feat(tunnel): Add mTLS authentication tests (T-6.2)

[obtFusi]

Summary

• Add unit tests for mTLS certificate validation logic (TC19, TC21-TC23, TC27)
• Add mtlstest E2E test binary for Windows VMs
• Verify mTLS server infrastructure is ready (port 33074, CA loaded, domain mapping)

Test Cases Implemented

Test	Beschreibung	Status
TC19	Issuer-CA Validation (wrong CA rejected)	Unit ✅, E2E Tool ✅
TC21	mTLS-Strict Method-Allowlist (no cert → Unauthenticated)	E2E Tool ✅
TC22	Multi-SAN AllowedDomains (evil.com + corp.local → corp.local accepted)	Unit ✅
TC23	Multi-SAN Rejection (only evil.com → rejected)	Unit ✅
TC27	Issuer-Fingerprint Validation (via VerifiedChains)	Unit ✅, E2E Tool ✅

Unit Test Results

=== RUN   TestMTLSCertGeneration
--- PASS: TestMTLSCertGeneration (0.00s)
=== RUN   TestMTLSMultiSANValidation
    --- PASS: TC22: evil.com + corp.local → corp.local accepted
    --- PASS: TC23: only evil.com → rejected
--- PASS: TestMTLSMultiSANValidation (0.00s)
=== RUN   TestMTLSIssuerValidation
--- PASS: TestMTLSIssuerValidation (0.00s)

Infrastructure Verification

mTLS Server (10.0.0.103:33074):
✅ Port 33074 listening
✅ TLS handshake successful
✅ Server requests client certificate (Request CERT)
✅ CA certificate loaded (test-ca.crt)
✅ Domain mapping: test.local → d5pnitkcvkrc73eb6um0
✅ Issuer fingerprint: 42fecad0...

E2E Test Tool Usage

# On Windows VM
.\mtlstest.exe -server 10.0.0.103:33074
.\mtlstest.exe -server 10.0.0.103:33074 -test tc21
.\mtlstest.exe -server 10.0.0.103:33074 -ca .\test-ca.crt

Files Changed

• client/internal/tunnel/mtls_test.go - Unit tests
• client/internal/tunnel/cmd/mtlstest/main.go - E2E test binary

Closes #55

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Added Windows Machine Tunnel bootstrap automation with two-phase authentication (Setup-Key and mTLS).
  • Added automated domain join and certificate enrollment for pre-login VPN scenarios.
  • Added mTLS-based authentication support for machine tunnel clients with certificate validation.
  • Added DC connectivity verification and pre-join requirement validation.

• Documentation

  • Added architecture decision records for mTLS port strategy and certificate integration.

• Chores

  • Enhanced CI/CD workflows with auto-labeling and linting for pull requests.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[obtFusi]

Opened on wrong repository by mistake. This should go to our fork obtFusi/netbird-fork.

[coderabbitai]

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Walkthrough

Introduces comprehensive Windows pre-login VPN machine tunnel with two-phase bootstrap (Setup-Key then mTLS), automatic certificate enrollment, domain join automation, management server mTLS authentication, peer registration/sync RPCs, and supporting infrastructure including git hooks, GitHub workflows, PowerShell scripts, and test certificates.

Changes

Cohort / File(s)	Summary
Git Configuration & Automation .githooks/pre-commit, .github/ISSUE_TEMPLATE/*, .github/workflows/*, .github/dependabot.yml, .gitignore, Makefile	Added pre-commit hook for gofmt and secret scanning; GitHub issue templates (bug, feature, epic, story, task) with German labels; auto-labeling workflow; PR linting for conventional commits; e2e tunnel test workflow; Dependabot config for go, github-actions, docker; expanded .gitignore for secrets/artifacts.
Client Tunnel Bootstrap client/internal/tunnel/bootstrap.go, client/internal/tunnel/bootstrap_test.go	Implements two-phase bootstrap: Phase 1 (Setup-Key auth) and Phase 2 (mTLS with client cert). Includes MachineConfig, BootstrapResult, AuthMethod types; certificate validation; URL construction; server connectivity with fallback logic.
Certificate Enrollment & Management client/internal/tunnel/certenroll.go, client/internal/tunnel/certenroll_test.go	Adds cert validation, SHA-256 thumbprint computation, renewal checks, PowerShell script generation for enrollment via AD CS. Includes CertEnrollmentConfig/Result types, ParseCertificateFile, WatchCertificateExpiry, ExtractIssuerFingerprint.
Domain Join Utilities client/internal/tunnel/domainjoin.go, client/internal/tunnel/domainjoin_test.go	Implements DC connectivity verification (LDAP, LDAPS, Kerberos, DNS, SMB, NTP ports), PreJoinChecklist validation, GenerateDomainJoinScript for automated domain join via PowerShell.
Certificate Trust & Pinning client/internal/tunnel/trust_windows.go, client/internal/tunnel/mtls_test.go	Adds certificate fingerprinting, pin-based verification, issuer validation; InstallCACert/RemoveCACert for Windows cert store management via certutil.
Windows Security & Encryption client/internal/tunnel/security_windows.go, client/internal/tunnel/interface_windows.go, client/internal/tunnel/interface_other.go, client/internal/tunnel/eventlog_windows.go	DPAPI-based encryption/decryption for setup keys; secure config management with ACL hardening; WireGuard interface discovery/verification; Windows event log registration and logging helpers.
Client Test Tools client/internal/tunnel/cmd/mtlstest/main.go, client/internal/tunnel/cmd/securitytest/main.go, client/internal/tunnel/cmd/trusttest/main.go	Windows CLI tools for mTLS authentication, security feature validation (DPAPI, ACLs, event logs), and certificate trust bootstrap testing.
SSH Server Tests client/ssh/server/jwt_test.go, client/ssh/server/test.go, client/server/debug_test.go	Added error handling wrappers for server cleanup; replaced goroutine-based readiness checks with SSH banner polling; server startup synchronization via health endpoint.
Management Server mTLS Infrastructure management/internals/server/mtls_auth.go, management/internals/server/mtls_auth_test.go, management/internals/server/mtls_server.go, management/internals/server/boot.go	Implements mTLS interceptors for gRPC (unary/stream); identity extraction from certificates (DNSName, domain, issuer, template OID); domain-to-account mapping; issuer fingerprint validation; dedicated mTLS server on port 33074 with CA cert loading.
Management Configuration & Server Changes management/internals/server/config/config.go, management/internals/server/server.go, management/server/peer.go, management/server/peer/peer.go	Added HttpServerConfig fields for mTLS (enabled, port, CA, strict mode, domain/issuer mappings); MTLSServer initialization in BaseServer; mTLS DNS label generation for peers; PeerSystemMeta fields for auth/cert tracking.
Management gRPC Machine Tunnel management/internals/shared/grpc/machine_tunnel.go, management/internals/shared/grpc/conversion_test.go	New RegisterMachinePeer, SyncMachinePeer, GetMachineRoutes, ReportMachineStatus RPCs with mTLS auth and issuer validation; peer metadata enrichment.
Shared mTLS Utilities management/internals/shared/mtls/identity.go, management/internals/shared/mtls/dnslabel.go, management/internals/shared/mtls/dnslabel_test.go	Identity context key/helpers, issuer validation config; DNS label generation with FQDN hashing, collision detection, RFC 1123 compliance.
Proto Definitions shared/management/proto/management.proto	Added MachineIdentity, MachineRegisterRequest/Response, MachineSyncRequest/Response, MachineRoutesRequest/Response, MachineStatusRequest/Response; MachineUpdateType enum; four new machine-tunnel RPCs.
Architecture & Design Documentation docs/ADR-001-mTLS-Port-Strategy.md, docs/ADR-002-CNG-Signer-Interface.md	Documented single-port mTLS routing approach, TLS config, method whitelisting, interceptor flow; Windows CNG signer integration for non-exportable certificates.
PowerShell Bootstrap & Setup scripts/bootstrap-new-client.ps1, scripts/lab/setup-lab-ca.ps1, scripts/lab/autounattend.xml	Comprehensive bootstrap script (NTP, tunnel setup, DC connectivity, domain join, cert enrollment, mTLS config); AD CS lab CA setup with NetBirdMachine template; unattended Windows Server 2025 installation.
PowerShell Testing & Cleanup scripts/lab/test-client-enrollment.ps1, scripts/lab/verify-lab-ca.ps1, scripts/tests/Test-TunnelEstablishment.ps1, scripts/verify-nrpt-cleanup.ps1, scripts/reinstall-and-test.ps1, scripts/reset-netbird-machine.ps1	Scripts for certificate enrollment validation, CA readiness verification, tunnel establishment tests, NRPT cleanup verification, full reinstall/test cycle, and comprehensive machine reset/cleanup.
Test Certificates test/certs/*	Added CA, server, and client X.509 certificates with private keys, CSRs, and OpenSSL configuration files for mTLS testing.
CNG Signer & SAN Parser Spikes spike/cng-signer/main.go, spike/cng-signer/go.mod, spike/san-parser/main.go, spike/san-parser/go.mod	Windows-specific cryptographic utilities: CNG-backed crypto.Signer for non-exportable certs, SAN DNSName extraction, certificate template OID/name parsing, peer type determination.
Docker management/Dockerfile.multistage	Multi-stage build for management binary with runtime image.

Sequence Diagram(s)

sequenceDiagram
    participant Client as NetBird Client
    participant Mgmt as Management Server
    participant CA as Windows CA
    participant DC as Domain Controller

    Client->>Client: Phase 1: Setup-Key Bootstrap
    activate Client
    Client->>Mgmt: Connect with SetupKey
    Mgmt->>Mgmt: Validate SetupKey
    Mgmt->>Client: Return PeerConfig, NetbirdConfig
    Client->>Client: Generate WireGuard Key
    Client->>Client: Store in encrypted config
    deactivate Client

    Client->>Client: Configure Tunnel & Join Domain
    activate Client
    Client->>DC: Verify DC Connectivity (LDAP/Kerberos/DNS)
    DC->>Client: Acknowledge
    Client->>CA: Enroll Machine Certificate
    CA->>Client: Issue Cert with SAN (hostname.domain)
    Client->>Client: Validate & store cert
    deactivate Client

    Client->>Client: Phase 2: mTLS Bootstrap
    activate Client
    Client->>Mgmt: RegisterMachinePeer with Client Cert (mTLS)
    Mgmt->>Mgmt: Extract Identity from Cert<br/>(DNSName, Domain, Issuer)
    Mgmt->>Mgmt: Validate Issuer Fingerprint
    Mgmt->>Mgmt: Map Domain to Account
    Mgmt->>Client: Return MachineIdentity,<br/>AllowedDCRoutes, DNSConfig
    Client->>Client: Update config, remove SetupKey
    deactivate Client

    Client->>Mgmt: SyncMachinePeer (mTLS stream)
    activate Client
    activate Mgmt
    Mgmt->>Mgmt: Authorize via mTLS Identity
    Mgmt->>Client: NetworkMap, DNSConfig
    Client->>Client: Apply routes & DNS
    deactivate Mgmt
    deactivate Client

Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Possibly related PRs

• [management] pass config to controller #4807: Parallel changes to network_map controller and peer config propagation (Http/DeviceAuth configs) that align with this machine tunnel feature.

Suggested reviewers

• pascal-fischer
• pappz

Poem

🐰 Hops with glee through Windows doors,
Bootstrap keys and cert stores,
mTLS bonds machine and trust,
Two-phase dance, a must!
Domain-joined with rabbity care, 🔐✨

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate failed

Failed conditions
18 New issues
3 Security Hotspots
C Security Rating on New Code (required ≥ A)
16 New Code Smells (required ≤ 0)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE