Ca certs api v2

[fmarco76]

Implement v2 REST end-point for /ca/v2/certs

Implement the REST operations:

• GET of /ca/v2/certs/
• GET of /ca/v2/certs
• POST to /ca/v2/certs/search.

These implement the behaviour of the current REST operations (see [1, 2 and 3]). The new version is not based on RESTeasy framework for the REST operation and the DB searches have replaced VLV with paged queries.

The only differences with the previous implementation are:

• the total value now show the number of returned item;
• the number of returned entry is limited (this is hard-coded for now).

[fmarco76]

@edewata The total can be fixed to provide the exact number if needed but has to be retrieved from the first query and reported to the servlet so it will require some changes. Is this needed.
For the limit on the returned entry I think it is not a real limitation in the real usage but I wondering if it should be configurable and if we should have different limits for search and returned entries.

[edewata]

I have some comments/questions, but I think overall it's good. Feel free to update or merge as is, then we can address the comments in a new PR.

[edewata]

The @param should match the actual method params.

[edewata]

The timeLimit doesn't seem to be used. Should we keep it?

[fmarco76]

It is implemented in the pagedSeearch. I will add to the call.

[edewata]

This is probably an opportunity to fix APIv1. Here we could just return the base64-encoded value without the PEM header/footer. I think that would be easier to parse and more consistent with other binary data in JSON in general. What do you think?

[fmarco76]

I do not know in other places yet but here we have the chain in base64 the certificate in pem. It is better to have all base64.

[edewata]

The pretty-print probably should be generated on the client side because the client already has the cert binaries, and the output would be dependent on client's locale anyway, so I think we can skip this field.

[edewata]

The notBefore and notAfter probably should be generated on the client side too since it's dependent on client's locale and the client already has the cert binaries.

[fmarco76]

I would leave this for the moment. PrettyPrint is better in the client but the validity could be useful without the need to read the binary. What we could change is the format to be more platform independent (e.g. yyyy-MM-dd HH:mm:ss Z). The client can read or generate from binary

[fmarco76]

Currently we have two different format of data, in the certificate list we have time in milliseconds while in a single certificate we have the string. This because the list uses the class CertDataInfo while the single certificate uses the class CertData. These classes are in the same package and have almost the same fields but with different format (e.g. date is Date in one and String in the other) . Not clear why we need to have both. We could merge them. To investigate in a separate PR

[edewata]

We probably can skip the total since it can be obtained from infos.getEntries().size().

[fmarco76]

It is OK to remove for now. The pageSearch could provide the total number of entries in the DB but the information is not returned from the LDAPSession. If needed we could handle that information to the client. We will consider this in future.

[fmarco76]

I have done a couple of test and it is not enough to skip the setTotal(), it is reported as total=0 in the final json. I am leaving for now and evaluate in separate PR.

[edewata]

The LDAPSearchConstraints also has a setMaxResults(). I was wondering whether we should just ignore it, set it to size, or add another param for it (e.g. sizeLimit).

[edewata]

Another consideration is, IIUC the size is only used internally for paging, but the number of results the client will see won't actually be affected by the size. On the other hand, the sizeLimit will (if it's used to call setMaxResults()).

So maybe we should replace size with a constant or a server-side configurable param, and add a sizeLimit not for paging but for setting the max results.

[fmarco76]

Actually, size elements are returned from the search. The size is always used in the last query and the elements are returned . If start is provided, than one or more pages are requested until start - 1 elements are retrieved and then a page with size is requested.
If size is not provided there is a limit to 500. I am leaving the limit now and we can decide if this has to be customisable in a separate PR

[fmarco76]

Not sure about the MaxResults. We could discuss better approach with DS folk.

[edewata]

I was wondering if we should skip this field since not all clients needs to get the PKCS #7 cert chain, so maybe it can be provided by a different API.

[fmarco76]

We can remove this field when the new API is created in a separate PR.

[edewata]

Let's log an error so at least we know if something happens.

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
48 Code Smells

0.0% Coverage
2.6% Duplication

[fmarco76]

@edewata Thanks!

I have update following some of your comments. The remaining comments need additional work in separate PRs.