Merge f260e78 into 1c8de0f

CHANGELOG.md

@@ -1,3 +1,6 @@
+- 1.4.0
+  - Added support for oAuth2 authentication to Keyfactor Command.
+
 - 1.3.1 
   - Fix for issue where plugin was not enforcing plugin-side role limitations for AllowedDomains and AllowSubDomains, and was relying exclusively on the certificate template for these values.
 

Makefile

@@ -1,40 +1,56 @@
 BINARY = "keyfactor"
 VERSION = "v1.3.1"
 
-GOARCH = amd64
+UNAME_S := $(shell uname -s)
+UNAME_M := $(shell uname -m)
 
-UNAME = $(shell uname -s)
-
-OS = linux
+ifeq ($(UNAME_S),Linux)
+	OS = linux
+else ifeq ($(UNAME_S),Darwin)
+	OS = darwin
+endif
 
-ifndef OS
-	ifeq ($(UNAME), Linux)
-		OS = linux
-	else ifeq ($(UNAME), Darwin)
-		OS = darwin
-	endif
+ifeq ($(UNAME_M),x86_64)
+	GOARCH = amd64
+else ifeq ($(UNAME_M),arm64)
+	GOARCH = arm64
+else ifeq ($(UNAME_M),i386)
+	GOARCH = 386
 endif
 
 .DEFAULT_GOAL := all
 
 all: fmt build start
 
 build:
-	GOOS=$(OS) GOARCH="$(GOARCH)" go build -o vault/plugins/keyfactor cmd/keyfactor/main.go
+	GOOS=$(OS) GOARCH=$(GOARCH) go build -o vault/plugins/keyfactor cmd/keyfactor/main.go
 
 start:
-	vault server -dev -dev-root-token-id=root -dev-plugin-dir=/vault/plugins
+	vault server -dev -dev-root-token-id=root -dev-plugin-dir=./vault/plugins
+
+register:
+	vault write sys/plugins/catalog/secret/keyfactor sha_256=$(shell shasum -a 256 ./vault/plugins/keyfactor | cut -d ' ' -f 1) command="keyfactor"
 
 enable:
+	export VAULT_ADDR=http://localhost:8200
+	export VAULT_TOKEN=root
 	vault secrets enable keyfactor
 
+config_oauth:
+	vault write keyfactor/config \
+		url="https://int1230-oauth.eastus2.cloudapp.azure.com" \
+		client_id="vault-secrets-engine" \
+		client_secret="c6rxzs6Hz8JjlkFR87ra18WBqlhXdwMO" \
+		token_url="https://int1230-oauth.eastus2.cloudapp.azure.com/oauth2/token" \
+		template="SslServerProfile" \
+		CA="TestDriveSub-G1"
+
 clean:
 	rm -f ./vault/plugins/keyfactor
 
 fmt:
 	go fmt $$(go list ./...)
 
-
 release:
 	GOOS=darwin GOARCH=amd64 go build -o ./bin/${BINARY}_${VERSION}_darwin_amd64
 	GOOS=freebsd GOARCH=386 go build -o ./bin/${BINARY}_${VERSION}_freebsd_386
@@ -49,5 +65,4 @@ release:
 	GOOS=windows GOARCH=386 go build -o ./bin/${BINARY}_${VERSION}_windows_386
 	GOOS=windows GOARCH=amd64 go build -o ./bin/${BINARY}_${VERSION}_windows_amd64
 
-
-.PHONY: build clean fmt start enable
+.PHONY: build clean fmt start enable register release

client.go

@@ -11,11 +11,11 @@ package keyfactor
 
 import (
 	"errors"
-	"fmt"
 	"log"
 	"strings"
 
-	"github.com/Keyfactor/keyfactor-go-client/api"
+	"github.com/Keyfactor/keyfactor-auth-client-go/auth_providers"
+	"github.com/Keyfactor/keyfactor-go-client/v3/api"
 )
 
 type keyfactorClient struct {
@@ -27,33 +27,58 @@ func newClient(config *keyfactorConfig) (*api.Client, error) {
 		return nil, errors.New("client configuration was nil")
 	}
 
-	if config.Username == "" {
-		return nil, errors.New("client username was not defined")
-	}
-
-	if config.Password == "" {
-		return nil, errors.New("client password was not defined")
-	}
-
 	if config.KeyfactorUrl == "" {
 		return nil, errors.New("client URL was not defined")
 	}
-	username := strings.Split(config.Username, "//")[1]
-	domain := strings.Split(config.Username, "//")[1]
 	hostname := config.KeyfactorUrl
 	if strings.HasPrefix(config.KeyfactorUrl, "http") {
 		hostname = strings.Split(config.KeyfactorUrl, "//")[1] //extract just the domain
 	}
 
-	var clientAuth api.AuthConfig
-	clientAuth.Username = username
-	clientAuth.Password = config.Password
-	clientAuth.Domain = domain
-	clientAuth.Hostname = hostname
+	isBasicAuth := config.Username != "" && config.Password != ""
+	isOAuth := (config.ClientId != "" && config.ClientSecret != "" && config.TokenUrl != "") || config.AccessToken != ""
+
+	if !isBasicAuth && !isOAuth {
+		return nil, errors.New(
+			"invalid Keyfactor Command client configuration, " +
+				"please provide a valid Basic auth or OAuth configuration",
+		)
+	}
 
-	fmt.Printf("clientAuth values: \n %s", clientAuth)
+	serverConfig := &auth_providers.Server{}
+	if isBasicAuth {
+		basicAuthConfig := &auth_providers.CommandAuthConfigBasic{}
+		_ = basicAuthConfig.WithCommandHostName(hostname).
+			WithCommandAPIPath(config.CommandAPIPath)
+
+		bErr := basicAuthConfig.
+			WithUsername(config.Username).
+			WithPassword(config.Password).
+			Authenticate()
+
+		if bErr != nil {
+			return nil, bErr
+		}
+		serverConfig = basicAuthConfig.GetServerConfig()
+	} else if isOAuth {
+		oauthConfig := &auth_providers.CommandConfigOauth{}
+		_ = oauthConfig.WithCommandHostName(hostname).
+			WithCommandAPIPath(config.CommandAPIPath)
+
+		oErr := oauthConfig.
+			WithClientId(config.ClientId).
+			WithClientSecret(config.ClientSecret).
+			WithTokenUrl(config.TokenUrl).
+			WithAccessToken(config.AccessToken).
+			Authenticate()
+
+		if oErr != nil {
+			return nil, oErr
+		}
+		serverConfig = oauthConfig.GetServerConfig()
+	}
 
-	c, err := api.NewKeyfactorClient(&clientAuth)
+	c, err := api.NewKeyfactorClient(serverConfig, nil)
 	if err != nil {
 		log.Fatalf("[ERROR] creating Keyfactor client: %s", err)
 	}

go.mod

@@ -1,11 +1,14 @@
 module github.com/keyfactor/hashicorp-vault-secrets-engine
 
-go 1.20
+go 1.23
+
+toolchain go1.23.3
 
 require (
-	github.com/Keyfactor/keyfactor-go-client v1.2.0
+	github.com/Keyfactor/keyfactor-auth-client-go v1.0.0-rc.2
+	github.com/Keyfactor/keyfactor-go-client/v3 v3.0.0
 	github.com/hashicorp/errwrap v1.0.0
-	github.com/hashicorp/go-hclog v0.16.2
+	github.com/hashicorp/go-hclog v1.5.0
 	github.com/hashicorp/vault/api v1.1.1
 	github.com/hashicorp/vault/sdk v0.2.1
 )
@@ -14,7 +17,7 @@ require (
 	github.com/armon/go-metrics v0.3.3 // indirect
 	github.com/armon/go-radix v1.0.0 // indirect
 	github.com/cenkalti/backoff/v3 v3.0.0 // indirect
-	github.com/fatih/color v1.7.0 // indirect
+	github.com/fatih/color v1.13.0 // indirect
 	github.com/golang/protobuf v1.4.2 // indirect
 	github.com/golang/snappy v0.0.1 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.1 // indirect
@@ -29,27 +32,30 @@ require (
 	github.com/hashicorp/go-version v1.2.0 // indirect
 	github.com/hashicorp/golang-lru v0.5.3 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/hashicorp/terraform-plugin-log v0.9.0 // indirect
 	github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb // indirect
-	github.com/mattn/go-colorable v0.1.6 // indirect
-	github.com/mattn/go-isatty v0.0.12 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.19 // indirect
 	github.com/mitchellh/copystructure v1.0.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/go-testing-interface v1.0.0 // indirect
+	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/mapstructure v1.3.2 // indirect
 	github.com/mitchellh/reflectwalk v1.0.0 // indirect
 	github.com/oklog/run v1.0.0 // indirect
 	github.com/pierrec/lz4 v2.5.2+incompatible // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
-	github.com/spbsoluble/go-pkcs12 v0.3.1 // indirect
-	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
+	github.com/spbsoluble/go-pkcs12 v0.3.3 // indirect
+	go.mozilla.org/pkcs7 v0.9.0 // indirect
 	go.uber.org/atomic v1.6.0 // indirect
-	golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29 // indirect
-	golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 // indirect
-	golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
-	golang.org/x/text v0.3.6 // indirect
+	golang.org/x/crypto v0.11.0 // indirect
+	golang.org/x/net v0.10.0 // indirect
+	golang.org/x/oauth2 v0.23.0 // indirect
+	golang.org/x/sys v0.12.0 // indirect
+	golang.org/x/text v0.11.0 // indirect
 	golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 // indirect
 	google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013 // indirect
 	google.golang.org/grpc v1.29.1 // indirect
 	google.golang.org/protobuf v1.25.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 )