feat: complete SSL order body, sync DCV retry, and bounded Enroll waits

Closes several gaps uncovered while running live enrollments against the
CERTInext sandbox under concurrent load.

SSL order body (CERTInextClient.BuildOrderRequestFromLegacyEnrollRequest):
- Populate organizationDetails (preVetting="1" + organizationNumber) so orders
  declare a pre-vetted org and skip CERTInext's manual vetting queue. Without
  this, fresh orders parked in "Pending System RA" for tens of hours on the
  sandbox.
- Populate delegationInformation.groupNumber so orders route to the configured
  account group.
- Populate technicalPointOfContact (defaults fall back to Requestor*).
- Apply admin-configurable defaults for accountingModel, emailNotifications,
  subscriptionDetails.autoRenew/renewCriteria, certificateInformation.autoSecureWww.

Connector configuration (CERTInextConfig + Constants + manifest + README):
- Add OrganizationNumber, TechnicalContactName/Email/IsdCode/MobileNumber,
  AccountingModel, EmailNotifications, SubscriptionValidityYears,
  SubscriptionAutoRenew, SubscriptionRenewCriteriaDays, AutoSecureWww.
- Each has a PropertyConfigInfo descriptor surfaced in the Keyfactor Command
  connector UI, plus a matching entry in integration-manifest.json and the
  README "CA Configuration" reference table.

Sync-driven DCV retry (CERTInextCAPlugin.Synchronize + GetSingleRecord):
- Add TryRunDcvDuringSyncAsync wrapper around PerformDcvIfNeededAsync with a
  per-order in-flight guard (_dcvInFlight ConcurrentDictionary) and bounded
  timeout. Called from Synchronize for every non-terminal order and from
  GetSingleRecord for single-record refreshes, so orders whose DCV challenge
  is only exposed after Enroll() returns get advanced on the next gateway
  sync cycle.
- Also reserve the in-flight slot during the enroll-side DCV path so a
  concurrent sync can't double-stage TXT records for the same order.

EMS-956 tolerance (PerformDcvIfNeededAsync):
- CERTInext returns "EMS-956 Invalid Request for this API" from GetDcv when
  TrackOrder shows domainVerification populated but the GetDcv endpoint
  isn't yet accepting calls. Plugin now treats this narrowly as
  "not yet ready" (deferred to next sync) instead of throwing and failing
  the enrollment. Matching requires either an exact "EMS-956" code OR the
  phrase with no other EMS-NNN code present, so a 4xx whose body happens
  to contain the phrase isn't silently swallowed.

Bounded Enroll() waits (DcvWaitForChallengeSeconds, DcvWaitForIssuanceSeconds):
- Inside PerformDcvIfNeededAsync, poll TrackOrder up to DcvWaitForChallengeSeconds
  (default 60) waiting for domainVerification to materialize. Without this,
  high-concurrency enrollments race CERTInext and skip DCV during Enroll().
- After WaitForDcvVerificationAsync confirms DCV, poll GetCertificate up to
  DcvWaitForIssuanceSeconds (default 60) waiting for CERTInext's async issuance
  to complete. Without this, Enroll() returns a pending result and the cert
  is picked up on the next sync cycle. Both env-overridable via
  CERTINEXT_DCV_WAIT_FOR_CHALLENGE_SECONDS and CERTINEXT_DCV_WAIT_FOR_ISSUANCE_SECONDS.

Tests:
- CERTInextClientRequestShapeTests (9): pin the JSON body emitted by the new
  builder against connector config combinations (org set/blank, group set/blank,
  TPoC explicit/fallback, defaults vs custom).
- CERTInextCAPluginDcvTests (5 new): EMS-956 tolerance (defer with code,
  defer with phrase-only, rethrow on unrelated error), challenge-wait polling
  (succeeds when slot appears late, gives up after budget), issuance-wait
  polling (returns issued, not first pending).
- SmokeTests adds GetSingleRecord_ForAllOrders_AllSucceed which iterates the
  account's orders through the plugin's GetSingleRecord path.
- DcvLifecycleTests adds GetSingleRecord_DrivesDcvForPendingOrder and
  BulkDvEnrollment_AllOrdersIssue_AndPaginationWorks (opt-in via
  CERTINEXT_RUN_BULK_TEST=1) to exercise the deferred-DCV path and verify
  the sync iterator crosses the PageSize boundary under volume.

136/136 unit tests pass.

Author: spbsoluble

CERTInext.IntegrationTests/CERTInext.IntegrationTests.csproj

@@ -21,6 +21,7 @@
     </PackageReference>
     <PackageReference Include="FluentAssertions" Version="6.12.0" />
     <PackageReference Include="Xunit.SkippableFact" Version="1.4.13" />
+    <PackageReference Include="BouncyCastle.Cryptography" Version="2.0.0" />
     <!-- Suppress TFM support build warnings for transitive dependencies -->
     <PackageReference Include="Microsoft.Bcl.AsyncInterfaces" Version="8.0.0" />
     <PackageReference Include="System.IO.Pipelines" Version="8.0.0" />

CERTInext.IntegrationTests/DcvLifecycleTests.cs

@@ -83,6 +83,12 @@ public IntegrationTestFixture()
 
             var env = LoadEnvFile(envPath);
 
+            // Promote env-file values into the process environment so that any code
+            // calling System.Environment.GetEnvironmentVariable() picks them up.
+            foreach (var kv in env)
+                if (System.Environment.GetEnvironmentVariable(kv.Key) == null)
+                    System.Environment.SetEnvironmentVariable(kv.Key, kv.Value);
+
             ApiUrl        = GetEnvValue(env, "CERTINEXT_API_URL");
             AccessKey     = GetEnvValue(env, "CERTINEXT_ACCESS_KEY");
             AccountNumber = GetEnvValue(env, "CERTINEXT_ACCOUNT_NUMBER");
@@ -109,6 +115,7 @@ public IntegrationTestFixture()
                     ApiKey             = AccessKey,
                     AccountNumber      = AccountNumber,
                     GroupNumber        = GroupNumber,
+                    OrganizationNumber = OrgNumber,
                     RequestorName      = string.IsNullOrWhiteSpace(RequestorName)
                                              ? "Keyfactor Integration Test"
                                              : RequestorName,

CERTInext.IntegrationTests/IntegrationTestFixture.cs

@@ -6,14 +6,18 @@
 using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.Linq;
-using System.Security.Cryptography;
-using System.Security.Cryptography.X509Certificates;
+using Org.BouncyCastle.Asn1.X509;
+using Org.BouncyCastle.Crypto;
+using Org.BouncyCastle.Crypto.Generators;
+using Org.BouncyCastle.Pkcs;
+using Org.BouncyCastle.Security;
 using System.Threading;
 using System.Threading.Tasks;
 using FluentAssertions;
 using Keyfactor.AnyGateway.Extensions;
 using Keyfactor.PKI.Enums.EJBCA;
 using Xunit;
+using Xunit.Abstractions;
 
 namespace Keyfactor.Extensions.CAPlugin.CERTInext.IntegrationTests
 {
@@ -34,10 +38,12 @@ namespace Keyfactor.Extensions.CAPlugin.CERTInext.IntegrationTests
     public class LifecycleTests : IClassFixture<IntegrationTestFixture>
     {
         private readonly IntegrationTestFixture _fixture;
+        private readonly ITestOutputHelper _output;
 
-        public LifecycleTests(IntegrationTestFixture fixture)
+        public LifecycleTests(IntegrationTestFixture fixture, ITestOutputHelper output)
         {
             _fixture = fixture;
+            _output = output;
         }
 
         // ---------------------------------------------------------------------------
@@ -60,22 +66,15 @@ private CERTInextCAPlugin BuildPlugin()
         /// </summary>
         private static string GenerateCsrPem(string commonName)
         {
-            using var rsa = RSA.Create(2048);
+            var keyGen = new RsaKeyPairGenerator();
+            keyGen.Init(new KeyGenerationParameters(new SecureRandom(), 2048));
+            var keyPair = keyGen.GenerateKeyPair();
 
-            var certReq = new CertificateRequest(
-                $"CN={commonName}",
-                rsa,
-                HashAlgorithmName.SHA256,
-                RSASignaturePadding.Pkcs1);
-
-            var sanBuilder = new SubjectAlternativeNameBuilder();
-            sanBuilder.AddDnsName(commonName);
-            certReq.CertificateExtensions.Add(sanBuilder.Build());
-
-            byte[] csrDer = certReq.CreateSigningRequest();
+            var subject = new X509Name($"CN={commonName}");
+            var csr = new Pkcs10CertificationRequest("SHA256withRSA", subject, keyPair.Public, null, keyPair.Private);
 
             return "-----BEGIN CERTIFICATE REQUEST-----\n"
-                + Convert.ToBase64String(csrDer, Base64FormattingOptions.InsertLineBreaks)
+                + Convert.ToBase64String(csr.GetEncoded(), Base64FormattingOptions.InsertLineBreaks)
                 + "\n-----END CERTIFICATE REQUEST-----";
         }
 
@@ -237,5 +236,6 @@ await revokeAct.Should().NotThrowAsync(
                 (int)EndEntityStatus.REVOKED,
                 "Revoke must return the REVOKED status code on success");
         }
+
     }
 }

CERTInext.IntegrationTests/LifecycleTests.cs

@@ -0,0 +1,199 @@
+// Copyright 2024 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// At http://www.apache.org/licenses/LICENSE-2.0
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using FluentAssertions;
+using Xunit;
+using Xunit.Abstractions;
+
+namespace Keyfactor.Extensions.CAPlugin.CERTInext.IntegrationTests
+{
+    /// <summary>
+    /// Basic smoke tests — one operation per test, no side effects.
+    /// These verify the API is reachable and returning sensible data without
+    /// creating or modifying any orders.
+    ///
+    /// All tests skip when CERTInext credentials are absent (<see cref="IntegrationSkip"/>).
+    /// </summary>
+    public class SmokeTests : IClassFixture<IntegrationTestFixture>
+    {
+        private readonly IntegrationTestFixture _fixture;
+        private readonly ITestOutputHelper _output;
+
+        public SmokeTests(IntegrationTestFixture fixture, ITestOutputHelper output)
+        {
+            _fixture = fixture;
+            _output = output;
+        }
+
+        [SkippableFact]
+        public async Task Ping_Succeeds()
+        {
+            IntegrationSkip.IfNotConfigured(_fixture);
+
+            await _fixture.Client.Invoking(c => c.PingAsync())
+                .Should().NotThrowAsync("credentials should be valid and API should be reachable");
+        }
+
+        [SkippableFact]
+        public async Task GetProductDetails_ReturnsProducts()
+        {
+            IntegrationSkip.IfNotConfigured(_fixture);
+
+            var products = await _fixture.Client.GetProductDetailsAsync();
+
+            products.Should().NotBeNullOrEmpty("account must have at least one product configured");
+
+            foreach (var p in products)
+                _output.WriteLine($"  ProductCode={p.ProductCode}  Name={p.ProductName}  Type={p.ProductType}");
+        }
+
+        [SkippableFact]
+        public async Task ListOrders_ReturnsFirstPage()
+        {
+            IntegrationSkip.IfNotConfigured(_fixture);
+
+            var orders = new List<API.OrderReportEntry>();
+
+            await foreach (var entry in _fixture.Client.ListOrdersAsync(pageSize: 10))
+            {
+                orders.Add(entry);
+                if (orders.Count >= 10) break;
+            }
+
+            orders.Should().NotBeEmpty("sandbox account should have at least one order");
+
+            _output.WriteLine($"Returned {orders.Count} orders (capped at 10):");
+            foreach (var o in orders)
+                _output.WriteLine($"  OrderNumber={o.OrderNumber}  Domain={o.DomainName}  Status={o.CertificateStatus}  Expiry={o.CertificateExpiryDate}");
+        }
+
+        [SkippableFact]
+        public async Task TrackOrder_ReturnsDetails()
+        {
+            IntegrationSkip.IfNotConfigured(_fixture);
+
+            string orderId = System.Environment.GetEnvironmentVariable("CERTINEXT_ORDER_ID");
+            Skip.If(string.IsNullOrWhiteSpace(orderId),
+                "Set CERTINEXT_ORDER_ID in ~/.env_certinext to run this test.");
+
+            var response = await _fixture.Client.TrackOrderAsync(orderId);
+
+            response.Should().NotBeNull();
+            response.OrderDetails.Should().NotBeNull();
+
+            var od = response.OrderDetails;
+            _output.WriteLine($"OrderNumber:       {orderId}");
+            _output.WriteLine($"OrderStatus:       {od.OrderStatus} (id={od.OrderStatusId})");
+            _output.WriteLine($"CertificateStatus: {od.CertificateStatus} (id={od.CertificateStatusId})");
+            _output.WriteLine($"CertificateExpiry: {od.CertificateExpiryDate}");
+            _output.WriteLine($"TrackingUrl:       {od.TrackingUrl}");
+
+            if (od.DomainVerification != null)
+            {
+                foreach (var kv in od.DomainVerification.GetDomainEntries())
+                    _output.WriteLine($"  Domain [{kv.Key}]: dcvMethod={kv.Value.DcvMethod} dcvStatus={kv.Value.DcvStatus} verifiedDate={kv.Value.VerifiedDate}");
+            }
+        }
+
+        [SkippableFact]
+        public async Task GetSingleRecord_ReturnsRecord()
+        {
+            IntegrationSkip.IfNotConfigured(_fixture);
+
+            string orderId = System.Environment.GetEnvironmentVariable("CERTINEXT_ORDER_ID");
+            Skip.If(string.IsNullOrWhiteSpace(orderId),
+                "Set CERTINEXT_ORDER_ID in ~/.env_certinext to run this test.");
+
+            var plugin = new CERTInextCAPlugin(_fixture.Client, new StubDomainValidatorFactory(), _fixture.Config);
+            var record = await plugin.GetSingleRecord(orderId);
+
+            record.Should().NotBeNull();
+
+            _output.WriteLine($"CARequestID:  {record.CARequestID}");
+            _output.WriteLine($"Status:       {record.Status}");
+            _output.WriteLine($"Certificate:  {(string.IsNullOrWhiteSpace(record.Certificate) ? "(not yet issued)" : record.Certificate[..60] + "...")}");
+        }
+
+        /// <summary>
+        /// Exercises <see cref="CERTInextCAPlugin.GetSingleRecord"/> against every order
+        /// returned by <c>ListOrdersAsync</c>.  Validates that the per-order plugin
+        /// code path (TrackOrder → GetCertificate → AnyCAPluginCertificate mapping)
+        /// succeeds for every order on the account, regardless of certificate status.
+        /// </summary>
+        [SkippableFact]
+        public async Task GetSingleRecord_ForAllOrders_AllSucceed()
+        {
+            IntegrationSkip.IfNotConfigured(_fixture);
+
+            var plugin = new CERTInextCAPlugin(_fixture.Client, new StubDomainValidatorFactory(), _fixture.Config);
+
+            var orderNumbers = new List<string>();
+            await foreach (var entry in _fixture.Client.ListOrdersAsync())
+            {
+                if (!string.IsNullOrWhiteSpace(entry.OrderNumber))
+                    orderNumbers.Add(entry.OrderNumber);
+            }
+
+            orderNumbers.Should().NotBeEmpty("sandbox account should have at least one order");
+            _output.WriteLine($"Calling GetSingleRecord for {orderNumbers.Count} order(s):");
+
+            var failures = new List<(string Order, string Error)>();
+            foreach (var orderId in orderNumbers)
+            {
+                try
+                {
+                    var record = await plugin.GetSingleRecord(orderId);
+                    string certPreview = string.IsNullOrWhiteSpace(record.Certificate)
+                        ? "(none)"
+                        : $"{record.Certificate.Length} chars";
+                    _output.WriteLine($"  [OK]   Order={orderId}  Status={record.Status}  Cert={certPreview}");
+                }
+                catch (Exception ex)
+                {
+                    failures.Add((orderId, ex.Message));
+                    _output.WriteLine($"  [FAIL] Order={orderId}  Error={ex.Message}");
+                }
+            }
+
+            failures.Should().BeEmpty(
+                $"every order's GetSingleRecord call should succeed; {failures.Count} failed: " +
+                string.Join("; ", failures.Select(f => $"{f.Order}={f.Error}")));
+        }
+
+        [SkippableFact]
+        public async Task Synchronize_DumpsAllRecords()
+        {
+            IntegrationSkip.IfNotConfigured(_fixture);
+
+            var plugin = new CERTInextCAPlugin(_fixture.Client, new StubDomainValidatorFactory(), _fixture.Config);
+
+            var records = new List<Keyfactor.AnyGateway.Extensions.AnyCAPluginCertificate>();
+            var blockingCollection = new System.Collections.Concurrent.BlockingCollection<Keyfactor.AnyGateway.Extensions.AnyCAPluginCertificate>();
+
+            var syncTask = plugin.Synchronize(blockingCollection, lastSync: null, fullSync: true, cancelToken: default);
+            var collectTask = Task.Run(() =>
+            {
+                foreach (var r in blockingCollection.GetConsumingEnumerable())
+                    records.Add(r);
+            });
+
+            await syncTask;
+            blockingCollection.CompleteAdding();
+            await collectTask;
+
+            records.Should().NotBeEmpty("sandbox account should have at least one order");
+
+            _output.WriteLine($"Synchronized {records.Count} records:");
+            foreach (var r in records.Take(20))
+                _output.WriteLine($"  CARequestID={r.CARequestID}  Status={r.Status}");
+
+            if (records.Count > 20)
+                _output.WriteLine($"  ... and {records.Count - 20} more");
+        }
+    }
+}