From 131a5242552efe051ac0d3679979d70c6a276c9c Mon Sep 17 00:00:00 2001 From: Tim Ramlot <42113979+inteon@users.noreply.github.com> Date: Thu, 5 Sep 2024 11:22:56 +0200 Subject: [PATCH] add SetAuthentication function to authenticate 'passively' (without sending a self-check request to the server) Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com> --- pkg/endpoint/endpoint.go | 4 +++ pkg/venafi/cloud/cloud.go | 2 +- pkg/venafi/cloud/connector.go | 47 ++++++++++++++++++++------------- pkg/venafi/fake/connector.go | 4 +++ pkg/venafi/firefly/connector.go | 13 +++++++++ pkg/venafi/tpp/connector.go | 40 ++++++++++++---------------- 6 files changed, 68 insertions(+), 42 deletions(-) diff --git a/pkg/endpoint/endpoint.go b/pkg/endpoint/endpoint.go index 4a8d525d..eaf39299 100644 --- a/pkg/endpoint/endpoint.go +++ b/pkg/endpoint/endpoint.go @@ -85,6 +85,10 @@ type Connector interface { // SetHTTPClient allows to set custom http.Client to this Connector. SetHTTPClient(client *http.Client) Ping() (err error) + // SetAuthentication can be used to set the authentication details for the connector, it does not perform the validation + // done by Authenticate. It is useful when you want to set the authentication details without validating them. + SetAuthentication(auth *Authentication) (err error) + // Authenticate calls SetAuthentication and then validates the authentication details by making a request to the server. // Authenticate is usually called by NewClient and it is not required that you manually call it. Authenticate(auth *Authentication) (err error) diff --git a/pkg/venafi/cloud/cloud.go b/pkg/venafi/cloud/cloud.go index 5fb1eea5..0abe5439 100644 --- a/pkg/venafi/cloud/cloud.go +++ b/pkg/venafi/cloud/cloud.go @@ -312,7 +312,7 @@ func (c *Connector) getHTTPClient() *http.Client { } func (c *Connector) request(method string, url string, data interface{}, authNotRequired ...bool) (statusCode int, statusText string, body []byte, err error) { - if (c.accessToken == "" && c.user == nil) || (c.user != nil && c.user.Company == nil) { + if c.accessToken == "" && c.apiKey == "" { if !(len(authNotRequired) == 1 && authNotRequired[0]) { err = fmt.Errorf("%w: must be autheticated to make requests to TLSPC API", verror.VcertError) return diff --git a/pkg/venafi/cloud/connector.go b/pkg/venafi/cloud/connector.go index 7c04f94c..c8b92e25 100644 --- a/pkg/venafi/cloud/connector.go +++ b/pkg/venafi/cloud/connector.go @@ -91,7 +91,6 @@ type Connector struct { apiKey string accessToken string verbose bool - user *userDetails trust *x509.CertPool zone cloudZone client *http.Client @@ -135,17 +134,42 @@ func (c *Connector) Ping() (err error) { return nil } -// Authenticate authenticates the user with Venafi Cloud using the provided API Key +// Authenticate sets the authentication credentials for the Venafi Cloud API. +// It will send a request to the API to verify the credentials are correct. func (c *Connector) Authenticate(auth *endpoint.Authentication) error { + if err := c.SetAuthentication(auth); err != nil { + return err + } + + url := c.getURL(urlResourceUserAccounts) + statusCode, status, body, err := c.request("GET", url, nil, true) + if err != nil { + return fmt.Errorf("%w: %s", verror.AuthError, err) + } + if _, err := parseUserDetailsResult(http.StatusOK, statusCode, status, body); err != nil { + return fmt.Errorf("%w: %s", verror.AuthError, err) + } + + return nil +} + +// SetAuthentication sets the authentication credentials for the Venafi Cloud API. +func (c *Connector) SetAuthentication(auth *endpoint.Authentication) (err error) { + defer func() { + if err != nil { + err = fmt.Errorf("%w: %s", verror.AuthError, err) + } + }() + if auth == nil { return fmt.Errorf("failed to authenticate: missing credentials") } - //1. Access token. Assign it to connector if auth.AccessToken != "" { + // 1. Access token. Assign it to connector c.accessToken = auth.AccessToken } else if auth.TokenURL != "" && auth.ExternalJWT != "" { - //2. JWT and token URL. use it to request new access token + // 2. JWT and token URL. use it to request new access token tokenResponse, err := c.GetAccessToken(auth) if err != nil { return err @@ -154,16 +178,6 @@ func (c *Connector) Authenticate(auth *endpoint.Authentication) error { } else if auth.APIKey != "" { // 3. API key. Get user to test authentication c.apiKey = auth.APIKey - url := c.getURL(urlResourceUserAccounts) - statusCode, status, body, err := c.request("GET", url, nil, true) - if err != nil { - return err - } - ud, err := parseUserDetailsResult(http.StatusOK, statusCode, status, body) - if err != nil { - return err - } - c.user = ud } // Initialize clients @@ -948,7 +962,7 @@ func (c *Connector) isAuthenticated() bool { return true } - if c.user != nil && c.user.Company != nil { + if c.apiKey != "" { return true } @@ -1431,12 +1445,10 @@ func (c *Connector) CreateUserAccount(userAccount *userAccount) (int, *userDetai if err != nil { return statusCode, nil, err } - //c.user = ud return statusCode, ud, nil } func (c *Connector) getUserDetails() (*userDetails, error) { - url := c.getURL(urlResourceUserAccounts) statusCode, status, body, err := c.request("GET", url, nil) if err != nil { @@ -1446,7 +1458,6 @@ func (c *Connector) getUserDetails() (*userDetails, error) { if err != nil { return nil, err } - c.user = ud return ud, nil } diff --git a/pkg/venafi/fake/connector.go b/pkg/venafi/fake/connector.go index 00ca2e28..a4fb797d 100644 --- a/pkg/venafi/fake/connector.go +++ b/pkg/venafi/fake/connector.go @@ -176,6 +176,10 @@ func (c *Connector) Authenticate(auth *endpoint.Authentication) (err error) { return } +func (c *Connector) SetAuthentication(auth *endpoint.Authentication) (err error) { + return +} + type fakeRequestID struct { Req *certificate.Request CSR string diff --git a/pkg/venafi/firefly/connector.go b/pkg/venafi/firefly/connector.go index 2b93d9ea..ed18d1bc 100644 --- a/pkg/venafi/firefly/connector.go +++ b/pkg/venafi/firefly/connector.go @@ -86,7 +86,20 @@ func (c *Connector) GetType() endpoint.ConnectorType { return endpoint.ConnectorTypeFirefly } +// Authenticate authenticates the connector to the Firefly server. +// In the future, this method will send a request to the Firefly server to validate the authentication. func (c *Connector) Authenticate(auth *endpoint.Authentication) error { + if err := c.SetAuthentication(auth); err != nil { + return err + } + + // TODO: use the access token to send a request and validate the authentication. + + return nil +} + +// SetAuthentication sets the authentication details to connect to the Firefly server +func (c *Connector) SetAuthentication(auth *endpoint.Authentication) error { if auth == nil { msg := "failed to authenticate: no credentials provided" zap.L().Error(msg, fieldPlatform) diff --git a/pkg/venafi/tpp/connector.go b/pkg/venafi/tpp/connector.go index 2fcf9e48..08fcc6da 100644 --- a/pkg/venafi/tpp/connector.go +++ b/pkg/venafi/tpp/connector.go @@ -45,7 +45,6 @@ type Connector struct { apiKey string accessToken string verbose bool - Identity identity trust *x509.CertPool zone string client *http.Client @@ -118,8 +117,22 @@ func (c *Connector) Ping() (err error) { return } -// Authenticate authenticates the user to the TPP -func (c *Connector) Authenticate(auth *endpoint.Authentication) (err error) { +// Authenticate sets the Authentication details for the TPP Server and +// verifies that it can retrieve Self Identity. +func (c *Connector) Authenticate(auth *endpoint.Authentication) error { + if err := c.SetAuthentication(auth); err != nil { + return err + } + + if _, err := c.retrieveSelfIdentity(); err != nil { + return fmt.Errorf("%w: %s", verror.AuthError, err) + } + + return nil +} + +// SetAuthentication sets the Authentication details for the TPP Server. +func (c *Connector) SetAuthentication(auth *endpoint.Authentication) (err error) { defer func() { if err != nil { err = fmt.Errorf("%w: %s", verror.AuthError, err) @@ -143,13 +156,6 @@ func (c *Connector) Authenticate(auth *endpoint.Authentication) (err error) { resp := result.(authorizeResponse) c.apiKey = resp.APIKey - - if c.client != nil { - c.Identity, err = c.retrieveSelfIdentity() - if err != nil { - return err - } - } return nil } else if auth.RefreshToken != "" { @@ -161,24 +167,12 @@ func (c *Connector) Authenticate(auth *endpoint.Authentication) (err error) { resp := result.(OauthRefreshAccessTokenResponse) c.accessToken = resp.Access_token + auth.AccessToken = resp.Access_token auth.RefreshToken = resp.Refresh_token - if c.client != nil { - c.Identity, err = c.retrieveSelfIdentity() - if err != nil { - return err - } - } return nil } else if auth.AccessToken != "" { c.accessToken = auth.AccessToken - - if c.client != nil { - c.Identity, err = c.retrieveSelfIdentity() - if err != nil { - return err - } - } return nil } return fmt.Errorf("failed to authenticate: can't determine valid credentials set")