Add DisabledExtensions CA reg key

[JonasBK]

Description

Collection of CA registry key DisabledExtensions for ADCS ESC16 edge

Also updates the collection of CA reg key setting IsUserSpecifiesSanEnabled to support custom reg key paths.

Motivation and Context

Tickets: BED-6176

How Has This Been Tested?

Locally in lab environment.

Types of changes

• Chore (a change that does not modify the application functionality)
• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• Documentation updates are needed, and have been made accordingly.
• I have added and/or updated tests to cover my changes.
• All new and existing tests passed.
• My changes include a database migration.

Summary by CodeRabbit

• New Features
  • Added the ability to retrieve a list of disabled certificate authority extensions.
• Improvements
  • Enhanced logic for detecting user-specified Subject Alternative Name (SAN) settings by dynamically identifying the active policy.
• Bug Fixes
  • Improved error handling for missing or inaccessible registry values when retrieving certificate authority policy settings.

[coderabbitai]

Walkthrough

A new API result class for returning string arrays was introduced. The CARegistryData class now includes a property for disabled extensions using this new result type. The CertAbuseProcessor class was updated to dynamically determine the active policy when querying registry values and now includes a method to retrieve disabled extensions.

Changes

Cohort / File(s)	Change Summary
New API Result Class src/CommonLib/OutputTypes/StringArrayRegistryAPIResult.cs	Added StringArrayRegistryAPIResult, a public class inheriting from APIResult with a string[] Data property.
CARegistryData Property Addition src/CommonLib/OutputTypes/CARegistryData.cs	Added DisabledExtensions property of type StringArrayRegistryAPIResult to CARegistryData.
CertAbuseProcessor Enhancements src/CommonLib/Processors/CertAbuseProcessor.cs	Updated IsUserSpecifiesSanEnabled to use the active policy subkey; added DisabledExtensions method to read disabled extension list.

Sequence Diagram(s)

sequenceDiagram
    participant Caller
    participant CertAbuseProcessor
    participant Registry

    Caller->>CertAbuseProcessor: IsUserSpecifiesSanEnabled(target, caName)
    CertAbuseProcessor->>Registry: Read "Active" from PolicyModules
    Registry-->>CertAbuseProcessor: Return activePolicyName
    CertAbuseProcessor->>Registry: Read "EditFlags" from activePolicyName subkey
    Registry-->>CertAbuseProcessor: Return EditFlags value
    CertAbuseProcessor-->>Caller: Return BoolRegistryAPIResult

    Caller->>CertAbuseProcessor: DisabledExtensions(target, caName)
    CertAbuseProcessor->>Registry: Read "Active" from PolicyModules
    Registry-->>CertAbuseProcessor: Return activePolicyName
    CertAbuseProcessor->>Registry: Read "DisableExtensionList" from activePolicyName subkey
    Registry-->>CertAbuseProcessor: Return string[] of disabled extensions
    CertAbuseProcessor-->>Caller: Return StringArrayRegistryAPIResult

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

In the registry fields where the data arrays grow,
New classes and properties now gently bestow.
Policies shift, their actives revealed,
Extensions disabled, their fates now unsealed.
With every key queried, the code hops anew—
A rabbit’s delight in the work that you do! 🐇✨

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch esc16

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Walkthrough

A new API result class for string arrays was introduced. The CARegistryData class now includes a property for disabled extensions using this new result type. The CertAbuseProcessor class was refactored to dynamically determine the active policy subkey from the registry and includes a new method to retrieve disabled extensions. Error handling and control flow were improved.

Changes

Cohort / File(s)	Change Summary
API Result Type for String Arrays src/CommonLib/OutputTypes/APIResults/StringArrayRegistryAPIResult.cs	Added StringArrayRegistryAPIResult class inheriting from APIResult, with a Data property of type string[] initialized to an empty array.
CA Registry Data Extension src/CommonLib/OutputTypes/CARegistryData.cs	Added a new public property DisabledExtensions of type StringArrayRegistryAPIResult to the CARegistryData class.
CertAbuseProcessor Refactor & Extension src/CommonLib/Processors/CertAbuseProcessor.cs	Refactored IsUserSpecifiesSanEnabled to dynamically resolve the policy subkey; added DisabledExtensions method to retrieve disabled extensions from the registry; improved error handling.

Sequence Diagram(s)

sequenceDiagram
    participant Caller
    participant CertAbuseProcessor
    participant Registry

    Caller->>CertAbuseProcessor: DisabledExtensions(target, caName)
    CertAbuseProcessor->>Registry: Read "Active" value from PolicyModules
    alt "Active" value exists
        CertAbuseProcessor->>Registry: Read "DisableExtensionList" from active policy subkey
        Registry-->>CertAbuseProcessor: Return string array or error
    else No "Active" value
        CertAbuseProcessor->>Registry: Use default policy subkey, read "DisableExtensionList"
        Registry-->>CertAbuseProcessor: Return string array or error
    end
    CertAbuseProcessor-->>Caller: Return StringArrayRegistryAPIResult

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A bunny hopped through code so neat,
New string arrays, a tidy feat!
Extensions disabled, now easy to find,
With registry reads smartly aligned.
Refactors done, errors in check—
This rabbit’s work is quite the tech! 🐇✨

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch esc16

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

src/CommonLib/Processors/CertAbuseProcessor.cs (1)

298-341: LGTM! New method follows established patterns.

The DisabledExtensions method is well-implemented and follows the same registry querying pattern as other methods in the class.

Consider extracting the common active policy resolution logic into a helper method to reduce code duplication between IsUserSpecifiesSanEnabled and DisabledExtensions:

+private RegistryResult GetActivePolicy(string target, string caName)
+{
+    var subKey = $"SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\{caName}\\PolicyModules";
+    const string subValue = "Active";
+    return Helpers.GetRegistryKeyData(target, subKey, subValue, _log);
+}

Then both methods could use this helper to get the active policy name before querying specific values.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 852fe9b and 6349928.

📒 Files selected for processing (3)

• src/CommonLib/OutputTypes/APIResults/StringArrayRegistryAPIResult.cs (1 hunks)
• src/CommonLib/OutputTypes/CARegistryData.cs (1 hunks)
• src/CommonLib/Processors/CertAbuseProcessor.cs (3 hunks)

🧰 Additional context used

🧬 Code Graph Analysis (1)

src/CommonLib/OutputTypes/CARegistryData.cs (1)

src/CommonLib/OutputTypes/APIResults/StringArrayRegistryAPIResult.cs (1)

• StringArrayRegistryAPIResult (5-8)

🔇 Additional comments (3)

src/CommonLib/OutputTypes/APIResults/StringArrayRegistryAPIResult.cs (1)

1-9: LGTM! Clean and consistent implementation.

The class follows established patterns and uses Array.Empty<String>() for efficient default initialization.

src/CommonLib/OutputTypes/CARegistryData.cs (1)

11-11: LGTM! Property added consistently.

The new DisabledExtensions property follows the established pattern and naming conventions of the class.

src/CommonLib/Processors/CertAbuseProcessor.cs (1)

254-296: LGTM! Dynamic policy resolution improves robustness.

The updated method now dynamically determines the active policy instead of using a hardcoded value, which makes it more robust for different CA configurations.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

src/CommonLib/Processors/CertAbuseProcessor.cs (4)

257-341: Consider extracting common policy retrieval logic.

Both IsUserSpecifiesSanEnabled and DisabledExtensions methods share identical logic for retrieving the active policy name. Consider extracting this into a private helper method to reduce code duplication and improve maintainability.

+private (bool Collected, string FailureReason, string ActivePolicy) GetActivePolicy(string target, string caName)
+{
+    var activePolicy = "CertificateAuthority_MicrosoftDefault.Policy";
+    var subKey = $"SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\{caName}\\PolicyModules";
+    const string subValue = "Active";
+    var data = Helpers.GetRegistryKeyData(target, subKey, subValue, _log);
+
+    if (!data.Collected)
+    {
+        return (false, data.FailureReason, null);
+    }
+
+    if (data.Value != null)
+    {
+        activePolicy = (string)data.Value;
+    }
+
+    return (true, null, activePolicy);
+}

Then both methods can use this helper to reduce duplication.

---

259-259: Consider using constants for registry paths.

The registry key paths are constructed inline in multiple places. Consider defining constants for the base paths to improve maintainability and reduce the risk of typos.

+private const string CERT_SVC_CONFIG_BASE = "SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration";
+private const string POLICY_MODULES_SUBPATH = "PolicyModules";

Then use these constants when constructing the full paths.

Also applies to: 276-276, 304-304, 321-321

---

298-341: Method implementation is correct but consider extracting common logic.

The DisabledExtensions method follows the same pattern as IsUserSpecifiesSanEnabled with proper error handling and registry access. However, there's significant code duplication between these two methods.

Consider extracting the common policy retrieval logic into a helper method:

+        private (bool Success, string ActivePolicy, string FailureReason) GetActivePolicy(string target, string caName)
+        {
+            var activePolicy = "CertificateAuthority_MicrosoftDefault.Policy";
+            var subKey = $"SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\{caName}\\PolicyModules";
+            const string subValue = "Active";
+            var data = Helpers.GetRegistryKeyData(target, subKey, subValue, _log);
+
+            if (!data.Collected)
+            {
+                return (false, null, data.FailureReason);
+            }
+
+            if (data.Value != null)
+            {
+                activePolicy = (string)data.Value;
+            }
+
+            return (true, activePolicy, null);
+        }

This would eliminate the duplicated code in both methods and improve maintainability.

---

257-341: Consider extracting common policy resolution logic.

Both IsUserSpecifiesSanEnabled and DisabledExtensions methods contain duplicate code for determining the active policy. Consider extracting this into a helper method to improve maintainability.

Example refactor:

+private (bool Success, string ActivePolicy, string FailureReason) GetActivePolicy(string target, string caName)
+{
+    var activePolicy = "CertificateAuthority_MicrosoftDefault.Policy";
+    var subKey = $"SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\{caName}\\PolicyModules";
+    const string subValue = "Active";
+    var data = Helpers.GetRegistryKeyData(target, subKey, subValue, _log);
+    
+    if (!data.Collected)
+    {
+        return (false, null, data.FailureReason);
+    }
+    
+    if (data.Value != null)
+    {
+        activePolicy = (string)data.Value;
+    }
+    
+    return (true, activePolicy, null);
+}

Then both methods can use this helper to reduce duplication.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 852fe9b and 6349928.

📒 Files selected for processing (3)

• src/CommonLib/OutputTypes/APIResults/StringArrayRegistryAPIResult.cs (1 hunks)
• src/CommonLib/OutputTypes/CARegistryData.cs (1 hunks)
• src/CommonLib/Processors/CertAbuseProcessor.cs (3 hunks)

🔇 Additional comments (11)

src/CommonLib/OutputTypes/APIResults/StringArrayRegistryAPIResult.cs (3)

1-9: LGTM! Clean and well-structured implementation.

The new StringArrayRegistryAPIResult class follows C# best practices with proper inheritance, naming conventions, and safe default initialization. The class serves its intended purpose as a container for string array registry results.

---

1-9: LGTM! Clean and focused API result implementation.

The class follows the established pattern for API result types in the codebase. The initialization to Array.Empty<String>() is appropriate and memory-efficient compared to new string[0].

---

1-9: LGTM! Clean and efficient implementation.

The new StringArrayRegistryAPIResult class follows established patterns, uses Array.Empty<String>() for optimal performance, and provides a focused container for string array registry results.

src/CommonLib/OutputTypes/CARegistryData.cs (3)

11-11: LGTM! Consistent integration of the new property.

The DisabledExtensions property follows the established pattern of the CARegistryData class and uses the appropriate StringArrayRegistryAPIResult type for holding string array registry data.

---

11-11: LGTM! Property addition follows established patterns.

The new DisabledExtensions property is consistent with the existing properties in the class, using the appropriate StringArrayRegistryAPIResult type and following the same naming conventions.

---

11-11: LGTM! Property addition follows established patterns.

The new DisabledExtensions property is consistent with other registry result properties in the class and uses the appropriate specialized result type.

src/CommonLib/Processors/CertAbuseProcessor.cs (5)

257-296: Excellent refactoring to use dynamic policy detection.

The refactoring from hardcoded policy name to dynamically reading the "Active" policy value makes the code more robust and flexible. The improved error handling with proper failure reason propagation is also a good enhancement.

---

298-341: Well-implemented new method with consistent pattern.

The DisabledExtensions method follows the same robust pattern as the refactored IsUserSpecifiesSanEnabled method, with proper error handling and dynamic policy detection. The string array casting and return type are appropriate for the DisableExtensionList registry value.

---

257-296: Good refactoring to use dynamic policy determination.

The method now correctly reads the active policy from the registry instead of using a hardcoded value. The error handling has been improved to properly propagate failure reasons from both registry reads.

---

257-296: LGTM! Improved dynamic policy resolution.

The refactoring to dynamically determine the active policy subkey instead of using a hardcoded value is a significant improvement. The error handling is properly implemented with failure reason propagation.

---

298-341: LGTM! New method follows established patterns.

The new DisabledExtensions method correctly implements the registry access pattern and properly handles error cases. The implementation aligns well with the refactored IsUserSpecifiesSanEnabled method.