TLS Protect Cloud Authentication Addition (#445)

* Add TLS Protect Cloud authentication to the agent

* Change config flag, set default url in venafi cloud mode, and consolidate the way credentials are processed

* Return correct credential type and use json vs yaml for cred config

* Changing from uploadID to uploaderID

Author: d0ktadr3y

agent.yaml

@@ -11,3 +11,7 @@ data-gatherers:
     name: "dummy-fail"
     config:
       always-fail: true
+venafi-cloud:
+  upload_id: "example-id"
+  upload_path: "/example/endpoint/path"
+  

cmd/agent.go

@@ -76,6 +76,13 @@ func init() {
 		"",
 		"Location of the credentials file. For OAuth2 based authentication.",
 	)
+	agentCmd.PersistentFlags().BoolVarP(
+		&agent.VenafiCloudMode,
+		"venafi-cloud",
+		"",
+		false,
+		"Runs agent with parsing config and credentials file in Venafi Cloud format if true.",
+	)
 	agentCmd.PersistentFlags().BoolVarP(
 		&agent.OneShot,
 		"one-shot",

go.mod

@@ -7,6 +7,7 @@ require (
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/d4l3k/messagediff v1.2.1
 	github.com/fatih/color v1.15.0
+	github.com/google/uuid v1.3.0
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/json-iterator/go v1.1.12
 	github.com/juju/errors v1.0.0
@@ -36,11 +37,11 @@ require (
 	github.com/go-openapi/jsonreference v0.20.0 // indirect
 	github.com/go-openapi/swag v0.21.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.0
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/gnostic v0.6.9 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/uuid v1.3.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -65,7 +66,7 @@ require (
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
+	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/klog/v2 v2.80.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
 	k8s.io/utils v0.0.0-20221107191617-1a15be271d1d // indirect

go.sum

@@ -53,6 +53,8 @@ github.com/go-openapi/swag v0.21.1 h1:wm0rhTb5z7qpJRHBdPOMuY4QjVUMbF6/kwoYeRAOrK
 github.com/go-openapi/swag v0.21.1/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
+github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=

pkg/agent/config.go

@@ -10,7 +10,7 @@ import (
 	"github.com/jetstack/preflight/pkg/datagatherer/k8s"
 	"github.com/jetstack/preflight/pkg/datagatherer/local"
 	"github.com/pkg/errors"
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 )
 
 // Config wraps the options for a run of the agent.
@@ -30,7 +30,8 @@ type Config struct {
 	// InputPath replaces DataGatherers with input data file
 	InputPath string `yaml:"input-path"`
 	// OutputPath replaces Server with output data file
-	OutputPath string `yaml:"output-path"`
+	OutputPath  string             `yaml:"output-path"`
+	VenafiCloud *VenafiCloudConfig `yaml:"venafi-cloud,omitempty"`
 }
 
 type Endpoint struct {
@@ -46,6 +47,14 @@ type DataGatherer struct {
 	Config   datagatherer.Config
 }
 
+type VenafiCloudConfig struct {
+	// UploaderID is the upload ID that will be used when
+	// creating a cluster connection
+	UploaderID string `yaml:"uploader_id,omitempty"`
+	// UploadPath is the endpoint path for the upload API.
+	UploadPath string `yaml:"upload_path,omitempty"`
+}
+
 func reMarshal(rawConfig interface{}, config datagatherer.Config) error {
 	bb, err := yaml.Marshal(rawConfig)
 	if err != nil {
@@ -120,11 +129,25 @@ func (c *Config) Dump() (string, error) {
 func (c *Config) validate() error {
 	var result *multierror.Error
 
-	if c.OrganizationID == "" {
-		result = multierror.Append(result, fmt.Errorf("organization_id is required"))
-	}
-	if c.ClusterID == "" {
-		result = multierror.Append(result, fmt.Errorf("cluster_id is required"))
+	// configured for Venafi Cloud
+	if c.VenafiCloud != nil {
+		if c.VenafiCloud.UploaderID == "" {
+			result = multierror.Append(result, fmt.Errorf("upload_id is required in Venafi Cloud mode"))
+		}
+		if c.VenafiCloud.UploadPath == "" {
+			result = multierror.Append(result, fmt.Errorf("upload_path is required in Venafi Cloud mode"))
+		}
+
+		if _, err := url.Parse(c.VenafiCloud.UploadPath); err != nil {
+			result = multierror.Append(result, fmt.Errorf("upload_path is not a valid URL"))
+		}
+	} else {
+		if c.OrganizationID == "" {
+			result = multierror.Append(result, fmt.Errorf("organization_id is required"))
+		}
+		if c.ClusterID == "" {
+			result = multierror.Append(result, fmt.Errorf("cluster_id is required"))
+		}
 	}
 
 	if c.Server != "" {
@@ -155,7 +178,11 @@ func ParseConfig(data []byte) (Config, error) {
 	}
 
 	if config.Server == "" && config.Endpoint.Host == "" && config.Endpoint.Path == "" {
-		config.Server = "https://preflight.jetstack.io"
+		if config.VenafiCloud != nil {
+			config.Server = "https://api.venafi.cloud"
+		} else {
+			config.Server = "https://preflight.jetstack.io"
+		}
 	}
 
 	if config.Endpoint.Protocol == "" && config.Server == "" {

pkg/agent/config_test.go

@@ -98,6 +98,54 @@ func TestValidConfigWithEndpointLoad(t *testing.T) {
 	}
 }
 
+func TestValidVenafiCloudConfigLoad(t *testing.T) {
+	configFileContents := `
+      server: "http://localhost:8080"
+      period: 1h
+      data-gatherers:
+      - name: d1
+        kind: dummy
+        config:
+          always-fail: false
+      input-path: "/home"
+      output-path: "/nothome"
+      venafi-cloud: 
+        uploader_id: test-agent
+        upload_path: "/testing/path"
+`
+
+	loadedConfig, err := ParseConfig([]byte(configFileContents))
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	expected := Config{
+		Server:         "http://localhost:8080",
+		Period:         time.Hour,
+		OrganizationID: "",
+		ClusterID:      "",
+		DataGatherers: []DataGatherer{
+			{
+				Name: "d1",
+				Kind: "dummy",
+				Config: &dummyConfig{
+					AlwaysFail: false,
+				},
+			},
+		},
+		InputPath:  "/home",
+		OutputPath: "/nothome",
+		VenafiCloud: &VenafiCloudConfig{
+			UploaderID: "test-agent",
+			UploadPath: "/testing/path",
+		},
+	}
+
+	if diff, equal := messagediff.PrettyDiff(expected, loadedConfig); !equal {
+		t.Errorf("Diff %s", diff)
+	}
+}
+
 func TestInvalidConfigError(t *testing.T) {
 	configFileContents := `data-gatherers: "things"`
 

pkg/agent/run.go

@@ -36,6 +36,9 @@ var Period time.Duration
 // OneShot flag causes agent to run once
 var OneShot bool
 
+// VenafiCloudMode flag determines which format to load for config and credential type
+var VenafiCloudMode bool
+
 // CredentialsPath is where the agent will try to loads the credentials. (Experimental)
 var CredentialsPath string
 
@@ -221,7 +224,7 @@ func getConfiguration() (Config, client.Client) {
 
 	log.Printf("Loaded config: \n%s", dump)
 
-	var credentials *client.Credentials
+	var credentials client.Credentials
 	if CredentialsPath != "" {
 		file, err = os.Open(CredentialsPath)
 		if err != nil {
@@ -233,7 +236,11 @@ func getConfiguration() (Config, client.Client) {
 		if err != nil {
 			log.Fatalf("Failed to read credentials file: %v", err)
 		}
-		credentials, err = client.ParseCredentials(b)
+		if VenafiCloudMode {
+			credentials, err = client.ParseVenafiCredentials(b)
+		} else {
+			credentials, err = client.ParseOAuthCredentials(b)
+		}
 		if err != nil {
 			log.Fatalf("Failed to parse credentials file: %s", err)
 		}
@@ -247,8 +254,7 @@ func getConfiguration() (Config, client.Client) {
 	var preflightClient client.Client
 	switch {
 	case credentials != nil:
-		log.Println("A credentials file was specified, using oauth authentication.")
-		preflightClient, err = client.NewOAuthClient(agentMetadata, credentials, baseURL)
+		preflightClient, err = createCredentialClient(credentials, config, agentMetadata, baseURL)
 	case APIToken != "":
 		log.Println("An API token was specified, using API token authentication.")
 		preflightClient, err = client.NewAPITokenClient(agentMetadata, APIToken, baseURL)
@@ -264,6 +270,24 @@ func getConfiguration() (Config, client.Client) {
 	return config, preflightClient
 }
 
+func createCredentialClient(credentials client.Credentials, config Config, agentMetadata *api.AgentMetadata, baseURL string) (client.Client, error) {
+	switch creds := credentials.(type) {
+	case *client.VenafiSvcAccountCredentials:
+		log.Println("Venafi Cloud mode was specified, using Venafi Service Account authentication.")
+		// check if config has Venafi Cloud data
+		if config.VenafiCloud == nil {
+			log.Fatalf("Failed to find config for venafi-cloud: required for Venafi Cloud mode")
+		}
+		return client.NewVenafiCloudClient(agentMetadata, creds, baseURL, config.VenafiCloud.UploaderID, config.VenafiCloud.UploadPath)
+
+	case *client.OAuthCredentials:
+		log.Println("A credentials file was specified, using oauth authentication.")
+		return client.NewOAuthClient(agentMetadata, creds, baseURL)
+	default:
+		return nil, errors.New("credentials file is in unknown format")
+	}
+}
+
 func gatherAndOutputData(config Config, preflightClient client.Client, dataGatherers map[string]datagatherer.DataGatherer) {
 	var readings []*api.DataReading
 
@@ -363,6 +387,18 @@ func postData(config Config, preflightClient client.Client, readings []*api.Data
 
 	log.Println("Running Agent...")
 	log.Println("Posting data to:", baseURL)
+
+	if VenafiCloudMode {
+		// orgID and clusterID are not required for Venafi Cloud auth
+		err := preflightClient.PostDataReadings("", "", readings)
+		if err != nil {
+			return fmt.Errorf("post to server failed: %+v", err)
+		}
+		log.Println("Data sent successfully.")
+
+		return nil
+	}
+
 	if config.OrganizationID == "" {
 		data, err := json.Marshal(readings)
 		if err != nil {
@@ -382,7 +418,7 @@ func postData(config Config, preflightClient client.Client, readings []*api.Data
 		res, err := preflightClient.Post(path, bytes.NewBuffer(data))
 
 		if err != nil {
-			return fmt.Errorf("Failed to post data: %+v", err)
+			return fmt.Errorf("failed to post data: %+v", err)
 		}
 		if code := res.StatusCode; code < 200 || code >= 300 {
 			errorContent := ""
@@ -392,19 +428,19 @@ func postData(config Config, preflightClient client.Client, readings []*api.Data
 			}
 			defer res.Body.Close()
 
-			return fmt.Errorf("Received response with status code %d. Body: %s", code, errorContent)
+			return fmt.Errorf("received response with status code %d. Body: %s", code, errorContent)
 		}
 		log.Println("Data sent successfully.")
 		return err
 	}
 
 	if config.ClusterID == "" {
-		return fmt.Errorf("Post to server failed: missing clusterID from agent configuration")
+		return fmt.Errorf("post to server failed: missing clusterID from agent configuration")
 	}
 
 	err := preflightClient.PostDataReadings(config.OrganizationID, config.ClusterID, readings)
 	if err != nil {
-		return fmt.Errorf("Post to server failed: %+v", err)
+		return fmt.Errorf("post to server failed: %+v", err)
 	}
 	log.Println("Data sent successfully.")
 

pkg/client/client.go

@@ -15,6 +15,12 @@ type (
 		PostDataReadings(orgID, clusterID string, readings []*api.DataReading) error
 		Post(path string, body io.Reader) (*http.Response, error)
 	}
+
+	// The Credentials interface describes methods for credential types to implement for verification.
+	Credentials interface {
+		IsClientSet() bool
+		Validate() error
+	}
 )
 
 func fullURL(baseURL, path string) string {

pkg/client/client_oauth.go

@@ -21,7 +21,7 @@ type (
 	// The OAuthClient type is a Client implementation used to upload data readings to the Jetstack Secure platform
 	// using OAuth as its authentication method.
 	OAuthClient struct {
-		credentials   *Credentials
+		credentials   *OAuthCredentials
 		accessToken   *accessToken
 		baseURL       string
 		agentMetadata *api.AgentMetadata
@@ -33,8 +33,8 @@ type (
 		expirationDate time.Time
 	}
 
-	// Credentials defines the format of the credentials.json file.
-	Credentials struct {
+	// OAuthCredentials defines the format of the credentials.json file.
+	OAuthCredentials struct {
 		// UserID is the ID or email for the user or service account.
 		UserID string `json:"user_id"`
 		// UserSecret is the secret for the user or service account.
@@ -68,8 +68,8 @@ func (t *accessToken) needsRenew() bool {
 
 // NewOAuthClient returns a new instance of the OAuthClient type that will perform HTTP requests using OAuth to provide
 // authentication tokens to the backend API.
-func NewOAuthClient(agentMetadata *api.AgentMetadata, credentials *Credentials, baseURL string) (*OAuthClient, error) {
-	if err := credentials.validate(); err != nil {
+func NewOAuthClient(agentMetadata *api.AgentMetadata, credentials *OAuthCredentials, baseURL string) (*OAuthClient, error) {
+	if err := credentials.Validate(); err != nil {
 		return nil, fmt.Errorf("cannot create OAuthClient: %v", err)
 	}
 	if baseURL == "" {
@@ -214,28 +214,28 @@ func (c *OAuthClient) renewAccessToken() error {
 	return nil
 }
 
-// ParseCredentials reads credentials into a struct used. Performs validations.
-func ParseCredentials(data []byte) (*Credentials, error) {
-	var credentials Credentials
+// ParseOAuthCredentials reads credentials into an OAuthCredentials struct. Performs validations.
+func ParseOAuthCredentials(data []byte) (*OAuthCredentials, error) {
+	var credentials OAuthCredentials
 
 	err := json.Unmarshal(data, &credentials)
 	if err != nil {
 		return nil, err
 	}
 
-	if err = credentials.validate(); err != nil {
+	if err = credentials.Validate(); err != nil {
 		return nil, err
 	}
 
 	return &credentials, nil
 }
 
 // IsClientSet returns whether the client credentials are set or not.
-func (c *Credentials) IsClientSet() bool {
+func (c *OAuthCredentials) IsClientSet() bool {
 	return c.ClientID != "" && c.ClientSecret != "" && c.AuthServerDomain != ""
 }
 
-func (c *Credentials) validate() error {
+func (c *OAuthCredentials) Validate() error {
 	var result *multierror.Error
 
 	if c == nil {