Merge pull request #65 from Venafi/master-VEN-53611-obtain-new-token

Master ven 53611 obtain new token
Venafi · Jan 10, 2020 · 46ed6e7 · 46ed6e7
2 parents 0581a4b + 6c83e09
commit 46ed6e7
Show file tree

Hide file tree

Showing 25 changed files with 618 additions and 126 deletions.
diff --git a/Makefile b/Makefile
@@ -14,6 +14,7 @@ get: gofmt
 
 build_quick: get
 	env GOOS=linux   GOARCH=amd64 go build $(GO_LDFLAGS) -o bin/linux/vcert         ./cmd/vcert
+	cp bin/linux/vcert aruba/bin/vcert
 
 build: get
 	env GOOS=linux   GOARCH=amd64 go build $(GO_LDFLAGS) -o bin/linux/vcert         ./cmd/vcert

diff --git a/aruba/Dockerfile b/aruba/Dockerfile
@@ -1,5 +1,5 @@
 FROM ruby
-MAINTAINER Alexander Tarasenko <alexander.tarasenko@venafi.com>
+MAINTAINER Venafi DevOps Integrations <opensource@venafi.com>
 
 RUN gem install aruba json_spec
 COPY . /vcert/

diff --git a/aruba/cucumber.sh b/aruba/cucumber.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-
+echo "Using token $TPPACCESS_TOKEN"
 RUN_COMMAND="docker run -t --rm \
           -e VCERT_TPP_URL \
           -e VCERT_TPP_USER \

diff --git a/aruba/features/enroll/basic.enroll.feature b/aruba/features/enroll/basic.enroll.feature
@@ -65,3 +65,7 @@ Feature: Enroll certificate
     Given I enroll a certificate in test-mode with -no-prompt -cn vfidev.example.com -cert-file c.pem -chain-file ch.pem
     Then the file "c.pem" should match /(-----BEGIN CERTIFICATE-----.+){1}/
     Then the file "ch.pem" should match /(-----BEGIN CERTIFICATE-----.+){1}/
+
+  Scenario: enroll with wrong csr option should return error
+    Given I enroll a certificate in test-mode with -cn vfidev.example.com -csr sservice -no-prompt
+    Then the exit status should not be 0
diff --git a/aruba/features/getcred/getcred.feature b/aruba/features/getcred/getcred.feature
@@ -0,0 +1,42 @@
+Feature: Getting credentials tokens from TPP
+
+  As a user
+  I want to get credentials tokens from TPP
+
+  Background:
+    Given the default aruba exit timeout is 180 seconds
+
+  Scenario: request refresh token and refresh access token
+    When I get credentials from TPP
+    And I remember the output
+      And it should output access token
+      And it should output refresh token
+    Then I refresh access token
+      And I remember the output
+      And it should output access token
+      And it should output refresh token
+
+  Scenario: request refresh token in json format
+    When I get credentials from TPP with -format json
+      And I remember the output
+      And it should output access token in JSON
+      And it should output refresh token in JSON
+
+  Scenario: request with PKCS12 if possible
+    When I get credentials from TPP with PKSC12
+    And I remember the output
+      And it should output access token
+      And it should output refresh token
+
+  Scenario: request with PKCS12 if possible with no password
+    When I interactively get credentials from TPP with PKSC12 and no password
+    And I type "newPassw0rd!"
+    And I remember the output
+      And it should output access token
+      And it should output refresh token
+
+  Scenario: request refresh token and refresh access token with username and no password
+    When I interactively get credentials from TPP with username and no password
+    And I remember the output
+      And it should output access token
+      And it should output refresh token
diff --git a/aruba/features/step_definitions/actions.rb b/aruba/features/step_definitions/actions.rb
@@ -70,4 +70,53 @@
   end
   cmd = "vcert gencsr#{cn}#{flags}"
   steps %{Then I try to run `#{cmd}`}
+end
+
+# Getting credentials
+When(/^I( interactively)? get credentials from TPP(?: with)?(.+)?$/) do |interactively, flags|
+  if flags === " PKSC12"
+    if "#{ENV['PKCS12_FILE']}" === ""
+      puts "No PKCS12 file was specified. Skipping scenario"
+      skip_this_scenario
+    else
+      cmd = "vcert getcred -u '#{ENV['VCERT_TPP_MTLS_URL']}' -p12-file '#{ENV['PKCS12_FILE']}' -p12-password "+
+          "'#{ENV['PKCS12_FILE_PASSWORD']}' -trust-bundle '#{ENV['MTLS_TRUST_BUNDLE']}'"
+    end
+  elsif flags === " PKSC12 and no password"
+    if "#{ENV['PKCS12_FILE']}" === ""
+      puts "No PKCS12 file was specified. Skipping scenario"
+      skip_this_scenario
+    else
+      cmd = "vcert getcred -u '#{ENV['VCERT_TPP_URL']}' -p12-file '#{ENV['PKCS12_FILE']}' -p12-password "+
+          "'#{ENV['PKCS12_FILE_PASSWORD']}'"
+    end
+  elsif flags === " username and no password"
+    cmd = "vcert getcred -u '#{ENV['VCERT_TPP_URL']}' -username '#{ENV['VCERT_TPP_USER']}' -insecure"
+  else
+    cmd = "vcert getcred -u '#{ENV['VCERT_TPP_URL']}' -username '#{ENV['VCERT_TPP_USER']}'" +
+        " -password '#{ENV['VCERT_TPP_PASSWORD']}' #{flags} -insecure"
+  end
+
+  if interactively
+    puts cmd
+    steps %{
+      Then I run `#{cmd}` interactively
+      And I type "#{ENV['VCERT_TPP_PASSWORD']}"
+      Then the exit status should be 0
+    }
+  else
+    steps %{
+    Then I try to run `#{cmd}`
+  }
+  end
+end
+
+When(/^I refresh access token$/) do
+  cmd = "vcert getcred -u '#{ENV['VCERT_TPP_URL']}' -t #{@refresh_token} -insecure"
+  steps %{
+    Then I try to run `#{cmd}`
+      And I remember the output
+      And it should output access token
+      And it should output refresh token
+  }
 end
diff --git a/aruba/features/step_definitions/endpoints.rb b/aruba/features/step_definitions/endpoints.rb
@@ -1,4 +1,4 @@
-
+#TODO: we need to rewrite aruba tests to use trust bundle instead of insecure flag
 ENDPOINTS = {
     "test-mode" => "-test-mode -test-mode-delay 0",
 

diff --git a/aruba/features/step_definitions/my_steps.rb b/aruba/features/step_definitions/my_steps.rb
@@ -76,9 +76,44 @@
 
 When(/^the outputs should( not)? be the same$/) do |negated|
   if negated
-    expect(last_command_started.output.to_s).not_to send(:an_output_string_being_eq,  @previous_command_output)
+    expect(last_command_started.output.to_s).not_to send(:an_output_string_being_eq, @previous_command_output)
   else
-    expect(last_command_started.output.to_s).to send(:an_output_string_being_eq,  @previous_command_output)
+    expect(last_command_started.output.to_s).to send(:an_output_string_being_eq, @previous_command_output)
   end
 end
 
+
+Then(/^it should( not)? output (access|refresh) token( in JSON)?$/) do |negated, token, json|
+
+  if @previous_command_output.nil?
+    fail(ArgumentError.new('@previous_command_output is nil'))
+  end
+
+  puts("Checking output:\n"+@previous_command_output)
+  unless json
+    steps %{Then the output should#{negated} contain "access_token:"}
+  end
+
+  unless negated
+    if json then
+      JSON.parse(@previous_command_output)
+      if token === "access"
+        @access_token = unescape_text(normalize_json(@previous_command_output, "access_token")).tr('"', '')
+      elsif token === "refresh"
+        @refresh_token = unescape_text(normalize_json(@previous_command_output, "refresh_token")).tr('"', '')
+      else
+        fail(ArgumentError.new("Cant determine token type for #{token}"))
+      end
+    else
+      if token === "access"
+        m = @previous_command_output.match /access_token:  (.+)$/
+        @access_token = m[1]
+      elsif token === "refresh"
+        m = @previous_command_output.match /^refresh_token:  (.+)$/
+        @refresh_token = m[1]
+      else
+        fail(ArgumentError.new("Cant determine token type for #{token}"))
+      end
+    end
+  end
+end
diff --git a/aruba/features/step_definitions/openssl.rb b/aruba/features/step_definitions/openssl.rb
@@ -113,7 +113,6 @@
   steps %{
     Then I try to run `openssl pkcs12 -in "#{filename}" -passin pass:#{password} -noout`
     And the exit status should be 0
-    And the output should be 0 bytes long
   }
   # -nokeys           Don't output private keys
   # -nocerts          Don't output certificates

diff --git a/client.go b/client.go
@@ -19,6 +19,8 @@ package vcert
 import (
 	"crypto/x509"
 	"fmt"
+	"log"
+	"os"
 
 	"github.com/Venafi/vcert/pkg/endpoint"
 	"github.com/Venafi/vcert/pkg/venafi/cloud"
@@ -31,9 +33,16 @@ import (
 // Returned connector is a concurrency-safe interface to TPP or Venafi Cloud that can be reused without restriction.
 // Connector can also be of type "fake" for local tests, which doesn`t connect to any backend and all certificates enroll locally.
 func (cfg *Config) NewClient() (connector endpoint.Connector, err error) {
-	var connectionTrustBundle *x509.CertPool
+	//TODO: make logger global so we can use it everywhere
+	const UtilityShortName string = "vCert"
+	var (
+		connectionTrustBundle *x509.CertPool
+		logger                = log.New(os.Stderr, UtilityShortName+": ", log.LstdFlags)
+		logf                  = logger.Printf
+	)
+
 	if cfg.ConnectionTrust != "" {
-		fmt.Println("You specified a trust bundle.")
+		logf("You specified a trust bundle.")
 		connectionTrustBundle = x509.NewCertPool()
 		if !connectionTrustBundle.AppendCertsFromPEM([]byte(cfg.ConnectionTrust)) {
 			return nil, fmt.Errorf("Failed to parse PEM trust bundle")

diff --git a/cmd/vcert/args.go b/cmd/vcert/args.go
@@ -35,6 +35,7 @@ const (
 	commandPickup
 	commandRevoke
 	commandRenew
+	commandGetcred
 )
 
 var (
@@ -52,6 +53,9 @@ var (
 
 	renewFlags  = flag.NewFlagSet("renew", flag.PanicOnError)
 	renewParams commandFlags
+
+	getcredFlags  = flag.NewFlagSet("getcred", flag.PanicOnError)
+	getcredParams commandFlags
 )
 
 type commandFlags struct {
@@ -60,7 +64,7 @@ type commandFlags struct {
 	tppURL             string
 	tppUser            string
 	tppPassword        string
-	tppAccessToken     string
+	tppToken           string
 	apiKey             string
 	cloudURL           string
 	zone               string
@@ -104,6 +108,8 @@ type commandFlags struct {
 	profile            string
 	clientP12          string
 	clientP12PW        string
+	clientId           string
+	scope              string
 }
 
 func createFromCommandFlags(co command) *commandFlags {
@@ -120,6 +126,8 @@ func createFromCommandFlags(co command) *commandFlags {
 		f = revokeParams
 	case commandRenew:
 		f = renewParams
+	case commandGetcred:
+		f = getcredParams
 	}
 
 	return &f
@@ -137,6 +145,8 @@ func validateFlags(c command) error {
 		return validateRevokeFlags()
 	case commandRenew:
 		return validateRenewFlags()
+	case commandGetcred:
+		return validateGetcredFlags()
 	}
 
 	return nil
@@ -180,6 +190,12 @@ func parseArgs() (co command, cf *commandFlags, err error) {
 		if err != nil {
 			logger.Panicf("%s", err)
 		}
+	case "getcred":
+		co = commandGetcred
+		err = getcredFlags.Parse(os.Args[2:])
+		if err != nil {
+			logger.Panicf("%s", err)
+		}
 	case "-v", "--v", "-version", "version":
 		printVersion()
 		exit(0)

diff --git a/cmd/vcert/config.go b/cmd/vcert/config.go
@@ -49,19 +49,23 @@ func buildConfig(co command, cf *commandFlags) (cfg vcert.Config, err error) {
 					time.Sleep(1 * time.Second)
 				}
 			}
-		} else if cf.tppUser != "" || cf.tppAccessToken != "" {
+		} else if cf.tppUser != "" || cf.tppToken != "" || cf.clientP12 != "" {
 			connectorType = endpoint.ConnectorTypeTPP
 			if cf.url != "" {
 				baseURL = cf.url
 			} else if cf.tppURL != "" {
 				baseURL = cf.tppURL
 			}
-			if cf.tppAccessToken == "" && cf.tppPassword == "" {
+			if cf.tppToken == "" && cf.tppPassword == "" && cf.clientP12 == "" {
 				logger.Panicf("A password is required to communicate with TPP")
 			}
 
-			if cf.tppAccessToken != "" {
-				auth.AccessToken = cf.tppAccessToken
+			if cf.tppToken != "" {
+				if co == commandGetcred {
+					auth.RefreshToken = cf.tppToken
+				} else {
+					auth.AccessToken = cf.tppToken
+				}
 			} else {
 				auth.User = cf.tppUser
 				auth.Password = cf.tppPassword