Skip to content

Add CERTIFICATE_REGISTERED event type and payload#772

Merged
lubomirw merged 4 commits into
mainfrom
issue-1571-certificate-registered-event
Jul 13, 2026
Merged

Add CERTIFICATE_REGISTERED event type and payload#772
lubomirw merged 4 commits into
mainfrom
issue-1571-certificate-registered-event

Conversation

@lubomirw

Copy link
Copy Markdown
Contributor

Part of #1571. Adds the CERTIFICATE_REGISTERED event type + payload that core fires when a certificate is pre-registered.

  • ResourceEvent.CERTIFICATE_REGISTERED (+ Codes constant) — resource CERTIFICATE, monitoring=false (one-shot), payload CertificateRegisteredEventData.
  • CertificateRegisteredEventData extends CertificateEventAuthorityData and adds issuanceDeadline and credential (the one-time challenge the recipient presents to complete issuance). credential is JSON-serialized so external notification providers deliver it, but excluded from toString and equals/hashCode so it cannot leak into logs or tracing spans (both event envelopes carry this object in their toString).
  • Clarifies the register expiresAt description: it gates the completion request (a valid challenge before the deadline), not final issuance — an approved/async completion may finalize shortly after.

Consumed by the core handler + firing (core#1571). No behavior on its own.

lubomirw added 2 commits July 13, 2026 14:47
Register a CERTIFICATE_REGISTERED resource event with a CertificateRegisteredEventData
payload carrying the certificate identity, the issuance deadline, and the one-time
credential the recipient presents to complete issuance. The credential is JSON-serialized
(so external notification providers deliver it) but excluded from toString and
equals/hashCode so it cannot leak into logs or tracing spans.
Copilot AI review requested due to automatic review settings July 13, 2026 13:32
@lubomirw lubomirw added the enhancement Improvement to existing functionality label Jul 13, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new certificate lifecycle event contract so core can emit a one-shot notification when a certificate is pre-registered, including the one-time completion credential and its deadline, while avoiding accidental credential leakage via toString/equals/hashCode.

Changes:

  • Introduces CertificateRegisteredEventData with issuanceDeadline and sensitive credential (excluded from toString and equals/hashCode).
  • Registers CERTIFICATE_REGISTERED in ResourceEvent (+ Codes constant).
  • Clarifies ClientCertificateRegistrationDto.expiresAt schema description to reflect completion-request gating semantics.
  • Adds a unit test to ensure toString() does not leak the credential.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
src/main/java/com/otilm/api/model/common/events/data/CertificateRegisteredEventData.java New event payload type for pre-registration notifications, including deadline + credential handling.
src/main/java/com/otilm/api/model/core/other/ResourceEvent.java Adds the new CERTIFICATE_REGISTERED event type and code constant.
src/main/java/com/otilm/api/model/core/v2/ClientCertificateRegistrationDto.java Updates OpenAPI schema wording for the registration completion deadline (expiresAt).
src/test/java/com/otilm/api/model/common/events/data/CertificateRegisteredEventDataTest.java Adds tests around credential non-leakage in toString().

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

…then tests

- Rename the event field issuanceDeadline -> completionDeadline and reword its
  description to match the clarified expiresAt semantics (it gates the completion
  request, not final issuance) — the old name reintroduced the misconception the
  DTO reword corrected.
- Declare RA_PROFILE + GROUP overriding resources on CERTIFICATE_REGISTERED, like
  every other authority-scoped certificate event, so RA-profile/group-scoped
  triggers and notification profiles can target it.
- Strengthen the payload test: JSON round-trip proving the credential serializes
  for external delivery, a positive toString assertion, and equals/hashCode
  exclusion — locking both halves of the leak-safe-yet-deliverable invariant.
- Note that credential carries the value supplied inbound as authorizationSecret.
@sonarqubecloud

Copy link
Copy Markdown

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

@lubomirw lubomirw requested a review from klaraf755 July 13, 2026 14:35
@lubomirw lubomirw merged commit db13656 into main Jul 13, 2026
9 checks passed
@lubomirw lubomirw deleted the issue-1571-certificate-registered-event branch July 13, 2026 18:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement Improvement to existing functionality

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants