From 79ec8602311c3541b40df40b68e5996d9b272b05 Mon Sep 17 00:00:00 2001 From: Lee Fine <50836957+leefine02@users.noreply.github.com> Date: Mon, 24 Apr 2023 15:25:08 +0000 Subject: [PATCH 1/7] Initial version (#10) Co-authored-by: Keyfactor --- README.md | 2 +- integration-manifest.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1e4a1cb..bb7e2b2 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ The Imperva Orchestrator Extension allows for the management of SSL certificates bound to web sites managed by the Imperva cloud-based firewall. -#### Integration status: Pilot - Ready for use in test environments. Not for use in production. +#### Integration status: Production - Ready for use in production environments. ## About the Keyfactor Universal Orchestrator Capability diff --git a/integration-manifest.json b/integration-manifest.json index 5a7b529..c1430d2 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -2,7 +2,7 @@ "$schema": "https://keyfactor.github.io/integration-manifest-schema.json", "integration_type": "orchestrator", "name": "Imperva", - "status": "pilot", + "status": "production", "description": "The Imperva Orchestrator Extension allows for the management of SSL certificates bound to web sites managed by the Imperva cloud-based firewall.", "link_github": false, "update_catalog": false, From 9b5798b5e6b1abaeb97d77a1e77da810aa1944f7 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 24 Apr 2023 15:25:52 +0000 Subject: [PATCH 2/7] Update generated README --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index bb7e2b2..4dd21b7 100644 --- a/README.md +++ b/README.md 
@@ -4,13 +4,13 @@ The Imperva Orchestrator Extension allows for the management of SSL certificates #### Integration status: Production - Ready for use in production environments. -## About the Keyfactor Universal Orchestrator Capability +## About the Keyfactor Universal Orchestrator Extension -This repository contains a Universal Orchestrator Capability which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications. +This repository contains a Universal Orchestrator Extension which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications. -The Universal Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing Capabilities, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific Capability, see below in this readme. +The Universal Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing Extensions, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific Extension see below in this readme. -The Universal Orchestrator is the successor to the Windows Orchestrator. This Capability plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator. +The Universal Orchestrator is the successor to the Windows Orchestrator. 
This Orchestrator Extension plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator. From 4aee2c66a8eb528be13d87bb380abbc218ff3cd8 Mon Sep 17 00:00:00 2001 From: Lee Fine <50836957+leefine02@users.noreply.github.com> Date: Mon, 15 Apr 2024 15:44:03 +0000 Subject: [PATCH 3/7] Ab#56057 (#13) * Update generated README *Fix inventory issue where a 404 on an individual managed web site would cause inventory to end returning no certificates. Now, if one or more individual sites produce a 404, all successfully retrieved certificates will be returned and a warning will be produced with a message for the inventory result. --------- Co-authored-by: Keyfactor Co-authored-by: leefine02 --- CHANGELOG.md | 3 +++ Imperva/APIProcessor.cs | 17 +++++++++++++++-- Imperva/Inventory.cs | 11 +++++++++-- Imperva/Management.cs | 3 ++- README.md | 13 +++++++++++++ integration-manifest.json | 28 +++++++++++++++++++++++++++- 6 files changed, 69 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fbc3235..4340fb7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,2 +1,5 @@ +v1.0.1 +- Bug fix: Individual site timeouts will no longer end inventory but will instead skip that site and move on. Inventory in those cases will produce a warning that certificates could not be retrieved for one or more sites, but it will still return all retrieved certificates. + v1.0 - Initial Version diff --git a/Imperva/APIProcessor.cs b/Imperva/APIProcessor.cs index 94a45b8..8c9aef4 100644 --- a/Imperva/APIProcessor.cs +++ b/Imperva/APIProcessor.cs 
@@ -107,8 +107,14 @@ public List GetSites() return sites; } - public X509Certificate2 GetServerCertificateAsync(string url) + public X509Certificate2 GetServerCertificateAsync(string url, out bool hadError) { + ILogger logger = LogHandler.GetClassLogger(); + logger.MethodEntry(LogLevel.Debug); + logger.LogTrace($"Calling URL {url}"); + + hadError = false; + if (!url.StartsWith("https://", StringComparison.OrdinalIgnoreCase)) url = "https://" + url; @@ -117,7 +123,9 @@ public X509Certificate2 GetServerCertificateAsync(string url) { ServerCertificateCustomValidationCallback = (_, cert, __, ___) => { + logger.LogTrace("Hit handler"); certificate = new X509Certificate2(cert.GetRawCertData()); + logger.LogTrace($"Cert returned: {cert.GetRawCertData()}"); return true; } }; @@ -128,8 +136,13 @@ public X509Certificate2 GetServerCertificateAsync(string url) { httpClient.SendAsync(new HttpRequestMessage(HttpMethod.Head, url)).GetAwaiter().GetResult(); } - catch (HttpRequestException) { } + catch (Exception ex) + { + logger.LogError(ImpervaException.FlattenExceptionMessages(ex, $"Error retrieving certificate for {url}: ")); + hadError = true; + } + logger.MethodExit(LogLevel.Debug); return certificate; } #endregion diff --git a/Imperva/Inventory.cs b/Imperva/Inventory.cs index 9e68cda..9a83168 100644 --- a/Imperva/Inventory.cs +++ b/Imperva/Inventory.cs @@ -38,6 +38,7 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd logger.LogDebug($"Store Path: {config.CertificateStoreDetails.StorePath}"); List inventoryItems = new List(); + bool oneOrMoreErrors = false; try { 
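Review bot: `logger.LogTrace($"Cert returned: {cert.GetRawCertData()}");` in the validation callback of the second APIProcessor.cs hunk interpolates a `byte[]`, so the message will read `Cert returned: System.Byte[]` and identifies nothing. Log a stable identifier of the captured certificate instead, after `certificate` is assigned: `logger.LogTrace($"Cert returned: {certificate.Thumbprint} ({certificate.Subject})");`. The callback also still returns `true` for every chain, and nothing in the hunk says why; a comment such as `// Accept any chain: this HEAD request exists only to capture the presented leaf certificate, and the response is discarded.` would stop the next reader from "fixing" it into a real validation that breaks inventory of sites with private roots.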
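Review bot: The widened `catch (Exception ex)` in the third APIProcessor.cs hunk now also swallows `TaskCanceledException`/`OperationCanceledException` thrown by the blocking `SendAsync(...).GetAwaiter().GetResult()` call, which is what turns the per-site timeouts the changelog describes into `hadError = true` instead of a failed job. That is the intended effect, but a reader seeing the old `HttpRequestException` replaced by `Exception` will assume an over-broad catch, so state it: `// Catch everything (including TaskCanceledException on timeout): one unreachable site must not abort the whole inventory; the caller sees hadError instead.`. Note that on the error path `certificate` is returned as whatever the callback last set, which is `null` only if the handshake never completed; the caller treats `null` as "no certificate", so the `hadError` flag is the only signal that the two cases differ — worth a sentence in the method's XML doc.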
@@ -50,7 +51,10 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd foreach(Site site in sites) { - X509Certificate2 certificate = api.GetServerCertificateAsync(site.Domain); + bool hadError = false; + X509Certificate2 certificate = api.GetServerCertificateAsync(site.Domain, out hadError); + if (hadError) + oneOrMoreErrors = true; if (certificate == null) continue; inventoryItems.Add(new CurrentInventoryItem() @@ -74,7 +78,10 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd try { submitInventory.Invoke(inventoryItems); - return new JobResult() { Result = Keyfactor.Orchestrators.Common.Enums.OrchestratorJobStatusJobResult.Success, JobHistoryId = config.JobHistoryId }; + if (oneOrMoreErrors) + return new JobResult() { Result = Keyfactor.Orchestrators.Common.Enums.OrchestratorJobStatusJobResult.Warning, JobHistoryId = config.JobHistoryId, FailureMessage = "One or more certificates could not be returned. Please see the log for more details." }; + else + return new JobResult() { Result = Keyfactor.Orchestrators.Common.Enums.OrchestratorJobStatusJobResult.Success, JobHistoryId = config.JobHistoryId }; } catch (Exception ex) { diff --git a/Imperva/Management.cs b/Imperva/Management.cs index 79f0238..8c0d87f 100644 --- a/Imperva/Management.cs +++ b/Imperva/Management.cs 
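Review bot: `bool hadError = false;` followed by `out hadError` in the first Inventory.cs hunk is redundant, since an `out` argument is always assigned by the callee; the idiomatic form is `X509Certificate2 certificate = api.GetServerCertificateAsync(site.Domain, out bool hadError);`. The `Warning` result in the second hunk only says "One or more certificates could not be returned", so an operator has to open the orchestrator log to learn which sites were skipped; collecting `site.Domain` into a `List<string>` when `hadError` is set (declared next to `oneOrMoreErrors` in the `@@ -38,6` hunk) and appending `string.Join(", ", failedSites)` to `FailureMessage` would make the job result self-describing. `ProcessJob` begins and ends outside both hunks.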
@@ -60,7 +60,8 @@ public JobResult ProcessJob(ManagementJobConfiguration config) { case CertStoreOperationType.Add: - if (!config.Overwrite && api.GetServerCertificateAsync(site.Domain) != null) + bool hadError = false; + if (!config.Overwrite && api.GetServerCertificateAsync(site.Domain, out hadError) != null) return new JobResult() { Result = Keyfactor.Orchestrators.Common.Enums.OrchestratorJobStatusJobResult.Warning, JobHistoryId = config.JobHistoryId, FailureMessage = $"Overwrite is set to false but there is a certificate that already is bound to {config.JobCertificate.Alias}. Please set overwrite to true and reschedule the job to replace this certificate." }; api.AddCertificate(site.SiteID, config.JobCertificate.Contents, config.JobCertificate.PrivateKeyPassword); diff --git a/README.md b/README.md index 4dd21b7..7518b83 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,7 @@ The Imperva Orchestrator Extension allows for the management of SSL certificates #### Integration status: Production - Ready for use in production environments. + ## About the Keyfactor Universal Orchestrator Extension This repository contains a Universal Orchestrator Extension which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications. @@ -13,6 +14,11 @@ The Universal Orchestrator is part of the Keyfactor software distribution and is The Universal Orchestrator is the successor to the Windows Orchestrator. This Orchestrator Extension plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator. +## Support for Imperva + +Imperva + +###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. --- 
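Review bot: `hadError` is declared but never read in the `Add` branch, so when `GetServerCertificateAsync` fails (the case the new `out` parameter exists for) it returns `null`, the `!= null` guard passes, and `api.AddCertificate` runs even though `Overwrite` is false — a lookup error is indistinguishable from "no certificate bound" and the overwrite protection is silently bypassed. Treat a lookup error as its own outcome and stop before adding; the rewritten branch below does that and scopes the flag with `out bool`, which also avoids a declaration at switch-section level that every other `case` in this switch would share. `ProcessJob` begins and ends outside the hunk, and the `Add` section continues past it.

```csharp
case CertStoreOperationType.Add:
    if (!config.Overwrite)
    {
        var existing = api.GetServerCertificateAsync(site.Domain, out bool hadError);
        // A failed lookup must not be read as "nothing bound": adding here could replace a live certificate.
        if (hadError)
            return new JobResult() { Result = Keyfactor.Orchestrators.Common.Enums.OrchestratorJobStatusJobResult.Failure, JobHistoryId = config.JobHistoryId, FailureMessage = $"Could not determine whether a certificate is already bound to {site.Domain}. Overwrite is set to false, so no certificate was added. Please see the log for more details." };
        if (existing != null)
            return new JobResult() { Result = Keyfactor.Orchestrators.Common.Enums.OrchestratorJobStatusJobResult.Warning, JobHistoryId = config.JobHistoryId, FailureMessage = $"Overwrite is set to false but there is a certificate that already is bound to {config.JobCertificate.Alias}. Please set overwrite to true and reschedule the job to replace this certificate." };
    }
    api.AddCertificate(site.SiteID, config.JobCertificate.Contents, config.JobCertificate.PrivateKeyPassword);
    // … unchanged: remainder of the Add section …
```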
@@ -51,6 +57,11 @@ It is not necessary to use a PAM Provider for all of the secrets available above If a PAM Provider will be used for one of the fields above, start by referencing the [Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam). The GitHub repo for the PAM Provider to be used contains important information such as the format of the `json` needed. What follows is an example but does not reflect the `json` values for all PAM Providers as they have different "instance" and "initialization" parameter names and values. +
General PAM Provider Configuration +

+ + + ### Example PAM Provider Setup To use a PAM Provider to resolve a field, in this example the __Server Password__ will be resolved by the `Hashicorp-Vault` provider, first install the PAM Provider extension from the [Keyfactor Integration Catalog](https://keyfactor.github.io/integrations-catalog/content/pam) on the Universal Orchestrator. @@ -77,6 +88,8 @@ To have the __Server Password__ field resolved by the `Hashicorp-Vault` provider ~~~ This text would be entered in as the value for the __Server Password__, instead of entering in the actual password. The Orchestrator will attempt to use the PAM Provider to retrieve the __Server Password__. If PAM should not be used, just directly enter in the value for the field. +

+
diff --git a/integration-manifest.json b/integration-manifest.json index c1430d2..864d4cf 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -25,7 +25,33 @@ "supportsManagementRemove": true, "supportsReenrollment": false, "supportsInventory": true + }, + "store_types": { + "Imperva": { + "Name": "Imperva", + "ShortName": "Imperva", + "Capability": "Imperva", + "ServerRequired": false, + "BlueprintAllowed": false, + "CustomAliasAllowed": "Required", + "PowerShell": false, + "PrivateKeyAllowed": "Required", + "SupportedOperations": { + "Add": true, + "Create": false, + "Discovery": false, + "Enrollment": false, + "Remove": true + }, + "PasswordOptions": { + "Style": "Default", + "EntrySupported": false, + "StoreRequired": true + }, + "Properties": [], + "EntryParameters": [] + } } } } -} +} \ No newline at end of file From 024776b2de7b7c9308aec0d81590498ccc1dc36c Mon Sep 17 00:00:00 2001 From: Michael Henderson Date: Mon, 15 Apr 2024 09:33:39 -0700 Subject: [PATCH 4/7] Update bootstrap and manifest --- .../keyfactor-bootstrap-workflow.yml | 19 +++++++++ .../workflows/keyfactor-starter-workflow.yml | 42 ------------------- integration-manifest.json | 2 + 3 files changed, 21 insertions(+), 42 deletions(-) create mode 100644 .github/workflows/keyfactor-bootstrap-workflow.yml delete mode 100644 .github/workflows/keyfactor-starter-workflow.yml diff --git a/.github/workflows/keyfactor-bootstrap-workflow.yml b/.github/workflows/keyfactor-bootstrap-workflow.yml new file mode 100644 index 0000000..6d8de53 --- /dev/null +++ b/.github/workflows/keyfactor-bootstrap-workflow.yml 
@@ -0,0 +1,19 @@ +name: Keyfactor Bootstrap Workflow + +on: + workflow_dispatch: + pull_request: + types: [opened, closed, synchronize, edited, reopened] + push: + create: + branches: + - 'release-*.*' + +jobs: + call-starter-workflow: + uses: keyfactor/actions/.github/workflows/starter.yml@v2 + secrets: + token: ${{ secrets.V2BUILDTOKEN}} + APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}} + gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }} + gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }} diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml deleted file mode 100644 index 3956f02..0000000 --- a/.github/workflows/keyfactor-starter-workflow.yml +++ /dev/null 
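Review bot: The reusable workflow is referenced through the mutable tag `keyfactor/actions/.github/workflows/starter.yml@v2` while being handed `KF_GPG_PRIVATE_KEY`, `KF_GPG_PASSPHRASE` and two tokens, so whoever can move the `v2` tag in that repository decides what code runs with these secrets; pin to a full commit SHA and keep the tag in a trailing comment so this repository controls when it updates, e.g. `uses: keyfactor/actions/.github/workflows/starter.yml@<full-commit-sha> # v2`. The `${{ secrets.V2BUILDTOKEN}}` and `${{ secrets.APPROVE_README_PUSH}}` lines lack the space before `}}` that the two `gpg_*` lines have; it is valid expression syntax but inconsistent, `token: ${{ secrets.V2BUILDTOKEN }}`. There is also no top-level `permissions:` block, so the job inherits the repository's default `GITHUB_TOKEN` permissions; presumably the starter workflow declares its own, but a caller-level `permissions:` would make the grant explicit here.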
@@ -1,42 +0,0 @@ -name: Starter Workflow -on: [workflow_dispatch, push, pull_request] - -jobs: - call-create-github-release-workflow: - uses: Keyfactor/actions/.github/workflows/github-release.yml@main - - get-manifest-properties: - runs-on: windows-latest - outputs: - update_catalog: ${{ steps.read-json.outputs.prop }} - steps: - - uses: actions/checkout@v3 - - name: Read json - id: read-json - shell: pwsh - run: | - $json = Get-Content integration-manifest.json | ConvertFrom-Json - echo "::set-output name=prop::$(echo $json.update_catalog)" - - call-dotnet-build-and-release-workflow: - needs: [call-create-github-release-workflow] - uses: Keyfactor/actions/.github/workflows/dotnet-build-and-release.yml@main - with: - release_version: ${{ needs.call-create-github-release-workflow.outputs.release_version }} - release_url: ${{ needs.call-create-github-release-workflow.outputs.release_url }} - release_dir: Imperva/bin/Release # TODO: set build output directory to upload as a release, relative to checkout workspace - secrets: - token: ${{ secrets.PRIVATE_PACKAGE_ACCESS }} - - call-generate-readme-workflow: - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - uses: Keyfactor/actions/.github/workflows/generate-readme.yml@main - secrets: - token: ${{ secrets.APPROVE_README_PUSH }} - - call-update-catalog-workflow: - needs: get-manifest-properties - if: needs.get-manifest-properties.outputs.update_catalog == 'True' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') - uses: Keyfactor/actions/.github/workflows/update-catalog.yml@main - secrets: - token: ${{ secrets.SDK_SYNC_PAT }} diff --git a/integration-manifest.json b/integration-manifest.json index 864d4cf..7946dd0 100644 --- a/integration-manifest.json +++ b/integration-manifest.json 
@@ -6,6 +6,8 @@ "description": "The Imperva Orchestrator Extension allows for the management of SSL certificates bound to web sites managed by the Imperva cloud-based firewall.", "link_github": false, "update_catalog": false, + "release_dir": "Imperva/bin/Release", + "support_level": "kf-supported", "about": { "orchestrator": { "UOFramework": "10.1", From bc8e7bf3774a39e2bdbe17f5933580714025ff57 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 15 Apr 2024 16:34:15 +0000 Subject: [PATCH 5/7] Update generated README --- README.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 7518b83..380aa62 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,10 @@ + # Imperva The Imperva Orchestrator Extension allows for the management of SSL certificates bound to web sites managed by the Imperva cloud-based firewall. #### Integration status: Production - Ready for use in production environments. - ## About the Keyfactor Universal Orchestrator Extension This repository contains a Universal Orchestrator Extension which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications. 
@@ -13,23 +13,22 @@ The Universal Orchestrator is part of the Keyfactor software distribution and is The Universal Orchestrator is the successor to the Windows Orchestrator. This Orchestrator Extension plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator. - ## Support for Imperva -Imperva +Imperva is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com ###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. - --- +--- + ## Keyfactor Version Supported The minimum version of the Keyfactor Universal Orchestrator Framework needed to run this version of the extension is 10.1 - ## Platform Specific Notes The Keyfactor Universal Orchestrator may be installed on either Windows or Linux based platforms. The certificate operations supported by a capability may vary based what platform the capability is installed on. The table below indicates what capabilities are supported based on which platform the encompassing Universal Orchestrator is running. From aafcd2241145a2494635867d5cc7f8fcb7eea18a Mon Sep 17 00:00:00 2001 From: Michael Henderson Date: Mon, 15 Apr 2024 09:36:51 -0700 Subject: [PATCH 6/7] add missing property --- integration-manifest.json | 1 + 1 file changed, 1 insertion(+) diff --git a/integration-manifest.json b/integration-manifest.json index 7946dd0..7b284ba 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -12,6 +12,7 @@ "orchestrator": { "UOFramework": "10.1", "pam_support": true, + "keyfactor_platform_version": "9.10", "win": { "supportsCreateStore": false, "supportsDiscovery": false, From 413a892e654d8aeaf3c3839b0af098bd0e3737cc Mon Sep 17 00:00:00 2001 
From: Michael Henderson Date: Mon, 15 Apr 2024 09:43:08 -0700 Subject: [PATCH 7/7] fix integration manifest --- integration-manifest.json | 2 ++ 1 file changed, 2 insertions(+) diff --git a/integration-manifest.json b/integration-manifest.json index d027c5c..9f251cb 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -6,6 +6,8 @@ "description": "The Imperva Orchestrator Extension allows for the management of SSL certificates bound to web sites managed by the Imperva cloud-based firewall.", "release_dir": "Imperva/bin/Release", "support_level": "kf-supported", + "update_catalog": true, + "link_github": true, "about": { "orchestrator": { "UOFramework": "10.1",