Merge pull request #63 from Keyfactor/akv_auth

Auth Providers

.github/workflows/command_10_tests.yml

@@ -0,0 +1,133 @@
+name: KFC 10.X.X Tests
+
+on:
+  push:
+    branches:
+      - "*"
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: "1.20"
+      - name: Install dependencies
+        run: go mod download && go mod tidy
+      - name: Install Azure CLI
+        run: |
+          curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
+          az --version
+
+
+  ### Store Type Tests
+  Test_StoreTypes_KFC_10_4_5:
+    runs-on: ubuntu-latest
+    needs: build
+    env:
+      SECRET_NAME: "command-config-1045-clean"
+      KEYFACTOR_HOSTNAME: "int1045-test-clean.kfdelivery.com"
+      KEYFACTOR_DOMAIN: "command"
+      KEYFACTOR_USERNAME: ${{ secrets.LAB_USERNAME }}
+      KEYFACTOR_PASSWORD: ${{ secrets.LAB_PASSWORD }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Run tests
+        run: |
+          unset KFUTIL_DEBUG
+          go test -v ./cmd -run "^Test_StoreTypes*"
+  Test_StoreTypes_KFC_10_2_1:
+    runs-on: ubuntu-latest
+    needs: build
+    env:
+      SECRET_NAME: "command-config-1021-clean"
+      KEYFACTOR_HOSTNAME: "int1021-test-clean.kfdelivery.com"
+      KEYFACTOR_DOMAIN: "command"
+      KEYFACTOR_USERNAME: ${{ secrets.LAB_USERNAME }}
+      KEYFACTOR_PASSWORD: ${{ secrets.LAB_PASSWORD }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Run tests
+        run: |
+          unset KFUTIL_DEBUG
+          go test -v ./cmd -run "^Test_StoreTypes*"
+
+  ### Store Tests
+  Test_Stores_KFC_10_4_5:
+    runs-on: ubuntu-latest
+    needs:
+      - build
+      - Test_StoreTypes_KFC_10_4_5
+    env:
+      SECRET_NAME: "command-config-1045"
+      KEYFACTOR_HOSTNAME: "integrations1045-lab.kfdelivery.com"
+      KEYFACTOR_DOMAIN: "command"
+      KEYFACTOR_USERNAME: ${{ secrets.LAB_USERNAME }}
+      KEYFACTOR_PASSWORD: ${{ secrets.LAB_PASSWORD }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Run tests
+        run: go test -v ./cmd -run "^Test_Stores_*"
+  Test_Stores_KFC_10_2_1:
+    runs-on: ubuntu-latest
+    needs:
+      - build
+      - Test_StoreTypes_KFC_10_2_1
+    env:
+      SECRET_NAME: "command-config-1021"
+      KEYFACTOR_HOSTNAME: "integrations1021-lab.kfdelivery.com"
+      KEYFACTOR_DOMAIN: "command"
+      KEYFACTOR_USERNAME: ${{ secrets.LAB_USERNAME }}
+      KEYFACTOR_PASSWORD: ${{ secrets.LAB_PASSWORD }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Run tests
+        run: |
+          unset KFUTIL_DEBUG
+          go test -v ./cmd -run "^Test_Stores_*"
+
+  ### PAM Tests
+  Test_PAM_KFC_10_4_5:
+    runs-on: ubuntu-latest
+    needs:
+      - build
+      - Test_StoreTypes_KFC_10_4_5
+    env:
+      SECRET_NAME: "command-config-1045"
+      KEYFACTOR_HOSTNAME: "integrations1045-lab.kfdelivery.com"
+      KEYFACTOR_DOMAIN: "command"
+      KEYFACTOR_USERNAME: ${{ secrets.LAB_USERNAME }}
+      KEYFACTOR_PASSWORD: ${{ secrets.LAB_PASSWORD }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Run tests
+        run: |
+          unset KFUTIL_DEBUG
+          go test -v ./cmd -run "^Test_PAM*"
+  Test_PAM_KFC_10_2_1:
+    runs-on: ubuntu-latest
+    needs:
+      - build
+      - Test_StoreTypes_KFC_10_2_1
+    env:
+      SECRET_NAME: "command-config-1021"
+      KEYFACTOR_HOSTNAME: "integrations1021-lab.kfdelivery.com"
+      KEYFACTOR_DOMAIN: "command"
+      KEYFACTOR_USERNAME: ${{ secrets.LAB_USERNAME }}
+      KEYFACTOR_PASSWORD: ${{ secrets.LAB_PASSWORD }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Run tests
+        run: |
+          unset KFUTIL_DEBUG
+          go test -v ./cmd -run "^Test_PAM*"

.github/workflows/command_11_tests.yml

@@ -0,0 +1,82 @@
+name: KFC 11.X.X Tests
+
+on:
+  push:
+    branches:
+      - "*"
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: "1.20"
+      - name: Install dependencies
+        run: go mod download && go mod tidy
+      - name: Install Azure CLI
+        run: |
+          curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
+          az --version
+
+  ### Store Type Tests
+  Test_StoreTypes_KFC_11_0_0:
+    runs-on: ubuntu-latest
+    needs: build
+    env:
+      SECRET_NAME: "command-config-1100-clean"
+      KEYFACTOR_HOSTNAME: "int11-test-clean.kfdelivery.com"
+      KEYFACTOR_DOMAIN: "command"
+      KEYFACTOR_USERNAME: ${{ secrets.LAB_USERNAME }}
+      KEYFACTOR_PASSWORD: ${{ secrets.LAB_PASSWORD }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Run tests
+        run: |
+          unset KFUTIL_DEBUG
+          go test -v ./cmd -run "^Test_StoreTypes*"
+
+  ### Store Tests
+  Test_Stores_KFC_11_0_0:
+    runs-on: ubuntu-latest
+    needs:
+      - build
+      - Test_StoreTypes_KFC_11_0_0
+    env:
+      SECRET_NAME: "command-config-1100"
+      KEYFACTOR_HOSTNAME: "integrations1100b3-lab.kfdelivery.com"
+      KEYFACTOR_DOMAIN: "command"
+      KEYFACTOR_USERNAME: ${{ secrets.LAB_USERNAME }}
+      KEYFACTOR_PASSWORD: ${{ secrets.LAB_PASSWORD }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Run tests
+        run: |
+          unset KFUTIL_DEBUG
+          go test -v ./cmd -run "^Test_Stores_*"
+
+  ### PAM Tests
+  Test_PAM_KFC_11_0_0:
+    runs-on: ubuntu-latest
+    needs:
+      - build
+      - Test_StoreTypes_KFC_11_0_0
+    env:
+      SECRET_NAME: "command-config-1100"
+      KEYFACTOR_HOSTNAME: "integrations1100b3-lab.kfdelivery.com"
+      KEYFACTOR_DOMAIN: "command"
+      KEYFACTOR_USERNAME: ${{ secrets.LAB_USERNAME }}
+      KEYFACTOR_PASSWORD: ${{ secrets.LAB_PASSWORD }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Run tests
+        run: |
+          unset KFUTIL_DEBUG
+          go test -v ./cmd -run "^Test_PAM*"

CHANGELOG.md

@@ -1,6 +1,18 @@
+# v1.2.0
+## Features
+feat(auth): Added support for sourcing credentials from [Azure Key Vault using Azure ID](docs/auth_providers#azure-key-vault)
+feat(cli): Added enhanced logging when `KFUTIL_DEBUG` is set.
+feat(store-types): `store-types create` now supports the `--all` flag.
+feat(stores): `stores` sub CLI is now non-experimental. [See docs](docs/kfutil_stores.md)
+feat(stores): Bulk import of stores via `stores import csv` sub CLI is now non-experimental. [See docs](docs/kfutil_stores_import_csv.md)
+feat(stores): Added `delete` command to stores as well as a `--all` option.
+
+## Bug Fixes
+fix(login): the default `APIPath` no longer overwrites preexisting values.
+
 # v1.1.0
 
-Additional Supported CLIs:
+## Features
 - `pam`: [kfutil pam](docs/kfutil_pam.md)
 
 # v1.0.0

GNUmakefile

@@ -8,7 +8,7 @@ NAME=kfutil
 BINARY=${NAME}
 VERSION := $(GITHUB_REF_NAME)
 ifeq ($(VERSION),)
-	VERSION := v1.1.0
+	VERSION := v1.2.0
 endif
 OS_ARCH := $(shell go env GOOS)_$(shell go env GOARCH)
 BASEDIR := ${HOME}/go/bin

README.md

@@ -1,30 +1,61 @@
-# Keyfactor Command Utility (kfutil)
-
-`kfutil` is a go-lang CLI wrapper for Keyfactor Command API. It also includes other utility/helper functions around automating common Keyfactor Command operations.
-
-#### Integration status: Production - Ready for use in production environments.
+- [Keyfactor Command Utility (kfutil)](#keyfactor-command-utility--kfutil-)
+  - [Integration status: Production - Ready for use in production environments.](#integration-status--production---ready-for-use-in-production-environments)
+  * [Support for Keyfactor Command Utility (kfutil)](#support-for-keyfactor-command-utility--kfutil-)
+  * [Quickstart](#quickstart)
+    + [Prerequisites:](#prerequisites-)
+    + [Installation:](#installation-)
+    + [Environmental Variables](#environmental-variables)
+  * [Authentication Providers](#authentication-providers)
+  * [Commands](#commands)
+    + [Login](#login)
+    + [Logout](#logout)
+  * [Commands](#commands-1)
+    + [Bulk operations](#bulk-operations)
+      - [Bulk create cert stores](#bulk-create-cert-stores)
+      - [Bulk create cert store types](#bulk-create-cert-store-types)
+    + [Root of Trust](#root-of-trust)
+    + [Root of Trust Quickstart](#root-of-trust-quickstart)
+      - [Generate Certificate List Template](#generate-certificate-list-template)
+      - [Generate Certificate Store List Template](#generate-certificate-store-list-template)
+      - [Run Root of Trust Audit](#run-root-of-trust-audit)
+      - [Run Root of Trust Reconcile](#run-root-of-trust-reconcile)
+    + [Certificate Store Inventory](#certificate-store-inventory)
+      - [Show the inventory of a certificate store](#show-the-inventory-of-a-certificate-store)
+      - [Add certificates to certificate stores](#add-certificates-to-certificate-stores)
+      - [Remove certificates from certificate stores](#remove-certificates-from-certificate-stores)
+  * [Development](#development)
+    + [Adding a new command](#adding-a-new-command)
 
 
+# Keyfactor Command Utility (kfutil)
 
+`kfutil` is a go-lang CLI wrapper for Keyfactor Command API. It also includes other utility/helper functions around
+automating common Keyfactor Command operations.
 
+#### Integration status: Production - Ready for use in production environments.
 
 ## Support for Keyfactor Command Utility (kfutil)
 
-Keyfactor Command Utility (kfutil) is open source and there is **no SLA** for this tool/library/client. Keyfactor will address issues as resources become available. Keyfactor customers may request escalation by opening up a support ticket through their Keyfactor representative.
-
-###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
-
+Keyfactor Command Utility (kfutil) is open source and there is **no SLA** for this tool/library/client. Keyfactor will
+address issues as resources become available. Keyfactor customers may request escalation by opening up a support ticket
+through their Keyfactor representative.
 
+###### To report a problem or suggest a new feature, use the **[Issues](../../issues)
 
+** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)
+** tab.
 
 ## Quickstart
 
 ### Prerequisites:
+
 - [Github CLI](https://cli.github.com/)
-- [zip](https://linuxize.com/post/how-to-unzip-files-in-linux/#installing-unzip) CLI tool, used to unzip the release files. 
+- [zip](https://linuxize.com/post/how-to-unzip-files-in-linux/#installing-unzip) CLI tool, used to unzip the release
+  files.
 - `$HOME/.local/bin` in your `$PATH` and exists.
 
 ### Installation:
+
 ```bash
 bash <(curl -s https://raw.githubusercontent.com/Keyfactor/kfutil/main/gh-dl-release.sh)
 ````
@@ -45,42 +76,60 @@ and use them if they are set. If they are not set, the utility will fail to conn
 | KFUTIL_DEBUG       | Set to `1` or `true` to enable debug logging.                                            |
 
 Linux/MacOS:
+
 ```bash
 export KEYFACTOR_HOSTNAME="<mykeyfactorhost.mydomain.com>"
 export KEYFACTOR_USERNAME="<myusername>" # Do not include domain
 export KEYFACTOR_PASSWORD="<mypassword>"
 export KEYFACTOR_DOMAIN="<mykeyfactordomain>"
 ```
+
 Additional variables:
+
 ```bash
 export KEYFACTOR_API_PATH="/KeyfactorAPI" # Defaults to /KeyfactorAPI if not set ex. my.domain.com/KeyfactorAPI
 export KFUTIL_EXP=0 # Set to 1 or true to enable experimental features
 export KFUTIL_DEBUG=0 # Set to 1 or true to enable debug logging
 ```
 
 Windows Powershell:
+
 ```powershell
-$env:KEYFACTOR_HOSTNAME="<mykeyfactorhost.mydomain.com>"
-$env:KEYFACTOR_USERNAME="<myusername>" # Do not include domain
-$env:KEYFACTOR_PASSWORD="<mypassword>"
-$env:KEYFACTOR_DOMAIN="<mykeyfactordomain>"
+$env:KEYFACTOR_HOSTNAME = "<mykeyfactorhost.mydomain.com>"
+$env:KEYFACTOR_USERNAME = "<myusername>" # Do not include domain
+$env:KEYFACTOR_PASSWORD = "<mypassword>"
+$env:KEYFACTOR_DOMAIN = "<mykeyfactordomain>"
 ```
 
 Additional variables:
+
 ```bash
 $env:KEYFACTOR_API_PATH="/KeyfactorAPI" # Defaults to /KeyfactorAPI if not set ex. my.domain.com/KeyfactorAPI
 $env:KFUTIL_EXP=0 # Set to 1 or true to enable experimental features
 $env:KFUTIL_DEBUG=0 # Set to 1 or true to enable debug logging
 ```
 
+## Authentication Providers
+
+`kfutil` supports the following authentication providers in order of precedence:
+
+| Provider Type                | Description                                                                                                                                                          |
+|------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Azure Key Vault via Azure ID | This provider will read the Keyfactor Command credentials from Azure Key Vault. For more info review the [auth providers](docs/auth_providers#azure-key-vault) docs. |
+| Environment                  | This provider will read the Keyfactor Command credentials from the environment variables listed above.                                                               |
+| File                         | This is the default provider. It will read the credentials from a file on disk at `$HOME/.keyfactor/command_config.json`                                             |
+| User Interactive             | This provider will prompt the user for their credentials.                                                                                                            |
+
 ## Commands
 
 ### Login
+
 For full documentation on the `login` command, see the [login](docs/kfutil_login.md) documentation.
 
 *WARNING* - The `login` command will store your Keyfactor credentials in a file on your local machine. This file is not
 encrypted and is not secure. It is recommended that you use the `login` command only on your local machine and not on a
-shared machine. Instead of using the `login` command, you can set the environmental variables listed above. **You may also
+shared machine. Instead of using the `login` command, you can set the environmental variables listed above. **You may
+also
 choose to use login and provide an empty password, in this mode you will be prompted for your password each time you run
 a command.**
 
@@ -89,6 +138,7 @@ kfutil login
 ```
 
 ### Logout
+
 For full documentation on the `logout` command, see the [logout](docs/kfutil_logout.md) documentation.
 
 *WARNING* - This will delete the file containing your Keyfactor credentials at `$HOME/.keyfactor/command_config.json`.