fix tests and merge the escrow function

Author: weswhet

Makefile

@@ -60,8 +60,8 @@ build_binary:
 	# bazel build --platforms=@io_bazel_rules_go//go/toolchain:darwin_amd64 //:cmd:crypt-amd
 	# bazel build --platforms=@io_bazel_rules_go//go/toolchain:darwin_arm //cmd:crypt-arm
 	# tools/bazel_to_builddir.sh
-	CGO_ENABLED=1 CC=/opt/homebrew/opt/llvm/bin/clang CXX=/opt/homebrew/opt/llvm/bin/clang++ GOOS=darwin GOARCH=arm64 go build -ldflags "-X main.version=${BUNDLE_VERSION}" -o build/checkin.arm64 cmd/main.go
-	CGO_ENABLED=1 CC=/opt/homebrew/opt/llvm/bin/clang CXX=/opt/homebrew/opt/llvm/bin/clang++ GOOS=darwin GOARCH=amd64 go build -ldflags "-X main.version=${BUNDLE_VERSION}" -o build/checkin.amd64 cmd/main.go
+	MACOSX_DEPLOYMENT_TARGET=13.0 CGO_ENABLED=1 CC=/opt/homebrew/opt/llvm/bin/clang CXX=/opt/homebrew/opt/llvm/bin/clang++ GOOS=darwin GOARCH=arm64 go build -ldflags "-X main.version=${BUNDLE_VERSION}" -o build/checkin.arm64 cmd/main.go
+	MACOSX_DEPLOYMENT_TARGET=13.0 CGO_ENABLED=1 CC=/opt/homebrew/opt/llvm/bin/clang CXX=/opt/homebrew/opt/llvm/bin/clang++ GOOS=darwin GOARCH=amd64 go build -ldflags "-X main.version=${BUNDLE_VERSION}" -o build/checkin.amd64 cmd/main.go
 	/usr/bin/lipo -create -output build/checkin build/checkin.arm64 build/checkin.amd64
 	/bin/rm build/checkin.arm64
 	/bin/rm build/checkin.amd64

pkg/authmechs/authemechs.go

@@ -55,13 +55,12 @@ func checkMechsInDB(db AuthDB, mechList []string, indexMech string, indexOffset
 	return reflect.DeepEqual(db.Mechanisms[insertIndex:insertIndex+len(mechList)], mechList)
 }
 
-func setMechsInDB(db AuthDB, mechList []string, indexMech string, indexOffset int, add bool) AuthDB {
+func setMechsInDB(db AuthDB, mechList []string, indexMech string, indexOffset int) AuthDB {
+	// Remove all the mechanisms that crypt ever added but are not needed anymore we'll re-add the ones we need
 	db = removeMechsInDB(db, fv2MechsToRemove)
 
-	if add {
-		insertIndex := indexOf(db.Mechanisms, indexMech) + indexOffset
-		db.Mechanisms = insertMechsAtPosition(db.Mechanisms, mechList, insertIndex)
-	}
+	insertIndex := indexOf(db.Mechanisms, indexMech) + indexOffset
+	db.Mechanisms = insertMechsAtPosition(db.Mechanisms, mechList, insertIndex)
 
 	return db
 }
@@ -114,7 +113,7 @@ func editAuthDB(r utils.Runner, add bool) error {
 		return err
 	}
 
-	d = setMechsInDB(d, fv2Mechs, fv2IndexMech, fv2IndexOffset, add)
+	d = setMechsInDB(d, fv2Mechs, fv2IndexMech, fv2IndexOffset)
 	data, err := plist.Marshal(d)
 	if err != nil {
 		return err

pkg/authmechs/authmechs_test.go

@@ -101,7 +101,6 @@ func TestSetMechsInDB(t *testing.T) {
 		mechList    []string
 		indexMech   string
 		indexOffset int
-		add         bool
 		want        AuthDB
 	}{
 		{
@@ -110,7 +109,6 @@ func TestSetMechsInDB(t *testing.T) {
 			mechList:    []string{"mech1", "mech2"},
 			indexMech:   "mech1",
 			indexOffset: 1,
-			add:         true,
 			want:        AuthDB{Mechanisms: []string{"mech1", "mech2"}},
 		},
 		{
@@ -119,7 +117,6 @@ func TestSetMechsInDB(t *testing.T) {
 			mechList:    []string{"mech4", "mech5"},
 			indexMech:   "mech2",
 			indexOffset: 1,
-			add:         true,
 			want:        AuthDB{Mechanisms: []string{"mech1", "mech2", "mech4", "mech5", "mech3"}},
 		},
 		{
@@ -128,32 +125,29 @@ func TestSetMechsInDB(t *testing.T) {
 			mechList:    []string{},
 			indexMech:   "mech2",
 			indexOffset: 1,
-			add:         true,
 			want:        AuthDB{Mechanisms: []string{"mech1", "mech2", "mech3"}},
 		},
 		{
-			name:        "Test with non-empty db, add is false",
+			name:        "Test with non-empty db and mechList to add",
 			db:          AuthDB{Mechanisms: []string{"mech1", "mech2", "mech3"}},
-			mechList:    []string{"mech4", "mech3"},
+			mechList:    []string{"mech4", "mech5"},
 			indexMech:   "mech2",
 			indexOffset: 1,
-			add:         false,
-			want:        AuthDB{Mechanisms: []string{"mech1", "mech2"}},
+			want:        AuthDB{Mechanisms: []string{"mech1", "mech2", "mech4", "mech5", "mech3"}},
 		},
 		{
-			name:        "Test with non-empty db, mechList is empty, add is false",
+			name:        "Test with non-empty db, empty mechList",
 			db:          AuthDB{Mechanisms: []string{"mech1", "mech2", "mech3"}},
 			mechList:    []string{},
 			indexMech:   "mech2",
 			indexOffset: 1,
-			add:         false,
 			want:        AuthDB{Mechanisms: []string{"mech1", "mech2", "mech3"}},
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got := setMechsInDB(tt.db, tt.mechList, tt.indexMech, tt.indexOffset, tt.add)
+			got := setMechsInDB(tt.db, tt.mechList, tt.indexMech, tt.indexOffset)
 			assert.Equal(t, tt.want, got)
 		})
 	}

pkg/checkin/escrow.go

@@ -130,13 +130,7 @@ func RunEscrow(r utils.Runner, p pref.PrefInterface) error {
 		return errors.Wrap(err, "failed to get mTLS common name for escrow")
 	}
 
-	if mTLScommonName != "" {
-		// we will use mTLS for escrow, as well as native go http client
-		keyRotated, err = escrowWithMTLS(cryptData, r, p, mTLScommonName)
-	} else {
-		// escrow using curl if mTLS is not configured
-		keyRotated, err = escrowKey(cryptData, r, p)
-	}
+	keyRotated, err = escrowKey(cryptData, r, p, mTLScommonName)
 	if err != nil {
 		return errors.Wrap(err, "escrow operation failed")
 	}
@@ -546,44 +540,60 @@ func runCurl(configFile string, r utils.Runner, p pref.PrefInterface) (string, e
 	return string(out), nil
 }
 
-// escrowKey attempts to escrow a key by sending data to a server URL built from preferences.
-// It logs the process and handles errors appropriately.
+// escrowKey attempts to escrow a key to the server, using either mTLS or curl based on configuration.
+// It builds the check-in URL, constructs the form data, and sends the escrow request using
+// the appropriate method based on whether a CommonNameForEscrow is configured.
 //
 // Parameters:
-//   - plist: CryptData containing the data to be sent.
-//   - r: utils.Runner to execute commands.
-//   - p: pref.PrefInterface to retrieve preferences.
+//   - plist: CryptData containing the data to be sent
+//   - r: utils.Runner interface for executing commands
+//   - p: pref.PrefInterface for accessing preferences
+//   - mTLScommonName: Optional common name for mTLS authentication. If empty, curl will be used.
 //
 // Returns:
-//   - bool: indicating if the key rotation was initiated by the server.
-//   - error: if any error occurs during the process.
-func escrowKey(plist CryptData, r utils.Runner, p pref.PrefInterface) (bool, error) {
+//   - bool: Indicates if the key was rotated as part of the escrow process
+//   - error: Any error encountered during the process
+func escrowKey(plist CryptData, r utils.Runner, p pref.PrefInterface, mTLScommonName string) (bool, error) {
 	log.Println("Attempting to Escrow Key...")
-	// serverURL, err := p.GetString("ServerURL")
-	// if err != nil {
-	// 	return errors.Wrap(err, "failed to get server URL")
-	// }
+
 	theURL, err := buildCheckinURL(p)
 	if err != nil {
 		return false, errors.Wrap(err, "failed to build checkin URL")
 	}
 
+	// Build form data
 	data, err := buildData(plist, r)
 	if err != nil {
 		return false, errors.Wrap(err, "failed to build data")
 	}
-	configFile := utils.BuildCurlConfigFile(map[string]string{"url": theURL, "data": data})
-	output, err := runCurl(configFile, r, p)
-	if err != nil {
-		return false, errors.Wrap(err, "failed to run curl")
+
+	var responseBody string
+
+	// Determine whether to use mTLS or curl based on whether a common name is provided
+	if mTLScommonName != "" {
+		log.Printf("Using mTLS for escrow with common name: %s", mTLScommonName)
+		body, err := sendRequest(theURL, data, mTLScommonName)
+		if err != nil {
+			return false, errors.Wrap(err, "failed to send request with mTLS")
+		}
+		responseBody = string(body)
+	} else {
+		log.Println("Using curl for escrow")
+		configFile := utils.BuildCurlConfigFile(map[string]string{"url": theURL, "data": data})
+		output, err := runCurl(configFile, r, p)
+		if err != nil {
+			return false, errors.Wrap(err, "failed to run curl")
+		}
+		responseBody = output
 	}
 
 	log.Println("Key escrow successful.")
 
-	keyRotated, err := serverInitiatedRotation(output, r, p)
+	keyRotated, err := serverInitiatedRotation(responseBody, r, p)
 	if err != nil {
 		return false, errors.Wrap(err, "serverInitiatedRotation")
 	}
+
 	return keyRotated, nil
 }
 
@@ -773,48 +783,6 @@ func getRecoveryKey(keyLocation string, p pref.PrefInterface) (string, error) {
 	return key.RecoveryKey, nil
 }
 
-// escrowWithMTLS attempts to escrow a key using mTLS (mutual TLS) authentication.
-// It builds the check-in URL, constructs the form data, creates an HTTP POST request,
-// and sends it using an mTLS client. The function checks the response status and
-// processes the response body to determine if the key escrow was successful.
-//
-// Parameters:
-//   - plist: CryptData containing the data to be sent.
-//   - r: utils.Runner interface for executing commands.
-//   - p: pref.PrefInterface for accessing preferences.
-//
-// Returns:
-//   - bool: Indicates if the key was rotated as part of the escrow process.
-//   - error: Any error encountered during the process.
-func escrowWithMTLS(plist CryptData, r utils.Runner, p pref.PrefInterface, commonName string) (bool, error) {
-	log.Println("Attempting to Escrow Key...")
-
-	theURL, err := buildCheckinURL(p)
-	if err != nil {
-		return false, errors.Wrap(err, "failed to build checkin URL")
-	}
-
-	// Build form data
-	data, err := buildData(plist, r)
-	if err != nil {
-		return false, errors.Wrap(err, "failed to build data")
-	}
-
-	body, err := sendRequest(theURL, data, commonName)
-	if err != nil {
-		return false, errors.Wrap(err, "failed to send request")
-	}
-
-	log.Println("Key escrow successful.")
-
-	keyRotated, err := serverInitiatedRotation(string(body), r, p)
-	if err != nil {
-		return false, errors.Wrap(err, "serverInitiatedRotation")
-	}
-
-	return keyRotated, nil
-}
-
 // sendRequest sends an HTTP POST request to the specified URL with the given data
 // and uses mTLS (mutual TLS) for authentication with the provided common name.
 // It returns the response body as a byte slice or an error if the request fails.