Merge pull request #18 from Keyfactor/release-v1.1

Merge v1.1.2 to main

Author: doebrowsk

.github/config/variables.tf

@@ -27,12 +27,13 @@ variable "keyfactor_client_secret_12_3_0" {
 variable "keyfactor_hostname_12_3_0_KC" {
   description = "The hostname of the Keyfactor instance"
   type        = string
-  default     = "int-oidc-lab.eastus2.cloudapp.azure.com"
+  default     = "int1230-oauth.eastus2.cloudapp.azure.com"
+
 }
 
 variable "keyfactor_auth_token_url_12_3_0_KC" {
   description = "The hostname of the KeyCloak instance to authenticate to for a Keyfactor Command access token"
   type        = string
-  default     = "https://int-oidc-lab.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token"
+  default     = "https://int1230-oauth.eastus2.cloudapp.azure.com:8444/realms/Keyfactor/protocol/openid-connect/token"
 }
 

CHANGELOG.md

@@ -1,3 +1,17 @@
+# v1.1.1
+
+## Bug fixes
+- `oauth2` client now correctly sets the `scopes` and `audience` fields when invoked with explicit values.
+- `core` when passing a string for CA certificate check if `.TLSClientConfig.RootCAs` is nil and create a new `CertPool` if it is.
+
+## Chores
+- Update `stretchr/testify` to `v1.10.0`  
+- Update `AzureAD/microsoft-authentication-library-for-go` to `v1.3.2`  
+- Update `x/crypto` to `v0.30.0`  
+- Update `x/net` to `v0.32.0`  
+- Update `x/sys` to `v0.28.0`  
+- Update `x/text` to `v0.21.0`
+
 # v1.1.0
 
 ## Features

auth_providers/auth_core.go

@@ -322,6 +322,9 @@ func (c *CommandAuthConfig) BuildTransport() (*http.Transport, error) {
 				return &output, fmt.Errorf("failed to append custom CA cert to pool")
 			}
 		} else {
+			if output.TLSClientConfig.RootCAs == nil {
+				output.TLSClientConfig.RootCAs = x509.NewCertPool()
+			}
 			// Append your custom cert to the pool
 			if ok := output.TLSClientConfig.RootCAs.AppendCertsFromPEM([]byte(c.CommandCACert)); !ok {
 				return &output, fmt.Errorf("failed to append custom CA cert to pool")

auth_providers/auth_oauth.go

@@ -220,12 +220,6 @@ func (b *CommandConfigOauth) GetHttpClient() (*http.Client, error) {
 		b.Scopes = DefaultScopes
 	}
 
-	if b.Audience != "" {
-		config.EndpointParams = map[string][]string{
-			"Audience": {b.Audience},
-		}
-	}
-
 	ctx := context.WithValue(context.Background(), oauth2.HTTPClient, &http.Client{Transport: baseTransport})
 	tokenSource := config.TokenSource(ctx)
 

auth_providers/auth_oauth_test.go

@@ -15,9 +15,13 @@
 package auth_providers_test
 
 import (
+	"crypto/tls"
+	"encoding/pem"
 	"fmt"
 	"net/http"
+	"net/url"
 	"os"
+	"path/filepath"
 	"strings"
 	"testing"
 
@@ -107,7 +111,19 @@ func TestCommandConfigOauth_Authenticate(t *testing.T) {
 		t.FailNow()
 	}
 
-	caCertPath := "../lib/certs/int-oidc-lab.eastus2.cloudapp.azure.com.crt"
+	hostName := os.Getenv(auth_providers.EnvKeyfactorHostName)
+	caCertPath := fmt.Sprintf("../lib/certs/%s.crt", hostName)
+	// check if the caCertPath exists and if not then reach out to host to get the cert and save it to the path
+	if _, err := os.Stat(caCertPath); os.IsNotExist(err) {
+		// get the cert from the host
+		dErr := DownloadCertificate(hostName, caCertPath)
+		if dErr != nil {
+			t.Errorf("unable to download certificate from %s: %v", hostName, dErr)
+			t.FailNow()
+		}
+
+		// save the cert to the
+	}
 
 	//Delete the config file
 	t.Logf("Deleting config file: %s", configFilePath)
@@ -434,3 +450,83 @@ func unsetOAuthEnvVariables() {
 	//os.Unsetenv(auth_providers.EnvKeyfactorDomain)
 
 }
+
+// DownloadCertificate fetches the SSL certificate chain from the given URL or hostname
+// while ignoring SSL verification and saves it to a file named "<hostname>.crt".
+func DownloadCertificate(input string, outputPath string) error {
+	// Ensure the input has a scheme; default to "https://"
+	if !strings.HasPrefix(input, "http://") && !strings.HasPrefix(input, "https://") {
+		input = "https://" + input
+	}
+
+	// Parse the URL
+	parsedURL, err := url.Parse(input)
+	if err != nil {
+		return fmt.Errorf("invalid URL: %v", err)
+	}
+
+	hostname := parsedURL.Hostname()
+	if hostname == "" {
+		return fmt.Errorf("could not determine hostname from URL: %s", input)
+	}
+
+	// Set default output path to current working directory if none is provided
+	if outputPath == "" {
+		cwd, err := os.Getwd()
+		if err != nil {
+			return fmt.Errorf("failed to get current working directory: %v", err)
+		}
+		outputPath = cwd
+	}
+
+	// Ensure the output directory exists
+	if err := os.MkdirAll(outputPath, os.ModePerm); err != nil {
+		return fmt.Errorf("failed to create output directory: %v", err)
+	}
+
+	// Create the output file
+	outputFile := filepath.Join(outputPath, fmt.Sprintf("%s.crt", hostname))
+	file, err := os.Create(outputFile)
+	if err != nil {
+		return fmt.Errorf("failed to create file %s: %v", outputFile, err)
+	}
+	defer file.Close()
+
+	// Create an HTTP client that ignores SSL verification
+	httpClient := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true, // Ignore SSL certificate verification
+			},
+		},
+	}
+
+	// Send an HTTP GET request to the server
+	resp, err := httpClient.Get(input)
+	if err != nil {
+		return fmt.Errorf("failed to connect to %s: %v", input, err)
+	}
+	defer resp.Body.Close()
+
+	// Get the TLS connection state from the response
+	tlsConnState := resp.TLS
+	if tlsConnState == nil {
+		return fmt.Errorf("no TLS connection state found")
+	}
+
+	// Write the entire certificate chain to the output file in PEM format
+	for _, cert := range tlsConnState.PeerCertificates {
+		err = pem.Encode(
+			file, &pem.Block{
+				Type:  "CERTIFICATE",
+				Bytes: cert.Raw,
+			},
+		)
+		if err != nil {
+			return fmt.Errorf("failed to write certificate to file: %v", err)
+		}
+	}
+
+	fmt.Printf("Certificate chain saved to: %s\n", outputFile)
+	return nil
+}

auth_providers/command_config.go

@@ -314,6 +314,8 @@ func (s *Server) GetOAuthClientConfig() (*CommandConfigOauth, error) {
 		WithClientSecret(s.ClientSecret).
 		WithAccessToken(s.AccessToken).
 		WithTokenUrl(s.OAuthTokenUrl).
+		WithScopes(s.Scopes).
+		WithAudience(s.Audience).
 		Build()
 
 	vErr := oauthConfig.ValidateAuthConfig()

go.mod

@@ -19,7 +19,7 @@ go 1.22
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.0
-	github.com/stretchr/testify v1.9.0
+	github.com/stretchr/testify v1.10.0
 	golang.org/x/oauth2 v0.24.0
 	gopkg.in/yaml.v2 v2.4.0
 )
@@ -28,16 +28,16 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.0 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.3.1 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	golang.org/x/crypto v0.28.0 // indirect
-	golang.org/x/net v0.30.0 // indirect
-	golang.org/x/sys v0.26.0 // indirect
-	golang.org/x/text v0.19.0 // indirect
+	golang.org/x/crypto v0.30.0 // indirect
+	golang.org/x/net v0.32.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -12,8 +12,8 @@ github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.0 h1:eXnN9
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.0/go.mod h1:XIpam8wumeZ5rVMuhdDQLMfIPDf1WO3IzrCRO3e3e3o=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.3.1 h1:gUDtaZk8heteyfdmv+pcfHvhR9llnh7c7GMwZ8RVG04=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.3.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2 h1:kYRSnvJju5gYVyhkij+RTJ/VR6QIUaCfWeaFm2ycsjQ=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -42,19 +42,19 @@ github.com/redis/go-redis/v9 v9.6.1 h1:HHDteefn6ZkTtY5fGUE8tj8uy85AHk6zP7CpzIAM0
 github.com/redis/go-redis/v9 v9.6.1/go.mod h1:0C0c6ycQsdpVNQpxb1njEQIqkx5UcsM8FJCQLgE9+RA=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
-golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
-golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
-golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+golang.org/x/crypto v0.30.0 h1:RwoQn3GkWiMkzlX562cLB7OxWvjH1L8xutO2WoJcRoY=
+golang.org/x/crypto v0.30.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
+golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
 golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
 golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
-golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
-golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

tag.sh

@@ -1,5 +1,5 @@
-RC_VERSION=rc.2
-TAG_VERSION_1=v1.0.0-$RC_VERSION
+RC_VERSION=rc.0
+TAG_VERSION_1=v1.1.2-$RC_VERSION
 git tag -d $TAG_VERSION_1 || true
 git tag $TAG_VERSION_1
 git push origin $TAG_VERSION_1