From e4b0680c25b3a262b742567c0f5dc6d62c5b8c02 Mon Sep 17 00:00:00 2001 From: Luis Presuel Date: Fri, 9 Sep 2022 17:55:31 -0500 Subject: [PATCH 1/2] Adds acceptance test cases for TPP and VaaS for feature prevent-reissuance. Fixes bug that prevented VaaS to use that feature properly --- go.mod | 2 +- go.sum | 4 +- plugin/pki/backend_test.go | 455 ++++++++++++++++++ plugin/pki/env_test.go | 277 ++++++++++- plugin/pki/path_venafi_cert_enroll.go | 12 +- .../vcert/v4/pkg/venafi/cloud/connector.go | 35 +- .../vcert/v4/pkg/venafi/cloud/search.go | 45 ++ vendor/modules.txt | 2 +- 8 files changed, 778 insertions(+), 54 deletions(-) diff --git a/go.mod b/go.mod index 9b05dbf8..139622f8 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.13 require ( github.com/Venafi/vcert v3.18.4+incompatible - github.com/Venafi/vcert/v4 v4.22.0 + github.com/Venafi/vcert/v4 v4.22.1-0.20220908212350-161a49f29bfe github.com/hashicorp/go-hclog v0.14.1 github.com/hashicorp/vault/api v1.0.4 github.com/hashicorp/vault/sdk v0.1.13 diff --git a/go.sum b/go.sum index 90b188f8..d4b2e620 100644 --- a/go.sum +++ b/go.sum @@ -16,8 +16,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/Venafi/vcert v3.18.4+incompatible h1:mDXSjd+EpXa8YEkEo9Oad19E270aiPJJMhjoKs63b+8= github.com/Venafi/vcert v3.18.4+incompatible/go.mod h1:3dpfrCI+31cDZosD+1UX8GFziVFORaegByXtzT1dwNo= -github.com/Venafi/vcert/v4 v4.22.0 h1:trH5eftOQ3cKgGFenMGFZ62yfITeunOSF9zx2xpZ1g8= -github.com/Venafi/vcert/v4 v4.22.0/go.mod h1:4Nec3twWisOdS1unpDZ93sfau9eVSDS8Ot+Ry/gg0es= +github.com/Venafi/vcert/v4 v4.22.1-0.20220908212350-161a49f29bfe h1:rwsBBrmmbsc2sdcHhBMMRT2ZHpC9Hcdoq2sj+nArkw0= +github.com/Venafi/vcert/v4 v4.22.1-0.20220908212350-161a49f29bfe/go.mod h1:4Nec3twWisOdS1unpDZ93sfau9eVSDS8Ot+Ry/gg0es= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= diff --git a/plugin/pki/backend_test.go b/plugin/pki/backend_test.go index 81931184..7b7eed6e 100644 --- a/plugin/pki/backend_test.go +++ b/plugin/pki/backend_test.go @@ -2,6 +2,7 @@ package pki import ( "testing" + "time" ) func TestFakeRolesConfigurations(t *testing.T) { @@ -172,6 +173,460 @@ func TestTokenIntegration(t *testing.T) { } +func TestTPPpreventReissuance(t *testing.T) { + regDuration := time.Duration(24) * time.Hour + // CASE: should be the SAME - same CN and SAN + t.Run("TPP Token enroll same certificate and prevent-reissue", func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{minCertTimeLeft: regDuration} + integrationTestEnv.PreventReissuance(t, data, venafiConfigToken) + }) + // CASE: should be different - same CN but 1 additional SAN + t.Run("TPP Token second enroll certificate with extra SAN DNS and should not prevent-reissue", func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{minCertTimeLeft: regDuration} + integrationTestEnv.PreventReissuanceCNwithExtraSANDNS(t, data, venafiConfigToken) + }) + // CASE: should be different - same CN and missing 1 SAN of 3 + t.Run("TPP Token second enroll certificate and removing one SAN DNS from list and should not prevent-reissue", func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{minCertTimeLeft: regDuration} + integrationTestEnv.PreventReissuanceCNandRemovingSANDNS(t, data, venafiConfigToken) + }) + // CASE: should be the SAME - same CN and no SANs + t.Run("TPP Token certificate with CN only and no SAN DNS second enroll should be prevented", func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{minCertTimeLeft: regDuration} + integrationTestEnv.PreventReissuanceCNnoSANSDNS(t, data, venafiConfigToken) + }) + // CASE: should be different - same CN and SAN but just barely not sufficiently valid + t.Run("TPP Token second enroll same certificate with TTL that is not sufficient for set valid time and should not prevent-reissue", + func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{ + minCertTimeLeft: time.Duration(24) * time.Hour, + ttl: time.Duration(23) * time.Hour, + } + integrationTestEnv.PreventReissuanceTTLnotValid(t, data, venafiConfigToken) + }) + // CASE: should be the SAME - same CN and SAN and just barely sufficiently valid + t.Run("TPP Token second enroll same certificate wit TTL with barely sufficient valid time and should prevent-reissue", func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + // we set a TLL less than a time we consider a certificate to be valid, so we always issue a new one + data := testData{ + minCertTimeLeft: time.Duration(24) * time.Hour, + ttl: time.Duration(25) * time.Hour, + } + integrationTestEnv.PreventReissuanceTTLvalid(t, data, venafiConfigToken) + }) + // CASE: should be the SAME - same CN and same 3 SANs + t.Run("TPP Token second enroll certificate with three SAN DNS and should prevent-reissue", func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{minCertTimeLeft: regDuration} + integrationTestEnv.PreventReissuanceCNwithThreeSANDNS(t, data, venafiConfigToken) + }) + // CASE: should be different - different CN and same 3 SANs + t.Run("TPP Token second enroll certificate with three SAN DNS but different CN and should not prevent-reissue", func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{minCertTimeLeft: regDuration} + integrationTestEnv.PreventReissuanceCNwithDifferentCNandThreeSANDNS(t, data, venafiConfigToken) + }) + // CASE: should be the SAME - no CN and same 3 SANs + t.Run("TPP Token second enroll certificate with three SAN DNS but no CN and should prevent-reissue", func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{minCertTimeLeft: regDuration} + integrationTestEnv.PreventReissuanceCNwithNoCNandThreeSANDNS(t, data, venafiConfigToken) + }) + // Service generated CSR + // CASE: should be the SAME - same CN and SAN + t.Run("Service Generated CSR - TPP Token enroll same certificate and prevent-reissue", func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{ + serviceGeneratedCert: true, + minCertTimeLeft: regDuration, + } + integrationTestEnv.PreventReissuance(t, data, venafiConfigToken) + }) + // CASE: should be different - same CN but 1 additional SAN + t.Run("Service Generated CSR - TPP Token second enroll certificate with extra SAN DNS and should not prevent-reissue", + func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{ + serviceGeneratedCert: true, + minCertTimeLeft: regDuration, + } + integrationTestEnv.PreventReissuanceCNwithExtraSANDNS(t, data, venafiConfigToken) + }) + // CASE: should be different - same CN and missing 1 SAN of 3 + t.Run("Service Generated CSR - TPP Token second enroll certificate and removing one SAN DNS from list and should not prevent-reissue", + func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{ + serviceGeneratedCert: true, + minCertTimeLeft: regDuration, + } + integrationTestEnv.PreventReissuanceCNandRemovingSANDNS(t, data, venafiConfigToken) + }) + // CASE: should be the SAME - same CN and no SANs + t.Run("Service Generated CSR - TPP Token certificate with CN only and no SAN DNS second enroll should be prevented", + func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{ + serviceGeneratedCert: true, + minCertTimeLeft: regDuration, + } + integrationTestEnv.PreventReissuanceCNnoSANSDNS(t, data, venafiConfigToken) + }) + // CASE: should be different - same CN and SAN but just barely not sufficiently valid + t.Run("Service Generated CSR - TPP Token second enroll same certificate with TTL that is not sufficient for set valid time and should not prevent-reissue", + func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{ + serviceGeneratedCert: true, + minCertTimeLeft: time.Duration(24) * time.Hour, + ttl: time.Duration(23) * time.Hour, + } + integrationTestEnv.PreventReissuanceTTLnotValid(t, data, venafiConfigToken) + }) + // CASE: should be the SAME - same CN and SAN and just barely sufficiently valid + t.Run("Service Generated CSR - TPP Token second enroll same certificate wit TTL with barely sufficient valid time and should prevent-reissue", + func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{ + serviceGeneratedCert: true, + minCertTimeLeft: time.Duration(24) * time.Hour, + ttl: time.Duration(25) * time.Hour, + } + integrationTestEnv.PreventReissuanceTTLvalid(t, data, venafiConfigToken) + }) + // CASE: should be the SAME - same CN and same 3 SANs + t.Run("Service Generated CSR - TPP Token second enroll certificate with three SAN DNS and should prevent-reissue", + func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{ + serviceGeneratedCert: true, + minCertTimeLeft: regDuration, + } + integrationTestEnv.PreventReissuanceCNwithThreeSANDNS(t, data, venafiConfigToken) + }) + // CASE: should be different - different CN and same 3 SANs + t.Run("Service Generated CSR - TPP Token second enroll certificate with three SAN DNS but different CN and should not prevent-reissue", + func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{ + serviceGeneratedCert: true, + minCertTimeLeft: regDuration, + } + integrationTestEnv.PreventReissuanceCNwithDifferentCNandThreeSANDNS(t, data, venafiConfigToken) + }) + // CASE: should be the SAME - no CN and same 3 SANs + t.Run("Service Generated CSR - TPP Token second enroll certificate with three SAN DNS but no CN and should prevent-reissue", + func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{ + serviceGeneratedCert: true, + minCertTimeLeft: regDuration, + } + integrationTestEnv.PreventReissuanceCNwithNoCNandThreeSANDNS(t, data, venafiConfigToken) + }) +} + +func TestVaasPreventReissuance(t *testing.T) { + regDuration := time.Duration(24) * time.Hour + // CASE: should be the SAME - same CN and SAN + t.Run("VaaS enroll same certificate and prevent-reissue", func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{minCertTimeLeft: regDuration} + integrationTestEnv.PreventReissuance(t, data, venafiConfigCloud) + }) + // CASE: should be different - same CN but 1 additional SAN + t.Run("VaaS second enroll certificate with extra SAN DNS and should not prevent-reissue", func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{minCertTimeLeft: regDuration} + integrationTestEnv.PreventReissuanceCNwithExtraSANDNS(t, data, venafiConfigCloud) + }) + // CASE: should be different - same CN and missing 1 SAN of 3 + t.Run("VaaS second enroll certificate and removing one SAN DNS from list and should not prevent-reissue", func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{minCertTimeLeft: regDuration} + integrationTestEnv.PreventReissuanceCNandRemovingSANDNS(t, data, venafiConfigCloud) + }) + // CASE: should be the SAME - same CN and no SANs + t.Run("VaaS certificate with CN only and no SAN DNS second enroll should be prevented", func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{minCertTimeLeft: regDuration} + integrationTestEnv.PreventReissuanceCNnoSANSDNS(t, data, venafiConfigCloud) + }) + t.Run("VaaS second enroll same certificate with TTL that is not sufficient for set valid time and should not prevent-reissue", + func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{ + // for VaaS use case we need to set and extra 24 hours since value is truncated (2184hrs = 91 days) + minCertTimeLeft: time.Duration(2184) * time.Hour, + } + integrationTestEnv.PreventReissuanceTTLnotValid(t, data, venafiConfigCloud) + }) + // CASE: should be the SAME - same CN and SAN and just barely sufficiently valid + t.Run("VaaS second enroll same certificate wit TTL with barely sufficient valid time and should prevent-reissue", func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{minCertTimeLeft: time.Duration(2159) * time.Hour} + integrationTestEnv.PreventReissuanceTTLvalid(t, data, venafiConfigCloud) + }) + // CASE: should be the SAME - same CN and same 3 SANs + t.Run("VaaS second enroll certificate with three SAN DNS and should prevent-reissue", func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{minCertTimeLeft: regDuration} + integrationTestEnv.PreventReissuanceCNwithThreeSANDNS(t, data, venafiConfigCloud) + }) + // CASE: should be different - different CN and same 3 SANs + t.Run("VaaS second enroll certificate with three SAN DNS but different CN and should not prevent-reissue", func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{minCertTimeLeft: regDuration} + integrationTestEnv.PreventReissuanceCNwithDifferentCNandThreeSANDNS(t, data, venafiConfigCloud) + }) + // CASE: should be the SAME - no CN and same 3 SANs + t.Run("VaaS second enroll certificate with three SAN DNS but no CN and should prevent-reissue", func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{minCertTimeLeft: regDuration} + integrationTestEnv.PreventReissuanceCNwithNoCNandThreeSANDNS(t, data, venafiConfigCloud) + }) + // Service generated CSR + // CASE: should be the SAME - same CN and SAN + t.Run("Service Generated CSR - VaaS enroll same certificate and prevent-reissue", func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{ + serviceGeneratedCert: true, + minCertTimeLeft: regDuration, + } + integrationTestEnv.PreventReissuance(t, data, venafiConfigCloud) + }) + // CASE: should be different - same CN but 1 additional SAN + t.Run("Service Generated CSR - VaaS second enroll certificate with extra SAN DNS and should not prevent-reissue", + func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{ + serviceGeneratedCert: true, + minCertTimeLeft: regDuration, + } + integrationTestEnv.PreventReissuanceCNwithExtraSANDNS(t, data, venafiConfigCloud) + }) + // CASE: should be different - same CN and missing 1 SAN of 3 + t.Run("Service Generated CSR - VaaS second enroll certificate and removing one SAN DNS from list and should not prevent-reissue", + func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{ + serviceGeneratedCert: true, + minCertTimeLeft: regDuration, + } + integrationTestEnv.PreventReissuanceCNandRemovingSANDNS(t, data, venafiConfigCloud) + }) + // CASE: should be the SAME - same CN and no SANs + t.Run("Service Generated CSR - VaaS certificate with CN only and no SAN DNS second enroll should be prevented", + func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{ + serviceGeneratedCert: true, + minCertTimeLeft: regDuration, + } + integrationTestEnv.PreventReissuanceCNnoSANSDNS(t, data, venafiConfigCloud) + }) + t.Run("Service Generated CSR - VaaS second enroll same certificate with TTL that is not sufficient for set valid time and should not prevent-reissue", + func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{ + serviceGeneratedCert: true, + // for VaaS use case we need to set and extra 24 hours since value is truncated (2184hrs = 91 days) + minCertTimeLeft: time.Duration(2184) * time.Hour, + } + integrationTestEnv.PreventReissuanceTTLnotValid(t, data, venafiConfigCloud) + }) + // CASE: should be the SAME - same CN and SAN and just barely sufficiently valid + t.Run("Service Generated CSR - VaaS second enroll same certificate wit TTL with barely sufficient valid time and should prevent-reissue", + func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{ + serviceGeneratedCert: true, + minCertTimeLeft: time.Duration(2159) * time.Hour, + } + integrationTestEnv.PreventReissuanceTTLvalid(t, data, venafiConfigCloud) + }) + // CASE: should be the SAME - same CN and same 3 SANs + t.Run("Service Generated CSR - VaaS second enroll certificate with three SAN DNS and should prevent-reissue", + func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{ + serviceGeneratedCert: true, + minCertTimeLeft: regDuration, + } + integrationTestEnv.PreventReissuanceCNwithThreeSANDNS(t, data, venafiConfigCloud) + }) + // CASE: should be different - different CN and same 3 SANs + t.Run("Service Generated CSR - VaaS second enroll certificate with three SAN DNS but different CN and should not prevent-reissue", + func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{ + serviceGeneratedCert: true, + minCertTimeLeft: regDuration, + } + integrationTestEnv.PreventReissuanceCNwithDifferentCNandThreeSANDNS(t, data, venafiConfigCloud) + }) + // CASE: should be the SAME - no CN and same 3 SANs + t.Skip("Currently we skip this scenario as VaaS currently doesn't support it (probable bug)") + t.Run("Service Generated CSR - VaaS second enroll certificate with three SAN DNS but no CN and should prevent-reissue", + func(t *testing.T) { + t.Parallel() + integrationTestEnv, err := newIntegrationTestEnv() + if err != nil { + t.Fatal(err) + } + data := testData{ + serviceGeneratedCert: true, + minCertTimeLeft: regDuration, + } + integrationTestEnv.PreventReissuanceCNwithNoCNandThreeSANDNS(t, data, venafiConfigCloud) + }) +} + func TestZoneOverride(t *testing.T) { integrationTestEnv, err := newIntegrationTestEnv() diff --git a/plugin/pki/env_test.go b/plugin/pki/env_test.go index 2090ab66..2c3f6232 100644 --- a/plugin/pki/env_test.go +++ b/plugin/pki/env_test.go @@ -44,15 +44,18 @@ type testData struct { dnsIP string dnsNS string //onlyIP added IP Address x509 field - onlyIP string - keyPassword string - privateKey string - provider venafiConfigString - signCSR bool - customFields []string - ttl time.Duration - storeBy string - privateKeyFormat string + onlyIP string + keyPassword string + privateKey string + provider venafiConfigString + signCSR bool + customFields []string + ttl time.Duration + storeBy string + storePkey bool + serviceGeneratedCert bool + privateKeyFormat string + minCertTimeLeft time.Duration } const ( @@ -263,12 +266,27 @@ func (e *testEnv) writeRoleToBackendWithData(t *testing.T, configString venafiCo roleData["zone"] = "" ttl := strconv.Itoa(role_ttl_test_property) + "h" + if &data.ttl != nil { + ttl = data.ttl.String() + } roleData["ttl"] = ttl roleData["issuer_hint"] = util.IssuerHintMicrosoft if data.storeBy != "" { roleData["store_by"] = data.storeBy } + if data.minCertTimeLeft > 0 { + roleData["min_cert_time_left"] = data.minCertTimeLeft + } + + if &data.storePkey != nil { + roleData["store_pkey"] = data.storePkey + } + + if &data.serviceGeneratedCert != nil { + roleData["service_generated_cert"] = data.serviceGeneratedCert + } + resp, err := e.Backend.HandleRequest(e.Context, &logical.Request{ Operation: logical.UpdateOperation, Path: "roles/" + e.RoleName, @@ -315,6 +333,36 @@ func (e *testEnv) writeRoleWithZoneToBackend(t *testing.T, configString venafiCo } } +func (e *testEnv) writeRoleWithPreventIssuanceToBackend(t *testing.T, configString venafiConfigString) { + roleData, err := makeConfig(configString) + if err != nil { + t.Fatal(err) + } + roleData = copyMap(roleData) + + //Adding Venafi secret reference to Role + roleData["venafi_secret"] = e.VenafiSecretName + + ttl := strconv.Itoa(role_ttl_test_property) + "h" + roleData["ttl"] = ttl + roleData["issuer_hint"] = util.IssuerHintMicrosoft + + resp, err := e.Backend.HandleRequest(e.Context, &logical.Request{ + Operation: logical.UpdateOperation, + Path: "roles/" + e.RoleName, + Storage: e.Storage, + Data: roleData, + }) + + if err != nil { + t.Fatal(err) + } + + if resp != nil && resp.IsError() { + t.Fatalf("failed to create role, %#v", resp) + } +} + func (e *testEnv) failToWriteRoleToBackend(t *testing.T, configString venafiConfigString) { roleData, err := makeConfig(configString) if err != nil { @@ -1817,6 +1865,201 @@ func (e *testEnv) TokenEnrollWithVenafiSecretZone(t *testing.T) { e.IssueCertificateAndSaveSerial(t, data, config) } +func (e *testEnv) PreventReissuance(t *testing.T, data testData, config venafiConfigString) { + + randString := e.TestRandString + domain := "vfidev.com" + data.cn = randString + "." + domain + data.dnsNS = "alt-" + data.cn + data.storeBy = "serial" + data.storePkey = true + + e.writeVenafiToBackend(t, config) + e.writeRoleToBackendWithData(t, config, data) + e.IssueCertificateAndSaveSerial(t, data, config) + currentCertificateSerial := e.CertificateSerial + e.IssueCertificateAndSaveSerial(t, data, config) + nextCertificateSerial := e.CertificateSerial + if currentCertificateSerial != nextCertificateSerial { + // means that we went to issue another certificate which shouldn't have happened + // as we intend to present the one in storage + t.Fatal("The serials are different") + } +} + +func (e *testEnv) PreventReissuanceCNwithExtraSANDNS(t *testing.T, data testData, config venafiConfigString) { + + randString := e.TestRandString + domain := "vfidev.com" + data.cn = randString + "." + domain + data.dnsNS = "alt-" + data.cn + data.storeBy = "serial" + data.storePkey = true + + e.writeVenafiToBackend(t, config) + e.writeRoleToBackendWithData(t, config, data) + e.IssueCertificateAndSaveSerial(t, data, config) + currentCertificateSerial := e.CertificateSerial + data.dnsNS = data.dnsNS + ",alt2-" + data.cn + e.IssueCertificateAndSaveSerial(t, data, config) + nextCertificateSerial := e.CertificateSerial + if currentCertificateSerial == nextCertificateSerial { + // since a new SAN DNS was provided in second run, we should have issued + // another certificate, so serials should be different + t.Fatal("The serials are equal") + } +} + +func (e *testEnv) PreventReissuanceCNandRemovingSANDNS(t *testing.T, data testData, config venafiConfigString) { + + randString := e.TestRandString + domain := "vfidev.com" + data.cn = randString + "." + domain + data.dnsNS = "alt-" + data.cn + ",alt2-" + data.cn + ",alt3-" + data.cn + data.storeBy = "serial" + data.storePkey = true + + e.writeVenafiToBackend(t, config) + e.writeRoleToBackendWithData(t, config, data) + e.IssueCertificateAndSaveSerial(t, data, config) + currentCertificateSerial := e.CertificateSerial + data.dnsNS = "alt-" + data.cn + ",alt2-" + data.cn + e.IssueCertificateAndSaveSerial(t, data, config) + nextCertificateSerial := e.CertificateSerial + if currentCertificateSerial == nextCertificateSerial { + // since SAN DNS was removed in second run, we should have issued + // another certificate, so serials should be different + t.Fatal("The serials are equal") + } +} + +func (e *testEnv) PreventReissuanceCNnoSANSDNS(t *testing.T, data testData, config venafiConfigString) { + + randString := e.TestRandString + domain := "vfidev.com" + data.cn = randString + "." + domain + data.storeBy = "serial" + data.storePkey = true + + e.writeVenafiToBackend(t, config) + e.writeRoleToBackendWithData(t, config, data) + e.IssueCertificateAndSaveSerial(t, data, config) + currentCertificateSerial := e.CertificateSerial + e.IssueCertificateAndSaveSerial(t, data, config) + nextCertificateSerial := e.CertificateSerial + if currentCertificateSerial != nextCertificateSerial { + // means that we went to issue another certificate which shouldn't have happened + // as we intend to present the one in storage + t.Fatal("The serials are different") + } +} + +func (e *testEnv) PreventReissuanceTTLnotValid(t *testing.T, data testData, config venafiConfigString) { + + randString := e.TestRandString + domain := "vfidev.com" + data.cn = randString + "." + domain + data.dnsNS = "alt-" + data.cn + data.storeBy = "serial" + data.storePkey = true + + e.writeVenafiToBackend(t, config) + e.writeRoleToBackendWithData(t, config, data) + e.IssueCertificateAndSaveSerial(t, data, config) + currentCertificateSerial := e.CertificateSerial + e.IssueCertificateAndSaveSerial(t, data, config) + nextCertificateSerial := e.CertificateSerial + if currentCertificateSerial == nextCertificateSerial { + // since TTL is less than time we consider a certificate to be valid, we should have issued + // another certificate, so serials should be different + t.Fatal("The serials are equal") + } +} + +func (e *testEnv) PreventReissuanceTTLvalid(t *testing.T, data testData, config venafiConfigString) { + + randString := e.TestRandString + domain := "vfidev.com" + data.cn = randString + "." + domain + data.dnsNS = "alt-" + data.cn + data.storeBy = "serial" + data.storePkey = true + + e.writeVenafiToBackend(t, config) + e.writeRoleToBackendWithData(t, config, data) + e.IssueCertificateAndSaveSerial(t, data, config) + currentCertificateSerial := e.CertificateSerial + e.IssueCertificateAndSaveSerial(t, data, config) + nextCertificateSerial := e.CertificateSerial + if currentCertificateSerial != nextCertificateSerial { + // since TTL is within than time we consider a certificate to be valid, we should have not issued + // another certificate, so serials should be equal + t.Fatal("The serials are different") + } +} + +func (e *testEnv) PreventReissuanceCNwithThreeSANDNS(t *testing.T, data testData, config venafiConfigString) { + + randString := e.TestRandString + domain := "vfidev.com" + data.cn = randString + "." + domain + data.dnsNS = "alt-" + data.cn + "," + "alt2-" + data.cn + "," + "alt3" + data.cn + data.storeBy = "serial" + data.storePkey = true + + e.writeVenafiToBackend(t, config) + e.writeRoleToBackendWithData(t, config, data) + e.IssueCertificateAndSaveSerial(t, data, config) + currentCertificateSerial := e.CertificateSerial + e.IssueCertificateAndSaveSerial(t, data, config) + nextCertificateSerial := e.CertificateSerial + if currentCertificateSerial != nextCertificateSerial { + t.Fatal("The serials are different") + } +} + +func (e *testEnv) PreventReissuanceCNwithDifferentCNandThreeSANDNS(t *testing.T, data testData, config venafiConfigString) { + + randString := e.TestRandString + domain := "vfidev.com" + data.cn = randString + "." + domain + data.dnsNS = "alt-" + data.cn + "," + "alt2-" + data.cn + "," + "alt3" + data.cn + data.storeBy = "serial" + data.storePkey = true + + e.writeVenafiToBackend(t, config) + e.writeRoleToBackendWithData(t, config, data) + e.IssueCertificateAndSaveSerial(t, data, config) + currentCertificateSerial := e.CertificateSerial + data.cn = e.TestRandString + e.IssueCertificateAndSaveSerial(t, data, config) + nextCertificateSerial := e.CertificateSerial + if currentCertificateSerial == nextCertificateSerial { + t.Fatal("The serials are equal") + } +} + +func (e *testEnv) PreventReissuanceCNwithNoCNandThreeSANDNS(t *testing.T, data testData, config venafiConfigString) { + + randString := e.TestRandString + domain := "vfidev.com" + commonName := randString + "." + domain + data.cn = "" + data.dnsNS = "alt-" + commonName + "," + "alt2-" + commonName + "," + "alt3" + commonName + data.storeBy = "serial" + data.storePkey = true + + e.writeVenafiToBackend(t, config) + e.writeRoleToBackendWithData(t, config, data) + e.IssueCertificateAndSaveSerial(t, data, config) + currentCertificateSerial := e.CertificateSerial + e.IssueCertificateAndSaveSerial(t, data, config) + nextCertificateSerial := e.CertificateSerial + if currentCertificateSerial != nextCertificateSerial { + t.Fatal("The serials are different") + } +} + func checkStandardCert(t *testing.T, data testData) { var err error log.Println("Testing certificate:", data.cert) @@ -1851,7 +2094,13 @@ func checkStandardCert(t *testing.T, data testData) { t.Fatalf("Certificate common name expected to be %s but actualy it is %s", parsedCertificate.Subject.CommonName, data.cn) } - wantDNSNames := []string{data.dnsNS} + // since data.dnsNS is a string as is being copying the behaviour + // of the entry data, then it means it should have a string with values + // separated by commas + var wantDNSNames []string + if data.dnsNS != "" { + wantDNSNames = strings.Split(data.dnsNS, ",") + } if data.dnsIP != "" { wantDNSNames = append(wantDNSNames, data.dnsIP) @@ -1865,8 +2114,12 @@ func checkStandardCert(t *testing.T, data testData) { ips = append(ips, net.ParseIP(data.dnsIP)) } - if !areDNSNamesCorrect(parsedCertificate.DNSNames, []string{data.cn}, wantDNSNames) { - t.Fatalf("Certificate Subject Alternative Names %v doesn't match to requested %v", parsedCertificate.DNSNames, wantDNSNames) + // since we allow setting only the CN (although the CN will be added to the SANs) during the request and we intend to + // validate data only passed during the request, we make sure is not empty before passing the validation + if len(wantDNSNames) > 0 { + if !areDNSNamesCorrect(parsedCertificate.DNSNames, []string{data.cn}, wantDNSNames) { + t.Fatalf("Certificate Subject Alternative Names %v doesn't match to requested %v", parsedCertificate.DNSNames, wantDNSNames) + } } if !SameIpSlice(ips, parsedCertificate.IPAddresses) { diff --git a/plugin/pki/path_venafi_cert_enroll.go b/plugin/pki/path_venafi_cert_enroll.go index e6fa3558..983c6bc7 100644 --- a/plugin/pki/path_venafi_cert_enroll.go +++ b/plugin/pki/path_venafi_cert_enroll.go @@ -504,13 +504,11 @@ func preventReissue(b *backend, ctx context.Context, req *logical.Request, reqDa DNS: reqData.altNames, } // During search, if VaaS doesn't provide the CN and the CIT restricts the CN, then we will return an error since it's not supported. - if (*cl).GetType() == endpoint.ConnectorTypeTPP { - // if the CN is not inside the SAN DNS List, we added in order to search for since this functionality - // is also added formRequest function of this package - if !sliceContains(sans.DNS, commonName) && commonName != "" { // Go can compare if en empty string exist in the slice, so we omit that case - b.Logger().Debug(fmt.Sprintf("Adding CN %s to SAN %s because it wasn't included.", reqData.commonName, reqData.altNames)) - sans.DNS = append(sans.DNS, commonName) - } + // if the CN is not inside the SAN DNS List, we added in order to search for since this functionality + // is also added formRequest function of this package + if !sliceContains(sans.DNS, commonName) && commonName != "" { // Go can compare if en empty string exist in the slice, so we omit that case + b.Logger().Debug(fmt.Sprintf("Adding CN %s to SAN %s because it wasn't included.", reqData.commonName, reqData.altNames)) + sans.DNS = append(sans.DNS, commonName) } certInfo, err = (*cl).SearchCertificate(cfg.Zone, commonName, sans, role.MinCertTimeLeft) diff --git a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/connector.go b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/connector.go index dd400922..f55d69da 100644 --- a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/connector.go +++ b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/connector.go @@ -27,7 +27,6 @@ import ( "fmt" "io/ioutil" "log" - "math" "net/http" netUrl "net/url" "regexp" @@ -100,39 +99,16 @@ func (c *Connector) SearchCertificates(req *certificate.SearchRequest) (*certifi } func (c *Connector) SearchCertificate(zone string, cn string, sans *certificate.Sans, certMinTimeLeft time.Duration) (certificateInfo *certificate.CertificateInfo, err error) { + // retrieve application name from zone appName := getAppNameFromZone(zone) - // get application id + // get application id from name app, _, err := c.getAppDetailsByName(appName) if err != nil { return nil, err } - // convert a time.Duration to days - certMinTimeDays := math.Floor(certMinTimeLeft.Hours() / 24) - // format arguments for request - req := &SearchRequest{ - Expression: &Expression{ - Operator: AND, - Operands: []Operand{ - { - Field: "subjectCN", - Operator: EQ, - Value: cn, - }, - { - Field: "subjectAlternativeNameDns", - Operator: IN, - Values: sans.DNS, - }, - { - Field: "validityPeriodDays", - Operator: GTE, - Value: certMinTimeDays, - }, - }, - }, - } + req := formatSearchCertificateArguments(cn, sans, certMinTimeLeft) // perform request searchResult, err := c.searchCertificates(req) @@ -145,13 +121,10 @@ func (c *Connector) SearchCertificate(zone string, cn string, sans *certificate. return nil, verror.NoCertificateFoundError } - // map (convert) response to an array of CertificateInfo, TODO: only add - // those certificates whose Zone matches ours + // map (convert) response to an array of CertificateInfo certificates := make([]*certificate.CertificateInfo, 0) n := 0 for _, cert := range searchResult.Certificates { - // log.Printf("looping %v\n", util.GetJsonAsString(cert)) - // TODO: filter based on applicationId (VaaS equivalent to TPP Zone) if util.ArrayContainsString(cert.ApplicationIds, app.ApplicationId) { match := cert.ToCertificateInfo() certificates = append(certificates, &match) diff --git a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/search.go b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/search.go index 36e83dc6..307af8d5 100644 --- a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/search.go +++ b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/search.go @@ -21,6 +21,7 @@ import ( "fmt" "github.com/Venafi/vcert/v4/pkg/certificate" "log" + "math" "net/http" "strings" "time" @@ -165,3 +166,47 @@ func getAppNameFromZone(zone string) string { return zone[:lastSlash] } + +func formatSearchCertificateArguments(cn string, sans *certificate.Sans, certMinTimeLeft time.Duration) *SearchRequest { + // convert a time.Duration to days + certMinTimeDays := math.Floor(certMinTimeLeft.Hours() / 24) + + // generate base request + req := &SearchRequest{ + Expression: &Expression{ + Operator: AND, + Operands: []Operand{ + { + Field: "validityPeriodDays", + Operator: GTE, + Value: certMinTimeDays, + }, + }, + }, + } + + // only if a list of SANS-DNS is provided, we add the field to the search request + if sans != nil && sans.DNS != nil { + addOperand(req, Operand{ + Field: "subjectAlternativeNameDns", + Operator: IN, + Values: sans.DNS, + }) + } + + // only if a CN is provided, we add the field to the search request + if cn != "" { + addOperand(req, Operand{ + Field: "subjectCN", + Operator: EQ, + Value: cn, + }) + } + + return req +} + +func addOperand(req *SearchRequest, o Operand) *SearchRequest { + req.Expression.Operands = append(req.Expression.Operands, o) + return req +} diff --git a/vendor/modules.txt b/vendor/modules.txt index ee5259b9..e87c6bf0 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1,6 +1,6 @@ # github.com/Venafi/vcert v3.18.4+incompatible github.com/Venafi/vcert/test -# github.com/Venafi/vcert/v4 v4.22.0 +# github.com/Venafi/vcert/v4 v4.22.1-0.20220908212350-161a49f29bfe github.com/Venafi/vcert/v4 github.com/Venafi/vcert/v4/pkg/certificate github.com/Venafi/vcert/v4/pkg/endpoint From eb31ef9f61458114f26da4a6dafd4aea7f86f9c4 Mon Sep 17 00:00:00 2001 From: Luis Presuel Date: Fri, 9 Sep 2022 18:20:36 -0500 Subject: [PATCH 2/2] Points to VCert new version --- CHANGELOG.md | 3 ++ go.mod | 2 +- go.sum | 4 +- .../Venafi/vcert/v4/pkg/endpoint/endpoint.go | 1 + .../vcert/v4/pkg/venafi/cloud/connector.go | 4 ++ .../vcert/v4/pkg/venafi/cloud/search.go | 2 +- .../vcert/v4/pkg/venafi/fake/connector.go | 4 ++ .../vcert/v4/pkg/venafi/tpp/connector.go | 51 ++++++++++++++++++- .../Venafi/vcert/v4/pkg/venafi/tpp/tpp.go | 19 ++++++- vendor/modules.txt | 2 +- 10 files changed, 85 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fee0ef28..5f42106b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +# v0.10.6 (September 9, 2022) +Adds bug fix for Prevent-reissue feature to work on VaaS + # v0.10.5 (August 30, 2022) Added feature in order to prevent an issuance of the certificate if it is already inside Vault storage diff --git a/go.mod b/go.mod index 139622f8..01b9987e 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.13 require ( github.com/Venafi/vcert v3.18.4+incompatible - github.com/Venafi/vcert/v4 v4.22.1-0.20220908212350-161a49f29bfe + github.com/Venafi/vcert/v4 v4.22.1 github.com/hashicorp/go-hclog v0.14.1 github.com/hashicorp/vault/api v1.0.4 github.com/hashicorp/vault/sdk v0.1.13 diff --git a/go.sum b/go.sum index d4b2e620..340dec7c 100644 --- a/go.sum +++ b/go.sum @@ -16,8 +16,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/Venafi/vcert v3.18.4+incompatible h1:mDXSjd+EpXa8YEkEo9Oad19E270aiPJJMhjoKs63b+8= github.com/Venafi/vcert v3.18.4+incompatible/go.mod h1:3dpfrCI+31cDZosD+1UX8GFziVFORaegByXtzT1dwNo= -github.com/Venafi/vcert/v4 v4.22.1-0.20220908212350-161a49f29bfe h1:rwsBBrmmbsc2sdcHhBMMRT2ZHpC9Hcdoq2sj+nArkw0= -github.com/Venafi/vcert/v4 v4.22.1-0.20220908212350-161a49f29bfe/go.mod h1:4Nec3twWisOdS1unpDZ93sfau9eVSDS8Ot+Ry/gg0es= +github.com/Venafi/vcert/v4 v4.22.1 h1:31A8mV0DAis5qn1cfUCU9eODjALNmZKKx9I9wDOIXZM= +github.com/Venafi/vcert/v4 v4.22.1/go.mod h1:4Nec3twWisOdS1unpDZ93sfau9eVSDS8Ot+Ry/gg0es= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= diff --git a/vendor/github.com/Venafi/vcert/v4/pkg/endpoint/endpoint.go b/vendor/github.com/Venafi/vcert/v4/pkg/endpoint/endpoint.go index bc2cd2ad..5837afdd 100644 --- a/vendor/github.com/Venafi/vcert/v4/pkg/endpoint/endpoint.go +++ b/vendor/github.com/Venafi/vcert/v4/pkg/endpoint/endpoint.go @@ -119,6 +119,7 @@ type Connector interface { SearchCertificate(zone string, cn string, sans *certificate.Sans, certMinTimeLeft time.Duration) (*certificate.CertificateInfo, error) RetrieveAvailableSSHTemplates() ([]certificate.SshAvaliableTemplate, error) RetrieveCertificateMetaData(dn string) (*certificate.CertificateMetaData, error) + RetrieveSystemVersion() (string, error) } type Filter struct { diff --git a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/connector.go b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/connector.go index f55d69da..4b55fc85 100644 --- a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/connector.go +++ b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/connector.go @@ -241,6 +241,10 @@ func (c *Connector) RetrieveAvailableSSHTemplates() (response []certificate.SshA panic("operation is not supported yet") } +func (c *Connector) RetrieveSystemVersion() (response string, err error) { + panic("operation is not supported yet") +} + func (c *Connector) GetPolicyWithRegex(name string) (*policy.PolicySpecification, error) { cit, err := retrievePolicySpecification(c, name) diff --git a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/search.go b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/search.go index 307af8d5..6cc33b63 100644 --- a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/search.go +++ b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/search.go @@ -167,6 +167,7 @@ func getAppNameFromZone(zone string) string { return zone[:lastSlash] } +// TODO: test this function func formatSearchCertificateArguments(cn string, sans *certificate.Sans, certMinTimeLeft time.Duration) *SearchRequest { // convert a time.Duration to days certMinTimeDays := math.Floor(certMinTimeLeft.Hours() / 24) @@ -185,7 +186,6 @@ func formatSearchCertificateArguments(cn string, sans *certificate.Sans, certMin }, } - // only if a list of SANS-DNS is provided, we add the field to the search request if sans != nil && sans.DNS != nil { addOperand(req, Operand{ Field: "subjectAlternativeNameDns", diff --git a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/fake/connector.go b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/fake/connector.go index 779bdb33..305b75fa 100644 --- a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/fake/connector.go +++ b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/fake/connector.go @@ -71,6 +71,10 @@ func (c *Connector) RetrieveAvailableSSHTemplates() (response []certificate.SshA panic("operation is not supported yet") } +func (c *Connector) RetrieveSystemVersion() (response string, err error) { + panic("operation is not supported yet") +} + func (c *Connector) GetPolicy(name string) (*policy.PolicySpecification, error) { caName := "\\VED\\Policy\\Certificate Authorities\\TEST CA\\QA Test CA - Server 90 Days" diff --git a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/tpp/connector.go b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/tpp/connector.go index cefd2652..598b0ca6 100644 --- a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/tpp/connector.go +++ b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/tpp/connector.go @@ -43,6 +43,7 @@ type Connector struct { apiKey string accessToken string verbose bool + Identity identity trust *x509.CertPool zone string client *http.Client @@ -141,6 +142,13 @@ func (c *Connector) Authenticate(auth *endpoint.Authentication) (err error) { resp := result.(authorizeResponse) c.apiKey = resp.APIKey + + if c.client != nil { + c.Identity, err = c.retrieveSelfIdentity() + if err != nil { + return err + } + } return nil } else if auth.RefreshToken != "" { @@ -153,10 +161,23 @@ func (c *Connector) Authenticate(auth *endpoint.Authentication) (err error) { resp := result.(OauthRefreshAccessTokenResponse) c.accessToken = resp.Access_token auth.RefreshToken = resp.Refresh_token + if c.client != nil { + c.Identity, err = c.retrieveSelfIdentity() + if err != nil { + return err + } + } return nil } else if auth.AccessToken != "" { c.accessToken = auth.AccessToken + + if c.client != nil { + c.Identity, err = c.retrieveSelfIdentity() + if err != nil { + return err + } + } return nil } return fmt.Errorf("failed to authenticate: can't determine valid credentials set") @@ -413,8 +434,36 @@ func (c *Connector) requestMetadataItems(dn string) ([]metadataKeyValueSet, erro return response.Data, err } +// Retrieve user's self identity +func (c *Connector) retrieveSelfIdentity() (response identity, err error) { + + var respIndentities = &identitiesResponse{} + + statusCode, statusText, body, err := c.request("GET", urlRetrieveSelfIdentity, nil) + if err != nil { + log.Printf("Failed to get the used user. Error: %v", err) + return identity{}, err + } + log.Printf("Status code: %d", statusCode) + + switch statusCode { + case http.StatusOK: + err = json.Unmarshal(body, respIndentities) + if err != nil { + return identity{}, fmt.Errorf("failed to parse identity response: %s, body: %s", err, body) + } + + if (respIndentities != nil) && (len(respIndentities.Identities) > 0) { + return respIndentities.Identities[0], nil + } + case http.StatusUnauthorized: + return identity{}, verror.AuthError + } + return identity{}, fmt.Errorf("failed to get Self. Status code: %d, Status text: %s", statusCode, statusText) +} + // requestSystemVersion returns the TPP system version of the connector context -func (c *Connector) requestSystemVersion() (string, error) { +func (c *Connector) RetrieveSystemVersion() (string, error) { statusCode, status, body, err := c.request("GET", urlResourceSystemStatusVersion, "") if err != nil { return "", err diff --git a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/tpp/tpp.go b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/tpp/tpp.go index ae183f29..59a8b5d4 100644 --- a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/tpp/tpp.go +++ b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/tpp/tpp.go @@ -23,7 +23,6 @@ import ( "encoding/base64" "encoding/json" "fmt" - "github.com/Venafi/vcert/v4/pkg/policy" "io" "io/ioutil" "log" @@ -33,6 +32,8 @@ import ( "strings" "time" + "github.com/Venafi/vcert/v4/pkg/policy" + "github.com/Venafi/vcert/v4/pkg/certificate" "github.com/Venafi/vcert/v4/pkg/endpoint" ) @@ -198,6 +199,7 @@ type oauthGetRefreshTokenRequest struct { type OauthGetRefreshTokenResponse struct { Access_token string `json:"access_token,omitempty"` Expires int `json:"expires,omitempty"` + ExpiresIn int `json:"expires_in,omitempty"` //Attribute added as it's used on vSSH Identity string `json:"identity,omitempty"` Refresh_token string `json:"refresh_token,omitempty"` Refresh_until int `json:"refresh_until,omitempty"` @@ -319,6 +321,20 @@ type findObjectsOfClassResponse struct { PolicyObjects []policyObject `json:"Objects,omitempty"` } +type identitiesResponse struct { + Identities []identity `json:"Identities"` +} + +type identity struct { + FullName string `json:"FullName"` + Name string `json:"Name"` + Prefix string `json:"Prefix"` + PrefixedName string `json:"PrefixedName"` + PrefixedUniversal string `json:"PrefixedUniversal"` + Type int `json:"Type"` + Universal string `json:"Universal"` +} + type systemStatusVersionResponse string type urlResource string @@ -349,6 +365,7 @@ const ( urlResourceAllMetadataGet urlResource = "vedsdk/metadata/getitems" urlResourceMetadataGet urlResource = "vedsdk/metadata/get" urlResourceSystemStatusVersion urlResource = "vedsdk/systemstatus/version" + urlRetrieveSelfIdentity urlResource = "vedsdk/Identity/Self" urlResourceCreatePolicy urlResource = "vedsdk/Config/Create" urlResourceWritePolicy urlResource = "vedsdk/Config/WritePolicy" urlResourceReadPolicy urlResource = "vedsdk/Config/ReadPolicy" diff --git a/vendor/modules.txt b/vendor/modules.txt index e87c6bf0..02fc68a2 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1,6 +1,6 @@ # github.com/Venafi/vcert v3.18.4+incompatible github.com/Venafi/vcert/test -# github.com/Venafi/vcert/v4 v4.22.1-0.20220908212350-161a49f29bfe +# github.com/Venafi/vcert/v4 v4.22.1 github.com/Venafi/vcert/v4 github.com/Venafi/vcert/v4/pkg/certificate github.com/Venafi/vcert/v4/pkg/endpoint