feat: Implement certificate issuance cancellation, ACME account mutation protection, and status synchronization.

Author: ThisSeanZhang

landscape-common/src/cert/mod.rs

@@ -32,10 +32,14 @@ pub enum CertError {
     #[api_error(id = "cert.staging_not_supported", status = 400)]
     StagingNotSupported,
 
-    #[error("Operation not allowed: account is currently in '{0}' status")]
+    #[error("Operation not allowed in current status: {0}")]
     #[api_error(id = "cert.invalid_status_transition", status = 409)]
     InvalidStatusTransition(String),
 
+    #[error("Cannot mutate account while active/renewable certificates exist: {0}")]
+    #[api_error(id = "cert.account_has_active_certificates", status = 409)]
+    AccountHasActiveCertificates(String),
+
     #[error("Cannot change ACME account while certificate is valid; revoke it first")]
     #[api_error(id = "cert.acme_account_change_requires_revocation", status = 409)]
     AcmeAccountChangeRequiresRevocation,

landscape-common/src/cert/order.rs

@@ -71,6 +71,7 @@ pub enum CertStatus {
     Pending,
     Ready,
     Processing,
+    Cancelled,
     Valid,
     Invalid,
     Expired,

landscape-database/src/cert/repository.rs

@@ -1,5 +1,11 @@
-use landscape_common::cert::order::CertConfig;
-use sea_orm::DatabaseConnection;
+use std::collections::HashSet;
+
+use landscape_common::cert::account::AccountStatus;
+use landscape_common::cert::order::{CertConfig, CertStatus, CertType};
+use landscape_common::error::LdError;
+use sea_orm::{
+    ActiveModelTrait, DatabaseConnection, EntityTrait, TransactionError, TransactionTrait,
+};
 
 use super::entity::{CertActiveModel, CertEntity, CertModel};
 use crate::DBId;
@@ -9,10 +15,84 @@ pub struct CertRepository {
     db: DatabaseConnection,
 }
 
+pub struct SyncAccountHintTxResult {
+    pub changed_cert_ids: Vec<DBId>,
+    pub cancelled_cert_ids: Vec<DBId>,
+}
+
 impl CertRepository {
     pub fn new(db: DatabaseConnection) -> Self {
         Self { db }
     }
+
+    pub async fn sync_account_status_hint_tx(
+        &self,
+        account_id: DBId,
+        account_status: &AccountStatus,
+        hint_prefix: &str,
+    ) -> Result<SyncAccountHintTxResult, LdError> {
+        let account_is_registered = matches!(account_status, AccountStatus::Registered);
+        let hint = format!("{hint_prefix} {:?}", account_status);
+        let hint_prefix = hint_prefix.to_string();
+        let hint_opt = if account_is_registered { None } else { Some(hint) };
+
+        self.db
+            .transaction::<_, SyncAccountHintTxResult, LdError>(|txn| {
+                let hint_prefix = hint_prefix.clone();
+                let hint_opt = hint_opt.clone();
+                Box::pin(async move {
+                    let cert_models = CertEntity::find().all(txn).await?;
+                    let mut changed_cert_ids = Vec::new();
+                    let mut cancelled_cert_ids = HashSet::new();
+
+                    for cert_model in cert_models {
+                        let mut cert: CertConfig = cert_model.clone().into();
+                        let CertType::Acme(acme) = &cert.cert_type else {
+                            continue;
+                        };
+                        if acme.account_id != account_id {
+                            continue;
+                        }
+
+                        let mut changed = false;
+                        if let Some(hint) = &hint_opt {
+                            if matches!(cert.status, CertStatus::Processing) {
+                                cert.status = CertStatus::Cancelled;
+                                cancelled_cert_ids.insert(cert.id);
+                                changed = true;
+                            }
+                            if cert.status_message.as_deref() != Some(hint.as_str()) {
+                                cert.status_message = Some(hint.clone());
+                                changed = true;
+                            }
+                        } else if cert
+                            .status_message
+                            .as_deref()
+                            .is_some_and(|m| m.starts_with(&hint_prefix))
+                        {
+                            cert.status_message = None;
+                            changed = true;
+                        }
+
+                        if changed {
+                            let active: CertActiveModel = cert.into();
+                            active.update(txn).await?;
+                            changed_cert_ids.push(cert_model.id);
+                        }
+                    }
+
+                    Ok(SyncAccountHintTxResult {
+                        changed_cert_ids,
+                        cancelled_cert_ids: cancelled_cert_ids.into_iter().collect(),
+                    })
+                })
+            })
+            .await
+            .map_err(|e| match e {
+                TransactionError::Connection(db_err) => LdError::DatabaseError(db_err),
+                TransactionError::Transaction(ld_err) => ld_err,
+            })
+    }
 }
 
 crate::impl_repository!(CertRepository, CertModel, CertEntity, CertActiveModel, CertConfig, DBId);

landscape-webserver/src/cert/accounts.rs

@@ -45,6 +45,9 @@ async fn create_cert_account(
     JsonBody(account): JsonBody<CertAccountConfig>,
 ) -> LandscapeApiResult<CertAccountConfig> {
     account.validate()?;
+    if account.id != ConfigId::default() {
+        state.cert_service.ensure_account_mutation_allowed(account.id).await?;
+    }
     let result = state.cert_account_service.checked_set(account).await?;
     LandscapeApiResp::success(result)
 }
@@ -85,6 +88,7 @@ async fn delete_cert_account(
     State(state): State<LandscapeApp>,
     Path(id): Path<ConfigId>,
 ) -> LandscapeApiResult<()> {
+    state.cert_service.ensure_account_mutation_allowed(id).await?;
     state.cert_account_service.delete(id).await;
     LandscapeApiResp::success(())
 }
@@ -106,6 +110,7 @@ async fn register_cert_account(
     Path(id): Path<ConfigId>,
 ) -> LandscapeApiResult<CertAccountConfig> {
     let result = state.cert_account_service.register_account(id).await?;
+    state.cert_service.sync_account_status_hint(id, &result.status).await;
     LandscapeApiResp::success(result)
 }
 
@@ -125,6 +130,7 @@ async fn verify_cert_account(
     Path(id): Path<ConfigId>,
 ) -> LandscapeApiResult<CertAccountConfig> {
     let result = state.cert_account_service.verify_account(id).await?;
+    state.cert_service.sync_account_status_hint(id, &result.status).await;
     LandscapeApiResp::success(result)
 }
 
@@ -143,6 +149,8 @@ async fn deactivate_cert_account(
     State(state): State<LandscapeApp>,
     Path(id): Path<ConfigId>,
 ) -> LandscapeApiResult<CertAccountConfig> {
+    state.cert_service.ensure_account_mutation_allowed(id).await?;
     let result = state.cert_account_service.deactivate_account(id).await?;
+    state.cert_service.sync_account_status_hint(id, &result.status).await;
     LandscapeApiResp::success(result)
 }

landscape-webserver/src/cert/certs.rs

@@ -17,6 +17,7 @@ pub fn get_cert_paths() -> OpenApiRouter<LandscapeApp> {
         .routes(routes!(get_cert, delete_cert))
         .routes(routes!(get_cert_info))
         .routes(routes!(issue_cert))
+        .routes(routes!(cancel_cert))
         .routes(routes!(revoke_cert))
         .routes(routes!(renew_cert))
 }
@@ -125,6 +126,25 @@ async fn issue_cert(
     LandscapeApiResp::success(result)
 }
 
+#[utoipa::path(
+    post,
+    path = "/certs/{id}/cancel",
+    tag = "Certificates",
+    params(("id" = Uuid, Path, description = "Certificate ID")),
+    responses(
+        (status = 200, body = CommonApiResp<CertConfig>),
+        (status = 404, description = "Not found"),
+        (status = 409, description = "Invalid status transition")
+    )
+)]
+async fn cancel_cert(
+    State(state): State<LandscapeApp>,
+    Path(id): Path<ConfigId>,
+) -> LandscapeApiResult<CertConfig> {
+    let result = state.cert_service.cancel_cert(id).await?;
+    LandscapeApiResp::success(result)
+}
+
 #[utoipa::path(
     post,
     path = "/certs/{id}/revoke",

landscape-webui/src/api/cert/order.ts

@@ -5,6 +5,7 @@ import {
   createCert,
   deleteCert,
   issueCert,
+  cancelCert,
   revokeCert,
   renewCert,
 } from "@landscape-router/types/api/certificates/certificates";
@@ -33,6 +34,10 @@ export async function issue_cert(id: string): Promise<CertConfig> {
   return issueCert(id);
 }
 
+export async function cancel_cert(id: string): Promise<CertConfig> {
+  return cancelCert(id);
+}
+
 export async function revoke_cert(id: string): Promise<CertConfig> {
   return revokeCert(id);
 }

landscape-webui/src/api/index.ts

@@ -3,6 +3,17 @@ import router from "@/router";
 import i18n from "@/i18n";
 import { LANDSCAPE_TOKEN_KEY } from "@/lib/common";
 
+function formatApiErrorTemplate(
+  template: string,
+  args: Record<string, unknown> | undefined,
+): string {
+  if (!args) return template;
+  return template.replace(/\{([^}]+)\}/g, (_m: string, key: string) => {
+    const value = args[key];
+    return value == null ? `{${key}}` : String(value);
+  });
+}
+
 /**
  * Apply common interceptors (auth token, token refresh, error handling)
  * to any axios instance.
@@ -43,9 +54,24 @@ export function applyInterceptors(instance: AxiosInstance): AxiosInstance {
           });
         }
 
+        const locale =
+          typeof i18n.global.locale === "string"
+            ? i18n.global.locale
+            : i18n.global.locale.value;
+        const localeMessages = i18n.global.getLocaleMessage(locale) as Record<
+          string,
+          unknown
+        >;
+        const errorsMap = localeMessages.errors as
+          | Record<string, string>
+          | undefined;
+        const flatTemplate =
+          error_id && errorsMap ? errorsMap[error_id] : undefined;
+
         const errorKey = error_id ? `errors.${error_id}` : "";
-        const displayMsg =
-          errorKey && i18n.global.te(errorKey)
+        const displayMsg = flatTemplate
+          ? formatApiErrorTemplate(flatTemplate, args || {})
+          : errorKey && i18n.global.te(errorKey)
             ? (i18n.global.t(errorKey, args || {}) as string)
             : message;