got revoke working, better logging

Author: joevanwanzeeleKF

cert_util.go

@@ -94,21 +94,26 @@ func (b *keyfactorBackend) submitCSR(ctx context.Context, req *logical.Request,
 		Metadata:             metadataMap,
 		Timestamp:            &time,
 		Template:             *v1.NewNullableString(&templateName),
-		SANs:                 make(map[string][]string),
 	}
 
 	// SANs parameter
 	b.Logger().Debug(fmt.Sprintf("ip_sans = %s", ip_sans))
 	b.Logger().Debug(fmt.Sprintf("dns_sans = %s", dns_sans))
 
+	sans := make(map[string][]string)
+
 	if len(ip_sans) > 0 {
-		enrollmentRequest.SANs["ip"] = ip_sans
+		sans["ip"] = ip_sans
 	}
 
 	if len(dns_sans) > 0 {
-		enrollmentRequest.SANs["dns"] = dns_sans
+		sans["dns"] = dns_sans
 	}
 
+	enrollmentRequest.SANs = sans
+
+	enrollmentRequest.SetSANs(sans)
+
 	reqMap := make(map[string]interface{})
 	reqMap, err = enrollmentRequest.ToMap()
 
@@ -117,6 +122,7 @@ func (b *keyfactorBackend) submitCSR(ctx context.Context, req *logical.Request,
 	}
 
 	b.Logger().Debug(fmt.Sprintf("request body: %s", reqMap))
+	b.Logger().Debug(fmt.Sprintf("sans parameter: %s", enrollmentRequest.GetSANs()))
 
 	// Send request and check status
 
@@ -162,6 +168,7 @@ func (b *keyfactorBackend) submitCSR(ctx context.Context, req *logical.Request,
 	// store the certificate
 
 	normalizedSerial := *serial.Get()
+	normalizedSerial = strings.ToUpper(normalizedSerial)
 
 	key := "certs/" + normalizedSerial
 
@@ -182,6 +189,8 @@ func (b *keyfactorBackend) submitCSR(ctx context.Context, req *logical.Request,
 		return nil, "", err
 	}
 
+	b.Logger().Debug(fmt.Sprintf("writing the Keyfactor ID to storage for future operations: key = %s, value = %s", kfIdEntry.Key, kfIdEntry.Value))
+
 	err = req.Storage.Put(ctx, kfIdEntry)
 	if err != nil {
 		return nil, "", fmt.Errorf("unable to store the keyfactor ID for the certificate locally: {{err}}", err)
@@ -392,14 +401,14 @@ func fetchCertIssuedByCA(ctx context.Context, req *logical.Request, b *keyfactor
 	certs, httpResponse, err := apiRequest.ApiService.GetCertificatesExecute(getCertRequest)
 
 	if err != nil {
-		b.Logger().Info("failed getting cert: {{err}}", err)
+		b.Logger().Info(fmt.Sprintf("failed getting cert: %s", err.Error()))
 		return nil, err
 	}
 
 	if httpResponse.StatusCode != 200 {
 		b.Logger().Error("request failed: server returned" + fmt.Sprint(httpResponse.StatusCode))
 		b.Logger().Error("Error response = " + fmt.Sprint(httpResponse.Body))
-		return nil, fmt.Errorf("error downloading certificate. returned status = %d\n ", httpResponse.StatusCode)
+		return nil, fmt.Errorf("error downloading certificate. returned status = %d\n %s", httpResponse.StatusCode, httpResponse.Body)
 	}
 
 	b.Logger().Debug("response = ", certs)
@@ -440,26 +449,24 @@ func fetchChainAndCAForCert(ctx context.Context, req *logical.Request, b *keyfac
 		IncludeChain: &includeChain,
 	}
 
-	apiRequest := client.V1.CertificateApi.NewCreateCertificatesDownloadRequest(ctx)
-	apiRequest.CertificatesCertificateDownloadRequest(certDownloadRequest)
-	apiRequest.XCertificateformat("P7B")
+	apiRequest := client.V1.CertificateApi.NewCreateCertificatesDownloadRequest(ctx).CertificatesCertificateDownloadRequest(certDownloadRequest).XCertificateformat("P7B")
 
 	reqMap, _ := certDownloadRequest.ToMap()
 
 	// Send request and check status
-	b.Logger().Debug("request parameters: %s", reqMap)
+	b.Logger().Debug(fmt.Sprintf("request parameters: %s", reqMap))
 	b.Logger().Debug("making request for cert retrieval")
 
 	response, httpResponse, err := apiRequest.Execute()
 
 	if err != nil {
-		b.Logger().Info(fmt.Sprintf("failed getting cert: %s", err))
-		return nil, "", err
+		b.Logger().Info(fmt.Sprintf("failed getting cert: %s \n %s", err, httpResponse.Body))
+		return nil, "", fmt.Errorf("failed to retreive CA Chain.\n http status code: %d \n %s", httpResponse.StatusCode, httpResponse.Body)
 	}
 	if httpResponse.StatusCode != 200 {
 		b.Logger().Error("request failed: server returned" + fmt.Sprint(httpResponse.StatusCode))
 		b.Logger().Error("Error response = " + fmt.Sprint(httpResponse.Body))
-		return nil, "", fmt.Errorf("error downloading certificate. returned status = %d\n ", httpResponse.StatusCode)
+		return nil, "", fmt.Errorf("error downloading certificate. returned status = %d\n %s", httpResponse.StatusCode, httpResponse.Body)
 	}
 
 	// Read response and convert to x509 certificates
@@ -499,7 +506,7 @@ func fetchChainAndCAForCert(ctx context.Context, req *logical.Request, b *keyfac
 }
 
 func normalizeSerial(serial string) string {
-	return strings.Replace(strings.ToLower(serial), ":", "-", -1)
+	return strings.Replace(strings.ToUpper(serial), ":", "-", -1)
 }
 
 // ConvertBase64P7BtoCertificates takes a base64 encoded P7B certificate string and returns a slice of *x509.Certificate.

path_certs.go

@@ -501,10 +501,6 @@ func (b *keyfactorBackend) pathIssueSignCert(ctx context.Context, req *logical.R
 }
 
 func (b *keyfactorBackend) pathRevokeCert(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-	if b.System().ReplicationState().HasState(consts.ReplicationPerformanceStandby) {
-		return nil, logical.ErrReadOnly
-	}
-
 	serial := data.Get("serial").(string)
 	b.Logger().Debug("serial = " + serial)
 
@@ -525,30 +521,35 @@ func revokeCert(ctx context.Context, b *keyfactorBackend, req *logical.Request,
 		return nil, nil
 	}
 
+	serial = strings.ToUpper(serial)
+
 	// get client
 	client, err := b.getClient(ctx, req.Storage)
 	if err != nil {
 		return nil, fmt.Errorf("error getting client: %w", err)
 	}
 
+	b.Logger().Debug(fmt.Sprintf("retreiving the keyfactor ID for cert stored at path: %s", "kfId/"+serial))
+
 	kfId, err := req.Storage.Get(ctx, "kfId/"+serial) //retrieve the keyfactor certificate ID, keyed by sn here
 	if err != nil {
-		b.Logger().Error("Unable to retreive Keyfactor certificate ID for cert with serial: "+serial, err)
+		b.Logger().Error("unable to retreive Keyfactor certificate ID for cert with serial: "+serial, err)
 		return nil, err
 	}
-
-	var keyfactorId int
+	b.Logger().Debug(fmt.Sprintf("retreived the logical storage entry, decoding..."))
+	var keyfactorId int32
 	err = kfId.DecodeJSON(&keyfactorId)
-
 	if err != nil {
 		b.Logger().Error("Unable to parse stored certificate ID for cert with serial: "+serial, err)
 		return nil, err
 	}
 
+	b.Logger().Debug(fmt.Sprintf("decoded keyfactor ID value: %d", keyfactorId))
+
 	// set up keyfactor api request
 	//url := b.cachedConfig.KeyfactorUrl + "/" + b.cachedConfig.CommandAPIPath + kf_revoke_path
 
-	certIds := []int32{int32(keyfactorId)}
+	certIds := []int32{keyfactorId}
 	revokeReason := v1.KeyfactorPKIEnumsRevokeCode(0)
 	effectiveDate := time.Now().UTC()
 	revokeComment := "via Hashicorp Vault"
@@ -563,29 +564,30 @@ func revokeCert(ctx context.Context, b *keyfactorBackend, req *logical.Request,
 	}
 
 	// create the api call wrapper object
-	apiReq := client.V1.CertificateApi.NewCreateCertificatesRevokeRequest(ctx)
-
-	// apply the request parameters to the pending request
-	apiReq.CertificatesRevokeCertificateRequest(revokeReq)
+	apiReq := client.V1.CertificateApi.NewCreateCertificatesRevokeRequest(ctx).CertificatesRevokeCertificateRequest(revokeReq)
 
 	// execute request
 
 	_, httpResponse, err := apiReq.Execute()
 
 	if err != nil {
-		b.Logger().Error("Revoke failed: {{err}}", err)
-		return nil, err
+		b.Logger().Error(fmt.Sprintf("revocation failed: %s \n %s", err, httpResponse.Body))
+		return nil, fmt.Errorf("revocation failed. \n http status: %s \n response body: %s", httpResponse.Status, httpResponse.Body)
 	}
 
 	if httpResponse.StatusCode != 204 && httpResponse.StatusCode != 200 {
 		b.Logger().Info("revocation failed: server returned" + fmt.Sprint(httpResponse.StatusCode))
 		b.Logger().Info("error response = " + fmt.Sprint(httpResponse.Body))
-		return nil, fmt.Errorf("revocation failed: server returned  %s\n ", httpResponse.Status)
+		return nil, fmt.Errorf("revocation failed: server returned  %s\n %s", httpResponse.Status, httpResponse.Body)
 	}
 
 	alreadyRevoked := false
 	var revInfo revocationInfo
 
+	b.Logger().Debug("revocation request was successful.")
+
+	b.Logger().Debug("updating values if previously revoked..")
+
 	revEntry, err := fetchCertBySerial(ctx, req, "revoked/", serial)
 	if err != nil {
 		switch err.(type) {
@@ -604,6 +606,7 @@ func revokeCert(ctx context.Context, b *keyfactorBackend, req *logical.Request,
 		}
 	}
 
+	b.Logger().Debug("updating local storage entry..")
 	if !alreadyRevoked {
 		certEntry, err := fetchCertBySerial(ctx, req, "certs/", serial)
 		if err != nil {
@@ -615,13 +618,6 @@ func revokeCert(ctx context.Context, b *keyfactorBackend, req *logical.Request,
 			}
 		}
 		if certEntry == nil {
-			if fromLease {
-				// We can't write to revoked/ or update the CRL anyway because we don't have the cert,
-				// and there's no reason to expect this will work on a subsequent
-				// retry.  Just give up and let the lease get deleted.
-				b.Logger().Warn("expired certificate revoke failed because not found in storage, treating as success", "serial", serial)
-				return nil, nil
-			}
 			return logical.ErrorResponse(fmt.Sprintf("certificate with serial %s not found", serial)), nil
 		}
 		b.Logger().Debug("certEntry key = " + certEntry.Key)
@@ -693,19 +689,6 @@ func checkAllowedDomains(role *roleEntry, roleName string, domains []string) (bo
 	return true, nil
 }
 
-// func (b *keyfactorBackend) isValidJSON(str string) bool {
-// 	var js map[string]interface{}
-// 	err := json.Unmarshal([]byte(str), &js)
-
-// 	if err != nil {
-// 		b.Logger().Debug(err.Error())
-// 		return false
-// 	} else {
-// 		b.Logger().Debug("the metadata was able to be parsed as valid JSON")
-// 		return true
-// 	}
-// }
-
 const pathIssueHelpSyn = `
 Request a certificate using a certain role with the provided details.
 example: vault write keyfactor/issue/<role> common_name=<cn> dns_sans=<dns sans>