Merge dd9c324 into 4a53b63

Author: leefine02

.github/workflows/keyfactor-starter-workflow.yml

@@ -11,10 +11,19 @@ on:
 
 jobs:
   call-starter-workflow:
-    uses: keyfactor/actions/.github/workflows/starter.yml@3.1.2
+    uses: keyfactor/actions/.github/workflows/starter.yml@screenshots
+    with:
+      command_token_url: ${{ vars.DOCTOOL_COMMAND_TOKEN_URL }}
+      command_hostname: ${{ vars.DOCTOOL_COMMAND_HOSTNAME }}
+      command_base_api_path: ${{ vars.DOCTOOL_COMMAND_BASE_API_PATH }}
     secrets:
       token: ${{ secrets.V2BUILDTOKEN}}
       APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}}
       gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }}
       gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }}
       scan_token: ${{ secrets.SAST_TOKEN }}
+      entra_username: ${{ secrets.DOCTOOL_ENTRA_USERNAME }}
+      entra_password: ${{ secrets.DOCTOOL_ENTRA_PASSWD }}
+      command_client_id: ${{ secrets.DOCTOOL_COMMAND_CLIENT_ID }}
+      command_client_secret: ${{ secrets.DOCTOOL_COMMAND_CLIENT_SECRET }}
+      

CHANGELOG.md

@@ -1,3 +1,9 @@
+v1.9.0
+- Added new SSLProfiles READ ONLY entry parameter that will contain a comma delimited list of SSL Profiles a certificate is bound to on the F5 device. 
+
+v1.8.1
+- Documentation changes including highlighting lack of HA support as well as a correction to the proper StorePath value for F5-CA-REST stores.
+
 v1.8.0
 - Add new custom field - Remove Chain on Add - to allow the removal of the certificate chain before adding/replacing a certificate on the F5 device.  Default = false.
 - Apply store password when replacing a certificate as well as adding (extension to change made in v1.6.0)

F5Client.cs

@@ -24,6 +24,8 @@
 using System.Collections.Concurrent;
 using System.Drawing.Printing;
 using System.Diagnostics.CodeAnalysis;
+using static Keyfactor.Orchestrators.Common.OrchestratorConstants;
+using static Org.BouncyCastle.Math.EC.ECCurve;
 
 namespace Keyfactor.Extensions.Orchestrator.F5Orchestrator
 {
@@ -91,7 +93,9 @@ public void AddEntry(string partition, string name, string b64Certificate, strin
         {
             LogHandlerCommon.MethodEntry(logger, CertificateStore, "AddEntry");
             LogHandlerCommon.Trace(logger, CertificateStore, $"Processing certificate for partition '{partition}' and name '{name}'");
+            LogHandlerCommon.Trace(logger, CertificateStore, $"*** CERT CONTENTS: *** {b64Certificate}");
             byte[] entryContents = Convert.FromBase64String(b64Certificate);
+            LogHandlerCommon.Trace(logger, CertificateStore, $"*** AFTER CERT CONTENTS: ***");
             string password = PFXPassword;
             CertificateConverter converter = CertificateConverterFactory.FromDER(entryContents, password);
             X509Certificate2 certificate = converter.ToX509Certificate2(password);
@@ -350,6 +354,35 @@ private X509Certificate2Collection GetCertificateEntry(string path)
             return c.ToX509Certificate2Collection();
         }
 
+        public List<F5SSLProfile> GetSSLProfiles(int pageSize)
+        {
+            LogHandlerCommon.MethodEntry(logger, CertificateStore, "GetSSLProfiles");
+            string partition = CertificateStore.StorePath;
+            string query = $"/mgmt/tm/ltm/profile/client-ssl?$top={pageSize}&$skip=0";
+            F5PagedSSLProfiles pagedProfiles = REST.Get<F5PagedSSLProfiles>(query);
+            List<F5SSLProfile> profiles = new List<F5SSLProfile>();
+
+            if (pagedProfiles.totalItems == 0 || pagedProfiles.items?.Length == 0)
+            {
+                return profiles;
+            }
+
+            for (int i = pagedProfiles.pageIndex; i <= pagedProfiles.totalPages; i++)
+            {
+                profiles.AddRange(pagedProfiles.items);
+
+                // The current paged profile will contain a link to the next set, unless the end has been reached
+                if (string.IsNullOrEmpty(pagedProfiles.nextLink)) { break; }
+
+                // Get the next page of profiles
+                query = pagedProfiles.nextLink.Replace("https://localhost", "");
+                pagedProfiles = REST.Get<F5PagedSSLProfiles>(query);
+            }
+
+            LogHandlerCommon.MethodExit(logger, CertificateStore, "GetCertificateEntries");
+            return profiles;
+        }
+
         private void SetItemStatus(CurrentInventoryItem agentInventoryItem)
         {
             LogHandlerCommon.MethodEntry(logger, CertificateStore, "SetItemStatus");
@@ -609,67 +642,79 @@ private List<X509Certificate2> ReorderPEMLIst(List<X509Certificate2> certList)
         // WebServer
         #endregion
 
-        #region SSL Profiles
+        #region SSL Certificates
 
-        public List<CurrentInventoryItem> GetSSLProfiles(int pageSize)
+        public List<CurrentInventoryItem> GetCertificateEntries(int pageSize)
         {
-            LogHandlerCommon.MethodEntry(logger, CertificateStore, "GetSSLProfiles");
+            LogHandlerCommon.MethodEntry(logger, CertificateStore, "GetCertificateEntries");
             string partition = CertificateStore.StorePath;
             string query = $"/mgmt/tm/sys/file/ssl-cert?$filter=partition+eq+{partition}&$select=name,keyType,isBundle&$top={pageSize}&$skip=0";
-            F5PagedSSLProfiles pagedProfiles = REST.Get<F5PagedSSLProfiles>(query);
-            List<F5SSLProfile> profiles = new List<F5SSLProfile>();
+            F5PagedSSLCertificates pagedCertificates = REST.Get<F5PagedSSLCertificates>(query);
+            List<F5SSLCertificate> certificates = new List<F5SSLCertificate>();
             List<CurrentInventoryItem> inventory = new List<CurrentInventoryItem>();
 
-            if (pagedProfiles.totalItems == 0 || pagedProfiles.items?.Length == 0)
+            LogHandlerCommon.Debug(logger, CertificateStore, $"Getting SSL Profiles from '{CertificateStore.StorePath}'");
+            List<F5SSLProfile> sslProfiles = GetSSLProfiles(pageSize);
+
+            if (pagedCertificates.totalItems == 0 || pagedCertificates.items?.Length == 0)
             {
-                LogHandlerCommon.Trace(logger, CertificateStore, $"No SSL profiles found in partition '{partition}'");
-                LogHandlerCommon.MethodExit(logger, CertificateStore, "GetSSLProfiles");
+                LogHandlerCommon.Trace(logger, CertificateStore, $"No SSL certificates found in partition '{partition}'");
+                LogHandlerCommon.MethodExit(logger, CertificateStore, "GetCertificateEntries");
                 return inventory;
             }
             else
             {
-                LogHandlerCommon.Trace(logger, CertificateStore, $"Compiling {pagedProfiles.totalPages} pages containing {pagedProfiles.totalItems} total inventory entries");
+                LogHandlerCommon.Trace(logger, CertificateStore, $"Compiling {pagedCertificates.totalPages} pages containing {pagedCertificates.totalItems} total inventory entries");
             }
 
-            // Collected all of the profile entry names
-            for (int i = pagedProfiles.pageIndex; i <= pagedProfiles.totalPages; i++)
+            // Collected all of the certificate entry names
+            for (int i = pagedCertificates.pageIndex; i <= pagedCertificates.totalPages; i++)
             {
-                profiles.AddRange(pagedProfiles.items);
+                certificates.AddRange(pagedCertificates.items);
 
-                // The current paged profile will contain a link to the next set, unless the end has been reached
-                if (string.IsNullOrEmpty(pagedProfiles.nextLink)) { break; }
+                // The current paged certificate list will contain a link to the next set, unless the end has been reached
+                if (string.IsNullOrEmpty(pagedCertificates.nextLink)) { break; }
 
-                // Get the next page of profiles
-                query = pagedProfiles.nextLink.Replace("https://localhost", "");
-                pagedProfiles = REST.Get<F5PagedSSLProfiles>(query);
+                // Get the next page of certificates
+                query = pagedCertificates.nextLink.Replace("https://localhost", "");
+                pagedCertificates = REST.Get<F5PagedSSLCertificates>(query);
             }
 
             // Compile the entries into inventory items
-            for (int i = 0; i < profiles.Count; i++)
+            for (int i = 0; i < certificates.Count; i++)
             {
                 try
                 {
-                    LogHandlerCommon.Trace(logger, CertificateStore, $"Processing alias {profiles[i].name}");
+                    LogHandlerCommon.Trace(logger, CertificateStore, $"Processing alias {certificates[i].name}");
                     // Exclude 'ca-bundle.crt' as that can only be managed by F5
-                    if (profiles[i].name.Equals("ca-bundle.crt", StringComparison.OrdinalIgnoreCase)
-                        || profiles[i].name.Equals("f5-ca-bundle.crt", StringComparison.OrdinalIgnoreCase))
+                    if (certificates[i].name.Equals("ca-bundle.crt", StringComparison.OrdinalIgnoreCase)
+                        || certificates[i].name.Equals("f5-ca-bundle.crt", StringComparison.OrdinalIgnoreCase))
                     {
-                        LogHandlerCommon.Trace(logger, CertificateStore, $"Skipping '{profiles[i].name}' because it is managed by F5");
+                        LogHandlerCommon.Trace(logger, CertificateStore, $"Skipping '{certificates[i].name}' because it is managed by F5");
                         continue;
                     }
-                    inventory.Add(GetInventoryItem(partition, profiles[i].name, true));
+                    CurrentInventoryItem inventoryItem = GetInventoryItem(partition, certificates[i].name, true);
+                    Dictionary<string, object> parameters = new Dictionary<string, object>();
+
+                    string certName = $"/{partition}/{inventoryItem.Alias}";
+                    string sslProfileNames = string.Join(",", sslProfiles.Where(p => p.cert == certName).Select(p => p.name));
+                    if (!string.IsNullOrEmpty(sslProfileNames))
+                        parameters.Add("SSLProfiles", sslProfileNames);
+                    inventoryItem.Parameters = parameters;
+
+                    inventory.Add(inventoryItem);
                 }
                 catch (Exception ex)
                 {
-                    LogHandlerCommon.Error(logger, CertificateStore, ExceptionHandler.FlattenExceptionMessages(ex, $"Unable to process inventory item {profiles[i].name}."));
+                    LogHandlerCommon.Error(logger, CertificateStore, ExceptionHandler.FlattenExceptionMessages(ex, $"Unable to process inventory item {certificates[i].name}."));
                 }
             }
 
-            LogHandlerCommon.MethodExit(logger, CertificateStore, "GetSSLProfiles");
+            LogHandlerCommon.MethodExit(logger, CertificateStore, "GetCertificateEntries");
             return inventory;
         }
 
-        // SSL Profiles
+        // SSL Certificates
         #endregion
 
         #region Auth & Version

F5DataModels.cs

@@ -62,6 +62,18 @@ internal class F5CABundle
         public string[] includeBundle { get; set; }
     }
 
+    internal class F5PagedSSLCertificates : F5PagedResult
+    {
+        public F5SSLCertificate[] items { get; set; }
+    }
+
+    internal class F5SSLCertificate
+    {
+        public string name { get; set; }
+        public bool isBundle { get; set; }
+        public string keyType { get; set; }
+    }
+
     internal class F5PagedSSLProfiles : F5PagedResult
     {
         public F5SSLProfile[] items { get; set; }
@@ -70,8 +82,7 @@ internal class F5PagedSSLProfiles : F5PagedResult
     internal class F5SSLProfile
     {
         public string name { get; set; }
-        public bool isBundle { get; set; }
-        public string keyType { get; set; }
+        public string cert { get; set; }
     }
 
     internal class F5Key