Incremental sync support added using csc date filter so sync timing can run faster that default full sync periods

Author: bhillkeyfactor

cscglobal-caplugin/CSCGlobalCAPlugin.cs

@@ -37,6 +37,8 @@ public CSCGlobalCAPlugin()
 
     public bool EnableTemplateSync { get; set; }
 
+    public int SyncFilterDays { get; set; }
+
     //done
     public void Initialize(IAnyCAPluginConfigProvider configProvider, ICertificateDataReader certificateDataReader)
     {
@@ -45,6 +47,16 @@ public void Initialize(IAnyCAPluginConfigProvider configProvider, ICertificateDa
         CscGlobalClient = new CscGlobalClient(configProvider);
         var templateSync = configProvider.CAConnectionData["TemplateSync"].ToString();
         if (templateSync.ToUpper() == "ON") EnableTemplateSync = true;
+
+        if (configProvider.CAConnectionData.ContainsKey(Constants.SyncFilterDays))
+        {
+            var syncFilterDaysStr = configProvider.CAConnectionData[Constants.SyncFilterDays]?.ToString();
+            if (int.TryParse(syncFilterDaysStr, out var syncFilterDays))
+            {
+                SyncFilterDays = syncFilterDays;
+                Logger.LogDebug($"SyncFilterDays configured to {SyncFilterDays} days");
+            }
+        }
         Logger.MethodExit(LogLevel.Debug);
     }
 
@@ -98,49 +110,19 @@ public async Task Synchronize(BlockingCollection<AnyCAPluginCertificate> blockin
         {
             if (fullSync)
             {
-                var certs = await CscGlobalClient.SubmitCertificateListRequestAsync();
-
-                foreach (var currentResponseItem in certs.Results)
-                {
-                    cancelToken.ThrowIfCancellationRequested();
-                    Logger.LogTrace($"Took Certificate ID {currentResponseItem?.Uuid} from Queue");
-                    var certStatus = _requestManager.MapReturnStatus(currentResponseItem?.Status);
-
-                    //Keyfactor sync only seems to work when there is a valid cert and I can only get Active valid certs from Csc Global
-                    if (certStatus == Convert.ToInt32(EndEntityStatus.GENERATED) ||
-                        certStatus == Convert.ToInt32(EndEntityStatus.REVOKED))
-                    {
-                        //One click renewal/reissue won't work for this implementation so there is an option to disable it by not syncing back template
-                        var productId = "CscGlobal";
-                        if (EnableTemplateSync) productId = currentResponseItem?.CertificateType;
-
-                        var fileContent =
-                            PreparePemTextFromApi(
-                                currentResponseItem?.Certificate ?? string.Empty);
-
-                        if (fileContent.Length > 0)
-                        {
-                            Logger.LogTrace($"File Content {fileContent}");
-                            var certData = fileContent.Replace("\r\n", string.Empty);
-                            var certString = GetEndEntityCertificate(certData);
-                            //var currentCert = new X509Certificate2(Encoding.ASCII.GetBytes(certString));
-                            if (certString.Length > 0)
-                                blockingBuffer.Add(new AnyCAPluginCertificate
-                                {
-                                    CARequestID = $"{currentResponseItem?.Uuid}",
-                                    Certificate = certString,
-                                    //SubmissionDate = currentResponseItem?.OrderDate == null
-                                    //? Convert.ToDateTime(currentCert.NotBefore)
-                                    //: Convert.ToDateTime(currentResponseItem.OrderDate),
-                                    Status = certStatus,
-                                    ProductID = productId
-                                }, cancelToken);
-                        }
-                    }
-                }
-
-                blockingBuffer.CompleteAdding();
+                Logger.LogDebug("Performing full sync - no date filter applied");
+                await SyncCertificates(blockingBuffer, cancelToken, null);
+            }
+            else
+            {
+                var filterDays = SyncFilterDays > 0 ? SyncFilterDays : 5;
+                var filterDate = DateTime.Today.AddDays(filterDays);
+                var dateFilter = filterDate.ToString("yyyy/MM/dd");
+                Logger.LogDebug($"Performing incremental sync with expiration date filter: {dateFilter}");
+                await SyncCertificates(blockingBuffer, cancelToken, dateFilter);
             }
+
+            blockingBuffer.CompleteAdding();
         }
         catch (Exception e)
         {
@@ -153,6 +135,47 @@ public async Task Synchronize(BlockingCollection<AnyCAPluginCertificate> blockin
         Logger.MethodExit(LogLevel.Debug);
     }
 
+    private async Task SyncCertificates(BlockingCollection<AnyCAPluginCertificate> blockingBuffer,
+        CancellationToken cancelToken, string? dateFilter)
+    {
+        var certs = await CscGlobalClient.SubmitCertificateListRequestAsync(dateFilter);
+
+        foreach (var currentResponseItem in certs.Results)
+        {
+            cancelToken.ThrowIfCancellationRequested();
+            Logger.LogTrace($"Took Certificate ID {currentResponseItem?.Uuid} from Queue");
+            var certStatus = _requestManager.MapReturnStatus(currentResponseItem?.Status);
+
+            //Keyfactor sync only seems to work when there is a valid cert and I can only get Active valid certs from Csc Global
+            if (certStatus == Convert.ToInt32(EndEntityStatus.GENERATED) ||
+                certStatus == Convert.ToInt32(EndEntityStatus.REVOKED))
+            {
+                //One click renewal/reissue won't work for this implementation so there is an option to disable it by not syncing back template
+                var productId = "CscGlobal";
+                if (EnableTemplateSync) productId = currentResponseItem?.CertificateType;
+
+                var fileContent =
+                    PreparePemTextFromApi(
+                        currentResponseItem?.Certificate ?? string.Empty);
+
+                if (fileContent.Length > 0)
+                {
+                    Logger.LogTrace($"File Content {fileContent}");
+                    var certData = fileContent.Replace("\r\n", string.Empty);
+                    var certString = GetEndEntityCertificate(certData);
+                    if (certString.Length > 0)
+                        blockingBuffer.Add(new AnyCAPluginCertificate
+                        {
+                            CARequestID = $"{currentResponseItem?.Uuid}",
+                            Certificate = certString,
+                            Status = certStatus,
+                            ProductID = productId
+                        }, cancelToken);
+                }
+            }
+        }
+    }
+
     //done
     public async Task<int> Revoke(string caRequestID, string hexSerialNumber, uint revocationReason)
     {
@@ -371,6 +394,13 @@ public Dictionary<string, PropertyConfigInfo> GetCAConnectorAnnotations()
                 Hidden = false,
                 DefaultValue = "false",
                 Type = "Bool"
+            },
+            [Constants.SyncFilterDays] = new()
+            {
+                Comments = "Number of days from today to filter certificates by expiration date during incremental sync.",
+                Hidden = false,
+                DefaultValue = "5",
+                Type = "Number"
             }
         };
     }

cscglobal-caplugin/Client/CscGlobalClient.cs

@@ -166,10 +166,16 @@ public async Task<RevokeResponse> SubmitRevokeCertificateAsync(string uuId)
         }
     }
 
-    public async Task<CertificateListResponse> SubmitCertificateListRequestAsync()
+    public async Task<CertificateListResponse> SubmitCertificateListRequestAsync(string? dateFilter = null)
     {
         Logger.MethodEntry(LogLevel.Debug);
-        var resp = RestClient.GetAsync("/dbs/api/v2/tls/certificate?filter=status=in=(ACTIVE,REVOKED)").Result;
+        var filterQuery = "filter=status=in=(ACTIVE,REVOKED)";
+        if (!string.IsNullOrEmpty(dateFilter))
+        {
+            filterQuery += $";expirationDate=ge={dateFilter}";
+        }
+        Logger.LogTrace($"Certificate list filter query: {filterQuery}");
+        var resp = RestClient.GetAsync($"/dbs/api/v2/tls/certificate?{filterQuery}").Result;
 
         if (!resp.IsSuccessStatusCode)
         {

cscglobal-caplugin/Constants.cs

@@ -14,6 +14,7 @@ public class Constants
     public static string BearerToken = "BearerToken";
     public static string DefaultPageSize = "DefaultPageSize";
     public static string TemplateSync = "TemplateSync";
+    public static string SyncFilterDays = "SyncFilterDays";
 }
 
 public class ProductIDs

cscglobal-caplugin/Interfaces/ICscGlobalClient.cs

@@ -24,7 +24,7 @@ Task<ReissueResponse> SubmitReissueAsync(
 
     Task<List<GetCustomField>> SubmitGetCustomFields();
 
-    Task<CertificateListResponse> SubmitCertificateListRequestAsync();
+    Task<CertificateListResponse> SubmitCertificateListRequestAsync(string? dateFilter = null);
 
     Task<RevokeResponse> SubmitRevokeCertificateAsync(string uuId);
 }