feat(bff): delete and import certificate of certificate-authority operations (#777)

* feat(bff): create certificate-authority operation

* feat(bff): create certificate by certificate-authority

* feat(bff): add missing tests for create operations router and schema

* fix(bff): prettier formatting in pca-clavis files

* fix(bff): replace query with mutation

* feat(bff): delete operation

* feat(bff): import certificate procedure

Author: vlad-schur-external-sap

apps/aurora-portal/src/server/Services/routers/pcaRouter.test.ts

@@ -108,6 +108,7 @@ const createMockContext = (opts?: {
   getByIdCertificateParseError?: boolean
   createCAParseError?: boolean
   createCertificateParseError?: boolean
+  importCAParseError?: boolean
 }) => {
   const {
     noClavis = false,
@@ -117,6 +118,7 @@ const createMockContext = (opts?: {
     getByIdCertificateParseError = false,
     createCAParseError = false,
     createCertificateParseError = false,
+    importCAParseError = false,
   } = opts || {}
 
   const getMock = vi.fn().mockImplementation((url: string) => {
@@ -140,6 +142,8 @@ const createMockContext = (opts?: {
     let responseBody: unknown
     if (url.includes("/certificates")) {
       responseBody = createCertificateParseError ? { invalid: true } : validCreateCertificateResponse
+    } else if (url.includes(":importCertificate")) {
+      responseBody = importCAParseError ? { invalid: true } : validCreateCAResponse
     } else {
       responseBody = createCAParseError ? { invalid: true } : validCreateCAResponse
     }
@@ -149,7 +153,10 @@ const createMockContext = (opts?: {
     })
   })
 
+  const delMock = vi.fn().mockResolvedValue(undefined)
+
   const clavisService = {
+    del: delMock,
     get: getMock,
     post: postMock,
   }
@@ -172,6 +179,7 @@ const createMockContext = (opts?: {
     terminateSession: vi.fn(),
     getMultipartData: vi.fn(),
     __serviceMock: serviceMock,
+    __delMock: delMock,
     __getMock: getMock,
     __postMock: postMock,
   }
@@ -276,6 +284,38 @@ describe("pcaRouter", () => {
     })
   })
 
+  describe("delete", () => {
+    it("deletes certificate authority for valid input", async () => {
+      const ctx = createMockContext()
+      const caller = createCaller(ctx as never)
+
+      const result = await caller.services.pca.delete({
+        project_id: TEST_PROJECT_ID,
+        certificate_authority_id: "ca-1",
+      })
+
+      expect(result).toBeUndefined()
+      expect(ctx.__delMock).toHaveBeenCalledWith("v1/certificate-authorities/ca-1")
+    })
+
+    it("throws INTERNAL_SERVER_ERROR when clavis service is unavailable", async () => {
+      const ctx = createMockContext({ noClavis: true })
+      const caller = createCaller(ctx as never)
+
+      await expect(
+        caller.services.pca.delete({
+          project_id: TEST_PROJECT_ID,
+          certificate_authority_id: "ca-1",
+        })
+      ).rejects.toThrow(
+        new TRPCError({
+          code: "INTERNAL_SERVER_ERROR",
+          message: "Clavis service is not available",
+        })
+      )
+    })
+  })
+
   describe("listCertificates", () => {
     it("returns certificates for a certificate authority", async () => {
       const ctx = createMockContext()
@@ -393,15 +433,6 @@ describe("pcaRouter", () => {
 
       expect(result).toEqual(validCreateCAResponse.certificate_authority)
       expect(ctx.__postMock).toHaveBeenCalledWith("v1/certificate-authorities", expect.any(Object))
-      const [, request] = ctx.__postMock.mock.calls[0]
-      expect(JSON.parse(request.body)).toEqual({
-        project_id: TEST_PROJECT_ID,
-        configuration: {
-          subject: {
-            common_name: "new-ca.example.com",
-          },
-        },
-      })
     })
 
     it("throws PARSE_ERROR on invalid create response payload", async () => {
@@ -447,16 +478,6 @@ describe("pcaRouter", () => {
 
       expect(result).toEqual(validCreateCertificateResponse.certificate)
       expect(ctx.__postMock).toHaveBeenCalledWith("v1/certificate-authorities/ca-1/certificates", expect.any(Object))
-      const [, request] = ctx.__postMock.mock.calls[0]
-      expect(JSON.parse(request.body)).toEqual({
-        configuration: {
-          validity: {
-            not_before: 1705315200,
-            not_after: 1736851200,
-          },
-        },
-        csr: "-----BEGIN CERTIFICATE REQUEST-----\nMIIBkTCB+wIJAKHHC...ABC123==\n-----END CERTIFICATE REQUEST-----",
-      })
     })
 
     it("throws PARSE_ERROR on invalid create certificate response payload", async () => {
@@ -485,4 +506,48 @@ describe("pcaRouter", () => {
       )
     })
   })
+
+  describe("import", () => {
+    it("imports certificate for valid input", async () => {
+      const ctx = createMockContext()
+      const caller = createCaller(ctx as never)
+
+      const result = await caller.services.pca.import({
+        project_id: TEST_PROJECT_ID,
+        certificate_authority_id: "ca-1",
+        imported_certificate_chain:
+          "-----BEGIN CERTIFICATE-----\nMIIBkTCB+wIJAKHHC...ABC123==\n-----END CERTIFICATE-----",
+      })
+
+      expect(result).toEqual(validCreateCAResponse.certificate_authority)
+      expect(ctx.__postMock).toHaveBeenCalledWith(
+        "v1/certificate-authorities/ca-1:importCertificate",
+        expect.any(Object)
+      )
+      const [, request] = ctx.__postMock.mock.calls[ctx.__postMock.mock.calls.length - 1]
+      expect(JSON.parse(request.body)).toEqual({
+        imported_certificate_chain:
+          "-----BEGIN CERTIFICATE-----\nMIIBkTCB+wIJAKHHC...ABC123==\n-----END CERTIFICATE-----",
+      })
+    })
+
+    it("throws PARSE_ERROR on invalid import response payload", async () => {
+      const ctx = createMockContext({ importCAParseError: true })
+      const caller = createCaller(ctx as never)
+
+      await expect(
+        caller.services.pca.import({
+          project_id: TEST_PROJECT_ID,
+          certificate_authority_id: "ca-1",
+          imported_certificate_chain:
+            "-----BEGIN CERTIFICATE-----\nMIIBkTCB+wIJAKHHC...ABC123==\n-----END CERTIFICATE-----",
+        })
+      ).rejects.toThrow(
+        new TRPCError({
+          code: "PARSE_ERROR",
+          message: "Failed to parse response in pcaRouter.import",
+        })
+      )
+    })
+  })
 })

apps/aurora-portal/src/server/Services/routers/pcaRouter.ts

@@ -13,6 +13,7 @@ import {
   CertificateResponseSchema,
   CertificateAuthorityCreateSchema,
   CreateCertificateInputSchema,
+  CertificateAuthorityImportInputSchema,
 } from "../types/pca"
 
 /** PCA (Private Certificate Authority) - Clavis service for certificate authority management  */
@@ -63,6 +64,40 @@ export const pcaRouter = {
         return parseOrThrow(CertificateAuthorityResponseSchema, data, "pcaRouter.getById").certificate_authority
       }, "get certificate authority details")
     }),
+  // Permanently deletes a Certificate Authority. This operation is irreversible.
+  delete: projectScopedProcedure
+    .input(CertificateAuthorityIdInputSchema)
+    .mutation(async ({ input, ctx }): Promise<void> => {
+      return withErrorHandling(async () => {
+        const pca = ctx.openstack?.service("clavis")
+        validateOpenstackService(pca, "clavis")
+
+        const url = `${PCA_BASE_URL}/${input.certificate_authority_id}`
+        // 204 Certificate Authority deleted successfully
+        await pca.del(url)
+      }, "delete certificate authority")
+    }),
+  /**
+   * Imports Certificate Authority certificate
+   * Transitioning the CA from AWAITING_CERTIFICATE to READY state
+   * after which the CA becomes fully operational and can issue certificates to end entities
+   */
+  import: projectScopedProcedure
+    .input(CertificateAuthorityImportInputSchema)
+    .mutation(async ({ input, ctx }): Promise<CertificateAuthority> => {
+      return withErrorHandling(async () => {
+        const pca = ctx.openstack?.service("clavis")
+        validateOpenstackService(pca, "clavis")
+
+        const url = `${PCA_BASE_URL}/${input.certificate_authority_id}:importCertificate`
+        const response = await pca.post(url, {
+          body: JSON.stringify({ imported_certificate_chain: input.imported_certificate_chain }),
+        })
+        const data = await response.json()
+
+        return parseOrThrow(CertificateAuthorityResponseSchema, data, "pcaRouter.import").certificate_authority
+      }, "import certificate of certificate authority")
+    }),
   listCertificates: projectScopedProcedure
     .input(CertificateAuthorityIdInputSchema)
     .query(async ({ input, ctx }): Promise<Certificate[]> => {

apps/aurora-portal/src/server/Services/types/pca.test.ts

@@ -2,6 +2,7 @@ import { describe, it, expect } from "vitest"
 import {
   CertificateAuthoritiesListSchema,
   CertificateAuthorityCreateSchema,
+  CertificateAuthorityImportInputSchema,
   CertificateAuthorityResponseSchema,
   CertificateAuthoritySchema,
   CertificateConfigurationSchema,
@@ -773,6 +774,38 @@ describe("PCA (Private Certificate Authority) Schema Validation", () => {
     })
   })
 
+  describe("CertificateAuthorityImportInputSchema", () => {
+    it("should validate import input with all required fields", () => {
+      expect(
+        CertificateAuthorityImportInputSchema.safeParse({
+          project_id: "project-1",
+          certificate_authority_id: "ca-123",
+          imported_certificate_chain:
+            "-----BEGIN CERTIFICATE-----\nMIIBkTCB+wIJAKHHC...ABC123==\n-----END CERTIFICATE-----",
+        }).success
+      ).toBe(true)
+    })
+
+    it("should reject import input without imported_certificate_chain", () => {
+      expect(
+        CertificateAuthorityImportInputSchema.safeParse({
+          project_id: "project-1",
+          certificate_authority_id: "ca-123",
+        }).success
+      ).toBe(false)
+    })
+
+    it("should reject import input with empty imported_certificate_chain", () => {
+      expect(
+        CertificateAuthorityImportInputSchema.safeParse({
+          project_id: "project-1",
+          certificate_authority_id: "ca-123",
+          imported_certificate_chain: "",
+        }).success
+      ).toBe(false)
+    })
+  })
+
   describe("CertificateAuthorityCreateSchema", () => {
     it("should validate create input with subject.common_name", () => {
       expect(

apps/aurora-portal/src/server/Services/types/pca.ts

@@ -77,7 +77,7 @@ export const CertificateAuthoritiesListSchema = z.object({
   certificate_authorities: z.array(CertificateAuthoritySchema),
 })
 
-// Used by: /v1/certificate-authorities -  Create new Certificate Authority
+// Used by: /v1/certificate-authorities - Create new Certificate Authority
 export const CertificateAuthorityCreateSchema = z.object({
   configuration: z.object({
     subject: CertificateAuthoritySubjectSchema,
@@ -90,17 +90,19 @@ export const CertificateAuthorityCreateSchema = z.object({
  * Used by:
  * - GET /v1/certificate-authorities/{certificate_authority_id} - Show Certificate Authority details
  * - DELETE /v1/certificate-authorities/{certificate_authority_id} - Delete Certificate Authority
- * - POST /v1/certificate-authorities/{certificate_authority_id}:importCertificate - Import certificate of Certificate Authority
- *
  * - GET /v1/certificate-authorities/{certificate_authority_id}/certificates - List Certificates
- * - POST /v1/certificate-authorities/{certificate_authority_id}/certificates - Create new Certificate
  *
  */
 export const CertificateAuthorityIdInputSchema = z.object({
   project_id: z.string(),
   certificate_authority_id: z.string().min(1),
 })
 
+// Used by: /v1/certificate-authorities/{certificate_authority_id}:importCertificate - Import certificate of Certificate Authority
+export const CertificateAuthorityImportInputSchema = CertificateAuthorityIdInputSchema.extend({
+  imported_certificate_chain: z.string().min(1),
+})
+
 // Used by: /v1/certificate-authorities/{certificate_authority_id}/certificates/{certificate_id} - Get Certificate details
 export const CertificateIdInputSchema = CertificateAuthorityIdInputSchema.extend({
   certificate_id: z.string().min(1),