updated CSR enrollment to use Keyfactor Client SDK

Author: joevanwanzeeleKF

backend.go

@@ -16,6 +16,7 @@ import (
 	"strings"
 	"sync"
 
+	"github.com/Keyfactor/keyfactor-go-client-sdk/v24"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/logical"
 )
@@ -39,7 +40,7 @@ type keyfactorBackend struct {
 	*framework.Backend
 	configLock   sync.RWMutex
 	cachedConfig *keyfactorConfig
-	client       *keyfactorClient
+	client       *keyfactor.APIClient
 }
 
 // keyfactorBackend defines the target API keyfactorBackend
@@ -100,13 +101,12 @@ func (b *keyfactorBackend) invalidate(ctx context.Context, key string) {
 
 // getClient locks the backend as it configures and creates a
 // a new client for the target API
-func (b *keyfactorBackend) getClient(ctx context.Context, s logical.Storage) (*keyfactorClient, error) {
+func (b *keyfactorBackend) getClient(ctx context.Context, s logical.Storage) (*keyfactor.APIClient, error) {
 	b.configLock.RLock()
 	defer b.configLock.RUnlock()
 
 	if b.client != nil {
 		b.Logger().Debug("closing idle connections before returning existing client")
-		b.client.httpClient.CloseIdleConnections()
 		return b.client, nil
 	}
 

cert_util.go

@@ -28,6 +28,7 @@ import (
 	"strings"
 	"time"
 
+	v1 "github.com/Keyfactor/keyfactor-go-client-sdk/v24/api/keyfactor/v1"
 	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/vault/sdk/helper/errutil"
 	"github.com/hashicorp/vault/sdk/logical"
@@ -70,116 +71,83 @@ func (b *keyfactorBackend) submitCSR(ctx context.Context, req *logical.Request,
 	}
 
 	location, _ := time.LoadLocation("UTC")
-	t := time.Now().In(location)
-	time := t.Format("2006-01-02T15:04:05")
+	time := time.Now().In(location)
 
 	// get client
 	client, err := b.getClient(ctx, req.Storage)
 	if err != nil {
 		return nil, "", fmt.Errorf("error getting client: %w", err)
 	}
 
-	b.Logger().Debug("Closing idle connections")
-	client.httpClient.CloseIdleConnections()
-
 	// build request parameter structure
+	var metadataMap map[string]interface{}
 
-	// build dns_sans payload string
-	dns_sans_payload_string := ""
+	err = json.Unmarshal([]byte(metaDataJson), &metadataMap)
 
-	for _, d := range dns_sans {
-		if d != dns_sans[0] {
-			dns_sans_payload_string += "," // pre-pend a comma before next entry if not the first entry
-		}
-		dns_sans_payload_string = dns_sans_payload_string + fmt.Sprintf("\"%s\"", d)
+	if err != nil {
+		return nil, "", fmt.Errorf("there was an error parsing the Metadata as JSON: %w", err)
 	}
-	b.Logger().Debug("dns_sans payload string = %s", dns_sans_payload_string)
 
-	ip_sans_payload_string := ""
+	inclChain := true
 
-	for _, i := range ip_sans {
-		if i != ip_sans[0] {
-			ip_sans_payload_string += ","
-		}
-		ip_sans_payload_string = ip_sans_payload_string + fmt.Sprintf("\"%s\"", i)
+	enrollmentRequest := v1.EnrollmentCSREnrollmentRequest{
+		CSR:                  csr,
+		CertificateAuthority: *v1.NewNullableString(&caName),
+		IncludeChain:         &inclChain,
+		Metadata:             metadataMap,
+		Timestamp:            &time,
+		Template:             *v1.NewNullableString(&templateName),
+		//SANs:                       map[string][]string{},
 	}
-	b.Logger().Debug("ip_sans payload string = %s", ip_sans_payload_string)
 
-	url := config.KeyfactorUrl + "/" + config.CommandAPIPath + "/Enrollment/CSR"
-	b.Logger().Debug("url: " + url)
-	bodyContent := "{\"CSR\": \"" + csr + "\", \"CertificateAuthority\":\"" + caName + "\", \"IncludeChain\": true, \"Metadata\": " + metaDataJson + ", \"Timestamp\": \"" + time + "\",\"Template\": \"" + templateName + "\""
+	// SANs parameter
+	b.Logger().Debug("ip_sans = %s", ip_sans)
+	b.Logger().Debug("dns_sans = %s", dns_sans)
 
-	sans_payload := "\"SANs\": {"
+	if len(ip_sans) > 0 {
+		enrollmentRequest.SANs["ip"] = ip_sans
+	}
 
-	if dns_sans_payload_string != "" || ip_sans_payload_string != "" {
-		if dns_sans_payload_string != "" {
-			sans_payload += "\"dns\": [" + dns_sans_payload_string + "]"
-		}
-		if ip_sans_payload_string != "" {
-			sans_payload += ", \"ip\": [" + ip_sans_payload_string + "]"
-		}
+	if len(dns_sans) > 0 {
+		enrollmentRequest.SANs["dns"] = dns_sans
 	}
-	sans_payload += "}"
 
-	b.Logger().Trace(fmt.Sprintf("sans_payload: %s", sans_payload))
-	bodyContent += ", " + sans_payload + "}"
-	payload := strings.NewReader(bodyContent)
+	reqMap, _ := enrollmentRequest.ToMap()
 
-	b.Logger().Debug("request body: " + bodyContent)
-	httpReq, err := http.NewRequest("POST", url, payload)
+	b.Logger().Debug("request body: %s", reqMap)
 
-	if err != nil {
-		b.Logger().Info("Error forming request: {{err}}", err)
-	}
+	// Send request and check status
 
-	httpReq.Header.Add("x-keyfactor-requested-with", "APIClient")
-	httpReq.Header.Add("content-type", "application/json")
-	httpReq.Header.Add("x-certificateformat", "PEM")
+	b.Logger().Debug("about to connect to " + config.KeyfactorUrl + " with Keyfactor client for CSR submission")
 
-	// Send request and check status
+	apiRequest := client.V1.EnrollmentApi.NewCreateEnrollmentCSRRequest(ctx)
+	apiRequest.XCertificateformat("PEM")
+	apiRequest.EnrollmentCSREnrollmentRequest(enrollmentRequest)
 
-	b.Logger().Debug("About to connect to " + config.KeyfactorUrl + "for csr submission")
-	res, err := client.httpClient.Do(httpReq)
-	if err != nil {
-		b.Logger().Info("CSR Enrollment failed: {{err}}", err.Error())
+	resData, httpRes, err := apiRequest.Execute()
+
+	if err != nil || httpRes.StatusCode != 200 {
+		b.Logger().Error("there was an error performing CSR enrollment.  HttpStatusCode: %d, error: %s", httpRes.StatusCode, err)
 		return nil, "", err
 	}
-	if res.StatusCode != 200 {
-		b.Logger().Error("CSR Enrollment failed: server returned" + fmt.Sprint(res.StatusCode))
-		defer res.Body.Close()
-		body, _ := io.ReadAll(res.Body)
-		b.Logger().Error("Error response: " + string(body[:]))
-		return nil, "", fmt.Errorf("CSR Enrollment request failed with status code %d and error: "+string(body[:]), res.StatusCode)
-	}
 
-	// Read response and return certificate and key
+	// Read certificates from response
+	certs, ok := resData.CertificateInformation.GetCertificatesOk()
 
-	defer res.Body.Close()
-	body, err := io.ReadAll(res.Body)
-	if err != nil {
-		b.Logger().Error("Error reading response: {{err}}", err)
+	if !ok {
+		b.Logger().Error("unable to read certificate response : %s", err)
 		return nil, "", err
 	}
 
-	// Parse response
-	var r map[string]interface{}
-	json.Unmarshal(body, &r)
-	b.Logger().Debug("response = ", r)
+	serial := resData.CertificateInformation.SerialNumber
+	kfId := resData.CertificateInformation.KeyfactorID
 
-	inner := r["CertificateInformation"].(map[string]interface{})
-	certI := inner["Certificates"].([]interface{})
-	certs := make([]string, len(certI))
-	for i, v := range certI {
-		certs[i] = v.(string)
-		start := strings.Index(certs[i], "-----BEGIN CERTIFICATE-----")
-		certs[i] = certs[i][start:]
-	}
-	serial := inner["SerialNumber"].(string)
-	kfId := inner["KeyfactorID"].(float64)
+	resMap, _ := resData.ToMap()
+	b.Logger().Debug("full response: %s", resMap)
 
-	b.Logger().Debug("parsed response: ", certI...)
+	// store the ca chain
 
-	caEntry, err := logical.StorageEntryJSON("ca_chain/", certs[1:])
+	caEntry, err := logical.StorageEntryJSON("ca_chain/", certs[1:]) // certs after the first one are the chain
 	if err != nil {
 		b.Logger().Error("error creating ca_chain entry", err)
 	}
@@ -189,7 +157,11 @@ func (b *keyfactorBackend) submitCSR(ctx context.Context, req *logical.Request,
 		b.Logger().Error("error storing the ca_chain locally", err)
 	}
 
-	key := "certs/" + normalizeSerial(serial)
+	// store the certificate
+
+	normalizedSerial := *serial.Get()
+
+	key := "certs/" + normalizedSerial
 
 	entry := &logical.StorageEntry{
 		Key:   key,
@@ -203,7 +175,7 @@ func (b *keyfactorBackend) submitCSR(ctx context.Context, req *logical.Request,
 		return nil, "", errwrap.Wrapf("unable to store certificate locally: {{err}}", err)
 	}
 
-	kfIdEntry, err := logical.StorageEntryJSON("kfId/"+normalizeSerial(serial), kfId)
+	kfIdEntry, err := logical.StorageEntryJSON("kfId/"+normalizedSerial, kfId)
 	if err != nil {
 		return nil, "", err
 	}
@@ -213,7 +185,7 @@ func (b *keyfactorBackend) submitCSR(ctx context.Context, req *logical.Request,
 		return nil, "", errwrap.Wrapf("unable to store the keyfactor ID for the certificate locally: {{err}}", err)
 	}
 
-	return certs, serial, nil
+	return certs, normalizedSerial, nil
 }
 
 // fetch the CA info from keyfactor

client.go

@@ -12,17 +12,13 @@ package kfbackend
 import (
 	"errors"
 	"fmt"
-	"net/http"
 
 	"github.com/Keyfactor/keyfactor-auth-client-go/auth_providers"
+	"github.com/Keyfactor/keyfactor-go-client-sdk/v24"
 )
 
-type keyfactorClient struct {
-	httpClient *http.Client
-}
-
-func newClient(config *keyfactorConfig, b *keyfactorBackend) (*keyfactorClient, error) {
-	client := new(keyfactorClient)
+func newClient(config *keyfactorConfig, b *keyfactorBackend) (*keyfactor.APIClient, error) {
+	b.Logger().Trace("creating a new Keyfactor API client..")
 
 	if config == nil {
 		return nil, errors.New("client configuration was nil")
@@ -40,16 +36,17 @@ func newClient(config *keyfactorConfig, b *keyfactorBackend) (*keyfactorClient,
 	if !isBasicAuth && !isOAuth {
 		return nil, errors.New(
 			"invalid Keyfactor Command client configuration, " +
-				"please provide a valid Basic auth or OAuth configuration",
+				"please provide a valid Basic (username/password) or OAuth configuration",
 		)
 	}
 
-	oAuthConfig := &auth_providers.CommandConfigOauth{}
-	basicAuthConfig := &auth_providers.CommandAuthConfigBasic{}
+	var conf *auth_providers.Server
 
 	if isBasicAuth {
 		b.Logger().Debug(fmt.Sprintf("using basic auth with username %s, domain %s and password (hidden)", config.Username, config.Domain))
 
+		basicAuthConfig := &auth_providers.CommandAuthConfigBasic{}
+
 		basicAuthConfig.WithCommandHostName(hostname).
 			WithCommandAPIPath(config.CommandAPIPath).
 			WithSkipVerify(config.SkipTLSVerify).
@@ -68,17 +65,21 @@ func newClient(config *keyfactorConfig, b *keyfactorBackend) (*keyfactorClient,
 			b.Logger().Debug("successfully authenticated using basic auth")
 		}
 
-		client.httpClient, bErr = basicAuthConfig.GetHttpClient()
-
 		if bErr != nil {
 			errMsg := fmt.Sprintf("[ERROR] there was an error retreiving the basic auth http client: %s", bErr.Error())
 			b.Logger().Error(errMsg)
 			return nil, bErr
 		}
 
+		conf = basicAuthConfig.GetServerConfig()
+
 	} else if isOAuth {
+		oAuthConfig := &auth_providers.CommandConfigOauth{}
+
 		b.Logger().Debug(fmt.Sprintf("using oAuth authentication with client_id: %s, token_url %s and client_secret: (hidden)", config.ClientId, config.TokenUrl))
-		_ = oAuthConfig.WithCommandHostName(hostname).
+
+		oAuthConfig.CommandAuthConfig.
+			WithCommandHostName(hostname).
 			WithCommandAPIPath(config.CommandAPIPath).
 			WithSkipVerify(config.SkipTLSVerify).
 			WithCommandCACert(config.CommandCertPath)
@@ -92,18 +93,22 @@ func newClient(config *keyfactorConfig, b *keyfactorBackend) (*keyfactorClient,
 			WithAudience(config.Audience).
 			Authenticate()
 
+		conf = oAuthConfig.GetServerConfig()
+
 		if oErr != nil {
 			errMsg := fmt.Sprintf("[ERROR] unable to authenticate with provided oAuth credentials: %s", oErr.Error())
 			b.Logger().Error(errMsg)
 			return nil, oErr
 		}
+	}
 
-		client.httpClient, oErr = oAuthConfig.GetHttpClient()
-		if oErr != nil {
-			errMsg := fmt.Sprintf("[ERROR] there was an error retreiving the oAuth http client: %s", oErr.Error())
-			b.Logger().Error(errMsg)
-			return nil, oErr
-		}
+	c, err := keyfactor.NewAPIClient(conf)
+
+	if err != nil {
+		errMsg := fmt.Sprintf("[ERROR] there was an error creating the Keyfactor client: %s", err.Error())
+		b.Logger().Error(errMsg)
+		return nil, err
 	}
-	return client, nil
+
+	return c, nil
 }

go.mod

@@ -6,6 +6,7 @@ toolchain go1.23.3
 
 require (
 	github.com/Keyfactor/keyfactor-auth-client-go v1.2.0
+	github.com/Keyfactor/keyfactor-go-client-sdk/v24 v24.0.0
 	github.com/hashicorp/errwrap v1.0.0
 	github.com/hashicorp/go-hclog v1.5.0
 	github.com/hashicorp/vault/api v1.1.1

go.sum

@@ -21,6 +21,10 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/Keyfactor/keyfactor-auth-client-go v1.2.0 h1:uNSlyOW5Bqpi0nsOGZtOYQzN0vP/h4S4J38jtQes+OI=
 github.com/Keyfactor/keyfactor-auth-client-go v1.2.0/go.mod h1:7htRcBIWn+X4fI5jaYBALSYwP84H/djN7d8y3n0ZDQ0=
+github.com/Keyfactor/keyfactor-go-client-sdk v1.0.2 h1:caLlzFCz2L4Dth/9wh+VlypFATmOMmCSQkCPKOKMxw8=
+github.com/Keyfactor/keyfactor-go-client-sdk v1.0.2/go.mod h1:Z5pSk8YFGXHbKeQ1wTzVN8A4P/fZmtAwqu3NgBHbDOs=
+github.com/Keyfactor/keyfactor-go-client-sdk/v24 v24.0.0 h1:b7jYhcw4ENQC/VdFiikquI9lkUBt5C84TM9VnH3jzFI=
+github.com/Keyfactor/keyfactor-go-client-sdk/v24 v24.0.0/go.mod h1:xIbpgJ9eYfcYeSM0VzP5Q3ifgLCf3yGKKyZtWmqqOi8=
 github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw=
 github.com/Microsoft/hcsshim v0.8.9/go.mod h1:5692vkUqntj1idxauYlpoINNKeqCiG6Sg38RRsjT5y8=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=