3keycompany / czertainly-interfaces
CZERTAINLY - interfaces definitions and common objects for the platform
Home Page: https://www.czertainly.com
License: MIT License
The Core-Interfaces provides the validation methods for attributes:
https://github.com/3KeyCompany/CZERTAINLY-Interfaces/blob/develop/src/main/java/com/czertainly/core/util/AttributeDefinitionUtils.java
When the attribute is wrong, for example it is required but missing, the exception is sent back with the name of the attribute that is wrong:
errors.add(ValidationError.create("Required attribute {} not found.", definition.getName()));
To improve the user experience, we should send back both the name and the label, because users operating on the web interfaces see only the labels of the attributes.
Add new attribute content type for storing code snippets.
Requirements:
Define new API routes used to manage custom attributes.
Requirements:
Credential attribute content data is CredentialDto, which contains secret attribute content as ResponseAttributeDto. Since we introduced a custom serializer for ResponseAttributeDto, it is masked in Credential attribute content even when sent to the connector, which results in a null pointer when using the secret in the credential.
CredentialAttributeContentData needs to be created which will not contain ResponseAttributeDto, to prevent masking.
Add endpoint used to identify certificate by authority by the sent certificate content. It is used to identify certificate that is migrated to the authority to retrieve attributes/metadata necessary to perform certificate operations.
Response:
404 - certificate is unknown to authority or does not have necessary information about certificate
200 - certificate is identified and certificate attributes are sent in response
New endpoint should be added to Client operations v2 and contain no body and its response should be same as existing issue endpoint.
/v2/operations/authorities/{authorityUuid}/raProfiles/{raProfileUuid}/certificates/{certificateUuid}/revoke
issueCertificate endpoint, remove uuid property from ClientCertificateSignRequestDto.
Update search fields DTOs to allow searching not only on properties of resource but also on custom and metadata attributes.
SearchableFieldType with EQUALS condition
getSearchableFieldInformation endpoint should return also list of available custom attributes and metadata to search on
SearchFilterRequestDto needs to have search field source type to properly identify field (property, custom or meta attribute)
We should be able to get CA certificate, or full chain of CA certificates up to root, from the RA Profile, including the current CRL if available and issued by the authority.
In com.czertainly.core.util.AttributeDefinitionUtils, the validation of attributes has a section with common cases:
    case STRING:
    case INTEGER:
    case SECRET:
    case BOOLEAN:
    case FLOAT:
    case TEXT:
        BaseAttributeContent<?> stringBaseAttributeContent = (BaseAttributeContent) ATTRIBUTES_OBJECT_MAPPER.convertValue(baseAttributeContent, BaseAttributeContent.class);
        if (stringBaseAttributeContent.getValue() == null) {
            errors.add(ValidationError.create("Wrong value of Attribute {} {}.", new Object[]{definition.getName(), definition.getType()}));
            wrongValue = true;
        }
        break;
It only checks that a value is present; it does not check that the value inside the content has the proper type.
For example, when the attribute is defined as INTEGER and the client sends a string in the value, for example "value": "5986", it will not be evaluated as a wrong attribute, but it should be.
We should include in this section validation of the value against the attribute type definition.
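The following is an added example, not code from the CZERTAINLY-Interfaces project, showing the kind of check the section above lacks: the runtime type of the deserialized "value" is compared with the declared content type, so an INTEGER attribute whose value arrives as the JSON string "5986" is reported as a wrong value. The ContentType enum is the subset of cases from the switch above; the map-based input models the parsed JSON content and is a constructed assumption, not the project's DTOs.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Added example (not project code): validate attribute values against the
// declared content type, not only against null.
public class AttributeTypeCheck {

    // Subset of content types taken from the switch statement in the issue.
    public enum ContentType { STRING, INTEGER, SECRET, BOOLEAN, FLOAT, TEXT }

    // Returns an error message for one attribute, or null when the value is acceptable.
    public static String validate(String name, ContentType type, Object value) {
        if (value == null) {
            return "Wrong value of Attribute " + name + " " + type + ": value is missing.";
        }
        boolean ok;
        switch (type) {
            case STRING:
            case TEXT:
            case SECRET:
                ok = value instanceof String;
                break;
            case INTEGER:
                // Jackson deserializes JSON integers to Integer or Long depending on
                // magnitude; the JSON string "5986" arrives as String and is rejected.
                ok = value instanceof Integer || value instanceof Long;
                break;
            case FLOAT:
                ok = value instanceof Float || value instanceof Double;
                break;
            case BOOLEAN:
                ok = value instanceof Boolean;
                break;
            default:
                ok = false;
        }
        return ok ? null
                  : "Wrong value of Attribute " + name + " " + type + ": expected " + type
                    + " but got " + value.getClass().getSimpleName() + ".";
    }

    // Validates every defined attribute of a request. The content map models the
    // parsed JSON: attribute name -> deserialized "value" (constructed input shape).
    public static List<String> validateAll(Map<String, ContentType> definitions, Map<String, Object> content) {
        List<String> errors = new ArrayList<>();
        for (Map.Entry<String, ContentType> definition : definitions.entrySet()) {
            String error = validate(definition.getKey(), definition.getValue(), content.get(definition.getKey()));
            if (error != null) {
                errors.add(error);
            }
        }
        return errors;
    }

    public static void main(String[] args) {
        Map<String, ContentType> definitions = Map.of(
                "port", ContentType.INTEGER,
                "name", ContentType.STRING,
                "enabled", ContentType.BOOLEAN);
        // Constructed request content: "port" is sent as a string, exactly the case from the issue.
        Map<String, Object> content = Map.of(
                "port", "5986",
                "name", "hsm-1",
                "enabled", true);
        validateAll(definitions, content).forEach(System.out::println);
    }
}
```

Running the main reports a single error, for "port", because its value is a String while the definition says INTEGER; "name" and "enabled" pass. Plugging the same runtime-type check into the common-cases section of the switch above (after the null check) is enough to close the gap the issue describes.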
Define endpoints for cryptographicProvider function group connectors.
Add new endpoint GET /certificates/{uuid}/chain/{certificateFormat} to get BASE64 encoded certificate chain in specified format.
Path parameter certificateFormat represents new enum type CertificateFormat with two supported enum items PKCS7 and PEM. In addition, add optional boolean query parameter withEndCertificate.
Response of chain download is CertificateChainDownloadResponseDto with following properties:
completeChain - boolean flag if full certificate chain could be constructed
format - same enum as in request to specify what format is in output
content - BASE64 encoded certificate chain in specified format
Accordingly change response of get certificate chain endpoint to CertificateChainResponseDto:
completeChain - boolean flag if full certificate chain could be constructed
certificates - list of certificates as CertificateDetailDto
Requirements:
GET /certificates/{uuid}/chain
CertificateFormat implementing IPlatformEnum with 2 items:
pkcs7, label: PKCS#7
pem, label: PEM
Move SCEP URL property from detail DTO to listing DTO.
Right now, dependencies between projects are in various different versions, and some are declared without a version at all, which resolves to the latest version and is not desirable.
It is necessary to consolidate and clean up dependencies and create a POM hierarchy with a defined parent POM file that pins the desired dependency versions across the platform.
Add the interfaces for the management of the following items.
Add the DTOs and the needed updates to the existing DTOs for the same.
Define core interface to manage approval profiles with DTOs corresponding to DB entity model defined in https://github.com/orgs/3KeyCompany/projects/8/views/1?pane=issue&itemId=30534377
Route mapping: /v1/approvalProfiles
Approval profile should have following operations
ApprovalProfile + number of steps of approval profile)
Define core interface to manage approvals with DTOs corresponding to DB entity model defined in https://github.com/orgs/3KeyCompany/projects/8/views/1?pane=issue&itemId=30534377
Route mapping: /v1/approvals
Approvals should have following operations
/v1/approvals/{uuid}/approve
/v1/approvals/{uuid}/reject
/v1/approvals/{uuid}/approveRecipient (needs DTO with comment)
/v1/approvals/{uuid}/rejectRecipient (needs DTO with comment)
Add new endpoint to certificate controller to list certificate's approvals
/v1/certificates/{certificateUuid}/approvals
Auth service (package com.czertainly.api.model.core.auth)
Core for create and update user (package com.czertainly.api.model.client.auth)
Add new property certificateRequest to certificate detail DTO which contains CertificateRequestDTO representing certificate request.
DTO should have following properties:
Add new endpoint to RA profile management controller to retrieve authority certificate chain.
GET /v1/authorities/{authorityUuid}/raProfiles/{raProfileUuid}/caCertificates with response type List<CertificateDetailDto>
Create a separate DTO for listing custom attributes that additionally contains the list of resources for each custom attribute. It can be moved out of the detail DTO, since the detail DTO extends the listing one.
Add related certificates to CertificateDetailDto that will be populated with CertificateDto representing certificates for which the certificate is the source.
Implement interface for communication with Scheduler service to manage scheduled jobs.
Scheduler service
Scheduler service
Content of Secret attribute content type needs to be automatically masked before sending it in response. It will prevent secrets from being leaked when the explicit masking function is not applied.
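An added example (not the project's serializer) of how automatic masking can be attached to a response attribute DTO with Jackson, so that SECRET content is replaced on every serialization path rather than only where a caller remembers to mask. The same property is what the earlier Credential issue on this page runs into: because the mask is applied unconditionally at serialization time, the DTO cannot carry the real secret to a connector, which is why a separate content DTO without ResponseAttributeDto is needed there. Class and field names are simplified assumptions; Jackson databind is assumed on the classpath.

```java
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.annotation.JsonSerialize;

import java.io.IOException;
import java.util.List;

// Added example (not project code): SECRET content is masked while the DTO is
// serialized, so the plain value never reaches the wire from this type.
public class SecretMasking {

    public enum ContentType { STRING, SECRET }

    public static final String MASK = "*****";

    public static class Content {
        public final String reference; // display reference, safe to expose
        public final String data;      // the actual value, sensitive for SECRET
        public Content(String reference, String data) {
            this.reference = reference;
            this.data = data;
        }
    }

    // Binding the serializer to the type means every Jackson write of this DTO
    // is masked, not only the code paths that call a masking helper.
    @JsonSerialize(using = ResponseAttributeSerializer.class)
    public static class ResponseAttribute {
        public final String name;
        public final ContentType contentType;
        public final List<Content> content;
        public ResponseAttribute(String name, ContentType contentType, List<Content> content) {
            this.name = name;
            this.contentType = contentType;
            this.content = content;
        }
    }

    public static class ResponseAttributeSerializer extends JsonSerializer<ResponseAttribute> {
        @Override
        public void serialize(ResponseAttribute attr, JsonGenerator gen, SerializerProvider provider)
                throws IOException {
            gen.writeStartObject();
            gen.writeStringField("name", attr.name);
            gen.writeStringField("contentType", attr.contentType.name());
            gen.writeArrayFieldStart("content");
            for (Content c : attr.content) {
                gen.writeStartObject();
                gen.writeStringField("reference", c.reference);
                // Unconditional for SECRET: this is also why the type is unusable on the
                // Core -> connector path, where the real value is required.
                gen.writeStringField("data", attr.contentType == ContentType.SECRET ? MASK : c.data);
                gen.writeEndObject();
            }
            gen.writeEndArray();
            gen.writeEndObject();
        }
    }

    public static String toJson(ResponseAttribute attr) throws IOException {
        return new ObjectMapper().writeValueAsString(attr);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample attributes: one secret, one plain string.
        ResponseAttribute password = new ResponseAttribute("password", ContentType.SECRET,
                List.of(new Content("password", "example-not-a-real-secret")));
        ResponseAttribute username = new ResponseAttribute("username", ContentType.STRING,
                List.of(new Content("username", "api-user")));
        System.out.println(toJson(password));
        System.out.println(toJson(username));
    }
}
```

The first line printed carries "data":"*****" for the secret; the second keeps "api-user". Keeping the reference field unmasked lets the UI still show which secret is set without ever receiving its value.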
Add endpoints that allow getting an existing approval profile and associating/disassociating it with an RA profile:
GET /v1/authorities/{authorityUuid}/raProfiles/{raProfileUuid}/approvalProfiles
PATCH /v1/authorities/{authorityUuid}/raProfiles/{raProfileUuid}/approvalProfiles/{approvalProfileUuid}
DELETE /v1/authorities/{authorityUuid}/raProfiles/{raProfileUuid}/approvalProfiles/{approvalProfileUuid}
Add two endpoints for bulk operations with body as list of UUIDs to perform operation on.
PATCH /v1/notifications - to bulk mark as read
DELETE /v1/notifications - to bulk delete
Add endpoint to RA Profile Management interface to get the issuing CA certificate chain from connector.
GET /v1/{authorityUuid}/raProfiles/{raProfileUuid}/caCertificates with response - list of certificate detail DTOs.
Define new API routes used to manage global metadata.
Requirements:
Add possibility to run discoveries manually in external provider. To achieve that, the discovery Core interface and the DTOs representing discovery need to be extended:
DiscoveryRequestDto
DiscoveryProviderDto
List<DiscoveryProviderCertificateDataDto>
Right now, the enums of the platform are implemented differently and do not consistently contain the same fields representing their items.
Each enum item should contain following properties:
Endpoints for retrieving enums and their items should be defined. That way, enums can be used not only by code, but also enhanced with other properties such as name and description.
Example:
GET /enums
{
"AttributeType": {
"data": {
"code": "data",
"label": "Data"
},
"meta": {
"code": "meta",
"label": "Metadata"
},
"custom": {
"code": "custom",
"label": "Custom"
},
"group": {
"code": "group",
"label": "Group"
},
"info": {
"code": "info",
"label": "Info"
}
},
"KeyType": {
"private": {
"code": "private",
"label": "Private key",
"description": "Asymmetric private key"
},
"split": {
"code": "split",
"label": "Split key",
"description": "Secret or private key split into parts"
},
"public": {
"code": "public",
"label": "Public key",
"description": "Asymmetric public key"
},
"secret": {
"code": "secret",
"label": "Secret key",
"description": "Symmetric secret key"
}
}
}
Add new controller for notifications with endpoint to retrieve user notifications with query parameter serving as filter for unread messages. If query parameter unread is not present, retrieve all messages; otherwise filter based on its boolean value.
v1/notifications?unread=true
Add endpoints to mark as read and delete notification for specific user
Discovery Listing and Discovery Details API are currently using DiscoveryHistoryDto. This DTO contains the complete information that is only needed for the details page.
Much of the costly information in the data is not used by the list page in the FE and is also not relevant there.
After certificates are found by discovery, rules assigned to discovery should be applied to each certificate. Rules consist of defined criteria on properties of certificate and action that needs to be performed when certificate matches criteria.
Define DTOs and interface to manage discovery rules.
In https://github.com/3KeyCompany/CZERTAINLY-Interfaces/blob/develop/src/main/java/com/czertainly/api/clients/BaseApiClient.java, there is a bug in the SslContext:
    TrustManager tm = null;
    String trustStoreData = AttributeDefinitionUtils.getAttributeValue(ATTRIBUTE_TRUSTSTORE, attributes);
    if (trustStoreData != null && !trustStoreData.isEmpty()) {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); //"SunX509"
        String trustStoreType = AttributeDefinitionUtils.getAttributeValue(ATTRIBUTE_TRUSTSTORE_TYPE, attributes);
        String trustStorePassword = AttributeDefinitionUtils.getAttributeValue(ATTRIBUTE_TRUSTSTORE_PASSWORD, attributes);
        byte[] trustStoreBytes = Base64.getDecoder().decode(keyStoreData);
        tmf.init(KeyStoreUtils.bytes2KeyStore(trustStoreBytes, trustStorePassword, trustStoreType));
        tm = tmf.getTrustManagers()[0];
    }
The line byte[] trustStoreBytes = Base64.getDecoder().decode(keyStoreData); should decode trustStoreData.
    return SslContextBuilder
            .forClient()
            .keyManager(km)
            .trustManager(tm)
            .protocols("TLSv1.2")
            .build();
When the tm is null, it will throw NullPointerException.
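Below is an added example, not the project's code, of the snippet with both defects corrected: the trust store bytes are decoded from trustStoreData instead of keyStoreData, and trustManager()/keyManager() are only applied when a manager was actually built, so a client configured without a custom trust store uses the JDK default trust store instead of failing with a NullPointerException. bytes2KeyStore stands in for the page's KeyStoreUtils.bytes2KeyStore (assumed signature), and km is typed as javax.net.ssl.KeyManager, an assumption since the page does not show its type.

```java
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;

import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.util.Base64;

// Added example (not project code): corrected trust store handling for the
// connector client SslContext.
public class ClientSslContext {

    // Stand-in for KeyStoreUtils.bytes2KeyStore from the page (signature assumed).
    static KeyStore bytes2KeyStore(byte[] bytes, String password, String type) throws Exception {
        String storeType = (type == null || type.isEmpty()) ? KeyStore.getDefaultType() : type;
        KeyStore ks = KeyStore.getInstance(storeType);
        ks.load(new ByteArrayInputStream(bytes), password == null ? null : password.toCharArray());
        return ks;
    }

    // Returns null when no trust store was configured; that is a valid state, not an error.
    static TrustManager buildTrustManager(String trustStoreData, String trustStorePassword,
                                          String trustStoreType) throws Exception {
        if (trustStoreData == null || trustStoreData.isEmpty()) {
            return null;
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // Fix 1: decode the trust store attribute, not the key store attribute.
        byte[] trustStoreBytes = Base64.getDecoder().decode(trustStoreData);
        tmf.init(bytes2KeyStore(trustStoreBytes, trustStorePassword, trustStoreType));
        return tmf.getTrustManagers()[0];
    }

    static SslContext buildClientContext(KeyManager km, TrustManager tm) throws SSLException {
        SslContextBuilder builder = SslContextBuilder.forClient().protocols("TLSv1.2");
        if (km != null) {
            builder.keyManager(km);
        }
        // Fix 2: only hand Netty a trust manager that exists. With none set, the
        // builder falls back to the platform default trust store.
        if (tm != null) {
            builder.trustManager(tm);
        }
        return builder.build();
    }

    public static void main(String[] args) throws Exception {
        // Connector attributes without a trust store: the original code threw here.
        TrustManager tm = buildTrustManager(null, null, null);
        SslContext ctx = buildClientContext(null, tm);
        System.out.println("custom trust manager configured: " + (tm != null)
                + ", client context: " + ctx.isClient());
    }
}
```

Separating the decision "is a custom trust store configured" from the builder call keeps the two failure modes apart: a malformed trust store still fails loudly inside buildTrustManager, while an absent one is a supported configuration that trusts the platform CA set.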
Validation of custom attributes is currently skipped because the utils method implemented in Interfaces takes only data attribute definitions into account and filters out other attribute types.
Validation should also support custom attributes and check the same properties and content, so that an object cannot be created without its required custom attributes.
The validation of LIST attributes is commented out in the:
https://github.com/3KeyCompany/CZERTAINLY-Interfaces/blob/develop/src/main/java/com/czertainly/core/util/AttributeDefinitionUtils.java
    case LIST:
        // wrongValue = !((Collection) definition.getValue()).contains(attribute.getValue());
        break;
There is no reason described in the code why it is commented out. The validation of LIST attributes is therefore not working when wrong (or incompatible) values are sent as part of the request.
This is connected with 3KeyCompany/CZERTAINLY-FE-Administrator#37
The validation of the LIST attribute should be implemented, checking its values, multiple values if defined, and also the callback values if available.
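As an added example (not the project's implementation), the following validates a LIST attribute the way the last sentence asks for: each submitted value must be one of the values the definition allows, a single-value definition rejects more than one value, and when a callback is configured the allowed set comes from the callback's result instead of the declared list. The callback is modelled as a Supplier, an assumption about how callback values reach the validator; the definition class and field names are constructed for the example.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import java.util.function.Supplier;

// Added example (not project code): LIST attribute validation covering values,
// multi-value definitions and callback-provided allowed values.
public class ListAttributeValidation {

    public static class ListDefinition {
        final String name;
        final boolean required;
        final boolean multiSelect;
        final Collection<String> declaredValues;
        final Supplier<Collection<String>> callback; // null when the definition has no callback

        ListDefinition(String name, boolean required, boolean multiSelect,
                       Collection<String> declaredValues, Supplier<Collection<String>> callback) {
            this.name = name;
            this.required = required;
            this.multiSelect = multiSelect;
            this.declaredValues = declaredValues;
            this.callback = callback;
        }

        // Callback values take precedence: they are the live set the user chose from.
        Collection<String> allowedValues() {
            return callback != null ? callback.get() : declaredValues;
        }
    }

    // Returns the validation errors for one attribute; an empty list means acceptable.
    public static List<String> validate(ListDefinition def, List<String> requestValues) {
        List<String> errors = new ArrayList<>();
        if (requestValues == null || requestValues.isEmpty()) {
            if (def.required) {
                errors.add("Required attribute " + def.name + " not found.");
            }
            return errors;
        }
        if (!def.multiSelect && requestValues.size() > 1) {
            errors.add("Attribute " + def.name + " accepts a single value, " + requestValues.size() + " were sent.");
        }
        Collection<String> allowed = def.allowedValues();
        for (String value : requestValues) {
            if (!allowed.contains(value)) {
                errors.add("Wrong value of Attribute " + def.name + " LIST: '" + value
                        + "' is not one of " + allowed + ".");
            }
        }
        return errors;
    }

    public static void main(String[] args) {
        // Constructed definitions: a fixed single-value list and a callback-backed multi-value list.
        ListDefinition keyAlgorithm = new ListDefinition("keyAlgorithm", true, false,
                List.of("RSA", "ECDSA"), null);
        ListDefinition keyUsage = new ListDefinition("extendedKeyUsage", false, true, List.of(),
                () -> Set.of("serverAuth", "clientAuth", "codeSigning"));

        System.out.println(validate(keyAlgorithm, List.of("RSA")));
        System.out.println(validate(keyAlgorithm, List.of("RSA", "ECDSA")));
        System.out.println(validate(keyAlgorithm, List.of("DSA")));
        System.out.println(validate(keyUsage, List.of("serverAuth", "timeStamping")));
        System.out.println(validate(keyUsage, List.of()));
    }
}
```

Of the five calls in main, the first and last produce no errors (a valid single value; an optional attribute left empty), the second reports two values on a single-value definition, the third reports "DSA" as not allowed, and the fourth reports "timeStamping" because it is absent from the callback's result. Checking against the callback's values rather than the static definition is what stops a client from submitting an option the server never offered.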
Some DTOs representing listed objects are missing UUIDs of related objects, which prevents constructing a request if the user would like to retrieve the detail of such an object.
Make following changes to DTOs:
ownerUuid to KeyDto and KeyDetailDto
owner in KeyRequestDto
owner with ownerUuid in EditKeyRequestDto
SimplifiedRaProfileDto when representing RA profile in AcmeAccountListResponseDto, AcmeAccountResponseDto, AcmeProfileListDto, AcmeProfileDto (replace current RaProfileDto), ScepProfileDto, ScepProfileDetailDto (replace current RaProfileDto)
Add endpoints to get and update settings for CZERTAINLY platform that can be edited by user with access
Endpoints:
GET /v1/settings/sections -> list of sections = enum items
GET /v1/settings/sections/{sectionName} -> section settings DTO
PUT /v1/settings/sections/{sectionName} -> update section settings
Requirements:
Individual notifications can be configured and used in form of notification instance references that will be managed by Core.
Similarly as authority instance references, notification instance references hold reference to its counterpart stored in provider.
Core clients to manage and use notification instances.
NotificationInstanceDTO
NotificationInstanceRequestDTO
RequestAttributeDto)
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
.github/workflows/build.yml
actions/checkout v4@b4ffde65f46336ab88eb53be808477a3936bae11
actions/setup-java v4
actions/cache v4
actions/checkout v4@b4ffde65f46336ab88eb53be808477a3936bae11
actions/setup-java v4
actions/cache v4
actions/cache v4
actions/github-script v7
.github/workflows/codeql.yml
actions/checkout v4@b4ffde65f46336ab88eb53be808477a3936bae11
github/codeql-action v3
actions/setup-java v4
actions/cache v4
github/codeql-action v3
.github/workflows/publish-package.yml
actions/checkout v4@b4ffde65f46336ab88eb53be808477a3936bae11
actions/setup-java v4
actions/setup-java v4
.github/workflows/workflow_run_pruner.yml
actions/github-script v7
actions/github-script v7
pom.xml
com.czertainly:dependencies 1.1.0
org.apache.maven.plugins:maven-gpg-plugin 3.1.0
Define new API routes used to manage collections.
Requirements:
https://docs.czertainly.com/api/core-acme/#operation/updateRaProfile - it is delete, not update
CertificateController to retrieve certificate chain GET /v1/certificates/{uuid}/chain with response of List<CertificateDto>
issuerCertificateUuid property to CertificateDto (not required)
Define new function group for entity provider and define its interface.
The Entity Provider implements the following mandatory interfaces:
Add interface for management of scheduled jobs to Core API. It should contain following endpoints
GET /v1/scheduler/jobs
GET /v1/scheduler/jobs/{jobUuid}
DELETE /v1/scheduler/jobs/{jobUuid}
GET /v1/scheduler/jobs/{jobUuid}/history
PATCH /v1/scheduler/jobs/{jobUuid}/enable
PATCH /v1/scheduler/jobs/{jobUuid}/disable
Scheduled job has following properties
Scheduled job history has following properties
The API for searching, for example listCertificates, has a field with the name fieldIdentifier.
It is not clear how the values for this field should be obtained when building the request; improving the API documentation should help users learn how to get the supported values from https://docs.czertainly.com/api/core-certificate/#tag/Certificate-Inventory/operation/getSearchableFieldInformation.
SettingsSection with code 'notifications'
/v1/settings/notifications
/v1/settings/notifications
notificationsMapping represented by type Map<NotificationType, UUID>