@@ -14,10 +14,32 @@ import { PostHogEventTypes } from "@app/services/telemetry/telemetry-types";
1414import {
1515 ApprovalPolicyBodySchema ,
1616 HSM_SUPPORTED_KEY_ALGORITHMS ,
17+ SignerExternalConfigurationSchema ,
1718 SignerIdParamsSchema ,
1819 SignerKeyAlgorithm
1920} from "./schemas" ;
2021
22+ const SignerWithCertificateResponseSchema = PkiSignersSchema . extend ( {
23+ certificateCommonName : z . string ( ) . nullable ( ) . optional ( ) ,
24+ certificateSerialNumber : z . string ( ) . nullable ( ) . optional ( ) ,
25+ certificateNotAfter : z . date ( ) . nullable ( ) . optional ( ) ,
26+ certificateNotBefore : z . date ( ) . nullable ( ) . optional ( ) ,
27+ certificateKeyAlgorithm : z . string ( ) . nullable ( ) . optional ( ) ,
28+ certificateKeySource : z . string ( ) . nullable ( ) . optional ( ) ,
29+ certificateHsmConnectorId : z . string ( ) . nullable ( ) . optional ( ) ,
30+ certificateStatus : z . string ( ) . nullable ( ) . optional ( ) ,
31+ certificateCaId : z . string ( ) . nullable ( ) . optional ( ) ,
32+ approvalPolicyName : z . string ( ) . nullable ( ) . optional ( ) ,
33+ externalOrder : z
34+ . object ( {
35+ provider : z . string ( ) ,
36+ orderId : z . number ( ) ,
37+ status : z . string ( ) . nullable ( )
38+ } )
39+ . nullable ( )
40+ . optional ( )
41+ } ) ;
42+
2143export const registerSignerLifecycleRouter = async ( server : FastifyZodProvider ) => {
2244 server . route ( {
2345 method : "POST" ,
@@ -45,6 +67,7 @@ export const registerSignerLifecycleRouter = async (server: FastifyZodProvider)
4567 hsmConnectorId : z . string ( ) . uuid ( ) . optional ( )
4668 } )
4769 . optional ( ) ,
70+ externalConfiguration : SignerExternalConfigurationSchema . optional ( ) ,
4871 approvalPolicyId : z . string ( ) . uuid ( ) . optional ( ) ,
4972 members : z
5073 . array (
@@ -100,7 +123,8 @@ export const registerSignerLifecycleRouter = async (server: FastifyZodProvider)
100123 certificateId : signer . certificateId ,
101124 approvalPolicyId : signer . approvalPolicyId ,
102125 keySource : req . body . certificate ?. keySource ,
103- hsmConnectorId : req . body . certificate ?. hsmConnectorId
126+ hsmConnectorId : req . body . certificate ?. hsmConnectorId ,
127+ externalConfiguration : req . body . externalConfiguration
104128 }
105129 }
106130 } ) ;
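Review bot: The full `externalConfiguration` request object is copied verbatim into the properties literal on new line 128, beside `keySource` and `hsmConnectorId`, and nothing in this hunk shows what `SignerExternalConfigurationSchema` permits. If that object can carry provider credentials, account identifiers or endpoint details, they are forwarded to whatever consumes these properties — the file imports PostHog event types, so this looks like telemetry or audit metadata, where raw configuration does not belong. Prefer recording only a non-sensitive marker, e.g. `hasExternalConfiguration: Boolean(req.body.externalConfiguration)`, or the schema's provider discriminator through an explicit allow-list, and keep the raw object out. The properties literal and the call that wraps it start and end outside this hunk, as does `registerSignerLifecycleRouter`.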
@@ -187,18 +211,7 @@ export const registerSignerLifecycleRouter = async (server: FastifyZodProvider)
187211 description : "Get a code signing signer by ID" ,
188212 params : SignerIdParamsSchema ,
189213 response : {
190- 200 : PkiSignersSchema . extend ( {
191- certificateCommonName : z . string ( ) . nullable ( ) . optional ( ) ,
192- certificateSerialNumber : z . string ( ) . nullable ( ) . optional ( ) ,
193- certificateNotAfter : z . date ( ) . nullable ( ) . optional ( ) ,
194- certificateNotBefore : z . date ( ) . nullable ( ) . optional ( ) ,
195- certificateKeyAlgorithm : z . string ( ) . nullable ( ) . optional ( ) ,
196- certificateKeySource : z . string ( ) . nullable ( ) . optional ( ) ,
197- certificateHsmConnectorId : z . string ( ) . nullable ( ) . optional ( ) ,
198- certificateStatus : z . string ( ) . nullable ( ) . optional ( ) ,
199- certificateCaId : z . string ( ) . nullable ( ) . optional ( ) ,
200- approvalPolicyName : z . string ( ) . nullable ( ) . optional ( )
201- } )
214+ 200 : SignerWithCertificateResponseSchema
202215 }
203216 } ,
204217 onRequest : verifyAuth ( [ AuthMode . JWT , AuthMode . IDENTITY_ACCESS_TOKEN ] ) ,
@@ -267,6 +280,34 @@ export const registerSignerLifecycleRouter = async (server: FastifyZodProvider)
267280 }
268281 } ) ;
269282
283+ server . route ( {
284+ method : "POST" ,
285+ url : "/:signerId/issuance/check" ,
286+ config : { rateLimit : writeLimit } ,
287+ schema : {
288+ hide : false ,
289+ operationId : "checkSignerIssuance" ,
290+ tags : [ ApiDocsTags . PkiSigners ] ,
291+ description :
292+ "Poll the upstream CA for a pending signer's certificate immediately instead of waiting for the next scheduled check." ,
293+ params : SignerIdParamsSchema ,
294+ response : {
295+ 200 : SignerWithCertificateResponseSchema
296+ }
297+ } ,
298+ onRequest : verifyAuth ( [ AuthMode . JWT , AuthMode . IDENTITY_ACCESS_TOKEN ] ) ,
299+ handler : async ( req ) => {
300+ const signer = await server . services . pkiSigner . checkIssuanceNow ( {
301+ signerId : req . params . signerId ,
302+ actor : req . permission . type ,
303+ actorId : req . permission . id ,
304+ actorAuthMethod : req . permission . authMethod ,
305+ actorOrgId : req . permission . orgId
306+ } ) ;
307+ return signer ;
308+ }
309+ } ) ;
310+
270311 server . route ( {
271312 method : "PATCH" ,
272313 url : "/:signerId" ,