diff --git a/.github/workflows/keyfactor-release-workflow.yml b/.github/workflows/keyfactor-release-workflow.yml index bd5f384..0f3d3ae 100644 --- a/.github/workflows/keyfactor-release-workflow.yml +++ b/.github/workflows/keyfactor-release-workflow.yml @@ -11,7 +11,7 @@ on: jobs: call-starter-workflow: - uses: keyfactor/actions/.github/workflows/starter.yml@v4 + uses: keyfactor/actions/.github/workflows/starter.yml@v5 with: command_token_url: ${{ vars.COMMAND_TOKEN_URL }} command_hostname: ${{ vars.COMMAND_HOSTNAME }} @@ -24,4 +24,4 @@ jobs: entra_username: ${{ secrets.DOCTOOL_ENTRA_USERNAME }} entra_password: ${{ secrets.DOCTOOL_ENTRA_PASSWD }} command_client_id: ${{ secrets.COMMAND_CLIENT_ID }} - command_client_secret: ${{ secrets.COMMAND_CLIENT_SECRET }} \ No newline at end of file + command_client_secret: ${{ secrets.COMMAND_CLIENT_SECRET }} diff --git a/.gitignore b/.gitignore index 270aaaa..e86eb9c 100644 --- a/.gitignore +++ b/.gitignore @@ -6,7 +6,11 @@ /hashicorp-vault-orchestrator/obj /hashicorp-vault-orchestrator/Properties /hashicorp-vault-orchestrator/hashicorp-vault-orchestrator.csproj.user +/hashicorp-vault-orchestrator.Tests/bin +/hashicorp-vault-orchestrator.Tests/obj +/hashicorp-vault-orchestrator.Tests/hashicorp-vault-orchestrator.Tests.csproj.user .vs +.idea *.licenseheader README.md /README.md diff --git a/CHANGELOG.md b/CHANGELOG.md index 2e1f651..292e80f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,16 @@ +## 3.2.1 + +* **bug fix:** Inventory and Management jobs against a Vault Enterprise namespaced KV store no longer fail with `permission denied` when the Vault token is scoped to a namespace. The `X-Vault-Namespace` header is now sent on all job types (Inventory, Management, Discovery) when a namespace is detected in the `MountPoint` field, not just Discovery. +* **bug fix:** `sys/mounts` returning HTTP 403 (token lacks `read` on `sys/mounts`) no longer crashes the job. The extension now logs a warning, defaults to KV v2, and continues normally. +* **bug fix:** KV v1 engine version was not being cached after detection, causing a redundant `sys/mounts` call on every subsequent operation within the same job. +* **fix:** `MountPoint` field now supports the `/` format on Inventory and Management jobs. The namespace is parsed by splitting on the last `/`, supporting nested namespaces (e.g. `ep/common/secret` β†’ namespace `ep/common`, mount `secret`). Previously this parsing only occurred for Discovery jobs. +* **build:** Added `net10.0` to `TargetFrameworks` for compatibility with Universal Orchestrator 25.5.x. +* **fix:** Management-Add against a file-format store (HCVKVPFX, HCVKVJKS, HCVKVP12) that was never successfully Created now auto-seeds an empty store and passphrase on first use rather than failing with a 404. +* **fix:** `StorePath` trailing slash normalization now applied consistently for PEM and PKI store types regardless of whether the value came from store properties or the job configuration directly. +* **fix:** `GetTokenPoliciesAsync` failure during job initialization no longer crashes the orchestrator process β€” errors are caught and logged at debug level. +* **tests:** Added `hashicorp-vault-orchestrator.Tests` xUnit project covering KV version detection (including 403 fallback and caching), Enterprise namespace/mount parsing, CreateFileStore path correctness, and Management-Add write behavior. +* **docs:** Updated README Security Considerations with `sys/mounts` permission requirement, a minimum recommended HCL policy example, and Vault Enterprise namespace guidance. Added Enterprise namespace parsing notes to all `MountPoint` field descriptions. + ## 3.2.0 * added parameter "PassphrasePath" to support custom passphrase path (no longer needs to be a secret named 'passphrase' on the same level) * added support for optional parameter on store path and passphrase path to indicate the property containing the value (if JSON secret) diff --git a/README.md b/README.md index 3fe4cb5..7b4f391 100644 --- a/README.md +++ b/README.md @@ -34,23 +34,18 @@ This integration for the Keyfactor Universal Orchestrator has been tested against Hashicorp Vault 1.10+. It utilizes the **Key-Value** secrets engine to store certificates issues via Keyfactor Command. The Hashicorp Vault Universal Orchestrator extension implements 5 Certificate Store Types. Depending on your use case, you may elect to use one, or all of these Certificate Store Types. Descriptions of each are provided below. - - [Hashicorp Vault PKI](#HCVPKI) - - [Hashicorp Vault Key-Value PEM](#HCVKVPEM) - - [Hashicorp Vault Key-Value JKS](#HCVKVJKS) - - [Hashicorp Vault Key-Value PKCS12](#HCVKVP12) - - [Hashicorp Vault Key-Value PFX](#HCVKVPFX) - ## Compatibility This integration is compatible with Keyfactor Universal Orchestrator version 10.4 and later. ## Support + The Hashicorp Vault Universal Orchestrator extension is supported by Keyfactor. If you require support for any issues or have feature request, please open a support ticket by either contacting your Keyfactor representative or via the Keyfactor Support Portal at https://support.keyfactor.com. > If you want to contribute bug fixes or additional enhancements, use the **[Pull requests](../../pulls)** tab. @@ -59,8 +54,6 @@ The Hashicorp Vault Universal Orchestrator extension is supported by Keyfactor. Before installing the Hashicorp Vault Universal Orchestrator extension, we recommend that you install [kfutil](https://github.com/Keyfactor/kfutil). Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command. - - ## Certificate Store Types To use the Hashicorp Vault Universal Orchestrator extension, you **must** create the Certificate Store Types required for your use-case. This only needs to happen _once_ per Keyfactor Command instance. @@ -71,30 +64,27 @@ The Hashicorp Vault Universal Orchestrator extension implements 5 Certificate St
Click to expand details - The store type "HCVPKI" can perform inventory on certificates that exist in either the Hashicorp Vault PKI Secrets Engine, or the Keyfactor Secrets Engine. - The [Hashicorp Vault PKI Secrets Engine](https://developer.hashicorp.com/vault/api-docs/secret/pki) is intended to allow for issuance and storage of certificates that rely on Certificate Authorities outside of Command; typically in Vault. - The [Keyfactor Secrets Engine](https://github.com/Keyfactor/hashicorp-vault-secretsengine) is designed to support the same interface as the Hashicorp Vault PKI Secrets Engine to issue and enroll certificates using Certificate Authorities managed by Keyfactor Command. - - - #### Supported Operations -| Operation | Is Supported | -|--------------|------------------------------------------------------------------------------------------------------------------------| -| Add | πŸ”² Unchecked | -| Remove | πŸ”² Unchecked | -| Discovery | πŸ”² Unchecked | +| Operation | Is Supported | +|--------------|--------------| +| Add | πŸ”² Unchecked | +| Remove | πŸ”² Unchecked | +| Discovery | πŸ”² Unchecked | | Reenrollment | πŸ”² Unchecked | -| Create | πŸ”² Unchecked | +| Create | πŸ”² Unchecked | #### Store Type Creation ##### Using kfutil: `kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types. For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart) +
Click to expand HCVPKI kfutil details ##### Using online definition from GitHub: @@ -113,10 +103,10 @@ For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out ```
- #### Manual Creation Below are instructions on how to create the HCVPKI store type manually in the Keyfactor Command Portal +
Click to expand manual HCVPKI details Create a store type called `HCVPKI` with the attributes in the tables below: @@ -127,11 +117,11 @@ the Keyfactor Command Portal | Name | Hashicorp Vault PKI | Display name for the store type (may be customized) | | Short Name | HCVPKI | Short display name for the store type | | Capability | HCVPKI | Store type name orchestrator will register with. Check the box to allow entry of value | - | Supports Add | πŸ”² Unchecked | Indicates that the Store Type supports Management Add | - | Supports Remove | πŸ”² Unchecked | Indicates that the Store Type supports Management Remove | - | Supports Discovery | πŸ”² Unchecked | Indicates that the Store Type supports Discovery | - | Supports Reenrollment | πŸ”² Unchecked | Indicates that the Store Type supports Reenrollment | - | Supports Create | πŸ”² Unchecked | Indicates that the Store Type supports store creation | + | Supports Add | πŸ”² Unchecked | Indicates that the Store Type supports Management Add | + | Supports Remove | πŸ”² Unchecked | Indicates that the Store Type supports Management Remove | + | Supports Discovery | πŸ”² Unchecked | Indicates that the Store Type supports Discovery | + | Supports Reenrollment | πŸ”² Unchecked | Indicates that the Store Type supports Reenrollment | + | Supports Create | πŸ”² Unchecked | Indicates that the Store Type supports store creation | | Needs Server | βœ… Checked | Determines if a target server name is required when creating store | | Blueprint Allowed | πŸ”² Unchecked | Determines if store type may be included in an Orchestrator blueprint | | Uses PowerShell | πŸ”² Unchecked | Determines if underlying implementation is PowerShell | @@ -140,18 +130,18 @@ the Keyfactor Command Portal The Basic tab should look like this: - ![HCVPKI Basic Tab](docsource/images/HCVPKI-basic-store-type-dialog.png) + ![HCVPKI Basic Tab](docsource/images/HCVPKI-basic-store-type-dialog.svg) ##### Advanced Tab | Attribute | Value | Description | | --------- | ----- | ----- | | Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. | - | Private Key Handling | Forbidden | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. | + | Private Key Handling | Forbidden | This determines if Keyfactor can send the private key associated with a certificate to the store. | | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) | The Advanced tab should look like this: - ![HCVPKI Advanced Tab](docsource/images/HCVPKI-advanced-store-type-dialog.png) + ![HCVPKI Advanced Tab](docsource/images/HCVPKI-advanced-store-type-dialog.svg) > For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX. @@ -167,7 +157,37 @@ the Keyfactor Command Portal The Custom Fields tab should look like this: - ![HCVPKI Custom Fields Tab](docsource/images/HCVPKI-custom-fields-store-type-dialog.png) + ![HCVPKI Custom Fields Tab](docsource/images/HCVPKI-custom-fields-store-type-dialog.svg) + + ###### Server Username + The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 + + + > [!IMPORTANT] + > This field is created by the `Needs Server` on the Basic tab, do not create this field manually. + + + ###### Server Password + Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance + + + > [!IMPORTANT] + > This field is created by the `Needs Server` on the Basic tab, do not create this field manually. + + + ###### Mount Point + This is the mount point of the instance of the PKI or Keyfactor secrets engine plugin. If using enterprise namespaces: / + + ![HCVPKI Custom Field - MountPoint](docsource/images/HCVPKI-custom-field-MountPoint-dialog.svg) + ![HCVPKI Custom Field - MountPoint](docsource/images/HCVPKI-custom-field-MountPoint-validation-options-dialog.svg) + + + ###### Passphrase Path + This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret. + + ![HCVPKI Custom Field - PassphrasePath](docsource/images/HCVPKI-custom-field-PassphrasePath-dialog.svg) + ![HCVPKI Custom Field - PassphrasePath](docsource/images/HCVPKI-custom-field-PassphrasePath-validation-options-dialog.svg) + ###### Server Username @@ -213,7 +233,6 @@ the Keyfactor Command Portal
Click to expand details - The Hashicorp Vault Key-Value PEM Certificate Store manages certificates in the PEM format that are stored in the Hashicorp Vault Key-Value secrets engine. This certificate store type differs from the other Key-Value store types (HCVKVJKS, HCVKVP12, HCVKVPFX) in that rather than a certificate store being defined as a single file, these are defined as a single _path_ that may contain one or more separate PEM-formatted certificate secret entries. @@ -296,24 +315,22 @@ Create a new Certificate Store that resembles the one below: At this point, the certificate store should be created and ready to peform inventory on your certificates stored in PFX certificate store files on the Key-Value secrets engine. - - - #### Supported Operations -| Operation | Is Supported | -|--------------|------------------------------------------------------------------------------------------------------------------------| -| Add | βœ… Checked | -| Remove | βœ… Checked | -| Discovery | βœ… Checked | +| Operation | Is Supported | +|--------------|--------------| +| Add | βœ… Checked | +| Remove | βœ… Checked | +| Discovery | βœ… Checked | | Reenrollment | πŸ”² Unchecked | -| Create | βœ… Checked | +| Create | βœ… Checked | #### Store Type Creation ##### Using kfutil: `kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types. For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart) +
Click to expand HCVKVPEM kfutil details ##### Using online definition from GitHub: @@ -332,10 +349,10 @@ For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out ```
- #### Manual Creation Below are instructions on how to create the HCVKVPEM store type manually in the Keyfactor Command Portal +
Click to expand manual HCVKVPEM details Create a store type called `HCVKVPEM` with the attributes in the tables below: @@ -346,11 +363,11 @@ the Keyfactor Command Portal | Name | Hashicorp Vault Key-Value PEM | Display name for the store type (may be customized) | | Short Name | HCVKVPEM | Short display name for the store type | | Capability | HCVKVPEM | Store type name orchestrator will register with. Check the box to allow entry of value | - | Supports Add | βœ… Checked | Check the box. Indicates that the Store Type supports Management Add | - | Supports Remove | βœ… Checked | Check the box. Indicates that the Store Type supports Management Remove | - | Supports Discovery | βœ… Checked | Check the box. Indicates that the Store Type supports Discovery | - | Supports Reenrollment | πŸ”² Unchecked | Indicates that the Store Type supports Reenrollment | - | Supports Create | βœ… Checked | Check the box. Indicates that the Store Type supports store creation | + | Supports Add | βœ… Checked | Indicates that the Store Type supports Management Add | + | Supports Remove | βœ… Checked | Indicates that the Store Type supports Management Remove | + | Supports Discovery | βœ… Checked | Indicates that the Store Type supports Discovery | + | Supports Reenrollment | πŸ”² Unchecked | Indicates that the Store Type supports Reenrollment | + | Supports Create | βœ… Checked | Indicates that the Store Type supports store creation | | Needs Server | βœ… Checked | Determines if a target server name is required when creating store | | Blueprint Allowed | πŸ”² Unchecked | Determines if store type may be included in an Orchestrator blueprint | | Uses PowerShell | πŸ”² Unchecked | Determines if underlying implementation is PowerShell | @@ -359,18 +376,18 @@ the Keyfactor Command Portal The Basic tab should look like this: - ![HCVKVPEM Basic Tab](docsource/images/HCVKVPEM-basic-store-type-dialog.png) + ![HCVKVPEM Basic Tab](docsource/images/HCVKVPEM-basic-store-type-dialog.svg) ##### Advanced Tab | Attribute | Value | Description | | --------- | ----- | ----- | | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. | - | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. | + | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. | | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) | The Advanced tab should look like this: - ![HCVKVPEM Advanced Tab](docsource/images/HCVKVPEM-advanced-store-type-dialog.png) + ![HCVKVPEM Advanced Tab](docsource/images/HCVKVPEM-advanced-store-type-dialog.svg) > For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX. @@ -387,7 +404,44 @@ the Keyfactor Command Portal The Custom Fields tab should look like this: - ![HCVKVPEM Custom Fields Tab](docsource/images/HCVKVPEM-custom-fields-store-type-dialog.png) + ![HCVKVPEM Custom Fields Tab](docsource/images/HCVKVPEM-custom-fields-store-type-dialog.svg) + + ###### Server Username + The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 + + + > [!IMPORTANT] + > This field is created by the `Needs Server` on the Basic tab, do not create this field manually. + + + ###### Server Password + Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance + + + > [!IMPORTANT] + > This field is created by the `Needs Server` on the Basic tab, do not create this field manually. + + + ###### Subfolder Inventory + Should certificates found in sub-paths be included when performing an inventory? + + ![HCVKVPEM Custom Field - SubfolderInventory](docsource/images/HCVKVPEM-custom-field-SubfolderInventory-dialog.svg) + ![HCVKVPEM Custom Field - SubfolderInventory](docsource/images/HCVKVPEM-custom-field-SubfolderInventory-validation-options-dialog.svg) + + + ###### Include Certificate Chain + Should the certificate chain be included when performing an enrollment? + + ![HCVKVPEM Custom Field - IncludeCertChain](docsource/images/HCVKVPEM-custom-field-IncludeCertChain-dialog.svg) + ![HCVKVPEM Custom Field - IncludeCertChain](docsource/images/HCVKVPEM-custom-field-IncludeCertChain-validation-options-dialog.svg) + + + ###### Mount Point + The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. / + + ![HCVKVPEM Custom Field - MountPoint](docsource/images/HCVKVPEM-custom-field-MountPoint-dialog.svg) + ![HCVKVPEM Custom Field - MountPoint](docsource/images/HCVKVPEM-custom-field-MountPoint-validation-options-dialog.svg) + ###### Server Username @@ -440,14 +494,10 @@ the Keyfactor Command Portal
Click to expand details - The Hashicorp Vault Key-Value JKS Certificate Store manages certificates in the JKS format that are stored in the Hashicorp Vault Key-Value secrets engine. Each JKS file stored as a secret in the Key-Value secrets engine is treated as its own certificate store. This file should be a valid JKS certificate store, and contain a collection of one or more certificates. The inventory job will catalog the certificates contained within the store. Add/Remove operations will add and remove certificates - - - #### Hashicorp Vault Key-Value JKS Requirements #### Secret naming @@ -486,23 +536,22 @@ One method to encode a binary certificate store is to use the following command `c:\> cat | base64` - - #### Supported Operations -| Operation | Is Supported | -|--------------|------------------------------------------------------------------------------------------------------------------------| -| Add | βœ… Checked | -| Remove | βœ… Checked | -| Discovery | βœ… Checked | +| Operation | Is Supported | +|--------------|--------------| +| Add | βœ… Checked | +| Remove | βœ… Checked | +| Discovery | βœ… Checked | | Reenrollment | πŸ”² Unchecked | -| Create | βœ… Checked | +| Create | βœ… Checked | #### Store Type Creation ##### Using kfutil: `kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types. For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart) +
Click to expand HCVKVJKS kfutil details ##### Using online definition from GitHub: @@ -521,10 +570,10 @@ For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out ```
- #### Manual Creation Below are instructions on how to create the HCVKVJKS store type manually in the Keyfactor Command Portal +
Click to expand manual HCVKVJKS details Create a store type called `HCVKVJKS` with the attributes in the tables below: @@ -535,11 +584,11 @@ the Keyfactor Command Portal | Name | Hashicorp Vault Key-Value JKS | Display name for the store type (may be customized) | | Short Name | HCVKVJKS | Short display name for the store type | | Capability | HCVKVJKS | Store type name orchestrator will register with. Check the box to allow entry of value | - | Supports Add | βœ… Checked | Check the box. Indicates that the Store Type supports Management Add | - | Supports Remove | βœ… Checked | Check the box. Indicates that the Store Type supports Management Remove | - | Supports Discovery | βœ… Checked | Check the box. Indicates that the Store Type supports Discovery | - | Supports Reenrollment | πŸ”² Unchecked | Indicates that the Store Type supports Reenrollment | - | Supports Create | βœ… Checked | Check the box. Indicates that the Store Type supports store creation | + | Supports Add | βœ… Checked | Indicates that the Store Type supports Management Add | + | Supports Remove | βœ… Checked | Indicates that the Store Type supports Management Remove | + | Supports Discovery | βœ… Checked | Indicates that the Store Type supports Discovery | + | Supports Reenrollment | πŸ”² Unchecked | Indicates that the Store Type supports Reenrollment | + | Supports Create | βœ… Checked | Indicates that the Store Type supports store creation | | Needs Server | βœ… Checked | Determines if a target server name is required when creating store | | Blueprint Allowed | πŸ”² Unchecked | Determines if store type may be included in an Orchestrator blueprint | | Uses PowerShell | πŸ”² Unchecked | Determines if underlying implementation is PowerShell | @@ -548,18 +597,18 @@ the Keyfactor Command Portal The Basic tab should look like this: - ![HCVKVJKS Basic Tab](docsource/images/HCVKVJKS-basic-store-type-dialog.png) + ![HCVKVJKS Basic Tab](docsource/images/HCVKVJKS-basic-store-type-dialog.svg) ##### Advanced Tab | Attribute | Value | Description | | --------- | ----- | ----- | | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. | - | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. | + | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. | | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) | The Advanced tab should look like this: - ![HCVKVJKS Advanced Tab](docsource/images/HCVKVJKS-advanced-store-type-dialog.png) + ![HCVKVJKS Advanced Tab](docsource/images/HCVKVJKS-advanced-store-type-dialog.svg) > For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX. @@ -576,7 +625,44 @@ the Keyfactor Command Portal The Custom Fields tab should look like this: - ![HCVKVJKS Custom Fields Tab](docsource/images/HCVKVJKS-custom-fields-store-type-dialog.png) + ![HCVKVJKS Custom Fields Tab](docsource/images/HCVKVJKS-custom-fields-store-type-dialog.svg) + + ###### Server Username + The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 + + + > [!IMPORTANT] + > This field is created by the `Needs Server` on the Basic tab, do not create this field manually. + + + ###### Server Password + Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance + + + > [!IMPORTANT] + > This field is created by the `Needs Server` on the Basic tab, do not create this field manually. + + + ###### Include Certificate Chain + Should the certificate chain be included when performing an enrollment? + + ![HCVKVJKS Custom Field - IncludeCertChain](docsource/images/HCVKVJKS-custom-field-IncludeCertChain-dialog.svg) + ![HCVKVJKS Custom Field - IncludeCertChain](docsource/images/HCVKVJKS-custom-field-IncludeCertChain-validation-options-dialog.svg) + + + ###### Mount Point + The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. / + + ![HCVKVJKS Custom Field - MountPoint](docsource/images/HCVKVJKS-custom-field-MountPoint-dialog.svg) + ![HCVKVJKS Custom Field - MountPoint](docsource/images/HCVKVJKS-custom-field-MountPoint-validation-options-dialog.svg) + + + ###### Passphrase Path + This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret. + + ![HCVKVJKS Custom Field - PassphrasePath](docsource/images/HCVKVJKS-custom-field-PassphrasePath-dialog.svg) + ![HCVKVJKS Custom Field - PassphrasePath](docsource/images/HCVKVJKS-custom-field-PassphrasePath-validation-options-dialog.svg) + ###### Server Username @@ -629,14 +715,10 @@ the Keyfactor Command Portal
Click to expand details - The Hashicorp Vault Key-Value PKCS12 Certificate Store manages certificates in the PKCS12 format that are stored in the Hashicorp Vault Key-Value secrets engine. Each PKCS12 file stored as a secret in the Key-Value secrets engine is treated as its own certificate store. This file should be a valid PKCS12 certificate store, and contain a collection of one or more certificates. The inventory job will catalog the certificates contained within the store. Add/Remove operations will add and remove certificates - - - #### Hashicorp Vault Key-Value PKCS12 Requirements #### Secret naming @@ -675,23 +757,22 @@ One method to encode a binary certificate store is to use the following command `c:\> cat | base64` - - #### Supported Operations -| Operation | Is Supported | -|--------------|------------------------------------------------------------------------------------------------------------------------| -| Add | βœ… Checked | -| Remove | βœ… Checked | -| Discovery | βœ… Checked | +| Operation | Is Supported | +|--------------|--------------| +| Add | βœ… Checked | +| Remove | βœ… Checked | +| Discovery | βœ… Checked | | Reenrollment | πŸ”² Unchecked | -| Create | βœ… Checked | +| Create | βœ… Checked | #### Store Type Creation ##### Using kfutil: `kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types. For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart) +
Click to expand HCVKVP12 kfutil details ##### Using online definition from GitHub: @@ -710,10 +791,10 @@ For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out ```
- #### Manual Creation Below are instructions on how to create the HCVKVP12 store type manually in the Keyfactor Command Portal +
Click to expand manual HCVKVP12 details Create a store type called `HCVKVP12` with the attributes in the tables below: @@ -724,11 +805,11 @@ the Keyfactor Command Portal | Name | Hashicorp Vault Key-Value PKCS12 | Display name for the store type (may be customized) | | Short Name | HCVKVP12 | Short display name for the store type | | Capability | HCVKVP12 | Store type name orchestrator will register with. Check the box to allow entry of value | - | Supports Add | βœ… Checked | Check the box. Indicates that the Store Type supports Management Add | - | Supports Remove | βœ… Checked | Check the box. Indicates that the Store Type supports Management Remove | - | Supports Discovery | βœ… Checked | Check the box. Indicates that the Store Type supports Discovery | - | Supports Reenrollment | πŸ”² Unchecked | Indicates that the Store Type supports Reenrollment | - | Supports Create | βœ… Checked | Check the box. Indicates that the Store Type supports store creation | + | Supports Add | βœ… Checked | Indicates that the Store Type supports Management Add | + | Supports Remove | βœ… Checked | Indicates that the Store Type supports Management Remove | + | Supports Discovery | βœ… Checked | Indicates that the Store Type supports Discovery | + | Supports Reenrollment | πŸ”² Unchecked | Indicates that the Store Type supports Reenrollment | + | Supports Create | βœ… Checked | Indicates that the Store Type supports store creation | | Needs Server | βœ… Checked | Determines if a target server name is required when creating store | | Blueprint Allowed | πŸ”² Unchecked | Determines if store type may be included in an Orchestrator blueprint | | Uses PowerShell | πŸ”² Unchecked | Determines if underlying implementation is PowerShell | @@ -737,18 +818,18 @@ the Keyfactor Command Portal The Basic tab should look like this: - ![HCVKVP12 Basic Tab](docsource/images/HCVKVP12-basic-store-type-dialog.png) + ![HCVKVP12 Basic Tab](docsource/images/HCVKVP12-basic-store-type-dialog.svg) ##### Advanced Tab | Attribute | Value | Description | | --------- | ----- | ----- | | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. | - | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. | + | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. | | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) | The Advanced tab should look like this: - ![HCVKVP12 Advanced Tab](docsource/images/HCVKVP12-advanced-store-type-dialog.png) + ![HCVKVP12 Advanced Tab](docsource/images/HCVKVP12-advanced-store-type-dialog.svg) > For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX. @@ -765,7 +846,44 @@ the Keyfactor Command Portal The Custom Fields tab should look like this: - ![HCVKVP12 Custom Fields Tab](docsource/images/HCVKVP12-custom-fields-store-type-dialog.png) + ![HCVKVP12 Custom Fields Tab](docsource/images/HCVKVP12-custom-fields-store-type-dialog.svg) + + ###### Server Username + The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 + + + > [!IMPORTANT] + > This field is created by the `Needs Server` on the Basic tab, do not create this field manually. + + + ###### Server Password + Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance + + + > [!IMPORTANT] + > This field is created by the `Needs Server` on the Basic tab, do not create this field manually. + + + ###### Include Certificate Chain + Should the certificate chain be included when performing an enrollment? + + ![HCVKVP12 Custom Field - IncludeCertChain](docsource/images/HCVKVP12-custom-field-IncludeCertChain-dialog.svg) + ![HCVKVP12 Custom Field - IncludeCertChain](docsource/images/HCVKVP12-custom-field-IncludeCertChain-validation-options-dialog.svg) + + + ###### Mount Point + The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. / + + ![HCVKVP12 Custom Field - MountPoint](docsource/images/HCVKVP12-custom-field-MountPoint-dialog.svg) + ![HCVKVP12 Custom Field - MountPoint](docsource/images/HCVKVP12-custom-field-MountPoint-validation-options-dialog.svg) + + + ###### Passphrase Path + This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret. + + ![HCVKVP12 Custom Field - PassphrasePath](docsource/images/HCVKVP12-custom-field-PassphrasePath-dialog.svg) + ![HCVKVP12 Custom Field - PassphrasePath](docsource/images/HCVKVP12-custom-field-PassphrasePath-validation-options-dialog.svg) + ###### Server Username @@ -818,14 +936,10 @@ the Keyfactor Command Portal
Click to expand details - The Hashicorp Vault Key-Value PFX Certificate Store manages certificates in the PFX format that are stored in the Hashicorp Vault Key-Value secrets engine. Each PFX file stored as a secret in the Key-Value secrets engine is treated as its own certificate store. This file should be a valid PFX certificate store, and contain a collection of one or more certificates. The inventory job will catalog the certificates contained within the store. Add/Remove operations will add and remove certificates - - - #### Hashicorp Vault Key-Value PFX Requirements #### Secret naming @@ -863,23 +977,22 @@ One method to encode a binary certificate store is to use the following command `c:\> cat | base64` - - #### Supported Operations -| Operation | Is Supported | -|--------------|------------------------------------------------------------------------------------------------------------------------| -| Add | βœ… Checked | -| Remove | βœ… Checked | -| Discovery | βœ… Checked | +| Operation | Is Supported | +|--------------|--------------| +| Add | βœ… Checked | +| Remove | βœ… Checked | +| Discovery | βœ… Checked | | Reenrollment | πŸ”² Unchecked | -| Create | βœ… Checked | +| Create | βœ… Checked | #### Store Type Creation ##### Using kfutil: `kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types. For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart) +
Click to expand HCVKVPFX kfutil details ##### Using online definition from GitHub: @@ -898,10 +1011,10 @@ For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out ```
- #### Manual Creation Below are instructions on how to create the HCVKVPFX store type manually in the Keyfactor Command Portal +
Click to expand manual HCVKVPFX details Create a store type called `HCVKVPFX` with the attributes in the tables below: @@ -912,11 +1025,11 @@ the Keyfactor Command Portal | Name | Hashicorp Vault Key-Value PFX | Display name for the store type (may be customized) | | Short Name | HCVKVPFX | Short display name for the store type | | Capability | HCVKVPFX | Store type name orchestrator will register with. Check the box to allow entry of value | - | Supports Add | βœ… Checked | Check the box. Indicates that the Store Type supports Management Add | - | Supports Remove | βœ… Checked | Check the box. Indicates that the Store Type supports Management Remove | - | Supports Discovery | βœ… Checked | Check the box. Indicates that the Store Type supports Discovery | - | Supports Reenrollment | πŸ”² Unchecked | Indicates that the Store Type supports Reenrollment | - | Supports Create | βœ… Checked | Check the box. Indicates that the Store Type supports store creation | + | Supports Add | βœ… Checked | Indicates that the Store Type supports Management Add | + | Supports Remove | βœ… Checked | Indicates that the Store Type supports Management Remove | + | Supports Discovery | βœ… Checked | Indicates that the Store Type supports Discovery | + | Supports Reenrollment | πŸ”² Unchecked | Indicates that the Store Type supports Reenrollment | + | Supports Create | βœ… Checked | Indicates that the Store Type supports store creation | | Needs Server | βœ… Checked | Determines if a target server name is required when creating store | | Blueprint Allowed | πŸ”² Unchecked | Determines if store type may be included in an Orchestrator blueprint | | Uses PowerShell | πŸ”² Unchecked | Determines if underlying implementation is PowerShell | @@ -925,18 +1038,18 @@ the Keyfactor Command Portal The Basic tab should look like this: - ![HCVKVPFX Basic Tab](docsource/images/HCVKVPFX-basic-store-type-dialog.png) + ![HCVKVPFX Basic Tab](docsource/images/HCVKVPFX-basic-store-type-dialog.svg) ##### Advanced Tab | Attribute | Value | Description | | --------- | ----- | ----- | | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. | - | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. | + | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. | | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) | The Advanced tab should look like this: - ![HCVKVPFX Advanced Tab](docsource/images/HCVKVPFX-advanced-store-type-dialog.png) + ![HCVKVPFX Advanced Tab](docsource/images/HCVKVPFX-advanced-store-type-dialog.svg) > For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX. @@ -953,7 +1066,44 @@ the Keyfactor Command Portal The Custom Fields tab should look like this: - ![HCVKVPFX Custom Fields Tab](docsource/images/HCVKVPFX-custom-fields-store-type-dialog.png) + ![HCVKVPFX Custom Fields Tab](docsource/images/HCVKVPFX-custom-fields-store-type-dialog.svg) + + ###### Server Username + The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 + + + > [!IMPORTANT] + > This field is created by the `Needs Server` on the Basic tab, do not create this field manually. + + + ###### Server Password + Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance + + + > [!IMPORTANT] + > This field is created by the `Needs Server` on the Basic tab, do not create this field manually. + + + ###### Include Certificate Chain + Should the certificate chain be included when performing an enrollment? + + ![HCVKVPFX Custom Field - IncludeCertChain](docsource/images/HCVKVPFX-custom-field-IncludeCertChain-dialog.svg) + ![HCVKVPFX Custom Field - IncludeCertChain](docsource/images/HCVKVPFX-custom-field-IncludeCertChain-validation-options-dialog.svg) + + + ###### Mount Point + The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. / + + ![HCVKVPFX Custom Field - MountPoint](docsource/images/HCVKVPFX-custom-field-MountPoint-dialog.svg) + ![HCVKVPFX Custom Field - MountPoint](docsource/images/HCVKVPFX-custom-field-MountPoint-validation-options-dialog.svg) + + + ###### Passphrase Path + This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret. + + ![HCVKVPFX Custom Field - PassphrasePath](docsource/images/HCVKVPFX-custom-field-PassphrasePath-dialog.svg) + ![HCVKVPFX Custom Field - PassphrasePath](docsource/images/HCVKVPFX-custom-field-PassphrasePath-validation-options-dialog.svg) + ###### Server Username @@ -1007,7 +1157,7 @@ the Keyfactor Command Portal 1. **Download the latest Hashicorp Vault Universal Orchestrator extension from GitHub.** - Navigate to the [Hashicorp Vault Universal Orchestrator extension GitHub version page](https://github.com/Keyfactor/hashicorp-vault-orchestrator/releases/latest). Refer to the compatibility matrix below to determine the asset should be downloaded. Then, click the corresponding asset to download the zip archive. + Navigate to the [Hashicorp Vault Universal Orchestrator extension GitHub version page](https://github.com/Keyfactor/hashicorp-vault-orchestrator/releases/latest). Refer to the compatibility matrix below to determine which asset should be downloaded. Then, click the corresponding asset to download the zip archive. | Universal Orchestrator Version | Latest .NET version installed on the Universal Orchestrator server | `rollForward` condition in `Orchestrator.runtimeconfig.json` | `hashicorp-vault-orchestrator` .NET version to download | | --------- | ----------- | ----------- | ----------- | @@ -1036,17 +1186,14 @@ the Keyfactor Command Portal Refer to [Starting/Restarting the Universal Orchestrator service](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/StarttheService.htm). - 6. **(optional) PAM Integration** The Hashicorp Vault Universal Orchestrator extension is compatible with all supported Keyfactor PAM extensions to resolve PAM-eligible secrets. PAM extensions running on Universal Orchestrators enable secure retrieval of secrets from a connected PAM provider. To configure a PAM provider, [reference the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam) to select an extension and follow the associated instructions to install it on the Universal Orchestrator (remote). - > The above installation steps can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions). - ## Post Installation ### Enroll a certificate via the platform @@ -1085,14 +1232,12 @@ After following the steps to create the store type and certificate store in the ![](images/vault_cli_read.png) - ## Defining Certificate Stores The Hashicorp Vault Universal Orchestrator extension implements 5 Certificate Store Types, each of which implements different functionality. Refer to the individual instructions below for each Certificate Store Type that you deemed necessary for your use case from the installation section.
Hashicorp Vault PKI (HCVPKI) - ### Store Creation #### Manually with the Command UI @@ -1107,12 +1252,13 @@ The Hashicorp Vault Universal Orchestrator extension implements 5 Certificate St Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form. - | Attribute | Description | - | --------- |---------------------------------------------------------| + | Attribute | Description | + | --------- | ----------- | | Category | Select "Hashicorp Vault PKI" or the customized certificate store name from the previous step. | | Container | Optional container to associate certificate store with. | | Client Machine | This can be any value to help uniquely identify the store. It is not used by this integration. | | Store Path | For HCVPKI, this will be '/' | + | Store Password | Vault token that will be used for authenticating | | Orchestrator | Select an approved orchestrator capable of managing `HCVPKI` certificates. Specifically, one with the `HCVPKI` capability. | | ServerUsername | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 | | ServerPassword | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance | @@ -1121,8 +1267,6 @@ The Hashicorp Vault Universal Orchestrator extension implements 5 Certificate St
- - #### Using kfutil CLI
Click to expand details @@ -1142,6 +1286,7 @@ The Hashicorp Vault Universal Orchestrator extension implements 5 Certificate St | Container | Optional container to associate certificate store with. | | Client Machine | This can be any value to help uniquely identify the store. It is not used by this integration. | | Store Path | For HCVPKI, this will be '/' | + | Store Password | Vault token that will be used for authenticating | | Orchestrator | Select an approved orchestrator capable of managing `HCVPKI` certificates. Specifically, one with the `HCVPKI` capability. | | Properties.ServerUsername | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 | | Properties.ServerPassword | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance | @@ -1156,7 +1301,6 @@ The Hashicorp Vault Universal Orchestrator extension implements 5 Certificate St
- #### PAM Provider Eligible Fields
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator @@ -1172,10 +1316,8 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
- > The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store). - ### The Hashicorp PKI and Keyfactor Plugin secrets engines Both the [Hashicorp PKI](https://developer.hashicorp.com/vault/api-docs/secret/pki) and [Keyfactor Secrets](https://github.com/Keyfactor/hashicorp-vault-secretsengine) Engine plugins are designed to allow managing certifications directly on the Hashicorp Vault instance. @@ -1247,7 +1389,6 @@ At this point, the certificate store should be created and ready to peform inven
Hashicorp Vault Key-Value PEM (HCVKVPEM) - ### Store Creation #### Manually with the Command UI @@ -1262,12 +1403,13 @@ At this point, the certificate store should be created and ready to peform inven Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form. - | Attribute | Description | - | --------- |---------------------------------------------------------| + | Attribute | Description | + | --------- | ----------- | | Category | Select "Hashicorp Vault Key-Value PEM" or the customized certificate store name from the previous step. | | Container | Optional container to associate certificate store with. | | Client Machine | This can be any value to help uniquely identify the store. It is not used by this integration. | | Store Path | This is the path after mount point where the certificates will be stored. | + | Store Password | Vault token that will be used for authenticating | | Orchestrator | Select an approved orchestrator capable of managing `HCVKVPEM` certificates. Specifically, one with the `HCVKVPEM` capability. | | ServerUsername | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 | | ServerPassword | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance | @@ -1277,8 +1419,6 @@ At this point, the certificate store should be created and ready to peform inven
- - #### Using kfutil CLI
Click to expand details @@ -1298,6 +1438,7 @@ At this point, the certificate store should be created and ready to peform inven | Container | Optional container to associate certificate store with. | | Client Machine | This can be any value to help uniquely identify the store. It is not used by this integration. | | Store Path | This is the path after mount point where the certificates will be stored. | + | Store Password | Vault token that will be used for authenticating | | Orchestrator | Select an approved orchestrator capable of managing `HCVKVPEM` certificates. Specifically, one with the `HCVKVPEM` capability. | | Properties.ServerUsername | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 | | Properties.ServerPassword | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance | @@ -1313,7 +1454,6 @@ At this point, the certificate store should be created and ready to peform inven
- #### PAM Provider Eligible Fields
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator @@ -1329,15 +1469,12 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
- > The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store). -
Hashicorp Vault Key-Value JKS (HCVKVJKS) - ### Store Creation #### Manually with the Command UI @@ -1352,12 +1489,13 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form. - | Attribute | Description | - | --------- |---------------------------------------------------------| + | Attribute | Description | + | --------- | ----------- | | Category | Select "Hashicorp Vault Key-Value JKS" or the customized certificate store name from the previous step. | | Container | Optional container to associate certificate store with. | | Client Machine | This can be any value to help uniquely identify the store. It is not used by this integration. | | Store Path | This is the path to the secret containing the store. | + | Store Password | Vault token that will be used for authenticating | | Orchestrator | Select an approved orchestrator capable of managing `HCVKVJKS` certificates. Specifically, one with the `HCVKVJKS` capability. | | ServerUsername | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 | | ServerPassword | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance | @@ -1367,8 +1505,6 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
- - #### Using kfutil CLI
Click to expand details @@ -1388,6 +1524,7 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov | Container | Optional container to associate certificate store with. | | Client Machine | This can be any value to help uniquely identify the store. It is not used by this integration. | | Store Path | This is the path to the secret containing the store. | + | Store Password | Vault token that will be used for authenticating | | Orchestrator | Select an approved orchestrator capable of managing `HCVKVJKS` certificates. Specifically, one with the `HCVKVJKS` capability. | | Properties.ServerUsername | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 | | Properties.ServerPassword | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance | @@ -1403,7 +1540,6 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
- #### PAM Provider Eligible Fields
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator @@ -1419,10 +1555,8 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
- > The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store). - ### Configuration in Keyfactor Command #### Create the Store Type @@ -1485,7 +1619,6 @@ In Keyfactor Command create a new Certificate Store that resembles the one below
Hashicorp Vault Key-Value PKCS12 (HCVKVP12) - ### Store Creation #### Manually with the Command UI @@ -1500,12 +1633,13 @@ In Keyfactor Command create a new Certificate Store that resembles the one below Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form. - | Attribute | Description | - | --------- |---------------------------------------------------------| + | Attribute | Description | + | --------- | ----------- | | Category | Select "Hashicorp Vault Key-Value PKCS12" or the customized certificate store name from the previous step. | | Container | Optional container to associate certificate store with. | | Client Machine | This can be any value to help uniquely identify the store. It is not used by this integration. | | Store Path | This is the path to the secret containing the store. | + | Store Password | Vault token that will be used for authenticating | | Orchestrator | Select an approved orchestrator capable of managing `HCVKVP12` certificates. Specifically, one with the `HCVKVP12` capability. | | ServerUsername | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 | | ServerPassword | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance | @@ -1515,8 +1649,6 @@ In Keyfactor Command create a new Certificate Store that resembles the one below
- - #### Using kfutil CLI
Click to expand details @@ -1536,6 +1668,7 @@ In Keyfactor Command create a new Certificate Store that resembles the one below | Container | Optional container to associate certificate store with. | | Client Machine | This can be any value to help uniquely identify the store. It is not used by this integration. | | Store Path | This is the path to the secret containing the store. | + | Store Password | Vault token that will be used for authenticating | | Orchestrator | Select an approved orchestrator capable of managing `HCVKVP12` certificates. Specifically, one with the `HCVKVP12` capability. | | Properties.ServerUsername | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 | | Properties.ServerPassword | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance | @@ -1551,7 +1684,6 @@ In Keyfactor Command create a new Certificate Store that resembles the one below
- #### PAM Provider Eligible Fields
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator @@ -1567,10 +1699,8 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
- > The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store). - ### Configuration in Keyfactor Command #### Create the Store Type @@ -1635,7 +1765,6 @@ At this point, the certificate store should be created and ready to peform inven
Hashicorp Vault Key-Value PFX (HCVKVPFX) - ### Store Creation #### Manually with the Command UI @@ -1650,12 +1779,13 @@ At this point, the certificate store should be created and ready to peform inven Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form. - | Attribute | Description | - | --------- |---------------------------------------------------------| + | Attribute | Description | + | --------- | ----------- | | Category | Select "Hashicorp Vault Key-Value PFX" or the customized certificate store name from the previous step. | | Container | Optional container to associate certificate store with. | | Client Machine | This can be any value to help uniquely identify the store. It is not used by this integration. | | Store Path | This is the path to the secret containing the store. | + | Store Password | Vault token that will be used for authenticating | | Orchestrator | Select an approved orchestrator capable of managing `HCVKVPFX` certificates. Specifically, one with the `HCVKVPFX` capability. | | ServerUsername | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 | | ServerPassword | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance | @@ -1665,8 +1795,6 @@ At this point, the certificate store should be created and ready to peform inven
- - #### Using kfutil CLI
Click to expand details @@ -1686,6 +1814,7 @@ At this point, the certificate store should be created and ready to peform inven | Container | Optional container to associate certificate store with. | | Client Machine | This can be any value to help uniquely identify the store. It is not used by this integration. | | Store Path | This is the path to the secret containing the store. | + | Store Password | Vault token that will be used for authenticating | | Orchestrator | Select an approved orchestrator capable of managing `HCVKVPFX` certificates. Specifically, one with the `HCVKVPFX` capability. | | Properties.ServerUsername | The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200 | | Properties.ServerPassword | Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance | @@ -1701,7 +1830,6 @@ At this point, the certificate store should be created and ready to peform inven
- #### PAM Provider Eligible Fields
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator @@ -1717,10 +1845,8 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
- > The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store). - ### Configuration in Keyfactor Command #### Create the Store Type @@ -1786,8 +1912,6 @@ At this point, the certificate store should be created and ready to peform inven ## Discovering Certificate Stores with the Discovery Job
Hashicorp Vault Key-Value PEM - - ### Hashicorp Vault Key-Value PEM Discovery Job When the discovery job is executed, it will scan the provided vault path, and any sub-paths contained within it. @@ -1810,12 +1934,9 @@ Set the following fields to configure a discovery job for PEM Certificate Stores ![](images/discovery.png) **Note**: The discovery job will return a collection of any paths beneath the provided root path that contains valid PEM-formatted certificates with the secret name ending in "certificate". -
- +
Hashicorp Vault Key-Value JKS - - ### Hashicorp Vault Key-Value JKS Discovery Job When the discovery job is executed, it will scan the provided vault path, and any sub-paths contained within it. @@ -1842,12 +1963,9 @@ Set the following fields to configure a discovery job for JKS Certificate Stores ![](images/discovery.png) **Note**: The image shows an example configuration for a Discovery job with the HCVKVPEM store type, but the same approach is used across all of the store types. -
- +
Hashicorp Vault Key-Value PKCS12 - - ### Hashicorp Vault Key-Value PKCS12 Discovery Job When the discovery job is executed, it will scan the provided vault path, and any sub-paths contained within it. @@ -1874,12 +1992,9 @@ Set the following fields to configure a discovery job for PKCS12 Certificate Sto ![](images/discovery.png) **Note**: The image shows an example configuration for a Discovery job with the HCVKVPEM store type, but the same approach is used across all of the store types. -
- +
Hashicorp Vault Key-Value PFX - - ### Hashicorp Vault Key-Value PFX Discovery Job When the discovery job is executed, it will scan the provided vault path, and any sub-paths contained within it. @@ -1905,10 +2020,8 @@ Set the following fields to configure a discovery job for PFX Certificate Stores ![](images/discovery.png) **Note**: The image shows an example configuration for a Discovery job with the HCVKVPEM store type, but the same approach is used across all of the store types. -
- - +
## Use Cases @@ -1970,11 +2083,10 @@ This integration was built on the .NET Core 3.1 target framework and are compati - For the Key-Value stores we operate on a single version of the Key Value secret (no versioning capabilities through the Orchesterator Extension / Keyfactor). - ## License Apache License 2.0, see [LICENSE](LICENSE). ## Related Integrations -See all [Keyfactor Universal Orchestrator extensions](https://github.com/orgs/Keyfactor/repositories?q=orchestrator). \ No newline at end of file +See all [Keyfactor Universal Orchestrator extensions](https://github.com/orgs/Keyfactor/repositories?q=orchestrator). diff --git a/docsource/images/HCVKVJKS-advanced-store-type-dialog.svg b/docsource/images/HCVKVJKS-advanced-store-type-dialog.svg new file mode 100644 index 0000000..4bd468b --- /dev/null +++ b/docsource/images/HCVKVJKS-advanced-store-type-dialog.svg @@ -0,0 +1,67 @@ +ο»Ώ + + + + + + + + Edit Certificate Store Type + + + + Basic + Advanced + + Custom Fields + Entry Parameters + + + + + Store Path Type + + + + Freeform + + Fixed + + Multiple Choice + + + + + Other Settings + + Supports Custom Alias + + Forbidden + + Optional + + + Required + Private Key Handling + + Forbidden + + + Optional + + Required + PFX Password Style + + + Default + + Custom + \ No newline at end of file diff --git a/docsource/images/HCVKVJKS-basic-store-type-dialog.svg b/docsource/images/HCVKVJKS-basic-store-type-dialog.svg new file mode 100644 index 0000000..066d24c --- /dev/null +++ b/docsource/images/HCVKVJKS-basic-store-type-dialog.svg @@ -0,0 +1,85 @@ +ο»Ώ + + + + + + + + Edit Certificate Store Type + + + + Basic + + Advanced + Custom Fields + Entry Parameters + + + + + Details + + Name + + Hashicorp Vault Key-Value JKS + Short Name + + HCVKVJKS + Custom Capability + + + Custom Capability + + + + Supported Job Types + + + + Inventory + + + Add + + + Remove + + + Create + + + Discovery + + ODKG + + + + General Settings + + + + Needs Server + + Blueprint Allowed + + Uses PowerShell + + + + Password Settings + + + Requires Store Password + + Supports Entry Password + \ No newline at end of file diff --git a/docsource/images/HCVKVJKS-custom-field-IncludeCertChain-dialog.svg b/docsource/images/HCVKVJKS-custom-field-IncludeCertChain-dialog.svg new file mode 100644 index 0000000..31bd7bd --- /dev/null +++ b/docsource/images/HCVKVJKS-custom-field-IncludeCertChain-dialog.svg @@ -0,0 +1,54 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + + Validation Options + + Name + + IncludeCertChain + Display Name + + Include Certificate Chain + Type + + Bool + ∨ + Default Value + + True + + + False + + Not Set + Depends On + + + Server Username + ∨ + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVJKS-custom-field-IncludeCertChain-validation-options-dialog.svg b/docsource/images/HCVKVJKS-custom-field-IncludeCertChain-validation-options-dialog.svg new file mode 100644 index 0000000..22f8bbd --- /dev/null +++ b/docsource/images/HCVKVJKS-custom-field-IncludeCertChain-validation-options-dialog.svg @@ -0,0 +1,39 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + Validation Options + + + Creating a certificate store + + + Optional + + Required + + Hidden + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVJKS-custom-field-MountPoint-dialog.svg b/docsource/images/HCVKVJKS-custom-field-MountPoint-dialog.svg new file mode 100644 index 0000000..a748017 --- /dev/null +++ b/docsource/images/HCVKVJKS-custom-field-MountPoint-dialog.svg @@ -0,0 +1,49 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + + Validation Options + + Name + + MountPoint + Display Name + + Mount Point + Type + + String + ∨ + Default Value + + + Depends On + + + Server Username + ∨ + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVJKS-custom-field-MountPoint-validation-options-dialog.svg b/docsource/images/HCVKVJKS-custom-field-MountPoint-validation-options-dialog.svg new file mode 100644 index 0000000..22f8bbd --- /dev/null +++ b/docsource/images/HCVKVJKS-custom-field-MountPoint-validation-options-dialog.svg @@ -0,0 +1,39 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + Validation Options + + + Creating a certificate store + + + Optional + + Required + + Hidden + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVJKS-custom-field-PassphrasePath-dialog.svg b/docsource/images/HCVKVJKS-custom-field-PassphrasePath-dialog.svg new file mode 100644 index 0000000..aefe1c7 --- /dev/null +++ b/docsource/images/HCVKVJKS-custom-field-PassphrasePath-dialog.svg @@ -0,0 +1,49 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + + Validation Options + + Name + + PassphrasePath + Display Name + + Passphrase Path + Type + + String + ∨ + Default Value + + + Depends On + + + Server Username + ∨ + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVJKS-custom-field-PassphrasePath-validation-options-dialog.svg b/docsource/images/HCVKVJKS-custom-field-PassphrasePath-validation-options-dialog.svg new file mode 100644 index 0000000..22f8bbd --- /dev/null +++ b/docsource/images/HCVKVJKS-custom-field-PassphrasePath-validation-options-dialog.svg @@ -0,0 +1,39 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + Validation Options + + + Creating a certificate store + + + Optional + + Required + + Hidden + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVJKS-custom-fields-store-type-dialog.svg b/docsource/images/HCVKVJKS-custom-fields-store-type-dialog.svg new file mode 100644 index 0000000..1ef97fd --- /dev/null +++ b/docsource/images/HCVKVJKS-custom-fields-store-type-dialog.svg @@ -0,0 +1,87 @@ +ο»Ώ + + + + + + + + Edit Certificate Store Type + + + + Basic + Advanced + Custom Fields + + Entry Parameters + + + + + + ADD + + EDIT + + DELETE + Total: 5 + + + Display Name + Type + Default Value / Options + + + + + + + + + + + Server Username + Secret + + + + + + + Server Password + Secret + + + + + + + Include Certificate Chain + Bool + false + + + + + + + Mount Point + String + + + + + + + Passphrase Path + String + \ No newline at end of file diff --git a/docsource/images/HCVKVP12-advanced-store-type-dialog.svg b/docsource/images/HCVKVP12-advanced-store-type-dialog.svg new file mode 100644 index 0000000..4bd468b --- /dev/null +++ b/docsource/images/HCVKVP12-advanced-store-type-dialog.svg @@ -0,0 +1,67 @@ +ο»Ώ + + + + + + + + Edit Certificate Store Type + + + + Basic + Advanced + + Custom Fields + Entry Parameters + + + + + Store Path Type + + + + Freeform + + Fixed + + Multiple Choice + + + + + Other Settings + + Supports Custom Alias + + Forbidden + + Optional + + + Required + Private Key Handling + + Forbidden + + + Optional + + Required + PFX Password Style + + + Default + + Custom + \ No newline at end of file diff --git a/docsource/images/HCVKVP12-basic-store-type-dialog.svg b/docsource/images/HCVKVP12-basic-store-type-dialog.svg new file mode 100644 index 0000000..f4575d0 --- /dev/null +++ b/docsource/images/HCVKVP12-basic-store-type-dialog.svg @@ -0,0 +1,85 @@ +ο»Ώ + + + + + + + + Edit Certificate Store Type + + + + Basic + + Advanced + Custom Fields + Entry Parameters + + + + + Details + + Name + + Hashicorp Vault Key-Value PKCS12 + Short Name + + HCVKVP12 + Custom Capability + + + Custom Capability + + + + Supported Job Types + + + + Inventory + + + Add + + + Remove + + + Create + + + Discovery + + ODKG + + + + General Settings + + + + Needs Server + + Blueprint Allowed + + Uses PowerShell + + + + Password Settings + + + Requires Store Password + + Supports Entry Password + \ No newline at end of file diff --git a/docsource/images/HCVKVP12-custom-field-IncludeCertChain-dialog.svg b/docsource/images/HCVKVP12-custom-field-IncludeCertChain-dialog.svg new file mode 100644 index 0000000..31bd7bd --- /dev/null +++ b/docsource/images/HCVKVP12-custom-field-IncludeCertChain-dialog.svg @@ -0,0 +1,54 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + + Validation Options + + Name + + IncludeCertChain + Display Name + + Include Certificate Chain + Type + + Bool + ∨ + Default Value + + True + + + False + + Not Set + Depends On + + + Server Username + ∨ + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVP12-custom-field-IncludeCertChain-validation-options-dialog.svg b/docsource/images/HCVKVP12-custom-field-IncludeCertChain-validation-options-dialog.svg new file mode 100644 index 0000000..22f8bbd --- /dev/null +++ b/docsource/images/HCVKVP12-custom-field-IncludeCertChain-validation-options-dialog.svg @@ -0,0 +1,39 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + Validation Options + + + Creating a certificate store + + + Optional + + Required + + Hidden + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVP12-custom-field-MountPoint-dialog.svg b/docsource/images/HCVKVP12-custom-field-MountPoint-dialog.svg new file mode 100644 index 0000000..a748017 --- /dev/null +++ b/docsource/images/HCVKVP12-custom-field-MountPoint-dialog.svg @@ -0,0 +1,49 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + + Validation Options + + Name + + MountPoint + Display Name + + Mount Point + Type + + String + ∨ + Default Value + + + Depends On + + + Server Username + ∨ + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVP12-custom-field-MountPoint-validation-options-dialog.svg b/docsource/images/HCVKVP12-custom-field-MountPoint-validation-options-dialog.svg new file mode 100644 index 0000000..22f8bbd --- /dev/null +++ b/docsource/images/HCVKVP12-custom-field-MountPoint-validation-options-dialog.svg @@ -0,0 +1,39 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + Validation Options + + + Creating a certificate store + + + Optional + + Required + + Hidden + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVP12-custom-field-PassphrasePath-dialog.svg b/docsource/images/HCVKVP12-custom-field-PassphrasePath-dialog.svg new file mode 100644 index 0000000..aefe1c7 --- /dev/null +++ b/docsource/images/HCVKVP12-custom-field-PassphrasePath-dialog.svg @@ -0,0 +1,49 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + + Validation Options + + Name + + PassphrasePath + Display Name + + Passphrase Path + Type + + String + ∨ + Default Value + + + Depends On + + + Server Username + ∨ + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVP12-custom-field-PassphrasePath-validation-options-dialog.svg b/docsource/images/HCVKVP12-custom-field-PassphrasePath-validation-options-dialog.svg new file mode 100644 index 0000000..22f8bbd --- /dev/null +++ b/docsource/images/HCVKVP12-custom-field-PassphrasePath-validation-options-dialog.svg @@ -0,0 +1,39 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + Validation Options + + + Creating a certificate store + + + Optional + + Required + + Hidden + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVP12-custom-fields-store-type-dialog.svg b/docsource/images/HCVKVP12-custom-fields-store-type-dialog.svg new file mode 100644 index 0000000..1ef97fd --- /dev/null +++ b/docsource/images/HCVKVP12-custom-fields-store-type-dialog.svg @@ -0,0 +1,87 @@ +ο»Ώ + + + + + + + + Edit Certificate Store Type + + + + Basic + Advanced + Custom Fields + + Entry Parameters + + + + + + ADD + + EDIT + + DELETE + Total: 5 + + + Display Name + Type + Default Value / Options + + + + + + + + + + + Server Username + Secret + + + + + + + Server Password + Secret + + + + + + + Include Certificate Chain + Bool + false + + + + + + + Mount Point + String + + + + + + + Passphrase Path + String + \ No newline at end of file diff --git a/docsource/images/HCVKVPEM-advanced-store-type-dialog.svg b/docsource/images/HCVKVPEM-advanced-store-type-dialog.svg new file mode 100644 index 0000000..4bd468b --- /dev/null +++ b/docsource/images/HCVKVPEM-advanced-store-type-dialog.svg @@ -0,0 +1,67 @@ +ο»Ώ + + + + + + + + Edit Certificate Store Type + + + + Basic + Advanced + + Custom Fields + Entry Parameters + + + + + Store Path Type + + + + Freeform + + Fixed + + Multiple Choice + + + + + Other Settings + + Supports Custom Alias + + Forbidden + + Optional + + + Required + Private Key Handling + + Forbidden + + + Optional + + Required + PFX Password Style + + + Default + + Custom + \ No newline at end of file diff --git a/docsource/images/HCVKVPEM-basic-store-type-dialog.svg b/docsource/images/HCVKVPEM-basic-store-type-dialog.svg new file mode 100644 index 0000000..e77e4b1 --- /dev/null +++ b/docsource/images/HCVKVPEM-basic-store-type-dialog.svg @@ -0,0 +1,85 @@ +ο»Ώ + + + + + + + + Edit Certificate Store Type + + + + Basic + + Advanced + Custom Fields + Entry Parameters + + + + + Details + + Name + + Hashicorp Vault Key-Value PEM + Short Name + + HCVKVPEM + Custom Capability + + + Custom Capability + + + + Supported Job Types + + + + Inventory + + + Add + + + Remove + + + Create + + + Discovery + + ODKG + + + + General Settings + + + + Needs Server + + Blueprint Allowed + + Uses PowerShell + + + + Password Settings + + + Requires Store Password + + Supports Entry Password + \ No newline at end of file diff --git a/docsource/images/HCVKVPEM-custom-field-IncludeCertChain-dialog.svg b/docsource/images/HCVKVPEM-custom-field-IncludeCertChain-dialog.svg new file mode 100644 index 0000000..31bd7bd --- /dev/null +++ b/docsource/images/HCVKVPEM-custom-field-IncludeCertChain-dialog.svg @@ -0,0 +1,54 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + + Validation Options + + Name + + IncludeCertChain + Display Name + + Include Certificate Chain + Type + + Bool + ∨ + Default Value + + True + + + False + + Not Set + Depends On + + + Server Username + ∨ + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVPEM-custom-field-IncludeCertChain-validation-options-dialog.svg b/docsource/images/HCVKVPEM-custom-field-IncludeCertChain-validation-options-dialog.svg new file mode 100644 index 0000000..22f8bbd --- /dev/null +++ b/docsource/images/HCVKVPEM-custom-field-IncludeCertChain-validation-options-dialog.svg @@ -0,0 +1,39 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + Validation Options + + + Creating a certificate store + + + Optional + + Required + + Hidden + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVPEM-custom-field-MountPoint-dialog.svg b/docsource/images/HCVKVPEM-custom-field-MountPoint-dialog.svg new file mode 100644 index 0000000..a748017 --- /dev/null +++ b/docsource/images/HCVKVPEM-custom-field-MountPoint-dialog.svg @@ -0,0 +1,49 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + + Validation Options + + Name + + MountPoint + Display Name + + Mount Point + Type + + String + ∨ + Default Value + + + Depends On + + + Server Username + ∨ + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVPEM-custom-field-MountPoint-validation-options-dialog.svg b/docsource/images/HCVKVPEM-custom-field-MountPoint-validation-options-dialog.svg new file mode 100644 index 0000000..22f8bbd --- /dev/null +++ b/docsource/images/HCVKVPEM-custom-field-MountPoint-validation-options-dialog.svg @@ -0,0 +1,39 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + Validation Options + + + Creating a certificate store + + + Optional + + Required + + Hidden + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVPEM-custom-field-SubfolderInventory-dialog.svg b/docsource/images/HCVKVPEM-custom-field-SubfolderInventory-dialog.svg new file mode 100644 index 0000000..71fca37 --- /dev/null +++ b/docsource/images/HCVKVPEM-custom-field-SubfolderInventory-dialog.svg @@ -0,0 +1,54 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + + Validation Options + + Name + + SubfolderInventory + Display Name + + Subfolder Inventory + Type + + Bool + ∨ + Default Value + + True + + + False + + Not Set + Depends On + + + Server Username + ∨ + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVPEM-custom-field-SubfolderInventory-validation-options-dialog.svg b/docsource/images/HCVKVPEM-custom-field-SubfolderInventory-validation-options-dialog.svg new file mode 100644 index 0000000..22f8bbd --- /dev/null +++ b/docsource/images/HCVKVPEM-custom-field-SubfolderInventory-validation-options-dialog.svg @@ -0,0 +1,39 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + Validation Options + + + Creating a certificate store + + + Optional + + Required + + Hidden + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVPEM-custom-fields-store-type-dialog.svg b/docsource/images/HCVKVPEM-custom-fields-store-type-dialog.svg new file mode 100644 index 0000000..38a1bba --- /dev/null +++ b/docsource/images/HCVKVPEM-custom-fields-store-type-dialog.svg @@ -0,0 +1,88 @@ +ο»Ώ + + + + + + + + Edit Certificate Store Type + + + + Basic + Advanced + Custom Fields + + Entry Parameters + + + + + + ADD + + EDIT + + DELETE + Total: 5 + + + Display Name + Type + Default Value / Options + + + + + + + + + + + Server Username + Secret + + + + + + + Server Password + Secret + + + + + + + Subfolder Inventory + Bool + false + + + + + + + Include Certificate Chain + Bool + false + + + + + + + Mount Point + String + \ No newline at end of file diff --git a/docsource/images/HCVKVPFX-advanced-store-type-dialog.svg b/docsource/images/HCVKVPFX-advanced-store-type-dialog.svg new file mode 100644 index 0000000..4bd468b --- /dev/null +++ b/docsource/images/HCVKVPFX-advanced-store-type-dialog.svg @@ -0,0 +1,67 @@ +ο»Ώ + + + + + + + + Edit Certificate Store Type + + + + Basic + Advanced + + Custom Fields + Entry Parameters + + + + + Store Path Type + + + + Freeform + + Fixed + + Multiple Choice + + + + + Other Settings + + Supports Custom Alias + + Forbidden + + Optional + + + Required + Private Key Handling + + Forbidden + + + Optional + + Required + PFX Password Style + + + Default + + Custom + \ No newline at end of file diff --git a/docsource/images/HCVKVPFX-basic-store-type-dialog.svg b/docsource/images/HCVKVPFX-basic-store-type-dialog.svg new file mode 100644 index 0000000..6b53fe1 --- /dev/null +++ b/docsource/images/HCVKVPFX-basic-store-type-dialog.svg @@ -0,0 +1,85 @@ +ο»Ώ + + + + + + + + Edit Certificate Store Type + + + + Basic + + Advanced + Custom Fields + Entry Parameters + + + + + Details + + Name + + Hashicorp Vault Key-Value PFX + Short Name + + HCVKVPFX + Custom Capability + + + Custom Capability + + + + Supported Job Types + + + + Inventory + + + Add + + + Remove + + + Create + + + Discovery + + ODKG + + + + General Settings + + + + Needs Server + + Blueprint Allowed + + Uses PowerShell + + + + Password Settings + + + Requires Store Password + + Supports Entry Password + \ No newline at end of file diff --git a/docsource/images/HCVKVPFX-custom-field-IncludeCertChain-dialog.svg b/docsource/images/HCVKVPFX-custom-field-IncludeCertChain-dialog.svg new file mode 100644 index 0000000..31bd7bd --- /dev/null +++ b/docsource/images/HCVKVPFX-custom-field-IncludeCertChain-dialog.svg @@ -0,0 +1,54 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + + Validation Options + + Name + + IncludeCertChain + Display Name + + Include Certificate Chain + Type + + Bool + ∨ + Default Value + + True + + + False + + Not Set + Depends On + + + Server Username + ∨ + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVPFX-custom-field-IncludeCertChain-validation-options-dialog.svg b/docsource/images/HCVKVPFX-custom-field-IncludeCertChain-validation-options-dialog.svg new file mode 100644 index 0000000..22f8bbd --- /dev/null +++ b/docsource/images/HCVKVPFX-custom-field-IncludeCertChain-validation-options-dialog.svg @@ -0,0 +1,39 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + Validation Options + + + Creating a certificate store + + + Optional + + Required + + Hidden + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVPFX-custom-field-MountPoint-dialog.svg b/docsource/images/HCVKVPFX-custom-field-MountPoint-dialog.svg new file mode 100644 index 0000000..a748017 --- /dev/null +++ b/docsource/images/HCVKVPFX-custom-field-MountPoint-dialog.svg @@ -0,0 +1,49 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + + Validation Options + + Name + + MountPoint + Display Name + + Mount Point + Type + + String + ∨ + Default Value + + + Depends On + + + Server Username + ∨ + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVPFX-custom-field-MountPoint-validation-options-dialog.svg b/docsource/images/HCVKVPFX-custom-field-MountPoint-validation-options-dialog.svg new file mode 100644 index 0000000..22f8bbd --- /dev/null +++ b/docsource/images/HCVKVPFX-custom-field-MountPoint-validation-options-dialog.svg @@ -0,0 +1,39 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + Validation Options + + + Creating a certificate store + + + Optional + + Required + + Hidden + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVPFX-custom-field-PassphrasePath-dialog.svg b/docsource/images/HCVKVPFX-custom-field-PassphrasePath-dialog.svg new file mode 100644 index 0000000..aefe1c7 --- /dev/null +++ b/docsource/images/HCVKVPFX-custom-field-PassphrasePath-dialog.svg @@ -0,0 +1,49 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + + Validation Options + + Name + + PassphrasePath + Display Name + + Passphrase Path + Type + + String + ∨ + Default Value + + + Depends On + + + Server Username + ∨ + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVPFX-custom-field-PassphrasePath-validation-options-dialog.svg b/docsource/images/HCVKVPFX-custom-field-PassphrasePath-validation-options-dialog.svg new file mode 100644 index 0000000..22f8bbd --- /dev/null +++ b/docsource/images/HCVKVPFX-custom-field-PassphrasePath-validation-options-dialog.svg @@ -0,0 +1,39 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + Validation Options + + + Creating a certificate store + + + Optional + + Required + + Hidden + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVKVPFX-custom-fields-store-type-dialog.svg b/docsource/images/HCVKVPFX-custom-fields-store-type-dialog.svg new file mode 100644 index 0000000..1ef97fd --- /dev/null +++ b/docsource/images/HCVKVPFX-custom-fields-store-type-dialog.svg @@ -0,0 +1,87 @@ +ο»Ώ + + + + + + + + Edit Certificate Store Type + + + + Basic + Advanced + Custom Fields + + Entry Parameters + + + + + + ADD + + EDIT + + DELETE + Total: 5 + + + Display Name + Type + Default Value / Options + + + + + + + + + + + Server Username + Secret + + + + + + + Server Password + Secret + + + + + + + Include Certificate Chain + Bool + false + + + + + + + Mount Point + String + + + + + + + Passphrase Path + String + \ No newline at end of file diff --git a/docsource/images/HCVPKI-advanced-store-type-dialog.svg b/docsource/images/HCVPKI-advanced-store-type-dialog.svg new file mode 100644 index 0000000..3804622 --- /dev/null +++ b/docsource/images/HCVPKI-advanced-store-type-dialog.svg @@ -0,0 +1,68 @@ +ο»Ώ + + + + + + + + Edit Certificate Store Type + + + + Basic + Advanced + + Custom Fields + Entry Parameters + + + + + Store Path Type + + + Freeform + + + Fixed + + Multiple Choice + + / + + + + Other Settings + + Supports Custom Alias + + + Forbidden + + Optional + + Required + Private Key Handling + + + Forbidden + + Optional + + Required + PFX Password Style + + + Default + + Custom + \ No newline at end of file diff --git a/docsource/images/HCVPKI-basic-store-type-dialog.svg b/docsource/images/HCVPKI-basic-store-type-dialog.svg new file mode 100644 index 0000000..b8b5174 --- /dev/null +++ b/docsource/images/HCVPKI-basic-store-type-dialog.svg @@ -0,0 +1,81 @@ +ο»Ώ + + + + + + + + Edit Certificate Store Type + + + + Basic + + Advanced + Custom Fields + Entry Parameters + + + + + Details + + Name + + Hashicorp Vault PKI + Short Name + + HCVPKI + Custom Capability + + + Custom Capability + + + + Supported Job Types + + + + Inventory + + Add + + Remove + + Create + + Discovery + + ODKG + + + + General Settings + + + + Needs Server + + Blueprint Allowed + + Uses PowerShell + + + + Password Settings + + + Requires Store Password + + Supports Entry Password + \ No newline at end of file diff --git a/docsource/images/HCVPKI-custom-field-MountPoint-dialog.svg b/docsource/images/HCVPKI-custom-field-MountPoint-dialog.svg new file mode 100644 index 0000000..a748017 --- /dev/null +++ b/docsource/images/HCVPKI-custom-field-MountPoint-dialog.svg @@ -0,0 +1,49 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + + Validation Options + + Name + + MountPoint + Display Name + + Mount Point + Type + + String + ∨ + Default Value + + + Depends On + + + Server Username + ∨ + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVPKI-custom-field-MountPoint-validation-options-dialog.svg b/docsource/images/HCVPKI-custom-field-MountPoint-validation-options-dialog.svg new file mode 100644 index 0000000..7993c23 --- /dev/null +++ b/docsource/images/HCVPKI-custom-field-MountPoint-validation-options-dialog.svg @@ -0,0 +1,39 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + Validation Options + + + Creating a certificate store + + Optional + + + Required + + Hidden + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVPKI-custom-field-PassphrasePath-dialog.svg b/docsource/images/HCVPKI-custom-field-PassphrasePath-dialog.svg new file mode 100644 index 0000000..aefe1c7 --- /dev/null +++ b/docsource/images/HCVPKI-custom-field-PassphrasePath-dialog.svg @@ -0,0 +1,49 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + + Validation Options + + Name + + PassphrasePath + Display Name + + Passphrase Path + Type + + String + ∨ + Default Value + + + Depends On + + + Server Username + ∨ + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVPKI-custom-field-PassphrasePath-validation-options-dialog.svg b/docsource/images/HCVPKI-custom-field-PassphrasePath-validation-options-dialog.svg new file mode 100644 index 0000000..22f8bbd --- /dev/null +++ b/docsource/images/HCVPKI-custom-field-PassphrasePath-validation-options-dialog.svg @@ -0,0 +1,39 @@ +ο»Ώ + + + + + + + + Edit Custom Field + Γ— + + + + Basic Information + Validation Options + + + Creating a certificate store + + + Optional + + Required + + Hidden + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/HCVPKI-custom-fields-store-type-dialog.svg b/docsource/images/HCVPKI-custom-fields-store-type-dialog.svg new file mode 100644 index 0000000..b7d76d1 --- /dev/null +++ b/docsource/images/HCVPKI-custom-fields-store-type-dialog.svg @@ -0,0 +1,78 @@ +ο»Ώ + + + + + + + + Edit Certificate Store Type + + + + Basic + Advanced + Custom Fields + + Entry Parameters + + + + + + ADD + + EDIT + + DELETE + Total: 4 + + + Display Name + Type + Default Value / Options + + + + + + + + + + + Server Username + Secret + + + + + + + Server Password + Secret + + + + + + + Mount Point + String + + + + + + + Passphrase Path + String + \ No newline at end of file diff --git a/hashicorp-vault-orchestrator.Tests/HcvKeyValueClientTests.cs b/hashicorp-vault-orchestrator.Tests/HcvKeyValueClientTests.cs new file mode 100644 index 0000000..f5a17d9 --- /dev/null +++ b/hashicorp-vault-orchestrator.Tests/HcvKeyValueClientTests.cs @@ -0,0 +1,417 @@ +// Copyright 2025 Keyfactor +// Licensed under the Apache License, Version 2.0 + +using System; +using System.Collections.Generic; +using System.IO; +using System.Net; +using System.Threading.Tasks; +using FluentAssertions; +using Moq; +using Org.BouncyCastle.Asn1.X509; +using Org.BouncyCastle.Crypto; +using Org.BouncyCastle.Crypto.Generators; +using Org.BouncyCastle.Crypto.Operators; +using Org.BouncyCastle.Math; +using Org.BouncyCastle.Pkcs; +using Org.BouncyCastle.Security; +using Org.BouncyCastle.X509; +using VaultSharp.Core; +using Xunit; + +namespace Keyfactor.Extensions.Orchestrator.HashicorpVault.Tests +{ + // ============================================================ + // Shared test helpers + // ============================================================ + + internal static class TestCertHelper + { + public const string Passphrase = "testpass"; + + /// Returns base64-encoded bytes of an empty PFX store. + public static string EmptyPfxBase64(string passphrase = Passphrase) + { + var store = new Pkcs12StoreBuilder().Build(); + using var ms = new MemoryStream(); + store.Save(ms, passphrase.ToCharArray(), new SecureRandom()); + return Convert.ToBase64String(ms.ToArray()); + } + + /// Returns base64-encoded bytes of a PKCS12 containing a self-signed RSA cert. + public static string SelfSignedPfxBase64(string alias, string passphrase = Passphrase) + { + var keyGen = new RsaKeyPairGenerator(); + keyGen.Init(new KeyGenerationParameters(new SecureRandom(), 1024)); + AsymmetricCipherKeyPair keyPair = keyGen.GenerateKeyPair(); + + var certGen = new X509V3CertificateGenerator(); + var dn = new X509Name($"CN={alias}"); + certGen.SetIssuerDN(dn); + certGen.SetSubjectDN(dn); + certGen.SetSerialNumber(BigInteger.ProbablePrime(64, new Random())); + certGen.SetNotBefore(DateTime.UtcNow.AddDays(-1)); + certGen.SetNotAfter(DateTime.UtcNow.AddYears(1)); + certGen.SetPublicKey(keyPair.Public); + var cert = certGen.Generate(new Asn1SignatureFactory("SHA256WithRSA", keyPair.Private)); + + var pfx = new Pkcs12StoreBuilder().Build(); + pfx.SetKeyEntry(alias, new AsymmetricKeyEntry(keyPair.Private), new[] { new X509CertificateEntry(cert) }); + using var ms = new MemoryStream(); + pfx.Save(ms, passphrase.ToCharArray(), new SecureRandom()); + return Convert.ToBase64String(ms.ToArray()); + } + } + + // ============================================================ + // GetKVVersionAsync tests + // ============================================================ + + public class GetKVVersionAsyncTests + { + [Fact] + public async Task ReturnsTwo_WhenMountReportsVersionTwo() + { + var builder = VaultMockBuilder.WithKvVersion("kv-v2", 2); + var client = new VaultClientInjectableHcvClient(builder.Client.Object, "kv-v2"); + + (await client.GetKVVersionAsync()).Should().Be(2); + } + + [Fact] + public async Task ReturnsOne_WhenMountReportsVersionOne() + { + var builder = VaultMockBuilder.WithKvVersion("kv", 1); + var client = new VaultClientInjectableHcvClient(builder.Client.Object, "kv"); + + (await client.GetKVVersionAsync()).Should().Be(1); + } + + [Fact] + public async Task DefaultsToTwo_WhenSysMountsReturnsForbidden() + { + var builder = VaultMockBuilder.WithForbiddenMounts(); + var client = new VaultClientInjectableHcvClient(builder.Client.Object, "kv-v2"); + + // Must not throw β€” 403 is non-fatal, defaults to v2 + (await client.GetKVVersionAsync()).Should().Be(2, + because: "a 403 on sys/mounts should fall back to KV v2 rather than fail the job"); + } + + [Fact] + public async Task UsesCache_AfterFirstSuccessfulCall() + { + var builder = VaultMockBuilder.WithKvVersion("kv-v2", 2); + var client = new VaultClientInjectableHcvClient(builder.Client.Object, "kv-v2"); + + await client.GetKVVersionAsync(); + await client.GetKVVersionAsync(); + + builder.System.Verify(s => s.GetSecretBackendsAsync(), Moq.Times.Once); + } + + [Fact] + public async Task CachesForbiddenDefault_SoSysMountsCalledOnlyOnce() + { + var builder = VaultMockBuilder.WithForbiddenMounts(); + var client = new VaultClientInjectableHcvClient(builder.Client.Object, "kv-v2"); + + await client.GetKVVersionAsync(); + await client.GetKVVersionAsync(); + + builder.System.Verify(s => s.GetSecretBackendsAsync(), Moq.Times.Once); + } + + [Fact] + public async Task Throws_WhenSysMountsReturnsServerError() + { + var builder = VaultMockBuilder.WithMountsError(HttpStatusCode.InternalServerError); + var client = new VaultClientInjectableHcvClient(builder.Client.Object, "kv-v2"); + + Func act = () => client.GetKVVersionAsync(); + await act.Should().ThrowAsync() + .WithMessage("*", + because: "non-403 errors from sys/mounts are unexpected and must surface"); + } + + [Fact] + public async Task Throws_WhenMountPointNotFoundInResponse() + { + var builder = VaultMockBuilder.WithMountNotFound(presentMount: "other/"); + var client = new VaultClientInjectableHcvClient(builder.Client.Object, "kv-v2"); + + Func act = () => client.GetKVVersionAsync(); + await act.Should().ThrowAsync() + .WithMessage("*kv-v2*", + because: "the error should name the configured mount point"); + } + + [Fact] + public async Task NormalizesTrailingSlash_WhenMountPointLacksOne() + { + var builder = VaultMockBuilder.WithKvVersion("secret", 2); + var client = new VaultClientInjectableHcvClient(builder.Client.Object, "secret"); + + (await client.GetKVVersionAsync()).Should().Be(2); + } + } + + // ============================================================ + // CreateFileStore tests (Management-Create path) + // ============================================================ + + public class CreateFileStoreTests + { + private const string CertPath = "stores/pfx"; + private const string PassphrasePath = "stores/pfx/passphrase"; + private const string ExpectedCertPath = "/stores/pfx"; + private const string ExpectedPassPath = "/stores/pfx/passphrase"; + + [Fact] + public async Task NonJson_CertWrittenToFullCertPath() + { + var client = new TestableHcvKeyValueClient(CertPath, PassphrasePath); + await client.CreateCertStore(); + + client.WriteCalls.Should().NotBeEmpty(); + client.WriteCalls[0].path.Should().Be(ExpectedCertPath); + } + + [Fact] + public async Task NonJson_PassphraseWrittenToFullPassphrasePath() + { + var client = new TestableHcvKeyValueClient(CertPath, PassphrasePath); + await client.CreateCertStore(); + + client.WriteCalls.Should().HaveCountGreaterThanOrEqualTo(2); + client.WriteCalls[1].path.Should().Be(ExpectedPassPath); + } + + [Fact] + public async Task NonJson_PassphraseUsesWriteNotPatch() + { + var client = new TestableHcvKeyValueClient(CertPath, PassphrasePath); + await client.CreateCertStore(); + + client.PatchCalls.Should().BeEmpty(); + client.WriteCalls.Should().HaveCount(2); + } + + [Fact] + public async Task Json_CertWrittenToFullCertPath() + { + var client = new TestableHcvKeyValueClient(CertPath, PassphrasePath, + certPropName: "certificate", passphrasePropName: "pass"); + await client.CreateCertStore(); + + client.WriteCalls.Should().NotBeEmpty(); + client.WriteCalls[0].path.Should().Be(ExpectedCertPath); + } + + [Fact] + public async Task NonJson_PathsMatchGetCertificateAndPassphrasePaths() + { + var client = new TestableHcvKeyValueClient(CertPath, PassphrasePath); + await client.CreateCertStore(); + + client.WriteCalls.Should().HaveCount(2); + client.WriteCalls[0].path.Should().Be("/stores/pfx"); + client.WriteCalls[1].path.Should().Be("/stores/pfx/passphrase"); + } + } + + // ============================================================ + // PutCertificate tests (Management-Add path) + // ============================================================ + + public class PutCertificateIntoFileStoreTests + { + private const string CertPath = "stores/pfx"; + private const string PassphrasePath = "stores/pfx/passphrase"; + private const string NormCertPath = "/stores/pfx"; + private const string NormPassPath = "/stores/pfx/passphrase"; + + private TestableHcvKeyValueClient MakeSeededClient() + { + var client = new TestableHcvKeyValueClient(CertPath, PassphrasePath); + client.ReadResponses[NormCertPath] = new Dictionary { { "pfx", TestCertHelper.EmptyPfxBase64() } }; + client.ReadResponses[NormPassPath] = new Dictionary { { "passphrase", TestCertHelper.Passphrase } }; + return client; + } + + [Fact] + public async Task NonJson_CertWrittenToFullPath() + { + var client = MakeSeededClient(); + await client.PutCertificate( + certName: "lab-pfx", + contents: TestCertHelper.SelfSignedPfxBase64("lab-pfx"), + pfxPassword: TestCertHelper.Passphrase, + certPath: CertPath, certPropName: null, + keyPath: PassphrasePath, keyPropName: null, + includeChain: false); + + client.WriteCalls.Should().NotBeEmpty(); + client.WriteCalls[0].path.Should().Be(NormCertPath, + because: "the cert must be written to the full secret path, not the parent directory"); + } + + [Fact] + public async Task NonJson_CertUsesWriteNotPatch() + { + var client = MakeSeededClient(); + await client.PutCertificate( + certName: "lab-pfx", + contents: TestCertHelper.SelfSignedPfxBase64("lab-pfx"), + pfxPassword: TestCertHelper.Passphrase, + certPath: CertPath, certPropName: null, + keyPath: PassphrasePath, keyPropName: null, + includeChain: false); + + client.PatchCalls.Should().BeEmpty( + because: "non-JSON cert writes must use Write, not Patch"); + } + } + + // ============================================================ + // MountPoint / Namespace parsing tests + // ============================================================ + + internal static class MountPointParser + { + /// + /// Replicates the InitProps MountPoint/Namespace parsing block exactly, + /// so the algorithm can be unit-tested without a full job pipeline. + /// + public static (string ns, string mountPoint) Parse( + string rawMountPoint, + string existingNamespace = null) + { + var ns = existingNamespace; + string resolvedMount = null; + + if (!string.IsNullOrEmpty(rawMountPoint)) + { + var trimmed = rawMountPoint.TrimEnd('/'); + var lastSlash = trimmed.LastIndexOf('/'); + if (lastSlash > 0) + { + if (string.IsNullOrEmpty(ns)) + ns = trimmed.Substring(0, lastSlash).Trim('/'); + resolvedMount = trimmed.Substring(lastSlash + 1).Trim(); + } + else + { + resolvedMount = trimmed.Trim('/'); + } + } + + return (ns, resolvedMount); + } + } + + public class MountPointNamespaceParsingTests + { + [Fact] + public void BareMountName_NoSplit() + { + var (ns, mount) = MountPointParser.Parse("secret"); + mount.Should().Be("secret"); + ns.Should().BeNullOrEmpty(); + } + + [Fact] + public void SimpleNamespaceAndMount_TwoSegments() + { + var (ns, mount) = MountPointParser.Parse("myns/kv-v2"); + ns.Should().Be("myns"); + mount.Should().Be("kv-v2"); + } + + [Fact] + public void NestedNamespace_IkeaCase_LastSlashWins() + { + var (ns, mount) = MountPointParser.Parse("ep/common/secret"); + ns.Should().Be("ep/common", + because: "everything left of the last slash is the namespace in Vault Enterprise nested namespaces"); + mount.Should().Be("secret"); + } + + [Fact] + public void DeeplyNestedNamespace_ThreeLevels() + { + var (ns, mount) = MountPointParser.Parse("root/level1/level2/mymount"); + ns.Should().Be("root/level1/level2"); + mount.Should().Be("mymount"); + } + + [Fact] + public void PreExistingNamespace_NotOverwritten() + { + var (ns, mount) = MountPointParser.Parse("ep/common/secret", existingNamespace: "already-set"); + ns.Should().Be("already-set", + because: "a namespace resolved by Discovery must not be overwritten by InitProps"); + mount.Should().Be("secret"); + } + + [Fact] + public void NullMountPoint_ReturnsNulls() + { + var (ns, mount) = MountPointParser.Parse(null); + mount.Should().BeNull(); + ns.Should().BeNull(); + } + + [Fact] + public void LeadingSlash_StrippedWithoutEmptyNamespace() + { + var (ns, mount) = MountPointParser.Parse("/secret"); + mount.Should().Be("secret"); + ns.Should().BeNullOrEmpty(); + } + + [Fact] + public void TrailingSlash_NormalisedAway() + { + var (ns, mount) = MountPointParser.Parse("ep/common/secret/"); + ns.Should().Be("ep/common"); + mount.Should().Be("secret"); + } + } + + // ============================================================ + // IHashiClient contract smoke tests + // ============================================================ + + public class GetCertificatesTests + { + [Fact] + public async Task ReturnsEmptyList_WhenStoreContainsNoCertificates() + { + var mockClient = new Mock(); + mockClient + .Setup(c => c.GetCertificates()) + .ReturnsAsync((new List(), new List())); + + var (certs, warnings) = await mockClient.Object.GetCertificates(); + + certs.Should().NotBeNull().And.BeEmpty(); + warnings.Should().NotBeNull().And.BeEmpty(); + } + + [Fact] + public async Task ReturnsWarnings_WhenPartialFailuresOccur() + { + var mockClient = new Mock(); + mockClient + .Setup(c => c.GetCertificates()) + .ReturnsAsync(( + new List(), + new List { "Could not read secret at /test/broken" })); + + var (certs, warnings) = await mockClient.Object.GetCertificates(); + + warnings.Should().ContainSingle().Which.Should().Contain("broken"); + } + } +} diff --git a/hashicorp-vault-orchestrator.Tests/TestableHcvKeyValueClient.cs b/hashicorp-vault-orchestrator.Tests/TestableHcvKeyValueClient.cs new file mode 100644 index 0000000..776cc03 --- /dev/null +++ b/hashicorp-vault-orchestrator.Tests/TestableHcvKeyValueClient.cs @@ -0,0 +1,94 @@ +// Copyright 2025 Keyfactor +// Licensed under the Apache License, Version 2.0 + +using System.Collections.Generic; +using System.Threading.Tasks; +using VaultSharp; + +namespace Keyfactor.Extensions.Orchestrator.HashicorpVault.Tests +{ + /// + /// Subclass used by GetKVVersionAsyncTests. Injects a mock IVaultClient via + /// the protected VaultClient setter so GetKVVersionAsync can be tested against + /// a controlled VaultSharp hierarchy without a real Vault connection. + /// + internal class VaultClientInjectableHcvClient : HcvKeyValueClient + { + public VaultClientInjectableHcvClient(IVaultClient mockVaultClient, string mountPoint = "kv-v2") + : base( + vaultToken: "test-token", + serverUrl: "http://localhost:8200", + mountPoint: mountPoint, + ns: "", + storeType: "Keyfactor.Extensions.Orchestrator.HashicorpVault.HCVKVPEM", + certPath: "/test/certs", + certPropName: "", + passphrasePath: null, + passphrasePropName: "") + { + VaultClient = mockVaultClient; + } + } + + /// + /// Subclass used by CreateFileStore and PutCertificate tests. Overrides the + /// virtual Vault I/O methods so path-level behaviour can be asserted without + /// a real Vault connection. ReadResponses seeds canned responses; all Write + /// and Patch calls are recorded for assertion. + /// + internal class TestableHcvKeyValueClient : HcvKeyValueClient + { + public List<(string path, Dictionary data, string mountPoint)> WriteCalls { get; } + = new List<(string, Dictionary, string)>(); + + public List<(string path, Dictionary data, string mountPoint)> PatchCalls { get; } + = new List<(string, Dictionary, string)>(); + + /// Path β†’ canned response. Paths not listed return an empty dict. + public Dictionary> ReadResponses { get; } + = new Dictionary>(); + + public TestableHcvKeyValueClient( + string certPath, + string passphrasePath, + string certPropName = null, + string passphrasePropName = null, + string storeType = "HCVKVPFX") + : base( + vaultToken: "fake-token", + serverUrl: "http://127.0.0.1:8200", + mountPoint: "secret", + ns: null, + storeType: "Keyfactor.Extensions.Orchestrator.HashicorpVault.HCVKVPFX", + certPath: certPath, + certPropName: certPropName, + passphrasePath: passphrasePath, + passphrasePropName: passphrasePropName, + SubfolderInventory: false) + { + _storeType = storeType; + } + + public override Task GetKVVersionAsync() => Task.FromResult(2); + + public override Task WriteSecretAutoAsync(string path, Dictionary data, string mountPoint) + { + WriteCalls.Add((path, data, mountPoint)); + return Task.CompletedTask; + } + + public override Task PatchSecretAutoAsync(string path, Dictionary data, string mountPoint) + { + PatchCalls.Add((path, data, mountPoint)); + return Task.CompletedTask; + } + + public override Task> ReadSecretAutoAsync(string path, string mountPoint) + { + return Task.FromResult( + ReadResponses.TryGetValue(path, out var resp) + ? resp + : new Dictionary()); + } + } +} diff --git a/hashicorp-vault-orchestrator.Tests/VaultMockBuilder.cs b/hashicorp-vault-orchestrator.Tests/VaultMockBuilder.cs new file mode 100644 index 0000000..8990bcf --- /dev/null +++ b/hashicorp-vault-orchestrator.Tests/VaultMockBuilder.cs @@ -0,0 +1,102 @@ +// Copyright 2025 Keyfactor +// Licensed under the Apache License, Version 2.0 + +using System.Collections.Generic; +using System.Net; +using Moq; +using VaultSharp; +using VaultSharp.Core; +using VaultSharp.V1; +using VaultSharp.V1.Commons; +using VaultSharp.V1.SecretsEngines; +using VaultSharp.V1.SecretsEngines.KeyValue; +using VaultSharp.V1.SecretsEngines.KeyValue.V2; +using VaultSharp.V1.SystemBackend; + +namespace Keyfactor.Extensions.Orchestrator.HashicorpVault.Tests +{ + /// + /// Fluent builder that wires up the VaultSharp mock hierarchy. + /// Used by GetKVVersionAsyncTests which need to mock at the IVaultClient + /// level β€” below the virtual-method seam used by TestableHcvKeyValueClient. + /// + internal class VaultMockBuilder + { + public Mock Client { get; } = new(MockBehavior.Strict); + public Mock V1 { get; } = new(MockBehavior.Strict); + public Mock Secrets { get; } = new(MockBehavior.Strict); + public Mock KeyValue { get; } = new(MockBehavior.Strict); + public Mock KvV2 { get; } = new(MockBehavior.Strict); + public Mock System { get; } = new(MockBehavior.Strict); + + private VaultMockBuilder() { } + + private static VaultApiException MakeVaultApiException(HttpStatusCode statusCode, string errorMessage = "vault error") + => new VaultApiException(statusCode, $"{{\"errors\":[\"{errorMessage}\"]}}"); + + public static VaultMockBuilder WithKvVersion(string mountPoint, int version) + { + var b = new VaultMockBuilder(); + b.WireHierarchy(); + + var normalizedMount = mountPoint.EndsWith("/") ? mountPoint : mountPoint + "/"; + var backends = new Dictionary + { + [normalizedMount] = new SecretsEngine + { + Options = new Dictionary { ["version"] = version.ToString() } + } + }; + + b.System + .Setup(s => s.GetSecretBackendsAsync()) + .ReturnsAsync(new Secret> { Data = backends }); + + return b; + } + + public static VaultMockBuilder WithForbiddenMounts() + { + var b = new VaultMockBuilder(); + b.WireHierarchy(); + b.System + .Setup(s => s.GetSecretBackendsAsync()) + .ThrowsAsync(MakeVaultApiException(HttpStatusCode.Forbidden, "permission denied")); + return b; + } + + public static VaultMockBuilder WithMountsError(HttpStatusCode statusCode = HttpStatusCode.InternalServerError) + { + var b = new VaultMockBuilder(); + b.WireHierarchy(); + b.System + .Setup(s => s.GetSecretBackendsAsync()) + .ThrowsAsync(MakeVaultApiException(statusCode, "internal server error")); + return b; + } + + public static VaultMockBuilder WithMountNotFound(string presentMount = "other/") + { + var b = new VaultMockBuilder(); + b.WireHierarchy(); + var backends = new Dictionary + { + [presentMount] = new SecretsEngine { Options = new Dictionary() } + }; + b.System + .Setup(s => s.GetSecretBackendsAsync()) + .ReturnsAsync(new Secret> { Data = backends }); + return b; + } + + private void WireHierarchy() + { + Client.Setup(c => c.V1).Returns(V1.Object); + V1.Setup(v => v.Secrets).Returns(Secrets.Object); + Secrets.Setup(s => s.KeyValue).Returns(KeyValue.Object); + KeyValue.Setup(k => k.V2).Returns(KvV2.Object); + V1.Setup(v => v.System).Returns(System.Object); + // V1.Auth intentionally not wired β€” IAuthMethodLoginProvider is internal in VaultSharp + } + } +} diff --git a/hashicorp-vault-orchestrator.Tests/hashicorp-vault-orchestrator.Tests.csproj b/hashicorp-vault-orchestrator.Tests/hashicorp-vault-orchestrator.Tests.csproj new file mode 100644 index 0000000..d5a4fde --- /dev/null +++ b/hashicorp-vault-orchestrator.Tests/hashicorp-vault-orchestrator.Tests.csproj @@ -0,0 +1,44 @@ + + + + net8.0 + Keyfactor.Extensions.Orchestrator.HashicorpVault.Tests + Keyfactor.Extensions.Orchestrators.HCV.Tests + disable + enable + false + true + latest + + + + + + + + runtime; build; native; contentfiles; analyzers; buildtransitive + all + + + runtime; build; native; contentfiles; analyzers; buildtransitive + all + + + + + + + + + + + + + + + + + + + + diff --git a/hashicorp-vault-orchestrator.sln b/hashicorp-vault-orchestrator.sln index 84b4e7e..215dcdd 100644 --- a/hashicorp-vault-orchestrator.sln +++ b/hashicorp-vault-orchestrator.sln @@ -24,16 +24,42 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "docsource", "docsource", "{ EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "images", "images", "{72529433-ABCD-4B2A-8AD2-727F1F58740C}" EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "hashicorp-vault-orchestrator.Tests", "hashicorp-vault-orchestrator.Tests\hashicorp-vault-orchestrator.Tests.csproj", "{DD74B25E-5973-443A-9F5D-5110345F8AF3}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 Release|Any CPU = Release|Any CPU + Release|x64 = Release|x64 + Release|x86 = Release|x86 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution {76771DD1-BDF1-4C3F-9EAB-C9096A1BBF7B}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {76771DD1-BDF1-4C3F-9EAB-C9096A1BBF7B}.Debug|Any CPU.Build.0 = Debug|Any CPU + {76771DD1-BDF1-4C3F-9EAB-C9096A1BBF7B}.Debug|x64.ActiveCfg = Debug|Any CPU + {76771DD1-BDF1-4C3F-9EAB-C9096A1BBF7B}.Debug|x64.Build.0 = Debug|Any CPU + {76771DD1-BDF1-4C3F-9EAB-C9096A1BBF7B}.Debug|x86.ActiveCfg = Debug|Any CPU + {76771DD1-BDF1-4C3F-9EAB-C9096A1BBF7B}.Debug|x86.Build.0 = Debug|Any CPU {76771DD1-BDF1-4C3F-9EAB-C9096A1BBF7B}.Release|Any CPU.ActiveCfg = Release|Any CPU {76771DD1-BDF1-4C3F-9EAB-C9096A1BBF7B}.Release|Any CPU.Build.0 = Release|Any CPU + {76771DD1-BDF1-4C3F-9EAB-C9096A1BBF7B}.Release|x64.ActiveCfg = Release|Any CPU + {76771DD1-BDF1-4C3F-9EAB-C9096A1BBF7B}.Release|x64.Build.0 = Release|Any CPU + {76771DD1-BDF1-4C3F-9EAB-C9096A1BBF7B}.Release|x86.ActiveCfg = Release|Any CPU + {76771DD1-BDF1-4C3F-9EAB-C9096A1BBF7B}.Release|x86.Build.0 = Release|Any CPU + {DD74B25E-5973-443A-9F5D-5110345F8AF3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {DD74B25E-5973-443A-9F5D-5110345F8AF3}.Debug|Any CPU.Build.0 = Debug|Any CPU + {DD74B25E-5973-443A-9F5D-5110345F8AF3}.Debug|x64.ActiveCfg = Debug|Any CPU + {DD74B25E-5973-443A-9F5D-5110345F8AF3}.Debug|x64.Build.0 = Debug|Any CPU + {DD74B25E-5973-443A-9F5D-5110345F8AF3}.Debug|x86.ActiveCfg = Debug|Any CPU + {DD74B25E-5973-443A-9F5D-5110345F8AF3}.Debug|x86.Build.0 = Debug|Any CPU + {DD74B25E-5973-443A-9F5D-5110345F8AF3}.Release|Any CPU.ActiveCfg = Release|Any CPU + {DD74B25E-5973-443A-9F5D-5110345F8AF3}.Release|Any CPU.Build.0 = Release|Any CPU + {DD74B25E-5973-443A-9F5D-5110345F8AF3}.Release|x64.ActiveCfg = Release|Any CPU + {DD74B25E-5973-443A-9F5D-5110345F8AF3}.Release|x64.Build.0 = Release|Any CPU + {DD74B25E-5973-443A-9F5D-5110345F8AF3}.Release|x86.ActiveCfg = Release|Any CPU + {DD74B25E-5973-443A-9F5D-5110345F8AF3}.Release|x86.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/hashicorp-vault-orchestrator/AssemblyInfo.cs b/hashicorp-vault-orchestrator/AssemblyInfo.cs new file mode 100644 index 0000000..8a221cf --- /dev/null +++ b/hashicorp-vault-orchestrator/AssemblyInfo.cs @@ -0,0 +1,11 @@ + +// Copyright 2026 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System.Runtime.CompilerServices; + +[assembly: InternalsVisibleTo("hashicorp-vault-orchestrator.Tests")] diff --git a/hashicorp-vault-orchestrator/CertUtility.cs b/hashicorp-vault-orchestrator/CertUtility.cs index a6cba28..c596f12 100644 --- a/hashicorp-vault-orchestrator/CertUtility.cs +++ b/hashicorp-vault-orchestrator/CertUtility.cs @@ -1,5 +1,5 @@ ο»Ώ -// Copyright 2025 Keyfactor +// Copyright 2026 Keyfactor // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, diff --git a/hashicorp-vault-orchestrator/Constants.cs b/hashicorp-vault-orchestrator/Constants.cs index 02890c1..93018aa 100644 --- a/hashicorp-vault-orchestrator/Constants.cs +++ b/hashicorp-vault-orchestrator/Constants.cs @@ -1,5 +1,5 @@ ο»Ώ -// Copyright 2025 Keyfactor +// Copyright 2026 Keyfactor // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, diff --git a/hashicorp-vault-orchestrator/FileStores/FileStoreBase.cs b/hashicorp-vault-orchestrator/FileStores/FileStoreBase.cs index e75d019..1058245 100644 --- a/hashicorp-vault-orchestrator/FileStores/FileStoreBase.cs +++ b/hashicorp-vault-orchestrator/FileStores/FileStoreBase.cs @@ -1,5 +1,5 @@ ο»Ώ -// Copyright 2025 Keyfactor +// Copyright 2026 Keyfactor // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, diff --git a/hashicorp-vault-orchestrator/FileStores/IFileStore.cs b/hashicorp-vault-orchestrator/FileStores/IFileStore.cs index aa5e0a1..8dbab4b 100644 --- a/hashicorp-vault-orchestrator/FileStores/IFileStore.cs +++ b/hashicorp-vault-orchestrator/FileStores/IFileStore.cs @@ -1,5 +1,5 @@ ο»Ώ -// Copyright 2025 Keyfactor +// Copyright 2026 Keyfactor // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, diff --git a/hashicorp-vault-orchestrator/FileStores/JksFileStore.cs b/hashicorp-vault-orchestrator/FileStores/JksFileStore.cs index 1baff89..68f708b 100644 --- a/hashicorp-vault-orchestrator/FileStores/JksFileStore.cs +++ b/hashicorp-vault-orchestrator/FileStores/JksFileStore.cs @@ -1,5 +1,5 @@ -// Copyright 2025 Keyfactor +// Copyright 2026 Keyfactor // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, diff --git a/hashicorp-vault-orchestrator/FileStores/PfxFileStore.cs b/hashicorp-vault-orchestrator/FileStores/PfxFileStore.cs index 9fe2b48..b90cb25 100644 --- a/hashicorp-vault-orchestrator/FileStores/PfxFileStore.cs +++ b/hashicorp-vault-orchestrator/FileStores/PfxFileStore.cs @@ -1,5 +1,5 @@ ο»Ώ -// Copyright 2025 Keyfactor +// Copyright 2026 Keyfactor // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, diff --git a/hashicorp-vault-orchestrator/FileStores/Pkcs12FileStore.cs b/hashicorp-vault-orchestrator/FileStores/Pkcs12FileStore.cs index acb1383..eac70d5 100644 --- a/hashicorp-vault-orchestrator/FileStores/Pkcs12FileStore.cs +++ b/hashicorp-vault-orchestrator/FileStores/Pkcs12FileStore.cs @@ -1,5 +1,5 @@ ο»Ώ -// Copyright 2025 Keyfactor +// Copyright 2026 Keyfactor // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, diff --git a/hashicorp-vault-orchestrator/HcvKeyValueClient.cs b/hashicorp-vault-orchestrator/HcvKeyValueClient.cs index 0c6c013..faa28c2 100644 --- a/hashicorp-vault-orchestrator/HcvKeyValueClient.cs +++ b/hashicorp-vault-orchestrator/HcvKeyValueClient.cs @@ -1,5 +1,5 @@ -// Copyright 2025 Keyfactor +// Copyright 2026 Keyfactor // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, @@ -34,7 +34,11 @@ public class HcvKeyValueClient : IHashiClient { private IVaultClient _vaultClient { get; set; } - protected IVaultClient VaultClient => _vaultClient; + protected IVaultClient VaultClient + { + get => _vaultClient; + set => _vaultClient = value; // settable for unit-test subclass injection + } private ILogger logger = LogHandler.GetClassLogger(); @@ -44,7 +48,7 @@ public class HcvKeyValueClient : IHashiClient private string _passphrasePropName { get; set; } private string _mountPoint { get; set; } private bool _subfolderInventory { get; set; } - private string _storeType { get; set; } + protected string _storeType { get; set; } private string _namespace { get; set; } private int _kvVersionCache { get; set; } @@ -153,7 +157,7 @@ private async Task CreateFileStore() else { certSecretContent = new Dictionary { { certSecretName, Convert.ToBase64String(newStoreBytes) } }; // the content includes the secret name.. - pathToWriteCert = certParentPath; // we write to the parent path + pathToWriteCert = $"{certParentPath}/{certSecretName}"; // we write to the full secret path } logger.LogTrace($"we will send the request to write the cert secret at the path {pathToWriteCert}, keyed by the secret or property name: '{certSecretContent.Keys.First()}'"); @@ -185,16 +189,23 @@ private async Task CreateFileStore() else { passphraseSecretContent = new Dictionary { { passphraseSecretName, passphrase } }; - pathToWritePassphrase = passphraseParentPath; + pathToWritePassphrase = $"{passphraseParentPath}/{passphraseSecretName}"; // we write to the full secret path } logger.LogTrace($"we will send the request to write the passphrase secret at the path {pathToWritePassphrase}, keyed by the secret or property name: '{passphraseSecretContent.Keys.First()}'"); - // write the passphrase secret + // write the passphrase secret β€” use Write (not Patch) for a brand-new secret; Patch on a non-existent KV v2 path returns 404 logger.LogTrace($"sending request to write new cert store passphrase"); - await PatchSecretAutoAsync(pathToWritePassphrase, passphraseSecretContent, _mountPoint); + if (passphraseSecretIsJSON) + { + await PatchSecretAutoAsync(pathToWritePassphrase, passphraseSecretContent, _mountPoint); + } + else + { + await WriteSecretAutoAsync(pathToWritePassphrase, passphraseSecretContent, _mountPoint); + } logger.LogTrace($"request to write passphrase secret was successful"); @@ -542,6 +553,30 @@ private async Task PutCertificateIntoFileStore(string newCertName, string conten (var certificate, var passphrase) = await GetCertificateAndPassphrase(); + // Create-if-not-exist: when neither the cert blob nor the passphrase exists yet + // in Vault, the file-format store has never been seeded. Rather than failing the + // Management-Add, seed an empty store + random passphrase so the first Add can + // proceed exactly as the second one would. This mirrors how HCVKVPEM behaves + // (CreatePemStore writes an empty PEM secret as part of CreateCertStore) and lets + // Management-Add succeed even when the explicit "Create" op was skipped or has + // never run. + if (string.IsNullOrEmpty(certificate) && string.IsNullOrEmpty(passphrase)) + { + logger.LogTrace("No existing store/passphrase found at the configured path β€” seeding an empty file store with a fresh passphrase before adding the new cert (create-if-not-exist)."); + await CreateFileStore(); + (certificate, passphrase) = await GetCertificateAndPassphrase(); + if (string.IsNullOrEmpty(certificate) || string.IsNullOrEmpty(passphrase)) + { + throw new InvalidOperationException( + $"Auto-create of file-format store at {certParentPath}/{certSecretName} did not produce a readable store + passphrase pair. Check Vault token policy permits create + read on '{_mountPoint}/{certParentPath}'."); + } + } + else if (string.IsNullOrEmpty(passphrase)) + { + throw new DirectoryNotFoundException( + $"Existing store found at {certParentPath}/{certSecretName} but no passphrase at the configured path. Refusing to overwrite β€” set PassphrasePath correctly or delete the orphaned store."); + } + var certSecretIsJSON = !string.IsNullOrEmpty(_certPropName); if (certSecretIsJSON) logger.LogTrace($"the certificate data will be stored at '{_certPath}' as a JSON object with the base64 encoded cert stored in the property '{_certPropName}'"); @@ -608,17 +643,25 @@ private async Task PutCertificateIntoFileStore(string newCertName, string conten } else { - // we will create a dictionary to represent the contents of the parent path + // we will create a dictionary to represent the contents of the secret newCertSecretData = new Dictionary { { certSecretName, newCertFileStore } }; - // and write it to the parent path of the secret - certPathToWrite = certParentPath; + // write to the full secret path (not the parent) + certPathToWrite = $"{certParentPath}/{certSecretName}"; } - // submit the patch request - logger.LogTrace($"patching {newCertSecretData.Keys.First()} to path {certPathToWrite} at mount point {_mountPoint}"); + logger.LogTrace($"writing {newCertSecretData.Keys.First()} to path {certPathToWrite} at mount point {_mountPoint}"); - await PatchSecretAutoAsync(certPathToWrite, newCertSecretData, _mountPoint); + if (certSecretIsJSON) + { + // JSON mode: PATCH to merge the cert property into an existing shared secret + await PatchSecretAutoAsync(certPathToWrite, newCertSecretData, _mountPoint); + } + else + { + // non-JSON mode: WRITE (create-or-replace) β€” the cert is the entire secret; PATCH would 404 if the secret does not yet exist + await WriteSecretAutoAsync(certPathToWrite, newCertSecretData, _mountPoint); + } logger.LogTrace("The certificate and passphrase have been successfully written to Vault."); @@ -955,107 +998,96 @@ private async Task> GetSubPaths(string storagePath) private async Task<(string, string)> GetCertificateAndPassphrase() { - (var certParentPath, var certSecretName, var passphraseParentPath, var passphraseSecretName) = ParsedSecretPaths(); var certSecretIsJSON = !string.IsNullOrEmpty(_certPropName); - var passphraseSecretIsJSON = !string.IsNullOrEmpty(_passphrasePropName); string certContent = string.Empty; string passphrase = string.Empty; - Dictionary certFileObj = null; - // first get cert contents - try + var kvVersion = await GetKVVersionAsync(); + if (kvVersion == 1) { - var kvVersion = await GetKVVersionAsync(); - - if (kvVersion == 1) // in the key-value secrets engine v1; all secrets are stored as JSON - { - if (!certSecretIsJSON) - { - _certPropName = "value"; - certSecretIsJSON = true; - } - if (!passphraseSecretIsJSON) - { - _passphrasePropName = "value"; - passphraseSecretIsJSON = true; - } - } + if (!certSecretIsJSON) { _certPropName = "value"; certSecretIsJSON = true; } + if (!passphraseSecretIsJSON) { _passphrasePropName = "value"; passphraseSecretIsJSON = true; } + } - logger.LogTrace($"cert secret name {certSecretName}"); - logger.LogTrace($"retreiving the certificate store secret at {certParentPath + "/" + certSecretName} from the Key-Value secrets engine mounted at {_mountPoint}.."); - logger.LogTrace($"the cert is {(certSecretIsJSON ? "" : "not")} a JSON property."); - if (certSecretIsJSON) logger.LogTrace($"the cert is stored in the property named {_certPropName}"); + // Read existing cert β€” may not exist for a fresh/empty store; that is OK. + try + { var secretPath = certParentPath + "/" + certSecretName; - certFileObj = await ReadSecretAutoAsync(secretPath, _mountPoint); - - logger.LogTrace($"received a response: {JsonConvert.SerializeObject(certFileObj)}"); + logger.LogTrace($"retreiving cert from {secretPath} on mount {_mountPoint}"); + var certFileObj = await ReadSecretAutoAsync(secretPath, _mountPoint); - if (certFileObj == null || certFileObj?.Keys?.Count == 0) + if (certFileObj != null && certFileObj.Keys.Count > 0) { - logger.LogError($"no secret content was found at path {_certPath}"); - throw new DirectoryNotFoundException($"entry named {certSecretName} not found at {certParentPath} or is empty."); + certContent = certSecretIsJSON + ? certFileObj[_certPropName]?.ToString() + : certFileObj.First().Value?.ToString(); + logger.LogTrace($"retrieved existing cert of length {certContent?.Length ?? 0}"); } - - foreach (var key in certFileObj.Keys) - { - logger.LogTrace($"key = {key}, value = {certFileObj[key]}"); - } - - logger.LogTrace($"getting the contents of {certSecretName}"); - - - if (certSecretIsJSON) + } + catch (VaultApiException ex) + { + // Use a plain catch + StatusCode test rather than the `when` + // filter β€” the filter has been observed not to fire reliably for + // exceptions raised from inside the async state machine on + // .NET 10 + VaultSharp 1.17, sending the flow into the generic + // `catch (Exception)` branch even for 404s. + if (ex.StatusCode == 404 || ex.HttpStatusCode == System.Net.HttpStatusCode.NotFound) { - // if the cert data is stored as a property in a JSON secret object, we get the value from the property - certContent = certFileObj[_certPropName]?.ToString(); + logger.LogTrace($"No existing certificate at {certParentPath}/{certSecretName} β€” treating as empty store for Management-Add."); } else { - // otherwise, the entire secret content is the base64 encoded cert - certContent = certFileObj.First().Value.ToString(); + logger.LogError($"Error reading certificate (status={ex.StatusCode}): {LogHandler.FlattenException(ex)}"); + throw; } + } + catch (Exception ex) + { + logger.LogError($"Error reading certificate: {LogHandler.FlattenException(ex)}"); + throw; + } - logger.LogTrace($"base64 encoded cert: {certContent}"); - - logger.LogTrace($"now we retrieve the passphrase from {passphraseParentPath + passphraseSecretName}"); - - var passphraseObj = await ReadSecretAutoAsync(_passphrasePath, _mountPoint); + // Read passphrase β€” may not exist for a fresh/empty store. Callers detect + // a missing passphrase (empty string) together with a missing certificate + // (empty certContent) as the create-if-not-exist signal. + var passphraseReadPath = !string.IsNullOrEmpty(_passphrasePath) + ? _passphrasePath + : passphraseParentPath + "/" + passphraseSecretName; + try + { + logger.LogTrace($"retreiving passphrase from {passphraseReadPath}"); + var passphraseObj = await ReadSecretAutoAsync(passphraseReadPath, _mountPoint); - foreach (var key in passphraseObj.Keys) + if (passphraseObj != null && passphraseObj.Keys.Count > 0) { - logger.LogTrace($"key = {key}, value = "); + passphrase = passphraseSecretIsJSON + ? passphraseObj[_passphrasePropName]?.ToString() + : passphraseObj.First().Value?.ToString(); + logger.LogTrace($"retrieved passphrase of length {passphrase?.Length ?? 0}"); } - - if (passphraseSecretIsJSON) + } + catch (VaultApiException ex) + { + if (ex.StatusCode == 404 || ex.HttpStatusCode == System.Net.HttpStatusCode.NotFound) { - // the secret is a json object with one of the fields containing the passphrase - passphrase = passphraseObj[_passphrasePropName].ToString(); + logger.LogTrace($"No existing passphrase at {passphraseReadPath} β€” treating as fresh store for create-if-not-exist."); } else { - // the entire contents of the secret is the passphrase - passphrase = passphraseObj.First().Value.ToString(); - } - - if (string.IsNullOrEmpty(passphrase)) - { - throw new DirectoryNotFoundException($"no passphrase found at {_passphrasePath}"); + logger.LogError($"Error reading passphrase (status={ex.StatusCode}): {LogHandler.FlattenException(ex)}"); + throw; } - else { logger.LogTrace($"retrieved passphrase of length {passphrase.Length}"); } } catch (Exception ex) { - logger.LogError($"there was an error when attempting to retrieve the cert and passphrase: {LogHandler.FlattenException(ex)}"); + logger.LogError($"Error reading passphrase: {LogHandler.FlattenException(ex)}"); throw; } - logger.LogTrace("successfully retreived the secrets.. "); - logger.LogTrace($"cert file contents: {certContent}"); - logger.LogTrace($"passphrase length: {passphrase.Length}"); - + logger.LogTrace("successfully retreived the secrets.."); return (certContent, passphrase); } @@ -1082,7 +1114,7 @@ public async Task> GetTokenPoliciesAsync() } } - public async Task GetKVVersionAsync() + public virtual async Task GetKVVersionAsync() { if (_kvVersionCache > 0) { @@ -1113,12 +1145,26 @@ public async Task GetKVVersionAsync() return kvVersion; } - // If no version in options, it's KV v1 + // If no version in options, it's KV v1 + _kvVersionCache = 1; return 1; } throw new Exception($"Mount point '{_mountPoint}' not found"); } + catch (VaultApiException ex) when (ex.HttpStatusCode == System.Net.HttpStatusCode.Forbidden) + { + // The token does not have permission to list secret engine mounts (sys/mounts). + // This is a non-fatal condition: we default to KV v2 and warn so the operator + // can grant the permission or explicitly configure the mount point version. + logger.LogWarning( + $"The Vault token does not have permission to read sys/mounts (HTTP 403). " + + $"Unable to auto-detect the KV secrets engine version for mount '{_mountPoint}'. " + + $"Defaulting to KV v2. To suppress this warning, grant the token 'read' access " + + $"to 'sys/mounts' or ensure the mount point is a KV v2 engine."); + _kvVersionCache = 2; + return 2; + } catch (Exception ex) { throw new Exception($"Failed to determine KV version for mount '{_mountPoint}': {ex.Message}", ex); @@ -1130,7 +1176,7 @@ public async Task GetKVVersionAsync() /// /// Read a secret from KV engine, automatically detecting the version /// - public async Task> ReadSecretAutoAsync( + public virtual async Task> ReadSecretAutoAsync( string path, string mountPoint) { @@ -1191,7 +1237,7 @@ public async Task> ReadSecretAutoAsync( /// /// Write a secret to KV engine, automatically detecting the version /// - public async Task WriteSecretAutoAsync( + public virtual async Task WriteSecretAutoAsync( string path, Dictionary data, string mountPoint) @@ -1239,7 +1285,7 @@ await _vaultClient.V1.Secrets.KeyValue.V1.WriteSecretAsync( /// For KV v1, this does a read-modify-write operation /// For KV v2, this uses native patch support /// - public async Task PatchSecretAutoAsync( + public virtual async Task PatchSecretAutoAsync( string path, Dictionary keysToUpdate, string mountPoint) @@ -1256,11 +1302,31 @@ public async Task PatchSecretAutoAsync( Data = keysToUpdate }; - await _vaultClient.V1.Secrets.KeyValue.V2.PatchSecretAsync( - path: path, - patchSecretDataRequest: patchRequest, - mountPoint: mountPoint - ); + try + { + await _vaultClient.V1.Secrets.KeyValue.V2.PatchSecretAsync( + path: path, + patchSecretDataRequest: patchRequest, + mountPoint: mountPoint + ); + } + catch (VaultApiException ex) + { + if (ex.StatusCode == 404 || ex.HttpStatusCode == System.Net.HttpStatusCode.NotFound) + { + // KV v2 Patch returns 404 when the secret does not yet exist. + // Fall through to Write so the first call to Patch creates the + // secret with the supplied keys β€” same effective behavior, + // idempotent. Plain catch + StatusCode test rather than `when` + // filter (see GetCertificateAndPassphrase for rationale). + logger.LogTrace($"Patch at {mountPoint}/{path} returned 404; falling back to Write (create-if-not-exist)."); + await WriteSecretAutoAsync(path, keysToUpdate, mountPoint); + } + else + { + throw; + } + } } else // v1 { diff --git a/hashicorp-vault-orchestrator/HcvKeyfactorClient.cs b/hashicorp-vault-orchestrator/HcvKeyfactorClient.cs index fe43286..06843f4 100644 --- a/hashicorp-vault-orchestrator/HcvKeyfactorClient.cs +++ b/hashicorp-vault-orchestrator/HcvKeyfactorClient.cs @@ -1,5 +1,5 @@ ο»Ώ -// Copyright 2025 Keyfactor +// Copyright 2026 Keyfactor // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, diff --git a/hashicorp-vault-orchestrator/IHashiClient.cs b/hashicorp-vault-orchestrator/IHashiClient.cs index 99119a0..fcff558 100644 --- a/hashicorp-vault-orchestrator/IHashiClient.cs +++ b/hashicorp-vault-orchestrator/IHashiClient.cs @@ -1,5 +1,5 @@ ο»Ώ -// Copyright 2025 Keyfactor +// Copyright 2026 Keyfactor // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, diff --git a/hashicorp-vault-orchestrator/JobProperties.cs b/hashicorp-vault-orchestrator/JobProperties.cs index f192428..9271f03 100644 --- a/hashicorp-vault-orchestrator/JobProperties.cs +++ b/hashicorp-vault-orchestrator/JobProperties.cs @@ -1,4 +1,12 @@ -ο»Ώnamespace Keyfactor.Extensions.Orchestrator.HashicorpVault +ο»Ώ +// Copyright 2026 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +namespace Keyfactor.Extensions.Orchestrator.HashicorpVault { public class JobProperties { diff --git a/hashicorp-vault-orchestrator/Jobs/Discovery.cs b/hashicorp-vault-orchestrator/Jobs/Discovery.cs index a5a4a70..10a7b2a 100644 --- a/hashicorp-vault-orchestrator/Jobs/Discovery.cs +++ b/hashicorp-vault-orchestrator/Jobs/Discovery.cs @@ -1,5 +1,5 @@ ο»Ώ -// Copyright 2025 Keyfactor +// Copyright 2026 Keyfactor // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, diff --git a/hashicorp-vault-orchestrator/Jobs/Inventory.cs b/hashicorp-vault-orchestrator/Jobs/Inventory.cs index d939165..093c1c9 100644 --- a/hashicorp-vault-orchestrator/Jobs/Inventory.cs +++ b/hashicorp-vault-orchestrator/Jobs/Inventory.cs @@ -1,5 +1,5 @@ ο»Ώ -// Copyright 2025 Keyfactor +// Copyright 2026 Keyfactor // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, diff --git a/hashicorp-vault-orchestrator/Jobs/JobBase.cs b/hashicorp-vault-orchestrator/Jobs/JobBase.cs index edf53d2..433177e 100644 --- a/hashicorp-vault-orchestrator/Jobs/JobBase.cs +++ b/hashicorp-vault-orchestrator/Jobs/JobBase.cs @@ -1,5 +1,5 @@ -// Copyright 2025 Keyfactor +// Copyright 2026 Keyfactor // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, @@ -8,6 +8,7 @@ using System; using System.Collections.Generic; +using System.Threading.Tasks; using Keyfactor.Logging; using Keyfactor.Orchestrators.Extensions; using Keyfactor.Orchestrators.Extensions.Interfaces; @@ -47,7 +48,7 @@ public void Initialize(InventoryJobConfiguration config) var props = JsonConvert.DeserializeObject>(config.CertificateStoreDetails.Properties); - InitProps(props, config.Capability); + InitProps(props, config.Capability).GetAwaiter().GetResult(); LogInitValues(); } @@ -118,7 +119,7 @@ public void Initialize(DiscoveryJobConfiguration config) logger.LogTrace($"Enterprise Namespace: {JobParameters.Namespace}"); logger.LogTrace($"Directories to ignore (subpath to search): {subPath}"); - InitProps(config.JobProperties, config.Capability); + InitProps(config.JobProperties, config.Capability).GetAwaiter().GetResult(); LogInitValues(); } @@ -132,11 +133,11 @@ public void Initialize(ManagementJobConfiguration config) JobParameters.VaultToken = PAMUtilities.ResolvePAMField(PamSecretResolver, logger, "Server Password", config.ServerPassword); JobParameters.StorePath = config.CertificateStoreDetails.StorePath; dynamic props = JsonConvert.DeserializeObject(config.CertificateStoreDetails.Properties.ToString()); - InitProps(props, config.Capability); + InitProps(props, config.Capability).GetAwaiter().GetResult(); LogInitValues(); } - private async void InitProps(dynamic props, string capability) + private async Task InitProps(dynamic props, string capability) { _storeType = capability; @@ -145,16 +146,42 @@ private async void InitProps(dynamic props, string capability) if (props.ContainsKey("StorePath")) { JobParameters.StorePath = props["StorePath"].ToString(); - JobParameters.StorePath = JobParameters.StorePath.TrimStart('/'); - JobParameters.StorePath = JobParameters.StorePath.TrimEnd('/'); - if (_storeType.Contains(StoreType.HCVKVPEM) || _storeType.Contains(StoreType.HCVPKI)) - { - JobParameters.StorePath += "/"; //ensure single trailing slash for path for PKI or PEM stores. Others use the entry value instead of the container. - } + } + + // Normalize StorePath regardless of source (props or config.CertificateStoreDetails.StorePath) + JobParameters.StorePath = JobParameters.StorePath?.TrimStart('/').TrimEnd('/') ?? string.Empty; + if (_storeType.Contains(StoreType.HCVKVPEM) || _storeType.Contains(StoreType.HCVPKI)) + { + JobParameters.StorePath += "/"; // trailing slash required: HcvKeyValueClient prepends "/" and appends entry name directly } var mp = props.ContainsKey("MountPoint") ? props["MountPoint"].ToString() : null; - JobParameters.MountPoint = !string.IsNullOrEmpty(mp) ? mp : JobParameters.MountPoint; + if (!string.IsNullOrEmpty(mp)) + { + // Support the / format for Vault Enterprise. + // Vault supports nested namespaces (e.g. "parent/child/mount"), so we split + // on the LAST slash: everything to the left is the namespace, the final + // segment is the bare mount name. This ensures the X-Vault-Namespace header + // is sent on ALL job types (Inventory, Management, Discovery), not just Discovery. + // If Namespace was already set (Discovery pre-parsed it), we don't overwrite it + // but we still strip the namespace prefix from MountPoint. + var trimmedMp = mp.TrimEnd('/'); + var lastSlash = trimmedMp.LastIndexOf('/'); + if (lastSlash > 0) + { + if (string.IsNullOrEmpty(JobParameters.Namespace)) + { + var ns = trimmedMp.Substring(0, lastSlash).Trim('/'); + logger.LogTrace($"Detected namespace '{ns}' in MountPoint value '{mp}'; splitting into Namespace + MountPoint."); + JobParameters.Namespace = ns; + } + JobParameters.MountPoint = trimmedMp.Substring(lastSlash + 1).Trim(); + } + else + { + JobParameters.MountPoint = trimmedMp.Trim('/'); + } + } JobParameters.SubfolderInventory = props.ContainsKey("SubfolderInventory") ? bool.Parse(props["SubfolderInventory"].ToString()) : false; JobParameters.IncludeCertChain = props.ContainsKey("IncludeCertChain") ? bool.Parse(props["IncludeCertChain"].ToString()) : false; @@ -177,9 +204,16 @@ private async void InitProps(dynamic props, string capability) { VaultClient = new HcvKeyfactorClient(JobParameters.VaultToken, JobParameters.VaultServerUrl, JobParameters.MountPoint, JobParameters.StorePath); } - // logging token policies - var policies = await VaultClient.GetTokenPoliciesAsync(); - logger.LogInformation($"token policies: {string.Join(", ", policies)}"); + // logging token policies (best-effort; token may lack lookup-self or method may be unsupported) + try + { + var policies = await VaultClient.GetTokenPoliciesAsync(); + logger.LogInformation($"token policies: {string.Join(", ", policies)}"); + } + catch (Exception ex) + { + logger.LogDebug($"GetTokenPoliciesAsync skipped: {ex.Message}"); + } } } } \ No newline at end of file diff --git a/hashicorp-vault-orchestrator/Jobs/Management.cs b/hashicorp-vault-orchestrator/Jobs/Management.cs index 6aef348..830661f 100644 --- a/hashicorp-vault-orchestrator/Jobs/Management.cs +++ b/hashicorp-vault-orchestrator/Jobs/Management.cs @@ -1,5 +1,5 @@ ο»Ώ -// Copyright 2025 Keyfactor +// Copyright 2026 Keyfactor // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, diff --git a/hashicorp-vault-orchestrator/PamUtilities.cs b/hashicorp-vault-orchestrator/PamUtilities.cs index 4424ed0..57b3a10 100644 --- a/hashicorp-vault-orchestrator/PamUtilities.cs +++ b/hashicorp-vault-orchestrator/PamUtilities.cs @@ -1,5 +1,5 @@ ο»Ώ -// Copyright 2025 Keyfactor +// Copyright 2026 Keyfactor // Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. // You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 // Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, diff --git a/hashicorp-vault-orchestrator/manifest.json b/hashicorp-vault-orchestrator/manifest.json index 0533d5a..9c6f7b1 100644 --- a/hashicorp-vault-orchestrator/manifest.json +++ b/hashicorp-vault-orchestrator/manifest.json @@ -1,7 +1,6 @@ { "extensions": { "Keyfactor.Orchestrators.Extensions.IOrchestratorJobExtension": { - "CertStores.HCVKVPEM.Inventory": { "assemblypath": "hashicorp-vault-orchestrator.dll", "TypeFullName": "Keyfactor.Extensions.Orchestrator.HashicorpVault.Jobs.Inventory" @@ -60,4 +59,4 @@ } } } -} \ No newline at end of file +} diff --git a/nuget.config b/nuget.config new file mode 100644 index 0000000..4d736c1 --- /dev/null +++ b/nuget.config @@ -0,0 +1,7 @@ + + + + + + + diff --git a/scripts/store_types/bash/curl_create_store_types.sh b/scripts/store_types/bash/curl_create_store_types.sh new file mode 100755 index 0000000..8b24666 --- /dev/null +++ b/scripts/store_types/bash/curl_create_store_types.sh @@ -0,0 +1,430 @@ +#!/bin/bash +# Store Type creation script using curl +# Generated by Doctool + +set -e + +# Configuration - set these variables before running +KEYFACTOR_HOSTNAME="${KEYFACTOR_HOSTNAME}" +KEYFACTOR_API_PATH="${KEYFACTOR_API_PATH:-KeyfactorAPI}" +KEYFACTOR_AUTH_TOKEN="${KEYFACTOR_AUTH_TOKEN}" + +echo "Creating store type: HCVPKI" +curl -s -X POST "https://${KEYFACTOR_HOSTNAME}/${KEYFACTOR_API_PATH}/CertificateStoreTypes" \ + -H "Authorization: Bearer ${KEYFACTOR_AUTH_TOKEN}" \ + -H "Content-Type: application/json" \ + -H "x-keyfactor-requested-with: APIClient" \ + -d '{ + "Name": "Hashicorp Vault PKI", + "ShortName": "HCVPKI", + "Capability": "HCVPKI", + "LocalStore": false, + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "PrivateKeyAllowed": "Forbidden", + "CustomAliasAllowed": "Forbidden", + "StorePathType": "Fixed", + "StorePathValue": "/", + "SupportedOperations": { + "Add": false, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": false + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200" + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance" + }, + { + "Name": "MountPoint", + "DisplayName": "Mount Point", + "Description": "This is the mount point of the instance of the PKI or Keyfactor secrets engine plugin. If using enterprise namespaces: /", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": true + }, + { + "Name": "PassphrasePath", + "DisplayName": "Passphrase Path", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret." + } + ], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default", + "StorePassword": { + "Description": "Vault token that will be used for authenticating", + "IsPAMEligible": true + } + } +}' + +echo "Creating store type: HCVKVPEM" +curl -s -X POST "https://${KEYFACTOR_HOSTNAME}/${KEYFACTOR_API_PATH}/CertificateStoreTypes" \ + -H "Authorization: Bearer ${KEYFACTOR_AUTH_TOKEN}" \ + -H "Content-Type: application/json" \ + -H "x-keyfactor-requested-with: APIClient" \ + -d '{ + "Name": "Hashicorp Vault Key-Value PEM", + "ShortName": "HCVKVPEM", + "Capability": "HCVKVPEM", + "LocalStore": false, + "PrivateKeyAllowed": "Optional", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required", + "SupportedOperations": { + "Add": true, + "Create": true, + "Discovery": true, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200" + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance" + }, + { + "Name": "SubfolderInventory", + "DisplayName": "Subfolder Inventory", + "Description": "Should certificates found in sub-paths be included when performing an inventory?", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false + }, + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Description": "Should the certificate chain be included when performing an enrollment?", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false + }, + { + "Name": "MountPoint", + "DisplayName": "Mount Point", + "Description": "The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. /", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false + } + ], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default", + "StorePassword": { + "Description": "Vault token that will be used for authenticating", + "IsPAMEligible": true + } + } +}' + +echo "Creating store type: HCVKVJKS" +curl -s -X POST "https://${KEYFACTOR_HOSTNAME}/${KEYFACTOR_API_PATH}/CertificateStoreTypes" \ + -H "Authorization: Bearer ${KEYFACTOR_AUTH_TOKEN}" \ + -H "Content-Type: application/json" \ + -H "x-keyfactor-requested-with: APIClient" \ + -d '{ + "Name": "Hashicorp Vault Key-Value JKS", + "ShortName": "HCVKVJKS", + "Capability": "HCVKVJKS", + "LocalStore": false, + "StorePathType": "", + "StorePathValue": "example: '/mycerts/certstore.jks?b64cert'", + "PrivateKeyAllowed": "Optional", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required", + "SupportedOperations": { + "Add": true, + "Create": true, + "Discovery": true, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200" + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance" + }, + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Description": "Should the certificate chain be included when performing an enrollment?", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false + }, + { + "Name": "MountPoint", + "DisplayName": "Mount Point", + "Description": "The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. /", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false + }, + { + "Name": "PassphrasePath", + "DisplayName": "Passphrase Path", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret." + } + ], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default", + "StorePassword": { + "Description": "Vault token that will be used for authenticating", + "IsPAMEligible": true + } + } +}' + +echo "Creating store type: HCVKVP12" +curl -s -X POST "https://${KEYFACTOR_HOSTNAME}/${KEYFACTOR_API_PATH}/CertificateStoreTypes" \ + -H "Authorization: Bearer ${KEYFACTOR_AUTH_TOKEN}" \ + -H "Content-Type: application/json" \ + -H "x-keyfactor-requested-with: APIClient" \ + -d '{ + "Name": "Hashicorp Vault Key-Value PKCS12", + "ShortName": "HCVKVP12", + "Capability": "HCVKVP12", + "LocalStore": false, + "StorePathType": "", + "StorePathValue": "example: '/mycerts/certstore.p12?b64cert'", + "PrivateKeyAllowed": "Optional", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required", + "SupportedOperations": { + "Add": true, + "Create": true, + "Discovery": true, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200" + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance" + }, + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Description": "Should the certificate chain be included when performing an enrollment?", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false + }, + { + "Name": "MountPoint", + "DisplayName": "Mount Point", + "Description": "The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. /", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false + }, + { + "Name": "PassphrasePath", + "DisplayName": "Passphrase Path", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret." + } + ], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default", + "StorePassword": { + "Description": "Vault token that will be used for authenticating", + "IsPAMEligible": true + } + } +}' + +echo "Creating store type: HCVKVPFX" +curl -s -X POST "https://${KEYFACTOR_HOSTNAME}/${KEYFACTOR_API_PATH}/CertificateStoreTypes" \ + -H "Authorization: Bearer ${KEYFACTOR_AUTH_TOKEN}" \ + -H "Content-Type: application/json" \ + -H "x-keyfactor-requested-with: APIClient" \ + -d '{ + "Name": "Hashicorp Vault Key-Value PFX", + "ShortName": "HCVKVPFX", + "Capability": "HCVKVPFX", + "LocalStore": false, + "StorePathType": "", + "StorePathValue": "example: '/mycerts/certstore.pfx?b64cert'", + "PrivateKeyAllowed": "Optional", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required", + "SupportedOperations": { + "Add": true, + "Create": true, + "Discovery": true, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200" + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance" + }, + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Description": "Should the certificate chain be included when performing an enrollment?", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false + }, + { + "Name": "MountPoint", + "DisplayName": "Mount Point", + "Description": "The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. /", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false + }, + { + "Name": "PassphrasePath", + "DisplayName": "Passphrase Path", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret." + } + ], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default", + "StorePassword": { + "Description": "Vault token that will be used for authenticating", + "IsPAMEligible": true + } + } +}' + diff --git a/scripts/store_types/bash/kfutil_create_store_types.sh b/scripts/store_types/bash/kfutil_create_store_types.sh new file mode 100755 index 0000000..0699243 --- /dev/null +++ b/scripts/store_types/bash/kfutil_create_store_types.sh @@ -0,0 +1,21 @@ +#!/bin/bash +# Store Type creation script using kfutil +# Generated by Doctool + +set -e + +echo "Creating store type: HCVPKI" +kfutil store-types create HCVPKI + +echo "Creating store type: HCVKVPEM" +kfutil store-types create HCVKVPEM + +echo "Creating store type: HCVKVJKS" +kfutil store-types create HCVKVJKS + +echo "Creating store type: HCVKVP12" +kfutil store-types create HCVKVP12 + +echo "Creating store type: HCVKVPFX" +kfutil store-types create HCVKVPFX + diff --git a/scripts/store_types/powershell/kfutil_create_store_types.ps1 b/scripts/store_types/powershell/kfutil_create_store_types.ps1 new file mode 100644 index 0000000..dff4d65 --- /dev/null +++ b/scripts/store_types/powershell/kfutil_create_store_types.ps1 @@ -0,0 +1,18 @@ +# Store Type creation script using kfutil +# Generated by Doctool + +Write-Host "Creating store type: HCVPKI" +kfutil store-types create HCVPKI + +Write-Host "Creating store type: HCVKVPEM" +kfutil store-types create HCVKVPEM + +Write-Host "Creating store type: HCVKVJKS" +kfutil store-types create HCVKVJKS + +Write-Host "Creating store type: HCVKVP12" +kfutil store-types create HCVKVP12 + +Write-Host "Creating store type: HCVKVPFX" +kfutil store-types create HCVKVPFX + diff --git a/scripts/store_types/powershell/restmethod_create_store_types.ps1 b/scripts/store_types/powershell/restmethod_create_store_types.ps1 new file mode 100644 index 0000000..d049a7d --- /dev/null +++ b/scripts/store_types/powershell/restmethod_create_store_types.ps1 @@ -0,0 +1,433 @@ +# Store Type creation script using Invoke-RestMethod +# Generated by Doctool + +# Configuration - set these variables before running +$KeyfactorHostname = $env:KEYFACTOR_HOSTNAME +$KeyfactorApiPath = if ($env:KEYFACTOR_API_PATH) { $env:KEYFACTOR_API_PATH } else { "KeyfactorAPI" } +$KeyfactorAuthToken = $env:KEYFACTOR_AUTH_TOKEN + +$Headers = @{ + "Authorization" = "Bearer $KeyfactorAuthToken" + "Content-Type" = "application/json" + "x-keyfactor-requested-with" = "APIClient" +} + +Write-Host "Creating store type: HCVPKI" +$Body = @' +{ + "Name": "Hashicorp Vault PKI", + "ShortName": "HCVPKI", + "Capability": "HCVPKI", + "LocalStore": false, + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "PrivateKeyAllowed": "Forbidden", + "CustomAliasAllowed": "Forbidden", + "StorePathType": "Fixed", + "StorePathValue": "/", + "SupportedOperations": { + "Add": false, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": false + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200" + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance" + }, + { + "Name": "MountPoint", + "DisplayName": "Mount Point", + "Description": "This is the mount point of the instance of the PKI or Keyfactor secrets engine plugin. If using enterprise namespaces: /", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": true + }, + { + "Name": "PassphrasePath", + "DisplayName": "Passphrase Path", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret." + } + ], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default", + "StorePassword": { + "Description": "Vault token that will be used for authenticating", + "IsPAMEligible": true + } + } +} +'@ + +Invoke-RestMethod -Uri "https://$KeyfactorHostname/$KeyfactorApiPath/CertificateStoreTypes" -Method POST -Headers $Headers -Body $Body + +Write-Host "Creating store type: HCVKVPEM" +$Body = @' +{ + "Name": "Hashicorp Vault Key-Value PEM", + "ShortName": "HCVKVPEM", + "Capability": "HCVKVPEM", + "LocalStore": false, + "PrivateKeyAllowed": "Optional", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required", + "SupportedOperations": { + "Add": true, + "Create": true, + "Discovery": true, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200" + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance" + }, + { + "Name": "SubfolderInventory", + "DisplayName": "Subfolder Inventory", + "Description": "Should certificates found in sub-paths be included when performing an inventory?", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false + }, + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Description": "Should the certificate chain be included when performing an enrollment?", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false + }, + { + "Name": "MountPoint", + "DisplayName": "Mount Point", + "Description": "The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. /", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false + } + ], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default", + "StorePassword": { + "Description": "Vault token that will be used for authenticating", + "IsPAMEligible": true + } + } +} +'@ + +Invoke-RestMethod -Uri "https://$KeyfactorHostname/$KeyfactorApiPath/CertificateStoreTypes" -Method POST -Headers $Headers -Body $Body + +Write-Host "Creating store type: HCVKVJKS" +$Body = @' +{ + "Name": "Hashicorp Vault Key-Value JKS", + "ShortName": "HCVKVJKS", + "Capability": "HCVKVJKS", + "LocalStore": false, + "StorePathType": "", + "StorePathValue": "example: '/mycerts/certstore.jks?b64cert'", + "PrivateKeyAllowed": "Optional", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required", + "SupportedOperations": { + "Add": true, + "Create": true, + "Discovery": true, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200" + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance" + }, + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Description": "Should the certificate chain be included when performing an enrollment?", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false + }, + { + "Name": "MountPoint", + "DisplayName": "Mount Point", + "Description": "The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. /", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false + }, + { + "Name": "PassphrasePath", + "DisplayName": "Passphrase Path", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret." + } + ], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default", + "StorePassword": { + "Description": "Vault token that will be used for authenticating", + "IsPAMEligible": true + } + } +} +'@ + +Invoke-RestMethod -Uri "https://$KeyfactorHostname/$KeyfactorApiPath/CertificateStoreTypes" -Method POST -Headers $Headers -Body $Body + +Write-Host "Creating store type: HCVKVP12" +$Body = @' +{ + "Name": "Hashicorp Vault Key-Value PKCS12", + "ShortName": "HCVKVP12", + "Capability": "HCVKVP12", + "LocalStore": false, + "StorePathType": "", + "StorePathValue": "example: '/mycerts/certstore.p12?b64cert'", + "PrivateKeyAllowed": "Optional", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required", + "SupportedOperations": { + "Add": true, + "Create": true, + "Discovery": true, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200" + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance" + }, + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Description": "Should the certificate chain be included when performing an enrollment?", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false + }, + { + "Name": "MountPoint", + "DisplayName": "Mount Point", + "Description": "The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. /", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false + }, + { + "Name": "PassphrasePath", + "DisplayName": "Passphrase Path", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret." + } + ], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default", + "StorePassword": { + "Description": "Vault token that will be used for authenticating", + "IsPAMEligible": true + } + } +} +'@ + +Invoke-RestMethod -Uri "https://$KeyfactorHostname/$KeyfactorApiPath/CertificateStoreTypes" -Method POST -Headers $Headers -Body $Body + +Write-Host "Creating store type: HCVKVPFX" +$Body = @' +{ + "Name": "Hashicorp Vault Key-Value PFX", + "ShortName": "HCVKVPFX", + "Capability": "HCVKVPFX", + "LocalStore": false, + "StorePathType": "", + "StorePathValue": "example: '/mycerts/certstore.pfx?b64cert'", + "PrivateKeyAllowed": "Optional", + "JobProperties": [], + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required", + "SupportedOperations": { + "Add": true, + "Create": true, + "Discovery": true, + "Enrollment": false, + "Remove": true + }, + "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "The base URI (and port) to the instance of Hashicorp Vault ex: https://localhost:8200" + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "DependsOn": "", + "DefaultValue": "", + "Required": true, + "IsPAMEligible": true, + "Description": "Vault token that will be used by the Orchestrator integration for authenticating and performing operations in the Vault instance" + }, + { + "Name": "IncludeCertChain", + "DisplayName": "Include Certificate Chain", + "Description": "Should the certificate chain be included when performing an enrollment?", + "Type": "Bool", + "DependsOn": "", + "DefaultValue": "false", + "Required": false + }, + { + "Name": "MountPoint", + "DisplayName": "Mount Point", + "Description": "The base mount point of the secrets engine. If using Vault Namespaces, include the namespace; ie. /", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false + }, + { + "Name": "PassphrasePath", + "DisplayName": "Passphrase Path", + "Type": "String", + "DependsOn": "", + "DefaultValue": "", + "Required": false, + "Description": "This is the path to the secret that contains the passphrase to the cert store file. If empty or omitted, assume the secret is named 'passphrase' on the same level as the certificate store secret." + } + ], + "EntryParameters": [], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default", + "StorePassword": { + "Description": "Vault token that will be used for authenticating", + "IsPAMEligible": true + } + } +} +'@ + +Invoke-RestMethod -Uri "https://$KeyfactorHostname/$KeyfactorApiPath/CertificateStoreTypes" -Method POST -Headers $Headers -Body $Body +