '\n' > test-escaped.csr
	*/
	goodCSR = "-----BEGIN CERTIFICATE REQUEST-----\nMIIC8jCCAdoCAQAwDzENMAsGA1UEAwwEVGVzdDCCASIwDQYJKoZIhvcNAQEBBQAD\nggEPADCCAQoCggEBALMrkHOVZWVGv9PqU20NgpWed9MdRtMc8406GGWQJ3Rj9/8J\ncy8LOx1d5/XWLKK5VbN2c1hD/a26qkgHtDMfzRXnv5oFybkhaI5tlc9yhQmJVFI2\nRIBsSkZvIlX+SNWV2RuiyVHyGbjhzi3wZen1s0aOeXMMHdD5FVEngX4Fz3TuTb/Z\n8romrsSmWb32fQyQxola9/xe0IAnXZocrxi4xPjNKQbEN/2+gQ/MRJx+c+xnV3MV\nIrXn+8Av8MMBsXhCDlmT2QrpRezNAwWwRni9yKOb0sZMtTDrsCOgAmWsj0Qxf/AS\nMPh7xbozXK4ubf5ombYxEdwGgYl/IKQUKvBKYMMCAwEAAaCBnTCBmgYJKoZIhvcN\nAQkOMYGMMIGJMIGGBgNVHREEfzB9ggtleGFtcGxlLmNvbYETZmxlZXRpZUBleGFt\ncGxlLmNvbYY0SUQ6RmxlZXRETTpHVUlEOjg1NzAwMDM2LTExZWYtMTFlMS1iYmRh\nLTM4OTIzOWNjMmM0MaAjBgorBgEEAYI3FAIDoBUME2ZsZWV0aWVAZXhhbXBsZS5j\nb20wDQYJKoZIhvcNAQELBQADggEBABSBUwyvH/B4kMi9haabDmXpgjb+I7GN2ibz\nN9xS0D/p1TEPNZ2owMdd71oEUPO+pL4PeOIKkn/TRm5ZjnVHtlwlz9PPtkyg7n0d\n6v1L0PPn17jMu9o5u984oP+PYt/VXjJfqzSv2QY2fuR7u108bnxVfWh03n0w1+is\npDQhM5jT+RmXbeOiMIwLojwsYV78y3IYu9ElskonL2v8HQUD9yP8TKlASEhYOD7N\npPLSre8uKL3+A1nyvhG53Ia5xID9mQR3cMO0g6wOoCMerJ4QYMX9jkfPolteT25m\n3NKghdVqvxjm/Oxp7ZFn7LsbdALjnXDYbnNYl8BQTc1rMInnuOw=\n-----END CERTIFICATE REQUEST-----\n"
	badCSR  = "-----BEGIN CERTIFICATE REQUEST-----\nMIIC9DCCAdwCAQAwDzENMAsGA1UEAwwEVGVzdDCCASIwDQYJKoZIhvcNAQEBBQAD\nggEPADCCAQoCggEBAKUUUwsYGpfCCFZYPFL2KLMtf9QdKTizvv3xGPPh6exUo5tB\nEIyhuifEbVIJwf5BhL3104rAY1uywdcUIHqHtWcmaEzS8G6vn1hE4iOMMh5qG6e2\nzobHTxeRgOSeUKHGXWy93BqS09Nkj5H8zlTJO6NjwD3SKiDYZGQDhljdsHTw9Txt\ndHHrEi+y4Qn4FoAf/ie7x2OmfemhLIqpLpU6BxMmqiEHkGObNNlgFGsHGGC3qs9G\nR+2roK3r+nQouMKbFL2CqDCd6F/dBfSSYgOTeOJeOLoM6mZuYqF7dTC1ZU9xhPIR\nzwi9sodQ6kYj++ZycUGT56s6/0yEc4E2AUHAeB0CAwEAAaCBnzCBnAYJKoZIhvcN\nAQkOMYGOMIGLMIGIBgNVHREEgYAwfoILZXhhbXBsZS5jb22BFGJhZGFjdG9yQGV4\nYW1wbGUuY29thjRJRDpGbGVldERNOkdVSUQ6ODU3MDAwMzYtMTFlZi0xMWUxLWJi\nZGEtMzg5MjM5Y2MyYzQxoCMGCisGAQQBgjcUAgOgFQwTZmxlZXRpZUBleGFtcGxl\nLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEASt8qgOCQTtYYYr7KDMcp90Kw+ZiJAL8k\nyRhJy4OsiO4mCdUVvzkyccfV+n6U/51ktPjYkWc1CVYXa+KNN/Z0prsAKYmonR9/\nJh3VVeZrwyglsw+X2ct/H9neOC433KfstRYAZ5WGCSaBJRN1+SUI23O6fjQN7DaL\ntzBPMXMcfNZoWj8rbM/E0WjTnlgUi6L3Ppys5xq1vupdQCiryE8J8A9kKHnMyEi4\nqkCoKOBajEIT9tyFKg5NDjMbIAHFLoUWpLeEtgrGnq5bqBE+q/gOUFb+uqJmQQQz\nVlzFj30tfmt3uBq79Wne1Hu0S634eaCbHOmbuOmLforQqzKpaHXqPQ==\n-----END CERTIFICATE REQUEST-----\n"
)

func TestRequestCertificate(t *testing.T) {
	t.Parallel()

	// Setup mock Oauth server
	defaultOauthIntrospectResponse := map[string]interface{}{
		"active":   true,
		"username": "fleetie@example.com",
	}
	oauthIntrospectResponse := defaultOauthIntrospectResponse
	oauthIntrospectStatus := http.StatusOK
	mockOauthServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.URL.Path != "/oauth2/v1/introspect" {
			w.WriteHeader(http.StatusNotFound)
			return
		}
		if oauthIntrospectStatus != http.StatusOK {
			w.WriteHeader(oauthIntrospectStatus)
			return
		}

		w.Header().Set("Content-Type", "application/json")
		err := json.NewEncoder(w).Encode(oauthIntrospectResponse)
		require.NoError(t, err)
	}))
	defer mockOauthServer.Close()

	// Setup mock hydrant server
	defaultHydrantSimpleEnrollResponse := "abc123"
	hydrantSimpleEnrollResponse := defaultHydrantSimpleEnrollResponse
	hydrantSimpleEnrollStatus := http.StatusOK

	mockHydrantServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet {
			if r.URL.Path != "/cacerts" {
				w.WriteHeader(http.StatusNotFound)
				return
			}
			w.Header().Set("Content-Type", "application/pkcs7-mime")
			w.WriteHeader(http.StatusOK)
			_, err := w.Write([]byte("Imagine if there was actually CA cert data here..."))
			require.NoError(t, err)
			return
		}

		if r.Method != http.MethodPost || r.URL.Path != "/simpleenroll" {
			w.WriteHeader(http.StatusNotFound)
			return
		}

		if hydrantSimpleEnrollStatus != http.StatusOK {
			w.WriteHeader(hydrantSimpleEnrollStatus)
			return
		}

		w.WriteHeader(http.StatusOK)
		_, err := w.Write([]byte(hydrantSimpleEnrollResponse))
		require.NoError(t, err)
	}))
	defer mockHydrantServer.Close()

	hydrantCA := &fleet.CertificateAuthority{
		ID:           1,
		Name:         ptr.String("TestHydrantCA"),
		Type:         string(fleet.CATypeHydrant),
		URL:          &mockHydrantServer.URL,
		ClientID:     ptr.String("test-client-id"),
		ClientSecret: ptr.String("test-client-secret"),
	}
	digicertCA := &fleet.CertificateAuthority{
		ID:        2,
		Name:      ptr.String("TestDigiCertCA"),
		Type:      string(fleet.CATypeDigiCert),
		URL:       ptr.String("https://api.digicert.com"),
		APIToken:  ptr.String("test-api-token"),
		ProfileID: ptr.String("test-profile-id"),
	}

	baseSetupForTests := func() (*Service, context.Context) {
		ds := new(mock.Store)

		// Setup DS mocks
		ds.GetCertificateAuthorityByIDFunc = func(ctx context.Context, id uint, includeSecrets bool) (*fleet.CertificateAuthority, error) {
			require.True(t, includeSecrets, "RequestCertificate should always fetch secrets")
			for _, ca := range []*fleet.CertificateAuthority{hydrantCA, digicertCA} {
				if ca.ID == id {
					return ca, nil
				}
			}
			return nil, common_mysql.NotFound("certificate authority")
		}

		ds.GetCertificateAuthorityByIDFuncInvoked = false
		authorizer, err := authz.NewAuthorizer()
		require.NoError(t, err)

		logger := log.NewLogfmtLogger(os.Stdout)
		svc := &Service{
			logger: logger,
			ds:     ds,
			authz:  authorizer,
			hydrantService: hydrant.NewService(
				hydrant.WithTimeout(2*time.Second),
				hydrant.WithLogger(logger),
			),
		}
		ctx := viewer.NewContext(context.Background(), viewer.Viewer{User: &fleet.User{GlobalRole: ptr.String(fleet.RoleAdmin)}})

		oauthIntrospectResponse = defaultOauthIntrospectResponse
		oauthIntrospectStatus = http.StatusOK
		hydrantSimpleEnrollResponse = defaultHydrantSimpleEnrollResponse
		hydrantSimpleEnrollStatus = http.StatusOK

		return svc, ctx
	}

	invalidCSR := InvalidCSRError{}
	invalidIDP := InvalidIDPTokenError{}

	t.Run("Request a certificate - Happy path", func(t *testing.T) {
		svc, ctx := baseSetupForTests()

		cert, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{
			ID:          hydrantCA.ID,
			CSR:         goodCSR,
			IDPOauthURL: ptr.String(mockOauthServer.URL + "/oauth2/v1/introspect"),
			IDPToken:    ptr.String("test-idp-token"),
			IDPClientID: ptr.String("test-client-id"), // Missing client ID
		})
		require.NoError(t, err)
		require.NotNil(t, cert)
		require.Equal(t, "-----BEGIN CERTIFICATE-----\n"+hydrantSimpleEnrollResponse+"\n-----END CERTIFICATE-----\n", *cert)
	})

	t.Run("Request a certificate - Happy path, no IDP", func(t *testing.T) {
		svc, ctx := baseSetupForTests()

		cert, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{
			ID:  hydrantCA.ID,
			CSR: goodCSR,
		})
		require.NoError(t, err)
		require.NotNil(t, cert)
		require.Equal(t, "-----BEGIN CERTIFICATE-----\n"+hydrantSimpleEnrollResponse+"\n-----END CERTIFICATE-----\n", *cert)
	})

	t.Run("Request a certificate - Happy path, no IDP, UPN does not match IDP info(should pass)", func(t *testing.T) {
		svc, ctx := baseSetupForTests()

		cert, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{
			ID:  hydrantCA.ID,
			CSR: badCSR,
		})
		require.NoError(t, err)
		require.NotNil(t, cert)
		require.Equal(t, "-----BEGIN CERTIFICATE-----\n"+hydrantSimpleEnrollResponse+"\n-----END CERTIFICATE-----\n", *cert)
	})

	t.Run("Request a certificate - CA returns error", func(t *testing.T) {
		svc, ctx := baseSetupForTests()
		hydrantSimpleEnrollResponse = "Oh no! Something bad happened"
		hydrantSimpleEnrollStatus = http.StatusInternalServerError
		cert, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{
			ID:          hydrantCA.ID,
			CSR:         goodCSR,
			IDPOauthURL: ptr.String(mockOauthServer.URL + "/oauth2/v1/introspect"),
			IDPToken:    ptr.String("test-idp-token"),
			IDPClientID: ptr.String("test-client-id"), // Missing client ID
		})
		require.ErrorContains(t, err, "Hydrant certificate request failed")
		require.Nil(t, cert)
	})

	t.Run("Request a certificate - IDP introspection reports non-active token", func(t *testing.T) {
		svc, ctx := baseSetupForTests()
		oauthIntrospectResponse = map[string]interface{}{
			"active": false,
		}
		cert, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{
			ID:          hydrantCA.ID,
			CSR:         goodCSR,
			IDPOauthURL: ptr.String(mockOauthServer.URL + "/oauth2/v1/introspect"),
			IDPToken:    ptr.String("test-idp-token"),
			IDPClientID: ptr.String("test-client-id"), // Missing client ID
		})
		require.ErrorAs(t, err, &invalidIDP)
		require.Nil(t, cert)
	})

	t.Run("Request a certificate - IDP introspection does not return a username", func(t *testing.T) {
		svc, ctx := baseSetupForTests()
		oauthIntrospectResponse = map[string]interface{}{
			"active": true,
		}
		cert, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{
			ID:          hydrantCA.ID,
			CSR:         goodCSR,
			IDPOauthURL: ptr.String(mockOauthServer.URL + "/oauth2/v1/introspect"),
			IDPToken:    ptr.String("test-idp-token"),
			IDPClientID: ptr.String("test-client-id"), // Missing client ID
		})
		require.ErrorAs(t, err, &invalidIDP)
		require.Nil(t, cert)
	})

	t.Run("Request a certificate - IDP introspection returns an error", func(t *testing.T) {
		svc, ctx := baseSetupForTests()
		oauthIntrospectResponse = map[string]interface{}{
			"error": "something bad happened",
		}
		oauthIntrospectStatus = http.StatusInternalServerError
		cert, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{
			ID:          hydrantCA.ID,
			CSR:         goodCSR,
			IDPOauthURL: ptr.String(mockOauthServer.URL + "/oauth2/v1/introspect"),
			IDPToken:    ptr.String("test-idp-token"),
			IDPClientID: ptr.String("test-client-id"), // Missing client ID
		})
		require.ErrorAs(t, err, &invalidIDP)
		require.Nil(t, cert)
	})

	t.Run("Request certificate - non-Hydrant CA", func(t *testing.T) {
		svc, ctx := baseSetupForTests()
		_, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{
			ID:          digicertCA.ID,
			CSR:         goodCSR,
			IDPOauthURL: ptr.String(mockOauthServer.URL + "/oauth2/v1/introspect"),
			IDPToken:    ptr.String("test-idp-token"),
			IDPClientID: ptr.String("test-idp-client-id"),
		})
		require.ErrorContains(t, err, "This API currently only supports Hydrant Certificate Authorities.")
	})

	t.Run("Request certificate - nonexistent CA", func(t *testing.T) {
		svc, ctx := baseSetupForTests()
		_, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{
			ID:          999,
			CSR:         goodCSR,
			IDPOauthURL: ptr.String(mockOauthServer.URL + "/oauth2/v1/introspect"),
			IDPToken:    ptr.String("test-idp-token"),
			IDPClientID: ptr.String("test-idp-client-id"),
		})
		require.ErrorContains(t, err, "certificate authority was not found in the datastore")
	})

	t.Run("Request certificate - missing IDP client ID", func(t *testing.T) {
		svc, ctx := baseSetupForTests()
		_, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{
			ID:          hydrantCA.ID,
			CSR:         goodCSR,
			IDPOauthURL: ptr.String(mockOauthServer.URL + "/oauth2/v1/introspect"),
			IDPToken:    ptr.String("test-idp-token"),
			IDPClientID: nil, // Missing client ID
		})
		require.ErrorContains(t, err, "IDP Client ID, Token, and OAuth URL all must be provided, if any are provided when requesting a certificate.")
	})

	t.Run("Request certificate - missing IDP token", func(t *testing.T) {
		svc, ctx := baseSetupForTests()
		_, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{
			ID:          hydrantCA.ID,
			CSR:         goodCSR,
			IDPOauthURL: ptr.String(mockOauthServer.URL + "/oauth2/v1/introspect"),
			IDPToken:    nil, // Missing IDP token
			IDPClientID: ptr.String("test-client-id"),
		})
		require.ErrorContains(t, err, "IDP Client ID, Token, and OAuth URL all must be provided, if any are provided when requesting a certificate.")
	})

	t.Run("Request certificate - missing IDP oauth URL", func(t *testing.T) {
		svc, ctx := baseSetupForTests()
		_, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{
			ID:          hydrantCA.ID,
			CSR:         goodCSR,
			IDPOauthURL: nil,
			IDPToken:    ptr.String("test-idp-token"),
			IDPClientID: ptr.String("test-client-id"), // Missing client ID
		})
		require.ErrorContains(t, err, "IDP Client ID, Token, and OAuth URL all must be provided, if any are provided when requesting a certificate.")
	})

	t.Run("Request certificate - CSR email and UPN do not match", func(t *testing.T) {
		svc, ctx := baseSetupForTests()
		_, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{
			ID:          hydrantCA.ID,
			CSR:         badCSR,
			IDPOauthURL: ptr.String(mockOauthServer.URL + "/oauth2/v1/introspect"),
			IDPToken:    ptr.String("test-idp-token"),
			IDPClientID: ptr.String("test-client-id"), // Missing client ID
		})
		require.ErrorAs(t, err, &invalidCSR)
	})

	t.Run("Request certificate - CSR is not a CSR, IDP provided", func(t *testing.T) {
		svc, ctx := baseSetupForTests()
		_, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{
			ID:          hydrantCA.ID,
			CSR:         "I'm not a CSR at all",
			IDPOauthURL: ptr.String(mockOauthServer.URL + "/oauth2/v1/introspect"),
			IDPToken:    ptr.String("test-idp-token"),
			IDPClientID: ptr.String("test-client-id"), // Missing client ID
		})
		require.ErrorAs(t, err, &invalidCSR)
	})

	t.Run("Request a certificate - CSR is not a CSR, no IDP provided", func(t *testing.T) {
		svc, ctx := baseSetupForTests()

		_, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{
			ID:  hydrantCA.ID,
			CSR: "I am not a CSR",
		})
		require.ErrorAs(t, err, &invalidCSR)
	})
}
Hydrant CA Feature Branch (#31807) There are still some TODOs particularly within Gitops test code which will be worked on in a followup PR # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [x] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes ## Testing - [x] Added/updated automated tests - [x] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [ ] QA'd all new/changed functionality manually For unreleased bug fixes in a release candidate, one of: - [x] Confirmed that the fix is not expected to adversely impact load test results - [x] Alerted the release DRI if additional load testing is needed ## Database migrations - [x] Checked table schema to confirm autoupdate - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). ## New Fleet configuration settings - [ ] Setting(s) is/are explicitly excluded from GitOps If you didn't check the box above, follow this checklist for GitOps-enabled settings: - [ ] Verified that the setting is exported via `fleetctl generate-gitops` - [x] Verified the setting is documented in a separate PR to [the GitOps documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485) - [x] Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional) - [x] Verified that any relevant UI is disabled when GitOps mode is enabled --------- Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com> Co-authored-by: Magnus Jensen <magnus@fleetdm.com> Co-authored-by: Sarah Gillespie <73313222+gillespi314@users.noreply.github.com> 2025-09-04 16:39:41 +00:00			`package service`

			`import (`
			`"context"`
			`"encoding/json"`
			`"net/http"`
			`"net/http/httptest"`
			`"os"`
			`"testing"`
			`"time"`

			`"github.com/fleetdm/fleet/v4/ee/server/service/hydrant"`
			`"github.com/fleetdm/fleet/v4/server/authz"`
			`"github.com/fleetdm/fleet/v4/server/contexts/viewer"`
			`"github.com/fleetdm/fleet/v4/server/datastore/mysql/common_mysql"`
			`"github.com/fleetdm/fleet/v4/server/fleet"`
			`"github.com/fleetdm/fleet/v4/server/mock"`
			`"github.com/fleetdm/fleet/v4/server/ptr"`
			`"github.com/go-kit/log"`
			`"github.com/stretchr/testify/require"`
			`)`

			`const (`
			`// Go makes it a bit of a pain to generate a CSR with both a SAN email and UPN so the below`
			`// was generated with the following openSSL commands:`
			`/*`
			`UUID="85700036-11ef-11e1-bbda-389239cc2c41"`
			`UPN="fleetie@example.com"`
			`USERNAME="${UPN}"`
			`# USERNAME="badactor@example.com" # uncomment to make "bad" CSR`

			`# generate the password-protected private key`
			`openssl genpkey -algorithm RSA -out test.key -pkeyopt rsa_keygen_bits:2048 -aes256 -pass pass:$UUID`

			`# generate CSR signed with that private key`
			`openssl req -new -sha256 -key test.key -out test.csr -subj /CN=Test -addext "subjectAltName=DNS:example.com, email:$USERNAME, URI:ID:FleetDM:GUID:$UUID, otherName:msUPN;UTF8:$UPN" -passin pass:$UUID`

			`# modify CSR to be one-line with \n string literal characters to address API limitations`
			`sed 's/$/\\n/' test.csr \| tr -d '\n' > test-escaped.csr`
			`*/`
			goodCSR = "-----BEGIN CERTIFICATE REQUEST-----\nMIIC8jCCAdoCAQAwDzENMAsGA1UEAwwEVGVzdDCCASIwDQYJKoZIhvcNAQEBBQAD\nggEPADCCAQoCggEBALMrkHOVZWVGv9PqU20NgpWed9MdRtMc8406GGWQJ3Rj9/8J\ncy8LOx1d5/XWLKK5VbN2c1hD/a26qkgHtDMfzRXnv5oFybkhaI5tlc9yhQmJVFI2\nRIBsSkZvIlX+SNWV2RuiyVHyGbjhzi3wZen1s0aOeXMMHdD5FVEngX4Fz3TuTb/Z\n8romrsSmWb32fQyQxola9/xe0IAnXZocrxi4xPjNKQbEN/2+gQ/MRJx+c+xnV3MV\nIrXn+8Av8MMBsXhCDlmT2QrpRezNAwWwRni9yKOb0sZMtTDrsCOgAmWsj0Qxf/AS\nMPh7xbozXK4ubf5ombYxEdwGgYl/IKQUKvBKYMMCAwEAAaCBnTCBmgYJKoZIhvcN\nAQkOMYGMMIGJMIGGBgNVHREEfzB9ggtleGFtcGxlLmNvbYETZmxlZXRpZUBleGFt\ncGxlLmNvbYY0SUQ6RmxlZXRETTpHVUlEOjg1NzAwMDM2LTExZWYtMTFlMS1iYmRh\nLTM4OTIzOWNjMmM0MaAjBgorBgEEAYI3FAIDoBUME2ZsZWV0aWVAZXhhbXBsZS5j\nb20wDQYJKoZIhvcNAQELBQADggEBABSBUwyvH/B4kMi9haabDmXpgjb+I7GN2ibz\nN9xS0D/p1TEPNZ2owMdd71oEUPO+pL4PeOIKkn/TRm5ZjnVHtlwlz9PPtkyg7n0d\n6v1L0PPn17jMu9o5u984oP+PYt/VXjJfqzSv2QY2fuR7u108bnxVfWh03n0w1+is\npDQhM5jT+RmXbeOiMIwLojwsYV78y3IYu9ElskonL2v8HQUD9yP8TKlASEhYOD7N\npPLSre8uKL3+A1nyvhG53Ia5xID9mQR3cMO0g6wOoCMerJ4QYMX9jkfPolteT25m\n3NKghdVqvxjm/Oxp7ZFn7LsbdALjnXDYbnNYl8BQTc1rMInnuOw=\n-----END CERTIFICATE REQUEST-----\n"
			badCSR = "-----BEGIN CERTIFICATE REQUEST-----\nMIIC9DCCAdwCAQAwDzENMAsGA1UEAwwEVGVzdDCCASIwDQYJKoZIhvcNAQEBBQAD\nggEPADCCAQoCggEBAKUUUwsYGpfCCFZYPFL2KLMtf9QdKTizvv3xGPPh6exUo5tB\nEIyhuifEbVIJwf5BhL3104rAY1uywdcUIHqHtWcmaEzS8G6vn1hE4iOMMh5qG6e2\nzobHTxeRgOSeUKHGXWy93BqS09Nkj5H8zlTJO6NjwD3SKiDYZGQDhljdsHTw9Txt\ndHHrEi+y4Qn4FoAf/ie7x2OmfemhLIqpLpU6BxMmqiEHkGObNNlgFGsHGGC3qs9G\nR+2roK3r+nQouMKbFL2CqDCd6F/dBfSSYgOTeOJeOLoM6mZuYqF7dTC1ZU9xhPIR\nzwi9sodQ6kYj++ZycUGT56s6/0yEc4E2AUHAeB0CAwEAAaCBnzCBnAYJKoZIhvcN\nAQkOMYGOMIGLMIGIBgNVHREEgYAwfoILZXhhbXBsZS5jb22BFGJhZGFjdG9yQGV4\nYW1wbGUuY29thjRJRDpGbGVldERNOkdVSUQ6ODU3MDAwMzYtMTFlZi0xMWUxLWJi\nZGEtMzg5MjM5Y2MyYzQxoCMGCisGAQQBgjcUAgOgFQwTZmxlZXRpZUBleGFtcGxl\nLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEASt8qgOCQTtYYYr7KDMcp90Kw+ZiJAL8k\nyRhJy4OsiO4mCdUVvzkyccfV+n6U/51ktPjYkWc1CVYXa+KNN/Z0prsAKYmonR9/\nJh3VVeZrwyglsw+X2ct/H9neOC433KfstRYAZ5WGCSaBJRN1+SUI23O6fjQN7DaL\ntzBPMXMcfNZoWj8rbM/E0WjTnlgUi6L3Ppys5xq1vupdQCiryE8J8A9kKHnMyEi4\nqkCoKOBajEIT9tyFKg5NDjMbIAHFLoUWpLeEtgrGnq5bqBE+q/gOUFb+uqJmQQQz\nVlzFj30tfmt3uBq79Wne1Hu0S634eaCbHOmbuOmLforQqzKpaHXqPQ==\n-----END CERTIFICATE REQUEST-----\n"
			`)`

			`func TestRequestCertificate(t *testing.T) {`
			`t.Parallel()`

			`// Setup mock Oauth server`
			`defaultOauthIntrospectResponse := map[string]interface{}{`
			`"active": true,`
			`"username": "fleetie@example.com",`
			`}`
			`oauthIntrospectResponse := defaultOauthIntrospectResponse`
			`oauthIntrospectStatus := http.StatusOK`
			`mockOauthServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`if r.Method != http.MethodPost \|\| r.URL.Path != "/oauth2/v1/introspect" {`
			`w.WriteHeader(http.StatusNotFound)`
			`return`
			`}`
			`if oauthIntrospectStatus != http.StatusOK {`
			`w.WriteHeader(oauthIntrospectStatus)`
			`return`
			`}`

			`w.Header().Set("Content-Type", "application/json")`
			`err := json.NewEncoder(w).Encode(oauthIntrospectResponse)`
			`require.NoError(t, err)`
			`}))`
			`defer mockOauthServer.Close()`

			`// Setup mock hydrant server`
			`defaultHydrantSimpleEnrollResponse := "abc123"`
			`hydrantSimpleEnrollResponse := defaultHydrantSimpleEnrollResponse`
			`hydrantSimpleEnrollStatus := http.StatusOK`

			`mockHydrantServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`if r.Method == http.MethodGet {`
			`if r.URL.Path != "/cacerts" {`
			`w.WriteHeader(http.StatusNotFound)`
			`return`
			`}`
			`w.Header().Set("Content-Type", "application/pkcs7-mime")`
			`w.WriteHeader(http.StatusOK)`
			`_, err := w.Write([]byte("Imagine if there was actually CA cert data here..."))`
			`require.NoError(t, err)`
			`return`
			`}`

			`if r.Method != http.MethodPost \|\| r.URL.Path != "/simpleenroll" {`
			`w.WriteHeader(http.StatusNotFound)`
			`return`
			`}`

			`if hydrantSimpleEnrollStatus != http.StatusOK {`
			`w.WriteHeader(hydrantSimpleEnrollStatus)`
			`return`
			`}`

			`w.WriteHeader(http.StatusOK)`
			`_, err := w.Write([]byte(hydrantSimpleEnrollResponse))`
			`require.NoError(t, err)`
			`}))`
			`defer mockHydrantServer.Close()`

			`hydrantCA := &fleet.CertificateAuthority{`
			`ID: 1,`
			`Name: ptr.String("TestHydrantCA"),`
			`Type: string(fleet.CATypeHydrant),`
			`URL: &mockHydrantServer.URL,`
			`ClientID: ptr.String("test-client-id"),`
			`ClientSecret: ptr.String("test-client-secret"),`
			`}`
			`digicertCA := &fleet.CertificateAuthority{`
			`ID: 2,`
			`Name: ptr.String("TestDigiCertCA"),`
			`Type: string(fleet.CATypeDigiCert),`
			`URL: ptr.String("https://api.digicert.com"),`
			`APIToken: ptr.String("test-api-token"),`
			`ProfileID: ptr.String("test-profile-id"),`
			`}`

			`baseSetupForTests := func() (*Service, context.Context) {`
			`ds := new(mock.Store)`

			`// Setup DS mocks`
			`ds.GetCertificateAuthorityByIDFunc = func(ctx context.Context, id uint, includeSecrets bool) (*fleet.CertificateAuthority, error) {`
			`require.True(t, includeSecrets, "RequestCertificate should always fetch secrets")`
			`for _, ca := range []*fleet.CertificateAuthority{hydrantCA, digicertCA} {`
			`if ca.ID == id {`
			`return ca, nil`
			`}`
			`}`
			`return nil, common_mysql.NotFound("certificate authority")`
			`}`

			`ds.GetCertificateAuthorityByIDFuncInvoked = false`
			`authorizer, err := authz.NewAuthorizer()`
			`require.NoError(t, err)`

			`logger := log.NewLogfmtLogger(os.Stdout)`
			`svc := &Service{`
			`logger: logger,`
			`ds: ds,`
			`authz: authorizer,`
			`hydrantService: hydrant.NewService(`
			`hydrant.WithTimeout(2*time.Second),`
			`hydrant.WithLogger(logger),`
			`),`
			`}`
			`ctx := viewer.NewContext(context.Background(), viewer.Viewer{User: &fleet.User{GlobalRole: ptr.String(fleet.RoleAdmin)}})`

			`oauthIntrospectResponse = defaultOauthIntrospectResponse`
			`oauthIntrospectStatus = http.StatusOK`
			`hydrantSimpleEnrollResponse = defaultHydrantSimpleEnrollResponse`
			`hydrantSimpleEnrollStatus = http.StatusOK`

			`return svc, ctx`
			`}`

			`invalidCSR := InvalidCSRError{}`
			`invalidIDP := InvalidIDPTokenError{}`

			`t.Run("Request a certificate - Happy path", func(t *testing.T) {`
			`svc, ctx := baseSetupForTests()`

			`cert, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{`
			`ID: hydrantCA.ID,`
			`CSR: goodCSR,`
			`IDPOauthURL: ptr.String(mockOauthServer.URL + "/oauth2/v1/introspect"),`
			`IDPToken: ptr.String("test-idp-token"),`
			`IDPClientID: ptr.String("test-client-id"), // Missing client ID`
			`})`
			`require.NoError(t, err)`
			`require.NotNil(t, cert)`
			`require.Equal(t, "-----BEGIN CERTIFICATE-----\n"+hydrantSimpleEnrollResponse+"\n-----END CERTIFICATE-----\n", *cert)`
			`})`

			`t.Run("Request a certificate - Happy path, no IDP", func(t *testing.T) {`
			`svc, ctx := baseSetupForTests()`

			`cert, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{`
			`ID: hydrantCA.ID,`
			`CSR: goodCSR,`
			`})`
			`require.NoError(t, err)`
			`require.NotNil(t, cert)`
			`require.Equal(t, "-----BEGIN CERTIFICATE-----\n"+hydrantSimpleEnrollResponse+"\n-----END CERTIFICATE-----\n", *cert)`
			`})`

			`t.Run("Request a certificate - Happy path, no IDP, UPN does not match IDP info(should pass)", func(t *testing.T) {`
			`svc, ctx := baseSetupForTests()`

			`cert, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{`
			`ID: hydrantCA.ID,`
			`CSR: badCSR,`
			`})`
			`require.NoError(t, err)`
			`require.NotNil(t, cert)`
			`require.Equal(t, "-----BEGIN CERTIFICATE-----\n"+hydrantSimpleEnrollResponse+"\n-----END CERTIFICATE-----\n", *cert)`
			`})`

			`t.Run("Request a certificate - CA returns error", func(t *testing.T) {`
			`svc, ctx := baseSetupForTests()`
			`hydrantSimpleEnrollResponse = "Oh no! Something bad happened"`
			`hydrantSimpleEnrollStatus = http.StatusInternalServerError`
			`cert, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{`
			`ID: hydrantCA.ID,`
			`CSR: goodCSR,`
			`IDPOauthURL: ptr.String(mockOauthServer.URL + "/oauth2/v1/introspect"),`
			`IDPToken: ptr.String("test-idp-token"),`
			`IDPClientID: ptr.String("test-client-id"), // Missing client ID`
			`})`
			`require.ErrorContains(t, err, "Hydrant certificate request failed")`
			`require.Nil(t, cert)`
			`})`

			`t.Run("Request a certificate - IDP introspection reports non-active token", func(t *testing.T) {`
			`svc, ctx := baseSetupForTests()`
			`oauthIntrospectResponse = map[string]interface{}{`
			`"active": false,`
			`}`
			`cert, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{`
			`ID: hydrantCA.ID,`
			`CSR: goodCSR,`
			`IDPOauthURL: ptr.String(mockOauthServer.URL + "/oauth2/v1/introspect"),`
			`IDPToken: ptr.String("test-idp-token"),`
			`IDPClientID: ptr.String("test-client-id"), // Missing client ID`
			`})`
			`require.ErrorAs(t, err, &invalidIDP)`
			`require.Nil(t, cert)`
			`})`

			`t.Run("Request a certificate - IDP introspection does not return a username", func(t *testing.T) {`
			`svc, ctx := baseSetupForTests()`
			`oauthIntrospectResponse = map[string]interface{}{`
			`"active": true,`
			`}`
			`cert, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{`
			`ID: hydrantCA.ID,`
			`CSR: goodCSR,`
			`IDPOauthURL: ptr.String(mockOauthServer.URL + "/oauth2/v1/introspect"),`
			`IDPToken: ptr.String("test-idp-token"),`
			`IDPClientID: ptr.String("test-client-id"), // Missing client ID`
			`})`
			`require.ErrorAs(t, err, &invalidIDP)`
			`require.Nil(t, cert)`
			`})`

			`t.Run("Request a certificate - IDP introspection returns an error", func(t *testing.T) {`
			`svc, ctx := baseSetupForTests()`
			`oauthIntrospectResponse = map[string]interface{}{`
			`"error": "something bad happened",`
			`}`
			`oauthIntrospectStatus = http.StatusInternalServerError`
			`cert, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{`
			`ID: hydrantCA.ID,`
			`CSR: goodCSR,`
			`IDPOauthURL: ptr.String(mockOauthServer.URL + "/oauth2/v1/introspect"),`
			`IDPToken: ptr.String("test-idp-token"),`
			`IDPClientID: ptr.String("test-client-id"), // Missing client ID`
			`})`
			`require.ErrorAs(t, err, &invalidIDP)`
			`require.Nil(t, cert)`
			`})`

			`t.Run("Request certificate - non-Hydrant CA", func(t *testing.T) {`
			`svc, ctx := baseSetupForTests()`
			`_, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{`
			`ID: digicertCA.ID,`
			`CSR: goodCSR,`
			`IDPOauthURL: ptr.String(mockOauthServer.URL + "/oauth2/v1/introspect"),`
			`IDPToken: ptr.String("test-idp-token"),`
			`IDPClientID: ptr.String("test-idp-client-id"),`
			`})`
			`require.ErrorContains(t, err, "This API currently only supports Hydrant Certificate Authorities.")`
			`})`

			`t.Run("Request certificate - nonexistent CA", func(t *testing.T) {`
			`svc, ctx := baseSetupForTests()`
			`_, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{`
			`ID: 999,`
			`CSR: goodCSR,`
			`IDPOauthURL: ptr.String(mockOauthServer.URL + "/oauth2/v1/introspect"),`
			`IDPToken: ptr.String("test-idp-token"),`
			`IDPClientID: ptr.String("test-idp-client-id"),`
			`})`
			`require.ErrorContains(t, err, "certificate authority was not found in the datastore")`
			`})`

			`t.Run("Request certificate - missing IDP client ID", func(t *testing.T) {`
			`svc, ctx := baseSetupForTests()`
			`_, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{`
			`ID: hydrantCA.ID,`
			`CSR: goodCSR,`
			`IDPOauthURL: ptr.String(mockOauthServer.URL + "/oauth2/v1/introspect"),`
			`IDPToken: ptr.String("test-idp-token"),`
			`IDPClientID: nil, // Missing client ID`
			`})`
			`require.ErrorContains(t, err, "IDP Client ID, Token, and OAuth URL all must be provided, if any are provided when requesting a certificate.")`
			`})`

			`t.Run("Request certificate - missing IDP token", func(t *testing.T) {`
			`svc, ctx := baseSetupForTests()`
			`_, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{`
			`ID: hydrantCA.ID,`
			`CSR: goodCSR,`
			`IDPOauthURL: ptr.String(mockOauthServer.URL + "/oauth2/v1/introspect"),`
			`IDPToken: nil, // Missing IDP token`
			`IDPClientID: ptr.String("test-client-id"),`
			`})`
			`require.ErrorContains(t, err, "IDP Client ID, Token, and OAuth URL all must be provided, if any are provided when requesting a certificate.")`
			`})`

			`t.Run("Request certificate - missing IDP oauth URL", func(t *testing.T) {`
			`svc, ctx := baseSetupForTests()`
			`_, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{`
			`ID: hydrantCA.ID,`
			`CSR: goodCSR,`
			`IDPOauthURL: nil,`
			`IDPToken: ptr.String("test-idp-token"),`
			`IDPClientID: ptr.String("test-client-id"), // Missing client ID`
			`})`
			`require.ErrorContains(t, err, "IDP Client ID, Token, and OAuth URL all must be provided, if any are provided when requesting a certificate.")`
			`})`

			`t.Run("Request certificate - CSR email and UPN do not match", func(t *testing.T) {`
			`svc, ctx := baseSetupForTests()`
			`_, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{`
			`ID: hydrantCA.ID,`
			`CSR: badCSR,`
			`IDPOauthURL: ptr.String(mockOauthServer.URL + "/oauth2/v1/introspect"),`
			`IDPToken: ptr.String("test-idp-token"),`
			`IDPClientID: ptr.String("test-client-id"), // Missing client ID`
			`})`
			`require.ErrorAs(t, err, &invalidCSR)`
			`})`

			`t.Run("Request certificate - CSR is not a CSR, IDP provided", func(t *testing.T) {`
			`svc, ctx := baseSetupForTests()`
			`_, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{`
			`ID: hydrantCA.ID,`
			`CSR: "I'm not a CSR at all",`
			`IDPOauthURL: ptr.String(mockOauthServer.URL + "/oauth2/v1/introspect"),`
			`IDPToken: ptr.String("test-idp-token"),`
			`IDPClientID: ptr.String("test-client-id"), // Missing client ID`
			`})`
			`require.ErrorAs(t, err, &invalidCSR)`
			`})`

			`t.Run("Request a certificate - CSR is not a CSR, no IDP provided", func(t *testing.T) {`
			`svc, ctx := baseSetupForTests()`

			`_, err := svc.RequestCertificate(ctx, fleet.RequestCertificatePayload{`
			`ID: hydrantCA.ID,`
			`CSR: "I am not a CSR",`
			`})`
			`require.ErrorAs(t, err, &invalidCSR)`
			`})`
			`}`