add SetAuthentication function to authenticate 'passively' (without s…
…ending a self-check request to the server)

Signed-off-by: Tim Ramlot <[email protected]>
inteon committed Jan 3, 2025
1 parent dbcec10 commit 28de5ec
Showing 6 changed files with 68 additions and 42 deletions.
4 changes: 4 additions & 0 deletions pkg/endpoint/endpoint.go
Expand Up @@ -85,6 +85,10 @@ type Connector interface {
// SetHTTPClient allows to set custom http.Client to this Connector.
SetHTTPClient(client *http.Client)
Ping() (err error)
// SetAuthentication can be used to set the authentication details for the connector, it does not perform the validation
// done by Authenticate. It is useful when you want to set the authentication details without validating them.
SetAuthentication(auth *Authentication) (err error)
// Authenticate calls SetAuthentication and then validates the authentication details by making a request to the server.
// Authenticate is usually called by NewClient and it is not required that you manually call it.
Authenticate(auth *Authentication) (err error)

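Review bot: The new interface comment on SetAuthentication says it only sets the details without validating them, but the implementations in this commit still contact the server on some paths: the cloud connector requests an access token when TokenURL and ExternalJWT are given, and the TPP connector exchanges user credentials for an API key or refreshes a token. "Passive" therefore means only that the self-check request is skipped, and callers that want an offline setter should know that. Suggest extending the comment with `// SetAuthentication may still contact the server to exchange a refresh token, JWT or user credentials for a token; it only skips the self-check request that Authenticate performs afterwards.` The Connector interface continues outside the hunk.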
2 changes: 1 addition & 1 deletion pkg/venafi/cloud/cloud.go
Expand Up @@ -313,7 +313,7 @@ func (c *Connector) getHTTPClient() *http.Client {
}

func (c *Connector) request(method string, url string, data interface{}, authNotRequired ...bool) (statusCode int, statusText string, body []byte, err error) {
if (c.accessToken == "" && c.user == nil) || (c.user != nil && c.user.Company == nil) {
if c.accessToken == "" && c.apiKey == "" {
if !(len(authNotRequired) == 1 && authNotRequired[0]) {
err = fmt.Errorf("%w: must be autheticated to make requests to TLSPC API", verror.VcertError)
return
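Review bot: The new guard in request repeats the credential test that the connector's isAuthenticated() already encodes (it returns true for a non-empty apiKey, and apparently for an access token in the branch above it), so the two can drift if another credential type is added later. Writing the check as `if !c.isAuthenticated() {` keeps a single definition of "has credentials" for both the request path and the rest of the package. request's body continues outside the hunk.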
47 changes: 29 additions & 18 deletions pkg/venafi/cloud/connector.go
Expand Up @@ -91,7 +91,6 @@ type Connector struct {
apiKey string
accessToken string
verbose bool
user *userDetails
trust *x509.CertPool
zone cloudZone
client *http.Client
Expand Down Expand Up @@ -135,17 +134,42 @@ func (c *Connector) Ping() (err error) {
return nil
}

// Authenticate authenticates the user with Venafi Cloud using the provided API Key
// Authenticate sets the authentication credentials for the Venafi Cloud API.
// It will send a request to the API to verify the credentials are correct.
func (c *Connector) Authenticate(auth *endpoint.Authentication) error {
if err := c.SetAuthentication(auth); err != nil {
return err
}

url := c.getURL(urlResourceUserAccounts)
statusCode, status, body, err := c.request("GET", url, nil, true)
if err != nil {
return fmt.Errorf("%w: %s", verror.AuthError, err)
}
if _, err := parseUserDetailsResult(http.StatusOK, statusCode, status, body); err != nil {
return fmt.Errorf("%w: %s", verror.AuthError, err)
}

return nil
}

// SetAuthentication sets the authentication credentials for the Venafi Cloud API.
func (c *Connector) SetAuthentication(auth *endpoint.Authentication) (err error) {
defer func() {
if err != nil {
err = fmt.Errorf("%w: %s", verror.AuthError, err)
}
}()

if auth == nil {
return fmt.Errorf("failed to authenticate: missing credentials")
}

//1. Access token. Assign it to connector
if auth.AccessToken != "" {
// 1. Access token. Assign it to connector
c.accessToken = auth.AccessToken
} else if auth.TokenURL != "" && auth.ExternalJWT != "" {
//2. JWT and token URL. use it to request new access token
// 2. JWT and token URL. use it to request new access token
tokenResponse, err := c.GetAccessToken(auth)
if err != nil {
return err
Expand All @@ -154,16 +178,6 @@ func (c *Connector) Authenticate(auth *endpoint.Authentication) error {
} else if auth.APIKey != "" {
// 3. API key. Get user to test authentication
c.apiKey = auth.APIKey
url := c.getURL(urlResourceUserAccounts)
statusCode, status, body, err := c.request("GET", url, nil, true)
if err != nil {
return err
}
ud, err := parseUserDetailsResult(http.StatusOK, statusCode, status, body)
if err != nil {
return err
}
c.user = ud
}

// Initialize clients
Expand Down Expand Up @@ -948,7 +962,7 @@ func (c *Connector) isAuthenticated() bool {
return true
}

if c.user != nil && c.user.Company != nil {
if c.apiKey != "" {
return true
}

Expand Down Expand Up @@ -1456,12 +1470,10 @@ func (c *Connector) CreateUserAccount(userAccount *userAccount) (int, *userDetai
if err != nil {
return statusCode, nil, err
}
//c.user = ud
return statusCode, ud, nil
}

func (c *Connector) getUserDetails() (*userDetails, error) {

url := c.getURL(urlResourceUserAccounts)
statusCode, status, body, err := c.request("GET", url, nil)
if err != nil {
Expand All @@ -1471,7 +1483,6 @@ func (c *Connector) getUserDetails() (*userDetails, error) {
if err != nil {
return nil, err
}
c.user = ud
return ud, nil
}

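Review bot: SetAuthentication returns nil for a non-nil Authentication that has none of AccessToken, TokenURL+ExternalJWT or APIKey set, because the if/else-if chain that ends after `c.apiKey = auth.APIKey` has no final else; only a nil pointer is rejected, so a caller of the new "passive" setter is told its credentials were accepted when nothing was stored. The TPP connector ends the same chain with `return fmt.Errorf("failed to authenticate: can't determine valid credentials set")`, and the matching `} else { return fmt.Errorf("failed to authenticate: can't determine valid credentials set") }` belongs here too. Separately, Authenticate now sends the user-accounts self-check for every credential type, whereas the old code did so only on the API-key path; if that endpoint does not accept access-token or JWT-derived tokens, Authenticate would fail for those (verify against the API). SetAuthentication spans two hunks and its body continues outside the shown lines.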
4 changes: 4 additions & 0 deletions pkg/venafi/fake/connector.go
Expand Up @@ -176,6 +176,10 @@ func (c *Connector) Authenticate(auth *endpoint.Authentication) (err error) {
return
}

func (c *Connector) SetAuthentication(auth *endpoint.Authentication) (err error) {
return
}

type fakeRequestID struct {
Req *certificate.Request
CSR string
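Review bot: The new exported method has no doc comment, unlike the SetAuthentication added to the other connectors in this commit. Since it returns the zero named result for any input, suggest `// SetAuthentication is a no-op for the fake connector; it accepts any credentials, including nil.` so readers of the fake know it never rejects a credential set.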
13 changes: 13 additions & 0 deletions pkg/venafi/firefly/connector.go
Expand Up @@ -86,7 +86,20 @@ func (c *Connector) GetType() endpoint.ConnectorType {
return endpoint.ConnectorTypeFirefly
}

// Authenticate authenticates the connector to the Firefly server.
// In the future, this method will send a request to the Firefly server to validate the authentication.
func (c *Connector) Authenticate(auth *endpoint.Authentication) error {
if err := c.SetAuthentication(auth); err != nil {
return err
}

// TODO: use the access token to send a request and validate the authentication.

return nil
}

// SetAuthentication sets the authentication details to connect to the Firefly server
func (c *Connector) SetAuthentication(auth *endpoint.Authentication) error {
if auth == nil {
msg := "failed to authenticate: no credentials provided"
zap.L().Error(msg, fieldPlatform)
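Review bot: Authenticate performs no validation here: it calls SetAuthentication and returns nil, while the Connector interface comment added in this commit promises that Authenticate validates the details with a request to the server, so for Firefly a bad token is only detected on the first real API call. The doc comment says what will happen in the future but not what happens today; suggest `// Authenticate currently only stores the credentials (see SetAuthentication); no request is sent, so invalid credentials surface on the first API call.` In SetAuthentication the nil-credentials message is logged via zap and, if it is also returned as an error as the message wording suggests, the same failure is reported at two layers. SetAuthentication's body continues outside the hunk.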
40 changes: 17 additions & 23 deletions pkg/venafi/tpp/connector.go
Expand Up @@ -45,7 +45,6 @@ type Connector struct {
apiKey string
accessToken string
verbose bool
Identity identity
trust *x509.CertPool
zone string
client *http.Client
Expand Down Expand Up @@ -118,8 +117,22 @@ func (c *Connector) Ping() (err error) {
return
}

// Authenticate authenticates the user to the TPP
func (c *Connector) Authenticate(auth *endpoint.Authentication) (err error) {
// Authenticate sets the Authentication details for the TPP Server and
// verifies that it can retrieve Self Identity.
func (c *Connector) Authenticate(auth *endpoint.Authentication) error {
if err := c.SetAuthentication(auth); err != nil {
return err
}

if _, err := c.retrieveSelfIdentity(); err != nil {
return fmt.Errorf("%w: %s", verror.AuthError, err)
}

return nil
}

// SetAuthentication sets the Authentication details for the TPP Server.
func (c *Connector) SetAuthentication(auth *endpoint.Authentication) (err error) {
defer func() {
if err != nil {
err = fmt.Errorf("%w: %s", verror.AuthError, err)
Expand All @@ -143,13 +156,6 @@ func (c *Connector) Authenticate(auth *endpoint.Authentication) (err error) {

resp := result.(authorizeResponse)
c.apiKey = resp.APIKey

if c.client != nil {
c.Identity, err = c.retrieveSelfIdentity()
if err != nil {
return err
}
}
return nil

} else if auth.RefreshToken != "" {
Expand All @@ -161,24 +167,12 @@ func (c *Connector) Authenticate(auth *endpoint.Authentication) (err error) {

resp := result.(OauthRefreshAccessTokenResponse)
c.accessToken = resp.Access_token
auth.AccessToken = resp.Access_token
auth.RefreshToken = resp.Refresh_token
if c.client != nil {
c.Identity, err = c.retrieveSelfIdentity()
if err != nil {
return err
}
}
return nil

} else if auth.AccessToken != "" {
c.accessToken = auth.AccessToken

if c.client != nil {
c.Identity, err = c.retrieveSelfIdentity()
if err != nil {
return err
}
}
return nil
}
return fmt.Errorf("failed to authenticate: can't determine valid credentials set")
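Review bot: Authenticate now calls `c.retrieveSelfIdentity()` unconditionally, whereas the three removed call sites in the old Authenticate guarded it with `if c.client != nil`; unless retrieveSelfIdentity obtains a client itself, a connector authenticated before its client is set will now fail (or dereference a nil client) where it previously succeeded, which is worth confirming before merging. The retrieved identity is discarded with `_` and the exported `Identity` field is removed from the struct, a breaking change for any external code that read it. In the new wrap `fmt.Errorf("%w: %s", verror.AuthError, err)` the inner error is flattened to text; if the module targets Go 1.20+, `fmt.Errorf("%w: %w", verror.AuthError, err)` keeps both errors in the chain for errors.Is/As. SetAuthentication's body runs across several hunks and outside the shown lines.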
