Finished testing. Updated documentation.

Author: joevanwanzeeleKF

.gitignore

@@ -8,3 +8,4 @@ Keyfactor Vault Secrets Engine Guide.docx
 Makefile
 sample_config.json
 README.md
+README.md

backend.go

@@ -23,10 +23,9 @@ import (
 
 const (
 	operationPrefixKeyfactor string = "keyfactor"
+	PluginVersion                   = "1.4.2" // this should match the release version of the plugin
 )
 
-const PluginVersion = "1.4.2" // this should match the release version of the plugin
-
 // Factory configures and returns backend
 func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
 
@@ -109,7 +108,7 @@ func (b *keyfactorBackend) getClient(ctx context.Context, s logical.Storage) (*k
 	defer b.configLock.RUnlock()
 
 	if b.client != nil {
-		b.Logger().Debug("closing idle connections before returning existing client")
+		b.Logger().Trace("returning existing client")
 		return b.client, nil
 	}
 
@@ -130,5 +129,5 @@ func (b *keyfactorBackend) getClient(ctx context.Context, s logical.Storage) (*k
 }
 
 const keyfactorHelp = `
-The Keyfactor backend is a pki service that issues and manages certificates.
+The Keyfactor backend is a pki service that issues and manages certificates via the Keyfactor Command platform.
 `

cert_util.go

@@ -22,6 +22,7 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
+	"io"
 	"net"
 	"strings"
 	"time"
@@ -128,15 +129,24 @@ func (b *keyfactorBackend) submitCSR(ctx context.Context, req *logical.Request,
 
 	b.Logger().Debug("setting parameters on the request.. ")
 
-	apiRequest := client.V1.EnrollmentApi.NewCreateEnrollmentCSRRequest(ctx).EnrollmentCSREnrollmentRequest(enrollmentRequest).XCertificateformat("PEM")
+	apiRequest := client.V1.EnrollmentApi.NewCreateEnrollmentCSRRequest(ctx).ForceEnroll(true).EnrollmentCSREnrollmentRequest(enrollmentRequest).XCertificateformat("PEM")
 
 	b.Logger().Debug("about to connect to " + config.KeyfactorUrl + " with Keyfactor client for CSR submission")
 
 	resData, httpRes, err := apiRequest.Execute()
 
 	if err != nil || httpRes.StatusCode != 200 {
-		b.Logger().Error(fmt.Sprintf("there was an error performing CSR enrollment.  HttpStatusCode: %d, error: %s", httpRes.StatusCode, err))
-		return nil, "", err
+		body, bodyErr := io.ReadAll(httpRes.Body)
+		errMsg := ""
+
+		if bodyErr != nil {
+			b.Logger().Error(fmt.Sprintf("there was an error reading the response body: %v", bodyErr))
+			errMsg = err.Error()
+		} else {
+			errMsg = string(body)
+		}
+		b.Logger().Error(fmt.Sprintf("there was an error performing CSR enrollment.  HttpStatusCode: %d, error: %s", httpRes.StatusCode, errMsg))
+		return nil, "", fmt.Errorf(errMsg)
 	}
 
 	// Read certificates from response
@@ -389,19 +399,17 @@ func fetchCertIssuedByCA(ctx context.Context, req *logical.Request, b *keyfactor
 
 	//caName = strings.Replace(caName, " ", "%20", -1)
 
-	getCertRequest := v1.ApiGetCertificatesRequest{}
-	getCertRequest.QueryString("CA -eq " + caName)
-	getCertRequest.ReturnLimit(1)
-
 	// Send request and check status
-	b.Logger().Debug("calling API with query string %s for cert retrieval", getCertRequest.QueryString)
 
-	apiRequest := client.V1.CertificateApi.NewGetCertificatesRequest(ctx)
+	b.Logger().Debug(fmt.Sprintf("calling API with to fetch cert issued by %s", caName))
+
+	certs, httpResponse, err := client.V1.CertificateApi.NewGetCertificatesRequest(ctx).QueryString("CA -eq \"" + caName + "\"").ReturnLimit(1).Execute()
 
-	certs, httpResponse, err := apiRequest.ApiService.GetCertificatesExecute(getCertRequest)
+	//certs, httpResponse, err := apiRequest.Execute()
 
 	if err != nil {
-		b.Logger().Info(fmt.Sprintf("failed getting cert: %s", err.Error()))
+		b.Logger().Error(fmt.Sprintf("failed to retreive cert: %s", err.Error()))
+		b.Logger().Debug(fmt.Sprintf("http status code: %d, http response: %s", httpResponse.StatusCode, httpResponse.Body))
 		return nil, err
 	}
 
@@ -411,7 +419,7 @@ func fetchCertIssuedByCA(ctx context.Context, req *logical.Request, b *keyfactor
 		return nil, fmt.Errorf("error downloading certificate. returned status = %d\n %s", httpResponse.StatusCode, httpResponse.Body)
 	}
 
-	b.Logger().Debug("response = ", certs)
+	b.Logger().Debug(fmt.Sprintf("cert issued by CA response: %s", certs))
 
 	if len(certs) == 0 {
 		return nil, fmt.Errorf("no certificates issued by CA %s found in Command.  At least 1 must exist in order to retreive the CA or CA chain certificate(s)", caName)
@@ -434,8 +442,6 @@ func fetchChainAndCAForCert(ctx context.Context, req *logical.Request, b *keyfac
 	if err != nil {
 		b.Logger().Error("unable to create the http client")
 	}
-	// This is only needed when running as a vault extension
-	b.Logger().Debug("Closing idle connections")
 
 	// Build request
 

installation.txt

@@ -23,8 +23,7 @@ sha256 checksum: <checksum>
 
 	> vault secrets enable <instance name>
 
-6) test the connection by requesting the ca
-
+6) test the connection by requesting the CA (the CA certificate will need to exist in the Command database)
 	> vault read <instance name>/ca
 
 

readme_source.md

@@ -596,7 +596,10 @@ instance of the plugin is named "keyfactor".
 ### Read CA cert
 
 `vault read keyfactor/ca ca=<ca name>`
+> Note: The certificate for the CA needs to have been imported into Command for this endpoint to return the CA Certificate
 
 ### Read CA chain
 
 `vault read keyfactor/ca_chain ca=<ca name>`
+> Note: _All_ certificates in the chain need to have been imported into Command for this endpoint to return the CA Certificate Chain
+