Merge pull request #1 from Venafi/adding-trust-bundle

Adding trust bundle option

.gitignore

@@ -0,0 +1,3 @@
+chain.pem
+credentials
+.idea

Makefile

@@ -1,6 +1,6 @@
 ###Build parameters
 IMAGE_NAME := vault-venafi
-DOCKER_IMAGE := 192.168.3.9:5000/venafi/$(IMAGE_NAME)
+DOCKER_IMAGE := venafi/$(IMAGE_NAME)
 BUILD_TAG := build
 PLUGIN_NAME := venafi-pki-backend
 PLUGIN_DIR := bin
@@ -194,6 +194,8 @@ cloud: cloud_config_write cloud_cert_write cloud_cert_read_certificate cloud_cer
 #TPP role tasks
 tpp_config_write:
 	vault write $(MOUNT)/roles/$(TPP_ROLE) tpp_url=$(TPPURL) tpp_user=$(TPPUSER) tpp_password=$(TPPPASSWORD) zone="$(TPPZONE)" $(ROLE_OPTIONS)
+tpp_config_write_trust_bundle:
+	vault write $(MOUNT)/roles/$(TPP_ROLE) tpp_url=$(TPPURL) tpp_user=$(TPPUSER) tpp_password=$(TPPPASSWORD) zone="$(TPPZONE)" trust_bundle_file=$(TRUST_BUNDLE) $(ROLE_OPTIONS)
 tpp_config_read:
 	vault read $(MOUNT)/roles/$(TPP_ROLE)
 
@@ -211,7 +213,7 @@ tpp_cert_read_pkey:
 	@openssl x509 -in $(CERT_TMP_FILE) -pubkey -noout -outform pem | sha256sum
 
 
-tpp: tpp_config_write tpp_cert_write tpp_cert_read_certificate tpp_cert_read_pkey
+tpp: tpp_config_write_trust_bundle tpp_cert_write tpp_cert_read_certificate tpp_cert_read_pkey
 
 
 #Consul template tasks

README.md

@@ -34,6 +34,40 @@ X509v3 extensions:
 
 4. Option in TPP CA configuration template "Automatically include CN as DNS SAN" should be set to true.
 
+### Import trust chain for the Platform
+
+If Venafi Platform uses an internal (self-signed) certificate, you must get your server root certificate
+using open ssl command below and provide it as an option to the 'trust_bundle_file' vault parameter. Otherwise, the plugin will fail because of untrusted certificate error.
+Use the following command to import the certificate to the chain.pem file.
+
+To get server certificate run following openssl command
+
+```
+echo | openssl s_client -showcerts -servername TPP_ADDRESS -connect TPP_ADDRESS:TPP_PORT | openssl x509 -outform pem -out chain.pem
+```
+
+Example:
+
+```
+echo | openssl s_client -showcerts -servername venafi.example.com -connect venafi.example.com:5008 | openssl x509 -outform pem -out chain.pem
+```
+
+Example of configuring vault role with trust bundle:
+
+
+```
+vault write venafi-pki/roles/custom-tpp \
+    tpp_url=https://tpp.venafi.example/vedsdk \
+    tpp_user=admin \
+    tpp_password=password \
+    zone=testpolicy\\vault \
+    generate_lease=true \
+    store_by_cn="true" \
+    store_by_serial="true" \
+    store_pkey="true" \
+    trust_bundle_file="./chain.pem"
+```
+
 
 ## Step by step
 1. Export your Venafi Platform or Cloud configuration variables (or both)

docker-compose.yaml

@@ -24,11 +24,20 @@ services:
       VAULT_ADDR: http://127.0.0.1:8200
     ports:
       - "8200:8200"
-#    Uncomment mount if you want to use developement version of the plugin
 #    volumes:
+#    If you want to use trust bundle file option
+#       - ./chain.pem:/chain.pem
+#    Uncomment this mounts if you want to use developement version of the plugin
 #      - ./scripts/tools:/tools
 #      - ./scripts/config/vault:/config
 #      - ./scripts/config/vault/policies:/policies
 #      - ./bin:/vault_plugin
 #      - ./Makefile:/Makefile
     entrypoint: /tools/wait-for-it.sh -t 20 -h consul -p 8500 -s -- vault server -config=/config/vault-config-with-consul.hcl -log-level=debug
+#TODO: this is a workaround to avoid internal network conflict, need to find a better solution when netwrok will not be in docker-compose file.
+networks:
+  default:
+    ipam:
+      driver: default
+      config:
+      - subnet: "10.84.0.1/24"

main.go

@@ -1,7 +1,7 @@
 package main
 
 import (
-	pki "github.com/Venafi/vault-pki-vcert/plugin/pki"
+	pki "github.com/Venafi/vault-pki-backend-venafi/plugin/pki"
 	"github.com/hashicorp/vault/helper/pluginutil"
 	"github.com/hashicorp/vault/logical/plugin"
 	"log"

plugin/pki/path_roles.go

@@ -2,10 +2,10 @@ package pki
 
 import (
 	"context"
-		"strings"
+	"strings"
 	"time"
 
-		"github.com/hashicorp/vault/helper/consts"
+	"github.com/hashicorp/vault/helper/consts"
 	"github.com/hashicorp/vault/helper/parseutil"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
@@ -43,7 +43,7 @@ func pathRoles(b *backend) *framework.Path {
 			},
 
 			"zone": &framework.FieldSchema{
-				Type:        framework.TypeString,
+				Type: framework.TypeString,
 				Description: `Name of Venafi Platfrom or Cloud policy. 
 Example for Platform: testpolicy\\vault
 Example for Venafi Cloud: Default`,
@@ -57,6 +57,12 @@ Example for Venafi Cloud: Default`,
 				Type:        framework.TypeString,
 				Description: `Password for web API user Example: password`,
 			},
+			"trust_bundle_file": &framework.FieldSchema{
+				Type: framework.TypeString,
+				Description: `Use to specify a PEM formatted file with certificates to be used as trust anchors when communicating with the remote server.
+Example:
+  trust_bundle_file = "/full/path/to/chain.pem""`,
+			},
 			"apikey": &framework.FieldSchema{
 				Type:        framework.TypeString,
 				Description: `API key for Venafi Cloud. Example: 142231b7-cvb0-412e-886b-6aeght0bc93d`,
@@ -223,6 +229,7 @@ func (b *backend) pathRoleCreate(ctx context.Context, req *logical.Request, data
 		TPPPassword:     data.Get("tpp_password").(string),
 		Apikey:          data.Get("apikey").(string),
 		TPPUser:         data.Get("tpp_user").(string),
+		TrustBundleFile: data.Get("trust_bundle_file").(string),
 		Fakemode:        data.Get("fakemode").(bool),
 		StoreByCN:       data.Get("store_by_cn").(bool),
 		StoreBySerial:   data.Get("store_by_serial").(bool),
@@ -253,42 +260,44 @@ func (b *backend) pathRoleCreate(ctx context.Context, req *logical.Request, data
 type roleEntry struct {
 
 	//Venafi values
-	TPPURL          string `json:"tpp_url"`
-	CloudURL        string `json:"cloud_url"`
-	Zone            string `json:"zone"`
-	TPPPassword     string `json:"tpp_password"`
-	Apikey          string `json:"apikey"`
-	TPPUser         string `json:"tpp_user"`
-	Fakemode        bool   `json:"fakemode"`
-	StoreByCN       bool   `json:"store_by_cn"`
-	StoreBySerial   bool   `json:"store_by_serial"`
-	StorePrivateKey bool   `json:"store_pkey"`
-	LeaseMax                      string        `json:"lease_max"`
-	Lease                         string        `json:"lease"`
-	TTL                           time.Duration `json:"ttl_duration" mapstructure:"ttl_duration"`
-	MaxTTL                        time.Duration `json:"max_ttl_duration" mapstructure:"max_ttl_duration"`
-	GenerateLease                 bool          `json:"generate_lease,omitempty"`
-	DeprecatedMaxTTL              string        `json:"max_ttl" mapstructure:"max_ttl"`
-	DeprecatedTTL                 string        `json:"ttl" mapstructure:"ttl"`
-
+	TPPURL           string        `json:"tpp_url"`
+	CloudURL         string        `json:"cloud_url"`
+	Zone             string        `json:"zone"`
+	TPPPassword      string        `json:"tpp_password"`
+	Apikey           string        `json:"apikey"`
+	TPPUser          string        `json:"tpp_user"`
+	TrustBundleFile  string        `json:"trust_bundle_file"`
+	Fakemode         bool          `json:"fakemode"`
+	StoreByCN        bool          `json:"store_by_cn"`
+	StoreBySerial    bool          `json:"store_by_serial"`
+	StorePrivateKey  bool          `json:"store_pkey"`
+	LeaseMax         string        `json:"lease_max"`
+	Lease            string        `json:"lease"`
+	TTL              time.Duration `json:"ttl_duration" mapstructure:"ttl_duration"`
+	MaxTTL           time.Duration `json:"max_ttl_duration" mapstructure:"max_ttl_duration"`
+	GenerateLease    bool          `json:"generate_lease,omitempty"`
+	DeprecatedMaxTTL string        `json:"max_ttl" mapstructure:"max_ttl"`
+	DeprecatedTTL    string        `json:"ttl" mapstructure:"ttl"`
 }
 
 func (r *roleEntry) ToResponseData() map[string]interface{} {
 	responseData := map[string]interface{}{
 		//Venafi
-		"tpp_url":         r.TPPURL,
-		"cloud_url":       r.CloudURL,
-		"zone":            r.Zone,
-		"tpp_password":    r.TPPPassword,
-		"apikey":          r.Apikey,
-		"tpp_user":        r.TPPUser,
-		"fakemode":        r.Fakemode,
-		"store_by_cn":     r.StoreByCN,
-		"store_by_serial": r.StoreBySerial,
-		"store_pkey":      r.StorePrivateKey,
-		"ttl":                                int64(r.TTL.Seconds()),
-		"max_ttl":                            int64(r.MaxTTL.Seconds()),
-		"generate_lease": r.GenerateLease,
+		"tpp_url":   r.TPPURL,
+		"cloud_url": r.CloudURL,
+		"zone":      r.Zone,
+		//We shouldn't show credentials
+		//"tpp_password":      r.TPPPassword,
+		//"apikey":            r.Apikey,
+		"tpp_user":          r.TPPUser,
+		"trust_bundle_file": r.TrustBundleFile,
+		"fakemode":          r.Fakemode,
+		"store_by_cn":       r.StoreByCN,
+		"store_by_serial":   r.StoreBySerial,
+		"store_pkey":        r.StorePrivateKey,
+		"ttl":               int64(r.TTL.Seconds()),
+		"max_ttl":           int64(r.MaxTTL.Seconds()),
+		"generate_lease":    r.GenerateLease,
 	}
 	return responseData
 }

plugin/pki/path_venafi_cert_enroll.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/rand"
 	"crypto/rsa"
-	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
@@ -13,7 +12,6 @@ import (
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 	"log"
-	"net/http"
 	"strings"
 	"time"
 )
@@ -46,8 +44,6 @@ func pathVenafiCertEnroll(b *backend) *framework.Path {
 
 func (b *backend) pathVenafiCertObtain(ctx context.Context, req *logical.Request, data *framework.FieldData) (
 	*logical.Response, error) {
-	//TODO: switch to vcert insecure flag
-	http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
 
 	log.Printf("Getting the role\n")
 	roleName := data.Get("role").(string)

plugin/pki/path_venafi_fetch.go

@@ -3,7 +3,7 @@ package pki
 import (
 	"context"
 	"encoding/pem"
-		"strings"
+	"strings"
 
 	"github.com/hashicorp/vault/helper/errutil"
 	"github.com/hashicorp/vault/logical"
@@ -62,7 +62,6 @@ func (b *backend) pathVenafiFetchRead(ctx context.Context, req *logical.Request,
 		Data: map[string]interface{}{},
 	}
 
-
 	switch {
 	case req.Path == "crl" || req.Path == "crl/pem":
 		serial = "crl"

plugin/pki/test/e2e/e2e.go

@@ -137,13 +137,13 @@ var _ = Describe("Vault PKI Venafi backend e2e tests	", func() {
 					})
 					It("Fetching "+endpoint.name+" endpoint certificate with CN "+cn, func() {
 						By("Should be listed in certificates list")
-						cmd = fmt.Sprintf(`docker exec %s vault list venafi-pki/certs`,vaultContainerName)
+						cmd = fmt.Sprintf(`docker exec %s vault list venafi-pki/certs`, vaultContainerName)
 						out, err, code = testRun(cmd)
 						Expect(code).To(BeZero())
 						Expect(out).To(MatchRegexp(cn))
 
 						By("Should return valid JSON")
-						cmd = fmt.Sprintf(`docker exec %s vault read -format=json venafi-pki/cert/%s`,vaultContainerName,cn)
+						cmd = fmt.Sprintf(`docker exec %s vault read -format=json venafi-pki/cert/%s`, vaultContainerName, cn)
 						fmt.Println(cmd)
 						out, err, code = testRun(cmd)
 						cert := vaultJSONCertificate{}

plugin/pki/test/e2e/e2e_test.go

@@ -6,10 +6,10 @@ import (
 	"bufio"
 	"fmt"
 	. "github.com/onsi/ginkgo"
+	"github.com/onsi/ginkgo/reporters"
 	. "github.com/onsi/gomega"
 	"strings"
 	"time"
-	"github.com/onsi/ginkgo/reporters"
 )
 
 func init() {

plugin/pki/test/e2e/util.go

@@ -84,9 +84,9 @@ type RunContext struct {
 	TPPTestingEnabled   bool
 	CloudTestingEnabled bool
 	FakeTestingEnabled  bool
-	TPPIssuerCN           string
-	CloudIssuerCN         string
-	FakeIssuerCN          string
+	TPPIssuerCN         string
+	CloudIssuerCN       string
+	FakeIssuerCN        string
 }
 
 func GetContext() *RunContext {

plugin/pki/vcert.go

@@ -7,6 +7,7 @@ import (
 	"github.com/Venafi/vcert/pkg/endpoint"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
+	"io/ioutil"
 	"log"
 )
 
@@ -33,16 +34,36 @@ func (b *backend) ClientVenafi(ctx context.Context, s logical.Storage, data *fra
 			LogVerbose:    true,
 		}
 	} else if role.TPPURL != "" && role.TPPUser != "" && role.TPPPassword != "" {
-		log.Printf("Using Platform with url %s to issue certificate\n",role.TPPURL)
-		cfg = &vcert.Config{
-			ConnectorType: endpoint.ConnectorTypeTPP,
-			BaseUrl:       role.TPPURL,
-			Credentials: &endpoint.Authentication{
-				User:     role.TPPUser,
-				Password: role.TPPPassword,
-			},
-			Zone:       role.Zone,
-			LogVerbose: true,
+		log.Printf("Using Platform with url %s to issue certificate\n", role.TPPURL)
+		if role.TrustBundleFile != "" {
+			log.Printf("Trying to read trust bundle from file %s\n", role.TrustBundleFile)
+			trustBundle, err := ioutil.ReadFile(role.TrustBundleFile)
+			if err != nil {
+				return nil, err
+			}
+			trustBundlePEM := string(trustBundle)
+			cfg = &vcert.Config{
+				ConnectorType:   endpoint.ConnectorTypeTPP,
+				BaseUrl:         role.TPPURL,
+				ConnectionTrust: trustBundlePEM,
+				Credentials: &endpoint.Authentication{
+					User:     role.TPPUser,
+					Password: role.TPPPassword,
+				},
+				Zone:       role.Zone,
+				LogVerbose: true,
+			}
+		} else {
+			cfg = &vcert.Config{
+				ConnectorType: endpoint.ConnectorTypeTPP,
+				BaseUrl:       role.TPPURL,
+				Credentials: &endpoint.Authentication{
+					User:     role.TPPUser,
+					Password: role.TPPPassword,
+				},
+				Zone:       role.Zone,
+				LogVerbose: true,
+			}
 		}
 
 	} else if role.Apikey != "" {