From eb31ef9f61458114f26da4a6dafd4aea7f86f9c4 Mon Sep 17 00:00:00 2001
From: Luis Presuel
Date: Fri, 9 Sep 2022 18:20:36 -0500
Subject: [PATCH] Points to VCert new version

---
 CHANGELOG.md | 3 ++
 go.mod | 2 +-
 go.sum | 4 +-
 .../Venafi/vcert/v4/pkg/endpoint/endpoint.go | 1 +
 .../vcert/v4/pkg/venafi/cloud/connector.go | 4 ++
 .../vcert/v4/pkg/venafi/cloud/search.go | 2 +-
 .../vcert/v4/pkg/venafi/fake/connector.go | 4 ++
 .../vcert/v4/pkg/venafi/tpp/connector.go | 51 ++++++++++++++++++-
 .../Venafi/vcert/v4/pkg/venafi/tpp/tpp.go | 19 ++++++-
 vendor/modules.txt | 2 +-
 10 files changed, 85 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index fee0ef28..5f42106b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@
+# v0.10.6 (September 9, 2022)
+Adds bug fix for Prevent-reissue feature to work on VaaS
+
 # v0.10.5 (August 30, 2022)
 Added feature in order to prevent an issuance of the certificate if it is already inside Vault storage
 
diff --git a/go.mod b/go.mod
index 139622f8..01b9987e 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.13
 
 require (
 	github.com/Venafi/vcert v3.18.4+incompatible
-	github.com/Venafi/vcert/v4 v4.22.1-0.20220908212350-161a49f29bfe
+	github.com/Venafi/vcert/v4 v4.22.1
 	github.com/hashicorp/go-hclog v0.14.1
 	github.com/hashicorp/vault/api v1.0.4
 	github.com/hashicorp/vault/sdk v0.1.13
diff --git a/go.sum b/go.sum
index d4b2e620..340dec7c 100644
--- a/go.sum
+++ b/go.sum
@@ -16,8 +16,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/Venafi/vcert v3.18.4+incompatible h1:mDXSjd+EpXa8YEkEo9Oad19E270aiPJJMhjoKs63b+8=
 github.com/Venafi/vcert v3.18.4+incompatible/go.mod h1:3dpfrCI+31cDZosD+1UX8GFziVFORaegByXtzT1dwNo=
-github.com/Venafi/vcert/v4 v4.22.1-0.20220908212350-161a49f29bfe h1:rwsBBrmmbsc2sdcHhBMMRT2ZHpC9Hcdoq2sj+nArkw0=
-github.com/Venafi/vcert/v4 v4.22.1-0.20220908212350-161a49f29bfe/go.mod h1:4Nec3twWisOdS1unpDZ93sfau9eVSDS8Ot+Ry/gg0es=
+github.com/Venafi/vcert/v4 v4.22.1 h1:31A8mV0DAis5qn1cfUCU9eODjALNmZKKx9I9wDOIXZM=
+github.com/Venafi/vcert/v4 v4.22.1/go.mod h1:4Nec3twWisOdS1unpDZ93sfau9eVSDS8Ot+Ry/gg0es=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
diff --git a/vendor/github.com/Venafi/vcert/v4/pkg/endpoint/endpoint.go b/vendor/github.com/Venafi/vcert/v4/pkg/endpoint/endpoint.go
index bc2cd2ad..5837afdd 100644
--- a/vendor/github.com/Venafi/vcert/v4/pkg/endpoint/endpoint.go
+++ b/vendor/github.com/Venafi/vcert/v4/pkg/endpoint/endpoint.go
@@ -119,6 +119,7 @@ type Connector interface {
 	SearchCertificate(zone string, cn string, sans *certificate.Sans, certMinTimeLeft time.Duration) (*certificate.CertificateInfo, error)
 	RetrieveAvailableSSHTemplates() ([]certificate.SshAvaliableTemplate, error)
 	RetrieveCertificateMetaData(dn string) (*certificate.CertificateMetaData, error)
+	RetrieveSystemVersion() (string, error)
 }
 
 type Filter struct {
diff --git a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/connector.go b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/connector.go
index f55d69da..4b55fc85 100644
--- a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/connector.go
+++ b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/connector.go
@@ -241,6 +241,10 @@ func (c *Connector) RetrieveAvailableSSHTemplates() (response []certificate.SshA
 	panic("operation is not supported yet")
 }
 
+func (c *Connector) RetrieveSystemVersion() (response string, err error) {
+	panic("operation is not supported yet")
+}
+
 func (c *Connector) GetPolicyWithRegex(name string) (*policy.PolicySpecification, error) {
 	cit, err := retrievePolicySpecification(c, name)
 
diff --git a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/search.go b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/search.go
index 307af8d5..6cc33b63 100644
--- a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/search.go
+++ b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/cloud/search.go
@@ -167,6 +167,7 @@ func getAppNameFromZone(zone string) string {
 	return zone[:lastSlash]
 }
 
+// TODO: test this function
 func formatSearchCertificateArguments(cn string, sans *certificate.Sans, certMinTimeLeft time.Duration) *SearchRequest {
 	// convert a time.Duration to days
 	certMinTimeDays := math.Floor(certMinTimeLeft.Hours() / 24)
@@ -185,7 +186,6 @@ func formatSearchCertificateArguments(cn string, sans *certificate.Sans, certMin
 		},
 	}
 
-	// only if a list of SANS-DNS is provided, we add the field to the search request
 	if sans != nil && sans.DNS != nil {
 		addOperand(req, Operand{
 			Field: "subjectAlternativeNameDns",
diff --git a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/fake/connector.go b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/fake/connector.go
index 779bdb33..305b75fa 100644
--- a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/fake/connector.go
+++ b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/fake/connector.go
@@ -71,6 +71,10 @@ func (c *Connector) RetrieveAvailableSSHTemplates() (response []certificate.SshA
 	panic("operation is not supported yet")
 }
 
+func (c *Connector) RetrieveSystemVersion() (response string, err error) {
+	panic("operation is not supported yet")
+}
+
 func (c *Connector) GetPolicy(name string) (*policy.PolicySpecification, error) {
 	caName := "\\VED\\Policy\\Certificate Authorities\\TEST CA\\QA Test CA - Server 90 Days"
 
diff --git a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/tpp/connector.go b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/tpp/connector.go
index cefd2652..598b0ca6 100644
--- a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/tpp/connector.go
+++ b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/tpp/connector.go
@@ -43,6 +43,7 @@ type Connector struct {
 	apiKey string
 	accessToken string
 	verbose bool
+	Identity identity
 	trust *x509.CertPool
 	zone string
 	client *http.Client
@@ -141,6 +142,13 @@ func (c *Connector) Authenticate(auth *endpoint.Authentication) (err error) {
 
 		resp := result.(authorizeResponse)
 		c.apiKey = resp.APIKey
+
+		if c.client != nil {
+			c.Identity, err = c.retrieveSelfIdentity()
+			if err != nil {
+				return err
+			}
+		}
 		return nil
 
 	} else if auth.RefreshToken != "" {
@@ -153,10 +161,23 @@ func (c *Connector) Authenticate(auth *endpoint.Authentication) (err error) {
 		resp := result.(OauthRefreshAccessTokenResponse)
 		c.accessToken = resp.Access_token
 		auth.RefreshToken = resp.Refresh_token
+		if c.client != nil {
+			c.Identity, err = c.retrieveSelfIdentity()
+			if err != nil {
+				return err
+			}
+		}
 		return nil
 
 	} else if auth.AccessToken != "" {
 		c.accessToken = auth.AccessToken
+
+		if c.client != nil {
+			c.Identity, err = c.retrieveSelfIdentity()
+			if err != nil {
+				return err
+			}
+		}
 		return nil
 	}
 	return fmt.Errorf("failed to authenticate: can't determine valid credentials set")
@@ -413,8 +434,36 @@ func (c *Connector) requestMetadataItems(dn string) ([]metadataKeyValueSet, erro
 	return response.Data, err
 }
 
+// Retrieve user's self identity
+func (c *Connector) retrieveSelfIdentity() (response identity, err error) {
+
+	var respIndentities = &identitiesResponse{}
+
+	statusCode, statusText, body, err := c.request("GET", urlRetrieveSelfIdentity, nil)
+	if err != nil {
+		log.Printf("Failed to get the used user. Error: %v", err)
+		return identity{}, err
+	}
+	log.Printf("Status code: %d", statusCode)
+
+	switch statusCode {
+	case http.StatusOK:
+		err = json.Unmarshal(body, respIndentities)
+		if err != nil {
+			return identity{}, fmt.Errorf("failed to parse identity response: %s, body: %s", err, body)
+		}
+
+		if (respIndentities != nil) && (len(respIndentities.Identities) > 0) {
+			return respIndentities.Identities[0], nil
+		}
+	case http.StatusUnauthorized:
+		return identity{}, verror.AuthError
+	}
+	return identity{}, fmt.Errorf("failed to get Self. Status code: %d, Status text: %s", statusCode, statusText)
+}
+
 // requestSystemVersion returns the TPP system version of the connector context
-func (c *Connector) requestSystemVersion() (string, error) {
+func (c *Connector) RetrieveSystemVersion() (string, error) {
 	statusCode, status, body, err := c.request("GET", urlResourceSystemStatusVersion, "")
 	if err != nil {
 		return "", err
diff --git a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/tpp/tpp.go b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/tpp/tpp.go
index ae183f29..59a8b5d4 100644
--- a/vendor/github.com/Venafi/vcert/v4/pkg/venafi/tpp/tpp.go
+++ b/vendor/github.com/Venafi/vcert/v4/pkg/venafi/tpp/tpp.go
@@ -23,7 +23,6 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"github.com/Venafi/vcert/v4/pkg/policy"
 	"io"
 	"io/ioutil"
 	"log"
@@ -33,6 +32,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/Venafi/vcert/v4/pkg/policy"
+
 	"github.com/Venafi/vcert/v4/pkg/certificate"
 	"github.com/Venafi/vcert/v4/pkg/endpoint"
 )
@@ -198,6 +199,7 @@ type oauthGetRefreshTokenRequest struct {
 type OauthGetRefreshTokenResponse struct {
 	Access_token string `json:"access_token,omitempty"`
 	Expires int `json:"expires,omitempty"`
+	ExpiresIn int `json:"expires_in,omitempty"` //Attribute added as it's used on vSSH
 	Identity string `json:"identity,omitempty"`
 	Refresh_token string `json:"refresh_token,omitempty"`
 	Refresh_until int `json:"refresh_until,omitempty"`
@@ -319,6 +321,20 @@ type findObjectsOfClassResponse struct {
 	PolicyObjects []policyObject `json:"Objects,omitempty"`
 }
 
+type identitiesResponse struct {
+	Identities []identity `json:"Identities"`
+}
+
+type identity struct {
+	FullName string `json:"FullName"`
+	Name string `json:"Name"`
+	Prefix string `json:"Prefix"`
+	PrefixedName string `json:"PrefixedName"`
+	PrefixedUniversal string `json:"PrefixedUniversal"`
+	Type int `json:"Type"`
+	Universal string `json:"Universal"`
+}
+
 type systemStatusVersionResponse string
 
 type urlResource string
@@ -349,6 +365,7 @@ const (
 	urlResourceAllMetadataGet urlResource = "vedsdk/metadata/getitems"
 	urlResourceMetadataGet urlResource = "vedsdk/metadata/get"
 	urlResourceSystemStatusVersion urlResource = "vedsdk/systemstatus/version"
+	urlRetrieveSelfIdentity urlResource = "vedsdk/Identity/Self"
 	urlResourceCreatePolicy urlResource = "vedsdk/Config/Create"
 	urlResourceWritePolicy urlResource = "vedsdk/Config/WritePolicy"
 	urlResourceReadPolicy urlResource = "vedsdk/Config/ReadPolicy"
diff --git a/vendor/modules.txt b/vendor/modules.txt
index e87c6bf0..02fc68a2 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1,6 +1,6 @@
 # github.com/Venafi/vcert v3.18.4+incompatible
 github.com/Venafi/vcert/test
-# github.com/Venafi/vcert/v4 v4.22.1-0.20220908212350-161a49f29bfe
+# github.com/Venafi/vcert/v4 v4.22.1
 github.com/Venafi/vcert/v4
 github.com/Venafi/vcert/v4/pkg/certificate
 github.com/Venafi/vcert/v4/pkg/endpoint