test(dcv): FakeDomainValidator, DCV unit tests, Cloudflare integration validator

Author: spbsoluble

CERTInext.IntegrationTests/CloudflareDomainValidator.cs

@@ -0,0 +1,129 @@
+// Copyright 2024 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// At http://www.apache.org/licenses/LICENSE-2.0
+
+using System;
+using System.Collections.Concurrent;
+using System.Collections.Generic;
+using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Net.Http.Json;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+using System.Threading;
+using System.Threading.Tasks;
+using Keyfactor.AnyGateway.Extensions;
+
+namespace Keyfactor.Extensions.CAPlugin.CERTInext.IntegrationTests
+{
+    /// <summary>
+    /// <see cref="IDomainValidator"/> that publishes and removes DNS TXT records via
+    /// the Cloudflare v4 API.  Intended for integration tests against a real domain.
+    ///
+    /// Credentials are read from the <see cref="IntegrationTestFixture"/>:
+    /// <c>CERTINEXT_CF_API_TOKEN</c> and <c>CERTINEXT_CF_ZONE_ID</c>.
+    /// </summary>
+    internal sealed class CloudflareDomainValidator : IDomainValidator
+    {
+        private const string CfApiBase = "https://api.cloudflare.com/client/v4";
+
+        private readonly string _apiToken;
+        private readonly string _zoneId;
+        private readonly HttpClient _http;
+
+        // Maps staging hostname → Cloudflare record ID so CleanupValidation can delete it
+        private readonly ConcurrentDictionary<string, string> _stagedRecordIds = new();
+
+        public CloudflareDomainValidator(string apiToken, string zoneId)
+        {
+            _apiToken = apiToken ?? throw new ArgumentNullException(nameof(apiToken));
+            _zoneId   = zoneId   ?? throw new ArgumentNullException(nameof(zoneId));
+
+            _http = new HttpClient();
+            _http.DefaultRequestHeaders.Authorization =
+                new AuthenticationHeaderValue("Bearer", _apiToken);
+        }
+
+        public void Initialize(IDomainValidatorConfigProvider configProvider) { }
+
+        public async Task<DomainValidationResult> StageValidation(string key, string value, CancellationToken cancellationToken)
+        {
+            var payload = new
+            {
+                type    = "TXT",
+                name    = key,
+                content = value,
+                ttl     = 60
+            };
+
+            var response = await _http.PostAsJsonAsync(
+                $"{CfApiBase}/zones/{_zoneId}/dns_records",
+                payload,
+                cancellationToken);
+
+            string body = await response.Content.ReadAsStringAsync(cancellationToken);
+
+            if (!response.IsSuccessStatusCode)
+                return new DomainValidationResult
+                {
+                    Success      = false,
+                    ErrorMessage = $"Cloudflare API error {(int)response.StatusCode}: {body}"
+                };
+
+            using var doc  = JsonDocument.Parse(body);
+            bool success   = doc.RootElement.GetProperty("success").GetBoolean();
+            string recordId = success
+                ? doc.RootElement.GetProperty("result").GetProperty("id").GetString()
+                : null;
+
+            if (!success || string.IsNullOrEmpty(recordId))
+                return new DomainValidationResult
+                {
+                    Success      = false,
+                    ErrorMessage = $"Cloudflare record creation failed: {body}"
+                };
+
+            _stagedRecordIds[key] = recordId;
+
+            return new DomainValidationResult { Success = true };
+        }
+
+        public async Task<DomainValidationResult> CleanupValidation(string key, CancellationToken cancellationToken)
+        {
+            if (!_stagedRecordIds.TryRemove(key, out string recordId))
+                return new DomainValidationResult { Success = true }; // nothing to clean up
+
+            var response = await _http.DeleteAsync(
+                $"{CfApiBase}/zones/{_zoneId}/dns_records/{recordId}",
+                cancellationToken);
+
+            if (!response.IsSuccessStatusCode)
+            {
+                string body = await response.Content.ReadAsStringAsync(cancellationToken);
+                return new DomainValidationResult
+                {
+                    Success      = false,
+                    ErrorMessage = $"Cloudflare delete error {(int)response.StatusCode}: {body}"
+                };
+            }
+
+            return new DomainValidationResult { Success = true };
+        }
+
+        public Task ValidateConfiguration(Dictionary<string, object> configuration) => Task.CompletedTask;
+        public Dictionary<string, Keyfactor.AnyGateway.Extensions.PropertyConfigInfo> GetDomainValidatorAnnotations() => new();
+        public string GetValidationType() => "dns-01";
+    }
+
+    internal sealed class CloudflareDomainValidatorFactory : IDomainValidatorFactory
+    {
+        private readonly IDomainValidator _validator;
+
+        public CloudflareDomainValidatorFactory(string apiToken, string zoneId)
+        {
+            _validator = new CloudflareDomainValidator(apiToken, zoneId);
+        }
+
+        public IDomainValidator ResolveDomainValidator(string domain, string validationType) => _validator;
+    }
+}

CERTInext.IntegrationTests/DcvLifecycleTests.cs

@@ -0,0 +1,180 @@
+// Copyright 2024 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// At http://www.apache.org/licenses/LICENSE-2.0
+
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using FluentAssertions;
+using Keyfactor.AnyGateway.Extensions;
+using Keyfactor.PKI.Enums.EJBCA;
+using Xunit;
+
+namespace Keyfactor.Extensions.CAPlugin.CERTInext.IntegrationTests
+{
+    /// <summary>
+    /// Integration tests for the DNS DCV enrollment path.
+    ///
+    /// DNS validator selection:
+    ///   • When <c>CERTINEXT_CF_API_TOKEN</c> and <c>CERTINEXT_CF_ZONE_ID</c> are set in
+    ///     <c>~/.env_certinext</c>, a <see cref="CloudflareDomainValidator"/> is used and
+    ///     a real TXT record is published and cleaned up around the enrollment.
+    ///   • Otherwise a <see cref="StubDomainValidator"/> is used.  The plugin still
+    ///     exercises the full DCV orchestration path (Stage → propagation wait → VerifyDcv
+    ///     → Cleanup), but no real DNS record is published.  Whether CERTInext's VerifyDcv
+    ///     succeeds in this mode depends on the sandbox environment.
+    ///
+    /// All tests skip when CERTInext credentials are absent (<see cref="IntegrationSkip"/>).
+    /// Add the following to <c>~/.env_certinext</c> to run with real DNS:
+    /// <code>
+    /// CERTINEXT_CF_API_TOKEN=&lt;your Cloudflare API token with DNS:Edit&gt;
+    /// CERTINEXT_CF_ZONE_ID=&lt;Cloudflare Zone ID for your test domain&gt;
+    /// CERTINEXT_DCV_DOMAIN=&lt;subdomain to use, e.g. dcv-test.example.com&gt;
+    /// </code>
+    /// </summary>
+    public class DcvLifecycleTests : IClassFixture<IntegrationTestFixture>
+    {
+        private readonly IntegrationTestFixture _fixture;
+
+        public DcvLifecycleTests(IntegrationTestFixture fixture)
+        {
+            _fixture = fixture;
+        }
+
+        // ---------------------------------------------------------------------------
+        // Helpers
+        // ---------------------------------------------------------------------------
+
+        private IDomainValidatorFactory BuildDnsFactory() =>
+            _fixture.IsCloudflareConfigured
+                ? (IDomainValidatorFactory)new CloudflareDomainValidatorFactory(
+                    _fixture.CloudflareApiToken, _fixture.CloudflareZoneId)
+                : new StubDomainValidatorFactory();
+
+        private CERTInextCAPlugin BuildPlugin(bool dcvEnabled, int propagationDelaySeconds = 5)
+        {
+            var config = new CERTInextConfig
+            {
+                ApiUrl                    = _fixture.Config.ApiUrl,
+                AuthMode                  = _fixture.Config.AuthMode,
+                ApiKey                    = _fixture.Config.ApiKey,
+                AccountNumber             = _fixture.Config.AccountNumber,
+                GroupNumber               = _fixture.Config.GroupNumber,
+                RequestorName             = _fixture.Config.RequestorName,
+                RequestorEmail            = _fixture.Config.RequestorEmail,
+                RequestorIsdCode          = _fixture.Config.RequestorIsdCode,
+                RequestorMobileNumber     = _fixture.Config.RequestorMobileNumber,
+                SignerPlace                = _fixture.Config.SignerPlace,
+                SignerIp                   = _fixture.Config.SignerIp,
+                DefaultProductCode         = _fixture.Config.DefaultProductCode,
+                PageSize                   = _fixture.Config.PageSize,
+                DcvEnabled                 = dcvEnabled,
+                DcvPropagationDelaySeconds = propagationDelaySeconds,
+                DcvTimeoutMinutes          = 3
+            };
+
+            return new CERTInextCAPlugin(_fixture.Client, BuildDnsFactory(), config);
+        }
+
+        // ---------------------------------------------------------------------------
+        // Tests
+        // ---------------------------------------------------------------------------
+
+        /// <summary>
+        /// Enroll with DCV enabled.  Uses a real Cloudflare DNS record when CF credentials
+        /// are configured, otherwise uses <see cref="StubDomainValidator"/>.
+        ///
+        /// The test verifies that the plugin completes without throwing.  The enrollment
+        /// result status depends on whether the CERTInext sandbox auto-issues after DCV.
+        /// </summary>
+        [SkippableFact]
+        public async Task DcvEnroll_CompletesWithoutThrowing()
+        {
+            IntegrationSkip.IfNotConfigured(_fixture);
+
+            var plugin = BuildPlugin(dcvEnabled: true);
+
+            var result = await plugin.Enroll(
+                csr:            IntegrationTestData.FakeCsrPem,
+                subject:        $"CN={IntegrationTestData.DcvTestDomain}",
+                san:            new Dictionary<string, string[]>
+                {
+                    ["dns"] = new[] { IntegrationTestData.DcvTestDomain }
+                },
+                productInfo:    IntegrationTestData.DvSslProductInfo(_fixture.Config.DefaultProductCode),
+                requestFormat:  RequestFormat.PKCS10,
+                enrollmentType: EnrollmentType.New);
+
+            result.Should().NotBeNull();
+
+            if (_fixture.IsCloudflareConfigured)
+            {
+                // With real DNS, CERTInext should be able to verify — assert issuance or pending
+                new[] { (int)EndEntityStatus.GENERATED, (int)EndEntityStatus.EXTERNALVALIDATION }
+                    .Should().Contain(result.Status,
+                    "enrollment with real DNS DCV should produce a valid terminal or pending status");
+            }
+            else
+            {
+                // Without real DNS the VerifyDcv may fail; we only assert no unhandled exception
+                // was thrown (the Enroll method handles the error gracefully).
+                result.Should().NotBeNull("enrollment should return a result even when stub DNS is used");
+            }
+        }
+
+        /// <summary>
+        /// Enroll without DCV enabled — verifies the plugin skips the DCV path entirely
+        /// and returns a result from the normal enrollment flow.
+        /// </summary>
+        [SkippableFact]
+        public async Task EnrollWithoutDcv_DoesNotInvokeDnsProvider()
+        {
+            IntegrationSkip.IfNotConfigured(_fixture);
+
+            // Use a plugin backed by the real client but DcvEnabled=false
+            var plugin = BuildPlugin(dcvEnabled: false);
+
+            var result = await plugin.Enroll(
+                csr:            IntegrationTestData.FakeCsrPem,
+                subject:        $"CN={IntegrationTestData.DcvTestDomain}",
+                san:            new Dictionary<string, string[]>
+                {
+                    ["dns"] = new[] { IntegrationTestData.DcvTestDomain }
+                },
+                productInfo:    IntegrationTestData.DvSslProductInfo(_fixture.Config.DefaultProductCode),
+                requestFormat:  RequestFormat.PKCS10,
+                enrollmentType: EnrollmentType.New);
+
+            result.Should().NotBeNull();
+        }
+    }
+
+    /// <summary>
+    /// Shared test data for DCV integration tests.
+    /// </summary>
+    internal static class IntegrationTestData
+    {
+        /// <summary>
+        /// Domain used for DCV tests.  Override via <c>CERTINEXT_DCV_DOMAIN</c> in
+        /// <c>~/.env_certinext</c>.
+        /// </summary>
+        public static string DcvTestDomain =>
+            System.Environment.GetEnvironmentVariable("CERTINEXT_DCV_DOMAIN")
+            ?? "dcv-test.example.com";
+
+        public const string FakeCsrPem =
+            "-----BEGIN CERTIFICATE REQUEST-----\n" +
+            "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2a2rwplBQLzHPZe5TNJF\n" +
+            "-----END CERTIFICATE REQUEST-----";
+
+        public static EnrollmentProductInfo DvSslProductInfo(string productCode = null) =>
+            new EnrollmentProductInfo
+            {
+                ProductID         = productCode ?? Constants.Products.DvSsl,
+                ProductParameters = new Dictionary<string, string>
+                {
+                    ["ProfileId"]    = productCode ?? Constants.Products.DvSsl,
+                    ["ValidityYears"] = "1"
+                }
+            };
+    }
+}

CERTInext.IntegrationTests/IntegrationTestFixture.cs

@@ -33,6 +33,22 @@ public sealed class IntegrationTestFixture : IDisposable
         public string RequestorEmail { get; }
         public string RequestorName { get; }
 
+        // ---------------------------------------------------------------------------
+        // Cloudflare DCV credentials (optional)
+        // ---------------------------------------------------------------------------
+
+        /// <summary>Cloudflare API token with DNS:Edit permission on <see cref="CloudflareZoneId"/>.</summary>
+        public string CloudflareApiToken { get; }
+
+        /// <summary>Cloudflare Zone ID for the domain used in DCV integration tests.</summary>
+        public string CloudflareZoneId { get; }
+
+        /// <summary>
+        /// True when Cloudflare credentials are present, enabling real DNS DCV tests.
+        /// When false, DCV integration tests fall back to a <see cref="StubDomainValidator"/>.
+        /// </summary>
+        public bool IsCloudflareConfigured { get; }
+
         /// <summary>
         /// True when at minimum ApiUrl and AccessKey are both non-empty,
         /// indicating that live credential configuration is present.
@@ -76,6 +92,11 @@ public IntegrationTestFixture()
             RequestorEmail = GetEnvValue(env, "CERTINEXT_REQUESTOR_EMAIL");
             RequestorName  = GetEnvValue(env, "CERTINEXT_REQUESTOR_NAME");
 
+            CloudflareApiToken    = GetEnvValue(env, "CERTINEXT_CF_API_TOKEN");
+            CloudflareZoneId      = GetEnvValue(env, "CERTINEXT_CF_ZONE_ID");
+            IsCloudflareConfigured = !string.IsNullOrWhiteSpace(CloudflareApiToken) &&
+                                     !string.IsNullOrWhiteSpace(CloudflareZoneId);
+
             IsConfigured = !string.IsNullOrWhiteSpace(ApiUrl) &&
                            !string.IsNullOrWhiteSpace(AccessKey);
 

CERTInext.IntegrationTests/StubDomainValidator.cs

@@ -0,0 +1,37 @@
+// Copyright 2024 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// At http://www.apache.org/licenses/LICENSE-2.0
+
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+using Keyfactor.AnyGateway.Extensions;
+
+namespace Keyfactor.Extensions.CAPlugin.CERTInext.IntegrationTests
+{
+    /// <summary>
+    /// No-op DNS validator used when Cloudflare credentials are not available.
+    /// Records are not actually published; DCV verification by CERTInext may or may
+    /// not succeed depending on whether the sandbox enforces real DNS lookups.
+    /// </summary>
+    internal sealed class StubDomainValidator : IDomainValidator
+    {
+        public void Initialize(IDomainValidatorConfigProvider configProvider) { }
+
+        public Task<DomainValidationResult> StageValidation(string key, string value, CancellationToken cancellationToken) =>
+            Task.FromResult(new DomainValidationResult { Success = true });
+
+        public Task<DomainValidationResult> CleanupValidation(string key, CancellationToken cancellationToken) =>
+            Task.FromResult(new DomainValidationResult { Success = true });
+
+        public Task ValidateConfiguration(Dictionary<string, object> configuration) => Task.CompletedTask;
+        public Dictionary<string, Keyfactor.AnyGateway.Extensions.PropertyConfigInfo> GetDomainValidatorAnnotations() => new();
+        public string GetValidationType() => "dns-01";
+    }
+
+    internal sealed class StubDomainValidatorFactory : IDomainValidatorFactory
+    {
+        private readonly IDomainValidator _validator = new StubDomainValidator();
+        public IDomainValidator ResolveDomainValidator(string domain, string validationType) => _validator;
+    }
+}