From 1f345cd473730e20471ec9ec942c5b5b1bc6c615 Mon Sep 17 00:00:00 2001
From: Luis Presuel
Date: Fri, 31 May 2024 17:15:03 -0600
Subject: [PATCH] fixes bug where wrong pickup-id variable was set. fixes bug for ARN as the value from websocket is not responding with that value. Thus this required update in function provisionToMachineIdentiy to find out before hand the keystore type (if keystore was not provided in request

---
 cmd/vcert/cmdCloudKeystores.go | 2 +-
 cmd/vcert/utils.go | 2 +-
 .../provisionWithCertificateRequest/main.go | 2 +-
 examples/provisionWithServiceAccount/main.go | 2 +-
 pkg/domain/provisioning.go | 1 -
 pkg/venafi/cloud/cloudproviders.go | 36 ++++++++++---------
 6 files changed, 23 insertions(+), 22 deletions(-)

diff --git a/cmd/vcert/cmdCloudKeystores.go b/cmd/vcert/cmdCloudKeystores.go
index 6eae7e79..37eaf65e 100644
--- a/cmd/vcert/cmdCloudKeystores.go
+++ b/cmd/vcert/cmdCloudKeystores.go
@@ -79,7 +79,7 @@ func doCommandProvisionCloudKeystore(c *cli.Context) error {
 	}
 	switch metadata.CloudKeystoreType {
 	case domain.CloudKeystoreTypeACM:
-		result.ARN = metadata.ARN
+		result.ARN = metadata.CertificateID
 	case domain.CloudKeystoreTypeAKV:
 		result.AzureID = metadata.CertificateID
 		result.AzureName = metadata.CertificateName
diff --git a/cmd/vcert/utils.go b/cmd/vcert/utils.go
index abe674b5..7ea35373 100644
--- a/cmd/vcert/utils.go
+++ b/cmd/vcert/utils.go
@@ -621,7 +621,7 @@ func randRunes(n int) string {
 func fillProvisioningRequest(req *domain.ProvisioningRequest, keystore domain.CloudKeystore, cf *commandFlags) (*domain.ProvisioningRequest, *domain.ProvisioningOptions) {
 	req.CertificateID = cleanEmptyStringPointer(cf.certificateID)
 	req.Keystore = &keystore
-	req.PickupID = &(cf.pickupID)
+	req.PickupID = &(cf.provisionPickupID)
 
 	if cf.keystoreCertName == "" {
 		return req, nil
diff --git a/examples/provisionWithCertificateRequest/main.go b/examples/provisionWithCertificateRequest/main.go
index ccaf4aee..5802f0d0 100644
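Review bot: The ACM case now copies `metadata.CertificateID` into `result.ARN` with nothing explaining why an ID field is an ARN, so the next reader will read it as a bug; put the reason on the line: `// for ACM the provider certificate ID returned by the workflow is the certificate ARN`. Because the keystore type is now supplied by the caller instead of inferred from the payload, a `domain.CloudKeystoreTypeUnknown` value would fall through this switch with no output field populated; if the remainder of the switch (outside the hunk) has no `default:`, add one that returns an error rather than printing an empty result. doCommandProvisionCloudKeystore begins before and ends after this hunk.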
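Review bot: `req.PickupID = &(cf.provisionPickupID)` always produces a non-nil pointer, even when the flag was never set, whereas `req.CertificateID` on the line above goes through `cleanEmptyStringPointer` and becomes nil when empty; anything downstream that tests `PickupID == nil` to decide whether a pickup ID was supplied will treat an empty string as a real value. For consistency with the sibling field make it `req.PickupID = cleanEmptyStringPointer(cf.provisionPickupID)` (assuming the helper accepts a plain string, as it does for certificateID). fillProvisioningRequest continues past the end of this hunk.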
--- a/examples/provisionWithCertificateRequest/main.go
+++ b/examples/provisionWithCertificateRequest/main.go
@@ -89,7 +89,7 @@ func main() {
 
 	// Example to get values from other keystores machine identities metadata
 	if certMetaData.CloudKeystoreType == domain.CloudKeystoreTypeACM {
-		log.Printf("Certificate AWS Metadata ARN:\n%v", certMetaData.ARN)
+		log.Printf("Certificate AWS Metadata ARN:\n%v", certMetaData.CertificateID)
 	}
 	if certMetaData.CloudKeystoreType == domain.CloudKeystoreTypeAKV {
 		log.Printf("Certificate Azure Metadata ID:\n%v", certMetaData.CertificateID)
diff --git a/examples/provisionWithServiceAccount/main.go b/examples/provisionWithServiceAccount/main.go
index fc538b50..027ca57b 100644
--- a/examples/provisionWithServiceAccount/main.go
+++ b/examples/provisionWithServiceAccount/main.go
@@ -103,7 +103,7 @@ func main() {
 
 	// Example to get values from other keystores machine identities metadata
 	if certMetaData.CloudKeystoreType == domain.CloudKeystoreTypeACM {
-		log.Printf("Certificate AWS Metadata ARN:\n%v", certMetaData.ARN)
+		log.Printf("Certificate AWS Metadata ARN:\n%v", certMetaData.CertificateID)
 	}
 	if certMetaData.CloudKeystoreType == domain.CloudKeystoreTypeAKV {
 		log.Printf("Certificate Azure Metadata ID:\n%v", certMetaData.CertificateID)
diff --git a/pkg/domain/provisioning.go b/pkg/domain/provisioning.go
index 628e374b..1e344081 100644
--- a/pkg/domain/provisioning.go
+++ b/pkg/domain/provisioning.go
@@ -17,7 +17,6 @@ type ProvisioningRequest struct {
 
 type ProvisioningMetadata struct {
 	CloudKeystoreType CloudKeystoreType
-	ARN               string
 	CertificateID     string
 	CertificateName   string
 	CertificateVersion string
diff --git a/pkg/venafi/cloud/cloudproviders.go b/pkg/venafi/cloud/cloudproviders.go
index 9b3690c7..44185ba3 100644
--- a/pkg/venafi/cloud/cloudproviders.go
+++ b/pkg/venafi/cloud/cloudproviders.go
@@ -18,7 +18,6 @@ import (
 )
 
 type CloudKeystoreProvisioningResult struct {
-	Arn                        string `json:"arn"`
 	CloudProviderCertificateID string `json:"cloudProviderCertificateId"`
 	CloudCertificateName       string `json:"cloudProviderCertificateName"`
 	CloudCertificateVersion    string `json:"cloudProviderCertificateVersion"`
@@ -133,7 +132,7 @@ func (c *Connector) ProvisionCertificate(req *domain.ProvisioningRequest, option
 
 	// parsing metadata from websocket response
 	log.Printf("Getting Cloud Metadata of Certificate ID %s and Keystore ID: %s", certificateIDString, cloudKeystore.ID)
-	cloudMetadata, err := getCloudMetadataFromWebsocketResponse(workflowResponse.Data.Result)
+	cloudMetadata, err := getCloudMetadataFromWebsocketResponse(workflowResponse.Data.Result, cloudKeystore.Type)
 	if err != nil {
 		return nil, err
 	}
@@ -201,9 +200,24 @@ func (c *Connector) ProvisionCertificateToMachineIdentity(req domain.Provisionin
 		return nil, err
 	}
 
+	keystoreType := domain.CloudKeystoreTypeUnknown
+	if req.Keystore == nil {
+		log.Printf("fetching machine identity to get type")
+		machineIdentity, err := c.cloudProvidersClient.GetMachineIdentity(ctx, domain.GetCloudMachineIdentityRequest{
+			MachineIdentityID: req.MachineIdentityID,
+		})
+		if err != nil {
+			return nil, fmt.Errorf("failed to get machine identity: %w", err)
+		}
+		log.Printf("successfully fetched machine identity")
+		keystoreType = machineIdentity.Metadata.GetKeystoreType()
+	} else {
+		keystoreType = req.Keystore.Type
+	}
+
 	// parsing metadata from websocket response
 	log.Printf("Getting Cloud Metadata of Machine Identity with ID: %s", machineIdentityID)
-	cloudMetadata, err := getCloudMetadataFromWebsocketResponse(ar.Data.Result)
+	cloudMetadata, err := getCloudMetadataFromWebsocketResponse(ar.Data.Result, keystoreType)
 	if err != nil {
 		return nil, err
 	}
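Review bot: The machine identity lookup runs after the websocket response `ar` is already in hand, so when `GetMachineIdentity` fails this returns an error for a provisioning that, as far as the hunk shows, has already completed, and the caller loses the metadata with no hint that the certificate was in fact provisioned. Either do the lookup before the provisioning call (the start of ProvisionCertificateToMachineIdentity is outside this hunk) or at least make the error say so: `return nil, fmt.Errorf("provisioning of machine identity %s completed but fetching it to determine the keystore type failed: %w", req.MachineIdentityID, err)`. The initializer in `keystoreType := domain.CloudKeystoreTypeUnknown` is dead since both branches assign it; `var keystoreType domain.CloudKeystoreType` states the intent better. Neither branch rejects an Unknown type, so a machine identity whose `GetKeystoreType()` cannot classify it, or a request whose `Keystore.Type` was left unset, is passed straight into getCloudMetadataFromWebsocketResponse and the mislabelled metadata is only noticed when a consumer switches on it.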
@@ -329,7 +343,7 @@ func (c *Connector) getGraphqlHTTPClient() *http.Client {
 	return httpclient
 }
 
-func getCloudMetadataFromWebsocketResponse(resultMap interface{}) (*domain.ProvisioningMetadata, error) {
+func getCloudMetadataFromWebsocketResponse(resultMap interface{}, keystoreType domain.CloudKeystoreType) (*domain.ProvisioningMetadata, error) {
 	result := CloudKeystoreProvisioningResult{}
 
 	resultBytes, err := json.Marshal(resultMap)
@@ -348,8 +362,7 @@ func getCloudMetadataFromWebsocketResponse(resultMap interface{}) (*domain.Provi
 	}
 
 	cloudMetadata := &domain.ProvisioningMetadata{
-		CloudKeystoreType: domain.CloudKeystoreTypeUnknown,
-		ARN:               result.Arn,
+		CloudKeystoreType: keystoreType,
 		CertificateID:     result.CloudProviderCertificateID,
 		CertificateName:   result.CloudCertificateName,
 		CertificateVersion: result.CloudCertificateVersion,
@@ -357,16 +370,5 @@ func getCloudMetadataFromWebsocketResponse(resultMap interface{}) (*domain.Provi
 		MachineIdentityActionType: result.MachineIdentityActionType,
 	}
 
-	// Only ACM returns an ARN value
-	if result.Arn != "" {
-		cloudMetadata.CloudKeystoreType = domain.CloudKeystoreTypeACM
-	} else if result.CloudCertificateVersion != "" {
-		// Only Azure returns a certificate version value
-		cloudMetadata.CloudKeystoreType = domain.CloudKeystoreTypeAKV
-	} else {
-		// No ARN and no certificate version, default to GCM
-		cloudMetadata.CloudKeystoreType = domain.CloudKeystoreTypeGCM
-	}
-
 	return cloudMetadata, err
 }
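Review bot: `keystoreType` is accepted from the caller with no validation, and the payload-based inference that previously guaranteed a concrete type is removed further down in this file, so a `domain.CloudKeystoreTypeUnknown` argument now silently yields metadata that consumers such as the CLI's type switch will drop; reject it at entry with `if keystoreType == domain.CloudKeystoreTypeUnknown { return nil, fmt.Errorf("keystore type is required to interpret provisioning metadata") }` (fmt is already used by this file). The function also has no doc comment; add one stating that the result is decoded from the workflow's websocket payload and that the keystore type is taken from the caller because the payload no longer carries an ARN to infer it from. The function body continues past the end of this hunk.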