Add conditional_access.cert_serial_format config option

[moaead]

Related issue: Resolves #38549

Summary

• Added conditional_access.cert_serial_format server configuration option to support both hexadecimal (default) and decimal certificate serial number formats for Okta conditional access.

Problem

The Okta conditional access SSO endpoint (/api/fleet/conditional_access/idp/sso) fails to authenticate devices when using Caddy as a reverse proxy for local testing because:

• Fleet's parseSerialNumber() function parses the X-Client-Cert-Serial header as hexadecimal (base 16)
• AWS ALB sends the serial in hexadecimal format (correct)
• Caddy sends the serial in decimal format (mismatch)

This causes authentication failures when certificate serial numbers reach 10 or higher:

• Certificate with serial 10 (decimal) → Caddy sends "10" → Fleet parses as hex → looks up serial 16 → not found

Solution

Added a new server configuration option:

• Config: conditional_access.cert_serial_format
• Env var: FLEET_CONDITIONAL_ACCESS_CERT_SERIAL_FORMAT
• Values: hex (default) or decimal

The default remains hex for AWS ALB (production), while decimal can be used for local testing with Caddy.

Changes

• server/config/config.go: Added ConditionalAccessConfig struct and config registration
• ee/server/service/condaccess/idp.go: Modified parseSerialNumber() to accept format parameter
• ee/server/service/condaccess/idp_test.go: Added tests for decimal format parsing
• changes/38549-cert-serial-format: Added changes file

Testing

• Added unit tests for both hex and decimal parsing formats
• Tests verify:
  • Hex parsing works as before (default behavior)
  • Decimal parsing correctly interprets values like 10 as decimal 10, not hex 16
  • Default format is hex when unspecified or invalid

Checklist for submitter

• Changes file added for user-visible changes in changes/
• Input data is properly validated
• Added/updated automated tests

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.07%. Comparing base (fa59f05) to head (e9b0a82).

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #38553   +/-   ##
=======================================
  Coverage   66.07%   66.07%           
=======================================
  Files        2413     2413           
  Lines      192661   192675   +14     
  Branches     8489     8489           
=======================================
+ Hits       127307   127318   +11     
+ Misses      53787    53785    -2     
- Partials    11567    11572    +5     

Flag	Coverage Δ
backend	67.92% <100.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[getvictor]

@moaead Thank you for the PR. Can you fix the lint issue by running gofmt:

Error: server/config/config.go:661:1: File is not properly formatted (gofmt)
	ConditionalAccess          ConditionalAccessConfig           `yaml:"conditional_access"`
^