From 2869d570a4fe338e06eb68140727b2fbf0723b58 Mon Sep 17 00:00:00 2001
From: Luis Presuel
Date: Thu, 19 Sep 2024 16:38:30 -0600
Subject: [PATCH 1/6] adds retry for certificate in case is not ready in certificate inventory. refactors logic. adds missing proxy config when creating http client

---
 go.mod | 2 +-
 go.sum | 20 -------
 pkg/playbook/app/vcertutil/vcertutil.go | 16 +++++-
 pkg/venafi/cloud/cloudUtil.go | 29 +---------
 pkg/venafi/cloud/connector.go | 75 +++++++++++++++----------
 5 files changed, 62 insertions(+), 80 deletions(-)

diff --git a/go.mod b/go.mod
index 67843860..09b57c2a 100644
--- a/go.mod
+++ b/go.mod
@@ -46,7 +46,7 @@ require (
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
-	golang.org/x/net v0.25.0
+	golang.org/x/net v0.25.0 // indirect
 	golang.org/x/sys v0.20.0 // indirect
 	golang.org/x/term v0.20.0 // indirect
 	golang.org/x/text v0.15.0 // indirect
diff --git a/go.sum b/go.sum
index 99f919dd..b01d4dfe 100644
--- a/go.sum
+++ b/go.sum
@@ -18,14 +18,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym github.com/Khan/genqlient v0.7.0 h1:GZ1meyRnzcDTK48EjqB8t3bcfYvHArCUUvgOwpz1D4w= github.com/Khan/genqlient v0.7.0/go.mod h1:HNyy3wZvuYwmW3Y7mkoQLZsa/R5n5yIRajS1kPBvSFM= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= -github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8= -github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= -github.com/alexflint/go-arg v1.4.2 h1:lDWZAXxpAnZUq4qwb86p/3rIJJ2Li81EoMbTMujhVa0= -github.com/alexflint/go-arg v1.4.2/go.mod h1:9iRbDxne7LcR/GSvEr7ma++GLpdIU1zrghf2y2768kM= -github.com/alexflint/go-scalar v1.0.0 h1:NGupf1XV/Xb04wXskDFzS0KWOLH632W/EO4fAFi+A70= -github.com/alexflint/go-scalar v1.0.0/go.mod h1:GpHzbCOZXEKMEcygYQ5n/aa4Aq84zbxjy3MxYW0gjYw= github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 h1:bvNMNQO63//z+xNgfBlViaCIJKLlCJ6/fmUseuG0wVQ= github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= 
@@ -242,8 +236,6 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= -golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -264,8 +256,6 @@ golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= -golang.org/x/mod v0.15.0 h1:SernR4v+D55NyBH2QiEQrlBAnj1ECL6AGrA5+dPaMY8= -golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -280,8 +270,6 @@ golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4= -golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac= golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 
@@ -308,19 +296,13 @@ golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= -golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8= -golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
@@ -342,8 +324,6 @@ golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.18.0 h1:k8NLag8AGHnn+PHbl7g43CtqZAwG60vZkLqgyZgIHgQ=
-golang.org/x/tools v0.18.0/go.mod h1:GL7B4CwcLLeo59yx/9UWWuNOW1n3VZ4f5axWfML7Lcg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
diff --git a/pkg/playbook/app/vcertutil/vcertutil.go b/pkg/playbook/app/vcertutil/vcertutil.go
index 7d19d3d5..a6fc2cde 100644
--- a/pkg/playbook/app/vcertutil/vcertutil.go
+++ b/pkg/playbook/app/vcertutil/vcertutil.go
@@ -23,6 +23,7 @@ import (
 	"crypto/x509/pkix"
 	"errors"
 	"fmt"
+	"net"
 	"net/http"
 	"strings"
 	"time"
@@ -86,6 +87,18 @@ func EnrollCertificate(config domain.Config, request domain.PlaybookRequest) (*c
 }
 
 func buildClient(config domain.Config, zone string, timeout int) (endpoint.Connector, error) {
+	var netTransport = &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		DialContext: (&net.Dialer{
+			Timeout: time.Duration(timeout) * time.Second,
+			KeepAlive: time.Duration(timeout) * time.Second,
+		}).DialContext,
+		MaxIdleConns: 100,
+		IdleConnTimeout: 90 * time.Second,
+		TLSHandshakeTimeout: 10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+	}
+
 	vcertConfig := &vcert.Config{
 		ConnectorType: config.Connection.GetConnectorType(),
 		BaseUrl: config.Connection.URL,
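Review bot: The dialer's `Timeout` and `KeepAlive` are computed from `timeout` before the function decides whether it is set — the next hunk honours `timeout` only when it is `> 0` and otherwise keeps `DefaultTimeout` — so a zero value yields a `net.Dialer` with no dial deadline (only the overall `http.Client.Timeout` still bounds the call) and a default keep-alive, inconsistent with the client timeout. Derive the dial deadline once with the same fallback, as below. Separately, this shared transport carries no `TLSClientConfig`, so the `MinVersion: tls.VersionTLS12` that the trust-bundle branch sets later applies only when a custom bundle is configured; `TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12}` here would make the floor unconditional (Go's default client minimum is TLS 1.2 in current releases, so this is belt-and-braces rather than a live weakness). buildClient continues beyond this hunk.
```go
	// Fall back to DefaultTimeout when the caller passed 0, mirroring the client timeout set below.
	dialTimeout := time.Duration(DefaultTimeout) * time.Second
	if timeout > 0 {
		dialTimeout = time.Duration(timeout) * time.Second
	}
	var netTransport = &http.Transport{
		Proxy: http.ProxyFromEnvironment,
		DialContext: (&net.Dialer{
			Timeout:   dialTimeout,
			KeepAlive: dialTimeout,
		}).DialContext,
		// … unchanged: MaxIdleConns, IdleConnTimeout, TLSHandshakeTimeout, ExpectContinueTimeout …
	}
```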
@@ -95,7 +108,8 @@ func buildClient(config domain.Config, zone string, timeout int) (endpoint.Conne
 	}
 
 	vcertConfig.Client = &http.Client{
-		Timeout: time.Duration(DefaultTimeout) * time.Second,
+		Timeout: time.Duration(DefaultTimeout) * time.Second,
+		Transport: netTransport,
 	}
 	if timeout > 0 {
 		vcertConfig.Client.Timeout = time.Duration(timeout) * time.Second
diff --git a/pkg/venafi/cloud/cloudUtil.go b/pkg/venafi/cloud/cloudUtil.go
index 98f21c4e..dc8c1f07 100644
--- a/pkg/venafi/cloud/cloudUtil.go
+++ b/pkg/venafi/cloud/cloudUtil.go
@@ -4,37 +4,12 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"net/http"
-	"regexp"
-
 	"github.com/Venafi/vcert/v5/pkg/certificate"
 	"github.com/Venafi/vcert/v5/pkg/util"
+	"net/http"
+	"regexp"
 )
 
-func parseCertificateInfo(httpStatusCode int, httpStatus string, body []byte) (*managedCertificate, error) {
-	switch httpStatusCode {
-	case http.StatusOK:
-		var res = &managedCertificate{}
-		err := json.Unmarshal(body, res)
-		if err != nil {
-			return nil, fmt.Errorf("failed to parse search results: %s, body: %s", err, body)
-		}
-		return res, nil
-	default:
-		if body != nil {
-			respErrors, err := parseResponseErrors(body)
-			if err == nil {
-				respError := fmt.Sprintf("unexpected status code on Venafi Cloud certificate search. Status: %s\n", httpStatus)
-				for _, e := range respErrors {
-					respError += fmt.Sprintf("Error Code: %d Error: %s\n", e.Code, e.Message)
-				}
-				return nil, errors.New(respError)
-			}
-		}
-		return nil, fmt.Errorf("unexpected status code on Venafi Cloud certificate search. Status: %s", httpStatus)
-	}
-}
-
 func parseDEKInfo(httpStatusCode int, httpStatus string, body []byte) (*EdgeEncryptionKey, error) {
 	switch httpStatusCode {
 	case http.StatusOK:
diff --git a/pkg/venafi/cloud/connector.go b/pkg/venafi/cloud/connector.go
index 7c04f94c..2f2116aa 100644
--- a/pkg/venafi/cloud/connector.go
+++ b/pkg/venafi/cloud/connector.go
@@ -1102,27 +1102,20 @@ func retrieveServiceGeneratedCertData(c *Connector, req *certificate.Request, de
 
 }
 
-func getDekInfo(c *Connector, cerId string) (*EdgeEncryptionKey, error) {
+func getDekInfo(c *Connector, certId string) (*EdgeEncryptionKey, error) {
 
 	//get certificate details for getting DekHash
-	url := c.getURL(urlResourceCertificateByID)
-	url = fmt.Sprintf(url, cerId)
-
-	statusCode, status, body, err := c.request("GET", url, nil)
-	if err != nil {
-		return nil, err
-	}
-	managedCert, err := parseCertificateInfo(statusCode, status, body)
+	managedCert, err := c.getCertificate(certId)
 	if err != nil {
 		return nil, err
 	}
 
 	//get Dek info for getting DEK's key
-	url = c.getURL(urlDekPublicKey)
+	url := c.getURL(urlDekPublicKey)
 	url = fmt.Sprintf(url, managedCert.DekHash)
 
-	statusCode, status, body, err = c.request("GET", url, nil)
+	statusCode, status, body, err := c.request("GET", url, nil)
 	if err != nil {
 		return nil, err
 	}
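Review bot: `managedCert.DekHash` is formatted straight into the DEK public-key URL without checking that the record actually carries a hash, so a certificate whose `DekHash` is empty produces a request for a malformed resource and a generic status error instead of a clear failure; add `if managedCert.DekHash == "" { return nil, fmt.Errorf("certificate %s has no DEK hash", certId) }` before the `fmt.Sprintf`. Note also that `c.getCertificate` now retries on a 404 for up to a minute (see the later hunk in this file), so a wrong ID on this path is only reported after that wait. getDekInfo's body continues past the end of the hunk.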
@@ -1274,34 +1267,54 @@ type managedCertificate struct {
 }
 
 func (c *Connector) getCertificate(certificateId string) (*managedCertificate, error) {
-	var err error
+	// Flow renew certificate
+	//var err error
 	url := c.getURL(urlResourceCertificateByID)
 	url = fmt.Sprintf(url, certificateId)
 
-	statusCode, _, body, err := c.request("GET", url, nil)
-	if err != nil {
-		return nil, err
-	}
-	switch statusCode {
-	case http.StatusOK:
-		var res = &managedCertificate{}
-		err = json.Unmarshal(body, res)
+	timeout := time.Duration(60) * time.Second
+
+	startTime := time.Now()
+	for {
+		statusCode, _, body, err := c.request("GET", url, nil)
 		if err != nil {
-			return nil, fmt.Errorf("failed to parse search results: %s, body: %s", err, body)
+			return nil, err
 		}
-		return res, nil
-	default:
-		if body != nil {
-			respErrors, err := parseResponseErrors(body)
-			if err == nil {
-				respError := fmt.Sprintf("unexpected status code on Venafi Cloud certificate search. Status: %d\n", statusCode)
-				for _, e := range respErrors {
-					respError += fmt.Sprintf("Error Code: %d Error: %s\n", e.Code, e.Message)
+
+		switch statusCode {
+		case http.StatusOK:
+			var res = &managedCertificate{}
+			err = json.Unmarshal(body, res)
+			if err != nil {
+				return nil, fmt.Errorf("failed to parse search results: %s, body: %s", err, body)
+			}
+			return res, nil
+		default:
+			if body != nil {
+				respErrors, err := parseResponseErrors(body)
+				if err == nil {
+					if timeout != time.Duration(0) {
+						if time.Now().After(startTime.Add(timeout)) {
+							return nil, endpoint.ErrRetrieveCertificateTimeout{CertificateID: certificateId}
+						}
+					} else {
+						respError := fmt.Sprintf("unexpected status code on Venafi Cloud certificate search. Status: %d\n", statusCode)
+						for _, e := range respErrors {
+							respError += fmt.Sprintf("Error Code: %d Error: %s\n", e.Code, e.Message)
+						}
+						return nil, errors.New(respError)
+					}
 				}
-				return nil, errors.New(respError)
+			}
+			if timeout != time.Duration(0) {
+				if time.Now().After(startTime.Add(timeout)) {
+					return nil, endpoint.ErrRetrieveCertificateTimeout{CertificateID: certificateId}
+				}
+			} else {
+				return nil, fmt.Errorf("unexpected status code on Venafi Cloud certificate search. Status: %d", statusCode)
 			}
 		}
-		return nil, fmt.Errorf("unexpected status code on Venafi Cloud certificate search. Status: %d", statusCode)
+		time.Sleep(2 * time.Second)
 	}
 }
 
From d64cebaf143b4cb251fa392fd540870286d61f7a Mon Sep 17 00:00:00 2001
From: Luis Presuel
Date: Mon, 23 Sep 2024 12:21:30 -0600
Subject: [PATCH 2/6] fix proxy config override and removes comments

---
 pkg/playbook/app/vcertutil/vcertutil.go | 10 +++++-----
 pkg/venafi/cloud/connector.go | 2 --
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/pkg/playbook/app/vcertutil/vcertutil.go b/pkg/playbook/app/vcertutil/vcertutil.go
index a6fc2cde..8c9a5baf 100644
--- a/pkg/playbook/app/vcertutil/vcertutil.go
+++ b/pkg/playbook/app/vcertutil/vcertutil.go
@@ -122,12 +122,12 @@ func buildClient(config domain.Config, zone string, timeout int) (endpoint.Conne
 		if !connectionTrustBundle.AppendCertsFromPEM([]byte(vcertConfig.ConnectionTrust)) {
 			return nil, fmt.Errorf("%w: failed to parse PEM trust bundle", verror.UserDataError)
 		}
-		vcertConfig.Client.Transport = &http.Transport{
-			TLSClientConfig: &tls.Config{
-				RootCAs: connectionTrustBundle,
-				MinVersion: tls.VersionTLS12,
-			},
+		netTransport.TLSClientConfig = &tls.Config{
+			RootCAs: connectionTrustBundle,
+			MinVersion: tls.VersionTLS12,
 		}
+
+		vcertConfig.Client.Transport = netTransport
 	}
 
 	// build Authentication object
diff --git a/pkg/venafi/cloud/connector.go b/pkg/venafi/cloud/connector.go
index 2f2116aa..e877bc76 100644
--- a/pkg/venafi/cloud/connector.go
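Review bot: `timeout` is fixed at 60 s, so `timeout != time.Duration(0)` is always true and both `else` branches — the only places that surface the server's error codes and messages — are unreachable; every non-200 status, including 401/403/500, is retried for a minute and then reported as a bare `ErrRetrieveCertificateTimeout`. Gating the retry on `statusCode == http.StatusNotFound` is the fix (a later patch in this series does exactly that). Independently, the loop has no cancellation hook and its bounds are magic numbers: `time.Since(startTime) > timeout` reads better than `time.Now().After(startTime.Add(timeout))`, and the 60 s window and 2 s interval belong in named package constants so the TODO that eventually removes them has one place to look. The hunk's trailing context shows the function closing here.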
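Review bot: `vcertConfig.Client.Transport = netTransport` at the end of the trust-bundle branch is a no-op — the client was already built with `Transport: netTransport` in the earlier hunk of this file, and `TLSClientConfig` is set on that same pointer — so the added line can be dropped. Because this branch is the only place a `tls.Config` is attached, `MinVersion: tls.VersionTLS12` takes effect only when `ConnectionTrust` is configured; if the floor is meant for every connection, set `netTransport.TLSClientConfig = &tls.Config{MinVersion: tls.VersionTLS12}` unconditionally where the transport is built and let this branch assign `RootCAs` only. buildClient continues beyond the hunk.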
+++ b/pkg/venafi/cloud/connector.go
@@ -1267,8 +1267,6 @@ type managedCertificate struct {
 }
 
 func (c *Connector) getCertificate(certificateId string) (*managedCertificate, error) {
-	// Flow renew certificate
-	//var err error
 	url := c.getURL(urlResourceCertificateByID)
 	url = fmt.Sprintf(url, certificateId)
 
From b9295969db0f5adaf50c68dbcdf5219383d1fe3f Mon Sep 17 00:00:00 2001
From: Luis Presuel
Date: Mon, 23 Sep 2024 12:23:06 -0600
Subject: [PATCH 3/6] fixes goimports

---
 pkg/venafi/cloud/cloudUtil.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/pkg/venafi/cloud/cloudUtil.go b/pkg/venafi/cloud/cloudUtil.go
index dc8c1f07..b6ad942d 100644
--- a/pkg/venafi/cloud/cloudUtil.go
+++ b/pkg/venafi/cloud/cloudUtil.go
@@ -4,10 +4,11 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/Venafi/vcert/v5/pkg/certificate"
-	"github.com/Venafi/vcert/v5/pkg/util"
 	"net/http"
 	"regexp"
+
+	"github.com/Venafi/vcert/v5/pkg/certificate"
+	"github.com/Venafi/vcert/v5/pkg/util"
 )
 
 func parseDEKInfo(httpStatusCode int, httpStatus string, body []byte) (*EdgeEncryptionKey, error) {
From 5e399fc02547e4aed4b2ef7fe1e1233981eb35af Mon Sep 17 00:00:00 2001
From: Luis Presuel
Date: Mon, 23 Sep 2024 14:24:54 -0600
Subject: [PATCH 4/6] adds TODO message and updates validation

---
 pkg/venafi/cloud/connector.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/pkg/venafi/cloud/connector.go b/pkg/venafi/cloud/connector.go
index e877bc76..15d40e60 100644
--- a/pkg/venafi/cloud/connector.go
+++ b/pkg/venafi/cloud/connector.go
@@ -1270,6 +1270,9 @@ func (c *Connector) getCertificate(certificateId string) (*managedCertificate, e
 	url := c.getURL(urlResourceCertificateByID)
 	url = fmt.Sprintf(url, certificateId)
 
+	// TODO: Remove following retry logic once VC-31590 is fixed
+	// retry logic involves the loop to constantly, during 1 minute, to retry
+	// to get certificate each 2 seconds when it is not found in certificate inventory
 	timeout := time.Duration(60) * time.Second
 
 	startTime := time.Now()
@@ -1291,7 +1294,7 @@ func (c *Connector) getCertificate(certificateId string) (*managedCertificate, e
 			if body != nil {
 				respErrors, err := parseResponseErrors(body)
 				if err == nil {
-					if timeout != time.Duration(0) {
+					if statusCode == http.StatusNotFound {
 						if time.Now().After(startTime.Add(timeout)) {
 							return nil, endpoint.ErrRetrieveCertificateTimeout{CertificateID: certificateId}
 						}
@@ -1304,7 +1307,7 @@ func (c *Connector) getCertificate(certificateId string) (*managedCertificate, e
 					}
 				}
 			}
-			if timeout != time.Duration(0) {
+			if statusCode == http.StatusNotFound {
 				if time.Now().After(startTime.Add(timeout)) {
 					return nil, endpoint.ErrRetrieveCertificateTimeout{CertificateID: certificateId}
 				}
From 8dde501a4de3e2f530509b0c3b4cd31aa80bce87 Mon Sep 17 00:00:00 2001
From: Luis Presuel
Date: Mon, 23 Sep 2024 17:27:45 -0600
Subject: [PATCH 5/6] only add TLSClientConfig if applies

---
 pkg/venafi/cloud/cloud.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkg/venafi/cloud/cloud.go b/pkg/venafi/cloud/cloud.go
index 5fb1eea5..1b352292 100644
--- a/pkg/venafi/cloud/cloud.go
+++ b/pkg/venafi/cloud/cloud.go
@@ -302,8 +302,9 @@ func (c *Connector) getHTTPClient() *http.Client {
 			tlsConfig = tlsConfig.Clone()
 		}
 		tlsConfig.RootCAs = c.trust
+		netTransport.TLSClientConfig = tlsConfig
 	}
-	netTransport.TLSClientConfig = tlsConfig
+
 	c.client = &http.Client{
 		Timeout: time.Second * 30,
 		Transport: netTransport,
From 874ca2dbfb966f62b402ad9e43871b050d8a75f6 Mon Sep 17 00:00:00 2001
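Review bot: On the 404 path the `respErrors` parsed two lines above this change are never used — when the minute expires the caller receives `ErrRetrieveCertificateTimeout{CertificateID: certificateId}` with no trace of the server's last error code or message, which makes a permanently missing certificate indistinguishable from a slow inventory. Keep the last parsed errors (or at least the raw status) and attach them to the timeout error if the type allows, otherwise log them before returning. `time.Since(startTime) > timeout` is the idiomatic form of the deadline test that now appears twice in this function. The enclosing function starts and ends outside this hunk.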
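Review bot: Moving `netTransport.TLSClientConfig = tlsConfig` inside the `if` leaves the transport with a nil `TLSClientConfig` whenever no custom trust is configured, so any setting `tlsConfig` carried beyond `RootCAs` — getHTTPClient starts above the hunk, so whether it set a `MinVersion` or cipher list is not visible here — is silently dropped on the default path. If the intent is only to avoid attaching an empty config, set the hardening explicitly before the branch, e.g. `netTransport.TLSClientConfig = &tls.Config{MinVersion: tls.VersionTLS12}`, and have the branch assign `RootCAs` on it rather than replace it. The function continues past the hunk.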
From: Luis Presuel
Date: Wed, 25 Sep 2024 10:31:03 -0600
Subject: [PATCH 6/6] adds missing exit for loop and refactors code to avoid boiler plate code

---
 pkg/venafi/cloud/connector.go | 43 ++++++++++++++++++++++-------------
 1 file changed, 27 insertions(+), 16 deletions(-)

diff --git a/pkg/venafi/cloud/connector.go b/pkg/venafi/cloud/connector.go
index 15d40e60..5aaa147b 100644
--- a/pkg/venafi/cloud/connector.go
+++ b/pkg/venafi/cloud/connector.go
@@ -1294,31 +1294,42 @@ func (c *Connector) getCertificate(certificateId string) (*managedCertificate, e
 			if body != nil {
 				respErrors, err := parseResponseErrors(body)
 				if err == nil {
-					if statusCode == http.StatusNotFound {
-						if time.Now().After(startTime.Add(timeout)) {
-							return nil, endpoint.ErrRetrieveCertificateTimeout{CertificateID: certificateId}
-						}
-					} else {
-						respError := fmt.Sprintf("unexpected status code on Venafi Cloud certificate search. Status: %d\n", statusCode)
-						for _, e := range respErrors {
-							respError += fmt.Sprintf("Error Code: %d Error: %s\n", e.Code, e.Message)
-						}
-						return nil, errors.New(respError)
+					err = validateNotFoundTimeout(statusCode, startTime, timeout, certificateId, respErrors)
+					if err != nil {
+						return nil, err
 					}
 				}
+				return nil, err
 			}
-			if statusCode == http.StatusNotFound {
-				if time.Now().After(startTime.Add(timeout)) {
-					return nil, endpoint.ErrRetrieveCertificateTimeout{CertificateID: certificateId}
-				}
-			} else {
-				return nil, fmt.Errorf("unexpected status code on Venafi Cloud certificate search. Status: %d", statusCode)
+			err = validateNotFoundTimeout(statusCode, startTime, timeout, certificateId, []responseError{})
+			if err != nil {
+				return nil, err
 			}
 		}
 		time.Sleep(2 * time.Second)
 	}
 }
 
+// validateNotFoundTimeout function that returns nil for not found error if waiting time for timeout is not
+// completed. This is while status code is NotFound
+func validateNotFoundTimeout(statusCode int, startTime time.Time, timeout time.Duration, certificateId string, respErrors []responseError) error {
+	respError := fmt.Sprintf("unexpected status code on Venafi Cloud certificate search. Status: %d\n", statusCode)
+	if statusCode == http.StatusNotFound {
+		if time.Now().After(startTime.Add(timeout)) {
+			return endpoint.ErrRetrieveCertificateTimeout{CertificateID: certificateId}
+		}
+	} else {
+		if len(respErrors) > 0 {
+			for _, e := range respErrors {
+				respError += fmt.Sprintf("Error Code: %d Error: %s\n", e.Code, e.Message)
+			}
+			return errors.New(respError)
+		}
+		return errors.New(respError)
+	}
+	return nil
+}
+
 func (c *Connector) getCertsBatch(page, pageSize int, withExpired bool) ([]certificate.CertificateInfo, error) {
 	appDetails, _, err := c.getAppDetailsByName(c.zone.getApplicationName())
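Review bot: The new `return nil, err` placed after the `if err == nil` block in the `body != nil` branch also executes when `validateNotFoundTimeout` returned nil — a 404 still inside the 60 s window whose body parsed as an error response — so getCertificate returns `(nil, nil)` instead of sleeping and retrying, and callers such as getDekInfo go on to dereference a nil `*managedCertificate`. The same line turns a body that `parseResponseErrors` cannot decode into a hard failure, where the previous revision fell through to the status-only check. Treat an undecodable body like an absent one and route every case through a single `validateNotFoundTimeout` call, as below. In `validateNotFoundTimeout` the `if len(respErrors) > 0` guard is redundant (ranging over an empty slice appends nothing, so both paths build the same message) and `time.Since(startTime) > timeout` is the idiomatic deadline test; the hunk's trailing context appears to run past the end of this chunk.
```go
			// … unchanged: request, error check and the http.StatusOK case …
			// A body that is not in the error schema is not fatal by itself; decide on status alone.
			var respErrors []responseError
			if body != nil {
				if parsed, perr := parseResponseErrors(body); perr == nil {
					respErrors = parsed
				}
			}
			// nil means "404 inside the retry window": fall through to the sleep and try again.
			if err = validateNotFoundTimeout(statusCode, startTime, timeout, certificateId, respErrors); err != nil {
				return nil, err
			}
		}
		time.Sleep(2 * time.Second)
```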