Merge pull request #439 from Venafi/VC-31642/tlspc-svc-account-auth

Fixes to support service account authentication in TLSPC
Venafi · Mar 22, 2024 · b55fc7a · b55fc7a
2 parents a30535a + 5d07987
commit b55fc7a
Show file tree

Hide file tree

Showing 8 changed files with 1,182 additions and 1,122 deletions.
diff --git a/go.mod b/go.mod
@@ -1,6 +1,9 @@
 module github.com/Venafi/vcert/v5
 
+go 1.21
+
 require (
+	github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a
 	github.com/google/uuid v1.3.0
 	github.com/howeyc/gopass v0.0.0-20170109162249-bf9dde6d0d2c
 	github.com/pavel-v-chernykh/keystore-go/v4 v4.1.0
@@ -24,7 +27,6 @@ require (
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fsnotify/fsnotify v1.4.9 // indirect
-	github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/magiconair/properties v1.8.1 // indirect
@@ -47,5 +49,3 @@ require (
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 )
-
-go 1.20
diff --git a/go.sum b/go.sum
@@ -13,6 +13,7 @@ cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiy
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
+github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
@@ -21,6 +22,7 @@ github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hC
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
+github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
@@ -70,6 +72,7 @@ github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5a
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
@@ -213,6 +216,7 @@ go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/goleak v1.1.11 h1:wy28qYRKZgnJTxGxvye5/wgWr1EKjmUDGYox5mGlRlI=
+go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=

diff --git a/pkg/endpoint/endpoint.go b/pkg/endpoint/endpoint.go
@@ -80,26 +80,26 @@ type Connector interface {
 	GetType() ConnectorType
 	// SetZone sets a zone (by name) for requests with this connector.
 	SetZone(z string)
-	// GetZonesByParent returns a list of valid zones specified by parent
-	GetZonesByParent(parent string) ([]string, error)
+	// SetHTTPClient allows to set custom http.Client to this Connector.
+	SetHTTPClient(client *http.Client)
 	Ping() (err error)
 	// Authenticate is usually called by NewClient and it is not required that you manually call it.
 	Authenticate(auth *Authentication) (err error)
+
 	// ReadPolicyConfiguration returns information about zone policies. It can be used for checking request compatibility with policies.
 	ReadPolicyConfiguration() (policy *Policy, err error)
 	// ReadZoneConfiguration returns the zone configuration. A zone configuration includes zone policy and additional zone information.
 	ReadZoneConfiguration() (config *ZoneConfiguration, err error)
+	// GetZonesByParent returns a list of valid zones specified by parent
+	GetZonesByParent(parent string) ([]string, error)
 	// GenerateRequest update certificate.Request with data from zone configuration.
 	GenerateRequest(config *ZoneConfiguration, req *certificate.Request) (err error)
+
 	// ResetCertificate resets the state of a certificate.
 	// This function is idempotent, i.e., it won't fail if there is nothing to be reset.
 	ResetCertificate(req *certificate.Request, restart bool) (err error)
 	// RequestCertificate makes a request to the server with data for enrolling the certificate.
 	RequestCertificate(req *certificate.Request) (requestID string, err error)
-	// SynchronousRequestCertificate makes a request to the server with data for enrolling the certificate and returns the enrolled certificate.
-	SynchronousRequestCertificate(req *certificate.Request) (certificates *certificate.PEMCollection, err error)
-	// SupportSynchronousRequestCertificate returns if the connector support synchronous calls to request a certificate.
-	SupportSynchronousRequestCertificate() bool
 	// RetrieveCertificate immediately returns an enrolled certificate. Otherwise, RetrieveCertificate waits and retries during req.Timeout.
 	RetrieveCertificate(req *certificate.Request) (certificates *certificate.PEMCollection, err error)
 	IsCSRServiceGenerated(req *certificate.Request) (bool, error)
@@ -108,29 +108,35 @@ type Connector interface {
 	RetireCertificate(req *certificate.RetireRequest) error
 	// ImportCertificate adds an existing certificate to Venafi Platform even if the certificate was not issued by Venafi Cloud or Venafi Platform. For information purposes.
 	ImportCertificate(req *certificate.ImportRequest) (*certificate.ImportResponse, error)
-	// SetHTTPClient allows to set custom http.Client to this Connector.
-	SetHTTPClient(client *http.Client)
-	// ListCertificates
+	// ListCertificates returns a list of certificates from inventory that matches the filter
 	ListCertificates(filter Filter) ([]certificate.CertificateInfo, error)
-	SetPolicy(name string, ps *policy.PolicySpecification) (string, error)
-	GetPolicy(name string) (*policy.PolicySpecification, error)
-	RequestSSHCertificate(req *certificate.SshCertRequest) (response *certificate.SshCertificateObject, err error)
-	RetrieveSSHCertificate(req *certificate.SshCertRequest) (response *certificate.SshCertificateObject, err error)
-	RetrieveSshConfig(ca *certificate.SshCaTemplateRequest) (*certificate.SshConfig, error)
 	SearchCertificates(req *certificate.SearchRequest) (*certificate.CertSearchResponse, error)
-	// Returns a valid certificate
+	// SearchCertificate returns a valid certificate
 	//
 	// If it returns no error, the certificate returned should be the latest [1]
 	// exact matching zone [2], CN and sans.DNS [3] provided, with a minimum
 	// validity of `certMinTimeLeft`
 	//
-	// [1] the one with longest validity; field named ValidTo for TPP and
+	// [1] the one with the longest validity; field named ValidTo for TPP and
 	// validityEnd for VaaS
 	// [2] application name for VaaS
 	// [3] an array of strings representing the DNS names
 	SearchCertificate(zone string, cn string, sans *certificate.Sans, certMinTimeLeft time.Duration) (*certificate.CertificateInfo, error)
-	RetrieveAvailableSSHTemplates() ([]certificate.SshAvaliableTemplate, error)
 	RetrieveCertificateMetaData(dn string) (*certificate.CertificateMetaData, error)
+
+	SetPolicy(name string, ps *policy.PolicySpecification) (string, error)
+	GetPolicy(name string) (*policy.PolicySpecification, error)
+
+	RequestSSHCertificate(req *certificate.SshCertRequest) (response *certificate.SshCertificateObject, err error)
+	RetrieveSSHCertificate(req *certificate.SshCertRequest) (response *certificate.SshCertificateObject, err error)
+	RetrieveSshConfig(ca *certificate.SshCaTemplateRequest) (*certificate.SshConfig, error)
+	RetrieveAvailableSSHTemplates() ([]certificate.SshAvaliableTemplate, error)
+
+	// SynchronousRequestCertificate makes a request to the server with data for enrolling the certificate and returns the enrolled certificate.
+	SynchronousRequestCertificate(req *certificate.Request) (certificates *certificate.PEMCollection, err error)
+	// SupportSynchronousRequestCertificate returns if the connector support synchronous calls to request a certificate.
+	SupportSynchronousRequestCertificate() bool
+
 	RetrieveSystemVersion() (string, error)
 	WriteLog(req *LogRequest) error
 }