refactor: eliminate remaining code duplication flagged by SonarCloud

Robbie-Microsoft · Copilot · Robbie-Microsoft · commit f0f12432bb55 · 2026-04-09T02:54:50.000Z
cng_windows.go: extract ncryptSign() helper to share the two-step
NCryptSignHash pattern (size query + actual sign) between signPSS()
and signPKCS1v15(). Removes ~30 duplicate lines.

jwtutil: add PrintTokenInfo() sharing token preview, expiry, TokenSource,
and JWT claim printing across both test drivers. Removes ~15 duplicate
lines from path1 and path2 main.go.

All unit tests pass.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/apps/managedidentity/cng_windows.go b/apps/managedidentity/cng_windows.go
@@ -210,38 +210,7 @@ func (s *cngSigner) signPSS(digest []byte, opts *rsa.PSSOptions) ([]byte, error)
 	}
 
 	padding := bcryptPSSPaddingInfo{pszAlgId: algNameUTF16, cbSalt: saltLen}
-	paddingFlags := uint32(ncryptPadPSSFlag)
-
-	var sigLen uint32
-	ret, _, _ := procNCryptSignHash.Call(
-		s.hKey,
-		uintptr(unsafe.Pointer(&padding)),
-		uintptr(unsafe.Pointer(&digest[0])),
-		uintptr(len(digest)),
-		0,
-		0,
-		uintptr(unsafe.Pointer(&sigLen)),
-		uintptr(paddingFlags),
-	)
-	if ret != 0 {
-		return nil, fmt.Errorf("NCryptSignHash PSS (size query) failed: 0x%x", ret)
-	}
-
-	sig := make([]byte, sigLen)
-	ret, _, _ = procNCryptSignHash.Call(
-		s.hKey,
-		uintptr(unsafe.Pointer(&padding)),
-		uintptr(unsafe.Pointer(&digest[0])),
-		uintptr(len(digest)),
-		uintptr(unsafe.Pointer(&sig[0])),
-		uintptr(sigLen),
-		uintptr(unsafe.Pointer(&sigLen)),
-		uintptr(paddingFlags),
-	)
-	if ret != 0 {
-		return nil, fmt.Errorf("NCryptSignHash PSS failed: 0x%x", ret)
-	}
-	return sig[:sigLen], nil
+	return ncryptSign(s.hKey, unsafe.Pointer(&padding), ncryptPadPSSFlag, digest, "PSS")
 }
 
 func (s *cngSigner) signPKCS1v15(digest []byte, opts crypto.SignerOpts) ([]byte, error) {
@@ -255,13 +224,16 @@ func (s *cngSigner) signPKCS1v15(digest []byte, opts crypto.SignerOpts) ([]byte,
 		return nil, fmt.Errorf("converting hash alg name: %w", err)
 	}
 	padding := bcryptPKCS1PaddingInfo{pszAlgId: algNameUTF16}
-	paddingFlags := uint32(0x00000002) // NCRYPT_PAD_PKCS1_FLAG
+	return ncryptSign(s.hKey, unsafe.Pointer(&padding), 0x00000002, digest, "PKCS1v15")
+}
 
-	// Get required buffer size
+// ncryptSign performs a two-step NCryptSignHash call (size query, then sign)
+// using the provided key handle, padding info pointer, padding flags, and digest.
+func ncryptSign(hKey uintptr, padding unsafe.Pointer, paddingFlags uint32, digest []byte, label string) ([]byte, error) {
 	var sigLen uint32
 	ret, _, _ := procNCryptSignHash.Call(
-		s.hKey,
-		uintptr(unsafe.Pointer(&padding)),
+		hKey,
+		uintptr(padding),
 		uintptr(unsafe.Pointer(&digest[0])),
 		uintptr(len(digest)),
 		0,
@@ -270,13 +242,13 @@ func (s *cngSigner) signPKCS1v15(digest []byte, opts crypto.SignerOpts) ([]byte,
 		uintptr(paddingFlags),
 	)
 	if ret != 0 {
-		return nil, fmt.Errorf("NCryptSignHash (size query) failed: 0x%x", ret)
+		return nil, fmt.Errorf("NCryptSignHash %s (size query) failed: 0x%x", label, ret)
 	}
 
 	sig := make([]byte, sigLen)
 	ret, _, _ = procNCryptSignHash.Call(
-		s.hKey,
-		uintptr(unsafe.Pointer(&padding)),
+		hKey,
+		uintptr(padding),
 		uintptr(unsafe.Pointer(&digest[0])),
 		uintptr(len(digest)),
 		uintptr(unsafe.Pointer(&sig[0])),
@@ -285,7 +257,7 @@ func (s *cngSigner) signPKCS1v15(digest []byte, opts crypto.SignerOpts) ([]byte,
 		uintptr(paddingFlags),
 	)
 	if ret != 0 {
-		return nil, fmt.Errorf("NCryptSignHash failed: 0x%x", ret)
+		return nil, fmt.Errorf("NCryptSignHash %s failed: 0x%x", label, ret)
 	}
 	return sig[:sigLen], nil
 }
diff --git a/apps/tests/devapps/mtls-pop/internal/jwtutil/jwt.go b/apps/tests/devapps/mtls-pop/internal/jwtutil/jwt.go
@@ -4,7 +4,9 @@ package jwtutil
 import (
 	"encoding/base64"
 	"encoding/json"
+	"fmt"
 	"strings"
+	"time"
 )
 
 // DecodeClaims decodes the JWT payload and returns (token_type, cnf) claims.
@@ -35,3 +37,25 @@ func DecodeClaims(token string) (tokenType, cnf string) {
 	}
 	return
 }
+
+// PrintTokenInfo prints common mTLS PoP token details: token preview, expiry,
+// token source, and decoded JWT claims (token_type, cnf).
+func PrintTokenInfo(accessToken string, expiresOn time.Time, tokenSource int) {
+	tokenLen := len(accessToken)
+	if tokenLen > 60 {
+		tokenLen = 60
+	}
+	fmt.Printf("  Token (first 60 chars): %s...\n", accessToken[:tokenLen])
+	fmt.Printf("  Expires:     %s\n", expiresOn)
+	fmt.Printf("  TokenSource: %v\n", tokenSource)
+
+	tokenType, cnf := DecodeClaims(accessToken)
+	fmt.Printf("  token_type (JWT): %s\n", tokenType)
+	fmt.Printf("  cnf claim (JWT):  %s\n", cnf)
+
+	if tokenType == "mtls_pop" {
+		fmt.Println("  ✅ Token type is mtls_pop")
+	} else {
+		fmt.Printf("  ⚠️  Token type is %q (expected mtls_pop)\n", tokenType)
+	}
+}
diff --git a/apps/tests/devapps/mtls-pop/path1_confidential/main.go b/apps/tests/devapps/mtls-pop/path1_confidential/main.go
@@ -212,22 +212,7 @@ func testHappyPath(cred confidential.Credential, certPEM, keyPEM []byte, tenantI
 		fmt.Println("  ❌ BindingCertificate is nil — expected non-nil for mTLS PoP")
 	}
 
-	tokenLen := len(result.AccessToken)
-	if tokenLen > 60 {
-		tokenLen = 60
-	}
-	fmt.Printf("  Token (first 60 chars): %s...\n", result.AccessToken[:tokenLen])
-	fmt.Printf("  Expires: %s\n", result.ExpiresOn)
-	fmt.Printf("  Source: %v\n", result.Metadata.TokenSource)
-
-	tokenType, cnf := jwtutil.DecodeClaims(result.AccessToken)
-	fmt.Printf("  token_type (JWT): %s\n", tokenType)
-	fmt.Printf("  cnf claim (JWT):  %s\n", cnf)
-	if tokenType == "mtls_pop" {
-		fmt.Println("  ✅ Token type is mtls_pop")
-	} else {
-		fmt.Printf("  ⚠️  Token type is %q (expected mtls_pop — verify tenant has mtlsauth enabled)\n", tokenType)
-	}
+	jwtutil.PrintTokenInfo(result.AccessToken, result.ExpiresOn, int(result.Metadata.TokenSource))
 
 	// Second call — should hit cache
 	fmt.Println("\n  Acquiring again (expect cache hit)...")
diff --git a/apps/tests/devapps/mtls-pop/path2_managedidentity/main.go b/apps/tests/devapps/mtls-pop/path2_managedidentity/main.go
@@ -84,24 +84,7 @@ func printResult(label string, result managedidentity.AuthResult) {
 	} else {
 		fmt.Println("  ❌ BindingCertificate is nil — expected non-nil for mTLS PoP")
 	}
-
-	tokenLen := len(result.AccessToken)
-	if tokenLen > 60 {
-		tokenLen = 60
-	}
-	fmt.Printf("  Token (first 60 chars): %s...\n", result.AccessToken[:tokenLen])
-	fmt.Printf("  Expires:     %s\n", result.ExpiresOn)
-	fmt.Printf("  TokenSource: %v\n", result.Metadata.TokenSource)
-
-	tokenType, cnf := jwtutil.DecodeClaims(result.AccessToken)
-	fmt.Printf("  token_type (JWT): %s\n", tokenType)
-	fmt.Printf("  cnf claim (JWT):  %s\n", cnf)
-
-	if tokenType == "mtls_pop" {
-		fmt.Println("  ✅ Token type is mtls_pop")
-	} else {
-		fmt.Printf("  ⚠️  Token type is %q (expected mtls_pop)\n", tokenType)
-	}
+	jwtutil.PrintTokenInfo(result.AccessToken, result.ExpiresOn, int(result.Metadata.TokenSource))
 }
 
 
