Merge pull request #25 from Keyfactor/syncfilter

Option to filter sync by division ID

Author: dgaley

digicert-certcentral-caplugin/API/ListCertificateOrders.cs

@@ -29,6 +29,7 @@ public ListCertificateOrdersRequest(bool ignoreExpired = false)
 
 		public bool ignoreExpired { get; set; }
 		public int expiredWindow { get; set; } = 0;
+		public string divID { get; set; } = string.Empty;
 
 		public new string BuildParameters()
 		{
@@ -37,6 +38,10 @@ public ListCertificateOrdersRequest(bool ignoreExpired = false)
 			sbParamters.Append("limit=").Append(this.limit.ToString());
 			sbParamters.Append("&offset=").Append(HttpUtility.UrlEncode(this.offset.ToString()));
 
+			if (!string.IsNullOrEmpty(divID))
+			{
+				sbParamters.Append("&filters[container_id]=").Append(this.divID);
+			}
 			if (ignoreExpired)
 			{
 				DateTime cutoffDate = DateTime.Today.AddDays(-1 - expiredWindow);

digicert-certcentral-caplugin/API/ViewCertificateOrder.cs

@@ -78,6 +78,9 @@ public ViewCertificateOrderResponse()
 		[JsonProperty("product")]
 		public Product product { get; set; }
 
+		[JsonProperty("container")]
+		public Container container { get; set; }
+
 		[JsonProperty("organization_contact")]
 		public Contact organization_contact { get; set; }
 

digicert-certcentral-caplugin/CertCentralCAPlugin.cs

@@ -411,6 +411,13 @@ public Dictionary<string, PropertyConfigInfo> GetCAConnectorAnnotations()
 					DefaultValue = "",
 					Type = "String"
 				},
+				[CertCentralConstants.Config.SYNC_DIV_FILTER] = new PropertyConfigInfo()
+				{
+					Comments = "If you list one or more Divison IDs (also known as Container IDs) here (comma-separated), the sync process will filter records to only return orders from those divisions. If you want to sync all divisions, leave this field empty. Note that this has no relationship to the value of the DivisionId config field.",
+					Hidden = false,
+					DefaultValue = "",
+					Type = "String"
+				},
 				[CertCentralConstants.Config.FILTER_EXPIRED] = new PropertyConfigInfo()
 				{
 					Comments = "If set to 'true', syncing will apply a filter to not return orders that are expired for longer than specified in SyncExpirationDays.",
@@ -700,10 +707,16 @@ public async Task Synchronize(BlockingCollection<AnyCAPluginCertificate> blockin
 
 			caList.ForEach(c => c.ToUpper());
 
+			List<string> divFilters = new List<string>() { "" };
+			if (!string.IsNullOrEmpty(_config.SyncDivisionFilter))
+			{
+				divFilters = new List<string>();
+				divFilters.AddRange(_config.SyncDivisionFilter.Split(','));
+			}
 
 			if (fullSync)
 			{
-				bool ignoreExpired = false; int expiredWindow = 0;
+				bool ignoreExpired = false; int expiredWindow = 0; 
 				if (_config.FilterExpiredOrders.HasValue && _config.FilterExpiredOrders.Value)
 				{
 					ignoreExpired = true;
@@ -712,50 +725,56 @@ public async Task Synchronize(BlockingCollection<AnyCAPluginCertificate> blockin
 						expiredWindow = _config.SyncExpirationDays.Value;
 					}
 				}
+
 				long time = DateTime.Now.Ticks;
 				long starttime = time;
 				_logger.LogDebug($"SYNC: Starting sync at time {time}");
-				ListCertificateOrdersResponse ordersResponse = client.ListAllCertificateOrders(ignoreExpired, expiredWindow);
-				if (ordersResponse.Status == CertCentralBaseResponse.StatusType.ERROR)
+				List<Order> allOrders = new List<Order>();
+				foreach (string div in divFilters)
 				{
-					Error error = ordersResponse.Errors[0];
-					_logger.LogError("Error in listing all certificate orders");
-					throw new Exception($"DigiCert CertCentral web service returned {error.code} - {error.message} when retrieving all rows");
+					ListCertificateOrdersResponse ordersResponse = client.ListAllCertificateOrders(ignoreExpired, expiredWindow, div);
+					if (ordersResponse.Status == CertCentralBaseResponse.StatusType.ERROR)
+					{
+						Error error = ordersResponse.Errors[0];
+						_logger.LogError("Error in listing all certificate orders");
+						throw new Exception($"DigiCert CertCentral web service returned {error.code} - {error.message} when retrieving all rows");
+					}
+					else
+					{
+						allOrders.AddRange(ordersResponse.orders);
+					}
 				}
-				else
+				_logger.LogDebug($"SYNC: Found {allOrders.Count} records");
+				foreach (var orderDetails in allOrders)
 				{
-					_logger.LogDebug($"SYNC: Found {ordersResponse.orders.Count} records");
-					foreach (var orderDetails in ordersResponse.orders)
+					List<AnyCAPluginCertificate> orderCerts = new List<AnyCAPluginCertificate>();
+					try
 					{
-						List<AnyCAPluginCertificate> orderCerts = new List<AnyCAPluginCertificate>();
-						try
+						cancelToken.ThrowIfCancellationRequested();
+						string caReqId = orderDetails.id + "-" + orderDetails.certificate.id;
+						_logger.LogDebug($"SYNC: Retrieving certs for order id {orderDetails.id}");
+						orderCerts = GetAllConnectorCertsForOrder(caReqId, caList, divFilters);
+						if (orderCerts == null || orderCerts.Count == 0)
 						{
-							cancelToken.ThrowIfCancellationRequested();
-							string caReqId = orderDetails.id + "-" + orderDetails.certificate.id;
-							_logger.LogDebug($"SYNC: Retrieving certs for order id {orderDetails.id}");
-							orderCerts = GetAllConnectorCertsForOrder(caReqId, caList);
-							if (orderCerts == null || orderCerts.Count == 0)
-							{
-								continue;
-							}
-							_logger.LogDebug($"SYNC: Retrieved {orderCerts.Count} certs at time {DateTime.Now.Ticks}");
-						}
-						catch
-						{
-							skippedOrders.Add(orderDetails.id.ToString());
-							_logger.LogWarning($"An error occurred attempting to sync order '{orderDetails.id}'. This order will be skipped.");
 							continue;
 						}
+						_logger.LogDebug($"SYNC: Retrieved {orderCerts.Count} certs at time {DateTime.Now.Ticks}");
+					}
+					catch
+					{
+						skippedOrders.Add(orderDetails.id.ToString());
+						_logger.LogWarning($"An error occurred attempting to sync order '{orderDetails.id}'. This order will be skipped.");
+						continue;
+					}
 
-						foreach (var cert in orderCerts)
-						{
-							certCount++;
-							blockingBuffer.Add(cert);
-						}
-
+					foreach (var cert in orderCerts)
+					{
+						certCount++;
+						blockingBuffer.Add(cert);
 					}
-					_logger.LogDebug($"SYNC: Complete after {DateTime.Now.Ticks - starttime} ticks");
+
 				}
+				_logger.LogDebug($"SYNC: Complete after {DateTime.Now.Ticks - starttime} ticks");
 			}
 			else
 			{
@@ -776,7 +795,7 @@ public async Task Synchronize(BlockingCollection<AnyCAPluginCertificate> blockin
 						{
 							cancelToken.ThrowIfCancellationRequested();
 							string caReqId = order.order_id + "-" + order.certificate_id;
-							orderCerts = GetAllConnectorCertsForOrder(caReqId, caList);
+							orderCerts = GetAllConnectorCertsForOrder(caReqId, caList, divFilters);
 							if (orderCerts == null || orderCerts.Count > 0)
 							{
 								continue;
@@ -1330,7 +1349,7 @@ string FormatSyncDate(DateTime? syncTime)
 		/// </summary>
 		/// <param name="caRequestID"></param>
 		/// <returns></returns>
-		private List<AnyCAPluginCertificate> GetAllConnectorCertsForOrder(string caRequestID, List<string> caFilterIds)
+		private List<AnyCAPluginCertificate> GetAllConnectorCertsForOrder(string caRequestID, List<string> caFilterIds, List<string> divIds)
 		{
 			_logger.MethodEntry(LogLevel.Trace);
 			// Split ca request id into order and cert id
@@ -1348,6 +1367,11 @@ private List<AnyCAPluginCertificate> GetAllConnectorCertsForOrder(string caReque
 				_logger.LogTrace($"Found order ID {orderId} that does not match SyncCAFilter. CA ID: {orderResponse.certificate.ca_cert.Id} Skipping...");
 				return null;
 			}
+			if (divIds != null && divIds.Count > 0 && !divIds.Contains(orderResponse.container.Id.ToString()))
+			{
+				_logger.LogTrace($"Found order ID {orderId} that does not match Division filter. Division ID: {orderResponse.container.Id.ToString()} Skipping...");
+				return null;
+			}
 
 			var orderCerts = GetAllCertsForOrder(orderId);
 

digicert-certcentral-caplugin/CertCentralConfig.cs

@@ -36,5 +36,6 @@ public List<string> SyncCAs
 
 		public bool? FilterExpiredOrders { get; set; }
 		public int? SyncExpirationDays { get; set; }
+		public string SyncDivisionFilter { get; set; }
 	}
 }

digicert-certcentral-caplugin/Client/CertCentralClient.cs

@@ -480,7 +480,7 @@ public DownloadCertificateByFormatResponse DownloadCertificateByFormat(DownloadC
 			return dlCertificateRequestResponse;
 		}
 
-		public ListCertificateOrdersResponse ListAllCertificateOrders(bool ignoreExpired = false, int expiredWindow = 0)
+		public ListCertificateOrdersResponse ListAllCertificateOrders(bool ignoreExpired = false, int expiredWindow = 0, string divId = "")
 		{
 			int batch = 1000;
 			ListCertificateOrdersResponse totalResponse = new ListCertificateOrdersResponse();
@@ -492,7 +492,8 @@ public ListCertificateOrdersResponse ListAllCertificateOrders(bool ignoreExpired
 					limit = batch,
 					offset = totalResponse.orders.Count,
 					ignoreExpired = ignoreExpired,
-					expiredWindow = expiredWindow
+					expiredWindow = expiredWindow,
+					divID = divId
 				};
 
 				CertCentralResponse response = Request(request, request.BuildParameters());

digicert-certcentral-caplugin/Constants.cs

@@ -28,6 +28,7 @@ public class Config
 			public const string REVOKE_CERT = "RevokeCertificateOnly";
 			public const string ENABLED = "Enabled";
 			public const string SYNC_CA_FILTER = "SyncCAFilter";
+			public const string SYNC_DIV_FILTER = "SyncDivisionFilter";
 			public const string FILTER_EXPIRED = "FilterExpiredOrders";
 			public const string SYNC_EXPIRATION_DAYS = "SyncExpirationDays";
 			public const string CERT_TYPE = "CertType";