Merge remote-tracking branch 'origin/main' into misc/revamp-pki-apis

2026-01-08 23:18:05 -05:00 · 2025-11-26 04:30:18 +08:00
parent d434d4ec70 4aa945f0a5
commit ceafaf5623
79 changed files with 1769 additions and 525 deletions
--- a/backend/bdd/features/pki/acme/external-ca.feature
+++ b/backend/bdd/features/pki/acme/external-ca.feature
@@ -1,6 +1,7 @@
 Feature: External CA

-  Scenario: Issue a certificate from an external CA
+  @cloudflare
+  Scenario Outline: Issue a certificate from an external CA with Cloudflare
    Given I create a Cloudflare connection as cloudflare
    Then I memorize cloudflare with jq ".appConnection.id" as app_conn_id
    Given I create a external ACME CA with the following config as ext_ca
@@ -92,9 +93,7 @@ Feature: External CA
    When I create certificate signing request as csr
    Then I add names to certificate signing request csr
      """
-      {
-        "COMMON_NAME": "localhost"
-      }
+      <subject>
      """
    # Pebble has a strict rule to only takes SANs
    Then I add subject alternative name to certificate signing request csr
@@ -177,4 +176,196 @@ Feature: External CA
      [
        "localhost"
      ]
-      """
+      """
+
+    Examples:
+      | subject                      |
+      | {"COMMON_NAME": "localhost"} |
+      | {}                           |
+
+  @dnsme
+  Scenario Outline: Issue a certificate from an external CA with DNS Made Easy
+    Given I create a DNS Made Easy connection as dnsme
+    Then I memorize dnsme with jq ".appConnection.id" as app_conn_id
+    Given I create a external ACME CA with the following config as ext_ca
+      """
+      {
+        "dnsProviderConfig": {
+            "provider": "dns-made-easy",
+            "hostedZoneId": "MOCK_ZONE_ID"
+        },
+        "directoryUrl": "{PEBBLE_URL}",
+        "accountEmail": "fangpen@infisical.com",
+        "dnsAppConnectionId": "{app_conn_id}",
+        "eabKid": "",
+        "eabHmacKey": ""
+      }
+      """
+    Then I memorize ext_ca with jq ".id" as ext_ca_id
+    Given I create a certificate template with the following config as cert_template
+      """
+      {
+        "subject": [
+          {
+            "type": "common_name",
+            "allowed": [
+              "*"
+            ]
+          }
+        ],
+        "sans": [
+          {
+            "type": "dns_name",
+            "allowed": [
+              "*"
+            ]
+          }
+        ],
+        "keyUsages": {
+          "required": [],
+          "allowed": [
+            "digital_signature",
+            "key_encipherment",
+            "non_repudiation",
+            "data_encipherment",
+            "key_agreement",
+            "key_cert_sign",
+            "crl_sign",
+            "encipher_only",
+            "decipher_only"
+          ]
+        },
+        "extendedKeyUsages": {
+          "required": [],
+          "allowed": [
+            "client_auth",
+            "server_auth",
+            "code_signing",
+            "email_protection",
+            "ocsp_signing",
+            "time_stamping"
+          ]
+        },
+        "algorithms": {
+          "signature": [
+            "SHA256-RSA",
+            "SHA512-RSA",
+            "SHA384-ECDSA",
+            "SHA384-RSA",
+            "SHA256-ECDSA",
+            "SHA512-ECDSA"
+          ],
+          "keyAlgorithm": [
+            "RSA-2048",
+            "RSA-4096",
+            "ECDSA-P384",
+            "RSA-3072",
+            "ECDSA-P256",
+            "ECDSA-P521"
+          ]
+        },
+        "validity": {
+          "max": "365d"
+        }
+      }
+      """
+    Then I memorize cert_template with jq ".certificateTemplate.id" as cert_template_id
+    Given I create an ACME profile with ca {ext_ca_id} and template {cert_template_id} as "acme_profile"
+    When I have an ACME client connecting to "{BASE_URL}/api/v1/pki/acme/profiles/{acme_profile.id}/directory"
+    Then I register a new ACME account with email fangpen@infisical.com and EAB key id "{acme_profile.eab_kid}" with secret "{acme_profile.eab_secret}" as acme_account
+    When I create certificate signing request as csr
+    Then I add names to certificate signing request csr
+      """
+      <subject>
+      """
+    # Pebble has a strict rule to only takes SANs
+    Then I add subject alternative name to certificate signing request csr
+      """
+      [
+        "localhost"
+      ]
+      """
+    And I create a RSA private key pair as cert_key
+    And I sign the certificate signing request csr with private key cert_key and output it as csr_pem in PEM format
+    And I submit the certificate signing request PEM csr_pem certificate order to the ACME server as order
+    And I select challenge with type http-01 for domain localhost from order in order as challenge
+    And I serve challenge response for challenge at localhost
+    And I tell ACME server that challenge is ready to be verified
+    Given I intercept outgoing requests
+      """
+      [
+        {
+          "scope": "https://api.dnsmadeeasy.com:443",
+          "method": "POST",
+          "path": "/V2.0/dns/managed/MOCK_ZONE_ID/records",
+          "status": 201,
+          "response": {
+            "gtdLocation": "DEFAULT",
+            "failed": false,
+            "monitor": false,
+            "failover": false,
+            "sourceId": 895364,
+            "dynamicDns": false,
+            "hardLink": false,
+            "ttl": 60,
+            "source": 1,
+            "name": "_acme-challenge",
+            "value": "\"MOCK_HTTP_01_VALUE\"",
+            "id": 12345678,
+            "type": "TXT"
+          },
+          "responseIsBinary": false
+        },
+        {
+          "scope": "https://api.dnsmadeeasy.com:443",
+          "method": "GET",
+          "path": "/V2.0/dns/managed/MOCK_ZONE_ID/records?type=TXT&recordName=_acme-challenge&page=0",
+          "status": 200,
+          "response": {
+            "totalRecords": 1,
+            "totalPages": 1,
+            "data": [
+              {
+                "gtdLocation": "DEFAULT",
+                "failed": false,
+                "monitor": false,
+                "failover": false,
+                "sourceId": 895364,
+                "dynamicDns": false,
+                "hardLink": false,
+                "ttl": 60,
+                "source": 1,
+                "name": "_acme-challenge",
+                "value": "\"MOCK_CHALLENGE_VALUE\"",
+                "id": 1111111,
+                "type": "TXT"
+              }
+            ],
+            "page": 0
+          },
+          "responseIsBinary": false
+        },
+        {
+          "scope": "https://api.dnsmadeeasy.com:443",
+          "method": "DELETE",
+          "path": "/V2.0/dns/managed/MOCK_ZONE_ID/records/1111111",
+          "status": 200,
+          "response": "",
+          "responseIsBinary": false
+        }
+      ]
+      """
+    Then I poll and finalize the ACME order order as finalized_order
+    And the value finalized_order.body with jq ".status" should be equal to "valid"
+    And I parse the full-chain certificate from order finalized_order as cert
+    And the value cert with jq "[.extensions.subjectAltName.general_names.[].value] | sort" should be equal to json
+      """
+      [
+        "localhost"
+      ]
+      """
+
+    Examples:
+      | subject                      |
+      | {"COMMON_NAME": "localhost"} |
+      | {}                           |
--- a/backend/bdd/features/steps/pki_acme.py
+++ b/backend/bdd/features/steps/pki_acme.py
@@ -147,6 +147,40 @@ def step_impl(context: Context, var_name: str):
    context.vars[var_name] = response


+@given("I create a DNS Made Easy connection as {var_name}")
+def step_impl(context: Context, var_name: str):
+    jwt_token = context.vars["AUTH_TOKEN"]
+    conn_slug = faker.slug()
+    with with_nocks(
+        context,
+        definitions=[
+            {
+                "scope": "https://api.dnsmadeeasy.com:443",
+                "method": "GET",
+                "path": "/V2.0/dns/managed/",
+                "status": 200,
+                "response": {"totalRecords": 0, "totalPages": 1, "data": [], "page": 0},
+                "responseIsBinary": False,
+            }
+        ],
+    ):
+        response = context.http_client.post(
+            "/api/v1/app-connections/dns-made-easy",
+            headers=dict(authorization="Bearer {}".format(jwt_token)),
+            json={
+                "name": conn_slug,
+                "description": "",
+                "method": "api-key-secret",
+                "credentials": {
+                    "apiKey": "MOCK_API_KEY",
+                    "secretKey": "MOCK_SECRET_KEY",
+                },
+            },
+        )
+    response.raise_for_status()
+    context.vars[var_name] = response
+
+
@given("I create a external ACME CA with the following config as {var_name}")
 def step_impl(context: Context, var_name: str):
    jwt_token = context.vars["AUTH_TOKEN"]