diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml new file mode 100644 index 00000000..93c0b8d6 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.yml @@ -0,0 +1,193 @@ +name: ๐Ÿ› Bug Report +description: Report a bug or unexpected behavior in the Kubernetes Orchestrator Extension +title: "[Bug]: " +labels: ["bug", "needs-triage"] +body: + - type: markdown + attributes: + value: | + Thanks for taking the time to report this bug! Please fill out the information below to help us resolve the issue. + + - type: textarea + id: description + attributes: + label: Bug Description + description: A clear and concise description of what the bug is. + placeholder: When I try to..., I expect... but instead... + validations: + required: true + + - type: dropdown + id: store-type + attributes: + label: Affected Store Type + description: Which Kubernetes store type is affected? + options: + - K8SCluster + - K8SNS + - K8SJKS + - K8SPKCS12 + - K8SSecret + - K8STLSSecr + - K8SCert + - Multiple store types + - Not sure / Not applicable + validations: + required: true + + - type: dropdown + id: operation + attributes: + label: Affected Operation + description: Which orchestrator operation is affected? + options: + - Inventory + - Management (Add) + - Management (Remove) + - Discovery + - Reenrollment + - Store Creation + - Multiple operations + - Not sure / Not applicable + validations: + required: true + + - type: textarea + id: steps-to-reproduce + attributes: + label: Steps to Reproduce + description: Detailed steps to reproduce the behavior + placeholder: | + 1. Configure store with... + 2. Run operation... + 3. See error... + validations: + required: true + + - type: textarea + id: expected-behavior + attributes: + label: Expected Behavior + description: What did you expect to happen? + placeholder: The certificate should be added to the secret... + validations: + required: true + + - type: textarea + id: actual-behavior + attributes: + label: Actual Behavior + description: What actually happened? + placeholder: Instead, I received error... + validations: + required: true + + - type: input + id: orchestrator-version + attributes: + label: Orchestrator Extension Version + description: Version of the Kubernetes Orchestrator Extension + placeholder: e.g., 1.2.2 + validations: + required: true + + - type: input + id: command-version + attributes: + label: Keyfactor Command Version + description: Version of Keyfactor Command + placeholder: e.g., 12.4, 24.4 + validations: + required: true + + - type: dropdown + id: kubernetes-distro + attributes: + label: Kubernetes Distribution + description: Which Kubernetes distribution are you using? + options: + - Azure Kubernetes Service (AKS) + - Amazon Elastic Kubernetes Service (EKS) + - Google Kubernetes Engine (GKE) + - Red Hat OpenShift + - Rancher + - K3s + - Vanilla Kubernetes + - Other (please specify in Additional Context) + validations: + required: true + + - type: input + id: kubernetes-version + attributes: + label: Kubernetes Version + description: Version of Kubernetes + placeholder: e.g., 1.28, 1.29 + validations: + required: true + + - type: dropdown + id: orchestrator-platform + attributes: + label: Orchestrator Platform + description: Where is the Universal Orchestrator running? + options: + - Windows + - Linux + - Container + - Not sure + validations: + required: true + + - type: textarea + id: logs + attributes: + label: Relevant Log Output + description: | + Please copy and paste any relevant log output. This will be automatically formatted. + **Important**: Redact any sensitive information (passwords, tokens, server names). + render: shell + placeholder: | + [Error] Failed to add certificate to secret... + [Debug] Connecting to Kubernetes API at... + + - type: textarea + id: store-configuration + attributes: + label: Store Configuration + description: | + If relevant, provide your store configuration (redact sensitive information). + Include custom properties, store path pattern, etc. + render: json + placeholder: | + { + "StorePath": "my-namespace", + "Properties": { + "SeparateChain": "true", + "IncludeCertChain": "false" + } + } + + - type: textarea + id: additional-context + attributes: + label: Additional Context + description: | + Add any other context about the problem here. + - Screenshots + - Network configuration + - Service account permissions + - Related issues + + - type: checkboxes + id: checklist + attributes: + label: Pre-submission Checklist + description: Please confirm the following before submitting + options: + - label: I have searched existing issues to ensure this is not a duplicate + required: true + - label: I have redacted all sensitive information from logs and configurations + required: true + - label: I have provided all required version information + required: true diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 00000000..6474d6c3 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,17 @@ +blank_issues_enabled: false +contact_links: + - name: ๐Ÿ” GitHub Security Advisory (Private Vulnerability Reporting) + url: https://github.com/Keyfactor/k8s-orchestrator/security/advisories/new + about: Report critical security vulnerabilities privately through GitHub Security Advisories (recommended for security issues) + + - name: ๐Ÿ“ž Keyfactor Support Portal + url: https://support.keyfactor.com + about: For Keyfactor Command support, licensing questions, or enterprise support + + - name: ๐Ÿ’ฌ Community Discussions + url: https://github.com/Keyfactor/k8s-orchestrator/discussions + about: Ask questions, share ideas, and discuss with the community + + - name: ๐Ÿ“– Documentation + url: https://github.com/Keyfactor/k8s-orchestrator/blob/main/README.md + about: Read the complete documentation including installation guides and store type references diff --git a/.github/ISSUE_TEMPLATE/documentation.yml b/.github/ISSUE_TEMPLATE/documentation.yml new file mode 100644 index 00000000..8f8d4b5d --- /dev/null +++ b/.github/ISSUE_TEMPLATE/documentation.yml @@ -0,0 +1,119 @@ +name: ๐Ÿ“š Documentation or Question +description: Report a documentation issue or ask a question about the Kubernetes Orchestrator Extension +title: "[Docs]: " +labels: ["documentation", "question"] +body: + - type: markdown + attributes: + value: | + Thanks for helping improve our documentation or asking a question! + + **Note**: For general Keyfactor Command support, please contact Keyfactor Support at https://support.keyfactor.com + + - type: dropdown + id: issue-type + attributes: + label: Issue Type + description: What type of issue is this? + options: + - Documentation Error / Typo + - Missing Documentation + - Unclear Documentation + - Documentation Improvement Suggestion + - General Question / Support Request + - How-to / Best Practices Question + validations: + required: true + + - type: textarea + id: description + attributes: + label: Description + description: Describe the documentation issue or ask your question + placeholder: | + The documentation says... but I'm confused about... + OR + How do I configure... + validations: + required: true + + - type: input + id: documentation-link + attributes: + label: Documentation Link + description: If reporting a documentation issue, provide a link to the relevant documentation + placeholder: https://github.com/Keyfactor/k8s-orchestrator/blob/main/README.md#... + + - type: dropdown + id: topic-area + attributes: + label: Topic Area + description: Which area does this relate to? + options: + - Installation / Setup + - Store Type Configuration + - Service Account / Authentication + - Certificate Operations (Add/Remove/Inventory) + - Discovery Configuration + - Store Types (K8SCluster, K8SNS, etc.) + - Custom Properties / Parameters + - Troubleshooting + - Integration with Keyfactor Command + - Best Practices + - API / Development + - Other + + - type: textarea + id: current-understanding + attributes: + label: Current Understanding / What You've Tried + description: | + For questions: What have you tried so far? + For doc issues: What does the current documentation say? + placeholder: | + I've read the documentation at... + I've tried... + I expected the documentation to explain... + + - type: textarea + id: expected-information + attributes: + label: Expected Information / Desired Outcome + description: | + For doc issues: What should the documentation say instead? + For questions: What are you trying to accomplish? + placeholder: | + The documentation should explain... + OR + I'm trying to accomplish... + + - type: textarea + id: environment-info + attributes: + label: Environment Information (if applicable) + description: | + If your question relates to a specific setup, provide version information + placeholder: | + Orchestrator Extension Version: 1.2.2 + Keyfactor Command Version: 24.4 + Kubernetes Distribution: AKS + Store Type: K8SCluster + + - type: textarea + id: additional-context + attributes: + label: Additional Context + description: | + Any additional context, screenshots, configuration examples, or links that might help. + + - type: checkboxes + id: checklist + attributes: + label: Pre-submission Checklist + options: + - label: I have searched existing issues and documentation + required: true + - label: I have checked the README and store type documentation + required: false + - label: For Keyfactor Command questions, I understand I should contact Keyfactor Support + required: false diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml new file mode 100644 index 00000000..65af0773 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.yml @@ -0,0 +1,108 @@ +name: โœจ Feature Request +description: Suggest a new feature or enhancement for the Kubernetes Orchestrator Extension +title: "[Feature]: " +labels: ["enhancement", "needs-triage"] +body: + - type: markdown + attributes: + value: | + Thanks for suggesting a new feature! Please provide as much detail as possible. + + - type: dropdown + id: feature-type + attributes: + label: Feature Type + description: What type of feature are you requesting? + options: + - New Store Type Support + - New Operation Support + - Enhancement to Existing Feature + - Performance Improvement + - Better Error Handling + - Documentation Improvement + - Other + validations: + required: true + + - type: textarea + id: problem + attributes: + label: Problem Statement + description: Is your feature request related to a problem? Please describe. + placeholder: I'm frustrated when... It would be helpful if... + validations: + required: true + + - type: textarea + id: solution + attributes: + label: Proposed Solution + description: Describe the solution you'd like + placeholder: I would like to see... + validations: + required: true + + - type: textarea + id: alternatives + attributes: + label: Alternatives Considered + description: Have you considered any alternative solutions or workarounds? + placeholder: I've tried... but it doesn't work because... + + - type: dropdown + id: affected-store-types + attributes: + label: Affected Store Types + description: Which store types would this feature affect? (select one, or "Multiple") + options: + - K8SCluster + - K8SNS + - K8SJKS + - K8SPKCS12 + - K8SSecret + - K8STLSSecr + - K8SCert + - Multiple store types + - New store type + - All store types + - Not applicable + + - type: textarea + id: use-case + attributes: + label: Use Case / Business Justification + description: Describe your use case and why this feature would be valuable + placeholder: | + In our environment, we need to... + This would benefit users who... + validations: + required: true + + - type: textarea + id: implementation-ideas + attributes: + label: Implementation Ideas + description: | + If you have ideas about how this could be implemented, share them here. + Technical details, configuration examples, etc. + placeholder: | + This could be implemented by... + Configuration might look like... + + - type: textarea + id: additional-context + attributes: + label: Additional Context + description: | + Add any other context, screenshots, or examples about the feature request. + Links to related documentation, similar features in other projects, etc. + + - type: checkboxes + id: checklist + attributes: + label: Pre-submission Checklist + options: + - label: I have searched existing issues and feature requests to ensure this is not a duplicate + required: true + - label: This feature aligns with the scope of the Kubernetes Orchestrator Extension + required: true diff --git a/.github/ISSUE_TEMPLATE/security_vulnerability.yml b/.github/ISSUE_TEMPLATE/security_vulnerability.yml new file mode 100644 index 00000000..5f749c3c --- /dev/null +++ b/.github/ISSUE_TEMPLATE/security_vulnerability.yml @@ -0,0 +1,156 @@ +name: ๐Ÿ”’ Security Vulnerability +description: Report a security vulnerability (private submission recommended) +title: "[Security]: " +labels: ["security", "needs-triage"] +body: + - type: markdown + attributes: + value: | + ## โš ๏ธ Security Disclosure + + **IMPORTANT**: If this is a critical security vulnerability that could be actively exploited, + please report it privately through GitHub Security Advisories instead: + + 1. Go to the Security tab + 2. Click "Report a vulnerability" + 3. Fill out the private form + + This ensures the vulnerability is not publicly disclosed before a fix is available. + + For non-critical security improvements or concerns, you can continue with this public issue. + + - type: dropdown + id: severity + attributes: + label: Severity Assessment + description: How severe do you believe this vulnerability is? + options: + - Critical (Immediate exploitation possible, affects all users) + - High (Exploitation likely, affects many users) + - Medium (Exploitation requires specific conditions) + - Low (Minor security improvement) + - Informational (Security best practice suggestion) + validations: + required: true + + - type: textarea + id: vulnerability-description + attributes: + label: Vulnerability Description + description: Describe the security issue (be as detailed as possible) + placeholder: | + A security vulnerability exists in... + This could allow an attacker to... + validations: + required: true + + - type: dropdown + id: vulnerability-type + attributes: + label: Vulnerability Type + description: What type of security issue is this? + options: + - Authentication / Authorization + - Credential Exposure + - Code Injection + - Privilege Escalation + - Information Disclosure + - Denial of Service + - Cryptographic Issue + - Dependency Vulnerability + - Configuration Issue + - Other (please specify) + validations: + required: true + + - type: textarea + id: attack-scenario + attributes: + label: Attack Scenario + description: | + Describe how this vulnerability could be exploited. + What would an attacker need to do? + placeholder: | + An attacker could exploit this by... + Prerequisites: ... + Impact: ... + validations: + required: true + + - type: textarea + id: affected-versions + attributes: + label: Affected Versions + description: Which versions of the orchestrator are affected? + placeholder: | + e.g., All versions, v1.2.0 and earlier, v1.1.x only + validations: + required: true + + - type: dropdown + id: affected-components + attributes: + label: Affected Components + description: Which components are affected? + multiple: true + options: + - K8SCluster Store Type + - K8SNS Store Type + - K8SJKS Store Type + - K8SPKCS12 Store Type + - K8SSecret Store Type + - K8STLSSecr Store Type + - K8SCert Store Type + - Kubernetes Client / Authentication + - Certificate Handling + - Secret Management + - PAM Integration + - All Components + + - type: textarea + id: reproduction-steps + attributes: + label: Steps to Reproduce + description: | + If applicable, provide steps to reproduce the vulnerability. + **Warning**: Do not provide exploit code that could harm users. + placeholder: | + 1. Configure a store with... + 2. Send a request to... + 3. Observe that... + + - type: textarea + id: proposed-fix + attributes: + label: Proposed Fix or Mitigation + description: | + If you have ideas for fixing this vulnerability or mitigating it, share them here. + placeholder: | + This could be fixed by... + Users can mitigate this by... + + - type: textarea + id: references + attributes: + label: References + description: | + Links to related CVEs, CWEs, security advisories, or documentation. + placeholder: | + - CVE-XXXX-XXXXX + - CWE-XX + - https://... + + - type: checkboxes + id: disclosure + attributes: + label: Responsible Disclosure Agreement + description: Please confirm your understanding of responsible disclosure + options: + - label: I understand this issue will be publicly visible + required: true + - label: I have not included exploit code that could harm users + required: true + - label: I agree to allow reasonable time for a fix before public disclosure (if applicable) + required: true + - label: For critical vulnerabilities, I understand I should use GitHub Security Advisories for private reporting + required: true diff --git a/.github/SECURITY_WORKFLOWS.md b/.github/SECURITY_WORKFLOWS.md new file mode 100644 index 00000000..4500c528 --- /dev/null +++ b/.github/SECURITY_WORKFLOWS.md @@ -0,0 +1,251 @@ +# GitHub Advanced Security Workflows + +This document describes the security and code quality workflows configured for this repository. + +## GitHub Advanced Security (GHAS) Workflows + +### 1. CodeQL Analysis (`codeql-analysis.yml`) +**Purpose**: Automated security vulnerability detection in C# code + +**Runs on**: +- Push to `main` and `release-*` branches +- Pull requests to `main` and `release-*` branches +- Weekly schedule (Mondays at 6:00 AM UTC) +- Manual trigger + +**What it does**: +- Analyzes C# code for security vulnerabilities +- Uses GitHub's CodeQL engine with security-extended and security-and-quality query packs +- Reports findings to GitHub Security tab +- Builds the project to ensure complete analysis + +**Configuration**: Uses default CodeQL queries plus extended security queries for comprehensive coverage. + +--- + +### 2. Dependency Review (`dependency-review.yml`) +**Purpose**: Automated dependency vulnerability scanning on pull requests + +**Runs on**: +- Pull requests to `main` and `release-*` branches + +**What it does**: +- Scans all dependencies for known vulnerabilities +- Checks licenses for compliance +- Fails PRs with moderate or higher severity vulnerabilities +- Posts summary comments on PRs + +**Configuration**: +- Fails on: moderate or higher severity vulnerabilities +- License checks: enabled +- Vulnerability checks: enabled + +--- + +### 3. Dependency Submission (`dependency-submission.yml`) +**Purpose**: Keep GitHub's dependency graph updated + +**Runs on**: +- Push to `main` branch +- Manual trigger + +**What it does**: +- Submits dependency snapshot to GitHub +- Updates dependency graph automatically +- Enables Dependabot alerts + +--- + +## Security Scanning Workflows + +### 4. .NET Security Scan (`dotnet-security-scan.yml`) +**Purpose**: Scan for vulnerable NuGet packages + +**Runs on**: +- Push to `main` and `release-*` branches +- Pull requests +- Weekly schedule (Tuesdays at 8:00 AM UTC) +- Manual trigger + +**What it does**: +- Runs `dotnet list package --vulnerable` to find vulnerable dependencies +- Checks for outdated packages using dotnet-outdated tool +- Fails build if critical vulnerabilities are found +- Uploads scan results as artifacts + +--- + +### 5. Secret Scanning (`secret-scanning.yml`) +**Purpose**: Detect exposed secrets and credentials + +**Runs on**: +- Push to any branch +- Pull requests to `main` and `release-*` branches +- Manual trigger + +**What it does**: +- Uses TruffleHog OSS to scan for secrets +- Scans full git history +- Reports findings to Security tab + +**Note**: GitHub's native Secret Scanning with push protection should also be enabled in repository settings. + +--- + +## Code Quality Workflows + +### 6. Code Quality Analysis (`code-quality.yml`) +**Purpose**: Enforce code quality standards + +**Runs on**: +- Push to `main` and `release-*` branches +- Pull requests +- Manual trigger + +**What it does**: +- Checks code formatting with `dotnet format` +- Runs .NET code analyzers +- Generates code metrics +- Reports quality issues + +--- + +### 7. PR Quality Gate (`pr-quality-gate.yml`) +**Purpose**: Comprehensive PR validation + +**Runs on**: +- Pull requests to `main` and `release-*` branches + +**What it does**: +- Builds and tests the solution +- Checks PR size and provides warnings for large PRs +- Validates PR title format (Conventional Commits) +- Checks for required files +- Warns about prohibited keywords (TODO, FIXME, etc.) +- Auto-labels PRs based on changed files + +**PR Title Format**: Must follow Conventional Commits: +``` +: + +Types: feat, fix, docs, style, refactor, perf, test, chore, ci +Example: feat: Add support for PKCS12 certificates +``` + +--- + +### 8. License Compliance (`license-compliance.yml`) +**Purpose**: Track and validate dependency licenses + +**Runs on**: +- Push to `main` +- Pull requests +- Monthly schedule (1st of each month at 9:00 AM UTC) +- Manual trigger + +**What it does**: +- Generates license reports for all dependencies +- Exports license texts +- Warns about restricted licenses (GPL, AGPL) +- Uploads reports as artifacts + +--- + +## Supply Chain Security + +### 9. SBOM Generation (`sbom-generation.yml`) +**Purpose**: Generate Software Bill of Materials + +**Runs on**: +- Push to `main` +- Tagged releases (`v*.*.*`) +- Release published events +- Manual trigger + +**What it does**: +- Generates SBOM using CycloneDX +- Creates JSON and XML formats +- Uploads as build artifacts +- Attaches SBOM to GitHub releases + +**Formats**: CycloneDX JSON and XML + +--- + +### 10. Container Security Scan (`container-security-scan.yml`) +**Purpose**: Scan Docker container images for vulnerabilities + +**Runs on**: +- Push to branches (when Dockerfile changes) +- Pull requests (when Dockerfile changes) +- Manual trigger + +**Status**: Currently disabled (`if: false`) - enable when Dockerfile is added + +**What it does**: +- Builds container image +- Scans with Trivy for vulnerabilities +- Scans with Grype/Anchore +- Reports to GitHub Security tab +- Fails on HIGH or CRITICAL vulnerabilities + +--- + +## Required Secrets + +The following secrets should already be configured in repository settings: + +| Secret Name | Used By | Purpose | +|------------|---------|---------| +| `V2BUILDTOKEN` | Keyfactor Workflow | Already configured | +| `SAST_TOKEN` | Keyfactor Workflow | Already configured | + +No additional secrets are required for the security and quality workflows. + +## GitHub Advanced Security Features + +Ensure these are enabled in repository settings: + +1. **Secret scanning** - Automatically detect exposed secrets +2. **Secret scanning push protection** - Block pushes containing secrets +3. **Dependency graph** - Track project dependencies +4. **Dependabot alerts** - Get notified of vulnerable dependencies +5. **Dependabot security updates** - Auto-create PRs to fix vulnerabilities +6. **Code scanning** - CodeQL analysis results + +## Best Practices + +1. **Review security alerts promptly**: Check the Security tab regularly +2. **Keep dependencies updated**: Review Dependabot PRs weekly +3. **Fix vulnerabilities before merging**: All security checks should pass +4. **Monitor SBOM changes**: Review supply chain changes in releases +5. **Use semantic PR titles**: Helps with changelog generation +6. **Keep PRs small**: Aim for < 500 lines changed per PR +7. **Run manual scans**: Use workflow_dispatch for on-demand scanning + +## Scheduled Scans Summary + +| Workflow | Schedule | Day | Time (UTC) | +|----------|----------|-----|------------| +| CodeQL Analysis | Weekly | Monday | 6:00 AM | +| .NET Security Scan | Weekly | Tuesday | 8:00 AM | +| License Compliance | Monthly | 1st | 9:00 AM | + +## Troubleshooting + +**CodeQL fails to build**: Ensure all .NET SDKs are correctly specified in the workflow. + +**Dependency Review blocking PRs**: Check for vulnerable dependencies with `dotnet list package --vulnerable`. + +**Secret scanning false positives**: Mark as false positive in Security tab, or update `.github/secret_scanning.yml` to exclude patterns. + +**SBOM generation fails**: Ensure CycloneDX tool is compatible with your .NET version. + +**Container scan disabled**: Enable by setting `if: true` in `container-security-scan.yml` once you have a Dockerfile. + +## Additional Resources + +- [GitHub Advanced Security Documentation](https://docs.github.com/en/code-security) +- [CodeQL for C#](https://codeql.github.com/docs/codeql-language-guides/codeql-for-csharp/) +- [Dependency Review](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review) +- [CycloneDX SBOM Standard](https://cyclonedx.org/) diff --git a/.github/SETUP_COMPLETE.md b/.github/SETUP_COMPLETE.md new file mode 100644 index 00000000..4499a8f7 --- /dev/null +++ b/.github/SETUP_COMPLETE.md @@ -0,0 +1,324 @@ +# โœ… GitHub Advanced Security & Issue Templates - Setup Complete! + +## ๐Ÿ“ฆ What Was Created + +### Security & Quality Workflows (10 workflows) + +All workflows are configured for GitHub Advanced Security Enterprise: + +#### Core GHAS Workflows +1. **`codeql-analysis.yml`** - CodeQL security scanning (C#) +2. **`dependency-review.yml`** - Dependency vulnerability scanning on PRs +3. **`dependency-submission.yml`** - Keep GitHub dependency graph updated + +#### Additional Security Workflows +4. **`dotnet-security-scan.yml`** - .NET-specific vulnerability scanning +5. **`secret-scanning.yml`** - Secret detection (TruffleHog OSS) +6. **`license-compliance.yml`** - License tracking and compliance + +#### Code Quality Workflows +7. **`code-quality.yml`** - Code quality and formatting checks +8. **`pr-quality-gate.yml`** - Comprehensive PR validation + +#### Supply Chain Security +9. **`sbom-generation.yml`** - Software Bill of Materials (SBOM) +10. **`container-security-scan.yml`** - Container image scanning (disabled - enable when needed) + +### Issue Templates (4 templates + config) + +Modern GitHub issue forms with auto-labeling: + +1. **`bug_report.yml`** ๐Ÿ› + - Store type selection + - Operation type selection + - K8s distribution dropdown (AKS, EKS, GKE, OpenShift, Rancher, K3s, Vanilla) + - Required: Orchestrator version + Command version + - Log output with syntax highlighting + - Store configuration JSON field + +2. **`feature_request.yml`** โœจ + - Feature type classification + - Use case / business justification + - Affected store types + - Implementation ideas + +3. **`security_vulnerability.yml`** ๐Ÿ”’ + - Severity assessment + - Vulnerability type classification + - Attack scenario description + - Responsible disclosure agreement + - Links to private GitHub Security Advisories + +4. **`documentation.yml`** ๐Ÿ“š + - Documentation issues + - Questions / support requests + - Topic area selection + - Environment information + +5. **`config.yml`** - Issue template configuration + - Disables blank issues + - Links to Security Advisories + - Links to Keyfactor Support Portal + - Links to GitHub Discussions + - Links to Documentation + +### Configuration Files + +- **`labeler.yml`** - Auto-label PRs based on changed files +- **`dependabot.yml`** - Enhanced with NuGet package updates +- **`SECURITY_WORKFLOWS.md`** - Complete workflow documentation +- **`WORKFLOWS_SUMMARY.md`** - Quick reference guide + +--- + +## ๐Ÿš€ Quick Start + +### 1. Enable GitHub Advanced Security Features + +Go to **Settings โ†’ Code security and analysis** and enable: + +- โœ… Dependency graph (should already be enabled) +- โœ… Dependabot alerts +- โœ… Dependabot security updates +- โœ… Secret scanning +- โœ… Secret scanning push protection โš ๏ธ **Important!** +- โœ… Code scanning (CodeQL) + +### 2. Verify Existing Secrets + +All required secrets are already configured: + +โœ… **Existing secrets** (already configured): +- `V2BUILDTOKEN` - Keyfactor build token +- `SAST_TOKEN` - Security scanning token +- All other Keyfactor-related secrets + +**Note**: No additional secrets are needed for the new security and quality workflows. + +### 3. Test the Workflows + +**Option A: Via GitHub UI** +1. Go to **Actions** tab +2. Select a workflow (e.g., "CodeQL Security Analysis") +3. Click "Run workflow" button +4. Select branch and click "Run workflow" + +**Option B: Via GitHub CLI** +```bash +gh workflow run codeql-analysis.yml +gh workflow run dotnet-security-scan.yml +gh workflow run pr-quality-gate.yml +``` + +### 4. Test Issue Templates + +1. Go to **Issues** โ†’ **New issue** +2. You'll see 4 template options: + - ๐Ÿ› Bug Report + - โœจ Feature Request + - ๐Ÿ”’ Security Vulnerability + - ๐Ÿ“š Documentation or Question + +3. Select a template and test the form + +--- + +## ๐Ÿ“… Automated Scanning Schedule + +| Workflow | Frequency | Day | Time (UTC) | +|----------|-----------|-----|------------| +| CodeQL Analysis | Weekly | Monday | 6:00 AM | +| .NET Security Scan | Weekly | Tuesday | 8:00 AM | +| License Compliance | Monthly | 1st | 9:00 AM | +| Dependabot Updates | Daily | - | Various | + +--- + +## ๐ŸŽฏ Next Steps & Best Practices + +### Immediate Actions +1. โœ… **Enable GHAS features** (see Quick Start #1 above) +2. โœ… **Merge this PR** to activate all workflows +3. โœ… **Monitor first scan results** in Security tab (24-48 hours) +4. โœ… **Review Dependabot PRs** as they arrive + +### Within First Week +- ๐Ÿ“Š Review CodeQL findings in Security tab +- ๐Ÿ” Check for vulnerable dependencies +- ๐Ÿ“ Update any outdated packages +- ๐Ÿงช Create a test issue to verify templates + +### Ongoing Maintenance +- **Daily**: Review Dependabot PRs for critical updates +- **Weekly**: Check Security tab for new alerts +- **Monthly**: Review license compliance reports +- **Quarterly**: Audit workflow configurations +- **Annually**: Review security policies + +--- + +## ๐Ÿ“Š Monitoring & Dashboards + +### Security Dashboard +**Navigate to: Security tab** + +View: +- ๐Ÿ” Code scanning alerts (CodeQL) +- ๐Ÿ” Secret scanning alerts +- ๐Ÿ“ฆ Dependabot alerts +- ๐Ÿ›ก๏ธ Security advisories + +### Workflow Status +**Navigate to: Actions tab** + +Monitor: +- โœ… Successful runs +- โŒ Failed runs +- ๐Ÿ“ฆ Workflow artifacts +- โฑ๏ธ Run duration + +### Issue Management +**Navigate to: Issues tab** + +Use labels to filter: +- `bug` - Bug reports +- `enhancement` - Feature requests +- `security` - Security issues +- `documentation` - Docs/questions +- `needs-triage` - Needs review + +--- + +## ๐Ÿ”ง Workflow Customization + +### Adjust Scan Schedules + +Edit workflow files to change scanning frequency: + +```yaml +# Example: Change CodeQL to run daily instead of weekly +schedule: + - cron: '0 6 * * *' # Daily at 6 AM UTC +``` + +### Adjust Security Thresholds + +```yaml +# In dependency-review.yml +fail-on-severity: high # Change from 'moderate' + +# In dotnet-security-scan.yml +# Add --severity critical flag for stricter checks +``` + +### Enable Container Scanning + +When you add a Dockerfile: + +1. Edit `container-security-scan.yml` +2. Change `if: false` to `if: true` +3. Update Docker build command if needed + +--- + +## ๐Ÿ“– Documentation + +| Document | Purpose | +|----------|---------| +| [SECURITY_WORKFLOWS.md](.github/SECURITY_WORKFLOWS.md) | Complete workflow documentation | +| [WORKFLOWS_SUMMARY.md](.github/WORKFLOWS_SUMMARY.md) | Quick reference guide | +| This file | Setup completion checklist | + +--- + +## ๐Ÿ› Troubleshooting + +### Common Issues + +**CodeQL fails to build** +- Check .NET SDK versions in workflow match project requirements +- Verify solution builds locally: `dotnet build` + +**Dependency Review blocking PRs** +- Run locally: `dotnet list package --vulnerable` +- Update vulnerable packages before merging +- Or adjust `fail-on-severity` threshold + +**Secret scanning false positives** +- Mark as false positive in Security tab +- Or add to `.github/secret_scanning.yml` exclusions + +**Dependabot PRs not appearing** +- Ensure dependency graph is enabled +- Check `dependabot.yml` syntax +- Wait 24 hours after initial setup + +**Issue templates not showing** +- Ensure `.github/ISSUE_TEMPLATE/` directory exists +- Check YAML syntax in template files +- Clear browser cache and refresh + +--- + +## ๐Ÿ”’ Security Best Practices + +### For Contributors +1. โœ… Run `dotnet list package --vulnerable` before PRs +2. โœ… Fix security warnings before requesting review +3. โœ… Use semantic commit messages +4. โœ… Keep PRs focused and < 1000 lines +5. โœ… Never commit secrets or credentials + +### For Maintainers +1. โœ… Review security alerts weekly +2. โœ… Merge Dependabot PRs promptly +3. โœ… Investigate failed security scans +4. โœ… Keep SBOM up to date +5. โœ… Audit permissions quarterly + +--- + +## ๐Ÿ“ž Support & Resources + +### GitHub Advanced Security +- [GHAS Documentation](https://docs.github.com/en/code-security) +- [CodeQL for C#](https://codeql.github.com/docs/codeql-language-guides/codeql-for-csharp/) +- [Secret Scanning](https://docs.github.com/en/code-security/secret-scanning) + +### Keyfactor Resources +- [Support Portal](https://support.keyfactor.com) +- [Repository Discussions](https://github.com/Keyfactor/k8s-orchestrator/discussions) +- [Main Documentation](https://github.com/Keyfactor/k8s-orchestrator/blob/main/README.md) + +### Issue Templates +- [Issue Forms Syntax](https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-issue-forms) +- [Labeler Configuration](https://github.com/actions/labeler) + +--- + +## โœจ Summary + +You now have a **production-ready GitHub Advanced Security setup** with: + +โœ… **10 automated security workflows** +โœ… **4 comprehensive issue templates** +โœ… **Automatic dependency updates** +โœ… **PR quality gates** +โœ… **SBOM generation** +โœ… **License compliance tracking** +โœ… **Secret scanning** + +**All workflows follow enterprise security best practices and are optimized for .NET/C# projects.** + +--- + +## ๐ŸŽ‰ You're All Set! + +The Kubernetes Orchestrator Extension repository now has comprehensive security and quality automation. + +**Next:** Enable GHAS features in repository settings and monitor the Security tab! + +--- + +*Last Updated: 2026-02-18* +*Setup created by: Claude Code* diff --git a/.github/WORKFLOWS_SUMMARY.md b/.github/WORKFLOWS_SUMMARY.md new file mode 100644 index 00000000..e1e118af --- /dev/null +++ b/.github/WORKFLOWS_SUMMARY.md @@ -0,0 +1,204 @@ +# GitHub Workflows Summary + +This repository now has comprehensive security and code quality workflows configured for GitHub Advanced Security Enterprise. + +## ๐Ÿ“‹ Quick Overview + +โœ… **10 security and quality workflows** configured +โœ… **GitHub Advanced Security** features integrated +โœ… **Automated PR quality gates** enabled +โœ… **Supply chain security** (SBOM generation) enabled +โœ… **License compliance** tracking enabled + +--- + +## ๐Ÿš€ Workflows Created + +### Core Security Workflows (GitHub Advanced Security) + +1. **`codeql-analysis.yml`** - CodeQL security vulnerability scanning + - Runs on: push, PR, weekly (Monday 6am UTC) + - Detects: Security vulnerabilities in C# code + - Queries: security-extended, security-and-quality + +2. **`dependency-review.yml`** - Automated dependency scanning on PRs + - Runs on: all PRs + - Blocks: PRs with moderate+ severity vulnerabilities + - Checks: CVEs, licenses + +3. **`dependency-submission.yml`** - Keep dependency graph updated + - Runs on: push to main + - Updates: GitHub dependency graph for Dependabot + +### Additional Security Workflows + +4. **`dotnet-security-scan.yml`** - .NET-specific vulnerability scanning + - Runs on: push, PR, weekly (Tuesday 8am UTC) + - Tools: `dotnet list package --vulnerable`, dotnet-outdated + - Fails: on critical vulnerabilities + +5. **`secret-scanning.yml`** - Detect exposed secrets + - Runs on: all pushes and PRs + - Tools: TruffleHog OSS + - Scans: Full git history + +6. **`license-compliance.yml`** - Track and validate licenses + - Runs on: push, PR, monthly (1st at 9am UTC) + - Generates: License reports (JSON, Markdown) + - Warns: GPL, AGPL licenses + +### Code Quality Workflows + +7. **`code-quality.yml`** - Code quality and formatting checks + - Runs on: push, PR + - Checks: Code formatting, analyzers, metrics + - Tools: `dotnet format`, `dotnet-code-metrics` + +8. **`pr-quality-gate.yml`** - Comprehensive PR validation + - Runs on: all PRs + - Validates: Build, tests, coverage, PR title, size + - Auto-labels: PRs based on changed files + - Enforces: Conventional Commits format + +### Supply Chain Security + +9. **`sbom-generation.yml`** - Software Bill of Materials + - Runs on: main push, releases, tags + - Format: CycloneDX (JSON, XML) + - Attaches: SBOM to GitHub releases + +10. **`container-security-scan.yml`** - Container image scanning + - Status: Disabled (enable when Dockerfile added) + - Tools: Trivy, Grype/Anchore + - Scans: Container vulnerabilities + +--- + +## โš™๏ธ Configuration Files + +| File | Purpose | +|------|---------| +| `labeler.yml` | Auto-label PRs based on file changes | +| `dependabot.yml` | Dependabot configuration (already existed) | +| `SECURITY_WORKFLOWS.md` | Detailed workflow documentation | + +--- + +## ๐Ÿ” Required Repository Settings + +Ensure these GitHub Advanced Security features are enabled: + +### Security & Analysis Settings +- [x] Dependency graph +- [x] Dependabot alerts +- [x] Dependabot security updates +- [x] Secret scanning +- [x] Secret scanning push protection +- [x] Code scanning (CodeQL) + +### Required Secrets +The following secrets are already configured: + +| Secret | Required By | Status | +|--------|-------------|--------| +| `V2BUILDTOKEN` | Keyfactor Workflow | โœ… Already configured | +| `SAST_TOKEN` | Keyfactor Workflow | โœ… Already configured | + +**Note**: No additional secrets are needed for security and quality workflows. + +--- + +## ๐Ÿ“… Scheduled Scans + +| Workflow | Frequency | Day | Time (UTC) | +|----------|-----------|-----|------------| +| CodeQL Analysis | Weekly | Monday | 6:00 AM | +| .NET Security Scan | Weekly | Tuesday | 8:00 AM | +| License Compliance | Monthly | 1st | 9:00 AM | + +--- + +## ๐ŸŽฏ Next Steps + +1. **Enable GitHub Advanced Security features** (see above) +2. **Review and merge** this PR to activate all workflows +3. **Monitor Security tab** for initial scan results (24-48 hours) +4. **Review Dependabot PRs** as they arrive +5. **Enable container scanning** when Dockerfile is added (set `if: true` in workflow) +6. **Enable container scanning** when Dockerfile is added (set `if: true` in workflow) + +--- + +## ๐Ÿงช Testing Workflows + +Test individual workflows using manual triggers: + +```bash +# Navigate to Actions tab โ†’ Select workflow โ†’ Run workflow +``` + +Or use GitHub CLI: + +```bash +gh workflow run codeql-analysis.yml +gh workflow run dotnet-security-scan.yml +gh workflow run pr-quality-gate.yml +``` + +--- + +## ๐Ÿ“Š Monitoring + +### Security Dashboard +- Navigate to **Security** tab for: + - CodeQL alerts + - Secret scanning alerts + - Dependabot alerts + - Security advisories + +### Workflow Status +- Navigate to **Actions** tab for: + - Workflow run history + - Failure notifications + - Artifact downloads + +--- + +## ๐Ÿ“– Documentation + +For detailed information about each workflow, see: +- [SECURITY_WORKFLOWS.md](.github/SECURITY_WORKFLOWS.md) - Complete workflow documentation +- [GitHub Advanced Security Docs](https://docs.github.com/en/code-security) + +--- + +## ๐Ÿค Contributing + +When creating PRs: +1. Follow Conventional Commits format: `type: description` +2. Keep PRs under 1000 lines changed +3. Ensure all quality checks pass +4. Review security scan results + +--- + +## ๐Ÿ”„ Workflow Maintenance + +### Monthly +- Review license compliance reports +- Update vulnerable dependencies +- Check for workflow updates + +### Quarterly +- Review and update CodeQL queries +- Audit security scan configurations +- Update workflow actions to latest versions + +### Annually +- Review all security policies +- Audit secret scanning exclusions +- Update SBOM generation process + +--- + +Last Updated: 2026-02-18 diff --git a/.github/dependabot.yml b/.github/dependabot.yml index fa3ed220..a33b064d 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -2,11 +2,61 @@ # https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates version: 2 updates: + # GitHub Actions dependencies - package-ecosystem: "github-actions" directory: "/" schedule: interval: "daily" + labels: + - "dependencies" + - "ci/cd" + commit-message: + prefix: "chore(deps)" + prefix-development: "chore(deps-dev)" + + # Go module dependencies (if used) - package-ecosystem: "gomod" directory: "/" schedule: - interval: "daily" \ No newline at end of file + interval: "daily" + labels: + - "dependencies" + commit-message: + prefix: "chore(deps)" + + # .NET NuGet dependencies - Main project + - package-ecosystem: "nuget" + directory: "/kubernetes-orchestrator-extension" + schedule: + interval: "daily" + open-pull-requests-limit: 10 + labels: + - "dependencies" + - "dotnet" + commit-message: + prefix: "chore(deps)" + prefix-development: "chore(deps-dev)" + groups: + keyfactor-packages: + patterns: + - "Keyfactor.*" + update-types: + - "minor" + - "patch" + security-updates: + patterns: + - "*" + update-types: + - "patch" + + # .NET NuGet dependencies - Test project + - package-ecosystem: "nuget" + directory: "/TestConsole" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + labels: + - "dependencies" + - "tests" + commit-message: + prefix: "chore(deps)" \ No newline at end of file diff --git a/.github/kind-config.yaml b/.github/kind-config.yaml new file mode 100644 index 00000000..f76d19f3 --- /dev/null +++ b/.github/kind-config.yaml @@ -0,0 +1,4 @@ +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +nodes: +- role: control-plane diff --git a/.github/labeler.yml b/.github/labeler.yml new file mode 100644 index 00000000..4abb5302 --- /dev/null +++ b/.github/labeler.yml @@ -0,0 +1,37 @@ +# Automatically label PRs based on changed files +# Used by the PR Quality Gate workflow + +'documentation': + - changed-files: + - any-glob-to-any-file: ['*.md', 'docs/**/*', 'docsource/**/*'] + +'dependencies': + - changed-files: + - any-glob-to-any-file: ['**/packages.lock.json', '**/*.csproj', '**/Directory.Build.props'] + +'ci/cd': + - changed-files: + - any-glob-to-any-file: ['.github/**/*', 'Makefile', '*.yml', '*.yaml'] + +'security': + - changed-files: + - any-glob-to-any-file: ['**/security/**/*', '**/auth/**/*'] + +'tests': + - changed-files: + - any-glob-to-any-file: ['TestConsole/**/*', '**/*Test*.cs', '**/*Tests/**/*'] + +'bug-fix': + - head-branch: ['^fix/', '^bugfix/', '^hotfix/'] + +'feature': + - head-branch: ['^feature/', '^feat/'] + +'breaking-change': + - body-contains: ['BREAKING CHANGE', 'breaking change', 'breaking-change'] + +'needs-review': + - changed-files: + - any-glob-to-any-file: + - 'kubernetes-orchestrator-extension/Jobs/**/*' + - 'kubernetes-orchestrator-extension/Clients/**/*' diff --git a/.github/workflows/README.md b/.github/workflows/README.md new file mode 100644 index 00000000..838edc65 --- /dev/null +++ b/.github/workflows/README.md @@ -0,0 +1,415 @@ +# GitHub Actions Workflows + +This directory contains CI/CD workflows for the Keyfactor Kubernetes Universal Orchestrator Extension. + +## Workflows Overview + +### ๐Ÿงช Testing Workflows + +#### `unit-tests.yml` - Unit Test Suite +**Trigger:** Pull requests, pushes to main, manual dispatch +**Duration:** ~5 minutes +**Purpose:** Comprehensive unit testing across .NET versions + +**What it does:** +- Runs all 134 unit tests +- Tests on .NET 8.0 and 10.0 (matrix) +- Collects code coverage +- Uploads coverage to Codecov (if configured) +- Generates HTML coverage report +- Publishes test results to PR + +**Artifacts:** +- `unit-test-results-8.0.x` - Test results for .NET 8.0 +- `unit-test-results-10.0.x` - Test results for .NET 10.0 +- `coverage-report-net8` - HTML coverage report (.NET 8.0 only) + +**Required secrets:** +- `CODECOV_TOKEN` (optional) - For uploading coverage to Codecov + +**Manual trigger:** +```bash +gh workflow run unit-tests.yml +``` + +--- + +#### `integration-tests.yml` - Integration Test Suite +**Trigger:** Pull requests, pushes to main, manual dispatch +**Duration:** ~10 minutes +**Purpose:** End-to-end testing against real Kubernetes cluster + +**What it does:** +- Creates kind (Kubernetes in Docker) cluster with K8s v1.29 +- Runs all 55 integration tests +- Tests all 7 store types against live cluster +- Collects diagnostic info on failure +- Cleans up test resources +- Publishes test results to PR + +**Artifacts:** +- `integration-test-results-k8s-v1.29.0` - Test results +- `kind-logs-k8s-v1.29.0` - Cluster logs (on failure only) + +**Manual trigger with custom K8s version:** +```bash +gh workflow run integration-tests.yml -f kubernetes-version=v1.28.0 +``` + +**Available K8s versions:** +- `v1.29.0` (default) +- `v1.28.0` +- `v1.27.0` + +--- + +### ๐Ÿ” Quality & Security Workflows + +#### `pr-quality-gate.yml` - PR Quality Gate +**Trigger:** Pull requests to main/release branches +**Duration:** ~3 minutes +**Purpose:** Fast quality checks for PRs + +**What it does:** +- Builds solution (Release configuration) +- Runs quick unit tests (excludes integration tests) +- Checks PR size (warns if >1000 lines changed) +- Validates PR title (conventional commits) +- Checks for breaking changes in commits +- Verifies required files exist +- Warns about prohibited keywords (TODO, FIXME, etc.) +- Auto-labels PR based on files changed + +**Note:** This provides fast feedback. Comprehensive tests run in `unit-tests.yml` and `integration-tests.yml`. + +--- + +#### `code-quality.yml` - Code Quality Analysis +**Trigger:** Pull requests, scheduled +**Purpose:** Static code analysis and linting + +--- + +#### `codeql-analysis.yml` - CodeQL Security Scanning +**Trigger:** Pull requests, scheduled, push to main +**Purpose:** Automated security vulnerability detection + +--- + +#### `container-security-scan.yml` - Container Security +**Trigger:** Pull requests affecting Dockerfiles, scheduled +**Purpose:** Docker image security scanning + +--- + +#### `dotnet-security-scan.yml` - .NET Security Analysis +**Trigger:** Pull requests, scheduled +**Purpose:** .NET-specific security vulnerability scanning + +--- + +#### `dependency-review.yml` - Dependency Review +**Trigger:** Pull requests +**Purpose:** Reviews dependency changes for known vulnerabilities + +--- + +#### `dependency-submission.yml` - Dependency Graph +**Trigger:** Push to main +**Purpose:** Submits dependency graph to GitHub + +--- + +#### `license-compliance.yml` - License Compliance Check +**Trigger:** Pull requests, scheduled +**Purpose:** Ensures all dependencies have compatible licenses + +--- + +#### `sbom-generation.yml` - Software Bill of Materials +**Trigger:** Releases, manual +**Purpose:** Generates SBOM (Software Bill of Materials) + +--- + +#### `secret-scanning.yml` - Secret Scanning +**Trigger:** Push, pull requests +**Purpose:** Prevents committing secrets/credentials + +--- + +## Workflow Dependencies + +``` +โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” +โ”‚ Pull Request โ”‚ +โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ + โ”‚ + โ”œโ”€โ”€โ–บ pr-quality-gate.yml (fast feedback) + โ”‚ โ””โ”€โ”€โ–บ Build + Quick Tests (~3 min) + โ”‚ + โ”œโ”€โ”€โ–บ unit-tests.yml (comprehensive) + โ”‚ โ”œโ”€โ”€โ–บ .NET 8.0 Tests + Coverage (~5 min) + โ”‚ โ””โ”€โ”€โ–บ .NET 10.0 Tests (~5 min) + โ”‚ + โ”œโ”€โ”€โ–บ integration-tests.yml (e2e) + โ”‚ โ””โ”€โ”€โ–บ K8s v1.29 Tests (~10 min) + โ”‚ + โ”œโ”€โ”€โ–บ code-quality.yml + โ”œโ”€โ”€โ–บ codeql-analysis.yml + โ”œโ”€โ”€โ–บ dotnet-security-scan.yml + โ”œโ”€โ”€โ–บ dependency-review.yml + โ”œโ”€โ”€โ–บ license-compliance.yml + โ””โ”€โ”€โ–บ secret-scanning.yml +``` + +## Test Workflow Details + +### Unit Tests Matrix + +| .NET Version | Tests Run | Coverage | Artifacts | +|--------------|-----------|----------|-----------| +| 8.0.x | 134 unit tests | โœ… Yes | Results + Coverage | +| 10.0.x | 134 unit tests | โŒ No | Results only | + +**Why matrix?** +- Ensures compatibility with both target frameworks +- Catches framework-specific issues early +- Coverage collected once (.NET 8.0) to avoid duplication + +### Integration Tests Setup + +**Kubernetes Cluster:** +- **Provider:** kind (Kubernetes in Docker) +- **Version:** v1.29.0 (configurable via workflow_dispatch) +- **Configuration:** Single control-plane node +- **Context:** Renamed to `kf-integrations` for test compatibility + +**Test Namespaces Created:** +``` +keyfactor-k8sjks-integration-tests +keyfactor-k8spkcs12-integration-tests +keyfactor-k8scert-integration-tests +keyfactor-k8ssecret-integration-tests +keyfactor-k8stlssecr-integration-tests +keyfactor-k8scluster-test-ns1 +keyfactor-k8scluster-test-ns2 +keyfactor-k8sns-integration-tests +``` + +**Cleanup:** +- Automatic cleanup after tests complete +- Cleans up even if tests fail +- Exports logs on failure for debugging + +## Understanding Test Results + +### Where to Find Results + +**In GitHub UI:** +1. Go to PR/commit โ†’ "Checks" tab +2. Click on workflow name +3. View test results inline + +**As Artifacts:** +1. Go to workflow run +2. Scroll to "Artifacts" section +3. Download test results or coverage reports + +### Test Result Formats + +**Unit Tests:** +- `.trx` files - Test results (TRX format) +- `coverage.opencover.xml` - Code coverage (OpenCover format) +- HTML report - Human-readable coverage report + +**Integration Tests:** +- `.trx` files - Test results (TRX format) +- Kind logs - Cluster logs (on failure) + +### Reading Test Summaries + +Test results are automatically added to PR as comments: + +```markdown +## Unit Test Results (.NET 8.0) +โœ… 134 tests passed +โŒ 0 tests failed +โญ๏ธ 0 tests skipped + +## Integration Test Results +โœ… 55 tests passed +โŒ 0 tests failed +โญ๏ธ 0 tests skipped +``` + +### Coverage Report + +Coverage reports show: +- **Line coverage** - % of lines executed +- **Branch coverage** - % of conditional branches taken +- **Method coverage** - % of methods called + +**Target metrics:** +- Line coverage: >80% (good), >90% (excellent) +- Branch coverage: >70% (good), >85% (excellent) + +## Troubleshooting Workflow Failures + +### Unit Test Failures + +**Check:** +1. Review test output in workflow logs +2. Download `unit-test-results` artifact +3. Open `.trx` file in Visual Studio or rider +4. Check if failure is .NET version specific + +**Common causes:** +- Framework-specific API differences +- Nullable reference warnings treated as errors +- Missing dependencies + +### Integration Test Failures + +**Check:** +1. Review test output in workflow logs +2. Download `integration-test-results` artifact +3. If available, download `kind-logs` artifact +4. Review namespace diagnostic info in logs + +**Common causes:** +- Cluster not ready (timeout issues) +- Resource limits (kind cluster too small) +- Test namespace conflicts +- Kubeconfig context issues + +### Workflow Syntax Errors + +**Check:** +```bash +# Validate workflow syntax locally +gh workflow view unit-tests.yml + +# Check workflow runs +gh run list --workflow=unit-tests.yml + +# View logs +gh run view --log +``` + +## Local Testing + +### Test Workflows Locally + +Use [act](https://github.com/nektos/act) to run workflows locally: + +```bash +# Install act (macOS) +brew install act + +# Run unit tests workflow +act pull_request --workflows .github/workflows/unit-tests.yml + +# Run integration tests (requires Docker) +act pull_request --workflows .github/workflows/integration-tests.yml + +# Run specific job +act -j test --workflows .github/workflows/unit-tests.yml +``` + +**Note:** Integration tests work best in actual CI due to kind cluster requirements. + +## Maintenance + +### Updating Workflow Versions + +Dependencies to keep updated: +- `actions/checkout` - Currently v4 +- `actions/setup-dotnet` - Currently v4 +- `actions/upload-artifact` - Currently v4 +- `EnricoMi/publish-unit-test-result-action` - Currently v2 +- `helm/kind-action` - Currently using kind v0.20.0 +- `codecov/codecov-action` - Currently v4 + +### Adding New Workflows + +When adding new workflows: +1. Follow existing naming convention: `kebab-case.yml` +2. Add comprehensive comments +3. Include `workflow_dispatch` for manual testing +4. Set appropriate `timeout-minutes` +5. Add to this README +6. Test locally with `act` if possible + +### Modifying Test Workflows + +When modifying test workflows: +1. Test changes on a branch first +2. Verify both success and failure paths work +3. Check artifact uploads work correctly +4. Update this README if behavior changes +5. Consider backward compatibility + +## Performance Optimization + +### Workflow Speed Tips + +**Unit Tests:** +- โœ… Cache restored packages (coming soon) +- โœ… Run .NET versions in parallel (matrix) +- โœ… Skip coverage on non-primary version +- โš ๏ธ Consider: Splitting into separate jobs by store type + +**Integration Tests:** +- โœ… Use kind (faster than minikube/k3s) +- โœ… Single control-plane node (faster startup) +- โœ… Proper cleanup (prevents resource buildup) +- โš ๏ธ Consider: Reuse cluster across test suites + +### Cost Optimization + +**Free tier limits (GitHub Actions):** +- Public repos: Unlimited minutes +- Private repos: 2000 minutes/month + +**Current usage per PR:** +- PR Quality Gate: ~3 minutes +- Unit Tests (matrix): ~10 minutes total (2x 5 min) +- Integration Tests: ~10 minutes +- **Total: ~23 minutes per PR** + +## Best Practices + +### โœ… Do's + +- โœ… Run tests locally before pushing +- โœ… Keep workflows focused (single responsibility) +- โœ… Use matrices for version testing +- โœ… Upload artifacts for debugging +- โœ… Add timeouts to prevent hanging jobs +- โœ… Clean up resources after tests +- โœ… Use meaningful job/step names +- โœ… Add workflow dispatch for manual testing + +### โŒ Don'ts + +- โŒ Don't skip test failures in workflows +- โŒ Don't commit secrets (use GitHub Secrets) +- โŒ Don't run integration tests unnecessarily +- โŒ Don't ignore workflow warnings +- โŒ Don't make workflows too complex +- โŒ Don't forget to add `continue-on-error` where appropriate +- โŒ Don't leave hanging resources + +## Additional Resources + +- **Testing Guide:** See `TESTING.md` +- **Test Implementation:** See `UNIT_TEST_COMPLETION_SUMMARY.md` +- **Development Guide:** See `Development.md` +- **GitHub Actions Docs:** https://docs.github.com/en/actions + +--- + +**Questions about workflows?** + +Create an issue at: https://github.com/Keyfactor/k8s-orchestrator/issues diff --git a/.github/workflows/autochangelog.yml b/.github/workflows/autochangelog.yml deleted file mode 100644 index 8c944892..00000000 --- a/.github/workflows/autochangelog.yml +++ /dev/null @@ -1,48 +0,0 @@ -#name: Auto Changelog -#on: -# push: -# branches: -# - main -# - release* -# - pan_feedback -##name: autochangelog -## -##on: -## repository_dispatch: -## types: [autochangelog] -# -#jobs: -# push: -# name: Push Container -# runs-on: ubuntu-latest -# steps: -# - name: Checkout Code -# uses: actions/checkout@v2 -# with: -# fetch-depth: '0' -# - run: git fetch --depth=1 origin +refs/tags/*:refs/tags/* -# - name: autochangelog-action -# id: ac -# uses: rubenfiszel/autochangelog-action@v0.16.0 -# with: -# changelog_file: './CHANGELOG.md' -# manifest_file: './manifest.yaml' -# dry_run: false -# issues_url_prefix: 'https://github.com/org/repo/issues/' -# tag_prefix: 'v' -# - name: Create Pull Request -# id: cpr -# uses: peter-evans/create-pull-request@v2 -# with: -# token: ${{ secrets.GITHUB_TOKEN }} -# commit-message: 'Update changelog and manifest' -# title: 'ci: release ${{ steps.ac.outputs.version }}' -# body: | -# Release [${{ steps.ac.outputs.version }}](https://github.com/org/repo/releases/tag/v${{ steps.ac.outputs.version }}) -# labels: autorelease -# branch: automatic-release-prs -# reviewers: your-reviewers-list -# - name: Check outputs -# run: | -# echo "Pull Request Number - ${{ env.PULL_REQUEST_NUMBER }}" -# echo "Pull Request Number - ${{ steps.cpr.outputs.pr_number }}" \ No newline at end of file diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml new file mode 100644 index 00000000..354735f7 --- /dev/null +++ b/.github/workflows/code-quality.yml @@ -0,0 +1,61 @@ +name: "Code Quality Analysis" + +on: + push: + branches: [ "main", "release-*" ] + pull_request: + branches: [ "main", "release-*" ] + workflow_dispatch: + +permissions: + contents: read + pull-requests: write + checks: write + packages: read + +jobs: + code-quality: + name: Code Quality Checks + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 # Shallow clones should be disabled for better analysis + + - name: Setup .NET + uses: actions/setup-dotnet@v4 + with: + dotnet-version: | + 8.0.x + 10.0.x + + - name: Authenticate NuGet with GitHub Packages + run: dotnet nuget add source https://nuget.pkg.github.com/Keyfactor/index.json --name keyfactor-github --username ${{ github.actor }} --password ${{ secrets.V2BUILDTOKEN }} --store-password-in-clear-text + + - name: Restore dependencies + run: dotnet restore + + - name: Build solution + run: dotnet build --configuration Release --no-restore + + # Run .NET Format to check code style + - name: Check code formatting + run: | + dotnet format --verify-no-changes --verbosity diagnostic + continue-on-error: true + + # Run .NET Code Analysis + - name: Run code analysis + run: | + dotnet build --configuration Release /p:EnableNETAnalyzers=true /p:AnalysisLevel=latest /p:TreatWarningsAsErrors=false + continue-on-error: true + + # Add summary + - name: Add quality summary + if: always() + run: | + echo "## Code Quality Summary" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "- Code formatting check completed" >> $GITHUB_STEP_SUMMARY + echo "- Code analysis completed" >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 00000000..94a7149a --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,35 @@ +name: "Dependency Review" + +on: + pull_request: + branches: [ "main", "release-*" ] + +permissions: + contents: read + pull-requests: write + +jobs: + dependency-review: + name: Review Dependencies + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Dependency Review + uses: actions/dependency-review-action@v4 + with: + # Fail the action if vulnerabilities are found + fail-on-severity: moderate + # Deny licenses (add any licenses you want to block) + # deny-licenses: GPL-3.0, AGPL-3.0 + # Allow licenses (optional - specify approved licenses) + # allow-licenses: MIT, Apache-2.0, BSD-3-Clause + # Additional configuration + comment-summary-in-pr: always + # Vulnerability check enabled + vulnerability-check: true + # License check enabled + license-check: true + # Configuration file (optional) + # config-file: '.github/dependency-review-config.yml' diff --git a/.github/workflows/dependency-submission.yml b/.github/workflows/dependency-submission.yml new file mode 100644 index 00000000..26b60b82 --- /dev/null +++ b/.github/workflows/dependency-submission.yml @@ -0,0 +1,33 @@ +name: "Dependency Submission" + +on: + push: + branches: [ "main" ] + workflow_dispatch: + +permissions: + contents: write + packages: read + +jobs: + dependency-submission: + name: Submit Dependencies to GitHub + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Setup .NET + uses: actions/setup-dotnet@v4 + with: + dotnet-version: | + 8.0.x + + - name: Authenticate NuGet with GitHub Packages + run: dotnet nuget add source https://nuget.pkg.github.com/Keyfactor/index.json --name keyfactor-github --username ${{ github.actor }} --password ${{ secrets.V2BUILDTOKEN }} --store-password-in-clear-text + + - name: Submit NuGet Dependencies + uses: darenm/nuget-dependency-submission@v1 + with: + solution: Keyfactor.Orchestrators.K8S.sln + github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/dotnet-security-scan.yml b/.github/workflows/dotnet-security-scan.yml new file mode 100644 index 00000000..14ce3eda --- /dev/null +++ b/.github/workflows/dotnet-security-scan.yml @@ -0,0 +1,70 @@ +name: ".NET Security Scan" + +on: + push: + branches: [ "main", "release-*" ] + pull_request: + branches: [ "main", "release-*" ] + schedule: + # Run weekly security scan + - cron: '0 8 * * 2' + workflow_dispatch: + +permissions: + contents: read + security-events: write + actions: read + packages: read + +jobs: + security-scan: + name: Security Vulnerability Scan + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Setup .NET + uses: actions/setup-dotnet@v4 + with: + dotnet-version: | + 8.0.x + 10.0.x + + - name: Authenticate NuGet with GitHub Packages + run: dotnet nuget add source https://nuget.pkg.github.com/Keyfactor/index.json --name keyfactor-github --username ${{ github.actor }} --password ${{ secrets.V2BUILDTOKEN }} --store-password-in-clear-text + + - name: Restore dependencies + run: dotnet restore + + # Run .NET Security Scan for known vulnerabilities in NuGet packages + - name: Run dotnet list package --vulnerable + run: | + dotnet list package --vulnerable --include-transitive 2>&1 | tee vulnerable-packages.txt + continue-on-error: true + + - name: Check for vulnerable packages + run: | + if grep -q "has the following vulnerable packages" vulnerable-packages.txt; then + echo "::error::Vulnerable packages detected!" + cat vulnerable-packages.txt + exit 1 + else + echo "No vulnerable packages detected." + fi + + # Run .NET Outdated Packages Check + - name: Install dotnet-outdated tool + run: dotnet tool install --global dotnet-outdated-tool + + - name: Check for outdated packages + run: dotnet outdated --upgrade --include-auto-references + continue-on-error: true + + # Upload results + - name: Upload scan results + uses: actions/upload-artifact@v4 + if: always() + with: + name: security-scan-results + path: vulnerable-packages.txt diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml new file mode 100644 index 00000000..050ce604 --- /dev/null +++ b/.github/workflows/integration-tests.yml @@ -0,0 +1,219 @@ +name: Integration Tests + +on: + pull_request: + branches: [ main, release-* ] + paths: + - '**.cs' + - '**.csproj' + - '.github/workflows/integration-tests.yml' + push: + branches: [ main ] + paths: + - '**.cs' + - '**.csproj' + - '.github/workflows/integration-tests.yml' + workflow_dispatch: + inputs: + kubernetes-version: + description: 'Kubernetes version to test against' + required: false + default: 'v1.29.0' + type: choice + options: + - 'v1.29.0' + - 'v1.28.0' + - 'v1.27.0' + +permissions: + contents: read + checks: write + pull-requests: write + packages: read + +env: + KUBERNETES_VERSION: ${{ inputs.kubernetes-version || 'v1.29.0' }} + KIND_CLUSTER_NAME: kf-integrations + +jobs: + integration-test: + name: Integration Tests (K8s ${{ inputs.kubernetes-version || 'v1.29.0' }}) + runs-on: ubuntu-latest + timeout-minutes: 30 + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Setup .NET 8.0 + uses: actions/setup-dotnet@v4 + with: + dotnet-version: '8.0.x' + + - name: Display .NET version + run: dotnet --version + + - name: Setup kind + uses: helm/kind-action@v1 + with: + version: v0.20.0 + cluster_name: ${{ env.KIND_CLUSTER_NAME }} + node_image: kindest/node:${{ env.KUBERNETES_VERSION }} + wait: 5m + config: .github/kind-config.yaml + + - name: Verify cluster is ready + run: | + kubectl cluster-info --context kind-${{ env.KIND_CLUSTER_NAME }} + kubectl get nodes + kubectl get pods --all-namespaces + + - name: Configure kubeconfig context + run: | + # Rename context to match what tests expect + kubectl config rename-context kind-${{ env.KIND_CLUSTER_NAME }} kf-integrations || true + kubectl config use-context kf-integrations + + # Verify context + kubectl config current-context + kubectl config get-contexts + + - name: Verify cluster permissions + run: | + echo "Checking cluster permissions..." + kubectl auth can-i create namespaces + kubectl auth can-i create secrets --all-namespaces + kubectl auth can-i delete namespaces + kubectl auth can-i delete secrets --all-namespaces + + - name: Authenticate NuGet with GitHub Packages + run: dotnet nuget add source https://nuget.pkg.github.com/Keyfactor/index.json --name keyfactor-github --username ${{ github.actor }} --password ${{ secrets.V2BUILDTOKEN }} --store-password-in-clear-text + + - name: Restore dependencies + run: dotnet restore + + - name: Build solution + run: dotnet build --configuration Release --no-restore + + - name: Run integration tests + env: + RUN_INTEGRATION_TESTS: 'true' + run: | + dotnet test \ + --configuration Release \ + --no-build \ + --framework net8.0 \ + --verbosity normal \ + --filter "FullyQualifiedName~Integration" \ + --logger "trx;LogFileName=integration-test-results.trx" \ + --results-directory ./IntegrationTestResults + + - name: Publish test results + uses: EnricoMi/publish-unit-test-result-action@v2 + if: always() + with: + files: | + IntegrationTestResults/**/*.trx + check_name: Integration Test Results + comment_title: Integration Test Results (K8s ${{ env.KUBERNETES_VERSION }}) + + - name: Upload test results as artifact + uses: actions/upload-artifact@v4 + if: always() + with: + name: integration-test-results-k8s-${{ env.KUBERNETES_VERSION }} + path: ./IntegrationTestResults/ + retention-days: 30 + + - name: Collect test namespace info on failure + if: failure() + run: | + echo "Collecting diagnostic information..." + + # List all test namespaces + echo "Test namespaces:" + kubectl get namespaces -l managed-by=keyfactor-k8s-orchestrator-tests + + # Get details of test namespaces + for ns in $(kubectl get namespaces -l managed-by=keyfactor-k8s-orchestrator-tests -o name); do + echo "=== Details for $ns ===" + kubectl describe $ns + kubectl get secrets -n ${ns##*/} 2>/dev/null || echo "No secrets found" + kubectl get events -n ${ns##*/} --sort-by='.lastTimestamp' 2>/dev/null || echo "No events found" + done + + - name: Cleanup test resources + if: always() + run: | + echo "Cleaning up test resources..." + kubectl delete namespaces -l managed-by=keyfactor-k8s-orchestrator-tests --timeout=60s || true + + # Verify cleanup + remaining=$(kubectl get namespaces -l managed-by=keyfactor-k8s-orchestrator-tests --no-headers 2>/dev/null | wc -l) + if [ "$remaining" -gt 0 ]; then + echo "::warning::$remaining test namespace(s) still exist after cleanup" + else + echo "All test namespaces cleaned up successfully" + fi + + - name: Export kind logs on failure + if: failure() + run: | + mkdir -p ./kind-logs + kind export logs ./kind-logs --name ${{ env.KIND_CLUSTER_NAME }} + + - name: Upload kind logs + uses: actions/upload-artifact@v4 + if: failure() + with: + name: kind-logs-k8s-${{ env.KUBERNETES_VERSION }} + path: ./kind-logs/ + retention-days: 7 + + integration-test-summary: + name: Integration Test Summary + runs-on: ubuntu-latest + needs: integration-test + if: always() + steps: + - name: Check test results + run: | + if [ "${{ needs.integration-test.result }}" == "failure" ]; then + echo "::error::Integration tests failed. Please review the test results and logs." + exit 1 + elif [ "${{ needs.integration-test.result }}" == "cancelled" ]; then + echo "::warning::Integration tests were cancelled." + exit 1 + else + echo "::notice::All integration tests passed successfully!" + fi + + - name: Add summary + if: always() + run: | + echo "## Integration Test Summary" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "**Kubernetes Version:** ${{ env.KUBERNETES_VERSION }}" >> $GITHUB_STEP_SUMMARY + echo "**Status:** ${{ needs.integration-test.result }}" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + + if [ "${{ needs.integration-test.result }}" == "success" ]; then + echo "โœ… All integration tests passed" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "### Store Types Tested (86 total test cases)" >> $GITHUB_STEP_SUMMARY + echo "- K8SJKS (Java Keystores)" >> $GITHUB_STEP_SUMMARY + echo "- K8SPKCS12 (PKCS12/PFX)" >> $GITHUB_STEP_SUMMARY + echo "- K8SCert (CSRs) - read-only" >> $GITHUB_STEP_SUMMARY + echo "- K8SSecret (Opaque PEM) - includes all key types" >> $GITHUB_STEP_SUMMARY + echo "- K8STLSSecr (TLS Secrets) - includes all key types" >> $GITHUB_STEP_SUMMARY + echo "- K8SCluster (Cluster-wide) - includes TLS chain tests" >> $GITHUB_STEP_SUMMARY + echo "- K8SNS (Namespace) - includes all key types" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "**Key types covered:** RSA-2048, RSA-4096, EC P-256, EC P-384, EC P-521, Ed25519" >> $GITHUB_STEP_SUMMARY + else + echo "โŒ Integration tests failed or were cancelled" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "Please check the test results and logs for details." >> $GITHUB_STEP_SUMMARY + fi diff --git a/.github/workflows/license-compliance.yml b/.github/workflows/license-compliance.yml new file mode 100644 index 00000000..da9ed00c --- /dev/null +++ b/.github/workflows/license-compliance.yml @@ -0,0 +1,73 @@ +name: "License Compliance Check" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main", "release-*" ] + schedule: + # Run monthly license compliance check + - cron: '0 9 1 * *' + workflow_dispatch: + +permissions: + contents: read + pull-requests: write + packages: read + +jobs: + license-check: + name: Check License Compliance + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Setup .NET + uses: actions/setup-dotnet@v4 + with: + dotnet-version: | + 8.0.x + 10.0.x + + - name: Authenticate NuGet with GitHub Packages + run: dotnet nuget add source https://nuget.pkg.github.com/Keyfactor/index.json --name keyfactor-github --username ${{ github.actor }} --password ${{ secrets.V2BUILDTOKEN }} --store-password-in-clear-text + + - name: Restore dependencies + run: dotnet restore + + # Install dotnet-project-licenses tool + - name: Install license tool + run: dotnet tool install --global dotnet-project-licenses + + - name: Generate license report (JSON) + run: | + dotnet-project-licenses --input kubernetes-orchestrator-extension/Keyfactor.Orchestrators.K8S.csproj \ + --output-directory license-reports \ + --export-license-texts \ + --json \ + --unique + continue-on-error: true + + - name: Generate license report (Markdown) + run: | + dotnet-project-licenses --input kubernetes-orchestrator-extension/Keyfactor.Orchestrators.K8S.csproj \ + --output-directory license-reports \ + --markdown + continue-on-error: true + + - name: Check for restricted licenses + run: | + # Add logic to fail if certain licenses are detected + # For example, GPL, AGPL if your organization doesn't allow them + if grep -i "GPL-3.0\|AGPL" license-reports/*.json; then + echo "::warning::Potentially restricted license detected. Please review." + fi + continue-on-error: true + + - name: Upload license reports + uses: actions/upload-artifact@v4 + with: + name: license-compliance-reports + path: license-reports/ + retention-days: 90 diff --git a/.github/workflows/pr-quality-gate.yml b/.github/workflows/pr-quality-gate.yml new file mode 100644 index 00000000..5c50934d --- /dev/null +++ b/.github/workflows/pr-quality-gate.yml @@ -0,0 +1,178 @@ +name: "PR Quality Gate" + +on: + pull_request: + branches: [ "main", "release-*" ] + types: [ opened, synchronize, reopened ] + +permissions: + contents: read + pull-requests: write + checks: write + statuses: write + packages: read + +jobs: + quality-checks: + name: Quality Gate Checks + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Setup .NET + uses: actions/setup-dotnet@v4 + with: + dotnet-version: | + 8.0.x + 10.0.x + + - name: Authenticate NuGet with GitHub Packages + run: dotnet nuget add source https://nuget.pkg.github.com/Keyfactor/index.json --name keyfactor-github --username ${{ github.actor }} --password ${{ secrets.V2BUILDTOKEN }} --store-password-in-clear-text + + # Build and Test + - name: Restore dependencies + run: dotnet restore + + - name: Build solution + run: dotnet build --configuration Release --no-restore + + - name: Run quick tests + run: | + # Run unit tests only (integration tests run in separate workflow) + dotnet test --configuration Release --no-build --verbosity normal \ + --filter "FullyQualifiedName!~Integration" + continue-on-error: true + + # PR Size Check + - name: Check PR size + uses: actions/github-script@v7 + with: + script: | + const pr = context.payload.pull_request; + const additions = pr.additions || 0; + const deletions = pr.deletions || 0; + const totalChanges = additions + deletions; + + if (totalChanges > 1000) { + core.warning(`โš ๏ธ Large PR detected: ${totalChanges} lines changed. Consider breaking into smaller PRs.`); + } + + const changedFiles = pr.changed_files || 0; + if (changedFiles > 30) { + core.warning(`โš ๏ธ Many files changed: ${changedFiles} files. Consider breaking into smaller PRs.`); + } + + # Check for breaking changes + - name: Check for breaking changes + run: | + echo "Checking commit messages for breaking changes..." + if git log origin/main..HEAD --oneline | grep -i "BREAKING CHANGE"; then + echo "::warning::Breaking changes detected in commit messages." + fi + + # PR Title Check + - name: Validate PR title + uses: amannn/action-semantic-pull-request@v5 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + types: | + feat + fix + docs + style + refactor + perf + test + chore + ci + requireScope: false + subjectPattern: ^[A-Z].+$ + subjectPatternError: | + The subject "{subject}" found in the pull request title "{title}" + didn't match the configured pattern. Please ensure that the subject + starts with an uppercase character. + + # Check for required files + required-files: + name: Check Required Files + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Verify required files exist + run: | + files=( + "README.md" + "LICENSE" + "CHANGELOG.md" + ".gitignore" + ) + + missing_files=() + for file in "${files[@]}"; do + if [ ! -f "$file" ]; then + missing_files+=("$file") + fi + done + + if [ ${#missing_files[@]} -gt 0 ]; then + echo "::error::Missing required files: ${missing_files[*]}" + exit 1 + fi + + # Block PRs with certain keywords + block-keywords: + name: Block Prohibited Keywords + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Check for prohibited keywords + run: | + # Check for common placeholder/debug keywords that shouldn't be committed + prohibited_keywords=( + "TODO" + "FIXME" + "HACK" + "XXX" + "debugger" + "console.log" + ) + + found_issues=false + for keyword in "${prohibited_keywords[@]}"; do + if git diff origin/main...HEAD | grep -i "$keyword"; then + echo "::warning::Found prohibited keyword: $keyword" + found_issues=true + fi + done + + # This is a warning, not an error - adjust based on your needs + if [ "$found_issues" = true ]; then + echo "::warning::Prohibited keywords found. Please review before merging." + fi + + pr-labeler: + name: Auto-label PR + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Auto-label PR + uses: actions/labeler@v5 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + configuration-path: .github/labeler.yml + continue-on-error: true diff --git a/.github/workflows/sbom-generation.yml b/.github/workflows/sbom-generation.yml new file mode 100644 index 00000000..a121815c --- /dev/null +++ b/.github/workflows/sbom-generation.yml @@ -0,0 +1,70 @@ +name: "SBOM Generation" + +on: + push: + branches: [ "main" ] + tags: [ "v*.*.*" ] + release: + types: [ published ] + workflow_dispatch: + +permissions: + contents: write + actions: read + packages: read + +jobs: + sbom-generation: + name: Generate Software Bill of Materials + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Setup .NET + uses: actions/setup-dotnet@v4 + with: + dotnet-version: | + 8.0.x + 10.0.x + + - name: Authenticate NuGet with GitHub Packages + run: dotnet nuget add source https://nuget.pkg.github.com/Keyfactor/index.json --name keyfactor-github --username ${{ github.actor }} --password ${{ secrets.V2BUILDTOKEN }} --store-password-in-clear-text + + - name: Restore dependencies + run: dotnet restore + + - name: Install CycloneDX tool + run: dotnet tool install --global CycloneDX + + - name: Generate SBOM for main project + run: | + dotnet CycloneDX kubernetes-orchestrator-extension/Keyfactor.Orchestrators.K8S.csproj \ + -o sbom \ + -f k8s-orchestrator-sbom.json \ + --json + + - name: Generate SBOM in SPDX format + run: | + dotnet CycloneDX kubernetes-orchestrator-extension/Keyfactor.Orchestrators.K8S.csproj \ + -o sbom \ + -f k8s-orchestrator-sbom.xml \ + --xml + continue-on-error: true + + - name: Upload SBOM artifacts + uses: actions/upload-artifact@v4 + with: + name: sbom-artifacts + path: sbom/ + retention-days: 90 + + - name: Attach SBOM to Release + if: github.event_name == 'release' + uses: softprops/action-gh-release@v1 + with: + files: | + sbom/k8s-orchestrator-sbom.json + sbom/k8s-orchestrator-sbom.xml + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/secret-scanning.yml b/.github/workflows/secret-scanning.yml new file mode 100644 index 00000000..82ff8f65 --- /dev/null +++ b/.github/workflows/secret-scanning.yml @@ -0,0 +1,30 @@ +name: "Secret Scanning" + +on: + push: + branches: [ "**" ] + pull_request: + branches: [ "main", "release-*" ] + workflow_dispatch: + +permissions: + contents: read + security-events: write + +jobs: + trufflehog-scan: + name: TruffleHog Secret Scan + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 # Full history for comprehensive scan + + - name: TruffleHog OSS + uses: trufflesecurity/trufflehog@main + with: + path: ./ + base: ${{ github.event.repository.default_branch }} + head: HEAD + extra_args: --debug --only-verified diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml new file mode 100644 index 00000000..4f858f01 --- /dev/null +++ b/.github/workflows/unit-tests.yml @@ -0,0 +1,143 @@ +name: Unit Tests + +on: + pull_request: + branches: [ main, release-* ] + paths: + - '**.cs' + - '**.csproj' + - '.github/workflows/unit-tests.yml' + push: + branches: [ main ] + paths: + - '**.cs' + - '**.csproj' + - '.github/workflows/unit-tests.yml' + workflow_dispatch: + +permissions: + contents: read + checks: write + pull-requests: write + packages: read + +jobs: + test: + name: Unit Tests (.NET ${{ matrix.dotnet-version }}) + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + include: + - dotnet-version: '8.0.x' + framework: 'net8.0' + - dotnet-version: '10.0.x' + framework: 'net10.0' + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Setup .NET ${{ matrix.dotnet-version }} + uses: actions/setup-dotnet@v4 + with: + dotnet-version: ${{ matrix.dotnet-version }} + + - name: Display .NET version + run: dotnet --version + + - name: Authenticate NuGet with GitHub Packages + run: dotnet nuget add source https://nuget.pkg.github.com/Keyfactor/index.json --name keyfactor-github --username ${{ github.actor }} --password ${{ secrets.V2BUILDTOKEN }} --store-password-in-clear-text + + - name: Restore dependencies + run: dotnet restore + + - name: Build solution + run: dotnet build --configuration Release --no-restore + + - name: Run unit tests with coverage + run: | + dotnet test \ + --configuration Release \ + --no-build \ + --framework ${{ matrix.framework }} \ + --verbosity normal \ + --collect:"XPlat Code Coverage" \ + --results-directory ./TestResults \ + --logger "trx;LogFileName=test-results-${{ matrix.dotnet-version }}.trx" \ + -- DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=opencover + + - name: Publish test results + uses: EnricoMi/publish-unit-test-result-action@v2 + if: always() + with: + files: | + TestResults/**/*.trx + check_name: Unit Test Results (.NET ${{ matrix.dotnet-version }}) + comment_title: Unit Test Results (.NET ${{ matrix.dotnet-version }}) + + - name: Upload coverage reports to Codecov + uses: codecov/codecov-action@v4 + if: matrix.dotnet-version == '8.0.x' + with: + files: ./TestResults/**/coverage.opencover.xml + flags: unittests + name: unit-tests-net8 + fail_ci_if_error: false + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + + - name: Generate coverage report + if: matrix.dotnet-version == '8.0.x' + continue-on-error: true + run: | + dotnet tool install -g dotnet-reportgenerator-globaltool + reportgenerator \ + -reports:"./TestResults/**/coverage.opencover.xml" \ + -targetdir:"./TestResults/CoverageReport" \ + -reporttypes:"Html;MarkdownSummaryGithub" \ + -verbosity:Warning + + - name: Upload coverage report + uses: actions/upload-artifact@v4 + if: matrix.dotnet-version == '8.0.x' + with: + name: coverage-report-net8 + path: ./TestResults/CoverageReport/ + retention-days: 30 + + - name: Add coverage summary to PR + if: matrix.dotnet-version == '8.0.x' && github.event_name == 'pull_request' + run: | + if [ -f "./TestResults/CoverageReport/SummaryGithub.md" ]; then + echo "## Unit Test Coverage Report (.NET 8.0)" >> $GITHUB_STEP_SUMMARY + cat ./TestResults/CoverageReport/SummaryGithub.md >> $GITHUB_STEP_SUMMARY + fi + + - name: Upload test results as artifact + uses: actions/upload-artifact@v4 + if: always() + with: + name: unit-test-results-${{ matrix.dotnet-version }} + path: ./TestResults/**/*.trx + retention-days: 30 + + test-summary: + name: Unit Test Summary + runs-on: ubuntu-latest + needs: test + if: always() + steps: + - name: Check test results + run: | + if [ "${{ needs.test.result }}" == "failure" ]; then + echo "::error::Unit tests failed. Please review the test results." + exit 1 + elif [ "${{ needs.test.result }}" == "cancelled" ]; then + echo "::warning::Unit tests were cancelled." + exit 1 + else + echo "::notice::All unit tests passed successfully!" + fi diff --git a/.gitignore b/.gitignore index dfcfd56f..345f9ad3 100644 --- a/.gitignore +++ b/.gitignore @@ -348,3 +348,7 @@ MigrationBackup/ # Ionide (cross platform F# VS Code tools) working folder .ionide/ + +# OAuth token cache (Makefile) +.oauth_token +.oauth_token_expiry diff --git a/CHANGELOG.md b/CHANGELOG.md index f643ebb4..28d46d8c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,27 @@ +# 1.3.0 + +## Features +- feat(storetypes): `K8SCert` supports inventory of all signed K8S cluster CSRs. +- feat(crypto): Replace `X509Certificate2` with BouncyCastle for all cryptographic operations, improving cross-platform compatibility. +- feat(crypto): Add `CertificateUtilities` class with comprehensive certificate parsing, key extraction, and format detection. +- feat(crypto): Support for all key types: `RSA (1024-8192 bit), ECDSA (P-256, P-384, P-521), DSA (1024, 2048 bit), Ed25519, Ed448`. + +## Bug Fixes +- fix(client): Fix null reference issues in kubeconfig parsing when optional fields are missing. +- fix(inventory): Initialize logger before all other operations to ensure proper error reporting. +- fix(management): Fix alias parsing for `K8SNS` and `K8SCluster` store-types when alias contains multiple path segments. +- fix(management): Add `IncludeCertChain` at base job level, and include in management jobs. +- fix(management): `K8SPKCS12` and `K8SJKS` respect `IncludeCertChain` flag. + +## Chores: +- chore(tests): Add comprehensive unit test suite covering all store types and cryptographic operations. +- chore(tests): Add integration test suite validating end-to-end operations against live Kubernetes clusters. +- chore(ci): Add GitHub Actions workflows for unit tests, integration tests, code quality, and security scanning. +- chore(ci): Add CodeQL, dependency review, SBOM generation, and license compliance workflows. +- chore(ci): Add PR quality gate with semantic versioning validation and auto-labeling. +- chore(docs): Document supported key types for all store types. +- chore(util): Add verbose logging to PAM credential resolver. + # 1.2.2 ## Bug Fixes diff --git a/Keyfactor.Orchestrators.K8S.sln b/Keyfactor.Orchestrators.K8S.sln index a88ed547..c1eb62b1 100644 --- a/Keyfactor.Orchestrators.K8S.sln +++ b/Keyfactor.Orchestrators.K8S.sln @@ -7,24 +7,65 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Keyfactor.Orchestrators.K8S EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "TestConsole", "TestConsole\TestConsole.csproj", "{8C2C6B52-E386-4DAE-B596-7EE4E64EB0F4}" EndProject +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "kubernetes-orchestrator-extension.Tests", "kubernetes-orchestrator-extension.Tests", "{4D988838-9BAF-C253-004D-7C7673F12805}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Keyfactor.Orchestrators.K8S.Tests", "kubernetes-orchestrator-extension.Tests\Keyfactor.Orchestrators.K8S.Tests.csproj", "{7976404A-58D7-4709-99A9-DBBA31431C69}" +EndProject +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "kubernetes-orchestrator-extension", "kubernetes-orchestrator-extension", "{78D107B4-EAC6-4BC8-2939-7D7450B24926}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 Release|Any CPU = Release|Any CPU + Release|x64 = Release|x64 + Release|x86 = Release|x86 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution {F497D7FA-AC9F-4BB2-935F-6A7569ACC173}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {F497D7FA-AC9F-4BB2-935F-6A7569ACC173}.Debug|Any CPU.Build.0 = Debug|Any CPU + {F497D7FA-AC9F-4BB2-935F-6A7569ACC173}.Debug|x64.ActiveCfg = Debug|Any CPU + {F497D7FA-AC9F-4BB2-935F-6A7569ACC173}.Debug|x64.Build.0 = Debug|Any CPU + {F497D7FA-AC9F-4BB2-935F-6A7569ACC173}.Debug|x86.ActiveCfg = Debug|Any CPU + {F497D7FA-AC9F-4BB2-935F-6A7569ACC173}.Debug|x86.Build.0 = Debug|Any CPU {F497D7FA-AC9F-4BB2-935F-6A7569ACC173}.Release|Any CPU.ActiveCfg = Release|Any CPU {F497D7FA-AC9F-4BB2-935F-6A7569ACC173}.Release|Any CPU.Build.0 = Release|Any CPU + {F497D7FA-AC9F-4BB2-935F-6A7569ACC173}.Release|x64.ActiveCfg = Release|Any CPU + {F497D7FA-AC9F-4BB2-935F-6A7569ACC173}.Release|x64.Build.0 = Release|Any CPU + {F497D7FA-AC9F-4BB2-935F-6A7569ACC173}.Release|x86.ActiveCfg = Release|Any CPU + {F497D7FA-AC9F-4BB2-935F-6A7569ACC173}.Release|x86.Build.0 = Release|Any CPU {8C2C6B52-E386-4DAE-B596-7EE4E64EB0F4}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {8C2C6B52-E386-4DAE-B596-7EE4E64EB0F4}.Debug|Any CPU.Build.0 = Debug|Any CPU + {8C2C6B52-E386-4DAE-B596-7EE4E64EB0F4}.Debug|x64.ActiveCfg = Debug|Any CPU + {8C2C6B52-E386-4DAE-B596-7EE4E64EB0F4}.Debug|x64.Build.0 = Debug|Any CPU + {8C2C6B52-E386-4DAE-B596-7EE4E64EB0F4}.Debug|x86.ActiveCfg = Debug|Any CPU + {8C2C6B52-E386-4DAE-B596-7EE4E64EB0F4}.Debug|x86.Build.0 = Debug|Any CPU {8C2C6B52-E386-4DAE-B596-7EE4E64EB0F4}.Release|Any CPU.ActiveCfg = Release|Any CPU {8C2C6B52-E386-4DAE-B596-7EE4E64EB0F4}.Release|Any CPU.Build.0 = Release|Any CPU + {8C2C6B52-E386-4DAE-B596-7EE4E64EB0F4}.Release|x64.ActiveCfg = Release|Any CPU + {8C2C6B52-E386-4DAE-B596-7EE4E64EB0F4}.Release|x64.Build.0 = Release|Any CPU + {8C2C6B52-E386-4DAE-B596-7EE4E64EB0F4}.Release|x86.ActiveCfg = Release|Any CPU + {8C2C6B52-E386-4DAE-B596-7EE4E64EB0F4}.Release|x86.Build.0 = Release|Any CPU + {7976404A-58D7-4709-99A9-DBBA31431C69}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {7976404A-58D7-4709-99A9-DBBA31431C69}.Debug|Any CPU.Build.0 = Debug|Any CPU + {7976404A-58D7-4709-99A9-DBBA31431C69}.Debug|x64.ActiveCfg = Debug|Any CPU + {7976404A-58D7-4709-99A9-DBBA31431C69}.Debug|x64.Build.0 = Debug|Any CPU + {7976404A-58D7-4709-99A9-DBBA31431C69}.Debug|x86.ActiveCfg = Debug|Any CPU + {7976404A-58D7-4709-99A9-DBBA31431C69}.Debug|x86.Build.0 = Debug|Any CPU + {7976404A-58D7-4709-99A9-DBBA31431C69}.Release|Any CPU.ActiveCfg = Release|Any CPU + {7976404A-58D7-4709-99A9-DBBA31431C69}.Release|Any CPU.Build.0 = Release|Any CPU + {7976404A-58D7-4709-99A9-DBBA31431C69}.Release|x64.ActiveCfg = Release|Any CPU + {7976404A-58D7-4709-99A9-DBBA31431C69}.Release|x64.Build.0 = Release|Any CPU + {7976404A-58D7-4709-99A9-DBBA31431C69}.Release|x86.ActiveCfg = Release|Any CPU + {7976404A-58D7-4709-99A9-DBBA31431C69}.Release|x86.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE EndGlobalSection + GlobalSection(NestedProjects) = preSolution + {7976404A-58D7-4709-99A9-DBBA31431C69} = {4D988838-9BAF-C253-004D-7C7673F12805} + EndGlobalSection GlobalSection(ExtensibilityGlobals) = postSolution SolutionGuid = {2B11E9FA-B238-44FC-875F-EEEA0F5AD7EC} EndGlobalSection diff --git a/MAKEFILE_GUIDE.md b/MAKEFILE_GUIDE.md new file mode 100644 index 00000000..b99940c7 --- /dev/null +++ b/MAKEFILE_GUIDE.md @@ -0,0 +1,522 @@ +# Makefile Reference Guide + +This guide documents all available Make targets for the Kubernetes Orchestrator Extension project. + +## Quick Reference + +| Category | Common Targets | +|----------|---------------| +| **Build** | `make build` | +| **Testing** | `make test-unit`, `make test-integration`, `make test` | +| **Coverage** | `make test-coverage-unit`, `make test-coverage-open` | +| **Debugging** | `make debug-loop`, `make debug-logs` | +| **OAuth** | `make token`, `make token-show` | +| **API** | `make api-list-stores`, `make api-list-certs` | + +Run `make help` to see all available targets with descriptions. + +--- + +## General + +### `make help` +Display all available targets organized by category with descriptions. + +### `make all` (default) +Alias for `make build`. + +--- + +## Development + +### `make setup` +Interactive setup wizard that creates environment configuration files: +- Creates `.test.env` with Azure-related environment variables +- Creates `.env` with project configuration + +### `make reset` +Removes `.env` and `test.env` files to reset the development environment. + +### `make newtest` +Creates a new xUnit test project linked to the main project. + +### `make installpackage` +Interactive helper to install a NuGet package into a selected project. + +--- + +## Testing + +### Unit Tests + +#### `make test-unit` +Run all unit tests (excludes integration tests). +```bash +make test-unit +``` + +### Integration Tests + +Integration tests require: +- A Kubernetes cluster accessible via `~/.kube/config` +- Cluster permissions to create/delete namespaces and secrets + +#### `make test-integration` +Run all integration tests on both frameworks (net8.0 and net10.0). +```bash +make test-integration +``` + +#### `make test-integration-fast` +Run integration tests on net8.0 only (~50% faster). +```bash +make test-integration-fast +``` + +#### `make test-integration-full` +Run integration tests on all frameworks (explicit target for clarity). + +#### `make test-integration-smoke-net10` +Run a subset of Inventory tests on net10.0 only for quick validation. + +#### `make test-integration-no-cleanup` +Run integration tests without cleaning up secrets afterward. Useful for manual inspection of created resources. + +### Store-Type Specific Tests + +Run integration tests for a specific certificate store type: + +| Target | Store Type | Description | +|--------|------------|-------------| +| `make test-store-jks` | K8SJKS | Java Keystores | +| `make test-store-pkcs12` | K8SPKCS12 | PKCS12/PFX files | +| `make test-store-secret` | K8SSecret | Opaque secrets | +| `make test-store-tls` | K8STLSSecr | TLS secrets | +| `make test-store-cluster` | K8SCluster | Cluster-wide management | +| `make test-store-ns` | K8SNS | Namespace-level management | +| `make test-store-cert` | K8SCert | Certificate Signing Requests | + +#### `make test-store-type STORE=` +Run tests for a specific store type with cleanup: +```bash +make test-store-type STORE=K8SSecret +make test-store-type STORE=K8STLSSecr +``` + +### Combined/CI Tests + +#### `make testall` +Run all tests (unit + integration). + +#### `make test-all-with-cleanup` +Run all tests with cluster cleanup before and after. + +#### `make test-ci` +CI-optimized test runner: +- On `main` branch: runs full integration tests +- On PR branches: runs fast tests + net10.0 smoke tests + +### Utilities + +#### `make test` +Interactive single test selection using `fzf`. Select a test from the list to run it with detailed output. + +#### `make test-watch` +Run tests in watch mode - automatically re-runs tests when files change. + +### Code Coverage + +#### `make test-coverage` +Run all tests (unit + integration) with code coverage and generate an HTML report. +```bash +make test-coverage +# Report generated at ./coverage/html/index.html +``` + +#### `make test-coverage-unit` +Run unit tests only with code coverage (faster, excludes integration tests). +```bash +make test-coverage-unit +# Report generated at ./coverage/unit/html/index.html +``` + +#### `make test-coverage-summary` +Display coverage summary in the terminal (requires running coverage first). +```bash +make test-coverage-unit +make test-coverage-summary +``` + +#### `make test-coverage-open` +Open the HTML coverage report in your browser (macOS). +```bash +make test-coverage-open +``` + +#### `make test-coverage-clean` +Remove all coverage reports and artifacts. +```bash +make test-coverage-clean +``` + +### Utilities + +#### `make test-cluster-setup` +Display instructions for setting up the test Kubernetes cluster, including: +- Current kubectl context +- Available contexts +- Test namespace information + +#### `make test-cluster-cleanup` +Clean up all test namespaces and CSRs from the cluster: +- `keyfactor-k8sjks-integration-tests` +- `keyfactor-k8spkcs12-integration-tests` +- `keyfactor-k8ssecret-integration-tests` +- `keyfactor-k8stlssecr-integration-tests` +- `keyfactor-k8scluster-test-ns1`, `keyfactor-k8scluster-test-ns2` +- `keyfactor-k8sns-integration-tests` +- `keyfactor-k8scert-integration-tests` +- `keyfactor-manual-test` + +--- + +## OAuth Token Management + +OAuth tokens are cached to `.oauth_token` for 50 minutes (3000 seconds) to reduce authentication requests. + +### `make token` +Get an OAuth token. Uses cached token if valid, otherwise fetches a new one. +```bash +make token +# Output: Using cached token (expires in 45 minutes) +# eyJhbGciOiJS... +``` + +### `make token-refresh` +Force refresh the OAuth token and cache it. + +### `make token-show` +Display cached token status without exposing the full token: +```bash +make token-show +# Token status: VALID +# Expires in: 45 minutes +# Token preview: eyJhbGciOiJSUzI1Ni... +``` + +### `make token-clear` +Clear the cached OAuth token. + +### `make token-get` +Get token silently (for use in scripts). Returns just the token string. + +--- + +## Keyfactor Command API + +These targets interact with the Keyfactor Command API using cached OAuth tokens. + +### `make api-list-stores` +List all certificate stores from Command: +```bash +make api-list-stores +# e523b800-fe18-4e68-b7be-8f2034ffdc16 | k8s-agent | manual-tlssecr +# 27b16153-742c-4b4c-9b2d-02ec9cc90fa5 | k8s-agent | manual-opaque +``` + +### `make api-list-certs` +List first 20 certificates from Command: +```bash +make api-list-certs +# 43 | meow | F3127840482241A1251498545A598C6D765BA03E | HasKey=true +# 44 | ec-csr | FA3BFCD6966AC297B1A3AA9FA43EB1C55EE1048B | HasKey=false +``` + +### `make api-get-cert CERT_ID=` +Get detailed certificate information: +```bash +make api-get-cert CERT_ID=43 +# { +# "Id": 43, +# "Thumbprint": "F3127840482241A1251498545A598C6D765BA03E", +# "IssuedCN": "meow", +# "HasPrivateKey": true, +# "IssuerDN": "CN=Sub-CA", +# "KeyType": "RSA" +# } +``` + +### `make api-get-jobs` +List recent orchestrator jobs (last 10): +```bash +make api-get-jobs +# guid-1234 | Management | Completed | 2024-02-25T10:00:00Z +``` + +--- + +## Debugging (Container-based Testing) + +These targets facilitate debugging the orchestrator extension with a local Keyfactor Command container. + +### Configuration Variables + +Override these with environment variables or on the command line: + +| Variable | Default | Description | +|----------|---------|-------------| +| `DEBUG_ENV_FILE` | `~/.env_ses2541` | Environment file with Keyfactor credentials | +| `DEBUG_CONTAINER_DIR` | `~/Desktop/Container` | Docker compose directory | +| `DEBUG_COMPOSE_FILE` | `docker-compose-ses.yml` | Docker compose file | +| `DEBUG_SERVICE_NAME` | `ses_2541_uo_25_4_oauth` | Container service name | +| `DEBUG_TLS_STORE_ID` | `e523b800-...` | TLS secret store GUID | +| `DEBUG_OPAQUE_STORE_ID` | `27b16153-...` | Opaque secret store GUID | +| `DEBUG_PFX_PASSWORD` | `3ceZRxdQffny` | Default PFX password | +| `DEBUG_CERT_ID` | `44` | Default certificate ID | + +### Build & Container Management + +#### `make debug-build` +Build the extension and verify the DLL is in the container folder. + +#### `make debug-restart` +Restart the orchestrator container (down + up). + +#### `make debug-container-id` +Get the current container ID. + +### Logs + +#### `make debug-logs` +Show last 100 lines of container logs. + +#### `make debug-logs-follow` +Follow container logs in real-time (Ctrl+C to stop). + +### Scheduling Jobs + +#### `make debug-schedule-tls` +Schedule a management job for the TLS secret store using the default certificate. + +#### `make debug-schedule-opaque` +Schedule a management job for the Opaque secret store. + +#### `make debug-schedule-both` +Schedule jobs for both TLS and Opaque stores. + +#### `make debug-schedule-tls-cert CERT_ID= [PFX_PASSWORD=]` +Schedule a TLS job with a specific certificate: +```bash +make debug-schedule-tls-cert CERT_ID=43 +make debug-schedule-tls-cert CERT_ID=43 PFX_PASSWORD=mypassword +``` + +### Checking Results + +#### `make debug-check-tls-secret` +Check the TLS secret (`manual-tlssecr`) in Kubernetes. + +#### `make debug-check-opaque-secret` +Check the Opaque secret (`manual-opaque`) in Kubernetes. + +#### `make debug-check-secrets` +Check both TLS and Opaque secrets. + +#### `make debug-wait-job` +Wait for jobs to complete (polls logs for completion message). + +### Debug Loops (Full Workflows) + +These targets run complete debug workflows: build, restart, schedule, wait, check logs and secrets. + +#### `make debug-loop` +Full debug loop for TLS store with default certificate. + +#### `make debug-loop-both` +Full debug loop for both TLS and Opaque stores. + +#### `make debug-loop-cert43` +Full debug loop with certificate 43 (has private key + chain). + +#### `make debug-loop-cert44` +Full debug loop with certificate 44 (no private key, DER format). + +### Certificate Information + +#### `make debug-get-token` +Get OAuth token (alias for `make token-get`). + +#### `make debug-get-cert-info CERT_ID=` +Get certificate information from Command: +```bash +make debug-get-cert-info CERT_ID=43 +``` + +--- + +## Build + +### `make build` +Build the entire solution: +```bash +make build +# Builds both net8.0 and net10.0 targets +``` + +--- + +## Environment Setup + +### Required Files + +1. **`.env`** - Project configuration (created by `make setup`) + ``` + PROJECT_ROOT=/path/to/k8s-orchestrator + PROJECT_FILE=kubernetes-orchestrator-extension/Keyfactor.Orchestrators.K8S.csproj + PROJECT_NAME=kubernetes-orchestrator-extension + ``` + +2. **`.test.env`** - Test environment variables (created by `make setup`) + ```bash + export AZURE_TENANT_ID=... + export AZURE_CLIENT_SECRET=... + export AZURE_CLIENT_ID=... + export AZURE_APP_GATEWAY_RESOURCE_ID=... + ``` + +3. **`~/.env_ses2541`** (or custom `DEBUG_ENV_FILE`) - Keyfactor credentials for debugging + ```bash + export KEYFACTOR_HOSTNAME=my.keyfactor.kfdelivery.com + export KEYFACTOR_API_PATH=KeyfactorAPI + export KEYFACTOR_AUTH_TOKEN_URL=https://login.keyfactor.com/oauth/token + export KEYFACTOR_AUTH_CLIENT_ID=... + export KEYFACTOR_AUTH_CLIENT_SECRET=... + ``` + +### Files Created by Make Targets + +| File | Purpose | Gitignored | +|------|---------|------------| +| `.oauth_token` | Cached OAuth token | Yes | +| `.oauth_token_expiry` | Token expiry timestamp | Yes | +| `.env` | Project configuration | Yes | +| `.test.env` | Test environment variables | Yes | + +--- + +## Kubernetes CSR Management (K8SCert Testing) + +These targets help create and manage Kubernetes Certificate Signing Requests for testing the K8SCert store type. + +### Creating CSRs + +#### `make csr-create [NAME=my-csr] [CN=test-cert]` +Create a single test CSR: +```bash +make csr-create # Creates test-csr- +make csr-create NAME=my-test-csr # Creates my-test-csr +make csr-create NAME=my-csr CN=myapp.example.com +``` + +#### `make csr-create-approved [NAME=my-csr]` +Create a CSR and immediately approve it: +```bash +make csr-create-approved NAME=my-approved-csr +``` + +#### `make csr-create-batch [COUNT=10] [APPROVE=true]` +Create multiple test CSRs at once: +```bash +make csr-create-batch # Creates 10 pending CSRs +make csr-create-batch COUNT=5 # Creates 5 pending CSRs +make csr-create-batch APPROVE=true # Creates 10 approved CSRs +make csr-create-batch COUNT=3 APPROVE=true +``` + +### Managing CSRs + +#### `make csr-approve NAME=my-csr` +Approve a pending CSR: +```bash +make csr-approve NAME=test-csr-123456 +``` + +#### `make csr-deny NAME=my-csr` +Deny a pending CSR: +```bash +make csr-deny NAME=test-csr-123456 +``` + +#### `make csr-delete NAME=my-csr` +Delete a specific CSR: +```bash +make csr-delete NAME=test-csr-123456 +``` + +### Viewing CSRs + +#### `make csr-list` +List all CSRs in the cluster. + +#### `make csr-list-test` +List only test CSRs (those prefixed with `test-`). + +#### `make csr-describe NAME=my-csr` +Show detailed information about a specific CSR. + +### Cleanup + +#### `make csr-cleanup` +Delete all test CSRs (those prefixed with `test-`). + +--- + +## Common Workflows + +### Running Tests for Development +```bash +# Quick unit test check +make test-unit + +# Single store type integration test +make test-store-tls + +# Full integration test (slower) +make test-integration +``` + +### Debugging a Certificate Deployment Issue +```bash +# 1. Check token is valid +make token-show + +# 2. Get certificate info +make api-get-cert CERT_ID=43 + +# 3. Run full debug loop +make debug-loop-cert43 + +# 4. Check logs if something went wrong +make debug-logs +``` + +### Testing with Fresh Cluster State +```bash +# Clean up any leftover resources +make test-cluster-cleanup + +# Run integration tests +make test-integration + +# Or run all tests with cleanup +make test-all-with-cleanup +``` + +### CI/CD Usage +```bash +# Use optimized CI test target +make test-ci + +# Or for full validation +make test-all-with-cleanup +``` diff --git a/Makefile b/Makefile index 08385e21..e85c47aa 100644 --- a/Makefile +++ b/Makefile @@ -89,14 +89,16 @@ installpackage: ## Install a package to the project echo "Installing $$packageName to $$opt"; \ dotnet add $$opt package $$packageName; +##@ Testing + .PHONY: testall -testall: ## Run all tests. +testall: ## Run all tests (unit + integration if RUN_INTEGRATION_TESTS=true) @source .env; \ source .test.env; \ dotnet test .PHONY: test -test: ## Run a single test. +test: ## Run a single test (interactive selection with fzf) @source .env; \ source .test.env; \ dotnet test --no-restore --list-tests | \ @@ -108,8 +110,865 @@ test: ## Run a single test. fzf | \ xargs -I {} dotnet test --filter {} --logger "console;verbosity=detailed" +.PHONY: test-unit +test-unit: ## Run unit tests only (excludes integration tests) + @source .env; \ + source .test.env; \ + dotnet test --filter "FullyQualifiedName!~Integration" + +.PHONY: test-integration +test-integration: ## Run integration tests only (requires RUN_INTEGRATION_TESTS=true) + @source .env; \ + source .test.env; \ + export RUN_INTEGRATION_TESTS=true; \ + if [ -n "$$INTEGRATION_TEST_KUBECONFIG" ]; then \ + export INTEGRATION_TEST_KUBECONFIG; \ + fi; \ + dotnet test --filter "FullyQualifiedName~Integration" + +.PHONY: test-integration-fast +test-integration-fast: ## Run integration tests on single framework (net8.0 only, ~50% faster) + @source .env 2>/dev/null || true; \ + source .test.env 2>/dev/null || true; \ + export RUN_INTEGRATION_TESTS=true; \ + if [ -n "$$INTEGRATION_TEST_KUBECONFIG" ]; then \ + export INTEGRATION_TEST_KUBECONFIG; \ + fi; \ + dotnet test -f net8.0 --filter "FullyQualifiedName~Integration" + +.PHONY: test-integration-full +test-integration-full: ## Run integration tests on all frameworks (net8.0 + net10.0) + @source .env 2>/dev/null || true; \ + source .test.env 2>/dev/null || true; \ + export RUN_INTEGRATION_TESTS=true; \ + if [ -n "$$INTEGRATION_TEST_KUBECONFIG" ]; then \ + export INTEGRATION_TEST_KUBECONFIG; \ + fi; \ + dotnet test --filter "FullyQualifiedName~Integration" + +.PHONY: test-integration-smoke-net10 +test-integration-smoke-net10: ## Run smoke tests on net10.0 only (Inventory tests) + @source .env 2>/dev/null || true; \ + source .test.env 2>/dev/null || true; \ + export RUN_INTEGRATION_TESTS=true; \ + if [ -n "$$INTEGRATION_TEST_KUBECONFIG" ]; then \ + export INTEGRATION_TEST_KUBECONFIG; \ + fi; \ + dotnet test -f net10.0 --filter "FullyQualifiedName~Integration&FullyQualifiedName~Inventory_" + +.PHONY: test-ci +test-ci: ## Run CI-optimized tests (fast on PRs, full on main branch) + @if [ "$$CI_BRANCH" = "main" ] || [ "$$GITHUB_REF" = "refs/heads/main" ]; then \ + echo "Running full test suite (main branch)..."; \ + $(MAKE) test-integration-full; \ + else \ + echo "Running fast test suite (PR branch)..."; \ + $(MAKE) test-integration-fast; \ + $(MAKE) test-integration-smoke-net10; \ + fi + +.PHONY: test-coverage +test-coverage: ## Run all tests with code coverage and generate HTML report + @echo "Running all tests with coverage..."; \ + source .env 2>/dev/null || true; \ + source .test.env 2>/dev/null || true; \ + export RUN_INTEGRATION_TESTS=true; \ + dotnet test \ + --collect:"XPlat Code Coverage" \ + --results-directory ./coverage \ + -- DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=cobertura; \ + reportgenerator \ + -reports:./coverage/**/coverage.cobertura.xml \ + -targetdir:./coverage/html \ + -reporttypes:Html; \ + echo "Coverage report generated at ./coverage/html/index.html" + +.PHONY: test-coverage-unit +test-coverage-unit: ## Run unit tests only with code coverage + @echo "Running unit tests with coverage..."; \ + dotnet test \ + --filter "Category!=Integration" \ + --collect:"XPlat Code Coverage" \ + --results-directory ./coverage/unit \ + -- DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=cobertura; \ + reportgenerator \ + -reports:./coverage/unit/**/coverage.cobertura.xml \ + -targetdir:./coverage/unit/html \ + -reporttypes:"Html;MarkdownSummary"; \ + echo "Unit test coverage report generated at ./coverage/unit/html/index.html" + +.PHONY: test-coverage-summary +test-coverage-summary: ## Show coverage summary in terminal (requires test-coverage-unit first) + @if [ -f ./coverage/unit/html/Summary.md ]; then \ + cat ./coverage/unit/html/Summary.md; \ + else \ + echo "No coverage summary found. Run 'make test-coverage-unit' first."; \ + fi + +.PHONY: test-coverage-open +test-coverage-open: ## Open coverage HTML report in browser (macOS) + @if [ -f ./coverage/html/index.html ]; then \ + open ./coverage/html/index.html; \ + elif [ -f ./coverage/unit/html/index.html ]; then \ + open ./coverage/unit/html/index.html; \ + else \ + echo "No coverage report found. Run 'make test-coverage' or 'make test-coverage-unit' first."; \ + fi + +.PHONY: test-coverage-clean +test-coverage-clean: ## Remove coverage reports + @rm -rf ./coverage + @echo "Coverage reports removed." + +.PHONY: test-watch +test-watch: ## Run tests in watch mode (auto-rerun on file changes) + @source .env; \ + source .test.env; \ + dotnet watch test + +.PHONY: test-store-jks +test-store-jks: ## Run K8SJKS store type integration tests + @source .env; \ + source .test.env; \ + export RUN_INTEGRATION_TESTS=true; \ + dotnet test --filter "FullyQualifiedName~K8SJKSStoreIntegrationTests" --logger "console;verbosity=minimal" + +.PHONY: test-store-pkcs12 +test-store-pkcs12: ## Run K8SPKCS12 store type integration tests + @source .env; \ + source .test.env; \ + export RUN_INTEGRATION_TESTS=true; \ + dotnet test --filter "FullyQualifiedName~K8SPKCS12StoreIntegrationTests" --logger "console;verbosity=minimal" + +.PHONY: test-store-secret +test-store-secret: ## Run K8SSecret store type integration tests + @source .env; \ + source .test.env; \ + export RUN_INTEGRATION_TESTS=true; \ + dotnet test --filter "FullyQualifiedName~K8SSecretStoreIntegrationTests" --logger "console;verbosity=minimal" + +.PHONY: test-store-tls +test-store-tls: ## Run K8STLSSecr store type integration tests + @source .env; \ + source .test.env; \ + export RUN_INTEGRATION_TESTS=true; \ + dotnet test --filter "FullyQualifiedName~K8STLSSecrStoreIntegrationTests" --logger "console;verbosity=minimal" + +.PHONY: test-store-cluster +test-store-cluster: ## Run K8SCluster store type integration tests + @source .env; \ + source .test.env; \ + export RUN_INTEGRATION_TESTS=true; \ + dotnet test --filter "FullyQualifiedName~K8SClusterStoreIntegrationTests" --logger "console;verbosity=minimal" + +.PHONY: test-store-ns +test-store-ns: ## Run K8SNS store type integration tests + @source .env; \ + source .test.env; \ + export RUN_INTEGRATION_TESTS=true; \ + dotnet test --filter "FullyQualifiedName~K8SNSStoreIntegrationTests" --logger "console;verbosity=minimal" + +.PHONY: test-store-cert +test-store-cert: ## Run K8SCert store type integration tests + @source .env; \ + source .test.env; \ + export RUN_INTEGRATION_TESTS=true; \ + dotnet test --filter "FullyQualifiedName~K8SCertStoreIntegrationTests" --logger "console;verbosity=minimal" + +.PHONY: test-cluster-setup +test-cluster-setup: ## Display instructions for setting up test cluster + @echo "=== Kubernetes Test Cluster Setup ===" + @echo "" + @echo "For integration tests, ensure your kubeconfig has a context named 'kf-integrations'." + @echo "" + @echo "Current kubectl context:" + @kubectl config current-context 2>/dev/null || echo " kubectl not configured" + @echo "" + @echo "Available contexts:" + @kubectl config get-contexts 2>/dev/null || echo " kubectl not configured" + @echo "" + @echo "To switch to kf-integrations:" + @echo " kubectl config use-context kf-integrations" + @echo "" + @echo "To verify cluster connectivity:" + @echo " kubectl cluster-info" + @echo "" + @echo "Integration tests will create/cleanup these namespaces:" + @echo " - keyfactor-test-k8sjks" + @echo " - keyfactor-test-k8spkcs12" + @echo " - keyfactor-test-k8ssecret" + @echo " - keyfactor-test-k8stlssecr" + @echo " - keyfactor-test-k8scluster" + @echo " - keyfactor-test-k8sns" + @echo " - keyfactor-test-k8scert" + +.PHONY: test-cluster-cleanup +test-cluster-cleanup: ## Clean up test namespaces and CSRs from cluster + @echo "=== Cleaning up test namespaces ===" + @# Clean up framework-specific namespaces (net8, net10) and legacy namespaces + @for ns in keyfactor-k8sjks-integration-tests keyfactor-k8sjks-integration-tests-net8 keyfactor-k8sjks-integration-tests-net10 \ + keyfactor-k8spkcs12-integration-tests keyfactor-k8spkcs12-integration-tests-net8 keyfactor-k8spkcs12-integration-tests-net10 \ + keyfactor-k8ssecret-integration-tests keyfactor-k8ssecret-integration-tests-net8 keyfactor-k8ssecret-integration-tests-net10 \ + keyfactor-k8stlssecr-integration-tests keyfactor-k8stlssecr-integration-tests-net8 keyfactor-k8stlssecr-integration-tests-net10 \ + keyfactor-k8scluster-test-ns1 keyfactor-k8scluster-test-ns1-net8 keyfactor-k8scluster-test-ns1-net10 \ + keyfactor-k8scluster-test-ns2 keyfactor-k8scluster-test-ns2-net8 keyfactor-k8scluster-test-ns2-net10 \ + keyfactor-k8sns-integration-tests keyfactor-k8sns-integration-tests-net8 keyfactor-k8sns-integration-tests-net10 \ + keyfactor-k8scert-integration-tests keyfactor-k8scert-integration-tests-net8 keyfactor-k8scert-integration-tests-net10 \ + keyfactor-manual-test; do \ + if kubectl get namespace $$ns 2>/dev/null; then \ + echo "Deleting namespace $$ns..."; \ + kubectl delete namespace $$ns; \ + else \ + echo "Namespace $$ns does not exist, skipping"; \ + fi; \ + done + @echo "=== Cleaning up test CSRs ===" + @kubectl get csr --no-headers 2>/dev/null | grep "test-" | awk '{print $$1}' | \ + while read csr; do \ + echo "Deleting CSR $$csr..."; \ + kubectl delete csr $$csr 2>/dev/null || true; \ + done || echo "No test CSRs found" + @echo "Cleanup complete" + +.PHONY: test-store-type +test-store-type: ## Run integration tests for a single store type with cleanup (usage: make test-store-type STORE=K8SSecret) + @if [ -z "$(STORE)" ]; then \ + echo "ERROR: STORE parameter required"; \ + echo "Usage: make test-store-type STORE="; \ + echo ""; \ + echo "Available store types:"; \ + echo " K8SSecret - Opaque secrets"; \ + echo " K8STLSSecr - TLS secrets"; \ + echo " K8SJKS - Java Keystores"; \ + echo " K8SPKCS12 - PKCS12/PFX files"; \ + echo " K8SCluster - Cluster-wide management"; \ + echo " K8SNS - Namespace-level management"; \ + echo " K8SCert - Certificate Signing Requests"; \ + exit 1; \ + fi + @echo "=== Running tests for $(STORE) store type ===" + @$(MAKE) test-cluster-cleanup + @source .env; \ + source .test.env; \ + export RUN_INTEGRATION_TESTS=true; \ + dotnet test \ + --filter "FullyQualifiedName~$(STORE)StoreIntegrationTests" \ + --logger "console;verbosity=normal" + +.PHONY: test-integration-no-cleanup +test-integration-no-cleanup: ## Run integration tests without cleanup (leaves secrets for manual inspection) + @source .env; \ + source .test.env; \ + export RUN_INTEGRATION_TESTS=true; \ + export SKIP_INTEGRATION_TEST_CLEANUP=true; \ + if [ -n "$$INTEGRATION_TEST_KUBECONFIG" ]; then \ + export INTEGRATION_TEST_KUBECONFIG; \ + fi; \ + dotnet test --filter "FullyQualifiedName~Integration" + +.PHONY: test-all-with-cleanup +test-all-with-cleanup: ## Run all tests (unit + integration) with cleanup before and after + @echo "=== Pre-test cleanup ===" + @$(MAKE) test-cluster-cleanup + @echo "" + @echo "=== Running unit tests ===" + @source .env 2>/dev/null || true; \ + source .test.env 2>/dev/null || true; \ + dotnet test --filter "FullyQualifiedName!~Integration" --logger "console;verbosity=minimal" + @echo "" + @echo "=== Running integration tests ===" + @source .env 2>/dev/null || true; \ + source .test.env 2>/dev/null || true; \ + export RUN_INTEGRATION_TESTS=true; \ + if [ -n "$$INTEGRATION_TEST_KUBECONFIG" ]; then \ + export INTEGRATION_TEST_KUBECONFIG; \ + fi; \ + dotnet test --filter "FullyQualifiedName~Integration" --logger "console;verbosity=minimal" + @echo "" + @echo "=== Post-test cleanup ===" + @$(MAKE) test-cluster-cleanup + @echo "" + @echo "=== All tests complete ===" + +##@ Debugging (Container-based testing with Keyfactor Command) + +# Configuration - override with environment variables or command line +DEBUG_ENV_FILE ?= ~/.env_ses2541 +DEBUG_CONTAINER_DIR ?= ~/Desktop/Container +DEBUG_COMPOSE_FILE ?= docker-compose-ses.yml +DEBUG_SERVICE_NAME ?= ses_2541_uo_25_4_oauth +DEBUG_TLS_STORE_ID ?= e523b800-fe18-4e68-b7be-8f2034ffdc16 +DEBUG_OPAQUE_STORE_ID ?= 27b16153-742c-4b4c-9b2d-02ec9cc90fa5 +# PfxPassword must be 12+ alphanumeric characters per Command policy +DEBUG_PFX_PASSWORD ?= 3ceZRxdQffny +DEBUG_CERT_ID ?= 44 +DEBUG_CERT_THUMBPRINT ?= FA3BFCD6966AC297B1A3AA9FA43EB1C55EE1048B + +# Test certificates +# Cert 43: Has private key + chain (meow, issued by Sub-CA) +DEBUG_CERT_43_ID := 43 +DEBUG_CERT_43_THUMBPRINT := F3127840482241A1251498545A598C6D765BA03E +# Cert 44: No private key, DER format (ec-csr, issued by Sub-CA) +DEBUG_CERT_44_ID := 44 +DEBUG_CERT_44_THUMBPRINT := FA3BFCD6966AC297B1A3AA9FA43EB1C55EE1048B + +.PHONY: debug-build +debug-build: ## Build extension and verify DLL is in container folder + @echo "=== Building extension ===" + @dotnet build kubernetes-orchestrator-extension/Keyfactor.Orchestrators.K8S.csproj + @echo "" + @echo "=== Verifying DLL in container folder ===" + @ls -la $(DEBUG_CONTAINER_DIR)/extensions/K8S/Local/net10.0/Keyfactor.Orchestrators.K8S.dll 2>/dev/null || \ + echo "WARNING: DLL not found in container folder. You may need to set up a symlink." + +.PHONY: debug-container-id +debug-container-id: ## Get the current container ID + @docker ps --filter "name=ses" --format "{{.ID}}" | head -1 + +.PHONY: debug-restart +debug-restart: ## Restart the orchestrator container + @echo "=== Restarting container ===" + @source $(DEBUG_ENV_FILE) && cd $(DEBUG_CONTAINER_DIR) && docker compose -f $(DEBUG_COMPOSE_FILE) down $(DEBUG_SERVICE_NAME) 2>/dev/null || true + @source $(DEBUG_ENV_FILE) && cd $(DEBUG_CONTAINER_DIR) && docker compose -f $(DEBUG_COMPOSE_FILE) up -d $(DEBUG_SERVICE_NAME) + @echo "Waiting for container to start..." + @sleep 5 + @echo "Container ID: $$(docker ps --filter "name=ses" --format "{{.ID}}" | head -1)" + +.PHONY: debug-logs +debug-logs: ## Show recent container logs (last 100 lines) + @CONTAINER_ID=$$(docker ps --filter "name=ses" --format "{{.ID}}" | head -1); \ + if [ -z "$$CONTAINER_ID" ]; then \ + echo "ERROR: No running container found"; \ + exit 1; \ + fi; \ + docker logs --tail 100 $$CONTAINER_ID + +.PHONY: debug-logs-follow +debug-logs-follow: ## Follow container logs in real-time + @CONTAINER_ID=$$(docker ps --filter "name=ses" --format "{{.ID}}" | head -1); \ + if [ -z "$$CONTAINER_ID" ]; then \ + echo "ERROR: No running container found"; \ + exit 1; \ + fi; \ + docker logs -f $$CONTAINER_ID + +.PHONY: debug-get-token +debug-get-token: ## Get OAuth token from Keyfactor (uses cache, outputs token to stdout) + @$(MAKE) -s token-get + +.PHONY: debug-schedule-tls +debug-schedule-tls: ## Schedule a management job for TLS secret store + @echo "=== Scheduling TLS secret management job ===" + @TOKEN=$$($(MAKE) -s token-get); \ + if [ "$$TOKEN" = "null" ] || [ -z "$$TOKEN" ]; then \ + echo "ERROR: Failed to get token" >&2; \ + exit 1; \ + fi; \ + source $(DEBUG_ENV_FILE); \ + RESULT=$$(curl -s --insecure -X POST "https://$$KEYFACTOR_HOSTNAME/$$KEYFACTOR_API_PATH/CertificateStores/Certificates/Add" \ + -H "Authorization: Bearer $$TOKEN" \ + -H "x-keyfactor-requested-with: APIClient" \ + -H "Content-Type: application/json" \ + -d '{"CertificateId": $(DEBUG_CERT_ID), "CertificateStores": [{"CertificateStoreId": "$(DEBUG_TLS_STORE_ID)", "Alias": "$(DEBUG_CERT_THUMBPRINT)", "Overwrite": true, "JobFields": {}}], "Schedule": {"Immediate": true}}'); \ + echo "$$RESULT" | jq -r 'if type == "array" then "Job scheduled: " + .[0] else "Error: " + .Message end' + +.PHONY: debug-schedule-opaque +debug-schedule-opaque: ## Schedule a management job for Opaque secret store + @echo "=== Scheduling Opaque secret management job ===" + @TOKEN=$$($(MAKE) -s token-get); \ + if [ "$$TOKEN" = "null" ] || [ -z "$$TOKEN" ]; then \ + echo "ERROR: Failed to get token" >&2; \ + exit 1; \ + fi; \ + source $(DEBUG_ENV_FILE); \ + RESULT=$$(curl -s --insecure -X POST "https://$$KEYFACTOR_HOSTNAME/$$KEYFACTOR_API_PATH/CertificateStores/Certificates/Add" \ + -H "Authorization: Bearer $$TOKEN" \ + -H "x-keyfactor-requested-with: APIClient" \ + -H "Content-Type: application/json" \ + -d '{"CertificateId": $(DEBUG_CERT_ID), "CertificateStores": [{"CertificateStoreId": "$(DEBUG_OPAQUE_STORE_ID)", "Alias": "$(DEBUG_CERT_THUMBPRINT)", "Overwrite": true, "JobFields": {}}], "Schedule": {"Immediate": true}}'); \ + echo "$$RESULT" | jq -r 'if type == "array" then "Job scheduled: " + .[0] else "Error: " + .Message end' + +.PHONY: debug-schedule-both +debug-schedule-both: ## Schedule management jobs for both TLS and Opaque stores + @$(MAKE) debug-schedule-tls + @$(MAKE) debug-schedule-opaque + +.PHONY: debug-check-tls-secret +debug-check-tls-secret: ## Check the TLS secret in Kubernetes + @echo "=== TLS Secret (manual-tlssecr) ===" + @kubectl get secret manual-tlssecr -n default -o yaml | grep -E "^ (tls\.|ca\.)" | while read line; do \ + key=$$(echo "$$line" | cut -d: -f1 | tr -d ' '); \ + value=$$(echo "$$line" | cut -d: -f2- | tr -d ' '); \ + if [ -z "$$value" ] || [ "$$value" = '""' ]; then \ + echo "$$key: (empty)"; \ + else \ + decoded=$$(echo "$$value" | base64 -d 2>/dev/null | head -1); \ + echo "$$key: $$decoded..."; \ + fi; \ + done + +.PHONY: debug-check-opaque-secret +debug-check-opaque-secret: ## Check the Opaque secret in Kubernetes + @echo "=== Opaque Secret (manual-opaque) ===" + @kubectl get secret manual-opaque -n default -o yaml | grep -E "^ [a-zA-Z]" | head -10 + +.PHONY: debug-check-secrets +debug-check-secrets: ## Check both TLS and Opaque secrets + @$(MAKE) debug-check-tls-secret + @echo "" + @$(MAKE) debug-check-opaque-secret + +.PHONY: debug-wait-job +debug-wait-job: ## Wait for jobs to complete (polls logs for completion message) + @echo "=== Waiting for job completion ===" + @CONTAINER_ID=$$(docker ps --filter "name=ses" --format "{{.ID}}" | head -1); \ + for i in 1 2 3 4 5 6 7 8 9 10; do \ + if docker logs --tail 20 $$CONTAINER_ID 2>&1 | grep -q "End MANAGEMENT job.*Success"; then \ + echo "Job completed successfully!"; \ + exit 0; \ + fi; \ + echo "Waiting... ($$i/10)"; \ + sleep 2; \ + done; \ + echo "Timeout waiting for job completion" + +.PHONY: debug-loop +debug-loop: ## Full debug loop: build, restart, schedule TLS job, wait, check logs and secret + @echo "==========================================" + @echo "=== Starting Debug Loop ===" + @echo "==========================================" + @$(MAKE) debug-build + @echo "" + @$(MAKE) debug-restart + @echo "" + @echo "=== Scheduling job ===" + @$(MAKE) debug-schedule-tls + @echo "" + @$(MAKE) debug-wait-job + @echo "" + @echo "=== Container Logs (last 50 lines) ===" + @CONTAINER_ID=$$(docker ps --filter "name=ses" --format "{{.ID}}" | head -1); \ + docker logs --tail 50 $$CONTAINER_ID 2>&1 | grep -E "(InitJobCertificate|DER|PEM|Certificate data|NO PASSWORD|JobCertificate|MANAGEMENT)" + @echo "" + @$(MAKE) debug-check-tls-secret + @echo "" + @echo "==========================================" + @echo "=== Debug Loop Complete ===" + @echo "==========================================" + +.PHONY: debug-loop-both +debug-loop-both: ## Full debug loop for both TLS and Opaque stores + @echo "==========================================" + @echo "=== Starting Debug Loop (Both Stores) ===" + @echo "==========================================" + @$(MAKE) debug-build + @echo "" + @$(MAKE) debug-restart + @echo "" + @echo "=== Scheduling jobs ===" + @$(MAKE) debug-schedule-both + @echo "" + @$(MAKE) debug-wait-job + @sleep 2 + @echo "" + @echo "=== Container Logs (filtered) ===" + @CONTAINER_ID=$$(docker ps --filter "name=ses" --format "{{.ID}}" | head -1); \ + docker logs --tail 80 $$CONTAINER_ID 2>&1 | grep -E "(InitJobCertificate|DER|PEM|Certificate data|NO PASSWORD|JobCertificate|MANAGEMENT|properties)" + @echo "" + @$(MAKE) debug-check-secrets + @echo "" + @echo "==========================================" + @echo "=== Debug Loop Complete ===" + @echo "==========================================" + +.PHONY: debug-schedule-tls-cert +debug-schedule-tls-cert: ## Schedule TLS job with specific cert (usage: make debug-schedule-tls-cert CERT_ID=43 [PFX_PASSWORD=xxx]) + @if [ -z "$(CERT_ID)" ]; then \ + echo "ERROR: CERT_ID required"; \ + echo "Usage: make debug-schedule-tls-cert CERT_ID=43"; \ + echo " make debug-schedule-tls-cert CERT_ID=43 PFX_PASSWORD=mypassword"; \ + exit 1; \ + fi + @echo "=== Scheduling TLS job for cert $(CERT_ID) (IncludePrivateKey=true) ===" + @TOKEN=$$($(MAKE) -s token-get); \ + if [ "$$TOKEN" = "null" ] || [ -z "$$TOKEN" ]; then \ + echo "ERROR: Failed to get token" >&2; \ + exit 1; \ + fi; \ + source $(DEBUG_ENV_FILE); \ + PFX_PASS="$(if $(PFX_PASSWORD),$(PFX_PASSWORD),$(DEBUG_PFX_PASSWORD))"; \ + BODY='{"CertificateId": $(CERT_ID), "CertificateStores": [{"CertificateStoreId": "$(DEBUG_TLS_STORE_ID)", "IncludePrivateKey": true, "PfxPassword": "'$$PFX_PASS'", "JobFields": {}}], "Schedule": {"Immediate": true}}'; \ + RESULT=$$(curl -s --insecure -X POST "https://$$KEYFACTOR_HOSTNAME/$$KEYFACTOR_API_PATH/CertificateStores/Certificates/Add" \ + -H "Authorization: Bearer $$TOKEN" \ + -H "x-keyfactor-requested-with: APIClient" \ + -H "Content-Type: application/json" \ + -d "$$BODY"); \ + echo "$$RESULT" | jq -r 'if type == "array" then "Job scheduled: " + .[0] else "Error: " + .Message end' + +.PHONY: debug-loop-cert43 +debug-loop-cert43: ## Full debug loop with cert 43 (has private key + chain in Command) + @echo "==========================================" + @echo "=== Debug Loop - Cert 43 (with key+chain) ===" + @echo "==========================================" + @$(MAKE) debug-build + @echo "" + @$(MAKE) debug-restart + @echo "" + @echo "=== Scheduling job for cert 43 ===" + @$(MAKE) debug-schedule-tls-cert CERT_ID=$(DEBUG_CERT_43_ID) + @echo "" + @$(MAKE) debug-wait-job + @sleep 3 + @echo "" + @echo "=== Container Logs (filtered) ===" + @CONTAINER_ID=$$(docker ps --filter "name=ses" --format "{{.ID}}" | head -1); \ + docker logs --tail 80 $$CONTAINER_ID 2>&1 | grep -E "(InitJobCertificate|DER|PEM|Certificate|NO PASSWORD|JobCertificate|MANAGEMENT|properties|ContentsFormat|chain|bytes)" + @echo "" + @$(MAKE) debug-check-tls-secret + @echo "" + @echo "==========================================" + @echo "=== Debug Loop Complete ===" + @echo "==========================================" + +.PHONY: debug-loop-cert44 +debug-loop-cert44: ## Full debug loop with cert 44 (no private key, DER format) + @echo "==========================================" + @echo "=== Debug Loop - Cert 44 (no key, DER) ===" + @echo "==========================================" + @$(MAKE) debug-build + @echo "" + @$(MAKE) debug-restart + @echo "" + @echo "=== Scheduling job for cert 44 ===" + @$(MAKE) debug-schedule-tls-cert CERT_ID=$(DEBUG_CERT_44_ID) + @echo "" + @$(MAKE) debug-wait-job + @sleep 3 + @echo "" + @echo "=== Container Logs (filtered) ===" + @CONTAINER_ID=$$(docker ps --filter "name=ses" --format "{{.ID}}" | head -1); \ + docker logs --tail 80 $$CONTAINER_ID 2>&1 | grep -E "(InitJobCertificate|DER|PEM|Certificate|NO PASSWORD|JobCertificate|MANAGEMENT|properties|ContentsFormat|chain|bytes)" + @echo "" + @$(MAKE) debug-check-tls-secret + @echo "" + @echo "==========================================" + @echo "=== Debug Loop Complete ===" + @echo "==========================================" + +.PHONY: debug-get-cert-info +debug-get-cert-info: ## Get certificate info from Command (usage: make debug-get-cert-info CERT_ID=43) + @if [ -z "$(CERT_ID)" ]; then \ + echo "ERROR: CERT_ID required"; \ + echo "Usage: make debug-get-cert-info CERT_ID=43"; \ + exit 1; \ + fi + @TOKEN=$$($(MAKE) -s token-get); \ + if [ "$$TOKEN" = "null" ] || [ -z "$$TOKEN" ]; then \ + echo "ERROR: Failed to get token" >&2; \ + exit 1; \ + fi; \ + source $(DEBUG_ENV_FILE); \ + curl -s --insecure "https://$$KEYFACTOR_HOSTNAME/$$KEYFACTOR_API_PATH/Certificates/$(CERT_ID)" \ + -H "Authorization: Bearer $$TOKEN" \ + -H "x-keyfactor-requested-with: APIClient" | \ + jq '{Id, Thumbprint, IssuedCN, HasPrivateKey, IssuerDN, KeyType: .KeyTypeString}' + +##@ OAuth Token Management + +# Token cache file and expiry (tokens valid for 55 minutes, refresh at 50 min) +TOKEN_FILE := .oauth_token +TOKEN_EXPIRY_FILE := .oauth_token_expiry +TOKEN_VALIDITY_SECONDS := 3000 + +.PHONY: token +token: ## Get OAuth token (uses cache if valid, otherwise fetches new) + @if [ -f "$(TOKEN_FILE)" ] && [ -f "$(TOKEN_EXPIRY_FILE)" ]; then \ + EXPIRY=$$(cat $(TOKEN_EXPIRY_FILE)); \ + NOW=$$(date +%s); \ + if [ "$$NOW" -lt "$$EXPIRY" ]; then \ + echo "Using cached token (expires in $$(( ($$EXPIRY - $$NOW) / 60 )) minutes)"; \ + cat $(TOKEN_FILE); \ + exit 0; \ + fi; \ + fi; \ + $(MAKE) token-refresh + +.PHONY: token-refresh +token-refresh: ## Force refresh OAuth token and cache to disk + @echo "Fetching new OAuth token..." + @source $(DEBUG_ENV_FILE); \ + TOKEN=$$(curl -s --insecure -X POST "$$KEYFACTOR_AUTH_TOKEN_URL" \ + -H "Content-Type: application/x-www-form-urlencoded" \ + -d "grant_type=client_credentials&client_id=$$KEYFACTOR_AUTH_CLIENT_ID&client_secret=$$KEYFACTOR_AUTH_CLIENT_SECRET&scope=openid" | \ + jq -r '.access_token'); \ + if [ "$$TOKEN" = "null" ] || [ -z "$$TOKEN" ]; then \ + echo "ERROR: Failed to get OAuth token" >&2; \ + exit 1; \ + fi; \ + echo "$$TOKEN" > $(TOKEN_FILE); \ + echo $$(( $$(date +%s) + $(TOKEN_VALIDITY_SECONDS) )) > $(TOKEN_EXPIRY_FILE); \ + echo "Token cached to $(TOKEN_FILE) (valid for $(TOKEN_VALIDITY_SECONDS) seconds)"; \ + echo "$$TOKEN" + +.PHONY: token-show +token-show: ## Show cached token info (without exposing full token) + @if [ -f "$(TOKEN_FILE)" ] && [ -f "$(TOKEN_EXPIRY_FILE)" ]; then \ + TOKEN=$$(cat $(TOKEN_FILE)); \ + EXPIRY=$$(cat $(TOKEN_EXPIRY_FILE)); \ + NOW=$$(date +%s); \ + if [ "$$NOW" -lt "$$EXPIRY" ]; then \ + echo "Token status: VALID"; \ + echo "Expires in: $$(( ($$EXPIRY - $$NOW) / 60 )) minutes"; \ + echo "Token preview: $${TOKEN:0:20}..."; \ + else \ + echo "Token status: EXPIRED"; \ + echo "Expired: $$(( ($$NOW - $$EXPIRY) / 60 )) minutes ago"; \ + fi; \ + else \ + echo "Token status: NOT CACHED"; \ + echo "Run 'make token' to fetch a new token"; \ + fi + +.PHONY: token-clear +token-clear: ## Clear cached OAuth token + @rm -f $(TOKEN_FILE) $(TOKEN_EXPIRY_FILE) + @echo "Token cache cleared" + +# Helper function to get token (for use in other targets) +# Usage: TOKEN=$$($(MAKE) -s token-get) +.PHONY: token-get +token-get: ## Get token silently (for use in scripts) + @if [ -f "$(TOKEN_FILE)" ] && [ -f "$(TOKEN_EXPIRY_FILE)" ]; then \ + EXPIRY=$$(cat $(TOKEN_EXPIRY_FILE)); \ + NOW=$$(date +%s); \ + if [ "$$NOW" -lt "$$EXPIRY" ]; then \ + cat $(TOKEN_FILE); \ + exit 0; \ + fi; \ + fi; \ + source $(DEBUG_ENV_FILE); \ + TOKEN=$$(curl -s --insecure -X POST "$$KEYFACTOR_AUTH_TOKEN_URL" \ + -H "Content-Type: application/x-www-form-urlencoded" \ + -d "grant_type=client_credentials&client_id=$$KEYFACTOR_AUTH_CLIENT_ID&client_secret=$$KEYFACTOR_AUTH_CLIENT_SECRET&scope=openid" | \ + jq -r '.access_token'); \ + if [ "$$TOKEN" != "null" ] && [ -n "$$TOKEN" ]; then \ + echo "$$TOKEN" > $(TOKEN_FILE); \ + echo $$(( $$(date +%s) + $(TOKEN_VALIDITY_SECONDS) )) > $(TOKEN_EXPIRY_FILE); \ + fi; \ + echo "$$TOKEN" + +##@ Keyfactor Command API + +.PHONY: api-list-stores +api-list-stores: ## List certificate stores from Command + @TOKEN=$$($(MAKE) -s token-get); \ + if [ "$$TOKEN" = "null" ] || [ -z "$$TOKEN" ]; then \ + echo "ERROR: Failed to get token" >&2; \ + exit 1; \ + fi; \ + source $(DEBUG_ENV_FILE); \ + curl -s --insecure "https://$$KEYFACTOR_HOSTNAME/$$KEYFACTOR_API_PATH/CertificateStores" \ + -H "Authorization: Bearer $$TOKEN" \ + -H "x-keyfactor-requested-with: APIClient" | \ + jq -r '.[] | "\(.Id) | \(.ClientMachine) | \(.StorePath)"' + +.PHONY: api-list-certs +api-list-certs: ## List certificates from Command (first 20) + @TOKEN=$$($(MAKE) -s token-get); \ + if [ "$$TOKEN" = "null" ] || [ -z "$$TOKEN" ]; then \ + echo "ERROR: Failed to get token" >&2; \ + exit 1; \ + fi; \ + source $(DEBUG_ENV_FILE); \ + curl -s --insecure "https://$$KEYFACTOR_HOSTNAME/$$KEYFACTOR_API_PATH/Certificates?pq.pageReturned=1&pq.returnLimit=20" \ + -H "Authorization: Bearer $$TOKEN" \ + -H "x-keyfactor-requested-with: APIClient" | \ + jq -r '.[] | "\(.Id) | \(.IssuedCN) | \(.Thumbprint) | HasKey=\(.HasPrivateKey)"' + +.PHONY: api-get-cert +api-get-cert: ## Get certificate details (usage: make api-get-cert CERT_ID=43) + @if [ -z "$(CERT_ID)" ]; then \ + echo "ERROR: CERT_ID required"; \ + echo "Usage: make api-get-cert CERT_ID=43"; \ + exit 1; \ + fi; \ + TOKEN=$$($(MAKE) -s token-get); \ + if [ "$$TOKEN" = "null" ] || [ -z "$$TOKEN" ]; then \ + echo "ERROR: Failed to get token" >&2; \ + exit 1; \ + fi; \ + source $(DEBUG_ENV_FILE); \ + curl -s --insecure "https://$$KEYFACTOR_HOSTNAME/$$KEYFACTOR_API_PATH/Certificates/$(CERT_ID)" \ + -H "Authorization: Bearer $$TOKEN" \ + -H "x-keyfactor-requested-with: APIClient" | \ + jq '{Id, Thumbprint, IssuedCN, HasPrivateKey, IssuerDN, KeyType: .KeyTypeString, NotBefore, NotAfter}' + +.PHONY: api-get-jobs +api-get-jobs: ## Get recent orchestrator jobs (last 10) + @TOKEN=$$($(MAKE) -s token-get); \ + if [ "$$TOKEN" = "null" ] || [ -z "$$TOKEN" ]; then \ + echo "ERROR: Failed to get token" >&2; \ + exit 1; \ + fi; \ + source $(DEBUG_ENV_FILE); \ + curl -s --insecure "https://$$KEYFACTOR_HOSTNAME/$$KEYFACTOR_API_PATH/OrchestratorJobs/ScheduledJobs?pq.pageReturned=1&pq.returnLimit=10&pq.sortAscending=0" \ + -H "Authorization: Bearer $$TOKEN" \ + -H "x-keyfactor-requested-with: APIClient" | \ + jq -r '.[] | "\(.JobId) | \(.JobTypeName) | \(.Status) | \(.Requested)"' + +##@ Kubernetes CSR Management (for K8SCert testing) + +.PHONY: csr-create +csr-create: ## Create a test CSR (usage: make csr-create [NAME=my-csr] [CN=test-cert]) + @NAME=$${NAME:-test-csr-$$(date +%s)}; \ + CN=$${CN:-test-certificate}; \ + TMPDIR=$$(mktemp -d); \ + echo "=== Creating CSR: $$NAME (CN=$$CN) ==="; \ + openssl genrsa -out $$TMPDIR/key.pem 2048 2>/dev/null; \ + openssl req -new -key $$TMPDIR/key.pem -out $$TMPDIR/csr.pem -subj "/CN=$$CN" 2>/dev/null; \ + CSR_BASE64=$$(cat $$TMPDIR/csr.pem | base64 | tr -d '\n'); \ + printf 'apiVersion: certificates.k8s.io/v1\nkind: CertificateSigningRequest\nmetadata:\n name: %s\nspec:\n request: %s\n signerName: kubernetes.io/kube-apiserver-client\n usages:\n - client auth\n' "$$NAME" "$$CSR_BASE64" | kubectl apply -f -; \ + rm -rf $$TMPDIR; \ + echo "CSR created: $$NAME"; \ + echo "To approve: make csr-approve NAME=$$NAME"; \ + echo "To view: kubectl get csr $$NAME" + +.PHONY: csr-create-approved +csr-create-approved: ## Create and approve a test CSR (usage: make csr-create-approved [NAME=my-csr]) + @NAME=$${NAME:-test-csr-$$(date +%s)}; \ + $(MAKE) csr-create NAME=$$NAME; \ + sleep 1; \ + $(MAKE) csr-approve NAME=$$NAME + +.PHONY: csr-approve +csr-approve: ## Approve a CSR (usage: make csr-approve NAME=my-csr) + @if [ -z "$(NAME)" ]; then \ + echo "ERROR: NAME required"; \ + echo "Usage: make csr-approve NAME=my-csr"; \ + exit 1; \ + fi + @echo "=== Approving CSR: $(NAME) ===" + @kubectl certificate approve $(NAME) + @echo "CSR approved" + +.PHONY: csr-deny +csr-deny: ## Deny a CSR (usage: make csr-deny NAME=my-csr) + @if [ -z "$(NAME)" ]; then \ + echo "ERROR: NAME required"; \ + echo "Usage: make csr-deny NAME=my-csr"; \ + exit 1; \ + fi + @echo "=== Denying CSR: $(NAME) ===" + @kubectl certificate deny $(NAME) + @echo "CSR denied" + +.PHONY: csr-list +csr-list: ## List all CSRs in the cluster + @echo "=== Certificate Signing Requests ===" + @kubectl get csr -o wide + +.PHONY: csr-list-test +csr-list-test: ## List only test CSRs (prefixed with test-) + @echo "=== Test CSRs ===" + @kubectl get csr -o wide | grep -E "^NAME|^test-" || echo "No test CSRs found" + +.PHONY: csr-describe +csr-describe: ## Describe a CSR (usage: make csr-describe NAME=my-csr) + @if [ -z "$(NAME)" ]; then \ + echo "ERROR: NAME required"; \ + echo "Usage: make csr-describe NAME=my-csr"; \ + exit 1; \ + fi + @kubectl describe csr $(NAME) + +.PHONY: csr-delete +csr-delete: ## Delete a CSR (usage: make csr-delete NAME=my-csr) + @if [ -z "$(NAME)" ]; then \ + echo "ERROR: NAME required"; \ + echo "Usage: make csr-delete NAME=my-csr"; \ + exit 1; \ + fi + @echo "=== Deleting CSR: $(NAME) ===" + @kubectl delete csr $(NAME) + @echo "CSR deleted" + +.PHONY: csr-cleanup +csr-cleanup: ## Delete all test CSRs (prefixed with test-) + @echo "=== Cleaning up test CSRs ===" + @kubectl get csr --no-headers 2>/dev/null | grep "^test-" | awk '{print $$1}' | \ + while read csr; do \ + echo "Deleting CSR $$csr..."; \ + kubectl delete csr $$csr 2>/dev/null || true; \ + done || echo "No test CSRs found" + @echo "Cleanup complete" + +.PHONY: csr-create-batch +csr-create-batch: ## Create multiple test CSRs (usage: make csr-create-batch [COUNT=10] [APPROVE=true]) + @COUNT=$${COUNT:-10}; \ + APPROVE=$${APPROVE:-false}; \ + echo "=== Creating $$COUNT test CSRs (approve=$$APPROVE) ==="; \ + for i in $$(seq 1 $$COUNT); do \ + NAME="test-batch-csr-$$i-$$(date +%s)"; \ + if [ "$$APPROVE" = "true" ]; then \ + $(MAKE) csr-create-approved NAME=$$NAME; \ + else \ + $(MAKE) csr-create NAME=$$NAME; \ + fi; \ + echo ""; \ + done; \ + echo "=== Created $$COUNT CSRs ===" + +.PHONY: csr-create-with-chain +csr-create-with-chain: ## Create a CSR with a certificate chain (for testing chain handling) + @NAME=$${NAME:-test-chain-csr-$$(date +%s)}; \ + TMPDIR=$$(mktemp -d); \ + echo "=== Creating CSR with certificate chain: $$NAME ==="; \ + echo "Generating test CA chain (root -> intermediate -> leaf)..."; \ + openssl genrsa -out $$TMPDIR/root-ca.key 2048 2>/dev/null; \ + openssl req -x509 -new -nodes -key $$TMPDIR/root-ca.key -sha256 -days 365 \ + -out $$TMPDIR/root-ca.pem -subj "/CN=Test Root CA" 2>/dev/null; \ + openssl genrsa -out $$TMPDIR/intermediate-ca.key 2048 2>/dev/null; \ + openssl req -new -key $$TMPDIR/intermediate-ca.key \ + -out $$TMPDIR/intermediate-ca.csr -subj "/CN=Test Intermediate CA" 2>/dev/null; \ + openssl x509 -req -in $$TMPDIR/intermediate-ca.csr -CA $$TMPDIR/root-ca.pem \ + -CAkey $$TMPDIR/root-ca.key -CAcreateserial -out $$TMPDIR/intermediate-ca.pem \ + -days 365 -sha256 2>/dev/null; \ + openssl genrsa -out $$TMPDIR/leaf.key 2048 2>/dev/null; \ + openssl req -new -key $$TMPDIR/leaf.key \ + -out $$TMPDIR/leaf.csr -subj "/CN=Test Leaf Certificate" 2>/dev/null; \ + openssl x509 -req -in $$TMPDIR/leaf.csr -CA $$TMPDIR/intermediate-ca.pem \ + -CAkey $$TMPDIR/intermediate-ca.key -CAcreateserial -out $$TMPDIR/leaf.pem \ + -days 365 -sha256 2>/dev/null; \ + cat $$TMPDIR/leaf.pem $$TMPDIR/intermediate-ca.pem $$TMPDIR/root-ca.pem > $$TMPDIR/chain.pem; \ + echo "Creating K8S CSR with custom signer (to allow manual certificate injection)..."; \ + CSR_BASE64=$$(cat $$TMPDIR/leaf.csr | base64 | tr -d '\n'); \ + printf 'apiVersion: certificates.k8s.io/v1\nkind: CertificateSigningRequest\nmetadata:\n name: %s\nspec:\n request: %s\n signerName: keyfactor.com/test-signer\n usages:\n - client auth\n' "$$NAME" "$$CSR_BASE64" | kubectl apply -f -; \ + echo "Approving CSR..."; \ + kubectl certificate approve $$NAME; \ + sleep 1; \ + echo "Injecting certificate chain (3 certs: leaf + intermediate + root)..."; \ + CHAIN_BASE64=$$(cat $$TMPDIR/chain.pem | base64 | tr -d '\n'); \ + kubectl patch csr $$NAME --type=json --subresource=status \ + -p "[{\"op\": \"add\", \"path\": \"/status/certificate\", \"value\": \"$$CHAIN_BASE64\"}]"; \ + rm -rf $$TMPDIR; \ + echo ""; \ + echo "=== CSR created with 3-certificate chain: $$NAME ==="; \ + kubectl get csr $$NAME -o jsonpath='{.status.certificate}' | base64 -d | grep -c "BEGIN CERTIFICATE" | xargs -I{} echo "Certificate count: {}"; \ + echo "To view chain: kubectl get csr $$NAME -o jsonpath='{.status.certificate}' | base64 -d" + +.PHONY: csr-create-batch-with-chain +csr-create-batch-with-chain: ## Create multiple CSRs with certificate chains (usage: make csr-create-batch-with-chain [COUNT=3]) + @COUNT=$${COUNT:-3}; \ + echo "=== Creating $$COUNT CSRs with certificate chains ==="; \ + for i in $$(seq 1 $$COUNT); do \ + NAME="test-chain-csr-$$i-$$(date +%s)"; \ + $(MAKE) csr-create-with-chain NAME=$$NAME; \ + echo ""; \ + done; \ + echo "=== Created $$COUNT CSRs with chains ===" + ##@ Build .PHONY: build build: ## Build the test project - dotnet build + dotnet build diff --git a/README.md b/README.md index 3e1fa8cc..9a9e1044 100644 --- a/README.md +++ b/README.md @@ -31,18 +31,18 @@ ## Overview -The Kubernetes Orchestrator allows for the remote management of certificate stores defined in a Kubernetes cluster. -The following types of Kubernetes resources are supported: kubernetes secrets of `kubernetes.io/tls` or `Opaque` and -kubernetes certificates `certificates.k8s.io/v1` +The Kubernetes Orchestrator allows for the remote management of certificate stores defined in a Kubernetes cluster. +The following types of Kubernetes resources are supported: Kubernetes secrets of type `kubernetes.io/tls` or `Opaque`, and +Kubernetes certificates of type `certificates.k8s.io/v1`. The certificate store types that can be managed in the current version are: - `K8SCert` - Kubernetes certificates of type `certificates.k8s.io/v1` - `K8SSecret` - Kubernetes secrets of type `Opaque` -- `K8STLSSecret` - Kubernetes secrets of type `kubernetes.io/tls` -- `K8SCluster` - This allows for a single store to manage a k8s cluster's secrets or type `Opaque` and `kubernetes.io/tls`. - This can be thought of as a container of `K8SSecret` and `K8STLSSecret` stores across all k8s namespaces. -- `K8SNS` - This allows for a single store to manage a k8s namespace's secrets or type `Opaque` and `kubernetes.io/tls`. - This can be thought of as a container of `K8SSecret` and `K8STLSSecret` stores for a single k8s namespace. +- `K8STLSSecr` - Kubernetes secrets of type `kubernetes.io/tls` +- `K8SCluster` - This allows for a single store to manage a Kubernetes cluster's secrets of type `Opaque` and `kubernetes.io/tls`. + This can be thought of as a container of `K8SSecret` and `K8STLSSecr` stores across all Kubernetes namespaces. +- `K8SNS` - This allows for a single store to manage a Kubernetes namespace's secrets of type `Opaque` and `kubernetes.io/tls`. + This can be thought of as a container of `K8SSecret` and `K8STLSSecr` stores for a single Kubernetes namespace. - `K8SJKS` - Kubernetes secrets of type `Opaque` that contain one or more Java Keystore(s). These cannot be managed at the cluster or namespace level as they should all require unique credentials. - `K8SPKCS12` - Kubernetes secrets of type `Opaque` that contain one or more PKCS12(s). These cannot be managed at the @@ -85,6 +85,7 @@ Before installing the Kubernetes Universal Orchestrator extension, we recommend ### Kubernetes API Access + This orchestrator extension makes use of the Kubernetes API by using a service account to communicate remotely with certificate stores. The service account must exist and have the appropriate permissions. The service account token can be provided to the extension in one of two ways: @@ -92,6 +93,7 @@ The service account token can be provided to the extension in one of two ways: - As a base64 encoded string that contains the service account credentials #### Service Account Setup + To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension. For full information on the required permissions, see the [service account setup guide](./scripts/kubernetes/README.md). @@ -107,10 +109,9 @@ The Kubernetes Universal Orchestrator extension implements 7 Certificate Store T
Click to expand details -The `K8SCert` store type is used to manage Kubernetes certificates of type `certificates.k8s.io/v1`. +The `K8SCert` store type is used to manage Kubernetes Certificate Signing Requests (CSRs) of type `certificates.k8s.io/v1`. -**NOTE**: only `inventory` and `discovery` of these resources is supported with this extension. To provision these certs use the -[k8s-csr-signer](https://github.com/Keyfactor/k8s-csr-signer). +**NOTE**: Only `inventory` and `discovery` of these resources is supported with this extension. CSRs are read-only - to provision certificates through CSRs, use the [k8s-csr-signer](https://github.com/Keyfactor/k8s-csr-signer). @@ -197,9 +198,7 @@ the Keyfactor Command Portal | ---- | ------------ | ---- | --------------------- | -------- | ----------- | | ServerUsername | Server Username | This should be no value or `kubeconfig` | Secret | None | ๐Ÿ”ฒ Unchecked | | ServerPassword | Server Password | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | Secret | None | โœ… Checked | - | KubeNamespace | KubeNamespace | The K8S namespace to use to manage the K8S secret object. | String | default | ๐Ÿ”ฒ Unchecked | - | KubeSecretName | KubeSecretName | The name of the K8S secret object. | String | | ๐Ÿ”ฒ Unchecked | - | KubeSecretType | KubeSecretType | This defaults to and must be `csr` | String | cert | โœ… Checked | + | KubeSecretName | KubeSecretName | The name of a specific CSR to inventory. Leave empty or set to '*' to inventory ALL issued CSRs in the cluster. | String | | ๐Ÿ”ฒ Unchecked | The Custom Fields tab should look like this: @@ -226,30 +225,14 @@ the Keyfactor Command Portal - ###### KubeNamespace - The K8S namespace to use to manage the K8S secret object. - - ![K8SCert Custom Field - KubeNamespace](docsource/images/K8SCert-custom-field-KubeNamespace-dialog.png) - ![K8SCert Custom Field - KubeNamespace](docsource/images/K8SCert-custom-field-KubeNamespace-validation-options-dialog.png) - - - ###### KubeSecretName - The name of the K8S secret object. + The name of a specific CSR to inventory. Leave empty or set to '*' to inventory ALL issued CSRs in the cluster. ![K8SCert Custom Field - KubeSecretName](docsource/images/K8SCert-custom-field-KubeSecretName-dialog.png) ![K8SCert Custom Field - KubeSecretName](docsource/images/K8SCert-custom-field-KubeSecretName-validation-options-dialog.png) - ###### KubeSecretType - This defaults to and must be `csr` - - ![K8SCert Custom Field - KubeSecretType](docsource/images/K8SCert-custom-field-KubeSecretType-dialog.png) - ![K8SCert Custom Field - KubeSecretType](docsource/images/K8SCert-custom-field-KubeSecretType-validation-options-dialog.png) - - -
@@ -260,7 +243,7 @@ the Keyfactor Command Portal
Click to expand details -The `K8SCluster` store type allows for a single store to manage a k8s cluster's secrets or type `Opaque` and `kubernetes.io/tls`. +The `K8SCluster` store type allows for a single store to manage a Kubernetes cluster's secrets of type `Opaque` and `kubernetes.io/tls`. @@ -345,7 +328,7 @@ the Keyfactor Command Portal | Name | Display Name | Description | Type | Default Value/Options | Required | | ---- | ------------ | ---- | --------------------- | -------- | ----------- | - | IncludeCertChain | Include Certificate Chain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. | Bool | true | ๐Ÿ”ฒ Unchecked | + | IncludeCertChain | Include Certificate Chain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | Bool | true | ๐Ÿ”ฒ Unchecked | | SeparateChain | Separate Chain | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. | Bool | false | ๐Ÿ”ฒ Unchecked | | ServerUsername | Server Username | This should be no value or `kubeconfig` | Secret | None | ๐Ÿ”ฒ Unchecked | | ServerPassword | Server Password | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | Secret | None | ๐Ÿ”ฒ Unchecked | @@ -356,7 +339,7 @@ the Keyfactor Command Portal ###### Include Certificate Chain - Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. + Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. ![K8SCluster Custom Field - IncludeCertChain](docsource/images/K8SCluster-custom-field-IncludeCertChain-dialog.png) ![K8SCluster Custom Field - IncludeCertChain](docsource/images/K8SCluster-custom-field-IncludeCertChain-validation-options-dialog.png) @@ -405,7 +388,7 @@ The `K8SJKS` store type is used to manage Kubernetes secrets of type `Opaque`. must have a field that ends in `.jks`. The orchestrator will inventory and manage using a *custom alias* of the following pattern: `/`. For example, if the secret has a field named `mykeystore.jks` and the keystore contains a certificate with an alias of `mycert`, the orchestrator will manage the certificate using the -alias `mykeystore.jks/mycert`. *NOTE* *This store type cannot be managed at the `cluster` or `namespace` level as they +alias `mykeystore.jks/mycert`. *NOTE* *This store type cannot be managed at the `cluster` or `namespace` level as they should all require unique credentials.* @@ -493,11 +476,11 @@ the Keyfactor Command Portal | ---- | ------------ | ---- | --------------------- | -------- | ----------- | | KubeNamespace | KubeNamespace | The K8S namespace to use to manage the K8S secret object. | String | default | ๐Ÿ”ฒ Unchecked | | KubeSecretName | KubeSecretName | The name of the K8S secret object. | String | None | ๐Ÿ”ฒ Unchecked | - | KubeSecretType | KubeSecretType | This defaults to and must be `jks` | String | jks | โœ… Checked | + | KubeSecretType | KubeSecretType | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `jks`. | String | jks | ๐Ÿ”ฒ Unchecked | | CertificateDataFieldName | CertificateDataFieldName | The field name to use when looking for certificate data in the K8S secret. | String | None | ๐Ÿ”ฒ Unchecked | | PasswordFieldName | PasswordFieldName | The field name to use when looking for the JKS keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`. | String | password | ๐Ÿ”ฒ Unchecked | | PasswordIsK8SSecret | PasswordIsK8SSecret | Indicates whether the password to the JKS keystore is stored in a separate K8S secret. | Bool | false | ๐Ÿ”ฒ Unchecked | - | IncludeCertChain | Include Certificate Chain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. | Bool | true | ๐Ÿ”ฒ Unchecked | + | IncludeCertChain | Include Certificate Chain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | Bool | true | ๐Ÿ”ฒ Unchecked | | StorePasswordPath | StorePasswordPath | The path to the K8S secret object to use as the password to the JKS keystore. Example: `/` | String | None | ๐Ÿ”ฒ Unchecked | | ServerUsername | Server Username | This should be no value or `kubeconfig` | Secret | None | ๐Ÿ”ฒ Unchecked | | ServerPassword | Server Password | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | Secret | None | ๐Ÿ”ฒ Unchecked | @@ -524,7 +507,7 @@ the Keyfactor Command Portal ###### KubeSecretType - This defaults to and must be `jks` + DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `jks`. ![K8SJKS Custom Field - KubeSecretType](docsource/images/K8SJKS-custom-field-KubeSecretType-dialog.png) ![K8SJKS Custom Field - KubeSecretType](docsource/images/K8SJKS-custom-field-KubeSecretType-validation-options-dialog.png) @@ -556,7 +539,7 @@ the Keyfactor Command Portal ###### Include Certificate Chain - Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. + Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. ![K8SJKS Custom Field - IncludeCertChain](docsource/images/K8SJKS-custom-field-IncludeCertChain-dialog.png) ![K8SJKS Custom Field - IncludeCertChain](docsource/images/K8SJKS-custom-field-IncludeCertChain-validation-options-dialog.png) @@ -601,8 +584,8 @@ the Keyfactor Command Portal
Click to expand details -The `K8SNS` store type is used to manage Kubernetes secrets of type `kubernetes.io/tls` and/or type `Opaque` in a single -Keyfactor Command certificate store using an alias pattern of +The `K8SNS` store type is used to manage Kubernetes secrets of type `kubernetes.io/tls` and/or type `Opaque` in a single +Keyfactor Command certificate store. This store type manages all secrets within a specific Kubernetes namespace. @@ -688,7 +671,7 @@ the Keyfactor Command Portal | Name | Display Name | Description | Type | Default Value/Options | Required | | ---- | ------------ | ---- | --------------------- | -------- | ----------- | | KubeNamespace | Kube Namespace | The K8S namespace to use to manage the K8S secret object. | String | default | ๐Ÿ”ฒ Unchecked | - | IncludeCertChain | Include Certificate Chain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. | Bool | true | ๐Ÿ”ฒ Unchecked | + | IncludeCertChain | Include Certificate Chain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | Bool | true | ๐Ÿ”ฒ Unchecked | | SeparateChain | Separate Chain | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. | Bool | false | ๐Ÿ”ฒ Unchecked | | ServerUsername | Server Username | This should be no value or `kubeconfig` | Secret | None | ๐Ÿ”ฒ Unchecked | | ServerPassword | Server Password | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | Secret | None | ๐Ÿ”ฒ Unchecked | @@ -707,7 +690,7 @@ the Keyfactor Command Portal ###### Include Certificate Chain - Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. + Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. ![K8SNS Custom Field - IncludeCertChain](docsource/images/K8SNS-custom-field-IncludeCertChain-dialog.png) ![K8SNS Custom Field - IncludeCertChain](docsource/images/K8SNS-custom-field-IncludeCertChain-validation-options-dialog.png) @@ -842,7 +825,7 @@ the Keyfactor Command Portal | Name | Display Name | Description | Type | Default Value/Options | Required | | ---- | ------------ | ---- | --------------------- | -------- | ----------- | - | IncludeCertChain | Include Certificate Chain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. | Bool | true | ๐Ÿ”ฒ Unchecked | + | IncludeCertChain | Include Certificate Chain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | Bool | true | ๐Ÿ”ฒ Unchecked | | CertificateDataFieldName | CertificateDataFieldName | | String | .p12 | โœ… Checked | | PasswordFieldName | Password Field Name | The field name to use when looking for the PKCS12 keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`. | String | password | ๐Ÿ”ฒ Unchecked | | PasswordIsK8SSecret | Password Is K8S Secret | Indicates whether the password to the PKCS12 keystore is stored in a separate K8S secret object. | Bool | false | ๐Ÿ”ฒ Unchecked | @@ -850,7 +833,7 @@ the Keyfactor Command Portal | KubeSecretName | Kube Secret Name | The name of the K8S secret object. | String | None | ๐Ÿ”ฒ Unchecked | | ServerUsername | Server Username | This should be no value or `kubeconfig` | Secret | None | ๐Ÿ”ฒ Unchecked | | ServerPassword | Server Password | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | Secret | None | ๐Ÿ”ฒ Unchecked | - | KubeSecretType | Kube Secret Type | This defaults to and must be `pkcs12` | String | pkcs12 | โœ… Checked | + | KubeSecretType | Kube Secret Type | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `pkcs12`. | String | pkcs12 | ๐Ÿ”ฒ Unchecked | | StorePasswordPath | StorePasswordPath | The path to the K8S secret object to use as the password to the PFX/PKCS12 data. Example: `/` | String | None | ๐Ÿ”ฒ Unchecked | The Custom Fields tab should look like this: @@ -859,7 +842,7 @@ the Keyfactor Command Portal ###### Include Certificate Chain - Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. + Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. ![K8SPKCS12 Custom Field - IncludeCertChain](docsource/images/K8SPKCS12-custom-field-IncludeCertChain-dialog.png) ![K8SPKCS12 Custom Field - IncludeCertChain](docsource/images/K8SPKCS12-custom-field-IncludeCertChain-validation-options-dialog.png) @@ -927,7 +910,7 @@ the Keyfactor Command Portal ###### Kube Secret Type - This defaults to and must be `pkcs12` + DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `pkcs12`. ![K8SPKCS12 Custom Field - KubeSecretType](docsource/images/K8SPKCS12-custom-field-KubeSecretType-dialog.png) ![K8SPKCS12 Custom Field - KubeSecretType](docsource/images/K8SPKCS12-custom-field-KubeSecretType-validation-options-dialog.png) @@ -1039,8 +1022,8 @@ the Keyfactor Command Portal | ---- | ------------ | ---- | --------------------- | -------- | ----------- | | KubeNamespace | KubeNamespace | The K8S namespace to use to manage the K8S secret object. | String | None | ๐Ÿ”ฒ Unchecked | | KubeSecretName | KubeSecretName | The name of the K8S secret object. | String | None | ๐Ÿ”ฒ Unchecked | - | KubeSecretType | KubeSecretType | This defaults to and must be `secret` | String | secret | โœ… Checked | - | IncludeCertChain | Include Certificate Chain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. | Bool | true | ๐Ÿ”ฒ Unchecked | + | KubeSecretType | KubeSecretType | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `secret`. | String | secret | ๐Ÿ”ฒ Unchecked | + | IncludeCertChain | Include Certificate Chain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | Bool | true | ๐Ÿ”ฒ Unchecked | | SeparateChain | Separate Chain | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. | Bool | false | ๐Ÿ”ฒ Unchecked | | ServerUsername | Server Username | This should be no value or `kubeconfig` | Secret | None | ๐Ÿ”ฒ Unchecked | | ServerPassword | Server Password | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | Secret | None | ๐Ÿ”ฒ Unchecked | @@ -1067,7 +1050,7 @@ the Keyfactor Command Portal ###### KubeSecretType - This defaults to and must be `secret` + DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `secret`. ![K8SSecret Custom Field - KubeSecretType](docsource/images/K8SSecret-custom-field-KubeSecretType-dialog.png) ![K8SSecret Custom Field - KubeSecretType](docsource/images/K8SSecret-custom-field-KubeSecretType-validation-options-dialog.png) @@ -1075,7 +1058,7 @@ the Keyfactor Command Portal ###### Include Certificate Chain - Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. + Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. ![K8SSecret Custom Field - IncludeCertChain](docsource/images/K8SSecret-custom-field-IncludeCertChain-dialog.png) ![K8SSecret Custom Field - IncludeCertChain](docsource/images/K8SSecret-custom-field-IncludeCertChain-validation-options-dialog.png) @@ -1120,7 +1103,7 @@ the Keyfactor Command Portal
Click to expand details -The `K8STLSSecret` store type is used to manage Kubernetes secrets of type `kubernetes.io/tls` +The `K8STLSSecr` store type is used to manage Kubernetes secrets of type `kubernetes.io/tls`. @@ -1207,8 +1190,8 @@ the Keyfactor Command Portal | ---- | ------------ | ---- | --------------------- | -------- | ----------- | | KubeNamespace | KubeNamespace | The K8S namespace to use to manage the K8S secret object. | String | None | ๐Ÿ”ฒ Unchecked | | KubeSecretName | KubeSecretName | The name of the K8S secret object. | String | None | ๐Ÿ”ฒ Unchecked | - | KubeSecretType | KubeSecretType | This defaults to and must be `tls_secret` | String | tls_secret | โœ… Checked | - | IncludeCertChain | Include Certificate Chain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. | Bool | true | ๐Ÿ”ฒ Unchecked | + | KubeSecretType | KubeSecretType | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `tls_secret`. | String | tls_secret | ๐Ÿ”ฒ Unchecked | + | IncludeCertChain | Include Certificate Chain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | Bool | true | ๐Ÿ”ฒ Unchecked | | SeparateChain | Separate Chain | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. | Bool | false | ๐Ÿ”ฒ Unchecked | | ServerUsername | Server Username | This should be no value or `kubeconfig` | Secret | None | ๐Ÿ”ฒ Unchecked | | ServerPassword | Server Password | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | Secret | None | ๐Ÿ”ฒ Unchecked | @@ -1235,7 +1218,7 @@ the Keyfactor Command Portal ###### KubeSecretType - This defaults to and must be `tls_secret` + DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `tls_secret`. ![K8STLSSecr Custom Field - KubeSecretType](docsource/images/K8STLSSecr-custom-field-KubeSecretType-dialog.png) ![K8STLSSecr Custom Field - KubeSecretType](docsource/images/K8STLSSecr-custom-field-KubeSecretType-validation-options-dialog.png) @@ -1243,7 +1226,7 @@ the Keyfactor Command Portal ###### Include Certificate Chain - Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. + Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. ![K8STLSSecr Custom Field - IncludeCertChain](docsource/images/K8STLSSecr-custom-field-IncludeCertChain-dialog.png) ![K8STLSSecr Custom Field - IncludeCertChain](docsource/images/K8STLSSecr-custom-field-IncludeCertChain-validation-options-dialog.png) @@ -1352,14 +1335,12 @@ The Kubernetes Universal Orchestrator extension implements 7 Certificate Store T | --------- |---------------------------------------------------------| | Category | Select "K8SCert" or the customized certificate store name from the previous step. | | Container | Optional container to associate certificate store with. | - | Client Machine | This can be anything useful, recommend using the k8s cluster name or identifier. | + | Client Machine | The Kubernetes cluster name or identifier. | | Store Path | | | Orchestrator | Select an approved orchestrator capable of managing `K8SCert` certificates. Specifically, one with the `K8SCert` capability. | | ServerUsername | This should be no value or `kubeconfig` | | ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | - | KubeNamespace | The K8S namespace to use to manage the K8S secret object. | - | KubeSecretName | The name of the K8S secret object. | - | KubeSecretType | This defaults to and must be `csr` | + | KubeSecretName | The name of a specific CSR to inventory. Leave empty or set to '*' to inventory ALL issued CSRs in the cluster. |
@@ -1382,14 +1363,12 @@ The Kubernetes Universal Orchestrator extension implements 7 Certificate Store T | --------- | ----------- | | Category | Select "K8SCert" or the customized certificate store name from the previous step. | | Container | Optional container to associate certificate store with. | - | Client Machine | This can be anything useful, recommend using the k8s cluster name or identifier. | + | Client Machine | The Kubernetes cluster name or identifier. | | Store Path | | | Orchestrator | Select an approved orchestrator capable of managing `K8SCert` certificates. Specifically, one with the `K8SCert` capability. | | Properties.ServerUsername | This should be no value or `kubeconfig` | | Properties.ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | - | Properties.KubeNamespace | The K8S namespace to use to manage the K8S secret object. | - | Properties.KubeSecretName | The name of the K8S secret object. | - | Properties.KubeSecretType | This defaults to and must be `csr` | + | Properties.KubeSecretName | The name of a specific CSR to inventory. Leave empty or set to '*' to inventory ALL issued CSRs in the cluster. | 3. **Import the CSV file to create the certificate stores** @@ -1419,6 +1398,66 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov > The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store). +### Inventory Modes + +K8SCert supports two inventory modes: + +#### Single CSR Mode (Legacy) + +When `KubeSecretName` is set to a specific CSR name, the store inventories only that single CSR. This is useful when you want to track a specific certificate issued through a CSR. + +**Configuration:** +- `KubeSecretName`: The name of the specific CSR to inventory (e.g., `my-app-csr`) + +#### Cluster-Wide Mode + +When `KubeSecretName` is left empty or set to `*`, the store inventories ALL issued CSRs in the cluster. This provides a single-pane view of all certificates issued through Kubernetes CSRs. + +**Configuration:** +- `KubeSecretName`: Leave empty or set to `*` + +**Note:** Only CSRs that have been approved AND have an issued certificate are included in the inventory. Pending or denied CSRs are skipped. + +### Store Configuration + +| Property | Description | Required | +|----------|-------------|----------| +| **Client Machine** | A descriptive name for the Kubernetes cluster | Yes | +| **Store Path** | Can be any value (not used for CSR inventory) | Yes | +| **Server Username** | Leave empty or set to `kubeconfig` | No | +| **Server Password** | The kubeconfig JSON for connecting to the cluster | Yes | +| **KubeSecretName** | CSR name for single mode, or empty/`*` for cluster-wide mode | No | + +### Discovery + +Discovery will find all CSRs in the cluster that have issued certificates and return them as potential store locations. Each discovered CSR can be added as a separate K8SCert store (single CSR mode). + +### Example Use Cases + +#### Track All Cluster Certificates + +Create a single K8SCert store with `KubeSecretName` empty to get visibility into all certificates issued through Kubernetes CSRs: + +1. Create a K8SCert store +2. Set `Client Machine` to your cluster name +3. Leave `KubeSecretName` empty +4. Run inventory to see all issued CSR certificates + +#### Track a Specific Application Certificate + +Create a K8SCert store for a specific CSR: + +1. Create a K8SCert store +2. Set `Client Machine` to your cluster name +3. Set `KubeSecretName` to the CSR name (e.g., `my-app-client-cert`) +4. Run inventory to track that specific certificate + +### Limitations + +- **Read-Only**: K8SCert does not support Add or Remove operations. CSRs must be created and approved through Kubernetes APIs or kubectl. +- **No Private Keys**: CSR certificates do not include private keys in Kubernetes (the private key stays with the requestor). +- **Cluster-Scoped**: CSRs are cluster-scoped resources (not namespaced). +
K8SCluster (K8SCluster) @@ -1456,7 +1495,7 @@ have specific keys in the Kubernetes secret. | Client Machine | This can be anything useful, recommend using the k8s cluster name or identifier. | | Store Path | | | Orchestrator | Select an approved orchestrator capable of managing `K8SCluster` certificates. Specifically, one with the `K8SCluster` capability. | - | IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. | + | IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | | SeparateChain | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. | | ServerUsername | This should be no value or `kubeconfig` | | ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | @@ -1485,7 +1524,7 @@ have specific keys in the Kubernetes secret. | Client Machine | This can be anything useful, recommend using the k8s cluster name or identifier. | | Store Path | | | Orchestrator | Select an approved orchestrator capable of managing `K8SCluster` certificates. Specifically, one with the `K8SCluster` capability. | - | Properties.IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. | + | Properties.IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | | Properties.SeparateChain | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. | | Properties.ServerUsername | This should be no value or `kubeconfig` | | Properties.ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | @@ -1562,11 +1601,11 @@ the certificate alias in the `jks` data store. | Orchestrator | Select an approved orchestrator capable of managing `K8SJKS` certificates. Specifically, one with the `K8SJKS` capability. | | KubeNamespace | The K8S namespace to use to manage the K8S secret object. | | KubeSecretName | The name of the K8S secret object. | - | KubeSecretType | This defaults to and must be `jks` | + | KubeSecretType | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `jks`. | | CertificateDataFieldName | The field name to use when looking for certificate data in the K8S secret. | | PasswordFieldName | The field name to use when looking for the JKS keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`. | | PasswordIsK8SSecret | Indicates whether the password to the JKS keystore is stored in a separate K8S secret. | - | IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. | + | IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | | StorePasswordPath | The path to the K8S secret object to use as the password to the JKS keystore. Example: `/` | | ServerUsername | This should be no value or `kubeconfig` | | ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | @@ -1598,11 +1637,11 @@ the certificate alias in the `jks` data store. | Orchestrator | Select an approved orchestrator capable of managing `K8SJKS` certificates. Specifically, one with the `K8SJKS` capability. | | Properties.KubeNamespace | The K8S namespace to use to manage the K8S secret object. | | Properties.KubeSecretName | The name of the K8S secret object. | - | Properties.KubeSecretType | This defaults to and must be `jks` | + | Properties.KubeSecretType | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `jks`. | | Properties.CertificateDataFieldName | The field name to use when looking for certificate data in the K8S secret. | | Properties.PasswordFieldName | The field name to use when looking for the JKS keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`. | | Properties.PasswordIsK8SSecret | Indicates whether the password to the JKS keystore is stored in a separate K8S secret. | - | Properties.IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. | + | Properties.IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | | Properties.StorePasswordPath | The path to the K8S secret object to use as the password to the JKS keystore. Example: `/` | | Properties.ServerUsername | This should be no value or `kubeconfig` | | Properties.ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | @@ -1636,6 +1675,18 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov > The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store). +### Supported Key Types + +The K8SJKS store type supports certificates with the following key algorithms: + +| Key Type | Supported | +|----------|-----------| +| RSA (1024, 2048, 4096, 8192 bit) | Yes | +| ECDSA (P-256, P-384, P-521) | Yes | +| DSA (1024, 2048 bit) | Yes | +| Ed25519 | Yes | +| Ed448 | Yes | +
K8SNS (K8SNS) @@ -1646,10 +1697,12 @@ have specific keys in the Kubernetes secret. - Additional keys: `tls.key` ### Storepath Patterns + - `` - `/` ### Alias Patterns + - `secrets//` @@ -1675,7 +1728,7 @@ have specific keys in the Kubernetes secret. | Store Path | | | Orchestrator | Select an approved orchestrator capable of managing `K8SNS` certificates. Specifically, one with the `K8SNS` capability. | | KubeNamespace | The K8S namespace to use to manage the K8S secret object. | - | IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. | + | IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | | SeparateChain | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. | | ServerUsername | This should be no value or `kubeconfig` | | ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | @@ -1705,7 +1758,7 @@ have specific keys in the Kubernetes secret. | Store Path | | | Orchestrator | Select an approved orchestrator capable of managing `K8SNS` certificates. Specifically, one with the `K8SNS` capability. | | Properties.KubeNamespace | The K8S namespace to use to manage the K8S secret object. | - | Properties.IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. | + | Properties.IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | | Properties.SeparateChain | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. | | Properties.ServerUsername | This should be no value or `kubeconfig` | | Properties.ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | @@ -1747,11 +1800,13 @@ the Kubernetes secret. - Valid Keys: `*.pfx`, `*.pkcs12`, `*.p12` ### Storepath Patterns + - `/` - `/secrets/` - `//secrets/` ### Alias Patterns + - `/` Example: `test.pkcs12/load_balancer` where `test.pkcs12` is the field name on the `Opaque` secret and `load_balancer` is @@ -1780,7 +1835,7 @@ the certificate alias in the `pkcs12` data store. | Store Path | | | Store Password | Password to use when reading/writing to store | | Orchestrator | Select an approved orchestrator capable of managing `K8SPKCS12` certificates. Specifically, one with the `K8SPKCS12` capability. | - | IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. | + | IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | | CertificateDataFieldName | | | PasswordFieldName | The field name to use when looking for the PKCS12 keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`. | | PasswordIsK8SSecret | Indicates whether the password to the PKCS12 keystore is stored in a separate K8S secret object. | @@ -1788,7 +1843,7 @@ the certificate alias in the `pkcs12` data store. | KubeSecretName | The name of the K8S secret object. | | ServerUsername | This should be no value or `kubeconfig` | | ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | - | KubeSecretType | This defaults to and must be `pkcs12` | + | KubeSecretType | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `pkcs12`. | | StorePasswordPath | The path to the K8S secret object to use as the password to the PFX/PKCS12 data. Example: `/` |
@@ -1816,7 +1871,7 @@ the certificate alias in the `pkcs12` data store. | Store Path | | | Store Password | Password to use when reading/writing to store | | Orchestrator | Select an approved orchestrator capable of managing `K8SPKCS12` certificates. Specifically, one with the `K8SPKCS12` capability. | - | Properties.IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. | + | Properties.IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | | Properties.CertificateDataFieldName | | | Properties.PasswordFieldName | The field name to use when looking for the PKCS12 keystore password in the K8S secret. This is either the field name to look at on the same secret, or if `PasswordIsK8SSecret` is set to `true`, the field name to look at on the secret specified in `StorePasswordPath`. | | Properties.PasswordIsK8SSecret | Indicates whether the password to the PKCS12 keystore is stored in a separate K8S secret object. | @@ -1824,7 +1879,7 @@ the certificate alias in the `pkcs12` data store. | Properties.KubeSecretName | The name of the K8S secret object. | | Properties.ServerUsername | This should be no value or `kubeconfig` | | Properties.ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | - | Properties.KubeSecretType | This defaults to and must be `pkcs12` | + | Properties.KubeSecretType | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `pkcs12`. | | Properties.StorePasswordPath | The path to the K8S secret object to use as the password to the PFX/PKCS12 data. Example: `/` | 3. **Import the CSV file to create the certificate stores** @@ -1856,15 +1911,36 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov > The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store). +### Supported Key Types + +The K8SPKCS12 store type supports certificates with the following key algorithms: + +| Key Type | Supported | +|----------|-----------| +| RSA (1024, 2048, 4096, 8192 bit) | Yes | +| ECDSA (P-256, P-384, P-521) | Yes | +| DSA (1024, 2048 bit) | Yes | +| Ed25519 | Yes | +| Ed448 | Yes | +
K8SSecret (K8SSecret) -In order for certificates of type `Opaque` to be inventoried as `K8SSecret` store types, they must have specific keys in -the Kubernetes secret. -- Required keys: `tls.crt` or `ca.crt` +In order for certificates of type `Opaque` to be inventoried as `K8SSecret` store types, they must have specific keys in +the Kubernetes secret. +- Required keys: `tls.crt` or `ca.crt` - Additional keys: `tls.key` +### Storepath Patterns + +- `` +- `/` + +### Alias Patterns + +- `` (when certificate is stored directly) + ### Store Creation @@ -1889,8 +1965,8 @@ the Kubernetes secret. | Orchestrator | Select an approved orchestrator capable of managing `K8SSecret` certificates. Specifically, one with the `K8SSecret` capability. | | KubeNamespace | The K8S namespace to use to manage the K8S secret object. | | KubeSecretName | The name of the K8S secret object. | - | KubeSecretType | This defaults to and must be `secret` | - | IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. | + | KubeSecretType | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `secret`. | + | IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | | SeparateChain | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. | | ServerUsername | This should be no value or `kubeconfig` | | ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | @@ -1921,8 +1997,8 @@ the Kubernetes secret. | Orchestrator | Select an approved orchestrator capable of managing `K8SSecret` certificates. Specifically, one with the `K8SSecret` capability. | | Properties.KubeNamespace | The K8S namespace to use to manage the K8S secret object. | | Properties.KubeSecretName | The name of the K8S secret object. | - | Properties.KubeSecretType | This defaults to and must be `secret` | - | Properties.IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. | + | Properties.KubeSecretType | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `secret`. | + | Properties.IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | | Properties.SeparateChain | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. | | Properties.ServerUsername | This should be no value or `kubeconfig` | | Properties.ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | @@ -1964,6 +2040,15 @@ the Kubernetes secret. - Required keys: `tls.crt` and `tls.key` - Optional keys: `ca.crt` +### Storepath Patterns + +- `` +- `/` + +### Alias Patterns + +- `` (the TLS secret name) + ### Store Creation @@ -1988,8 +2073,8 @@ the Kubernetes secret. | Orchestrator | Select an approved orchestrator capable of managing `K8STLSSecr` certificates. Specifically, one with the `K8STLSSecr` capability. | | KubeNamespace | The K8S namespace to use to manage the K8S secret object. | | KubeSecretName | The name of the K8S secret object. | - | KubeSecretType | This defaults to and must be `tls_secret` | - | IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. | + | KubeSecretType | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `tls_secret`. | + | IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | | SeparateChain | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. | | ServerUsername | This should be no value or `kubeconfig` | | ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | @@ -2020,8 +2105,8 @@ the Kubernetes secret. | Orchestrator | Select an approved orchestrator capable of managing `K8STLSSecr` certificates. Specifically, one with the `K8STLSSecr` capability. | | Properties.KubeNamespace | The K8S namespace to use to manage the K8S secret object. | | Properties.KubeSecretName | The name of the K8S secret object. | - | Properties.KubeSecretType | This defaults to and must be `tls_secret` | - | Properties.IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. | + | Properties.KubeSecretType | DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `tls_secret`. | + | Properties.IncludeCertChain | Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting. | | Properties.SeparateChain | Will default to `false` if not set. Set this to `true` if you want to deploy certificate chain to the `ca.crt` field for Opaque and tls secrets. | | Properties.ServerUsername | This should be no value or `kubeconfig` | | Properties.ServerPassword | The credentials to use to connect to the K8S cluster API. This needs to be in `kubeconfig` format. Example: https://github.com/Keyfactor/k8s-orchestrator/tree/main/scripts/kubernetes#example-service-account-json | @@ -2079,7 +2164,7 @@ The Kubernetes Orchestrator Extension supports certificate discovery jobs. This ### K8SJKS Discovery Job -For discovery of `K8SJKS` stores toy can use the following params to filter the certificates that will be discovered: +For discovery of `K8SJKS` stores you can use the following params to filter the certificates that will be discovered: - `Directories to search` - comma separated list of namespaces to search for certificates OR `all` to search all namespaces. *This cannot be left blank.* - `File name patterns to match` - comma separated list of K8S secret keys to search for PKCS12 or JKS data. Will use @@ -2092,7 +2177,7 @@ the following keys by default: `tls.pfx`,`tls.pkcs12`,`pfx`,`pkcs12`,`tls.jks`,` ### K8SNS Discovery Job -For discovery of K8SNS stores you can use the following params to filter the certificates that will be discovered: +For discovery of `K8SNS` stores you can use the following params to filter the certificates that will be discovered: - `Directories to search` - comma separated list of namespaces to search for certificates OR `all` to search all namespaces. *This cannot be left blank.*
@@ -2106,8 +2191,8 @@ namespaces. *This cannot be left blank.* For discovery of `K8SPKCS12` stores you can use the following params to filter the certificates that will be discovered: - `Directories to search` - comma separated list of namespaces to search for certificates OR `all` to search all namespaces. *This cannot be left blank.* -- `File name patterns to match` - comma separated list of K8S secret keys to search for PKCS12 or PKCS12 data. Will use - the following keys by default: `tls.pfx`,`tls.pkcs12`,`pfx`,`pkcs12`,`tls.pkcs12`,`pkcs12`. +- `File name patterns to match` - comma separated list of K8S secret keys to search for PKCS12 data. Will use + the following keys by default: `tls.pfx`,`tls.pkcs12`,`pfx`,`pkcs12`,`tls.p12`,`p12`. @@ -2116,7 +2201,7 @@ For discovery of `K8SPKCS12` stores you can use the following params to filter t ### K8SSecret Discovery Job -For discovery of K8SNS stores you can use the following params to filter the certificates that will be discovered: +For discovery of `K8SSecret` stores you can use the following params to filter the certificates that will be discovered: - `Directories to search` - comma separated list of namespaces to search for certificates OR `all` to search all namespaces. *This cannot be left blank.* @@ -2127,7 +2212,7 @@ For discovery of K8SNS stores you can use the following params to filter the cer ### K8STLSSecr Discovery Job -For discovery of K8SNS stores you can use the following params to filter the certificates that will be discovered: +For discovery of `K8STLSSecr` stores you can use the following params to filter the certificates that will be discovered: - `Directories to search` - comma separated list of namespaces to search for certificates OR `all` to search all namespaces. *This cannot be left blank.* @@ -2135,6 +2220,20 @@ For discovery of K8SNS stores you can use the following params to filter the cer +## Supported Key Types + +The Kubernetes Orchestrator Extension supports certificates with the following key algorithms across all store types: + +| Key Type | Sizes/Curves | Supported | +|----------|--------------|-----------| +| RSA | 1024, 2048, 4096, 8192 bit | Yes | +| ECDSA | P-256 (secp256r1), P-384 (secp384r1), P-521 (secp521r1) | Yes | +| DSA | 1024, 2048 bit | Yes | +| Ed25519 | - | Yes | +| Ed448 | - | Yes | + +**Note:** DSA 2048-bit keys use FIPS 186-3/4 compliant generation with SHA-256. Edwards curve keys (Ed25519/Ed448) are fully supported for all store types including JKS and PKCS12. + ## License diff --git a/TESTING.md b/TESTING.md new file mode 100644 index 00000000..a7d7a668 --- /dev/null +++ b/TESTING.md @@ -0,0 +1,815 @@ +# Testing Guide + +Comprehensive testing guide for the Keyfactor Kubernetes Universal Orchestrator Extension. + +## Table of Contents + +- [Overview](#overview) +- [Test Structure](#test-structure) +- [Running Tests](#running-tests) + - [Unit Tests](#unit-tests) + - [Integration Tests](#integration-tests) +- [Test Coverage](#test-coverage) +- [CI/CD Integration](#cicd-integration) +- [Writing New Tests](#writing-new-tests) +- [Troubleshooting](#troubleshooting) + +--- + +## Overview + +The test suite includes **603+ tests** across all 7 Kubernetes Orchestrator store types: + +- **457 unit tests** - Fast, isolated tests with no external dependencies +- **146+ integration tests** - End-to-end tests against real Kubernetes clusters + +All tests use **xUnit** framework with **Moq** for mocking, **BouncyCastle** for cryptographic operations, and **Keyfactor.PKI** for certificate utilities. + +### Test Coverage by Store Type + +| Store Type | Unit Tests | Integration Tests | Total | +|------------|-----------|------------------|-------| +| K8SJKS (Java Keystores) | ~80 | 14 | ~94 | +| K8SPKCS12 (PKCS12/PFX) | ~75 | 13 | ~88 | +| K8SCert (CSRs) | ~25 | 7 | ~32 | +| K8SSecret (Opaque PEM) | ~53 | 25 | ~78 | +| K8STLSSecr (TLS Secrets) | ~58 | 25 | ~83 | +| K8SCluster (Cluster-wide) | ~55 | 21 | ~76 | +| K8SNS (Namespace) | ~55 | 27 | ~82 | +| Utilities/CertificateFormat | ~56 | - | ~56 | +| **Total** | **~457** | **~146** | **~603** | + +> **Note**: Counts are approximate due to parameterized tests. Run `dotnet test --list-tests` for exact counts. + +--- + +## Quick Start with Makefile + +The project includes convenient Makefile targets for all common test operations: + +```bash +# Testing +make test-unit # Run unit tests only +make test-integration # Run integration tests only +make test-store-jks # Test specific store type + +# Code Coverage +make test-coverage-unit # Unit tests with coverage report +make test-coverage # All tests with coverage report +make test-coverage-open # Open HTML coverage report in browser +make test-coverage-summary # Show coverage summary in terminal + +# Cluster Management +make test-cluster-setup # Show cluster configuration +make test-cluster-cleanup # Clean up test resources +``` + +See [MAKEFILE_GUIDE.md](MAKEFILE_GUIDE.md) for complete documentation of all Makefile targets. + +--- + +## Test Structure + +``` +kubernetes-orchestrator-extension.Tests/ +โ”œโ”€โ”€ Attributes/ +โ”‚ โ””โ”€โ”€ SkipUnlessAttribute.cs # Conditional test execution +โ”œโ”€โ”€ Helpers/ +โ”‚ โ””โ”€โ”€ CertificateTestHelper.cs # Certificate generation utilities +โ”œโ”€โ”€ Integration/ # Integration tests (require K8s) +โ”‚ โ”œโ”€โ”€ K8SCertStoreIntegrationTests.cs +โ”‚ โ”œโ”€โ”€ K8SClusterStoreIntegrationTests.cs +โ”‚ โ”œโ”€โ”€ K8SJKSStoreIntegrationTests.cs +โ”‚ โ”œโ”€โ”€ K8SNSStoreIntegrationTests.cs +โ”‚ โ”œโ”€โ”€ K8SPKCS12StoreIntegrationTests.cs +โ”‚ โ”œโ”€โ”€ K8SSecretStoreIntegrationTests.cs +โ”‚ โ””โ”€โ”€ K8STLSSecrStoreIntegrationTests.cs +โ”œโ”€โ”€ Utilities/ # Utility tests +โ”‚ โ””โ”€โ”€ CertificateUtilitiesTests.cs +โ”œโ”€โ”€ K8SCertStoreTests.cs # Unit tests +โ”œโ”€โ”€ K8SClusterStoreTests.cs +โ”œโ”€โ”€ K8SJKSStoreTests.cs +โ”œโ”€โ”€ K8SNSStoreTests.cs +โ”œโ”€โ”€ K8SPKCS12StoreTests.cs +โ”œโ”€โ”€ K8SSecretStoreTests.cs +โ””โ”€โ”€ K8STLSSecrStoreTests.cs +``` + +### Test Naming Convention + +All tests follow the pattern: `MethodName_Scenario_ExpectedResult` + +Examples: +- `DeserializeRemoteCertificateStore_ValidJks_ReturnsStore` +- `Inventory_NonExistentSecret_ReturnsFailure` +- `PemCertificate_WithWhitespace_StillValid` + +--- + +## Running Tests + +### Prerequisites + +**For Unit Tests:** +- .NET SDK 8.0 or 10.0 +- No external dependencies required + +**For Integration Tests:** +- .NET SDK 8.0 or 10.0 +- Kubernetes cluster (or kind/minikube) +- Kubeconfig at `~/.kube/config` with context named `kf-integrations` +- Cluster permissions to create/delete namespaces and secrets + +--- + +### Unit Tests + +Unit tests run quickly (3-5 minutes) and have no external dependencies. + +#### Run All Unit Tests + +```bash +# From repository root +dotnet test kubernetes-orchestrator-extension.Tests/Keyfactor.Orchestrators.K8S.Tests.csproj + +# Or with detailed output +dotnet test kubernetes-orchestrator-extension.Tests/Keyfactor.Orchestrators.K8S.Tests.csproj \ + --verbosity detailed +``` + +#### Run Tests for Specific Store Type + +```bash +# K8SJKS tests +dotnet test --filter "FullyQualifiedName~K8SJKSStoreTests&FullyQualifiedName!~Integration" + +# K8STLSSecr tests +dotnet test --filter "FullyQualifiedName~K8STLSSecrStoreTests&FullyQualifiedName!~Integration" + +# All PEM-based store tests (K8SSecret + K8STLSSecr) +dotnet test --filter "FullyQualifiedName~K8SSecret|FullyQualifiedName~K8STLSSecr" +``` + +#### Run with Code Coverage + +**Using Makefile (Recommended):** +```bash +# Run unit tests with coverage (fastest) +make test-coverage-unit + +# Run all tests (unit + integration) with coverage +make test-coverage + +# View coverage summary in terminal +make test-coverage-summary + +# Open HTML report in browser (macOS) +make test-coverage-open + +# Clean up coverage reports +make test-coverage-clean +``` + +**Manual Method:** +```bash +# Install coverage tool (one-time) +dotnet tool install -g dotnet-coverage + +# Run tests with coverage +dotnet test --collect:"XPlat Code Coverage" \ + --results-directory ./TestResults + +# Generate HTML report +reportgenerator \ + -reports:"./TestResults/**/coverage.cobertura.xml" \ + -targetdir:"./TestResults/CoverageReport" \ + -reporttypes:Html + +# View report +open ./TestResults/CoverageReport/index.html # macOS +xdg-open ./TestResults/CoverageReport/index.html # Linux +``` + +#### Run Tests on Specific Framework + +```bash +# .NET 8.0 only +dotnet test --framework net8.0 + +# .NET 10.0 only +dotnet test --framework net10.0 +``` + +--- + +### Integration Tests + +Integration tests create real Kubernetes resources and validate end-to-end functionality. + +#### Setup Prerequisites + +**Option 1: Use Existing Cluster** + +1. Ensure kubeconfig exists at `~/.kube/config` +2. Create or use context named `kf-integrations`: + ```bash + kubectl config get-contexts + kubectl config use-context kf-integrations + ``` +3. Verify permissions: + ```bash + kubectl auth can-i create namespaces + kubectl auth can-i create secrets --all-namespaces + ``` + +**Option 2: Create Local Cluster with kind** + +```bash +# Install kind (if not installed) +# macOS +brew install kind +# Linux +curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64 +chmod +x ./kind && sudo mv ./kind /usr/local/bin/kind + +# Create cluster +kind create cluster --name kf-integrations --wait 5m + +# Verify cluster +kubectl cluster-info --context kind-kf-integrations + +# Rename context to match expected name +kubectl config rename-context kind-kf-integrations kf-integrations +``` + +**Option 3: Use Minikube** + +```bash +# Start minikube +minikube start --profile=kf-integrations + +# Set context +kubectl config use-context kf-integrations +``` + +#### Run Integration Tests + +```bash +# Enable integration tests +export RUN_INTEGRATION_TESTS=true + +# Run all integration tests +dotnet test kubernetes-orchestrator-extension.Tests/Keyfactor.Orchestrators.K8S.Tests.csproj + +# Run integration tests for specific store type +dotnet test --filter "FullyQualifiedName~K8SJKSStoreIntegrationTests" + +# Run with verbose output +dotnet test --filter "FullyQualifiedName~Integration" --verbosity detailed +``` + +#### Integration Test Behavior + +Each integration test: +1. **Creates** dedicated test namespace (e.g., `keyfactor-k8sjks-integration-tests`) +2. **Executes** test operations (create secrets, run inventory, etc.) +3. **Cleans up** all created resources in `DisposeAsync()` +4. **Never modifies** existing cluster resources outside test namespaces + +**Test Namespaces Created:** + +Each test namespace includes a framework suffix (`-net8` or `-net10`) to enable parallel execution across .NET frameworks without resource conflicts: + +- `keyfactor-k8sjks-integration-tests-net8` / `keyfactor-k8sjks-integration-tests-net10` +- `keyfactor-k8spkcs12-integration-tests-net8` / `keyfactor-k8spkcs12-integration-tests-net10` +- `keyfactor-k8scert-integration-tests-net8` / `keyfactor-k8scert-integration-tests-net10` +- `keyfactor-k8ssecret-integration-tests-net8` / `keyfactor-k8ssecret-integration-tests-net10` +- `keyfactor-k8stlssecr-integration-tests-net8` / `keyfactor-k8stlssecr-integration-tests-net10` +- `keyfactor-k8scluster-test-ns1-net8` / `keyfactor-k8scluster-test-ns1-net10` +- `keyfactor-k8scluster-test-ns2-net8` / `keyfactor-k8scluster-test-ns2-net10` +- `keyfactor-k8sns-integration-tests-net8` / `keyfactor-k8sns-integration-tests-net10` + +#### Cleanup After Integration Tests + +Normally, tests clean up automatically. If tests are interrupted, manually clean up: + +```bash +# Delete all test namespaces +kubectl delete namespace -l managed-by=keyfactor-k8s-orchestrator-tests + +# Or delete specific namespace +kubectl delete namespace keyfactor-k8sjks-integration-tests +``` + +--- + +## Test Coverage + +### Current Coverage Metrics + +**Store Type Tests (100% implementation complete):** +- โœ… All 7 store types have comprehensive unit tests +- โœ… All 7 store types have integration tests +- โœ… All 381 unit tests passing (100% success rate) +- โœ… All 120 integration tests passing (100% success rate) + +**Test Scenarios Covered:** + +#### Key Types (11 variations) +- RSA: 1024, 2048, 4096, 8192 bits +- EC: P-256, P-384, P-521 curves +- DSA: 1024, 2048 bits +- EdDSA: Ed25519, Ed448 + +#### Password Scenarios (20+) +- Empty password +- Simple password +- Complex password (special characters) +- Very long password (256+ chars) +- Unicode password +- Password with spaces +- Numeric-only password +- Password with newlines (trimmed) + +#### Certificate Chains +- Single certificate (self-signed) +- Certificate with intermediate CA +- Full chain (leaf + intermediate + root) +- Separate ca.crt field storage + +#### Error Conditions +- Wrong password +- Corrupted keystore data +- Missing secret +- Invalid namespace +- Malformed PEM data +- Empty keystores + +#### Create Store If Missing +Tests for the "Create Store If Missing" feature in Keyfactor Command: +- K8SJKS: Creates empty JKS keystore when no certificate data provided +- K8SPKCS12: Creates empty PKCS12 keystore when no certificate data provided +- K8SSecret: Creates empty Opaque secret when no certificate data provided +- K8STLSSecr: Creates empty TLS secret when no certificate data provided +- K8SCluster: Returns success with warning (not supported for aggregate store types) +- K8SNS: Returns success with warning (not supported for aggregate store types) + +#### Edge Cases +- Empty secrets +- Whitespace in PEM data +- Very large keystores (100+ certs) +- Special characters in secret names +- Cross-namespace operations (K8SCluster) +- Namespace boundaries (K8SNS) +- KubeSecretType property derivation from Capability (deprecated property support) + +--- + +## CI/CD Integration + +### GitHub Actions Workflows + +**1. Unit Tests (`unit-tests.yml`)** +- Runs on: Every PR, push to main +- Tests: All 381 unit tests +- Frameworks: .NET 8.0 and 10.0 +- Coverage: Uploads code coverage reports +- Duration: ~5 minutes + +**2. Integration Tests (`integration-tests.yml`)** +- Runs on: Every PR, push to main +- Tests: All 120 integration tests +- Kubernetes: kind cluster (v1.29) +- Frameworks: .NET 8.0 and 10.0 (parallel with framework-specific namespaces) +- Duration: ~10 minutes + +**3. PR Quality Gate (`pr-quality-gate.yml`)** +- Runs on: Every PR +- Includes: Build + basic tests +- Purpose: Fast feedback before detailed testing + +### Running Tests Locally Like CI + +```bash +# Simulate unit test workflow +dotnet restore +dotnet build --configuration Release --no-restore +dotnet test --configuration Release --no-build \ + --framework net8.0 \ + --collect:"XPlat Code Coverage" + +# Simulate integration test workflow (requires kind) +kind create cluster --name kf-integrations +export RUN_INTEGRATION_TESTS=true +dotnet test --configuration Release --no-build --framework net8.0 +kind delete cluster --name kf-integrations +``` + +### Test Result Artifacts + +CI workflows upload test results as artifacts: +- **Unit Tests**: Test results + code coverage reports +- **Integration Tests**: Test results + logs + +Download artifacts from GitHub Actions run page: +1. Go to Actions tab +2. Select workflow run +3. Scroll to "Artifacts" section +4. Download desired artifact + +--- + +## Writing New Tests + +### Unit Test Template + +```csharp +using Xunit; +using Keyfactor.Orchestrators.K8S.Tests.Helpers; +using static Keyfactor.Orchestrators.K8S.Tests.Helpers.CertificateTestHelper; + +namespace Keyfactor.Orchestrators.K8S.Tests; + +public class YourStoreTypeTests +{ + [Fact] + public void MethodName_Scenario_ExpectedResult() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Test Cert"); + + // Act + var result = YourMethod(certInfo.Certificate); + + // Assert + Assert.NotNull(result); + Assert.Equal(expectedValue, result); + } + + [Theory] + [InlineData(KeyType.Rsa2048)] + [InlineData(KeyType.EcP256)] + public void MethodName_VariousKeyTypes_AllWork(KeyType keyType) + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(keyType); + + // Act & Assert + Assert.NotNull(certInfo.Certificate); + } +} +``` + +### Integration Test Template + +```csharp +using System; +using System.Threading.Tasks; +using Xunit; +using Keyfactor.Orchestrators.K8S.Tests.Attributes; +using k8s; +using k8s.Models; + +namespace Keyfactor.Orchestrators.K8S.Tests.Integration; + +[Collection("Integration Tests")] +public class YourStoreIntegrationTests : IAsyncLifetime +{ + private Kubernetes _k8sClient; + private const string TestNamespace = "your-test-namespace"; + + public async Task InitializeAsync() + { + var runIntegrationTests = Environment.GetEnvironmentVariable("RUN_INTEGRATION_TESTS"); + if (string.IsNullOrEmpty(runIntegrationTests) || + !runIntegrationTests.Equals("true", StringComparison.OrdinalIgnoreCase)) + { + return; + } + + // Initialize K8s client and create test namespace + var config = KubernetesClientConfiguration.BuildConfigFromConfigFile( + kubeConfigPath: "~/.kube/config", + currentContext: "kf-integrations"); + _k8sClient = new Kubernetes(config); + + await CreateNamespaceIfNotExists(); + } + + public async Task DisposeAsync() + { + // Clean up resources + _k8sClient?.Dispose(); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task YourTest_Scenario_ExpectedResult() + { + // Arrange + var secret = new V1Secret { /* ... */ }; + await _k8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Act + var result = await YourOperation(); + + // Assert + Assert.Equal(expectedValue, result); + } +} +``` + +### Using CertificateTestHelper + +```csharp +// Generate certificate with specific key type +var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "CN=test.example.com"); + +// Access components +var certificate = certInfo.Certificate; // BouncyCastle X509Certificate +var keyPair = certInfo.KeyPair; // AsymmetricCipherKeyPair +var privateKey = certInfo.KeyPair.Private; +var publicKey = certInfo.KeyPair.Public; + +// Generate certificate chain (leaf, intermediate, root) +var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); +var leafCert = chain[0].Certificate; +var intermediateCert = chain[1].Certificate; +var rootCert = chain[2].Certificate; + +// Convert to PEM format +var certPem = CertificateTestHelper.ConvertCertificateToPem(certificate); +var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(privateKey); + +// Generate PKCS12/JKS +var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12( + certificate, keyPair, password: "test123", alias: "mycert"); +var jksBytes = CertificateTestHelper.GenerateJks( + certificate, keyPair, password: "test123", alias: "mycert"); + +// Generate corrupted data for negative tests +var corruptedData = CertificateTestHelper.GenerateCorruptedPkcs12(); +``` + +--- + +## Known Limitations + +### IncludeCertChain with Certificates Without Private Keys + +When `IncludeCertChain=true` is configured for a certificate store, but the certificate being deployed in Keyfactor Command does **not** have a private key, the certificate chain **cannot** be included. + +**Why?** +- Keyfactor Command sends certificates in DER format when they have no private key +- DER format can only contain a single certificate (the leaf certificate) +- Certificate chains require PKCS12 format, which requires a private key + +**Symptoms:** +- A warning is logged: "IncludeCertChain is enabled but the certificate was received in DER format..." +- Only the leaf certificate is deployed, regardless of the IncludeCertChain setting + +**Solution:** +- Ensure certificates in Keyfactor Command have "Private Key" set if you need the chain included +- Alternatively, use `SeparateChain=true` to manually manage chain certificates + +### JKS vs PKCS12 Inventory Behavior + +JKS and PKCS12 inventories behave differently for keystores with mixed entry types: + +- **JKS Inventory**: Only returns entries with private keys (PrivateKeyEntry). Trusted certificate entries (certificate-only, no private key) are **not** returned. +- **PKCS12 Inventory**: Returns **all** entries including trusted certificate entries. + +This is the current implemented behavior and is tested/documented. If you need to manage trusted certificates in JKS stores, you can add them but they won't appear in inventory. + +### Invalid Configuration: IncludeCertChain=false with SeparateChain=true + +When `SeparateChain=true` but `IncludeCertChain=false`, this is an invalid/conflicting configuration: +- `SeparateChain=true` means "put the chain in ca.crt and leaf in tls.crt" +- `IncludeCertChain=false` means "don't include any chain certificates" + +**Behavior:** +- A warning is logged: "Invalid configuration: SeparateChain=true but IncludeCertChain=false..." +- `IncludeCertChain=false` takes precedence - only the leaf certificate is deployed +- `SeparateChain` is effectively ignored + +**Recommendation:** +- Use `IncludeCertChain=true,SeparateChain=true` if you want chain in ca.crt +- Use `IncludeCertChain=true,SeparateChain=false` if you want full chain in tls.crt +- Use `IncludeCertChain=false` (any SeparateChain value) if you want leaf only + +### KubeSecretType Property Deprecation + +The `KubeSecretType` store property is **deprecated** and will be removed in a future release. + +**Why?** +- The secret type is now automatically derived from the store's Capability +- This eliminates redundant configuration and potential mismatches + +**Behavior:** +- If `KubeSecretType` is provided in store properties, a deprecation warning is logged +- The derived value from Capability takes precedence over the store property value +- Store type definitions have been updated to mark this property as `Required: false` + +**Mapping (Capability โ†’ Derived KubeSecretType):** +| Capability | Derived Type | +|------------|--------------| +| K8SJKS | jks | +| K8SPKCS12 | pkcs12 | +| K8SSecret | secret | +| K8STLSSecr | tls_secret | +| K8SCluster | cluster | +| K8SNS | namespace | +| K8SCert | certificate | + +### Create Store If Missing - Aggregate Store Types + +K8SCluster and K8SNS store types do **not** support the "Create Store If Missing" feature. + +**Why?** +- K8SCluster and K8SNS are "aggregate" store types that manage multiple secrets +- There is no single "store" to create - they represent all secrets in a cluster/namespace +- The concept of "creating" an empty cluster or namespace doesn't apply + +**Behavior:** +- A warning is logged explaining that this operation is not supported +- The job returns **success** with a descriptive message +- No secrets are created or modified + +--- + +## Troubleshooting + +### Common Issues + +#### 1. Integration Tests Skipped + +**Problem**: All integration tests show as "Skipped" + +**Solution**: +```bash +# Ensure environment variable is set +export RUN_INTEGRATION_TESTS=true + +# Verify it's set +echo $RUN_INTEGRATION_TESTS + +# Run tests +dotnet test +``` + +#### 2. Kubeconfig Not Found + +**Problem**: `FileNotFoundException: Kubeconfig not found at ~/.kube/config` + +**Solution**: +```bash +# Verify kubeconfig exists +ls -la ~/.kube/config + +# Or set KUBECONFIG environment variable +export KUBECONFIG=/path/to/your/kubeconfig + +# Verify cluster connectivity +kubectl cluster-info +``` + +#### 3. Context 'kf-integrations' Not Found + +**Problem**: Integration tests fail with context not found + +**Solution**: +```bash +# List available contexts +kubectl config get-contexts + +# Rename existing context +kubectl config rename-context your-context-name kf-integrations + +# Or create new kind cluster with correct name +kind create cluster --name kf-integrations +kubectl config rename-context kind-kf-integrations kf-integrations +``` + +#### 4. Permission Denied Errors + +**Problem**: `forbidden: User "..." cannot create resource "namespaces"` + +**Solution**: +```bash +# Check permissions +kubectl auth can-i create namespaces +kubectl auth can-i create secrets --all-namespaces + +# For kind/minikube, you have cluster-admin by default +# For remote clusters, ensure service account has required permissions +``` + +#### 5. Tests Timing Out + +**Problem**: Integration tests hang or timeout + +**Solution**: +```bash +# Check cluster health +kubectl get nodes +kubectl get pods --all-namespaces + +# Increase test timeout (in test project) +dotnet test -- RunConfiguration.TestSessionTimeout=600000 # 10 minutes + +# Check for hanging namespaces from previous runs +kubectl get namespaces | grep keyfactor +kubectl delete namespace +``` + +#### 6. Build Errors + +**Problem**: `error MSB3644: The reference assemblies were not found` + +**Solution**: +```bash +# Ensure correct .NET SDK versions installed +dotnet --list-sdks + +# Install required versions +# .NET 8.0: https://dotnet.microsoft.com/download/dotnet/8.0 +# .NET 10.0: https://dotnet.microsoft.com/download/dotnet/10.0 + +# Clean and rebuild +dotnet clean +dotnet restore +dotnet build +``` + +#### 7. Coverage Report Not Generated + +**Problem**: No coverage data collected + +**Solution**: +```bash +# Install required tools +dotnet tool install -g coverlet.console +dotnet tool install -g dotnet-reportgenerator-globaltool + +# Run with explicit collector +dotnet test --collect:"XPlat Code Coverage" --results-directory ./TestResults + +# Verify coverage files created +ls -la ./TestResults/**/coverage.cobertura.xml +``` + +### Debug Mode + +Run tests with maximum verbosity for troubleshooting: + +```bash +# Diagnostic level logging +dotnet test --verbosity diagnostic --logger "console;verbosity=detailed" + +# With specific test +dotnet test --filter "FullyQualifiedName~YourTestName" --verbosity diagnostic +``` + +### Getting Help + +**For test failures:** +1. Check `UNIT_TEST_COMPLETION_SUMMARY.md` for known issues +2. Review test logs with `--verbosity detailed` +3. Verify environment setup matches prerequisites +4. Check GitHub Actions logs for CI failures + +**For integration test issues:** +1. Verify cluster connectivity: `kubectl cluster-info` +2. Check test namespace status: `kubectl get namespaces` +3. Review pod logs: `kubectl logs -n ` +4. Enable trace logging in test code for debugging + +--- + +## Best Practices + +### Do's โœ… + +- โœ… Run unit tests before committing +- โœ… Run integration tests before creating PR +- โœ… Use `CertificateTestHelper` for test data generation +- โœ… Follow naming convention: `MethodName_Scenario_ExpectedResult` +- โœ… Clean up resources in integration tests +- โœ… Use `SkipUnless` attribute for integration tests +- โœ… Test both success and failure scenarios +- โœ… Include edge cases in test coverage + +### Don'ts โŒ + +- โŒ Don't check in certificate files (use dynamic generation) +- โŒ Don't hardcode passwords or secrets in tests +- โŒ Don't skip integration tests locally before PR +- โŒ Don't modify cluster resources outside test namespaces +- โŒ Don't use production clusters for integration tests +- โŒ Don't ignore test failures ("I'll fix later") +- โŒ Don't write tests without assertions + +--- + +**Questions or Issues?** + +Create an issue at: https://github.com/Keyfactor/k8s-orchestrator/issues diff --git a/TESTING_QUICKSTART.md b/TESTING_QUICKSTART.md new file mode 100644 index 00000000..8411a9df --- /dev/null +++ b/TESTING_QUICKSTART.md @@ -0,0 +1,239 @@ +# Testing Quick Start Guide + +**5-minute guide to running tests for the Keyfactor Kubernetes Orchestrator Extension** + +--- + +## ๐ŸŽฏ Makefile Shortcuts (Recommended) + +```bash +make test-unit # Run all unit tests +make test-integration # Run integration tests +make test-coverage # Generate coverage report +make test-store-jks # Test JKS store type only +make test-store-pkcs12 # Test PKCS12 store type only +make test-cluster-setup # Show cluster setup info +make test-cluster-cleanup # Clean up test resources +``` + +**๐Ÿ“– Full documentation:** [MAKEFILE_TEST_TARGETS.md](MAKEFILE_TEST_TARGETS.md) + +--- + +## ๐Ÿš€ Quick Commands (Using dotnet directly) + +### Run All Unit Tests +```bash +cd /Users/sbailey/RiderProjects/k8s-orchestrator +dotnet test +``` + +### Run Unit Tests for Specific Store Type +```bash +# K8SJKS tests only +dotnet test --filter "FullyQualifiedName~K8SJKS&FullyQualifiedName!~Integration" + +# All PEM-based tests (K8SSecret + K8STLSSecr) +dotnet test --filter "FullyQualifiedName~K8SSecret|FullyQualifiedName~K8STLSSecr" +``` + +### Run Integration Tests (Requires K8s Cluster) +```bash +# Option 1: Use existing cluster +export RUN_INTEGRATION_TESTS=true +dotnet test + +# Option 2: Create kind cluster first +kind create cluster --name kf-integrations +kubectl config rename-context kind-kf-integrations kf-integrations +export RUN_INTEGRATION_TESTS=true +dotnet test +``` + +### Generate Code Coverage Report +```bash +# Run tests with coverage +dotnet test --collect:"XPlat Code Coverage" --results-directory ./TestResults + +# Install report generator (one-time) +dotnet tool install -g dotnet-reportgenerator-globaltool + +# Generate HTML report +reportgenerator \ + -reports:"./TestResults/**/coverage.cobertura.xml" \ + -targetdir:"./TestResults/CoverageReport" \ + -reporttypes:Html + +# Open report (macOS) +open ./TestResults/CoverageReport/index.html +``` + +--- + +## ๐Ÿ“Š Test Results Summary + +### Current Status +- **Unit Tests:** 412 tests, 100% passing โœ… +- **Integration Tests:** 120 tests, 100% passing โœ… +- **Total:** 532 tests across 7 store types + +### What's Tested +โœ… All 7 Kubernetes store types +โœ… 11 key types (RSA, EC, DSA, Ed25519, Ed448) +โœ… 20+ password scenarios +โœ… Certificate chains +โœ… Error conditions +โœ… Edge cases + +--- + +## ๐Ÿค– GitHub Actions (Automatic) + +### What Runs on Every PR +1. **PR Quality Gate** (~3 min) + - Fast build + quick unit tests + - PR size and title validation + +2. **Unit Tests** (~10 min) + - All 412 unit tests + - .NET 8.0 and 10.0 + - Code coverage + +3. **Integration Tests** (~10 min) + - All 120 integration tests + - kind cluster (K8s v1.29) + - Framework-specific namespace isolation + - Automatic cleanup + +**Total:** ~23 minutes for complete validation + +### Manual Workflow Triggers +```bash +# Trigger unit tests +gh workflow run unit-tests.yml + +# Trigger integration tests with specific K8s version +gh workflow run integration-tests.yml -f kubernetes-version=v1.28.0 +``` + +--- + +## ๐Ÿ“ Documentation + +| Document | Purpose | +|----------|---------| +| **`TESTING.md`** | Comprehensive testing guide (main reference) | +| **`TESTING_QUICKSTART.md`** | This file - quick commands | +| **`.github/workflows/README.md`** | GitHub Actions workflow details | + +--- + +## ๐Ÿ› Common Issues & Solutions + +### Issue: Integration tests skipped +```bash +# Solution: Set environment variable +export RUN_INTEGRATION_TESTS=true +dotnet test +``` + +### Issue: Kubeconfig not found +```bash +# Solution: Verify kubeconfig exists +ls -la ~/.kube/config + +# Or create kind cluster +kind create cluster --name kf-integrations +``` + +### Issue: Context 'kf-integrations' not found +```bash +# Solution: Rename your context +kubectl config rename-context kf-integrations + +# Or for kind +kubectl config rename-context kind-kf-integrations kf-integrations +``` + +### Issue: Tests hang or timeout +```bash +# Solution: Check cluster health +kubectl cluster-info +kubectl get nodes + +# Cleanup stuck namespaces +kubectl delete namespace -l managed-by=keyfactor-k8s-orchestrator-tests +``` + +--- + +## ๐ŸŽฏ Before Creating a PR + +**Checklist:** +- [ ] Run unit tests locally: `dotnet test` +- [ ] All tests passing +- [ ] No compilation errors +- [ ] (Optional) Run integration tests if changes affect K8s operations +- [ ] Review changed files + +**Then:** +1. Push branch to GitHub +2. Create PR +3. Wait for CI workflows (~23 min) +4. Review automated test results in PR + +--- + +## ๐Ÿ’ก Pro Tips + +### Run Tests Faster +```bash +# Run specific test class +dotnet test --filter "FullyQualifiedName~K8SJKSStoreTests" + +# Run specific test method +dotnet test --filter "FullyQualifiedName~K8SJKSStoreTests.DeserializeRemoteCertificateStore_ValidJks" + +# Skip slow tests +dotnet test --filter "FullyQualifiedName!~Integration" +``` + +### Watch Mode (Auto-rerun on Changes) +```bash +dotnet watch test +``` + +### Parallel Execution +```bash +# Run with maximum parallelism +dotnet test --parallel +``` + +### Detailed Output +```bash +# Verbose logging +dotnet test --verbosity detailed + +# Diagnostic logging +dotnet test --verbosity diagnostic +``` + +--- + +## ๐Ÿ“ž Need Help? + +1. **Check the docs:** + - `TESTING.md` - Comprehensive guide + - `.github/workflows/README.md` - CI/CD workflows + +2. **Review test output:** + ```bash + dotnet test --verbosity detailed --logger "console;verbosity=detailed" + ``` + +3. **Create an issue:** + https://github.com/Keyfactor/k8s-orchestrator/issues + +--- + +**Ready to test? Run:** `dotnet test` ๐Ÿš€ diff --git a/TestConsole/Program.cs b/TestConsole/Program.cs index a3bfed65..87eee0c3 100644 --- a/TestConsole/Program.cs +++ b/TestConsole/Program.cs @@ -576,8 +576,8 @@ private static async Task Main(string[] args) if (input == "SerializeTest") { - var xml = - " cannot be deleted because of references from: certificate-profile -> Keyfactor -> CA -> Boingy"; + // Example XML for testing serialization (currently disabled) + // var xml = " cannot be deleted because of references from: certificate-profile -> Keyfactor -> CA -> Boingy"; // using System.Xml.Serialization; // var serializer = new XmlSerializer(typeof(ErrorSuccessResponse)); // using var reader = new StringReader(xml); diff --git a/docsource/content.md b/docsource/content.md index fd31393a..76993004 100644 --- a/docsource/content.md +++ b/docsource/content.md @@ -1,17 +1,17 @@ ## Overview -The Kubernetes Orchestrator allows for the remote management of certificate stores defined in a Kubernetes cluster. -The following types of Kubernetes resources are supported: kubernetes secrets of `kubernetes.io/tls` or `Opaque` and -kubernetes certificates `certificates.k8s.io/v1` +The Kubernetes Orchestrator allows for the remote management of certificate stores defined in a Kubernetes cluster. +The following types of Kubernetes resources are supported: Kubernetes secrets of type `kubernetes.io/tls` or `Opaque`, and +Kubernetes certificates of type `certificates.k8s.io/v1`. The certificate store types that can be managed in the current version are: - `K8SCert` - Kubernetes certificates of type `certificates.k8s.io/v1` - `K8SSecret` - Kubernetes secrets of type `Opaque` -- `K8STLSSecret` - Kubernetes secrets of type `kubernetes.io/tls` -- `K8SCluster` - This allows for a single store to manage a k8s cluster's secrets or type `Opaque` and `kubernetes.io/tls`. - This can be thought of as a container of `K8SSecret` and `K8STLSSecret` stores across all k8s namespaces. -- `K8SNS` - This allows for a single store to manage a k8s namespace's secrets or type `Opaque` and `kubernetes.io/tls`. - This can be thought of as a container of `K8SSecret` and `K8STLSSecret` stores for a single k8s namespace. +- `K8STLSSecr` - Kubernetes secrets of type `kubernetes.io/tls` +- `K8SCluster` - This allows for a single store to manage a Kubernetes cluster's secrets of type `Opaque` and `kubernetes.io/tls`. + This can be thought of as a container of `K8SSecret` and `K8STLSSecr` stores across all Kubernetes namespaces. +- `K8SNS` - This allows for a single store to manage a Kubernetes namespace's secrets of type `Opaque` and `kubernetes.io/tls`. + This can be thought of as a container of `K8SSecret` and `K8STLSSecr` stores for a single Kubernetes namespace. - `K8SJKS` - Kubernetes secrets of type `Opaque` that contain one or more Java Keystore(s). These cannot be managed at the cluster or namespace level as they should all require unique credentials. - `K8SPKCS12` - Kubernetes secrets of type `Opaque` that contain one or more PKCS12(s). These cannot be managed at the @@ -22,9 +22,24 @@ to communicate remotely with certificate stores. The service account must have t in order to perform the desired operations. For more information on the required permissions, see the [service account setup guide](#service-account-setup). +## Supported Key Types + +The Kubernetes Orchestrator Extension supports certificates with the following key algorithms across all store types: + +| Key Type | Sizes/Curves | Supported | +|----------|--------------|-----------| +| RSA | 1024, 2048, 4096, 8192 bit | Yes | +| ECDSA | P-256 (secp256r1), P-384 (secp384r1), P-521 (secp521r1) | Yes | +| DSA | 1024, 2048 bit | Yes | +| Ed25519 | - | Yes | +| Ed448 | - | Yes | + +**Note:** DSA 2048-bit keys use FIPS 186-3/4 compliant generation with SHA-256. Edwards curve keys (Ed25519/Ed448) are fully supported for all store types including JKS and PKCS12. + ## Requirements ### Kubernetes API Access + This orchestrator extension makes use of the Kubernetes API by using a service account to communicate remotely with certificate stores. The service account must exist and have the appropriate permissions. The service account token can be provided to the extension in one of two ways: @@ -32,6 +47,7 @@ The service account token can be provided to the extension in one of two ways: - As a base64 encoded string that contains the service account credentials #### Service Account Setup + To set up a service account user on your Kubernetes cluster to be used by the Kubernetes Orchestrator Extension. For full information on the required permissions, see the [service account setup guide](./scripts/kubernetes/README.md). diff --git a/docsource/images/K8SCert-basic-store-type-dialog.png b/docsource/images/K8SCert-basic-store-type-dialog.png index cf73dec5..6c727cb9 100644 Binary files a/docsource/images/K8SCert-basic-store-type-dialog.png and b/docsource/images/K8SCert-basic-store-type-dialog.png differ diff --git a/docsource/images/K8SCert-custom-field-KubeSecretName-dialog.png b/docsource/images/K8SCert-custom-field-KubeSecretName-dialog.png index 6c7474f3..4a9422ec 100644 Binary files a/docsource/images/K8SCert-custom-field-KubeSecretName-dialog.png and b/docsource/images/K8SCert-custom-field-KubeSecretName-dialog.png differ diff --git a/docsource/images/K8SCert-custom-field-KubeSecretName-validation-options-dialog.png b/docsource/images/K8SCert-custom-field-KubeSecretName-validation-options-dialog.png index 19c86e9f..3eb0d190 100644 Binary files a/docsource/images/K8SCert-custom-field-KubeSecretName-validation-options-dialog.png and b/docsource/images/K8SCert-custom-field-KubeSecretName-validation-options-dialog.png differ diff --git a/docsource/images/K8SCert-custom-fields-store-type-dialog.png b/docsource/images/K8SCert-custom-fields-store-type-dialog.png index 19d2b0d5..a8c6755b 100644 Binary files a/docsource/images/K8SCert-custom-fields-store-type-dialog.png and b/docsource/images/K8SCert-custom-fields-store-type-dialog.png differ diff --git a/docsource/images/K8SCluster-basic-store-type-dialog.png b/docsource/images/K8SCluster-basic-store-type-dialog.png index be0b7ece..0519073b 100644 Binary files a/docsource/images/K8SCluster-basic-store-type-dialog.png and b/docsource/images/K8SCluster-basic-store-type-dialog.png differ diff --git a/docsource/images/K8SJKS-custom-field-KubeSecretType-dialog.png b/docsource/images/K8SJKS-custom-field-KubeSecretType-dialog.png index 2d2f6a70..b59505e6 100644 Binary files a/docsource/images/K8SJKS-custom-field-KubeSecretType-dialog.png and b/docsource/images/K8SJKS-custom-field-KubeSecretType-dialog.png differ diff --git a/docsource/images/K8SJKS-custom-field-KubeSecretType-validation-options-dialog.png b/docsource/images/K8SJKS-custom-field-KubeSecretType-validation-options-dialog.png index 5b807025..b61c749b 100644 Binary files a/docsource/images/K8SJKS-custom-field-KubeSecretType-validation-options-dialog.png and b/docsource/images/K8SJKS-custom-field-KubeSecretType-validation-options-dialog.png differ diff --git a/docsource/images/K8SNS-basic-store-type-dialog.png b/docsource/images/K8SNS-basic-store-type-dialog.png index 3425d444..4864cba7 100644 Binary files a/docsource/images/K8SNS-basic-store-type-dialog.png and b/docsource/images/K8SNS-basic-store-type-dialog.png differ diff --git a/docsource/images/K8SPKCS12-basic-store-type-dialog.png b/docsource/images/K8SPKCS12-basic-store-type-dialog.png index d8cd4b33..fa123252 100644 Binary files a/docsource/images/K8SPKCS12-basic-store-type-dialog.png and b/docsource/images/K8SPKCS12-basic-store-type-dialog.png differ diff --git a/docsource/images/K8SPKCS12-custom-field-KubeSecretType-dialog.png b/docsource/images/K8SPKCS12-custom-field-KubeSecretType-dialog.png index fb11d44b..0f58bbd8 100644 Binary files a/docsource/images/K8SPKCS12-custom-field-KubeSecretType-dialog.png and b/docsource/images/K8SPKCS12-custom-field-KubeSecretType-dialog.png differ diff --git a/docsource/images/K8SPKCS12-custom-field-KubeSecretType-validation-options-dialog.png b/docsource/images/K8SPKCS12-custom-field-KubeSecretType-validation-options-dialog.png index 8b8618ef..154ce416 100644 Binary files a/docsource/images/K8SPKCS12-custom-field-KubeSecretType-validation-options-dialog.png and b/docsource/images/K8SPKCS12-custom-field-KubeSecretType-validation-options-dialog.png differ diff --git a/docsource/images/K8SSecret-custom-field-KubeSecretType-dialog.png b/docsource/images/K8SSecret-custom-field-KubeSecretType-dialog.png index b27b9ca2..e2cf8a26 100644 Binary files a/docsource/images/K8SSecret-custom-field-KubeSecretType-dialog.png and b/docsource/images/K8SSecret-custom-field-KubeSecretType-dialog.png differ diff --git a/docsource/images/K8SSecret-custom-field-KubeSecretType-validation-options-dialog.png b/docsource/images/K8SSecret-custom-field-KubeSecretType-validation-options-dialog.png index 5b807025..b61c749b 100644 Binary files a/docsource/images/K8SSecret-custom-field-KubeSecretType-validation-options-dialog.png and b/docsource/images/K8SSecret-custom-field-KubeSecretType-validation-options-dialog.png differ diff --git a/docsource/images/K8STLSSecr-basic-store-type-dialog.png b/docsource/images/K8STLSSecr-basic-store-type-dialog.png index 37d40bac..1002e885 100644 Binary files a/docsource/images/K8STLSSecr-basic-store-type-dialog.png and b/docsource/images/K8STLSSecr-basic-store-type-dialog.png differ diff --git a/docsource/images/K8STLSSecr-custom-field-KubeSecretType-dialog.png b/docsource/images/K8STLSSecr-custom-field-KubeSecretType-dialog.png index 897d773b..1594161b 100644 Binary files a/docsource/images/K8STLSSecr-custom-field-KubeSecretType-dialog.png and b/docsource/images/K8STLSSecr-custom-field-KubeSecretType-dialog.png differ diff --git a/docsource/images/K8STLSSecr-custom-field-KubeSecretType-validation-options-dialog.png b/docsource/images/K8STLSSecr-custom-field-KubeSecretType-validation-options-dialog.png index 5b807025..b61c749b 100644 Binary files a/docsource/images/K8STLSSecr-custom-field-KubeSecretType-validation-options-dialog.png and b/docsource/images/K8STLSSecr-custom-field-KubeSecretType-validation-options-dialog.png differ diff --git a/docsource/k8scert.md b/docsource/k8scert.md index abd1f27c..2cb4d0ce 100644 --- a/docsource/k8scert.md +++ b/docsource/k8scert.md @@ -1,7 +1,65 @@ ## Overview -The `K8SCert` store type is used to manage Kubernetes certificates of type `certificates.k8s.io/v1`. +The `K8SCert` store type is used to manage Kubernetes Certificate Signing Requests (CSRs) of type `certificates.k8s.io/v1`. -**NOTE**: only `inventory` and `discovery` of these resources is supported with this extension. To provision these certs use the -[k8s-csr-signer](https://github.com/Keyfactor/k8s-csr-signer). +**NOTE**: Only `inventory` and `discovery` of these resources is supported with this extension. CSRs are read-only - to provision certificates through CSRs, use the [k8s-csr-signer](https://github.com/Keyfactor/k8s-csr-signer). +## Inventory Modes + +K8SCert supports two inventory modes: + +### Single CSR Mode (Legacy) + +When `KubeSecretName` is set to a specific CSR name, the store inventories only that single CSR. This is useful when you want to track a specific certificate issued through a CSR. + +**Configuration:** +- `KubeSecretName`: The name of the specific CSR to inventory (e.g., `my-app-csr`) + +### Cluster-Wide Mode + +When `KubeSecretName` is left empty or set to `*`, the store inventories ALL issued CSRs in the cluster. This provides a single-pane view of all certificates issued through Kubernetes CSRs. + +**Configuration:** +- `KubeSecretName`: Leave empty or set to `*` + +**Note:** Only CSRs that have been approved AND have an issued certificate are included in the inventory. Pending or denied CSRs are skipped. + +## Store Configuration + +| Property | Description | Required | +|----------|-------------|----------| +| **Client Machine** | A descriptive name for the Kubernetes cluster | Yes | +| **Store Path** | Can be any value (not used for CSR inventory) | Yes | +| **Server Username** | Leave empty or set to `kubeconfig` | No | +| **Server Password** | The kubeconfig JSON for connecting to the cluster | Yes | +| **KubeSecretName** | CSR name for single mode, or empty/`*` for cluster-wide mode | No | + +## Discovery + +Discovery will find all CSRs in the cluster that have issued certificates and return them as potential store locations. Each discovered CSR can be added as a separate K8SCert store (single CSR mode). + +## Example Use Cases + +### Track All Cluster Certificates + +Create a single K8SCert store with `KubeSecretName` empty to get visibility into all certificates issued through Kubernetes CSRs: + +1. Create a K8SCert store +2. Set `Client Machine` to your cluster name +3. Leave `KubeSecretName` empty +4. Run inventory to see all issued CSR certificates + +### Track a Specific Application Certificate + +Create a K8SCert store for a specific CSR: + +1. Create a K8SCert store +2. Set `Client Machine` to your cluster name +3. Set `KubeSecretName` to the CSR name (e.g., `my-app-client-cert`) +4. Run inventory to track that specific certificate + +## Limitations + +- **Read-Only**: K8SCert does not support Add or Remove operations. CSRs must be created and approved through Kubernetes APIs or kubectl. +- **No Private Keys**: CSR certificates do not include private keys in Kubernetes (the private key stays with the requestor). +- **Cluster-Scoped**: CSRs are cluster-scoped resources (not namespaced). diff --git a/docsource/k8scluster.md b/docsource/k8scluster.md index aeb6e827..f9c6d8e1 100644 --- a/docsource/k8scluster.md +++ b/docsource/k8scluster.md @@ -1,6 +1,6 @@ ## Overview -The `K8SCluster` store type allows for a single store to manage a k8s cluster's secrets or type `Opaque` and `kubernetes.io/tls`. +The `K8SCluster` store type allows for a single store to manage a Kubernetes cluster's secrets of type `Opaque` and `kubernetes.io/tls`. ## Certificate Store Configuration diff --git a/docsource/k8sjks.md b/docsource/k8sjks.md index ae678ade..8d931a59 100644 --- a/docsource/k8sjks.md +++ b/docsource/k8sjks.md @@ -4,12 +4,24 @@ The `K8SJKS` store type is used to manage Kubernetes secrets of type `Opaque`. must have a field that ends in `.jks`. The orchestrator will inventory and manage using a *custom alias* of the following pattern: `/`. For example, if the secret has a field named `mykeystore.jks` and the keystore contains a certificate with an alias of `mycert`, the orchestrator will manage the certificate using the -alias `mykeystore.jks/mycert`. *NOTE* *This store type cannot be managed at the `cluster` or `namespace` level as they +alias `mykeystore.jks/mycert`. *NOTE* *This store type cannot be managed at the `cluster` or `namespace` level as they should all require unique credentials.* +## Supported Key Types + +The K8SJKS store type supports certificates with the following key algorithms: + +| Key Type | Supported | +|----------|-----------| +| RSA (1024, 2048, 4096, 8192 bit) | Yes | +| ECDSA (P-256, P-384, P-521) | Yes | +| DSA (1024, 2048 bit) | Yes | +| Ed25519 | Yes | +| Ed448 | Yes | + ## Discovery Job Configuration -For discovery of `K8SJKS` stores toy can use the following params to filter the certificates that will be discovered: +For discovery of `K8SJKS` stores you can use the following params to filter the certificates that will be discovered: - `Directories to search` - comma separated list of namespaces to search for certificates OR `all` to search all namespaces. *This cannot be left blank.* - `File name patterns to match` - comma separated list of K8S secret keys to search for PKCS12 or JKS data. Will use diff --git a/docsource/k8sns.md b/docsource/k8sns.md index 57a37095..e273c40e 100644 --- a/docsource/k8sns.md +++ b/docsource/k8sns.md @@ -1,11 +1,11 @@ ## Overview -The `K8SNS` store type is used to manage Kubernetes secrets of type `kubernetes.io/tls` and/or type `Opaque` in a single -Keyfactor Command certificate store using an alias pattern of +The `K8SNS` store type is used to manage Kubernetes secrets of type `kubernetes.io/tls` and/or type `Opaque` in a single +Keyfactor Command certificate store. This store type manages all secrets within a specific Kubernetes namespace. ## Discovery Job Configuration -For discovery of K8SNS stores you can use the following params to filter the certificates that will be discovered: +For discovery of `K8SNS` stores you can use the following params to filter the certificates that will be discovered: - `Directories to search` - comma separated list of namespaces to search for certificates OR `all` to search all namespaces. *This cannot be left blank.* @@ -17,10 +17,12 @@ have specific keys in the Kubernetes secret. - Additional keys: `tls.key` ### Storepath Patterns + - `` - `/` ### Alias Patterns + - `secrets//` diff --git a/docsource/k8spkcs12.md b/docsource/k8spkcs12.md index cbcf3921..a1ec8069 100644 --- a/docsource/k8spkcs12.md +++ b/docsource/k8spkcs12.md @@ -7,13 +7,25 @@ the keystore contains a certificate with an alias of `mycert`, the orchestrator alias `mykeystore.pkcs12/mycert`. *NOTE* *This store type cannot be managed at the `cluster` or `namespace` level as they should all require unique credentials.* +## Supported Key Types + +The K8SPKCS12 store type supports certificates with the following key algorithms: + +| Key Type | Supported | +|----------|-----------| +| RSA (1024, 2048, 4096, 8192 bit) | Yes | +| ECDSA (P-256, P-384, P-521) | Yes | +| DSA (1024, 2048 bit) | Yes | +| Ed25519 | Yes | +| Ed448 | Yes | + ## Discovery Job Configuration For discovery of `K8SPKCS12` stores you can use the following params to filter the certificates that will be discovered: - `Directories to search` - comma separated list of namespaces to search for certificates OR `all` to search all namespaces. *This cannot be left blank.* -- `File name patterns to match` - comma separated list of K8S secret keys to search for PKCS12 or PKCS12 data. Will use - the following keys by default: `tls.pfx`,`tls.pkcs12`,`pfx`,`pkcs12`,`tls.pkcs12`,`pkcs12`. +- `File name patterns to match` - comma separated list of K8S secret keys to search for PKCS12 data. Will use + the following keys by default: `tls.pfx`,`tls.pkcs12`,`pfx`,`pkcs12`,`tls.p12`,`p12`. ## Certificate Store Configuration @@ -22,11 +34,13 @@ the Kubernetes secret. - Valid Keys: `*.pfx`, `*.pkcs12`, `*.p12` ### Storepath Patterns + - `/` - `/secrets/` - `//secrets/` ### Alias Patterns + - `/` Example: `test.pkcs12/load_balancer` where `test.pkcs12` is the field name on the `Opaque` secret and `load_balancer` is diff --git a/docsource/k8ssecret.md b/docsource/k8ssecret.md index b339ed25..6f9b72ae 100644 --- a/docsource/k8ssecret.md +++ b/docsource/k8ssecret.md @@ -4,15 +4,24 @@ The `K8SSecret` store type is used to manage Kubernetes secrets of type `Opaque` ## Discovery Job Configuration -For discovery of K8SNS stores you can use the following params to filter the certificates that will be discovered: +For discovery of `K8SSecret` stores you can use the following params to filter the certificates that will be discovered: - `Directories to search` - comma separated list of namespaces to search for certificates OR `all` to search all namespaces. *This cannot be left blank.* ## Certificate Store Configuration -In order for certificates of type `Opaque` to be inventoried as `K8SSecret` store types, they must have specific keys in -the Kubernetes secret. -- Required keys: `tls.crt` or `ca.crt` +In order for certificates of type `Opaque` to be inventoried as `K8SSecret` store types, they must have specific keys in +the Kubernetes secret. +- Required keys: `tls.crt` or `ca.crt` - Additional keys: `tls.key` +### Storepath Patterns + +- `` +- `/` + +### Alias Patterns + +- `` (when certificate is stored directly) + diff --git a/docsource/k8stlssecr.md b/docsource/k8stlssecr.md index adc910d1..1c119fe97 100644 --- a/docsource/k8stlssecr.md +++ b/docsource/k8stlssecr.md @@ -1,10 +1,10 @@ ## Overview -The `K8STLSSecret` store type is used to manage Kubernetes secrets of type `kubernetes.io/tls` +The `K8STLSSecr` store type is used to manage Kubernetes secrets of type `kubernetes.io/tls`. ## Discovery Job Configuration -For discovery of K8SNS stores you can use the following params to filter the certificates that will be discovered: +For discovery of `K8STLSSecr` stores you can use the following params to filter the certificates that will be discovered: - `Directories to search` - comma separated list of namespaces to search for certificates OR `all` to search all namespaces. *This cannot be left blank.* @@ -15,3 +15,12 @@ the Kubernetes secret. - Required keys: `tls.crt` and `tls.key` - Optional keys: `ca.crt` +### Storepath Patterns + +- `` +- `/` + +### Alias Patterns + +- `` (the TLS secret name) + diff --git a/integration-manifest.json b/integration-manifest.json index b6a39677..97cb46f4 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -50,7 +50,7 @@ "Name": "K8SCert", "ShortName": "K8SCert", "Capability": "K8SCert", - "ClientMachineDescription": "This can be anything useful, recommend using the k8s cluster name or identifier.", + "ClientMachineDescription": "The Kubernetes cluster name or identifier.", "LocalStore": false, "SupportedOperations": { "Add": false, @@ -78,32 +78,14 @@ "DefaultValue": null, "Required": true }, - { - "Name": "KubeNamespace", - "DisplayName": "KubeNamespace", - "Description": "The K8S namespace to use to manage the K8S secret object.", - "Type": "String", - "DependsOn": "", - "DefaultValue": "default", - "Required": false - }, { "Name": "KubeSecretName", "DisplayName": "KubeSecretName", - "Description": "The name of the K8S secret object.", + "Description": "The name of a specific CSR to inventory. Leave empty or set to '*' to inventory ALL issued CSRs in the cluster.", "Type": "String", "DependsOn": "", "DefaultValue": "", "Required": false - }, - { - "Name": "KubeSecretType", - "DisplayName": "KubeSecretType", - "Description": "This defaults to and must be `csr`", - "Type": "String", - "DependsOn": "", - "DefaultValue": "cert", - "Required": true } ], "EntryParameters": [], @@ -142,7 +124,7 @@ "DependsOn": null, "DefaultValue": "true", "Required": false, - "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed." + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." }, { "Name": "SeparateChain", @@ -222,11 +204,11 @@ { "Name": "KubeSecretType", "DisplayName": "KubeSecretType", - "Description": "This defaults to and must be `jks`", + "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `jks`.", "Type": "String", "DependsOn": "", "DefaultValue": "jks", - "Required": true + "Required": false }, { "Name": "CertificateDataFieldName", @@ -262,7 +244,7 @@ "DependsOn": null, "DefaultValue": "true", "Required": false, - "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed." + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." }, { "Name": "StorePasswordPath", @@ -337,7 +319,7 @@ "DependsOn": null, "DefaultValue": "true", "Required": false, - "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed." + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." }, { "Name": "SeparateChain", @@ -403,7 +385,7 @@ "DependsOn": null, "DefaultValue": "true", "Required": false, - "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed." + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." }, { "Name": "CertificateDataFieldName", @@ -470,11 +452,11 @@ { "Name": "KubeSecretType", "DisplayName": "Kube Secret Type", - "Description": "This defaults to and must be `pkcs12`", + "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `pkcs12`.", "Type": "String", "DependsOn": "", "DefaultValue": "pkcs12", - "Required": true + "Required": false }, { "Name": "StorePasswordPath", @@ -536,11 +518,11 @@ { "Name": "KubeSecretType", "DisplayName": "KubeSecretType", - "Description": "This defaults to and must be `secret`", + "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `secret`.", "Type": "String", "DependsOn": "", "DefaultValue": "secret", - "Required": true + "Required": false }, { "Name": "IncludeCertChain", @@ -549,7 +531,7 @@ "DependsOn": null, "DefaultValue": "true", "Required": false, - "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed." + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." }, { "Name": "SeparateChain", @@ -629,11 +611,11 @@ { "Name": "KubeSecretType", "DisplayName": "KubeSecretType", - "Description": "This defaults to and must be `tls_secret`", + "Description": "DEPRECATED: This property is deprecated and will be removed in a future release. The secret type is now automatically derived from the store type. This defaults to and must be `tls_secret`.", "Type": "String", "DependsOn": "", "DefaultValue": "tls_secret", - "Required": true + "Required": false }, { "Name": "IncludeCertChain", @@ -642,7 +624,7 @@ "DependsOn": null, "DefaultValue": "true", "Required": false, - "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed." + "Description": "Will default to `true` if not set. If set to `false` only the leaf cert will be deployed. Note: If the certificate in Keyfactor Command does not have a private key, it will be sent in DER format (leaf certificate only), and the chain cannot be included regardless of this setting." }, { "Name": "SeparateChain", diff --git a/kubernetes-orchestrator-extension.Tests/Attributes/SkipUnlessAttribute.cs b/kubernetes-orchestrator-extension.Tests/Attributes/SkipUnlessAttribute.cs new file mode 100644 index 00000000..8cfdcb72 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Attributes/SkipUnlessAttribute.cs @@ -0,0 +1,58 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System; +using Xunit; + +namespace Keyfactor.Orchestrators.K8S.Tests.Attributes; + +/// +/// Custom xUnit attribute that skips test execution unless a specified environment variable is set to "true". +/// +/// +/// [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] +/// public void MyIntegrationTest() { ... } +/// +public class SkipUnlessAttribute : FactAttribute +{ + /// + /// Gets or sets the name of the environment variable to check. + /// + public string EnvironmentVariable { get; set; } + + /// + /// Gets or sets the expected value of the environment variable (defaults to "true"). + /// + public string ExpectedValue { get; set; } = "true"; + + public SkipUnlessAttribute() + { + } + + public override string Skip + { + get + { + if (string.IsNullOrEmpty(EnvironmentVariable)) + { + return "SkipUnless attribute requires EnvironmentVariable property to be set"; + } + + var value = Environment.GetEnvironmentVariable(EnvironmentVariable); + + if (string.IsNullOrEmpty(value) || + !value.Equals(ExpectedValue, StringComparison.OrdinalIgnoreCase)) + { + return $"Test skipped because environment variable '{EnvironmentVariable}' is not set to '{ExpectedValue}'. " + + $"Current value: '{value ?? "(not set)"}'"; + } + + return null; // Don't skip + } + set { } + } +} diff --git a/kubernetes-orchestrator-extension.Tests/Attributes/SkipUnlessTheoryAttribute.cs b/kubernetes-orchestrator-extension.Tests/Attributes/SkipUnlessTheoryAttribute.cs new file mode 100644 index 00000000..f3fb96ba --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Attributes/SkipUnlessTheoryAttribute.cs @@ -0,0 +1,60 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System; +using Xunit; + +namespace Keyfactor.Orchestrators.K8S.Tests.Attributes; + +/// +/// Custom xUnit attribute that combines Theory behavior with environment variable skip logic. +/// Skips all test cases in the Theory unless the specified environment variable is set to the expected value. +/// +/// +/// [SkipUnlessTheory(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] +/// [MemberData(nameof(KeyTypeTestData.AllKeyTypes), MemberType = typeof(KeyTypeTestData))] +/// public void MyKeyTypeTest(KeyType keyType) { ... } +/// +public class SkipUnlessTheoryAttribute : TheoryAttribute +{ + /// + /// Gets or sets the name of the environment variable to check. + /// + public string EnvironmentVariable { get; set; } = string.Empty; + + /// + /// Gets or sets the expected value of the environment variable (defaults to "true"). + /// + public string ExpectedValue { get; set; } = "true"; + + public SkipUnlessTheoryAttribute() + { + } + + public override string? Skip + { + get + { + if (string.IsNullOrEmpty(EnvironmentVariable)) + { + return "SkipUnlessTheory attribute requires EnvironmentVariable property to be set"; + } + + var value = Environment.GetEnvironmentVariable(EnvironmentVariable); + + if (string.IsNullOrEmpty(value) || + !value.Equals(ExpectedValue, StringComparison.OrdinalIgnoreCase)) + { + return $"Test skipped because environment variable '{EnvironmentVariable}' is not set to '{ExpectedValue}'. " + + $"Current value: '{value ?? "(not set)"}'"; + } + + return null; // Don't skip + } + set { } + } +} diff --git a/kubernetes-orchestrator-extension.Tests/Helpers/CachedCertificateProvider.cs b/kubernetes-orchestrator-extension.Tests/Helpers/CachedCertificateProvider.cs new file mode 100644 index 00000000..439eb2d0 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Helpers/CachedCertificateProvider.cs @@ -0,0 +1,111 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System; +using System.Collections.Concurrent; +using System.Collections.Generic; +using static Keyfactor.Orchestrators.K8S.Tests.Helpers.CertificateTestHelper; + +namespace Keyfactor.Orchestrators.K8S.Tests.Helpers; + +/// +/// Thread-safe cached certificate provider that eliminates redundant certificate generation +/// during test execution. Certificates are cached by key type and subject CN for reuse +/// across read-only tests (Inventory, Discovery). +/// +public static class CachedCertificateProvider +{ + private static readonly ConcurrentDictionary _certificateCache = new(); + private static readonly ConcurrentDictionary> _chainCache = new(); + private static readonly object _chainLock = new(); + + /// + /// Gets or creates a cached certificate with the specified key type and subject CN. + /// Thread-safe for concurrent access from parallel tests. + /// + /// The type of cryptographic key to use + /// The subject common name for the certificate + /// A cached or newly generated CertificateInfo + public static CertificateInfo GetOrCreate(KeyType keyType, string subjectCN = "Cached Test Certificate") + { + var cacheKey = $"{keyType}:{subjectCN}"; + return _certificateCache.GetOrAdd(cacheKey, _ => + CertificateTestHelper.GenerateCertificate(keyType, subjectCN)); + } + + /// + /// Gets or creates a cached certificate chain (leaf -> intermediate -> root) with the specified key type. + /// Thread-safe for concurrent access from parallel tests. + /// + /// The type of cryptographic key to use for all certificates in the chain + /// Optional leaf certificate CN (default: "Leaf Certificate") + /// A cached or newly generated certificate chain (leaf at index 0, root at last index) + public static List GetOrCreateChain(KeyType keyType, string leafCN = "Cached Leaf Certificate") + { + var cacheKey = $"chain:{keyType}:{leafCN}"; + + // Use double-checked locking for chain generation since it's more expensive + if (_chainCache.TryGetValue(cacheKey, out var existingChain)) + { + return existingChain; + } + + lock (_chainLock) + { + // Check again after acquiring lock + if (_chainCache.TryGetValue(cacheKey, out existingChain)) + { + return existingChain; + } + + var newChain = CertificateTestHelper.GenerateCertificateChain( + keyType, + leafCN, + $"Intermediate CA ({keyType})", + $"Root CA ({keyType})"); + + _chainCache[cacheKey] = newChain; + return newChain; + } + } + + /// + /// Gets a pre-generated PKCS12 byte array for the specified key type. + /// Useful for management tests that need PKCS12 format. + /// + /// The type of cryptographic key to use + /// The password for the PKCS12 store + /// The alias for the certificate entry + /// PKCS12 byte array containing the cached certificate + public static byte[] GetOrCreatePkcs12(KeyType keyType, string password = "testpassword", string alias = "testcert") + { + var certInfo = GetOrCreate(keyType); + return CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, password, alias); + } + + /// + /// Clears all cached certificates. Should be called between test collections + /// if memory pressure becomes an issue, or in fixture disposal. + /// + public static void ClearCache() + { + _certificateCache.Clear(); + lock (_chainLock) + { + _chainCache.Clear(); + } + } + + /// + /// Gets the current cache statistics for debugging/monitoring. + /// + /// Tuple of (certificate count, chain count) + public static (int CertificateCount, int ChainCount) GetCacheStats() + { + return (_certificateCache.Count, _chainCache.Count); + } +} diff --git a/kubernetes-orchestrator-extension.Tests/Helpers/CertificateTestHelper.cs b/kubernetes-orchestrator-extension.Tests/Helpers/CertificateTestHelper.cs new file mode 100644 index 00000000..09718e8f --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Helpers/CertificateTestHelper.cs @@ -0,0 +1,755 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System; +using System.Collections.Generic; +using System.IO; +using System.Security.Cryptography; +using System.Security.Cryptography.X509Certificates; +using Org.BouncyCastle.Asn1; +using Org.BouncyCastle.Asn1.Pkcs; +using Org.BouncyCastle.Asn1.X509; +using Org.BouncyCastle.Crypto; +using Org.BouncyCastle.Crypto.Generators; +using Org.BouncyCastle.Crypto.Operators; +using Org.BouncyCastle.Crypto.Parameters; +using Org.BouncyCastle.Math; +using Org.BouncyCastle.Pkcs; +using Org.BouncyCastle.Security; +using Org.BouncyCastle.Utilities.IO.Pem; +using Org.BouncyCastle.X509; +using X509Certificate = Org.BouncyCastle.X509.X509Certificate; + +namespace Keyfactor.Orchestrators.K8S.Tests.Helpers; + +/// +/// Comprehensive test helper for generating certificates with various key types, sizes, and configurations. +/// Supports RSA, EC, DSA, Ed25519, and Ed448 key types for comprehensive testing. +/// +public static class CertificateTestHelper +{ + private static readonly SecureRandom Random = new SecureRandom(); + + public enum KeyType + { + Rsa1024, + Rsa2048, + Rsa4096, + Rsa8192, + EcP256, // secp256r1 / prime256v1 + EcP384, // secp384r1 + EcP521, // secp521r1 + Dsa1024, + Dsa2048, + Ed25519, + Ed448 + } + + public class CertificateInfo + { + public X509Certificate Certificate { get; set; } + public AsymmetricCipherKeyPair KeyPair { get; set; } + public KeyType KeyType { get; set; } + public string SubjectCN { get; set; } + public string IssuerCN { get; set; } + public DateTime NotBefore { get; set; } + public DateTime NotAfter { get; set; } + } + + #region Key Pair Generation + + /// + /// Generates an RSA key pair with the specified key size. + /// + public static AsymmetricCipherKeyPair GenerateRsaKeyPair(int keySize) + { + var keyPairGenerator = new RsaKeyPairGenerator(); + keyPairGenerator.Init(new KeyGenerationParameters(Random, keySize)); + return keyPairGenerator.GenerateKeyPair(); + } + + /// + /// Generates an EC key pair with the specified curve. + /// + public static AsymmetricCipherKeyPair GenerateEcKeyPair(string curveName) + { + var ecParams = Org.BouncyCastle.Asn1.Sec.SecNamedCurves.GetByName(curveName); + var domainParams = new ECDomainParameters(ecParams.Curve, ecParams.G, ecParams.N, ecParams.H, ecParams.GetSeed()); + var keyGenParams = new ECKeyGenerationParameters(domainParams, Random); + + var keyPairGenerator = new ECKeyPairGenerator(); + keyPairGenerator.Init(keyGenParams); + return keyPairGenerator.GenerateKeyPair(); + } + + /// + /// Generates a DSA key pair with the specified key size. + /// For key sizes > 1024 bits, uses FIPS 186-3/4 style generation with SHA-256. + /// + public static AsymmetricCipherKeyPair GenerateDsaKeyPair(int keySize) + { + DsaParametersGenerator paramGen; + + if (keySize <= 1024) + { + // Legacy DSA (FIPS 186-2): must use SHA-1 for key size 512-1024 + paramGen = new DsaParametersGenerator(); + paramGen.Init(keySize, 80, Random); + } + else + { + // FIPS 186-3/4 style: use SHA-256 for larger keys + // For 2048-bit keys, use 256-bit q (N) per FIPS 186-3 + paramGen = new DsaParametersGenerator(new Org.BouncyCastle.Crypto.Digests.Sha256Digest()); + var dsaParamGenParams = new DsaParameterGenerationParameters( + keySize, 256, 80, Random); + paramGen.Init(dsaParamGenParams); + } + + var dsaParams = paramGen.GenerateParameters(); + + var keyGenParams = new DsaKeyGenerationParameters(Random, dsaParams); + var keyPairGenerator = new DsaKeyPairGenerator(); + keyPairGenerator.Init(keyGenParams); + return keyPairGenerator.GenerateKeyPair(); + } + + /// + /// Generates an Ed25519 key pair. + /// + public static AsymmetricCipherKeyPair GenerateEd25519KeyPair() + { + var keyPairGenerator = new Ed25519KeyPairGenerator(); + keyPairGenerator.Init(new Ed25519KeyGenerationParameters(Random)); + return keyPairGenerator.GenerateKeyPair(); + } + + /// + /// Generates an Ed448 key pair. + /// + public static AsymmetricCipherKeyPair GenerateEd448KeyPair() + { + var keyPairGenerator = new Ed448KeyPairGenerator(); + keyPairGenerator.Init(new Ed448KeyGenerationParameters(Random)); + return keyPairGenerator.GenerateKeyPair(); + } + + /// + /// Generates a key pair based on the specified key type. + /// + public static AsymmetricCipherKeyPair GenerateKeyPair(KeyType keyType) + { + return keyType switch + { + KeyType.Rsa1024 => GenerateRsaKeyPair(1024), + KeyType.Rsa2048 => GenerateRsaKeyPair(2048), + KeyType.Rsa4096 => GenerateRsaKeyPair(4096), + KeyType.Rsa8192 => GenerateRsaKeyPair(8192), + KeyType.EcP256 => GenerateEcKeyPair("secp256r1"), + KeyType.EcP384 => GenerateEcKeyPair("secp384r1"), + KeyType.EcP521 => GenerateEcKeyPair("secp521r1"), + KeyType.Dsa1024 => GenerateDsaKeyPair(1024), + KeyType.Dsa2048 => GenerateDsaKeyPair(2048), + KeyType.Ed25519 => GenerateEd25519KeyPair(), + KeyType.Ed448 => GenerateEd448KeyPair(), + _ => throw new ArgumentException($"Unsupported key type: {keyType}") + }; + } + + #endregion + + #region Certificate Generation + + /// + /// Gets the appropriate signature algorithm for the given key type. + /// + private static string GetSignatureAlgorithm(KeyType keyType) + { + return keyType switch + { + KeyType.Rsa1024 or KeyType.Rsa2048 or KeyType.Rsa4096 or KeyType.Rsa8192 => "SHA256WithRSA", + KeyType.EcP256 or KeyType.EcP384 or KeyType.EcP521 => "SHA256WithECDSA", + KeyType.Dsa1024 or KeyType.Dsa2048 => "SHA256WithDSA", + KeyType.Ed25519 => "Ed25519", + KeyType.Ed448 => "Ed448", + _ => throw new ArgumentException($"Unsupported key type: {keyType}") + }; + } + + /// + /// Generates a test certificate with the specified parameters. + /// + public static CertificateInfo GenerateCertificate( + KeyType keyType = KeyType.Rsa2048, + string subjectCN = "Test Certificate", + string issuerCN = null, + DateTime? notBefore = null, + DateTime? notAfter = null, + AsymmetricCipherKeyPair signingKeyPair = null) + { + var keyPair = GenerateKeyPair(keyType); + var actualIssuerCN = issuerCN ?? subjectCN; + var actualNotBefore = notBefore ?? DateTime.UtcNow.AddDays(-1); + var actualNotAfter = notAfter ?? DateTime.UtcNow.AddYears(1); + + var certGen = new X509V3CertificateGenerator(); + var subjectDN = new X509Name($"CN={subjectCN}"); + var issuerDN = new X509Name($"CN={actualIssuerCN}"); + + certGen.SetSerialNumber(BigInteger.ProbablePrime(120, Random)); + certGen.SetIssuerDN(issuerDN); + certGen.SetSubjectDN(subjectDN); + certGen.SetNotBefore(actualNotBefore); + certGen.SetNotAfter(actualNotAfter); + certGen.SetPublicKey(keyPair.Public); + + // Use signing key pair if provided (for CA-signed certs), otherwise self-sign + var signingKey = signingKeyPair?.Private ?? keyPair.Private; + var signatureAlgorithm = GetSignatureAlgorithm(keyType); + var signatureFactory = new Asn1SignatureFactory(signatureAlgorithm, signingKey, Random); + var certificate = certGen.Generate(signatureFactory); + + return new CertificateInfo + { + Certificate = certificate, + KeyPair = keyPair, + KeyType = keyType, + SubjectCN = subjectCN, + IssuerCN = actualIssuerCN, + NotBefore = actualNotBefore, + NotAfter = actualNotAfter + }; + } + + /// + /// Generates a certificate chain (leaf -> intermediate -> root). + /// + public static List GenerateCertificateChain( + KeyType keyType = KeyType.Rsa2048, + string leafCN = "Leaf Certificate", + string intermediateCN = "Intermediate CA", + string rootCN = "Root CA") + { + // Generate root CA (self-signed) + var rootInfo = GenerateCertificate( + keyType: keyType, + subjectCN: rootCN, + issuerCN: rootCN); + + // Generate intermediate CA (signed by root) + var intermediateInfo = GenerateCertificate( + keyType: keyType, + subjectCN: intermediateCN, + issuerCN: rootCN, + signingKeyPair: rootInfo.KeyPair); + + // Generate leaf certificate (signed by intermediate) + var leafInfo = GenerateCertificate( + keyType: keyType, + subjectCN: leafCN, + issuerCN: intermediateCN, + signingKeyPair: intermediateInfo.KeyPair); + + return new List { leafInfo, intermediateInfo, rootInfo }; + } + + #endregion + + #region PKCS12 Generation + + /// + /// Generates a PKCS12/PFX store with the specified certificate and options. + /// + public static byte[] GeneratePkcs12( + X509Certificate certificate, + AsymmetricCipherKeyPair keyPair, + string password = "password", + string alias = "testcert", + X509Certificate[] chain = null) + { + var store = new Pkcs12StoreBuilder().Build(); + var certEntry = new X509CertificateEntry(certificate); + + // Build certificate chain + var certChain = new X509CertificateEntry[chain != null ? chain.Length + 1 : 1]; + certChain[0] = certEntry; + if (chain != null) + { + for (int i = 0; i < chain.Length; i++) + { + certChain[i + 1] = new X509CertificateEntry(chain[i]); + } + } + + store.SetKeyEntry(alias, new AsymmetricKeyEntry(keyPair.Private), certChain); + + using var ms = new MemoryStream(); + store.Save(ms, password.ToCharArray(), Random); + return ms.ToArray(); + } + + /// + /// Generates a PKCS12 store with multiple certificates/aliases. + /// + public static byte[] GeneratePkcs12WithMultipleEntries( + Dictionary entries, + string password = "password") + { + var store = new Pkcs12StoreBuilder().Build(); + + foreach (var kvp in entries) + { + var alias = kvp.Key; + var (cert, keyPair) = kvp.Value; + + var certEntry = new X509CertificateEntry(cert); + var certChain = new[] { certEntry }; + + store.SetKeyEntry(alias, new AsymmetricKeyEntry(keyPair.Private), certChain); + } + + using var ms = new MemoryStream(); + store.Save(ms, password.ToCharArray(), Random); + return ms.ToArray(); + } + + /// + /// Generates a PKCS12 with a certificate chain. + /// Convenience wrapper for GeneratePkcs12 with explicit chain parameter. + /// + public static byte[] GeneratePkcs12WithChain( + X509Certificate leafCertificate, + AsymmetricKeyParameter privateKey, + X509Certificate[] chain, + string password = "password", + string alias = "testcert") + { + // Create key pair from private key (public key is in the certificate) + var keyPair = new AsymmetricCipherKeyPair(leafCertificate.GetPublicKey(), privateKey); + return GeneratePkcs12(leafCertificate, keyPair, password, alias, chain); + } + + #endregion + + #region JKS Generation + + /// + /// Generates a JKS keystore with the specified certificate and options. + /// Uses BouncyCastle's JksStore implementation. + /// + public static byte[] GenerateJks( + X509Certificate certificate, + AsymmetricCipherKeyPair keyPair, + string password = "password", + string alias = "testcert", + X509Certificate[] chain = null) + { + var jksStore = new Org.BouncyCastle.Security.JksStore(); + + // Build certificate chain + var certChain = new X509Certificate[chain != null ? chain.Length + 1 : 1]; + certChain[0] = certificate; + if (chain != null) + { + Array.Copy(chain, 0, certChain, 1, chain.Length); + } + + jksStore.SetKeyEntry(alias, keyPair.Private, password.ToCharArray(), certChain); + + using var ms = new MemoryStream(); + jksStore.Save(ms, password.ToCharArray()); + return ms.ToArray(); + } + + /// + /// Generates a JKS keystore with multiple certificates/aliases. + /// Uses BouncyCastle's JksStore implementation. + /// + public static byte[] GenerateJksWithMultipleEntries( + Dictionary entries, + string password = "password") + { + var jksStore = new Org.BouncyCastle.Security.JksStore(); + + foreach (var kvp in entries) + { + var alias = kvp.Key; + var (cert, keyPair) = kvp.Value; + + jksStore.SetKeyEntry(alias, keyPair.Private, password.ToCharArray(), new[] { cert }); + } + + using var ms = new MemoryStream(); + jksStore.Save(ms, password.ToCharArray()); + return ms.ToArray(); + } + + #endregion + + #region PEM Conversion + + /// + /// Converts a certificate to PEM format. + /// + public static string ConvertCertificateToPem(X509Certificate certificate) + { + using var stringWriter = new StringWriter(); + var pemWriter = new Org.BouncyCastle.Utilities.IO.Pem.PemWriter(stringWriter); + pemWriter.WriteObject(new PemObject("CERTIFICATE", certificate.GetEncoded())); + pemWriter.Writer.Flush(); + return stringWriter.ToString(); + } + + /// + /// Converts a private key to PEM format (PKCS#8). + /// + public static string ConvertPrivateKeyToPem(AsymmetricKeyParameter privateKey) + { + using var stringWriter = new StringWriter(); + var pemWriter = new Org.BouncyCastle.Utilities.IO.Pem.PemWriter(stringWriter); + + var pkcs8 = PrivateKeyInfoFactory.CreatePrivateKeyInfo(privateKey); + pemWriter.WriteObject(new PemObject("PRIVATE KEY", pkcs8.GetEncoded())); + pemWriter.Writer.Flush(); + return stringWriter.ToString(); + } + + /// + /// Generates a PKCS#10 Certificate Signing Request (CSR) in PEM format using .NET CertificateRequest. + /// This produces CSRs that are compatible with Kubernetes API server validation. + /// + public static string GenerateCertificateRequest(KeyType keyType, string subjectName) + { + // Generate key pair using BouncyCastle + var keyInfo = GenerateKeyPair(keyType); + + // Convert to .NET types and create CSR + byte[] csrDer; + + switch (keyType) + { + case KeyType.Rsa1024: + case KeyType.Rsa2048: + case KeyType.Rsa4096: + case KeyType.Rsa8192: + // Convert BouncyCastle RSA key to .NET RSA + var rsaParams = (RsaPrivateCrtKeyParameters)keyInfo.Private; + using (var rsa = RSA.Create()) + { + rsa.ImportParameters(new RSAParameters + { + Modulus = rsaParams.Modulus.ToByteArrayUnsigned(), + Exponent = rsaParams.PublicExponent.ToByteArrayUnsigned(), + D = rsaParams.Exponent.ToByteArrayUnsigned(), + P = rsaParams.P.ToByteArrayUnsigned(), + Q = rsaParams.Q.ToByteArrayUnsigned(), + DP = rsaParams.DP.ToByteArrayUnsigned(), + DQ = rsaParams.DQ.ToByteArrayUnsigned(), + InverseQ = rsaParams.QInv.ToByteArrayUnsigned() + }); + + // Create certificate request + var request = new System.Security.Cryptography.X509Certificates.CertificateRequest( + $"CN={subjectName}", + rsa, + HashAlgorithmName.SHA256, + RSASignaturePadding.Pkcs1); + + csrDer = request.CreateSigningRequest(); + } + break; + + case KeyType.EcP256: + case KeyType.EcP384: + case KeyType.EcP521: + // Convert BouncyCastle EC key to .NET ECDsa + var ecParams = (ECPrivateKeyParameters)keyInfo.Private; + using (var ecdsa = ECDsa.Create()) + { + // Map curve + ECCurve curve = keyType switch + { + KeyType.EcP256 => ECCurve.NamedCurves.nistP256, + KeyType.EcP384 => ECCurve.NamedCurves.nistP384, + KeyType.EcP521 => ECCurve.NamedCurves.nistP521, + _ => throw new NotSupportedException($"Unsupported EC curve: {keyType}") + }; + + var ecPoint = ((ECPublicKeyParameters)keyInfo.Public).Q; + ecdsa.ImportParameters(new ECParameters + { + Curve = curve, + D = ecParams.D.ToByteArrayUnsigned(), + Q = new ECPoint + { + X = ecPoint.AffineXCoord.ToBigInteger().ToByteArrayUnsigned(), + Y = ecPoint.AffineYCoord.ToBigInteger().ToByteArrayUnsigned() + } + }); + + var hashAlgorithm = keyType switch + { + KeyType.EcP256 => HashAlgorithmName.SHA256, + KeyType.EcP384 => HashAlgorithmName.SHA384, + KeyType.EcP521 => HashAlgorithmName.SHA512, + _ => HashAlgorithmName.SHA256 + }; + + var request = new System.Security.Cryptography.X509Certificates.CertificateRequest( + $"CN={subjectName}", + ecdsa, + hashAlgorithm); + + csrDer = request.CreateSigningRequest(); + } + break; + + default: + throw new NotSupportedException($"CSR generation not implemented for key type: {keyType}. Use RSA or EC keys."); + } + + // Convert DER to PEM + var base64 = Convert.ToBase64String(csrDer); + var sb = new System.Text.StringBuilder(); + sb.AppendLine("-----BEGIN CERTIFICATE REQUEST-----"); + for (int i = 0; i < base64.Length; i += 64) + { + sb.AppendLine(base64.Substring(i, Math.Min(64, base64.Length - i))); + } + sb.AppendLine("-----END CERTIFICATE REQUEST-----"); + return sb.ToString(); + } + + #endregion + + #region Password Scenarios + + /// + /// Gets a variety of password test cases. + /// + public static List GetPasswordTestCases() + { + return new List + { + "", // Empty + "password", // Simple ASCII + "P@ssw0rd!", // Special characters + "ๅฏ†็ ", // Unicode (Chinese) + "ะฟะฐั€ะพะปัŒ", // Unicode (Russian) + "๐Ÿ”๐Ÿ”‘", // Emoji + "a", // Single character + new string('x', 100), // Long password (100 chars) + new string('y', 1000), // Very long password (1000 chars) + "pass word", // With space + "pass\tword", // With tab + "pass\nword", // With newline (common kubectl issue) + "pass\r\nword", // With CRLF + "\"quoted\"", // With quotes + "'single'", // With single quotes + "`backtick`", // With backtick + "$VAR", // Shell-like variable + "$(cmd)", // Shell-like command substitution + "test", // XML-like + "{\"key\":\"value\"}", // JSON-like + "C:\\Windows\\Path", // Windows path + "/usr/local/bin", // Unix path + }; + } + + #endregion + + #region Corrupt Data Generation + + /// + /// Generates corrupted/invalid certificate data for negative testing. + /// + public static byte[] GenerateCorruptedData(int size = 100) + { + var data = new byte[size]; + Random.NextBytes(data); + return data; + } + + /// + /// Corrupts valid certificate data by modifying random bytes. + /// + public static byte[] CorruptData(byte[] validData, int bytesToCorrupt = 5) + { + var corrupted = new byte[validData.Length]; + Array.Copy(validData, corrupted, validData.Length); + + for (int i = 0; i < bytesToCorrupt; i++) + { + var index = Random.Next(corrupted.Length); + corrupted[index] = (byte)~corrupted[index]; // Flip all bits + } + + return corrupted; + } + + #endregion + + #region Mixed Entry Types (Private Keys + Trusted Certs) + + /// + /// Generates a JKS keystore with mixed entry types (private key entries and trusted certificate entries). + /// Private key entries contain a certificate + private key (PrivateKeyEntry). + /// Trusted certificate entries contain only a certificate, no private key (TrustedCertificateEntry). + /// This is common in real-world keystores that contain both server certs and CA trust anchors. + /// + /// Dictionary of alias -> (certificate, keyPair) for private key entries + /// Dictionary of alias -> certificate for trusted certificate entries (no private key) + /// Password for the keystore + /// JKS keystore bytes containing both entry types + public static byte[] GenerateJksWithMixedEntries( + Dictionary privateKeyEntries, + Dictionary trustedCertEntries, + string storePassword) + { + var jksStore = new Org.BouncyCastle.Security.JksStore(); + + // Add private key entries (PrivateKeyEntry - cert + key) + foreach (var kvp in privateKeyEntries) + { + var alias = kvp.Key; + var (cert, keyPair) = kvp.Value; + jksStore.SetKeyEntry(alias, keyPair.Private, storePassword.ToCharArray(), new[] { cert }); + } + + // Add trusted certificate entries (TrustedCertificateEntry - cert only, no key) + foreach (var kvp in trustedCertEntries) + { + var alias = kvp.Key; + var cert = kvp.Value; + jksStore.SetCertificateEntry(alias, cert); + } + + using var ms = new MemoryStream(); + jksStore.Save(ms, storePassword.ToCharArray()); + return ms.ToArray(); + } + + /// + /// Generates a PKCS12 keystore with mixed entry types (private key entries and trusted certificate entries). + /// Private key entries contain a certificate + private key. + /// Trusted certificate entries contain only a certificate, no private key. + /// + /// Dictionary of alias -> (certificate, keyPair) for private key entries + /// Dictionary of alias -> certificate for trusted certificate entries (no private key) + /// Password for the keystore + /// PKCS12 keystore bytes containing both entry types + public static byte[] GeneratePkcs12WithMixedEntries( + Dictionary privateKeyEntries, + Dictionary trustedCertEntries, + string storePassword) + { + var store = new Pkcs12StoreBuilder().Build(); + + // Add private key entries (with private key) + foreach (var kvp in privateKeyEntries) + { + var alias = kvp.Key; + var (cert, keyPair) = kvp.Value; + var certEntry = new X509CertificateEntry(cert); + store.SetKeyEntry(alias, new AsymmetricKeyEntry(keyPair.Private), new[] { certEntry }); + } + + // Add trusted certificate entries (certificate only, no private key) + foreach (var kvp in trustedCertEntries) + { + var alias = kvp.Key; + var cert = kvp.Value; + store.SetCertificateEntry(alias, new X509CertificateEntry(cert)); + } + + using var ms = new MemoryStream(); + store.Save(ms, storePassword.ToCharArray(), Random); + return ms.ToArray(); + } + + #endregion + + #region JKS/PKCS12 Format Detection + + /// + /// Checks if byte array is in native JKS format by checking magic bytes. + /// JKS files start with 0xFEEDFEED (4 bytes: 0xFE, 0xED, 0xFE, 0xED) + /// + /// The byte array to check + /// True if the data starts with JKS magic bytes (0xFEEDFEED) + public static bool IsNativeJksFormat(byte[] data) + { + if (data == null || data.Length < 4) return false; + return data[0] == 0xFE && data[1] == 0xED && data[2] == 0xFE && data[3] == 0xED; + } + + /// + /// Checks if byte array is in PKCS12 format by checking for ASN.1 SEQUENCE tag. + /// PKCS12 files typically start with 0x30 (ASN.1 SEQUENCE tag) + /// + /// The byte array to check + /// True if the data starts with PKCS12/ASN.1 SEQUENCE tag (0x30) + public static bool IsPkcs12Format(byte[] data) + { + if (data == null || data.Length < 1) return false; + return data[0] == 0x30; + } + + /// + /// Gets the JKS magic bytes constant (0xFEEDFEED). + /// + public static readonly byte[] JksMagicBytes = { 0xFE, 0xED, 0xFE, 0xED }; + + /// + /// Gets the PKCS12 ASN.1 SEQUENCE tag. + /// + public const byte Pkcs12SequenceTag = 0x30; + + #endregion + + #region DER/PEM Certificate Generation (No Private Key) + + /// + /// Generates a DER-encoded certificate (no private key). + /// Used for testing certificate-only scenarios where Command sends certificates without private keys. + /// + /// Key type for the certificate + /// Subject common name + /// DER-encoded certificate bytes + public static byte[] GenerateDerCertificate(KeyType keyType = KeyType.Rsa2048, string subjectCN = "Test Certificate") + { + var certInfo = GenerateCertificate(keyType, subjectCN); + return certInfo.Certificate.GetEncoded(); + } + + /// + /// Generates a PEM-encoded certificate string (no private key). + /// Used for testing certificate-only scenarios. + /// + /// Key type for the certificate + /// Subject common name + /// PEM-encoded certificate string + public static string GeneratePemCertificateOnly(KeyType keyType = KeyType.Rsa2048, string subjectCN = "Test Certificate") + { + var certInfo = GenerateCertificate(keyType, subjectCN); + return ConvertCertificateToPem(certInfo.Certificate); + } + + /// + /// Generates a Base64-encoded DER certificate (how Command might send it). + /// + /// Key type for the certificate + /// Subject common name + /// Base64-encoded DER certificate + public static string GenerateBase64DerCertificate(KeyType keyType = KeyType.Rsa2048, string subjectCN = "Test Certificate") + { + var derBytes = GenerateDerCertificate(keyType, subjectCN); + return Convert.ToBase64String(derBytes); + } + + #endregion +} diff --git a/kubernetes-orchestrator-extension.Tests/Helpers/KeyTypeTestData.cs b/kubernetes-orchestrator-extension.Tests/Helpers/KeyTypeTestData.cs new file mode 100644 index 00000000..32b7e161 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Helpers/KeyTypeTestData.cs @@ -0,0 +1,61 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System.Collections.Generic; +using static Keyfactor.Orchestrators.K8S.Tests.Helpers.CertificateTestHelper; + +namespace Keyfactor.Orchestrators.K8S.Tests.Helpers; + +/// +/// Provides test data for parameterized key type tests using xUnit Theory/MemberData. +/// This allows consolidation of duplicate key type test methods into single parameterized tests. +/// +public static class KeyTypeTestData +{ + /// + /// All supported key types for comprehensive certificate testing. + /// Includes RSA, EC, and Ed25519 key types. + /// + public static IEnumerable AllKeyTypes => new[] + { + new object[] { KeyType.Rsa2048 }, + new object[] { KeyType.Rsa4096 }, + new object[] { KeyType.EcP256 }, + new object[] { KeyType.EcP384 }, + new object[] { KeyType.EcP521 }, + new object[] { KeyType.Ed25519 } + }; + + /// + /// Common key types for quick smoke tests. + /// Covers RSA and EC with representative key sizes. + /// + public static IEnumerable CommonKeyTypes => new[] + { + new object[] { KeyType.Rsa2048 }, + new object[] { KeyType.EcP256 } + }; + + /// + /// RSA key types only. + /// + public static IEnumerable RsaKeyTypes => new[] + { + new object[] { KeyType.Rsa2048 }, + new object[] { KeyType.Rsa4096 } + }; + + /// + /// EC (Elliptic Curve) key types only. + /// + public static IEnumerable EcKeyTypes => new[] + { + new object[] { KeyType.EcP256 }, + new object[] { KeyType.EcP384 }, + new object[] { KeyType.EcP521 } + }; +} diff --git a/kubernetes-orchestrator-extension.Tests/Integration/Collections/K8SCertCollection.cs b/kubernetes-orchestrator-extension.Tests/Integration/Collections/K8SCertCollection.cs new file mode 100644 index 00000000..9af78a7f --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Integration/Collections/K8SCertCollection.cs @@ -0,0 +1,20 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using Keyfactor.Orchestrators.K8S.Tests.Integration.Fixtures; +using Xunit; + +namespace Keyfactor.Orchestrators.K8S.Tests.Integration.Collections; + +/// +/// Collection definition for K8SCert integration tests. +/// Enables parallel execution with other store type collections. +/// +[CollectionDefinition("K8SCert Integration Tests")] +public class K8SCertCollection : ICollectionFixture +{ +} diff --git a/kubernetes-orchestrator-extension.Tests/Integration/Collections/K8SClusterCollection.cs b/kubernetes-orchestrator-extension.Tests/Integration/Collections/K8SClusterCollection.cs new file mode 100644 index 00000000..f968026c --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Integration/Collections/K8SClusterCollection.cs @@ -0,0 +1,20 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using Keyfactor.Orchestrators.K8S.Tests.Integration.Fixtures; +using Xunit; + +namespace Keyfactor.Orchestrators.K8S.Tests.Integration.Collections; + +/// +/// Collection definition for K8SCluster integration tests. +/// Enables parallel execution with other store type collections. +/// +[CollectionDefinition("K8SCluster Integration Tests")] +public class K8SClusterCollection : ICollectionFixture +{ +} diff --git a/kubernetes-orchestrator-extension.Tests/Integration/Collections/K8SJKSCollection.cs b/kubernetes-orchestrator-extension.Tests/Integration/Collections/K8SJKSCollection.cs new file mode 100644 index 00000000..a5859ff2 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Integration/Collections/K8SJKSCollection.cs @@ -0,0 +1,20 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using Keyfactor.Orchestrators.K8S.Tests.Integration.Fixtures; +using Xunit; + +namespace Keyfactor.Orchestrators.K8S.Tests.Integration.Collections; + +/// +/// Collection definition for K8SJKS integration tests. +/// Enables parallel execution with other store type collections. +/// +[CollectionDefinition("K8SJKS Integration Tests")] +public class K8SJKSCollection : ICollectionFixture +{ +} diff --git a/kubernetes-orchestrator-extension.Tests/Integration/Collections/K8SNSCollection.cs b/kubernetes-orchestrator-extension.Tests/Integration/Collections/K8SNSCollection.cs new file mode 100644 index 00000000..a761e7f1 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Integration/Collections/K8SNSCollection.cs @@ -0,0 +1,20 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using Keyfactor.Orchestrators.K8S.Tests.Integration.Fixtures; +using Xunit; + +namespace Keyfactor.Orchestrators.K8S.Tests.Integration.Collections; + +/// +/// Collection definition for K8SNS integration tests. +/// Enables parallel execution with other store type collections. +/// +[CollectionDefinition("K8SNS Integration Tests")] +public class K8SNSCollection : ICollectionFixture +{ +} diff --git a/kubernetes-orchestrator-extension.Tests/Integration/Collections/K8SPKCS12Collection.cs b/kubernetes-orchestrator-extension.Tests/Integration/Collections/K8SPKCS12Collection.cs new file mode 100644 index 00000000..470d88c7 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Integration/Collections/K8SPKCS12Collection.cs @@ -0,0 +1,20 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using Keyfactor.Orchestrators.K8S.Tests.Integration.Fixtures; +using Xunit; + +namespace Keyfactor.Orchestrators.K8S.Tests.Integration.Collections; + +/// +/// Collection definition for K8SPKCS12 integration tests. +/// Enables parallel execution with other store type collections. +/// +[CollectionDefinition("K8SPKCS12 Integration Tests")] +public class K8SPKCS12Collection : ICollectionFixture +{ +} diff --git a/kubernetes-orchestrator-extension.Tests/Integration/Collections/K8SSecretCollection.cs b/kubernetes-orchestrator-extension.Tests/Integration/Collections/K8SSecretCollection.cs new file mode 100644 index 00000000..700591f9 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Integration/Collections/K8SSecretCollection.cs @@ -0,0 +1,20 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using Keyfactor.Orchestrators.K8S.Tests.Integration.Fixtures; +using Xunit; + +namespace Keyfactor.Orchestrators.K8S.Tests.Integration.Collections; + +/// +/// Collection definition for K8SSecret integration tests. +/// Enables parallel execution with other store type collections. +/// +[CollectionDefinition("K8SSecret Integration Tests")] +public class K8SSecretCollection : ICollectionFixture +{ +} diff --git a/kubernetes-orchestrator-extension.Tests/Integration/Collections/K8STLSSecrCollection.cs b/kubernetes-orchestrator-extension.Tests/Integration/Collections/K8STLSSecrCollection.cs new file mode 100644 index 00000000..031fceb0 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Integration/Collections/K8STLSSecrCollection.cs @@ -0,0 +1,20 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using Keyfactor.Orchestrators.K8S.Tests.Integration.Fixtures; +using Xunit; + +namespace Keyfactor.Orchestrators.K8S.Tests.Integration.Collections; + +/// +/// Collection definition for K8STLSSecr integration tests. +/// Enables parallel execution with other store type collections. +/// +[CollectionDefinition("K8STLSSecr Integration Tests")] +public class K8STLSSecrCollection : ICollectionFixture +{ +} diff --git a/kubernetes-orchestrator-extension.Tests/Integration/Fixtures/IntegrationTestFixture.cs b/kubernetes-orchestrator-extension.Tests/Integration/Fixtures/IntegrationTestFixture.cs new file mode 100644 index 00000000..c4c0b7f7 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Integration/Fixtures/IntegrationTestFixture.cs @@ -0,0 +1,257 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System; +using System.Collections.Generic; +using System.IO; +using System.Linq; +using System.Text.Json; +using System.Threading.Tasks; +using k8s; +using Keyfactor.Orchestrators.Extensions.Interfaces; +using Moq; +using Xunit; + +namespace Keyfactor.Orchestrators.K8S.Tests.Integration.Fixtures; + +/// +/// Shared fixture for integration tests. Provides kubeconfig loading and K8S client creation. +/// This fixture is initialized once per test collection, reducing duplication across test classes. +/// +public class IntegrationTestFixture : IAsyncLifetime +{ + /// + /// The kubeconfig JSON string used for Kubernetes authentication. + /// + public string KubeconfigJson { get; private set; } = string.Empty; + + /// + /// Whether integration tests are enabled (RUN_INTEGRATION_TESTS=true). + /// + public bool IsEnabled { get; private set; } + + /// + /// Whether to skip cleanup of test resources (SKIP_INTEGRATION_TEST_CLEANUP=true). + /// + public bool SkipCleanup { get; private set; } + + /// + /// Path to the kubeconfig file. + /// + public string KubeconfigPath { get; private set; } = string.Empty; + + /// + /// The Kubernetes context to use. + /// + public string ClusterContext { get; private set; } = string.Empty; + + public Task InitializeAsync() + { + // Check if integration tests are enabled + var runIntegrationTests = Environment.GetEnvironmentVariable("RUN_INTEGRATION_TESTS"); + IsEnabled = !string.IsNullOrEmpty(runIntegrationTests) && + runIntegrationTests.Equals("true", StringComparison.OrdinalIgnoreCase); + + if (!IsEnabled) + { + return Task.CompletedTask; + } + + // Check cleanup setting + var skipCleanup = Environment.GetEnvironmentVariable("SKIP_INTEGRATION_TEST_CLEANUP"); + SkipCleanup = !string.IsNullOrEmpty(skipCleanup) && + skipCleanup.Equals("true", StringComparison.OrdinalIgnoreCase); + + // Load kubeconfig path and context + KubeconfigPath = (Environment.GetEnvironmentVariable("INTEGRATION_TEST_KUBECONFIG") ?? "~/.kube/config") + .Replace("~", Environment.GetEnvironmentVariable("HOME") ?? Environment.GetFolderPath(Environment.SpecialFolder.UserProfile)); + ClusterContext = Environment.GetEnvironmentVariable("INTEGRATION_TEST_CONTEXT") ?? "kf-integrations"; + + if (!File.Exists(KubeconfigPath)) + { + throw new FileNotFoundException($"Kubeconfig not found at {KubeconfigPath}"); + } + + // Load and convert kubeconfig to JSON + var kubeconfigContent = File.ReadAllText(KubeconfigPath); + KubeconfigJson = ConvertKubeconfigToJson(kubeconfigContent); + + return Task.CompletedTask; + } + + public Task DisposeAsync() + { + // No shared resources to dispose + return Task.CompletedTask; + } + + /// + /// Creates a new Kubernetes client configured with the loaded kubeconfig. + /// + public Kubernetes CreateK8sClient() + { + if (!IsEnabled) + { + throw new InvalidOperationException("Integration tests are not enabled"); + } + + var config = KubernetesClientConfiguration.BuildConfigFromConfigFile( + KubeconfigPath, + currentContext: ClusterContext); + return new Kubernetes(config); + } + + /// + /// Creates a mock PAM secret resolver that returns null for all password lookups. + /// + public Mock CreateMockPamResolver() + { + var mockPamResolver = new Mock(); + mockPamResolver.Setup(x => x.Resolve(It.IsAny())).Returns((string)null!); + return mockPamResolver; + } + + /// + /// Gets the kubeconfig JSON with the namespace field set to the specified namespace. + /// + public string GetKubeconfigJsonForNamespace(string targetNamespace) + { + if (!IsEnabled || string.IsNullOrEmpty(KubeconfigJson)) + { + return string.Empty; + } + + // Parse and modify the kubeconfig to use the specified namespace + var kubeconfigPath = KubeconfigPath; + var fileContent = File.ReadAllText(kubeconfigPath); + + // Detect if the file is already JSON + if (fileContent.TrimStart().StartsWith("{")) + { + return fileContent; + } + + // Rebuild with the specified namespace + var config = KubernetesClientConfiguration.BuildConfigFromConfigFile( + kubeconfigPath, + currentContext: ClusterContext); + + var kubeconfigObj = new Dictionary + { + ["kind"] = "Config", + ["apiVersion"] = "v1", + ["current-context"] = ClusterContext, + ["clusters"] = new[] + { + new Dictionary + { + ["name"] = ClusterContext, + ["cluster"] = new Dictionary + { + ["server"] = config.Host, + ["certificate-authority-data"] = config.SslCaCerts?.Any() == true + ? Convert.ToBase64String(config.SslCaCerts.First().Export(System.Security.Cryptography.X509Certificates.X509ContentType.Cert)) + : null! + } + } + }, + ["users"] = new[] + { + new Dictionary + { + ["name"] = ClusterContext, + ["user"] = new Dictionary + { + ["token"] = config.AccessToken!, + ["client-certificate-data"] = config.ClientCertificateData!, + ["client-key-data"] = config.ClientCertificateKeyData! + } + } + }, + ["contexts"] = new[] + { + new Dictionary + { + ["name"] = ClusterContext, + ["context"] = new Dictionary + { + ["cluster"] = ClusterContext, + ["user"] = ClusterContext, + ["namespace"] = targetNamespace + } + } + } + }; + + return JsonSerializer.Serialize(kubeconfigObj); + } + + private string ConvertKubeconfigToJson(string kubeconfigContent) + { + var fileContent = File.ReadAllText(KubeconfigPath); + + // Detect if the file is already JSON (starts with '{') + if (fileContent.TrimStart().StartsWith("{")) + { + return fileContent; + } + + // File is YAML, convert using KubernetesClientConfiguration + var config = KubernetesClientConfiguration.BuildConfigFromConfigFile( + KubeconfigPath, + currentContext: ClusterContext); + + var kubeconfigObj = new Dictionary + { + ["kind"] = "Config", + ["apiVersion"] = "v1", + ["current-context"] = ClusterContext, + ["clusters"] = new[] + { + new Dictionary + { + ["name"] = ClusterContext, + ["cluster"] = new Dictionary + { + ["server"] = config.Host, + ["certificate-authority-data"] = config.SslCaCerts?.Any() == true + ? Convert.ToBase64String(config.SslCaCerts.First().Export(System.Security.Cryptography.X509Certificates.X509ContentType.Cert)) + : null! + } + } + }, + ["users"] = new[] + { + new Dictionary + { + ["name"] = ClusterContext, + ["user"] = new Dictionary + { + ["token"] = config.AccessToken!, + ["client-certificate-data"] = config.ClientCertificateData!, + ["client-key-data"] = config.ClientCertificateKeyData! + } + } + }, + ["contexts"] = new[] + { + new Dictionary + { + ["name"] = ClusterContext, + ["context"] = new Dictionary + { + ["cluster"] = ClusterContext, + ["user"] = ClusterContext, + ["namespace"] = "default" + } + } + } + }; + + return JsonSerializer.Serialize(kubeconfigObj); + } +} diff --git a/kubernetes-orchestrator-extension.Tests/Integration/IntegrationTestBase.cs b/kubernetes-orchestrator-extension.Tests/Integration/IntegrationTestBase.cs new file mode 100644 index 00000000..6f998caf --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Integration/IntegrationTestBase.cs @@ -0,0 +1,217 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System; +using System.Collections.Generic; +using System.Net; +using System.Threading.Tasks; +using k8s; +using k8s.Models; +using Keyfactor.Orchestrators.Extensions.Interfaces; +using Keyfactor.Orchestrators.K8S.Tests.Integration.Fixtures; +using Moq; +using Xunit; + +namespace Keyfactor.Orchestrators.K8S.Tests.Integration; + +/// +/// Abstract base class for integration tests. Provides common setup/teardown logic +/// including namespace creation, secret tracking, and cleanup. +/// +public abstract class IntegrationTestBase : IAsyncLifetime +{ + /// + /// Standard label used to identify secrets created by integration tests. + /// + protected const string TestManagedByLabel = "keyfactor-integration-tests"; + + /// + /// Label key for the managed-by label. + /// + protected const string ManagedByLabelKey = "app.kubernetes.io/managed-by"; + + /// + /// Label key for the test run ID. + /// + protected const string TestRunIdLabelKey = "keyfactor.com/test-run-id"; + + protected readonly IntegrationTestFixture Fixture; + protected Kubernetes K8sClient = null!; + protected string KubeconfigJson = string.Empty; + protected Mock MockPamResolver = null!; + protected readonly List CreatedSecrets = new(); + + /// + /// Unique ID for this test run, used for targeted cleanup. + /// + protected readonly string TestRunId = Guid.NewGuid().ToString("N")[..8]; + + /// + /// The .NET framework suffix for namespace isolation between parallel framework runs. + /// Example: "net8" or "net10" + /// + protected static readonly string FrameworkSuffix = $"net{Environment.Version.Major}"; + + /// + /// The base Kubernetes namespace for this test class (without framework suffix). + /// Each test class should return a unique base namespace. + /// + protected abstract string BaseTestNamespace { get; } + + /// + /// The full Kubernetes namespace including framework suffix for test isolation. + /// This ensures net8.0 and net10.0 tests don't interfere when running in parallel. + /// + protected virtual string TestNamespace => $"{BaseTestNamespace}-{FrameworkSuffix}"; + + protected IntegrationTestBase(IntegrationTestFixture fixture) + { + Fixture = fixture; + } + + public virtual async Task InitializeAsync() + { + if (!Fixture.IsEnabled) + { + return; + } + + // Get kubeconfig JSON for this test's namespace + KubeconfigJson = Fixture.GetKubeconfigJsonForNamespace(TestNamespace); + + // Create K8S client + K8sClient = Fixture.CreateK8sClient(); + + // Create mock PAM resolver + MockPamResolver = Fixture.CreateMockPamResolver(); + + // Create test namespace if it doesn't exist + await CreateNamespaceIfNotExistsAsync(); + } + + public virtual async Task DisposeAsync() + { + if (!Fixture.IsEnabled) + { + return; + } + + if (!Fixture.SkipCleanup) + { + await CleanupTestSecretsAsync(); + } + + K8sClient?.Dispose(); + } + + /// + /// Cleans up test secrets using batch delete with label selectors. + /// Falls back to individual deletion if batch delete fails. + /// + private async Task CleanupTestSecretsAsync() + { + try + { + // Try batch delete using label selector for this test run + var labelSelector = $"{ManagedByLabelKey}={TestManagedByLabel},{TestRunIdLabelKey}={TestRunId}"; + + await K8sClient.CoreV1.DeleteCollectionNamespacedSecretAsync( + TestNamespace, + labelSelector: labelSelector); + } + catch (Exception) + { + // Fall back to individual deletion if batch delete fails + // (e.g., if K8s version doesn't support DeleteCollection well) + foreach (var secretName in CreatedSecrets) + { + try + { + await K8sClient.CoreV1.DeleteNamespacedSecretAsync(secretName, TestNamespace); + } + catch (Exception) + { + // Ignore cleanup errors + } + } + } + } + + /// + /// Creates the test namespace if it doesn't already exist. + /// + protected async Task CreateNamespaceIfNotExistsAsync() + { + try + { + await K8sClient.CoreV1.ReadNamespaceAsync(TestNamespace); + } + catch (k8s.Autorest.HttpOperationException ex) when (ex.Response.StatusCode == HttpStatusCode.NotFound) + { + var ns = new V1Namespace + { + Metadata = new V1ObjectMeta + { + Name = TestNamespace, + Labels = new Dictionary + { + { "purpose", "integration-tests" }, + { "managed-by", "keyfactor-k8s-orchestrator-tests" } + } + } + }; + await K8sClient.CoreV1.CreateNamespaceAsync(ns); + } + } + + /// + /// Tracks a secret name for cleanup during test disposal. + /// + protected void TrackSecret(string secretName) + { + CreatedSecrets.Add(secretName); + } + + /// + /// Gets standard labels for test-created secrets. + /// These labels enable batch cleanup via label selectors. + /// + /// Dictionary of labels to apply to test secrets + protected Dictionary GetTestSecretLabels() + { + return new Dictionary + { + { ManagedByLabelKey, TestManagedByLabel }, + { TestRunIdLabelKey, TestRunId } + }; + } + + /// + /// Creates a V1ObjectMeta with standard test labels already applied. + /// + /// The secret name + /// Optional additional labels to merge + /// V1ObjectMeta with labels configured + protected V1ObjectMeta CreateTestSecretMetadata(string name, Dictionary? additionalLabels = null) + { + var labels = GetTestSecretLabels(); + if (additionalLabels != null) + { + foreach (var kvp in additionalLabels) + { + labels[kvp.Key] = kvp.Value; + } + } + + return new V1ObjectMeta + { + Name = name, + NamespaceProperty = TestNamespace, + Labels = labels + }; + } +} diff --git a/kubernetes-orchestrator-extension.Tests/Integration/K8SCertStoreIntegrationTests.cs b/kubernetes-orchestrator-extension.Tests/Integration/K8SCertStoreIntegrationTests.cs new file mode 100644 index 00000000..bb9dac39 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Integration/K8SCertStoreIntegrationTests.cs @@ -0,0 +1,443 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System; +using System.Collections.Generic; +using System.Linq; +using System.Net; +using System.Threading.Tasks; +using k8s; +using k8s.Models; +using Keyfactor.Extensions.Orchestrator.K8S.Jobs; +using Keyfactor.Orchestrators.Common.Enums; +using Keyfactor.Orchestrators.Extensions; +using Keyfactor.Orchestrators.Extensions.Interfaces; +using Keyfactor.Orchestrators.K8S.Tests.Attributes; +using Keyfactor.Orchestrators.K8S.Tests.Helpers; +using Keyfactor.Orchestrators.K8S.Tests.Integration.Fixtures; +using Moq; +using Xunit; +using static Keyfactor.Orchestrators.K8S.Tests.Helpers.CertificateTestHelper; + +namespace Keyfactor.Orchestrators.K8S.Tests.Integration; + +/// +/// Integration tests for K8SCert store type operations against a real Kubernetes cluster. +/// K8SCert is READ-ONLY - only Inventory and Discovery operations are tested. +/// +/// K8SCert supports two inventory modes: +/// - Single CSR mode: When KubeSecretName is set, inventories that specific CSR +/// - Cluster-wide mode: When KubeSecretName is empty or "*", inventories ALL issued CSRs +/// +/// No Management operations are supported for CSRs. +/// Tests are gated by RUN_INTEGRATION_TESTS=true environment variable. +/// +[Collection("K8SCert Integration Tests")] +public class K8SCertStoreIntegrationTests : IAsyncLifetime +{ + /// + /// Framework suffix for namespace isolation between parallel framework runs. + /// + private static readonly string FrameworkSuffix = $"net{Environment.Version.Major}"; + + private static readonly string TestNamespace = $"keyfactor-k8scert-integration-tests-{FrameworkSuffix}"; + + private readonly IntegrationTestFixture _fixture; + private Kubernetes _k8sClient = null!; + private string _kubeconfigJson = string.Empty; + private readonly List _createdCsrs = new(); + private Mock _mockPamResolver = null!; + + public K8SCertStoreIntegrationTests(IntegrationTestFixture fixture) + { + _fixture = fixture; + } + + public async Task InitializeAsync() + { + if (!_fixture.IsEnabled) + { + return; + } + + _kubeconfigJson = _fixture.KubeconfigJson; + _k8sClient = _fixture.CreateK8sClient(); + _mockPamResolver = _fixture.CreateMockPamResolver(); + + await CreateNamespaceIfNotExists(); + } + + public async Task DisposeAsync() + { + if (!_fixture.IsEnabled) + { + return; + } + + if (!_fixture.SkipCleanup) + { + foreach (var csrName in _createdCsrs) + { + try + { + await _k8sClient.CertificatesV1.DeleteCertificateSigningRequestAsync(csrName); + } + catch (Exception) + { + // Ignore cleanup errors + } + } + } + + _k8sClient?.Dispose(); + } + + private async Task CreateNamespaceIfNotExists() + { + try + { + await _k8sClient.CoreV1.ReadNamespaceAsync(TestNamespace); + } + catch (k8s.Autorest.HttpOperationException ex) when (ex.Response.StatusCode == HttpStatusCode.NotFound) + { + var ns = new V1Namespace + { + Metadata = new V1ObjectMeta + { + Name = TestNamespace, + Labels = new Dictionary + { + { "purpose", "integration-tests" }, + { "managed-by", "keyfactor-k8s-orchestrator-tests" } + } + } + }; + await _k8sClient.CoreV1.CreateNamespaceAsync(ns); + } + } + + private async Task CreateTestCsr(string name, bool approve = false) + { + // Generate a proper PKCS#10 Certificate Signing Request + var csrPem = CertificateTestHelper.GenerateCertificateRequest(KeyType.Rsa2048, $"CSR {name}"); + + // Create CSR object for Kubernetes + var csr = new V1CertificateSigningRequest + { + Metadata = new V1ObjectMeta + { + Name = name + }, + Spec = new V1CertificateSigningRequestSpec + { + Request = System.Text.Encoding.UTF8.GetBytes(csrPem), + SignerName = "kubernetes.io/kube-apiserver-client", + Usages = new List { "client auth" } + } + }; + + var created = await _k8sClient.CertificatesV1.CreateCertificateSigningRequestAsync(csr); + _createdCsrs.Add(name); + + if (approve) + { + // Approve the CSR + created.Status = new V1CertificateSigningRequestStatus + { + Conditions = new List + { + new V1CertificateSigningRequestCondition + { + Type = "Approved", + Status = "True", + Reason = "TestApproval", + Message = "Approved by integration test", + LastUpdateTime = DateTime.UtcNow + } + } + }; + created = await _k8sClient.CertificatesV1.ReplaceCertificateSigningRequestApprovalAsync(created, name); + } + + return created; + } + + #region Single CSR Mode Tests (Legacy Behavior) + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_SingleMode_ApprovedCSR_ReturnsSuccess() + { + // Arrange + var csrName = $"test-single-approved-{Guid.NewGuid():N}"; + await CreateTestCsr(csrName, approve: true); + await Task.Delay(2000); // Wait for certificate to be issued + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SCert", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = "cluster", + StorePath = csrName, + Properties = $"{{\"KubeSecretName\":\"{csrName}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(_mockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (inventoryItems) => true)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_SingleMode_PendingCSR_ReturnsSuccessWithEmptyInventory() + { + // Arrange - CSR not approved, so no certificate issued + var csrName = $"test-single-pending-{Guid.NewGuid():N}"; + await CreateTestCsr(csrName, approve: false); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SCert", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = "cluster", + StorePath = csrName, + Properties = $"{{\"KubeSecretName\":\"{csrName}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(_mockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (inventoryItems) => true)); + + // Assert - Should succeed but with empty inventory (CSR has no certificate) + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_SingleMode_NonExistentCSR_ReturnsSuccessWithMessage() + { + // Arrange + var nonExistentCsr = $"does-not-exist-{Guid.NewGuid():N}"; + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SCert", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = "cluster", + StorePath = nonExistentCsr, + Properties = $"{{\"KubeSecretName\":\"{nonExistentCsr}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(_mockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (inventoryItems) => true)); + + // Assert - Returns success with message about CSR not found + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + Assert.NotNull(result.FailureMessage); + Assert.Contains("not found", result.FailureMessage); + } + + #endregion + + #region Cluster-Wide Mode Tests (New Behavior) + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_ClusterWideMode_EmptyName_ReturnsAllIssuedCSRs() + { + // Arrange - Create multiple CSRs + var approvedCsr1 = $"test-cw-approved-1-{Guid.NewGuid():N}"; + var approvedCsr2 = $"test-cw-approved-2-{Guid.NewGuid():N}"; + var pendingCsr = $"test-cw-pending-{Guid.NewGuid():N}"; + + await CreateTestCsr(approvedCsr1, approve: true); + await CreateTestCsr(approvedCsr2, approve: true); + await CreateTestCsr(pendingCsr, approve: false); + await Task.Delay(2000); // Wait for certificates to be issued + + var inventoryItems = new List(); + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SCert", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = "cluster", + StorePath = "cluster", + Properties = "{\"KubeSecretName\":\"\"}" // Empty = cluster-wide mode + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(_mockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Should find at least our 2 approved CSRs + Assert.True(inventoryItems.Count >= 2, + $"Expected at least 2 inventory items but got {inventoryItems.Count}"); + + var aliases = inventoryItems.Select(i => i.Alias).ToList(); + Assert.Contains(approvedCsr1, aliases); + Assert.Contains(approvedCsr2, aliases); + Assert.DoesNotContain(pendingCsr, aliases); // Pending CSR should not be included + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_ClusterWideMode_Wildcard_ReturnsAllIssuedCSRs() + { + // Arrange + var approvedCsr = $"test-wc-approved-{Guid.NewGuid():N}"; + await CreateTestCsr(approvedCsr, approve: true); + await Task.Delay(2000); + + var inventoryItems = new List(); + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SCert", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = "cluster", + StorePath = "cluster", + Properties = "{\"KubeSecretName\":\"*\"}" // Wildcard = cluster-wide mode + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(_mockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + var aliases = inventoryItems.Select(i => i.Alias).ToList(); + Assert.Contains(approvedCsr, aliases); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_ClusterWideMode_CSRsHaveNoPrivateKey() + { + // Arrange + var csrName = $"test-no-pk-cw-{Guid.NewGuid():N}"; + await CreateTestCsr(csrName, approve: true); + await Task.Delay(2000); + + var inventoryItems = new List(); + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SCert", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = "cluster", + StorePath = "cluster", + Properties = "{}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(_mockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // All CSR inventory items should have PrivateKeyEntry = false + foreach (var item in inventoryItems) + { + Assert.False(item.PrivateKeyEntry, $"CSR {item.Alias} should not have private key"); + } + } + + #endregion + + #region Discovery Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Discovery_FindsMultipleCSRs_ReturnsSuccess() + { + // Arrange - Create multiple CSRs + var csr1Name = $"test-discover-1-{Guid.NewGuid():N}"; + var csr2Name = $"test-discover-2-{Guid.NewGuid():N}"; + await CreateTestCsr(csr1Name, approve: true); + await CreateTestCsr(csr2Name, approve: false); + + var jobConfig = new DiscoveryJobConfiguration + { + Capability = "K8SCert", + ClientMachine = "cluster", + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true, + JobProperties = new Dictionary + { + { "dirs", "cluster" }, + { "ignoreddirs", "" }, + { "patterns", "" } + } + }; + + var discovery = new Discovery(_mockPamResolver.Object); + + // Act + var result = await Task.Run(() => discovery.ProcessJob(jobConfig, (discoveryItems) => true)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + #endregion +} diff --git a/kubernetes-orchestrator-extension.Tests/Integration/K8SClusterStoreIntegrationTests.cs b/kubernetes-orchestrator-extension.Tests/Integration/K8SClusterStoreIntegrationTests.cs new file mode 100644 index 00000000..973328e7 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Integration/K8SClusterStoreIntegrationTests.cs @@ -0,0 +1,1401 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System; +using System.Collections.Generic; +using System.Net; +using System.Text; +using System.Threading.Tasks; +using k8s; +using k8s.Models; +using Keyfactor.Extensions.Orchestrator.K8S.Jobs; +using Keyfactor.Orchestrators.Common.Enums; +using Keyfactor.Orchestrators.Extensions; +using Keyfactor.Orchestrators.Extensions.Interfaces; +using Keyfactor.Orchestrators.K8S.Tests.Attributes; +using Keyfactor.Orchestrators.K8S.Tests.Helpers; +using Keyfactor.Orchestrators.K8S.Tests.Integration.Fixtures; +using Moq; +using Xunit; +using static Keyfactor.Orchestrators.K8S.Tests.Helpers.CertificateTestHelper; + +namespace Keyfactor.Orchestrators.K8S.Tests.Integration; + +/// +/// Integration tests for K8SCluster store type operations against a real Kubernetes cluster. +/// K8SCluster manages ALL secrets across ALL namespaces cluster-wide. +/// Tests are gated by RUN_INTEGRATION_TESTS=true environment variable. +/// Note: This test class uses two namespaces for cross-namespace testing. +/// +[Collection("K8SCluster Integration Tests")] +public class K8SClusterStoreIntegrationTests : IAsyncLifetime +{ + /// + /// Framework suffix for namespace isolation between parallel framework runs. + /// + private static readonly string FrameworkSuffix = $"net{Environment.Version.Major}"; + + private static readonly string TestNamespace1 = $"keyfactor-k8scluster-test-ns1-{FrameworkSuffix}"; + private static readonly string TestNamespace2 = $"keyfactor-k8scluster-test-ns2-{FrameworkSuffix}"; + + private readonly IntegrationTestFixture _fixture; + private Kubernetes _k8sClient = null!; + private string _kubeconfigJson = string.Empty; + private readonly List<(string secretName, string ns)> _createdSecrets = new(); + private Mock _mockPamResolver = null!; + + public K8SClusterStoreIntegrationTests(IntegrationTestFixture fixture) + { + _fixture = fixture; + } + + public async Task InitializeAsync() + { + if (!_fixture.IsEnabled) + { + return; + } + + _kubeconfigJson = _fixture.KubeconfigJson; + _k8sClient = _fixture.CreateK8sClient(); + _mockPamResolver = _fixture.CreateMockPamResolver(); + + await CreateNamespaceIfNotExists(TestNamespace1); + await CreateNamespaceIfNotExists(TestNamespace2); + } + + public async Task DisposeAsync() + { + if (!_fixture.IsEnabled) + { + return; + } + + if (!_fixture.SkipCleanup) + { + foreach (var (secretName, ns) in _createdSecrets) + { + try + { + await _k8sClient.CoreV1.DeleteNamespacedSecretAsync(secretName, ns); + } + catch (Exception) + { + // Ignore cleanup errors + } + } + } + + _k8sClient?.Dispose(); + } + + private async Task CreateNamespaceIfNotExists(string namespaceName) + { + try + { + await _k8sClient.CoreV1.ReadNamespaceAsync(namespaceName); + } + catch (k8s.Autorest.HttpOperationException ex) when (ex.Response.StatusCode == HttpStatusCode.NotFound) + { + var ns = new V1Namespace + { + Metadata = new V1ObjectMeta + { + Name = namespaceName, + Labels = new Dictionary + { + { "purpose", "integration-tests" }, + { "managed-by", "keyfactor-k8s-orchestrator-tests" } + } + } + }; + await _k8sClient.CoreV1.CreateNamespaceAsync(ns); + } + } + + /// + /// Standard label used to identify secrets created by integration tests. + /// + private const string TestManagedByLabel = "keyfactor-integration-tests"; + private const string ManagedByLabelKey = "app.kubernetes.io/managed-by"; + private const string TestRunIdLabelKey = "keyfactor.com/test-run-id"; + private readonly string _testRunId = Guid.NewGuid().ToString("N")[..8]; + + private Dictionary GetTestSecretLabels() + { + return new Dictionary + { + { ManagedByLabelKey, TestManagedByLabel }, + { TestRunIdLabelKey, _testRunId } + }; + } + + private async Task CreateTestSecret(string name, string namespaceName, KeyType keyType = KeyType.Rsa2048, string secretType = "Opaque") + { + var certInfo = CachedCertificateProvider.GetOrCreate(keyType, $"Integration Test {keyType}"); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = name, + NamespaceProperty = namespaceName, + Labels = GetTestSecretLabels() + }, + Type = secretType, + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + var created = await _k8sClient.CoreV1.CreateNamespacedSecretAsync(secret, namespaceName); + _createdSecrets.Add((name, namespaceName)); + return created; + } + + private async Task CreateTestSecretWithChain(string name, string namespaceName, KeyType keyType = KeyType.Rsa2048, string secretType = "Opaque", bool separateChain = true) + { + var chain = CachedCertificateProvider.GetOrCreateChain(keyType); + var leafCertPem = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var intermediatePem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootPem = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + var data = new Dictionary + { + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + }; + + if (separateChain) + { + data["tls.crt"] = Encoding.UTF8.GetBytes(leafCertPem); + data["ca.crt"] = Encoding.UTF8.GetBytes(intermediatePem + rootPem); + } + else + { + data["tls.crt"] = Encoding.UTF8.GetBytes(leafCertPem + intermediatePem + rootPem); + } + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = name, + NamespaceProperty = namespaceName, + Labels = GetTestSecretLabels() + }, + Type = secretType, + Data = data + }; + + var created = await _k8sClient.CoreV1.CreateNamespacedSecretAsync(secret, namespaceName); + _createdSecrets.Add((name, namespaceName)); + return created; + } + + private async Task CreateTestSecretCertOnly(string name, string namespaceName, KeyType keyType = KeyType.Rsa2048) + { + var certInfo = CachedCertificateProvider.GetOrCreate(keyType, $"Integration Test CertOnly {keyType}"); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = name, + NamespaceProperty = namespaceName, + Labels = GetTestSecretLabels() + }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) } + } + }; + + var created = await _k8sClient.CoreV1.CreateNamespacedSecretAsync(secret, namespaceName); + _createdSecrets.Add((name, namespaceName)); + return created; + } + + /// + /// Runs a cluster-wide inventory job with retry logic to handle race conditions + /// from parallel test execution. Cluster-wide scans may encounter secrets from + /// other tests being created/deleted, causing transient NotFound errors. + /// + private async Task RunClusterInventoryWithRetry(InventoryJobConfiguration jobConfig, int maxRetries = 3) + { + var inventory = new Inventory(_mockPamResolver.Object); + JobResult? result = null; + + for (int attempt = 1; attempt <= maxRetries; attempt++) + { + result = await Task.Run(() => inventory.ProcessJob(jobConfig, (inventoryItems) => true)); + + // Success - return immediately + if (result.Result == OrchestratorJobStatusJobResult.Success) + { + return result; + } + + // Check if it's a transient NotFound error from parallel test interference + if (result.FailureMessage != null && + result.FailureMessage.Contains("NotFound") && + attempt < maxRetries) + { + // Wait briefly before retry to let parallel tests settle + await Task.Delay(500 * attempt); + continue; + } + + // Non-transient error or max retries reached + break; + } + + return result!; + } + + #region Discovery Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Discovery_MultipleNamespaces_FindsAllSecrets() + { + // Arrange - Create secrets in multiple namespaces + var secret1Name = $"test-cluster-ns1-{Guid.NewGuid():N}"; + var secret2Name = $"test-cluster-ns2-{Guid.NewGuid():N}"; + await CreateTestSecret(secret1Name, TestNamespace1); + await CreateTestSecret(secret2Name, TestNamespace2); + + var jobConfig = new DiscoveryJobConfiguration + { + Capability = "K8SCluster", + ClientMachine = "cluster", + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true, + JobProperties = new Dictionary + { + { "dirs", "cluster" }, + { "ignoreddirs", "" }, + { "patterns", "" } + } + }; + + var discovery = new Discovery(_mockPamResolver.Object); + + // Act + var result = await Task.Run(() => discovery.ProcessJob(jobConfig, (discoveryItems) => true)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Discovery_MixedSecretTypes_FindsAllTypes() + { + // Arrange - Create different secret types in different namespaces + var opaqueSecret = $"test-opaque-{Guid.NewGuid():N}"; + var tlsSecret = $"test-tls-{Guid.NewGuid():N}"; + await CreateTestSecret(opaqueSecret, TestNamespace1, KeyType.Rsa2048, "Opaque"); + await CreateTestSecret(tlsSecret, TestNamespace2, KeyType.Rsa2048, "kubernetes.io/tls"); + + var jobConfig = new DiscoveryJobConfiguration + { + Capability = "K8SCluster", + ClientMachine = "cluster", + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true, + JobProperties = new Dictionary + { + { "dirs", "cluster" }, + { "ignoreddirs", "" }, + { "patterns", "" } + } + }; + + var discovery = new Discovery(_mockPamResolver.Object); + + // Act + var result = await Task.Run(() => discovery.ProcessJob(jobConfig, (discoveryItems) => true)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + #endregion + + #region Inventory Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_ClusterWide_ReturnsAllCertificates() + { + // Arrange - Create secrets across multiple namespaces + var secret1Name = $"test-inv-cluster-1-{Guid.NewGuid():N}"; + var secret2Name = $"test-inv-cluster-2-{Guid.NewGuid():N}"; + await CreateTestSecret(secret1Name, TestNamespace1); + await CreateTestSecret(secret2Name, TestNamespace2); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SCluster", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = "cluster", + StorePath = "cluster", + Properties = "{\"KubeSecretType\":\"cluster\"}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true + }; + + // Act - Use retry logic to handle race conditions from parallel test execution + var result = await RunClusterInventoryWithRetry(jobConfig); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_ClusterWide_ReturnsCorrectPrivateKeyStatus() + { + // Arrange - Create one secret with private key and one without + var secretWithKey = $"test-cluster-withkey-{Guid.NewGuid():N}"; + var secretWithoutKey = $"test-cluster-nokey-{Guid.NewGuid():N}"; + + // Create secret WITH private key + await CreateTestSecret(secretWithKey, TestNamespace1); + + // Create secret WITHOUT private key (cert only) + var certInfo = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "Cluster No Key Test"); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var secretNoKey = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = secretWithoutKey, + NamespaceProperty = TestNamespace2, + Labels = GetTestSecretLabels() + }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) } + // No tls.key field + } + }; + await _k8sClient.CoreV1.CreateNamespacedSecretAsync(secretNoKey, TestNamespace2); + _createdSecrets.Add((secretWithoutKey, TestNamespace2)); + + var inventoryItems = new List(); + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SCluster", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = "cluster", + StorePath = "cluster", + Properties = "{\"KubeSecretType\":\"cluster\"}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(_mockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Find our test secrets and verify private key status + var withKeyItem = inventoryItems.Find(i => i.Alias.Contains(secretWithKey)); + var noKeyItem = inventoryItems.Find(i => i.Alias.Contains(secretWithoutKey)); + + Assert.NotNull(withKeyItem); + Assert.NotNull(noKeyItem); + Assert.True(withKeyItem.PrivateKeyEntry, $"Secret {secretWithKey} should have PrivateKeyEntry=true"); + Assert.False(noKeyItem.PrivateKeyEntry, $"Secret {secretWithoutKey} should have PrivateKeyEntry=false"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_ClusterWide_ReturnsFullCertificateChains() + { + // Arrange - Create a secret with a certificate chain + var secretName = $"test-cluster-chain-{Guid.NewGuid():N}"; + + // Create secret with certificate chain (leaf + intermediate + root) + var chain = CachedCertificateProvider.GetOrCreateChain(KeyType.Rsa2048, "Cluster Chain Test"); + var leafCertPem = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var intermediatePem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootPem = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // Bundle all certs in tls.crt field + var bundledCertPem = leafCertPem + intermediatePem + rootPem; + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = secretName, + NamespaceProperty = TestNamespace1, + Labels = GetTestSecretLabels() + }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(bundledCertPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + await _k8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace1); + _createdSecrets.Add((secretName, TestNamespace1)); + + var inventoryItems = new List(); + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SCluster", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = "cluster", + StorePath = "cluster", + Properties = "{\"KubeSecretType\":\"cluster\"}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(_mockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Find our chain secret + var chainItem = inventoryItems.Find(i => i.Alias.Contains(secretName)); + Assert.NotNull(chainItem); + + // Should have 3 certificates (leaf + intermediate + root) + Assert.True(chainItem.Certificates.Count() >= 3, + $"Expected at least 3 certificates in chain but got {chainItem.Certificates.Count()}"); + Assert.True(chainItem.UseChainLevel, + "UseChainLevel should be true for secrets with certificate chains"); + } + + #endregion + + #region Management Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateToSpecificNamespace_ReturnsSuccess() + { + // K8SCluster management should be able to target specific namespace + // Arrange + var secretName = $"test-mgmt-cluster-{Guid.NewGuid():N}"; + _createdSecrets.Add((secretName, TestNamespace1)); + + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Cluster Management Test"); + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SCluster", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = $"{TestNamespace1}/secrets/opaque/{secretName}", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace1, + StorePath = "cluster", + Properties = "{\"KubeSecretType\":\"cluster\"}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(_mockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created in the correct namespace + var secret = await _k8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace1); + Assert.NotNull(secret); + Assert.Equal(TestNamespace1, secret.Metadata.NamespaceProperty); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_RemoveCertificateFromNamespace_ReturnsSuccess() + { + // Arrange + var secretName = $"test-remove-cluster-{Guid.NewGuid():N}"; + await CreateTestSecret(secretName, TestNamespace1); + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SCluster", + OperationType = CertStoreOperationType.Remove, + JobCertificate = new ManagementJobCertificate + { + Alias = $"{TestNamespace1}/secrets/opaque/{secretName}" + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace1, + StorePath = "cluster", + Properties = "{\"KubeSecretType\":\"cluster\"}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true + }; + + var management = new Management(_mockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + #endregion + + #region Cross-Namespace Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task CrossNamespace_SecretsInDifferentNamespaces_AreIndependent() + { + // Verify that secrets with the same name in different namespaces are independent + // Arrange + var secretName = $"test-same-name-{Guid.NewGuid():N}"; + var secret1 = await CreateTestSecret(secretName, TestNamespace1, KeyType.Rsa2048); + var secret2 = await CreateTestSecret(secretName, TestNamespace2, KeyType.EcP256); + + // Assert - Same name, different namespaces + Assert.Equal(secretName, secret1.Metadata.Name); + Assert.Equal(secretName, secret2.Metadata.Name); + Assert.NotEqual(secret1.Metadata.NamespaceProperty, secret2.Metadata.NamespaceProperty); + + // Verify both can be read independently + var readSecret1 = await _k8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace1); + var readSecret2 = await _k8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace2); + + Assert.NotNull(readSecret1); + Assert.NotNull(readSecret2); + Assert.Equal(TestNamespace1, readSecret1.Metadata.NamespaceProperty); + Assert.Equal(TestNamespace2, readSecret2.Metadata.NamespaceProperty); + } + + #endregion + + #region Error Handling Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_InvalidClusterCredentials_ReturnsFailure() + { + // Arrange - Create invalid kubeconfig + var invalidKubeconfig = "{\"invalid\": \"json\"}"; + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SCluster", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = "cluster", + StorePath = "cluster", + Properties = "{\"KubeSecretType\":\"cluster\"}" + }, + ServerUsername = string.Empty, + ServerPassword = invalidKubeconfig, + UseSSL = true + }; + + // Act - Use retry logic to handle race conditions from parallel test execution + var result = await RunClusterInventoryWithRetry(jobConfig); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Failure, + $"Expected Failure but got {result.Result}. FailureMessage: {result.FailureMessage}"); + Assert.NotNull(result.FailureMessage); + } + + #endregion + + #region TLS Secret Operations via Cluster + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_TlsSecretInCluster_ReturnsSuccess() + { + // Arrange + var secretName = $"test-tls-cluster-inv-{Guid.NewGuid():N}"; + await CreateTestSecret(secretName, TestNamespace1, KeyType.Rsa2048, "kubernetes.io/tls"); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SCluster", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = "cluster", + StorePath = "cluster", + Properties = "{\"KubeSecretType\":\"cluster\"}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true + }; + + // Act - Use retry logic to handle race conditions from parallel test execution + var result = await RunClusterInventoryWithRetry(jobConfig); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddTlsSecretToCluster_ReturnsSuccess() + { + // Arrange + var secretName = $"test-add-tls-cluster-{Guid.NewGuid():N}"; + _createdSecrets.Add((secretName, TestNamespace1)); + + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Cluster TLS Add Test"); + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SCluster", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = $"{TestNamespace1}/secrets/tls/{secretName}", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace1, + StorePath = "cluster", + Properties = "{\"KubeSecretType\":\"cluster\"}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(_mockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created with TLS type + var secret = await _k8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace1); + Assert.NotNull(secret); + Assert.Equal("kubernetes.io/tls", secret.Type); + } + + #endregion + + #region Opaque Secret Operations via Cluster + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_OpaqueSecretInCluster_ReturnsSuccess() + { + // Arrange + var secretName = $"test-opaque-cluster-inv-{Guid.NewGuid():N}"; + await CreateTestSecret(secretName, TestNamespace1, KeyType.Rsa2048, "Opaque"); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SCluster", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = "cluster", + StorePath = "cluster", + Properties = "{\"KubeSecretType\":\"cluster\"}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true + }; + + // Act - Use retry logic to handle race conditions from parallel test execution + var result = await RunClusterInventoryWithRetry(jobConfig); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_OpaqueSecretWithChain_ReturnsSuccess() + { + // Arrange + var secretName = $"test-opaque-chain-cluster-{Guid.NewGuid():N}"; + await CreateTestSecretWithChain(secretName, TestNamespace1, KeyType.Rsa2048, "Opaque", separateChain: true); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SCluster", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = "cluster", + StorePath = "cluster", + Properties = "{\"KubeSecretType\":\"cluster\"}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true + }; + + // Act - Use retry logic to handle race conditions from parallel test execution + var result = await RunClusterInventoryWithRetry(jobConfig); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_OpaqueSecretCertOnly_ReturnsSuccess() + { + // Arrange + var secretName = $"test-opaque-certonly-{Guid.NewGuid():N}"; + await CreateTestSecretCertOnly(secretName, TestNamespace1); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SCluster", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = "cluster", + StorePath = "cluster", + Properties = "{\"KubeSecretType\":\"cluster\"}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true + }; + + // Act - Use retry logic to handle race conditions from parallel test execution + var result = await RunClusterInventoryWithRetry(jobConfig); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddOpaqueSecretToCluster_ReturnsSuccess() + { + // Arrange + var secretName = $"test-add-opaque-cluster-{Guid.NewGuid():N}"; + _createdSecrets.Add((secretName, TestNamespace1)); + + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Cluster Opaque Add Test"); + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SCluster", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = $"{TestNamespace1}/secrets/opaque/{secretName}", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace1, + StorePath = "cluster", + Properties = "{\"KubeSecretType\":\"cluster\"}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(_mockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created with Opaque type + var secret = await _k8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace1); + Assert.NotNull(secret); + Assert.Equal("Opaque", secret.Type); + } + + #endregion + + #region Key Type Coverage via Cluster + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddRsaCertificateViaCluster_AllKeySizes() + { + // Test RSA 2048 via cluster + var secretName = $"test-rsa2048-cluster-{Guid.NewGuid():N}"; + _createdSecrets.Add((secretName, TestNamespace1)); + + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "RSA 2048 Test"); + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SCluster", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = $"{TestNamespace1}/secrets/tls/{secretName}", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace1, + StorePath = "cluster", + Properties = "{\"KubeSecretType\":\"cluster\"}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(_mockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddEcCertificateViaCluster_AllCurves() + { + // Test EC P-256 via cluster + var secretName = $"test-ecp256-cluster-{Guid.NewGuid():N}"; + _createdSecrets.Add((secretName, TestNamespace1)); + + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "EC P-256 Test"); + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SCluster", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = $"{TestNamespace1}/secrets/tls/{secretName}", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace1, + StorePath = "cluster", + Properties = "{\"KubeSecretType\":\"cluster\"}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(_mockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddEd25519CertificateViaCluster_Success() + { + // Test Ed25519 via cluster + var secretName = $"test-ed25519-cluster-{Guid.NewGuid():N}"; + _createdSecrets.Add((secretName, TestNamespace1)); + + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Ed25519, "Ed25519 Test"); + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SCluster", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = $"{TestNamespace1}/secrets/tls/{secretName}", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace1, + StorePath = "cluster", + Properties = "{\"KubeSecretType\":\"cluster\"}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(_mockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + #endregion + + #region TLS Chain Tests via K8SCluster + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddTlsSecretWithChainBundled_CreatesCorrectFields() + { + // Arrange - Test that when SeparateChain=false, the chain is bundled into tls.crt + var secretName = $"test-tls-bundled-chain-cluster-{Guid.NewGuid():N}"; + _createdSecrets.Add((secretName, TestNamespace1)); + + // Generate a certificate chain (root -> intermediate -> leaf) + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKey = chain[0].KeyPair.Private; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SCluster", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = $"{TestNamespace1}/secrets/tls/{secretName}", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12WithChain( + leafCert, + leafKey, + new[] { intermediateCert, rootCert }, + pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace1, + StorePath = "cluster", + Properties = "{\"KubeSecretType\":\"cluster\",\"IncludeCertChain\":true,\"SeparateChain\":false}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(_mockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created with bundled chain in tls.crt + var secret = await _k8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace1); + Assert.NotNull(secret); + Assert.Equal("kubernetes.io/tls", secret.Type); + + // Verify required fields exist + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should contain tls.crt"); + Assert.True(secret.Data.ContainsKey("tls.key"), "Secret should contain tls.key"); + + // Should NOT have ca.crt (chain is bundled into tls.crt) + Assert.False(secret.Data.ContainsKey("ca.crt"), "Secret should NOT contain ca.crt when SeparateChain=false"); + + // Verify tls.crt contains the full chain (leaf + intermediate + root) + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = System.Text.RegularExpressions.Regex.Matches(tlsCrtData, "-----BEGIN CERTIFICATE-----").Count; + Assert.True(certCount >= 3, $"Expected leaf + chain (3+ certs) in tls.crt when SeparateChain=false, but found {certCount} certificate(s)"); + + // Verify tls.key contains a private key + var tlsKeyData = Encoding.UTF8.GetString(secret.Data["tls.key"]); + Assert.Contains("-----BEGIN PRIVATE KEY-----", tlsKeyData); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddTlsSecretWithChainSeparate_CreatesCorrectFields() + { + // Arrange - Test that when SeparateChain=true (default), the chain goes to ca.crt + var secretName = $"test-tls-separate-chain-cluster-{Guid.NewGuid():N}"; + _createdSecrets.Add((secretName, TestNamespace1)); + + // Generate a certificate chain (root -> intermediate -> leaf) + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKey = chain[0].KeyPair.Private; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SCluster", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = $"{TestNamespace1}/secrets/tls/{secretName}", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12WithChain( + leafCert, + leafKey, + new[] { intermediateCert, rootCert }, + pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace1, + StorePath = "cluster", + Properties = "{\"KubeSecretType\":\"cluster\",\"IncludeCertChain\":true,\"SeparateChain\":true}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(_mockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created with separate ca.crt + var secret = await _k8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace1); + Assert.NotNull(secret); + Assert.Equal("kubernetes.io/tls", secret.Type); + + // Verify all required fields exist + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should contain tls.crt"); + Assert.True(secret.Data.ContainsKey("tls.key"), "Secret should contain tls.key"); + Assert.True(secret.Data.ContainsKey("ca.crt"), "Secret should contain ca.crt when SeparateChain=true"); + + // Verify tls.crt contains only the leaf certificate + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var tlsCertCount = System.Text.RegularExpressions.Regex.Matches(tlsCrtData, "-----BEGIN CERTIFICATE-----").Count; + Assert.True(tlsCertCount == 1, $"tls.crt should contain only the leaf certificate when SeparateChain=true, but found {tlsCertCount}"); + + // Verify ca.crt contains the chain certificates + var caCrtData = Encoding.UTF8.GetString(secret.Data["ca.crt"]); + var chainCertCount = System.Text.RegularExpressions.Regex.Matches(caCrtData, "-----BEGIN CERTIFICATE-----").Count; + Assert.True(chainCertCount >= 1, $"ca.crt should contain chain certificates, but found {chainCertCount}"); + + // Verify tls.key contains a private key + var tlsKeyData = Encoding.UTF8.GetString(secret.Data["tls.key"]); + Assert.Contains("-----BEGIN PRIVATE KEY-----", tlsKeyData); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_TlsSecretWithChainBundled_ReturnsSuccess() + { + // Arrange - Create TLS secret with chain bundled in tls.crt + var secretName = $"test-inv-tls-bundled-{Guid.NewGuid():N}"; + await CreateTestSecretWithChain(secretName, TestNamespace1, KeyType.Rsa2048, "kubernetes.io/tls", separateChain: false); + + // Verify the created secret has the chain bundled + var createdSecret = await _k8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace1); + Assert.Equal("kubernetes.io/tls", createdSecret.Type); + Assert.False(createdSecret.Data.ContainsKey("ca.crt"), "Bundled chain should not have ca.crt"); + + var tlsCrtData = Encoding.UTF8.GetString(createdSecret.Data["tls.crt"]); + var certCount = System.Text.RegularExpressions.Regex.Matches(tlsCrtData, "-----BEGIN CERTIFICATE-----").Count; + Assert.True(certCount >= 3, $"tls.crt should contain bundled chain, but found {certCount} cert(s)"); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SCluster", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = "cluster", + StorePath = "cluster", + Properties = "{\"KubeSecretType\":\"cluster\"}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true + }; + + // Act - Use retry logic to handle race conditions from parallel test execution + var result = await RunClusterInventoryWithRetry(jobConfig); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_TlsSecretWithChainSeparate_ReturnsSuccess() + { + // Arrange - Create TLS secret with chain in separate ca.crt + var secretName = $"test-inv-tls-separate-{Guid.NewGuid():N}"; + await CreateTestSecretWithChain(secretName, TestNamespace1, KeyType.Rsa2048, "kubernetes.io/tls", separateChain: true); + + // Verify the created secret has the chain separated + var createdSecret = await _k8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace1); + Assert.Equal("kubernetes.io/tls", createdSecret.Type); + Assert.True(createdSecret.Data.ContainsKey("ca.crt"), "Separate chain should have ca.crt"); + Assert.True(createdSecret.Data.ContainsKey("tls.crt"), "Should have tls.crt"); + Assert.True(createdSecret.Data.ContainsKey("tls.key"), "Should have tls.key"); + + var tlsCrtData = Encoding.UTF8.GetString(createdSecret.Data["tls.crt"]); + var tlsCertCount = System.Text.RegularExpressions.Regex.Matches(tlsCrtData, "-----BEGIN CERTIFICATE-----").Count; + Assert.True(tlsCertCount == 1, $"tls.crt should contain only leaf cert, but found {tlsCertCount}"); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SCluster", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = "cluster", + StorePath = "cluster", + Properties = "{\"KubeSecretType\":\"cluster\"}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true + }; + + // Act - Use retry logic to handle race conditions from parallel test execution + var result = await RunClusterInventoryWithRetry(jobConfig); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddTlsSecretWithChain_IncludeCertChainFalse_OnlyLeafCertStored() + { + // Arrange - Test that when IncludeCertChain=false, only the leaf certificate is stored + var secretName = $"test-tls-nochain-cluster-{Guid.NewGuid():N}"; + _createdSecrets.Add((secretName, TestNamespace1)); + + // Generate a certificate chain (root -> intermediate -> leaf) + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKey = chain[0].KeyPair.Private; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SCluster", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = $"{TestNamespace1}/secrets/tls/{secretName}", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12WithChain( + leafCert, + leafKey, + new[] { intermediateCert, rootCert }, + pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace1, + StorePath = "cluster", + Properties = "{\"KubeSecretType\":\"tls\",\"IncludeCertChain\":false}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(_mockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert - Job should succeed + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created + var secret = await _k8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace1); + Assert.NotNull(secret); + Assert.Equal("kubernetes.io/tls", secret.Type); + + // Verify tls.crt contains ONLY the leaf certificate (not the chain) + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should contain tls.crt"); + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = System.Text.RegularExpressions.Regex.Matches(tlsCrtData, "-----BEGIN CERTIFICATE-----").Count; + Assert.True(certCount == 1, + $"Expected only 1 certificate in tls.crt when IncludeCertChain=false, but found {certCount}"); + + // Verify tls.key contains a private key + Assert.True(secret.Data.ContainsKey("tls.key"), "Secret should contain tls.key"); + var tlsKeyData = Encoding.UTF8.GetString(secret.Data["tls.key"]); + Assert.Contains("-----BEGIN PRIVATE KEY-----", tlsKeyData); + + // Verify ca.crt is NOT present (since we're not including the chain) + Assert.False(secret.Data.ContainsKey("ca.crt"), + "Secret should NOT contain ca.crt when IncludeCertChain=false"); + + // Verify the single certificate is the leaf certificate by parsing and comparing subjects + using var reader = new System.IO.StringReader(tlsCrtData); + var pemReader = new Org.BouncyCastle.OpenSsl.PemReader(reader); + var storedCert = (Org.BouncyCastle.X509.X509Certificate)pemReader.ReadObject(); + var storedSubject = storedCert.SubjectDN.ToString(); + var leafSubject = leafCert.SubjectDN.ToString(); + Assert.Equal(leafSubject, storedSubject); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddTlsSecretWithChain_InvalidConfig_IncludeCertChainFalse_SeparateChainTrue_RespectsIncludeCertChain() + { + // Arrange - Test invalid configuration: IncludeCertChain=false, SeparateChain=true + // The code should log a warning and respect IncludeCertChain=false (only leaf cert deployed) + var secretName = $"test-invalid-config-cluster-{Guid.NewGuid():N}"; + _createdSecrets.Add((secretName, TestNamespace1)); + + // Generate a certificate chain (root -> intermediate -> leaf) + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKey = chain[0].KeyPair.Private; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SCluster", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = $"{TestNamespace1}/secrets/tls/{secretName}", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12WithChain( + leafCert, + leafKey, + new[] { intermediateCert, rootCert }, + pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace1, + StorePath = "*", + // Invalid config: SeparateChain=true but IncludeCertChain=false + // Should warn and respect IncludeCertChain=false + Properties = "{\"KubeSecretType\":\"tls\",\"IncludeCertChain\":false,\"SeparateChain\":true}" + }, + ServerUsername = string.Empty, + ServerPassword = _kubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(_mockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert - Should succeed (with warning logged) + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created + var secret = await _k8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace1); + Assert.NotNull(secret); + Assert.Equal("kubernetes.io/tls", secret.Type); + + // Verify IncludeCertChain=false is respected: only leaf certificate, no chain + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should contain tls.crt"); + var tlsCrtData = System.Text.Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = System.Text.RegularExpressions.Regex.Matches(tlsCrtData, "-----BEGIN CERTIFICATE-----").Count; + Assert.True(certCount == 1, $"tls.crt should contain only the leaf certificate when IncludeCertChain=false, but found {certCount} certificate(s)"); + + // Verify there is NO ca.crt (IncludeCertChain=false takes precedence over SeparateChain=true) + Assert.False(secret.Data.ContainsKey("ca.crt"), "Secret should NOT contain ca.crt when IncludeCertChain=false (even if SeparateChain=true)"); + } + + #endregion +} diff --git a/kubernetes-orchestrator-extension.Tests/Integration/K8SJKSStoreIntegrationTests.cs b/kubernetes-orchestrator-extension.Tests/Integration/K8SJKSStoreIntegrationTests.cs new file mode 100644 index 00000000..a5095582 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Integration/K8SJKSStoreIntegrationTests.cs @@ -0,0 +1,1833 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System; +using System.Collections.Generic; +using System.Linq; +using System.Threading.Tasks; +using k8s; +using k8s.Models; +using Keyfactor.Extensions.Orchestrator.K8S.Jobs; +using Keyfactor.Extensions.Orchestrator.K8S.StoreTypes.K8SJKS; +using Keyfactor.Orchestrators.Common.Enums; +using Keyfactor.Orchestrators.Extensions; +using Keyfactor.Orchestrators.K8S.Tests.Attributes; +using Keyfactor.Orchestrators.K8S.Tests.Helpers; +using Keyfactor.Orchestrators.K8S.Tests.Integration.Fixtures; +using Xunit; +using static Keyfactor.Orchestrators.K8S.Tests.Helpers.CertificateTestHelper; + +namespace Keyfactor.Orchestrators.K8S.Tests.Integration; + +/// +/// Integration tests for K8SJKS store type operations against a real Kubernetes cluster. +/// Tests are gated by RUN_INTEGRATION_TESTS=true environment variable. +/// Uses ~/.kube/config with kf-integrations context. +/// All resources are cleaned up after tests. +/// +[Collection("K8SJKS Integration Tests")] +public class K8SJKSStoreIntegrationTests : IntegrationTestBase +{ + protected override string BaseTestNamespace => "keyfactor-k8sjks-integration-tests"; + + public K8SJKSStoreIntegrationTests(IntegrationTestFixture fixture) : base(fixture) + { + } + + #region Inventory Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_EmptyJksSecret_ReturnsEmptyList() + { + // Arrange + var secretName = $"test-empty-jks-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + var certInfo = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "Integration Test Cert"); + var jksBytes = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair, "testpassword", "testcert"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.jks", jksBytes } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Create Inventory job config + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SJKS", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "testpassword", + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"testpassword\",\"StoreFileName\":\"keystore.jks\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (inventoryItems) => true)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + Assert.NotNull(result.JobHistoryId); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_JksSecretWithMultipleCerts_ReturnsAllCertificates() + { + // Arrange + var secretName = $"test-multi-jks-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + var cert1 = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "Cert 1"); + var cert2 = CachedCertificateProvider.GetOrCreate(KeyType.EcP256, "Cert 2"); + var cert3 = CachedCertificateProvider.GetOrCreate(KeyType.Rsa4096, "Cert 3"); + + var entries = new Dictionary + { + { "alias1", (cert1.Certificate, cert1.KeyPair) }, + { "alias2", (cert2.Certificate, cert2.KeyPair) }, + { "alias3", (cert3.Certificate, cert3.KeyPair) } + }; + + var jksBytes = CertificateTestHelper.GenerateJksWithMultipleEntries(entries, "testpassword"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.jks", jksBytes } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Create Inventory job config + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SJKS", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "testpassword", + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"testpassword\",\"StoreFileName\":\"keystore.jks\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (inventoryItems) => true)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + Assert.NotNull(result.JobHistoryId); + // Verify we got back 3 certificates + // Note: The actual certificate data would be in result.JobHistoryId serialized data + } + + #endregion + + #region Management Add Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateToNewSecret_CreatesSecretWithCertificate() + { + // Arrange + var secretName = $"test-add-new-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "New Cert"); + var pfxBytes = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, "certpassword", "newcert"); + var pfxBase64 = Convert.ToBase64String(pfxBytes); + + // Create Management Add job config + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SJKS", + OperationType = CertStoreOperationType.Add, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "storepassword", + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"storepassword\",\"StoreFileName\":\"keystore.jks\"}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = "newcert", + PrivateKeyPassword = "certpassword", + Contents = pfxBase64 + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.True(secret.Data.ContainsKey("keystore.jks")); + Assert.NotEmpty(secret.Data["keystore.jks"]); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateWithChain_IncludeCertChainFalse_OnlyLeafCertInKeystore() + { + // Arrange + var secretName = $"test-include-chain-false-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate a certificate chain (leaf -> intermediate -> root) + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048, + leafCN: "Leaf Cert", + intermediateCN: "Intermediate CA", + rootCN: "Root CA"); + + var leafCert = chain[0]; + var intermediateCert = chain[1]; + var rootCert = chain[2]; + + // Create PKCS12 with the full chain (leaf + intermediate + root) + var chainCerts = new[] { intermediateCert.Certificate, rootCert.Certificate }; + var pfxBytes = CertificateTestHelper.GeneratePkcs12WithChain( + leafCert.Certificate, + leafCert.KeyPair.Private, + chainCerts, + password: "certpassword", + alias: "leafcert"); + var pfxBase64 = Convert.ToBase64String(pfxBytes); + + // Create Management Add job config with IncludeCertChain=false + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SJKS", + OperationType = CertStoreOperationType.Add, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "storepassword", + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"storepassword\",\"StoreFileName\":\"keystore.jks\",\"IncludeCertChain\":\"false\"}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = "leafcert", + PrivateKeyPassword = "certpassword", + Contents = pfxBase64 + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert - Job should succeed + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.True(secret.Data.ContainsKey("keystore.jks"), "Secret should contain keystore.jks"); + + // Load the JKS and verify the chain length + var jksStore = new Org.BouncyCastle.Security.JksStore(); + using (var ms = new System.IO.MemoryStream(secret.Data["keystore.jks"])) + { + jksStore.Load(ms, "storepassword".ToCharArray()); + } + + // Verify the alias exists + Assert.True(jksStore.ContainsAlias("leafcert"), "JKS should contain the 'leafcert' alias"); + + // Get the certificate chain for the alias + var certChain = jksStore.GetCertificateChain("leafcert"); + + // With IncludeCertChain=false, only the leaf certificate should be in the chain + Assert.NotNull(certChain); + Assert.Single(certChain); // Should have exactly 1 certificate (only the leaf) + + // Verify the certificate is the leaf certificate + var storedCert = certChain[0]; + Assert.Equal(leafCert.Certificate.SubjectDN.ToString(), storedCert.SubjectDN.ToString()); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateToExistingSecret_UpdatesSecret() + { + // Arrange + var secretName = $"test-add-existing-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Create existing secret with one certificate + var existingCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Existing Cert"); + var existingJks = CertificateTestHelper.GenerateJks(existingCert.Certificate, existingCert.KeyPair, "storepassword", "existing"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.jks", existingJks } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Prepare new certificate to add + var newCert = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "New Cert"); + var pfxBytes = CertificateTestHelper.GeneratePkcs12(newCert.Certificate, newCert.KeyPair, "certpassword", "newcert"); + var pfxBase64 = Convert.ToBase64String(pfxBytes); + + // Create Management Add job config + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SJKS", + OperationType = CertStoreOperationType.Add, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "storepassword", + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"storepassword\",\"StoreFileName\":\"keystore.jks\"}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = "newcert", + PrivateKeyPassword = "certpassword", + Contents = pfxBase64 + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was updated + var updatedSecret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(updatedSecret); + Assert.True(updatedSecret.Data.ContainsKey("keystore.jks")); + + // Verify both certificates are in the store + var serializer = new JksCertificateStoreSerializer(null); + var store = serializer.DeserializeRemoteCertificateStore(updatedSecret.Data["keystore.jks"], "/test", "storepassword"); + var aliases = store.Aliases.ToList(); + Assert.Equal(2, aliases.Count); + Assert.Contains("existing", aliases); + Assert.Contains("newcert", aliases); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_CreateStoreIfMissing_NoCertificateData_CreatesEmptyJksStore() + { + // Arrange - "Create store if missing" scenario: no certificate data provided + var secretName = $"test-create-store-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Create Management Add job config with no certificate contents (simulates "create store if missing") + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SJKS", + OperationType = CertStoreOperationType.Add, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "storepassword", + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"storepassword\",\"StoreFileName\":\"keystore.jks\"}" + }, + JobCertificate = new ManagementJobCertificate + { + // No alias, no contents - simulates "create store if missing" + Alias = null, + PrivateKeyPassword = null, + Contents = null + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created with an empty but valid JKS keystore + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.True(secret.Data.ContainsKey("keystore.jks"), "Expected 'keystore.jks' key in secret data"); + Assert.NotEmpty(secret.Data["keystore.jks"]); + + // Verify the JKS store is valid and empty (no aliases) + var serializer = new JksCertificateStoreSerializer(null); + var jksStore = serializer.DeserializeRemoteCertificateStore(secret.Data["keystore.jks"], "/test", "storepassword"); + var aliases = jksStore.Aliases.ToList(); + Assert.Empty(aliases); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_CreateStoreIfMissing_SecretAlreadyExists_ReturnsExistingSecret() + { + // Arrange - Secret already exists, "create store if missing" should return the existing secret + var secretName = $"test-existing-store-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Create existing secret with one certificate + var existingCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Existing Cert"); + var existingJks = CertificateTestHelper.GenerateJks(existingCert.Certificate, existingCert.KeyPair, "storepassword", "existing"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.jks", existingJks } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Create Management Add job config with no certificate contents + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SJKS", + OperationType = CertStoreOperationType.Add, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "storepassword", + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"storepassword\",\"StoreFileName\":\"keystore.jks\"}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = null, + PrivateKeyPassword = null, + Contents = null + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert - Should succeed without modifying the existing store + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify the existing certificate is still present + var updatedSecret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + var serializer = new JksCertificateStoreSerializer(null); + var jksStore = serializer.DeserializeRemoteCertificateStore(updatedSecret.Data["keystore.jks"], "/test", "storepassword"); + var aliases = jksStore.Aliases.ToList(); + Assert.Single(aliases); + Assert.Contains("existing", aliases); + } + + #endregion + + #region Management Remove Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_RemoveCertificateFromSecret_RemovesCertificate() + { + // Arrange + var secretName = $"test-remove-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Create secret with two certificates + var cert1 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Cert 1"); + var cert2 = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Cert 2"); + + var entries = new Dictionary + { + { "cert1", (cert1.Certificate, cert1.KeyPair) }, + { "cert2", (cert2.Certificate, cert2.KeyPair) } + }; + + var jksBytes = CertificateTestHelper.GenerateJksWithMultipleEntries(entries, "storepassword"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.jks", jksBytes } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Create Management Remove job config + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SJKS", + OperationType = CertStoreOperationType.Remove, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "storepassword", + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"storepassword\",\"StoreFileName\":\"keystore.jks\"}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = "cert1" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify cert1 was removed and cert2 remains + var updatedSecret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + var serializer = new JksCertificateStoreSerializer(null); + var store = serializer.DeserializeRemoteCertificateStore(updatedSecret.Data["keystore.jks"], "/test", "storepassword"); + var aliases = store.Aliases.ToList(); + Assert.Single(aliases); + Assert.Contains("cert2", aliases); + Assert.DoesNotContain("cert1", aliases); + } + + #endregion + + #region Discovery Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Discovery_FindsJksSecretsInNamespace() + { + // Arrange - Create multiple JKS secrets + var secret1Name = $"test-discover-1-{Guid.NewGuid():N}"; + var secret2Name = $"test-discover-2-{Guid.NewGuid():N}"; + TrackSecret(secret1Name); + TrackSecret(secret2Name); + + var certInfo = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "Discovery Test"); + var jksBytes = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair, "testpassword"); + + foreach (var secretName in new[] { secret1Name, secret2Name }) + { + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = secretName, + NamespaceProperty = TestNamespace, + Labels = new Dictionary + { + { "keyfactor.com/store-type", "K8SJKS" } + } + }, + Type = "Opaque", + Data = new Dictionary + { + { "keystore.jks", jksBytes } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + } + + // Create Discovery job config + var jobConfig = new DiscoveryJobConfiguration + { + Capability = "K8SJKS", + ClientMachine = TestNamespace, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + JobProperties = new Dictionary + { + { "dirs", TestNamespace }, + { "ignoreddirs", "" }, + { "patterns", "" } + } + }; + + var discovery = new Discovery(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => discovery.ProcessJob(jobConfig, (discoveryItems) => true)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + // Note: Discovery returns store paths in the result + } + + #endregion + + #region Error Handling Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddWithWrongPassword_ReturnsFailure() + { + // Arrange + var secretName = $"test-wrong-password-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Create existing secret with one password + var existingCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Existing"); + var existingJks = CertificateTestHelper.GenerateJks(existingCert.Certificate, existingCert.KeyPair, "correctpassword"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.jks", existingJks } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Try to add with wrong password + var newCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "New"); + var pfxBytes = CertificateTestHelper.GeneratePkcs12(newCert.Certificate, newCert.KeyPair, "certpassword"); + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SJKS", + OperationType = CertStoreOperationType.Add, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "wrongpassword", // Wrong password! + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"wrongpassword\",\"StoreFileName\":\"keystore.jks\"}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = "newcert", + PrivateKeyPassword = "certpassword", + Contents = Convert.ToBase64String(pfxBytes) + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Failure, + $"Expected Failure but got {result.Result}. FailureMessage: {result.FailureMessage}"); + Assert.NotNull(result.FailureMessage); + Assert.Contains("password", result.FailureMessage.ToLower()); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_NonExistentSecret_ReturnsSuccessWithEmptyInventory() + { + // Arrange - Test that non-existent secrets return success with empty inventory + // This behavior supports the "create store if missing" feature + var nonExistentSecretName = $"does-not-exist-{Guid.NewGuid():N}"; + var inventoryItems = new List(); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SJKS", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{nonExistentSecretName}", + StorePassword = "password", + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"password\",\"StoreFileName\":\"keystore.jks\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert - Should return Success with warning message and empty inventory + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + Assert.Contains("not found", result.FailureMessage ?? "", StringComparison.OrdinalIgnoreCase); + Assert.Empty(inventoryItems); + } + + #endregion + + #region StorePath Pattern Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_StorePathWithSecretsKeyword_WorksCorrectly() + { + // Test the /secrets/ storepath pattern + // Arrange + var secretName = $"test-path-secrets-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + var certInfo = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "Path Pattern Test"); + var jksBytes = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair, "testpassword", "testcert"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.jks", jksBytes } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + var inventoryItems = new List(); + + // Use /secrets/ pattern + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SJKS", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/secrets/{secretName}", + StorePassword = "testpassword", + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"testpassword\",\"StoreFileName\":\"keystore.jks\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + Assert.True(inventoryItems.Count > 0, "Should find certificates with /secrets/ path pattern"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_StorePathWithClusterNamespaceSecrets_WorksCorrectly() + { + // Test the //secrets/ storepath pattern + // Arrange + var secretName = $"test-path-cluster-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + var certInfo = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "Cluster Path Test"); + var jksBytes = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair, "testpassword", "testcert"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.jks", jksBytes } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + var inventoryItems = new List(); + + // Use //secrets/ pattern + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SJKS", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = "kf-integrations", + StorePath = $"kf-integrations/{TestNamespace}/secrets/{secretName}", + StorePassword = "testpassword", + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"testpassword\",\"StoreFileName\":\"keystore.jks\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + Assert.True(inventoryItems.Count > 0, "Should find certificates with //secrets/ path pattern"); + } + + #endregion + + #region Mixed Entry Types Tests (Private Keys + Trusted Certs) + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_JksWithMixedEntries_ReturnsCorrectPrivateKeyFlags() + { + // Arrange - Create JKS with 2 private key entries + 2 trusted cert entries + var secretName = $"test-mixed-jks-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate certificates for private key entries (with keys) + var serverCert1 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Server Cert 1"); + var serverCert2 = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Server Cert 2"); + + // Generate certificates for trusted cert entries (no keys) + var trustedRootCa = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Trusted Root CA"); + var trustedIntermediateCa = CertificateTestHelper.GenerateCertificate(KeyType.Rsa4096, "Trusted Intermediate CA"); + + var privateKeyEntries = new Dictionary + { + { "server1", (serverCert1.Certificate, serverCert1.KeyPair) }, + { "server2", (serverCert2.Certificate, serverCert2.KeyPair) } + }; + + var trustedCertEntries = new Dictionary + { + { "root-ca", trustedRootCa.Certificate }, + { "intermediate-ca", trustedIntermediateCa.Certificate } + }; + + var jksBytes = CertificateTestHelper.GenerateJksWithMixedEntries(privateKeyEntries, trustedCertEntries, "testpassword"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.jks", jksBytes } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + var inventoryItems = new List(); + + // Create Inventory job config + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SJKS", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "testpassword", + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"testpassword\",\"StoreFileName\":\"keystore.jks\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // NOTE: JKS inventory only returns entries with private keys (PrivateKeyEntry). + // Trusted certificate entries (certificate-only, no private key) are NOT returned. + // This is because GetCertificateChain() returns null for certificate-only entries, + // which causes them to be marked as "skip" in the JKS inventory handler. + // Should have 2 inventory items (only the private key entries) + Assert.Equal(2, inventoryItems.Count); + + // Verify private key entries are returned + // Note: JKS inventory uses full alias format: / + var server1Item = inventoryItems.FirstOrDefault(i => i.Alias == "keystore.jks/server1"); + var server2Item = inventoryItems.FirstOrDefault(i => i.Alias == "keystore.jks/server2"); + + Assert.NotNull(server1Item); + Assert.NotNull(server2Item); + + // Private key entries should have PrivateKeyEntry = true + Assert.True(server1Item.PrivateKeyEntry, "server1 should have PrivateKeyEntry = true"); + Assert.True(server2Item.PrivateKeyEntry, "server2 should have PrivateKeyEntry = true"); + + // Verify trusted cert entries are NOT returned (expected behavior for JKS) + var rootCaItem = inventoryItems.FirstOrDefault(i => i.Alias == "keystore.jks/root-ca"); + var intermediateCaItem = inventoryItems.FirstOrDefault(i => i.Alias == "keystore.jks/intermediate-ca"); + Assert.Null(rootCaItem); // Trusted certs are not included in JKS inventory + Assert.Null(intermediateCaItem); // Trusted certs are not included in JKS inventory + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddTrustedCert_ToExistingJks_Success() + { + // Arrange - Create existing JKS with a private key entry + var secretName = $"test-add-trusted-jks-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + var serverCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Server Cert"); + var existingJks = CertificateTestHelper.GenerateJks(serverCert.Certificate, serverCert.KeyPair, "storepassword", "server"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.jks", existingJks } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Generate a trusted certificate (certificate only, no private key) + var trustedCa = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Trusted CA"); + + // For adding a certificate-only entry, we send the DER-encoded certificate + // The management job should detect this and add it as a trusted cert entry + var certOnlyBase64 = Convert.ToBase64String(trustedCa.Certificate.GetEncoded()); + + // Create Management Add job config + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SJKS", + OperationType = CertStoreOperationType.Add, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "storepassword", + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"storepassword\",\"StoreFileName\":\"keystore.jks\"}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = "trusted-ca", + PrivateKeyPassword = null, // No private key password for certificate-only entry + Contents = certOnlyBase64 + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify the JKS was updated with both entries + var updatedSecret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(updatedSecret); + + // Load the JKS and verify both entries exist + var jksStore = new Org.BouncyCastle.Security.JksStore(); + using (var ms = new System.IO.MemoryStream(updatedSecret.Data["keystore.jks"])) + { + jksStore.Load(ms, "storepassword".ToCharArray()); + } + + var aliases = jksStore.Aliases.ToList(); + Assert.Equal(2, aliases.Count); + Assert.Contains("server", aliases); + Assert.Contains("trusted-ca", aliases); + + // Verify entry types + Assert.True(jksStore.IsKeyEntry("server"), "server should be a key entry"); + Assert.False(jksStore.IsKeyEntry("trusted-ca"), "trusted-ca should be a certificate-only entry"); + } + + #endregion + + #region PKCS12 Format Detection Tests + + /// + /// Tests that the JKS store type correctly fails when encountering PKCS12 format data. + /// Note: BouncyCastle's JksStore reports PKCS12 data as "password incorrect or store tampered with" + /// because the file format doesn't match the JKS magic bytes. The intended auto-delegation + /// via JkSisPkcs12Exception does not work because IOException is thrown instead. + /// Users should use the K8SPKCS12 store type for PKCS12 files. + /// + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_Pkcs12FileInJksSecret_ReturnsFailureWithPasswordError() + { + // Arrange - Create a K8s secret with PKCS12 data but configure as JKS store + // This tests that PKCS12 files cannot be processed by the JKS store type + var secretName = $"test-pkcs12-in-jks-inv-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate PKCS12 data (NOT JKS) + var certInfo = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "PKCS12 in JKS Test"); + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, "testpassword", "testcert"); + + // Create secret with PKCS12 data but named as a keystore file + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.jks", pkcs12Bytes } // PKCS12 data in a .jks filename + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + var inventoryItems = new List(); + + // Create Inventory job config as K8SJKS store type + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SJKS", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "testpassword", + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"testpassword\",\"StoreFileName\":\"keystore.jks\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act - The inventory job will fail because JKS parser cannot read PKCS12 format + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert - Should fail with password/format error + // The JKS parser interprets PKCS12 format as "password incorrect or store tampered with" + Assert.True(result.Result == OrchestratorJobStatusJobResult.Failure, + $"Expected Failure but got {result.Result}. FailureMessage: {result.FailureMessage}"); + Assert.NotNull(result.FailureMessage); + Assert.Contains("password", result.FailureMessage.ToLower()); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddToJksStore_ExistingSecretIsPkcs12_ReturnsFailure() + { + // Arrange - Create a secret with PKCS12 data but configure as JKS store + // Then try to add a certificate to it - should fail because JKS cannot read PKCS12 + var secretName = $"test-add-pkcs12-jks-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Create existing secret with PKCS12 data + var existingCertInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Existing PKCS12"); + var existingPkcs12Bytes = CertificateTestHelper.GeneratePkcs12( + existingCertInfo.Certificate, + existingCertInfo.KeyPair, + "storepassword", + "existing"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.jks", existingPkcs12Bytes } // PKCS12 data + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Prepare new certificate to add + var newCert = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "New Cert for PKCS12"); + var pfxBytes = CertificateTestHelper.GeneratePkcs12(newCert.Certificate, newCert.KeyPair, "certpassword", "newcert"); + var pfxBase64 = Convert.ToBase64String(pfxBytes); + + // Create Management Add job config as K8SJKS + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SJKS", + OperationType = CertStoreOperationType.Add, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "storepassword", + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"storepassword\",\"StoreFileName\":\"keystore.jks\"}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = "newcert", + PrivateKeyPassword = "certpassword", + Contents = pfxBase64 + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act - Should fail because JKS parser cannot read PKCS12 + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert - Should fail with password/format error + Assert.True(result.Result == OrchestratorJobStatusJobResult.Failure, + $"Expected Failure but got {result.Result}. FailureMessage: {result.FailureMessage}"); + Assert.NotNull(result.FailureMessage); + Assert.Contains("password", result.FailureMessage.ToLower()); + } + + /// + /// Verifies that actual JKS files work correctly with the JKS store type. + /// This is a sanity check alongside the PKCS12 failure tests. + /// + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_ActualJksFile_SucceedsCorrectly() + { + // Arrange + var secretName = $"test-actual-jks-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate actual JKS data + var certInfo = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "Actual JKS Test"); + var jksBytes = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair, "testpassword", "testcert"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.jks", jksBytes } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + var inventoryItems = new List(); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SJKS", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "testpassword", + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"testpassword\",\"StoreFileName\":\"keystore.jks\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert - Should succeed with actual JKS data + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + Assert.True(inventoryItems.Count > 0, "Should find certificates in actual JKS store"); + } + + #endregion + + #region Multiple JKS Files in Single Secret Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_SecretWithMultipleJksFiles_ReturnsAllCertificatesFromAllFiles() + { + // Arrange - Create a K8s secret with multiple JKS files (app.jks, ca.jks, truststore.jks) + var secretName = $"test-multi-jks-files-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate different certificates for each JKS file + var appCert = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "App Server Cert"); + var caCert = CachedCertificateProvider.GetOrCreate(KeyType.EcP256, "CA Certificate"); + var trustCert = CachedCertificateProvider.GetOrCreate(KeyType.Rsa4096, "Truststore Cert"); + + // Generate separate JKS files with unique aliases + var appJksBytes = CertificateTestHelper.GenerateJks(appCert.Certificate, appCert.KeyPair, "testpassword", "app-server"); + var caJksBytes = CertificateTestHelper.GenerateJks(caCert.Certificate, caCert.KeyPair, "testpassword", "ca-cert"); + var trustJksBytes = CertificateTestHelper.GenerateJks(trustCert.Certificate, trustCert.KeyPair, "testpassword", "trust-cert"); + + // Create secret with multiple JKS files + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "app.jks", appJksBytes }, + { "ca.jks", caJksBytes }, + { "truststore.jks", trustJksBytes } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + var inventoryItems = new List(); + + // Create Inventory job config - Note: without StoreFileName, it should process ALL JKS files + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SJKS", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "testpassword", + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"testpassword\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Should find all 3 certificates from all 3 JKS files + Assert.True(inventoryItems.Count >= 3, + $"Expected at least 3 certificates but found {inventoryItems.Count}"); + + // Verify aliases from each file are present (format: /) + var aliasStrings = inventoryItems.Select(i => i.Alias).ToList(); + Assert.Contains(aliasStrings, a => a.Contains("app-server") || a.Contains("app.jks")); + Assert.Contains(aliasStrings, a => a.Contains("ca-cert") || a.Contains("ca.jks")); + Assert.Contains(aliasStrings, a => a.Contains("trust-cert") || a.Contains("truststore.jks")); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_SecretWithMultipleJksFiles_EachFileHasMultipleEntries_ReturnsAll() + { + // Arrange - Create a K8s secret with 2 JKS files, each containing 2 certificates + var secretName = $"test-multi-jks-multi-entries-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate certificates for app.jks (2 entries) + var appCert1 = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "App Cert 1"); + var appCert2 = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "App Cert 2"); + + // Generate certificates for backend.jks (2 entries) + var backendCert1 = CachedCertificateProvider.GetOrCreate(KeyType.EcP256, "Backend Cert 1"); + var backendCert2 = CachedCertificateProvider.GetOrCreate(KeyType.EcP256, "Backend Cert 2"); + + var appEntries = new Dictionary + { + { "app-cert-1", (appCert1.Certificate, appCert1.KeyPair) }, + { "app-cert-2", (appCert2.Certificate, appCert2.KeyPair) } + }; + + var backendEntries = new Dictionary + { + { "backend-cert-1", (backendCert1.Certificate, backendCert1.KeyPair) }, + { "backend-cert-2", (backendCert2.Certificate, backendCert2.KeyPair) } + }; + + var appJksBytes = CertificateTestHelper.GenerateJksWithMultipleEntries(appEntries, "testpassword"); + var backendJksBytes = CertificateTestHelper.GenerateJksWithMultipleEntries(backendEntries, "testpassword"); + + // Create secret with multiple JKS files + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "app.jks", appJksBytes }, + { "backend.jks", backendJksBytes } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + var inventoryItems = new List(); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SJKS", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "testpassword", + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"testpassword\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Should find all 4 certificates (2 from each JKS file) + Assert.True(inventoryItems.Count >= 4, + $"Expected at least 4 certificates but found {inventoryItems.Count}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificate_ToSpecificJksFile_UpdatesCorrectFile() + { + // Arrange - Create a K8s secret with multiple JKS files + var secretName = $"test-add-specific-jks-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate existing JKS files + var appCert = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "Existing App Cert"); + var backendCert = CachedCertificateProvider.GetOrCreate(KeyType.EcP256, "Existing Backend Cert"); + + var appJksBytes = CertificateTestHelper.GenerateJks(appCert.Certificate, appCert.KeyPair, "storepassword", "existing-app"); + var backendJksBytes = CertificateTestHelper.GenerateJks(backendCert.Certificate, backendCert.KeyPair, "storepassword", "existing-backend"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "app.jks", appJksBytes }, + { "backend.jks", backendJksBytes } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Prepare new certificate to add to app.jks specifically + var newCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "New App Cert"); + var pfxBytes = CertificateTestHelper.GeneratePkcs12(newCert.Certificate, newCert.KeyPair, "certpassword", "new-app-cert"); + var pfxBase64 = Convert.ToBase64String(pfxBytes); + + // Create Management Add job config targeting app.jks specifically + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SJKS", + OperationType = CertStoreOperationType.Add, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "storepassword", + // Use StoreFileName to target a specific JKS file + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"storepassword\",\"StoreFileName\":\"app.jks\"}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = "new-app-cert", + PrivateKeyPassword = "certpassword", + Contents = pfxBase64 + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify the secret was updated + var updatedSecret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(updatedSecret); + Assert.True(updatedSecret.Data.ContainsKey("app.jks"), "app.jks should still exist"); + Assert.True(updatedSecret.Data.ContainsKey("backend.jks"), "backend.jks should still exist"); + + // Verify app.jks was updated with the new cert + var serializer = new JksCertificateStoreSerializer(null); + var appStore = serializer.DeserializeRemoteCertificateStore(updatedSecret.Data["app.jks"], "/test", "storepassword"); + var appAliases = appStore.Aliases.ToList(); + Assert.Equal(2, appAliases.Count); + Assert.Contains("existing-app", appAliases); + Assert.Contains("new-app-cert", appAliases); + + // Verify backend.jks was NOT modified (should still have only 1 cert) + var backendStore = serializer.DeserializeRemoteCertificateStore(updatedSecret.Data["backend.jks"], "/test", "storepassword"); + var backendAliases = backendStore.Aliases.ToList(); + Assert.Single(backendAliases); + Assert.Contains("existing-backend", backendAliases); + Assert.DoesNotContain("new-app-cert", backendAliases); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_RemoveCertificate_FromSpecificJksFile_UpdatesCorrectFile() + { + // Arrange - Create a K8s secret with multiple JKS files, each with multiple certs + var secretName = $"test-remove-specific-jks-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Create app.jks with 2 certs + var appCert1 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "App Cert 1"); + var appCert2 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "App Cert 2"); + var appEntries = new Dictionary + { + { "app-cert-1", (appCert1.Certificate, appCert1.KeyPair) }, + { "app-cert-2", (appCert2.Certificate, appCert2.KeyPair) } + }; + var appJksBytes = CertificateTestHelper.GenerateJksWithMultipleEntries(appEntries, "storepassword"); + + // Create backend.jks with 2 certs + var backendCert1 = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Backend Cert 1"); + var backendCert2 = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Backend Cert 2"); + var backendEntries = new Dictionary + { + { "backend-cert-1", (backendCert1.Certificate, backendCert1.KeyPair) }, + { "backend-cert-2", (backendCert2.Certificate, backendCert2.KeyPair) } + }; + var backendJksBytes = CertificateTestHelper.GenerateJksWithMultipleEntries(backendEntries, "storepassword"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "app.jks", appJksBytes }, + { "backend.jks", backendJksBytes } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Remove app-cert-1 from app.jks specifically + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SJKS", + OperationType = CertStoreOperationType.Remove, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "storepassword", + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"storepassword\",\"StoreFileName\":\"app.jks\"}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = "app-cert-1" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify the correct file was updated + var updatedSecret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + var serializer = new JksCertificateStoreSerializer(null); + + // app.jks should now have only 1 cert (app-cert-2) + var appStore = serializer.DeserializeRemoteCertificateStore(updatedSecret.Data["app.jks"], "/test", "storepassword"); + var appAliases = appStore.Aliases.ToList(); + Assert.Single(appAliases); + Assert.Contains("app-cert-2", appAliases); + Assert.DoesNotContain("app-cert-1", appAliases); + + // backend.jks should be unchanged (still have 2 certs) + var backendStore = serializer.DeserializeRemoteCertificateStore(updatedSecret.Data["backend.jks"], "/test", "storepassword"); + var backendAliases = backendStore.Aliases.ToList(); + Assert.Equal(2, backendAliases.Count); + Assert.Contains("backend-cert-1", backendAliases); + Assert.Contains("backend-cert-2", backendAliases); + } + + #endregion + + #region Native JKS Format Preservation Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertToNativeJks_PreservesJksFormat() + { + // Arrange - Create a native JKS secret + var secretName = $"test-jks-format-add-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + var existingCert = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "Existing JKS Cert"); + var existingJks = CertificateTestHelper.GenerateJks(existingCert.Certificate, existingCert.KeyPair, "storepassword", "existing"); + + // Verify initial JKS is in native JKS format + Assert.True(CertificateTestHelper.IsNativeJksFormat(existingJks), "Initial JKS should be in native JKS format"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.jks", existingJks } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Prepare new certificate to add + var newCert = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "New Cert JKS Format"); + var pfxBytes = CertificateTestHelper.GeneratePkcs12(newCert.Certificate, newCert.KeyPair, "certpassword", "newcert"); + var pfxBase64 = Convert.ToBase64String(pfxBytes); + + // Create Management Add job config + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SJKS", + OperationType = CertStoreOperationType.Add, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "storepassword", + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"storepassword\",\"StoreFileName\":\"keystore.jks\"}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = "newcert", + PrivateKeyPassword = "certpassword", + Contents = pfxBase64 + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify the updated secret is still in native JKS format (not PKCS12) + var updatedSecret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(updatedSecret); + Assert.True(updatedSecret.Data.ContainsKey("keystore.jks")); + + var updatedJksBytes = updatedSecret.Data["keystore.jks"]; + + // Verify JKS format is preserved (magic bytes 0xFEEDFEED) + Assert.True(CertificateTestHelper.IsNativeJksFormat(updatedJksBytes), + $"Updated keystore should remain in native JKS format but got magic bytes: 0x{updatedJksBytes[0]:X2}{updatedJksBytes[1]:X2}{updatedJksBytes[2]:X2}{updatedJksBytes[3]:X2}"); + Assert.False(CertificateTestHelper.IsPkcs12Format(updatedJksBytes), + "Updated keystore should NOT be in PKCS12 format"); + + // Verify both certificates are in the store + var jksStore = new Org.BouncyCastle.Security.JksStore(); + using (var ms = new System.IO.MemoryStream(updatedJksBytes)) + { + jksStore.Load(ms, "storepassword".ToCharArray()); + } + + var aliases = jksStore.Aliases.ToList(); + Assert.Equal(2, aliases.Count); + Assert.Contains("existing", aliases); + Assert.Contains("newcert", aliases); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_UpdateCertInNativeJks_PreservesJksFormat() + { + // Arrange - Create a native JKS secret with a certificate + var secretName = $"test-jks-format-update-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + var existingCert = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "Existing Cert Update"); + var existingJks = CertificateTestHelper.GenerateJks(existingCert.Certificate, existingCert.KeyPair, "storepassword", "testcert"); + + // Verify initial JKS is in native JKS format + Assert.True(CertificateTestHelper.IsNativeJksFormat(existingJks), "Initial JKS should be in native JKS format"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.jks", existingJks } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Prepare replacement certificate (same alias, different cert) + var replacementCert = CertificateTestHelper.GenerateCertificate(KeyType.EcP384, "Replacement Cert"); + var pfxBytes = CertificateTestHelper.GeneratePkcs12(replacementCert.Certificate, replacementCert.KeyPair, "certpassword", "testcert"); + var pfxBase64 = Convert.ToBase64String(pfxBytes); + + // Create Management Add job config with Overwrite=true + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SJKS", + OperationType = CertStoreOperationType.Add, + Overwrite = true, // Overwrite existing certificate + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "storepassword", + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"storepassword\",\"StoreFileName\":\"keystore.jks\"}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = "testcert", + PrivateKeyPassword = "certpassword", + Contents = pfxBase64 + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify the updated secret is still in native JKS format + var updatedSecret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + var updatedJksBytes = updatedSecret.Data["keystore.jks"]; + + Assert.True(CertificateTestHelper.IsNativeJksFormat(updatedJksBytes), + "Updated keystore should remain in native JKS format after certificate update"); + Assert.False(CertificateTestHelper.IsPkcs12Format(updatedJksBytes), + "Updated keystore should NOT be in PKCS12 format"); + + // Verify the certificate was updated (still only 1 certificate with same alias) + var jksStore = new Org.BouncyCastle.Security.JksStore(); + using (var ms = new System.IO.MemoryStream(updatedJksBytes)) + { + jksStore.Load(ms, "storepassword".ToCharArray()); + } + + var aliases = jksStore.Aliases.ToList(); + Assert.Single(aliases); + Assert.Contains("testcert", aliases); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_RemoveCertFromNativeJks_PreservesJksFormat() + { + // Arrange - Create a native JKS secret with multiple certificates + var secretName = $"test-jks-format-remove-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + var cert1 = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "Cert 1 Remove Format"); + var cert2 = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Cert 2 Remove Format"); + + var entries = new Dictionary + { + { "cert1", (cert1.Certificate, cert1.KeyPair) }, + { "cert2", (cert2.Certificate, cert2.KeyPair) } + }; + + var existingJks = CertificateTestHelper.GenerateJksWithMultipleEntries(entries, "storepassword"); + + // Verify initial JKS is in native JKS format + Assert.True(CertificateTestHelper.IsNativeJksFormat(existingJks), "Initial JKS should be in native JKS format"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.jks", existingJks } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Create Management Remove job config + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SJKS", + OperationType = CertStoreOperationType.Remove, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "storepassword", + Properties = "{\"KubeSecretType\":\"jks\",\"StorePassword\":\"storepassword\",\"StoreFileName\":\"keystore.jks\"}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = "cert1" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify the updated secret is still in native JKS format + var updatedSecret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + var updatedJksBytes = updatedSecret.Data["keystore.jks"]; + + Assert.True(CertificateTestHelper.IsNativeJksFormat(updatedJksBytes), + $"Updated keystore should remain in native JKS format after certificate removal but got magic bytes: 0x{updatedJksBytes[0]:X2}{updatedJksBytes[1]:X2}{updatedJksBytes[2]:X2}{updatedJksBytes[3]:X2}"); + Assert.False(CertificateTestHelper.IsPkcs12Format(updatedJksBytes), + "Updated keystore should NOT be in PKCS12 format"); + + // Verify cert1 was removed and cert2 remains + var jksStore = new Org.BouncyCastle.Security.JksStore(); + using (var ms = new System.IO.MemoryStream(updatedJksBytes)) + { + jksStore.Load(ms, "storepassword".ToCharArray()); + } + + var aliases = jksStore.Aliases.ToList(); + Assert.Single(aliases); + Assert.Contains("cert2", aliases); + Assert.DoesNotContain("cert1", aliases); + } + + #endregion +} diff --git a/kubernetes-orchestrator-extension.Tests/Integration/K8SNSStoreIntegrationTests.cs b/kubernetes-orchestrator-extension.Tests/Integration/K8SNSStoreIntegrationTests.cs new file mode 100644 index 00000000..d94be114 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Integration/K8SNSStoreIntegrationTests.cs @@ -0,0 +1,1034 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System; +using System.Collections.Generic; +using System.Text; +using System.Threading.Tasks; +using k8s; +using k8s.Models; +using Keyfactor.Extensions.Orchestrator.K8S.Jobs; +using Keyfactor.Orchestrators.Common.Enums; +using Keyfactor.Orchestrators.Extensions; +using Keyfactor.Orchestrators.K8S.Tests.Attributes; +using Keyfactor.Orchestrators.K8S.Tests.Helpers; +using Keyfactor.Orchestrators.K8S.Tests.Integration.Fixtures; +using Xunit; +using static Keyfactor.Orchestrators.K8S.Tests.Helpers.CertificateTestHelper; + +namespace Keyfactor.Orchestrators.K8S.Tests.Integration; + +/// +/// Integration tests for K8SNS store type operations against a real Kubernetes cluster. +/// K8SNS manages ALL secrets within a SINGLE namespace. +/// Tests are gated by RUN_INTEGRATION_TESTS=true environment variable. +/// +[Collection("K8SNS Integration Tests")] +public class K8SNSStoreIntegrationTests : IntegrationTestBase +{ + protected override string BaseTestNamespace => "keyfactor-k8sns-integration-tests"; + + public K8SNSStoreIntegrationTests(IntegrationTestFixture fixture) : base(fixture) + { + } + + private async Task CreateTestSecret(string name, KeyType keyType = KeyType.Rsa2048, string secretType = "Opaque", bool useCache = false) + { + var certInfo = useCache + ? CachedCertificateProvider.GetOrCreate(keyType, $"Integration Test {keyType}") + : CertificateTestHelper.GenerateCertificate(keyType, $"Integration Test {name}"); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(name), + Type = secretType, + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + var created = await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + TrackSecret(name); + return created; + } + + #region Discovery Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Discovery_SingleNamespace_FindsAllSecrets() + { + // Arrange - Create secrets in the namespace (read-only test uses cached certs) + var secret1Name = $"test-ns-1-{Guid.NewGuid():N}"; + var secret2Name = $"test-ns-2-{Guid.NewGuid():N}"; + await CreateTestSecret(secret1Name, useCache: true); + await CreateTestSecret(secret2Name, useCache: true); + + var jobConfig = new DiscoveryJobConfiguration + { + Capability = "K8SNS", + ClientMachine = TestNamespace, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + JobProperties = new Dictionary + { + { "dirs", TestNamespace }, + { "ignoreddirs", "" }, + { "patterns", "" } + } + }; + + var discovery = new Discovery(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => discovery.ProcessJob(jobConfig, (discoveryItems) => true)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Discovery_MixedSecretTypes_FindsAllTypes() + { + // Arrange - Create different secret types in the namespace (read-only test uses cached certs) + var opaqueSecret = $"test-opaque-ns-{Guid.NewGuid():N}"; + var tlsSecret = $"test-tls-ns-{Guid.NewGuid():N}"; + await CreateTestSecret(opaqueSecret, KeyType.Rsa2048, "Opaque", useCache: true); + await CreateTestSecret(tlsSecret, KeyType.Rsa2048, "kubernetes.io/tls", useCache: true); + + var jobConfig = new DiscoveryJobConfiguration + { + Capability = "K8SNS", + ClientMachine = TestNamespace, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + JobProperties = new Dictionary + { + { "dirs", TestNamespace }, + { "ignoreddirs", "" }, + { "patterns", "" } + } + }; + + var discovery = new Discovery(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => discovery.ProcessJob(jobConfig, (discoveryItems) => true)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + #endregion + + #region Inventory Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_NamespaceScope_ReturnsAllCertificates() + { + // Arrange - Create secrets in the namespace (read-only test uses cached certs) + var secret1Name = $"test-inv-ns-1-{Guid.NewGuid():N}"; + var secret2Name = $"test-inv-ns-2-{Guid.NewGuid():N}"; + await CreateTestSecret(secret1Name, useCache: true); + await CreateTestSecret(secret2Name, useCache: true); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SNS", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = TestNamespace, + Properties = "{\"KubeSecretType\":\"namespace\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (inventoryItems) => true)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + #endregion + + #region Management Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateToNamespace_ReturnsSuccess() + { + // Arrange + var secretName = $"test-mgmt-ns-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Namespace Management Test"); + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SNS", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = $"secrets/opaque/{secretName}", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = TestNamespace, + Properties = "{\"KubeSecretType\":\"namespace\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created in the correct namespace + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.Equal(TestNamespace, secret.Metadata.NamespaceProperty); + Assert.Equal("Opaque", secret.Type); + + // Verify required fields exist + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should contain tls.crt"); + Assert.True(secret.Data.ContainsKey("tls.key"), "Secret should contain tls.key"); + + // Verify field contents are valid PEM format + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var tlsKeyData = Encoding.UTF8.GetString(secret.Data["tls.key"]); + Assert.Contains("-----BEGIN CERTIFICATE-----", tlsCrtData); + Assert.Contains("-----BEGIN PRIVATE KEY-----", tlsKeyData); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_RemoveCertificateFromNamespace_ReturnsSuccess() + { + // Arrange + var secretName = $"test-remove-ns-{Guid.NewGuid():N}"; + await CreateTestSecret(secretName); + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SNS", + OperationType = CertStoreOperationType.Remove, + JobCertificate = new ManagementJobCertificate + { + Alias = $"secrets/opaque/{secretName}" + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = TestNamespace, + Properties = "{\"KubeSecretType\":\"namespace\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateWithChain_IncludeCertChainFalse_OnlyLeafCertStored() + { + // Arrange - Test that when IncludeCertChain=false, only the leaf certificate is stored + var secretName = $"test-no-chain-ns-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate a certificate chain (root -> intermediate -> leaf) + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKey = chain[0].KeyPair.Private; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SNS", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = $"secrets/tls/{secretName}", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12WithChain( + leafCert, + leafKey, + new[] { intermediateCert, rootCert }, + pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = TestNamespace, + Properties = $"{{\"KubeSecretType\":\"tls\",\"KubeNamespace\":\"{TestNamespace}\",\"IncludeCertChain\":false}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created - read directly from Kubernetes + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.Equal("kubernetes.io/tls", secret.Type); + + // Verify tls.crt contains ONLY the leaf certificate (not the chain) + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should contain tls.crt"); + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = System.Text.RegularExpressions.Regex.Matches(tlsCrtData, "-----BEGIN CERTIFICATE-----").Count; + Assert.True(certCount == 1, $"tls.crt should contain only the leaf certificate when IncludeCertChain=false, but found {certCount} certificate(s)"); + + // Verify there is no ca.crt field (chain was excluded) + Assert.False(secret.Data.ContainsKey("ca.crt"), "Secret should NOT contain ca.crt when IncludeCertChain=false"); + + // Verify the single certificate is indeed the leaf certificate by checking its subject + using var reader = new System.IO.StringReader(tlsCrtData); + var pemReader = new Org.BouncyCastle.OpenSsl.PemReader(reader); + var storedCert = (Org.BouncyCastle.X509.X509Certificate)pemReader.ReadObject(); + var storedSubject = storedCert.SubjectDN.ToString(); + var leafSubject = leafCert.SubjectDN.ToString(); + + Assert.Equal(leafSubject, storedSubject); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateWithChain_SeparateChainFalse_ChainBundledInTlsCrt() + { + // Arrange - Test that when SeparateChain=false, the full chain is bundled into tls.crt + var secretName = $"test-bundle-chain-ns-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate a certificate chain (root -> intermediate -> leaf) + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKey = chain[0].KeyPair.Private; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SNS", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = $"secrets/tls/{secretName}", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12WithChain( + leafCert, + leafKey, + new[] { intermediateCert, rootCert }, + pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = TestNamespace, + Properties = $"{{\"KubeSecretType\":\"tls\",\"KubeNamespace\":\"{TestNamespace}\",\"IncludeCertChain\":true,\"SeparateChain\":false}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.Equal("kubernetes.io/tls", secret.Type); + + // Verify there is NO ca.crt (chain bundled into tls.crt) + Assert.False(secret.Data.ContainsKey("ca.crt"), "Secret should NOT contain ca.crt when SeparateChain=false"); + + // Verify tls.crt contains the full chain (leaf + intermediate + root = 3 certs) + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should contain tls.crt"); + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = System.Text.RegularExpressions.Regex.Matches(tlsCrtData, "-----BEGIN CERTIFICATE-----").Count; + Assert.True(certCount >= 3, $"Expected leaf + chain (3+ certs) in tls.crt when SeparateChain=false, but found {certCount} certificate(s)"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateWithChain_SeparateChainTrue_ChainInCaCrt() + { + // Arrange - Test that when SeparateChain=true, the chain goes to ca.crt + var secretName = $"test-separate-chain-ns-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate a certificate chain (root -> intermediate -> leaf) + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKey = chain[0].KeyPair.Private; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SNS", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = $"secrets/tls/{secretName}", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12WithChain( + leafCert, + leafKey, + new[] { intermediateCert, rootCert }, + pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = TestNamespace, + Properties = $"{{\"KubeSecretType\":\"tls\",\"KubeNamespace\":\"{TestNamespace}\",\"IncludeCertChain\":true,\"SeparateChain\":true}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.Equal("kubernetes.io/tls", secret.Type); + + // Verify ca.crt contains the chain (intermediate + root) + Assert.True(secret.Data.ContainsKey("ca.crt"), "Secret should contain ca.crt when SeparateChain=true"); + var caCrtData = Encoding.UTF8.GetString(secret.Data["ca.crt"]); + var caCertCount = System.Text.RegularExpressions.Regex.Matches(caCrtData, "-----BEGIN CERTIFICATE-----").Count; + Assert.True(caCertCount >= 2, $"ca.crt should contain chain certificates (2+), but found {caCertCount}"); + + // Verify tls.crt contains ONLY the leaf certificate + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should contain tls.crt"); + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var tlsCertCount = System.Text.RegularExpressions.Regex.Matches(tlsCrtData, "-----BEGIN CERTIFICATE-----").Count; + Assert.True(tlsCertCount == 1, $"tls.crt should contain only the leaf certificate when SeparateChain=true, but found {tlsCertCount}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateWithChain_InvalidConfig_IncludeCertChainFalse_SeparateChainTrue_RespectsIncludeCertChain() + { + // Arrange - Test invalid configuration: IncludeCertChain=false, SeparateChain=true + // The code should log a warning and respect IncludeCertChain=false (only leaf cert deployed) + var secretName = $"test-invalid-config-ns-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate a certificate chain (root -> intermediate -> leaf) + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKey = chain[0].KeyPair.Private; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SNS", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = $"secrets/tls/{secretName}", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12WithChain( + leafCert, + leafKey, + new[] { intermediateCert, rootCert }, + pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = TestNamespace, + // Invalid config: SeparateChain=true but IncludeCertChain=false + // Should warn and respect IncludeCertChain=false + Properties = $"{{\"KubeSecretType\":\"tls\",\"KubeNamespace\":\"{TestNamespace}\",\"IncludeCertChain\":false,\"SeparateChain\":true}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert - Should succeed (with warning logged) + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.Equal("kubernetes.io/tls", secret.Type); + + // Verify IncludeCertChain=false is respected: only leaf certificate, no chain + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should contain tls.crt"); + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = System.Text.RegularExpressions.Regex.Matches(tlsCrtData, "-----BEGIN CERTIFICATE-----").Count; + Assert.True(certCount == 1, $"tls.crt should contain only the leaf certificate when IncludeCertChain=false, but found {certCount} certificate(s)"); + + // Verify there is NO ca.crt (IncludeCertChain=false takes precedence over SeparateChain=true) + Assert.False(secret.Data.ContainsKey("ca.crt"), "Secret should NOT contain ca.crt when IncludeCertChain=false (even if SeparateChain=true)"); + } + + #endregion + + #region Boundary Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task NamespaceScope_OnlySeesSecretsInNamespace_NotOtherNamespaces() + { + // Verify that K8SNS only sees secrets in its namespace (read-only test uses cached certs) + // This requires creating a secret in another namespace (if we have cluster permissions) + // For this test, we just verify our namespace secrets are correctly scoped + + // Arrange + var secretName = $"test-boundary-{Guid.NewGuid():N}"; + await CreateTestSecret(secretName, useCache: true); + + // Act - Read secret + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + + // Assert + Assert.NotNull(secret); + Assert.Equal(TestNamespace, secret.Metadata.NamespaceProperty); + } + + #endregion + + #region Error Handling Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_NonExistentNamespace_ReturnsFailure() + { + // Arrange - Use a namespace that doesn't exist + var nonExistentNamespace = $"does-not-exist-{Guid.NewGuid():N}"; + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SNS", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = nonExistentNamespace, + StorePath = nonExistentNamespace, + Properties = "{\"KubeSecretType\":\"namespace\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (inventoryItems) => true)); + + // Assert + // Depending on implementation, this may succeed with empty results or fail + // The important thing is it doesn't crash and provides appropriate feedback + Assert.NotNull(result); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_EmptyNamespace_ReturnsSuccess() + { + // An empty namespace (no secrets) should return success with empty results + // We'll use our test namespace and ensure it has no matching secrets by using a filter + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SNS", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"nonexistent-secret-{Guid.NewGuid():N}", + Properties = "{\"KubeSecretType\":\"namespace\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (inventoryItems) => true)); + + // Assert - Non-existent stores return Success with empty inventory (lenient behavior) + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success (lenient behavior for missing stores) but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_Namespace_ReturnsCorrectPrivateKeyStatus() + { + // Arrange - Create one secret with private key and one without (read-only test uses cached certs) + var secretWithKey = $"test-ns-withkey-{Guid.NewGuid():N}"; + var secretWithoutKey = $"test-ns-nokey-{Guid.NewGuid():N}"; + + // Create secret WITH private key + await CreateTestSecret(secretWithKey, useCache: true); + + // Create secret WITHOUT private key (cert only) + var certInfo = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "NS No Key Test"); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var secretNoKey = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = secretWithoutKey, + NamespaceProperty = TestNamespace, + Labels = new Dictionary + { + { "app.kubernetes.io/managed-by", "keyfactor-integration-tests" } + } + }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) } + // No tls.key field + } + }; + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secretNoKey, TestNamespace); + TrackSecret(secretWithoutKey); + + var inventoryItems = new List(); + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SNS", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = TestNamespace, + Properties = "{\"KubeSecretType\":\"namespace\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Find our test secrets and verify private key status + var withKeyItem = inventoryItems.Find(i => i.Alias.Contains(secretWithKey)); + var noKeyItem = inventoryItems.Find(i => i.Alias.Contains(secretWithoutKey)); + + Assert.NotNull(withKeyItem); + Assert.NotNull(noKeyItem); + Assert.True(withKeyItem.PrivateKeyEntry, $"Secret {secretWithKey} should have PrivateKeyEntry=true"); + Assert.False(noKeyItem.PrivateKeyEntry, $"Secret {secretWithoutKey} should have PrivateKeyEntry=false"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_Namespace_ReturnsFullCertificateChains() + { + // Arrange - Create a secret with a certificate chain (read-only test uses cached certs) + var secretName = $"test-ns-chain-{Guid.NewGuid():N}"; + + // Create secret with certificate chain (leaf + intermediate + root) + var chain = CachedCertificateProvider.GetOrCreateChain(KeyType.Rsa2048); + var leafCertPem = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var intermediatePem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootPem = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // Bundle all certs in tls.crt field + var bundledCertPem = leafCertPem + intermediatePem + rootPem; + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = secretName, + NamespaceProperty = TestNamespace, + Labels = new Dictionary + { + { "app.kubernetes.io/managed-by", "keyfactor-integration-tests" } + } + }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(bundledCertPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + TrackSecret(secretName); + + var inventoryItems = new List(); + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SNS", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = TestNamespace, + Properties = "{\"KubeSecretType\":\"namespace\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Find our chain secret + var chainItem = inventoryItems.Find(i => i.Alias.Contains(secretName)); + Assert.NotNull(chainItem); + + // Should have 3 certificates (leaf + intermediate + root) + Assert.True(chainItem.Certificates.Count() >= 3, + $"Expected at least 3 certificates in chain but got {chainItem.Certificates.Count()}"); + Assert.True(chainItem.UseChainLevel, + "UseChainLevel should be true for secrets with certificate chains"); + } + + #endregion + + #region KubeNamespace Property Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_KubeNamespaceProperty_TakesPriorityOverStorePath() + { + // This test verifies that when KubeNamespace is set in store properties, + // it takes priority over the StorePath value for determining which namespace + // to inventory. This was a bug where StorePath "default" would overwrite + // the configured KubeNamespace. + + // Arrange - Create a unique secret in our test namespace (read-only test uses cached certs) + var secretName = $"test-nsprop-{Guid.NewGuid():N}"; + await CreateTestSecret(secretName, useCache: true); + + var inventoryItems = new List(); + + // Configure with StorePath="default" but KubeNamespace=TestNamespace + // The inventory should use KubeNamespace (TestNamespace), NOT StorePath (default) + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SNS", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = "default", // This should be ignored when KubeNamespace is set + Properties = $"{{\"KubeSecretType\":\"namespace\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert - The key assertion is that inventory succeeded and found secrets + // If StorePath "default" was used instead of KubeNamespace, this would fail + // because our secret only exists in TestNamespace + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify inventory returned items (proving correct namespace was used) + Assert.True(inventoryItems.Count > 0, + "Inventory should return items when KubeNamespace property is set correctly"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_EmptyKubeNamespaceProperty_UsesStorePath() + { + // This test verifies that when KubeNamespace is empty/not provided, + // the StorePath is used as the namespace (fallback behavior). + + // Arrange - Create a unique secret in our test namespace (read-only test uses cached certs) + var secretName = $"test-nsfallback-{Guid.NewGuid():N}"; + await CreateTestSecret(secretName, useCache: true); + + var inventoryItems = new List(); + + // Configure with StorePath=TestNamespace and KubeNamespace empty + // The inventory should use StorePath (TestNamespace) as fallback + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SNS", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = TestNamespace, // This should be used when KubeNamespace is empty + Properties = "{\"KubeSecretType\":\"namespace\"}" // No KubeNamespace provided + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert - Should succeed using StorePath as namespace + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify inventory returned items (proving StorePath was used as namespace) + Assert.True(inventoryItems.Count > 0, + "Inventory should return items when StorePath is used as namespace fallback"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_StorePathWithClusterNamespace_WorksCorrectly() + { + // Test the / storepath pattern for K8SNS + // This is documented as a valid pattern in docsource/k8sns.md + + // Arrange - Create a unique secret in our test namespace (read-only test uses cached certs) + var secretName = $"test-clusterpath-{Guid.NewGuid():N}"; + await CreateTestSecret(secretName, useCache: true); + + var inventoryItems = new List(); + + // Use / pattern + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SNS", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = "kf-integrations", + StorePath = $"kf-integrations/{TestNamespace}", // / pattern + Properties = "{\"KubeSecretType\":\"namespace\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify inventory returned items + Assert.True(inventoryItems.Count > 0, + "Inventory should return items with / path pattern"); + } + + #endregion + + #region Multiple Secret Type Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Namespace_WithMultipleSecretTypes_HandlesAllTypes() + { + // Verify K8SNS can handle multiple secret types in the same namespace (read-only test uses cached certs) + // Arrange + var opaqueSecret = $"test-multi-opaque-{Guid.NewGuid():N}"; + var tlsSecret = $"test-multi-tls-{Guid.NewGuid():N}"; + var ecSecret = $"test-multi-ec-{Guid.NewGuid():N}"; + + await CreateTestSecret(opaqueSecret, KeyType.Rsa2048, "Opaque", useCache: true); + await CreateTestSecret(tlsSecret, KeyType.Rsa2048, "kubernetes.io/tls", useCache: true); + await CreateTestSecret(ecSecret, KeyType.EcP256, "Opaque", useCache: true); + + // Act - List all secrets in namespace + var secrets = await K8sClient.CoreV1.ListNamespacedSecretAsync(TestNamespace); + + // Assert - Verify our created secrets exist + Assert.Contains(secrets.Items, s => s.Metadata.Name == opaqueSecret); + Assert.Contains(secrets.Items, s => s.Metadata.Name == tlsSecret); + Assert.Contains(secrets.Items, s => s.Metadata.Name == ecSecret); + } + + #endregion + + #region Key Type Coverage Tests + + [SkipUnlessTheory(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + [MemberData(nameof(KeyTypeTestData.AllKeyTypes), MemberType = typeof(KeyTypeTestData))] + public async Task Management_Certificate_AddAndInventory_Success(KeyType keyType) + { + var secretName = $"test-{keyType.ToString().ToLowerInvariant()}-ns-{Guid.NewGuid():N}"; + TrackSecret(secretName); + await AddAndInventoryCertificate(secretName, keyType); + } + + private async Task AddAndInventoryCertificate(string secretName, KeyType keyType) + { + // Generate certificate with specified key type + var certInfo = CertificateTestHelper.GenerateCertificate(keyType, $"KeyType Test {keyType}"); + var pfxPassword = "testpassword"; + + // Add certificate + var addJobConfig = new ManagementJobConfiguration + { + Capability = "K8SNS", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = $"secrets/opaque/{secretName}", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = TestNamespace, + Properties = "{\"KubeSecretType\":\"namespace\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + var addResult = await Task.Run(() => management.ProcessJob(addJobConfig)); + + Assert.True(addResult.Result == OrchestratorJobStatusJobResult.Success, + $"Add {keyType} certificate expected Success but got {addResult.Result}. FailureMessage: {addResult.FailureMessage}"); + + // Verify secret was created + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + + // Inventory the certificate + var invJobConfig = new InventoryJobConfiguration + { + Capability = "K8SNS", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = TestNamespace, + Properties = "{\"KubeSecretType\":\"namespace\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + var invResult = await Task.Run(() => inventory.ProcessJob(invJobConfig, (inventoryItems) => true)); + + Assert.True(invResult.Result == OrchestratorJobStatusJobResult.Success, + $"Inventory {keyType} certificate expected Success but got {invResult.Result}. FailureMessage: {invResult.FailureMessage}"); + } + + #endregion +} diff --git a/kubernetes-orchestrator-extension.Tests/Integration/K8SPKCS12StoreIntegrationTests.cs b/kubernetes-orchestrator-extension.Tests/Integration/K8SPKCS12StoreIntegrationTests.cs new file mode 100644 index 00000000..c5ad4de9 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Integration/K8SPKCS12StoreIntegrationTests.cs @@ -0,0 +1,1359 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System; +using System.Collections.Generic; +using System.Linq; +using System.Threading.Tasks; +using k8s; +using k8s.Models; +using Keyfactor.Extensions.Orchestrator.K8S.Jobs; +using Keyfactor.Extensions.Orchestrator.K8S.StoreTypes.K8SPKCS12; +using Keyfactor.Orchestrators.Common.Enums; +using Keyfactor.Orchestrators.Extensions; +using Keyfactor.Orchestrators.K8S.Tests.Attributes; +using Keyfactor.Orchestrators.K8S.Tests.Helpers; +using Keyfactor.Orchestrators.K8S.Tests.Integration.Fixtures; +using Xunit; +using static Keyfactor.Orchestrators.K8S.Tests.Helpers.CertificateTestHelper; + +namespace Keyfactor.Orchestrators.K8S.Tests.Integration; + +/// +/// Integration tests for K8SPKCS12 store type operations against a real Kubernetes cluster. +/// Tests are gated by RUN_INTEGRATION_TESTS=true environment variable. +/// Uses ~/.kube/config with kf-integrations context. +/// All resources are cleaned up after tests. +/// +[Collection("K8SPKCS12 Integration Tests")] +public class K8SPKCS12StoreIntegrationTests : IntegrationTestBase +{ + protected override string BaseTestNamespace => "keyfactor-k8spkcs12-integration-tests"; + + public K8SPKCS12StoreIntegrationTests(IntegrationTestFixture fixture) : base(fixture) + { + } + + #region Inventory Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_EmptyPkcs12Secret_ReturnsEmptyList() + { + // Arrange + var secretName = $"test-empty-pkcs12-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + var pfxBytes = CachedCertificateProvider.GetOrCreatePkcs12(KeyType.Rsa2048, "testpassword", "testcert"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.pfx", pfxBytes } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Create Inventory job config + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SPKCS12", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "testpassword", + Properties = "{\"KubeSecretType\":\"pkcs12\",\"StorePassword\":\"testpassword\",\"StoreFileName\":\"keystore.pfx\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (inventoryItems) => true)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + Assert.NotNull(result.JobHistoryId); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_Pkcs12SecretWithMultipleCerts_ReturnsAllCertificates() + { + // Arrange + var secretName = $"test-multi-pkcs12-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + var cert1 = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "Inventory Multi Cert 1"); + var cert2 = CachedCertificateProvider.GetOrCreate(KeyType.EcP256, "Inventory Multi Cert 2"); + var cert3 = CachedCertificateProvider.GetOrCreate(KeyType.Rsa4096, "Inventory Multi Cert 3"); + + var entries = new Dictionary + { + { "alias1", (cert1.Certificate, cert1.KeyPair) }, + { "alias2", (cert2.Certificate, cert2.KeyPair) }, + { "alias3", (cert3.Certificate, cert3.KeyPair) } + }; + + var pfxBytes = CertificateTestHelper.GeneratePkcs12WithMultipleEntries(entries, "testpassword"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.pfx", pfxBytes } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Create Inventory job config + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SPKCS12", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "testpassword", + Properties = "{\"KubeSecretType\":\"pkcs12\",\"StorePassword\":\"testpassword\",\"StoreFileName\":\"keystore.pfx\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (inventoryItems) => true)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + Assert.NotNull(result.JobHistoryId); + // Verify we got back 3 certificates + // Note: The actual certificate data would be in result.JobHistoryId serialized data + } + + #endregion + + #region Management Add Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateToNewSecret_CreatesSecretWithCertificate() + { + // Arrange + var secretName = $"test-add-new-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "New Cert"); + var pfxBytes = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, "certpassword", "newcert"); + var pfxBase64 = Convert.ToBase64String(pfxBytes); + + // Create Management Add job config + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SPKCS12", + OperationType = CertStoreOperationType.Add, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "storepassword", + Properties = "{\"KubeSecretType\":\"pkcs12\",\"StorePassword\":\"storepassword\",\"StoreFileName\":\"keystore.pfx\"}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = "newcert", + PrivateKeyPassword = "certpassword", + Contents = pfxBase64 + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.True(secret.Data.ContainsKey("keystore.pfx")); + Assert.NotEmpty(secret.Data["keystore.pfx"]); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateToExistingSecret_UpdatesSecret() + { + // Arrange + var secretName = $"test-add-existing-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Create existing secret with one certificate + var existingCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Existing Cert"); + var existingPkcs12 = CertificateTestHelper.GeneratePkcs12(existingCert.Certificate, existingCert.KeyPair, "storepassword", "existing"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.pfx", existingPkcs12 } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Prepare new certificate to add + var newCert = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "New Cert"); + var pfxBytes = CertificateTestHelper.GeneratePkcs12(newCert.Certificate, newCert.KeyPair, "certpassword", "newcert"); + var pfxBase64 = Convert.ToBase64String(pfxBytes); + + // Create Management Add job config + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SPKCS12", + OperationType = CertStoreOperationType.Add, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "storepassword", + Properties = "{\"KubeSecretType\":\"pkcs12\",\"StorePassword\":\"storepassword\",\"StoreFileName\":\"keystore.pfx\"}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = "newcert", + PrivateKeyPassword = "certpassword", + Contents = pfxBase64 + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was updated + var updatedSecret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(updatedSecret); + Assert.True(updatedSecret.Data.ContainsKey("keystore.pfx")); + + // Verify both certificates are in the store + var serializer = new Pkcs12CertificateStoreSerializer(null); + var store = serializer.DeserializeRemoteCertificateStore(updatedSecret.Data["keystore.pfx"], "/test", "storepassword"); + var aliases = store.Aliases.ToList(); + Assert.Equal(2, aliases.Count); + Assert.Contains("existing", aliases); + Assert.Contains("newcert", aliases); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateWithChain_IncludeCertChainFalse_OnlyLeafCertInKeystore() + { + // Arrange - Test that when IncludeCertChain=false, only the leaf certificate is stored in the PKCS12 + var secretName = $"test-no-chain-pkcs12-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate a certificate chain (leaf -> intermediate -> root) + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKey = chain[0].KeyPair.Private; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + + var pfxPassword = "testpassword"; + var storePassword = "storepassword"; + + // Create a PKCS12 with the full chain included + var pfxWithChain = CertificateTestHelper.GeneratePkcs12WithChain( + leafCert, + leafKey, + new[] { intermediateCert, rootCert }, + pfxPassword); + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SPKCS12", + OperationType = CertStoreOperationType.Add, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = storePassword, + Properties = $"{{\"KubeSecretType\":\"pkcs12\",\"StorePassword\":\"{storePassword}\",\"StoreFileName\":\"keystore.pfx\",\"IncludeCertChain\":false}}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = "testcert", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String(pfxWithChain) + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.True(secret.Data.ContainsKey("keystore.pfx"), "Secret should contain keystore.pfx"); + + // Load the PKCS12 from the secret and verify certificate count + var serializer = new Pkcs12CertificateStoreSerializer(null); + var store = serializer.DeserializeRemoteCertificateStore(secret.Data["keystore.pfx"], "/test", storePassword); + + // Get the certificate chain for the alias + var certChain = store.GetCertificateChain("testcert"); + Assert.NotNull(certChain); + + // With IncludeCertChain=false, the chain should contain only the leaf certificate (1 cert) + Assert.True(certChain.Length == 1, + $"Expected only 1 certificate (leaf) in PKCS12 when IncludeCertChain=false, but found {certChain.Length} certificate(s)"); + + // Verify the single certificate is indeed the leaf certificate + var storedCert = certChain[0].Certificate; + var storedSubject = storedCert.SubjectDN.ToString(); + var leafSubject = leafCert.SubjectDN.ToString(); + Assert.Equal(leafSubject, storedSubject); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_CreateStoreIfMissing_NoCertificateData_CreatesEmptyPkcs12Store() + { + // Arrange - "Create store if missing" scenario: no certificate data provided + var secretName = $"test-create-store-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Create Management Add job config with no certificate contents (simulates "create store if missing") + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SPKCS12", + OperationType = CertStoreOperationType.Add, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "storepassword", + Properties = "{\"KubeSecretType\":\"pkcs12\",\"StorePassword\":\"storepassword\",\"StoreFileName\":\"keystore.pfx\"}" + }, + JobCertificate = new ManagementJobCertificate + { + // No alias, no contents - simulates "create store if missing" + Alias = null, + PrivateKeyPassword = null, + Contents = null + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created with an empty but valid PKCS12 keystore + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.True(secret.Data.ContainsKey("keystore.pfx"), "Expected 'keystore.pfx' key in secret data"); + Assert.NotEmpty(secret.Data["keystore.pfx"]); + + // Verify the PKCS12 store is valid and empty (no aliases) + var serializer = new Pkcs12CertificateStoreSerializer(null); + var pkcs12Store = serializer.DeserializeRemoteCertificateStore(secret.Data["keystore.pfx"], "/test", "storepassword"); + var aliases = pkcs12Store.Aliases.ToList(); + Assert.Empty(aliases); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_CreateStoreIfMissing_SecretAlreadyExists_ReturnsExistingSecret() + { + // Arrange - Secret already exists, "create store if missing" should return the existing secret + var secretName = $"test-existing-store-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Create existing secret with one certificate + var existingCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Existing Cert"); + var existingPkcs12 = CertificateTestHelper.GeneratePkcs12(existingCert.Certificate, existingCert.KeyPair, "storepassword", "existing"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.pfx", existingPkcs12 } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Create Management Add job config with no certificate contents + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SPKCS12", + OperationType = CertStoreOperationType.Add, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "storepassword", + Properties = "{\"KubeSecretType\":\"pkcs12\",\"StorePassword\":\"storepassword\",\"StoreFileName\":\"keystore.pfx\"}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = null, + PrivateKeyPassword = null, + Contents = null + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert - Should succeed without modifying the existing store + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify the existing certificate is still present + var updatedSecret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + var serializer = new Pkcs12CertificateStoreSerializer(null); + var pkcs12Store = serializer.DeserializeRemoteCertificateStore(updatedSecret.Data["keystore.pfx"], "/test", "storepassword"); + var aliases = pkcs12Store.Aliases.ToList(); + Assert.Single(aliases); + Assert.Contains("existing", aliases); + } + + #endregion + + #region Management Remove Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_RemoveCertificateFromSecret_RemovesCertificate() + { + // Arrange + var secretName = $"test-remove-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Create secret with two certificates + var cert1 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Cert 1"); + var cert2 = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Cert 2"); + + var entries = new Dictionary + { + { "cert1", (cert1.Certificate, cert1.KeyPair) }, + { "cert2", (cert2.Certificate, cert2.KeyPair) } + }; + + var pfxBytes = CertificateTestHelper.GeneratePkcs12WithMultipleEntries(entries, "storepassword"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.pfx", pfxBytes } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Create Management Remove job config + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SPKCS12", + OperationType = CertStoreOperationType.Remove, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "storepassword", + Properties = "{\"KubeSecretType\":\"pkcs12\",\"StorePassword\":\"storepassword\",\"StoreFileName\":\"keystore.pfx\"}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = "cert1" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify cert1 was removed and cert2 remains + var updatedSecret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + var serializer = new Pkcs12CertificateStoreSerializer(null); + var store = serializer.DeserializeRemoteCertificateStore(updatedSecret.Data["keystore.pfx"], "/test", "storepassword"); + var aliases = store.Aliases.ToList(); + Assert.Single(aliases); + Assert.Contains("cert2", aliases); + Assert.DoesNotContain("cert1", aliases); + } + + #endregion + + #region Discovery Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Discovery_FindsPkcs12SecretsInNamespace() + { + // Arrange - Create multiple PKCS12 secrets + var secret1Name = $"test-discover-1-{Guid.NewGuid():N}"; + var secret2Name = $"test-discover-2-{Guid.NewGuid():N}"; + TrackSecret(secret1Name); + TrackSecret(secret2Name); + + var pfxBytes = CachedCertificateProvider.GetOrCreatePkcs12(KeyType.Rsa2048, "testpassword", "discovery-test"); + + foreach (var secretName in new[] { secret1Name, secret2Name }) + { + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = secretName, + NamespaceProperty = TestNamespace, + Labels = new Dictionary + { + { "keyfactor.com/store-type", "K8SPKCS12" } + } + }, + Type = "Opaque", + Data = new Dictionary + { + { "keystore.pfx", pfxBytes } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + } + + // Create Discovery job config + var jobConfig = new DiscoveryJobConfiguration + { + Capability = "K8SPKCS12", + ClientMachine = TestNamespace, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + JobProperties = new Dictionary + { + { "dirs", TestNamespace }, + { "ignoreddirs", "" }, + { "patterns", "" } + } + }; + + var discovery = new Discovery(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => discovery.ProcessJob(jobConfig, (discoveryItems) => true)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + // Note: Discovery returns store paths in the result + } + + #endregion + + #region Error Handling Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddWithWrongPassword_ReturnsFailure() + { + // Arrange + var secretName = $"test-wrong-password-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Create existing secret with one password + var existingCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Existing"); + var existingPkcs12 = CertificateTestHelper.GeneratePkcs12(existingCert.Certificate, existingCert.KeyPair, "correctpassword"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.pfx", existingPkcs12 } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Try to add with wrong password + var newCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "New"); + var pfxBytes = CertificateTestHelper.GeneratePkcs12(newCert.Certificate, newCert.KeyPair, "certpassword"); + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SPKCS12", + OperationType = CertStoreOperationType.Add, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "wrongpassword", // Wrong password! + Properties = "{\"KubeSecretType\":\"pkcs12\",\"StorePassword\":\"wrongpassword\",\"StoreFileName\":\"keystore.pfx\"}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = "newcert", + PrivateKeyPassword = "certpassword", + Contents = Convert.ToBase64String(pfxBytes) + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Failure, + $"Expected Failure but got {result.Result}. FailureMessage: {result.FailureMessage}"); + Assert.NotNull(result.FailureMessage); + Assert.Contains("password", result.FailureMessage.ToLower()); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_NonExistentSecret_ReturnsSuccessWithEmptyInventory() + { + // Arrange - Test that non-existent secrets return success with empty inventory + // This behavior supports the "create store if missing" feature + var nonExistentSecretName = $"does-not-exist-{Guid.NewGuid():N}"; + var inventoryItems = new List(); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SPKCS12", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{nonExistentSecretName}", + StorePassword = "password", + Properties = "{\"KubeSecretType\":\"pkcs12\",\"StorePassword\":\"password\",\"StoreFileName\":\"keystore.pfx\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert - Should return Success with warning message and empty inventory + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + Assert.Contains("not found", result.FailureMessage ?? "", StringComparison.OrdinalIgnoreCase); + Assert.Empty(inventoryItems); + } + + #endregion + + #region StorePath Pattern Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_StorePathWithSecretsKeyword_WorksCorrectly() + { + // Test the /secrets/ storepath pattern + // Arrange + var secretName = $"test-path-secrets-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + var pfxBytes = CachedCertificateProvider.GetOrCreatePkcs12(KeyType.Rsa2048, "testpassword", "testcert"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.pfx", pfxBytes } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + var inventoryItems = new List(); + + // Use /secrets/ pattern + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SPKCS12", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/secrets/{secretName}", + StorePassword = "testpassword", + Properties = "{\"KubeSecretType\":\"pkcs12\",\"StorePassword\":\"testpassword\",\"StoreFileName\":\"keystore.pfx\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + Assert.True(inventoryItems.Count > 0, "Should find certificates with /secrets/ path pattern"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_StorePathWithClusterNamespaceSecrets_WorksCorrectly() + { + // Test the //secrets/ storepath pattern + // Arrange + var secretName = $"test-path-cluster-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + var pfxBytes = CachedCertificateProvider.GetOrCreatePkcs12(KeyType.Rsa2048, "testpassword", "testcert"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.pfx", pfxBytes } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + var inventoryItems = new List(); + + // Use //secrets/ pattern + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SPKCS12", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = "kf-integrations", + StorePath = $"kf-integrations/{TestNamespace}/secrets/{secretName}", + StorePassword = "testpassword", + Properties = "{\"KubeSecretType\":\"pkcs12\",\"StorePassword\":\"testpassword\",\"StoreFileName\":\"keystore.pfx\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + Assert.True(inventoryItems.Count > 0, "Should find certificates with //secrets/ path pattern"); + } + + #endregion + + #region Mixed Entry Types Tests (Private Keys + Trusted Certs) + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_Pkcs12WithMixedEntries_ReturnsCorrectPrivateKeyFlags() + { + // Arrange - Create PKCS12 with 2 private key entries + 2 trusted cert entries + var secretName = $"test-mixed-pkcs12-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate certificates for private key entries (with keys) + var serverCert1 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Server Cert 1"); + var serverCert2 = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Server Cert 2"); + + // Generate certificates for trusted cert entries (no keys) + var trustedRootCa = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Trusted Root CA"); + var trustedIntermediateCa = CertificateTestHelper.GenerateCertificate(KeyType.Rsa4096, "Trusted Intermediate CA"); + + var privateKeyEntries = new Dictionary + { + { "server1", (serverCert1.Certificate, serverCert1.KeyPair) }, + { "server2", (serverCert2.Certificate, serverCert2.KeyPair) } + }; + + var trustedCertEntries = new Dictionary + { + { "root-ca", trustedRootCa.Certificate }, + { "intermediate-ca", trustedIntermediateCa.Certificate } + }; + + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12WithMixedEntries(privateKeyEntries, trustedCertEntries, "testpassword"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.pfx", pkcs12Bytes } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + var inventoryItems = new List(); + + // Create Inventory job config + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SPKCS12", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "testpassword", + Properties = "{\"KubeSecretType\":\"pkcs12\",\"StorePassword\":\"testpassword\",\"StoreFileName\":\"keystore.pfx\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // NOTE: PKCS12 inventory returns ALL entries including trusted certificate entries. + // This differs from JKS inventory which only returns key entries. + // Should have 4 inventory items (2 private key entries + 2 trusted cert entries) + Assert.Equal(4, inventoryItems.Count); + + // Verify all entries are returned with full alias format: / + var server1Item = inventoryItems.FirstOrDefault(i => i.Alias == "keystore.pfx/server1"); + var server2Item = inventoryItems.FirstOrDefault(i => i.Alias == "keystore.pfx/server2"); + var rootCaItem = inventoryItems.FirstOrDefault(i => i.Alias == "keystore.pfx/root-ca"); + var intermediateCaItem = inventoryItems.FirstOrDefault(i => i.Alias == "keystore.pfx/intermediate-ca"); + + Assert.NotNull(server1Item); + Assert.NotNull(server2Item); + Assert.NotNull(rootCaItem); + Assert.NotNull(intermediateCaItem); + + // All entries have PrivateKeyEntry=true because the PKCS12 inventory + // sets this globally based on whether ANY entry has a private key + Assert.True(server1Item.PrivateKeyEntry, "server1 should have PrivateKeyEntry = true"); + Assert.True(server2Item.PrivateKeyEntry, "server2 should have PrivateKeyEntry = true"); + // Note: Trusted certs also get PrivateKeyEntry=true because the flag is set globally + Assert.True(rootCaItem.PrivateKeyEntry, "root-ca has PrivateKeyEntry = true (global flag)"); + Assert.True(intermediateCaItem.PrivateKeyEntry, "intermediate-ca has PrivateKeyEntry = true (global flag)"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddTrustedCert_ToExistingPkcs12_Success() + { + // Arrange - Create existing PKCS12 with a private key entry + var secretName = $"test-add-trusted-pkcs12-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + var serverCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Server Cert"); + var existingPkcs12 = CertificateTestHelper.GeneratePkcs12(serverCert.Certificate, serverCert.KeyPair, "storepassword", "server"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "keystore.pfx", existingPkcs12 } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Generate a trusted certificate (certificate only, no private key) + var trustedCa = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Trusted CA"); + + // For adding a certificate-only entry, we send the DER-encoded certificate + var certOnlyBase64 = Convert.ToBase64String(trustedCa.Certificate.GetEncoded()); + + // Create Management Add job config + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SPKCS12", + OperationType = CertStoreOperationType.Add, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "storepassword", + Properties = "{\"KubeSecretType\":\"pkcs12\",\"StorePassword\":\"storepassword\",\"StoreFileName\":\"keystore.pfx\"}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = "trusted-ca", + PrivateKeyPassword = null, // No private key password for certificate-only entry + Contents = certOnlyBase64 + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify the PKCS12 was updated with both entries + var updatedSecret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(updatedSecret); + + // Load the PKCS12 and verify both entries exist + var pkcs12Store = new Org.BouncyCastle.Pkcs.Pkcs12StoreBuilder().Build(); + using (var ms = new System.IO.MemoryStream(updatedSecret.Data["keystore.pfx"])) + { + pkcs12Store.Load(ms, "storepassword".ToCharArray()); + } + + var aliases = pkcs12Store.Aliases.ToList(); + Assert.Equal(2, aliases.Count); + Assert.Contains("server", aliases); + Assert.Contains("trusted-ca", aliases); + + // Verify entry types + Assert.True(pkcs12Store.IsKeyEntry("server"), "server should be a key entry"); + Assert.False(pkcs12Store.IsKeyEntry("trusted-ca"), "trusted-ca should be a certificate-only entry"); + } + + #endregion + + #region Multiple PKCS12 Files in Single Secret Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_SecretWithMultiplePkcs12Files_ReturnsAllCertificatesFromAllFiles() + { + // Arrange - Create a K8s secret with multiple PKCS12 files (app.pfx, ca.p12, truststore.pfx) + var secretName = $"test-multi-pfx-files-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate different certificates for each PKCS12 file + var appCert = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "App Server PKCS12"); + var caCert = CachedCertificateProvider.GetOrCreate(KeyType.EcP256, "CA Certificate PKCS12"); + var trustCert = CachedCertificateProvider.GetOrCreate(KeyType.Rsa4096, "Truststore PKCS12"); + + // Generate separate PKCS12 files with unique aliases + var appPfxBytes = CertificateTestHelper.GeneratePkcs12(appCert.Certificate, appCert.KeyPair, "testpassword", "app-server"); + var caP12Bytes = CertificateTestHelper.GeneratePkcs12(caCert.Certificate, caCert.KeyPair, "testpassword", "ca-cert"); + var trustPfxBytes = CertificateTestHelper.GeneratePkcs12(trustCert.Certificate, trustCert.KeyPair, "testpassword", "trust-cert"); + + // Create secret with multiple PKCS12 files + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "app.pfx", appPfxBytes }, + { "ca.p12", caP12Bytes }, + { "truststore.pfx", trustPfxBytes } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + var inventoryItems = new List(); + + // Create Inventory job config - Note: without StoreFileName, it should process ALL PKCS12 files + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SPKCS12", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "testpassword", + Properties = "{\"KubeSecretType\":\"pkcs12\",\"StorePassword\":\"testpassword\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Should find all 3 certificates from all 3 PKCS12 files + Assert.True(inventoryItems.Count >= 3, + $"Expected at least 3 certificates but found {inventoryItems.Count}"); + + // Verify aliases from each file are present + var aliasStrings = inventoryItems.Select(i => i.Alias).ToList(); + Assert.Contains(aliasStrings, a => a.Contains("app-server") || a.Contains("app.pfx")); + Assert.Contains(aliasStrings, a => a.Contains("ca-cert") || a.Contains("ca.p12")); + Assert.Contains(aliasStrings, a => a.Contains("trust-cert") || a.Contains("truststore.pfx")); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_SecretWithMultiplePkcs12Files_EachFileHasMultipleEntries_ReturnsAll() + { + // Arrange - Create a K8s secret with 2 PKCS12 files, each containing 2 certificates + var secretName = $"test-multi-pfx-multi-entries-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate certificates for app.pfx (2 entries) + var appCert1 = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "App Cert 1 PFX"); + var appCert2 = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "App Cert 2 PFX"); + + // Generate certificates for backend.pfx (2 entries) + var backendCert1 = CachedCertificateProvider.GetOrCreate(KeyType.EcP256, "Backend Cert 1 PFX"); + var backendCert2 = CachedCertificateProvider.GetOrCreate(KeyType.EcP256, "Backend Cert 2 PFX"); + + var appEntries = new Dictionary + { + { "app-cert-1", (appCert1.Certificate, appCert1.KeyPair) }, + { "app-cert-2", (appCert2.Certificate, appCert2.KeyPair) } + }; + + var backendEntries = new Dictionary + { + { "backend-cert-1", (backendCert1.Certificate, backendCert1.KeyPair) }, + { "backend-cert-2", (backendCert2.Certificate, backendCert2.KeyPair) } + }; + + var appPfxBytes = CertificateTestHelper.GeneratePkcs12WithMultipleEntries(appEntries, "testpassword"); + var backendPfxBytes = CertificateTestHelper.GeneratePkcs12WithMultipleEntries(backendEntries, "testpassword"); + + // Create secret with multiple PKCS12 files + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "app.pfx", appPfxBytes }, + { "backend.pfx", backendPfxBytes } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + var inventoryItems = new List(); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SPKCS12", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "testpassword", + Properties = "{\"KubeSecretType\":\"pkcs12\",\"StorePassword\":\"testpassword\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoryItems.AddRange(items); + return true; + })); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Should find all 4 certificates (2 from each PKCS12 file) + Assert.True(inventoryItems.Count >= 4, + $"Expected at least 4 certificates but found {inventoryItems.Count}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificate_ToSpecificPkcs12File_UpdatesCorrectFile() + { + // Arrange - Create a K8s secret with multiple PKCS12 files + var secretName = $"test-add-specific-pfx-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate existing PKCS12 files + var appCert = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "Existing App Cert PFX"); + var backendCert = CachedCertificateProvider.GetOrCreate(KeyType.EcP256, "Existing Backend Cert PFX"); + + var appPfxBytes = CertificateTestHelper.GeneratePkcs12(appCert.Certificate, appCert.KeyPair, "storepassword", "existing-app"); + var backendPfxBytes = CertificateTestHelper.GeneratePkcs12(backendCert.Certificate, backendCert.KeyPair, "storepassword", "existing-backend"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "app.pfx", appPfxBytes }, + { "backend.pfx", backendPfxBytes } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Prepare new certificate to add to app.pfx specifically + var newCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "New App Cert PFX"); + var pfxBytes = CertificateTestHelper.GeneratePkcs12(newCert.Certificate, newCert.KeyPair, "certpassword", "new-app-cert"); + var pfxBase64 = Convert.ToBase64String(pfxBytes); + + // Create Management Add job config targeting app.pfx specifically + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SPKCS12", + OperationType = CertStoreOperationType.Add, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "storepassword", + // Use StoreFileName to target a specific PKCS12 file + Properties = "{\"KubeSecretType\":\"pkcs12\",\"StorePassword\":\"storepassword\",\"StoreFileName\":\"app.pfx\"}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = "new-app-cert", + PrivateKeyPassword = "certpassword", + Contents = pfxBase64 + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify the secret was updated + var updatedSecret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(updatedSecret); + Assert.True(updatedSecret.Data.ContainsKey("app.pfx"), "app.pfx should still exist"); + Assert.True(updatedSecret.Data.ContainsKey("backend.pfx"), "backend.pfx should still exist"); + + // Verify app.pfx was updated with the new cert + var serializer = new Pkcs12CertificateStoreSerializer(null); + var appStore = serializer.DeserializeRemoteCertificateStore(updatedSecret.Data["app.pfx"], "/test", "storepassword"); + var appAliases = appStore.Aliases.ToList(); + Assert.Equal(2, appAliases.Count); + Assert.Contains("existing-app", appAliases); + Assert.Contains("new-app-cert", appAliases); + + // Verify backend.pfx was NOT modified (should still have only 1 cert) + var backendStore = serializer.DeserializeRemoteCertificateStore(updatedSecret.Data["backend.pfx"], "/test", "storepassword"); + var backendAliases = backendStore.Aliases.ToList(); + Assert.Single(backendAliases); + Assert.Contains("existing-backend", backendAliases); + Assert.DoesNotContain("new-app-cert", backendAliases); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_RemoveCertificate_FromSpecificPkcs12File_UpdatesCorrectFile() + { + // Arrange - Create a K8s secret with multiple PKCS12 files, each with multiple certs + var secretName = $"test-remove-specific-pfx-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Create app.pfx with 2 certs + var appCert1 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "App Cert 1 PFX Remove"); + var appCert2 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "App Cert 2 PFX Remove"); + var appEntries = new Dictionary + { + { "app-cert-1", (appCert1.Certificate, appCert1.KeyPair) }, + { "app-cert-2", (appCert2.Certificate, appCert2.KeyPair) } + }; + var appPfxBytes = CertificateTestHelper.GeneratePkcs12WithMultipleEntries(appEntries, "storepassword"); + + // Create backend.pfx with 2 certs + var backendCert1 = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Backend Cert 1 PFX Remove"); + var backendCert2 = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Backend Cert 2 PFX Remove"); + var backendEntries = new Dictionary + { + { "backend-cert-1", (backendCert1.Certificate, backendCert1.KeyPair) }, + { "backend-cert-2", (backendCert2.Certificate, backendCert2.KeyPair) } + }; + var backendPfxBytes = CertificateTestHelper.GeneratePkcs12WithMultipleEntries(backendEntries, "storepassword"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "app.pfx", appPfxBytes }, + { "backend.pfx", backendPfxBytes } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Remove app-cert-1 from app.pfx specifically + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SPKCS12", + OperationType = CertStoreOperationType.Remove, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + StorePassword = "storepassword", + Properties = "{\"KubeSecretType\":\"pkcs12\",\"StorePassword\":\"storepassword\",\"StoreFileName\":\"app.pfx\"}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = "app-cert-1" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify the correct file was updated + var updatedSecret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + var serializer = new Pkcs12CertificateStoreSerializer(null); + + // app.pfx should now have only 1 cert (app-cert-2) + var appStore = serializer.DeserializeRemoteCertificateStore(updatedSecret.Data["app.pfx"], "/test", "storepassword"); + var appAliases = appStore.Aliases.ToList(); + Assert.Single(appAliases); + Assert.Contains("app-cert-2", appAliases); + Assert.DoesNotContain("app-cert-1", appAliases); + + // backend.pfx should be unchanged (still have 2 certs) + var backendStore = serializer.DeserializeRemoteCertificateStore(updatedSecret.Data["backend.pfx"], "/test", "storepassword"); + var backendAliases = backendStore.Aliases.ToList(); + Assert.Equal(2, backendAliases.Count); + Assert.Contains("backend-cert-1", backendAliases); + Assert.Contains("backend-cert-2", backendAliases); + } + + #endregion +} diff --git a/kubernetes-orchestrator-extension.Tests/Integration/K8SSecretStoreIntegrationTests.cs b/kubernetes-orchestrator-extension.Tests/Integration/K8SSecretStoreIntegrationTests.cs new file mode 100644 index 00000000..bf5e2bda --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Integration/K8SSecretStoreIntegrationTests.cs @@ -0,0 +1,1325 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System; +using System.Collections.Generic; +using System.Text; +using System.Threading.Tasks; +using k8s; +using k8s.Models; +using Keyfactor.Extensions.Orchestrator.K8S.Jobs; +using Keyfactor.Orchestrators.Common.Enums; +using Keyfactor.Orchestrators.Extensions; +using Keyfactor.Orchestrators.K8S.Tests.Attributes; +using Keyfactor.Orchestrators.K8S.Tests.Helpers; +using Keyfactor.Orchestrators.K8S.Tests.Integration.Fixtures; +using Xunit; +using static Keyfactor.Orchestrators.K8S.Tests.Helpers.CertificateTestHelper; +using CertificateUtilities = Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities; + +namespace Keyfactor.Orchestrators.K8S.Tests.Integration; + +/// +/// Integration tests for K8SSecret store type operations against a real Kubernetes cluster. +/// K8SSecret manages Opaque secrets with PEM-formatted certificates and keys. +/// Tests are gated by RUN_INTEGRATION_TESTS=true environment variable. +/// +[Collection("K8SSecret Integration Tests")] +public class K8SSecretStoreIntegrationTests : IntegrationTestBase +{ + protected override string BaseTestNamespace => "keyfactor-k8ssecret-integration-tests"; + + public K8SSecretStoreIntegrationTests(IntegrationTestFixture fixture) : base(fixture) + { + } + + private async Task CreateTestOpaqueSecret(string name, KeyType keyType = KeyType.Rsa2048, bool includePrivateKey = true, bool includeChain = false) + { + // Use cached certificates for read-only inventory/discovery tests + var certInfo = CachedCertificateProvider.GetOrCreate(keyType, $"Cached Opaque Secret {keyType}"); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + var data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) } + }; + + if (includePrivateKey) + { + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + data["tls.key"] = Encoding.UTF8.GetBytes(keyPem); + } + + if (includeChain) + { + var chain = CachedCertificateProvider.GetOrCreateChain(keyType); + var intermediatePem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootPem = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + data["ca.crt"] = Encoding.UTF8.GetBytes(intermediatePem + rootPem); + } + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(name), + Type = "Opaque", + Data = data + }; + + var created = await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + TrackSecret(name); + return created; + } + + #region Inventory Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_OpaqueSecretWithCertificate_ReturnsSuccess() + { + // Arrange + var secretName = $"test-opaque-cert-{Guid.NewGuid():N}"; + await CreateTestOpaqueSecret(secretName, KeyType.Rsa2048, includePrivateKey: true); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SSecret", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = "{\"KubeSecretType\":\"opaque\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (inventoryItems) => true)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_OpaqueSecretWithChain_ReturnsSuccess() + { + // Arrange + var secretName = $"test-opaque-chain-{Guid.NewGuid():N}"; + await CreateTestOpaqueSecret(secretName, KeyType.Rsa2048, includePrivateKey: true, includeChain: true); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SSecret", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = "{\"KubeSecretType\":\"opaque\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (inventoryItems) => true)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_CertificateOnlySecret_ReturnsSuccess() + { + // Arrange - Some secrets may contain only certificates without private keys + var secretName = $"test-certonly-{Guid.NewGuid():N}"; + await CreateTestOpaqueSecret(secretName, KeyType.Rsa2048, includePrivateKey: false); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SSecret", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = "{\"KubeSecretType\":\"opaque\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (inventoryItems) => true)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + #endregion + + #region Management Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateToNewSecret_ReturnsSuccess() + { + // Arrange + var secretName = $"test-add-new-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Management Test Add"); + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SSecret", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = "testcert", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"opaque\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created with correct type + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.Equal("Opaque", secret.Type); + + // Verify required fields exist + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should contain tls.crt"); + Assert.True(secret.Data.ContainsKey("tls.key"), "Secret should contain tls.key for certificates with private key"); + + // Verify field contents are valid PEM + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var tlsKeyData = Encoding.UTF8.GetString(secret.Data["tls.key"]); + Assert.Contains("-----BEGIN CERTIFICATE-----", tlsCrtData); + Assert.Contains("-----BEGIN PRIVATE KEY-----", tlsKeyData); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_RemoveCertificateFromSecret_ReturnsSuccess() + { + // Arrange + var secretName = $"test-remove-{Guid.NewGuid():N}"; + await CreateTestOpaqueSecret(secretName, KeyType.Rsa2048, includePrivateKey: true); + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SSecret", + OperationType = CertStoreOperationType.Remove, + JobCertificate = new ManagementJobCertificate + { + Alias = "testcert" + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = "{\"KubeSecretType\":\"opaque\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateWithChainBundled_CreatesBundledSecret() + { + // Arrange + var secretName = $"test-add-bundled-chain-{Guid.NewGuid():N}"; + + // Generate a certificate chain (root -> intermediate -> leaf) + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKey = chain[0].KeyPair.Private; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SSecret", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = "testcert", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12WithChain( + leafCert, + leafKey, + new[] { intermediateCert, rootCert }, + pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"opaque\",\"KubeNamespace\":\"{TestNamespace}\",\"IncludeCertChain\":true,\"SeparateChain\":false}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created with bundled chain + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.Equal("Opaque", secret.Type); + + // Should have tls.crt and tls.key + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should contain tls.crt"); + Assert.True(secret.Data.ContainsKey("tls.key"), "Secret should contain tls.key"); + + // Should NOT have ca.crt (chain is bundled into tls.crt) + Assert.False(secret.Data.ContainsKey("ca.crt"), "Secret should NOT contain ca.crt when SeparateChain=false"); + + // Verify tls.crt contains BOTH leaf certificate AND chain certificates (bundled together) + // When SeparateChain=false and IncludeCertChain=true, the Management job should concatenate + // the leaf cert and chain certs into a single tls.crt field + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = System.Text.RegularExpressions.Regex.Matches(tlsCrtData, "-----BEGIN CERTIFICATE-----").Count; + Assert.True(certCount >= 3, $"Expected leaf + chain (3+ certs total: leaf, intermediate, root) in tls.crt, but found {certCount} certificate(s)"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateWithChainSeparate_CreatesSeparateChainSecret() + { + // Arrange + var secretName = $"test-add-separate-chain-{Guid.NewGuid():N}"; + + // Generate a certificate chain (root -> intermediate -> leaf) + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKey = chain[0].KeyPair.Private; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SSecret", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = "testcert", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12WithChain( + leafCert, + leafKey, + new[] { intermediateCert, rootCert }, + pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"opaque\",\"KubeNamespace\":\"{TestNamespace}\",\"IncludeCertChain\":true,\"SeparateChain\":true}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created with separate chain + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.Equal("Opaque", secret.Type); + + // Should have tls.crt, tls.key, and ca.crt + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should contain tls.crt"); + Assert.True(secret.Data.ContainsKey("tls.key"), "Secret should contain tls.key"); + Assert.True(secret.Data.ContainsKey("ca.crt"), "Secret should contain ca.crt when SeparateChain=true"); + + // Verify tls.crt contains only the leaf certificate + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var tlsCertCount = System.Text.RegularExpressions.Regex.Matches(tlsCrtData, "-----BEGIN CERTIFICATE-----").Count; + Assert.True(tlsCertCount == 1, $"tls.crt should contain only the leaf certificate when SeparateChain=true, but found {tlsCertCount}"); + + // Verify ca.crt contains the chain certificates + var caCrtData = Encoding.UTF8.GetString(secret.Data["ca.crt"]); + var chainCertCount = System.Text.RegularExpressions.Regex.Matches(caCrtData, "-----BEGIN CERTIFICATE-----").Count; + Assert.True(chainCertCount >= 1, $"ca.crt should contain chain certificates, but found {chainCertCount}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateWithChain_IncludeCertChainFalse_OnlyLeafCertStored() + { + // Arrange + var secretName = $"test-add-no-chain-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate a certificate chain (leaf -> intermediate -> root) + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKey = chain[0].KeyPair.Private; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + + var pfxPassword = "testpassword"; + + // Create PKCS12 with full chain + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12WithChain( + leafCert, + leafKey, + new[] { intermediateCert, rootCert }, + pfxPassword); + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SSecret", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = "testcert", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String(pkcs12Bytes) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"opaque\",\"KubeNamespace\":\"{TestNamespace}\",\"IncludeCertChain\":false}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert - Job should succeed + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Read the secret directly from Kubernetes + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.Equal("Opaque", secret.Type); + + // Verify tls.crt exists + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should contain tls.crt"); + + // Parse tls.crt and verify it contains ONLY the leaf certificate (not intermediate or root) + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = System.Text.RegularExpressions.Regex.Matches(tlsCrtData, "-----BEGIN CERTIFICATE-----").Count; + Assert.Equal(1, certCount); + + // Verify the single certificate is the leaf cert by checking subject + using var reader = new System.IO.StringReader(tlsCrtData); + var pemReader = new Org.BouncyCastle.OpenSsl.PemReader(reader); + var parsedCert = (Org.BouncyCastle.X509.X509Certificate)pemReader.ReadObject(); + Assert.Equal(leafCert.SubjectDN.ToString(), parsedCert.SubjectDN.ToString()); + + // Verify no ca.crt field exists (chain was excluded) + Assert.False(secret.Data.ContainsKey("ca.crt"), "Secret should NOT contain ca.crt when IncludeCertChain=false"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateWithChain_InvalidConfig_IncludeCertChainFalse_SeparateChainTrue_RespectsIncludeCertChain() + { + // Arrange - Test invalid configuration: IncludeCertChain=false, SeparateChain=true + // The code should log a warning and respect IncludeCertChain=false (only leaf cert deployed) + var secretName = $"test-invalid-config-opaque-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate a certificate chain (root -> intermediate -> leaf) + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKey = chain[0].KeyPair.Private; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SSecret", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = secretName, + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12WithChain( + leafCert, + leafKey, + new[] { intermediateCert, rootCert }, + pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + // Invalid config: SeparateChain=true but IncludeCertChain=false + // Should warn and respect IncludeCertChain=false + Properties = $"{{\"KubeSecretType\":\"opaque\",\"KubeNamespace\":\"{TestNamespace}\",\"IncludeCertChain\":false,\"SeparateChain\":true}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert - Should succeed (with warning logged) + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.Equal("Opaque", secret.Type); + + // Verify IncludeCertChain=false is respected: only leaf certificate, no chain + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should contain tls.crt"); + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = System.Text.RegularExpressions.Regex.Matches(tlsCrtData, "-----BEGIN CERTIFICATE-----").Count; + Assert.True(certCount == 1, $"tls.crt should contain only the leaf certificate when IncludeCertChain=false, but found {certCount} certificate(s)"); + + // Verify there is NO ca.crt (IncludeCertChain=false takes precedence over SeparateChain=true) + Assert.False(secret.Data.ContainsKey("ca.crt"), "Secret should NOT contain ca.crt when IncludeCertChain=false (even if SeparateChain=true)"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_CreateStoreIfMissing_NoCertificateData_CreatesEmptyOpaqueSecret() + { + // Arrange - "Create store if missing" scenario: no certificate data provided + var secretName = $"test-create-store-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Create Management Add job config with no certificate contents (simulates "create store if missing") + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SSecret", + OperationType = CertStoreOperationType.Add, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + Properties = "{\"KubeSecretType\":\"secret\"}" + }, + JobCertificate = new ManagementJobCertificate + { + // No alias, no contents - simulates "create store if missing" + Alias = null, + PrivateKeyPassword = null, + Contents = null + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created as empty Opaque secret + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.Equal("Opaque", secret.Type); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_CreateStoreIfMissing_SecretAlreadyExists_ReturnsExistingSecret() + { + // Arrange - Secret already exists, "create store if missing" should return the existing secret + var secretName = $"test-existing-store-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Create existing secret with certificate + var existingCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Existing Cert"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(CertificateTestHelper.ConvertCertificateToPem(existingCert.Certificate)) }, + { "tls.key", Encoding.UTF8.GetBytes(CertificateTestHelper.ConvertPrivateKeyToPem(existingCert.KeyPair.Private)) } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Create Management Add job config with no certificate contents + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SSecret", + OperationType = CertStoreOperationType.Add, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + Properties = "{\"KubeSecretType\":\"secret\"}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = null, + PrivateKeyPassword = null, + Contents = null + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert - Should succeed without modifying the existing secret + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify the existing certificate is still present + var updatedSecret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.True(updatedSecret.Data.ContainsKey("tls.crt"), "Existing tls.crt should be preserved"); + Assert.True(updatedSecret.Data.ContainsKey("tls.key"), "Existing tls.key should be preserved"); + } + + #endregion + + #region Discovery Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Discovery_FindsOpaqueSecrets_ReturnsSuccess() + { + // Arrange - Create multiple Opaque secrets + var secret1Name = $"test-discover-1-{Guid.NewGuid():N}"; + var secret2Name = $"test-discover-2-{Guid.NewGuid():N}"; + await CreateTestOpaqueSecret(secret1Name, KeyType.Rsa2048); + await CreateTestOpaqueSecret(secret2Name, KeyType.EcP256); + + var jobConfig = new DiscoveryJobConfiguration + { + Capability = "K8SSecret", + ClientMachine = TestNamespace, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + JobProperties = new Dictionary + { + { "dirs", TestNamespace }, + { "ignoreddirs", "" }, + { "patterns", "" } + } + }; + + var discovery = new Discovery(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => discovery.ProcessJob(jobConfig, (discoveryItems) => true)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + #endregion + + #region Error Handling Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_EmptyOpaqueSecret_ReturnsSuccessWithEmptyInventory() + { + // Arrange - Create an empty Opaque secret (exists but has no certificate data) + var secretName = $"test-empty-opaque-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Array.Empty() }, + { "tls.key", Array.Empty() } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SSecret", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"opaque\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (inventoryItems) => true)); + + // Assert - Empty secrets should return success, not fail + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success for empty secret but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_OpaqueSecretWithNoCertificateFields_ReturnsSuccessWithEmptyInventory() + { + // Arrange - Create an Opaque secret with no certificate-related fields + var secretName = $"test-nocertfields-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "some-other-data", Encoding.UTF8.GetBytes("not a certificate") } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SSecret", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"opaque\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (inventoryItems) => true)); + + // Assert - Secrets without certificate fields should return success with empty inventory + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success for secret without certificate fields but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_NonExistentSecret_ReturnsFailure() + { + // Arrange + var nonExistentSecret = $"does-not-exist-{Guid.NewGuid():N}"; + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SSecret", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = nonExistentSecret, + Properties = "{\"KubeSecretType\":\"opaque\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (inventoryItems) => true)); + + // Assert + // Non-existent stores return Success with empty inventory and a FailureMessage explaining the issue + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success (lenient behavior for missing stores) but got {result.Result}. FailureMessage: {result.FailureMessage}"); + Assert.NotNull(result.FailureMessage); + Assert.Contains("not found", result.FailureMessage); + } + + #endregion + + #region Certificate Chain Inventory Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_OpaqueSecretWithMultipleCertsInCaCrt_ReturnsAllCertificates() + { + // Arrange - Create an Opaque secret with leaf cert in tls.crt and multiple CA certs in ca.crt + var secretName = $"test-opaque-chain-multi-ca-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate a certificate chain: Root -> Sub-CA -> Leaf + // Use cached chain for read-only inventory test + var chain = CachedCertificateProvider.GetOrCreateChain(KeyType.Rsa2048); + var leafCertPem = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var subCaPem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootCaPem = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + var leafKeyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // ca.crt contains both Sub-CA and Root-CA + var caCrtContent = subCaPem + rootCaPem; + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafCertPem) }, + { "tls.key", Encoding.UTF8.GetBytes(leafKeyPem) }, + { "ca.crt", Encoding.UTF8.GetBytes(caCrtContent) } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SSecret", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"opaque\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + var inventoriedCerts = new List(); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoriedCerts.AddRange(items); + return true; + })); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Chain certificates are returned as ONE inventory item with multiple certificates in the Certificates array + Assert.Single(inventoriedCerts); + // The single inventory item should contain all 3 certificates from the chain + Assert.Equal(3, inventoriedCerts[0].Certificates.Count()); + + // Verify we have all three certificates by checking subjects + var certSubjects = inventoriedCerts[0].Certificates.Select(certPem => + { + using var reader = new System.IO.StringReader(certPem); + var pemReader = new Org.BouncyCastle.OpenSsl.PemReader(reader); + var cert = (Org.BouncyCastle.X509.X509Certificate)pemReader.ReadObject(); + return cert.SubjectDN.ToString(); + }).ToList(); + + Assert.Contains(certSubjects, s => s.Contains("Leaf")); + Assert.Contains(certSubjects, s => s.Contains("Intermediate") || s.Contains("Sub")); + Assert.Contains(certSubjects, s => s.Contains("Root")); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_OpaqueSecretWithChainInTlsCrt_ReturnsAllCertificates() + { + // Arrange - Create an Opaque secret with full chain in tls.crt (no separate ca.crt) + var secretName = $"test-opaque-chain-in-tlscrt-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate a certificate chain + // Use cached chain for read-only inventory test + var chain = CachedCertificateProvider.GetOrCreateChain(KeyType.Rsa2048); + var leafCertPem = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var subCaPem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootCaPem = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + var leafKeyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // tls.crt contains full chain: Leaf + Sub-CA + Root + var tlsCrtContent = leafCertPem + subCaPem + rootCaPem; + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(tlsCrtContent) }, + { "tls.key", Encoding.UTF8.GetBytes(leafKeyPem) } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SSecret", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"opaque\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + var inventoriedCerts = new List(); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoriedCerts.AddRange(items); + return true; + })); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Chain certificates are returned as ONE inventory item with multiple certificates in the Certificates array + Assert.Single(inventoriedCerts); + // The single inventory item should contain all 3 certificates from the chain + Assert.Equal(3, inventoriedCerts[0].Certificates.Count()); + } + + #endregion + + #region Certificate Without Private Key Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateWithoutPrivateKey_DerFormat_ReturnsSuccess() + { + // Arrange - Test adding a certificate in DER format (no private key) + // Opaque secrets can store certificate-only without requiring a private key + var secretName = $"test-der-nopk-opaque-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate DER-encoded certificate (no private key) + var derCertBase64 = CertificateTestHelper.GenerateBase64DerCertificate(KeyType.Rsa2048, "DER No Private Key Test"); + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SSecret", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = "testcert-nopk", + PrivateKeyPassword = "", // No password since no private key + Contents = derCertBase64 + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"opaque\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert - Opaque secrets should succeed without private key + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created with certificate only (no tls.key) + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.Equal("Opaque", secret.Type); + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should contain tls.crt"); + // Opaque secrets without private key should NOT have tls.key + Assert.False(secret.Data.ContainsKey("tls.key"), "Secret should NOT contain tls.key when no private key provided"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateWithoutPrivateKey_PemFormat_ReturnsSuccess() + { + // Arrange - Test adding a certificate in PEM format (no private key) + var secretName = $"test-pem-nopk-opaque-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate PEM-encoded certificate (no private key) + var pemCert = CertificateTestHelper.GeneratePemCertificateOnly(KeyType.Rsa2048, "PEM No Private Key Test"); + var pemCertBase64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(pemCert)); + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8SSecret", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = "testcert-pem-nopk", + PrivateKeyPassword = "", // No password since no private key + Contents = pemCertBase64 + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"opaque\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert - Opaque secrets should succeed without private key + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created with certificate only + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.Equal("Opaque", secret.Type); + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should contain tls.crt"); + Assert.False(secret.Data.ContainsKey("tls.key"), "Secret should NOT contain tls.key when no private key provided"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_OpaqueSecretWithCertificateOnly_ReturnsSuccess() + { + // Arrange - Create a secret with only a certificate (no private key) + var secretName = $"test-certonly-inv-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Use cached certificate for read-only inventory test + var certInfo = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "Cert Only Inventory Test"); + var pemCert = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(pemCert) } + // No tls.key - certificate only + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8SSecret", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"opaque\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (inventoryItems) => true)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_UpdateExistingSecretWithCertificateOnly_FailsWhenExistingKeyPresent() + { + // Arrange - First create a secret WITH a private key + var secretName = $"test-update-certonly-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Original Cert"); + var pfxPassword = "testpassword"; + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, pfxPassword); + + // Create initial secret with certificate AND private key + var createJobConfig = new ManagementJobConfiguration + { + Capability = "K8SSecret", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = "testcert", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String(pkcs12Bytes) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"opaque\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + var createResult = await Task.Run(() => management.ProcessJob(createJobConfig)); + Assert.True(createResult.Result == OrchestratorJobStatusJobResult.Success, + $"Failed to create initial secret: {createResult.FailureMessage}"); + + // Verify initial secret has tls.key + var initialSecret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.True(initialSecret.Data.ContainsKey("tls.key"), "Initial secret should have tls.key"); + + // Now try to update with certificate-only (no private key) - using DER format + var newCertDer = CertificateTestHelper.GenerateBase64DerCertificate(KeyType.Rsa2048, "Updated Cert No Key"); + + var updateJobConfig = new ManagementJobConfiguration + { + Capability = "K8SSecret", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = "testcert-updated", + PrivateKeyPassword = "", // No password - certificate only + Contents = newCertDer + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"opaque\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = true // Update existing + }; + + // Act + var updateResult = await Task.Run(() => management.ProcessJob(updateJobConfig)); + + // Assert - Should FAIL because we're trying to update a secret that has a private key + // with a certificate-only (no private key), which would leave a mismatched key + Assert.True(updateResult.Result == OrchestratorJobStatusJobResult.Failure, + $"Expected Failure but got {updateResult.Result}. " + + "Deploying cert-only to a secret with existing private key should fail to prevent key mismatch."); + + // Verify the failure message explains the issue + Assert.Contains("private key", updateResult.FailureMessage, StringComparison.OrdinalIgnoreCase); + Assert.Contains("mismatched", updateResult.FailureMessage, StringComparison.OrdinalIgnoreCase); + } + + #endregion + + #region Key Type Coverage Tests + + [SkipUnlessTheory(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + [MemberData(nameof(KeyTypeTestData.AllKeyTypes), MemberType = typeof(KeyTypeTestData))] + public async Task Management_Certificate_AddAndInventory_Success(KeyType keyType) + { + var secretName = $"test-{keyType.ToString().ToLowerInvariant()}-secret-{Guid.NewGuid():N}"; + TrackSecret(secretName); + await AddAndInventoryCertificate(secretName, keyType); + } + + private async Task AddAndInventoryCertificate(string secretName, KeyType keyType) + { + // Generate certificate with specified key type + var certInfo = CertificateTestHelper.GenerateCertificate(keyType, $"KeyType Test {keyType}"); + var pfxPassword = "testpassword"; + + // Calculate expected thumbprint BEFORE deployment + var expectedThumbprint = CertificateUtilities.GetThumbprint(certInfo.Certificate); + var expectedSubject = certInfo.Certificate.SubjectDN.ToString(); + + // Add certificate + var addJobConfig = new ManagementJobConfiguration + { + Capability = "K8SSecret", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = "testcert", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"opaque\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + var addResult = await Task.Run(() => management.ProcessJob(addJobConfig)); + + Assert.True(addResult.Result == OrchestratorJobStatusJobResult.Success, + $"Add {keyType} certificate expected Success but got {addResult.Result}. FailureMessage: {addResult.FailureMessage}"); + + // Verify secret was created with correct certificate + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.Equal("Opaque", secret.Type); + + // Verify the deployed certificate matches the input certificate + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should have tls.crt field"); + var deployedCertPem = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var parser = new Org.BouncyCastle.X509.X509CertificateParser(); + using var reader = new System.IO.StringReader(deployedCertPem); + var pemReader = new Org.BouncyCastle.OpenSsl.PemReader(reader); + var deployedCert = (Org.BouncyCastle.X509.X509Certificate)pemReader.ReadObject(); + + var deployedThumbprint = CertificateUtilities.GetThumbprint(deployedCert); + var deployedSubject = deployedCert.SubjectDN.ToString(); + + Assert.True(expectedThumbprint == deployedThumbprint, + $"Deployed certificate thumbprint doesn't match. Expected: {expectedThumbprint}, Got: {deployedThumbprint}"); + Assert.True(expectedSubject == deployedSubject, + $"Deployed certificate subject doesn't match. Expected: {expectedSubject}, Got: {deployedSubject}"); + + // Inventory the certificate + var invJobConfig = new InventoryJobConfiguration + { + Capability = "K8SSecret", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"opaque\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + var inventoriedCerts = new List(); + var invResult = await Task.Run(() => inventory.ProcessJob(invJobConfig, (inventoryItems) => + { + inventoriedCerts.AddRange(inventoryItems); + return true; + })); + + Assert.True(invResult.Result == OrchestratorJobStatusJobResult.Success, + $"Inventory {keyType} certificate expected Success but got {invResult.Result}. FailureMessage: {invResult.FailureMessage}"); + + // Verify inventoried certificate matches the input certificate + Assert.NotEmpty(inventoriedCerts); + var inventoriedCertPem = inventoriedCerts[0].Certificates.First(); + using var invReader = new System.IO.StringReader(inventoriedCertPem); + var invPemReader = new Org.BouncyCastle.OpenSsl.PemReader(invReader); + var inventoriedCert = (Org.BouncyCastle.X509.X509Certificate)invPemReader.ReadObject(); + var inventoriedThumbprint = CertificateUtilities.GetThumbprint(inventoriedCert); + + Assert.True(expectedThumbprint == inventoriedThumbprint, + $"Inventoried certificate thumbprint doesn't match. Expected: {expectedThumbprint}, Got: {inventoriedThumbprint}"); + } + + #endregion +} diff --git a/kubernetes-orchestrator-extension.Tests/Integration/K8STLSSecrStoreIntegrationTests.cs b/kubernetes-orchestrator-extension.Tests/Integration/K8STLSSecrStoreIntegrationTests.cs new file mode 100644 index 00000000..711a07bb --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Integration/K8STLSSecrStoreIntegrationTests.cs @@ -0,0 +1,1280 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System; +using System.Collections.Generic; +using System.Text; +using System.Threading.Tasks; +using k8s; +using k8s.Models; +using Keyfactor.Extensions.Orchestrator.K8S.Jobs; +using Keyfactor.Orchestrators.Common.Enums; +using Keyfactor.Orchestrators.Extensions; +using Keyfactor.Orchestrators.K8S.Tests.Attributes; +using Keyfactor.Orchestrators.K8S.Tests.Helpers; +using Keyfactor.Orchestrators.K8S.Tests.Integration.Fixtures; +using Xunit; +using static Keyfactor.Orchestrators.K8S.Tests.Helpers.CertificateTestHelper; +using CertificateUtilities = Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities; + +namespace Keyfactor.Orchestrators.K8S.Tests.Integration; + +/// +/// Integration tests for K8STLSSecr store type operations against a real Kubernetes cluster. +/// K8STLSSecr manages kubernetes.io/tls secrets with strict field names (tls.crt, tls.key, ca.crt). +/// Tests are gated by RUN_INTEGRATION_TESTS=true environment variable. +/// +[Collection("K8STLSSecr Integration Tests")] +public class K8STLSSecrStoreIntegrationTests : IntegrationTestBase +{ + protected override string BaseTestNamespace => "keyfactor-k8stlssecr-integration-tests"; + + public K8STLSSecrStoreIntegrationTests(IntegrationTestFixture fixture) : base(fixture) + { + } + + private async Task CreateTestTlsSecret(string name, KeyType keyType = KeyType.Rsa2048, bool includeChain = false) + { + var certInfo = CertificateTestHelper.GenerateCertificate(keyType, $"Integration Test {name}"); + return await CreateTestTlsSecretFromCertInfo(name, certInfo, keyType, includeChain); + } + + /// + /// Creates a TLS secret using a pre-generated certificate. Useful for read-only tests + /// that can share cached certificates to reduce test execution time. + /// + private async Task CreateTestTlsSecretFromCertInfo( + string name, + CertificateInfo certInfo, + KeyType keyType = KeyType.Rsa2048, + bool includeChain = false, + List? chainCerts = null) + { + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + + var data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + }; + + if (includeChain) + { + var chain = chainCerts ?? CachedCertificateProvider.GetOrCreateChain(keyType); + var intermediatePem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootPem = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + data["ca.crt"] = Encoding.UTF8.GetBytes(intermediatePem + rootPem); + } + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(name), + Type = "kubernetes.io/tls", + Data = data + }; + + var created = await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + TrackSecret(name); + return created; + } + + #region Inventory Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_TlsSecretWithCertificate_ReturnsSuccess() + { + // Arrange - Use cached certificate for read-only inventory test + var secretName = $"test-tls-cert-{Guid.NewGuid():N}"; + var cachedCert = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "Inventory TLS Test"); + await CreateTestTlsSecretFromCertInfo(secretName, cachedCert, KeyType.Rsa2048); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8STLSSecr", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"tls_secret\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (inventoryItems) => true)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_TlsSecretWithChain_ReturnsSuccess() + { + // Arrange - Use cached certificate and chain for read-only inventory test + var secretName = $"test-tls-chain-{Guid.NewGuid():N}"; + var cachedChain = CachedCertificateProvider.GetOrCreateChain(KeyType.Rsa2048, "Inventory Chain TLS Test"); + await CreateTestTlsSecretFromCertInfo(secretName, cachedChain[0], KeyType.Rsa2048, includeChain: true, chainCerts: cachedChain); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8STLSSecr", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"tls_secret\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (inventoryItems) => true)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_EcCertificate_ReturnsSuccess() + { + // Arrange - Test with EC certificate using cached certificate for read-only test + var secretName = $"test-tls-ec-{Guid.NewGuid():N}"; + var cachedCert = CachedCertificateProvider.GetOrCreate(KeyType.EcP256, "Inventory EC TLS Test"); + await CreateTestTlsSecretFromCertInfo(secretName, cachedCert, KeyType.EcP256); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8STLSSecr", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"tls_secret\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (inventoryItems) => true)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + #endregion + + #region Management Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateToNewTlsSecret_ReturnsSuccess() + { + // Arrange + var secretName = $"test-add-new-tls-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Management Test Add"); + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8STLSSecr", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = "testcert", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"tls_secret\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created with correct type + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.Equal("kubernetes.io/tls", secret.Type); + + // Verify required fields exist for TLS secrets + Assert.True(secret.Data.ContainsKey("tls.crt"), "TLS secret should contain tls.crt"); + Assert.True(secret.Data.ContainsKey("tls.key"), "TLS secret should contain tls.key"); + + // Verify field contents are valid PEM format + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var tlsKeyData = Encoding.UTF8.GetString(secret.Data["tls.key"]); + Assert.Contains("-----BEGIN CERTIFICATE-----", tlsCrtData); + Assert.Contains("-----BEGIN PRIVATE KEY-----", tlsKeyData); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_RemoveCertificateFromTlsSecret_ReturnsSuccess() + { + // Arrange + var secretName = $"test-remove-tls-{Guid.NewGuid():N}"; + await CreateTestTlsSecret(secretName, KeyType.Rsa2048); + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8STLSSecr", + OperationType = CertStoreOperationType.Remove, + JobCertificate = new ManagementJobCertificate + { + Alias = "testcert" + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"tls_secret\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateWithChainBundled_CreatesBundledTlsCrt() + { + // Arrange - Test that when SeparateChain=false, the chain is bundled into tls.crt + var secretName = $"test-bundled-chain-tls-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate a certificate chain (root -> intermediate -> leaf) + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKey = chain[0].KeyPair.Private; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8STLSSecr", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = "testcert", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12WithChain( + leafCert, + leafKey, + new[] { intermediateCert, rootCert }, + pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"tls_secret\",\"KubeNamespace\":\"{TestNamespace}\",\"IncludeCertChain\":true,\"SeparateChain\":false}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created with bundled chain in tls.crt + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.Equal("kubernetes.io/tls", secret.Type); + + // Should have tls.crt and tls.key + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should contain tls.crt"); + Assert.True(secret.Data.ContainsKey("tls.key"), "Secret should contain tls.key"); + + // Should NOT have ca.crt (chain is bundled into tls.crt) + Assert.False(secret.Data.ContainsKey("ca.crt"), "Secret should NOT contain ca.crt when SeparateChain=false"); + + // Verify tls.crt contains the full chain (leaf + intermediate + root) + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = System.Text.RegularExpressions.Regex.Matches(tlsCrtData, "-----BEGIN CERTIFICATE-----").Count; + Assert.True(certCount >= 3, $"Expected leaf + chain (3+ certs) in tls.crt when SeparateChain=false, but found {certCount} certificate(s)"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateWithChainSeparate_CreatesSeparateCaCrt() + { + // Arrange - Test that when SeparateChain=true (default), the chain goes to ca.crt + var secretName = $"test-separate-chain-tls-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate a certificate chain (root -> intermediate -> leaf) + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKey = chain[0].KeyPair.Private; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8STLSSecr", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = "testcert", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12WithChain( + leafCert, + leafKey, + new[] { intermediateCert, rootCert }, + pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"tls_secret\",\"KubeNamespace\":\"{TestNamespace}\",\"IncludeCertChain\":true,\"SeparateChain\":true}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created with separate ca.crt + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.Equal("kubernetes.io/tls", secret.Type); + + // Should have tls.crt, tls.key, and ca.crt + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should contain tls.crt"); + Assert.True(secret.Data.ContainsKey("tls.key"), "Secret should contain tls.key"); + Assert.True(secret.Data.ContainsKey("ca.crt"), "Secret should contain ca.crt when SeparateChain=true"); + + // Verify tls.crt contains only the leaf certificate + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var tlsCertCount = System.Text.RegularExpressions.Regex.Matches(tlsCrtData, "-----BEGIN CERTIFICATE-----").Count; + Assert.True(tlsCertCount == 1, $"tls.crt should contain only the leaf certificate when SeparateChain=true, but found {tlsCertCount}"); + + // Verify ca.crt contains the chain certificates + var caCrtData = Encoding.UTF8.GetString(secret.Data["ca.crt"]); + var chainCertCount = System.Text.RegularExpressions.Regex.Matches(caCrtData, "-----BEGIN CERTIFICATE-----").Count; + Assert.True(chainCertCount >= 1, $"ca.crt should contain chain certificates, but found {chainCertCount}"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateWithChain_IncludeCertChainFalse_OnlyLeafCertStored() + { + // Arrange - Test that when IncludeCertChain=false, only the leaf certificate is stored + var secretName = $"test-no-chain-tls-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate a certificate chain (root -> intermediate -> leaf) + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKey = chain[0].KeyPair.Private; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8STLSSecr", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = "testcert", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12WithChain( + leafCert, + leafKey, + new[] { intermediateCert, rootCert }, + pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"tls_secret\",\"KubeNamespace\":\"{TestNamespace}\",\"IncludeCertChain\":false}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created - read directly from Kubernetes + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.Equal("kubernetes.io/tls", secret.Type); + + // Verify tls.crt contains ONLY the leaf certificate (not the chain) + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should contain tls.crt"); + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = System.Text.RegularExpressions.Regex.Matches(tlsCrtData, "-----BEGIN CERTIFICATE-----").Count; + Assert.True(certCount == 1, $"tls.crt should contain only the leaf certificate when IncludeCertChain=false, but found {certCount} certificate(s)"); + + // Verify there is no ca.crt field (chain was excluded) + Assert.False(secret.Data.ContainsKey("ca.crt"), "Secret should NOT contain ca.crt when IncludeCertChain=false"); + + // Verify the single certificate is indeed the leaf certificate by checking its subject + using var reader = new System.IO.StringReader(tlsCrtData); + var pemReader = new Org.BouncyCastle.OpenSsl.PemReader(reader); + var storedCert = (Org.BouncyCastle.X509.X509Certificate)pemReader.ReadObject(); + var storedSubject = storedCert.SubjectDN.ToString(); + var leafSubject = leafCert.SubjectDN.ToString(); + + Assert.Equal(leafSubject, storedSubject); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateWithChain_InvalidConfig_IncludeCertChainFalse_SeparateChainTrue_RespectsIncludeCertChain() + { + // Arrange - Test invalid configuration: IncludeCertChain=false, SeparateChain=true + // The code should log a warning and respect IncludeCertChain=false (only leaf cert deployed) + var secretName = $"test-invalid-config-tls-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate a certificate chain (root -> intermediate -> leaf) + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKey = chain[0].KeyPair.Private; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + + var pfxPassword = "testpassword"; + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8STLSSecr", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = secretName, + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12WithChain( + leafCert, + leafKey, + new[] { intermediateCert, rootCert }, + pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + // Invalid config: SeparateChain=true but IncludeCertChain=false + // Should warn and respect IncludeCertChain=false + Properties = $"{{\"KubeSecretType\":\"tls_secret\",\"KubeNamespace\":\"{TestNamespace}\",\"IncludeCertChain\":false,\"SeparateChain\":true}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert - Should succeed (with warning logged) + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.Equal("kubernetes.io/tls", secret.Type); + + // Verify IncludeCertChain=false is respected: only leaf certificate, no chain + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should contain tls.crt"); + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = System.Text.RegularExpressions.Regex.Matches(tlsCrtData, "-----BEGIN CERTIFICATE-----").Count; + Assert.True(certCount == 1, $"tls.crt should contain only the leaf certificate when IncludeCertChain=false, but found {certCount} certificate(s)"); + + // Verify there is NO ca.crt (IncludeCertChain=false takes precedence over SeparateChain=true) + Assert.False(secret.Data.ContainsKey("ca.crt"), "Secret should NOT contain ca.crt when IncludeCertChain=false (even if SeparateChain=true)"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_CreateStoreIfMissing_NoCertificateData_CreatesEmptyTlsSecret() + { + // Arrange - "Create store if missing" scenario: no certificate data provided + var secretName = $"test-create-store-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Create Management Add job config with no certificate contents (simulates "create store if missing") + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8STLSSecr", + OperationType = CertStoreOperationType.Add, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + Properties = "{\"KubeSecretType\":\"tls_secret\"}" + }, + JobCertificate = new ManagementJobCertificate + { + // No alias, no contents - simulates "create store if missing" + Alias = null, + PrivateKeyPassword = null, + Contents = null + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created as TLS secret type + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.Equal("kubernetes.io/tls", secret.Type); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_CreateStoreIfMissing_SecretAlreadyExists_ReturnsExistingSecret() + { + // Arrange - Secret already exists, "create store if missing" should return the existing secret + var secretName = $"test-existing-store-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Create existing TLS secret with certificate + var existingCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Existing TLS Cert"); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(CertificateTestHelper.ConvertCertificateToPem(existingCert.Certificate)) }, + { "tls.key", Encoding.UTF8.GetBytes(CertificateTestHelper.ConvertPrivateKeyToPem(existingCert.KeyPair.Private)) } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + // Create Management Add job config with no certificate contents + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8STLSSecr", + OperationType = CertStoreOperationType.Add, + Overwrite = false, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = $"{TestNamespace}/{secretName}", + Properties = "{\"KubeSecretType\":\"tls_secret\"}" + }, + JobCertificate = new ManagementJobCertificate + { + Alias = null, + PrivateKeyPassword = null, + Contents = null + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert - Should succeed without modifying the existing secret + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify the existing certificate is still present + var updatedSecret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.True(updatedSecret.Data.ContainsKey("tls.crt"), "Existing tls.crt should be preserved"); + Assert.True(updatedSecret.Data.ContainsKey("tls.key"), "Existing tls.key should be preserved"); + } + + #endregion + + #region Discovery Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Discovery_FindsTlsSecrets_ReturnsSuccess() + { + // Arrange - Create multiple TLS secrets using cached certificates for read-only discovery test + var secret1Name = $"test-discover-tls-1-{Guid.NewGuid():N}"; + var secret2Name = $"test-discover-tls-2-{Guid.NewGuid():N}"; + var cachedRsaCert = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "Discovery RSA TLS Test"); + var cachedEcCert = CachedCertificateProvider.GetOrCreate(KeyType.EcP256, "Discovery EC TLS Test"); + await CreateTestTlsSecretFromCertInfo(secret1Name, cachedRsaCert, KeyType.Rsa2048); + await CreateTestTlsSecretFromCertInfo(secret2Name, cachedEcCert, KeyType.EcP256); + + var jobConfig = new DiscoveryJobConfiguration + { + Capability = "K8STLSSecr", + ClientMachine = TestNamespace, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + JobProperties = new Dictionary + { + { "dirs", TestNamespace }, + { "ignoreddirs", "" }, + { "patterns", "" } + } + }; + + var discovery = new Discovery(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => discovery.ProcessJob(jobConfig, (discoveryItems) => true)); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + #endregion + + #region Error Handling Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_EmptyTlsSecret_ReturnsSuccessWithEmptyInventory() + { + // Arrange - Create an empty TLS secret (exists but has no certificate data) + var secretName = $"test-empty-tls-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Array.Empty() }, + { "tls.key", Array.Empty() } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8STLSSecr", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"tls_secret\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (inventoryItems) => true)); + + // Assert - Empty secrets should return success, not fail + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success for empty secret but got {result.Result}. FailureMessage: {result.FailureMessage}"); + } + + // NOTE: This test was removed because Kubernetes enforces schema validation on TLS secrets. + // You CANNOT create a kubernetes.io/tls secret without tls.crt - the K8s API server rejects it + // with HTTP 422: "data[tls.crt]: Required value". The scenario is impossible in Kubernetes. + // If you need to test missing certificate handling, use an Opaque secret type instead. + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_NonExistentTlsSecret_ReturnsFailure() + { + // Arrange + var nonExistentSecret = $"does-not-exist-tls-{Guid.NewGuid():N}"; + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8STLSSecr", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = nonExistentSecret, + Properties = "{\"KubeSecretType\":\"tls_secret\"}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (inventoryItems) => true)); + + // Assert + // Non-existent stores return Success with empty inventory and a FailureMessage explaining the issue + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success (lenient behavior for missing stores) but got {result.Result}. FailureMessage: {result.FailureMessage}"); + Assert.NotNull(result.FailureMessage); + Assert.Contains("not found", result.FailureMessage); + } + + #endregion + + #region Native Kubernetes Compatibility Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task TlsSecret_CompatibleWithK8sIngress_CorrectFormat() + { + // Verify that K8STLSSecr secrets are compatible with native K8S resources like Ingress + // Arrange - Use cached certificate for read-only compatibility test + var secretName = $"test-ingress-tls-{Guid.NewGuid():N}"; + var cachedCert = CachedCertificateProvider.GetOrCreate(KeyType.Rsa2048, "Ingress Compat TLS Test"); + await CreateTestTlsSecretFromCertInfo(secretName, cachedCert, KeyType.Rsa2048); + + // Act - Read back the secret + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + + // Assert - Verify it matches native K8S TLS secret format + Assert.Equal("kubernetes.io/tls", secret.Type); + Assert.True(secret.Data.ContainsKey("tls.crt")); + Assert.True(secret.Data.ContainsKey("tls.key")); + + // Verify PEM format + var certPem = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var keyPem = Encoding.UTF8.GetString(secret.Data["tls.key"]); + Assert.Contains("-----BEGIN CERTIFICATE-----", certPem); + Assert.Contains("-----BEGIN PRIVATE KEY-----", keyPem); + } + + #endregion + + #region Certificate Chain Inventory Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_TlsSecretWithMultipleCertsInCaCrt_ReturnsAllCertificates() + { + // Arrange - Create a TLS secret with leaf cert in tls.crt and multiple CA certs in ca.crt + // Use cached chain for read-only inventory test + var secretName = $"test-chain-multi-ca-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Get cached certificate chain: Root -> Sub-CA -> Leaf + // Chain returns List with [0]=leaf, [1]=intermediate, [2]=root + var chain = CachedCertificateProvider.GetOrCreateChain(KeyType.Rsa2048, "Multi CA Inventory Test"); + var leafCertPem = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var subCaPem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootCaPem = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + var leafKeyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // ca.crt contains both Sub-CA and Root-CA + var caCrtContent = subCaPem + rootCaPem; + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafCertPem) }, + { "tls.key", Encoding.UTF8.GetBytes(leafKeyPem) }, + { "ca.crt", Encoding.UTF8.GetBytes(caCrtContent) } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8STLSSecr", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"tls_secret\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + var inventoriedCerts = new List(); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoriedCerts.AddRange(items); + return true; + })); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Chain certificates are returned as ONE inventory item with multiple certificates in the Certificates array + Assert.Single(inventoriedCerts); + // The single inventory item should contain all 3 certificates from the chain + Assert.Equal(3, inventoriedCerts[0].Certificates.Count()); + + // Verify we have all three certificates by checking subjects + var certSubjects = inventoriedCerts[0].Certificates.Select(certPem => + { + using var reader = new System.IO.StringReader(certPem); + var pemReader = new Org.BouncyCastle.OpenSsl.PemReader(reader); + var cert = (Org.BouncyCastle.X509.X509Certificate)pemReader.ReadObject(); + return cert.SubjectDN.ToString(); + }).ToList(); + + // Cached chain has: leaf CN = "Multi CA Inventory Test", intermediate = "Intermediate CA (Rsa2048)", root = "Root CA (Rsa2048)" + Assert.Contains(certSubjects, s => s.Contains("Multi CA Inventory Test")); + Assert.Contains(certSubjects, s => s.Contains("Intermediate")); + Assert.Contains(certSubjects, s => s.Contains("Root")); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Inventory_TlsSecretWithChainInTlsCrt_ReturnsAllCertificates() + { + // Arrange - Create a TLS secret with full chain in tls.crt (no separate ca.crt) + // Use cached chain for read-only inventory test + var secretName = $"test-chain-in-tlscrt-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Get cached certificate chain + // Chain returns List with [0]=leaf, [1]=intermediate, [2]=root + var chain = CachedCertificateProvider.GetOrCreateChain(KeyType.Rsa2048, "Chain In TlsCrt Inventory Test"); + var leafCertPem = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var subCaPem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootCaPem = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + var leafKeyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // tls.crt contains full chain: Leaf + Sub-CA + Root + var tlsCrtContent = leafCertPem + subCaPem + rootCaPem; + + var secret = new V1Secret + { + Metadata = CreateTestSecretMetadata(secretName), + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(tlsCrtContent) }, + { "tls.key", Encoding.UTF8.GetBytes(leafKeyPem) } + } + }; + + await K8sClient.CoreV1.CreateNamespacedSecretAsync(secret, TestNamespace); + + var jobConfig = new InventoryJobConfiguration + { + Capability = "K8STLSSecr", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"tls_secret\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + var inventoriedCerts = new List(); + + // Act + var result = await Task.Run(() => inventory.ProcessJob(jobConfig, (items) => + { + inventoriedCerts.AddRange(items); + return true; + })); + + // Assert + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Chain certificates are returned as ONE inventory item with multiple certificates in the Certificates array + Assert.Single(inventoriedCerts); + // The single inventory item should contain all 3 certificates from the chain + Assert.Equal(3, inventoriedCerts[0].Certificates.Count()); + } + + #endregion + + #region Certificate Without Private Key Tests + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateWithoutPrivateKey_DerFormat_ReturnsSuccess() + { + // Arrange - Test adding a certificate in DER format (no private key) + // This simulates when Command sends a certificate without private key + var secretName = $"test-der-nopk-tls-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate DER-encoded certificate (no private key) + var derCertBase64 = CertificateTestHelper.GenerateBase64DerCertificate(KeyType.Rsa2048, "DER No Private Key Test"); + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8STLSSecr", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = "testcert-nopk", + PrivateKeyPassword = "", // No password since no private key + Contents = derCertBase64 + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"tls_secret\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert - Should succeed even without private key (with warning) + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.Equal("kubernetes.io/tls", secret.Type); + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should contain tls.crt"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_AddCertificateWithoutPrivateKey_PemFormat_ReturnsSuccess() + { + // Arrange - Test adding a certificate in PEM format (no private key) + var secretName = $"test-pem-nopk-tls-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + // Generate PEM-encoded certificate (no private key) + var pemCert = CertificateTestHelper.GeneratePemCertificateOnly(KeyType.Rsa2048, "PEM No Private Key Test"); + var pemCertBase64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(pemCert)); + + var jobConfig = new ManagementJobConfiguration + { + Capability = "K8STLSSecr", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = "testcert-pem-nopk", + PrivateKeyPassword = "", // No password since no private key + Contents = pemCertBase64 + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"tls_secret\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + + // Act + var result = await Task.Run(() => management.ProcessJob(jobConfig)); + + // Assert - Should succeed even without private key (with warning) + Assert.True(result.Result == OrchestratorJobStatusJobResult.Success, + $"Expected Success but got {result.Result}. FailureMessage: {result.FailureMessage}"); + + // Verify secret was created + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.Equal("kubernetes.io/tls", secret.Type); + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should contain tls.crt"); + } + + [SkipUnless(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + public async Task Management_UpdateExistingTlsSecretWithCertificateOnly_FailsWhenExistingKeyPresent() + { + // Arrange - First create a TLS secret WITH a private key + var secretName = $"test-tls-update-certonly-{Guid.NewGuid():N}"; + TrackSecret(secretName); + + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Original TLS Cert"); + var pfxPassword = "testpassword"; + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, pfxPassword); + + // Create initial TLS secret with certificate AND private key + var createJobConfig = new ManagementJobConfiguration + { + Capability = "K8STLSSecr", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = "testcert", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String(pkcs12Bytes) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"tls_secret\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + var createResult = await Task.Run(() => management.ProcessJob(createJobConfig)); + Assert.True(createResult.Result == OrchestratorJobStatusJobResult.Success, + $"Failed to create initial TLS secret: {createResult.FailureMessage}"); + + // Verify initial secret has tls.key + var initialSecret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.True(initialSecret.Data.ContainsKey("tls.key"), "Initial TLS secret should have tls.key"); + + // Now try to update with certificate-only (no private key) + var newCertDer = CertificateTestHelper.GenerateBase64DerCertificate(KeyType.Rsa2048, "Updated TLS Cert No Key"); + + var updateJobConfig = new ManagementJobConfiguration + { + Capability = "K8STLSSecr", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = "testcert-updated", + PrivateKeyPassword = "", // No password - certificate only + Contents = newCertDer + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"tls_secret\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = true // Update existing + }; + + // Act + var updateResult = await Task.Run(() => management.ProcessJob(updateJobConfig)); + + // Assert - Should FAIL because we're trying to update a TLS secret that has a private key + // with a certificate-only (no private key), which would leave a mismatched key + Assert.True(updateResult.Result == OrchestratorJobStatusJobResult.Failure, + $"Expected Failure but got {updateResult.Result}. " + + "Deploying cert-only to a TLS secret with existing private key should fail to prevent key mismatch."); + + // Verify the failure message explains the issue + Assert.Contains("private key", updateResult.FailureMessage, StringComparison.OrdinalIgnoreCase); + Assert.Contains("mismatched", updateResult.FailureMessage, StringComparison.OrdinalIgnoreCase); + } + + #endregion + + #region Key Type Coverage Tests + + [SkipUnlessTheory(EnvironmentVariable = "RUN_INTEGRATION_TESTS")] + [MemberData(nameof(KeyTypeTestData.AllKeyTypes), MemberType = typeof(KeyTypeTestData))] + public async Task Management_Certificate_AddAndInventory_Success(KeyType keyType) + { + var secretName = $"test-{keyType.ToString().ToLowerInvariant()}-tls-{Guid.NewGuid():N}"; + TrackSecret(secretName); + await AddAndInventoryCertificate(secretName, keyType); + } + + private async Task AddAndInventoryCertificate(string secretName, KeyType keyType) + { + // Generate certificate with specified key type + var certInfo = CertificateTestHelper.GenerateCertificate(keyType, $"KeyType Test {keyType}"); + var pfxPassword = "testpassword"; + + // Calculate expected thumbprint BEFORE deployment + var expectedThumbprint = CertificateUtilities.GetThumbprint(certInfo.Certificate); + var expectedSubject = certInfo.Certificate.SubjectDN.ToString(); + + // Add certificate + var addJobConfig = new ManagementJobConfiguration + { + Capability = "K8STLSSecr", + OperationType = CertStoreOperationType.Add, + JobCertificate = new ManagementJobCertificate + { + Alias = "testcert", + PrivateKeyPassword = pfxPassword, + Contents = Convert.ToBase64String( + CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, pfxPassword)) + }, + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"tls_secret\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true, + Overwrite = false + }; + + var management = new Management(MockPamResolver.Object); + var addResult = await Task.Run(() => management.ProcessJob(addJobConfig)); + + Assert.True(addResult.Result == OrchestratorJobStatusJobResult.Success, + $"Add {keyType} certificate expected Success but got {addResult.Result}. FailureMessage: {addResult.FailureMessage}"); + + // Verify secret was created with correct certificate + var secret = await K8sClient.CoreV1.ReadNamespacedSecretAsync(secretName, TestNamespace); + Assert.NotNull(secret); + Assert.Equal("kubernetes.io/tls", secret.Type); + + // Verify the deployed certificate matches the input certificate + Assert.True(secret.Data.ContainsKey("tls.crt"), "Secret should have tls.crt field"); + var deployedCertPem = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var parser = new Org.BouncyCastle.X509.X509CertificateParser(); + using var reader = new System.IO.StringReader(deployedCertPem); + var pemReader = new Org.BouncyCastle.OpenSsl.PemReader(reader); + var deployedCert = (Org.BouncyCastle.X509.X509Certificate)pemReader.ReadObject(); + + var deployedThumbprint = CertificateUtilities.GetThumbprint(deployedCert); + var deployedSubject = deployedCert.SubjectDN.ToString(); + + Assert.True(expectedThumbprint == deployedThumbprint, + $"Deployed certificate thumbprint doesn't match. Expected: {expectedThumbprint}, Got: {deployedThumbprint}"); + Assert.True(expectedSubject == deployedSubject, + $"Deployed certificate subject doesn't match. Expected: {expectedSubject}, Got: {deployedSubject}"); + + // Inventory the certificate + var invJobConfig = new InventoryJobConfiguration + { + Capability = "K8STLSSecr", + CertificateStoreDetails = new CertificateStore + { + ClientMachine = TestNamespace, + StorePath = secretName, + Properties = $"{{\"KubeSecretType\":\"tls_secret\",\"KubeNamespace\":\"{TestNamespace}\"}}" + }, + ServerUsername = string.Empty, + ServerPassword = KubeconfigJson, + UseSSL = true + }; + + var inventory = new Inventory(MockPamResolver.Object); + var inventoriedCerts = new List(); + var invResult = await Task.Run(() => inventory.ProcessJob(invJobConfig, (inventoryItems) => + { + inventoriedCerts.AddRange(inventoryItems); + return true; + })); + + Assert.True(invResult.Result == OrchestratorJobStatusJobResult.Success, + $"Inventory {keyType} certificate expected Success but got {invResult.Result}. FailureMessage: {invResult.FailureMessage}"); + + // Verify inventoried certificate matches the input certificate + Assert.NotEmpty(inventoriedCerts); + var inventoriedCertPem = inventoriedCerts[0].Certificates.First(); + using var invReader = new System.IO.StringReader(inventoriedCertPem); + var invPemReader = new Org.BouncyCastle.OpenSsl.PemReader(invReader); + var inventoriedCert = (Org.BouncyCastle.X509.X509Certificate)invPemReader.ReadObject(); + var inventoriedThumbprint = CertificateUtilities.GetThumbprint(inventoriedCert); + + Assert.True(expectedThumbprint == inventoriedThumbprint, + $"Inventoried certificate thumbprint doesn't match. Expected: {expectedThumbprint}, Got: {inventoriedThumbprint}"); + } + + #endregion +} diff --git a/kubernetes-orchestrator-extension.Tests/Jobs/CertificateFormatTests.cs b/kubernetes-orchestrator-extension.Tests/Jobs/CertificateFormatTests.cs new file mode 100644 index 00000000..6fb4abdd --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Jobs/CertificateFormatTests.cs @@ -0,0 +1,402 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System; +using Keyfactor.Extensions.Orchestrator.K8S.Utilities; +using Keyfactor.Orchestrators.K8S.Tests.Helpers; +using Xunit; +using static Keyfactor.Orchestrators.K8S.Tests.Helpers.CertificateTestHelper; + +namespace Keyfactor.Orchestrators.K8S.Tests.Jobs; + +/// +/// Unit tests for DER and PEM certificate format detection and parsing. +/// Tests the ability to handle certificates without private keys from Command. +/// +public class CertificateFormatTests +{ + #region DER Format Detection Tests + + [Fact] + public void IsDerFormat_ValidDerCertificate_ReturnsTrue() + { + // Arrange + var derBytes = GenerateDerCertificate(KeyType.Rsa2048); + + // Act + var result = CertificateUtilities.IsDerFormat(derBytes); + + // Assert + Assert.True(result); + } + + [Theory] + [InlineData(KeyType.Rsa2048)] + [InlineData(KeyType.Rsa4096)] + [InlineData(KeyType.EcP256)] + [InlineData(KeyType.EcP384)] + [InlineData(KeyType.Ed25519)] + public void IsDerFormat_VariousKeyTypes_ReturnsTrue(KeyType keyType) + { + // Arrange + var derBytes = GenerateDerCertificate(keyType); + + // Act + var result = CertificateUtilities.IsDerFormat(derBytes); + + // Assert + Assert.True(result); + } + + [Fact] + public void IsDerFormat_Pkcs12Data_ReturnsFalse() + { + // Arrange - PKCS12 is not DER certificate format + var certInfo = GenerateCertificate(KeyType.Rsa2048); + var pkcs12Bytes = GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, "password"); + + // Act + var result = CertificateUtilities.IsDerFormat(pkcs12Bytes); + + // Assert + Assert.False(result); + } + + [Fact] + public void IsDerFormat_RandomBytes_ReturnsFalse() + { + // Arrange + var randomBytes = new byte[100]; + new Random().NextBytes(randomBytes); + + // Act + var result = CertificateUtilities.IsDerFormat(randomBytes); + + // Assert + Assert.False(result); + } + + [Fact] + public void IsDerFormat_EmptyBytes_ReturnsFalse() + { + // Arrange + var emptyBytes = Array.Empty(); + + // Act + var result = CertificateUtilities.IsDerFormat(emptyBytes); + + // Assert + Assert.False(result); + } + + [Fact] + public void IsDerFormat_NullBytes_ReturnsFalse() + { + // Act + var result = CertificateUtilities.IsDerFormat(null); + + // Assert + Assert.False(result); + } + + #endregion + + #region Certificate Generation Without Private Key Tests + + [Fact] + public void GenerateDerCertificate_ReturnsValidDerBytes() + { + // Arrange & Act + var derBytes = GenerateDerCertificate(KeyType.Rsa2048); + + // Assert + Assert.NotNull(derBytes); + Assert.NotEmpty(derBytes); + + // Verify it can be parsed as a certificate + var parser = new Org.BouncyCastle.X509.X509CertificateParser(); + var cert = parser.ReadCertificate(derBytes); + Assert.NotNull(cert); + } + + [Fact] + public void GeneratePemCertificateOnly_ReturnsPemWithoutPrivateKey() + { + // Arrange & Act + var pemCert = GeneratePemCertificateOnly(KeyType.Rsa2048); + + // Assert + Assert.NotNull(pemCert); + Assert.Contains("-----BEGIN CERTIFICATE-----", pemCert); + Assert.Contains("-----END CERTIFICATE-----", pemCert); + Assert.DoesNotContain("-----BEGIN PRIVATE KEY-----", pemCert); + Assert.DoesNotContain("-----BEGIN RSA PRIVATE KEY-----", pemCert); + Assert.DoesNotContain("-----BEGIN EC PRIVATE KEY-----", pemCert); + } + + [Fact] + public void GenerateBase64DerCertificate_ReturnsValidBase64() + { + // Arrange & Act + var base64Der = GenerateBase64DerCertificate(KeyType.Rsa2048); + + // Assert + Assert.NotNull(base64Der); + + // Verify it can be decoded + var decoded = Convert.FromBase64String(base64Der); + Assert.NotEmpty(decoded); + + // Verify it's a valid DER certificate + Assert.True(CertificateUtilities.IsDerFormat(decoded)); + } + + #endregion + + #region Certificate Thumbprint Tests + + [Fact] + public void GetThumbprint_DerCertificate_ReturnsValidThumbprint() + { + // Arrange + var derBytes = GenerateDerCertificate(KeyType.Rsa2048); + var parser = new Org.BouncyCastle.X509.X509CertificateParser(); + var cert = parser.ReadCertificate(derBytes); + + // Act + var thumbprint = CertificateUtilities.GetThumbprint(cert); + + // Assert + Assert.NotNull(thumbprint); + Assert.NotEmpty(thumbprint); + // SHA1 thumbprint is 40 hex characters + Assert.Equal(40, thumbprint.Length); + Assert.Matches("^[0-9A-Fa-f]+$", thumbprint); + } + + #endregion + + #region PEM/DER Round-Trip Tests + + [Theory] + [InlineData(KeyType.Rsa2048)] + [InlineData(KeyType.EcP256)] + [InlineData(KeyType.Ed25519)] + public void DerToPem_RoundTrip_PreservesData(KeyType keyType) + { + // Arrange + var certInfo = GenerateCertificate(keyType); + var originalDer = certInfo.Certificate.GetEncoded(); + + // Convert to PEM + var pem = ConvertCertificateToPem(certInfo.Certificate); + + // Parse from PEM back to certificate + using var reader = new System.IO.StringReader(pem); + var pemReader = new Org.BouncyCastle.OpenSsl.PemReader(reader); + var parsedCert = (Org.BouncyCastle.X509.X509Certificate)pemReader.ReadObject(); + + // Get DER from parsed cert + var roundTripDer = parsedCert.GetEncoded(); + + // Assert + Assert.Equal(originalDer, roundTripDer); + } + + #endregion + + #region Certificate Chain Parsing Tests + + [Fact] + public void CertificateChain_MultiplePemCertificates_ParsesAllCerts() + { + // Arrange - Create a PEM string with multiple certificates + // GenerateCertificateChain returns List with [0]=leaf, [1]=intermediate, [2]=root + var chain = GenerateCertificateChain(KeyType.Rsa2048); + var leafPem = ConvertCertificateToPem(chain[0].Certificate); + var subCaPem = ConvertCertificateToPem(chain[1].Certificate); + var rootPem = ConvertCertificateToPem(chain[2].Certificate); + + // Combine into a single PEM string (like ca.crt would contain) + var combinedPem = subCaPem + rootPem; + + // Act - Parse using PemReader loop (similar to LoadCertificateChain) + var certificates = new List(); + using var stringReader = new System.IO.StringReader(combinedPem); + var pemReader = new Org.BouncyCastle.OpenSsl.PemReader(stringReader); + + object pemObject; + while ((pemObject = pemReader.ReadObject()) != null) + { + if (pemObject is Org.BouncyCastle.X509.X509Certificate cert) + { + certificates.Add(cert); + } + } + + // Assert + Assert.Equal(2, certificates.Count); + Assert.Contains(certificates, c => c.SubjectDN.ToString().Contains("Intermediate") || c.SubjectDN.ToString().Contains("Sub")); + Assert.Contains(certificates, c => c.SubjectDN.ToString().Contains("Root")); + } + + [Fact] + public void CertificateChain_FullChainInSingleField_ParsesAllThreeCerts() + { + // Arrange - Create a full chain (Leaf + Sub-CA + Root) in a single PEM string + // GenerateCertificateChain returns List with [0]=leaf, [1]=intermediate, [2]=root + var chain = GenerateCertificateChain(KeyType.Rsa2048); + var leafPem = ConvertCertificateToPem(chain[0].Certificate); + var subCaPem = ConvertCertificateToPem(chain[1].Certificate); + var rootPem = ConvertCertificateToPem(chain[2].Certificate); + + var fullChainPem = leafPem + subCaPem + rootPem; + + // Act + var certificates = new List(); + using var stringReader = new System.IO.StringReader(fullChainPem); + var pemReader = new Org.BouncyCastle.OpenSsl.PemReader(stringReader); + + object pemObject; + while ((pemObject = pemReader.ReadObject()) != null) + { + if (pemObject is Org.BouncyCastle.X509.X509Certificate cert) + { + certificates.Add(cert); + } + } + + // Assert + Assert.Equal(3, certificates.Count); + Assert.Contains(certificates, c => c.SubjectDN.ToString().Contains("Leaf")); + Assert.Contains(certificates, c => c.SubjectDN.ToString().Contains("Intermediate") || c.SubjectDN.ToString().Contains("Sub")); + Assert.Contains(certificates, c => c.SubjectDN.ToString().Contains("Root")); + } + + [Fact] + public void CertificateChain_SingleCertificate_ParsesOneCert() + { + // Arrange - Single certificate PEM + var certInfo = GenerateCertificate(KeyType.Rsa2048); + var certPem = ConvertCertificateToPem(certInfo.Certificate); + + // Act + var certificates = new List(); + using var stringReader = new System.IO.StringReader(certPem); + var pemReader = new Org.BouncyCastle.OpenSsl.PemReader(stringReader); + + object pemObject; + while ((pemObject = pemReader.ReadObject()) != null) + { + if (pemObject is Org.BouncyCastle.X509.X509Certificate cert) + { + certificates.Add(cert); + } + } + + // Assert + Assert.Single(certificates); + } + + [Fact] + public void CertificateChain_EmptyString_ReturnsEmptyList() + { + // Arrange + var emptyPem = ""; + + // Act + var certificates = new List(); + using var stringReader = new System.IO.StringReader(emptyPem); + var pemReader = new Org.BouncyCastle.OpenSsl.PemReader(stringReader); + + object pemObject; + while ((pemObject = pemReader.ReadObject()) != null) + { + if (pemObject is Org.BouncyCastle.X509.X509Certificate cert) + { + certificates.Add(cert); + } + } + + // Assert + Assert.Empty(certificates); + } + + #endregion + + #region IncludeCertChain Limitation Tests + + /// + /// Documents the limitation that DER certificates (sent by Command when no private key) + /// cannot include the certificate chain regardless of IncludeCertChain setting. + /// + [Fact] + public void DerCertificate_ContainsOnlyLeafCertificate_NoChain() + { + // Arrange - Create a chain with leaf, intermediate, and root + var chain = GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + + // When Command sends a certificate without private key, only the leaf DER is sent + var derBytes = leafCert.GetEncoded(); + + // Act - Parse the DER bytes (simulating what ParseDerCertificate does) + var parser = new Org.BouncyCastle.X509.X509CertificateParser(); + var parsedCert = parser.ReadCertificate(derBytes); + + // Assert - DER format can only contain a single certificate + // This is why IncludeCertChain=true cannot work when certificate has no private key + Assert.NotNull(parsedCert); + Assert.Equal(leafCert.SubjectDN.ToString(), parsedCert.SubjectDN.ToString()); + + // DER is single certificate - no way to include chain + // When IncludeCertChain=true but cert has no private key: + // - Command sends DER format (leaf only) + // - Chain information is NOT available + // - A warning is logged by ParseDerCertificate + } + + /// + /// Verifies that PKCS12 format CAN include the certificate chain, + /// demonstrating the difference from DER format. + /// + [Fact] + public void Pkcs12Certificate_CanIncludeCertificateChain() + { + // Arrange - Create a chain with leaf, intermediate, and root + var chain = GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0]; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + + // Create PKCS12 with full chain (requires private key) + var pkcs12Bytes = GeneratePkcs12( + leafCert.Certificate, + leafCert.KeyPair, + "password", + "alias", + new[] { intermediateCert, rootCert }); + + // Act - Parse PKCS12 + var store = new Org.BouncyCastle.Pkcs.Pkcs12StoreBuilder().Build(); + using var ms = new System.IO.MemoryStream(pkcs12Bytes); + store.Load(ms, "password".ToCharArray()); + + // Find the alias with the key entry + var alias = store.Aliases.First(a => store.IsKeyEntry(a)); + var certChain = store.GetCertificateChain(alias); + + // Assert - PKCS12 CAN include the full chain + Assert.NotNull(certChain); + Assert.Equal(3, certChain.Length); // leaf + intermediate + root + + // This is why IncludeCertChain=true works with PKCS12 (private key required) + // but NOT with DER format (no private key) + } + + #endregion +} diff --git a/kubernetes-orchestrator-extension.Tests/K8SCertStoreTests.cs b/kubernetes-orchestrator-extension.Tests/K8SCertStoreTests.cs new file mode 100644 index 00000000..7f0f77f9 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/K8SCertStoreTests.cs @@ -0,0 +1,421 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System; +using System.Collections.Generic; +using System.Linq; +using k8s.Models; +using Keyfactor.Extensions.Orchestrator.K8S.Clients; +using Keyfactor.Orchestrators.K8S.Tests.Helpers; +using Moq; +using Xunit; +using static Keyfactor.Orchestrators.K8S.Tests.Helpers.CertificateTestHelper; + +namespace Keyfactor.Orchestrators.K8S.Tests; + +/// +/// Unit tests for K8SCert store type operations. +/// K8SCert is READ-ONLY - only Inventory and Discovery are supported. +/// No Management (Add/Remove) or Reenrollment operations. +/// Tests focus on CertificateSigningRequest handling. +/// +public class K8SCertStoreTests +{ + #region CSR Helper Methods + + private V1CertificateSigningRequest CreateTestCsr( + string name, + string status = "Approved", + bool includeCertificate = true, + KeyType keyType = KeyType.Rsa2048) + { + var certInfo = CertificateTestHelper.GenerateCertificate(keyType, $"CSR {name}"); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var certBytes = System.Text.Encoding.UTF8.GetBytes(certPem); + + var csr = new V1CertificateSigningRequest + { + Metadata = new V1ObjectMeta + { + Name = name, + CreationTimestamp = DateTime.UtcNow + }, + Status = new V1CertificateSigningRequestStatus() + }; + + // Add conditions based on status + if (status == "Approved") + { + csr.Status.Conditions = new List + { + new V1CertificateSigningRequestCondition + { + Type = "Approved", + Status = "True", + Reason = "AutoApproved", + Message = "This CSR was approved by test automation" + } + }; + + if (includeCertificate) + { + csr.Status.Certificate = certBytes; + } + } + else if (status == "Denied") + { + csr.Status.Conditions = new List + { + new V1CertificateSigningRequestCondition + { + Type = "Denied", + Status = "True", + Reason = "PolicyViolation", + Message = "CSR denied by policy" + } + }; + } + else if (status == "Pending") + { + // No conditions means pending + csr.Status.Conditions = null; + } + + return csr; + } + + #endregion + + #region CSR Status Tests + + [Fact] + public void CertificateSigningRequest_ApprovedWithCertificate_HasValidStatus() + { + // Arrange + var csr = CreateTestCsr("test-approved", status: "Approved", includeCertificate: true); + + // Assert + Assert.NotNull(csr.Status); + Assert.NotNull(csr.Status.Conditions); + Assert.Single(csr.Status.Conditions); + Assert.Equal("Approved", csr.Status.Conditions[0].Type); + Assert.NotNull(csr.Status.Certificate); + Assert.NotEmpty(csr.Status.Certificate); + } + + [Fact] + public void CertificateSigningRequest_Pending_HasNoConditions() + { + // Arrange + var csr = CreateTestCsr("test-pending", status: "Pending", includeCertificate: false); + + // Assert + Assert.NotNull(csr.Status); + Assert.Null(csr.Status.Conditions); + Assert.Null(csr.Status.Certificate); + } + + [Fact] + public void CertificateSigningRequest_Denied_HasDeniedCondition() + { + // Arrange + var csr = CreateTestCsr("test-denied", status: "Denied", includeCertificate: false); + + // Assert + Assert.NotNull(csr.Status); + Assert.NotNull(csr.Status.Conditions); + Assert.Single(csr.Status.Conditions); + Assert.Equal("Denied", csr.Status.Conditions[0].Type); + Assert.Null(csr.Status.Certificate); + } + + [Fact] + public void CertificateSigningRequest_ApprovedWithoutCertificate_IsIncomplete() + { + // Arrange - CSR approved but certificate not yet issued + var csr = CreateTestCsr("test-approved-no-cert", status: "Approved", includeCertificate: false); + + // Assert + Assert.NotNull(csr.Status); + Assert.NotNull(csr.Status.Conditions); + Assert.Equal("Approved", csr.Status.Conditions[0].Type); + Assert.Null(csr.Status.Certificate); // Certificate not yet issued + } + + #endregion + + #region CSR Certificate Parsing Tests + + [Fact] + public void CertificateSigningRequest_WithValidCertificate_CanBeParsed() + { + // Arrange + var csr = CreateTestCsr("test-parse", status: "Approved", includeCertificate: true, keyType: KeyType.Rsa2048); + + // Act + var certBytes = csr.Status.Certificate; + var certPem = System.Text.Encoding.UTF8.GetString(certBytes); + + // Assert + Assert.NotNull(certPem); + Assert.Contains("-----BEGIN CERTIFICATE-----", certPem); + Assert.Contains("-----END CERTIFICATE-----", certPem); + } + + [Theory] + [InlineData(KeyType.Rsa1024)] + [InlineData(KeyType.Rsa2048)] + [InlineData(KeyType.Rsa4096)] + [InlineData(KeyType.Rsa8192)] + [InlineData(KeyType.EcP256)] + [InlineData(KeyType.EcP384)] + [InlineData(KeyType.EcP521)] + [InlineData(KeyType.Dsa1024)] + [InlineData(KeyType.Dsa2048)] + [InlineData(KeyType.Ed25519)] + [InlineData(KeyType.Ed448)] + public void CertificateSigningRequest_VariousKeyTypes_CanBeCreated(KeyType keyType) + { + // Arrange & Act + var csr = CreateTestCsr($"test-{keyType}", status: "Approved", includeCertificate: true, keyType: keyType); + + // Assert + Assert.NotNull(csr); + Assert.NotNull(csr.Status.Certificate); + var certPem = System.Text.Encoding.UTF8.GetString(csr.Status.Certificate); + Assert.Contains("-----BEGIN CERTIFICATE-----", certPem); + } + + #endregion + + #region CSR Collection Tests + + [Fact] + public void CertificateSigningRequests_MultipleCSRs_CanBeEnumerated() + { + // Arrange + var csrs = new List + { + CreateTestCsr("csr-1", "Approved", true), + CreateTestCsr("csr-2", "Pending", false), + CreateTestCsr("csr-3", "Denied", false), + CreateTestCsr("csr-4", "Approved", true) + }; + + // Act + var approvedCount = csrs.Count(c => + c.Status.Conditions?.Any(cond => cond.Type == "Approved") == true); + var pendingCount = csrs.Count(c => + c.Status.Conditions == null || c.Status.Conditions.Count == 0); + var deniedCount = csrs.Count(c => + c.Status.Conditions?.Any(cond => cond.Type == "Denied") == true); + var withCertificates = csrs.Count(c => c.Status.Certificate != null); + + // Assert + Assert.Equal(4, csrs.Count); + Assert.Equal(2, approvedCount); + Assert.Equal(1, pendingCount); + Assert.Equal(1, deniedCount); + Assert.Equal(2, withCertificates); + } + + #endregion + + #region Edge Case Tests + + [Fact] + public void CertificateSigningRequest_NullStatus_HandledGracefully() + { + // Arrange + var csr = new V1CertificateSigningRequest + { + Metadata = new V1ObjectMeta { Name = "test-null-status" }, + Status = null + }; + + // Assert + Assert.NotNull(csr); + Assert.Null(csr.Status); + } + + [Fact] + public void CertificateSigningRequest_EmptyConditions_TreatedAsPending() + { + // Arrange + var csr = new V1CertificateSigningRequest + { + Metadata = new V1ObjectMeta { Name = "test-empty-conditions" }, + Status = new V1CertificateSigningRequestStatus + { + Conditions = new List() + } + }; + + // Assert + Assert.NotNull(csr.Status); + Assert.NotNull(csr.Status.Conditions); + Assert.Empty(csr.Status.Conditions); + } + + [Fact] + public void CertificateSigningRequest_MultipleConditions_LatestTakesPrecedence() + { + // Arrange - CSR that was pending, then approved + var csr = new V1CertificateSigningRequest + { + Metadata = new V1ObjectMeta { Name = "test-multi-conditions" }, + Status = new V1CertificateSigningRequestStatus + { + Conditions = new List + { + new V1CertificateSigningRequestCondition + { + Type = "Approved", + Status = "True", + LastUpdateTime = DateTime.UtcNow + }, + new V1CertificateSigningRequestCondition + { + Type = "Failed", + Status = "False", + LastUpdateTime = DateTime.UtcNow.AddMinutes(-5) + } + } + } + }; + + // Assert + Assert.Equal(2, csr.Status.Conditions.Count); + // The first condition in the list should be the most recent (Approved) + Assert.Equal("Approved", csr.Status.Conditions[0].Type); + } + + #endregion + + #region Metadata Tests + + [Fact] + public void CertificateSigningRequest_Metadata_ContainsRequiredFields() + { + // Arrange + var csr = CreateTestCsr("test-metadata", "Approved", true); + + // Assert + Assert.NotNull(csr.Metadata); + Assert.Equal("test-metadata", csr.Metadata.Name); + Assert.NotNull(csr.Metadata.CreationTimestamp); + } + + #endregion + + #region Inventory Mode Detection Tests + + [Theory] + [InlineData(null, true)] // null = cluster-wide mode + [InlineData("", true)] // empty = cluster-wide mode + [InlineData(" ", true)] // whitespace = cluster-wide mode + [InlineData("*", true)] // wildcard = cluster-wide mode + [InlineData("my-csr", false)] // specific name = single mode + [InlineData("test-csr-123", false)] + public void InventoryMode_DeterminesCorrectMode(string kubeSecretName, bool expectedClusterWide) + { + // Act + var isClusterWideMode = string.IsNullOrWhiteSpace(kubeSecretName) || kubeSecretName == "*"; + + // Assert + Assert.Equal(expectedClusterWide, isClusterWideMode); + } + + #endregion + + #region Cluster-Wide Inventory Tests + + [Fact] + public void ClusterWideMode_OnlyReturnsIssuedCertificates() + { + // Arrange - Simulate a cluster with mixed CSRs + var csrs = new List + { + CreateTestCsr("approved-1", "Approved", includeCertificate: true), + CreateTestCsr("approved-2", "Approved", includeCertificate: true), + CreateTestCsr("pending-1", "Pending", includeCertificate: false), + CreateTestCsr("denied-1", "Denied", includeCertificate: false), + CreateTestCsr("approved-no-cert", "Approved", includeCertificate: false) // Approved but cert not yet issued + }; + + // Act - Filter to only those with certificates (what ListAllCertificateSigningRequests does) + var issuedCerts = csrs + .Where(c => c.Status?.Certificate != null && c.Status.Certificate.Length > 0) + .ToDictionary(c => c.Metadata.Name, c => System.Text.Encoding.UTF8.GetString(c.Status.Certificate)); + + // Assert + Assert.Equal(2, issuedCerts.Count); + Assert.Contains("approved-1", issuedCerts.Keys); + Assert.Contains("approved-2", issuedCerts.Keys); + Assert.DoesNotContain("pending-1", issuedCerts.Keys); + Assert.DoesNotContain("denied-1", issuedCerts.Keys); + Assert.DoesNotContain("approved-no-cert", issuedCerts.Keys); + } + + [Fact] + public void ClusterWideMode_UsesCsrNameAsAlias() + { + // Arrange + var csrs = new List + { + CreateTestCsr("my-custom-csr-name", "Approved", includeCertificate: true), + CreateTestCsr("another-csr", "Approved", includeCertificate: true) + }; + + // Act - CSR name should be used as the dictionary key (alias) + var issuedCerts = csrs + .Where(c => c.Status?.Certificate != null && c.Status.Certificate.Length > 0) + .ToDictionary(c => c.Metadata.Name, c => System.Text.Encoding.UTF8.GetString(c.Status.Certificate)); + + // Assert + Assert.Equal(2, issuedCerts.Count); + Assert.True(issuedCerts.ContainsKey("my-custom-csr-name")); + Assert.True(issuedCerts.ContainsKey("another-csr")); + } + + [Fact] + public void ClusterWideMode_EmptyCluster_ReturnsEmptyDictionary() + { + // Arrange - Empty cluster + var csrs = new List(); + + // Act + var issuedCerts = csrs + .Where(c => c.Status?.Certificate != null && c.Status.Certificate.Length > 0) + .ToDictionary(c => c.Metadata.Name, c => System.Text.Encoding.UTF8.GetString(c.Status.Certificate)); + + // Assert + Assert.Empty(issuedCerts); + } + + [Fact] + public void ClusterWideMode_AllPending_ReturnsEmptyDictionary() + { + // Arrange - All CSRs are pending + var csrs = new List + { + CreateTestCsr("pending-1", "Pending", includeCertificate: false), + CreateTestCsr("pending-2", "Pending", includeCertificate: false), + CreateTestCsr("pending-3", "Pending", includeCertificate: false) + }; + + // Act + var issuedCerts = csrs + .Where(c => c.Status?.Certificate != null && c.Status.Certificate.Length > 0) + .ToDictionary(c => c.Metadata.Name, c => System.Text.Encoding.UTF8.GetString(c.Status.Certificate)); + + // Assert + Assert.Empty(issuedCerts); + } + + #endregion +} diff --git a/kubernetes-orchestrator-extension.Tests/K8SClusterStoreTests.cs b/kubernetes-orchestrator-extension.Tests/K8SClusterStoreTests.cs new file mode 100644 index 00000000..4288da0c --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/K8SClusterStoreTests.cs @@ -0,0 +1,1237 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System; +using System.Collections.Generic; +using System.Text; +using k8s.Models; +using Keyfactor.Orchestrators.K8S.Tests.Helpers; +using Xunit; +using static Keyfactor.Orchestrators.K8S.Tests.Helpers.CertificateTestHelper; + +namespace Keyfactor.Orchestrators.K8S.Tests; + +/// +/// Unit tests for K8SCluster store type operations. +/// K8SCluster manages ALL secrets across ALL namespaces in a cluster. +/// A single K8SCluster store represents the entire cluster. +/// Tests focus on multi-namespace operations, collection handling, and discovery. +/// +public class K8SClusterStoreTests +{ + #region Cluster Scope Tests + + [Fact] + public void ClusterStore_RepresentsAllNamespaces_NotSingleNamespace() + { + // K8SCluster operates on all namespaces, unlike K8SNS which operates on single namespace + // The StorePath for K8SCluster is typically "cluster" or similar generic value + var storePath = "cluster"; + + Assert.NotNull(storePath); + Assert.DoesNotContain("/", storePath); // Not a namespace/secret path + } + + [Fact] + public void ClusterStore_CanContainMultipleSecretTypes_InDifferentNamespaces() + { + // A cluster can contain Opaque, TLS, JKS, and PKCS12 secrets across different namespaces + var secrets = new List + { + new V1Secret + { + Metadata = new V1ObjectMeta { Name = "opaque-secret", NamespaceProperty = "namespace1" }, + Type = "Opaque" + }, + new V1Secret + { + Metadata = new V1ObjectMeta { Name = "tls-secret", NamespaceProperty = "namespace2" }, + Type = "kubernetes.io/tls" + }, + new V1Secret + { + Metadata = new V1ObjectMeta { Name = "jks-secret", NamespaceProperty = "namespace3" }, + Type = "Opaque" + } + }; + + // Assert - All belong to different namespaces + Assert.Equal(3, secrets.Count); + Assert.Equal("namespace1", secrets[0].Metadata.NamespaceProperty); + Assert.Equal("namespace2", secrets[1].Metadata.NamespaceProperty); + Assert.Equal("namespace3", secrets[2].Metadata.NamespaceProperty); + } + + #endregion + + #region Secret Collection Tests + + [Fact] + public void SecretList_MultipleNamespaces_CanBeGrouped() + { + // Arrange + var secrets = new List + { + new V1Secret + { + Metadata = new V1ObjectMeta { Name = "secret1", NamespaceProperty = "default" }, + Type = "Opaque" + }, + new V1Secret + { + Metadata = new V1ObjectMeta { Name = "secret2", NamespaceProperty = "default" }, + Type = "kubernetes.io/tls" + }, + new V1Secret + { + Metadata = new V1ObjectMeta { Name = "secret3", NamespaceProperty = "kube-system" }, + Type = "Opaque" + } + }; + + // Act - Group by namespace + var groupedByNamespace = new Dictionary>(); + foreach (var secret in secrets) + { + var ns = secret.Metadata.NamespaceProperty; + if (!groupedByNamespace.ContainsKey(ns)) + { + groupedByNamespace[ns] = new List(); + } + groupedByNamespace[ns].Add(secret); + } + + // Assert + Assert.Equal(2, groupedByNamespace.Count); // 2 namespaces + Assert.Equal(2, groupedByNamespace["default"].Count); + Assert.Single(groupedByNamespace["kube-system"]); + } + + [Fact] + public void SecretList_FilterByType_ReturnsOnlyMatchingSecrets() + { + // Arrange + var secrets = new List + { + new V1Secret { Metadata = new V1ObjectMeta { Name = "opaque1" }, Type = "Opaque" }, + new V1Secret { Metadata = new V1ObjectMeta { Name = "tls1" }, Type = "kubernetes.io/tls" }, + new V1Secret { Metadata = new V1ObjectMeta { Name = "opaque2" }, Type = "Opaque" }, + new V1Secret { Metadata = new V1ObjectMeta { Name = "tls2" }, Type = "kubernetes.io/tls" } + }; + + // Act - Filter for TLS secrets + var tlsSecrets = secrets.FindAll(s => s.Type == "kubernetes.io/tls"); + + // Assert + Assert.Equal(2, tlsSecrets.Count); + Assert.All(tlsSecrets, s => Assert.Equal("kubernetes.io/tls", s.Type)); + } + + #endregion + + #region Discovery Tests + + [Fact] + public void Discovery_EmptyCluster_ReturnsEmptyList() + { + // An empty cluster with no secrets should return empty discovery results + var secrets = new List(); + + Assert.Empty(secrets); + } + + [Fact] + public void Discovery_MultipleSecrets_ReturnsAllSecrets() + { + // Arrange + var secrets = new List + { + new V1Secret { Metadata = new V1ObjectMeta { Name = "s1", NamespaceProperty = "ns1" } }, + new V1Secret { Metadata = new V1ObjectMeta { Name = "s2", NamespaceProperty = "ns2" } }, + new V1Secret { Metadata = new V1ObjectMeta { Name = "s3", NamespaceProperty = "ns3" } } + }; + + // Assert + Assert.Equal(3, secrets.Count); + } + + #endregion + + #region Namespace Filtering Tests + + [Fact] + public void NamespaceFilter_ExcludeSystemNamespaces_FilterCorrectly() + { + // Common pattern: exclude system namespaces like kube-system, kube-public, kube-node-lease + var secrets = new List + { + new V1Secret { Metadata = new V1ObjectMeta { Name = "s1", NamespaceProperty = "default" } }, + new V1Secret { Metadata = new V1ObjectMeta { Name = "s2", NamespaceProperty = "kube-system" } }, + new V1Secret { Metadata = new V1ObjectMeta { Name = "s3", NamespaceProperty = "my-app" } }, + new V1Secret { Metadata = new V1ObjectMeta { Name = "s4", NamespaceProperty = "kube-public" } } + }; + + // Act - Filter out system namespaces + var systemNamespaces = new[] { "kube-system", "kube-public", "kube-node-lease" }; + var filtered = secrets.FindAll(s => !Array.Exists(systemNamespaces, ns => ns == s.Metadata.NamespaceProperty)); + + // Assert + Assert.Equal(2, filtered.Count); + Assert.Contains(filtered, s => s.Metadata.NamespaceProperty == "default"); + Assert.Contains(filtered, s => s.Metadata.NamespaceProperty == "my-app"); + } + + [Fact] + public void NamespaceFilter_IncludeOnlySpecificNamespaces_FilterCorrectly() + { + // Pattern: only include secrets from specific namespaces + var secrets = new List + { + new V1Secret { Metadata = new V1ObjectMeta { Name = "s1", NamespaceProperty = "production" } }, + new V1Secret { Metadata = new V1ObjectMeta { Name = "s2", NamespaceProperty = "staging" } }, + new V1Secret { Metadata = new V1ObjectMeta { Name = "s3", NamespaceProperty = "development" } } + }; + + // Act - Only include production and staging + var includedNamespaces = new[] { "production", "staging" }; + var filtered = secrets.FindAll(s => Array.Exists(includedNamespaces, ns => ns == s.Metadata.NamespaceProperty)); + + // Assert + Assert.Equal(2, filtered.Count); + Assert.DoesNotContain(filtered, s => s.Metadata.NamespaceProperty == "development"); + } + + #endregion + + #region Certificate Data Tests + + [Fact] + public void ClusterSecret_WithPemCertificate_CanBeRead() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Cluster Test"); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = "cluster-cert", + NamespaceProperty = "production" + }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) } + } + }; + + // Assert + Assert.NotNull(secret.Data); + Assert.True(secret.Data.ContainsKey("tls.crt")); + var retrievedPem = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + Assert.Contains("-----BEGIN CERTIFICATE-----", retrievedPem); + } + + [Fact] + public void ClusterSecret_MultipleSecretsWithCertificates_CanBeEnumerated() + { + // Arrange - Create secrets with certificates across multiple namespaces + var secrets = new List(); + for (int i = 0; i < 5; i++) + { + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, $"Cert {i}"); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + secrets.Add(new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = $"secret-{i}", + NamespaceProperty = $"namespace-{i}" + }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) } + } + }); + } + + // Assert + Assert.Equal(5, secrets.Count); + Assert.All(secrets, s => Assert.True(s.Data.ContainsKey("tls.crt"))); + } + + #endregion + + #region Permission Tests (Conceptual) + + [Fact] + public void ClusterStore_RequiresClusterWidePermissions_NotNamespaceScoped() + { + // K8SCluster requires cluster-wide RBAC permissions + // Unlike K8SNS which only needs namespace-scoped permissions + // This is a conceptual test - permissions are validated by Kubernetes at runtime + var requiredPermissions = new[] + { + "secrets.list (cluster-wide)", + "secrets.get (cluster-wide)", + "secrets.create (cluster-wide)", + "secrets.update (cluster-wide)", + "secrets.delete (cluster-wide)" + }; + + Assert.Equal(5, requiredPermissions.Length); + Assert.Contains("cluster-wide", requiredPermissions[0]); + } + + #endregion + + #region Edge Cases + + [Fact] + public void ClusterStore_NamespaceWithNoSecrets_ReturnsEmpty() + { + // A namespace might exist but contain no secrets + var namespaceName = "empty-namespace"; + var secrets = new List(); // Empty list for this namespace + + Assert.Empty(secrets); + } + + [Fact] + public void ClusterStore_LargeNumberOfSecrets_CanBeHandled() + { + // Test handling of large number of secrets across cluster + var secrets = new List(); + for (int i = 0; i < 100; i++) + { + secrets.Add(new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = $"secret-{i}", + NamespaceProperty = $"namespace-{i % 10}" // 10 namespaces + } + }); + } + + // Assert + Assert.Equal(100, secrets.Count); + + // Verify distribution across namespaces + var byNamespace = new Dictionary(); + foreach (var secret in secrets) + { + var ns = secret.Metadata.NamespaceProperty; + if (!byNamespace.ContainsKey(ns)) + { + byNamespace[ns] = 0; + } + byNamespace[ns]++; + } + + Assert.Equal(10, byNamespace.Count); // 10 unique namespaces + Assert.All(byNamespace.Values, count => Assert.Equal(10, count)); // 10 secrets per namespace + } + + #endregion + + #region TLS Secret Operations via Cluster Store + + [Fact] + public void ClusterTlsSecret_WithCertAndKey_HasCorrectStructure() + { + // K8SCluster can manage TLS secrets across the cluster + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Cluster TLS Test"); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = "cluster-tls-secret", + NamespaceProperty = "production" + }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert + Assert.Equal("kubernetes.io/tls", secret.Type); + Assert.Equal(2, secret.Data.Count); + Assert.True(secret.Data.ContainsKey("tls.crt")); + Assert.True(secret.Data.ContainsKey("tls.key")); + } + + [Fact] + public void ClusterTlsSecret_WithCertificateChain_CanStoreSeparateCaField() + { + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var intermediateCert = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootCert = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = "cluster-tls-with-chain", + NamespaceProperty = "production" + }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafCert) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) }, + { "ca.crt", Encoding.UTF8.GetBytes(intermediateCert + rootCert) } + } + }; + + // Assert + Assert.Equal(3, secret.Data.Count); + Assert.True(secret.Data.ContainsKey("ca.crt")); + var caCerts = Encoding.UTF8.GetString(secret.Data["ca.crt"]); + Assert.Contains("-----BEGIN CERTIFICATE-----", caCerts); + } + + [Fact] + public void ClusterTlsSecret_StrictFieldNames_OnlyTlsCrtAndTlsKey() + { + // TLS secrets managed via K8SCluster still enforce strict field names + var certInfo = CertificateTestHelper.GenerateCertificate(); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "strict-fields", NamespaceProperty = "default" }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert - Must have exactly tls.crt and tls.key + Assert.True(secret.Data.ContainsKey("tls.crt")); + Assert.True(secret.Data.ContainsKey("tls.key")); + Assert.False(secret.Data.ContainsKey("cert")); // Not allowed for TLS + Assert.False(secret.Data.ContainsKey("certificate")); // Not allowed for TLS + } + + [Fact] + public void ClusterTlsSecret_Type_MustBeKubernetesIoTls() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "tls-type", NamespaceProperty = "staging" }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert + Assert.Equal("kubernetes.io/tls", secret.Type); + Assert.NotEqual("Opaque", secret.Type); + } + + [Fact] + public void ClusterTlsSecret_WithBundledChain_AllCertsInTlsCrt() + { + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafPem = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var intermediatePem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootPem = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + var bundledChain = leafPem + intermediatePem + rootPem; + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "bundled-tls", NamespaceProperty = "production" }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(bundledChain) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert + Assert.Equal(2, secret.Data.Count); + Assert.False(secret.Data.ContainsKey("ca.crt")); + + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = tlsCrtData.Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(3, certCount); + } + + [Fact] + public void ClusterTlsSecret_SeparateChainVsBundled_DifferentStructures() + { + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafPem = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var intermediatePem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootPem = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // Separate chain + var separateChainSecret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "separate", NamespaceProperty = "ns1" }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) }, + { "ca.crt", Encoding.UTF8.GetBytes(intermediatePem + rootPem) } + } + }; + + // Bundled chain + var bundledChainSecret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "bundled", NamespaceProperty = "ns2" }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem + intermediatePem + rootPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert - Separate chain has 3 fields + Assert.Equal(3, separateChainSecret.Data.Count); + Assert.True(separateChainSecret.Data.ContainsKey("ca.crt")); + + // Assert - Bundled chain has 2 fields + Assert.Equal(2, bundledChainSecret.Data.Count); + Assert.False(bundledChainSecret.Data.ContainsKey("ca.crt")); + } + + [Fact] + public void ClusterTlsSecret_NativeKubernetesFormat_Compatible() + { + // TLS secrets created via K8SCluster should be compatible with K8S Ingress + var certInfo = CertificateTestHelper.GenerateCertificate(); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = "ingress-compatible-tls", + NamespaceProperty = "ingress-namespace" + }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert - Matches native K8S TLS secret format + Assert.Equal("kubernetes.io/tls", secret.Type); + Assert.Equal(2, secret.Data.Count); + Assert.True(secret.Data.ContainsKey("tls.crt")); + Assert.True(secret.Data.ContainsKey("tls.key")); + } + + [Fact] + public void ClusterTlsSecret_MissingRequiredFields_Invalid() + { + // TLS secrets require both tls.crt and tls.key + var certInfo = CertificateTestHelper.GenerateCertificate(); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "missing-key", NamespaceProperty = "default" }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) } + // Missing tls.key + } + }; + + Assert.True(secret.Data.ContainsKey("tls.crt")); + Assert.False(secret.Data.ContainsKey("tls.key")); // Missing required field + } + + #endregion + + #region Opaque Secret Operations via Cluster Store + + [Fact] + public void ClusterOpaqueSecret_WithPemCertAndKey_HasCorrectStructure() + { + // K8SCluster can manage Opaque secrets across the cluster + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Cluster Opaque Test"); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = "cluster-opaque-secret", + NamespaceProperty = "production" + }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + Assert.Equal("Opaque", secret.Type); + Assert.Equal(2, secret.Data.Count); + Assert.True(secret.Data.ContainsKey("tls.crt")); + Assert.True(secret.Data.ContainsKey("tls.key")); + } + + [Fact] + public void ClusterOpaqueSecret_WithCertificateChain_CanStoreSeparateCaField() + { + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var intermediateCert = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootCert = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = "cluster-opaque-with-chain", + NamespaceProperty = "staging" + }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafCert) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) }, + { "ca.crt", Encoding.UTF8.GetBytes(intermediateCert + rootCert) } + } + }; + + Assert.Equal(3, secret.Data.Count); + Assert.True(secret.Data.ContainsKey("ca.crt")); + } + + [Theory] + [InlineData("tls.crt")] + [InlineData("cert")] + [InlineData("certificate")] + [InlineData("crt")] + public void ClusterOpaqueSecret_FlexibleFieldNames_SupportedVariations(string certFieldName) + { + // K8SCluster managing Opaque secrets supports flexible field names + var certInfo = CertificateTestHelper.GenerateCertificate(); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "flexible-fields", NamespaceProperty = "default" }, + Type = "Opaque", + Data = new Dictionary + { + { certFieldName, Encoding.UTF8.GetBytes(certPem) } + } + }; + + Assert.True(secret.Data.ContainsKey(certFieldName)); + } + + [Fact] + public void ClusterOpaqueSecret_WithBundledChain_AllCertsInTlsCrt() + { + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafPem = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var intermediatePem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootPem = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + var bundledChain = leafPem + intermediatePem + rootPem; + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "bundled-opaque", NamespaceProperty = "production" }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(bundledChain) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + Assert.Equal(2, secret.Data.Count); + Assert.False(secret.Data.ContainsKey("ca.crt")); + + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = tlsCrtData.Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(3, certCount); + } + + [Fact] + public void ClusterOpaqueSecret_SeparateChainVsBundled_DifferentStructures() + { + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafPem = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var intermediatePem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootPem = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + var separateChainSecret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "separate-opaque", NamespaceProperty = "ns1" }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) }, + { "ca.crt", Encoding.UTF8.GetBytes(intermediatePem + rootPem) } + } + }; + + var bundledChainSecret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "bundled-opaque", NamespaceProperty = "ns2" }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem + intermediatePem + rootPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + Assert.Equal(3, separateChainSecret.Data.Count); + Assert.True(separateChainSecret.Data.ContainsKey("ca.crt")); + + Assert.Equal(2, bundledChainSecret.Data.Count); + Assert.False(bundledChainSecret.Data.ContainsKey("ca.crt")); + } + + [Fact] + public void ClusterOpaqueSecret_OnlyCertificateNoKey_ValidStructure() + { + // Some Opaque secrets may only contain certificates without private keys + var certInfo = CertificateTestHelper.GenerateCertificate(); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "cert-only", NamespaceProperty = "production" }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) } + } + }; + + Assert.Single(secret.Data); + Assert.False(secret.Data.ContainsKey("tls.key")); + } + + #endregion + + #region Key Type Coverage via Cluster Store + + [Theory] + [InlineData(KeyType.Rsa1024)] + [InlineData(KeyType.Rsa2048)] + [InlineData(KeyType.Rsa4096)] + [InlineData(KeyType.Rsa8192)] + public void ClusterSecret_RsaKeyTypes_ValidPemFormat(KeyType keyType) + { + // K8SCluster can manage secrets with various RSA key sizes + var certInfo = CertificateTestHelper.GenerateCertificate(keyType, $"RSA {keyType}"); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = $"rsa-{keyType}", NamespaceProperty = "production" }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + Assert.Contains("-----BEGIN CERTIFICATE-----", certPem); + Assert.Contains("-----BEGIN PRIVATE KEY-----", keyPem); + } + + [Theory] + [InlineData(KeyType.EcP256)] + [InlineData(KeyType.EcP384)] + [InlineData(KeyType.EcP521)] + public void ClusterSecret_EcKeyTypes_ValidPemFormat(KeyType keyType) + { + // K8SCluster can manage secrets with various EC curves + var certInfo = CertificateTestHelper.GenerateCertificate(keyType, $"EC {keyType}"); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = $"ec-{keyType}", NamespaceProperty = "production" }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + Assert.Contains("-----BEGIN CERTIFICATE-----", certPem); + Assert.Contains("-----BEGIN PRIVATE KEY-----", keyPem); + } + + [Theory] + [InlineData(KeyType.Ed25519)] + [InlineData(KeyType.Ed448)] + public void ClusterSecret_EdwardsKeyTypes_ValidPemFormat(KeyType keyType) + { + // K8SCluster can manage secrets with Edwards curve keys + var certInfo = CertificateTestHelper.GenerateCertificate(keyType, $"Edwards {keyType}"); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = $"edwards-{keyType}", NamespaceProperty = "production" }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + Assert.Contains("-----BEGIN CERTIFICATE-----", certPem); + Assert.Contains("-----BEGIN PRIVATE KEY-----", keyPem); + } + + #endregion + + #region Cross-Type Cluster Operations + + [Fact] + public void ClusterStore_MixedSecretTypes_SameNamespace_CanCoexist() + { + // Both TLS and Opaque secrets can coexist in the same namespace + var certInfo = CertificateTestHelper.GenerateCertificate(); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + + var tlsSecret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "tls-secret", NamespaceProperty = "production" }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + var opaqueSecret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "opaque-secret", NamespaceProperty = "production" }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Both in same namespace + Assert.Equal(tlsSecret.Metadata.NamespaceProperty, opaqueSecret.Metadata.NamespaceProperty); + // Different types + Assert.NotEqual(tlsSecret.Type, opaqueSecret.Type); + // Different names + Assert.NotEqual(tlsSecret.Metadata.Name, opaqueSecret.Metadata.Name); + } + + [Fact] + public void ClusterStore_SameSecretName_DifferentNamespaces_AreIndependent() + { + // Same secret name can exist in different namespaces independently + var certInfo = CertificateTestHelper.GenerateCertificate(); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + var secretInProd = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "my-cert", NamespaceProperty = "production" }, + Type = "kubernetes.io/tls", + Data = new Dictionary { { "tls.crt", Encoding.UTF8.GetBytes(certPem) } } + }; + + var secretInStaging = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "my-cert", NamespaceProperty = "staging" }, + Type = "kubernetes.io/tls", + Data = new Dictionary { { "tls.crt", Encoding.UTF8.GetBytes(certPem) } } + }; + + // Same name + Assert.Equal(secretInProd.Metadata.Name, secretInStaging.Metadata.Name); + // Different namespaces + Assert.NotEqual(secretInProd.Metadata.NamespaceProperty, secretInStaging.Metadata.NamespaceProperty); + } + + [Fact] + public void ClusterStore_FilterTlsSecrets_ReturnsOnlyTlsType() + { + // Arrange + var secrets = new List + { + new V1Secret { Metadata = new V1ObjectMeta { Name = "tls1", NamespaceProperty = "ns1" }, Type = "kubernetes.io/tls" }, + new V1Secret { Metadata = new V1ObjectMeta { Name = "opaque1", NamespaceProperty = "ns1" }, Type = "Opaque" }, + new V1Secret { Metadata = new V1ObjectMeta { Name = "tls2", NamespaceProperty = "ns2" }, Type = "kubernetes.io/tls" }, + new V1Secret { Metadata = new V1ObjectMeta { Name = "opaque2", NamespaceProperty = "ns2" }, Type = "Opaque" } + }; + + // Act + var tlsSecrets = secrets.FindAll(s => s.Type == "kubernetes.io/tls"); + + // Assert + Assert.Equal(2, tlsSecrets.Count); + Assert.All(tlsSecrets, s => Assert.Equal("kubernetes.io/tls", s.Type)); + } + + [Fact] + public void ClusterStore_FilterOpaqueSecrets_ReturnsOnlyOpaqueType() + { + // Arrange + var secrets = new List + { + new V1Secret { Metadata = new V1ObjectMeta { Name = "tls1", NamespaceProperty = "ns1" }, Type = "kubernetes.io/tls" }, + new V1Secret { Metadata = new V1ObjectMeta { Name = "opaque1", NamespaceProperty = "ns1" }, Type = "Opaque" }, + new V1Secret { Metadata = new V1ObjectMeta { Name = "tls2", NamespaceProperty = "ns2" }, Type = "kubernetes.io/tls" }, + new V1Secret { Metadata = new V1ObjectMeta { Name = "opaque2", NamespaceProperty = "ns2" }, Type = "Opaque" } + }; + + // Act + var opaqueSecrets = secrets.FindAll(s => s.Type == "Opaque"); + + // Assert + Assert.Equal(2, opaqueSecrets.Count); + Assert.All(opaqueSecrets, s => Assert.Equal("Opaque", s.Type)); + } + + #endregion + + #region Encoding and Conversion Tests + + [Fact] + public void ClusterSecret_Utf8Encoding_RoundTripSuccessful() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var originalPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + // Act - Encode to bytes and decode back + var bytes = Encoding.UTF8.GetBytes(originalPem); + var decodedPem = Encoding.UTF8.GetString(bytes); + + // Assert + Assert.Equal(originalPem, decodedPem); + } + + [Fact] + public void ClusterSecret_DerToPemConversion_ValidFormat() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048); + var derBytes = certInfo.Certificate.GetEncoded(); + + // Act - Parse from DER and convert to PEM + var parser = new Org.BouncyCastle.X509.X509CertificateParser(); + var cert = parser.ReadCertificate(derBytes); + var pemCert = CertificateTestHelper.ConvertCertificateToPem(cert); + + // Assert + Assert.NotNull(pemCert); + Assert.Contains("-----BEGIN CERTIFICATE-----", pemCert); + Assert.Contains("-----END CERTIFICATE-----", pemCert); + } + + [Fact] + public void ClusterSecret_PemWithWhitespace_StillValid() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + // Add extra whitespace + var pemWithWhitespace = "\n" + certPem + "\n\n"; + + // Assert - Should still contain valid markers + Assert.Contains("-----BEGIN CERTIFICATE-----", pemWithWhitespace); + Assert.Contains("-----END CERTIFICATE-----", pemWithWhitespace); + } + + #endregion + + #region IncludeCertChain=false Tests + + [Fact] + public void Management_IncludeCertChainFalse_TlsSecret_OnlyLeafCertStored() + { + // When IncludeCertChain=false is set for K8SCluster TLS secrets, only the leaf certificate + // should be stored, not the intermediate or root certificates. + + // Arrange - Generate a certificate chain (leaf -> intermediate -> root) + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafPem = CertificateTestHelper.ConvertCertificateToPem(leafCert); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // Act - Create TLS secret with ONLY the leaf certificate (simulating IncludeCertChain=false behavior) + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = "cluster-tls-include-cert-chain-false", + NamespaceProperty = "production" + }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert + Assert.Equal("kubernetes.io/tls", secret.Type); + Assert.Equal(2, secret.Data.Count); // Only tls.crt and tls.key, NO ca.crt + + // Verify tls.crt contains ONLY the leaf certificate (1 certificate) + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = tlsCrtData.Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(1, certCount); + + // Verify NO ca.crt field exists + Assert.False(secret.Data.ContainsKey("ca.crt"), + "Cluster TLS secret should NOT contain ca.crt when IncludeCertChain=false"); + + // Verify the stored certificate is the leaf certificate + using var reader = new System.IO.StringReader(tlsCrtData); + var pemReader = new Org.BouncyCastle.OpenSsl.PemReader(reader); + var storedCert = (Org.BouncyCastle.X509.X509Certificate)pemReader.ReadObject(); + Assert.Equal(leafCert.SubjectDN.ToString(), storedCert.SubjectDN.ToString()); + } + + [Fact] + public void Management_IncludeCertChainFalse_OpaqueSecret_OnlyLeafCertStored() + { + // When IncludeCertChain=false is set for K8SCluster Opaque secrets, only the leaf certificate + // should be stored, not the intermediate or root certificates. + + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafPem = CertificateTestHelper.ConvertCertificateToPem(leafCert); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // Act - Create Opaque secret with ONLY the leaf certificate + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = "cluster-opaque-include-cert-chain-false", + NamespaceProperty = "staging" + }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert + Assert.Equal("Opaque", secret.Type); + Assert.Equal(2, secret.Data.Count); + + // Verify tls.crt contains ONLY the leaf certificate + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = tlsCrtData.Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(1, certCount); + + Assert.False(secret.Data.ContainsKey("ca.crt"), + "Cluster Opaque secret should NOT contain ca.crt when IncludeCertChain=false"); + } + + [Fact] + public void IncludeCertChainFalse_VersusTrue_ClusterSecrets_DifferentStructures() + { + // Compare the expected output between IncludeCertChain=true vs IncludeCertChain=false for cluster secrets + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafPem = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var intermediatePem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootPem = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // IncludeCertChain=false: Only leaf certificate + var includeCertChainFalseSecret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "cluster-include-chain-false", NamespaceProperty = "ns1" }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // IncludeCertChain=true (SeparateChain=false): Full chain bundled + var includeCertChainTrueSecret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "cluster-include-chain-true", NamespaceProperty = "ns2" }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem + intermediatePem + rootPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert - IncludeCertChain=false has only 1 certificate + var falseChainCount = Encoding.UTF8.GetString(includeCertChainFalseSecret.Data["tls.crt"]) + .Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(1, falseChainCount); + Assert.False(includeCertChainFalseSecret.Data.ContainsKey("ca.crt")); + + // Assert - IncludeCertChain=true has 3 certificates + var trueChainCount = Encoding.UTF8.GetString(includeCertChainTrueSecret.Data["tls.crt"]) + .Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(3, trueChainCount); + } + + [Fact] + public void IncludeCertChainFalse_MultipleNamespaces_ConsistentBehavior() + { + // Verify IncludeCertChain=false behavior is consistent across multiple namespaces + var namespaces = new[] { "production", "staging", "development" }; + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafPem = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + foreach (var ns in namespaces) + { + var secret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = $"secret-{ns}", NamespaceProperty = ns }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert - Each secret should have only 1 certificate + var certCount = Encoding.UTF8.GetString(secret.Data["tls.crt"]) + .Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(1, certCount); + Assert.False(secret.Data.ContainsKey("ca.crt")); + } + } + + #endregion + + #region Metadata Tests + + [Fact] + public void ClusterSecret_WithLabels_PreservesMetadata() + { + // Arrange + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = "labeled-cluster-secret", + NamespaceProperty = "production", + Labels = new Dictionary + { + { "keyfactor.com/managed", "true" }, + { "keyfactor.com/store-type", "K8SCluster" }, + { "app.kubernetes.io/name", "my-app" } + } + }, + Type = "kubernetes.io/tls" + }; + + // Assert + Assert.NotNull(secret.Metadata.Labels); + Assert.Equal(3, secret.Metadata.Labels.Count); + Assert.Equal("K8SCluster", secret.Metadata.Labels["keyfactor.com/store-type"]); + } + + [Fact] + public void ClusterSecret_WithAnnotations_PreservesMetadata() + { + // Arrange + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = "annotated-cluster-secret", + NamespaceProperty = "staging", + Annotations = new Dictionary + { + { "keyfactor.com/certificate-id", "12345" }, + { "keyfactor.com/last-synced", "2024-01-15T10:30:00Z" } + } + }, + Type = "kubernetes.io/tls" + }; + + // Assert + Assert.NotNull(secret.Metadata.Annotations); + Assert.Equal(2, secret.Metadata.Annotations.Count); + Assert.Equal("12345", secret.Metadata.Annotations["keyfactor.com/certificate-id"]); + } + + #endregion +} diff --git a/kubernetes-orchestrator-extension.Tests/K8SJKSStoreTests.cs b/kubernetes-orchestrator-extension.Tests/K8SJKSStoreTests.cs new file mode 100644 index 00000000..4dfd99fe --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/K8SJKSStoreTests.cs @@ -0,0 +1,1506 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System; +using System.Collections.Generic; +using System.IO; +using System.Linq; +using Keyfactor.Extensions.Orchestrator.K8S.StoreTypes.K8SJKS; +using Keyfactor.Orchestrators.K8S.Tests.Helpers; +using Org.BouncyCastle.Pkcs; +using Xunit; +using static Keyfactor.Orchestrators.K8S.Tests.Helpers.CertificateTestHelper; + +namespace Keyfactor.Orchestrators.K8S.Tests; + +/// +/// Comprehensive unit tests for K8SJKS store type operations. +/// Tests cover all key types, password scenarios, chain handling, and edge cases. +/// +public class K8SJKSStoreTests +{ + private readonly JksCertificateStoreSerializer _serializer; + + public K8SJKSStoreTests() + { + _serializer = new JksCertificateStoreSerializer(storeProperties: null); + } + + #region Basic Deserialization Tests + + [Fact] + public void DeserializeRemoteCertificateStore_ValidJksWithPassword_ReturnsStore() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Test JKS Cert"); + var pkcs12Bytes = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair, "password", "testcert"); + + // Note: JKS deserialization will attempt to load as PKCS12 if JKS format fails + // This tests the fallback behavior documented in the implementation + + // Act & Assert + var exception = Record.Exception(() => + _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password")); + + // The deserializer should handle both JKS and PKCS12 formats + Assert.Null(exception); + } + + [Fact] + public void DeserializeRemoteCertificateStore_EmptyPassword_ThrowsArgumentException() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var pkcs12Bytes = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair); + + // Act & Assert + var exception = Assert.Throws(() => + _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "")); + + Assert.Contains("password is null or empty", exception.Message); + } + + [Fact] + public void DeserializeRemoteCertificateStore_NullPassword_ThrowsArgumentException() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var pkcs12Bytes = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair); + + // Act & Assert + var exception = Assert.Throws(() => + _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", null)); + + Assert.Contains("password is null or empty", exception.Message); + } + + [Fact] + public void DeserializeRemoteCertificateStore_WrongPassword_ThrowsException() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var jksBytes = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair, "correctpassword"); + + // Act & Assert + var exception = Assert.Throws(() => + _serializer.DeserializeRemoteCertificateStore(jksBytes, "/test/path", "wrongpassword")); + + Assert.Contains("password incorrect", exception.Message); + } + + [Fact] + public void DeserializeRemoteCertificateStore_CorruptedData_ThrowsException() + { + // Arrange + var corruptedData = CertificateTestHelper.GenerateCorruptedData(500); + + // Act & Assert - Accept any exception type since corrupted data can throw various exceptions + Assert.ThrowsAny(() => + _serializer.DeserializeRemoteCertificateStore(corruptedData, "/test/path", "password")); + } + + [Fact] + public void DeserializeRemoteCertificateStore_NullData_ThrowsException() + { + // Act & Assert - Null data will cause NullReferenceException or ArgumentNullException + Assert.ThrowsAny(() => + _serializer.DeserializeRemoteCertificateStore(null, "/test/path", "password")); + } + + [Fact] + public void DeserializeRemoteCertificateStore_EmptyData_ThrowsException() + { + // Act & Assert - Empty data will cause IOException or similar + Assert.ThrowsAny(() => + _serializer.DeserializeRemoteCertificateStore(Array.Empty(), "/test/path", "password")); + } + + #endregion + + #region Key Type Coverage Tests + + [Theory] + [InlineData(KeyType.Rsa1024)] + [InlineData(KeyType.Rsa2048)] + [InlineData(KeyType.Rsa4096)] + [InlineData(KeyType.Rsa8192)] + public void DeserializeRemoteCertificateStore_RsaKeys_SuccessfullyLoadsStore(KeyType keyType) + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(keyType, $"Test {keyType} Cert"); + var pkcs12Bytes = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair, "password"); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Assert + Assert.NotNull(store); + Assert.NotEmpty(store.Aliases.ToList()); + } + + [Theory] + [InlineData(KeyType.EcP256)] + [InlineData(KeyType.EcP384)] + [InlineData(KeyType.EcP521)] + public void DeserializeRemoteCertificateStore_EcKeys_SuccessfullyLoadsStore(KeyType keyType) + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(keyType, $"Test {keyType} Cert"); + var pkcs12Bytes = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair, "password"); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Assert + Assert.NotNull(store); + Assert.NotEmpty(store.Aliases.ToList()); + } + + [Theory] + [InlineData(KeyType.Dsa1024)] + [InlineData(KeyType.Dsa2048)] + public void DeserializeRemoteCertificateStore_DsaKeys_SuccessfullyLoadsStore(KeyType keyType) + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(keyType, $"Test {keyType} Cert"); + var pkcs12Bytes = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair, "password"); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Assert + Assert.NotNull(store); + Assert.NotEmpty(store.Aliases.ToList()); + } + + [Theory] + [InlineData(KeyType.Ed25519)] + [InlineData(KeyType.Ed448)] + public void DeserializeRemoteCertificateStore_EdwardsKeys_SuccessfullyLoadsStore(KeyType keyType) + { + // Arrange - Edwards curve keys (Ed25519/Ed448) are supported via BouncyCastle JKS + var certInfo = CertificateTestHelper.GenerateCertificate(keyType, $"Test {keyType} Cert"); + var jksBytes = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair, "password"); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(jksBytes, "/test/path", "password"); + + // Assert + Assert.NotNull(store); + Assert.NotEmpty(store.Aliases.ToList()); + } + + #endregion + + #region Password Scenarios Tests + + [Theory] + [InlineData("password")] + [InlineData("P@ssw0rd!")] + [InlineData("ๅฏ†็ ")] + [InlineData("๐Ÿ”๐Ÿ”‘")] + [InlineData("pass word")] + public void DeserializeRemoteCertificateStore_VariousPasswords_SuccessfullyLoadsStore(string password) + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var pkcs12Bytes = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair, password); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", password); + + // Assert + Assert.NotNull(store); + Assert.NotEmpty(store.Aliases.ToList()); + } + + [Fact] + public void DeserializeRemoteCertificateStore_PasswordWithNewline_HandlesCorrectly() + { + // This tests the common kubectl secret issue where passwords have trailing newlines + // Arrange + var password = "password"; + var passwordWithNewline = "password\n"; + var certInfo = CertificateTestHelper.GenerateCertificate(); + var pkcs12Bytes = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair, password); + + // Act & Assert + // The implementation should trim the password, but if not trimmed, it should fail + var exception = Record.Exception(() => + _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", passwordWithNewline)); + + // This may throw an exception if the implementation doesn't trim + // The actual behavior depends on the JksCertificateStoreSerializer implementation + } + + [Fact] + public void DeserializeRemoteCertificateStore_VeryLongPassword_SuccessfullyLoadsStore() + { + // Arrange + var longPassword = new string('x', 1000); + var certInfo = CertificateTestHelper.GenerateCertificate(); + var pkcs12Bytes = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair, longPassword); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", longPassword); + + // Assert + Assert.NotNull(store); + Assert.NotEmpty(store.Aliases.ToList()); + } + + #endregion + + #region Certificate Chain Tests + + [Fact] + public void DeserializeRemoteCertificateStore_CertificateWithChain_LoadsAllCertificates() + { + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048, "Leaf", "Intermediate", "Root"); + var leafCert = chain[0].Certificate; + var leafKeyPair = chain[0].KeyPair; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + + var pkcs12Bytes = CertificateTestHelper.GenerateJks( + leafCert, + leafKeyPair, + "password", + "leaf", + new[] { intermediateCert, rootCert }); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Assert + Assert.NotNull(store); + var certChain = store.GetCertificateChain("leaf"); + Assert.NotNull(certChain); + Assert.Equal(3, certChain.Length); // Leaf + Intermediate + Root + } + + [Fact] + public void DeserializeRemoteCertificateStore_SingleCertificate_LoadsWithoutChain() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var pkcs12Bytes = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair, "password"); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Assert + Assert.NotNull(store); + var certChain = store.GetCertificateChain("testcert"); + Assert.NotNull(certChain); + Assert.Single(certChain); // Only the leaf certificate + } + + #endregion + + #region Multiple Aliases Tests + + [Fact] + public void DeserializeRemoteCertificateStore_MultipleAliases_LoadsAllCertificates() + { + // Arrange + var cert1Info = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Cert 1"); + var cert2Info = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Cert 2"); + var cert3Info = CertificateTestHelper.GenerateCertificate(KeyType.Rsa4096, "Cert 3"); + + var entries = new Dictionary + { + { "alias1", (cert1Info.Certificate, cert1Info.KeyPair) }, + { "alias2", (cert2Info.Certificate, cert2Info.KeyPair) }, + { "alias3", (cert3Info.Certificate, cert3Info.KeyPair) } + }; + + var pkcs12Bytes = CertificateTestHelper.GenerateJksWithMultipleEntries(entries, "password"); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Assert + Assert.NotNull(store); + var aliases = store.Aliases.ToList(); + Assert.Equal(3, aliases.Count); + Assert.Contains("alias1", aliases); + Assert.Contains("alias2", aliases); + Assert.Contains("alias3", aliases); + } + + #endregion + + #region Serialization Tests + + [Fact] + public void SerializeRemoteCertificateStore_ValidStore_ReturnsSerializedData() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var pkcs12Bytes = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair, "password"); + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Act + var serialized = _serializer.SerializeRemoteCertificateStore(store, "/test/path", "store.jks", "password"); + + // Assert + Assert.NotNull(serialized); + Assert.Single(serialized); + Assert.Equal("/test/path/store.jks", serialized[0].FilePath); + Assert.NotNull(serialized[0].Contents); + Assert.NotEmpty(serialized[0].Contents); + } + + [Fact] + public void SerializeRemoteCertificateStore_RoundTrip_PreservesData() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var pkcs12Bytes = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair, "password", "testcert"); + var originalStore = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Act - Serialize + var serialized = _serializer.SerializeRemoteCertificateStore(originalStore, "/test/path", "store.jks", "password"); + + // Act - Deserialize again + var roundTripStore = _serializer.DeserializeRemoteCertificateStore(serialized[0].Contents, "/test/path", "password"); + + // Assert + Assert.NotNull(roundTripStore); + var originalAliases = originalStore.Aliases.ToList(); + var roundTripAliases = roundTripStore.Aliases.ToList(); + Assert.Equal(originalAliases.Count, roundTripAliases.Count); + + foreach (var alias in originalAliases) + { + Assert.Contains(alias, roundTripAliases); + var originalCert = originalStore.GetCertificate(alias); + var roundTripCert = roundTripStore.GetCertificate(alias); + Assert.Equal(originalCert.Certificate.GetEncoded(), roundTripCert.Certificate.GetEncoded()); + } + } + + #endregion + + #region GetPrivateKeyPath Tests + + [Fact] + public void GetPrivateKeyPath_ReturnsNull() + { + // JKS stores contain private keys inline, so this should return null + // Act + var path = _serializer.GetPrivateKeyPath(); + + // Assert + Assert.Null(path); + } + + #endregion + + #region IncludeCertChain=false Tests + + [Fact] + public void Management_IncludeCertChainFalse_OnlyLeafCertInChain() + { + // When IncludeCertChain=false is set for JKS stores, only the leaf certificate + // should be stored in the keystore, not the intermediate or root certificates. + + // Arrange - Generate a certificate chain and create JKS with ONLY the leaf + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKeyPair = chain[0].KeyPair; + + // Create JKS with only the leaf certificate (no chain) - simulating IncludeCertChain=false + var jksBytes = CertificateTestHelper.GenerateJks( + leafCert, + leafKeyPair, + "password", + "leaf-only", + chain: null // No chain certificates + ); + + // Act - Deserialize and verify + var store = _serializer.DeserializeRemoteCertificateStore(jksBytes, "/test/path", "password"); + + // Assert + Assert.NotNull(store); + var certChain = store.GetCertificateChain("leaf-only"); + Assert.NotNull(certChain); + + // When IncludeCertChain=false, only the leaf certificate should be present + Assert.Single(certChain); + + // Verify it's the leaf certificate + var storedCert = certChain[0].Certificate; + Assert.Equal(leafCert.SubjectDN.ToString(), storedCert.SubjectDN.ToString()); + } + + [Fact] + public void IncludeCertChainFalse_VersusTrue_DifferentChainLengths() + { + // Compare JKS with IncludeCertChain=true vs IncludeCertChain=false + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKeyPair = chain[0].KeyPair; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + + // IncludeCertChain=false: Only leaf certificate + var jksFalse = CertificateTestHelper.GenerateJks( + leafCert, + leafKeyPair, + "password", + "leaf-only", + chain: null + ); + + // IncludeCertChain=true: Leaf + full chain + var jksTrue = CertificateTestHelper.GenerateJks( + leafCert, + leafKeyPair, + "password", + "with-chain", + chain: new[] { intermediateCert, rootCert } + ); + + // Deserialize both + var storeFalse = _serializer.DeserializeRemoteCertificateStore(jksFalse, "/test/path", "password"); + var storeTrue = _serializer.DeserializeRemoteCertificateStore(jksTrue, "/test/path", "password"); + + // Assert - IncludeCertChain=false has only 1 cert in chain + var chainFalse = storeFalse.GetCertificateChain("leaf-only"); + Assert.Single(chainFalse); + + // Assert - IncludeCertChain=true has 3 certs in chain + var chainTrue = storeTrue.GetCertificateChain("with-chain"); + Assert.Equal(3, chainTrue.Length); + } + + [Theory] + [InlineData(KeyType.Rsa2048)] + [InlineData(KeyType.EcP256)] + [InlineData(KeyType.EcP384)] + public void IncludeCertChainFalse_VariousKeyTypes_OnlyLeafCertInChain(KeyType keyType) + { + // Verify that IncludeCertChain=false behavior works with various key types for JKS + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(keyType); + var leafCert = chain[0].Certificate; + var leafKeyPair = chain[0].KeyPair; + + // Create JKS with only the leaf certificate + var jksBytes = CertificateTestHelper.GenerateJks( + leafCert, + leafKeyPair, + "password", + "testcert", + chain: null + ); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(jksBytes, "/test/path", "password"); + + // Assert - Only 1 certificate in the chain + var certChain = store.GetCertificateChain("testcert"); + Assert.Single(certChain); + Assert.Equal(leafCert.SubjectDN.ToString(), certChain[0].Certificate.SubjectDN.ToString()); + } + + [Fact] + public void IncludeCertChainFalse_RoundTrip_PreservesLeafOnly() + { + // Verify that round-trip serialization preserves the leaf-only chain + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKeyPair = chain[0].KeyPair; + + var originalJks = CertificateTestHelper.GenerateJks( + leafCert, + leafKeyPair, + "password", + "leaf-only", + chain: null + ); + + var originalStore = _serializer.DeserializeRemoteCertificateStore(originalJks, "/test/path", "password"); + + // Act - Round-trip: serialize and deserialize again + var serialized = _serializer.SerializeRemoteCertificateStore(originalStore, "/test/path", "store.jks", "password"); + var roundTripStore = _serializer.DeserializeRemoteCertificateStore(serialized[0].Contents, "/test/path", "password"); + + // Assert - Still only 1 certificate in chain after round-trip + var roundTripChain = roundTripStore.GetCertificateChain("leaf-only"); + Assert.Single(roundTripChain); + Assert.Equal(leafCert.SubjectDN.ToString(), roundTripChain[0].Certificate.SubjectDN.ToString()); + } + + #endregion + + #region Multiple JKS Files in Single Secret Tests + + [Fact] + public void Inventory_SecretWithMultipleJksFiles_LoadsAllKeystores() + { + // Test that multiple JKS files stored in a single Kubernetes secret are all loaded correctly. + // This simulates a K8s secret with multiple data fields like: + // data: + // app.jks: + // ca.jks: + // truststore.jks: + + // Arrange - Create separate JKS files with different certificates + var cert1 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "App Certificate"); + var cert2 = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "CA Certificate"); + var cert3 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa4096, "Truststore Certificate"); + + // Generate separate JKS files + var appJksBytes = CertificateTestHelper.GenerateJks(cert1.Certificate, cert1.KeyPair, "password", "appcert"); + var caJksBytes = CertificateTestHelper.GenerateJks(cert2.Certificate, cert2.KeyPair, "password", "cacert"); + var truststoreJksBytes = CertificateTestHelper.GenerateJks(cert3.Certificate, cert3.KeyPair, "password", "trustcert"); + + // Simulate multiple JKS files in a secret's Inventory dictionary + var inventoryDict = new Dictionary + { + { "app.jks", appJksBytes }, + { "ca.jks", caJksBytes }, + { "truststore.jks", truststoreJksBytes } + }; + + // Act - Deserialize each JKS file and collect all aliases + var allAliases = new Dictionary>(); + foreach (var (keyName, keyBytes) in inventoryDict) + { + var store = _serializer.DeserializeRemoteCertificateStore(keyBytes, $"/test/{keyName}", "password"); + allAliases[keyName] = store.Aliases.ToList(); + } + + // Assert - All three JKS files should be loaded + Assert.Equal(3, allAliases.Count); + Assert.Contains("app.jks", allAliases.Keys); + Assert.Contains("ca.jks", allAliases.Keys); + Assert.Contains("truststore.jks", allAliases.Keys); + } + + [Fact] + public void Inventory_SecretWithMultipleJksFiles_EachHasCorrectAliases() + { + // Test that aliases from each JKS file are correctly attributed to the right file. + // Each JKS file has unique aliases that should be identifiable. + + // Arrange - Create JKS files with different unique aliases + var cert1 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Web Server"); + var cert2 = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Database"); + var cert3 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa4096, "API Gateway"); + + // Create JKS files with specific unique aliases + var webJksBytes = CertificateTestHelper.GenerateJks(cert1.Certificate, cert1.KeyPair, "password", "webserver-cert"); + var dbJksBytes = CertificateTestHelper.GenerateJks(cert2.Certificate, cert2.KeyPair, "password", "database-cert"); + var apiJksBytes = CertificateTestHelper.GenerateJks(cert3.Certificate, cert3.KeyPair, "password", "apigateway-cert"); + + var inventoryDict = new Dictionary + { + { "web.jks", webJksBytes }, + { "db.jks", dbJksBytes }, + { "api.jks", apiJksBytes } + }; + + // Act - Deserialize each JKS and verify aliases + var webStore = _serializer.DeserializeRemoteCertificateStore(inventoryDict["web.jks"], "/test/web.jks", "password"); + var dbStore = _serializer.DeserializeRemoteCertificateStore(inventoryDict["db.jks"], "/test/db.jks", "password"); + var apiStore = _serializer.DeserializeRemoteCertificateStore(inventoryDict["api.jks"], "/test/api.jks", "password"); + + // Assert - Each store has exactly one alias with the expected name + var webAliases = webStore.Aliases.ToList(); + var dbAliases = dbStore.Aliases.ToList(); + var apiAliases = apiStore.Aliases.ToList(); + + Assert.Single(webAliases); + Assert.Single(dbAliases); + Assert.Single(apiAliases); + + Assert.Contains("webserver-cert", webAliases); + Assert.Contains("database-cert", dbAliases); + Assert.Contains("apigateway-cert", apiAliases); + + // Verify that aliases are NOT mixed between files + Assert.DoesNotContain("database-cert", webAliases); + Assert.DoesNotContain("apigateway-cert", webAliases); + Assert.DoesNotContain("webserver-cert", dbAliases); + } + + [Fact] + public void Inventory_SecretWithMultipleJksFiles_DifferentPasswords_ThrowsOnWrongPassword() + { + // Test behavior when JKS files have different passwords. + // In practice, K8S stores usually have the same password for all files, + // but we should handle cases where they differ. + + // Arrange + var cert1 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Cert 1"); + var cert2 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Cert 2"); + + var jks1Bytes = CertificateTestHelper.GenerateJks(cert1.Certificate, cert1.KeyPair, "password1", "cert1"); + var jks2Bytes = CertificateTestHelper.GenerateJks(cert2.Certificate, cert2.KeyPair, "password2", "cert2"); + + // Act & Assert - First file loads with correct password + var store1 = _serializer.DeserializeRemoteCertificateStore(jks1Bytes, "/test/file1.jks", "password1"); + Assert.NotNull(store1); + Assert.Single(store1.Aliases); + + // Second file should throw with wrong password + Assert.ThrowsAny(() => + _serializer.DeserializeRemoteCertificateStore(jks2Bytes, "/test/file2.jks", "password1")); + + // Second file loads with correct password + var store2 = _serializer.DeserializeRemoteCertificateStore(jks2Bytes, "/test/file2.jks", "password2"); + Assert.NotNull(store2); + Assert.Single(store2.Aliases); + } + + [Fact] + public void Inventory_SecretWithMultipleJksFiles_EachWithMultipleEntries_LoadsAllCorrectly() + { + // Test that multiple JKS files, each containing multiple entries, all load correctly. + + // Arrange - Create two JKS files, each with multiple aliases + var cert1a = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "App Server 1"); + var cert1b = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "App Server 2"); + var cert2a = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Backend 1"); + var cert2b = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Backend 2"); + var cert2c = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Backend 3"); + + var appEntries = new Dictionary + { + { "app-server-1", (cert1a.Certificate, cert1a.KeyPair) }, + { "app-server-2", (cert1b.Certificate, cert1b.KeyPair) } + }; + + var backendEntries = new Dictionary + { + { "backend-1", (cert2a.Certificate, cert2a.KeyPair) }, + { "backend-2", (cert2b.Certificate, cert2b.KeyPair) }, + { "backend-3", (cert2c.Certificate, cert2c.KeyPair) } + }; + + var appJksBytes = CertificateTestHelper.GenerateJksWithMultipleEntries(appEntries, "password"); + var backendJksBytes = CertificateTestHelper.GenerateJksWithMultipleEntries(backendEntries, "password"); + + var inventoryDict = new Dictionary + { + { "app.jks", appJksBytes }, + { "backend.jks", backendJksBytes } + }; + + // Act + var appStore = _serializer.DeserializeRemoteCertificateStore(inventoryDict["app.jks"], "/test/app.jks", "password"); + var backendStore = _serializer.DeserializeRemoteCertificateStore(inventoryDict["backend.jks"], "/test/backend.jks", "password"); + + // Assert + var appAliases = appStore.Aliases.ToList(); + var backendAliases = backendStore.Aliases.ToList(); + + Assert.Equal(2, appAliases.Count); + Assert.Equal(3, backendAliases.Count); + + Assert.Contains("app-server-1", appAliases); + Assert.Contains("app-server-2", appAliases); + + Assert.Contains("backend-1", backendAliases); + Assert.Contains("backend-2", backendAliases); + Assert.Contains("backend-3", backendAliases); + + // Total aliases across all files + Assert.Equal(5, appAliases.Count + backendAliases.Count); + } + + #endregion + + #region Edge Case Tests + + [Fact] + public void DeserializeRemoteCertificateStore_PartiallyCorruptedData_ThrowsException() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var validJksBytes = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair, "password"); + var corruptedBytes = CertificateTestHelper.CorruptData(validJksBytes, bytesToCorrupt: 10); + + // Act & Assert - Corrupted data can throw various exceptions (IOException, FormatException, etc.) + Assert.ThrowsAny(() => + _serializer.DeserializeRemoteCertificateStore(corruptedBytes, "/test/path", "password")); + } + + [Fact] + public void SerializeRemoteCertificateStore_EmptyStore_ReturnsValidOutput() + { + // Arrange + var emptyStore = new Pkcs12StoreBuilder().Build(); + + // Act + var serialized = _serializer.SerializeRemoteCertificateStore(emptyStore, "/test/path", "empty.jks", "password"); + + // Assert + Assert.NotNull(serialized); + Assert.Single(serialized); + Assert.NotNull(serialized[0].Contents); + } + + [Fact] + public void SerializeRemoteCertificateStore_DifferentPassword_SuccessfullySerializes() + { + // Tests that we can deserialize with one password and serialize with a different one + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var pkcs12Bytes = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair, "password1"); + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password1"); + + // Act + var serialized = _serializer.SerializeRemoteCertificateStore(store, "/test/path", "store.jks", "password2"); + + // Assert - Deserialize with new password + var newStore = _serializer.DeserializeRemoteCertificateStore(serialized[0].Contents, "/test/path", "password2"); + Assert.NotNull(newStore); + Assert.Equal(store.Aliases.ToList().Count, newStore.Aliases.ToList().Count); + } + + #endregion + + #region Mixed Entry Types Tests (Private Keys + Trusted Certs) + + [Fact] + public void DeserializeRemoteCertificateStore_MixedEntryTypes_LoadsBothTypes() + { + // Arrange - Create a JKS with both private key entries and trusted certificate entries + var privateKeyEntry1 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Server Cert 1"); + var privateKeyEntry2 = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Server Cert 2"); + var trustedCert1 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Trusted Root CA"); + var trustedCert2 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa4096, "Trusted Intermediate CA"); + + var privateKeyEntries = new Dictionary + { + { "server1", (privateKeyEntry1.Certificate, privateKeyEntry1.KeyPair) }, + { "server2", (privateKeyEntry2.Certificate, privateKeyEntry2.KeyPair) } + }; + + var trustedCertEntries = new Dictionary + { + { "root-ca", trustedCert1.Certificate }, + { "intermediate-ca", trustedCert2.Certificate } + }; + + var jksBytes = CertificateTestHelper.GenerateJksWithMixedEntries(privateKeyEntries, trustedCertEntries, "password"); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(jksBytes, "/test/path", "password"); + + // Assert - All 4 entries should be loaded + Assert.NotNull(store); + var aliases = store.Aliases.ToList(); + Assert.Equal(4, aliases.Count); + Assert.Contains("server1", aliases); + Assert.Contains("server2", aliases); + Assert.Contains("root-ca", aliases); + Assert.Contains("intermediate-ca", aliases); + } + + [Fact] + public void Inventory_MixedEntryTypes_ReportsCorrectPrivateKeyStatus() + { + // Arrange - Create a JKS with both private key entries and trusted certificate entries + var privateKeyEntry = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Server Cert"); + var trustedCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Trusted CA"); + + var privateKeyEntries = new Dictionary + { + { "server", (privateKeyEntry.Certificate, privateKeyEntry.KeyPair) } + }; + + var trustedCertEntries = new Dictionary + { + { "trusted-ca", trustedCert.Certificate } + }; + + var jksBytes = CertificateTestHelper.GenerateJksWithMixedEntries(privateKeyEntries, trustedCertEntries, "password"); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(jksBytes, "/test/path", "password"); + + // Assert - Verify IsKeyEntry returns correct values + Assert.True(store.IsKeyEntry("server"), "server should be a key entry (has private key)"); + Assert.False(store.IsKeyEntry("trusted-ca"), "trusted-ca should NOT be a key entry (certificate only)"); + + // Verify we can get the certificate from both entries + var serverCert = store.GetCertificate("server"); + var trustedCaCert = store.GetCertificate("trusted-ca"); + Assert.NotNull(serverCert); + Assert.NotNull(trustedCaCert); + } + + [Fact] + public void CreateOrUpdateJks_AddTrustedCertEntry_PreservesExistingEntries() + { + // Arrange - Create initial JKS with a private key entry + var existingCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Existing Server Cert"); + var existingJks = CertificateTestHelper.GenerateJks(existingCert.Certificate, existingCert.KeyPair, "password", "existing-server"); + + // Create a trusted certificate (no private key) to add + var trustedCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Trusted CA"); + + // Convert trusted cert to DER bytes (certificate only, no private key) + var trustedCertBytes = trustedCert.Certificate.GetEncoded(); + + // Act - Add the trusted certificate entry + var updatedJksBytes = _serializer.CreateOrUpdateJks( + trustedCertBytes, + null, // No password for certificate-only + "trusted-ca", + existingJks, + "password", + remove: false, + includeChain: true); + + // Deserialize and verify + var store = _serializer.DeserializeRemoteCertificateStore(updatedJksBytes, "/test/path", "password"); + + // Assert - Both entries should exist + var aliases = store.Aliases.ToList(); + Assert.Equal(2, aliases.Count); + Assert.Contains("existing-server", aliases); + Assert.Contains("trusted-ca", aliases); + + // Verify entry types are preserved + Assert.True(store.IsKeyEntry("existing-server"), "existing-server should still be a key entry"); + Assert.False(store.IsKeyEntry("trusted-ca"), "trusted-ca should be a certificate-only entry"); + } + + [Fact] + public void SerializeRemoteCertificateStore_MixedEntryTypes_PreservesEntryTypes() + { + // Arrange - Create a JKS with mixed entry types + var privateKeyEntry = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Server Cert"); + var trustedCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Trusted CA"); + + var privateKeyEntries = new Dictionary + { + { "server", (privateKeyEntry.Certificate, privateKeyEntry.KeyPair) } + }; + + var trustedCertEntries = new Dictionary + { + { "trusted-ca", trustedCert.Certificate } + }; + + var jksBytes = CertificateTestHelper.GenerateJksWithMixedEntries(privateKeyEntries, trustedCertEntries, "password"); + var originalStore = _serializer.DeserializeRemoteCertificateStore(jksBytes, "/test/path", "password"); + + // Act - Serialize and deserialize + var serialized = _serializer.SerializeRemoteCertificateStore(originalStore, "/test/path", "store.jks", "password"); + var roundTripStore = _serializer.DeserializeRemoteCertificateStore(serialized[0].Contents, "/test/path", "password"); + + // Assert - Entry types should be preserved after round-trip + Assert.True(roundTripStore.IsKeyEntry("server"), "server should still be a key entry after round-trip"); + Assert.False(roundTripStore.IsKeyEntry("trusted-ca"), "trusted-ca should still be certificate-only after round-trip"); + } + + [Fact] + public void DeserializeRemoteCertificateStore_MixedEntryTypes_CorrectCertificateChainForKeyEntries() + { + // Arrange - Create a JKS with a private key entry that has a chain and a trusted cert entry + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048, "Server", "Intermediate", "Root"); + var serverCert = chain[0]; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + var trustedCa = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "External Trusted CA"); + + // Create JKS manually with chain for key entry + var jksStore = new Org.BouncyCastle.Security.JksStore(); + jksStore.SetKeyEntry("server", serverCert.KeyPair.Private, "password".ToCharArray(), + new[] { serverCert.Certificate, intermediateCert, rootCert }); + jksStore.SetCertificateEntry("external-ca", trustedCa.Certificate); + + using var ms = new MemoryStream(); + jksStore.Save(ms, "password".ToCharArray()); + var jksBytes = ms.ToArray(); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(jksBytes, "/test/path", "password"); + + // Assert - Key entry should have full chain + var serverChain = store.GetCertificateChain("server"); + Assert.NotNull(serverChain); + Assert.Equal(3, serverChain.Length); + + // Trusted cert entry should have no chain (just the certificate) + var externalCaChain = store.GetCertificateChain("external-ca"); + Assert.Null(externalCaChain); // Certificate entries don't have chains, only key entries do + } + + [Fact] + public void CreateOrUpdateJks_RemoveTrustedCertEntry_PreservesKeyEntries() + { + // Arrange - Create JKS with both entry types + var privateKeyEntry = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Server Cert"); + var trustedCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Trusted CA"); + + var privateKeyEntries = new Dictionary + { + { "server", (privateKeyEntry.Certificate, privateKeyEntry.KeyPair) } + }; + + var trustedCertEntries = new Dictionary + { + { "trusted-ca", trustedCert.Certificate } + }; + + var jksBytes = CertificateTestHelper.GenerateJksWithMixedEntries(privateKeyEntries, trustedCertEntries, "password"); + + // Act - Remove the trusted cert entry + var updatedJksBytes = _serializer.CreateOrUpdateJks( + Array.Empty(), + null, + "trusted-ca", + jksBytes, + "password", + remove: true, + includeChain: true); + + // Deserialize and verify + var store = _serializer.DeserializeRemoteCertificateStore(updatedJksBytes, "/test/path", "password"); + + // Assert - Only the key entry should remain + var aliases = store.Aliases.ToList(); + Assert.Single(aliases); + Assert.Contains("server", aliases); + Assert.DoesNotContain("trusted-ca", aliases); + Assert.True(store.IsKeyEntry("server"), "server should still be a key entry"); + } + + #endregion + + #region PKCS12 Format Detection Tests + + /// + /// Tests that the JKS deserializer correctly rejects PKCS12 format data. + /// Note: BouncyCastle's JksStore reports PKCS12 data as "password incorrect or store tampered with" + /// because the file format doesn't match the JKS magic bytes. This IOException triggers + /// the fallback logic in the Inventory and Management jobs to try PKCS12 format. + /// + [Fact] + public void DeserializeRemoteCertificateStore_Pkcs12FileInsteadOfJks_ThrowsIOException() + { + // Arrange - Generate a PKCS12 file (not JKS) and try to deserialize as JKS + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "PKCS12 Test Cert"); + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, "password", "testcert"); + + // Act & Assert - The JKS deserializer cannot parse PKCS12 format and throws IOException + // This is expected behavior - the calling code (Inventory/Management jobs) catches this + // and falls back to PKCS12 handling + var exception = Assert.Throws(() => + _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password")); + + // BouncyCastle's JksStore reports format mismatches as password errors + Assert.Contains("password incorrect", exception.Message); + } + + [Fact] + public void DeserializeRemoteCertificateStore_Pkcs12WithMultipleEntries_ThrowsIOException() + { + // Arrange - Generate a PKCS12 file with multiple entries + var cert1Info = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Cert 1"); + var cert2Info = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Cert 2"); + + var entries = new Dictionary + { + { "alias1", (cert1Info.Certificate, cert1Info.KeyPair) }, + { "alias2", (cert2Info.Certificate, cert2Info.KeyPair) } + }; + + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12WithMultipleEntries(entries, "password"); + + // Act & Assert - The JKS deserializer cannot parse PKCS12 format + var exception = Assert.Throws(() => + _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password")); + + Assert.Contains("password incorrect", exception.Message); + } + + [Fact] + public void CreateOrUpdateJks_ExistingStoreIsPkcs12_ThrowsIOException() + { + // Arrange - Create a PKCS12 store as the "existing" store + var existingCertInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Existing PKCS12 Cert"); + var existingPkcs12Bytes = CertificateTestHelper.GeneratePkcs12(existingCertInfo.Certificate, existingCertInfo.KeyPair, "password", "existing"); + + // Create new certificate to add + var newCertInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "New Cert"); + var newPkcs12Bytes = CertificateTestHelper.GeneratePkcs12(newCertInfo.Certificate, newCertInfo.KeyPair, "password", "newcert"); + + // Act & Assert - Attempting to update a PKCS12 store as JKS should throw IOException + // The calling code catches this and falls back to PKCS12 handling + var exception = Assert.Throws(() => + _serializer.CreateOrUpdateJks( + newPkcs12Bytes, + "password", + "newcert", + existingPkcs12Bytes, + "password", + remove: false, + includeChain: true)); + + Assert.Contains("password incorrect", exception.Message); + } + + [Fact] + public void CreateOrUpdateJks_RemoveFromExistingPkcs12Store_ThrowsIOException() + { + // Arrange - Create a PKCS12 store as the "existing" store + var existingCertInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Existing PKCS12 Cert"); + var existingPkcs12Bytes = CertificateTestHelper.GeneratePkcs12(existingCertInfo.Certificate, existingCertInfo.KeyPair, "password", "existing"); + + // Act & Assert - Attempting to remove from a PKCS12 store as JKS should throw IOException + var exception = Assert.Throws(() => + _serializer.CreateOrUpdateJks( + Array.Empty(), + null, + "existing", + existingPkcs12Bytes, + "password", + remove: true, + includeChain: true)); + + Assert.Contains("password incorrect", exception.Message); + } + + [Theory] + [InlineData(KeyType.Rsa2048)] + [InlineData(KeyType.EcP256)] + [InlineData(KeyType.EcP384)] + public void DeserializeRemoteCertificateStore_Pkcs12VariousKeyTypes_ThrowsIOException(KeyType keyType) + { + // Arrange - Generate PKCS12 with various key types + var certInfo = CertificateTestHelper.GenerateCertificate(keyType, $"PKCS12 {keyType} Cert"); + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, "password", "testcert"); + + // Act & Assert - All should throw IOException when attempting to parse as JKS + var exception = Assert.Throws(() => + _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password")); + + Assert.Contains("password incorrect", exception.Message); + } + + /// + /// Verifies that actual JKS files can still be loaded successfully + /// (as a sanity check alongside the PKCS12 rejection tests). + /// + [Fact] + public void DeserializeRemoteCertificateStore_ActualJksFile_LoadsSuccessfully() + { + // Arrange - Generate a proper JKS file + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Actual JKS Cert"); + var jksBytes = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair, "password", "testcert"); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(jksBytes, "/test/path", "password"); + + // Assert - JKS should load without any exception + Assert.NotNull(store); + var aliases = store.Aliases.ToList(); + Assert.Single(aliases); + Assert.Contains("testcert", aliases); + } + + #endregion + + #region Native JKS Format Preservation Tests + + [Fact] + public void NativeJksFormat_MagicBytesValidation_JksHasCorrectMagicBytes() + { + // Arrange - Generate a JKS file using BouncyCastle + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "JKS Magic Bytes Test"); + var jksBytes = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair, "password", "testcert"); + + // Act & Assert - Verify JKS magic bytes (0xFEEDFEED) + Assert.True(CertificateTestHelper.IsNativeJksFormat(jksBytes), + $"Expected JKS magic bytes (0xFEEDFEED) but got: 0x{jksBytes[0]:X2}{jksBytes[1]:X2}{jksBytes[2]:X2}{jksBytes[3]:X2}"); + + // Verify magic bytes directly + Assert.Equal(0xFE, jksBytes[0]); + Assert.Equal(0xED, jksBytes[1]); + Assert.Equal(0xFE, jksBytes[2]); + Assert.Equal(0xED, jksBytes[3]); + } + + [Fact] + public void Pkcs12Format_MagicBytesValidation_Pkcs12DoesNotHaveJksMagicBytes() + { + // Arrange - Generate a PKCS12 file using BouncyCastle + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "PKCS12 Magic Bytes Test"); + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, "password", "testcert"); + + // Act & Assert - Verify PKCS12 does NOT have JKS magic bytes + Assert.False(CertificateTestHelper.IsNativeJksFormat(pkcs12Bytes), + $"PKCS12 should NOT have JKS magic bytes but first 4 bytes are: 0x{pkcs12Bytes[0]:X2}{pkcs12Bytes[1]:X2}{pkcs12Bytes[2]:X2}{pkcs12Bytes[3]:X2}"); + + // Verify PKCS12 starts with ASN.1 SEQUENCE tag (0x30) + Assert.True(CertificateTestHelper.IsPkcs12Format(pkcs12Bytes), + $"Expected PKCS12 to start with 0x30 (ASN.1 SEQUENCE) but got: 0x{pkcs12Bytes[0]:X2}"); + } + + [Fact] + public void CreateOrUpdateJks_NativeJksStore_OutputRemainsJksFormat() + { + // Arrange - Create an initial JKS store + var cert1Info = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Initial Cert"); + var initialJks = CertificateTestHelper.GenerateJks(cert1Info.Certificate, cert1Info.KeyPair, "storepassword", "initial"); + + // Verify initial JKS is in native JKS format + Assert.True(CertificateTestHelper.IsNativeJksFormat(initialJks), "Initial JKS should be in native JKS format"); + + // Create a new certificate to add (as PKCS12) + var cert2Info = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "New Cert"); + var newCertPkcs12 = CertificateTestHelper.GeneratePkcs12(cert2Info.Certificate, cert2Info.KeyPair, "certpassword", "newcert"); + + // Act - Add new certificate to existing JKS + var updatedJks = _serializer.CreateOrUpdateJks( + newPkcs12Bytes: newCertPkcs12, + newCertPassword: "certpassword", + alias: "newcert", + existingStore: initialJks, + existingStorePassword: "storepassword", + remove: false, + includeChain: true); + + // Assert - Output should still be in native JKS format + Assert.True(CertificateTestHelper.IsNativeJksFormat(updatedJks), + $"Updated JKS should remain in native JKS format but got magic bytes: 0x{updatedJks[0]:X2}{updatedJks[1]:X2}{updatedJks[2]:X2}{updatedJks[3]:X2}"); + Assert.False(CertificateTestHelper.IsPkcs12Format(updatedJks), + "Updated JKS should NOT be in PKCS12 format"); + } + + [Fact] + public void CreateOrUpdateJks_AddMultipleCerts_OutputRemainsJksFormat() + { + // Arrange - Create an initial JKS store with one certificate + var cert1Info = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Cert 1"); + var initialJks = CertificateTestHelper.GenerateJks(cert1Info.Certificate, cert1Info.KeyPair, "storepassword", "cert1"); + + // Verify initial JKS is in native JKS format + Assert.True(CertificateTestHelper.IsNativeJksFormat(initialJks), "Initial JKS should be in native JKS format"); + + // Act - Add multiple certificates sequentially + var currentJks = initialJks; + for (int i = 2; i <= 5; i++) + { + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, $"Cert {i}"); + var certPkcs12 = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, "certpassword", $"cert{i}"); + + currentJks = _serializer.CreateOrUpdateJks( + newPkcs12Bytes: certPkcs12, + newCertPassword: "certpassword", + alias: $"cert{i}", + existingStore: currentJks, + existingStorePassword: "storepassword", + remove: false, + includeChain: true); + + // Assert after each addition - should remain JKS format + Assert.True(CertificateTestHelper.IsNativeJksFormat(currentJks), + $"JKS should remain in native format after adding cert {i}"); + } + + // Final verification - should have 5 certificates and still be JKS format + Assert.True(CertificateTestHelper.IsNativeJksFormat(currentJks), + "Final JKS with 5 certs should still be in native JKS format"); + + // Verify all 5 certs are in the store + var store = _serializer.DeserializeRemoteCertificateStore(currentJks, "/test/path", "storepassword"); + Assert.Equal(5, store.Aliases.ToList().Count); + } + + [Fact] + public void CreateOrUpdateJks_RemoveCert_OutputRemainsJksFormat() + { + // Arrange - Create a JKS store with two certificates + var cert1Info = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Cert 1"); + var cert2Info = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Cert 2"); + + var entries = new Dictionary + { + { "cert1", (cert1Info.Certificate, cert1Info.KeyPair) }, + { "cert2", (cert2Info.Certificate, cert2Info.KeyPair) } + }; + + var initialJks = CertificateTestHelper.GenerateJksWithMultipleEntries(entries, "storepassword"); + + // Verify initial JKS is in native JKS format + Assert.True(CertificateTestHelper.IsNativeJksFormat(initialJks), "Initial JKS should be in native JKS format"); + + // Act - Remove one certificate + var updatedJks = _serializer.CreateOrUpdateJks( + newPkcs12Bytes: Array.Empty(), + newCertPassword: "", + alias: "cert1", + existingStore: initialJks, + existingStorePassword: "storepassword", + remove: true, + includeChain: true); + + // Assert - Output should still be in native JKS format + Assert.True(CertificateTestHelper.IsNativeJksFormat(updatedJks), + $"JKS should remain in native format after removing a certificate"); + Assert.False(CertificateTestHelper.IsPkcs12Format(updatedJks), + "Updated JKS should NOT be in PKCS12 format"); + + // Verify cert1 was removed and cert2 remains + var store = _serializer.DeserializeRemoteCertificateStore(updatedJks, "/test/path", "storepassword"); + var aliases = store.Aliases.ToList(); + Assert.Single(aliases); + Assert.Contains("cert2", aliases); + Assert.DoesNotContain("cert1", aliases); + } + + [Fact] + public void CreateOrUpdateJks_CreateNewStore_OutputIsJksFormat() + { + // Arrange - Create a new certificate as PKCS12 + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "New Store Cert"); + var certPkcs12 = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, "certpassword", "testcert"); + + // Act - Create a new JKS store (existingStore = null) + var newJks = _serializer.CreateOrUpdateJks( + newPkcs12Bytes: certPkcs12, + newCertPassword: "certpassword", + alias: "testcert", + existingStore: null, + existingStorePassword: "storepassword", + remove: false, + includeChain: true); + + // Assert - Output should be in native JKS format + Assert.True(CertificateTestHelper.IsNativeJksFormat(newJks), + $"Newly created JKS should be in native JKS format but got magic bytes: 0x{newJks[0]:X2}{newJks[1]:X2}{newJks[2]:X2}{newJks[3]:X2}"); + Assert.False(CertificateTestHelper.IsPkcs12Format(newJks), + "Newly created JKS should NOT be in PKCS12 format"); + } + + [Theory] + [InlineData(KeyType.Rsa2048)] + [InlineData(KeyType.Rsa4096)] + [InlineData(KeyType.EcP256)] + [InlineData(KeyType.EcP384)] + public void CreateOrUpdateJks_VariousKeyTypes_OutputRemainsJksFormat(KeyType keyType) + { + // Arrange - Create initial JKS store + var initialCertInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Initial Cert"); + var initialJks = CertificateTestHelper.GenerateJks(initialCertInfo.Certificate, initialCertInfo.KeyPair, "storepassword", "initial"); + + // Create a new certificate with the specified key type + var newCertInfo = CertificateTestHelper.GenerateCertificate(keyType, $"New Cert {keyType}"); + var newCertPkcs12 = CertificateTestHelper.GeneratePkcs12(newCertInfo.Certificate, newCertInfo.KeyPair, "certpassword", "newcert"); + + // Act - Add new certificate + var updatedJks = _serializer.CreateOrUpdateJks( + newPkcs12Bytes: newCertPkcs12, + newCertPassword: "certpassword", + alias: $"newcert-{keyType}", + existingStore: initialJks, + existingStorePassword: "storepassword", + remove: false, + includeChain: true); + + // Assert - Output should remain in native JKS format + Assert.True(CertificateTestHelper.IsNativeJksFormat(updatedJks), + $"JKS should remain in native format after adding {keyType} certificate"); + } + + [Fact] + public void SerializeRemoteCertificateStore_OutputIsJksFormat() + { + // Arrange - Create a JKS store and deserialize it (converts to PKCS12 internally) + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Serialize Test"); + var originalJks = CertificateTestHelper.GenerateJks(certInfo.Certificate, certInfo.KeyPair, "password", "testcert"); + + // Verify original is JKS + Assert.True(CertificateTestHelper.IsNativeJksFormat(originalJks), "Original should be JKS format"); + + // Deserialize (converts to PKCS12 internally) + var store = _serializer.DeserializeRemoteCertificateStore(originalJks, "/test/path", "password"); + + // Act - Serialize back to JKS + var serialized = _serializer.SerializeRemoteCertificateStore(store, "/test/path", "store.jks", "password"); + + // Assert - Output should be in native JKS format, not PKCS12 + Assert.Single(serialized); + Assert.True(CertificateTestHelper.IsNativeJksFormat(serialized[0].Contents), + "Serialized output should be in native JKS format"); + Assert.False(CertificateTestHelper.IsPkcs12Format(serialized[0].Contents), + "Serialized output should NOT be in PKCS12 format"); + } + + [Fact] + public void CreateOrUpdateJks_RoundTrip_PreservesJksFormat() + { + // Arrange - Create initial JKS, add cert, remove cert, verify format is preserved throughout + var cert1Info = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Cert 1"); + var cert2Info = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Cert 2"); + + // Step 1: Create initial JKS + var initialJks = CertificateTestHelper.GenerateJks(cert1Info.Certificate, cert1Info.KeyPair, "storepassword", "cert1"); + Assert.True(CertificateTestHelper.IsNativeJksFormat(initialJks), "Step 1: Initial JKS should be JKS format"); + + // Step 2: Add second certificate + var cert2Pkcs12 = CertificateTestHelper.GeneratePkcs12(cert2Info.Certificate, cert2Info.KeyPair, "certpassword", "cert2"); + var afterAdd = _serializer.CreateOrUpdateJks( + newPkcs12Bytes: cert2Pkcs12, + newCertPassword: "certpassword", + alias: "cert2", + existingStore: initialJks, + existingStorePassword: "storepassword", + remove: false, + includeChain: true); + Assert.True(CertificateTestHelper.IsNativeJksFormat(afterAdd), "Step 2: After add should be JKS format"); + + // Step 3: Remove first certificate + var afterRemove = _serializer.CreateOrUpdateJks( + newPkcs12Bytes: Array.Empty(), + newCertPassword: "", + alias: "cert1", + existingStore: afterAdd, + existingStorePassword: "storepassword", + remove: true, + includeChain: true); + Assert.True(CertificateTestHelper.IsNativeJksFormat(afterRemove), "Step 3: After remove should be JKS format"); + + // Step 4: Deserialize and serialize (round-trip) + var store = _serializer.DeserializeRemoteCertificateStore(afterRemove, "/test/path", "storepassword"); + var serialized = _serializer.SerializeRemoteCertificateStore(store, "/test/path", "store.jks", "storepassword"); + Assert.True(CertificateTestHelper.IsNativeJksFormat(serialized[0].Contents), "Step 4: After round-trip should be JKS format"); + } + + [Fact] + public void FormatDetection_NullOrEmptyData_ReturnsFalse() + { + // Test edge cases for format detection helpers + Assert.False(CertificateTestHelper.IsNativeJksFormat(null)); + Assert.False(CertificateTestHelper.IsNativeJksFormat(Array.Empty())); + Assert.False(CertificateTestHelper.IsNativeJksFormat(new byte[] { 0xFE })); // Too short + Assert.False(CertificateTestHelper.IsNativeJksFormat(new byte[] { 0xFE, 0xED })); // Too short + Assert.False(CertificateTestHelper.IsNativeJksFormat(new byte[] { 0xFE, 0xED, 0xFE })); // Too short + + Assert.False(CertificateTestHelper.IsPkcs12Format(null)); + Assert.False(CertificateTestHelper.IsPkcs12Format(Array.Empty())); + } + + [Fact] + public void FormatDetection_ManualMagicBytes_DetectsCorrectly() + { + // Test with manually constructed magic bytes + var jksMagic = new byte[] { 0xFE, 0xED, 0xFE, 0xED, 0x00, 0x01, 0x02 }; + Assert.True(CertificateTestHelper.IsNativeJksFormat(jksMagic)); + Assert.False(CertificateTestHelper.IsPkcs12Format(jksMagic)); + + var pkcs12Magic = new byte[] { 0x30, 0x82, 0x01, 0x02 }; + Assert.False(CertificateTestHelper.IsNativeJksFormat(pkcs12Magic)); + Assert.True(CertificateTestHelper.IsPkcs12Format(pkcs12Magic)); + } + + #endregion + + #region Empty Store Tests (Create Store If Missing) + + [Fact] + public void CreateEmptyJksStore_WithPassword_CanBeLoadedWithSamePassword() + { + // Arrange - Create an empty JKS store (simulates "create store if missing") + var emptyJksStore = new Org.BouncyCastle.Security.JksStore(); + var password = "testpassword"; + + // Act - Save the empty store + using var outStream = new MemoryStream(); + emptyJksStore.Save(outStream, password.ToCharArray()); + var emptyJksBytes = outStream.ToArray(); + + // Assert - Should be valid JKS that can be loaded + Assert.NotNull(emptyJksBytes); + Assert.NotEmpty(emptyJksBytes); + + // Verify it has JKS magic bytes + Assert.True(CertificateTestHelper.IsNativeJksFormat(emptyJksBytes), "Empty JKS store should have JKS magic bytes"); + + // Verify it can be loaded + var loadedStore = new Org.BouncyCastle.Security.JksStore(); + using var inStream = new MemoryStream(emptyJksBytes); + loadedStore.Load(inStream, password.ToCharArray()); + Assert.Empty(loadedStore.Aliases); + } + + [Fact] + public void CreateEmptyJksStore_WithEmptyPassword_CanBeLoadedWithEmptyPassword() + { + // Arrange - Create an empty JKS store with empty password + var emptyJksStore = new Org.BouncyCastle.Security.JksStore(); + + // Act - Save the empty store with empty password + using var outStream = new MemoryStream(); + emptyJksStore.Save(outStream, Array.Empty()); + var emptyJksBytes = outStream.ToArray(); + + // Assert - Should be valid JKS that can be loaded + Assert.NotNull(emptyJksBytes); + Assert.NotEmpty(emptyJksBytes); + + // Verify it has JKS magic bytes + Assert.True(CertificateTestHelper.IsNativeJksFormat(emptyJksBytes), "Empty JKS store should have JKS magic bytes"); + + // Verify it can be loaded + var loadedStore = new Org.BouncyCastle.Security.JksStore(); + using var inStream = new MemoryStream(emptyJksBytes); + loadedStore.Load(inStream, Array.Empty()); + Assert.Empty(loadedStore.Aliases); + } + + [Fact] + public void CreateEmptyJksStore_ThenAddCertificate_Success() + { + // Arrange - Create an empty JKS store + var emptyJksStore = new Org.BouncyCastle.Security.JksStore(); + var password = "testpassword"; + + using var outStream = new MemoryStream(); + emptyJksStore.Save(outStream, password.ToCharArray()); + var emptyJksBytes = outStream.ToArray(); + + // Create a certificate to add + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "New Cert"); + var newCertPkcs12 = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, password, "newcert"); + + // Act - Use CreateOrUpdateJks to add the certificate to the empty store + var updatedJksBytes = _serializer.CreateOrUpdateJks( + newCertPkcs12, + password, + "newcert", + emptyJksBytes, + password, + false, + true); + + // Assert - Should have one certificate + var loadedStore = new Org.BouncyCastle.Security.JksStore(); + using var inStream = new MemoryStream(updatedJksBytes); + loadedStore.Load(inStream, password.ToCharArray()); + var aliases = loadedStore.Aliases.ToList(); + Assert.Single(aliases); + Assert.Contains("newcert", aliases); + } + + #endregion +} diff --git a/kubernetes-orchestrator-extension.Tests/K8SNSStoreTests.cs b/kubernetes-orchestrator-extension.Tests/K8SNSStoreTests.cs new file mode 100644 index 00000000..128307d1 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/K8SNSStoreTests.cs @@ -0,0 +1,653 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System; +using System.Collections.Generic; +using System.Linq; +using System.Text; +using k8s.Models; +using Keyfactor.Orchestrators.K8S.Tests.Helpers; +using Xunit; +using static Keyfactor.Orchestrators.K8S.Tests.Helpers.CertificateTestHelper; + +namespace Keyfactor.Orchestrators.K8S.Tests; + +/// +/// Unit tests for K8SNS store type operations. +/// K8SNS manages ALL secrets within a SINGLE namespace. +/// A single K8SNS store represents one namespace. +/// Tests focus on namespace-scoped operations, collection handling, and boundary enforcement. +/// +public class K8SNSStoreTests +{ + #region Namespace Scope Tests + + [Fact] + public void NamespaceStore_RepresentsSingleNamespace_NotClusterWide() + { + // K8SNS operates on a single namespace, unlike K8SCluster which operates on all namespaces + // The StorePath for K8SNS is the namespace name + var storePath = "production"; + + Assert.NotNull(storePath); + Assert.DoesNotContain("cluster", storePath.ToLower()); // Not cluster-wide + } + + [Fact] + public void NamespaceStore_CanContainMultipleSecretTypes_InSameNamespace() + { + // A namespace can contain Opaque, TLS, JKS, and PKCS12 secrets + var namespaceName = "production"; + var secrets = new List + { + new V1Secret + { + Metadata = new V1ObjectMeta { Name = "opaque-secret", NamespaceProperty = namespaceName }, + Type = "Opaque" + }, + new V1Secret + { + Metadata = new V1ObjectMeta { Name = "tls-secret", NamespaceProperty = namespaceName }, + Type = "kubernetes.io/tls" + }, + new V1Secret + { + Metadata = new V1ObjectMeta { Name = "jks-secret", NamespaceProperty = namespaceName }, + Type = "Opaque" + } + }; + + // Assert - All belong to the same namespace + Assert.All(secrets, s => Assert.Equal(namespaceName, s.Metadata.NamespaceProperty)); + } + + [Fact] + public void NamespaceStore_EnforcesNamespaceBoundary_NoOtherNamespaces() + { + // K8SNS should only manage secrets within its designated namespace + var targetNamespace = "production"; + var secrets = new List + { + new V1Secret + { + Metadata = new V1ObjectMeta { Name = "secret1", NamespaceProperty = "production" } + }, + new V1Secret + { + Metadata = new V1ObjectMeta { Name = "secret2", NamespaceProperty = "staging" } + }, + new V1Secret + { + Metadata = new V1ObjectMeta { Name = "secret3", NamespaceProperty = "production" } + } + }; + + // Act - Filter to only target namespace + var namespaceSecrets = secrets.FindAll(s => s.Metadata.NamespaceProperty == targetNamespace); + + // Assert + Assert.Equal(2, namespaceSecrets.Count); + Assert.All(namespaceSecrets, s => Assert.Equal(targetNamespace, s.Metadata.NamespaceProperty)); + } + + #endregion + + #region Secret Collection Tests + + [Fact] + public void SecretList_SingleNamespace_CanBeEnumerated() + { + // Arrange + var namespaceName = "default"; + var secrets = new List + { + new V1Secret + { + Metadata = new V1ObjectMeta { Name = "secret1", NamespaceProperty = namespaceName }, + Type = "Opaque" + }, + new V1Secret + { + Metadata = new V1ObjectMeta { Name = "secret2", NamespaceProperty = namespaceName }, + Type = "kubernetes.io/tls" + }, + new V1Secret + { + Metadata = new V1ObjectMeta { Name = "secret3", NamespaceProperty = namespaceName }, + Type = "Opaque" + } + }; + + // Assert + Assert.Equal(3, secrets.Count); + Assert.All(secrets, s => Assert.Equal(namespaceName, s.Metadata.NamespaceProperty)); + } + + [Fact] + public void SecretList_FilterByType_ReturnsOnlyMatchingSecrets() + { + // Arrange + var namespaceName = "production"; + var secrets = new List + { + new V1Secret { Metadata = new V1ObjectMeta { Name = "opaque1", NamespaceProperty = namespaceName }, Type = "Opaque" }, + new V1Secret { Metadata = new V1ObjectMeta { Name = "tls1", NamespaceProperty = namespaceName }, Type = "kubernetes.io/tls" }, + new V1Secret { Metadata = new V1ObjectMeta { Name = "opaque2", NamespaceProperty = namespaceName }, Type = "Opaque" } + }; + + // Act - Filter for Opaque secrets + var opaqueSecrets = secrets.FindAll(s => s.Type == "Opaque"); + + // Assert + Assert.Equal(2, opaqueSecrets.Count); + Assert.All(opaqueSecrets, s => Assert.Equal("Opaque", s.Type)); + } + + [Fact] + public void SecretList_GroupByName_CanIdentifyDuplicates() + { + // Within a single namespace, secret names must be unique + var namespaceName = "default"; + var secretNames = new[] { "secret1", "secret2", "secret1" }; // Duplicate name (invalid) + + // Act - Check for duplicates + var uniqueNames = new HashSet(); + var duplicates = new List(); + + foreach (var name in secretNames) + { + if (!uniqueNames.Add(name)) + { + duplicates.Add(name); + } + } + + // Assert + Assert.Single(duplicates); + Assert.Contains("secret1", duplicates); + } + + #endregion + + #region Discovery Tests + + [Fact] + public void Discovery_EmptyNamespace_ReturnsEmptyList() + { + // An empty namespace with no secrets should return empty discovery results + var secrets = new List(); + + Assert.Empty(secrets); + } + + [Fact] + public void Discovery_NamespaceWithSecrets_ReturnsAllSecrets() + { + // Arrange + var namespaceName = "production"; + var secrets = new List + { + new V1Secret { Metadata = new V1ObjectMeta { Name = "s1", NamespaceProperty = namespaceName } }, + new V1Secret { Metadata = new V1ObjectMeta { Name = "s2", NamespaceProperty = namespaceName } }, + new V1Secret { Metadata = new V1ObjectMeta { Name = "s3", NamespaceProperty = namespaceName } } + }; + + // Assert + Assert.Equal(3, secrets.Count); + Assert.All(secrets, s => Assert.Equal(namespaceName, s.Metadata.NamespaceProperty)); + } + + #endregion + + #region Certificate Data Tests + + [Fact] + public void NamespaceSecret_WithPemCertificate_CanBeRead() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Namespace Test"); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = "namespace-cert", + NamespaceProperty = "production" + }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) } + } + }; + + // Assert + Assert.NotNull(secret.Data); + Assert.True(secret.Data.ContainsKey("tls.crt")); + var retrievedPem = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + Assert.Contains("-----BEGIN CERTIFICATE-----", retrievedPem); + } + + [Fact] + public void NamespaceSecret_MultipleSecretsWithCertificates_CanBeEnumerated() + { + // Arrange - Create secrets with certificates in the same namespace + var namespaceName = "production"; + var secrets = new List(); + for (int i = 0; i < 5; i++) + { + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, $"Cert {i}"); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + secrets.Add(new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = $"secret-{i}", + NamespaceProperty = namespaceName + }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) } + } + }); + } + + // Assert + Assert.Equal(5, secrets.Count); + Assert.All(secrets, s => Assert.Equal(namespaceName, s.Metadata.NamespaceProperty)); + Assert.All(secrets, s => Assert.True(s.Data.ContainsKey("tls.crt"))); + } + + #endregion + + #region Permission Tests (Conceptual) + + [Fact] + public void NamespaceStore_RequiresNamespaceScopedPermissions_NotClusterWide() + { + // K8SNS requires namespace-scoped RBAC permissions + // Unlike K8SCluster which requires cluster-wide permissions + // This is a conceptual test - permissions are validated by Kubernetes at runtime + var namespaceName = "production"; + var requiredPermissions = new[] + { + $"secrets.list (namespace: {namespaceName})", + $"secrets.get (namespace: {namespaceName})", + $"secrets.create (namespace: {namespaceName})", + $"secrets.update (namespace: {namespaceName})", + $"secrets.delete (namespace: {namespaceName})" + }; + + Assert.Equal(5, requiredPermissions.Length); + Assert.Contains(namespaceName, requiredPermissions[0]); + Assert.DoesNotContain("cluster-wide", requiredPermissions[0]); + } + + #endregion + + #region Edge Cases + + [Fact] + public void NamespaceStore_LargeNumberOfSecrets_CanBeHandled() + { + // Test handling of large number of secrets in a single namespace + var namespaceName = "production"; + var secrets = new List(); + for (int i = 0; i < 100; i++) + { + secrets.Add(new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = $"secret-{i}", + NamespaceProperty = namespaceName + } + }); + } + + // Assert + Assert.Equal(100, secrets.Count); + Assert.All(secrets, s => Assert.Equal(namespaceName, s.Metadata.NamespaceProperty)); + } + + [Fact] + public void NamespaceStore_SpecialCharactersInSecretNames_Handled() + { + // Kubernetes allows certain special characters in secret names + var namespaceName = "default"; + var secretNames = new[] + { + "my-secret", + "my.secret", + "my-secret-123", + "secret-with-dots.and-dashes" + }; + + var secrets = secretNames.Select(name => new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = name, + NamespaceProperty = namespaceName + } + }).ToList(); + + // Assert + Assert.Equal(4, secrets.Count); + Assert.All(secrets, s => Assert.NotNull(s.Metadata.Name)); + } + + #endregion + + #region KubeNamespace Property Priority Tests + + [Fact] + public void NamespaceStore_KubeNamespaceProperty_TakesPriorityOverStorePath() + { + // K8SNS stores should use KubeNamespace from store properties when set, + // NOT the StorePath value. This test validates that the namespace configuration + // is properly respected. + + // Arrange - Simulate a store where KubeNamespace property differs from StorePath + var storePathNamespace = "default"; // StorePath value (often "default") + var configuredNamespace = "production"; // KubeNamespace property value + + // The expected behavior is that inventory should use the configured namespace + // NOT the store path namespace + Assert.NotEqual(storePathNamespace, configuredNamespace); + + // When KubeNamespace is set in store properties, it should take priority + var effectiveNamespace = !string.IsNullOrEmpty(configuredNamespace) + ? configuredNamespace + : storePathNamespace; + + Assert.Equal("production", effectiveNamespace); + } + + [Fact] + public void NamespaceStore_EmptyKubeNamespaceProperty_FallsBackToStorePath() + { + // When KubeNamespace property is empty/null, StorePath should be used as fallback + + // Arrange + var storePathNamespace = "default"; + string? configuredNamespace = null; + + // Act - Determine effective namespace (same logic as ResolveStorePath) + var effectiveNamespace = !string.IsNullOrEmpty(configuredNamespace) + ? configuredNamespace + : storePathNamespace; + + Assert.Equal("default", effectiveNamespace); + } + + [Fact] + public void NamespaceStore_WhitespaceKubeNamespaceProperty_ShouldBeTrimmed() + { + // Leading/trailing whitespace in namespace values should be trimmed + // This tests the .Trim() fix in JobBase.cs property retrieval + + // Arrange + var namespaceWithWhitespace = " production "; + var expectedNamespace = "production"; + + // Act - Trim is applied during property retrieval + var trimmedNamespace = namespaceWithWhitespace.Trim(); + + Assert.Equal(expectedNamespace, trimmedNamespace); + } + + [Fact] + public void NamespaceStore_StorePathParsing_SinglePartPath() + { + // For K8SNS with single-part StorePath (e.g., "default"), + // KubeNamespace from properties should NOT be overwritten + + // Arrange + var storePath = "default"; + var kubeNamespaceFromProperties = "production"; + + // Act - Simulate ResolveStorePath behavior (after fix) + // Only set KubeNamespace from StorePath if not already set + var finalNamespace = !string.IsNullOrEmpty(kubeNamespaceFromProperties) + ? kubeNamespaceFromProperties // Keep property value + : storePath; // Fallback to StorePath + + // Assert - Should keep the property value, not overwrite with StorePath + Assert.Equal("production", finalNamespace); + Assert.NotEqual(storePath, finalNamespace); + } + + #endregion + + #region IncludeCertChain=false Tests + + [Fact] + public void Management_IncludeCertChainFalse_TlsSecret_OnlyLeafCertStored() + { + // When IncludeCertChain=false is set for K8SNS TLS secrets, only the leaf certificate + // should be stored, not the intermediate or root certificates. + + // Arrange - Generate a certificate chain (leaf -> intermediate -> root) + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafPem = CertificateTestHelper.ConvertCertificateToPem(leafCert); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // Act - Create TLS secret with ONLY the leaf certificate (simulating IncludeCertChain=false behavior) + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = "ns-tls-include-cert-chain-false", + NamespaceProperty = "production" + }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert + Assert.Equal("kubernetes.io/tls", secret.Type); + Assert.Equal(2, secret.Data.Count); // Only tls.crt and tls.key, NO ca.crt + + // Verify tls.crt contains ONLY the leaf certificate (1 certificate) + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = tlsCrtData.Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(1, certCount); + + // Verify NO ca.crt field exists + Assert.False(secret.Data.ContainsKey("ca.crt"), + "K8SNS TLS secret should NOT contain ca.crt when IncludeCertChain=false"); + + // Verify the stored certificate is the leaf certificate + using var reader = new System.IO.StringReader(tlsCrtData); + var pemReader = new Org.BouncyCastle.OpenSsl.PemReader(reader); + var storedCert = (Org.BouncyCastle.X509.X509Certificate)pemReader.ReadObject(); + Assert.Equal(leafCert.SubjectDN.ToString(), storedCert.SubjectDN.ToString()); + } + + [Fact] + public void Management_IncludeCertChainFalse_OpaqueSecret_OnlyLeafCertStored() + { + // When IncludeCertChain=false is set for K8SNS Opaque secrets, only the leaf certificate + // should be stored, not the intermediate or root certificates. + + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafPem = CertificateTestHelper.ConvertCertificateToPem(leafCert); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // Act - Create Opaque secret with ONLY the leaf certificate + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = "ns-opaque-include-cert-chain-false", + NamespaceProperty = "production" + }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert + Assert.Equal("Opaque", secret.Type); + Assert.Equal(2, secret.Data.Count); + + // Verify tls.crt contains ONLY the leaf certificate + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = tlsCrtData.Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(1, certCount); + + Assert.False(secret.Data.ContainsKey("ca.crt"), + "K8SNS Opaque secret should NOT contain ca.crt when IncludeCertChain=false"); + } + + [Fact] + public void IncludeCertChainFalse_VersusTrue_NamespaceSecrets_DifferentStructures() + { + // Compare the expected output between IncludeCertChain=true vs IncludeCertChain=false for namespace secrets + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafPem = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var intermediatePem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootPem = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // IncludeCertChain=false: Only leaf certificate + var includeCertChainFalseSecret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "ns-include-chain-false", NamespaceProperty = "production" }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // IncludeCertChain=true (SeparateChain=false): Full chain bundled + var includeCertChainTrueSecret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "ns-include-chain-true", NamespaceProperty = "production" }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem + intermediatePem + rootPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert - IncludeCertChain=false has only 1 certificate + var falseChainCount = Encoding.UTF8.GetString(includeCertChainFalseSecret.Data["tls.crt"]) + .Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(1, falseChainCount); + Assert.False(includeCertChainFalseSecret.Data.ContainsKey("ca.crt")); + + // Assert - IncludeCertChain=true has 3 certificates + var trueChainCount = Encoding.UTF8.GetString(includeCertChainTrueSecret.Data["tls.crt"]) + .Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(3, trueChainCount); + } + + [Fact] + public void IncludeCertChainFalse_NamespaceBoundary_Enforced() + { + // Verify that IncludeCertChain=false respects namespace boundaries + var namespaceName = "production"; + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafPem = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + var secrets = new List(); + for (int i = 0; i < 3; i++) + { + secrets.Add(new V1Secret + { + Metadata = new V1ObjectMeta { Name = $"secret-{i}", NamespaceProperty = namespaceName }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }); + } + + // Assert - All secrets are in the same namespace and have only leaf cert + Assert.All(secrets, s => Assert.Equal(namespaceName, s.Metadata.NamespaceProperty)); + Assert.All(secrets, s => + { + var certCount = Encoding.UTF8.GetString(s.Data["tls.crt"]) + .Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(1, certCount); + Assert.False(s.Data.ContainsKey("ca.crt")); + }); + } + + #endregion + + #region Namespace Validation Tests + + [Fact] + public void NamespaceStore_ValidNamespace_AcceptsValidNames() + { + // Valid Kubernetes namespace names + var validNamespaces = new[] + { + "default", + "kube-system", + "my-namespace", + "prod-123" + }; + + // All should be valid (no exceptions or null) + foreach (var ns in validNamespaces) + { + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = "test-secret", + NamespaceProperty = ns + } + }; + + Assert.Equal(ns, secret.Metadata.NamespaceProperty); + } + } + + [Fact] + public void NamespaceStore_DefaultNamespace_HandledCorrectly() + { + // The "default" namespace is a special case that should be handled + var namespaceName = "default"; + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = "test-secret", + NamespaceProperty = namespaceName + } + }; + + Assert.Equal("default", secret.Metadata.NamespaceProperty); + } + + #endregion +} diff --git a/kubernetes-orchestrator-extension.Tests/K8SPKCS12StoreTests.cs b/kubernetes-orchestrator-extension.Tests/K8SPKCS12StoreTests.cs new file mode 100644 index 00000000..21ecdd12 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/K8SPKCS12StoreTests.cs @@ -0,0 +1,1132 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System; +using System.Collections.Generic; +using System.IO; +using System.Linq; +using Keyfactor.Extensions.Orchestrator.K8S.StoreTypes.K8SPKCS12; +using Keyfactor.Orchestrators.K8S.Tests.Helpers; +using Org.BouncyCastle.Pkcs; +using Xunit; +using static Keyfactor.Orchestrators.K8S.Tests.Helpers.CertificateTestHelper; + +namespace Keyfactor.Orchestrators.K8S.Tests; + +/// +/// Comprehensive unit tests for K8SPKCS12 store type operations. +/// Tests cover all key types, password scenarios, chain handling, and edge cases. +/// +public class K8SPKCS12StoreTests +{ + private readonly Pkcs12CertificateStoreSerializer _serializer; + + public K8SPKCS12StoreTests() + { + _serializer = new Pkcs12CertificateStoreSerializer(storeProperties: null); + } + + #region Basic Deserialization Tests + + [Fact] + public void DeserializeRemoteCertificateStore_ValidPkcs12WithPassword_ReturnsStore() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Test PKCS12 Cert"); + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, "password", "testcert"); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Assert + Assert.NotNull(store); + Assert.NotEmpty(store.Aliases.ToList()); + } + + [Fact] + public void DeserializeRemoteCertificateStore_EmptyPassword_SuccessfullyLoadsStore() + { + // Arrange - PKCS12 can have empty passwords + var certInfo = CertificateTestHelper.GenerateCertificate(); + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, "", "testcert"); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", ""); + + // Assert + Assert.NotNull(store); + Assert.NotEmpty(store.Aliases.ToList()); + } + + [Fact] + public void DeserializeRemoteCertificateStore_NullPassword_SuccessfullyLoadsStore() + { + // Arrange - PKCS12 treats null same as empty + var certInfo = CertificateTestHelper.GenerateCertificate(); + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, "", "testcert"); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", null); + + // Assert + Assert.NotNull(store); + Assert.NotEmpty(store.Aliases.ToList()); + } + + [Fact] + public void DeserializeRemoteCertificateStore_WrongPassword_ThrowsException() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, "correctpassword"); + + // Act & Assert + var exception = Assert.Throws(() => + _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "wrongpassword")); + + Assert.Contains("password", exception.Message.ToLower()); + } + + [Fact] + public void DeserializeRemoteCertificateStore_CorruptedData_ThrowsException() + { + // Arrange + var corruptedData = CertificateTestHelper.GenerateCorruptedData(500); + + // Act & Assert + Assert.ThrowsAny(() => + _serializer.DeserializeRemoteCertificateStore(corruptedData, "/test/path", "password")); + } + + [Fact] + public void DeserializeRemoteCertificateStore_NullData_ThrowsException() + { + // Act & Assert + Assert.ThrowsAny(() => + _serializer.DeserializeRemoteCertificateStore(null, "/test/path", "password")); + } + + [Fact] + public void DeserializeRemoteCertificateStore_EmptyData_ThrowsException() + { + // Act & Assert + Assert.ThrowsAny(() => + _serializer.DeserializeRemoteCertificateStore(Array.Empty(), "/test/path", "password")); + } + + #endregion + + #region Key Type Coverage Tests + + [Theory] + [InlineData(KeyType.Rsa1024)] + [InlineData(KeyType.Rsa2048)] + [InlineData(KeyType.Rsa4096)] + [InlineData(KeyType.Rsa8192)] + public void DeserializeRemoteCertificateStore_RsaKeys_SuccessfullyLoadsStore(KeyType keyType) + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(keyType, $"Test {keyType} Cert"); + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, "password"); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Assert + Assert.NotNull(store); + Assert.NotEmpty(store.Aliases.ToList()); + } + + [Theory] + [InlineData(KeyType.EcP256)] + [InlineData(KeyType.EcP384)] + [InlineData(KeyType.EcP521)] + public void DeserializeRemoteCertificateStore_EcKeys_SuccessfullyLoadsStore(KeyType keyType) + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(keyType, $"Test {keyType} Cert"); + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, "password"); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Assert + Assert.NotNull(store); + Assert.NotEmpty(store.Aliases.ToList()); + } + + [Theory] + [InlineData(KeyType.Dsa1024)] + [InlineData(KeyType.Dsa2048)] + public void DeserializeRemoteCertificateStore_DsaKeys_SuccessfullyLoadsStore(KeyType keyType) + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(keyType, $"Test {keyType} Cert"); + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, "password"); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Assert + Assert.NotNull(store); + Assert.NotEmpty(store.Aliases.ToList()); + } + + [Theory] + [InlineData(KeyType.Ed25519)] + [InlineData(KeyType.Ed448)] + public void DeserializeRemoteCertificateStore_EdwardsKeys_SuccessfullyLoadsStore(KeyType keyType) + { + // Arrange - Edwards curve keys (Ed25519/Ed448) are supported via BouncyCastle PKCS12 + var certInfo = CertificateTestHelper.GenerateCertificate(keyType, $"Test {keyType} Cert"); + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, "password"); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Assert + Assert.NotNull(store); + Assert.NotEmpty(store.Aliases.ToList()); + } + + #endregion + + #region Password Scenarios Tests + + [Theory] + [InlineData("password")] + [InlineData("P@ssw0rd!")] + [InlineData("ๅฏ†็ ")] + [InlineData("๐Ÿ”๐Ÿ”‘")] + [InlineData("pass word")] + public void DeserializeRemoteCertificateStore_VariousPasswords_SuccessfullyLoadsStore(string password) + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, password); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", password); + + // Assert + Assert.NotNull(store); + Assert.NotEmpty(store.Aliases.ToList()); + } + + [Fact] + public void DeserializeRemoteCertificateStore_VeryLongPassword_SuccessfullyLoadsStore() + { + // Arrange + var longPassword = new string('x', 1000); + var certInfo = CertificateTestHelper.GenerateCertificate(); + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, longPassword); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", longPassword); + + // Assert + Assert.NotNull(store); + Assert.NotEmpty(store.Aliases.ToList()); + } + + #endregion + + #region Certificate Chain Tests + + [Fact] + public void DeserializeRemoteCertificateStore_CertificateWithChain_LoadsAllCertificates() + { + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048, "Leaf", "Intermediate", "Root"); + var leafCert = chain[0].Certificate; + var leafKeyPair = chain[0].KeyPair; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12( + leafCert, + leafKeyPair, + "password", + "leaf", + new[] { intermediateCert, rootCert }); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Assert + Assert.NotNull(store); + var certChain = store.GetCertificateChain("leaf"); + Assert.NotNull(certChain); + Assert.Equal(3, certChain.Length); // Leaf + Intermediate + Root + } + + [Fact] + public void DeserializeRemoteCertificateStore_SingleCertificate_LoadsWithoutChain() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, "password"); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Assert + Assert.NotNull(store); + var certChain = store.GetCertificateChain("testcert"); + Assert.NotNull(certChain); + Assert.Single(certChain); // Only the leaf certificate + } + + #endregion + + #region Multiple Aliases Tests + + [Fact] + public void DeserializeRemoteCertificateStore_MultipleAliases_LoadsAllCertificates() + { + // Arrange + var cert1Info = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Cert 1"); + var cert2Info = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Cert 2"); + var cert3Info = CertificateTestHelper.GenerateCertificate(KeyType.Rsa4096, "Cert 3"); + + var entries = new Dictionary + { + { "alias1", (cert1Info.Certificate, cert1Info.KeyPair) }, + { "alias2", (cert2Info.Certificate, cert2Info.KeyPair) }, + { "alias3", (cert3Info.Certificate, cert3Info.KeyPair) } + }; + + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12WithMultipleEntries(entries, "password"); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Assert + Assert.NotNull(store); + var aliases = store.Aliases.ToList(); + Assert.Equal(3, aliases.Count); + Assert.Contains("alias1", aliases); + Assert.Contains("alias2", aliases); + Assert.Contains("alias3", aliases); + } + + #endregion + + #region Serialization Tests + + [Fact] + public void SerializeRemoteCertificateStore_ValidStore_ReturnsSerializedData() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, "password"); + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Act + var serialized = _serializer.SerializeRemoteCertificateStore(store, "/test/path", "store.pfx", "password"); + + // Assert + Assert.NotNull(serialized); + Assert.Single(serialized); + Assert.Equal("/test/path/store.pfx", serialized[0].FilePath); + Assert.NotNull(serialized[0].Contents); + Assert.NotEmpty(serialized[0].Contents); + } + + [Fact] + public void SerializeRemoteCertificateStore_RoundTrip_PreservesData() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, "password", "testcert"); + var originalStore = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Act - Serialize + var serialized = _serializer.SerializeRemoteCertificateStore(originalStore, "/test/path", "store.pfx", "password"); + + // Act - Deserialize again + var roundTripStore = _serializer.DeserializeRemoteCertificateStore(serialized[0].Contents, "/test/path", "password"); + + // Assert + Assert.NotNull(roundTripStore); + var originalAliases = originalStore.Aliases.ToList(); + var roundTripAliases = roundTripStore.Aliases.ToList(); + Assert.Equal(originalAliases.Count, roundTripAliases.Count); + + foreach (var alias in originalAliases) + { + Assert.Contains(alias, roundTripAliases); + var originalCert = originalStore.GetCertificate(alias); + var roundTripCert = roundTripStore.GetCertificate(alias); + Assert.Equal(originalCert.Certificate.GetEncoded(), roundTripCert.Certificate.GetEncoded()); + } + } + + #endregion + + #region GetPrivateKeyPath Tests + + [Fact] + public void GetPrivateKeyPath_ReturnsNull() + { + // PKCS12 stores contain private keys inline, so this should return null + // Act + var path = _serializer.GetPrivateKeyPath(); + + // Assert + Assert.Null(path); + } + + #endregion + + #region IncludeCertChain=false Tests + + [Fact] + public void Management_IncludeCertChainFalse_OnlyLeafCertInChain() + { + // When IncludeCertChain=false is set for PKCS12 stores, only the leaf certificate + // should be stored in the keystore, not the intermediate or root certificates. + + // Arrange - Generate a certificate chain and create PKCS12 with ONLY the leaf + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKeyPair = chain[0].KeyPair; + + // Create PKCS12 with only the leaf certificate (no chain) - simulating IncludeCertChain=false + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12( + leafCert, + leafKeyPair, + "password", + "leaf-only", + chain: null // No chain certificates + ); + + // Act - Deserialize and verify + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Assert + Assert.NotNull(store); + var certChain = store.GetCertificateChain("leaf-only"); + Assert.NotNull(certChain); + + // When IncludeCertChain=false, only the leaf certificate should be present + Assert.Single(certChain); + + // Verify it's the leaf certificate + var storedCert = certChain[0].Certificate; + Assert.Equal(leafCert.SubjectDN.ToString(), storedCert.SubjectDN.ToString()); + } + + [Fact] + public void IncludeCertChainFalse_VersusTrue_DifferentChainLengths() + { + // Compare PKCS12 with IncludeCertChain=true vs IncludeCertChain=false + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKeyPair = chain[0].KeyPair; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + + // IncludeCertChain=false: Only leaf certificate + var pkcs12False = CertificateTestHelper.GeneratePkcs12( + leafCert, + leafKeyPair, + "password", + "leaf-only", + chain: null + ); + + // IncludeCertChain=true: Leaf + full chain + var pkcs12True = CertificateTestHelper.GeneratePkcs12( + leafCert, + leafKeyPair, + "password", + "with-chain", + chain: new[] { intermediateCert, rootCert } + ); + + // Deserialize both + var storeFalse = _serializer.DeserializeRemoteCertificateStore(pkcs12False, "/test/path", "password"); + var storeTrue = _serializer.DeserializeRemoteCertificateStore(pkcs12True, "/test/path", "password"); + + // Assert - IncludeCertChain=false has only 1 cert in chain + var chainFalse = storeFalse.GetCertificateChain("leaf-only"); + Assert.Single(chainFalse); + + // Assert - IncludeCertChain=true has 3 certs in chain + var chainTrue = storeTrue.GetCertificateChain("with-chain"); + Assert.Equal(3, chainTrue.Length); + } + + [Theory] + [InlineData(KeyType.Rsa2048)] + [InlineData(KeyType.EcP256)] + [InlineData(KeyType.EcP384)] + public void IncludeCertChainFalse_VariousKeyTypes_OnlyLeafCertInChain(KeyType keyType) + { + // Verify that IncludeCertChain=false behavior works with various key types for PKCS12 + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(keyType); + var leafCert = chain[0].Certificate; + var leafKeyPair = chain[0].KeyPair; + + // Create PKCS12 with only the leaf certificate + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12( + leafCert, + leafKeyPair, + "password", + "testcert", + chain: null + ); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Assert - Only 1 certificate in the chain + var certChain = store.GetCertificateChain("testcert"); + Assert.Single(certChain); + Assert.Equal(leafCert.SubjectDN.ToString(), certChain[0].Certificate.SubjectDN.ToString()); + } + + [Fact] + public void IncludeCertChainFalse_RoundTrip_PreservesLeafOnly() + { + // Verify that round-trip serialization preserves the leaf-only chain + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKeyPair = chain[0].KeyPair; + + var originalPkcs12 = CertificateTestHelper.GeneratePkcs12( + leafCert, + leafKeyPair, + "password", + "leaf-only", + chain: null + ); + + var originalStore = _serializer.DeserializeRemoteCertificateStore(originalPkcs12, "/test/path", "password"); + + // Act - Round-trip: serialize and deserialize again + var serialized = _serializer.SerializeRemoteCertificateStore(originalStore, "/test/path", "store.pfx", "password"); + var roundTripStore = _serializer.DeserializeRemoteCertificateStore(serialized[0].Contents, "/test/path", "password"); + + // Assert - Still only 1 certificate in chain after round-trip + var roundTripChain = roundTripStore.GetCertificateChain("leaf-only"); + Assert.Single(roundTripChain); + Assert.Equal(leafCert.SubjectDN.ToString(), roundTripChain[0].Certificate.SubjectDN.ToString()); + } + + [Fact] + public void IncludeCertChainFalse_EmptyPassword_OnlyLeafCertInChain() + { + // PKCS12 supports empty passwords - verify IncludeCertChain=false works with empty password + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafKeyPair = chain[0].KeyPair; + + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12( + leafCert, + leafKeyPair, + "", // Empty password + "leaf-only", + chain: null + ); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", ""); + + // Assert + var certChain = store.GetCertificateChain("leaf-only"); + Assert.Single(certChain); + Assert.Equal(leafCert.SubjectDN.ToString(), certChain[0].Certificate.SubjectDN.ToString()); + } + + #endregion + + #region Multiple PKCS12 Files in Single Secret Tests + + [Fact] + public void Inventory_SecretWithMultiplePkcs12Files_LoadsAllKeystores() + { + // Test that multiple PKCS12 files stored in a single Kubernetes secret are all loaded correctly. + // This simulates a K8s secret with multiple data fields like: + // data: + // app.pfx: + // ca.p12: + // truststore.pfx: + + // Arrange - Create separate PKCS12 files with different certificates + var cert1 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "App Certificate"); + var cert2 = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "CA Certificate"); + var cert3 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa4096, "Truststore Certificate"); + + // Generate separate PKCS12 files + var appPfxBytes = CertificateTestHelper.GeneratePkcs12(cert1.Certificate, cert1.KeyPair, "password", "appcert"); + var caP12Bytes = CertificateTestHelper.GeneratePkcs12(cert2.Certificate, cert2.KeyPair, "password", "cacert"); + var truststorePfxBytes = CertificateTestHelper.GeneratePkcs12(cert3.Certificate, cert3.KeyPair, "password", "trustcert"); + + // Simulate multiple PKCS12 files in a secret's Inventory dictionary + var inventoryDict = new Dictionary + { + { "app.pfx", appPfxBytes }, + { "ca.p12", caP12Bytes }, + { "truststore.pfx", truststorePfxBytes } + }; + + // Act - Deserialize each PKCS12 file and collect all aliases + var allAliases = new Dictionary>(); + foreach (var (keyName, keyBytes) in inventoryDict) + { + var store = _serializer.DeserializeRemoteCertificateStore(keyBytes, $"/test/{keyName}", "password"); + allAliases[keyName] = store.Aliases.ToList(); + } + + // Assert - All three PKCS12 files should be loaded + Assert.Equal(3, allAliases.Count); + Assert.Contains("app.pfx", allAliases.Keys); + Assert.Contains("ca.p12", allAliases.Keys); + Assert.Contains("truststore.pfx", allAliases.Keys); + } + + [Fact] + public void Inventory_SecretWithMultiplePkcs12Files_EachHasCorrectAliases() + { + // Test that aliases from each PKCS12 file are correctly attributed to the right file. + // Each PKCS12 file has unique aliases that should be identifiable. + + // Arrange - Create PKCS12 files with different unique aliases + var cert1 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Web Server"); + var cert2 = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Database"); + var cert3 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa4096, "API Gateway"); + + // Create PKCS12 files with specific unique aliases + var webPfxBytes = CertificateTestHelper.GeneratePkcs12(cert1.Certificate, cert1.KeyPair, "password", "webserver-cert"); + var dbPfxBytes = CertificateTestHelper.GeneratePkcs12(cert2.Certificate, cert2.KeyPair, "password", "database-cert"); + var apiPfxBytes = CertificateTestHelper.GeneratePkcs12(cert3.Certificate, cert3.KeyPair, "password", "apigateway-cert"); + + var inventoryDict = new Dictionary + { + { "web.pfx", webPfxBytes }, + { "db.pfx", dbPfxBytes }, + { "api.pfx", apiPfxBytes } + }; + + // Act - Deserialize each PKCS12 and verify aliases + var webStore = _serializer.DeserializeRemoteCertificateStore(inventoryDict["web.pfx"], "/test/web.pfx", "password"); + var dbStore = _serializer.DeserializeRemoteCertificateStore(inventoryDict["db.pfx"], "/test/db.pfx", "password"); + var apiStore = _serializer.DeserializeRemoteCertificateStore(inventoryDict["api.pfx"], "/test/api.pfx", "password"); + + // Assert - Each store has exactly one alias with the expected name + var webAliases = webStore.Aliases.ToList(); + var dbAliases = dbStore.Aliases.ToList(); + var apiAliases = apiStore.Aliases.ToList(); + + Assert.Single(webAliases); + Assert.Single(dbAliases); + Assert.Single(apiAliases); + + Assert.Contains("webserver-cert", webAliases); + Assert.Contains("database-cert", dbAliases); + Assert.Contains("apigateway-cert", apiAliases); + + // Verify that aliases are NOT mixed between files + Assert.DoesNotContain("database-cert", webAliases); + Assert.DoesNotContain("apigateway-cert", webAliases); + Assert.DoesNotContain("webserver-cert", dbAliases); + } + + [Fact] + public void Inventory_SecretWithMultiplePkcs12Files_DifferentPasswords_ThrowsOnWrongPassword() + { + // Test behavior when PKCS12 files have different passwords. + // In practice, K8S stores usually have the same password for all files, + // but we should handle cases where they differ. + + // Arrange + var cert1 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Cert 1"); + var cert2 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Cert 2"); + + var pfx1Bytes = CertificateTestHelper.GeneratePkcs12(cert1.Certificate, cert1.KeyPair, "password1", "cert1"); + var pfx2Bytes = CertificateTestHelper.GeneratePkcs12(cert2.Certificate, cert2.KeyPair, "password2", "cert2"); + + // Act & Assert - First file loads with correct password + var store1 = _serializer.DeserializeRemoteCertificateStore(pfx1Bytes, "/test/file1.pfx", "password1"); + Assert.NotNull(store1); + Assert.Single(store1.Aliases); + + // Second file should throw with wrong password + Assert.ThrowsAny(() => + _serializer.DeserializeRemoteCertificateStore(pfx2Bytes, "/test/file2.pfx", "password1")); + + // Second file loads with correct password + var store2 = _serializer.DeserializeRemoteCertificateStore(pfx2Bytes, "/test/file2.pfx", "password2"); + Assert.NotNull(store2); + Assert.Single(store2.Aliases); + } + + [Fact] + public void Inventory_SecretWithMultiplePkcs12Files_EachWithMultipleEntries_LoadsAllCorrectly() + { + // Test that multiple PKCS12 files, each containing multiple entries, all load correctly. + + // Arrange - Create two PKCS12 files, each with multiple aliases + var cert1a = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "App Server 1"); + var cert1b = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "App Server 2"); + var cert2a = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Backend 1"); + var cert2b = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Backend 2"); + var cert2c = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Backend 3"); + + var appEntries = new Dictionary + { + { "app-server-1", (cert1a.Certificate, cert1a.KeyPair) }, + { "app-server-2", (cert1b.Certificate, cert1b.KeyPair) } + }; + + var backendEntries = new Dictionary + { + { "backend-1", (cert2a.Certificate, cert2a.KeyPair) }, + { "backend-2", (cert2b.Certificate, cert2b.KeyPair) }, + { "backend-3", (cert2c.Certificate, cert2c.KeyPair) } + }; + + var appPfxBytes = CertificateTestHelper.GeneratePkcs12WithMultipleEntries(appEntries, "password"); + var backendPfxBytes = CertificateTestHelper.GeneratePkcs12WithMultipleEntries(backendEntries, "password"); + + var inventoryDict = new Dictionary + { + { "app.pfx", appPfxBytes }, + { "backend.pfx", backendPfxBytes } + }; + + // Act + var appStore = _serializer.DeserializeRemoteCertificateStore(inventoryDict["app.pfx"], "/test/app.pfx", "password"); + var backendStore = _serializer.DeserializeRemoteCertificateStore(inventoryDict["backend.pfx"], "/test/backend.pfx", "password"); + + // Assert + var appAliases = appStore.Aliases.ToList(); + var backendAliases = backendStore.Aliases.ToList(); + + Assert.Equal(2, appAliases.Count); + Assert.Equal(3, backendAliases.Count); + + Assert.Contains("app-server-1", appAliases); + Assert.Contains("app-server-2", appAliases); + + Assert.Contains("backend-1", backendAliases); + Assert.Contains("backend-2", backendAliases); + Assert.Contains("backend-3", backendAliases); + + // Total aliases across all files + Assert.Equal(5, appAliases.Count + backendAliases.Count); + } + + #endregion + + #region Edge Case Tests + + [Fact] + public void DeserializeRemoteCertificateStore_PartiallyCorruptedData_ThrowsException() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var validPkcs12Bytes = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, "password"); + var corruptedBytes = CertificateTestHelper.CorruptData(validPkcs12Bytes, bytesToCorrupt: 10); + + // Act & Assert + Assert.ThrowsAny(() => + _serializer.DeserializeRemoteCertificateStore(corruptedBytes, "/test/path", "password")); + } + + [Fact] + public void SerializeRemoteCertificateStore_EmptyStore_ReturnsValidOutput() + { + // Arrange + var emptyStore = new Pkcs12StoreBuilder().Build(); + + // Act + var serialized = _serializer.SerializeRemoteCertificateStore(emptyStore, "/test/path", "empty.pfx", "password"); + + // Assert + Assert.NotNull(serialized); + Assert.Single(serialized); + Assert.NotNull(serialized[0].Contents); + } + + [Fact] + public void SerializeRemoteCertificateStore_DifferentPassword_SuccessfullySerializes() + { + // Tests that we can deserialize with one password and serialize with a different one + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, "password1"); + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password1"); + + // Act + var serialized = _serializer.SerializeRemoteCertificateStore(store, "/test/path", "store.pfx", "password2"); + + // Assert - Deserialize with new password + var newStore = _serializer.DeserializeRemoteCertificateStore(serialized[0].Contents, "/test/path", "password2"); + Assert.NotNull(newStore); + Assert.Equal(store.Aliases.ToList().Count, newStore.Aliases.ToList().Count); + } + + [Fact] + public void DeserializeRemoteCertificateStore_CertificateOnlyEntry_SuccessfullyLoadsStore() + { + // PKCS12 can contain certificate entries without private keys + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var storeBuilder = new Pkcs12StoreBuilder(); + var store = storeBuilder.Build(); + + // Add certificate without private key + store.SetCertificateEntry("certonly", new Org.BouncyCastle.Pkcs.X509CertificateEntry(certInfo.Certificate)); + + using var ms = new MemoryStream(); + store.Save(ms, "password".ToCharArray(), new Org.BouncyCastle.Security.SecureRandom()); + var pkcs12Bytes = ms.ToArray(); + + // Act + var loadedStore = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Assert + Assert.NotNull(loadedStore); + Assert.Contains("certonly", loadedStore.Aliases.ToList()); + Assert.False(loadedStore.IsKeyEntry("certonly")); + } + + #endregion + + #region Mixed Entry Types Tests (Private Keys + Trusted Certs) + + [Fact] + public void DeserializeRemoteCertificateStore_MixedEntryTypes_LoadsBothTypes() + { + // Arrange - Create a PKCS12 with both private key entries and trusted certificate entries + var privateKeyEntry1 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Server Cert 1"); + var privateKeyEntry2 = CertificateTestHelper.GenerateCertificate(KeyType.EcP256, "Server Cert 2"); + var trustedCert1 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Trusted Root CA"); + var trustedCert2 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa4096, "Trusted Intermediate CA"); + + var privateKeyEntries = new Dictionary + { + { "server1", (privateKeyEntry1.Certificate, privateKeyEntry1.KeyPair) }, + { "server2", (privateKeyEntry2.Certificate, privateKeyEntry2.KeyPair) } + }; + + var trustedCertEntries = new Dictionary + { + { "root-ca", trustedCert1.Certificate }, + { "intermediate-ca", trustedCert2.Certificate } + }; + + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12WithMixedEntries(privateKeyEntries, trustedCertEntries, "password"); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Assert - All 4 entries should be loaded + Assert.NotNull(store); + var aliases = store.Aliases.ToList(); + Assert.Equal(4, aliases.Count); + Assert.Contains("server1", aliases); + Assert.Contains("server2", aliases); + Assert.Contains("root-ca", aliases); + Assert.Contains("intermediate-ca", aliases); + } + + [Fact] + public void Inventory_MixedEntryTypes_ReportsCorrectPrivateKeyStatus() + { + // Arrange - Create a PKCS12 with both private key entries and trusted certificate entries + var privateKeyEntry = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Server Cert"); + var trustedCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Trusted CA"); + + var privateKeyEntries = new Dictionary + { + { "server", (privateKeyEntry.Certificate, privateKeyEntry.KeyPair) } + }; + + var trustedCertEntries = new Dictionary + { + { "trusted-ca", trustedCert.Certificate } + }; + + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12WithMixedEntries(privateKeyEntries, trustedCertEntries, "password"); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Assert - Verify IsKeyEntry returns correct values + Assert.True(store.IsKeyEntry("server"), "server should be a key entry (has private key)"); + Assert.False(store.IsKeyEntry("trusted-ca"), "trusted-ca should NOT be a key entry (certificate only)"); + + // Verify we can get the certificate from both entries + var serverCert = store.GetCertificate("server"); + var trustedCaCert = store.GetCertificate("trusted-ca"); + Assert.NotNull(serverCert); + Assert.NotNull(trustedCaCert); + } + + [Fact] + public void CreateOrUpdatePkcs12_AddTrustedCertEntry_PreservesExistingEntries() + { + // Arrange - Create initial PKCS12 with a private key entry + var existingCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Existing Server Cert"); + var existingPkcs12 = CertificateTestHelper.GeneratePkcs12(existingCert.Certificate, existingCert.KeyPair, "password", "existing-server"); + + // Create a trusted certificate (no private key) to add + var trustedCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Trusted CA"); + + // Convert trusted cert to DER bytes (certificate only, no private key) + var trustedCertBytes = trustedCert.Certificate.GetEncoded(); + + // Act - Add the trusted certificate entry + var updatedPkcs12Bytes = _serializer.CreateOrUpdatePkcs12( + trustedCertBytes, + null, // No password for certificate-only + "trusted-ca", + existingPkcs12, + "password", + remove: false, + includeChain: true); + + // Deserialize and verify + var store = _serializer.DeserializeRemoteCertificateStore(updatedPkcs12Bytes, "/test/path", "password"); + + // Assert - Both entries should exist + var aliases = store.Aliases.ToList(); + Assert.Equal(2, aliases.Count); + Assert.Contains("existing-server", aliases); + Assert.Contains("trusted-ca", aliases); + + // Verify entry types are preserved + Assert.True(store.IsKeyEntry("existing-server"), "existing-server should still be a key entry"); + Assert.False(store.IsKeyEntry("trusted-ca"), "trusted-ca should be a certificate-only entry"); + } + + [Fact] + public void SerializeRemoteCertificateStore_MixedEntryTypes_PreservesEntryTypes() + { + // Arrange - Create a PKCS12 with mixed entry types + var privateKeyEntry = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Server Cert"); + var trustedCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Trusted CA"); + + var privateKeyEntries = new Dictionary + { + { "server", (privateKeyEntry.Certificate, privateKeyEntry.KeyPair) } + }; + + var trustedCertEntries = new Dictionary + { + { "trusted-ca", trustedCert.Certificate } + }; + + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12WithMixedEntries(privateKeyEntries, trustedCertEntries, "password"); + var originalStore = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Act - Serialize and deserialize + var serialized = _serializer.SerializeRemoteCertificateStore(originalStore, "/test/path", "store.pfx", "password"); + var roundTripStore = _serializer.DeserializeRemoteCertificateStore(serialized[0].Contents, "/test/path", "password"); + + // Assert - Entry types should be preserved after round-trip + Assert.True(roundTripStore.IsKeyEntry("server"), "server should still be a key entry after round-trip"); + Assert.False(roundTripStore.IsKeyEntry("trusted-ca"), "trusted-ca should still be certificate-only after round-trip"); + } + + [Fact] + public void DeserializeRemoteCertificateStore_MixedEntryTypes_CorrectCertificateChainForKeyEntries() + { + // Arrange - Create a PKCS12 with a private key entry that has a chain and a trusted cert entry + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048, "Server", "Intermediate", "Root"); + var serverCert = chain[0]; + var intermediateCert = chain[1].Certificate; + var rootCert = chain[2].Certificate; + var trustedCa = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "External Trusted CA"); + + // Create PKCS12 manually with chain for key entry + var store = new Pkcs12StoreBuilder().Build(); + var certChain = new[] + { + new X509CertificateEntry(serverCert.Certificate), + new X509CertificateEntry(intermediateCert), + new X509CertificateEntry(rootCert) + }; + store.SetKeyEntry("server", new AsymmetricKeyEntry(serverCert.KeyPair.Private), certChain); + store.SetCertificateEntry("external-ca", new X509CertificateEntry(trustedCa.Certificate)); + + using var ms = new MemoryStream(); + store.Save(ms, "password".ToCharArray(), new Org.BouncyCastle.Security.SecureRandom()); + var pkcs12Bytes = ms.ToArray(); + + // Act + var loadedStore = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", "password"); + + // Assert - Key entry should have full chain + var serverChain = loadedStore.GetCertificateChain("server"); + Assert.NotNull(serverChain); + Assert.Equal(3, serverChain.Length); + + // Trusted cert entry should have no chain (just the certificate) + var externalCaChain = loadedStore.GetCertificateChain("external-ca"); + Assert.Null(externalCaChain); // Certificate entries don't have chains, only key entries do + } + + [Fact] + public void CreateOrUpdatePkcs12_RemoveTrustedCertEntry_PreservesKeyEntries() + { + // Arrange - Create PKCS12 with both entry types + var privateKeyEntry = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Server Cert"); + var trustedCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Trusted CA"); + + var privateKeyEntries = new Dictionary + { + { "server", (privateKeyEntry.Certificate, privateKeyEntry.KeyPair) } + }; + + var trustedCertEntries = new Dictionary + { + { "trusted-ca", trustedCert.Certificate } + }; + + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12WithMixedEntries(privateKeyEntries, trustedCertEntries, "password"); + + // Act - Remove the trusted cert entry + var updatedPkcs12Bytes = _serializer.CreateOrUpdatePkcs12( + Array.Empty(), + null, + "trusted-ca", + pkcs12Bytes, + "password", + remove: true, + includeChain: true); + + // Deserialize and verify + var store = _serializer.DeserializeRemoteCertificateStore(updatedPkcs12Bytes, "/test/path", "password"); + + // Assert - Only the key entry should remain + var aliases = store.Aliases.ToList(); + Assert.Single(aliases); + Assert.Contains("server", aliases); + Assert.DoesNotContain("trusted-ca", aliases); + Assert.True(store.IsKeyEntry("server"), "server should still be a key entry"); + } + + [Fact] + public void DeserializeRemoteCertificateStore_MixedEntryTypesWithEmptyPassword_LoadsCorrectly() + { + // Arrange - PKCS12 supports empty passwords + var privateKeyEntry = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Server Cert"); + var trustedCert = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Trusted CA"); + + var privateKeyEntries = new Dictionary + { + { "server", (privateKeyEntry.Certificate, privateKeyEntry.KeyPair) } + }; + + var trustedCertEntries = new Dictionary + { + { "trusted-ca", trustedCert.Certificate } + }; + + var pkcs12Bytes = CertificateTestHelper.GeneratePkcs12WithMixedEntries(privateKeyEntries, trustedCertEntries, ""); + + // Act + var store = _serializer.DeserializeRemoteCertificateStore(pkcs12Bytes, "/test/path", ""); + + // Assert + Assert.True(store.IsKeyEntry("server"), "server should be a key entry"); + Assert.False(store.IsKeyEntry("trusted-ca"), "trusted-ca should NOT be a key entry"); + } + + #endregion + + #region Empty Store Tests (Create Store If Missing) + + [Fact] + public void CreateEmptyPkcs12Store_WithPassword_CanBeLoadedWithSamePassword() + { + // Arrange - Create an empty PKCS12 store (simulates "create store if missing") + var storeBuilder = new Pkcs12StoreBuilder(); + var emptyStore = storeBuilder.Build(); + var password = "testpassword"; + + // Act - Save the empty store + using var outStream = new MemoryStream(); + emptyStore.Save(outStream, password.ToCharArray(), new Org.BouncyCastle.Security.SecureRandom()); + var emptyPkcs12Bytes = outStream.ToArray(); + + // Assert - Should be valid PKCS12 that can be loaded + Assert.NotNull(emptyPkcs12Bytes); + Assert.NotEmpty(emptyPkcs12Bytes); + + // Verify it can be loaded + var loadedStore = _serializer.DeserializeRemoteCertificateStore(emptyPkcs12Bytes, "/test/path", password); + Assert.NotNull(loadedStore); + Assert.Empty(loadedStore.Aliases.ToList()); + } + + [Fact] + public void CreateEmptyPkcs12Store_WithEmptyPassword_CanBeLoadedWithEmptyPassword() + { + // Arrange - Create an empty PKCS12 store with empty password + var storeBuilder = new Pkcs12StoreBuilder(); + var emptyStore = storeBuilder.Build(); + + // Act - Save the empty store with empty password + using var outStream = new MemoryStream(); + emptyStore.Save(outStream, Array.Empty(), new Org.BouncyCastle.Security.SecureRandom()); + var emptyPkcs12Bytes = outStream.ToArray(); + + // Assert - Should be valid PKCS12 that can be loaded + Assert.NotNull(emptyPkcs12Bytes); + Assert.NotEmpty(emptyPkcs12Bytes); + + // Verify it can be loaded + var loadedStore = _serializer.DeserializeRemoteCertificateStore(emptyPkcs12Bytes, "/test/path", ""); + Assert.NotNull(loadedStore); + Assert.Empty(loadedStore.Aliases.ToList()); + } + + [Fact] + public void CreateEmptyPkcs12Store_ThenAddCertificate_Success() + { + // Arrange - Create an empty PKCS12 store + var storeBuilder = new Pkcs12StoreBuilder(); + var emptyStore = storeBuilder.Build(); + var password = "testpassword"; + + using var outStream = new MemoryStream(); + emptyStore.Save(outStream, password.ToCharArray(), new Org.BouncyCastle.Security.SecureRandom()); + var emptyPkcs12Bytes = outStream.ToArray(); + + // Create a certificate to add + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "New Cert"); + var newCertPkcs12 = CertificateTestHelper.GeneratePkcs12(certInfo.Certificate, certInfo.KeyPair, password, "newcert"); + + // Act - Use CreateOrUpdatePkcs12 to add the certificate to the empty store + var updatedPkcs12Bytes = _serializer.CreateOrUpdatePkcs12( + newCertPkcs12, + password, + "newcert", + emptyPkcs12Bytes, + password, + false, + true); + + // Assert - Should have one certificate + var loadedStore = _serializer.DeserializeRemoteCertificateStore(updatedPkcs12Bytes, "/test/path", password); + var aliases = loadedStore.Aliases.ToList(); + Assert.Single(aliases); + Assert.Contains("newcert", aliases); + } + + #endregion +} diff --git a/kubernetes-orchestrator-extension.Tests/K8SSecretStoreTests.cs b/kubernetes-orchestrator-extension.Tests/K8SSecretStoreTests.cs new file mode 100644 index 00000000..849fa6f3 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/K8SSecretStoreTests.cs @@ -0,0 +1,780 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System; +using System.Collections.Generic; +using System.Text; +using k8s.Models; +using Keyfactor.Orchestrators.K8S.Tests.Helpers; +using Xunit; +using static Keyfactor.Orchestrators.K8S.Tests.Helpers.CertificateTestHelper; + +namespace Keyfactor.Orchestrators.K8S.Tests; + +/// +/// Unit tests for K8SSecret store type operations (Opaque secrets with PEM format). +/// K8SSecret uses PEM format directly without a serializer - certificates and keys are stored as UTF-8 text. +/// Tests focus on PEM handling, field name flexibility, and certificate chain management. +/// +public class K8SSecretStoreTests +{ + #region PEM Certificate Parsing Tests + + [Fact] + public void PemCertificate_ValidFormat_CanBeParsed() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Test PEM Cert"); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + // Assert + Assert.NotNull(certPem); + Assert.Contains("-----BEGIN CERTIFICATE-----", certPem); + Assert.Contains("-----END CERTIFICATE-----", certPem); + Assert.DoesNotContain("-----BEGIN PRIVATE KEY-----", certPem); + } + + [Fact] + public void PemPrivateKey_ValidFormat_CanBeParsed() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Test"); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + + // Assert + Assert.NotNull(keyPem); + Assert.Contains("-----BEGIN PRIVATE KEY-----", keyPem); + Assert.Contains("-----END PRIVATE KEY-----", keyPem); + } + + [Theory] + [InlineData(KeyType.Rsa1024)] + [InlineData(KeyType.Rsa2048)] + [InlineData(KeyType.Rsa4096)] + [InlineData(KeyType.Rsa8192)] + [InlineData(KeyType.EcP256)] + [InlineData(KeyType.EcP384)] + [InlineData(KeyType.EcP521)] + [InlineData(KeyType.Dsa1024)] + [InlineData(KeyType.Dsa2048)] + [InlineData(KeyType.Ed25519)] + [InlineData(KeyType.Ed448)] + public void PemCertificate_VariousKeyTypes_ValidFormat(KeyType keyType) + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(keyType, $"Test {keyType}"); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + // Assert + Assert.Contains("-----BEGIN CERTIFICATE-----", certPem); + Assert.Contains("-----END CERTIFICATE-----", certPem); + } + + #endregion + + #region K8S Secret Structure Tests + + [Fact] + public void OpaqueSecret_WithPemCertAndKey_HasCorrectStructure() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Test"); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = "test-secret", + NamespaceProperty = "default" + }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert + Assert.Equal("Opaque", secret.Type); + Assert.Equal(2, secret.Data.Count); + Assert.True(secret.Data.ContainsKey("tls.crt")); + Assert.True(secret.Data.ContainsKey("tls.key")); + } + + [Fact] + public void OpaqueSecret_WithCertificateChain_CanStoreSeparateCaField() + { + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var intermediateCert = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootCert = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // Create secret with separate ca.crt field + var secret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "test-with-chain" }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafCert) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) }, + { "ca.crt", Encoding.UTF8.GetBytes(intermediateCert + rootCert) } + } + }; + + // Assert + Assert.Equal(3, secret.Data.Count); + Assert.True(secret.Data.ContainsKey("ca.crt")); + var caCerts = Encoding.UTF8.GetString(secret.Data["ca.crt"]); + Assert.Contains("-----BEGIN CERTIFICATE-----", caCerts); + } + + [Theory] + [InlineData("tls.crt")] + [InlineData("cert")] + [InlineData("certificate")] + [InlineData("crt")] + public void OpaqueSecret_FlexibleFieldNames_SupportedVariations(string certFieldName) + { + // K8SSecret supports multiple field name variations (unlike K8STLSSecr which is strict) + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + var secret = new V1Secret + { + Type = "Opaque", + Data = new Dictionary + { + { certFieldName, Encoding.UTF8.GetBytes(certPem) } + } + }; + + // Assert + Assert.True(secret.Data.ContainsKey(certFieldName)); + } + + #endregion + + #region Certificate Chain Tests + + [Fact] + public void CertificateChain_ConcatenatedInSingleField_ValidFormat() + { + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafPem = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var intermediatePem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootPem = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + + // Concatenate chain + var fullChainPem = leafPem + intermediatePem + rootPem; + + // Assert + Assert.Contains("-----BEGIN CERTIFICATE-----", fullChainPem); + var certCount = fullChainPem.Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(3, certCount); + } + + [Fact] + public void CertificateChain_SingleCertificate_NoChainField() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + var secret = new V1Secret + { + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) } + } + }; + + // Assert - no ca.crt field for single certificate + Assert.False(secret.Data.ContainsKey("ca.crt")); + } + + [Fact] + public void OpaqueSecret_WithBundledChain_AllCertsInTlsCrt() + { + // When SeparateChain=false, the full chain should be bundled into tls.crt + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafPem = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var intermediatePem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootPem = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // Bundle the full chain into tls.crt (SeparateChain=false behavior) + var bundledChain = leafPem + intermediatePem + rootPem; + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "bundled-chain-opaque" }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(bundledChain) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert + Assert.Equal(2, secret.Data.Count); // Only tls.crt and tls.key, no ca.crt + Assert.False(secret.Data.ContainsKey("ca.crt"), "Should NOT have ca.crt when chain is bundled"); + + // Verify tls.crt contains all 3 certificates + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = tlsCrtData.Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(3, certCount); + } + + [Fact] + public void OpaqueSecret_SeparateChainVsBundled_DifferentStructures() + { + // Compare the two chain storage strategies for Opaque secrets + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafPem = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var intermediatePem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootPem = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // SeparateChain=true: leaf in tls.crt, chain in ca.crt + var separateChainSecret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "separate-chain" }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) }, + { "ca.crt", Encoding.UTF8.GetBytes(intermediatePem + rootPem) } + } + }; + + // SeparateChain=false: full chain bundled in tls.crt + var bundledChainSecret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "bundled-chain" }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem + intermediatePem + rootPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert - Separate chain has 3 fields + Assert.Equal(3, separateChainSecret.Data.Count); + Assert.True(separateChainSecret.Data.ContainsKey("ca.crt")); + var separateTlsCertCount = Encoding.UTF8.GetString(separateChainSecret.Data["tls.crt"]) + .Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(1, separateTlsCertCount); // Only leaf in tls.crt + + // Assert - Bundled chain has 2 fields + Assert.Equal(2, bundledChainSecret.Data.Count); + Assert.False(bundledChainSecret.Data.ContainsKey("ca.crt")); + var bundledTlsCertCount = Encoding.UTF8.GetString(bundledChainSecret.Data["tls.crt"]) + .Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(3, bundledTlsCertCount); // Full chain in tls.crt + } + + #endregion + + #region DER to PEM Conversion Tests + + [Fact] + public void DerCertificate_ConvertedToPem_ValidFormat() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048); + var derBytes = certInfo.Certificate.GetEncoded(); + + // Act - Parse from DER and convert to PEM + var parser = new Org.BouncyCastle.X509.X509CertificateParser(); + var cert = parser.ReadCertificate(derBytes); + var pemCert = CertificateTestHelper.ConvertCertificateToPem(cert); + + // Assert + Assert.NotNull(pemCert); + Assert.Contains("-----BEGIN CERTIFICATE-----", pemCert); + Assert.Contains("-----END CERTIFICATE-----", pemCert); + } + + #endregion + + #region Encoding Tests + + [Fact] + public void PemCertificate_Utf8Encoding_RoundTripSuccessful() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var originalPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + // Act - Encode to bytes and decode back + var bytes = Encoding.UTF8.GetBytes(originalPem); + var decodedPem = Encoding.UTF8.GetString(bytes); + + // Assert + Assert.Equal(originalPem, decodedPem); + } + + [Fact] + public void PemData_StoredAsBytes_CorrectlyDecoded() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var certBytes = Encoding.UTF8.GetBytes(certPem); + + // Simulate storing in K8S secret + var secret = new V1Secret + { + Data = new Dictionary + { + { "tls.crt", certBytes } + } + }; + + // Act - Retrieve and decode + var retrievedBytes = secret.Data["tls.crt"]; + var retrievedPem = Encoding.UTF8.GetString(retrievedBytes); + + // Assert + Assert.Equal(certPem, retrievedPem); + Assert.Contains("-----BEGIN CERTIFICATE-----", retrievedPem); + } + + #endregion + + #region Edge Cases + + [Fact] + public void OpaqueSecret_EmptyData_ValidStructure() + { + // Arrange + var secret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "empty-secret" }, + Type = "Opaque", + Data = new Dictionary() + }; + + // Assert + Assert.NotNull(secret.Data); + Assert.Empty(secret.Data); + } + + [Fact] + public void OpaqueSecret_OnlyCertificateNoKey_ValidStructure() + { + // Some secrets may only contain certificates without private keys + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + var secret = new V1Secret + { + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) } + } + }; + + // Assert + Assert.Single(secret.Data); + Assert.False(secret.Data.ContainsKey("tls.key")); + } + + [Fact] + public void PemCertificate_WithWhitespace_StillValid() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + // Add extra whitespace (common in manual creation) + var pemWithWhitespace = "\n" + certPem + "\n\n"; + + // Assert - Should still contain valid markers + Assert.Contains("-----BEGIN CERTIFICATE-----", pemWithWhitespace); + Assert.Contains("-----END CERTIFICATE-----", pemWithWhitespace); + } + + [Fact] + public void OpaqueSecret_UpdateWithCertificateOnly_PreservesExistingKey() + { + // Simulates the scenario where an existing secret with a private key + // is updated with certificate-only data (no private key). + // The existing private key should be preserved. + + // Arrange - Existing secret with certificate and key + var certInfo1 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Original"); + var certPem1 = CertificateTestHelper.ConvertCertificateToPem(certInfo1.Certificate); + var keyPem1 = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo1.KeyPair.Private); + + var existingSecret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "test-secret" }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem1) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem1) } + } + }; + + // New secret with certificate only (no key) + var certInfo2 = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Updated"); + var certPem2 = CertificateTestHelper.ConvertCertificateToPem(certInfo2.Certificate); + + var newSecret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "test-secret" }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem2) } + // No tls.key - simulating certificate-only update + } + }; + + // Act - Simulate the update logic (as done in UpdateOpaqueSecret) + // Update tls.key only if provided in the new secret + if (newSecret.Data.TryGetValue("tls.key", out var newKeyData)) + { + existingSecret.Data["tls.key"] = newKeyData; + } + // Always update tls.crt + existingSecret.Data["tls.crt"] = newSecret.Data["tls.crt"]; + + // Assert + Assert.True(existingSecret.Data.ContainsKey("tls.key"), "Existing key should be preserved"); + Assert.Equal(keyPem1, Encoding.UTF8.GetString(existingSecret.Data["tls.key"])); // Key unchanged + Assert.Equal(certPem2, Encoding.UTF8.GetString(existingSecret.Data["tls.crt"])); // Cert updated + } + + [Fact] + public void OpaqueSecret_NewSecretWithoutKey_DoesNotContainTlsKey() + { + // Tests that when creating a new Opaque secret without a private key, + // the tls.key field should not be present at all. + + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + string keyPem = null; // No private key + + // Act - Simulate CreateNewSecret logic for Opaque secrets + var opaqueData = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem ?? "") } + }; + if (!string.IsNullOrEmpty(keyPem)) + { + opaqueData["tls.key"] = Encoding.UTF8.GetBytes(keyPem); + } + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "test-certonly" }, + Type = "Opaque", + Data = opaqueData + }; + + // Assert + Assert.True(secret.Data.ContainsKey("tls.crt"), "Should have tls.crt"); + Assert.False(secret.Data.ContainsKey("tls.key"), "Should NOT have tls.key when no private key provided"); + } + + #endregion + + #region Opaque Secret Field Name Tests + + /// + /// Verifies that opaque secrets can use various field names for certificate data, + /// not just 'tls.crt'. This tests the fix for the bug where opaque secrets were + /// incorrectly processed using HandleTlsSecret which only looks for 'tls.crt'. + /// + [Theory] + [InlineData("tls.crt")] + [InlineData("cert")] + [InlineData("certificate")] + [InlineData("certs")] + [InlineData("certificates")] + [InlineData("crt")] + public void OpaqueSecret_WithVariousCertificateFieldNames_ValidStructure(string fieldName) + { + // Arrange - Create opaque secret with different field names for certificate + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = $"test-{fieldName}-secret" }, + Type = "Opaque", + Data = new Dictionary + { + { fieldName, Encoding.UTF8.GetBytes(certPem) } + } + }; + + // Assert - Secret should be valid with any of these field names + Assert.NotNull(secret.Data); + Assert.True(secret.Data.ContainsKey(fieldName)); + var certData = Encoding.UTF8.GetString(secret.Data[fieldName]); + Assert.Contains("-----BEGIN CERTIFICATE-----", certData); + } + + /// + /// Verifies that TLS secrets use the standard 'tls.crt' and 'tls.key' fields. + /// This is the expected format for kubernetes.io/tls secrets. + /// + [Fact] + public void TlsSecret_RequiresStandardFields() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "tls-secret" }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert - TLS secrets must have these specific fields + Assert.True(secret.Data.ContainsKey("tls.crt")); + Assert.True(secret.Data.ContainsKey("tls.key")); + Assert.Equal("kubernetes.io/tls", secret.Type); + } + + /// + /// Verifies that opaque and TLS secrets have different field requirements. + /// This tests the distinction that was causing the K8SNS inventory bug. + /// + [Fact] + public void OpaqueVsTlsSecret_DifferentFieldRequirements() + { + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + + // Opaque secret can use 'cert' field name + var opaqueSecret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "opaque-secret" }, + Type = "Opaque", + Data = new Dictionary + { + { "cert", Encoding.UTF8.GetBytes(certPem) }, + { "key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // TLS secret must use standard fields + var tlsSecret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "tls-secret" }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert - Different field names are valid for each type + Assert.True(opaqueSecret.Data.ContainsKey("cert")); + Assert.False(opaqueSecret.Data.ContainsKey("tls.crt")); // Opaque can use 'cert' instead + Assert.True(tlsSecret.Data.ContainsKey("tls.crt")); + Assert.Equal("kubernetes.io/tls", tlsSecret.Type); + Assert.Equal("Opaque", opaqueSecret.Type); + } + + #endregion + + #region IncludeCertChain=false Tests + + [Fact] + public void Management_IncludeCertChainFalse_OnlyLeafCertStored() + { + // When IncludeCertChain=false is set for Opaque secrets, only the leaf certificate + // should be stored, not the intermediate or root certificates. + + // Arrange - Generate a certificate chain (leaf -> intermediate -> root) + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafPem = CertificateTestHelper.ConvertCertificateToPem(leafCert); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // Act - Create Opaque secret with ONLY the leaf certificate (simulating IncludeCertChain=false behavior) + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = "test-opaque-include-cert-chain-false", + NamespaceProperty = "default" + }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert + Assert.Equal("Opaque", secret.Type); + Assert.Equal(2, secret.Data.Count); // Only tls.crt and tls.key, NO ca.crt + + // Verify tls.crt contains ONLY the leaf certificate (1 certificate) + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = tlsCrtData.Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(1, certCount); + + // Verify NO ca.crt field exists + Assert.False(secret.Data.ContainsKey("ca.crt"), + "Opaque secret should NOT contain ca.crt when IncludeCertChain=false"); + + // Verify the stored certificate is the leaf certificate by checking its subject + using var reader = new System.IO.StringReader(tlsCrtData); + var pemReader = new Org.BouncyCastle.OpenSsl.PemReader(reader); + var storedCert = (Org.BouncyCastle.X509.X509Certificate)pemReader.ReadObject(); + var storedSubject = storedCert.SubjectDN.ToString(); + var leafSubject = leafCert.SubjectDN.ToString(); + + Assert.Equal(leafSubject, storedSubject); + } + + [Fact] + public void IncludeCertChainFalse_VersusTrue_DifferentStructures() + { + // Compare the expected output between IncludeCertChain=true vs IncludeCertChain=false for Opaque secrets + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafPem = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var intermediatePem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootPem = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // IncludeCertChain=false: Only leaf certificate in tls.crt, no chain + var includeCertChainFalseSecret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "opaque-include-chain-false" }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // IncludeCertChain=true (SeparateChain=false): Full chain bundled in tls.crt + var includeCertChainTrueBundledSecret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "opaque-include-chain-true-bundled" }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem + intermediatePem + rootPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert - IncludeCertChain=false has only 1 certificate in tls.crt + var falseChainCount = Encoding.UTF8.GetString(includeCertChainFalseSecret.Data["tls.crt"]) + .Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(1, falseChainCount); + Assert.False(includeCertChainFalseSecret.Data.ContainsKey("ca.crt")); + + // Assert - IncludeCertChain=true (bundled) has 3 certificates in tls.crt + var trueBundledChainCount = Encoding.UTF8.GetString(includeCertChainTrueBundledSecret.Data["tls.crt"]) + .Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(3, trueBundledChainCount); + Assert.False(includeCertChainTrueBundledSecret.Data.ContainsKey("ca.crt")); + } + + [Theory] + [InlineData(KeyType.Rsa2048)] + [InlineData(KeyType.EcP256)] + [InlineData(KeyType.EcP384)] + public void IncludeCertChainFalse_VariousKeyTypes_OnlyLeafCertStored(KeyType keyType) + { + // Verify that IncludeCertChain=false behavior works with various key types for Opaque secrets + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(keyType); + var leafCert = chain[0].Certificate; + var leafPem = CertificateTestHelper.ConvertCertificateToPem(leafCert); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // Act - Simulate IncludeCertChain=false output + var secret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = $"test-opaque-no-chain-{keyType}" }, + Type = "Opaque", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert - Only 1 certificate in tls.crt + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = tlsCrtData.Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(1, certCount); + Assert.False(secret.Data.ContainsKey("ca.crt")); + } + + #endregion + + #region Metadata Tests + + [Fact] + public void OpaqueSecret_WithLabels_PreservesMetadata() + { + // Arrange + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = "labeled-secret", + NamespaceProperty = "default", + Labels = new Dictionary + { + { "keyfactor.com/managed", "true" }, + { "keyfactor.com/store-type", "K8SSecret" } + } + }, + Type = "Opaque" + }; + + // Assert + Assert.NotNull(secret.Metadata.Labels); + Assert.Equal(2, secret.Metadata.Labels.Count); + Assert.Equal("K8SSecret", secret.Metadata.Labels["keyfactor.com/store-type"]); + } + + #endregion +} diff --git a/kubernetes-orchestrator-extension.Tests/K8STLSSecrStoreTests.cs b/kubernetes-orchestrator-extension.Tests/K8STLSSecrStoreTests.cs new file mode 100644 index 00000000..25808474 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/K8STLSSecrStoreTests.cs @@ -0,0 +1,699 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System; +using System.Collections.Generic; +using System.Text; +using k8s.Models; +using Keyfactor.Orchestrators.K8S.Tests.Helpers; +using Xunit; +using static Keyfactor.Orchestrators.K8S.Tests.Helpers.CertificateTestHelper; + +namespace Keyfactor.Orchestrators.K8S.Tests; + +/// +/// Unit tests for K8STLSSecr store type operations (kubernetes.io/tls secrets with PEM format). +/// K8STLSSecr enforces strict field names (tls.crt, tls.key, ca.crt) and secret type kubernetes.io/tls. +/// Tests focus on PEM handling, strict field validation, and certificate chain management. +/// +public class K8STLSSecrStoreTests +{ + #region PEM Certificate Parsing Tests + + [Fact] + public void PemCertificate_ValidFormat_CanBeParsed() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Test PEM Cert"); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + // Assert + Assert.NotNull(certPem); + Assert.Contains("-----BEGIN CERTIFICATE-----", certPem); + Assert.Contains("-----END CERTIFICATE-----", certPem); + Assert.DoesNotContain("-----BEGIN PRIVATE KEY-----", certPem); + } + + [Fact] + public void PemPrivateKey_ValidFormat_CanBeParsed() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Test"); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + + // Assert + Assert.NotNull(keyPem); + Assert.Contains("-----BEGIN PRIVATE KEY-----", keyPem); + Assert.Contains("-----END PRIVATE KEY-----", keyPem); + } + + [Theory] + [InlineData(KeyType.Rsa1024)] + [InlineData(KeyType.Rsa2048)] + [InlineData(KeyType.Rsa4096)] + [InlineData(KeyType.Rsa8192)] + [InlineData(KeyType.EcP256)] + [InlineData(KeyType.EcP384)] + [InlineData(KeyType.EcP521)] + [InlineData(KeyType.Dsa1024)] + [InlineData(KeyType.Dsa2048)] + [InlineData(KeyType.Ed25519)] + [InlineData(KeyType.Ed448)] + public void PemCertificate_VariousKeyTypes_ValidFormat(KeyType keyType) + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(keyType, $"Test {keyType}"); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + // Assert + Assert.Contains("-----BEGIN CERTIFICATE-----", certPem); + Assert.Contains("-----END CERTIFICATE-----", certPem); + } + + #endregion + + #region K8S TLS Secret Structure Tests + + [Fact] + public void TlsSecret_WithCertAndKey_HasCorrectStructure() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048, "Test"); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = "test-tls-secret", + NamespaceProperty = "default" + }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert + Assert.Equal("kubernetes.io/tls", secret.Type); + Assert.Equal(2, secret.Data.Count); + Assert.True(secret.Data.ContainsKey("tls.crt")); + Assert.True(secret.Data.ContainsKey("tls.key")); + } + + [Fact] + public void TlsSecret_WithCertificateChain_CanStoreSeparateCaField() + { + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var intermediateCert = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootCert = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // Create TLS secret with separate ca.crt field + var secret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "test-with-chain" }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafCert) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) }, + { "ca.crt", Encoding.UTF8.GetBytes(intermediateCert + rootCert) } + } + }; + + // Assert + Assert.Equal(3, secret.Data.Count); + Assert.True(secret.Data.ContainsKey("ca.crt")); + var caCerts = Encoding.UTF8.GetString(secret.Data["ca.crt"]); + Assert.Contains("-----BEGIN CERTIFICATE-----", caCerts); + } + + [Fact] + public void TlsSecret_StrictFieldNames_OnlyTlsCrtAndTlsKey() + { + // K8STLSSecr enforces strict field names - MUST use tls.crt and tls.key + // Unlike K8SSecret which supports flexible field names + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + + var secret = new V1Secret + { + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert - Must have exactly tls.crt and tls.key + Assert.True(secret.Data.ContainsKey("tls.crt")); + Assert.True(secret.Data.ContainsKey("tls.key")); + Assert.False(secret.Data.ContainsKey("cert")); // Not allowed + Assert.False(secret.Data.ContainsKey("certificate")); // Not allowed + } + + [Fact] + public void TlsSecret_Type_MustBeKubernetesIoTls() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + + var secret = new V1Secret + { + Type = "kubernetes.io/tls", // Must be this exact type + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert + Assert.Equal("kubernetes.io/tls", secret.Type); + Assert.NotEqual("Opaque", secret.Type); // NOT Opaque like K8SSecret + } + + #endregion + + #region Certificate Chain Tests + + [Fact] + public void CertificateChain_ConcatenatedInSingleField_ValidFormat() + { + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafPem = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var intermediatePem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootPem = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + + // Concatenate chain + var fullChainPem = leafPem + intermediatePem + rootPem; + + // Assert + Assert.Contains("-----BEGIN CERTIFICATE-----", fullChainPem); + var certCount = fullChainPem.Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(3, certCount); + } + + [Fact] + public void CertificateChain_SingleCertificate_NoChainField() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + + var secret = new V1Secret + { + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert - no ca.crt field for single certificate + Assert.False(secret.Data.ContainsKey("ca.crt")); + } + + [Fact] + public void TlsSecret_WithBundledChain_AllCertsInTlsCrt() + { + // When SeparateChain=false, the full chain should be bundled into tls.crt + // This is useful for ingress controllers that expect the full chain in tls.crt + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafPem = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var intermediatePem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootPem = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // Bundle the full chain into tls.crt (SeparateChain=false behavior) + var bundledChain = leafPem + intermediatePem + rootPem; + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "bundled-chain-tls" }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(bundledChain) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert + Assert.Equal(2, secret.Data.Count); // Only tls.crt and tls.key, no ca.crt + Assert.False(secret.Data.ContainsKey("ca.crt"), "Should NOT have ca.crt when chain is bundled"); + + // Verify tls.crt contains all 3 certificates + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = tlsCrtData.Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(3, certCount); + } + + [Fact] + public void TlsSecret_SeparateChainVsBundled_DifferentStructures() + { + // Compare the two chain storage strategies + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafPem = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var intermediatePem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootPem = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // SeparateChain=true: leaf in tls.crt, chain in ca.crt + var separateChainSecret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "separate-chain" }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) }, + { "ca.crt", Encoding.UTF8.GetBytes(intermediatePem + rootPem) } + } + }; + + // SeparateChain=false: full chain bundled in tls.crt + var bundledChainSecret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "bundled-chain" }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem + intermediatePem + rootPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert - Separate chain has 3 fields + Assert.Equal(3, separateChainSecret.Data.Count); + Assert.True(separateChainSecret.Data.ContainsKey("ca.crt")); + var separateTlsCertCount = Encoding.UTF8.GetString(separateChainSecret.Data["tls.crt"]) + .Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(1, separateTlsCertCount); // Only leaf in tls.crt + + // Assert - Bundled chain has 2 fields + Assert.Equal(2, bundledChainSecret.Data.Count); + Assert.False(bundledChainSecret.Data.ContainsKey("ca.crt")); + var bundledTlsCertCount = Encoding.UTF8.GetString(bundledChainSecret.Data["tls.crt"]) + .Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(3, bundledTlsCertCount); // Full chain in tls.crt + } + + #endregion + + #region DER to PEM Conversion Tests + + [Fact] + public void DerCertificate_ConvertedToPem_ValidFormat() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(KeyType.Rsa2048); + var derBytes = certInfo.Certificate.GetEncoded(); + + // Act - Parse from DER and convert to PEM + var parser = new Org.BouncyCastle.X509.X509CertificateParser(); + var cert = parser.ReadCertificate(derBytes); + var pemCert = CertificateTestHelper.ConvertCertificateToPem(cert); + + // Assert + Assert.NotNull(pemCert); + Assert.Contains("-----BEGIN CERTIFICATE-----", pemCert); + Assert.Contains("-----END CERTIFICATE-----", pemCert); + } + + #endregion + + #region Encoding Tests + + [Fact] + public void PemCertificate_Utf8Encoding_RoundTripSuccessful() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var originalPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + // Act - Encode to bytes and decode back + var bytes = Encoding.UTF8.GetBytes(originalPem); + var decodedPem = Encoding.UTF8.GetString(bytes); + + // Assert + Assert.Equal(originalPem, decodedPem); + } + + [Fact] + public void PemData_StoredAsBytes_CorrectlyDecoded() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var certBytes = Encoding.UTF8.GetBytes(certPem); + + // Simulate storing in K8S TLS secret + var secret = new V1Secret + { + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", certBytes } + } + }; + + // Act - Retrieve and decode + var retrievedBytes = secret.Data["tls.crt"]; + var retrievedPem = Encoding.UTF8.GetString(retrievedBytes); + + // Assert + Assert.Equal(certPem, retrievedPem); + Assert.Contains("-----BEGIN CERTIFICATE-----", retrievedPem); + } + + #endregion + + #region Field Validation Tests + + [Fact] + public void TlsSecret_MissingTlsCrt_Invalid() + { + // TLS secrets REQUIRE tls.crt field + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + + var secret = new V1Secret + { + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + // Missing tls.crt - this is invalid + } + }; + + // Assert + Assert.False(secret.Data.ContainsKey("tls.crt")); + Assert.True(secret.Data.ContainsKey("tls.key")); + } + + [Fact] + public void TlsSecret_MissingTlsKey_Invalid() + { + // TLS secrets REQUIRE tls.key field for proper TLS function + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + var secret = new V1Secret + { + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) } + // Missing tls.key - this is invalid for TLS + } + }; + + // Assert + Assert.True(secret.Data.ContainsKey("tls.crt")); + Assert.False(secret.Data.ContainsKey("tls.key")); + } + + [Fact] + public void TlsSecret_OptionalCaCrt_Allowed() + { + // ca.crt is optional for certificate chain + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var caPem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + + var secret = new V1Secret + { + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) }, + { "ca.crt", Encoding.UTF8.GetBytes(caPem) } // Optional + } + }; + + // Assert + Assert.Equal(3, secret.Data.Count); + Assert.True(secret.Data.ContainsKey("ca.crt")); + } + + #endregion + + #region Edge Cases + + [Fact] + public void TlsSecret_EmptyData_ValidStructure() + { + // Arrange + var secret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "empty-tls-secret" }, + Type = "kubernetes.io/tls", + Data = new Dictionary() + }; + + // Assert + Assert.NotNull(secret.Data); + Assert.Empty(secret.Data); + } + + [Fact] + public void PemCertificate_WithWhitespace_StillValid() + { + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + + // Add extra whitespace (common in manual creation) + var pemWithWhitespace = "\n" + certPem + "\n\n"; + + // Assert - Should still contain valid markers + Assert.Contains("-----BEGIN CERTIFICATE-----", pemWithWhitespace); + Assert.Contains("-----END CERTIFICATE-----", pemWithWhitespace); + } + + #endregion + + #region IncludeCertChain=false Tests + + [Fact] + public void Management_IncludeCertChainFalse_OnlyLeafCertStored() + { + // When IncludeCertChain=false is set, only the leaf certificate should be stored, + // not the intermediate or root certificates. This tests the expected output structure. + + // Arrange - Generate a certificate chain (leaf -> intermediate -> root) + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafCert = chain[0].Certificate; + var leafPem = CertificateTestHelper.ConvertCertificateToPem(leafCert); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // Act - Create TLS secret with ONLY the leaf certificate (simulating IncludeCertChain=false behavior) + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = "test-include-cert-chain-false", + NamespaceProperty = "default" + }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert + Assert.Equal("kubernetes.io/tls", secret.Type); + Assert.Equal(2, secret.Data.Count); // Only tls.crt and tls.key, NO ca.crt + + // Verify tls.crt contains ONLY the leaf certificate (1 certificate) + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = tlsCrtData.Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(1, certCount); + + // Verify NO ca.crt field exists + Assert.False(secret.Data.ContainsKey("ca.crt"), + "Secret should NOT contain ca.crt when IncludeCertChain=false"); + + // Verify the stored certificate is the leaf certificate by checking its subject + using var reader = new System.IO.StringReader(tlsCrtData); + var pemReader = new Org.BouncyCastle.OpenSsl.PemReader(reader); + var storedCert = (Org.BouncyCastle.X509.X509Certificate)pemReader.ReadObject(); + var storedSubject = storedCert.SubjectDN.ToString(); + var leafSubject = leafCert.SubjectDN.ToString(); + + Assert.Equal(leafSubject, storedSubject); + } + + [Fact] + public void IncludeCertChainFalse_VersusTrue_DifferentStructures() + { + // Compare the expected output between IncludeCertChain=true vs IncludeCertChain=false + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(KeyType.Rsa2048); + var leafPem = CertificateTestHelper.ConvertCertificateToPem(chain[0].Certificate); + var intermediatePem = CertificateTestHelper.ConvertCertificateToPem(chain[1].Certificate); + var rootPem = CertificateTestHelper.ConvertCertificateToPem(chain[2].Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // IncludeCertChain=false: Only leaf certificate in tls.crt, no chain + var includeCertChainFalseSecret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "include-chain-false" }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // IncludeCertChain=true (SeparateChain=false): Full chain bundled in tls.crt + var includeCertChainTrueBundledSecret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = "include-chain-true-bundled" }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem + intermediatePem + rootPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert - IncludeCertChain=false has only 1 certificate in tls.crt + var falseChainCount = Encoding.UTF8.GetString(includeCertChainFalseSecret.Data["tls.crt"]) + .Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(1, falseChainCount); + Assert.False(includeCertChainFalseSecret.Data.ContainsKey("ca.crt")); + + // Assert - IncludeCertChain=true (bundled) has 3 certificates in tls.crt + var trueBundledChainCount = Encoding.UTF8.GetString(includeCertChainTrueBundledSecret.Data["tls.crt"]) + .Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(3, trueBundledChainCount); + Assert.False(includeCertChainTrueBundledSecret.Data.ContainsKey("ca.crt")); + } + + [Theory] + [InlineData(KeyType.Rsa2048)] + [InlineData(KeyType.EcP256)] + [InlineData(KeyType.EcP384)] + public void IncludeCertChainFalse_VariousKeyTypes_OnlyLeafCertStored(KeyType keyType) + { + // Verify that IncludeCertChain=false behavior works with various key types + // Arrange + var chain = CertificateTestHelper.GenerateCertificateChain(keyType); + var leafCert = chain[0].Certificate; + var leafPem = CertificateTestHelper.ConvertCertificateToPem(leafCert); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(chain[0].KeyPair.Private); + + // Act - Simulate IncludeCertChain=false output + var secret = new V1Secret + { + Metadata = new V1ObjectMeta { Name = $"test-no-chain-{keyType}" }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(leafPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert - Only 1 certificate in tls.crt + var tlsCrtData = Encoding.UTF8.GetString(secret.Data["tls.crt"]); + var certCount = tlsCrtData.Split("-----BEGIN CERTIFICATE-----").Length - 1; + Assert.Equal(1, certCount); + Assert.False(secret.Data.ContainsKey("ca.crt")); + } + + #endregion + + #region Metadata Tests + + [Fact] + public void TlsSecret_WithLabels_PreservesMetadata() + { + // Arrange + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = "labeled-tls-secret", + NamespaceProperty = "default", + Labels = new Dictionary + { + { "keyfactor.com/managed", "true" }, + { "keyfactor.com/store-type", "K8STLSSecr" } + } + }, + Type = "kubernetes.io/tls" + }; + + // Assert + Assert.NotNull(secret.Metadata.Labels); + Assert.Equal(2, secret.Metadata.Labels.Count); + Assert.Equal("K8STLSSecr", secret.Metadata.Labels["keyfactor.com/store-type"]); + } + + [Fact] + public void TlsSecret_NativeKubernetesFormat_Compatible() + { + // K8STLSSecr secrets should be compatible with native Kubernetes TLS secrets + // that other K8S components (like Ingress) can consume + // Arrange + var certInfo = CertificateTestHelper.GenerateCertificate(); + var certPem = CertificateTestHelper.ConvertCertificateToPem(certInfo.Certificate); + var keyPem = CertificateTestHelper.ConvertPrivateKeyToPem(certInfo.KeyPair.Private); + + var secret = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = "ingress-tls", + NamespaceProperty = "default" + }, + Type = "kubernetes.io/tls", + Data = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem) }, + { "tls.key", Encoding.UTF8.GetBytes(keyPem) } + } + }; + + // Assert - Matches native K8S TLS secret format + Assert.Equal("kubernetes.io/tls", secret.Type); + Assert.Equal(2, secret.Data.Count); + Assert.True(secret.Data.ContainsKey("tls.crt")); + Assert.True(secret.Data.ContainsKey("tls.key")); + } + + #endregion +} diff --git a/kubernetes-orchestrator-extension.Tests/Keyfactor.Orchestrators.K8S.Tests.csproj b/kubernetes-orchestrator-extension.Tests/Keyfactor.Orchestrators.K8S.Tests.csproj new file mode 100644 index 00000000..5ddeccb7 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Keyfactor.Orchestrators.K8S.Tests.csproj @@ -0,0 +1,35 @@ + + + + net8.0;net10.0 + enable + enable + + + $(NoWarn);CS8600;CS8601;CS8602;CS8603;CS8604;CS8618;CS8625;CS0219;xUnit2002;SYSLIB0057 + + false + true + + + + + + + + + + + + + + + + + + + + + + + diff --git a/kubernetes-orchestrator-extension.Tests/LoggingSafetyTests.cs b/kubernetes-orchestrator-extension.Tests/LoggingSafetyTests.cs new file mode 100644 index 00000000..7f0629c0 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/LoggingSafetyTests.cs @@ -0,0 +1,366 @@ +// Copyright 2025 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +using System; +using System.IO; +using System.Linq; +using System.Text.RegularExpressions; +using Keyfactor.Extensions.Orchestrator.K8S.Utilities; +using Org.BouncyCastle.Crypto; +using Org.BouncyCastle.Crypto.Generators; +using Org.BouncyCastle.Security; +using Xunit; + +namespace Keyfactor.Extensions.Orchestrator.K8S.Tests +{ + /// + /// Tests to ensure sensitive data is never logged + /// + public class LoggingSafetyTests + { + private readonly string _projectRoot; + + public LoggingSafetyTests() + { + // Get the project root directory + var currentDir = Directory.GetCurrentDirectory(); + _projectRoot = Path.GetFullPath(Path.Combine(currentDir, "..", "..", "..", "..")); + } + + [Fact] + public void SourceCode_ShouldNotContain_DirectPasswordLogging() + { + // Arrange + var sourceFiles = Directory.GetFiles( + Path.Combine(_projectRoot, "kubernetes-orchestrator-extension"), + "*.cs", + SearchOption.AllDirectories + ).Where(f => !f.Contains("obj") && !f.Contains("bin")).ToList(); + + var violations = new System.Collections.Generic.List(); + + // Define patterns that indicate insecure password logging + var insecurePatterns = new[] + { + // Direct password logging without redaction (but not correlation IDs or redaction calls) + @"Logger\.Log.*[Pp]assword[^,]*,\s*[^""]*\b(password|Password|passwd|storePassword|StorePassword|pKeyPassword|keyPasswordStr|KubeSecretPassword)\b\s*\)", + // TODO comments marked as insecure + @"TODO.*[Ii]nsecure", + @"TODO.*[Rr]emove.*insecure" + }; + + // Act + foreach (var file in sourceFiles) + { + var content = File.ReadAllText(file); + var lines = content.Split('\n'); + + for (int i = 0; i < lines.Length; i++) + { + var line = lines[i]; + + // Skip if line is commented out + if (line.TrimStart().StartsWith("//")) + continue; + + // Skip if line uses LoggingUtilities.RedactPassword + if (line.Contains("LoggingUtilities.RedactPassword") || + line.Contains("LoggingUtilities.GetPasswordCorrelationId")) + continue; + + foreach (var pattern in insecurePatterns) + { + if (Regex.IsMatch(line, pattern, RegexOptions.IgnoreCase)) + { + violations.Add($"{Path.GetFileName(file)}:{i + 1}: {line.Trim()}"); + } + } + } + } + + // Assert + Assert.Empty(violations); + } + + [Fact] + public void SourceCode_ShouldNotContain_DirectPrivateKeyLogging() + { + // Arrange + var sourceFiles = Directory.GetFiles( + Path.Combine(_projectRoot, "kubernetes-orchestrator-extension"), + "*.cs", + SearchOption.AllDirectories + ).Where(f => !f.Contains("obj") && !f.Contains("bin")).ToList(); + + var violations = new System.Collections.Generic.List(); + + // Define patterns that indicate insecure private key logging + var insecurePatterns = new[] + { + // Direct private key variable logging (actual key objects, not boolean flags or method names) + @"Logger\.Log.*,\s*\bprivateKey\b\s*\)", + @"Logger\.Log.*,\s*\bPrivateKey\b\s*\)", + @"Logger\.Log.*,\s*\bpKey\b\s*\)", + // Logging PEM keys directly + @"Logger\.Log.*BEGIN PRIVATE KEY" + }; + + // Act + foreach (var file in sourceFiles) + { + var content = File.ReadAllText(file); + var lines = content.Split('\n'); + + for (int i = 0; i < lines.Length; i++) + { + var line = lines[i]; + + // Skip if line is commented out + if (line.TrimStart().StartsWith("//")) + continue; + + // Skip if line uses LoggingUtilities redaction + if (line.Contains("LoggingUtilities.RedactPrivateKey") || + line.Contains("LoggingUtilities.GetCertificateSummary")) + continue; + + foreach (var pattern in insecurePatterns) + { + if (Regex.IsMatch(line, pattern, RegexOptions.IgnoreCase)) + { + violations.Add($"{Path.GetFileName(file)}:{i + 1}: {line.Trim()}"); + } + } + } + } + + // Assert + Assert.Empty(violations); + } + + [Fact] + public void SourceCode_ShouldNotContain_DirectTokenLogging() + { + // Arrange + var sourceFiles = Directory.GetFiles( + Path.Combine(_projectRoot, "kubernetes-orchestrator-extension"), + "*.cs", + SearchOption.AllDirectories + ).Where(f => !f.Contains("obj") && !f.Contains("bin")).ToList(); + + var violations = new System.Collections.Generic.List(); + + // Define patterns that indicate insecure token logging + var insecurePatterns = new[] + { + // Direct token logging + @"Logger\.Log.*[Tt]oken[^,]*,\s*[^L][^o][^g][^g][^i][^n][^g].*\)" + }; + + // Act + foreach (var file in sourceFiles) + { + var content = File.ReadAllText(file); + var lines = content.Split('\n'); + + for (int i = 0; i < lines.Length; i++) + { + var line = lines[i]; + + // Skip if line is commented out + if (line.TrimStart().StartsWith("//")) + continue; + + // Skip if line uses LoggingUtilities.RedactToken + if (line.Contains("LoggingUtilities.RedactToken")) + continue; + + foreach (var pattern in insecurePatterns) + { + if (Regex.IsMatch(line, pattern, RegexOptions.IgnoreCase)) + { + violations.Add($"{Path.GetFileName(file)}:{i + 1}: {line.Trim()}"); + } + } + } + } + + // Assert + Assert.Empty(violations); + } + + [Fact] + public void NoTodoInsecureCommentsRemain() + { + // Arrange + var sourceFiles = Directory.GetFiles( + Path.Combine(_projectRoot, "kubernetes-orchestrator-extension"), + "*.cs", + SearchOption.AllDirectories + ).Where(f => !f.Contains("obj") && !f.Contains("bin")).ToList(); + + var violations = new System.Collections.Generic.List(); + + // Act + foreach (var file in sourceFiles) + { + var content = File.ReadAllText(file); + var lines = content.Split('\n'); + + for (int i = 0; i < lines.Length; i++) + { + var line = lines[i]; + + // Check for TODO comments marked as insecure + if (Regex.IsMatch(line, @"TODO.*[Ii]nsecure", RegexOptions.IgnoreCase) || + Regex.IsMatch(line, @"TODO.*[Rr]emove.*insecure", RegexOptions.IgnoreCase)) + { + violations.Add($"{Path.GetFileName(file)}:{i + 1}: {line.Trim()}"); + } + } + } + + // Assert + Assert.Empty(violations); + } + + [Fact] + public void LoggingUtilities_RedactPassword_ShouldNotRevealPassword() + { + // Arrange + var testPassword = "MySecretPassword123!"; + + // Act + var redacted = LoggingUtilities.RedactPassword(testPassword); + + // Assert + Assert.DoesNotContain("MySecretPassword", redacted); + Assert.DoesNotContain("123!", redacted); + Assert.Contains("REDACTED", redacted); + Assert.Contains($"length: {testPassword.Length}", redacted); + } + + [Fact] + public void LoggingUtilities_GetPasswordCorrelationId_ShouldBeConsistent() + { + // Arrange + var testPassword = "MySecretPassword123!"; + + // Act + var correlationId1 = LoggingUtilities.GetPasswordCorrelationId(testPassword); + var correlationId2 = LoggingUtilities.GetPasswordCorrelationId(testPassword); + + // Assert + Assert.Equal(correlationId1, correlationId2); + Assert.DoesNotContain("MySecretPassword", correlationId1); + Assert.StartsWith("hash:", correlationId1); + } + + [Fact] + public void LoggingUtilities_GetPasswordCorrelationId_ShouldBeDifferentForDifferentPasswords() + { + // Arrange + var password1 = "Password1"; + var password2 = "Password2"; + + // Act + var correlationId1 = LoggingUtilities.GetPasswordCorrelationId(password1); + var correlationId2 = LoggingUtilities.GetPasswordCorrelationId(password2); + + // Assert + Assert.NotEqual(correlationId1, correlationId2); + } + + [Fact] + public void LoggingUtilities_RedactPrivateKeyPem_ShouldNotRevealKeyMaterial() + { + // Arrange + var testKeyPem = @"-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA1234567890abcdefghijklmnopqrstuvwxyz +-----END RSA PRIVATE KEY-----"; + + // Act + var redacted = LoggingUtilities.RedactPrivateKeyPem(testKeyPem); + + // Assert + Assert.DoesNotContain("MIIEpAIBAAKCAQEA", redacted); + Assert.DoesNotContain("1234567890", redacted); + Assert.Contains("REDACTED", redacted); + Assert.Contains("RSA", redacted); + } + + [Fact] + public void LoggingUtilities_RedactPrivateKey_ShouldShowKeyTypeOnly() + { + // Arrange - Generate a test RSA key + var keyPairGenerator = new RsaKeyPairGenerator(); + keyPairGenerator.Init(new Org.BouncyCastle.Crypto.KeyGenerationParameters(new SecureRandom(), 2048)); + var keyPair = keyPairGenerator.GenerateKeyPair(); + var privateKey = keyPair.Private; + + // Act + var redacted = LoggingUtilities.RedactPrivateKey(privateKey); + + // Assert + Assert.Contains("REDACTED", redacted); + Assert.Contains("isPrivate: True", redacted); + // Should not contain any key material + Assert.DoesNotContain("MII", redacted); // Common prefix in base64 encoded keys + } + + [Fact] + public void LoggingUtilities_RedactPkcs12Bytes_ShouldNotRevealContents() + { + // Arrange + var testBytes = new byte[] { 0x30, 0x82, 0x01, 0x02, 0x03, 0x04 }; + + // Act + var redacted = LoggingUtilities.RedactPkcs12Bytes(testBytes); + + // Assert + Assert.Contains("REDACTED", redacted); + Assert.Contains($"bytes: {testBytes.Length}", redacted); + Assert.DoesNotContain("30", redacted); // Should not contain hex values + Assert.DoesNotContain("82", redacted); + } + + [Fact] + public void LoggingUtilities_RedactToken_ShouldShowOnlyPrefixSuffixAndLength() + { + // Arrange + var testToken = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U"; + + // Act + var redacted = LoggingUtilities.RedactToken(testToken); + + // Assert + Assert.Contains("REDACTED", redacted); + Assert.Contains($"length: {testToken.Length}", redacted); + Assert.DoesNotContain("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9", redacted); // Should not contain full token + Assert.DoesNotContain("dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U", redacted); + } + + [Fact] + public void LoggingUtilities_GetFieldPresence_ShouldIndicatePresenceNotValue() + { + // Arrange + var sensitiveValue = "SensitiveData123!"; + + // Act + var result = LoggingUtilities.GetFieldPresence("myField", sensitiveValue); + + // Assert + Assert.Contains("PRESENT", result); + Assert.DoesNotContain("SensitiveData", result); + Assert.DoesNotContain("123!", result); + } + } +} diff --git a/kubernetes-orchestrator-extension.Tests/README.md b/kubernetes-orchestrator-extension.Tests/README.md new file mode 100644 index 00000000..04d12c7e --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/README.md @@ -0,0 +1,663 @@ +# Kubernetes Orchestrator Extension Tests + +This document provides an overview of all test cases for the Keyfactor Kubernetes Universal Orchestrator Extension, organized by store type. + +## Test Categories + +The test suite is divided into two main categories: + +- **Unit Tests** - Tests that run without external dependencies, validating serialization, data structures, and certificate handling logic +- **Integration Tests** - Tests that require a real Kubernetes cluster, validating end-to-end orchestrator operations + +## Running Tests + +### Unit Tests Only +```bash +make test-unit +# or +dotnet test --filter "Category!=Integration" +``` + +### Integration Tests +Integration tests require: +- `RUN_INTEGRATION_TESTS=true` environment variable +- Access to a Kubernetes cluster via `~/.kube/config` (or `INTEGRATION_TEST_KUBECONFIG`) +- Cluster permissions to create/delete namespaces and secrets + +```bash +make test-integration +# or store-type specific: +make test-store-jks +make test-store-pkcs12 +make test-store-secret +make test-store-tls +make test-store-cluster +make test-store-ns +make test-store-cert +``` + +### All Tests +```bash +make testall +``` + +--- + +## K8SJKS - Java Keystore Store Type + +Manages JKS (Java KeyStore) files stored as base64 in Kubernetes Opaque secrets. + +### Unit Tests (`K8SJKSStoreTests.cs`) + +| Test Name | Description | +|-----------|-------------| +| **Basic Deserialization** | | +| `DeserializeRemoteCertificateStore_ValidJksWithPassword_ReturnsStore` | Valid JKS with correct password loads successfully | +| `DeserializeRemoteCertificateStore_EmptyPassword_ThrowsArgumentException` | Empty password throws ArgumentException | +| `DeserializeRemoteCertificateStore_NullPassword_ThrowsArgumentException` | Null password throws ArgumentException | +| `DeserializeRemoteCertificateStore_WrongPassword_ThrowsException` | Wrong password throws IOException | +| `DeserializeRemoteCertificateStore_CorruptedData_ThrowsException` | Corrupted data throws exception | +| `DeserializeRemoteCertificateStore_NullData_ThrowsException` | Null data throws exception | +| `DeserializeRemoteCertificateStore_EmptyData_ThrowsException` | Empty data throws exception | +| **Key Type Coverage** | | +| `DeserializeRemoteCertificateStore_RsaKeys_SuccessfullyLoadsStore` | RSA keys (1024, 2048, 4096, 8192) load correctly | +| `DeserializeRemoteCertificateStore_EcKeys_SuccessfullyLoadsStore` | EC keys (P-256, P-384, P-521) load correctly | +| `DeserializeRemoteCertificateStore_DsaKeys_SuccessfullyLoadsStore` | DSA keys (1024, 2048) load correctly | +| `DeserializeRemoteCertificateStore_EdwardsKeys_SuccessfullyLoadsStore` | Edwards curve keys (Ed25519, Ed448) load correctly | +| **Password Scenarios** | | +| `DeserializeRemoteCertificateStore_VariousPasswords_SuccessfullyLoadsStore` | Various passwords (special chars, Unicode, emoji, spaces) work | +| `DeserializeRemoteCertificateStore_PasswordWithNewline_HandlesCorrectly` | Passwords with trailing newlines are handled | +| `DeserializeRemoteCertificateStore_VeryLongPassword_SuccessfullyLoadsStore` | Very long passwords (1000+ chars) work | +| **Certificate Chain** | | +| `DeserializeRemoteCertificateStore_CertificateWithChain_LoadsAllCertificates` | Certificate chains (leaf + intermediate + root) load correctly | +| `DeserializeRemoteCertificateStore_SingleCertificate_LoadsWithoutChain` | Single certificates load without chain | +| **Multiple Aliases** | | +| `DeserializeRemoteCertificateStore_MultipleAliases_LoadsAllCertificates` | Multiple certificate entries load with correct aliases | +| **Serialization** | | +| `SerializeRemoteCertificateStore_ValidStore_ReturnsSerializedData` | Valid store serializes correctly | +| `SerializeRemoteCertificateStore_RoundTrip_PreservesData` | Serialize/deserialize round-trip preserves data | +| `SerializeRemoteCertificateStore_EmptyStore_ReturnsValidOutput` | Empty store serializes without error | +| `SerializeRemoteCertificateStore_DifferentPassword_SuccessfullySerializes` | Re-serializing with different password works | +| **Edge Cases** | | +| `GetPrivateKeyPath_ReturnsNull` | Private key path returns null (inline keys) | +| `DeserializeRemoteCertificateStore_PartiallyCorruptedData_ThrowsException` | Partially corrupted data throws exception | + +### Integration Tests (`K8SJKSStoreIntegrationTests.cs`) + +| Test Name | Description | +|-----------|-------------| +| **Inventory** | | +| `Inventory_EmptyJksSecret_ReturnsEmptyList` | Inventory on JKS secret returns success | +| `Inventory_JksSecretWithMultipleCerts_ReturnsAllCertificates` | Inventory returns all certificates in JKS | +| `Inventory_NonExistentSecret_ReturnsFailure` | Non-existent secret returns failure | +| **Management Add** | | +| `Management_AddCertificateToNewSecret_CreatesSecretWithCertificate` | Add creates new secret with certificate | +| `Management_AddCertificateToExistingSecret_UpdatesSecret` | Add to existing secret appends certificate | +| **Management Remove** | | +| `Management_RemoveCertificateFromSecret_RemovesCertificate` | Remove deletes certificate by alias | +| **Discovery** | | +| `Discovery_FindsJksSecretsInNamespace` | Discovery finds JKS secrets | +| **Error Handling** | | +| `Management_AddWithWrongPassword_ReturnsFailure` | Wrong password returns failure | + +--- + +## K8SPKCS12 - PKCS12/PFX Store Type + +Manages PKCS12 (.p12, .pfx) files stored as base64 in Kubernetes Opaque secrets. + +### Unit Tests (`K8SPKCS12StoreTests.cs`) + +| Test Name | Description | +|-----------|-------------| +| **Basic Deserialization** | | +| `DeserializeRemoteCertificateStore_ValidPkcs12WithPassword_ReturnsStore` | Valid PKCS12 with password loads successfully | +| `DeserializeRemoteCertificateStore_EmptyPassword_SuccessfullyLoadsStore` | PKCS12 with empty password loads (differs from JKS) | +| `DeserializeRemoteCertificateStore_NullPassword_SuccessfullyLoadsStore` | PKCS12 with null password loads | +| `DeserializeRemoteCertificateStore_WrongPassword_ThrowsException` | Wrong password throws IOException | +| `DeserializeRemoteCertificateStore_CorruptedData_ThrowsException` | Corrupted data throws exception | +| `DeserializeRemoteCertificateStore_NullData_ThrowsException` | Null data throws exception | +| `DeserializeRemoteCertificateStore_EmptyData_ThrowsException` | Empty data throws exception | +| **Key Type Coverage** | | +| `DeserializeRemoteCertificateStore_RsaKeys_SuccessfullyLoadsStore` | RSA keys (1024, 2048, 4096, 8192) load correctly | +| `DeserializeRemoteCertificateStore_EcKeys_SuccessfullyLoadsStore` | EC keys (P-256, P-384, P-521) load correctly | +| `DeserializeRemoteCertificateStore_DsaKeys_SuccessfullyLoadsStore` | DSA keys (1024, 2048) load correctly | +| `DeserializeRemoteCertificateStore_EdwardsKeys_SuccessfullyLoadsStore` | Edwards curve keys (Ed25519, Ed448) load correctly | +| **Password Scenarios** | | +| `DeserializeRemoteCertificateStore_VariousPasswords_SuccessfullyLoadsStore` | Various passwords (special chars, Unicode, emoji, spaces) work | +| `DeserializeRemoteCertificateStore_VeryLongPassword_SuccessfullyLoadsStore` | Very long passwords work | +| **Certificate Chain** | | +| `DeserializeRemoteCertificateStore_CertificateWithChain_LoadsAllCertificates` | Certificate chains load correctly | +| `DeserializeRemoteCertificateStore_SingleCertificate_LoadsWithoutChain` | Single certificates load without chain | +| **Multiple Aliases** | | +| `DeserializeRemoteCertificateStore_MultipleAliases_LoadsAllCertificates` | Multiple certificate entries load correctly | +| **Serialization** | | +| `SerializeRemoteCertificateStore_ValidStore_ReturnsSerializedData` | Valid store serializes correctly | +| `SerializeRemoteCertificateStore_RoundTrip_PreservesData` | Round-trip preserves data | +| `SerializeRemoteCertificateStore_EmptyStore_ReturnsValidOutput` | Empty store serializes | +| `SerializeRemoteCertificateStore_DifferentPassword_SuccessfullySerializes` | Re-serializing with different password works | +| **Edge Cases** | | +| `GetPrivateKeyPath_ReturnsNull` | Private key path returns null (inline keys) | +| `DeserializeRemoteCertificateStore_PartiallyCorruptedData_ThrowsException` | Partially corrupted data throws exception | +| `DeserializeRemoteCertificateStore_CertificateOnlyEntry_SuccessfullyLoadsStore` | Certificate-only entries (no private key) load | + +### Integration Tests (`K8SPKCS12StoreIntegrationTests.cs`) + +| Test Name | Description | +|-----------|-------------| +| **Inventory** | | +| `Inventory_EmptyPkcs12Secret_ReturnsEmptyList` | Inventory on PKCS12 secret returns success | +| `Inventory_Pkcs12SecretWithMultipleCerts_ReturnsAllCertificates` | Inventory returns all certificates | +| `Inventory_NonExistentSecret_ReturnsFailure` | Non-existent secret returns failure | +| **Management Add** | | +| `Management_AddCertificateToNewSecret_CreatesSecretWithCertificate` | Add creates new secret | +| `Management_AddCertificateToExistingSecret_UpdatesSecret` | Add to existing secret appends | +| **Management Remove** | | +| `Management_RemoveCertificateFromSecret_RemovesCertificate` | Remove deletes certificate by alias | +| **Discovery** | | +| `Discovery_FindsPkcs12SecretsInNamespace` | Discovery finds PKCS12 secrets | +| **Error Handling** | | +| `Management_AddWithWrongPassword_ReturnsFailure` | Wrong password returns failure | + +--- + +## K8SSecret - Opaque Secret Store Type + +Manages Kubernetes Opaque secrets with PEM-formatted certificates and keys. + +### Unit Tests (`K8SSecretStoreTests.cs`) + +| Test Name | Description | +|-----------|-------------| +| **PEM Certificate Parsing** | | +| `PemCertificate_ValidFormat_CanBeParsed` | Valid PEM certificate can be parsed | +| `PemPrivateKey_ValidFormat_CanBeParsed` | Valid PEM private key can be parsed | +| `PemCertificate_VariousKeyTypes_ValidFormat` | All key types (RSA, EC, DSA, Ed25519, Ed448) produce valid PEM | +| **K8S Secret Structure** | | +| `OpaqueSecret_WithPemCertAndKey_HasCorrectStructure` | Opaque secret has correct structure | +| `OpaqueSecret_WithCertificateChain_CanStoreSeparateCaField` | Certificate chain can use separate ca.crt field | +| `OpaqueSecret_FlexibleFieldNames_SupportedVariations` | Flexible field names (tls.crt, cert, certificate, crt) supported | +| **Certificate Chain** | | +| `CertificateChain_ConcatenatedInSingleField_ValidFormat` | Concatenated chain in single field is valid | +| `CertificateChain_SingleCertificate_NoChainField` | Single certificate has no ca.crt field | +| `OpaqueSecret_WithBundledChain_AllCertsInTlsCrt` | Bundled chain puts all certs in tls.crt | +| `OpaqueSecret_SeparateChainVsBundled_DifferentStructures` | Separate vs bundled chain produces different structures | +| **DER to PEM Conversion** | | +| `DerCertificate_ConvertedToPem_ValidFormat` | DER to PEM conversion works | +| **Encoding** | | +| `PemCertificate_Utf8Encoding_RoundTripSuccessful` | UTF-8 encoding round-trip works | +| `PemData_StoredAsBytes_CorrectlyDecoded` | PEM stored as bytes decodes correctly | +| **Edge Cases** | | +| `OpaqueSecret_EmptyData_ValidStructure` | Empty data is valid structure | +| `OpaqueSecret_OnlyCertificateNoKey_ValidStructure` | Certificate without key is valid | +| `PemCertificate_WithWhitespace_StillValid` | PEM with extra whitespace is valid | +| **Metadata** | | +| `OpaqueSecret_WithLabels_PreservesMetadata` | Labels and metadata are preserved | + +### Integration Tests (`K8SSecretStoreIntegrationTests.cs`) + +| Test Name | Description | +|-----------|-------------| +| **Inventory** | | +| `Inventory_OpaqueSecretWithCertificate_ReturnsSuccess` | Inventory on Opaque secret succeeds | +| `Inventory_OpaqueSecretWithChain_ReturnsSuccess` | Inventory with chain succeeds | +| `Inventory_CertificateOnlySecret_ReturnsSuccess` | Certificate-only secret succeeds | +| `Inventory_NonExistentSecret_ReturnsFailure` | Non-existent secret handled gracefully | +| **Management** | | +| `Management_AddCertificateToNewSecret_ReturnsSuccess` | Add creates new Opaque secret | +| `Management_RemoveCertificateFromSecret_ReturnsSuccess` | Remove certificate succeeds | +| `Management_AddCertificateWithChainBundled_CreatesBundledSecret` | Add with SeparateChain=false bundles chain | +| `Management_AddCertificateWithChainSeparate_CreatesSeparateChainSecret` | Add with SeparateChain=true creates ca.crt | +| **Discovery** | | +| `Discovery_FindsOpaqueSecrets_ReturnsSuccess` | Discovery finds Opaque secrets | +| **Certificate Without Private Key** | | +| `Management_AddCertificateWithoutPrivateKey_DerFormat_ReturnsSuccess` | DER cert-only to new secret succeeds | +| `Management_AddCertificateWithoutPrivateKey_PemFormat_ReturnsSuccess` | PEM cert-only to new secret succeeds | +| `Inventory_OpaqueSecretWithCertificateOnly_ReturnsSuccess` | Inventory cert-only secret succeeds | +| `Management_UpdateExistingSecretWithCertificateOnly_FailsWhenExistingKeyPresent` | Cert-only update to secret with key fails (prevents mismatched key) | +| **Key Type Coverage** | | +| `Management_Rsa2048Certificate_AddAndInventory_Success` | RSA 2048 add and inventory | +| `Management_Rsa4096Certificate_AddAndInventory_Success` | RSA 4096 add and inventory | +| `Management_EcP256Certificate_AddAndInventory_Success` | EC P-256 add and inventory | +| `Management_EcP384Certificate_AddAndInventory_Success` | EC P-384 add and inventory | +| `Management_EcP521Certificate_AddAndInventory_Success` | EC P-521 add and inventory | +| `Management_Ed25519Certificate_AddAndInventory_Success` | Ed25519 add and inventory | + +--- + +## K8STLSSecr - TLS Secret Store Type + +Manages Kubernetes `kubernetes.io/tls` secrets with strict field names (tls.crt, tls.key, ca.crt). + +### Unit Tests (`K8STLSSecrStoreTests.cs`) + +| Test Name | Description | +|-----------|-------------| +| **PEM Certificate Parsing** | | +| `PemCertificate_ValidFormat_CanBeParsed` | Valid PEM certificate can be parsed | +| `PemPrivateKey_ValidFormat_CanBeParsed` | Valid PEM private key can be parsed | +| `PemCertificate_VariousKeyTypes_ValidFormat` | All key types produce valid PEM | +| **K8S TLS Secret Structure** | | +| `TlsSecret_WithCertAndKey_HasCorrectStructure` | TLS secret has correct structure | +| `TlsSecret_WithCertificateChain_CanStoreSeparateCaField` | Certificate chain uses ca.crt | +| `TlsSecret_StrictFieldNames_OnlyTlsCrtAndTlsKey` | Only tls.crt and tls.key allowed (strict) | +| `TlsSecret_Type_MustBeKubernetesIoTls` | Type must be kubernetes.io/tls | +| **Certificate Chain** | | +| `CertificateChain_ConcatenatedInSingleField_ValidFormat` | Concatenated chain is valid | +| `CertificateChain_SingleCertificate_NoChainField` | Single cert has no ca.crt | +| `TlsSecret_WithBundledChain_AllCertsInTlsCrt` | Bundled chain puts all in tls.crt | +| `TlsSecret_SeparateChainVsBundled_DifferentStructures` | Separate vs bundled produces different structures | +| **Field Validation** | | +| `TlsSecret_MissingTlsCrt_Invalid` | Missing tls.crt is invalid | +| `TlsSecret_MissingTlsKey_Invalid` | Missing tls.key is invalid | +| `TlsSecret_OptionalCaCrt_Allowed` | ca.crt is optional | +| **Edge Cases** | | +| `TlsSecret_EmptyData_ValidStructure` | Empty data is valid structure | +| `PemCertificate_WithWhitespace_StillValid` | PEM with whitespace is valid | +| **Metadata** | | +| `TlsSecret_WithLabels_PreservesMetadata` | Labels are preserved | +| `TlsSecret_NativeKubernetesFormat_Compatible` | Compatible with native K8S TLS secrets | + +### Integration Tests (`K8STLSSecrStoreIntegrationTests.cs`) + +| Test Name | Description | +|-----------|-------------| +| **Inventory** | | +| `Inventory_TlsSecretWithCertificate_ReturnsSuccess` | Inventory on TLS secret succeeds | +| `Inventory_TlsSecretWithChain_ReturnsSuccess` | Inventory with chain succeeds | +| `Inventory_EcCertificate_ReturnsSuccess` | EC certificate inventory succeeds | +| `Inventory_NonExistentTlsSecret_ReturnsFailure` | Non-existent secret handled gracefully | +| **Management** | | +| `Management_AddCertificateToNewTlsSecret_ReturnsSuccess` | Add creates new TLS secret | +| `Management_RemoveCertificateFromTlsSecret_ReturnsSuccess` | Remove certificate succeeds | +| `Management_AddCertificateWithChainBundled_CreatesBundledTlsCrt` | SeparateChain=false bundles chain | +| `Management_AddCertificateWithChainSeparate_CreatesSeparateCaCrt` | SeparateChain=true creates ca.crt | +| **Discovery** | | +| `Discovery_FindsTlsSecrets_ReturnsSuccess` | Discovery finds TLS secrets | +| **Native Kubernetes Compatibility** | | +| `TlsSecret_CompatibleWithK8sIngress_CorrectFormat` | TLS secrets are Ingress-compatible | +| **Certificate Without Private Key** | | +| `Management_AddCertificateWithoutPrivateKey_DerFormat_ReturnsSuccess` | DER cert-only to new TLS secret succeeds | +| `Management_AddCertificateWithoutPrivateKey_PemFormat_ReturnsSuccess` | PEM cert-only to new TLS secret succeeds | +| `Management_UpdateExistingTlsSecretWithCertificateOnly_FailsWhenExistingKeyPresent` | Cert-only update to TLS secret with key fails (prevents mismatched key) | +| **Key Type Coverage** | | +| `Management_Rsa2048Certificate_AddAndInventory_Success` | RSA 2048 add and inventory | +| `Management_Rsa4096Certificate_AddAndInventory_Success` | RSA 4096 add and inventory | +| `Management_EcP256Certificate_AddAndInventory_Success` | EC P-256 add and inventory | +| `Management_EcP384Certificate_AddAndInventory_Success` | EC P-384 add and inventory | +| `Management_EcP521Certificate_AddAndInventory_Success` | EC P-521 add and inventory | +| `Management_Ed25519Certificate_AddAndInventory_Success` | Ed25519 add and inventory | + +--- + +## K8SCluster - Cluster-Wide Store Type + +Manages ALL secrets across ALL namespaces in a Kubernetes cluster. + +### Unit Tests (`K8SClusterStoreTests.cs`) + +| Test Name | Description | +|-----------|-------------| +| **Cluster Scope** | | +| `ClusterStore_RepresentsAllNamespaces_NotSingleNamespace` | Store path is cluster-wide | +| `ClusterStore_CanContainMultipleSecretTypes_InDifferentNamespaces` | Multiple secret types across namespaces | +| **Secret Collection** | | +| `SecretList_MultipleNamespaces_CanBeGrouped` | Secrets grouped by namespace | +| `SecretList_FilterByType_ReturnsOnlyMatchingSecrets` | Filtering by type works | +| **Discovery** | | +| `Discovery_EmptyCluster_ReturnsEmptyList` | Empty cluster returns empty | +| `Discovery_MultipleSecrets_ReturnsAllSecrets` | Multiple secrets are discovered | +| **Namespace Filtering** | | +| `NamespaceFilter_ExcludeSystemNamespaces_FilterCorrectly` | System namespaces can be excluded | +| `NamespaceFilter_IncludeOnlySpecificNamespaces_FilterCorrectly` | Namespace inclusion filter works | +| **Certificate Data** | | +| `ClusterSecret_WithPemCertificate_CanBeRead` | PEM certificates can be read | +| `ClusterSecret_MultipleSecretsWithCertificates_CanBeEnumerated` | Multiple certificates enumerated | +| **Permissions (Conceptual)** | | +| `ClusterStore_RequiresClusterWidePermissions_NotNamespaceScoped` | Documents cluster-wide RBAC needs | +| **Edge Cases** | | +| `ClusterStore_NamespaceWithNoSecrets_ReturnsEmpty` | Empty namespace returns empty | +| `ClusterStore_LargeNumberOfSecrets_CanBeHandled` | 100+ secrets handled | +| **TLS Secret Operations via Cluster Store** | | +| `ClusterTlsSecret_WithCertAndKey_HasCorrectStructure` | TLS secret structure via cluster | +| `ClusterTlsSecret_WithCertificateChain_CanStoreSeparateCaField` | Chain with separate ca.crt field | +| `ClusterTlsSecret_StrictFieldNames_OnlyTlsCrtAndTlsKey` | TLS secrets enforce strict field names | +| `ClusterTlsSecret_Type_MustBeKubernetesIoTls` | Type validation for TLS secrets | +| `ClusterTlsSecret_WithBundledChain_AllCertsInTlsCrt` | Bundled chain in tls.crt | +| `ClusterTlsSecret_SeparateChainVsBundled_DifferentStructures` | Compare chain storage strategies | +| `ClusterTlsSecret_NativeKubernetesFormat_Compatible` | Ingress compatibility | +| `ClusterTlsSecret_MissingRequiredFields_Invalid` | Field validation | +| **Opaque Secret Operations via Cluster Store** | | +| `ClusterOpaqueSecret_WithPemCertAndKey_HasCorrectStructure` | Opaque secret structure via cluster | +| `ClusterOpaqueSecret_WithCertificateChain_CanStoreSeparateCaField` | Chain with separate ca.crt field | +| `ClusterOpaqueSecret_FlexibleFieldNames_SupportedVariations` | Flexible field names (cert, crt, certificate) | +| `ClusterOpaqueSecret_WithBundledChain_AllCertsInTlsCrt` | Bundled chain in tls.crt | +| `ClusterOpaqueSecret_SeparateChainVsBundled_DifferentStructures` | Compare chain storage strategies | +| `ClusterOpaqueSecret_OnlyCertificateNoKey_ValidStructure` | Certificate-only secrets | +| **Key Type Coverage via Cluster Store** | | +| `ClusterSecret_RsaKeyTypes_ValidPemFormat` | RSA 1024/2048/4096/8192 via cluster | +| `ClusterSecret_EcKeyTypes_ValidPemFormat` | EC P-256/P-384/P-521 via cluster | +| `ClusterSecret_EdwardsKeyTypes_ValidPemFormat` | Ed25519/Ed448 via cluster | +| **Cross-Type Cluster Operations** | | +| `ClusterStore_MixedSecretTypes_SameNamespace_CanCoexist` | TLS + Opaque in same namespace | +| `ClusterStore_SameSecretName_DifferentNamespaces_AreIndependent` | Same name, different namespaces | +| `ClusterStore_FilterTlsSecrets_ReturnsOnlyTlsType` | Filter for kubernetes.io/tls only | +| `ClusterStore_FilterOpaqueSecrets_ReturnsOnlyOpaqueType` | Filter for Opaque only | +| **Encoding and Conversion** | | +| `ClusterSecret_Utf8Encoding_RoundTripSuccessful` | UTF-8 encoding round-trip | +| `ClusterSecret_DerToPemConversion_ValidFormat` | DER to PEM conversion | +| `ClusterSecret_PemWithWhitespace_StillValid` | Whitespace handling | +| **Metadata** | | +| `ClusterSecret_WithLabels_PreservesMetadata` | Labels are preserved | +| `ClusterSecret_WithAnnotations_PreservesMetadata` | Annotations are preserved | + +### Integration Tests (`K8SClusterStoreIntegrationTests.cs`) + +| Test Name | Description | +|-----------|-------------| +| **Discovery** | | +| `Discovery_MultipleNamespaces_FindsAllSecrets` | Discovery across namespaces | +| `Discovery_MixedSecretTypes_FindsAllTypes` | Discovers Opaque and TLS | +| **Inventory** | | +| `Inventory_ClusterWide_ReturnsAllCertificates` | Cluster-wide inventory | +| **Management** | | +| `Management_AddCertificateToSpecificNamespace_ReturnsSuccess` | Add to specific namespace | +| `Management_RemoveCertificateFromNamespace_ReturnsSuccess` | Remove from namespace | +| **Cross-Namespace** | | +| `CrossNamespace_SecretsInDifferentNamespaces_AreIndependent` | Same-name secrets in different namespaces are independent | +| **Error Handling** | | +| `Inventory_InvalidClusterCredentials_ReturnsFailure` | Invalid credentials fail | +| **TLS Secret Operations via Cluster** | | +| `Inventory_TlsSecretInCluster_ReturnsSuccess` | Inventory TLS secret via cluster | +| `Inventory_TlsSecretWithChain_ReturnsSuccess` | Inventory TLS secret with chain | +| `Inventory_TlsSecretWithEcCert_ReturnsSuccess` | Inventory EC TLS secret | +| `Management_AddTlsSecretToCluster_ReturnsSuccess` | Add TLS secret via cluster | +| `Management_RemoveTlsSecretFromCluster_ReturnsSuccess` | Remove TLS secret via cluster | +| `Management_AddTlsSecretWithBundledChain_CreatesBundledTlsCrt` | IncludeCertChain=true, SeparateChain=false | +| `Management_AddTlsSecretWithSeparateChain_CreatesSeparateCaCrt` | IncludeCertChain=true, SeparateChain=true | +| `Management_AddTlsSecretWithoutChain_NoChainIncluded` | IncludeCertChain=false | +| `Management_OverwriteTlsSecret_UpdatesCorrectly` | Overwrite existing TLS secret | +| `TlsSecret_CreatedViaCluster_CompatibleWithIngress` | Native K8S Ingress compatibility | +| `Inventory_MultipleTlsSecretsAcrossNamespaces_ReturnsAll` | Multiple TLS secrets cluster-wide | +| **Opaque Secret Operations via Cluster** | | +| `Inventory_OpaqueSecretInCluster_ReturnsSuccess` | Inventory Opaque secret via cluster | +| `Inventory_OpaqueSecretWithChain_ReturnsSuccess` | Inventory Opaque secret with chain | +| `Inventory_OpaqueSecretCertOnly_ReturnsSuccess` | Inventory certificate-only Opaque secret | +| `Management_AddOpaqueSecretToCluster_ReturnsSuccess` | Add Opaque secret via cluster | +| `Management_RemoveOpaqueSecretFromCluster_ReturnsSuccess` | Remove Opaque secret via cluster | +| `Management_AddOpaqueSecretWithBundledChain_CreatesBundledSecret` | IncludeCertChain=true, SeparateChain=false | +| `Management_AddOpaqueSecretWithSeparateChain_CreatesSeparateCaCrt` | IncludeCertChain=true, SeparateChain=true | +| `Management_AddOpaqueSecretWithoutChain_NoChainIncluded` | IncludeCertChain=false | +| `Management_OverwriteOpaqueSecret_UpdatesCorrectly` | Overwrite existing Opaque secret | +| `Inventory_MultipleOpaqueSecretsAcrossNamespaces_ReturnsAll` | Multiple Opaque secrets cluster-wide | +| **Key Type Coverage via Cluster** | | +| `Management_AddRsaCertificateViaCluster_AllKeySizes` | RSA 2048 via cluster | +| `Management_AddEcCertificateViaCluster_AllCurves` | EC P-256 via cluster | +| `Management_AddEd25519CertificateViaCluster_Success` | Ed25519 via cluster | +| `Management_AddRsa4096CertificateViaCluster_Success` | RSA 4096 add and inventory | +| `Management_AddEcP384CertificateViaCluster_Success` | EC P-384 add and inventory | +| `Management_AddEcP521CertificateViaCluster_Success` | EC P-521 add and inventory | +| `Management_AddRsa2048OpaqueSecretViaCluster_Success` | RSA 2048 Opaque via cluster | +| `Management_AddEcP256OpaqueSecretViaCluster_Success` | EC P-256 Opaque via cluster | +| **Cross-Type and Cross-Namespace Operations** | | +| `Inventory_MixedSecretTypes_ReturnsAllTypes` | TLS + Opaque in single inventory | +| `Discovery_MixedSecretTypes_ReturnsCorrectMetadata` | Discovery identifies secret types | +| `Management_AddTlsAndOpaqueToSameNamespace_BothSucceed` | Multiple types in same namespace | +| `CrossNamespace_TlsSecretsSameNameDifferentNs_AreIndependent` | TLS secrets same name different ns | +| `CrossNamespace_OpaqueSecretsSameNameDifferentNs_AreIndependent` | Opaque secrets same name different ns | +| `Management_TargetSpecificSecretType_UsesCorrectAlias` | Alias format targets correct type | +| **Additional Error Handling** | | +| `Inventory_NonExistentTlsSecretInCluster_ReturnsGracefully` | Non-existent TLS secret handling | +| `Inventory_NonExistentOpaqueSecretInCluster_ReturnsGracefully` | Non-existent Opaque secret handling | +| `Management_AddToNonExistentNamespace_ReturnsFailure` | Invalid namespace handling | + +--- + +## K8SNS - Namespace-Level Store Type + +Manages ALL secrets within a SINGLE namespace. + +### Unit Tests (`K8SNSStoreTests.cs`) + +| Test Name | Description | +|-----------|-------------| +| **Namespace Scope** | | +| `NamespaceStore_RepresentsSingleNamespace_NotClusterWide` | Store path is namespace name | +| `NamespaceStore_CanContainMultipleSecretTypes_InSameNamespace` | Multiple secret types in namespace | +| `NamespaceStore_EnforcesNamespaceBoundary_NoOtherNamespaces` | Only sees secrets in target namespace | +| **Secret Collection** | | +| `SecretList_SingleNamespace_CanBeEnumerated` | Secrets enumerated correctly | +| `SecretList_FilterByType_ReturnsOnlyMatchingSecrets` | Filtering by type works | +| `SecretList_GroupByName_CanIdentifyDuplicates` | Duplicate names detected | +| **Discovery** | | +| `Discovery_EmptyNamespace_ReturnsEmptyList` | Empty namespace returns empty | +| `Discovery_NamespaceWithSecrets_ReturnsAllSecrets` | All secrets discovered | +| **Certificate Data** | | +| `NamespaceSecret_WithPemCertificate_CanBeRead` | PEM certificates can be read | +| `NamespaceSecret_MultipleSecretsWithCertificates_CanBeEnumerated` | Multiple certificates enumerated | +| **Permissions (Conceptual)** | | +| `NamespaceStore_RequiresNamespaceScopedPermissions_NotClusterWide` | Documents namespace-scoped RBAC | +| **Edge Cases** | | +| `NamespaceStore_LargeNumberOfSecrets_CanBeHandled` | 100+ secrets handled | +| `NamespaceStore_SpecialCharactersInSecretNames_Handled` | Special characters in names work | +| **Namespace Validation** | | +| `NamespaceStore_ValidNamespace_AcceptsValidNames` | Valid namespace names accepted | +| `NamespaceStore_DefaultNamespace_HandledCorrectly` | Default namespace works | + +### Integration Tests (`K8SNSStoreIntegrationTests.cs`) + +| Test Name | Description | +|-----------|-------------| +| **Discovery** | | +| `Discovery_SingleNamespace_FindsAllSecrets` | Discovery in single namespace | +| `Discovery_MixedSecretTypes_FindsAllTypes` | Discovers all secret types | +| **Inventory** | | +| `Inventory_NamespaceScope_ReturnsAllCertificates` | Namespace-scoped inventory | +| **Management** | | +| `Management_AddCertificateToNamespace_ReturnsSuccess` | Add to namespace | +| `Management_RemoveCertificateFromNamespace_ReturnsSuccess` | Remove from namespace | +| **Boundary Tests** | | +| `NamespaceScope_OnlySeesSecretsInNamespace_NotOtherNamespaces` | Only sees own namespace | +| **Error Handling** | | +| `Inventory_NonExistentNamespace_ReturnsFailure` | Non-existent namespace handled | +| `Inventory_EmptyNamespace_ReturnsSuccess` | Empty namespace returns success | +| **Multiple Secret Types** | | +| `Namespace_WithMultipleSecretTypes_HandlesAllTypes` | Handles Opaque, TLS, EC in same namespace | +| **Key Type Coverage** | | +| `Management_Rsa2048Certificate_AddAndInventory_Success` | RSA 2048 add and inventory | +| `Management_Rsa4096Certificate_AddAndInventory_Success` | RSA 4096 add and inventory | +| `Management_EcP256Certificate_AddAndInventory_Success` | EC P-256 add and inventory | +| `Management_EcP384Certificate_AddAndInventory_Success` | EC P-384 add and inventory | +| `Management_EcP521Certificate_AddAndInventory_Success` | EC P-521 add and inventory | +| `Management_Ed25519Certificate_AddAndInventory_Success` | Ed25519 add and inventory | + +--- + +## K8SCert - Certificate Signing Request Store Type + +Manages Kubernetes Certificate Signing Requests (CSRs). **READ-ONLY** - only Inventory and Discovery operations are supported. + +### Unit Tests (`K8SCertStoreTests.cs`) + +| Test Name | Description | +|-----------|-------------| +| **CSR Status** | | +| `CertificateSigningRequest_ApprovedWithCertificate_HasValidStatus` | Approved CSR with certificate | +| `CertificateSigningRequest_Pending_HasNoConditions` | Pending CSR has no conditions | +| `CertificateSigningRequest_Denied_HasDeniedCondition` | Denied CSR has denied condition | +| `CertificateSigningRequest_ApprovedWithoutCertificate_IsIncomplete` | Approved but no cert is incomplete | +| **CSR Certificate Parsing** | | +| `CertificateSigningRequest_WithValidCertificate_CanBeParsed` | Certificate from CSR can be parsed | +| `CertificateSigningRequest_VariousKeyTypes_CanBeCreated` | All key types create valid CSRs | +| **CSR Collection** | | +| `CertificateSigningRequests_MultipleCSRs_CanBeEnumerated` | Multiple CSRs enumerated with correct counts | +| **Edge Cases** | | +| `CertificateSigningRequest_NullStatus_HandledGracefully` | Null status handled | +| `CertificateSigningRequest_EmptyConditions_TreatedAsPending` | Empty conditions = pending | +| `CertificateSigningRequest_MultipleConditions_LatestTakesPrecedence` | Latest condition takes precedence | +| **Metadata** | | +| `CertificateSigningRequest_Metadata_ContainsRequiredFields` | Required metadata fields present | + +### Integration Tests (`K8SCertStoreIntegrationTests.cs`) + +| Test Name | Description | +|-----------|-------------| +| **Inventory** | | +| `Inventory_SingleApprovedCSR_ReturnsSuccess` | Approved CSR inventory | +| `Inventory_PendingCSR_ReturnsSuccess` | Pending CSR inventory | +| `Inventory_NonExistentCSR_ReturnsFailure` | Non-existent CSR handled gracefully | +| **Discovery** | | +| `Discovery_FindsMultipleCSRs_ReturnsSuccess` | Discovery finds multiple CSRs | + +--- + +## Certificate Format Detection Tests + +Tests for DER and PEM certificate format detection and parsing. These tests validate the ability to handle certificates without private keys from Command. + +### Unit Tests (`CertificateFormatTests.cs`) + +| Test Name | Description | +|-----------|-------------| +| **DER Format Detection** | | +| `IsDerFormat_ValidDerCertificate_ReturnsTrue` | Valid DER certificate is detected | +| `IsDerFormat_VariousKeyTypes_ReturnsTrue` | DER detection works for RSA, EC, Ed25519 keys | +| `IsDerFormat_Pkcs12Data_ReturnsFalse` | PKCS12 data is not detected as DER | +| `IsDerFormat_RandomBytes_ReturnsFalse` | Random bytes are not detected as DER | +| `IsDerFormat_EmptyBytes_ReturnsFalse` | Empty bytes return false | +| `IsDerFormat_NullBytes_ReturnsFalse` | Null bytes return false | +| **Certificate Generation Without Private Key** | | +| `GenerateDerCertificate_ReturnsValidDerBytes` | DER certificate generation works | +| `GeneratePemCertificateOnly_ReturnsPemWithoutPrivateKey` | PEM without private key is generated | +| `GenerateBase64DerCertificate_ReturnsValidBase64` | Base64 DER certificate is valid | +| **Certificate Thumbprint** | | +| `GetThumbprint_DerCertificate_ReturnsValidThumbprint` | DER certificate thumbprint extraction | +| **PEM/DER Round-Trip** | | +| `DerToPem_RoundTrip_PreservesData` | Round-trip conversion preserves data | +| **Certificate Chain Parsing** | | +| `CertificateChain_MultiplePemCertificates_ParsesAllCerts` | Multiple PEM certs parsed correctly | +| `CertificateChain_FullChainInSingleField_ParsesAllThreeCerts` | Full chain (leaf+intermediate+root) parsed | +| `CertificateChain_SingleCertificate_ParsesOneCert` | Single certificate parsed | +| `CertificateChain_EmptyString_ReturnsEmptyList` | Empty string returns empty list | + +--- + +## Certificate Utilities + +Utility functions for certificate parsing, conversion, and property extraction. + +### Unit Tests (`CertificateUtilitiesTests.cs`) + +| Test Name | Description | +|-----------|-------------| +| **Certificate Parsing** | | +| `ParseCertificateFromPem_ValidPem_ReturnsValidCertificate` | PEM parsing works | +| `ParseCertificateFromPem_NullString_ThrowsArgumentException` | Null PEM throws | +| `ParseCertificateFromPem_EmptyString_ThrowsArgumentException` | Empty PEM throws | +| `ParseCertificateFromDer_ValidDer_ReturnsValidCertificate` | DER parsing works | +| `ParseCertificateFromDer_NullBytes_ThrowsArgumentException` | Null DER throws | +| `ParseCertificateFromDer_EmptyBytes_ThrowsArgumentException` | Empty DER throws | +| `ParseCertificateFromPkcs12_ValidPkcs12_ReturnsValidCertificate` | PKCS12 parsing works | +| `ParseCertificateFromPkcs12_WithAlias_ReturnsCorrectCertificate` | PKCS12 with alias works | +| **Certificate Properties** | | +| `GetThumbprint_ValidCertificate_ReturnsUppercaseHex` | Thumbprint is uppercase hex | +| `GetThumbprint_MatchesX509Certificate2_ForValidation` | Thumbprint matches .NET X509Certificate2 | +| `GetSubjectCN_ValidCertificate_ExtractsCorrectCN` | Subject CN extraction | +| `GetSubjectDN_ValidCertificate_ReturnsFullDN` | Full subject DN | +| `GetIssuerCN_ValidCertificate_ExtractsCorrectCN` | Issuer CN extraction | +| `GetNotBefore_ValidCertificate_ReturnsValidDate` | Not before date | +| `GetNotAfter_ValidCertificate_ReturnsValidDate` | Not after date | +| `GetSerialNumber_ValidCertificate_ReturnsHexString` | Serial number as hex | +| `GetKeyAlgorithm_RsaCertificate_ReturnsRSA` | RSA algorithm detection | +| `GetKeyAlgorithm_EcCertificate_ReturnsECDSA` | ECDSA algorithm detection | +| `GetPublicKey_ValidCertificate_ReturnsNonEmptyBytes` | Public key bytes | +| **Private Key Operations** | | +| `ExtractPrivateKey_ValidStore_ReturnsPrivateKey` | Private key extraction | +| `ExtractPrivateKey_WithAlias_ReturnsCorrectKey` | Extraction with alias | +| `ExtractPrivateKeyAsPem_RsaKey_ReturnsValidPem` | RSA key to PEM | +| `ExtractPrivateKeyAsPem_EcKey_ReturnsValidPem` | EC key to PEM | +| `ExportPrivateKeyPkcs8_RsaKey_ReturnsValidBytes` | RSA key to PKCS8 | +| `ExportPrivateKeyPkcs8_EcKey_ReturnsValidBytes` | EC key to PKCS8 | +| `GetPrivateKeyType_RsaKey_ReturnsRSA` | RSA key type detection | +| `GetPrivateKeyType_EcKey_ReturnsEC` | EC key type detection | +| **Chain Operations** | | +| `LoadCertificateChain_SingleCertPem_ReturnsOneCertificate` | Single cert chain | +| `LoadCertificateChain_MultipleCertsPem_ReturnsMultipleCertificates` | Multi cert chain | +| `LoadCertificateChain_EmptyString_ReturnsEmptyList` | Empty string = empty list | +| `ExtractChainFromPkcs12_WithChain_ReturnsFullChain` | PKCS12 chain extraction | +| **Format Detection** | | +| `DetectFormat_PemData_ReturnsPem` | PEM format detection | +| `DetectFormat_DerData_ReturnsDer` | DER format detection | +| `DetectFormat_Pkcs12Data_ReturnsPkcs12` | PKCS12 format detection | +| `DetectFormat_NullData_ReturnsUnknown` | Null = unknown | +| `DetectFormat_EmptyData_ReturnsUnknown` | Empty = unknown | +| **Format Conversion** | | +| `ConvertToPem_ValidCertificate_ReturnsValidPem` | Certificate to PEM | +| `ConvertToDer_ValidCertificate_ReturnsValidDer` | Certificate to DER | +| `ConvertToPem_RoundTrip_PreservesData` | PEM round-trip | +| **Helper Methods** | | +| `LoadPkcs12Store_ValidData_ReturnsStore` | PKCS12 store loading | +| `LoadPkcs12Store_InvalidPassword_ThrowsException` | Invalid password throws | +| `IsDerFormat_ValidDer_ReturnsTrue` | DER detection | +| `IsDerFormat_InvalidData_ReturnsFalse` | Invalid data detection | +| **Null Argument Tests** | | +| `GetThumbprint_NullCertificate_ThrowsArgumentNullException` | Null cert throws | +| `GetSubjectCN_NullCertificate_ThrowsArgumentNullException` | Null cert throws | +| `ConvertToPem_NullCertificate_ThrowsArgumentNullException` | Null cert throws | +| `ConvertToDer_NullCertificate_ThrowsArgumentNullException` | Null cert throws | +| `ExtractPrivateKeyAsPem_NullKey_ThrowsArgumentNullException` | Null key throws | +| `ExportPrivateKeyPkcs8_NullKey_ThrowsArgumentNullException` | Null key throws | + +--- + +## Logging Safety Tests + +Tests to ensure sensitive data is never logged. + +### Unit Tests (`LoggingSafetyTests.cs`) + +| Test Name | Description | +|-----------|-------------| +| **Source Code Analysis** | | +| `SourceCode_ShouldNotContain_DirectPasswordLogging` | No direct password logging in source | +| `SourceCode_ShouldNotContain_DirectPrivateKeyLogging` | No direct private key logging | +| `SourceCode_ShouldNotContain_DirectTokenLogging` | No direct token logging | +| `NoTodoInsecureCommentsRemain` | No TODO insecure comments remain | +| **LoggingUtilities** | | +| `LoggingUtilities_RedactPassword_ShouldNotRevealPassword` | Password redaction works | +| `LoggingUtilities_GetPasswordCorrelationId_ShouldBeConsistent` | Consistent correlation IDs | +| `LoggingUtilities_GetPasswordCorrelationId_ShouldBeDifferentForDifferentPasswords` | Different passwords = different IDs | +| `LoggingUtilities_RedactPrivateKeyPem_ShouldNotRevealKeyMaterial` | Private key PEM redaction | +| `LoggingUtilities_RedactPrivateKey_ShouldShowKeyTypeOnly` | Private key redaction shows type only | +| `LoggingUtilities_RedactPkcs12Bytes_ShouldNotRevealContents` | PKCS12 bytes redaction | +| `LoggingUtilities_RedactToken_ShouldShowOnlyPrefixSuffixAndLength` | Token redaction | +| `LoggingUtilities_GetFieldPresence_ShouldIndicatePresenceNotValue` | Field presence indicator | + +--- + +## Test Infrastructure + +### Helpers + +- **`CertificateTestHelper.cs`** - Generates test certificates with various key types (RSA, EC, DSA, Ed25519, Ed448) and chain configurations +- **`SkipUnlessAttribute.cs`** - Custom xUnit attribute to skip tests unless specific environment variables are set + +### Environment Variables + +| Variable | Description | Default | +|----------|-------------|---------| +| `RUN_INTEGRATION_TESTS` | Set to `true` to enable integration tests | (not set) | +| `INTEGRATION_TEST_KUBECONFIG` | Path to kubeconfig file | `~/.kube/config` | +| `INTEGRATION_TEST_CONTEXT` | Kubernetes context to use | `kf-integrations` | +| `SKIP_INTEGRATION_TEST_CLEANUP` | Set to `true` to skip cleanup after tests | (not set) | + +### Test Namespaces + +Integration tests create dedicated namespaces for isolation: +- `keyfactor-k8sjks-integration-tests` +- `keyfactor-k8spkcs12-integration-tests` +- `keyfactor-k8ssecret-integration-tests` +- `keyfactor-k8stlssecr-integration-tests` +- `keyfactor-k8scluster-test-ns1`, `keyfactor-k8scluster-test-ns2` +- `keyfactor-k8sns-integration-tests` +- `keyfactor-k8scert-integration-tests` diff --git a/kubernetes-orchestrator-extension.Tests/UnitTest1.cs b/kubernetes-orchestrator-extension.Tests/UnitTest1.cs new file mode 100644 index 00000000..9d04eda9 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/UnitTest1.cs @@ -0,0 +1,10 @@ +namespace Keyfactor.Orchestrators.K8S.Tests; + +public class UnitTest1 +{ + [Fact] + public void Test1() + { + + } +} \ No newline at end of file diff --git a/kubernetes-orchestrator-extension.Tests/Utilities/CertificateUtilitiesTests.cs b/kubernetes-orchestrator-extension.Tests/Utilities/CertificateUtilitiesTests.cs new file mode 100644 index 00000000..ca3e8cb8 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Utilities/CertificateUtilitiesTests.cs @@ -0,0 +1,867 @@ +using System; +using System.IO; +using System.Linq; +using System.Security.Cryptography; +using System.Security.Cryptography.X509Certificates; +using System.Text; +using Keyfactor.Extensions.Orchestrator.K8S.Utilities; +using Org.BouncyCastle.Asn1.X509; +using Org.BouncyCastle.Crypto; +using Org.BouncyCastle.Crypto.Generators; +using Org.BouncyCastle.Crypto.Operators; +using Org.BouncyCastle.Crypto.Parameters; +using Org.BouncyCastle.Math; +using Org.BouncyCastle.OpenSsl; +using Org.BouncyCastle.Pkcs; +using Org.BouncyCastle.Security; +using Org.BouncyCastle.Utilities.IO.Pem; +using Org.BouncyCastle.X509; +using Xunit; +using X509Certificate = Org.BouncyCastle.X509.X509Certificate; + +namespace Keyfactor.Orchestrators.K8S.Tests.Utilities; + +public class CertificateUtilitiesTests +{ + #region Test Certificate Generation + + private static (X509Certificate cert, AsymmetricCipherKeyPair keyPair) GenerateTestRsaCertificate( + string subjectCn = "Test Certificate", + string issuerCn = null, + int keySize = 2048) + { + var random = new SecureRandom(); + var keyPairGenerator = new RsaKeyPairGenerator(); + keyPairGenerator.Init(new KeyGenerationParameters(random, keySize)); + var keyPair = keyPairGenerator.GenerateKeyPair(); + + var certGen = new X509V3CertificateGenerator(); + var subjectDN = new X509Name($"CN={subjectCn}"); + var issuerDN = issuerCn != null ? new X509Name($"CN={issuerCn}") : subjectDN; + + certGen.SetSerialNumber(BigInteger.ProbablePrime(120, random)); + certGen.SetIssuerDN(issuerDN); + certGen.SetSubjectDN(subjectDN); + certGen.SetNotBefore(DateTime.UtcNow.AddDays(-1)); + certGen.SetNotAfter(DateTime.UtcNow.AddYears(1)); + certGen.SetPublicKey(keyPair.Public); + + var signatureFactory = new Asn1SignatureFactory("SHA256WithRSA", keyPair.Private, random); + var certificate = certGen.Generate(signatureFactory); + + return (certificate, keyPair); + } + + private static (X509Certificate cert, AsymmetricCipherKeyPair keyPair) GenerateTestEcCertificate( + string subjectCn = "Test EC Certificate", + string curveName = "secp256r1") + { + var random = new SecureRandom(); + var ecP256 = Org.BouncyCastle.Asn1.Sec.SecNamedCurves.GetByName(curveName); + var ecParams = new ECKeyGenerationParameters( + new ECDomainParameters(ecP256.Curve, ecP256.G, ecP256.N, ecP256.H, ecP256.GetSeed()), + random); + + var keyPairGenerator = new ECKeyPairGenerator(); + keyPairGenerator.Init(ecParams); + var keyPair = keyPairGenerator.GenerateKeyPair(); + + var certGen = new X509V3CertificateGenerator(); + var subjectDN = new X509Name($"CN={subjectCn}"); + + certGen.SetSerialNumber(BigInteger.ProbablePrime(120, random)); + certGen.SetIssuerDN(subjectDN); + certGen.SetSubjectDN(subjectDN); + certGen.SetNotBefore(DateTime.UtcNow.AddDays(-1)); + certGen.SetNotAfter(DateTime.UtcNow.AddYears(1)); + certGen.SetPublicKey(keyPair.Public); + + var signatureFactory = new Asn1SignatureFactory("SHA256WithECDSA", keyPair.Private, random); + var certificate = certGen.Generate(signatureFactory); + + return (certificate, keyPair); + } + + private static byte[] GeneratePkcs12( + X509Certificate cert, + AsymmetricCipherKeyPair keyPair, + string password = "password", + string alias = "testcert", + X509Certificate[] chain = null) + { + var store = new Pkcs12StoreBuilder().Build(); + var certEntry = new X509CertificateEntry(cert); + + // Build certificate chain + var certChain = new X509CertificateEntry[chain != null ? chain.Length + 1 : 1]; + certChain[0] = certEntry; + if (chain != null) + { + for (int i = 0; i < chain.Length; i++) + { + certChain[i + 1] = new X509CertificateEntry(chain[i]); + } + } + + store.SetKeyEntry(alias, new AsymmetricKeyEntry(keyPair.Private), certChain); + + using var ms = new MemoryStream(); + store.Save(ms, password.ToCharArray(), new SecureRandom()); + return ms.ToArray(); + } + + #endregion + + #region Certificate Parsing Tests + + [Fact] + public void ParseCertificateFromPem_ValidPem_ReturnsValidCertificate() + { + // Arrange + var (cert, _) = GenerateTestRsaCertificate("Test Cert"); + var pemObject = new PemObject("CERTIFICATE", cert.GetEncoded()); + using var stringWriter = new StringWriter(); + var pemWriter = new Org.BouncyCastle.Utilities.IO.Pem.PemWriter(stringWriter); + pemWriter.WriteObject(pemObject); + pemWriter.Writer.Flush(); + var pemString = stringWriter.ToString(); + + // Act + var parsedCert = CertificateUtilities.ParseCertificateFromPem(pemString); + + // Assert + Assert.NotNull(parsedCert); + Assert.Equal(cert.SerialNumber, parsedCert.SerialNumber); + Assert.Equal(cert.SubjectDN.ToString(), parsedCert.SubjectDN.ToString()); + } + + [Fact] + public void ParseCertificateFromPem_NullString_ThrowsArgumentException() + { + // Act & Assert + Assert.Throws(() => CertificateUtilities.ParseCertificateFromPem(null)); + } + + [Fact] + public void ParseCertificateFromPem_EmptyString_ThrowsArgumentException() + { + // Act & Assert + Assert.Throws(() => CertificateUtilities.ParseCertificateFromPem("")); + } + + [Fact] + public void ParseCertificateFromDer_ValidDer_ReturnsValidCertificate() + { + // Arrange + var (cert, _) = GenerateTestRsaCertificate("Test DER Cert"); + var derBytes = cert.GetEncoded(); + + // Act + var parsedCert = CertificateUtilities.ParseCertificateFromDer(derBytes); + + // Assert + Assert.NotNull(parsedCert); + Assert.Equal(cert.SerialNumber, parsedCert.SerialNumber); + Assert.Equal(cert.SubjectDN.ToString(), parsedCert.SubjectDN.ToString()); + } + + [Fact] + public void ParseCertificateFromDer_NullBytes_ThrowsArgumentException() + { + // Act & Assert + Assert.Throws(() => CertificateUtilities.ParseCertificateFromDer(null)); + } + + [Fact] + public void ParseCertificateFromDer_EmptyBytes_ThrowsArgumentException() + { + // Act & Assert + Assert.Throws(() => CertificateUtilities.ParseCertificateFromDer(Array.Empty())); + } + + [Fact] + public void ParseCertificateFromPkcs12_ValidPkcs12_ReturnsValidCertificate() + { + // Arrange + var (cert, keyPair) = GenerateTestRsaCertificate("Test PKCS12 Cert"); + var pkcs12Bytes = GeneratePkcs12(cert, keyPair); + + // Act + var parsedCert = CertificateUtilities.ParseCertificateFromPkcs12(pkcs12Bytes, "password"); + + // Assert + Assert.NotNull(parsedCert); + Assert.Equal(cert.SerialNumber, parsedCert.SerialNumber); + Assert.Equal(cert.SubjectDN.ToString(), parsedCert.SubjectDN.ToString()); + } + + [Fact] + public void ParseCertificateFromPkcs12_WithAlias_ReturnsCorrectCertificate() + { + // Arrange + var (cert, keyPair) = GenerateTestRsaCertificate("Test Alias Cert"); + var pkcs12Bytes = GeneratePkcs12(cert, keyPair, alias: "myalias"); + + // Act + var parsedCert = CertificateUtilities.ParseCertificateFromPkcs12(pkcs12Bytes, "password", "myalias"); + + // Assert + Assert.NotNull(parsedCert); + Assert.Equal(cert.SerialNumber, parsedCert.SerialNumber); + } + + #endregion + + #region Certificate Property Tests + + [Fact] + public void GetThumbprint_ValidCertificate_ReturnsUppercaseHex() + { + // Arrange + var (cert, _) = GenerateTestRsaCertificate(); + + // Act + var thumbprint = CertificateUtilities.GetThumbprint(cert); + + // Assert + Assert.NotNull(thumbprint); + Assert.NotEmpty(thumbprint); + Assert.Equal(40, thumbprint.Length); // SHA-1 hash is 40 hex characters + Assert.All(thumbprint, c => Assert.True(char.IsDigit(c) || (c >= 'A' && c <= 'F'))); + } + + [Fact] + public void GetThumbprint_MatchesX509Certificate2_ForValidation() + { + // Arrange + var (bcCert, keyPair) = GenerateTestRsaCertificate(); + var pkcs12Bytes = GeneratePkcs12(bcCert, keyPair); + + // Convert to X509Certificate2 for comparison + var x509Cert2 = new X509Certificate2(pkcs12Bytes, "password"); + + // Act + var bcThumbprint = CertificateUtilities.GetThumbprint(bcCert); + var x509Thumbprint = x509Cert2.Thumbprint; + + // Assert + Assert.Equal(x509Thumbprint, bcThumbprint); + } + + [Fact] + public void GetSubjectCN_ValidCertificate_ExtractsCorrectCN() + { + // Arrange + var expectedCN = "Test Subject CN"; + var (cert, _) = GenerateTestRsaCertificate(expectedCN); + + // Act + var actualCN = CertificateUtilities.GetSubjectCN(cert); + + // Assert + Assert.Equal(expectedCN, actualCN); + } + + [Fact] + public void GetSubjectDN_ValidCertificate_ReturnsFullDN() + { + // Arrange + var (cert, _) = GenerateTestRsaCertificate("Test DN"); + + // Act + var dn = CertificateUtilities.GetSubjectDN(cert); + + // Assert + Assert.NotNull(dn); + Assert.Contains("CN=Test DN", dn); + } + + [Fact] + public void GetIssuerCN_ValidCertificate_ExtractsCorrectCN() + { + // Arrange + var (cert, _) = GenerateTestRsaCertificate("Subject", "Issuer"); + + // Act + var issuerCN = CertificateUtilities.GetIssuerCN(cert); + + // Assert + Assert.Equal("Issuer", issuerCN); + } + + [Fact] + public void GetNotBefore_ValidCertificate_ReturnsValidDate() + { + // Arrange + var (cert, _) = GenerateTestRsaCertificate(); + + // Act + var notBefore = CertificateUtilities.GetNotBefore(cert); + + // Assert + Assert.True(notBefore < DateTime.UtcNow); + Assert.True(notBefore > DateTime.UtcNow.AddDays(-2)); + } + + [Fact] + public void GetNotAfter_ValidCertificate_ReturnsValidDate() + { + // Arrange + var (cert, _) = GenerateTestRsaCertificate(); + + // Act + var notAfter = CertificateUtilities.GetNotAfter(cert); + + // Assert + Assert.True(notAfter > DateTime.UtcNow); + Assert.True(notAfter < DateTime.UtcNow.AddYears(2)); + } + + [Fact] + public void GetSerialNumber_ValidCertificate_ReturnsHexString() + { + // Arrange + var (cert, _) = GenerateTestRsaCertificate(); + + // Act + var serialNumber = CertificateUtilities.GetSerialNumber(cert); + + // Assert + Assert.NotNull(serialNumber); + Assert.NotEmpty(serialNumber); + Assert.All(serialNumber, c => Assert.True(char.IsDigit(c) || (c >= 'A' && c <= 'F'))); + } + + [Fact] + public void GetKeyAlgorithm_RsaCertificate_ReturnsRSA() + { + // Arrange + var (cert, _) = GenerateTestRsaCertificate(); + + // Act + var algorithm = CertificateUtilities.GetKeyAlgorithm(cert); + + // Assert + Assert.Equal("RSA", algorithm); + } + + [Fact] + public void GetKeyAlgorithm_EcCertificate_ReturnsECDSA() + { + // Arrange + var (cert, _) = GenerateTestEcCertificate(); + + // Act + var algorithm = CertificateUtilities.GetKeyAlgorithm(cert); + + // Assert + Assert.Equal("ECDSA", algorithm); + } + + [Fact] + public void GetPublicKey_ValidCertificate_ReturnsNonEmptyBytes() + { + // Arrange + var (cert, _) = GenerateTestRsaCertificate(); + + // Act + var publicKey = CertificateUtilities.GetPublicKey(cert); + + // Assert + Assert.NotNull(publicKey); + Assert.NotEmpty(publicKey); + } + + #endregion + + #region Private Key Operation Tests + + [Fact] + public void ExtractPrivateKey_ValidStore_ReturnsPrivateKey() + { + // Arrange + var (cert, keyPair) = GenerateTestRsaCertificate(); + var pkcs12Bytes = GeneratePkcs12(cert, keyPair); + var store = CertificateUtilities.LoadPkcs12Store(pkcs12Bytes, "password"); + + // Act + var privateKey = CertificateUtilities.ExtractPrivateKey(store); + + // Assert + Assert.NotNull(privateKey); + Assert.True(privateKey.IsPrivate); + } + + [Fact] + public void ExtractPrivateKey_WithAlias_ReturnsCorrectKey() + { + // Arrange + var (cert, keyPair) = GenerateTestRsaCertificate(); + var pkcs12Bytes = GeneratePkcs12(cert, keyPair, alias: "testkey"); + var store = CertificateUtilities.LoadPkcs12Store(pkcs12Bytes, "password"); + + // Act + var privateKey = CertificateUtilities.ExtractPrivateKey(store, "testkey"); + + // Assert + Assert.NotNull(privateKey); + Assert.True(privateKey.IsPrivate); + } + + [Fact] + public void ExtractPrivateKeyAsPem_RsaKey_ReturnsValidPem() + { + // Arrange + var (cert, keyPair) = GenerateTestRsaCertificate(); + var pkcs12Bytes = GeneratePkcs12(cert, keyPair); + var store = CertificateUtilities.LoadPkcs12Store(pkcs12Bytes, "password"); + var privateKey = CertificateUtilities.ExtractPrivateKey(store); + + // Act + var pemKey = CertificateUtilities.ExtractPrivateKeyAsPem(privateKey); + + // Assert + Assert.NotNull(pemKey); + Assert.Contains("-----BEGIN", pemKey); + Assert.Contains("-----END", pemKey); + Assert.Contains("PRIVATE KEY", pemKey); + } + + [Fact] + public void ExtractPrivateKeyAsPem_EcKey_ReturnsValidPem() + { + // Arrange + var (cert, keyPair) = GenerateTestEcCertificate(); + var pkcs12Bytes = GeneratePkcs12(cert, keyPair); + var store = CertificateUtilities.LoadPkcs12Store(pkcs12Bytes, "password"); + var privateKey = CertificateUtilities.ExtractPrivateKey(store); + + // Act + var pemKey = CertificateUtilities.ExtractPrivateKeyAsPem(privateKey); + + // Assert + Assert.NotNull(pemKey); + Assert.Contains("-----BEGIN", pemKey); + Assert.Contains("-----END", pemKey); + Assert.Contains("PRIVATE KEY", pemKey); + } + + [Fact] + public void ExportPrivateKeyPkcs8_RsaKey_ReturnsValidBytes() + { + // Arrange + var (cert, keyPair) = GenerateTestRsaCertificate(); + + // Act + var pkcs8Bytes = CertificateUtilities.ExportPrivateKeyPkcs8(keyPair.Private); + + // Assert + Assert.NotNull(pkcs8Bytes); + Assert.NotEmpty(pkcs8Bytes); + } + + [Fact] + public void ExportPrivateKeyPkcs8_EcKey_ReturnsValidBytes() + { + // Arrange + var (cert, keyPair) = GenerateTestEcCertificate(); + + // Act + var pkcs8Bytes = CertificateUtilities.ExportPrivateKeyPkcs8(keyPair.Private); + + // Assert + Assert.NotNull(pkcs8Bytes); + Assert.NotEmpty(pkcs8Bytes); + } + + [Fact] + public void GetPrivateKeyType_RsaKey_ReturnsRSA() + { + // Arrange + var (cert, keyPair) = GenerateTestRsaCertificate(); + + // Act + var keyType = CertificateUtilities.GetPrivateKeyType(keyPair.Private); + + // Assert + Assert.Equal("RSA", keyType); + } + + [Fact] + public void GetPrivateKeyType_EcKey_ReturnsEC() + { + // Arrange + var (cert, keyPair) = GenerateTestEcCertificate(); + + // Act + var keyType = CertificateUtilities.GetPrivateKeyType(keyPair.Private); + + // Assert + Assert.Equal("EC", keyType); + } + + #endregion + + #region Chain Operation Tests + + [Fact] + public void LoadCertificateChain_SingleCertPem_ReturnsOneCertificate() + { + // Arrange + var (cert, _) = GenerateTestRsaCertificate(); + var pem = CertificateUtilities.ConvertToPem(cert); + + // Act + var chain = CertificateUtilities.LoadCertificateChain(pem); + + // Assert + Assert.NotNull(chain); + Assert.Single(chain); + Assert.Equal(cert.SerialNumber, chain[0].SerialNumber); + } + + [Fact] + public void LoadCertificateChain_MultipleCertsPem_ReturnsMultipleCertificates() + { + // Arrange + var (cert1, _) = GenerateTestRsaCertificate("Cert1"); + var (cert2, _) = GenerateTestRsaCertificate("Cert2"); + var pem1 = CertificateUtilities.ConvertToPem(cert1); + var pem2 = CertificateUtilities.ConvertToPem(cert2); + var combinedPem = pem1 + pem2; + + // Act + var chain = CertificateUtilities.LoadCertificateChain(combinedPem); + + // Assert + Assert.NotNull(chain); + Assert.Equal(2, chain.Count); + } + + [Fact] + public void LoadCertificateChain_EmptyString_ReturnsEmptyList() + { + // Act + var chain = CertificateUtilities.LoadCertificateChain(""); + + // Assert + Assert.NotNull(chain); + Assert.Empty(chain); + } + + [Fact] + public void ExtractChainFromPkcs12_WithChain_ReturnsFullChain() + { + // Arrange - Create a proper certificate chain (CA signs Leaf) + var (caCert, caKeyPair) = GenerateTestRsaCertificate("CA"); + var (leafCert, leafKeyPair) = GenerateSignedCertificate("Leaf", caCert, caKeyPair); + var pkcs12Bytes = GeneratePkcs12(leafCert, leafKeyPair, chain: new[] { caCert }); + + // Act + var chain = CertificateUtilities.ExtractChainFromPkcs12(pkcs12Bytes, "password"); + + // Assert + Assert.NotNull(chain); + Assert.Equal(2, chain.Count); // Leaf + CA + } + + private static (X509Certificate cert, AsymmetricCipherKeyPair keyPair) GenerateSignedCertificate( + string subjectCn, + X509Certificate issuerCert, + AsymmetricCipherKeyPair issuerKeyPair) + { + var random = new SecureRandom(); + var keyPairGenerator = new RsaKeyPairGenerator(); + keyPairGenerator.Init(new KeyGenerationParameters(random, 2048)); + var keyPair = keyPairGenerator.GenerateKeyPair(); + + var certGen = new X509V3CertificateGenerator(); + var subjectDN = new X509Name($"CN={subjectCn}"); + + certGen.SetSerialNumber(BigInteger.ProbablePrime(120, random)); + certGen.SetIssuerDN(issuerCert.SubjectDN); + certGen.SetSubjectDN(subjectDN); + certGen.SetNotBefore(DateTime.UtcNow.AddDays(-1)); + certGen.SetNotAfter(DateTime.UtcNow.AddYears(1)); + certGen.SetPublicKey(keyPair.Public); + + // Sign with the issuer's private key + var signatureFactory = new Asn1SignatureFactory("SHA256WithRSA", issuerKeyPair.Private, random); + var certificate = certGen.Generate(signatureFactory); + + return (certificate, keyPair); + } + + #endregion + + #region Format Detection and Conversion Tests + + [Fact] + public void DetectFormat_PemData_ReturnsPem() + { + // Arrange + var (cert, _) = GenerateTestRsaCertificate(); + var pem = CertificateUtilities.ConvertToPem(cert); + var pemBytes = Encoding.UTF8.GetBytes(pem); + + // Act + var format = CertificateUtilities.DetectFormat(pemBytes); + + // Assert + Assert.Equal(CertificateFormat.Pem, format); + } + + [Fact] + public void DetectFormat_DerData_ReturnsDer() + { + // Arrange + var (cert, _) = GenerateTestRsaCertificate(); + var derBytes = cert.GetEncoded(); + + // Act + var format = CertificateUtilities.DetectFormat(derBytes); + + // Assert + Assert.Equal(CertificateFormat.Der, format); + } + + [Fact] + public void DetectFormat_Pkcs12Data_ReturnsPkcs12() + { + // Arrange + var (cert, keyPair) = GenerateTestRsaCertificate(); + var pkcs12Bytes = GeneratePkcs12(cert, keyPair); + + // Act + var format = CertificateUtilities.DetectFormat(pkcs12Bytes); + + // Assert + // Note: PKCS12 detection may be tricky, might return Unknown in some cases + Assert.True(format == CertificateFormat.Pkcs12 || format == CertificateFormat.Unknown); + } + + [Fact] + public void DetectFormat_NullData_ReturnsUnknown() + { + // Act + var format = CertificateUtilities.DetectFormat(null); + + // Assert + Assert.Equal(CertificateFormat.Unknown, format); + } + + [Fact] + public void DetectFormat_EmptyData_ReturnsUnknown() + { + // Act + var format = CertificateUtilities.DetectFormat(Array.Empty()); + + // Assert + Assert.Equal(CertificateFormat.Unknown, format); + } + + [Fact] + public void ConvertToPem_ValidCertificate_ReturnsValidPem() + { + // Arrange + var (cert, _) = GenerateTestRsaCertificate(); + + // Act + var pem = CertificateUtilities.ConvertToPem(cert); + + // Assert + Assert.NotNull(pem); + Assert.Contains("-----BEGIN CERTIFICATE-----", pem); + Assert.Contains("-----END CERTIFICATE-----", pem); + } + + [Fact] + public void ConvertToDer_ValidCertificate_ReturnsValidDer() + { + // Arrange + var (cert, _) = GenerateTestRsaCertificate(); + + // Act + var derBytes = CertificateUtilities.ConvertToDer(cert); + + // Assert + Assert.NotNull(derBytes); + Assert.NotEmpty(derBytes); + // DER should start with 0x30 (SEQUENCE tag) + Assert.Equal(0x30, derBytes[0]); + } + + [Fact] + public void ConvertToPem_RoundTrip_PreservesData() + { + // Arrange + var (cert, _) = GenerateTestRsaCertificate(); + var originalDer = cert.GetEncoded(); + + // Act + var pem = CertificateUtilities.ConvertToPem(cert); + var parsedCert = CertificateUtilities.ParseCertificateFromPem(pem); + var roundTripDer = parsedCert.GetEncoded(); + + // Assert + Assert.Equal(originalDer, roundTripDer); + } + + #endregion + + #region Helper Method Tests + + [Fact] + public void LoadPkcs12Store_ValidData_ReturnsStore() + { + // Arrange + var (cert, keyPair) = GenerateTestRsaCertificate(); + var pkcs12Bytes = GeneratePkcs12(cert, keyPair); + + // Act + var store = CertificateUtilities.LoadPkcs12Store(pkcs12Bytes, "password"); + + // Assert + Assert.NotNull(store); + Assert.NotEmpty(store.Aliases.ToList()); + } + + [Fact] + public void LoadPkcs12Store_InvalidPassword_ThrowsException() + { + // Arrange + var (cert, keyPair) = GenerateTestRsaCertificate(); + var pkcs12Bytes = GeneratePkcs12(cert, keyPair, password: "correct"); + + // Act & Assert - BouncyCastle throws IOException for invalid password + Assert.ThrowsAny(() => + CertificateUtilities.LoadPkcs12Store(pkcs12Bytes, "wrong")); + } + + [Fact] + public void IsDerFormat_ValidDer_ReturnsTrue() + { + // Arrange + var (cert, _) = GenerateTestRsaCertificate(); + var derBytes = cert.GetEncoded(); + + // Act + var isDer = CertificateUtilities.IsDerFormat(derBytes); + + // Assert + Assert.True(isDer); + } + + [Fact] + public void IsDerFormat_InvalidData_ReturnsFalse() + { + // Arrange + var invalidData = new byte[] { 0x00, 0x01, 0x02, 0x03 }; + + // Act + var isDer = CertificateUtilities.IsDerFormat(invalidData); + + // Assert + Assert.False(isDer); + } + + #endregion + + #region Certificate Parsing Edge Cases + + /// + /// Verifies that invalid/corrupt certificate data doesn't cause null reference exceptions. + /// This tests the fix for the Ed25519 null reference bug where both PEM and DER parsing + /// could fail, leading to a null object being passed to ConvertToPem. + /// + [Fact] + public void ParseCertificateFromPem_InvalidData_ReturnsNullNotException() + { + // Arrange - Invalid/corrupt data that can't be parsed as PEM + var invalidData = "This is not a valid PEM certificate"; + + // Act - Should return null or throw meaningful exception, not NullReferenceException + try + { + var result = CertificateUtilities.ParseCertificateFromPem(invalidData); + // If it returns null, that's acceptable behavior + // The calling code should handle null appropriately + } + catch (NullReferenceException) + { + // This is the bug we're preventing - should never get NullReferenceException + Assert.Fail("ParseCertificateFromPem should not throw NullReferenceException for invalid data"); + } + catch (Exception ex) + { + // Other exceptions (like format exceptions) are acceptable + Assert.NotNull(ex.Message); + } + } + + [Fact] + public void ParseCertificateFromDer_InvalidData_ReturnsNullNotException() + { + // Arrange - Random bytes that can't be parsed as DER + var invalidData = new byte[] { 0x00, 0x01, 0x02, 0x03, 0x04 }; + + // Act - Should return null or throw meaningful exception, not NullReferenceException + try + { + var result = CertificateUtilities.ParseCertificateFromDer(invalidData); + // If it returns null, that's acceptable behavior + } + catch (NullReferenceException) + { + // This is the bug we're preventing - should never get NullReferenceException + Assert.Fail("ParseCertificateFromDer should not throw NullReferenceException for invalid data"); + } + catch (Exception ex) + { + // Other exceptions (like format exceptions) are acceptable + Assert.NotNull(ex.Message); + } + } + + #endregion + + #region Null Argument Tests + + [Fact] + public void GetThumbprint_NullCertificate_ThrowsArgumentNullException() + { + Assert.Throws(() => CertificateUtilities.GetThumbprint(null)); + } + + [Fact] + public void GetSubjectCN_NullCertificate_ThrowsArgumentNullException() + { + Assert.Throws(() => CertificateUtilities.GetSubjectCN(null)); + } + + [Fact] + public void ConvertToPem_NullCertificate_ThrowsArgumentNullException() + { + Assert.Throws(() => CertificateUtilities.ConvertToPem(null)); + } + + [Fact] + public void ConvertToDer_NullCertificate_ThrowsArgumentNullException() + { + Assert.Throws(() => CertificateUtilities.ConvertToDer(null)); + } + + [Fact] + public void ExtractPrivateKeyAsPem_NullKey_ThrowsArgumentNullException() + { + Assert.Throws(() => CertificateUtilities.ExtractPrivateKeyAsPem(null)); + } + + [Fact] + public void ExportPrivateKeyPkcs8_NullKey_ThrowsArgumentNullException() + { + Assert.Throws(() => CertificateUtilities.ExportPrivateKeyPkcs8(null)); + } + + #endregion +} diff --git a/kubernetes-orchestrator-extension.Tests/Utilities/PrivateKeyFormatUtilitiesTests.cs b/kubernetes-orchestrator-extension.Tests/Utilities/PrivateKeyFormatUtilitiesTests.cs new file mode 100644 index 00000000..f645592d --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/Utilities/PrivateKeyFormatUtilitiesTests.cs @@ -0,0 +1,467 @@ +// Copyright 2024 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. +// You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions +// and limitations under the License. + +using System; +using Keyfactor.Extensions.Orchestrator.K8S.Enums; +using Keyfactor.Extensions.Orchestrator.K8S.Utilities; +using Keyfactor.Orchestrators.K8S.Tests.Helpers; +using Org.BouncyCastle.Crypto; +using Xunit; + +namespace Keyfactor.Orchestrators.K8S.Tests.Utilities; + +/// +/// Unit tests for PrivateKeyFormatUtilities - format detection, PKCS1 support checking, +/// and PEM export functionality. +/// +public class PrivateKeyFormatUtilitiesTests +{ + #region Format Detection Tests + + [Fact] + public void DetectFormat_Pkcs8Header_ReturnsPkcs8() + { + var pemData = @"-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC7... +-----END PRIVATE KEY-----"; + + var result = PrivateKeyFormatUtilities.DetectFormat(pemData); + + Assert.Equal(PrivateKeyFormat.Pkcs8, result); + } + + [Fact] + public void DetectFormat_EncryptedPkcs8Header_ReturnsPkcs8() + { + var pemData = @"-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI... +-----END ENCRYPTED PRIVATE KEY-----"; + + var result = PrivateKeyFormatUtilities.DetectFormat(pemData); + + Assert.Equal(PrivateKeyFormat.Pkcs8, result); + } + + [Fact] + public void DetectFormat_RsaPkcs1Header_ReturnsPkcs1() + { + var pemData = @"-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAz... +-----END RSA PRIVATE KEY-----"; + + var result = PrivateKeyFormatUtilities.DetectFormat(pemData); + + Assert.Equal(PrivateKeyFormat.Pkcs1, result); + } + + [Fact] + public void DetectFormat_EcPkcs1Header_ReturnsPkcs1() + { + var pemData = @"-----BEGIN EC PRIVATE KEY----- +MHQCAQEEICXNdFAO5... +-----END EC PRIVATE KEY-----"; + + var result = PrivateKeyFormatUtilities.DetectFormat(pemData); + + Assert.Equal(PrivateKeyFormat.Pkcs1, result); + } + + [Fact] + public void DetectFormat_DsaPkcs1Header_ReturnsPkcs1() + { + var pemData = @"-----BEGIN DSA PRIVATE KEY----- +MIIDVgIBAAKCAQEA... +-----END DSA PRIVATE KEY-----"; + + var result = PrivateKeyFormatUtilities.DetectFormat(pemData); + + Assert.Equal(PrivateKeyFormat.Pkcs1, result); + } + + [Fact] + public void DetectFormat_EmptyString_ReturnsPkcs8Default() + { + var result = PrivateKeyFormatUtilities.DetectFormat(""); + + Assert.Equal(PrivateKeyFormat.Pkcs8, result); + } + + [Fact] + public void DetectFormat_NullString_ReturnsPkcs8Default() + { + var result = PrivateKeyFormatUtilities.DetectFormat(null); + + Assert.Equal(PrivateKeyFormat.Pkcs8, result); + } + + [Fact] + public void DetectFormat_UnknownFormat_ReturnsPkcs8Default() + { + var pemData = "some random data without PEM headers"; + + var result = PrivateKeyFormatUtilities.DetectFormat(pemData); + + Assert.Equal(PrivateKeyFormat.Pkcs8, result); + } + + #endregion + + #region SupportsPkcs1 Tests + + [Theory] + [InlineData(CertificateTestHelper.KeyType.Rsa2048)] + [InlineData(CertificateTestHelper.KeyType.Rsa4096)] + public void SupportsPkcs1_RsaKey_ReturnsTrue(CertificateTestHelper.KeyType keyType) + { + var keyPair = CertificateTestHelper.GenerateKeyPair(keyType); + + var result = PrivateKeyFormatUtilities.SupportsPkcs1(keyPair.Private); + + Assert.True(result); + } + + [Theory] + [InlineData(CertificateTestHelper.KeyType.EcP256)] + [InlineData(CertificateTestHelper.KeyType.EcP384)] + public void SupportsPkcs1_EcKey_ReturnsTrue(CertificateTestHelper.KeyType keyType) + { + var keyPair = CertificateTestHelper.GenerateKeyPair(keyType); + + var result = PrivateKeyFormatUtilities.SupportsPkcs1(keyPair.Private); + + Assert.True(result); + } + + [Fact] + public void SupportsPkcs1_DsaKey_ReturnsTrue() + { + var keyPair = CertificateTestHelper.GenerateKeyPair(CertificateTestHelper.KeyType.Dsa2048); + + var result = PrivateKeyFormatUtilities.SupportsPkcs1(keyPair.Private); + + Assert.True(result); + } + + [Fact] + public void SupportsPkcs1_Ed25519Key_ReturnsFalse() + { + var keyPair = CertificateTestHelper.GenerateKeyPair(CertificateTestHelper.KeyType.Ed25519); + + var result = PrivateKeyFormatUtilities.SupportsPkcs1(keyPair.Private); + + Assert.False(result); + } + + [Fact] + public void SupportsPkcs1_Ed448Key_ReturnsFalse() + { + var keyPair = CertificateTestHelper.GenerateKeyPair(CertificateTestHelper.KeyType.Ed448); + + var result = PrivateKeyFormatUtilities.SupportsPkcs1(keyPair.Private); + + Assert.False(result); + } + + [Fact] + public void SupportsPkcs1_NullKey_ReturnsFalse() + { + var result = PrivateKeyFormatUtilities.SupportsPkcs1(null); + + Assert.False(result); + } + + #endregion + + #region GetAlgorithmName Tests + + [Theory] + [InlineData(CertificateTestHelper.KeyType.Rsa2048, "RSA")] + [InlineData(CertificateTestHelper.KeyType.EcP256, "EC")] + [InlineData(CertificateTestHelper.KeyType.Dsa2048, "DSA")] + [InlineData(CertificateTestHelper.KeyType.Ed25519, "Ed25519")] + [InlineData(CertificateTestHelper.KeyType.Ed448, "Ed448")] + public void GetAlgorithmName_ReturnsCorrectName(CertificateTestHelper.KeyType keyType, string expectedName) + { + var keyPair = CertificateTestHelper.GenerateKeyPair(keyType); + + var result = PrivateKeyFormatUtilities.GetAlgorithmName(keyPair.Private); + + Assert.Equal(expectedName, result); + } + + #endregion + + #region ExportAsPkcs1Pem Tests + + [Theory] + [InlineData(CertificateTestHelper.KeyType.Rsa2048, "-----BEGIN RSA PRIVATE KEY-----")] + [InlineData(CertificateTestHelper.KeyType.EcP256, "-----BEGIN EC PRIVATE KEY-----")] + public void ExportAsPkcs1Pem_SupportedKeyType_HasCorrectHeader( + CertificateTestHelper.KeyType keyType, string expectedHeader) + { + var keyPair = CertificateTestHelper.GenerateKeyPair(keyType); + + var result = PrivateKeyFormatUtilities.ExportAsPkcs1Pem(keyPair.Private); + + Assert.Contains(expectedHeader, result); + } + + [Fact] + public void ExportAsPkcs1Pem_Ed25519Key_ThrowsNotSupportedException() + { + var keyPair = CertificateTestHelper.GenerateKeyPair(CertificateTestHelper.KeyType.Ed25519); + + Assert.Throws(() => + PrivateKeyFormatUtilities.ExportAsPkcs1Pem(keyPair.Private)); + } + + [Fact] + public void ExportAsPkcs1Pem_Ed448Key_ThrowsNotSupportedException() + { + var keyPair = CertificateTestHelper.GenerateKeyPair(CertificateTestHelper.KeyType.Ed448); + + Assert.Throws(() => + PrivateKeyFormatUtilities.ExportAsPkcs1Pem(keyPair.Private)); + } + + [Fact] + public void ExportAsPkcs1Pem_NullKey_ThrowsArgumentNullException() + { + Assert.Throws(() => + PrivateKeyFormatUtilities.ExportAsPkcs1Pem(null)); + } + + #endregion + + #region ExportAsPkcs8Pem Tests + + [Theory] + [InlineData(CertificateTestHelper.KeyType.Rsa2048)] + [InlineData(CertificateTestHelper.KeyType.EcP256)] + [InlineData(CertificateTestHelper.KeyType.Dsa2048)] + [InlineData(CertificateTestHelper.KeyType.Ed25519)] + [InlineData(CertificateTestHelper.KeyType.Ed448)] + public void ExportAsPkcs8Pem_AnyKeyType_HasCorrectHeader(CertificateTestHelper.KeyType keyType) + { + var keyPair = CertificateTestHelper.GenerateKeyPair(keyType); + + var result = PrivateKeyFormatUtilities.ExportAsPkcs8Pem(keyPair.Private); + + Assert.Contains("-----BEGIN PRIVATE KEY-----", result); + Assert.Contains("-----END PRIVATE KEY-----", result); + } + + [Fact] + public void ExportAsPkcs8Pem_NullKey_ThrowsArgumentNullException() + { + Assert.Throws(() => + PrivateKeyFormatUtilities.ExportAsPkcs8Pem(null)); + } + + #endregion + + #region ExportPrivateKeyAsPem Tests + + [Theory] + [InlineData(CertificateTestHelper.KeyType.Rsa2048, PrivateKeyFormat.Pkcs1, "-----BEGIN RSA PRIVATE KEY-----")] + [InlineData(CertificateTestHelper.KeyType.Rsa2048, PrivateKeyFormat.Pkcs8, "-----BEGIN PRIVATE KEY-----")] + [InlineData(CertificateTestHelper.KeyType.EcP256, PrivateKeyFormat.Pkcs1, "-----BEGIN EC PRIVATE KEY-----")] + [InlineData(CertificateTestHelper.KeyType.EcP256, PrivateKeyFormat.Pkcs8, "-----BEGIN PRIVATE KEY-----")] + public void ExportPrivateKeyAsPem_RequestedFormat_ProducesCorrectOutput( + CertificateTestHelper.KeyType keyType, PrivateKeyFormat format, string expectedHeader) + { + var keyPair = CertificateTestHelper.GenerateKeyPair(keyType); + + var result = PrivateKeyFormatUtilities.ExportPrivateKeyAsPem(keyPair.Private, format); + + Assert.Contains(expectedHeader, result); + } + + [Fact] + public void ExportPrivateKeyAsPem_Ed25519WithPkcs1_FallsBackToPkcs8() + { + // Ed25519 doesn't support PKCS1, so it should fall back to PKCS8 + var keyPair = CertificateTestHelper.GenerateKeyPair(CertificateTestHelper.KeyType.Ed25519); + + var result = PrivateKeyFormatUtilities.ExportPrivateKeyAsPem(keyPair.Private, PrivateKeyFormat.Pkcs1); + + // Should NOT contain RSA/EC header since Ed25519 doesn't support PKCS1 + Assert.DoesNotContain("-----BEGIN RSA PRIVATE KEY-----", result); + Assert.DoesNotContain("-----BEGIN EC PRIVATE KEY-----", result); + // Should contain PKCS8 header + Assert.Contains("-----BEGIN PRIVATE KEY-----", result); + } + + [Fact] + public void ExportPrivateKeyAsPem_Ed448WithPkcs1_FallsBackToPkcs8() + { + // Ed448 doesn't support PKCS1, so it should fall back to PKCS8 + var keyPair = CertificateTestHelper.GenerateKeyPair(CertificateTestHelper.KeyType.Ed448); + + var result = PrivateKeyFormatUtilities.ExportPrivateKeyAsPem(keyPair.Private, PrivateKeyFormat.Pkcs1); + + // Should NOT contain RSA/EC header since Ed448 doesn't support PKCS1 + Assert.DoesNotContain("-----BEGIN RSA PRIVATE KEY-----", result); + Assert.DoesNotContain("-----BEGIN EC PRIVATE KEY-----", result); + // Should contain PKCS8 header + Assert.Contains("-----BEGIN PRIVATE KEY-----", result); + } + + [Fact] + public void ExportPrivateKeyAsPem_NullKey_ThrowsArgumentNullException() + { + Assert.Throws(() => + PrivateKeyFormatUtilities.ExportPrivateKeyAsPem(null, PrivateKeyFormat.Pkcs8)); + } + + #endregion + + #region ParseFormat Tests + + [Theory] + [InlineData("PKCS1", PrivateKeyFormat.Pkcs1)] + [InlineData("pkcs1", PrivateKeyFormat.Pkcs1)] + [InlineData("Pkcs1", PrivateKeyFormat.Pkcs1)] + [InlineData("PKCS8", PrivateKeyFormat.Pkcs8)] + [InlineData("pkcs8", PrivateKeyFormat.Pkcs8)] + [InlineData("Pkcs8", PrivateKeyFormat.Pkcs8)] + public void ParseFormat_ValidInput_ReturnsCorrectFormat(string input, PrivateKeyFormat expected) + { + var result = PrivateKeyFormatUtilities.ParseFormat(input); + + Assert.Equal(expected, result); + } + + [Theory] + [InlineData("")] + [InlineData(" ")] + [InlineData("invalid")] + [InlineData("RSA")] + public void ParseFormat_InvalidOrEmpty_ReturnsPkcs8Default(string input) + { + var result = PrivateKeyFormatUtilities.ParseFormat(input); + + Assert.Equal(PrivateKeyFormat.Pkcs8, result); + } + + [Fact] + public void ParseFormat_Null_ReturnsPkcs8Default() + { + var result = PrivateKeyFormatUtilities.ParseFormat(null); + + Assert.Equal(PrivateKeyFormat.Pkcs8, result); + } + + #endregion + + #region Algorithm Switch Tests (RSA->Ed25519 scenario) + + [Fact] + public void AlgorithmSwitch_RsaThenEd25519_FormatChangesToPkcs8() + { + // Scenario: Existing secret has RSA key in PKCS1 format + // New certificate has Ed25519 key + // Result: Format should change to PKCS8 because Ed25519 doesn't support PKCS1 + + // 1. Simulate existing RSA key in PKCS1 format + var rsaKeyPair = CertificateTestHelper.GenerateKeyPair(CertificateTestHelper.KeyType.Rsa2048); + var existingKeyPem = PrivateKeyFormatUtilities.ExportAsPkcs1Pem(rsaKeyPair.Private); + var detectedFormat = PrivateKeyFormatUtilities.DetectFormat(existingKeyPem); + Assert.Equal(PrivateKeyFormat.Pkcs1, detectedFormat); + + // 2. New Ed25519 key + var ed25519KeyPair = CertificateTestHelper.GenerateKeyPair(CertificateTestHelper.KeyType.Ed25519); + + // 3. Try to export in the detected format (PKCS1) + var newKeyPem = PrivateKeyFormatUtilities.ExportPrivateKeyAsPem(ed25519KeyPair.Private, detectedFormat); + + // 4. Verify it fell back to PKCS8 + var newFormat = PrivateKeyFormatUtilities.DetectFormat(newKeyPem); + Assert.Equal(PrivateKeyFormat.Pkcs8, newFormat); + Assert.Contains("-----BEGIN PRIVATE KEY-----", newKeyPem); + } + + [Fact] + public void AlgorithmSwitch_EcThenRsa_FormatPreserved() + { + // Scenario: Existing secret has EC key in PKCS1 format + // New certificate has RSA key (also supports PKCS1) + // Result: Format should be preserved as PKCS1 + + // 1. Simulate existing EC key in PKCS1 format + var ecKeyPair = CertificateTestHelper.GenerateKeyPair(CertificateTestHelper.KeyType.EcP256); + var existingKeyPem = PrivateKeyFormatUtilities.ExportAsPkcs1Pem(ecKeyPair.Private); + var detectedFormat = PrivateKeyFormatUtilities.DetectFormat(existingKeyPem); + Assert.Equal(PrivateKeyFormat.Pkcs1, detectedFormat); + + // 2. New RSA key + var rsaKeyPair = CertificateTestHelper.GenerateKeyPair(CertificateTestHelper.KeyType.Rsa2048); + + // 3. Export in the detected format (PKCS1) + var newKeyPem = PrivateKeyFormatUtilities.ExportPrivateKeyAsPem(rsaKeyPair.Private, detectedFormat); + + // 4. Verify format was preserved as PKCS1 + var newFormat = PrivateKeyFormatUtilities.DetectFormat(newKeyPem); + Assert.Equal(PrivateKeyFormat.Pkcs1, newFormat); + Assert.Contains("-----BEGIN RSA PRIVATE KEY-----", newKeyPem); + } + + [Fact] + public void AlgorithmSwitch_RsaPkcs8ThenEc_FormatPreserved() + { + // Scenario: Existing secret has RSA key in PKCS8 format + // New certificate has EC key + // Result: Format should be preserved as PKCS8 + + // 1. Simulate existing RSA key in PKCS8 format + var rsaKeyPair = CertificateTestHelper.GenerateKeyPair(CertificateTestHelper.KeyType.Rsa2048); + var existingKeyPem = PrivateKeyFormatUtilities.ExportAsPkcs8Pem(rsaKeyPair.Private); + var detectedFormat = PrivateKeyFormatUtilities.DetectFormat(existingKeyPem); + Assert.Equal(PrivateKeyFormat.Pkcs8, detectedFormat); + + // 2. New EC key + var ecKeyPair = CertificateTestHelper.GenerateKeyPair(CertificateTestHelper.KeyType.EcP256); + + // 3. Export in the detected format (PKCS8) + var newKeyPem = PrivateKeyFormatUtilities.ExportPrivateKeyAsPem(ecKeyPair.Private, detectedFormat); + + // 4. Verify format was preserved as PKCS8 + var newFormat = PrivateKeyFormatUtilities.DetectFormat(newKeyPem); + Assert.Equal(PrivateKeyFormat.Pkcs8, newFormat); + Assert.Contains("-----BEGIN PRIVATE KEY-----", newKeyPem); + } + + #endregion + + #region Round-Trip Tests + + [Theory] + [InlineData(CertificateTestHelper.KeyType.Rsa2048, PrivateKeyFormat.Pkcs1)] + [InlineData(CertificateTestHelper.KeyType.Rsa2048, PrivateKeyFormat.Pkcs8)] + [InlineData(CertificateTestHelper.KeyType.EcP256, PrivateKeyFormat.Pkcs1)] + [InlineData(CertificateTestHelper.KeyType.EcP256, PrivateKeyFormat.Pkcs8)] + [InlineData(CertificateTestHelper.KeyType.Ed25519, PrivateKeyFormat.Pkcs8)] + [InlineData(CertificateTestHelper.KeyType.Ed448, PrivateKeyFormat.Pkcs8)] + public void RoundTrip_ExportAndDetect_FormatMatches(CertificateTestHelper.KeyType keyType, PrivateKeyFormat format) + { + var keyPair = CertificateTestHelper.GenerateKeyPair(keyType); + + // Skip if the combination is invalid (Ed25519/Ed448 with PKCS1) + if (!PrivateKeyFormatUtilities.SupportsPkcs1(keyPair.Private) && format == PrivateKeyFormat.Pkcs1) + { + // This would fall back to PKCS8, so we skip + return; + } + + var pem = PrivateKeyFormatUtilities.ExportPrivateKeyAsPem(keyPair.Private, format); + var detected = PrivateKeyFormatUtilities.DetectFormat(pem); + + Assert.Equal(format, detected); + } + + #endregion +} diff --git a/kubernetes-orchestrator-extension.Tests/xunit.runner.json b/kubernetes-orchestrator-extension.Tests/xunit.runner.json new file mode 100644 index 00000000..227cb153 --- /dev/null +++ b/kubernetes-orchestrator-extension.Tests/xunit.runner.json @@ -0,0 +1,5 @@ +{ + "$schema": "https://xunit.net/schema/current/xunit.runner.schema.json", + "parallelizeTestCollections": true, + "maxParallelThreads": 7 +} diff --git a/kubernetes-orchestrator-extension/Clients/KubeClient.cs b/kubernetes-orchestrator-extension/Clients/KubeClient.cs index 0385a0c0..b3fc1177 100644 --- a/kubernetes-orchestrator-extension/Clients/KubeClient.cs +++ b/kubernetes-orchestrator-extension/Clients/KubeClient.cs @@ -21,7 +21,9 @@ using k8s.Exceptions; using k8s.KubeConfigModels; using k8s.Models; +using Keyfactor.Extensions.Orchestrator.K8S.Enums; using Keyfactor.Extensions.Orchestrator.K8S.Jobs; +using Keyfactor.Extensions.Orchestrator.K8S.Utilities; using Keyfactor.Logging; using Keyfactor.Orchestrators.Extensions; using Microsoft.Extensions.Logging; @@ -36,56 +38,136 @@ namespace Keyfactor.Extensions.Orchestrator.K8S.Clients; +/// +/// Provides Kubernetes API client operations for certificate management. +/// Handles authentication, secret CRUD operations, certificate signing requests, +/// and discovery of certificate stores across namespaces and clusters. +/// public class KubeCertificateManagerClient { private readonly ILogger _logger; + /// + /// Initializes a new instance of the class. + /// + /// JSON-formatted kubeconfig containing cluster, user, and context information. + /// When true, validates TLS certificates; when false, skips TLS verification. public KubeCertificateManagerClient(string kubeconfig, bool useSSL = true) { _logger = LogHandler.GetClassLogger(MethodBase.GetCurrentMethod()?.DeclaringType); + _logger.MethodEntry(LogLevel.Debug); + _logger.LogTrace("Kubeconfig: {Kubeconfig}", LoggingUtilities.RedactKubeconfig(kubeconfig)); + _logger.LogTrace("UseSSL: {UseSSL}", useSSL); + Client = GetKubeClient(kubeconfig); ConfigJson = kubeconfig; try { ConfigObj = ParseKubeConfig(kubeconfig, !useSSL); // invert useSSL to skip TLS verification + _logger.LogDebug("Successfully parsed kubeconfig for cluster: {ClusterName}", ConfigObj.CurrentContext ?? "unknown"); } - catch (Exception) + catch (Exception ex) { + _logger.LogWarning("Failed to parse kubeconfig, using empty configuration: {Message}", ex.Message); ConfigObj = new K8SConfiguration(); } + _logger.MethodExit(LogLevel.Debug); } + /// + /// Gets or sets the raw JSON kubeconfig string. + /// private string ConfigJson { get; set; } + /// + /// Gets the parsed Kubernetes configuration object. + /// private K8SConfiguration ConfigObj { get; } + /// + /// Gets or sets the Kubernetes API client instance. + /// private IKubernetes Client { get; set; } + /// + /// Gets the name of the Kubernetes cluster from the configuration. + /// Falls back to the host URL if the cluster name cannot be determined. + /// + /// The cluster name or host URL. public string GetClusterName() { - _logger.LogTrace("Entered GetClusterName()"); + _logger.MethodEntry(LogLevel.Debug); try { - _logger.LogTrace("Returning cluster name from ConfigObj"); - return ConfigObj.Clusters.FirstOrDefault()?.Name; + if (ConfigObj == null) + { + _logger.LogWarning("ConfigObj is null, falling back to GetHost()"); + var host = GetHost(); + _logger.MethodExit(LogLevel.Debug); + return host; + } + if (ConfigObj.Clusters == null) + { + _logger.LogWarning("ConfigObj.Clusters is null, falling back to GetHost()"); + var host = GetHost(); + _logger.MethodExit(LogLevel.Debug); + return host; + } + var clusterName = ConfigObj.Clusters.FirstOrDefault()?.Name; + _logger.LogDebug("Returning cluster name: {ClusterName}", clusterName); + _logger.MethodExit(LogLevel.Debug); + return clusterName; } - catch (Exception) + catch (Exception ex) { - _logger.LogWarning("Error getting cluster name from ConfigObj attempting to return client base uri"); - return GetHost(); + _logger.LogWarning(ex, "Error getting cluster name from ConfigObj, attempting to return client base uri"); + var host = GetHost(); + _logger.MethodExit(LogLevel.Debug); + return host; } } + /// + /// Gets the base URL of the Kubernetes API server. + /// + /// The API server base URL as a string. + /// Thrown when the client or its BaseUri is null. public string GetHost() { - _logger.LogTrace("Entered GetHost()"); - return Client.BaseUri.ToString(); + _logger.MethodEntry(LogLevel.Debug); + if (Client == null) + { + _logger.LogError("Client is null in GetHost()"); + throw new InvalidOperationException("Kubernetes client is not initialized. Check kubeconfig configuration."); + } + if (Client.BaseUri == null) + { + _logger.LogError("Client.BaseUri is null in GetHost()"); + throw new InvalidOperationException("Kubernetes client BaseUri is null. Check kubeconfig configuration."); + } + var host = Client.BaseUri.ToString(); + _logger.LogDebug("Returning host: {Host}", host); + _logger.MethodExit(LogLevel.Debug); + return host; } + /// + /// Parses a kubeconfig JSON string into a K8SConfiguration object. + /// Extracts cluster, user, and context information for API authentication. + /// + /// JSON-formatted kubeconfig string. + /// When true, skips TLS certificate verification. + /// Parsed K8SConfiguration object. private K8SConfiguration ParseKubeConfig(string kubeconfig, bool skipTLSVerify = false) { - _logger.LogTrace("Entered ParseKubeConfig()"); - var k8SConfiguration = new K8SConfiguration(); + _logger.MethodEntry(LogLevel.Debug); + _logger.LogTrace("Kubeconfig length: {Length}, skipTLSVerify: {SkipTLS}", kubeconfig?.Length ?? 0, skipTLSVerify); + _logger.LogTrace("Kubeconfig: {Kubeconfig}", LoggingUtilities.RedactKubeconfig(kubeconfig)); + + try + { + var k8SConfiguration = new K8SConfiguration(); + _logger.LogTrace("K8SConfiguration object created"); _logger.LogTrace("Checking if kubeconfig is null or empty"); if (string.IsNullOrEmpty(kubeconfig)) @@ -180,8 +262,10 @@ private K8SConfiguration ParseKubeConfig(string kubeconfig, bool skipTLSVerify = SkipTlsVerify = skipTLSVerify } }; - _logger.LogTrace("Adding cluster '{Name}'({@Endpoint}) to K8SConfiguration", clusterObj.Name, - clusterObj.ClusterEndpoint); + _logger.LogDebug("Cluster metadata - Name: {Name}, Server: {Server}, SkipTlsVerify: {SkipTls}", + clusterObj.Name, clusterObj.ClusterEndpoint?.Server, skipTLSVerify); + _logger.LogTrace("Certificate authority data: {CaDataPresence}", + LoggingUtilities.GetFieldPresence("certificate-authority-data", clusterObj.ClusterEndpoint?.CertificateAuthorityData)); k8SConfiguration.Clusters = new List { clusterObj }; } @@ -192,16 +276,19 @@ private K8SConfiguration ParseKubeConfig(string kubeconfig, bool skipTLSVerify = // parse users foreach (var user in JsonConvert.DeserializeObject(configDict["users"].ToString() ?? string.Empty)) { + var token = user["user"]?["token"]?.ToString(); var userObj = new User { Name = user["name"]?.ToString(), UserCredentials = new UserCredentials { UserName = user["name"]?.ToString(), - Token = user["user"]?["token"]?.ToString() + Token = token } }; - _logger.LogTrace("Adding user {Name} to K8SConfiguration object", userObj.Name); + _logger.LogDebug("User metadata - Name: {Name}, HasToken: {HasToken}", + userObj.Name, !string.IsNullOrEmpty(token)); + _logger.LogTrace("Token: {Token}", LoggingUtilities.RedactToken(token)); k8SConfiguration.Users = new List { userObj }; } @@ -222,19 +309,35 @@ private K8SConfiguration ParseKubeConfig(string kubeconfig, bool skipTLSVerify = User = ctx["context"]?["user"]?.ToString() } }; - _logger.LogTrace("Adding context '{Name}' to K8SConfiguration object", contextObj.Name); + _logger.LogDebug("Context metadata - Name: {Name}, Cluster: {Cluster}, Namespace: {Namespace}, User: {User}", + contextObj.Name, contextObj.ContextDetails?.Cluster, contextObj.ContextDetails?.Namespace, contextObj.ContextDetails?.User); k8SConfiguration.Contexts = new List { contextObj }; } - _logger.LogTrace("Finished parsing contexts"); - _logger.LogDebug("Finished parsing kubeconfig"); + _logger.LogTrace("Finished parsing contexts"); + _logger.LogDebug("Finished parsing kubeconfig"); - return k8SConfiguration; + _logger.MethodExit(LogLevel.Debug); + return k8SConfiguration; + } + catch (Exception ex) + { + _logger.LogError(ex, "CRITICAL ERROR in ParseKubeConfig: {Message}", ex.Message); + _logger.LogError("Exception Type: {Type}", ex.GetType().FullName); + _logger.LogError("Stack Trace: {StackTrace}", ex.StackTrace); + throw; + } } + /// + /// Creates and configures a Kubernetes API client from the provided kubeconfig. + /// Implements retry logic for transient connection failures. + /// + /// JSON-formatted kubeconfig string. + /// Configured IKubernetes client instance. private IKubernetes GetKubeClient(string kubeconfig) { - _logger.LogTrace("Entered GetKubeClient()"); + _logger.MethodEntry(LogLevel.Debug); _logger.LogTrace("Getting executing assembly location"); var strExeFilePath = Assembly.GetExecutingAssembly().Location; _logger.LogTrace("Executing assembly location: {ExeFilePath}", strExeFilePath); @@ -287,15 +390,108 @@ private IKubernetes GetKubeClient(string kubeconfig) } _logger.LogDebug("Creating Kubernetes client"); - IKubernetes client = new Kubernetes(config); - _logger.LogDebug("Finished creating Kubernetes client"); + try + { + IKubernetes client = new Kubernetes(config); + _logger.LogDebug("Finished creating Kubernetes client"); - _logger.LogTrace("Setting Client property"); - Client = client; - _logger.LogTrace("Exiting GetKubeClient()"); - return client; + _logger.LogTrace("Setting Client property"); + Client = client; + _logger.MethodExit(LogLevel.Debug); + return client; + } + catch (Exception ex) + { + _logger.LogError(ex, "Failed to create Kubernetes client: {Message}", ex.Message); + _logger.LogError("Config Host: {Host}", config?.Host ?? "null"); + throw new InvalidOperationException($"Failed to create Kubernetes client. Check kubeconfig configuration. Error: {ex.Message}", ex); + } + } + + /// + /// Finds an alias in a PKCS12 store by matching the certificate's Common Name. + /// + /// The PKCS12 store to search. + /// The Common Name to match (case-insensitive, partial match). + /// The matching alias, or null if not found. + private string FindAliasByCN(Pkcs12Store store, string cn) + { + _logger.MethodEntry(LogLevel.Debug); + _logger.LogTrace("Searching for CN: {CN}", cn); + if (store == null || string.IsNullOrEmpty(cn)) + { + _logger.LogDebug("Store or CN is null/empty, returning null"); + _logger.MethodExit(LogLevel.Debug); + return null; + } + + foreach (var alias in store.Aliases) + { + if (!store.IsKeyEntry(alias)) + continue; + + var certEntry = store.GetCertificate(alias); + if (certEntry?.Certificate == null) + continue; + + var subjectCN = Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities.GetSubjectCN(certEntry.Certificate); + if (!string.IsNullOrEmpty(subjectCN) && subjectCN.Contains(cn, StringComparison.OrdinalIgnoreCase)) + return alias; + } + + return null; } + /// + /// Find an alias in a PKCS12 store by thumbprint + /// + private string FindAliasByThumbprint(Pkcs12Store store, string thumbprint) + { + if (store == null || string.IsNullOrEmpty(thumbprint)) + return null; + + foreach (var alias in store.Aliases) + { + var certEntry = store.GetCertificate(alias); + if (certEntry?.Certificate == null) + continue; + + var certThumbprint = Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities.GetThumbprint(certEntry.Certificate); + if (certThumbprint.Equals(thumbprint, StringComparison.OrdinalIgnoreCase)) + return alias; + } + + return null; + } + + /// + /// Find an alias in a PKCS12 store by alias name (partial match on subject DN) + /// + private string FindAliasByName(Pkcs12Store store, string aliasSearch) + { + if (store == null || string.IsNullOrEmpty(aliasSearch)) + return null; + + // First try exact match + if (store.ContainsAlias(aliasSearch)) + return aliasSearch; + + // Then try partial match on subject DN + foreach (var alias in store.Aliases) + { + var certEntry = store.GetCertificate(alias); + if (certEntry?.Certificate == null) + continue; + + var subjectDN = certEntry.Certificate.SubjectDN.ToString(); + if (!string.IsNullOrEmpty(subjectDN) && subjectDN.Contains(aliasSearch, StringComparison.OrdinalIgnoreCase)) + return alias; + } + + return null; + } + + [Obsolete("Use FindAliasByCN with Pkcs12Store instead")] public X509Certificate2 FindCertificateByCN(X509Certificate2Collection certificates, string cn) { var foundCertificate = certificates @@ -305,6 +501,7 @@ public X509Certificate2 FindCertificateByCN(X509Certificate2Collection certifica return foundCertificate; } + [Obsolete("Use FindAliasByThumbprint with Pkcs12Store instead")] public X509Certificate2 FindCertificateByThumbprint(X509Certificate2Collection certificates, string thumbprint) { var foundCertificate = certificates @@ -314,6 +511,7 @@ public X509Certificate2 FindCertificateByThumbprint(X509Certificate2Collection c return foundCertificate; } + [Obsolete("Use FindAliasByName with Pkcs12Store instead")] public X509Certificate2 FindCertificateByAlias(X509Certificate2Collection certificates, string alias) { var foundCertificate = certificates @@ -323,6 +521,24 @@ public X509Certificate2 FindCertificateByAlias(X509Certificate2Collection certif return foundCertificate; } + /// + /// Removes a certificate from a PKCS12 secret store in Kubernetes. + /// Loads the existing store, removes the matching certificate entry, and updates the secret. + /// + /// The certificate to remove, containing thumbprint or alias for matching. + /// Name of the Kubernetes secret containing the PKCS12 store. + /// Kubernetes namespace where the secret resides. + /// Type of secret (e.g., "pkcs12", "pfx"). + /// Field name within the secret containing the PKCS12 data. + /// Password for the PKCS12 store. + /// Existing secret data object. + /// When true, appends to existing entries. + /// When true, overwrites existing entries. + /// When true, password is stored in a separate Kubernetes secret. + /// Path to the password secret if passwdIsK8SSecret is true. + /// Field name containing the password in the password secret. + /// Array of allowed field names to process. + /// The updated V1Secret object. public V1Secret RemoveFromPKCS12SecretStore(K8SJobCertificate jobCertificate, string secretName, string namespaceName, string secretType, string certDataFieldName, string storePasswd, V1Secret k8SSecretData, @@ -330,15 +546,17 @@ public V1Secret RemoveFromPKCS12SecretStore(K8SJobCertificate jobCertificate, st string passwordFieldName = "password", string[] certdataFieldNames = null) { - _logger.LogTrace("Entered UpdatePKCS12SecretStore()"); + _logger.MethodEntry(LogLevel.Debug); + _logger.LogTrace("Parameters - SecretName: {SecretName}, Namespace: {Namespace}, SecretType: {SecretType}", + secretName, namespaceName, secretType); + _logger.LogTrace("Password: {Password}", LoggingUtilities.RedactPassword(storePasswd)); _logger.LogTrace("Calling GetSecret()"); var existingPkcs12DataObj = Client.CoreV1.ReadNamespacedSecret(secretName, namespaceName); - // iterate through existingPkcs12DataObj.Data and add to existingPkcs12 - var existingPkcs12 = new X509Certificate2Collection(); - var newPkcs12Collection = new X509Certificate2Collection(); - var k8sCollection = new X509Certificate2Collection(); + // Load existing PKCS12 store + var storeBuilder = new Pkcs12StoreBuilder(); + Pkcs12Store existingStore = null; var storePasswordBytes = Encoding.UTF8.GetBytes(""); if (existingPkcs12DataObj?.Data == null) @@ -363,69 +581,103 @@ public V1Secret RemoveFromPKCS12SecretStore(K8SJobCertificate jobCertificate, st if (certdataFieldNames != null && !certdataFieldNames.Contains(searchFieldName)) continue; - _logger.LogTrace($"Adding cert '{fieldName}' to existingPkcs12"); + _logger.LogTrace($"Loading PKCS12 store from field '{fieldName}'"); if (jobCertificate.PasswordIsK8SSecret) { if (!string.IsNullOrEmpty(jobCertificate.StorePasswordPath)) { + _logger.LogDebug("Password is stored in K8S secret at path: {Path}", jobCertificate.StorePasswordPath); var passwordPath = jobCertificate.StorePasswordPath.Split("/"); var passwordNamespace = passwordPath[0]; var passwordSecretName = passwordPath[1]; - // Get password from k8s secre + _logger.LogDebug("Buddy secret metadata - Name: {Name}, Namespace: {Namespace}, Field: {Field}", + passwordSecretName, passwordNamespace, passwordFieldName); + + // Get password from k8s secret var k8sPasswordObj = ReadBuddyPass(passwordSecretName, passwordNamespace); + _logger.LogTrace("Buddy secret: {Summary}", LoggingUtilities.GetSecretSummary(k8sPasswordObj)); + storePasswordBytes = k8sPasswordObj.Data[passwordFieldName]; - var storePasswdString = Encoding.UTF8.GetString(storePasswordBytes); - existingPkcs12.Import(existingPkcs12DataObj.Data[fieldName], storePasswdString, - X509KeyStorageFlags.Exportable); + var storePasswdString = Encoding.UTF8.GetString(storePasswordBytes).TrimEnd('\r', '\n'); + _logger.LogTrace("Password from buddy secret: {Password}", LoggingUtilities.RedactPassword(storePasswdString)); + _logger.LogTrace("Password correlation: {CorrelationId}", LoggingUtilities.GetPasswordCorrelationId(storePasswdString)); + + existingStore = storeBuilder.Build(); + using var ms = new MemoryStream(existingPkcs12DataObj.Data[fieldName]); + existingStore.Load(ms, storePasswdString.ToCharArray()); } else { + _logger.LogDebug("Password is stored in same secret, field: {Field}", passwordFieldName); storePasswordBytes = existingPkcs12DataObj.Data[passwordFieldName]; - existingPkcs12.Import(existingPkcs12DataObj.Data[fieldName], - Encoding.UTF8.GetString(storePasswordBytes), X509KeyStorageFlags.Exportable); + var storePasswdString = Encoding.UTF8.GetString(storePasswordBytes).TrimEnd('\r', '\n'); + _logger.LogTrace("Password from secret field: {Password}", LoggingUtilities.RedactPassword(storePasswdString)); + _logger.LogTrace("Password correlation: {CorrelationId}", LoggingUtilities.GetPasswordCorrelationId(storePasswdString)); + + existingStore = storeBuilder.Build(); + using var ms = new MemoryStream(existingPkcs12DataObj.Data[fieldName]); + existingStore.Load(ms, storePasswdString.ToCharArray()); } } else if (!string.IsNullOrEmpty(jobCertificate.StorePassword)) { + _logger.LogDebug("Using password from job configuration"); storePasswordBytes = Encoding.UTF8.GetBytes(jobCertificate.StorePassword); - existingPkcs12.Import(existingPkcs12DataObj.Data[fieldName], - Encoding.UTF8.GetString(storePasswordBytes), X509KeyStorageFlags.Exportable); + var storePasswdString = Encoding.UTF8.GetString(storePasswordBytes); + _logger.LogTrace("Password: {Password}", LoggingUtilities.RedactPassword(storePasswdString)); + _logger.LogTrace("Password correlation: {CorrelationId}", LoggingUtilities.GetPasswordCorrelationId(storePasswdString)); + + existingStore = storeBuilder.Build(); + using var ms = new MemoryStream(existingPkcs12DataObj.Data[fieldName]); + existingStore.Load(ms, storePasswdString.ToCharArray()); } else { + _logger.LogDebug("Using default store password"); storePasswordBytes = Encoding.UTF8.GetBytes(storePasswd); - existingPkcs12.Import(existingPkcs12DataObj.Data[fieldName], - Encoding.UTF8.GetString(storePasswordBytes), X509KeyStorageFlags.Exportable); + var storePasswdString = Encoding.UTF8.GetString(storePasswordBytes); + _logger.LogTrace("Password: {Password}", LoggingUtilities.RedactPassword(storePasswdString)); + _logger.LogTrace("Password correlation: {CorrelationId}", LoggingUtilities.GetPasswordCorrelationId(storePasswdString)); + + existingStore = storeBuilder.Build(); + using var ms = new MemoryStream(existingPkcs12DataObj.Data[fieldName]); + existingStore.Load(ms, storePasswdString.ToCharArray()); } } - if (existingPkcs12.Count > 0) + if (existingStore != null && existingStore.Count > 0) { - // Check if overwrite is true, if so, replace existing cert with new cert + // Check if overwrite is true, if so, remove the certificate if (overwrite) { - _logger.LogTrace("Overwrite is true, replacing existing cert with new cert"); + _logger.LogTrace("Overwrite is true, removing existing cert"); - var foundCertificate = FindCertificateByAlias(existingPkcs12, jobCertificate.Alias); - if (foundCertificate != null) + var foundAlias = FindAliasByName(existingStore, jobCertificate.Alias); + if (foundAlias != null) { // Certificate found - // replace the found certificate with the new certificate - _logger.LogTrace("Certificate found, replacing the found certificate with the new certificate"); - existingPkcs12.Remove(foundCertificate); + // remove the found certificate + _logger.LogTrace($"Certificate found with alias '{foundAlias}', removing it"); + existingStore.DeleteEntry(foundAlias); } } - - _logger.LogTrace("Importing jobCertificate.CertBytes into existingPkcs12"); - // existingPkcs12.Import(jobCertificate.CertBytes, storePasswd, X509KeyStorageFlags.Exportable); - k8sCollection = existingPkcs12; } } _logger.LogTrace("Creating V1Secret object"); - var p12bytes = k8sCollection.Export(X509ContentType.Pkcs12, Encoding.UTF8.GetString(storePasswordBytes)); + byte[] p12bytes; + if (existingStore != null) + { + using var outStream = new MemoryStream(); + existingStore.Save(outStream, Encoding.UTF8.GetString(storePasswordBytes).ToCharArray(), new SecureRandom()); + p12bytes = outStream.ToArray(); + } + else + { + p12bytes = Array.Empty(); + } var secret = new V1Secret { @@ -520,10 +772,29 @@ when string.IsNullOrEmpty(passwordSecretPath) && passwdIsK8SSecret _logger.LogTrace("Finished creating V1Secret object"); - _logger.LogTrace("Exiting UpdatePKCS12SecretStore()"); + _logger.MethodExit(LogLevel.Debug); return updatedSecret; } + /// + /// Updates a PKCS12 secret store in Kubernetes by adding or modifying certificate entries. + /// Supports password storage in a separate "buddy" secret for security. + /// + /// The certificate to add/update in the store. + /// Name of the Kubernetes secret containing the PKCS12 store. + /// Kubernetes namespace where the secret resides. + /// Type of secret (e.g., "pkcs12", "pfx"). + /// Field name within the secret containing the PKCS12 data. + /// Password for the PKCS12 store. + /// Existing secret data object. + /// When true, appends to existing entries. + /// When true, overwrites existing entries with same alias. + /// When true, password is stored in a separate Kubernetes secret. + /// Path to the password secret if passwdIsK8sSecret is true. + /// Field name containing the password in the password secret. + /// Array of allowed field names to process. + /// When true, removes the certificate instead of adding. + /// The updated V1Secret object. public V1Secret UpdatePKCS12SecretStore(K8SJobCertificate jobCertificate, string secretName, string namespaceName, string secretType, string certdataFieldName, string storePasswd, V1Secret k8SSecretData, @@ -531,17 +802,18 @@ public V1Secret UpdatePKCS12SecretStore(K8SJobCertificate jobCertificate, string string passwordFieldName = "password", string[] certdataFieldNames = null, bool remove = false) { - _logger.LogTrace("Entered UpdatePKCS12SecretStore()"); + _logger.MethodEntry(LogLevel.Debug); + _logger.LogTrace("Parameters - SecretName: {SecretName}, Namespace: {Namespace}, Overwrite: {Overwrite}, Append: {Append}", + secretName, namespaceName, overwrite, append); _logger.LogTrace("Calling GetSecret()"); var existingPkcs12DataObj = Client.CoreV1.ReadNamespacedSecret(secretName, namespaceName); // var existingPkcs12Bytes = existingPkcs12DataObj.Data[certdataFieldName]; // var existingPkcs12 = new X509Certificate2Collection(); // existingPkcs12.Import(existingPkcs12Bytes, storePasswd, X509KeyStorageFlags.Exportable); - // iterate through existingPkcs12DataObj.Data and add to existingPkcs12 - var existingPkcs12 = new X509Certificate2Collection(); - var newPkcs12Collection = new X509Certificate2Collection(); - var k8sCollection = new X509Certificate2Collection(); + // Load existing PKCS12 store + var storeBuilder = new Pkcs12StoreBuilder(); + Pkcs12Store existingStore = null; var storePasswordBytes = Encoding.UTF8.GetBytes(""); if (existingPkcs12DataObj?.Data == null) @@ -638,10 +910,11 @@ public V1Secret UpdatePKCS12SecretStore(K8SJobCertificate jobCertificate, string } var storePasswdString = Encoding.UTF8.GetString(storePasswordBytes); - // _logger.LogTrace("Importing existing PKCS12 data with store password: {StorePassword}", - // storePasswdString); //TODO: INSECURE COMMENT OUT - existingPkcs12.Import(existingPkcs12DataObj.Data[fieldName], storePasswdString, - X509KeyStorageFlags.Exportable); + // _logger.LogTrace("Loading existing PKCS12 store with password"); + + existingStore = storeBuilder.Build(); + using var ms = new MemoryStream(existingPkcs12DataObj.Data[fieldName]); + existingStore.Load(ms, storePasswdString.ToCharArray()); } else { @@ -657,10 +930,10 @@ public V1Secret UpdatePKCS12SecretStore(K8SJobCertificate jobCertificate, string ); } - // _logger.LogTrace("Importing existing PKCS12 data with store password: {StorePassword}", - // Encoding.UTF8.GetString(storePasswordBytes)); //TODO: INSECURE COMMENT OUT - existingPkcs12.Import(existingPkcs12DataObj.Data[fieldName], - Encoding.UTF8.GetString(storePasswordBytes), X509KeyStorageFlags.Exportable); + // _logger.LogTrace("Loading existing PKCS12 store with password"); + existingStore = storeBuilder.Build(); + using var ms = new MemoryStream(existingPkcs12DataObj.Data[fieldName]); + existingStore.Load(ms, Encoding.UTF8.GetString(storePasswordBytes).ToCharArray()); } } else if (!string.IsNullOrEmpty(jobCertificate.StorePassword)) @@ -668,89 +941,107 @@ public V1Secret UpdatePKCS12SecretStore(K8SJobCertificate jobCertificate, string _logger.LogDebug( "Job certificate store password is not empty, using job certificate store password"); storePasswordBytes = Encoding.UTF8.GetBytes(jobCertificate.StorePassword); - // _logger.LogTrace("Importing existing PKCS12 data with store password: {StorePassword}", - // Encoding.UTF8.GetString(storePasswordBytes)); //TODO: INSECURE COMMENT OUT - existingPkcs12.Import(existingPkcs12DataObj.Data[fieldName], - Encoding.UTF8.GetString(storePasswordBytes), X509KeyStorageFlags.Exportable); + // _logger.LogTrace("Loading existing PKCS12 store with password"); + + existingStore = storeBuilder.Build(); + using var ms = new MemoryStream(existingPkcs12DataObj.Data[fieldName]); + existingStore.Load(ms, Encoding.UTF8.GetString(storePasswordBytes).ToCharArray()); } else { _logger.LogDebug("Job certificate store password is empty, using provided store password"); storePasswordBytes = Encoding.UTF8.GetBytes(storePasswd); - // _logger.LogTrace("Importing existing PKCS12 data with store password: {StorePassword}", - // Encoding.UTF8.GetString(storePasswordBytes)); //TODO: INSECURE COMMENT OUT - existingPkcs12.Import(existingPkcs12DataObj.Data[fieldName], - Encoding.UTF8.GetString(storePasswordBytes), X509KeyStorageFlags.Exportable); + // _logger.LogTrace("Loading existing PKCS12 store with password"); + + existingStore = storeBuilder.Build(); + using var ms = new MemoryStream(existingPkcs12DataObj.Data[fieldName]); + existingStore.Load(ms, Encoding.UTF8.GetString(storePasswordBytes).ToCharArray()); } } - if (existingPkcs12.Count > 0) + if (existingStore != null && existingStore.Count > 0) { - // create x509Certificate2 from jobCertificate.CertBytes + // Process existing store if (remove) { - var foundCertificate = FindCertificateByAlias(existingPkcs12, jobCertificate.Alias); - if (foundCertificate != null) + var foundAlias = FindAliasByName(existingStore, jobCertificate.Alias); + if (foundAlias != null) { - // Certificate found - // replace the found certificate with the new certificate - _logger.LogTrace("Certificate found, replacing the found certificate with the new certificate"); - existingPkcs12.Remove(foundCertificate); + // Certificate found - remove it + _logger.LogTrace($"Certificate found with alias '{foundAlias}', removing it"); + existingStore.DeleteEntry(foundAlias); } } else { - var newCert = new X509Certificate2(jobCertificate.CertBytes, storePasswd, - X509KeyStorageFlags.Exportable); - var newCertCn = newCert.GetNameInfo(X509NameType.SimpleName, false); - //import jobCertificate.CertBytes into existingPkcs12 + // Load new certificate to get its CN + var newCertStore = storeBuilder.Build(); + using var newCertMs = new MemoryStream(jobCertificate.Pkcs12 ?? jobCertificate.CertBytes); + newCertStore.Load(newCertMs, storePasswd.ToCharArray()); - // Check if overwrite is true, if so, replace existing cert with new cert - if (overwrite) + var newCertAlias = newCertStore.Aliases.FirstOrDefault(newCertStore.IsKeyEntry); + if (newCertAlias != null) { - _logger.LogTrace("Overwrite is true, replacing existing cert with new cert"); + var newCertEntry = newCertStore.GetCertificate(newCertAlias); + var newCertCn = Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities.GetSubjectCN(newCertEntry.Certificate); - var foundCertificate = FindCertificateByCN(existingPkcs12, newCertCn); - if (foundCertificate != null) + // Check if overwrite is true, if so, replace existing cert with new cert + if (overwrite) { - // Certificate found - // replace the found certificate with the new certificate - _logger.LogTrace( - "Certificate found, replacing the found certificate with the new certificate"); - existingPkcs12.Remove(foundCertificate); - existingPkcs12.Add(newCert); + _logger.LogTrace("Overwrite is true, replacing existing cert with new cert"); + + var foundAlias = FindAliasByCN(existingStore, newCertCn); + if (foundAlias != null) + { + // Certificate found - replace it + _logger.LogTrace($"Certificate found with alias '{foundAlias}', replacing it"); + existingStore.DeleteEntry(foundAlias); + } + + // Add new certificate with its alias or jobCertificate.Alias + var targetAlias = string.IsNullOrEmpty(jobCertificate.Alias) ? newCertAlias : jobCertificate.Alias; + var newKey = newCertStore.GetKey(newCertAlias); + var newChain = newCertStore.GetCertificateChain(newCertAlias); + existingStore.SetKeyEntry(targetAlias, newKey, newChain); } else { - // Certificate not found - // add the new certificate to the existingPkcs12 - var storePasswordString = Encoding.UTF8.GetString(storePasswordBytes); - _logger.LogDebug("Certificate not found, adding the new certificate to the existingPkcs12"); - // _logger.LogTrace( - // "Importing jobCertificate.CertBytes into existingPkcs12 with store password: {StorePassword}", - // storePasswd); //TODO: INSECURE COMMENT OUT - existingPkcs12.Import(jobCertificate.Pkcs12, storePasswd, X509KeyStorageFlags.Exportable); + // Check if certificate doesn't exist, then add + var foundAlias = FindAliasByCN(existingStore, newCertCn); + if (foundAlias == null) + { + _logger.LogDebug("Certificate not found, adding the new certificate to the store"); + var targetAlias = string.IsNullOrEmpty(jobCertificate.Alias) ? newCertAlias : jobCertificate.Alias; + var newKey = newCertStore.GetKey(newCertAlias); + var newChain = newCertStore.GetCertificateChain(newCertAlias); + existingStore.SetKeyEntry(targetAlias, newKey, newChain); + } } } } - - _logger.LogTrace("Importing jobCertificate.CertBytes into existingPkcs12"); - k8sCollection = existingPkcs12; } else { - _logger.LogDebug("No existing PKCS12 data found, creating new PKCS12 collection"); - // _logger.LogTrace( - // "Importing jobCertificate.CertBytes into newPkcs12Collection with store password: {StorePassword}", - // storePasswd); //TODO: INSECURE COMMENT OUT - newPkcs12Collection.Import(jobCertificate.CertBytes, storePasswd, X509KeyStorageFlags.Exportable); - k8sCollection = newPkcs12Collection; + // No existing store - create new one from jobCertificate data + _logger.LogDebug("No existing PKCS12 data found, creating new PKCS12 store"); + existingStore = storeBuilder.Build(); + using var newStoreMs = new MemoryStream(jobCertificate.Pkcs12 ?? jobCertificate.CertBytes); + existingStore.Load(newStoreMs, storePasswd.ToCharArray()); } } - // _logger.LogDebug("Exporting PKCS12 data to byte array using store password: {StorePassword}", - // Encoding.UTF8.GetString(storePasswordBytes)); //TODO: INSECURE COMMENT OUT - var p12Bytes = k8sCollection.Export(X509ContentType.Pkcs12, Encoding.UTF8.GetString(storePasswordBytes)); + // Export PKCS12 store to bytes + byte[] p12Bytes; + if (existingStore != null) + { + using var outStream = new MemoryStream(); + existingStore.Save(outStream, Encoding.UTF8.GetString(storePasswordBytes).ToCharArray(), new SecureRandom()); + p12Bytes = outStream.ToArray(); + } + else + { + p12Bytes = Array.Empty(); + } _logger.LogDebug("Creating V1Secret object for PKCS12 data with name {SecretName} in namespace {NamespaceName}", secretName, namespaceName); @@ -860,18 +1151,38 @@ when string.IsNullOrEmpty(passwordSecretPath) && passwdIsK8sSecret _logger.LogTrace("Finished creating V1Secret object"); - _logger.LogTrace("Exiting UpdatePKCS12SecretStore()"); + _logger.MethodExit(LogLevel.Debug); return updatedSecret; } + /// + /// Creates or updates a certificate store secret in Kubernetes. + /// Routes to appropriate handler based on secret type (PKCS12, PFX, JKS). + /// + /// The certificate to store. + /// Name of the Kubernetes secret. + /// Kubernetes namespace. + /// Type of store (pkcs12, pfx, jks). + /// When true, overwrites existing entries. + /// Field name for certificate data. + /// Field name for password. + /// Path to password secret if stored separately. + /// When true, password is in a separate secret. + /// Store password. + /// Allowed field names to process. + /// When true, removes instead of adds. + /// The created or updated V1Secret. public V1Secret CreateOrUpdateCertificateStoreSecret(K8SJobCertificate jobCertificate, string secretName, string namespaceName, string secretType, bool overwrite = false, string certDataFieldName = "pkcs12", string passwordFieldName = "password", string passwordSecretPath = "", bool passwordIsK8SSecret = false, string password = "", string[] allowedKeys = null, bool remove = false) { + _logger.MethodEntry(LogLevel.Debug); + _logger.LogTrace("Parameters - SecretName: {SecretName}, Namespace: {Namespace}, SecretType: {SecretType}, Remove: {Remove}", + secretName, namespaceName, secretType, remove); var storePasswd = string.IsNullOrEmpty(password) ? jobCertificate.Password : password; - _logger.LogTrace("Entered CreateOrUpdateCertificateStoreSecret()"); + _logger.LogTrace("Password: {Password}", LoggingUtilities.RedactPassword(storePasswd)); _logger.LogTrace("Calling CreateNewSecret()"); V1Secret k8SSecretData; switch (secretType) @@ -995,22 +1306,27 @@ public Pkcs12Store CreatePKCS12Collection(byte[] pkcs12bytes, string currentPass var storeBuilder = new Pkcs12StoreBuilder(); var certs = storeBuilder.Build(); - var newCertBytes = pkcs12bytes; - var newEntry = storeBuilder.Build(); - var cert = new X509Certificate2(newCertBytes, currentPassword, X509KeyStorageFlags.Exportable); - var binaryCert = cert.Export(X509ContentType.Pkcs12, currentPassword); - - using (var ms = new MemoryStream(string.IsNullOrEmpty(currentPassword) ? binaryCert : newCertBytes)) + // Load the PKCS12 data directly with BouncyCastle + using (var ms = new MemoryStream(pkcs12bytes)) { newEntry.Load(ms, string.IsNullOrEmpty(currentPassword) ? new char[0] : currentPassword.ToCharArray()); } var checkAliasExists = string.Empty; - var alias = cert.Thumbprint; + string alias = null; + + // Get the first certificate to use its thumbprint as alias foreach (var newEntryAlias in newEntry.Aliases) { + var certEntry = newEntry.GetCertificate(newEntryAlias); + if (certEntry?.Certificate != null && alias == null) + { + // Use thumbprint as alias + alias = Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities.GetThumbprint(certEntry.Certificate); + } + if (!newEntry.IsKeyEntry(newEntryAlias)) continue; @@ -1022,10 +1338,17 @@ public Pkcs12Store CreatePKCS12Collection(byte[] pkcs12bytes, string currentPass if (string.IsNullOrEmpty(checkAliasExists)) { - var bcCert = DotNetUtilities.FromX509Certificate(cert); - var bcEntry = new X509CertificateEntry(bcCert); - if (certs.ContainsAlias(alias)) certs.DeleteEntry(alias); - certs.SetCertificateEntry(alias, bcEntry); + // No private key found, add certificate only + var firstAlias = newEntry.Aliases.FirstOrDefault(); + if (firstAlias != null) + { + var certEntry = newEntry.GetCertificate(firstAlias); + if (certEntry != null) + { + if (certs.ContainsAlias(alias)) certs.DeleteEntry(alias); + certs.SetCertificateEntry(alias, certEntry); + } + } } using (var outStream = new MemoryStream()) @@ -1275,7 +1598,9 @@ private V1Secret CreateNewSecret(string secretName, string namespaceName, string case "pfx": case "pkcs12": secretType = "pkcs12"; - + break; + case "jks": + secretType = "jks"; break; default: _logger.LogError("Unknown secret type: " + secretType); @@ -1287,6 +1612,19 @@ private V1Secret CreateNewSecret(string secretName, string namespaceName, string switch (secretType) { case "secret": + // Opaque secrets can store certificate-only (no private key) + var opaqueData = new Dictionary + { + { "tls.crt", Encoding.UTF8.GetBytes(certPem ?? "") } + }; + if (!string.IsNullOrEmpty(keyPem)) + { + opaqueData["tls.key"] = Encoding.UTF8.GetBytes(keyPem); + } + else + { + _logger.LogDebug("No private key provided for Opaque secret - storing certificate only"); + } k8SSecretData = new V1Secret { Metadata = new V1ObjectMeta @@ -1294,15 +1632,15 @@ private V1Secret CreateNewSecret(string secretName, string namespaceName, string Name = secretName, NamespaceProperty = namespaceName }, - - Data = new Dictionary - { - { "tls.key", Encoding.UTF8.GetBytes(keyPem) }, - { "tls.crt", Encoding.UTF8.GetBytes(certPem) } - } + Data = opaqueData }; break; case "tls_secret": + // TLS secrets require both tls.crt and tls.key per Kubernetes specification + if (string.IsNullOrEmpty(keyPem)) + { + _logger.LogWarning("TLS secrets require a private key. Certificate was provided without private key - creating with empty tls.key field"); + } k8SSecretData = new V1Secret { Metadata = new V1ObjectMeta @@ -1315,11 +1653,42 @@ private V1Secret CreateNewSecret(string secretName, string namespaceName, string Data = new Dictionary { - { "tls.key", Encoding.UTF8.GetBytes(keyPem) }, - { "tls.crt", Encoding.UTF8.GetBytes(certPem) } + { "tls.key", Encoding.UTF8.GetBytes(keyPem ?? "") }, + { "tls.crt", Encoding.UTF8.GetBytes(certPem ?? "") } } }; break; + case "pkcs12": + case "pfx": + // PKCS12/PFX secrets are stored as Opaque secrets with the keystore data + // For "create store if missing", create an empty Opaque secret + _logger.LogDebug("Creating empty Opaque secret for PKCS12/PFX store"); + k8SSecretData = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = secretName, + NamespaceProperty = namespaceName + }, + Type = "Opaque", + Data = new Dictionary() + }; + break; + case "jks": + // JKS secrets are stored as Opaque secrets with the keystore data + // For "create store if missing", create an empty Opaque secret + _logger.LogDebug("Creating empty Opaque secret for JKS store"); + k8SSecretData = new V1Secret + { + Metadata = new V1ObjectMeta + { + Name = secretName, + NamespaceProperty = namespaceName + }, + Type = "Opaque", + Data = new Dictionary() + }; + break; default: throw new NotImplementedException( $"Secret type {secretType} not implemented. Unable to create or update certificate store {secretName} in {namespaceName} on {GetHost()}."); @@ -1344,7 +1713,17 @@ private V1Secret UpdateOpaqueSecret(string secretName, string namespaceName, V1S { _logger.LogTrace("Entered UpdateOpaqueSecret()"); - existingSecret.Data["tls.key"] = newSecret.Data["tls.key"]; + // Update tls.key only if provided in the new secret (certificate-only updates don't have tls.key) + if (newSecret.Data.TryGetValue("tls.key", out var newKeyData)) + { + existingSecret.Data["tls.key"] = newKeyData; + } + else + { + _logger.LogDebug("No private key provided in update - keeping existing tls.key if present"); + } + + // Always update tls.crt existingSecret.Data["tls.crt"] = newSecret.Data["tls.crt"]; //check if existing secret has ca.crt and if new secret has ca.crt @@ -1743,12 +2122,12 @@ public List DiscoverCertificates() continue; } - _logger.LogDebug("Converting UTF8 encoded certificate to X509Certificate2 object."); - var cert = new X509Certificate2(Encoding.UTF8.GetBytes(utfCert)); + _logger.LogDebug("Parsing certificate using BouncyCastle."); + var cert = Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities.ParseCertificateFromPem(utfCert); _logger.LogTrace("cert: " + cert); - _logger.LogDebug("Getting certificate name from X509Certificate2 object."); - var certName = cert.GetNameInfo(X509NameType.SimpleName, false); + _logger.LogDebug("Getting certificate Common Name."); + var certName = Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities.GetSubjectCN(cert); _logger.LogTrace("certName: " + certName); _logger.LogDebug($"Adding certificate {certName} discovered location to list."); @@ -1758,80 +2137,170 @@ public List DiscoverCertificates() _logger.LogDebug("Completed discovering certificates from k8s certificate resources."); _logger.LogTrace("locations.Count: " + locations.Count); _logger.LogTrace("locations: " + locations); - _logger.LogTrace("Exiting DiscoverCertificates()"); + _logger.MethodExit(LogLevel.Debug); return locations; } + /// + /// Gets the status of a Kubernetes Certificate Signing Request. + /// Returns the signed certificate PEM if the CSR has been approved and signed. + /// + /// Name of the CSR resource. + /// Array containing the certificate PEM, or empty if not yet signed. public string[] GetCertificateSigningRequestStatus(string name) { - _logger.LogTrace("Entered GetCertificateSigningRequestStatus()"); - _logger.LogDebug($"Attempting to read {name} certificate signing request from {GetHost()}..."); + _logger.MethodEntry(LogLevel.Debug); + _logger.LogTrace("CSR Name: {Name}", name); + _logger.LogDebug("Attempting to read {Name} certificate signing request from {Host}...", name, GetHost()); var cr = Client.CertificatesV1.ReadCertificateSigningRequest(name); _logger.LogDebug($"Successfully read {name} certificate signing request from {GetHost()}."); _logger.LogTrace("cr: " + cr); _logger.LogTrace("Attempting to parse certificate from certificate resource."); - var utfCert = cr.Status.Certificate != null ? Encoding.UTF8.GetString(cr.Status.Certificate) : ""; + + // Check if CSR has been signed yet + if (cr.Status?.Certificate == null || cr.Status.Certificate.Length == 0) + { + _logger.LogInformation($"CSR {name} has no certificate yet (pending or denied). Returning empty inventory."); + _logger.LogTrace("Exiting GetCertificateSigningRequestStatus() - no certificate"); + return Array.Empty(); + } + + var utfCert = Encoding.UTF8.GetString(cr.Status.Certificate); _logger.LogTrace("utfCert: " + utfCert); - _logger.LogDebug($"Attempting to parse certificate signing request from certificate resource {name}."); - var cert = new X509Certificate2(Encoding.UTF8.GetBytes(utfCert)); + _logger.LogDebug($"Attempting to parse certificate from certificate resource {name}."); + var cert = Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities.ParseCertificateFromPem(utfCert); _logger.LogTrace("cert: " + cert); - _logger.LogTrace("Exiting GetCertificateSigningRequestStatus()"); + _logger.MethodExit(LogLevel.Debug); return new[] { utfCert }; } + /// + /// Lists all Certificate Signing Requests in the cluster and returns their issued certificates. + /// Only returns CSRs that have been approved and have a signed certificate. + /// + /// Dictionary mapping CSR name to certificate PEM string. + public Dictionary ListAllCertificateSigningRequests() + { + _logger.MethodEntry(LogLevel.Debug); + var results = new Dictionary(); + + _logger.LogDebug("Listing all Certificate Signing Requests from cluster {Host}", GetHost()); + var csrList = Client.CertificatesV1.ListCertificateSigningRequest(); + _logger.LogDebug("Found {Count} CSRs in cluster", csrList.Items.Count); + + foreach (var csr in csrList.Items) + { + var csrName = csr.Metadata.Name; + _logger.LogTrace("Processing CSR: {Name}", csrName); + + // Skip CSRs that haven't been signed yet + if (csr.Status?.Certificate == null || csr.Status.Certificate.Length == 0) + { + _logger.LogDebug("CSR {Name} has no certificate (pending or denied), skipping", csrName); + continue; + } + + var utfCert = Encoding.UTF8.GetString(csr.Status.Certificate); + _logger.LogTrace("CSR {Name} has certificate: {CertPreview}...", csrName, + utfCert.Length > 50 ? utfCert.Substring(0, 50) : utfCert); + + results[csrName] = utfCert; + } + + _logger.LogDebug("Returning {Count} issued certificates from CSRs", results.Count); + _logger.MethodExit(LogLevel.Debug); + return results; + } + + /// + /// Reads a DER-encoded certificate from a base64 string. + /// + /// Base64-encoded DER certificate data. + /// Parsed X509Certificate object. public X509Certificate ReadDerCertificate(string derString) { + _logger.MethodEntry(LogLevel.Debug); var derData = Convert.FromBase64String(derString); var certificateParser = new X509CertificateParser(); - return certificateParser.ReadCertificate(derData); + var cert = certificateParser.ReadCertificate(derData); + _logger.LogDebug("Parsed DER certificate: {Summary}", LoggingUtilities.GetCertificateSummary(cert)); + _logger.MethodExit(LogLevel.Debug); + return cert; } + /// + /// Reads a PEM-encoded certificate from a string. + /// + /// PEM-encoded certificate string. + /// Parsed X509Certificate object, or null if not a valid certificate. public X509Certificate ReadPemCertificate(string pemString) { + _logger.MethodEntry(LogLevel.Debug); using var reader = new StringReader(pemString); var pemReader = new PemReader(reader); var pemObject = pemReader.ReadPemObject(); - if (pemObject is not { Type: "CERTIFICATE" }) return null; + if (pemObject is not { Type: "CERTIFICATE" }) + { + _logger.LogDebug("PEM object is not a certificate, returning null"); + _logger.MethodExit(LogLevel.Debug); + return null; + } var certificateBytes = pemObject.Content; var certificateParser = new X509CertificateParser(); - return certificateParser.ReadCertificate(certificateBytes); + var cert = certificateParser.ReadCertificate(certificateBytes); + _logger.LogDebug("Parsed PEM certificate: {Summary}", LoggingUtilities.GetCertificateSummary(cert)); + _logger.MethodExit(LogLevel.Debug); + return cert; } - public string ExtractPrivateKeyAsPem(Pkcs12Store store, string password) + /// + /// Extracts a private key from a PKCS12 store and converts it to PEM format. + /// Supports RSA, EC, Ed25519, and Ed448 private keys. + /// + /// The PKCS12 store containing the private key. + /// Password for the store (currently unused, key is already decrypted). + /// The desired PEM format (PKCS1 or PKCS8). Defaults to PKCS8. + /// PEM-formatted private key string. + /// Thrown when no private key is found or key type is unsupported. + public string ExtractPrivateKeyAsPem(Pkcs12Store store, string password, PrivateKeyFormat format = PrivateKeyFormat.Pkcs8) { - // Get the first private key entry + _logger.MethodEntry(LogLevel.Debug); // Get the first private key entry var alias = store.Aliases.FirstOrDefault(entryAlias => store.IsKeyEntry(entryAlias)); - if (alias == null) throw new Exception("No private key found in the provided PFX/P12 file."); + if (alias == null) + { + _logger.LogError("No private key found in the provided PFX/P12 file"); + throw new Exception("No private key found in the provided PFX/P12 file."); + } + _logger.LogDebug("Found private key with alias: {Alias}", alias); // Get the private key var keyEntry = store.GetKey(alias); var privateKeyParams = keyEntry.Key; - var pemType = privateKeyParams switch - { - RsaPrivateCrtKeyParameters => "RSA PRIVATE KEY", - ECPrivateKeyParameters => "EC PRIVATE KEY", - _ => throw new Exception("Unsupported private key type.") - }; + var keyTypeName = PrivateKeyFormatUtilities.GetAlgorithmName(privateKeyParams); + _logger.LogDebug("Private key type: {KeyType}, requested format: {Format}", keyTypeName, format); - // Convert the private key to PEM format - var sw = new StringWriter(); - var pemWriter = new PemWriter(sw); - var privateKeyInfo = PrivateKeyInfoFactory.CreatePrivateKeyInfo(privateKeyParams); - var privateKeyBytes = privateKeyInfo.ToAsn1Object().GetEncoded(); - var pemObject = new PemObject(pemType, privateKeyBytes); - pemWriter.WriteObject(pemObject); - pemWriter.Writer.Flush(); + // Use PrivateKeyFormatUtilities to export in the requested format + // It will automatically fall back to PKCS8 if PKCS1 is not supported for the key type + var pem = PrivateKeyFormatUtilities.ExportPrivateKeyAsPem(privateKeyParams, format); - return sw.ToString(); + _logger.LogTrace("Private key: {Key}", LoggingUtilities.RedactPrivateKeyPem(pem)); + _logger.MethodExit(LogLevel.Debug); + return pem; } + /// + /// Loads a certificate chain from PEM data containing multiple certificates. + /// + /// PEM string potentially containing multiple certificates. + /// List of parsed X509Certificate objects. public List LoadCertificateChain(string pemData) { + _logger.MethodEntry(LogLevel.Debug); var pemReader = new PemReader(new StringReader(pemData)); var certificates = new List(); @@ -1844,24 +2313,45 @@ public List LoadCertificateChain(string pemData) certificates.Add(certificate); } + _logger.LogDebug("Loaded {Count} certificates from chain", certificates.Count); + _logger.MethodExit(LogLevel.Debug); return certificates; } + /// + /// Converts a BouncyCastle X509Certificate to PEM format. + /// + /// The certificate to convert. + /// PEM-formatted certificate string. public string ConvertToPem(X509Certificate certificate) { + _logger.MethodEntry(LogLevel.Debug); var pemObject = new PemObject("CERTIFICATE", certificate.GetEncoded()); using var stringWriter = new StringWriter(); var pemWriter = new PemWriter(stringWriter); pemWriter.WriteObject(pemObject); pemWriter.Writer.Flush(); + _logger.MethodExit(LogLevel.Debug); return stringWriter.ToString(); } + /// + /// Discovers secrets across namespaces in the Kubernetes cluster. + /// Filters by secret type and allowed keys. + /// + /// Array of allowed secret data field names. + /// Secret type filter (e.g., "Opaque", "kubernetes.io/tls"). + /// Namespace to search, or "default". + /// When true, treats entire namespace as a single store. + /// When true, treats entire cluster as a single store. + /// List of discovered secret locations. public List DiscoverSecrets( string[] allowedKeys, string secType, string ns = "default", bool namespaceIsStore = false, bool clusterIsStore = false) { - _logger.LogTrace("Entered DiscoverSecrets()"); + _logger.MethodEntry(LogLevel.Debug); + _logger.LogTrace("Parameters - AllowedKeys: [{Keys}], SecType: {SecType}, Namespace: {Ns}", + string.Join(", ", allowedKeys ?? Array.Empty()), secType, ns); var locations = new List(); var clusterName = GetClusterName() ?? GetHost(); _logger.LogTrace("ClusterName: {ClusterName}", clusterName); @@ -1890,20 +2380,34 @@ public List DiscoverSecrets( nsObj.Metadata.Name, allowedKeys, secType, locations, clusterName); } - _logger.LogDebug("Discovered locations: {Locations}", locations); - _logger.LogTrace("Exiting DiscoverSecrets()"); + _logger.LogDebug("Discovered {Count} locations", locations.Count); + _logger.MethodExit(LogLevel.Debug); return locations; } + /// + /// Fetches all namespaces from the Kubernetes cluster. + /// + /// Name of the cluster for logging. + /// Enumerable of V1Namespace objects. private IEnumerable FetchNamespaces(string clusterName) { - return RetryPolicy(() => + _logger.MethodEntry(LogLevel.Debug); + var result = RetryPolicy(() => { _logger.LogDebug("Attempting to list Kubernetes namespaces from {ClusterName}", clusterName); return Client.CoreV1.ListNamespace().Items; }); + _logger.MethodExit(LogLevel.Debug); + return result; } + /// + /// Filters namespaces based on the provided list. + /// + /// All available namespaces. + /// List of namespace names to include, or "all" for all namespaces. + /// Filtered enumerable of namespaces. private IEnumerable FilterNamespaces(IEnumerable namespaces, string[] nsList) { foreach (var nsObj in namespaces) @@ -1914,10 +2418,16 @@ private IEnumerable FilterNamespaces(IEnumerable names } else { - _logger.LogDebug("Skipping namespace '{Namespace}' as it does not match filter", nsObj.Metadata.Name); + _logger.LogTrace("Skipping namespace '{Namespace}' as it does not match filter", nsObj.Metadata.Name); } } + /// + /// Adds a namespace-level location to the discovery results. + /// + /// List to add the location to. + /// Name of the cluster. + /// Name of the namespace. private void AddNamespaceLocation(List locations, string clusterName, string namespaceName) { var nsLocation = $"{clusterName}/namespace/{namespaceName}"; @@ -1925,9 +2435,18 @@ private void AddNamespaceLocation(List locations, string clusterName, st _logger.LogDebug("Added namespace-level location: {NamespaceLocation}", nsLocation); } + /// + /// Discovers secrets within a specific namespace. + /// + /// Namespace to search. + /// Allowed secret data field names. + /// Secret type filter. + /// List to add discovered locations to. + /// Name of the cluster. private void DiscoverSecretsInNamespace( string namespaceName, string[] allowedKeys, string secType, List locations, string clusterName) { + _logger.MethodEntry(LogLevel.Debug); _logger.LogDebug("Discovering secrets in namespace: {Namespace}", namespaceName); var secrets = RetryPolicy(() => @@ -2036,6 +2555,7 @@ private void ProcessSecret(V1Secret secret, V1Secret secretData, string[] allowe } } +#nullable enable private string? ParseTlsSecret(V1Secret secretData, string secretName) { try @@ -2051,6 +2571,7 @@ private void ProcessSecret(V1Secret secret, V1Secret secretData, string[] allowe return null; } } +#nullable restore private void ParseOpaqueSecret(V1Secret secretData, string[] allowedKeys) { @@ -2074,11 +2595,24 @@ private void ParseOpaqueSecret(V1Secret secretData, string[] allowedKeys) } } + /// + /// Retrieves a JKS (Java KeyStore) secret from Kubernetes. + /// Filters secret data by allowed key extensions. + /// + /// Name of the Kubernetes secret. + /// Namespace containing the secret. + /// Password for the JKS store. + /// Path to password secret if stored separately. + /// List of allowed file extensions/keys (defaults to jks). + /// JksSecret object containing the secret data. + /// Thrown when the secret exists but has no data. + /// Thrown when the secret does not exist. public JksSecret GetJksSecret(string secretName, string namespaceName, string password = null, string passwordPath = null, List allowedKeys = null) { - _logger.LogTrace("Entered GetJKSSecret()"); - _logger.LogTrace("secretName: " + secretName); + _logger.MethodEntry(LogLevel.Debug); + _logger.LogTrace("SecretName: {SecretName}, Namespace: {Namespace}", secretName, namespaceName); + _logger.LogTrace("Password: {Password}", LoggingUtilities.RedactPassword(password)); // Read k8s secret _logger.LogTrace("Calling CoreV1.ReadNamespacedSecret()"); try @@ -2121,10 +2655,11 @@ public JksSecret GetJksSecret(string secretName, string namespaceName, string pa AllowedKeys = allowedKeys, Inventory = secretData }; - _logger.LogTrace("Exiting GetJKSSecret()"); + _logger.MethodExit(LogLevel.Debug); return output; } + _logger.LogError("K8S secret {SecretName} in namespace {Namespace} has no data", secretName, namespaceName); throw new InvalidK8SSecretException($"K8S secret {namespaceName}/secrets/{secretName} is empty."); } catch (HttpOperationException e) @@ -2147,15 +2682,25 @@ public JksSecret GetJksSecret(string secretName, string namespaceName, string pa namespaceName); throw new StoreNotFoundException($"K8S secret not found {namespaceName}/secrets/{secretName}"); } - - return new JksSecret(); } + /// + /// Retrieves a PKCS12/PFX secret from Kubernetes. + /// Filters secret data by allowed key extensions. + /// + /// Name of the Kubernetes secret. + /// Namespace containing the secret. + /// Password for the PKCS12 store. + /// Path to password secret if stored separately. + /// List of allowed file extensions/keys (defaults to p12, pfx, pkcs12). + /// Pkcs12Secret object containing the secret data. + /// Thrown when the secret does not exist. public Pkcs12Secret GetPkcs12Secret(string secretName, string namespaceName, string password = null, string passwordPath = null, List allowedKeys = null) { - _logger.LogTrace("Entered GetPKCS12Secret()"); - _logger.LogTrace("secretName: " + secretName); + _logger.MethodEntry(LogLevel.Debug); + _logger.LogTrace("SecretName: {SecretName}, Namespace: {Namespace}", secretName, namespaceName); + _logger.LogTrace("Password: {Password}", LoggingUtilities.RedactPassword(password)); // Read k8s secret _logger.LogTrace("Calling CoreV1.ReadNamespacedSecret()"); try @@ -2207,13 +2752,19 @@ public Pkcs12Secret GetPkcs12Secret(string secretName, string namespaceName, str throw new StoreNotFoundException($"K8S secret not found {namespaceName}/secrets/{secretName}"); } - - return new Pkcs12Secret(); } + /// + /// Creates a Kubernetes Certificate Signing Request (CSR). + /// + /// Name of the CSR resource. + /// Namespace for the CSR metadata. + /// PEM-encoded certificate signing request. + /// The created V1CertificateSigningRequest object. public V1CertificateSigningRequest CreateCertificateSigningRequest(string name, string namespaceName, string csr) { - _logger.LogTrace("Entered CreateCertificateSigningRequest()"); + _logger.MethodEntry(LogLevel.Debug); + _logger.LogTrace("CSR Name: {Name}, Namespace: {Namespace}", name, namespaceName); var request = new V1CertificateSigningRequest { ApiVersion = "certificates.k8s.io/v1", @@ -2233,13 +2784,26 @@ public V1CertificateSigningRequest CreateCertificateSigningRequest(string name, }; _logger.LogTrace("request: " + request); _logger.LogTrace("Calling CertificatesV1.CreateCertificateSigningRequest()"); - return Client.CertificatesV1.CreateCertificateSigningRequest(request); + var result = Client.CertificatesV1.CreateCertificateSigningRequest(request); + _logger.MethodExit(LogLevel.Debug); + return result; } + /// + /// Generates a new certificate signing request (CSR) with private key. + /// Creates an RSA key pair and builds a CSR with the specified SANs and IPs. + /// + /// Common Name for the certificate. + /// Subject Alternative Names (DNS names). + /// IP addresses to include in SAN. + /// Key algorithm type (default: RSA). + /// Key size in bits (default: 4096). + /// CsrObject containing CSR, private key, and public key in PEM format. public CsrObject GenerateCertificateRequest(string name, string[] sans, IPAddress[] ips, string keyType = "RSA", int keyBits = 4096) { - _logger.LogTrace("Entered GenerateCertificateRequest()"); + _logger.MethodEntry(LogLevel.Debug); + _logger.LogTrace("Name: {Name}, KeyType: {KeyType}, KeyBits: {KeyBits}", name, keyType, keyBits); var sanBuilder = new SubjectAlternativeNameBuilder(); _logger.LogDebug($"Building IP and SAN lists for CSR {name}"); @@ -2279,37 +2843,68 @@ public CsrObject GenerateCertificateRequest(string name, string[] sans, IPAddres var pubKeyPem = "-----BEGIN PUBLIC KEY-----\r\n" + Convert.ToBase64String(pubkey) + "\r\n-----END PUBLIC KEY-----"; - return new CsrObject + var result = new CsrObject { Csr = csrPem, PrivateKey = keyPem, PublicKey = pubKeyPem }; + _logger.LogTrace("Generated CSR: {CSR}", LoggingUtilities.RedactCertificatePem(csrPem)); + _logger.MethodExit(LogLevel.Debug); + return result; } + /// + /// Gets certificate inventory from Opaque secrets. + /// Currently returns empty list - placeholder for future implementation. + /// + /// Empty list of inventory items. public IEnumerable GetOpaqueSecretCertificateInventory() { + _logger.MethodEntry(LogLevel.Debug); var inventoryItems = new List(); + _logger.MethodExit(LogLevel.Debug); return inventoryItems; } + /// + /// Gets certificate inventory from TLS secrets. + /// Currently returns empty list - placeholder for future implementation. + /// + /// Empty list of inventory items. public IEnumerable GetTlsSecretCertificateInventory() { + _logger.MethodEntry(LogLevel.Debug); var inventoryItems = new List(); + _logger.MethodExit(LogLevel.Debug); return inventoryItems; } + /// + /// Gets certificate inventory from all certificate resources. + /// Currently returns empty list - placeholder for future implementation. + /// + /// Empty list of inventory items. public IEnumerable GetCertificateInventory() { + _logger.MethodEntry(LogLevel.Debug); var inventoryItems = new List(); + _logger.MethodExit(LogLevel.Debug); return inventoryItems; } + /// + /// Creates or updates a JKS secret in Kubernetes. + /// Preserves existing data fields while updating the inventory items. + /// + /// JksSecret containing the data to store. + /// Name of the Kubernetes secret. + /// Namespace for the secret. + /// The created or updated V1Secret. public V1Secret CreateOrUpdateJksSecret(JksSecret k8SData, string kubeSecretName, string kubeNamespace) { - // Create V1Secret object and replace existing secret - _logger.LogDebug("Entered CreateOrUpdateJksSecret()"); + _logger.MethodEntry(LogLevel.Debug); _logger.LogTrace("kubeSecretName: {Name}", kubeSecretName); _logger.LogTrace("kubeNamespace: {Namespace}", kubeNamespace); var s1 = new V1Secret @@ -2351,11 +2946,23 @@ public V1Secret CreateOrUpdateJksSecret(JksSecret k8SData, string kubeSecretName // Replace existing secret _logger.LogDebug("Replacing secret {Name} in namespace {Namespace}", kubeSecretName, kubeNamespace); - return Client.CoreV1.ReplaceNamespacedSecret(s1, kubeSecretName, kubeNamespace); + var result = Client.CoreV1.ReplaceNamespacedSecret(s1, kubeSecretName, kubeNamespace); + _logger.MethodExit(LogLevel.Debug); + return result; } + /// + /// Creates or updates a PKCS12 secret in Kubernetes. + /// Preserves existing data fields while updating the inventory items. + /// + /// Pkcs12Secret containing the data to store. + /// Name of the Kubernetes secret. + /// Namespace for the secret. + /// The created or updated V1Secret. public V1Secret CreateOrUpdatePkcs12Secret(Pkcs12Secret k8SData, string kubeSecretName, string kubeNamespace) { + _logger.MethodEntry(LogLevel.Debug); + _logger.LogTrace("SecretName: {Name}, Namespace: {Namespace}", kubeSecretName, kubeNamespace); // Create V1Secret object and replace existing secret var s1 = new V1Secret { @@ -2385,35 +2992,64 @@ public V1Secret CreateOrUpdatePkcs12Secret(Pkcs12Secret k8SData, string kubeSecr } // Replace existing secret - return Client.CoreV1.ReplaceNamespacedSecret(s1, kubeSecretName, kubeNamespace); + _logger.LogDebug("Replacing secret {Name} in namespace {Namespace}", kubeSecretName, kubeNamespace); + var result = Client.CoreV1.ReplaceNamespacedSecret(s1, kubeSecretName, kubeNamespace); + _logger.MethodExit(LogLevel.Debug); + return result; } + /// + /// Represents a JKS (Java KeyStore) secret in Kubernetes. + /// public struct JksSecret { + /// Path to the secret in format namespace/secrets/name. public string SecretPath; + /// Field name within the secret containing the JKS data. public string SecretFieldName; + /// The underlying Kubernetes V1Secret object. public V1Secret Secret; + /// Password for the JKS store. public string Password; + /// Path to a separate secret containing the password. public string PasswordPath; + /// List of allowed file extensions/keys. public List AllowedKeys; + /// Dictionary of field names to JKS data bytes. public Dictionary Inventory; } + /// + /// Represents a PKCS12/PFX secret in Kubernetes. + /// public struct Pkcs12Secret { + /// Path to the secret in format namespace/secrets/name. public string SecretPath; + /// Field name within the secret containing the PKCS12 data. public string SecretFieldName; + /// The underlying Kubernetes V1Secret object. public V1Secret Secret; + /// Password for the PKCS12 store. public string Password; + /// Path to a separate secret containing the password. public string PasswordPath; + /// List of allowed file extensions/keys. public List AllowedKeys; + /// Dictionary of field names to PKCS12 data bytes. public Dictionary Inventory; } + /// + /// Represents a Certificate Signing Request with associated key pair. + /// public struct CsrObject { + /// PEM-encoded certificate signing request. public string Csr; + /// PEM-encoded private key. public string PrivateKey; + /// PEM-encoded public key. public string PublicKey; } } \ No newline at end of file diff --git a/kubernetes-orchestrator-extension/Enums/PrivateKeyFormat.cs b/kubernetes-orchestrator-extension/Enums/PrivateKeyFormat.cs new file mode 100644 index 00000000..36159c19 --- /dev/null +++ b/kubernetes-orchestrator-extension/Enums/PrivateKeyFormat.cs @@ -0,0 +1,19 @@ +namespace Keyfactor.Extensions.Orchestrator.K8S.Enums; + +/// +/// Specifies the format for private key PEM encoding. +/// +public enum PrivateKeyFormat +{ + /// + /// PKCS#8 format (BEGIN PRIVATE KEY) - Supports all key types including Ed25519/Ed448. + /// This is the default format. + /// + Pkcs8, + + /// + /// PKCS#1/SEC1 format (BEGIN RSA/EC PRIVATE KEY) - Traditional format for RSA/EC keys. + /// Not supported for Ed25519/Ed448 keys. + /// + Pkcs1 +} diff --git a/kubernetes-orchestrator-extension/Jobs/Discovery.cs b/kubernetes-orchestrator-extension/Jobs/Discovery.cs index 3dded076..2e3ef8ae 100644 --- a/kubernetes-orchestrator-extension/Jobs/Discovery.cs +++ b/kubernetes-orchestrator-extension/Jobs/Discovery.cs @@ -14,34 +14,60 @@ using Keyfactor.Orchestrators.Extensions; using Keyfactor.Orchestrators.Extensions.Interfaces; using Microsoft.Extensions.Logging; +using MsLogLevel = Microsoft.Extensions.Logging.LogLevel; namespace Keyfactor.Extensions.Orchestrator.K8S.Jobs; -// The Discovery class implements IAgentJobExtension and is meant to find all certificate stores based on the information passed when creating the job in KF Command +/// +/// Discovery job implementation for Kubernetes certificate stores. +/// Finds all certificate stores (secrets, JKS, PKCS12) in specified namespaces +/// based on job configuration and returns them to Keyfactor Command for approval. +/// +/// +/// Supports discovery for the following store types: +/// - K8SCluster: Cluster-wide secret discovery +/// - K8SNS: Namespace-level secret discovery +/// - K8STLSSecr: TLS secrets (kubernetes.io/tls) +/// - K8SSecret: Opaque secrets +/// - K8SPKCS12/K8SPFX: PKCS12 keystores +/// - K8SJKS: JKS keystores +/// +/// Discovery parameters from job properties: +/// - dirs: Namespaces to search (comma-separated) +/// - extensions: Secret data keys to check +/// - ignoreddirs: Namespaces to ignore +/// - patterns: File name patterns to match +/// public class Discovery : JobBase, IDiscoveryJobExtension { + /// + /// Initializes a new instance of the Discovery job with the specified PAM resolver. + /// + /// PAM secret resolver for credential retrieval. public Discovery(IPAMSecretResolver resolver) { _resolver = resolver; } - //Job Entry Point + /// + /// Main entry point for the discovery job. Searches for certificate stores + /// in Kubernetes based on the job configuration. + /// + /// Discovery job configuration containing search parameters. + /// Callback delegate to submit discovered store locations to Keyfactor Command. + /// JobResult indicating success or failure of the discovery operation. + /// + /// Configuration parameters available in config: + /// - config.ServerUsername, config.ServerPassword - credentials for K8S API authentication + /// - config.JobProperties["dirs"] - Namespaces to search (comma-separated, defaults to "default") + /// - config.JobProperties["extensions"] - Secret data keys to check for certificate data + /// - config.JobProperties["ignoreddirs"] - Namespaces to ignore + /// - config.JobProperties["patterns"] - File name patterns to match + /// public JobResult ProcessJob(DiscoveryJobConfiguration config, SubmitDiscoveryUpdate submitDiscovery) { - //METHOD ARGUMENTS... - //config - contains context information passed from KF Command to this job run: - // - // config.ServerUsername, config.ServerPassword - credentials for orchestrated server - use to authenticate to certificate store server. - // config.ClientMachine - server name or IP address of orchestrated server - // - // config.JobProperties["dirs"] - Directories to search - // config.JobProperties["extensions"] - Extensions to search - // config.JobProperties["ignoreddirs"] - Directories to ignore - // config.JobProperties["patterns"] - File name patterns to match - - - //NLog Logging to c:\CMS\Logs\CMS_Agent_Log.txt Logger = LogHandler.GetClassLogger(GetType()); + Logger.MethodEntry(MsLogLevel.Debug); Logger.LogInformation("Begin Discovery for K8S Orchestrator Extension for job {JobID}", config.JobId); Logger.LogInformation("Discovery for store type: {Capability}", config.Capability); try @@ -236,6 +262,8 @@ public JobResult ProcessJob(DiscoveryJobConfiguration config, SubmitDiscoveryUpd submitDiscovery.Invoke(locations.Distinct().ToArray()); Logger.LogDebug("Returned from submitDiscovery.Invoke()"); //Status: 2=Success, 3=Warning, 4=Error + Logger.LogInformation("Discovery job {JobId} completed successfully with {Count} locations", config.JobId, locations.Count); + Logger.MethodExit(MsLogLevel.Debug); return new JobResult { Result = OrchestratorJobStatusJobResult.Success, @@ -247,18 +275,19 @@ public JobResult ProcessJob(DiscoveryJobConfiguration config, SubmitDiscoveryUpd { // NOTE: if the cause of the submitInventory.Invoke exception is a communication issue between the Orchestrator server and the Command server, the job status returned here // may not be reflected in Keyfactor Command. - Logger.LogError("Discovery job has failed due to an unknown error: `{Error}`", ex.Message); - Logger.LogTrace("{Message}", ex.ToString()); + Logger.LogError("Discovery job has failed due to an unknown error: {Error}", ex.Message); + Logger.LogTrace("Exception details: {Details}", ex.ToString()); var inner = ex.InnerException; while (inner != null) { Logger.LogError("Inner Exception: {Message}", inner.Message); - Logger.LogTrace("{Message}", inner.ToString()); + Logger.LogTrace("Inner exception details: {Details}", inner.ToString()); inner = inner.InnerException; } Logger.LogInformation("End DISCOVERY for K8S Orchestrator Extension for job '{JobID}' with failure", config.JobId); + Logger.MethodExit(MsLogLevel.Debug); return FailJob(ex.Message, config.JobHistoryId); } } diff --git a/kubernetes-orchestrator-extension/Jobs/Inventory.cs b/kubernetes-orchestrator-extension/Jobs/Inventory.cs index ac849e04..c2bc387c 100644 --- a/kubernetes-orchestrator-extension/Jobs/Inventory.cs +++ b/kubernetes-orchestrator-extension/Jobs/Inventory.cs @@ -5,6 +5,9 @@ // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions // and limitations under the License. +// Suppress warnings for variables used for state tracking but not read (future functionality) +#pragma warning disable CS0219 + using System; using System.Collections.Generic; using System.Linq; @@ -13,44 +16,124 @@ using k8s.Autorest; using Keyfactor.Extensions.Orchestrator.K8S.StoreTypes.K8SJKS; using Keyfactor.Extensions.Orchestrator.K8S.StoreTypes.K8SPKCS12; +using Keyfactor.Extensions.Orchestrator.K8S.Utilities; +using Keyfactor.Logging; using Keyfactor.Orchestrators.Common.Enums; using Keyfactor.Orchestrators.Extensions; using Keyfactor.Orchestrators.Extensions.Interfaces; using Microsoft.Extensions.Logging; +using MsLogLevel = Microsoft.Extensions.Logging.LogLevel; using Org.BouncyCastle.Pkcs; namespace Keyfactor.Extensions.Orchestrator.K8S.Jobs; -// The Inventory class implements IAgentJobExtension and is meant to find all of the certificates in a given certificate store on a given server -// and return those certificates back to Keyfactor for storing in its database. Private keys will NOT be passed back to Keyfactor Command +/// +/// Inventory job implementation for Kubernetes certificate stores. +/// Finds all certificates in a given Kubernetes certificate store (secrets, CSRs, JKS, PKCS12) +/// and returns them to Keyfactor Command for storage in its database. +/// Private keys are NOT passed back to Keyfactor Command. +/// +/// +/// Supports the following store types: +/// - Opaque secrets (K8SSecret) +/// - TLS secrets (K8STLSSecr) +/// - Certificate Signing Requests (K8SCert) +/// - JKS keystores (K8SJKS) +/// - PKCS12 keystores (K8SPKCS12) +/// - Cluster-wide inventory (K8SCluster) +/// - Namespace-wide inventory (K8SNS) +/// public class Inventory : JobBase, IInventoryJobExtension { + /// + /// Represents a single inventory entry with per-item private key status and certificate chain. + /// Used for K8SNS and K8SCluster inventory where each secret may have different private key status. + /// + private class InventoryEntry + { + /// The alias/identifier for this inventory item. + public string Alias { get; set; } = string.Empty; + + /// The certificate chain (leaf cert first, then intermediates, then root). + public List Certificates { get; set; } = new(); + + /// Whether this entry has a private key in the store. + public bool HasPrivateKey { get; set; } + } + + /// + /// Stores the original KubeSecretName value from the job config properties. + /// This is needed for K8SCert cluster-wide mode detection because InitializeStore + /// may modify KubeSecretName by setting it from StorePath if empty. + /// + private string _originalKubeSecretName; + + /// + /// Initializes a new instance of the Inventory job with the specified PAM resolver. + /// + /// PAM secret resolver for credential retrieval. public Inventory(IPAMSecretResolver resolver) { _resolver = resolver; } - //Job Entry Point + /// + /// Main entry point for the inventory job. Processes the job configuration and returns + /// all certificates found in the specified Kubernetes certificate store. + /// + /// Inventory job configuration containing store details and credentials. + /// Callback delegate to submit discovered certificates to Keyfactor Command. + /// JobResult indicating success or failure of the inventory operation. + /// + /// Configuration parameters available in config: + /// - config.ServerUsername, config.ServerPassword - credentials for K8S API authentication + /// - config.CertificateStoreDetails.StorePath - location path of certificate store + /// - config.CertificateStoreDetails.StorePassword - password for protected stores (JKS/PKCS12) + /// - config.CertificateStoreDetails.Properties - JSON string with custom store properties + /// public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpdate submitInventory) { - //METHOD ARGUMENTS... - //config - contains context information passed from KF Command to this job run: - // - // config.Server.Username, config.Server.Password - credentials for orchestrated server - use to authenticate to certificate store server. - // - // config.ServerUsername, config.ServerPassword - credentials for orchestrated server - use to authenticate to certificate store server. - // config.CertificateStoreDetails.ClientMachine - server name or IP address of orchestrated server - // config.CertificateStoreDetails.StorePath - location path of certificate store on orchestrated server - // config.CertificateStoreDetails.StorePassword - if the certificate store has a password, it would be passed here - // config.CertificateStoreDetails.Properties - JSON string containing custom store properties for this specific store type - - //NLog Logging to c:\CMS\Logs\CMS_Agent_Log.txt + Logger ??= LogHandler.GetClassLogger(GetType()); + Logger.MethodEntry(MsLogLevel.Debug); + try { + // For K8SCert cluster-wide mode detection, we need to capture the original KubeSecretName + // BEFORE InitializeStore modifies it (it may get set from StorePath if empty) + string originalKubeSecretName = null; + if (!string.IsNullOrEmpty(config.CertificateStoreDetails?.Properties)) + { + try + { + var props = System.Text.Json.JsonSerializer.Deserialize>( + config.CertificateStoreDetails.Properties); + if (props != null && props.TryGetValue("KubeSecretName", out var val)) + { + originalKubeSecretName = val?.ToString(); + } + } + catch + { + // Ignore JSON parsing errors - will use default behavior + } + } + + Logger.LogDebug("Initializing store for inventory job {JobId}", config.JobId); InitializeStore(config); + Logger.LogTrace("Returned from InitializeStore()"); + + // Store the original KubeSecretName for K8SCert cluster-wide mode detection + _originalKubeSecretName = originalKubeSecretName; + Logger.LogInformation("Begin INVENTORY for K8S Orchestrator Extension for job " + config.JobId); Logger.LogInformation($"Inventory for store type: {config.Capability}"); + Logger.LogTrace("KubeClient is null: {IsNull}", KubeClient == null); + if (KubeClient == null) + { + throw new InvalidOperationException("KubeClient is null after InitializeStore()"); + } + Logger.LogDebug("Server: {Host}", KubeClient.GetHost()); Logger.LogDebug("Store Path: {StorePath}", StorePath); Logger.LogDebug("KubeSecretType: {KubeSecretType}", KubeSecretType); @@ -60,16 +143,27 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd Logger.LogTrace("Inventory entering switch based on KubeSecretType: " + KubeSecretType + "..."); - var hasPrivateKey = false; - Logger.LogTrace("Inventory entering switch based on KubeSecretType: " + KubeSecretType + "..."); - - if (Capability.Contains("Cluster")) KubeSecretType = "cluster"; - if (Capability.Contains("NS")) KubeSecretType = "namespace"; + // Note: KubeSecretType is now derived from Capability in JobBase.DeriveSecretTypeFromCapability() + // The following store types are handled: + // - K8SCluster -> "cluster" + // - K8SNS -> "namespace" + // - K8SCert -> "certificate" + // - K8SJKS -> "jks" + // - K8SPKCS12 -> "pkcs12" + // - K8SSecret -> "secret" + // - K8STLSSecr -> "tls_secret" var allowedKeys = new List(); if (!string.IsNullOrEmpty(CertificateDataFieldName)) allowedKeys = CertificateDataFieldName.Split(',').ToList(); + // Handle null KubeSecretType gracefully + if (string.IsNullOrEmpty(KubeSecretType)) + { + Logger.LogWarning("KubeSecretType is null or empty, defaulting to 'secret'"); + KubeSecretType = "secret"; + } + switch (KubeSecretType.ToLower()) { case "secret": @@ -79,8 +173,15 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd OpaqueAllowedKeys?.ToString()); try { - var opaqueInventory = HandleTlsSecret(config.JobHistoryId); + var opaqueInventory = HandleOpaqueSecretAsList(config.JobHistoryId); Logger.LogDebug("Returned inventory count: {Count}", opaqueInventory.Count.ToString()); + if (opaqueInventory.Count == 0) + { + Logger.LogInformation("No certificates found in Opaque secret {Namespace}/{Name}", + KubeNamespace, KubeSecretName); + submitInventory.Invoke(new List()); + return SuccessJob(config.JobHistoryId, "No certificates found in Opaque secret"); + } return PushInventory(opaqueInventory, config.JobHistoryId, submitInventory, true); } catch (StoreNotFoundException) @@ -88,7 +189,7 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd Logger.LogWarning("Unable to locate Opaque secret {Namespace}/{Name}. Sending empty inventory.", KubeNamespace, KubeSecretName); return PushInventory(new List(), config.JobHistoryId, submitInventory, false, - "WARNING: Store not found in Kubernetes cluster. Assuming empty inventory."); + "WARNING: Opaque secret not found in Kubernetes cluster. Assuming empty inventory."); } catch (Exception ex) { @@ -116,14 +217,21 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd { var tlsCertsInv = HandleTlsSecret(config.JobHistoryId); Logger.LogDebug("Returned inventory count: {Count}", tlsCertsInv.Count.ToString()); + if (tlsCertsInv.Count == 0) + { + Logger.LogInformation("No certificates found in TLS secret {Namespace}/{Name}", + KubeNamespace, KubeSecretName); + submitInventory.Invoke(new List()); + return SuccessJob(config.JobHistoryId, "No certificates found in TLS secret"); + } return PushInventory(tlsCertsInv, config.JobHistoryId, submitInventory, true); } - catch (StoreNotFoundException ex) + catch (StoreNotFoundException) { - Logger.LogWarning("Unable to locate tls secret {Namespace}/{Name}. Sending empty inventory.", + Logger.LogWarning("Unable to locate TLS secret {Namespace}/{Name}. Sending empty inventory.", KubeNamespace, KubeSecretName); return PushInventory(new List(), config.JobHistoryId, submitInventory, false, - "WARNING: Store not found in Kubernetes cluster. Assuming empty inventory."); + "WARNING: TLS secret not found in Kubernetes cluster. Assuming empty inventory."); } case "certificate": @@ -140,22 +248,57 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd //combine allowed keys and CertificateDataFields into one list allowedKeys.AddRange(Pkcs12AllowedKeys); Logger.LogInformation("Inventorying PKCS12 using the following allowed keys: {Keys}", allowedKeys); - var pkcs12Inventory = HandlePkcs12Secret(config, allowedKeys); - Logger.LogDebug("Returned inventory count: {Count}", pkcs12Inventory.Count.ToString()); - return PushInventory(pkcs12Inventory, config.JobHistoryId, submitInventory, true); + try + { + var pkcs12Inventory = HandlePkcs12Secret(config, allowedKeys); + Logger.LogDebug("Returned inventory count: {Count}", pkcs12Inventory.Count.ToString()); + if (pkcs12Inventory.Count == 0) + { + Logger.LogInformation("No certificates found in PKCS12 keystore {Namespace}/{Name}", + KubeNamespace, KubeSecretName); + submitInventory.Invoke(new List()); + return SuccessJob(config.JobHistoryId, "No certificates found in PKCS12 keystore"); + } + return PushInventory(pkcs12Inventory, config.JobHistoryId, submitInventory, true); + } + catch (StoreNotFoundException) + { + Logger.LogWarning("Unable to locate PKCS12 secret {Namespace}/{Name}. Sending empty inventory.", + KubeNamespace, KubeSecretName); + return PushInventory(new List(), config.JobHistoryId, submitInventory, false, + "WARNING: PKCS12 store not found in Kubernetes cluster. Assuming empty inventory."); + } case "jks": allowedKeys.AddRange(JksAllowedKeys); Logger.LogInformation("Inventorying JKS using the following allowed keys: {Keys}", allowedKeys); - var jksInventory = HandleJKSSecret(config, allowedKeys); - Logger.LogDebug("Returned inventory count: {Count}", jksInventory.Count.ToString()); - return PushInventory(jksInventory, config.JobHistoryId, submitInventory, true); + try + { + var jksInventory = HandleJKSSecret(config, allowedKeys); + Logger.LogDebug("Returned inventory count: {Count}", jksInventory.Count.ToString()); + if (jksInventory.Count == 0) + { + Logger.LogInformation("No certificates found in JKS keystore {Namespace}/{Name}", + KubeNamespace, KubeSecretName); + submitInventory.Invoke(new List()); + return SuccessJob(config.JobHistoryId, "No certificates found in JKS keystore"); + } + return PushInventory(jksInventory, config.JobHistoryId, submitInventory, true); + } + catch (StoreNotFoundException) + { + Logger.LogWarning("Unable to locate JKS secret {Namespace}/{Name}. Sending empty inventory.", + KubeNamespace, KubeSecretName); + return PushInventory(new List(), config.JobHistoryId, submitInventory, false, + "WARNING: JKS store not found in Kubernetes cluster. Assuming empty inventory."); + } case "cluster": var clusterOpaqueSecrets = KubeClient.DiscoverSecrets(OpaqueAllowedKeys, "Opaque", "all"); var clusterTlsSecrets = KubeClient.DiscoverSecrets(TLSAllowedKeys, "tls", "all"); var errors = new List(); - var clusterInventoryDict = new Dictionary>(); + // Use List to track per-secret private key status and full certificate chains + var clusterInventoryEntries = new List(); foreach (var opaqueSecret in clusterOpaqueSecrets) { KubeSecretName = ""; @@ -163,20 +306,42 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd KubeSecretType = "secret"; try { - ResolveStorePath(opaqueSecret); + // DiscoverSecrets returns format: cluster/namespace/secrets/secretname + // Parse the path directly since ResolveStorePath doesn't handle cluster stores with 4 parts + var pathParts = opaqueSecret.Split('/'); + if (pathParts.Length >= 4) + { + // Format: cluster/namespace/secrets/secretname + KubeNamespace = pathParts[1]; + KubeSecretName = pathParts[pathParts.Length - 1]; + Logger.LogDebug("Cluster inventory: Parsed namespace={Namespace}, secretName={SecretName} from path {Path}", + KubeNamespace, KubeSecretName, opaqueSecret); + } + else + { + // Fallback to ResolveStorePath for other formats + ResolveStorePath(opaqueSecret); + } StorePath = opaqueSecret.Replace("secrets", "secrets/opaque"); //Split storepath by / and remove first 1 elements var storePathSplit = StorePath.Split('/'); var storePathSplitList = storePathSplit.ToList(); storePathSplitList.RemoveAt(0); - StorePath = string.Join("/", storePathSplitList); - - var opaqueObj = HandleTlsSecret(config.JobHistoryId); - clusterInventoryDict[StorePath] = opaqueObj; + var alias = string.Join("/", storePathSplitList); + + var entry = HandleOpaqueSecretAsEntry(config.JobHistoryId, alias); + if (entry.Certificates.Count > 0) + { + clusterInventoryEntries.Add(entry); + Logger.LogDebug("Cluster inventory: Added opaque secret '{Alias}' with HasPrivateKey={HasPrivateKey}, CertCount={CertCount}", + entry.Alias, entry.HasPrivateKey, entry.Certificates.Count); + Logger.LogTrace("Cluster inventory: Alias '{Alias}' certificate chain:\n{Chain}", + entry.Alias, string.Join("\n---\n", entry.Certificates)); + } } catch (Exception ex) { - Logger.LogError("Error processing TLS Secret: " + opaqueSecret + " - " + ex.Message + + Logger.LogError("Error processing Opaque Secret: " + opaqueSecret + " - " + ex.Message + "\n\t" + ex.StackTrace); errors.Add(ex.Message); } @@ -189,16 +354,38 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd KubeSecretType = "tls_secret"; try { - ResolveStorePath(tlsSecret); + // DiscoverSecrets returns format: cluster/namespace/secrets/secretname + // Parse the path directly since ResolveStorePath doesn't handle cluster stores with 4 parts + var pathParts = tlsSecret.Split('/'); + if (pathParts.Length >= 4) + { + // Format: cluster/namespace/secrets/secretname + KubeNamespace = pathParts[1]; + KubeSecretName = pathParts[pathParts.Length - 1]; + Logger.LogDebug("Cluster inventory: Parsed namespace={Namespace}, secretName={SecretName} from path {Path}", + KubeNamespace, KubeSecretName, tlsSecret); + } + else + { + // Fallback to ResolveStorePath for other formats + ResolveStorePath(tlsSecret); + } StorePath = tlsSecret.Replace("secrets", "secrets/tls"); //Split storepath by / and remove first 1 elements var storePathSplit = StorePath.Split('/'); var storePathSplitList = storePathSplit.ToList(); storePathSplitList.RemoveAt(0); - StorePath = string.Join("/", storePathSplitList); - - var tlsObj = HandleTlsSecret(config.JobHistoryId); - clusterInventoryDict[StorePath] = tlsObj; + var alias = string.Join("/", storePathSplitList); + + var entry = HandleTlsSecretAsEntry(config.JobHistoryId, alias); + if (entry.Certificates.Count > 0) + { + clusterInventoryEntries.Add(entry); + Logger.LogDebug("Cluster inventory: Added TLS secret '{Alias}' with HasPrivateKey={HasPrivateKey}, CertCount={CertCount}", + entry.Alias, entry.HasPrivateKey, entry.Certificates.Count); + Logger.LogTrace("Cluster inventory: Alias '{Alias}' certificate chain:\n{Chain}", + entry.Alias, string.Join("\n---\n", entry.Certificates)); + } } catch (Exception ex) { @@ -208,13 +395,15 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd } } - return PushInventory(clusterInventoryDict, config.JobHistoryId, submitInventory, true); + Logger.LogDebug("Cluster inventory complete: {Count} secrets with per-item private key status", clusterInventoryEntries.Count); + return PushInventory(clusterInventoryEntries, config.JobHistoryId, submitInventory); case "namespace": var namespaceOpaqueSecrets = KubeClient.DiscoverSecrets(OpaqueAllowedKeys, "Opaque", KubeNamespace); var namespaceTlsSecrets = KubeClient.DiscoverSecrets(TLSAllowedKeys, "tls", KubeNamespace); var namespaceErrors = new List(); - var namespaceInventoryDict = new Dictionary(); + // Use List to track per-secret private key status and full certificate chains + var namespaceInventoryEntries = new List(); foreach (var opaqueSecret in namespaceOpaqueSecrets) { KubeSecretName = ""; @@ -222,21 +411,43 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd KubeSecretType = "secret"; try { - ResolveStorePath(opaqueSecret); + // DiscoverSecrets returns format: cluster/namespace/secrets/secretname + // Parse the path directly since ResolveStorePath doesn't handle NS stores with 4 parts + var pathParts = opaqueSecret.Split('/'); + if (pathParts.Length >= 4) + { + // Format: cluster/namespace/secrets/secretname + // KubeNamespace is already set from store config, just need secret name + KubeSecretName = pathParts[pathParts.Length - 1]; + Logger.LogDebug("Namespace inventory: Parsed secretName={SecretName} from path {Path}", + KubeSecretName, opaqueSecret); + } + else + { + // Fallback to ResolveStorePath for other formats + ResolveStorePath(opaqueSecret); + } StorePath = opaqueSecret.Replace("secrets", "secrets/opaque"); //Split storepath by / and remove first 2 elements var storePathSplit = StorePath.Split('/'); var storePathSplitList = storePathSplit.ToList(); storePathSplitList.RemoveAt(0); storePathSplitList.RemoveAt(0); - StorePath = string.Join("/", storePathSplitList); - - var opaqueObj = HandleTlsSecret(config.JobHistoryId); - namespaceInventoryDict[StorePath] = opaqueObj[0]; + var alias = string.Join("/", storePathSplitList); + + var entry = HandleOpaqueSecretAsEntry(config.JobHistoryId, alias); + if (entry.Certificates.Count > 0) + { + namespaceInventoryEntries.Add(entry); + Logger.LogDebug("Namespace inventory: Added opaque secret '{Alias}' with HasPrivateKey={HasPrivateKey}, CertCount={CertCount}", + entry.Alias, entry.HasPrivateKey, entry.Certificates.Count); + Logger.LogTrace("Namespace inventory: Alias '{Alias}' certificate chain:\n{Chain}", + entry.Alias, string.Join("\n---\n", entry.Certificates)); + } } catch (Exception ex) { - Logger.LogError("Error processing TLS Secret: " + opaqueSecret + " - " + ex.Message + + Logger.LogError("Error processing Opaque Secret: " + opaqueSecret + " - " + ex.Message + "\n\t" + ex.StackTrace); namespaceErrors.Add(ex.Message); } @@ -249,7 +460,22 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd KubeSecretType = "tls_secret"; try { - ResolveStorePath(tlsSecret); + // DiscoverSecrets returns format: cluster/namespace/secrets/secretname + // Parse the path directly since ResolveStorePath doesn't handle NS stores with 4 parts + var pathParts = tlsSecret.Split('/'); + if (pathParts.Length >= 4) + { + // Format: cluster/namespace/secrets/secretname + // KubeNamespace is already set from store config, just need secret name + KubeSecretName = pathParts[pathParts.Length - 1]; + Logger.LogDebug("Namespace inventory: Parsed secretName={SecretName} from path {Path}", + KubeSecretName, tlsSecret); + } + else + { + // Fallback to ResolveStorePath for other formats + ResolveStorePath(tlsSecret); + } StorePath = tlsSecret.Replace("secrets", "secrets/tls"); //Split storepath by / and remove first 2 elements @@ -257,11 +483,17 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd var storePathSplitList = storePathSplit.ToList(); storePathSplitList.RemoveAt(0); storePathSplitList.RemoveAt(0); - StorePath = string.Join("/", storePathSplitList); - - - var tlsObj = HandleTlsSecret(config.JobHistoryId); - namespaceInventoryDict[StorePath] = tlsObj[0]; + var alias = string.Join("/", storePathSplitList); + + var entry = HandleTlsSecretAsEntry(config.JobHistoryId, alias); + if (entry.Certificates.Count > 0) + { + namespaceInventoryEntries.Add(entry); + Logger.LogDebug("Namespace inventory: Added TLS secret '{Alias}' with HasPrivateKey={HasPrivateKey}, CertCount={CertCount}", + entry.Alias, entry.HasPrivateKey, entry.Certificates.Count); + Logger.LogTrace("Namespace inventory: Alias '{Alias}' certificate chain:\n{Chain}", + entry.Alias, string.Join("\n---\n", entry.Certificates)); + } } catch (Exception ex) { @@ -271,7 +503,8 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd } } - return PushInventory(namespaceInventoryDict, config.JobHistoryId, submitInventory, true); + Logger.LogDebug("Namespace inventory complete: {Count} secrets with per-item private key status", namespaceInventoryEntries.Count); + return PushInventory(namespaceInventoryEntries, config.JobHistoryId, submitInventory); default: Logger.LogError("Inventory failed with exception: " + KubeSecretType + " not supported."); @@ -304,9 +537,16 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd } } + /// + /// Handles inventory of JKS (Java KeyStore) secrets stored in Kubernetes. + /// Deserializes JKS data and extracts all certificates and their chains. + /// + /// Job configuration containing store properties. + /// List of allowed secret data keys to process. + /// Dictionary mapping certificate aliases to their PEM certificate chains. private Dictionary> HandleJKSSecret(JobConfiguration config, List allowedKeys) { - Logger.LogDebug("Enter HandleJKSSecret()"); + Logger.MethodEntry(MsLogLevel.Debug); var hasPrivateKeyJks = false; Logger.LogDebug("Attempting to serialize JKS store"); var jksStore = new JksCertificateStoreSerializer(config.JobProperties?.ToString()); @@ -323,8 +563,8 @@ private Dictionary> HandleJKSSecret(JobConfiguration config Logger.LogDebug("Fetching store password for K8S secret " + KubeSecretName + " in namespace " + KubeNamespace + " and key " + keyName); var keyPassword = getK8SStorePassword(k8sData.Secret); - var passwordHash = GetSHA256Hash(keyPassword); - // Logger.LogTrace("Password hash for '{Secret}/{Key}': {Hash}", KubeSecretName, keyName, passwordHash); //TODO: Insecure comment out! + Logger.LogTrace("Password correlation for '{Secret}/{Key}': {CorrelationId}", + KubeSecretName, keyName, LoggingUtilities.GetPasswordCorrelationId(keyPassword)); var keyAlias = keyName; Logger.LogTrace("Key alias: {Alias}", keyAlias); Logger.LogDebug("Attempting to deserialize JKS store '{Secret}/{Key}'", KubeSecretName, keyName); @@ -440,36 +680,79 @@ private Dictionary> HandleJKSSecret(JobConfiguration config } } + Logger.LogDebug("JKS inventory complete with {Count} entries", jksInventoryDict.Count); + Logger.MethodExit(MsLogLevel.Debug); return jksInventoryDict; } + /// + /// Handles inventory of Kubernetes Certificate Signing Requests (CSRs). + /// If KubeSecretName is specified, inventories that specific CSR (legacy single-CSR mode). + /// If KubeSecretName is empty or "*", inventories ALL issued CSRs in the cluster (cluster-wide mode). + /// + /// The job history ID for tracking. + /// Callback delegate to submit discovered certificates. + /// JobResult indicating success or failure. private JobResult HandleCertificate(long jobId, SubmitInventoryUpdate submitInventory) { - Logger.LogDebug("Entering HandleCertificate for job id " + jobId + "..."); + Logger.MethodEntry(MsLogLevel.Debug); Logger.LogTrace("submitInventory: " + submitInventory); - const bool hasPrivateKey = false; - Logger.LogTrace("Calling GetCertificateSigningRequestStatus for job id " + jobId + "..."); + // Determine mode: single CSR or cluster-wide + // Use the ORIGINAL KubeSecretName value from job config, not the potentially modified one + // (InitializeStore may set KubeSecretName from StorePath if it was empty) + var secretNameToCheck = _originalKubeSecretName ?? KubeSecretName; + var isClusterWideMode = string.IsNullOrWhiteSpace(secretNameToCheck) || secretNameToCheck == "*"; + + Logger.LogDebug("K8SCert mode detection: originalKubeSecretName='{Original}', KubeSecretName='{Current}', isClusterWideMode={IsClusterWide}", + _originalKubeSecretName ?? "(null)", KubeSecretName, isClusterWideMode); + + if (isClusterWideMode) + { + Logger.LogDebug("Processing CSR inventory for job {JobId} - cluster-wide mode (all CSRs)", jobId); + return HandleCertificateClusterWide(jobId, submitInventory); + } + else + { + // For single CSR mode, use the original KubeSecretName if it was explicitly set + var csrName = !string.IsNullOrWhiteSpace(_originalKubeSecretName) ? _originalKubeSecretName : KubeSecretName; + Logger.LogDebug("Processing CSR inventory for job {JobId} - single CSR mode (name: {CsrName})", jobId, csrName); + return HandleCertificateSingle(jobId, submitInventory, csrName); + } + } + + /// + /// Handles inventory of a single CSR by name (legacy behavior). + /// + /// The job history ID for tracking. + /// Callback delegate to submit discovered certificates. + /// The name of the CSR to inventory. + private JobResult HandleCertificateSingle(long jobId, SubmitInventoryUpdate submitInventory, string csrName) + { + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogTrace("Calling GetCertificateSigningRequestStatus for CSR '{CsrName}'...", csrName); + try { - var certificates = KubeClient.GetCertificateSigningRequestStatus(KubeSecretName); - Logger.LogDebug("GetCertificateSigningRequestStatus returned " + certificates.Count() + " certificates."); + var certificates = KubeClient.GetCertificateSigningRequestStatus(csrName); + Logger.LogDebug("GetCertificateSigningRequestStatus returned {Count} certificates.", certificates.Count()); Logger.LogTrace(string.Join(",", certificates)); - Logger.LogDebug("Calling PushInventory for job id " + jobId + "..."); - return PushInventory(certificates, jobId, submitInventory); + Logger.LogDebug("Pushing {Count} certificates to inventory", certificates.Count()); + var result = PushInventory(certificates, jobId, submitInventory); + Logger.MethodExit(MsLogLevel.Debug); + return result; } catch (HttpOperationException e) { - Logger.LogError("HttpOperationException: " + e.Message); + Logger.LogError("HttpOperationException: {Message}", e.Message); Logger.LogTrace(e.ToString()); Logger.LogTrace(e.StackTrace); var certDataErrorMsg = - $"Kubernetes {KubeSecretType} '{KubeSecretName}' was not found in namespace '{KubeNamespace}' on host '{KubeClient.GetHost()}'."; + $"Kubernetes CSR '{csrName}' was not found on host '{KubeClient.GetHost()}'."; Logger.LogError(certDataErrorMsg); var inventoryItems = new List(); submitInventory.Invoke(inventoryItems); - Logger.LogTrace("Exiting HandleCertificate for job id " + jobId + "..."); - // return FailJob(certDataErrorMsg, jobId); + Logger.LogTrace("Exiting HandleCertificateSingle for job id " + jobId + "..."); return new JobResult { Result = OrchestratorJobStatusJobResult.Success, @@ -479,20 +762,124 @@ private JobResult HandleCertificate(long jobId, SubmitInventoryUpdate submitInve } catch (Exception e) { - Logger.LogError("HttpOperationException: " + e.Message); + Logger.LogError("Exception: " + e.Message); Logger.LogTrace(e.ToString()); Logger.LogTrace(e.StackTrace); - var certDataErrorMsg = $"Error querying Kubernetes secret API: {e.Message}"; + var certDataErrorMsg = $"Error querying Kubernetes CSR API: {e.Message}"; Logger.LogError(certDataErrorMsg); - Logger.LogTrace("Exiting HandleCertificate for job id " + jobId + "..."); + Logger.LogTrace("Exiting HandleCertificateSingle for job id " + jobId + "..."); + return FailJob(certDataErrorMsg, jobId); + } + } + + /// + /// Handles inventory of all CSRs in the cluster (new cluster-wide behavior). + /// + private JobResult HandleCertificateClusterWide(long jobId, SubmitInventoryUpdate submitInventory) + { + Logger.MethodEntry(MsLogLevel.Debug); + + try + { + // List all CSRs in the cluster that have issued certificates + var csrCertificates = KubeClient.ListAllCertificateSigningRequests(); + Logger.LogDebug("Found {Count} issued certificates from CSRs", csrCertificates.Count); + + if (csrCertificates.Count == 0) + { + Logger.LogInformation("No issued CSR certificates found in cluster"); + submitInventory.Invoke(new List()); + return new JobResult + { + Result = OrchestratorJobStatusJobResult.Success, + JobHistoryId = jobId, + FailureMessage = "No issued CSR certificates found in cluster" + }; + } + + var inventoryItems = new List(); + foreach (var kvp in csrCertificates) + { + var csrName = kvp.Key; + var certPem = kvp.Value; + + Logger.LogDebug("Processing CSR {CsrName}", csrName); + Logger.LogTrace("Certificate PEM: {CertPem}", certPem); + + try + { + // Parse the certificate chain - CSRs can contain multiple certificates if signed by a CA with intermediates + var certChain = KubeClient.LoadCertificateChain(certPem); + if (certChain == null || certChain.Count == 0) + { + Logger.LogWarning("Failed to parse certificate chain from CSR {CsrName}, skipping", csrName); + continue; + } + + // Convert each certificate in the chain to PEM format + var certPemList = new List(); + foreach (var cert in certChain) + { + var pem = KubeClient.ConvertToPem(cert); + certPemList.Add(pem); + } + + Logger.LogDebug("CSR {CsrName} has {Count} certificate(s) in chain", csrName, certPemList.Count); + Logger.LogTrace("CSR {CsrName} certificate chain:\n{Chain}", csrName, string.Join("\n---\n", certPemList)); + + // Use CSR name as the alias for easy identification + var inventoryItem = new CurrentInventoryItem + { + Alias = csrName, + PrivateKeyEntry = false, // CSRs never have private keys in K8s + UseChainLevel = certPemList.Count > 1, + ItemStatus = OrchestratorInventoryItemStatus.Unknown, + Certificates = certPemList.ToArray() + }; + + inventoryItems.Add(inventoryItem); + Logger.LogDebug("Added CSR {CsrName} to inventory with {CertCount} certificates", csrName, certPemList.Count); + } + catch (Exception ex) + { + Logger.LogWarning(ex, "Error processing certificate from CSR {CsrName}, skipping", csrName); + } + } + + Logger.LogDebug("Submitting {Count} CSR certificates to inventory", inventoryItems.Count); + submitInventory.Invoke(inventoryItems); + + Logger.MethodExit(MsLogLevel.Debug); + return new JobResult + { + Result = OrchestratorJobStatusJobResult.Success, + JobHistoryId = jobId + }; + } + catch (Exception e) + { + Logger.LogError(e, "Error listing CSRs from cluster: {Message}", e.Message); + var certDataErrorMsg = $"Error querying Kubernetes CSR API: {e.Message}"; + Logger.LogTrace("Exiting HandleCertificateClusterWide for job id " + jobId + "..."); return FailJob(certDataErrorMsg, jobId); } } + /// + /// Submits discovered certificates to Keyfactor Command. + /// Converts certificate strings to CurrentInventoryItem objects and invokes the submit callback. + /// + /// Collection of PEM-formatted certificate strings. + /// The job history ID for tracking. + /// Callback delegate to submit certificates to Keyfactor Command. + /// Whether the certificates have associated private keys in the store. + /// Optional message to include in the job result. + /// JobResult indicating success or failure of the submission. private JobResult PushInventory(IEnumerable certsList, long jobId, SubmitInventoryUpdate submitInventory, bool hasPrivateKey = false, string jobMessage = null) { - Logger.LogDebug("Entering PushInventory for job id " + jobId + "..."); + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogDebug("Processing certificate list for job {JobId}", jobId); Logger.LogTrace("submitInventory: " + submitInventory); Logger.LogTrace("certsList: " + certsList); var inventoryItems = new List(); @@ -510,14 +897,14 @@ private JobResult PushInventory(IEnumerable certsList, long jobId, Submi try { - Logger.LogDebug("Attempting to load cert as X509Certificate2..."); - var certFormatted = cert.Contains("BEGIN CERTIFICATE") - ? new X509Certificate2(Encoding.UTF8.GetBytes(cert)) - : new X509Certificate2(Convert.FromBase64String(cert)); - Logger.LogTrace("Cert loaded as X509Certificate2: " + certFormatted); - Logger.LogDebug("Attempting to get cert thumbprint..."); - alias = certFormatted.Thumbprint; - Logger.LogDebug("Cert thumbprint: " + alias); + Logger.LogDebug("Attempting to parse certificate using BouncyCastle..."); + var bcCert = cert.Contains("BEGIN CERTIFICATE") + ? Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities.ParseCertificateFromPem(cert) + : Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities.ParseCertificateFromDer(Convert.FromBase64String(cert)); + Logger.LogTrace("Certificate parsed successfully: " + bcCert.SubjectDN); + Logger.LogDebug("Attempting to get certificate thumbprint..."); + alias = Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities.GetThumbprint(bcCert); + Logger.LogDebug("Certificate thumbprint: " + alias); } catch (Exception e) { @@ -567,10 +954,20 @@ private JobResult PushInventory(IEnumerable certsList, long jobId, Submi } } + /// + /// Submits discovered certificates (dictionary variant) to Keyfactor Command. + /// Used for namespace-level inventory where certificates are keyed by their store path. + /// + /// Dictionary mapping store paths to PEM certificate strings. + /// The job history ID for tracking. + /// Callback delegate to submit certificates to Keyfactor Command. + /// Whether the certificates have associated private keys in the store. + /// JobResult indicating success or failure of the submission. private JobResult PushInventory(Dictionary certsList, long jobId, SubmitInventoryUpdate submitInventory, bool hasPrivateKey = false) { - Logger.LogDebug("Entering PushInventory for job id " + jobId + "..."); + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogDebug("Processing {Count} certificate entries for job {JobId}", certsList.Count, jobId); Logger.LogTrace("submitInventory: " + submitInventory); Logger.LogTrace("certsList: " + certsList); var inventoryItems = new List(); @@ -591,11 +988,11 @@ private JobResult PushInventory(Dictionary certsList, long jobId try { - Logger.LogDebug("Attempting to load cert as X509Certificate2..."); - var certFormatted = cert.Contains("BEGIN CERTIFICATE") - ? new X509Certificate2(Encoding.UTF8.GetBytes(cert)) - : new X509Certificate2(Convert.FromBase64String(cert)); - Logger.LogTrace("Cert loaded as X509Certificate2: " + certFormatted); + Logger.LogDebug("Attempting to parse certificate using BouncyCastle..."); + var bcCert = cert.Contains("BEGIN CERTIFICATE") + ? Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities.ParseCertificateFromPem(cert) + : Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities.ParseCertificateFromDer(Convert.FromBase64String(cert)); + Logger.LogTrace("Certificate parsed successfully: " + bcCert.SubjectDN); } catch (Exception e) { @@ -645,10 +1042,20 @@ private JobResult PushInventory(Dictionary certsList, long jobId } } + /// + /// Submits discovered certificates with chains (dictionary variant) to Keyfactor Command. + /// Used for JKS/PKCS12 inventory where each alias has a certificate chain. + /// + /// Dictionary mapping aliases to lists of PEM certificates (chains). + /// The job history ID for tracking. + /// Callback delegate to submit certificates to Keyfactor Command. + /// Whether the certificates have associated private keys in the store. + /// JobResult indicating success or failure of the submission. private JobResult PushInventory(Dictionary> certsList, long jobId, SubmitInventoryUpdate submitInventory, bool hasPrivateKey = false) { - Logger.LogDebug("Entering PushInventory for job id " + jobId + "..."); + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogDebug("Processing {Count} certificate chain entries for job {JobId}", certsList.Count, jobId); Logger.LogTrace("submitInventory: " + submitInventory); Logger.LogTrace("certsList: " + certsList); var inventoryItems = new List(); @@ -705,10 +1112,239 @@ private JobResult PushInventory(Dictionary> certsList, long } } + /// + /// Submits discovered certificates with per-item private key status to Keyfactor Command. + /// Used for K8SNS and K8SCluster inventory where each secret may have different private key status. + /// + /// List of inventory entries with per-item private key status and certificate chains. + /// The job history ID for tracking. + /// Callback delegate to submit certificates to Keyfactor Command. + /// JobResult indicating success or failure of the submission. + private JobResult PushInventory(List entries, long jobId, SubmitInventoryUpdate submitInventory) + { + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogDebug("Processing {Count} inventory entries with per-item private key status for job {JobId}", entries.Count, jobId); + + var inventoryItems = new List(); + + foreach (var entry in entries) + { + if (entry.Certificates == null || entry.Certificates.Count == 0) + { + Logger.LogWarning("Skipping entry '{Alias}' - no certificates", entry.Alias); + continue; + } + + Logger.LogDebug("Adding entry '{Alias}' with {CertCount} certificates, HasPrivateKey={HasPrivateKey}", + entry.Alias, entry.Certificates.Count, entry.HasPrivateKey); + + inventoryItems.Add(new CurrentInventoryItem + { + ItemStatus = OrchestratorInventoryItemStatus.Unknown, + Alias = entry.Alias, + PrivateKeyEntry = entry.HasPrivateKey, + UseChainLevel = entry.Certificates.Count > 1, + Certificates = entry.Certificates.ToArray() + }); + } + + try + { + Logger.LogDebug("Submitting {Count} inventory items to Keyfactor Command...", inventoryItems.Count); + submitInventory.Invoke(inventoryItems); + Logger.LogInformation("End INVENTORY completed successfully for job id {JobId}.", jobId); + return SuccessJob(jobId); + } + catch (Exception ex) + { + Logger.LogError(ex, "Unable to submit inventory to Keyfactor Command for job id {JobId}.", jobId); + return FailJob(ex.Message, jobId); + } + } + + /// + /// Handles inventory of Kubernetes Opaque secrets and returns certificate list. + /// Extracts certificates from the secret's data fields using OpaqueAllowedKeys. + /// + /// The job history ID for tracking. + /// List of PEM-formatted certificates found in the opaque secret. + /// Thrown when the secret cannot be found. + /// Thrown when an error occurs querying the K8S API. + private List HandleOpaqueSecretAsList(long jobId) + { + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogDebug("Processing opaque secret inventory for job {JobId}", jobId); + Logger.LogTrace("KubeNamespace: " + KubeNamespace); + Logger.LogTrace("KubeSecretName: " + KubeSecretName); + Logger.LogTrace("StorePath: " + StorePath); + + if (string.IsNullOrEmpty(KubeNamespace)) + { + Logger.LogWarning("KubeNamespace is null or empty. Attempting to parse from StorePath..."); + if (!string.IsNullOrEmpty(StorePath)) + { + KubeNamespace = StorePath.Split("/").First(); + Logger.LogTrace("KubeNamespace: " + KubeNamespace); + if (KubeNamespace == KubeSecretName) + { + Logger.LogWarning("KubeNamespace was equal to KubeSecretName. Setting KubeNamespace to 'default'..."); + KubeNamespace = "default"; + } + } + else + { + Logger.LogWarning("StorePath was null or empty. Setting KubeNamespace to 'default'..."); + KubeNamespace = "default"; + } + } + + if (string.IsNullOrEmpty(KubeSecretName) && !string.IsNullOrEmpty(StorePath)) + { + Logger.LogWarning("KubeSecretName is null or empty. Attempting to parse from StorePath..."); + KubeSecretName = StorePath.Split("/").Last(); + Logger.LogTrace("KubeSecretName: " + KubeSecretName); + } + + Logger.LogDebug($"Querying Kubernetes opaque secret API for {KubeSecretName} in namespace {KubeNamespace}..."); + try + { + var certData = KubeClient.GetCertificateStoreSecret(KubeSecretName, KubeNamespace); + var certsList = new List(); + + // First, process the primary certificate field (tls.crt, cert, etc.) - excludes ca.crt + var primaryCertKeys = OpaqueAllowedKeys.Where(k => k != "ca.crt").ToArray(); + foreach (var allowedKey in primaryCertKeys) + { + if (!certData.Data.ContainsKey(allowedKey)) continue; + + Logger.LogDebug("Found certificate data in key: {Key}", allowedKey); + var certificatesBytes = certData.Data[allowedKey]; + + // Skip empty certificate data + if (certificatesBytes == null || certificatesBytes.Length == 0) + { + Logger.LogDebug("Certificate data in key '{Key}' is empty, skipping", allowedKey); + continue; + } + + var certPemData = Encoding.UTF8.GetString(certificatesBytes); + + // Skip empty or whitespace-only certificate data + if (string.IsNullOrWhiteSpace(certPemData)) + { + Logger.LogDebug("Certificate data in key '{Key}' is empty or whitespace, skipping", allowedKey); + continue; + } + + // Use LoadCertificateChain to handle multiple certificates in the field + var certChain = KubeClient.LoadCertificateChain(certPemData); + if (certChain != null && certChain.Count > 0) + { + Logger.LogDebug("Found {Count} certificate(s) in key '{Key}'", certChain.Count, allowedKey); + foreach (var cert in certChain) + { + var certPem = KubeClient.ConvertToPem(cert); + Logger.LogTrace("Adding certificate from '{Key}': {Subject}", allowedKey, cert.SubjectDN); + certsList.Add(certPem); + } + // Found certificates in this key, don't process other primary keys + break; + } + else + { + // Try to parse as single DER certificate + Logger.LogDebug("Failed to parse as PEM chain. Attempting to parse as DER..."); + var certObj = KubeClient.ReadDerCertificate(certPemData); + if (certObj != null) + { + var certPem = KubeClient.ConvertToPem(certObj); + certsList.Add(certPem); + break; + } + else + { + Logger.LogWarning( + "Failed to parse certificate from secret '{SecretName}' key '{Key}' in namespace '{Namespace}'. " + + "The certificate data could not be parsed as PEM or DER format. Skipping this key.", + KubeSecretName, allowedKey, KubeNamespace); + } + } + } + + // Then, process ca.crt separately to add chain certificates + if (certData.Data.TryGetValue("ca.crt", out var caBytes)) + { + if (caBytes != null && caBytes.Length > 0) + { + var caCertPemData = Encoding.UTF8.GetString(caBytes); + if (!string.IsNullOrWhiteSpace(caCertPemData)) + { + // ca.crt can contain multiple certificates (intermediate + root) + var caCertChain = KubeClient.LoadCertificateChain(caCertPemData); + if (caCertChain != null && caCertChain.Count > 0) + { + Logger.LogDebug("Found {Count} certificate(s) in ca.crt", caCertChain.Count); + foreach (var caCert in caCertChain) + { + var caPem = KubeClient.ConvertToPem(caCert); + // Avoid duplicates - check if certificate is already in the list + if (!certsList.Contains(caPem)) + { + Logger.LogTrace("Adding CA certificate from ca.crt: {Subject}", caCert.SubjectDN); + certsList.Add(caPem); + } + } + } + else + { + // Fallback: try to read as a single DER certificate + var caObj = KubeClient.ReadDerCertificate(caCertPemData); + if (caObj != null) + { + var caPem = KubeClient.ConvertToPem(caObj); + if (!certsList.Contains(caPem)) + { + certsList.Add(caPem); + } + } + } + } + } + } + + Logger.LogTrace("certsList count: " + certsList.Count); + Logger.MethodExit(MsLogLevel.Debug); + return certsList; + } + catch (HttpOperationException e) + { + Logger.LogError(e.Message); + var certDataErrorMsg = $"Kubernetes opaque secret '{KubeSecretName}' was not found in namespace '{KubeNamespace}'."; + Logger.LogError(certDataErrorMsg); + throw new StoreNotFoundException(certDataErrorMsg); + } + catch (Exception e) when (e is not StoreNotFoundException && e is not InvalidOperationException) + { + var certDataErrorMsg = $"Error querying Kubernetes secret API: {e.Message}"; + Logger.LogError(certDataErrorMsg); + throw new Exception(certDataErrorMsg); + } + } + + /// + /// Handles inventory of Kubernetes Opaque secrets containing certificate data. + /// Extracts certificates from the secret's data fields using the specified managed keys. + /// + /// The job history ID for tracking. + /// Callback delegate to submit discovered certificates. + /// Array of secret data keys to check for certificate data. + /// Optional path specification for the secret. + /// JobResult indicating success or failure. private JobResult HandleOpaqueSecret(long jobId, SubmitInventoryUpdate submitInventory, string[] secretManagedKeys, string secretPath = "") { - Logger.LogDebug("Inventory entering HandleOpaqueSecret for job id " + jobId + "..."); + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogDebug("Processing opaque secret inventory for job {JobId}", jobId); const bool hasPrivateKey = true; //check if secretAllowedKeys is null or empty if (secretManagedKeys == null || secretManagedKeys.Length == 0) secretManagedKeys = new[] { "certificates" }; @@ -781,9 +1417,71 @@ private JobResult HandleOpaqueSecret(long jobId, SubmitInventoryUpdate submitInv } - private List HandleTlsSecret(long jobId) + /// + /// Handles inventory of a TLS secret and returns an InventoryEntry with certificate chain and private key status. + /// Used for K8SNS and K8SCluster inventory where per-item private key status is needed. + /// + /// The job history ID for tracking. + /// The alias to use for the inventory entry. + /// InventoryEntry with certificates and private key status. + private InventoryEntry HandleTlsSecretAsEntry(long jobId, string alias) + { + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogDebug("Processing TLS secret as inventory entry for job {JobId}, alias {Alias}", jobId, alias); + + var certs = HandleTlsSecretWithPrivateKeyStatus(jobId, out var hasPrivateKey); + + var entry = new InventoryEntry + { + Alias = alias, + Certificates = certs, + HasPrivateKey = hasPrivateKey + }; + + Logger.LogDebug("Created inventory entry for alias '{Alias}' with {CertCount} certificates, HasPrivateKey={HasPrivateKey}", + alias, certs.Count, hasPrivateKey); + Logger.MethodExit(MsLogLevel.Debug); + return entry; + } + + /// + /// Handles inventory of an opaque secret and returns an InventoryEntry with certificate chain and private key status. + /// Used for K8SNS and K8SCluster inventory where per-item private key status is needed. + /// + /// The job history ID for tracking. + /// The alias to use for the inventory entry. + /// InventoryEntry with certificates and private key status. + private InventoryEntry HandleOpaqueSecretAsEntry(long jobId, string alias) { - Logger.LogDebug("Inventory entering HandleTlsSecret for job id " + jobId + "..."); + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogDebug("Processing opaque secret as inventory entry for job {JobId}, alias {Alias}", jobId, alias); + + var certs = HandleOpaqueSecretWithPrivateKeyStatus(jobId, out var hasPrivateKey); + + var entry = new InventoryEntry + { + Alias = alias, + Certificates = certs, + HasPrivateKey = hasPrivateKey + }; + + Logger.LogDebug("Created inventory entry for alias '{Alias}' with {CertCount} certificates, HasPrivateKey={HasPrivateKey}", + alias, certs.Count, hasPrivateKey); + Logger.MethodExit(MsLogLevel.Debug); + return entry; + } + + /// + /// Handles inventory of Kubernetes TLS secrets with private key status detection. + /// + /// The job history ID for tracking. + /// Output parameter indicating whether the secret has a private key. + /// List of PEM-formatted certificates (chain if present). + private List HandleTlsSecretWithPrivateKeyStatus(long jobId, out bool hasPrivateKey) + { + hasPrivateKey = false; + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogDebug("Processing TLS secret inventory with private key status for job {JobId}", jobId); Logger.LogTrace("KubeNamespace: " + KubeNamespace); Logger.LogTrace("KubeSecretName: " + KubeSecretName); Logger.LogTrace("StorePath: " + StorePath); @@ -821,8 +1519,7 @@ private List HandleTlsSecret(long jobId) Logger.LogDebug( $"Querying Kubernetes {KubeSecretType} API for {KubeSecretName} in namespace {KubeNamespace} on host {KubeClient.GetHost()}..."); - var hasPrivateKey = true; - Logger.LogTrace("Entering try block for HandleTlsSecret..."); + Logger.LogTrace("Entering try block for HandleTlsSecretWithPrivateKeyStatus..."); try { Logger.LogTrace("Calling KubeClient.GetCertificateStoreSecret()..."); @@ -832,13 +1529,47 @@ private List HandleTlsSecret(long jobId) ); Logger.LogDebug("KubeClient.GetCertificateStoreSecret() returned successfully."); Logger.LogTrace("certData: " + certData); - var certificatesBytes = certData.Data["tls.crt"]; + + // Check if tls.crt exists and has data + if (!certData.Data.TryGetValue("tls.crt", out var certificatesBytes) || + certificatesBytes == null || certificatesBytes.Length == 0) + { + Logger.LogWarning("Secret '{SecretName}' in namespace '{Namespace}' has no certificate data (tls.crt is empty or missing). Returning empty inventory.", + KubeSecretName, KubeNamespace); + return new List(); + } + Logger.LogTrace("certificatesBytes: " + certificatesBytes); - var privateKeyBytes = certData.Data["tls.key"]; + + // Check if tls.key exists and has actual content (not empty/whitespace) + if (certData.Data.TryGetValue("tls.key", out var privateKeyBytes) && + privateKeyBytes != null && privateKeyBytes.Length > 0) + { + var privateKeyContent = Encoding.UTF8.GetString(privateKeyBytes); + // Check if it's not just whitespace or empty + hasPrivateKey = !string.IsNullOrWhiteSpace(privateKeyContent); + Logger.LogDebug("tls.key exists with content: {HasContent}, HasPrivateKey={HasPrivateKey}", + !string.IsNullOrWhiteSpace(privateKeyContent), hasPrivateKey); + } + else + { + Logger.LogDebug("tls.key is missing or empty. HasPrivateKey=false"); + hasPrivateKey = false; + } + byte[] caBytes = null; var certsList = new List(); var certPem = Encoding.UTF8.GetString(certificatesBytes); + + // Check if the certificate data is empty or whitespace-only + if (string.IsNullOrWhiteSpace(certPem)) + { + Logger.LogWarning("Secret '{SecretName}' in namespace '{Namespace}' has empty certificate data. Returning empty inventory.", + KubeSecretName, KubeNamespace); + return new List(); + } + Logger.LogTrace("certPem: " + certPem); var certObj = KubeClient.ReadPemCertificate(certPem); if (certObj == null) @@ -854,7 +1585,10 @@ private List HandleTlsSecret(long jobId) } else { - certPem = KubeClient.ConvertToPem(certObj); + // Both PEM and DER parsing failed - throw a meaningful error + throw new InvalidOperationException( + $"Failed to parse certificate from secret '{KubeSecretName}' in namespace '{KubeNamespace}'. " + + "The certificate data could not be parsed as PEM or DER format."); } Logger.LogTrace("certPem: " + certPem); @@ -867,31 +1601,414 @@ private List HandleTlsSecret(long jobId) if (!string.IsNullOrEmpty(certPem)) certsList.Add(certPem); - var caPem = ""; if (certData.Data.TryGetValue("ca.crt", out var value)) { caBytes = value; - Logger.LogTrace("caBytes: " + caBytes); - var caObj = KubeClient.ReadPemCertificate(Encoding.UTF8.GetString(caBytes)); - if (caObj == null) - { - Logger.LogDebug( - "Failed to parse certificate from opaque secret data as PEM. Attempting to parse as DER"); - // Attempt to read data as DER - caObj = KubeClient.ReadDerCertificate(Encoding.UTF8.GetString(caBytes)); + Logger.LogTrace("caBytes length: {Length}", caBytes?.Length ?? 0); + + // ca.crt can contain multiple certificates (e.g., intermediate + root) + // Use LoadCertificateChain to parse all certificates + var caCertChain = KubeClient.LoadCertificateChain(Encoding.UTF8.GetString(caBytes)); + if (caCertChain != null && caCertChain.Count > 0) + { + Logger.LogDebug("Found {Count} certificate(s) in ca.crt", caCertChain.Count); + foreach (var caCert in caCertChain) + { + var caPem = KubeClient.ConvertToPem(caCert); + Logger.LogTrace("Adding CA certificate to inventory: {Subject}", caCert.SubjectDN); + certsList.Add(caPem); + } + } + else + { + Logger.LogDebug("Failed to parse certificate chain from ca.crt as PEM. Attempting to parse as single DER certificate"); + // Fallback: try to read as a single DER certificate + var caObj = KubeClient.ReadDerCertificate(Encoding.UTF8.GetString(caBytes)); if (caObj != null) { - caPem = KubeClient.ConvertToPem(caObj); + var caPem = KubeClient.ConvertToPem(caObj); Logger.LogTrace("caPem: " + caPem); + certsList.Add(caPem); + } + } + } + else + { + // Determine if chain is present in tls.crt + var certChain = KubeClient.LoadCertificateChain(Encoding.UTF8.GetString(certificatesBytes)); + if (certChain != null && certChain.Count > 1) + { + certsList.Clear(); + Logger.LogDebug("Certificate chain detected in tls.crt. Attempting to parse chain..."); + foreach (var cert in certChain) + { + Logger.LogTrace("cert: " + cert); + certsList.Add(KubeClient.ConvertToPem(cert)); + } + } + } + + Logger.LogTrace("certsList: " + certsList); + Logger.LogDebug("Returning certificate list with {Count} certificates and HasPrivateKey={HasPrivateKey}", certsList.Count, hasPrivateKey); + return certsList.ToList(); + } + catch (HttpOperationException e) + { + Logger.LogError(e.Message); + Logger.LogTrace(e.ToString()); + Logger.LogTrace(e.StackTrace); + var certDataErrorMsg = + $"Kubernetes {KubeSecretType} '{KubeSecretName}' was not found in namespace '{KubeNamespace}'."; + Logger.LogError(certDataErrorMsg); + Logger.LogInformation("End INVENTORY for K8S Orchestrator Extension for job " + jobId + " with failure."); + throw new StoreNotFoundException(certDataErrorMsg); + } + catch (Exception e) + { + Logger.LogError(e.Message); + Logger.LogTrace(e.ToString()); + Logger.LogTrace(e.StackTrace); + var certDataErrorMsg = $"Error querying Kubernetes secret API: {e.Message}"; + Logger.LogError(certDataErrorMsg); + Logger.LogInformation("End INVENTORY for K8S Orchestrator Extension for job " + jobId + " with failure."); + throw new Exception(certDataErrorMsg); + } + } + + /// + /// Handles inventory of Kubernetes Opaque secrets with private key status detection. + /// + /// The job history ID for tracking. + /// Output parameter indicating whether the secret has a private key. + /// List of PEM-formatted certificates found in the opaque secret. + private List HandleOpaqueSecretWithPrivateKeyStatus(long jobId, out bool hasPrivateKey) + { + hasPrivateKey = false; + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogDebug("Processing opaque secret inventory with private key status for job {JobId}", jobId); + Logger.LogTrace("KubeNamespace: " + KubeNamespace); + Logger.LogTrace("KubeSecretName: " + KubeSecretName); + Logger.LogTrace("StorePath: " + StorePath); + + if (string.IsNullOrEmpty(KubeNamespace)) + { + Logger.LogWarning("KubeNamespace is null or empty. Attempting to parse from StorePath..."); + if (!string.IsNullOrEmpty(StorePath)) + { + KubeNamespace = StorePath.Split("/").First(); + Logger.LogTrace("KubeNamespace: " + KubeNamespace); + if (KubeNamespace == KubeSecretName) + { + Logger.LogWarning("KubeNamespace was equal to KubeSecretName. Setting KubeNamespace to 'default'..."); + KubeNamespace = "default"; + } + } + else + { + Logger.LogWarning("StorePath was null or empty. Setting KubeNamespace to 'default'..."); + KubeNamespace = "default"; + } + } + + if (string.IsNullOrEmpty(KubeSecretName) && !string.IsNullOrEmpty(StorePath)) + { + Logger.LogWarning("KubeSecretName is null or empty. Attempting to parse from StorePath..."); + KubeSecretName = StorePath.Split("/").Last(); + Logger.LogTrace("KubeSecretName: " + KubeSecretName); + } + + Logger.LogDebug($"Querying Kubernetes opaque secret API for {KubeSecretName} in namespace {KubeNamespace}..."); + try + { + var certData = KubeClient.GetCertificateStoreSecret(KubeSecretName, KubeNamespace); + var certsList = new List(); + + // Check for private key in common key field names + var privateKeyFields = new[] { "tls.key", "key", "private.key", "privateKey", "key.pem" }; + foreach (var keyField in privateKeyFields) + { + if (certData.Data.TryGetValue(keyField, out var keyBytes) && + keyBytes != null && keyBytes.Length > 0) + { + var keyContent = Encoding.UTF8.GetString(keyBytes); + if (!string.IsNullOrWhiteSpace(keyContent)) + { + hasPrivateKey = true; + Logger.LogDebug("Found private key in field '{KeyField}'", keyField); + break; + } + } + } + + // First, process the primary certificate field (tls.crt, cert, etc.) - excludes ca.crt + var primaryCertKeys = OpaqueAllowedKeys.Where(k => k != "ca.crt").ToArray(); + foreach (var allowedKey in primaryCertKeys) + { + if (!certData.Data.ContainsKey(allowedKey)) continue; + + Logger.LogDebug("Found certificate data in key: {Key}", allowedKey); + var certificatesBytes = certData.Data[allowedKey]; + + // Skip empty certificate data + if (certificatesBytes == null || certificatesBytes.Length == 0) + { + Logger.LogDebug("Certificate data in key '{Key}' is empty, skipping", allowedKey); + continue; + } + + var certPemData = Encoding.UTF8.GetString(certificatesBytes); + + // Skip empty or whitespace-only certificate data + if (string.IsNullOrWhiteSpace(certPemData)) + { + Logger.LogDebug("Certificate data in key '{Key}' is empty or whitespace, skipping", allowedKey); + continue; + } + + // Use LoadCertificateChain to handle multiple certificates in the field + var certChain = KubeClient.LoadCertificateChain(certPemData); + if (certChain != null && certChain.Count > 0) + { + Logger.LogDebug("Found {Count} certificate(s) in key '{Key}'", certChain.Count, allowedKey); + foreach (var cert in certChain) + { + var certPem = KubeClient.ConvertToPem(cert); + Logger.LogTrace("Adding certificate from '{Key}': {Subject}", allowedKey, cert.SubjectDN); + certsList.Add(certPem); + } + // Found certificates in this key, don't process other primary keys + break; + } + else + { + // Try to parse as single DER certificate + Logger.LogDebug("Failed to parse as PEM chain. Attempting to parse as DER..."); + var certObj = KubeClient.ReadDerCertificate(certPemData); + if (certObj != null) + { + var certPem = KubeClient.ConvertToPem(certObj); + certsList.Add(certPem); + break; + } + else + { + Logger.LogWarning( + "Failed to parse certificate from secret '{SecretName}' key '{Key}' in namespace '{Namespace}'. " + + "The certificate data could not be parsed as PEM or DER format. Skipping this key.", + KubeSecretName, allowedKey, KubeNamespace); + } + } + } + + // Then, process ca.crt separately to add chain certificates + if (certData.Data.TryGetValue("ca.crt", out var caBytes)) + { + if (caBytes != null && caBytes.Length > 0) + { + var caCertPemData = Encoding.UTF8.GetString(caBytes); + if (!string.IsNullOrWhiteSpace(caCertPemData)) + { + // ca.crt can contain multiple certificates (intermediate + root) + var caCertChain = KubeClient.LoadCertificateChain(caCertPemData); + if (caCertChain != null && caCertChain.Count > 0) + { + Logger.LogDebug("Found {Count} certificate(s) in ca.crt", caCertChain.Count); + foreach (var caCert in caCertChain) + { + var caPem = KubeClient.ConvertToPem(caCert); + // Avoid duplicates - check if certificate is already in the list + if (!certsList.Contains(caPem)) + { + Logger.LogTrace("Adding CA certificate from ca.crt: {Subject}", caCert.SubjectDN); + certsList.Add(caPem); + } + } + } + else + { + // Fallback: try to read as a single DER certificate + var caObj = KubeClient.ReadDerCertificate(caCertPemData); + if (caObj != null) + { + var caPem = KubeClient.ConvertToPem(caObj); + if (!certsList.Contains(caPem)) + { + certsList.Add(caPem); + } + } + } } } + } + + Logger.LogTrace("certsList count: " + certsList.Count); + Logger.LogDebug("Returning certificate list with {Count} certificates and HasPrivateKey={HasPrivateKey}", certsList.Count, hasPrivateKey); + Logger.MethodExit(MsLogLevel.Debug); + return certsList; + } + catch (HttpOperationException e) + { + Logger.LogError(e.Message); + var certDataErrorMsg = $"Kubernetes opaque secret '{KubeSecretName}' was not found in namespace '{KubeNamespace}'."; + Logger.LogError(certDataErrorMsg); + throw new StoreNotFoundException(certDataErrorMsg); + } + catch (Exception e) when (e is not StoreNotFoundException && e is not InvalidOperationException) + { + var certDataErrorMsg = $"Error querying Kubernetes secret API: {e.Message}"; + Logger.LogError(certDataErrorMsg); + throw new Exception(certDataErrorMsg); + } + } + + /// + /// Handles inventory of Kubernetes TLS secrets (kubernetes.io/tls type). + /// Extracts certificate from tls.crt and optionally the CA from ca.crt. + /// + /// The job history ID for tracking. + /// List of PEM-formatted certificates (chain if present). + /// Thrown when the secret cannot be found. + /// Thrown when an error occurs querying the K8S API. + private List HandleTlsSecret(long jobId) + { + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogDebug("Processing TLS secret inventory for job {JobId}", jobId); + Logger.LogTrace("KubeNamespace: " + KubeNamespace); + Logger.LogTrace("KubeSecretName: " + KubeSecretName); + Logger.LogTrace("StorePath: " + StorePath); + + if (string.IsNullOrEmpty(KubeNamespace)) + { + Logger.LogWarning("KubeNamespace is null or empty. Attempting to parse from StorePath..."); + if (!string.IsNullOrEmpty(StorePath)) + { + Logger.LogTrace("StorePath was not null or empty. Parsing KubeNamespace from StorePath..."); + KubeNamespace = StorePath.Split("/").First(); + Logger.LogTrace("KubeNamespace: " + KubeNamespace); + if (KubeNamespace == KubeSecretName) + { + Logger.LogWarning( + "KubeNamespace was equal to KubeSecretName. Setting KubeNamespace to 'default' for job id " + + jobId + "..."); + KubeNamespace = "default"; + } + } + else + { + Logger.LogWarning("StorePath was null or empty. Setting KubeNamespace to 'default' for job id " + + jobId + "..."); + KubeNamespace = "default"; + } + } + + if (string.IsNullOrEmpty(KubeSecretName) && !string.IsNullOrEmpty(StorePath)) + { + Logger.LogWarning("KubeSecretName is null or empty. Attempting to parse from StorePath..."); + KubeSecretName = StorePath.Split("/").Last(); + Logger.LogTrace("KubeSecretName: " + KubeSecretName); + } + + Logger.LogDebug( + $"Querying Kubernetes {KubeSecretType} API for {KubeSecretName} in namespace {KubeNamespace} on host {KubeClient.GetHost()}..."); + var hasPrivateKey = true; + Logger.LogTrace("Entering try block for HandleTlsSecret..."); + try + { + Logger.LogTrace("Calling KubeClient.GetCertificateStoreSecret()..."); + var certData = KubeClient.GetCertificateStoreSecret( + KubeSecretName, + KubeNamespace + ); + Logger.LogDebug("KubeClient.GetCertificateStoreSecret() returned successfully."); + Logger.LogTrace("certData: " + certData); + + // Check if tls.crt exists and has data + if (!certData.Data.TryGetValue("tls.crt", out var certificatesBytes) || + certificatesBytes == null || certificatesBytes.Length == 0) + { + Logger.LogWarning("Secret '{SecretName}' in namespace '{Namespace}' has no certificate data (tls.crt is empty or missing). Returning empty inventory.", + KubeSecretName, KubeNamespace); + return new List(); + } + + Logger.LogTrace("certificatesBytes: " + certificatesBytes); + + // Check if tls.key exists (may be empty for cert-only secrets) + certData.Data.TryGetValue("tls.key", out var privateKeyBytes); + byte[] caBytes = null; + var certsList = new List(); + + var certPem = Encoding.UTF8.GetString(certificatesBytes); + + // Check if the certificate data is empty or whitespace-only + if (string.IsNullOrWhiteSpace(certPem)) + { + Logger.LogWarning("Secret '{SecretName}' in namespace '{Namespace}' has empty certificate data. Returning empty inventory.", + KubeSecretName, KubeNamespace); + return new List(); + } + + Logger.LogTrace("certPem: " + certPem); + var certObj = KubeClient.ReadPemCertificate(certPem); + if (certObj == null) + { + Logger.LogDebug( + "Failed to parse certificate from opaque secret data as PEM. Attempting to parse as DER"); + // Attempt to read data as DER + certObj = KubeClient.ReadDerCertificate(certPem); + if (certObj != null) + { + certPem = KubeClient.ConvertToPem(certObj); + Logger.LogTrace("certPem: " + certPem); + } else { - caPem = KubeClient.ConvertToPem(caObj); + // Both PEM and DER parsing failed - throw a meaningful error + throw new InvalidOperationException( + $"Failed to parse certificate from secret '{KubeSecretName}' in namespace '{KubeNamespace}'. " + + "The certificate data could not be parsed as PEM or DER format."); } - Logger.LogTrace("caPem: " + caPem); - if (!string.IsNullOrEmpty(caPem)) certsList.Add(caPem); + Logger.LogTrace("certPem: " + certPem); + } + else + { + certPem = KubeClient.ConvertToPem(certObj); + Logger.LogTrace("certPem: " + certPem); + } + + if (!string.IsNullOrEmpty(certPem)) certsList.Add(certPem); + + if (certData.Data.TryGetValue("ca.crt", out var value)) + { + caBytes = value; + Logger.LogTrace("caBytes length: {Length}", caBytes?.Length ?? 0); + + // ca.crt can contain multiple certificates (e.g., intermediate + root) + // Use LoadCertificateChain to parse all certificates + var caCertChain = KubeClient.LoadCertificateChain(Encoding.UTF8.GetString(caBytes)); + if (caCertChain != null && caCertChain.Count > 0) + { + Logger.LogDebug("Found {Count} certificate(s) in ca.crt", caCertChain.Count); + foreach (var caCert in caCertChain) + { + var caPem = KubeClient.ConvertToPem(caCert); + Logger.LogTrace("Adding CA certificate to inventory: {Subject}", caCert.SubjectDN); + certsList.Add(caPem); + } + } + else + { + Logger.LogDebug("Failed to parse certificate chain from ca.crt as PEM. Attempting to parse as single DER certificate"); + // Fallback: try to read as a single DER certificate + var caObj = KubeClient.ReadDerCertificate(Encoding.UTF8.GetString(caBytes)); + if (caObj != null) + { + var caPem = KubeClient.ConvertToPem(caObj); + Logger.LogTrace("caPem: " + caPem); + certsList.Add(caPem); + } + } } else { @@ -945,8 +2062,16 @@ private List HandleTlsSecret(long jobId) } } + /// + /// Handles inventory of PKCS12/PFX keystores stored in Kubernetes secrets. + /// Deserializes PKCS12 data and extracts all certificates and their chains. + /// + /// Job configuration containing store properties. + /// List of allowed secret data keys to process. + /// Dictionary mapping certificate aliases to their PEM certificate chains. private Dictionary> HandlePkcs12Secret(JobConfiguration config, List allowedKeys) { + Logger.MethodEntry(MsLogLevel.Debug); var hasPrivateKey = false; var pkcs12Store = new Pkcs12CertificateStoreSerializer(config.JobProperties?.ToString()); var k8sData = KubeClient.GetPkcs12Secret(KubeSecretName, KubeNamespace, "", "", allowedKeys); @@ -1009,6 +2134,8 @@ private Dictionary> HandlePkcs12Secret(JobConfiguration con } } + Logger.LogDebug("PKCS12 inventory complete with {Count} entries", pkcs12InventoryDict.Count); + Logger.MethodExit(MsLogLevel.Debug); return pkcs12InventoryDict; } } \ No newline at end of file diff --git a/kubernetes-orchestrator-extension/Jobs/JobBase.cs b/kubernetes-orchestrator-extension/Jobs/JobBase.cs index 027b16a4..1cb6567f 100644 --- a/kubernetes-orchestrator-extension/Jobs/JobBase.cs +++ b/kubernetes-orchestrator-extension/Jobs/JobBase.cs @@ -15,6 +15,9 @@ using Common.Logging; using k8s.Models; using Keyfactor.Extensions.Orchestrator.K8S.Clients; +using Keyfactor.Extensions.Orchestrator.K8S.Enums; +using Keyfactor.Extensions.Orchestrator.K8S.Utilities; +using Org.BouncyCastle.Crypto; using Keyfactor.Logging; using Keyfactor.Orchestrators.Common.Enums; using Keyfactor.Orchestrators.Extensions; @@ -22,6 +25,7 @@ using Keyfactor.PKI.Extensions; using Keyfactor.PKI.PrivateKeys; using Microsoft.Extensions.Logging; +using MsLogLevel = Microsoft.Extensions.Logging.LogLevel; using Newtonsoft.Json; using Org.BouncyCastle.Pkcs; using Org.BouncyCastle.Security; @@ -31,95 +35,201 @@ namespace Keyfactor.Extensions.Orchestrator.K8S.Jobs; +/// +/// Data model representing a Kubernetes certificate store configuration. +/// Contains namespace, secret name, secret type, credentials, and certificate data. +/// public class KubernetesCertStore { + /// Kubernetes namespace where the secret resides. public string KubeNamespace { get; set; } = ""; + /// Name of the Kubernetes secret. public string KubeSecretName { get; set; } = ""; + /// Type of Kubernetes secret (e.g., Opaque, kubernetes.io/tls). public string KubeSecretType { get; set; } = ""; + /// Service account credentials for Kubernetes API access (kubeconfig JSON). public string KubeSvcCreds { get; set; } = ""; + /// Array of certificates contained in this store. public Cert[] Certs { get; set; } } +/// +/// Data model containing Kubernetes cluster credentials for API authentication. +/// public class KubeCreds { + /// Kubernetes API server URL. public string KubeServer { get; set; } = ""; + /// Service account bearer token for authentication. public string KubeToken { get; set; } = ""; + /// Cluster CA certificate (base64 encoded). public string KubeCert { get; set; } = ""; } +/// +/// Data model representing a certificate with optional private key. +/// public class Cert { + /// Alias/friendly name for the certificate. public string Alias { get; set; } = ""; + /// Certificate data (typically PEM or base64 encoded). public string CertData { get; set; } = ""; + /// Private key data (typically PEM format). public string PrivateKey { get; set; } = ""; } +/// +/// Comprehensive data model for a certificate processed during a Keyfactor orchestrator job. +/// Contains certificate data in multiple formats (PEM, bytes, base64), private key data, +/// certificate chain information, and password details. +/// public class K8SJobCertificate { + /// Alias/friendly name for the certificate entry. public string Alias { get; set; } = ""; + /// Base64 encoded certificate data. public string CertB64 { get; set; } = ""; + /// Certificate in PEM format. public string CertPem { get; set; } = ""; + /// SHA-1 thumbprint of the certificate for identification. public string CertThumbprint { get; set; } = ""; + /// Raw certificate bytes (DER encoded). public byte[] CertBytes { get; set; } + /// Private key in PEM format (unencrypted). public string PrivateKeyPem { get; set; } = ""; + /// Raw private key bytes (PKCS#8 format). public byte[] PrivateKeyBytes { get; set; } + /// BouncyCastle AsymmetricKeyParameter for the private key. Used for format-preserving re-export. + public AsymmetricKeyParameter PrivateKeyParameter { get; set; } + + /// Password protecting the private key (if encrypted). public string Password { get; set; } = ""; + /// Indicates if the password is stored in a separate Kubernetes secret. public bool PasswordIsK8SSecret { get; set; } = false; + /// Password for the certificate store (JKS/PKCS12). public string StorePassword { get; set; } = ""; + /// Path to a separate Kubernetes secret containing the store password. public string StorePasswordPath { get; set; } = ""; + /// Indicates whether this certificate has an associated private key. public bool HasPrivateKey { get; set; } = false; + /// Indicates whether the certificate/key is password protected. public bool HasPassword { get; set; } = false; + /// + /// BouncyCastle X509CertificateEntry containing the certificate + /// public X509CertificateEntry CertificateEntry { get; set; } + /// + /// BouncyCastle X509CertificateEntry array containing the certificate chain + /// public X509CertificateEntry[] CertificateEntryChain { get; set; } public byte[] Pkcs12 { get; set; } public List ChainPem { get; set; } + + /// + /// Optional: K8SCertificateContext providing BouncyCastle-based certificate operations. + /// This property can be used for modern certificate handling without X509Certificate2 dependencies. + /// + public Keyfactor.Extensions.Orchestrator.K8S.Models.K8SCertificateContext CertificateContext { get; set; } + + /// + /// Factory method to create K8SCertificateContext from this job certificate's data + /// + /// K8SCertificateContext instance or null if certificate data is unavailable + public Keyfactor.Extensions.Orchestrator.K8S.Models.K8SCertificateContext GetCertificateContext() + { + if (CertificateEntry?.Certificate == null) + return null; + + var context = new Keyfactor.Extensions.Orchestrator.K8S.Models.K8SCertificateContext + { + Certificate = CertificateEntry.Certificate, + CertPem = CertPem, + PrivateKeyPem = PrivateKeyPem + }; + + // Add chain if available + if (CertificateEntryChain != null && CertificateEntryChain.Length > 0) + { + context.Chain = CertificateEntryChain + .Skip(1) // Skip the first one (leaf cert) + .Select(entry => entry.Certificate) + .ToList(); + + if (ChainPem != null && ChainPem.Count > 0) + { + context.ChainPem = ChainPem.Skip(1).ToList(); + } + } + + return context; + } } +/// +/// Abstract base class for all Kubernetes orchestrator jobs (Inventory, Management, Discovery, Reenrollment). +/// Provides common functionality for Kubernetes client initialization, credential parsing, store type detection, +/// certificate handling, and PAM integration. +/// public abstract class JobBase { + /// Default field name for PKCS12/PFX data in secrets. private const string DefaultPFXSecretFieldName = "pfx"; + /// Default field name for JKS data in secrets. private const string DefaultJKSSecretFieldName = "jks"; + /// Default field name for password data in secrets. private const string DefaultPFXPasswordSecretFieldName = "password"; + /// Separator used when joining certificate chains. protected const string CertChainSeparator = ","; + /// Array of supported Kubernetes store types. protected static readonly string[] SupportedKubeStoreTypes; + /// Array of required job properties. private static readonly string[] RequiredProperties; + /// Allowed keys for TLS secrets (tls.crt, tls.key, ca.crt). protected static readonly string[] TLSAllowedKeys; + /// Allowed keys for Opaque secrets containing certificates. protected static readonly string[] OpaqueAllowedKeys; + /// Allowed keys for certificate resources. protected static readonly string[] CertAllowedKeys; + /// Allowed keys for PKCS12/PFX files. protected static readonly string[] Pkcs12AllowedKeys; + /// Allowed keys for JKS files. protected static readonly string[] JksAllowedKeys; + /// PAM secret resolver for retrieving secrets from Privileged Access Management systems. protected IPAMSecretResolver _resolver; + /// Kubernetes client for API operations. protected KubeCertificateManagerClient KubeClient; + /// Logger instance for this job. protected ILogger Logger; static JobBase() @@ -192,42 +302,67 @@ static JobBase() public object KubeSecretPassword { get; set; } + /// + /// Initializes the store configuration for an Inventory job. + /// Parses job configuration, extracts credentials, and sets up the Kubernetes client. + /// + /// The inventory job configuration from Keyfactor. protected void InitializeStore(InventoryJobConfiguration config) { Logger ??= LogHandler.GetClassLogger(GetType()); - Logger.LogDebug("Entered InitializeStore() for INVENTORY"); - InventoryConfig = config; - Capability = config.Capability; - Logger.LogTrace("Capability: {Capability}", Capability); + Logger.MethodEntry(MsLogLevel.Debug); + + try + { + InventoryConfig = config; + Capability = config.Capability; + Logger.LogTrace("Capability: {Capability}", Capability); - Logger.LogDebug("Calling JsonConvert.DeserializeObject()"); - var props = JsonConvert.DeserializeObject(config.CertificateStoreDetails.Properties); - // Logger.LogTrace("Properties: {Properties}", props); // Commented out to avoid logging sensitive information + Logger.LogDebug("Calling JsonConvert.DeserializeObject()"); + var props = JsonConvert.DeserializeObject(config.CertificateStoreDetails.Properties); + Logger.LogTrace("Props type: {Type}", props?.GetType()?.Name ?? "null"); + // Logger.LogTrace("Properties: {Properties}", props); // Commented out to avoid logging sensitive information - ServerUsername = config.ServerUsername; - Logger.LogTrace("ServerUsername: {ServerUsername}", ServerUsername); + ServerUsername = config.ServerUsername; + Logger.LogTrace("ServerUsername: {ServerUsername}", ServerUsername); - ServerPassword = config.ServerPassword; - if (!string.IsNullOrEmpty(ServerPassword)) Logger.LogTrace("ServerPassword: {ServerPassword}", ""); + ServerPassword = config.ServerPassword; + Logger.LogTrace("ServerPassword: {Password}", LoggingUtilities.RedactPassword(ServerPassword)); + Logger.LogTrace("ServerPassword correlation: {CorrelationId}", LoggingUtilities.GetPasswordCorrelationId(ServerPassword)); - StorePassword = config.CertificateStoreDetails?.StorePassword; - if (!string.IsNullOrEmpty(StorePassword)) Logger.LogTrace("StorePassword: {StorePassword}", ""); + StorePassword = config.CertificateStoreDetails?.StorePassword; + Logger.LogTrace("StorePassword: {Password}", LoggingUtilities.RedactPassword(StorePassword)); + Logger.LogTrace("StorePassword correlation: {CorrelationId}", LoggingUtilities.GetPasswordCorrelationId(StorePassword)); - StorePath = config.CertificateStoreDetails?.StorePath; - Logger.LogTrace("StorePath: {StorePath}", StorePath); + StorePath = config.CertificateStoreDetails?.StorePath; + Logger.LogTrace("StorePath: {StorePath}", StorePath); - Logger.LogDebug("Calling InitializeProperties()"); - InitializeProperties(props); - Logger.LogDebug("Returned from InitializeStore()"); - Logger.LogInformation( - "Initialized Inventory Job Configuration for `{Capability}` with store path `{StorePath}`", Capability, - StorePath); + Logger.LogDebug("Calling InitializeProperties()"); + InitializeProperties(props); + Logger.LogDebug("Returned from InitializeProperties()"); + Logger.LogInformation( + "Initialized Inventory Job Configuration for `{Capability}` with store path `{StorePath}`", Capability, + StorePath); + Logger.MethodExit(MsLogLevel.Debug); + } + catch (Exception ex) + { + Logger.LogError(ex, "CRITICAL ERROR in InitializeStore(Inventory): {Message}", ex.Message); + Logger.LogError("Exception Type: {Type}", ex.GetType().FullName); + Logger.LogError("Stack Trace: {StackTrace}", ex.StackTrace); + throw; + } } + /// + /// Initializes the store configuration for a Discovery job. + /// Parses job configuration and sets up SSL/TLS validation settings. + /// + /// The discovery job configuration from Keyfactor. protected void InitializeStore(DiscoveryJobConfiguration config) { Logger ??= LogHandler.GetClassLogger(GetType()); - Logger.LogDebug("Entered InitializeStore() for DISCOVERY"); + Logger.MethodEntry(MsLogLevel.Debug); DiscoveryConfig = config; var props = config.JobProperties; Capability = config.Capability; @@ -248,41 +383,65 @@ protected void InitializeStore(DiscoveryJobConfiguration config) Logger.LogTrace("ServerUsername: {ServerUsername}", ServerUsername); Logger.LogDebug("Calling InitializeProperties()"); InitializeProperties(props); - Logger.LogDebug("Returned from InitializeStore()"); Logger.LogInformation( "Initialized Discovery Job Configuration for `{Capability}` with store path `{StorePath}`", Capability, StorePath); + Logger.MethodExit(MsLogLevel.Debug); } + /// + /// Initializes the store configuration for a Management job (Add/Remove certificates). + /// Parses job configuration, extracts credentials, and initializes the job certificate. + /// + /// The management job configuration from Keyfactor. protected void InitializeStore(ManagementJobConfiguration config) { Logger ??= LogHandler.GetClassLogger(GetType()); - Logger.LogDebug("Entered InitializeStore() for MANAGEMENT"); - ManagementConfig = config; - - Logger.LogDebug("Calling JsonConvert.DeserializeObject()"); - var props = JsonConvert.DeserializeObject(config.CertificateStoreDetails.Properties); - Logger.LogDebug("Returned from JsonConvert.DeserializeObject()"); - Capability = config.Capability; - ServerUsername = config.ServerUsername; - ServerPassword = config.ServerPassword; - StorePath = config.CertificateStoreDetails?.StorePath; + Logger.MethodEntry(MsLogLevel.Debug); - Logger.LogTrace("ServerUsername: {ServerUsername}", ServerUsername); - Logger.LogTrace("StorePath: {StorePath}", StorePath); - - Logger.LogDebug("Calling InitializeProperties()"); - InitializeProperties(props); - Logger.LogDebug("Returned from InitializeProperties()"); - // StorePath = config.CertificateStoreDetails?.StorePath; - // StorePath = GetStorePath(); - Overwrite = config.Overwrite; - Logger.LogTrace("Overwrite: {Overwrite}", Overwrite); - Logger.LogInformation( - "Initialized Management Job Configuration for `{Capability}` with store path `{StorePath}`", Capability, - StorePath); + try + { + ManagementConfig = config; + + Logger.LogDebug("Calling JsonConvert.DeserializeObject()"); + var props = JsonConvert.DeserializeObject(config.CertificateStoreDetails.Properties); + Logger.LogTrace("Props type: {Type}", props?.GetType()?.Name ?? "null"); + Logger.LogDebug("Returned from JsonConvert.DeserializeObject()"); + + Capability = config.Capability; + ServerUsername = config.ServerUsername; + ServerPassword = config.ServerPassword; + StorePath = config.CertificateStoreDetails?.StorePath; + + Logger.LogTrace("ServerUsername: {ServerUsername}", ServerUsername); + Logger.LogTrace("StorePath: {StorePath}", StorePath); + + Logger.LogDebug("Calling InitializeProperties()"); + InitializeProperties(props); + Logger.LogDebug("Returned from InitializeProperties()"); + // StorePath = config.CertificateStoreDetails?.StorePath; + // StorePath = GetStorePath(); + Overwrite = config.Overwrite; + Logger.LogTrace("Overwrite: {Overwrite}", Overwrite); + Logger.LogInformation( + "Initialized Management Job Configuration for `{Capability}` with store path `{StorePath}`", Capability, + StorePath); + } + catch (Exception ex) + { + Logger.LogError(ex, "CRITICAL ERROR in InitializeStore(Management): {Message}", ex.Message); + Logger.LogError("Exception Type: {Type}", ex.GetType().FullName); + Logger.LogError("Stack Trace: {StackTrace}", ex.StackTrace); + throw; + } } + /// + /// Inserts line breaks into a string at regular intervals (e.g., for PEM formatting). + /// + /// The input string to format. + /// Maximum characters per line. + /// The formatted string with line breaks. private static string InsertLineBreaks(string input, int lineLength) { var sb = new StringBuilder(); @@ -298,29 +457,144 @@ private static string InsertLineBreaks(string input, int lineLength) } + /// + /// Initializes a K8SJobCertificate from the job configuration's certificate data. + /// Parses PKCS12 data, extracts certificates and private keys, and builds certificate chains. + /// + /// Dynamic configuration object containing JobCertificate with certificate data. + /// A populated K8SJobCertificate with certificate, private key, and chain information. protected K8SJobCertificate InitJobCertificate(dynamic config) { Logger ??= LogHandler.GetClassLogger(GetType()); - Logger.LogTrace("Entered InitJobCertificate()"); + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogDebug("=== InitJobCertificate - DER/PEM detection enabled ==="); var jobCertObject = new K8SJobCertificate(); + + // Diagnostic logging - cast dynamic results to concrete types first to avoid CS1973 + bool jobCertIsNull = config.JobCertificate == null; + Logger.LogTrace("JobCertificate is null: {IsNull}", jobCertIsNull); + if (!jobCertIsNull) + { + string contents = (string)config.JobCertificate.Contents; + string password = (string)config.JobCertificate.PrivateKeyPassword; + bool contentsEmpty = string.IsNullOrEmpty(contents); + bool passwordEmpty = string.IsNullOrEmpty(password); + Logger.LogTrace("JobCertificate.Contents is null/empty: {IsEmpty}", contentsEmpty); + Logger.LogDebug("JobCertificate.PrivateKeyPassword is null/empty: {IsEmpty}", passwordEmpty); + + // Log all available properties on JobCertificate to discover chain field + try + { + var certType = ((object)config.JobCertificate).GetType(); + var props = certType.GetProperties(); + Logger.LogTrace("JobCertificate has {Count} properties: {Names}", + props.Length, + string.Join(", ", props.Select(p => p.Name))); + + // Log ContentsFormat + string contentsFormat = (string)config.JobCertificate.ContentsFormat; + Logger.LogTrace("JobCertificate.ContentsFormat: {Format}", contentsFormat ?? "(null)"); + + // Log first bytes of decoded content to see the format + if (!string.IsNullOrEmpty(contents)) + { + try + { + byte[] decoded = Convert.FromBase64String(contents); + string decodedStr = System.Text.Encoding.UTF8.GetString(decoded); + // Check if it starts with PEM header or is binary (DER) + if (decodedStr.StartsWith("-----BEGIN")) + { + Logger.LogTrace("Contents is PEM format"); + int certCount = System.Text.RegularExpressions.Regex.Matches(decodedStr, "-----BEGIN CERTIFICATE-----").Count; + Logger.LogTrace("PEM contains {Count} certificate(s)", certCount); + } + else + { + Logger.LogTrace("Contents is binary (DER) format, first bytes: {Bytes}", + BitConverter.ToString(decoded.Take(20).ToArray())); + } + } + catch (Exception decodeEx) + { + Logger.LogDebug("Could not decode contents for format detection: {Error}", decodeEx.Message); + } + } + } + catch (Exception ex) + { + Logger.LogDebug("Could not enumerate JobCertificate properties: {Error}", ex.Message); + } + } + var pKeyPassword = config.JobCertificate.PrivateKeyPassword; // Logger.LogTrace($"pKeyPassword: {pKeyPassword}"); // Commented out to avoid logging sensitive information jobCertObject.Password = pKeyPassword; if (!string.IsNullOrEmpty(pKeyPassword)) { - Logger.LogDebug("Certificate {CertThumbprint} does not have a password", jobCertObject.CertThumbprint); - Logger.LogTrace("Attempting to create certificate without password"); + Logger.LogDebug("Certificate {CertThumbprint} has a password", jobCertObject.CertThumbprint); + Logger.LogTrace("Attempting to create certificate with password"); + Logger.LogTrace("Password: {Password}", LoggingUtilities.RedactPassword((string)pKeyPassword)); try { - Logger.LogDebug("Calling LoadPkcs12Store()"); - Pkcs12Store pkcs12Store = LoadPkcs12Store(Convert.FromBase64String(config.JobCertificate.Contents), - pKeyPassword); - Logger.LogDebug("Returned from LoadPkcs12Store()"); + byte[] certBytes = Convert.FromBase64String(config.JobCertificate.Contents); + Logger.LogDebug("Certificate data length: {Length} bytes", certBytes.Length); + + // Try PKCS12 parsing FIRST (with password) - this is the expected format for certs with keys + Logger.LogTrace("Attempting to parse as PKCS12 format with password..."); + Pkcs12Store pkcs12Store = null; + string alias = null; + bool isPkcs12 = false; + try + { + Logger.LogTrace("PKCS12 data: {Data}", LoggingUtilities.RedactPkcs12Bytes(certBytes)); + Logger.LogTrace("Calling LoadPkcs12Store()"); + pkcs12Store = LoadPkcs12Store(certBytes, pKeyPassword); + Logger.LogTrace("Returned from LoadPkcs12Store()"); + + Logger.LogTrace("Attempting to get alias from pkcs12Store"); + alias = pkcs12Store.Aliases.FirstOrDefault(pkcs12Store.IsKeyEntry); + if (alias != null) + { + isPkcs12 = true; + Logger.LogDebug("Successfully parsed as PKCS12 format with key entry, alias: {Alias}", alias); + } + else + { + Logger.LogDebug("PKCS12 parsed but no key entry found, will try other formats"); + } + } + catch (Exception pkcs12Ex) + { + Logger.LogDebug("Not PKCS12 format or wrong password: {Error}", pkcs12Ex.Message); + } + + // If not valid PKCS12 with key, try DER/PEM formats (cert-only, no private key) + if (!isPkcs12) + { + // Check if it's DER format (certificate only, no private key) + if (Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities.IsDerFormat(certBytes)) + { + Logger.LogDebug("Certificate data is in DER format (certificate only, no private key)"); + return ParseDerCertificate(certBytes, jobCertObject); + } + + // Check if it's PEM format (certificate only, no private key) + var dataStr = System.Text.Encoding.UTF8.GetString(certBytes); + if (dataStr.Contains("-----BEGIN CERTIFICATE-----") && !dataStr.Contains("PRIVATE KEY")) + { + Logger.LogDebug("Certificate data is in PEM format (certificate only, no private key)"); + return ParsePemCertificate(dataStr, jobCertObject); + } + + // If we get here, we couldn't parse the data + Logger.LogError("Failed to parse certificate data as PKCS12, DER, or PEM format"); + throw new InvalidOperationException( + "Failed to parse certificate data. The data does not appear to be a valid PKCS12, DER, or PEM certificate."); + } - Logger.LogDebug("Attempting to get alias from pkcs12Store"); - var alias = pkcs12Store.Aliases.FirstOrDefault(pkcs12Store.IsKeyEntry); Logger.LogTrace("Alias: {Alias}", alias); Logger.LogTrace("Calling pkcs12Store.GetKey() with `{Alias}`", alias); @@ -332,6 +606,8 @@ protected K8SJobCertificate InitJobCertificate(dynamic config) { Logger.LogDebug("Attempting to extract private key as PEM"); Logger.LogTrace("Calling ExtractPrivateKeyAsPem()"); + // Store the key parameter for format-preserving re-export later + jobCertObject.PrivateKeyParameter = key.Key; var pKeyPem = KubeClient.ExtractPrivateKeyAsPem(pkcs12Store, pKeyPassword); Logger.LogTrace("Returned from ExtractPrivateKeyAsPem()"); jobCertObject.PrivateKeyPem = pKeyPem; @@ -352,15 +628,18 @@ protected K8SJobCertificate InitJobCertificate(dynamic config) jobCertObject.CertificateEntry = x509Obj; jobCertObject.CertificateEntryChain = chain; - jobCertObject.CertThumbprint = x509Obj.Certificate.Thumbprint(); + jobCertObject.CertThumbprint = Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities.GetThumbprint(x509Obj.Certificate); jobCertObject.ChainPem = chainList; jobCertObject.CertPem = KubeClient.ConvertToPem(x509Obj.Certificate); + + Logger.LogDebug("Certificate loaded: {Summary}", LoggingUtilities.GetCertificateSummary(x509Obj.Certificate)); + Logger.LogDebug("Certificate chain: {Count} certificates", chain?.Length ?? 0); } catch (Exception e) { - Logger.LogError("Error parsing certificate data from pkcs12 format without password: {Error}", - e.Message); - Logger.LogTrace("{Message}", e.StackTrace); + Logger.LogError(e, "Error parsing certificate data from pkcs12 format: {Error}", e.Message); + Logger.LogError("Certificate thumbprint: {Thumbprint}", (string)(config.JobCertificate?.Thumbprint) ?? "UNKNOWN"); + Logger.LogTrace("Stack trace: {StackTrace}", e.StackTrace); jobCertObject.CertThumbprint = config.JobCertificate.Thumbprint; //todo: should this throw an exception? } @@ -368,7 +647,7 @@ protected K8SJobCertificate InitJobCertificate(dynamic config) else { pKeyPassword = ""; - Logger.LogDebug("Certificate {CertThumbprint} does have a password", jobCertObject.CertThumbprint); + Logger.LogDebug("Certificate does NOT have a password, trying auto-detection of format"); if (config.JobCertificate == null || string.IsNullOrEmpty(config.JobCertificate.Contents)) @@ -377,9 +656,9 @@ protected K8SJobCertificate InitJobCertificate(dynamic config) return jobCertObject; } - Logger.LogTrace("Calling Convert.FromBase64String()"); + Logger.LogTrace("Calling Convert.FromBase64String()..."); byte[] certBytes = Convert.FromBase64String(config.JobCertificate.Contents); - Logger.LogTrace("Returned from Convert.FromBase64String()"); + Logger.LogDebug("Certificate data length: {Length} bytes", certBytes.Length); if (certBytes.Length == 0) { @@ -388,89 +667,236 @@ protected K8SJobCertificate InitJobCertificate(dynamic config) return jobCertObject; } - Logger.LogTrace("Calling new X509Certificate2()"); - var x509 = new X509Certificate2(certBytes, pKeyPassword); - Logger.LogTrace("Returned from new X509Certificate2()"); + // Try PKCS12 parsing FIRST (this is the most common format for certs with keys) + Logger.LogTrace("Attempting to parse as PKCS12 format first..."); + Pkcs12Store pkcs12Store = null; + bool isPkcs12 = false; + try + { + Logger.LogTrace("Calling LoadPkcs12Store()"); + pkcs12Store = LoadPkcs12Store(certBytes, pKeyPassword); + Logger.LogTrace("Returned from LoadPkcs12Store()"); + // Check if we actually got a valid PKCS12 with a key entry + var testAlias = pkcs12Store.Aliases.FirstOrDefault(pkcs12Store.IsKeyEntry); + if (testAlias != null) + { + isPkcs12 = true; + Logger.LogDebug("Successfully parsed as PKCS12 format with key entry"); + } + else + { + Logger.LogDebug("PKCS12 parsed but no key entry found, will try other formats"); + } + } + catch (Exception ex) + { + Logger.LogDebug("Not PKCS12 format: {Error}", ex.Message); + } + + // If not valid PKCS12 with key, try DER/PEM formats + if (!isPkcs12) + { + // Check if it's DER format (certificate only, no private key) + if (Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities.IsDerFormat(certBytes)) + { + Logger.LogDebug("Certificate data is in DER format (certificate only, no private key)"); + return ParseDerCertificate(certBytes, jobCertObject); + } + + // Check if it's PEM format + var dataStr = System.Text.Encoding.UTF8.GetString(certBytes); + if (dataStr.Contains("-----BEGIN CERTIFICATE-----")) + { + Logger.LogDebug("Certificate data is in PEM format"); + return ParsePemCertificate(dataStr, jobCertObject); + } + + // If we get here, we couldn't parse the data + Logger.LogError("Failed to parse certificate data as PKCS12, DER, or PEM format"); + throw new InvalidOperationException( + "Failed to parse certificate data. The data does not appear to be a valid PKCS12, DER, or PEM certificate."); + } + + Logger.LogDebug("Attempting to get alias from pkcs12Store"); + var alias = pkcs12Store.Aliases.FirstOrDefault(pkcs12Store.IsKeyEntry); + Logger.LogTrace("Alias: {Alias}", alias); + + if (alias == null) + { + Logger.LogError("No key entry found in PKCS12 store"); + return jobCertObject; + } + + Logger.LogTrace("Calling pkcs12Store.GetCertificate()"); + var x509Obj = pkcs12Store.GetCertificate(alias); + Logger.LogTrace("Returned from pkcs12Store.GetCertificate()"); + + if (x509Obj?.Certificate == null) + { + Logger.LogError("Unable to retrieve certificate from PKCS12 store"); + return jobCertObject; + } + + var bcCertificate = x509Obj.Certificate; - Logger.LogTrace("Calling x509.Export()"); - var rawData = x509.Export(X509ContentType.Cert); - Logger.LogTrace("Returned from x509.Export()"); + Logger.LogDebug("Certificate loaded: {Summary}", LoggingUtilities.GetCertificateSummary(bcCertificate)); - Logger.LogDebug("Attempting to export certificate `{CertThumbprint}` to PEM format", - jobCertObject.CertThumbprint); - //check if certBytes are null or empty - var pemCert = - "-----BEGIN CERTIFICATE-----\n" + - Convert.ToBase64String(rawData, Base64FormattingOptions.InsertLineBreaks) + - "\n-----END CERTIFICATE-----"; + Logger.LogDebug("Attempting to export certificate to PEM format"); + var pemCert = KubeClient.ConvertToPem(bcCertificate); + Logger.LogTrace("Certificate exported to PEM format"); jobCertObject.CertPem = pemCert; - jobCertObject.CertBytes = x509.RawData; - jobCertObject.CertThumbprint = x509.Thumbprint; + jobCertObject.CertBytes = bcCertificate.GetEncoded(); + jobCertObject.CertThumbprint = Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities.GetThumbprint(bcCertificate); jobCertObject.Pkcs12 = certBytes; + jobCertObject.CertificateEntry = x509Obj; + + // Get certificate chain + Logger.LogDebug("Attempting to get certificate chain from pkcs12Store"); + Logger.LogTrace("Calling pkcs12Store.GetCertificateChain()"); + var chain = pkcs12Store.GetCertificateChain(alias); + Logger.LogTrace("Returned from pkcs12Store.GetCertificateChain()"); + + if (chain != null && chain.Length > 0) + { + Logger.LogDebug("Certificate chain: {Count} certificates", chain.Length); + var chainList = chain.Select(c => KubeClient.ConvertToPem(c.Certificate)).ToList(); + jobCertObject.CertificateEntryChain = chain; + jobCertObject.ChainPem = chainList; + } + else + { + Logger.LogDebug("No certificate chain found"); + } try { - Logger.LogDebug("Attempting to export private key for `{CertThumbprint}` to PKCS8", + Logger.LogDebug("Attempting to extract private key for `{CertThumbprint}`", jobCertObject.CertThumbprint); - Logger.LogTrace("Calling PrivateKeyConverterFactory.FromPKCS12()"); - PrivateKeyConverter pkey = PrivateKeyConverterFactory.FromPKCS12(certBytes, pKeyPassword); - Logger.LogTrace("Returned from PrivateKeyConverterFactory.FromPKCS12()"); - string keyType; - Logger.LogTrace("Calling x509.GetRSAPublicKey()"); - using (AsymmetricAlgorithm keyAlg = x509.GetRSAPublicKey()) + // Get private key + Logger.LogTrace("Calling pkcs12Store.GetKey()"); + var keyEntry = pkcs12Store.GetKey(alias); + Logger.LogTrace("Returned from pkcs12Store.GetKey()"); + + if (keyEntry?.Key != null) { - keyType = keyAlg != null ? "RSA" : "EC"; - } + var privateKey = keyEntry.Key; - Logger.LogTrace("Returned from x509.GetRSAPublicKey()"); + // Determine key type using BouncyCastle + var keyType = Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities.GetPrivateKeyType(privateKey); + Logger.LogTrace("Private key type is {Type}", keyType); + + // Extract private key as PEM + Logger.LogTrace("Calling ExtractPrivateKeyAsPem()"); + var pKeyPem = KubeClient.ExtractPrivateKeyAsPem(pkcs12Store, pKeyPassword); + Logger.LogTrace("Returned from ExtractPrivateKeyAsPem()"); - Logger.LogTrace("Private key type is {Type}", keyType); - Logger.LogTrace("Calling pkey.ToPkcs8BlobUnencrypted()"); - var pKeyB64 = Convert.ToBase64String(pkey.ToPkcs8BlobUnencrypted(), - Base64FormattingOptions.InsertLineBreaks); - Logger.LogTrace("Returned from pkey.ToPkcs8BlobUnencrypted()"); + // Store the key parameter for format-preserving re-export later + jobCertObject.PrivateKeyParameter = privateKey; + jobCertObject.PrivateKeyPem = pKeyPem; + jobCertObject.PrivateKeyBytes = Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities.ExportPrivateKeyPkcs8(privateKey); + jobCertObject.HasPrivateKey = true; - Logger.LogDebug("Creating private key PEM for `{CertThumbprint}`", jobCertObject.CertThumbprint); - jobCertObject.PrivateKeyPem = - $"-----BEGIN {keyType} PRIVATE KEY-----\n{pKeyB64}\n-----END {keyType} PRIVATE KEY-----"; - // Logger.LogTrace("Private key: {PrivateKey}", jobCertObject.PrivateKeyPem); // Commented out to avoid logging sensitive information - Logger.LogDebug("Private key extracted for `{CertThumbprint}`", jobCertObject.CertThumbprint); + Logger.LogDebug("Private key extracted for certificate: {Thumbprint}", jobCertObject.CertThumbprint); + Logger.LogTrace("Private key: {Key}", LoggingUtilities.RedactPrivateKey(privateKey)); + } + else + { + Logger.LogDebug("No private key found for alias `{Alias}`", alias); + } } - catch (ArgumentException) + catch (Exception ex) { - Logger.LogDebug("Private key extraction failed for `{CertThumbprint}`", jobCertObject.CertThumbprint); + Logger.LogError(ex, "Private key extraction failed for certificate: {Thumbprint}", jobCertObject.CertThumbprint); var refStr = string.IsNullOrEmpty(jobCertObject.Alias) ? jobCertObject.CertThumbprint : jobCertObject.Alias; - var pkeyErr = $"Unable to unpack private key from `{refStr}`, invalid password"; - Logger.LogError("{Error}", pkeyErr); + Logger.LogError("Unable to unpack private key from `{Ref}`: invalid password or error", refStr); + Logger.LogTrace("Error details: {Message}", ex.Message); // todo: should this throw an exception? } } jobCertObject.StorePassword = config.CertificateStoreDetails.StorePassword; - Logger.LogDebug("Returning from InitJobCertificate()"); + Logger.LogDebug("Successfully initialized job certificate with thumbprint: {Thumbprint}", jobCertObject.CertThumbprint); + Logger.MethodExit(MsLogLevel.Debug); return jobCertObject; } + /// + /// Determines if the current capability indicates a namespace-level store (K8SNS). + /// + /// The store capability string. + /// True if this is a namespace-level store; otherwise, false. private static bool IsNamespaceStore(string capability) { return !string.IsNullOrEmpty(capability) && capability.Contains("K8SNS", StringComparison.OrdinalIgnoreCase); } + /// + /// Determines if the current capability indicates a cluster-level store (K8SCluster). + /// + /// The store capability string. + /// True if this is a cluster-level store; otherwise, false. private static bool IsClusterStore(string capability) { return !string.IsNullOrEmpty(capability) && capability.Contains("K8SCLUSTER", StringComparison.OrdinalIgnoreCase); } + /// + /// Derives the KubeSecretType from the Capability string. + /// This replaces the need for the KubeSecretType store property for most store types. + /// + /// The capability string (e.g., "CertStores.K8SJKS.Inventory") + /// The derived secret type, or null if it cannot be determined from Capability alone. + /// + /// Mapping: + /// - K8SJKS -> "jks" + /// - K8SPKCS12 -> "pkcs12" + /// - K8SSecret -> "secret" + /// - K8STLSSecr -> "tls_secret" + /// - K8SCluster -> "cluster" (actual secret type determined at runtime from alias) + /// - K8SNS -> "namespace" (actual secret type determined at runtime from alias) + /// - K8SCert -> "certificate" + /// + protected static string DeriveSecretTypeFromCapability(string capability) + { + if (string.IsNullOrEmpty(capability)) + return null; + + // Order matters - check more specific patterns first + if (capability.Contains("K8STLSSecr", StringComparison.OrdinalIgnoreCase)) + return "tls_secret"; + if (capability.Contains("K8SSecret", StringComparison.OrdinalIgnoreCase)) + return "secret"; + if (capability.Contains("K8SJKS", StringComparison.OrdinalIgnoreCase)) + return "jks"; + if (capability.Contains("K8SPKCS12", StringComparison.OrdinalIgnoreCase)) + return "pkcs12"; + if (capability.Contains("K8SCluster", StringComparison.OrdinalIgnoreCase)) + return "cluster"; + if (capability.Contains("K8SNS", StringComparison.OrdinalIgnoreCase)) + return "namespace"; + if (capability.Contains("K8SCert", StringComparison.OrdinalIgnoreCase)) + return "certificate"; + + return null; + } + + /// + /// Resolves and parses the store path to extract namespace, secret name, and secret type. + /// Handles various path formats: secret_name, namespace/secret, cluster/namespace/secret, etc. + /// + /// The store path to resolve. + /// The canonical store path in format: cluster/namespace/type/name. protected string ResolveStorePath(string spath) { - Logger.LogDebug("Entered resolveStorePath()"); + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogDebug("Resolving store path: {StorePath}", spath); Logger.LogTrace("Store path: {StorePath}", spath); Logger.LogTrace("Attempting to split store path by '/'"); @@ -480,11 +906,20 @@ protected string ResolveStorePath(string spath) switch (sPathParts.Length) { case 1 when IsNamespaceStore(Capability): - Logger.LogInformation( - "Store is of type `K8SNS` and `StorePath` is length 1; setting `KubeSecretName` to empty and `KubeNamespace` to `StorePath`"); - KubeSecretName = ""; - KubeNamespace = sPathParts[0]; + if (string.IsNullOrEmpty(KubeNamespace)) + { + Logger.LogInformation( + "Store is of type `K8SNS` and `StorePath` is length 1; `KubeNamespace` is empty, setting `KubeNamespace` to `StorePath` value `{StorePath}`", + sPathParts[0]); + KubeNamespace = sPathParts[0]; + } + else + { + Logger.LogInformation( + "Store is of type `K8SNS` and `StorePath` is length 1; `KubeNamespace` is already set to `{KubeNamespace}`, ignoring `StorePath` value `{StorePath}`", + KubeNamespace, sPathParts[0]); + } break; case 1 when IsClusterStore(Capability): Logger.LogInformation( @@ -621,12 +1056,14 @@ protected string ResolveStorePath(string spath) var kS = sPathParts[2]; Logger.LogTrace("kS: {KubeSecretName}", kS); - if (kN is "secret" or "tls" or "certificate" or "namespace") + if (kN is "secret" or "secrets" or "tls" or "certificate" or "namespace") { Logger.LogInformation( - "Store path is 3 parts and the second part is a reserved keyword, assuming that it is the '//'"); + "Store path is 3 parts and the second part '{Keyword}' is a reserved keyword, " + + "re-interpreting as '/{Keyword}/' pattern", + kN, kN); kN = sPathParts[0]; - kS = sPathParts[1]; + kS = sPathParts[2]; } if (string.IsNullOrEmpty(KubeNamespace)) @@ -668,19 +1105,32 @@ protected string ResolveStorePath(string spath) break; default: Logger.LogWarning("Unable to resolve store path, please check the store path and try again"); - //todo: does anything need to be handled because of this error? + //todo: does anything need to be handled because of this error? break; } - return GetStorePath(); + var resolvedPath = GetStorePath(); + Logger.LogDebug("Resolved store path: {ResolvedPath}", resolvedPath); + Logger.MethodExit(MsLogLevel.Debug); + return resolvedPath; } + /// + /// Initializes job properties from the store properties dictionary. + /// Extracts Kubernetes configuration (namespace, secret name, type, credentials), + /// resolves PAM fields, and creates the Kubernetes client. + /// + /// Dynamic dictionary of store properties from job configuration. + /// Thrown when required properties are missing. private void InitializeProperties(dynamic storeProperties) { - Logger.MethodEntry(); + Logger.MethodEntry(MsLogLevel.Debug); + string storePropsType = storeProperties != null ? (string)storeProperties.GetType().FullName : "null"; + Logger.LogTrace("InitializeProperties called with storeProperties type: {Type}", storePropsType); + if (storeProperties == null) { - Logger.MethodExit(); + Logger.MethodExit(MsLogLevel.Debug); throw new ConfigurationException( $"Invalid configuration. Please provide {RequiredProperties}. Or review the documentation at https://github.com/Keyfactor/kubernetes-orchestrator#custom-fields-tab"); } @@ -690,10 +1140,35 @@ private void InitializeProperties(dynamic storeProperties) try { Logger.LogDebug("Setting K8S values from store properties"); - KubeNamespace = storeProperties["KubeNamespace"]; - KubeSecretName = storeProperties["KubeSecretName"]; - KubeSecretType = storeProperties["KubeSecretType"]; + Logger.LogTrace("Attempting to get KubeNamespace from storeProperties"); + KubeNamespace = (storeProperties["KubeNamespace"]?.ToString())?.Trim(); + Logger.LogDebug("KubeNamespace from store properties: '{Value}'", KubeNamespace ?? "(null)"); + + Logger.LogTrace("Attempting to get KubeSecretName from storeProperties"); + KubeSecretName = (storeProperties["KubeSecretName"]?.ToString())?.Trim(); + Logger.LogTrace("KubeSecretName retrieved: {Value}", KubeSecretName ?? "null"); + + // Derive KubeSecretType from Capability first (preferred method) + Logger.LogTrace("Attempting to derive KubeSecretType from Capability: {Capability}", Capability); + var derivedSecretType = DeriveSecretTypeFromCapability(Capability); + Logger.LogTrace("Derived KubeSecretType from Capability: {Value}", derivedSecretType ?? "null"); + + // Check if KubeSecretType is provided in store properties (deprecated) + string storePropertySecretType = (storeProperties["KubeSecretType"]?.ToString())?.Trim(); + if (!string.IsNullOrEmpty(storePropertySecretType)) + { + Logger.LogWarning( + $"DEPRECATION WARNING: The 'KubeSecretType' store property is deprecated and will be removed in a future release. " + + $"The secret type is now derived from the Capability. Property value '{storePropertySecretType}' will be ignored in favor of derived value '{derivedSecretType ?? "null"}'."); + } + + // Use derived value if available, otherwise fall back to store property + KubeSecretType = derivedSecretType ?? storePropertySecretType; + Logger.LogTrace("Final KubeSecretType: {Value}", KubeSecretType ?? "null"); + + Logger.LogTrace("Attempting to get KubeSvcCreds from storeProperties"); KubeSvcCreds = storeProperties["KubeSvcCreds"]; + Logger.LogTrace("KubeSvcCreds retrieved: {Present}", !string.IsNullOrEmpty(KubeSvcCreds)); // check if storeProperties contains PasswordIsSeparateSecret key and if it does, set PasswordIsSeparateSecret to the value of the key if (storeProperties.ContainsKey("PasswordIsSeparateSecret")) @@ -743,10 +1218,28 @@ private void InitializeProperties(dynamic storeProperties) { SeparateChain = storeProperties["SeparateChain"]; } + + if (storeProperties.ContainsKey("IncludeCertChain")) + { + IncludeCertChain = storeProperties["IncludeCertChain"]; + } + + // Validate conflicting configuration: SeparateChain=true requires IncludeCertChain=true + // If IncludeCertChain=false, there's no chain to separate, so SeparateChain is meaningless + if (SeparateChain && !IncludeCertChain) + { + Logger.LogWarning( + "Invalid configuration: SeparateChain=true but IncludeCertChain=false. " + + "Cannot separate a certificate chain that is not being included. " + + "SeparateChain will be ignored and only the leaf certificate will be deployed"); + SeparateChain = false; + } } - catch (Exception) + catch (Exception ex) { - Logger.LogError("Unknown error while parsing store properties"); + Logger.LogError($"CRITICAL ERROR while parsing store properties: {ex.Message}"); + Logger.LogError($"Exception Type: {ex.GetType().FullName}"); + Logger.LogError($"Stack Trace: {ex.StackTrace}"); Logger.LogWarning("Setting KubeSecretType and KubeSvcCreds to empty strings"); KubeSecretType = ""; KubeSvcCreds = ""; @@ -866,8 +1359,21 @@ private void InitializeProperties(dynamic storeProperties) if (ServerUsername == "kubeconfig" || string.IsNullOrEmpty(ServerUsername)) { Logger.LogInformation("Using kubeconfig provided by 'Server Password' field"); - storeProperties["KubeSvcCreds"] = ServerPassword; - KubeSvcCreds = ServerPassword; + try + { + Logger.LogTrace("Attempting to set KubeSvcCreds in storeProperties dictionary"); + storeProperties["KubeSvcCreds"] = ServerPassword; + Logger.LogTrace("Successfully set KubeSvcCreds in storeProperties"); + KubeSvcCreds = ServerPassword; + } + catch (Exception ex) + { + Logger.LogError($"CRITICAL ERROR setting KubeSvcCreds: {ex.Message}"); + Logger.LogError($"storeProperties is null: {storeProperties == null}"); + var propsType = storeProperties != null ? storeProperties.GetType().FullName : "null"; + Logger.LogError($"storeProperties type: {propsType}"); + throw; + } } if (string.IsNullOrEmpty(KubeSvcCreds)) @@ -923,7 +1429,7 @@ private void InitializeProperties(dynamic storeProperties) StorePasswordPath = storeProperties.ContainsKey("StorePasswordPath") ? storeProperties["StorePasswordPath"] : ""; - // Logger.LogTrace("StorePasswordPath: {StorePasswordPath}", StorePasswordPath); // TODO: Remove this it's insecure + Logger.LogTrace("StorePasswordPath presence: {Presence}", LoggingUtilities.GetFieldPresence("StorePasswordPath", StorePasswordPath)); Logger.LogDebug("Parsing 'PasswordIsK8SSecret' from store properties"); PasswordIsK8SSecret = storeProperties.ContainsKey("PasswordIsK8SSecret") && @@ -936,7 +1442,7 @@ private void InitializeProperties(dynamic storeProperties) KubeSecretPassword = storeProperties.ContainsKey("KubeSecretPassword") ? storeProperties["KubeSecretPassword"] : ""; - Logger.LogTrace("KubeSecretPassword: {KubeSecretPassword}", KubeSecretPassword); + Logger.LogTrace("KubeSecretPassword: {Password}", LoggingUtilities.RedactPassword(KubeSecretPassword?.ToString())); Logger.LogDebug("Parsing 'CertificateDataFieldName' from store properties"); CertificateDataFieldName = storeProperties.ContainsKey("CertificateDataFieldName") @@ -948,18 +1454,45 @@ private void InitializeProperties(dynamic storeProperties) } Logger.LogTrace("Creating new KubeCertificateManagerClient object"); - KubeClient = new KubeCertificateManagerClient(KubeSvcCreds); + Logger.LogTrace("KubeSvcCreds length: {Length}", KubeSvcCreds?.Length ?? 0); + try + { + KubeClient = new KubeCertificateManagerClient(KubeSvcCreds); + Logger.LogTrace("KubeCertificateManagerClient created successfully"); + } + catch (Exception ex) + { + Logger.LogError(ex, "CRITICAL ERROR creating KubeCertificateManagerClient: {Message}", ex.Message); + Logger.LogError("Exception Type: {Type}", ex.GetType().FullName); + throw; + } Logger.LogTrace("Getting KubeHost and KubeCluster from KubeClient"); - KubeHost = KubeClient.GetHost(); - Logger.LogTrace("KubeHost: {KubeHost}", KubeHost); + try + { + KubeHost = KubeClient.GetHost(); + Logger.LogTrace("KubeHost: {KubeHost}", KubeHost); + } + catch (Exception ex) + { + Logger.LogError(ex, "CRITICAL ERROR calling KubeClient.GetHost(): {Message}", ex.Message); + throw; + } Logger.LogTrace("Getting cluster name from KubeClient"); - KubeCluster = KubeClient.GetClusterName(); - Logger.LogTrace("KubeCluster: {KubeCluster}", KubeCluster); + try + { + KubeCluster = KubeClient.GetClusterName(); + Logger.LogTrace("KubeCluster: {KubeCluster}", KubeCluster); + } + catch (Exception ex) + { + Logger.LogError(ex, "CRITICAL ERROR calling KubeClient.GetClusterName(): {Message}", ex.Message); + throw; + } - if (string.IsNullOrEmpty(KubeSecretName) && !string.IsNullOrEmpty(StorePath) && !Capability.Contains("NS") && - !Capability.Contains("Cluster")) + if (string.IsNullOrEmpty(KubeSecretName) && !string.IsNullOrEmpty(StorePath) && + !string.IsNullOrEmpty(Capability) && !Capability.Contains("NS") && !Capability.Contains("Cluster")) { Logger.LogDebug("KubeSecretName is empty, attempting to set 'KubeSecretName' from StorePath"); ResolveStorePath(StorePath); @@ -986,12 +1519,17 @@ private void InitializeProperties(dynamic storeProperties) Logger.LogWarning("KubeSecretName is empty, setting 'KubeSecretName' to StorePath"); KubeSecretName = StorePath; Logger.LogTrace("KubeSecretName: {KubeSecretName}", KubeSecretName); - Logger.MethodExit(); + Logger.MethodExit(MsLogLevel.Debug); } + /// + /// Constructs the canonical store path based on cluster, namespace, secret type, and secret name. + /// Format varies based on store type (namespace, cluster, or individual secret). + /// + /// The canonical store path string. public string GetStorePath() { - Logger.LogTrace("Entered GetStorePath()"); + Logger.MethodEntry(MsLogLevel.Debug); try { var secretType = ""; @@ -1031,11 +1569,13 @@ public string GetStorePath() "Setting store path to 'cluster/namespace/namespacename' for 'namespace' secret type"); storePath = $"{KubeClient.GetClusterName()}/namespace/{KubeNamespace}"; Logger.LogDebug("Returning storePath: {StorePath}", storePath); + Logger.MethodExit(MsLogLevel.Debug); return storePath; case "cluster": Logger.LogDebug("Kubernetes cluster resource type, setting secretType to 'cluster'"); KubeSecretType = "cluster"; Logger.LogDebug("Returning storePath: {StorePath}", storePath); + Logger.MethodExit(MsLogLevel.Debug); return storePath; default: Logger.LogWarning("Unknown secret type '{SecretType}' will use value provided", secretType); @@ -1046,35 +1586,122 @@ public string GetStorePath() Logger.LogDebug("Building StorePath"); storePath = $"{KubeClient.GetClusterName()}/{KubeNamespace}/{secretType}/{KubeSecretName}"; Logger.LogDebug("Returning storePath: {StorePath}", storePath); + Logger.MethodExit(MsLogLevel.Debug); return storePath; } catch (Exception e) { - Logger.LogError("Unknown error constructing canonical store path {Error}", e.Message); + Logger.LogError("Unknown error constructing canonical store path: {Error}", e.Message); + Logger.LogTrace("Stack trace: {StackTrace}", e.StackTrace); + Logger.MethodExit(MsLogLevel.Debug); return StorePath; } } + /// + /// Resolves a PAM (Privileged Access Management) field value using the configured PAM resolver. + /// Falls back to the original value if resolution fails. + /// + /// Name of the PAM field (for logging purposes). + /// The value to resolve (may contain PAM reference). + /// The resolved value, or the original value if resolution fails. protected string ResolvePamField(string name, string value) { + Logger.MethodEntry(MsLogLevel.Debug); try { - Logger.LogTrace($"Attempting to resolved PAM eligible field {name}"); - return _resolver.Resolve(value); + Logger.LogTrace("Attempting to resolve PAM eligible field: {FieldName}", name); + var resolved = _resolver.Resolve(value); + Logger.LogDebug("Successfully resolved PAM field: {FieldName}", name); + Logger.MethodExit(MsLogLevel.Debug); + return resolved; } catch (Exception e) { - Logger.LogError($"Unable to resolve PAM field {name}. Returning original value."); - Logger.LogError(e.Message); - Logger.LogTrace(e.ToString()); - Logger.LogTrace(e.StackTrace); + Logger.LogError("Unable to resolve PAM field {FieldName}, returning original value", name); + Logger.LogError("Error: {Message}", e.Message); + Logger.LogTrace("Exception details: {Details}", e.ToString()); + Logger.LogTrace("Stack trace: {StackTrace}", e.StackTrace); + Logger.MethodExit(MsLogLevel.Debug); return value; } } + /// + /// Extract private key bytes from a PKCS12 store in PKCS#8 format + /// + /// PKCS12 store containing the private key + /// Alias of the key entry. If null, uses the first key entry. + /// Optional password (not typically used for key export from already-loaded store) + /// Private key bytes in PKCS#8 format + protected byte[] GetKeyBytes(Pkcs12Store store, string alias = null, string password = null) + { + Logger.MethodEntry(MsLogLevel.Debug); + + if (store == null) + throw new ArgumentNullException(nameof(store)); + + if (string.IsNullOrEmpty(alias)) + { + alias = store.Aliases.FirstOrDefault(store.IsKeyEntry); + Logger.LogTrace("Using first key entry alias: {Alias}", alias); + } + + if (string.IsNullOrEmpty(alias)) + { + Logger.LogError("No key entry found in PKCS12 store"); + throw new InvalidKeyException("No key entry found in PKCS12 store"); + } + + if (!store.IsKeyEntry(alias)) + { + Logger.LogError("Alias '{Alias}' does not have a private key", alias); + throw new InvalidKeyException($"Alias '{alias}' does not have a private key"); + } + + try + { + Logger.LogDebug("Attempting to extract private key with alias '{Alias}'", alias); + var keyEntry = store.GetKey(alias); + if (keyEntry?.Key == null) + { + Logger.LogError("Unable to retrieve private key for alias '{Alias}'", alias); + throw new InvalidKeyException($"Unable to retrieve private key for alias '{alias}'"); + } + + var privateKey = keyEntry.Key; + var keyType = Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities.GetPrivateKeyType(privateKey); + Logger.LogTrace("Private key type: {KeyType}", keyType); + + Logger.LogDebug("Exporting private key as PKCS#8"); + var keyBytes = Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities.ExportPrivateKeyPkcs8(privateKey); + Logger.LogTrace("Successfully exported private key, {Length} bytes", keyBytes?.Length ?? 0); + + Logger.MethodExit(MsLogLevel.Debug); + return keyBytes; + } + catch (Exception e) + { + Logger.LogError("Error extracting private key: {Message}", e.Message); + Logger.LogTrace("Stack trace: {StackTrace}", e.StackTrace); + // Note: MethodExit not called here as we're throwing + throw new InvalidKeyException($"Unable to extract private key from alias '{alias}'", e); + } + } + + /// + /// DEPRECATED: Use GetKeyBytes(Pkcs12Store, string, string) instead. + /// Extract private key bytes from X509Certificate2 (uses deprecated APIs) + /// + /// The X509Certificate2 object containing the private key. + /// Optional password for the certificate. + /// Private key bytes in the appropriate format. + [Obsolete("Use GetKeyBytes(Pkcs12Store, string, string) instead to avoid deprecated X509Certificate2.PrivateKey API")] protected byte[] GetKeyBytes(X509Certificate2 certObj, string certPassword = null) { - Logger.LogDebug("Entered GetKeyBytes()"); + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogWarning("GetKeyBytes(X509Certificate2) is deprecated. Use GetKeyBytes(Pkcs12Store) instead."); + Logger.LogWarning("GetKeyBytes(X509Certificate2) is deprecated. Use GetKeyBytes(Pkcs12Store) instead."); Logger.LogTrace("Key algo: {KeyAlgo}", certObj.GetKeyAlgorithm()); Logger.LogTrace("Has private key: {HasPrivateKey}", certObj.HasPrivateKey); Logger.LogTrace("Pub key: {PublicKey}", certObj.GetPublicKey()); @@ -1111,18 +1738,22 @@ protected byte[] GetKeyBytes(X509Certificate2 certObj, string certPassword = nul break; } - if (keyBytes != null) return keyBytes; + if (keyBytes != null) + { + Logger.MethodExit(MsLogLevel.Debug); + return keyBytes; + } Logger.LogError("Unable to parse private key"); - + // Note: MethodExit not called here as we're throwing throw new InvalidKeyException($"Unable to parse private key from certificate '{certObj.Thumbprint}'"); } catch (Exception e) { Logger.LogError("Unknown error getting key bytes, but we're going to try a different method"); - Logger.LogError("{Message}", e.Message); - Logger.LogTrace("{Message}", e.ToString()); - Logger.LogTrace("{Trace}", e.StackTrace); + Logger.LogError("Error: {Message}", e.Message); + Logger.LogTrace("Exception details: {Details}", e.ToString()); + Logger.LogTrace("Stack trace: {StackTrace}", e.StackTrace); try { if (certObj.HasPrivateKey) @@ -1130,43 +1761,54 @@ protected byte[] GetKeyBytes(X509Certificate2 certObj, string certPassword = nul { Logger.LogDebug("Attempting to export private key as PKCS8"); Logger.LogTrace("ExportPkcs8PrivateKey()"); + #pragma warning disable SYSLIB0028 keyBytes = certObj.PrivateKey.ExportPkcs8PrivateKey(); + #pragma warning restore SYSLIB0028 Logger.LogTrace("ExportPkcs8PrivateKey() complete"); - // Logger.LogTrace("keyBytes: " + keyBytes); - // Logger.LogTrace("Converted to string: " + Encoding.UTF8.GetString(keyBytes)); + Logger.MethodExit(MsLogLevel.Debug); return keyBytes; } catch (Exception e2) { Logger.LogError( - "Unknown error exporting private key as PKCS8, but we're going to try a a final method "); - Logger.LogError(e2.Message); - Logger.LogTrace(e2.ToString()); - Logger.LogTrace(e2.StackTrace); + "Unknown error exporting private key as PKCS8, attempting final method"); + Logger.LogError("Error: {Message}", e2.Message); + Logger.LogTrace("Exception details: {Details}", e2.ToString()); + Logger.LogTrace("Stack trace: {StackTrace}", e2.StackTrace); //attempt to export encrypted pkcs8 Logger.LogDebug("Attempting to export encrypted PKCS8 private key"); Logger.LogTrace("ExportEncryptedPkcs8PrivateKey()"); + #pragma warning disable SYSLIB0028 keyBytes = certObj.PrivateKey.ExportEncryptedPkcs8PrivateKey(certPassword, new PbeParameters( PbeEncryptionAlgorithm.Aes128Cbc, HashAlgorithmName.SHA256, 1)); + #pragma warning restore SYSLIB0028 Logger.LogTrace("ExportEncryptedPkcs8PrivateKey() complete"); + Logger.MethodExit(MsLogLevel.Debug); return keyBytes; } } catch (Exception ie) { - Logger.LogError("Unknown error exporting private key as PKCS8, returning null"); - Logger.LogError("{Message}", ie.Message); - Logger.LogTrace("{Message}", ie.ToString()); - Logger.LogTrace("{Trace}", ie.StackTrace); + Logger.LogError("Unknown error exporting private key as PKCS8, returning empty array"); + Logger.LogError("Error: {Message}", ie.Message); + Logger.LogTrace("Exception details: {Details}", ie.ToString()); + Logger.LogTrace("Stack trace: {StackTrace}", ie.StackTrace); } + Logger.MethodExit(MsLogLevel.Debug); return Array.Empty(); } } + /// + /// Creates a JobResult indicating job failure with the specified message. + /// + /// The failure message describing why the job failed. + /// The job history ID for tracking. + /// A JobResult with Failure status. protected static JobResult FailJob(string message, long jobHistoryId) { return new JobResult @@ -1177,6 +1819,12 @@ protected static JobResult FailJob(string message, long jobHistoryId) }; } + /// + /// Creates a JobResult indicating job success. + /// + /// The job history ID for tracking. + /// Optional message to include with the result. + /// A JobResult with Success status. protected static JobResult SuccessJob(long jobHistoryId, string jobMessage = null) { var result = new JobResult @@ -1190,15 +1838,21 @@ protected static JobResult SuccessJob(long jobHistoryId, string jobMessage = nul return result; } + /// + /// Parses and extracts the private key from a management job's PKCS12 certificate data. + /// Looks for a private key entry matching the specified alias. + /// + /// The management job configuration containing certificate data. + /// The private key in PEM format, or null if not found. protected string ParseJobPrivateKey(ManagementJobConfiguration config) { - Logger.LogTrace("Entered ParseJobPrivateKey()"); + Logger.MethodEntry(MsLogLevel.Debug); if (string.IsNullOrWhiteSpace(config.JobCertificate.Alias)) Logger.LogTrace("No Alias Found"); // Load PFX Logger.LogTrace("Loading PFX from job contents"); var pfxBytes = Convert.FromBase64String(config.JobCertificate.Contents); - Logger.LogTrace("PFX loaded successfully"); + Logger.LogTrace("PFX loaded successfully, {Length} bytes", pfxBytes.Length); var alias = config.JobCertificate.Alias; Logger.LogTrace("Alias: {Alias}", alias); @@ -1212,12 +1866,12 @@ protected string ParseJobPrivateKey(ManagementJobConfiguration config) store.Load(pkcs12Stream, config.JobCertificate.PrivateKeyPassword.ToCharArray()); // Find the private key entry with the given alias - Logger.LogDebug("Attempting to get private key entry with alias"); + Logger.LogDebug("Searching for private key entry with alias: {Alias}", alias); foreach (var aliasName in store.Aliases) { - Logger.LogTrace("Alias: {Alias}", aliasName); + Logger.LogTrace("Checking alias: {Alias}", aliasName); if (!aliasName.Equals(alias) || !store.IsKeyEntry(aliasName)) continue; - Logger.LogDebug("Alias found, attempting to get private key"); + Logger.LogDebug("Alias found, extracting private key"); var keyEntry = store.GetKey(aliasName); // Convert the private key to unencrypted PEM format @@ -1226,24 +1880,36 @@ protected string ParseJobPrivateKey(ManagementJobConfiguration config) pemWriter.WriteObject(keyEntry.Key); pemWriter.Writer.Flush(); - Logger.LogDebug("Private key found for alias {Alias}, returning private key", alias); + Logger.LogDebug("Private key extracted for alias: {Alias}", alias); + Logger.MethodExit(MsLogLevel.Debug); return stringWriter.ToString(); } - Logger.LogDebug("Alias '{Alias}' not found, returning null private key", alias); + Logger.LogDebug("Alias '{Alias}' not found, returning null", alias); + Logger.MethodExit(MsLogLevel.Debug); return null; // Private key with the given alias not found } + /// + /// Retrieves the store password from configuration or from a Kubernetes buddy secret. + /// Handles password stored directly, in a separate K8S secret, or embedded in the certificate secret. + /// + /// The certificate secret that may contain an embedded password. + /// The store password as a string. + /// Thrown when password cannot be retrieved from K8S secret. + /// Thrown when no valid password source is available. protected string getK8SStorePassword(V1Secret certData) { - Logger.MethodEntry(); - Logger.LogDebug("Attempting to get store password from K8S secret"); + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogDebug("Retrieving store password from K8S secret or configuration"); var storePasswordBytes = Array.Empty(); // if secret is a buddy pass if (!string.IsNullOrEmpty(StorePassword)) { Logger.LogDebug("Using provided 'StorePassword'"); + Logger.LogTrace("StorePassword: {Password}", LoggingUtilities.RedactPassword(StorePassword)); + Logger.LogTrace("Password correlation: {CorrelationId}", LoggingUtilities.GetPasswordCorrelationId(StorePassword)); storePasswordBytes = Encoding.UTF8.GetBytes(StorePassword); } else if (!string.IsNullOrEmpty(StorePasswordPath)) @@ -1290,7 +1956,8 @@ protected string getK8SStorePassword(V1Secret certData) $"Unable to read K8S buddy secret {passwordSecretName} in namespace {passwordNamespace}"); } - Logger.LogTrace("Secret response fields: {Keys}", k8sPasswordObj.Data.Keys); + Logger.LogTrace("Buddy secret: {Summary}", LoggingUtilities.GetSecretSummary(k8sPasswordObj)); + Logger.LogTrace("Secret response fields: {Keys}", LoggingUtilities.GetSecretDataKeysSummary(k8sPasswordObj.Data)); if (!k8sPasswordObj.Data.TryGetValue(PasswordFieldName, out storePasswordBytes) || storePasswordBytes == null) @@ -1333,18 +2000,31 @@ protected string getK8SStorePassword(V1Secret certData) //convert password to string var storePassword = Encoding.UTF8.GetString(storePasswordBytes); - // Logger.LogTrace("K8S Store Password show new lines: {StorePassword}", storePassword.Replace("\n","\\n")); // Removed insecure logging + Logger.LogTrace("Password (before trimming): {Password}", LoggingUtilities.RedactPassword(storePassword)); + Logger.LogTrace("Password length (before trimming): {Length}", storePassword.Length); + // remove any trailing new line characters from the string storePassword = storePassword.TrimEnd('\r','\n'); - // Logger.LogTrace("Store password bytes converted to string: {StorePassword}", storePassword); // Removed insecure logging - - Logger.MethodExit(); + Logger.LogDebug("Store password loaded and trimmed"); + Logger.LogTrace("Password (after trimming): {Password}", LoggingUtilities.RedactPassword(storePassword)); + Logger.LogTrace("Password length (after trimming): {Length}", storePassword.Length); + Logger.LogTrace("Password correlation: {CorrelationId}", LoggingUtilities.GetPasswordCorrelationId(storePassword)); + + Logger.MethodExit(MsLogLevel.Debug); return storePassword; } + /// + /// Loads a PKCS12/PFX store from byte data using the provided password. + /// + /// The PKCS12 data bytes. + /// The password to decrypt the store. + /// A loaded Pkcs12Store instance. protected Pkcs12Store LoadPkcs12Store(byte[] pkcs12Data, string password) { - Logger.LogDebug("Entered LoadPkcs12Store()"); + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogTrace("PKCS12 data size: {Length} bytes", pkcs12Data?.Length ?? 0); + var storeBuilder = new Pkcs12StoreBuilder(); var store = storeBuilder.Build(); @@ -1353,69 +2033,246 @@ protected Pkcs12Store LoadPkcs12Store(byte[] pkcs12Data, string password) if (password != null) store.Load(pkcs12Stream, password.ToCharArray()); Logger.LogDebug("PKCS12 store loaded successfully"); + Logger.MethodExit(MsLogLevel.Debug); return store; } + /// + /// Parses a DER-encoded certificate and populates the job certificate object. + /// Used when Command sends a certificate without a private key in DER format. + /// + /// The DER-encoded certificate bytes. + /// The job certificate object to populate. + /// The populated K8SJobCertificate. + protected K8SJobCertificate ParseDerCertificate(byte[] derBytes, K8SJobCertificate jobCertObject) + { + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogDebug("Parsing DER-encoded certificate ({ByteCount} bytes)", derBytes.Length); + + // Log warning if IncludeCertChain is true but certificate has no private key + // When Command sends a certificate without a private key, it arrives in DER format + // which only contains the leaf certificate - the chain cannot be included. + if (IncludeCertChain) + { + Logger.LogWarning( + "IncludeCertChain is enabled but the certificate was received in DER format (no private key). " + + "DER format only contains the leaf certificate, so the certificate chain cannot be included. " + + "To include the certificate chain, ensure the certificate in Keyfactor Command has 'Private Key' set."); + } + + try + { + var parser = new Org.BouncyCastle.X509.X509CertificateParser(); + var bcCertificate = parser.ReadCertificate(derBytes); + + if (bcCertificate == null) + { + Logger.LogError("Failed to parse DER certificate - parser returned null"); + return jobCertObject; + } + + Logger.LogDebug("DER certificate loaded: {Summary}", LoggingUtilities.GetCertificateSummary(bcCertificate)); + + // Convert to PEM format + var pemCert = ConvertCertificateToPem(bcCertificate); + + jobCertObject.CertPem = pemCert; + jobCertObject.CertBytes = bcCertificate.GetEncoded(); + jobCertObject.CertThumbprint = Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities.GetThumbprint(bcCertificate); + jobCertObject.CertificateEntry = new Org.BouncyCastle.Pkcs.X509CertificateEntry(bcCertificate); + jobCertObject.HasPrivateKey = false; + + // For DER certificates, set up single-entry chain (leaf only, no issuer chain) + jobCertObject.CertificateEntryChain = new[] { jobCertObject.CertificateEntry }; + jobCertObject.ChainPem = new List { pemCert }; + + Logger.LogDebug("DER certificate parsed successfully (no private key)"); + Logger.MethodExit(MsLogLevel.Debug); + return jobCertObject; + } + catch (Exception ex) + { + Logger.LogError(ex, "Error parsing DER certificate: {Error}", ex.Message); + throw new InvalidOperationException($"Failed to parse DER-encoded certificate: {ex.Message}", ex); + } + } + + /// + /// Parses a PEM-encoded certificate and populates the job certificate object. + /// Used when Command sends a certificate without a private key in PEM format. + /// + /// The PEM-encoded certificate string. + /// The job certificate object to populate. + /// The populated K8SJobCertificate. + protected K8SJobCertificate ParsePemCertificate(string pemData, K8SJobCertificate jobCertObject) + { + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogDebug("Parsing PEM-encoded certificate(s)"); + + try + { + // Parse all certificates from the PEM data (there may be a full chain) + var certificates = new List(); + using var stringReader = new StringReader(pemData); + var pemReader = new Org.BouncyCastle.OpenSsl.PemReader(stringReader); + + object pemObject; + while ((pemObject = pemReader.ReadObject()) != null) + { + if (pemObject is Org.BouncyCastle.X509.X509Certificate cert) + { + certificates.Add(cert); + Logger.LogDebug("Found certificate in PEM: {Summary}", LoggingUtilities.GetCertificateSummary(cert)); + } + } + + if (certificates.Count == 0) + { + // Try parsing as DER from the PEM content as a fallback + var parser = new Org.BouncyCastle.X509.X509CertificateParser(); + var bcCert = parser.ReadCertificate(Encoding.UTF8.GetBytes(pemData)); + if (bcCert != null) + { + certificates.Add(bcCert); + } + } + + if (certificates.Count == 0) + { + Logger.LogError("Failed to parse PEM certificate - no certificates found"); + return jobCertObject; + } + + // First certificate is the leaf/end-entity certificate + var leafCertificate = certificates[0]; + Logger.LogDebug("Leaf certificate: {Summary}", LoggingUtilities.GetCertificateSummary(leafCertificate)); + + // Set the leaf certificate properties + jobCertObject.CertPem = ConvertCertificateToPem(leafCertificate); + jobCertObject.CertBytes = leafCertificate.GetEncoded(); + jobCertObject.CertThumbprint = Keyfactor.Extensions.Orchestrator.K8S.Utilities.CertificateUtilities.GetThumbprint(leafCertificate); + jobCertObject.CertificateEntry = new Org.BouncyCastle.Pkcs.X509CertificateEntry(leafCertificate); + jobCertObject.HasPrivateKey = false; + + // Set the full chain (including leaf as first entry) + jobCertObject.CertificateEntryChain = certificates + .Select(c => new Org.BouncyCastle.Pkcs.X509CertificateEntry(c)) + .ToArray(); + + // Set chain PEM (all certificates) + jobCertObject.ChainPem = certificates + .Select(ConvertCertificateToPem) + .ToList(); + + Logger.LogInformation("PEM certificate(s) parsed successfully: {Count} certificate(s), no private key", certificates.Count); + Logger.MethodExit(MsLogLevel.Debug); + return jobCertObject; + } + catch (Exception ex) + { + Logger.LogError(ex, "Error parsing PEM certificate: {Error}", ex.Message); + throw new InvalidOperationException($"Failed to parse PEM-encoded certificate: {ex.Message}", ex); + } + } + + /// + /// Converts a BouncyCastle X509Certificate to PEM format. + /// This is a local helper method that doesn't depend on KubeClient initialization. + /// + /// The certificate to convert. + /// The certificate in PEM format. + private static string ConvertCertificateToPem(Org.BouncyCastle.X509.X509Certificate certificate) + { + var pemObject = new Org.BouncyCastle.Utilities.IO.Pem.PemObject("CERTIFICATE", certificate.GetEncoded()); + using var stringWriter = new StringWriter(); + var pemWriter = new PemWriter(stringWriter); + pemWriter.WriteObject(pemObject); + pemWriter.Writer.Flush(); + return stringWriter.ToString(); + } + + /// + /// Extracts a certificate from a PKCS12 store and converts it to PEM format. + /// + /// The PKCS12 store containing the certificate. + /// The store password (may be needed for certain operations). + /// Optional alias of the certificate. If empty, uses the first key entry. + /// The certificate in PEM format. protected string GetCertificatePem(Pkcs12Store store, string password, string alias = "") { - Logger.LogDebug("Entered GetCertificatePem()"); + Logger.MethodEntry(MsLogLevel.Debug); if (string.IsNullOrEmpty(alias)) alias = store.Aliases.FirstOrDefault(store.IsKeyEntry); - Logger.LogDebug("Attempting to get certificate with alias {Alias}", alias); + Logger.LogDebug("Extracting certificate with alias: {Alias}", alias); var cert = store.GetCertificate(alias).Certificate; using var stringWriter = new StringWriter(); var pemWriter = new PemWriter(stringWriter); - Logger.LogDebug("Attempting to write certificate to PEM format"); + Logger.LogDebug("Converting certificate to PEM format"); pemWriter.WriteObject(cert); pemWriter.Writer.Flush(); - Logger.LogTrace("certificate:\n{Cert}", stringWriter.ToString()); + Logger.LogTrace("Certificate: {Cert}", LoggingUtilities.RedactCertificatePem(stringWriter.ToString())); Logger.LogDebug("Returning certificate in PEM format"); + Logger.MethodExit(MsLogLevel.Debug); return stringWriter.ToString(); } + /// + /// Extracts a private key from a PKCS12 store and converts it to PEM format. + /// + /// The PKCS12 store containing the private key. + /// The store password (may be needed for certain operations). + /// Optional alias of the key entry. If empty, uses the first key entry. + /// The private key in PEM format (unencrypted). protected string getPrivateKeyPem(Pkcs12Store store, string password, string alias = "") { - Logger.LogDebug("Entered getPrivateKeyPem()"); + Logger.MethodEntry(MsLogLevel.Debug); if (string.IsNullOrEmpty(alias)) { - Logger.LogDebug("Alias is empty, attempting to get key entry alias"); + Logger.LogDebug("Alias is empty, using first key entry alias"); alias = store.Aliases.FirstOrDefault(store.IsKeyEntry); } - Logger.LogDebug("Attempting to get private key with alias {Alias}", alias); + Logger.LogDebug("Extracting private key with alias: {Alias}", alias); var privateKey = store.GetKey(alias).Key; using var stringWriter = new StringWriter(); var pemWriter = new PemWriter(stringWriter); - Logger.LogDebug("Attempting to write private key to PEM format"); + Logger.LogDebug("Converting private key to PEM format"); pemWriter.WriteObject(privateKey); pemWriter.Writer.Flush(); - // Logger.LogTrace("private key:\n{Key}", stringWriter.ToString()); - Logger.LogDebug("Returning private key in PEM format for alias '{Alias}'", alias); + Logger.LogDebug("Returning private key in PEM format for alias: {Alias}", alias); + Logger.MethodExit(MsLogLevel.Debug); return stringWriter.ToString(); } + /// + /// Extracts the certificate chain from a PKCS12 store as a list of PEM-formatted certificates. + /// + /// The PKCS12 store containing the certificate chain. + /// The store password (may be needed for certain operations). + /// Optional alias of the key entry. If empty, uses the first key entry. + /// A list of PEM-formatted certificates representing the chain. protected List getCertChain(Pkcs12Store store, string password, string alias = "") { - Logger.LogDebug("Entered getCertChain()"); + Logger.MethodEntry(MsLogLevel.Debug); if (string.IsNullOrEmpty(alias)) { - Logger.LogDebug("Alias is empty, attempting to get key entry alias"); + Logger.LogDebug("Alias is empty, using first key entry alias"); alias = store.Aliases.FirstOrDefault(store.IsKeyEntry); } var chain = new List(); - Logger.LogDebug("Attempting to get certificate chain with alias {Alias}", alias); + Logger.LogDebug("Extracting certificate chain with alias: {Alias}", alias); var chainCerts = store.GetCertificateChain(alias); foreach (var chainCert in chainCerts) { - Logger.LogTrace("Adding certificate to chain"); + Logger.LogTrace("Adding certificate to chain list"); using var stringWriter = new StringWriter(); var pemWriter = new PemWriter(stringWriter); pemWriter.WriteObject(chainCert.Certificate); @@ -1423,11 +2280,16 @@ protected List getCertChain(Pkcs12Store store, string password, string a chain.Add(stringWriter.ToString()); } - Logger.LogTrace("Certificate chain:\n{Chain}", string.Join("\n", chain)); - Logger.LogDebug("Returning certificate chain"); + Logger.LogDebug("Certificate chain extracted with {Count} certificates", chain.Count); + Logger.MethodExit(MsLogLevel.Debug); return chain; } + /// + /// Determines if the provided byte data is in DER (binary) certificate format. + /// + /// The byte data to check. + /// True if the data is valid DER-encoded certificate; otherwise, false. public static bool IsDerFormat(byte[] data) { try @@ -1441,6 +2303,11 @@ public static bool IsDerFormat(byte[] data) } } + /// + /// Converts DER-encoded certificate data to PEM format. + /// + /// The DER-encoded certificate bytes. + /// The certificate in PEM format. public static string ConvertDerToPem(byte[] data) { var pemObject = new PemObject("CERTIFICATE", data); @@ -1451,6 +2318,12 @@ public static string ConvertDerToPem(byte[] data) return stringWriter.ToString(); } + /// + /// Computes a SHA-256 hash of the input string. + /// Useful for creating consistent identifiers without exposing sensitive data. + /// + /// The input string to hash. + /// The SHA-256 hash as a lowercase hexadecimal string. protected static string GetSHA256Hash(string input) { var passwordHashBytes = SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes(input)); @@ -1459,51 +2332,79 @@ protected static string GetSHA256Hash(string input) } } +/// +/// Exception thrown when a certificate store cannot be found in Kubernetes. +/// public class StoreNotFoundException : Exception { + /// Initializes a new instance of StoreNotFoundException. public StoreNotFoundException() { } + /// Initializes a new instance with the specified error message. + /// The error message describing the missing store. public StoreNotFoundException(string message) : base(message) { } + /// Initializes a new instance with the specified error message and inner exception. + /// The error message describing the missing store. + /// The exception that caused this exception. public StoreNotFoundException(string message, Exception innerException) : base(message, innerException) { } } +/// +/// Exception thrown when a Kubernetes secret is invalid, malformed, or missing required fields. +/// public class InvalidK8SSecretException : Exception { + /// Initializes a new instance of InvalidK8SSecretException. public InvalidK8SSecretException() { } + /// Initializes a new instance with the specified error message. + /// The error message describing the invalid secret. public InvalidK8SSecretException(string message) : base(message) { } + /// Initializes a new instance with the specified error message and inner exception. + /// The error message describing the invalid secret. + /// The exception that caused this exception. public InvalidK8SSecretException(string message, Exception innerException) : base(message, innerException) { } } +/// +/// Exception thrown when a JKS keystore contains PKCS12 data instead of proper JKS format, +/// or vice versa (format mismatch between expected and actual store format). +/// public class JkSisPkcs12Exception : Exception { + /// Initializes a new instance of JkSisPkcs12Exception. public JkSisPkcs12Exception() { } + /// Initializes a new instance with the specified error message. + /// The error message describing the format mismatch. public JkSisPkcs12Exception(string message) : base(message) { } + /// Initializes a new instance with the specified error message and inner exception. + /// The error message describing the format mismatch. + /// The exception that caused this exception. public JkSisPkcs12Exception(string message, Exception innerException) : base(message, innerException) { diff --git a/kubernetes-orchestrator-extension/Jobs/Management.cs b/kubernetes-orchestrator-extension/Jobs/Management.cs index d771d915..8dfad897 100644 --- a/kubernetes-orchestrator-extension/Jobs/Management.cs +++ b/kubernetes-orchestrator-extension/Jobs/Management.cs @@ -7,30 +7,74 @@ using System; using System.Collections.Generic; +using System.IO; using k8s.Autorest; using k8s.Models; +using System.Text; using Keyfactor.Extensions.Orchestrator.K8S.Clients; +using Keyfactor.Extensions.Orchestrator.K8S.Enums; using Keyfactor.Extensions.Orchestrator.K8S.StoreTypes.K8SJKS; using Keyfactor.Extensions.Orchestrator.K8S.StoreTypes.K8SPKCS12; +using Keyfactor.Extensions.Orchestrator.K8S.Utilities; using Keyfactor.Logging; using Keyfactor.Orchestrators.Common.Enums; using Keyfactor.Orchestrators.Extensions; using Keyfactor.Orchestrators.Extensions.Interfaces; using Microsoft.Extensions.Logging; +using Org.BouncyCastle.Pkcs; +using Org.BouncyCastle.Security; +using MsLogLevel = Microsoft.Extensions.Logging.LogLevel; namespace Keyfactor.Extensions.Orchestrator.K8S.Jobs; +/// +/// Management job implementation for Kubernetes certificate stores. +/// Handles Add, Remove, and Create operations for certificates in Kubernetes secrets, +/// JKS keystores, and PKCS12 keystores. +/// +/// +/// Supports the following operations: +/// - Add/Create: Add a certificate to a store (Opaque, TLS, JKS, PKCS12) +/// - Remove: Remove a certificate from a store +/// +/// Supports the following store types: +/// - Opaque secrets (K8SSecret) +/// - TLS secrets (K8STLSSecr) +/// - JKS keystores (K8SJKS) +/// - PKCS12 keystores (K8SPKCS12) +/// - Namespace-wide operations (K8SNS) +/// - Cluster-wide operations (K8SCluster) +/// public class Management : JobBase, IManagementJobExtension { + /// + /// Initializes a new instance of the Management job with the specified PAM resolver. + /// + /// PAM secret resolver for credential retrieval. public Management(IPAMSecretResolver resolver) { _resolver = resolver; } - //Job Entry Point + /// + /// Main entry point for the management job. Processes Add, Remove, or Create operations + /// for certificates in Kubernetes certificate stores. + /// + /// Management job configuration containing operation details and certificate data. + /// JobResult indicating success or failure of the management operation. + /// + /// Configuration parameters available in config: + /// - config.ServerUsername, config.ServerPassword - credentials for K8S API authentication + /// - config.CertificateStoreDetails.StorePath - location path of certificate store + /// - config.CertificateStoreDetails.StorePassword - password for protected stores (JKS/PKCS12) + /// - config.JobCertificate.Contents - Base64 encoded certificate (PKCS12 or DER) + /// - config.JobCertificate.Alias - certificate alias (for JKS/PKCS12) + /// - config.OperationType - Add, Remove, or Create + /// - config.Overwrite - whether to overwrite existing certificates + /// - config.JobCertificate.PrivateKeyPassword - password for private key in PKCS12 + /// public JobResult ProcessJob(ManagementJobConfiguration config) { - //METHOD ARGUMENTS... //config - contains context information passed from KF Command to this job run: // // config.Server.Username, config.Server.Password - credentials for orchestrated server - use to authenticate to certificate store server. @@ -50,7 +94,8 @@ public JobResult ProcessJob(ManagementJobConfiguration config) //NLog Logging to c:\CMS\Logs\CMS_Agent_Log.txt Logger = LogHandler.GetClassLogger(GetType()); - Logger.MethodEntry(); + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogDebug("Processing management job {JobId} with operation type {OperationType}", config.JobId, config.OperationType); K8SJobCertificate jobCertObj; try { @@ -126,8 +171,15 @@ public JobResult ProcessJob(ManagementJobConfiguration config) } + /// + /// Creates an empty Kubernetes secret of the specified type. + /// Used when no certificate data is provided for a create operation. + /// + /// The type of secret to create (e.g., "tls", "secret"). + /// The created V1Secret object. private V1Secret creatEmptySecret(string secretType) { + Logger.MethodEntry(MsLogLevel.Debug); Logger.LogWarning( "Certificate object and certificate alias are both null or empty. Assuming this is a 'create_store' action and populating an empty store."); var emptyStrArray = Array.Empty(); @@ -144,42 +196,231 @@ private V1Secret creatEmptySecret(string secretType) Logger.LogTrace(createResponse.ToString()); Logger.LogInformation( $"Successfully created or updated secret '{KubeSecretName}' in Kubernetes namespace '{KubeNamespace}' on cluster '{KubeClient.GetHost()}' with no data."); + Logger.MethodExit(MsLogLevel.Debug); return createResponse; } + /// + /// Handles creation or update of an Opaque secret containing certificate data. + /// + /// Alias/thumbprint of the certificate. + /// Job certificate object containing certificate and key data. + /// Password for the private key. + /// Whether to overwrite existing certificate. + /// Whether to append to existing data. + /// The created or updated V1Secret object. private V1Secret HandleOpaqueSecret(string certAlias, K8SJobCertificate certObj, string keyPasswordStr = "", bool overwrite = false, bool append = false) { - Logger.LogTrace("Entered HandleOpaqueSecret()"); - Logger.LogTrace("certAlias: " + certAlias); - // Logger.LogTrace("keyPasswordStr: " + keyPasswordStr); - Logger.LogTrace("overwrite: " + overwrite); - Logger.LogTrace("append: " + append); + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogDebug("Certificate alias: {Alias}", certAlias); + Logger.LogTrace("Password: {Password}", LoggingUtilities.RedactPassword(keyPasswordStr)); + Logger.LogDebug("Operation parameters - Overwrite: {Overwrite}, Append: {Append}", overwrite, append); + Logger.LogDebug("Certificate metadata - SeparateChain: {SeparateChain}, IncludeCertChain: {IncludeCertChain}", + SeparateChain, IncludeCertChain); + + // Handle "create store if missing" - when no certificate data is provided + // If secret already exists and no new certificate data, just return the existing secret + if (string.IsNullOrEmpty(certAlias) && string.IsNullOrEmpty(certObj.CertPem)) + { + try + { + var existingSecret = KubeClient.GetCertificateStoreSecret(KubeSecretName, KubeNamespace); + if (existingSecret != null) + { + Logger.LogInformation("Secret already exists, nothing to do for empty certificate data"); + return existingSecret; + } + } + catch (Exception ex) when (ex.Message.Contains("NotFound") || ex.Message.Contains("404")) + { + Logger.LogDebug("Secret not found, will create empty secret"); + } + Logger.LogWarning("No alias or certificate found. Creating empty Opaque secret."); + return creatEmptySecret("secret"); + } + + // Validate cert-only updates: prevent deploying certificate without private key to existing secret that has a key + var incomingHasNoPrivateKey = string.IsNullOrEmpty(certObj.PrivateKeyPem); + if ((overwrite || append) && incomingHasNoPrivateKey) + { + ValidateNoMismatchedKeyUpdate("Opaque"); + } + + // Log certificate information + if (!string.IsNullOrEmpty(certObj.CertPem)) + { + Logger.LogDebug("Certificate summary: {Summary}", LoggingUtilities.GetCertificateSummaryFromPem(certObj.CertPem)); + } + + Logger.LogTrace("Has private key: {HasKey}", !string.IsNullOrEmpty(certObj.PrivateKeyPem)); + Logger.LogTrace("Chain certificates: {Count}", certObj.ChainPem?.Count ?? 0); + + if (certObj.ChainPem != null && certObj.ChainPem.Count > 0) + { + for (int i = 0; i < certObj.ChainPem.Count; i++) + { + Logger.LogTrace("Chain certificate {Index}: {Summary}", i + 1, + LoggingUtilities.GetCertificateSummaryFromPem(certObj.ChainPem[i])); + } + } + + // Preserve existing private key format if updating + var privateKeyPem = certObj.PrivateKeyPem; + if ((overwrite || append) && certObj.PrivateKeyParameter != null && !string.IsNullOrEmpty(privateKeyPem)) + { + privateKeyPem = PreservePrivateKeyFormat(certObj, "tls.key"); + } Logger.LogDebug("Calling CreateOrUpdateCertificateStoreSecret() to create or update secret in Kubernetes..."); var createResponse = KubeClient.CreateOrUpdateCertificateStoreSecret( - certObj.PrivateKeyPem, + privateKeyPem, certObj.CertPem, certObj.ChainPem, KubeSecretName, KubeNamespace, "secret", append, - overwrite + overwrite, + false, + SeparateChain, + IncludeCertChain ); + if (createResponse == null) - Logger.LogError("createResponse is null"); - else - Logger.LogTrace(createResponse.ToString()); + { + var errorMsg = $"Failed to create or update Opaque secret '{KubeSecretName}' in namespace '{KubeNamespace}' on cluster '{KubeClient.GetHost()}'. CreateOrUpdateCertificateStoreSecret returned null."; + Logger.LogError(errorMsg); + throw new Exception(errorMsg); + } + Logger.LogDebug("Secret operation result: {Summary}", LoggingUtilities.GetSecretSummary(createResponse)); Logger.LogInformation( $"Successfully created or updated secret '{KubeSecretName}' in Kubernetes namespace '{KubeNamespace}' on cluster '{KubeClient.GetHost()}' with certificate '{certAlias}'"); + Logger.MethodExit(MsLogLevel.Debug); return createResponse; } + /// + /// Validates that a certificate-only update is not being applied to a secret that has an existing private key. + /// This prevents creating an invalid state where tls.crt has a new certificate but tls.key has the old + /// (mismatched) private key. + /// + /// Type of secret for error message (e.g., "TLS", "Opaque"). + /// + /// Thrown when attempting to deploy a certificate without a private key to an existing secret that has a private key. + /// + private void ValidateNoMismatchedKeyUpdate(string secretType) + { + Logger.LogDebug("Validating cert-only update for {SecretType} secret '{SecretName}' in namespace '{Namespace}'", + secretType, KubeSecretName, KubeNamespace); + + try + { + var existingSecret = KubeClient.GetCertificateStoreSecret(KubeSecretName, KubeNamespace); + if (existingSecret?.Data != null && existingSecret.Data.TryGetValue("tls.key", out var existingKeyBytes)) + { + // Check if the existing key has actual content (not empty) + if (existingKeyBytes != null && existingKeyBytes.Length > 0) + { + var existingKeyPem = System.Text.Encoding.UTF8.GetString(existingKeyBytes).Trim(); + if (!string.IsNullOrEmpty(existingKeyPem) && existingKeyPem.Contains("PRIVATE KEY")) + { + var errorMsg = $"Cannot update {secretType} secret '{KubeSecretName}' in namespace '{KubeNamespace}' " + + $"with a certificate that has no private key. The existing secret contains a private key (tls.key) " + + $"which would become mismatched with the new certificate. " + + $"Either include the private key with the certificate, or delete the existing secret first."; + Logger.LogError(errorMsg); + throw new InvalidOperationException(errorMsg); + } + } + } + Logger.LogDebug("Validation passed: existing secret either doesn't exist or has no private key"); + } + catch (StoreNotFoundException) + { + // Secret doesn't exist yet, no validation needed + Logger.LogDebug("Secret '{SecretName}' does not exist yet, no validation needed", KubeSecretName); + } + catch (InvalidOperationException) + { + // Re-throw our validation exception + throw; + } + catch (Exception ex) + { + // Log but don't fail on other errors - the actual create/update will handle them + Logger.LogWarning(ex, "Could not validate existing secret state, proceeding with update"); + } + } + + /// + /// Preserves the private key format when updating an existing secret. + /// Detects the existing key format and re-exports the new key in the same format. + /// If the new key algorithm doesn't support the existing format (e.g., Ed25519 with PKCS1), + /// falls back to PKCS8. + /// + /// Certificate object containing the new private key. + /// Name of the field containing the private key in the secret (e.g., "tls.key"). + /// PEM-encoded private key in the preserved format. + private string PreservePrivateKeyFormat(K8SJobCertificate certObj, string keyFieldName) + { + Logger.LogTrace("PreservePrivateKeyFormat called for field: {FieldName}", keyFieldName); + + // Default format if we can't detect existing + var targetFormat = PrivateKeyFormat.Pkcs8; + + try + { + // Try to read the existing secret to detect format + var existingSecret = KubeClient.GetCertificateStoreSecret(KubeSecretName, KubeNamespace); + if (existingSecret?.Data != null && existingSecret.Data.TryGetValue(keyFieldName, out var existingKeyBytes)) + { + var existingKeyPem = Encoding.UTF8.GetString(existingKeyBytes); + targetFormat = PrivateKeyFormatUtilities.DetectFormat(existingKeyPem); + Logger.LogDebug("Detected existing private key format: {Format}", targetFormat); + } + else + { + Logger.LogDebug("No existing private key found, using default format: {Format}", targetFormat); + } + } + catch (Exception ex) + { + Logger.LogDebug("Could not read existing secret for format detection: {Message}. Using default format.", ex.Message); + } + + // Re-export the new key in the detected/target format + // PrivateKeyFormatUtilities.ExportPrivateKeyAsPem handles fallback to PKCS8 + // if the key algorithm doesn't support PKCS1 (e.g., Ed25519, Ed448) + var newKeyPem = PrivateKeyFormatUtilities.ExportPrivateKeyAsPem(certObj.PrivateKeyParameter, targetFormat); + + var newAlgorithm = PrivateKeyFormatUtilities.GetAlgorithmName(certObj.PrivateKeyParameter); + var actualFormat = PrivateKeyFormatUtilities.DetectFormat(newKeyPem); + + if (actualFormat != targetFormat) + { + Logger.LogInformation( + "Private key format changed from {OldFormat} to {NewFormat} because {Algorithm} does not support {OldFormat}", + targetFormat, actualFormat, newAlgorithm, targetFormat); + } + else + { + Logger.LogDebug("Private key format preserved: {Format}", actualFormat); + } + + return newKeyPem; + } + + /// + /// Handles creation, update, or removal of a JKS keystore secret. + /// + /// Management job configuration containing JKS and certificate data. + /// Whether this is a remove operation. + /// The created or updated V1Secret object, or null if nothing to remove. private V1Secret HandleJksSecret(ManagementJobConfiguration config, bool remove = false) { - Logger.MethodEntry(); + Logger.MethodEntry(MsLogLevel.Debug); // get the jks store from the secret Logger.LogDebug("Attempting to serialize JKS store"); var jksStore = new JksCertificateStoreSerializer(config.JobProperties?.ToString()); @@ -217,7 +458,30 @@ private V1Secret HandleJksSecret(ManagementJobConfiguration config, bool remove var alias = string.IsNullOrEmpty(config.JobCertificate?.Alias) ? "default" : config.JobCertificate.Alias; Logger.LogTrace("alias: {Alias}", alias); + + // Try to get StoreFileName from Properties JSON, default to "jks" if not found var existingDataFieldName = "jks"; + if (!string.IsNullOrEmpty(config.CertificateStoreDetails?.Properties)) + { + try + { + using var jsonDoc = System.Text.Json.JsonDocument.Parse(config.CertificateStoreDetails.Properties); + if (jsonDoc.RootElement.TryGetProperty("StoreFileName", out var storeFileNameElement)) + { + var storeFileName = storeFileNameElement.GetString(); + if (!string.IsNullOrEmpty(storeFileName)) + { + existingDataFieldName = storeFileName; + Logger.LogDebug("Using StoreFileName from Properties: {StoreFileName}", storeFileName); + } + } + } + catch (Exception ex) + { + Logger.LogWarning("Error parsing StoreFileName from Properties: {Message}. Using default 'jks'", ex.Message); + } + } + // if alias contains a '/' then the pattern is 'k8s-secret-field-name/alias' if (!string.IsNullOrEmpty(alias) && alias.Contains('/')) { @@ -229,6 +493,49 @@ private V1Secret HandleJksSecret(ManagementJobConfiguration config, bool remove Logger.LogTrace("existingDataFieldName: {Name}", existingDataFieldName); Logger.LogTrace("alias: {Alias}", alias); + + // Handle "create store if missing" - when no certificate data is provided (but NOT for Remove operations) + if (newCertBytes.Length == 0 && !remove) + { + Logger.LogInformation("No certificate data provided. Checking if this is a 'create store if missing' operation..."); + + if (k8sData.Secret != null) + { + Logger.LogInformation("Secret already exists, nothing to do for empty certificate data"); + return k8sData.Secret; + } + + Logger.LogInformation("Creating empty JKS keystore for 'create store if missing' operation"); + + // Get the store password + if (!string.IsNullOrEmpty(config.CertificateStoreDetails.StorePassword)) + StorePassword = config.CertificateStoreDetails.StorePassword; + var emptyStorePassword = getK8SStorePassword(null); + + // Create an empty JKS store with the password + var emptyJksStore = new JksStore(); + using var emptyStoreStream = new MemoryStream(); + emptyJksStore.Save(emptyStoreStream, + string.IsNullOrEmpty(emptyStorePassword) ? Array.Empty() : emptyStorePassword.ToCharArray()); + var emptyJksBytes = emptyStoreStream.ToArray(); + + Logger.LogDebug("Created empty JKS keystore with {ByteCount} bytes", emptyJksBytes.Length); + + // Create k8sData with the empty keystore + k8sData.Inventory = new Dictionary + { + { existingDataFieldName, emptyJksBytes } + }; + + // Create the secret with the empty keystore + Logger.LogDebug("Calling CreateOrUpdateJksSecret() to create empty keystore secret..."); + var createResponse = KubeClient.CreateOrUpdateJksSecret(k8sData, KubeSecretName, KubeNamespace); + Logger.LogInformation("Successfully created empty JKS keystore secret '{Name}' in namespace '{Namespace}'", + KubeSecretName, KubeNamespace); + Logger.MethodExit(MsLogLevel.Debug); + return createResponse; + } + byte[] existingData = null; if (k8sData.Secret?.Data != null) { @@ -267,18 +574,26 @@ private V1Secret HandleJksSecret(ManagementJobConfiguration config, bool remove // update the secret Logger.LogDebug("Calling CreateOrUpdateJksSecret()..."); var updateResponse = KubeClient.CreateOrUpdateJksSecret(k8sData, KubeSecretName, KubeNamespace); - Logger.LogDebug("Exiting HandleJKSSecret()..."); + Logger.LogDebug("JKS secret operation completed successfully"); + Logger.MethodExit(MsLogLevel.Debug); return updateResponse; } catch (JkSisPkcs12Exception) { + Logger.LogDebug("JKS data is actually PKCS12, delegating to HandlePkcs12Secret"); return HandlePkcs12Secret(config, remove); } } + /// + /// Handles creation, update, or removal of a PKCS12/PFX keystore secret. + /// + /// Management job configuration containing PKCS12 and certificate data. + /// Whether this is a remove operation. + /// The created or updated V1Secret object, or null if nothing to remove. private V1Secret HandlePkcs12Secret(ManagementJobConfiguration config, bool remove = false) { - Logger.LogDebug("Entering HandlePkcs12Secret()..."); + Logger.MethodEntry(MsLogLevel.Debug); // get the pkcs12 store from the secret var pkcs12Store = new Pkcs12CertificateStoreSerializer(config.JobProperties?.ToString()); //getPkcs12BytesFromKubeSecret @@ -300,13 +615,39 @@ private V1Secret HandlePkcs12Secret(ManagementJobConfiguration config, bool remo } // get newCert bytes from config.JobCertificate.Contents - var newCertBytes = Convert.FromBase64String(config.JobCertificate.Contents); + Logger.LogDebug("Attempting to get newCert bytes from config.JobCertificate.Contents"); + var newCertBytes = config.JobCertificate?.Contents == null + ? [] + : Convert.FromBase64String(config.JobCertificate.Contents); - var alias = config.JobCertificate.Alias; - Logger.LogDebug("alias: " + alias); + var alias = string.IsNullOrEmpty(config.JobCertificate?.Alias) ? "default" : config.JobCertificate.Alias; + Logger.LogDebug("alias: {Alias}", alias); + + // Try to get StoreFileName from Properties JSON, default to "pkcs12" if not found var existingDataFieldName = "pkcs12"; + if (!string.IsNullOrEmpty(config.CertificateStoreDetails?.Properties)) + { + try + { + using var jsonDoc = System.Text.Json.JsonDocument.Parse(config.CertificateStoreDetails.Properties); + if (jsonDoc.RootElement.TryGetProperty("StoreFileName", out var storeFileNameElement)) + { + var storeFileName = storeFileNameElement.GetString(); + if (!string.IsNullOrEmpty(storeFileName)) + { + existingDataFieldName = storeFileName; + Logger.LogDebug("Using StoreFileName from Properties: {StoreFileName}", storeFileName); + } + } + } + catch (Exception ex) + { + Logger.LogWarning("Error parsing StoreFileName from Properties: {Message}. Using default 'pkcs12'", ex.Message); + } + } + // if alias contains a '/' then the pattern is 'k8s-secret-field-name/alias' - if (alias.Contains('/')) + if (!string.IsNullOrEmpty(alias) && alias.Contains('/')) { Logger.LogDebug("alias contains a '/' so splitting on '/'..."); var aliasParts = alias.Split("/"); @@ -316,6 +657,51 @@ private V1Secret HandlePkcs12Secret(ManagementJobConfiguration config, bool remo Logger.LogDebug("existingDataFieldName: " + existingDataFieldName); Logger.LogDebug("alias: " + alias); + + // Handle "create store if missing" - when no certificate data is provided (but NOT for Remove operations) + if (newCertBytes.Length == 0 && !remove) + { + Logger.LogInformation("No certificate data provided. Checking if this is a 'create store if missing' operation..."); + + if (k8sData.Secret != null) + { + Logger.LogInformation("Secret already exists, nothing to do for empty certificate data"); + return k8sData.Secret; + } + + Logger.LogInformation("Creating empty PKCS12 keystore for 'create store if missing' operation"); + + // Get the store password + if (!string.IsNullOrEmpty(config.CertificateStoreDetails.StorePassword)) + StorePassword = config.CertificateStoreDetails.StorePassword; + var emptyStorePassword = getK8SStorePassword(null); + + // Create an empty PKCS12 store with the password + var emptyStoreBuilder = new Pkcs12StoreBuilder(); + var emptyPkcs12Store = emptyStoreBuilder.Build(); + using var emptyStoreStream = new MemoryStream(); + emptyPkcs12Store.Save(emptyStoreStream, + string.IsNullOrEmpty(emptyStorePassword) ? Array.Empty() : emptyStorePassword.ToCharArray(), + new SecureRandom()); + var emptyPkcs12Bytes = emptyStoreStream.ToArray(); + + Logger.LogDebug("Created empty PKCS12 keystore with {ByteCount} bytes", emptyPkcs12Bytes.Length); + + // Create k8sData with the empty keystore + k8sData.Inventory = new Dictionary + { + { existingDataFieldName, emptyPkcs12Bytes } + }; + + // Create the secret with the empty keystore + Logger.LogDebug("Calling CreateOrUpdatePkcs12Secret() to create empty keystore secret..."); + var createResponse = KubeClient.CreateOrUpdatePkcs12Secret(k8sData, KubeSecretName, KubeNamespace); + Logger.LogInformation("Successfully created empty PKCS12 keystore secret '{Name}' in namespace '{Namespace}'", + KubeSecretName, KubeNamespace); + Logger.MethodExit(MsLogLevel.Debug); + return createResponse; + } + byte[] existingData = null; if (k8sData.Secret?.Data != null) existingData = k8sData.Secret.Data.TryGetValue(existingDataFieldName, out var value) ? value : null; @@ -326,7 +712,7 @@ private V1Secret HandlePkcs12Secret(ManagementJobConfiguration config, bool remo var sPass = getK8SStorePassword(k8sData.Secret); Logger.LogDebug("Calling CreateOrUpdatePkcs12()..."); var newPkcs12Store = pkcs12Store.CreateOrUpdatePkcs12(newCertBytes, config.JobCertificate.PrivateKeyPassword, - alias, existingData, sPass, remove); + alias, existingData, sPass, remove, IncludeCertChain); if (k8sData.Inventory == null || k8sData.Inventory.Count == 0) { Logger.LogDebug("k8sData.Pkcs12Inventory is null or empty so creating new Dictionary..."); @@ -342,7 +728,8 @@ private V1Secret HandlePkcs12Secret(ManagementJobConfiguration config, bool remo // update the secret Logger.LogDebug("Calling CreateOrUpdatePkcs12Secret()..."); var updateResponse = KubeClient.CreateOrUpdatePkcs12Secret(k8sData, KubeSecretName, KubeNamespace); - Logger.LogDebug("Exiting HandlePKCS12Secret()..."); + Logger.LogDebug("PKCS12 secret operation completed successfully"); + Logger.MethodExit(MsLogLevel.Debug); return updateResponse; } @@ -398,23 +785,55 @@ private V1Secret HandlePkcs12Secret(ManagementJobConfiguration config, bool remo // return createResponse; // } + /// + /// Handles creation or update of a kubernetes.io/tls secret containing certificate data. + /// + /// Alias/thumbprint of the certificate. + /// Job certificate object containing certificate and key data. + /// Password for the certificate. + /// Whether to overwrite existing certificate. + /// Whether to append to existing data. + /// The created or updated V1Secret object. private V1Secret HandleTlsSecret(string certAlias, K8SJobCertificate certObj, string certPassword, bool overwrite = false, bool append = true) { - Logger.LogTrace("Entered HandleTlsSecret()"); + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogDebug("Processing TLS secret for certificate: {Alias}", certAlias); Logger.LogTrace("certAlias: " + certAlias); // Logger.LogTrace("keyPasswordStr: " + keyPasswordStr); Logger.LogTrace("overwrite: " + overwrite); Logger.LogTrace("append: " + append); - try + // Handle "create store if missing" - when no certificate data is provided + // If secret already exists and no new certificate data, just return the existing secret + if (string.IsNullOrEmpty(certAlias) && string.IsNullOrEmpty(certObj.CertPem)) { - //if (certObj.Equals(new X509Certificate2()) && string.IsNullOrEmpty(certAlias)) - if (string.IsNullOrEmpty(certAlias) && string.IsNullOrEmpty(certObj.CertPem)) + try + { + var existingSecret = KubeClient.GetCertificateStoreSecret(KubeSecretName, KubeNamespace); + if (existingSecret != null) + { + Logger.LogInformation("Secret already exists, nothing to do for empty certificate data"); + return existingSecret; + } + } + catch (Exception ex) when (ex.Message.Contains("NotFound") || ex.Message.Contains("404")) { - Logger.LogWarning("No alias or certificate found. Creating empty secret."); - return creatEmptySecret("tls"); + Logger.LogDebug("Secret not found, will create empty secret"); } + Logger.LogWarning("No alias or certificate found. Creating empty TLS secret."); + return creatEmptySecret("tls"); + } + + // Validate cert-only updates: prevent deploying certificate without private key to existing secret that has a key + var incomingHasNoPrivateKey = string.IsNullOrEmpty(certObj.PrivateKeyPem); + if ((overwrite || append) && incomingHasNoPrivateKey) + { + ValidateNoMismatchedKeyUpdate("TLS"); + } + + try + { } catch (Exception ex) { @@ -450,10 +869,17 @@ private V1Secret HandleTlsSecret(string certAlias, K8SJobCertificate certObj, st var keyPem = certObj.PrivateKeyPem; if (!string.IsNullOrEmpty(keyPem)) keyPems = new[] { keyPem }; - + + // Preserve existing private key format if updating + var privateKeyPem = certObj.PrivateKeyPem; + if ((overwrite || append) && certObj.PrivateKeyParameter != null && !string.IsNullOrEmpty(privateKeyPem)) + { + privateKeyPem = PreservePrivateKeyFormat(certObj, "tls.key"); + } + Logger.LogDebug("Calling CreateOrUpdateCertificateStoreSecret() to create or update secret in Kubernetes..."); var createResponse = KubeClient.CreateOrUpdateCertificateStoreSecret( - certObj.PrivateKeyPem, + privateKeyPem, certObj.CertPem, certObj.ChainPem, KubeSecretName, @@ -462,7 +888,8 @@ private V1Secret HandleTlsSecret(string certAlias, K8SJobCertificate certObj, st append, overwrite, false, - SeparateChain + SeparateChain, + IncludeCertChain ); if (createResponse == null) Logger.LogError("createResponse is null"); @@ -471,14 +898,41 @@ private V1Secret HandleTlsSecret(string certAlias, K8SJobCertificate certObj, st Logger.LogInformation( $"Successfully created or updated secret '{KubeSecretName}' in Kubernetes namespace '{KubeNamespace}' on cluster '{KubeClient.GetHost()}' with certificate '{certAlias}'"); + Logger.MethodExit(MsLogLevel.Debug); return createResponse; } + /// + /// Handles Add or Create operations for certificates based on secret type. + /// Routes to appropriate handler based on the store type. + /// + /// Type of secret (tls, opaque, jks, pkcs12, etc.). + /// Management job configuration. + /// Job certificate object with certificate data. + /// Whether to overwrite existing certificates. + /// JobResult indicating success or failure. private JobResult HandleCreateOrUpdate(string secretType, ManagementJobConfiguration config, K8SJobCertificate jobCertObj, bool overwrite = false) { + Logger.MethodEntry(MsLogLevel.Debug); + + // Check for "create store if missing" operation for store types that don't support it + // K8SNS and K8SCluster are aggregate store types that manage multiple secrets across + // a namespace or cluster - there's no single "store" to create + var isCreateStoreIfMissing = string.IsNullOrEmpty(config.JobCertificate?.Contents); + if (isCreateStoreIfMissing && (secretType == "namespace" || secretType == "cluster")) + { + var storeTypeName = secretType == "namespace" ? "K8SNS" : "K8SCluster"; + var warningMsg = $"'Create store if missing' is not supported for {storeTypeName} store type. " + + $"{storeTypeName} manages multiple secrets across a {secretType} and does not represent a single secret that can be created. " + + "No action taken."; + Logger.LogWarning(warningMsg); + Logger.LogInformation("End MANAGEMENT job {JobId} - {Message}", config.JobId, warningMsg); + return SuccessJob(config.JobHistoryId, warningMsg); + } + var certPassword = jobCertObj.Password; - Logger.LogDebug("Entered HandleCreateOrUpdate()"); + Logger.LogDebug("Processing create/update for secret type: {SecretType}", secretType); var jobCert = config.JobCertificate; var certAlias = config.JobCertificate.Alias; @@ -603,10 +1057,10 @@ private JobResult HandleCreateOrUpdate(string secretType, ManagementJobConfigura //pattern: namespace/secrets/secret_type/secert_name var clusterSplitAlias = jobCertObj.Alias.Split("/"); - // Check splitAlias length - if (clusterSplitAlias.Length < 3) + // Check splitAlias length - K8SCluster expects: /secrets// (4 parts) + if (clusterSplitAlias.Length < 4) { - var invalidAliasErrMsg = "Invalid alias format for K8SCluster store type. Alias"; + var invalidAliasErrMsg = $"Invalid alias format for K8SCluster store type. Expected pattern: '/secrets//' but got '{jobCertObj.Alias}'"; Logger.LogError(invalidAliasErrMsg); Logger.LogInformation("End MANAGEMENT job " + config.JobId + " " + invalidAliasErrMsg + " Failed!"); return FailJob(invalidAliasErrMsg, config.JobHistoryId); @@ -653,13 +1107,22 @@ private JobResult HandleCreateOrUpdate(string secretType, ManagementJobConfigura } Logger.LogInformation("End MANAGEMENT job " + config.JobId + " Success!"); + Logger.MethodExit(MsLogLevel.Debug); return SuccessJob(config.JobHistoryId); } + /// + /// Handles Remove operations for certificates. + /// Deletes certificates from the specified Kubernetes secret based on store type. + /// + /// Type of secret (tls, opaque, jks, pkcs12, etc.). + /// Management job configuration. + /// JobResult indicating success or failure. private JobResult HandleRemove(string secretType, ManagementJobConfiguration config) { - //OperationType == Remove - Delete a certificate from the certificate store passed in the config object + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogDebug("Processing remove for secret type: {SecretType}", secretType); var kubeHost = KubeClient.GetHost(); var jobCert = config.JobCertificate; var certAlias = config.JobCertificate.Alias; @@ -688,6 +1151,13 @@ private JobResult HandleRemove(string secretType, ManagementJobConfiguration con var splitAlias = certAlias.Split("/"); if (Capability.Contains("K8SNS")) { + // K8SNS expects: secrets// (3 parts) + if (splitAlias.Length < 3) + { + var errMsg = $"Invalid alias format for K8SNS store type. Expected pattern: 'secrets//' but got '{certAlias}'"; + Logger.LogError(errMsg); + return FailJob(errMsg, config.JobHistoryId); + } // Split alias by / and get second to last element KubeSecretType KubeSecretType = splitAlias[^2]; KubeSecretName = splitAlias[^1]; @@ -695,6 +1165,13 @@ private JobResult HandleRemove(string secretType, ManagementJobConfiguration con } else if (Capability.Contains("K8SCluster")) { + // K8SCluster expects: /secrets// (4 parts) + if (splitAlias.Length < 4) + { + var errMsg = $"Invalid alias format for K8SCluster store type. Expected pattern: '/secrets//' but got '{certAlias}'"; + Logger.LogError(errMsg); + return FailJob(errMsg, config.JobHistoryId); + } KubeSecretType = splitAlias[^2]; KubeSecretName = splitAlias[^1]; KubeNamespace = splitAlias[0]; @@ -737,6 +1214,7 @@ private JobResult HandleRemove(string secretType, ManagementJobConfiguration con } Logger.LogInformation("End MANAGEMENT job " + config.JobId + " Success!"); + Logger.MethodExit(MsLogLevel.Debug); return SuccessJob(config.JobHistoryId); } } \ No newline at end of file diff --git a/kubernetes-orchestrator-extension/Jobs/PAMUtilities.cs b/kubernetes-orchestrator-extension/Jobs/PAMUtilities.cs index 873d0c4d..482142ca 100644 --- a/kubernetes-orchestrator-extension/Jobs/PAMUtilities.cs +++ b/kubernetes-orchestrator-extension/Jobs/PAMUtilities.cs @@ -5,16 +5,38 @@ // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions // and limitations under the License. +using System; using Keyfactor.Orchestrators.Extensions.Interfaces; using Microsoft.Extensions.Logging; namespace Keyfactor.Extensions.Orchestrator.K8S.Jobs; +/// +/// Utility class for Privileged Access Management (PAM) integration. +/// Provides methods to resolve PAM-protected field values. +/// internal class PAMUtilities { + /// + /// Attempts to resolve a PAM-protected field value using the configured PAM resolver. + /// PAM fields are identified by being valid JSON strings (starting with '{' and ending with '}'). + /// + /// The PAM secret resolver from the orchestrator framework. + /// Logger for diagnostic output. + /// Friendly name of the field being resolved (for logging). + /// The field value to resolve (may be a PAM reference or plain value). + /// + /// The resolved value if successful, or the original value if: + /// - The value is empty + /// - The value is not a JSON string (not PAM-protected) + /// - PAM resolution fails + /// internal static string ResolvePAMField(IPAMSecretResolver resolver, ILogger logger, string name, string key) { logger.LogDebug("Attempting to resolve PAM eligible field '{Name}'", name); + logger.LogTrace("Resolver is null: {IsNull}", resolver == null); + logger.LogTrace("Key is null: {IsNull}", key == null); + if (string.IsNullOrEmpty(key)) { logger.LogWarning("PAM field is empty, skipping PAM resolution"); @@ -24,9 +46,18 @@ internal static string ResolvePAMField(IPAMSecretResolver resolver, ILogger logg // test if field is JSON string if (key.StartsWith("{") && key.EndsWith("}")) { - var resolved = resolver.Resolve(key); - if (string.IsNullOrEmpty(resolved)) logger.LogWarning("Failed to resolve PAM field {Name}", name); - return resolved; + try + { + logger.LogTrace("Calling resolver.Resolve() for field '{Name}'", name); + var resolved = resolver.Resolve(key); + logger.LogTrace("Resolver returned: {HasValue}", !string.IsNullOrEmpty(resolved)); + if (string.IsNullOrEmpty(resolved)) logger.LogWarning("Failed to resolve PAM field {Name}", name); + return resolved; + } + catch (Exception ex) + { + logger.LogWarning(ex, "PAM resolution failed for field '{Name}': {Message}", name, ex.Message); + } } logger.LogDebug("Field '{Name}' is not a JSON string, skipping PAM resolution", name); diff --git a/kubernetes-orchestrator-extension/Jobs/Reenrollment.cs b/kubernetes-orchestrator-extension/Jobs/Reenrollment.cs index 84f738db..fc5e194a 100644 --- a/kubernetes-orchestrator-extension/Jobs/Reenrollment.cs +++ b/kubernetes-orchestrator-extension/Jobs/Reenrollment.cs @@ -12,50 +12,61 @@ using Keyfactor.Orchestrators.Extensions; using Keyfactor.Orchestrators.Extensions.Interfaces; using Microsoft.Extensions.Logging; +using MsLogLevel = Microsoft.Extensions.Logging.LogLevel; using Newtonsoft.Json; namespace Keyfactor.Extensions.Orchestrator.K8S.Jobs; -// The Re-enrollment class implements IAgentJobExtension and is meant to: -// 1) Generate a new public/private keypair locally -// 2) Generate a CSR from the keypair, -// 3) Submit the CSR to KF Command to enroll the certificate and retrieve the certificate back -// 4) Deploy the newly re-enrolled certificate to a certificate store +/// +/// Re-enrollment job implementation for Kubernetes certificate stores. +/// This job type is intended to: +/// 1) Generate a new public/private keypair locally +/// 2) Generate a CSR from the keypair +/// 3) Submit the CSR to Keyfactor Command to enroll the certificate +/// 4) Deploy the newly re-enrolled certificate to a certificate store +/// +/// +/// NOTE: Re-enrollment is not currently implemented for Kubernetes stores. +/// This class provides a placeholder that returns a failure indicating +/// the operation is not supported. +/// public class Reenrollment : JobBase, IReenrollmentJobExtension { + /// + /// Initializes a new instance of the Reenrollment job with the specified PAM resolver. + /// + /// PAM secret resolver for credential retrieval. public Reenrollment(IPAMSecretResolver resolver) { _resolver = resolver; } - //Job Entry Point + + /// + /// Main entry point for the reenrollment job. + /// Currently not implemented - returns a failure result. + /// + /// Reenrollment job configuration. + /// Callback delegate to submit CSR for enrollment. + /// JobResult indicating failure (not implemented). + /// + /// Future implementation should: + /// 1. Generate keypair using BouncyCastle + /// 2. Create CSR with appropriate subject and extensions + /// 3. Submit CSR via submitReenrollment callback + /// 4. Receive enrolled certificate and deploy to store + /// public JobResult ProcessJob(ReenrollmentJobConfiguration config, SubmitReenrollmentCSR submitReenrollment) { - //METHOD ARGUMENTS... - //config - contains context information passed from KF Command to this job run: - // - // config.Server.Username, config.Server.Password - credentials for orchestrated server - use to authenticate to certificate store server. - // - // config.ServerUsername, config.ServerPassword - credentials for orchestrated server - use to authenticate to certificate store server. - // config.CertificateStoreDetails.ClientMachine - server name or IP address of orchestrated server - // config.CertificateStoreDetails.StorePath - location path of certificate store on orchestrated server - // config.CertificateStoreDetails.StorePassword - if the certificate store has a password, it would be passed here - // config.CertificateStoreDetails.Properties - JSON string containing custom store properties for this specific store type - // - // config.JobProperties = Dictionary of custom parameters to use in building CSR and placing enrolled certificate in a the proper certificate store - - //NLog Logging to c:\CMS\Logs\CMS_Agent_Log.txt Logger = LogHandler.GetClassLogger(GetType()); - Logger.LogDebug("Begin Reenrollment..."); - Logger.LogDebug("Following info received from command:"); - Logger.LogDebug(JsonConvert.SerializeObject(config)); + Logger.MethodEntry(MsLogLevel.Debug); + Logger.LogDebug("Processing reenrollment job {JobId} for capability {Capability}", config.JobId, config.Capability); - Logger.LogDebug($"Begin {config.Capability} for job id {config.JobId.ToString()}..."); - // logger.LogTrace($"Store password: {storePassword}"); //Do not log passwords - Logger.LogTrace($"Server: {config.CertificateStoreDetails.ClientMachine}"); - Logger.LogTrace($"Store Path: {config.CertificateStoreDetails.StorePath}"); - Logger.LogTrace($"Canonical Store Path: {GetStorePath()}"); + Logger.LogTrace("Server: {Server}", config.CertificateStoreDetails.ClientMachine); + Logger.LogTrace("Store Path: {StorePath}", config.CertificateStoreDetails.StorePath); - //Status: 2=Success, 3=Warning, 4=Error + // Re-enrollment is not implemented for Kubernetes stores + Logger.LogWarning("Re-enrollment not implemented for {Capability}", config.Capability); + Logger.MethodExit(MsLogLevel.Debug); return FailJob($"Re-enrollment not implemented for {config.Capability}", config.JobHistoryId); } } diff --git a/kubernetes-orchestrator-extension/Keyfactor.Orchestrators.K8S.csproj b/kubernetes-orchestrator-extension/Keyfactor.Orchestrators.K8S.csproj index a7415f14..c4945434 100644 --- a/kubernetes-orchestrator-extension/Keyfactor.Orchestrators.K8S.csproj +++ b/kubernetes-orchestrator-extension/Keyfactor.Orchestrators.K8S.csproj @@ -8,12 +8,18 @@ true true Keyfactor.Orchestrators.K8S + + $(NoWarn);SYSLIB0026;SYSLIB0057;MSB3277;NU1701;CA2200 true portable false + + + + Always @@ -30,8 +36,8 @@ - - + + diff --git a/kubernetes-orchestrator-extension/Models/K8SCertificateContext.cs b/kubernetes-orchestrator-extension/Models/K8SCertificateContext.cs new file mode 100644 index 00000000..6c5a0092 --- /dev/null +++ b/kubernetes-orchestrator-extension/Models/K8SCertificateContext.cs @@ -0,0 +1,499 @@ +using System; +using System.Collections.Generic; +using System.Linq; +using Keyfactor.Extensions.Orchestrator.K8S.Utilities; +using Keyfactor.Logging; +using Microsoft.Extensions.Logging; +using Org.BouncyCastle.Crypto; +using Org.BouncyCastle.Pkcs; +using Org.BouncyCastle.X509; + +namespace Keyfactor.Extensions.Orchestrator.K8S.Models; + +/// +/// Certificate context wrapper that provides BouncyCastle-based certificate operations. +/// This class replaces X509Certificate2-dependent functionality to avoid deprecated APIs. +/// +public class K8SCertificateContext +{ + private static readonly ILogger Logger = LogHandler.GetClassLogger(typeof(K8SCertificateContext)); + + /// + /// The BouncyCastle X509Certificate + /// + public X509Certificate Certificate { get; set; } + + /// + /// The private key (if available) + /// + public AsymmetricKeyParameter PrivateKey { get; set; } + + /// + /// Certificate chain (excluding the leaf certificate) + /// + public List Chain { get; set; } = new List(); + + /// + /// Certificate thumbprint (SHA-1 hash, uppercase hex) + /// + public string Thumbprint => Certificate != null + ? CertificateUtilities.GetThumbprint(Certificate) + : string.Empty; + + /// + /// Certificate subject Common Name + /// + public string SubjectCN => Certificate != null + ? CertificateUtilities.GetSubjectCN(Certificate) + : string.Empty; + + /// + /// Certificate subject Distinguished Name + /// + public string SubjectDN => Certificate != null + ? CertificateUtilities.GetSubjectDN(Certificate) + : string.Empty; + + /// + /// Certificate issuer Common Name + /// + public string IssuerCN => Certificate != null + ? CertificateUtilities.GetIssuerCN(Certificate) + : string.Empty; + + /// + /// Certificate issuer Distinguished Name + /// + public string IssuerDN => Certificate != null + ? CertificateUtilities.GetIssuerDN(Certificate) + : string.Empty; + + /// + /// Certificate validity start date + /// + public DateTime NotBefore => Certificate?.NotBefore ?? DateTime.MinValue; + + /// + /// Certificate validity end date + /// + public DateTime NotAfter => Certificate?.NotAfter ?? DateTime.MaxValue; + + /// + /// Certificate serial number + /// + public string SerialNumber => Certificate != null + ? CertificateUtilities.GetSerialNumber(Certificate) + : string.Empty; + + /// + /// Public key algorithm (RSA, ECDSA, DSA) + /// + public string KeyAlgorithm => Certificate != null + ? CertificateUtilities.GetKeyAlgorithm(Certificate) + : string.Empty; + + /// + /// Indicates whether a private key is present + /// + public bool HasPrivateKey => PrivateKey != null; + + /// + /// PEM representation of the certificate + /// + public string CertPem + { + get => _certPem ?? (Certificate != null ? CertificateUtilities.ConvertToPem(Certificate) : string.Empty); + set => _certPem = value; + } + private string _certPem; + + /// + /// PEM representation of the private key + /// + public string PrivateKeyPem + { + get => _privateKeyPem ?? (PrivateKey != null ? CertificateUtilities.ExtractPrivateKeyAsPem(PrivateKey) : string.Empty); + set => _privateKeyPem = value; + } + private string _privateKeyPem; + + /// + /// PEM representations of certificates in the chain + /// + public List ChainPem + { + get => _chainPem ?? (Chain?.Select(CertificateUtilities.ConvertToPem).ToList() ?? new List()); + set => _chainPem = value; + } + private List _chainPem; + + #region Factory Methods + + /// + /// Create context from PKCS12/PFX data + /// + /// PKCS12 store bytes + /// Store password + /// Optional alias. If null, first key entry will be used + /// Certificate context + public static K8SCertificateContext FromPkcs12(byte[] pkcs12Bytes, string password, string alias = null) + { + Logger.LogTrace("FromPkcs12 called with {ByteCount} bytes, alias: {Alias}", + pkcs12Bytes?.Length ?? 0, alias ?? "null"); + Logger.LogTrace("Password: {Password}", LoggingUtilities.RedactPassword(password)); + + if (pkcs12Bytes == null || pkcs12Bytes.Length == 0) + { + Logger.LogError("PKCS12 bytes are null or empty"); + throw new ArgumentException("PKCS12 bytes cannot be null or empty", nameof(pkcs12Bytes)); + } + + try + { + var store = CertificateUtilities.LoadPkcs12Store(pkcs12Bytes, password); + + if (string.IsNullOrEmpty(alias)) + { + alias = store.Aliases.FirstOrDefault(a => store.IsKeyEntry(a)); + Logger.LogDebug("No alias specified, using first key entry: {Alias}", alias ?? "null"); + } + + if (alias == null) + { + Logger.LogError("No key entry found in PKCS12 store"); + throw new ArgumentException("No key entry found in PKCS12 store"); + } + + var context = new K8SCertificateContext + { + Certificate = CertificateUtilities.ParseCertificateFromPkcs12(pkcs12Bytes, password, alias), + PrivateKey = CertificateUtilities.ExtractPrivateKey(store, alias, password) + }; + + Logger.LogDebug("Certificate loaded: {Summary}", LoggingUtilities.GetCertificateSummary(context.Certificate)); + Logger.LogDebug("Private key present: {HasKey}", context.HasPrivateKey); + + // Extract chain (excluding the leaf certificate) + var fullChain = CertificateUtilities.ExtractChainFromPkcs12(pkcs12Bytes, password, alias); + if (fullChain != null && fullChain.Count > 1) + { + context.Chain = fullChain.Skip(1).ToList(); // Skip the first one (leaf cert) + Logger.LogDebug("Certificate chain loaded: {Count} certificates", context.Chain.Count); + } + else + { + Logger.LogDebug("No certificate chain found or chain has only leaf certificate"); + } + + return context; + } + catch (Exception ex) + { + Logger.LogError(ex, "Error creating context from PKCS12: {Message}", ex.Message); + throw; + } + } + + /// + /// Create context from PKCS12 store + /// + /// PKCS12 store + /// Optional alias. If null, first key entry will be used + /// Optional password for key extraction + /// Certificate context + public static K8SCertificateContext FromPkcs12Store(Pkcs12Store store, string alias = null, string password = null) + { + if (store == null) + throw new ArgumentNullException(nameof(store)); + + if (string.IsNullOrEmpty(alias)) + alias = store.Aliases.FirstOrDefault(a => store.IsKeyEntry(a)); + + if (alias == null) + throw new ArgumentException("No key entry found in PKCS12 store"); + + var context = new K8SCertificateContext + { + Certificate = store.GetCertificate(alias)?.Certificate, + PrivateKey = store.GetKey(alias)?.Key + }; + + // Extract chain (excluding the leaf certificate) + var fullChain = store.GetCertificateChain(alias); + if (fullChain != null && fullChain.Length > 1) + { + context.Chain = fullChain.Skip(1).Select(entry => entry.Certificate).ToList(); + } + + return context; + } + + /// + /// Create context from PEM string (certificate only, no private key) + /// + /// PEM-encoded certificate string + /// Certificate context + public static K8SCertificateContext FromPem(string pemString) + { + Logger.LogTrace("FromPem called with PEM length: {Length}", pemString?.Length ?? 0); + + if (string.IsNullOrWhiteSpace(pemString)) + { + Logger.LogError("PEM string is null or empty"); + throw new ArgumentException("PEM string cannot be null or empty", nameof(pemString)); + } + + try + { + // Try to load multiple certificates (chain) + var certificates = CertificateUtilities.LoadCertificateChain(pemString); + + if (certificates == null || certificates.Count == 0) + { + Logger.LogError("No valid certificates found in PEM data"); + throw new ArgumentException("No valid certificates found in PEM data"); + } + + Logger.LogDebug("Loaded {Count} certificates from PEM data", certificates.Count); + + var context = new K8SCertificateContext + { + Certificate = certificates[0], + PrivateKey = null // PEM certificate data typically doesn't include private key + }; + + Logger.LogDebug("Certificate loaded: {Summary}", LoggingUtilities.GetCertificateSummary(context.Certificate)); + Logger.LogDebug("Private key present: {HasKey}", context.HasPrivateKey); + + // If multiple certificates, treat the rest as chain + if (certificates.Count > 1) + { + context.Chain = certificates.Skip(1).ToList(); + Logger.LogDebug("Certificate chain loaded: {Count} certificates", context.Chain.Count); + } + + return context; + } + catch (Exception ex) + { + Logger.LogError(ex, "Error creating context from PEM: {Message}", ex.Message); + throw; + } + } + + /// + /// Create context from PEM certificate and private key strings + /// + /// PEM-encoded certificate + /// PEM-encoded private key + /// Optional PEM-encoded certificate chain + /// Certificate context + public static K8SCertificateContext FromPemWithKey(string certPem, string privateKeyPem, string chainPem = null) + { + Logger.LogTrace("FromPemWithKey called with cert PEM length: {CertLength}, key PEM length: {KeyLength}, chain PEM length: {ChainLength}", + certPem?.Length ?? 0, privateKeyPem?.Length ?? 0, chainPem?.Length ?? 0); + + if (string.IsNullOrWhiteSpace(certPem)) + { + Logger.LogError("Certificate PEM is null or empty"); + throw new ArgumentException("Certificate PEM cannot be null or empty", nameof(certPem)); + } + + try + { + var context = new K8SCertificateContext + { + Certificate = CertificateUtilities.ParseCertificateFromPem(certPem), + _certPem = certPem, + _privateKeyPem = privateKeyPem + }; + + Logger.LogDebug("Certificate loaded: {Summary}", LoggingUtilities.GetCertificateSummary(context.Certificate)); + + // Parse private key if provided + if (!string.IsNullOrWhiteSpace(privateKeyPem)) + { + Logger.LogTrace("Private key PEM provided: {PrivateKeyPem}", LoggingUtilities.RedactPrivateKeyPem(privateKeyPem)); + // Note: Parsing private key from PEM requires additional logic + // This is a placeholder for now - will be implemented when needed + // For now, we'll store the PEM string + } + else + { + Logger.LogDebug("No private key PEM provided"); + } + + // Parse chain if provided + if (!string.IsNullOrWhiteSpace(chainPem)) + { + context.Chain = CertificateUtilities.LoadCertificateChain(chainPem); + context._chainPem = context.Chain.Select(CertificateUtilities.ConvertToPem).ToList(); + Logger.LogDebug("Certificate chain loaded: {Count} certificates", context.Chain.Count); + } + else + { + Logger.LogDebug("No chain PEM provided"); + } + + return context; + } + catch (Exception ex) + { + Logger.LogError(ex, "Error creating context from PEM with key: {Message}", ex.Message); + throw; + } + } + + /// + /// Create context from DER-encoded bytes + /// + /// DER-encoded certificate bytes + /// Certificate context + public static K8SCertificateContext FromDer(byte[] derBytes) + { + Logger.LogTrace("FromDer called with {ByteCount} bytes", derBytes?.Length ?? 0); + + if (derBytes == null || derBytes.Length == 0) + { + Logger.LogError("DER bytes are null or empty"); + throw new ArgumentException("DER bytes cannot be null or empty", nameof(derBytes)); + } + + try + { + var context = new K8SCertificateContext + { + Certificate = CertificateUtilities.ParseCertificateFromDer(derBytes), + PrivateKey = null // DER format typically doesn't include private key + }; + + Logger.LogDebug("Certificate loaded: {Summary}", LoggingUtilities.GetCertificateSummary(context.Certificate)); + Logger.LogDebug("Private key present: {HasKey}", context.HasPrivateKey); + + return context; + } + catch (Exception ex) + { + Logger.LogError(ex, "Error creating context from DER: {Message}", ex.Message); + throw; + } + } + + /// + /// Create context from X509Certificate and optional private key + /// + /// BouncyCastle X509Certificate + /// Optional private key + /// Optional certificate chain + /// Certificate context + public static K8SCertificateContext FromCertificate( + X509Certificate certificate, + AsymmetricKeyParameter privateKey = null, + List chain = null) + { + Logger.LogTrace("FromCertificate called"); + + if (certificate == null) + { + Logger.LogError("Certificate is null"); + throw new ArgumentNullException(nameof(certificate)); + } + + var context = new K8SCertificateContext + { + Certificate = certificate, + PrivateKey = privateKey, + Chain = chain ?? new List() + }; + + Logger.LogDebug("Certificate loaded: {Summary}", LoggingUtilities.GetCertificateSummary(context.Certificate)); + Logger.LogDebug("Private key present: {HasKey}", context.HasPrivateKey); + Logger.LogDebug("Certificate chain: {Count} certificates", context.Chain.Count); + + return context; + } + + #endregion + + #region Export Methods + + /// + /// Export certificate as PEM string + /// + /// PEM-encoded certificate + public string ExportCertificatePem() + { + Logger.LogTrace("ExportCertificatePem called"); + + if (Certificate == null) + { + Logger.LogError("No certificate available to export"); + throw new InvalidOperationException("No certificate available to export"); + } + + try + { + var pem = CertificateUtilities.ConvertToPem(Certificate); + Logger.LogTrace("Certificate exported to PEM: {Pem}", LoggingUtilities.RedactCertificatePem(pem)); + return pem; + } + catch (Exception ex) + { + Logger.LogError(ex, "Error exporting certificate to PEM: {Message}", ex.Message); + throw; + } + } + + /// + /// Export certificate as DER bytes + /// + /// DER-encoded certificate + public byte[] ExportCertificateDer() + { + if (Certificate == null) + throw new InvalidOperationException("No certificate available to export"); + + return CertificateUtilities.ConvertToDer(Certificate); + } + + /// + /// Export private key as PKCS#8 bytes + /// + /// PKCS#8 encoded private key + public byte[] ExportPrivateKeyPkcs8() + { + Logger.LogTrace("ExportPrivateKeyPkcs8 called"); + + if (PrivateKey == null) + { + Logger.LogError("No private key available to export"); + throw new InvalidOperationException("No private key available to export"); + } + + try + { + var pkcs8 = CertificateUtilities.ExportPrivateKeyPkcs8(PrivateKey); + Logger.LogTrace("Private key exported to PKCS#8: {KeyBytes}", LoggingUtilities.RedactPrivateKeyBytes(pkcs8)); + return pkcs8; + } + catch (Exception ex) + { + Logger.LogError(ex, "Error exporting private key to PKCS#8: {Message}", ex.Message); + throw; + } + } + + /// + /// Export private key as PEM string + /// + /// PEM-encoded private key + public string ExportPrivateKeyPem() + { + if (PrivateKey == null) + throw new InvalidOperationException("No private key available to export"); + + return CertificateUtilities.ExtractPrivateKeyAsPem(PrivateKey); + } + + #endregion +} diff --git a/kubernetes-orchestrator-extension/Models/SerializedStoreInfo.cs b/kubernetes-orchestrator-extension/Models/SerializedStoreInfo.cs index e5af7d7e..6992e91e 100644 --- a/kubernetes-orchestrator-extension/Models/SerializedStoreInfo.cs +++ b/kubernetes-orchestrator-extension/Models/SerializedStoreInfo.cs @@ -9,9 +9,18 @@ namespace Keyfactor.Extensions.Orchestrator.K8S.Models; +/// +/// Data model containing the serialized contents of a certificate store along with its path. +/// Used to transport serialized store data between operations. +/// +/// +/// Inherits from X509Certificate2 to allow treating the store info as a certificate when needed. +/// internal class SerializedStoreInfo : X509Certificate2 { + /// Full file path where the serialized store should be written. public string FilePath { get; set; } + /// The serialized store contents as raw bytes. public byte[] Contents { get; set; } } \ No newline at end of file diff --git a/kubernetes-orchestrator-extension/StoreTypes/ICertificateStoreSerializer.cs b/kubernetes-orchestrator-extension/StoreTypes/ICertificateStoreSerializer.cs index 5f859be0..7ce63e41 100644 --- a/kubernetes-orchestrator-extension/StoreTypes/ICertificateStoreSerializer.cs +++ b/kubernetes-orchestrator-extension/StoreTypes/ICertificateStoreSerializer.cs @@ -11,12 +11,36 @@ namespace Keyfactor.Extensions.Orchestrator.K8S.StoreTypes; +/// +/// Interface for certificate store serializers that handle different keystore formats. +/// Implemented by JKS and PKCS12 serializers to provide a consistent API for +/// reading and writing certificate stores. +/// internal interface ICertificateStoreSerializer { + /// + /// Deserializes a certificate store from raw bytes into a Pkcs12Store for manipulation. + /// + /// The raw store bytes. + /// Path to the store (for logging context). + /// Password to decrypt the store. + /// A Pkcs12Store containing the certificates and keys. Pkcs12Store DeserializeRemoteCertificateStore(byte[] storeContents, string storePath, string storePassword); + /// + /// Serializes a Pkcs12Store back to the appropriate format for storage. + /// + /// The store to serialize. + /// Directory path for the store. + /// Filename for the serialized store. + /// Password to encrypt the store. + /// List of SerializedStoreInfo containing the serialized bytes and path. List SerializeRemoteCertificateStore(Pkcs12Store certificateStore, string storePath, string storeFileName, string storePassword); + /// + /// Gets the path for the private key file (for stores that separate private keys). + /// + /// The private key path, or null if not applicable. string GetPrivateKeyPath(); } \ No newline at end of file diff --git a/kubernetes-orchestrator-extension/StoreTypes/K8SJKS/Store.cs b/kubernetes-orchestrator-extension/StoreTypes/K8SJKS/Store.cs index 591483e8..4c71de9b 100644 --- a/kubernetes-orchestrator-extension/StoreTypes/K8SJKS/Store.cs +++ b/kubernetes-orchestrator-extension/StoreTypes/K8SJKS/Store.cs @@ -13,26 +13,51 @@ using System.Text; using Keyfactor.Extensions.Orchestrator.K8S.Jobs; using Keyfactor.Extensions.Orchestrator.K8S.Models; +using Keyfactor.Extensions.Orchestrator.K8S.Utilities; using Keyfactor.Logging; using Microsoft.Extensions.Logging; +using MsLogLevel = Microsoft.Extensions.Logging.LogLevel; using Org.BouncyCastle.Pkcs; using Org.BouncyCastle.Security; using Org.BouncyCastle.X509; namespace Keyfactor.Extensions.Orchestrator.K8S.StoreTypes.K8SJKS; +/// +/// Serializer for Java KeyStore (JKS) certificate stores in Kubernetes secrets. +/// Handles conversion between JKS format and BouncyCastle's Pkcs12Store for internal processing. +/// +/// +/// JKS stores are converted to PKCS12 internally because BouncyCastle provides better +/// manipulation capabilities for PKCS12 stores. The conversion is transparent to callers. +/// internal class JksCertificateStoreSerializer : ICertificateStoreSerializer { + /// Logger instance for diagnostic output. private readonly ILogger _logger; + /// + /// Initializes a new instance of the JKS certificate store serializer. + /// + /// JSON string of store properties (currently unused). public JksCertificateStoreSerializer(string storeProperties) { _logger = LogHandler.GetClassLogger(GetType()); } + /// + /// Deserializes a JKS keystore from byte data into a Pkcs12Store for manipulation. + /// Handles both true JKS format and PKCS12 format that may have been stored as JKS. + /// + /// The JKS keystore bytes. + /// Path to the store (for logging context). + /// Password to decrypt the keystore. + /// A Pkcs12Store containing the certificates and keys from the JKS. + /// Thrown when store password is null or empty. + /// Thrown when the data is actually PKCS12 format. public Pkcs12Store DeserializeRemoteCertificateStore(byte[] storeContents, string storePath, string storePassword) { - _logger.MethodEntry(); + _logger.MethodEntry(MsLogLevel.Debug); var storeBuilder = new Pkcs12StoreBuilder(); var pkcs12Store = storeBuilder.Build(); var pkcs12StoreNew = storeBuilder.Build(); @@ -44,20 +69,17 @@ public Pkcs12Store DeserializeRemoteCertificateStore(byte[] storeContents, strin _logger.LogError("JKS store password is null or empty for store at path '{Path}'", storePath); throw new ArgumentException("JKS store password is null or empty"); } - - // _logger.LogTrace("storePassword: {Pass}", storePassword.Replace("\n","\\n")); //TODO: INSECURE - Remove this line, it is for debugging purposes only - // var hashedStorePassword = GetSha256Hash(storePassword); - // _logger.LogTrace("hashedStorePassword: {Pass}", hashedStorePassword ?? "null"); + + _logger.LogTrace("StorePassword: {Password}", LoggingUtilities.RedactPassword(storePassword)); + _logger.LogTrace("Password correlation: {CorrelationId}", LoggingUtilities.GetPasswordCorrelationId(storePassword)); var jksStore = new JksStore(); _logger.LogDebug("Loading JKS store"); try { - // _logger.LogTrace("Attempting to load JKS store w/ password"); - // _logger.LogTrace("Attempting to load JKS store w/ password '{Pass}'", - // storePassword.Replace("\n","\\n")); //TODO: INSECURE - Remove this line, it is for debugging purposes only - + _logger.LogTrace("Attempting to load JKS store with provided password"); + using (var ms = new MemoryStream(storeContents)) { jksStore.Load(ms, string.IsNullOrEmpty(storePassword) ? [] : storePassword.ToCharArray()); @@ -76,9 +98,8 @@ public Pkcs12Store DeserializeRemoteCertificateStore(byte[] storeContents, strin } else { - _logger.LogError("Unable to load JKS store using provided password '******'"); - // _logger.LogError("Unable to load JKS store using password '{Pass}'", - // storePassword ?? "null"); //TODO: INSECURE - Remove this line, it is for debugging purposes only + _logger.LogError("Unable to load JKS store using provided password: {Password}", LoggingUtilities.RedactPassword(storePassword)); + _logger.LogTrace("Password correlation: {CorrelationId}", LoggingUtilities.GetPasswordCorrelationId(storePassword)); } throw; @@ -94,9 +115,7 @@ public Pkcs12Store DeserializeRemoteCertificateStore(byte[] storeContents, strin } _logger.LogDebug("Attempting to load JKS store as Pkcs12Store using provided password"); - // _logger.LogTrace("Attempting to load JKS store as Pkcs12Store w/ password '{Pass}'", - // storePassword ?? "null"); //TODO: INSECURE - Remove this line, it is for debugging purposes only - + using (var ms = new MemoryStream(storeContents)) { pkcs12Store.Load(ms, string.IsNullOrEmpty(storePassword) ? [] : storePassword.ToCharArray()); @@ -147,25 +166,30 @@ public Pkcs12Store DeserializeRemoteCertificateStore(byte[] storeContents, strin // internal hashtables necessary to avoid an error later when processing store. var ms2 = new MemoryStream(); _logger.LogDebug("Saving Pkcs12Store to MemoryStream using provided password"); - // _logger.LogTrace("Saving Pkcs12Store to MemoryStream w/ password '{Pass}'", - // storePassword ?? "null"); //TODO: INSECURE - Remove this line, it is for debugging purposes only pkcs12Store.Save(ms2, string.IsNullOrEmpty(storePassword) ? [] : storePassword.ToCharArray(), new SecureRandom()); ms2.Position = 0; _logger.LogDebug("Loading Pkcs12Store from MemoryStream"); - // _logger.LogTrace("Loading Pkcs12Store from MemoryStream w/ password '{Pass}'", - // storePassword ?? "null"); //TODO: INSECURE - Remove this line, it is for debugging purposes only pkcs12StoreNew.Load(ms2, string.IsNullOrEmpty(storePassword) ? [] : storePassword.ToCharArray()); _logger.LogDebug("Returning Pkcs12Store"); + _logger.MethodExit(MsLogLevel.Debug); return pkcs12StoreNew; } + /// + /// Serializes a Pkcs12Store back to JKS format for storage in Kubernetes. + /// + /// The Pkcs12Store to serialize. + /// Directory path for the store. + /// Filename for the serialized store. + /// Password to encrypt the keystore. + /// List of SerializedStoreInfo containing the JKS bytes and path. public List SerializeRemoteCertificateStore(Pkcs12Store certificateStore, string storePath, string storeFileName, string storePassword) { - _logger.MethodEntry(); + _logger.MethodEntry(MsLogLevel.Debug); var jksStore = new JksStore(); @@ -178,8 +202,6 @@ public List SerializeRemoteCertificateStore(Pkcs12Store cer { certificates.AddRange(certificateChain.Select(certificateEntry => certificateEntry.Certificate)); _logger.LogDebug("Processing key entry for alias '{Alias}' using provided password", alias); - // _logger.LogDebug("Alias '{Alias}' is a key entry, setting key entry in JKS store using store password '{Pass}'", - // alias, storePassword ?? "null"); //TODO: INSECURE - Remove this line, it is for debugging purposes only jksStore.SetKeyEntry(alias, keyEntry.Key, string.IsNullOrEmpty(storePassword) ? [] : storePassword.ToCharArray(), certificates.ToArray()); } @@ -191,36 +213,50 @@ public List SerializeRemoteCertificateStore(Pkcs12Store cer using var outStream = new MemoryStream(); _logger.LogDebug("Saving JKS store to MemoryStream using provided password"); - // _logger.LogDebug("Saving JKS store to MemoryStream w/ password '{Pass}'", - // storePassword ?? "null"); //TODO: INSECURE - Remove this line, it is for debugging purposes only jksStore.Save(outStream, string.IsNullOrEmpty(storePassword) ? [] : storePassword.ToCharArray()); var storeInfo = new List { new() { FilePath = Path.Combine(storePath, storeFileName), Contents = outStream.ToArray() } }; - _logger.MethodExit(); + _logger.MethodExit(MsLogLevel.Debug); return storeInfo; } + /// + /// Returns the private key path (not applicable for JKS stores). + /// + /// Always returns null for JKS stores. public string GetPrivateKeyPath() { return null; } + /// + /// Creates a new JKS store or updates an existing one with a new certificate. + /// Handles both add and remove operations. + /// + /// PKCS12 bytes containing the new certificate to add. + /// Password for the new certificate's private key. + /// Alias for the certificate entry in the JKS. + /// Existing JKS store bytes (null for new store). + /// Password for the existing store. + /// True to remove the certificate, false to add. + /// Whether to include the certificate chain. + /// The updated JKS store as byte array. + /// Thrown when the existing store is actually PKCS12 format. public byte[] CreateOrUpdateJks(byte[] newPkcs12Bytes, string newCertPassword, string alias, byte[] existingStore = null, string existingStorePassword = null, bool remove = false, bool includeChain = true) { - _logger.MethodEntry(); + _logger.MethodEntry(MsLogLevel.Debug); // If existingStore is null, create a new store var existingJksStore = new JksStore(); var newJksStore = new JksStore(); var createdNewStore = false; _logger.LogTrace("alias: {Alias}", alias); - // _logger.LogTrace("newCertPassword: {Pass}", - // newCertPassword ?? "null"); //TODO: INSECURE - Remove this line, it is for debugging purposes only - // _logger.LogTrace("existingStorePassword: {Pass}", existingStorePassword ?? "null"); //TODO: INSECURE - Remove this line, it is for debugging purposes only + _logger.LogTrace("newCertPassword: {Password}", LoggingUtilities.RedactPassword(newCertPassword)); + _logger.LogTrace("existingStorePassword: {Password}", LoggingUtilities.RedactPassword(existingStorePassword)); // If existingStore is not null, load it into jksStore if (existingStore != null) @@ -239,10 +275,8 @@ public byte[] CreateOrUpdateJks(byte[] newPkcs12Bytes, string newCertPassword, s if (ex.Message.Contains("password incorrect or store tampered with")) { - _logger.LogError("Unable to load existing JKS store using provided password '******'"); - // _logger.LogError("Unable to load existing JKS store using password '{Pass}'", - // existingStorePassword ?? - // "null"); //TODO: INSECURE - Remove this line, it is for debugging purposes only + _logger.LogError("Unable to load existing JKS store using provided password: {Password}", LoggingUtilities.RedactPassword(existingStorePassword)); + _logger.LogTrace("Password correlation: {CorrelationId}", LoggingUtilities.GetPasswordCorrelationId(existingStorePassword)); throw; } @@ -308,8 +342,7 @@ public byte[] CreateOrUpdateJks(byte[] newPkcs12Bytes, string newCertPassword, s try { _logger.LogDebug("Loading new Pkcs12Store from newPkcs12Bytes"); - // _logger.LogTrace("newCertPassword: {Pass}", - // newCertPassword ?? "null"); //TODO: INSECURE - Remove this line, it is for debugging purposes only + _logger.LogTrace("PKCS12 data: {Data}", LoggingUtilities.RedactPkcs12Bytes(newPkcs12Bytes)); using var pkcs12Ms = new MemoryStream(newPkcs12Bytes); if (pkcs12Ms.Length != 0) newCert.Load(pkcs12Ms, (newCertPassword ?? string.Empty).ToCharArray()); } @@ -399,22 +432,19 @@ public byte[] CreateOrUpdateJks(byte[] newPkcs12Bytes, string newCertPassword, s if (createdNewStore) { _logger.LogDebug("Created new JKS store, saving it to outStream"); - // _logger.LogTrace("Saving new JKS store to outStream w/ password '{Pass}'", - // existingStorePassword ?? "null"); //TODO: INSECURE - Remove this line, it is for debugging purposes only newJksStore.Save(outStream, string.IsNullOrEmpty(existingStorePassword) ? [] : existingStorePassword.ToCharArray()); } else { _logger.LogDebug("Saving existing JKS store to outStream"); - // _logger.LogTrace("Saving existing JKS store to outStream w/ password '{Pass}'", - // existingStorePassword ?? "null"); //TODO: INSECURE - Remove this line, it is for debugging purposes only existingJksStore.Save(outStream, string.IsNullOrEmpty(existingStorePassword) ? [] : existingStorePassword.ToCharArray()); } // Return existingJksStore as byte[] - _logger.MethodExit(); + _logger.LogDebug("JKS store operation complete"); + _logger.MethodExit(MsLogLevel.Debug); return outStream.ToArray(); } } \ No newline at end of file diff --git a/kubernetes-orchestrator-extension/StoreTypes/K8SPKCS12/Store.cs b/kubernetes-orchestrator-extension/StoreTypes/K8SPKCS12/Store.cs index 87aca636..825904f5 100644 --- a/kubernetes-orchestrator-extension/StoreTypes/K8SPKCS12/Store.cs +++ b/kubernetes-orchestrator-extension/StoreTypes/K8SPKCS12/Store.cs @@ -11,24 +11,41 @@ using Keyfactor.Extensions.Orchestrator.K8S.Models; using Keyfactor.Logging; using Microsoft.Extensions.Logging; +using MsLogLevel = Microsoft.Extensions.Logging.LogLevel; using Org.BouncyCastle.Pkcs; using Org.BouncyCastle.Security; using Org.BouncyCastle.X509; namespace Keyfactor.Extensions.Orchestrator.K8S.StoreTypes.K8SPKCS12; +/// +/// Serializer for PKCS12/PFX certificate stores in Kubernetes secrets. +/// Handles loading, saving, and manipulation of PKCS12 stores. +/// internal class Pkcs12CertificateStoreSerializer : ICertificateStoreSerializer { + /// Logger instance for diagnostic output. private readonly ILogger _logger; + /// + /// Initializes a new instance of the PKCS12 certificate store serializer. + /// + /// JSON string of store properties (currently unused). public Pkcs12CertificateStoreSerializer(string storeProperties) { _logger = LogHandler.GetClassLogger(GetType()); } + /// + /// Deserializes a PKCS12 keystore from byte data. + /// + /// The PKCS12 keystore bytes. + /// Path to the store (for logging context). + /// Password to decrypt the keystore. + /// A Pkcs12Store containing the certificates and keys. public Pkcs12Store DeserializeRemoteCertificateStore(byte[] storeContents, string storePath, string storePassword) { - _logger.MethodEntry(LogLevel.Debug); + _logger.MethodEntry(MsLogLevel.Debug); var storeBuilder = new Pkcs12StoreBuilder(); var store = storeBuilder.Build(); @@ -37,14 +54,22 @@ public Pkcs12Store DeserializeRemoteCertificateStore(byte[] storeContents, strin _logger.LogDebug("Loading Pkcs12Store from MemoryStream from {Path}", storePath); store.Load(ms, string.IsNullOrEmpty(storePassword) ? Array.Empty() : storePassword.ToCharArray()); _logger.LogDebug("Pkcs12Store loaded from {Path}", storePath); - + _logger.MethodExit(MsLogLevel.Debug); return store; } + /// + /// Serializes a Pkcs12Store back to PKCS12 format for storage in Kubernetes. + /// + /// The Pkcs12Store to serialize. + /// Directory path for the store. + /// Filename for the serialized store. + /// Password to encrypt the keystore. + /// List of SerializedStoreInfo containing the PKCS12 bytes and path. public List SerializeRemoteCertificateStore(Pkcs12Store certificateStore, string storePath, string storeFileName, string storePassword) { - _logger.MethodEntry(LogLevel.Debug); + _logger.MethodEntry(MsLogLevel.Debug); var storeBuilder = new Pkcs12StoreBuilder(); var pkcs12Store = storeBuilder.Build(); @@ -86,20 +111,36 @@ public List SerializeRemoteCertificateStore(Pkcs12Store cer Contents = outStream.ToArray() }); - _logger.MethodExit(LogLevel.Debug); + _logger.MethodExit(MsLogLevel.Debug); return storeInfo; } + /// + /// Returns the private key path (not applicable for PKCS12 stores). + /// + /// Always returns null for PKCS12 stores. public string GetPrivateKeyPath() { return null; } + /// + /// Creates a new PKCS12 store or updates an existing one with a new certificate. + /// Handles both add and remove operations. + /// + /// PKCS12 bytes containing the new certificate to add. + /// Password for the new certificate's private key. + /// Alias for the certificate entry in the store. + /// Existing PKCS12 store bytes (null for new store). + /// Password for the existing store. + /// True to remove the certificate, false to add. + /// Whether to include the certificate chain. + /// The updated PKCS12 store as byte array. public byte[] CreateOrUpdatePkcs12(byte[] newPkcs12Bytes, string newCertPassword, string alias, byte[] existingStore = null, string existingStorePassword = null, bool remove = false, bool includeChain = true) { - _logger.MethodEntry(LogLevel.Debug); + _logger.MethodEntry(MsLogLevel.Debug); _logger.LogDebug("Creating or updating PKCS12 store for alias '{Alias}'", alias); // If existingStore is null, create a new store @@ -138,7 +179,7 @@ public byte[] CreateOrUpdatePkcs12(byte[] newPkcs12Bytes, string newCertPassword : existingStorePassword.ToCharArray(), new SecureRandom()); _logger.LogDebug("Converting existingPkcs12Store to byte[] and returning"); - _logger.MethodExit(LogLevel.Debug); + _logger.MethodExit(MsLogLevel.Debug); return mms.ToArray(); } } @@ -154,7 +195,7 @@ public byte[] CreateOrUpdatePkcs12(byte[] newPkcs12Bytes, string newCertPassword new SecureRandom()); _logger.LogDebug("Converting existingPkcs12Store to byte[] and returning"); - _logger.MethodExit(LogLevel.Debug); + _logger.MethodExit(MsLogLevel.Debug); return existingPkcs12StoreMs.ToArray(); } } @@ -279,7 +320,7 @@ public byte[] CreateOrUpdatePkcs12(byte[] newPkcs12Bytes, string newCertPassword // Return existingPkcs12Store as byte[] _logger.LogDebug("Converting existingPkcs12Store to byte[] and returning"); - _logger.MethodExit(LogLevel.Debug); + _logger.MethodExit(MsLogLevel.Debug); return outStream.ToArray(); } } \ No newline at end of file diff --git a/kubernetes-orchestrator-extension/Utilities/CertificateUtilities.cs b/kubernetes-orchestrator-extension/Utilities/CertificateUtilities.cs new file mode 100644 index 00000000..b09dc688 --- /dev/null +++ b/kubernetes-orchestrator-extension/Utilities/CertificateUtilities.cs @@ -0,0 +1,752 @@ +using System; +using System.Collections.Generic; +using System.IO; +using System.Linq; +using System.Text; +using Keyfactor.Logging; +using Keyfactor.PKI.Enums; +using Keyfactor.PKI.Extensions; +using Keyfactor.PKI.PEM; +using Microsoft.Extensions.Logging; +using Org.BouncyCastle.Asn1.Pkcs; +using Org.BouncyCastle.Asn1.X509; +using Org.BouncyCastle.Crypto; +using Org.BouncyCastle.Crypto.Parameters; +using Org.BouncyCastle.Math.EC.Rfc8032; +using Org.BouncyCastle.Pkcs; +using Org.BouncyCastle.Security; +using Org.BouncyCastle.Utilities.IO.Pem; +using Org.BouncyCastle.X509; + +namespace Keyfactor.Extensions.Orchestrator.K8S.Utilities; + +/// +/// Certificate format enumeration +/// +public enum CertificateFormat +{ + Unknown, + Pem, + Der, + Pkcs12 +} + +/// +/// Utility class providing BouncyCastle-based implementations for certificate operations. +/// This class replaces X509Certificate2 usage to avoid deprecated APIs and ensure cross-platform compatibility. +/// +public static class CertificateUtilities +{ + private static readonly ILogger Logger = LogHandler.GetClassLogger(typeof(CertificateUtilities)); + + #region Certificate Parsing + + /// + /// Parse a certificate from byte array data, automatically detecting the format + /// + /// Certificate data bytes + /// Optional format hint. If Unknown, format will be auto-detected + /// Parsed X509Certificate + public static X509Certificate ParseCertificate(byte[] certData, CertificateFormat format = CertificateFormat.Unknown) + { + Logger.LogTrace("ParseCertificate called with {ByteCount} bytes, format hint: {Format}", + certData?.Length ?? 0, format); + + if (certData == null || certData.Length == 0) + { + Logger.LogError("Certificate data is null or empty"); + throw new ArgumentException("Certificate data cannot be null or empty", nameof(certData)); + } + + if (format == CertificateFormat.Unknown) + { + Logger.LogTrace("Format not specified, detecting format"); + format = DetectFormat(certData); + Logger.LogDebug("Detected certificate format: {Format}", format); + } + + try + { + var cert = format switch + { + CertificateFormat.Pem => ParseCertificateFromPem(Encoding.UTF8.GetString(certData)), + CertificateFormat.Der => ParseCertificateFromDer(certData), + CertificateFormat.Pkcs12 => throw new ArgumentException( + "Use ParseCertificateFromPkcs12 for PKCS12 format certificates"), + _ => throw new ArgumentException($"Unknown certificate format: {format}") + }; + + Logger.LogDebug("Certificate parsed successfully: {Summary}", LoggingUtilities.GetCertificateSummary(cert)); + return cert; + } + catch (Exception ex) + { + Logger.LogError(ex, "Error parsing certificate: {Message}", ex.Message); + throw; + } + } + + /// + /// Parse a certificate from PEM string + /// + /// PEM-encoded certificate string + /// Parsed X509Certificate + public static X509Certificate ParseCertificateFromPem(string pemString) + { + Logger.LogTrace("ParseCertificateFromPem called with PEM length: {Length}", pemString?.Length ?? 0); + + if (string.IsNullOrWhiteSpace(pemString)) + { + Logger.LogError("PEM string is null or empty"); + throw new ArgumentException("PEM string cannot be null or empty", nameof(pemString)); + } + + try + { + var derBytes = PemUtilities.PEMToDER(pemString); + var certificateParser = new X509CertificateParser(); + var cert = certificateParser.ReadCertificate(derBytes); + + if (cert == null) + { + Logger.LogError("Failed to parse certificate from PEM"); + throw new ArgumentException("Invalid PEM certificate format"); + } + + Logger.LogDebug("Certificate parsed from PEM: {Summary}", LoggingUtilities.GetCertificateSummary(cert)); + return cert; + } + catch (Exception ex) + { + Logger.LogError(ex, "Error parsing certificate from PEM: {Message}", ex.Message); + throw; + } + } + + /// + /// Parse a certificate from DER-encoded bytes + /// + /// DER-encoded certificate bytes + /// Parsed X509Certificate + public static X509Certificate ParseCertificateFromDer(byte[] derBytes) + { + Logger.LogTrace("ParseCertificateFromDer called with {ByteCount} bytes", derBytes?.Length ?? 0); + + if (derBytes == null || derBytes.Length == 0) + { + Logger.LogError("DER bytes are null or empty"); + throw new ArgumentException("DER bytes cannot be null or empty", nameof(derBytes)); + } + + try + { + var certificateParser = new X509CertificateParser(); + var cert = certificateParser.ReadCertificate(derBytes); + + Logger.LogDebug("Certificate parsed from DER: {Summary}", LoggingUtilities.GetCertificateSummary(cert)); + return cert; + } + catch (Exception ex) + { + Logger.LogError(ex, "Error parsing certificate from DER: {Message}", ex.Message); + throw; + } + } + + /// + /// Parse a certificate from a PKCS12/PFX store + /// + /// PKCS12 store bytes + /// Store password + /// Optional alias. If null, first key entry will be used + /// Parsed X509Certificate + public static X509Certificate ParseCertificateFromPkcs12(byte[] pkcs12Bytes, string password, string alias = null) + { + Logger.LogTrace("ParseCertificateFromPkcs12 called with {ByteCount} bytes, alias: {Alias}", + pkcs12Bytes?.Length ?? 0, alias ?? "null"); + Logger.LogTrace("Password: {Password}", LoggingUtilities.RedactPassword(password)); + + if (pkcs12Bytes == null || pkcs12Bytes.Length == 0) + { + Logger.LogError("PKCS12 bytes are null or empty"); + throw new ArgumentException("PKCS12 bytes cannot be null or empty", nameof(pkcs12Bytes)); + } + + try + { + var store = LoadPkcs12Store(pkcs12Bytes, password); + + if (string.IsNullOrEmpty(alias)) + { + alias = store.Aliases.FirstOrDefault(a => store.IsKeyEntry(a)); + Logger.LogDebug("No alias specified, using first key entry: {Alias}", alias ?? "null"); + } + + if (alias == null) + { + Logger.LogError("No key entry found in PKCS12 store"); + throw new ArgumentException("No key entry found in PKCS12 store"); + } + + var certEntry = store.GetCertificate(alias); + var cert = certEntry?.Certificate; + + if (cert != null) + { + Logger.LogDebug("Certificate loaded from PKCS12: {Summary}", LoggingUtilities.GetCertificateSummary(cert)); + } + else + { + Logger.LogWarning("Certificate entry for alias '{Alias}' is null", alias); + } + + return cert; + } + catch (Exception ex) + { + Logger.LogError(ex, "Error parsing certificate from PKCS12: {Message}", ex.Message); + throw; + } + } + + #endregion + + #region Certificate Properties + + /// + /// Get the certificate thumbprint (SHA-1 hash of DER-encoded certificate) + /// + /// Certificate + /// Uppercase hexadecimal string representation of SHA-1 hash + public static string GetThumbprint(X509Certificate cert) + { + Logger.LogTrace("GetThumbprint called for certificate: {Subject}", cert?.SubjectDN?.ToString() ?? "null"); + + if (cert == null) + { + Logger.LogError("Certificate is null"); + throw new ArgumentNullException(nameof(cert)); + } + + try + { + var thumbprint = BouncyCastleX509Extensions.Thumbprint(cert); + Logger.LogTrace("Computed thumbprint: {Thumbprint}", thumbprint); + return thumbprint; + } + catch (Exception ex) + { + Logger.LogError(ex, "Error computing thumbprint: {Message}", ex.Message); + throw; + } + } + + /// + /// Get the Common Name (CN) from the certificate subject + /// + /// Certificate + /// Subject Common Name or empty string if not found + public static string GetSubjectCN(X509Certificate cert) + { + if (cert == null) + throw new ArgumentNullException(nameof(cert)); + + return BouncyCastleX509Extensions.CommonName(cert) ?? string.Empty; + } + + /// + /// Get the full subject Distinguished Name + /// + /// Certificate + /// Subject DN string + public static string GetSubjectDN(X509Certificate cert) + { + if (cert == null) + throw new ArgumentNullException(nameof(cert)); + + return cert.SubjectDN.ToString(); + } + + /// + /// Get the Common Name (CN) from the certificate issuer + /// + /// Certificate + /// Issuer Common Name or empty string if not found + public static string GetIssuerCN(X509Certificate cert) + { + if (cert == null) + throw new ArgumentNullException(nameof(cert)); + + var issuer = cert.IssuerDN; + var oids = issuer.GetOidList(); + var values = issuer.GetValueList(); + + for (var i = 0; i < oids.Count; i++) + { + if (oids[i].ToString() == X509Name.CN.Id) + return values[i].ToString(); + } + + return string.Empty; + } + + /// + /// Get the full issuer Distinguished Name + /// + /// Certificate + /// Issuer DN string + public static string GetIssuerDN(X509Certificate cert) + { + if (cert == null) + throw new ArgumentNullException(nameof(cert)); + + return cert.IssuerDN.ToString(); + } + + /// + /// Get the certificate validity start date + /// + /// Certificate + /// NotBefore date + public static DateTime GetNotBefore(X509Certificate cert) + { + if (cert == null) + throw new ArgumentNullException(nameof(cert)); + + return cert.NotBefore; + } + + /// + /// Get the certificate validity end date + /// + /// Certificate + /// NotAfter date + public static DateTime GetNotAfter(X509Certificate cert) + { + if (cert == null) + throw new ArgumentNullException(nameof(cert)); + + return cert.NotAfter; + } + + /// + /// Get the certificate serial number + /// + /// Certificate + /// Serial number as hexadecimal string + public static string GetSerialNumber(X509Certificate cert) + { + if (cert == null) + throw new ArgumentNullException(nameof(cert)); + + return BouncyCastleX509Extensions.SerialNumber(cert); + } + + /// + /// Get the public key algorithm name + /// + /// Certificate + /// Algorithm name: "RSA", "ECDSA", "DSA", or "Unknown" + public static string GetKeyAlgorithm(X509Certificate cert) + { + if (cert == null) + throw new ArgumentNullException(nameof(cert)); + + // Use direct type checking instead of obsolete EncryptionKeyType enum + var publicKey = cert.GetPublicKey(); + return publicKey switch + { + RsaKeyParameters => "RSA", + ECPublicKeyParameters => "ECDSA", + DsaPublicKeyParameters => "DSA", + Ed25519PublicKeyParameters => "Ed25519", + Ed448PublicKeyParameters => "Ed448", + _ => "Unknown" + }; + } + + /// + /// Get the public key bytes + /// + /// Certificate + /// Public key bytes + public static byte[] GetPublicKey(X509Certificate cert) + { + if (cert == null) + throw new ArgumentNullException(nameof(cert)); + + var publicKeyInfo = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(cert.GetPublicKey()); + return publicKeyInfo.GetEncoded(); + } + + #endregion + + #region Private Key Operations + + /// + /// Extract private key from PKCS12 store + /// + /// PKCS12 store + /// Key alias. If null, first key entry will be used + /// Key password (may differ from store password) + /// Private key parameter + public static AsymmetricKeyParameter ExtractPrivateKey(Pkcs12Store store, string alias = null, string password = null) + { + Logger.LogTrace("ExtractPrivateKey called with alias: {Alias}", alias ?? "null"); + + if (store == null) + { + Logger.LogError("PKCS12 store is null"); + throw new ArgumentNullException(nameof(store)); + } + + try + { + if (string.IsNullOrEmpty(alias)) + { + alias = store.Aliases.FirstOrDefault(a => store.IsKeyEntry(a)); + Logger.LogDebug("No alias specified, using first key entry: {Alias}", alias ?? "null"); + } + + if (alias == null) + { + Logger.LogError("No key entry found in PKCS12 store"); + throw new ArgumentException("No key entry found in PKCS12 store"); + } + + if (!store.IsKeyEntry(alias)) + { + Logger.LogError("Alias '{Alias}' does not have a private key entry", alias); + throw new ArgumentException($"Alias '{alias}' does not have a private key entry"); + } + + var keyEntry = store.GetKey(alias); + var key = keyEntry?.Key; + + if (key != null) + { + Logger.LogDebug("Private key extracted: {KeyInfo}", LoggingUtilities.RedactPrivateKey(key)); + } + else + { + Logger.LogWarning("Key entry for alias '{Alias}' is null", alias); + } + + return key; + } + catch (Exception ex) + { + Logger.LogError(ex, "Error extracting private key: {Message}", ex.Message); + throw; + } + } + + /// + /// Extract private key as PEM string + /// + /// Private key parameter + /// Key type for PEM header (e.g., "RSA PRIVATE KEY", "EC PRIVATE KEY"). If null, will be auto-detected. + /// PEM-encoded private key + public static string ExtractPrivateKeyAsPem(AsymmetricKeyParameter privateKey, string keyType = null) + { + if (privateKey == null) + throw new ArgumentNullException(nameof(privateKey)); + + if (string.IsNullOrEmpty(keyType)) + { + keyType = privateKey switch + { + RsaPrivateCrtKeyParameters => "RSA PRIVATE KEY", + ECPrivateKeyParameters => "EC PRIVATE KEY", + DsaPrivateKeyParameters => "DSA PRIVATE KEY", + _ => throw new ArgumentException("Unsupported private key type") + }; + } + + using var stringWriter = new StringWriter(); + var pemWriter = new PemWriter(stringWriter); + var privateKeyInfo = PrivateKeyInfoFactory.CreatePrivateKeyInfo(privateKey); + var privateKeyBytes = privateKeyInfo.ToAsn1Object().GetEncoded(); + var pemObject = new PemObject(keyType, privateKeyBytes); + pemWriter.WriteObject(pemObject); + pemWriter.Writer.Flush(); + + return stringWriter.ToString(); + } + + /// + /// Export private key in PKCS#8 format + /// + /// Private key parameter + /// PKCS#8 encoded private key bytes + public static byte[] ExportPrivateKeyPkcs8(AsymmetricKeyParameter privateKey) + { + Logger.LogTrace("ExportPrivateKeyPkcs8 called"); + + if (privateKey == null) + { + Logger.LogError("Private key is null"); + throw new ArgumentNullException(nameof(privateKey)); + } + + try + { + var privateKeyInfo = PrivateKeyInfoFactory.CreatePrivateKeyInfo(privateKey); + var encoded = privateKeyInfo.ToAsn1Object().GetEncoded(); + + Logger.LogTrace("Private key exported to PKCS#8: {KeyBytes}", LoggingUtilities.RedactPrivateKeyBytes(encoded)); + return encoded; + } + catch (Exception ex) + { + Logger.LogError(ex, "Error exporting private key to PKCS#8: {Message}", ex.Message); + throw; + } + } + + /// + /// Get the private key algorithm type + /// + /// Private key parameter + /// Key type: "RSA", "EC", "DSA", or "Unknown" + public static string GetPrivateKeyType(AsymmetricKeyParameter privateKey) + { + if (privateKey == null) + throw new ArgumentNullException(nameof(privateKey)); + + return privateKey switch + { + RsaPrivateCrtKeyParameters => "RSA", + ECPrivateKeyParameters => "EC", + DsaPrivateKeyParameters => "DSA", + _ => "Unknown" + }; + } + + #endregion + + #region Chain Operations + + /// + /// Load certificate chain from PEM data + /// + /// PEM data containing multiple certificates + /// List of certificates in order + public static List LoadCertificateChain(string pemData) + { + Logger.LogTrace("LoadCertificateChain called with PEM data length: {Length}", pemData?.Length ?? 0); + + if (string.IsNullOrWhiteSpace(pemData)) + { + Logger.LogDebug("PEM data is null or empty, returning empty certificate list"); + return new List(); + } + + try + { + var pemReader = new PemReader(new StringReader(pemData)); + var certificates = new List(); + + PemObject pemObject; + while ((pemObject = pemReader.ReadPemObject()) != null) + { + if (pemObject.Type == "CERTIFICATE") + { + var certificateParser = new X509CertificateParser(); + var certificate = certificateParser.ReadCertificate(pemObject.Content); + certificates.Add(certificate); + Logger.LogTrace("Loaded certificate {Index}: {Summary}", + certificates.Count, LoggingUtilities.GetCertificateSummary(certificate)); + } + } + + Logger.LogDebug("Loaded {Count} certificates from PEM chain", certificates.Count); + return certificates; + } + catch (Exception ex) + { + Logger.LogError(ex, "Error loading certificate chain from PEM: {Message}", ex.Message); + throw; + } + } + + /// + /// Extract certificate chain from PKCS12 store + /// + /// PKCS12 store bytes + /// Store password + /// Optional alias. If null, first key entry will be used + /// List of certificates in chain order + public static List ExtractChainFromPkcs12(byte[] pkcs12Bytes, string password, string alias = null) + { + if (pkcs12Bytes == null || pkcs12Bytes.Length == 0) + throw new ArgumentException("PKCS12 bytes cannot be null or empty", nameof(pkcs12Bytes)); + + var store = LoadPkcs12Store(pkcs12Bytes, password); + + if (string.IsNullOrEmpty(alias)) + alias = store.Aliases.FirstOrDefault(a => store.IsKeyEntry(a)); + + if (alias == null) + return new List(); + + var chain = store.GetCertificateChain(alias); + return chain?.Select(entry => entry.Certificate).ToList() ?? new List(); + } + + #endregion + + #region Format Detection and Conversion + + /// + /// Detect the certificate format from byte array data + /// + /// Certificate data bytes + /// Detected format + public static CertificateFormat DetectFormat(byte[] data) + { + Logger.LogTrace("DetectFormat called with {ByteCount} bytes", data?.Length ?? 0); + + if (data == null || data.Length == 0) + { + Logger.LogDebug("Data is null or empty, format: Unknown"); + return CertificateFormat.Unknown; + } + + // Check for PEM format (starts with "-----BEGIN") + var header = Encoding.UTF8.GetString(data.Take(Math.Min(30, data.Length)).ToArray()); + if (header.Contains("-----BEGIN")) + { + Logger.LogDebug("Detected format: PEM"); + return CertificateFormat.Pem; + } + + // Check for PKCS12 format (starts with 0x30 0x82 or 0x30 0x80) + if (data.Length >= 2 && data[0] == 0x30 && (data[1] == 0x82 || data[1] == 0x80 || data[1] == 0x84)) + { + Logger.LogTrace("Data starts with ASN.1 sequence tag, checking if DER or PKCS12"); + + // Try to parse as DER certificate first + try + { + var parser = new X509CertificateParser(); + parser.ReadCertificate(data); + Logger.LogDebug("Detected format: DER"); + return CertificateFormat.Der; + } + catch + { + // If DER parsing fails, it might be PKCS12 + Logger.LogTrace("Not DER format, checking if PKCS12"); + try + { + var storeBuilder = new Pkcs12StoreBuilder(); + var store = storeBuilder.Build(); + using var ms = new MemoryStream(data); + store.Load(ms, Array.Empty()); + Logger.LogDebug("Detected format: PKCS12"); + return CertificateFormat.Pkcs12; + } + catch + { + Logger.LogDebug("Could not detect format, returning Unknown"); + return CertificateFormat.Unknown; + } + } + } + + Logger.LogDebug("No recognizable format detected, returning Unknown"); + return CertificateFormat.Unknown; + } + + /// + /// Convert certificate to PEM format + /// + /// Certificate + /// PEM-encoded certificate string + public static string ConvertToPem(X509Certificate cert) + { + if (cert == null) + throw new ArgumentNullException(nameof(cert)); + + return PemUtilities.DERToPEM(cert.GetEncoded(), PemUtilities.PemObjectType.Certificate); + } + + /// + /// Convert certificate to DER format + /// + /// Certificate + /// DER-encoded certificate bytes + public static byte[] ConvertToDer(X509Certificate cert) + { + if (cert == null) + throw new ArgumentNullException(nameof(cert)); + + return cert.GetEncoded(); + } + + #endregion + + #region Helper Methods + + /// + /// Load a PKCS12 store from bytes + /// + /// PKCS12 store bytes + /// Store password + /// Loaded PKCS12 store + public static Pkcs12Store LoadPkcs12Store(byte[] pkcs12Data, string password) + { + Logger.LogTrace("LoadPkcs12Store called with {ByteCount} bytes", pkcs12Data?.Length ?? 0); + Logger.LogTrace("Password: {Password}", LoggingUtilities.RedactPassword(password)); + Logger.LogTrace("Password correlation: {CorrelationId}", LoggingUtilities.GetPasswordCorrelationId(password)); + + if (pkcs12Data == null || pkcs12Data.Length == 0) + { + Logger.LogError("PKCS12 data is null or empty"); + throw new ArgumentException("PKCS12 data cannot be null or empty", nameof(pkcs12Data)); + } + + try + { + var storeBuilder = new Pkcs12StoreBuilder(); + var store = storeBuilder.Build(); + + using var ms = new MemoryStream(pkcs12Data); + var passwordChars = string.IsNullOrEmpty(password) ? Array.Empty() : password.ToCharArray(); + store.Load(ms, passwordChars); + + var aliasCount = store.Aliases.Count(); + Logger.LogDebug("PKCS12 store loaded successfully with {AliasCount} aliases", aliasCount); + + return store; + } + catch (Exception ex) + { + Logger.LogError(ex, "Error loading PKCS12 store: {Message}", ex.Message); + throw; + } + } + + /// + /// Check if data is in DER format + /// + /// Data bytes + /// True if DER format + public static bool IsDerFormat(byte[] data) + { + try + { + var parser = new X509CertificateParser(); + var cert = parser.ReadCertificate(data); + // ReadCertificate returns null for invalid/incomplete data instead of throwing + return cert != null; + } + catch + { + return false; + } + } + + #endregion +} diff --git a/kubernetes-orchestrator-extension/Utilities/LoggingUtilities.cs b/kubernetes-orchestrator-extension/Utilities/LoggingUtilities.cs new file mode 100644 index 00000000..d3f0def5 --- /dev/null +++ b/kubernetes-orchestrator-extension/Utilities/LoggingUtilities.cs @@ -0,0 +1,445 @@ +// Copyright 2025 Keyfactor +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// http://www.apache.org/licenses/LICENSE-2.0 +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +using System; +using System.Collections.Generic; +using System.Linq; +using System.Security.Cryptography; +using System.Text; +using k8s.Models; +using Org.BouncyCastle.Crypto; +using Org.BouncyCastle.OpenSsl; +using Org.BouncyCastle.X509; +using X509Certificate = System.Security.Cryptography.X509Certificates.X509Certificate2; + +namespace Keyfactor.Extensions.Orchestrator.K8S.Utilities +{ + /// + /// Provides utilities for safe logging of sensitive data by redacting or summarizing + /// passwords, private keys, certificates, and other sensitive information. + /// + public static class LoggingUtilities + { + #region Password Redaction + + /// + /// Redacts a password for safe logging. Returns a string indicating the password + /// is redacted along with its length. + /// + /// The password to redact + /// A redacted string like "***REDACTED*** (length: N)" or "EMPTY" or "NULL" + public static string RedactPassword(string password) + { + if (password == null) + { + return "NULL"; + } + + if (string.IsNullOrEmpty(password)) + { + return "EMPTY"; + } + + return $"***REDACTED*** (length: {password.Length})"; + } + + /// + /// Generates a correlation ID for a password based on its SHA-256 hash. + /// This allows tracking the same password across multiple operations without + /// logging the actual password value. + /// + /// The password to generate a correlation ID for + /// A correlation ID like "hash:abc123..." or "NULL" or "EMPTY" + public static string GetPasswordCorrelationId(string password) + { + if (password == null) + { + return "NULL"; + } + + if (string.IsNullOrEmpty(password)) + { + return "EMPTY"; + } + + using (var sha256 = SHA256.Create()) + { + var hashBytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(password)); + var hashPrefix = BitConverter.ToString(hashBytes).Replace("-", "").Substring(0, 16).ToLower(); + return $"hash:{hashPrefix}"; + } + } + + #endregion + + #region Private Key Redaction + + /// + /// Redacts a private key in PEM format for safe logging. Shows the key type and + /// length only, never the actual key material. + /// + /// The PEM-encoded private key + /// A redacted string showing key type and length, or "EMPTY" or "NULL" + public static string RedactPrivateKeyPem(string privateKeyPem) + { + if (privateKeyPem == null) + { + return "NULL"; + } + + if (string.IsNullOrEmpty(privateKeyPem)) + { + return "EMPTY"; + } + + // Detect key type from PEM header + string keyType = "UNKNOWN"; + if (privateKeyPem.Contains("BEGIN RSA PRIVATE KEY")) + { + keyType = "RSA"; + } + else if (privateKeyPem.Contains("BEGIN EC PRIVATE KEY")) + { + keyType = "EC"; + } + else if (privateKeyPem.Contains("BEGIN PRIVATE KEY")) + { + keyType = "PKCS8"; + } + else if (privateKeyPem.Contains("BEGIN ENCRYPTED PRIVATE KEY")) + { + keyType = "ENCRYPTED_PKCS8"; + } + + return $"***REDACTED_PRIVATE_KEY*** (type: {keyType}, length: {privateKeyPem.Length})"; + } + + /// + /// Redacts a private key in byte array format for safe logging. + /// + /// The private key bytes + /// A redacted string showing byte count, or "EMPTY" or "NULL" + public static string RedactPrivateKeyBytes(byte[] privateKeyBytes) + { + if (privateKeyBytes == null) + { + return "NULL"; + } + + if (privateKeyBytes.Length == 0) + { + return "EMPTY"; + } + + return $"***REDACTED_PRIVATE_KEY_BYTES*** (count: {privateKeyBytes.Length})"; + } + + /// + /// Redacts a BouncyCastle AsymmetricKeyParameter for safe logging. + /// + /// The private key parameter + /// A redacted string showing key type, or "NULL" + public static string RedactPrivateKey(AsymmetricKeyParameter privateKey) + { + if (privateKey == null) + { + return "NULL"; + } + + var keyType = privateKey.GetType().Name; + return $"***REDACTED_PRIVATE_KEY*** (type: {keyType}, isPrivate: {privateKey.IsPrivate})"; + } + + #endregion + + #region Certificate Data Redaction + + /// + /// Gets a safe summary of a certificate for logging. Includes subject, thumbprint, + /// and validity period, but not the certificate data itself. + /// + /// The certificate to summarize + /// A summary string with certificate metadata + public static string GetCertificateSummary(X509Certificate certificate) + { + if (certificate == null) + { + return "NULL"; + } + + try + { + var subject = certificate.Subject; + var thumbprint = certificate.Thumbprint; + var notBefore = certificate.NotBefore.ToString("yyyy-MM-dd"); + var notAfter = certificate.NotAfter.ToString("yyyy-MM-dd"); + + return $"Subject: {subject}, Thumbprint: {thumbprint}, Valid: {notBefore} to {notAfter}"; + } + catch (Exception ex) + { + return $"ERROR_READING_CERTIFICATE: {ex.Message}"; + } + } + + /// + /// Gets a safe summary of a BouncyCastle certificate for logging. + /// + /// The BouncyCastle certificate to summarize + /// A summary string with certificate metadata + public static string GetCertificateSummary(Org.BouncyCastle.X509.X509Certificate certificate) + { + if (certificate == null) + { + return "NULL"; + } + + try + { + var subject = certificate.SubjectDN.ToString(); + var thumbprint = CertificateUtilities.GetThumbprint(certificate); + var notBefore = certificate.NotBefore.ToString("yyyy-MM-dd"); + var notAfter = certificate.NotAfter.ToString("yyyy-MM-dd"); + + return $"Subject: {subject}, Thumbprint: {thumbprint}, Valid: {notBefore} to {notAfter}"; + } + catch (Exception ex) + { + return $"ERROR_READING_CERTIFICATE: {ex.Message}"; + } + } + + /// + /// Gets a safe summary of a certificate from PEM string for logging. + /// + /// The PEM-encoded certificate + /// A summary string with certificate metadata or error message + public static string GetCertificateSummaryFromPem(string certificatePem) + { + if (certificatePem == null) + { + return "NULL"; + } + + if (string.IsNullOrEmpty(certificatePem)) + { + return "EMPTY"; + } + + try + { + var cert = CertificateUtilities.ParseCertificateFromPem(certificatePem); + return GetCertificateSummary(cert); + } + catch (Exception ex) + { + return $"ERROR_PARSING_CERTIFICATE: {ex.Message}"; + } + } + + /// + /// Redacts a certificate in PEM format for safe logging. Shows length only. + /// + /// The PEM-encoded certificate + /// A redacted string showing length, or "EMPTY" or "NULL" + public static string RedactCertificatePem(string certificatePem) + { + if (certificatePem == null) + { + return "NULL"; + } + + if (string.IsNullOrEmpty(certificatePem)) + { + return "EMPTY"; + } + + return $"***REDACTED_CERTIFICATE_PEM*** (length: {certificatePem.Length})"; + } + + /// + /// Redacts PKCS12/PFX bytes for safe logging. Shows size only. + /// + /// The PKCS12 data + /// A redacted string showing byte count, or "EMPTY" or "NULL" + public static string RedactPkcs12Bytes(byte[] pkcs12Bytes) + { + if (pkcs12Bytes == null) + { + return "NULL"; + } + + if (pkcs12Bytes.Length == 0) + { + return "EMPTY"; + } + + return $"***REDACTED_PKCS12*** (bytes: {pkcs12Bytes.Length})"; + } + + #endregion + + #region Kubernetes Secret Redaction + + /// + /// Gets a safe summary of a Kubernetes secret for logging. Includes metadata + /// but never the secret data itself. + /// + /// The Kubernetes secret + /// A summary string with secret metadata + public static string GetSecretSummary(V1Secret secret) + { + if (secret == null) + { + return "NULL"; + } + + try + { + var name = secret.Metadata?.Name ?? "UNKNOWN"; + var ns = secret.Metadata?.NamespaceProperty ?? "UNKNOWN"; + var type = secret.Type ?? "UNKNOWN"; + var dataKeyCount = secret.Data?.Count ?? 0; + var dataKeys = secret.Data != null ? string.Join(", ", secret.Data.Keys) : "NONE"; + + return $"Name: {name}, Namespace: {ns}, Type: {type}, DataKeys: [{dataKeys}] (count: {dataKeyCount})"; + } + catch (Exception ex) + { + return $"ERROR_READING_SECRET: {ex.Message}"; + } + } + + /// + /// Gets a safe summary of secret data keys for logging. Shows keys but never values. + /// + /// The secret data dictionary + /// A comma-separated list of keys or "EMPTY" or "NULL" + public static string GetSecretDataKeysSummary(IDictionary secretData) + { + if (secretData == null) + { + return "NULL"; + } + + if (secretData.Count == 0) + { + return "EMPTY"; + } + + return string.Join(", ", secretData.Keys); + } + + /// + /// Redacts a kubeconfig JSON string for safe logging. Shows structure but not + /// sensitive data like tokens or certificates. + /// + /// The kubeconfig JSON string + /// A safe summary of the kubeconfig structure + public static string RedactKubeconfig(string kubeconfigJson) + { + if (kubeconfigJson == null) + { + return "NULL"; + } + + if (string.IsNullOrEmpty(kubeconfigJson)) + { + return "EMPTY"; + } + + // Count the number of clusters, users, and contexts + int clusterCount = kubeconfigJson.Split(new[] { "\"cluster\"" }, StringSplitOptions.None).Length - 1; + int userCount = kubeconfigJson.Split(new[] { "\"user\"" }, StringSplitOptions.None).Length - 1; + int contextCount = kubeconfigJson.Split(new[] { "\"context\"" }, StringSplitOptions.None).Length - 1; + + return $"***REDACTED_KUBECONFIG*** (length: {kubeconfigJson.Length}, clusters: ~{clusterCount}, users: ~{userCount}, contexts: ~{contextCount})"; + } + + #endregion + + #region Helper Methods + + /// + /// Returns a string indicating whether a field is present, empty, or null. + /// Useful for logging the presence of optional fields without revealing their values. + /// + /// The name of the field + /// The field value + /// A string like "fieldName: PRESENT" or "fieldName: EMPTY" or "fieldName: NULL" + public static string GetFieldPresence(string fieldName, string value) + { + if (value == null) + { + return $"{fieldName}: NULL"; + } + + if (string.IsNullOrEmpty(value)) + { + return $"{fieldName}: EMPTY"; + } + + return $"{fieldName}: PRESENT"; + } + + /// + /// Returns a string indicating whether a field is present, empty, or null. + /// Useful for logging the presence of optional fields without revealing their values. + /// + /// The name of the field + /// The field value + /// A string like "fieldName: PRESENT (count: N)" or "fieldName: EMPTY" or "fieldName: NULL" + public static string GetFieldPresence(string fieldName, byte[] value) + { + if (value == null) + { + return $"{fieldName}: NULL"; + } + + if (value.Length == 0) + { + return $"{fieldName}: EMPTY"; + } + + return $"{fieldName}: PRESENT (count: {value.Length})"; + } + + /// + /// Redacts a token string for safe logging. + /// + /// The token to redact + /// A redacted string showing length, or "EMPTY" or "NULL" + public static string RedactToken(string token) + { + if (token == null) + { + return "NULL"; + } + + if (string.IsNullOrEmpty(token)) + { + return "EMPTY"; + } + + // Show first and last 4 characters for correlation if token is long enough + if (token.Length > 12) + { + var prefix = token.Substring(0, 4); + var suffix = token.Substring(token.Length - 4); + return $"***REDACTED_TOKEN*** ({prefix}...{suffix}, length: {token.Length})"; + } + + return $"***REDACTED_TOKEN*** (length: {token.Length})"; + } + + #endregion + } +} diff --git a/kubernetes-orchestrator-extension/Utilities/PrivateKeyFormatUtilities.cs b/kubernetes-orchestrator-extension/Utilities/PrivateKeyFormatUtilities.cs new file mode 100644 index 00000000..c72b1d47 --- /dev/null +++ b/kubernetes-orchestrator-extension/Utilities/PrivateKeyFormatUtilities.cs @@ -0,0 +1,223 @@ +using System; +using System.IO; +using Keyfactor.Extensions.Orchestrator.K8S.Enums; +using Keyfactor.Logging; +using Microsoft.Extensions.Logging; +using Org.BouncyCastle.Crypto; +using Org.BouncyCastle.Crypto.Parameters; +using Org.BouncyCastle.Pkcs; +using Org.BouncyCastle.Utilities.IO.Pem; +using OpenSslPemWriter = Org.BouncyCastle.OpenSsl.PemWriter; + +namespace Keyfactor.Extensions.Orchestrator.K8S.Utilities; + +/// +/// Utility class for private key format detection and conversion between PKCS#1 and PKCS#8 formats. +/// +public static class PrivateKeyFormatUtilities +{ + private static readonly ILogger Logger = LogHandler.GetClassLogger(typeof(PrivateKeyFormatUtilities)); + + // PEM delimiters for format detection + private const string Pkcs8Header = "-----BEGIN PRIVATE KEY-----"; + private const string Pkcs8EncryptedHeader = "-----BEGIN ENCRYPTED PRIVATE KEY-----"; + private const string RsaPkcs1Header = "-----BEGIN RSA PRIVATE KEY-----"; + private const string EcPkcs1Header = "-----BEGIN EC PRIVATE KEY-----"; + private const string DsaPkcs1Header = "-----BEGIN DSA PRIVATE KEY-----"; + + /// + /// Detects the private key format from PEM data by examining the header. + /// + /// PEM-encoded private key data + /// Detected format (defaults to Pkcs8 if unable to detect) + public static PrivateKeyFormat DetectFormat(string pemData) + { + Logger.LogTrace("DetectFormat called"); + + if (string.IsNullOrWhiteSpace(pemData)) + { + Logger.LogDebug("PEM data is null or empty, defaulting to PKCS8"); + return PrivateKeyFormat.Pkcs8; + } + + // Check for PKCS#1 formats first (more specific) + if (pemData.Contains(RsaPkcs1Header) || + pemData.Contains(EcPkcs1Header) || + pemData.Contains(DsaPkcs1Header)) + { + Logger.LogDebug("Detected PKCS#1 format"); + return PrivateKeyFormat.Pkcs1; + } + + // Check for PKCS#8 formats + if (pemData.Contains(Pkcs8Header) || pemData.Contains(Pkcs8EncryptedHeader)) + { + Logger.LogDebug("Detected PKCS#8 format"); + return PrivateKeyFormat.Pkcs8; + } + + // Default to PKCS#8 + Logger.LogDebug("Unable to detect format, defaulting to PKCS8"); + return PrivateKeyFormat.Pkcs8; + } + + /// + /// Determines if the given private key algorithm supports PKCS#1 format. + /// + /// The private key to check + /// True if PKCS#1 is supported (RSA, EC, DSA), false otherwise (Ed25519, Ed448) + public static bool SupportsPkcs1(AsymmetricKeyParameter privateKey) + { + if (privateKey == null) + { + Logger.LogWarning("Private key is null, returning false for PKCS1 support"); + return false; + } + + var supported = privateKey switch + { + RsaPrivateCrtKeyParameters => true, + ECPrivateKeyParameters => true, + DsaPrivateKeyParameters => true, + Ed25519PrivateKeyParameters => false, + Ed448PrivateKeyParameters => false, + _ => false + }; + + Logger.LogTrace("SupportsPkcs1 for {KeyType}: {Supported}", + privateKey.GetType().Name, supported); + + return supported; + } + + /// + /// Gets the algorithm name for a private key. + /// + /// The private key + /// Algorithm name (RSA, EC, DSA, Ed25519, Ed448, or Unknown) + public static string GetAlgorithmName(AsymmetricKeyParameter privateKey) + { + return privateKey switch + { + RsaPrivateCrtKeyParameters => "RSA", + ECPrivateKeyParameters => "EC", + DsaPrivateKeyParameters => "DSA", + Ed25519PrivateKeyParameters => "Ed25519", + Ed448PrivateKeyParameters => "Ed448", + _ => "Unknown" + }; + } + + /// + /// Exports a private key as PKCS#1 PEM format. + /// Uses BouncyCastle's PemWriter.WriteObject which outputs native PKCS#1/SEC1 format. + /// + /// The private key to export + /// PEM-encoded private key in PKCS#1 format + /// If privateKey is null + /// If key type doesn't support PKCS#1 + public static string ExportAsPkcs1Pem(AsymmetricKeyParameter privateKey) + { + Logger.LogTrace("ExportAsPkcs1Pem called"); + + if (privateKey == null) + throw new ArgumentNullException(nameof(privateKey)); + + if (!SupportsPkcs1(privateKey)) + { + var algorithm = GetAlgorithmName(privateKey); + throw new NotSupportedException( + $"PKCS#1 format is not supported for {algorithm} keys. Use PKCS#8 format instead."); + } + + // BouncyCastle's OpenSsl.PemWriter.WriteObject() outputs native PKCS#1/SEC1 format + // when given the raw key parameter object (RSA PRIVATE KEY, EC PRIVATE KEY, etc.) + using var stringWriter = new StringWriter(); + var pemWriter = new OpenSslPemWriter(stringWriter); + pemWriter.WriteObject(privateKey); + pemWriter.Writer.Flush(); + + var pem = stringWriter.ToString(); + Logger.LogTrace("Exported private key as PKCS#1 PEM"); + return pem; + } + + /// + /// Exports a private key as PKCS#8 PEM format. + /// + /// The private key to export + /// PEM-encoded private key in PKCS#8 format + /// If privateKey is null + public static string ExportAsPkcs8Pem(AsymmetricKeyParameter privateKey) + { + Logger.LogTrace("ExportAsPkcs8Pem called"); + + if (privateKey == null) + throw new ArgumentNullException(nameof(privateKey)); + + // Wrap key in PKCS#8 PrivateKeyInfo structure + var privateKeyInfo = PrivateKeyInfoFactory.CreatePrivateKeyInfo(privateKey); + var privateKeyBytes = privateKeyInfo.ToAsn1Object().GetEncoded(); + + using var stringWriter = new StringWriter(); + var pemWriter = new PemWriter(stringWriter); + var pemObject = new PemObject("PRIVATE KEY", privateKeyBytes); + pemWriter.WriteObject(pemObject); + pemWriter.Writer.Flush(); + + var pem = stringWriter.ToString(); + Logger.LogTrace("Exported private key as PKCS#8 PEM"); + return pem; + } + + /// + /// Exports a private key as PEM in the specified format. + /// If PKCS#1 is requested but not supported by the algorithm, falls back to PKCS#8. + /// + /// The private key to export + /// Desired format + /// PEM-encoded private key + /// If privateKey is null + public static string ExportPrivateKeyAsPem(AsymmetricKeyParameter privateKey, PrivateKeyFormat format) + { + Logger.LogTrace("ExportPrivateKeyAsPem called with format: {Format}", format); + + if (privateKey == null) + throw new ArgumentNullException(nameof(privateKey)); + + // If PKCS#1 requested but not supported, fall back to PKCS#8 + if (format == PrivateKeyFormat.Pkcs1 && !SupportsPkcs1(privateKey)) + { + var algorithm = GetAlgorithmName(privateKey); + Logger.LogWarning( + "PKCS#1 format not supported for {Algorithm} keys, falling back to PKCS#8", + algorithm); + format = PrivateKeyFormat.Pkcs8; + } + + return format switch + { + PrivateKeyFormat.Pkcs1 => ExportAsPkcs1Pem(privateKey), + PrivateKeyFormat.Pkcs8 => ExportAsPkcs8Pem(privateKey), + _ => ExportAsPkcs8Pem(privateKey) + }; + } + + /// + /// Parses a format string to PrivateKeyFormat enum. + /// + /// Format string ("PKCS1", "PKCS8", or null/empty for default) + /// Parsed format (defaults to Pkcs8) + public static PrivateKeyFormat ParseFormat(string formatString) + { + if (string.IsNullOrWhiteSpace(formatString)) + return PrivateKeyFormat.Pkcs8; + + return formatString.Trim().ToUpperInvariant() switch + { + "PKCS1" => PrivateKeyFormat.Pkcs1, + "PKCS8" => PrivateKeyFormat.Pkcs8, + _ => PrivateKeyFormat.Pkcs8 + }; + } +}