feat(cli): pam migrate to handle Keyfactor secrets.

spbsoluble · spbsoluble · commit 77d047a234e0 · 2026-01-09T13:36:11.000-08:00
Signed-off-by: spbsoluble &lt;1661003+spbsoluble@users.noreply.github.com&gt;
diff --git a/cmd/helpers.go b/cmd/helpers.go
@@ -552,8 +552,8 @@ func storePasswordPropToCSV(
 				row[fmt.Sprintf("Password.Parameters.%s", paramName)] = *v.Value
 			}
 		}
-	} else if store.Password.Value != nil {
-		row["Password"] = store.Password.Value
+	} else if store.Password.HasValue && store.Password.Value != nil {
+		row["Password"] = fmt.Sprintf("%s", *store.Password.Value)
 	}
 
 	return nil
diff --git a/cmd/migrate.go b/cmd/migrate.go
@@ -392,7 +392,7 @@ var migratePamCmd = &cobra.Command{
 		}
 
 		// check Store Password for PAM field, and process migration if applicable
-		var storePassword *api.StorePasswordConfig
+		var storePassword *api.UpdateStorePasswordConfig
 		if certStore.Password.IsManaged { // managed secret, i.e. PAM Provider in use
 
 			// check if Pam Secret is using our migrating provider
@@ -643,21 +643,38 @@ func selectProviderTypeParamId(name string, pamTypeParameterDefinitions []interf
 }
 
 func reformatPamSecretForPost(secretProp map[string]interface{}) map[string]interface{} {
-	reformatted := map[string]interface{}{
-		"Provider": secretProp["ProviderId"],
+
+	reformatted := map[string]interface{}{}
+	// check if secretProp has a "SecretValue" key
+	if secVal, ok := secretProp["SecretValue"]; ok && secVal != nil {
+		// add top level "value" key with SecretValue
+		formattedVal := make(map[string]interface{})
+		formattedVal["SecretValue"] = secVal
+		// convert formattedVal into escaped JSON string
+		jsonVal, _ := json.Marshal(formattedVal)
+		reformatted["value"] = string(jsonVal)
+		//reformatted["value"] = formattedVal
 	}
 
-	providerParams := secretProp["ProviderTypeParameterValues"].([]interface{})
-	reformattedParams := map[string]string{}
+	// check if secretProp has a "ProviderId" key
+	if prId, ok := secretProp["ProviderId"]; ok && prId != nil {
+		reformatted["Provider"] = prId
+	}
+	// check if secretProp has a "ProviderTypeParameterValues" key
+	if vals, valsOk := secretProp["ProviderTypeParameterValues"]; valsOk && vals != nil {
+		providerParams := secretProp["ProviderTypeParameterValues"].([]interface{})
+		reformattedParams := map[string]string{}
 
-	for _, param := range providerParams {
-		providerTypeParam := param.(map[string]interface{})["ProviderTypeParam"].(map[string]interface{})
-		name := providerTypeParam["Name"].(string)
-		value := param.(map[string]interface{})["Value"].(string)
-		reformattedParams[name] = value
+		for _, param := range providerParams {
+			providerTypeParam := param.(map[string]interface{})["ProviderTypeParam"].(map[string]interface{})
+			name := providerTypeParam["Name"].(string)
+			value := param.(map[string]interface{})["Value"].(string)
+			reformattedParams[name] = value
+		}
+
+		reformatted["Parameters"] = reformattedParams
 	}
 
-	reformatted["Parameters"] = reformattedParams
 	return reformatted
 }
 

Original file line number	Diff line number	Diff line change
`@@ -552,8 +552,8 @@ func storePasswordPropToCSV(`
`552`	`552`	`row[fmt.Sprintf("Password.Parameters.%s", paramName)] = *v.Value`
`553`	`553`	`}`
`554`	`554`	`}`
`555`		`- } else if store.Password.Value != nil {`
`556`		`- row["Password"] = store.Password.Value`
	`555`	`+ } else if store.Password.HasValue && store.Password.Value != nil {`
	`556`	`+ row["Password"] = fmt.Sprintf("%s", *store.Password.Value)`
`557`	`557`	`}`
`558`	`558`
`559`	`559`	`return nil`