

feat(rot): Remove-certs lookup no longer passes the cert ID as the thumbprint.
chore(deps): Bump `keyfactor-go-client` version to `v2.2.8`

Signed-off-by: sbailey <[email protected]>
spbsoluble committed May 9, 2024
1 parent fa0b36d commit 1cb716c
Showing 3 changed files with 93 additions and 79 deletions.
166 changes: 90 additions & 76 deletions cmd/rot.go
Expand Up @@ -281,90 +281,135 @@ func generateAuditReport(
}
}
}
for _, cert := range removeCerts {
log.Debug().Str("thumbprint", cert).Msg("Looking up certificate to remove")
certLookupReq := api.GetCertificateContextArgs{
IncludeMetadata: boolToPointer(true),
IncludeLocations: boolToPointer(true),
CollectionId: nil, //todo: add support for collection ID
Thumbprint: cert,
Id: 0,
for tp, cId := range removeCerts {
log.Debug().Str("thumbprint", tp).
Str("cert_id", cId).
Msg("Looking up certificate")
certLookupReq := api.GetCertificateContextArgs{}
if cId != "" {
certIdInt, cErr := strconv.Atoi(cId)
if cErr != nil {
log.Error().
Err(cErr).
Str("thumbprint", tp).
Msg("Error converting cert ID to integer, skipping")
errs = append(errs, cErr)
continue
}
certLookupReq = api.GetCertificateContextArgs{
IncludeMetadata: boolToPointer(true),
IncludeLocations: boolToPointer(true),
CollectionId: nil, //todo: add CollectionID support
Thumbprint: "",
Id: certIdInt,
}
} else {
certLookupReq = api.GetCertificateContextArgs{
IncludeMetadata: boolToPointer(true),
IncludeLocations: boolToPointer(true),
CollectionId: nil, //todo: add CollectionID support
Thumbprint: tp,
Id: 0, //todo: should also allow KFC ID
}
}
log.Debug().Str("thumbprint", cert).Msg(fmt.Sprintf(DebugFuncCall, "kfClient.GetCertificateContext"))

log.Debug().
Str("thumbprint", tp).
Msg(fmt.Sprintf(DebugFuncCall, "kfClient.GetCertificateContext"))
certLookup, err := kfClient.GetCertificateContext(&certLookupReq)
if err != nil {
log.Error().
Err(err).
Str("thumbprint", cert).
Msg("Error looking up certificate, unable to remove from store")
errs = append(errs, err)
continue
} else if certLookup == nil {
log.Error().
Err(ErrKfcEmptyResponse).
Str("thumbprint", cert).
Msg(fmt.Sprintf("%s when looking up certificate", ErrMsgEmptyResponse))
errs = append(errs, ErrKfcEmptyResponse)
Str("thumbprint", tp).
Msg("Error looking up certificate, skipping")
errMsg := fmt.Errorf(
"error recieved from Keyfactor Command when looking up thumbprint '%s':'%w'",
tp,
err,
)
errs = append(errs, errMsg)
continue
}

certID := certLookup.Id
log.Trace().
Str("thumbprint", cert).
Int("cert_id", certID).
Msg("Converting cert ID to string")
certIDStr := strconv.Itoa(certID)
log.Debug().Str("thumbprint", tp).Msg("Iterating over stores")
for _, store := range stores {
storeIdentifier := fmt.Sprintf("%s/%s", store.Machine, store.Path)
log.Debug().Str("thumbprint", cert).
Str("store_id", store.ID).
Str("store_name", storeIdentifier).
Msg("Checking if cert is deployed to store")
if _, ok := store.Thumbprints[cert]; ok {
log.Debug().Str("thumbprint", tp).Str("store_id", store.ID).Msg("Checking if cert is deployed to store")
if _, ok := store.Thumbprints[tp]; !ok {
// Cert is already in the store do nothing
log.Info().Str("thumbprint", tp).Str("store_id", store.ID).Msg("Cert is not deployed to store")
row := []string{
//todo: this should be a toCSV field on whatever object this is
tp,
certIDStr,
certLookup.IssuedDN,
certLookup.IssuerDN,
store.ID,
store.Type,
store.Machine,
store.Path,
"false", // Add to store
"false", // Remove from store
"false", // Is Deployed
getCurrentTime(""),
}
log.Trace().Str("thumbprint", tp).Strs("row", row).Msg("Appending data row")
data = append(data, row)
log.Trace().Str("thumbprint", tp).Strs("row", row).Msg("Writing data row to CSV")
wErr := csvWriter.Write(row)
if wErr != nil {
log.Error().
Err(wErr).
Str("thumbprint", tp).
Str("output_file", outputFilePath).
Strs("row", row).
Msg("Error writing row to CSV")
}
} else {
// Cert is deployed to this store and will need to be removed
log.Info().
Str("thumbprint", cert).
Str("thumbprint", tp).
Str("store_id", store.ID).
Str("store_name", storeIdentifier).
Msg("Cert is deployed to store")
row := []string{
cert,
//todo: this should be a toCSV
tp,
certIDStr,
certLookup.IssuedDN,
certLookup.IssuerDN,
store.ID,
store.Type,
store.Machine,
store.Path,
"false",
"true",
"true",
"false", // Add to store
"true", // Remove from store
"false", // Is Deployed
getCurrentTime(""),
}
log.Trace().
Str("thumbprint", cert).
Str("thumbprint", tp).
Strs("row", row).
Msg("Appending data row")
data = append(data, row)
log.Debug().
Str("thumbprint", cert).
Str("thumbprint", tp).
Strs("row", row).
Msg("Writing data row to CSV")
wErr := csvWriter.Write(row)
if wErr != nil {
log.Error().
Err(wErr).
Str("thumbprint", cert).
Str("thumbprint", tp).
Str("output_file", outputFilePath).
Strs("row", row).
Msg("Error writing row to CSV")
errs = append(errs, wErr)
//todo: continue?
}
log.Debug().Str("thumbprint", cert).Msg("Adding remove action to actions map")
actions[cert] = append(
actions[cert], ROTAction{
Thumbprint: cert,
log.Debug().
Str("thumbprint", tp).
Msg("Adding 'add' action to actions map")
actions[tp] = append(
actions[tp], ROTAction{
Thumbprint: tp,
CertID: certID,
StoreID: store.ID,
StoreType: store.Type,
Expand All @@ -373,37 +418,6 @@ func generateAuditReport(
RemoveCert: true,
},
)
} else {
// Cert is not deployed to this store do nothing
log.Info().Str("thumbprint", cert).Str(
"store_id",
store.ID,
).Msg("Cert is not deployed to store, skipping")
row := []string{
cert,
certIDStr,
certLookup.IssuedDN,
certLookup.IssuerDN,
store.ID,
store.Type,
store.Machine,
store.Path,
"false",
"false",
"false",
getCurrentTime(""),
}
log.Trace().Str("thumbprint", cert).Strs("row", row).Msg("Appending data row")
data = append(data, row)
log.Debug().Str("thumbprint", cert).Strs("row", row).Msg("Writing data row to CSV")
wErr := csvWriter.Write(row)
if wErr != nil {
log.Error().Err(wErr).Str("thumbprint", cert).Str("output_file", outputFilePath).Strs(
"row",
row,
).Msg("Error writing row to CSV")
errs = append(errs, wErr)
}
}
}
}
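Review bot: The new error path after `kfClient.GetCertificateContext` drops the `certLookup == nil` guard that the old side had, so a nil, error-free response now reaches `certID := certLookup.Id` and panics; keep the check, e.g. `if certLookup == nil { errs = append(errs, ErrKfcEmptyResponse); continue }` directly after the `err != nil` block. When the lookup is made by `cId`, nothing confirms that the returned certificate actually carries thumbprint `tp`, yet `tp` drives the `store.Thumbprints` membership test and `certLookup.Id` drives the remove action, so a stale or mistyped ID in `removeCerts` would schedule removal of a different certificate — if the response exposes the thumbprint, compare it with `tp` (case-insensitively) and skip the entry on mismatch. In the branch commented "Cert is deployed to this store and will need to be removed" the row now writes `"false", // Is Deployed` where the old row wrote `"true"`, which contradicts the adjacent log message and would misreport the audit; this looks like an inadvertent flip. Minor: the wrapped error says "looking up thumbprint" even for ID lookups and misspells "received", the comment "Cert is already in the store do nothing" sits on the not-deployed branch, and the log "Adding 'add' action to actions map" precedes an action with `RemoveCert: true`. generateAuditReport's signature and the start of its body lie before this hunk.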
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -8,7 +8,7 @@ require (
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1
github.com/Jeffail/gabs v1.4.0
github.com/Keyfactor/keyfactor-go-client-sdk v1.0.2
github.com/Keyfactor/keyfactor-go-client/v2 v2.2.7
github.com/Keyfactor/keyfactor-go-client/v2 v2.2.8
github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2
github.com/creack/pty v1.1.21
github.com/google/go-cmp v0.6.0
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -14,8 +14,8 @@ github.com/Keyfactor/keyfactor-go-client v1.4.3 h1:CmGvWcuIbDRFM0PfYOQH6UdtAgplv
github.com/Keyfactor/keyfactor-go-client v1.4.3/go.mod h1:3ZymLNCaSazglcuYeNfm9nrzn22wcwLjIWURrnUygBo=
github.com/Keyfactor/keyfactor-go-client-sdk v1.0.2 h1:caLlzFCz2L4Dth/9wh+VlypFATmOMmCSQkCPKOKMxw8=
github.com/Keyfactor/keyfactor-go-client-sdk v1.0.2/go.mod h1:Z5pSk8YFGXHbKeQ1wTzVN8A4P/fZmtAwqu3NgBHbDOs=
github.com/Keyfactor/keyfactor-go-client/v2 v2.2.7 h1:fHZF5lDEWKQEI8QOPeseG/y9Bd4h2DhOiUWkNx+rKJU=
github.com/Keyfactor/keyfactor-go-client/v2 v2.2.7/go.mod h1:3mfxdcwntB532QIATokBEkBCH0eXN2G/cdMZtu9NwNg=
github.com/Keyfactor/keyfactor-go-client/v2 v2.2.8 h1:eIcdz8XwmoPlRPnAZMhp3/qIXR+pBGSzS3MTFnApbF0=
github.com/Keyfactor/keyfactor-go-client/v2 v2.2.8/go.mod h1:YRCG/SbM3wshb00YOe6hisKTRUSaCJ6oIqRBT9y652E=
github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63nhn5WAunQHLTznkw5W8b1Xc0dNjp83s=
github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w=
github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=

