Merge pull request #36 from Keyfactor/OauthAndParametersForTemplateAndCA

Updated with OAuth Support and the ability to pass CA and Template via cli

Author: doebrowsk

.github/workflows/release.yml

@@ -1,3 +1,8 @@
+- 1.4.0
+  - Added support for oAuth2 authentication to Keyfactor Command.
+  - Included the ability to specify CA and Template via command parameters
+  - Included the ability to pass metadata along with the request
+
 - 1.3.1 
   - Fix for issue where plugin was not enforcing plugin-side role limitations for AllowedDomains and AllowSubDomains, and was relying exclusively on the certificate template for these values.
 

CHANGELOG.md

@@ -1,40 +1,56 @@
 BINARY = "keyfactor"
 VERSION = "v1.3.1"
 
-GOARCH = amd64
+UNAME_S := $(shell uname -s)
+UNAME_M := $(shell uname -m)
 
-UNAME = $(shell uname -s)
-
-OS = linux
+ifeq ($(UNAME_S),Linux)
+	OS = linux
+else ifeq ($(UNAME_S),Darwin)
+	OS = darwin
+endif
 
-ifndef OS
-	ifeq ($(UNAME), Linux)
-		OS = linux
-	else ifeq ($(UNAME), Darwin)
-		OS = darwin
-	endif
+ifeq ($(UNAME_M),x86_64)
+	GOARCH = amd64
+else ifeq ($(UNAME_M),arm64)
+	GOARCH = arm64
+else ifeq ($(UNAME_M),i386)
+	GOARCH = 386
 endif
 
 .DEFAULT_GOAL := all
 
 all: fmt build start
 
 build:
-	GOOS=$(OS) GOARCH="$(GOARCH)" go build -o vault/plugins/keyfactor cmd/keyfactor/main.go
+	GOOS=$(OS) GOARCH=$(GOARCH) go build -o vault/plugins/keyfactor cmd/keyfactor/main.go
 
 start:
-	vault server -dev -dev-root-token-id=root -dev-plugin-dir=/vault/plugins
+	vault server -dev -dev-root-token-id=root -dev-plugin-dir=./vault/plugins
+
+register:
+	vault write sys/plugins/catalog/secret/keyfactor sha_256=$(shell shasum -a 256 ./vault/plugins/keyfactor | cut -d ' ' -f 1) command="keyfactor"
 
 enable:
+	export VAULT_ADDR=http://localhost:8200
+	export VAULT_TOKEN=root
 	vault secrets enable keyfactor
 
+config_oauth:
+	vault write keyfactor/config \
+		url="https://int1230-oauth.eastus2.cloudapp.azure.com" \
+		client_id="vault-secrets-engine" \
+		client_secret="c6rxzs6Hz8JjlkFR87ra18WBqlhXdwMO" \
+		token_url="https://int1230-oauth.eastus2.cloudapp.azure.com/oauth2/token" \
+		template="SslServerProfile" \
+		CA="TestDriveSub-G1"
+
 clean:
 	rm -f ./vault/plugins/keyfactor
 
 fmt:
 	go fmt $$(go list ./...)
 
-
 release:
 	GOOS=darwin GOARCH=amd64 go build -o ./bin/${BINARY}_${VERSION}_darwin_amd64
 	GOOS=freebsd GOARCH=386 go build -o ./bin/${BINARY}_${VERSION}_freebsd_386
@@ -49,5 +65,4 @@ release:
 	GOOS=windows GOARCH=386 go build -o ./bin/${BINARY}_${VERSION}_windows_386
 	GOOS=windows GOARCH=amd64 go build -o ./bin/${BINARY}_${VERSION}_windows_amd64
 
-
-.PHONY: build clean fmt start enable
+.PHONY: build clean fmt start enable register release

Makefile

@@ -7,16 +7,14 @@
  *  and limitations under the License.
  */
 
-package keyfactor
+package kfbackend
 
 import (
 	"context"
-	b64 "encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"strings"
 	"sync"
@@ -27,7 +25,9 @@ import (
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
-//var config map[string]string
+const (
+	operationPrefixKeyfactor string = "keyfactor"
+)
 
 // Factory configures and returns backend
 func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
@@ -42,7 +42,7 @@ func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend,
 // // Store certificates by serial number
 type keyfactorBackend struct {
 	*framework.Backend
-	lock         sync.RWMutex
+	configLock   sync.RWMutex
 	cachedConfig *keyfactorConfig
 	client       *keyfactorClient
 }
@@ -68,19 +68,31 @@ func backend() *keyfactorBackend {
 			pathCA(&b),
 			pathCerts(&b),
 		),
-		Secrets:     []*framework.Secret{},
-		BackendType: logical.TypeLogical,
-		Invalidate:  b.invalidate,
+		Secrets:        []*framework.Secret{},
+		BackendType:    logical.TypeLogical,
+		Invalidate:     b.invalidate,
+		InitializeFunc: b.Initialize,
 	}
 	return &b
 }
 
 // reset clears any client configuration for a new
 // backend to be configured
 func (b *keyfactorBackend) reset() {
-	b.lock.Lock()
-	defer b.lock.Unlock()
+	b.configLock.RLock()
+	defer b.configLock.RUnlock()
+	b.cachedConfig = nil
 	b.client = nil
+
+}
+
+func (b *keyfactorBackend) Initialize(ctx context.Context, req *logical.InitializationRequest) error {
+	b.configLock.RLock()
+	defer b.configLock.RUnlock()
+	if req == nil {
+		return fmt.Errorf("initialization request is nil")
+	}
+	return nil
 }
 
 // invalidate clears an existing client configuration in
@@ -94,63 +106,73 @@ func (b *keyfactorBackend) invalidate(ctx context.Context, key string) {
 // getClient locks the backend as it configures and creates a
 // a new client for the target API
 func (b *keyfactorBackend) getClient(ctx context.Context, s logical.Storage) (*keyfactorClient, error) {
-	b.lock.RLock()
-	unlockFunc := b.lock.RUnlock
-	defer func() { unlockFunc() }()
+	b.configLock.RLock()
+	defer b.configLock.RUnlock()
 
 	if b.client != nil {
 		return b.client, nil
 	}
 
-	b.lock.RUnlock()
-	b.lock.Lock()
-	unlockFunc = b.lock.Unlock
+	// get configuration
+	config, err := b.fetchConfig(ctx, s)
+	if err != nil {
+		return nil, err
+	}
+	if config == nil {
+		return nil, errors.New("configuration is empty")
+	}
 
-	return nil, fmt.Errorf("need to return client")
+	b.client, err = newClient(config, b)
+	if err != nil {
+		return nil, err
+	}
+	return b.client, nil
 }
 
 // Handle interface with Keyfactor API to enroll a certificate with given content
-func (b *keyfactorBackend) submitCSR(ctx context.Context, req *logical.Request, csr string, caName string, templateName string) ([]string, string, error) {
-	config, err := b.config(ctx, req.Storage)
+func (b *keyfactorBackend) submitCSR(ctx context.Context, req *logical.Request, csr string, caName string, templateName string, metaDataJson string) ([]string, string, error) {
+	config, err := b.fetchConfig(ctx, req.Storage)
 	if err != nil {
 		return nil, "", err
 	}
 	if config == nil {
 		return nil, "", errors.New("configuration is empty")
 	}
 
-	ca := config.CertAuthority
-	template := config.CertTemplate
-
-	creds := config.Username + ":" + config.Password
-	encCreds := b64.StdEncoding.EncodeToString([]byte(creds))
-
 	location, _ := time.LoadLocation("UTC")
 	t := time.Now().In(location)
 	time := t.Format("2006-01-02T15:04:05")
 
-	// This is only needed when running as a vault extension
+	// get client
+	client, err := b.getClient(ctx, req.Storage)
+	if err != nil {
+		return nil, "", fmt.Errorf("error getting client: %w", err)
+	}
+
 	b.Logger().Debug("Closing idle connections")
-	http.DefaultClient.CloseIdleConnections()
+	client.httpClient.CloseIdleConnections()
+
+	// build request parameter structure
 
-	// Build request
-	url := config.KeyfactorUrl + "/KeyfactorAPI/Enrollment/CSR"
+	url := config.KeyfactorUrl + "/" + config.CommandAPIPath + "/Enrollment/CSR"
 	b.Logger().Debug("url: " + url)
-	bodyContent := "{\"CSR\": \"" + csr + "\",\"CertificateAuthority\":\"" + ca + "\",\"IncludeChain\": true, \"Metadata\": {}, \"Timestamp\": \"" + time + "\",\"Template\": \"" + template + "\",\"SANs\": {}}"
+	bodyContent := "{\"CSR\": \"" + csr + "\",\"CertificateAuthority\":\"" + caName + "\",\"IncludeChain\": true, \"Metadata\": " + metaDataJson + ", \"Timestamp\": \"" + time + "\",\"Template\": \"" + templateName + "\",\"SANs\": {}}"
 	payload := strings.NewReader(bodyContent)
 	b.Logger().Debug("body: " + bodyContent)
 	httpReq, err := http.NewRequest("POST", url, payload)
+
 	if err != nil {
 		b.Logger().Info("Error forming request: {{err}}", err)
 	}
+
 	httpReq.Header.Add("x-keyfactor-requested-with", "APIClient")
 	httpReq.Header.Add("content-type", "application/json")
-	httpReq.Header.Add("authorization", "Basic "+encCreds)
 	httpReq.Header.Add("x-certificateformat", "PEM")
 
 	// Send request and check status
+
 	b.Logger().Debug("About to connect to " + config.KeyfactorUrl + "for csr submission")
-	res, err := http.DefaultClient.Do(httpReq)
+	res, err := client.httpClient.Do(httpReq)
 	if err != nil {
 		b.Logger().Info("CSR Enrollment failed: {{err}}", err.Error())
 		return nil, "", err
@@ -166,7 +188,7 @@ func (b *keyfactorBackend) submitCSR(ctx context.Context, req *logical.Request,
 	// Read response and return certificate and key
 
 	defer res.Body.Close()
-	body, err := ioutil.ReadAll(res.Body)
+	body, err := io.ReadAll(res.Body)
 	if err != nil {
 		b.Logger().Error("Error reading response: {{err}}", err)
 		return nil, "", err
@@ -233,3 +255,15 @@ func (b *keyfactorBackend) submitCSR(ctx context.Context, req *logical.Request,
 const keyfactorHelp = `
 The Keyfactor backend is a pki service that issues and manages certificates.
 `
+
+func (b *keyfactorBackend) isValidJSON(str string) bool {
+	var js json.RawMessage
+	err := json.Unmarshal([]byte(str), &js)
+	if err != nil {
+		b.Logger().Debug(err.Error())
+		return false
+	} else {
+		b.Logger().Debug("the metadata was able to be parsed as valid JSON")
+		return true
+	}
+}