fixing TODOs

Venafi · Feb 27, 2020 · bbffdaf · bbffdaf
1 parent 1f6b2c1
commit bbffdaf
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 39 deletions.
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -37,8 +37,7 @@ services:
 #      - ./bin:/vault_plugin
 #      - ./Makefile:/Makefile
     entrypoint: /tools/wait-for-it.sh -t 20 -h consul -p 8500 -s -- vault server -config=/config/vault-config-with-consul.hcl -log-level=debug
-#TODO: this is a workaround to avoid internal network conflict, need to find a better solution when netwrok will not be in docker-compose file.
-networks:
+networks: # this is a workaround to avoid internal network conflict
   default:
     ipam:
       driver: default

diff --git a/plugin/pki/backend_test.go b/plugin/pki/backend_test.go
@@ -75,40 +75,42 @@ func checkStandartCert(t *testing.T, data testData) {
 	}
 
 	//TODO: cloud now have SAN support too. Have to implement it
-	if data.provider == "tpp" {
-		wantDNSNames := []string{data.cn, data.dns_ns, data.dns_ip}
-		haveDNSNames := parsedCertificate.DNSNames
-		ips := make([]net.IP, 0, 2)
-		if data.dns_ip != "" {
-			ips = append(ips, net.ParseIP(data.dns_ip))
-		}
-		if data.only_ip != "" {
-			ips = append(ips, net.ParseIP(data.only_ip))
-		}
-		if !SameStringSlice(haveDNSNames, wantDNSNames) {
-			t.Fatalf("Certificate Subject Alternative Names %s doesn't match to requested %s", haveDNSNames, wantDNSNames)
-		}
 
-		if !SameIpSlice(ips, parsedCertificate.IPAddresses) {
-			t.Fatalf("Certificate IPs %v doesn`t match requested %v", parsedCertificate.IPAddresses, ips)
+	wantDNSNames := []string{data.cn, data.dns_ns, data.dns_ip}
+
+	ips := make([]net.IP, 0, 2)
+	if data.dns_ip != "" {
+		ips = append(ips, net.ParseIP(data.dns_ip))
+	}
+	if data.only_ip != "" {
+		ips = append(ips, net.ParseIP(data.only_ip))
+	}
+	if !SameStringSlice(parsedCertificate.DNSNames, wantDNSNames) {
+		t.Fatalf("Certificate Subject Alternative Names %v doesn't match to requested %v", parsedCertificate.DNSNames, wantDNSNames)
+	}
+
+	if !SameIpSlice(ips, parsedCertificate.IPAddresses) {
+		t.Fatalf("Certificate IPs %v doesn`t match requested %v", parsedCertificate.IPAddresses, ips)
+	}
+	wantEmail := []string{data.dns_email}
+	if !SameStringSlice(parsedCertificate.EmailAddresses, wantEmail) {
+		t.Fatalf("Certificate emails %v doesn't match requested %v", parsedCertificate.EmailAddresses, wantEmail)
+	}
+	//TODO: in policies branch Cloud endpoint should start to populate O,C,L.. fields too
+	wantOrg := os.Getenv("CERT_O")
+	if wantOrg != "" {
+		var haveOrg string
+		if len(parsedCertificate.Subject.Organization) > 0 {
+			haveOrg = parsedCertificate.Subject.Organization[0]
+		} else {
+			t.Fatalf("Organization in certificate is empty.")
 		}
-		//TODO: check email too
-		//wantEmail := []string{data.dns_email}
-		//TODO: in policies branch Cloud endpoint should start to populate O,C,L.. fields too
-		wantOrg := os.Getenv("CERT_O")
-		if wantOrg != "" {
-			var haveOrg string
-			if len(parsedCertificate.Subject.Organization) > 0 {
-				haveOrg = parsedCertificate.Subject.Organization[0]
-			} else {
-				t.Fatalf("Organization in certificate is empty.")
-			}
-			log.Println("want and have", wantOrg, haveOrg)
-			if wantOrg != haveOrg {
-				t.Fatalf("Certificate Organization %s doesn't match to requested %s", haveOrg, wantOrg)
-			}
+		log.Println("want and have", wantOrg, haveOrg)
+		if wantOrg != haveOrg {
+			t.Fatalf("Certificate Organization %s doesn't match to requested %s", haveOrg, wantOrg)
 		}
 	}
+
 }
 
 func TestPKI_Fake_BaseEnroll(t *testing.T) {
@@ -536,7 +538,7 @@ func TestPKI_Cloud_CSRSign(t *testing.T) {
 }
 
 //TODO: have to add support of populating field in Cloud vcert ednpoint
-func DoNotRun_Cloud_RestrictedEnroll(t *testing.T) {
+func Test_Cloud_RestrictedEnroll(t *testing.T) {
 	data := testData{}
 	rand := randSeq(9)
 	domain := "vfidev.com"
@@ -594,3 +596,5 @@ func DoNotRun_Cloud_RestrictedEnroll(t *testing.T) {
 
 	checkStandartCert(t, data)
 }
+
+//todo: make test for key_password
diff --git a/plugin/pki/path_roles.go b/plugin/pki/path_roles.go
@@ -91,10 +91,9 @@ Example:
 				Description: `Set it to true to store certificates privates key in certificate fields`,
 			},
 			"chain_option": {
-				Type: framework.TypeString,
-				Description: `Specify ordering certificates in chain. Root can be "first" or
-            "last"`,
-				Default: "last",
+				Type:        framework.TypeString,
+				Description: `Specify ordering certificates in chain. Root can be "first" or "last"`,
+				Default:     "last",
 			},
 			"key_type": {
 				Type:    framework.TypeString,

diff --git a/plugin/pki/path_venafi_cert_enroll.go b/plugin/pki/path_venafi_cert_enroll.go
@@ -36,6 +36,10 @@ func pathVenafiCertEnroll(b *backend) *framework.Path {
 				Type:        framework.TypeCommaStringSlice,
 				Description: "The requested IP SANs, if any, in a comma-delimited list",
 			},
+			"key_password": {
+				Type:        framework.TypeString,
+				Description: "Password for encrypting private key",
+			},
 		},
 		Callbacks: map[logical.Operation]framework.OperationFunc{
 			logical.UpdateOperation: b.pathVenafiIssue,
@@ -143,8 +147,8 @@ func (b *backend) pathVenafiCertObtain(ctx context.Context, req *logical.Request
 			Subject: pkix.Name{
 				CommonName: commonName,
 			},
-			CsrOrigin: certificate.LocalGeneratedCSR,
-			//TODO: add key password support
+			CsrOrigin:   certificate.LocalGeneratedCSR,
+			KeyPassword: data.Get("key_password").(string),
 		}
 		ipSet := make(map[string]struct{})
 		nameSet := make(map[string]struct{})