From 65b0b9f89ecb93d9fa060f77fe16261a92945112 Mon Sep 17 00:00:00 2001 From: Dave Galey <89407235+dgaley@users.noreply.github.com> Date: Thu, 19 Mar 2026 13:28:41 -0400 Subject: [PATCH 1/2] Release: 1.0.1 Signed-off-by: Morgan Gangwere Co-authored-by: Mark Kachkaev Co-authored-by: Keyfactor --- .../keyfactor-bootstrap-workflow-v3.yml | 20 --- .../keyfactor-bootstrap-workflow.yml | 29 +++ README.md | 18 +- .../Api/GlobalSignEnrollRequest.cs | 27 ++- .../Api/GlobalSignRenewRequest.cs | 25 ++- .../Client/GlobalSignApiClient.cs | 29 +-- globalsign-mssl-caplugin/Constants.cs | 4 + .../GlobalSignCAConfig.cs | 2 + .../GlobalSignCAPlugin.cs | 167 +++++++++++++++--- integration-manifest.json | 16 ++ 10 files changed, 273 insertions(+), 64 deletions(-) delete mode 100644 .github/workflows/keyfactor-bootstrap-workflow-v3.yml create mode 100644 .github/workflows/keyfactor-bootstrap-workflow.yml diff --git a/.github/workflows/keyfactor-bootstrap-workflow-v3.yml b/.github/workflows/keyfactor-bootstrap-workflow-v3.yml deleted file mode 100644 index 64919a4..0000000 --- a/.github/workflows/keyfactor-bootstrap-workflow-v3.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: Keyfactor Bootstrap Workflow - -on: - workflow_dispatch: - pull_request: - types: [opened, closed, synchronize, edited, reopened] - push: - create: - branches: - - 'release-*.*' - -jobs: - call-starter-workflow: - uses: keyfactor/actions/.github/workflows/starter.yml@v3 - secrets: - token: ${{ secrets.V2BUILDTOKEN}} - APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}} - gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }} - gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }} - scan_token: ${{ secrets.SAST_TOKEN }} diff --git a/.github/workflows/keyfactor-bootstrap-workflow.yml b/.github/workflows/keyfactor-bootstrap-workflow.yml new file mode 100644 index 0000000..56756c6 --- /dev/null +++ b/.github/workflows/keyfactor-bootstrap-workflow.yml @@ -0,0 +1,29 @@ +name: Keyfactor Bootstrap Workflow + +on: + workflow_dispatch: + pull_request: + types: [opened, closed, synchronize, edited, reopened] + push: + create: + branches: + - 'release-*.*' + +jobs: + call-starter-workflow: + uses: keyfactor/actions/.github/workflows/starter.yml@v4 + permissions: + contents: write # Explicitly grant write permission + with: + command_token_url: ${{ vars.COMMAND_TOKEN_URL }} + command_hostname: ${{ vars.COMMAND_HOSTNAME }} + command_base_api_path: ${{ vars.COMMAND_API_PATH }} + secrets: + token: ${{ secrets.V2BUILDTOKEN}} + gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }} + gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }} + scan_token: ${{ secrets.SAST_TOKEN }} + entra_username: ${{ secrets.DOCTOOL_ENTRA_USERNAME }} + entra_password: ${{ secrets.DOCTOOL_ENTRA_PASSWD }} + command_client_id: ${{ secrets.COMMAND_CLIENT_ID }} + command_client_secret: ${{ secrets.COMMAND_CLIENT_SECRET }} \ No newline at end of file diff --git a/README.md b/README.md index 35a37ad..d58ec3f 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@

- GlobalSign MSSL Gateway AnyCA Gateway REST Plugin + GlobalSign MSSL AnyCA Gateway REST Plugin

@@ -38,10 +38,10 @@ The GlobalSign CAPlugin enables the Synchronization, Enrollment, and Revocation ## Compatibility -The GlobalSign MSSL Gateway AnyCA Gateway REST plugin is compatible with the Keyfactor AnyCA Gateway REST 25.2.0 and later. +The GlobalSign MSSL AnyCA Gateway REST plugin is compatible with the Keyfactor AnyCA Gateway REST 25.2.0 and later. ## Support -The GlobalSign MSSL Gateway AnyCA Gateway REST plugin is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com. +The GlobalSign MSSL AnyCA Gateway REST plugin is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com. > To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. @@ -60,7 +60,7 @@ This extension uses the contact information of the GCC Domain point of contact f 1. Install the AnyCA Gateway REST per the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/InstallIntroduction.htm). -2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [GlobalSign MSSL Gateway AnyCA Gateway REST plugin](https://github.com/Keyfactor/globalsign-mssl-caplugin/releases/latest) from GitHub. +2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [GlobalSign MSSL AnyCA Gateway REST plugin](https://github.com/Keyfactor/globalsign-mssl-caplugin/releases/latest) from GitHub. 3. Copy the unzipped directory (usually called `net6.0` or `net8.0`) to the Extensions directory: @@ -71,11 +71,11 @@ This extension uses the contact information of the GCC Domain point of contact f Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net8.0\Extensions ``` - > The directory containing the GlobalSign MSSL Gateway AnyCA Gateway REST plugin DLLs (`net6.0` or `net8.0`) can be named anything, as long as it is unique within the `Extensions` directory. + > The directory containing the GlobalSign MSSL AnyCA Gateway REST plugin DLLs (`net6.0` or `net8.0`) can be named anything, as long as it is unique within the `Extensions` directory. 4. Restart the AnyCA Gateway REST service. -5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the GlobalSign MSSL Gateway plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal. +5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the GlobalSign MSSL plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal. ## Configuration @@ -103,8 +103,10 @@ This extension uses the contact information of the GCC Domain point of contact f * **RetryCount** - This is the number of times the AnyGateway will attempt to pickup an new certificate before reporting an error. Default is 5. * **SyncIntervalDays** - OPTIONAL: Required if SyncStartDate is used. Specifies how to page the certificate sync. Should be a value such that no interval of that length contains > 500 certificate enrollments. * **SyncStartDate** - If provided, full syncs will start at the specified date. + * **SyncProducts** - OPTIONAL: If provided as a comma-separated list of product IDs, will limit the certificate sync to only certificates of those products. If blank or not provided, will sync all certs. + * **Enabled** - Flag to Enable or Disable gateway functionality. Disabling is primarily used to allow creation of the CA prior to configuration information being available. -2. Define [Certificate Profiles](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCP-Gateway.htm) and [Certificate Templates](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Gateway.htm) for the Certificate Authority as required. One Certificate Profile must be defined per Certificate Template. It's recommended that each Certificate Profile be named after the Product ID. The GlobalSign MSSL Gateway plugin supports the following product IDs: +2. Define [Certificate Profiles](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCP-Gateway.htm) and [Certificate Templates](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Gateway.htm) for the Certificate Authority as required. One Certificate Profile must be defined per Certificate Template. It's recommended that each Certificate Profile be named after the Product ID. The GlobalSign MSSL plugin supports the following product IDs: * **PEV_SHA2** * **PEV** @@ -123,6 +125,8 @@ This extension uses the contact information of the GCC Domain point of contact f * **CertificateValidityInYears** - Number of years the certificate will be valid for * **SlotSize** - Maximum number of SANs that a certificate may have - valid values are [FIVE, TEN, FIFTEEN, TWENTY, THIRTY, FOURTY, FIFTY, ONE_HUNDRED] * **RootCAType** - The certificate's root CA - Depending on certificate expiration date, SHA_1 not be allowed. Will default to SHA_2 if expiration date exceeds sha1 allowed date. Options are GlobalSign R certs. + * **MSSLProfileId** - OPTIONAL: If specified, enrollments will use that profile ID for domain lookups. If not provided, domain lookup will be done based on the Common Name or first DNS SAN. Useful if your GlobalSign account has multiple domain objects with the same domain string, or subdomains (e.g. sub.test.com vs test.com). + * **ContactName** - The name of the contact to use for enrollments. Can be specified here or via an Enrollment Field in Command. Enrollment Fields will override any value supplied here. ## Valid GlobalSign SAN Usage diff --git a/globalsign-mssl-caplugin/Api/GlobalSignEnrollRequest.cs b/globalsign-mssl-caplugin/Api/GlobalSignEnrollRequest.cs index 9d4b16e..df91f0c 100644 --- a/globalsign-mssl-caplugin/Api/GlobalSignEnrollRequest.cs +++ b/globalsign-mssl-caplugin/Api/GlobalSignEnrollRequest.cs @@ -107,7 +107,32 @@ public BmV2PvOrderRequest Request continue; } - var entry = new SANEntry(); + string trimCN = CommonName, trimItem = item; + + if (CommonName.StartsWith("*.")) + { + trimCN = CommonName.Substring(2).ToLower(); + trimItem = item.ToLower(); + List equivs = new List { $"*.{trimCN}", $"www.{trimCN}", $"{trimCN}" }; + if (equivs.Contains(trimItem)) + { + Logger.LogInformation($"SAN Entry {item} is equivalent to CN ignoring wildcards or www prefix, removing from request"); + continue; + } + } + else if (CommonName.StartsWith("www.")) + { + trimCN = CommonName.Substring(4).ToLower(); + trimItem = item.ToLower(); + List equivs = new List { $"www.{trimCN}", $"{trimCN}" }; + if (equivs.Contains(trimItem)) + { + Logger.LogInformation($"SAN Entry {item} is equivalent to CN ignoring wildcards or www prefix, removing from request"); + continue; + } + } + + var entry = new SANEntry(); entry.SubjectAltName = item; var sb = new StringBuilder(); sb.Append("Adding SAN entry of type "); diff --git a/globalsign-mssl-caplugin/Api/GlobalSignRenewRequest.cs b/globalsign-mssl-caplugin/Api/GlobalSignRenewRequest.cs index 8ab88d7..117576c 100644 --- a/globalsign-mssl-caplugin/Api/GlobalSignRenewRequest.cs +++ b/globalsign-mssl-caplugin/Api/GlobalSignRenewRequest.cs @@ -53,8 +53,31 @@ public GlobalSignRenewRequest(GlobalSignCAConfig config, bool privateDomain, boo Logger.LogInformation($"SAN Entry {item} matches CN, removing from request"); continue; } + string trimCN = CommonName, trimItem = item; - var entry = new SANEntry(); + if (CommonName.StartsWith("*.")) + { + trimCN = CommonName.Substring(2).ToLower(); + trimItem = item.ToLower(); + List equivs = new List { $"*.{trimCN}", $"www.{trimCN}", $"{trimCN}" }; + if (equivs.Contains(trimItem)) + { + Logger.LogInformation($"SAN Entry {item} is equivalent to CN ignoring wildcards or www prefix, removing from request"); + continue; + } + } + else if (CommonName.StartsWith("www.")) + { + trimCN = CommonName.Substring(4).ToLower(); + trimItem = item.ToLower(); + List equivs = new List { $"www.{trimCN}", $"{trimCN}" }; + if (equivs.Contains(trimItem)) + { + Logger.LogInformation($"SAN Entry {item} is equivalent to CN ignoring wildcards or www prefix, removing from request"); + continue; + } + } + var entry = new SANEntry(); entry.SubjectAltName = item; var sb = new StringBuilder(); sb.Append("Adding SAN entry of type "); diff --git a/globalsign-mssl-caplugin/Client/GlobalSignApiClient.cs b/globalsign-mssl-caplugin/Client/GlobalSignApiClient.cs index 0c54492..ef4c468 100644 --- a/globalsign-mssl-caplugin/Client/GlobalSignApiClient.cs +++ b/globalsign-mssl-caplugin/Client/GlobalSignApiClient.cs @@ -26,6 +26,13 @@ public GlobalSignApiClient(GlobalSignCAConfig config, ILogger logger) Logger = logger; Config = config; // Logger = LogHandler.GetClassLogger(this.GetType()); + var enabled =config.Enabled; + if (!enabled) + { + Logger.LogWarning($"The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping config validation and MSSL Client creation..."); + Logger.MethodExit(); + return; + } QueryService = new GASV1Client { Endpoint = { Address = new EndpointAddress(config.GetUrl(GlobalSignServiceType.QUERY)), Name = "QUERY" } @@ -47,10 +54,8 @@ public async Task> GetCertificatesForSyncAsync( var results = new List(); if (fullSync) { - // If startDate is before year 2000, treat it as “since the dawn of time” - var from = startDate > new DateTime(2000, 1, 1) - ? startDate - : DateTime.MinValue; + + var from = startDate; var finalStop = DateTime.UtcNow; // first window @@ -72,8 +77,12 @@ public async Task> GetCertificatesForSyncAsync( } else { - // incremental sync since lastSync + // incremental sync since lastSync, unless lastSync is earlier than startDate, then use that var from = lastSync; + if (from < startDate) + { + from = startDate; + } var to = DateTime.UtcNow; results.AddRange( @@ -272,11 +281,11 @@ public async Task Enroll(GlobalSignEnrollRequest enrollRequest Logger.MethodEntry(); var rawRequest = enrollRequest.Request; Logger.LogTrace("Request details:"); - Logger.LogTrace($"Profile ID: {enrollRequest.MsslProfileId}"); - Logger.LogTrace($"Domain ID: {enrollRequest.MsslDomainId}"); + Logger.LogTrace($"Profile ID: {rawRequest.MSSLProfileID}"); + Logger.LogTrace($"Domain ID: {rawRequest.MSSLDomainID}"); Logger.LogTrace( - $"Contact Info: {enrollRequest.FirstName}, {enrollRequest.LastName}, {enrollRequest.Email}, {enrollRequest.Phone}"); - Logger.LogTrace($"SAN Count: {enrollRequest.SANs.Count()}"); + $"Contact Info: {rawRequest.ContactInfo.FirstName}, {rawRequest.ContactInfo.LastName}, {rawRequest.ContactInfo.Email}, {rawRequest.ContactInfo.Phone}"); + Logger.LogTrace($"SAN Count: {rawRequest.SANEntries.Count()}"); if (rawRequest.SANEntries.Count() > 0) Logger.LogTrace($"SANs: {string.Join(",", rawRequest.SANEntries.Select(s => s.SubjectAltName))}"); Logger.LogTrace($"Product Code: {rawRequest.OrderRequestParameter.ProductCode}"); @@ -284,7 +293,7 @@ public async Task Enroll(GlobalSignEnrollRequest enrollRequest if (!string.IsNullOrEmpty(rawRequest.OrderRequestParameter.BaseOption)) Logger.LogTrace($"Order Base Option: {rawRequest.OrderRequestParameter.BaseOption}"); - var requestwrapper = new PVOrder(enrollRequest.Request); + var requestwrapper = new PVOrder(rawRequest); var responsewrapper = await OrderService.PVOrderAsync(requestwrapper); ; var response = responsewrapper.Response; diff --git a/globalsign-mssl-caplugin/Constants.cs b/globalsign-mssl-caplugin/Constants.cs index 108da49..dbbcb43 100644 --- a/globalsign-mssl-caplugin/Constants.cs +++ b/globalsign-mssl-caplugin/Constants.cs @@ -21,6 +21,8 @@ internal class Constants public static string PICKUPDELAY = "DelayTime"; public static string SYNCSTARTDATE = "SyncStartDate"; public static string SYNCINTERNVALDAYS = "SyncIntervalDays"; + public static string SYNCPRODUCTS = "SyncProducts"; + public static string Enabled = "Enabled"; } public static class EnrollmentConfigConstants @@ -28,4 +30,6 @@ public static class EnrollmentConfigConstants public const string RootCAType = "RootCAType"; public const string SlotSize = "SlotSize"; public const string CertificateValidityInYears = "CertificateValidityInYears"; + public const string MSSLProfileId = "MSSLProfileId"; + public const string ContactName = "ContactName"; } \ No newline at end of file diff --git a/globalsign-mssl-caplugin/GlobalSignCAConfig.cs b/globalsign-mssl-caplugin/GlobalSignCAConfig.cs index 0340b09..ba52afe 100644 --- a/globalsign-mssl-caplugin/GlobalSignCAConfig.cs +++ b/globalsign-mssl-caplugin/GlobalSignCAConfig.cs @@ -32,7 +32,9 @@ public class GlobalSignCAConfig public string SyncStartDate { get; set; } = ""; public int SyncIntervalDays { get; set; } = 0; + public string SyncProducts { get; set; } = ""; + public bool Enabled { get; set; } = true; public string GetUrl(GlobalSignServiceType queryType) { diff --git a/globalsign-mssl-caplugin/GlobalSignCAPlugin.cs b/globalsign-mssl-caplugin/GlobalSignCAPlugin.cs index e4cfde3..d6ec046 100644 --- a/globalsign-mssl-caplugin/GlobalSignCAPlugin.cs +++ b/globalsign-mssl-caplugin/GlobalSignCAPlugin.cs @@ -23,16 +23,25 @@ public class GlobalSignCAPlugin : IAnyCAPlugin private ICertificateDataReader? _certificateDataReader; private ILogger Logger; - private GlobalSignCAConfig Config { get; set; } = new(); - + private GlobalSignCAConfig Config { get; set; } = new(); + private bool _enabled = false; public void Initialize(IAnyCAPluginConfigProvider configProvider, ICertificateDataReader certificateDataReader) { Logger = LogHandler.GetClassLogger(GetType()); Logger.MethodEntry(); + var enabledValue = configProvider.CAConnectionData["Enabled"]; + bool isEnabled = enabledValue is bool ? (bool)enabledValue : bool.Parse((string)enabledValue); + if (!isEnabled) + { + Logger.LogWarning($"The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping config validation and MSSL Client creation..."); + Logger.MethodExit(); + return; + } Config = new GlobalSignCAConfig { IsTest = bool.Parse((string)configProvider.CAConnectionData["TestAPI"]), + Enabled = isEnabled, Password = (string)configProvider.CAConnectionData["GlobalSignPassword"], Username = (string)configProvider.CAConnectionData["GlobalSignUsername"], PickupDelay = int.Parse((string)configProvider.CAConnectionData["DelayTime"]), @@ -83,15 +92,37 @@ public async Task Synchronize(BlockingCollection blockin if (Config == null) throw new InvalidOperationException("Config is not initialized."); var apiClient = new GlobalSignApiClient(Config, Logger); - var fullSyncFrom = new DateTime(2000, 01, 01); + var fullSyncFrom = DateTime.UtcNow.AddYears(-1); if (!string.IsNullOrEmpty(Config.SyncStartDate)) fullSyncFrom = DateTime.Parse(Config.SyncStartDate); var syncFrom = lastSync; var certs = await apiClient.GetCertificatesForSyncAsync(fullSync, syncFrom, fullSyncFrom, Config.SyncIntervalDays); + bool productFilter = false; + List products = null; + if (!string.IsNullOrEmpty(Config.SyncProducts)) + { + products = Config.SyncProducts.Split(',').ToList(); + products.ForEach(p => p.ToUpper()); + productFilter = true; + } + foreach (var c in certs) { + if (productFilter) + { + bool prodMatch = false; + if (c.OrderInfo?.ProductCode != null && products.Contains(c.OrderInfo.ProductCode.ToUpper())) + { + prodMatch = true; + } + if (!prodMatch) + { + Logger.LogInformation($"Found certificate with product code {c.OrderInfo?.ProductCode}, which does not match the filter criteria. Skipping."); + continue; + } + } var orderStatus = (GlobalSignOrderStatus)Enum.Parse(typeof(GlobalSignOrderStatus), c.CertificateInfo?.CertificateStatus ?? string.Empty); DateTime? subDate = DateTime.TryParse(c.OrderInfo?.OrderDate, out var orderDate) ? orderDate : null; @@ -237,6 +268,8 @@ public async Task Enroll(string csr, string subject, Dictionar if (sanDict.TryGetValue("ipaddress", out var ipSans)) Logger.LogTrace($"IP SAN Count: {ipSans.Length}"); + List matchedDomains = new List(); + // only try to resolve a domain if we don't already have a commonName if (string.IsNullOrWhiteSpace(commonName)) { @@ -247,16 +280,16 @@ public async Task Enroll(string csr, string subject, Dictionar if (string.IsNullOrWhiteSpace(ipSan)) continue; - var tempDomain = validDomains? - .FirstOrDefault(d => + var tempDomains = validDomains + .Where(d => !string.IsNullOrEmpty(d?.DomainName) && ipSan.EndsWith($".{d.DomainName}", StringComparison.OrdinalIgnoreCase) - ); + ).ToList(); - if (tempDomain != null) + if (tempDomains != null && tempDomains.Count > 0) { Logger.LogDebug($"ipSAN Domain match found for ipSAN: {ipSan}"); - domain = tempDomain; + matchedDomains = tempDomains; commonName = ipSan; break; } @@ -269,23 +302,23 @@ public async Task Enroll(string csr, string subject, Dictionar if (string.IsNullOrWhiteSpace(dnsSan)) continue; - var tempDomain = validDomains? - .FirstOrDefault(d => + var tempDomains = validDomains + .Where(d => !string.IsNullOrEmpty(d?.DomainName) && dnsSan.EndsWith(d.DomainName, StringComparison.OrdinalIgnoreCase) - ); + ).ToList(); - if (tempDomain != null) + if (tempDomains != null && tempDomains.Count > 0) { Logger.LogDebug($"SAN Domain match found for SAN: {dnsSan}"); - domain = tempDomain; + matchedDomains = tempDomains; commonName = dnsSan; break; } } } // If private domain skip domain resolution. - if (privateDomain) + else if (privateDomain) { var profiles = await apiClient.GetProfiles(); var fillProfile = profiles.FirstOrDefault(); @@ -302,18 +335,41 @@ public async Task Enroll(string csr, string subject, Dictionar } }; domain.MSSLProfileID = fillProfile.MSSLProfileId; + matchedDomains = new List { domain }; } // 3) Fallback: if we did obtain a commonName (or it was already set), try matching it - if (domain == null && !string.IsNullOrWhiteSpace(commonName)) - domain = validDomains? - .FirstOrDefault(d => + else if (domain == null && !string.IsNullOrWhiteSpace(commonName)) + matchedDomains = validDomains + .Where(d => !string.IsNullOrEmpty(d?.DomainName) && commonName.EndsWith(d.DomainName, StringComparison.OrdinalIgnoreCase) - ); - - - if (domain == null) throw new Exception("Unable to determine GlobalSign domain"); + ).ToList(); + + if (matchedDomains.Count == 1) + { + domain = matchedDomains[0]; + } + else + { + var profId = productInfo.ProductParameters["MSSLProfileID"]; + if (!string.IsNullOrEmpty(profId) ) + { + var tempDomain = matchedDomains.Where(d => + d.MSSLProfileID.Equals(profId, StringComparison.OrdinalIgnoreCase)).FirstOrDefault(); + if (tempDomain != null) + { + domain = tempDomain; + } + else + { + throw new Exception($"No domain matching common name {commonName} has provided MSSLProfileID of {profId}. Check configuration."); + } + } + } + + + if (domain == null) throw new Exception("Unable to determine GlobalSign domain"); @@ -426,6 +482,12 @@ public async Task Enroll(string csr, string subject, Dictionar public async Task Ping() { Logger.MethodEntry(); + if (!_enabled) + { + Logger.LogWarning($"The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping config validation and MSSL Client creation..."); + Logger.MethodExit(); + return; + } try { Logger.LogInformation("Ping reqeuest recieved"); @@ -443,6 +505,18 @@ public async Task ValidateCAConnectionInfo(Dictionary connection { Logger = LogHandler.GetClassLogger(GetType()); Logger.MethodEntry(); + + // Handle Enabled flag - could be bool or string + var enabledValue = connectionInfo["Enabled"]; + bool isEnabled = enabledValue is bool ? (bool)enabledValue : bool.Parse((string)enabledValue); + + if (!isEnabled) + { + Logger.LogWarning($"The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping validation..."); + Logger.MethodExit(LogLevel.Trace); + return; + } + Config = new GlobalSignCAConfig { IsTest = bool.Parse((string)connectionInfo["TestAPI"]), @@ -455,6 +529,7 @@ public async Task ValidateCAConnectionInfo(Dictionary connection ORDER_TEST_URL = (string)connectionInfo["OrderAPITestURL"], QUERY_TEST_URL = (string)connectionInfo["QueryAPITestURL"], QUERY_PROD_URL = (string)connectionInfo["QueryAPIProdURL"], + Enabled = isEnabled, SyncStartDate = connectionInfo.TryGetValue("SyncStartDate", out object? value) ? (string)value : string.Empty, SyncIntervalDays = connectionInfo.TryGetValue("SyncIntervalDays", out var val) @@ -470,6 +545,17 @@ public async Task ValidateCAConnectionInfo(Dictionary connection public Task ValidateProductInfo(EnrollmentProductInfo productInfo, Dictionary connectionInfo) { + // Handle Enabled flag - could be bool or string + var enabledValue = connectionInfo["Enabled"]; + bool isEnabled = enabledValue is bool ? (bool)enabledValue : bool.Parse((string)enabledValue); + + if (!isEnabled) + { + Logger.LogWarning($"The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping validation..."); + Logger.MethodExit(LogLevel.Trace); + return Task.CompletedTask; + } + Config = new GlobalSignCAConfig { IsTest = bool.Parse((string)connectionInfo["TestAPI"]), @@ -482,6 +568,7 @@ public Task ValidateProductInfo(EnrollmentProductInfo productInfo, Dictionary GetCAConnectorAnnotations() Comments = "If provided, full syncs will start at the specified date.", Hidden = false, - DefaultValue = "2000-01-01", - Type = "Integer" + DefaultValue = "", + Type = "String" + }, + [Constants.SYNCPRODUCTS] = new() + { + Comments = "OPTIONAL: If provided as a comma-separated list of product IDs, will limit the certificate sync to only certificates of those products. If blank or not provided, will sync all certs.", + Hidden = false, + DefaultValue = null, + Type = "String" + }, + [Constants.Enabled] = new() + { + Comments = "Flag to Enable or Disable gateway functionality. Disabling is primarily used to allow creation of the CA prior to configuration information being available.", + Hidden = false, + DefaultValue = true, + Type = "Boolean" } }; } @@ -605,7 +706,7 @@ public Dictionary GetTemplateParameterAnnotations() { Comments = "Number of years the certificate will be valid for", Hidden = false, - DefaultValue = "1", + DefaultValue = 1, Type = "Number" }, [EnrollmentConfigConstants.SlotSize] = new() @@ -623,7 +724,23 @@ public Dictionary GetTemplateParameterAnnotations() Hidden = false, DefaultValue = "GLOBALSIGN_ROOT_R3", Type = "String" - } + }, + [EnrollmentConfigConstants.MSSLProfileId] = new() + { + Comments = + "OPTIONAL: If specified, enrollments will use that profile ID for domain lookups. If not provided, domain lookup will be done based on the Common Name or first DNS SAN. Useful if your GlobalSign account has multiple domain objects with the same domain string, or subdomains (e.g. sub.test.com vs test.com).", + Hidden = false, + DefaultValue = null, + Type = "String" + }, + [EnrollmentConfigConstants.ContactName] = new() + { + Comments = + "The name of the contact to use for enrollments. Can be specified here or via an Enrollment Field in Command. Enrollment Fields will override any value supplied here.", + Hidden = false, + DefaultValue = "", + Type = "String" + } }; } diff --git a/integration-manifest.json b/integration-manifest.json index 49a628a..412b9e5 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -60,6 +60,14 @@ { "name": "SyncStartDate", "description": "If provided, full syncs will start at the specified date." + }, + { + "name": "SyncProducts", + "description": "OPTIONAL: If provided as a comma-separated list of product IDs, will limit the certificate sync to only certificates of those products. If blank or not provided, will sync all certs." + }, + { + "name": "Enabled", + "description": "Flag to Enable or Disable gateway functionality. Disabling is primarily used to allow creation of the CA prior to configuration information being available." } ], "enrollment_config": [ @@ -74,6 +82,14 @@ { "name": "RootCAType", "description": "The certificate's root CA - Depending on certificate expiration date, SHA_1 not be allowed. Will default to SHA_2 if expiration date exceeds sha1 allowed date. Options are GlobalSign R certs." + }, + { + "name": "MSSLProfileId", + "description": "OPTIONAL: If specified, enrollments will use that profile ID for domain lookups. If not provided, domain lookup will be done based on the Common Name or first DNS SAN. Useful if your GlobalSign account has multiple domain objects with the same domain string, or subdomains (e.g. sub.test.com vs test.com)." + }, + { + "name": "ContactName", + "description": "The name of the contact to use for enrollments. Can be specified here or via an Enrollment Field in Command. Enrollment Fields will override any value supplied here." } ], "product_ids": [ From b987fc64ad67530767841d4fe7b6155248e43125 Mon Sep 17 00:00:00 2001 From: Dave Galey <89407235+dgaley@users.noreply.github.com> Date: Thu, 30 Apr 2026 15:17:05 -0400 Subject: [PATCH 2/2] Dev 1.1 (#6) * Update to provide "Enabled" flag support for SAAS deployment. * Update generated docs * Fixing build. * Fixes for enabled. * Update generated docs * More fixes. * remove retry logic for reissue pickup * changelog * Update keyfactor-bootstrap-workflow.yml * Update keyfactor-bootstrap-workflow.yml --------- Co-authored-by: Mark Kachkaev Co-authored-by: Keyfactor --- .../keyfactor-bootstrap-workflow.yml | 13 +-- CHANGELOG.md | 5 +- .../Client/GlobalSignApiClient.cs | 100 ++++++++++-------- 3 files changed, 60 insertions(+), 58 deletions(-) diff --git a/.github/workflows/keyfactor-bootstrap-workflow.yml b/.github/workflows/keyfactor-bootstrap-workflow.yml index 56756c6..64919a4 100644 --- a/.github/workflows/keyfactor-bootstrap-workflow.yml +++ b/.github/workflows/keyfactor-bootstrap-workflow.yml @@ -11,19 +11,10 @@ on: jobs: call-starter-workflow: - uses: keyfactor/actions/.github/workflows/starter.yml@v4 - permissions: - contents: write # Explicitly grant write permission - with: - command_token_url: ${{ vars.COMMAND_TOKEN_URL }} - command_hostname: ${{ vars.COMMAND_HOSTNAME }} - command_base_api_path: ${{ vars.COMMAND_API_PATH }} + uses: keyfactor/actions/.github/workflows/starter.yml@v3 secrets: token: ${{ secrets.V2BUILDTOKEN}} + APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}} gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }} gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }} scan_token: ${{ secrets.SAST_TOKEN }} - entra_username: ${{ secrets.DOCTOOL_ENTRA_USERNAME }} - entra_password: ${{ secrets.DOCTOOL_ENTRA_PASSWD }} - command_client_id: ${{ secrets.COMMAND_CLIENT_ID }} - command_client_secret: ${{ secrets.COMMAND_CLIENT_SECRET }} \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md index faffcc3..95948b2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,2 +1,5 @@ v1.0 --Initial Release. \ No newline at end of file +-Initial Release. + +1.1 +Remove retry logic around reissue pickups \ No newline at end of file diff --git a/globalsign-mssl-caplugin/Client/GlobalSignApiClient.cs b/globalsign-mssl-caplugin/Client/GlobalSignApiClient.cs index ef4c468..8e3e6ad 100644 --- a/globalsign-mssl-caplugin/Client/GlobalSignApiClient.cs +++ b/globalsign-mssl-caplugin/Client/GlobalSignApiClient.cs @@ -157,64 +157,63 @@ public async Task PickupCertificateById(string caRequest } }; - var retryCounter = 0; - while (retryCounter <= Config.PickupRetries) + var wrapper = new GetOrderByOrderID(request); + var responseWrapper = await QueryService.GetOrderByOrderIDAsync(wrapper); + var response = responseWrapper.Response; + + if (response.OrderResponseHeader.SuccessCode == 0) { - var wrapper = new GetOrderByOrderID(request); - var responseWrapper = await QueryService.GetOrderByOrderIDAsync(wrapper); - var response = responseWrapper.Response; + Logger.LogDebug($"Order with order ID {caRequestId} successfully picked up"); + var orderStatus = (GlobalSignOrderStatus)Enum.Parse( + typeof(GlobalSignOrderStatus), + response.OrderDetail.CertificateInfo.CertificateStatus); - if (response.OrderResponseHeader.SuccessCode == 0) + if (orderStatus == GlobalSignOrderStatus.Issued) { - Logger.LogDebug($"Order with order ID {caRequestId} successfully picked up"); - var orderStatus = (GlobalSignOrderStatus)Enum.Parse( - typeof(GlobalSignOrderStatus), - response.OrderDetail.CertificateInfo.CertificateStatus); - - if (orderStatus == GlobalSignOrderStatus.Issued) + var orderDate = DateTime.TryParse( + response.OrderDetail.OrderInfo.OrderDate, + out var od) + ? od + : (DateTime?)null; + var completeDate = DateTime.TryParse( + response.OrderDetail.OrderInfo.OrderCompleteDate, + out var cd) + ? cd + : (DateTime?)null; + var deactivateDate = DateTime.TryParse( + response.OrderDetail.OrderInfo.OrderDeactivatedDate, + out var de) + ? de + : (DateTime?)null; + + Logger.MethodExit(); + return new AnyCAPluginCertificate { - var orderDate = DateTime.TryParse( - response.OrderDetail.OrderInfo.OrderDate, - out var od) - ? od - : (DateTime?)null; - var completeDate = DateTime.TryParse( - response.OrderDetail.OrderInfo.OrderCompleteDate, - out var cd) - ? cd - : (DateTime?)null; - var deactivateDate = DateTime.TryParse( - response.OrderDetail.OrderInfo.OrderDeactivatedDate, - out var de) - ? de - : (DateTime?)null; - - Logger.MethodExit(); - return new AnyCAPluginCertificate - { - CARequestID = caRequestId, - ProductID = response.OrderDetail.OrderInfo.ProductCode, - Status = OrderStatus.ConvertToKeyfactorStatus(orderStatus), - CSR = response.OrderDetail.Fulfillment.OriginalCSR, - Certificate = response.OrderDetail.Fulfillment.ServerCertificate.X509Cert, - RevocationReason = 0, - RevocationDate = orderStatus == GlobalSignOrderStatus.Revoked ? deactivateDate : null - }; - } + CARequestID = caRequestId, + ProductID = response.OrderDetail.OrderInfo.ProductCode, + Status = OrderStatus.ConvertToKeyfactorStatus(orderStatus), + CSR = response.OrderDetail.Fulfillment.OriginalCSR, + Certificate = response.OrderDetail.Fulfillment.ServerCertificate.X509Cert, + RevocationReason = 0, + RevocationDate = orderStatus == GlobalSignOrderStatus.Revoked ? deactivateDate : null + }; } - - retryCounter++; - Logger.LogDebug( - $"Pickup certificate failed for order ID {caRequestId}. Attempt {retryCounter} of {Config.PickupRetries}.{(retryCounter < Config.PickupRetries ? " Retrying..." : string.Empty)}"); - await Task.Delay(TimeSpan.FromSeconds(Config.PickupDelay)); } + Logger.LogInformation( + $"Certificate for order ID {caRequestId} was not immediately available. Once issued, it should be picked up by the next gateway sync."); + + var gsError = GlobalSignErrorIndex.GetGlobalSignError(-9916); var errorMsg = "Unable to pickup certificate during configured pickup window. Check for required approvals in GlobalSign portal. This can also be caused by a delay with GlobalSign, in which case the certificate will get picked up by a future sync"; Logger.LogError(errorMsg); Logger.LogError(gsError.DetailedMessage); - throw new Exception(errorMsg); + return new AnyCAPluginCertificate() + { + CARequestID = caRequestId, + Status = (int)EndEntityStatus.INPROCESS + }; } public async Task> GetDomains() @@ -418,6 +417,15 @@ public async Task Reissue(GlobalSignReissueRequest reissueRequ // Pick up the certificate after reissue var pickupResponse = await PickupCertificateById(response.OrderID); + + if (pickupResponse.Status == (int)EndEntityStatus.INPROCESS) + { + return new EnrollmentResult + { + CARequestID = response.OrderID, + Status = (int)EndEntityStatus.INPROCESS + }; + } var cert = CertificateConverterFactory.FromPEM(pickupResponse.Certificate).ToX509Certificate2(); // If newly generated or serial differs, return success