Merge Release 1.3 to master (#34)

Fix for issue where plugin was not enforcing plugin-side role limitations for AllowedDomains and AllowSubDomains, and was relying exclusively on the certificate template for these values. ab#55667 ab#16822
Keyfactor · May 20, 2024 · 3438786 · 3438786
1 parent 0754030
commit 3438786
Show file tree

Hide file tree

Showing 30 changed files with 1,027 additions and 233 deletions.
diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml
@@ -1,43 +1,19 @@
-name: Starter Workflow
-on: workflow_dispatch
+name: Keyfactor Bootstrap Workflow
 
-jobs:
-  catalog-update-check:
-    runs-on: windows-latest
-    outputs:
-      upd_cat: ${{ steps.read-json.outputs.prop }}
-    steps:
-      - uses: actions/checkout@v3
-      - name: Read json
-        id: read-json
-        shell: pwsh
-        run: |
-          $json = Get-Content integration-manifest.json | ConvertFrom-Json
-          echo "::set-output name=prop::$(echo $json.update_catalog)"
-
-  #call-create-github-release-workflow:
-  #  uses: Keyfactor/actions/.github/workflows/github-release.yml@main
-
-  #call-dotnet-build-and-release-workflow:
-  #  needs: [call-create-github-release-workflow]
-  #  uses: Keyfactor/actions/.github/workflows/dotnet-build-and-release.yml@main
-  #  with:
-  #    release_version: ${{ needs.call-create-github-release-workflow.outputs.release_version }}
-  #    release_url: ${{ needs.call-create-github-release-workflow.outputs.release_url }}
-  #    release_dir: SslStoreCaProxy/bin/Release
-  #  secrets: 
-  #    token: ${{ secrets.PRIVATE_PACKAGE_ACCESS }}
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [opened, closed, synchronize, edited, reopened]
+  push:
+  create:
+    branches:
+      - 'release-*.*'
 
-  call-generate-readme-workflow:
-    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
-    uses: Keyfactor/actions/.github/workflows/generate-readme.yml@main
+jobs:
+  call-starter-workflow:
+    uses: keyfactor/actions/.github/workflows/starter.yml@v2
     secrets:
-      token: ${{ secrets.APPROVE_README_PUSH }}
-
-  call-update-catalog-workflow:
-    needs: catalog-update-check
-    if: needs.catalog-update-check.outputs.upd_cat == 'True' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch')
-    uses: Keyfactor/actions/.github/workflows/update-catalog.yml@main
-    secrets: 
-      token: ${{ secrets.SDK_SYNC_PAT }}
-
+      token: ${{ secrets.V2BUILDTOKEN}}
+      APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}}
+      gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }}
+      gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }}
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,10 @@
 .vs/*
-vaultSecretsEngine-update.zip
+*.zip
 vault/plugins/*
+*.sh
 *.exe
+keyfactor
+Keyfactor Vault Secrets Engine Guide.docx
+Makefile
+sample_config.json
+README.md
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -9,7 +9,7 @@ builds:
       # goreleaser does not work with CGO, it could also complicate
       # usage by users in CI/CD systems like Terraform Cloud where
       # they are unable to install libraries.
-      - CGO_ENABLED=0
+    - CGO_ENABLED=0
     mod_timestamp: '{{ .CommitTimestamp }}'
     flags:
       - -trimpath
@@ -28,15 +28,21 @@ builds:
     ignore:
       - goos: darwin
         goarch: '386'
-    binary: 'kfutil'
+      - goos: freebsd
+        goarch: 'arm64'
+    binary: 'keyfactor'
+    id: "keyfactor"
+    main: './cmd/keyfactor'
+    hooks:
+      post:
+        # - cmd:  sh -c "echo $(echo -n '{{split .Target "_"}}'; echo -ne "\t"; sha256sum {{.Path}} | cut -d ' ' -f 1,2) >> binary_checksums.txt"
+        - cmd:  sh -c "echo $(echo -n '{{.Os}} '; echo -n '{{.Arch}}  '; sha256sum {{.Path}} | cut -d ' ' -f 1,2) >> binary_checksums.txt"
+          dir: './dist'
 archives:
   - format: zip
     name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}'
 checksum:
-  extra_files:
-    - glob: 'integration-manifest.json'
-      name_template: '{{ .ProjectName }}_{{ .Version }}_manifest.json'
-  name_template: '{{ .ProjectName }}_{{ .Version }}_SHA256SUMS'
+  name_template: '{{ .ProjectName }}.{{ .Version }}.sha256'
   algorithm: sha256
 signs:
   - artifacts: checksum
@@ -53,8 +59,9 @@ signs:
 release:
   prerelease: auto
   extra_files:
-    - glob: 'integration-manifest.json'
-      name_template: '{{ .ProjectName }}_{{ .Version }}_manifest.json'
+    - glob: 'installation.txt'
+    - glob: 'LICENSE.txt'
+    - glob: './dist/binary_checksums.txt'
   # If you want to manually examine the release before its live, uncomment this line:
   draft: true
 changelog:

diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -0,0 +1,5 @@
+{
+  "files.associations": {
+    "*.yaml": "home-assistant"
+  }
+}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,18 @@
+- 1.3.1 
+  - Fix for issue where plugin was not enforcing plugin-side role limitations for AllowedDomains and AllowSubDomains, and was relying exclusively on the certificate template for these values.
+
+- 1.3.0
+  - Fix for double encoding certificates when viewed in the terminal.
+
+- 1.2.0
+  - Updated the plugin to use it's own internal configuration settings storage per instance.
+
+- 1.1.0
+  - added subject parameters to certificate enrollment
+  - now defaulting to role values for subject parameters if not provided.
+
+- 1.0.1
+  - This release fixes a bug where the CA logical name was not being URL encoded before sending the request to Keyfactor.
+
+- 1.00
+  - initial release
diff --git a/Keyfactor Vault Secrets Engine Guide.docx b/Keyfactor Vault Secrets Engine Guide.docx
diff --git a/LICENSE.txt b/LICENSE.txt
@@ -0,0 +1,6 @@
+Copyright 2024 Keyfactor
+Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+and limitations under the License.
diff --git a/Makefile b/Makefile
@@ -1,3 +1,6 @@
+BINARY = "keyfactor"
+VERSION = "v1.3.1"
+
 GOARCH = amd64
 
 UNAME = $(shell uname -s)
@@ -31,4 +34,20 @@ clean:
 fmt:
 	go fmt $$(go list ./...)
 
+
+release:
+	GOOS=darwin GOARCH=amd64 go build -o ./bin/${BINARY}_${VERSION}_darwin_amd64
+	GOOS=freebsd GOARCH=386 go build -o ./bin/${BINARY}_${VERSION}_freebsd_386
+	GOOS=freebsd GOARCH=amd64 go build -o ./bin/${BINARY}_${VERSION}_freebsd_amd64
+	GOOS=freebsd GOARCH=arm go build -o ./bin/${BINARY}_${VERSION}_freebsd_arm
+	GOOS=linux GOARCH=386 go build -o ./bin/${BINARY}_${VERSION}_linux_386
+	GOOS=linux GOARCH=amd64 go build -o ./bin/${BINARY}_${VERSION}_linux_amd64
+	GOOS=linux GOARCH=arm go build -o ./bin/${BINARY}_${VERSION}_linux_arm
+	GOOS=openbsd GOARCH=386 go build -o ./bin/${BINARY}_${VERSION}_openbsd_386
+	GOOS=openbsd GOARCH=amd64 go build -o ./bin/${BINARY}_${VERSION}_openbsd_amd64
+	GOOS=solaris GOARCH=amd64 go build -o ./bin/${BINARY}_${VERSION}_solaris_amd64
+	GOOS=windows GOARCH=386 go build -o ./bin/${BINARY}_${VERSION}_windows_386
+	GOOS=windows GOARCH=amd64 go build -o ./bin/${BINARY}_${VERSION}_windows_amd64
+
+
 .PHONY: build clean fmt start enable