feat(M49): Entrust, GlobalSign & EJBCA issuer connectors

Add three new issuer connectors completing commercial and open-source CA coverage. Entrust uses mTLS client certificate auth with sync/async issuance. GlobalSign Atlas uses mTLS + API key/secret dual auth with serial-based tracking. EJBCA supports dual auth (mTLS or OAuth2) for self-hosted Keyfactor CAs. Each connector implements the full issuer.Connector interface (9 methods), includes httptest-based unit tests (~14 each), and follows established patterns (injectable HTTP clients, RFC 5280 revocation reason mapping, CRL/OCSP delegated to CA). Also includes: issuer factory cases, env var seeding, config structs, domain types, seed data (3 rows, all disabled), OpenAPI enum updates, frontend issuer catalog entries with config fields, and full docs (connectors.md, architecture.md, features.md, README). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-11 16:38:52 +00:00 · 2026-04-15 22:24:12 -04:00
parent f3a85d6b08
commit 3f619bcaac
17 changed files with 3820 additions and 19 deletions
@@ -503,6 +503,69 @@ func (s *IssuerService) buildEnvVarSeeds(cfg *config.Config) []*domain.Issuer {
 		})
 	}

+	// Conditional: Entrust — only seed if API URL is set
+	if cfg.Entrust.APIUrl != "" {
+		seeds = append(seeds, &domain.Issuer{
+			ID:   "iss-entrust",
+			Name: "Entrust",
+			Type: domain.IssuerTypeEntrust,
+			Config: mustJSON(map[string]interface{}{
+				"api_url":          cfg.Entrust.APIUrl,
+				"client_cert_path": cfg.Entrust.ClientCertPath,
+				"client_key_path":  cfg.Entrust.ClientKeyPath,
+				"ca_id":            cfg.Entrust.CAId,
+				"profile_id":       cfg.Entrust.ProfileId,
+			}),
+			Enabled:   true,
+			Source:    "env",
+			CreatedAt: now,
+			UpdatedAt: now,
+		})
+	}
+
+	// Conditional: GlobalSign — only seed if API URL and API key are set
+	if cfg.GlobalSign.APIUrl != "" && cfg.GlobalSign.APIKey != "" {
+		seeds = append(seeds, &domain.Issuer{
+			ID:   "iss-globalsign",
+			Name: "GlobalSign Atlas",
+			Type: domain.IssuerTypeGlobalSign,
+			Config: mustJSON(map[string]interface{}{
+				"api_url":          cfg.GlobalSign.APIUrl,
+				"api_key":          cfg.GlobalSign.APIKey,
+				"api_secret":       cfg.GlobalSign.APISecret,
+				"client_cert_path": cfg.GlobalSign.ClientCertPath,
+				"client_key_path":  cfg.GlobalSign.ClientKeyPath,
+			}),
+			Enabled:   true,
+			Source:    "env",
+			CreatedAt: now,
+			UpdatedAt: now,
+		})
+	}
+
+	// Conditional: EJBCA — only seed if API URL and CA name are set
+	if cfg.EJBCA.APIUrl != "" && cfg.EJBCA.CAName != "" {
+		seeds = append(seeds, &domain.Issuer{
+			ID:   "iss-ejbca",
+			Name: "EJBCA",
+			Type: domain.IssuerTypeEJBCA,
+			Config: mustJSON(map[string]interface{}{
+				"api_url":          cfg.EJBCA.APIUrl,
+				"auth_mode":        cfg.EJBCA.AuthMode,
+				"client_cert_path": cfg.EJBCA.ClientCertPath,
+				"client_key_path":  cfg.EJBCA.ClientKeyPath,
+				"token":            cfg.EJBCA.Token,
+				"ca_name":          cfg.EJBCA.CAName,
+				"cert_profile":     cfg.EJBCA.CertProfile,
+				"ee_profile":       cfg.EJBCA.EEProfile,
+			}),
+			Enabled:   true,
+			Source:    "env",
+			CreatedAt: now,
+			UpdatedAt: now,
+		})
+	}
+
 	return seeds
 }