add SetAuthentication function to authenticate 'passively' (without sending a self-check request to the server)

Signed-off-by: Tim Ramlot <[email protected]>

Author: inteon

pkg/endpoint/endpoint.go

@@ -84,6 +84,10 @@ type Connector interface {
 	// SetHTTPClient allows to set custom http.Client to this Connector.
 	SetHTTPClient(client *http.Client)
 	Ping() (err error)
+	// SetAuthentication can be used to set the authentication details for the connector, it does not perform the validation
+	// done by Authenticate. It is useful when you want to set the authentication details without validating them.
+	SetAuthentication(auth *Authentication) (err error)
+	// Authenticate calls SetAuthentication and then validates the authentication details by making a request to the server.
 	// Authenticate is usually called by NewClient and it is not required that you manually call it.
 	Authenticate(auth *Authentication) (err error)
 

pkg/venafi/cloud/cloud.go

@@ -312,7 +312,7 @@ func (c *Connector) getHTTPClient() *http.Client {
 }
 
 func (c *Connector) request(method string, url string, data interface{}, authNotRequired ...bool) (statusCode int, statusText string, body []byte, err error) {
-	if (c.accessToken == "" && c.user == nil) || (c.user != nil && c.user.Company == nil) {
+	if c.accessToken == "" && c.apiKey == "" {
 		if !(len(authNotRequired) == 1 && authNotRequired[0]) {
 			err = fmt.Errorf("%w: must be autheticated to make requests to TLSPC API", verror.VcertError)
 			return

pkg/venafi/cloud/connector.go

@@ -90,7 +90,6 @@ type Connector struct {
 	apiKey                string
 	accessToken           string
 	verbose               bool
-	user                  *userDetails
 	trust                 *x509.CertPool
 	zone                  cloudZone
 	client                *http.Client
@@ -134,17 +133,42 @@ func (c *Connector) Ping() (err error) {
 	return nil
 }
 
-// Authenticate authenticates the user with Venafi Cloud using the provided API Key
+// Authenticate sets the authentication credentials for the Venafi Cloud API.
+// It will send a request to the API to verify the credentials are correct.
 func (c *Connector) Authenticate(auth *endpoint.Authentication) error {
+	if err := c.SetAuthentication(auth); err != nil {
+		return err
+	}
+
+	url := c.getURL(urlResourceUserAccounts)
+	statusCode, status, body, err := c.request("GET", url, nil, true)
+	if err != nil {
+		return fmt.Errorf("%w: %s", verror.AuthError, err)
+	}
+	if _, err := parseUserDetailsResult(http.StatusOK, statusCode, status, body); err != nil {
+		return fmt.Errorf("%w: %s", verror.AuthError, err)
+	}
+
+	return nil
+}
+
+// SetAuthentication sets the authentication credentials for the Venafi Cloud API.
+func (c *Connector) SetAuthentication(auth *endpoint.Authentication) (err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("%w: %s", verror.AuthError, err)
+		}
+	}()
+
 	if auth == nil {
 		return fmt.Errorf("failed to authenticate: missing credentials")
 	}
 
-	//1. Access token. Assign it to connector
 	if auth.AccessToken != "" {
+		// 1. Access token. Assign it to connector
 		c.accessToken = auth.AccessToken
 	} else if auth.TokenURL != "" && auth.ExternalJWT != "" {
-		//2. JWT and token URL. use it to request new access token
+		// 2. JWT and token URL. use it to request new access token
 		tokenResponse, err := c.GetAccessToken(auth)
 		if err != nil {
 			return err
@@ -153,16 +177,6 @@ func (c *Connector) Authenticate(auth *endpoint.Authentication) error {
 	} else if auth.APIKey != "" {
 		// 3. API key. Get user to test authentication
 		c.apiKey = auth.APIKey
-		url := c.getURL(urlResourceUserAccounts)
-		statusCode, status, body, err := c.request("GET", url, nil, true)
-		if err != nil {
-			return err
-		}
-		ud, err := parseUserDetailsResult(http.StatusOK, statusCode, status, body)
-		if err != nil {
-			return err
-		}
-		c.user = ud
 	}
 
 	// Initialize clients
@@ -947,7 +961,7 @@ func (c *Connector) isAuthenticated() bool {
 		return true
 	}
 
-	if c.user != nil && c.user.Company != nil {
+	if c.apiKey != "" {
 		return true
 	}
 
@@ -1430,12 +1444,10 @@ func (c *Connector) CreateUserAccount(userAccount *userAccount) (int, *userDetai
 	if err != nil {
 		return statusCode, nil, err
 	}
-	//c.user = ud
 	return statusCode, ud, nil
 }
 
 func (c *Connector) getUserDetails() (*userDetails, error) {
-
 	url := c.getURL(urlResourceUserAccounts)
 	statusCode, status, body, err := c.request("GET", url, nil)
 	if err != nil {
@@ -1445,7 +1457,6 @@ func (c *Connector) getUserDetails() (*userDetails, error) {
 	if err != nil {
 		return nil, err
 	}
-	c.user = ud
 	return ud, nil
 }
 

pkg/venafi/fake/connector.go

@@ -176,6 +176,10 @@ func (c *Connector) Authenticate(auth *endpoint.Authentication) (err error) {
 	return
 }
 
+func (c *Connector) SetAuthentication(auth *endpoint.Authentication) (err error) {
+	return
+}
+
 type fakeRequestID struct {
 	Req *certificate.Request
 	CSR string

pkg/venafi/firefly/connector.go

@@ -85,7 +85,20 @@ func (c *Connector) GetType() endpoint.ConnectorType {
 	return endpoint.ConnectorTypeFirefly
 }
 
+// Authenticate authenticates the connector to the Firefly server.
+// In the future, this method will send a request to the Firefly server to validate the authentication.
 func (c *Connector) Authenticate(auth *endpoint.Authentication) error {
+	if err := c.SetAuthentication(auth); err != nil {
+		return err
+	}
+
+	// TODO: use the access token to send a request and validate the authentication.
+
+	return nil
+}
+
+// SetAuthentication sets the authentication details to connect to the Firefly server
+func (c *Connector) SetAuthentication(auth *endpoint.Authentication) error {
 	if auth == nil {
 		msg := "failed to authenticate: no credentials provided"
 		zap.L().Error(msg, fieldPlatform)

pkg/venafi/tpp/connector.go

@@ -45,7 +45,6 @@ type Connector struct {
 	apiKey      string
 	accessToken string
 	verbose     bool
-	Identity    identity
 	trust       *x509.CertPool
 	zone        string
 	client      *http.Client
@@ -118,8 +117,22 @@ func (c *Connector) Ping() (err error) {
 	return
 }
 
-// Authenticate authenticates the user to the TPP
-func (c *Connector) Authenticate(auth *endpoint.Authentication) (err error) {
+// Authenticate sets the Authentication details for the TPP Server and
+// verifies that it can retrieve Self Identity.
+func (c *Connector) Authenticate(auth *endpoint.Authentication) error {
+	if err := c.SetAuthentication(auth); err != nil {
+		return err
+	}
+
+	if _, err := c.retrieveSelfIdentity(); err != nil {
+		return fmt.Errorf("%w: %s", verror.AuthError, err)
+	}
+
+	return nil
+}
+
+// SetAuthentication sets the Authentication details for the TPP Server.
+func (c *Connector) SetAuthentication(auth *endpoint.Authentication) (err error) {
 	defer func() {
 		if err != nil {
 			err = fmt.Errorf("%w: %s", verror.AuthError, err)
@@ -143,13 +156,6 @@ func (c *Connector) Authenticate(auth *endpoint.Authentication) (err error) {
 
 		resp := result.(authorizeResponse)
 		c.apiKey = resp.APIKey
-
-		if c.client != nil {
-			c.Identity, err = c.retrieveSelfIdentity()
-			if err != nil {
-				return err
-			}
-		}
 		return nil
 
 	} else if auth.RefreshToken != "" {
@@ -161,24 +167,12 @@ func (c *Connector) Authenticate(auth *endpoint.Authentication) (err error) {
 
 		resp := result.(OauthRefreshAccessTokenResponse)
 		c.accessToken = resp.Access_token
+		auth.AccessToken = resp.Access_token
 		auth.RefreshToken = resp.Refresh_token
-		if c.client != nil {
-			c.Identity, err = c.retrieveSelfIdentity()
-			if err != nil {
-				return err
-			}
-		}
 		return nil
 
 	} else if auth.AccessToken != "" {
 		c.accessToken = auth.AccessToken
-
-		if c.client != nil {
-			c.Identity, err = c.retrieveSelfIdentity()
-			if err != nil {
-				return err
-			}
-		}
 		return nil
 	}
 	return fmt.Errorf("failed to authenticate: can't determine valid credentials set")