Merge pull request #1 from Keyfactor/fix-error-on-vault-restart

added "ca" and "template" as parameters to sign and issue reqs.

Author: joevanwanzeeleKF

backend.go

@@ -28,11 +28,6 @@ var config map[string]string
 
 // Factory configures and returns backend
 func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
-	confPath := os.Getenv("KF_CONF_PATH")
-
-	file, _ := ioutil.ReadFile(confPath)
-	config = make(map[string]string)
-	jsonutil.DecodeJSON(file, &config)
 
 	var b backend
 
@@ -50,15 +45,14 @@ func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend,
 			pathIssue(&b),
 			pathSign(&b),
 		},
+		InitializeFunc: b.initialize,
 	}
 
 	if conf == nil {
 		return nil, fmt.Errorf("configuration passed into backend is nil")
 	}
 
 	b.Backend.Setup(ctx, conf)
-	b.Logger().Debug("KF_CONF_PATH = " + confPath)
-	b.Logger().Debug("config file contents = ", config)
 	return b, nil
 }
 
@@ -67,6 +61,22 @@ type backend struct {
 	*framework.Backend
 }
 
+func (b *backend) initialize(ctx context.Context, req *logical.InitializationRequest) error {
+	err := req.Storage.Delete(ctx, "/ca")
+
+	if err != nil {
+		b.Logger().Error("Error removing previous stored ca values on init")
+		return err
+	}
+	confPath := os.Getenv("KF_CONF_PATH")
+	file, _ := ioutil.ReadFile(confPath)
+	config = make(map[string]string)
+	jsonutil.DecodeJSON(file, &config)
+	b.Logger().Debug("INITIALIZE: KF_CONF_PATH = " + confPath)
+	b.Logger().Debug("config file contents = ", config)
+	return nil
+}
+
 // Generate keypair and CSR
 func (b *backend) generateCSR(cn string, ip_sans []string, dns_sans []string) (string, []byte) {
 	keyBytes, _ := rsa.GenerateKey(rand.Reader, 2048)
@@ -93,12 +103,20 @@ func (b *backend) generateCSR(cn string, ip_sans []string, dns_sans []string) (s
 }
 
 // Handle interface with Keyfactor API to enroll a certificate with given content
-func (b *backend) submitCSR(ctx context.Context, req *logical.Request, csr string) ([]string, string, error) {
+func (b *backend) submitCSR(ctx context.Context, req *logical.Request, csr string, caName string, templateName string) ([]string, string, error) {
 	host := config["host"]
 	template := config["template"]
 	ca := config["CA"]
 	creds := config["creds"]
 
+	if caName != "" {
+		ca = caName
+	}
+
+	if templateName != "" {
+		template = templateName
+	}
+
 	location, _ := time.LoadLocation("UTC")
 	t := time.Now().In(location)
 	time := t.Format("2006-01-02T15:04:05")
@@ -126,12 +144,14 @@ func (b *backend) submitCSR(ctx context.Context, req *logical.Request, csr strin
 	b.Logger().Debug("About to connect to " + config["host"] + "for csr submission")
 	res, err := http.DefaultClient.Do(httpReq)
 	if err != nil {
-		b.Logger().Info("Enrollment failed: {{err}}", err)
+		b.Logger().Info("CSR Enrollment failed: {{err}}", err)
 		return nil, "", err
 	}
 	if res.StatusCode != 200 {
-		b.Logger().Error("Enrollment failed: server returned" + fmt.Sprint(res.StatusCode))
-		b.Logger().Error("Error response = " + fmt.Sprint(res.Body))
+		b.Logger().Error("CSR Enrollment failed: server returned" + fmt.Sprint(res.StatusCode))
+		defer res.Body.Close()
+		body, _ := ioutil.ReadAll(res.Body)
+		b.Logger().Error("Error response: " + fmt.Sprint(body))
 		return nil, "", fmt.Errorf("enrollment failed: server returned  %d\n ", res.StatusCode)
 	}
 

cert_util.go

@@ -61,7 +61,7 @@ func fetchCAInfo(ctx context.Context, req *logical.Request, b *backend) (respons
 	if caEntry != nil {
 		var r map[string]interface{}
 		json.Unmarshal(caEntry.Value, &r)
-		b.Logger().Debug("caEntry.Value = ", r)
+		b.Logger().Debug("stored ca = ", r)
 
 		resp := &logical.Response{
 			Data: r,
@@ -268,6 +268,7 @@ func fetchCertFromKeyfactor(ctx context.Context, req *logical.Request, b *backen
 
 	// Read response and return certificate and key
 	defer res.Body.Close()
+
 	body, err := ioutil.ReadAll(res.Body)
 	if err != nil {
 		b.Logger().Info("Error reading response: {{err}}", err)

fields.go

@@ -2,83 +2,26 @@ package keyfactor
 
 import "github.com/hashicorp/vault/sdk/framework"
 
-// addIssueAndSignCommonFields adds fields common to both CA and non-CA issuing
-// and signing
-func addIssueAndSignCommonFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
-	fields["exclude_cn_from_sans"] = &framework.FieldSchema{
-		Type:    framework.TypeBool,
-		Default: false,
-		Description: `If true, the Common Name will not be
-included in DNS or Email Subject Alternate Names.
-Defaults to false (CN is included).`,
-		DisplayAttrs: &framework.DisplayAttributes{
-			Name: "Exclude Common Name from Subject Alternative Names (SANs)",
-		},
-	}
+// addNonCACommonFields adds fields with help text specific to non-CA
+// certificate issuing and signing
+func addNonCACommonFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
 
-	fields["format"] = &framework.FieldSchema{
-		Type:    framework.TypeString,
-		Default: "pem",
-		Description: `Format for returned data. Can be "pem", "der",
-or "pem_bundle". If "pem_bundle" any private
-key and issuing cert will be appended to the
-certificate pem. Defaults to "pem".`,
-		AllowedValues: []interface{}{"pem", "der", "pem_bundle"},
-		DisplayAttrs: &framework.DisplayAttributes{
-			Value: "pem",
-		},
+	fields["ca"] = &framework.FieldSchema{
+		Type:        framework.TypeString,
+		Description: `Specify the CA to use for the request in the format "<host\\logical>". If blank, will use the default from configuration.`,
 	}
 
-	fields["private_key_format"] = &framework.FieldSchema{
-		Type:    framework.TypeString,
-		Default: "der",
-		Description: `Format for the returned private key.
-Generally the default will be controlled by the "format"
-parameter as either base64-encoded DER or PEM-encoded DER.
-However, this can be set to "pkcs8" to have the returned
-private key contain base64-encoded pkcs8 or PEM-encoded
-pkcs8 instead. Defaults to "der".`,
-		AllowedValues: []interface{}{"", "der", "pem", "pkcs8"},
-		DisplayAttrs: &framework.DisplayAttributes{
-			Value: "der",
-		},
+	fields["template"] = &framework.FieldSchema{
+		Type:        framework.TypeString,
+		Description: `Specify the name of the certificate template to use for the request. If blank, will use the default from configuration.`,
 	}
 
-	fields["ip_sans"] = &framework.FieldSchema{
-		Type: framework.TypeCommaStringSlice,
-		Description: `The requested IP SANs, if any, in a
-comma-delimited list`,
-		DisplayAttrs: &framework.DisplayAttributes{
-			Name: "IP Subject Alternative Names (SANs)",
-		},
+	fields["dns_sans"] = &framework.FieldSchema{
+		Type:        framework.TypeString,
+		Description: `Comma seperated list of DNS Subject Alternative Names`,
+		Required:    true,
 	}
 
-	fields["uri_sans"] = &framework.FieldSchema{
-		Type: framework.TypeCommaStringSlice,
-		Description: `The requested URI SANs, if any, in a
-comma-delimited list.`,
-		DisplayAttrs: &framework.DisplayAttributes{
-			Name: "URI Subject Alternative Names (SANs)",
-		},
-	}
-
-	fields["other_sans"] = &framework.FieldSchema{
-		Type: framework.TypeCommaStringSlice,
-		Description: `Requested other SANs, in an array with the format
-<oid>;UTF8:<utf8 string value> for each entry.`,
-		DisplayAttrs: &framework.DisplayAttributes{
-			Name: "Other SANs",
-		},
-	}
-
-	return fields
-}
-
-// addNonCACommonFields adds fields with help text specific to non-CA
-// certificate issuing and signing
-func addNonCACommonFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
-	fields = addIssueAndSignCommonFields(fields)
-
 	fields["role"] = &framework.FieldSchema{
 		Type: framework.TypeString,
 		Description: `The desired role with configuration for this
@@ -91,6 +34,7 @@ request`,
 one, specify the alternative names in the
 alt_names map. If email protection is enabled
 in the role, this may be an email address.`,
+		Required: true,
 	}
 
 	fields["alt_names"] = &framework.FieldSchema{

path_issue_sign.go

@@ -87,7 +87,13 @@ func (b *backend) pathSign(ctx context.Context, req *logical.Request, data *fram
 		return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", roleName)), nil
 	}
 
-	certs, serial, errr := b.submitCSR(ctx, req, csr)
+	caName := data.Get("ca").(string)
+	templateName := data.Get("template").(string)
+
+	b.Logger().Debug("CA Name parameter = " + caName)
+	b.Logger().Debug("Template name parameter = " + templateName)
+
+	certs, serial, errr := b.submitCSR(ctx, req, csr, caName, templateName)
 
 	if errr != nil {
 		return nil, fmt.Errorf("could not sign csr: %s", errr)
@@ -109,36 +115,63 @@ func (b *backend) pathIssueSignCert(ctx context.Context, req *logical.Request, d
 		return nil, logical.ErrReadOnly
 	}
 
-	arg, _ := json.Marshal(req.Data)
-	b.Logger().Debug(string(arg))
-	cn := ""
 	var ip_sans []string
 	var dns_sans []string
 
-	// Get and validate subject info from Vault command
-	for k, v := range req.Data {
-		if k == "common_name" {
-			cn = v.(string)
-		}
-		if k == "ip_sans" { // TODO - type switch
-			ip_sans = strings.Split(v.(string), ",")
-		}
-		if k == "dns_sans" { // TODO - type switch
-			dns_sans = strings.Split(v.(string), ",")
-		}
+	arg, _ := json.Marshal(req.Data)
+	b.Logger().Debug(string(arg))
+
+	// get common name
+	cn, ok := data.GetOk("common_name")
+
+	if !ok {
+		return nil, fmt.Errorf("common_name must be provided to issue certificate")
 	}
 
+	cn = cn.(string)
+
 	if cn == "" {
 		return nil, fmt.Errorf("common_name must be provided to issue certificate")
 	}
 
-	var err_resp error
+	// get dns sans (required)
+	dns_sans_string, ok := data.GetOk("dns_sans")
 
-	if strings.Contains(cn, role.AllowedBaseDomain) && !role.AllowSubdomains {
-		err_resp = fmt.Errorf("sub-domains not allowed for role")
+	if !ok {
+		return nil, fmt.Errorf("dns_sans must be provided to issue certificate")
 	}
 
-	if role.AllowedBaseDomain == cn {
+	dns_sans_string = dns_sans_string.(string)
+
+	if dns_sans_string == "" {
+		return nil, fmt.Errorf("dns_sans must be provided to issue certificate")
+	}
+
+	dns_sans = strings.Split(dns_sans_string.(string), ",")
+
+	if len(dns_sans) == 0 {
+		return nil, fmt.Errorf("dns_sans must be provided to issue certificate")
+	}
+
+	// get ip sans (optional)
+	ip_sans_string, ok := data.GetOk("ip_sans")
+	if ok {
+		ip_sans = strings.Split(ip_sans_string.(string), ",")
+	}
+
+	caName := data.Get("ca").(string)
+
+	templateName := data.Get("template").(string)
+
+	b.Logger().Debug("CA Name parameter = " + caName)
+	b.Logger().Debug("Template name parameter = " + templateName)
+
+	//check role permissions
+	var err_resp error
+	if strings.Contains(cn.(string), role.AllowedBaseDomain) && !role.AllowSubdomains {
+		err_resp = fmt.Errorf("sub-domains not allowed for role")
+	}
+	if role.AllowedBaseDomain == cn.(string) {
 		err_resp = fmt.Errorf("common name not allowed for provided role")
 	}
 
@@ -152,8 +185,9 @@ func (b *backend) pathIssueSignCert(ctx context.Context, req *logical.Request, d
 		}
 	}
 
-	csr, key := b.generateCSR(cn, ip_sans, dns_sans)
-	certs, serial, errr := b.submitCSR(ctx, req, csr)
+	//generate and submit CSR
+	csr, key := b.generateCSR(cn.(string), ip_sans, dns_sans)
+	certs, serial, errr := b.submitCSR(ctx, req, csr, caName, templateName)
 
 	if errr != nil {
 		return nil, fmt.Errorf("could not enroll certificate: %s", errr)