build: target IAnyCAPlugin 3.2.0 (no-DCV variant for 25.5.0 hosts)

Gateway hosts on anygateway-rest 25.5.0 ship IAnyCAPlugin 3.2.0; a plugin built
against 3.3.0-PRERELEASE loads but its AnyCAPluginCertificate records are not
persisted by the 3.2 host (issue 0003). This branch builds against 3.2.0 so the
contract matches, at the cost of DCV (the v3.3-only IDomainValidatorFactory).

- CERTInext.csproj: IAnyCAPlugin 3.3.0-PRERELEASE -> 3.2.0; SUPPORTS_DCV define
  documented (left undefined).
- CERTInextCAPlugin.cs: fence all DCV/IDomainValidator(Factory) code with
  #if SUPPORTS_DCV — the factory ctor, DomainValidatorFactory property, the Enroll
  DCV block, PerformDcvIfNeededAsync. TryRunDcvDuringSyncAsync no-ops (returns false)
  so the 0001 body-refetch + 0002 gate keep working; SetDomainValidatorFactory(object)
  stays as a logged no-op for host compatibility.
- Test csprojs: exclude DCV-only files (DcvTests, FakeDomainValidator, integration
  DCV lifecycle + DNS validators) unless SUPPORTS_DCV is defined.
- SmokeTests: use the (client, config) ctor instead of the fenced factory ctor.

Solution builds clean (0 warnings); 172 unit tests pass (23 DCV tests excluded).

Author: spbsoluble

CERTInext.IntegrationTests/CERTInext.IntegrationTests.csproj

@@ -12,6 +12,16 @@
     <ProjectReference Include="..\CERTInext\CERTInext.csproj" />
   </ItemGroup>
 
+  <!-- DCV integration tests + the DNS validator implementations use the v3.3-only
+       IDomainValidator / IDomainValidatorFactory and the factory constructor. On the
+       IAnyCAPlugin 3.2.0 (no-DCV) build those don't exist, so exclude these files unless
+       SUPPORTS_DCV is defined. See issue 0003. -->
+  <ItemGroup Condition="!$(DefineConstants.Contains('SUPPORTS_DCV'))">
+    <Compile Remove="DcvLifecycleTests.cs" />
+    <Compile Remove="CloudflareDomainValidator.cs" />
+    <Compile Remove="StubDomainValidator.cs" />
+  </ItemGroup>
+
   <ItemGroup>
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.9.0" />
     <PackageReference Include="xunit" Version="2.9.0" />

CERTInext.IntegrationTests/SmokeTests.cs

@@ -109,7 +109,7 @@ public async Task GetSingleRecord_ReturnsRecord()
             Skip.If(string.IsNullOrWhiteSpace(orderId),
                 "Set CERTINEXT_ORDER_ID in ~/.env_certinext to run this test.");
 
-            var plugin = new CERTInextCAPlugin(_fixture.Client, new StubDomainValidatorFactory(), _fixture.Config);
+            var plugin = new CERTInextCAPlugin(_fixture.Client, _fixture.Config);
             var record = await plugin.GetSingleRecord(orderId);
 
             record.Should().NotBeNull();
@@ -130,7 +130,7 @@ public async Task GetSingleRecord_ForAllOrders_AllSucceed()
         {
             IntegrationSkip.IfNotConfigured(_fixture);
 
-            var plugin = new CERTInextCAPlugin(_fixture.Client, new StubDomainValidatorFactory(), _fixture.Config);
+            var plugin = new CERTInextCAPlugin(_fixture.Client, _fixture.Config);
 
             var orderNumbers = new List<string>();
             await foreach (var entry in _fixture.Client.ListOrdersAsync())
@@ -170,7 +170,7 @@ public async Task Synchronize_DumpsAllRecords()
         {
             IntegrationSkip.IfNotConfigured(_fixture);
 
-            var plugin = new CERTInextCAPlugin(_fixture.Client, new StubDomainValidatorFactory(), _fixture.Config);
+            var plugin = new CERTInextCAPlugin(_fixture.Client, _fixture.Config);
 
             var records = new List<Keyfactor.AnyGateway.Extensions.AnyCAPluginCertificate>();
             var blockingCollection = new System.Collections.Concurrent.BlockingCollection<Keyfactor.AnyGateway.Extensions.AnyCAPluginCertificate>();

CERTInext.Tests/CERTInext.Tests.csproj

@@ -12,6 +12,14 @@
     <ProjectReference Include="..\CERTInext\CERTInext.csproj" />
   </ItemGroup>
 
+  <!-- DCV unit tests + the fake DNS validator implement the v3.3-only IDomainValidator /
+       IDomainValidatorFactory. On the IAnyCAPlugin 3.2.0 (no-DCV) build those types don't
+       exist, so exclude these files unless SUPPORTS_DCV is defined. See issue 0003. -->
+  <ItemGroup Condition="!$(DefineConstants.Contains('SUPPORTS_DCV'))">
+    <Compile Remove="CERTInextCAPluginDcvTests.cs" />
+    <Compile Remove="FakeDomainValidator.cs" />
+  </ItemGroup>
+
   <ItemGroup>
     <PackageReference Include="coverlet.collector" Version="6.0.2" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.9.0" />

CERTInext/CERTInext.csproj

@@ -6,11 +6,19 @@
     <ImplicitUsings>disable</ImplicitUsings>
     <Nullable>warnings</Nullable>
     <LangVersion>12.0</LangVersion>
+    <!-- DCV requires the v3.3-only IDomainValidatorFactory. This branch targets
+         IAnyCAPlugin 3.2.0 (for 25.5.0 hosts), so SUPPORTS_DCV is intentionally NOT
+         defined and all DCV code is fenced out with #if SUPPORTS_DCV. See issue 0003. -->
+    <!-- <DefineConstants>SUPPORTS_DCV</DefineConstants> -->
     <CopyLocalLockFileAssemblies>true</CopyLocalLockFileAssemblies>
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Keyfactor.AnyGateway.IAnyCAPlugin" Version="3.3.0-PRERELEASE-78770-979f582005" />
+    <!-- 3.2.0 (NOT 3.3) so the plugin's AnyCAPluginCertificate contract matches gateway
+         hosts shipping IAnyCAPlugin 3.2.0 (e.g. anygateway-rest 25.5.0). DCV requires the
+         3.3-only IDomainValidatorFactory, so the DCV code is disabled on this branch.
+         See issue 0003. -->
+    <PackageReference Include="Keyfactor.AnyGateway.IAnyCAPlugin" Version="3.2.0" />
     <PackageReference Include="Keyfactor.Logging" Version="1.1.2" />
     <PackageReference Include="Keyfactor.PKI" Version="5.5.0" />
     <PackageReference Include="RestSharp" Version="112.1.0" />

CERTInext/CERTInextCAPlugin.cs

@@ -19,7 +19,9 @@
 using Keyfactor.Logging;
 using Keyfactor.PKI.Enums.EJBCA;
 using Microsoft.Extensions.Logging;
+#if SUPPORTS_DCV
 using IDomainValidatorFactory = Keyfactor.AnyGateway.Extensions.IDomainValidatorFactory;
+#endif
 
 namespace Keyfactor.Extensions.CAPlugin.CERTInext
 {
@@ -51,7 +53,14 @@ public class CERTInextCAPlugin : IAnyCAPlugin, IDisposable
         // `volatile` because the field is written by SetDomainValidatorFactory and read
         // by EnrollNewAsync / TryRunDcvDuringSyncAsync, which can run on different threads.
         // See GitHub issue #7 for the full reasoning.
+        // On the no-DCV build (IAnyCAPlugin 3.2.0, SUPPORTS_DCV undefined) this field is
+        // intentionally never assigned — its assignment sites (the factory ctor and
+        // SetDomainValidatorFactory) are fenced out, so it stays null and the Initialize
+        // DCV-wiring check reports "not wired". Suppress CS0649 for that case; on the
+        // SUPPORTS_DCV build it is assigned normally and the pragma is a no-op.
+#pragma warning disable CS0649
         private volatile object _domainValidatorFactory;
+#pragma warning restore CS0649
 
         /// <summary>
         /// Returns the injected <see cref="IDomainValidatorFactory"/> when one is
@@ -60,8 +69,10 @@ public class CERTInextCAPlugin : IAnyCAPlugin, IDisposable
         /// gateway host stays compileable and never triggers <c>TypeLoadException</c>
         /// at runtime.  All read sites in this class go through this property.
         /// </summary>
+#if SUPPORTS_DCV
         private IDomainValidatorFactory DomainValidatorFactory =>
             _domainValidatorFactory as IDomainValidatorFactory;
+#endif
 
         // True when the client was passed in via a test-injection constructor and therefore
         // should not be disposed by this class (the test owns the mock's lifetime).
@@ -141,13 +152,15 @@ internal CERTInextCAPlugin(ICERTInextClient client, CERTInextConfig config)
         /// <c>CERTInext.IntegrationTests</c> can still reach it via
         /// <c>[InternalsVisibleTo]</c>.  See issue #7.
         /// </summary>
+#if SUPPORTS_DCV
         internal CERTInextCAPlugin(ICERTInextClient client, IDomainValidatorFactory domainValidatorFactory, CERTInextConfig config = null)
         {
             _client = client;
             _clientWasInjected = true;
             _domainValidatorFactory = domainValidatorFactory;
             _config = config ?? new CERTInextConfig();
         }
+#endif
 
         /// <summary>
         /// Injects an <see cref="IDomainValidatorFactory"/> after construction.  Intended
@@ -162,6 +175,7 @@ internal CERTInextCAPlugin(ICERTInextClient client, IDomainValidatorFactory doma
         /// </summary>
         public void SetDomainValidatorFactory(object factory)
         {
+#if SUPPORTS_DCV
             var typed = factory as IDomainValidatorFactory;
             // SOX change-management / SOC2 CC6.1: log every factory injection so an auditor
             // can confirm which DNS provider plugin is being used to publish TXT records.
@@ -173,6 +187,14 @@ public void SetDomainValidatorFactory(object factory)
                 "OfferedType={OfferedType}, Accepted={Accepted}",
                 factory?.GetType().FullName ?? "(null)", typed != null);
             _domainValidatorFactory = typed;
+#else
+            // DCV is not supported on this build (IAnyCAPlugin 3.2.0 — no IDomainValidatorFactory).
+            // Accept the call for host compatibility but leave DCV disabled. See issue 0003.
+            _logger.LogInformation(
+                "Domain validator factory offered but DCV is not supported on this build " +
+                "(IAnyCAPlugin 3.2.0). OfferedType={OfferedType}",
+                factory?.GetType().FullName ?? "(null)");
+#endif
         }
 
         // ---------------------------------------------------------------------------
@@ -1024,6 +1046,7 @@ private async Task<EnrollmentResult> EnrollNewAsync(
 
             var enrollResp = await _client.EnrollCertificateAsync(enrollReq);
 
+#if SUPPORTS_DCV
             // DCV: run domain validation if enabled, the factory was injected, and the
             // order was accepted (not immediately failed).
             string orderNumber = enrollResp.Id;
@@ -1086,6 +1109,7 @@ private async Task<EnrollmentResult> EnrollNewAsync(
                     }
                 }
             }
+#endif
 
             return BuildEnrollmentResult(enrollResp, ep.AutoApprove);
         }
@@ -1285,6 +1309,7 @@ private static bool IsDcvNotYetReady(Exception ex)
         /// </summary>
         private async Task<bool> TryRunDcvDuringSyncAsync(string orderNumber, CancellationToken ct, bool fastSync = false)
         {
+#if SUPPORTS_DCV
             if (_domainValidatorFactory == null || !_config.DcvEnabled || string.IsNullOrEmpty(orderNumber))
                 return false;
 
@@ -1330,6 +1355,12 @@ private async Task<bool> TryRunDcvDuringSyncAsync(string orderNumber, Cancellati
             {
                 _dcvInFlight.TryRemove(orderNumber, out _);
             }
+#else
+            // DCV is not supported on this build (IAnyCAPlugin 3.2.0). No-op: pending orders
+            // are reported as EXTERNALVALIDATION and not advanced during sync. See issue 0003.
+            await Task.CompletedTask;
+            return false;
+#endif
         }
 
         /// <summary>
@@ -1347,6 +1378,7 @@ private async Task<bool> TryRunDcvDuringSyncAsync(string orderNumber, Cancellati
         /// on the next cycle instead.  Enroll passes <c>null</c> to keep the full configured
         /// budget (user-visible latency benefits from a one-shot end-to-end finish).
         /// </summary>
+#if SUPPORTS_DCV
         private async Task<bool> PerformDcvIfNeededAsync(
             string orderNumber,
             CancellationToken ct,
@@ -1608,6 +1640,7 @@ private async Task<bool> PerformDcvIfNeededAsync(
 
             return true;
         }
+#endif
 
         /// <summary>
         /// Polls <c>GetCertificateAsync</c> until either (a) the certificate reaches a terminal