Release 2.6 (#56)

v2.6.0 (ab#55565 ab#56848 ab#48866 ab#55923 ab#55599) - Added ability for Linux installed universal orchestrator to manage stores as an "agent" (stores reside on same server as universal orchestrator) without the need to have SSH enabled. - Added ability for Linux installed universal orchestrator to manage certificate stores on Windows servers by using SSH to communicate between the Linux UO server and the Windows machines hosting the certificate stores. - Modified Discovery against Linux servers to use the -name option instead of -iname for the Linux shell "find" command, so Discovery will work for AIX servers. - Upgraded several NuGet packages. --------- Co-authored-by: leefine02 <kfadmin@LFINE-KF10-ORCH> Co-authored-by: Lee Fine <50836957+leefine02@users.noreply.github.com>
Keyfactor · May 13, 2024 · 379b747 · 379b747
1 parent 8748d2a
commit 379b747
Show file tree

Hide file tree

Showing 11 changed files with 1,060 additions and 457 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,9 @@
+v2.6.0
+- Added ability for Linux installed universal orchestrator to manage stores as an "agent" (stores reside on same server as universal orchestrator) without the need to have SSH enabled.
+- Added ability for Linux installed universal orchestrator to manage certificate stores on Windows servers by using SSH to communicate between the Linux UO server and the Windows machines hosting the certificate stores.
+- Modified Discovery against Linux servers to use the -name option instead of -iname for the Linux shell "find" command, so Discovery will work for AIX servers.
+- Upgraded several NuGet packages.
+
 v2.5.0
 - Add new optional custom field and config.json entries to supply a user id other than "root" for the user to "sudo into" when UseSudo = "Y".  There is an optional config.json DefaultSudoImpersonatedUser that will be used at the orchestrator level, and an optional new store type custom field, SudoImpersonatedUser, that overrides the config.json setting for each certificate store.
 - Modified the optional sudo command prefix to remove the "-i" option which was creating a new shell for the impersonated id (always root up until this release).  Without this option the profile for the logged in user and not the impersonated user will be used when running commands.

diff --git a/README.md b/README.md
diff --git a/RemoteFile/ManagementBase.cs b/RemoteFile/ManagementBase.cs
@@ -64,7 +64,7 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
                 switch (config.OperationType)
                 {
                     case CertStoreOperationType.Add:
-                        logger.LogDebug($"BEGIN create Operation for {config.CertificateStoreDetails.StorePath} on {config.CertificateStoreDetails.ClientMachine}.");
+                        logger.LogDebug($"BEGIN add Operation for {config.CertificateStoreDetails.StorePath} on {config.CertificateStoreDetails.ClientMachine}.");
                         if (!certificateStore.DoesStoreExist())
                         {
                             if (ApplicationSettings.CreateStoreIfMissing)
@@ -76,7 +76,7 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
                         certificateStore.AddCertificate((config.JobCertificate.Alias ?? new X509Certificate2(Convert.FromBase64String(config.JobCertificate.Contents), config.JobCertificate.PrivateKeyPassword).Thumbprint), config.JobCertificate.Contents, config.Overwrite, config.JobCertificate.PrivateKeyPassword);
                         certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(), storePathFile.Path, storePathFile.File, storePassword, certificateStore.RemoteHandler));
 
-                        logger.LogDebug($"END create Operation for {config.CertificateStoreDetails.StorePath} on {config.CertificateStoreDetails.ClientMachine}.");
+                        logger.LogDebug($"END add Operation for {config.CertificateStoreDetails.StorePath} on {config.CertificateStoreDetails.ClientMachine}.");
                         break;
 
                     case CertStoreOperationType.Remove:

diff --git a/RemoteFile/RemoteCertificateStore.cs b/RemoteFile/RemoteCertificateStore.cs
@@ -12,7 +12,6 @@
 using System.Security.Cryptography.X509Certificates;
 using System.Text;
 using System.Text.RegularExpressions;
-using System.Threading;
 
 using Microsoft.Extensions.Logging;
 
@@ -22,14 +21,15 @@
 using Keyfactor.Extensions.Orchestrator.RemoteFile.RemoteHandlers;
 using Keyfactor.Extensions.Orchestrator.RemoteFile.Models;
 using Keyfactor.Logging;
-using System.Management.Automation;
+using System.Runtime.InteropServices;
 
 namespace Keyfactor.Extensions.Orchestrator.RemoteFile
 {
     internal class RemoteCertificateStore
     {
         private const string NO_EXTENSION = "noext";
         private const string FULL_SCAN = "fullscan";
+        private const string LOCAL_MACHINE_SUFFIX = "|localmachine";
 
         internal enum ServerTypeEnum
         {
@@ -340,10 +340,12 @@ internal void Initialize(string sudoImpersonatedUser)
         {
             logger.MethodEntry(LogLevel.Debug);
 
-            if (ServerType == ServerTypeEnum.Linux)
-                RemoteHandler = new SSHHandler(Server, ServerId, ServerPassword, sudoImpersonatedUser);
+            bool treatAsLocal = Server.ToLower().EndsWith(LOCAL_MACHINE_SUFFIX);
+
+            if (ServerType == ServerTypeEnum.Linux || RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
+                RemoteHandler = treatAsLocal ? new LinuxLocalHandler() as IRemoteHandler : new SSHHandler(Server, ServerId, ServerPassword, ServerType == ServerTypeEnum.Linux, sudoImpersonatedUser) as IRemoteHandler;
             else
-                RemoteHandler = new WinRMHandler(Server, ServerId, ServerPassword);
+                RemoteHandler = new WinRMHandler(Server, ServerId, ServerPassword, treatAsLocal);
 
             RemoteHandler.Initialize();
 
@@ -389,10 +391,10 @@ private List<string> FindStoresLinux(string[] paths, string[] extensions, string
                 {
                     foreach (string fileName in fileNames)
                     {
-                        command += (command.IndexOf("-iname") == -1 ? string.Empty : "-or ");
-                        command += $"-iname '{fileName.Trim()}";
+                        command += (command.IndexOf("-name") == -1 ? string.Empty : "-or ");
+                        command += $"-name '{fileName.Trim()}";
                         if (extension.ToLower() == NO_EXTENSION)
-                            command += $"' ! -iname '*.*' ";
+                            command += $"' ! -name '*.*' ";
                         else
                             command += $".{extension.Trim()}' ";
                     }

diff --git a/RemoteFile/RemoteFile.csproj b/RemoteFile/RemoteFile.csproj
@@ -2,22 +2,30 @@
 
   <PropertyGroup>
     <AppendTargetFrameworkToOutputPath>false</AppendTargetFrameworkToOutputPath>
-    <TargetFramework>netcoreapp3.1</TargetFramework>
+    <TargetFramework>net6.0</TargetFramework>
     <CopyLocalLockFileAssemblies>true</CopyLocalLockFileAssemblies>
   </PropertyGroup>
 
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|AnyCPU'">
+    <DebugType>none</DebugType>
+  </PropertyGroup>
+
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|AnyCPU'">
+    <DebugType>none</DebugType>
+  </PropertyGroup>
+
   <ItemGroup>
     <Compile Remove="ImplementedStoreTypes\JKS\JksStore.cs" />
     <Compile Remove="RemoteHandlers\SSHHelper.cs" />
   </ItemGroup>
 
   <ItemGroup>
     <PackageReference Include="BouncyCastle.Cryptography" Version="2.3.0" />
+    <PackageReference Include="CliWrap" Version="3.6.6" />
     <PackageReference Include="Keyfactor.Logging" Version="1.1.1" />
     <PackageReference Include="Keyfactor.Orchestrators.IOrchestratorJobExtensions" Version="0.7.0" />
     <PackageReference Include="Keyfactor.PKI" Version="5.0.0" />
-    <PackageReference Include="Microsoft.PowerShell.SDK" Version="7.0.7" />
-    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
+    <PackageReference Include="Microsoft.PowerShell.SDK" Version="7.2.12" />
   </ItemGroup>
 
   <ItemGroup>

diff --git a/RemoteFile/RemoteHandlers/BaseRemoteHandler.cs b/RemoteFile/RemoteHandlers/BaseRemoteHandler.cs
@@ -8,6 +8,7 @@
 using Keyfactor.Logging;
 
 using Microsoft.Extensions.Logging;
+using System.Text.RegularExpressions;
 
 namespace Keyfactor.Extensions.Orchestrator.RemoteFile.RemoteHandlers
 {
@@ -16,6 +17,7 @@ abstract class BaseRemoteHandler : IRemoteHandler
         internal ILogger _logger;
         internal const string PASSWORD_MASK_VALUE = "[PASSWORD]";
         internal const int PASSWORD_LENGTH_MAX = 100;
+        internal const string LINUX_PERMISSION_REGEXP = "^[0-7]{3}$";
 
         public string Server { get; set; }
 
@@ -24,6 +26,13 @@ public BaseRemoteHandler()
             _logger = LogHandler.GetClassLogger(this.GetType());
         }
 
+        public static void AreLinuxPermissionsValid(string permissions)
+        {
+            Regex regex = new Regex(LINUX_PERMISSION_REGEXP);
+            if (!regex.IsMatch(permissions))
+                throw new RemoteFileException($"Invalid format for Linux file permissions.  This value must be exactly 3 digits long with each digit between 0-7 but found {permissions} instead.");
+        }
+
         public abstract void Initialize();
 
         public abstract void Terminate();

diff --git a/RemoteFile/RemoteHandlers/LinuxLocalHandler.cs b/RemoteFile/RemoteHandlers/LinuxLocalHandler.cs
@@ -0,0 +1,166 @@
+// Copyright 2021 Keyfactor
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+// and limitations under the License.
+
+using System;
+using System.IO;
+using System.Security.Cryptography;
+
+using CliWrap;
+using CliWrap.Buffered;
+
+using Renci.SshNet;
+
+using Microsoft.Extensions.Logging;
+
+using Keyfactor.Logging;
+using Keyfactor.PKI.PrivateKeys;
+using Keyfactor.PKI.PEM;
+
+namespace Keyfactor.Extensions.Orchestrator.RemoteFile.RemoteHandlers
+{
+    class LinuxLocalHandler : BaseRemoteHandler
+    {
+        private Command BaseCommand { get; set; }
+
+        internal LinuxLocalHandler()
+        {
+            _logger.MethodEntry(LogLevel.Debug);
+            _logger.MethodExit(LogLevel.Debug);
+        }
+
+        public override void Initialize()
+        {
+            _logger.MethodEntry(LogLevel.Debug);
+
+            BaseCommand = Cli.Wrap("/bin/bash");
+
+            _logger.MethodExit(LogLevel.Debug);
+        }
+
+        public override void Terminate()
+        {
+            _logger.MethodEntry(LogLevel.Debug);
+            _logger.MethodExit(LogLevel.Debug);
+        }
+
+        public override string RunCommand(string commandText, object[] arguments, bool withSudo, string[] passwordsToMaskInLog)
+        {
+            _logger.MethodEntry(LogLevel.Debug);
+
+            string sudo = $"echo -e \\n | sudo -S ";
+
+            try
+            {
+                if (withSudo)
+                    commandText = sudo + commandText;
+
+                string displayCommand = commandText;
+                if (passwordsToMaskInLog != null)
+                {
+                    foreach (string password in passwordsToMaskInLog)
+                        displayCommand = displayCommand.Replace(password, PASSWORD_MASK_VALUE);
+                }
+
+                _logger.LogDebug($"RunCommand: {displayCommand}");
+
+                Command cmd = BaseCommand.WithArguments($@"-c ""{commandText}""");
+                BufferedCommandResult result = cmd.ExecuteBufferedAsync().GetAwaiter().GetResult();
+
+                _logger.LogDebug($"Linux Local Results: {displayCommand}::: {result.StandardOutput}::: {result.StandardError}");
+
+                if (!String.IsNullOrEmpty(result.StandardError))
+                    throw new ApplicationException(result.StandardError);
+
+                _logger.MethodExit(LogLevel.Debug);
+
+                return result.StandardOutput;
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError($"Exception during RunCommand...{RemoteFileException.FlattenExceptionMessages(ex, ex.Message)}");
+                throw ex;
+            }
+        }
+
+        public override void UploadCertificateFile(string path, string fileName, byte[] certBytes)
+        {
+            _logger.MethodEntry(LogLevel.Debug);
+            _logger.LogDebug($"UploadCertificateFile: {path}{fileName}");
+
+            string uploadPath = path+fileName;
+
+            try
+            {
+                File.WriteAllBytes(uploadPath, certBytes);
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError($"Error attempting upload file to {uploadPath}...");
+                _logger.LogError($"Upload Exception: {RemoteFileException.FlattenExceptionMessages(ex, ex.Message)}");
+                throw new RemoteFileException($"Error attempting upload file to {uploadPath}.", ex);
+            }
+
+            _logger.MethodExit(LogLevel.Debug);
+        }
+
+        public override byte[] DownloadCertificateFile(string path)
+        {
+            _logger.MethodEntry(LogLevel.Debug);
+            _logger.LogDebug($"DownloadCertificateFile: {path}");
+
+            byte[] rtnStore = new byte[] { };
+
+            try
+            {
+                rtnStore = File.ReadAllBytes(path);
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError($"Error attempting download file {path}...");
+                _logger.LogError($"Download Exception: {RemoteFileException.FlattenExceptionMessages(ex, ex.Message)}");
+                throw new RemoteFileException($"Error attempting download file {path}.", ex);
+            }
+
+            _logger.MethodExit(LogLevel.Debug);
+
+            return rtnStore;
+        }
+
+        public override void CreateEmptyStoreFile(string path, string linuxFilePermissions, string linuxFileOwner)
+        {
+            _logger.MethodEntry(LogLevel.Debug);
+            string[] linuxGroupOwner = linuxFileOwner.Split(":");
+            string linuxFileGroup = linuxFileOwner;
+
+            if (linuxGroupOwner.Length == 2)
+            {
+                linuxFileOwner = linuxGroupOwner[0];
+                linuxFileGroup = linuxGroupOwner[1];
+            }
+
+            AreLinuxPermissionsValid(linuxFilePermissions);
+            RunCommand($"install -m {linuxFilePermissions} -o {linuxFileOwner} -g {linuxFileGroup} /dev/null {path}", null, ApplicationSettings.UseSudo, null);
+
+            _logger.MethodExit(LogLevel.Debug);
+        }
+
+        public override bool DoesFileExist(string path)
+        {
+            _logger.MethodEntry(LogLevel.Debug);
+            _logger.LogDebug($"DoesFileExist: {path}");
+
+            return File.Exists(path);
+        }
+
+        public override void RemoveCertificateFile(string path, string fileName)
+        {
+            _logger.LogDebug($"RemoveCertificateFile: {path} {fileName}");
+
+            RunCommand($"rm {path}{fileName}", null, ApplicationSettings.UseSudo, null);
+        }
+    }
+}