Merge pull request #446 from Venafi/VC-31982/svc-account-terraform
feat(svc-account): Adds ability to obtain ConnectorType from Platform enum
rvelaVenafi authored Apr 2, 2024
2 parents 2d11dc4 + cb21194 commit 39eb64f
Showing 7 changed files with 102 additions and 30 deletions.
8 changes: 8 additions & 0 deletions CHANGELOG.md
@@ -0,0 +1,8 @@
## 5.6.1 (April 2nd, 2024)
- Adds UserAgent header to api requests for TPP, Cloud and Firefly connectors
- Adds functionality to convert a Platform type to a ConnectorType enum

## 5.6.0 (March 28th, 2024)
- Adds support for service account authentication in TLSPC connector
- Adds new attributes to CLI `getcred` command: `tenant-id` and `external-jwt` for service account authentication
- Adds support for service account authentication to VCert playbooks
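Review bot: the 5.6.1 entry claims a UserAgent header on TPP, Cloud and Firefly requests, but none of the 7 files in this merge touches request headers; either that change landed in a separate commit, in which case the release note should be confirmed against it before tagging, or the line belongs with the commit that adds it. Conversely, the user-visible documentation changes this merge does make (the new `url` row under Connection in README-PLAYBOOK.md, the `accessToken` row now marked *Optional* for TLSPC, and the `v4` to `v5` import paths in README.md) are not mentioned and deserve a line.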
88 changes: 69 additions & 19 deletions README-CLI-CLOUD.md

Large diffs are not rendered by default.

14 changes: 8 additions & 6 deletions README-PLAYBOOK.md
@@ -90,26 +90,28 @@ The top-level structure of the file is described as follows:

### Connection

| Field | Type | TLSPDC | TLSPC | FIREFLY | Description |
|-------------|------------------------------------|----------------|----------------|----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| credentials | [Credentials](#credentials) object | ***Required*** | ***Required*** | ***Required*** | A [Credential](#credentials) object that defines the credentials used to authenticate to the selected provider `platform`. |
| platform | string | ***Required*** | ***Required*** | ***Required*** | For TLS Protect Datacenter, either `tpp` or `tlspdc`.<br/>For TLS Protect Cloud, either `vaas` or `tlspc`.<br/>For Firefly, use `firefly`. |
| trustBundle | string | *Optional* | n/a | *Optional* | Used when [Connection.platform](#connection) is `tlspdc` or `firefly`.<br/>Defines path to PEM-formatted trust bundle that contains the root (and optionally intermediate certificates) to use to trust the TLS connection. If omitted, will attempt to use operating system trusted CAs. |
| Field | Type | TLSPDC | TLSPC | FIREFLY | Description |
|-------------|------------------------------------|----------------|----------------|----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| credentials | [Credentials](#credentials) object | ***Required*** | ***Required*** | ***Required*** | A [Credential](#credentials) object that defines the credentials used to authenticate to the selected provider `platform`. |
| platform | string | ***Required*** | ***Required*** | ***Required*** | For TLS Protect Datacenter, either `tpp` or `tlspdc`.<br/>For TLS Protect Cloud, either `vaas` or `tlspc`.<br/>For Firefly, use `firefly`. |
| trustBundle | string | *Optional* | n/a | *Optional* | Used when [Connection.platform](#connection) is `tlspdc` or `firefly`.<br/>Defines path to PEM-formatted trust bundle that contains the root (and optionally intermediate certificates) to use to trust the TLS connection. If omitted, will attempt to use operating system trusted CAs. |
| url | string | ***Required*** | *Optional* | ***Required*** | URL of the Venafi platform to connect to.<br/>If url string does not include `https://`, it will be added automatically.<br/>For connection to TLS Protect Datacenter, `url` must include the full API path (for example `https://tpp.company.com/vedsdk/` <br/> For TLS Protect Cloud you can specify the url using this parameter https://api.venafi.cloud (US region) or https://api.venafi.eu (EU region).<br/> If not set, will default to US region. |

### Credentials

| Field | Type | TLSPDC | TLSPC | FIREFLY | Description |
|--------------|--------|----------------|----------------|------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| accessToken | string | *Optional* | n/a | n/a | Used when [Connection.platform](#connection) is `tlspdc` for authenticating to the REST API.<br/>If omitted, invalid, or expired, vcert will attempt to use the [Credential.p12Task](#credentials) or [Credential.refreshToken](#credentials) to get a valid accessToken.<br/>Upon successful refresh, this value will be overwritten with the new valid accessToken. |
| accessToken | string | *Optional* | *Optional* | n/a | Used when [Connection.platform](#connection) is `tlspdc` for authenticating to the REST API.<br/>If omitted, invalid, or expired, vcert will attempt to use the [Credential.p12Task](#credentials) or [Credential.refreshToken](#credentials) to get a valid accessToken.<br/>Upon successful refresh, this value will be overwritten with the new valid accessToken. |
| apiKey | string | n/a | ***Required*** | n/a | Used when [Connection.platform](#connection) is `tlspc` for authenticating to the REST API. |
| audience | string | n/a | n/a | *Optional* | Used when [Connection.platform](#connection) is `firefly` to map the audience for the authorization token request from the OAuth2 Provider. Not all OAuth2 providers require this value. |
| clientId | string | *Optional* | n/a | *Optional* | Used when [Connection.platform](#connection) is `tlspc` to map to the API integration to be used. If omitted, uses `vcert-sdk` as default.<br/><br/>Used when [Connection.platform](#connection) is `firefly` along with `clientSecret` to follow a `credentials authorization flow`. |
| clientSecret | string | n/a | n/a | *Optional* | Used when [Connection.platform](#connection) is `firefly` along with `clientId` to follow a `credentials authorization flow` to get an authorization token from the OAuth2 Provider. |
| externalJWT | string | n/a | *Optional* | n/a | Used when [Connection.platform](#connection) is `tlspc` along with `tenantId` to request a new authorization token from a service account. |
| p12Task | string | *Optional* | n/a | n/a | Used when [Connection.platform](#connection) is `tlspdc` to reference a configured [CertificateTasks.name](#certificatetask) to be used for certificate authentication.<br/>Will be used to get a new accessToken when `accessToken` is missing, invalid, or expired.<br/>Referenced `certificateTask` must have an installation of type `pkcs12`. |
| password | string | n/a | n/a | *Optional* | Used when [Connection.platform](#connection) is `firefly` along with `user` to follow a `password authorization flow` to request a new authorization token from the OAuth2 Provider. |
| refreshToken | string | *Optional* | n/a | n/a | Used when [Connection.platform](#connection) is `tlspdc` to refresh the `accessToken` if it is missing, invalid, or expired.<br/>If omitted, the `accessToken` will not be refreshed when it expires.<br/>When a refresh token is used, a new accessToken *and* refreshToken are issued and the previous refreshToken is then invalid (one-time use only).<br/>vCert will attempt to update the refreshToken and accessToken fields upon refresh. |
| scope | string | *Optional* | n/a | *Optional* | Used when [Connection.platform](#connection) is `tlspdc` to determine the scope of the token when refreshing the access token, or when getting a new grant using a `pkcs12` certificate. Defaults to `certificate:manage` if omitted.<br/><br/>Used when [Connection.platform](#connection) is `firefly` to determine the scope of the token to be requested to the OAuth2 provider. Some providers may have default scopes while others dont. |
| tenantId | string | n/a | *Optional* | n/a | Used when [Connection.platform](#connection) is `tlspc` along with `externalJWT` to request a new authorization token from a service account. |
| tokenURL | string | ***Required*** | n/a | n/a | Used when [Connection.platform](#connection) is `firefly` to request a new authorization token to the OAuth2 Provider. |
| user | string | n/a | n/a | *Optional* | Used when [Connection.platform](#connection) is `firefly` along with `password` to follow a `password` authorization flow to request a new authorization token from the OAuth2 Provider. |

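Review bot: the `accessToken` row now marks TLSPC as *Optional*, but its description still says the field is used only when `platform` is `tlspdc` and that a missing or expired token is recovered through `p12Task` or `refreshToken`, both of which are n/a for TLSPC; add the `tlspc` case (how an access token relates to `apiKey`, which is still marked ***Required*** for TLSPC even though `tenantId`/`externalJWT` and now `accessToken` are alternatives, and whether vcert rewrites the file with a refreshed token as it does for TLSPDC). In the same table the columns look shifted for two rows: `tokenURL` is ***Required*** under TLSPDC and n/a under FIREFLY while its description says it is used for `firefly`, and `clientId` is *Optional* under TLSPDC and n/a under TLSPC while its description starts with `tlspc`. One operational caveat worth a sentence in this section: because vcert overwrites `accessToken` and `refreshToken` in the playbook on refresh, the playbook file holds live credentials and should be protected like one (restrictive file permissions, kept out of version control).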
10 changes: 5 additions & 5 deletions README.md
@@ -33,14 +33,14 @@ Custom Fields and Instance Tracking require TPP 18.2 or higher, and Token Authen
3. Download the source code:

```sh
go get github.com/Venafi/vcert/v4
go get github.com/Venafi/vcert/v5
```

or

Pre Go 1.13
```sh
git clone https://github.com/Venafi/vcert.git $GOPATH/src/github.com/Venafi/vcert/v4
git clone https://github.com/Venafi/vcert.git $GOPATH/src/github.com/Venafi/vcert/v5
```

Go 1.11 with go modules enabled or go 1.13 and up make sure to clone outside of `$GOPATH/src`
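Review bot: `go get github.com/Venafi/vcert/v5` with no version fetches whatever the latest tag is and, on current toolchains, only works from inside an existing module (outside one it stops with a missing go.mod error), so under a heading that says "Download the source code" the `git clone` should be the first option and the `go get` form should pin a release, for example `go get github.com/Venafi/vcert/v5@v5.6.1` (assuming tags follow the `v5.x.y` form the CHANGELOG in this merge implies), so the dependency is reproducible and recorded in go.sum. The "Pre Go 1.13" GOPATH instructions describe toolchains that have been out of support for years; consider dropping that paragraph rather than updating it to `v5`.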
@@ -56,11 +56,11 @@ make build

## Using VCert to integrate Venafi with your application

For code samples of programmatic use, please review the files in [/examples](/examples/).
For code samples of programmatic use, please review the files in [examples folder](./examples).

### Common part
1. In your main.go file, make the following import declarations: `github.com/Venafi/vcert/v4`, `github.com/Venafi/vcert/v4/pkg/certificate`, and `github.com/Venafi/vcert/v4/pkg/endpoint`.
1. Create a configuration object of type `&vcert.Config` that specifies the Venafi connection details. Solutions are typically designed to get those details from a secrets vault, .ini file, environment variables, or command line parameters.
1. In your main.go file, make the following import declarations: `github.com/Venafi/vcert/v5`, `github.com/Venafi/vcert/v5/pkg/certificate`, and `github.com/Venafi/vcert/v5/pkg/endpoint`.
2. Create a configuration object of type `&vcert.Config` that specifies the Venafi connection details. Solutions are typically designed to get those details from a secrets vault, .ini file, environment variables, or command line parameters.

### Enroll certificate
1. Instantiate a client by calling the `NewClient` method of the vcert class with the configuration object.
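Review bot: "the `NewClient` method of the vcert class" and "a configuration object of type `&vcert.Config`" are not Go terminology, and the import list just changed to `github.com/Venafi/vcert/v5` makes the fix easy: `NewClient` is a package-level function, so "call `vcert.NewClient` with the configuration", and the configuration is a `*vcert.Config` (built with `&vcert.Config{...}`). In the same step, listing "command line parameters" alongside a secrets vault as a place to get the Venafi credentials deserves a caveat: arguments are visible to every local user via the process list and end up in shell history, so the docs should steer readers to the vault or environment variables for secrets. The renumbering to `1.`/`2.` under Common part is fine; Enroll certificate below still starts its own list at `1.`, which reads as intended.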
2 changes: 2 additions & 0 deletions pkg/venafi/cloud/cloud.go
@@ -631,6 +631,8 @@ func parseApplicationDetailsResult(httpStatusCode int, httpStatus string, body [
return parseApplicationDetailsData(body)
case http.StatusBadRequest:
return nil, verror.ApplicationNotFoundError
case http.StatusUnauthorized:
return nil, fmt.Errorf("%w: %s", verror.ServerError, httpStatus)
default:
respErrors, err := parseResponseErrors(body)
if err != nil {
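Review bot: wrapping `http.StatusUnauthorized` in `verror.ServerError` misclassifies the failure: a 401 from the application-details call means the API key or access token was rejected (missing, expired, or issued for another tenant), which is a credential problem on the caller's side, not a server fault, and any code that checks `errors.Is(err, verror.ServerError)` to decide whether to retry will now retry an authentication failure. Return a distinct authentication error (or wrap one) so callers can surface a re-authenticate message instead; if `verror` has no such sentinel yet, this hunk is the place to add it. Including `httpStatus` in the message is fine; keep the response body out of it for 401s as the `default` branch's `parseResponseErrors` path is not needed here.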
3 changes: 3 additions & 0 deletions pkg/venafi/cloud/connector.go
@@ -206,6 +206,9 @@ func (c *Connector) ReadZoneConfiguration() (config *endpoint.ZoneConfiguration,
if err != nil {
return
}
} else {
// an error happened, return now
return
}
}
if template == nil {
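Review bot: the new `else` branch returns bare and relies on the named return `err` already being non-nil, but the condition it complements is outside this hunk; confirm the preceding `if` tests `err == nil` (or equivalent) rather than some other value, because otherwise this path returns a nil `config` together with a nil `err` and the caller cannot distinguish it from success. Writing the intent explicitly, for example `return nil, err` guarded by `if err != nil`, would make the comment `// an error happened, return now` verifiable from the diff alone.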
7 changes: 7 additions & 0 deletions pkg/venafi/platform.go
@@ -20,6 +20,8 @@ import (
"strings"

"gopkg.in/yaml.v3"

"github.com/Venafi/vcert/v5/pkg/endpoint"
)

type Platform int
@@ -89,6 +91,11 @@ func (p *Platform) UnmarshalYAML(value *yaml.Node) error {
return nil
}

// GetConnectorType converts the Platform value to an endpoint.ConnectorType value. With aims to make easier to use one or another
func (p Platform) GetConnectorType() endpoint.ConnectorType {
return endpoint.ConnectorType(p)
}

func GetPlatformType(platformString string) Platform {
switch strings.ToUpper(platformString) {
case strPlatformFake:
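Review bot: `endpoint.ConnectorType(p)` is a raw integer conversion between two independently declared enums; it is correct only while every `Platform` constant has the same ordinal as the matching `endpoint.ConnectorType` constant, and nothing in either declaration enforces that, so inserting or reordering a value in one of them would silently map, say, a TPP playbook onto the Cloud connector with no compile or runtime error. Prefer an explicit `switch p` over the Platform constants that returns the corresponding ConnectorType constant, with a `default` that returns the unknown/fake type (the `strPlatformFake` case just below shows the string side already does this), backed by a table-driven test asserting each pair. The doc comment also needs a grammar pass: "with the aim of making it easier to use one or the other".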
