Enables direct supply of a valid accessToken via the playbook for VCP…

…. Improves errors on expired access token. Improves playbook validation for VCP credentials
Venafi · Apr 12, 2024 · 64a0c92 · 64a0c92
1 parent 039d25d
commit 64a0c92
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 10 deletions.
diff --git a/pkg/playbook/app/domain/connection.go b/pkg/playbook/app/domain/connection.go
@@ -104,30 +104,63 @@ func isValidTpp(c Connection) (bool, error) {
 }
 
 func isValidVaaS(c Connection) (bool, error) {
-	// Credentials are not empty
+	// Check if an API key has been provided
 	apikey := false
 	if c.Credentials.APIKey != "" {
 		apikey = true
 	}
 
-	svcaccount := false
+	accesstoken := false
+	if c.Credentials.AccessToken != "" {
+		accesstoken = true
+	}
+
+	// Check if an TokenURL has been provided
+	tokenurl := false
 	if c.Credentials.TokenURL != "" {
+		tokenurl = true
+	}
+
+	// Check if externalJWT has been provided
+	externalJWT := false
+	if c.Credentials.ExternalJWT != "" {
+		externalJWT = true
+	}
+
+	// There's a valid service account IF both externalJWT and tokenURL provided
+	svcaccount := false
+	if externalJWT && tokenurl {
 		svcaccount = true
+	} else if externalJWT && !tokenurl {
+		// JWT Provided without token url
+		return false, ErrNoVCPTokenURL
+	} else if tokenurl && !externalJWT {
+		// Tokenurl without an external JWT
+		return false, ErrNoExternalJWT
 	}
 
-	if !apikey && !svcaccount {
-		return false, ErrNoCredentials
+	// If there's just an API key provided, that's good
+	if apikey && !accesstoken && !svcaccount {
+		return true, nil
 	}
 
-	if apikey {
+	// If there's just an accessToken provided, that's good
+	if !apikey && accesstoken && !svcaccount {
 		return true, nil
 	}
 
-	if c.Credentials.ExternalJWT == "" {
-		return false, ErrNoExternalJWT
+	// If there's just a svcaccount defined, that's fine too
+	if !apikey && !accesstoken && svcaccount {
+		return true, nil
 	}
 
-	return true, nil
+	// At this point, there are no valid credentials. Figure out why.
+	if !apikey && !svcaccount && !accesstoken {
+		return false, ErrNoCredentials
+	}
+
+	// If we get here, it's because too many credentials were provided
+	return false, ErrAmbiguousVCPCreds
 }
 
 func isValidFirefly(c Connection) (bool, error) {

diff --git a/pkg/playbook/app/domain/error.go b/pkg/playbook/app/domain/error.go
@@ -84,6 +84,10 @@ var (
 	ErrNoClientId = fmt.Errorf("no cliendId defined. Firefly platform requires a clientId to request OAuth2 token")
 	// ErrNoIdentityProviderURL is thrown when platform is Firefly and no config.credentials.tokenURL is defined to request an OAuth2 Token
 	ErrNoIdentityProviderURL = fmt.Errorf("no tokenURL defined in credentials. tokenURL is required to request OAuth2 token")
-	// ErrNoExternalJWT is thrown when platform is TLSPC/VAAS/VCP, a tokenURL has been passed but no config.credentials.externalJWT is set
-	ErrNoExternalJWT = fmt.Errorf("no externalJWT defined in credentials. externalJWT is required to request an access token from VCP")
+	// ErrNoExternalJWT is thrown when platform is TLSPC/VAAS/VCP, a tokenURL has been passed but no config.credentials.ExternalJWT is set
+	ErrNoExternalJWT = fmt.Errorf("no externalJWT defined in credentials. externalJWT and tokenURL are both required to request an access token from VCP")
+	// ErrNoVaaSTokenURL is thrown when platform is TLSPC/VAAS/VCP, an externaJWT has been provided, but no config.credentials.TokenURL has been passed
+	ErrNoVCPTokenURL = fmt.Errorf("no tokenURL defined in credentials. tokenURL and externalJWT are both required to request an access token from VCP when using an externalJWT")
+	// ErrAmbiguousVCPCreds is thrown when platform is TLSPC/VAAS/VCP, and more than one type (apiKey, accessToken, or externalJWT) was provided
+	ErrAmbiguousVCPCreds = fmt.Errorf("unable to disambiguate multiple VCP credentials. Only ONE of apiKey, accessToken, or tokenURL WITH externalJWT should be defined")
 )
diff --git a/pkg/venafi/cloud/cloud.go b/pkg/venafi/cloud/cloud.go
@@ -528,6 +528,8 @@ func parseCertificateTemplateResult(httpStatusCode int, httpStatus string, body
 		return parseCertificateTemplateData(body)
 	case http.StatusBadRequest:
 		return nil, verror.ZoneNotFoundError
+	case http.StatusUnauthorized:
+		return nil, verror.UnauthorizedError
 	default:
 		respErrors, err := parseResponseErrors(body)
 		if err != nil {

diff --git a/pkg/verror/errors.go b/pkg/verror/errors.go
@@ -12,6 +12,7 @@ var (
 	PolicyValidationError           = fmt.Errorf("%w: policy doesn't match request", VcertError)
 	CertificateCheckError           = fmt.Errorf("%w: request doesn't match certificate", UserDataError)
 	AuthError                       = fmt.Errorf("%w: auth error", UserDataError)
+	UnauthorizedError               = fmt.Errorf("%w: unauthorized or expired access credentials", ServerError)
 	ZoneNotFoundError               = fmt.Errorf("%w: zone not found", UserDataError)
 	ApplicationNotFoundError        = fmt.Errorf("%w: application not found", UserDataError)
 	// certificate search errors