Updated to use Go Client, added CA and Template parameters to issue path

Author: joevanwanzeeleKF

backend.go

@@ -7,16 +7,14 @@
  *  and limitations under the License.
  */
 
-package keyfactor
+package kfbackend
 
 import (
 	"context"
-	b64 "encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"strings"
 	"sync"
@@ -42,7 +40,7 @@ func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend,
 // // Store certificates by serial number
 type keyfactorBackend struct {
 	*framework.Backend
-	lock         sync.RWMutex
+	configLock   sync.RWMutex
 	cachedConfig *keyfactorConfig
 	client       *keyfactorClient
 }
@@ -78,9 +76,11 @@ func backend() *keyfactorBackend {
 // reset clears any client configuration for a new
 // backend to be configured
 func (b *keyfactorBackend) reset() {
-	b.lock.Lock()
-	defer b.lock.Unlock()
+	b.configLock.RLock()
+	defer b.configLock.RUnlock()
+	b.cachedConfig = nil
 	b.client = nil
+
 }
 
 // invalidate clears an existing client configuration in
@@ -94,63 +94,73 @@ func (b *keyfactorBackend) invalidate(ctx context.Context, key string) {
 // getClient locks the backend as it configures and creates a
 // a new client for the target API
 func (b *keyfactorBackend) getClient(ctx context.Context, s logical.Storage) (*keyfactorClient, error) {
-	b.lock.RLock()
-	unlockFunc := b.lock.RUnlock
-	defer func() { unlockFunc() }()
+	b.configLock.RLock()
+	defer b.configLock.RUnlock()
 
 	if b.client != nil {
 		return b.client, nil
 	}
 
-	b.lock.RUnlock()
-	b.lock.Lock()
-	unlockFunc = b.lock.Unlock
+	// get configuration
+	config, err := b.fetchConfig(ctx, s)
+	if err != nil {
+		return nil, err
+	}
+	if config == nil {
+		return nil, errors.New("configuration is empty")
+	}
 
-	return nil, fmt.Errorf("need to return client")
+	b.client, err = newClient(config)
+	if err != nil {
+		return nil, err
+	}
+	return b.client, nil
 }
 
 // Handle interface with Keyfactor API to enroll a certificate with given content
 func (b *keyfactorBackend) submitCSR(ctx context.Context, req *logical.Request, csr string, caName string, templateName string) ([]string, string, error) {
-	config, err := b.config(ctx, req.Storage)
+	config, err := b.fetchConfig(ctx, req.Storage)
 	if err != nil {
 		return nil, "", err
 	}
 	if config == nil {
 		return nil, "", errors.New("configuration is empty")
 	}
 
-	ca := config.CertAuthority
-	template := config.CertTemplate
-
-	creds := config.Username + ":" + config.Password
-	encCreds := b64.StdEncoding.EncodeToString([]byte(creds))
-
 	location, _ := time.LoadLocation("UTC")
 	t := time.Now().In(location)
 	time := t.Format("2006-01-02T15:04:05")
 
-	// This is only needed when running as a vault extension
+	// get client
+	client, err := b.getClient(ctx, req.Storage)
+	if err != nil {
+		return nil, "", fmt.Errorf("error getting client: %w", err)
+	}
+
 	b.Logger().Debug("Closing idle connections")
-	http.DefaultClient.CloseIdleConnections()
+	b.client.httpClient.CloseIdleConnections()
+
+	// build request parameter structure
 
-	// Build request
 	url := config.KeyfactorUrl + "/KeyfactorAPI/Enrollment/CSR"
 	b.Logger().Debug("url: " + url)
-	bodyContent := "{\"CSR\": \"" + csr + "\",\"CertificateAuthority\":\"" + ca + "\",\"IncludeChain\": true, \"Metadata\": {}, \"Timestamp\": \"" + time + "\",\"Template\": \"" + template + "\",\"SANs\": {}}"
+	bodyContent := "{\"CSR\": \"" + csr + "\",\"CertificateAuthority\":\"" + caName + "\",\"IncludeChain\": true, \"Metadata\": {}, \"Timestamp\": \"" + time + "\",\"Template\": \"" + templateName + "\",\"SANs\": {}}"
 	payload := strings.NewReader(bodyContent)
 	b.Logger().Debug("body: " + bodyContent)
 	httpReq, err := http.NewRequest("POST", url, payload)
+
 	if err != nil {
 		b.Logger().Info("Error forming request: {{err}}", err)
 	}
+
 	httpReq.Header.Add("x-keyfactor-requested-with", "APIClient")
 	httpReq.Header.Add("content-type", "application/json")
-	httpReq.Header.Add("authorization", "Basic "+encCreds)
 	httpReq.Header.Add("x-certificateformat", "PEM")
 
 	// Send request and check status
+
 	b.Logger().Debug("About to connect to " + config.KeyfactorUrl + "for csr submission")
-	res, err := http.DefaultClient.Do(httpReq)
+	res, err := client.httpClient.Do(httpReq)
 	if err != nil {
 		b.Logger().Info("CSR Enrollment failed: {{err}}", err.Error())
 		return nil, "", err
@@ -166,7 +176,7 @@ func (b *keyfactorBackend) submitCSR(ctx context.Context, req *logical.Request,
 	// Read response and return certificate and key
 
 	defer res.Body.Close()
-	body, err := ioutil.ReadAll(res.Body)
+	body, err := io.ReadAll(res.Body)
 	if err != nil {
 		b.Logger().Error("Error reading response: {{err}}", err)
 		return nil, "", err

cert_util.go

@@ -7,7 +7,7 @@
  *  and limitations under the License.
  */
 
-package keyfactor
+package kfbackend
 
 import (
 	"bytes"
@@ -18,12 +18,11 @@ import (
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"encoding/base64"
-	b64 "encoding/base64"
 	"encoding/json"
 	"encoding/pem"
 	"errors"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net"
 	"net/http"
 	"net/url"
@@ -37,7 +36,7 @@ import (
 // fetch the CA info from keyfactor
 func fetchCAInfo(ctx context.Context, req *logical.Request, b *keyfactorBackend) (response *logical.Response, retErr error) {
 	// first we see if we have previously retreived the CA or chain
-	config, err := b.config(ctx, req.Storage)
+	config, err := b.fetchConfig(ctx, req.Storage)
 	if err != nil {
 		return nil, err
 	}
@@ -151,12 +150,12 @@ func fetchCaChainInfo(ctx context.Context, req *logical.Request, b *keyfactorBac
 }
 
 func getCAId(ctx context.Context, req *logical.Request, b *keyfactorBackend) (string, error) {
-	config, err := b.config(ctx, req.Storage)
+	config, err := b.fetchConfig(ctx, req.Storage)
 	if err != nil {
 		return "", err
 	}
 	if config == nil {
-		return "", errors.New("unable to load configuration.")
+		return "", errors.New("unable to load configuration")
 	}
 
 	if config.CertAuthority == "" {
@@ -168,12 +167,16 @@ func getCAId(ctx context.Context, req *logical.Request, b *keyfactorBackend) (st
 
 	// This is only needed when running as a vault extension
 	b.Logger().Debug("Closing idle connections")
-	http.DefaultClient.CloseIdleConnections()
+	client, err := b.getClient(ctx, req.Storage)
+	if err != nil {
+		b.Logger().Error("unable to create the http client")
+	}
+	client.httpClient.CloseIdleConnections()
 
 	ca_name = url.QueryEscape(ca_name)
 
-	creds := config.Username + ":" + config.Password
-	encCreds := b64.StdEncoding.EncodeToString([]byte(creds))
+	//creds := config.Username + ":" + config.Password
+	//encCreds := b64.StdEncoding.EncodeToString([]byte(creds))
 
 	// Build request
 
@@ -183,21 +186,21 @@ func getCAId(ctx context.Context, req *logical.Request, b *keyfactorBackend) (st
 	if err != nil {
 		b.Logger().Info("Error forming request: {{err}}", err)
 	}
-	httpReq.Header.Add("x-keyfactor-requested-with", "APIClient")
+	//httpReq.Header.Add("x-keyfactor-requested-with", "APIClient")
 	httpReq.Header.Add("x-keyfactor-api-version", "1")
-	httpReq.Header.Add("authorization", "Basic "+encCreds)
+	//httpReq.Header.Add("authorization", "Basic "+encCreds)
 
 	// Send request and check status
 	b.Logger().Debug("About to connect to " + config.KeyfactorUrl + "for ca retrieval")
-	res, err := http.DefaultClient.Do(httpReq)
+	res, err := client.httpClient.Do(httpReq)
 	if err != nil {
 		b.Logger().Info("failed getting CA: {{err}}", err)
 		return "", err
 	}
 	if res.StatusCode != 200 {
 		b.Logger().Error("request failed: server returned" + fmt.Sprint(res.StatusCode))
 		defer res.Body.Close()
-		body, err := ioutil.ReadAll(res.Body)
+		body, err := io.ReadAll(res.Body)
 		if err != nil {
 			b.Logger().Info("Error reading response: {{err}}", err)
 			return "", err
@@ -246,22 +249,25 @@ func (b *keyfactorBackend) generateCSR(cn string, ip_sans []string, dns_sans []s
 }
 
 func fetchCertFromKeyfactor(ctx context.Context, req *logical.Request, b *keyfactorBackend, kfCertId string, includeChain bool) (string, error) {
-	config, err := b.config(ctx, req.Storage)
+	config, err := b.fetchConfig(ctx, req.Storage)
 	if err != nil {
 		return "", err
 	}
 	if config == nil {
 		return "", errors.New("unable to load configuration")
 	}
-	creds := config.Username + ":" + config.Password
-	encCreds := b64.StdEncoding.EncodeToString([]byte(creds))
-	//location, _ := time.LoadLocation("UTC")
-	//t := time.Now().In(location)
-	//time := t.Format("2006-01-02T15:04:05")
+	// creds := config.Username + ":" + config.Password
+	// encCreds := b64.StdEncoding.EncodeToString([]byte(creds))
 
+	// get the client
+	client, err := b.getClient(ctx, req.Storage)
+	if err != nil {
+		b.Logger().Error("unable to create the http client")
+	}
 	// This is only needed when running as a vault extension
 	b.Logger().Debug("Closing idle connections")
-	http.DefaultClient.CloseIdleConnections()
+	client.httpClient.CloseIdleConnections()
+
 	include := "false"
 	if includeChain {
 		include = "true"
@@ -279,12 +285,11 @@ func fetchCertFromKeyfactor(ctx context.Context, req *logical.Request, b *keyfac
 	}
 	httpReq.Header.Add("x-keyfactor-requested-with", "APIClient")
 	httpReq.Header.Add("content-type", "application/json")
-	httpReq.Header.Add("authorization", "Basic "+encCreds)
 	httpReq.Header.Add("x-certificateformat", "PEM")
 
 	// Send request and check status
 	b.Logger().Debug("About to connect to " + config.KeyfactorUrl + "for cert retrieval")
-	res, err := http.DefaultClient.Do(httpReq)
+	res, err := client.httpClient.Do(httpReq)
 	if err != nil {
 		b.Logger().Info("failed getting cert: {{err}}", err)
 		return "", err
@@ -298,7 +303,7 @@ func fetchCertFromKeyfactor(ctx context.Context, req *logical.Request, b *keyfac
 	// Read response and return certificate and key
 	defer res.Body.Close()
 
-	body, err := ioutil.ReadAll(res.Body)
+	body, err := io.ReadAll(res.Body)
 	if err != nil {
 		b.Logger().Info("Error reading response: {{err}}", err)
 		return "", err
@@ -339,7 +344,7 @@ func fetchCertBySerial(ctx context.Context, req *logical.Request, prefix, serial
 		return nil, errutil.InternalError{Err: fmt.Sprintf("error fetching certificate %s: %s", serial, err)}
 	}
 	if certEntry != nil {
-		if certEntry.Value == nil || len(certEntry.Value) == 0 {
+		if len(certEntry.Value) == 0 {
 			return nil, errutil.InternalError{Err: fmt.Sprintf("returned certificate bytes for serial %s were empty", serial)}
 		}
 		return certEntry, nil
@@ -358,7 +363,7 @@ func fetchCertBySerial(ctx context.Context, req *logical.Request, prefix, serial
 	if certEntry == nil {
 		return nil, nil
 	}
-	if certEntry.Value == nil || len(certEntry.Value) == 0 {
+	if len(certEntry.Value) == 0 {
 		return nil, errutil.InternalError{Err: fmt.Sprintf("returned certificate bytes for serial %s were empty", serial)}
 	}