feat(aurora-portal): clavis create certificates #859
Signed-off-by: Vladislav Schur <u.shchur@sap.com>
📝 Walkthrough
This PR implements certificate issuance functionality for Aurora's PCA (Clavis CA) management. It introduces two modal components for issuing end-entity and self-signed certificates, updates the backend schema and router to use a flattened createCertificate contract, integrates modals into the CA details flow based on PCA lifecycle state, and adds supporting tests and localization strings.
Changes
Certificate Issuance Feature
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Actionable comments posted: 5
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/PcaCertificatesListContainer.tsx (1)
63-78: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Keep the issue action available in the empty state.
The early return for `pcaCertificates.length === 0` skips the READY-only action entirely. That leaves a READY CA with no issued certificates unable to create its first end-entity certificate. Please render the action/modal outside the non-empty branch so it is available for both empty and populated lists.
Also applies to: 80-93
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In
`@packages/aurora/src/client/routes/_auth/projects/`$projectId/services/pca/$pcaId/-components/-modals/IssueEndEntityCertificateModal.tsx:
- Around line 23-25: The CSR form schema and confirm-button logic allow
whitespace-only input; update the zod schema for csr to require non-empty
trimmed text (e.g., z.string().trim().min(1) or z.string().trim().nonempty()) in
formSchema, and change the disableConfirmButton logic in
IssueEndEntityCertificateModal (and the other occurrences around the csr
handling) to check the trimmed value (e.g., use form.getValues('csr')?.trim() or
watch() and .trim() before testing length) so the Save/Confirm button is
disabled for whitespace-only CSR input and the submitted value is the trimmed
string.
In
`@packages/aurora/src/client/routes/_auth/projects/`$projectId/services/pca/$pcaId/-components/-modals/IssueSelfSignedCertificateModal.tsx:
- Around line 24-25: The confirm button remains enabled when pca.csr is missing
even though handleConfirm() returns early; update the UI guard used to compute
the button disabled state (e.g., the disableConfirmButton or equivalent prop
passed to the Issue Certificate button) to include the same condition (!pca.csr)
so the button is disabled when there's no CSR, or alternatively surface an
explanatory error state/message in the modal; locate the confirm button
component and the disableConfirmButton logic and ensure they mirror
handleConfirm's guard (also check the related check around lines handling
submission/confirmation, referenced in the review for lines 48-56).
- Around line 20-22: The createCertificate mutation only invalidates
utils.services.pca.listCertificates but not the PCA details query that provides
pca.state, so after self-signing the UI can remain stuck in
AWAITING_CERTIFICATE; update the
trpcReact.services.pca.createCertificate.useMutation onSettled handler to also
invalidate/refetch the PCA details query (e.g. call
utils.services.pca.getPca.invalidate() or the equivalent
utils.services.pca.get.invalidate()) alongside
utils.services.pca.listCertificates.invalidate() so the component reading
pca.state receives fresh data.
In
`@packages/aurora/src/client/routes/_auth/projects/`$projectId/services/pca/$pcaId/-components/PcaDetailsView.tsx:
- Around line 78-87: In PcaDetailsView.tsx update the hardcoded UI strings in
the AWAITING_CERTIFICATE block so they are localized: wrap "Lifecycle action",
"Add a Signed Certificate to your CA to activate it" and the Button label "Issue
Self-Signed Certificate" with the i18n helpers (t or <Trans>) used elsewhere;
specifically modify the JSX inside the pca.state === "AWAITING_CERTIFICATE"
branch (the divs showing the title and description and the Button that calls
toggleIssueSelfSignedModal) to use t or <Trans> so these strings are picked up
by Lingui.
In `@packages/aurora/src/server/Services/types/pca.ts`:
- Around line 120-124: CreateCertificateInputSchema's certificate_authority_id
was relaxed to allow an empty string which lets invalid input reach
pcaRouter.createCertificate and produce malformed paths; restore non-empty
validation by changing the certificate_authority_id schema to require a
non-empty string (e.g., use z.string().min(1) or z.string().nonempty()) so the
validator rejects empty IDs before pcaRouter.createCertificate attempts to
splice it into the request path.
---
Outside diff comments:
In
`@packages/aurora/src/client/routes/_auth/projects/`$projectId/services/pca/$pcaId/-components/PcaCertificatesListContainer.tsx:
- Around line 63-78: The empty-state early return in
PcaCertificatesListContainer (the pcaCertificates.length === 0 branch) prevents
the READY-only action/modal from being rendered, so move the READY action/modal
out of the non-empty-only code path: keep the existing empty DataGrid return for
the list UI but render the READY-only action component (the component that opens
the create-certificate modal / action button referenced in this file) alongside
or below that empty-state UI instead of inside the non-empty branch; ensure the
action/modal rendering logic (the READY check and its children) lives after the
empty-state block (or in a shared wrapper) so it displays for both empty and
populated pcaCertificates.
📒 Files selected for processing (12)
- packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/-modals/IssueEndEntityCertificateModal.test.tsx
- packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/-modals/IssueEndEntityCertificateModal.tsx
- packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/-modals/IssueSelfSignedCertificateModal.test.tsx
- packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/-modals/IssueSelfSignedCertificateModal.tsx
- packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/PcaCertificatesListContainer.test.tsx
- packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/PcaCertificatesListContainer.tsx
- packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/PcaDetailsView.test.tsx
- packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/PcaDetailsView.tsx
- packages/aurora/src/server/Services/routers/pcaRouter.test.ts
- packages/aurora/src/server/Services/routers/pcaRouter.ts
- packages/aurora/src/server/Services/types/pca.test.ts
- packages/aurora/src/server/Services/types/pca.ts
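The two input checks raised in the review above (whitespace-only CSR text, and an empty `certificate_authority_id` reaching the request path), as an added dependency-free TypeScript example that is not code from this PR. The helper names, the path layout and the sample CSR are assumptions constructed for illustration; the example goes slightly beyond the review by also rejecting dot segments and percent-encoding the ID, and it leaves out the `configuration` field.

```typescript
// Added example: field names follow the PR; helper names and the path are assumptions.
type Result<T> = { ok: true; value: T } | { ok: false; error: string }

const HEADER = "-----BEGIN CERTIFICATE REQUEST-----"
const FOOTER = "-----END CERTIFICATE REQUEST-----"

// Constructed sample: placeholder base64 body (not a real CSR), padded with the
// stray whitespace and CRLF line endings a pasted value often carries.
const SAMPLE_CSR = `  \r\n${HEADER}\r\nQ09OU1RSVUNURURfU0FNUExFX0NTUg==\r\n${FOOTER}\r\n  `

// Trim pasted input, unify line endings, then check the PEM envelope and body.
function normalizeCsr(raw: string): Result<string> {
  const lines = raw
    .trim()
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line.length > 0)
  if (lines.length < 3) return { ok: false, error: "CSR is empty or incomplete" }
  if (lines[0] !== HEADER || lines[lines.length - 1] !== FOOTER) {
    return { ok: false, error: "CSR is missing the PEM header or footer" }
  }
  const body = lines.slice(1, -1).join("")
  if (body.length % 4 !== 0 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(body)) {
    return { ok: false, error: "CSR body is not valid base64" }
  }
  return { ok: true, value: lines.join("\n") }
}

// The ID becomes one URL path segment: reject empty and dot segments, then encode.
function pathSegment(name: string, raw: string): Result<string> {
  const id = raw.trim()
  if (id === "" || id === "." || id === "..") {
    return { ok: false, error: `${name} must be a non-empty identifier` }
  }
  return { ok: true, value: encodeURIComponent(id) }
}

interface CreateCertificateInput {
  certificate_authority_id: string
  csr: string
}
interface OutboundRequest {
  path: string
  body: { csr: string }
}

// Validate first; only build the outbound request from checked values.
function buildCreateCertificateRequest(input: CreateCertificateInput): Result<OutboundRequest> {
  const caId = pathSegment("certificate_authority_id", input.certificate_authority_id)
  if (!caId.ok) return caId
  const csr = normalizeCsr(input.csr)
  if (!csr.ok) return csr
  // Hypothetical path layout, used only for illustration.
  const path = `/certificate-authorities/${caId.value}/certificates`
  return { ok: true, value: { path, body: { csr: csr.value } } }
}
```

Running the same checks on the server matters even when the modal already trims and disables the button, because the router receives whatever the client sends.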
Pull request overview
This PR adds certificate issuance workflows to the Aurora Portal PCA (Clavis) UI and aligns the server-side create-certificate request/response shapes with the backend by flattening the create-certificate input and adjusting parsing.
Changes:
- Updated PCA Zod schemas to support the new create-certificate payload shape and removed the now-unused `CertificateResponseSchema`.
- Updated `pcaRouter.createCertificate` to call the `pca` OpenStack service and post the flattened payload, parsing a `Certificate` directly.
- Added UI modals and actions to issue self-signed CA certificates (for `AWAITING_CERTIFICATE`) and end-entity certificates (for `READY`), with associated unit tests.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| packages/aurora/src/server/Services/types/pca.ts | Adjusts PCA schemas (validity + create-certificate input/response shape). |
| packages/aurora/src/server/Services/types/pca.test.ts | Updates schema validation tests to match schema changes. |
| packages/aurora/src/server/Services/routers/pcaRouter.ts | Updates create-certificate to use pca service and flattened payload/response parsing. |
| packages/aurora/src/server/Services/routers/pcaRouter.test.ts | Updates router tests for create-certificate payload/response and service name. |
| packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/PcaDetailsView.tsx | Adds lifecycle CTA for issuing a self-signed cert and passes PCA state to certificates list. |
| packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/PcaDetailsView.test.tsx | Adds coverage for the lifecycle section and self-signed modal opening. |
| packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/PcaCertificatesListContainer.tsx | Adds “Issue End Entity Certificate” action + modal gating on PCA state. |
| packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/PcaCertificatesListContainer.test.tsx | Updates tests for the new action and state-gated rendering. |
| packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/-modals/IssueSelfSignedCertificateModal.tsx | New modal to issue a self-signed CA certificate via createCertificate mutation. |
| packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/-modals/IssueSelfSignedCertificateModal.test.tsx | Tests self-signed modal submission and payload. |
| packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/-modals/IssueEndEntityCertificateModal.tsx | New modal to issue end-entity certificates using a pasted CSR. |
| packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/-modals/IssueEndEntityCertificateModal.test.tsx | Tests CSR normalization and mutation payload. |
Signed-off-by: Vladislav Schur <u.shchur@sap.com>
Actionable comments posted: 1
🧹 Nitpick comments (1)
packages/aurora/src/server/Services/types/pca.ts (1)
120-125: 💤 Low value
Consider extending `CertificateAuthorityIdInputSchema` for consistency.
Other schemas like `CertificateAuthorityImportInputSchema` and `CertificateIdInputSchema` extend `CertificateAuthorityIdInputSchema`. Using the same pattern here would reduce duplication and ensure changes to the base schema propagate consistently.
♻️ Suggested refactor
-export const CreateCertificateInputSchema = z.object({ - project_id: z.string(), - certificate_authority_id: z.string().min(1), - csr: z.string().min(1), - configuration: CertificateConfigurationSchema, -}) +export const CreateCertificateInputSchema = CertificateAuthorityIdInputSchema.extend({ + csr: z.string().min(1), + configuration: CertificateConfigurationSchema, +})🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@packages/aurora/src/server/Services/types/pca.ts` around lines 120 - 125, CreateCertificateInputSchema duplicates the certificate_authority_id definition; update it to extend the existing CertificateAuthorityIdInputSchema for consistency and easier maintenance. Replace the inline certificate_authority_id: z.string().min(1) in CreateCertificateInputSchema with an extension/merge of CertificateAuthorityIdInputSchema (e.g., use CertificateAuthorityIdInputSchema.extend({...}) or CertificateAuthorityIdInputSchema.merge(z.object({...}))) and keep project_id, csr, and configuration (CertificateConfigurationSchema) as-is so CreateCertificateInputSchema composes off the shared CertificateAuthorityIdInputSchema used by CertificateAuthorityImportInputSchema and CertificateIdInputSchema.
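Review bot: the `+` side of the suggested refactor drops both `project_id: z.string()` and `certificate_authority_id: z.string().min(1)` and relies on `CertificateAuthorityIdInputSchema` to supply them, but that base schema is not shown in this suggestion. Before applying it, confirm the base schema declares `project_id` and keeps `certificate_authority_id` non-empty with `.min(1)`, and keep a schema test that rejects an empty `certificate_authority_id`, so the empty-ID case flagged earlier for `pcaRouter.createCertificate` cannot come back through the shared schema.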
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@packages/aurora/docs/0011_clavis.md`:
- Line 72: Update the heading text "Certificate issuing behavior by state:" to
hyphenate the compound modifier by changing it to "Certificate-issuing behavior
by state:" wherever that exact heading string appears (e.g., the heading line in
0011_clavis.md).
---
Nitpick comments:
In `@packages/aurora/src/server/Services/types/pca.ts`:
- Around line 120-125: CreateCertificateInputSchema duplicates the
certificate_authority_id definition; update it to extend the existing
CertificateAuthorityIdInputSchema for consistency and easier maintenance.
Replace the inline certificate_authority_id: z.string().min(1) in
CreateCertificateInputSchema with an extension/merge of
CertificateAuthorityIdInputSchema (e.g., use
CertificateAuthorityIdInputSchema.extend({...}) or
CertificateAuthorityIdInputSchema.merge(z.object({...}))) and keep project_id,
csr, and configuration (CertificateConfigurationSchema) as-is so
CreateCertificateInputSchema composes off the shared
CertificateAuthorityIdInputSchema used by CertificateAuthorityImportInputSchema
and CertificateIdInputSchema.
📒 Files selected for processing (10)
- packages/aurora/docs/0011_clavis.md
- packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/-modals/IssueEndEntityCertificateModal.tsx
- packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/-modals/IssueSelfSignedCertificateModal.test.tsx
- packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/-modals/IssueSelfSignedCertificateModal.tsx
- packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/PcaCertificatesListContainer.test.tsx
- packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/PcaCertificatesListContainer.tsx
- packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/PcaDetailsView.tsx
- packages/aurora/src/server/Services/types/pca.test.ts
- packages/aurora/src/server/Services/types/pca.ts
- packages/aurora/vitest.config.ts
🚧 Files skipped from review as they are similar to previous changes (6)
- packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/-modals/IssueSelfSignedCertificateModal.test.tsx
- packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/-modals/IssueSelfSignedCertificateModal.tsx
- packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/-modals/IssueEndEntityCertificateModal.tsx
- packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/PcaDetailsView.tsx
- packages/aurora/src/client/routes/_auth/projects/$projectId/services/pca/$pcaId/-components/PcaCertificatesListContainer.tsx
- packages/aurora/src/server/Services/types/pca.test.ts
Signed-off-by: Vladislav Schur <u.shchur@sap.com>
Signed-off-by: Vladislav Schur <u.shchur@sap.com>
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@packages/aurora/src/locales/de/messages.po`:
- Around line 214-215: Several certificate-related msgid entries in the German
messages.po (e.g., "Add a Signed Certificate to your CA to activate it", "Issue
Certificate", "Issue End Entity Certificate", "Issue Self Signed Certificate",
"Issue Self-Signed Certificate", "Issuing End Entity Certificate...", "Issuing
Self-Signed Certificate...", "Lifecycle action", "Paste CSR code", "This action
will create a self-signed CA certificate.") have empty msgstr values; update
messages.po by providing appropriate German translations for each listed msgid
so UI strings appear localized for German users, ensuring plural forms and
punctuation match existing locale conventions and keeping msgid text unchanged
while populating the corresponding msgstr entries.
In `@packages/aurora/src/locales/en/messages.po`:
- Around line 1639-1649: Replace the inconsistent no-hyphen string "Issue Self
Signed Certificate" so all msgid/msgstr entries use the hyphenated form "Issue
Self-Signed Certificate" and ensure "Issuing Self-Signed Certificate..." also
remains hyphenated; then update the UI code that references the old key to use
the corrected key or consolidate references to reuse "Issue Self-Signed
Certificate" to avoid duplicate keys.
📒 Files selected for processing (5)
- .changeset/gold-stars-yawn.md
- packages/aurora/src/locales/de/messages.po
- packages/aurora/src/locales/de/messages.ts
- packages/aurora/src/locales/en/messages.po
- packages/aurora/src/locales/en/messages.ts
✅ Files skipped from review due to trivial changes (1)
- .changeset/gold-stars-yawn.md
Summary
Issues a new X.509 certificate from the specified Certificate Authority using a provided Certificate Signing Request (CSR).
Changes Made
Related Issues
Testing Instructions
- `pnpm i`
- `pnpm run test`
Checklist