Automated from: 54c42cc4b7a145b0bda83df1d00278de65fe595d

DelineaXPM · Sep 21, 2021 · c733614 · c733614
1 parent a0e9d9c
commit c733614
Show file tree

Hide file tree

Showing 7 changed files with 98 additions and 55 deletions.
diff --git a/auth/auth.go b/auth/auth.go
@@ -310,6 +310,7 @@ func (a *authenticator) getTokenForAuthType(at AuthType, useCache bool) (*TokenR
 		} else if at == Certificate {
 			data.AuthProvider = viper.GetString(cst.AuthProvider)
 			data.ClientCertificate = viper.GetString("client_certificate")
+			data.PrivateKey = viper.GetString("private_key")
 		}
 	}
 
@@ -555,6 +556,7 @@ type requestBody struct {
 	CallbackHost      string `json:"_"`
 	AuthProvider      string `json:"auth_provider"`
 	ClientCertificate string `json:"client_certificate"`
+	PrivateKey        string `json:"private_key"`
 }
 
 type TokenResponse struct {

diff --git a/commands/auth_provider.go b/commands/auth_provider.go
@@ -135,13 +135,14 @@ func GetAuthProviderCreateCmd() (cli.Command, error) {
 	return NewCommand(CommandArgs{
 		Path:         []string{cst.NounAuthProvider, cst.Create},
 		RunFunc:      AuthProvider{request: requests.NewHttpClient(), outClient: nil}.handleAuthProviderUpsert,
-		SynopsisText: fmt.Sprintf("%s %s %s (<name> | --name|-n) (--type) ((--data|-d) | --aws-account-id | --azure-tenant-id | --gcp-project-id)", cst.NounConfig, cst.NounAuthProvider, cst.Create),
+		SynopsisText: fmt.Sprintf("%s %s %s (<name> | --name|-n) (--type) ((--data|-d) | --aws-account-id | --azure-tenant-id | --gcp-project-id | --root-ca-path | --assumed-role)", cst.NounConfig, cst.NounAuthProvider, cst.Create),
 		HelpText: fmt.Sprintf(`Add %[1]s provider
 
 Usage:
   • %[1]s %[2]s %[4]s %[3]s --aws-account-id 11652944433808  --type aws
   • %[1]s %[2]s %[4]s --name azure-prod --azure-tenant-id 164543 --type azure
   • %[1]s %[2]s %[4]s --name GCP-prod --gcp-project-id test-proj --type gcp
+  • %[1]s %[2]s %[4]s --name cert-prod --root-ca-path rootcert --assumed-role certauth_role --type certificate
   • %[1]s %[2]s %[4]s --data %[5]s
 
  %[6]s
@@ -157,6 +158,8 @@ Usage:
 			preds.LongFlag(cst.ThyOneAuthClientID):      cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.ThyOneAuthClientID, Usage: fmt.Sprintf("Thycotic One client ID")}), false},
 			preds.LongFlag(cst.ThyOneAuthClientSecret):  cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.ThyOneAuthClientSecret, Usage: fmt.Sprintf("Thycotic One client secret")}), false},
 			preds.LongFlag(cst.SendWelcomeEmail):        cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.SendWelcomeEmail, Usage: fmt.Sprintf("Whether to send welcome email for thycotic-one users linked to the auth provider (true or false)")}), false},
+			preds.LongFlag(cst.RootCaPath):              cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.RootCaPath, Usage: fmt.Sprintf("Root certificate  secret path")}), false},
+			preds.LongFlag(cst.AssumedRole):             cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.AssumedRole, Usage: fmt.Sprintf("Assumed Role")}), false},
 		},
 		MinNumberArgs: 0,
 	})
@@ -166,13 +169,14 @@ func GetAuthProviderUpdateCmd() (cli.Command, error) {
 	return NewCommand(CommandArgs{
 		Path:         []string{cst.Config, cst.NounAuthProvider, cst.Update},
 		RunFunc:      AuthProvider{request: requests.NewHttpClient(), outClient: nil}.handleAuthProviderUpsert,
-		SynopsisText: fmt.Sprintf("%s %s %s (<name> | --name|-n) (--type) ((--data|-d) | --aws-account-id | --azure-tenant-id | --gcp-project-id)", cst.NounConfig, cst.NounAuthProvider, cst.Update),
+		SynopsisText: fmt.Sprintf("%s %s %s (<name> | --name|-n) (--type) ((--data|-d) | --aws-account-id | --azure-tenant-id | --gcp-project-id | --root-ca-path | --assumed-role)", cst.NounConfig, cst.NounAuthProvider, cst.Update),
 		HelpText: fmt.Sprintf(`Update %[1]s properties
 
 Usage:
   • %[1]s %[2]s %[4]s %[3]s --aws-account-id 11652944433808  --type aws
   • %[1]s %[2]s %[4]s --name azure-prod --azure-tenant-id 164543 --type azure
   • %[1]s %[2]s %[4]s --name GCP-prod --gcp-project-id test-proj --type gcp
+  • %[1]s %[2]s %[4]s --name cert-prod --root-ca-path rootcert --assumed-role certauth_role --type certificate
   • %[1]s %[2]s %[4]s --data %[5]s
 		`, cst.NounConfig, cst.NounAuthProvider, cst.ExampleAuthProviderName, cst.Update, cst.ExampleDataPath),
 		FlagsPredictor: cli.PredictorWrappers{
@@ -186,6 +190,8 @@ Usage:
 			preds.LongFlag(cst.ThyOneAuthClientID):      cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.ThyOneAuthClientID, Usage: fmt.Sprintf("Thycotic One client ID")}), false},
 			preds.LongFlag(cst.ThyOneAuthClientSecret):  cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.ThyOneAuthClientSecret, Usage: fmt.Sprintf("Thycotic One client secret")}), false},
 			preds.LongFlag(cst.SendWelcomeEmail):        cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.SendWelcomeEmail, Usage: fmt.Sprintf("Whether to send welcome email for thycotic-one users linked to the auth provider (true or false)")}), false},
+			preds.LongFlag(cst.RootCaPath):              cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.RootCaPath, Usage: fmt.Sprintf("Root certificate secret path")}), false},
+			preds.LongFlag(cst.AssumedRole):             cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.AssumedRole, Usage: fmt.Sprintf("Assumed Role")}), false},
 		},
 		MinNumberArgs: 0,
 	})
@@ -349,6 +355,7 @@ func (p AuthProvider) handleAuthProviderUpsertWorkflow(args []string) int {
 				{"azure", "Azure"},
 				{"gcp", "GCP"},
 				{cst.ThyOne, "Thycotic One"},
+				{"certificate", "Certificate"},
 			}, false, false); err != nil {
 			ui.Error(err.Error())
 			return utils.GetExecStatus(err)
@@ -435,6 +442,22 @@ func (p AuthProvider) handleAuthProviderUpsertWorkflow(args []string) int {
 				params.Properties.SendWelcomeEmail = &sendWelcomeEmail
 			}
 		}
+	case "certificate":
+		if rootCaPath, err := getStringAndValidate(
+			ui, "Root certificate path:", false, nil, false, false); err != nil {
+			ui.Error(err.Error())
+			return utils.GetExecStatus(err)
+		} else {
+			params.Properties.RootCaPath = rootCaPath
+		}
+		if assumedrole, err := getStringAndValidate(
+			ui, "Assumed role:", false, nil, false, false); err != nil {
+			ui.Error(err.Error())
+			return utils.GetExecStatus(err)
+		} else {
+			params.Properties.AssumedRole = assumedrole
+		}
+
 	default:
 		ui.Error("Unsupported auth provider type.")
 		return 1
@@ -484,6 +507,8 @@ func (p AuthProvider) handleAuthProviderUpsert(args []string) int {
 				BaseURI:      viper.GetString(cst.ThyOneAuthClientBaseUri),
 				ClientID:     viper.GetString(cst.ThyOneAuthClientID),
 				ClientSecret: viper.GetString(cst.ThyOneAuthClientSecret),
+				RootCaPath:   viper.GetString(cst.RootCaPath),
+				AssumedRole:  viper.GetString(cst.AssumedRole),
 			},
 		}
 	}
@@ -649,4 +674,6 @@ type Properties struct {
 	BaseURI          string `json:"baseUri,omitempty"`
 	UsernameClaim    string `json:"usernameClaim,omitempty"`
 	SendWelcomeEmail *bool  `json:"sendWelcomeEmail,omitempty"`
+	RootCaPath       string `json:"rootcapath,omitempty"`
+	AssumedRole      string `json:"assumedrole,omitempty"`
 }
diff --git a/commands/cli-config.go b/commands/cli-config.go
@@ -539,7 +539,6 @@ func handleCliConfigInitCmd(args []string) int {
 			o(string(auth.FederatedAzure), "Azure (federated)"),
 			o(string(auth.FederatedGcp), "GCP (federated)"),
 			o(string(auth.Oidc), "OIDC (federated)"),
-			//TODO: this will be enable once this feature is completed
 			//o(string(auth.Certificate), "x509 Certificate"),
 		}, false, false); err != nil {
 			return 1
@@ -652,14 +651,6 @@ func handleCliConfigInitCmd(args []string) int {
 			viper.Set(cst.Callback, callback)
 			AddNode(&cfg, jsonish{cst.DataCallback: callback}, profile, cst.NounAuth)
 		} else if auth.AuthType(authType) == auth.Certificate {
-			if user == "" {
-				if user, err = getStringAndValidate(ui, fmt.Sprintf("Please enter username for tenant %s:", viper.GetString(cst.Tenant)), false, nil, false, false); err != nil {
-					return 1
-				}
-
-				viper.Set(cst.Username, user)
-			}
-
 			if authProvider == "" {
 				if authProvider, err = getStringAndValidate(ui, "Please enter auth provider name:", false, nil, false, false); err != nil {
 					return 1
@@ -677,13 +668,17 @@ func handleCliConfigInitCmd(args []string) int {
 
 			viper.Set("client_certificate", leaf)
 
-			leaf, err = auth.EncipherPassword(leaf)
+			AddNode(&cfg, jsonish{cst.Leaf: leaf}, profile, "leafcert")
+
+			leafPrKey, err := getStringAndValidate(ui, "Leaf private key:", false, nil, false, false)
 			if err != nil {
 				ui.Error(err.Error())
 				return 1
 			}
 
-			AddNode(&cfg, jsonish{cst.Leaf: leaf}, profile, "leafcert")
+			viper.Set("private_key", leafPrKey)
+
+			AddNode(&cfg, jsonish{cst.LeafPrivateKey: leafPrKey}, profile, "leafprivatekey")
 		}
 	}
 

diff --git a/constants/commands.go b/constants/commands.go
@@ -109,30 +109,33 @@ const (
 	ThyOneAuthClientID      = "clientId"
 	ThyOneAuthClientSecret  = "clientSecret"
 	SendWelcomeEmail        = "send.welcome.email"
-	Query                   = "query"
-	SearchLinks             = "search.links"
-	SearchComparison        = "search.comparison"
-	SearchType              = "search.type"
-	SearchField             = "search.field"
-	Limit                   = "limit"
-	OffSet                  = "offset"
-	Cursor                  = "cursor"
-	RefreshToken            = "refreshtoken"
-	Output                  = "out"
-	Overwrite               = "overwrite"
-	ClientID                = "client.id"
-	ClientSecret            = "client.secret"
-	Version                 = "version"
-	VersionStart            = "version-start"
-	VersionEnd              = "version-end"
-	StartDate               = "startdate"
-	EndDate                 = "enddate"
-	Force                   = "force"
-	Sort                    = "sort"
-	NewAdmins               = "new-admins"
-	MinNumberOfShares       = "min-number-of-shares"
-	Shares                  = "shares"
-	SendToEngine			= "send-to-engine"
+	RootCaPath              = "root.ca.path"
+	AssumedRole             = "assumed.role"
+
+	Query             = "query"
+	SearchLinks       = "search.links"
+	SearchComparison  = "search.comparison"
+	SearchType        = "search.type"
+	SearchField       = "search.field"
+	Limit             = "limit"
+	OffSet            = "offset"
+	Cursor            = "cursor"
+	RefreshToken      = "refreshtoken"
+	Output            = "out"
+	Overwrite         = "overwrite"
+	ClientID          = "client.id"
+	ClientSecret      = "client.secret"
+	Version           = "version"
+	VersionStart      = "version-start"
+	VersionEnd        = "version-end"
+	StartDate         = "startdate"
+	EndDate           = "enddate"
+	Force             = "force"
+	Sort              = "sort"
+	NewAdmins         = "new-admins"
+	MinNumberOfShares = "min-number-of-shares"
+	Shares            = "shares"
+	SendToEngine      = "send-to-engine"
 )
 
 // Data Flags

diff --git a/constants/pki.go b/constants/pki.go
@@ -1,11 +1,12 @@
 package constants
 
 const (
-	Register     = "register"
-	Sign         = "sign"
-	Leaf         = "leaf"
-	GenerateRoot = "generate-root"
-	SSHCert      = "ssh-cert"
+	Register       = "register"
+	Sign           = "sign"
+	Leaf           = "leaf"
+	GenerateRoot   = "generate-root"
+	SSHCert        = "ssh-cert"
+	LeafPrivateKey = "privatekey"
 )
 
 const (

diff --git a/go.mod b/go.mod
@@ -7,7 +7,7 @@ require (
 	github.com/Azure/go-autorest/autorest/azure/auth v0.4.2
 	github.com/apex/log v1.1.0
 	github.com/atotto/clipboard v0.1.1
-	github.com/aws/aws-sdk-go v1.17.2
+	github.com/aws/aws-sdk-go v1.40.37
 	github.com/danieljoos/wincred v1.0.1
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/fatih/color v1.7.0
@@ -16,7 +16,7 @@ require (
 	github.com/hokaccha/go-prettyjson v0.0.0-20190818114111-108c894c2c0e
 	github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c
 	github.com/jarcoal/httpmock v1.0.4
-	github.com/maxbrunsfeld/counterfeiter/v6 v6.3.0 // indirect
+	github.com/maxbrunsfeld/counterfeiter/v6 v6.3.0
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mitchellh/mapstructure v1.1.2
 	github.com/peterbourgon/diskv v2.0.1+incompatible
@@ -31,7 +31,7 @@ require (
 	github.com/thycotic-rd/cli v1.0.1-0.20190221164533-c25d734d6e3d
 	github.com/tidwall/pretty v0.0.0-20180105212114-65a9db5fad51
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c
+	golang.org/x/sys v0.0.0-20210423082822-04245dca01da
 	google.golang.org/api v0.13.0
 	google.golang.org/appengine v1.6.5 // indirect
 	gopkg.in/yaml.v2 v2.3.0