Pamupdates (#23)

* Adding Re-Enrollment
* Added ReEnrollment logic for Fortanix HSM
* Pam Updates
* Remove unused solution
* add secret for readme build
* fixed unused import
* Update integration-manifest.json

Co-authored-by: Bob Pokorny <[email protected]>
Co-authored-by: Michael Henderson <[email protected]>

Author: 3 people

IISU/IISManager.cs

@@ -42,7 +42,7 @@ public class IISManager
         /// Performs a Reenrollment of a certificate in IIS
         /// </summary>
         /// <param name="config"></param>
-        public IISManager(ReenrollmentJobConfiguration config)
+        public IISManager(ReenrollmentJobConfiguration config,string serverUserName,string serverPassword)
         {
             Logger = LogHandler.GetClassLogger<IISManager>();
 
@@ -56,8 +56,8 @@ public IISManager(ReenrollmentJobConfiguration config)
                 IpAddress = config.JobProperties["IPAddress"].ToString();
 
                 PrivateKeyPassword = ""; // A reenrollment does not have a PFX Password
-                ServerUserName = config.ServerUsername;
-                ServerPassword = config.ServerPassword;
+                ServerUserName = serverUserName;
+                ServerPassword = serverPassword;
                 RenewalThumbprint = ""; // A reenrollment will always be empty
                 ClientMachine = config.CertificateStoreDetails.ClientMachine;
                 Path = config.CertificateStoreDetails.StorePath;
@@ -81,7 +81,7 @@ public IISManager(ReenrollmentJobConfiguration config)
         /// Performs Management functions of Adding or updating certificates in IIS
         /// </summary>
         /// <param name="config"></param>
-        public IISManager(ManagementJobConfiguration config)
+        public IISManager(ManagementJobConfiguration config, string serverUserName, string serverPassword)
         {
             Logger = LogHandler.GetClassLogger<IISManager>(); 
 
@@ -95,8 +95,8 @@ public IISManager(ManagementJobConfiguration config)
                 IpAddress = config.JobProperties["IPAddress"].ToString();
 
                 PrivateKeyPassword = config.JobCertificate.PrivateKeyPassword;
-                ServerUserName = config.ServerUsername;
-                ServerPassword = config.ServerPassword;
+                ServerUserName = serverUserName;
+                ServerPassword = serverPassword;
                 ClientMachine = config.CertificateStoreDetails.ClientMachine;
                 Path = config.CertificateStoreDetails.StorePath;
                 CertContents = config.JobCertificate.Contents;

IISU/IISU.csproj

@@ -1,30 +1,30 @@
-<Project Sdk="Microsoft.NET.Sdk">
-
-  <PropertyGroup>
-    <TargetFramework>netcoreapp3.1</TargetFramework>
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>netcoreapp3.1</TargetFramework>
     <RootNamespace>Keyfactor.Extensions.Orchestrator.IISU</RootNamespace>
-    <CopyLocalLockFileAssemblies>true</CopyLocalLockFileAssemblies>
-  </PropertyGroup>
-
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|AnyCPU'">
-    <DebugType>none</DebugType>
-    <DebugSymbols>false</DebugSymbols>
-  </PropertyGroup>
-
+    <CopyLocalLockFileAssemblies>true</CopyLocalLockFileAssemblies>
+  </PropertyGroup>
+
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|AnyCPU'">
+    <DebugType>none</DebugType>
+    <DebugSymbols>false</DebugSymbols>
+  </PropertyGroup>
+
   <ItemGroup>
     <Compile Remove="PowerShellCertRequest.cs" />
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Keyfactor.Logging" Version="1.1.1" />
-    <PackageReference Include="Keyfactor.Orchestrators.IOrchestratorJobExtensions" Version="0.6.0" />
-    <PackageReference Include="System.Management.Automation" Version="7.0.5" />
-  </ItemGroup>
-
-  <ItemGroup>
-    <None Update="manifest.json">
-      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
-    </None>
-  </ItemGroup>
-
-</Project>
+    <PackageReference Include="Keyfactor.Logging" Version="1.1.1" />
+    <PackageReference Include="Keyfactor.Orchestrators.IOrchestratorJobExtensions" Version="0.7.0" />
+    <PackageReference Include="System.Management.Automation" Version="7.0.5" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <None Update="manifest.json">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
+  </ItemGroup>
+
+</Project>

IISU/Jobs/Inventory.cs

@@ -7,23 +7,41 @@
 using Keyfactor.Logging;
 using Keyfactor.Orchestrators.Common.Enums;
 using Keyfactor.Orchestrators.Extensions;
+using Keyfactor.Orchestrators.Extensions.Interfaces;
 using Microsoft.Extensions.Logging;
 using Newtonsoft.Json;
 
 namespace Keyfactor.Extensions.Orchestrator.IISU.Jobs
 {
     public class Inventory : IInventoryJobExtension
     {
-        private readonly ILogger<Inventory> _logger;
-
-        public Inventory(ILogger<Inventory> logger) =>
-            _logger = logger;
+        private ILogger _logger;
+
+        private IPAMSecretResolver _resolver;
+
+        private string ServerUserName { get; set; }
+        private string ServerPassword { get; set; }
+
+        public Inventory(IPAMSecretResolver resolver)
+        {
+            _resolver = resolver;
+        }
+
+        private string ResolvePamField(string name, string value)
+        {
+            _logger.LogTrace($"Attempting to resolved PAM eligible field {name}");
+            return _resolver.Resolve(value);
+        }
 
         private JobResult PerformInventory(InventoryJobConfiguration config, SubmitInventoryUpdate submitInventory)
         {
             try
-            {
-                _logger.MethodEntry();
+            {
+                _logger = LogHandler.GetClassLogger<Inventory>();
+                _logger.MethodEntry();
+                ServerUserName = ResolvePamField("Server UserName", config.ServerUsername);
+                ServerPassword = ResolvePamField("Server Password", config.ServerPassword);
+
                 _logger.LogTrace($"Job Configuration: {JsonConvert.SerializeObject(config)}");
                 var storePath = JsonConvert.DeserializeObject<JobProperties>(config.CertificateStoreDetails.Properties, new JsonSerializerSettings { DefaultValueHandling = DefaultValueHandling.Populate });
                 var inventoryItems = new List<CurrentInventoryItem>();
@@ -35,10 +53,10 @@ private JobResult PerformInventory(InventoryJobConfiguration config, SubmitInven
 
                 if (storePath != null)
                 {
-                    var pw = new NetworkCredential(config.ServerUsername, config.ServerPassword)
+                    var pw = new NetworkCredential(ServerUserName, ServerPassword)
                         .SecurePassword;
-                    _logger.LogTrace($"Credentials: UserName:{config.ServerUsername} Password:{config.ServerPassword}");
-                    connInfo.Credential = new PSCredential(config.ServerUsername, pw);
+                    _logger.LogTrace($"Credentials: UserName:{ServerUserName} Password:{ServerPassword}");
+                    connInfo.Credential = new PSCredential(ServerUserName, pw);
                     _logger.LogTrace($"PSCredential Created {pw}");
 
                     using var runSpace = RunspaceFactory.CreateRunspace(connInfo);

IISU/Jobs/Management.cs

@@ -6,26 +6,41 @@
 using Keyfactor.Logging;
 using Keyfactor.Orchestrators.Common.Enums;
 using Keyfactor.Orchestrators.Extensions;
+using Keyfactor.Orchestrators.Extensions.Interfaces;
 using Microsoft.Extensions.Logging;
 using Newtonsoft.Json;
 
 namespace Keyfactor.Extensions.Orchestrator.IISU.Jobs
 {
     public class Management : IManagementJobExtension
     {
-        private readonly ILogger<Management> _logger;
+        private ILogger _logger;
+
+        private IPAMSecretResolver _resolver;
 
         private string _thumbprint = string.Empty;
 
-        public Management(ILogger<Management> logger)
+        private string ServerUserName { get; set; }
+        private string ServerPassword { get; set; }
+
+        public Management(IPAMSecretResolver resolver)
         {
-            _logger = logger;
+            _resolver = resolver;
         }
 
         public string ExtensionName => "IISU";
 
+        private string ResolvePamField(string name,string value)
+        {
+            _logger.LogTrace($"Attempting to resolved PAM eligible field {name}");
+            return _resolver.Resolve(value);
+        }
+
         public JobResult ProcessJob(ManagementJobConfiguration jobConfiguration)
         {
+            _logger = LogHandler.GetClassLogger<Management>();
+            ServerUserName = ResolvePamField("Server UserName", jobConfiguration.ServerUsername);
+            ServerPassword = ResolvePamField("Server Password", jobConfiguration.ServerPassword);
             _logger.MethodEntry();
             _logger.LogTrace($"Job Configuration: {JsonConvert.SerializeObject(jobConfiguration)}");
             var complete = new JobResult
@@ -83,10 +98,10 @@ private JobResult PerformRemoval(ManagementJobConfiguration config)
                 {
                     _logger.LogTrace($"IncludePortInSPN: {storePath.SpnPortFlag}");
                     connInfo.IncludePortInSPN = storePath.SpnPortFlag;
-                    var pw = new NetworkCredential(config.ServerUsername, config.ServerPassword)
+                    var pw = new NetworkCredential(ServerUserName, ServerPassword)
                         .SecurePassword;
-                    _logger.LogTrace($"Credentials: UserName:{config.ServerUsername} Password:{config.ServerPassword}");
-                    connInfo.Credential = new PSCredential(config.ServerUsername, pw);
+                    _logger.LogTrace($"Credentials: UserName:{ServerUserName} Password:{ServerPassword}");
+                    connInfo.Credential = new PSCredential(ServerUserName, pw);
                     _logger.LogTrace($"PSCredential Created {pw}");
                     using var runSpace = RunspaceFactory.CreateRunspace(connInfo);
                     _logger.LogTrace("runSpace Created");
@@ -212,7 +227,7 @@ private JobResult PerformAddition(ManagementJobConfiguration config)
             {
                 _logger.MethodEntry();
 
-                    var iisManager=new IISManager(config);
+                    var iisManager=new IISManager(config,ServerUserName,ServerPassword);
                     return iisManager.AddCertificate();
             }
             catch (Exception ex)

IISU/Jobs/ReEnrollment.cs

@@ -1,5 +1,4 @@
-using System;
-using System.Collections;
+using System;
 using System.Collections.ObjectModel;
 using System.Linq;
 using System.Management.Automation;
@@ -10,25 +9,35 @@
 using Keyfactor.Logging;
 using Keyfactor.Orchestrators.Common.Enums;
 using Keyfactor.Orchestrators.Extensions;
+using Keyfactor.Orchestrators.Extensions.Interfaces;
 using Microsoft.Extensions.Logging;
 using Newtonsoft.Json;
 
 namespace Keyfactor.Extensions.Orchestrator.IISU.Jobs
 {
     public class ReEnrollment:IReenrollmentJobExtension
     {
-        private readonly ILogger<ReEnrollment> _logger;
+        private ILogger _logger;
 
-        public ReEnrollment(ILogger<ReEnrollment> logger)
+        private IPAMSecretResolver _resolver;
+
+        public ReEnrollment(IPAMSecretResolver resolver)
         {
-            _logger = logger;
+            _resolver = resolver;
         }
 
         public string ExtensionName => "IISU";
 
+        private string ResolvePamField(string name, string value)
+        {
+            _logger.LogTrace($"Attempting to resolved PAM eligible field {name}");
+            return _resolver.Resolve(value);
+        }
+
         public JobResult ProcessJob(ReenrollmentJobConfiguration config, SubmitReenrollmentCSR submitReEnrollmentUpdate)
         {
             _logger.MethodEntry();
+            _logger = LogHandler.GetClassLogger<ReEnrollment>();
             _logger.LogTrace($"Job Configuration: {JsonConvert.SerializeObject(config)}");
             var storePath = JsonConvert.DeserializeObject<JobProperties>(config.CertificateStoreDetails.Properties, new JsonSerializerSettings { DefaultValueHandling = DefaultValueHandling.Populate });
             _logger.LogTrace($"WinRm Url: {storePath?.WinRmProtocol}://{config.CertificateStoreDetails.ClientMachine}:{storePath?.WinRmPort}/wsman");
@@ -44,17 +53,19 @@ private JobResult PerformReEnrollment(ReenrollmentJobConfiguration config, Submi
             try
             {
                 _logger.MethodEntry();
+                var serverUserName = ResolvePamField("Server UserName", config.ServerUsername);
+                var serverPassword = ResolvePamField("Server Password", config.ServerPassword);
 
                 // Extract values necessary to create remote PS connection
                 JobProperties properties = JsonConvert.DeserializeObject<JobProperties>(config.CertificateStoreDetails.Properties,
                     new JsonSerializerSettings { DefaultValueHandling = DefaultValueHandling.Populate });
 
                 WSManConnectionInfo connectionInfo = new WSManConnectionInfo(new Uri($"{properties?.WinRmProtocol}://{config.CertificateStoreDetails.ClientMachine}:{properties?.WinRmPort}/wsman"));
                 connectionInfo.IncludePortInSPN = properties.SpnPortFlag;
-                var pw = new NetworkCredential(config.ServerUsername, config.ServerPassword).SecurePassword;
-                _logger.LogTrace($"Credentials: UserName:{config.ServerUsername} Password:{config.ServerPassword}");
+                var pw = new NetworkCredential(serverUserName, serverPassword).SecurePassword;
+                _logger.LogTrace($"Credentials: UserName:{serverUserName} Password:{serverPassword}");
 
-                connectionInfo.Credential = new PSCredential(config.ServerUsername, pw);
+                connectionInfo.Credential = new PSCredential(serverUserName, pw);
                 _logger.LogTrace($"PSCredential Created {pw}");
 
                 // Establish new remote ps session
@@ -64,6 +75,7 @@ private JobResult PerformReEnrollment(ReenrollmentJobConfiguration config, Submi
                 runSpace.Open();
                 _logger.LogTrace("Workspace opened");
 
+                // NEW
                 var ps = PowerShell.Create();
                 ps.Runspace = runSpace;
 
@@ -176,8 +188,7 @@ private JobResult PerformReEnrollment(ReenrollmentJobConfiguration config, Submi
                     runSpace.Close();
 
                     // Bind the certificate to IIS
-                    _logger.LogTrace("Binding the certificate to IIS.");
-                    var iisManager = new IISManager(config);
+                    var iisManager = new IISManager(config,serverUserName,serverPassword);
                     return iisManager.ReEnrollCertificate(myCert);
                 }
                 else

README.md

@@ -20,9 +20,11 @@ The Universal Orchestrator is the successor to the Windows Orchestrator. This Ca
 
 
 
-## Platform Specific Notes
+## Keyfactor Version Supported
+
+The minimum version of the Keyfactor Universal Orchestrator Framework needed to run this version of the extension is 10.1
 
-The minimum version of the Universal Orchestrator Framework needed to run this version of the extension is 
+## Platform Specific Notes
 
 The Keyfactor Universal Orchestrator may be installed on either Windows or Linux based platforms. The certificate operations supported by a capability may vary based what platform the capability is installed on. The table below indicates what capabilities are supported based on which platform the encompassing Universal Orchestrator is running.
 | Operation | Win | Linux |

integration-manifest.json

@@ -7,6 +7,7 @@
   "description": "The IIS Orchestrator treats the certificates bound (actively in use) on a Microsoft Internet Information Server (IIS) as a Keyfactor certificate store. Inventory and Management functions are supported. The orchestrator replaces the IIS orchestrator that ships with Keyfactor Command (which did not support binding.)",
   "about": {
     "orchestrator": {
+      "UOFramework": "10.1",
       "win": {
         "supportsCreateStore": false,
         "supportsDiscovery": false,