updated read/write operations on kv-v1 to reflect that the secrets are _always_ stored as JSON in v1.

Author: joevanwanzeeleKF

hashicorp-vault-orchestrator/FileStores/PfxFileStore.cs

@@ -45,9 +45,9 @@ public string AddCertificate(string alias, string pfxPassword, string entryConte
             var newCertBytes = Convert.FromBase64String(entryContents);
 
             logger.LogTrace("adding the new certificate, and getting the new PFX store bytes.");
-            var newJksBytes = AddOrRemoveCert(alias, pfxPassword, newCertBytes, pfxBytes, passphrase);
+            var newPFXbytes = AddOrRemoveCert(alias, pfxPassword, newCertBytes, pfxBytes, passphrase);
 
-            return Convert.ToBase64String(newJksBytes);
+            return Convert.ToBase64String(newPFXbytes);
         }
         public string RemoveCertificate(string alias, string passphrase, string storeFileContent)
         {

hashicorp-vault-orchestrator/HcvKeyValueClient.cs

@@ -99,10 +99,10 @@ private async Task CreateFileStore()
 
             var certSecretIsJSON = !string.IsNullOrEmpty(_certPropName);
             if (certSecretIsJSON) logger.LogTrace($"the certificate data will be stored as a JSON object with the base64 encoded cert stored in the property '{_certPropName}'");
-
+            else logger.LogTrace($"the certificate data will be stored as the entire secret content at '{certParentPath}/{certSecretName}' and contain the base64 encoded cert.");
             var passphraseSecretIsJSON = !string.IsNullOrEmpty(_passphrasePropName);
             if (passphraseSecretIsJSON) logger.LogTrace($"the passphrase secret will be stored as a JSON object with the passphrase in the property '{_passphrasePropName}'");
-
+            else logger.LogTrace($"the passphrase string will be stored as the entire secret content at '{passphraseParentPath}/{passphraseSecretName}'");
             switch (_storeType)
             {
                 case StoreType.HCVKVPFX:
@@ -131,6 +131,13 @@ private async Task CreateFileStore()
 
             try
             {
+                var kvVersion = await GetKVVersionAsync();
+                if (!certSecretIsJSON && kvVersion == 1)
+                {
+                    _certPropName = "value"; // kv v1 secrets are _always_ stored as JSON; setting generic "value" property
+                    certSecretIsJSON = true;
+                }
+
                 // create the cert secret                
                 Dictionary<string, object> certSecretContent;
                 var pathToWriteCert = string.Empty;
@@ -141,7 +148,7 @@ private async Task CreateFileStore()
                 {
                     // this means the cert should be stored as a JSON object with property _certPropName, as opposed to a raw base64 string.
                     certSecretContent = new Dictionary<string, object> { { _certPropName, Convert.ToBase64String(newStoreBytes) } }; // the content includes the property name
-                    pathToWriteCert = certParentPath + certSecretName; // we write to the secret
+                    pathToWriteCert = $"{certParentPath}/{certSecretName}"; // we write to the secret
                 }
                 else
                 {
@@ -161,13 +168,19 @@ private async Task CreateFileStore()
 
                 // create the passphrase secret
 
+                if (!passphraseSecretIsJSON && kvVersion == 1)
+                {
+                    _passphrasePropName = "value"; // kv v1 secrets are _always_ stored as JSON; setting generic "value" property
+                    passphraseSecretIsJSON = true;
+                }
+
                 Dictionary<string, object> passphraseSecretContent;
                 var pathToWritePassphrase = string.Empty;
 
                 if (passphraseSecretIsJSON)
                 {
                     passphraseSecretContent = new Dictionary<string, object> { { _passphrasePropName, passphrase } };
-                    pathToWritePassphrase = passphraseParentPath + passphraseSecretName;
+                    pathToWritePassphrase = $"{passphraseParentPath}/{passphraseSecretName}";
                 }
                 else
                 {
@@ -394,7 +407,6 @@ public async Task<CurrentInventoryItem> GetCertificateFromPemStore(string key)
             return (vaultPaths, warnings);
         }
 
-
         public async Task PutCertificate(string certName, string contents, string pfxPassword, string certPath, string certPropName, string keyPath, string keyPropName, bool includeChain)
         {
             logger.MethodEntry();
@@ -943,8 +955,10 @@ private async Task<List<string>> GetSubPaths(string storagePath)
 
         private async Task<(string, string)> GetCertificateAndPassphrase()
         {
+
             (var certParentPath, var certSecretName, var passphraseParentPath, var passphraseSecretName) = ParsedSecretPaths();
             var certSecretIsJSON = !string.IsNullOrEmpty(_certPropName);
+
             var passphraseSecretIsJSON = !string.IsNullOrEmpty(_passphrasePropName);
 
             string certContent = string.Empty;
@@ -954,6 +968,22 @@ private async Task<List<string>> GetSubPaths(string storagePath)
             // first get cert contents
             try
             {
+                var kvVersion = await GetKVVersionAsync();
+
+                if (kvVersion == 1) // in the key-value secrets engine v1; all secrets are stored as JSON
+                {
+                    if (!certSecretIsJSON)
+                    {
+                        _certPropName = "value";
+                        certSecretIsJSON = true;
+                    }
+                    if (!passphraseSecretIsJSON)
+                    {
+                        _passphrasePropName = "value";
+                        passphraseSecretIsJSON = true;
+                    }
+                }
+
                 logger.LogTrace($"cert secret name {certSecretName}");
                 logger.LogTrace($"retreiving the certificate store secret at {certParentPath + "/" + certSecretName} from the Key-Value secrets engine mounted at {_mountPoint}..");
                 logger.LogTrace($"the cert is {(certSecretIsJSON ? "" : "not")} a JSON property.");
@@ -1123,12 +1153,12 @@ public async Task<Dictionary<string, object>> ReadSecretAutoAsync(
                 }
                 else // v1
                 {
-                    Secret<Dictionary<string, object>> secret = null;
+                    logger.LogTrace($"making request to read secret at {mountPoint}{path}..");
 
                     var secretv1 = await _vaultClient.V1.Secrets.KeyValue.V1.ReadSecretAsync(
                     path,
                     mountPoint: mountPoint);
-
+                    logger.LogTrace($"response: {JsonConvert.SerializeObject(secretv1)}");
                     return secretv1.Data;
                 }
             }
@@ -1234,17 +1264,25 @@ await _vaultClient.V1.Secrets.KeyValue.V2.PatchSecretAsync(
                 }
                 else // v1
                 {
+                    Dictionary<string, object> existing = null;
                     // KV v1 requires read-modify-write
-                    var existing = await ReadSecretAutoAsync(path, mountPoint);
-
+                    try
+                    {
+                        existing = await ReadSecretAutoAsync(path, mountPoint);
+                    }
+                    catch (VaultApiException ex) {
+                        if (ex.StatusCode != 404) throw;
+                        // if it's not found, that's ok.  we'll create a new secret
+                    }
+                    if (existing == null) existing = new Dictionary<string, object>();
                     // Merge with new data
                     foreach (var kvp in keysToUpdate)
                     {
                         existing[kvp.Key] = kvp.Value;
                     }
 
                     // Write back the merged data
-                    await WriteSecretAutoAsync(path, existing as Dictionary<string, object>, mountPoint);
+                    await WriteSecretAutoAsync(path, existing, mountPoint);
                 }
             }
             catch (VaultApiException ex)

hashicorp-vault-orchestrator/Jobs/JobBase.cs

@@ -117,7 +117,10 @@ public void Initialize(DiscoveryJobConfiguration config)
             logger.LogTrace($"Directories to search (mount point): {JobParameters.MountPoint}");
             logger.LogTrace($"Enterprise Namespace: {JobParameters.Namespace}");
             logger.LogTrace($"Directories to ignore (subpath to search): {subPath}");
+
             InitProps(config.JobProperties, config.Capability);
+
+            LogInitValues();
         }
         public void Initialize(ManagementJobConfiguration config)
         {
@@ -130,6 +133,7 @@ public void Initialize(ManagementJobConfiguration config)
             JobParameters.StorePath = config.CertificateStoreDetails.StorePath;
             dynamic props = JsonConvert.DeserializeObject(config.CertificateStoreDetails.Properties.ToString());
             InitProps(props, config.Capability);
+            LogInitValues();
         }
 
         private async void InitProps(dynamic props, string capability)