Merge pull request #83 from Infisical/feat-pki/PKI-52

feat: add certificates to Infisical agent

Author: carlosmonastyrski

certificate-agent-config.yaml

@@ -0,0 +1,52 @@
+version: v1
+
+infisical:
+  address: "https://app.infisical.com/"
+
+auth:
+  type: "universal-auth"
+  config:
+    client-id: "./client-id"
+    client-secret: "./client-secret"
+    remove_client_secret_on_read: false
+
+certificates:
+  - profile-name: "my-profile-name"
+    project-slug: "my-project-slug"
+
+    # Certificate parameters
+    attributes:
+      common-name: "api.mycompany.com"
+      alt-names:
+        - "www.api.mycompany.com"
+        - "internal-api.mycompany.com"
+      key-algorithm: "RSA_2048"
+      signature-algorithm: "RSA-SHA256"
+      key-usages:
+        - "digital_signature"
+        - "key_encipherment"
+      extended-key-usages:
+        - "server_auth"
+      ttl: "30d"
+    lifecycle:
+      renew-before-expiry: "1d"            # When to start checking for renewal before expiration
+      status-check-interval: "6h"          # How often to check certificate status and renewal needs
+
+    # Post-hooks for automation
+    post-hooks:
+      on-issuance:
+        command: "systemctl reload nginx"
+        timeout: 30
+      on-renewal:
+        command: "systemctl reload nginx"
+        timeout: 30
+      on-failure:
+        command: "logger 'Certificate failed for api.mycompany.com'"
+        timeout: 10
+
+    file-output:
+      private-key-path: "./certs/web-server/private.key"
+      certificate-path: "./certs/web-server/certificate.crt"
+      certificate-chain-path: "./certs/web-server/chain.crt"
+      file-permissions: "0600"
+      directory-permissions: "0755"

packages/api/api.go

@@ -55,6 +55,10 @@ const (
 	operationCallPAMSessionTermination             = "CallPAMSessionTermination"
 	operationCallOrgRelayHeartBeat                 = "CallOrgRelayHeartBeat"
 	operationCallInstanceRelayHeartBeat            = "CallInstanceRelayHeartBeat"
+	operationCallIssueCertificate                  = "CallIssueCertificate"
+	operationCallRetrieveCertificate               = "CallRetrieveCertificate"
+	operationCallRenewCertificate                  = "CallRenewCertificate"
+	operationCallGetCertificateRequest             = "CallGetCertificateRequest"
 )
 
 var ErrNotFound = errors.New("resource not found")
@@ -291,6 +295,45 @@ func CallGetProjectById(httpClient *resty.Client, id string) (Project, error) {
 	return projectResponse.Project, nil
 }
 
+func CallGetProjectBySlug(httpClient *resty.Client, slug string) (Project, error) {
+	var projectResponse GetProjectBySlugResponse
+	response, err := httpClient.
+		R().
+		SetResult(&projectResponse).
+		SetHeader("User-Agent", USER_AGENT).
+		Get(fmt.Sprintf("%v/v1/projects/slug/%s", config.INFISICAL_URL, slug))
+
+	if err != nil {
+		return Project{}, NewGenericRequestError("CallGetProjectBySlug", err)
+	}
+
+	if response.IsError() {
+		return Project{}, NewAPIErrorWithResponse("CallGetProjectBySlug", response, nil)
+	}
+
+	return Project(projectResponse), nil
+}
+
+func CallGetCertificateProfileBySlug(httpClient *resty.Client, projectId, slug string) (CertificateProfile, error) {
+	var profileResponse GetCertificateProfileResponse
+	response, err := httpClient.
+		R().
+		SetResult(&profileResponse).
+		SetHeader("User-Agent", USER_AGENT).
+		SetQueryParam("projectId", projectId).
+		Get(fmt.Sprintf("%v/v1/cert-manager/certificate-profiles/slug/%s", config.INFISICAL_URL, slug))
+
+	if err != nil {
+		return CertificateProfile{}, NewGenericRequestError("CallGetCertificateProfileBySlug", err)
+	}
+
+	if response.IsError() {
+		return CertificateProfile{}, NewAPIErrorWithResponse("CallGetCertificateProfileBySlug", response, nil)
+	}
+
+	return profileResponse.CertificateProfile, nil
+}
+
 func CallIsAuthenticated(httpClient *resty.Client) bool {
 	var workSpacesResponse GetWorkSpacesResponse
 	response, err := httpClient.
@@ -956,3 +999,81 @@ func CallPAMSessionTermination(httpClient *resty.Client, sessionId string) error
 
 	return nil
 }
+
+func CallIssueCertificate(httpClient *resty.Client, request IssueCertificateRequest) (*CertificateResponse, error) {
+	var resBody CertificateResponse
+	response, err := httpClient.
+		R().
+		SetResult(&resBody).
+		SetHeader("User-Agent", USER_AGENT).
+		SetBody(request).
+		Post(fmt.Sprintf("%v/v1/cert-manager/certificates", config.INFISICAL_URL))
+
+	if err != nil {
+		return nil, NewGenericRequestError(operationCallIssueCertificate, err)
+	}
+
+	if response.IsError() {
+		return nil, NewAPIErrorWithResponse(operationCallIssueCertificate, response, nil)
+	}
+
+	return &resBody, nil
+}
+
+func CallRetrieveCertificate(httpClient *resty.Client, certificateId string) (*RetrieveCertificateResponse, error) {
+	var resBody RetrieveCertificateResponse
+	response, err := httpClient.
+		R().
+		SetResult(&resBody).
+		SetHeader("User-Agent", USER_AGENT).
+		Get(fmt.Sprintf("%v/v1/cert-manager/certificates/%s", config.INFISICAL_URL, certificateId))
+
+	if err != nil {
+		return nil, NewGenericRequestError(operationCallRetrieveCertificate, err)
+	}
+
+	if response.IsError() {
+		return nil, NewAPIErrorWithResponse(operationCallRetrieveCertificate, response, nil)
+	}
+
+	return &resBody, nil
+}
+
+func CallRenewCertificate(httpClient *resty.Client, certificateId string, request RenewCertificateRequest) (*RenewCertificateResponse, error) {
+	var resBody RenewCertificateResponse
+	response, err := httpClient.
+		R().
+		SetResult(&resBody).
+		SetHeader("User-Agent", USER_AGENT).
+		SetBody(request).
+		Post(fmt.Sprintf("%v/v1/cert-manager/certificates/%s/renew", config.INFISICAL_URL, certificateId))
+
+	if err != nil {
+		return nil, NewGenericRequestError(operationCallRenewCertificate, err)
+	}
+
+	if response.IsError() {
+		return nil, NewAPIErrorWithResponse(operationCallRenewCertificate, response, nil)
+	}
+
+	return &resBody, nil
+}
+
+func CallGetCertificateRequest(httpClient *resty.Client, certificateRequestId string) (*GetCertificateRequestResponse, error) {
+	var resBody GetCertificateRequestResponse
+	response, err := httpClient.
+		R().
+		SetResult(&resBody).
+		SetHeader("User-Agent", USER_AGENT).
+		Get(fmt.Sprintf("%v/v1/cert-manager/certificates/certificate-requests/%s", config.INFISICAL_URL, certificateRequestId))
+
+	if err != nil {
+		return nil, NewGenericRequestError(operationCallGetCertificateRequest, err)
+	}
+
+	if response.IsError() {
+		return nil, NewAPIErrorWithResponse(operationCallGetCertificateRequest, response, nil)
+	}
+
+	return &resBody, nil
+}

packages/api/model.go

@@ -136,6 +136,21 @@ type GetProjectByIdResponse struct {
 	Project Project `json:"workspace"`
 }
 
+type GetProjectBySlugResponse Project
+
+type CertificateProfile struct {
+	ID                    string `json:"id"`
+	Name                  string `json:"name"`
+	Description           string `json:"description"`
+	ProjectID             string `json:"projectId"`
+	CaID                  string `json:"caId"`
+	CertificateTemplateID string `json:"certificateTemplateId"`
+}
+
+type GetCertificateProfileResponse struct {
+	CertificateProfile CertificateProfile `json:"certificateProfile"`
+}
+
 type GetOrganizationsResponse struct {
 	Organizations []struct {
 		ID   string `json:"id"`
@@ -859,3 +874,90 @@ type UploadPAMSessionLogsRequest struct {
 type RelayHeartbeatRequest struct {
 	Name string `json:"name"`
 }
+
+type AltName struct {
+	Type  string `json:"type"`
+	Value string `json:"value"`
+}
+
+type CertificateAttributes struct {
+	TTL                  string    `json:"ttl,omitempty"`
+	SignatureAlgorithm   string    `json:"signatureAlgorithm,omitempty"`
+	KeyAlgorithm         string    `json:"keyAlgorithm,omitempty"`
+	CommonName           string    `json:"commonName,omitempty"`
+	KeyUsages            []string  `json:"keyUsages,omitempty"`
+	ExtendedKeyUsages    []string  `json:"extendedKeyUsages,omitempty"`
+	NotBefore            string    `json:"notBefore,omitempty"`
+	NotAfter             string    `json:"notAfter,omitempty"`
+	AltNames             []AltName `json:"altNames,omitempty"`
+	RemoveRootsFromChain bool      `json:"removeRootsFromChain,omitempty"`
+}
+
+type IssueCertificateRequest struct {
+	ProfileID  string                 `json:"profileId"`
+	CSR        string                 `json:"csr,omitempty"`
+	Attributes *CertificateAttributes `json:"attributes,omitempty"`
+}
+
+type CertificateData struct {
+	Certificate          string `json:"certificate"`
+	IssuingCaCertificate string `json:"issuingCaCertificate"`
+	CertificateChain     string `json:"certificateChain"`
+	PrivateKey           string `json:"privateKey,omitempty"`
+	SerialNumber         string `json:"serialNumber"`
+	CertificateID        string `json:"certificateId"`
+}
+
+type CertificateResponse struct {
+	Certificate          *CertificateData `json:"certificate,omitempty"`
+	CertificateRequestID string           `json:"certificateRequestId"`
+}
+
+type RetrieveCertificateResponse struct {
+	Certificate struct {
+		ID                string    `json:"id"`
+		CreatedAt         time.Time `json:"createdAt"`
+		UpdatedAt         time.Time `json:"updatedAt"`
+		Status            string    `json:"status"`
+		SerialNumber      string    `json:"serialNumber"`
+		CommonName        string    `json:"commonName"`
+		NotBefore         time.Time `json:"notBefore"`
+		NotAfter          time.Time `json:"notAfter"`
+		ProjectId         string    `json:"projectId"`
+		CaId              string    `json:"caId"`
+		KeyUsages         []string  `json:"keyUsages"`
+		ExtendedKeyUsages []string  `json:"extendedKeyUsages"`
+		Certificate       string    `json:"certificate,omitempty"`
+		CertificateChain  string    `json:"certificateChain,omitempty"`
+		PrivateKey        string    `json:"privateKey,omitempty"`
+	} `json:"certificate"`
+}
+
+type RenewCertificateRequest struct {
+}
+
+type RenewCertificateResponse struct {
+	Certificate          string `json:"certificate"`
+	IssuingCaCertificate string `json:"issuingCaCertificate"`
+	CertificateChain     string `json:"certificateChain"`
+	PrivateKey           string `json:"privateKey"`
+	SerialNumber         string `json:"serialNumber"`
+	CertificateID        string `json:"certificateId"`
+	CertificateRequestID string `json:"certificateRequestId,omitempty"`
+}
+
+type GetCertificateRequestResponse struct {
+	Status               string    `json:"status"` // "pending", "issued", "failed"
+	CreatedAt            time.Time `json:"createdAt"`
+	UpdatedAt            time.Time `json:"updatedAt"`
+	CommonName           string    `json:"commonName,omitempty"`
+	ProjectID            string    `json:"projectId,omitempty"`
+	ProfileID            string    `json:"profileId,omitempty"`
+	Certificate          *string   `json:"certificate,omitempty"`
+	IssuingCaCertificate *string   `json:"issuingCaCertificate,omitempty"`
+	CertificateChain     *string   `json:"certificateChain,omitempty"`
+	PrivateKey           *string   `json:"privateKey,omitempty"`
+	SerialNumber         *string   `json:"serialNumber,omitempty"`
+	CertificateID        *string   `json:"certificateId,omitempty"`
+	ErrorMessage         *string   `json:"errorMessage,omitempty"`
+}