package pki
import (
"context"
"fmt"
"github.com/Venafi/vcert/v4"
"github.com/Venafi/vcert/v4/pkg/endpoint"
"github.com/hashicorp/vault/sdk/logical"
"io/ioutil"
"time"
)
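// ClientVenafi builds a vcert connector for the Venafi secret referenced by
// role and returns it together with the vcert.Config it was built from and
// the role's ServerTimeout.
//
// The config is requested with includeRefreshToken=false, so the refresh
// token stored in the secret is not copied into the connector credentials.
// Errors from getConfig are returned unchanged; a vcert.NewClient failure is
// wrapped with %w so callers can still inspect the cause with errors.Is/As.
func (b *backend) ClientVenafi(ctx context.Context, req *logical.Request, role *roleEntry) (
	endpoint.Connector, *vcert.Config, time.Duration, error) {
	cfg, err := b.getConfig(ctx, req, role, false)
	if err != nil {
		return nil, nil, 0, err
	}
	client, err := vcert.NewClient(cfg)
	if err != nil {
		// %w instead of %s keeps the underlying error in the chain.
		return nil, nil, 0, fmt.Errorf("failed to get Venafi issuer client: %w", err)
	}
	return client, cfg, role.ServerTimeout, nil
}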
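// getConfig assembles the vcert.Config used to reach the Venafi backend
// (TPP, Cloud or the fake connector) named by the role's Venafi secret.
//
// Precedence, as implemented below:
//   - role.Zone overrides the secret's Zone when set;
//   - Fakemode wins over every real connector and yields a bare fake config
//     (BaseUrl, Zone and trust bundle are intentionally not carried over);
//   - otherwise TPP user/password, then TPP access token, then Cloud API key.
//
// includeRefreshToken controls whether the secret's RefreshToken is copied
// into the TPP access-token credentials.
//
// Returns an error when the secret is unknown, the trust bundle file cannot
// be read, or none of the credential combinations is present.
func (b *backend) getConfig(ctx context.Context, req *logical.Request, role *roleEntry, includeRefreshToken bool) (*vcert.Config, error) {
	venafiSecret, err := b.getVenafiSecret(ctx, req.Storage, role.VenafiSecret)
	if err != nil {
		return nil, err
	}
	if venafiSecret == nil {
		return nil, fmt.Errorf("unknown venafi secret %v", role.VenafiSecret)
	}

	// Optional CA bundle the connector will trust. The path comes from the
	// stored secret, i.e. it is operator-controlled configuration.
	var trustBundlePEM string
	if venafiSecret.TrustBundleFile != "" {
		// Plain concatenation: the path is data, not a format string, so a
		// literal '%' in it must not be interpreted by fmt (go vet flags the
		// previous non-constant Sprintf format).
		b.Logger().Debug("Reading trust bundle from file: " + venafiSecret.TrustBundleFile)
		trustBundle, err := ioutil.ReadFile(venafiSecret.TrustBundleFile)
		if err != nil {
			return nil, err
		}
		trustBundlePEM = string(trustBundle)
	}

	// A zone declared on the role takes priority over the secret's zone.
	zone := venafiSecret.Zone
	if role.Zone != "" {
		b.Logger().Debug(fmt.Sprintf("Using role zone: [%s]. Overrides venafi Secret zone: [%s]", role.Zone, venafiSecret.Zone))
		zone = role.Zone
	} else {
		b.Logger().Debug(fmt.Sprintf("Using venafi secret zone: [%s]. Role zone not found. ", venafiSecret.Zone))
	}

	if venafiSecret.Fakemode {
		// The fake connector gets no endpoint, zone or trust material; the
		// values computed above are deliberately dropped, as before.
		b.Logger().Debug("Using fakemode to issue certificate")
		return &vcert.Config{
			ConnectorType: endpoint.ConnectorTypeFake,
			LogVerbose:    true,
		}, nil
	}

	cfg := &vcert.Config{
		BaseUrl:    venafiSecret.URL,
		Zone:       zone,
		LogVerbose: true,
		// Empty when no trust bundle was configured, which is the field's
		// zero value anyway.
		ConnectionTrust: trustBundlePEM,
	}

	// Credential selection. Only the URL is logged; user names, passwords,
	// tokens and API keys are kept out of the debug output.
	switch {
	case venafiSecret.URL != "" && venafiSecret.TppUser != "" && venafiSecret.TppPassword != "":
		b.Logger().Debug(fmt.Sprintf("Using Venafi Platform with URL %s to issue certificate", venafiSecret.URL))
		cfg.ConnectorType = endpoint.ConnectorTypeTPP
		cfg.Credentials = &endpoint.Authentication{
			User:     venafiSecret.TppUser,
			Password: venafiSecret.TppPassword,
		}
	case venafiSecret.URL != "" && venafiSecret.AccessToken != "":
		b.Logger().Debug(fmt.Sprintf("Using Venafi Platform with URL %s to issue certificate", venafiSecret.URL))
		cfg.ConnectorType = endpoint.ConnectorTypeTPP
		// The refresh token is only attached when the caller asks for it.
		var refreshToken string
		if includeRefreshToken {
			refreshToken = venafiSecret.RefreshToken
		}
		cfg.Credentials = &endpoint.Authentication{
			AccessToken:  venafiSecret.AccessToken,
			RefreshToken: refreshToken,
		}
	case venafiSecret.Apikey != "":
		b.Logger().Debug("Using Venafi Cloud to issue certificate")
		cfg.ConnectorType = endpoint.ConnectorTypeCloud
		cfg.Credentials = &endpoint.Authentication{
			APIKey: venafiSecret.Apikey,
		}
	default:
		return nil, fmt.Errorf("failed to build config for Venafi issuer")
	}

	// The former trailing `if err != nil` was unreachable: err here is the
	// getVenafiSecret error already checked above (the ReadFile error is a
	// shadowed variable scoped to its if block), so it has been removed.
	return cfg, nil
}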