Add sync product filter

Fixes for SAN duplications

Author: dgaley

globalsign-mssl-caplugin/Api/GlobalSignEnrollRequest.cs

@@ -107,7 +107,32 @@ public BmV2PvOrderRequest Request
                             continue;
                         }
 
-                        var entry = new SANEntry();
+						string trimCN = CommonName, trimItem = item;
+
+						if (CommonName.StartsWith("*."))
+						{
+							trimCN = CommonName.Substring(2).ToLower();
+							trimItem = item.ToLower();
+							List<string> equivs = new List<string> { $"*.{trimCN}", $"www.{trimCN}", $"{trimCN}" };
+							if (equivs.Contains(trimItem))
+							{
+								Logger.LogInformation($"SAN Entry {item} is equivalent to CN ignoring wildcards or www prefix, removing from request");
+								continue;
+							}
+						}
+						else if (CommonName.StartsWith("www."))
+						{
+							trimCN = CommonName.Substring(4).ToLower();
+							trimItem = item.ToLower();
+							List<string> equivs = new List<string> { $"www.{trimCN}", $"{trimCN}" };
+							if (equivs.Contains(trimItem))
+							{
+								Logger.LogInformation($"SAN Entry {item} is equivalent to CN ignoring wildcards or www prefix, removing from request");
+								continue;
+							}
+						}
+
+						var entry = new SANEntry();
                         entry.SubjectAltName = item;
                         var sb = new StringBuilder();
                         sb.Append("Adding SAN entry of type ");

globalsign-mssl-caplugin/Api/GlobalSignRenewRequest.cs

@@ -53,8 +53,31 @@ public GlobalSignRenewRequest(GlobalSignCAConfig config, bool privateDomain, boo
                             Logger.LogInformation($"SAN Entry {item} matches CN, removing from request");
                             continue;
                         }
+						string trimCN = CommonName, trimItem = item;
 
-                        var entry = new SANEntry();
+						if (CommonName.StartsWith("*."))
+						{
+							trimCN = CommonName.Substring(2).ToLower();
+							trimItem = item.ToLower();
+							List<string> equivs = new List<string> { $"*.{trimCN}", $"www.{trimCN}", $"{trimCN}" };
+							if (equivs.Contains(trimItem))
+							{
+								Logger.LogInformation($"SAN Entry {item} is equivalent to CN ignoring wildcards or www prefix, removing from request");
+								continue;
+							}
+						}
+						else if (CommonName.StartsWith("www."))
+						{
+							trimCN = CommonName.Substring(4).ToLower();
+							trimItem = item.ToLower();
+							List<string> equivs = new List<string> { $"www.{trimCN}", $"{trimCN}" };
+							if (equivs.Contains(trimItem))
+							{
+								Logger.LogInformation($"SAN Entry {item} is equivalent to CN ignoring wildcards or www prefix, removing from request");
+								continue;
+							}
+						}
+						var entry = new SANEntry();
                         entry.SubjectAltName = item;
                         var sb = new StringBuilder();
                         sb.Append("Adding SAN entry of type ");

globalsign-mssl-caplugin/Client/GlobalSignApiClient.cs

@@ -272,19 +272,19 @@ public async Task<EnrollmentResult> Enroll(GlobalSignEnrollRequest enrollRequest
         Logger.MethodEntry();
         var rawRequest = enrollRequest.Request;
         Logger.LogTrace("Request details:");
-        Logger.LogTrace($"Profile ID: {enrollRequest.MsslProfileId}");
-        Logger.LogTrace($"Domain ID: {enrollRequest.MsslDomainId}");
+        Logger.LogTrace($"Profile ID: {rawRequest.MSSLProfileID}");
+        Logger.LogTrace($"Domain ID: {rawRequest.MSSLDomainID}");
         Logger.LogTrace(
-            $"Contact Info: {enrollRequest.FirstName}, {enrollRequest.LastName}, {enrollRequest.Email}, {enrollRequest.Phone}");
-        Logger.LogTrace($"SAN Count: {enrollRequest.SANs.Count()}");
+            $"Contact Info: {rawRequest.ContactInfo.FirstName}, {rawRequest.ContactInfo.LastName}, {rawRequest.ContactInfo.Email}, {rawRequest.ContactInfo.Phone}");
+        Logger.LogTrace($"SAN Count: {rawRequest.SANEntries.Count()}");
         if (rawRequest.SANEntries.Count() > 0)
             Logger.LogTrace($"SANs: {string.Join(",", rawRequest.SANEntries.Select(s => s.SubjectAltName))}");
         Logger.LogTrace($"Product Code: {rawRequest.OrderRequestParameter.ProductCode}");
         Logger.LogTrace($"Order Kind: {rawRequest.OrderRequestParameter.OrderKind}");
         if (!string.IsNullOrEmpty(rawRequest.OrderRequestParameter.BaseOption))
             Logger.LogTrace($"Order Base Option: {rawRequest.OrderRequestParameter.BaseOption}");
 
-        var requestwrapper = new PVOrder(enrollRequest.Request);
+        var requestwrapper = new PVOrder(rawRequest);
         var responsewrapper = await OrderService.PVOrderAsync(requestwrapper);
         ;
         var response = responsewrapper.Response;

globalsign-mssl-caplugin/Constants.cs

@@ -21,11 +21,13 @@ internal class Constants
     public static string PICKUPDELAY = "DelayTime";
     public static string SYNCSTARTDATE = "SyncStartDate";
     public static string SYNCINTERNVALDAYS = "SyncIntervalDays";
+	public static string SYNCPRODUCTS = "SyncProducts";
 }
 
 public static class EnrollmentConfigConstants
 {
     public const string RootCAType = "RootCAType";
     public const string SlotSize = "SlotSize";
-    public const string CertificateValidityInYears = "CertificateValidityInYears";
+    public const string CertificateValidityInDays = "CertificateValidityInDays";
+	public const string MSSLProfileId = "MSSLProfileId";
 }

globalsign-mssl-caplugin/GlobalSignCAConfig.cs

@@ -32,6 +32,7 @@ public class GlobalSignCAConfig
 
     public string SyncStartDate { get; set; } = "";
     public int SyncIntervalDays { get; set; } = 0;
+	public string SyncProducts { get; set; } = "";
 
 
     public string GetUrl(GlobalSignServiceType queryType)

globalsign-mssl-caplugin/GlobalSignCAPlugin.cs

@@ -90,8 +90,30 @@ public async Task Synchronize(BlockingCollection<AnyCAPluginCertificate> blockin
             var certs = await apiClient.GetCertificatesForSyncAsync(fullSync, syncFrom, fullSyncFrom,
                 Config.SyncIntervalDays);
 
+			bool productFilter = false;
+			List<string> products = null;
+			if (!string.IsNullOrEmpty(Config.SyncProducts))
+			{
+				products = Config.SyncProducts.Split(',').ToList();
+				products.ForEach(p => p.ToUpper());
+				productFilter = true;
+			}
+
             foreach (var c in certs)
             {
+				if (productFilter)
+				{
+					bool prodMatch = false;
+					if (c.OrderInfo?.ProductCode != null && products.Contains(c.OrderInfo.ProductCode.ToUpper()))
+					{
+						prodMatch = true;
+					}
+					if (!prodMatch)
+					{
+						Logger.LogInformation($"Found certificate with product code {c.OrderInfo?.ProductCode}, which does not match the filter criteria. Skipping.");
+						continue;
+					}
+				}
                 var orderStatus = (GlobalSignOrderStatus)Enum.Parse(typeof(GlobalSignOrderStatus),
                     c.CertificateInfo?.CertificateStatus ?? string.Empty);
                 DateTime? subDate = DateTime.TryParse(c.OrderInfo?.OrderDate, out var orderDate) ? orderDate : null;
@@ -237,6 +259,8 @@ public async Task<EnrollmentResult> Enroll(string csr, string subject, Dictionar
             if (sanDict.TryGetValue("ipaddress", out var ipSans))
                 Logger.LogTrace($"IP SAN Count: {ipSans.Length}");
 
+			List<GetDomainsDomainDetail> matchedDomains = new List<GetDomainsDomainDetail>();
+
             // only try to resolve a domain if we don't already have a commonName
             if (string.IsNullOrWhiteSpace(commonName))
             {
@@ -247,16 +271,16 @@ public async Task<EnrollmentResult> Enroll(string csr, string subject, Dictionar
                         if (string.IsNullOrWhiteSpace(ipSan))
                             continue;
 
-                        var tempDomain = validDomains?
-                            .FirstOrDefault(d =>
+                        var tempDomains = validDomains
+                            .Where(d =>
                                 !string.IsNullOrEmpty(d?.DomainName) &&
                                 ipSan.EndsWith($".{d.DomainName}", StringComparison.OrdinalIgnoreCase)
-                            );
+                            ).ToList();
 
-                        if (tempDomain != null)
+                        if (tempDomains != null && tempDomains.Count > 0)
                         {
                             Logger.LogDebug($"ipSAN Domain match found for ipSAN: {ipSan}");
-                            domain = tempDomain;
+                            matchedDomains = tempDomains;
                             commonName = ipSan;
                             break;
                         }
@@ -269,23 +293,23 @@ public async Task<EnrollmentResult> Enroll(string csr, string subject, Dictionar
                         if (string.IsNullOrWhiteSpace(dnsSan))
                             continue;
 
-                        var tempDomain = validDomains?
-                            .FirstOrDefault(d =>
+                        var tempDomains = validDomains
+                            .Where(d =>
                                 !string.IsNullOrEmpty(d?.DomainName) &&
                                 dnsSan.EndsWith(d.DomainName, StringComparison.OrdinalIgnoreCase)
-                            );
+                            ).ToList();
 
-                        if (tempDomain != null)
+                        if (tempDomains != null && tempDomains.Count > 0)
                         {
                             Logger.LogDebug($"SAN Domain match found for SAN: {dnsSan}");
-                            domain = tempDomain;
+                            matchedDomains = tempDomains;
                             commonName = dnsSan;
                             break;
                         }
                     }
             }
             // If private domain skip domain resolution.
-            if (privateDomain)
+            else if (privateDomain)
             {
                 var profiles = await apiClient.GetProfiles();
                 var fillProfile = profiles.FirstOrDefault();
@@ -302,18 +326,41 @@ public async Task<EnrollmentResult> Enroll(string csr, string subject, Dictionar
                     }
                 };
                 domain.MSSLProfileID = fillProfile.MSSLProfileId;
+				matchedDomains = new List<GetDomainsDomainDetail> { domain };
             }
 
             // 3) Fallback: if we did obtain a commonName (or it was already set), try matching it
-            if (domain == null && !string.IsNullOrWhiteSpace(commonName))
-                domain = validDomains?
-                    .FirstOrDefault(d =>
+            else if (domain == null && !string.IsNullOrWhiteSpace(commonName))
+                matchedDomains = validDomains
+                    .Where(d =>
                         !string.IsNullOrEmpty(d?.DomainName) &&
                         commonName.EndsWith(d.DomainName, StringComparison.OrdinalIgnoreCase)
-                    );
-
-
-            if (domain == null) throw new Exception("Unable to determine GlobalSign domain");
+                    ).ToList();
+
+			if (matchedDomains.Count == 1)
+			{
+				domain = matchedDomains[0];
+			}
+			else
+			{
+				var profId = productInfo.ProductParameters["MSSLProfileID"];
+				if (!string.IsNullOrEmpty(profId) )
+				{
+					var tempDomain = matchedDomains.Where(d =>
+														d.MSSLProfileID.Equals(profId, StringComparison.OrdinalIgnoreCase)).FirstOrDefault();
+					if (tempDomain != null)
+					{
+						domain = tempDomain;
+					}
+					else
+					{
+						throw new Exception($"No domain matching common name {commonName} has provided MSSLProfileID of {profId}. Check configuration.");
+					}
+				}
+			}
+
+
+			if (domain == null) throw new Exception("Unable to determine GlobalSign domain");
 
 
 
@@ -592,7 +639,14 @@ public Dictionary<string, PropertyConfigInfo> GetCAConnectorAnnotations()
                 Hidden = false,
                 DefaultValue = "2000-01-01",
                 Type = "Integer"
-            }
+            },
+			[Constants.SYNCPRODUCTS] = new()
+			{
+				Comments = "OPTIONAL: If provided as a comma-separated list of product IDs, will limit the certificate sync to only certificates of those products. If blank or not provided, will sync all certs.",
+				Hidden = false,
+				DefaultValue = null,
+				Type = "String"
+			}
         };
     }
 
@@ -601,11 +655,11 @@ public Dictionary<string, PropertyConfigInfo> GetTemplateParameterAnnotations()
     {
         return new Dictionary<string, PropertyConfigInfo>
         {
-            [EnrollmentConfigConstants.CertificateValidityInYears] = new()
+            [EnrollmentConfigConstants.CertificateValidityInDays] = new()
             {
-                Comments = "Number of years the certificate will be valid for",
+                Comments = "Number of days the certificate will be valid for",
                 Hidden = false,
-                DefaultValue = "1",
+                DefaultValue = "199",
                 Type = "Number"
             },
             [EnrollmentConfigConstants.SlotSize] = new()
@@ -623,7 +677,15 @@ public Dictionary<string, PropertyConfigInfo> GetTemplateParameterAnnotations()
                 Hidden = false,
                 DefaultValue = "GLOBALSIGN_ROOT_R3",
                 Type = "String"
-            }
+            },
+			[EnrollmentConfigConstants.MSSLProfileId] = new()
+			{
+				Comments =
+					"OPTIONAL: If specified, enrollments will use that profile ID for domain lookups. If not provided, domain lookup will be done based on the Common Name or first DNS SAN. Useful if your GlobalSign account has multiple domain objects with the same domain string, or subdomains (e.g. sub.test.com vs test.com).",
+				Hidden = false,
+				DefaultValue = null,
+				Type = "String"
+			}
         };
     }