Merge branch 'master' into dependabot/go_modules/golang.org/x/net-0.29.0

Makefile

@@ -120,7 +120,7 @@ release:
 	echo '```' > release.txt
 	cd artifacts; sha1sum * >> ../release.txt
 	echo '```' >> release.txt
-	go install github.com/tcnksm/ghr@latest
+	go install github.com/tcnksm/ghr@v0.16.2
 	export "PATH=$(PATH):$(shell go env GOPATH)/bin" && ghr -prerelease -n $$RELEASE_VERSION -body="$$(cat ./release.txt)" $$RELEASE_VERSION artifacts/
 
 linter:

README-PLAYBOOK.md

@@ -182,7 +182,7 @@ The top-level structure of the file is described as follows:
 | fields      | array of [CustomField](#customfield) objects | *Optional*     | - Sets the specified custom field on certificate object. Only valid when [Connection.platform](#connection) is `tpp`.                                                                                                                                                                                                                                                                                                                                                                                                           |
 | issuerHint  | string                                       | *Optional*     | - Used only when [Request.validDays](#request) is specified to determine the correct Specific End Date attribute to set on the TPP certificate object. Valid options are `DIGICERT`, `MICROSOFT`, `ENTRUST`, `ALL_ISSUERS`. If not defined, but `validDays` are set, the attribute 'Specific End Date' will be used. Only valid when [Connection.platform](#connection) is `tpp`.                                                                                                                                               |
 | keyCurve    | string                                       | ***Required*** | when [Request.keyType](#request) is `ECDSA`, `EC`, or `ECC`. Valid values are `P256`, `P384`, `P521`, `ED25519`.                                                                                                                                                                                                                                                                                                                                                                                                                |
-| keySize     | integer                                      | *Optional*     | - Specifies the key size when specified [Request.keyType](#request) is `RSA`. Supported values are `1024`, `2048`, `4096`, and `8192`. Defaults to 2048.                                                                                                                                                                                                                                                                                                                                                                        |
+| keySize     | integer                                      | *Optional*     | - Specifies the key size when specified [Request.keyType](#request) is `RSA`. Supported values are `1024`, `2048`, `3072`, `4096`, and `8192`. Defaults to 2048.                                                                                                                                                                                                                                                                                                                                                                        |
 | keyType     | string                                       | *Optional*     | - Specify the key type of the requested certificate. Valid options are `RSA`, `ECDSA`, `EC`, `ECC` and `ED25519`. Default is `RSA`.                                                                                                                                                                                                                                                                                                                                                                                             |
 | location    | [Location](#location) object                 | *Optional*     | - Use to provide the name/address of the compute instance and an identifier for the workload using the certificate. This results in a device (node) and application (workload) being associated with the certificate in the Venafi Platform.<br/>Example: `node:workload`.                                                                                                                                                                                                                                                      |
 | nickname    | string                                       | *Optional*     | - Specify the certificate object name to be created in TPP for the requested certificate. If not specified, TPP will use the [Subject.commonName](#subject). Only valid when [Connection.platform](#connection) is `tpp`.                                                                                                                                                                                                                                                                                                       |

aruba/features/provision/cloudkeystore/provision_cloudkeystore.feature

@@ -12,6 +12,21 @@ Feature: provision to cloud keystore
     And I remember the output
     And I use previous Pickup ID to provision from VCP a certificate to cloudkeystore "<cloudkeystore>" setting keystore and provider names
     And I remember the output
+      And the output should not contain "Warning: --platform not set. Attempting to best-guess platform from connection flags"
+    And I grab cloud ID from output
+    Then I clean up previous installed certificate from cloudkeystore
+    Examples:
+      | cloudkeystore    |
+      | GOOGLE           |
+      | AWS              |
+      | AZURE            |
+
+  Scenario Outline: Enroll certificate and execute provisioning for cloud keystore without Platform flags
+    Given I enroll a random certificate with defined platform VCP with -csr service -no-prompt
+    And I remember the output
+    And I use previous Pickup ID to provision without set Platform flag from VCP a certificate to cloudkeystore "<cloudkeystore>" setting keystore and provider names
+    And I remember the output
+      And the output should contain "Warning: --platform not set. Attempting to best-guess platform from connection flags"
     And I grab cloud ID from output
     Then I clean up previous installed certificate from cloudkeystore
     Examples:
@@ -31,6 +46,7 @@ Feature: provision to cloud keystore
       | cloudkeystore    |
       | GOOGLE           |
       | AWS              |
+      | AZURE            |
 
   Scenario Outline: Enroll certificate, execute provisioning and then provisioning again for replace
     Given I enroll a random certificate with defined platform VCP with -csr service -no-prompt

aruba/features/provision/cloudkeystore/steps_definitions/my_steps.rb

@@ -1,13 +1,20 @@
 And(/^I use previous Pickup ID to provision (?:from|using) (\S+) a certificate to cloudkeystore "(.*)"( setting keystore and provider names)?$/) do |platform, cloudkeystore_type, keystore_provider_names|
 
-  cmd = build_provision_cmd(platform, cloudkeystore_type, keystore_provider_names)
+  cmd = build_provision_cmd(platform, cloudkeystore_type, keystore_provider_names, "",true)
+
+  steps %{Then I try to run `#{cmd}`}
+end
+
+And(/^I use previous Pickup ID to provision without set Platform flag (?:from|using) (\S+) a certificate to cloudkeystore "(.*)"( setting keystore and provider names)?$/) do |platform, cloudkeystore_type, keystore_provider_names|
+
+  cmd = build_provision_cmd(platform, cloudkeystore_type, keystore_provider_names, "",false)
 
   steps %{Then I try to run `#{cmd}`}
 end
 
 And(/^I use previous Pickup ID to provision (?:from|using) (\S+) a certificate to cloudkeystore "(.*)"( setting keystore and provider names)? with (.+)?/) do |platform, cloudkeystore_type, keystore_provider_names, flags|
 
-  cmd = build_provision_cmd(platform, cloudkeystore_type, keystore_provider_names, flags)
+  cmd = build_provision_cmd(platform, cloudkeystore_type, keystore_provider_names, flags, true)
 
   steps %{Then I try to run `#{cmd}`}
 end
@@ -26,17 +33,20 @@
     fail(ArgumentError.new("Unknown cloud type: #{@cloudkeystore_type}"))
   end
   flags += @global_set_provision_flags
-  cmd = build_provision_cmd(PLATFORM_VCP, @cloudkeystore_type, keystore_provider_names, flags)
+  cmd = build_provision_cmd(PLATFORM_VCP, @cloudkeystore_type, keystore_provider_names, flags, true)
   steps %{Then I try to run `#{cmd}`}
 end
 
-def build_provision_cmd(platform, cloudkeystore_type, keystore_provider_names, flags = "")
+def build_provision_cmd(platform, cloudkeystore_type, keystore_provider_names, flags = "", set_platform_flag=true)
 
   @global_set_provision_flags = flags
 
-  platform_flag = " -platform " + platform
+  cmd = "vcert provision cloudkeystore #{ENDPOINTS[PLATFORM_VCP]} -pickup-id #{@pickup_id}"
 
-  cmd = "vcert provision cloudkeystore #{platform_flag} #{ENDPOINTS[PLATFORM_VCP]} -pickup-id #{@pickup_id}"
+  if set_platform_flag
+    platform_flag = " -platform " + platform
+    cmd = cmd + platform_flag
+  end
 
   keystore_name = ""
   provider_name = ""

cmd/vcert/cmdCloudKeystores.go

@@ -15,9 +15,10 @@ import (
 
 var (
 	subCommandCloudKeystore = &cli.Command{
-		Name:  subCommandCloudKeystoreName,
-		Flags: provisionFlags,
-		Usage: "provision certificate from Venafi Platform to Cloud Keystore",
+		Before: runBeforeProvisionCommand,
+		Name:   subCommandCloudKeystoreName,
+		Flags:  provisionFlags,
+		Usage:  "provision certificate from Venafi Platform to Cloud Keystore",
 		UsageText: `vcert provision cloudkeystore <Required Venafi Control Plane> <Options>
 
    vcert provision cloudkeystore --platform vcp -k <VCP API key> --certificate-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx --keystore-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx --format json

cmd/vcert/cmdHelper.go

@@ -43,7 +43,7 @@ import (
 var tlsConfig tls.Config
 
 func runBeforeCommand(c *cli.Context) error {
-	//TODO: move all flag validations here
+	//TODO: refactor flags to specified command. If command doesn't use it, flag should be ignored.
 	flags.orgUnits = c.StringSlice("ou")
 	flags.dnsSans = c.StringSlice("san-dns")
 	flags.emailSans = c.StringSlice("san-email")
@@ -98,6 +98,13 @@ func runBeforeCommand(c *cli.Context) error {
 	return nil
 }
 
+func runBeforeProvisionCommand(c *cli.Context) error {
+	if flags.platformString != "" {
+		flags.platform = venafi.GetPlatformType(flags.platformString)
+	}
+	return nil
+}
+
 func setTLSConfig() error {
 	//Set RenegotiateFreelyAsClient in case of we're communicating with MTLS TPP server with only user\password
 	if flags.apiKey == "" {

cmd/vcert/flags.go

@@ -27,8 +27,9 @@ var (
 	flagPlatform = &cli.StringFlag{
 		Name: "platform",
 		Usage: "Use to specify the platform VCert will use to execute the given command. Only accepted values are:\n" +
-			"\t\tFor getcred command: --platform [TPP | VAAS | OIDC]\n" +
-			"\t\tFor enroll command: --platform [TPP | VAAS | FIREFLY]",
+			"\t\tFor getcred command: --platform [TPP | VCP | OIDC]\n" +
+			"\t\tFor enroll command: --platform [TPP | VCP | FIREFLY]\n" +
+			"\t\tFor provision command: --platform [ VCP ]",
 		Destination: &flags.platformString,
 		Aliases:     []string{"p"},
 	}

cmd/vcert/validatorsCloud.go

@@ -17,10 +17,10 @@ func validateConnectionFlagsCloud(commandName string) error {
 		emailPresent := flags.email != ""
 
 		if tokenURLPresent && !jwtPresent {
-			return fmt.Errorf("missing jwt for service account authentication. Set the jwt using --idp-jwt flag")
+			return fmt.Errorf("missing jwt for service account authentication. Set the jwt using --external-jwt flag")
 		}
 
-		advice := "Use --token-url/--idp-jwt for authentication or --email for registration"
+		advice := "Use --token-url/--external-jwt for authentication or --email for registration"
 		if !svcAccountPresent && !emailPresent {
 			return fmt.Errorf("missing flags for Venafi Cloud Platform authentication. %s", advice)
 		}

pkg/certificate/certificate.go

@@ -41,7 +41,7 @@ const (
 )
 
 func AllSupportedKeySizes() []int {
-	return []int{1024, DefaultRSAlength, 4096, 8192}
+	return []int{1024, DefaultRSAlength, 3072, 4096, 8192}
 }
 
 //SSH Certificate structures

pkg/venafi/cloud/certificate.go

@@ -16,11 +16,14 @@
 
 package cloud
 
+import "time"
+
 type VenafiCertificate struct {
-	ID                   string `json:"id,omitempty"`
-	CertificateStatus    string `json:"certificateStatus,omitempty"`
-	CertificateRequestId string `json:"certificateRequestId,omitempty"`
-	DekHash              string `json:"dekHash,omitempty"`
-	Fingerprint          string `json:"fingerprint,omitempty"`
-	CertificateSource    string `json:"certificateSource,omitempty"`
+	ID                   string    `json:"id,omitempty"`
+	CertificateStatus    string    `json:"certificateStatus,omitempty"`
+	CertificateRequestId string    `json:"certificateRequestId,omitempty"`
+	DekHash              string    `json:"dekHash,omitempty"`
+	Fingerprint          string    `json:"fingerprint,omitempty"`
+	CertificateSource    string    `json:"certificateSource,omitempty"`
+	ValidityEnd          time.Time `json:"validityEnd"`
 }

pkg/venafi/cloud/cloudproviders.go

@@ -66,13 +66,13 @@ func (c *Connector) ProvisionCertificate(req *domain.ProvisioningRequest, option
 	certificateIDString := *(reqData.CertificateID)
 	log.Printf("Certificate ID for provisioning: %s", certificateIDString)
 
-	// Is certificate generated by VCP?
-	log.Printf("Validating if certificate is generated by VCP")
-	err := c.validateIfCertIsVCPGeneratedByID(*(reqData.CertificateID))
+	// Is certificate valid for provisioning?
+	log.Printf("Validating if certificate is valid")
+	err := c.validateCertificate(*(reqData.CertificateID))
 	if err != nil {
 		return nil, err
 	}
-	log.Println("Certificate is valid for provisioning (VCP generated)")
+	log.Printf("Good certificate for provisioning!")
 
 	cloudKeystore := reqData.Keystore
 
@@ -175,7 +175,7 @@ func (c *Connector) ProvisionCertificateToMachineIdentity(req domain.Provisionin
 
 	// Is certificate generated by VCP?
 	log.Printf("validating if certificate is generated by VCP")
-	err := c.validateIfCertIsVCPGeneratedByID(certificateID)
+	err := c.validateCertificate(certificateID)
 	if err != nil {
 		return nil, err
 	}
@@ -300,14 +300,26 @@ func setProvisioningOptions(options domain.ProvisioningOptions, keystoreType dom
 	return provisioningOptions, nil
 }
 
-func (c *Connector) validateIfCertIsVCPGeneratedByID(certificateId string) error {
+func (c *Connector) validateCertificate(certificateId string) error {
 	cert, err := c.getCertificates(certificateId)
 	if err != nil {
 		return fmt.Errorf("error trying to get certificate details for cert with ID: %s, error: %s", certificateId, err.Error())
 	}
+
+	// Is certificate not expired?
+	log.Printf("Validating if certificate is not expired")
+	now := time.Now()
+	if now.Unix() > cert.ValidityEnd.Unix() {
+		return fmt.Errorf("error trying to provisioning certificate with ID: %s. Provided certificate is expired", certificateId)
+	}
+	log.Printf("Certificate is still valid")
+
+	// Is certificate generated by VCP?
+	log.Printf("Validating if certificate is generated by VCP")
 	if cert.DekHash == "" {
 		return fmt.Errorf("error trying to provisioning certificate with ID: %s. Provided certificate is not VCP generated", certificateId)
 	}
+	log.Println("Certificate is valid for provisioning (VCP generated)")
 	return nil
 }
 

pkg/venafi/tpp/connector_test.go

@@ -1814,7 +1814,6 @@ func TestRenewCertRestoringValues(t *testing.T) {
 	req.KeyType = certificate.KeyTypeECDSA
 	req.KeyCurve = certificate.EllipticCurveP521
 	req.CsrOrigin = certificate.ServiceGeneratedCSR
-	req.Timeout = time.Second * 10
 	err = tpp.GenerateRequest(&endpoint.ZoneConfiguration{}, req)
 	if err != nil {
 		t.Fatalf("err is not nil, err: %s", err)
@@ -1828,6 +1827,11 @@ func TestRenewCertRestoringValues(t *testing.T) {
 	req.FetchPrivateKey = true
 	req.KeyPassword = os.Getenv("TPP_PASSWORD")
 
+	req.Timeout = time.Second * 30 // explicitly setting this value here
+	// to make sure we only wait for certificate issuance for 30 seconds because
+	// setting it before the RequestCertificate function, will override
+	// workToDoTimeout to only wait to 30 seconds
+
 	pcc, err := tpp.RetrieveCertificate(req)
 	if err != nil {
 		t.Fatal(err)
@@ -1847,11 +1851,11 @@ func TestRenewCertRestoringValues(t *testing.T) {
 	renewReq := certificate.RenewalRequest{
 		CertificateDN: req.PickupID,
 	}
-	pickupdID, err := tpp.RenewCertificate(&renewReq)
+	pickupID, err := tpp.RenewCertificate(&renewReq)
 	if err != nil {
 		t.Fatal(err)
 	}
-	req = &certificate.Request{PickupID: pickupdID, Timeout: 30 * time.Second}
+	req = &certificate.Request{PickupID: pickupID, Timeout: 30 * time.Second}
 	pcc, err = tpp.RetrieveCertificate(req)
 	if err != nil {
 		t.Fatal(err)
@@ -2002,7 +2006,7 @@ func TestReadPolicyConfiguration(t *testing.T) {
 				[]string{"^Utah$"},
 				[]string{"^Salt Lake$"},
 				[]string{"^US$"},
-				[]endpoint.AllowedKeyConfiguration{{certificate.KeyTypeRSA, []int{2048, 4096, 8192}, nil}},
+				[]endpoint.AllowedKeyConfiguration{{certificate.KeyTypeRSA, []int{2048, 3072, 4096, 8192}, nil}},
 				[]string{`^([\p{L}\p{N}-*]+\.)*vfidev\.com$`, `^([\p{L}\p{N}-*]+\.)*vfidev\.net$`, `^([\p{L}\p{N}-*]+\.)*vfide\.org$`},
 				[]string{".*"},
 				[]string{".*"},
@@ -2288,7 +2292,6 @@ func TestEnrollWithLocation(t *testing.T) {
 
 	req := certificate.Request{}
 	req.Subject.CommonName = cn
-	req.Timeout = time.Second * 10
 	req.Location = &certificate.Location{
 		Instance:   "instance",
 		Workload:   workload,
@@ -2305,7 +2308,6 @@ func TestEnrollWithLocation(t *testing.T) {
 	}
 	req = certificate.Request{}
 	req.Subject.CommonName = cn
-	req.Timeout = time.Second * 10
 	req.Location = &certificate.Location{
 		Instance:   "instance",
 		Workload:   workload,
@@ -2322,7 +2324,6 @@ func TestEnrollWithLocation(t *testing.T) {
 	}
 	req = certificate.Request{}
 	req.Subject.CommonName = cn
-	req.Timeout = time.Second * 10
 	req.Location = &certificate.Location{
 		Instance:   "instance",
 		Workload:   workload,
@@ -2862,6 +2863,9 @@ func TestSetPolicyValuesAndValidate(t *testing.T) {
 func TestCreateSshCertServiceGeneratedKP(t *testing.T) {
 
 	tpp, err := getTestConnector(ctx.TPPurl, ctx.TPPZone)
+	if err != nil {
+		t.Fatalf("err is not nil, err: %s", err)
+	}
 
 	duration := 4
 
@@ -2880,7 +2884,6 @@ func TestCreateSshCertServiceGeneratedKP(t *testing.T) {
 	req.ValidityPeriod = fmt.Sprint(duration, "h")
 	req.Template = os.Getenv("TPP_SSH_CA")
 	req.SourceAddresses = []string{"test.com"}
-	req.Timeout = time.Second * 10
 
 	respData, err := tpp.RequestSSHCertificate(req)
 
@@ -2928,6 +2931,10 @@ func TestCreateSshCertLocalGeneratedKP(t *testing.T) {
 
 	tpp, err := getTestConnector(ctx.TPPurl, ctx.TPPZone)
 
+	if err != nil {
+		t.Fatalf("err is not nil, err: %s", err)
+	}
+
 	duration := 4
 
 	tpp.verbose = true
@@ -2959,7 +2966,6 @@ func TestCreateSshCertLocalGeneratedKP(t *testing.T) {
 	req.ValidityPeriod = fmt.Sprint(duration, "h")
 	req.Template = os.Getenv("TPP_SSH_CA")
 	req.SourceAddresses = []string{"test.com"}
-	req.Timeout = time.Second * 10
 
 	sPubKey := string(pub)
 

pkg/venafi/tpp/sshCertUtils.go

@@ -46,7 +46,9 @@ func RequestSshCertificate(c *Connector, req *certificate.SshCertRequest) (*cert
 	}
 
 	//TODO: Maybe, there is a better way to set the timeout.
-	c.client.Timeout = time.Duration(req.Timeout) * time.Second
+	if req.Timeout > 0 {
+		c.client.Timeout = req.Timeout * time.Second
+	}
 	statusCode, status, body, err := c.request("POST", urlResourceSshCertReq, sshCertReq)
 	if err != nil {
 		return nil, err

pkg/venafi/tpp/tpp_test.go

@@ -311,7 +311,7 @@ func TestConvertServerPolicyToInternalPolicy(t *testing.T) {
 	if k.KeyType != certificate.KeyTypeRSA {
 		t.Fatal("invalid key type")
 	}
-	if len(k.KeySizes) != 3 || k.KeySizes[0] != 2048 || k.KeySizes[1] != 4096 || k.KeySizes[2] != 8192 {
+	if len(k.KeySizes) != 4 || k.KeySizes[0] != 2048 || k.KeySizes[1] != 3072 || k.KeySizes[2] != 4096 || k.KeySizes[3] != 8192 {
 		t.Fatal("bad key lengths")
 	}
 
@@ -399,7 +399,7 @@ func TestConvertServerPolicyToInternalPolicy(t *testing.T) {
 	if k.KeyType != certificate.KeyTypeRSA {
 		t.Fatal("invalid key type")
 	}
-	if len(k.KeySizes) != 3 || k.KeySizes[0] != 2048 || k.KeySizes[1] != 4096 || k.KeySizes[2] != 8192 {
+	if len(k.KeySizes) != 4 || k.KeySizes[0] != 2048 || k.KeySizes[1] != 3072 || k.KeySizes[2] != 4096 || k.KeySizes[3] != 8192 {
 		t.Fatal("bad key lengths")
 	}
 	k = p.AllowedKeyConfigurations[1]