vcert 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a2cf972208fd705b59387e15029d570634fc0c31417c8e675fe876b8cbd4f158
-  data.tar.gz: 65dc71e3ccc17f3bd5dc210198dcf7e0f7d6b8ab3c7e5e65f6545d3fe66da4bb
+  metadata.gz: 64e42e07f9d888bfb7ce44fb88012806021ddc027d153f85c8d525862f974b30
+  data.tar.gz: '08cce53508dac0bd413f4b5d9ce5279995cdf9c4f09f85be1936e9f6255ab529'
 SHA512:
-  metadata.gz: ee6b93da05a44810c9034ad1aa85a5122bcf8d520d98c2055acbb2185c4a53460a7399e89d51fa9977cb91fb3dfa36ff2f3db7dafd45d46665ca1bc7345f39bc
-  data.tar.gz: 83b5964f8300fb15704dc9bf06ebf5afbe95a287f7671fd4f128843a5280a6b9a19680f70479207fc87bc6b5e7b19d626aa491da5b68756c4a3b612885bb134b
+  metadata.gz: 11ac60359d93852be73e6d55440f9453525258f9ee88727fbdf98e8bc899e01264b385589a6b0f77979af8af497689ba152bc94fdc66589a7d12190659c1644c
+  data.tar.gz: 02e16121c702f97653271b3e8b1c172ec1cce57b8e3fbfec2b011a3c87cb5a87f7583b3c6ffdbb8ffb6b162e8379acc1cb2afa94d888da8e9ca9578554e29f98

data/lib/cloud/cloud.rb

@@ -2,9 +2,15 @@ require 'json'
 require 'utils/utils'
 
 class Vcert::CloudConnection
-  def initialize(url, token)
-    @url = url
-    @token = token
+  CLOUD_PREFIX = '<Cloud>'.freeze
+
+  def initialize(url, apikey)
+    @url = if url.nil?
+             'https://api.venafi.cloud/v1'.freeze
+           else
+             url
+           end
+    @apikey = apikey
   end
 
 
@@ -174,10 +180,11 @@ class Vcert::CloudConnection
     url = uri.path + "/" + url
 
 
-    response = request.get(url, {TOKEN_HEADER_NAME => @token})
+    LOG.info("#{CLOUD_PREFIX} GET #{url}")
+    response = request.get(url, { TOKEN_HEADER_NAME => @apikey })
     case response.code.to_i
     when 200, 201, 202, 409
-      LOG.info(("HTTP status OK"))
+      LOG.info("#{CLOUD_PREFIX} GET HTTP status OK")
     when 403
       raise Vcert::AuthenticationError
     else
@@ -206,10 +213,11 @@ class Vcert::CloudConnection
     request.use_ssl = true
     url = uri.path + "/" + url
     encoded_data = JSON.generate(data)
-    response = request.post(url, encoded_data, {TOKEN_HEADER_NAME => @token, "Content-Type" => "application/json", "Accept" => "application/json"})
+    LOG.info("#{CLOUD_PREFIX} POST #{url}")
+    response = request.post(url, encoded_data, { TOKEN_HEADER_NAME => @apikey, "Content-Type" => "application/json", "Accept" => "application/json" })
     case response.code.to_i
     when 200, 201, 202, 409
-      LOG.info(("HTTP status OK"))
+      LOG.info("#{CLOUD_PREFIX} POST HTTP status OK")
     when 403
       raise Vcert::AuthenticationError
     else

data/lib/objects/objects.rb

@@ -58,7 +58,7 @@ module Vcert
         subject_attrs.push(['L', @locality])
       end
 
-      LOG.info("Making request from subject array #{subject_attrs.inspect}")
+      LOG.info("#{VCERT_PREFIX} Making request from subject array #{subject_attrs.inspect}")
       subject = OpenSSL::X509::Name.new subject_attrs
       csr = OpenSSL::X509::Request.new
       csr.version = 0

data/lib/tpp/tpp.rb

@@ -55,43 +55,36 @@ class Vcert::TPPConnection
   end
 
   def renew(request, generate_new_key: true)
-    if request.id == nil && request.thumbprint == nil
-      raise("Either request ID or certificate thumbprint is required to renew the certificate")
+    if request.id.nil? && request.thumbprint.nil?
+      raise('Either request ID or certificate thumbprint is required to renew the certificate')
     end
 
-    if request.thumbprint != nil
-      request.id = search_by_thumbprint(request.thumbprint)
-    end
+    request.id = search_by_thumbprint(request.thumbprint) unless request.thumbprint.nil?
     renew_req_data = {"CertificateDN": request.id}
     if generate_new_key
-      _, r = post(URL_SECRET_STORE_SEARCH, d = {"Namespace": "config", "Owner": request.id, "VaultType": 512})
-      vaultId = r["VaultIDs"][0]
-      _, r = post(URL_SECRET_STORE_RETRIEVE, d = {"VaultID": vaultId})
-      csr_base64_data = r['Base64Data']
-      csr_pem = "-----BEGIN CERTIFICATE REQUEST-----\n#{csr_base64_data}\n-----END CERTIFICATE REQUEST-----\n"
-      parsed_csr = parse_csr_fields(csr_pem)
+      csr_base64_data = retrieve request
+      LOG.info("Retrieved certificate:\n#{csr_base64_data.cert}")
+      parsed_csr = parse_csr_fields_tpp(csr_base64_data.cert)
       renew_request = Vcert::Request.new(
-          common_name: parsed_csr.fetch(:CN, nil),
-          san_dns: parsed_csr.fetch(:DNS, nil),
-          country: parsed_csr.fetch(:C, nil),
-          province: parsed_csr.fetch(:ST, nil),
-          locality: parsed_csr.fetch(:L, nil),
-          organization: parsed_csr.fetch(:O, nil),
-          organizational_unit: parsed_csr.fetch(:OU, nil))
+        common_name: parsed_csr.fetch(:CN, nil),
+        san_dns: parsed_csr.fetch(:DNS, nil),
+        country: parsed_csr.fetch(:C, nil),
+        province: parsed_csr.fetch(:ST, nil),
+        locality: parsed_csr.fetch(:L, nil),
+        organization: parsed_csr.fetch(:O, nil),
+        organizational_unit: parsed_csr.fetch(:OU, nil)
+      )
       renew_req_data.merge!(PKCS10: renew_request.csr)
     end
-    LOG.info("Trying to renew certificate %s" % request.id)
+    LOG.info("Trying to renew certificate #{request.id}")
     _, d = post(URL_CERTIFICATE_RENEW, renew_req_data)
-    if d.key?('Success')
-      if generate_new_key
-        return request.id, renew_request.private_key
-      else
-        return request.id, nil
-      end
+    raise 'Certificate renew error' unless d.key?('Success')
+
+    if generate_new_key
+      [request.id, renew_request.private_key]
     else
-      raise "Certificate renew error"
+      [request.id, nil]
     end
-
   end
 
   private
@@ -140,6 +133,7 @@ class Vcert::TPPConnection
     end
     url = uri.path + url
     encoded_data = JSON.generate(data)
+    LOG.info("#{Vcert::VCERT_PREFIX} POST request: #{request.inspect}\n\tpath: #{url}\n\tdata: #{encoded_data}")
     response = request.post(url, encoded_data, {TOKEN_HEADER_NAME => @token[0], "Content-Type" => "application/json"})
     data = JSON.parse(response.body)
     return response.code.to_i, data
@@ -156,7 +150,8 @@ class Vcert::TPPConnection
       request.ca_file = @trust_bundle
     end
     url = uri.path + url
-    response = request.get(url, {TOKEN_HEADER_NAME => @token[0]})
+    LOG.info("#{Vcert::VCERT_PREFIX} GET request: #{request.inspect}\n\tpath: #{url}")
+    response = request.get(url, { TOKEN_HEADER_NAME => @token[0] })
     # TODO: check valid json
     data = JSON.parse(response.body)
     return response.code.to_i, data

data/lib/tpp/tpp_token.rb

@@ -0,0 +1,430 @@
+require 'json'
+require 'date'
+require 'base64'
+require 'utils/utils'
+
+
+class Vcert::TokenConnection
+
+  # @param [String] url
+  # @param [String] access_token
+  # @param [String] refresh_token
+  # @param [String] user
+  # @param [String] password
+  # @param [String] trust_bundle
+  def initialize(url, access_token: nil, refresh_token: nil, user: nil, password: nil , trust_bundle: nil)
+    @url = normalize_url url
+    @auth = Vcert::Authentication.new access_token: access_token, refresh_token: refresh_token, user: user, password: password
+    @trust_bundle = trust_bundle
+  end
+
+  # @param [String] zone_tag
+  # @param [Vcert::Request] request
+  def request(zone_tag, request)
+    data = { PolicyDN: policy_dn(zone_tag),
+             PKCS10: request.csr,
+             ObjectName: request.friendly_name,
+             DisableAutomaticRenewal: 'true' }
+    code, response = post URL_CERTIFICATE_REQUESTS, data
+    raise Vcert::ServerUnexpectedBehaviorError, "Status  #{code}" if code != 200
+
+    request.id = response['CertificateDN']
+  end
+
+  # @param [Request] request
+  # @return [Vcert::Certificate]
+  def retrieve(request)
+    retrieve_request = { CertificateDN: request.id, Format: 'base64', IncludeChain: 'true', RootFirstOrder: 'false' }
+    code, response = post URL_CERTIFICATE_RETRIEVE, retrieve_request
+    return nil if code != 200
+
+    full_chain = Base64.decode64(response['CertificateData'])
+    LOG.info("#{Vcert::VCERT_PREFIX} cert data decoded: #{full_chain}")
+    cert = parse_full_chain full_chain
+    cert.private_key = request.private_key if cert.private_key == nil
+    cert
+  end
+
+  # @param [String] zone_tag
+  # @return [Vcert::Policy]
+  def policy(zone_tag)
+    code, response = post URL_ZONE_CONFIG, { PolicyDN: policy_dn(zone_tag) }
+    raise Vcert::ServerUnexpectedBehaviorError, "Status  #{code}" if code != 200
+
+    parse_policy_response response, zone_tag
+  end
+
+  # @param [String] zone_tag
+  # @return [Vcert::ZoneConfiguration]
+  def zone_configuration(zone_tag)
+    LOG.info("#{Vcert::VCERT_PREFIX} Reading zone configuration: #{zone_tag}")
+    code, response = post URL_ZONE_CONFIG, { PolicyDN: policy_dn(zone_tag) }
+    raise Vcert::ServerUnexpectedBehaviorError, "Status  #{code}" if code != 200
+
+    parse_zone_configuration response
+  end
+
+  def renew(request, generate_new_key: true)
+    if request.id.nil? && request.thumbprint.nil?
+      raise('Either request ID or certificate thumbprint is required to renew the certificate')
+    end
+
+    request.id = search_by_thumbprint(request.thumbprint) unless request.thumbprint.nil?
+    renew_req_data = { CertificateDN: request.id }
+    if generate_new_key
+      csr_base64_data = retrieve request
+      LOG.info("#{Vcert::VCERT_PREFIX} Retrieved certificate:\n#{csr_base64_data.cert}")
+      parsed_csr = parse_csr_fields_tpp(csr_base64_data.cert)
+      renew_request = Vcert::Request.new(
+        common_name: parsed_csr.fetch(:CN, nil),
+        san_dns: parsed_csr.fetch(:DNS, nil),
+        country: parsed_csr.fetch(:C, nil),
+        province: parsed_csr.fetch(:ST, nil),
+        locality: parsed_csr.fetch(:L, nil),
+        organization: parsed_csr.fetch(:O, nil),
+        organizational_unit: parsed_csr.fetch(:OU, nil)
+      )
+      renew_req_data.merge!(PKCS10: renew_request.csr)
+    end
+    LOG.info("#{Vcert::VCERT_PREFIX} Trying to renew certificate #{request.id}")
+    _, d = post(URL_CERTIFICATE_RENEW, renew_req_data)
+    raise 'Certificate renew error' unless d.key?('Success')
+
+    if generate_new_key
+      [request.id, renew_request.private_key]
+    else
+      [request.id, nil]
+    end
+  end
+
+  # @param [Vcert::Authentication] authentication
+  # @return [Vcert::TokenInfo]
+  def get_access_token(authentication: nil)
+    @auth = authentication unless authentication.nil?
+    return refresh_access_token unless @auth.refresh_token.nil?
+
+    return nil if @auth.user.nil? || @auth.password.nil?
+
+    request_data = {
+      username: @auth.user,
+      password: @auth.password,
+      client_id: @auth.client_id,
+      scope: @auth.scope,
+      state: ''
+    }
+    status, response = post(URL_AUTHORIZE_TOKEN, request_data, check_token: false, include_headers: false)
+    raise Vcert::ServerUnexpectedBehaviorError, "Status  #{code}" if status != 200
+
+    token_info = parse_access_token_data response
+    update_authentication(token_info)
+    token_info
+  end
+
+  # @return [Vcert::TokenInfo]
+  def refresh_access_token
+    request_data = {
+      refresh_token: @auth.refresh_token,
+      client_id: @auth.client_id
+    }
+
+    status, response = post(URL_REFRESH_TOKEN, request_data, check_token: false, include_headers: false)
+    if status != 200
+      raise Vcert::ServerUnexpectedBehaviorError, "Server returns #{code} status on refreshing access token"
+    end
+
+    token_info = parse_access_token_data(response)
+    update_authentication(token_info)
+    token_info
+  end
+
+  # @return []
+  def revoke_access_token
+    status, response = get(URL_REVOKE_TOKEN, check_token: false)
+    if status != 200
+      raise Vcert::ServerUnexpectedBehaviorError, "Server returns #{status} status on revoking access token"
+    end
+
+    response
+  end
+
+  private
+
+  API_TOKEN_URL = 'vedauth/'.freeze
+  API_BASE_URL = 'vedsdk/'.freeze
+
+  URL_AUTHORIZE_TOKEN = "#{API_TOKEN_URL}authorize/oauth".freeze
+  URL_REFRESH_TOKEN = "#{API_TOKEN_URL}authorize/token".freeze
+  URL_REVOKE_TOKEN = "#{API_TOKEN_URL}revoke/token".freeze
+
+  URL_AUTHORIZE = "#{API_BASE_URL}authorize/".freeze
+  URL_CERTIFICATE_REQUESTS = "#{API_BASE_URL}certificates/request".freeze
+  URL_ZONE_CONFIG = "#{API_BASE_URL}certificates/checkpolicy".freeze
+  URL_CERTIFICATE_RETRIEVE = "#{API_BASE_URL}certificates/retrieve".freeze
+  URL_CERTIFICATE_SEARCH = "#{API_BASE_URL}certificates/".freeze
+  URL_CERTIFICATE_RENEW = "#{API_BASE_URL}certificates/renew".freeze
+  URL_SECRET_STORE_SEARCH = "#{API_BASE_URL}SecretStore/LookupByOwner".freeze
+  URL_SECRET_STORE_RETRIEVE = "#{API_BASE_URL}SecretStore/Retrieve".freeze
+  HEADER_NAME_AUTHORIZATION = 'Authorization'.freeze
+  ALL_ALLOWED_REGEX = '.*'.freeze
+
+  # @param [String] url
+  # @param [Hash] data
+  # @param [boolean] check_token
+  # @param [boolean] include_headers
+  # @return [Integer, Array]
+  def post(url, data, check_token: true, include_headers: true)
+    validate_token if check_token
+
+    uri = URI.parse(@url)
+    request = Net::HTTP.new(uri.host, uri.port)
+    request.use_ssl = true
+    request.ca_file = @trust_bundle unless @trust_bundle.nil?
+    url = uri.path + url
+    encoded_data = JSON.generate(data)
+    headers = {
+      'Content-Type' => 'application/json'
+    }
+    headers.merge!(HEADER_NAME_AUTHORIZATION => build_authorization_header_value) if include_headers
+    LOG.info("#{Vcert::VCERT_PREFIX} POST request: #{request.inspect}\n\tpath: #{url}\n\tdata: #{encoded_data}\n\theaders: #{headers}")
+    response = request.post(url, encoded_data, headers)
+    LOG.info("#{Vcert::VCERT_PREFIX} POST response: [#{response.body}]")
+    data = JSON.parse(response.body)
+    [response.code.to_i, data]
+  end
+
+  # @param [String] url
+  # @param [boolean] check_token
+  # @param [boolean] include_headers
+  # @return [Integer, Array]
+  def get(url, check_token: true, include_headers: true)
+    validate_token if check_token
+
+    uri = URI.parse(@url)
+    request = Net::HTTP.new(uri.host, uri.port)
+    request.use_ssl = true
+    request.ca_file = @trust_bundle unless @trust_bundle.nil?
+
+    url = uri.path + url
+
+    headers = {}
+    headers = { HEADER_NAME_AUTHORIZATION => build_authorization_header_value } if include_headers
+    LOG.info("#{Vcert::VCERT_PREFIX} GET request: #{request.inspect}\n\tpath: #{url}\n\theaders: [#{headers}]")
+    response = request.get(url, headers)
+    LOG.info("#{Vcert::VCERT_PREFIX} GET response with status [#{response.code}]. #{response.inspect} ")
+    # TODO: check valid json
+    data = JSON.parse(response.body) unless response.body.nil? || response.body.eql?('')
+    [response.code.to_i, data]
+  end
+
+  # @param [String] zone
+  # @return [String]
+  def policy_dn(zone)
+    raise Vcert::ClientBadDataError, 'Zone should not be empty' if zone.nil? || zone == ''
+    return zone if zone =~ /^\\\\VED\\\\Policy/
+
+    if zone =~ /^\\\\/
+      "\\VED\\Policy#{zone}"
+    else
+      "\\VED\\Policy\\#{zone}"
+    end
+  end
+
+  # @param [String] url
+  # @return [String]
+  def normalize_url(url)
+    if url.index('http://') == 0
+      url = "https://#{url[7..-1]}"
+    elsif url.index('https://') != 0
+      url = "https://#{url}"
+    end
+    url += '/' unless url.end_with?('/')
+    raise Vcert::ClientBadDataError, 'Invalid URL for TPP' unless url =~ %r{^https://[a-z\d]+[-a-z\d.]+[a-z\d][:\d]*/$}
+
+    url
+  end
+
+  # @param [String] full_chain
+  # @return [Vcert::Certificate]
+  def parse_full_chain(full_chain)
+    pem_list = parse_pem_list(full_chain)
+    Vcert::Certificate.new cert: pem_list[0], chain: pem_list[1..-1], private_key: nil
+  end
+
+  # @param [String] thumbprint
+  # @return [String]
+  def search_by_thumbprint(thumbprint)
+    # thumbprint = re.sub(r'[^\dabcdefABCDEF]', "", thumbprint)
+    thumbprint = thumbprint.upcase
+    status, data = get(URL_CERTIFICATE_SEARCH + "?Thumbprint=#{thumbprint}")
+    # TODO: check that data have valid certificate in it
+    raise Vcert::ServerUnexpectedBehaviorError, "Status: #{status}. Message:\n #{data.body.to_s}" if status != 200
+
+    # TODO: check valid data
+    data['Certificates'][0]['DN']
+  end
+
+  # @param [Hash] data
+  # @return [Vcert::ZoneConfiguration]
+  def parse_zone_configuration(data)
+    LOG.info("#{Vcert::VCERT_PREFIX} Parsing Zone configuration: #{data}")
+    s = data['Policy']['Subject']
+    country = Vcert::CertField.new s['Country']['Value'], locked: s['Country']['Locked']
+    state = Vcert::CertField.new s['State']['Value'], locked: s['State']['Locked']
+    city = Vcert::CertField.new s['City']['Value'], locked: s['City']['Locked']
+    organization = Vcert::CertField.new s['Organization']['Value'], locked: s['Organization']['Locked']
+    organizational_unit = Vcert::CertField.new s['OrganizationalUnit']['Values'], locked: s['OrganizationalUnit']['Locked']
+    key_type = Vcert::KeyType.new data['Policy']['KeyPair']['KeyAlgorithm']['Value'], data['Policy']['KeyPair']['KeySize']['Value']
+    Vcert::ZoneConfiguration.new country: country, province: state, locality: city, organization: organization,
+                                 organizational_unit: organizational_unit, key_type: Vcert::CertField.new(key_type)
+  end
+
+  # @param [Hash] response
+  # @param [String] zone_tag
+  # @return [Vcert::Policy]
+  def parse_policy_response(response, zone_tag)
+    def addStartEnd(s)
+      s = '^' + s unless s.index('^') == 0
+      s = s + '$' unless s.end_with?('$')
+      s
+    end
+
+    def escape(value)
+      if value.kind_of? Array
+        return value.map { |v| addStartEnd(Regexp.escape(v)) }
+      else
+        return addStartEnd(Regexp.escape(value))
+      end
+    end
+
+    policy = response['Policy']
+    s = policy['Subject']
+    if policy['WhitelistedDomains'].empty?
+      subjectCNRegex = [ALL_ALLOWED_REGEX]
+    else
+      if policy['WildcardsAllowed']
+        subjectCNRegex = policy['WhitelistedDomains'].map { |d| addStartEnd('[\w\-*]+' + Regexp.escape('.' + d)) }
+      else
+        subjectCNRegex = policy['WhitelistedDomains'].map { |d| addStartEnd('[\w\-]+' + Regexp.escape('.' + d)) }
+      end
+    end
+    if s['OrganizationalUnit']['Locked']
+      subjectOURegexes = escape(s['OrganizationalUnit']['Values'])
+    else
+      subjectOURegexes = [ALL_ALLOWED_REGEX]
+    end
+    if s['Organization']['Locked']
+      subjectORegexes = [escape(s['Organization']['Value'])]
+    else
+      subjectORegexes = [ALL_ALLOWED_REGEX]
+    end
+    if s['City']['Locked']
+      subjectLRegexes = [escape(s['City']['Value'])]
+    else
+      subjectLRegexes = [ALL_ALLOWED_REGEX]
+    end
+    if s['State']['Locked']
+      subjectSTRegexes = [escape(s['State']['Value'])]
+    else
+      subjectSTRegexes = [ALL_ALLOWED_REGEX]
+    end
+    if s['Country']['Locked']
+      subjectCRegexes = [escape(s['Country']['Value'])]
+    else
+      subjectCRegexes = [ALL_ALLOWED_REGEX]
+    end
+    if policy['SubjAltNameDnsAllowed']
+      if policy['WhitelistedDomains'].length == 0
+        dnsSanRegExs = [ALL_ALLOWED_REGEX]
+      else
+        dnsSanRegExs = policy['WhitelistedDomains'].map { |d| addStartEnd('[\w-]+' + Regexp.escape('.' + d)) }
+      end
+    else
+      dnsSanRegExs = []
+    end
+    if policy['SubjAltNameIpAllowed']
+      ipSanRegExs = [ALL_ALLOWED_REGEX] # todo: support
+    else
+      ipSanRegExs = []
+    end
+    if policy['SubjAltNameEmailAllowed']
+      emailSanRegExs = [ALL_ALLOWED_REGEX] # todo: support
+    else
+      emailSanRegExs = []
+    end
+    if policy['SubjAltNameUriAllowed']
+      uriSanRegExs = [ALL_ALLOWED_REGEX] # todo: support
+    else
+      uriSanRegExs = []
+    end
+
+    if policy['SubjAltNameUpnAllowed']
+      upnSanRegExs = [ALL_ALLOWED_REGEX] # todo: support
+    else
+      upnSanRegExs = []
+    end
+    unless policy['KeyPair']['KeyAlgorithm']['Locked']
+      key_types = [1024, 2048, 4096, 8192].map { |s| Vcert::KeyType.new('rsa', s) } + Vcert::SUPPORTED_CURVES.map { |c| Vcert::KeyType.new('ecdsa', c) }
+    else
+      if policy['KeyPair']['KeyAlgorithm']['Value'] == 'RSA'
+        if policy['KeyPair']['KeySize']['Locked']
+          key_types = [Vcert::KeyType.new('rsa', policy['KeyPair']['KeySize']['Value'])]
+        else
+          key_types = [1024, 2048, 4096, 8192].map { |s| Vcert::KeyType.new('rsa', s) }
+        end
+      elsif policy['KeyPair']['KeyAlgorithm']['Value'] == 'EC'
+        if policy['KeyPair']['EllipticCurve']['Locked']
+          curve = { 'p224' => 'secp224r1', 'p256' => 'prime256v1', 'p521' => 'secp521r1' }[policy['KeyPair']['EllipticCurve']['Value'].downcase]
+          key_types = [Vcert::KeyType.new('ecdsa', curve)]
+        else
+          key_types = Vcert::SUPPORTED_CURVES.map { |c| Vcert::KeyType.new('ecdsa', c) }
+        end
+      end
+    end
+
+    Vcert::Policy.new(policy_id: policy_dn(zone_tag), name: zone_tag, system_generated: false, creation_date: nil,
+                      subject_cn_regexes: subjectCNRegex, subject_o_regexes: subjectORegexes,
+                      subject_ou_regexes: subjectOURegexes, subject_st_regexes: subjectSTRegexes,
+                      subject_l_regexes: subjectLRegexes, subject_c_regexes: subjectCRegexes, san_regexes: dnsSanRegExs,
+                      key_types: key_types)
+  end
+
+  # @param [Hash] response_data
+  # @return [Vcert::TokenInfo]
+  def parse_access_token_data(response_data)
+    Vcert::TokenInfo.new response_data['access_token'],
+                  response_data['expires'],
+                  response_data['identity'],
+                  response_data['refresh_token'],
+                  response_data['refresh_until'],
+                  response_data['scope'],
+                  response_data['token_type']
+  end
+
+  # @param [Vcert::TokenInfo] token_info
+  def update_authentication(token_info)
+    return unless token_info.instance_of?(Vcert::TokenInfo)
+
+    @auth.access_token = token_info.access_token
+    @auth.refresh_token = token_info.refresh_token
+    @auth.token_expiration_date = token_info.expires
+  end
+
+  def validate_token
+    if @auth.access_token.nil?
+      LOG.info("#{Vcert::VCERT_PREFIX} Requesting new Access Token with credentials.")
+      get_access_token
+    elsif !@auth.token_expiration_date.nil? && @auth.token_expiration_date < Time.now.to_i
+      raise Vcert::AuthenticationError, 'Access Token expired. No refresh token provided.' if @auth.refresh_token.nil?
+
+      LOG.info("#{Vcert::VCERT_PREFIX} Requesting new Access Token with refresh token.")
+      refresh_access_token
+    end
+  end
+
+  # @return [String]
+  def build_authorization_header_value
+    return "Bearer #{@auth.access_token}" unless @auth.access_token.nil?
+  end
+end
+
+

data/lib/utils/utils.rb

@@ -19,16 +19,16 @@ def parse_pem_list(multiline)
 end
 
 def parse_csr_fields(csr)
-  LOG.info("Trying to parse CSR:\n#{csr}")
+  LOG.info("#{Vcert::VCERT_PREFIX} Trying to parse CSR:\n#{csr}")
   csr_obj = OpenSSL::X509::Request.new(csr)
   result = Hash.new
 
   subject_array = csr_obj.subject.to_a
-  subject_array.map { |x|
+  subject_array.map do |x|
     if x[1] != ""
       result[x[0].to_sym] = x[1]
     end
-  }
+  end
 
   attributes = csr_obj.attributes
 
@@ -93,6 +93,54 @@ def parse_csr_fields(csr)
   end
 
 
-  LOG.info("Parsed CSR fields:\n #{result.inspect}")
+  LOG.info("#{Vcert::VCERT_PREFIX} Parsed CSR fields:\n #{result.inspect}")
   return result
 end
+
+def parse_csr_fields_tpp(csr)
+  LOG.info("#{Vcert::VCERT_PREFIX} Trying to parse CSR:\n#{csr}")
+  csr_obj = OpenSSL::X509::Certificate.new(csr)
+  result = Hash.new
+
+  subject_array = csr_obj.subject.to_a
+  subject_array.map do |x|
+    result[x[0].to_sym] = x[1] unless x[1] == ''
+  end
+
+  LOG.info("#{Vcert::VCERT_PREFIX} Parsed CSR fields:\n #{result.inspect}")
+  result
+end
+
+CLIENT_ID = 'vcert-sdk'.freeze
+SCOPE = 'certificate:manage,revoke'.freeze
+
+module Vcert
+  class Authentication
+    attr_accessor :access_token, :refresh_token, :user, :password, :token_expiration_date, :client_id, :scope
+
+    def initialize (access_token: nil, refresh_token: nil, user: nil, password: nil, expiration_date: nil, client_id: CLIENT_ID, scope: SCOPE)
+      @access_token = access_token
+      @refresh_token = refresh_token
+      @user = user
+      @password = password
+      @token_expiration_date = expiration_date
+      @client_id = client_id
+      @scope = scope
+    end
+  end
+
+  class TokenInfo
+    attr_reader :access_token, :refresh_token, :refresh_until, :expires, :identity, :scope, :token_type
+
+    def initialize (access_token, expires, identity, refresh_token, refresh_until, scope, token_type)
+      @access_token = access_token
+      @refresh_token = refresh_token
+      @refresh_until = refresh_until
+      @expires = expires
+      @identity = identity
+      @scope = scope
+      @token_type = token_type
+    end
+  end
+end
+

data/lib/vcert.rb

@@ -10,16 +10,28 @@ module Vcert
   class ClientBadDataError < VcertError; end
   class ValidationError < VcertError; end
 
+  VCERT_PREFIX = '<Vcert>'.freeze
+
+  # <b>DEPRECATED</b>
+  # Please use <tt>VenafiConnection<tt> instead.
+  #
+  # This class provides an easy way to configure and retrieve a connector for a Venafi platform.
+  # Usage:
+  # TPP:
+  #     Connection.new url: TPP_URL, user: TPP_USER, password: TPP_PASSWORD, trust_bundle: TRUST_BUNDLE
+  # CLoud:
+  #     Connection.new token: CLOUD_API_KEY
+  #
   class Connection
     def initialize(url: nil, user: nil, password: nil, cloud_token: nil, trust_bundle:nil, fake: false)
       if fake
         @conn = FakeConnection.new
-      elsif cloud_token != nil
+      elsif !cloud_token.nil?
         @conn = CloudConnection.new url, cloud_token
-      elsif user != nil && password != nil && url != nil then
+      elsif !user.nil? && !password.nil? && !url.nil?
         @conn = TPPConnection.new url, user, password, trust_bundle:trust_bundle
       else
-        raise ClientBadDataError, "Invalid credentials list"
+        raise ClientBadDataError, 'Invalid credentials list'
       end
     end
 
@@ -61,31 +73,73 @@ module Vcert
     # @param [Integer] timeout
     # @return [Certificate]
     def request_and_retrieve(req, zone, timeout: TIMEOUT)
+      LOG.info("#{VCERT_PREFIX} Requesting and retrieving Certificate: [#{req}], [#{zone}]")
       request zone, req
-      cert = retrieve_loop(req, timeout: timeout)
-      return cert
+      retrieve_loop(req, timeout: timeout)
     end
 
     def retrieve_loop(req, timeout: TIMEOUT)
-      t = Time.new() + timeout
+      t = Time.new + timeout
       loop do
-        if Time.new() > t
-          LOG.info("Waiting certificate #{req.id}")
+        if Time.new > t
+          LOG.info("#{VCERT_PREFIX} Waiting certificate #{req.id}")
           break
         end
         certificate = @conn.retrieve(req)
-        if certificate != nil
-          return certificate
-        end
+        return certificate unless certificate.nil?
         sleep 10
       end
-      return nil
+      nil
     end
 
   end
+
+  # This class provides an easy way to configure and retrieve a connector for a Venafi platform.
+  # It supports the use of token authentication for TPP, and drops the use of user/password credentials.
+  # Usage:
+  # TPP:
+  #     VenafiConnection.new url: TPP_TOKEN_URL, user: TPPUSER, password: TPPPASSWORD, trust_bundle: TRUST_BUNDLE
+  #     VenafiConnection.new url: TPP_TOKEN_URL, access_token: TPP_ACCESS_TOKEN, trust_bundle: TRUST_BUNDLE
+  #     VenafiConnection.new url: TPP_TOKEN_URL, refresh_token: TPP_REFRESH_TOKEN, trust_bundle: TRUST_BUNDLE
+  # CLoud:
+  #     VenafiConnection.new token: CLOUD_API_KEY
+  #
+  class VenafiConnection < Connection
+
+    def initialize(url: nil, access_token: nil, refresh_token: nil, user: nil, password: nil, apikey: nil, trust_bundle:nil, fake: false)
+      if fake
+        @conn = FakeConnection.new
+      elsif !apikey.nil?
+        @conn = CloudConnection.new url, apikey
+      elsif (!access_token.nil? || !refresh_token.nil? || (!user.nil? && !password.nil?)) && !url.nil?
+        @conn = TokenConnection.new url, access_token: access_token, refresh_token: refresh_token, user: user,
+                                    password: password, trust_bundle: trust_bundle
+      else
+        raise ClientBadDataError, 'Invalid credentials list'
+      end
+    end
+
+    # @param [Vcert::Authentication] authentication
+    # @return [Vcert::TokenInfo]
+    def get_access_token(authentication: nil)
+      @conn.get_access_token authentication: authentication if @conn.is_a?(Vcert::TokenConnection)
+    end
+
+    # @return [Vcert::TokenInfo]
+    def refresh_access_token
+      @conn.refresh_access_token if @conn.is_a?(Vcert::TokenConnection)
+    end
+
+    # @return []
+    def revoke_access_token
+      @conn.revoke_access_token if @conn.is_a?(Vcert::TokenConnection)
+    end
+  end
 end
 
 require 'fake/fake'
 require 'cloud/cloud'
 require 'tpp/tpp'
-require 'objects/objects'
+require 'tpp/tpp_token'
+require 'objects/objects'
+

metadata

@@ -1,15 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: vcert
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Denis Subbotin
 - Alexander Rykalin
+- Russel Vela
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-09-18 00:00:00.000000000 Z
+date: 2021-01-05 00:00:00.000000000 Z
 dependencies: []
 description: Ruby client for Venafi Cloud and Trust Protection Platform
 email: opensource@venafi.com
@@ -21,6 +22,7 @@ files:
 - lib/fake/fake.rb
 - lib/objects/objects.rb
 - lib/tpp/tpp.rb
+- lib/tpp/tpp_token.rb
 - lib/utils/utils.rb
 - lib/vcert.rb
 homepage: https://rubygems.org/gems/vcert
@@ -42,8 +44,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Library for Venafi products