1.0.4: Updates to Single Cert Sync logic for EV certs

.github/workflows/copy-manifest.yml

@@ -1,5 +1,5 @@
 name: Copy manifest file to integrations-catalog
-on: [push, workflow_dispatch]
+on: [workflow_dispatch]
 
 jobs:
   run:

.github/workflows/generate-readme.yml

@@ -1,5 +1,5 @@
 name: Update README
-on: [push, workflow_dispatch]
+on: [workflow_dispatch]
 
 jobs:
   update_readme:

CHANGELOG.md

@@ -2,3 +2,9 @@
 * Initial Release with support for SSL Certificate Synchronization, Revocation, and Enrollment (New, Renew, Reissue)
 # 1.0.1
 * Enhance the handling of exceptions during enrollment.  Organization and Org Unit checks will now return a failed enrollment result vs. thowing an exception. 
+# 1.0.2
+* Minor bug fix
+# 1.0.3
+* Documentation updates, EsentMigration, and Update Package References
+# 1.0.4
+* Workflow updates, documentation, and enhanced EV support

README.md.tpl

@@ -3,13 +3,36 @@
 
 {{ description }}
 
-# Prerequisites
+### Supported Functionality
+* SSL Certificate Synchronization
+    * Sync can be filtered by any available SSL Certificate List filter defined by the Cert Manager API
+    * All Sync jobs are treated as a full sync becuase the Cert Manager API does not allow for filtering based on a date/time stamp
+    * Certificates will only syncronize once.  If a certificate is found based on Serial Number for the managed CA it will be skipped for subsequent syncs to minimize impact on Cert Manager API load
 
-## Certificate Chain
+* SSL Certificate Enrollment
+   * Note about organizations.  The organization for enrollment is currently selected dynamically based on Organization and/or Org Unit of the CSR.  If a top level Organization is found and is able to issue certs, that organization ID is passed with the enrollment request.  If the Organization does not have any certificate types assigned, it will look for a department based on the OU name. If no matches are found the enrollment will fail as this is a required field for Sectigo. 
+* SSL Certificate Revocation
+
+### Not Implemented/Supported
+* Device Certificates
+* Client Certificates
+* Code Signing
+
+## Prerequisites
+
+### Certificate Chain
 
 In order to enroll for certificates the Keyfactor Command server must trust the trust chain. Once you create your Root and/or Subordinate CA, make sure to import the certificate chain into the Command Server certificate store
 
-# Install
+### Migration
+In the event that a system is being upgraded from the Legacy Sectigo CA Gateway (19.4 or older), a migration from the legacy database format to the AnyGateway format will be required. 
+
+To begin the migration process, the DatabaseManagementConsole.exe.config will need to be updated to reference the SectigoEsentMigrator.  This is one by modifying the mapping for the IDatabaseMigrator inteface in the config file. 
+```xml
+<register type="IDatabaseMigrator" mapTo="Keyfactor.AnyGateway.Sectigo.Database.SectigoEsentMigrator, SectigoEsentMigrator" />
+```
+
+## Install
 * Download latest successful build from GitHub :<br/>
 [GitHub Releases](https://github.com/Keyfactor/sectigo-certmanager-cagateway/releases)
 
@@ -21,10 +44,10 @@ In order to enroll for certificates the Keyfactor Command server must trust the
   <alias alias="CAConnector" type="Keyfactor.AnyGateway.Sectigo.SectigoCAProxy, SectigoCAProxy"/>
   ```
 
-# Configuration
+## Configuration
 The following sections will breakdown the required configurations for the AnyGatewayConfig.json file that will be imported to configure the AnyGateway.
 
-## Templates
+### Templates
 The Template section will map the CA's SSL profile to an AD template. Currently the only required parameter is the MultiDomain flag. This flag lets Keyfactor know if the certificate can contain multiple domain names.  Depending on the setting, the SAN entries of the request will change to support Sectigo Requirements. 
  ```json
   "Templates": {
@@ -36,7 +59,7 @@ The Template section will map the CA's SSL profile to an AD template. Currently
    }
 }
  ```
-## Security
+### Security
 The security section does not change specifically for Sectigo Cert Manager.  Refer to the AnyGateway Documentation for more detail.
 ```json
   /*Grant permissions on the CA to users or groups in the local domain.
@@ -72,7 +95,7 @@ The security section does not change specifically for Sectigo Cert Manager.  Ref
         }
     }
 ```
-## CerificateManagers
+### CerificateManagers
 The Certificate Managers section is optional.
 	If configured, all users or groups granted OFFICER permissions under the Security section
 	must be configured for at least one Template and one Requester. 
@@ -97,7 +120,7 @@ The Certificate Managers section is optional.
 		}
 	}
 ```
-## CAConnection
+### CAConnection
 The CA Connection section will determine the API endpoint and configuration data used to connect to Sectigo Cert Manager. 
 * ```ApiEndpoint```
 This is the endpoint used by the Gateway to connect to the API. There are a few possible values depending on the Customer's configuration.  
@@ -143,7 +166,7 @@ This object will allow the implementation team to determine how the synchronizat
 	}
   }
 ```
-## GatewayRegistration
+### GatewayRegistration
 There are no specific Changes for the GatewayRegistration section. Refer to the Refer to the AnyGateway Documentation for more detail.
 ```json
   "GatewayRegistration": {
@@ -156,7 +179,7 @@ There are no specific Changes for the GatewayRegistration section. Refer to the
   }
 ```
 
-## ServiceSettings
+### ServiceSettings
 There are no specific Changes for the GatewayRegistration section. Refer to the Refer to the AnyGateway Documentation for more detail.
 ```json
   "ServiceSettings": {
@@ -165,18 +188,3 @@ There are no specific Changes for the GatewayRegistration section. Refer to the
 	"PartialScanPeriodMinutes": 480 /*Note partial sync based on a timestamp is not supported by the Sectigo API. As a result all syncs with the API are treated as full syncronization jobs*/
   }
 ```
-# Migration
-In the event that a system is being upgraded from the Legacy Sectigo CA Gateway (19.4 or older), a migration from the legacy database format to the AnyGateway format will be required. 
-
-To begin the migration process, the DatabaseManagementConsole.exe.config will need to be updated to reference the SectigoEsentMigrator.  This is one by modifying the mapping for the IDatabaseMigrator inteface in the config file. 
-```xml
-<register type="IDatabaseMigrator" mapTo="Keyfactor.AnyGateway.Sectigo.Database.SectigoEsentMigrator, SectigoEsentMigrator" />
-```
-
-Addtionally, to address differences in version, the following ```bindingRedirect``` needs to be added as well:
-```xml
-<dependentAssembly>
-<assemblyIdentity name="CAProxy.AnyGateway.Core" publicKeyToken="0ed89d330114ab09" culture="neutral" />
-<bindingRedirect oldVersion="0.0.0.0-21.3.2.0" newVersion="21.3.2.0" />
-</dependentAssembly>	
-```

SectigoCAProxy.sln

@@ -7,11 +7,12 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SectigoCAProxy", "src\Secti
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SectigoCAProxyTests", "tests\SectigoCAProxyTests\SectigoCAProxyTests.csproj", "{DF57CB1F-88D4-4F1C-8BCD-91E5DF72F90C}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SectigoSandbox", "src\SectigoSandbox\SectigoSandbox.csproj", "{BCD9F903-4119-42DF-8D04-BCE1F8F5B557}"
-EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{D77A55A9-5874-4E6D-AD20-202D457891C7}"
 	ProjectSection(SolutionItems) = preProject
 		CHANGELOG.md = CHANGELOG.md
+		.github\workflows\copy-manifest.yml = .github\workflows\copy-manifest.yml
+		.github\workflows\generate-readme.yml = .github\workflows\generate-readme.yml
+		integration-manifest.json = integration-manifest.json
 		.github\workflows\keyfactor-extension-release.yml = .github\workflows\keyfactor-extension-release.yml
 		README.md.tpl = README.md.tpl
 	EndProjectSection
@@ -31,9 +32,6 @@ Global
 		{DF57CB1F-88D4-4F1C-8BCD-91E5DF72F90C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{DF57CB1F-88D4-4F1C-8BCD-91E5DF72F90C}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{DF57CB1F-88D4-4F1C-8BCD-91E5DF72F90C}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{BCD9F903-4119-42DF-8D04-BCE1F8F5B557}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{BCD9F903-4119-42DF-8D04-BCE1F8F5B557}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{BCD9F903-4119-42DF-8D04-BCE1F8F5B557}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{B6BCDCDE-F514-44F0-9897-7886281F52E1}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{B6BCDCDE-F514-44F0-9897-7886281F52E1}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{B6BCDCDE-F514-44F0-9897-7886281F52E1}.Release|Any CPU.ActiveCfg = Release|Any CPU

src/SectigoCAProxy/API/RevocationResponse.cs

@@ -0,0 +1,15 @@
+using Newtonsoft.Json;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Keyfactor.AnyGateway.Sectigo.API
+{
+    public class RevocationResponse
+    {
+        [JsonProperty(DefaultValueHandling = DefaultValueHandling.Populate)]
+        public bool IsSuccess { get; set; }
+    }
+}

src/SectigoCAProxy/Client/SectigoApiClient.cs

@@ -50,6 +50,7 @@ public async Task CertificateListProducer(BlockingCollection<Certificate> certs,
                         break;
                     }
 
+                    Logger.Info($"Request Certificates at Position {totalCount} with Page Size {pageSize}");
                     certsToAdd = await PageCertificates(totalCount, pageSize, filter);
 
                     foreach (Certificate cert in certsToAdd)
@@ -74,7 +75,7 @@ public async Task CertificateListProducer(BlockingCollection<Certificate> certs,
                         }
                         else { Logger.Trace($"Adding {cert.Id} to queue was blocked. "); }
                     }
-                    Logger.Trace($"Added {batchCount} certificates to queue for processing.");
+                    Logger.Info($"Added {batchCount} certificates to queue for processing.");
                 } while ((certsToAdd.Count + skippedCount) == pageSize);
                 certs.CompleteAdding();
             }
@@ -93,7 +94,6 @@ public async Task CertificateListProducer(BlockingCollection<Certificate> certs,
         }
         public async Task<List<Certificate>> PageCertificates(int position = 0, int size = 25, string filter = "")
         {
-            Logger.Trace($"Request Certificates at Position {position} with Page Size {size}");
             string filterQueryString = String.IsNullOrEmpty(filter) ? string.Empty : $"&{filter}";
             var response = await RestClient.GetAsync($"api/ssl/v1?position={position}&size={size}{filterQueryString}".TrimEnd());
             return await ProcessResponse<List<Certificate>>(response);
@@ -108,7 +108,8 @@ public async Task<bool> RevokeSslCertificateById(int sslId, string revreason)
             {
                 return true;
             }
-            return await ProcessResponse<bool>(response);//Should throw an exception with error message from API
+            var failedResp = ProcessResponse<RevocationResponse>(response).Result;
+            return failedResp.IsSuccess;//Should throw an exception with error message from API
         }
         public async Task<ListOrganizationsResponse> ListOrganizations()
         {

src/SectigoCAProxy/Properties/AssemblyInfo.cs

@@ -32,5 +32,5 @@
 // You can specify all the values or you can default the Build and Revision Numbers
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.0.0.0")]
-[assembly: AssemblyFileVersion("1.0.0.0")]
+[assembly: AssemblyVersion("1.0.3.5")]
+[assembly: AssemblyFileVersion("1.0.3.5")]

src/SectigoCAProxy/SectigoCAConfig.cs

@@ -36,6 +36,8 @@ public SectigoCAConfig()
         public string ExternalRequestorFieldName { get; set; }
         [JsonProperty("SyncFilter")]
         public Dictionary<string, string[]> SyncFilter { get; set; }
+        [JsonProperty("ForceCompleteSync", DefaultValueHandling =DefaultValueHandling.Populate)]
+        public bool ForceCompleteSync { get; set; }
         public string GetSyncFilterQueryString() 
         { 
             string filterQueryString = string.Empty;