From 379b4e025cf39c9b1ac07b81df482f91027ed922 Mon Sep 17 00:00:00 2001 From: Bob Pokorny Date: Mon, 18 May 2026 17:52:09 -0500 Subject: [PATCH 01/13] Added PAM Support --- .../AppGatewayCertificateJobs/Discovery.cs | 15 ++++++++-- .../AppGatewayCertificateJobs/Inventory.cs | 13 ++++++++- .../AppGatewayJobClientBuilder.cs | 29 ++++++++++++------- AzureAppGatewayOrchestrator/PAMUtilities.cs | 27 +++++++++++++++++ CHANGELOG.md | 4 +++ 5 files changed, 75 insertions(+), 13 deletions(-) create mode 100644 AzureAppGatewayOrchestrator/PAMUtilities.cs diff --git a/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Discovery.cs b/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Discovery.cs index a1200a5..955b57e 100644 --- a/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Discovery.cs +++ b/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Discovery.cs @@ -18,6 +18,7 @@ using Keyfactor.Logging; using Keyfactor.Orchestrators.Common.Enums; using Keyfactor.Orchestrators.Extensions; +using Keyfactor.Orchestrators.Extensions.Interfaces; using Microsoft.Extensions.Logging; namespace AzureApplicationGatewayOrchestratorExtension.AppGatewayCertificateJobs; @@ -31,6 +32,13 @@ public class Discovery : IDiscoveryJobExtension ILogger _logger = LogHandler.GetClassLogger(); + public IPAMSecretResolver _resolver; + + public Discovery(IPAMSecretResolver resolver) + { + _resolver = resolver; + } + public JobResult ProcessJob(DiscoveryJobConfiguration config, SubmitDiscoveryUpdate callback) { if (Client != null) _clientInitializedByInjection = true; @@ -49,11 +57,14 @@ public JobResult ProcessJob(DiscoveryJobConfiguration config, SubmitDiscoveryUpd { _logger.LogTrace($"Processing tenantId: {tenantId}"); - // If the client was not injected, create a new one with the tenant ID determied by + // If the client was not injected, create a new one with the tenant ID determined by // the TenantIdsToSearchFromJobConfig method if (!_clientInitializedByInjection) { - Client = new AppGatewayJobClientBuilder() + var clientBuilder = new AppGatewayJobClientBuilder(); + clientBuilder.resolver = _resolver; + + Client = clientBuilder .WithDiscoveryJobConfiguration(config, tenantId) .Build(); } diff --git a/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Inventory.cs b/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Inventory.cs index 6c93f49..c94d445 100644 --- a/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Inventory.cs +++ b/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Inventory.cs @@ -19,6 +19,7 @@ using Keyfactor.Logging; using Keyfactor.Orchestrators.Common.Enums; using Keyfactor.Orchestrators.Extensions; +using Keyfactor.Orchestrators.Extensions.Interfaces; using Microsoft.Extensions.Logging; namespace AzureApplicationGatewayOrchestratorExtension.AppGatewayCertificateJobs; @@ -30,13 +31,23 @@ public class Inventory : IInventoryJobExtension ILogger _logger = LogHandler.GetClassLogger(); + public IPAMSecretResolver _resolver; + + public Inventory(IPAMSecretResolver resolver) + { + _resolver = resolver; + } + public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpdate cb) { _logger.LogDebug($"Beginning App Gateway Inventory Job"); if (Client == null) { - Client = new AppGatewayJobClientBuilder() + var clientBuilder = new AppGatewayJobClientBuilder(); + clientBuilder.resolver = _resolver; + + Client = clientBuilder .WithCertificateStoreDetails(config.CertificateStoreDetails) .Build(); } diff --git a/AzureAppGatewayOrchestrator/AppGatewayJobClientBuilder.cs b/AzureAppGatewayOrchestrator/AppGatewayJobClientBuilder.cs index dfc7a34..ce9e741 100644 --- a/AzureAppGatewayOrchestrator/AppGatewayJobClientBuilder.cs +++ b/AzureAppGatewayOrchestrator/AppGatewayJobClientBuilder.cs @@ -16,9 +16,11 @@ using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates; using System.Text; +using AzureAppGatewayOrchestrator; using AzureApplicationGatewayOrchestratorExtension.Client; using Keyfactor.Logging; using Keyfactor.Orchestrators.Extensions; +using Keyfactor.Orchestrators.Extensions.Interfaces; using Microsoft.Extensions.Logging; using Newtonsoft.Json; @@ -28,6 +30,7 @@ namespace AzureApplicationGatewayOrchestratorExtension; { public TBuilder _builder = new TBuilder(); private ILogger _logger = LogHandler.GetClassLogger>(); + public IPAMSecretResolver resolver; public class CertificateStoreProperties { @@ -43,29 +46,32 @@ public AppGatewayJobClientBuilder WithCertificateStoreDetails(Certific CertificateStoreProperties properties = JsonConvert.DeserializeObject(details.Properties); + string serverUserName = PAMUtilities.ResolvePAMField(_logger, resolver, "Server UserName", properties.ServerUsername); + string serverPassword = PAMUtilities.ResolvePAMField(_logger, resolver, "Server Password", properties.ServerPassword); + _logger.LogTrace($"Builder - ClientMachine => TenantId: {details.ClientMachine}"); _logger.LogTrace($"Builder - StorePath => ResourceId: {details.StorePath}"); - _logger.LogTrace($"Builder - ServerUsername => ApplicationId: {properties.ServerUsername}"); - _logger.LogTrace($"Builder - ServerPassword => ClientSecret: {properties.ServerPassword}"); + _logger.LogTrace($"Builder - ServerUsername => ApplicationId: {serverUserName}"); + _logger.LogTrace($"Builder - ServerPassword => ClientSecret: {"********"}"); _logger.LogTrace($"Builder - AzureCloud => AzureCloud: {properties.AzureCloud}"); _builder .WithTenantId(details.ClientMachine) - .WithApplicationId(properties.ServerUsername) + .WithApplicationId(serverUserName) .WithResourceId(details.StorePath) .WithAzureCloud(properties.AzureCloud); if (string.IsNullOrWhiteSpace(properties.ClientCertificate)) { - _logger.LogTrace($"Builder - ServerPassword => ClientSecret: {properties.ServerPassword}"); + _logger.LogTrace($"Builder - ServerPassword => ClientSecret: {"********"}"); _logger.LogDebug("Client certificate not present - Using Client Secret authentication"); - _builder.WithClientSecret(properties.ServerPassword); + _builder.WithClientSecret(serverPassword); } else { - _logger.LogTrace($"Builder - ServerPassword => ClientCertificateKeyPassword: {properties.ServerPassword}"); + _logger.LogTrace($"Builder - ServerPassword => ClientCertificateKeyPassword: {"********"}"); _logger.LogDebug("Client certificate present - Using Client Certificate authentication"); - X509Certificate2 clientCert = SerializeClientCertificate(properties.ClientCertificate, properties.ServerPassword); + X509Certificate2 clientCert = SerializeClientCertificate(properties.ClientCertificate, serverPassword); _builder.WithClientCertificate(clientCert); } @@ -76,12 +82,15 @@ public AppGatewayJobClientBuilder WithDiscoveryJobConfiguration(Discov { _logger.LogTrace($"Builder - tenantId => TenantId: {tenantId}"); _logger.LogTrace($"Builder - ServerUsername => ApplicationId: {config.ServerUsername}"); - _logger.LogTrace($"Builder - ServerPassword => ClientSecret: {config.ServerPassword}"); + _logger.LogTrace($"Builder - ServerPassword => ClientSecret: {"********"}"); + + string serverUserName = PAMUtilities.ResolvePAMField(_logger, resolver, "Server UserName", config.ServerUsername); + string serverPassword = PAMUtilities.ResolvePAMField(_logger, resolver, "Server Password", config.ServerPassword); _builder .WithTenantId(tenantId) - .WithApplicationId(config.ServerUsername) - .WithClientSecret(config.ServerPassword); + .WithApplicationId(serverUserName) + .WithClientSecret(serverPassword); return this; } diff --git a/AzureAppGatewayOrchestrator/PAMUtilities.cs b/AzureAppGatewayOrchestrator/PAMUtilities.cs new file mode 100644 index 0000000..79fd362 --- /dev/null +++ b/AzureAppGatewayOrchestrator/PAMUtilities.cs @@ -0,0 +1,27 @@ +using Keyfactor.Logging; +using Keyfactor.Orchestrators.Extensions.Interfaces; +using Microsoft.Extensions.Logging; + +namespace AzureAppGatewayOrchestrator +{ + internal class PAMUtilities + { + internal static string ResolvePAMField(ILogger logger, IPAMSecretResolver resolver, string description, string key) + { + logger.MethodEntry(); + + if (resolver == null) + { + logger.LogError($"No PAM Resolver was found or configured, using {description} value from PAM."); + logger.MethodExit(); + return key; + } + + logger.LogDebug($"Fetching {description} value from PAM"); + var value = resolver.Resolve(key); + logger.LogDebug($"Successfully fetched {description} value from PAM"); + logger.MethodExit(); + return value; + } + } +} diff --git a/CHANGELOG.md b/CHANGELOG.md index e8d05ed..79b0755 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,7 @@ +# 3.5.0 + +- feat: Added PAM Support + # 3.4.0 - Renamed the extension's dll in the manifest.json so the UO would recognize and register the extension. From 2438ad1ca05747b1ed610da56187042a323a558c Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 18 May 2026 22:53:28 +0000 Subject: [PATCH 02/13] Update generated docs --- .../bash/curl_create_store_types.sh | 173 ++++++++++++++++++ .../bash/kfutil_create_store_types.sh | 29 +++ .../powershell/kfutil_create_store_types.ps1 | 30 +++ .../restmethod_create_store_types.ps1 | 169 +++++++++++++++++ 4 files changed, 401 insertions(+) create mode 100755 scripts/store_types/bash/curl_create_store_types.sh create mode 100755 scripts/store_types/bash/kfutil_create_store_types.sh create mode 100644 scripts/store_types/powershell/kfutil_create_store_types.ps1 create mode 100644 scripts/store_types/powershell/restmethod_create_store_types.ps1 diff --git a/scripts/store_types/bash/curl_create_store_types.sh b/scripts/store_types/bash/curl_create_store_types.sh new file mode 100755 index 0000000..5ba88a4 --- /dev/null +++ b/scripts/store_types/bash/curl_create_store_types.sh @@ -0,0 +1,173 @@ +#!/usr/bin/env bash + +# Creates all 2 store types via the Keyfactor Command REST API using curl. +# +# Authentication (first matching method is used): +# OAuth access token: KEYFACTOR_AUTH_ACCESS_TOKEN +# OAuth client creds: KEYFACTOR_AUTH_CLIENT_ID + KEYFACTOR_AUTH_CLIENT_SECRET +# + KEYFACTOR_AUTH_TOKEN_URL +# Basic auth (AD): KEYFACTOR_USERNAME + KEYFACTOR_PASSWORD + KEYFACTOR_DOMAIN +# +# Always required: +# KEYFACTOR_HOSTNAME Command hostname (e.g. my-command.example.com) +# +# Auto-generated by doctool generate-store-type-scripts — do not edit by hand. + +if [ -z "${KEYFACTOR_HOSTNAME}" ]; then + echo "ERROR: KEYFACTOR_HOSTNAME is required" + exit 1 +fi + +BASE_URL="https://${KEYFACTOR_HOSTNAME}/keyfactorapi" + +# --------------------------------------------------------------------------- +# Resolve auth +# --------------------------------------------------------------------------- +if [ -n "${KEYFACTOR_AUTH_ACCESS_TOKEN}" ]; then + BEARER_TOKEN="${KEYFACTOR_AUTH_ACCESS_TOKEN}" +elif [ -n "${KEYFACTOR_AUTH_CLIENT_ID}" ] && [ -n "${KEYFACTOR_AUTH_CLIENT_SECRET}" ] && [ -n "${KEYFACTOR_AUTH_TOKEN_URL}" ]; then + echo "Fetching OAuth token..." + BEARER_TOKEN=$(curl -s -X POST "${KEYFACTOR_AUTH_TOKEN_URL}" \ + -H "Content-Type: application/x-www-form-urlencoded" \ + --data-urlencode "grant_type=client_credentials" \ + --data-urlencode "client_id=${KEYFACTOR_AUTH_CLIENT_ID}" \ + --data-urlencode "client_secret=${KEYFACTOR_AUTH_CLIENT_SECRET}" | jq -r '.access_token') + if [ -z "${BEARER_TOKEN}" ] || [ "${BEARER_TOKEN}" = "null" ]; then + echo "ERROR: Failed to fetch OAuth token from ${KEYFACTOR_AUTH_TOKEN_URL}" + exit 1 + fi +elif [ -n "${KEYFACTOR_USERNAME}" ] && [ -n "${KEYFACTOR_PASSWORD}" ] && [ -n "${KEYFACTOR_DOMAIN}" ]; then + BEARER_TOKEN="" +else + echo "ERROR: Authentication required. Set one of:" + echo " KEYFACTOR_AUTH_ACCESS_TOKEN" + echo " KEYFACTOR_AUTH_CLIENT_ID + KEYFACTOR_AUTH_CLIENT_SECRET + KEYFACTOR_AUTH_TOKEN_URL" + echo " KEYFACTOR_USERNAME + KEYFACTOR_PASSWORD + KEYFACTOR_DOMAIN" + exit 1 +fi + +if [ -n "${BEARER_TOKEN}" ]; then + CURL_AUTH=("-H" "Authorization: Bearer ${BEARER_TOKEN}") +else + CURL_AUTH=("-u" "${KEYFACTOR_USERNAME}@${KEYFACTOR_DOMAIN}:${KEYFACTOR_PASSWORD}") +fi + +create_store_type() { + local name="$1" + local body="$2" + echo "Creating ${name} store type..." + response=$(curl -s -o /dev/null -w "%{http_code}" \ + -X POST "${BASE_URL}/certificatestoretypes" \ + -H "Content-Type: application/json" \ + -H "x-keyfactor-requested-with: APIClient" \ + "${CURL_AUTH[@]}" \ + -d "${body}") + if [ "$response" = "200" ] || [ "$response" = "201" ]; then + echo " OK (HTTP ${response})" + else + echo " FAILED (HTTP ${response})" + fi +} + +# --------------------------------------------------------------------------- +# AzureAppGw — The Azure Tenant (directory) ID that owns the Service Principal. +# --------------------------------------------------------------------------- +create_store_type "AzureAppGw" '{ + "Name": "Azure Application Gateway Certificate", + "ShortName": "AzureAppGw", + "Capability": "AzureAppGw", + "LocalStore": false, + "StorePathDescription": "Azure resource ID of the application gateway, following the format: /subscriptions//resourceGroups//providers/Microsoft.Network/applicationGateways/.", + "SupportedOperations": { + "Add": true, + "Remove": true, + "Enrollment": false, + "Discovery": true, + "Inventory": true + }, + "Properties": [ + { + "Name": "ClientCertificate", + "DisplayName": "Client Certificate", + "Type": "Secret", + "Required": false + }, + { + "Name": "AzureCloud", + "DisplayName": "Azure Global Cloud Authority Host", + "Type": "MultipleChoice", + "DefaultValue": "public,china,germany,government", + "Required": false + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DefaultValue": "true", + "Required": true + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "PrivateKeyAllowed": "Required", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required" +}' + +# --------------------------------------------------------------------------- +# AppGwBin — The Azure Tenant (directory) ID that owns the Service Principal. +# --------------------------------------------------------------------------- +create_store_type "AppGwBin" '{ + "Name": "Azure Application Gateway Certificate Binding", + "ShortName": "AppGwBin", + "Capability": "AzureAppGwBin", + "LocalStore": false, + "StorePathDescription": "Azure resource ID of the application gateway, following the format: /subscriptions//resourceGroups//providers/Microsoft.Network/applicationGateways/.", + "SupportedOperations": { + "Add": true, + "Remove": false, + "Enrollment": false, + "Discovery": true, + "Inventory": false + }, + "Properties": [ + { + "Name": "ClientCertificate", + "DisplayName": "Client Certificate", + "Type": "Secret", + "Required": false + }, + { + "Name": "AzureCloud", + "DisplayName": "Azure Global Cloud Authority Host", + "Type": "MultipleChoice", + "DefaultValue": "public,china,germany,government", + "Required": false + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DefaultValue": "true", + "Required": true + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "PrivateKeyAllowed": "Required", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required" +}' + + +echo "Completed." diff --git a/scripts/store_types/bash/kfutil_create_store_types.sh b/scripts/store_types/bash/kfutil_create_store_types.sh new file mode 100755 index 0000000..7f0cb87 --- /dev/null +++ b/scripts/store_types/bash/kfutil_create_store_types.sh @@ -0,0 +1,29 @@ +#!/usr/bin/env bash + +# Creates all 2 store types using kfutil. +# kfutil reads definitions from the Keyfactor integration catalog. +# +# Auth environment variables (first matching method is used): +# OAuth access token: KEYFACTOR_AUTH_ACCESS_TOKEN +# OAuth client creds: KEYFACTOR_AUTH_CLIENT_ID + KEYFACTOR_AUTH_CLIENT_SECRET +# + KEYFACTOR_AUTH_TOKEN_URL +# Basic auth (AD): KEYFACTOR_HOSTNAME + KEYFACTOR_USERNAME + KEYFACTOR_PASSWORD +# + KEYFACTOR_DOMAIN +# +# Auto-generated by doctool generate-store-type-scripts — do not edit by hand. + +if ! command -v kfutil &> /dev/null; then + echo "kfutil could not be found. Please install kfutil" + echo "See https://github.com/Keyfactor/kfutil#quickstart" + exit 1 +fi + +if [ -z "$KEYFACTOR_HOSTNAME" ]; then + echo "KEYFACTOR_HOSTNAME not set — launching kfutil login" + kfutil login +fi + +kfutil store-types create --name "AzureAppGw" +kfutil store-types create --name "AppGwBin" + +echo "Done. All store types created." diff --git a/scripts/store_types/powershell/kfutil_create_store_types.ps1 b/scripts/store_types/powershell/kfutil_create_store_types.ps1 new file mode 100644 index 0000000..7e2142e --- /dev/null +++ b/scripts/store_types/powershell/kfutil_create_store_types.ps1 @@ -0,0 +1,30 @@ +# Creates all 2 store types using kfutil. +# kfutil reads definitions from the Keyfactor integration catalog. +# +# Auth environment variables (first matching method is used): +# OAuth access token: KEYFACTOR_AUTH_ACCESS_TOKEN +# OAuth client creds: KEYFACTOR_AUTH_CLIENT_ID + KEYFACTOR_AUTH_CLIENT_SECRET +# + KEYFACTOR_AUTH_TOKEN_URL +# Basic auth (AD): KEYFACTOR_HOSTNAME + KEYFACTOR_USERNAME + KEYFACTOR_PASSWORD +# + KEYFACTOR_DOMAIN +# +# Auto-generated by doctool generate-store-type-scripts — do not edit by hand. + +# Uncomment if kfutil is not in your PATH +# Set-Alias -Name kfutil -Value 'C:\Program Files\Keyfactor\kfutil\kfutil.exe' + +if ($null -eq (Get-Command "kfutil" -ErrorAction SilentlyContinue)) { + Write-Host "kfutil could not be found. Please install kfutil" + Write-Host "See https://github.com/Keyfactor/kfutil#quickstart" + exit 1 +} + +if (-not $env:KEYFACTOR_HOSTNAME) { + Write-Host "KEYFACTOR_HOSTNAME not set — launching kfutil login" + & kfutil login +} + +& kfutil store-types create --name "AzureAppGw" +& kfutil store-types create --name "AppGwBin" + +Write-Host "Done. All store types created." diff --git a/scripts/store_types/powershell/restmethod_create_store_types.ps1 b/scripts/store_types/powershell/restmethod_create_store_types.ps1 new file mode 100644 index 0000000..6097279 --- /dev/null +++ b/scripts/store_types/powershell/restmethod_create_store_types.ps1 @@ -0,0 +1,169 @@ +# Creates all 2 store types via the Keyfactor Command REST API +# using PowerShell Invoke-RestMethod. +# +# Authentication (first matching method is used): +# OAuth access token: KEYFACTOR_AUTH_ACCESS_TOKEN +# OAuth client creds: KEYFACTOR_AUTH_CLIENT_ID + KEYFACTOR_AUTH_CLIENT_SECRET +# + KEYFACTOR_AUTH_TOKEN_URL +# Basic auth (AD): KEYFACTOR_USERNAME + KEYFACTOR_PASSWORD + KEYFACTOR_DOMAIN +# +# Always required: +# KEYFACTOR_HOSTNAME Command hostname (e.g. my-command.example.com) +# +# Auto-generated by doctool generate-store-type-scripts — do not edit by hand. + +if (-not $env:KEYFACTOR_HOSTNAME) { + Write-Error "KEYFACTOR_HOSTNAME is required" + exit 1 +} + +$uri = "https://$($env:KEYFACTOR_HOSTNAME)/keyfactorapi/certificatestoretypes" +$headers = @{ + 'Content-Type' = "application/json" + 'x-keyfactor-requested-with' = "APIClient" +} + +# --------------------------------------------------------------------------- +# Resolve auth +# --------------------------------------------------------------------------- +if ($env:KEYFACTOR_AUTH_ACCESS_TOKEN) { + $headers['Authorization'] = "Bearer $($env:KEYFACTOR_AUTH_ACCESS_TOKEN)" +} elseif ($env:KEYFACTOR_AUTH_CLIENT_ID -and $env:KEYFACTOR_AUTH_CLIENT_SECRET -and $env:KEYFACTOR_AUTH_TOKEN_URL) { + Write-Host "Fetching OAuth token..." + $tokenBody = @{ + grant_type = 'client_credentials' + client_id = $env:KEYFACTOR_AUTH_CLIENT_ID + client_secret = $env:KEYFACTOR_AUTH_CLIENT_SECRET + } + $tokenResp = Invoke-RestMethod -Method Post -Uri $env:KEYFACTOR_AUTH_TOKEN_URL -Body $tokenBody + $headers['Authorization'] = "Bearer $($tokenResp.access_token)" +} elseif ($env:KEYFACTOR_USERNAME -and $env:KEYFACTOR_PASSWORD -and $env:KEYFACTOR_DOMAIN) { + $cred = [System.Convert]::ToBase64String( + [System.Text.Encoding]::ASCII.GetBytes( + "$($env:KEYFACTOR_USERNAME)@$($env:KEYFACTOR_DOMAIN):$($env:KEYFACTOR_PASSWORD)")) + $headers['Authorization'] = "Basic $cred" +} else { + Write-Error ("Authentication required. Set one of:`n" + + " KEYFACTOR_AUTH_ACCESS_TOKEN`n" + + " KEYFACTOR_AUTH_CLIENT_ID + KEYFACTOR_AUTH_CLIENT_SECRET + KEYFACTOR_AUTH_TOKEN_URL`n" + + " KEYFACTOR_USERNAME + KEYFACTOR_PASSWORD + KEYFACTOR_DOMAIN") + exit 1 +} + +function New-StoreType { + param([string]$Name, [string]$Body) + Write-Host "Creating $Name store type..." + try { + Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $Body -ContentType "application/json" | Out-Null + Write-Host " OK" + } catch { + Write-Warning " FAILED: $($_.Exception.Message)" + } +} + +# --------------------------------------------------------------------------- +# AzureAppGw — The Azure Tenant (directory) ID that owns the Service Principal. +# --------------------------------------------------------------------------- +New-StoreType "AzureAppGw" @' +{ + "Name": "Azure Application Gateway Certificate", + "ShortName": "AzureAppGw", + "Capability": "AzureAppGw", + "LocalStore": false, + "StorePathDescription": "Azure resource ID of the application gateway, following the format: /subscriptions//resourceGroups//providers/Microsoft.Network/applicationGateways/.", + "SupportedOperations": { + "Add": true, + "Remove": true, + "Enrollment": false, + "Discovery": true, + "Inventory": true + }, + "Properties": [ + { + "Name": "ClientCertificate", + "DisplayName": "Client Certificate", + "Type": "Secret", + "Required": false + }, + { + "Name": "AzureCloud", + "DisplayName": "Azure Global Cloud Authority Host", + "Type": "MultipleChoice", + "DefaultValue": "public,china,germany,government", + "Required": false + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DefaultValue": "true", + "Required": true + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "PrivateKeyAllowed": "Required", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required" +} +'@ + +# --------------------------------------------------------------------------- +# AppGwBin — The Azure Tenant (directory) ID that owns the Service Principal. +# --------------------------------------------------------------------------- +New-StoreType "AppGwBin" @' +{ + "Name": "Azure Application Gateway Certificate Binding", + "ShortName": "AppGwBin", + "Capability": "AzureAppGwBin", + "LocalStore": false, + "StorePathDescription": "Azure resource ID of the application gateway, following the format: /subscriptions//resourceGroups//providers/Microsoft.Network/applicationGateways/.", + "SupportedOperations": { + "Add": true, + "Remove": false, + "Enrollment": false, + "Discovery": true, + "Inventory": false + }, + "Properties": [ + { + "Name": "ClientCertificate", + "DisplayName": "Client Certificate", + "Type": "Secret", + "Required": false + }, + { + "Name": "AzureCloud", + "DisplayName": "Azure Global Cloud Authority Host", + "Type": "MultipleChoice", + "DefaultValue": "public,china,germany,government", + "Required": false + }, + { + "Name": "ServerUseSsl", + "DisplayName": "Use SSL", + "Type": "Bool", + "DefaultValue": "true", + "Required": true + } + ], + "PasswordOptions": { + "EntrySupported": false, + "StoreRequired": false, + "Style": "Default" + }, + "PrivateKeyAllowed": "Required", + "ServerRequired": true, + "PowerShell": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required" +} +'@ + + +Write-Host "Completed." From 0d6385d121467edd556c8d092d3a8fec254b1798 Mon Sep 17 00:00:00 2001 From: Bob Pokorny Date: Mon, 18 May 2026 19:15:23 -0700 Subject: [PATCH 03/13] Adding Mocks --- .../MockPAMSecretResolver.cs | 13 +++++++++++++ .../AppGatewayCertificateJobs/Discovery.cs | 5 +++++ .../AzureAppGatewayOrchestrator.csproj | 4 +++- .../ListenerBindingJobs/Discovery.cs | 7 +++++++ 4 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 AzureAppGatewayOrchestrator.Tests/MockPAMSecretResolver.cs diff --git a/AzureAppGatewayOrchestrator.Tests/MockPAMSecretResolver.cs b/AzureAppGatewayOrchestrator.Tests/MockPAMSecretResolver.cs new file mode 100644 index 0000000..b665666 --- /dev/null +++ b/AzureAppGatewayOrchestrator.Tests/MockPAMSecretResolver.cs @@ -0,0 +1,13 @@ +using Keyfactor.Orchestrators.Extensions.Interfaces; +using System; +using System.Collections.Generic; +using System.Linq; +using System.Text; +using System.Threading.Tasks; + +namespace AzureAppGatewayOrchestrator.Tests +{ + internal class MockPAMSecretResolver : IPAMSecretResolver + { + } +} diff --git a/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Discovery.cs b/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Discovery.cs index 955b57e..3696d02 100644 --- a/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Discovery.cs +++ b/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Discovery.cs @@ -39,6 +39,11 @@ public Discovery(IPAMSecretResolver resolver) _resolver = resolver; } + public Discovery() + { + + } + public JobResult ProcessJob(DiscoveryJobConfiguration config, SubmitDiscoveryUpdate callback) { if (Client != null) _clientInitializedByInjection = true; diff --git a/AzureAppGatewayOrchestrator/AzureAppGatewayOrchestrator.csproj b/AzureAppGatewayOrchestrator/AzureAppGatewayOrchestrator.csproj index 45cee8c..f4e42ba 100644 --- a/AzureAppGatewayOrchestrator/AzureAppGatewayOrchestrator.csproj +++ b/AzureAppGatewayOrchestrator/AzureAppGatewayOrchestrator.csproj @@ -2,7 +2,7 @@ true - net6.0;net8.0 + net6.0;net8.0;net10.0 true disable @@ -13,6 +13,8 @@ + + diff --git a/AzureAppGatewayOrchestrator/ListenerBindingJobs/Discovery.cs b/AzureAppGatewayOrchestrator/ListenerBindingJobs/Discovery.cs index 3a8d5e0..b15293b 100644 --- a/AzureAppGatewayOrchestrator/ListenerBindingJobs/Discovery.cs +++ b/AzureAppGatewayOrchestrator/ListenerBindingJobs/Discovery.cs @@ -15,6 +15,7 @@ using AzureApplicationGatewayOrchestratorExtension.Client; using Keyfactor.Logging; using Keyfactor.Orchestrators.Extensions; +using Keyfactor.Orchestrators.Extensions.Interfaces; using Microsoft.Extensions.Logging; namespace AzureApplicationGatewayOrchestratorExtension.ListenerBindingJobs; @@ -26,6 +27,12 @@ public class Discovery : IDiscoveryJobExtension ILogger _logger = LogHandler.GetClassLogger(); + public IPAMSecretResolver _resolver; + public Discovery(IPAMSecretResolver resolver) + { + _resolver = resolver; + } + public JobResult ProcessJob(DiscoveryJobConfiguration config, SubmitDiscoveryUpdate callback) { _logger.LogDebug("Beginning App Gateway Listener Binding Discovery Job - using AppGatewayCertificateJobs.Discovery.ProcessJob()"); From 3eacf8398eaaaf9c357b4bb1d090ad0c89cedbdf Mon Sep 17 00:00:00 2001 From: Bob Pokorny Date: Mon, 18 May 2026 21:35:29 -0500 Subject: [PATCH 04/13] Fixing up unit test --- .../MockPAMSecretResolver.cs | 13 ------------- .../AppGatewayCertificateJobs/Inventory.cs | 6 ++++++ .../ListenerBindingJobs/Discovery.cs | 6 ------ 3 files changed, 6 insertions(+), 19 deletions(-) delete mode 100644 AzureAppGatewayOrchestrator.Tests/MockPAMSecretResolver.cs diff --git a/AzureAppGatewayOrchestrator.Tests/MockPAMSecretResolver.cs b/AzureAppGatewayOrchestrator.Tests/MockPAMSecretResolver.cs deleted file mode 100644 index b665666..0000000 --- a/AzureAppGatewayOrchestrator.Tests/MockPAMSecretResolver.cs +++ /dev/null @@ -1,13 +0,0 @@ -using Keyfactor.Orchestrators.Extensions.Interfaces; -using System; -using System.Collections.Generic; -using System.Linq; -using System.Text; -using System.Threading.Tasks; - -namespace AzureAppGatewayOrchestrator.Tests -{ - internal class MockPAMSecretResolver : IPAMSecretResolver - { - } -} diff --git a/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Inventory.cs b/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Inventory.cs index c94d445..421e233 100644 --- a/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Inventory.cs +++ b/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Inventory.cs @@ -15,6 +15,7 @@ using System; using System.Collections.Generic; using System.Linq; +using Azure.ResourceManager.Network.Models; using AzureApplicationGatewayOrchestratorExtension.Client; using Keyfactor.Logging; using Keyfactor.Orchestrators.Common.Enums; @@ -38,6 +39,11 @@ public Inventory(IPAMSecretResolver resolver) _resolver = resolver; } + public Inventory() + { + + } + public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpdate cb) { _logger.LogDebug($"Beginning App Gateway Inventory Job"); diff --git a/AzureAppGatewayOrchestrator/ListenerBindingJobs/Discovery.cs b/AzureAppGatewayOrchestrator/ListenerBindingJobs/Discovery.cs index b15293b..700820e 100644 --- a/AzureAppGatewayOrchestrator/ListenerBindingJobs/Discovery.cs +++ b/AzureAppGatewayOrchestrator/ListenerBindingJobs/Discovery.cs @@ -27,12 +27,6 @@ public class Discovery : IDiscoveryJobExtension ILogger _logger = LogHandler.GetClassLogger(); - public IPAMSecretResolver _resolver; - public Discovery(IPAMSecretResolver resolver) - { - _resolver = resolver; - } - public JobResult ProcessJob(DiscoveryJobConfiguration config, SubmitDiscoveryUpdate callback) { _logger.LogDebug("Beginning App Gateway Listener Binding Discovery Job - using AppGatewayCertificateJobs.Discovery.ProcessJob()"); From 4e5ea5260d515d0867bd85192bd46b6285735962 Mon Sep 17 00:00:00 2001 From: Bob Pokorny Date: Thu, 21 May 2026 07:32:37 -0700 Subject: [PATCH 05/13] Added PAM Support for Bin extension --- .../ListenerBindingJobs/Discovery.cs | 14 +++++++++++++- .../ListenerBindingJobs/Inventory.cs | 18 +++++++++++++++++- .../ListenerBindingJobs/Management.cs | 16 +++++++++++++++- 3 files changed, 45 insertions(+), 3 deletions(-) diff --git a/AzureAppGatewayOrchestrator/ListenerBindingJobs/Discovery.cs b/AzureAppGatewayOrchestrator/ListenerBindingJobs/Discovery.cs index 700820e..6037d7a 100644 --- a/AzureAppGatewayOrchestrator/ListenerBindingJobs/Discovery.cs +++ b/AzureAppGatewayOrchestrator/ListenerBindingJobs/Discovery.cs @@ -27,13 +27,25 @@ public class Discovery : IDiscoveryJobExtension ILogger _logger = LogHandler.GetClassLogger(); + public IPAMSecretResolver _resolver; + public Discovery(IPAMSecretResolver resolver) + { + _resolver = resolver; + } + + public Discovery() + { + + } + public JobResult ProcessJob(DiscoveryJobConfiguration config, SubmitDiscoveryUpdate callback) { _logger.LogDebug("Beginning App Gateway Listener Binding Discovery Job - using AppGatewayCertificateJobs.Discovery.ProcessJob()"); AppGatewayCertificateJobs.Discovery discovery = new AppGatewayCertificateJobs.Discovery { - Client = Client + Client = Client, + _resolver = this._resolver }; return discovery.ProcessJob(config, callback); diff --git a/AzureAppGatewayOrchestrator/ListenerBindingJobs/Inventory.cs b/AzureAppGatewayOrchestrator/ListenerBindingJobs/Inventory.cs index 9ac349e..44490ef 100644 --- a/AzureAppGatewayOrchestrator/ListenerBindingJobs/Inventory.cs +++ b/AzureAppGatewayOrchestrator/ListenerBindingJobs/Inventory.cs @@ -19,6 +19,7 @@ using Keyfactor.Logging; using Keyfactor.Orchestrators.Common.Enums; using Keyfactor.Orchestrators.Extensions; +using Keyfactor.Orchestrators.Extensions.Interfaces; using Microsoft.Extensions.Logging; namespace AzureApplicationGatewayOrchestratorExtension.ListenerBindingJobs; @@ -30,13 +31,28 @@ public class Inventory : IInventoryJobExtension ILogger _logger = LogHandler.GetClassLogger(); + public IPAMSecretResolver _resolver; + + public Inventory(IPAMSecretResolver resolver) + { + _resolver = resolver; + } + + public Inventory() + { + + } + public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpdate cb) { _logger.LogDebug($"Beginning App Gateway Inventory Job"); if (Client == null) { - Client = new AppGatewayJobClientBuilder() + var clientBuilder = new AppGatewayJobClientBuilder(); + clientBuilder.resolver = _resolver; + + Client = clientBuilder .WithCertificateStoreDetails(config.CertificateStoreDetails) .Build(); } diff --git a/AzureAppGatewayOrchestrator/ListenerBindingJobs/Management.cs b/AzureAppGatewayOrchestrator/ListenerBindingJobs/Management.cs index 4206c46..7522ed1 100644 --- a/AzureAppGatewayOrchestrator/ListenerBindingJobs/Management.cs +++ b/AzureAppGatewayOrchestrator/ListenerBindingJobs/Management.cs @@ -18,6 +18,7 @@ using Keyfactor.Logging; using Keyfactor.Orchestrators.Common.Enums; using Keyfactor.Orchestrators.Extensions; +using Keyfactor.Orchestrators.Extensions.Interfaces; using Microsoft.Extensions.Logging; namespace AzureApplicationGatewayOrchestratorExtension.ListenerBindingJobs; @@ -29,13 +30,26 @@ public class Management : IManagementJobExtension ILogger _logger = LogHandler.GetClassLogger(); + public IPAMSecretResolver _resolver; + public Management(IPAMSecretResolver resolver) + { + _resolver = resolver; + } + public Management() + { + + } + public JobResult ProcessJob(ManagementJobConfiguration config) { _logger.LogDebug("Beginning App Gateway Binding Management Job"); if (Client == null) { - Client = new AppGatewayJobClientBuilder() + var clientBuilder = new AppGatewayJobClientBuilder(); + clientBuilder.resolver = _resolver; + + Client = clientBuilder .WithCertificateStoreDetails(config.CertificateStoreDetails) .Build(); } From b1d58f905b6e85f72c8506ebf5f0d78acb73745c Mon Sep 17 00:00:00 2001 From: Bob Pokorny Date: Fri, 29 May 2026 15:35:26 -0500 Subject: [PATCH 06/13] Finsihed changes for PAM support --- .../JobClientBuilder.cs | 66 +++++++++++++++++++ .../AppGatewayCertificateJobs/Management.cs | 17 ++++- .../AppGatewayJobClientBuilder.cs | 2 +- .../Client/GatewayClient.cs | 3 - AzureAppGatewayOrchestrator/PAMUtilities.cs | 2 +- CHANGELOG.md | 1 + README.md | 4 +- integration-manifest.json | 4 +- .../bash/curl_create_store_types.sh | 4 +- .../restmethod_create_store_types.ps1 | 4 +- 10 files changed, 93 insertions(+), 14 deletions(-) diff --git a/AzureAppGatewayOrchestrator.Tests/JobClientBuilder.cs b/AzureAppGatewayOrchestrator.Tests/JobClientBuilder.cs index f953d86..e0879b0 100644 --- a/AzureAppGatewayOrchestrator.Tests/JobClientBuilder.cs +++ b/AzureAppGatewayOrchestrator.Tests/JobClientBuilder.cs @@ -20,7 +20,9 @@ using AzureApplicationGatewayOrchestratorExtension.Client; using Keyfactor.Logging; using Keyfactor.Orchestrators.Extensions; +using Keyfactor.Orchestrators.Extensions.Interfaces; using Microsoft.Extensions.Logging; +using Moq; using NLog.Extensions.Logging; public class JobClientBuilder @@ -142,6 +144,70 @@ public void AppGatewayJobClientBuilder_ValidCertificateStoreConfigClientCertific _logger.LogInformation("AppGatewayJobClientBuilder_ValidCertificateStoreConfigClientCertificate_BuildValidClient - Success"); } + [Fact] + public void AppGatewayJobClientBuilder_WithPAMResolver_CertificateStoreDetails_ResolvesCredentials() + { + // Arrange + var mockResolver = new Mock(); + mockResolver.Setup(r => r.Resolve("pam-key-for-username")).Returns("resolved-azure-application-id"); + mockResolver.Setup(r => r.Resolve("pam-key-for-password")).Returns("resolved-azure-client-secret"); + + AppGatewayJobClientBuilder jobClientBuilderWithFakeBuilder = new(); + jobClientBuilderWithFakeBuilder.resolver = mockResolver.Object; + + CertificateStore fakeCertificateStoreDetails = new() + { + ClientMachine = "fake-tenant-id", + StorePath = "fake-azure-resource-id", + Properties = "{\"ServerUsername\":\"pam-key-for-username\",\"ServerPassword\":\"pam-key-for-password\",\"AzureCloud\":\"fake-azure-cloud\"}" + }; + + // Act + jobClientBuilderWithFakeBuilder + .WithCertificateStoreDetails(fakeCertificateStoreDetails) + .Build(); + + // Assert + Assert.Equal("resolved-azure-application-id", jobClientBuilderWithFakeBuilder._builder._applicationId); + Assert.Equal("resolved-azure-client-secret", jobClientBuilderWithFakeBuilder._builder._clientSecret); + mockResolver.Verify(r => r.Resolve("pam-key-for-username"), Times.Once); + mockResolver.Verify(r => r.Resolve("pam-key-for-password"), Times.Once); + + _logger.LogInformation("AppGatewayJobClientBuilder_WithPAMResolver_CertificateStoreDetails_ResolvesCredentials - Success"); + } + + [Fact] + public void AppGatewayJobClientBuilder_WithPAMResolver_DiscoveryJobConfiguration_ResolvesCredentials() + { + // Arrange + var mockResolver = new Mock(); + mockResolver.Setup(r => r.Resolve("pam-key-for-username")).Returns("resolved-azure-application-id"); + mockResolver.Setup(r => r.Resolve("pam-key-for-password")).Returns("resolved-azure-client-secret"); + + AppGatewayJobClientBuilder jobClientBuilderWithFakeBuilder = new(); + jobClientBuilderWithFakeBuilder.resolver = mockResolver.Object; + + DiscoveryJobConfiguration config = new() + { + ClientMachine = "fake-tenant-id", + ServerUsername = "pam-key-for-username", + ServerPassword = "pam-key-for-password" + }; + + // Act + jobClientBuilderWithFakeBuilder + .WithDiscoveryJobConfiguration(config, "fake-tenant-id") + .Build(); + + // Assert + Assert.Equal("resolved-azure-application-id", jobClientBuilderWithFakeBuilder._builder._applicationId); + Assert.Equal("resolved-azure-client-secret", jobClientBuilderWithFakeBuilder._builder._clientSecret); + mockResolver.Verify(r => r.Resolve("pam-key-for-username"), Times.Once); + mockResolver.Verify(r => r.Resolve("pam-key-for-password"), Times.Once); + + _logger.LogInformation("AppGatewayJobClientBuilder_WithPAMResolver_DiscoveryJobConfiguration_ResolvesCredentials - Success"); + } + static void ConfigureLogging() { var config = new NLog.Config.LoggingConfiguration(); diff --git a/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Management.cs b/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Management.cs index e8414eb..134c6ba 100644 --- a/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Management.cs +++ b/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Management.cs @@ -17,6 +17,7 @@ using Keyfactor.Logging; using Keyfactor.Orchestrators.Common.Enums; using Keyfactor.Orchestrators.Extensions; +using Keyfactor.Orchestrators.Extensions.Interfaces; using Microsoft.Extensions.Logging; namespace AzureApplicationGatewayOrchestratorExtension.AppGatewayCertificateJobs; @@ -28,13 +29,27 @@ public class Management : IManagementJobExtension ILogger _logger = LogHandler.GetClassLogger(); + public IPAMSecretResolver _resolver; + + public Management(IPAMSecretResolver resolver) + { + _resolver = resolver; + } + + public Management() + { + } + public JobResult ProcessJob(ManagementJobConfiguration config) { _logger.LogDebug("Beginning App Gateway Management Job"); if (Client == null) { - Client = new AppGatewayJobClientBuilder() + var clientBuilder = new AppGatewayJobClientBuilder(); + clientBuilder.resolver = _resolver; + + Client = clientBuilder .WithCertificateStoreDetails(config.CertificateStoreDetails) .Build(); } diff --git a/AzureAppGatewayOrchestrator/AppGatewayJobClientBuilder.cs b/AzureAppGatewayOrchestrator/AppGatewayJobClientBuilder.cs index ce9e741..fc46505 100644 --- a/AzureAppGatewayOrchestrator/AppGatewayJobClientBuilder.cs +++ b/AzureAppGatewayOrchestrator/AppGatewayJobClientBuilder.cs @@ -42,7 +42,7 @@ public class CertificateStoreProperties public AppGatewayJobClientBuilder WithCertificateStoreDetails(CertificateStore details) { - _logger.LogDebug($"Builder - Setting values from Certificate Store Details: {JsonConvert.SerializeObject(details)}"); + _logger.LogDebug($"Builder - Configuring client from Certificate Store: ClientMachine={details.ClientMachine}, StorePath={details.StorePath}"); CertificateStoreProperties properties = JsonConvert.DeserializeObject(details.Properties); diff --git a/AzureAppGatewayOrchestrator/Client/GatewayClient.cs b/AzureAppGatewayOrchestrator/Client/GatewayClient.cs index c810faf..b62d8ba 100644 --- a/AzureAppGatewayOrchestrator/Client/GatewayClient.cs +++ b/AzureAppGatewayOrchestrator/Client/GatewayClient.cs @@ -110,9 +110,6 @@ public IAzureAppGatewayClientBuilder WithAzureCloud(string azureCloud) case "china": _azureCloudEndpoint = AzureAuthorityHosts.AzureChina; break; - case "germany": - _azureCloudEndpoint = AzureAuthorityHosts.AzureGermany; - break; case "government": _azureCloudEndpoint = AzureAuthorityHosts.AzureGovernment; break; diff --git a/AzureAppGatewayOrchestrator/PAMUtilities.cs b/AzureAppGatewayOrchestrator/PAMUtilities.cs index 79fd362..b5b0ac6 100644 --- a/AzureAppGatewayOrchestrator/PAMUtilities.cs +++ b/AzureAppGatewayOrchestrator/PAMUtilities.cs @@ -12,7 +12,7 @@ internal static string ResolvePAMField(ILogger logger, IPAMSecretResolver resolv if (resolver == null) { - logger.LogError($"No PAM Resolver was found or configured, using {description} value from PAM."); + logger.LogTrace($"No PAM Resolver configured - using {description} value directly from store configuration."); logger.MethodExit(); return key; } diff --git a/CHANGELOG.md b/CHANGELOG.md index 79b0755..ae5b52b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,7 @@ # 3.5.0 - feat: Added PAM Support +- chore(client): Removed Azure support for Germany datacenter - been depreicated by Microsoft. # 3.4.0 diff --git a/README.md b/README.md index ff47098..aa5b49b 100644 --- a/README.md +++ b/README.md @@ -287,7 +287,7 @@ the Keyfactor Command Portal | ServerUsername | Server Username | Application ID of the service principal, representing the identity used for managing the Application Gateway. | Secret | | 🔲 Unchecked | | ServerPassword | Server Password | A Client Secret that the extension will use to authenticate with the Azure Resource Management API for managing Application Gateway certificates, OR the password that encrypts the private key in ClientCertificate | Secret | | 🔲 Unchecked | | ClientCertificate | Client Certificate | The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information. | Secret | | 🔲 Unchecked | - | AzureCloud | Azure Global Cloud Authority Host | Specifies the Azure Cloud instance used by the organization. | MultipleChoice | public,china,germany,government | 🔲 Unchecked | + | AzureCloud | Azure Global Cloud Authority Host | Specifies the Azure Cloud instance used by the organization. | MultipleChoice | public,china,government | 🔲 Unchecked | | ServerUseSsl | Use SSL | Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. | Bool | true | ✅ Checked | The Custom Fields tab should look like this: @@ -497,7 +497,7 @@ the Keyfactor Command Portal | ServerUsername | Server Username | Application ID of the service principal, representing the identity used for managing the Application Gateway. | Secret | | 🔲 Unchecked | | ServerPassword | Server Password | A Client Secret that the extension will use to authenticate with the Azure Resource Management API for managing Application Gateway certificates, OR the password that encrypts the private key in ClientCertificate | Secret | | 🔲 Unchecked | | ClientCertificate | Client Certificate | The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information. | Secret | | 🔲 Unchecked | - | AzureCloud | Azure Global Cloud Authority Host | Specifies the Azure Cloud instance used by the organization. | MultipleChoice | public,china,germany,government | 🔲 Unchecked | + | AzureCloud | Azure Global Cloud Authority Host | Specifies the Azure Cloud instance used by the organization. | MultipleChoice | public,china,government | 🔲 Unchecked | | ServerUseSsl | Use SSL | Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. | Bool | true | ✅ Checked | The Custom Fields tab should look like this: diff --git a/integration-manifest.json b/integration-manifest.json index c4e728d..d24dd62 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -54,7 +54,7 @@ "Name": "AzureCloud", "DisplayName": "Azure Global Cloud Authority Host", "Type": "MultipleChoice", - "DefaultValue": "public,china,germany,government", + "DefaultValue": "public,china,government", "Description": "Specifies the Azure Cloud instance used by the organization.", "Required": false }, @@ -118,7 +118,7 @@ "Name": "AzureCloud", "DisplayName": "Azure Global Cloud Authority Host", "Type": "MultipleChoice", - "DefaultValue": "public,china,germany,government", + "DefaultValue": "public,china,government", "Description": "Specifies the Azure Cloud instance used by the organization.", "Required": false }, diff --git a/scripts/store_types/bash/curl_create_store_types.sh b/scripts/store_types/bash/curl_create_store_types.sh index 5ba88a4..d53d5f4 100755 --- a/scripts/store_types/bash/curl_create_store_types.sh +++ b/scripts/store_types/bash/curl_create_store_types.sh @@ -96,7 +96,7 @@ create_store_type "AzureAppGw" '{ "Name": "AzureCloud", "DisplayName": "Azure Global Cloud Authority Host", "Type": "MultipleChoice", - "DefaultValue": "public,china,germany,government", + "DefaultValue": "public,china,government", "Required": false }, { @@ -146,7 +146,7 @@ create_store_type "AppGwBin" '{ "Name": "AzureCloud", "DisplayName": "Azure Global Cloud Authority Host", "Type": "MultipleChoice", - "DefaultValue": "public,china,germany,government", + "DefaultValue": "public,china,government", "Required": false }, { diff --git a/scripts/store_types/powershell/restmethod_create_store_types.ps1 b/scripts/store_types/powershell/restmethod_create_store_types.ps1 index 6097279..a9b2f1b 100644 --- a/scripts/store_types/powershell/restmethod_create_store_types.ps1 +++ b/scripts/store_types/powershell/restmethod_create_store_types.ps1 @@ -89,7 +89,7 @@ New-StoreType "AzureAppGw" @' "Name": "AzureCloud", "DisplayName": "Azure Global Cloud Authority Host", "Type": "MultipleChoice", - "DefaultValue": "public,china,germany,government", + "DefaultValue": "public,china,government", "Required": false }, { @@ -141,7 +141,7 @@ New-StoreType "AppGwBin" @' "Name": "AzureCloud", "DisplayName": "Azure Global Cloud Authority Host", "Type": "MultipleChoice", - "DefaultValue": "public,china,germany,government", + "DefaultValue": "public,china,government", "Required": false }, { From 4192a99f51260299749fdc778f5590a8b9bf0b30 Mon Sep 17 00:00:00 2001 From: Joe VanWanzeele Date: Wed, 24 Jun 2026 12:49:42 -0400 Subject: [PATCH 07/13] Added unit tests, added license headers --- .../AzureAppGW.cs | 20 +- .../AzureAppGatewayOrchestrator.Tests.csproj | 59 ++-- .../AzureAppGwBin.cs | 20 +- AzureAppGatewayOrchestrator.Tests/Client.cs | 20 +- .../FakeClient.cs | 20 +- .../IntegrationTestingFact.cs | 20 +- .../JobClientBuilder.cs | 20 +- .../PAMUtilitiesTests.cs | 293 ++++++++++++++++++ AzureAppGatewayOrchestrator.Tests/Usings.cs | 20 +- .../AppGatewayCertificateJobs/Discovery.cs | 20 +- .../AppGatewayCertificateJobs/Inventory.cs | 20 +- .../AppGatewayCertificateJobs/Management.cs | 20 +- .../AppGatewayJobClientBuilder.cs | 20 +- .../AzureAppGatewayOrchestrator.csproj | 15 +- .../Client/GatewayClient.cs | 20 +- .../Client/IAzureAppGatewayClient.cs | 20 +- .../ListenerBindingJobs/Discovery.cs | 20 +- .../ListenerBindingJobs/Inventory.cs | 20 +- .../ListenerBindingJobs/Management.cs | 20 +- AzureAppGatewayOrchestrator/PAMUtilities.cs | 13 +- 20 files changed, 455 insertions(+), 245 deletions(-) create mode 100644 AzureAppGatewayOrchestrator.Tests/PAMUtilitiesTests.cs diff --git a/AzureAppGatewayOrchestrator.Tests/AzureAppGW.cs b/AzureAppGatewayOrchestrator.Tests/AzureAppGW.cs index 47c3351..045b9a2 100644 --- a/AzureAppGatewayOrchestrator.Tests/AzureAppGW.cs +++ b/AzureAppGatewayOrchestrator.Tests/AzureAppGW.cs @@ -1,16 +1,10 @@ -// Copyright 2024 Keyfactor -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. + +// Copyright 2026 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. using System.Security.Cryptography.X509Certificates; using Azure.ResourceManager.Network.Models; diff --git a/AzureAppGatewayOrchestrator.Tests/AzureAppGatewayOrchestrator.Tests.csproj b/AzureAppGatewayOrchestrator.Tests/AzureAppGatewayOrchestrator.Tests.csproj index 4fe114f..f01a97a 100644 --- a/AzureAppGatewayOrchestrator.Tests/AzureAppGatewayOrchestrator.Tests.csproj +++ b/AzureAppGatewayOrchestrator.Tests/AzureAppGatewayOrchestrator.Tests.csproj @@ -1,35 +1,36 @@ - - - - net8.0 - enable - enable - - false - - - - - - - - - - runtime; build; native; contentfiles; analyzers; buildtransitive - all - - - runtime; build; native; contentfiles; analyzers; buildtransitive - all - - - + + + + net8.0 + enable + enable + + false + + + + + + + + + + + runtime; build; native; contentfiles; analyzers; buildtransitive + all + + + runtime; build; native; contentfiles; analyzers; buildtransitive + all + + + - + - - + + diff --git a/AzureAppGatewayOrchestrator.Tests/AzureAppGwBin.cs b/AzureAppGatewayOrchestrator.Tests/AzureAppGwBin.cs index 7207547..acebc43 100644 --- a/AzureAppGatewayOrchestrator.Tests/AzureAppGwBin.cs +++ b/AzureAppGatewayOrchestrator.Tests/AzureAppGwBin.cs @@ -1,16 +1,10 @@ -// Copyright 2024 Keyfactor -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. + +// Copyright 2026 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. using System.Security.Cryptography.X509Certificates; using Azure.ResourceManager.Network.Models; diff --git a/AzureAppGatewayOrchestrator.Tests/Client.cs b/AzureAppGatewayOrchestrator.Tests/Client.cs index d2e3452..dcd8d39 100644 --- a/AzureAppGatewayOrchestrator.Tests/Client.cs +++ b/AzureAppGatewayOrchestrator.Tests/Client.cs @@ -1,16 +1,10 @@ -// Copyright 2024 Keyfactor -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. + +// Copyright 2026 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates; diff --git a/AzureAppGatewayOrchestrator.Tests/FakeClient.cs b/AzureAppGatewayOrchestrator.Tests/FakeClient.cs index 651fcb2..bd68e82 100644 --- a/AzureAppGatewayOrchestrator.Tests/FakeClient.cs +++ b/AzureAppGatewayOrchestrator.Tests/FakeClient.cs @@ -1,16 +1,10 @@ -// Copyright 2024 Keyfactor -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. + +// Copyright 2026 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. using System.Security.Cryptography.X509Certificates; using Azure.ResourceManager.Network.Models; diff --git a/AzureAppGatewayOrchestrator.Tests/IntegrationTestingFact.cs b/AzureAppGatewayOrchestrator.Tests/IntegrationTestingFact.cs index ce21f39..b1349e0 100644 --- a/AzureAppGatewayOrchestrator.Tests/IntegrationTestingFact.cs +++ b/AzureAppGatewayOrchestrator.Tests/IntegrationTestingFact.cs @@ -1,16 +1,10 @@ -// Copyright 2024 Keyfactor -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. + +// Copyright 2026 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. namespace AzureAppGatewayOrchestrator.Tests; diff --git a/AzureAppGatewayOrchestrator.Tests/JobClientBuilder.cs b/AzureAppGatewayOrchestrator.Tests/JobClientBuilder.cs index e0879b0..ade1bb3 100644 --- a/AzureAppGatewayOrchestrator.Tests/JobClientBuilder.cs +++ b/AzureAppGatewayOrchestrator.Tests/JobClientBuilder.cs @@ -1,16 +1,10 @@ -// Copyright 2024 Keyfactor -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. + +// Copyright 2026 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates; diff --git a/AzureAppGatewayOrchestrator.Tests/PAMUtilitiesTests.cs b/AzureAppGatewayOrchestrator.Tests/PAMUtilitiesTests.cs new file mode 100644 index 0000000..7650fcd --- /dev/null +++ b/AzureAppGatewayOrchestrator.Tests/PAMUtilitiesTests.cs @@ -0,0 +1,293 @@ + +// Copyright 2026 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using AzureApplicationGatewayOrchestratorExtension; +using AzureApplicationGatewayOrchestratorExtension.AppGatewayCertificateJobs; +using FluentAssertions; +using Keyfactor.Logging; +using Keyfactor.Orchestrators.Common.Enums; +using Keyfactor.Orchestrators.Extensions; +using Keyfactor.Orchestrators.Extensions.Interfaces; +using Microsoft.Extensions.Logging; +using Moq; +using NLog.Extensions.Logging; + +namespace AzureAppGatewayOrchestrator.Tests; + +public class PAMUtilitiesTests +{ + ILogger _logger { get; set; } + + public PAMUtilitiesTests() + { + ConfigureLogging(); + _logger = LogHandler.GetClassLogger(); + } + + // ------------------------------------------------------------------------- + // PAMUtilities.ResolvePAMField - direct unit tests + // ------------------------------------------------------------------------- + + [Fact] + public void ResolvePAMField_NullResolver_ReturnsKeyDirectly() + { + // When no PAM resolver is configured, the raw value from store config + // should be passed through unchanged - PAMUtilities is not a middleman. + + // Arrange + string key = "literal-credential-value"; + + // Act + string result = PAMUtilities.ResolvePAMField(_logger, null, "Server Username", key); + + // Assert + result.Should().Be(key); + + _logger.LogInformation("ResolvePAMField_NullResolver_ReturnsKeyDirectly - Success"); + } + + [Fact] + public void ResolvePAMField_WithResolver_CallsResolveAndReturnsResolvedValue() + { + // When a PAM resolver is present, Resolve() must be called with the key + // and its return value used instead of the raw key. + + // Arrange + var mockResolver = new Mock(); + mockResolver.Setup(r => r.Resolve("pam-secret-key")).Returns("resolved-secret-value"); + + // Act + string result = PAMUtilities.ResolvePAMField(_logger, mockResolver.Object, "Server Password", "pam-secret-key"); + + // Assert + result.Should().Be("resolved-secret-value"); + mockResolver.Verify(r => r.Resolve("pam-secret-key"), Times.Once); + + _logger.LogInformation("ResolvePAMField_WithResolver_CallsResolveAndReturnsResolvedValue - Success"); + } + + [Fact] + public void ResolvePAMField_WithResolver_ResolverCalledExactlyOnce() + { + // Resolve() should be called exactly once per field - no caching or double-calling. + + // Arrange + var mockResolver = new Mock(); + mockResolver.Setup(r => r.Resolve(It.IsAny())).Returns("any-resolved-value"); + + // Act + PAMUtilities.ResolvePAMField(_logger, mockResolver.Object, "description", "any-key"); + + // Assert + mockResolver.Verify(r => r.Resolve(It.IsAny()), Times.Once); + + _logger.LogInformation("ResolvePAMField_WithResolver_ResolverCalledExactlyOnce - Success"); + } + + [Fact] + public void ResolvePAMField_WithResolver_ReturnsNullWhenResolverReturnsNull() + { + // If the PAM provider returns null (e.g. secret not found), null should + // be surfaced as-is rather than silently falling back to the key. + + // Arrange + var mockResolver = new Mock(); + mockResolver.Setup(r => r.Resolve(It.IsAny())).Returns((string)null); + + // Act + string result = PAMUtilities.ResolvePAMField(_logger, mockResolver.Object, "Server Password", "pam-key"); + + // Assert + result.Should().BeNull(); + + _logger.LogInformation("ResolvePAMField_WithResolver_ReturnsNullWhenResolverReturnsNull - Success"); + } + + [Theory] + [InlineData("pam-key-one", "resolved-value-one")] + [InlineData("pam-key-two", "resolved-value-two")] + [InlineData("pam-key-three", "resolved-value-three")] + public void ResolvePAMField_WithResolver_CorrectKeyForwardedToResolver(string key, string resolvedValue) + { + // The exact key string from store config must be forwarded to the resolver + // unchanged - PAMUtilities must not mangle or trim the key. + + // Arrange + var mockResolver = new Mock(); + mockResolver.Setup(r => r.Resolve(key)).Returns(resolvedValue); + + // Act + string result = PAMUtilities.ResolvePAMField(_logger, mockResolver.Object, "field description", key); + + // Assert + result.Should().Be(resolvedValue); + mockResolver.Verify(r => r.Resolve(key), Times.Once); + + _logger.LogInformation($"ResolvePAMField_WithResolver_CorrectKeyForwardedToResolver ({key}) - Success"); + } + + // ------------------------------------------------------------------------- + // AppGatewayJobClientBuilder - PAM passthrough (no resolver configured) + // ------------------------------------------------------------------------- + + [Fact] + public void AppGatewayJobClientBuilder_NoPAMResolver_CertificateStoreDetails_UsesValuesDirectly() + { + // Without a resolver, the raw ServerUsername / ServerPassword values from + // store config should be used as-is (no PAM lookup attempted). + + // Arrange + AppGatewayJobClientBuilder builder = new(); + // resolver left null (default) + + CertificateStore storeDetails = new() + { + ClientMachine = "fake-tenant-id", + StorePath = "fake-resource-id", + Properties = "{\"ServerUsername\":\"direct-app-id\",\"ServerPassword\":\"direct-secret\",\"AzureCloud\":\"fake-cloud\"}" + }; + + // Act + builder.WithCertificateStoreDetails(storeDetails).Build(); + + // Assert + builder._builder._applicationId.Should().Be("direct-app-id"); + builder._builder._clientSecret.Should().Be("direct-secret"); + + _logger.LogInformation("AppGatewayJobClientBuilder_NoPAMResolver_CertificateStoreDetails_UsesValuesDirectly - Success"); + } + + [Fact] + public void AppGatewayJobClientBuilder_NoPAMResolver_DiscoveryJobConfiguration_UsesValuesDirectly() + { + // Same passthrough guarantee for the Discovery path. + + // Arrange + AppGatewayJobClientBuilder builder = new(); + + DiscoveryJobConfiguration config = new() + { + ClientMachine = "fake-tenant-id", + ServerUsername = "direct-app-id", + ServerPassword = "direct-secret" + }; + + // Act + builder.WithDiscoveryJobConfiguration(config, "fake-tenant-id").Build(); + + // Assert + builder._builder._applicationId.Should().Be("direct-app-id"); + builder._builder._clientSecret.Should().Be("direct-secret"); + + _logger.LogInformation("AppGatewayJobClientBuilder_NoPAMResolver_DiscoveryJobConfiguration_UsesValuesDirectly - Success"); + } + + // ------------------------------------------------------------------------- + // Job-level: PAM resolver accepted via constructor and threaded through + // ------------------------------------------------------------------------- + + [Fact] + public void AzureAppGw_Inventory_ProcessJob_WithPAMResolver_ResolvesCredentials() + { + // Inventory accepts an IPAMSecretResolver via its constructor and must + // thread it through to the client builder so PAM keys are resolved + // before the Azure client is constructed. + // + // Here we inject a pre-built FakeClient so the builder path is skipped, + // and verify the job completes successfully with the resolver in place. + + // Arrange + var mockResolver = new Mock(); + + var inventory = new Inventory(mockResolver.Object) + { + Client = new FakeClient + { + CertificatesAvailableOnFakeAppGateway = new Dictionary + { + { "cert1", new Azure.ResourceManager.Network.Models.ApplicationGatewaySslCertificate { Name = "cert1" } } + } + } + }; + + var config = new InventoryJobConfiguration + { + CertificateStoreDetails = new CertificateStore + { + ClientMachine = "fake-tenant-id", + StorePath = "fake-resource-id", + Properties = "{\"ServerUsername\":\"pam-username-key\",\"ServerPassword\":\"pam-password-key\",\"AzureCloud\":\"\"}" + }, + JobHistoryId = 1 + }; + + // Act + JobResult result = inventory.ProcessJob(config, items => + { + items.Should().ContainSingle(); + return true; + }); + + // Assert + result.Result.Should().Be(OrchestratorJobStatusJobResult.Success); + + _logger.LogInformation("AzureAppGw_Inventory_ProcessJob_WithPAMResolver_ResolvesCredentials - Success"); + } + + [Fact] + public void AzureAppGwBin_Discovery_ProcessJob_WithPAMResolver_ResolvesCredentials() + { + // Discovery accepts an IPAMSecretResolver via its constructor and must + // thread it through to the client builder. + + // Arrange + var mockResolver = new Mock(); + + var discovery = new AzureApplicationGatewayOrchestratorExtension.ListenerBindingJobs.Discovery(mockResolver.Object) + { + Client = new FakeClient + { + AppGatewaysAvailableOnFakeTenant = new List { "fake-gateway" } + } + }; + + var config = new DiscoveryJobConfiguration + { + ClientMachine = "fake-tenant-id", + ServerUsername = "pam-username-key", + ServerPassword = "pam-password-key", + JobProperties = new Dictionary { { "dirs", "fake-tenant-id" } } + }; + + // Act + JobResult result = discovery.ProcessJob(config, discovered => + { + discovered.Should().ContainSingle().Which.Should().Be("fake-gateway"); + return true; + }); + + // Assert + result.Result.Should().Be(OrchestratorJobStatusJobResult.Success); + + _logger.LogInformation("AzureAppGwBin_Discovery_ProcessJob_WithPAMResolver_ResolvesCredentials - Success"); + } + + static void ConfigureLogging() + { + var config = new NLog.Config.LoggingConfiguration(); + var logconsole = new NLog.Targets.ConsoleTarget("logconsole"); + logconsole.Layout = @"${date:format=HH\:mm\:ss} ${logger} [${level}] - ${message}"; + config.AddRule(NLog.LogLevel.Trace, NLog.LogLevel.Fatal, logconsole); + NLog.LogManager.Configuration = config; + + LogHandler.Factory = LoggerFactory.Create(builder => + { + builder.AddNLog(); + }); + } +} diff --git a/AzureAppGatewayOrchestrator.Tests/Usings.cs b/AzureAppGatewayOrchestrator.Tests/Usings.cs index e56a59f..41cb57d 100644 --- a/AzureAppGatewayOrchestrator.Tests/Usings.cs +++ b/AzureAppGatewayOrchestrator.Tests/Usings.cs @@ -1,15 +1,9 @@ -// Copyright 2024 Keyfactor -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. + +// Copyright 2026 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. global using Xunit; diff --git a/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Discovery.cs b/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Discovery.cs index 3696d02..78084c5 100644 --- a/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Discovery.cs +++ b/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Discovery.cs @@ -1,16 +1,10 @@ -// Copyright 2024 Keyfactor -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. + +// Copyright 2026 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. using System; using System.Collections.Generic; diff --git a/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Inventory.cs b/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Inventory.cs index 421e233..21a7839 100644 --- a/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Inventory.cs +++ b/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Inventory.cs @@ -1,16 +1,10 @@ -// Copyright 2024 Keyfactor -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. + +// Copyright 2026 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. using System; using System.Collections.Generic; diff --git a/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Management.cs b/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Management.cs index 134c6ba..7d3ba37 100644 --- a/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Management.cs +++ b/AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Management.cs @@ -1,16 +1,10 @@ -// Copyright 2024 Keyfactor -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. + +// Copyright 2026 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. using System; using AzureApplicationGatewayOrchestratorExtension.Client; diff --git a/AzureAppGatewayOrchestrator/AppGatewayJobClientBuilder.cs b/AzureAppGatewayOrchestrator/AppGatewayJobClientBuilder.cs index fc46505..86ca5ea 100644 --- a/AzureAppGatewayOrchestrator/AppGatewayJobClientBuilder.cs +++ b/AzureAppGatewayOrchestrator/AppGatewayJobClientBuilder.cs @@ -1,16 +1,10 @@ -// Copyright 2024 Keyfactor -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. + +// Copyright 2026 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. using System; using System.Security.Cryptography; diff --git a/AzureAppGatewayOrchestrator/AzureAppGatewayOrchestrator.csproj b/AzureAppGatewayOrchestrator/AzureAppGatewayOrchestrator.csproj index f4e42ba..c48caad 100644 --- a/AzureAppGatewayOrchestrator/AzureAppGatewayOrchestrator.csproj +++ b/AzureAppGatewayOrchestrator/AzureAppGatewayOrchestrator.csproj @@ -1,21 +1,22 @@ - + + true - net6.0;net8.0;net10.0 + net6.0;net8.0 true disable - - - + + + - + - + diff --git a/AzureAppGatewayOrchestrator/Client/GatewayClient.cs b/AzureAppGatewayOrchestrator/Client/GatewayClient.cs index b62d8ba..c186c5b 100644 --- a/AzureAppGatewayOrchestrator/Client/GatewayClient.cs +++ b/AzureAppGatewayOrchestrator/Client/GatewayClient.cs @@ -1,16 +1,10 @@ -// Copyright 2024 Keyfactor -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. + +// Copyright 2026 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. using System; using System.Collections.Generic; diff --git a/AzureAppGatewayOrchestrator/Client/IAzureAppGatewayClient.cs b/AzureAppGatewayOrchestrator/Client/IAzureAppGatewayClient.cs index f1d8bbd..96f8443 100644 --- a/AzureAppGatewayOrchestrator/Client/IAzureAppGatewayClient.cs +++ b/AzureAppGatewayOrchestrator/Client/IAzureAppGatewayClient.cs @@ -1,16 +1,10 @@ -// Copyright 2024 Keyfactor -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. + +// Copyright 2026 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. using System.Collections.Generic; using System.Security.Cryptography.X509Certificates; diff --git a/AzureAppGatewayOrchestrator/ListenerBindingJobs/Discovery.cs b/AzureAppGatewayOrchestrator/ListenerBindingJobs/Discovery.cs index 6037d7a..6ca56ce 100644 --- a/AzureAppGatewayOrchestrator/ListenerBindingJobs/Discovery.cs +++ b/AzureAppGatewayOrchestrator/ListenerBindingJobs/Discovery.cs @@ -1,16 +1,10 @@ -// Copyright 2024 Keyfactor -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. + +// Copyright 2026 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. using AzureApplicationGatewayOrchestratorExtension.Client; using Keyfactor.Logging; diff --git a/AzureAppGatewayOrchestrator/ListenerBindingJobs/Inventory.cs b/AzureAppGatewayOrchestrator/ListenerBindingJobs/Inventory.cs index 44490ef..dc3ded0 100644 --- a/AzureAppGatewayOrchestrator/ListenerBindingJobs/Inventory.cs +++ b/AzureAppGatewayOrchestrator/ListenerBindingJobs/Inventory.cs @@ -1,16 +1,10 @@ -// Copyright 2024 Keyfactor -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. + +// Copyright 2026 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. using System; using System.Collections.Generic; diff --git a/AzureAppGatewayOrchestrator/ListenerBindingJobs/Management.cs b/AzureAppGatewayOrchestrator/ListenerBindingJobs/Management.cs index 7522ed1..82ce262 100644 --- a/AzureAppGatewayOrchestrator/ListenerBindingJobs/Management.cs +++ b/AzureAppGatewayOrchestrator/ListenerBindingJobs/Management.cs @@ -1,16 +1,10 @@ -// Copyright 2024 Keyfactor -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. + +// Copyright 2026 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. using System; using Azure.ResourceManager.Network.Models; diff --git a/AzureAppGatewayOrchestrator/PAMUtilities.cs b/AzureAppGatewayOrchestrator/PAMUtilities.cs index b5b0ac6..1ae35ab 100644 --- a/AzureAppGatewayOrchestrator/PAMUtilities.cs +++ b/AzureAppGatewayOrchestrator/PAMUtilities.cs @@ -1,7 +1,18 @@ -using Keyfactor.Logging; + +// Copyright 2026 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System.Runtime.CompilerServices; +using Keyfactor.Logging; using Keyfactor.Orchestrators.Extensions.Interfaces; using Microsoft.Extensions.Logging; +[assembly: InternalsVisibleTo("AzureAppGatewayOrchestrator.Tests")] + namespace AzureAppGatewayOrchestrator { internal class PAMUtilities From f59b4f3d62581ddded98acca5ae8e787e7072e1c Mon Sep 17 00:00:00 2001 From: Bob Pokorny Date: Wed, 24 Jun 2026 14:32:19 -0700 Subject: [PATCH 08/13] Updated workflows to use Version 5 --- .github/workflows/keyfactor-starter-workflow.yml | 11 +++++------ integration-manifest.json | 2 +- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml index 9ac93ee..b8c72b2 100644 --- a/.github/workflows/keyfactor-starter-workflow.yml +++ b/.github/workflows/keyfactor-starter-workflow.yml @@ -11,10 +11,9 @@ on: jobs: call-starter-workflow: - uses: keyfactor/actions/.github/workflows/starter.yml@3.2.0 + uses: keyfactor/actions/.github/workflows/starter.yml@v5 secrets: - token: ${{ secrets.V2BUILDTOKEN}} - APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}} - gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }} - gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }} - scan_token: ${{ secrets.SAST_TOKEN }} + token: ${{ secrets.V2BUILDTOKEN}} # REQUIRED + gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }} # Only required for golang builds + gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }} # Only required for golang builds + scan_token: ${{ secrets.SAST_TOKEN }} # REQUIRED diff --git a/integration-manifest.json b/integration-manifest.json index d24dd62..c7a750d 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -12,7 +12,7 @@ "about": { "orchestrator": { "UOFramework": "10.4", - "pam_support": false, + "pam_support": true, "store_types": [ { "Name": "Azure Application Gateway Certificate", From 31b56f63e55ff28670af21917f385225b1c9de2a Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 24 Jun 2026 21:32:48 +0000 Subject: [PATCH 09/13] docs: auto-generate README and documentation [skip ci] --- README.md | 153 ++++++------------ .../AppGwBin-advanced-store-type-dialog.svg | 67 ++++++++ .../AppGwBin-basic-store-type-dialog.svg | 83 ++++++++++ ...ppGwBin-custom-field-AzureCloud-dialog.svg | 49 ++++++ ...d-AzureCloud-validation-options-dialog.svg | 39 +++++ ...-custom-field-ClientCertificate-dialog.svg | 49 ++++++ ...tCertificate-validation-options-dialog.svg | 39 +++++ ...GwBin-custom-field-ServerUseSsl-dialog.svg | 54 +++++++ ...ServerUseSsl-validation-options-dialog.svg | 39 +++++ ...pGwBin-custom-fields-store-type-dialog.svg | 88 ++++++++++ .../AzureAppGw-advanced-store-type-dialog.svg | 67 ++++++++ .../AzureAppGw-basic-store-type-dialog.svg | 84 ++++++++++ ...reAppGw-custom-field-AzureCloud-dialog.svg | 49 ++++++ ...d-AzureCloud-validation-options-dialog.svg | 39 +++++ ...-custom-field-ClientCertificate-dialog.svg | 49 ++++++ ...tCertificate-validation-options-dialog.svg | 39 +++++ ...AppGw-custom-field-ServerUseSsl-dialog.svg | 54 +++++++ ...ServerUseSsl-validation-options-dialog.svg | 39 +++++ ...eAppGw-custom-fields-store-type-dialog.svg | 88 ++++++++++ .../bash/curl_create_store_types.sh | 134 +++++++-------- .../bash/kfutil_create_store_types.sh | 33 +--- .../powershell/kfutil_create_store_types.ps1 | 33 +--- .../restmethod_create_store_types.ps1 | 121 ++++++-------- 23 files changed, 1184 insertions(+), 305 deletions(-) create mode 100644 docsource/images/AppGwBin-advanced-store-type-dialog.svg create mode 100644 docsource/images/AppGwBin-basic-store-type-dialog.svg create mode 100644 docsource/images/AppGwBin-custom-field-AzureCloud-dialog.svg create mode 100644 docsource/images/AppGwBin-custom-field-AzureCloud-validation-options-dialog.svg create mode 100644 docsource/images/AppGwBin-custom-field-ClientCertificate-dialog.svg create mode 100644 docsource/images/AppGwBin-custom-field-ClientCertificate-validation-options-dialog.svg create mode 100644 docsource/images/AppGwBin-custom-field-ServerUseSsl-dialog.svg create mode 100644 docsource/images/AppGwBin-custom-field-ServerUseSsl-validation-options-dialog.svg create mode 100644 docsource/images/AppGwBin-custom-fields-store-type-dialog.svg create mode 100644 docsource/images/AzureAppGw-advanced-store-type-dialog.svg create mode 100644 docsource/images/AzureAppGw-basic-store-type-dialog.svg create mode 100644 docsource/images/AzureAppGw-custom-field-AzureCloud-dialog.svg create mode 100644 docsource/images/AzureAppGw-custom-field-AzureCloud-validation-options-dialog.svg create mode 100644 docsource/images/AzureAppGw-custom-field-ClientCertificate-dialog.svg create mode 100644 docsource/images/AzureAppGw-custom-field-ClientCertificate-validation-options-dialog.svg create mode 100644 docsource/images/AzureAppGw-custom-field-ServerUseSsl-dialog.svg create mode 100644 docsource/images/AzureAppGw-custom-field-ServerUseSsl-validation-options-dialog.svg create mode 100644 docsource/images/AzureAppGw-custom-fields-store-type-dialog.svg diff --git a/README.md b/README.md index aa5b49b..c529c01 100644 --- a/README.md +++ b/README.md @@ -38,17 +38,15 @@ The Azure Application Gateway Orchestrator extension remotely manages certificat > If the certificate management capabilities of Azure Key Vault are desired over direct management of certificates in Application Gateways, the Azure Key Vault orchestrator can be used in conjunction with this extension for accurate certificate location reporting via the inventory job type. This management strategy requires manual binding of certificates imported to an Application Gateway from AKV and can result in broken state in the Azure Application Gateway in the case that the secret is deleted in AKV. The Azure Application Gateway Universal Orchestrator extension implements 2 Certificate Store Types. Depending on your use case, you may elect to use one, or both of these Certificate Store Types. Descriptions of each are provided below. - - [Azure Application Gateway Certificate](#AzureAppGw) - - [Azure Application Gateway Certificate Binding](#AppGwBin) - ## Compatibility This integration is compatible with Keyfactor Universal Orchestrator version 10.4 and later. ## Support + The Azure Application Gateway Universal Orchestrator extension is supported by Keyfactor. If you require support for any issues or have feature request, please open a support ticket by either contacting your Keyfactor representative or via the Keyfactor Support Portal at https://support.keyfactor.com. > If you want to contribute bug fixes or additional enhancements, use the **[Pull requests](../../pulls)** tab. @@ -57,7 +55,6 @@ The Azure Application Gateway Universal Orchestrator extension is supported by K Before installing the Azure Application Gateway Universal Orchestrator extension, we recommend that you install [kfutil](https://github.com/Keyfactor/kfutil). Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command. - ### Azure Service Principal (Azure Resource Manager Authentication) The Azure Application Gateway Orchestrator extension uses an [Azure Service Principal](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser) for authentication. Follow [Microsoft's documentation](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) to create a service principal. @@ -137,7 +134,6 @@ authenticate to the Microsoft Graph API. You will use `clientcert.[pem|pfx].base64` as the **ClientCertificate** field in the [Certificate Store Configuration](#certificate-store-configuration) section. - ## Certificate Store Types To use the Azure Application Gateway Universal Orchestrator extension, you **must** create the Certificate Store Types required for your use-case. This only needs to happen _once_ per Keyfactor Command instance. @@ -148,7 +144,6 @@ The Azure Application Gateway Universal Orchestrator extension implements 2 Cert
Click to expand details - The Azure Application Gateway Certificate store type, `AzureAppGw`, manages `ApplicationGatewaySslCertificate` objects owned by Azure Application Gateways. This store type collects inventory and manages all ApplicationGatewaySslCertificate objects associated with an Application Gateway. The store type is implemented primarily for Inventory and Management @@ -201,24 +196,22 @@ have appropriate permissions to read secrets from the AKV that the App Gateway i in the AzureApplicationSslCertificate will be accessed exactly as reported by Azure, regardless of whether it exists in AKV. - - - #### Supported Operations -| Operation | Is Supported | -|--------------|------------------------------------------------------------------------------------------------------------------------| -| Add | ✅ Checked | -| Remove | ✅ Checked | -| Discovery | ✅ Checked | +| Operation | Is Supported | +|--------------|--------------| +| Add | ✅ Checked | +| Remove | ✅ Checked | +| Discovery | ✅ Checked | | Reenrollment | 🔲 Unchecked | -| Create | 🔲 Unchecked | +| Create | 🔲 Unchecked | #### Store Type Creation ##### Using kfutil: `kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types. For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart) +
Click to expand AzureAppGw kfutil details ##### Using online definition from GitHub: @@ -237,10 +230,10 @@ For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out ```
- #### Manual Creation Below are instructions on how to create the AzureAppGw store type manually in the Keyfactor Command Portal +
Click to expand manual AzureAppGw details Create a store type called `AzureAppGw` with the attributes in the tables below: @@ -251,11 +244,11 @@ the Keyfactor Command Portal | Name | Azure Application Gateway Certificate | Display name for the store type (may be customized) | | Short Name | AzureAppGw | Short display name for the store type | | Capability | AzureAppGw | Store type name orchestrator will register with. Check the box to allow entry of value | - | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add | - | Supports Remove | ✅ Checked | Check the box. Indicates that the Store Type supports Management Remove | - | Supports Discovery | ✅ Checked | Check the box. Indicates that the Store Type supports Discovery | - | Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment | - | Supports Create | 🔲 Unchecked | Indicates that the Store Type supports store creation | + | Supports Add | ✅ Checked | Indicates that the Store Type supports Management Add | + | Supports Remove | ✅ Checked | Indicates that the Store Type supports Management Remove | + | Supports Discovery | ✅ Checked | Indicates that the Store Type supports Discovery | + | Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment | + | Supports Create | 🔲 Unchecked | Indicates that the Store Type supports store creation | | Needs Server | ✅ Checked | Determines if a target server name is required when creating store | | Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint | | Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell | @@ -264,18 +257,18 @@ the Keyfactor Command Portal The Basic tab should look like this: - ![AzureAppGw Basic Tab](docsource/images/AzureAppGw-basic-store-type-dialog.png) + ![AzureAppGw Basic Tab](docsource/images/AzureAppGw-basic-store-type-dialog.svg) ##### Advanced Tab | Attribute | Value | Description | | --------- | ----- | ----- | | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. | - | Private Key Handling | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. | + | Private Key Handling | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. | | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) | The Advanced tab should look like this: - ![AzureAppGw Advanced Tab](docsource/images/AzureAppGw-advanced-store-type-dialog.png) + ![AzureAppGw Advanced Tab](docsource/images/AzureAppGw-advanced-store-type-dialog.svg) > For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX. @@ -292,8 +285,7 @@ the Keyfactor Command Portal The Custom Fields tab should look like this: - ![AzureAppGw Custom Fields Tab](docsource/images/AzureAppGw-custom-fields-store-type-dialog.png) - + ![AzureAppGw Custom Fields Tab](docsource/images/AzureAppGw-custom-fields-store-type-dialog.svg) ###### Server Username Application ID of the service principal, representing the identity used for managing the Application Gateway. @@ -303,8 +295,6 @@ the Keyfactor Command Portal > This field is created by the `Needs Server` on the Basic tab, do not create this field manually. - - ###### Server Password A Client Secret that the extension will use to authenticate with the Azure Resource Management API for managing Application Gateway certificates, OR the password that encrypts the private key in ClientCertificate @@ -313,32 +303,22 @@ the Keyfactor Command Portal > This field is created by the `Needs Server` on the Basic tab, do not create this field manually. - - ###### Client Certificate The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information. - ![AzureAppGw Custom Field - ClientCertificate](docsource/images/AzureAppGw-custom-field-ClientCertificate-dialog.png) - ![AzureAppGw Custom Field - ClientCertificate](docsource/images/AzureAppGw-custom-field-ClientCertificate-validation-options-dialog.png) - + ![AzureAppGw Custom Field - ClientCertificate](docsource/images/AzureAppGw-custom-field-ClientCertificate-dialog.svg) ###### Azure Global Cloud Authority Host Specifies the Azure Cloud instance used by the organization. - ![AzureAppGw Custom Field - AzureCloud](docsource/images/AzureAppGw-custom-field-AzureCloud-dialog.png) - ![AzureAppGw Custom Field - AzureCloud](docsource/images/AzureAppGw-custom-field-AzureCloud-validation-options-dialog.png) - + ![AzureAppGw Custom Field - AzureCloud](docsource/images/AzureAppGw-custom-field-AzureCloud-dialog.svg) ###### Use SSL Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. - ![AzureAppGw Custom Field - ServerUseSsl](docsource/images/AzureAppGw-custom-field-ServerUseSsl-dialog.png) - ![AzureAppGw Custom Field - ServerUseSsl](docsource/images/AzureAppGw-custom-field-ServerUseSsl-validation-options-dialog.png) - - - + ![AzureAppGw Custom Field - ServerUseSsl](docsource/images/AzureAppGw-custom-field-ServerUseSsl-dialog.svg)
@@ -348,7 +328,6 @@ the Keyfactor Command Portal
Click to expand details - The Azure Application Gateway Certificate Binding store type, `AzureAppGwBin`, represents certificates bound to TLS Listeners on Azure App Gateways. The only supported operations on this store type are Management Add and Inventory. The Management Add operation for this store type creates and binds an ApplicationGatewaySslCertificate to a pre-existing TLS @@ -411,24 +390,22 @@ have appropriate permissions to read secrets from the AKV that the App Gateway i in the AzureApplicationSslCertificate will be accessed exactly as reported by Azure, regardless of whether it exists in AKV. - - - #### Supported Operations -| Operation | Is Supported | -|--------------|------------------------------------------------------------------------------------------------------------------------| -| Add | ✅ Checked | -| Remove | 🔲 Unchecked | -| Discovery | ✅ Checked | +| Operation | Is Supported | +|--------------|--------------| +| Add | ✅ Checked | +| Remove | 🔲 Unchecked | +| Discovery | ✅ Checked | | Reenrollment | 🔲 Unchecked | -| Create | 🔲 Unchecked | +| Create | 🔲 Unchecked | #### Store Type Creation ##### Using kfutil: `kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types. For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart) +
Click to expand AppGwBin kfutil details ##### Using online definition from GitHub: @@ -447,10 +424,10 @@ For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out ```
- #### Manual Creation Below are instructions on how to create the AppGwBin store type manually in the Keyfactor Command Portal +
Click to expand manual AppGwBin details Create a store type called `AppGwBin` with the attributes in the tables below: @@ -461,11 +438,11 @@ the Keyfactor Command Portal | Name | Azure Application Gateway Certificate Binding | Display name for the store type (may be customized) | | Short Name | AppGwBin | Short display name for the store type | | Capability | AzureAppGwBin | Store type name orchestrator will register with. Check the box to allow entry of value | - | Supports Add | ✅ Checked | Check the box. Indicates that the Store Type supports Management Add | - | Supports Remove | 🔲 Unchecked | Indicates that the Store Type supports Management Remove | - | Supports Discovery | ✅ Checked | Check the box. Indicates that the Store Type supports Discovery | - | Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment | - | Supports Create | 🔲 Unchecked | Indicates that the Store Type supports store creation | + | Supports Add | ✅ Checked | Indicates that the Store Type supports Management Add | + | Supports Remove | 🔲 Unchecked | Indicates that the Store Type supports Management Remove | + | Supports Discovery | ✅ Checked | Indicates that the Store Type supports Discovery | + | Supports Reenrollment | 🔲 Unchecked | Indicates that the Store Type supports Reenrollment | + | Supports Create | 🔲 Unchecked | Indicates that the Store Type supports store creation | | Needs Server | ✅ Checked | Determines if a target server name is required when creating store | | Blueprint Allowed | 🔲 Unchecked | Determines if store type may be included in an Orchestrator blueprint | | Uses PowerShell | 🔲 Unchecked | Determines if underlying implementation is PowerShell | @@ -474,18 +451,18 @@ the Keyfactor Command Portal The Basic tab should look like this: - ![AppGwBin Basic Tab](docsource/images/AppGwBin-basic-store-type-dialog.png) + ![AppGwBin Basic Tab](docsource/images/AppGwBin-basic-store-type-dialog.svg) ##### Advanced Tab | Attribute | Value | Description | | --------- | ----- | ----- | | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. | - | Private Key Handling | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. | + | Private Key Handling | Required | This determines if Keyfactor can send the private key associated with a certificate to the store. | | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) | The Advanced tab should look like this: - ![AppGwBin Advanced Tab](docsource/images/AppGwBin-advanced-store-type-dialog.png) + ![AppGwBin Advanced Tab](docsource/images/AppGwBin-advanced-store-type-dialog.svg) > For Keyfactor **Command versions 24.4 and later**, a Certificate Format dropdown is available with PFX and PEM options. Ensure that **PFX** is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX. @@ -502,8 +479,7 @@ the Keyfactor Command Portal The Custom Fields tab should look like this: - ![AppGwBin Custom Fields Tab](docsource/images/AppGwBin-custom-fields-store-type-dialog.png) - + ![AppGwBin Custom Fields Tab](docsource/images/AppGwBin-custom-fields-store-type-dialog.svg) ###### Server Username Application ID of the service principal, representing the identity used for managing the Application Gateway. @@ -513,8 +489,6 @@ the Keyfactor Command Portal > This field is created by the `Needs Server` on the Basic tab, do not create this field manually. - - ###### Server Password A Client Secret that the extension will use to authenticate with the Azure Resource Management API for managing Application Gateway certificates, OR the password that encrypts the private key in ClientCertificate @@ -523,32 +497,22 @@ the Keyfactor Command Portal > This field is created by the `Needs Server` on the Basic tab, do not create this field manually. - - ###### Client Certificate The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information. - ![AppGwBin Custom Field - ClientCertificate](docsource/images/AppGwBin-custom-field-ClientCertificate-dialog.png) - ![AppGwBin Custom Field - ClientCertificate](docsource/images/AppGwBin-custom-field-ClientCertificate-validation-options-dialog.png) - + ![AppGwBin Custom Field - ClientCertificate](docsource/images/AppGwBin-custom-field-ClientCertificate-dialog.svg) ###### Azure Global Cloud Authority Host Specifies the Azure Cloud instance used by the organization. - ![AppGwBin Custom Field - AzureCloud](docsource/images/AppGwBin-custom-field-AzureCloud-dialog.png) - ![AppGwBin Custom Field - AzureCloud](docsource/images/AppGwBin-custom-field-AzureCloud-validation-options-dialog.png) - + ![AppGwBin Custom Field - AzureCloud](docsource/images/AppGwBin-custom-field-AzureCloud-dialog.svg) ###### Use SSL Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. - ![AppGwBin Custom Field - ServerUseSsl](docsource/images/AppGwBin-custom-field-ServerUseSsl-dialog.png) - ![AppGwBin Custom Field - ServerUseSsl](docsource/images/AppGwBin-custom-field-ServerUseSsl-validation-options-dialog.png) - - - + ![AppGwBin Custom Field - ServerUseSsl](docsource/images/AppGwBin-custom-field-ServerUseSsl-dialog.svg)
@@ -559,14 +523,15 @@ the Keyfactor Command Portal 1. **Download the latest Azure Application Gateway Universal Orchestrator extension from GitHub.** - Navigate to the [Azure Application Gateway Universal Orchestrator extension GitHub version page](https://github.com/Keyfactor/azure-appgateway-orchestrator/releases/latest). Refer to the compatibility matrix below to determine the asset should be downloaded. Then, click the corresponding asset to download the zip archive. + Navigate to the [Azure Application Gateway Universal Orchestrator extension GitHub version page](https://github.com/Keyfactor/azure-appgateway-orchestrator/releases/latest). Refer to the compatibility matrix below to determine which asset should be downloaded. Then, click the corresponding asset to download the zip archive. | Universal Orchestrator Version | Latest .NET version installed on the Universal Orchestrator server | `rollForward` condition in `Orchestrator.runtimeconfig.json` | `azure-appgateway-orchestrator` .NET version to download | | --------- | ----------- | ----------- | ----------- | | Older than `11.0.0` | | | `net6.0` | | Between `11.0.0` and `11.5.1` (inclusive) | `net6.0` | | `net6.0` | - | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `Disable` | `net6.0` || Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `LatestMajor` | `net8.0` | - | `11.6` _and_ newer | `net8.0` | | `net8.0` | + | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `Disable` | `net6.0` | + | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `LatestMajor` | `net8.0` | + | `11.6` _and_ newer | `net8.0` | | `net8.0` | Unzip the archive containing extension assemblies to a known location. @@ -588,25 +553,20 @@ the Keyfactor Command Portal Refer to [Starting/Restarting the Universal Orchestrator service](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/StarttheService.htm). - 6. **(optional) PAM Integration** The Azure Application Gateway Universal Orchestrator extension is compatible with all supported Keyfactor PAM extensions to resolve PAM-eligible secrets. PAM extensions running on Universal Orchestrators enable secure retrieval of secrets from a connected PAM provider. To configure a PAM provider, [reference the Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam) to select an extension and follow the associated instructions to install it on the Universal Orchestrator (remote). - > The above installation steps can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions). - - ## Defining Certificate Stores The Azure Application Gateway Universal Orchestrator extension implements 2 Certificate Store Types, each of which implements different functionality. Refer to the individual instructions below for each Certificate Store Type that you deemed necessary for your use case from the installation section.
Azure Application Gateway Certificate (AzureAppGw) - ### Store Creation #### Manually with the Command UI @@ -621,8 +581,8 @@ The Azure Application Gateway Universal Orchestrator extension implements 2 Cert Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form. - | Attribute | Description | - | --------- |---------------------------------------------------------| + | Attribute | Description | + | --------- | ----------- | | Category | Select "Azure Application Gateway Certificate" or the customized certificate store name from the previous step. | | Container | Optional container to associate certificate store with. | | Client Machine | The Azure Tenant (directory) ID that owns the Service Principal. | @@ -636,8 +596,6 @@ The Azure Application Gateway Universal Orchestrator extension implements 2 Cert
- - #### Using kfutil CLI
Click to expand details @@ -672,7 +630,6 @@ The Azure Application Gateway Universal Orchestrator extension implements 2 Cert
- #### PAM Provider Eligible Fields
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator @@ -689,15 +646,12 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
- > The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store). -
Azure Application Gateway Certificate Binding (AppGwBin) - ### Store Creation #### Manually with the Command UI @@ -712,8 +666,8 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov Click the Add button to add a new Certificate Store. Use the table below to populate the **Attributes** in the **Add** form. - | Attribute | Description | - | --------- |---------------------------------------------------------| + | Attribute | Description | + | --------- | ----------- | | Category | Select "Azure Application Gateway Certificate Binding" or the customized certificate store name from the previous step. | | Container | Optional container to associate certificate store with. | | Client Machine | The Azure Tenant (directory) ID that owns the Service Principal. | @@ -727,8 +681,6 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
- - #### Using kfutil CLI
Click to expand details @@ -763,7 +715,6 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
- #### PAM Provider Eligible Fields
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator @@ -780,14 +731,11 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
- > The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store). -
- ## Discovery Job The Discovery operation discovers all Azure Application Gateways in each resource group that the service principal has access to. The discovered Application Gateways are reported back to Command and can be easily added as certificate stores from the Locations tab. @@ -798,11 +746,10 @@ The Discovery operation uses the "Directories to search" field, and accepts inpu > The Discovery Job only supports Client Secret authentication. - ## License Apache License 2.0, see [LICENSE](LICENSE). ## Related Integrations -See all [Keyfactor Universal Orchestrator extensions](https://github.com/orgs/Keyfactor/repositories?q=orchestrator). \ No newline at end of file +See all [Keyfactor Universal Orchestrator extensions](https://github.com/orgs/Keyfactor/repositories?q=orchestrator). diff --git a/docsource/images/AppGwBin-advanced-store-type-dialog.svg b/docsource/images/AppGwBin-advanced-store-type-dialog.svg new file mode 100644 index 0000000..123a979 --- /dev/null +++ b/docsource/images/AppGwBin-advanced-store-type-dialog.svg @@ -0,0 +1,67 @@ + + + + + + + + + Edit Certificate Store Type + + + + Basic + Advanced + + Custom Fields + Entry Parameters + + + + + Store Path Type + + + + Freeform + + Fixed + + Multiple Choice + + + + + Other Settings + + Supports Custom Alias + + Forbidden + + Optional + + + Required + Private Key Handling + + Forbidden + + Optional + + + Required + PFX Password Style + + + Default + + Custom + \ No newline at end of file diff --git a/docsource/images/AppGwBin-basic-store-type-dialog.svg b/docsource/images/AppGwBin-basic-store-type-dialog.svg new file mode 100644 index 0000000..0314686 --- /dev/null +++ b/docsource/images/AppGwBin-basic-store-type-dialog.svg @@ -0,0 +1,83 @@ + + + + + + + + + Edit Certificate Store Type + + + + Basic + + Advanced + Custom Fields + Entry Parameters + + + + + Details + + Name + + Azure Application Gateway Certificate Binding + Short Name + + AppGwBin + Custom Capability + + + Custom Capability + + + + Supported Job Types + + + + Inventory + + + Add + + Remove + + Create + + + Discovery + + ODKG + + + + General Settings + + + + Needs Server + + Blueprint Allowed + + Uses PowerShell + + + + Password Settings + + + Requires Store Password + + Supports Entry Password + \ No newline at end of file diff --git a/docsource/images/AppGwBin-custom-field-AzureCloud-dialog.svg b/docsource/images/AppGwBin-custom-field-AzureCloud-dialog.svg new file mode 100644 index 0000000..74dd25b --- /dev/null +++ b/docsource/images/AppGwBin-custom-field-AzureCloud-dialog.svg @@ -0,0 +1,49 @@ + + + + + + + + + Edit Custom Field + × + + + + Basic Information + + Validation Options + + Name + + AzureCloud + Display Name + + Azure Global Cloud Authority Host + Type + + MultipleChoice + + Multiple Choice Options + + public,china,government + Depends On + + + Server Username + + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/AppGwBin-custom-field-AzureCloud-validation-options-dialog.svg b/docsource/images/AppGwBin-custom-field-AzureCloud-validation-options-dialog.svg new file mode 100644 index 0000000..22f8bbd --- /dev/null +++ b/docsource/images/AppGwBin-custom-field-AzureCloud-validation-options-dialog.svg @@ -0,0 +1,39 @@ + + + + + + + + + Edit Custom Field + × + + + + Basic Information + Validation Options + + + Creating a certificate store + + + Optional + + Required + + Hidden + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/AppGwBin-custom-field-ClientCertificate-dialog.svg b/docsource/images/AppGwBin-custom-field-ClientCertificate-dialog.svg new file mode 100644 index 0000000..4b82ca9 --- /dev/null +++ b/docsource/images/AppGwBin-custom-field-ClientCertificate-dialog.svg @@ -0,0 +1,49 @@ + + + + + + + + + Edit Custom Field + × + + + + Basic Information + + Validation Options + + Name + + ClientCertificate + Display Name + + Client Certificate + Type + + Secret + + Default Value + + + Depends On + + + Server Username + + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/AppGwBin-custom-field-ClientCertificate-validation-options-dialog.svg b/docsource/images/AppGwBin-custom-field-ClientCertificate-validation-options-dialog.svg new file mode 100644 index 0000000..22f8bbd --- /dev/null +++ b/docsource/images/AppGwBin-custom-field-ClientCertificate-validation-options-dialog.svg @@ -0,0 +1,39 @@ + + + + + + + + + Edit Custom Field + × + + + + Basic Information + Validation Options + + + Creating a certificate store + + + Optional + + Required + + Hidden + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/AppGwBin-custom-field-ServerUseSsl-dialog.svg b/docsource/images/AppGwBin-custom-field-ServerUseSsl-dialog.svg new file mode 100644 index 0000000..08ec420 --- /dev/null +++ b/docsource/images/AppGwBin-custom-field-ServerUseSsl-dialog.svg @@ -0,0 +1,54 @@ + + + + + + + + + Edit Custom Field + × + + + + Basic Information + + Validation Options + + Name + + ServerUseSsl + Display Name + + Use SSL + Type + + Bool + + Default Value + + + True + + False + + Not Set + Depends On + + + Server Username + + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/AppGwBin-custom-field-ServerUseSsl-validation-options-dialog.svg b/docsource/images/AppGwBin-custom-field-ServerUseSsl-validation-options-dialog.svg new file mode 100644 index 0000000..7993c23 --- /dev/null +++ b/docsource/images/AppGwBin-custom-field-ServerUseSsl-validation-options-dialog.svg @@ -0,0 +1,39 @@ + + + + + + + + + Edit Custom Field + × + + + + Basic Information + Validation Options + + + Creating a certificate store + + Optional + + + Required + + Hidden + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/AppGwBin-custom-fields-store-type-dialog.svg b/docsource/images/AppGwBin-custom-fields-store-type-dialog.svg new file mode 100644 index 0000000..9cbdec9 --- /dev/null +++ b/docsource/images/AppGwBin-custom-fields-store-type-dialog.svg @@ -0,0 +1,88 @@ + + + + + + + + + Edit Certificate Store Type + + + + Basic + Advanced + Custom Fields + + Entry Parameters + + + + + + ADD + + EDIT + + DELETE + Total: 5 + + + Display Name + Type + Default Value / Options + + + + + + + + + + + Server Username + Secret + + + + + + + Server Password + Secret + + + + + + + Client Certificate + Secret + + + + + + + Azure Global Cloud Authority Host + MultipleChoice + public,china,government + + + + + + + Use SSL + Bool + true + \ No newline at end of file diff --git a/docsource/images/AzureAppGw-advanced-store-type-dialog.svg b/docsource/images/AzureAppGw-advanced-store-type-dialog.svg new file mode 100644 index 0000000..123a979 --- /dev/null +++ b/docsource/images/AzureAppGw-advanced-store-type-dialog.svg @@ -0,0 +1,67 @@ + + + + + + + + + Edit Certificate Store Type + + + + Basic + Advanced + + Custom Fields + Entry Parameters + + + + + Store Path Type + + + + Freeform + + Fixed + + Multiple Choice + + + + + Other Settings + + Supports Custom Alias + + Forbidden + + Optional + + + Required + Private Key Handling + + Forbidden + + Optional + + + Required + PFX Password Style + + + Default + + Custom + \ No newline at end of file diff --git a/docsource/images/AzureAppGw-basic-store-type-dialog.svg b/docsource/images/AzureAppGw-basic-store-type-dialog.svg new file mode 100644 index 0000000..5cdbc82 --- /dev/null +++ b/docsource/images/AzureAppGw-basic-store-type-dialog.svg @@ -0,0 +1,84 @@ + + + + + + + + + Edit Certificate Store Type + + + + Basic + + Advanced + Custom Fields + Entry Parameters + + + + + Details + + Name + + Azure Application Gateway Certificate + Short Name + + AzureAppGw + Custom Capability + + + Custom Capability + + + + Supported Job Types + + + + Inventory + + + Add + + + Remove + + Create + + + Discovery + + ODKG + + + + General Settings + + + + Needs Server + + Blueprint Allowed + + Uses PowerShell + + + + Password Settings + + + Requires Store Password + + Supports Entry Password + \ No newline at end of file diff --git a/docsource/images/AzureAppGw-custom-field-AzureCloud-dialog.svg b/docsource/images/AzureAppGw-custom-field-AzureCloud-dialog.svg new file mode 100644 index 0000000..74dd25b --- /dev/null +++ b/docsource/images/AzureAppGw-custom-field-AzureCloud-dialog.svg @@ -0,0 +1,49 @@ + + + + + + + + + Edit Custom Field + × + + + + Basic Information + + Validation Options + + Name + + AzureCloud + Display Name + + Azure Global Cloud Authority Host + Type + + MultipleChoice + + Multiple Choice Options + + public,china,government + Depends On + + + Server Username + + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/AzureAppGw-custom-field-AzureCloud-validation-options-dialog.svg b/docsource/images/AzureAppGw-custom-field-AzureCloud-validation-options-dialog.svg new file mode 100644 index 0000000..22f8bbd --- /dev/null +++ b/docsource/images/AzureAppGw-custom-field-AzureCloud-validation-options-dialog.svg @@ -0,0 +1,39 @@ + + + + + + + + + Edit Custom Field + × + + + + Basic Information + Validation Options + + + Creating a certificate store + + + Optional + + Required + + Hidden + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/AzureAppGw-custom-field-ClientCertificate-dialog.svg b/docsource/images/AzureAppGw-custom-field-ClientCertificate-dialog.svg new file mode 100644 index 0000000..4b82ca9 --- /dev/null +++ b/docsource/images/AzureAppGw-custom-field-ClientCertificate-dialog.svg @@ -0,0 +1,49 @@ + + + + + + + + + Edit Custom Field + × + + + + Basic Information + + Validation Options + + Name + + ClientCertificate + Display Name + + Client Certificate + Type + + Secret + + Default Value + + + Depends On + + + Server Username + + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/AzureAppGw-custom-field-ClientCertificate-validation-options-dialog.svg b/docsource/images/AzureAppGw-custom-field-ClientCertificate-validation-options-dialog.svg new file mode 100644 index 0000000..22f8bbd --- /dev/null +++ b/docsource/images/AzureAppGw-custom-field-ClientCertificate-validation-options-dialog.svg @@ -0,0 +1,39 @@ + + + + + + + + + Edit Custom Field + × + + + + Basic Information + Validation Options + + + Creating a certificate store + + + Optional + + Required + + Hidden + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/AzureAppGw-custom-field-ServerUseSsl-dialog.svg b/docsource/images/AzureAppGw-custom-field-ServerUseSsl-dialog.svg new file mode 100644 index 0000000..08ec420 --- /dev/null +++ b/docsource/images/AzureAppGw-custom-field-ServerUseSsl-dialog.svg @@ -0,0 +1,54 @@ + + + + + + + + + Edit Custom Field + × + + + + Basic Information + + Validation Options + + Name + + ServerUseSsl + Display Name + + Use SSL + Type + + Bool + + Default Value + + + True + + False + + Not Set + Depends On + + + Server Username + + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/AzureAppGw-custom-field-ServerUseSsl-validation-options-dialog.svg b/docsource/images/AzureAppGw-custom-field-ServerUseSsl-validation-options-dialog.svg new file mode 100644 index 0000000..7993c23 --- /dev/null +++ b/docsource/images/AzureAppGw-custom-field-ServerUseSsl-validation-options-dialog.svg @@ -0,0 +1,39 @@ + + + + + + + + + Edit Custom Field + × + + + + Basic Information + Validation Options + + + Creating a certificate store + + Optional + + + Required + + Hidden + + + CANCEL + + SAVE + \ No newline at end of file diff --git a/docsource/images/AzureAppGw-custom-fields-store-type-dialog.svg b/docsource/images/AzureAppGw-custom-fields-store-type-dialog.svg new file mode 100644 index 0000000..9cbdec9 --- /dev/null +++ b/docsource/images/AzureAppGw-custom-fields-store-type-dialog.svg @@ -0,0 +1,88 @@ + + + + + + + + + Edit Certificate Store Type + + + + Basic + Advanced + Custom Fields + + Entry Parameters + + + + + + ADD + + EDIT + + DELETE + Total: 5 + + + Display Name + Type + Default Value / Options + + + + + + + + + + + Server Username + Secret + + + + + + + Server Password + Secret + + + + + + + Client Certificate + Secret + + + + + + + Azure Global Cloud Authority Host + MultipleChoice + public,china,government + + + + + + + Use SSL + Bool + true + \ No newline at end of file diff --git a/scripts/store_types/bash/curl_create_store_types.sh b/scripts/store_types/bash/curl_create_store_types.sh index d53d5f4..b367afa 100755 --- a/scripts/store_types/bash/curl_create_store_types.sh +++ b/scripts/store_types/bash/curl_create_store_types.sh @@ -1,83 +1,24 @@ -#!/usr/bin/env bash +#!/bin/bash +# Store Type creation script using curl +# Generated by Doctool -# Creates all 2 store types via the Keyfactor Command REST API using curl. -# -# Authentication (first matching method is used): -# OAuth access token: KEYFACTOR_AUTH_ACCESS_TOKEN -# OAuth client creds: KEYFACTOR_AUTH_CLIENT_ID + KEYFACTOR_AUTH_CLIENT_SECRET -# + KEYFACTOR_AUTH_TOKEN_URL -# Basic auth (AD): KEYFACTOR_USERNAME + KEYFACTOR_PASSWORD + KEYFACTOR_DOMAIN -# -# Always required: -# KEYFACTOR_HOSTNAME Command hostname (e.g. my-command.example.com) -# -# Auto-generated by doctool generate-store-type-scripts — do not edit by hand. +set -e -if [ -z "${KEYFACTOR_HOSTNAME}" ]; then - echo "ERROR: KEYFACTOR_HOSTNAME is required" - exit 1 -fi +# Configuration - set these variables before running +KEYFACTOR_HOSTNAME="${KEYFACTOR_HOSTNAME}" +KEYFACTOR_API_PATH="${KEYFACTOR_API_PATH:-KeyfactorAPI}" +KEYFACTOR_AUTH_TOKEN="${KEYFACTOR_AUTH_TOKEN}" -BASE_URL="https://${KEYFACTOR_HOSTNAME}/keyfactorapi" - -# --------------------------------------------------------------------------- -# Resolve auth -# --------------------------------------------------------------------------- -if [ -n "${KEYFACTOR_AUTH_ACCESS_TOKEN}" ]; then - BEARER_TOKEN="${KEYFACTOR_AUTH_ACCESS_TOKEN}" -elif [ -n "${KEYFACTOR_AUTH_CLIENT_ID}" ] && [ -n "${KEYFACTOR_AUTH_CLIENT_SECRET}" ] && [ -n "${KEYFACTOR_AUTH_TOKEN_URL}" ]; then - echo "Fetching OAuth token..." - BEARER_TOKEN=$(curl -s -X POST "${KEYFACTOR_AUTH_TOKEN_URL}" \ - -H "Content-Type: application/x-www-form-urlencoded" \ - --data-urlencode "grant_type=client_credentials" \ - --data-urlencode "client_id=${KEYFACTOR_AUTH_CLIENT_ID}" \ - --data-urlencode "client_secret=${KEYFACTOR_AUTH_CLIENT_SECRET}" | jq -r '.access_token') - if [ -z "${BEARER_TOKEN}" ] || [ "${BEARER_TOKEN}" = "null" ]; then - echo "ERROR: Failed to fetch OAuth token from ${KEYFACTOR_AUTH_TOKEN_URL}" - exit 1 - fi -elif [ -n "${KEYFACTOR_USERNAME}" ] && [ -n "${KEYFACTOR_PASSWORD}" ] && [ -n "${KEYFACTOR_DOMAIN}" ]; then - BEARER_TOKEN="" -else - echo "ERROR: Authentication required. Set one of:" - echo " KEYFACTOR_AUTH_ACCESS_TOKEN" - echo " KEYFACTOR_AUTH_CLIENT_ID + KEYFACTOR_AUTH_CLIENT_SECRET + KEYFACTOR_AUTH_TOKEN_URL" - echo " KEYFACTOR_USERNAME + KEYFACTOR_PASSWORD + KEYFACTOR_DOMAIN" - exit 1 -fi - -if [ -n "${BEARER_TOKEN}" ]; then - CURL_AUTH=("-H" "Authorization: Bearer ${BEARER_TOKEN}") -else - CURL_AUTH=("-u" "${KEYFACTOR_USERNAME}@${KEYFACTOR_DOMAIN}:${KEYFACTOR_PASSWORD}") -fi - -create_store_type() { - local name="$1" - local body="$2" - echo "Creating ${name} store type..." - response=$(curl -s -o /dev/null -w "%{http_code}" \ - -X POST "${BASE_URL}/certificatestoretypes" \ - -H "Content-Type: application/json" \ - -H "x-keyfactor-requested-with: APIClient" \ - "${CURL_AUTH[@]}" \ - -d "${body}") - if [ "$response" = "200" ] || [ "$response" = "201" ]; then - echo " OK (HTTP ${response})" - else - echo " FAILED (HTTP ${response})" - fi -} - -# --------------------------------------------------------------------------- -# AzureAppGw — The Azure Tenant (directory) ID that owns the Service Principal. -# --------------------------------------------------------------------------- -create_store_type "AzureAppGw" '{ +echo "Creating store type: AzureAppGw" +curl -s -X POST "https://${KEYFACTOR_HOSTNAME}/${KEYFACTOR_API_PATH}/CertificateStoreTypes" \ + -H "Authorization: Bearer ${KEYFACTOR_AUTH_TOKEN}" \ + -H "Content-Type: application/json" \ + -H "x-keyfactor-requested-with: APIClient" \ + -d '{ "Name": "Azure Application Gateway Certificate", "ShortName": "AzureAppGw", "Capability": "AzureAppGw", "LocalStore": false, - "StorePathDescription": "Azure resource ID of the application gateway, following the format: /subscriptions//resourceGroups//providers/Microsoft.Network/applicationGateways/.", "SupportedOperations": { "Add": true, "Remove": true, @@ -86,10 +27,25 @@ create_store_type "AzureAppGw" '{ "Inventory": true }, "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "Description": "Application ID of the service principal, representing the identity used for managing the Application Gateway.", + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "Description": "A Client Secret that the extension will use to authenticate with the Azure Resource Management API for managing Application Gateway certificates, OR the password that encrypts the private key in ClientCertificate", + "Required": false + }, { "Name": "ClientCertificate", "DisplayName": "Client Certificate", "Type": "Secret", + "Description": "The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information.", "Required": false }, { @@ -97,6 +53,7 @@ create_store_type "AzureAppGw" '{ "DisplayName": "Azure Global Cloud Authority Host", "Type": "MultipleChoice", "DefaultValue": "public,china,government", + "Description": "Specifies the Azure Cloud instance used by the organization.", "Required": false }, { @@ -104,6 +61,7 @@ create_store_type "AzureAppGw" '{ "DisplayName": "Use SSL", "Type": "Bool", "DefaultValue": "true", + "Description": "Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it.", "Required": true } ], @@ -119,15 +77,16 @@ create_store_type "AzureAppGw" '{ "CustomAliasAllowed": "Required" }' -# --------------------------------------------------------------------------- -# AppGwBin — The Azure Tenant (directory) ID that owns the Service Principal. -# --------------------------------------------------------------------------- -create_store_type "AppGwBin" '{ +echo "Creating store type: AppGwBin" +curl -s -X POST "https://${KEYFACTOR_HOSTNAME}/${KEYFACTOR_API_PATH}/CertificateStoreTypes" \ + -H "Authorization: Bearer ${KEYFACTOR_AUTH_TOKEN}" \ + -H "Content-Type: application/json" \ + -H "x-keyfactor-requested-with: APIClient" \ + -d '{ "Name": "Azure Application Gateway Certificate Binding", "ShortName": "AppGwBin", "Capability": "AzureAppGwBin", "LocalStore": false, - "StorePathDescription": "Azure resource ID of the application gateway, following the format: /subscriptions//resourceGroups//providers/Microsoft.Network/applicationGateways/.", "SupportedOperations": { "Add": true, "Remove": false, @@ -136,10 +95,25 @@ create_store_type "AppGwBin" '{ "Inventory": false }, "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "Description": "Application ID of the service principal, representing the identity used for managing the Application Gateway.", + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "Description": "A Client Secret that the extension will use to authenticate with the Azure Resource Management API for managing Application Gateway certificates, OR the password that encrypts the private key in ClientCertificate", + "Required": false + }, { "Name": "ClientCertificate", "DisplayName": "Client Certificate", "Type": "Secret", + "Description": "The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information.", "Required": false }, { @@ -147,6 +121,7 @@ create_store_type "AppGwBin" '{ "DisplayName": "Azure Global Cloud Authority Host", "Type": "MultipleChoice", "DefaultValue": "public,china,government", + "Description": "Specifies the Azure Cloud instance used by the organization.", "Required": false }, { @@ -154,6 +129,7 @@ create_store_type "AppGwBin" '{ "DisplayName": "Use SSL", "Type": "Bool", "DefaultValue": "true", + "Description": "Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it.", "Required": true } ], @@ -169,5 +145,3 @@ create_store_type "AppGwBin" '{ "CustomAliasAllowed": "Required" }' - -echo "Completed." diff --git a/scripts/store_types/bash/kfutil_create_store_types.sh b/scripts/store_types/bash/kfutil_create_store_types.sh index 7f0cb87..48b71d9 100755 --- a/scripts/store_types/bash/kfutil_create_store_types.sh +++ b/scripts/store_types/bash/kfutil_create_store_types.sh @@ -1,29 +1,12 @@ -#!/usr/bin/env bash +#!/bin/bash +# Store Type creation script using kfutil +# Generated by Doctool -# Creates all 2 store types using kfutil. -# kfutil reads definitions from the Keyfactor integration catalog. -# -# Auth environment variables (first matching method is used): -# OAuth access token: KEYFACTOR_AUTH_ACCESS_TOKEN -# OAuth client creds: KEYFACTOR_AUTH_CLIENT_ID + KEYFACTOR_AUTH_CLIENT_SECRET -# + KEYFACTOR_AUTH_TOKEN_URL -# Basic auth (AD): KEYFACTOR_HOSTNAME + KEYFACTOR_USERNAME + KEYFACTOR_PASSWORD -# + KEYFACTOR_DOMAIN -# -# Auto-generated by doctool generate-store-type-scripts — do not edit by hand. +set -e -if ! command -v kfutil &> /dev/null; then - echo "kfutil could not be found. Please install kfutil" - echo "See https://github.com/Keyfactor/kfutil#quickstart" - exit 1 -fi +echo "Creating store type: AzureAppGw" +kfutil store-types create AzureAppGw -if [ -z "$KEYFACTOR_HOSTNAME" ]; then - echo "KEYFACTOR_HOSTNAME not set — launching kfutil login" - kfutil login -fi +echo "Creating store type: AppGwBin" +kfutil store-types create AppGwBin -kfutil store-types create --name "AzureAppGw" -kfutil store-types create --name "AppGwBin" - -echo "Done. All store types created." diff --git a/scripts/store_types/powershell/kfutil_create_store_types.ps1 b/scripts/store_types/powershell/kfutil_create_store_types.ps1 index 7e2142e..50ea6f3 100644 --- a/scripts/store_types/powershell/kfutil_create_store_types.ps1 +++ b/scripts/store_types/powershell/kfutil_create_store_types.ps1 @@ -1,30 +1,9 @@ -# Creates all 2 store types using kfutil. -# kfutil reads definitions from the Keyfactor integration catalog. -# -# Auth environment variables (first matching method is used): -# OAuth access token: KEYFACTOR_AUTH_ACCESS_TOKEN -# OAuth client creds: KEYFACTOR_AUTH_CLIENT_ID + KEYFACTOR_AUTH_CLIENT_SECRET -# + KEYFACTOR_AUTH_TOKEN_URL -# Basic auth (AD): KEYFACTOR_HOSTNAME + KEYFACTOR_USERNAME + KEYFACTOR_PASSWORD -# + KEYFACTOR_DOMAIN -# -# Auto-generated by doctool generate-store-type-scripts — do not edit by hand. +# Store Type creation script using kfutil +# Generated by Doctool -# Uncomment if kfutil is not in your PATH -# Set-Alias -Name kfutil -Value 'C:\Program Files\Keyfactor\kfutil\kfutil.exe' +Write-Host "Creating store type: AzureAppGw" +kfutil store-types create AzureAppGw -if ($null -eq (Get-Command "kfutil" -ErrorAction SilentlyContinue)) { - Write-Host "kfutil could not be found. Please install kfutil" - Write-Host "See https://github.com/Keyfactor/kfutil#quickstart" - exit 1 -} +Write-Host "Creating store type: AppGwBin" +kfutil store-types create AppGwBin -if (-not $env:KEYFACTOR_HOSTNAME) { - Write-Host "KEYFACTOR_HOSTNAME not set — launching kfutil login" - & kfutil login -} - -& kfutil store-types create --name "AzureAppGw" -& kfutil store-types create --name "AppGwBin" - -Write-Host "Done. All store types created." diff --git a/scripts/store_types/powershell/restmethod_create_store_types.ps1 b/scripts/store_types/powershell/restmethod_create_store_types.ps1 index a9b2f1b..b8f8a49 100644 --- a/scripts/store_types/powershell/restmethod_create_store_types.ps1 +++ b/scripts/store_types/powershell/restmethod_create_store_types.ps1 @@ -1,76 +1,24 @@ -# Creates all 2 store types via the Keyfactor Command REST API -# using PowerShell Invoke-RestMethod. -# -# Authentication (first matching method is used): -# OAuth access token: KEYFACTOR_AUTH_ACCESS_TOKEN -# OAuth client creds: KEYFACTOR_AUTH_CLIENT_ID + KEYFACTOR_AUTH_CLIENT_SECRET -# + KEYFACTOR_AUTH_TOKEN_URL -# Basic auth (AD): KEYFACTOR_USERNAME + KEYFACTOR_PASSWORD + KEYFACTOR_DOMAIN -# -# Always required: -# KEYFACTOR_HOSTNAME Command hostname (e.g. my-command.example.com) -# -# Auto-generated by doctool generate-store-type-scripts — do not edit by hand. +# Store Type creation script using Invoke-RestMethod +# Generated by Doctool -if (-not $env:KEYFACTOR_HOSTNAME) { - Write-Error "KEYFACTOR_HOSTNAME is required" - exit 1 -} - -$uri = "https://$($env:KEYFACTOR_HOSTNAME)/keyfactorapi/certificatestoretypes" -$headers = @{ - 'Content-Type' = "application/json" - 'x-keyfactor-requested-with' = "APIClient" -} - -# --------------------------------------------------------------------------- -# Resolve auth -# --------------------------------------------------------------------------- -if ($env:KEYFACTOR_AUTH_ACCESS_TOKEN) { - $headers['Authorization'] = "Bearer $($env:KEYFACTOR_AUTH_ACCESS_TOKEN)" -} elseif ($env:KEYFACTOR_AUTH_CLIENT_ID -and $env:KEYFACTOR_AUTH_CLIENT_SECRET -and $env:KEYFACTOR_AUTH_TOKEN_URL) { - Write-Host "Fetching OAuth token..." - $tokenBody = @{ - grant_type = 'client_credentials' - client_id = $env:KEYFACTOR_AUTH_CLIENT_ID - client_secret = $env:KEYFACTOR_AUTH_CLIENT_SECRET - } - $tokenResp = Invoke-RestMethod -Method Post -Uri $env:KEYFACTOR_AUTH_TOKEN_URL -Body $tokenBody - $headers['Authorization'] = "Bearer $($tokenResp.access_token)" -} elseif ($env:KEYFACTOR_USERNAME -and $env:KEYFACTOR_PASSWORD -and $env:KEYFACTOR_DOMAIN) { - $cred = [System.Convert]::ToBase64String( - [System.Text.Encoding]::ASCII.GetBytes( - "$($env:KEYFACTOR_USERNAME)@$($env:KEYFACTOR_DOMAIN):$($env:KEYFACTOR_PASSWORD)")) - $headers['Authorization'] = "Basic $cred" -} else { - Write-Error ("Authentication required. Set one of:`n" + - " KEYFACTOR_AUTH_ACCESS_TOKEN`n" + - " KEYFACTOR_AUTH_CLIENT_ID + KEYFACTOR_AUTH_CLIENT_SECRET + KEYFACTOR_AUTH_TOKEN_URL`n" + - " KEYFACTOR_USERNAME + KEYFACTOR_PASSWORD + KEYFACTOR_DOMAIN") - exit 1 -} +# Configuration - set these variables before running +$KeyfactorHostname = $env:KEYFACTOR_HOSTNAME +$KeyfactorApiPath = if ($env:KEYFACTOR_API_PATH) { $env:KEYFACTOR_API_PATH } else { "KeyfactorAPI" } +$KeyfactorAuthToken = $env:KEYFACTOR_AUTH_TOKEN -function New-StoreType { - param([string]$Name, [string]$Body) - Write-Host "Creating $Name store type..." - try { - Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body $Body -ContentType "application/json" | Out-Null - Write-Host " OK" - } catch { - Write-Warning " FAILED: $($_.Exception.Message)" - } +$Headers = @{ + "Authorization" = "Bearer $KeyfactorAuthToken" + "Content-Type" = "application/json" + "x-keyfactor-requested-with" = "APIClient" } -# --------------------------------------------------------------------------- -# AzureAppGw — The Azure Tenant (directory) ID that owns the Service Principal. -# --------------------------------------------------------------------------- -New-StoreType "AzureAppGw" @' +Write-Host "Creating store type: AzureAppGw" +$Body = @' { "Name": "Azure Application Gateway Certificate", "ShortName": "AzureAppGw", "Capability": "AzureAppGw", "LocalStore": false, - "StorePathDescription": "Azure resource ID of the application gateway, following the format: /subscriptions//resourceGroups//providers/Microsoft.Network/applicationGateways/.", "SupportedOperations": { "Add": true, "Remove": true, @@ -79,10 +27,25 @@ New-StoreType "AzureAppGw" @' "Inventory": true }, "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "Description": "Application ID of the service principal, representing the identity used for managing the Application Gateway.", + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "Description": "A Client Secret that the extension will use to authenticate with the Azure Resource Management API for managing Application Gateway certificates, OR the password that encrypts the private key in ClientCertificate", + "Required": false + }, { "Name": "ClientCertificate", "DisplayName": "Client Certificate", "Type": "Secret", + "Description": "The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information.", "Required": false }, { @@ -90,6 +53,7 @@ New-StoreType "AzureAppGw" @' "DisplayName": "Azure Global Cloud Authority Host", "Type": "MultipleChoice", "DefaultValue": "public,china,government", + "Description": "Specifies the Azure Cloud instance used by the organization.", "Required": false }, { @@ -97,6 +61,7 @@ New-StoreType "AzureAppGw" @' "DisplayName": "Use SSL", "Type": "Bool", "DefaultValue": "true", + "Description": "Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it.", "Required": true } ], @@ -113,16 +78,15 @@ New-StoreType "AzureAppGw" @' } '@ -# --------------------------------------------------------------------------- -# AppGwBin — The Azure Tenant (directory) ID that owns the Service Principal. -# --------------------------------------------------------------------------- -New-StoreType "AppGwBin" @' +Invoke-RestMethod -Uri "https://$KeyfactorHostname/$KeyfactorApiPath/CertificateStoreTypes" -Method POST -Headers $Headers -Body $Body + +Write-Host "Creating store type: AppGwBin" +$Body = @' { "Name": "Azure Application Gateway Certificate Binding", "ShortName": "AppGwBin", "Capability": "AzureAppGwBin", "LocalStore": false, - "StorePathDescription": "Azure resource ID of the application gateway, following the format: /subscriptions//resourceGroups//providers/Microsoft.Network/applicationGateways/.", "SupportedOperations": { "Add": true, "Remove": false, @@ -131,10 +95,25 @@ New-StoreType "AppGwBin" @' "Inventory": false }, "Properties": [ + { + "Name": "ServerUsername", + "DisplayName": "Server Username", + "Type": "Secret", + "Description": "Application ID of the service principal, representing the identity used for managing the Application Gateway.", + "Required": false + }, + { + "Name": "ServerPassword", + "DisplayName": "Server Password", + "Type": "Secret", + "Description": "A Client Secret that the extension will use to authenticate with the Azure Resource Management API for managing Application Gateway certificates, OR the password that encrypts the private key in ClientCertificate", + "Required": false + }, { "Name": "ClientCertificate", "DisplayName": "Client Certificate", "Type": "Secret", + "Description": "The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information.", "Required": false }, { @@ -142,6 +121,7 @@ New-StoreType "AppGwBin" @' "DisplayName": "Azure Global Cloud Authority Host", "Type": "MultipleChoice", "DefaultValue": "public,china,government", + "Description": "Specifies the Azure Cloud instance used by the organization.", "Required": false }, { @@ -149,6 +129,7 @@ New-StoreType "AppGwBin" @' "DisplayName": "Use SSL", "Type": "Bool", "DefaultValue": "true", + "Description": "Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it.", "Required": true } ], @@ -165,5 +146,5 @@ New-StoreType "AppGwBin" @' } '@ +Invoke-RestMethod -Uri "https://$KeyfactorHostname/$KeyfactorApiPath/CertificateStoreTypes" -Method POST -Headers $Headers -Body $Body -Write-Host "Completed." From c3c2ecc7012b9728ac44fbea143d901dc8947ca2 Mon Sep 17 00:00:00 2001 From: Bob Pokorny Date: Wed, 24 Jun 2026 14:37:39 -0700 Subject: [PATCH 10/13] added net 10.0 support --- AzureAppGatewayOrchestrator/AzureAppGatewayOrchestrator.csproj | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/AzureAppGatewayOrchestrator/AzureAppGatewayOrchestrator.csproj b/AzureAppGatewayOrchestrator/AzureAppGatewayOrchestrator.csproj index c48caad..0b3b8da 100644 --- a/AzureAppGatewayOrchestrator/AzureAppGatewayOrchestrator.csproj +++ b/AzureAppGatewayOrchestrator/AzureAppGatewayOrchestrator.csproj @@ -3,7 +3,7 @@ true - net6.0;net8.0 + net6.0;net8.0;net10.0 true disable From 42accb575e3b412b9b8a4b769eb1f6606c01aa50 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 24 Jun 2026 21:38:15 +0000 Subject: [PATCH 11/13] docs: auto-generate README and documentation [skip ci] --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index c529c01..6249b4d 100644 --- a/README.md +++ b/README.md @@ -307,18 +307,21 @@ the Keyfactor Command Portal The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information. ![AzureAppGw Custom Field - ClientCertificate](docsource/images/AzureAppGw-custom-field-ClientCertificate-dialog.svg) + ![AzureAppGw Custom Field - ClientCertificate](docsource/images/AzureAppGw-custom-field-ClientCertificate-validation-options-dialog.svg) ###### Azure Global Cloud Authority Host Specifies the Azure Cloud instance used by the organization. ![AzureAppGw Custom Field - AzureCloud](docsource/images/AzureAppGw-custom-field-AzureCloud-dialog.svg) + ![AzureAppGw Custom Field - AzureCloud](docsource/images/AzureAppGw-custom-field-AzureCloud-validation-options-dialog.svg) ###### Use SSL Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. ![AzureAppGw Custom Field - ServerUseSsl](docsource/images/AzureAppGw-custom-field-ServerUseSsl-dialog.svg) + ![AzureAppGw Custom Field - ServerUseSsl](docsource/images/AzureAppGw-custom-field-ServerUseSsl-validation-options-dialog.svg) @@ -501,18 +504,21 @@ the Keyfactor Command Portal The client certificate used to authenticate with Azure Resource Management API for managing Application Gateway certificates. See the [requirements](#client-certificate-or-client-secret) for more information. ![AppGwBin Custom Field - ClientCertificate](docsource/images/AppGwBin-custom-field-ClientCertificate-dialog.svg) + ![AppGwBin Custom Field - ClientCertificate](docsource/images/AppGwBin-custom-field-ClientCertificate-validation-options-dialog.svg) ###### Azure Global Cloud Authority Host Specifies the Azure Cloud instance used by the organization. ![AppGwBin Custom Field - AzureCloud](docsource/images/AppGwBin-custom-field-AzureCloud-dialog.svg) + ![AppGwBin Custom Field - AzureCloud](docsource/images/AppGwBin-custom-field-AzureCloud-validation-options-dialog.svg) ###### Use SSL Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. ![AppGwBin Custom Field - ServerUseSsl](docsource/images/AppGwBin-custom-field-ServerUseSsl-dialog.svg) + ![AppGwBin Custom Field - ServerUseSsl](docsource/images/AppGwBin-custom-field-ServerUseSsl-validation-options-dialog.svg) From 67a4e77676c3aa2fc1a314d4021acb575d6d921b Mon Sep 17 00:00:00 2001 From: Bob Pokorny Date: Thu, 25 Jun 2026 21:58:40 -0500 Subject: [PATCH 12/13] Added missing schema value in manifest.json --- integration-manifest.json | 1 + 1 file changed, 1 insertion(+) diff --git a/integration-manifest.json b/integration-manifest.json index c7a750d..55b7054 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -13,6 +13,7 @@ "orchestrator": { "UOFramework": "10.4", "pam_support": true, + "keyfactor_platform_versioin": "9.10", "store_types": [ { "Name": "Azure Application Gateway Certificate", From 70cc4e0bf682fbcd64e34616116522311b57200a Mon Sep 17 00:00:00 2001 From: Bob Pokorny Date: Thu, 25 Jun 2026 22:02:11 -0500 Subject: [PATCH 13/13] --- integration-manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integration-manifest.json b/integration-manifest.json index 55b7054..110b2b6 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -13,7 +13,7 @@ "orchestrator": { "UOFramework": "10.4", "pam_support": true, - "keyfactor_platform_versioin": "9.10", + "keyfactor_platform_version": "9.10", "store_types": [ { "Name": "Azure Application Gateway Certificate",