
Commit 33c19a4

Merge pull request #268 from philips-software/feature/pki-uaa-optional
PKI: make UAA credentials fully optional #267
2 parents 98f05f0 + 91fec08 commit 33c19a4


6 files changed

+44
-12
lines changed


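--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## v0.38.9
+
+- PKI: make UAA credentials fully optional #267
+
 ## v0.38.8
 
 - IAM: conditionally check IAM Device/User mixups #265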

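--- a/go.mod
+++ b/go.mod
@@ -17,7 +17,7 @@ require (
 	github.com/loafoe/easyssh-proxy/v2 v2.0.4
 	github.com/loafoe/ferrite v0.2.0
 	github.com/philips-labs/siderite v0.12.2
-	github.com/philips-software/go-hsdp-api v0.75.4
+	github.com/philips-software/go-hsdp-api v0.75.5
 	github.com/pkg/errors v0.9.1
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/stretchr/testify v1.8.1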

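--- a/go.sum
+++ b/go.sum
@@ -749,6 +749,8 @@ github.com/philips-labs/siderite v0.12.2/go.mod h1:wDjyR2ecI8z9S/uw4v7XCtgYK1Vr/
 github.com/philips-software/go-hsdp-api v0.50.2/go.mod h1:+/oOyI8Equm7/YcUHJ+PO3HO4U92JcAAoOs5DYRRkIc=
 github.com/philips-software/go-hsdp-api v0.75.4 h1:yT7i3hVijpHjvqMsi8imy449v3jHnk7FRTAmNyhDCCo=
 github.com/philips-software/go-hsdp-api v0.75.4/go.mod h1:rd6uphXchFcYW2ehT5xWGobAZrIod7qSOLZUqWh61y4=
+github.com/philips-software/go-hsdp-api v0.75.5 h1:+v/egzo7HBCCkw+1ggong4qY7CBnOdWwkha6uGgwuY8=
+github.com/philips-software/go-hsdp-api v0.75.5/go.mod h1:WLknlRw2GiSmtDufXcy28YHOcbQXn3RfB9RrT5cimxQ=
 github.com/philips-software/go-hsdp-signer v1.4.0 h1:yg7UILhmI4xJhr/tQiAiQwJL0EZFvLuMqpH2GZ9ygY4=
 github.com/philips-software/go-hsdp-signer v1.4.0/go.mod h1:/QehZ/+Aks2t1TFpjhF/7ZSB8PJIIJHzLc03rOqwLw0=
 github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=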

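--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -136,6 +136,10 @@ func (c *Config) IAMClient(principal ...*Principal) (*iam.Client, error) {
 	return c.iamClient, c.iamClientErr
 }
 
+func (c *Config) HasUAAuth() bool {
+	return c.UAAUsername != "" && c.UAAPassword != ""
+}
+
 func (c *Config) DiscoveryClient(principal ...*Principal) (*discovery.Client, error) {
 	if len(principal) > 0 && principal[0] != nil && principal[0].HasAuth() {
 		region := principal[0].Region
@@ -744,10 +748,7 @@ func (c *Config) SetupPKIClient() {
 		c.pkiClientErr = fmt.Errorf("IAM client error in setupPKIClient: %w", c.iamClientErr)
 		return
 	}
-	if c.consoleClientErr != nil {
-		c.pkiClientErr = fmt.Errorf("console client error in setupPKIClient: %w", c.consoleClientErr)
-		return
-	}
+	// We ignore any consoleClient error for now
 	client, err := pki.NewClient(c.consoleClient, c.iamClient, &pki.Config{
 		Region: c.Region,
 		Environment: c.Environment,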
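Review bot: The second hunk drops the consoleClientErr check without recording the error anywhere, so a console client that failed because UAA credentials were supplied but wrong is now indistinguishable from one that was never configured, and the problem only surfaces later as an unexplained failure in whichever PKI call touches the console client. Since HasUAAuth() is introduced in the first hunk, the check can be kept for the case where credentials were actually given — `if c.consoleClientErr != nil && c.HasUAAuth() {` in front of the existing assignment and return — and the placeholder comment replaced by one stating the contract, e.g. `// consoleClient is optional: without UAA credentials it is unusable and the PKI tenant resources guard on HasUAAuth() before calling it` (I cannot see how consoleClient is initialised, so confirm that wording). HasUAAuth is exported and has no doc comment; `// HasUAAuth reports whether both CF UAA username and password are configured.` would do. SetupPKIClient's body continues outside the hunk on both sides.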

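--- a/internal/services/pki/resource_pki_cert.go
+++ b/internal/services/pki/resource_pki_cert.go
@@ -125,27 +125,31 @@ func resourcePKICertCreate(_ context.Context, d *schema.ResourceData, m interfac
 	}
 	defer client.Close()
 
+	roleName := d.Get("role").(string)
 	tenantID := d.Get("tenant_id").(string)
 	logicalPath, err := pki.APIEndpoint(tenantID).LogicalPath()
 	if err != nil {
 		return diag.FromErr(fmt.Errorf("create PKI cert logicalPath: %w", err))
 	}
+
+	// Only check role if we have a working consoleClient
 	tenant, _, err := client.Tenants.Retrieve(logicalPath)
-	if err != nil {
+	if err == nil {
+		_, ok := tenant.GetRoleOk(roleName)
+		if !ok {
+			return diag.FromErr(fmt.Errorf("role '%s' not found or invalid", roleName))
+		}
 		return diag.FromErr(err)
 	}
-	roleName := d.Get("role").(string)
+
 	ttl := d.Get("ttl").(string)
 	ipSANS := tools.ExpandStringList(d.Get("ip_sans").(*schema.Set).List())
 	uriSANS := tools.ExpandStringList(d.Get("uri_sans").(*schema.Set).List())
 	otherSANS := tools.ExpandStringList(d.Get("other_sans").(*schema.Set).List())
 	commonName := d.Get("common_name").(string)
 	altNames := d.Get("alt_names").(string)
 	excludeCNFromSANS := d.Get("exclude_cn_from_sans").(bool)
-	role, ok := tenant.GetRoleOk(roleName)
-	if !ok {
-		return diag.FromErr(fmt.Errorf("role '%s' not found or invalid", roleName))
-	}
+
 	certRequest := pki.CertificateRequest{
 		CommonName: commonName,
 		AltNames: altNames,
@@ -157,7 +161,7 @@ func resourcePKICertCreate(_ context.Context, d *schema.ResourceData, m interfac
 		PrivateKeyFormat: "pem",
 		Format: "pem",
 	}
-	cert, resp, err := client.Services.IssueCertificate(logicalPath, role.Name, certRequest)
+	cert, resp, err := client.Services.IssueCertificate(logicalPath, roleName, certRequest)
 	if err != nil {
 		if resp != nil && resp.StatusCode == http.StatusForbidden {
 			return diag.FromErr(fmt.Errorf("you might be missing the 'PKI_CERT.ISSUE' permission for the tenant org: %w", err))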
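Review bot: The restructured block in the first hunk returns before the certificate is issued on the happy path: inside the new `if err == nil {` the old `return diag.FromErr(err)` survives as a context line, so once the role lookup succeeds the function returns diag.FromErr(nil) — which, as far as I know, is an empty Diagnostics — and never reaches IssueCertificate below, leaving the resource without an ID. That line should be deleted so the block is only `if err == nil { _, ok := tenant.GetRoleOk(roleName); if !ok { return diag.FromErr(fmt.Errorf("role '%s' not found or invalid", roleName)) } }`. The comment `// Only check role if we have a working consoleClient` also overstates the condition: any Retrieve failure, including a transient one with valid UAA credentials, now skips the client-side role validation and leaves the server response from IssueCertificate as the only check, so gating on whether UAA credentials are configured (the config's HasUAAuth, if it is reachable here) would keep the validation whenever it is possible. resourcePKICertCreate starts and ends outside the hunk.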

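--- a/internal/services/pki/resource_pki_tenant.go
+++ b/internal/services/pki/resource_pki_tenant.go
@@ -2,6 +2,7 @@ package pki
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
@@ -11,6 +12,10 @@ import (
 	"github.com/philips-software/terraform-provider-hsdp/internal/tools"
 )
 
+var (
+	missingUAACredentialsErr = errors.New("this resource only works when CF UAA credentials are configured")
+)
+
 func ResourcePKITenant() *schema.Resource {
 	return &schema.Resource{
 		Importer: &schema.ResourceImporter{
@@ -155,6 +160,10 @@ func resourcePKITenantDelete(_ context.Context, d *schema.ResourceData, m interf
 	var err error
 	var client *pki.Client
 
+	if !c.HasUAAuth() {
+		return diag.FromErr(missingUAACredentialsErr)
+	}
+
 	client, err = c.PKIClient()
 	if err != nil {
 		return diag.FromErr(err)
@@ -185,6 +194,10 @@ func resourcePKITenantUpdate(_ context.Context, d *schema.ResourceData, m interf
 	var err error
 	var client *pki.Client
 
+	if !c.HasUAAuth() {
+		return diag.FromErr(missingUAACredentialsErr)
+	}
+
 	client, err = c.PKIClient()
 	if err != nil {
 		return diag.FromErr(err)
@@ -315,6 +328,10 @@ func resourcePKITenantCreate(ctx context.Context, d *schema.ResourceData, m inte
 	var err error
 	var client *pki.Client
 
+	if !c.HasUAAuth() {
+		return diag.FromErr(missingUAACredentialsErr)
+	}
+
 	client, err = c.PKIClient()
 	if err != nil {
 		return diag.FromErr(err)
@@ -340,6 +357,10 @@ func resourcePKITenantRead(_ context.Context, d *schema.ResourceData, m interfac
 	var err error
 	var client *pki.Client
 
+	if !c.HasUAAuth() {
+		return diag.FromErr(missingUAACredentialsErr)
+	}
+
 	client, err = c.PKIClient()
 	if err != nil {
 		return diag.FromErr(fmt.Errorf("read PKI Tenant client: %w", err))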
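Review bot: The sentinel added in the second hunk is named `missingUAACredentialsErr`; Go convention for error variables is the `Err` prefix, `var ErrMissingUAACredentials = errors.New("this resource only works when CF UAA credentials are configured")`, which is also what staticcheck's ST1012 flags, and a single declaration does not need the parenthesised `var (...)` block. The same four-line guard is then pasted into Delete, Update, Create and Read, each immediately before the same `c.PKIClient()` call; a small helper that performs the HasUAAuth check and returns the client would keep the four call sites from drifting apart. Each of the guarded functions starts and ends outside its hunk, so I cannot see where `c` comes from.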
