feat(auth): Add support for plugin to use oAuth to authenticate to Keyfactor Command

Author: spbsoluble

.github/workflows/release.yml

@@ -1,3 +1,6 @@
+- 1.4.0
+  - Added support for oAuth2 authentication to Keyfactor Command.
+
 - 1.3.1 
   - Fix for issue where plugin was not enforcing plugin-side role limitations for AllowedDomains and AllowSubDomains, and was relying exclusively on the certificate template for these values.
 

CHANGELOG.md

@@ -11,11 +11,11 @@ package keyfactor
 
 import (
 	"errors"
-	"fmt"
 	"log"
 	"strings"
 
-	"github.com/Keyfactor/keyfactor-go-client/api"
+	"github.com/Keyfactor/keyfactor-auth-client-go/auth_providers"
+	"github.com/Keyfactor/keyfactor-go-client/v3/api"
 )
 
 type keyfactorClient struct {
@@ -27,33 +27,58 @@ func newClient(config *keyfactorConfig) (*api.Client, error) {
 		return nil, errors.New("client configuration was nil")
 	}
 
-	if config.Username == "" {
-		return nil, errors.New("client username was not defined")
-	}
-
-	if config.Password == "" {
-		return nil, errors.New("client password was not defined")
-	}
-
 	if config.KeyfactorUrl == "" {
 		return nil, errors.New("client URL was not defined")
 	}
-	username := strings.Split(config.Username, "//")[1]
-	domain := strings.Split(config.Username, "//")[1]
 	hostname := config.KeyfactorUrl
 	if strings.HasPrefix(config.KeyfactorUrl, "http") {
 		hostname = strings.Split(config.KeyfactorUrl, "//")[1] //extract just the domain
 	}
 
-	var clientAuth api.AuthConfig
-	clientAuth.Username = username
-	clientAuth.Password = config.Password
-	clientAuth.Domain = domain
-	clientAuth.Hostname = hostname
+	isBasicAuth := config.Username != "" && config.Password != ""
+	isOAuth := (config.ClientId != "" && config.ClientSecret != "" && config.TokenUrl != "") || config.AccessToken != ""
+
+	if !isBasicAuth && !isOAuth {
+		return nil, errors.New(
+			"invalid Keyfactor Command client configuration, " +
+				"please provide a valid Basic auth or OAuth configuration",
+		)
+	}
 
-	fmt.Printf("clientAuth values: \n %s", clientAuth)
+	serverConfig := &auth_providers.Server{}
+	if isBasicAuth {
+		basicAuthConfig := &auth_providers.CommandAuthConfigBasic{}
+		_ = basicAuthConfig.WithCommandHostName(hostname).
+			WithCommandAPIPath(config.CommandAPIPath)
+
+		bErr := basicAuthConfig.
+			WithUsername(config.Username).
+			WithPassword(config.Password).
+			Authenticate()
+
+		if bErr != nil {
+			return nil, bErr
+		}
+		serverConfig = basicAuthConfig.GetServerConfig()
+	} else if isOAuth {
+		oauthConfig := &auth_providers.CommandConfigOauth{}
+		_ = oauthConfig.WithCommandHostName(hostname).
+			WithCommandAPIPath(config.CommandAPIPath)
+
+		oErr := oauthConfig.
+			WithClientId(config.ClientId).
+			WithClientSecret(config.ClientSecret).
+			WithTokenUrl(config.TokenUrl).
+			WithAccessToken(config.AccessToken).
+			Authenticate()
+
+		if oErr != nil {
+			return nil, oErr
+		}
+		serverConfig = oauthConfig.GetServerConfig()
+	}
 
-	c, err := api.NewKeyfactorClient(&clientAuth)
+	c, err := api.NewKeyfactorClient(serverConfig, nil)
 	if err != nil {
 		log.Fatalf("[ERROR] creating Keyfactor client: %s", err)
 	}

README.md

@@ -1,11 +1,14 @@
 module github.com/keyfactor/hashicorp-vault-secrets-engine
 
-go 1.20
+go 1.23
+
+toolchain go1.23.3
 
 require (
-	github.com/Keyfactor/keyfactor-go-client v1.2.0
+	github.com/Keyfactor/keyfactor-auth-client-go v1.0.0-rc.2
+	github.com/Keyfactor/keyfactor-go-client/v3 v3.0.0
 	github.com/hashicorp/errwrap v1.0.0
-	github.com/hashicorp/go-hclog v0.16.2
+	github.com/hashicorp/go-hclog v1.5.0
 	github.com/hashicorp/vault/api v1.1.1
 	github.com/hashicorp/vault/sdk v0.2.1
 )
@@ -14,7 +17,7 @@ require (
 	github.com/armon/go-metrics v0.3.3 // indirect
 	github.com/armon/go-radix v1.0.0 // indirect
 	github.com/cenkalti/backoff/v3 v3.0.0 // indirect
-	github.com/fatih/color v1.7.0 // indirect
+	github.com/fatih/color v1.13.0 // indirect
 	github.com/golang/protobuf v1.4.2 // indirect
 	github.com/golang/snappy v0.0.1 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.1 // indirect
@@ -29,27 +32,30 @@ require (
 	github.com/hashicorp/go-version v1.2.0 // indirect
 	github.com/hashicorp/golang-lru v0.5.3 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/hashicorp/terraform-plugin-log v0.9.0 // indirect
 	github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb // indirect
-	github.com/mattn/go-colorable v0.1.6 // indirect
-	github.com/mattn/go-isatty v0.0.12 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.19 // indirect
 	github.com/mitchellh/copystructure v1.0.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/go-testing-interface v1.0.0 // indirect
+	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/mapstructure v1.3.2 // indirect
 	github.com/mitchellh/reflectwalk v1.0.0 // indirect
 	github.com/oklog/run v1.0.0 // indirect
 	github.com/pierrec/lz4 v2.5.2+incompatible // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
-	github.com/spbsoluble/go-pkcs12 v0.3.1 // indirect
-	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
+	github.com/spbsoluble/go-pkcs12 v0.3.3 // indirect
+	go.mozilla.org/pkcs7 v0.9.0 // indirect
 	go.uber.org/atomic v1.6.0 // indirect
-	golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29 // indirect
-	golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 // indirect
-	golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
-	golang.org/x/text v0.3.6 // indirect
+	golang.org/x/crypto v0.11.0 // indirect
+	golang.org/x/net v0.10.0 // indirect
+	golang.org/x/oauth2 v0.23.0 // indirect
+	golang.org/x/sys v0.12.0 // indirect
+	golang.org/x/text v0.11.0 // indirect
 	golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 // indirect
 	google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013 // indirect
 	google.golang.org/grpc v1.29.1 // indirect
 	google.golang.org/protobuf v1.25.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 )