feat: Implement mTLS event stream authentication support #1402

hsong-rh · 2025-10-13T21:42:59Z

Summary

This PR implements comprehensive mTLS (mutual TLS) authentication support for Event Streams, enabling secure client certificate-based authentication with the Gateway service.

https://issues.redhat.com/browse/AAP-46060

Key Features

New mTLS Credential Type: EventStreamCredentialType.MTLS for secure client authentication
Certificate Synchronization: Automatic sync with Gateway API during Event Stream lifecycle
Certificate Validation: PEM format validation with expiration checking and RFC 2253 subject validation
Lifecycle Management: Automatic certificate create/update/delete operations

Core Components

SyncCertificates service for Gateway certificate management
Enhanced EdaCredential model with mTLS-specific validation
EventStream views with automatic certificate synchronization
New API exceptions for Gateway and credential error handling

Security Enhancements

Certificate format validation using cryptography library
Subject DN validation with proper X.509 attribute checking
Secure certificate storage and transmission to Gateway
Comprehensive error handling for authentication failures

Test plan

Unit tests for certificate validation logic
Integration tests for EventStream mTLS workflows
Service-level tests for Gateway synchronization
Edge case testing for certificate lifecycle management
All existing tests continue to pass
Linting and code quality checks pass

🤖 Generated with Claude Code

codecov-commenter · 2025-10-13T21:53:40Z

Codecov Report

❌ Patch coverage is 98.64986% with 15 lines in your changes missing coverage. Please review.
✅ Project coverage is 94.60%. Comparing base (80bc7b3) to head (655e867).

Files with missing lines	Patch %	Lines
src/aap_eda/core/utils/credentials.py	92.50%	9 Missing ⚠️
tests/integration/api/test_eda_credential.py	94.31%	5 Missing ⚠️
src/aap_eda/api/views/event_stream.py	95.65%	1 Missing ⚠️

@@            Coverage Diff             @@
##             main    #1402      +/-   ##
==========================================
+ Coverage   94.36%   94.60%   +0.24%     
==========================================
  Files         339      343       +4     
  Lines       20006    21111    +1105     
==========================================
+ Hits        18878    19973    +1095     
- Misses       1128     1138      +10

Flag	Coverage Δ
unit-int-tests-3.11	`94.55% <98.64%> (+0.25%)`	⬆️
unit-int-tests-3.12	`94.60% <98.64%> (+0.24%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
src/aap_eda/api/event_stream_authentication.py	`92.30% <100.00%> (+2.76%)`	⬆️
src/aap_eda/api/exceptions.py	`100.00% <100.00%> (ø)`
src/aap_eda/api/views/eda_credential.py	`99.26% <100.00%> (+<0.01%)`	⬆️
src/aap_eda/core/exceptions.py	`100.00% <100.00%> (ø)`
...da/core/management/commands/create_initial_data.py	`97.95% <100.00%> (+0.01%)`	⬆️
src/aap_eda/services/sync_certs.py	`100.00% <100.00%> (ø)`
src/aap_eda/utils/logging.py	`94.28% <ø> (ø)`
tests/integration/api/test_event_stream.py	`100.00% <100.00%> (ø)`
tests/integration/services/test_sync_certs.py	`100.00% <100.00%> (ø)`
tests/unit/test_certificate_validation.py	`100.00% <100.00%> (ø)`
... and 4 more

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

src/aap_eda/api/event_stream_authentication.py

src/aap_eda/services/sync_certs.py

src/aap_eda/core/utils/credentials.py

src/aap_eda/api/views/event_stream.py

src/aap_eda/services/sync_certs.py

src/aap_eda/core/management/commands/create_initial_data.py

This commit introduces comprehensive mTLS (mutual TLS) authentication support for Event Streams, including: - New EventStreamCredentialType.MTLS credential type for mTLS authentication - Certificate synchronization service with Gateway API integration - PEM certificate validation with expiration checking - RFC 2253 compliant certificate subject validation - Automatic certificate lifecycle management (create/update/delete) - SyncCertificates service for Gateway certificate management - Enhanced EdaCredential model with mTLS-specific validation - EventStream views with automatic certificate synchronization - New API exceptions for Gateway and credential errors - Certificate format validation using cryptography library - Subject DN validation with proper X.509 attribute checking - Secure certificate storage and transmission to Gateway - Proper error handling for authentication failures - Comprehensive unit tests for certificate validation - Integration tests for EventStream mTLS workflows - Edge case testing for certificate lifecycle management - Service-level testing for Gateway synchronization 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>

sonarqubecloud · 2025-10-17T17:42:24Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
1.7% Duplication on New Code

See analysis details on SonarQube Cloud

hsong-rh requested a review from a team as a code owner October 13, 2025 21:43

hsong-rh changed the title ~~Implement mTLS event stream authentication support~~ feat: Implement mTLS event stream authentication support Oct 13, 2025

hsong-rh force-pushed the aap-46060 branch 2 times, most recently from 8c3f3de to 986759f Compare October 14, 2025 14:00

hsong-rh mentioned this pull request Oct 14, 2025

feat: add support for mTLS EventStreams #1358

Closed

hsong-rh added the run-e2e label Oct 14, 2025

hsong-rh force-pushed the aap-46060 branch 2 times, most recently from 02dc635 to 4424554 Compare October 15, 2025 13:55

mkanoor reviewed Oct 16, 2025

View reviewed changes

src/aap_eda/api/event_stream_authentication.py Show resolved Hide resolved

hsong-rh force-pushed the aap-46060 branch 2 times, most recently from 4a2fa14 to 1dd17fd Compare October 16, 2025 20:44