feat: DMS: add certificate Issuance Profile support#276
Codecov Report
Attention: Patch coverage is
Coverage Diff (main vs. #276):
| | main | #276 | +/- |
|---|---|---|---|
| Coverage | 45.82% | 45.81% | -0.01% |
| Files | 128 | 128 | |
| Lines | 8570 | 8569 | -1 |
| Hits | 3927 | 3926 | -1 |
| Misses | 4307 | 4307 | |
| Partials | 336 | 336 | |
Pull Request Overview
This PR adds configurable certificate issuance profiles to the DMS, enhancing control over device certificate management.
- Introduces a new IssuanceProfile field in DMS settings with associated validation and default assignment logic.
- Updates create, update, enroll, and reenroll operations to validate the issuance profile against the enrollment CA’s certificate.
- Adds new error definitions and test cases to capture invalid issuance profile scenarios.
Reviewed Changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| core/pkg/models/dms.go | Added a new IssuanceProfile field to the DMS settings struct |
| core/pkg/errs/dms.go | Added new error ErrDMSIssuanceProfile for issuance profile validation failures |
| backend/pkg/x509engines/x509engine.go | Updated error message wording for certificate expiration checks |
| backend/pkg/services/dmsmanager.go | Integrated issuance profile validation and default assignment in DMS operations |
| backend/pkg/controllers/dmsmanager.go | Adjusted HTTP error responses to use consistent JSON formatting |
| backend/pkg/assemblers/dms-manager_test.go | Added tests covering invalid issuance profile scenarios |
Comments suppressed due to low confidence (1)
core/pkg/errs/dms.go:8
- [nitpick] Standardize the error message wording for issuance profile validation so that it matches the log messages produced in the validation function; this will help reduce ambiguity when troubleshooting.
```go
ErrDMSIssuanceProfile error = errors.New("DMS certificate expiration exceeds that of the enrollment CA")
```
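The two rules the review summary describes (a DMS without its own profile inherits the enrollment CA's, and no profile may issue a certificate that outlives the CA certificate), as an added example that is not the project's code. Only the error name and message come from the page; the `IssuanceProfile` struct, `expiresAt` and `ResolveIssuanceProfile` are assumed shapes.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Error name and message as quoted in the review comment above.
var ErrDMSIssuanceProfile = errors.New("DMS certificate expiration exceeds that of the enrollment CA")

// IssuanceProfile is an assumed shape (the real struct is not shown here):
// issued certificates are valid for a fixed Duration, or until Time if set.
type IssuanceProfile struct {
	Duration time.Duration
	Time     time.Time
}

// expiresAt is when a certificate issued at now under p would expire.
func (p IssuanceProfile) expiresAt(now time.Time) time.Time {
	if !p.Time.IsZero() {
		return p.Time
	}
	return now.Add(p.Duration)
}

// ResolveIssuanceProfile applies the two rules the PR adds: a DMS with no
// profile of its own inherits the enrollment CA's profile, and whichever
// profile is used may not produce a device certificate that outlives the
// CA certificate (caNotAfter). Create/update and enroll/reenroll paths
// would run this check before signing.
func ResolveIssuanceProfile(dmsProfile *IssuanceProfile, caProfile IssuanceProfile, caNotAfter, now time.Time) (IssuanceProfile, error) {
	profile := caProfile
	if dmsProfile != nil {
		profile = *dmsProfile
	}
	if profile.expiresAt(now).After(caNotAfter) {
		return IssuanceProfile{}, ErrDMSIssuanceProfile
	}
	return profile, nil
}

func main() {
	now := time.Now()
	caNotAfter := now.Add(365 * 24 * time.Hour)
	caProfile := IssuanceProfile{Duration: 30 * 24 * time.Hour}
	tooLong := IssuanceProfile{Duration: 400 * 24 * time.Hour} // constructed: outlives the CA
	_, err := ResolveIssuanceProfile(&tooLong, caProfile, caNotAfter, now)
	fmt.Println(err) // DMS certificate expiration exceeds that of the enrollment CA
}
```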
* feat: use Issuance Profile definition from DMS during enroll and reenroll
  Signed-off-by: Jon Galipienzo <[email protected]>
* test: add/update tests to cover the new configuration
  Signed-off-by: Jon Galipienzo <[email protected]>
* feat: provide enrollment CA's IssuanceProfile as default
  Signed-off-by: Jon Galipienzo <[email protected]>
* test: add test for default issuance profile
  Signed-off-by: Jon Galipienzo <[email protected]>
* test: fix tests
  Signed-off-by: Jon Galipienzo <[email protected]>
* feat: validate issuance profile on create/update
  Signed-off-by: Jon Galipienzo <[email protected]>
---------
Signed-off-by: Jon Galipienzo <[email protected]>
Signed-off-by: Haritz <haritzsaiz>



This PR introduces support for configurable issuance profiles on a per-DMS basis, providing greater flexibility and control over device certificate management.
Closes #274
New functionality:
- IssuanceProfile field to the DMS settings struct. This feature enables fine-grained control over certificate issuance policies for each DMS.