nordic-institute · enelir · Oct 27, 2025 · Oct 6, 2025 · Oct 7, 2025 · Oct 7, 2025
@@ -31,6 +31,7 @@
 
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.BooleanUtils;
 import org.niis.xroad.common.managementrequest.ManagementRequestSoapExecutor;
 import org.niis.xroad.cs.registrationservice.service.AdminApiService;
 import org.springframework.http.HttpHeaders;
@@ -69,6 +70,11 @@ public ResponseEntity<String> register(@RequestHeader(HttpHeaders.CONTENT_TYPE)
 
                     log.debug("Making a registration request for {}", authRequest.getServer());
 
+                    if (BooleanUtils.isTrue(authRequest.isDryRun())) {
+                        log.info("Processed dry-run registration request for {}", authRequest.getServer());
+                        return 0;
+                    }
+
                     var requestId = adminApiService.addRegistrationRequest(
                             authRequest.getServer(),
                             authRequest.getAddress(),

@@ -0,0 +1,107 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package org.niis.xroad.common.core.dto;
+
+import ee.ria.xroad.common.DiagnosticStatus;
+
+import lombok.Getter;
+import lombok.ToString;
+
+import java.io.Serializable;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+@Getter
+@ToString
+public final class ConnectionStatus implements Serializable {
+    private final DiagnosticStatus status;
+    private final String errorCode;
+    private final List<String> errorMetadata;       // empty when OK
+    private final Map<String, List<String>> validationErrors; // empty when OK
+
+    private ConnectionStatus(
+            DiagnosticStatus status,
+            String errorCode,
+            List<String> errorMetadata,
+            Map<String, List<String>> validationErrors
+    ) {
+        this.status = status;
+        this.errorCode = errorCode;
+        this.errorMetadata = List.copyOf(errorMetadata == null ? List.of() : errorMetadata);
+        this.validationErrors = validationErrors == null
+                ? Map.of()
+                : validationErrors.entrySet().stream()
+                .collect(java.util.stream.Collectors.toUnmodifiableMap(
+                        Map.Entry::getKey,
+                        e -> List.copyOf(e.getValue())
+                ));
+    }
+
+    public static ConnectionStatus ok() {
+        return new ConnectionStatus(DiagnosticStatus.OK, null, List.of(), Map.of());
+    }
+
+    public static ConnectionStatus error(String errorCode, List<String> metadata) {
+        return new ConnectionStatus(DiagnosticStatus.ERROR, errorCode,
+                metadata == null ? List.of() : metadata, Map.of());
+    }
+
+    public static ConnectionStatus errorWithValidation(
+            String errorCode,
+            List<String> metadata,
+            String validationKey,
+            List<String> validationMetadata
+    ) {
+        Map<String, List<String>> ve = new HashMap<>();
+        ve.put(validationKey, validationMetadata == null ? List.of() : List.copyOf(validationMetadata));
+        return new ConnectionStatus(DiagnosticStatus.ERROR, errorCode,
+                metadata == null ? List.of() : metadata, ve);
+    }
+
+    public static ConnectionStatus fromErrorAndValidation(
+            String errorCode,
+            List<String> metadata,
+            String validationErrorCode,
+            List<String> certValidationMetadata) {
+
+        if (validationErrorCode == null) {
+            return ConnectionStatus.error(errorCode, metadata);
+        }
+
+        List<String> validationMeta = (certValidationMetadata == null)
+                ? List.of()
+                : certValidationMetadata;
+
+        return ConnectionStatus.errorWithValidation(
+                errorCode,
+                metadata,
+                validationErrorCode,
+                validationMeta
+        );
+    }
+}
@@ -0,0 +1,56 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package org.niis.xroad.common.core.dto;
+
+import lombok.AccessLevel;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.ToString;
+
+import java.io.Serializable;
+import java.util.List;
+
+@Getter
+@ToString
+@NoArgsConstructor(force = true, access = AccessLevel.PRIVATE)
+public final class DownloadUrlConnectionStatus implements Serializable {
+    private String downloadUrl;
+    private ConnectionStatus connectionStatus;
+
+    private DownloadUrlConnectionStatus(ConnectionStatus connectionStatus, String downloadUrl) {
+        this.downloadUrl = downloadUrl;
+        this.connectionStatus = connectionStatus;
+    }
+
+    public static DownloadUrlConnectionStatus ok(String url) {
+        return new DownloadUrlConnectionStatus(ConnectionStatus.ok(), url);
+    }
+
+    public static DownloadUrlConnectionStatus error(String url, String errorCode, List<String> metadata) {
+        return new DownloadUrlConnectionStatus(ConnectionStatus.error(errorCode, metadata), url);
+    }
+}
@@ -24,7 +24,7 @@
  * THE SOFTWARE.
  */
 
-package org.niis.xroad.confclient.core;
+package org.niis.xroad.common.core.util;
 
 import ee.ria.xroad.common.SystemProperties;
 

@@ -43,6 +43,14 @@
                     </documentation>
                 </annotation>
             </element>
+            <element name="dryRun" type="boolean" minOccurs="0" default="false">
+                <annotation>
+                    <documentation>
+                        Optional flag indicating whether the request
+                        should be validated only and not processed like a real request.
+                    </documentation>
+                </annotation>
+            </element>
             <element name="requestId" type="tns:RequestIdType" minOccurs="0"/>
         </sequence>
     </complexType>

@@ -84,14 +84,15 @@ final class ManagementRequestBuilder {
 
     // -- Public API methods --------------------------------------------------
 
-    SoapMessageImpl buildAuthCertRegRequest(SecurityServerId.Conf securityServer, String address, byte[] authCert)
+    SoapMessageImpl buildAuthCertRegRequest(SecurityServerId.Conf securityServer, String address, byte[] authCert, boolean dryRun)
             throws SOAPException, JAXBException, IOException, IllegalAccessException {
         log.debug("buildAuthCertRegRequest(server: {}, address: {})", securityServer, address);
 
         var request = FACTORY.createAuthCertRegRequestType();
         request.setServer(securityServer);
         request.setAddress(address);
         request.setAuthCert(authCert);
+        request.setDryRun(dryRun);
 
         return buildMessage(element(AUTH_CERT_REGISTRATION_REQUEST, AuthCertRegRequestType.class, request));
     }

@@ -42,6 +42,7 @@
 import org.niis.xroad.common.core.annotation.ArchUnitSuppressed;
 import org.niis.xroad.common.managementrequest.model.AddressChangeRequest;
 import org.niis.xroad.common.managementrequest.model.AuthCertRegRequest;
+import org.niis.xroad.common.managementrequest.model.AuthCertRegWithoutCertRequest;
 import org.niis.xroad.common.managementrequest.model.ClientDisableRequest;
 import org.niis.xroad.common.managementrequest.model.ClientEnableRequest;
 import org.niis.xroad.common.managementrequest.model.ClientRegRequest;
@@ -116,14 +117,21 @@ private URI getSecurityServerURI() throws URISyntaxException {
      *                       registered
      * @param address        the IP address of the security server
      * @param authCert       the authentication certificate bytes
+     * @param dryRun         if true, the request is not actually processed
      * @return request ID in the central server database
      * @throws Exception if an error occurs
      */
-    public Integer sendAuthCertRegRequest(SecurityServerId.Conf securityServer, String address, byte[] authCert)
+    public Integer sendAuthCertRegRequest(SecurityServerId.Conf securityServer, String address, byte[] authCert, boolean dryRun)
             throws Exception {
+        if (dryRun && authCert.length == 0) {
+            try (HttpSender sender = managementRequestClient.createCentralHttpSender()) {
+                return send(sender, getCentralServiceURI(), new AuthCertRegWithoutCertRequest(signerRpcClient, authCert,
+                        securityServer.getOwner(), builder.buildAuthCertRegRequest(securityServer, address, authCert, true)));
+            }
+        }
         try (HttpSender sender = managementRequestClient.createCentralHttpSender()) {
             return send(sender, getCentralServiceURI(), new AuthCertRegRequest(signerRpcClient, authCert, securityServer.getOwner(),
-                    builder.buildAuthCertRegRequest(securityServer, address, authCert)));
+                    builder.buildAuthCertRegRequest(securityServer, address, authCert, dryRun)));
         }
     }
 

@@ -68,9 +68,9 @@ public class AuthCertRegRequest implements ManagementRequest {
 
     private CertificateInfo ownerCert;
 
-    private byte[] dataToSign;
+    private final byte[] dataToSign;
 
-    private MultipartOutputStream multipart;
+    protected MultipartOutputStream multipart;
 
     public AuthCertRegRequest(SignerRpcClient signerRpcClient, byte[] authCert, ClientId owner, SoapMessageImpl request) {
         this.signerRpcClient = signerRpcClient;
@@ -154,7 +154,7 @@ private void writeSignatures() throws IOException, OperatorCreationException {
         multipart.write(createSignature(memberSigningInfo.keyId(), ownerSignAlgoId, digest));
     }
 
-    private void writeSoap() throws IOException {
+    protected void writeSoap() throws IOException {
         multipart.startPart(MimeTypes.TEXT_XML_UTF8);
         multipart.write(dataToSign);
     }

@@ -0,0 +1,58 @@
+/*
+ * The MIT License
+ *
+ * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package org.niis.xroad.common.managementrequest.model;
+
+import ee.ria.xroad.common.identifier.ClientId;
+import ee.ria.xroad.common.message.MultipartOutputStream;
+import ee.ria.xroad.common.message.SoapMessageImpl;
+
+import org.niis.xroad.signer.client.SignerRpcClient;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+
+public class AuthCertRegWithoutCertRequest extends AuthCertRegRequest {
+    public AuthCertRegWithoutCertRequest(SignerRpcClient signerRpcClient, byte[] authCert,
+                                         ClientId owner,
+                                         SoapMessageImpl request) {
+        super(signerRpcClient, authCert, owner, request);
+    }
+
+    @Override
+    public InputStream getRequestContent() throws IOException {
+
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        multipart = new MultipartOutputStream(out);
+
+        writeSoap();
+
+        multipart.close();
+        return new ByteArrayInputStream(out.toByteArray());
+    }
+}
@@ -172,6 +172,11 @@ public X509Certificate getCentralServerSslCertificate() {
         return null;
     }
 
+    @Override
+    public Set<String> findSourceAddresses() {
+        return Set.of();
+    }
+
     @Override
     public boolean isSecurityServerClient(ClientId client,
                                           SecurityServerId securityServer) {

@@ -269,6 +269,11 @@ public X509Certificate getCentralServerSslCertificate() {
         return globalConfProvider.getCentralServerSslCertificate();
     }
 
+    @Override
+    public Set<String> findSourceAddresses() {
+        return Set.of();
+    }
+
     @Override
     public int getOcspFreshnessSeconds() {
         return globalConfProvider.getOcspFreshnessSeconds();

@@ -340,6 +340,11 @@ boolean isSecurityServerClient(ClientId client,
      */
     X509Certificate getCentralServerSslCertificate();
 
+    /**
+     * @return a set containing all configured source addresses
+     */
+    Set<String> findSourceAddresses();
+
     /**
      * @return maximum allowed validity time of OCSP responses. If thisUpdate
      * field of an OCSP response is older than ocspFreshnessSeconds seconds,

@@ -69,6 +69,7 @@
 import java.util.Optional;
 import java.util.OptionalInt;
 import java.util.Set;
+import java.util.stream.Collectors;
 
 import static ee.ria.xroad.common.ErrorCodes.X_INTERNAL_ERROR;
 import static ee.ria.xroad.common.ErrorCodes.X_OUTDATED_GLOBALCONF;
@@ -637,6 +638,14 @@ public X509Certificate getCentralServerSslCertificate() {
         return certBytes != null ? CryptoUtils.readCertificate(certBytes) : null;
     }
 
+    @Override
+    public Set<String> findSourceAddresses() {
+        return getSharedParameters(getInstanceIdentifier()).getSources().stream()
+                .map(SharedParameters.ConfigurationSource::getAddress)
+                .filter(StringUtils::isNotBlank)
+                .collect(Collectors.toSet());
+    }
+
     @Override
     public int getOcspFreshnessSeconds() {
         return getSharedParameters(getInstanceIdentifier())