Merge branch 'ab#84816' into release-1.2

Author: leefine02

GCPSecretManager/GCPClient.cs

@@ -1,16 +1,16 @@
-using Google.Api.Gax.ResourceNames;
-using Google.Cloud.SecretManager.V1;
+using Google.Api.Gax;
+using Google.Api.Gax.ResourceNames;
 using Google.Cloud.ResourceManager.V3;
-
-using Microsoft.Extensions.Logging;
-
+using Google.Cloud.SecretManager.V1;
+using Google.Protobuf.Collections;
+using Google.Protobuf.WellKnownTypes;
 using Keyfactor.Logging;
-
+using Microsoft.Extensions.Logging;
 using System;
 using System.Collections.Generic;
 using System.Linq;
-using Google.Api.Gax;
-using System.Xml.Linq;
+using System.Reflection;
+using System.Reflection.Metadata;
 
 namespace Keyfactor.Extensions.Orchestrator.GCPSecretManager
 {
@@ -80,16 +80,26 @@ public List<string> GetSecretNames()
             return rtnSecrets;
         }
 
-        public string GetCertificateEntry(string name)
+        public SecretWithLabels GetCertificateEntry(string name)
         {
             _logger.MethodEntry(LogLevel.Debug);
 
-            string rtnValue;
+            SecretWithLabels rtnValue = new SecretWithLabels();
 
             try
             {
                 AccessSecretVersionResponse version = Client.AccessSecretVersion(new AccessSecretVersionRequest() { Name = name + "/versions/latest" });
-                rtnValue = version.Payload.Data.ToStringUtf8();
+                rtnValue.Secret = version.Payload.Data.ToStringUtf8();
+                rtnValue.Labels = string.Empty;
+
+                Secret secret = GetSecret(name);
+                List<string> labelsString = new List<string>();
+                foreach(var label in secret.Labels)
+                {
+                    labelsString.Add($"{label.Key}:{label.Value}");
+                }
+                if (labelsString.Count > 0)
+                    rtnValue.Labels = string.Join(",", labelsString.ToArray());
             }
             catch (Exception ex)
             {
@@ -104,21 +114,19 @@ public string GetCertificateEntry(string name)
             return rtnValue;
         }
 
-        public string GetSecret(string alias)
+        public Secret GetSecret(string alias)
         {
             _logger.MethodEntry(LogLevel.Debug);
             string rtnValue = string.Empty;
 
             try
             { 
-                var secret = Client.GetSecret(
+                return Client.GetSecret(
                     new GetSecretRequest()
                     {
                         SecretName = SecretName.FromProjectSecret(ProjectId, alias)
                     }
                 );
-
-                rtnValue = secret.Name;
             }
             catch (Exception ex)
             {
@@ -129,14 +137,14 @@ public string GetSecret(string alias)
             {
                 _logger.MethodExit(LogLevel.Debug);
             }
-
-            return rtnValue;
         }
 
-        public void AddSecret(string alias, string secretContent, bool entryExists)
+        public bool AddSecret(string alias, string secretContent, bool entryExists, string labels = null, List<ReplicationRegion> replicationRegions = null, TimeSpan? ttlDuration = null, TimeSpan? versionDestroyTtlDuration = null)
         {
             _logger.MethodEntry(LogLevel.Debug);
 
+            bool rtnWarning = false;
+
             try
             {
                 SecretName secretName = new SecretName(ProjectId, alias);
@@ -149,12 +157,38 @@ public void AddSecret(string alias, string secretContent, bool entryExists)
                     CreateSecretRequest secretRequest = new CreateSecretRequest();
                     secretRequest.ParentAsProjectName = new ProjectName(ProjectId);
                     secretRequest.SecretId = alias;
-                    secretRequest.Secret = new Secret { Replication = new Replication { Automatic = new Replication.Types.Automatic() } };
+
+                    secretRequest.Secret = new Secret();
+                    if (ttlDuration.HasValue) secretRequest.Secret.Ttl = Duration.FromTimeSpan(ttlDuration.Value);
+                    if (versionDestroyTtlDuration.HasValue) secretRequest.Secret.VersionDestroyTtl = Duration.FromTimeSpan(versionDestroyTtlDuration.Value);
+                    if (replicationRegions == null || replicationRegions.Count == 0)
+                    {
+                        secretRequest.Secret.Replication = new Replication { Automatic = new Replication.Types.Automatic() };
+                    }
+                    else
+                    {
+                        secretRequest.Secret.Replication = new Replication { UserManaged = new Replication.Types.UserManaged() };
+
+                        foreach (ReplicationRegion replicationRegion in replicationRegions)
+                        {
+                            Replication.Types.UserManaged.Types.Replica replica = new Replication.Types.UserManaged.Types.Replica();
+                            replica.Location = replicationRegion.Region;
+                            if (replicationRegion.KmsKeyPath != null)
+                                replica.CustomerManagedEncryption = new CustomerManagedEncryption() { KmsKeyName = replicationRegion.KmsKeyPath };
+
+                            secretRequest.Secret.Replication.UserManaged.Replicas.Add(replica);
+                        }
+                    }
+
+                    AssignLabels(labels, secretRequest.Secret.Labels);
 
                     Secret secret = Client.CreateSecret(secretRequest);
                 }
 
                 //create new version
+                ClearSecretFields(alias, labels != null, ttlDuration.HasValue, versionDestroyTtlDuration.HasValue);
+                UpdateSecretFields(alias, labels, ttlDuration, versionDestroyTtlDuration);
+
                 AddSecretVersionRequest secretVersionRequest = new AddSecretVersionRequest();
                 secretVersionRequest.ParentAsSecretName = secretName;
                 secretVersionRequest.Payload = new SecretPayload { Data = Google.Protobuf.ByteString.CopyFromUtf8(secretContent) };
@@ -170,6 +204,8 @@ public void AddSecret(string alias, string secretContent, bool entryExists)
             {
                 _logger.MethodExit(LogLevel.Debug);
             }
+
+            return rtnWarning;
         }
 
         public void DeleteCertificate(string name)
@@ -317,10 +353,10 @@ public List<TagValue> GetTagValues(string tagName)
             return rtnValues;
         }
 
-        public Dictionary<string, object> GetSecretTags(string secretResource)
+        public string GetSecretTags(string secretResource)
         {
             _logger.MethodEntry(LogLevel.Debug);
-            Dictionary<string, object> rtnValue = new Dictionary<string, object>();
+            string rtnValue = string.Empty;
             List<string> tagPairs = new List<string>();
 
             ListTagBindingsRequest request = new ListTagBindingsRequest()
@@ -349,7 +385,7 @@ public Dictionary<string, object> GetSecretTags(string secretResource)
             }
 
             if (tagPairs.Count > 0)
-                rtnValue.Add("tags", string.Join(",", tagPairs));
+                rtnValue = string.Join(",", tagPairs);
 
             return rtnValue;
         }
@@ -364,7 +400,7 @@ public void SetSecretTag(string alias, string tagValue)
                 {
                     TagBinding = new TagBinding()
                     {
-                        Parent = $"{ResourcePrefix}{GetSecret(alias)}",
+                        Parent = $"{ResourcePrefix}{GetSecret(alias).Name}",
                         TagValue = tagValue
                     }
                 });
@@ -380,14 +416,121 @@ public void SetSecretTag(string alias, string tagValue)
             }
         }
 
+        public void ClearSecretFields(string alias, bool clearLabels, bool clearTtl, bool clearVersionDestroyTtl)
+        {
+            _logger.MethodEntry(LogLevel.Debug);
+
+            Secret secret = new Secret { SecretName = new SecretName(ProjectId, alias) };
+
+            FieldMask updateMask = new FieldMask();
+            if (clearLabels)
+            {
+                updateMask.Paths.Add("labels");
+                secret.Labels.Clear();
+            }
+
+            if (clearTtl)
+            {
+                updateMask.Paths.Add("ttl");
+                secret.Ttl = null;
+            }
+
+            if (clearVersionDestroyTtl)
+            {
+                updateMask.Paths.Add("version_destroy_ttl");
+                secret.VersionDestroyTtl = null;
+            }
+
+            try
+            {
+                var updatedSecret = Client.UpdateSecret(secret, updateMask);
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(ex.Message);
+                throw;
+            }
+            finally
+            {
+                _logger.MethodExit(LogLevel.Debug);
+            }
+        }
+
+        public void UpdateSecretFields(string alias, string labels, TimeSpan? ttlDuration, TimeSpan? versionDestroyTtlDuration)
+        {
+            _logger.MethodEntry(LogLevel.Debug);
+
+            Secret secret = new Secret { SecretName = new SecretName(ProjectId, alias) };
+
+            FieldMask updateMask = new FieldMask();
+            if (!string.IsNullOrEmpty(labels))
+            {
+                updateMask.Paths.Add("labels");
+                AssignLabels(labels, secret.Labels);
+            }
+
+            if (ttlDuration.HasValue)
+            {
+                updateMask.Paths.Add("ttl");
+                secret.Ttl = Duration.FromTimeSpan(ttlDuration.Value);
+            }
+
+            if (versionDestroyTtlDuration.HasValue)
+            {
+                updateMask.Paths.Add("version_destroy_ttl");
+                secret.VersionDestroyTtl = Duration.FromTimeSpan(versionDestroyTtlDuration.Value);
+            }
+
+            try
+            {
+                var updatedSecret = Client.UpdateSecret(secret, updateMask);
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(ex.Message);
+                throw;
+            }
+            finally
+            {
+                _logger.MethodExit(LogLevel.Debug);
+            }
+        }
+
         private string GetOrganizationFromProject()
         {
+            _logger.MethodEntry(LogLevel.Debug);
+
             string organization = string.Empty;
 
-            Project project = ProjectsClient.GetProject(new GetProjectRequest() { ProjectName = ProjectName.FromProject(ProjectId) });
-            organization = project.Parent;
+            try
+            {
+                Project project = ProjectsClient.GetProject(new GetProjectRequest() { ProjectName = ProjectName.FromProject(ProjectId) });
+                organization = project.Parent;
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(ex.Message);
+                throw;
+            }
+            finally
+            {
+                _logger.MethodExit(LogLevel.Debug);
+            }
 
             return organization.Substring(organization.IndexOf("/") + 1);
         }
+
+        private void AssignLabels(string labels, MapField<string, string> labelMap)
+        {
+            List<(string, string)> labelsList = labels != null ? null :
+                labels.Split(',', StringSplitOptions.RemoveEmptyEntries)
+                .Select(pair => pair.Split(':', 2))
+                .Where(parts => parts.Length == 2)
+                .Select(parts => (Key: parts[0].Trim(), Value: parts[1].Trim()))
+                .ToList();
+
+            foreach (var label in labelsList)
+                labelMap[label.Item1] = label.Item2;
+        }
     }
 }

GCPSecretManager/Inventory.cs

@@ -44,7 +44,7 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
                 List<string> secretNames = client.GetSecretNames();
                 foreach(string secretName in secretNames)
                 {
-                    string certificateEntry = string.Empty;
+                    SecretWithLabels certificateEntry = new SecretWithLabels();
                     try
                     {
                         certificateEntry = client.GetCertificateEntry(secretName);
@@ -55,9 +55,25 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
                         continue;
                     }
 
-                    if (!CertificateFormatter.IsValid(certificateEntry))
+                    if (!CertificateFormatter.IsValid(certificateEntry.Secret))
                         continue;
-                    string[] certificateChain = CertificateFormatter.ConvertSecretToCertificateChain(certificateEntry);
+                    string[] certificateChain = CertificateFormatter.ConvertSecretToCertificateChain(certificateEntry.Secret);
+
+                    string secretTags = string.Empty;
+                    try
+                    {
+                        secretTags = client.GetSecretTags(secretName);
+                    }
+                    catch (Exception)
+                    {
+                        hasWarnings = true;
+                    }
+
+                    Dictionary<string, object> entryParameters = new()
+                    {
+                        { "tags", secretTags },
+                        { "labels", certificateEntry.Labels }
+                    };
 
                     Dictionary<string, object> secretTags = new Dictionary<string, object>();
                     try
@@ -74,10 +90,10 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
                     {
                         ItemStatus = OrchestratorInventoryItemStatus.Unknown,
                         Alias = secretName.Substring(secretName.LastIndexOf("/") + 1),
-                        PrivateKeyEntry = CertificateFormatter.HasPrivateKey(certificateEntry),
+                        PrivateKeyEntry = CertificateFormatter.HasPrivateKey(certificateEntry.Secret),
                         UseChainLevel = certificateChain.Length > 1,
                         Certificates = certificateChain,
-                        Parameters = secretTags
+                        Parameters = entryParameters
                     });
                 }
             }

GCPSecretManager/JobBase.cs

@@ -1,8 +1,11 @@
-using Keyfactor.Logging;
+using Google.Protobuf.WellKnownTypes;
+using Keyfactor.Logging;
 using Keyfactor.Orchestrators.Extensions;
 using Keyfactor.Orchestrators.Extensions.Interfaces;
 using Microsoft.Extensions.Logging;
 using Newtonsoft.Json;
+using System;
+using System.Collections.Generic;
 
 namespace Keyfactor.Extensions.Orchestrator.GCPSecretManager
 {
@@ -16,6 +19,7 @@ public class JobBase
         internal string PasswordSecretSuffix { get; set; }
         internal bool IncludeChain { get; set; }
 
+
         internal void Initialize(CertificateStore certificateStoreDetails)
         {
             Logger.MethodEntry(LogLevel.Debug);