chore(deps): Bump keyfactor-auth-client-go to v1.1.2 #39
Open
spbsoluble wants to merge 40 commits into
Conversation
```
go: upgraded github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 => v1.17.0
go: upgraded github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 => v1.8.1
go: upgraded github.com/fatih/color v1.13.0 => v1.18.0
go: upgraded github.com/hashicorp/go-hclog v1.5.0 => v1.6.3
go: upgraded github.com/mattn/go-colorable v0.1.13 => v0.1.14
go: upgraded github.com/mattn/go-isatty v0.0.19 => v0.0.20
go: upgraded golang.org/x/crypto v0.30.0 => v0.32.0
go: upgraded golang.org/x/net v0.32.0 => v0.34.0
go: upgraded golang.org/x/oauth2 v0.24.0 => v0.25.0
go: upgraded golang.org/x/sys v0.28.0 => v0.29.0
```
… commas. feat(certs): Add `collectionId` support for certificate downloads.
Expand secret type (#47)
… validation logic to require a `subject` or at least 1 `SAN`
…Type`, `AlternativeKeyLength` to `EnrollPFXFctArgsV2`
…KeySizeInBits,AltKeyType,IssuedEmail,AltSigningAlgorithm,AltKeyTypeString,HasAltPrivateKey,CARecordId,Curve,EnrollmentPatternId` to `GetCertificateResponse` model
…to `StorePasswordConfig` on `UpdateStoreFctArgs`
…h empty for enrollments
…Key,RenewalCertificateId,AdditionalEnrollmentFields,EnrollmentPatternId,OwnerRoleId,OwnerRoleName,IncludeSubjectHeader`
V25 enrollment updates
…ayloads. feat(models/stores): Add `RemoteProviderName` to `StorePasswordConfig`
Signed-off-by: spbsoluble <1661003+spbsoluble@users.noreply.github.com>
…return raw JSON response in error if possible.
Signed-off-by: spbsoluble <1661003+spbsoluble@users.noreply.github.com>
## Summary

This PR adds several new API capabilities and bug fixes targeting Keyfactor Command v25+:

- **Applications API** — Full CRUD support (`List`, `Get`, `Create`, `Update`, `Delete`) for the `/Applications` endpoint, including all schedule types and backwards compatibility for Command versions prior to v25
- **PAM Providers & Types** — Full CRUD for `/PamProviders` and `/PamProviders/Types`, with a `GetPamProviderByName` helper; model fixes for `ProviderType.Name` and store `Password` field types
- **Enrollment Patterns** — Full CRUD for `/EnrollmentPattern`, with new model fields; PFX enrollments can now specify `EnrollmentPatternId` or `Template` (rather than requiring both)
- **Certificate enhancements** — New fields on `GetCertificateResponse` (owner role, alt key info, curve, etc.), CSR enrollment args expanded, base64 response from `DownloadCertificate`, `findLeafCert` helper, and graceful handling of ed448 keys
- **Store improvements** — Immediate inventory scheduling, `PUT` method capitalization fix, improved error messaging when deserializing store responses, password config model alignment between create/update
- **Store types** — Paginate `ListStoreTypes` to avoid truncation on large deployments

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
The Applications API returns at most 50 results per page. With 50+ apps in the lab, newly created apps were not visible to ListApplications, causing TestIntKeyfactorApplicationDataSource to fail consistently. Pagination uses existing PageReturned/ReturnLimit query params (same pattern as CertificateStoreTypes). Regression tests added.
## Summary

`UnpackPEM` selected the leaf certificate **positionally** — it assumed `certificates[0]` was the end-entity leaf:

```go
// before
certificate = certificates[0]
caCertificates = certificates[1:]
```

This returns the **root CA** as the leaf whenever Keyfactor Command sends a PEM bundle that is not leaf-first. Externally-rooted chains (e.g. DigiCert PKIaaS) are commonly returned **root-first**, so `certificates[0]` is the root. Consumers that trust the returned leaf (e.g. the Terraform provider populating `common_name` / `certificate_pem`) then persist the root CA's subject, forcing certificate replacement on every run.

## Fix

Select the leaf by chain topology using the package's existing `findLeafCert` (the cert no other cert in the set issued) — the same helper `DownloadCertificate` already uses for the P7B path. The remaining certs become the CA chain, preserving their original order. Falls back to index 0 when no certs parse, preserving prior behavior for degenerate inputs. This makes leaf selection order-independent and consistent across the P7B and PEM code paths.

## Also included

- **go.sum:** added the missing `github.com/spbsoluble/go-pkcs12 v0.4.0` module zip checksum (`h1:`). `go.mod` pins v0.4.0 but `go.sum` only carried the `/go.mod` hash, so clean builds failed with `missing go.sum entry for module providing package github.com/spbsoluble/go-pkcs12`.

## Tests

New `v3/api/unpackpem_leaf_test.go`:

- `TestUnpackPEM_LeafSelection` — root-first / leaf-first / shuffled orderings, 2- and 3-cert chains; asserts the non-CA leaf is selected and the chain length is correct.
- `TestUnpackPEM_WithPrivateKey_RootFirst` — root-first bundle with a private key block; asserts both key extraction and correct leaf selection.
- `TestUnpackPEM_SingleCert` — single cert returned as leaf, empty chain.

Verified **red→green**: the root-first / shuffled cases fail against the pre-fix code (return `Test Root CA`) and pass after the fix. Full `./api/...` suite green.
Fixes #52
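Leaf selection by chain topology, as the description above sketches it, written out as an added example (not the project's `findLeafCert`, whose details may differ). `SelectLeaf` treats as the leaf the certificate that signed no other certificate in the set, which makes a lone self-signed cert its own leaf; `MakeCert` and the test CNs are constructed helpers for building root-first and shuffled bundles offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// SelectLeaf picks the leaf by chain topology: the cert that signed no other cert in the set,
// so root-first, leaf-first and shuffled orderings agree. The remaining certs form the chain
// in their original order; index 0 is the fallback (the old positional behaviour).
func SelectLeaf(certs []*x509.Certificate) (leaf *x509.Certificate, chain []*x509.Certificate) {
	if len(certs) == 0 {
		return nil, nil
	}
	idx := 0
search:
	for i, cand := range certs {
		for j, other := range certs {
			if i != j && other.CheckSignatureFrom(cand) == nil {
				continue search // cand issued another cert, so it is a CA, not the leaf
			}
		}
		idx = i
		break
	}
	chain = append(append(chain, certs[:idx]...), certs[idx+1:]...)
	return certs[idx], chain
}

// MakeCert issues a constructed test cert signed by parent (nil parent: self-signed root).
func MakeCert(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, pkey = t, key // self-signed
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
```

`CheckSignatureFrom` also rejects a would-be issuer whose basic constraints say it is not a CA, so an end-entity cert can never be picked as someone's parent even if a signature happened to verify.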