fix: code review cleanup from SCEP implementation

- Export radius.UpsertSecret and use it in loadOrGenerateSCEPRACert;
  fixes create-first ordering that masked non-AlreadyExists errors
- Precompute GetCACert degenerate response in NewHandler instead of
  re-encoding three certs on every request
- Bound pkiOperation body read to 64 KiB with io.LimitReader
- Hoist radiusHost split above switch in GenerateProfileHandler

Author: mbillow

cmd/pint/main.go

@@ -471,10 +471,8 @@ func loadOrGenerateSCEPRACert(ctx context.Context, log *zap.Logger, k8sClient ku
 		ObjectMeta: metav1.ObjectMeta{Name: cfg.SCEPRACertSecret, Namespace: cfg.Namespace},
 		Data:       map[string][]byte{"tls.crt": certPEM, "tls.key": keyPEM},
 	}
-	if _, createErr := k8sClient.CoreV1().Secrets(cfg.Namespace).Create(ctx, raSecret, metav1.CreateOptions{}); createErr != nil {
-		if _, updateErr := k8sClient.CoreV1().Secrets(cfg.Namespace).Update(ctx, raSecret, metav1.UpdateOptions{}); updateErr != nil {
-			return nil, nil, nil, fmt.Errorf("store SCEP RA cert: %w", updateErr)
-		}
+	if err := radius.UpsertSecret(ctx, k8sClient, raSecret); err != nil {
+		return nil, nil, nil, fmt.Errorf("store SCEP RA cert: %w", err)
 	}
 	log.Info("generated new SCEP RA cert")
 	return cert, key, cert.Raw, nil

internal/handlers/profile.go

@@ -44,9 +44,9 @@ func GenerateProfileHandler(log *zap.Logger, ipaClient *freeipa.Client, cfg *con
 			return
 		}
 
+		radiusHost := strings.Split(cfg.RadiusServer, ":")[0]
 		switch platform {
 		case "windows":
-			radiusHost := strings.Split(cfg.RadiusServer, ":")[0]
 			wlan, err := profile.BuildWLANProfile(profile.WLANProfileParams{
 				SSID:       cfg.WiFiSSID,
 				RadiusHost: radiusHost,
@@ -68,7 +68,6 @@ func GenerateProfileHandler(log *zap.Logger, ipaClient *freeipa.Client, cfg *con
 				c.JSON(http.StatusInternalServerError, gin.H{"error": "challenge generation failed"})
 				return
 			}
-			radiusHost := strings.Split(cfg.RadiusServer, ":")[0]
 			mc, err := profile.BuildMobileconfig(profile.MobileconfigParams{
 				SSID:                 cfg.WiFiSSID,
 				RadiusHost:           radiusHost,

internal/radius/reload.go

@@ -45,7 +45,7 @@ func WriteRadSecTLS(ctx context.Context, k8s kubernetes.Interface, namespace, se
 //   - ca.pem: RadSec CA chain; verifies connecting router client certificates
 //   - wifi-ca.pem: WiFi CA cert; verifies EAP-TLS user certificates
 func WriteRadSecServerCert(ctx context.Context, k8s kubernetes.Interface, namespace, secretName string, certPEM, keyPEM, caPEM, wifiCAPEM []byte) error {
-	return upsertSecret(ctx, k8s, &corev1.Secret{
+	return UpsertSecret(ctx, k8s, &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{Name: secretName, Namespace: namespace},
 		Data: map[string][]byte{
 			"tls.crt":     certPEM,
@@ -85,8 +85,8 @@ func patchSecretKey(ctx context.Context, k8s kubernetes.Interface, namespace, se
 	return err
 }
 
-// upsertSecret creates or updates a Kubernetes Secret.
-func upsertSecret(ctx context.Context, k8s kubernetes.Interface, secret *corev1.Secret) error {
+// UpsertSecret creates or updates a Kubernetes Secret.
+func UpsertSecret(ctx context.Context, k8s kubernetes.Interface, secret *corev1.Secret) error {
 	ns := secret.Namespace
 	_, err := k8s.CoreV1().Secrets(ns).Update(ctx, secret, metav1.UpdateOptions{})
 	if errors.IsNotFound(err) {

internal/scep/server.go

@@ -30,7 +30,8 @@ type Handler struct {
 	raKey       *rsa.PrivateKey
 	// RA cert + wireless CA + root CA, ordered for GetCACert response.
 	// RA cert must be first so clients use it for envelope encryption.
-	caCerts []*x509.Certificate
+	caCerts    []*x509.Certificate
+	degCACerts []byte // precomputed GetCACert response body
 }
 
 func NewHandler(log *zap.Logger, store *ChallengeStore, ipaClient *freeipa.Client, caName, certProfile string, raCert *x509.Certificate, raKey *rsa.PrivateKey, caDER, rootCACertDER []byte) (*Handler, error) {
@@ -42,6 +43,11 @@ func NewHandler(log *zap.Logger, store *ChallengeStore, ipaClient *freeipa.Clien
 	if err != nil {
 		return nil, fmt.Errorf("parse root CA: %w", err)
 	}
+	caCerts := []*x509.Certificate{raCert, wifiCA, rootCA}
+	deg, err := sceppkg.DegenerateCertificates(caCerts)
+	if err != nil {
+		return nil, fmt.Errorf("build CA cert response: %w", err)
+	}
 	return &Handler{
 		log:         log,
 		store:       store,
@@ -50,7 +56,8 @@ func NewHandler(log *zap.Logger, store *ChallengeStore, ipaClient *freeipa.Clien
 		certProfile: certProfile,
 		raCert:      raCert,
 		raKey:       raKey,
-		caCerts:     []*x509.Certificate{raCert, wifiCA, rootCA},
+		caCerts:     caCerts,
+		degCACerts:  deg,
 	}, nil
 }
 
@@ -75,13 +82,7 @@ func (h *Handler) handle(c *gin.Context) {
 }
 
 func (h *Handler) getCACert(c *gin.Context) {
-	deg, err := sceppkg.DegenerateCertificates(h.caCerts)
-	if err != nil {
-		h.log.Error("scep: GetCACert failed", zap.Error(err))
-		c.Status(http.StatusInternalServerError)
-		return
-	}
-	c.Data(http.StatusOK, "application/x-x509-ca-ra-cert", deg)
+	c.Data(http.StatusOK, "application/x-x509-ca-ra-cert", h.degCACerts)
 }
 
 func (h *Handler) pkiOperation(c *gin.Context) {
@@ -91,7 +92,7 @@ func (h *Handler) pkiOperation(c *gin.Context) {
 		// SCEP GET fallback: message is base64-encoded in the query param.
 		body, err = base64.StdEncoding.DecodeString(c.Query("message"))
 	} else {
-		body, err = io.ReadAll(c.Request.Body)
+		body, err = io.ReadAll(io.LimitReader(c.Request.Body, 64*1024))
 	}
 	if err != nil || len(body) == 0 {
 		c.Status(http.StatusBadRequest)