fix: prevent stale configPath and CA ID exposure in root certificate API#6201
Merged
vitormattos merged 4 commits intomainfrom Dec 15, 2025
Merged
fix: prevent stale configPath and CA ID exposure in root certificate API#6201vitormattos merged 4 commits intomainfrom
vitormattos merged 4 commits intomainfrom
Conversation
Filter configPath from API response when certificate is not generated to prevent form pre-population with outdated generation numbers that cause validation errors. Filter CA ID (libresign-ca-id:*) from OrganizationalUnit field to prevent users from submitting stale generation values that conflict with certificate validation. Refactor toArray() method by extracting logic into dedicated methods: - getConfigPathForApi(): Returns empty string for non-generated certificates - removeCaIdFromOrganizationalUnit(): Filters CA IDs from OU arrays Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
Member
Author
|
/backport to stable32 |
Member
Author
|
/backport to stable31 |
Prevent test state pollution by ensuring config_path is deleted in setUp(). This fixes failures in OpenSslHandlerTest where the temporary config path from AEngineHandlerTest was persisting through the shared appConfig mock, causing tests that expect properly formatted PKI directory names to fail. Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
The CA ID (libresign-ca-id:...) in OrganizationalUnit should only be filtered out when the certificate is not generated (isSetupOk() returns false). When the certificate is successfully generated, the CA ID must be preserved in the API response. This ensures: - Generated certificates: CA ID is visible (expected behavior) - Failed/not generated: CA ID is filtered to prevent stale data in form Integration tests validated: - features/account/signature.feature:2 (OpenSSL) - features/account/signature.feature:23 (CFSSL) - features/admin/certificate_openssl.feature:2 - features/admin/certificate_openssl.feature:35 Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
vitormattos
force-pushed
the
fix/filter-ca-id-and-config-path-in-api
branch
4 times, most recently
from
679a33b to
139f8a6
Compare
- Add reset() method to AppConfigOverwrite that clears overWrite and deleted arrays and returns self - Integrate reset() directly into getMockAppConfig() to ensure clean state on every call - All tests now automatically get clean AppConfig state without explicit reset calls - Prevents state pollution across test suites by resetting at the source - Simplifies test code by removing need for separate reset wrapper method Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
vitormattos
force-pushed
the
fix/filter-ca-id-and-config-path-in-api
branch
from
139f8a6 to
54f73ed
Compare
github-project-automation
Bot
moved this from 0. Needs triage
to 4. to release
in Roadmap
This was referenced Dec 15, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Filter configPath from API response when certificate is not generated to prevent form pre-population with outdated generation numbers that cause validation errors.
Filter CA ID (libresign-ca-id:*) from OrganizationalUnit field to prevent users from submitting stale generation values that conflict with certificate validation.
Refactor toArray() method by extracting logic into dedicated methods: