Collect AIACAs with empty CACert BED-7513

[lrfalslev]

Description

There was an edge case where an AD AIACA with a {0} value for CACertificate attribute would cause cert parsing to fail and AIACA wasn't collected. To fix we check if byte array is not empty before attempting to parse.

Motivation and Context

BED-7513

How Has This Been Tested?

As a domain admin, make a new CA with empty cACertificate

$zeroByte = [byte[]](0x00)

New-ADObject `
    -Name "SEVENKINGDOMS-CA-EMPTY-TEST" `
    -Type certificationAuthority `
    -Path "CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=sevenkingdoms,DC=local" `
    -OtherAttributes @{
        cACertificate=$zeroByte
        certificateRevocationList=$zeroByte
        authorityRevocationList=$zeroByte
    }

Confirm that new CA object with cACertificate of {0} exists in AIA

Run new collection and confirm that AIACA node was created

Types of changes

• Chore (a change that does not modify the application functionality)
• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• Documentation updates are needed, and have been made accordingly.
• I have added and/or updated tests to cover my changes.
• All new and existing tests passed.
• My changes include a database migration.

Summary by CodeRabbit

• Bug Fixes

  • Improved robustness of LDAP CA handling by validating certificate bytes before parsing; empty or non-meaningful certificate data is now skipped to prevent parsing errors and ensure consistent property population.

• Tests

  • Added and expanded tests covering null/empty/single-zero-byte certificate scenarios and CA-related property assertions across Root, AIA, and Enterprise CA cases.

[coderabbitai]

Walkthrough

Adds a byte-validation guard for CACertificate data and applies it across Root, AIA, and Enterprise CA readers to skip certificate parsing when bytes are null, empty, or a single 0x00. Expands unit tests to cover these edge cases and valid-certificate scenarios.

Changes

Cohort / File(s)	Summary
Certificate validation & readers src/CommonLib/Processors/LdapPropertyProcessor.cs	Adds private HasBytes(byte[] data) helper and uses it in ReadRootCAProperties, ReadAIACAProperties, and ReadEnterpriseCAProperties to skip cert parsing when CACertificate contains no meaningful bytes; adds XML doc for ReadEnterpriseCAProperties.
Unit tests — CA scenarios test/unit/LdapPropertyTests.cs	Adds parameterized tests covering null/empty/single-zero CACertificate (EmptyCertBytes) for Root, AIA, and Enterprise readers; adds tests for valid CACertificate behavior and extends existing tests/assertions to include CA-derived properties; removes one deprecated ACA test.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• MikeX777
• definitelynotagoblin

Poem

🐰 I nibble bytes both small and few,
If empty or zero, I hop anew.
No parsing panic, no frantic chase,
Certificates skipped with gentle grace.
Tests hop in to keep the pace. 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 18.75% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title references the specific issue (BED-7513) and describes the main change: handling AIACAs with empty CACert, which directly matches the code fix.
Description check	✅ Passed	The description follows the template structure with all required sections completed: detailed change description, motivation with issue link, comprehensive testing steps with PowerShell code and screenshots, and type/checklist selections.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch lfalslev/bed-7513

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

src/CommonLib/Processors/LdapPropertyProcessor.cs (1)

513-516: Consider applying the same guard to ReadRootCAProperties and ReadEnterpriseCAProperties.

The HasBytes helper addresses an edge case for AIACA, but ReadRootCAProperties (lines 475-482) and ReadEnterpriseCAProperties (lines 526-533) have identical certificate parsing patterns without this guard:

// ReadRootCAProperties (line 475)
if (entry.TryGetByteProperty(LDAPProperties.CACertificate, out var rawCertificate)) {
    var cert = new ParsedCertificate(rawCertificate);
    ...
}

// ReadEnterpriseCAProperties (line 526)  
if (entry.TryGetByteProperty(LDAPProperties.CACertificate, out var rawCertificate)) {
    var cert = new ParsedCertificate(rawCertificate);
    ...
}

If a RootCA or EnterpriseCA could have empty/zero-byte certificate data, these would also fail. Consider applying the HasBytes guard consistently to all certificate parsing locations.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/CommonLib/Processors/LdapPropertyProcessor.cs` around lines 513 - 516,
ReadRootCAProperties and ReadEnterpriseCAProperties both construct a
ParsedCertificate from rawCertificate without the HasBytes guard; update each
method so they call HasBytes(rawCertificate) (the existing helper) before
instantiating ParsedCertificate and only parse/assign when it returns true,
otherwise skip parsing or handle as null/absent to avoid throwing on
empty/zero-byte data.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@src/CommonLib/Processors/LdapPropertyProcessor.cs`:
- Around line 513-516: ReadRootCAProperties and ReadEnterpriseCAProperties both
construct a ParsedCertificate from rawCertificate without the HasBytes guard;
update each method so they call HasBytes(rawCertificate) (the existing helper)
before instantiating ParsedCertificate and only parse/assign when it returns
true, otherwise skip parsing or handle as null/absent to avoid throwing on
empty/zero-byte data.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 52b978a and da2d1b4.

📒 Files selected for processing (2)

• src/CommonLib/Processors/LdapPropertyProcessor.cs
• test/unit/LdapPropertyTests.cs

[coderabbitai]

🧹 Nitpick comments (2)

test/unit/LdapPropertyTests.cs (1)

672-720: Consider extracting shared CA test setup into helpers.

There’s repeated cert creation and MockDirectoryObject scaffolding in the new CA tests; a small helper would reduce maintenance churn.

Also applies to: 736-754, 807-826

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/unit/LdapPropertyTests.cs` around lines 672 - 720, Extract the repeated
CA test setup (creating the self-signed cert bytes and building the
MockDirectoryObject) into a small helper method (e.g., CreateMockRootCA or
BuildMockRootCAMock) and call it from
LDAPPropertyProcessor_ReadRootCAProperties,
LDAPPropertyProcessor_ReadRootCAProperties_NoCACertificate, and the other
affected tests (lines noted around 736-754 and 807-826); the helper should
return the MockDirectoryObject (or the cert bytes + dictionary) so tests can
assert on LdapPropertyProcessor.ReadRootCAProperties consistently and avoid
duplicating certificate creation and dictionary scaffolding (refer to
ECDsa.Create, CertificateRequest.CreateSelfSigned, cert.Export,
MockDirectoryObject, and LDAPProperties.CACertificate to locate code to move).

src/CommonLib/Processors/LdapPropertyProcessor.cs (1)

941-944: Make HasBytes null-safe for safer reuse.

At Line 941, HasBytes dereferences data directly. Current call sites are short-circuited, but a null-safe helper is more robust if reused later.

♻️ Proposed defensive tweak

 private static bool HasBytes(byte[] data) {
-    return data.Length > 0
-           && !(data.Length == 1 && data[0] == 0x00);
+    return data is { Length: > 0 }
+           && !(data.Length == 1 && data[0] == 0x00);
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/CommonLib/Processors/LdapPropertyProcessor.cs` around lines 941 - 944,
The HasBytes helper dereferences the input array without null-checking; update
the HasBytes(byte[] data) method to first handle null (return false for null or
empty) and then keep the existing zero-length/sole-null-byte logic so callers
can safely pass null. Modify the implementation inside HasBytes to check data ==
null (or use data?.Length) and return false early, preserving the existing
special-case (data.Length == 1 && data[0] == 0x00) to detect the solitary null
byte.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@src/CommonLib/Processors/LdapPropertyProcessor.cs`:
- Around line 941-944: The HasBytes helper dereferences the input array without
null-checking; update the HasBytes(byte[] data) method to first handle null
(return false for null or empty) and then keep the existing
zero-length/sole-null-byte logic so callers can safely pass null. Modify the
implementation inside HasBytes to check data == null (or use data?.Length) and
return false early, preserving the existing special-case (data.Length == 1 &&
data[0] == 0x00) to detect the solitary null byte.

In `@test/unit/LdapPropertyTests.cs`:
- Around line 672-720: Extract the repeated CA test setup (creating the
self-signed cert bytes and building the MockDirectoryObject) into a small helper
method (e.g., CreateMockRootCA or BuildMockRootCAMock) and call it from
LDAPPropertyProcessor_ReadRootCAProperties,
LDAPPropertyProcessor_ReadRootCAProperties_NoCACertificate, and the other
affected tests (lines noted around 736-754 and 807-826); the helper should
return the MockDirectoryObject (or the cert bytes + dictionary) so tests can
assert on LdapPropertyProcessor.ReadRootCAProperties consistently and avoid
duplicating certificate creation and dictionary scaffolding (refer to
ECDsa.Create, CertificateRequest.CreateSelfSigned, cert.Export,
MockDirectoryObject, and LDAPProperties.CACertificate to locate code to move).

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between da2d1b4 and d8e5ed7.

📒 Files selected for processing (2)

• src/CommonLib/Processors/LdapPropertyProcessor.cs
• test/unit/LdapPropertyTests.cs