
fix(pam): Fixing remote PAM
spbsoluble committed Feb 1, 2024
1 parent a98aab6 commit 894c2b5
Showing 6 changed files with 64 additions and 113 deletions.
2 changes: 1 addition & 1 deletion kubernetes-orchestrator-extension/Jobs/Discovery.cs
Expand Up @@ -21,7 +21,7 @@ public class Discovery : JobBase, IDiscoveryJobExtension
{
public Discovery(IPAMSecretResolver resolver)
{
Resolver = resolver;
_resolver = resolver;
}
//Job Entry Point
public JobResult ProcessJob(DiscoveryJobConfiguration config, SubmitDiscoveryUpdate submitDiscovery)
2 changes: 1 addition & 1 deletion kubernetes-orchestrator-extension/Jobs/Inventory.cs
Expand Up @@ -28,7 +28,7 @@ public class Inventory : JobBase, IInventoryJobExtension
{
public Inventory(IPAMSecretResolver resolver)
{
Resolver = resolver;
_resolver = resolver;
}
//Job Entry Point
public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpdate submitInventory)
163 changes: 57 additions & 106 deletions kubernetes-orchestrator-extension/Jobs/JobBase.cs
Expand Up @@ -141,7 +141,7 @@ static JobBase()

internal protected string Capability { get; set; }

internal protected IPAMSecretResolver Resolver { get; set; }
public IPAMSecretResolver _resolver;

public string StorePath { get; set; }

Expand Down Expand Up @@ -586,48 +586,53 @@ private void InitializeProperties(dynamic storeProperties)

//check if storeProperties contains ServerUsername key

if (string.IsNullOrEmpty(ServerUsername))
if (!string.IsNullOrEmpty(ServerUsername))
{
// check if storeProperties contains ServerUsername ke
Logger.LogDebug("ServerUsername is empty.");
try
{
Logger.LogDebug("Attempting to resolve ServerUsername from store properties or PAM provider. Defaults to 'kubeconfig'.");
ServerUsername = storeProperties.ContainsKey("ServerUsername") && string.IsNullOrEmpty(storeProperties["ServerUsername"])
? (string)ResolvePamField("ServerUsername", storeProperties["ServerUsername"])
: "kubeconfig";
}
catch (Exception)
var pamServerUsername = (string)PAMUtilities.ResolvePAMField(_resolver, Logger, "ServerUsername", ServerUsername);
if (!string.IsNullOrEmpty(pamServerUsername))
{
ServerUsername = "kubeconfig";
ServerUsername = pamServerUsername;
}
Logger.LogTrace("ServerUsername: " + ServerUsername);
}
else
{
// check is username is json string and attempt to pam resolve
if (ServerUsername.StartsWith('{') && ServerUsername.EndsWith('}'))
else
{
Logger.LogDebug("ServerUsername is a JSON string. Attempting to resolve ServerUsername from store properties or PAM provider.");
var pamServerUsername = (string)ResolvePamField("ServerUsername", ServerUsername);
pamServerUsername = (string)PAMUtilities.ResolvePAMField(_resolver, Logger, "Server Username", ServerUsername);
if (!string.IsNullOrEmpty(pamServerUsername))
{
ServerUsername = pamServerUsername;
}
}
}
if (string.IsNullOrEmpty(ServerPassword))
else
{
ServerUsername = "kubeconfig";
}

// Check if ServerPassword is empty and resolve from store properties or PAM provider
if (!string.IsNullOrEmpty(ServerPassword))
{
Logger.LogDebug("ServerPassword is empty.");
try
{
Logger.LogDebug("Attempting to resolve ServerPassword from store properties or PAM provider.");
ServerPassword = storeProperties.ContainsKey("ServerPassword") ? (string)ResolvePamField("ServerPassword", storeProperties["ServerPassword"]) : "";
if (string.IsNullOrEmpty(ServerPassword))
var pamServerPassword = (string)PAMUtilities.ResolvePAMField(_resolver, Logger, "ServerPassword", ServerPassword);
if (!string.IsNullOrEmpty(pamServerPassword))
{
ServerPassword = (string)ResolvePamField("ServerPassword", storeProperties["ServerPassword"]);
ServerPassword = pamServerPassword;
}
else
{
pamServerPassword = (string)PAMUtilities.ResolvePAMField(_resolver, Logger, "Server Password", ServerPassword);
if (!string.IsNullOrEmpty(pamServerPassword))
{
ServerPassword = pamServerPassword;
}
else
{
pamServerPassword = (string)PAMUtilities.ResolvePAMField(_resolver, Logger, "Server Password", ServerPassword);
if (!string.IsNullOrEmpty(pamServerPassword))
{
ServerPassword = pamServerPassword;
}
}
}
// Logger.LogTrace("ServerPassword: " + ServerPassword);
}
catch (Exception e)
{
Expand All @@ -638,84 +643,47 @@ private void InitializeProperties(dynamic storeProperties)
Logger.LogTrace(e.StackTrace);
throw new ConfigurationException("Invalid configuration. ServerPassword not provided or is invalid.");
}

} else {
Logger.LogError("Unable to resolve ServerPassword from store properties or PAM provider, defaulting to empty string.");
throw new ConfigurationException("Invalid configuration. ServerPassword not provided or is invalid.");
}
else

if (!string.IsNullOrEmpty(StorePassword))
{
// check that password is json and is not a kubeconfig
if (ServerPassword.StartsWith('{') && ServerPassword.EndsWith('}') && !ServerPassword.Contains("apiVersion"))
try
{
Logger.LogDebug("ServerPassword is a JSON string. Attempting to resolve ServerPassword from store properties or PAM provider.");
var pamServerPassword = (string)ResolvePamField("ServerPassword", ServerPassword);
if (!string.IsNullOrEmpty(pamServerPassword))
var pamStorePassword = (string)PAMUtilities.ResolvePAMField(_resolver, Logger, "StorePassword", StorePassword);
if (!string.IsNullOrEmpty(pamStorePassword))
{
ServerPassword = pamServerPassword;
StorePassword = pamStorePassword;
}
// Logger.LogTrace("ServerPassword: " + ServerPassword);
}
}
if (string.IsNullOrEmpty(StorePassword))
{
Logger.LogDebug("StorePassword is empty.");
try
{
Logger.LogDebug("Attempting to resolve StorePassword from store properties or PAM provider.");
StorePassword = storeProperties.ContainsKey("StorePassword") ? (string)ResolvePamField("StorePassword", storeProperties["StorePassword"]) : "";
if (string.IsNullOrEmpty(ServerPassword))
else
{
StorePassword = (string)ResolvePamField("StorePassword", storeProperties["StorePassword"]);
pamStorePassword = (string)PAMUtilities.ResolvePAMField(_resolver, Logger, "Store Password", StorePassword);
if (!string.IsNullOrEmpty(pamStorePassword))
{
StorePassword = pamStorePassword;
}
}
// Logger.LogTrace("StorePassword: " + StorePassword);
}
catch (Exception e)
{
Logger.LogError("Unable to resolve StorePassword from store properties or PAM provider, defaulting to empty string.");
ServerPassword = "";
StorePassword = "";
Logger.LogError(e.Message);
Logger.LogTrace(e.ToString());
Logger.LogTrace(e.StackTrace);
throw new ConfigurationException("Invalid configuration. ServerPassword not provided or is invalid.");
throw new ConfigurationException("Invalid configuration. StorePassword not provided or is invalid.");
}

}
else
{
// check that password is json and is not a kubeconfig
if (StorePassword.StartsWith('{') && StorePassword.EndsWith('}') && !StorePassword.Contains("apiVersion"))
{
Logger.LogDebug("StorePassword is a JSON string. Attempting to resolve StorePassword from store properties or PAM provider.");
var pamStorePassword = (string)ResolvePamField("StorePassword", StorePassword);
if (!string.IsNullOrEmpty(pamStorePassword))
{
StorePassword = pamStorePassword;
}
// Logger.LogTrace("StorePassword: " + StorePassword);
}
}
// var storePassword = ResolvePamField("Store Password", storeProperties.CertificateStoreDetails.StorePassword);
//
// if (storePassword != null)
// {
// // Logger.LogWarning($"Store password provided but is not supported by store type {storeProperties.Capability}).");
// storeProperties["StorePassword"] = storePassword;
// }


if (ServerUsername == "kubeconfig" || string.IsNullOrEmpty(ServerUsername))
{
Logger.LogInformation("Using kubeconfig provided by 'Server Password' field");
storeProperties["KubeSvcCreds"] = ServerPassword;
KubeSvcCreds = ServerPassword;
// logger.LogTrace($"KubeSvcCreds: {localCertStore.KubeSvcCreds}"); //Do not log passwords
}

// if (string.IsNullOrEmpty(KubeSvcCreds))
// {
// const string credsErr =
// "No credentials provided to connect to Kubernetes. Please provide a kubeconfig file. See https://github.com/Keyfactor/kubernetes-orchestrator/blob/main/scripts/kubernetes/get_service_account_creds.sh";
// Logger.LogError(credsErr);
// throw new AuthenticationException(credsErr);
// }

switch (KubeSecretType)
{
case "pfx":
Expand All @@ -736,15 +704,6 @@ private void InitializeProperties(dynamic storeProperties)
KubeSecretPassword = storeProperties.ContainsKey("KubeSecretPassword") ? storeProperties["KubeSecretPassword"] : "";
CertificateDataFieldName = storeProperties.ContainsKey("CertificateDataFieldName") ? storeProperties["CertificateDataFieldName"] : DefaultJKSSecretFieldName;
break;

PasswordFieldName = storeProperties.ContainsKey("PasswordFieldName") ? storeProperties["PasswordFieldName"] : DefaultPFXPasswordSecretFieldName;
PasswordIsSeparateSecret = storeProperties.ContainsKey("PasswordIsSeparateSecret") ? bool.Parse(storeProperties["PasswordIsSeparateSecret"]) : false;
StorePasswordPath = storeProperties.ContainsKey("StorePasswordPath") ? storeProperties["StorePasswordPath"] : "";
PasswordIsK8SSecret = storeProperties.ContainsKey("PasswordIsK8SSecret") ? bool.Parse(storeProperties["PasswordIsK8SSecret"]) : false;
KubeSecretPassword = storeProperties.ContainsKey("KubeSecretPassword") ? storeProperties["KubeSecretPassword"] : "";
CertificateDataFieldName = storeProperties.ContainsKey("KubeSecretKey") ? storeProperties["KubeSecretKey"] : DefaultPFXSecretFieldName;
break;

}

KubeClient = new KubeCertificateManagerClient(KubeSvcCreds);
Expand Down Expand Up @@ -774,13 +733,11 @@ private void InitializeProperties(dynamic storeProperties)
Logger.LogDebug($"KubeSecretName: {KubeSecretName}");
Logger.LogDebug($"KubeSecretType: {KubeSecretType}");

if (string.IsNullOrEmpty(KubeSecretName))
{
// KubeSecretName = StorePath.Split("/").Last();
Logger.LogWarning("KubeSecretName is empty. Setting KubeSecretName to StorePath.");
KubeSecretName = StorePath;
Logger.LogTrace("KubeSecretName: " + KubeSecretName);
}
if (!string.IsNullOrEmpty(KubeSecretName)) return;
// KubeSecretName = StorePath.Split("/").Last();
Logger.LogWarning("KubeSecretName is empty. Setting KubeSecretName to StorePath.");
KubeSecretName = StorePath;
Logger.LogTrace("KubeSecretName: " + KubeSecretName);

}

Expand Down Expand Up @@ -853,13 +810,7 @@ public string GetStorePath()
}

}

protected string ResolvePamField(string name, string value)
{
Logger.LogTrace($"Attempting to resolved PAM eligible field {name}");
return Resolver.Resolve(name);
}


protected byte[] GetKeyBytes(X509Certificate2 certObj, string certPassword = null)
{
Logger.LogTrace("Entered GetKeyBytes()");
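Review bot: `public IPAMSecretResolver _resolver;` in the first JobBase.cs hunk replaces an `internal protected` property with a public mutable field, so any code holding a job instance can replace the object that hands out credentials; the derived job constructors only need `protected IPAMSecretResolver _resolver;` (or keep the property and assign it from them). In the InitializeProperties hunk the new branches no longer apply the old `StartsWith('{') && EndsWith('}') && !Contains("apiVersion")` guard, so a ServerPassword that holds a raw kubeconfig (the case the unchanged "Using kubeconfig provided by 'Server Password' field" block still expects) is handed straight to `_resolver.Resolve`; unless Resolve is known to return non-PAM input unchanged, that path should be confirmed. The innermost `else` that calls `PAMUtilities.ResolvePAMField(_resolver, Logger, "Server Password", ServerPassword)` a second time with identical arguments appears to be a duplicated block and can be dropped. InitializeProperties starts and ends outside the hunks shown.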
2 changes: 1 addition & 1 deletion kubernetes-orchestrator-extension/Jobs/Management.cs
Expand Up @@ -26,7 +26,7 @@ public class Management : JobBase, IManagementJobExtension
{
public Management(IPAMSecretResolver resolver)
{
Resolver = resolver;
_resolver = resolver;
}

//Job Entry Point
Expand Up @@ -10,11 +10,11 @@

namespace Keyfactor.Extensions.Orchestrator.K8S;

class PamUtilities
class PAMUtilities
{
internal static string ResolvePamField(IPAMSecretResolver resolver, ILogger logger, string name, string key)
internal static string ResolvePAMField(IPAMSecretResolver resolver, ILogger logger, string name, string key)
{
logger.LogDebug($"Attempting to resolve PAM eligible field {name} with key {key}");
return resolver.Resolve(key);
return string.IsNullOrEmpty(key) ? key : resolver.Resolve(key);
}
}
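Review bot: The unchanged debug line `logger.LogDebug($"Attempting to resolve PAM eligible field {name} with key {key}");` now receives the credential's own value as `key`, because the JobBase.cs callers introduced in this commit pass ServerPassword, StorePassword and, on the kubeconfig path, possibly an entire kubeconfig; whenever Debug logging is enabled the plaintext secret is written to the log. Log only the field name, `logger.LogDebug($"Attempting to resolve PAM eligible field {name}");`, and keep the value out of log output entirely. The new `string.IsNullOrEmpty(key) ? key : resolver.Resolve(key)` also dereferences `resolver` without a check; if the project targets .NET 6 or later, `ArgumentNullException.ThrowIfNull(resolver);` at the top of the method gives a clearer failure than a NullReferenceException from a mis-wired job.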
2 changes: 1 addition & 1 deletion kubernetes-orchestrator-extension/Jobs/Reenrollment.cs
Expand Up @@ -25,7 +25,7 @@ public class Reenrollment : JobBase, IReenrollmentJobExtension
{
public Reenrollment(IPAMSecretResolver resolver)
{
Resolver = resolver;
_resolver = resolver;
}
//Job Entry Point
public JobResult ProcessJob(ReenrollmentJobConfiguration config, SubmitReenrollmentCSR submitReenrollment)
