updated readme, cleanedup logs, completed testing

Author: joevanwanzeeleKF

backend.go

@@ -25,7 +25,9 @@ import (
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
-//var config map[string]string
+const (
+	operationPrefixKeyfactor string = "keyfactor"
+)
 
 // Factory configures and returns backend
 func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
@@ -66,9 +68,10 @@ func backend() *keyfactorBackend {
 			pathCA(&b),
 			pathCerts(&b),
 		),
-		Secrets:     []*framework.Secret{},
-		BackendType: logical.TypeLogical,
-		Invalidate:  b.invalidate,
+		Secrets:        []*framework.Secret{},
+		BackendType:    logical.TypeLogical,
+		Invalidate:     b.invalidate,
+		InitializeFunc: b.Initialize,
 	}
 	return &b
 }
@@ -83,6 +86,15 @@ func (b *keyfactorBackend) reset() {
 
 }
 
+func (b *keyfactorBackend) Initialize(ctx context.Context, req *logical.InitializationRequest) error {
+	b.configLock.RLock()
+	defer b.configLock.RUnlock()
+	if req == nil {
+		return fmt.Errorf("initialization request is nil")
+	}
+	return nil
+}
+
 // invalidate clears an existing client configuration in
 // the backend
 func (b *keyfactorBackend) invalidate(ctx context.Context, key string) {
@@ -110,7 +122,7 @@ func (b *keyfactorBackend) getClient(ctx context.Context, s logical.Storage) (*k
 		return nil, errors.New("configuration is empty")
 	}
 
-	b.client, err = newClient(config)
+	b.client, err = newClient(config, b)
 	if err != nil {
 		return nil, err
 	}
@@ -138,11 +150,11 @@ func (b *keyfactorBackend) submitCSR(ctx context.Context, req *logical.Request,
 	}
 
 	b.Logger().Debug("Closing idle connections")
-	b.client.httpClient.CloseIdleConnections()
+	client.httpClient.CloseIdleConnections()
 
 	// build request parameter structure
 
-	url := config.KeyfactorUrl + "/KeyfactorAPI/Enrollment/CSR"
+	url := config.KeyfactorUrl + "/" + config.CommandAPIPath + "/Enrollment/CSR"
 	b.Logger().Debug("url: " + url)
 	bodyContent := "{\"CSR\": \"" + csr + "\",\"CertificateAuthority\":\"" + caName + "\",\"IncludeChain\": true, \"Metadata\": {}, \"Timestamp\": \"" + time + "\",\"Template\": \"" + templateName + "\",\"SANs\": {}}"
 	payload := strings.NewReader(bodyContent)

cert_util.go

@@ -180,7 +180,7 @@ func getCAId(ctx context.Context, req *logical.Request, b *keyfactorBackend) (st
 
 	// Build request
 
-	url := config.KeyfactorUrl + "/KeyfactorAPI/Certificates?pq.queryString=CA%20-eq%20%22" + ca_name + "%22%20AND%20CertState%20-eq%20%226%22" // CertState 6 = cert
+	url := config.KeyfactorUrl + "/" + config.CommandAPIPath + "/Certificates?pq.queryString=CA%20-eq%20%22" + ca_name + "%22%20AND%20CertState%20-eq%20%226%22" // CertState 6 = cert
 	b.Logger().Debug("url: " + url)
 	httpReq, err := http.NewRequest("GET", url, nil)
 	if err != nil {
@@ -256,8 +256,6 @@ func fetchCertFromKeyfactor(ctx context.Context, req *logical.Request, b *keyfac
 	if config == nil {
 		return "", errors.New("unable to load configuration")
 	}
-	// creds := config.Username + ":" + config.Password
-	// encCreds := b64.StdEncoding.EncodeToString([]byte(creds))
 
 	// get the client
 	client, err := b.getClient(ctx, req.Storage)
@@ -274,7 +272,7 @@ func fetchCertFromKeyfactor(ctx context.Context, req *logical.Request, b *keyfac
 	}
 
 	// Build request
-	url := config.KeyfactorUrl + "/KeyfactorAPI/Certificates/Download"
+	url := config.KeyfactorUrl + "Certificates/Download"
 	b.Logger().Debug("url: " + url)
 	bodyContent := fmt.Sprintf(`{"CertID": %s, "IncludeChain": %s }`, kfCertId, include)
 	payload := strings.NewReader(bodyContent)
@@ -319,7 +317,7 @@ func fetchCertFromKeyfactor(ctx context.Context, req *logical.Request, b *keyfac
 }
 
 // Allows fetching certificates from the backend; it handles the slightly
-// separate pathing for CA, CRL, and revoked certificates.
+// separate pathing for CA and revoked certificates.
 func fetchCertBySerial(ctx context.Context, req *logical.Request, prefix, serial string) (*logical.StorageEntry, error) {
 	var path, legacyPath string
 	var err error

client.go

@@ -12,7 +12,6 @@ package kfbackend
 import (
 	"errors"
 	"fmt"
-	"log"
 	"net/http"
 
 	"github.com/Keyfactor/keyfactor-auth-client-go/auth_providers"
@@ -22,7 +21,7 @@ type keyfactorClient struct {
 	httpClient *http.Client
 }
 
-func newClient(config *keyfactorConfig) (*keyfactorClient, error) {
+func newClient(config *keyfactorConfig, b *keyfactorBackend) (*keyfactorClient, error) {
 	client := new(keyfactorClient)
 
 	if config == nil {
@@ -49,6 +48,8 @@ func newClient(config *keyfactorConfig) (*keyfactorClient, error) {
 	basicAuthConfig := &auth_providers.CommandAuthConfigBasic{}
 
 	if isBasicAuth {
+		b.Logger().Debug(fmt.Sprintf("using basic auth with username %s, domain %s and password (hidden)", config.Username, config.Domain))
+
 		basicAuthConfig.WithCommandHostName(hostname).
 			WithCommandAPIPath(config.CommandAPIPath).
 			WithSkipVerify(config.SkipTLSVerify).
@@ -61,20 +62,22 @@ func newClient(config *keyfactorConfig) (*keyfactorClient, error) {
 
 		if bErr != nil {
 			errMsg := fmt.Sprintf("[ERROR] unable to authenticate with provided basic auth credentials: %s", bErr.Error())
-			log.Fatal(errMsg)
+			b.Logger().Error(errMsg)
 			return nil, bErr
+		} else {
+			b.Logger().Debug("successfully authenticated using basic auth")
 		}
 
 		client.httpClient, bErr = basicAuthConfig.GetHttpClient()
 
 		if bErr != nil {
 			errMsg := fmt.Sprintf("[ERROR] there was an error retreiving the basic auth http client: %s", bErr.Error())
-			log.Fatal(errMsg)
+			b.Logger().Error(errMsg)
 			return nil, bErr
 		}
 
 	} else if isOAuth {
-
+		b.Logger().Debug(fmt.Sprintf("using oAuth authentication with client_id: %s, token_url %s and client_secret: (hidden)", config.ClientId, config.TokenUrl))
 		_ = oAuthConfig.WithCommandHostName(hostname).
 			WithCommandAPIPath(config.CommandAPIPath).
 			WithSkipVerify(config.SkipTLSVerify).
@@ -89,14 +92,14 @@ func newClient(config *keyfactorConfig) (*keyfactorClient, error) {
 
 		if oErr != nil {
 			errMsg := fmt.Sprintf("[ERROR] unable to authenticate with provided oAuth credentials: %s", oErr.Error())
-			log.Fatal(errMsg)
+			b.Logger().Error(errMsg)
 			return nil, oErr
 		}
 
 		client.httpClient, oErr = oAuthConfig.GetHttpClient()
 		if oErr != nil {
 			errMsg := fmt.Sprintf("[ERROR] there was an error retreiving the oAuth http client: %s", oErr.Error())
-			log.Fatal(errMsg)
+			b.Logger().Error(errMsg)
 			return nil, oErr
 		}
 	}

fields.go

@@ -79,167 +79,6 @@ be larger than the role max TTL.`,
 	return fields
 }
 
-// addCACommonFields adds fields with help text specific to CA
-// certificate issuing and signing
-// func addCACommonFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
-// 	fields = addIssueAndSignCommonFields(fields)
-
-// 	fields["alt_names"] = &framework.FieldSchema{
-// 		Type: framework.TypeString,
-// 		Description: `The requested Subject Alternative Names, if any,
-// in a comma-delimited list. May contain both
-// DNS names and email addresses.`,
-// 		DisplayAttrs: &framework.DisplayAttributes{
-// 			Name: "DNS/Email Subject Alternative Names (SANs)",
-// 		},
-// 	}
-
-// 	fields["common_name"] = &framework.FieldSchema{
-// 		Type: framework.TypeString,
-// 		Description: `The requested common name; if you want more than
-// one, specify the alternative names in the alt_names
-// map. If not specified when signing, the common
-// name will be taken from the CSR; other names
-// must still be specified in alt_names or ip_sans.`,
-// 	}
-
-// 	fields["ttl"] = &framework.FieldSchema{
-// 		Type: framework.TypeDurationSecond,
-// 		Description: `The requested Time To Live for the certificate;
-// sets the expiration date. If not specified
-// the role default, backend default, or system
-// default TTL is used, in that order. Cannot
-// be larger than the mount max TTL. Note:
-// this only has an effect when generating
-// a CA cert or signing a CA cert, not when
-// generating a CSR for an intermediate CA.`,
-// 		DisplayAttrs: &framework.DisplayAttributes{
-// 			Name: "TTL",
-// 		},
-// 	}
-
-// 	fields["ou"] = &framework.FieldSchema{
-// 		Type: framework.TypeCommaStringSlice,
-// 		Description: `If set, OU (OrganizationalUnit) will be set to
-// this value.`,
-// 		DisplayAttrs: &framework.DisplayAttributes{
-// 			Name: "OU (Organizational Unit)",
-// 		},
-// 	}
-
-// 	fields["organization"] = &framework.FieldSchema{
-// 		Type: framework.TypeCommaStringSlice,
-// 		Description: `If set, O (Organization) will be set to
-// this value.`,
-// 	}
-
-// 	fields["country"] = &framework.FieldSchema{
-// 		Type: framework.TypeCommaStringSlice,
-// 		Description: `If set, Country will be set to
-// this value.`,
-// 	}
-
-// 	fields["locality"] = &framework.FieldSchema{
-// 		Type: framework.TypeCommaStringSlice,
-// 		Description: `If set, Locality will be set to
-// this value.`,
-// 		DisplayAttrs: &framework.DisplayAttributes{
-// 			Name: "Locality/City",
-// 		},
-// 	}
-
-// 	fields["province"] = &framework.FieldSchema{
-// 		Type: framework.TypeCommaStringSlice,
-// 		Description: `If set, Province will be set to
-// this value.`,
-// 		DisplayAttrs: &framework.DisplayAttributes{
-// 			Name: "Province/State",
-// 		},
-// 	}
-
-// 	fields["street_address"] = &framework.FieldSchema{
-// 		Type: framework.TypeCommaStringSlice,
-// 		Description: `If set, Street Address will be set to
-// this value.`,
-// 		DisplayAttrs: &framework.DisplayAttributes{
-// 			Name: "Street Address",
-// 		},
-// 	}
-
-// 	fields["postal_code"] = &framework.FieldSchema{
-// 		Type: framework.TypeCommaStringSlice,
-// 		Description: `If set, Postal Code will be set to
-// this value.`,
-// 		DisplayAttrs: &framework.DisplayAttributes{
-// 			Name: "Postal Code",
-// 		},
-// 	}
-
-// 	fields["serial_number"] = &framework.FieldSchema{
-// 		Type: framework.TypeString,
-// 		Description: `The requested serial number, if any. If you want
-// more than one, specify alternative names in
-// the alt_names map using OID 2.5.4.5.`,
-// 	}
-
-// 	return fields
-// }
-
-// // addCAKeyGenerationFields adds fields with help text specific to CA key
-// // generation and exporting
-// func addCAKeyGenerationFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
-// 	fields["exported"] = &framework.FieldSchema{
-// 		Type: framework.TypeString,
-// 		Description: `Must be "internal" or "exported". If set to
-// "exported", the generated private key will be
-// returned. This is your *only* chance to retrieve
-// the private key!`,
-// 	}
-
-// 	fields["key_bits"] = &framework.FieldSchema{
-// 		Type:    framework.TypeInt,
-// 		Default: 2048,
-// 		Description: `The number of bits to use. You will almost
-// certainly want to change this if you adjust
-// the key_type.`,
-// 		DisplayAttrs: &framework.DisplayAttributes{
-// 			Value: 2048,
-// 		},
-// 	}
-
-// 	fields["key_type"] = &framework.FieldSchema{
-// 		Type:    framework.TypeString,
-// 		Default: "rsa",
-// 		Description: `The type of key to use; defaults to RSA. "rsa"
-// and "ec" are the only valid values.`,
-// 		AllowedValues: []interface{}{"rsa", "ec"},
-// 		DisplayAttrs: &framework.DisplayAttributes{
-// 			Value: "rsa",
-// 		},
-// 	}
-// 	return fields
-// }
-
-// addCAIssueFields adds fields common to CA issuing, e.g. when returning
-// an actual certificate
-// func addCAIssueFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
-// 	fields["max_path_length"] = &framework.FieldSchema{
-// 		Type:        framework.TypeInt,
-// 		Default:     -1,
-// 		Description: "The maximum allowable path length",
-// 	}
-
-// 	fields["permitted_dns_domains"] = &framework.FieldSchema{
-// 		Type:        framework.TypeCommaStringSlice,
-// 		Description: `Domains for which this certificate is allowed to sign or issue child certificates. If set, all DNS names (subject and alt) on child certs must be exact matches or subsets of the given domains (see https://tools.ietf.org/html/rfc5280#section-4.2.1.10).`,
-// 		DisplayAttrs: &framework.DisplayAttributes{
-// 			Name: "Permitted DNS Domains",
-// 		},
-// 	}
-
-// 	return fields
-// }
-
 func addRoleFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
 
 	fields["name"] = &framework.FieldSchema{

images/configread.png

@@ -63,10 +63,6 @@ func (b *keyfactorBackend) pathFetchCa(ctx context.Context, req *logical.Request
 		serial = "ca"
 	}
 
-	if len(serial) == 0 {
-		response = logical.ErrorResponse("The serial number must be provided")
-	}
-
 	if serial == "ca" {
 		return fetchCAInfo(ctx, req, b)
 	}