Add CERTIFICATE_REGISTERED event type and payload#772
Merged
Conversation
Register a CERTIFICATE_REGISTERED resource event with a CertificateRegisteredEventData payload carrying the certificate identity, the issuance deadline, and the one-time credential the recipient presents to complete issuance. The credential is JSON-serialized (so external notification providers deliver it) but excluded from toString and equals/hashCode so it cannot leak into logs or tracing spans.
There was a problem hiding this comment.
Pull request overview
Adds a new certificate lifecycle event contract so core can emit a one-shot notification when a certificate is pre-registered, including the one-time completion credential and its deadline, while avoiding accidental credential leakage via toString/equals/hashCode.
Changes:
- Introduces
CertificateRegisteredEventDatawithissuanceDeadlineand sensitivecredential(excluded fromtoStringandequals/hashCode). - Registers
CERTIFICATE_REGISTEREDinResourceEvent(+Codesconstant). - Clarifies
ClientCertificateRegistrationDto.expiresAtschema description to reflect completion-request gating semantics. - Adds a unit test to ensure
toString()does not leak the credential.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/main/java/com/otilm/api/model/common/events/data/CertificateRegisteredEventData.java | New event payload type for pre-registration notifications, including deadline + credential handling. |
| src/main/java/com/otilm/api/model/core/other/ResourceEvent.java | Adds the new CERTIFICATE_REGISTERED event type and code constant. |
| src/main/java/com/otilm/api/model/core/v2/ClientCertificateRegistrationDto.java | Updates OpenAPI schema wording for the registration completion deadline (expiresAt). |
| src/test/java/com/otilm/api/model/common/events/data/CertificateRegisteredEventDataTest.java | Adds tests around credential non-leakage in toString(). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…then tests - Rename the event field issuanceDeadline -> completionDeadline and reword its description to match the clarified expiresAt semantics (it gates the completion request, not final issuance) — the old name reintroduced the misconception the DTO reword corrected. - Declare RA_PROFILE + GROUP overriding resources on CERTIFICATE_REGISTERED, like every other authority-scoped certificate event, so RA-profile/group-scoped triggers and notification profiles can target it. - Strengthen the payload test: JSON round-trip proving the credential serializes for external delivery, a positive toString assertion, and equals/hashCode exclusion — locking both halves of the leak-safe-yet-deliverable invariant. - Note that credential carries the value supplied inbound as authorizationSecret.
|
3keyroman
approved these changes
Jul 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



Part of #1571. Adds the
CERTIFICATE_REGISTEREDevent type + payload that core fires when a certificate is pre-registered.ResourceEvent.CERTIFICATE_REGISTERED(+Codesconstant) — resource CERTIFICATE,monitoring=false(one-shot), payloadCertificateRegisteredEventData.CertificateRegisteredEventDataextendsCertificateEventAuthorityDataand addsissuanceDeadlineandcredential(the one-time challenge the recipient presents to complete issuance).credentialis JSON-serialized so external notification providers deliver it, but excluded fromtoStringandequals/hashCodeso it cannot leak into logs or tracing spans (both event envelopes carry this object in theirtoString).expiresAtdescription: it gates the completion request (a valid challenge before the deadline), not final issuance — an approved/async completion may finalize shortly after.Consumed by the core handler + firing (core#1571). No behavior on its own.