Store SIA certificate creds in AWS parameter store, use custom json …

go.mod

@@ -7,6 +7,7 @@ module github.com/AthenZ/athenz
 require (
 	cloud.google.com/go/secretmanager v1.14.1
 	github.com/ardielle/ardielle-go v1.5.2
+	github.com/aws/aws-sdk-go v1.55.5
 	github.com/aws/aws-sdk-go-v2 v1.30.4
 	github.com/aws/aws-sdk-go-v2/config v1.27.28
 	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.32.5
@@ -44,7 +45,6 @@ require (
 	cloud.google.com/go/compute/metadata v0.5.0 // indirect
 	cloud.google.com/go/iam v1.2.0 // indirect
 	github.com/ardielle/ardielle-tools v1.5.4 // indirect
-	github.com/aws/aws-sdk-go v1.55.5 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.28 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.16 // indirect

go.sum

@@ -16,6 +16,7 @@ github.com/ardielle/ardielle-go v1.5.2 h1:TilHTpHIQJ27R1Tl/iITBzMwiUGSlVfiVhwDNG
 github.com/ardielle/ardielle-go v1.5.2/go.mod h1:I4hy1n795cUhaVt/ojz83SNVCYIGsAFAONtv2Dr7HUI=
 github.com/ardielle/ardielle-tools v1.5.4 h1:2uL/7wZRUF4LGV7r2eTaaeyhkBoqdiqEitSXMd6k8F8=
 github.com/ardielle/ardielle-tools v1.5.4/go.mod h1:oZN+JRMnqGiIhrzkRN9l26Cej9dEx4jeNG6A+AdkShk=
+github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU=
 github.com/aws/aws-sdk-go v1.55.5/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
 github.com/aws/aws-sdk-go-v2 v1.30.4 h1:frhcagrVNrzmT95RJImMHgabt99vkXGslubDaDagTk8=
 github.com/aws/aws-sdk-go-v2 v1.30.4/go.mod h1:CT+ZPWXbYrci8chcARI3OmI/qgd+f6WtuLOoaIA8PR0=
@@ -130,6 +131,7 @@ github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWS
 github.com/jawher/mow.cli v1.0.4/go.mod h1:5hQj2V8g+qYmLUVWqu4Wuja1pI57M83EChYLVZ0sMKk=
 github.com/jawher/mow.cli v1.2.0 h1:e6ViPPy+82A/NFF/cfbq3Lr6q4JHKT9tyHwTCcUQgQw=
 github.com/jawher/mow.cli v1.2.0/go.mod h1:y+pcA3jBAdo/GIZx/0rFjw/K2bVEODP9rfZOfaiq8Ko=
+github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=

libs/go/sia/aws/lambda/lambda.go

@@ -29,6 +29,8 @@ import (
 	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/ssm"
 	"strings"
 )
 
@@ -104,9 +106,36 @@ func getInternalAthenzIdentity(athenzDomain, athenzService, athenzProvider, ztsU
 //
 // The secret specified by the name must be pre-created
 func StoreAthenzIdentityInSecretManager(athenzDomain, athenzService, secretName string, siaCertData *util.SiaCertData) error {
+	return StoreAthenzIdentityInSecretManagerCustomFormat(athenzDomain, athenzService, secretName, siaCertData, nil)
+}
 
+// StoreAthenzIdentityInSecretManagerCustomFormat store the retrieved athenz identity in the
+// specified secret in custom json format. The secret is stored in the following keys:
+//
+//	"<x509-cert-pem-key>":"<x509-cert-pem>,
+//	"<private-pem-key>":"<pkey-pem>,
+//	"<ca-cert-key>":"<ca-cert-pem>,
+//	"<time-key>": <utc-timestamp>
+//
+// It supports only 4 json fields 'cert_pem', 'key_pem', 'ca_pem' and 'time'.
+// Out of 4 fields 'cert_pem' and 'key_pem' are mandatory, and resulted json will contain  X509CertificateSignerPem
+// and timestamp only if the corresponding json field names are set.
+//
+// sample `jsonFieldMapper` map: [{"cert_pem": "certPem"}, {"key_pem": "keyPem"}], will result json like
+//
+//	{  "certPem":"<x509-cert-pem>, "keyPem":"<pkey-pem> }
+//
+// The secret specified by the name must be pre-created
+func StoreAthenzIdentityInSecretManagerCustomFormat(athenzDomain, athenzService, secretName string, siaCertData *util.SiaCertData, jsonFieldMapper map[string]string) error {
+
+	var keyCertJson []byte
+	var err error
 	// generate our payload
-	keyCertJson, err := util.GenerateSecretJsonData(athenzDomain, athenzService, siaCertData)
+	if nil == jsonFieldMapper {
+		keyCertJson, err = util.GenerateSecretJsonData(athenzDomain, athenzService, siaCertData)
+	} else {
+		keyCertJson, err = util.GenerateCustomSecretJsonData(siaCertData, jsonFieldMapper)
+	}
 	if err != nil {
 		return fmt.Errorf("unable to generate secret json data: %v", err)
 	}
@@ -122,3 +151,69 @@ func StoreAthenzIdentityInSecretManager(athenzDomain, athenzService, secretName
 	_, err = svc.PutSecretValue(context.TODO(), input)
 	return err
 }
+
+// StoreAthenzIdentityInParameterStore store the retrieved athenz identity in the
+// specified parameter store as Secure String, without CA certificate. The secret is stored in the following keys:
+//
+//	"<domain>.<service>.cert.pem":"<x509-cert-pem>,
+//	"<domain>.<service>.key.pem":"<pkey-pem>,
+//	"time": <utc-timestamp>
+//
+// The parameter specified by the name must be pre-created
+func StoreAthenzIdentityInParameterStore(athenzDomain, athenzService, parameterName, kmsId string, siaCertData *util.SiaCertData) error {
+	jsonFieldMapper := make(map[string]string)
+	jsonFieldMapper[util.SiaYieldMapperCertSignerPemKey] = fmt.Sprintf("%s.%s.cert.pem", athenzDomain, athenzService)
+	jsonFieldMapper[util.SiaYieldMapperCertSignerPemKey] = fmt.Sprintf("%s.%s.key.pem", athenzDomain, athenzService)
+	//do not set CA cert
+	jsonFieldMapper[util.SiaYieldMapperIssueTimeKey] = "time"
+	return storeAthenzIdentityInParameterStoreCustomFormat(parameterName, kmsId, siaCertData, jsonFieldMapper)
+}
+
+// StoreAthenzIdentityInParameterStoreCustomFormat store the retrieved athenz identity in the
+// specified parameter store as Secure String, without CA certificate. The secret is stored in the following keys
+//
+//	"<x509-cert-pem-key>":"<x509-cert-pem>,
+//	"<private-pem-key>":"<pkey-pem>,
+//	"<time-key>": <utc-timestamp>
+//
+// It supports only 3 json fields 'cert_pem', 'key_pem' and 'time', where 'cert_pem' and 'key_pem' are mandatory.
+// The resulted json will contain timestamp only if the corresponding json field name is set. It will ignore 'ca_pem'
+// even if it is set.
+//
+// sample `jsonFieldMapper` map: [{"cert_pem": "certPem"}, {"key_pem": "keyPem"}], will result json like
+//
+//	{  "certPem":"<x509-cert-pem>, "keyPem":"<pkey-pem> }
+//
+// The parameter specified by the name must be pre-created
+func StoreAthenzIdentityInParameterStoreCustomFormat(parameterName, kmsId string, siaCertData *util.SiaCertData, jsonFieldMapper map[string]string) error {
+	// generate our payload
+	if nil != jsonFieldMapper {
+		_, ok := jsonFieldMapper[util.SiaYieldMapperCertSignerPemKey]
+		if ok {
+			// unset 'ca cert' field name
+			jsonFieldMapper[util.SiaYieldMapperCertSignerPemKey] = ""
+		}
+	}
+
+	return storeAthenzIdentityInParameterStoreCustomFormat(parameterName, kmsId, siaCertData, jsonFieldMapper)
+}
+
+func storeAthenzIdentityInParameterStoreCustomFormat(parameterName, kmsId string, siaCertData *util.SiaCertData, jsonFieldMapper map[string]string) error {
+	// generate our payload
+	keyCertJson, err := util.GenerateCustomSecretJsonData(siaCertData, jsonFieldMapper)
+
+	if err != nil {
+		return fmt.Errorf("unable to generate secret json data: %v", err)
+	}
+	sess := session.Must(session.NewSession())
+	ssmClient := ssm.New(sess)
+	input := &ssm.PutParameterInput{
+		Type:      aws.String(ssm.ParameterTypeSecureString),
+		Name:      aws.String(parameterName),
+		Value:     aws.String(string(keyCertJson)),
+		Overwrite: aws.Bool(true),
+		KeyId:     aws.String(kmsId),
+	}
+	_, err = ssmClient.PutParameterWithContext(context.TODO(), input)
+	return err
+}

libs/go/sia/gcp/functions/identity.go

@@ -94,6 +94,13 @@ func StoreAthenzIdentityInSecretManager(athenzDomain, athenzService, secretName
 
 	// Create the GCP secret-manager client.
 	ctx := context.Background()
+
+	// generate our payload
+	keyCertJson, err := util.GenerateSecretJsonData(athenzDomain, athenzService, siaCertData)
+	if err != nil {
+		return fmt.Errorf("unable to generate secret json data: %v", err)
+	}
+
 	secretManagerClient, err := secretmanager.NewClient(ctx)
 	if err != nil {
 		return fmt.Errorf("unable to create secret manager client: %v", err)
@@ -102,12 +109,90 @@ func StoreAthenzIdentityInSecretManager(athenzDomain, athenzService, secretName
 		_ = secretManagerClient.Close()
 	})()
 
+	// Get the project id from metadata
+	gcpProjectId, err := gcpm.GetProject(gcpMetaDataServer)
+	if err != nil {
+		return fmt.Errorf("unable to extract project id: %v", err)
+	}
+
+	// Build the request
+	addSecretVersionReq := &secretmanagerpb.AddSecretVersionRequest{
+		Parent: "projects/" + gcpProjectId + "/secrets/" + secretName,
+		Payload: &secretmanagerpb.SecretPayload{
+			Data: keyCertJson,
+		},
+	}
+
+	// Call the API.
+	_, err = secretManagerClient.AddSecretVersion(ctx, addSecretVersionReq)
+	return err
+}
+
+// StoreAthenzIdentityInSecretManagerCustomFormat store the retrieved athenz identity in the
+// specified secret in custom json format. The secret is stored in the following keys:
+//
+//	"<x509-cert-pem-key>":"<x509-cert-pem>,
+//	"<private-pem-key>":"<pkey-pem>,
+//	"<ca-cert-key>":"<ca-cert-pem>,
+//	"<time-key>": <utc-timestamp>
+//
+// It supports only 4 json fields 'cert_pem', 'key_pem', 'ca_pem' and 'time'.
+// Out of 4 fields 'cert_pem' and 'key_pem' are mandatory, and resulted json will contain  X509CertificateSignerPem
+// and timestamp only if the corresponding json field names are set.
+//
+// sample `jsonFieldMapper` map: [{"cert_pem": "certPem"}, {"key_pem": "keyPem"}], will result json like
+//
+//	{  "certPem":"<x509-cert-pem>, "keyPem":"<pkey-pem> }
+//
+// The secret specified by the name must be pre-created
+
+// StoreAthenzIdentityInSecretManagerCustomFormat store the retrieved athenz identity in the
+// specified secret. The secret is stored in the following json format:
+//
+//	{
+//	   "<x509-cert-pem-key>":"<x509-cert-pem>,
+//	   "<private-pem-key>":"<pkey-pem>,
+//	   "<ca-cert-key>":"<ca-cert-pem>,
+//	   "<time-key>": <utc-timestamp>
+//	}
+//
+// It supports only 4 json fields 'cert_pem', 'key_pem', 'ca_pem' and 'time'.
+// Out of 4 fields 'cert_pem' and 'key_pem' are mandatory, and resulted json will contain  X509CertificateSignerPem
+// and timestamp only if the corresponding json field names are set.
+//
+// sample `jsonFieldMapper` map: [{"cert_pem": "certPem"}, {"key_pem": "keyPem"}], will result json like
+//
+//	{  "certPem":"<x509-cert-pem>, "keyPem":"<pkey-pem> }
+//
+// The secret specified by the name must be pre-created and the service account
+// that the function is invoked with must have been authorized to assume the
+// "Secret Manager Secret Version Adder" role
+func StoreAthenzIdentityInSecretManagerCustomFormat(athenzDomain, athenzService, secretName string, siaCertData *util.SiaCertData, jsonFieldMapper map[string]string) error {
+
+	// Create the GCP secret-manager client.
+	ctx := context.Background()
+
+	var keyCertJson []byte
+	var err error
 	// generate our payload
-	keyCertJson, err := util.GenerateSecretJsonData(athenzDomain, athenzService, siaCertData)
+	if nil == jsonFieldMapper {
+		keyCertJson, err = util.GenerateSecretJsonData(athenzDomain, athenzService, siaCertData)
+	} else {
+		keyCertJson, err = util.GenerateCustomSecretJsonData(siaCertData, jsonFieldMapper)
+	}
+
 	if err != nil {
 		return fmt.Errorf("unable to generate secret json data: %v", err)
 	}
 
+	secretManagerClient, err := secretmanager.NewClient(ctx)
+	if err != nil {
+		return fmt.Errorf("unable to create secret manager client: %v", err)
+	}
+	defer (func() {
+		_ = secretManagerClient.Close()
+	})()
+
 	// Get the project id from metadata
 	gcpProjectId, err := gcpm.GetProject(gcpMetaDataServer)
 	if err != nil {

libs/go/sia/util/identity.go

@@ -26,9 +26,17 @@ import (
 	"log"
 	"net/url"
 	"strconv"
+	"strings"
 	"time"
 )
 
+const (
+	SiaYieldMapperX509CertPemKey   = "cert_pem"
+	SiaYieldMapperPvtPemKey        = "key_pem"
+	SiaYieldMapperCertSignerPemKey = "ca_pem"
+	SiaYieldMapperIssueTimeKey     = "time"
+)
+
 // SiaCertData response of GetAthenzIdentity()
 type SiaCertData struct {
 	PrivateKey               *rsa.PrivateKey
@@ -61,6 +69,39 @@ func GenerateSecretJsonData(athenzDomain, athenzService string, siaCertData *Sia
 	return json.MarshalIndent(siaYield, "", "  ")
 }
 
+// GenerateCustomSecretJsonData get SiaCertData data as string in json format with custom field names.
+// It supports only 4 json fields 'cert_pem', 'key_pem', 'ca_pem' and 'time', similar to `GenerateSecretJsonData`.
+// Out of 4 fields 'cert_pem' and 'key_pem' are mandatory, and resulted json will contain  X509CertificateSignerPem
+// and timestamp only if the corresponding json field names are set.
+// sample `jsonFieldMapper` map: [{"cert_pem": "certPem"}, {"key_pem": "keyPem"}]
+func GenerateCustomSecretJsonData(siaCertData *SiaCertData, jsonFieldMapper map[string]string) ([]byte, error) {
+	if nil == jsonFieldMapper {
+		return nil, fmt.Errorf("json keys mapper is misssing, required atleast certificate and private key fields")
+	}
+	x509CertPemKey, okx509 := jsonFieldMapper[SiaYieldMapperX509CertPemKey]
+	pvtPemKey, okPem := jsonFieldMapper[SiaYieldMapperPvtPemKey]
+
+	if !okx509 || !okPem || "" == strings.TrimSpace(x509CertPemKey) || "" == strings.TrimSpace(pvtPemKey) {
+		return nil, fmt.Errorf("x509 certificate pem and private pem keys are mandatory")
+	}
+
+	certSignerPemKey, okCA := jsonFieldMapper[SiaYieldMapperCertSignerPemKey]
+	issueTimeKey, okTime := jsonFieldMapper[SiaYieldMapperIssueTimeKey]
+	siaYield := make(map[string]string)
+	siaYield[strings.TrimSpace(x509CertPemKey)] = siaCertData.X509CertificatePem
+	siaYield[strings.TrimSpace(pvtPemKey)] = siaCertData.PrivateKeyPem
+
+	if okCA {
+		siaYield[strings.TrimSpace(certSignerPemKey)] = siaCertData.X509CertificateSignerPem
+	}
+	if okTime {
+		// Add the current time to the JSON.
+		siaYield[strings.TrimSpace(issueTimeKey)] = strconv.FormatInt(time.Now().Unix(), 10)
+	}
+
+	return json.MarshalIndent(siaYield, "", "  ")
+}
+
 func RegisterIdentity(athenzDomain, athenzService, athenzProvider, ztsUrl, instanceId, attestationData, spiffeTrustDomain string, sanDNSDomains []string, csrSubjectFields CsrSubjectFields, instanceIdSanDNS bool, privateKey *rsa.PrivateKey) (*SiaCertData, error) {
 
 	var csrDetails CertReqDetails