feature: add PKI approval workflows

[carlosmonastyrski]

Context

This PR adds approval workflows for certificate issuance. When users request certificates, the backend checks for approval policies on the certificate profile and, if required, creates an approval request that must be approved before the certificate is issued. Admins can create approval policies that specify which profiles require approval, how many approvers are needed, and who can approve. The frontend includes pages to view pending approval requests, approve or reject them, and manage approval policies. Certificate requests are linked to approval requests, and the certificate is only issued after the approval workflow completes.

Screenshots

Steps to verify the change

Type

• Fix
• Feature
• Improvement
• Breaking
• Docs
• Chore

Checklist

• Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
• Tested locally
• Updated docs (if needed)
• Read the contributing guide

[maidul98]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[greptile-apps]

Greptile Summary

This PR implements approval workflows for PKI certificate issuance, allowing administrators to require approval before certificates are issued from specific profiles. The implementation includes backend approval policy matching, multi-step approval flows, and frontend UI for managing policies and approving requests.

Key Changes:

• Database schema extended to link certificate requests with approval requests and track machine identity requesters
• Approval workflow integrated into certificate issuance pipeline for both direct issuance and CSR signing
• API responses updated to return pending status when approval is required instead of immediate certificate
• Frontend pages added for managing approval policies and viewing/approving certificate requests
• Machine identity bypass option allows automated systems to skip approval workflows

Critical Issues Found:

• Certificate issuance uses approver's actor context instead of original requester's identity, potentially allowing privilege escalation
• Machine identity bypass doesn't validate specific identities, allowing any machine identity to skip approval
• Breaking API changes without endpoint versioning will break existing integrations
• Foreign key constraint could orphan certificate requests if approval requests are deleted

Confidence Score: 2/5

• This PR has critical security vulnerabilities that must be fixed before merging
• Score reflects multiple high-severity security issues: (1) approval bypass allows any machine identity to skip approval without validation, (2) certificates are issued using approver's permissions instead of original requester's identity, (3) breaking API changes without versioning, and (4) potential for orphaned certificate requests due to SET NULL foreign key constraint
• Pay close attention to backend/src/services/certificate-v3/certificate-v3-service.ts and backend/src/services/approval-policy/approval-policy-service.ts - both contain critical security flaws in the approval and issuance flow

Important Files Changed

Filename	Overview
backend/src/db/migrations/20260116104856_pki-certificate-approvals.ts	Adds database schema for approval workflows: links certificate requests to approval requests, adds machine identity tracking, and bypass flag for policies. Foreign key uses SET NULL which could orphan requests.
backend/src/services/certificate-v3/certificate-v3-service.ts	Core certificate issuance logic with approval workflow integration. Contains critical security issues: approval bypass doesn't validate specific identities, and certificate issuance uses approver's context instead of requester's.
backend/src/services/approval-policy/approval-policy-service.ts	Approval policy service with certificate issuance post-approval routine. Security flaw: issues certificates using approver's actor context rather than original requester's identity.
backend/src/server/routes/v1/certificate-router.ts	API endpoints updated to handle approval workflow responses. Breaking change: certificate response can now be null with status/message fields when approval is required.
backend/src/services/approval-policy/cert-request/cert-request-policy-factory.ts	Certificate request approval policy factory. Matches policies by profile name and creates approval grants. canAccess always returns false which may prevent legitimate request viewing.

[greptile-apps]

Additional Comments (1)

1. backend/src/server/routes/v1/certificate-router.ts, line 175-192 (link)

   logic: Breaking API Change: response schema now includes optional status and message fields, and certificate can be null when status is PENDING_APPROVAL. Existing API consumers expecting certificates to always be returned will break.

   Consider versioning this endpoint (e.g., /v2/certificates/issue) or ensuring backwards compatibility by always including certificate data in v1.

_{73 files reviewed, 7 comments}

_{Edit Code Review Agent Settings | Greptile}