Move testing_utils.go to testing_utils_test.go for SCEP tests

[lucasmrod]

Resolves #45220

Here's one example why this is a good idea.

On main, the fleet production binary contains a private key used for testing:

$ strings ./build/fleet | rg "BEGIN RSA TESTING"
proto3-----BEGIN RSA TESTING KEY-----

And it's gone when using this branch:

$ strings ./build/fleet | rg "BEGIN RSA TESTING"
<empty>

Testing

• QA'd all new/changed functionality manually.

Summary by CodeRabbit

• Chores
  • Reorganized internal test infrastructure for certificate enrollment testing to improve test organization and maintainability.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[coderabbitai]

Walkthrough

This pull request reorganizes SCEP test server helpers by establishing a new sceptest subpackage within ee/server/service/scep/. The change moves test constructors (NewTestNDESAdminServer, NewTestDynamicChallengeServer) and adds embedded HTML fixtures for SCEP NDES admin responses. Test files are updated to import from sceptest instead of the main scep package, and a local UTF-16 encoding helper is added to scep_proxy_test.go to support fixture loading. This aligns with the broader effort to prevent test-only code from being linked into production binaries.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 71.43% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Move testing_utils.go to testing_utils_test.go for SCEP tests' accurately describes the main objective: moving test-only code into _test.go files for the SCEP package.
Description check	✅ Passed	The PR description fills the required 'Related issue' field (Resolves #45220), provides clear context with a before/after example showing test RSA key removal, and marks testing as completed with a checkbox.
Linked Issues check	✅ Passed	The PR successfully addresses issue #45220 by moving SCEP test utilities (testing_utils, test fixtures) from production-reachable packages into _test.go and sceptest subpackage, eliminating 'testing' package from production binary for SCEP.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to resolving #45220: moving SCEP test code out of production. Changes to scep_proxy_test.go, sceptest.go, and integration_certificate_authorities_test.go all focus on test package reorganization with no unrelated modifications.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch remove-more-testing-utils-from-production-binaries-round-8

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ee/server/service/scep/sceptest/sceptest.go`:
- Around line 98-103: The helper NewTestNDESAdminServer currently ignores its
integer status parameter (`_ int`) and always uses the hardcoded returnStatus
http.StatusOK; change the signature to accept a named parameter (e.g.,
responseStatus int) and set returnStatus = responseStatus (or if responseStatus
is 0 default to http.StatusOK) and ensure the handler uses returnStatus when
writing the response status; alternatively, remove the unused parameter entirely
and keep the hardcoded status—update references to NewTestNDESAdminServer
accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: cfee979d-b5ee-48d9-bec8-adf2cbd6f4fe

📥 Commits

Reviewing files that changed from the base of the PR and between fa0b8de and 6591643.

⛔ Files ignored due to path filters (1)

• ee/server/service/scep/sceptest/testdata/testca/ca.pem is excluded by !**/*.pem

📒 Files selected for processing (7)

• ee/server/service/scep/scep_proxy_test.go
• ee/server/service/scep/sceptest/sceptest.go
• ee/server/service/scep/sceptest/testdata/mscep_admin_cache_full.html
• ee/server/service/scep/sceptest/testdata/mscep_admin_insufficient_permissions.html
• ee/server/service/scep/sceptest/testdata/mscep_admin_password.html
• ee/server/service/scep/sceptest/testdata/testca/ca.key
• server/service/integration_certificate_authorities_test.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use the responseStatus parameter (or remove it).

Line 98 keeps a status argument but ignores it (_ int), while Line 102 hardcodes http.StatusOK. That makes this helper misleading and prevents callers from simulating non-200 admin responses.

Suggested fix

-func NewTestNDESAdminServer(t *testing.T, responseTemplate string, _ int) *httptest.Server {
+func NewTestNDESAdminServer(t *testing.T, responseTemplate string, responseStatus int) *httptest.Server {
 	t.Helper()

 	var returnPage func() []byte
-	returnStatus := http.StatusOK
+	returnStatus := responseStatus
+	if returnStatus == 0 {
+		returnStatus = http.StatusOK
+	}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	func NewTestNDESAdminServer(t *testing.T, responseTemplate string, _ int) *httptest.Server {
	t.Helper()
	var returnPage func() []byte
	returnStatus := http.StatusOK
	ndesAdminServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	ndesAdminServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
	func NewTestNDESAdminServer(t *testing.T, responseTemplate string, responseStatus int) *httptest.Server {
	t.Helper()
	var returnPage func() []byte
	returnStatus := responseStatus
	if returnStatus == 0 {
	returnStatus = http.StatusOK
	}
	ndesAdminServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ee/server/service/scep/sceptest/sceptest.go` around lines 98 - 103, The
helper NewTestNDESAdminServer currently ignores its integer status parameter (`_
int`) and always uses the hardcoded returnStatus http.StatusOK; change the
signature to accept a named parameter (e.g., responseStatus int) and set
returnStatus = responseStatus (or if responseStatus is 0 default to
http.StatusOK) and ensure the handler uses returnStatus when writing the
response status; alternatively, remove the unused parameter entirely and keep
the hardcoded status—update references to NewTestNDESAdminServer accordingly.

[Copilot]

Pull request overview

This PR refactors SCEP-related test helpers into a dedicated sceptest package so that production builds no longer risk linking Go’s testing package (and embedded test secrets) via non-_test.go files.

Changes:

• Update integration and unit tests to use the new ee/server/service/scep/sceptest helper package.
• Add embedded SCEP/NDES test fixtures (CA cert/key + canned NDES admin HTML pages) under sceptest/testdata/.
• Improve/adjust helper documentation and server behavior to support SCEP proxy tests.

Reviewed changes

Copilot reviewed 3 out of 8 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
server/service/integration_certificate_authorities_test.go	Switches integration tests to use sceptest helpers instead of importing SCEP helpers from the production package.
ee/server/service/scep/sceptest/sceptest.go	Defines the new sceptest package and embeds test CA + NDES HTML fixtures for SCEP proxy tests.
ee/server/service/scep/scep_proxy_test.go	Updates SCEP proxy tests to use sceptest.NewTestSCEPServer and new fixture paths; adds a local UTF-16 helper.
ee/server/service/scep/sceptest/testdata/testca/ca.pem	Adds embedded CA certificate fixture for the SCEP test server.
ee/server/service/scep/sceptest/testdata/testca/ca.key	Adds embedded CA private key fixture for the SCEP test server.
ee/server/service/scep/sceptest/testdata/mscep_admin_password.html	Adds canned NDES admin “password” HTML fixture.
ee/server/service/scep/sceptest/testdata/mscep_admin_insufficient_permissions.html	Adds canned NDES admin “insufficient permissions” HTML fixture.
ee/server/service/scep/sceptest/testdata/mscep_admin_cache_full.html	Adds canned NDES admin “cache full” HTML fixture.

Comments suppressed due to low confidence (2)

ee/server/service/scep/sceptest/sceptest.go:104

• NewTestNDESAdminServer still accepts a responseStatus argument (callers pass http.StatusOK), but the function ignores it (_ int) and always responds with http.StatusOK. This makes the helper misleading and prevents tests from exercising non-200 responses. Please either (a) use the parameter to set returnStatus, or (b) remove the parameter and update call sites accordingly.
  ee/server/service/scep/sceptest/sceptest.go:156
• fmt.Println(r.URL.Path) in NewTestDynamicChallengeServer will write to stdout during tests and can make CI output noisy/flaky. Please remove the unconditional print, or replace it with t.Logf behind a debug flag if the path is needed for troubleshooting.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[codecov]

Codecov Report

❌ Patch coverage is 33.33333% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.72%. Comparing base (fa0b8de) to head (6591643).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
ee/server/service/scep/sceptest/sceptest.go	33.33%	2 Missing and 2 partials ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #45619   +/-   ##
=======================================
  Coverage   66.72%   66.72%           
=======================================
  Files        2740     2740           
  Lines      218984   218983    -1     
  Branches    10961    10961           
=======================================
+ Hits       146108   146112    +4     
+ Misses      59672    59666    -6     
- Partials    13204    13205    +1     

Flag	Coverage Δ
backend	68.56% <33.33%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.