Apple non-proxied SCEP profile validation (PR 7/9)

[mostlikelee]

Related issue: Resolves #45223

What this PR does

Adds additionalNonProxiedSCEPValidation: any profile containing a com.apple.security.scep payload AND no Fleet proxy variables must carry $FLEET_VAR_CERTIFICATE_RENEWAL_ID in the cert Subject OU, or the upload is rejected. Profiles using Fleet proxy variables (NDES / Custom SCEP / Smallstep) keep their existing per-CA validators.

Why this is a follow-up to #45043

PR #45043 (2.3) added the ACME validator. Same renewal-ID requirement, same Decision 2.7 rationale, but it only fires on com.apple.security.acme payloads. Raw-SCEP profiles (literal Challenge/URL, no Fleet proxy vars — the Okta SCEP / Okta Verify-static-challenge flows named in #40639) still bypass all renewal-ID enforcement on main. This PR closes that gap.

What's new vs PR 2.3

• OU-only: the marker must live in Subject OU. CN placement is rejected. Net-new validator owes no back-compat for CN placement; aligns behavior with the "must be in the OU" error message that every existing validator already shows.
• Preferred-only: only $FLEET_VAR_CERTIFICATE_RENEWAL_ID is accepted. The legacy $FLEET_VAR_SCEP_RENEWAL_ID is rejected. Same net-new reasoning.
• Bypass broadening: validateConfigProfileFleetVariables's payload check now recognizes both ACME and SCEP via mobileconfig.HasPayloadType so the new validator runs before the fleetVars early-return.

Checklist for submitter

• Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements)

Testing

• Added/updated automated tests

Summary by CodeRabbit

• Bug Fixes

  • Improved validation for SCEP certificate configuration profiles to ensure renewal ID markers are properly configured.
  • Enhanced detection of invalid SCEP configurations to prevent misconfigurations.

• Tests

  • Added comprehensive test coverage for SCEP profile validation across multiple configuration scenarios.

[mostlikelee]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: cc201bfd-9104-4468-ac6b-b8a41cae6984

📥 Commits

Reviewing files that changed from the base of the PR and between 430df5d and c354fba.

📒 Files selected for processing (3)

• server/service/apple_mdm.go
• server/service/apple_mdm_test.go
• server/service/mdm_profiles.go

---

Walkthrough

This PR implements validation for non-proxied SCEP profiles to require a certificate auto-renewal marker ($FLEET_VAR_CERTIFICATE_RENEWAL_ID in the SCEP certificate Subject OrganizationalUnit). The change introduces a new helper function additionalNonProxiedSCEPValidation invoked during profile upload validation, which parses raw SCEP payloads and rejects those lacking the renewal-ID requirement while deferring to per-CA validators for profiles using Fleet proxy CA variables. Related validation bypass logic in mdm_profiles.go now recognizes both ACME and raw SCEP payloads when determining renewal-ID-only profiles. Comprehensive test coverage validates the preferred renewal-ID variable, rejects the legacy variable name, and confirms correct behavior across proxy and non-proxy scenarios.

Possibly related PRs

• fleetdm/fleet#45043: Introduces the new preferred renewal-marker variable name ($FLEET_VAR_CERTIFICATE_RENEWAL_ID) and associated regex that this PR now enforces in non-proxied SCEP certificate validation.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main change: adding validation for Apple non-proxied SCEP profiles with a renewal-ID requirement.
Description check	✅ Passed	The description covers the main objective, relates it to prior work (#45043), explains what's new, provides rationale, and marks required checklist items; however, it is missing the 'Changes file added' checklist item and some optional testing sections.
Linked Issues check	✅ Passed	The PR implements the coding requirement from #45223: rejecting non-proxied SCEP profiles lacking the renewal-ID marker in cert Subject OU, while preserving per-CA validation for proxied profiles.
Out of Scope Changes check	✅ Passed	All changes (new validation function, test coverage, payload detection refactor) are directly in scope for implementing non-proxied SCEP profile validation per #45223.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch pr-2.3b-raw-scep-validation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[codecov]

Codecov Report

❌ Patch coverage is 83.87097% with 5 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (40639-cert-renew@b649599). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
server/service/apple_mdm.go	83.33%	2 Missing and 2 partials ⚠️
server/service/mdm_profiles.go	85.71%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@                 Coverage Diff                 @@
##             40639-cert-renew   #45364   +/-   ##
===================================================
  Coverage                    ?   66.74%           
===================================================
  Files                       ?     2730           
  Lines                       ?   218567           
  Branches                    ?    10703           
===================================================
  Hits                        ?   145879           
  Misses                      ?    59467           
  Partials                    ?    13221           

Flag	Coverage Δ
backend	68.60% <83.87%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sgress454]

LGTM! It feels like when we're done here there's gonna be a fair amount of overlap/duplicated code between proxy-less SCEP and proxy-less ACME, that might be worth pulling into shared helpers at some point.

[sgress454]

This duck-typing is now repeated both here and in validateProfileCertificateAuthorityVariables, so they'll have to be kept in sync if any new kind of SCEP proxy is implemented. Not sure how likely that is.

[mostlikelee]

agree, i'll make a note