Skip to content

Commit

Permalink
Merge 66da983 into b69be41
Browse files Browse the repository at this point in the history
  • Loading branch information
spbsoluble authored Nov 20, 2024
2 parents b69be41 + 66da983 commit 4f2536e
Show file tree
Hide file tree
Showing 10 changed files with 548 additions and 55 deletions.
5 changes: 5 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,8 @@
# v1.1.0

## Features
- Support for sourcing client config files from Azure Key Vault

# v1.0.0

## Features
Expand Down
54 changes: 54 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -151,4 +151,58 @@ servers:
client_id: client-id
client_secret: client-secret
api_path: KeyfactorAPI
```
## Configuration File Providers
Below are a list of configuration file providers that can be used to load configuration from a file if loading from disk
is not desired.
### Azure Key Vault
To use Azure Key Vault as a configuration file provider, the code must either be running in an Azure environment or the
environment configured with `az login`. The following environment variables can be used and will take precedence over
any configuration file. *NOTE* that the secret must be formatted as specified in the example configuration files above.

| Name | Description | Default |
|---------------------|---------------------------------------|---------|
| AZURE_KEYVAULT_NAME | The name of the Azure KeyVault | |
| AZURE_SECRET_NAME | The name of the Azure KeyVault secret | |

#### JSON

Below is an example of a configuration file that uses Azure Key Vault as a configuration file provider. *NOTE* that the
secret must be formatted as specified in the example configuration files above.

```json
{
"servers": {
"default": {
"auth_provider": {
"type": "azid",
"profile": "default",
"parameters": {
"secret_name": "<akv_secret_name>",
"vault_name": "<akv_vault_name>"
}
}
}
}
}
```

#### YAML

Below is an example of a configuration file that uses Azure Key Vault as a configuration file provider. *NOTE* that the
secret must be formatted as specified in the example configuration files above.

```yaml
servers:
default:
auth_provider:
type: azid
profile: default
parameters:
secret_name: <akv_secret_name>
vault_name: <akv_vault_name>
```
10 changes: 5 additions & 5 deletions auth_providers/auth_basic.go
Original file line number Diff line number Diff line change
Expand Up @@ -52,13 +52,13 @@ type CommandAuthConfigBasic struct {
CommandAuthConfig

// Username is the username to be used for authentication to Keyfactor Command API
Username string `json:"username,omitempty"`
Username string `json:"username,omitempty" yaml:"username,omitempty"`

// Password is the password to be used for authentication to Keyfactor Command API
Password string `json:"password,omitempty"`
Password string `json:"password,omitempty" yaml:"password,omitempty"`

// Domain is the domain of the Active Directory used to authenticate to Keyfactor Command API
Domain string `json:"domain,omitempty"`
Domain string `json:"domain,omitempty" yaml:"domain,omitempty"`
}

// NewBasicAuthAuthenticatorBuilder creates a new instance of CommandAuthConfigBasic
Expand Down Expand Up @@ -194,8 +194,8 @@ func (a *CommandAuthConfigBasic) Authenticate() error {
return cErr
}

// create oauth Client
authy, err := NewBasicAuthAuthenticatorBuilder().
// create Basic Client
authy, err := a.
WithUsername(a.Username).
WithPassword(a.Password).
WithDomain(a.Domain).
Expand Down
24 changes: 13 additions & 11 deletions auth_providers/auth_core.go
Original file line number Diff line number Diff line change
Expand Up @@ -98,7 +98,7 @@ func (f roundTripperFunc) RoundTrip(req *http.Request) (*http.Response, error) {
// CommandAuthConfig represents the base configuration needed for authentication to Keyfactor Command API.
type CommandAuthConfig struct {
// ConfigType is the type of configuration
ConfigType string `json:"config_type"`
ConfigType string `json:"config_type,omitempty" yaml:"config_type,omitempty"`

//ConfigProfile is the profile of the configuration
ConfigProfile string
Expand All @@ -110,34 +110,34 @@ type CommandAuthConfig struct {
FileConfig *Server

// AuthHeader is the header to be used for authentication to Keyfactor Command API
AuthHeader string `json:"auth_header"`
AuthHeader string `json:"auth_header,omitempty" yaml:"auth_header,omitempty"`

// CommandHostName is the hostname of the Keyfactor Command API
CommandHostName string `json:"host"`
CommandHostName string `json:"host,omitempty" yaml:"host,omitempty"`

// CommandPort is the port of the Keyfactor Command API
CommandPort int `json:"port"`
CommandPort int `json:"port,omitempty" yaml:"port,omitempty"`

// CommandAPIPath is the path of the Keyfactor Command API, default is "KeyfactorAPI"
CommandAPIPath string `json:"api_path"`
CommandAPIPath string `json:"api_path,omitempty" yaml:"api_path,omitempty"`

// CommandAPIVersion is the version of the Keyfactor Command API, default is "1"
CommandVersion string `json:"command_version"`
CommandVersion string `json:"command_version,omitempty" yaml:"command_version,omitempty"`

// CommandCACert is the CA certificate to be used for authentication to Keyfactor Command API for use with not widely trusted certificates. This can be a filepath or a string of the certificate in PEM format.
CommandCACert string `json:"command_ca_cert"`
CommandCACert string `json:"command_ca_cert,omitempty" yaml:"command_ca_cert,omitempty"`

// SkipVerify is a flag to skip verification of the server's certificate chain and host name. Default is false.
SkipVerify bool `json:"skip_verify"`
SkipVerify bool `json:"skip_verify,omitempty" yaml:"skip_verify,omitempty"`

// HttpClientTimeout is the timeout for the http Client
HttpClientTimeout int `json:"client_timeout"`
HttpClientTimeout int `json:"client_timeout,omitempty" yaml:"client_timeout,omitempty"`

// UserAgent is the user agent to be used for authentication to Keyfactor Command API
UserAgent string `json:"user_agent,omitempty"`
UserAgent string `json:"user_agent,omitempty" yaml:"user_agent,omitempty"`

// Debug
Debug bool `json:"debug,omitempty"`
Debug bool `json:"debug,omitempty" yaml:"debug,omitempty"`

// HttpClient is the http Client to be used for authentication to Keyfactor Command API
HttpClient *http.Client
Expand Down Expand Up @@ -731,6 +731,8 @@ func (c *CommandAuthConfig) GetServerConfig() *Server {
return &server
}

type contextKey string

// Example usage of CommandAuthConfig
//
// This example demonstrates how to use CommandAuthConfig to authenticate to the Keyfactor Command API.
Expand Down
41 changes: 25 additions & 16 deletions auth_providers/auth_oauth.go
Original file line number Diff line number Diff line change
@@ -1,3 +1,17 @@
// Copyright 2024 Keyfactor
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package auth_providers

import (
Expand Down Expand Up @@ -72,40 +86,34 @@ type CommandConfigOauth struct {
CommandAuthConfig

// ClientID is the Client ID for OAuth authentication
ClientID string `json:"client_id,omitempty"`
ClientID string `json:"client_id,omitempty" yaml:"client_id,omitempty"`

// ClientSecret is the Client secret for OAuth authentication
ClientSecret string `json:"client_secret,omitempty"`
ClientSecret string `json:"client_secret,omitempty" yaml:"client_secret,omitempty"`

// Audience is the audience for OAuth authentication
Audience string `json:"audience,omitempty"`
Audience string `json:"audience,omitempty" yaml:"audience,omitempty"`

// Scopes is the scopes for OAuth authentication
Scopes []string `json:"scopes,omitempty"`
Scopes []string `json:"scopes,omitempty" yaml:"scopes,omitempty"`

// CACertificatePath is the path to the CA certificate for OAuth authentication
CACertificatePath string `json:"idp_ca_cert,omitempty"`
CACertificatePath string `json:"idp_ca_cert,omitempty" yaml:"idp_ca_cert,omitempty"`

// CACertificates is the CA certificates for authentication
CACertificates []*x509.Certificate `json:"-"`

// AccessToken is the access token for OAuth authentication
AccessToken string `json:"access_token,omitempty"`
AccessToken string `json:"access_token,omitempty" yaml:"access_token,omitempty"`

// RefreshToken is the refresh token for OAuth authentication
RefreshToken string `json:"refresh_token,omitempty"`
RefreshToken string `json:"refresh_token,omitempty" yaml:"refresh_token,omitempty"`

// Expiry is the expiry time of the access token
Expiry time.Time `json:"expiry,omitempty"`
Expiry time.Time `json:"expiry,omitempty" yaml:"expiry,omitempty"`

// TokenURL is the token URL for OAuth authentication
TokenURL string `json:"token_url,omitempty"`

//// AuthPort
//AuthPort string `json:"auth_port,omitempty"`

//// AuthType is the type of OAuth auth to use such as client_credentials, password, etc.
//AuthType string `json:"auth_type,omitempty"`
TokenURL string `json:"token_url,omitempty" yaml:"token_url,omitempty"`
}

// NewOAuthAuthenticatorBuilder creates a new CommandConfigOauth instance.
Expand Down Expand Up @@ -372,7 +380,7 @@ func (b *CommandConfigOauth) ValidateAuthConfig() error {
}
}

if b.Scopes == nil || len(b.Scopes) == 0 {
if len(b.Scopes) == 0 {
if scopes, ok := os.LookupEnv(EnvKeyfactorAuthScopes); ok {
// split the scopes by comma
b.Scopes = strings.Split(scopes, ",")
Expand Down Expand Up @@ -424,6 +432,7 @@ func (b *CommandConfigOauth) GetServerConfig() *Server {
Port: b.CommandPort,
ClientID: b.ClientID,
ClientSecret: b.ClientSecret,
AccessToken: b.AccessToken,
OAuthTokenUrl: b.TokenURL,
APIPath: b.CommandAPIPath,
Scopes: b.Scopes,
Expand Down
Loading

0 comments on commit 4f2536e

Please sign in to comment.