Merge pull request #45 from Venafi/policy-sync-poc

PKI policy sync with Venafi
Venafi · Apr 2, 2020 · 8e2678e · 8e2678e
2 parents 627a060 + 823da8e
commit 8e2678e
Show file tree

Hide file tree

Showing 12 changed files with 1,042 additions and 199 deletions.
diff --git a/README.md b/README.md
@@ -261,14 +261,15 @@ The following options are supported (note: this list can also be viewed from the
 | Parameter               | Type    | Description                                                                   | Default   |
 | ----------------------- | ------- | ------------------------------------------------------------------------------| --------- |
 | `venafi_import`         | bool    | Controls whether certificates are forwarded to the Venafi Platform or Venafi Cloud            | `true`    |
-| `zone`                  | string  | Venafi Platform policy folder where certificates will be imported; for Venafi Cloud this is the endpoint that the certificates will be sent to.             | "Default" |
+| `zone`                  | string  | Venafi Platform policy folder where certificates will be imported; for Venafi Cloud this is the endpoint that the certificates will be sent to.             | |
 | `tpp_url`               | string  | Venafi URL (e.g. "https://tpp.venafi.example:443/vedsdk")                     |           |
 | `tpp_username`          | string  | Venafi Platform WebSDK account username                                       |           |
 | `tpp_password`          | string  | Venafi Platform WebSDK account password                                       |           |
 | `trust_bundle_file`     | string  | PEM trust bundle for Venafi Platform server certificate                       |           |
 | `venafi_import_timeout` | int     | Maximum wait in seconds before re-attempting certificate import from queue    | 15        |
 | `venafi_import_workers` | int     | Maximum number of concurrent threads to use for VCert import                  | 12        |
-| `venafi_check_policy`   | string  | Which Venafi policy check to use                                              | "default" |
+| `venafi_check_policy`   | string  | Which Venafi policy check to use                                              |  |
+| `venafi_sync_policy`    | string  | Policy where to get Venafi connection details for policy synchronization      |  |
 
 ### Import Queue
 After a certificate has been signed by the Vault CA it is added to the import queue. Processing of certificates in the queue
@@ -461,6 +462,56 @@ that restrictions are working):
 
 [![asciicast](https://asciinema.org/a/T6DKJ1gu2B2s22AIglJCsxTkd.svg)](https://asciinema.org/a/T6DKJ1gu2B2s22AIglJCsxTkd)
 
+
+### Venafi Policy Synchronization
+You can automatically synchronize PKI role values (e.g. OU, O, L, ST, and C) with Venafi policy. To do so, simply set the
+`venafi_sync_policy` parameter to the Venafi enforcement policy name as shown in the following example:  
+ 
+1. Configure Venafi policy:
+
+    ```
+    vault write pki/venafi-policy/tpp \ 
+        tpp_url="https://tpp.example.com/vedsdk" \
+        tpp_user="admin" \
+        tpp_password="strongPassword" \ 
+        zone="devops\\vcert" \
+        trust_bundle_file="/opt/venafi/bundle.pem"
+    ```
+
+1. Create a role with the sync parameter:
+
+    ```
+    vault write pki/roles/tpp-sync-role \
+        venafi_sync_policy="tpp"
+    ```
+
+1. After approximately 15 seconds the role values should be synchronized with Venafi policy:
+
+    ```
+    $ vault read pki/roles/tpp-sync-role
+    Key                                   Value
+    ---                                   -----
+    .....
+    country                               [US]
+    .....
+    locality                              [Salt Lake]
+    .....
+    organization                          [Venafi Inc.]
+    ou                                    [Integrations]
+    ......
+    province                              [Utah]
+    ......
+    ```
+    
+1. To check which roles are synchronizing with Venafi policy, read from the _pki/venafi-sync-policies_ path:
+
+    ```
+    $ vault read pki/venafi-sync-policies
+    Key     Value
+    ---     -----
+    keys    [role: tpp-sync-role sync policy: tpp]
+    ```
+
 ## Developer Quickstart (Linux only)
 
 1. We supportiong Go versions from 1.11

diff --git a/go.mod b/go.mod
@@ -12,9 +12,14 @@ require (
 	github.com/hashicorp/vault v1.3.2
 	github.com/hashicorp/vault/api v1.0.5-0.20200117231345-460d63e36490
 	github.com/hashicorp/vault/sdk v0.1.14-0.20200121232954-73f411823aa0
+	github.com/imdario/mergo v0.3.9
 	github.com/michaelklishin/rabbit-hole v1.5.0 // indirect
 	github.com/mitchellh/mapstructure v1.1.2
+	github.com/onsi/ginkgo v1.10.1 // indirect
+	github.com/onsi/gomega v1.7.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0
+	github.com/stretchr/testify v1.4.0 // indirect
 	golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4
-	golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7
+	golang.org/x/net v0.0.0-20200226121028-0de0cce0169b
+	golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e // indirect
 )
diff --git a/go.sum b/go.sum
@@ -37,8 +37,6 @@ github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWX
 github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
 github.com/StackExchange/wmi v0.0.0-20180116203802-5d049714c4a6 h1:fLjPD/aNc3UIOA6tDi6QXUemppXK3P9BI7mr2hd6gx8=
 github.com/StackExchange/wmi v0.0.0-20180116203802-5d049714c4a6/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
-github.com/Venafi/vcert v0.0.0-20200204170033-22c7b3700151 h1:0oM/kUF+VbM78m5+id7RfXkRnXy7hl1FB6HFaOK1PGg=
-github.com/Venafi/vcert v0.0.0-20200204170033-22c7b3700151/go.mod h1:5T4bFPhcgGXbdz8nVVRuE2gXSRDlZVL+9T5CwZZ3Yk4=
 github.com/Venafi/vcert v0.0.0-20200305200519-e0c167846479 h1:tNDNIHdGE/yBzFdG6k6UmBOb+rL3EliPEZO1C8LpADo=
 github.com/Venafi/vcert v0.0.0-20200305200519-e0c167846479/go.mod h1:9EegQjmRoMqVT/ydgd54mJj5rTd7ym0qMgEfhnPsce0=
 github.com/abdullin/seq v0.0.0-20160510034733-d5467c17e7af/go.mod h1:5Jv4cbFiHJMsVxt52+i0Ha45fjshj6wxYr1r19tB9bw=
@@ -388,6 +386,8 @@ github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKe
 github.com/howeyc/gopass v0.0.0-20170109162249-bf9dde6d0d2c/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs=
 github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/imdario/mergo v0.3.9 h1:UauaLniWCFHWd+Jp9oCEkTBj8VO/9DKg3PV3VCNMDIg=
+github.com/imdario/mergo v0.3.9/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/influxdata/influxdb v0.0.0-20190411212539-d24b7ba8c4c4 h1:3K3KcD4S6/Y2hevi70EzUTNKOS3cryQyhUnkjE6Tz0w=
 github.com/influxdata/influxdb v0.0.0-20190411212539-d24b7ba8c4c4/go.mod h1:qZna6X/4elxqT3yI9iZYdZrWWdeFOOprn86kgg4+IzY=
@@ -496,12 +496,16 @@ github.com/onsi/ginkgo v1.7.0 h1:WSHQ+IS43OoUrWtD1/bbclrwK8TTH5hzp+umCiuxHgs=
 github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.8.0 h1:VkHVNpR4iVnU8XQR6DBm8BqYjN7CRzw+xKUbVVbbW9w=
 github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.10.1 h1:q/mM8GF/n0shIN8SaAZ0V+jnLPzen6WIVZdiwrRlMlo=
+github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/gomega v0.0.0-20190113212917-5533ce8a0da3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.4.2/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.4.3 h1:RE1xgDvH7imwFD45h+u2SgIfERHlS2yNG4DObb5BSKU=
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.5.0 h1:izbySO9zDPmjJ8rDjLvkA2zJHIo+HkYXHnf7eN7SSyo=
 github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/onsi/gomega v1.7.0 h1:XPnZz8VVBHjVsy1vzJmRwIcSwiUO+JFfrv/xGiigmME=
+github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/opencontainers/go-digest v1.0.0-rc1 h1:WzifXhOVOEOuFYOJAW6aQqW0TooG2iki3E3Ii+WN7gQ=
 github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/image-spec v1.0.1 h1:JMemWkRwHx4Zj+fVxWoMCFm/8sYGGrUVojFA6h/TRcI=
@@ -606,6 +610,8 @@ github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/tarm/serial v0.0.0-20180830185346-98f6abe2eb07/go.mod h1:kDXzergiv9cbyO7IOYJZWg1U88JhDg3PB6klq9Hg2pA=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
@@ -681,6 +687,8 @@ golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7 h1:fHDIZ2oxGnUZRN6WgWFCbYBjH9uqVPRCUVUDhs0wnbA=
 golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b h1:0mm1VjtFUOIlE1SbDlwjYaDxZVDP2S5ou6y0gSgXHu8=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be h1:vEDujvNQGv4jgYKudGeI/+DAX4Jffq6hpD55MmoEvKs=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -701,6 +709,8 @@ golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6 h1:bjcUS9ztw9kFmmIxJInhon/0
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4BrLOthgV7252N8V+FwY=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=

diff --git a/plugin/pki/backend.go b/plugin/pki/backend.go
@@ -80,6 +80,7 @@ func Backend(conf *logical.BackendConfig) *backend {
 			pathVenafiPolicy(&b),
 			pathVenafiPolicyContent(&b),
 			pathVenafiPolicyList(&b),
+			pathVenafiPolicySync(&b),
 			pathRevoke(&b),
 			pathTidy(&b),
 		},
@@ -100,6 +101,7 @@ func Backend(conf *logical.BackendConfig) *backend {
 	} else {
 		b.taskStorage.init()
 		b.importToTPP(b.storage, conf)
+		b.syncWithVenafiPolicyRegister(b.storage, conf)
 	}
 
 	return &b

diff --git a/plugin/pki/backend_test.go b/plugin/pki/backend_test.go
@@ -1435,7 +1435,7 @@ func TestBackend_PathFetchCertList(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	writePolicy(b, storage, venafiTestTPPConfigAllAllow, t)
+	writePolicy(b, storage, venafiTestTPPConfigAllAllow, t, defaultVenafiPolicyName)
 	// generate root
 	rootData := map[string]interface{}{
 		"common_name": "test.com",
@@ -1562,7 +1562,7 @@ func TestBackend_SignVerbatim(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	writePolicy(b, storage, venafiTestTPPConfigAllAllow, t)
+	writePolicy(b, storage, venafiTestTPPConfigAllAllow, t, defaultVenafiPolicyName)
 
 	// generate root
 	rootData := map[string]interface{}{
@@ -1945,7 +1945,7 @@ func TestBackend_SignSelfIssued(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	writePolicy(b, storage, venafiTestTPPConfigAllAllow, t)
+	writePolicy(b, storage, venafiTestTPPConfigAllAllow, t, defaultVenafiPolicyName)
 
 	// generate root
 	rootData := map[string]interface{}{

diff --git a/plugin/pki/path_import_queue_test.go b/plugin/pki/path_import_queue_test.go
@@ -126,7 +126,7 @@ func testBackend_pathImport(t *testing.T, getRoleData getRoleDataFunc, getConnec
 		t.Fatal(err)
 	}
 
-	writePolicy(b, storage, policy, t)
+	writePolicy(b, storage, policy, t, defaultVenafiPolicyName)
 
 	// generate root
 	rootData := map[string]interface{}{
@@ -248,7 +248,7 @@ func TestBackend_PathImportToTPPTwice(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	writePolicy(b, storage, venafiTestTPPConfigAllAllow, t)
+	writePolicy(b, storage, venafiTestTPPConfigAllAllow, t, defaultVenafiPolicyName)
 
 	// generate root
 	rootData := map[string]interface{}{
@@ -337,9 +337,6 @@ func TestBackend_PathImportToTPPTwice(t *testing.T) {
 		//req.Thumbprint = "111111"
 
 		cl := getTPPConnection(t)
-		if err != nil {
-			t.Fatalf("could not connect to endpoint: %s", err)
-		}
 		pcc, err := cl.RetrieveCertificate(req)
 		if err != nil {
 			t.Fatalf("could not retrieve certificate using requestId %s: %s", req.PickupID, err)
@@ -373,7 +370,7 @@ func TestBackend_PathImportToTPPMultipleCerts(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	writePolicy(b, storage, venafiTestTPPConfigAllAllow, t)
+	writePolicy(b, storage, venafiTestTPPConfigAllAllow, t, defaultVenafiPolicyName)
 
 	// generate root
 	rootData := map[string]interface{}{
@@ -488,9 +485,6 @@ func TestBackend_PathImportToTPPMultipleCerts(t *testing.T) {
 		//req.Thumbprint = "111111"
 
 		cl := getTPPConnection(t)
-		if err != nil {
-			t.Fatalf("could not connect to endpoint: %s", err)
-		}
 		pcc, err := cl.RetrieveCertificate(req)
 		if err != nil {
 			t.Fatalf("could not retrieve certificate using requestId %s: %s", req.PickupID, err)

diff --git a/plugin/pki/path_roles.go b/plugin/pki/path_roles.go
@@ -301,8 +301,7 @@ for "generate_lease".`,
 				Type: framework.TypeString,
 				Description: `Name of Venafi Platform or Cloud policy. 
 Example for Platform: testpolicy\\vault
-Example for Venafi Cloud: Default`,
-				Default: `Default`,
+Example for Venafi Cloud: e33f3e40-4e7e-11ea-8da3-b3c196ebeb0b`,
 			},
 			"tpp_user": {
 				Type:        framework.TypeString,
@@ -348,6 +347,11 @@ Example:
 				Default:     defaultVenafiPolicyName,
 				Description: `Which Venafi policy check to use`,
 			},
+			"venafi_sync_policy": {
+				Type:        framework.TypeString,
+				Description: "If set PKI role will be synchronized with Venafi zone specified in the policy.",
+				Default:     defaultVenafiPolicyName,
+			},
 		},
 
 		Callbacks: map[logical.Operation]framework.OperationFunc{
@@ -579,6 +583,7 @@ func (b *backend) pathRoleCreate(ctx context.Context, req *logical.Request, data
 		TPPImportTimeout:  data.Get("venafi_import_timeout").(int),
 		TPPImportWorkers:  data.Get("venafi_import_workers").(int),
 		VenafiCheckPolicy: data.Get("venafi_check_policy").(string),
+		VenafiSyncPolicy:  data.Get("venafi_sync_policy").(string),
 	}
 	otherSANs := data.Get("allowed_other_sans").([]string)
 	if len(otherSANs) > 0 {
@@ -777,6 +782,9 @@ type roleEntry struct {
 	TPPImportWorkers  int    `json:"venafi_import_workers"`
 	VenafiCheckPolicy string `json:"venafi_check_policy"`
 
+	//Options for syncing role parameters with Venafi policy
+	VenafiSyncPolicy string `json:"venafi_sync_policy"`
+
 	// Used internally for signing intermediates
 	AllowExpirationPastCA bool
 }
@@ -830,6 +838,7 @@ func (r *roleEntry) ToResponseData() map[string]interface{} {
 		"venafi_import_timeout": r.TPPImportTimeout,
 		"venafi_import_workers": r.TPPImportWorkers,
 		"venafi_check_policy":   r.VenafiCheckPolicy,
+		"venafi_sync_policy":    r.VenafiSyncPolicy,
 	}
 	if r.MaxPathLength != nil {
 		responseData["max_path_length"] = r.MaxPathLength

diff --git a/plugin/pki/path_roles_test.go b/plugin/pki/path_roles_test.go
@@ -560,7 +560,7 @@ func TestPki_RoleNoStore(t *testing.T) {
 		"allowed_domains": "myvault.com",
 		"ttl":             "5h",
 	}
-	writePolicy(b, storage, venafiTestTPPConfigAllAllow, t)
+	writePolicy(b, storage, venafiTestTPPConfigAllAllow, t, defaultVenafiPolicyName)
 
 	roleReq := &logical.Request{
 		Operation: logical.UpdateOperation,
@@ -664,7 +664,7 @@ func TestPki_CertsLease(t *testing.T) {
 	var resp *logical.Response
 	var err error
 	b, storage := createBackendWithStorage(t)
-	writePolicy(b, storage, venafiTestTPPConfigAllAllow, t)
+	writePolicy(b, storage, venafiTestTPPConfigAllAllow, t, defaultVenafiPolicyName)
 
 	caData := map[string]interface{}{
 		"common_name": "myvault.com",