feat(bff): clavis create certificate-authority and certificate issued by authority (#774)

vlad-schur-external-sap · web-flow · commit 5612a1420d2f · 2026-05-12T09:09:11.000+02:00
* feat(bff): create certificate-authority operation

* feat(bff): create certificate by certificate-authority

* feat(bff): add missing tests for create operations router and schema

* fix(bff): prettier formatting in pca-clavis files

* fix(bff): replace query with mutation

* fix(bff): tests for pca-router
diff --git a/apps/aurora-portal/src/server/Services/routers/pcaRouter.test.ts b/apps/aurora-portal/src/server/Services/routers/pcaRouter.test.ts
@@ -65,19 +65,58 @@ const validGetByIdCertificateResponse = {
   certificate: validCertificatesResponse.certificates[0],
 }
 
+const validCreateCAResponse = {
+  certificate_authority: {
+    id: "ca-new",
+    project_id: TEST_PROJECT_ID,
+    state: "CREATING" as const,
+    configuration: {
+      subject: {
+        common_name: "new-ca.example.com",
+      },
+    },
+  },
+}
+
+const validCreateCertificateResponse = {
+  certificate: {
+    id: "cert-new",
+    certificate_authority_id: "ca-1",
+    project_id: TEST_PROJECT_ID,
+    certificate: {
+      pem: "-----BEGIN CERTIFICATE-----\nMIIBkTCB+wIJAKHHC...ABC123==\n-----END CERTIFICATE-----",
+      validity: {
+        not_before: 1705315200,
+        not_after: 1736851200,
+      },
+    },
+    configuration: {
+      validity: {
+        not_before: 1705315200,
+        not_after: 1736851200,
+      },
+    },
+    csr: "-----BEGIN CERTIFICATE REQUEST-----\nMIIBkTCB+wIJAKHHC...ABC123==\n-----END CERTIFICATE REQUEST-----",
+  },
+}
+
 const createMockContext = (opts?: {
   noClavis?: boolean
   parseError?: boolean
   certificateParseError?: boolean
   getByIdParseError?: boolean
   getByIdCertificateParseError?: boolean
+  createCAParseError?: boolean
+  createCertificateParseError?: boolean
 }) => {
   const {
     noClavis = false,
     parseError = false,
     certificateParseError = false,
     getByIdParseError = false,
     getByIdCertificateParseError = false,
+    createCAParseError = false,
+    createCertificateParseError = false,
   } = opts || {}
 
   const getMock = vi.fn().mockImplementation((url: string) => {
@@ -97,8 +136,22 @@ const createMockContext = (opts?: {
     })
   })
 
+  const postMock = vi.fn().mockImplementation((url: string) => {
+    let responseBody: unknown
+    if (url.includes("/certificates")) {
+      responseBody = createCertificateParseError ? { invalid: true } : validCreateCertificateResponse
+    } else {
+      responseBody = createCAParseError ? { invalid: true } : validCreateCAResponse
+    }
+
+    return Promise.resolve({
+      json: vi.fn().mockResolvedValue(responseBody),
+    })
+  })
+
   const clavisService = {
     get: getMock,
+    post: postMock,
   }
 
   const serviceMock = vi.fn().mockImplementation((serviceName: string) => {
@@ -120,6 +173,7 @@ const createMockContext = (opts?: {
     getMultipartData: vi.fn(),
     __serviceMock: serviceMock,
     __getMock: getMock,
+    __postMock: postMock,
   }
 }
 
@@ -322,4 +376,113 @@ describe("pcaRouter", () => {
       )
     })
   })
+
+  describe("create", () => {
+    it("creates certificate authority for valid input", async () => {
+      const ctx = createMockContext()
+      const caller = createCaller(ctx as never)
+
+      const result = await caller.services.pca.create({
+        project_id: TEST_PROJECT_ID,
+        configuration: {
+          subject: {
+            common_name: "new-ca.example.com",
+          },
+        },
+      })
+
+      expect(result).toEqual(validCreateCAResponse.certificate_authority)
+      expect(ctx.__postMock).toHaveBeenCalledWith("v1/certificate-authorities", expect.any(Object))
+      const [, request] = ctx.__postMock.mock.calls[0]
+      expect(JSON.parse(request.body)).toEqual({
+        project_id: TEST_PROJECT_ID,
+        configuration: {
+          subject: {
+            common_name: "new-ca.example.com",
+          },
+        },
+      })
+    })
+
+    it("throws PARSE_ERROR on invalid create response payload", async () => {
+      const ctx = createMockContext({ createCAParseError: true })
+      const caller = createCaller(ctx as never)
+
+      await expect(
+        caller.services.pca.create({
+          project_id: TEST_PROJECT_ID,
+          configuration: {
+            subject: {
+              common_name: "new-ca.example.com",
+            },
+          },
+        })
+      ).rejects.toThrow(
+        new TRPCError({
+          code: "PARSE_ERROR",
+          message: "Failed to parse response in pcaRouter.create",
+        })
+      )
+    })
+  })
+
+  describe("createCertificate", () => {
+    it("creates certificate for valid input", async () => {
+      const ctx = createMockContext()
+      const caller = createCaller(ctx as never)
+
+      const result = await caller.services.pca.createCertificate({
+        project_id: TEST_PROJECT_ID,
+        certificate_authority_id: "ca-1",
+        certificate: {
+          configuration: {
+            validity: {
+              not_before: 1705315200,
+              not_after: 1736851200,
+            },
+          },
+          csr: "-----BEGIN CERTIFICATE REQUEST-----\nMIIBkTCB+wIJAKHHC...ABC123==\n-----END CERTIFICATE REQUEST-----",
+        },
+      })
+
+      expect(result).toEqual(validCreateCertificateResponse.certificate)
+      expect(ctx.__postMock).toHaveBeenCalledWith("v1/certificate-authorities/ca-1/certificates", expect.any(Object))
+      const [, request] = ctx.__postMock.mock.calls[0]
+      expect(JSON.parse(request.body)).toEqual({
+        configuration: {
+          validity: {
+            not_before: 1705315200,
+            not_after: 1736851200,
+          },
+        },
+        csr: "-----BEGIN CERTIFICATE REQUEST-----\nMIIBkTCB+wIJAKHHC...ABC123==\n-----END CERTIFICATE REQUEST-----",
+      })
+    })
+
+    it("throws PARSE_ERROR on invalid create certificate response payload", async () => {
+      const ctx = createMockContext({ createCertificateParseError: true })
+      const caller = createCaller(ctx as never)
+
+      await expect(
+        caller.services.pca.createCertificate({
+          project_id: TEST_PROJECT_ID,
+          certificate_authority_id: "ca-1",
+          certificate: {
+            configuration: {
+              validity: {
+                not_before: 1705315200,
+                not_after: 1736851200,
+              },
+            },
+            csr: "-----BEGIN CERTIFICATE REQUEST-----\nMIIBkTCB+wIJAKHHC...ABC123==\n-----END CERTIFICATE REQUEST-----",
+          },
+        })
+      ).rejects.toThrow(
+        new TRPCError({
+          code: "PARSE_ERROR",
+          message: "Failed to parse response in pcaRouter.createCertificate",
+        })
+      )
+    })
+  })
 })
diff --git a/apps/aurora-portal/src/server/Services/routers/pcaRouter.ts b/apps/aurora-portal/src/server/Services/routers/pcaRouter.ts
@@ -11,6 +11,8 @@ import {
   CertificateAuthorityResponseSchema,
   CertificateIdInputSchema,
   CertificateResponseSchema,
+  CertificateAuthorityCreateSchema,
+  CreateCertificateInputSchema,
 } from "../types/pca"
 
 /** PCA (Private Certificate Authority) - Clavis service for certificate authority management  */
@@ -28,6 +30,25 @@ export const pcaRouter = {
       return parseOrThrow(CertificateAuthoritiesListSchema, data, "pcaRouter.list").certificate_authorities
     }, "list certificate authorities")
   }),
+  /**
+   * Creates a new Certificate Authority (CA).
+   * The CA is created in CREATING state and transitions to AWAITING_CERTIFICATE state once its CSR has been generated.
+   * CA in AWAITING_CERTIFICATE can't issue end-entity certificates, and needs to have its certificate imported - see the respective importCertificate endpoint.
+   */
+  create: projectScopedProcedure
+    .input(CertificateAuthorityCreateSchema)
+    .mutation(async ({ input, ctx }): Promise<CertificateAuthority> => {
+      return withErrorHandling(async () => {
+        const pca = ctx.openstack?.service("clavis")
+        validateOpenstackService(pca, "clavis")
+
+        const response = await pca.post(PCA_BASE_URL, { body: JSON.stringify(input) })
+        const data = await response.json()
+
+        // Certificate Authority creation initiated successfully (async operation)
+        return parseOrThrow(CertificateAuthorityResponseSchema, data, "pcaRouter.create").certificate_authority
+      }, "create certificate authority")
+    }),
   getById: projectScopedProcedure
     .input(CertificateAuthorityIdInputSchema)
     .query(async ({ input, ctx }): Promise<CertificateAuthority> => {
@@ -56,6 +77,20 @@ export const pcaRouter = {
         return parseOrThrow(CertificatesListSchema, data, "pcaRouter.listCertificates").certificates
       }, "list certificates for certificate authority")
     }),
+  createCertificate: projectScopedProcedure
+    .input(CreateCertificateInputSchema)
+    .mutation(async ({ input, ctx }): Promise<Certificate> => {
+      return withErrorHandling(async () => {
+        const pca = ctx.openstack?.service("clavis")
+        validateOpenstackService(pca, "clavis")
+
+        const url = `${PCA_BASE_URL}/${input.certificate_authority_id}/certificates`
+        const response = await pca.post(url, { body: JSON.stringify(input.certificate) })
+        const data = await response.json()
+
+        return parseOrThrow(CertificateResponseSchema, data, "pcaRouter.createCertificate").certificate
+      }, "create certificate for certificate authority")
+    }),
   getByIdCertificate: projectScopedProcedure
     .input(CertificateIdInputSchema)
     .query(async ({ input, ctx }): Promise<Certificate> => {
diff --git a/apps/aurora-portal/src/server/Services/types/pca.test.ts b/apps/aurora-portal/src/server/Services/types/pca.test.ts
@@ -1,13 +1,16 @@
 import { describe, it, expect } from "vitest"
 import {
   CertificateAuthoritiesListSchema,
+  CertificateAuthorityCreateSchema,
   CertificateAuthorityResponseSchema,
   CertificateAuthoritySchema,
+  CertificateConfigurationSchema,
   CertificateAuthorityIdInputSchema,
   CertificateIdInputSchema,
   CertificateResponseSchema,
   CertificateSchema,
   CertificatesListSchema,
+  CreateCertificateInputSchema,
 } from "./pca"
 import { omit } from "@/server/helpers/object"
 
@@ -770,6 +773,83 @@ describe("PCA (Private Certificate Authority) Schema Validation", () => {
     })
   })
 
+  describe("CertificateAuthorityCreateSchema", () => {
+    it("should validate create input with subject.common_name", () => {
+      expect(
+        CertificateAuthorityCreateSchema.safeParse({
+          configuration: {
+            subject: { common_name: "ca.example.com" },
+          },
+        }).success
+      ).toBe(true)
+    })
+
+    it("should reject create input without subject.common_name", () => {
+      expect(
+        CertificateAuthorityCreateSchema.safeParse({
+          configuration: {
+            subject: {},
+          },
+        }).success
+      ).toBe(false)
+    })
+  })
+
+  describe("CertificateConfigurationSchema", () => {
+    it("should validate certificate configuration payload", () => {
+      expect(
+        CertificateConfigurationSchema.safeParse({
+          validity: {
+            not_after: 1736851200,
+            not_before: 1705315200,
+          },
+        }).success
+      ).toBe(true)
+    })
+
+    it("should reject certificate configuration payload without validity", () => {
+      expect(CertificateConfigurationSchema.safeParse({}).success).toBe(false)
+    })
+  })
+
+  describe("CreateCertificateInputSchema", () => {
+    it("should validate create certificate input", () => {
+      expect(
+        CreateCertificateInputSchema.safeParse({
+          project_id: "project-1",
+          certificate_authority_id: "ca-123",
+          certificate: {
+            configuration: {
+              validity: {
+                not_after: 1736851200,
+                not_before: 1705315200,
+              },
+            },
+            csr: "-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----",
+          },
+        }).success
+      ).toBe(true)
+    })
+
+    it("should reject create certificate input with empty certificate_authority_id", () => {
+      expect(
+        CreateCertificateInputSchema.safeParse({
+          project_id: "project-1",
+          certificate_authority_id: "",
+          certificate: {
+            configuration: {
+              validity: {
+                not_after: 1736851200,
+                not_before: 1705315200,
+              },
+            },
+            csr: "-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----",
+          },
+        }).success
+      ).toBe(false)
+    })
+  })
+
   describe("CertificateIdInputSchema", () => {
     it("should validate with required project_id, certificate_authority_id and certificate_id", () => {
       expect(
diff --git a/apps/aurora-portal/src/server/Services/types/pca.ts b/apps/aurora-portal/src/server/Services/types/pca.ts
