Merge branch 'include_metadata_56051' of https://github.com/Keyfactor/hashicorp-vault-secretsengine into OauthAndParametersForTemplateAndCA

joevanwanzeeleKF · joevanwanzeeleKF · commit 3d870ead4c73 · 2025-02-03T15:11:33.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,7 @@
 - 1.4.0
   - Added support for oAuth2 authentication to Keyfactor Command.
   - Included the ability to specify CA and Template via command parameters
+  - Included the ability to pass metadata along with the request
 
 - 1.3.1 
   - Fix for issue where plugin was not enforcing plugin-side role limitations for AllowedDomains and AllowSubDomains, and was relying exclusively on the certificate template for these values.
diff --git a/README.md b/README.md
@@ -479,6 +479,11 @@ the Vault secrets store.
 > [!NOTE]
 > The Certificate Authority and Template values can be passed via command parameters.  If they are omitted, the values set in the configuration are used.
 
+> [!NOTE]
+> As of v1.4, certificate Metadata is able to be provided in the command line and submitted along with the signing request.
+> example: `vault write keyfactor/issue/hashiIssuer common_name="test.com" dns_sans="test.com" metadata='{ \"testMetadata\": \"arbitrary string value\" }' ca="myCA"`
+> **Make sure that the quotation marks as escaped, as above, or an error will be returned.**
+
 ### Viewing Certificates
 
 After certificates are stored in the secrets store, you can then retrieve those certificates at a later time if
diff --git a/backend.go b/backend.go
@@ -130,7 +130,7 @@ func (b *keyfactorBackend) getClient(ctx context.Context, s logical.Storage) (*k
 }
 
 // Handle interface with Keyfactor API to enroll a certificate with given content
-func (b *keyfactorBackend) submitCSR(ctx context.Context, req *logical.Request, csr string, caName string, templateName string) ([]string, string, error) {
+func (b *keyfactorBackend) submitCSR(ctx context.Context, req *logical.Request, csr string, caName string, templateName string, metaDataJson string) ([]string, string, error) {
 	config, err := b.fetchConfig(ctx, req.Storage)
 	if err != nil {
 		return nil, "", err
@@ -156,7 +156,7 @@ func (b *keyfactorBackend) submitCSR(ctx context.Context, req *logical.Request,
 
 	url := config.KeyfactorUrl + "/" + config.CommandAPIPath + "/Enrollment/CSR"
 	b.Logger().Debug("url: " + url)
-	bodyContent := "{\"CSR\": \"" + csr + "\",\"CertificateAuthority\":\"" + caName + "\",\"IncludeChain\": true, \"Metadata\": {}, \"Timestamp\": \"" + time + "\",\"Template\": \"" + templateName + "\",\"SANs\": {}}"
+	bodyContent := "{\"CSR\": \"" + csr + "\",\"CertificateAuthority\":\"" + caName + "\",\"IncludeChain\": true, \"Metadata\": " + metaDataJson + ", \"Timestamp\": \"" + time + "\",\"Template\": \"" + templateName + "\",\"SANs\": {}}"
 	payload := strings.NewReader(bodyContent)
 	b.Logger().Debug("body: " + bodyContent)
 	httpReq, err := http.NewRequest("POST", url, payload)
@@ -255,3 +255,15 @@ func (b *keyfactorBackend) submitCSR(ctx context.Context, req *logical.Request,
 const keyfactorHelp = `
 The Keyfactor backend is a pki service that issues and manages certificates.
 `
+
+func (b *keyfactorBackend) isValidJSON(str string) bool {
+	var js json.RawMessage
+	err := json.Unmarshal([]byte(str), &js)
+	if err != nil {
+		b.Logger().Debug(err.Error())
+		return false
+	} else {
+		b.Logger().Debug("the metadata was able to be parsed as valid JSON")
+		return true
+	}
+}
diff --git a/fields.go b/fields.go
@@ -76,6 +76,13 @@ be larger than the role max TTL.`,
 		},
 	}
 
+	fields["metadata"] = &framework.FieldSchema{
+		Type: framework.TypeString,
+		Description: `Metadata in JSON format to be passed along with the signing request and associated with the certificate in Command.  
+		Quotation marks should be escaped.  
+		Example: ... metadata='{ \"testMetadata\": \"arbitrary string value\" }`,
+	}
+
 	return fields
 }
 
diff --git a/path_certs.go b/path_certs.go
@@ -262,7 +262,21 @@ func (b *keyfactorBackend) pathSign(ctx context.Context, req *logical.Request, d
 	b.Logger().Debug("CA Name parameter = " + caName)
 	b.Logger().Debug("Template name parameter = " + templateName)
 
-	certs, serial, errr := b.submitCSR(ctx, req, csr, caName, templateName)
+	metadata := data.Get("metadata").(string)
+
+	if metadata == "" {
+		metadata = "{}"
+	}
+
+	// verify that any passed metadata string is valid JSON
+
+	if !b.isValidJSON(metadata) {
+		err := fmt.Errorf("'%s' is not a valid JSON string", metadata)
+		b.Logger().Error(err.Error())
+		return nil, err
+	}
+
+	certs, serial, errr := b.submitCSR(ctx, req, csr, caName, templateName, metadata)
 
 	if errr != nil {
 		return nil, fmt.Errorf("could not sign csr: %s", errr)
@@ -411,14 +425,27 @@ func (b *keyfactorBackend) pathIssueSignCert(ctx context.Context, req *logical.R
 		err_resp = fmt.Errorf("at least one DNS SAN is required to match the supplied Common Name for RFC 2818 compliance")
 	}
 
+	metadata := data.Get("metadata").(string)
+
+	if metadata == "" {
+		metadata = "{}"
+	}
+
+	// verify that any passed metadata string is valid JSON
+
+	if !b.isValidJSON(metadata) {
+		err_resp := fmt.Errorf("'%s' is not a valid JSON string", metadata)
+		b.Logger().Error(err_resp.Error())
+	}
+
 	if err_resp != nil {
 		return nil, err_resp
 	}
 
 	//generate and submit CSR
 	b.Logger().Debug("generating the CSR...")
 	csr, key := b.generateCSR(cn.(string), ip_sans, dns_sans)
-	certs, serial, errr := b.submitCSR(ctx, req, csr, caName, templateName)
+	certs, serial, errr := b.submitCSR(ctx, req, csr, caName, templateName, metadata)
 
 	if errr != nil {
 		return nil, fmt.Errorf("could not enroll certificate: %s", errr)
diff --git a/readme_source.md b/readme_source.md
@@ -455,6 +455,11 @@ the Vault secrets store.
 > [!NOTE]
 > The Certificate Authority and Template values can be passed via command parameters.  If they are omitted, the values set in the configuration are used.
 
+> [!NOTE]
+> As of v1.4, certificate Metadata is able to be provided in the command line and submitted along with the signing request.
+> example: `vault write keyfactor/issue/hashiIssuer common_name="test.com" dns_sans="test.com" metadata='{ \"testMetadata\": \"arbitrary string value\" }' ca="myCA"`
+> **Make sure that the quotation marks as escaped, as above, or an error will be returned.**
+
 ### Viewing Certificates
 
 After certificates are stored in the secrets store, you can then retrieve those certificates at a later time if

Original file line number	Diff line number	Diff line change
@@ -76,6 +76,13 @@ be larger than the role max TTL.`,
`76`	`76`	`},`
`77`	`77`	`}`
`78`	`78`
	`79`	`+ fields["metadata"] = &framework.FieldSchema{`
	`80`	`+ Type: framework.TypeString,`
	`81`	+ Description: `Metadata in JSON format to be passed along with the signing request and associated with the certificate in Command.
	`82`	`+ Quotation marks should be escaped.`
	`83`	+ Example: ... metadata='{ \"testMetadata\": \"arbitrary string value\" }`,
	`84`	`+ }`
	`85`	`+`
`79`	`86`	`return fields`
`80`	`87`	`}`
`81`	`88`