Add api, commands, and binding support for mTLS certificates (cloudflare#2567)

* Add mtls-certificate api

Mostly simple proxies to the SSL mTLS endpoints
Adds a new OAuth scope to allow this

* Add mtls-certificate commands

* Support bindings of type mtls_certificate

* Add tests

* Add changeset

Author: matthewdavidrodgers

.changeset/clean-jokes-tan.md

@@ -0,0 +1,13 @@
+---
+"wrangler": minor
+---
+
+Add mtls-certificate commands and binding support
+
+Functionality implemented first as an api, which is used in the cli standard
+api commands
+
+Note that this adds a new OAuth scope, so OAuth users will need to log out and
+log back in to use the new 'mtls-certificate' commands
+However, publishing with mtls-certifcate bindings (bindings of type
+'mtls_certificate') will work without the scope.

packages/wrangler/src/__tests__/configuration.test.ts

@@ -68,6 +68,7 @@ describe("normalizeAndValidateConfig()", () => {
 				bindings: [],
 			},
 			dispatch_namespaces: [],
+			mtls_certificates: [],
 			usage_model: undefined,
 			vars: {},
 			define: {},
@@ -2190,6 +2191,75 @@ describe("normalizeAndValidateConfig()", () => {
 			});
 		});
 
+		describe("[mtls_certificates]", () => {
+			it("should error if mtls_certificates is not an array", () => {
+				const { diagnostics } = normalizeAndValidateConfig(
+					{
+						mtls_certificates: "just a string",
+					} as unknown as RawConfig,
+					undefined,
+					{ env: undefined }
+				);
+
+				expect(diagnostics.hasWarnings()).toBe(false);
+				expect(diagnostics.hasErrors()).toBe(true);
+				expect(diagnostics.renderErrors()).toMatchInlineSnapshot(`
+			"Processing wrangler configuration:
+			  - The field \\"mtls_certificates\\" should be an array but got \\"just a string\\"."
+		`);
+			});
+
+			it("should error on non valid mtls_certificates", () => {
+				const { diagnostics } = normalizeAndValidateConfig(
+					{
+						mtls_certificates: [
+							"a string",
+							123,
+							false,
+							{
+								binding: 123,
+								namespace: 123,
+							},
+							{
+								binding: "CERT_ONE",
+								id: "1234",
+							},
+							{
+								binding: "CERT_TWO",
+								certificate_id: 1234,
+							},
+							// this one is valid
+							{
+								binding: "CERT_THREE",
+								certificate_id: "1234",
+							},
+							{
+								binding: true,
+								service: "1234",
+							},
+						],
+					} as unknown as RawConfig,
+					undefined,
+					{ env: undefined }
+				);
+
+				expect(diagnostics.hasWarnings()).toBe(false);
+				expect(diagnostics.hasErrors()).toBe(true);
+				expect(diagnostics.renderErrors()).toMatchInlineSnapshot(`
+			"Processing wrangler configuration:
+			  - \\"mtls_certificates\\" bindings should be objects, but got \\"a string\\"
+			  - \\"mtls_certificates\\" bindings should be objects, but got 123
+			  - \\"mtls_certificates\\" bindings should be objects, but got false
+			  - \\"mtls_certificates[3]\\" bindings should have a string \\"binding\\" field but got {\\"binding\\":123,\\"namespace\\":123}.
+			  - \\"mtls_certificates[3]\\" bindings should have a string \\"certificate_id\\" field but got {\\"binding\\":123,\\"namespace\\":123}.
+			  - \\"mtls_certificates[4]\\" bindings should have a string \\"certificate_id\\" field but got {\\"binding\\":\\"CERT_ONE\\",\\"id\\":\\"1234\\"}.
+			  - \\"mtls_certificates[5]\\" bindings should have a string \\"certificate_id\\" field but got {\\"binding\\":\\"CERT_TWO\\",\\"certificate_id\\":1234}.
+			  - \\"mtls_certificates[7]\\" bindings should have a string \\"binding\\" field but got {\\"binding\\":true,\\"service\\":\\"1234\\"}.
+			  - \\"mtls_certificates[7]\\" bindings should have a string \\"certificate_id\\" field but got {\\"binding\\":true,\\"service\\":\\"1234\\"}."
+		`);
+			});
+		});
+
 		describe("[unsafe.bindings]", () => {
 			it("should error if unsafe is an array", () => {
 				const { diagnostics } = normalizeAndValidateConfig(

packages/wrangler/src/__tests__/index.test.ts

@@ -50,6 +50,7 @@ describe("wrangler", () => {
 			  wrangler dispatch-namespace          📦 Interact with a dispatch namespace
 			  wrangler d1                          🗄  Interact with a D1 database
 			  wrangler pubsub                      📮 Interact and manage Pub/Sub Brokers
+			  wrangler mtls-certificate            🪪 Manage certificates used for mTLS connections
 			  wrangler login                       🔓 Login to Cloudflare
 			  wrangler logout                      🚪 Logout from Cloudflare
 			  wrangler whoami                      🕵️  Retrieve your user info and test your auth config
@@ -99,6 +100,7 @@ describe("wrangler", () => {
 			  wrangler dispatch-namespace          📦 Interact with a dispatch namespace
 			  wrangler d1                          🗄  Interact with a D1 database
 			  wrangler pubsub                      📮 Interact and manage Pub/Sub Brokers
+			  wrangler mtls-certificate            🪪 Manage certificates used for mTLS connections
 			  wrangler login                       🔓 Login to Cloudflare
 			  wrangler logout                      🚪 Logout from Cloudflare
 			  wrangler whoami                      🕵️  Retrieve your user info and test your auth config