github/infisical
1
0
Fork 0
mirror of https://github.com/Infisical/infisical.git synced 2026-01-09 15:38:03 -05:00
Code Issues Packages Projects Releases Wiki Activity

Addressed PR comments

Browse Source
This commit is contained in:
Carlos Monastyrski
2025-10-14 03:18:35 -03:00
parent 073be13906
commit 42800fdfe5
82 changed files with 4223 additions and 1956 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
backend/src/db/migrations/20251007133321_pki-v3-tables.ts
View File

@@ -8,7 +8,7 @@ export async function up(knex: Knex): Promise<void> {
await knex.schema.createTable(TableName.CertificateTemplateV2, (t) => {
t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
t.string("projectId").notNullable();
t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
t.foreign("projectId").references("id").inTable(TableName.Project);
t.string("slug").notNullable();
t.string("description");
@@ -60,7 +60,7 @@ export async function up(knex: Knex): Promise<void> {
await knex.schema.createTable(TableName.CertificateProfile, (t) => {
t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
t.string("projectId").notNullable();
t.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
t.foreign("projectId").references("id").inTable(TableName.Project);
t.uuid("caId").notNullable();
t.foreign("caId").references("id").inTable(TableName.CertificateAuthority);

47
backend/src/ee/services/audit-log/audit-log-types.ts
View File

@@ -2569,19 +2569,41 @@ interface GetCertificateTemplateEstConfig {
interface CreateCertificateTemplate {
type: EventType.CREATE_CERTIFICATE_TEMPLATE;
metadata: {
certificateTemplateId: string;
name: string;
projectId: string;
};
metadata:
| {
certificateTemplateId: string;
name: string;
projectId: string;
}
| {
certificateTemplateId: string;
caId: string;
pkiCollectionId: string;
name: string;
commonName: string;
subjectAlternativeName: string;
ttl: string;
projectId: string;
};
}
interface UpdateCertificateTemplate {
type: EventType.UPDATE_CERTIFICATE_TEMPLATE;
metadata: {
certificateTemplateId: string;
name: string;
};
metadata:
| {
certificateTemplateId: string;
name: string;
}
| {
certificateTemplateId: string;
caId: string;
pkiCollectionId: string;
name: string;
commonName: string;
subjectAlternativeName: string;
ttl: string;
projectId: string;
};
}
interface DeleteCertificateTemplate {
@@ -2629,6 +2651,7 @@ interface DeleteCertificateProfile {
type: EventType.DELETE_CERTIFICATE_PROFILE;
metadata: {
certificateProfileId: string;
name: string;
};
}
@@ -2636,6 +2659,7 @@ interface GetCertificateProfile {
type: EventType.GET_CERTIFICATE_PROFILE;
metadata: {
certificateProfileId: string;
name: string;
};
}
@@ -2652,6 +2676,7 @@ interface IssueCertificateFromProfile {
certificateProfileId: string;
certificateId: string;
commonName: string;
profileName: string;
};
}
@@ -2660,6 +2685,8 @@ interface SignCertificateFromProfile {
metadata: {
certificateProfileId: string;
certificateId: string;
profileName: string;
commonName: string;
};
}
@@ -2668,7 +2695,7 @@ interface OrderCertificateFromProfile {
metadata: {
certificateProfileId: string;
orderId: string;
subjectAlternativeNames: string[];
profileName: string;
};
}

7
backend/src/ee/services/permission/project-permission.ts
View File

@@ -1119,6 +1119,13 @@ export const ProjectPermissionV2Schema = z.discriminatedUnion("subject", [
"When specified, only matching conditions will be allowed to access given resource."
).optional()
}),
z.object({
subject: z.literal(ProjectPermissionSub.CertificateProfiles).describe("The entity this permission pertains to."),
inverted: z.boolean().optional().describe("Whether rule allows or forbids."),
action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionCertificateProfileActions).describe(
"Describe what action an entity can take."
)
}),
...GeneralPermissionSchema
]);

121
backend/src/server/routes/v1/certificate-profiles-router.ts
View File

@@ -1,3 +1,4 @@
import RE2 from "re2";
import { z } from "zod";
import { CertificateProfilesSchema } from "@app/db/schemas";
@@ -6,12 +7,7 @@ import { ApiDocsTags } from "@app/lib/api-docs";
import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
import { AuthMode } from "@app/services/auth/auth-type";
import {
createCertificateProfileSchema,
deleteCertificateProfileSchema,
listCertificateProfilesSchema,
updateCertificateProfileSchema
} from "@app/services/certificate-profile/certificate-profile-schemas";
import { EnrollmentType } from "@app/services/certificate-profile/certificate-profile-types";
export const registerCertificateProfilesRouter = async (server: FastifyZodProvider) => {
server.route({
@@ -23,7 +19,57 @@ export const registerCertificateProfilesRouter = async (server: FastifyZodProvid
schema: {
hide: false,
tags: [ApiDocsTags.PkiCertificateProfiles],
body: createCertificateProfileSchema,
body: z
.object({
projectId: z.string().min(1),
caId: z.string().uuid(),
certificateTemplateId: z.string().uuid(),
slug: z
.string()
.min(1)
.max(255)
.regex(new RE2("^[a-z0-9-]+$"), "Slug must contain only lowercase letters, numbers, and hyphens"),
description: z.string().max(1000).optional(),
enrollmentType: z.nativeEnum(EnrollmentType),
estConfig: z
.object({
disableBootstrapCaValidation: z.boolean().default(false),
passphrase: z.string().min(1),
encryptedCaChain: z.string()
})
.optional(),
apiConfig: z
.object({
autoRenew: z.boolean().default(false),
autoRenewDays: z.number().min(1).max(365).optional()
})
.optional()
})
.refine(
(data) => {
if (data.enrollmentType === EnrollmentType.EST) {
if (!data.estConfig) {
return false;
}
if (data.apiConfig) {
return false;
}
}
if (data.enrollmentType === EnrollmentType.API) {
if (!data.apiConfig) {
return false;
}
if (data.estConfig) {
return false;
}
}
return true;
},
{
message:
"EST enrollment type requires EST configuration and cannot have API configuration. API enrollment type requires API configuration and cannot have EST configuration."
}
),
response: {
200: z.object({
certificateProfile: CertificateProfilesSchema
@@ -68,7 +114,13 @@ export const registerCertificateProfilesRouter = async (server: FastifyZodProvid
schema: {
hide: false,
tags: [ApiDocsTags.PkiCertificateProfiles],
querystring: listCertificateProfilesSchema.extend({
querystring: z.object({
projectId: z.string().min(1),
offset: z.coerce.number().min(0).default(0),
limit: z.coerce.number().min(1).max(100).default(20),
search: z.string().optional(),
enrollmentType: z.nativeEnum(EnrollmentType).optional(),
caId: z.string().uuid().optional(),
includeMetrics: z.coerce.boolean().optional().default(false),
expiringDays: z.coerce.number().min(1).max(365).optional().default(7)
}),
@@ -209,7 +261,8 @@ export const registerCertificateProfilesRouter = async (server: FastifyZodProvid
event: {
type: EventType.GET_CERTIFICATE_PROFILE,
metadata: {
certificateProfileId: certificateProfile.id
certificateProfileId: certificateProfile.id,
name: certificateProfile.slug
}
}
});
@@ -266,7 +319,48 @@ export const registerCertificateProfilesRouter = async (server: FastifyZodProvid
params: z.object({
id: z.string().min(1)
}),
body: updateCertificateProfileSchema,
body: z
.object({
slug: z
.string()
.min(1)
.max(255)
.regex(new RE2("^[a-z0-9-]+$"), "Slug must contain only lowercase letters, numbers, and hyphens")
.optional(),
description: z.string().max(1000).optional(),
enrollmentType: z.nativeEnum(EnrollmentType).optional(),
estConfig: z
.object({
disableBootstrapCaValidation: z.boolean().default(false),
passphrase: z.string().min(1),
encryptedCaChain: z.string()
})
.optional(),
apiConfig: z
.object({
autoRenew: z.boolean().default(false),
autoRenewDays: z.number().min(1).max(365).optional()
})
.optional()
})
.refine(
(data) => {
if (data.enrollmentType === EnrollmentType.EST) {
if (data.apiConfig) {
return false;
}
}
if (data.enrollmentType === EnrollmentType.API) {
if (data.estConfig) {
return false;
}
}
return true;
},
{
message: "Cannot have EST config with API enrollment type or API config with EST enrollment type."
}
),
response: {
200: z.object({
certificateProfile: CertificateProfilesSchema
@@ -309,7 +403,9 @@ export const registerCertificateProfilesRouter = async (server: FastifyZodProvid
schema: {
hide: false,
tags: [ApiDocsTags.PkiCertificateProfiles],
params: deleteCertificateProfileSchema,
params: z.object({
id: z.string().uuid()
}),
response: {
200: z.object({
certificateProfile: CertificateProfilesSchema
@@ -332,7 +428,8 @@ export const registerCertificateProfilesRouter = async (server: FastifyZodProvid
event: {
type: EventType.DELETE_CERTIFICATE_PROFILE,
metadata: {
certificateProfileId: certificateProfile.id
certificateProfileId: certificateProfile.id,
name: certificateProfile.slug
}
}
});

12
backend/src/server/routes/v1/certificate-template-router.ts
View File

@@ -117,7 +117,12 @@ export const registerCertificateTemplateRouter = async (server: FastifyZodProvid
type: EventType.CREATE_CERTIFICATE_TEMPLATE,
metadata: {
certificateTemplateId: certificateTemplate.id,
caId: certificateTemplate.caId,
pkiCollectionId: certificateTemplate.pkiCollectionId as string,
name: certificateTemplate.name,
commonName: certificateTemplate.commonName,
subjectAlternativeName: certificateTemplate.subjectAlternativeName,
ttl: certificateTemplate.ttl,
projectId: certificateTemplate.projectId
}
}
@@ -181,7 +186,12 @@ export const registerCertificateTemplateRouter = async (server: FastifyZodProvid
type: EventType.UPDATE_CERTIFICATE_TEMPLATE,
metadata: {
certificateTemplateId: certificateTemplate.id,
name: certificateTemplate.name
name: certificateTemplate.name,
caId: certificateTemplate.caId,
pkiCollectionId: certificateTemplate.pkiCollectionId as string,
commonName: certificateTemplate.commonName,
subjectAlternativeName: certificateTemplate.subjectAlternativeName,
ttl: certificateTemplate.ttl
}
}
});

199
backend/src/server/routes/v2/certificate-templates-v2-router.ts
View File

@@ -4,18 +4,107 @@ import { CertificateTemplatesV2Schema } from "@app/db/schemas";
import { EventType } from "@app/ee/services/audit-log/audit-log-types";
import { ApiDocsTags } from "@app/lib/api-docs";
import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
import { slugSchema } from "@app/server/lib/schemas";
import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
import { AuthMode } from "@app/services/auth/auth-type";
import {
certificateRequestSchema,
createCertificateTemplateV2Schema,
deleteCertificateTemplateV2Schema,
getCertificateTemplateV2ByIdSchema,
listCertificateTemplatesV2Schema,
updateCertificateTemplateV2Schema
} from "@app/services/certificate-template-v2/certificate-template-v2-schemas";
CertDurationUnit,
CertExtendedKeyUsageType,
CertIncludeType,
CertKeyUsageType,
CertSubjectAlternativeNameType,
CertSubjectAttributeType
} from "@app/services/certificate-common/certificate-constants";
export const registerCertificateTemplatesV2Router = async (server: FastifyZodProvider) => {
const templateV2AttributeSchema = z
.object({
type: z.nativeEnum(CertSubjectAttributeType),
include: z.nativeEnum(CertIncludeType),
value: z.array(z.string()).optional()
})
.refine(
(data) => {
if (data.type === CertSubjectAttributeType.COMMON_NAME && data.value && data.value.length > 1) {
return false;
}
if (data.include === CertIncludeType.MANDATORY && (!data.value || data.value.length > 1)) {
return false;
}
return true;
},
{
message: "Common name can only have one value. Mandatory attributes can only have one value or no value (empty)"
}
);
const templateV2KeyUsagesSchema = z.object({
requiredUsages: z
.object({
all: z.array(z.nativeEnum(CertKeyUsageType))
})
.optional(),
optionalUsages: z
.object({
all: z.array(z.nativeEnum(CertKeyUsageType))
})
.optional()
});
const templateV2ExtendedKeyUsagesSchema = z.object({
requiredUsages: z
.object({
all: z.array(z.nativeEnum(CertExtendedKeyUsageType))
})
.optional(),
optionalUsages: z
.object({
all: z.array(z.nativeEnum(CertExtendedKeyUsageType))
})
.optional()
});
const templateV2SanSchema = z
.object({
type: z.nativeEnum(CertSubjectAlternativeNameType),
include: z.nativeEnum(CertIncludeType),
value: z.array(z.string()).optional()
})
.refine(
(data) => {
if (data.include === CertIncludeType.MANDATORY && (!data.value || data.value.length > 1)) {
return false;
}
return true;
},
{
message: "Mandatory SANs can only have one value or no value (empty)"
}
);
const templateV2ValiditySchema = z.object({
maxDuration: z.object({
value: z.number().positive(),
unit: z.nativeEnum(CertDurationUnit)
}),
minDuration: z
.object({
value: z.number().positive(),
unit: z.nativeEnum(CertDurationUnit)
})
.optional()
});
const templateV2SignatureAlgorithmSchema = z.object({
allowedAlgorithms: z.array(z.string()).min(1),
defaultAlgorithm: z.string()
});
const templateV2KeyAlgorithmSchema = z.object({
allowedKeyTypes: z.array(z.string()).min(1),
defaultKeyType: z.string()
});
server.route({
method: "POST",
url: "/",
@@ -25,7 +114,36 @@ export const registerCertificateTemplatesV2Router = async (server: FastifyZodPro
schema: {
hide: false,
tags: [ApiDocsTags.PkiCertificateTemplates],
body: createCertificateTemplateV2Schema,
body: z
.object({
projectId: z.string().min(1),
slug: slugSchema({ min: 1, max: 255 }),
description: z.string().max(1000).optional(),
attributes: z.array(templateV2AttributeSchema).optional(),
keyUsages: templateV2KeyUsagesSchema.optional(),
extendedKeyUsages: templateV2ExtendedKeyUsagesSchema.optional(),
subjectAlternativeNames: z.array(templateV2SanSchema).optional(),
validity: templateV2ValiditySchema.optional(),
signatureAlgorithm: templateV2SignatureAlgorithmSchema.optional(),
keyAlgorithm: templateV2KeyAlgorithmSchema.optional()
})
.refine(
(data) => {
const hasConstraints =
(data.attributes && data.attributes.length > 0) ||
(data.subjectAlternativeNames && data.subjectAlternativeNames.length > 0) ||
data.keyUsages ||
data.extendedKeyUsages ||
data.validity ||
data.signatureAlgorithm ||
data.keyAlgorithm;
return hasConstraints;
},
{
message:
"Certificate template must define at least one constraint (attributes, SANs, key usages, validity, or algorithms)"
}
),
response: {
200: z.object({
certificateTemplate: CertificateTemplatesV2Schema
@@ -70,7 +188,12 @@ export const registerCertificateTemplatesV2Router = async (server: FastifyZodPro
schema: {
hide: false,
tags: [ApiDocsTags.PkiCertificateTemplates],
querystring: listCertificateTemplatesV2Schema,
querystring: z.object({
projectId: z.string().min(1),
offset: z.coerce.number().min(0).default(0),
limit: z.coerce.number().min(1).max(100).default(20),
search: z.string().optional()
}),
response: {
200: z.object({
certificateTemplates: CertificateTemplatesV2Schema.array(),
@@ -112,7 +235,9 @@ export const registerCertificateTemplatesV2Router = async (server: FastifyZodPro
schema: {
hide: false,
tags: [ApiDocsTags.PkiCertificateTemplates],
params: getCertificateTemplateV2ByIdSchema,
params: z.object({
id: z.string().uuid()
}),
response: {
200: z.object({
certificateTemplate: CertificateTemplatesV2Schema
@@ -154,8 +279,20 @@ export const registerCertificateTemplatesV2Router = async (server: FastifyZodPro
schema: {
hide: false,
tags: [ApiDocsTags.PkiCertificateTemplates],
params: getCertificateTemplateV2ByIdSchema,
body: updateCertificateTemplateV2Schema,
params: z.object({
id: z.string().uuid()
}),
body: z.object({
slug: slugSchema({ min: 1, max: 255 }).optional(),
description: z.string().max(1000).optional(),
attributes: z.array(templateV2AttributeSchema).optional(),
keyUsages: templateV2KeyUsagesSchema.optional(),
extendedKeyUsages: templateV2ExtendedKeyUsagesSchema.optional(),
subjectAlternativeNames: z.array(templateV2SanSchema).optional(),
validity: templateV2ValiditySchema.optional(),
signatureAlgorithm: templateV2SignatureAlgorithmSchema.optional(),
keyAlgorithm: templateV2KeyAlgorithmSchema.optional()
}),
response: {
200: z.object({
certificateTemplate: CertificateTemplatesV2Schema
@@ -198,7 +335,9 @@ export const registerCertificateTemplatesV2Router = async (server: FastifyZodPro
schema: {
hide: false,
tags: [ApiDocsTags.PkiCertificateTemplates],
params: deleteCertificateTemplateV2Schema,
params: z.object({
id: z.string().uuid()
}),
response: {
200: z.object({
certificateTemplate: CertificateTemplatesV2Schema
@@ -230,38 +369,4 @@ export const registerCertificateTemplatesV2Router = async (server: FastifyZodPro
return { certificateTemplate };
}
});
server.route({
method: "POST",
url: "/:id/validate",
config: {
rateLimit: readLimit
},
schema: {
hide: false,
tags: [ApiDocsTags.PkiCertificateTemplates],
params: getCertificateTemplateV2ByIdSchema,
body: z.object({
request: certificateRequestSchema
}),
response: {
200: z.object({
valid: z.boolean(),
errors: z.array(z.string()).optional()
})
}
},
onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
handler: async (req) => {
const result = await server.services.certificateTemplateV2.validateCertificateRequest(
req.params.id,
req.body.request
);
return {
valid: result.isValid,
errors: result.errors.length > 0 ? result.errors : undefined
};
}
});
};

222
backend/src/server/routes/v3/certificates-router.ts
View File

@@ -6,12 +6,22 @@ import { ms } from "@app/lib/ms";
import { writeLimit } from "@app/server/config/rateLimiter";
import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
import { AuthMode } from "@app/services/auth/auth-type";
import { CertExtendedKeyUsage, CertKeyUsage } from "@app/services/certificate/certificate-types";
import {
ACMESANType,
CertificateOrderStatus,
CertKeyAlgorithm,
CertSignatureAlgorithm
} from "@app/services/certificate/certificate-types";
import {
validateAltNamesField,
validateAndMapAltNameType,
validateCaDateField
} from "@app/services/certificate-authority/certificate-authority-validators";
import {
CertExtendedKeyUsageType,
CertKeyUsageType,
CertSubjectAlternativeNameType
} from "@app/services/certificate-common/certificate-constants";
import { mapEnumsForValidation } from "@app/services/certificate-common/certificate-utils";
import { validateTemplateRegexField } from "@app/services/certificate-template/certificate-template-validators";
@@ -25,18 +35,43 @@ export const registerCertificatesRouter = async (server: FastifyZodProvider) =>
schema: {
hide: false,
tags: [ApiDocsTags.PkiCertificates],
body: z.object({
profileId: z.string().uuid(),
commonName: validateTemplateRegexField,
ttl: z.string().refine((val) => ms(val) > 0, "TTL must be a positive number"),
keyUsages: z.nativeEnum(CertKeyUsage).array().optional(),
extendedKeyUsages: z.nativeEnum(CertExtendedKeyUsage).array().optional(),
notBefore: validateCaDateField.optional(),
notAfter: validateCaDateField.optional(),
altNames: validateAltNamesField.optional(),
signatureAlgorithm: z.string().optional(),
keyAlgorithm: z.string().optional()
}),
body: z
.object({
profileId: z.string().uuid(),
commonName: validateTemplateRegexField,
ttl: z.string().refine((val) => ms(val) > 0, "TTL must be a positive number"),
keyUsages: z.nativeEnum(CertKeyUsageType).array().optional(),
extendedKeyUsages: z.nativeEnum(CertExtendedKeyUsageType).array().optional(),
notBefore: validateCaDateField.optional(),
notAfter: validateCaDateField.optional(),
subjectAltNames: validateAltNamesField.optional(),
signatureAlgorithm: z.nativeEnum(CertSignatureAlgorithm).optional(),
keyAlgorithm: z.nativeEnum(CertKeyAlgorithm).optional()
})
.refine(
(data) => {
const hasDateFields = data.notBefore || data.notAfter;
const hasTtl = data.ttl;
return !(hasDateFields && hasTtl);
},
{
message:
"Cannot specify both TTL and notBefore/notAfter. Use either TTL for duration-based validity or notBefore/notAfter for explicit date range."
}
)
.refine(
(data) => {
if (data.notBefore && data.notAfter) {
const notBefore = new Date(data.notBefore);
const notAfter = new Date(data.notAfter);
return notBefore < notAfter;
}
return true;
},
{
message: "notBefore must be earlier than notAfter"
}
),
response: {
200: z.object({
certificate: z.string().trim(),
@@ -54,8 +89,8 @@ export const registerCertificatesRouter = async (server: FastifyZodProvider) =>
commonName: req.body.commonName,
keyUsages: req.body.keyUsages,
extendedKeyUsages: req.body.extendedKeyUsages,
subjectAlternativeNames: req.body.altNames
? req.body.altNames
altNames: req.body.subjectAltNames
? req.body.subjectAltNames
.split(", ")
.map((name) => name.trim())
.map((name) => {
@@ -68,7 +103,7 @@ export const registerCertificatesRouter = async (server: FastifyZodProvider) =>
url: "uri"
} as const;
return {
type: typeMapping[mappedType.type] as "dns_name" | "ip_address" | "email" | "uri",
type: typeMapping[mappedType.type] as CertSubjectAlternativeNameType,
value: mappedType.value
};
})
@@ -94,23 +129,16 @@ export const registerCertificatesRouter = async (server: FastifyZodProvider) =>
certificateRequest: mappedCertificateRequest
});
const profile = await server.services.certificateProfile.getProfileById({
actor: req.permission.type,
actorId: req.permission.id,
actorAuthMethod: req.permission.authMethod,
actorOrgId: req.permission.orgId,
profileId: req.body.profileId
});
await server.services.auditLog.createAuditLog({
...req.auditLogInfo,
projectId: profile.projectId,
projectId: data.projectId,
event: {
type: EventType.ISSUE_CERTIFICATE_FROM_PROFILE,
metadata: {
certificateProfileId: req.body.profileId,
certificateId: data.certificateId,
commonName: req.body.commonName || ""
commonName: req.body.commonName || "",
profileName: data.profileName
}
}
});
@@ -128,13 +156,38 @@ export const registerCertificatesRouter = async (server: FastifyZodProvider) =>
schema: {
hide: false,
tags: [ApiDocsTags.PkiCertificates],
body: z.object({
profileId: z.string().uuid(),
csr: z.string().trim().min(1).max(4096),
ttl: z.string().refine((val) => ms(val) > 0, "TTL must be a positive number"),
notBefore: validateCaDateField.optional(),
notAfter: validateCaDateField.optional()
}),
body: z
.object({
profileId: z.string().uuid(),
csr: z.string().trim().min(1).max(4096),
ttl: z.string().refine((val) => ms(val) > 0, "TTL must be a positive number"),
notBefore: validateCaDateField.optional(),
notAfter: validateCaDateField.optional()
})
.refine(
(data) => {
const hasDateFields = data.notBefore || data.notAfter;
const hasTtl = data.ttl;
return !(hasDateFields && hasTtl);
},
{
message:
"Cannot specify both TTL and notBefore/notAfter. Use either TTL for duration-based validity or notBefore/notAfter for explicit date range."
}
)
.refine(
(data) => {
if (data.notBefore && data.notAfter) {
const notBefore = new Date(data.notBefore);
const notAfter = new Date(data.notAfter);
return notBefore < notAfter;
}
return true;
},
{
message: "notBefore must be earlier than notAfter"
}
),
response: {
200: z.object({
certificate: z.string().trim(),
@@ -161,22 +214,16 @@ export const registerCertificatesRouter = async (server: FastifyZodProvider) =>
notAfter: req.body.notAfter ? new Date(req.body.notAfter) : undefined
});
const profile = await server.services.certificateProfile.getProfileById({
actor: req.permission.type,
actorId: req.permission.id,
actorAuthMethod: req.permission.authMethod,
actorOrgId: req.permission.orgId,
profileId: req.body.profileId
});
await server.services.auditLog.createAuditLog({
...req.auditLogInfo,
projectId: profile.projectId,
projectId: data.projectId,
event: {
type: EventType.SIGN_CERTIFICATE_FROM_PROFILE,
metadata: {
certificateProfileId: req.body.profileId,
certificateId: data.certificateId
certificateId: data.certificateId,
profileName: data.profileName,
commonName: req.body.csr || ""
}
}
});
@@ -194,48 +241,73 @@ export const registerCertificatesRouter = async (server: FastifyZodProvider) =>
schema: {
hide: false,
tags: [ApiDocsTags.PkiCertificates],
body: z.object({
profileId: z.string().uuid(),
subjectAlternativeNames: z
.array(
z.object({
type: z.enum(["dns", "ip"]),
value: z.string()
})
)
.min(1),
ttl: z.string().refine((val) => ms(val) > 0, "TTL must be a positive number"),
keyUsages: z.nativeEnum(CertKeyUsage).array().optional(),
extendedKeyUsages: z.nativeEnum(CertExtendedKeyUsage).array().optional(),
notBefore: validateCaDateField.optional(),
notAfter: validateCaDateField.optional(),
commonName: validateTemplateRegexField.optional(),
signatureAlgorithm: z.string().optional(),
keyAlgorithm: z.string().optional()
}),
body: z
.object({
profileId: z.string().uuid(),
subjectAlternativeNames: z
.array(
z.object({
type: z.nativeEnum(ACMESANType),
value: z.string()
})
)
.min(1),
ttl: z.string().refine((val) => ms(val) > 0, "TTL must be a positive number"),
keyUsages: z.nativeEnum(CertKeyUsageType).array().optional(),
extendedKeyUsages: z.nativeEnum(CertExtendedKeyUsageType).array().optional(),
notBefore: validateCaDateField.optional(),
notAfter: validateCaDateField.optional(),
commonName: validateTemplateRegexField.optional(),
signatureAlgorithm: z.nativeEnum(CertSignatureAlgorithm).optional(),
keyAlgorithm: z.nativeEnum(CertKeyAlgorithm).optional()
})
.refine(
(data) => {
const hasDateFields = data.notBefore || data.notAfter;
const hasTtl = data.ttl;
return !(hasDateFields && hasTtl);
},
{
message:
"Cannot specify both TTL and notBefore/notAfter. Use either TTL for duration-based validity or notBefore/notAfter for explicit date range."
}
)
.refine(
(data) => {
if (data.notBefore && data.notAfter) {
const notBefore = new Date(data.notBefore);
const notAfter = new Date(data.notAfter);
return notBefore < notAfter;
}
return true;
},
{
message: "notBefore must be earlier than notAfter"
}
),
response: {
200: z.object({
orderId: z.string(),
status: z.enum(["pending", "processing", "valid", "invalid"]),
status: z.nativeEnum(CertificateOrderStatus),
subjectAlternativeNames: z.array(
z.object({
type: z.enum(["dns", "ip"]),
type: z.nativeEnum(ACMESANType),
value: z.string(),
status: z.enum(["pending", "processing", "valid", "invalid"])
status: z.nativeEnum(CertificateOrderStatus)
})
),
authorizations: z.array(
z.object({
identifier: z.object({
type: z.enum(["dns", "ip"]),
type: z.nativeEnum(ACMESANType),
value: z.string()
}),
status: z.enum(["pending", "processing", "valid", "invalid"]),
status: z.nativeEnum(CertificateOrderStatus),
expires: z.string().optional(),
challenges: z.array(
z.object({
type: z.string(),
status: z.enum(["pending", "processing", "valid", "invalid"]),
status: z.nativeEnum(CertificateOrderStatus),
url: z.string(),
token: z.string()
})
@@ -256,7 +328,7 @@ export const registerCertificatesRouter = async (server: FastifyZodProvider) =>
actorOrgId: req.permission.orgId,
profileId: req.body.profileId,
certificateOrder: {
subjectAlternativeNames: req.body.subjectAlternativeNames,
altNames: req.body.subjectAlternativeNames,
validity: {
ttl: req.body.ttl
},
@@ -270,23 +342,15 @@ export const registerCertificatesRouter = async (server: FastifyZodProvider) =>
}
});
const profile = await server.services.certificateProfile.getProfileById({
actor: req.permission.type,
actorId: req.permission.id,
actorAuthMethod: req.permission.authMethod,
actorOrgId: req.permission.orgId,
profileId: req.body.profileId
});
await server.services.auditLog.createAuditLog({
...req.auditLogInfo,
projectId: profile.projectId,
projectId: data.projectId,
event: {
type: EventType.ORDER_CERTIFICATE_FROM_PROFILE,
metadata: {
certificateProfileId: req.body.profileId,
orderId: data.orderId,
subjectAlternativeNames: req.body.subjectAlternativeNames.map((san) => `${san.type}:${san.value}`)
profileName: data.profileName
}
}
});

153
backend/src/services/certificate-authority/certificate-authority-fns.test.ts Normal file
View File

@@ -0,0 +1,153 @@
import { describe, expect, it } from "vitest";
import { CertKeyAlgorithm } from "@app/services/certificate/certificate-types";
import { signatureAlgorithmToAlgCfg } from "./certificate-authority-fns";
describe("signatureAlgorithmToAlgCfg", () => {
describe("RSA algorithms", () => {
it("should handle RSA-SHA256 correctly", () => {
const result = signatureAlgorithmToAlgCfg("RSA-SHA256", CertKeyAlgorithm.RSA_2048);
expect(result).toEqual({
name: "RSASSA-PKCS1-v1_5",
hash: "SHA-256",
publicExponent: new Uint8Array([1, 0, 1]),
modulusLength: 2048
});
});
it("should handle RSA-SHA384 correctly", () => {
const result = signatureAlgorithmToAlgCfg("RSA-SHA384", CertKeyAlgorithm.RSA_4096);
expect(result).toEqual({
name: "RSASSA-PKCS1-v1_5",
hash: "SHA-384",
publicExponent: new Uint8Array([1, 0, 1]),
modulusLength: 4096
});
});
it("should handle RSA-SHA512 correctly", () => {
const result = signatureAlgorithmToAlgCfg("RSA-SHA512", CertKeyAlgorithm.RSA_2048);
expect(result).toEqual({
name: "RSASSA-PKCS1-v1_5",
hash: "SHA-512",
publicExponent: new Uint8Array([1, 0, 1]),
modulusLength: 2048
});
});
});
describe("ECDSA algorithms", () => {
it("should handle ECDSA-SHA256 with P-256 curve", () => {
const result = signatureAlgorithmToAlgCfg("ECDSA-SHA256", CertKeyAlgorithm.ECDSA_P256);
expect(result).toEqual({
name: "ECDSA",
namedCurve: "P-256",
hash: "SHA-256"
});
});
it("should handle ECDSA-SHA384 with P-384 curve", () => {
const result = signatureAlgorithmToAlgCfg("ECDSA-SHA384", CertKeyAlgorithm.ECDSA_P384);
expect(result).toEqual({
name: "ECDSA",
namedCurve: "P-384",
hash: "SHA-384"
});
});
it("should handle ECDSA-SHA256 with EC_prime256v1 string format", () => {
const result = signatureAlgorithmToAlgCfg("ECDSA-SHA256", "EC_prime256v1");
expect(result).toEqual({
name: "ECDSA",
namedCurve: "P-256",
hash: "SHA-256"
});
});
it("should handle ECDSA-SHA384 with EC_secp384r1 string format", () => {
const result = signatureAlgorithmToAlgCfg("ECDSA-SHA384", "EC_secp384r1");
expect(result).toEqual({
name: "ECDSA",
namedCurve: "P-384",
hash: "SHA-384"
});
});
});
describe("hash format normalization", () => {
it("should normalize SHA256 to SHA-256", () => {
const result = signatureAlgorithmToAlgCfg("RSA-SHA256", CertKeyAlgorithm.RSA_2048);
expect(result.hash).toBe("SHA-256");
});
it("should normalize SHA384 to SHA-384", () => {
const result = signatureAlgorithmToAlgCfg("ECDSA-SHA384", CertKeyAlgorithm.ECDSA_P384);
expect(result.hash).toBe("SHA-384");
});
it("should normalize SHA512 to SHA-512", () => {
const result = signatureAlgorithmToAlgCfg("RSA-SHA512", CertKeyAlgorithm.RSA_4096);
expect(result.hash).toBe("SHA-512");
});
it("should handle SHA1 format", () => {
const result = signatureAlgorithmToAlgCfg("RSA-SHA1", CertKeyAlgorithm.RSA_2048);
expect(result.hash).toBe("SHA-1");
});
it("should handle SHA224 format", () => {
const result = signatureAlgorithmToAlgCfg("ECDSA-SHA224", CertKeyAlgorithm.ECDSA_P256);
expect(result.hash).toBe("SHA-224");
});
it("should handle case insensitive hash normalization", () => {
const result = signatureAlgorithmToAlgCfg("RSA-sha256", CertKeyAlgorithm.RSA_2048);
expect(result.hash).toBe("SHA-256");
});
it("should handle already normalized hash formats", () => {
const result = signatureAlgorithmToAlgCfg("ECDSA-SHA256", CertKeyAlgorithm.ECDSA_P256);
expect(result.hash).toBe("SHA-256");
});
it("should handle SHA-3 family hashes", () => {
const result = signatureAlgorithmToAlgCfg("RSA-SHA3256", CertKeyAlgorithm.RSA_2048);
expect(result.hash).toBe("SHA3-256");
});
});
describe("dynamic key algorithm support", () => {
it("should support future RSA key sizes", () => {
const result = signatureAlgorithmToAlgCfg("RSA-SHA256", "RSA_8192");
expect(result.name).toBe("RSASSA-PKCS1-v1_5");
expect(result.hash).toBe("SHA-256");
});
it("should support future EC curves", () => {
const result = signatureAlgorithmToAlgCfg("ECDSA-SHA256", "EC_secp521r1");
expect(result.name).toBe("ECDSA");
expect(result.namedCurve).toBe("P-256");
expect(result.hash).toBe("SHA-256");
});
it("should support EC_P384 string format", () => {
const result = signatureAlgorithmToAlgCfg("ECDSA-SHA384", "EC_P384");
expect(result).toEqual({
name: "ECDSA",
namedCurve: "P-384",
hash: "SHA-384"
});
});
});
});

33
backend/src/services/certificate-authority/certificate-authority-fns.ts
View File

@@ -99,29 +99,52 @@ export const keyAlgorithmToAlgCfg = (keyAlgorithm: CertKeyAlgorithm) => {
}
};
export const signatureAlgorithmToAlgCfg = (signatureAlgorithm: string, keyAlgorithm: CertKeyAlgorithm) => {
export const signatureAlgorithmToAlgCfg = (signatureAlgorithm: string, keyAlgorithm: CertKeyAlgorithm | string) => {
// Parse signature algorithm like "RSA-SHA256", "ECDSA-SHA256" etc.
const [keyType, hashType] = signatureAlgorithm.split("-");
const normalizeHashType = (hash: string) => {
const upperHash = hash.toUpperCase();
if (upperHash === "SHA1" || upperHash === "SHA-1") return "SHA-1";
if (upperHash === "SHA224" || upperHash === "SHA-224") return "SHA-224";
if (upperHash === "SHA256" || upperHash === "SHA-256") return "SHA-256";
if (upperHash === "SHA384" || upperHash === "SHA-384") return "SHA-384";
if (upperHash === "SHA512" || upperHash === "SHA-512") return "SHA-512";
if (upperHash === "SHA3224" || upperHash === "SHA3-224") return "SHA3-224";
if (upperHash === "SHA3256" || upperHash === "SHA3-256") return "SHA3-256";
if (upperHash === "SHA3384" || upperHash === "SHA3-384") return "SHA3-384";
if (upperHash === "SHA3512" || upperHash === "SHA3-512") return "SHA3-512";
return hash;
};
const normalizedHash = hashType ? normalizeHashType(hashType) : undefined;
switch (keyType) {
case "RSA":
return {
name: "RSASSA-PKCS1-v1_5",
hash: hashType || "SHA-256",
hash: normalizedHash || "SHA-256",
publicExponent: new Uint8Array([1, 0, 1]),
modulusLength: keyAlgorithm === CertKeyAlgorithm.RSA_4096 ? 4096 : 2048
};
case "ECDSA":
// eslint-disable-next-line no-case-declarations
const namedCurve = keyAlgorithm === CertKeyAlgorithm.ECDSA_P384 ? "P-384" : "P-256";
const is384Curve =
keyAlgorithm === CertKeyAlgorithm.ECDSA_P384 || keyAlgorithm === "EC_secp384r1" || keyAlgorithm === "EC_P384";
// eslint-disable-next-line no-case-declarations
const namedCurve = is384Curve ? "P-384" : "P-256";
return {
name: "ECDSA",
namedCurve,
hash: hashType || (namedCurve === "P-384" ? "SHA-384" : "SHA-256")
hash: normalizedHash || (namedCurve === "P-384" ? "SHA-384" : "SHA-256")
};
default:
// Fallback to key algorithm default
return keyAlgorithmToAlgCfg(keyAlgorithm);
return keyAlgorithmToAlgCfg(keyAlgorithm as CertKeyAlgorithm);
}
};

46
backend/src/services/certificate-authority/internal/internal-certificate-authority-service.ts
View File

@@ -1280,16 +1280,31 @@ export const internalCertificateAuthorityServiceFactory = ({
throw new BadRequestError({ message: "notAfter date is after CA certificate's notAfter date" });
}
// Use provided keyAlgorithm if available, otherwise fall back to CA's algorithm
const effectiveKeyAlgorithm =
(keyAlgorithm as CertKeyAlgorithm) || (ca.internalCa.keyAlgorithm as CertKeyAlgorithm);
const keyGenAlg = keyAlgorithmToAlgCfg(effectiveKeyAlgorithm);
const leafKeys = await crypto.nativeCrypto.subtle.generateKey(keyGenAlg, true, ["sign", "verify"]);
if (signatureAlgorithm) {
const caKeyAlgorithm = ca.internalCa.keyAlgorithm;
const requestedKeyType = signatureAlgorithm.split("-")[0];
const isRsaCa = caKeyAlgorithm.startsWith("RSA");
const isEcdsaCa = caKeyAlgorithm.startsWith("EC");
if ((requestedKeyType === "RSA" && !isRsaCa) || (requestedKeyType === "ECDSA" && !isEcdsaCa)) {
// eslint-disable-next-line no-nested-ternary
const supportedType = isRsaCa ? "RSA" : isEcdsaCa ? "ECDSA" : "unknown";
throw new BadRequestError({
message: `Requested signature algorithm ${signatureAlgorithm} is not compatible with CA key algorithm ${caKeyAlgorithm}. CA can only sign with ${supportedType}-based signature algorithms.`
});
}
}
// Determine signing algorithm for certificate signing
const signingAlg = signatureAlgorithm
? signatureAlgorithmToAlgCfg(signatureAlgorithm, effectiveKeyAlgorithm)
: keyGenAlg;
? signatureAlgorithmToAlgCfg(signatureAlgorithm, ca.internalCa.keyAlgorithm as CertKeyAlgorithm)
: keyAlgorithmToAlgCfg(ca.internalCa.keyAlgorithm as CertKeyAlgorithm);
const csrObj = await x509.Pkcs10CertificateRequestGenerator.create({
name: `CN=${commonName}`,
@@ -1528,7 +1543,9 @@ export const internalCertificateAuthorityServiceFactory = ({
notBefore,
notAfter,
keyUsages,
extendedKeyUsages
extendedKeyUsages,
signatureAlgorithm,
keyAlgorithm
} = dto;
let collectionId = pkiCollectionId;
@@ -1633,7 +1650,26 @@ export const internalCertificateAuthorityServiceFactory = ({
throw new BadRequestError({ message: "notAfter date is after CA certificate's notAfter date" });
}
const alg = keyAlgorithmToAlgCfg(ca.internalCa.keyAlgorithm as CertKeyAlgorithm);
if (signatureAlgorithm) {
const caKeyAlgorithm = ca.internalCa.keyAlgorithm;
const requestedKeyType = signatureAlgorithm.split("-")[0]; // Get the first part (RSA, ECDSA)
const isRsaCa = caKeyAlgorithm.startsWith("RSA");
const isEcdsaCa = caKeyAlgorithm.startsWith("EC");
if ((requestedKeyType === "RSA" && !isRsaCa) || (requestedKeyType === "ECDSA" && !isEcdsaCa)) {
// eslint-disable-next-line no-nested-ternary
const supportedType = isRsaCa ? "RSA" : isEcdsaCa ? "ECDSA" : "unknown";
throw new BadRequestError({
message: `Requested signature algorithm ${signatureAlgorithm} is not compatible with CA key algorithm ${caKeyAlgorithm}. CA can only sign with ${supportedType}-based signature algorithms.`
});
}
}
const effectiveKeyAlgorithm = (keyAlgorithm || ca.internalCa.keyAlgorithm) as CertKeyAlgorithm;
const alg = signatureAlgorithm
? signatureAlgorithmToAlgCfg(signatureAlgorithm, effectiveKeyAlgorithm)
: keyAlgorithmToAlgCfg(ca.internalCa.keyAlgorithm as CertKeyAlgorithm);
const csrObj = new x509.Pkcs10CertificateRequest(csr);

4
backend/src/services/certificate-authority/internal/internal-certificate-authority-types.ts
View File

@@ -150,6 +150,8 @@ export type TSignCertFromCaDTO =
notAfter?: string;
keyUsages?: CertKeyUsage[];
extendedKeyUsages?: CertExtendedKeyUsage[];
signatureAlgorithm?: string;
keyAlgorithm?: string;
}
| ({
isInternal: false;
@@ -165,6 +167,8 @@ export type TSignCertFromCaDTO =
notAfter?: string;
keyUsages?: CertKeyUsage[];
extendedKeyUsages?: CertExtendedKeyUsage[];
signatureAlgorithm?: string;
keyAlgorithm?: string;
} & Omit<TProjectPermission, "projectId">);
export type TGetCaCertificateTemplatesDTO = {

186
backend/src/services/certificate-common/certificate-constants.ts Normal file
View File

@@ -0,0 +1,186 @@
export enum CertSubjectAlternativeNameType {
DNS_NAME = "dns_name",
IP_ADDRESS = "ip_address",
EMAIL = "email",
URI = "uri"
}
export enum CertKeyUsageType {
DIGITAL_SIGNATURE = "digital_signature",
KEY_ENCIPHERMENT = "key_encipherment",
NON_REPUDIATION = "non_repudiation",
DATA_ENCIPHERMENT = "data_encipherment",
KEY_AGREEMENT = "key_agreement",
KEY_CERT_SIGN = "key_cert_sign",
CRL_SIGN = "crl_sign",
ENCIPHER_ONLY = "encipher_only",
DECIPHER_ONLY = "decipher_only"
}
export enum CertExtendedKeyUsageType {
CLIENT_AUTH = "client_auth",
SERVER_AUTH = "server_auth",
CODE_SIGNING = "code_signing",
EMAIL_PROTECTION = "email_protection",
OCSP_SIGNING = "ocsp_signing",
TIME_STAMPING = "time_stamping"
}
export enum CertIncludeType {
MANDATORY = "mandatory",
OPTIONAL = "optional",
PROHIBIT = "prohibit"
}
export enum CertDurationUnit {
DAYS = "days",
MONTHS = "months",
YEARS = "years"
}
export enum CertSubjectAttributeType {
COMMON_NAME = "common_name"
}
export const mapSANTypeToLegacy = (type: CertSubjectAlternativeNameType): string => {
switch (type) {
case CertSubjectAlternativeNameType.DNS_NAME:
return "dns";
case CertSubjectAlternativeNameType.IP_ADDRESS:
return "ip";
case CertSubjectAlternativeNameType.EMAIL:
return "email";
case CertSubjectAlternativeNameType.URI:
return "uri";
default:
return type;
}
};
export const mapLegacySANTypeToStandard = (type: string): CertSubjectAlternativeNameType => {
switch (type) {
case "dns":
case "dns_name":
return CertSubjectAlternativeNameType.DNS_NAME;
case "ip":
case "ip_address":
return CertSubjectAlternativeNameType.IP_ADDRESS;
case "email":
return CertSubjectAlternativeNameType.EMAIL;
case "uri":
case "url":
return CertSubjectAlternativeNameType.URI;
default:
throw new Error(`Unknown SAN type: ${type}`);
}
};
export const mapKeyUsageToLegacy = (usage: CertKeyUsageType): string => {
switch (usage) {
case CertKeyUsageType.DIGITAL_SIGNATURE:
return "digitalSignature";
case CertKeyUsageType.KEY_ENCIPHERMENT:
return "keyEncipherment";
case CertKeyUsageType.NON_REPUDIATION:
return "nonRepudiation";
case CertKeyUsageType.DATA_ENCIPHERMENT:
return "dataEncipherment";
case CertKeyUsageType.KEY_AGREEMENT:
return "keyAgreement";
case CertKeyUsageType.KEY_CERT_SIGN:
return "keyCertSign";
case CertKeyUsageType.CRL_SIGN:
return "cRLSign";
case CertKeyUsageType.ENCIPHER_ONLY:
return "encipherOnly";
case CertKeyUsageType.DECIPHER_ONLY:
return "decipherOnly";
default:
return usage;
}
};
export const mapLegacyKeyUsageToStandard = (usage: string): CertKeyUsageType => {
switch (usage) {
case "digitalSignature":
case "digital_signature":
return CertKeyUsageType.DIGITAL_SIGNATURE;
case "keyEncipherment":
case "key_encipherment":
return CertKeyUsageType.KEY_ENCIPHERMENT;
case "nonRepudiation":
case "non_repudiation":
return CertKeyUsageType.NON_REPUDIATION;
case "dataEncipherment":
case "data_encipherment":
return CertKeyUsageType.DATA_ENCIPHERMENT;
case "keyAgreement":
case "key_agreement":
return CertKeyUsageType.KEY_AGREEMENT;
case "keyCertSign":
case "key_cert_sign":
return CertKeyUsageType.KEY_CERT_SIGN;
case "cRLSign":
case "crl_sign":
return CertKeyUsageType.CRL_SIGN;
case "encipherOnly":
case "encipher_only":
return CertKeyUsageType.ENCIPHER_ONLY;
case "decipherOnly":
case "decipher_only":
return CertKeyUsageType.DECIPHER_ONLY;
default:
throw new Error(`Unknown key usage: ${usage}`);
}
};
export const mapExtendedKeyUsageToLegacy = (usage: CertExtendedKeyUsageType): string => {
switch (usage) {
case CertExtendedKeyUsageType.CLIENT_AUTH:
return "clientAuth";
case CertExtendedKeyUsageType.SERVER_AUTH:
return "serverAuth";
case CertExtendedKeyUsageType.CODE_SIGNING:
return "codeSigning";
case CertExtendedKeyUsageType.EMAIL_PROTECTION:
return "emailProtection";
case CertExtendedKeyUsageType.OCSP_SIGNING:
return "ocspSigning";
case CertExtendedKeyUsageType.TIME_STAMPING:
return "timeStamping";
default:
return usage;
}
};
export const mapLegacyExtendedKeyUsageToStandard = (usage: string): CertExtendedKeyUsageType => {
switch (usage) {
case "clientAuth":
case "client_auth":
return CertExtendedKeyUsageType.CLIENT_AUTH;
case "serverAuth":
case "server_auth":
return CertExtendedKeyUsageType.SERVER_AUTH;
case "codeSigning":
case "code_signing":
return CertExtendedKeyUsageType.CODE_SIGNING;
case "emailProtection":
case "email_protection":
return CertExtendedKeyUsageType.EMAIL_PROTECTION;
case "ocspSigning":
case "ocsp_signing":
return CertExtendedKeyUsageType.OCSP_SIGNING;
case "timeStamping":
case "time_stamping":
return CertExtendedKeyUsageType.TIME_STAMPING;
default:
throw new Error(`Unknown extended key usage: ${usage}`);
}
};
export const SAN_TYPE_OPTIONS = Object.values(CertSubjectAlternativeNameType);
export const KEY_USAGE_OPTIONS = Object.values(CertKeyUsageType);
export const EXTENDED_KEY_USAGE_OPTIONS = Object.values(CertExtendedKeyUsageType);
export const INCLUDE_TYPE_OPTIONS = Object.values(CertIncludeType);
export const DURATION_UNIT_OPTIONS = Object.values(CertDurationUnit);
export const SUBJECT_ATTRIBUTE_TYPE_OPTIONS = Object.values(CertSubjectAttributeType);

132
backend/src/services/certificate-common/certificate-utils.ts
View File

@@ -1,34 +1,39 @@
import { CertExtendedKeyUsage, CertKeyUsage } from "../certificate/certificate-types";
import {
CertExtendedKeyUsageType,
CertKeyUsageType,
mapExtendedKeyUsageToLegacy,
mapKeyUsageToLegacy,
mapLegacyExtendedKeyUsageToStandard,
mapLegacyKeyUsageToStandard
} from "./certificate-constants";
interface CertificateRequestInput {
keyUsages?: string[];
extendedKeyUsages?: string[];
}
export const mapEnumsForValidation = <T extends CertificateRequestInput>(request: T): T => {
const keyUsageMapping: Record<string, string> = {
digitalSignature: "digital_signature",
keyEncipherment: "key_encipherment",
nonRepudiation: "non_repudiation",
dataEncipherment: "data_encipherment",
keyAgreement: "key_agreement",
keyCertSign: "key_cert_sign",
cRLSign: "crl_sign",
encipherOnly: "encipher_only",
decipherOnly: "decipher_only"
const mapKeyUsage = (usage: string): string => {
try {
return mapLegacyKeyUsageToStandard(usage);
} catch {
return usage;
}
};
const extendedKeyUsageMapping: Record<string, string> = {
serverAuth: "server_auth",
clientAuth: "client_auth",
codeSigning: "code_signing",
emailProtection: "email_protection",
timeStamping: "time_stamping",
ocspSigning: "ocsp_signing"
const mapExtendedKeyUsage = (usage: string): string => {
try {
return mapLegacyExtendedKeyUsageToStandard(usage);
} catch {
return usage;
}
};
return {
...request,
keyUsages: request.keyUsages?.map((usage: string) => keyUsageMapping[usage] || usage),
extendedKeyUsages: request.extendedKeyUsages?.map((usage: string) => extendedKeyUsageMapping[usage] || usage)
keyUsages: request.keyUsages?.map(mapKeyUsage),
extendedKeyUsages: request.extendedKeyUsages?.map(mapExtendedKeyUsage)
} as T;
};
@@ -51,27 +56,28 @@ export const buildCertificateSubjectFromTemplate = (
): Record<string, string | undefined> => {
const subject: Record<string, string> = {};
const attributeMap: Record<string, string> = {
common_name: "commonName",
organization_name: "organization",
organization_unit: "organizationUnit",
locality: "locality",
state: "state",
country: "country",
email: "email",
street_address: "streetAddress",
postal_code: "postalCode"
common_name: "commonName"
};
if (!templateAttributes || templateAttributes.length === 0) {
Object.entries(attributeMap).forEach(([templateKey, requestKey]) => {
const value = request[requestKey];
if (value && typeof value === "string") {
subject[templateKey] = value;
}
});
return subject;
throw new Error(
"Template must define allowed certificate attributes. Cannot issue certificate without template attribute constraints."
);
}
const allowedAttributes = new Set(templateAttributes.map((attr) => attributeMap[attr.type]));
Object.keys(attributeMap).forEach((templateType) => {
const requestKey = attributeMap[templateType];
const value = request[requestKey];
if (value && !allowedAttributes.has(requestKey)) {
throw new Error(
`Certificate attribute '${requestKey}' is not allowed by the template. Template must define constraints for all requested attributes.`
);
}
});
templateAttributes.forEach((attr) => {
if (attr.include === "prohibit") {
return;
@@ -101,12 +107,28 @@ export const buildSubjectAlternativeNamesFromTemplate = (
}
if (!templateSans || templateSans.length === 0) {
return request.subjectAlternativeNames.map((san) => san.value).join(",");
if (request.subjectAlternativeNames.length > 0) {
throw new Error(
"Template must define allowed subject alternative names. Cannot issue certificate with SANs when template has no SAN constraints."
);
}
return "";
}
const allowedSans: string[] = [];
const templateSanTypes = new Set(templateSans.map((san) => san.type));
const prohibitedTypes = new Set(templateSans.filter((san) => san.include === "prohibit").map((san) => san.type));
request.subjectAlternativeNames.forEach((san) => {
const sanType = san.type === "dns_name" ? "dns_name" : san.type;
if (!templateSanTypes.has(sanType)) {
throw new Error(
`Subject Alternative Name type '${sanType}' is not allowed by the template. Template must define constraints for all requested SAN types.`
);
}
});
const allowedSans: string[] = [];
request.subjectAlternativeNames.forEach((san) => {
const sanType = san.type === "dns_name" ? "dns_name" : san.type;
if (!prohibitedTypes.has(sanType)) {
@@ -116,3 +138,39 @@ export const buildSubjectAlternativeNamesFromTemplate = (
return allowedSans.join(",");
};
export const convertLegacyKeyUsage = (usage: CertKeyUsage): CertKeyUsageType => {
return mapLegacyKeyUsageToStandard(usage);
};
export const convertToLegacyKeyUsage = (usage: CertKeyUsageType): CertKeyUsage => {
return mapKeyUsageToLegacy(usage) as CertKeyUsage;
};
export const convertLegacyExtendedKeyUsage = (usage: CertExtendedKeyUsage): CertExtendedKeyUsageType => {
return mapLegacyExtendedKeyUsageToStandard(usage);
};
export const convertToLegacyExtendedKeyUsage = (usage: CertExtendedKeyUsageType): CertExtendedKeyUsage => {
return mapExtendedKeyUsageToLegacy(usage) as CertExtendedKeyUsage;
};
export const convertKeyUsageArrayFromLegacy = (usages?: CertKeyUsage[]): CertKeyUsageType[] | undefined => {
return usages?.map(convertLegacyKeyUsage);
};
export const convertKeyUsageArrayToLegacy = (usages?: CertKeyUsageType[]): CertKeyUsage[] | undefined => {
return usages?.map(convertToLegacyKeyUsage);
};
export const convertExtendedKeyUsageArrayFromLegacy = (
usages?: CertExtendedKeyUsage[]
): CertExtendedKeyUsageType[] | undefined => {
return usages?.map(convertLegacyExtendedKeyUsage);
};
export const convertExtendedKeyUsageArrayToLegacy = (
usages?: CertExtendedKeyUsageType[]
): CertExtendedKeyUsage[] | undefined => {
return usages?.map(convertToLegacyExtendedKeyUsage);
};

21
backend/src/services/certificate-est-v3/certificate-est-v3-service.ts
View File

@@ -8,6 +8,7 @@ import { TCertificateAuthorityDALFactory } from "@app/services/certificate-autho
import { getCaCertChain, getCaCertChains } from "@app/services/certificate-authority/certificate-authority-fns";
import { TInternalCertificateAuthorityServiceFactory } from "@app/services/certificate-authority/internal/internal-certificate-authority-service";
import { TCertificateProfileDALFactory } from "@app/services/certificate-profile/certificate-profile-dal";
import { EnrollmentType } from "@app/services/certificate-profile/certificate-profile-types";
import { TCertificateTemplateDALFactory } from "@app/services/certificate-template/certificate-template-dal";
import { TEstEnrollmentConfigDALFactory } from "@app/services/enrollment-config/est-enrollment-config-dal";
import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -56,6 +57,10 @@ export const certificateEstV3ServiceFactory = ({
throw new NotFoundError({ message: "Certificate profile not found" });
}
if (profile.enrollmentType !== EnrollmentType.EST) {
throw new BadRequestError({ message: "Profile is not configured for EST enrollment" });
}
if (!profile.estConfigId) {
throw new BadRequestError({ message: "EST enrollment not configured for this profile" });
}
@@ -141,6 +146,10 @@ export const certificateEstV3ServiceFactory = ({
throw new NotFoundError({ message: "Certificate profile not found" });
}
if (profile.enrollmentType !== EnrollmentType.EST) {
throw new BadRequestError({ message: "Profile is not configured for EST enrollment" });
}
if (!profile.estConfigId) {
throw new BadRequestError({ message: "EST enrollment not configured for this profile" });
}
@@ -237,6 +246,10 @@ export const certificateEstV3ServiceFactory = ({
throw new NotFoundError({ message: "Certificate profile not found" });
}
if (profile.enrollmentType !== EnrollmentType.EST) {
throw new BadRequestError({ message: "Profile is not configured for EST enrollment" });
}
if (!profile.estConfigId) {
throw new BadRequestError({ message: "EST enrollment not configured for this profile" });
}
@@ -280,8 +293,14 @@ export const certificateEstV3ServiceFactory = ({
kmsService
});
const certificates = extractX509CertFromChain(caCertChain).map((cert) => new x509.X509Certificate(cert));
const certificateChain = extractX509CertFromChain(caCertChain);
if (!certificateChain || certificateChain.length === 0) {
throw new BadRequestError({
message: "Invalid CA certificate chain: unable to extract certificates"
});
}
const certificates = certificateChain.map((cert) => new x509.X509Certificate(cert));
const caCertificate = new x509.X509Certificate(caCert);
return convertRawCertsToPkcs7([caCertificate.rawData, ...certificates.map((cert) => cert.rawData)]);
};

86
backend/src/services/certificate-profile/certificate-profile-schemas.ts
View File

@@ -31,42 +31,72 @@ export const createCertificateProfileSchema = z
})
.refine(
(data) => {
if (data.enrollmentType === EnrollmentType.EST && !data.estConfig) {
return false;
if (data.enrollmentType === EnrollmentType.EST) {
if (!data.estConfig) {
return false;
}
if (data.apiConfig) {
return false;
}
}
if (data.enrollmentType === EnrollmentType.API && !data.apiConfig) {
return false;
if (data.enrollmentType === EnrollmentType.API) {
if (!data.apiConfig) {
return false;
}
if (data.estConfig) {
return false;
}
}
return true;
},
{
message: "Config must be provided based on enrollment type"
message:
"EST enrollment type requires EST configuration and cannot have API configuration. API enrollment type requires API configuration and cannot have EST configuration."
}
);
export const updateCertificateProfileSchema = z.object({
slug: z
.string()
.min(1)
.max(255)
.regex(new RE2("^[a-z0-9-]+$"), "Slug must contain only lowercase letters, numbers, and hyphens")
.optional(),
description: z.string().max(1000).optional(),
enrollmentType: z.nativeEnum(EnrollmentType).optional(),
estConfig: z
.object({
disableBootstrapCaValidation: z.boolean().default(false),
passphrase: z.string().min(1),
encryptedCaChain: z.string()
})
.optional(),
apiConfig: z
.object({
autoRenew: z.boolean().default(false),
autoRenewDays: z.number().min(1).max(365).optional()
})
.optional()
});
export const updateCertificateProfileSchema = z
.object({
slug: z
.string()
.min(1)
.max(255)
.regex(new RE2("^[a-z0-9-]+$"), "Slug must contain only lowercase letters, numbers, and hyphens")
.optional(),
description: z.string().max(1000).optional(),
enrollmentType: z.nativeEnum(EnrollmentType).optional(),
estConfig: z
.object({
disableBootstrapCaValidation: z.boolean().default(false),
passphrase: z.string().min(1),
encryptedCaChain: z.string()
})
.optional(),
apiConfig: z
.object({
autoRenew: z.boolean().default(false),
autoRenewDays: z.number().min(1).max(365).optional()
})
.optional()
})
.refine(
(data) => {
if (data.enrollmentType === EnrollmentType.EST) {
if (data.apiConfig) {
return false;
}
}
if (data.enrollmentType === EnrollmentType.API) {
if (data.estConfig) {
return false;
}
}
return true;
},
{
message: "Cannot have EST config with API enrollment type or API config with EST enrollment type."
}
);
export const getCertificateProfileByIdSchema = z.object({
id: z.string().uuid()

76
backend/src/services/certificate-profile/certificate-profile-service.test.ts
View File

@@ -122,9 +122,7 @@ describe("CertificateProfileService", () => {
create: vi.fn().mockResolvedValue({ id: "api-config-123" }),
findById: vi.fn(),
updateById: vi.fn(),
deleteById: vi.fn(),
findProfilesForAutoRenewal: vi.fn(),
isConfigInUse: vi.fn(),
transaction: vi.fn(),
find: vi.fn(),
findOne: vi.fn(),
@@ -136,8 +134,6 @@ describe("CertificateProfileService", () => {
create: vi.fn().mockResolvedValue({ id: "est-config-123" }),
findById: vi.fn(),
updateById: vi.fn(),
deleteById: vi.fn(),
isConfigInUse: vi.fn(),
transaction: vi.fn(),
find: vi.fn(),
findOne: vi.fn(),
@@ -158,6 +154,12 @@ describe("CertificateProfileService", () => {
throwUnlessCan: vi.fn()
} as any);
// Mock the transaction method to execute the callback and return the result
(mockCertificateProfileDAL.transaction as any).mockImplementation(async (fn: any) => {
// eslint-disable-next-line @typescript-eslint/no-unsafe-return, @typescript-eslint/return-await
return await fn();
});
service = certificateProfileServiceFactory({
certificateProfileDAL: mockCertificateProfileDAL,
certificateTemplateV2DAL: mockCertificateTemplateV2DAL,
@@ -188,7 +190,10 @@ describe("CertificateProfileService", () => {
(mockCertificateTemplateV2DAL.findById as any).mockResolvedValue(sampleTemplate);
(mockCertificateProfileDAL.findByNameAndProjectId as any).mockResolvedValue(null);
(mockCertificateProfileDAL.findBySlugAndProjectId as any).mockResolvedValue(null);
(mockCertificateProfileDAL.create as any).mockResolvedValue(sampleProfile);
(mockCertificateProfileDAL.create as any).mockResolvedValue({
...sampleProfile,
enrollmentType: EnrollmentType.API // Ensure enrollmentType is explicitly included
});
});
it("should create profile successfully", async () => {
@@ -201,16 +206,19 @@ describe("CertificateProfileService", () => {
expect(result).toEqual(sampleProfile);
expect(mockCertificateTemplateV2DAL.findById).toHaveBeenCalledWith("template-123");
expect(mockCertificateProfileDAL.findBySlugAndProjectId).toHaveBeenCalledWith("new-profile", "project-123");
expect(mockCertificateProfileDAL.create).toHaveBeenCalledWith({
slug: "new-profile",
description: "New test profile",
enrollmentType: EnrollmentType.API,
caId: "ca-123",
certificateTemplateId: "template-123",
apiConfigId: "api-config-123",
estConfigId: null,
projectId: "project-123"
});
expect(mockCertificateProfileDAL.create).toHaveBeenCalledWith(
{
slug: "new-profile",
description: "New test profile",
enrollmentType: EnrollmentType.API,
caId: "ca-123",
certificateTemplateId: "template-123",
apiConfigId: "api-config-123",
estConfigId: null,
projectId: "project-123"
},
undefined
);
});
it("should throw NotFoundError when certificate template not found", async () => {
@@ -318,7 +326,11 @@ describe("CertificateProfileService", () => {
beforeEach(() => {
(mockCertificateProfileDAL.findById as any).mockResolvedValue(sampleProfile);
(mockCertificateProfileDAL.updateById as any).mockResolvedValue({ ...sampleProfile, ...updateData });
(mockCertificateProfileDAL.updateById as any).mockResolvedValue({
...sampleProfile,
...updateData,
enrollmentType: EnrollmentType.API // Ensure enrollmentType is explicitly included
});
});
it("should update profile successfully", async () => {
@@ -330,7 +342,7 @@ describe("CertificateProfileService", () => {
expect(result.slug).toBe("updated-profile");
expect(mockCertificateProfileDAL.findById).toHaveBeenCalledWith("profile-123");
expect(mockCertificateProfileDAL.updateById).toHaveBeenCalledWith("profile-123", updateData);
expect(mockCertificateProfileDAL.updateById).toHaveBeenCalledWith("profile-123", updateData, undefined);
});
it("should throw NotFoundError when profile not found", async () => {
@@ -720,11 +732,14 @@ describe("CertificateProfileService", () => {
});
expect(result.enrollmentType).toBe(EnrollmentType.EST);
expect(mockEstEnrollmentConfigDAL.create).toHaveBeenCalledWith({
disableBootstrapCaValidation: estProfileData.estConfig.disableBootstrapCaValidation,
hashedPassphrase: "mocked-hash",
encryptedCaChain: Buffer.from(estProfileData.estConfig.encryptedCaChain, "base64")
});
expect(mockEstEnrollmentConfigDAL.create).toHaveBeenCalledWith(
{
disableBootstrapCaValidation: estProfileData.estConfig.disableBootstrapCaValidation,
hashedPassphrase: "mocked-hash",
encryptedCaChain: Buffer.from(estProfileData.estConfig.encryptedCaChain, "base64")
},
undefined
);
});
it("should handle profile slug uniqueness validation", async () => {
@@ -772,7 +787,8 @@ describe("CertificateProfileService", () => {
(mockCertificateProfileDAL.findBySlugAndProjectId as any).mockResolvedValue(null);
(mockCertificateProfileDAL.create as any).mockResolvedValue({
...sampleProfile,
apiConfigId: "api-config-123"
apiConfigId: "api-config-123",
enrollmentType: EnrollmentType.API
});
const result = await service.createProfile({
@@ -781,10 +797,13 @@ describe("CertificateProfileService", () => {
data: autoRenewData
});
expect(mockApiEnrollmentConfigDAL.create).toHaveBeenCalledWith({
autoRenew: true,
autoRenewDays: 7
});
expect(mockApiEnrollmentConfigDAL.create).toHaveBeenCalledWith(
{
autoRenew: true,
autoRenewDays: 7
},
undefined
);
expect(result).toBeDefined();
});
});
@@ -1076,7 +1095,8 @@ describe("CertificateProfileService", () => {
(mockCertificateProfileDAL.findBySlugAndProjectId as any).mockResolvedValue(null);
(mockCertificateProfileDAL.create as any).mockResolvedValue({
...sampleProfile,
slug: invalidSlugData.slug
slug: invalidSlugData.slug,
enrollmentType: EnrollmentType.API
});
const result = await service.createProfile({

205
backend/src/services/certificate-profile/certificate-profile-service.ts
View File

@@ -49,70 +49,6 @@ const convertDalToService = (dalResult: Record<string, unknown>): TCertificatePr
} as TCertificateProfile;
};
const validateEnrollmentConfig = async (data: {
enrollmentType: EnrollmentType;
estConfig?: TEstConfigData | null;
apiConfig?: TApiConfigData | null;
}): Promise<void> => {
if (data.enrollmentType === EnrollmentType.EST) {
if (!data.estConfig) {
throw new ForbiddenRequestError({
message: "EST enrollment type requires EST configuration"
});
}
if (data.apiConfig) {
throw new ForbiddenRequestError({
message: "EST enrollment type cannot have API configuration"
});
}
} else if (data.enrollmentType === EnrollmentType.API) {
if (!data.apiConfig) {
throw new ForbiddenRequestError({
message: "API enrollment type requires API configuration"
});
}
if (data.estConfig) {
throw new ForbiddenRequestError({
message: "API enrollment type cannot have EST configuration"
});
}
}
};
const validateEnrollmentConfigForUpdate = async (data: {
enrollmentType: EnrollmentType;
estConfigId?: string | null;
apiConfigId?: string | null;
}): Promise<void> => {
if (data.enrollmentType === EnrollmentType.EST) {
if (!data.estConfigId) {
throw new ForbiddenRequestError({
message: "EST enrollment type requires EST configuration ID"
});
}
if (data.apiConfigId) {
throw new ForbiddenRequestError({
message: "EST enrollment type cannot have API configuration ID"
});
}
} else if (data.enrollmentType === EnrollmentType.API) {
if (!data.apiConfigId) {
throw new ForbiddenRequestError({
message: "API enrollment type requires API configuration ID"
});
}
if (data.estConfigId) {
throw new ForbiddenRequestError({
message: "API enrollment type cannot have EST configuration ID"
});
}
}
};
const hasEnrollmentConfigChanges = (data: TCertificateProfileUpdate): boolean => {
return !!(data.enrollmentType || data.estConfigId || data.apiConfigId);
};
export const certificateProfileServiceFactory = ({
certificateProfileDAL,
certificateTemplateV2DAL,
@@ -169,43 +105,61 @@ export const certificateProfileServiceFactory = ({
});
}
// Validate enrollment type configuration
await validateEnrollmentConfig({
enrollmentType: data.enrollmentType,
estConfig: data.estConfig,
apiConfig: data.apiConfig
});
// Create enrollment configs based on type
let estConfigId: string | null = null;
let apiConfigId: string | null = null;
if (data.enrollmentType === EnrollmentType.EST && data.estConfig) {
const appCfg = getConfig();
// Hash the passphrase
const hashedPassphrase = await crypto.hashing().createHash(data.estConfig.passphrase, appCfg.SALT_ROUNDS);
const estConfig = await estEnrollmentConfigDAL.create({
disableBootstrapCaValidation: data.estConfig.disableBootstrapCaValidation,
hashedPassphrase,
encryptedCaChain: Buffer.from(data.estConfig.encryptedCaChain, "base64")
// Validate enrollment configuration requirements
if (data.enrollmentType === EnrollmentType.EST && !data.estConfig) {
throw new ForbiddenRequestError({
message: "EST enrollment requires EST configuration"
});
estConfigId = estConfig.id;
} else if (data.enrollmentType === EnrollmentType.API && data.apiConfig) {
const apiConfig = await apiEnrollmentConfigDAL.create({
autoRenew: data.apiConfig.autoRenew,
autoRenewDays: data.apiConfig.autoRenewDays
}
if (data.enrollmentType === EnrollmentType.API && !data.apiConfig) {
throw new ForbiddenRequestError({
message: "API enrollment requires API configuration"
});
apiConfigId = apiConfig.id;
}
// Create the profile with the created config IDs
const { estConfig, apiConfig, ...profileData } = data;
const profile = await certificateProfileDAL.create({
...profileData,
projectId,
estConfigId,
apiConfigId
// Create enrollment configs and profile
const profile = await certificateProfileDAL.transaction(async (tx) => {
let estConfigId: string | null = null;
let apiConfigId: string | null = null;
if (data.enrollmentType === EnrollmentType.EST && data.estConfig) {
const appCfg = getConfig();
// Hash the passphrase
const hashedPassphrase = await crypto.hashing().createHash(data.estConfig.passphrase, appCfg.SALT_ROUNDS);
const estConfig = await estEnrollmentConfigDAL.create(
{
disableBootstrapCaValidation: data.estConfig.disableBootstrapCaValidation,
hashedPassphrase,
encryptedCaChain: Buffer.from(data.estConfig.encryptedCaChain, "base64")
},
tx
);
estConfigId = estConfig.id;
} else if (data.enrollmentType === EnrollmentType.API && data.apiConfig) {
const apiConfig = await apiEnrollmentConfigDAL.create(
{
autoRenew: data.apiConfig.autoRenew,
autoRenewDays: data.apiConfig.autoRenewDays
},
tx
);
apiConfigId = apiConfig.id;
}
// Create the profile with the created config IDs
const { estConfig, apiConfig, ...profileData } = data;
const profileResult = await certificateProfileDAL.create(
{
...profileData,
projectId,
estConfigId,
apiConfigId
},
tx
);
return profileResult;
});
return convertDalToService(profile);
@@ -268,37 +222,40 @@ export const certificateProfileServiceFactory = ({
}
}
if (hasEnrollmentConfigChanges(data)) {
const mergedData = { ...existingProfile, ...data };
await validateEnrollmentConfigForUpdate({
enrollmentType: mergedData.enrollmentType as EnrollmentType,
estConfigId: mergedData.estConfigId,
apiConfigId: mergedData.apiConfigId
});
}
const { estConfig, apiConfig, ...profileUpdateData } = data;
if (estConfig && existingProfile.estConfigId) {
await estEnrollmentConfigDAL.updateById(existingProfile.estConfigId, {
disableBootstrapCaValidation: estConfig.disableBootstrapCaValidation,
...(estConfig.passphrase && {
hashedPassphrase: await crypto.hashing().createHash(estConfig.passphrase, getConfig().SALT_ROUNDS)
}),
...(estConfig.caChain && {
encryptedCaChain: Buffer.from(estConfig.caChain, "base64")
})
});
}
const updatedProfile = await certificateProfileDAL.transaction(async (tx) => {
if (estConfig && existingProfile.estConfigId) {
await estEnrollmentConfigDAL.updateById(
existingProfile.estConfigId,
{
disableBootstrapCaValidation: estConfig.disableBootstrapCaValidation,
...(estConfig.passphrase && {
hashedPassphrase: await crypto.hashing().createHash(estConfig.passphrase, getConfig().SALT_ROUNDS)
}),
...(estConfig.caChain && {
encryptedCaChain: Buffer.from(estConfig.caChain, "base64")
})
},
tx
);
}
if (apiConfig && existingProfile.apiConfigId) {
await apiEnrollmentConfigDAL.updateById(existingProfile.apiConfigId, {
autoRenew: apiConfig.autoRenew,
autoRenewDays: apiConfig.autoRenewDays
});
}
if (apiConfig && existingProfile.apiConfigId) {
await apiEnrollmentConfigDAL.updateById(
existingProfile.apiConfigId,
{
autoRenew: apiConfig.autoRenew,
autoRenewDays: apiConfig.autoRenewDays
},
tx
);
}
const profileResult = await certificateProfileDAL.updateById(profileId, profileUpdateData, tx);
return profileResult;
});
const updatedProfile = await certificateProfileDAL.updateById(profileId, profileUpdateData);
return convertDalToService(updatedProfile);
};

30
backend/src/services/certificate-template-v2/certificate-template-v2-dal.ts
View File

@@ -14,6 +14,10 @@ import {
export type TCertificateTemplateV2DALFactory = ReturnType<typeof certificateTemplateV2DALFactory>;
interface CountResult {
count: string;
}
export const certificateTemplateV2DALFactory = (db: TDbClient) => {
const certificateTemplateV2Orm = ormify(db, TableName.CertificateTemplateV2);
@@ -199,12 +203,33 @@ export const certificateTemplateV2DALFactory = (db: TDbClient) => {
.count("*")
.first();
return parseInt(profileCount || "0", 10) > 0;
const profileUsage = parseInt((profileCount as unknown as CountResult).count || "0", 10) > 0;
const certCount = await (tx || db)(TableName.Certificate)
.where({ certificateTemplateId: templateId })
.count("*")
.first();
const certUsage = parseInt((certCount as unknown as CountResult).count || "0", 10) > 0;
return profileUsage || certUsage;
} catch (error) {
throw new DatabaseError({ error, name: "Check if certificate template v2 is in use" });
}
};
const getProfilesUsingTemplate = async (templateId: string, tx?: Knex) => {
try {
const profiles = await (tx || db)(TableName.CertificateProfile)
.select("id", "slug", "description")
.where({ certificateTemplateId: templateId });
return profiles;
} catch (error) {
throw new DatabaseError({ error, name: "Get profiles using certificate template v2" });
}
};
return {
...certificateTemplateV2Orm,
create,
@@ -214,6 +239,7 @@ export const certificateTemplateV2DALFactory = (db: TDbClient) => {
findByProjectId,
countByProjectId,
findBySlugAndProjectId,
isTemplateInUse
isTemplateInUse,
getProfilesUsingTemplate
};
};

103
backend/src/services/certificate-template-v2/certificate-template-v2-schemas.ts
View File

@@ -1,13 +1,22 @@
import RE2 from "re2";
import { z } from "zod";
const attributeTypeSchema = z.enum(["common_name"]);
import { slugSchema } from "@app/server/lib/schemas";
import {
CertDurationUnit,
CertExtendedKeyUsageType,
CertIncludeType,
CertKeyUsageType,
CertSubjectAlternativeNameType,
CertSubjectAttributeType
} from "@app/services/certificate-common/certificate-constants";
const includeTypeSchema = z.enum(["mandatory", "optional", "prohibit"]);
const attributeTypeSchema = z.nativeEnum(CertSubjectAttributeType);
const sanTypeSchema = z.enum(["dns_name", "ip_address", "email", "uri"]);
const includeTypeSchema = z.nativeEnum(CertIncludeType);
const durationUnitSchema = z.enum(["days", "months", "years"]);
const sanTypeSchema = z.nativeEnum(CertSubjectAlternativeNameType);
const durationUnitSchema = z.nativeEnum(CertDurationUnit);
export const templateV2AttributeSchema = z
.object({
@@ -17,32 +26,43 @@ export const templateV2AttributeSchema = z
})
.refine(
(data) => {
if (data.type === "common_name" && data.value && data.value.length > 1) {
return false;
}
if (data.include === "mandatory" && (!data.value || data.value.length > 1)) {
return false;
}
return true;
},
{
message: "Mandatory attributes can only have one value or no value (empty)"
message: "Common name can only have one value. Mandatory attributes can only have one value or no value (empty)"
}
);
export const templateV2KeyUsagesSchema = z.object({
requiredUsages: z.object({
all: z.array(z.string())
}),
optionalUsages: z.object({
all: z.array(z.string())
})
requiredUsages: z
.object({
all: z.array(z.nativeEnum(CertKeyUsageType))
})
.optional(),
optionalUsages: z
.object({
all: z.array(z.nativeEnum(CertKeyUsageType))
})
.optional()
});
export const templateV2ExtendedKeyUsagesSchema = z.object({
requiredUsages: z.object({
all: z.array(z.string())
}),
optionalUsages: z.object({
all: z.array(z.string())
})
requiredUsages: z
.object({
all: z.array(z.nativeEnum(CertExtendedKeyUsageType))
})
.optional(),
optionalUsages: z
.object({
all: z.array(z.nativeEnum(CertExtendedKeyUsageType))
})
.optional()
});
export const templateV2SanSchema = z
@@ -76,26 +96,30 @@ export const templateV2ValiditySchema = z.object({
.optional()
});
export const templateV2SignatureAlgorithmSchema = z.object({
allowedAlgorithms: z.array(z.string()).min(1),
defaultAlgorithm: z.string()
});
export const templateV2SignatureAlgorithmSchema = z
.object({
allowedAlgorithms: z.array(z.string()).min(1),
defaultAlgorithm: z.string()
})
.refine((data) => data.allowedAlgorithms.includes(data.defaultAlgorithm), {
message: "Default signature algorithm must be included in the allowed algorithms list"
});
export const templateV2KeyAlgorithmSchema = z.object({
allowedKeyTypes: z.array(z.string()).min(1),
defaultKeyType: z.string()
});
export const templateV2KeyAlgorithmSchema = z
.object({
allowedKeyTypes: z.array(z.string()).min(1),
defaultKeyType: z.string()
})
.refine((data) => data.allowedKeyTypes.includes(data.defaultKeyType), {
message: "Default key algorithm must be included in the allowed key types list"
});
export const createCertificateTemplateV2Schema = z.object({
projectId: z.string().min(1),
slug: z
.string()
.min(1)
.max(255)
.regex(new RE2("^[a-z0-9-]+$"), "Slug must contain only lowercase letters, numbers, and hyphens"),
slug: slugSchema({ min: 1, max: 255 }),
description: z.string().max(1000).optional(),
attributes: z.array(templateV2AttributeSchema).optional(),
keyUsages: templateV2KeyUsagesSchema.optional(),
attributes: z.array(templateV2AttributeSchema).min(1),
keyUsages: templateV2KeyUsagesSchema,
extendedKeyUsages: templateV2ExtendedKeyUsagesSchema.optional(),
subjectAlternativeNames: z.array(templateV2SanSchema).optional(),
validity: templateV2ValiditySchema.optional(),
@@ -104,12 +128,7 @@ export const createCertificateTemplateV2Schema = z.object({
});
export const updateCertificateTemplateV2Schema = z.object({
slug: z
.string()
.min(1)
.max(255)
.regex(new RE2("^[a-z0-9-]+$"), "Slug must contain only lowercase letters, numbers, and hyphens")
.optional(),
slug: slugSchema({ min: 1, max: 255 }).optional(),
description: z.string().max(1000).optional(),
attributes: z.array(templateV2AttributeSchema).optional(),
keyUsages: templateV2KeyUsagesSchema.optional(),
@@ -126,7 +145,7 @@ export const getCertificateTemplateV2ByIdSchema = z.object({
export const getCertificateTemplateV2BySlugSchema = z.object({
projectId: z.string().min(1),
slug: z.string().min(1)
slug: slugSchema()
});
export const listCertificateTemplatesV2Schema = z.object({
@@ -142,8 +161,8 @@ export const deleteCertificateTemplateV2Schema = z.object({
export const certificateRequestSchema = z.object({
commonName: z.string().optional(),
keyUsages: z.array(z.string()).optional(),
extendedKeyUsages: z.array(z.string()).optional(),
keyUsages: z.array(z.nativeEnum(CertKeyUsageType)).optional(),
extendedKeyUsages: z.array(z.nativeEnum(CertExtendedKeyUsageType)).optional(),
subjectAlternativeNames: z
.array(
z.object({

730
backend/src/services/certificate-template-v2/certificate-template-v2-service.test.ts
View File

File diff suppressed because it is too large Load Diff

532
backend/src/services/certificate-template-v2/certificate-template-v2-service.ts
View File

@@ -12,13 +12,13 @@ import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
import { alphaNumericNanoId } from "@app/lib/nanoid";
import { ActorAuthMethod, ActorType } from "../auth/auth-type";
import { CertIncludeType, CertSubjectAttributeType } from "../certificate-common/certificate-constants";
import { TCertificateTemplateV2DALFactory } from "./certificate-template-v2-dal";
import {
TCertificateRequest,
TCertificateTemplateV2,
TCertificateTemplateV2Insert,
TCertificateTemplateV2Update,
TTemplateV2Policy,
TTemplateValidationResult
} from "./certificate-template-v2-types";
@@ -70,8 +70,41 @@ export const certificateTemplateV2ServiceFactory = ({
}
};
const getRequestAttributeValue = (request: TCertificateRequest, attrType: string): string | undefined => {
const validateSubjectAttributePolicy = (attributes: Array<{ type: string; include: string; value?: string[] }>) => {
if (!attributes || attributes.length === 0) return;
const attributesByType = attributes.reduce(
(acc, attr) => {
if (!acc[attr.type]) acc[attr.type] = [];
acc[attr.type].push(attr);
return acc;
},
{} as Record<string, typeof attributes>
);
for (const [type, attrs] of Object.entries(attributesByType)) {
const mandatoryAttrs = attrs.filter((attr) => attr.include === CertIncludeType.MANDATORY);
if (mandatoryAttrs.length > 1) {
throw new ForbiddenRequestError({
message: `Multiple mandatory values found for subject attribute type '${type}'. Only one mandatory value is allowed per attribute type.`
});
}
if (mandatoryAttrs.length === 1 && attrs.length > 1) {
throw new ForbiddenRequestError({
message: `When a mandatory value exists for subject attribute type '${type}', no other values (optional or forbidden) are allowed for that attribute type.`
});
}
}
};
const getRequestAttributeValue = (
request: TCertificateRequest,
attrType: CertSubjectAttributeType | string
): string | undefined => {
switch (attrType) {
case CertSubjectAttributeType.COMMON_NAME:
case "common_name":
return request.commonName;
default:
@@ -79,44 +112,6 @@ export const certificateTemplateV2ServiceFactory = ({
}
};
const validateTemplatePolicy = (policy: Partial<TTemplateV2Policy>): void => {
if (!policy) {
throw new Error("Template policy is required");
}
if (!policy.attributes || policy.attributes.length === 0) {
throw new Error("Template policy must include attributes array");
}
if (!policy.keyUsages || !policy.keyUsages.requiredUsages || !policy.keyUsages.optionalUsages) {
throw new Error("Template policy must include valid key usages configuration");
}
if (policy.signatureAlgorithm) {
if (!policy.signatureAlgorithm.allowedAlgorithms.includes(policy.signatureAlgorithm.defaultAlgorithm)) {
throw new Error("Default signature algorithm must be in allowed algorithms list");
}
}
if (policy.keyAlgorithm) {
if (!policy.keyAlgorithm.allowedKeyTypes.includes(policy.keyAlgorithm.defaultKeyType)) {
throw new Error("Default key algorithm must be in allowed key types list");
}
}
};
const hasAnyPolicyField = (data: TCertificateTemplateV2Update): boolean => {
return !!(
data.attributes ||
data.keyUsages ||
data.extendedKeyUsages ||
data.subjectAlternativeNames ||
data.validity ||
data.signatureAlgorithm ||
data.keyAlgorithm
);
};
const generateTemplateSlug = (baseSlug?: string): string => {
if (baseSlug) {
return slugify(baseSlug);
@@ -139,177 +134,274 @@ export const certificateTemplateV2ServiceFactory = ({
return randomSlug;
};
const isWildcardPattern = (value: string): boolean => {
return value.includes("*");
};
const createWildcardRegex = (pattern: string): RegExp => {
const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
const regexPattern = escaped.replace(/\*/g, ".*");
return new RE2(`^${regexPattern}$`);
};
const mapTemplateSignatureAlgorithmToApi = (templateFormat: string): string => {
const mapping: Record<string, string> = {
"SHA256-RSA": "RSA-SHA256",
"SHA384-RSA": "RSA-SHA384",
"SHA512-RSA": "RSA-SHA512",
"SHA256-ECDSA": "ECDSA-SHA256",
"SHA384-ECDSA": "ECDSA-SHA384",
"SHA512-ECDSA": "ECDSA-SHA512"
};
return mapping[templateFormat] || templateFormat;
};
const mapTemplateKeyAlgorithmToApi = (templateFormat: string): string => {
const mapping: Record<string, string> = {
"RSA-2048": "RSA_2048",
"RSA-4096": "RSA_4096",
"ECDSA-P256": "EC_prime256v1",
"ECDSA-P384": "EC_secp384r1"
};
return mapping[templateFormat] || templateFormat;
};
const validateValueAgainstConstraints = (
value: string,
allowedValues: string[],
fieldName: string
): { isValid: boolean; error?: string } => {
if (!allowedValues || allowedValues.length === 0) {
return { isValid: true };
}
const hasWildcards = allowedValues.some(isWildcardPattern);
for (const allowedValue of allowedValues) {
if (isWildcardPattern(allowedValue)) {
try {
const regex = createWildcardRegex(allowedValue);
if (regex.test(value)) {
return { isValid: true };
}
} catch {
if (allowedValue === value) {
return { isValid: true };
}
}
} else if (allowedValue === value) {
return { isValid: true };
}
}
if (hasWildcards) {
return {
isValid: false,
error: `${fieldName} value '${value}' does not match allowed patterns: ${allowedValues.join(", ")}`
};
}
return {
isValid: false,
error: `${fieldName} value '${value}' is not in allowed values list`
};
};
const validateRequestAgainstPolicy = (
template: TCertificateTemplateV2,
request: TCertificateRequest
): TTemplateValidationResult => {
const errors: string[] = [];
const warnings: string[] = [];
const templateAttributeTypes = new Set(template.attributes?.map((attr) => attr.type) || []);
const attributePoliciesByType = new Map<string, typeof template.attributes>();
template.attributes?.forEach((attrPolicy) => {
const requestValue = getRequestAttributeValue(request, attrPolicy.type);
if (attrPolicy.include === "mandatory") {
if (!requestValue) {
errors.push(`${attrPolicy.type} is mandatory but not provided in request`);
} else if (attrPolicy.value && attrPolicy.value.length > 0) {
// Check if the request value matches any allowed pattern
const hasWildcards = attrPolicy.value.some((val) => val.includes("*"));
const isValidValue = attrPolicy.value.some((allowedValue) => {
if (allowedValue.includes("*")) {
// Handle wildcard patterns
const pattern = allowedValue.replace(/\./g, "\\.").replace(/\*/g, ".*");
const regex = new RE2(`^${pattern}$`);
return regex.test(requestValue);
}
return allowedValue === requestValue;
});
if (!isValidValue) {
if (hasWildcards) {
errors.push(
`${attrPolicy.type} value '${requestValue}' does not match allowed patterns: ${attrPolicy.value.join(", ")}`
);
} else {
errors.push(`${attrPolicy.type} value '${requestValue}' is not in allowed values list`);
}
}
}
}
if (attrPolicy.include === "prohibit" && requestValue) {
errors.push(`${attrPolicy.type} is prohibited by template policy`);
}
if (attrPolicy.include === "optional" && requestValue && attrPolicy.value && attrPolicy.value.length > 0) {
const hasWildcards = attrPolicy.value.some((val) => val.includes("*"));
const isValidValue = attrPolicy.value.some((allowedValue) => {
if (allowedValue.includes("*")) {
// Handle wildcard patterns - escape dots and replace * with .*
const pattern = allowedValue.replace(/\./g, "\\.").replace(/\*/g, ".*");
const regex = new RE2(`^${pattern}$`);
return regex.test(requestValue);
}
return allowedValue === requestValue;
});
if (!isValidValue) {
if (hasWildcards) {
errors.push(
`${attrPolicy.type} value '${requestValue}' does not match allowed patterns: ${attrPolicy.value.join(", ")}`
);
} else {
errors.push(`${attrPolicy.type} value '${requestValue}' is not in allowed values list`);
}
}
}
const existing = attributePoliciesByType.get(attrPolicy.type) || [];
attributePoliciesByType.set(attrPolicy.type, [...existing, attrPolicy]);
});
if (template.keyUsages) {
const missingRequired = template.keyUsages.requiredUsages.all.filter(
(usage) => !request.keyUsages?.includes(usage)
);
if (missingRequired.length > 0) {
errors.push(`Missing required key usages: ${missingRequired.join(", ")}`);
for (const [attrType, policies] of attributePoliciesByType) {
const requestValue = getRequestAttributeValue(request, attrType);
const hasMandatory = policies.some((p) => p.include === CertIncludeType.MANDATORY);
const hasProhibit = policies.some((p) => p.include === CertIncludeType.PROHIBIT);
if (hasProhibit && requestValue) {
errors.push(`${attrType} is prohibited by template policy`);
// eslint-disable-next-line no-continue
continue;
}
if (request.keyUsages) {
const allAllowedUsages = [...template.keyUsages.requiredUsages.all, ...template.keyUsages.optionalUsages.all];
const invalidUsages = request.keyUsages.filter((usage) => !allAllowedUsages.includes(usage));
if (invalidUsages.length > 0) {
errors.push(`Invalid key usages: ${invalidUsages.join(", ")}`);
if (hasMandatory && !requestValue) {
errors.push(`${attrType} is mandatory but not provided in request`);
// eslint-disable-next-line no-continue
continue;
}
if (requestValue) {
const policiesWithValues = policies.filter(
(p) =>
p.value &&
p.value.length > 0 &&
(p.include === CertIncludeType.MANDATORY || p.include === CertIncludeType.OPTIONAL)
);
if (policiesWithValues.length > 0) {
const allAllowedValues = policiesWithValues.flatMap((p) => p.value || []);
const validation = validateValueAgainstConstraints(requestValue, allAllowedValues, attrType);
if (!validation.isValid && validation.error) {
errors.push(validation.error);
}
}
}
}
const requestAttributeTypes: CertSubjectAttributeType[] = [];
if (request.commonName) requestAttributeTypes.push(CertSubjectAttributeType.COMMON_NAME);
for (const requestAttrType of requestAttributeTypes) {
if (!templateAttributeTypes.has(requestAttrType)) {
errors.push(`${requestAttrType} is not allowed by template policy (not defined in template)`);
}
}
if (template.keyUsages) {
if (template.keyUsages.requiredUsages && template.keyUsages.requiredUsages.all.length > 0) {
const missingRequired = template.keyUsages.requiredUsages.all.filter(
(usage) => !request.keyUsages?.includes(usage)
);
if (missingRequired.length > 0) {
errors.push(`Missing required key usages: ${missingRequired.join(", ")}`);
}
}
if (request.keyUsages && (template.keyUsages.requiredUsages || template.keyUsages.optionalUsages)) {
const allAllowedUsages = [
...(template.keyUsages.requiredUsages?.all || []),
...(template.keyUsages.optionalUsages?.all || [])
];
if (allAllowedUsages.length > 0) {
const invalidUsages = request.keyUsages.filter((usage) => !allAllowedUsages.includes(usage));
if (invalidUsages.length > 0) {
errors.push(`Invalid key usages: ${invalidUsages.join(", ")}`);
}
}
}
} else if (request.keyUsages && request.keyUsages.length > 0) {
errors.push(`Key usages are not allowed by template policy (not defined in template)`);
}
if (template.extendedKeyUsages) {
const missingRequired = template.extendedKeyUsages.requiredUsages.all.filter(
(usage) => !request.extendedKeyUsages?.includes(usage)
);
if (missingRequired.length > 0) {
errors.push(`Missing required extended key usages: ${missingRequired.join(", ")}`);
}
if (request.extendedKeyUsages) {
const allAllowedUsages = [
...template.extendedKeyUsages.requiredUsages.all,
...template.extendedKeyUsages.optionalUsages.all
];
const invalidUsages = request.extendedKeyUsages.filter((usage) => !allAllowedUsages.includes(usage));
if (invalidUsages.length > 0) {
errors.push(`Invalid extended key usages: ${invalidUsages.join(", ")}`);
if (template.extendedKeyUsages.requiredUsages && template.extendedKeyUsages.requiredUsages.all.length > 0) {
const missingRequired = template.extendedKeyUsages.requiredUsages.all.filter(
(usage) => !request.extendedKeyUsages?.includes(usage)
);
if (missingRequired.length > 0) {
errors.push(`Missing required extended key usages: ${missingRequired.join(", ")}`);
}
}
if (
request.extendedKeyUsages &&
(template.extendedKeyUsages.requiredUsages || template.extendedKeyUsages.optionalUsages)
) {
const allAllowedUsages = [
...(template.extendedKeyUsages.requiredUsages?.all || []),
...(template.extendedKeyUsages.optionalUsages?.all || [])
];
if (allAllowedUsages.length > 0) {
const invalidUsages = request.extendedKeyUsages.filter((usage) => !allAllowedUsages.includes(usage));
if (invalidUsages.length > 0) {
errors.push(`Invalid extended key usages: ${invalidUsages.join(", ")}`);
}
}
}
} else if (request.extendedKeyUsages && request.extendedKeyUsages.length > 0) {
errors.push(`Extended key usages are not allowed by template policy (not defined in template)`);
}
const templateSanTypes = new Set(template.subjectAlternativeNames?.map((san) => san.type) || []);
const sanPoliciesByType = new Map<string, typeof template.subjectAlternativeNames>();
template.subjectAlternativeNames?.forEach((sanPolicy) => {
const requestSans = request.subjectAlternativeNames?.filter((san) => san.type === sanPolicy.type) || [];
if (sanPolicy.include === "mandatory") {
if (requestSans.length === 0) {
errors.push(`${sanPolicy.type} SAN is mandatory but not provided in request`);
} else if (sanPolicy.value && sanPolicy.value.length > 0) {
const hasWildcards = sanPolicy.value.some((val) => val.includes("*"));
requestSans.forEach((san) => {
const isValidValue = sanPolicy.value!.some((allowedValue) => {
if (allowedValue.includes("*")) {
// Handle wildcard patterns - escape dots and replace * with .*
const pattern = allowedValue.replace(/\./g, "\\.").replace(/\*/g, ".*");
const regex = new RE2(`^${pattern}$`);
return regex.test(san.value);
}
return allowedValue === san.value;
});
if (!isValidValue) {
if (hasWildcards) {
errors.push(
`${sanPolicy.type} SAN value '${san.value}' does not match allowed patterns: ${sanPolicy.value!.join(", ")}`
);
} else {
errors.push(`${sanPolicy.type} SAN value '${san.value}' is not in allowed values list`);
}
}
});
}
}
if (sanPolicy.include === "prohibit" && requestSans.length > 0) {
errors.push(`${sanPolicy.type} SAN is prohibited by template policy`);
}
if (sanPolicy.include === "optional" && sanPolicy.value && sanPolicy.value.length > 0) {
const hasWildcards = sanPolicy.value.some((val) => val.includes("*"));
requestSans.forEach((san) => {
const isValidValue = sanPolicy.value!.some((allowedValue) => {
if (allowedValue.includes("*")) {
// Handle wildcard patterns - escape dots and replace * with .*
const pattern = allowedValue.replace(/\./g, "\\.").replace(/\*/g, ".*");
const regex = new RE2(`^${pattern}$`);
return regex.test(san.value);
}
return allowedValue === san.value;
});
if (!isValidValue) {
if (hasWildcards) {
errors.push(
`${sanPolicy.type} SAN value '${san.value}' does not match allowed patterns: ${sanPolicy.value!.join(", ")}`
);
} else {
errors.push(`${sanPolicy.type} SAN value '${san.value}' is not in allowed values list`);
}
}
});
}
const existing = sanPoliciesByType.get(sanPolicy.type) || [];
sanPoliciesByType.set(sanPolicy.type, [...existing, sanPolicy]);
});
if (request.signatureAlgorithm && template.signatureAlgorithm) {
if (!template.signatureAlgorithm?.allowedAlgorithms.includes(request.signatureAlgorithm)) {
errors.push(`Signature algorithm '${request.signatureAlgorithm}' is not allowed by template policy`);
for (const [sanType, policies] of sanPoliciesByType) {
const requestSans = request.subjectAlternativeNames?.filter((san) => san.type === sanType) || [];
const hasMandatory = policies.some((p) => p.include === CertIncludeType.MANDATORY);
const hasProhibit = policies.some((p) => p.include === CertIncludeType.PROHIBIT);
if (hasProhibit && requestSans.length > 0) {
errors.push(`${sanType} SAN is prohibited by template policy`);
// eslint-disable-next-line no-continue
continue;
}
if (hasMandatory && requestSans.length === 0) {
errors.push(`${sanType} SAN is mandatory but not provided in request`);
// eslint-disable-next-line no-continue
continue;
}
if (requestSans.length > 0) {
const policiesWithValues = policies.filter(
(p) =>
p.value &&
p.value.length > 0 &&
(p.include === CertIncludeType.MANDATORY || p.include === CertIncludeType.OPTIONAL)
);
if (policiesWithValues.length > 0) {
const allAllowedValues = policiesWithValues.flatMap((p) => p.value || []);
requestSans.forEach((san) => {
const validation = validateValueAgainstConstraints(san.value, allAllowedValues, `${sanType} SAN`);
if (!validation.isValid && validation.error) {
errors.push(validation.error);
}
});
}
}
}
if (request.keyAlgorithm && template.keyAlgorithm) {
if (!template.keyAlgorithm?.allowedKeyTypes.includes(request.keyAlgorithm)) {
errors.push(`Key algorithm '${request.keyAlgorithm}' is not allowed by template policy`);
const requestSanTypes = new Set(request.subjectAlternativeNames?.map((san) => san.type) || []);
for (const requestSanType of requestSanTypes) {
if (!templateSanTypes.has(requestSanType)) {
errors.push(`${requestSanType} SAN is not allowed by template policy (not defined in template)`);
}
}
if (request.signatureAlgorithm) {
if (template.signatureAlgorithm && template.signatureAlgorithm.allowedAlgorithms) {
const mappedTemplateAlgorithms = template.signatureAlgorithm.allowedAlgorithms.map(
mapTemplateSignatureAlgorithmToApi
);
if (!mappedTemplateAlgorithms.includes(request.signatureAlgorithm)) {
errors.push(`Signature algorithm '${request.signatureAlgorithm}' is not allowed by template policy`);
}
} else if (!template.signatureAlgorithm) {
errors.push(
`Signature algorithm '${request.signatureAlgorithm}' is not allowed by template policy (not defined in template)`
);
}
}
if (request.keyAlgorithm) {
if (template.keyAlgorithm && template.keyAlgorithm.allowedKeyTypes) {
const mappedTemplateKeyTypes = template.keyAlgorithm.allowedKeyTypes.map(mapTemplateKeyAlgorithmToApi);
if (!mappedTemplateKeyTypes.includes(request.keyAlgorithm)) {
errors.push(`Key algorithm '${request.keyAlgorithm}' is not allowed by template policy`);
}
} else if (!template.keyAlgorithm) {
errors.push(
`Key algorithm '${request.keyAlgorithm}' is not allowed by template policy (not defined in template)`
);
}
}
@@ -335,6 +427,44 @@ export const certificateTemplateV2ServiceFactory = ({
}
}
if (request.validity?.ttl && (request.notBefore || request.notAfter)) {
errors.push(
"Cannot specify both TTL and notBefore/notAfter. Use either TTL for duration-based validity or notBefore/notAfter for explicit date range."
);
}
if (request.notBefore && request.notAfter && request.notBefore >= request.notAfter) {
errors.push("notBefore must be earlier than notAfter");
}
if ((request.notBefore || request.notAfter) && template.validity) {
const notBefore = request.notBefore || new Date();
const { notAfter } = request;
if (notAfter && notBefore && notAfter instanceof Date && notBefore instanceof Date) {
const requestDuration = notAfter.getTime() - notBefore.getTime();
const maxDuration = convertToMilliseconds(
template.validity.maxDuration.value,
template.validity.maxDuration.unit
);
if (requestDuration > maxDuration) {
errors.push(`Requested validity period (notBefore to notAfter) exceeds maximum allowed duration`);
}
if (template.validity.minDuration) {
const minDuration = convertToMilliseconds(
template.validity.minDuration.value,
template.validity.minDuration.unit
);
if (requestDuration < minDuration) {
errors.push(`Requested validity period (notBefore to notAfter) is below minimum required duration`);
}
}
}
}
return {
isValid: errors.length === 0,
errors,
@@ -375,15 +505,9 @@ export const certificateTemplateV2ServiceFactory = ({
throw new Error("Template data is required");
}
validateTemplatePolicy({
attributes: data.attributes,
keyUsages: data.keyUsages,
extendedKeyUsages: data.extendedKeyUsages,
subjectAlternativeNames: data.subjectAlternativeNames,
validity: data.validity,
signatureAlgorithm: data.signatureAlgorithm,
keyAlgorithm: data.keyAlgorithm
});
if (data.attributes) {
validateSubjectAttributePolicy(data.attributes);
}
const slug = data.slug || generateTemplateSlug();
const uniqueSlug = await ensureUniqueSlug(projectId, slug);
@@ -431,18 +555,8 @@ export const certificateTemplateV2ServiceFactory = ({
ProjectPermissionSub.CertificateTemplates
);
if (hasAnyPolicyField(data)) {
const mergedPolicy = {
attributes: data.attributes || existingTemplate.attributes,
keyUsages: data.keyUsages || existingTemplate.keyUsages,
extendedKeyUsages: data.extendedKeyUsages || existingTemplate.extendedKeyUsages,
subjectAlternativeNames: data.subjectAlternativeNames || existingTemplate.subjectAlternativeNames,
validity: data.validity || existingTemplate.validity,
signatureAlgorithm: data.signatureAlgorithm || existingTemplate.signatureAlgorithm,
keyAlgorithm: data.keyAlgorithm || existingTemplate.keyAlgorithm
};
validateTemplatePolicy(mergedPolicy);
if (data.attributes) {
validateSubjectAttributePolicy(data.attributes);
}
const updateData = { ...data };
@@ -614,8 +728,14 @@ export const certificateTemplateV2ServiceFactory = ({
const isInUse = await certificateTemplateV2DAL.isTemplateInUse(templateId);
if (isInUse) {
const profilesUsingTemplate = await certificateTemplateV2DAL.getProfilesUsingTemplate(templateId);
const profileNames = profilesUsingTemplate.map((profile) => profile.slug || profile.id).join(", ");
throw new ForbiddenRequestError({
message: "Cannot delete template that is in use by certificate profiles"
message:
profilesUsingTemplate.length > 0
? `Cannot delete template '${template.slug}' as it is currently in use by the following certificate profiles: ${profileNames}. Please remove this template from these profiles before deleting it.`
: `Cannot delete template '${template.slug}' as it is currently in use by one or more certificates. Please ensure no certificates are using this template before deleting it.`
});
}

44
backend/src/services/certificate-template-v2/certificate-template-v2-types.ts
View File

@@ -1,27 +1,35 @@
import { TCertificateTemplatesV2, TCertificateTemplatesV2Insert } from "@app/db/schemas/certificate-templates-v2";
import {
CertDurationUnit,
CertExtendedKeyUsageType,
CertIncludeType,
CertKeyUsageType,
CertSubjectAlternativeNameType,
CertSubjectAttributeType
} from "@app/services/certificate-common/certificate-constants";
export interface TTemplateV2Policy {
attributes: Array<{
type: "common_name";
include: "mandatory" | "optional" | "prohibit";
type: CertSubjectAttributeType;
include: CertIncludeType;
value?: string[];
}>;
keyUsages: {
requiredUsages: { all: string[] };
optionalUsages: { all: string[] };
requiredUsages?: { all: CertKeyUsageType[] };
optionalUsages?: { all: CertKeyUsageType[] };
};
extendedKeyUsages: {
requiredUsages: { all: string[] };
optionalUsages: { all: string[] };
requiredUsages?: { all: CertExtendedKeyUsageType[] };
optionalUsages?: { all: CertExtendedKeyUsageType[] };
};
subjectAlternativeNames: Array<{
type: "dns_name" | "ip_address" | "email" | "uri";
include: "mandatory" | "optional" | "prohibit";
type: CertSubjectAlternativeNameType;
include: CertIncludeType;
value?: string[];
}>;
validity: {
maxDuration: { value: number; unit: "days" | "months" | "years" };
minDuration?: { value: number; unit: "days" | "months" | "years" };
maxDuration: { value: number; unit: CertDurationUnit };
minDuration?: { value: number; unit: CertDurationUnit };
};
signatureAlgorithm: {
allowedAlgorithms: string[];
@@ -88,15 +96,25 @@ export type TCertificateTemplateV2Update = Partial<
export interface TCertificateRequest {
commonName?: string;
keyUsages?: string[];
extendedKeyUsages?: string[];
organizationName?: string;
organizationUnit?: string;
locality?: string;
state?: string;
country?: string;
email?: string;
streetAddress?: string;
postalCode?: string;
keyUsages?: CertKeyUsageType[];
extendedKeyUsages?: CertExtendedKeyUsageType[];
subjectAlternativeNames?: Array<{
type: "dns_name" | "ip_address" | "email" | "uri";
type: CertSubjectAlternativeNameType;
value: string;
}>;
validity?: {
ttl: string;
};
notBefore?: Date;
notAfter?: Date;
signatureAlgorithm?: string;
keyAlgorithm?: string;
}

60
backend/src/services/certificate-template/certificate-template-validators.ts
View File

@@ -3,26 +3,40 @@ import z from "zod";
import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";
export const validateTemplateRegexField = z
.string()
.min(1)
.max(100)
.refine(
(val) =>
characterValidator([
CharacterType.AlphaNumeric,
CharacterType.Spaces, // (space)
CharacterType.Asterisk, // *
CharacterType.At, // @
CharacterType.Hyphen, // -
CharacterType.Period, // .
CharacterType.Backslash // \
])(val),
{
message: "Invalid pattern: only alphanumeric characters, spaces, *, ., @, -, and \\ are allowed."
}
)
// we ensure that the inputted pattern is computationally safe by limiting star height to 1
.refine((v) => safe(v), {
message: "Unsafe REGEX pattern"
});
export const createTemplateFieldValidator = (options?: {
minLength?: number;
maxLength?: number;
allowedCharacters?: CharacterType[];
customMessage?: string;
}) => {
const {
minLength = 1,
maxLength = 100,
allowedCharacters = [
CharacterType.AlphaNumeric,
CharacterType.Spaces, // (space)
CharacterType.Asterisk, // *
CharacterType.At, // @
CharacterType.Hyphen, // -
CharacterType.Period, // .
CharacterType.Backslash // \
],
customMessage = "Invalid pattern: only alphanumeric characters, spaces, *, ., @, -, and \\ are allowed."
} = options || {};
return (
z
.string()
.min(minLength)
.max(maxLength)
.refine((val) => characterValidator(allowedCharacters)(val), {
message: customMessage
})
// we ensure that the inputted pattern is computationally safe by limiting star height to 1
.refine((v) => safe(v), {
message: "Unsafe REGEX pattern"
})
);
};
export const validateTemplateRegexField = createTemplateFieldValidator();

313
backend/src/services/certificate-v3/certificate-v3-service.test.ts
View File

@@ -7,7 +7,13 @@ import { ForbiddenError } from "@casl/ability";
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import { ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
import { CertExtendedKeyUsage, CertKeyUsage } from "@app/services/certificate/certificate-types";
import { ACMESANType, CertificateOrderStatus } from "@app/services/certificate/certificate-types";
import {
CertExtendedKeyUsageType,
CertIncludeType,
CertKeyUsageType,
CertSubjectAttributeType
} from "@app/services/certificate-common/certificate-constants";
import { EnrollmentType } from "@app/services/certificate-profile/certificate-profile-types";
import { ActorType, AuthMethod } from "../auth/auth-type";
@@ -76,8 +82,8 @@ describe("CertificateV3Service", () => {
describe("issueCertificateFromProfile", () => {
const mockCertificateRequest = {
commonName: "test.example.com",
keyUsages: [CertKeyUsage.DIGITAL_SIGNATURE],
extendedKeyUsages: [CertExtendedKeyUsage.SERVER_AUTH],
keyUsages: [CertKeyUsageType.DIGITAL_SIGNATURE],
extendedKeyUsages: [CertExtendedKeyUsageType.SERVER_AUTH],
validity: { ttl: "30d" },
signatureAlgorithm: "RSA-SHA256",
keyAlgorithm: "RSA_2048"
@@ -102,12 +108,19 @@ describe("CertificateV3Service", () => {
id: "template-123",
signatureAlgorithm: { defaultAlgorithm: "RSA-SHA256" },
keyAlgorithm: { defaultKeyType: "RSA_2048" },
attributes: []
attributes: [
{
type: CertSubjectAttributeType.COMMON_NAME,
include: CertIncludeType.OPTIONAL,
value: ["example.com"]
}
]
};
const mockCertificateResult = {
certificate: Buffer.from("cert"),
certificateChain: Buffer.from("chain"),
issuingCaCertificate: Buffer.from("issuing-ca"),
privateKey: Buffer.from("key"),
serialNumber: "123456"
};
@@ -136,6 +149,8 @@ describe("CertificateV3Service", () => {
});
expect(result).toHaveProperty("certificate");
expect(result).toHaveProperty("issuingCaCertificate");
expect(result).toHaveProperty("certificateChain");
expect(result).toHaveProperty("privateKey");
expect(result).toHaveProperty("serialNumber", "123456");
expect(result).toHaveProperty("certificateId", "cert-123");
@@ -160,12 +175,19 @@ describe("CertificateV3Service", () => {
id: "template-123",
signatureAlgorithm: { defaultAlgorithm: "RSA-SHA256" },
keyAlgorithm: { defaultKeyType: "RSA_2048" },
attributes: []
attributes: [
{
type: CertSubjectAttributeType.COMMON_NAME,
include: CertIncludeType.OPTIONAL,
value: ["example.com"]
}
]
};
const mockCertificateResult = {
certificate: Buffer.from("cert"),
certificateChain: Buffer.from("chain"),
issuingCaCertificate: Buffer.from("issuing-ca"),
privateKey: Buffer.from("key"),
serialNumber: "123456"
};
@@ -178,17 +200,17 @@ describe("CertificateV3Service", () => {
const camelCaseRequest = {
commonName: "test.example.com",
keyUsages: [
CertKeyUsage.DIGITAL_SIGNATURE,
CertKeyUsage.NON_REPUDIATION,
CertKeyUsage.KEY_AGREEMENT,
CertKeyUsage.CRL_SIGN,
CertKeyUsage.DECIPHER_ONLY
CertKeyUsageType.DIGITAL_SIGNATURE,
CertKeyUsageType.NON_REPUDIATION,
CertKeyUsageType.KEY_AGREEMENT,
CertKeyUsageType.CRL_SIGN,
CertKeyUsageType.DECIPHER_ONLY
],
extendedKeyUsages: [
CertExtendedKeyUsage.CLIENT_AUTH,
CertExtendedKeyUsage.CODE_SIGNING,
CertExtendedKeyUsage.OCSP_SIGNING,
CertExtendedKeyUsage.SERVER_AUTH
CertExtendedKeyUsageType.CLIENT_AUTH,
CertExtendedKeyUsageType.CODE_SIGNING,
CertExtendedKeyUsageType.OCSP_SIGNING,
CertExtendedKeyUsageType.SERVER_AUTH
],
validity: { ttl: "10d" }
};
@@ -215,8 +237,19 @@ describe("CertificateV3Service", () => {
expect(mockCertificateTemplateV2Service.validateCertificateRequest).toHaveBeenCalledWith(
"template-123",
expect.objectContaining({
keyUsages: ["digital_signature", "non_repudiation", "key_agreement", "crl_sign", "decipher_only"],
extendedKeyUsages: ["client_auth", "code_signing", "ocsp_signing", "server_auth"]
keyUsages: [
CertKeyUsageType.DIGITAL_SIGNATURE,
CertKeyUsageType.NON_REPUDIATION,
CertKeyUsageType.KEY_AGREEMENT,
CertKeyUsageType.CRL_SIGN,
CertKeyUsageType.DECIPHER_ONLY
],
extendedKeyUsages: [
CertExtendedKeyUsageType.CLIENT_AUTH,
CertExtendedKeyUsageType.CODE_SIGNING,
CertExtendedKeyUsageType.OCSP_SIGNING,
CertExtendedKeyUsageType.SERVER_AUTH
]
})
);
});
@@ -286,6 +319,7 @@ describe("CertificateV3Service", () => {
const mockSignResult = {
certificate: Buffer.from("signed-cert"),
certificateChain: Buffer.from("chain"),
issuingCaCertificate: Buffer.from("issuing-ca"),
serialNumber: "789012"
};
@@ -308,6 +342,8 @@ describe("CertificateV3Service", () => {
});
expect(result).toHaveProperty("certificate");
expect(result).toHaveProperty("issuingCaCertificate");
expect(result).toHaveProperty("certificateChain");
expect(result).toHaveProperty("serialNumber", "789012");
expect(result).toHaveProperty("certificateId", "cert-456");
expect(result).not.toHaveProperty("privateKey");
@@ -347,11 +383,11 @@ describe("CertificateV3Service", () => {
describe("orderCertificateFromProfile", () => {
const mockCertificateOrder = {
subjectAlternativeNames: [{ type: "dns" as const, value: "example.com" }],
altNames: [{ type: ACMESANType.DNS, value: "example.com" }],
validity: { ttl: "30d" },
commonName: "example.com",
keyUsages: [CertKeyUsage.DIGITAL_SIGNATURE],
extendedKeyUsages: [CertExtendedKeyUsage.SERVER_AUTH],
keyUsages: [CertKeyUsageType.DIGITAL_SIGNATURE],
extendedKeyUsages: [CertExtendedKeyUsageType.SERVER_AUTH],
signatureAlgorithm: "RSA-SHA256",
keyAlgorithm: "RSA_2048"
};
@@ -375,12 +411,19 @@ describe("CertificateV3Service", () => {
id: "template-123",
signatureAlgorithm: { defaultAlgorithm: "RSA-SHA256" },
keyAlgorithm: { defaultKeyType: "RSA_2048" },
attributes: []
attributes: [
{
type: CertSubjectAttributeType.COMMON_NAME,
include: CertIncludeType.OPTIONAL,
value: ["example.com"]
}
]
};
const mockCertificateResult = {
certificate: Buffer.from("cert"),
certificateChain: Buffer.from("chain"),
issuingCaCertificate: Buffer.from("issuing-ca"),
privateKey: Buffer.from("key"),
serialNumber: "123456"
};
@@ -413,9 +456,9 @@ describe("CertificateV3Service", () => {
expect(result).toHaveProperty("certificate");
expect(result.subjectAlternativeNames).toHaveLength(1);
expect(result.subjectAlternativeNames[0]).toEqual({
type: "dns",
type: ACMESANType.DNS,
value: "example.com",
status: "valid"
status: CertificateOrderStatus.VALID
});
});
@@ -448,4 +491,230 @@ describe("CertificateV3Service", () => {
).rejects.toThrow("Profile is not configured for api enrollment");
});
});
describe("algorithm compatibility (integration tests)", () => {
const mockProfile = {
id: "profile-1",
slug: "test-profile",
projectId: "project-1",
caId: "ca-1",
certificateTemplateId: "template-1",
enrollmentType: EnrollmentType.API
};
const mockCertificateRequest = {
commonName: "test.example.com",
validity: { ttl: "30d" },
keyUsages: [CertKeyUsageType.DIGITAL_SIGNATURE],
extendedKeyUsages: [CertExtendedKeyUsageType.SERVER_AUTH]
};
beforeEach(() => {
vi.clearAllMocks();
});
it("should successfully process RSA algorithms with RSA CAs", async () => {
const rsaCa = {
id: "ca-1",
projectId: "project-1",
status: "active",
internalCa: {
keyAlgorithm: "RSA_2048"
}
};
const rsaTemplate = {
id: "template-1",
signatureAlgorithm: {
allowedAlgorithms: ["SHA256-RSA", "SHA384-RSA"]
},
attributes: [
{
type: CertSubjectAttributeType.COMMON_NAME,
include: CertIncludeType.OPTIONAL,
value: ["example.com"]
}
]
};
mockCertificateProfileDAL.findByIdWithConfigs.mockResolvedValue(mockProfile);
mockCertificateAuthorityDAL.findByIdWithAssociatedCa.mockResolvedValue(rsaCa);
mockCertificateTemplateV2Service.validateCertificateRequest.mockResolvedValue({ isValid: true, errors: [] });
mockCertificateTemplateV2Service.getTemplateV2ById.mockResolvedValue(rsaTemplate);
mockInternalCaService.issueCertFromCa.mockResolvedValue({
certificate: Buffer.from("cert"),
certificateChain: Buffer.from("chain"),
issuingCaCertificate: Buffer.from("ca-cert"),
privateKey: Buffer.from("key"),
serialNumber: "123456"
});
mockCertificateDAL.findOne.mockResolvedValue({ id: "cert-1" });
mockCertificateDAL.updateById.mockResolvedValue(undefined);
// Should not throw - RSA CA is compatible with RSA signature algorithms
await expect(
service.issueCertificateFromProfile({
profileId: mockProfile.id,
certificateRequest: {
...mockCertificateRequest,
signatureAlgorithm: "RSA-SHA256"
},
...mockActor
})
).resolves.toBeDefined();
});
it("should successfully process ECDSA algorithms with EC CAs", async () => {
const ecCa = {
id: "ca-1",
projectId: "project-1",
status: "active",
internalCa: {
keyAlgorithm: "EC_prime256v1"
}
};
const ecdsaTemplate = {
id: "template-1",
signatureAlgorithm: {
allowedAlgorithms: ["SHA256-ECDSA", "SHA384-ECDSA"]
},
attributes: [
{
type: CertSubjectAttributeType.COMMON_NAME,
include: CertIncludeType.OPTIONAL,
value: ["example.com"]
}
]
};
mockCertificateProfileDAL.findByIdWithConfigs.mockResolvedValue(mockProfile);
mockCertificateAuthorityDAL.findByIdWithAssociatedCa.mockResolvedValue(ecCa);
mockCertificateTemplateV2Service.validateCertificateRequest.mockResolvedValue({ isValid: true, errors: [] });
mockCertificateTemplateV2Service.getTemplateV2ById.mockResolvedValue(ecdsaTemplate);
mockInternalCaService.issueCertFromCa.mockResolvedValue({
certificate: Buffer.from("cert"),
certificateChain: Buffer.from("chain"),
issuingCaCertificate: Buffer.from("ca-cert"),
privateKey: Buffer.from("key"),
serialNumber: "123456"
});
mockCertificateDAL.findOne.mockResolvedValue({ id: "cert-1" });
mockCertificateDAL.updateById.mockResolvedValue(undefined);
// Should not throw - EC CA is compatible with ECDSA signature algorithms
await expect(
service.issueCertificateFromProfile({
profileId: mockProfile.id,
certificateRequest: {
...mockCertificateRequest,
signatureAlgorithm: "ECDSA-SHA256"
},
...mockActor
})
).resolves.toBeDefined();
});
it("should dynamically support new RSA key sizes", async () => {
const rsa8192Ca = {
id: "ca-1",
projectId: "project-1",
status: "active",
internalCa: {
keyAlgorithm: "RSA_8192" // Future RSA key size
}
};
const rsaTemplate = {
id: "template-1",
signatureAlgorithm: {
allowedAlgorithms: ["SHA256-RSA"]
},
attributes: [
{
type: CertSubjectAttributeType.COMMON_NAME,
include: CertIncludeType.OPTIONAL,
value: ["example.com"]
}
]
};
mockCertificateProfileDAL.findByIdWithConfigs.mockResolvedValue(mockProfile);
mockCertificateAuthorityDAL.findByIdWithAssociatedCa.mockResolvedValue(rsa8192Ca);
mockCertificateTemplateV2Service.validateCertificateRequest.mockResolvedValue({ isValid: true, errors: [] });
mockCertificateTemplateV2Service.getTemplateV2ById.mockResolvedValue(rsaTemplate);
mockInternalCaService.issueCertFromCa.mockResolvedValue({
certificate: Buffer.from("cert"),
certificateChain: Buffer.from("chain"),
issuingCaCertificate: Buffer.from("ca-cert"),
privateKey: Buffer.from("key"),
serialNumber: "123456"
});
mockCertificateDAL.findOne.mockResolvedValue({ id: "cert-1" });
mockCertificateDAL.updateById.mockResolvedValue(undefined);
// Should not throw - dynamic check supports new RSA key sizes
await expect(
service.issueCertificateFromProfile({
profileId: mockProfile.id,
certificateRequest: {
...mockCertificateRequest,
signatureAlgorithm: "RSA-SHA256"
},
...mockActor
})
).resolves.toBeDefined();
});
it("should dynamically support new EC curve types", async () => {
const newEcCa = {
id: "ca-1",
projectId: "project-1",
status: "active",
internalCa: {
keyAlgorithm: "EC_secp521r1" // Future EC curve
}
};
const ecdsaTemplate = {
id: "template-1",
signatureAlgorithm: {
allowedAlgorithms: ["SHA384-ECDSA"]
},
attributes: [
{
type: CertSubjectAttributeType.COMMON_NAME,
include: CertIncludeType.OPTIONAL,
value: ["example.com"]
}
]
};
mockCertificateProfileDAL.findByIdWithConfigs.mockResolvedValue(mockProfile);
mockCertificateAuthorityDAL.findByIdWithAssociatedCa.mockResolvedValue(newEcCa);
mockCertificateTemplateV2Service.validateCertificateRequest.mockResolvedValue({ isValid: true, errors: [] });
mockCertificateTemplateV2Service.getTemplateV2ById.mockResolvedValue(ecdsaTemplate);
mockInternalCaService.issueCertFromCa.mockResolvedValue({
certificate: Buffer.from("cert"),
certificateChain: Buffer.from("chain"),
issuingCaCertificate: Buffer.from("ca-cert"),
privateKey: Buffer.from("key"),
serialNumber: "123456"
});
mockCertificateDAL.findOne.mockResolvedValue({ id: "cert-1" });
mockCertificateDAL.updateById.mockResolvedValue(undefined);
// Should not throw - dynamic check supports new EC curves
await expect(
service.issueCertificateFromProfile({
profileId: mockProfile.id,
certificateRequest: {
...mockCertificateRequest,
signatureAlgorithm: "ECDSA-SHA384"
},
...mockActor
})
).resolves.toBeDefined();
});
});
});

214
backend/src/services/certificate-v3/certificate-v3-service.ts
View File

@@ -10,6 +10,7 @@ import {
import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
import { ActorAuthMethod, ActorType } from "@app/services/auth/auth-type";
import { TCertificateDALFactory } from "@app/services/certificate/certificate-dal";
import { CertificateOrderStatus } from "@app/services/certificate/certificate-types";
import {
TCertificateAuthorityDALFactory,
TCertificateAuthorityWithAssociatedCa
@@ -20,10 +21,13 @@ import { TCertificateProfileDALFactory } from "@app/services/certificate-profile
import { EnrollmentType } from "@app/services/certificate-profile/certificate-profile-types";
import { TCertificateTemplateV2ServiceFactory } from "@app/services/certificate-template-v2/certificate-template-v2-service";
import { CertSubjectAlternativeNameType } from "../certificate-common/certificate-constants";
import {
bufferToString,
buildCertificateSubjectFromTemplate,
buildSubjectAlternativeNamesFromTemplate,
convertExtendedKeyUsageArrayToLegacy,
convertKeyUsageArrayToLegacy,
mapEnumsForValidation,
normalizeDateForApi
} from "../certificate-common/certificate-utils";
@@ -95,6 +99,45 @@ const validateCaSupport = (ca: TCertificateAuthorityWithAssociatedCa, operation:
return caType;
};
const validateAlgorithmCompatibility = (
ca: TCertificateAuthorityWithAssociatedCa,
template: {
signatureAlgorithm?: {
allowedAlgorithms?: string[];
};
}
) => {
if (!template.signatureAlgorithm || !template.signatureAlgorithm.allowedAlgorithms) {
return;
}
const caKeyAlgorithm = ca.internalCa?.keyAlgorithm;
if (!caKeyAlgorithm) {
throw new BadRequestError({ message: "CA key algorithm not found" });
}
const compatibleAlgorithms = template.signatureAlgorithm.allowedAlgorithms.filter((sigAlg: string) => {
const parts = sigAlg.split("-");
const keyType = parts[parts.length - 1];
if (caKeyAlgorithm.startsWith("RSA")) {
return keyType === "RSA";
}
if (caKeyAlgorithm.startsWith("EC")) {
return keyType === "ECDSA";
}
return false;
});
if (compatibleAlgorithms.length === 0) {
throw new BadRequestError({
message: `Template signature algorithms (${template.signatureAlgorithm.allowedAlgorithms.join(", ")}) are not compatible with CA key algorithm (${caKeyAlgorithm})`
});
}
};
const extractCertificateFromBuffer = (certData: Buffer | { rawData: Buffer } | string): string => {
if (typeof certData === "string") return certData;
if (Buffer.isBuffer(certData)) return bufferToString(certData);
@@ -131,6 +174,12 @@ export const certificateV3ServiceFactory = ({
EnrollmentType.API
);
if (certificateRequest.commonName && Array.isArray(certificateRequest.commonName)) {
throw new BadRequestError({
message: "Common Name must be a single value, not an array"
});
}
const mappedCertificateRequest = mapEnumsForValidation(certificateRequest);
const validationResult = await certificateTemplateV2Service.validateCertificateRequest(
profile.certificateTemplateId,
@@ -166,33 +215,48 @@ export const certificateV3ServiceFactory = ({
throw new NotFoundError({ message: "Certificate template not found for this profile" });
}
validateAlgorithmCompatibility(ca, template);
const effectiveSignatureAlgorithm =
certificateRequest.signatureAlgorithm || template.signatureAlgorithm?.defaultAlgorithm;
const effectiveKeyAlgorithm = certificateRequest.keyAlgorithm || template.keyAlgorithm?.defaultKeyType;
if (template.keyAlgorithm?.allowedKeyTypes && !effectiveKeyAlgorithm) {
throw new BadRequestError({
message: "Key algorithm is required by template policy but not provided in request or template default"
});
}
if (template.signatureAlgorithm?.allowedAlgorithms && !effectiveSignatureAlgorithm) {
throw new BadRequestError({
message: "Signature algorithm is required by template policy but not provided in request or template default"
});
}
const certificateSubject = buildCertificateSubjectFromTemplate(certificateRequest, template.attributes);
const subjectAlternativeNames = buildSubjectAlternativeNamesFromTemplate(
certificateRequest,
{ subjectAlternativeNames: certificateRequest.altNames },
template.subjectAlternativeNames
);
const { certificate, certificateChain, privateKey, serialNumber } = await internalCaService.issueCertFromCa({
caId: ca.id,
friendlyName: certificateSubject.common_name || "Certificate",
commonName: certificateSubject.common_name || "",
altNames: subjectAlternativeNames,
ttl: certificateRequest.validity.ttl,
keyUsages: certificateRequest.keyUsages,
extendedKeyUsages: certificateRequest.extendedKeyUsages,
notBefore: normalizeDateForApi(certificateRequest.notBefore),
notAfter: normalizeDateForApi(certificateRequest.notAfter),
signatureAlgorithm: effectiveSignatureAlgorithm,
keyAlgorithm: effectiveKeyAlgorithm,
actor,
actorId,
actorAuthMethod,
actorOrgId
});
const { certificate, certificateChain, issuingCaCertificate, privateKey, serialNumber } =
await internalCaService.issueCertFromCa({
caId: ca.id,
friendlyName: certificateSubject.common_name || "Certificate",
commonName: certificateSubject.common_name || "",
altNames: subjectAlternativeNames,
ttl: certificateRequest.validity.ttl,
keyUsages: convertKeyUsageArrayToLegacy(certificateRequest.keyUsages) || [],
extendedKeyUsages: convertExtendedKeyUsageArrayToLegacy(certificateRequest.extendedKeyUsages) || [],
notBefore: normalizeDateForApi(certificateRequest.notBefore),
notAfter: normalizeDateForApi(certificateRequest.notAfter),
signatureAlgorithm: effectiveSignatureAlgorithm,
keyAlgorithm: effectiveKeyAlgorithm,
actor,
actorId,
actorAuthMethod,
actorOrgId
});
const cert = await certificateDAL.findOne({ serialNumber, caId: ca.id });
if (!cert) {
@@ -201,14 +265,15 @@ export const certificateV3ServiceFactory = ({
await certificateDAL.updateById(cert.id, { profileId });
const certificateChainString = bufferToString(certificateChain);
return {
certificate: bufferToString(certificate),
issuingCaCertificate: certificateChainString.split("\n").pop() || bufferToString(certificate),
certificateChain: certificateChainString,
issuingCaCertificate: bufferToString(issuingCaCertificate),
certificateChain: bufferToString(certificateChain),
privateKey: bufferToString(privateKey),
serialNumber,
certificateId: cert.id
certificateId: cert.id,
projectId: profile.projectId,
profileName: profile.slug
};
};
@@ -218,6 +283,8 @@ export const certificateV3ServiceFactory = ({
validity,
notBefore,
notAfter,
signatureAlgorithm,
keyAlgorithm,
actor,
actorId,
actorAuthMethod,
@@ -241,16 +308,52 @@ export const certificateV3ServiceFactory = ({
validateCaSupport(ca, "CSR signing");
const { certificate, certificateChain, serialNumber } = await internalCaService.signCertFromCa({
isInternal: true,
caId: ca.id,
csr,
ttl: validity.ttl,
altNames: "",
notBefore: normalizeDateForApi(notBefore),
notAfter: normalizeDateForApi(notAfter)
if (!actorAuthMethod) {
throw new BadRequestError({ message: "Authentication method is required for certificate signing" });
}
const template = await certificateTemplateV2Service.getTemplateV2ById({
actor,
actorId,
actorAuthMethod,
actorOrgId,
templateId: profile.certificateTemplateId
});
if (!template) {
throw new NotFoundError({ message: "Certificate template not found for this profile" });
}
validateAlgorithmCompatibility(ca, template);
const effectiveSignatureAlgorithm = signatureAlgorithm || template.signatureAlgorithm?.defaultAlgorithm;
const effectiveKeyAlgorithm = keyAlgorithm || template.keyAlgorithm?.defaultKeyType;
if (template.keyAlgorithm?.allowedKeyTypes && !effectiveKeyAlgorithm) {
throw new BadRequestError({
message: "Key algorithm is required by template policy but not provided in request or template default"
});
}
if (template.signatureAlgorithm?.allowedAlgorithms && !effectiveSignatureAlgorithm) {
throw new BadRequestError({
message: "Signature algorithm is required by template policy but not provided in request or template default"
});
}
const { certificate, certificateChain, issuingCaCertificate, serialNumber } =
await internalCaService.signCertFromCa({
isInternal: true,
caId: ca.id,
csr,
ttl: validity.ttl,
altNames: "",
notBefore: normalizeDateForApi(notBefore),
notAfter: normalizeDateForApi(notAfter),
signatureAlgorithm: effectiveSignatureAlgorithm,
keyAlgorithm: effectiveKeyAlgorithm
});
const cert = await certificateDAL.findOne({ serialNumber, caId: ca.id });
if (!cert) {
throw new NotFoundError({ message: "Certificate was signed but could not be found in database" });
@@ -263,10 +366,12 @@ export const certificateV3ServiceFactory = ({
return {
certificate: certificateString,
issuingCaCertificate: certificateChainString.split("\n").pop() || certificateString,
issuingCaCertificate: extractCertificateFromBuffer(issuingCaCertificate as unknown as Buffer),
certificateChain: certificateChainString,
serialNumber,
certificateId: cert.id
certificateId: cert.id,
projectId: profile.projectId,
profileName: profile.slug
};
};
@@ -293,8 +398,8 @@ export const certificateV3ServiceFactory = ({
commonName: certificateOrder.commonName,
keyUsages: certificateOrder.keyUsages,
extendedKeyUsages: certificateOrder.extendedKeyUsages,
subjectAlternativeNames: certificateOrder.subjectAlternativeNames.map((san) => ({
type: san.type === "dns" ? ("dns_name" as const) : ("ip_address" as const),
subjectAlternativeNames: certificateOrder.altNames.map((san) => ({
type: san.type === "dns" ? CertSubjectAlternativeNameType.DNS_NAME : CertSubjectAlternativeNameType.IP_ADDRESS,
value: san.value
})),
validity: certificateOrder.validity,
@@ -334,43 +439,26 @@ export const certificateV3ServiceFactory = ({
});
const orderId = randomUUID();
const subjectAlternativeNames = certificateOrder.subjectAlternativeNames.map((san) => ({
type: san.type,
value: san.value,
status: "valid" as const
}));
const authorizations = certificateOrder.subjectAlternativeNames.map((san) => ({
identifier: {
type: san.type,
value: san.value
},
status: "valid" as const,
expires: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString(),
challenges: [
{
type: "internal-validation",
status: "valid" as const,
url: `/api/v3/certificates/orders/${orderId}/internal`,
token: "internal-ca-validation"
}
]
}));
return {
orderId,
status: "valid",
subjectAlternativeNames,
authorizations,
finalize: `/api/v3/certificates/orders/${orderId}/finalize`,
certificate: certificateResult.certificate
status: CertificateOrderStatus.VALID,
subjectAlternativeNames: certificateOrder.altNames.map((san) => ({
type: san.type,
value: san.value,
status: CertificateOrderStatus.VALID
})),
authorizations: [],
finalize: `/api/v3/certificates/orders/${orderId}/completed`,
certificate: certificateResult.certificate,
projectId: certificateResult.projectId,
profileName: certificateResult.profileName
};
}
if (caType === CaType.ACME) {
throw new BadRequestError({
message:
"ACME certificate ordering via profiles is not yet implemented. Use direct certificate issuance for ACME CAs."
message: "ACME certificate ordering via profiles is not yet implemented."
});
}

41
backend/src/services/certificate-v3/certificate-v3-types.ts
View File

@@ -1,15 +1,20 @@
import { TProjectPermission } from "@app/lib/types";
import { CertExtendedKeyUsage, CertKeyUsage } from "../certificate/certificate-types";
import { ACMESANType, CertificateOrderStatus } from "../certificate/certificate-types";
import {
CertExtendedKeyUsageType,
CertKeyUsageType,
CertSubjectAlternativeNameType
} from "../certificate-common/certificate-constants";
export type TIssueCertificateFromProfileDTO = {
profileId: string;
certificateRequest: {
commonName?: string;
keyUsages?: CertKeyUsage[];
extendedKeyUsages?: CertExtendedKeyUsage[];
subjectAlternativeNames?: Array<{
type: "dns_name" | "ip_address" | "email" | "uri";
keyUsages?: CertKeyUsageType[];
extendedKeyUsages?: CertExtendedKeyUsageType[];
altNames?: Array<{
type: CertSubjectAlternativeNameType;
value: string;
}>;
validity: {
@@ -30,21 +35,23 @@ export type TSignCertificateFromProfileDTO = {
};
notBefore?: Date;
notAfter?: Date;
signatureAlgorithm?: string;
keyAlgorithm?: string;
} & Omit<TProjectPermission, "projectId">;
export type TOrderCertificateFromProfileDTO = {
profileId: string;
certificateOrder: {
subjectAlternativeNames: Array<{
type: "dns" | "ip";
altNames: Array<{
type: ACMESANType;
value: string;
}>;
validity: {
ttl: string;
};
commonName?: string;
keyUsages?: CertKeyUsage[];
extendedKeyUsages?: CertExtendedKeyUsage[];
keyUsages?: CertKeyUsageType[];
extendedKeyUsages?: CertExtendedKeyUsageType[];
notBefore?: Date;
notAfter?: Date;
signatureAlgorithm?: string;
@@ -59,30 +66,34 @@ export type TCertificateFromProfileResponse = {
privateKey?: string;
serialNumber: string;
certificateId: string;
projectId: string;
profileName: string;
};
export type TCertificateOrderResponse = {
orderId: string;
status: "pending" | "processing" | "valid" | "invalid";
status: CertificateOrderStatus;
subjectAlternativeNames: Array<{
type: "dns" | "ip";
type: ACMESANType;
value: string;
status: "pending" | "processing" | "valid" | "invalid";
status: CertificateOrderStatus;
}>;
authorizations: Array<{
identifier: {
type: "dns" | "ip";
type: ACMESANType;
value: string;
};
status: "pending" | "processing" | "valid" | "invalid";
status: CertificateOrderStatus;
expires?: string;
challenges: Array<{
type: string;
status: "pending" | "processing" | "valid" | "invalid";
status: CertificateOrderStatus;
url: string;
token: string;
}>;
}>;
finalize: string;
certificate?: string;
projectId: string;
profileName: string;
};

28
backend/src/services/certificate/certificate-types.ts
View File

@@ -18,6 +18,15 @@ export enum CertKeyAlgorithm {
ECDSA_P384 = "EC_secp384r1"
}
export enum CertSignatureAlgorithm {
RSA_SHA256 = "RSA-SHA256",
RSA_SHA384 = "RSA-SHA384",
RSA_SHA512 = "RSA-SHA512",
ECDSA_SHA256 = "ECDSA-SHA256",
ECDSA_SHA384 = "ECDSA-SHA384",
ECDSA_SHA512 = "ECDSA-SHA512"
}
export enum CertKeyUsage {
DIGITAL_SIGNATURE = "digitalSignature",
KEY_ENCIPHERMENT = "keyEncipherment",
@@ -111,7 +120,26 @@ export enum TAltNameType {
IP = "ip",
URL = "url"
}
export enum CertSubjectAlternativeNameType {
DNS_NAME = "dns_name",
IP_ADDRESS = "ip_address",
EMAIL = "email",
URI = "uri"
}
export type TAltNameMapping = {
type: TAltNameType;
value: string;
};
export enum ACMESANType {
DNS = "dns",
IP = "ip"
}
export enum CertificateOrderStatus {
PENDING = "pending",
PROCESSING = "processing",
VALID = "valid",
INVALID = "invalid"
}

27
backend/src/services/enrollment-config/est-enrollment-config-dal.ts
View File

@@ -32,16 +32,6 @@ export const estEnrollmentConfigDALFactory = (db: TDbClient) => {
}
};
const deleteById = async (id: string, tx?: Knex) => {
try {
const [estConfig] = await (tx || db)(TableName.PkiEstEnrollmentConfig).where({ id }).del().returning("*");
return estConfig;
} catch (error) {
throw new DatabaseError({ error, name: "Delete EST enrollment config" });
}
};
const findById = async (id: string, tx?: Knex) => {
try {
const estConfig = await (tx || db)(TableName.PkiEstEnrollmentConfig).where({ id }).first();
@@ -52,25 +42,10 @@ export const estEnrollmentConfigDALFactory = (db: TDbClient) => {
}
};
const isConfigInUse = async (configId: string, tx?: Knex) => {
try {
const profileCount = await (tx || db)(TableName.CertificateProfile)
.where({ estConfigId: configId })
.count("* as count")
.first();
return parseInt(profileCount || "0", 10) > 0;
} catch (error) {
throw new DatabaseError({ error, name: "Check if EST enrollment config is in use" });
}
};
return {
...estEnrollmentConfigOrm,
create,
updateById,
deleteById,
findById,
isConfigInUse
findById
};
};

4
docs/api-reference/endpoints/certificate-profiles/create.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "Create"
openapi: "POST /api/v1/pki/certificate-profiles"
---

4
docs/api-reference/endpoints/certificate-profiles/delete.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "Delete"
openapi: "DELETE /api/v1/pki/certificate-profiles/{id}"
---

4
docs/api-reference/endpoints/certificate-profiles/get-by-id.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "Get by ID"
openapi: "GET /api/v1/pki/certificate-profiles/{id}"
---

4
docs/api-reference/endpoints/certificate-profiles/get-by-slug.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "Get by Slug"
openapi: "GET /api/v1/pki/certificate-profiles/slug/{slug}"
---

4
docs/api-reference/endpoints/certificate-profiles/list-certificates.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "List Certificates"
openapi: "GET /api/v1/pki/certificate-profiles/{id}/certificates"
---

4
docs/api-reference/endpoints/certificate-profiles/list.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "List"
openapi: "GET /api/v1/pki/certificate-profiles"
---

4
docs/api-reference/endpoints/certificate-profiles/update.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "Update"
openapi: "PATCH /api/v1/pki/certificate-profiles/{id}"
---

4
docs/api-reference/endpoints/certificate-templates-v2/create.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "Create"
openapi: "POST /api/v2/certificate-templates"
---

4
docs/api-reference/endpoints/certificate-templates-v2/delete.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "Delete"
openapi: "DELETE /api/v2/certificate-templates/{id}"
---

4
docs/api-reference/endpoints/certificate-templates-v2/get-by-id.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "Get by ID"
openapi: "GET /api/v2/certificate-templates/{id}"
---

4
docs/api-reference/endpoints/certificate-templates-v2/list.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "List"
openapi: "GET /api/v2/certificate-templates"
---

4
docs/api-reference/endpoints/certificate-templates-v2/update.mdx Normal file
View File

@@ -0,0 +1,4 @@
---
title: "Update"
openapi: "PATCH /api/v2/certificate-templates/{id}"
---

6
docs/api-reference/endpoints/certificate-templates/create.mdx
View File

@@ -2,3 +2,9 @@
title: "Create"
openapi: "POST /api/v1/pki/certificate-templates"
---
<Warning>
**Deprecated API Endpoint**
This endpoint is deprecated and will be removed in a future version. Please use the new [Certificate Templates V2 API](/api-reference/endpoints/certificate-templates-v2) instead.
</Warning>

6
docs/api-reference/endpoints/certificate-templates/delete.mdx
View File

@@ -2,3 +2,9 @@
title: "Delete"
openapi: "DELETE /api/v1/pki/certificate-templates/{certificateTemplateId}"
---
<Warning>
**Deprecated API Endpoint**
This endpoint is deprecated and will be removed in a future version. Please use the new [Certificate Templates V2 API](/api-reference/endpoints/certificate-templates-v2) instead.
</Warning>

6
docs/api-reference/endpoints/certificate-templates/get-by-id.mdx
View File

@@ -2,3 +2,9 @@
title: "Get by ID"
openapi: "GET /api/v1/pki/certificate-templates/{certificateTemplateId}"
---
<Warning>
**Deprecated API Endpoint**
This endpoint is deprecated and will be removed in a future version. Please use the new [Certificate Templates V2 API](/api-reference/endpoints/certificate-templates-v2) instead.
</Warning>

6
docs/api-reference/endpoints/certificate-templates/update.mdx
View File

@@ -2,3 +2,9 @@
title: "Update"
openapi: "PATCH /api/v1/pki/certificate-templates/{certificateTemplateId}"
---
<Warning>
**Deprecated API Endpoint**
This endpoint is deprecated and will be removed in a future version. Please use the new [Certificate Templates V2 API](/api-reference/endpoints/certificate-templates-v2) instead.
</Warning>

6
docs/api-reference/endpoints/pki/subscribers/create.mdx
View File

@@ -2,3 +2,9 @@
title: "Create"
openapi: "POST /api/v1/pki/subscribers"
---
<Warning>
**Deprecated API Endpoint**
This endpoint is deprecated and will be removed in a future version. Please use the new [Certificate Profiles API](/api-reference/endpoints/certificate-profiles) instead.
</Warning>

6
docs/api-reference/endpoints/pki/subscribers/delete.mdx
View File

@@ -2,3 +2,9 @@
title: "Delete"
openapi: "DELETE /api/v1/pki/subscribers/{subscriberName}"
---
<Warning>
**Deprecated API Endpoint**
This endpoint is deprecated and will be removed in a future version. Please use the new [Certificate Profiles API](/api-reference/endpoints/certificate-profiles) instead.
</Warning>

6
docs/api-reference/endpoints/pki/subscribers/get-latest-cert-bundle.mdx
View File

@@ -2,3 +2,9 @@
title: "Retrieve latest certificate bundle"
openapi: "GET /api/v1/pki/subscribers/{subscriberName}/latest-certificate-bundle"
---
<Warning>
**Deprecated API Endpoint**
This endpoint is deprecated and will be removed in a future version. Please use the new [Certificate Profiles API](/api-reference/endpoints/certificate-profiles) instead.
</Warning>

6
docs/api-reference/endpoints/pki/subscribers/issue-cert.mdx
View File

@@ -2,3 +2,9 @@
title: "Issue Certificate"
openapi: "POST /api/v1/pki/subscribers/{subscriberName}/issue-certificate"
---
<Warning>
**Deprecated API Endpoint**
This endpoint is deprecated and will be removed in a future version. Please use the new [Certificate Profiles API](/api-reference/endpoints/certificate-profiles) instead.
</Warning>

6
docs/api-reference/endpoints/pki/subscribers/list-certs.mdx
View File

@@ -2,3 +2,9 @@
title: "List Certificates"
openapi: "GET /api/v1/pki/subscribers/{subscriberName}/certificates"
---
<Warning>
**Deprecated API Endpoint**
This endpoint is deprecated and will be removed in a future version. Please use the new [Certificate Profiles API](/api-reference/endpoints/certificate-profiles) instead.
</Warning>

6
docs/api-reference/endpoints/pki/subscribers/order-cert.mdx
View File

@@ -2,3 +2,9 @@
title: "Order Certificate"
openapi: "POST /api/v1/pki/subscribers/{subscriberName}/order-certificate"
---
<Warning>
**Deprecated API Endpoint**
This endpoint is deprecated and will be removed in a future version. Please use the new [Certificate Profiles API](/api-reference/endpoints/certificate-profiles) instead.
</Warning>

6
docs/api-reference/endpoints/pki/subscribers/read.mdx
View File

@@ -2,3 +2,9 @@
title: "Retrieve"
openapi: "GET /api/v1/pki/subscribers/{subscriberName}"
---
<Warning>
**Deprecated API Endpoint**
This endpoint is deprecated and will be removed in a future version. Please use the new [Certificate Profiles API](/api-reference/endpoints/certificate-profiles) instead.
</Warning>

6
docs/api-reference/endpoints/pki/subscribers/sign-cert.mdx
View File

@@ -2,3 +2,9 @@
title: "Sign Certificate"
openapi: "POST /api/v1/pki/subscribers/{subscriberName}/sign-certificate"
---
<Warning>
**Deprecated API Endpoint**
This endpoint is deprecated and will be removed in a future version. Please use the new [Certificate Profiles API](/api-reference/endpoints/certificate-profiles) instead.
</Warning>

6
docs/api-reference/endpoints/pki/subscribers/update.mdx
View File

@@ -2,3 +2,9 @@
title: "Update"
openapi: "PATCH /api/v1/pki/subscribers/{subscriberName}"
---
<Warning>
**Deprecated API Endpoint**
This endpoint is deprecated and will be removed in a future version. Please use the new [Certificate Profiles API](/api-reference/endpoints/certificate-profiles) instead.
</Warning>

28
docs/docs.json
View File

@@ -2493,10 +2493,21 @@
{
"group": "Certificate Templates",
"pages": [
"api-reference/endpoints/certificate-templates/create",
"api-reference/endpoints/certificate-templates/update",
"api-reference/endpoints/certificate-templates/get-by-id",
"api-reference/endpoints/certificate-templates/delete"
"api-reference/endpoints/certificate-templates-v2/list",
"api-reference/endpoints/certificate-templates-v2/create",
"api-reference/endpoints/certificate-templates-v2/update",
"api-reference/endpoints/certificate-templates-v2/get-by-id",
"api-reference/endpoints/certificate-templates-v2/delete",
{
"group": "Legacy",
"pages": [
"api-reference/endpoints/certificate-templates/list",
"api-reference/endpoints/certificate-templates/create",
"api-reference/endpoints/certificate-templates/update",
"api-reference/endpoints/certificate-templates/get-by-id",
"api-reference/endpoints/certificate-templates/delete"
]
}
]
},
{
@@ -2520,6 +2531,15 @@
"api-reference/endpoints/pki-alerts/delete"
]
},
{
"group": "Certificate Profiles",
"pages": [
"api-reference/endpoints/certificate-profiles/create",
"api-reference/endpoints/certificate-profiles/update",
"api-reference/endpoints/certificate-profiles/get-by-id",
"api-reference/endpoints/certificate-profiles/delete"
]
},
{
"group": "Certificate Syncs",
"pages": [

1
frontend/src/context/ProjectPermissionContext/index.tsx
View File

@@ -4,6 +4,7 @@ export {
ProjectPermissionActions,
ProjectPermissionAuditLogsActions,
ProjectPermissionCertificateActions,
ProjectPermissionCertificateProfileActions,
ProjectPermissionCmekActions,
ProjectPermissionDynamicSecretActions,
ProjectPermissionGroupActions,

11
frontend/src/context/ProjectPermissionContext/types.ts
View File

@@ -124,6 +124,14 @@ export enum ProjectPermissionPkiTemplateActions {
ListCerts = "list-certs"
}
export enum ProjectPermissionCertificateProfileActions {
Read = "read",
Create = "create",
Edit = "edit",
Delete = "delete",
IssueCert = "issue-cert"
}
export enum ProjectPermissionSecretRotationActions {
Read = "read",
ReadGeneratedCredentials = "read-generated-credentials",
@@ -217,6 +225,7 @@ export type ConditionalProjectPermissionSubject =
| ProjectPermissionSub.SshHosts
| ProjectPermissionSub.PkiSubscribers
| ProjectPermissionSub.CertificateTemplates
| ProjectPermissionSub.CertificateProfiles
| ProjectPermissionSub.SecretFolders
| ProjectPermissionSub.SecretImports
| ProjectPermissionSub.SecretRotation
@@ -293,6 +302,7 @@ export enum ProjectPermissionSub {
PkiAlerts = "pki-alerts",
PkiCollections = "pki-collections",
PkiSubscribers = "pki-subscribers",
CertificateProfiles = "certificate-profiles",
Kms = "kms",
Cmek = "cmek",
SecretSyncs = "secret-syncs",
@@ -470,6 +480,7 @@ export type ProjectPermissionSet =
| (ForcedSubject<ProjectPermissionSub.PkiSubscribers> & PkiSubscriberSubjectFields)
)
]
| [ProjectPermissionCertificateProfileActions, ProjectPermissionSub.CertificateProfiles]
| [ProjectPermissionActions, ProjectPermissionSub.PkiAlerts]
| [ProjectPermissionActions, ProjectPermissionSub.PkiCollections]
| [ProjectPermissionActions.Delete, ProjectPermissionSub.Project]

1
frontend/src/context/index.tsx
View File

@@ -15,6 +15,7 @@ export {
ProjectPermissionActions,
ProjectPermissionAuditLogsActions,
ProjectPermissionCertificateActions,
ProjectPermissionCertificateProfileActions,
ProjectPermissionCmekActions,
ProjectPermissionDynamicSecretActions,
ProjectPermissionGroupActions,

2
frontend/src/helpers/project.ts
View File

@@ -79,7 +79,7 @@ export const getProjectHomePage = (type: ProjectType, environments: ProjectEnv[]
case ProjectType.SecretManager:
return "/projects/secret-management/$projectId/overview" as const;
case ProjectType.CertificateManager:
return "/projects/cert-management/$projectId/subscribers" as const;
return "/projects/cert-management/$projectId/policies" as const;
case ProjectType.SecretScanning:
return `/projects/${type}/$projectId/data-sources` as const;
case ProjectType.PAM:

2
frontend/src/hooks/api/ca/index.tsx
View File

@@ -1,10 +1,12 @@
export { AcmeDnsProvider, CaRenewalType, CaStatus, CaType, InternalCaType } from "./enums";
export type { TOrderCertificateDTO, TOrderCertificateResponse } from "./types";
export {
useCreateCa,
useCreateCertificate,
useCreateCertificateV3,
useDeleteCa,
useImportCaCertificate,
useOrderCertificateWithProfile,
useRenewCa,
useSignIntermediate,
useUpdateCa

20
frontend/src/hooks/api/ca/mutations.tsx
View File

@@ -14,6 +14,8 @@ import {
TDeleteCertificateAuthorityDTO,
TImportCaCertificateDTO,
TImportCaCertificateResponse,
TOrderCertificateDTO,
TOrderCertificateResponse,
TRenewCaDTO,
TRenewCaResponse,
TSignIntermediateDTO,
@@ -168,6 +170,24 @@ export const useCreateCertificateV3 = () => {
});
};
export const useOrderCertificateWithProfile = () => {
const queryClient = useQueryClient();
return useMutation<TOrderCertificateResponse, object, TOrderCertificateDTO>({
mutationFn: async (body) => {
const { data } = await apiRequest.post<TOrderCertificateResponse>(
"/api/v3/certificates/order-certificate",
body
);
return data;
},
onSuccess: (_, { projectSlug }) => {
queryClient.invalidateQueries({
queryKey: projectKeys.forProjectCertificates(projectSlug)
});
}
});
};
export const useRenewCa = () => {
const queryClient = useQueryClient();
return useMutation<TRenewCaResponse, object, TRenewCaDTO>({

52
frontend/src/hooks/api/ca/types.ts
View File

@@ -155,7 +155,7 @@ export type TCreateCertificateDTO = {
pkiCollectionId?: string;
friendlyName?: string;
commonName: string;
altNames: string; // sans
subjectAltNames: string; // sans
ttl: string; // string compatible with ms
notBefore?: string;
notAfter?: string;
@@ -185,7 +185,7 @@ export type TCreateCertificateV3DTO = {
email?: string;
streetAddress?: string;
postalCode?: string;
altNames: string;
subjectAltNames: string;
ttl: string;
notBefore?: string;
notAfter?: string;
@@ -197,6 +197,54 @@ export type TCreateCertificateV3DTO = {
export type TCreateCertificateV3Response = TCreateCertificateResponse;
export type TOrderCertificateDTO = {
projectSlug: string;
profileId: string;
subjectAlternativeNames: Array<{
type: "dns" | "ip";
value: string;
}>;
ttl: string;
keyUsages?: CertKeyUsage[];
extendedKeyUsages?: CertExtendedKeyUsage[];
notBefore?: string;
notAfter?: string;
commonName?: string;
signatureAlgorithm?: string;
keyAlgorithm?: string;
};
export type TOrderCertificateResponse = {
orderId: string;
status: "pending" | "processing" | "valid" | "invalid";
subjectAlternativeNames: Array<{
type: "dns" | "ip";
value: string;
status: "pending" | "processing" | "valid" | "invalid";
}>;
authorizations: Array<{
identifier: {
type: "dns" | "ip";
value: string;
};
status: "pending" | "processing" | "valid" | "invalid";
expires?: string;
challenges: Array<{
type: string;
status: "pending" | "processing" | "valid" | "invalid";
url: string;
token: string;
validated?: string;
error?: any;
}>;
}>;
certificate?: string;
privateKey?: string;
expires: string;
notBefore: string;
notAfter: string;
};
export type TRenewCaDTO = {
projectSlug: string;
caId: string;

11
frontend/src/hooks/api/certificateTemplates/types.ts
View File

@@ -124,16 +124,7 @@ export type TListCertificateTemplatesDTO = {
export type TCertificateTemplateV2Policy = {
attributes: Array<{
type:
| "common_name"
| "organization_name"
| "organization_unit"
| "locality"
| "state"
| "country"
| "email"
| "street_address"
| "postal_code";
type: "common_name";
include: "mandatory" | "optional" | "prohibit";
value?: string[];
}>;

30
frontend/src/hooks/api/certificates/enums.tsx
View File

@@ -25,22 +25,22 @@ export enum CrlReason {
}
export enum CertKeyUsage {
DIGITAL_SIGNATURE = "digitalSignature",
KEY_ENCIPHERMENT = "keyEncipherment",
NON_REPUDIATION = "nonRepudiation",
DATA_ENCIPHERMENT = "dataEncipherment",
KEY_AGREEMENT = "keyAgreement",
KEY_CERT_SIGN = "keyCertSign",
CRL_SIGN = "cRLSign",
ENCIPHER_ONLY = "encipherOnly",
DECIPHER_ONLY = "decipherOnly"
DIGITAL_SIGNATURE = "digital_signature",
KEY_ENCIPHERMENT = "key_encipherment",
NON_REPUDIATION = "non_repudiation",
DATA_ENCIPHERMENT = "data_encipherment",
KEY_AGREEMENT = "key_agreement",
KEY_CERT_SIGN = "key_cert_sign",
CRL_SIGN = "crl_sign",
ENCIPHER_ONLY = "encipher_only",
DECIPHER_ONLY = "decipher_only"
}
export enum CertExtendedKeyUsage {
CLIENT_AUTH = "clientAuth",
SERVER_AUTH = "serverAuth",
CODE_SIGNING = "codeSigning",
EMAIL_PROTECTION = "emailProtection",
TIMESTAMPING = "timeStamping",
OCSP_SIGNING = "ocspSigning"
CLIENT_AUTH = "client_auth",
SERVER_AUTH = "server_auth",
CODE_SIGNING = "code_signing",
EMAIL_PROTECTION = "email_protection",
TIMESTAMPING = "time_stamping",
OCSP_SIGNING = "ocsp_signing"
}

2
frontend/src/hooks/api/certificates/types.ts
View File

@@ -7,7 +7,7 @@ export type TCertificate = {
status: CertStatus;
friendlyName: string;
commonName: string;
altNames: string;
subjectAltNames: string;
serialNumber: string;
notBefore: string;
notAfter: string;

10
frontend/src/layouts/PkiManagerLayout/PkiManagerLayout.tsx
View File

@@ -18,7 +18,7 @@ import { Link, Outlet } from "@tanstack/react-router";
import { motion } from "framer-motion";
import { Lottie, Menu, MenuGroup, MenuItem } from "@app/components/v2";
import { useProject, useProjectPermission } from "@app/context";
import { useProject, useProjectPermission, useSubscription } from "@app/context";
import {
useListWorkspaceCertificateTemplates,
useListWorkspacePkiSubscribers
@@ -29,6 +29,7 @@ import { AssumePrivilegeModeBanner } from "../ProjectLayout/components/AssumePri
export const PkiManagerLayout = () => {
const { currentProject } = useProject();
const { assumedPrivilegeDetails } = useProjectPermission();
const { subscription } = useSubscription();
const { t } = useTranslation();
const { data: subscribers = [] } = useListWorkspacePkiSubscribers(currentProject?.id || "");
@@ -39,7 +40,8 @@ export const PkiManagerLayout = () => {
const hasExistingSubscribers = subscribers.length > 0;
const hasExistingTemplates = templates.length > 0;
const showLegacySection = hasExistingSubscribers || hasExistingTemplates;
const showLegacySection =
subscription.pkiLegacyTemplates || hasExistingSubscribers || hasExistingTemplates;
return (
<>
@@ -166,7 +168,7 @@ export const PkiManagerLayout = () => {
</MenuGroup>
{showLegacySection && (
<MenuGroup title="Legacy">
{hasExistingSubscribers && (
{(subscription.pkiLegacyTemplates || hasExistingSubscribers) && (
<Link
to="/projects/cert-management/$projectId/subscribers"
params={{
@@ -185,7 +187,7 @@ export const PkiManagerLayout = () => {
)}
</Link>
)}
{hasExistingTemplates && (
{(subscription.pkiLegacyTemplates || hasExistingTemplates) && (
<Link
to="/projects/cert-management/$projectId/certificate-templates"
params={{

20
frontend/src/pages/cert-manager/CertificatesPage/components/CertificateImportModal.tsx
View File

@@ -7,7 +7,6 @@ import { createNotification } from "@app/components/notifications";
import {
Button,
FormControl,
Input,
Modal,
ModalContent,
Select,
@@ -24,8 +23,6 @@ const schema = z.object({
certificatePem: z.string().trim().min(1, "Certificate PEM is required"),
privateKeyPem: z.string().trim().min(1, "Private Key PEM is required"),
chainPem: z.string().trim().min(1, "Certificate Chain PEM is required"),
friendlyName: z.string(),
collectionId: z.string().optional()
});
@@ -72,7 +69,6 @@ export const CertificateImportModal = ({ popUp, handlePopUpToggle }: Props) => {
certificatePem,
privateKeyPem,
chainPem,
friendlyName,
collectionId
}: FormData) => {
try {
@@ -84,8 +80,6 @@ export const CertificateImportModal = ({ popUp, handlePopUpToggle }: Props) => {
certificatePem,
privateKeyPem,
chainPem,
friendlyName,
pkiCollectionId: collectionId
});
@@ -150,20 +144,6 @@ export const CertificateImportModal = ({ popUp, handlePopUpToggle }: Props) => {
</FormControl>
)}
/>
<Controller
control={control}
defaultValue=""
name="friendlyName"
render={({ field, fieldState: { error } }) => (
<FormControl
label="Friendly Name"
isError={Boolean(error)}
errorText={error?.message}
>
<Input {...field} placeholder="My Certificate" isDisabled={Boolean(cert)} />
</FormControl>
)}
/>
<Controller
control={control}
defaultValue=""

854
frontend/src/pages/cert-manager/CertificatesPage/components/CertificateIssuanceModal.tsx
View File

File diff suppressed because it is too large Load Diff

31
frontend/src/pages/cert-manager/CertificatesPage/components/CertificateModal.tsx
View File

@@ -46,9 +46,8 @@ const schema = z.object({
certificateTemplateId: z.string().optional(),
caId: z.string(),
collectionId: z.string().optional(),
friendlyName: z.string(),
commonName: z.string().trim().min(1),
altNames: z.string(),
subjectAltNames: z.string(),
ttl: z.string().trim(),
keyUsages: z.object({
[CertKeyUsage.DIGITAL_SIGNATURE]: z.boolean().optional(),
@@ -139,9 +138,8 @@ export const CertificateModal = ({ popUp, handlePopUpToggle }: Props) => {
if (cert) {
reset({
caId: cert.caId,
friendlyName: cert.friendlyName,
commonName: cert.commonName,
altNames: cert.altNames,
subjectAltNames: cert.subjectAltNames,
certificateTemplateId: cert.certificateTemplateId ?? CERT_TEMPLATE_NONE_VALUE,
ttl: "",
keyUsages: Object.fromEntries((cert.keyUsages || []).map((name) => [name, true])),
@@ -152,9 +150,8 @@ export const CertificateModal = ({ popUp, handlePopUpToggle }: Props) => {
} else {
reset({
caId: "",
friendlyName: "",
commonName: "",
altNames: "",
subjectAltNames: "",
ttl: "",
certificateTemplateId: CERT_TEMPLATE_NONE_VALUE,
keyUsages: {
@@ -182,10 +179,9 @@ export const CertificateModal = ({ popUp, handlePopUpToggle }: Props) => {
const onFormSubmit = async ({
caId,
friendlyName,
collectionId,
commonName,
altNames,
subjectAltNames,
ttl,
keyUsages,
extendedKeyUsages
@@ -198,9 +194,8 @@ export const CertificateModal = ({ popUp, handlePopUpToggle }: Props) => {
certificateTemplateId: selectedCertTemplate ? selectedCertTemplateId : undefined,
projectSlug: currentProject.slug,
pkiCollectionId: collectionId,
friendlyName,
commonName,
altNames,
subjectAltNames,
ttl,
keyUsages: Object.entries(keyUsages)
.filter(([, value]) => value)
@@ -359,20 +354,6 @@ export const CertificateModal = ({ popUp, handlePopUpToggle }: Props) => {
/>
</>
)}
<Controller
control={control}
defaultValue=""
name="friendlyName"
render={({ field, fieldState: { error } }) => (
<FormControl
label="Friendly Name"
isError={Boolean(error)}
errorText={error?.message}
>
<Input {...field} placeholder="My Certificate" isDisabled={Boolean(cert)} />
</FormControl>
)}
/>
<Controller
control={control}
defaultValue=""
@@ -391,7 +372,7 @@ export const CertificateModal = ({ popUp, handlePopUpToggle }: Props) => {
<Controller
control={control}
defaultValue=""
name="altNames"
name="subjectAltNames"
render={({ field, fieldState: { error } }) => (
<FormControl
label="Alternative Names (SANs)"

12
frontend/src/pages/cert-manager/PkiSubscribersPage/components/PkiSubscriberSection.tsx
View File

@@ -7,7 +7,8 @@ import { Button, DeleteActionModal } from "@app/components/v2";
import {
ProjectPermissionPkiSubscriberActions,
ProjectPermissionSub,
useProject
useProject,
useSubscription
} from "@app/context";
import { useDeletePkiSubscriber, useUpdatePkiSubscriber } from "@app/hooks/api";
import { PkiSubscriberStatus } from "@app/hooks/api/pkiSubscriber/types";
@@ -18,9 +19,10 @@ import { PkiSubscribersTable } from "./PkiSubscribersTable";
export const PkiSubscriberSection = () => {
const { currentProject } = useProject();
const { subscription } = useSubscription();
const projectId = currentProject.id;
const allowNewSubscriberCreation = false;
const allowNewSubscriberCreation = subscription.pkiLegacyTemplates;
const { mutateAsync: deletePkiSubscriber } = useDeletePkiSubscriber();
const { mutateAsync: updatePkiSubscriber } = useUpdatePkiSubscriber();
@@ -85,16 +87,16 @@ export const PkiSubscriberSection = () => {
const subscriberName = subscriberStatusData?.subscriberName || "";
return (
<div className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
<div className="border-mineshaft-600 bg-mineshaft-900 mb-6 rounded-lg border p-4">
<div className="mb-4 flex justify-between">
<p className="text-xl font-medium text-mineshaft-100">Subscribers</p>
<p className="text-mineshaft-100 text-xl font-medium">Subscribers</p>
<div className="flex w-full justify-end">
<a
target="_blank"
rel="noopener noreferrer"
href="https://infisical.com/docs/documentation/platform/pki/subscribers"
>
<span className="flex w-max cursor-pointer items-center rounded-md border border-mineshaft-500 bg-mineshaft-600 px-4 py-2 text-mineshaft-200 duration-200 hover:border-primary/40 hover:bg-primary/10 hover:text-white">
<span className="border-mineshaft-500 bg-mineshaft-600 text-mineshaft-200 hover:border-primary/40 hover:bg-primary/10 flex w-max cursor-pointer items-center rounded-md border px-4 py-2 duration-200 hover:text-white">
Documentation{" "}
<FontAwesomeIcon
icon={faArrowUpRightFromSquare}

6
frontend/src/pages/cert-manager/PkiTemplateListPage/PkiTemplateListPage.tsx
View File

@@ -112,7 +112,9 @@ export const PkiTemplateListPage = () => {
/>
</div>
<div className="container mx-auto mb-6 max-w-7xl rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
<div className="mb-4 flex justify-between">
{
subscription?.pkiLegacyTemplates && (
<div className="mb-4 flex justify-between">
<p className="text-xl font-medium text-mineshaft-100">Templates</p>
<div className="flex w-full justify-end">
<ProjectPermissionCan
@@ -134,6 +136,8 @@ export const PkiTemplateListPage = () => {
</ProjectPermissionCan>
</div>
</div>
)
}
<TableContainer>
<Table>
<THead>

5
frontend/src/pages/cert-manager/PoliciesPage/components/CertificateProfilesTab/CertificateProfilesTab.tsx
View File

@@ -2,6 +2,7 @@ import { useState } from "react";
import { faPlus } from "@fortawesome/free-solid-svg-icons";
import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
import { createNotification } from "@app/components/notifications";
import { Button, DeleteActionModal } from "@app/components/v2";
import { useProjectPermission } from "@app/context";
import {
@@ -54,6 +55,10 @@ export const CertificateProfilesTab = () => {
});
setIsDeleteModalOpen(false);
setSelectedProfile(null);
createNotification({
text: `Certificate profile "${selectedProfile.slug}" deleted successfully`,
type: "success"
});
} catch (error) {
console.error("Failed to delete profile:", error);
}

35
frontend/src/pages/cert-manager/PoliciesPage/components/CertificateProfilesTab/CreateProfileModal.tsx
View File

@@ -122,7 +122,7 @@ export const CreateProfileModal = ({ isOpen, onClose, profile, mode = "create" }
const certificateAuthorities = caData || [];
const certificateTemplates = templateData?.certificateTemplates || [];
const { control, handleSubmit, reset, watch, setValue } = useForm<FormData>({
const { control, handleSubmit, reset, watch, setValue, formState } = useForm<FormData>({
resolver: zodResolver(isEdit ? editSchema : createSchema),
defaultValues: isEdit
? {
@@ -260,7 +260,7 @@ export const CreateProfileModal = ({ isOpen, onClose, profile, mode = "create" }
name="certificateAuthorityId"
render={({ field: { onChange, ...field }, fieldState: { error } }) => (
<FormControl
label="Certificate Authority"
label="Issuing CA"
isRequired
isError={Boolean(error)}
errorText={error?.message}
@@ -296,7 +296,6 @@ export const CreateProfileModal = ({ isOpen, onClose, profile, mode = "create" }
<Select
{...field}
onValueChange={(value) => {
onChange(value);
if (watchedEnrollmentType === "est") {
setValue("estConfig", {
disableBootstrapCaValidation: false,
@@ -311,6 +310,7 @@ export const CreateProfileModal = ({ isOpen, onClose, profile, mode = "create" }
});
setValue("estConfig", undefined);
}
onChange(value);
}}
placeholder="Select a certificate template"
className="w-full"
@@ -339,7 +339,23 @@ export const CreateProfileModal = ({ isOpen, onClose, profile, mode = "create" }
>
<Select
{...field}
onValueChange={onChange}
onValueChange={(value) => {
if (value === "est") {
setValue("apiConfig", undefined);
setValue("estConfig", {
disableBootstrapCaValidation: false,
passphrase: "",
caChain: ""
});
} else {
setValue("estConfig", undefined);
setValue("apiConfig", {
autoRenew: false,
autoRenewDays: 30
});
}
onChange(value);
}}
className="w-full"
position="popper"
isDisabled={Boolean(isEdit)}
@@ -360,17 +376,17 @@ export const CreateProfileModal = ({ isOpen, onClose, profile, mode = "create" }
name="estConfig.disableBootstrapCaValidation"
render={({ field: { value, onChange }, fieldState: { error } }) => (
<FormControl isError={Boolean(error)} errorText={error?.message}>
<div className="flex items-center gap-3 rounded-md border border-mineshaft-600 bg-mineshaft-900 p-4">
<div className="border-mineshaft-600 bg-mineshaft-900 flex items-center gap-3 rounded-md border p-4">
<Checkbox
id="disableBootstrapCaValidation"
isChecked={value}
onCheckedChange={onChange}
/>
<div className="space-y-1">
<span className="text-sm font-medium text-mineshaft-100">
<span className="text-mineshaft-100 text-sm font-medium">
Disable Bootstrap CA Validation
</span>
<p className="text-xs text-bunker-300">
<p className="text-bunker-300 text-xs">
Skip CA certificate validation during EST bootstrap phase
</p>
</div>
@@ -417,7 +433,7 @@ export const CreateProfileModal = ({ isOpen, onClose, profile, mode = "create" }
rows={6}
className="w-full font-mono text-xs"
/>
<p className="text-xs text-bunker-400">
<p className="text-bunker-400 text-xs">
Paste the complete CA certificate chain in PEM format
</p>
</div>
@@ -478,6 +494,9 @@ export const CreateProfileModal = ({ isOpen, onClose, profile, mode = "create" }
type="submit"
colorSchema="primary"
isLoading={isEdit ? updateProfile.isPending : createProfile.isPending}
isDisabled={
!formState.isValid || (isEdit ? updateProfile.isPending : createProfile.isPending)
}
>
{isEdit ? "Save Changes" : "Create"}
</Button>

40
frontend/src/pages/cert-manager/PoliciesPage/components/CertificateProfilesTab/ProfileList.tsx
View File

@@ -4,6 +4,7 @@ import {
TableContainer,
TableSkeleton,
TBody,
Td,
Th,
THead,
Tr
@@ -33,14 +34,6 @@ export const ProfileList = ({ onEditProfile, onDeleteProfile }: Props) => {
const profiles = data?.certificateProfiles || [];
if (isLoading) {
return <TableSkeleton columns={6} innerKey="certificate-profiles" />;
}
if (!profiles || profiles.length === 0) {
return <EmptyState title="No Certificate Profiles" />;
}
return (
<TableContainer>
<Table>
@@ -48,21 +41,32 @@ export const ProfileList = ({ onEditProfile, onDeleteProfile }: Props) => {
<Tr>
<Th>Name</Th>
<Th>Enrollment Type</Th>
<Th>Certificate Authority</Th>
<Th>Template</Th>
<Th>Issuing CA</Th>
<Th>Certificate Template</Th>
<Th>Certificates</Th>
<Th className="w-5" />
</Tr>
</THead>
<TBody>
{profiles.map((profile) => (
<ProfileRow
key={profile.id}
profile={profile}
onEditProfile={onEditProfile}
onDeleteProfile={onDeleteProfile}
/>
))}
{isLoading && <TableSkeleton columns={6} innerKey="certificate-profiles" />}
{!isLoading && (!profiles || profiles.length === 0) && (
<Tr>
<Td colSpan={6}>
<EmptyState title="No Certificate Profiles" />
</Td>
</Tr>
)}
{!isLoading &&
profiles &&
profiles.length > 0 &&
profiles.map((profile) => (
<ProfileRow
key={profile.id}
profile={profile}
onEditProfile={onEditProfile}
onDeleteProfile={onDeleteProfile}
/>
))}
</TBody>
</Table>
</TableContainer>

53
frontend/src/pages/cert-manager/PoliciesPage/components/CertificateProfilesTab/ProfileRow.tsx
View File

@@ -1,5 +1,5 @@
/* eslint-disable no-nested-ternary */
import { faCircleInfo, faEdit, faEllipsis, faTrash } from "@fortawesome/free-solid-svg-icons";
import { faCheck, faCircleInfo, faCopy, faEdit, faEllipsis, faPlus, faTrash } from "@fortawesome/free-solid-svg-icons";
import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
import {
@@ -15,11 +15,16 @@ import {
import { useProjectPermission } from "@app/context";
import {
ProjectPermissionActions,
ProjectPermissionCertificateProfileActions,
ProjectPermissionSub
} from "@app/context/ProjectPermissionContext/types";
import { useGetCaById } from "@app/hooks/api/ca/queries";
import { TCertificateProfile } from "@app/hooks/api/certificateProfiles";
import { useGetCertificateTemplateV2ById } from "@app/hooks/api/certificateTemplates/queries";
import { usePopUp, useToggle } from "@app/hooks";
import { createNotification } from "@app/components/notifications";
import { useCallback } from "react";
import { CertificateIssuanceModal } from "@app/pages/cert-manager/CertificatesPage/components/CertificateIssuanceModal";
interface Props {
profile: TCertificateProfile;
@@ -32,6 +37,27 @@ export const ProfileRow = ({ profile, onEditProfile, onDeleteProfile }: Props) =
const { data: caData } = useGetCaById(profile.caId);
const { popUp, handlePopUpToggle } = usePopUp([
"certificateIssuance"
] as const);
const [isIdCopied, setIsIdCopied] = useToggle(false);
const handleCopyId = useCallback(() => {
setIsIdCopied.on();
navigator.clipboard.writeText(profile.id);
createNotification({
text: "Profile ID copied to clipboard",
type: "info"
});
const timer = setTimeout(() => setIsIdCopied.off(), 2000);
// eslint-disable-next-line consistent-return
return () => clearTimeout(timer);
}, [isIdCopied]);
const { data: templateData } = useGetCertificateTemplateV2ById({
templateId: profile.certificateTemplateId
});
@@ -41,6 +67,11 @@ export const ProfileRow = ({ profile, onEditProfile, onDeleteProfile }: Props) =
ProjectPermissionSub.CertificateAuthorities
);
const canIssueCertificate = permission.can(
ProjectPermissionCertificateProfileActions.IssueCert,
ProjectPermissionSub.CertificateProfiles
);
const canDeleteProfile = permission.can(
ProjectPermissionActions.Delete,
ProjectPermissionSub.CertificateAuthorities
@@ -128,6 +159,12 @@ export const ProfileRow = ({ profile, onEditProfile, onDeleteProfile }: Props) =
</div>
</DropdownMenuTrigger>
<DropdownMenuContent align="start" className="p-1">
<DropdownMenuItem
icon={<FontAwesomeIcon icon={isIdCopied ? faCheck : faCopy} />}
onClick={() => handleCopyId()}
>
Copy Profile ID
</DropdownMenuItem>
{canEditProfile && (
<DropdownMenuItem
onClick={(e) => {
@@ -139,6 +176,19 @@ export const ProfileRow = ({ profile, onEditProfile, onDeleteProfile }: Props) =
Edit Profile
</DropdownMenuItem>
)}
{
canIssueCertificate && (
<DropdownMenuItem
onClick={(e) => {
e.stopPropagation();
handlePopUpToggle("certificateIssuance");
}}
icon={<FontAwesomeIcon icon={faPlus} />}
>
Issue Certificate
</DropdownMenuItem>
)
}
{canDeleteProfile && (
<DropdownMenuItem
onClick={(e) => {
@@ -152,6 +202,7 @@ export const ProfileRow = ({ profile, onEditProfile, onDeleteProfile }: Props) =
)}
</DropdownMenuContent>
</DropdownMenu>
<CertificateIssuanceModal popUp={popUp} handlePopUpToggle={handlePopUpToggle} profileId={profile.id}/>
</Td>
</Tr>
);

7
frontend/src/pages/cert-manager/PoliciesPage/components/CertificateTemplatesV2Tab/CertificateTemplatesV2Tab.tsx
View File

@@ -2,6 +2,7 @@ import { useState } from "react";
import { faPlus } from "@fortawesome/free-solid-svg-icons";
import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
import { createNotification } from "@app/components/notifications";
import { Button, DeleteActionModal } from "@app/components/v2";
import { useProjectPermission } from "@app/context";
import {
@@ -52,7 +53,11 @@ export const CertificateTemplatesV2Tab = () => {
});
setIsDeleteModalOpen(false);
setSelectedTemplate(null);
} catch (error) {
createNotification({
text: `Certificate template "${selectedTemplate.slug}" deleted successfully`,
type: "success"
});
} catch (error: any) {
console.error("Failed to delete template:", error);
}
};

541
frontend/src/pages/cert-manager/PoliciesPage/components/CertificateTemplatesV2Tab/CreateTemplateModal.tsx
View File

@@ -1,5 +1,6 @@
import { useMemo } from "react";
import { Controller, useForm } from "react-hook-form";
import { faPlus, faTrash } from "@fortawesome/free-solid-svg-icons";
import { faExclamationTriangle, faPlus, faTrash } from "@fortawesome/free-solid-svg-icons";
import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
import { zodResolver } from "@hookform/resolvers/zod";
@@ -18,7 +19,8 @@ import {
ModalContent,
Select,
SelectItem,
TextArea
TextArea,
Tooltip
} from "@app/components/v2";
import { useProject } from "@app/context";
import {
@@ -27,7 +29,7 @@ import {
} from "@app/hooks/api/certificateTemplates/mutations";
import { TCertificateTemplateV2New } from "@app/hooks/api/certificateTemplates/types";
import { INCLUDE_OPTIONS, SAN_TYPES, SUBJECT_ATTRIBUTE_TYPES } from "./shared/utils";
import { INCLUDE_TYPE_OPTIONS, SAN_TYPE_OPTIONS, SUBJECT_ATTRIBUTE_TYPE_OPTIONS } from "./shared/certificate-constants";
import { KeyUsagesSection, TemplateFormData, templateSchema } from "./shared";
export type FormData = TemplateFormData;
@@ -39,26 +41,18 @@ interface Props {
mode?: "create" | "edit";
}
const ATTRIBUTE_TYPE_LABELS: Record<(typeof SUBJECT_ATTRIBUTE_TYPES)[number], string> = {
common_name: "Common Name (CN)",
organization_name: "Organization (O)",
organization_unit: "Organizational Unit (OU)",
locality: "Locality (L)",
state: "State/Province (ST)",
country: "Country (C)",
email: "Email Address",
street_address: "Street Address",
postal_code: "Postal Code"
const ATTRIBUTE_TYPE_LABELS: Record<(typeof SUBJECT_ATTRIBUTE_TYPE_OPTIONS)[number], string> = {
common_name: "Common Name (CN)"
};
const SAN_TYPE_LABELS: Record<(typeof SAN_TYPES)[number], string> = {
const SAN_TYPE_LABELS: Record<(typeof SAN_TYPE_OPTIONS)[number], string> = {
dns_name: "DNS Name",
ip_address: "IP Address",
email: "Email",
uri: "URI"
};
const INCLUDE_TYPE_LABELS: Record<(typeof INCLUDE_OPTIONS)[number], string> = {
const INCLUDE_TYPE_LABELS: Record<(typeof INCLUDE_TYPE_OPTIONS)[number], string> = {
mandatory: "Mandatory",
optional: "Optional",
prohibit: "Prohibited"
@@ -89,7 +83,36 @@ export const CreateTemplateModal = ({ isOpen, onClose, template, mode = "create"
const isEdit = mode === "edit" && template;
const { control, handleSubmit, reset, watch, setValue } = useForm<FormData>({
const validateAttributeRules = (attributes: FormData["attributes"]) => {
if (!attributes) return { isValid: true, warnings: [], invalidIndices: [] };
const warnings: string[] = [];
const invalidIndices: number[] = [];
const attributesByType = attributes.reduce((acc, attr, index) => {
if (!acc[attr.type]) acc[attr.type] = [];
acc[attr.type].push({ ...attr, index });
return acc;
}, {} as Record<string, Array<(typeof attributes[0] & { index: number })>>);
Object.entries(attributesByType).forEach(([type, attrs]) => {
const mandatoryAttrs = attrs.filter(attr => attr.include === 'mandatory');
if (mandatoryAttrs.length > 1) {
mandatoryAttrs.forEach(attr => invalidIndices.push(attr.index));
warnings.push(`Multiple mandatory values found for ${ATTRIBUTE_TYPE_LABELS[type as keyof typeof ATTRIBUTE_TYPE_LABELS]}. Only one mandatory value is allowed per attribute type.`);
}
if (mandatoryAttrs.length === 1 && attrs.length > 1) {
attrs.forEach(attr => invalidIndices.push(attr.index));
warnings.push(`When a mandatory value exists for ${ATTRIBUTE_TYPE_LABELS[type as keyof typeof ATTRIBUTE_TYPE_LABELS]}, no other values (optional or forbidden) are allowed for that attribute type.`);
}
});
return { isValid: warnings.length === 0, warnings, invalidIndices };
};
const { control, handleSubmit, reset, watch, setValue, formState } = useForm<FormData>({
resolver: zodResolver(templateSchema),
defaultValues: isEdit
? {
@@ -138,13 +161,42 @@ export const CreateTemplateModal = ({ isOpen, onClose, template, mode = "create"
const watchedAttributes = watch("attributes") || [];
const watchedSans = watch("subjectAlternativeNames") || [];
const watchedKeyUsages = watch("keyUsages");
const watchedExtendedKeyUsages = watch("extendedKeyUsages");
const watchedKeyUsages = watch("keyUsages") || { requiredUsages: [], optionalUsages: [] };
const watchedExtendedKeyUsages = watch("extendedKeyUsages") || { requiredUsages: [], optionalUsages: [] };
const attributeValidation = useMemo(() =>
validateAttributeRules(watchedAttributes),
[watchedAttributes]
);
const onFormSubmit = async (data: FormData) => {
try {
if (!currentProject?.id && !isEdit) return;
if (!attributeValidation.isValid) {
createNotification({
text: "Please fix validation errors before submitting",
type: "error"
});
return;
}
const hasEmptyAttributeValues = data.attributes?.some(attr =>
!attr.value || attr.value.length === 0 || attr.value.some(v => !v.trim())
);
const hasEmptySanValues = data.subjectAlternativeNames?.some(san =>
!san.value || san.value.length === 0 || san.value.some(v => !v.trim())
);
if (hasEmptyAttributeValues || hasEmptySanValues) {
createNotification({
text: "All values must be non-empty. Use wildcards (*) if needed.",
type: "error"
});
return;
}
if (isEdit) {
const updateData = {
templateId: template.id,
@@ -221,9 +273,9 @@ export const CreateTemplateModal = ({ isOpen, onClose, template, mode = "create"
const addAttribute = () => {
const newAttribute = {
type: SUBJECT_ATTRIBUTE_TYPES[0],
include: INCLUDE_OPTIONS[1],
value: []
type: SUBJECT_ATTRIBUTE_TYPE_OPTIONS[0],
include: INCLUDE_TYPE_OPTIONS[1],
value: ["*"]
};
setValue("attributes", [...watchedAttributes, newAttribute]);
};
@@ -235,9 +287,9 @@ export const CreateTemplateModal = ({ isOpen, onClose, template, mode = "create"
const addSan = () => {
const newSan = {
type: SAN_TYPES[0],
include: INCLUDE_OPTIONS[1],
value: []
type: SAN_TYPE_OPTIONS[0],
include: INCLUDE_TYPE_OPTIONS[1],
value: ["*"]
};
setValue("subjectAlternativeNames", [...watchedSans, newSan]);
};
@@ -247,42 +299,18 @@ export const CreateTemplateModal = ({ isOpen, onClose, template, mode = "create"
setValue("subjectAlternativeNames", newSans);
};
const toggleKeyUsage = (usage: string, type: "required" | "optional") => {
const current = watchedKeyUsages || { requiredUsages: [], optionalUsages: [] };
const otherType = type === "required" ? "optional" : "required";
const currentList = Array.isArray(current[`${type}Usages`]) ? current[`${type}Usages`] : [];
const otherList = Array.isArray(current[`${otherType}Usages`])
? current[`${otherType}Usages`]
: [];
const newOtherList = (otherList || []).filter((u) => u !== usage);
const newCurrentList = currentList?.includes(usage)
? currentList.filter((u) => u !== usage)
: [...(currentList || []), usage];
const handleKeyUsagesChange = (usages: { requiredUsages: string[]; optionalUsages: string[] }) => {
setValue("keyUsages", {
[`${type}Usages`]: newCurrentList,
[`${otherType}Usages`]: newOtherList
} as any);
requiredUsages: usages.requiredUsages as any,
optionalUsages: usages.optionalUsages as any
});
};
const toggleExtendedKeyUsage = (usage: string, type: "required" | "optional") => {
const current = watchedExtendedKeyUsages || { requiredUsages: [], optionalUsages: [] };
const otherType = type === "required" ? "optional" : "required";
const currentList = Array.isArray(current[`${type}Usages`]) ? current[`${type}Usages`] : [];
const otherList = Array.isArray(current[`${otherType}Usages`])
? current[`${otherType}Usages`]
: [];
const newOtherList = (otherList || []).filter((u) => u !== usage);
const newCurrentList = currentList?.includes(usage)
? currentList.filter((u) => u !== usage)
: [...(currentList || []), usage];
const handleExtendedKeyUsagesChange = (usages: { requiredUsages: string[]; optionalUsages: string[] }) => {
setValue("extendedKeyUsages", {
[`${type}Usages`]: newCurrentList,
[`${otherType}Usages`]: newOtherList
} as any);
requiredUsages: usages.requiredUsages as any,
optionalUsages: usages.optionalUsages as any
});
};
return (
@@ -297,7 +325,7 @@ export const CreateTemplateModal = ({ isOpen, onClose, template, mode = "create"
>
<ModalContent
className="max-w-4xl"
title={isEdit ? "Edit Certificate Template V2" : "Create Certificate Template V2"}
title={isEdit ? "Edit Certificate Template" : "Create Certificate Template"}
subTitle={
isEdit
? `Update configuration for ${template?.slug}`
@@ -306,42 +334,36 @@ export const CreateTemplateModal = ({ isOpen, onClose, template, mode = "create"
>
<form onSubmit={handleSubmit(onFormSubmit)} className="space-y-6">
<Accordion type="multiple" defaultValue={["basic"]} className="w-full">
<AccordionItem value="basic">
<AccordionTrigger>Basic Information</AccordionTrigger>
<AccordionContent>
<div className="space-y-4">
<Controller
control={control}
name="slug"
render={({ field, fieldState: { error } }) => (
<FormControl
label="Template Name"
isRequired
isError={Boolean(error)}
errorText={error?.message}
>
<Input {...field} placeholder="Enter template name" className="w-full" />
</FormControl>
)}
/>
<Controller
control={control}
name="description"
render={({ field, fieldState: { error } }) => (
<FormControl
label="Description"
isError={Boolean(error)}
errorText={error?.message}
>
<TextArea {...field} placeholder="Enter template description" rows={3} />
</FormControl>
)}
/>
</div>
</AccordionContent>
</AccordionItem>
<div className="space-y-4">
<Controller
control={control}
name="slug"
render={({ field, fieldState: { error } }) => (
<FormControl
label="Template Name"
isRequired
isError={Boolean(error)}
errorText={error?.message}
>
<Input {...field} placeholder="Enter template name" className="w-full" />
</FormControl>
)}
/>
<Controller
control={control}
name="description"
render={({ field, fieldState: { error } }) => (
<FormControl
label="Description"
isError={Boolean(error)}
errorText={error?.message}
>
<TextArea {...field} placeholder="Enter template description" rows={3} />
</FormControl>
)}
/>
</div>
<AccordionItem value="attributes">
<AccordionTrigger>Subject Attributes</AccordionTrigger>
<AccordionContent>
@@ -351,92 +373,173 @@ export const CreateTemplateModal = ({ isOpen, onClose, template, mode = "create"
type="button"
onClick={addAttribute}
size="sm"
variant="outline_bg"
leftIcon={<FontAwesomeIcon icon={faPlus} />}
>
Add Attribute
</Button>
</div>
{/* Validation warnings */}
{!attributeValidation.isValid && attributeValidation.warnings.length > 0 && (
<div className="bg-yellow-500/10 border border-yellow-500/20 rounded-md p-3">
<div className="flex items-start gap-2">
<FontAwesomeIcon icon={faExclamationTriangle} className="text-yellow-500 mt-0.5" />
<div className="flex-1">
<h4 className="text-yellow-500 font-medium text-sm">Validation Warnings</h4>
<ul className="text-yellow-400 text-sm mt-1 space-y-1">
{attributeValidation.warnings.map((warning, index) => (
<li key={index}> {warning}</li>
))}
</ul>
</div>
</div>
</div>
)}
<div className="space-y-2">
{watchedAttributes.length === 0 ? (
<div className="py-8 text-center text-bunker-300">
<div className="text-bunker-300 py-8 text-center">
No subject attributes configured yet. Click &quot;Add Attribute&quot; to get
started.
</div>
) : (
watchedAttributes.map((attr, index) => (
<div
key={`attr-${attr.type}`}
className="flex flex-col space-y-2 rounded-md border border-mineshaft-600 p-4"
>
<div className="flex items-center justify-between">
<span className="text-sm font-medium text-mineshaft-200">
{ATTRIBUTE_TYPE_LABELS[attr.type] || attr.type}
</span>
</div>
watchedAttributes.map((attr, index) => {
const isInvalid = attributeValidation.invalidIndices.includes(index);
const errorClass = isInvalid ? "border-red-500 focus:border-red-500" : "";
<div className="flex gap-3">
<Select
value={attr.type}
onValueChange={(value) => {
const newAttributes = [...watchedAttributes];
newAttributes[index] = { ...attr, type: value as any };
setValue("attributes", newAttributes);
}}
position="popper"
>
{SUBJECT_ATTRIBUTE_TYPES.map((type) => (
<SelectItem key={type} value={type}>
{ATTRIBUTE_TYPE_LABELS[type]}
</SelectItem>
))}
</Select>
return (
<div key={`attr-${attr.type}-${attr.include}-${index}`} className="flex items-start gap-2">
{isInvalid ? (
<Tooltip content="This attribute has validation errors. Check the warnings above for details.">
<div className="flex items-start gap-2 flex-1">
<Select
value={attr.type}
onValueChange={(value) => {
const newAttributes = [...watchedAttributes];
newAttributes[index] = { ...attr, type: value as any };
setValue("attributes", newAttributes);
}}
className={`w-48 ${errorClass}`}
>
{SUBJECT_ATTRIBUTE_TYPE_OPTIONS.map((type) => (
<SelectItem key={type} value={type}>
{ATTRIBUTE_TYPE_LABELS[type]}
</SelectItem>
))}
</Select>
<Select
value={attr.include}
onValueChange={(value) => {
const newAttributes = [...watchedAttributes];
newAttributes[index] = { ...attr, include: value as any };
setValue("attributes", newAttributes);
}}
position="popper"
>
{INCLUDE_OPTIONS.map((type) => (
<SelectItem key={type} value={type}>
{INCLUDE_TYPE_LABELS[type]}
</SelectItem>
))}
</Select>
<Select
value={attr.include}
onValueChange={(value) => {
const newAttributes = [...watchedAttributes];
newAttributes[index] = { ...attr, include: value as any };
setValue("attributes", newAttributes);
}}
className={`w-32 ${errorClass}`}
>
{INCLUDE_TYPE_OPTIONS.map((type) => (
<SelectItem key={type} value={type}>
{INCLUDE_TYPE_LABELS[type]}
</SelectItem>
))}
</Select>
<Input
placeholder="Pattern/Value (optional)"
value={attr.value?.[0] || ""}
onChange={(e) => {
const newAttributes = [...watchedAttributes];
newAttributes[index] = {
...attr,
value: e.target.value ? [e.target.value] : []
};
setValue("attributes", newAttributes);
}}
/>
<Input
placeholder="Pattern/Value (required - use * for wildcards)"
value={attr.value?.[0] || ""}
onChange={(e) => {
const newAttributes = [...watchedAttributes];
newAttributes[index] = {
...attr,
value: e.target.value.trim() ? [e.target.value.trim()] : []
};
setValue("attributes", newAttributes);
}}
className={`flex-1 ${errorClass} ${
attr.value && attr.value.length > 0 && attr.value[0] === ""
? "border-red-500 focus:border-red-500"
: ""
}`}
required
/>
</div>
</Tooltip>
) : (
<>
<Select
value={attr.type}
onValueChange={(value) => {
const newAttributes = [...watchedAttributes];
newAttributes[index] = { ...attr, type: value as any };
setValue("attributes", newAttributes);
}}
className="w-48"
>
{SUBJECT_ATTRIBUTE_TYPE_OPTIONS.map((type) => (
<SelectItem key={type} value={type}>
{ATTRIBUTE_TYPE_LABELS[type]}
</SelectItem>
))}
</Select>
<Select
value={attr.include}
onValueChange={(value) => {
const newAttributes = [...watchedAttributes];
newAttributes[index] = { ...attr, include: value as any };
setValue("attributes", newAttributes);
}}
className="w-32"
>
{INCLUDE_TYPE_OPTIONS.map((type) => (
<SelectItem key={type} value={type}>
{INCLUDE_TYPE_LABELS[type]}
</SelectItem>
))}
</Select>
<Input
placeholder="Pattern/Value (required - use * for wildcards)"
value={attr.value?.[0] || ""}
onChange={(e) => {
const newAttributes = [...watchedAttributes];
newAttributes[index] = {
...attr,
value: e.target.value.trim() ? [e.target.value.trim()] : []
};
setValue("attributes", newAttributes);
}}
className={`flex-1 ${
attr.value && attr.value.length > 0 && attr.value[0] === ""
? "border-red-500 focus:border-red-500"
: ""
}`}
required
/>
</>
)}
{watchedAttributes.length > 1 && (
<IconButton
ariaLabel="delete attribute"
ariaLabel="Remove Attribute"
variant="plain"
size="sm"
onClick={() => removeAttribute(index)}
>
<FontAwesomeIcon icon={faTrash} className="text-red-500" />
<FontAwesomeIcon icon={faTrash} />
</IconButton>
</div>
)}
</div>
))
);
})
)}
</div>
</div>
</AccordionContent>
</AccordionItem>
<AccordionItem value="san">
<AccordionItem value="san" className="mt-4">
<AccordionTrigger>Subject Alternative Names</AccordionTrigger>
<AccordionContent>
<div className="space-y-4">
@@ -445,6 +548,7 @@ export const CreateTemplateModal = ({ isOpen, onClose, template, mode = "create"
type="button"
onClick={addSan}
size="sm"
variant="outline_bg"
leftIcon={<FontAwesomeIcon icon={faPlus} />}
>
Add SAN
@@ -453,72 +557,72 @@ export const CreateTemplateModal = ({ isOpen, onClose, template, mode = "create"
<div className="space-y-2">
{watchedSans.length === 0 ? (
<div className="py-8 text-center text-bunker-300">
<div className="text-bunker-300 py-8 text-center">
No subject alternative names configured yet. Click &quot;Add SAN&quot; to
get started.
</div>
) : (
watchedSans.map((san, index) => (
<div
key={`san-${san.type}`}
className="flex flex-col space-y-4 rounded-md border border-mineshaft-600 p-4"
>
<div className="flex gap-3">
<Select
value={san.type}
onValueChange={(value) => {
const newSans = [...watchedSans];
newSans[index] = { ...san, type: value as any };
setValue("subjectAlternativeNames", newSans);
}}
position="popper"
>
{SAN_TYPES.map((type) => (
<SelectItem key={type} value={type}>
{SAN_TYPE_LABELS[type]}
</SelectItem>
))}
</Select>
<div key={`san-${san.type}-${san.include}-${index}`} className="flex items-start gap-2">
<Select
value={san.type}
onValueChange={(value) => {
const newSans = [...watchedSans];
newSans[index] = { ...san, type: value as any };
setValue("subjectAlternativeNames", newSans);
}}
className="w-24"
>
{SAN_TYPE_OPTIONS.map((type) => (
<SelectItem key={type} value={type}>
{SAN_TYPE_LABELS[type]}
</SelectItem>
))}
</Select>
<Select
value={san.include}
onValueChange={(value) => {
const newSans = [...watchedSans];
newSans[index] = { ...san, include: value as any };
setValue("subjectAlternativeNames", newSans);
}}
position="popper"
>
{INCLUDE_OPTIONS.map((type) => (
<SelectItem key={type} value={type}>
{INCLUDE_TYPE_LABELS[type]}
</SelectItem>
))}
</Select>
<Select
value={san.include}
onValueChange={(value) => {
const newSans = [...watchedSans];
newSans[index] = { ...san, include: value as any };
setValue("subjectAlternativeNames", newSans);
}}
className="w-32"
>
{INCLUDE_TYPE_OPTIONS.map((type) => (
<SelectItem key={type} value={type}>
{INCLUDE_TYPE_LABELS[type]}
</SelectItem>
))}
</Select>
<Input
placeholder="Pattern/Value (optional)"
value={san.value?.[0] || ""}
onChange={(e) => {
const newSans = [...watchedSans];
newSans[index] = {
...san,
value: e.target.value ? [e.target.value] : []
};
setValue("subjectAlternativeNames", newSans);
}}
/>
<div className="flex items-center justify-between">
<IconButton
onClick={() => removeSan(index)}
size="sm"
variant="plain"
ariaLabel="Remove SAN"
>
<FontAwesomeIcon icon={faTrash} className="text-red-500" />
</IconButton>
</div>
</div>
<Input
placeholder="Pattern/Value (required - use * for wildcards)"
value={san.value?.[0] || ""}
onChange={(e) => {
const newSans = [...watchedSans];
newSans[index] = {
...san,
value: e.target.value.trim() ? [e.target.value.trim()] : []
};
setValue("subjectAlternativeNames", newSans);
}}
className={`flex-1 ${
san.value && san.value.length > 0 && san.value[0] === ""
? "border-red-500 focus:border-red-500"
: ""
}`}
required
/>
<IconButton
ariaLabel="Remove SAN"
variant="plain"
size="sm"
onClick={() => removeSan(index)}
>
<FontAwesomeIcon icon={faTrash} />
</IconButton>
</div>
))
)}
@@ -527,19 +631,19 @@ export const CreateTemplateModal = ({ isOpen, onClose, template, mode = "create"
</AccordionContent>
</AccordionItem>
<AccordionItem value="usages">
<AccordionItem value="usages" className="mt-4">
<AccordionTrigger>Key Usages</AccordionTrigger>
<AccordionContent>
<KeyUsagesSection
watchedKeyUsages={watchedKeyUsages}
watchedExtendedKeyUsages={watchedExtendedKeyUsages}
toggleKeyUsage={toggleKeyUsage}
toggleExtendedKeyUsage={toggleExtendedKeyUsage}
onKeyUsagesChange={handleKeyUsagesChange}
onExtendedKeyUsagesChange={handleExtendedKeyUsagesChange}
/>
</AccordionContent>
</AccordionItem>
<AccordionItem value="constraints">
<AccordionItem value="constraints" className="mt-4">
<AccordionTrigger>Constraints</AccordionTrigger>
<AccordionContent>
<div className="space-y-4">
@@ -637,7 +741,7 @@ export const CreateTemplateModal = ({ isOpen, onClose, template, mode = "create"
/>
<label
htmlFor={`sig-alg-${alg}`}
className="cursor-pointer text-sm font-medium text-mineshaft-200"
className="text-mineshaft-200 cursor-pointer text-sm font-medium"
>
{alg}
</label>
@@ -717,7 +821,7 @@ export const CreateTemplateModal = ({ isOpen, onClose, template, mode = "create"
/>
<label
htmlFor={`key-alg-${alg}`}
className="cursor-pointer text-sm font-medium text-mineshaft-200"
className="text-mineshaft-200 cursor-pointer text-sm font-medium"
>
{alg}
</label>
@@ -765,6 +869,11 @@ export const CreateTemplateModal = ({ isOpen, onClose, template, mode = "create"
type="submit"
colorSchema="primary"
isLoading={isEdit ? updateTemplate.isPending : createTemplate.isPending}
isDisabled={
!formState.isValid ||
!attributeValidation.isValid ||
(isEdit ? updateTemplate.isPending : createTemplate.isPending)
}
>
{isEdit ? "Save Changes" : "Create"}
</Button>

18
frontend/src/pages/cert-manager/PoliciesPage/components/CertificateTemplatesV2Tab/TemplateList.tsx
View File

@@ -56,14 +56,6 @@ export const TemplateList = ({ onEditTemplate, onDeleteTemplate }: Props) => {
return new Date(dateString).toLocaleDateString();
};
if (isLoading) {
return <TableSkeleton columns={4} innerKey="certificate-templates" />;
}
if (!templates || templates.length === 0) {
return <EmptyState title="No Certificate Templates" />;
}
return (
<TableContainer>
<Table>
@@ -75,7 +67,15 @@ export const TemplateList = ({ onEditTemplate, onDeleteTemplate }: Props) => {
</Tr>
</THead>
<TBody>
{templates.map((template) => (
{isLoading && <TableSkeleton columns={3} innerKey="certificate-templates" />}
{!isLoading && (!templates || templates.length === 0) && (
<Tr>
<Td colSpan={3}>
<EmptyState title="No Certificate Templates" />
</Td>
</Tr>
)}
{!isLoading && templates && templates.length > 0 && templates.map((template) => (
<Tr
key={template.id}
className="h-10 transition-colors duration-100 hover:bg-mineshaft-700"

164
frontend/src/pages/cert-manager/PoliciesPage/components/CertificateTemplatesV2Tab/shared/certificate-constants.ts Normal file
View File

@@ -0,0 +1,164 @@
export enum CertSubjectAlternativeNameType {
DNS_NAME = "dns_name",
IP_ADDRESS = "ip_address",
EMAIL = "email",
URI = "uri"
}
export enum CertKeyUsageType {
DIGITAL_SIGNATURE = "digital_signature",
KEY_ENCIPHERMENT = "key_encipherment",
NON_REPUDIATION = "non_repudiation",
DATA_ENCIPHERMENT = "data_encipherment",
KEY_AGREEMENT = "key_agreement",
KEY_CERT_SIGN = "key_cert_sign",
CRL_SIGN = "crl_sign",
ENCIPHER_ONLY = "encipher_only",
DECIPHER_ONLY = "decipher_only"
}
export enum CertExtendedKeyUsageType {
CLIENT_AUTH = "client_auth",
SERVER_AUTH = "server_auth",
CODE_SIGNING = "code_signing",
EMAIL_PROTECTION = "email_protection",
OCSP_SIGNING = "ocsp_signing",
TIME_STAMPING = "time_stamping"
}
export enum CertIncludeType {
MANDATORY = "mandatory",
OPTIONAL = "optional",
PROHIBIT = "prohibit"
}
export enum CertDurationUnit {
DAYS = "days",
MONTHS = "months",
YEARS = "years"
}
export enum CertSubjectAttributeType {
COMMON_NAME = "common_name"
}
export const formatSANType = (type: CertSubjectAlternativeNameType): string => {
switch (type) {
case CertSubjectAlternativeNameType.DNS_NAME:
return "DNS Name";
case CertSubjectAlternativeNameType.IP_ADDRESS:
return "IP Address";
case CertSubjectAlternativeNameType.EMAIL:
return "Email";
case CertSubjectAlternativeNameType.URI:
return "URI";
default:
return type;
}
};
export const formatKeyUsage = (usage: CertKeyUsageType): string => {
switch (usage) {
case CertKeyUsageType.DIGITAL_SIGNATURE:
return "Digital Signature";
case CertKeyUsageType.KEY_ENCIPHERMENT:
return "Key Encipherment";
case CertKeyUsageType.NON_REPUDIATION:
return "Non Repudiation";
case CertKeyUsageType.DATA_ENCIPHERMENT:
return "Data Encipherment";
case CertKeyUsageType.KEY_AGREEMENT:
return "Key Agreement";
case CertKeyUsageType.KEY_CERT_SIGN:
return "Key Cert Sign";
case CertKeyUsageType.CRL_SIGN:
return "CRL Sign";
case CertKeyUsageType.ENCIPHER_ONLY:
return "Encipher Only";
case CertKeyUsageType.DECIPHER_ONLY:
return "Decipher Only";
default:
return usage;
}
};
export const formatExtendedKeyUsage = (usage: CertExtendedKeyUsageType): string => {
switch (usage) {
case CertExtendedKeyUsageType.CLIENT_AUTH:
return "Client Auth";
case CertExtendedKeyUsageType.SERVER_AUTH:
return "Server Auth";
case CertExtendedKeyUsageType.CODE_SIGNING:
return "Code Signing";
case CertExtendedKeyUsageType.EMAIL_PROTECTION:
return "Email Protection";
case CertExtendedKeyUsageType.OCSP_SIGNING:
return "OCSP Signing";
case CertExtendedKeyUsageType.TIME_STAMPING:
return "Time Stamping";
default:
return usage;
}
};
export const formatSubjectAttributeType = (type: CertSubjectAttributeType): string => {
switch (type) {
case CertSubjectAttributeType.COMMON_NAME:
return "Common Name";
default:
return type;
}
};
export const formatIncludeType = (include: CertIncludeType): string => {
switch (include) {
case CertIncludeType.MANDATORY:
return "Mandatory";
case CertIncludeType.OPTIONAL:
return "Optional";
case CertIncludeType.PROHIBIT:
return "Prohibit";
default:
return include;
}
};
export const mapLegacySANTypeToStandard = (type: string): CertSubjectAlternativeNameType => {
switch (type) {
case "dns":
case "dns_name":
return CertSubjectAlternativeNameType.DNS_NAME;
case "ip":
case "ip_address":
return CertSubjectAlternativeNameType.IP_ADDRESS;
case "email":
return CertSubjectAlternativeNameType.EMAIL;
case "uri":
case "url":
return CertSubjectAlternativeNameType.URI;
default:
throw new Error(`Unknown SAN type: ${type}`);
}
};
export const mapSANTypeToLegacy = (type: CertSubjectAlternativeNameType): string => {
switch (type) {
case CertSubjectAlternativeNameType.DNS_NAME:
return "dns";
case CertSubjectAlternativeNameType.IP_ADDRESS:
return "ip";
case CertSubjectAlternativeNameType.EMAIL:
return "email";
case CertSubjectAlternativeNameType.URI:
return "uri";
default:
return type;
}
};
export const SAN_TYPE_OPTIONS = Object.values(CertSubjectAlternativeNameType);
export const KEY_USAGE_OPTIONS = Object.values(CertKeyUsageType);
export const EXTENDED_KEY_USAGE_OPTIONS = Object.values(CertExtendedKeyUsageType);
export const INCLUDE_TYPE_OPTIONS = Object.values(CertIncludeType);
export const DURATION_UNIT_OPTIONS = Object.values(CertDurationUnit);
export const SUBJECT_ATTRIBUTE_TYPE_OPTIONS = Object.values(CertSubjectAttributeType);

237
frontend/src/pages/cert-manager/PoliciesPage/components/CertificateTemplatesV2Tab/shared/components.tsx
View File

@@ -1,141 +1,152 @@
import { Button } from "@app/components/v2";
import { Checkbox } from "@app/components/v2";
import {
EXTENDED_KEY_USAGES,
formatUsageName,
getUsageState,
KEY_USAGES,
toggleUsageState
} from "./utils";
CertExtendedKeyUsageType,
CertKeyUsageType,
formatExtendedKeyUsage,
formatKeyUsage,
EXTENDED_KEY_USAGE_OPTIONS,
KEY_USAGE_OPTIONS
} from "./certificate-constants";
type UsageToggleProps = {
value: "required" | "optional" | undefined;
onChange: (value: "required" | "optional" | undefined) => void;
type UsageState = "mandatory" | "optional" | undefined;
type ThreeStateCheckboxProps = {
value: UsageState;
onChange: (newValue: UsageState) => void;
label: string;
id: string;
};
export const UsageToggle = ({ value, onChange }: UsageToggleProps) => {
const ThreeStateCheckbox = ({ value, onChange, label, id }: ThreeStateCheckboxProps) => {
const handleClick = () => {
if (value === undefined) {
onChange("optional");
} else if (value === "optional") {
onChange("mandatory");
} else {
onChange(undefined);
}
};
const getCheckboxState = () => {
if (value) return true;
return false;
};
const getIndeterminateState = () => {
return value === "optional";
};
const getStateLabel = () => {
if (value === "mandatory") return " (Mandatory)";
if (value === "optional") return " (Optional)";
return "";
};
return (
<div className="border-mineshaft-600 bg-mineshaft-800 flex gap-x-0.5 rounded-md border p-1">
<Button
variant="outline_bg"
onClick={() => {
onChange(value === "required" ? undefined : "required");
}}
size="xs"
className={`${
value === "required" ? "bg-mineshaft-500" : "bg-transparent"
} hover:bg-mineshaft-600 min-w-[2.4rem] rounded border-none`}
<div className="flex items-center space-x-3">
<Checkbox
id={id}
isChecked={getCheckboxState()}
isIndeterminate={getIndeterminateState()}
onCheckedChange={handleClick}
/>
<label
htmlFor={id}
className="text-mineshaft-200 cursor-pointer text-sm font-medium"
>
Required
</Button>
<Button
variant="outline_bg"
onClick={() => {
onChange(value === "optional" ? undefined : "optional");
}}
size="xs"
className={`${
value === "optional" ? "bg-mineshaft-500" : "bg-transparent"
} hover:bg-mineshaft-600 min-w-[2.4rem] rounded border-none`}
>
Optional
</Button>
{label}
{value && (
<span className="text-mineshaft-400 text-xs ml-1">
{getStateLabel()}
</span>
)}
</label>
</div>
);
};
type KeyUsagesSectionProps = {
watchedKeyUsages?: {
requiredUsages?: string[];
optionalUsages?: string[];
};
watchedExtendedKeyUsages?: {
requiredUsages?: string[];
optionalUsages?: string[];
};
toggleKeyUsage: (usage: string, type: "required" | "optional") => void;
toggleExtendedKeyUsage: (usage: string, type: "required" | "optional") => void;
watchedKeyUsages?: { requiredUsages?: string[]; optionalUsages?: string[] };
watchedExtendedKeyUsages?: { requiredUsages?: string[]; optionalUsages?: string[] };
onKeyUsagesChange: (usages: { requiredUsages: string[]; optionalUsages: string[] }) => void;
onExtendedKeyUsagesChange: (usages: { requiredUsages: string[]; optionalUsages: string[] }) => void;
};
export const KeyUsagesSection = ({
watchedKeyUsages,
watchedExtendedKeyUsages,
toggleKeyUsage,
toggleExtendedKeyUsage
watchedKeyUsages = { requiredUsages: [], optionalUsages: [] },
watchedExtendedKeyUsages = { requiredUsages: [], optionalUsages: [] },
onKeyUsagesChange,
onExtendedKeyUsagesChange
}: KeyUsagesSectionProps) => {
const getUsageState = (usage: string, data: { requiredUsages?: string[]; optionalUsages?: string[] }): UsageState => {
if (data.requiredUsages?.includes(usage)) return "mandatory";
if (data.optionalUsages?.includes(usage)) return "optional";
return undefined;
};
const handleKeyUsageChange = (usage: CertKeyUsageType, newState: UsageState) => {
const currentRequired = watchedKeyUsages.requiredUsages || [];
const currentOptional = watchedKeyUsages.optionalUsages || [];
let newRequired = currentRequired.filter(u => u !== usage);
let newOptional = currentOptional.filter(u => u !== usage);
if (newState === "mandatory") {
newRequired = [...newRequired, usage];
} else if (newState === "optional") {
newOptional = [...newOptional, usage];
}
onKeyUsagesChange({ requiredUsages: newRequired, optionalUsages: newOptional });
};
const handleExtendedKeyUsageChange = (usage: CertExtendedKeyUsageType, newState: UsageState) => {
const currentRequired = watchedExtendedKeyUsages.requiredUsages || [];
const currentOptional = watchedExtendedKeyUsages.optionalUsages || [];
let newRequired = currentRequired.filter(u => u !== usage);
let newOptional = currentOptional.filter(u => u !== usage);
if (newState === "mandatory") {
newRequired = [...newRequired, usage];
} else if (newState === "optional") {
newOptional = [...newOptional, usage];
}
onExtendedKeyUsagesChange({ requiredUsages: newRequired, optionalUsages: newOptional });
};
return (
<div className="space-y-6">
<div className="space-y-3">
<h3 className="text-mineshaft-200 text-sm font-medium">Key Usages</h3>
<div className="grid grid-cols-2 gap-3">
{KEY_USAGES.map((usage) => {
const requiredUsages = Array.isArray(watchedKeyUsages?.requiredUsages)
? watchedKeyUsages.requiredUsages
: [];
const optionalUsages = Array.isArray(watchedKeyUsages?.optionalUsages)
? watchedKeyUsages.optionalUsages
: [];
const currentState = getUsageState(usage, requiredUsages, optionalUsages);
return (
<div key={usage} className="flex items-center justify-between p-2">
<span className="text-mineshaft-300 text-sm capitalize">
{formatUsageName(usage)}
</span>
<UsageToggle
value={currentState}
onChange={(newValue) => {
toggleUsageState(
usage,
newValue,
requiredUsages,
optionalUsages,
(u) => toggleKeyUsage(u, "required"),
(u) => toggleKeyUsage(u, "optional")
);
}}
/>
</div>
);
})}
<div className="grid grid-cols-2 gap-2 pl-2">
{KEY_USAGE_OPTIONS.map((usage) => (
<ThreeStateCheckbox
key={usage}
id={`key-usage-${usage}`}
label={formatKeyUsage(usage)}
value={getUsageState(usage, watchedKeyUsages)}
onChange={(newState) => handleKeyUsageChange(usage, newState)}
/>
))}
</div>
</div>
<div className="space-y-3">
<h3 className="text-mineshaft-200 text-sm font-medium">Extended Key Usages</h3>
<div className="grid grid-cols-2 gap-3">
{EXTENDED_KEY_USAGES.map((usage) => {
const requiredUsages = Array.isArray(watchedExtendedKeyUsages?.requiredUsages)
? watchedExtendedKeyUsages.requiredUsages
: [];
const optionalUsages = Array.isArray(watchedExtendedKeyUsages?.optionalUsages)
? watchedExtendedKeyUsages.optionalUsages
: [];
const currentState = getUsageState(usage, requiredUsages, optionalUsages);
return (
<div key={usage} className="flex items-center justify-between p-2">
<span className="text-mineshaft-300 text-sm capitalize">
{formatUsageName(usage)}
</span>
<UsageToggle
value={currentState}
onChange={(newValue) => {
toggleUsageState(
usage,
newValue,
requiredUsages,
optionalUsages,
(u) => toggleExtendedKeyUsage(u, "required"),
(u) => toggleExtendedKeyUsage(u, "optional")
);
}}
/>
</div>
);
})}
<div className="grid grid-cols-2 gap-2 pl-2">
{EXTENDED_KEY_USAGE_OPTIONS.map((usage) => (
<ThreeStateCheckbox
key={usage}
id={`ext-key-usage-${usage}`}
label={formatExtendedKeyUsage(usage)}
value={getUsageState(usage, watchedExtendedKeyUsages)}
onChange={(newState) => handleExtendedKeyUsageChange(usage, newState)}
/>
))}
</div>
</div>
</div>

59
frontend/src/pages/cert-manager/PoliciesPage/components/CertificateTemplatesV2Tab/shared/schemas.ts
View File

@@ -1,33 +1,64 @@
import { z } from "zod";
import { INCLUDE_OPTIONS, SAN_TYPES, SUBJECT_ATTRIBUTE_TYPES } from "./utils";
import {
CertDurationUnit,
CertExtendedKeyUsageType,
CertIncludeType,
CertKeyUsageType,
CertSubjectAlternativeNameType,
CertSubjectAttributeType
} from "./certificate-constants";
export const attributeSchema = z.object({
type: z.enum(SUBJECT_ATTRIBUTE_TYPES),
include: z.enum(INCLUDE_OPTIONS),
value: z.array(z.string()).optional()
type: z.nativeEnum(CertSubjectAttributeType),
include: z.nativeEnum(CertIncludeType),
value: z.array(z.string().min(1, "Value cannot be empty")).optional()
});
export const sanSchema = z.object({
type: z.enum(SAN_TYPES),
include: z.enum(INCLUDE_OPTIONS),
value: z.array(z.string()).optional()
type: z.nativeEnum(CertSubjectAlternativeNameType),
include: z.nativeEnum(CertIncludeType),
value: z.array(z.string().min(1, "Value cannot be empty")).optional()
});
export const templateSchema = z.object({
slug: z.string().trim().min(1, "Template name is required"),
description: z.string().optional(),
attributes: z.array(attributeSchema).optional(),
attributes: z.array(attributeSchema).optional().refine((attributes) => {
if (!attributes) return true;
const attributesByType = attributes.reduce((acc, attr) => {
if (!acc[attr.type]) acc[attr.type] = [];
acc[attr.type].push(attr);
return acc;
}, {} as Record<string, typeof attributes>);
for (const [, attrs] of Object.entries(attributesByType)) {
const mandatoryAttrs = attrs.filter(attr => attr.include === 'mandatory');
if (mandatoryAttrs.length > 1) {
return false;
}
if (mandatoryAttrs.length === 1 && attrs.length > 1) {
return false;
}
}
return true;
}, {
message: "Attribute validation failed: when a mandatory value exists, no other values are allowed for that attribute type"
}),
keyUsages: z
.object({
requiredUsages: z.array(z.string()).optional(),
optionalUsages: z.array(z.string()).optional()
requiredUsages: z.array(z.nativeEnum(CertKeyUsageType)).optional(),
optionalUsages: z.array(z.nativeEnum(CertKeyUsageType)).optional()
})
.optional(),
extendedKeyUsages: z
.object({
requiredUsages: z.array(z.string()).optional(),
optionalUsages: z.array(z.string()).optional()
requiredUsages: z.array(z.nativeEnum(CertExtendedKeyUsageType)).optional(),
optionalUsages: z.array(z.nativeEnum(CertExtendedKeyUsageType)).optional()
})
.optional(),
subjectAlternativeNames: z.array(sanSchema).optional(),
@@ -36,13 +67,13 @@ export const templateSchema = z.object({
maxDuration: z
.object({
value: z.number().min(1, "Duration must be at least 1"),
unit: z.enum(["days", "months", "years"])
unit: z.nativeEnum(CertDurationUnit)
})
.optional(),
minDuration: z
.object({
value: z.number().min(1, "Duration must be at least 1"),
unit: z.enum(["days", "months", "years"])
unit: z.nativeEnum(CertDurationUnit)
})
.optional()
})

68
frontend/src/pages/cert-manager/PoliciesPage/components/CertificateTemplatesV2Tab/shared/utils.ts
View File

@@ -1,47 +1,27 @@
export const KEY_USAGES = [
"digital_signature",
"key_encipherment",
"non_repudiation",
"data_encipherment",
"key_agreement",
"key_cert_sign",
"crl_sign",
"encipher_only",
"decipher_only"
] as const;
export const EXTENDED_KEY_USAGES = [
"client_auth",
"server_auth",
"code_signing",
"email_protection",
"ocsp_signing",
"time_stamping"
] as const;
export const SUBJECT_ATTRIBUTE_TYPES = [
"common_name",
"organization_name",
"organization_unit",
"locality",
"state",
"country",
"email",
"street_address",
"postal_code"
] as const;
export const SAN_TYPES = ["dns_name", "ip_address", "email", "uri"] as const;
export const INCLUDE_OPTIONS = ["mandatory", "optional", "prohibit"] as const;
import {
CertExtendedKeyUsageType,
CertKeyUsageType,
formatExtendedKeyUsage,
formatKeyUsage
} from "./certificate-constants";
export const formatUsageName = (usage: string): string => {
try {
if (Object.values(CertKeyUsageType).includes(usage as CertKeyUsageType)) {
return formatKeyUsage(usage as CertKeyUsageType);
}
if (Object.values(CertExtendedKeyUsageType).includes(usage as CertExtendedKeyUsageType)) {
return formatExtendedKeyUsage(usage as CertExtendedKeyUsageType);
}
} catch {
}
return usage.replace(/_/g, " ");
};
export const getUsageState = (
usage: string,
requiredUsages: string[],
optionalUsages: string[]
usage: CertKeyUsageType | CertExtendedKeyUsageType,
requiredUsages: (CertKeyUsageType | CertExtendedKeyUsageType)[],
optionalUsages: (CertKeyUsageType | CertExtendedKeyUsageType)[]
): "required" | "optional" | undefined => {
if (requiredUsages.includes(usage)) return "required";
if (optionalUsages.includes(usage)) return "optional";
@@ -49,12 +29,12 @@ export const getUsageState = (
};
export const toggleUsageState = (
usage: string,
usage: CertKeyUsageType | CertExtendedKeyUsageType,
newState: "required" | "optional" | undefined,
currentRequiredUsages: string[],
currentOptionalUsages: string[],
toggleRequired: (usage: string) => void,
toggleOptional: (usage: string) => void
currentRequiredUsages: (CertKeyUsageType | CertExtendedKeyUsageType)[],
currentOptionalUsages: (CertKeyUsageType | CertExtendedKeyUsageType)[],
toggleRequired: (usage: CertKeyUsageType | CertExtendedKeyUsageType) => void,
toggleOptional: (usage: CertKeyUsageType | CertExtendedKeyUsageType) => void
) => {
const isRequired = currentRequiredUsages.includes(usage);
const isOptional = currentOptionalUsages.includes(usage);

57
frontend/src/pages/project/RoleDetailsBySlugPage/components/ProjectRoleModifySection.utils.tsx
View File

@@ -7,6 +7,7 @@ import { Tooltip } from "@app/components/v2";
import {
ProjectPermissionActions,
ProjectPermissionCertificateActions,
ProjectPermissionCertificateProfileActions,
ProjectPermissionCmekActions,
ProjectPermissionSub
} from "@app/context";
@@ -215,6 +216,13 @@ const PkiTemplatePolicyActionSchema = z.object({
[ProjectPermissionPkiTemplateActions.IssueCert]: z.boolean().optional(),
[ProjectPermissionPkiTemplateActions.ListCerts]: z.boolean().optional()
});
const CertificateProfilePolicyActionSchema = z.object({
[ProjectPermissionCertificateProfileActions.Read]: z.boolean().optional(),
[ProjectPermissionCertificateProfileActions.Create]: z.boolean().optional(),
[ProjectPermissionCertificateProfileActions.Edit]: z.boolean().optional(),
[ProjectPermissionCertificateProfileActions.Delete]: z.boolean().optional(),
[ProjectPermissionCertificateProfileActions.IssueCert]: z.boolean().optional()
});
const SecretEventsPolicyActionSchema = z.object({
[ProjectPermissionSecretEventActions.SubscribeCreated]: z.boolean().optional(),
@@ -385,6 +393,12 @@ export const projectRoleFormSchema = z.object({
})
.array()
.default([]),
[ProjectPermissionSub.CertificateProfiles]: CertificateProfilePolicyActionSchema.extend({
inverted: z.boolean().optional(),
conditions: ConditionSchema
})
.array()
.default([]),
[ProjectPermissionSub.SshCertificateAuthorities]: GeneralPolicyActionSchema.array().default(
[]
),
@@ -465,6 +479,7 @@ export const isConditionalSubjects = (
subject === ProjectPermissionSub.SecretRotation ||
subject === ProjectPermissionSub.PkiSubscribers ||
subject === ProjectPermissionSub.CertificateTemplates ||
subject === ProjectPermissionSub.CertificateProfiles ||
subject === ProjectPermissionSub.SecretSyncs ||
subject === ProjectPermissionSub.PkiSyncs ||
subject === ProjectPermissionSub.SecretEvents ||
@@ -808,7 +823,9 @@ export const rolePermission2Form = (permissions: TProjectPermission[] = []) => {
const canDelete = action.includes(ProjectPermissionActions.Delete);
const canCreate = action.includes(ProjectPermissionActions.Create);
if (!formVal[subject]) formVal[subject] = [{}];
if (!formVal[subject]) {
formVal[subject] = [{ conditions: [] }];
}
if (canRead) formVal[subject as ProjectPermissionSub.Member]![0].read = true;
if (canEdit) formVal[subject as ProjectPermissionSub.Member]![0].edit = true;
if (canCreate) formVal[subject as ProjectPermissionSub.Member]![0].create = true;
@@ -1138,6 +1155,33 @@ export const rolePermission2Form = (permissions: TProjectPermission[] = []) => {
conditions: conditions ? convertCaslConditionToFormOperator(conditions) : [],
inverted
});
return;
}
if (subject === ProjectPermissionSub.CertificateProfiles) {
if (!formVal[subject]) formVal[subject] = [];
formVal[subject]!.push({
[ProjectPermissionCertificateProfileActions.Edit]: action.includes(
ProjectPermissionCertificateProfileActions.Edit
),
[ProjectPermissionCertificateProfileActions.Delete]: action.includes(
ProjectPermissionCertificateProfileActions.Delete
),
[ProjectPermissionCertificateProfileActions.Create]: action.includes(
ProjectPermissionCertificateProfileActions.Create
),
[ProjectPermissionCertificateProfileActions.Read]: action.includes(
ProjectPermissionCertificateProfileActions.Read
),
[ProjectPermissionCertificateProfileActions.IssueCert]: action.includes(
ProjectPermissionCertificateProfileActions.IssueCert
),
conditions: conditions ? convertCaslConditionToFormOperator(conditions) : [],
inverted
});
return;
}
if (subject === ProjectPermissionSub.PamAccounts) {
@@ -1522,6 +1566,16 @@ export const PROJECT_PERMISSION_OBJECT: TProjectPermissionObject = {
{ label: "List Certificates", value: ProjectPermissionPkiTemplateActions.ListCerts }
]
},
[ProjectPermissionSub.CertificateProfiles]: {
title: "Certificate Profiles",
actions: [
{ label: "Read", value: ProjectPermissionCertificateProfileActions.Read },
{ label: "Create", value: ProjectPermissionCertificateProfileActions.Create },
{ label: "Modify", value: ProjectPermissionCertificateProfileActions.Edit },
{ label: "Remove", value: ProjectPermissionCertificateProfileActions.Delete },
{ label: "Issue Certificates", value: ProjectPermissionCertificateProfileActions.IssueCert }
]
},
[ProjectPermissionSub.SshCertificateAuthorities]: {
title: "SSH Certificate Authorities",
actions: [
@@ -1869,6 +1923,7 @@ const CertificateManagerPermissionSubjects = (enabled = false) => ({
[ProjectPermissionSub.PkiSyncs]: enabled,
[ProjectPermissionSub.CertificateAuthorities]: enabled,
[ProjectPermissionSub.CertificateTemplates]: enabled,
[ProjectPermissionSub.CertificateProfiles]: enabled,
[ProjectPermissionSub.Certificates]: enabled
});