diff --git a/aruba/features/provision/cloudkeystore/provision_cloudkeystore.feature b/aruba/features/provision/cloudkeystore/provision_cloudkeystore.feature
index a0cb7367..4b89a371 100644
--- a/aruba/features/provision/cloudkeystore/provision_cloudkeystore.feature
+++ b/aruba/features/provision/cloudkeystore/provision_cloudkeystore.feature
@@ -46,6 +46,7 @@ Feature: provision to cloud keystore | cloudkeystore | | GOOGLE | | AWS | + | AZURE | Scenario Outline: Enroll certificate, execute provisioning and then provisioning again for replace Given I enroll a random certificate with defined platform VCP with -csr service -no-prompt
diff --git a/pkg/venafi/cloud/certificate.go b/pkg/venafi/cloud/certificate.go
index 93677a19..586e7006 100644
--- a/pkg/venafi/cloud/certificate.go
+++ b/pkg/venafi/cloud/certificate.go
@@ -16,11 +16,14 @@ package cloud
+import "time"
+
 type VenafiCertificate struct {
- ID string `json:"id,omitempty"`
- CertificateStatus string `json:"certificateStatus,omitempty"`
- CertificateRequestId string `json:"certificateRequestId,omitempty"`
- DekHash string `json:"dekHash,omitempty"`
- Fingerprint string `json:"fingerprint,omitempty"`
- CertificateSource string `json:"certificateSource,omitempty"`
+ ID string `json:"id,omitempty"`
+ CertificateStatus string `json:"certificateStatus,omitempty"`
+ CertificateRequestId string `json:"certificateRequestId,omitempty"`
+ DekHash string `json:"dekHash,omitempty"`
+ Fingerprint string `json:"fingerprint,omitempty"`
+ CertificateSource string `json:"certificateSource,omitempty"`
+ ValidityEnd time.Time `json:"validityEnd"`
 }
diff --git a/pkg/venafi/cloud/cloudproviders.go b/pkg/venafi/cloud/cloudproviders.go
index 9d0bcb70..16bc23ba 100644
--- a/pkg/venafi/cloud/cloudproviders.go
+++ b/pkg/venafi/cloud/cloudproviders.go
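Review bot: `ValidityEnd` is added to VenafiCertificate without a doc comment, and unlike the string fields its zero value matters: if the API response omits `validityEnd`, encoding/json leaves the zero `time.Time` (year 1), which any caller comparing against `time.Now()` will treat as long expired. Add `// ValidityEnd is the certificate's expiry as reported by the API; it is the zero time when validityEnd is absent from the response.` so that callers know to check `IsZero()` before trusting it. Note also that `time.Time` only unmarshals RFC 3339 timestamps, so if the service ever emits another format the whole VenafiCertificate decode fails rather than just this field; I cannot confirm the API's format from this diff, so a decode test against a captured response would settle it.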
@@ -66,13 +66,13 @@ func (c *Connector) ProvisionCertificate(req *domain.ProvisioningRequest, option
 certificateIDString := *(reqData.CertificateID)
 log.Printf("Certificate ID for provisioning: %s", certificateIDString)
- // Is certificate generated by VCP?
- log.Printf("Validating if certificate is generated by VCP")
- err := c.validateIfCertIsVCPGeneratedByID(*(reqData.CertificateID))
+ // Is certificate valid for provisioning?
+ log.Printf("Validating if certificate is valid")
+ err := c.validateCertificate(*(reqData.CertificateID))
 if err != nil {
 return nil, err
 }
- log.Println("Certificate is valid for provisioning (VCP generated)")
+ log.Printf("Good certificate for provisioning!")
 cloudKeystore := reqData.Keystore
@@ -175,7 +175,7 @@ func (c *Connector) ProvisionCertificateToMachineIdentity(req domain.Provisionin
 // Is certificate generated by VCP?
 log.Printf("validating if certificate is generated by VCP")
- err := c.validateIfCertIsVCPGeneratedByID(certificateID)
+ err := c.validateCertificate(certificateID)
 if err != nil {
 return nil, err
 }
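Review bot: The new success line `log.Printf("Good certificate for provisioning!")` has no format verbs, so `log.Println` is the matching call, and it drops the information the removed line carried about which checks actually passed; prefer `log.Println("Certificate is valid for provisioning (not expired, VCP generated)")`. In the same hunk the call dereferences `*(reqData.CertificateID)` a second time even though `certificateIDString` already holds that value two lines up; `err := c.validateCertificate(certificateIDString)` reads cleaner and keeps the logged ID and the validated ID visibly the same. ProvisionCertificate begins and ends outside this hunk.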
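Review bot: In ProvisionCertificateToMachineIdentity the comment and log line above the new call still say "generated by VCP", but `validateCertificate` now also rejects expired certificates, so an expiry error will be returned under a log line announcing a different check; the sibling hunk in ProvisionCertificate updated its wording and this one should match. Change the two context lines to `// Is certificate valid for provisioning (not expired, VCP generated)?` and `log.Printf("validating if certificate is valid for provisioning")`. The function begins and ends outside this hunk.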
@@ -300,14 +300,26 @@ func setProvisioningOptions(options domain.ProvisioningOptions, keystoreType dom
 return provisioningOptions, nil
 }
-func (c *Connector) validateIfCertIsVCPGeneratedByID(certificateId string) error {
+func (c *Connector) validateCertificate(certificateId string) error {
 cert, err := c.getCertificates(certificateId)
 if err != nil {
 return fmt.Errorf("error trying to get certificate details for cert with ID: %s, error: %s", certificateId, err.Error())
 }
+
+ // Is certificate not expired?
+ log.Printf("Validating if certificate is not expired")
+ now := time.Now()
+ if now.Unix() > cert.ValidityEnd.Unix() {
+ return fmt.Errorf("error trying to provisioning certificate with ID: %s. Provided certificate is expired", certificateId)
+ }
+ log.Printf("Certificate is still valid")
+
+ // Is certificate generated by VCP?
+ log.Printf("Validating if certificate is generated by VCP")
 if cert.DekHash == "" {
 return fmt.Errorf("error trying to provisioning certificate with ID: %s. Provided certificate is not VCP generated", certificateId)
 }
+ log.Println("Certificate is valid for provisioning (VCP generated)")
 return nil
 }
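Review bot: The expiry check `now.Unix() > cert.ValidityEnd.Unix()` cannot distinguish an expired certificate from a response that simply had no `validityEnd`: the zero `time.Time` has a Unix value far in the past, so such a certificate is rejected with the message "Provided certificate is expired", which is fail-closed (good) but will send whoever debugs it down the wrong path. Reject the zero value explicitly with its own message, and compare with `time.Now().After(cert.ValidityEnd)` rather than via `Unix()`, which is the idiomatic form and makes the intent obvious. The check also trusts the API-reported `validityEnd` rather than the certificate's own notAfter; that is reasonable here since the API is the source of the certificate, but worth a one-line comment stating it. The existing message text "error trying to provisioning" is carried over verbatim and should probably read "error trying to provision".
```go
	// Is certificate not expired? Trusts the API-reported validityEnd, not the cert's own notAfter.
	log.Printf("Validating if certificate is not expired")
	if cert.ValidityEnd.IsZero() {
		return fmt.Errorf("error trying to provisioning certificate with ID: %s. Certificate details do not include validityEnd", certificateId)
	}
	if time.Now().After(cert.ValidityEnd) {
		return fmt.Errorf("error trying to provisioning certificate with ID: %s. Provided certificate is expired", certificateId)
	}
	log.Printf("Certificate is still valid")
	// … unchanged: VCP-generated (DekHash) check and success log …
```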