Merge pull request #268 from philips-software/feature/pki-uaa-optional

PKI: make UAA credentials fully optional #267
philips-software · Oct 31, 2022 · 33c19a4 · 33c19a4
2 parents 98f05f0 + 91fec08
commit 33c19a4
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 12 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## v0.38.9
+
+- PKI: make UAA credentials fully optional #267
+
 ## v0.38.8
 
 - IAM: conditionally check IAM Device/User mixups #265

diff --git a/go.mod b/go.mod
@@ -17,7 +17,7 @@ require (
 	github.com/loafoe/easyssh-proxy/v2 v2.0.4
 	github.com/loafoe/ferrite v0.2.0
 	github.com/philips-labs/siderite v0.12.2
-	github.com/philips-software/go-hsdp-api v0.75.4
+	github.com/philips-software/go-hsdp-api v0.75.5
 	github.com/pkg/errors v0.9.1
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/stretchr/testify v1.8.1

diff --git a/go.sum b/go.sum
@@ -749,6 +749,8 @@ github.com/philips-labs/siderite v0.12.2/go.mod h1:wDjyR2ecI8z9S/uw4v7XCtgYK1Vr/
 github.com/philips-software/go-hsdp-api v0.50.2/go.mod h1:+/oOyI8Equm7/YcUHJ+PO3HO4U92JcAAoOs5DYRRkIc=
 github.com/philips-software/go-hsdp-api v0.75.4 h1:yT7i3hVijpHjvqMsi8imy449v3jHnk7FRTAmNyhDCCo=
 github.com/philips-software/go-hsdp-api v0.75.4/go.mod h1:rd6uphXchFcYW2ehT5xWGobAZrIod7qSOLZUqWh61y4=
+github.com/philips-software/go-hsdp-api v0.75.5 h1:+v/egzo7HBCCkw+1ggong4qY7CBnOdWwkha6uGgwuY8=
+github.com/philips-software/go-hsdp-api v0.75.5/go.mod h1:WLknlRw2GiSmtDufXcy28YHOcbQXn3RfB9RrT5cimxQ=
 github.com/philips-software/go-hsdp-signer v1.4.0 h1:yg7UILhmI4xJhr/tQiAiQwJL0EZFvLuMqpH2GZ9ygY4=
 github.com/philips-software/go-hsdp-signer v1.4.0/go.mod h1:/QehZ/+Aks2t1TFpjhF/7ZSB8PJIIJHzLc03rOqwLw0=
 github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=

diff --git a/internal/config/config.go b/internal/config/config.go
@@ -136,6 +136,10 @@ func (c *Config) IAMClient(principal ...*Principal) (*iam.Client, error) {
 	return c.iamClient, c.iamClientErr
 }
 
+func (c *Config) HasUAAuth() bool {
+	return c.UAAUsername != "" && c.UAAPassword != ""
+}
+
 func (c *Config) DiscoveryClient(principal ...*Principal) (*discovery.Client, error) {
 	if len(principal) > 0 && principal[0] != nil && principal[0].HasAuth() {
 		region := principal[0].Region
@@ -744,10 +748,7 @@ func (c *Config) SetupPKIClient() {
 		c.pkiClientErr = fmt.Errorf("IAM client error in setupPKIClient: %w", c.iamClientErr)
 		return
 	}
-	if c.consoleClientErr != nil {
-		c.pkiClientErr = fmt.Errorf("console client error in setupPKIClient: %w", c.consoleClientErr)
-		return
-	}
+	// We ignore any consoleClient error for now
 	client, err := pki.NewClient(c.consoleClient, c.iamClient, &pki.Config{
 		Region:      c.Region,
 		Environment: c.Environment,

diff --git a/internal/services/pki/resource_pki_cert.go b/internal/services/pki/resource_pki_cert.go
@@ -125,27 +125,31 @@ func resourcePKICertCreate(_ context.Context, d *schema.ResourceData, m interfac
 	}
 	defer client.Close()
 
+	roleName := d.Get("role").(string)
 	tenantID := d.Get("tenant_id").(string)
 	logicalPath, err := pki.APIEndpoint(tenantID).LogicalPath()
 	if err != nil {
 		return diag.FromErr(fmt.Errorf("create PKI cert logicalPath: %w", err))
 	}
+
+	// Only check role if we have a working consoleClient
 	tenant, _, err := client.Tenants.Retrieve(logicalPath)
-	if err != nil {
+	if err == nil {
+		_, ok := tenant.GetRoleOk(roleName)
+		if !ok {
+			return diag.FromErr(fmt.Errorf("role '%s' not found or invalid", roleName))
+		}
 		return diag.FromErr(err)
 	}
-	roleName := d.Get("role").(string)
+
 	ttl := d.Get("ttl").(string)
 	ipSANS := tools.ExpandStringList(d.Get("ip_sans").(*schema.Set).List())
 	uriSANS := tools.ExpandStringList(d.Get("uri_sans").(*schema.Set).List())
 	otherSANS := tools.ExpandStringList(d.Get("other_sans").(*schema.Set).List())
 	commonName := d.Get("common_name").(string)
 	altNames := d.Get("alt_names").(string)
 	excludeCNFromSANS := d.Get("exclude_cn_from_sans").(bool)
-	role, ok := tenant.GetRoleOk(roleName)
-	if !ok {
-		return diag.FromErr(fmt.Errorf("role '%s' not found or invalid", roleName))
-	}
+
 	certRequest := pki.CertificateRequest{
 		CommonName:        commonName,
 		AltNames:          altNames,
@@ -157,7 +161,7 @@ func resourcePKICertCreate(_ context.Context, d *schema.ResourceData, m interfac
 		PrivateKeyFormat:  "pem",
 		Format:            "pem",
 	}
-	cert, resp, err := client.Services.IssueCertificate(logicalPath, role.Name, certRequest)
+	cert, resp, err := client.Services.IssueCertificate(logicalPath, roleName, certRequest)
 	if err != nil {
 		if resp != nil && resp.StatusCode == http.StatusForbidden {
 			return diag.FromErr(fmt.Errorf("you might be missing the 'PKI_CERT.ISSUE' permission for the tenant org: %w", err))

diff --git a/internal/services/pki/resource_pki_tenant.go b/internal/services/pki/resource_pki_tenant.go
@@ -2,6 +2,7 @@ package pki
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
@@ -11,6 +12,10 @@ import (
 	"github.com/philips-software/terraform-provider-hsdp/internal/tools"
 )
 
+var (
+	missingUAACredentialsErr = errors.New("this resource only works when CF UAA credentials are configured")
+)
+
 func ResourcePKITenant() *schema.Resource {
 	return &schema.Resource{
 		Importer: &schema.ResourceImporter{
@@ -155,6 +160,10 @@ func resourcePKITenantDelete(_ context.Context, d *schema.ResourceData, m interf
 	var err error
 	var client *pki.Client
 
+	if !c.HasUAAuth() {
+		return diag.FromErr(missingUAACredentialsErr)
+	}
+
 	client, err = c.PKIClient()
 	if err != nil {
 		return diag.FromErr(err)
@@ -185,6 +194,10 @@ func resourcePKITenantUpdate(_ context.Context, d *schema.ResourceData, m interf
 	var err error
 	var client *pki.Client
 
+	if !c.HasUAAuth() {
+		return diag.FromErr(missingUAACredentialsErr)
+	}
+
 	client, err = c.PKIClient()
 	if err != nil {
 		return diag.FromErr(err)
@@ -315,6 +328,10 @@ func resourcePKITenantCreate(ctx context.Context, d *schema.ResourceData, m inte
 	var err error
 	var client *pki.Client
 
+	if !c.HasUAAuth() {
+		return diag.FromErr(missingUAACredentialsErr)
+	}
+
 	client, err = c.PKIClient()
 	if err != nil {
 		return diag.FromErr(err)
@@ -340,6 +357,10 @@ func resourcePKITenantRead(_ context.Context, d *schema.ResourceData, m interfac
 	var err error
 	var client *pki.Client
 
+	if !c.HasUAAuth() {
+		return diag.FromErr(missingUAACredentialsErr)
+	}
+
 	client, err = c.PKIClient()
 	if err != nil {
 		return diag.FromErr(fmt.Errorf("read PKI Tenant client: %w", err))