Merge pull request #68 from Venafi/VEN-54285-fix

Vault Monitor - Add option to limit import to certificates that are non-compliant with Venafi policy
Venafi · Jan 22, 2021 · c511cac · c511cac
2 parents 8a4287f + 8c4f256
commit c511cac
Show file tree

Hide file tree

Showing 8 changed files with 486 additions and 42 deletions.
diff --git a/Makefile b/Makefile
@@ -189,4 +189,4 @@ mount_docker:
 	$(VAULT_CMD) secrets enable -path=$(MOUNT) -plugin-name=$(PLUGIN_NAME) plugin
 
 linter:
-	golangci-lint run
+	golangci-lint run --timeout 3m0s
diff --git a/go.mod b/go.mod
@@ -15,7 +15,7 @@ require (
 	github.com/ryanuber/go-glob v1.0.0
 	golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9
 	golang.org/x/net v0.0.0-20200602114024-627f9648deb9
-	gotest.tools/gotestsum v0.6.0 // indirect
+	gotest.tools/gotestsum v1.6.1 // indirect
 )
 
 replace github.com/hashicorp/vault/api => github.com/hashicorp/vault/api v0.0.0-20200718022110-340cc2fa263f

diff --git a/plugin/pki/path_import_queue.go b/plugin/pki/path_import_queue.go
@@ -29,6 +29,7 @@ type Job struct {
 	ctx        context.Context
 	//req        *logical.Request
 	storage *logical.Storage
+	importOnlyNonCompliant bool
 }
 
 // This returns the list of queued for import to TPP certificates
@@ -96,7 +97,7 @@ func (b *backend) pathUpdateImportQueue(ctx context.Context, req *logical.Reques
 	return logical.ListResponse(entries), nil
 }
 
-func (b *backend) fillImportQueueTask(roleName string, policyName string, noOfWorkers int, storage logical.Storage, conf *logical.BackendConfig) {
+func (b *backend) fillImportQueueTask(roleName string, policyName string, noOfWorkers int, storage logical.Storage, importOnlyNonCompliant bool, conf *logical.BackendConfig) {
 	ctx := context.Background()
 	jobs := make(chan Job, 100)
 	replicationState := conf.System.ReplicationState()
@@ -146,6 +147,7 @@ func (b *backend) fillImportQueueTask(roleName string, policyName string, noOfWo
 			policyName: policyName,
 			storage:    &storage,
 			ctx:        ctx,
+			importOnlyNonCompliant: importOnlyNonCompliant,
 		}
 		jobs <- job
 	}
@@ -203,7 +205,10 @@ func (b *backend) controlImportQueue(conf *logical.BackendConfig) {
 		}
 		b.taskStorage.register(fillQueuePrefix+roleName, func() {
 			log.Printf("%s run queue filler %s", logPrefixVenafiImport, roleName)
-			b.fillImportQueueTask(roleName, policyMap.Roles[roleName].ImportPolicy, policyConfig.VenafiImportWorkers, b.storage, conf)
+			//get the policy config here, since this is on the scoupe of this anonymous methods, this will
+			//solve an issue with the ImportOnlyNonCompliant that doesn't hold the correct value.
+			policyConfig, _ := b.getVenafiPolicyConfig(ctx, &b.storage, policyMap.Roles[roleName].ImportPolicy)
+			b.fillImportQueueTask(roleName, policyMap.Roles[roleName].ImportPolicy, policyConfig.VenafiImportWorkers, b.storage, policyConfig.ImportOnlyNonCompliant, conf)
 		}, 1, time.Duration(policyConfig.VenafiImportTimeout)*time.Second)
 
 	}
@@ -249,6 +254,17 @@ func (b *backend) processImportToTPP(job Job) string {
 	if err != nil {
 		return fmt.Sprintf("%s Could not get certificate from entry %s: %s", msg, importPath+job.entry, err)
 	}
+	if job.importOnlyNonCompliant {
+		valid, err := b.checkCertMatchPolicy(Certificate, job.policyName)
+		if err != nil {
+			return fmt.Sprintf("Failed checking certificate compliance with policies: %v", err)
+		}
+		if valid {
+			b.deleteCertFromQueue(job)
+			return fmt.Sprintf("Skipped import of compliant certificate %v for role %v", job.entry, job.roleName)
+		}
+	}
+
 	//TODO: here we should check for existing CN and set it to DNS or throw error
 	cn := Certificate.Subject.CommonName
 
@@ -338,6 +354,39 @@ func (b *backend) processImportToTPP(job Job) string {
 
 }
 
+func (b *backend) checkCertMatchPolicy(cert *x509.Certificate, policyName string) (bool, error) {
+	var req x509.CertificateRequest
+	req.Subject = cert.Subject
+	req.Extensions = cert.Extensions
+	req.PublicKey = cert.PublicKey
+	req.EmailAddresses = cert.EmailAddresses
+	req.DNSNames = cert.DNSNames
+	req.IPAddresses = cert.IPAddresses
+	req.URIs = cert.URIs
+
+
+
+	entry, err := b.storage.Get(context.Background(), venafiPolicyPath+policyName+"/policy")
+	if err != nil {
+		return false, err
+	}
+	if entry == nil {
+		return false, fmt.Errorf("policy data is nil. You need configure Venafi policy to proceed")
+	}
+
+	var policy venafiPolicyEntry
+
+	if err := entry.DecodeJSON(&policy); err != nil {
+		log.Printf("%s error reading Venafi policy configuration: %s", logPrefixVenafiPolicyEnforcement, err)
+		return false, err
+	}
+	err = checkCSR(false, &req, policy)
+	if err != nil {
+		return false, nil
+	}
+	return true, nil
+}
+
 func (b *backend) deleteCertFromQueue(job Job) {
 
 	msg := fmt.Sprintf("Job id: %v ###", job.id)