Merge 40a226b into 6d655d3

Author: spbsoluble

.github/config/.terraform.lock.hcl

@@ -9,14 +9,13 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_github"></a> [github](#provider\_github) | 6.3.1 |
+| <a name="provider_github"></a> [github](#provider\_github) | 6.6.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_keyfactor_github_test_environment_12_3_0_kc"></a> [keyfactor\_github\_test\_environment\_12\_3\_0\_kc](#module\_keyfactor\_github\_test\_environment\_12\_3\_0\_kc) | git::ssh://[email protected]/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
-| <a name="module_keyfactor_github_test_environment_ad_10_5_0"></a> [keyfactor\_github\_test\_environment\_ad\_10\_5\_0](#module\_keyfactor\_github\_test\_environment\_ad\_10\_5\_0) | git::ssh://[email protected]/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
+| <a name="module_keyfactor_github_test_environment_ses_2441"></a> [keyfactor\_github\_test\_environment\_ses\_2441](#module\_keyfactor\_github\_test\_environment\_ses\_2441) | git::ssh://[email protected]/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
 
 ## Resources
 
@@ -28,11 +27,15 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_keyfactor_auth_token_url_12_3_0_KC"></a> [keyfactor\_auth\_token\_url\_12\_3\_0\_KC](#input\_keyfactor\_auth\_token\_url\_12\_3\_0\_KC) | The hostname of the KeyCloak instance to authenticate to for a Keyfactor Command access token | `string` | `"https://int-oidc-lab.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token"` | no |
+| <a name="input_keyfactor_auth_token_url_12_3_0_KC"></a> [keyfactor\_auth\_token\_url\_12\_3\_0\_KC](#input\_keyfactor\_auth\_token\_url\_12\_3\_0\_KC) | The hostname of the KeyCloak instance to authenticate to for a Keyfactor Command access token | `string` | `"https://int1230-oauth.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token"` | no |
+| <a name="input_keyfactor_auth_token_url_ses_2441"></a> [keyfactor\_auth\_token\_url\_ses\_2441](#input\_keyfactor\_auth\_token\_url\_ses\_2441) | The hostname of the KeyCloak instance to authenticate to for a Keyfactor Command access token | `string` | `"https://auth.kftestlab.com/oauth2/token"` | no |
 | <a name="input_keyfactor_client_id_12_3_0"></a> [keyfactor\_client\_id\_12\_3\_0](#input\_keyfactor\_client\_id\_12\_3\_0) | The client ID to authenticate with the Keyfactor instance using Keycloak client credentials | `string` | n/a | yes |
+| <a name="input_keyfactor_client_id_ses_2441"></a> [keyfactor\_client\_id\_ses\_2441](#input\_keyfactor\_client\_id\_ses\_2441) | The client ID to authenticate with the Keyfactor instance using Keycloak client credentials | `string` | n/a | yes |
 | <a name="input_keyfactor_client_secret_12_3_0"></a> [keyfactor\_client\_secret\_12\_3\_0](#input\_keyfactor\_client\_secret\_12\_3\_0) | The client secret to authenticate with the Keyfactor instance using Keycloak client credentials | `string` | n/a | yes |
+| <a name="input_keyfactor_client_secret_ses_2441"></a> [keyfactor\_client\_secret\_ses\_2441](#input\_keyfactor\_client\_secret\_ses\_2441) | The client secret to authenticate with the Keyfactor instance using Keycloak client credentials | `string` | n/a | yes |
 | <a name="input_keyfactor_hostname_10_5_0"></a> [keyfactor\_hostname\_10\_5\_0](#input\_keyfactor\_hostname\_10\_5\_0) | The hostname of the Keyfactor instance | `string` | `"integrations1050-lab.kfdelivery.com"` | no |
-| <a name="input_keyfactor_hostname_12_3_0_KC"></a> [keyfactor\_hostname\_12\_3\_0\_KC](#input\_keyfactor\_hostname\_12\_3\_0\_KC) | The hostname of the Keyfactor instance | `string` | `"int-oidc-lab.eastus2.cloudapp.azure.com"` | no |
+| <a name="input_keyfactor_hostname_12_3_0_KC"></a> [keyfactor\_hostname\_12\_3\_0\_KC](#input\_keyfactor\_hostname\_12\_3\_0\_KC) | The hostname of the Keyfactor instance | `string` | `"int1230-oauth.eastus2.cloudapp.azure.com"` | no |
+| <a name="input_keyfactor_hostname_ses_2441"></a> [keyfactor\_hostname\_ses\_2441](#input\_keyfactor\_hostname\_ses\_2441) | The hostname of the Keyfactor instance | `string` | `"int2441.kftestlab.com"` | no |
 | <a name="input_keyfactor_password_10_5_0"></a> [keyfactor\_password\_10\_5\_0](#input\_keyfactor\_password\_10\_5\_0) | The password to authenticate with the Keyfactor instance | `string` | n/a | yes |
 | <a name="input_keyfactor_username_10_5_0"></a> [keyfactor\_username\_10\_5\_0](#input\_keyfactor\_username\_10\_5\_0) | The username to authenticate with the Keyfactor instance | `string` | n/a | yes |
 

.github/config/MODULE.MD

@@ -58,14 +58,13 @@ module "keyfactor_github_test_environment_12_3_0_kc" {
 
 | Name | Version |
 |------|---------|
-| <a name="provider_github"></a> [github](#provider\_github) | 6.3.1 |
+| <a name="provider_github"></a> [github](#provider\_github) | 6.6.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_keyfactor_github_test_environment_12_3_0_kc"></a> [keyfactor\_github\_test\_environment\_12\_3\_0\_kc](#module\_keyfactor\_github\_test\_environment\_12\_3\_0\_kc) | git::ssh://[email protected]/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
-| <a name="module_keyfactor_github_test_environment_ad_10_5_0"></a> [keyfactor\_github\_test\_environment\_ad\_10\_5\_0](#module\_keyfactor\_github\_test\_environment\_ad\_10\_5\_0) | git::ssh://[email protected]/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
+| <a name="module_keyfactor_github_test_environment_ses_2441"></a> [keyfactor\_github\_test\_environment\_ses\_2441](#module\_keyfactor\_github\_test\_environment\_ses\_2441) | git::ssh://[email protected]/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git | main |
 
 ## Resources
 
@@ -77,11 +76,15 @@ module "keyfactor_github_test_environment_12_3_0_kc" {
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_keyfactor_auth_token_url_12_3_0_KC"></a> [keyfactor\_auth\_token\_url\_12\_3\_0\_KC](#input\_keyfactor\_auth\_token\_url\_12\_3\_0\_KC) | The hostname of the KeyCloak instance to authenticate to for a Keyfactor Command access token | `string` | `"https://int-oidc-lab.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token"` | no |
+| <a name="input_keyfactor_auth_token_url_12_3_0_KC"></a> [keyfactor\_auth\_token\_url\_12\_3\_0\_KC](#input\_keyfactor\_auth\_token\_url\_12\_3\_0\_KC) | The hostname of the KeyCloak instance to authenticate to for a Keyfactor Command access token | `string` | `"https://int1230-oauth.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token"` | no |
+| <a name="input_keyfactor_auth_token_url_ses_2441"></a> [keyfactor\_auth\_token\_url\_ses\_2441](#input\_keyfactor\_auth\_token\_url\_ses\_2441) | The hostname of the KeyCloak instance to authenticate to for a Keyfactor Command access token | `string` | `"https://auth.kftestlab.com/oauth2/token"` | no |
 | <a name="input_keyfactor_client_id_12_3_0"></a> [keyfactor\_client\_id\_12\_3\_0](#input\_keyfactor\_client\_id\_12\_3\_0) | The client ID to authenticate with the Keyfactor instance using Keycloak client credentials | `string` | n/a | yes |
+| <a name="input_keyfactor_client_id_ses_2441"></a> [keyfactor\_client\_id\_ses\_2441](#input\_keyfactor\_client\_id\_ses\_2441) | The client ID to authenticate with the Keyfactor instance using Keycloak client credentials | `string` | n/a | yes |
 | <a name="input_keyfactor_client_secret_12_3_0"></a> [keyfactor\_client\_secret\_12\_3\_0](#input\_keyfactor\_client\_secret\_12\_3\_0) | The client secret to authenticate with the Keyfactor instance using Keycloak client credentials | `string` | n/a | yes |
+| <a name="input_keyfactor_client_secret_ses_2441"></a> [keyfactor\_client\_secret\_ses\_2441](#input\_keyfactor\_client\_secret\_ses\_2441) | The client secret to authenticate with the Keyfactor instance using Keycloak client credentials | `string` | n/a | yes |
 | <a name="input_keyfactor_hostname_10_5_0"></a> [keyfactor\_hostname\_10\_5\_0](#input\_keyfactor\_hostname\_10\_5\_0) | The hostname of the Keyfactor instance | `string` | `"integrations1050-lab.kfdelivery.com"` | no |
-| <a name="input_keyfactor_hostname_12_3_0_KC"></a> [keyfactor\_hostname\_12\_3\_0\_KC](#input\_keyfactor\_hostname\_12\_3\_0\_KC) | The hostname of the Keyfactor instance | `string` | `"int-oidc-lab.eastus2.cloudapp.azure.com"` | no |
+| <a name="input_keyfactor_hostname_12_3_0_KC"></a> [keyfactor\_hostname\_12\_3\_0\_KC](#input\_keyfactor\_hostname\_12\_3\_0\_KC) | The hostname of the Keyfactor instance | `string` | `"int1230-oauth.eastus2.cloudapp.azure.com"` | no |
+| <a name="input_keyfactor_hostname_ses_2441"></a> [keyfactor\_hostname\_ses\_2441](#input\_keyfactor\_hostname\_ses\_2441) | The hostname of the Keyfactor instance | `string` | `"int2441.kftestlab.com"` | no |
 | <a name="input_keyfactor_password_10_5_0"></a> [keyfactor\_password\_10\_5\_0](#input\_keyfactor\_password\_10\_5\_0) | The password to authenticate with the Keyfactor instance | `string` | n/a | yes |
 | <a name="input_keyfactor_username_10_5_0"></a> [keyfactor\_username\_10\_5\_0](#input\_keyfactor\_username\_10\_5\_0) | The username to authenticate with the Keyfactor instance | `string` | n/a | yes |
 

.github/config/README.md

@@ -1,13 +1,13 @@
-module "keyfactor_github_test_environment_ad_10_5_0" {
-  source = "git::ssh://[email protected]/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main"
-
-  gh_environment_name = "KFC_10_5_0"
-  gh_repo_name        = data.github_repository.repo.name
-  keyfactor_hostname  = var.keyfactor_hostname_10_5_0
-  keyfactor_username  = var.keyfactor_username_10_5_0
-  keyfactor_password  = var.keyfactor_password_10_5_0
-  keyfactor_config_file = base64encode(file("${path.module}/command_config.json"))
-}
+# module "keyfactor_github_test_environment_ad_10_5_0" {
+#   source = "git::ssh://[email protected]/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main"
+# 
+#   gh_environment_name = "KFC_10_5_0"
+#   gh_repo_name        = data.github_repository.repo.name
+#   keyfactor_hostname  = var.keyfactor_hostname_10_5_0
+#   keyfactor_username  = var.keyfactor_username_10_5_0
+#   keyfactor_password  = var.keyfactor_password_10_5_0
+#   keyfactor_config_file = base64encode(file("${path.module}/command_config.json"))
+# }
 
 # module "keyfactor_github_test_environment_11_5_0_kc" {
 #   source = "git::ssh://[email protected]/Keyfactor/terraform-module-keyfactor-github-test-environment-kc.git?ref=main"
@@ -21,15 +21,29 @@ module "keyfactor_github_test_environment_ad_10_5_0" {
 #   keyfactor_tls_skip_verify = true
 # }
 
-module "keyfactor_github_test_environment_12_3_0_kc" {
+# module "keyfactor_github_test_environment_12_3_0_kc" {
+#   source = "git::ssh://[email protected]/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main"
+# 
+#   gh_environment_name       = "KFC_12_3_0_KC"
+#   gh_repo_name              = data.github_repository.repo.name
+#   keyfactor_hostname        = var.keyfactor_hostname_12_3_0_KC
+#   keyfactor_auth_token_url  = var.keyfactor_auth_token_url_12_3_0_KC
+#   keyfactor_client_id       = var.keyfactor_client_id_12_3_0
+#   keyfactor_client_secret   = var.keyfactor_client_secret_12_3_0
+#   keyfactor_tls_skip_verify = true
+#   keyfactor_config_file = base64encode(file("${path.module}/command_config.json"))
+# }
+
+module "keyfactor_github_test_environment_ses_2441" {
   source = "git::ssh://[email protected]/Keyfactor/terraform-module-keyfactor-github-test-environment-ad.git?ref=main"
 
-  gh_environment_name       = "KFC_12_3_0_KC"
+  gh_environment_name       = "ses_2441"
   gh_repo_name              = data.github_repository.repo.name
-  keyfactor_hostname        = var.keyfactor_hostname_12_3_0_KC
-  keyfactor_auth_token_url  = var.keyfactor_auth_token_url_12_3_0_KC
-  keyfactor_client_id       = var.keyfactor_client_id_12_3_0
-  keyfactor_client_secret   = var.keyfactor_client_secret_12_3_0
+  keyfactor_hostname        = var.keyfactor_hostname_ses_2441
+  keyfactor_auth_token_url  = var.keyfactor_auth_token_url_ses_2441
+  keyfactor_client_id       = var.keyfactor_client_id_ses_2441
+  keyfactor_client_secret   = var.keyfactor_client_secret_ses_2441
   keyfactor_tls_skip_verify = true
+  keyfactor_api_path        = "/Keyfactor/API"
   keyfactor_config_file = base64encode(file("${path.module}/command_config.json"))
-}
+}

.github/config/environments.tf

@@ -37,3 +37,25 @@ variable "keyfactor_auth_token_url_12_3_0_KC" {
   default     = "https://int1230-oauth.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token"
 }
 
+variable "keyfactor_client_id_ses_2441" {
+  description = "The client ID to authenticate with the Keyfactor instance using Keycloak client credentials"
+  type        = string
+}
+
+variable "keyfactor_client_secret_ses_2441" {
+  description = "The client secret to authenticate with the Keyfactor instance using Keycloak client credentials"
+  type        = string
+}
+
+variable "keyfactor_hostname_ses_2441" {
+  description = "The hostname of the Keyfactor instance"
+  type        = string
+  default     = "int2441.kftestlab.com"
+
+}
+
+variable "keyfactor_auth_token_url_ses_2441" {
+  description = "The hostname of the KeyCloak instance to authenticate to for a Keyfactor Command access token"
+  type        = string
+  default     = "https://auth.kftestlab.com/oauth2/token"
+}

.github/config/variables.tf

@@ -12,7 +12,8 @@ jobs:
       matrix:
         environment:
 #          - "KFC_10_5_0"
-          - "KFC_12_3_0_KC"
+#          - "KFC_12_3_0_KC"
+            - "ses_2441"
     environment: ${{ matrix.environment }}
     steps:
       - name: Check out code
@@ -21,15 +22,11 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.22
+          go-version: 1.24
 
       - name: Get Public IP
         run: curl -s https://api.ipify.org
 
-      - name: Validate lab cert is present
-        run: |
-          cat lib/certs/int-oidc-lab.eastus2.cloudapp.azure.com.crt
-
       - name: Run tests
         run: |
           if [ -n "${{ secrets.KEYFACTOR_AUTH_CONFIG_B64 }}" ]; then

.github/workflows/go_tests.yml

@@ -1,3 +1,15 @@
+# v1.3.0
+
+## Features
+- Add support for fetching an oauth2 token using the `client_credentials` grant type without connecting to Keyfactor Command.
+- Add placeholders for omitted `Authorization` header in the `curl` command string output in trace logging.
+
+## Bug Fixes
+- Log `curl` command string at `trace` level after request is sent to include any transport mutations.
+
+## Chores
+- Bump Go version to `1.24`.
+
 # v1.2.0
 
 ## Features

CHANGELOG.md

@@ -501,19 +501,21 @@ func (c *CommandAuthConfig) Authenticate() error {
 	}
 
 	c.HttpClient.Timeout = time.Duration(c.HttpClientTimeout) * time.Second
-	curlStr, cErr := RequestToCurl(req)
-	if cErr == nil {
+
+	cResp, cErr := c.HttpClient.Do(req)
+	curlStr, curlErr := RequestToCurl(req)
+	if curlErr == nil {
 		log.Printf("[TRACE] curl command: %s", curlStr)
 	}
 
-	cResp, cErr := c.HttpClient.Do(req)
 	if cErr != nil {
 		return cErr
 	} else if cResp == nil {
 		return fmt.Errorf("failed to authenticate, no response received from Keyfactor Command")
 	}
 
 	defer cResp.Body.Close()
+	log.Printf("[DEBUG] request to Keyfactor Command API returned status code %d", cResp.StatusCode)
 
 	// check if body is empty
 	if cResp.Body == nil {
@@ -798,19 +800,56 @@ func RequestToCurl(req *http.Request) (string, error) {
 	// Add headers
 	for name, values := range req.Header {
 		for _, value := range values {
+			// check if is Authorization header and skip it
+			if strings.EqualFold(name, "Authorization") {
+				// check if basic auth and skip it
+				if strings.HasPrefix(value, "Basic ") {
+					// Remove credentials and put in env variables as placeholder
+					log.Printf(
+						"[DEBUG] Found Basic auth in Authorization header, " +
+							"replacing with env variable references",
+					)
+					curlCommand.WriteString(
+						fmt.Sprintf(
+							"-H %q ", fmt.Sprintf(
+								"%s: Basic $(echo -n $\"%s,$%s\" | base64)", name,
+								EnvKeyfactorUsername, EnvKeyfactorPassword,
+							),
+						),
+					)
+					continue
+				} else if strings.HasPrefix(value, "Bearer ") {
+					// Remove credentials and put in env variables as placeholder
+					log.Printf("[DEBUG] Found Bearer token in Authorization header, replacing with kfutil command to fetch token")
+					curlCommand.WriteString(
+						fmt.Sprintf(
+							"-H %q ", fmt.Sprintf(
+								"%s: Bearer $(kfutil auth fetch-oauth-token)", name,
+							),
+						),
+					)
+					continue
+				} else {
+					// Skip other Authorization headers
+					log.Printf("[ERROR] Skipping unhandled Authorization header: %s", name)
+					continue
+				}
+			}
 			curlCommand.WriteString(fmt.Sprintf("-H %q ", fmt.Sprintf("%s: %s", name, value)))
 		}
 	}
 
 	// Add the body if it exists
 	if req.Method == http.MethodPost || req.Method == http.MethodPut {
-		body, err := io.ReadAll(req.Body)
-		if err != nil {
-			return "", err
-		}
-		req.Body = io.NopCloser(bytes.NewBuffer(body)) // Restore the request body
+		if req.Body != nil {
+			body, err := io.ReadAll(req.Body)
+			if err != nil {
+				return "", err
+			}
+			req.Body = io.NopCloser(bytes.NewBuffer(body)) // Restore the request body
 
-		curlCommand.WriteString(fmt.Sprintf("--data %q ", string(body)))
+			curlCommand.WriteString(fmt.Sprintf("--data %q ", string(body)))
+		}
 	}
 
 	return curlCommand.String(), nil