Merge pull request #498 from Venafi/VC-34339/verify-cert-expiry-befor…

…e-provision

Enhances VCert Provision - Filters if Cert is expired

aruba/features/provision/cloudkeystore/provision_cloudkeystore.feature

@@ -46,6 +46,7 @@ Feature: provision to cloud keystore
       | cloudkeystore    |
       | GOOGLE           |
       | AWS              |
+      | AZURE            |
 
   Scenario Outline: Enroll certificate, execute provisioning and then provisioning again for replace
     Given I enroll a random certificate with defined platform VCP with -csr service -no-prompt

pkg/venafi/cloud/certificate.go

@@ -16,11 +16,14 @@
 
 package cloud
 
+import "time"
+
 type VenafiCertificate struct {
-	ID                   string `json:"id,omitempty"`
-	CertificateStatus    string `json:"certificateStatus,omitempty"`
-	CertificateRequestId string `json:"certificateRequestId,omitempty"`
-	DekHash              string `json:"dekHash,omitempty"`
-	Fingerprint          string `json:"fingerprint,omitempty"`
-	CertificateSource    string `json:"certificateSource,omitempty"`
+	ID                   string    `json:"id,omitempty"`
+	CertificateStatus    string    `json:"certificateStatus,omitempty"`
+	CertificateRequestId string    `json:"certificateRequestId,omitempty"`
+	DekHash              string    `json:"dekHash,omitempty"`
+	Fingerprint          string    `json:"fingerprint,omitempty"`
+	CertificateSource    string    `json:"certificateSource,omitempty"`
+	ValidityEnd          time.Time `json:"validityEnd"`
 }

pkg/venafi/cloud/cloudproviders.go

@@ -66,13 +66,13 @@ func (c *Connector) ProvisionCertificate(req *domain.ProvisioningRequest, option
 	certificateIDString := *(reqData.CertificateID)
 	log.Printf("Certificate ID for provisioning: %s", certificateIDString)
 
-	// Is certificate generated by VCP?
-	log.Printf("Validating if certificate is generated by VCP")
-	err := c.validateIfCertIsVCPGeneratedByID(*(reqData.CertificateID))
+	// Is certificate valid for provisioning?
+	log.Printf("Validating if certificate is valid")
+	err := c.validateCertificate(*(reqData.CertificateID))
 	if err != nil {
 		return nil, err
 	}
-	log.Println("Certificate is valid for provisioning (VCP generated)")
+	log.Printf("Good certificate for provisioning!")
 
 	cloudKeystore := reqData.Keystore
 
@@ -175,7 +175,7 @@ func (c *Connector) ProvisionCertificateToMachineIdentity(req domain.Provisionin
 
 	// Is certificate generated by VCP?
 	log.Printf("validating if certificate is generated by VCP")
-	err := c.validateIfCertIsVCPGeneratedByID(certificateID)
+	err := c.validateCertificate(certificateID)
 	if err != nil {
 		return nil, err
 	}
@@ -300,14 +300,26 @@ func setProvisioningOptions(options domain.ProvisioningOptions, keystoreType dom
 	return provisioningOptions, nil
 }
 
-func (c *Connector) validateIfCertIsVCPGeneratedByID(certificateId string) error {
+func (c *Connector) validateCertificate(certificateId string) error {
 	cert, err := c.getCertificates(certificateId)
 	if err != nil {
 		return fmt.Errorf("error trying to get certificate details for cert with ID: %s, error: %s", certificateId, err.Error())
 	}
+
+	// Is certificate not expired?
+	log.Printf("Validating if certificate is not expired")
+	now := time.Now()
+	if now.Unix() > cert.ValidityEnd.Unix() {
+		return fmt.Errorf("error trying to provisioning certificate with ID: %s. Provided certificate is expired", certificateId)
+	}
+	log.Printf("Certificate is still valid")
+
+	// Is certificate generated by VCP?
+	log.Printf("Validating if certificate is generated by VCP")
 	if cert.DekHash == "" {
 		return fmt.Errorf("error trying to provisioning certificate with ID: %s. Provided certificate is not VCP generated", certificateId)
 	}
+	log.Println("Certificate is valid for provisioning (VCP generated)")
 	return nil
 }