package pki
import (
"context"
"fmt"
"github.com/Venafi/vcert/v4"
"github.com/Venafi/vcert/v4/pkg/endpoint"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
"io/ioutil"
"time"
)
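// ClientVenafi builds a vcert connector for the named role and returns it
// together with the role's ServerTimeout.
//
// The s and data parameters are accepted for signature compatibility but are
// not read; storage is accessed through req.Storage. The role is loaded here
// (and again inside getConfig) because its ServerTimeout is part of the
// return value. getConfig is called with includeRefreshToken=false, so the
// resulting config carries no refresh token.
//
// Returns an error when roleName is empty, the role does not exist, the
// config cannot be built, or vcert rejects the config. The vcert error is
// wrapped so callers can inspect it with errors.Is/errors.As.
func (b *backend) ClientVenafi(ctx context.Context, s logical.Storage, data *framework.FieldData, req *logical.Request, roleName string) (
	endpoint.Connector, time.Duration, error) {
	b.Logger().Debug(fmt.Sprintf("Using role: %s", roleName))
	if roleName == "" {
		return nil, 0, fmt.Errorf("missing role name")
	}

	role, err := b.getRole(ctx, req.Storage, roleName)
	if err != nil {
		return nil, 0, err
	}
	if role == nil {
		// Report the requested name; formatting the nil role value here
		// would only print "<nil>".
		return nil, 0, fmt.Errorf("unknown role %q", roleName)
	}

	cfg, err := b.getConfig(ctx, req, roleName, false)
	if err != nil {
		return nil, 0, err
	}

	client, err := vcert.NewClient(cfg)
	if err != nil {
		return nil, 0, fmt.Errorf("failed to get Venafi issuer client: %w", err)
	}
	return client, role.ServerTimeout, nil
}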
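// getConfig assembles the vcert.Config for the named role from the role and
// the Venafi secret it references.
//
// Connector selection, in priority order: Fakemode (replaces the whole
// config with a fake connector; URL, zone and trust bundle are dropped); TPP
// with user/password; TPP with access token (the refresh token is only
// copied in when includeRefreshToken is true, so callers that do not need it
// never hold it); Cloud with API key. Any other combination is an error.
// A zone set on the role overrides the zone of the Venafi secret. When the
// secret names a trust bundle file, its PEM content is read from disk and
// placed in ConnectionTrust.
//
// Only URL, zone and file path are written to the debug log; credentials
// are never logged.
//
// Returns an error when roleName is empty, the role or secret is missing,
// the trust bundle cannot be read, or no credential combination matches.
func (b *backend) getConfig(ctx context.Context, req *logical.Request, roleName string, includeRefreshToken bool) (*vcert.Config, error) {
	b.Logger().Debug(fmt.Sprintf("Using role: %s", roleName))
	if roleName == "" {
		return nil, fmt.Errorf("missing role name")
	}

	role, err := b.getRole(ctx, req.Storage, roleName)
	if err != nil {
		return nil, err
	}
	if role == nil {
		// Report the requested name; the nil role value would print "<nil>".
		return nil, fmt.Errorf("unknown role %q", roleName)
	}

	venafiSecret, err := b.getVenafiSecret(ctx, req.Storage, role.VenafiSecret)
	if err != nil {
		return nil, err
	}
	if venafiSecret == nil {
		return nil, fmt.Errorf("unknown venafi secret %v", role.VenafiSecret)
	}

	var trustBundlePEM string
	if venafiSecret.TrustBundleFile != "" {
		// Constant format string: the path comes from stored configuration,
		// and passing it as the format would let any '%' in it be parsed as
		// a verb (go vet flags the non-constant form).
		b.Logger().Debug(fmt.Sprintf("Reading trust bundle from file: %s", venafiSecret.TrustBundleFile))
		trustBundle, err := ioutil.ReadFile(venafiSecret.TrustBundleFile)
		if err != nil {
			return nil, fmt.Errorf("reading trust bundle %q: %w", venafiSecret.TrustBundleFile, err)
		}
		trustBundlePEM = string(trustBundle)
	}

	// A zone declared on the role takes priority over the zone in the secret.
	zone := venafiSecret.Zone
	if role.Zone != "" {
		b.Logger().Debug(fmt.Sprintf("Using role zone: [%s]. Overrides venafi Secret zone: [%s]", role.Zone, venafiSecret.Zone))
		zone = role.Zone
	} else {
		b.Logger().Debug(fmt.Sprintf("Using venafi secret zone: [%s]. Role zone not found. ", venafiSecret.Zone))
	}

	cfg := &vcert.Config{
		BaseUrl:    venafiSecret.URL,
		Zone:       zone,
		LogVerbose: true,
	}
	if trustBundlePEM != "" {
		cfg.ConnectionTrust = trustBundlePEM
	}

	switch {
	case venafiSecret.Fakemode:
		b.Logger().Debug("Using fakemode to issue certificate")
		// The fake connector gets a fresh config: no URL, zone or trust anchors.
		cfg = &vcert.Config{
			ConnectorType: endpoint.ConnectorTypeFake,
			LogVerbose:    true,
		}
	case venafiSecret.URL != "" && venafiSecret.TppUser != "" && venafiSecret.TppPassword != "":
		b.Logger().Debug(fmt.Sprintf("Using Venafi Platform with URL %s to issue certificate", venafiSecret.URL))
		cfg.ConnectorType = endpoint.ConnectorTypeTPP
		cfg.Credentials = &endpoint.Authentication{
			User:     venafiSecret.TppUser,
			Password: venafiSecret.TppPassword,
		}
	case venafiSecret.URL != "" && venafiSecret.AccessToken != "":
		b.Logger().Debug(fmt.Sprintf("Using Venafi Platform with URL %s to issue certificate", venafiSecret.URL))
		cfg.ConnectorType = endpoint.ConnectorTypeTPP
		// The refresh token is long-lived; hand it out only on request.
		var refreshToken string
		if includeRefreshToken {
			refreshToken = venafiSecret.RefreshToken
		}
		cfg.Credentials = &endpoint.Authentication{
			AccessToken:  venafiSecret.AccessToken,
			RefreshToken: refreshToken,
		}
	case venafiSecret.Apikey != "":
		b.Logger().Debug("Using Venafi Cloud to issue certificate")
		cfg.ConnectorType = endpoint.ConnectorTypeCloud
		cfg.Credentials = &endpoint.Authentication{
			APIKey: venafiSecret.Apikey,
		}
	default:
		return nil, fmt.Errorf("failed to build config for Venafi issuer")
	}

	// The trailing "err != nil" check of the original was unreachable: the
	// last assignment to the outer err was already handled above.
	return cfg, nil
}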