Merge 1.0.1 to main

.github/workflows/keyfactor-bootstrap-workflow.yml

@@ -11,9 +11,17 @@ on:
 
 jobs:
   call-starter-workflow:
-    uses: keyfactor/actions/.github/workflows/starter.yml@v2
+    uses: keyfactor/actions/.github/workflows/starter.yml@v4
+    with:
+      command_token_url: ${{ vars.COMMAND_TOKEN_URL }}
+      command_hostname: ${{ vars.COMMAND_HOSTNAME }}
+      command_base_api_path: ${{ vars.COMMAND_API_PATH }}
     secrets:
       token: ${{ secrets.V2BUILDTOKEN}}
-      APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}}
       gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }}
       gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }}
+      scan_token: ${{ secrets.SAST_TOKEN }}
+      entra_username: ${{ secrets.DOCTOOL_ENTRA_USERNAME }}
+      entra_password: ${{ secrets.DOCTOOL_ENTRA_PASSWD }}
+      command_client_id: ${{ secrets.COMMAND_CLIENT_ID }}
+      command_client_secret: ${{ secrets.COMMAND_CLIENT_SECRET }}

CHANGELOG.md

@@ -0,0 +1,8 @@
+## 1.0.2
+* bug fix: _certDataReader is now initialized in the Initialize method
+
+## 1.0.1
+* added retrieval of roles associated with enrolled certificates via metadata for Vault Enterprise users
+
+## 1.0.0
+* initial release

hashicorp-vault-cagateway/APIProxy/CertResponse.cs

@@ -1,4 +1,4 @@
-// Copyright 2024 Keyfactor
+// Copyright 2025 Keyfactor
 // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
@@ -16,7 +16,10 @@ public class CertResponse
         public string Certificate { get; set; }
 
         [JsonPropertyName("revocation_time_rfc3339")]
-        public DateTime? RevocationTime { get; set; }
+        public string RevocationTime { get; set; }
+
+        [JsonPropertyName("revocation_time")]
+        public int? RevocationTimestamp { get; set; }
 
         [JsonPropertyName("issuer_id")]
         public string IssuerId { get; set; }

hashicorp-vault-cagateway/APIProxy/ErrorResponse.cs

@@ -1,4 +1,4 @@
-// Copyright 2024 Keyfactor
+// Copyright 2025 Keyfactor
 // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,

hashicorp-vault-cagateway/APIProxy/KeyedList.cs

@@ -1,4 +1,4 @@
-// Copyright 2024 Keyfactor
+// Copyright 2025 Keyfactor
 // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,

hashicorp-vault-cagateway/APIProxy/MetadataResponse.cs

@@ -0,0 +1,30 @@
+// Copyright 2025 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
+
+using System;
+using System.Text.Json.Serialization;
+
+namespace Keyfactor.Extensions.CAPlugin.HashicorpVault.APIProxy
+{
+    public class MetadataResponse
+    {
+        [JsonPropertyName("issuer_id")]
+        public string IssuerId { get; set; }
+
+        [JsonPropertyName("expiration")]
+        public DateTime? Expiration { get; set; }
+
+        [JsonPropertyName("cert_metadata")]
+        public string CertMetadata { get; set; }
+
+        [JsonPropertyName("role")]
+        public string Role { get; set; }
+
+        [JsonPropertyName("serial_number")]
+        public string SerialNumber { get; set; }
+    }
+}

hashicorp-vault-cagateway/APIProxy/RevokeRequest.cs

@@ -1,4 +1,4 @@
-// Copyright 2024 Keyfactor
+// Copyright 2025 Keyfactor
 // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,

hashicorp-vault-cagateway/APIProxy/RevokeResponse.cs

@@ -1,4 +1,4 @@
-// Copyright 2024 Keyfactor
+// Copyright 2025 Keyfactor
 // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,

hashicorp-vault-cagateway/APIProxy/SealStatusResponse.cs

@@ -1,4 +1,4 @@
-// Copyright 2024 Keyfactor
+// Copyright 2025 Keyfactor
 // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,

hashicorp-vault-cagateway/APIProxy/SignRequest.cs

@@ -1,4 +1,4 @@
-// Copyright 2024 Keyfactor
+// Copyright 2025 Keyfactor
 // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,

hashicorp-vault-cagateway/APIProxy/SignResponse.cs

@@ -1,4 +1,4 @@
-// Copyright 2024 Keyfactor
+// Copyright 2025 Keyfactor
 // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,

hashicorp-vault-cagateway/APIProxy/TokenLookupResponse.cs

@@ -1,4 +1,4 @@
-// Copyright 2024 Keyfactor
+// Copyright 2025 Keyfactor
 // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,

hashicorp-vault-cagateway/APIProxy/WrappedResponse.cs

@@ -1,4 +1,4 @@
-// Copyright 2024 Keyfactor
+// Copyright 2025 Keyfactor
 // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
@@ -12,6 +12,9 @@ namespace Keyfactor.Extensions.CAPlugin.HashicorpVault.APIProxy
 {
     public class WrappedResponse<T>
     {
+        [JsonPropertyName("request_id")]
+        public string RequestId { get; set; }
+
         [JsonPropertyName("lease_id")]
         public string LeaseId { get; set; }
 
@@ -30,6 +33,9 @@ public class WrappedResponse<T>
         [JsonPropertyName("mount_point")]
         public string MountPoint { get; set; }
 
+        [JsonPropertyName("mount_type")]
+        public string MountType { get; set; }
+
         [JsonPropertyName("mount_running_plugin_version")]
         public string PluginVersion { get; set; }
 

hashicorp-vault-cagateway/Client/HashicorpVaultClient.cs

@@ -1,4 +1,4 @@
-// Copyright 2024 Keyfactor
+// Copyright 2025 Keyfactor
 // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
@@ -131,9 +131,15 @@ public async Task<CertResponse> GetCertificate(string certSerial)
 
             try
             {
-                var response = await _vaultHttp.GetAsync<CertResponse>($"cert/{certSerial}");
+                var response = await _vaultHttp.GetAsync<WrappedResponse<CertResponse>>($"cert/{certSerial}");
+
                 logger.LogTrace($"successfully received a response for certificate with serial number: {certSerial}");
-                return response;
+                logger.LogTrace($"--response data--");
+                logger.LogTrace($"cert string: {response.Data?.Certificate}");
+                logger.LogTrace($"revocation time: {response.Data?.RevocationTime}");
+
+
+                return response.Data;
             }
             catch (Exception ex)
             {
@@ -152,9 +158,9 @@ public async Task<RevokeResponse> RevokeCertificate(string serial)
             logger.LogTrace($"making request to revoke cert with serial: {serial}");
             try
             {                
-                var response = await _vaultHttp.PostAsync<RevokeResponse>("revoke", new RevokeRequest(serial));
-                logger.LogTrace($"successfully revoked cert with serial {serial}, revocation time:  {response.RevocationTime}");
-                return response;
+                var response = await _vaultHttp.PostAsync<WrappedResponse<RevokeResponse>>("revoke", new RevokeRequest(serial));
+                logger.LogTrace($"successfully revoked cert with serial {serial}, revocation time:  {response.Data.RevocationTime}");
+                return response.Data;
             }
             catch (Exception ex)
             {
@@ -189,7 +195,7 @@ public async Task<bool> PingServer()
         }
 
         /// <summary>
-        /// Retreives all serial numbers for issued certificates 
+        /// Retrieves all serial numbers for issued certificates 
         /// </summary>
         /// <returns>a list of the certificate serial number strings</returns>
         public async Task<List<string>> GetAllCertSerialNumbers()
@@ -199,7 +205,7 @@ public async Task<List<string>> GetAllCertSerialNumbers()
             try
             {
                 var res = await _vaultHttp.GetAsync<WrappedResponse<KeyedList>>("certs/?list=true");
-                return res.Data.Entries;
+                return res?.Data?.Entries;
             }
             catch (Exception ex)
             {
@@ -215,8 +221,8 @@ private async Task<List<string>> GetRevokedSerialNumbers()
             var keys = new List<string>();
             try
             {
-                var res = await _vaultHttp.GetAsync<KeyedList>("certs/revoked");
-                keys = res.Entries;
+                var res = await _vaultHttp.GetAsync<WrappedResponse<KeyedList>>("certs/revoked");
+                keys = res?.Data?.Entries;
             }
             catch (Exception ex)
             {
@@ -246,6 +252,41 @@ public async Task<List<string>> GetRoleNamesAsync()
             finally { logger.MethodExit(); }            
         }
 
+        /// <summary>
+        /// Retrieves the metadata for the certificate
+        /// </summary>
+        /// <param name="certSerial"></param>
+        /// <returns></returns>
+        public async Task<MetadataResponse> GetCertMetadata(string certSerial)
+        {
+            logger.MethodEntry();
+
+            try 
+            {
+                var res = await _vaultHttp.GetAsync<WrappedResponse<MetadataResponse>>($"cert-metadata/{certSerial}");
+                var md = res?.Data;
+                if (md != null)
+                {
+                    logger.LogTrace($"got response from cert-metadata");
+                    logger.LogTrace($"serial number: {md.SerialNumber}");
+                    logger.LogTrace($"issuer id: {md.IssuerId}");
+                    logger.LogTrace($"expiration: {md.Expiration}");
+                    logger.LogTrace($"metadata: {md.CertMetadata}");
+                    logger.LogTrace($"role: {md.Role}");
+                }
+                else {
+                    logger.LogTrace($"no metadata associated with cert {certSerial} could be found.");
+                }
+                return md;
+            }
+            catch (Exception ex)
+            { 
+                logger.LogError($"an error occurred when attempting to retrieve the certificate metadata: {ex.Message}");
+                throw;
+            }            
+            finally { logger.MethodExit(); }
+        }
+
         private void SetClientValuesFromConfigs(HashicorpVaultCAConfig caConfig, HashicorpVaultCATemplateConfig templateConfig)
         {
             logger.MethodEntry();
@@ -282,5 +323,7 @@ private static string ConvertSerialToTrackingId(string serialNumber)
 
             return serialNumber.Replace(":", "-");
         }
+
+
     }
 }

hashicorp-vault-cagateway/Client/VaultHttp.cs

@@ -1,4 +1,4 @@
-// Copyright 2024 Keyfactor
+// Copyright 2025 Keyfactor
 // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
@@ -14,6 +14,7 @@
 using System.Collections.Generic;
 using System.Text.Json;
 using System.Text.Json.Serialization;
+using System.Threading;
 using System.Threading.Tasks;
 
 namespace Keyfactor.Extensions.CAPlugin.HashicorpVault.Client
@@ -36,12 +37,12 @@ public VaultHttp(string host, string mountPoint, string authToken, string nameSp
             _serializerOptions = new()
             {
                 DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingDefault,
-                RespectNullableAnnotations = true,
                 PropertyNameCaseInsensitive = true,
-                PreferredObjectCreationHandling = JsonObjectCreationHandling.Replace,
+                RespectNullableAnnotations = true,                
+                PreferredObjectCreationHandling = JsonObjectCreationHandling.Replace
             };
 
-            var restClientOptions = new RestClientOptions($"{host.TrimEnd('/')}/v1") { ThrowOnAnyError = true };
+            var restClientOptions = new RestClientOptions($"{host.TrimEnd('/')}/v1") { ThrowOnAnyError = true  };
             _restClient = new RestClient(restClientOptions, configureSerialization: s => s.UseSystemTextJson(_serializerOptions));
 
             _mountPoint = mountPoint.TrimStart('/').TrimEnd('/'); // remove leading and trailing slashes
@@ -69,18 +70,32 @@ public VaultHttp(string host, string mountPoint, string authToken, string nameSp
         public async Task<T> GetAsync<T>(string path, Dictionary<string, string> parameters = null)
         {
             logger.MethodEntry();
-            logger.LogTrace($"preparing to send GET request to {path} with parameters {JsonSerializer.Serialize(parameters)}");
-            logger.LogTrace($"will attempt to deserialize the response into a {typeof(T)}");
+            logger.LogTrace($"preparing to send GET request to {_mountPoint}/{path} with parameters {JsonSerializer.Serialize(parameters)}");
+
             try
             {
                 var request = new RestRequest($"{_mountPoint}/{path}", Method.Get);
-                if (parameters != null) { request.AddJsonBody(parameters); }
+                if (parameters != null && parameters.Keys.Count > 0) { request.AddJsonBody(parameters); }
+                var response = await _restClient.ExecuteGetAsync(request);
+
+                logger.LogTrace($"raw response: {JsonSerializer.Serialize(response)}");
+
+                logger.LogTrace($"response content: {response.Content}");
+
+                logger.LogTrace($"response status: {response.StatusCode}");
 
-                var response = await _restClient.ExecuteGetAsync<T>(request);
+                logger.LogTrace($"response error msg: {response.ErrorMessage}");
 
                 response.ThrowIfError();
+                if (string.IsNullOrEmpty(response.Content)) throw new Exception(response.ErrorMessage ?? "no content returned from Vault");
 
-                return response.Data;
+                logger.LogTrace($"deserializing the response into a {typeof(T)}");                               
+
+                var deserialized = JsonSerializer.Deserialize<T>(response.Content, _serializerOptions);
+
+                logger.LogTrace($"successfully deserialized the response");
+
+                return deserialized;
             }
             catch (Exception ex)
             {
@@ -107,7 +122,7 @@ public async Task<T> PostAsync<T>(string path, dynamic parameters = default)
                 var request = new RestRequest(resourcePath, Method.Post);
                 if (parameters != null)
                 {
-                    string serializedParams = JsonSerializer.Serialize(parameters, _serializerOptions);
+                    string serializedParams = JsonSerializer.Serialize(parameters);
                     logger.LogTrace($"serialized parameters (from {parameters.GetType()?.Name}): {serializedParams}");
                     request.AddJsonBody(serializedParams);
                 }
@@ -126,7 +141,7 @@ public async Task<T> PostAsync<T>(string path, dynamic parameters = default)
 
                 if (response.StatusCode == System.Net.HttpStatusCode.BadRequest)
                 {
-                    errorResponse = JsonSerializer.Deserialize<ErrorResponse>(response.Content!);
+                    errorResponse = JsonSerializer.Deserialize<ErrorResponse>(response.Content ?? "no content");
                     string allErrors = "(Bad Request)";
                     if (errorResponse?.Errors.Count > 0)
                     {

hashicorp-vault-cagateway/Constants.cs

@@ -1,4 +1,4 @@
-// Copyright 2024 Keyfactor
+// Copyright 2025 Keyfactor
 // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,