diff --git a/.github/ISSUE_TEMPLATE/bug-report.md b/.github/ISSUE_TEMPLATE/bug-report.md new file mode 100644 index 0000000..2033d4c --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug-report.md @@ -0,0 +1,45 @@ +--- +name: Bug report +about: Create a report to help us improve +title: "[BUG]" +labels: bug +assignees: '' + +--- + +**Describe the Bug** + +A clear and concise description of what the bug is. + +**To Reproduce** + +Steps to reproduce the behavior: +1. Go to '...' +2. Click on '....' +3. Scroll down to '....' +4. See error + +**Expected Behavior** + +A clear and concise description of what you expected to happen. + +**Screenshots and Logs** + +If applicable, add screenshots and logs to help explain your problem. + +**Product Deployment** + +Please complete the following information: + - Deployment format: [e.g. software, container] + - Version [e.g. 8.0.0] + +**Desktop** + +Please complete the following information: + - OS: [e.g. iOS] + - Browser [e.g. chrome, safari] + - Version [e.g. 22] + +**Additional Context** + +Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000..db73d91 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,6 @@ +blank_issues_enabled: true + +contact_links: + - name: GitHub Discussions + url: https://github.com/Keyfactor/kfutil/discussions + about: Join in-depth discussions or ask questions \ No newline at end of file diff --git a/.github/ISSUE_TEMPLATE/feature-request.md b/.github/ISSUE_TEMPLATE/feature-request.md new file mode 100644 index 0000000..05a453e --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature-request.md @@ -0,0 +1,25 @@ +--- +name: Feature request +about: Suggest an idea for this project +title: '' +labels: '' +assignees: '' + +--- + +**Is your feature request related to a problem or specific use case? Please describe.** +A clear and concise description of the problem or use case. + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Describe alternatives you've considered** +A clear and concise description of any alternative solutions or features you've considered. + +**Product deployment** +Please complete the following information: + - Deployment format: [e.g. software, container] + - Version [e.g. 8.0.0] + +**Additional context** +Add any other context or screenshots about the feature request here. diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000..7ef9f71 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,15 @@ +## Describe your changes + + + +## How has this been tested? + + + +## Checklist before requesting a review + + +- [ ] I have performed a self-review of my code +- [ ] I have kept the patch limited to only change the parts related to the patch +- [ ] This change requires a documentation update + diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml new file mode 100644 index 0000000..b06532a --- /dev/null +++ b/.github/workflows/lint.yml @@ -0,0 +1,33 @@ +name: Go Lint +on: [workflow_dispatch, push, pull_request] +jobs: + build: + name: Build and Lint + runs-on: ubuntu-latest + timeout-minutes: 5 + steps: + # Checkout code + # https://github.com/actions/checkout + - name: Checkout code + uses: actions/checkout@v4 + + # Setup GoLang build environment + # https://github.com/actions/setup-go + - name: Set up Go 1.x + uses: actions/setup-go@v5 + with: + go-version-file: 'go.mod' + cache: true + + # Download dependencies + - run: go mod download + + # Build Go binary + - run: go build -v . + + # Run Go linters + # https://github.com/golangci/golangci-lint-action + - name: Run linters + uses: golangci/golangci-lint-action@v6 + with: + version: latest \ No newline at end of file diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 8580a26..93ed013 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -141,7 +141,37 @@ jobs: - name: Run tests run: echo "Running tests for KF 11.x.x" + ## KFC 12.x.x + kf_12_x_x: + runs-on: ubuntu-latest + needs: + - build + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Run tests + run: echo "Running tests for KF 12.x.x" + ### Store Type Tests + Test_StoreTypes_KFC_12_0_0: + runs-on: ubuntu-latest + needs: + - build + - kf_11_x_x + env: + SECRET_NAME: "command-config-1200-clean" + KEYFACTOR_HOSTNAME: "int1200-test-clean.kfdelivery.com" + KEYFACTOR_DOMAIN: "command" + KEYFACTOR_USERNAME: ${{ secrets.LAB_USERNAME }} + KEYFACTOR_PASSWORD: ${{ secrets.LAB_PASSWORD }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Run tests + run: | + unset KFUTIL_DEBUG + go test -v ./cmd -run "^Test_StoreTypes*" + Test_StoreTypes_KFC_11_2_0: runs-on: ubuntu-latest needs: @@ -182,6 +212,23 @@ jobs: ### Store Tests + Test_Stores_KFC_12_0_0: + runs-on: ubuntu-latest + needs: + - build + - kf_12_x_x + - Test_StoreTypes_KFC_12_0_0 + env: + SECRET_NAME: "command-config-1200" + KEYFACTOR_HOSTNAME: "integrations1200-lab.kfdelivery.com" + KEYFACTOR_DOMAIN: "command" + KEYFACTOR_USERNAME: ${{ secrets.LAB_USERNAME }} + KEYFACTOR_PASSWORD: ${{ secrets.LAB_PASSWORD }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Run tests + run: go test -v ./cmd -run "^Test_Stores_*" Test_Stores_KFC_11_2_0: runs-on: ubuntu-latest needs: @@ -218,6 +265,27 @@ jobs: run: go test -v ./cmd -run "^Test_Stores_*" ### PAM Tests + Test_PAM_KFC_12_0_0: + runs-on: ubuntu-latest + needs: + - build + - kf_12_x_x + - Test_StoreTypes_KFC_12_0_0 + env: + SECRET_NAME: "command-config-1200" + KEYFACTOR_HOSTNAME: "integrations1200-lab.kfdelivery.com" + KEYFACTOR_DOMAIN: "command" + KEYFACTOR_USERNAME: ${{ secrets.LAB_USERNAME }} + KEYFACTOR_PASSWORD: ${{ secrets.LAB_PASSWORD }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Run tests + run: | + unset KFUTIL_DEBUG + go test -v ./cmd -run "^Test_PAM*" + + Test_PAM_KFC_11_2_0: runs-on: ubuntu-latest needs: @@ -261,6 +329,33 @@ jobs: ### PAM Tests AKV Auth Provider + Test_AKV_PAM_KFC_12_0_0: + runs-on: self-hosted + needs: + - Test_PAM_KFC_12_0_0 + env: + SECRET_NAME: "command-config-1200-az" + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: "1.21" + - name: Install dependencies + run: go mod download && go mod tidy + - name: Get secret from Azure Key Vault + run: | + . ./examples/auth/akv/akv_auth.sh + cat $HOME/.keyfactor/command_config.json + - name: Install kfutil + run: | + make install + - name: Run tests + run: | + go test -v ./cmd -run "^Test_PAM*" + + Test_AKV_PAM_KFC_11_2_0: runs-on: self-hosted needs: diff --git a/cmd/containers.go b/cmd/containers.go index 2b29dfe..8a3bd23 100644 --- a/cmd/containers.go +++ b/cmd/containers.go @@ -120,7 +120,7 @@ var containersDeleteCmd = &cobra.Command{ // Authenticate //authConfig := createAuthConfigFromParams(kfcHostName, kfcUsername, kfcPassword, kfcDomain, kfcAPIPath) - //kfClient, _ := initClient(configFile, profile, providerType, providerProfile, noPrompt, authConfig, false) + //Client, _ := initClient(configFile, profile, providerType, providerProfile, noPrompt, authConfig, false) // CLI Logic return fmt.Errorf("delete store containers not implemented") diff --git a/cmd/export.go b/cmd/export.go index 9048465..3be7415 100644 --- a/cmd/export.go +++ b/cmd/export.go @@ -141,7 +141,7 @@ var exportCmd = &cobra.Command{ authConfig := createAuthConfigFromParams(kfcHostName, kfcUsername, kfcPassword, kfcDomain, kfcAPIPath) if authConfig == nil { - log.Error().Msg("auth config is nil, invalid client configuration") + log.Error().Msg("auth config is nil, invalid Client configuration") return fmt.Errorf(FailedAuthMsg) } diff --git a/cmd/inventory.go b/cmd/inventory.go index 0b004ec..b4a5007 100644 --- a/cmd/inventory.go +++ b/cmd/inventory.go @@ -17,9 +17,10 @@ package cmd import ( "encoding/json" "fmt" + "log" + "github.com/Keyfactor/keyfactor-go-client/v2/api" "github.com/spf13/cobra" - "log" ) // inventoryCmd represents the inventory command @@ -66,7 +67,7 @@ var inventoryClearCmd = &cobra.Command{ dryRun, _ := cmd.Flags().GetBool("dry-run") storeID, _ := cmd.Flags().GetStringSlice("sid") - machineName, _ := cmd.Flags().GetStringSlice("client") + machineName, _ := cmd.Flags().GetStringSlice("Client") storeType, _ := cmd.Flags().GetStringSlice("store-type") containerType, _ := cmd.Flags().GetStringSlice("container") allStores, _ := cmd.Flags().GetBool("all") @@ -74,7 +75,7 @@ var inventoryClearCmd = &cobra.Command{ kfClient, _ := initClient(configFile, profile, "", "", noPrompt, authConfig, false) if storeID == nil && machineName == nil && storeType == nil && containerType == nil && !allStores { - fmt.Println("You must specify at least one of the following options: --sid, --client, --store-type, --container, --all") + fmt.Println("You must specify at least one of the following options: --sid, --Client, --store-type, --container, --all") return } @@ -133,7 +134,11 @@ var inventoryClearCmd = &cobra.Command{ } if !force { - fmt.Printf("This will clear the inventory of ALL certificates in the store %s:%s. Are you sure you sure?! Press 'y' to continue? (y/n) ", store.ClientMachine, store.StorePath) + fmt.Printf( + "This will clear the inventory of ALL certificates in the store %s:%s. Are you sure you sure?! Press 'y' to continue? (y/n) ", + store.ClientMachine, + store.StorePath, + ) var answer string fmt.Scanln(&answer) if answer != "y" { @@ -145,7 +150,8 @@ var inventoryClearCmd = &cobra.Command{ for _, inv := range *sInvs { certs := inv.Certificates for _, cert := range certs { - st := api.CertificateStore{ //TODO: This conversion is a bit weird to have to do. Should be able to pass the store directly. + st := api.CertificateStore{ + //TODO: This conversion is a bit weird to have to do. Should be able to pass the store directly. CertificateStoreId: store.Id, Alias: cert.Thumbprint, Overwrite: true, @@ -163,12 +169,23 @@ var inventoryClearCmd = &cobra.Command{ if !dryRun { _, err := kfClient.RemoveCertificateFromStores(&removeReq) if err != nil { - fmt.Printf("Error removing certificate %s(%d) from store %s: %s\n", cert.IssuedDN, cert.Id, st.CertificateStoreId, err) + fmt.Printf( + "Error removing certificate %s(%d) from store %s: %s\n", + cert.IssuedDN, + cert.Id, + st.CertificateStoreId, + err, + ) log.Printf("[ERROR] %s", err) continue } } else { - fmt.Printf("Dry run: Would have removed certificate %s(%d) from store %s\n", cert.IssuedDN, cert.Id, st.CertificateStoreId) + fmt.Printf( + "Dry run: Would have removed certificate %s(%d) from store %s\n", + cert.IssuedDN, + cert.Id, + st.CertificateStoreId, + ) } } @@ -199,7 +216,7 @@ var inventoryAddCmd = &cobra.Command{ Short: "Adds one or more certificates to one or more certificate store inventories.", Long: `Adds one or more certificates to one or more certificate store inventories. The certificate(s) to add can be specified by thumbprint, Keyfactor command certificate ID, or subject name. The store(s) to add the certificate(s) to can be -specified by Keyfactor command store ID, client machine name, store type, or container type. At least one or more stores +specified by Keyfactor command store ID, Client machine name, store type, or container type. At least one or more stores and one or more certificates must be specified. If multiple stores and/or certificates are specified, the command will attempt to add all the certificate(s) meeting the specified criteria to all stores meeting the specified criteria.`, Run: func(cmd *cobra.Command, args []string) { @@ -222,13 +239,13 @@ attempt to add all the certificate(s) meeting the specified criteria to all stor thumbprints, _ := cmd.Flags().GetStringSlice("thumbprint") certIDs, _ := cmd.Flags().GetStringSlice("cid") subjects, _ := cmd.Flags().GetStringSlice("cn") - machineNames, _ := cmd.Flags().GetStringSlice("client") + machineNames, _ := cmd.Flags().GetStringSlice("Client") storeTypes, _ := cmd.Flags().GetStringSlice("store-type") containerType, _ := cmd.Flags().GetStringSlice("container") allStores, _ := cmd.Flags().GetBool("all-stores") if !allStores && (len(storeIDs) == 0 && len(machineNames) == 0 && len(storeTypes) == 0 && len(containerType) == 0) { - fmt.Println("At least one store parameter must be specified: [sid, client, store-type, container]. Or specify --all-stores.") + fmt.Println("At least one store parameter must be specified: [sid, Client, store-type, container]. Or specify --all-stores.") log.Fatalf("At least one store must be specified") } @@ -240,7 +257,7 @@ attempt to add all the certificate(s) meeting the specified criteria to all stor kfClient, _ := initClient(configFile, profile, "", "", noPrompt, authConfig, false) if storeIDs == nil && machineNames == nil && storeTypes == nil && containerType == nil && !allStores { - fmt.Println("You must specify at least one of the following options: --sid, --client, --store-type, --container, --all") + fmt.Println("You must specify at least one of the following options: --sid, --Client, --store-type, --container, --all") return } @@ -264,9 +281,11 @@ attempt to add all the certificate(s) meeting the specified criteria to all stor var filteredCerts []api.GetCertificateResponse for _, cn := range subjects { - cert, err := kfClient.ListCertificates(map[string]string{ - "subject": cn, - }) + cert, err := kfClient.ListCertificates( + map[string]string{ + "subject": cn, + }, + ) if err != nil { fmt.Printf("Unable to find certificate with subject: %s\n", cn) continue @@ -274,9 +293,11 @@ attempt to add all the certificate(s) meeting the specified criteria to all stor filteredCerts = append(filteredCerts, cert...) } for _, thumbprint := range thumbprints { - cert, err := kfClient.ListCertificates(map[string]string{ - "thumbprint": thumbprint, - }) + cert, err := kfClient.ListCertificates( + map[string]string{ + "thumbprint": thumbprint, + }, + ) if err != nil { fmt.Printf("Unable to find certificate with thumbprint: %s\n", thumbprint) continue @@ -284,9 +305,11 @@ attempt to add all the certificate(s) meeting the specified criteria to all stor filteredCerts = append(filteredCerts, cert...) } for _, certID := range certIDs { - cert, err := kfClient.ListCertificates(map[string]string{ - "id": certID, - }) + cert, err := kfClient.ListCertificates( + map[string]string{ + "id": certID, + }, + ) if err != nil { fmt.Printf("Unable to find certificate with ID: %s\n", certID) continue @@ -323,7 +346,8 @@ attempt to add all the certificate(s) meeting the specified criteria to all stor Immediate: boolToPointer(true), } for _, cert := range filteredCerts { - st := api.CertificateStore{ //TODO: This conversion is weird. Should be able to use the store directly. + st := api.CertificateStore{ + //TODO: This conversion is weird. Should be able to use the store directly. CertificateStoreId: store.Id, Alias: cert.Thumbprint, Overwrite: true, @@ -340,7 +364,13 @@ attempt to add all the certificate(s) meeting the specified criteria to all stor } if !dryRun { if !force { - fmt.Printf("This will add the certificate %s(%d) to certificate store %s%s's inventory. Are you sure you shouldPass to continue? (y/n) ", cert.IssuedCN, cert.Id, store.ClientMachine, store.StorePath) + fmt.Printf( + "This will add the certificate %s(%d) to certificate store %s%s's inventory. Are you sure you shouldPass to continue? (y/n) ", + cert.IssuedCN, + cert.Id, + store.ClientMachine, + store.StorePath, + ) var answer string fmt.Scanln(&answer) if answer != "y" { @@ -350,12 +380,23 @@ attempt to add all the certificate(s) meeting the specified criteria to all stor } _, err := kfClient.AddCertificateToStores(&addReq) if err != nil { - fmt.Printf("Error adding certificate %s(%d) to store %s: %s\n", cert.IssuedCN, cert.Id, st.CertificateStoreId, err) + fmt.Printf( + "Error adding certificate %s(%d) to store %s: %s\n", + cert.IssuedCN, + cert.Id, + st.CertificateStoreId, + err, + ) log.Printf("[ERROR] %s", err) continue } } else { - fmt.Printf("Dry run: Would have added certificate %s(%d) from store %s", cert.IssuedDN, cert.Id, st.CertificateStoreId) + fmt.Printf( + "Dry run: Would have added certificate %s(%d) from store %s", + cert.IssuedDN, + cert.Id, + st.CertificateStoreId, + ) } } @@ -388,13 +429,13 @@ var inventoryRemoveCmd = &cobra.Command{ thumbprints, _ := cmd.Flags().GetStringSlice("thumbprint") certIDs, _ := cmd.Flags().GetStringSlice("cid") subjects, _ := cmd.Flags().GetStringSlice("cn") - machineNames, _ := cmd.Flags().GetStringSlice("client") + machineNames, _ := cmd.Flags().GetStringSlice("Client") storeTypes, _ := cmd.Flags().GetStringSlice("store-type") containerType, _ := cmd.Flags().GetStringSlice("container") allStores, _ := cmd.Flags().GetBool("all-stores") if !allStores && (len(storeIDs) == 0 && len(machineNames) == 0 && len(storeTypes) == 0 && len(containerType) == 0) { - fmt.Println("At least one store parameter must be specified: [sid, client, store-type, container]. Or specify --all-stores.") + fmt.Println("At least one store parameter must be specified: [sid, Client, store-type, container]. Or specify --all-stores.") log.Fatalf("At least one store must be specified") } @@ -406,7 +447,7 @@ var inventoryRemoveCmd = &cobra.Command{ kfClient, _ := initClient(configFile, profile, "", "", noPrompt, authConfig, false) if storeIDs == nil && machineNames == nil && storeTypes == nil && containerType == nil && !allStores { - fmt.Println("You must specify at least one of the following options: --sid, --client, --store-type, --container, --all") + fmt.Println("You must specify at least one of the following options: --sid, --Client, --store-type, --container, --all") return } @@ -430,9 +471,11 @@ var inventoryRemoveCmd = &cobra.Command{ var filteredCerts []api.GetCertificateResponse for _, cn := range subjects { - cert, err := kfClient.ListCertificates(map[string]string{ - "subject": cn, - }) + cert, err := kfClient.ListCertificates( + map[string]string{ + "subject": cn, + }, + ) if err != nil { fmt.Printf("Unable to find certificate with subject: %s\n", cn) continue @@ -440,9 +483,11 @@ var inventoryRemoveCmd = &cobra.Command{ filteredCerts = append(filteredCerts, cert...) } for _, thumbprint := range thumbprints { - cert, err := kfClient.ListCertificates(map[string]string{ - "thumbprint": thumbprint, - }) + cert, err := kfClient.ListCertificates( + map[string]string{ + "thumbprint": thumbprint, + }, + ) if err != nil { fmt.Printf("Unable to find certificate with thumbprint: %s\n", thumbprint) continue @@ -450,9 +495,11 @@ var inventoryRemoveCmd = &cobra.Command{ filteredCerts = append(filteredCerts, cert...) } for _, certID := range certIDs { - cert, err := kfClient.ListCertificates(map[string]string{ - "id": certID, - }) + cert, err := kfClient.ListCertificates( + map[string]string{ + "id": certID, + }, + ) if err != nil { fmt.Printf("Unable to find certificate with ID: %s\n", certID) continue @@ -490,7 +537,8 @@ var inventoryRemoveCmd = &cobra.Command{ Immediate: boolToPointer(true), } for _, cert := range filteredCerts { - st := api.CertificateStore{ //TODO: This conversion is weird. Should be able to use the store directly. + st := api.CertificateStore{ + //TODO: This conversion is weird. Should be able to use the store directly. CertificateStoreId: store.Id, Alias: cert.Thumbprint, Overwrite: true, @@ -507,7 +555,12 @@ var inventoryRemoveCmd = &cobra.Command{ } if !dryRun { if !force { - fmt.Printf("This will remove the certificate %s from certificate store %s%s's inventory. Are you sure you shouldPass to continue? (y/n) ", certToString(&cert), store.ClientMachine, store.StorePath) + fmt.Printf( + "This will remove the certificate %s from certificate store %s%s's inventory. Are you sure you shouldPass to continue? (y/n) ", + certToString(&cert), + store.ClientMachine, + store.StorePath, + ) var answer string fmt.Scanln(&answer) if answer != "y" { @@ -517,12 +570,21 @@ var inventoryRemoveCmd = &cobra.Command{ } _, err := kfClient.RemoveCertificateFromStores(&removeReq) if err != nil { - fmt.Printf("Error removing certificate %s to store %s: %s\n", certToString(&cert), st.CertificateStoreId, err) + fmt.Printf( + "Error removing certificate %s to store %s: %s\n", + certToString(&cert), + st.CertificateStoreId, + err, + ) log.Printf("[ERROR] %s", err) continue } } else { - fmt.Printf("Dry run: Would have removed certificate %s from store %s\n", certToString(&cert), st.CertificateStoreId) + fmt.Printf( + "Dry run: Would have removed certificate %s from store %s\n", + certToString(&cert), + st.CertificateStoreId, + ) } } @@ -565,14 +627,14 @@ var inventoryShowCmd = &cobra.Command{ debugModeEnabled := checkDebug(debugFlag) log.Println("Debug mode enabled: ", debugModeEnabled) storeIDs, _ := cmd.Flags().GetStringSlice("sid") - clientMachineNames, _ := cmd.Flags().GetStringSlice("client") + clientMachineNames, _ := cmd.Flags().GetStringSlice("Client") storeTypes, _ := cmd.Flags().GetStringSlice("store-type") containers, _ := cmd.Flags().GetStringSlice("container") kfClient, _ := initClient(configFile, profile, "", "", noPrompt, authConfig, false) if len(storeIDs) == 0 && len(clientMachineNames) == 0 && len(storeTypes) == 0 && len(containers) == 0 { - fmt.Println("No filters specified. Unable to show inventory. Please specify at least one filter: [--sid, --client, --store-type, --container]") + fmt.Println("No filters specified. Unable to show inventory. Please specify at least one filter: [--sid, --Client, --store-type, --container]") return } @@ -669,42 +731,182 @@ func init() { storesCmd.AddCommand(inventoryCmd) inventoryCmd.AddCommand(inventoryClearCmd) - inventoryClearCmd.Flags().StringSliceVar(&ids, "sid", []string{}, "The Keyfactor Command ID of the certificate store(s) remove all inventory from.") - inventoryClearCmd.Flags().StringSliceVar(&clients, "client", []string{}, "Remove all inventory from store(s) of specific client machine(s).") - inventoryClearCmd.Flags().StringSliceVar(&types, "store-type", []string{}, "Remove all inventory from store(s) of specific store type(s).") - inventoryClearCmd.Flags().StringSliceVar(&containers, "container", []string{}, "Remove all inventory from store(s) of specific container type(s).") + inventoryClearCmd.Flags().StringSliceVar( + &ids, + "sid", + []string{}, + "The Keyfactor Command ID of the certificate store(s) remove all inventory from.", + ) + inventoryClearCmd.Flags().StringSliceVar( + &clients, + "Client", + []string{}, + "Remove all inventory from store(s) of specific Client machine(s).", + ) + inventoryClearCmd.Flags().StringSliceVar( + &types, + "store-type", + []string{}, + "Remove all inventory from store(s) of specific store type(s).", + ) + inventoryClearCmd.Flags().StringSliceVar( + &containers, + "container", + []string{}, + "Remove all inventory from store(s) of specific container type(s).", + ) inventoryClearCmd.Flags().BoolVar(&all, "all", false, "Remove all inventory from all certificate stores.") - inventoryClearCmd.Flags().BoolVar(&force, "force", false, "Force removal of inventory without prompting for confirmation.") - inventoryClearCmd.Flags().BoolVar(&dryRun, "dry-run", false, "Do not remove inventory, only show what would be removed.") + inventoryClearCmd.Flags().BoolVar( + &force, + "force", + false, + "Force removal of inventory without prompting for confirmation.", + ) + inventoryClearCmd.Flags().BoolVar( + &dryRun, + "dry-run", + false, + "Do not remove inventory, only show what would be removed.", + ) inventoryCmd.AddCommand(inventoryAddCmd) - inventoryAddCmd.Flags().StringSliceVar(&ids, "sid", []string{}, "The Keyfactor Command ID of the certificate store(s) to add inventory to.") - inventoryAddCmd.Flags().StringSliceVar(&clients, "client", []string{}, "Add a certificate to all stores of specific client machine(s).") - inventoryAddCmd.Flags().StringSliceVar(&types, "store-type", []string{}, "Add a certificate to all stores of specific store type(s).") - inventoryAddCmd.Flags().StringSliceVar(&containers, "container", []string{}, "Add a certificate to all stores of specific container type(s).") - inventoryAddCmd.Flags().StringSliceVar(&thumbprints, "thumbprint", []string{}, "The thumbprint of the certificate(s) to add to the store(s).") - inventoryAddCmd.Flags().StringSliceVar(&cIDs, "cid", []string{}, "The Keyfactor command certificate ID(s) of the certificate to add to the store(s).") - inventoryAddCmd.Flags().StringSliceVar(&subjectNames, "cn", []string{}, "Subject name(s) of the certificate(s) to add to the store(s).") + inventoryAddCmd.Flags().StringSliceVar( + &ids, + "sid", + []string{}, + "The Keyfactor Command ID of the certificate store(s) to add inventory to.", + ) + inventoryAddCmd.Flags().StringSliceVar( + &clients, + "Client", + []string{}, + "Add a certificate to all stores of specific Client machine(s).", + ) + inventoryAddCmd.Flags().StringSliceVar( + &types, + "store-type", + []string{}, + "Add a certificate to all stores of specific store type(s).", + ) + inventoryAddCmd.Flags().StringSliceVar( + &containers, + "container", + []string{}, + "Add a certificate to all stores of specific container type(s).", + ) + inventoryAddCmd.Flags().StringSliceVar( + &thumbprints, + "thumbprint", + []string{}, + "The thumbprint of the certificate(s) to add to the store(s).", + ) + inventoryAddCmd.Flags().StringSliceVar( + &cIDs, + "cid", + []string{}, + "The Keyfactor command certificate ID(s) of the certificate to add to the store(s).", + ) + inventoryAddCmd.Flags().StringSliceVar( + &subjectNames, + "cn", + []string{}, + "Subject name(s) of the certificate(s) to add to the store(s).", + ) inventoryAddCmd.Flags().BoolVar(&all, "all-stores", false, "Add the certificate(s) to all certificate stores.") - inventoryAddCmd.Flags().BoolVar(&force, "force", false, "Force addition of inventory without prompting for confirmation.") + inventoryAddCmd.Flags().BoolVar( + &force, + "force", + false, + "Force addition of inventory without prompting for confirmation.", + ) inventoryAddCmd.Flags().BoolVar(&dryRun, "dry-run", false, "Do not add inventory, only show what would be added.") inventoryCmd.AddCommand(inventoryRemoveCmd) - inventoryRemoveCmd.Flags().StringSliceVar(&ids, "sid", []string{}, "The Keyfactor Command ID of the certificate store(s) to remove inventory from.") - inventoryRemoveCmd.Flags().StringSliceVar(&clients, "client", []string{}, "Remove certificate(s) from all stores of specific client machine(s).") - inventoryRemoveCmd.Flags().StringSliceVar(&types, "store-type", []string{}, "Remove certificate(s) from all stores of specific store type(s).") - inventoryRemoveCmd.Flags().StringSliceVar(&containers, "container", []string{}, "Remove certificate(s) from all stores of specific container type(s).") - inventoryRemoveCmd.Flags().StringSliceVar(&thumbprints, "thumbprint", []string{}, "The thumbprint of the certificate(s) to remove from the store(s).") - inventoryRemoveCmd.Flags().StringSliceVar(&cIDs, "cid", []string{}, "The Keyfactor command certificate ID(s) of the certificate to remove from the store(s).") - inventoryRemoveCmd.Flags().StringSliceVar(&subjectNames, "cn", []string{}, "Subject name(s) of the certificate(s) to remove from the store(s).") - inventoryRemoveCmd.Flags().BoolVar(&all, "all-stores", false, "Remove the certificate(s) from all certificate stores.") - inventoryRemoveCmd.Flags().BoolVar(&force, "force", false, "Force removal of inventory without prompting for confirmation.") - inventoryRemoveCmd.Flags().BoolVar(&dryRun, "dry-run", false, "Do not remove inventory, only show what would be removed.") + inventoryRemoveCmd.Flags().StringSliceVar( + &ids, + "sid", + []string{}, + "The Keyfactor Command ID of the certificate store(s) to remove inventory from.", + ) + inventoryRemoveCmd.Flags().StringSliceVar( + &clients, + "Client", + []string{}, + "Remove certificate(s) from all stores of specific Client machine(s).", + ) + inventoryRemoveCmd.Flags().StringSliceVar( + &types, + "store-type", + []string{}, + "Remove certificate(s) from all stores of specific store type(s).", + ) + inventoryRemoveCmd.Flags().StringSliceVar( + &containers, + "container", + []string{}, + "Remove certificate(s) from all stores of specific container type(s).", + ) + inventoryRemoveCmd.Flags().StringSliceVar( + &thumbprints, + "thumbprint", + []string{}, + "The thumbprint of the certificate(s) to remove from the store(s).", + ) + inventoryRemoveCmd.Flags().StringSliceVar( + &cIDs, + "cid", + []string{}, + "The Keyfactor command certificate ID(s) of the certificate to remove from the store(s).", + ) + inventoryRemoveCmd.Flags().StringSliceVar( + &subjectNames, + "cn", + []string{}, + "Subject name(s) of the certificate(s) to remove from the store(s).", + ) + inventoryRemoveCmd.Flags().BoolVar( + &all, + "all-stores", + false, + "Remove the certificate(s) from all certificate stores.", + ) + inventoryRemoveCmd.Flags().BoolVar( + &force, + "force", + false, + "Force removal of inventory without prompting for confirmation.", + ) + inventoryRemoveCmd.Flags().BoolVar( + &dryRun, + "dry-run", + false, + "Do not remove inventory, only show what would be removed.", + ) inventoryCmd.AddCommand(inventoryShowCmd) - inventoryShowCmd.Flags().StringSliceVar(&ids, "sid", []string{}, "The Keyfactor Command ID of the certificate store(s) to retrieve inventory from.") - inventoryShowCmd.Flags().StringSliceVar(&clients, "client", []string{}, "Show certificate inventories for stores of specific client machine(s).") - inventoryShowCmd.Flags().StringSliceVar(&types, "store-type", []string{}, "Show certificate inventories for stores of specific store type(s).") - inventoryShowCmd.Flags().StringSliceVar(&containers, "container", []string{}, "Show certificate inventories for stores of specific container type(s).") + inventoryShowCmd.Flags().StringSliceVar( + &ids, + "sid", + []string{}, + "The Keyfactor Command ID of the certificate store(s) to retrieve inventory from.", + ) + inventoryShowCmd.Flags().StringSliceVar( + &clients, + "Client", + []string{}, + "Show certificate inventories for stores of specific Client machine(s).", + ) + inventoryShowCmd.Flags().StringSliceVar( + &types, + "store-type", + []string{}, + "Show certificate inventories for stores of specific store type(s).", + ) + inventoryShowCmd.Flags().StringSliceVar( + &containers, + "container", + []string{}, + "Show certificate inventories for stores of specific container type(s).", + ) } diff --git a/cmd/login.go b/cmd/login.go index 527c786..a1dd6e2 100644 --- a/cmd/login.go +++ b/cmd/login.go @@ -17,16 +17,17 @@ package cmd import ( "encoding/json" "fmt" + "os" + "path" + "strings" + "syscall" + "github.com/Keyfactor/keyfactor-go-client-sdk/api/keyfactor" "github.com/Keyfactor/keyfactor-go-client/v2/api" "github.com/google/go-cmp/cmp" "github.com/rs/zerolog/log" "github.com/spf13/cobra" "golang.org/x/crypto/ssh/terminal" - "os" - "path" - "strings" - "syscall" ) var loginCmd = &cobra.Command{ @@ -84,7 +85,11 @@ WARNING: The 'username'' and 'password' will be stored in the config file in pla if noPrompt { log.Info().Msg("Using environment variables for configuration data.") // First try to auth with environment variables - authConfig, authEnvErr = authEnvVars(configFile, profile, true) // always save config file is login is called + authConfig, authEnvErr = authEnvVars( + configFile, + profile, + true, + ) // always save config file is login is called if authEnvErr != nil { for _, err := range authEnvErr { log.Error().Err(err) @@ -94,7 +99,13 @@ WARNING: The 'username'' and 'password' will be stored in the config file in pla if !validConfigFileEntry(authConfig, profile) { // Attempt to auth with config file log.Info().Msgf("Attempting to authenticate via config '%s' profile.", profile) - authConfig, authEnvErr = authConfigFile(configFile, profile, "", noPrompt, true) // always save config file is login is called + authConfig, authEnvErr = authConfigFile( + configFile, + profile, + "", + noPrompt, + true, + ) // always save config file is login is called if authEnvErr != nil { // Print out the error messages for _, err := range authEnvErr { @@ -125,7 +136,17 @@ WARNING: The 'username'' and 'password' will be stored in the config file in pla Str("domain", existingAuth.Domain). Str("apiPath", existingAuth.APIPath). Msg("call: authInteractive()") - authConfig, authErr = authInteractive(existingAuth.Hostname, existingAuth.Username, existingAuth.Password, existingAuth.Domain, existingAuth.APIPath, profile, !noPrompt, true, configFile) + authConfig, authErr = authInteractive( + existingAuth.Hostname, + existingAuth.Username, + existingAuth.Password, + existingAuth.Domain, + existingAuth.APIPath, + profile, + !noPrompt, + true, + configFile, + ) log.Debug().Msg("authInteractive() returned") if authErr != nil { log.Error().Err(authErr) @@ -143,7 +164,13 @@ WARNING: The 'username'' and 'password' will be stored in the config file in pla Str("profile", profile). Bool("noPrompt", noPrompt). Msg("call: authConfigFile()") - authConfig, authConfigFileErrs = authConfigFile(configFile, profile, "", noPrompt, true) // always save config file is login is called + authConfig, authConfigFileErrs = authConfigFile( + configFile, + profile, + "", + noPrompt, + true, + ) // always save config file is login is called log.Debug().Msg("authConfigFile() returned") if authConfigFileErrs != nil { // Print out the error messages @@ -157,7 +184,17 @@ WARNING: The 'username'' and 'password' will be stored in the config file in pla //Attempt to auth with user interactive login log.Info().Msg("Attempting to authenticate via user interactive login.") authEntry := authConfig.Servers[profile] - authConfig, authErr = authInteractive(authEntry.Hostname, authEntry.Username, authEntry.Password, authEntry.Domain, authEntry.APIPath, profile, false, true, configFile) + authConfig, authErr = authInteractive( + authEntry.Hostname, + authEntry.Username, + authEntry.Password, + authEntry.Domain, + authEntry.APIPath, + profile, + false, + true, + configFile, + ) if authErr != nil { //log.Println(authErr) log.Error().Err(authErr) @@ -208,7 +245,10 @@ func validConfigFileEntry(configFile ConfigurationFile, profile string) bool { if configFile.Servers[profile].Hostname == "" || configFile.Servers[profile].Username == "" || configFile.Servers[profile].Password == "" { return false } - if configFile.Servers[profile].Domain == "" && (!strings.Contains(configFile.Servers[profile].Username, "@") || !strings.Contains(configFile.Servers[profile].Username, "\\")) { + if configFile.Servers[profile].Domain == "" && (!strings.Contains( + configFile.Servers[profile].Username, + "@", + ) || !strings.Contains(configFile.Servers[profile].Username, "\\")) { return false } return true @@ -223,7 +263,14 @@ func getDomainFromUsername(username string) string { return "" } -func createConfigFile(hostname string, username string, password string, domain string, apiPath string, profileName string) ConfigurationFile { +func createConfigFile( + hostname string, + username string, + password string, + domain string, + apiPath string, + profileName string, +) ConfigurationFile { output := ConfigurationFile{ Servers: map[string]ConfigurationFileEntry{ profileName: { @@ -329,7 +376,17 @@ func saveConfigFile(configFile ConfigurationFile, configPath string, profileName return loadedConfig, nil } -func authInteractive(hostname string, username string, password string, domain string, apiPath string, profileName string, forcePrompt bool, saveConfig bool, configPath string) (ConfigurationFile, error) { +func authInteractive( + hostname string, + username string, + password string, + domain string, + apiPath string, + profileName string, + forcePrompt bool, + saveConfig bool, + configPath string, +) (ConfigurationFile, error) { if hostname == "" || forcePrompt { hostname = promptForInteractiveParameter("Keyfactor Command kfcHostName", hostname) } @@ -397,7 +454,12 @@ func prepHomeDir() (string, error) { return userHomeDir, hErr } -func loadConfigFileData(profileName string, configPath string, noPrompt bool, configurationFile ConfigurationFile) (string, string, string, string, string) { +func loadConfigFileData( + profileName string, + configPath string, + noPrompt bool, + configurationFile ConfigurationFile, +) (string, string, string, string, string) { log.Debug().Str("profileName", profileName). Str("configPath", configPath). Bool("noPrompt", noPrompt). @@ -505,7 +567,10 @@ func authViaProvider() (*api.Client, error) { log.Info().Str("providerType", providerType).Msg("attempting to auth via auth provider") var providerConfig AuthProvider if providerProfile == "" { - log.Info().Str("providerProfile", providerProfile).Msg("auth provider profile not set, defaulting to 'default'") + log.Info().Str( + "providerProfile", + providerProfile, + ).Msg("auth provider profile not set, defaulting to 'default'") providerProfile = "default" } @@ -586,10 +651,10 @@ func authViaProvider() (*api.Client, error) { if err != nil { //fmt.Printf("Error connecting to Keyfactor: %s\n", err) outputError(err, true, "text") - //log.Fatalf("[ERROR] creating Keyfactor client: %s", err) - return nil, fmt.Errorf("unable to create Keyfactor Command client: %s", err) + //log.Fatalf("[ERROR] creating Keyfactor Client: %s", err) + return nil, fmt.Errorf("unable to create Keyfactor Command Client: %s", err) } - log.Info().Msg("Keyfactor Command client created") + log.Info().Msg("Keyfactor Command Client created") log.Debug().Str("flagAuthProvider", providerType). Str("providerProfile", providerProfile). Msg("returning from provider auth") @@ -604,7 +669,10 @@ func authViaProviderGenClient() (*keyfactor.APIClient, error) { log.Info().Str("providerType", providerType).Msg("attempting to auth via auth provider") var providerConfig AuthProvider if providerProfile == "" { - log.Info().Str("providerProfile", providerProfile).Msg("auth provider profile not set, defaulting to 'default'") + log.Info().Str( + "providerProfile", + providerProfile, + ).Msg("auth provider profile not set, defaulting to 'default'") providerProfile = "default" } @@ -683,7 +751,7 @@ func authViaProviderGenClient() (*keyfactor.APIClient, error) { configuration := keyfactor.NewConfiguration(sdkClientConfig) c := keyfactor.NewAPIClient(configuration) log.Debug().Msg("complete: api.NewKeyfactorClient()") - log.Info().Msg("Keyfactor Command client created") + log.Info().Msg("Keyfactor Command Client created") log.Debug().Str("flagAuthProvider", providerType). Str("providerProfile", providerProfile). Msg("returning from provider auth") @@ -702,7 +770,11 @@ func authViaProviderParams(providerConfig *AuthProvider) (ConfigurationFile, err // Check if auth provider is valid if !validAuthProvider(pt) { - return ConfigurationFile{}, fmt.Errorf("invalid auth provider type '%s'. Valid auth providers are: %v", pt, ValidAuthProviders) + return ConfigurationFile{}, fmt.Errorf( + "invalid auth provider type '%s'. Valid auth providers are: %v", + pt, + ValidAuthProviders, + ) } // Check if provider type matches requested provider type @@ -734,7 +806,11 @@ func authViaProviderParams(providerConfig *AuthProvider) (ConfigurationFile, err log.Error().Msg("invalid auth provider type") break } - return ConfigurationFile{}, fmt.Errorf("invalid auth provider type '%s'. Valid auth providers are: %v", pt, ValidAuthProviders) + return ConfigurationFile{}, fmt.Errorf( + "invalid auth provider type '%s'. Valid auth providers are: %v", + pt, + ValidAuthProviders, + ) } func validAuthProvider(providerType string) bool { @@ -752,7 +828,13 @@ func validAuthProvider(providerType string) bool { return false } -func authConfigFile(configPath string, profileName string, authProviderProfile string, noPrompt bool, saveConfig bool) (ConfigurationFile, []error) { +func authConfigFile( + configPath string, + profileName string, + authProviderProfile string, + noPrompt bool, + saveConfig bool, +) (ConfigurationFile, []error) { var configurationFile ConfigurationFile var ( hostName string @@ -793,7 +875,12 @@ func authConfigFile(configPath string, profileName string, authProviderProfile s } log.Debug().Msg("calling loadConfigFileData()") - hostName, userName, password, domain, apiPath = loadConfigFileData(profileName, configPath, noPrompt, configurationFile) + hostName, userName, password, domain, apiPath = loadConfigFileData( + profileName, + configPath, + noPrompt, + configurationFile, + ) log.Debug().Msg("loadConfigFileData() returned") log.Debug().Str("hostName", hostName). @@ -832,7 +919,10 @@ func authConfigFile(configPath string, profileName string, authProviderProfile s func authEnvProvider(authProvider *AuthProvider, configProfile string) (ConfigurationFile, []error) { //log.Println(fmt.Sprintf("[INFO] authenticating with auth provider '%s' params from environment variables", authProvider.Type)) - log.Info().Str("authProvider.Type", authProvider.Type).Msg("authenticating with auth provider params from environment variables") + log.Info().Str( + "authProvider.Type", + authProvider.Type, + ).Msg("authenticating with auth provider params from environment variables") if configProfile == "" { log.Debug().Msg("configProfile is empty, setting to default") @@ -918,7 +1008,12 @@ func authEnvProvider(authProvider *AuthProvider, configProfile string) (Configur } else { //log.Println(fmt.Sprintf("[DEBUG] profile '%s' not found in authProviderParams file", configProfile)) log.Debug().Str("configProfile", configProfile).Msg("profile not found in authProviderParams file") - return ConfigurationFile{}, []error{fmt.Errorf("profile '%s' not found in authProviderParams file", configProfile)} + return ConfigurationFile{}, []error{ + fmt.Errorf( + "profile '%s' not found in authProviderParams file", + configProfile, + ), + } } } else { //check if provider params is an AuthProvider @@ -956,7 +1051,10 @@ func authEnvProvider(authProvider *AuthProvider, configProfile string) (Configur authProvider.Parameters = providerParams } //log.Println("[INFO] Attempting to fetch kfutil creds from auth provider ", authProvider) - log.Info().Str("authProvider", fmt.Sprintf("%+v", authProvider)).Msg("Attempting to fetch kfutil creds from auth provider") + log.Info().Str( + "authProvider", + fmt.Sprintf("%+v", authProvider), + ).Msg("Attempting to fetch kfutil creds from auth provider") configFile, authErr := authViaProviderParams(authProvider) if authErr != nil { //log.Println("[ERROR] Unable to authenticate via provider: ", authErr) @@ -1011,16 +1109,28 @@ func authEnvVars(configPath string, profileName string, saveConfig bool) (Config var outputErr []error if !hostSet { - outputErr = append(outputErr, fmt.Errorf("KEYFACTOR_HOSTNAME environment variable not set. Please set the KEYFACTOR_HOSTNAME environment variable")) + outputErr = append( + outputErr, + fmt.Errorf("KEYFACTOR_HOSTNAME environment variable not set. Please set the KEYFACTOR_HOSTNAME environment variable"), + ) } if !userSet { - outputErr = append(outputErr, fmt.Errorf("KEYFACTOR_USERNAME environment variable not set. Please set the KEYFACTOR_USERNAME environment variable")) + outputErr = append( + outputErr, + fmt.Errorf("KEYFACTOR_USERNAME environment variable not set. Please set the KEYFACTOR_USERNAME environment variable"), + ) } if !passSet { - outputErr = append(outputErr, fmt.Errorf("KEYFACTOR_PASSWORD environment variable not set. Please set the KEYFACTOR_PASSWORD environment variable")) + outputErr = append( + outputErr, + fmt.Errorf("KEYFACTOR_PASSWORD environment variable not set. Please set the KEYFACTOR_PASSWORD environment variable"), + ) } if !domainSet { - outputErr = append(outputErr, fmt.Errorf("KEYFACTOR_DOMAIN environment variable not set. Please set the KEYFACTOR_DOMAIN environment variable")) + outputErr = append( + outputErr, + fmt.Errorf("KEYFACTOR_DOMAIN environment variable not set. Please set the KEYFACTOR_DOMAIN environment variable"), + ) } if !apiPathSet { apiPath = DefaultAPIPath @@ -1182,7 +1292,10 @@ func loadConfigurationFile(filePath string, silent bool) (ConfigurationFile, err sjErr := json.Unmarshal(f, &singleEntry) if sjErr != nil { //log.Println(fmt.Sprintf("[DEBUG] config file '%s' is a not single entry, will attempt to parse as v1 config file", filePath)) - log.Debug().Str("filePath", filePath).Msg("config file is not a single entry, will attempt to parse as v1 config file") + log.Debug().Str( + "filePath", + filePath, + ).Msg("config file is not a single entry, will attempt to parse as v1 config file") } else if (singleEntry != ConfigurationFileEntry{}) { // if we successfully unmarshalled a single entry, add it to the map as the default entry //log.Println(fmt.Sprintf("[DEBUG] config file '%s' is a single entry, adding to map", filePath)) @@ -1203,7 +1316,13 @@ func loadConfigurationFile(filePath string, silent bool) (ConfigurationFile, err return data, nil } -func createAuthConfigFromParams(hostname string, username string, password string, domain string, apiPath string) *api.AuthConfig { +func createAuthConfigFromParams( + hostname string, + username string, + password string, + domain string, + apiPath string, +) *api.AuthConfig { output := api.AuthConfig{ Hostname: hostname, Username: username, diff --git a/cmd/orchs.go b/cmd/orchs.go index 47d85ff..21a6023 100644 --- a/cmd/orchs.go +++ b/cmd/orchs.go @@ -33,8 +33,8 @@ var orchsCmd = &cobra.Command{ // getOrchestratorCmd represents the get orchestrator command var getOrchestratorCmd = &cobra.Command{ Use: "get", - Short: "Get orchestrator by machine/client name.", - Long: `Get orchestrator by machine/client name.`, + Short: "Get orchestrator by machine/Client name.", + Long: `Get orchestrator by machine/Client name.`, Run: func(cmd *cobra.Command, args []string) { authConfig := createAuthConfigFromParams(kfcHostName, kfcUsername, kfcPassword, kfcDomain, kfcAPIPath) @@ -48,7 +48,7 @@ var getOrchestratorCmd = &cobra.Command{ debugModeEnabled := checkDebug(debugFlag) log.Println("Debug mode enabled: ", debugModeEnabled) - client := cmd.Flag("client").Value.String() + client := cmd.Flag("Client").Value.String() kfClient, _ := initClient(configFile, profile, "", "", noPrompt, authConfig, false) agents, aErr := kfClient.GetAgent(client) if aErr != nil { @@ -67,8 +67,8 @@ var getOrchestratorCmd = &cobra.Command{ // listOrchestratorsCmd represents the list orchestrators command var approveOrchestratorCmd = &cobra.Command{ Use: "approve", - Short: "Approve orchestrator by machine/client name.", - Long: `Approve orchestrator by machine/client name.`, + Short: "Approve orchestrator by machine/Client name.", + Long: `Approve orchestrator by machine/Client name.`, Run: func(cmd *cobra.Command, args []string) { authConfig := createAuthConfigFromParams(kfcHostName, kfcUsername, kfcPassword, kfcDomain, kfcAPIPath) @@ -82,7 +82,7 @@ var approveOrchestratorCmd = &cobra.Command{ debugModeEnabled := checkDebug(debugFlag) log.Println("Debug mode enabled: ", debugModeEnabled) - client := cmd.Flag("client").Value.String() + client := cmd.Flag("Client").Value.String() kfClient, cErr := initClient(configFile, profile, "", "", noPrompt, authConfig, false) if cErr != nil { fmt.Println("Error, unable to connect to Keyfactor.") @@ -106,8 +106,8 @@ var approveOrchestratorCmd = &cobra.Command{ // disapproveOrchestratorCmd represents the disapprove orchestrator command var disapproveOrchestratorCmd = &cobra.Command{ Use: "disapprove", - Short: "Disapprove orchestrator by machine/client name.", - Long: `Disapprove orchestrator by machine/client name.`, + Short: "Disapprove orchestrator by machine/Client name.", + Long: `Disapprove orchestrator by machine/Client name.`, Run: func(cmd *cobra.Command, args []string) { authConfig := createAuthConfigFromParams(kfcHostName, kfcUsername, kfcPassword, kfcDomain, kfcAPIPath) @@ -121,7 +121,7 @@ var disapproveOrchestratorCmd = &cobra.Command{ debugModeEnabled := checkDebug(debugFlag) log.Println("Debug mode enabled: ", debugModeEnabled) - client := cmd.Flag("client").Value.String() + client := cmd.Flag("Client").Value.String() kfClient, cErr := initClient(configFile, profile, "", "", noPrompt, authConfig, false) if cErr != nil { fmt.Println("Error, unable to connect to Keyfactor.") @@ -145,8 +145,8 @@ var disapproveOrchestratorCmd = &cobra.Command{ // resetOrchestratorCmd represents the reset orchestrator command var resetOrchestratorCmd = &cobra.Command{ Use: "reset", - Short: "Reset orchestrator by machine/client name.", - Long: `Reset orchestrator by machine/client name.`, + Short: "Reset orchestrator by machine/Client name.", + Long: `Reset orchestrator by machine/Client name.`, Run: func(cmd *cobra.Command, args []string) { fmt.Println("orchestrator reset called") }, @@ -155,8 +155,8 @@ var resetOrchestratorCmd = &cobra.Command{ // getLogsOrchestratorCmd represents the get logs orchestrator command var getLogsOrchestratorCmd = &cobra.Command{ Use: "logs", - Short: "Get orchestrator logs by machine/client name.", - Long: `Get orchestrator logs by machine/client name.`, + Short: "Get orchestrator logs by machine/Client name.", + Long: `Get orchestrator logs by machine/Client name.`, Run: func(cmd *cobra.Command, args []string) { authConfig := createAuthConfigFromParams(kfcHostName, kfcUsername, kfcPassword, kfcDomain, kfcAPIPath) @@ -171,7 +171,7 @@ var getLogsOrchestratorCmd = &cobra.Command{ debugModeEnabled := checkDebug(debugFlag) log.Println("Debug mode enabled: ", debugModeEnabled) - client := cmd.Flag("client").Value.String() + client := cmd.Flag("Client").Value.String() kfClient, cErr := initClient(configFile, profile, "", "", noPrompt, authConfig, false) if cErr != nil { fmt.Println("Error, unable to connect to Keyfactor.") @@ -237,8 +237,14 @@ func init() { orchsCmd.AddCommand(listOrchestratorsCmd) // GET orchestrator command orchsCmd.AddCommand(getOrchestratorCmd) - getOrchestratorCmd.Flags().StringVarP(&client, "client", "c", "", "Get a specific orchestrator by machine or client name.") - getOrchestratorCmd.MarkFlagRequired("client") + getOrchestratorCmd.Flags().StringVarP( + &client, + "Client", + "c", + "", + "Get a specific orchestrator by machine or Client name.", + ) + getOrchestratorCmd.MarkFlagRequired("Client") // CREATE orchestrator command //orchsCmd.AddCommand(createOrchestratorCmd) // UPDATE orchestrator command @@ -247,20 +253,44 @@ func init() { //orchsCmd.AddCommand(deleteOrchestratorCmd) // APPROVE orchestrator command orchsCmd.AddCommand(approveOrchestratorCmd) - approveOrchestratorCmd.Flags().StringVarP(&client, "client", "c", "", "Approve a specific orchestrator by machine or client name.") - approveOrchestratorCmd.MarkFlagRequired("client") + approveOrchestratorCmd.Flags().StringVarP( + &client, + "Client", + "c", + "", + "Approve a specific orchestrator by machine or Client name.", + ) + approveOrchestratorCmd.MarkFlagRequired("Client") // DISAPPROVE orchestrator command orchsCmd.AddCommand(disapproveOrchestratorCmd) - disapproveOrchestratorCmd.Flags().StringVarP(&client, "client", "c", "", "Disapprove a specific orchestrator by machine or client name.") - disapproveOrchestratorCmd.MarkFlagRequired("client") + disapproveOrchestratorCmd.Flags().StringVarP( + &client, + "Client", + "c", + "", + "Disapprove a specific orchestrator by machine or Client name.", + ) + disapproveOrchestratorCmd.MarkFlagRequired("Client") // RESET orchestrator command orchsCmd.AddCommand(resetOrchestratorCmd) - resetOrchestratorCmd.Flags().StringVarP(&client, "client", "c", "", "Reset a specific orchestrator by machine or client name.") - resetOrchestratorCmd.MarkFlagRequired("client") + resetOrchestratorCmd.Flags().StringVarP( + &client, + "Client", + "c", + "", + "Reset a specific orchestrator by machine or Client name.", + ) + resetOrchestratorCmd.MarkFlagRequired("Client") // GET orchestrator logs command orchsCmd.AddCommand(getLogsOrchestratorCmd) - getLogsOrchestratorCmd.Flags().StringVarP(&client, "client", "c", "", "Get logs for a specific orchestrator by machine or client name.") - getLogsOrchestratorCmd.MarkFlagRequired("client") + getLogsOrchestratorCmd.Flags().StringVarP( + &client, + "Client", + "c", + "", + "Get logs for a specific orchestrator by machine or Client name.", + ) + getLogsOrchestratorCmd.MarkFlagRequired("Client") // SET orchestrator auth certificate reenrollment command //orchsCmd.AddCommand(setOrchestratorAuthCertReenrollCmd) // Utility commands diff --git a/cmd/pam.go b/cmd/pam.go index 2b3e6ff..15fa054 100644 --- a/cmd/pam.go +++ b/cmd/pam.go @@ -18,12 +18,13 @@ import ( "context" "encoding/json" "fmt" - "github.com/Keyfactor/keyfactor-go-client-sdk/api/keyfactor" - "github.com/rs/zerolog/log" - "github.com/spf13/cobra" "io" "net/http" "os" + + "github.com/Keyfactor/keyfactor-go-client-sdk/api/keyfactor" + "github.com/rs/zerolog/log" + "github.com/spf13/cobra" ) type JSONImportableObject interface { @@ -136,7 +137,7 @@ https://github.com/Keyfactor/hashicorp-vault-pam/blob/main/integration-manifest. // Authenticate authConfig := createAuthConfigFromParams(kfcHostName, kfcUsername, kfcPassword, kfcDomain, kfcAPIPath) - //kfClient, _ := initClient(configFile, profile, providerType, providerProfile, noPrompt, authConfig, false) + //Client, _ := initClient(configFile, profile, providerType, providerProfile, noPrompt, authConfig, false) sdkClient, _ := initGenClient(configFile, profile, noPrompt, authConfig, false) // Check required flags @@ -230,7 +231,7 @@ var pamProvidersListCmd = &cobra.Command{ // Authenticate authConfig := createAuthConfigFromParams(kfcHostName, kfcUsername, kfcPassword, kfcDomain, kfcAPIPath) - //kfClient, _ := initClient(configFile, profile, providerType, providerProfile, noPrompt, authConfig, false) + //Client, _ := initClient(configFile, profile, providerType, providerProfile, noPrompt, authConfig, false) sdkClient, _ := initGenClient(configFile, profile, noPrompt, authConfig, false) // CLI Logic @@ -282,12 +283,15 @@ var pamProvidersGetCmd = &cobra.Command{ // Authenticate authConfig := createAuthConfigFromParams(kfcHostName, kfcUsername, kfcPassword, kfcDomain, kfcAPIPath) - //kfClient, _ := initClient(configFile, profile, providerType, providerProfile, noPrompt, authConfig, false) + //Client, _ := initClient(configFile, profile, providerType, providerProfile, noPrompt, authConfig, false) sdkClient, _ := initGenClient(configFile, profile, noPrompt, authConfig, false) // CLI Logic log.Debug().Msg("call: PAMProviderGetPamProvider()") - pamProvider, httpResponse, err := sdkClient.PAMProviderApi.PAMProviderGetPamProvider(context.Background(), pamProviderId). + pamProvider, httpResponse, err := sdkClient.PAMProviderApi.PAMProviderGetPamProvider( + context.Background(), + pamProviderId, + ). XKeyfactorRequestedWith(XKeyfactorRequestedWith).XKeyfactorApiVersion(XKeyfactorApiVersion). Execute() log.Debug().Msg("returned: PAMProviderGetPamProvider()") @@ -335,7 +339,7 @@ var pamProvidersCreateCmd = &cobra.Command{ // Authenticate authConfig := createAuthConfigFromParams(kfcHostName, kfcUsername, kfcPassword, kfcDomain, kfcAPIPath) - // kfClient, _ := initClient(configFile, profile, providerType, providerProfile, noPrompt, authConfig, false) + // Client, _ := initClient(configFile, profile, providerType, providerProfile, noPrompt, authConfig, false) sdkClient, _ := initGenClient(configFile, profile, noPrompt, authConfig, false) // CLI Logic @@ -399,7 +403,7 @@ var pamProvidersUpdateCmd = &cobra.Command{ // Authenticate authConfig := createAuthConfigFromParams(kfcHostName, kfcUsername, kfcPassword, kfcDomain, kfcAPIPath) - //kfClient, _ := initClient(configFile, profile, providerType, providerProfile, noPrompt, authConfig, false) + //Client, _ := initClient(configFile, profile, providerType, providerProfile, noPrompt, authConfig, false) sdkClient, _ := initGenClient(configFile, profile, noPrompt, authConfig, false) // CLI Logic @@ -466,7 +470,7 @@ var pamProvidersDeleteCmd = &cobra.Command{ // Authenticate authConfig := createAuthConfigFromParams(kfcHostName, kfcUsername, kfcPassword, kfcDomain, kfcAPIPath) - //kfClient, _ := initClient(configFile, profile, providerType, providerProfile, noPrompt, authConfig, false) + //Client, _ := initClient(configFile, profile, providerType, providerProfile, noPrompt, authConfig, false) sdkClient, _ := initGenClient(configFile, profile, noPrompt, authConfig, false) // CLI Logic @@ -500,7 +504,11 @@ func GetPAMTypeInternet(providerName string, repo string, branch string) (interf branch = "main" } - providerUrl := fmt.Sprintf("https://raw.githubusercontent.com/Keyfactor/%s/%s/integration-manifest.json", repo, branch) + providerUrl := fmt.Sprintf( + "https://raw.githubusercontent.com/Keyfactor/%s/%s/integration-manifest.json", + repo, + branch, + ) log.Debug().Str("providerUrl", providerUrl). Msg("Getting PAM Type from Internet") response, err := http.Get(providerUrl) @@ -558,7 +566,10 @@ func GetPAMTypeInternet(providerName string, repo string, branch string) (interf return pamTypeJson, nil } -func GetTypeFromInternet[T JSONImportableObject](providerName string, repo string, branch string, returnType *T) (*T, error) { +func GetTypeFromInternet[T JSONImportableObject](providerName string, repo string, branch string, returnType *T) ( + *T, + error, +) { log.Debug().Str("providerName", providerName). Str("repo", repo). Str("branch", branch). @@ -629,10 +640,22 @@ func init() { // PAM Provider Types Create pamCmd.AddCommand(pamTypesCreateCmd) - pamTypesCreateCmd.Flags().StringVarP(&filePath, FlagFromFile, "f", "", "Path to a JSON file containing the PAM Type Object Data.") + pamTypesCreateCmd.Flags().StringVarP( + &filePath, + FlagFromFile, + "f", + "", + "Path to a JSON file containing the PAM Type Object Data.", + ) pamTypesCreateCmd.Flags().StringVarP(&name, "name", "n", "", "Name of the PAM Provider Type.") pamTypesCreateCmd.Flags().StringVarP(&repo, "repo", "r", "", "Keyfactor repository name of the PAM Provider Type.") - pamTypesCreateCmd.Flags().StringVarP(&branch, "branch", "b", "", "Branch name for the repository. Defaults to 'main'.") + pamTypesCreateCmd.Flags().StringVarP( + &branch, + "branch", + "b", + "", + "Branch name for the repository. Defaults to 'main'.", + ) // PAM Providers pamCmd.AddCommand(pamProvidersListCmd) @@ -641,11 +664,23 @@ func init() { pamProvidersGetCmd.MarkFlagRequired("id") pamCmd.AddCommand(pamProvidersCreateCmd) - pamProvidersCreateCmd.Flags().StringVarP(&filePath, FlagFromFile, "f", "", "Path to a JSON file containing the PAM Provider Object Data.") + pamProvidersCreateCmd.Flags().StringVarP( + &filePath, + FlagFromFile, + "f", + "", + "Path to a JSON file containing the PAM Provider Object Data.", + ) pamProvidersCreateCmd.MarkFlagRequired(FlagFromFile) pamCmd.AddCommand(pamProvidersUpdateCmd) - pamProvidersUpdateCmd.Flags().StringVarP(&filePath, FlagFromFile, "f", "", "Path to a JSON file containing the PAM Provider Object Data.") + pamProvidersUpdateCmd.Flags().StringVarP( + &filePath, + FlagFromFile, + "f", + "", + "Path to a JSON file containing the PAM Provider Object Data.", + ) pamProvidersUpdateCmd.MarkFlagRequired(FlagFromFile) pamCmd.AddCommand(pamProvidersDeleteCmd) diff --git a/cmd/root.go b/cmd/root.go index fe1dc3c..9f7c38f 100644 --- a/cmd/root.go +++ b/cmd/root.go @@ -224,9 +224,9 @@ func initClient( if err != nil { //fmt.Printf("Error connecting to Keyfactor: %s\n", err) outputError(err, true, "text") - return nil, fmt.Errorf("unable to create Keyfactor Command client: %s", err) + return nil, fmt.Errorf("unable to create Keyfactor Command Client: %s", err) } - log.Info().Msg("Keyfactor Command client created") + log.Info().Msg("Keyfactor Command Client created") return c, nil } diff --git a/cmd/rot.go b/cmd/rot.go index 05abc87..91ec2c1 100644 --- a/cmd/rot.go +++ b/cmd/rot.go @@ -18,7 +18,6 @@ import ( "bufio" "context" "encoding/csv" - "encoding/json" "errors" "fmt" "net/http" @@ -97,566 +96,7 @@ func templateTypeCompletion(cmd *cobra.Command, args []string, toComplete string }, cobra.ShellCompDirectiveDefault } -func generateAuditReport( - addCerts map[string]string, - removeCerts map[string]string, - stores map[string]StoreCSVEntry, - outputFilePath string, - kfClient *api.Client, -) ([][]string, map[string][]ROTAction, error) { - log.Debug().Msg(fmt.Sprintf(DebugFuncEnter, "generateAuditReport")) - - log.Info().Str("output_file", outputFilePath).Msg("Generating audit report") - var ( - data [][]string - ) - - data = append(data, AuditHeader) - var csvFile *os.File - var fErr error - log.Debug().Str("output_file", outputFilePath).Msg("Checking for output file") - if outputFilePath == "" { - log.Debug().Str("output_file", reconcileDefaultFileName).Msg("No output file specified, using default") - csvFile, fErr = os.Create(reconcileDefaultFileName) - outputFilePath = reconcileDefaultFileName - } else { - csvFile, fErr = os.Create(outputFilePath) - } - - if fErr != nil { - fmt.Printf("%s", fErr) - log.Error().Err(fErr).Str("output_file", outputFilePath).Msg("Error creating output file") - } - - log.Trace().Str("output_file", outputFilePath).Msg("Creating CSV writer") - csvWriter := csv.NewWriter(csvFile) - log.Debug().Str("output_file", outputFilePath).Strs("csv_header", AuditHeader).Msg("Writing header to CSV") - cErr := csvWriter.Write(AuditHeader) - if cErr != nil { - log.Error().Err(cErr).Str("output_file", outputFilePath).Msg("Error writing header to CSV") - return nil, nil, cErr - } - - log.Trace().Str("output_file", outputFilePath).Msg("Creating actions map") - actions := make(map[string][]ROTAction) - - var errs []error - for tp, cId := range addCerts { - log.Debug().Str("thumbprint", tp). - Str("cert_id", cId). - Msg("Looking up certificate") - certLookupReq := api.GetCertificateContextArgs{} - if cId != "" { - certIdInt, cErr := strconv.Atoi(cId) - if cErr != nil { - log.Error(). - Err(cErr). - Str("thumbprint", tp). - Msg("Error converting cert ID to integer, skipping") - errs = append(errs, cErr) - continue - } - certLookupReq = api.GetCertificateContextArgs{ - IncludeMetadata: boolToPointer(true), - IncludeLocations: boolToPointer(true), - CollectionId: nil, //todo: add CollectionID support - Thumbprint: "", - Id: certIdInt, - } - } else { - certLookupReq = api.GetCertificateContextArgs{ - IncludeMetadata: boolToPointer(true), - IncludeLocations: boolToPointer(true), - CollectionId: nil, //todo: add CollectionID support - Thumbprint: tp, - Id: 0, //todo: should also allow KFC ID - } - } - - log.Debug(). - Str("thumbprint", tp). - Msg(fmt.Sprintf(DebugFuncCall, "kfClient.GetCertificateContext")) - certLookup, err := kfClient.GetCertificateContext(&certLookupReq) - if err != nil { - log.Error(). - Err(err). - Str("thumbprint", tp). - Msg("Error looking up certificate, skipping") - errMsg := fmt.Errorf( - "error recieved from Keyfactor Command when looking up thumbprint '%s':'%w'", - tp, - err, - ) - errs = append(errs, errMsg) - continue - } - certID := certLookup.Id - certIDStr := strconv.Itoa(certID) - log.Debug().Str("thumbprint", tp).Msg("Iterating over stores") - for _, store := range stores { - log.Debug().Str("thumbprint", tp).Str("store_id", store.ID).Msg("Checking if cert is deployed to store") - if _, ok := store.Thumbprints[tp]; ok { - // Cert is already in the store do nothing - log.Info().Str("thumbprint", tp).Str("store_id", store.ID).Msg("Cert is already deployed to store") - row := []string{ - //todo: this should be a toCSV field on whatever object this is - tp, - certIDStr, - certLookup.IssuedDN, - certLookup.IssuerDN, - store.ID, - store.Type, - store.Machine, - store.Path, - "false", - "false", - "true", - getCurrentTime(""), - } - log.Trace().Str("thumbprint", tp).Strs("row", row).Msg("Appending data row") - data = append(data, row) - log.Trace().Str("thumbprint", tp).Strs("row", row).Msg("Writing data row to CSV") - wErr := csvWriter.Write(row) - if wErr != nil { - log.Error(). - Err(wErr). - Str("thumbprint", tp). - Str("output_file", outputFilePath). - Strs("row", row). - Msg("Error writing row to CSV") - } - } else { - // Cert is not deployed to this store and will need to be added - log.Info(). - Str("thumbprint", tp). - Str("store_id", store.ID). - Msg("Cert is not deployed to store") - row := []string{ - //todo: this should be a toCSV - tp, - certIDStr, - certLookup.IssuedDN, - certLookup.IssuerDN, - store.ID, - store.Type, - store.Machine, - store.Path, - "true", - "false", - "false", - getCurrentTime(""), - } - log.Trace(). - Str("thumbprint", tp). - Strs("row", row). - Msg("Appending data row") - data = append(data, row) - log.Debug(). - Str("thumbprint", tp). - Strs("row", row). - Msg("Writing data row to CSV") - wErr := csvWriter.Write(row) - if wErr != nil { - log.Error(). - Err(wErr). - Str("thumbprint", tp). - Str("output_file", outputFilePath). - Strs("row", row). - Msg("Error writing row to CSV") - } - log.Debug(). - Str("thumbprint", tp). - Msg("Adding 'add' action to actions map") - actions[tp] = append( - actions[tp], ROTAction{ - Thumbprint: tp, - CertID: certID, - StoreID: store.ID, - StoreType: store.Type, - StorePath: store.Path, - AddCert: true, - RemoveCert: false, - Deployed: false, - }, - ) - } - } - } - for tp, cId := range removeCerts { - log.Debug().Str("thumbprint", tp). - Str("cert_id", cId). - Msg("Looking up certificate") - certLookupReq := api.GetCertificateContextArgs{} - if cId != "" { - certIdInt, cErr := strconv.Atoi(cId) - if cErr != nil { - log.Error(). - Err(cErr). - Str("thumbprint", tp). - Msg("Error converting cert ID to integer, skipping") - errs = append(errs, cErr) - continue - } - certLookupReq = api.GetCertificateContextArgs{ - IncludeMetadata: boolToPointer(true), - IncludeLocations: boolToPointer(true), - CollectionId: nil, //todo: add CollectionID support - Thumbprint: "", - Id: certIdInt, - } - } else { - certLookupReq = api.GetCertificateContextArgs{ - IncludeMetadata: boolToPointer(true), - IncludeLocations: boolToPointer(true), - CollectionId: nil, //todo: add CollectionID support - Thumbprint: tp, - Id: 0, //todo: should also allow KFC ID - } - } - - log.Debug(). - Str("thumbprint", tp). - Msg(fmt.Sprintf(DebugFuncCall, "kfClient.GetCertificateContext")) - certLookup, err := kfClient.GetCertificateContext(&certLookupReq) - if err != nil { - log.Error(). - Err(err). - Str("thumbprint", tp). - Msg("Error looking up certificate, skipping") - errMsg := fmt.Errorf( - "error recieved from Keyfactor Command when looking up thumbprint '%s':'%w'", - tp, - err, - ) - errs = append(errs, errMsg) - continue - } - certID := certLookup.Id - certIDStr := strconv.Itoa(certID) - log.Debug().Str("thumbprint", tp).Msg("Iterating over stores") - for _, store := range stores { - log.Debug().Str("thumbprint", tp).Str("store_id", store.ID).Msg("Checking if cert is deployed to store") - if _, ok := store.Thumbprints[tp]; !ok { - // Cert is already in the store do nothing - log.Info().Str("thumbprint", tp).Str("store_id", store.ID).Msg("Cert is not deployed to store") - row := []string{ - //todo: this should be a toCSV field on whatever object this is - tp, - certIDStr, - certLookup.IssuedDN, - certLookup.IssuerDN, - store.ID, - store.Type, - store.Machine, - store.Path, - "false", // Add to store - "false", // Remove from store - "false", // Is Deployed - getCurrentTime(""), - } - log.Trace().Str("thumbprint", tp).Strs("row", row).Msg("Appending data row") - data = append(data, row) - log.Trace().Str("thumbprint", tp).Strs("row", row).Msg("Writing data row to CSV") - wErr := csvWriter.Write(row) - if wErr != nil { - log.Error(). - Err(wErr). - Str("thumbprint", tp). - Str("output_file", outputFilePath). - Strs("row", row). - Msg("Error writing row to CSV") - } - } else { - // Cert is deployed to this store and will need to be removed - log.Info(). - Str("thumbprint", tp). - Str("store_id", store.ID). - Msg("Cert is deployed to store") - row := []string{ - //todo: this should be a toCSV - tp, - certIDStr, - certLookup.IssuedDN, - certLookup.IssuerDN, - store.ID, - store.Type, - store.Machine, - store.Path, - "false", // Add to store - "true", // Remove from store - "true", // Is Deployed - getCurrentTime(""), - } - log.Trace(). - Str("thumbprint", tp). - Strs("row", row). - Msg("Appending data row") - data = append(data, row) - log.Debug(). - Str("thumbprint", tp). - Strs("row", row). - Msg("Writing data row to CSV") - wErr := csvWriter.Write(row) - if wErr != nil { - log.Error(). - Err(wErr). - Str("thumbprint", tp). - Str("output_file", outputFilePath). - Strs("row", row). - Msg("Error writing row to CSV") - } - log.Debug(). - Str("thumbprint", tp). - Msg("Adding 'remove' action to actions map") - actions[tp] = append( - actions[tp], ROTAction{ - Thumbprint: tp, - StoreAlias: "", //TODO get this value - CertID: certID, - StoreID: store.ID, - StoreType: store.Type, - StorePath: store.Path, - AddCert: false, - RemoveCert: true, - Deployed: true, - }, - ) - } - } - } - log.Trace(). - Str("output_file", outputFilePath). - Msg("Flushing CSV writer") - csvWriter.Flush() - log.Trace(). - Str("output_file", outputFilePath). - Msg("Closing CSV file") - ioErr := csvFile.Close() - if ioErr != nil { - log.Error(). - Err(ioErr). - Str("output_file", outputFilePath). - Msg("Error closing CSV file") - } - log.Info(). - Str("output_file", outputFilePath). - Msg("Audit report written to disk successfully") - fmt.Printf("Audit report written to %s\n", outputFilePath) //todo: remove or propagate message to CLI - fmt.Printf( - "Please review the report and run `kfutil stores rot reconcile --import-csv --input"+ - "-file %s` apply the changes\n", outputFilePath, - ) - - if len(errs) > 0 { - errStr := mergeErrsToString(&errs, false) - log.Trace().Str("output_file", outputFilePath).Str( - "errors", - errStr, - ).Msg("The following errors occurred while generating audit report") - return data, actions, fmt.Errorf("the following errors occurred while generating audit report:\r\n%s", errStr) - } - log.Debug().Msg(fmt.Sprintf(DebugFuncExit, "generateAuditReport")) - return data, actions, nil -} - -func reconcileRoots(actions map[string][]ROTAction, kfClient *api.Client, reportFile string, dryRun bool) error { - log.Debug().Msg(fmt.Sprintf(DebugFuncEnter, "reconcileRoots")) - if len(actions) == 0 { - log.Info().Msg("No actions to reconcile detected, root of trust stores are up-to-date.") - return nil - } - log.Info().Msg("Reconciling root of trust stores") - - rFileName := fmt.Sprintf("%s_reconciled.csv", strings.Split(reportFile, ".csv")[0]) - log.Debug(). - Str("report_file", reportFile). - Str("reconciled_file", rFileName). - Msg("Creating reconciled report file") - csvFile, fErr := os.Create(rFileName) - if fErr != nil { - log.Error(). - Err(fErr). - Str("reconciled_file", rFileName). - Msg("Error creating reconciled report file") - return fErr - } - log.Trace().Str("reconciled_file", rFileName).Msg("Creating CSV writer") - csvWriter := csv.NewWriter(csvFile) - - log.Debug().Str("reconciled_file", rFileName).Strs("csv_header", ReconciledAuditHeader).Msg("Writing header to CSV") - cErr := csvWriter.Write(ReconciledAuditHeader) - if cErr != nil { - log.Error().Err(cErr).Str("reconciled_file", rFileName).Msg("Error writing header to CSV") - return cErr - } - log.Info().Str("report_file", reportFile).Msg("Processing reconciliation actions") - var errs []error - for thumbprint, action := range actions { - for _, a := range action { - if a.AddCert { - if !dryRun { - log.Info().Str("thumbprint", thumbprint).Str("store_id", a.StoreID).Str( - "store_path", - a.StorePath, - ).Msg("Attempting to add cert to store") - log.Debug().Str("thumbprint", thumbprint).Str( - "store_id", - a.StoreID, - ).Msg("Creating orchestrator 'add' job request") - - log.Trace().Str("thumbprint", thumbprint).Str( - "store_id", - a.StoreID, - ).Msg("Creating certificate store object") - apiStore := api.CertificateStore{ - CertificateStoreId: a.StoreID, - Overwrite: true, - } - - log.Trace().Str("thumbprint", thumbprint).Str( - "store_id", - a.StoreID, - ).Msg("Creating certificate store array") - var stores []api.CertificateStore - log.Trace().Str("thumbprint", thumbprint).Str( - "store_id", - a.StoreID, - ).Msg("Appending certificate store to array") - stores = append(stores, apiStore) - - log.Trace().Str("thumbprint", thumbprint).Str( - "store_id", - a.StoreID, - ).Msg("Creating inventory 'immediate' schedule") - schedule := &api.InventorySchedule{ - Immediate: boolToPointer(true), - } - - log.Trace().Str("thumbprint", thumbprint).Str( - "store_id", - a.StoreID, - ).Msg("Creating add certificate request") - addReq := api.AddCertificateToStore{ - CertificateId: a.CertID, - CertificateStores: &stores, - InventorySchedule: schedule, - } - - log.Trace().Str("thumbprint", thumbprint).Interface( - "add_request", - addReq, - ).Msg("Converting add request to JSON") - addReqJSON, jErr := json.Marshal(addReq) - if jErr != nil { - log.Error().Err(jErr).Str("thumbprint", thumbprint).Msg("Error converting add request to JSON") - errMsg := fmt.Errorf( - "error converting add request for '%s' in stores '%v' to JSON: %s", - thumbprint, stores, jErr, - ) - errs = append(errs, errMsg) - continue - } - log.Debug().Str("thumbprint", thumbprint).Str( - "add_request", - string(addReqJSON), - ).Msg(fmt.Sprintf(DebugFuncCall, "kfClient.AddCertificateToStores")) - _, err := kfClient.AddCertificateToStores(&addReq) - if err != nil { - fmt.Printf( - "ERROR adding cert %s(%d) to store %s: %s\n", - a.Thumbprint, - a.CertID, - a.StoreID, - err, - ) - log.Error().Err(err).Str("thumbprint", thumbprint).Str( - "store_id", - a.StoreID, - ).Str("store_path", a.StorePath).Msg("unable to add cert to store") - continue - } - } else { - log.Info().Str("thumbprint", thumbprint).Str( - "store_id", - a.StoreID, - ).Msg("DRY RUN: Would have added cert to store") - } - } else if a.RemoveCert { - if !dryRun { - log.Info().Str("thumbprint", thumbprint).Str( - "store_id", - a.StoreID, - ).Msg("Attempting to remove cert from store") - cStore := api.CertificateStore{ - CertificateStoreId: a.StoreID, - Alias: a.Thumbprint, //todo: support non-thumbprint aliases - } - log.Trace().Interface("store_object", cStore).Msg("Converting store to slice of single store") - var stores []api.CertificateStore - stores = append(stores, cStore) - - log.Trace().Str("thumbprint", thumbprint).Str( - "store_id", - a.StoreID, - ).Msg("Creating inventory 'immediate' schedule") - schedule := &api.InventorySchedule{ - Immediate: boolToPointer(true), - } - - log.Trace().Str("thumbprint", thumbprint).Str( - "store_id", - a.StoreID, - ).Msg("Creating remove certificate request") - removeReq := api.RemoveCertificateFromStore{ - CertificateId: a.CertID, - CertificateStores: &stores, - InventorySchedule: schedule, - } - log.Debug().Str("thumbprint", thumbprint).Interface( - "remove_request", - removeReq, - ).Msg(fmt.Sprintf(DebugFuncCall, "kfClient.RemoveCertificateFromStores")) - _, err := kfClient.RemoveCertificateFromStores(&removeReq) - if err != nil { - log.Error().Err(err).Str("thumbprint", thumbprint).Str( - "store_id", - a.StoreID, - ).Str("store_path", a.StorePath).Msg("unable to remove cert from store") - fmt.Printf( - "ERROR removing cert %s(%d) from store %s: %s\n", - a.Thumbprint, - a.CertID, - a.StoreID, - err, - ) - } - } else { - fmt.Printf( - "DRY RUN: Would have removed cert %s from store %s\n", thumbprint, - a.StoreID, - ) //todo: propagate back to CLI - log.Info().Str("thumbprint", thumbprint).Str( - "store_id", - a.StoreID, - ).Msg("DRY RUN: Would have removed cert from store") - } - } - } - } - log.Info().Str("reconciled_file", rFileName).Msg("Reconciliation actions scheduled on Keyfactor Command") - if len(errs) > 0 { - errStr := mergeErrsToString(&errs, false) - log.Trace().Str("reconciled_file", rFileName).Str( - "errors", - errStr, - ).Msg("The following errors occurred while reconciling actions") - return fmt.Errorf("The following errors occurred while reconciling actions:\r\n%s", errStr) - } - log.Debug().Msg(fmt.Sprintf(DebugFuncExit, "reconcileRoots")) - return nil -} - -func readCertsFile(certsFilePath string, kfclient *api.Client) (map[string]string, error) { +func readCertsFile(certsFilePath string) (map[string]string, error) { log.Debug().Msg(fmt.Sprintf(DebugFuncEnter, "readCertsFile")) // Read in the cert CSV log.Info().Str("certs_file", certsFilePath).Msg("Reading in certs file") @@ -686,6 +126,7 @@ func readCertsFile(certsFilePath string, kfclient *api.Client) (map[string]strin log.Trace().Str("certs_file", certsFilePath).Msg("Iterating over CSV data") headerMap := make(map[string]int) for i, entry := range certEntries { + log.Trace().Int("row", i).Msg("Processing row") if i == 0 { for j, h := range entry { headerMap[h] = j @@ -695,14 +136,19 @@ func readCertsFile(certsFilePath string, kfclient *api.Client) (map[string]strin log.Trace().Strs("entry", entry).Msg("Processing row") switch entry[0] { - case "CertID", "thumbprint", "id", "CertId", "Thumbprint": //todo: is there a way to do this with a var? + case "CertID", "thumbprint", "id", "CertId", "Thumbprint", + "Alias", "alias": //todo: is there a way to do this with a var? log.Trace().Strs("entry", entry).Msg("Skipping header row") continue // Skip header } - tp := entry[headerMap["Thumbprint"]] - if tp == "" { - log.Warn().Strs("entry", entry).Msg("Thumbprint is empty, skipping") - continue + alias := entry[headerMap["Alias"]] + if alias == "" { + tp := entry[headerMap["Thumbprint"]] + if tp == "" { + log.Warn().Strs("entry", entry).Msg("'Alias' and 'Thumbprint' are empty, skipping") + continue + } + alias = tp } cId := entry[headerMap["CertID"]] @@ -712,7 +158,7 @@ func readCertsFile(certsFilePath string, kfclient *api.Client) (map[string]strin } log.Trace().Strs("entry", entry).Msg("Adding thumbprint to map") - certs[tp] = cId + certs[alias] = cId log.Trace().Interface("certs", certs).Msg("Cert map") } log.Info().Str("certs_file", certsFilePath).Msg("Certs file read successfully") @@ -823,10 +269,8 @@ func isRootStore( return true } -func findTrustStores( - criteria *TrustStoreCriteria, +func (r *RootOfTrustManager) findTrustStores( containerName string, - c *api.Client, ) (*KFCStores, error) { log.Debug().Msg(fmt.Sprintf(DebugFuncEnter, "findTrustStores")) trustStores := KFCStores{ @@ -851,7 +295,7 @@ func findTrustStores( Str("container", containerName). Interface("params", params). Msg(fmt.Sprintf(DebugFuncCall, "c.ListCertificateStores")) - stList, stErr := c.ListCertificateStores(¶ms) + stList, stErr := r.Client.ListCertificateStores(¶ms) if stErr != nil { log.Error().Err(stErr).Msg("Error fetching stList from Keyfactor Command") return nil, stErr @@ -871,7 +315,7 @@ func findTrustStores( Str("store_path", st.StorePath). Str("client_machine", st.ClientMachine). Msg(fmt.Sprintf(DebugFuncCall, "GetCertStoreInventory")) - inventory, invErr := c.GetCertStoreInventory(st.Id) + inventory, invErr := r.Client.GetCertStoreInventory(st.Id) if invErr != nil { log.Error().Err(invErr).Str("store_id", st.Id).Msg("Error getting cert store inventory") errLine := fmt.Sprintf("%s,%s,%s,%s\n", st.Id, st.StorePath, st.ClientMachine, st.CertStoreType) @@ -888,14 +332,17 @@ func findTrustStores( } log.Debug().Str("store_id", st.Id). - Int("min_certs", criteria.MinCerts). - Int("max_keys", criteria.MaxKeys). - Int("max_leaf", criteria.MaxLeaf). + Int("min_certs", r.TrustStoreCriteria.MinCerts). + Int("max_keys", r.TrustStoreCriteria.MaxKeys). + Int("max_leaf", r.TrustStoreCriteria.MaxLeaves). Str("store_id", st.Id). Str("store_path", st.StorePath). Str("client_machine", st.ClientMachine). Msg(fmt.Sprintf(DebugFuncCall, "isRootStore")) - if isRootStore(&st, inventory, criteria.MinCerts, criteria.MaxKeys, criteria.MaxLeaf) { + if isRootStore( + &st, inventory, r.TrustStoreCriteria.MinCerts, r.TrustStoreCriteria.MaxKeys, + r.TrustStoreCriteria.MaxLeaves, + ) { log.Info(). Str("store_id", st.Id). Str("store_path", st.StorePath). @@ -909,9 +356,9 @@ func findTrustStores( continue } log.Info(). - Int("min_certs", criteria.MinCerts). - Int("max_keys", criteria.MaxKeys). - Int("max_leaf", criteria.MaxLeaf). + Int("min_certs", r.TrustStoreCriteria.MinCerts). + Int("max_keys", r.TrustStoreCriteria.MaxKeys). + Int("max_leaf", r.TrustStoreCriteria.MaxLeaves). Str("store_id", st.Id). Str("store_path", st.StorePath). Str("client_machine", st.ClientMachine). @@ -930,21 +377,106 @@ func findTrustStores( return &trustStores, nil } -func validateStoresInput(storesFile *string, noPrompt *bool, kfClient *api.Client) (string, error) { +func (r *RootOfTrustManager) validateStoresInput(storesFile *string, noPrompt *bool) error { + log.Debug().Msg(fmt.Sprintf(DebugFuncEnter, "validateStoresInput")) + if noPrompt == nil { noPrompt = boolToPointer(false) } + if (storesFile == nil || *storesFile == "") && r.StoresFilePath != "" { + log.Debug(). + Str("stores_file", r.StoresFilePath). + Bool("no_prompt", *noPrompt). + Msg("Setting stores file path from struct") + storesFile = &r.StoresFilePath + } + + log.Debug().Str("stores_file", *storesFile).Bool("no_prompt", *noPrompt).Msg("Validating stores input") + if storesFile == nil || *storesFile == "" { if *noPrompt { - return "", fmt.Errorf("stores file is required, use flag `--stores` to specify 1 or more file paths") + return fmt.Errorf("stores file is required, use flag `--stores` to specify 1 or more file paths") } apiOrFile := promptSelectRotStores("certificate stores") switch apiOrFile { + case "All": + selectedStores, sErr := r.Client.ListCertificateStores(nil) + if sErr != nil { + return sErr + } + if len(*selectedStores) == 0 { + return errors.New("no certificate stores selected, unable to continue") + } + //create stores file + storesFile = stringToPointer(DefaultROTAuditStoresOutfilePath) + // create file + f, ioErr := os.Create(*storesFile) + if ioErr != nil { + log.Error().Err(ioErr).Str("stores_file", *storesFile).Msg("Error creating stores file") + return ioErr + } + defer f.Close() + // create CSV writer + log.Debug().Str("stores_file", *storesFile).Msg("Creating CSV writer") + writer := csv.NewWriter(f) + defer writer.Flush() + // write header + log.Debug().Str("stores_file", *storesFile).Msg("Writing header to stores file") + wErr := writer.Write(StoreHeader) + if wErr != nil { + log.Error().Err(wErr).Str("stores_file", *storesFile).Msg("Error writing header to stores file") + return wErr + } + // write selected stores + r.Stores = make(map[string]*TrustStore) + for _, store := range *selectedStores { + log.Debug().Str("store_id", store.Id).Msg("Adding store to stores file") + //parse ID from selection `: ` + storeId := store.Id + //remove () and white spaces from storeId + storeId = strings.Trim(strings.Trim(strings.Trim(storeId, " "), "("), ")") + + tStore := TrustStore{ + StoreID: storeId, + StoreType: fmt.Sprintf("%d", store.CertStoreType), //todo: look up name + StoreMachine: store.ClientMachine, + StorePath: store.StorePath, + ContainerName: store.ContainerName, + ContainerID: store.ContainerId, + Inventory: []api.CertStoreInventory{}, + } + + r.Stores[storeId] = &tStore + + storeInstance := ROTStore{ + StoreID: storeId, + StoreType: fmt.Sprintf("%d", store.CertStoreType), //todo: look up name + StoreMachine: store.ClientMachine, + StorePath: store.StorePath, + ContainerId: fmt.Sprintf("%d", store.ContainerId), + ContainerName: store.ContainerName, + LastQueried: "", + } + storeLine := storeInstance.toCSV() + + wErr = writer.Write(strings.Split(storeLine, ",")) + if wErr != nil { + log.Error().Err(wErr).Str( + "stores_file", + *storesFile, + ).Msg("Error writing store to stores file") + continue + } + } + writer.Flush() + f.Close() + r.StoresFilePath = *storesFile + return nil case "Manual Select": - selectedStores := promptSelectStores(kfClient) + selectedStores := promptSelectStores(r.Client) if len(selectedStores) == 0 { - return "", errors.New("no certificate stores selected, unable to continue") + return errors.New("no certificate stores selected, unable to continue") } //create stores file storesFile = stringToPointer(fmt.Sprintf("%s", DefaultROTAuditStoresOutfilePath)) @@ -952,7 +484,7 @@ func validateStoresInput(storesFile *string, noPrompt *bool, kfClient *api.Clien f, ioErr := os.Create(*storesFile) if ioErr != nil { log.Error().Err(ioErr).Str("stores_file", *storesFile).Msg("Error creating stores file") - return "", ioErr + return ioErr } defer f.Close() // create CSV writer @@ -964,7 +496,7 @@ func validateStoresInput(storesFile *string, noPrompt *bool, kfClient *api.Clien wErr := writer.Write(StoreHeader) if wErr != nil { log.Error().Err(wErr).Str("stores_file", *storesFile).Msg("Error writing header to stores file") - return "", wErr + return wErr } // write selected stores for _, store := range selectedStores { @@ -996,23 +528,26 @@ func validateStoresInput(storesFile *string, noPrompt *bool, kfClient *api.Clien } writer.Flush() f.Close() - return *storesFile, nil + r.StoresFilePath = *storesFile + return nil case "File": - return promptForFilePath("Input a file path for the CSV file containing stores to audit."), nil - case "Discover": + + r.StoresFilePath = promptForFilePath("Input a file path for the CSV file containing stores to audit.") + return nil + case "Search": promptForCriteria() - trusts, sErr := findTrustStores(&trustCriteria, "", kfClient) + trusts, sErr := r.findTrustStores("") if sErr != nil { - return "", sErr + return sErr } else if trusts == nil || trusts.Stores == nil || len(trusts.Stores) == 0 { - return "", fmt.Errorf("no trust stores found using the following criteria:\n%s", trustCriteria.String()) + return fmt.Errorf("no trust stores found using the following criteria:\n%s", trustCriteria.String()) } - storesFile = stringToPointer(fmt.Sprintf("%s", DefaultROTAuditStoresOutfilePath)) + storesFile = stringToPointer(DefaultROTAuditStoresOutfilePath) // create file f, ioErr := os.Create(*storesFile) if ioErr != nil { log.Error().Err(ioErr).Str("stores_file", *storesFile).Msg("Error creating stores file") - return "", ioErr + return ioErr } defer f.Close() // create CSV writer @@ -1024,7 +559,7 @@ func validateStoresInput(storesFile *string, noPrompt *bool, kfClient *api.Clien wErr := writer.Write(StoreHeader) if wErr != nil { log.Error().Err(wErr).Str("stores_file", *storesFile).Msg("Error writing header to stores file") - return "", wErr + return wErr } for _, store := range trusts.Stores { storeInstance := ROTStore{ @@ -1047,27 +582,24 @@ func validateStoresInput(storesFile *string, noPrompt *bool, kfClient *api.Clien continue } } - return f.Name(), nil + r.StoresFilePath = f.Name() + return nil default: - return "", errors.New("invalid selection") + errors.New("invalid selection") } } - return *storesFile, nil + r.StoresFilePath = *storesFile + return nil } -func validateCertsInput(addRootsFile string, removeRootsFile string, client *api.Client) ( - string, - string, - error, -) { +func (r *RootOfTrustManager) validateCertsInput(addRootsFile string, removeRootsFile string, noPrompt bool) error { log.Debug().Str("add_certs_file", addRootsFile). Str("remove_certs_file", removeRootsFile). Bool("no_prompt", noPrompt). Msg(fmt.Sprintf(DebugFuncEnter, "validateCertsInput")) if addRootsFile == "" && removeRootsFile == "" && noPrompt { - //cmd.SilenceUsage = false //todo: is this necessary? - return addRootsFile, removeRootsFile, InvalidROTCertsInputErr + return InvalidROTCertsInputErr } if addRootsFile == "" || removeRootsFile == "" { @@ -1079,9 +611,9 @@ func validateCertsInput(addRootsFile string, removeRootsFile string, client *api addSrcType := promptSelectFromAPIorFile("certificates") switch addSrcType { case "API": - selectedCerts := promptSelectCerts(client) + selectedCerts := promptSelectCerts(r.Client) if len(selectedCerts) == 0 { - return "", "", InvalidROTCertsInputErr + return InvalidROTCertsInputErr } //create stores file addRootsFile = fmt.Sprintf("%s", DefaultROTAuditAddCertsOutfilePath) @@ -1092,7 +624,7 @@ func validateCertsInput(addRootsFile string, removeRootsFile string, client *api "add_certs_file", addRootsFile, ).Msg("Error creating certs to add file") - return addRootsFile, removeRootsFile, ioErr + return ioErr } defer f.Close() // create CSV writer @@ -1107,7 +639,7 @@ func validateCertsInput(addRootsFile string, removeRootsFile string, client *api "stores_file", addRootsFile, ).Msg("Error writing header to stores file") - return addRootsFile, removeRootsFile, wErr + return wErr } // write selected stores for _, c := range selectedCerts { @@ -1169,9 +701,9 @@ func validateCertsInput(addRootsFile string, removeRootsFile string, client *api remSrcType := promptSelectFromAPIorFile("certificates") switch remSrcType { case "API": - selectedCerts := promptSelectCerts(client) + selectedCerts := promptSelectCerts(r.Client) if len(selectedCerts) == 0 { - return "", "", InvalidROTCertsInputErr + return InvalidROTCertsInputErr } //create stores file removeRootsFile = fmt.Sprintf("%s", DefaultROTAuditRemoveCertsOutfilePath) @@ -1182,7 +714,7 @@ func validateCertsInput(addRootsFile string, removeRootsFile string, client *api "remove_certs_file", removeRootsFile, ).Msg("Error creating certs to remove file") - return addRootsFile, removeRootsFile, ioErr + return ioErr } defer f.Close() // create CSV writer @@ -1197,7 +729,7 @@ func validateCertsInput(addRootsFile string, removeRootsFile string, client *api "stores_file", removeRootsFile, ).Msg("Error writing header to stores file") - return addRootsFile, removeRootsFile, wErr + return wErr } // write selected stores for _, c := range selectedCerts { @@ -1252,564 +784,14 @@ func validateCertsInput(addRootsFile string, removeRootsFile string, client *api } } if addRootsFile == "" && removeRootsFile == "" { - return "", "", InvalidROTCertsInputErr + return InvalidROTCertsInputErr } } - return addRootsFile, removeRootsFile, nil - -} - -func processFromStoresAndCertFiles( - storesFile string, - addRootsFile string, - removeRootsFile string, - reportFile string, - outputFilePath string, - minCerts int, - maxLeaves int, - maxKeys int, - kfClient *api.Client, - dryRun bool, -) error { - // Read in the stores CSV - log.Debug().Str("stores_file", storesFile).Msg("Reading in stores file") - csvFile, _ := os.Open(storesFile) - reader := csv.NewReader(bufio.NewReader(csvFile)) - storeEntries, _ := reader.ReadAll() - var stores = make(map[string]StoreCSVEntry) - var lookupFailures []string - var errs []error - for i, row := range storeEntries { - if len(row) == 0 { - log.Warn(). - Str("stores_file", storesFile). - Int("row", i).Msg("Skipping empty row") - continue - } else if row[0] == "StoreID" || row[0] == "StoreId" || i == 0 { - log.Trace().Strs("row", row).Msg("Skipping header row") - continue // Skip header - } + r.AddCertsFilePath = addRootsFile + r.RemoveCertsFilePath = removeRootsFile - log.Debug().Strs("row", row). - Str("store_id", row[0]). - Msg(fmt.Sprintf(DebugFuncCall, "kfClient.GetCertificateStoreByID")) - apiResp, err := kfClient.GetCertificateStoreByID(row[0]) - if err != nil { - errs = append(errs, err) - log.Error().Err(err).Str("store_id", row[0]).Msg("failed to retrieve store from Keyfactor Command") - lookupFailures = append(lookupFailures, row[0]) - continue - } - - log.Debug().Str("store_id", row[0]).Msg(fmt.Sprintf(DebugFuncCall, "kfClient.GetCertStoreInventoryV1")) - inventory, invErr := kfClient.GetCertStoreInventory(row[0]) - if invErr != nil { - errs = append(errs, invErr) - log.Error().Err(invErr).Str( - "store_id", - row[0], - ).Msg("failed to retrieve inventory for certificate store from Keyfactor Command") - continue - } - - if !isRootStore(apiResp, inventory, minCerts, maxLeaves, maxKeys) { - log.Error().Str( - "store_id", - row[0], - ).Msg("Store is not considered a root of trust store and will be excluded.") - errs = append(errs, fmt.Errorf("store '%s' is not considered a root of trust store", row[0])) - continue - } - - log.Info().Str("store_id", row[0]).Msg("Store is considered a root of trust store") - log.Trace().Str("store_id", row[0]).Msg("Creating StoreCSVEntry object") - stores[row[0]] = StoreCSVEntry{ - ID: row[0], - Type: row[1], - Machine: row[2], - Path: row[3], - Thumbprints: make(map[string]bool), - Serials: make(map[string]bool), - Ids: make(map[int]bool), - } - - log.Debug().Str("store_id", row[0]).Msg( - "Iterating over inventory for thumbprints, " + - "serial numbers and cert IDs", - ) - for _, cert := range *inventory { - log.Trace().Str("store_id", row[0]).Interface("cert", cert).Msg("Processing inventory") - thumb := cert.Thumbprints - for t, v := range thumb { - log.Trace().Str("store_id", row[0]). - Str("value", v). - Int("thumbprint", t).Msg("Adding cert thumbprint to store object") - //stores[row[0]].Thumbprints[t] = v - } - for t, v := range cert.Serials { - log.Trace().Str("store_id", row[0]). - Str("value", v). - Int("serial", t).Msg("Adding cert serial to store object") - //stores[row[0]].Serials[t] = v - } - for t, v := range cert.Ids { - log.Trace().Str("store_id", row[0]). - Int("value", v). - Int("cert_id", t).Msg("Adding cert ID to store object") - //stores[row[0]].Ids[t] = v - } - } - } - if len(lookupFailures) > 0 { - errMsg := fmt.Errorf("The following stores were not found:\r\n%s", strings.Join(lookupFailures, ",\r\n")) - fmt.Printf(errMsg.Error()) - log.Error().Err(errMsg). - Strs("lookup_failures", lookupFailures). - Msg("The following stores could not be found") - if len(errs) > 0 { - apiErrs := mergeErrsToString(&errs, false) - errMsg = fmt.Errorf("%s\r\n%s", errMsg, apiErrs) - } - return errMsg - } - if len(stores) == 0 { - errMsg := fmt.Errorf("no root of trust stores found that meet the defined criteria") - log.Error(). - Err(errMsg). - Int("min_certs", minCerts). - Int("max_leaves", maxLeaves). - Int("max_keys", maxKeys).Send() - - if len(errs) > 0 { - apiErrs := mergeErrsToString(&errs, false) - errMsg = fmt.Errorf("%s\r\n%s", errMsg, apiErrs) - } - return errMsg - } - // Read in the add addCerts CSV - var certsToAdd = make(map[string]string) - var rErr error - if addRootsFile == "" { - log.Info().Msg("No add certs file specified, add operations will not be performed") - } else { - log.Info().Str("add_certs_file", addRootsFile).Msg("Reading certs to add file") - log.Debug().Str("add_certs_file", addRootsFile).Msg(fmt.Sprintf(DebugFuncCall, "readCertsFile")) - certsToAdd, rErr = readCertsFile(addRootsFile, kfClient) - if rErr != nil { - log.Error().Err(rErr).Str("add_certs_file", addRootsFile).Msg("Error reading certs to add file") - if len(errs) > 0 { - apiErrs := mergeErrsToString(&errs, false) - rErr = fmt.Errorf("%s\r\n%s", rErr, apiErrs) - } - return rErr - } - log.Debug().Str("add_certs_file", addRootsFile).Msg("finished reading certs to add file") - } - - // Read in the remove removeCerts CSV - var certsToRemove = make(map[string]string) - if removeRootsFile == "" { - log.Info().Msg("No remove certs file specified, remove operations will not be performed") - } else { - log.Info().Str("remove_certs_file", removeRootsFile).Msg("Reading certs to remove file") - log.Debug().Str("remove_certs_file", removeRootsFile).Msg(fmt.Sprintf(DebugFuncCall, "readCertsFile")) - certsToRemove, rErr = readCertsFile(removeRootsFile, kfClient) - if rErr != nil { - log.Error().Err(rErr).Str("remove_certs_file", removeRootsFile).Msg("Error reading certs to remove file") - if len(errs) > 0 { - apiErrs := mergeErrsToString(&errs, false) - rErr = fmt.Errorf("%s\r\n%s", rErr, apiErrs) - } - return rErr - } - } - - if len(certsToAdd) == 0 && len(certsToRemove) == 0 { - log.Info().Msg("No add or remove operations specified, please verify your configuration") - if len(errs) > 0 { - apiErrs := mergeErrsToString(&errs, false) - return fmt.Errorf(apiErrs) - } - fmt.Println("No add or remove operations specified, please verify your configuration") - return nil - } - - log.Trace().Interface("certs_to_add", certsToAdd). - Interface("certs_to_remove", certsToRemove). - Str("stores_file", storesFile). - Msg("Generating audit report") - - log.Debug(). - Msg(fmt.Sprintf(DebugFuncCall, "generateAuditReport")) - _, actions, err := generateAuditReport(certsToAdd, certsToRemove, stores, outputFilePath, kfClient) - if err != nil { - log.Error(). - Err(err). - Str("outputFilePath", outputFilePath). - Msg("Error generating audit report") - } - if len(actions) == 0 { - msg := "No reconciliation actions to take, the specified root of trust stores are up-to-date" - log.Info(). - Str("stores_file", storesFile). - Str("add_certs_file", addRootsFile). - Str("remove_certs_file", removeRootsFile). - Msg(msg) - fmt.Println("No reconciliation actions to take, root stores are up-to-date. Exiting.") - if len(errs) > 0 { - apiErrs := mergeErrsToString(&errs, false) - return fmt.Errorf(apiErrs) - } - return nil - } - - log.Debug().Msg(fmt.Sprintf(DebugFuncCall, "reconcileRoots")) - rErr = reconcileRoots(actions, kfClient, reportFile, dryRun) - if rErr != nil { - log.Error().Err(rErr).Msg("Error reconciling root of trust stores") - if len(errs) > 0 { - apiErrs := mergeErrsToString(&errs, false) - rErr = fmt.Errorf("%s\r\n%s", rErr, apiErrs) - } - return rErr - } - if lookupFailures != nil { - errMsg := fmt.Errorf( - "The following stores could not be found:\r\n%s", strings.Join(lookupFailures, ",\r\n"), - ) - log.Error().Err(errMsg).Strs("lookup_failures", lookupFailures).Send() - if len(errs) > 0 { - apiErrs := mergeErrsToString(&errs, false) - errMsg = fmt.Errorf("%s\r\n%s", errMsg, apiErrs) - return errMsg - } - return errMsg - } - orchsURL := fmt.Sprintf( - "https://%s/Keyfactor/Portal/AgentJobStatus/Index", - kfClient.Hostname, - ) //todo: this path might not work for everyone - - log.Info(). - Str("orchs_url", orchsURL). - Str("outputFilePath", outputFilePath). - Msg("Reconciliation completed. Check orchestrator jobs for details.") - fmt.Println(fmt.Sprintf("Reconciliation completed. Check orchestrator jobs for details. %s", orchsURL)) - - if len(lookupFailures) > 0 { - lookupErrs := fmt.Errorf( - "Reconciliation completed with failures, "+ - "the following stores could not be found:\r\n%s", strings.Join( - lookupFailures, - "\r\n", - ), - ) - log.Error().Err(lookupErrs).Strs( - "lookup_failures", - lookupFailures, - ).Msg("The following stores could not be found") - if len(errs) > 0 { - apiErrs := mergeErrsToString(&errs, false) - lookupErrs = fmt.Errorf("%s\r\n%s", lookupErrs, apiErrs) - } - return lookupErrs - } else if len(errs) > 0 { - apiErrs := mergeErrsToString(&errs, false) - log.Error().Str("api_errors", apiErrs).Msg("Reconciliation completed with failures") - return fmt.Errorf("Reconciliation completed with failures:\r\n%s", apiErrs) - } return nil -} - -func processCSVReportFile(reportFile string, kfClient *api.Client, dryRun bool) error { - log.Debug().Str("report_file", reportFile).Bool("dry_run", dryRun). - Msg("Parsing existing audit report") - // Read in the CSV - - log.Debug().Str("report_file", reportFile).Msg("reading audit report file") - csvFile, err := os.Open(reportFile) - if err != nil { - log.Error().Err(err).Str("report_file", reportFile).Msg("Error reading audit report file") - return err - } - - validHeader := false - log.Trace().Str("report_file", reportFile).Msg("Creating CSV reader") - aCSV := csv.NewReader(csvFile) - aCSV.FieldsPerRecord = -1 - log.Debug().Str("report_file", reportFile).Msg("Reading CSV data") - inFile, cErr := aCSV.ReadAll() - if cErr != nil { - log.Error().Err(cErr).Str("report_file", reportFile).Msg("Error reading CSV file") - return cErr - } - - actions := make(map[string][]ROTAction) - fieldMap := make(map[int]string) - - log.Debug().Str("report_file", reportFile). - Strs("csv_header", AuditHeader). - Msg("Creating field map, index to header name") - for i, field := range AuditHeader { - log.Trace().Str("report_file", reportFile).Str("field", field).Int( - "index", - i, - ).Msg("Processing field") - fieldMap[i] = field - } - - log.Debug().Str("report_file", reportFile).Msg("Iterating over CSV rows") - var errs []error - for ri, row := range inFile { - log.Trace().Str("report_file", reportFile).Strs("row", row).Msg("Processing row") - if strings.EqualFold(strings.Join(row, ","), strings.Join(AuditHeader, ",")) { - log.Trace().Str("report_file", reportFile).Strs("row", row).Msg("Skipping header row") - validHeader = true - continue // Skip header - } - if !validHeader { - invalidHeaderErr := fmt.Errorf( - "invalid header in audit report file please use '%s'", strings.Join( - AuditHeader, - ",", - ), - ) - log.Error().Err(invalidHeaderErr).Str( - "report_file", - reportFile, - ).Msg("Invalid header in audit report file") - return invalidHeaderErr - } - - log.Debug().Str("report_file", reportFile).Msg("Creating action map") - action := make(map[string]interface{}) - for i, field := range row { - log.Trace().Str("report_file", reportFile).Str("field", field).Int( - "index", - i, - ).Msg("Processing field") - fieldInt, iErr := strconv.Atoi(field) - if iErr != nil { - log.Trace().Err(iErr).Str("report_file", reportFile). - Str("field", field). - Int("index", i). - Msg("Field is not an integer, replacing with index value") - action[fieldMap[i]] = field - } else { - log.Trace().Err(iErr).Str("report_file", reportFile). - Str("field", field). - Int("index", i). - Msg("Field is an integer") - action[fieldMap[i]] = fieldInt - } - } - - log.Debug().Str("report_file", reportFile).Msg("Processing add cert action") - addCertStr, aOk := action["AddCert"].(string) - if !aOk { - log.Warn().Str("report_file", reportFile).Msg( - "AddCert field not found in action, " + - "using empty string", - ) - addCertStr = "" - } - - log.Trace().Str("report_file", reportFile).Str( - "add_cert", - addCertStr, - ).Msg("Converting addCertStr to bool") - addCert, acErr := strconv.ParseBool(addCertStr) - if acErr != nil { - log.Warn().Str("report_file", reportFile).Err(acErr).Msg( - "Unable to parse bool from addCertStr, defaulting to FALSE", - ) - addCert = false - } - - log.Debug().Str("report_file", reportFile).Msg("Processing remove cert action") - removeCertStr, rOk := action["RemoveCert"].(string) - if !rOk { - log.Warn().Str("report_file", reportFile).Msg( - "RemoveCert field not found in action, " + - "using empty string", - ) - removeCertStr = "" - } - log.Trace().Str("report_file", reportFile).Str( - "remove_cert", - removeCertStr, - ).Msg("Converting removeCertStr to bool") - removeCert, rcErr := strconv.ParseBool(removeCertStr) - if rcErr != nil { - log.Warn(). - Str("report_file", reportFile). - Err(rcErr). - Msg("Unable to parse bool from removeCertStr, defaulting to FALSE") - removeCert = false - } - - log.Trace().Str("report_file", reportFile).Msg("Processing store type") - sType, sOk := action["StoreType"].(string) - if !sOk { - log.Warn().Str("report_file", reportFile).Msg( - "StoreType field not found in action, " + - "using empty string", - ) - sType = "" - } - - log.Trace().Str("report_file", reportFile).Msg("Processing store path") - sPath, pOk := action["Path"].(string) - if !pOk { - log.Warn().Str("report_file", reportFile).Msg( - "Path field not found in action, " + - "using empty string", - ) - sPath = "" - } - - log.Trace().Str("report_file", reportFile).Msg("Processing thumbprint") - tp, tpOk := action["Thumbprint"].(string) - if !tpOk { - log.Warn().Str("report_file", reportFile).Msg( - "Thumbprint field not found in action, " + - "using empty string", - ) - tp = "" - } - - log.Trace().Str("report_file", reportFile).Msg("Processing cert id") - cid, cidOk := action["CertID"].(int) - if !cidOk { - log.Warn().Str("report_file", reportFile).Msg( - "CertID field not found in action, " + - "using -1", - ) - cid = -1 - } - - if !tpOk && !cidOk { - errMsg := fmt.Errorf("row is missing Thumbprint or CertID") - log.Error().Err(errMsg). - Str("report_file", reportFile). - Int("row", ri). - Msg("Invalid row in audit report file") - errs = append(errs, errMsg) - continue - } - - sId, sIdOk := action["StoreID"].(string) - if !sIdOk { - errMsg := fmt.Errorf("row is missing StoreID") - log.Error().Err(errMsg). - Str("report_file", reportFile). - Int("row", ri). - Msg("Invalid row in audit report file") - errs = append(errs, errMsg) - continue - } - if cid == -1 && tp != "" { - log.Debug().Str("report_file", reportFile). - Int("row", ri). - Str("thumbprint", tp). - Msg("Looking up certificate by thumbprint") - certLookupReq := api.GetCertificateContextArgs{ - IncludeMetadata: boolToPointer(true), - IncludeLocations: boolToPointer(true), - CollectionId: nil, //todo: add support for collection ID - Thumbprint: tp, - Id: 0, //force to 0 as -1 will error out the API request - } - log.Debug().Str("report_file", reportFile). - Int("row", ri). - Str("thumbprint", tp). - Msg(fmt.Sprintf(DebugFuncCall, "kfClient.GetCertificateContext")) - - certLookup, err := kfClient.GetCertificateContext(&certLookupReq) - if err != nil { - log.Error().Err(err).Str("report_file", reportFile). - Int("row", ri). - Str("thumbprint", tp). - Msg("Error looking up certificate by thumbprint") - continue - } - cid = certLookup.Id - log.Debug().Str("report_file", reportFile). - Int("row", ri). - Str("thumbprint", tp). - Int("cert_id", cid). - Msg("Certificate found by thumbprint") - } - - log.Trace().Str("report_file", reportFile). - Int("row", ri). - Str("store_id", sId). - Str("store_type", sType). - Str("store_path", sPath). - Str("thumbprint", tp). - Int("cert_id", cid). - Bool("add_cert", addCert). - Bool("remove_cert", removeCert). - Msg("Creating reconciliation action") - a := ROTAction{ - StoreID: sId, - StoreType: sType, - StorePath: sPath, - Thumbprint: tp, - CertID: cid, - AddCert: addCert, - RemoveCert: removeCert, - } - - log.Trace().Str("report_file", reportFile). - Int("row", ri).Interface("action", a).Msg("Adding action to actions map") - actions[a.Thumbprint] = append(actions[a.Thumbprint], a) - } - - log.Info().Str("report_file", reportFile).Msg("Audit report parsed successfully") - if len(actions) == 0 { - rtMsg := "No reconciliation actions to take, root stores are up-to-date. Exiting." - log.Info().Str("report_file", reportFile). - Msg(rtMsg) - fmt.Println(rtMsg) - if len(errs) > 0 { - errStr := mergeErrsToString(&errs, false) - log.Error().Str("report_file", reportFile). - Str("errors", errStr). - Msg("Errors encountered while parsing audit report") - return fmt.Errorf("errors encountered while parsing audit report: %s", errStr) - } - return nil - } - - log.Debug().Str("report_file", reportFile).Msg(fmt.Sprintf(DebugFuncCall, "reconcileRoots")) - rErr := reconcileRoots(actions, kfClient, reportFile, dryRun) - if rErr != nil { - log.Error().Err(rErr).Str("report_file", reportFile).Msg("Error reconciling roots") - return rErr - } - defer csvFile.Close() - - orchsURL := fmt.Sprintf( - "https://%s/Keyfactor/Portal/AgentJobStatus/Index", - kfClient.Hostname, - ) //todo: this pathing might not work for everyone - - if len(errs) > 0 { - errStr := mergeErrsToString(&errs, false) - log.Error().Str("report_file", reportFile). - Str("errors", errStr). - Msg("Errors encountered while reconciling root of trust stores") - return fmt.Errorf("errors encountered while reconciling roots:\r\n%s", errStr) - - } - log.Info().Str("report_file", reportFile). - Str("orchs_url", orchsURL). - Msg("Reconciliation completed. Check orchestrator jobs for details") - fmt.Println(fmt.Sprintf("Reconciliation completed. Check orchestrator jobs for details. %s", orchsURL)) - - return nil } func init() { @@ -1865,7 +847,7 @@ func init() { ) rotAuditCmd.Flags().BoolP("dry-run", "d", false, "Dry run mode") rotAuditCmd.Flags().StringVarP( - &outputFilePath, "outputFilePath", "o", "", + &outputFilePath, "OutputFilePath", "o", "", "Path to write the audit report file to. If not specified, the file will be written to the current directory.", ) @@ -1908,7 +890,7 @@ func init() { "Path to a file generated by 'stores rot audit' command.", ) rotReconcileCmd.Flags().StringVarP( - &outputFilePath, "outputFilePath", "o", "", + &outputFilePath, "OutputFilePath", "o", "", "Path to write the audit report file to. If not specified, the file will be written to the current directory.", ) //rotReconcileCmd.MarkFlagsRequiredTogether("add-certs", "stores") @@ -1920,7 +902,7 @@ func init() { // Root of trust `generate` command rotCmd.AddCommand(rotGenStoreTemplateCmd) rotGenStoreTemplateCmd.Flags().StringVarP( - &outputFilePath, "outputFilePath", "o", "", + &outputFilePath, "OutputFilePath", "o", "", "Path to write the template file to. If not specified, the file will be written to the current directory.", ) rotGenStoreTemplateCmd.Flags().StringVarP( @@ -1996,7 +978,7 @@ func promptSelectRotStores(resourceType string) string { opts := []string{ "Manual Select", - "Discover", + "Search", "File", "All", } @@ -2096,7 +1078,7 @@ func promptSelectCerts(client *api.Client) []string { Str("collection", col). Int("collection_id", colID). Interface("params", params). - Msg(fmt.Sprintf(DebugFuncCall, "kfClient.GetCertificatesByCollection")) + Msg(fmt.Sprintf(DebugFuncCall, "Client.GetCertificatesByCollection")) certOpts, certErr := menuCertificates(client, ¶ms) if certErr != nil { log.Error().Err(certErr).Msg("Error fetching certificates from Keyfactor Command") @@ -2149,7 +1131,7 @@ func promptSelectStores(client *api.Client) []string { // Collection based store collection not supported as stores are not associated with collections certificates // are associated with collections //case "Collection": - // collectionOpts, colErr := menuCollections(client) + // collectionOpts, colErr := menuCollections(Client) // if colErr != nil { // fmt.Println("Error fetching collections from Keyfactor Command: ", colErr) // continue @@ -2168,8 +1150,8 @@ func promptSelectStores(client *api.Client) []string { // // //fetch stores associated with selected collections // log.Info().Msg("Fetching stores associated with selected collections") - // log.Debug().Msg(fmt.Sprintf(DebugFuncCall, "kfClient.GetStoresByCollection")) - // stores, sErr := client.GetSt(selectedCollections) + // log.Debug().Msg(fmt.Sprintf(DebugFuncCall, "Client.GetStoresByCollection")) + // stores, sErr := Client.GetSt(selectedCollections) case "StoreType": storeTypeNames, stErr := menuStoreType(client) @@ -2205,7 +1187,7 @@ func promptSelectStores(client *api.Client) []string { continue } - log.Debug().Msg(fmt.Sprintf(DebugFuncCall, "kfClient.GetStoresByStoreType")) + log.Debug().Msg(fmt.Sprintf(DebugFuncCall, "Client.GetStoresByStoreType")) params := make(map[string]interface{}) params["CertStoreType"] = stID stores, sErr := menuCertificateStores(client, ¶ms) @@ -2270,7 +1252,7 @@ func promptMultiSelect(msg string, opts []string) []string { func menuStoreType(client *api.Client) ([]string, error) { //fetch store type options from keyfactor command log.Info().Msg("Fetching store types from Keyfactor Command") - log.Debug().Msg(fmt.Sprintf(DebugFuncCall, "kfClient.ListCertificateStoreTypes")) + log.Debug().Msg(fmt.Sprintf(DebugFuncCall, "Client.ListCertificateStoreTypes")) storeTypes, stErr := client.ListCertificateStoreTypes() if stErr != nil { log.Error().Err(stErr).Msg("Error fetching store types from Keyfactor Command") @@ -2296,7 +1278,7 @@ func menuStoreType(client *api.Client) ([]string, error) { func menuContainers(client *api.Client) ([]string, error) { //fetch container options from keyfactor command log.Info().Msg("Fetching containers from Keyfactor Command") - log.Debug().Msg(fmt.Sprintf(DebugFuncCall, "kfClient.GetStoreContainers")) + log.Debug().Msg(fmt.Sprintf(DebugFuncCall, "Client.GetStoreContainers")) containers, cErr := client.GetStoreContainers() if cErr != nil { log.Error().Err(cErr).Msg("Error fetching containers from Keyfactor Command") @@ -2321,11 +1303,11 @@ func menuContainers(client *api.Client) ([]string, error) { func menuCollections(client *api.Client) ([]string, error) { //fetch collection options from keyfactor command log.Info().Msg("Fetching collections from Keyfactor Command") - log.Debug().Msg(fmt.Sprintf(DebugFuncCall, "kfClient.GetCollections")) + log.Debug().Msg(fmt.Sprintf(DebugFuncCall, "Client.GetCollections")) sdkClient, sdkErr := convertClient(client) if sdkErr != nil { - log.Error().Err(sdkErr).Msg("Error converting client to v2") + log.Error().Err(sdkErr).Msg("Error converting Client to v2") return nil, sdkErr } //createdPamProviderType, httpResponse, rErr := sdkClient.PAMProviderApi.PAMProviderCreatePamProviderType(context.Background()). @@ -2364,12 +1346,12 @@ func menuCollections(client *api.Client) ([]string, error) { } func convertClient(v1Client *api.Client) (*sdk.APIClient, error) { - // todo add support to convert the v1 client to v2 but for now use inputs used to created the v1 client + // todo add support to convert the v1 Client to v2 but for now use inputs used to created the v1 Client config := make(map[string]string) if v1Client != nil { config["host"] = v1Client.Hostname - //todo: expose these values in the client + //todo: expose these values in the Client //config["username"] = v1Client.Username //config["password"] = v1Client.Password //config["domain"] = v1Client.Domain @@ -2419,7 +1401,7 @@ func menuCertificates(client *api.Client, params *map[string]string) ([]string, func menuCertificateStores(client *api.Client, params *map[string]interface{}) ([]string, error) { // fetch all stores from keyfactor command log.Info().Msg("Fetching stores from Keyfactor Command") - log.Debug().Msg(fmt.Sprintf(DebugFuncCall, "kfClient.ListCertificateStores")) + log.Debug().Msg(fmt.Sprintf(DebugFuncCall, "Client.ListCertificateStores")) stores, sErr := client.ListCertificateStores(params) if sErr != nil { log.Error().Err(sErr).Msg("Error fetching stores from Keyfactor Command") @@ -2438,7 +1420,7 @@ func menuCertificateStores(client *api.Client, params *map[string]interface{}) ( //lookup store type name var stName = fmt.Sprintf("%d", st.CertStoreType) if _, ok := storeTypesLookup[st.CertStoreType]; !ok { - log.Debug().Msg(fmt.Sprintf(DebugFuncCall, "kfClient.GetCertificateStoreType")) + log.Debug().Msg(fmt.Sprintf(DebugFuncCall, "Client.GetCertificateStoreType")) storeType, stErr := client.GetCertificateStoreType(st.CertStoreType) if stErr != nil { log.Error().Err(stErr).Msg("Error fetching store type name from Keyfactor Command") @@ -2520,7 +1502,7 @@ kfutil stores rot reconcile --import-csv SuggestFor: nil, Short: "Audit generates a CSV report of what actions will be taken based on input CSV files.", Long: `Root of Trust Audit: Will read and parse inputs to generate a report of certs that need to be added or removed from the "root of trust" stores.`, - Example: "", + Example: "kfutil stores rot audit", ValidArgs: nil, ValidArgsFunction: nil, Args: nil, @@ -2546,7 +1528,7 @@ kfutil stores rot reconcile --import-csv maxLeaves, _ := cmd.Flags().GetInt("max-leaf-certs") maxKeys, _ := cmd.Flags().GetInt("max-keys") dryRun, _ := cmd.Flags().GetBool("dry-run") - outputFilePath, _ := cmd.Flags().GetString("outputFilePath") + outputFilePath, _ := cmd.Flags().GetString("OutputFilePath") // Debug + expEnabled checks isExperimental := false @@ -2556,9 +1538,6 @@ kfutil stores rot reconcile --import-csv } informDebug(debugFlag) - trustCriteria.MinCerts = minCerts - trustCriteria.MaxKeys = maxKeys - trustCriteria.MaxLeaf = maxLeaves log.Debug().Str("trust_criteria", fmt.Sprintf("%s", trustCriteria.String())). Str("add_file", addRootsFile). Str("remove_file", removeRootsFile). @@ -2569,19 +1548,34 @@ kfutil stores rot reconcile --import-csv Msg("Root of trust audit command") authConfig := createAuthConfigFromParams(kfcHostName, kfcUsername, kfcPassword, kfcDomain, kfcAPIPath) - - var lookupFailures []string kfClient, cErr := initClient(configFile, profile, "", "", noPrompt, authConfig, false) if cErr != nil { - log.Error().Err(cErr).Msg("Error initializing Keyfactor client") + log.Error().Err(cErr).Msg("Error initializing Keyfactor Client") return cErr } + rotCriteria := RootOfTrustCriteria{ + MinCerts: minCerts, + MaxLeaves: maxLeaves, + MaxKeys: maxKeys, + } + + rotClient := RootOfTrustManager{ + AddCertsFilePath: addRootsFile, + RemoveCertsFilePath: removeRootsFile, + StoresFilePath: storesFile, + ReportFilePath: "", + TrustStoreCriteria: rotCriteria, + OutputFilePath: outputFilePath, + IsDryRun: dryRun, + Client: kfClient, + } + // validate flags var storesErr error log.Debug().Str("stores_file", storesFile).Bool("no_prompt", noPrompt). Msg(fmt.Sprintf(DebugFuncCall, "validateStoresInput")) - storesFile, storesErr = validateStoresInput(&storesFile, &noPrompt, kfClient) + storesErr = rotClient.validateStoresInput(&storesFile, &noPrompt) if storesErr != nil { return storesErr } @@ -2589,9 +1583,8 @@ kfutil stores rot reconcile --import-csv log.Debug().Str("add_file", addRootsFile).Str("remove_file", removeRootsFile).Bool("no_prompt", noPrompt). Msg(fmt.Sprintf(DebugFuncCall, "validateCertsInput")) var certsErr error - addRootsFile, removeRootsFile, certsErr = validateCertsInput( - addRootsFile, removeRootsFile, - kfClient, + certsErr = rotClient.validateCertsInput( + addRootsFile, removeRootsFile, noPrompt, ) if certsErr != nil { log.Error().Err(cErr).Msg("Invalid certs input please provide certs to add or remove.") @@ -2604,203 +1597,28 @@ kfutil stores rot reconcile --import-csv Bool("dry_run", dryRun). Msg("Performing root of trust audit") - // Read in the stores CSV - log.Debug().Str("stores_file", storesFile).Msg("Reading in stores file") - csvFile, ioErr := os.Open(storesFile) - if ioErr != nil { - log.Error().Err(ioErr).Str("stores_file", storesFile).Msg("Error reading in stores file") - return ioErr - } - - log.Trace().Str("stores_file", storesFile).Msg("Creating CSV reader") - reader := csv.NewReader(bufio.NewReader(csvFile)) - - log.Debug().Str("stores_file", storesFile).Msg("Reading CSV data") - storeEntries, rErr := reader.ReadAll() - if rErr != nil { - log.Error().Err(rErr).Str("stores_file", storesFile).Msg("Error reading in stores file") - return rErr - } - - log.Debug().Str("stores_file", storesFile).Msg("Validating CSV header") - var stores = make(map[string]StoreCSVEntry) - validHeader := false - for _, entry := range storeEntries { - log.Trace().Strs("entry", entry).Msg("Processing row") - if strings.EqualFold(strings.Join(entry, ","), strings.Join(StoreHeader, ",")) { - validHeader = true - continue // Skip header - } - if !validHeader { - log.Error(). - Strs("header", entry). - Strs("expected_header", StoreHeader). - Msg("Invalid header in stores file") - return fmt.Errorf("invalid header in stores file please use '%s'", strings.Join(StoreHeader, ",")) - } - - log.Debug().Strs("entry", entry). - Str("store_id", entry[0]). - Msg(fmt.Sprintf(DebugFuncCall, "kfClient.GetCertificateStoreByID")) - apiResp, err := kfClient.GetCertificateStoreByID(entry[0]) - if err != nil { - log.Error().Err(err).Str("store_id", entry[0]).Msg("Error getting cert store") - lookupFailures = append(lookupFailures, strings.Join(entry, ",")) - continue - } - - log.Debug().Str("store_id", entry[0]). - Msg(fmt.Sprintf(DebugFuncCall, "kfClient.GetCertStoreInventoryV1")) - inventory, invErr := kfClient.GetCertStoreInventory(entry[0]) - if invErr != nil { - log.Error().Err(invErr).Str("store_id", entry[0]).Msg("Error getting cert store inventory") - lookupFailures = append(lookupFailures, strings.Join(entry, ",")) - continue - } else if inventory == nil { - log.Error().Str( - "store_id", - entry[0], - ).Msg("No inventory response returned for store from Keyfactor Command") - lookupFailures = append(lookupFailures, strings.Join(entry, ",")) - continue - } - - if !isRootStore(apiResp, inventory, minCerts, maxLeaves, maxKeys) { - fmt.Printf( - "Store %s is not a root store, skipping.\n", - entry[0], - ) //todo: support for output formatting - log.Warn().Str("store_id", entry[0]).Msg("Store is not considered a root of trust store") - continue - } - - log.Info().Str("store_id", entry[0]).Msg("Store is considered a root of trust store") - - log.Trace().Str("store_id", entry[0]).Msg("Creating store entry") - - stores[entry[0]] = StoreCSVEntry{ - ID: entry[0], - Type: entry[1], - Machine: entry[2], - Path: entry[3], - Thumbprints: make(map[string]bool), - Serials: make(map[string]bool), - Ids: make(map[int]bool), - } - - log.Debug().Str("store_id", entry[0]).Msg("Iterating over inventory") - for _, cert := range *inventory { - log.Trace().Str("store_id", entry[0]).Interface("cert", cert).Msg("Processing inventory") - thumb := cert.Thumbprints - trcMsg := "Adding cert to store" - for t, v := range thumb { - //log.Trace().Str("store_id", entry[0]).Str("thumbprint", t).Msg(trcMsg) - //stores[entry[0]].Thumbprints[t] = v - log.Trace().Str("store_id", entry[0]). - Int("thumbprint", t). - Str("value", v). - Msg(trcMsg) - stores[entry[0]].Thumbprints[v] = true - } - for t, v := range cert.Serials { - log.Trace().Str("store_id", entry[0]). - Int("serial", t). - Str("value", v). - Msg(trcMsg) - //stores[entry[0]].Serials[t] = v - //stores[entry[0]].Serials[v] = t - stores[entry[0]].Serials[v] = true - } - for t, v := range cert.Ids { - log.Trace().Str("store_id", entry[0]). - Int("cert_id", t). - Int("value", v). - Msg(trcMsg) - //stores[entry[0]].Ids[t] = v - stores[entry[0]].Ids[v] = true - } - } - log.Trace().Strs("entry", entry).Msg("Row processed") - } - - if len(lookupFailures) > 0 { - log.Error().Strs("lookup_failures", lookupFailures).Msg("The following stores could not be looked up") - return fmt.Errorf( - "the following stores could not be found on Keyfactor Command:\n%s\nThese errors MUST be resolved"+ - " in order to proceed", strings.Join( - lookupFailures, ","+ - "\r\n", - ), - ) - } - - // Read in the add addCerts CSV - var certsToAdd = make(map[string]string) - - if addRootsFile == "" { - log.Debug().Msg("No addCerts file specified") - } else { - log.Info().Str("add_certs_file", addRootsFile).Msg("Reading certs to add file") - var rcfErr error - log.Debug().Str("add_certs_file", addRootsFile).Msg(fmt.Sprintf(DebugFuncCall, "readCertsFile")) - certsToAdd, rcfErr = readCertsFile(addRootsFile, kfClient) - if rcfErr != nil { - log.Error().Err(rcfErr).Str("add_certs_file", addRootsFile).Msg("Error reading certs to add file") - return rcfErr - } - - log.Debug().Str("add_certs_file", addRootsFile).Msg("Creating JSON of certs to add") - addCertsJSON, jErr := json.Marshal(certsToAdd) - if jErr != nil { - log.Error().Err(jErr).Str( - "add_certs_file", - addRootsFile, - ).Msg("Error converting certs to add to JSON") - return jErr - } - log.Trace().Str("add_certs_file", addRootsFile). - Str("add_certs_json", string(addCertsJSON)). - Msg("Certs to add file read successfully") + //Process stores file + sErr := rotClient.processStoresFile() + if sErr != nil { + log.Error().Err(sErr).Msg("Error processing stores file") + return sErr } - // Read in the remove removeCerts CSV - var certsToRemove = make(map[string]string) - if removeRootsFile == "" { - log.Info().Msg("No removeCerts file specified") - } else { - log.Info().Str("remove_certs_file", removeRootsFile).Msg("Reading certs to remove file") - var rcfErr error - log.Debug().Str("remove_certs_file", removeRootsFile).Msg(fmt.Sprintf(DebugFuncCall, "readCertsFile")) - certsToRemove, rcfErr = readCertsFile(removeRootsFile, kfClient) - if rcfErr != nil { - log.Error().Err(rcfErr).Str( - "remove_certs_file", - removeRootsFile, - ).Msg("Error reading certs to remove file") - } - - removeCertsJSON, jErr := json.Marshal(certsToRemove) - if jErr != nil { - log.Error().Err(jErr).Str( - "remove_certs_file", - removeRootsFile, - ).Msg("Error converting certs to remove to JSON") - return jErr - } - log.Trace().Str("remove_certs_file", removeRootsFile). - Str("remove_certs_json", string(removeCertsJSON)). - Msg("Certs to remove file read successfully") + ctErr := rotClient.processCertsFiles() + if ctErr != nil { + log.Error().Err(ctErr).Msg("Error processing certs files") + return ctErr } log.Debug().Msg(fmt.Sprintf(DebugFuncCall, "generateAuditReport")) - _, _, gErr := generateAuditReport(certsToAdd, certsToRemove, stores, outputFilePath, kfClient) + gErr := rotClient.generateAuditReport() if gErr != nil { log.Error().Err(gErr).Msg("Error generating audit report") return gErr } log.Info(). - Str("outputFilePath", outputFilePath). + Str("OutputFilePath", outputFilePath). Msg("Audit report generated successfully") log.Debug(). Msg(fmt.Sprintf(DebugFuncExit, "generateAuditReport")) @@ -2858,7 +1676,7 @@ the utility will first generate an audit report and then execute the add/remove maxLeaves, _ := cmd.Flags().GetInt("max-leaf-certs") maxKeys, _ := cmd.Flags().GetInt("max-keys") dryRun, _ := cmd.Flags().GetBool("dry-run") - outputFilePath, _ := cmd.Flags().GetString("outputFilePath") + outputFilePath, _ := cmd.Flags().GetString("OutputFilePath") // Debug + expEnabled checks isExperimental := false @@ -2868,15 +1686,11 @@ the utility will first generate an audit report and then execute the add/remove } informDebug(debugFlag) - trustCriteria.MinCerts = minCerts - trustCriteria.MaxKeys = maxKeys - trustCriteria.MaxLeaf = maxLeaves - + // Check KFC connection authConfig := createAuthConfigFromParams(kfcHostName, kfcUsername, kfcPassword, kfcDomain, kfcAPIPath) - kfClient, clErr := initClient(configFile, profile, "", "", noPrompt, authConfig, false) if clErr != nil { - log.Error().Err(clErr).Msg("Error initializing Keyfactor client") + log.Error().Err(clErr).Msg("Error initializing Keyfactor Client") return clErr } @@ -2886,9 +1700,27 @@ the utility will first generate an audit report and then execute the add/remove Bool("dry_run", dryRun). Msg("Performing root of trust reconciliation") + rotCriteria := RootOfTrustCriteria{ + MinCerts: minCerts, + MaxLeaves: maxLeaves, + MaxKeys: maxKeys, + } + + rotClient := RootOfTrustManager{ + AddCertsFilePath: addRootsFile, + RemoveCertsFilePath: removeRootsFile, + StoresFilePath: storesFile, + ReportFilePath: reportFile, + TrustStoreCriteria: rotCriteria, + OutputFilePath: outputFilePath, + IsDryRun: dryRun, + Client: kfClient, + } + // Parse existing audit report if isCSV && reportFile != "" { - err := processCSVReportFile(reportFile, kfClient, dryRun) + log.Debug().Str("report_file", reportFile).Msg("Processing audit report") + err := rotClient.processCSVReportFile() if err != nil { log.Error().Err(err).Msg("Error processing audit report") return err @@ -2902,26 +1734,48 @@ the utility will first generate an audit report and then execute the add/remove Str("report_file", reportFile). Bool("dry_run", dryRun). Msg(fmt.Sprintf(DebugFuncCall, "processFromStoresAndCertFiles")) - err := processFromStoresAndCertFiles( - storesFile, - addRootsFile, - removeRootsFile, - reportFile, - outputFilePath, - minCerts, - maxLeaves, - maxKeys, - kfClient, - dryRun, - ) - if err != nil { - log.Error().Err(err).Msg("Error processing from stores file") - return err + + log.Trace().Str("rotClient", fmt.Sprintf("%s", rotClient.String())).Msg("Root of trust Client") + + //Process stores file + sErr := rotClient.processStoresFile() + if sErr != nil { + log.Error().Err(sErr).Msg("Error processing stores file") + return sErr + } + + cErr := rotClient.processCertsFiles() + if cErr != nil { + log.Error().Err(cErr).Msg("Error processing certs files") + return cErr + } + + gErr := rotClient.generateAuditReport() + if gErr != nil { + log.Error().Err(gErr).Msg("Error generating audit report") + return gErr + } + + rErr := rotClient.reconcileRoots() + if rErr != nil { + log.Error().Err(rErr).Msg("Error reconciling roots") + return rErr } + + orchsURL := fmt.Sprintf( + "https://%s/Keyfactor/Portal/AgentJobStatus/Index", + kfClient.Hostname, + ) //todo: this path might not work for everyone + + log.Info(). + Str("orchs_url", orchsURL). + Str("OutputFilePath", outputFilePath). + Msg("Reconciliation completed. Check orchestrator jobs for details.") + fmt.Println(fmt.Sprintf("Reconciliation completed. Check orchestrator jobs for details. %s", orchsURL)) } log.Debug().Str("report_file", reportFile). - Str("outputFilePath", outputFilePath).Msg("Reconciliation report generated successfully") + Str("OutputFilePath", outputFilePath).Msg("Reconciliation report generated successfully") log.Debug().Msg(fmt.Sprintf(DebugFuncExit, "reconcileRoots")) return nil }, @@ -2967,7 +1821,7 @@ the utility will first generate an audit report and then execute the add/remove // Specific Flags templateType, _ := cmd.Flags().GetString("type") format, _ := cmd.Flags().GetString("format") - outputFilePath, _ := cmd.Flags().GetString("outputFilePath") + outputFilePath, _ := cmd.Flags().GetString("OutputFilePath") storeType, _ := cmd.Flags().GetStringSlice("store-type") containerName, _ := cmd.Flags().GetStringSlice("container-name") collection, _ := cmd.Flags().GetStringSlice("collection") @@ -2988,7 +1842,7 @@ the utility will first generate an audit report and then execute the add/remove false, ) if clErr != nil { - log.Error().Err(clErr).Msg("Error initializing Keyfactor client") + log.Error().Err(clErr).Msg("Error initializing Keyfactor Client") return clErr } diff --git a/cmd/rot_manager.go b/cmd/rot_manager.go new file mode 100644 index 0000000..343cba5 --- /dev/null +++ b/cmd/rot_manager.go @@ -0,0 +1,1342 @@ +package cmd + +import ( + "bufio" + "encoding/csv" + "encoding/json" + "fmt" + "os" + "strconv" + "strings" + + "github.com/Keyfactor/keyfactor-go-client/v2/api" + "github.com/rs/zerolog/log" +) + +type RootOfTrustManager struct { + Client *api.Client + OutputFilePath string + addCerts map[string]string // map[alias]certId + removeCerts map[string]string // map[alias]certId + actions map[string][]ROTAction // map[alias]ROTAction + //stores map[string]StoreCSVEntry + Stores map[string]*TrustStore + data [][]string + ReportFilePath string + StoresFilePath string + AddCertsFilePath string + RemoveCertsFilePath string + IsDryRun bool + TrustStoreCriteria RootOfTrustCriteria +} + +type TrustStore struct { + StoreID string + StoreType string + StoreMachine string + StorePath string + Inventory []api.CertStoreInventory + ContainerName string + ContainerID int + LeafCount int + KeyCount int + CertCount int + ThumbPrints map[string]bool + Serials map[string]bool + Aliases map[string]bool + CertIDs map[int]bool +} + +func (t *TrustStore) generateMaps() error { + // check if inventory is empty + log.Debug().Msg(fmt.Sprintf(DebugFuncEnter, "generateMaps")) + if len(t.Inventory) == 0 { + log.Warn().Msg("Inventory is empty, unable to generate maps") + log.Debug().Msg(fmt.Sprintf(DebugFuncExit, "generateMaps")) + return nil + } + log.Debug().Msg("Generating thumbprint, serial number, and certificate ID maps") + for _, cert := range t.Inventory { + log.Trace().Str("alias", cert.Name).Msg("Adding alias to map") + t.Aliases[cert.Name] = true + // Thumbprints + for _, thumbprint := range cert.Thumbprints { + log.Trace().Str("thumbprint", thumbprint).Msg("Adding thumbprint to map") + t.ThumbPrints[thumbprint] = true + } + // Serials + for _, serial := range cert.Serials { + log.Trace().Str("serial", serial).Msg("Adding serial number to map") + t.Serials[serial] = true + } + // Cert IDs + for _, id := range cert.Ids { + log.Trace().Int("cert_id", id).Msg("Adding certificate ID to map") + t.CertIDs[id] = true + } + } + return nil +} + +func (t *TrustStore) InventoryCSV(includeHeader bool) string { + // order CSV col based InventoryHeader + InventoryHeader := []string{ + "Thumbprint", + "SerialNumber", + "CertificateID", + } + var output [][]string + + // add header + if includeHeader { + output = append(output, InventoryHeader) + } + + for _, h := range t.Inventory { + row := make([]string, len(InventoryHeader)) + for i, header := range InventoryHeader { + switch header { + case "Alias": + row[i] = h.Name + case "Thumbprint": + row[i] = strings.Join(h.Thumbprints, ",") + // escape any commas in the fields + row[i] = strings.ReplaceAll(row[i], ",", "\\,") + case "SerialNumbers": + row[i] = strings.Join(h.Serials, ",") + // escape any commas in the fields + row[i] = strings.ReplaceAll(row[i], ",", "\\,") + case "CertificateID": + // join int slice to string + var certIDs []string + for _, id := range h.Ids { + certIDs = append(certIDs, strconv.Itoa(id)) + } + row[i] = strings.Join(certIDs, ",") + // escape any commas in the fields + row[i] = strings.ReplaceAll(row[i], ",", "\\,") + } + } + output = append(output, row) + } + // flatten into single string with newlines + var csvOutput []string + for _, o := range output { + //escape any commas in the fields + csvOutput = append(csvOutput, strings.Join(o, ",")) + } + return strings.Join(csvOutput, "\n") +} + +func (t *TrustStore) ToCSV() string { + // order CSV col based StoreHeader + output := make([]string, len(StoreHeader)) + for i, h := range StoreHeader { + switch h { + case "StoreID": + output[i] = t.StoreID + case "StoreType": + output[i] = t.StoreType + case "StoreMachine": + output[i] = t.StoreMachine + case "StorePath": + output[i] = t.StorePath + case "Inventory": + output[i] = fmt.Sprintf("%v", len(t.Inventory)) + case "ContainerName": + output[i] = t.ContainerName + case "ContainerID": + output[i] = fmt.Sprintf("%d", t.ContainerID) + } + } + //escape any commas in the fields + for i, o := range output { + output[i] = strings.ReplaceAll(o, ",", "\\,") + } + return strings.Join(output, ",") +} + +func (t *TrustStore) String() string { + return fmt.Sprintf( + "StoreID: %s, StoreType: %s, StoreMachine: %s, StorePath: %s, Inventory: %v", + t.StoreID, + t.StoreType, + t.StoreMachine, + t.StorePath, + len(t.Inventory), + ) +} + +type RootOfTrustCriteria struct { + MinCerts int + MaxLeaves int + MaxKeys int +} + +func (r *RootOfTrustManager) String() string { + output := "StoresFilePath: " + r.StoresFilePath + "\n" + output += "AddCertsFilePath: " + r.AddCertsFilePath + "\n" + output += "RemoveCertsFilePath: " + r.RemoveCertsFilePath + "\n" + output += "ReportFilePath: " + r.ReportFilePath + "\n" + output += "MinCerts: " + strconv.Itoa(r.TrustStoreCriteria.MinCerts) + "\n" + output += "MaxLeaves: " + strconv.Itoa(r.TrustStoreCriteria.MaxLeaves) + "\n" + output += "MaxKeys: " + strconv.Itoa(r.TrustStoreCriteria.MaxKeys) + "\n" + output += "AddCerts: \n" + for k, v := range r.addCerts { + output += "\t" + k + ": " + v + "\n" + } + output += "RemoveCerts: \n" + for k, v := range r.removeCerts { + output += "\t" + k + ": " + v + "\n" + } + output += "Actions: \n" + for k, v := range r.actions { + output += "\t" + k + ": \n" + for _, a := range v { + output += "\t\t" + a.Thumbprint + "\n" + output += "\t\t\tAddCert: " + fmt.Sprintf("%v", a.AddCert) + "\n" + output += "\t\t\tRemoveCert: " + fmt.Sprintf("%v", a.RemoveCert) + "\n" + } + } + + return output +} + +func (r *RootOfTrustManager) generateAuditReport() error { + log.Debug().Msg(fmt.Sprintf(DebugFuncEnter, "generateAuditReport")) + log.Info().Str("output_file", r.OutputFilePath).Msg("Generating audit report") + var ( + data [][]string + ) + + data = append(data, AuditHeader) + var csvFile *os.File + var fErr error + log.Debug().Str("output_file", r.OutputFilePath).Msg("Checking for output file") + if r.OutputFilePath == "" { + log.Debug().Str("output_file", reconcileDefaultFileName).Msg("No output file specified, using default") + csvFile, fErr = os.Create(reconcileDefaultFileName) + r.OutputFilePath = reconcileDefaultFileName + } else { + log.Debug().Str("output_file", r.OutputFilePath).Msg("Creating output file") + csvFile, fErr = os.Create(r.OutputFilePath) + } + + if fErr != nil { + fmt.Printf("%s", fErr) + log.Error().Err(fErr).Str("output_file", r.OutputFilePath).Msg("Error creating output file") + } + + log.Trace().Str("output_file", r.OutputFilePath).Msg("Creating CSV writer") + csvWriter := csv.NewWriter(csvFile) + log.Debug().Str("output_file", r.OutputFilePath).Strs("csv_header", AuditHeader).Msg("Writing header to CSV") + cErr := csvWriter.Write(AuditHeader) + if cErr != nil { + log.Error().Err(cErr).Str("output_file", r.OutputFilePath).Msg("Error writing header to CSV") + return cErr + } + + log.Trace().Str("output_file", r.OutputFilePath).Msg("Creating actions map") + actions := make(map[string][]ROTAction) + + var errs []error + + // process certs to add + addData, addActions, addErrs := r.processAddCerts(csvWriter) + errs = append( + errs, + addErrs..., + ) + data = append(data, addData...) + for k, v := range addActions { + actions[k] = append(actions[k], v...) + } + + // process certs to remove + removeData, removeActions, removeErrs := r.processRemoveCerts(csvWriter) + errs = append( + errs, + removeErrs..., + ) + data = append(data, removeData...) + for k, v := range removeActions { + actions[k] = append(actions[k], v...) + } + log.Trace(). + Str("output_file", r.OutputFilePath). + Msg("Flushing CSV writer") + csvWriter.Flush() + log.Trace(). + Str("output_file", r.OutputFilePath). + Msg("Closing CSV file") + ioErr := csvFile.Close() + if ioErr != nil { + log.Error(). + Err(ioErr). + Str("output_file", r.OutputFilePath). + Msg("Error closing CSV file") + } + log.Info(). + Str("output_file", r.OutputFilePath). + Msg("Audit report written to disk successfully") + fmt.Printf("Audit report written to %s\n", r.OutputFilePath) //todo: send to output formatter + fmt.Printf( + "Please review the report and run `kfutil stores rot reconcile --import-csv --input"+ + "-file %s` apply the changes\n", r.OutputFilePath, + ) //todo: send to output formatter + + r.actions = actions + r.data = data + + if len(errs) > 0 { + errStr := mergeErrsToString(&errs, false) + log.Trace().Str("output_file", r.OutputFilePath).Str( + "errors", + errStr, + ).Msg("The following errors occurred while generating audit report") + return fmt.Errorf("the following errors occurred while generating audit report:\r\n%s", errStr) + } + log.Debug().Msg(fmt.Sprintf(DebugFuncExit, "generateAuditReport")) + return nil +} + +func (r *RootOfTrustManager) processRemoveCerts( + csvWriter *csv.Writer, +) ( + [][]string, + map[string][]ROTAction, + []error, +) { + var ( + data [][]string + errs []error + actions = make(map[string][]ROTAction) + ) + for tp, cId := range r.removeCerts { + log.Debug().Str("thumbprint", tp). + Str("cert_id", cId). + Msg("Looking up certificate") + certLookupReq := api.GetCertificateContextArgs{} + if cId != "" { + certIdInt, cErr := strconv.Atoi(cId) + if cErr != nil { + log.Error(). + Err(cErr). + Str("thumbprint", tp). + Msg("Error converting cert ID to integer, skipping") + errs = append(errs, cErr) + continue + } + certLookupReq = api.GetCertificateContextArgs{ + IncludeMetadata: boolToPointer(true), + IncludeLocations: boolToPointer(true), + CollectionId: nil, //todo: add CollectionID support + Thumbprint: "", + Id: certIdInt, + } + } else { + certLookupReq = api.GetCertificateContextArgs{ + IncludeMetadata: boolToPointer(true), + IncludeLocations: boolToPointer(true), + CollectionId: nil, //todo: add CollectionID support + Thumbprint: tp, + Id: 0, //todo: should also allow KFC ID + } + } + + log.Debug(). + Str("thumbprint", tp). + Msg(fmt.Sprintf(DebugFuncCall, "Client.GetCertificateContext")) + certLookup, err := r.Client.GetCertificateContext(&certLookupReq) + if err != nil { + log.Error(). + Err(err). + Str("thumbprint", tp). + Msg("Error looking up certificate, skipping") + errMsg := fmt.Errorf( + "error recieved from Keyfactor Command when looking up thumbprint '%s':'%w'", + tp, + err, + ) + errs = append(errs, errMsg) + continue + } + certID := certLookup.Id + log.Debug().Int("certID", certID).Msg("Processing cert to remove") + //certIDStr := certLookup.Id + log.Debug().Str("thumbprint", tp).Msg("Iterating over stores") + for _, store := range r.Stores { + log.Debug().Str("thumbprint", tp).Str( + "store_id", + store.StoreID, + ).Msg("Checking if cert is deployed to store") + //TODO: This logic should be replaced by receiver method on TrustStore + //if _, ok := store.Inventory; !ok { + // // Cert is already in the store do nothing + // log.Info().Str("thumbprint", tp).Str("store_id", store.ID).Msg("Cert is not deployed to store") + // row := []string{ + // //todo: this should be a toCSV field on whatever object this is + // tp, + // certIDStr, + // certLookup.IssuedDN, + // certLookup.IssuerDN, + // store.ID, + // store.Type, + // store.Machine, + // store.Path, + // "false", // Add to store + // "false", // Remove from store + // "false", // Is Deployed + // getCurrentTime(""), + // } + // log.Trace().Str("thumbprint", tp).Strs("row", row).Msg("Appending data row") + // data = append(data, row) + // log.Trace().Str("thumbprint", tp).Strs("row", row).Msg("Writing data row to CSV") + // wErr := csvWriter.Write(row) + // if wErr != nil { + // log.Error(). + // Err(wErr). + // Str("thumbprint", tp). + // Str("output_file", r.OutputFilePath). + // Strs("row", row). + // Msg("Error writing row to CSV") + // } + //} else { + // // Cert is deployed to this store and will need to be removed + // log.Info(). + // Str("thumbprint", tp). + // Str("store_id", store.ID). + // Msg("Cert is deployed to store") + // row := []string{ + // //todo: this should be a toCSV + // tp, + // certIDStr, + // certLookup.IssuedDN, + // certLookup.IssuerDN, + // store.ID, + // store.Type, + // store.Machine, + // store.Path, + // "false", // Add to store + // "true", // Remove from store + // "true", // Is Deployed + // getCurrentTime(""), + // } + // log.Trace(). + // Str("thumbprint", tp). + // Strs("row", row). + // Msg("Appending data row") + // data = append(data, row) + // log.Debug(). + // Str("thumbprint", tp). + // Strs("row", row). + // Msg("Writing data row to CSV") + // wErr := csvWriter.Write(row) + // if wErr != nil { + // log.Error(). + // Err(wErr). + // Str("thumbprint", tp). + // Str("output_file", r.OutputFilePath). + // Strs("row", row). + // Msg("Error writing row to CSV") + // } + // log.Debug(). + // Str("thumbprint", tp). + // Msg("Adding 'remove' action to actions map") + // actions[tp] = append( + // actions[tp], ROTAction{ + // Thumbprint: tp, + // StoreAlias: "", //TODO get this value + // CertID: certID, + // StoreID: store.ID, + // StoreType: store.Type, + // StorePath: store.Path, + // AddCert: false, + // RemoveCert: true, + // Deployed: true, + // }, + // ) + //} + } + } + return data, actions, errs +} + +func (r *RootOfTrustManager) processAddCerts( + csvWriter *csv.Writer, +) ( + [][]string, + map[string][]ROTAction, + []error, +) { + var ( + data [][]string + errs []error + actions = make(map[string][]ROTAction) + ) + for tp, cId := range r.addCerts { + log.Debug().Str("thumbprint", tp). + Str("cert_id", cId). + Msg("Looking up certificate") + certLookupReq := api.GetCertificateContextArgs{} + if cId != "" { + certIdInt, cErr := strconv.Atoi(cId) + if cErr != nil { + log.Error(). + Err(cErr). + Str("thumbprint", tp). + Msg("Error converting cert ID to integer, skipping") + errs = append(errs, cErr) + continue + } + certLookupReq = api.GetCertificateContextArgs{ + IncludeMetadata: boolToPointer(true), + IncludeLocations: boolToPointer(true), + CollectionId: nil, //todo: add CollectionID support + Thumbprint: "", + Id: certIdInt, + } + } else { + certLookupReq = api.GetCertificateContextArgs{ + IncludeMetadata: boolToPointer(true), + IncludeLocations: boolToPointer(true), + CollectionId: nil, //todo: add CollectionID support + Thumbprint: tp, + Id: 0, //todo: should also allow KFC ID + } + } + + log.Debug(). + Str("thumbprint", tp). + Msg(fmt.Sprintf(DebugFuncCall, "Client.GetCertificateContext")) + certLookup, err := r.Client.GetCertificateContext(&certLookupReq) + if err != nil { + log.Error(). + Err(err). + Str("thumbprint", tp). + Msg("Error looking up certificate, skipping") + errMsg := fmt.Errorf( + "error recieved from Keyfactor Command when looking up thumbprint '%s':'%w'", + tp, + err, + ) + errs = append(errs, errMsg) + continue + } + certID := certLookup.Id + log.Debug().Int("certID", certID).Msg("Processing cert to add") + log.Debug().Str("thumbprint", tp).Msg("Iterating over stores") + for _, store := range r.Stores { + log.Debug().Str("thumbprint", tp).Str( + "store_id", + store.StoreID, + ).Msg("Checking if cert is deployed to store") + //TODO: this should all be handled by a receiver function on TrustStore + //if _, ok := store.Thumbprints[tp]; ok { + // // Cert is already in the store do nothing + // log.Info().Str("thumbprint", tp).Str("store_id", store.ID).Msg("Cert is already deployed to store") + // row := []string{ + // //todo: this should be a toCSV field on whatever object this is + // tp, + // certIDStr, + // certLookup.IssuedDN, + // certLookup.IssuerDN, + // store.ID, + // store.Type, + // store.Machine, + // store.Path, + // "false", + // "false", + // "true", + // getCurrentTime(""), + // } + // log.Trace().Str("thumbprint", tp).Strs("row", row).Msg("Appending data row") + // data = append(data, row) + // log.Trace().Str("thumbprint", tp).Strs("row", row).Msg("Writing data row to CSV") + // wErr := csvWriter.Write(row) + // if wErr != nil { + // log.Error(). + // Err(wErr). + // Str("thumbprint", tp). + // Str("output_file", r.OutputFilePath). + // Strs("row", row). + // Msg("Error writing row to CSV") + // } + //} else { + // // Cert is not deployed to this store and will need to be added + // log.Info(). + // Str("thumbprint", tp). + // Str("store_id", store.ID). + // Msg("Cert is not deployed to store") + // row := []string{ + // //todo: this should be a toCSV + // tp, + // certIDStr, + // certLookup.IssuedDN, + // certLookup.IssuerDN, + // store.ID, + // store.Type, + // store.Machine, + // store.Path, + // "true", + // "false", + // "false", + // getCurrentTime(""), + // } + // log.Trace(). + // Str("thumbprint", tp). + // Strs("row", row). + // Msg("Appending data row") + // data = append(data, row) + // log.Debug(). + // Str("thumbprint", tp). + // Strs("row", row). + // Msg("Writing data row to CSV") + // wErr := csvWriter.Write(row) + // if wErr != nil { + // log.Error(). + // Err(wErr). + // Str("thumbprint", tp). + // Str("output_file", r.OutputFilePath). + // Strs("row", row). + // Msg("Error writing row to CSV") + // } + // log.Debug(). + // Str("thumbprint", tp). + // Msg("Adding 'add' action to actions map") + // actions[tp] = append( + // actions[tp], ROTAction{ + // Thumbprint: tp, + // CertID: certID, + // StoreID: store.ID, + // StoreType: store.Type, + // StorePath: store.Path, + // StoreAlias: "", //TODO get this value + // AddCert: true, + // RemoveCert: false, + // Deployed: false, + // }, + // ) + //} + } + } + return data, actions, errs +} + +func (r *RootOfTrustManager) reconcileRoots() error { + log.Debug().Msg(fmt.Sprintf(DebugFuncEnter, "reconcileRoots")) + if len(r.actions) == 0 { + log.Info().Msg("No actions to reconcile detected, root of trust stores are up-to-date.") + return nil + } + log.Info().Msg("Reconciling root of trust stores") + + rFileName := fmt.Sprintf("%s_reconciled.csv", strings.Split(r.ReportFilePath, ".csv")[0]) + log.Debug(). + Str("report_file", r.ReportFilePath). + Str("reconciled_file", rFileName). + Msg("Creating reconciled report file") + csvFile, fErr := os.Create(rFileName) + if fErr != nil { + log.Error(). + Err(fErr). + Str("reconciled_file", rFileName). + Msg("Error creating reconciled report file") + return fErr + } + log.Trace().Str("reconciled_file", rFileName).Msg("Creating CSV writer") + csvWriter := csv.NewWriter(csvFile) + + log.Debug().Str("reconciled_file", rFileName).Strs("csv_header", ReconciledAuditHeader).Msg("Writing header to CSV") + cErr := csvWriter.Write(ReconciledAuditHeader) + if cErr != nil { + log.Error().Err(cErr).Str("reconciled_file", rFileName).Msg("Error writing header to CSV") + return cErr + } + log.Info().Str("report_file", r.ReportFilePath).Msg("Processing reconciliation actions") + var errs []error + for thumbprint, action := range r.actions { + for _, a := range action { + if a.AddCert { + if !r.IsDryRun { + log.Info().Str("thumbprint", thumbprint).Str("store_id", a.StoreID).Str( + "store_path", + a.StorePath, + ).Msg("Attempting to add cert to store") + log.Debug().Str("thumbprint", thumbprint).Str( + "store_id", + a.StoreID, + ).Msg("Creating orchestrator 'add' job request") + + log.Trace().Str("thumbprint", thumbprint).Str( + "store_id", + a.StoreID, + ).Msg("Creating certificate store object") + apiStore := api.CertificateStore{ + CertificateStoreId: a.StoreID, + Overwrite: true, + } + + log.Trace().Str("thumbprint", thumbprint).Str( + "store_id", + a.StoreID, + ).Msg("Creating certificate store array") + var stores []api.CertificateStore + log.Trace().Str("thumbprint", thumbprint).Str( + "store_id", + a.StoreID, + ).Msg("Appending certificate store to array") + stores = append(stores, apiStore) + + log.Trace().Str("thumbprint", thumbprint).Str( + "store_id", + a.StoreID, + ).Msg("Creating inventory 'immediate' schedule") + schedule := &api.InventorySchedule{ + Immediate: boolToPointer(true), + } + + log.Trace().Str("thumbprint", thumbprint).Str( + "store_id", + a.StoreID, + ).Msg("Creating add certificate request") + addReq := api.AddCertificateToStore{ + CertificateId: a.CertID, + CertificateStores: &stores, + InventorySchedule: schedule, + } + + log.Trace().Str("thumbprint", thumbprint).Interface( + "add_request", + addReq, + ).Msg("Converting add request to JSON") + addReqJSON, jErr := json.Marshal(addReq) + if jErr != nil { + log.Error().Err(jErr).Str("thumbprint", thumbprint).Msg("Error converting add request to JSON") + errMsg := fmt.Errorf( + "error converting add request for '%s' in stores '%v' to JSON: %s", + thumbprint, stores, jErr, + ) + errs = append(errs, errMsg) + continue + } + log.Debug().Str("thumbprint", thumbprint).Str( + "add_request", + string(addReqJSON), + ).Msg(fmt.Sprintf(DebugFuncCall, "Client.AddCertificateToStores")) + _, err := r.Client.AddCertificateToStores(&addReq) + if err != nil { + fmt.Printf( + "ERROR adding cert %s(%d) to store %s: %s\n", + a.Thumbprint, + a.CertID, + a.StoreID, + err, + ) + log.Error().Err(err).Str("thumbprint", thumbprint).Str( + "store_id", + a.StoreID, + ).Str("store_path", a.StorePath).Msg("unable to add cert to store") + continue + } + } else { + log.Info().Str("thumbprint", thumbprint).Str( + "store_id", + a.StoreID, + ).Msg("DRY RUN: Would have added cert to store") + } + } else if a.RemoveCert { + if !r.IsDryRun { + log.Info().Str("thumbprint", thumbprint).Str( + "store_id", + a.StoreID, + ).Msg("Attempting to remove cert from store") + cStore := api.CertificateStore{ + CertificateStoreId: a.StoreID, + Alias: a.Thumbprint, //todo: support non-thumbprint aliases + } + log.Trace().Interface("store_object", cStore).Msg("Converting store to slice of single store") + var stores []api.CertificateStore + stores = append(stores, cStore) + + log.Trace().Str("thumbprint", thumbprint).Str( + "store_id", + a.StoreID, + ).Msg("Creating inventory 'immediate' schedule") + schedule := &api.InventorySchedule{ + Immediate: boolToPointer(true), + } + + log.Trace().Str("thumbprint", thumbprint).Str( + "store_id", + a.StoreID, + ).Msg("Creating remove certificate request") + removeReq := api.RemoveCertificateFromStore{ + CertificateId: a.CertID, + CertificateStores: &stores, + InventorySchedule: schedule, + } + log.Debug().Str("thumbprint", thumbprint).Interface( + "remove_request", + removeReq, + ).Msg(fmt.Sprintf(DebugFuncCall, "Client.RemoveCertificateFromStores")) + _, err := r.Client.RemoveCertificateFromStores(&removeReq) + if err != nil { + log.Error().Err(err).Str("thumbprint", thumbprint).Str( + "store_id", + a.StoreID, + ).Str("store_path", a.StorePath).Msg("unable to remove cert from store") + fmt.Printf( + "ERROR removing cert %s(%d) from store %s: %s\n", + a.Thumbprint, + a.CertID, + a.StoreID, + err, + ) + } + } else { + fmt.Printf( + "DRY RUN: Would have removed cert %s from store %s\n", thumbprint, + a.StoreID, + ) //todo: propagate back to CLI + log.Info().Str("thumbprint", thumbprint).Str( + "store_id", + a.StoreID, + ).Msg("DRY RUN: Would have removed cert from store") + } + } + } + } + log.Info().Str("reconciled_file", rFileName).Msg("Reconciliation actions scheduled on Keyfactor Command") + if len(errs) > 0 { + errStr := mergeErrsToString(&errs, false) + log.Trace().Str("reconciled_file", rFileName).Str( + "errors", + errStr, + ).Msg("The following errors occurred while reconciling actions") + return fmt.Errorf("The following errors occurred while reconciling actions:\r\n%s", errStr) + } + log.Debug().Msg(fmt.Sprintf(DebugFuncExit, "reconcileRoots")) + return nil +} + +func (r *RootOfTrustManager) processStoresFile() error { + log.Debug().Str("stores_file", r.StoresFilePath).Msg("Reading in stores file") + csvFile, _ := os.Open(r.StoresFilePath) + reader := csv.NewReader(bufio.NewReader(csvFile)) + storeEntries, _ := reader.ReadAll() + var stores = make(map[string]StoreCSVEntry) + var lookupFailures []string + var errs []error + for i, row := range storeEntries { + if len(row) == 0 { + log.Warn(). + Str("stores_file", r.StoresFilePath). + Int("row", i).Msg("Skipping empty row") + continue + } else if row[0] == "StoreID" || row[0] == "StoreId" || i == 0 { + log.Trace().Strs("row", row).Msg("Skipping header row") + continue // Skip header + } + + log.Debug().Strs("row", row). + Str("store_id", row[0]). + Msg(fmt.Sprintf(DebugFuncCall, "Client.GetCertificateStoreByID")) + apiResp, err := r.Client.GetCertificateStoreByID(row[0]) + if err != nil { + errs = append(errs, err) + log.Error().Err(err).Str("store_id", row[0]).Msg("failed to retrieve store from Keyfactor Command") + lookupFailures = append(lookupFailures, row[0]) + continue + } + + log.Debug().Str("store_id", row[0]).Msg(fmt.Sprintf(DebugFuncCall, "Client.GetCertStoreInventoryV1")) + inventory, invErr := r.Client.GetCertStoreInventory(row[0]) + if invErr != nil { + errs = append(errs, invErr) + log.Error().Err(invErr).Str( + "store_id", + row[0], + ).Msg("failed to retrieve inventory for certificate store from Keyfactor Command") + continue + } + + if !isRootStore( + apiResp, + inventory, + r.TrustStoreCriteria.MinCerts, + r.TrustStoreCriteria.MaxLeaves, + r.TrustStoreCriteria.MaxKeys, + ) { + log.Error().Str( + "store_id", + row[0], + ).Msg("Store is not considered a root of trust store and will be excluded.") + errs = append(errs, fmt.Errorf("store '%s' is not considered a root of trust store", row[0])) + continue + } + + log.Info().Str("store_id", row[0]).Msg("Store is considered a root of trust store") + log.Trace().Str("store_id", row[0]).Msg("Creating StoreCSVEntry object") + stores[row[0]] = StoreCSVEntry{ + ID: row[0], + Type: row[1], + Machine: row[2], + Path: row[3], + Thumbprints: make(map[string]bool), + Serials: make(map[string]bool), + Ids: make(map[int]bool), + Aliases: make(map[string]bool), + } + + log.Debug().Str("store_id", row[0]).Msg( + "Iterating over inventory for thumbprints, " + + "serial numbers and cert IDs", + ) + + if _, exists := r.Stores[row[0]]; !exists { + log.Trace().Str("store_id", row[0]).Msg("Store not found in TrustStore map") + return fmt.Errorf("unable to process stores file, store '%s' not found in TrustStore map", row[0]) + } + + // Directly modify the Inventory field without needing to reassign the struct + r.Stores[row[0]].Inventory = *inventory + } + if len(lookupFailures) > 0 { + errMsg := fmt.Errorf("The following stores were not found:\r\n%s", strings.Join(lookupFailures, ",\r\n")) + fmt.Printf(errMsg.Error()) + log.Error().Err(errMsg). + Strs("lookup_failures", lookupFailures). + Msg("The following stores could not be found") + if len(errs) > 0 { + apiErrs := mergeErrsToString(&errs, false) + errMsg = fmt.Errorf("%s\r\n%s", errMsg, apiErrs) + } + return errMsg + } + if len(stores) == 0 { + errMsg := fmt.Errorf("no root of trust stores found that meet the defined criteria") + log.Error(). + Err(errMsg). + Int("min_certs", r.TrustStoreCriteria.MinCerts). + Int("max_leaves", r.TrustStoreCriteria.MaxLeaves). + Int("max_keys", r.TrustStoreCriteria.MaxKeys).Send() + errs = append(errs, errMsg) + } + + if len(errs) > 0 { + apiErrs := mergeErrsToString(&errs, false) + return fmt.Errorf(apiErrs) + } + + //r.stores = stores + return nil +} + +func (r *RootOfTrustManager) processAddCertsFile() (map[string]string, error) { + var errs []error + log.Info().Str("add_certs_file", r.AddCertsFilePath).Msg("Reading certs to add file") + log.Debug().Str("add_certs_file", r.AddCertsFilePath).Msg(fmt.Sprintf(DebugFuncCall, "readCertsFile")) + certsToAdd, rErr := readCertsFile(r.AddCertsFilePath) + if rErr != nil { + log.Error().Err(rErr).Str("add_certs_file", r.AddCertsFilePath).Msg("Error reading certs to add file") + errs = append(errs, rErr) + } + + if len(errs) > 0 { + apiErrs := mergeErrsToString(&errs, false) + return certsToAdd, fmt.Errorf(apiErrs) + } + + log.Debug().Str("add_certs_file", r.AddCertsFilePath).Msg("finished reading certs to add file") + return certsToAdd, nil +} + +func (r *RootOfTrustManager) processRemoveCertsFile() (map[string]string, error) { + var errs []error + log.Info().Str("remove_certs_file", r.RemoveCertsFilePath).Msg("Reading certs to remove file") + log.Debug().Str("remove_certs_file", r.RemoveCertsFilePath).Msg(fmt.Sprintf(DebugFuncCall, "readCertsFile")) + certsToRemove, rErr := readCertsFile(r.RemoveCertsFilePath) + if rErr != nil { + log.Error().Err(rErr).Str("remove_certs_file", r.RemoveCertsFilePath).Msg("Error reading certs to remove file") + errs = append(errs, rErr) + } + + if len(errs) > 0 { + apiErrs := mergeErrsToString(&errs, false) + return certsToRemove, fmt.Errorf(apiErrs) + } + + log.Debug().Str("remove_certs_file", r.RemoveCertsFilePath).Msg("finished reading certs to remove file") + return certsToRemove, nil +} + +func (r *RootOfTrustManager) processCertsFiles() error { + var errs []error + var certsToAdd = make(map[string]string) + var rErr error + if r.AddCertsFilePath == "" { + log.Info().Msg("No add certs file specified, add operations will not be performed") + } else { + certsToAdd, rErr = r.processAddCertsFile() + if rErr != nil { + errs = append(errs, rErr) + } + } + + // Read in the remove removeCerts CSV + var certsToRemove = make(map[string]string) + if r.RemoveCertsFilePath == "" { + log.Info().Msg("No remove certs file specified, remove operations will not be performed") + } else { + certsToRemove, rErr = r.processRemoveCertsFile() + if rErr != nil { + errs = append(errs, rErr) + } + } + + if len(errs) > 0 { + apiErrs := mergeErrsToString(&errs, false) + return fmt.Errorf(apiErrs) + } + + if len(certsToAdd) == 0 && len(certsToRemove) == 0 { + errMsg := "no ADD or REMOVE operations specified, please verify your configuration" + e := fmt.Errorf(errMsg) + log.Error().Err(e).Send() + fmt.Println(errMsg) + return e + } + + r.addCerts = certsToAdd + r.removeCerts = certsToRemove + + return nil +} + +func (r *RootOfTrustManager) processAuditReportFile() error { + log.Trace(). + Interface("certs_to_add", r.addCerts). + Interface("certs_to_remove", r.removeCerts). + Str("stores_file", r.StoresFilePath). + Msg("Generating audit report") + + log.Debug(). + Msg(fmt.Sprintf(DebugFuncCall, "generateAuditReport")) + err := r.generateAuditReport() + log.Trace().Interface("data", r.data).Msg("Audit report data") + if err != nil { + log.Error(). + Err(err). + Str("OutputFilePath", r.OutputFilePath). + Msg("Error generating audit report") + return err + } + if len(r.actions) == 0 { + msg := "no reconciliation actions to take, the specified root of trust stores are up-to-date" + log.Warn(). + Str("stores_file", r.StoresFilePath). + Str("add_certs_file", r.AddCertsFilePath). + Str("remove_certs_file", r.RemoveCertsFilePath). + Msg(msg) + fmt.Println(msg) //todo send to output formatter + } + return nil +} + +func (r *RootOfTrustManager) processCSVReportFile() error { + log.Debug(). + Str("report_file", r.ReportFilePath). + Bool("dry_run", r.IsDryRun). + Msg("Parsing existing audit report") + // Read in the CSV + + log.Debug(). + Str("report_file", r.ReportFilePath). + Msg("reading audit report file") + + csvFile, err := os.Open(r.ReportFilePath) + if err != nil { + log.Error().Err(err).Str("report_file", r.ReportFilePath).Msg("Error reading audit report file") + return err + } + + validHeader := false + log.Trace().Str("report_file", r.ReportFilePath).Msg("Creating CSV reader") + aCSV := csv.NewReader(csvFile) + aCSV.FieldsPerRecord = -1 + log.Debug().Str("report_file", r.ReportFilePath).Msg("Reading CSV data") + inFile, cErr := aCSV.ReadAll() + if cErr != nil { + log.Error().Err(cErr).Str("report_file", r.ReportFilePath).Msg("Error reading CSV file") + return cErr + } + + actions := make(map[string][]ROTAction) + fieldMap := make(map[int]string) + + log.Debug().Str("report_file", r.ReportFilePath). + Strs("csv_header", AuditHeader). + Msg("Creating field map, index to header name") + for i, field := range AuditHeader { + log.Trace().Str("report_file", r.ReportFilePath).Str("field", field).Int( + "index", + i, + ).Msg("Processing field") + fieldMap[i] = field + } + + log.Debug().Str("report_file", r.ReportFilePath).Msg("Iterating over CSV rows") + var errs []error + for ri, row := range inFile { + log.Trace().Str("report_file", r.ReportFilePath).Strs("row", row).Msg("Processing row") + if strings.EqualFold(strings.Join(row, ","), strings.Join(AuditHeader, ",")) { + log.Trace().Str("report_file", r.ReportFilePath).Strs("row", row).Msg("Skipping header row") + validHeader = true + continue // Skip header + } + if !validHeader { + invalidHeaderErr := fmt.Errorf( + "invalid header in audit report file please use '%s'", strings.Join( + AuditHeader, + ",", + ), + ) + log.Error().Err(invalidHeaderErr).Str( + "report_file", + r.ReportFilePath, + ).Msg("Invalid header in audit report file") + return invalidHeaderErr + } + + log.Debug().Str("report_file", r.ReportFilePath).Msg("Creating action map") + action := make(map[string]interface{}) + for i, field := range row { + log.Trace().Str("report_file", r.ReportFilePath).Str("field", field).Int( + "index", + i, + ).Msg("Processing field") + fieldInt, iErr := strconv.Atoi(field) + if iErr != nil { + log.Trace().Err(iErr).Str("report_file", r.ReportFilePath). + Str("field", field). + Int("index", i). + Msg("Field is not an integer, replacing with index value") + action[fieldMap[i]] = field + } else { + log.Trace().Err(iErr).Str("report_file", r.ReportFilePath). + Str("field", field). + Int("index", i). + Msg("Field is an integer") + action[fieldMap[i]] = fieldInt + } + } + + log.Debug().Str("report_file", r.ReportFilePath).Msg("Processing add cert action") + addCertStr, aOk := action["AddCert"].(string) + if !aOk { + log.Warn().Str("report_file", r.ReportFilePath).Msg( + "AddCert field not found in action, " + + "using empty string", + ) + addCertStr = "" + } + + log.Trace().Str("report_file", r.ReportFilePath).Str( + "add_cert", + addCertStr, + ).Msg("Converting addCertStr to bool") + addCert, acErr := strconv.ParseBool(addCertStr) + if acErr != nil { + log.Warn().Str("report_file", r.ReportFilePath).Err(acErr).Msg( + "Unable to parse bool from addCertStr, defaulting to FALSE", + ) + addCert = false + } + + log.Debug().Str("report_file", r.ReportFilePath).Msg("Processing remove cert action") + removeCertStr, rOk := action["RemoveCert"].(string) + if !rOk { + log.Warn().Str("report_file", r.ReportFilePath).Msg( + "RemoveCert field not found in action, " + + "using empty string", + ) + removeCertStr = "" + } + log.Trace().Str("report_file", r.ReportFilePath).Str( + "remove_cert", + removeCertStr, + ).Msg("Converting removeCertStr to bool") + removeCert, rcErr := strconv.ParseBool(removeCertStr) + if rcErr != nil { + log.Warn(). + Str("report_file", r.ReportFilePath). + Err(rcErr). + Msg("Unable to parse bool from removeCertStr, defaulting to FALSE") + removeCert = false + } + + log.Trace().Str("report_file", r.ReportFilePath).Msg("Processing store type") + sType, sOk := action["StoreType"].(string) + if !sOk { + log.Warn().Str("report_file", r.ReportFilePath).Msg( + "StoreType field not found in action, " + + "using empty string", + ) + sType = "" + } + + log.Trace().Str("report_file", r.ReportFilePath).Msg("Processing store path") + sPath, pOk := action["Path"].(string) + if !pOk { + log.Warn().Str("report_file", r.ReportFilePath).Msg( + "Path field not found in action, " + + "using empty string", + ) + sPath = "" + } + + log.Trace().Str("report_file", r.ReportFilePath).Msg("Processing thumbprint") + tp, tpOk := action["Thumbprint"].(string) + if !tpOk { + log.Warn().Str("report_file", r.ReportFilePath).Msg( + "Thumbprint field not found in action, " + + "using empty string", + ) + tp = "" + } + + log.Trace().Str("report_file", r.ReportFilePath).Msg("Processing cert id") + cid, cidOk := action["CertID"].(int) + if !cidOk { + log.Warn().Str("report_file", r.ReportFilePath).Msg( + "CertID field not found in action, " + + "using -1", + ) + cid = -1 + } + + if !tpOk && !cidOk { + errMsg := fmt.Errorf("row is missing Thumbprint or CertID") + log.Error().Err(errMsg). + Str("report_file", r.ReportFilePath). + Int("row", ri). + Msg("Invalid row in audit report file") + errs = append(errs, errMsg) + continue + } + + sId, sIdOk := action["StoreID"].(string) + if !sIdOk { + errMsg := fmt.Errorf("row is missing StoreID") + log.Error().Err(errMsg). + Str("report_file", r.ReportFilePath). + Int("row", ri). + Msg("Invalid row in audit report file") + errs = append(errs, errMsg) + continue + } + if cid == -1 && tp != "" { + log.Debug().Str("report_file", r.ReportFilePath). + Int("row", ri). + Str("thumbprint", tp). + Msg("Looking up certificate by thumbprint") + certLookupReq := api.GetCertificateContextArgs{ + IncludeMetadata: boolToPointer(true), + IncludeLocations: boolToPointer(true), + CollectionId: nil, //todo: add support for collection ID + Thumbprint: tp, + Id: 0, //force to 0 as -1 will error out the API request + } + log.Debug().Str("report_file", r.ReportFilePath). + Int("row", ri). + Str("thumbprint", tp). + Msg(fmt.Sprintf(DebugFuncCall, "Client.GetCertificateContext")) + + certLookup, err := r.Client.GetCertificateContext(&certLookupReq) + if err != nil { + log.Error().Err(err).Str("report_file", r.ReportFilePath). + Int("row", ri). + Str("thumbprint", tp). + Msg("Error looking up certificate by thumbprint") + continue + } + cid = certLookup.Id + log.Debug().Str("report_file", r.ReportFilePath). + Int("row", ri). + Str("thumbprint", tp). + Int("cert_id", cid). + Msg("Certificate found by thumbprint") + } + + log.Trace().Str("report_file", r.ReportFilePath). + Int("row", ri). + Str("store_id", sId). + Str("store_type", sType). + Str("store_path", sPath). + Str("thumbprint", tp). + Int("cert_id", cid). + Bool("add_cert", addCert). + Bool("remove_cert", removeCert). + Msg("Creating reconciliation action") + a := ROTAction{ + StoreID: sId, + StoreType: sType, + StorePath: sPath, + Thumbprint: tp, + CertID: cid, + AddCert: addCert, + RemoveCert: removeCert, + } + + log.Trace().Str("report_file", r.ReportFilePath). + Int("row", ri).Interface("action", a).Msg("Adding action to actions map") + actions[a.Thumbprint] = append(actions[a.Thumbprint], a) + } + + log.Info().Str("report_file", r.ReportFilePath).Msg("Audit report parsed successfully") + if len(actions) == 0 { + rtMsg := "No reconciliation actions to take, root stores are up-to-date. Exiting." + log.Info().Str("report_file", r.ReportFilePath). + Msg(rtMsg) + fmt.Println(rtMsg) + if len(errs) > 0 { + errStr := mergeErrsToString(&errs, false) + log.Error().Str("report_file", r.ReportFilePath). + Str("errors", errStr). + Msg("Errors encountered while parsing audit report") + return fmt.Errorf("errors encountered while parsing audit report: %s", errStr) + } + return nil + } + + r.actions = actions + log.Debug().Str("report_file", r.ReportFilePath).Msg(fmt.Sprintf(DebugFuncCall, "reconcileRoots")) + rErr := r.reconcileRoots() + if rErr != nil { + log.Error().Err(rErr).Str("report_file", r.ReportFilePath).Msg("Error reconciling roots") + return rErr + } + defer csvFile.Close() + + orchsURL := fmt.Sprintf( + "https://%s/Keyfactor/Portal/AgentJobStatus/Index", + r.Client.Hostname, + ) //todo: this pathing might not work for everyone + + if len(errs) > 0 { + errStr := mergeErrsToString(&errs, false) + log.Error().Str("report_file", r.ReportFilePath). + Str("errors", errStr). + Msg("Errors encountered while reconciling root of trust stores") + return fmt.Errorf("errors encountered while reconciling roots:\r\n%s", errStr) + + } + + log.Info().Str("report_file", r.ReportFilePath). + Str("orchs_url", orchsURL). + Msg("Reconciliation completed. Check orchestrator jobs for details") + fmt.Println(fmt.Sprintf("Reconciliation completed. Check orchestrator jobs for details. %s", orchsURL)) + + return nil +} diff --git a/cmd/rot_models.go b/cmd/rot_models.go index 84ed203..b647c87 100644 --- a/cmd/rot_models.go +++ b/cmd/rot_models.go @@ -9,6 +9,7 @@ import ( var ( AuditHeader = []string{ + "Alias", "Thumbprint", "CertID", "SubjectName", @@ -23,6 +24,7 @@ var ( "AuditDate", } ReconciledAuditHeader = []string{ + "Alias", "Thumbprint", "CertID", "SubjectName", @@ -78,6 +80,7 @@ type StoreCSVEntry struct { Path string `json:"path"` Thumbprints map[string]bool `json:"thumbprints,omitempty"` Serials map[string]bool `json:"serials,omitempty"` + Aliases map[string]bool `json:"aliases,omitempty"` Ids map[int]bool `json:"ids,omitempty"` } type ROTCert struct { @@ -125,7 +128,6 @@ type ROTAction struct { StoreType string `json:"store_type" mapstructure:"StoreType"` Machine string `json:"client_machine" mapstructure:"Machine"` StorePath string `json:"store_path" mapstructure:"Path"` - Alias string `json:"alias" mapstructure:"Alias,omitempty"` AddCert bool `json:"add" mapstructure:"AddCert"` RemoveCert bool `json:"remove" mapstructure:"RemoveCert"` Deployed bool `json:"deployed" mapstructure:"Deployed"` diff --git a/cmd/status.go b/cmd/status.go index 5e1a9b8..635fb56 100644 --- a/cmd/status.go +++ b/cmd/status.go @@ -16,8 +16,9 @@ package cmd import ( "fmt" - "github.com/spf13/cobra" "log" + + "github.com/spf13/cobra" ) // statusCmd represents the status command @@ -40,8 +41,8 @@ var statusCmd = &cobra.Command{ log.Fatalf("[ERROR]: %s", expErr) } - //kfClient, _ := initClient(configFile, profile, noPrompt) - //status, err := kfClient.GetStatus() + //Client, _ := initClient(configFile, profile, noPrompt) + //status, err := Client.GetStatus() //if err != nil { // log.Printf("Error: %s", err) //} diff --git a/cmd/storeTypes.go b/cmd/storeTypes.go index e9ef5b2..ab1c350 100644 --- a/cmd/storeTypes.go +++ b/cmd/storeTypes.go @@ -402,7 +402,7 @@ func createStoreFromFile(filename string, kfClient *api.Client) (*api.Certificat return nil, err } - // Use the Keyfactor client to create the store type + // Use the Keyfactor Client to create the store type createResp, err := kfClient.CreateStoreType(&storeType) if err != nil { return nil, err @@ -443,7 +443,7 @@ func getStoreTypesInternet(gitRef string) (map[string]interface{}, error) { return result2, nil } -//func getStoreTypesFromCommand(kfClient *api.Client) (map[string]interface{}, error) { +//func getStoreTypesFromCommand(Client *api.Client) (map[string]interface{}, error) { // //} diff --git a/cmd/storeTypes_get.go b/cmd/storeTypes_get.go index 74f8c85..dda93db 100644 --- a/cmd/storeTypes_get.go +++ b/cmd/storeTypes_get.go @@ -19,6 +19,7 @@ package cmd import ( "encoding/json" "fmt" + "github.com/AlecAivazis/survey/v2" "github.com/Keyfactor/keyfactor-go-client/v2/api" "github.com/rs/zerolog/log" @@ -65,9 +66,27 @@ func CreateStoreTypesGetFlags() *StoreTypesGetFlags { func (f *StoreTypesGetFlags) AddFlags(flags *pflag.FlagSet) { flags.IntVarP(f.storeTypeID, "id", "i", -1, "ID of the certificate store type to get.") flags.StringVarP(f.storeTypeName, "name", "n", "", "Name of the certificate store type to get.") - flags.BoolVarP(f.genericFormat, "generic", "g", false, "Output the store type in a generic format stripped of all fields specific to the Command instance.") - flags.StringVarP(f.gitRef, FlagGitRef, "b", "main", "The git branch or tag to reference when pulling store-types from the internet.") - flags.BoolVarP(f.outputToIntegrationManifest, "output-to-integration-manifest", "", false, "Update the integration manifest with the store type. It overrides the store type in the manifest if it already exists. If the integration manifest does not exist in the current directory, it will be created.") + flags.BoolVarP( + f.genericFormat, + "generic", + "g", + false, + "Output the store type in a generic format stripped of all fields specific to the Command instance.", + ) + flags.StringVarP( + f.gitRef, + FlagGitRef, + "b", + "main", + "The git branch or tag to reference when pulling store-types from the internet.", + ) + flags.BoolVarP( + f.outputToIntegrationManifest, + "output-to-integration-manifest", + "", + false, + "Update the integration manifest with the store type. It overrides the store type in the manifest if it already exists. If the integration manifest does not exist in the current directory, it will be created.", + ) } func CreateCmdStoreTypesGet() *cobra.Command { @@ -102,12 +121,17 @@ func CreateCmdStoreTypesGet() *cobra.Command { kfClient, _ := initClient(configFile, profile, providerType, providerProfile, noPrompt, authConfig, false) if kfClient == nil { - return fmt.Errorf("failed to initialize Keyfactor client") + return fmt.Errorf("failed to initialize Keyfactor Client") } storeTypes, err := kfClient.GetCertificateStoreType(options.storeTypeInterface) if err != nil { - log.Error().Err(err).Msg(fmt.Sprintf("unable to get certificate store type %s", options.storeTypeInterface)) + log.Error().Err(err).Msg( + fmt.Sprintf( + "unable to get certificate store type %s", + options.storeTypeInterface, + ), + ) return err } log.Trace().Msg(fmt.Sprintf("storeTypes: %+v", storeTypes)) @@ -136,7 +160,12 @@ func CreateCmdStoreTypesGet() *cobra.Command { return err } - _, err = cmd.OutOrStdout().Write([]byte(fmt.Sprintf("Successfully updated integration manifest with store type %s\n", options.storeTypeInterface))) + _, err = cmd.OutOrStdout().Write( + []byte(fmt.Sprintf( + "Successfully updated integration manifest with store type %s\n", + options.storeTypeInterface, + )), + ) } else { _, err = cmd.OutOrStdout().Write([]byte(output)) if err != nil { @@ -256,7 +285,10 @@ func (f *StoreTypesGetOptions) Validate() error { return nil } -func formatStoreTypeOutput(storeType *api.CertificateStoreType, outputFormat string, outputType string) (string, error) { +func formatStoreTypeOutput(storeType *api.CertificateStoreType, outputFormat string, outputType string) ( + string, + error, +) { var sOut interface{} sOut = storeType if outputType == "generic" { diff --git a/cmd/storesBulkOperations.go b/cmd/storesBulkOperations.go index 216ed45..6c1391b 100644 --- a/cmd/storesBulkOperations.go +++ b/cmd/storesBulkOperations.go @@ -19,14 +19,15 @@ import ( "encoding/csv" "encoding/json" "fmt" + "os" + "strconv" + "strings" + "github.com/AlecAivazis/survey/v2" "github.com/Jeffail/gabs" "github.com/Keyfactor/keyfactor-go-client/v2/api" "github.com/rs/zerolog/log" "github.com/spf13/cobra" - "os" - "strconv" - "strings" ) var ( @@ -231,7 +232,10 @@ var storesCreateFromCSVCmd = &cobra.Command{ if conversionError != nil { //outputError(conversionError, true, outputFormat) - log.Error().Err(conversionError).Msgf("Unable to convert the json into the request parameters object. %s", conversionError.Error()) + log.Error().Err(conversionError).Msgf( + "Unable to convert the json into the request parameters object. %s", + conversionError.Error(), + ) return conversionError } @@ -289,7 +293,8 @@ var storesCreateFromCSVCmd = &cobra.Command{ //fmt.Printf("\nImport results written to %s\n\n", outPath) outputResult(fmt.Sprintf("Import results written to %s", outPath), outputFormat) return nil - }} + }, +} var storesCreateImportTemplateCmd = &cobra.Command{ Use: "generate-template --store-type-id --store-type-name --outpath ", @@ -322,7 +327,7 @@ Store type IDs can be found by running the "store-types" command.`, authConfig := createAuthConfigFromParams(kfcHostName, kfcUsername, kfcPassword, kfcDomain, kfcAPIPath) kfClient, clientErr := initClient(configFile, profile, "", "", noPrompt, authConfig, false) if clientErr != nil { - log.Error().Err(clientErr).Msg("Error initializing client") + log.Error().Err(clientErr).Msg("Error initializing Client") return clientErr } @@ -421,7 +426,10 @@ Store type IDs can be found by running the "store-types" command.`, return csvWriteErr } log.Info().Str("filePath", filePath).Msg("Template file written") - outputResult(fmt.Sprintf("Template file for store type with id %d written to %s", intID, filePath), outputFormat) + outputResult( + fmt.Sprintf("Template file for store type with id %d written to %s", intID, filePath), + outputFormat, + ) return nil }, } @@ -992,24 +1000,76 @@ func init() { importStoresCmd.AddCommand(storesCreateImportTemplateCmd) importStoresCmd.AddCommand(storesCreateFromCSVCmd) - storesCreateImportTemplateCmd.Flags().StringVarP(&storeTypeName, "store-type-name", "n", "", "The name of the cert store type for the template. Use if store-type-id is unknown.") - storesCreateImportTemplateCmd.Flags().IntVarP(&storeTypeId, "store-type-id", "i", -1, "The ID of the cert store type for the template.") - storesCreateImportTemplateCmd.Flags().StringVarP(&outPath, "outpath", "o", "", - "Path and name of the template file to generate.. If not specified, the file will be written to the current directory.") + storesCreateImportTemplateCmd.Flags().StringVarP( + &storeTypeName, + "store-type-name", + "n", + "", + "The name of the cert store type for the template. Use if store-type-id is unknown.", + ) + storesCreateImportTemplateCmd.Flags().IntVarP( + &storeTypeId, + "store-type-id", + "i", + -1, + "The ID of the cert store type for the template.", + ) + storesCreateImportTemplateCmd.Flags().StringVarP( + &outPath, + "outpath", + "o", + "", + "Path and name of the template file to generate.. If not specified, the file will be written to the current directory.", + ) storesCreateImportTemplateCmd.MarkFlagsMutuallyExclusive("store-type-name", "store-type-id") - storesCreateFromCSVCmd.Flags().StringVarP(&storeTypeName, "store-type-name", "n", "", "The name of the cert store type. Use if store-type-id is unknown.") - storesCreateFromCSVCmd.Flags().IntVarP(&storeTypeId, "store-type-id", "i", -1, "The ID of the cert store type for the stores.") + storesCreateFromCSVCmd.Flags().StringVarP( + &storeTypeName, + "store-type-name", + "n", + "", + "The name of the cert store type. Use if store-type-id is unknown.", + ) + storesCreateFromCSVCmd.Flags().IntVarP( + &storeTypeId, + "store-type-id", + "i", + -1, + "The ID of the cert store type for the stores.", + ) storesCreateFromCSVCmd.Flags().StringVarP(&file, "file", "f", "", "CSV file containing cert stores to create.") storesCreateFromCSVCmd.MarkFlagRequired("file") storesCreateFromCSVCmd.Flags().BoolP("dry-run", "d", false, "Do not import, just check for necessary fields.") - storesCreateFromCSVCmd.Flags().StringVarP(&resultsPath, "results-path", "o", "", "CSV file containing cert stores to create. defaults to _results.csv") + storesCreateFromCSVCmd.Flags().StringVarP( + &resultsPath, + "results-path", + "o", + "", + "CSV file containing cert stores to create. defaults to _results.csv", + ) storesExportCmd.Flags().BoolVarP(&exportAll, "all", "a", false, "Export all stores grouped by store-type.") - storesExportCmd.Flags().StringVarP(&storeTypeName, "store-type-name", "n", "", "The name of the cert store type for the template. Use if store-type-id is unknown.") - storesExportCmd.Flags().IntVarP(&storeTypeId, "store-type-id", "i", -1, "The ID of the cert store type for the template.") - storesExportCmd.Flags().StringVarP(&outPath, "outpath", "o", "", - "Path and name of the template file to generate.. If not specified, the file will be written to the current directory.") + storesExportCmd.Flags().StringVarP( + &storeTypeName, + "store-type-name", + "n", + "", + "The name of the cert store type for the template. Use if store-type-id is unknown.", + ) + storesExportCmd.Flags().IntVarP( + &storeTypeId, + "store-type-id", + "i", + -1, + "The ID of the cert store type for the template.", + ) + storesExportCmd.Flags().StringVarP( + &outPath, + "outpath", + "o", + "", + "Path and name of the template file to generate.. If not specified, the file will be written to the current directory.", + ) storesExportCmd.MarkFlagsMutuallyExclusive("store-type-name", "store-type-id") } diff --git a/store_types.json b/store_types.json index 8b7cb27..3460b5b 100644 --- a/store_types.json +++ b/store_types.json @@ -1,16 +1,19 @@ [ { - "Name": "Azure Keyvault", - "ShortName": "AKV", + "BlueprintAllowed": false, "Capability": "AKV", + "CustomAliasAllowed": "Optional", + "EntryParameters": null, + "JobProperties": [], "LocalStore": false, - "SupportedOperations": { - "Add": true, - "Create": true, - "Discovery": true, - "Enrollment": false, - "Remove": true + "Name": "Azure Keyvault", + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" }, + "PowerShell": false, + "PrivateKeyAllowed": "Optional", "Properties": [ { "Name": "TenantId", @@ -49,30 +52,1247 @@ "DisplayName": "Private KeyVault Endpoint", "Type": "String", "DependsOn": "", - "DefaultValue": null, - "Required": false + "DefaultValue": null, + "Required": false + } + ], + "ServerRequired": true, + "ShortName": "AKV", + "StorePathType": "", + "StorePathValue": "", + "SupportedOperations": { + "Add": true, + "Create": true, + "Discovery": true, + "Enrollment": false, + "Remove": true + } + }, + { + "Name": "AWS Certificate Manager", + "ShortName": "AWS-ACM", + "Capability": "AWS-ACM", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "UseOAuth", + "DisplayName": "Use OAuth 2.0 Provider", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "false", + "Required": true + }, + { + "Name": "UseIAM", + "DisplayName": "Use IAM User Auth", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "false", + "Required": true + }, + { + "Name": "OAuthScope", + "DisplayName": "OAuth Scope", + "Type": "String", + "DependsOn": "UseOAuth", + "DefaultValue": null, + "Required": false + }, + { + "Name": "OAuthGrantType", + "DisplayName": "OAuth Grant Type", + "Type": "String", + "DependsOn": "UseOAuth", + "DefaultValue": "client_credentials", + "Required": false + }, + { + "Name": "OAuthUrl", + "DisplayName": "OAuth Url", + "Type": "String", + "DependsOn": "UseOAuth", + "DefaultValue": "https://***/oauth2/default/v1/token", + "Required": false + }, + { + "Name": "IamAccountId", + "DisplayName": "IAM AWS Account ID", + "Type": "String", + "DependsOn": "UseIAM", + "DefaultValue": null, + "Required": false + }, + { + "Name": "OAuthAccountId", + "DisplayName": "OAuth AWS Account ID", + "Type": "String", + "DependsOn": "UseOAuth", + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": null, + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": null, + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": true + } + ], + "EntryParameters": [ + { + "Name": "AWS Region", + "DisplayName": "AWS Region", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, + "OnRemove": false, + "OnReenrollment": false + } + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "PrivateKeyAllowed": "Optional", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": true, + "CustomAliasAllowed": "Optional" + }, + { + "Name": "Akamai Certificate Provisioning Service", + "ShortName": "Akamai", + "Capability": "Akamai", + "LocalStore": false, + "SupportedOperations": { + "Add": false, + "Create": false, + "Discovery": false, + "Enrollment": true, + "Remove": false + }, + "Properties": [ + { + "StoreTypeId;omitempty": 0, + "Name": "access_token", + "DisplayName": "Access Token", + "Type": "Secret", + "DependsOn": null, + "DefaultValue": null, + "Required": true + }, + { + "StoreTypeId;omitempty": 0, + "Name": "client_token", + "DisplayName": "Client Token", + "Type": "Secret", + "DependsOn": null, + "DefaultValue": null, + "Required": true + }, + { + "StoreTypeId;omitempty": 0, + "Name": "client_secret", + "DisplayName": "Client Secret", + "Type": "Secret", + "DependsOn": null, + "DefaultValue": null, + "Required": true + } + ], + "EntryParameters": [ + { + "StoreTypeId;omitempty": 0, + "Name": "EnrollmentId", + "DisplayName": "Enrollment ID", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } + }, + { + "StoreTypeId;omitempty": 0, + "Name": "ContractId", + "DisplayName": "Contract ID", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "Sans", + "DisplayName": "SANs", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + } + }, + { + "StoreTypeId;omitempty": 0, + "Name": "admin-addressLineOne", + "DisplayName": "Admin - Address Line 1", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "admin-addressLineTwo", + "DisplayName": "Admin - Address Line 2", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } + }, + { + "StoreTypeId;omitempty": 0, + "Name": "admin-city", + "DisplayName": "Admin - City", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "admin-country", + "DisplayName": "Admin - Country", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "admin-email", + "DisplayName": "Admin - Email", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "admin-firstName", + "DisplayName": "Admin - First Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "admin-lastName", + "DisplayName": "Admin - Last Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "admin-organizationName", + "DisplayName": "Admin - Organization Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "admin-phone", + "DisplayName": "Admin - Phone", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "admin-postalCode", + "DisplayName": "Admin - Postal Code", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "admin-region", + "DisplayName": "Admin - Region", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "admin-title", + "DisplayName": "Admin - Title", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "org-addressLineOne", + "DisplayName": "Org - Address Line 1", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "org-addressLineTwo", + "DisplayName": "Org - Address Line 2", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } + }, + { + "StoreTypeId;omitempty": 0, + "Name": "org-city", + "DisplayName": "Org - City", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "org-country", + "DisplayName": "Org - Country", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "org-organizationName", + "DisplayName": "Org - Organization Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "org-phone", + "DisplayName": "Org - Phone", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "org-postalCode", + "DisplayName": "Org - Postal Code", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "org-region", + "DisplayName": "Org - Region", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "tech-addressLineOne", + "DisplayName": "Tech - Address Line 1", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "tech-addressLineTwo", + "DisplayName": "Tech - Address Line 2", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } + }, + { + "StoreTypeId;omitempty": 0, + "Name": "tech-city", + "DisplayName": "Tech - City", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "tech-country", + "DisplayName": "Tech - Country", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "tech-email", + "DisplayName": "Tech - Email", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "tech-firstName", + "DisplayName": "Tech - First Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "tech-lastName", + "DisplayName": "Tech - Last Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "tech-organizationName", + "DisplayName": "Tech - Organization Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "tech-phone", + "DisplayName": "Tech - Phone", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "tech-postalCode", + "DisplayName": "Tech - Postal Code", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "tech-region", + "DisplayName": "Tech - Region", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + }, + { + "StoreTypeId;omitempty": 0, + "Name": "tech-title", + "DisplayName": "Tech - Title", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DefaultValue": null + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathType": "MultipleChoice", + "StorePathValue": "[\"Production\",\"Staging\"]", + "PrivateKeyAllowed": "Forbidden", + "ServerRequired": false, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Forbidden" + }, + { + "Name": "Azure Application Gateway Certificate Binding", + "ShortName": "AppGwBin", + "Capability": "AzureAppGwBin", + "LocalStore": false, + "ClientMachineDescription": "The Azure Tenant (directory) ID that owns the Service Principal.", + "StorePathDescription": "Azure resource ID of the application gateway, following the format: /subscriptions//resourceGroups//providers/Microsoft.Network/applicationGateways/.", + "SupportedOperations": { + "Add": true, + "Remove": false, + "Enrollment": false, + "Discovery": true, + "Inventory": false + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "Description": "Application ID of the service principal, representing the identity used for managing the Application Gateway.", + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "Description": "A Client Secret that the extension will use to authenticate with the Azure Resource Management API for managing Application Gateway certificates, OR the password that encrypts the private key in ClientCertificate", + "Required": false + }, + { + "Name": "ClientCertificate", + "DisplayName": "Client Certificate", + "Type": "Secret", + "Description": "The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information.", + "Required": false + }, + { + "Name": "AzureCloud", + "DisplayName": "Azure Global Cloud Authority Host", + "Type": "MultipleChoice", + "DefaultValue": "public,china,germany,government", + "Description": "Specifies the Azure Cloud instance used by the organization.", + "Required": false + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DefaultValue": "true", + "Description": "Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it.", + "Required": true + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "PrivateKeyAllowed": "Required", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required" + }, + { + "Name": "Azure App Registration (Application)", + "ShortName": "AzureApp", + "Capability": "AzureApp", + "LocalStore": false, + "ClientMachineDescription": "The Azure Tenant (directory) ID that owns the Service Principal.", + "StorePathDescription": "The Application ID of the target Application/Service Principal that will be managed by the Azure App Registration and Enterprise Application Orchestrator extension.", + "SupportedOperations": { + "Add": true, + "Remove": true, + "Enrollment": false, + "Discovery": true, + "Inventory": true + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "Description": "The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/Service Principal certificates.", + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "Description": "A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/Service Principal certificates, OR the password that encrypts the private key in ClientCertificate", + "Required": false + }, + { + "Name": "ClientCertificate", + "DisplayName": "Client Certificate", + "Type": "Secret", + "Description": "The client certificate used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. See the [requirements](#client-certificate-or-client-secret) for more information.", + "Required": false + }, + { + "Name": "AzureCloud", + "DisplayName": "Azure Global Cloud Authority Host", + "Type": "MultipleChoice", + "DefaultValue": "public,china,germany,government", + "Description": "Specifies the Azure Cloud instance used by the organization.", + "Required": false + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DefaultValue": "true", + "Description": "Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it.", + "Required": true + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "PrivateKeyAllowed": "Required", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required" + }, + { + "Name": "Azure Application Gateway Certificate", + "ShortName": "AzureAppGw", + "Capability": "AzureAppGw", + "LocalStore": false, + "ClientMachineDescription": "The Azure Tenant (directory) ID that owns the Service Principal.", + "StorePathDescription": "Azure resource ID of the application gateway, following the format: /subscriptions//resourceGroups//providers/Microsoft.Network/applicationGateways/.", + "SupportedOperations": { + "Add": true, + "Remove": true, + "Enrollment": false, + "Discovery": true, + "Inventory": true + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "Description": "Application ID of the service principal, representing the identity used for managing the Application Gateway.", + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "Description": "A Client Secret that the extension will use to authenticate with the Azure Resource Management API for managing Application Gateway certificates, OR the password that encrypts the private key in ClientCertificate", + "Required": false + }, + { + "Name": "ClientCertificate", + "DisplayName": "Client Certificate", + "Type": "Secret", + "Description": "The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information.", + "Required": false + }, + { + "Name": "AzureCloud", + "DisplayName": "Azure Global Cloud Authority Host", + "Type": "MultipleChoice", + "DefaultValue": "public,china,germany,government", + "Description": "Specifies the Azure Cloud instance used by the organization.", + "Required": false + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DefaultValue": "true", + "Description": "Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it.", + "Required": true + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "PrivateKeyAllowed": "Required", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required" + }, + { + "Name": "Azure Enterprise Application (Service Principal)", + "ShortName": "AzureSP", + "Capability": "AzureSP", + "LocalStore": false, + "ClientMachineDescription": "The Azure Tenant (directory) ID that owns the Service Principal.", + "StorePathDescription": "The Application ID of the target Application/Service Principal that will be managed by the Azure App Registration and Enterprise Application Orchestrator extension.", + "SupportedOperations": { + "Add": true, + "Remove": true, + "Enrollment": false, + "Discovery": true, + "Inventory": true + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "Description": "The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/Service Principal certificates.", + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "Description": "A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/Service Principal certificates, OR the password that encrypts the private key in ClientCertificate", + "Required": false + }, + { + "Name": "ClientCertificate", + "DisplayName": "Client Certificate", + "Type": "Secret", + "Description": "The client certificate used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. See the [requirements](#client-certificate-or-client-secret) for more information.", + "Required": false + }, + { + "Name": "AzureCloud", + "DisplayName": "Azure Global Cloud Authority Host", + "Type": "MultipleChoice", + "DefaultValue": "public,china,germany,government", + "Description": "Specifies the Azure Cloud instance used by the organization.", + "Required": false + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DefaultValue": "true", + "Description": "Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it.", + "Required": true + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "PrivateKeyAllowed": "Required", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required" + }, + { + "Name": "Bosch IP Camera", + "ShortName": "BIPCamera", + "Capability": "BoschIpCamera", + "LocalStore": false, + "SupportedOperations": { + "Add": false, + "Create": false, + "Discovery": false, + "Enrollment": true, + "Remove": false + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": null, + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": null, + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": true + } + ], + "EntryParameters": [ + { + "Name": "CertificateUsage", + "DisplayName": "Certificate Usage", + "Type": "MultipleChoice", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "Options": ",HTTPS,EAP-TLS-client,TLS-DATE-client" + }, + { + "Name": "Name", + "DisplayName": "Name (Alias)", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + } + }, + { + "Name": "Overwrite", + "DisplayName": "Overwrite", + "Type": "Bool", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "DefaultValue": "false" + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "PrivateKeyAllowed": "Optional", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": true, + "CustomAliasAllowed": "Required" + }, + { + "Name": "CiscoAsa", + "ShortName": "CiscoAsa", + "Capability": "CiscoAsa", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "CommitToDisk", + "DisplayName": "Commit To Disk", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "false", + "Required": false + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": null, + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": null, + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": true + } + ], + "EntryParameters": [ + { + "Name": "interfaces", + "DisplayName": "Interfaces Comma Separated", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "PrivateKeyAllowed": "Required", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": true, + "CustomAliasAllowed": "Required" + }, + { + "Name": "CitrixAdc", + "ShortName": "CitrixAdc", + "Capability": "CitrixAdc", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": null, + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": null, + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": true + }, + { + "Name": "linkToIssuer", + "DisplayName": "Link To Issuer", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "false", + "Required": false + } + ], + "EntryParameters": [ + { + "Name": "virtualServerName", + "DisplayName": "Virtual Server Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } + }, + { + "Name": "sniCert", + "DisplayName": "SNI Cert", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": true, + "OnRemove": false, + "OnReenrollment": false + }, + "DefaultValue": "FALSE" + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "PrivateKeyAllowed": "Required", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required", + "InventoryEndpoint": "/AnyInventory/Update" + }, + { + "Name": "F5 Big IQ", + "ShortName": "F5-BigIQ", + "Capability": "F5-BigIQ", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": true, + "Remove": true + }, + "Properties": [ + { + "Name": "DeployCertificateOnRenewal", + "DisplayName": "Deploy Certificate to Linked Big IP on Renewal", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false + }, + { + "Name": "IgnoreSSLWarning", + "DisplayName": "Ignore SSL Warning", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false + }, + { + "Name": "UseTokenAuth", + "DisplayName": "Use Token Authentication", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false + }, + { + "Name": "LoginProviderName", + "DisplayName": "Authentication Provider Name", + "Type": "String", + "DependsOn": "UseTokenAuth", + "DefaultValue": "", + "Required": false + } + ], + "EntryParameters": [ + { + "Name": "Alias", + "DisplayName": "Alias (Reenrollment only)", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "" + }, + { + "Name": "Overwrite", + "DisplayName": "Overwrite (Reenrollment only)", + "Type": "Bool", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "False", + "Options": "" + }, + { + "Name": "SANs", + "DisplayName": "SANs (Reenrollment only)", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "" } ], - "EntryParameters": null, "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, "Style": "Default" }, - "StorePathType": "", - "StorePathValue": "", - "PrivateKeyAllowed": "Optional", + "PrivateKeyAllowed": "Required", "JobProperties": [], "ServerRequired": true, "PowerShell": false, - "BlueprintAllowed": false, - "CustomAliasAllowed": "Optional" + "BlueprintAllowed": true, + "CustomAliasAllowed": "Required" }, { - "Name": "Azure Application (Auth)", - "ShortName": "AzureApp", - "Capability": "AzureApp", - "LocalStore": false, + "Name": "F5 CA Profiles REST", + "ShortName": "F5-CA-REST", + "Capability": "F5-CA-REST", "SupportedOperations": { "Add": true, "Create": false, @@ -82,31 +1302,84 @@ }, "Properties": [ { - "StoreTypeId": 279, + "Name": "PrimaryNode", + "DisplayName": "Primary Node", + "Type": "String", + "DependsOn": "PrimaryNodeOnlineRequired", + "DefaultValue": "", + "Required": true + }, + { + "Name": "PrimaryNodeCheckRetryWaitSecs", + "DisplayName": "Primary Node Check Retry Wait Seconds", + "Type": "String", + "DependsOn": "PrimaryNodeOnlineRequired", + "DefaultValue": "120", + "Required": true + }, + { + "Name": "PrimaryNodeCheckRetryMax", + "DisplayName": "Primary Node Check Retry Maximum", + "Type": "String", + "DependsOn": "PrimaryNodeOnlineRequired", + "DefaultValue": "3", + "Required": true + }, + { + "Name": "F5Version", + "DisplayName": "Version of F5", + "Type": "MultipleChoice", + "DependsOn": "", + "DefaultValue": "v12,v13,v14,v15", + "Required": true + }, + { "Name": "ServerUsername", "DisplayName": "Server Username", "Type": "Secret", "DependsOn": "", - "DefaultValue": "", + "DefaultValue": null, "Required": false }, { - "StoreTypeId": 279, "Name": "ServerPassword", "DisplayName": "Server Password", "Type": "Secret", "DependsOn": "", - "DefaultValue": "", + "DefaultValue": null, "Required": false }, { - "StoreTypeId": 279, "Name": "ServerUseSsl", "DisplayName": "Use SSL", "Type": "Bool", "DependsOn": "", "DefaultValue": "true", "Required": true + }, + { + "Name": "PrimaryNodeOnlineRequired", + "DisplayName": "Primary Node Online Required", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "", + "Required": true + }, + { + "Name": "IgnoreSSLWarning", + "DisplayName": "Ignore SSL Warning", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "False", + "Required": true + }, + { + "Name": "UseTokenAuth", + "DisplayName": "Use Token Authentication", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": true } ], "EntryParameters": [], @@ -119,14 +1392,13 @@ "JobProperties": [], "ServerRequired": true, "PowerShell": false, - "BlueprintAllowed": false, + "BlueprintAllowed": true, "CustomAliasAllowed": "Required" }, { - "Name": "Azure Application Gateway", - "ShortName": "AzureAppGW", - "Capability": "AzureAppGW", - "LocalStore": false, + "Name": "F5 SSL Profiles REST", + "ShortName": "F5-SL-REST", + "Capability": "F5-SL-REST", "SupportedOperations": { "Add": true, "Create": false, @@ -135,96 +1407,191 @@ "Remove": true }, "Properties": [ + { + "Name": "PrimaryNode", + "DisplayName": "Primary Node", + "Type": "String", + "DependsOn": "PrimaryNodeOnlineRequired", + "DefaultValue": "", + "Required": true + }, + { + "Name": "PrimaryNodeCheckRetryWaitSecs", + "DisplayName": "Primary Node Check Retry Wait Seconds", + "Type": "String", + "DependsOn": "PrimaryNodeOnlineRequired", + "DefaultValue": "120", + "Required": true + }, + { + "Name": "PrimaryNodeCheckRetryMax", + "DisplayName": "Primary Node Check Retry Maximum", + "Type": "String", + "DependsOn": "PrimaryNodeOnlineRequired", + "DefaultValue": "3", + "Required": true + }, + { + "Name": "F5Version", + "DisplayName": "Version of F5", + "Type": "MultipleChoice", + "DependsOn": "", + "DefaultValue": "v12,v13,v14,v15", + "Required": true + }, { "Name": "ServerUsername", "DisplayName": "Server Username", "Type": "Secret", - "DependsOn": null, + "DependsOn": "", "DefaultValue": null, - "Required": true + "Required": false }, { "Name": "ServerPassword", "DisplayName": "Server Password", "Type": "Secret", - "DependsOn": null, + "DependsOn": "", "DefaultValue": null, - "Required": true + "Required": false }, { "Name": "ServerUseSsl", "DisplayName": "Use SSL", "Type": "Bool", - "DependsOn": null, + "DependsOn": "", "DefaultValue": "true", - "Required": false - } - ], - "EntryParameters": [ + "Required": true + }, { - "Name": "HTTPListenerName", - "DisplayName": "HTTP Listener Name", - "Type": "String", - "RequiredWhen": { - "HasPrivateKey": false, - "OnAdd": false, - "OnRemove": false, - "OnReenrollment": false - } + "Name": "PrimaryNodeOnlineRequired", + "DisplayName": "Primary Node Online Required", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "", + "Required": true + }, + { + "Name": "IgnoreSSLWarning", + "DisplayName": "Ignore SSL Warning", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "False", + "Required": true + }, + { + "Name": "UseTokenAuth", + "DisplayName": "Use Token Authentication", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": true } ], + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, "Style": "Default" }, - "PrivateKeyAllowed": "Required", + "PrivateKeyAllowed": "Optional", + "JobProperties": [], "ServerRequired": true, "PowerShell": false, - "BlueprintAllowed": false, - "CustomAliasAllowed": "Required", - "ServerRegistration": 13, - "InventoryEndpoint": "/AnyInventory/Update" + "BlueprintAllowed": true, + "CustomAliasAllowed": "Required" }, { - "Name": "Azure Service Principal (SSO/SAML)", - "ShortName": "AzureSP", - "Capability": "AzureSP", - "LocalStore": false, + "Name": "F5 WS Profiles REST", + "ShortName": "F5-WS-REST", + "Capability": "F5-WS-REST", "SupportedOperations": { "Add": true, "Create": false, - "Discovery": true, + "Discovery": false, "Enrollment": false, - "Remove": true + "Remove": false }, "Properties": [ { - "StoreTypeId": 280, + "Name": "PrimaryNode", + "DisplayName": "Primary Node", + "Type": "String", + "DependsOn": "PrimaryNodeOnlineRequired", + "DefaultValue": "", + "Required": true + }, + { + "Name": "PrimaryNodeCheckRetryWaitSecs", + "DisplayName": "Primary Node Check Retry Wait Seconds", + "Type": "String", + "DependsOn": "PrimaryNodeOnlineRequired", + "DefaultValue": "120", + "Required": true + }, + { + "Name": "PrimaryNodeCheckRetryMax", + "DisplayName": "Primary Node Check Retry Maximum", + "Type": "String", + "DependsOn": "PrimaryNodeOnlineRequired", + "DefaultValue": "3", + "Required": true + }, + { + "Name": "F5Version", + "DisplayName": "Version of F5", + "Type": "MultipleChoice", + "DependsOn": "", + "DefaultValue": "v12,v13,v14,v15", + "Required": true + }, + { "Name": "ServerUsername", "DisplayName": "Server Username", "Type": "Secret", "DependsOn": "", - "DefaultValue": "", + "DefaultValue": null, "Required": false }, { - "StoreTypeId": 280, "Name": "ServerPassword", "DisplayName": "Server Password", "Type": "Secret", "DependsOn": "", - "DefaultValue": "", + "DefaultValue": null, "Required": false }, { - "StoreTypeId": 280, "Name": "ServerUseSsl", "DisplayName": "Use SSL", "Type": "Bool", "DependsOn": "", "DefaultValue": "true", "Required": true + }, + { + "Name": "PrimaryNodeOnlineRequired", + "DisplayName": "Primary Node Online Required", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "", + "Required": true + }, + { + "Name": "IgnoreSSLWarning", + "DisplayName": "Ignore SSL Warning", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "False", + "Required": true + }, + { + "Name": "UseTokenAuth", + "DisplayName": "Use Token Authentication", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": true } ], "EntryParameters": [], @@ -237,8 +1604,8 @@ "JobProperties": [], "ServerRequired": true, "PowerShell": false, - "BlueprintAllowed": false, - "CustomAliasAllowed": "Required" + "BlueprintAllowed": true, + "CustomAliasAllowed": "Forbidden" }, { "Name": "Fortigate", @@ -264,6 +1631,82 @@ "Properties": [], "EntryParameters": [] }, + { + "Name": "GCP Load Balancer", + "ShortName": "GCPLoadBal", + "Capability": "GCPLoadBal", + "ServerRequired": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Optional", + "PowerShell": false, + "PrivateKeyAllowed": "Required", + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "PasswordOptions": { + "Style": "Default", + "EntrySupported": false, + "StoreRequired": false + }, + "Properties": [ + { + "Name": "jsonKey", + "DisplayName": "Service Account Key", + "Required": true, + "DependsOn": "", + "Type": "Secret", + "DefaultValue": "" + } + ], + "EntryParameters": [] + }, + { + "Name": "GCP Certificate Manager", + "ShortName": "GcpCertMgr", + "Capability": "GcpCertMgr", + "ServerRequired": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required", + "PowerShell": false, + "PrivateKeyAllowed": "Required", + "StorePathType": "", + "StorePathValue": "n/a", + "SupportedOperations": { + "Add": true, + "Create": true, + "Discovery": true, + "Enrollment": false, + "Remove": true + }, + "PasswordOptions": { + "Style": "Default", + "EntrySupported": false, + "StoreRequired": false + }, + "Properties": [ + { + "Name": "Location", + "DisplayName": "Location", + "Type": "String", + "DependsOn": "", + "DefaultValue": "global", + "Required": true + }, + { + "Name": "ServiceAccountKey", + "DisplayName": "Service Account Key File Path", + "Type": "String", + "DependsOn": "", + "DefaultValue": null, + "Required": false + } + ], + "EntryParameters": [] + }, { "Name": "Hashicorp Vault Key-Value", "ShortName": "HCVKV", @@ -401,6 +1844,8 @@ "StoreRequired": false, "Style": "Default" }, + "StorePathType": "", + "StorePathValue": "", "PrivateKeyAllowed": "Optional", "JobProperties": [], "ServerRequired": true, @@ -476,6 +1921,8 @@ "StoreRequired": false, "Style": "Default" }, + "StorePathType": "", + "StorePathValue": "", "PrivateKeyAllowed": "Optional", "JobProperties": [], "ServerRequired": true, @@ -626,6 +2073,8 @@ "StoreRequired": false, "Style": "Default" }, + "StorePathType": "", + "StorePathValue": "", "PrivateKeyAllowed": "Optional", "JobProperties": [], "ServerRequired": true, @@ -853,7 +2302,7 @@ "HasPrivateKey": false, "OnAdd": false, "OnRemove": false, - "OnReenrollment": false + "OnReenrollment": true }, "DependsOn": "", "DefaultValue": "", @@ -872,6 +2321,30 @@ "BlueprintAllowed": false, "CustomAliasAllowed": "Forbidden" }, + { + "Name": "Imperva", + "ShortName": "Imperva", + "Capability": "Imperva", + "ServerRequired": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required", + "PowerShell": false, + "PrivateKeyAllowed": "Required", + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "PasswordOptions": { + "Style": "Default", + "EntrySupported": false, + "StoreRequired": true + }, + "Properties": [], + "EntryParameters": [] + }, { "Name": "K8SCert", "ShortName": "K8SCert", @@ -908,6 +2381,30 @@ "DependsOn": "", "DefaultValue": "cert", "Required": true + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": true + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true } ], "EntryParameters": null, @@ -939,18 +2436,28 @@ }, "Properties": [ { - "Name": "SeparateChain", - "DisplayName": "Separate Certificate Chain", - "Type": "Bool", - "DefaultValue": "false", + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false }, { - "Name": "IncludeCertChain", - "DisplayName": "Include Certificate Chain", + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": true + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", "Type": "Bool", + "DependsOn": "", "DefaultValue": "true", - "Required": false + "Required": true } ], "EntryParameters": null, @@ -1010,8 +2517,8 @@ "DisplayName": "CertificateDataFieldName", "Type": "String", "DependsOn": "", - "DefaultValue": ".jks", - "Required": true + "DefaultValue": null, + "Required": false }, { "Name": "PasswordFieldName", @@ -1099,18 +2606,28 @@ "Required": false }, { - "Name": "SeparateChain", - "DisplayName": "Separate Certificate Chain", - "Type": "Bool", - "DefaultValue": "false", + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false }, { - "Name": "IncludeCertChain", - "DisplayName": "Include Certificate Chain", + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": true + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", "Type": "Bool", + "DependsOn": "", "DefaultValue": "true", - "Required": false + "Required": true } ], "EntryParameters": null, @@ -1141,14 +2658,6 @@ "Remove": true }, "Properties": [ - { - "Name": "KubeSecretType", - "DisplayName": "Kube Secret Type", - "Type": "String", - "DependsOn": "", - "DefaultValue": "pkcs12", - "Required": true - }, { "Name": "KubeSecretKey", "DisplayName": "Kube Secret Key", @@ -1157,14 +2666,6 @@ "DefaultValue": "pfx", "Required": false }, - { - "Name": "CertificateDataFieldName", - "DisplayName": "CertificateDataFieldName", - "Type": "String", - "DependsOn": "", - "DefaultValue": ".p12", - "Required": true - }, { "Name": "PasswordFieldName", "DisplayName": "Password Field Name", @@ -1197,6 +2698,38 @@ "DefaultValue": null, "Required": false }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": true + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true + }, + { + "Name": "KubeSecretType", + "DisplayName": "Kube Secret Type", + "Type": "String", + "DependsOn": "", + "DefaultValue": "pkcs12", + "Required": true + }, { "Name": "StorePasswordPath", "DisplayName": "StorePasswordPath", @@ -1259,21 +2792,153 @@ "Required": true }, { - "Name": "SeparateChain", - "DisplayName": "Separate Certificate Chain", - "Type": "Bool", - "DefaultValue": "false", + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false }, { - "Name": "IncludeCertChain", - "DisplayName": "Include Certificate Chain", + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": true + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", "Type": "Bool", + "DependsOn": "", "DefaultValue": "true", + "Required": true + } + ], + "EntryParameters": null, + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathType": "", + "StorePathValue": "", + "PrivateKeyAllowed": "Optional", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Forbidden" + }, + { + "Name": "K8STLSSecr", + "ShortName": "K8STLSSecr", + "Capability": "K8STLSSecr", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": true, + "Discovery": true, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "KubeNamespace", + "DisplayName": "KubeNamespace", + "Type": "String", + "DependsOn": "", + "DefaultValue": null, + "Required": false + }, + { + "Name": "KubeSecretName", + "DisplayName": "KubeSecretName", + "Type": "String", + "DependsOn": "", + "DefaultValue": null, + "Required": false + }, + { + "Name": "KubeSecretType", + "DisplayName": "KubeSecretType", + "Type": "String", + "DependsOn": "", + "DefaultValue": "tls_secret", + "Required": true + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": null, + "Required": true + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "true", + "Required": true + } + ], + "EntryParameters": null, + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathType": "", + "StorePathValue": "", + "PrivateKeyAllowed": "Optional", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Forbidden" + }, + { + "Name": "MyOrchestratorStoreType", + "ShortName": "MOST", + "Capability": "MOST", + "LocalStore": false, + "SupportedOperations": { + "Add": false, + "Create": false, + "Discovery": true, + "Enrollment": false, + "Remove": false + }, + "Properties": [ + { + "Name": "CustomField1", + "DisplayName": "CustomField1", + "Type": "String", + "DependsOn": "", + "DefaultValue": "default", + "Required": true + }, + { + "Name": "CustomField2", + "DisplayName": "CustomField2", + "Type": "String", + "DependsOn": "", + "DefaultValue": null, + "Required": true } ], - "EntryParameters": null, + "EntryParameters": [], "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, @@ -1281,7 +2946,7 @@ }, "StorePathType": "", "StorePathValue": "", - "PrivateKeyAllowed": "Optional", + "PrivateKeyAllowed": "Forbidden", "JobProperties": [], "ServerRequired": true, "PowerShell": false, @@ -1289,71 +2954,127 @@ "CustomAliasAllowed": "Forbidden" }, { - "Name": "K8STLSSecr", - "ShortName": "K8STLSSecr", - "Capability": "K8STLSSecr", + "Name": "Nmap Orchestrator", + "ShortName": "Nmap", + "Capability": "Nmap", + "LocalStore": false, + "SupportedOperations": { + "Add": false, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Inventory": true, + "Reenrollment": false, + "Remove": true + }, + "Properties": [], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathType": "Freeform", + "StorePathValue": "", + "PrivateKeyAllowed": "Forbidden", + "ServerRequired": false, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Optional" + }, + { + "Name": "PaloAlto", + "ShortName": "PaloAlto", + "Capability": "PaloAlto", "LocalStore": false, "SupportedOperations": { "Add": true, - "Create": true, - "Discovery": true, + "Create": false, + "Discovery": false, "Enrollment": false, "Remove": true }, "Properties": [ { - "Name": "KubeNamespace", - "DisplayName": "KubeNamespace", - "Type": "String", - "DependsOn": "", + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": null, "DefaultValue": null, "Required": false }, { - "Name": "KubeSecretName", - "DisplayName": "KubeSecretName", - "Type": "String", - "DependsOn": "", + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": null, "DefaultValue": null, "Required": false }, { - "Name": "KubeSecretType", - "DisplayName": "KubeSecretType", - "Type": "String", - "DependsOn": "", - "DefaultValue": "tls_secret", + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", "Required": true }, { - "Name": "SeparateChain", - "DisplayName": "Separate Certificate Chain", - "Type": "Bool", - "DefaultValue": "false", + "Name": "DeviceGroup", + "DisplayName": "Device Group", + "Type": "String", + "DependsOn": null, + "DefaultValue": null, "Required": false + } + ], + "EntryParameters": [ + { + "Name": "TlsMinVersion", + "DisplayName": "TLS Min Version", + "Type": "MultipleChoice", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "Options": ",tls1-0,tls1-1,tls1-2" }, { - "Name": "IncludeCertChain", - "DisplayName": "Include Certificate Chain", - "Type": "Bool", - "DefaultValue": "true", - "Required": false + "Name": "TLSMaxVersion", + "DisplayName": "TLS Max Version", + "Type": "MultipleChoice", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "Options": ",tls1-0,tls1-1,tls1-2,max" + }, + { + "Name": "TlsProfileName", + "DisplayName": "TLS Profile Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } } ], - "EntryParameters": null, "PasswordOptions": { "EntrySupported": false, "StoreRequired": false, "Style": "Default" }, - "StorePathType": "", - "StorePathValue": "", "PrivateKeyAllowed": "Optional", - "JobProperties": [], "ServerRequired": true, "PowerShell": false, "BlueprintAllowed": false, - "CustomAliasAllowed": "Forbidden" + "CustomAliasAllowed": "Required" }, { "Name": "RFDER", @@ -1393,6 +3114,14 @@ "Type": "String", "DefaultValue": "" }, + { + "Name": "SudoImpersonatingUser", + "DisplayName": "Sudo Impersonating User", + "Required": false, + "DependsOn": "", + "Type": "String", + "DefaultValue": "" + }, { "Name": "SeparatePrivateKeyFilePath", "DisplayName": "Separate Private Key File Location", @@ -1441,6 +3170,14 @@ "DependsOn": "", "Type": "String", "DefaultValue": "" + }, + { + "Name": "SudoImpersonatingUser", + "DisplayName": "Sudo Impersonating User", + "Required": false, + "DependsOn": "", + "Type": "String", + "DefaultValue": "" } ], "EntryParameters": [] @@ -1482,6 +3219,14 @@ "DependsOn": "", "Type": "String", "DefaultValue": "" + }, + { + "Name": "SudoImpersonatingUser", + "DisplayName": "Sudo Impersonating User", + "Required": false, + "DependsOn": "", + "Type": "String", + "DefaultValue": "" } ], "EntryParameters": [] @@ -1524,6 +3269,14 @@ "Type": "String", "DefaultValue": "" }, + { + "Name": "SudoImpersonatingUser", + "DisplayName": "Sudo Impersonating User", + "Required": false, + "DependsOn": "", + "Type": "String", + "DefaultValue": "" + }, { "Name": "WorkFolder", "DisplayName": "Location to use for creation/removal of work files", @@ -1573,6 +3326,14 @@ "Type": "String", "DefaultValue": "" }, + { + "Name": "SudoImpersonatingUser", + "DisplayName": "Sudo Impersonating User", + "Required": false, + "DependsOn": "", + "Type": "String", + "DefaultValue": "" + }, { "Name": "IsTrustStore", "DisplayName": "Trust Store", @@ -1604,6 +3365,14 @@ "DependsOn": "", "Type": "Bool", "DefaultValue": false + }, + { + "Name": "IgnorePrivateKeyOnInventory", + "DisplayName": "Ignore Private Key On Inventory", + "Required": false, + "DependsOn": "", + "Type": "Bool", + "DefaultValue": false } ], "EntryParameters": [] @@ -1645,6 +3414,14 @@ "DependsOn": "", "Type": "String", "DefaultValue": "" + }, + { + "Name": "SudoImpersonatingUser", + "DisplayName": "Sudo Impersonating User", + "Required": false, + "DependsOn": "", + "Type": "String", + "DefaultValue": "" } ], "EntryParameters": [] @@ -1904,5 +3681,120 @@ "PowerShell": false, "BlueprintAllowed": false, "CustomAliasAllowed": "Forbidden" + }, + { + "Name": "WinSql", + "ShortName": "WinSql", + "Capability": "WinSql", + "LocalStore": false, + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "WinRm Protocol", + "DisplayName": "WinRm Protocol", + "Type": "MultipleChoice", + "DependsOn": null, + "DefaultValue": "https,http", + "Required": true + }, + { + "Name": "WinRm Port", + "DisplayName": "WinRm Port", + "Type": "String", + "DependsOn": null, + "DefaultValue": "5986", + "Required": true + }, + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": null, + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": null, + "DefaultValue": null, + "Required": false + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "true", + "Required": true + }, + { + "Name": "RestartService", + "DisplayName": "Restart SQL Service After Cert Installed", + "Type": "Bool", + "DependsOn": null, + "DefaultValue": "false", + "Required": true + } + ], + "EntryParameters": [ + { + "Name": "InstanceName", + "DisplayName": "Instance Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + } + }, + { + "Name": "ProviderName", + "DisplayName": "Crypto Provider Name", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": false + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "" + }, + { + "Name": "SAN", + "DisplayName": "SAN", + "Type": "String", + "RequiredWhen": { + "HasPrivateKey": false, + "OnAdd": false, + "OnRemove": false, + "OnReenrollment": true + }, + "DependsOn": "", + "DefaultValue": "", + "Options": "" + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "StorePathValue": "My", + "PrivateKeyAllowed": "Optional", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": true, + "CustomAliasAllowed": "Forbidden" } ] \ No newline at end of file