Merge pull request #17 from Keyfactor/release-2.1

Release 2.1 to main

Author: fiddlermikey

AzureAppGatewayOrchestrator.Tests/AzureAppGatewayOrchestrator_AzureAppGW.cs

@@ -14,7 +14,6 @@
 
 using System.Security.Cryptography.X509Certificates;
 using Azure.ResourceManager.Network.Models;
-using AzureApplicationGatewayOrchestratorExtension;
 using AzureApplicationGatewayOrchestratorExtension.AppGatewayCertificateJobs;
 using AzureApplicationGatewayOrchestratorExtension.Client;
 using Keyfactor.Logging;

AzureAppGatewayOrchestrator.Tests/AzureAppGatewayOrchestrator_Client.cs

@@ -87,12 +87,12 @@ public void AzureClientIntegrationTest()
         // Step 3 - Get the certificates that exist on the app gateway
 
         // Act
-        IEnumerable<Keyfactor.Orchestrators.Extensions.CurrentInventoryItem> certs = client.GetAppGatewaySslCertificates();
+        OperationResult<IEnumerable<Keyfactor.Orchestrators.Extensions.CurrentInventoryItem>> certs = client.GetAppGatewaySslCertificates();
 
         // Assert
-        Assert.NotNull(certs);
-        Assert.NotEmpty(certs);
-        Assert.Contains(certs, c => c.Alias == certName);
+        Assert.NotNull(certs.Result);
+        Assert.NotEmpty(certs.Result);
+        Assert.Contains(certs.Result, c => c.Alias == certName);
 
         // Step 4 - Try to remove the certificate from the app gateway, which should fail 
         // since it's bound to an HTTPS listener
@@ -119,7 +119,7 @@ public void AzureClientIntegrationTest()
         // Rebind the HTTPS listener with the original certificate, if there was only 1 certificate
         // previously, otherwise bind it with the first certificate in the list.
 
-        ApplicationGatewaySslCertificate replacement = client.GetAppGatewayCertificateByName(certs.First(c => c.Alias != certName).Alias);
+        ApplicationGatewaySslCertificate replacement = client.GetAppGatewayCertificateByName(certs.Result.First(c => c.Alias != certName).Alias);
 
         client.UpdateHttpsListenerCertificate(replacement, httpsListenerName);
 

AzureAppGatewayOrchestrator.Tests/AzureAppGatewayOrchestrator_FakeClient.cs

@@ -74,7 +74,7 @@ public IAzureAppGatewayClient Build()
     public IEnumerable<string>? AppGatewaysAvailableOnFakeTenant { get; set; }
     public Dictionary<string, ApplicationGatewaySslCertificate>? CertificatesAvailableOnFakeAppGateway { get; set; }
 
-    public IEnumerable<CurrentInventoryItem> GetAppGatewaySslCertificates()
+    public OperationResult<IEnumerable<CurrentInventoryItem>> GetAppGatewaySslCertificates()
     {
         _logger.LogDebug("Getting App Gateway SSL Certificates from fake app gateway");
 
@@ -84,6 +84,8 @@ public IEnumerable<CurrentInventoryItem> GetAppGatewaySslCertificates()
         }
 
         List<CurrentInventoryItem> inventoryItems = new List<CurrentInventoryItem>();
+        OperationResult<IEnumerable<CurrentInventoryItem>> result = new(inventoryItems);
+
         foreach (ApplicationGatewaySslCertificate cert in CertificatesAvailableOnFakeAppGateway.Values)
         {
             inventoryItems.Add(new CurrentInventoryItem
@@ -98,7 +100,7 @@ public IEnumerable<CurrentInventoryItem> GetAppGatewaySslCertificates()
 
         _logger.LogDebug($"Fake client has {inventoryItems.Count} certificates in inventory");
 
-        return inventoryItems;
+        return result;
     }
 
     public ApplicationGatewaySslCertificate AddCertificate(string certificateName, string certificateData, string certificatePassword)

AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Inventory.cs

@@ -51,9 +51,32 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
 
         try
         {
-            inventoryItems = Client.GetAppGatewaySslCertificates().ToList();
+            OperationResult<IEnumerable<CurrentInventoryItem>> inventoryResult = Client.GetAppGatewaySslCertificates();
+            if (!inventoryResult.Success)
+            {
+                // Aggregate the messages into the failure message. Since an exception wasn't thrown,
+                // we still have a partial success. We want to return a warning.
+                result.FailureMessage += inventoryResult.ErrorMessage; 
+                result.Result = OrchestratorJobStatusJobResult.Warning;
+                _logger.LogWarning(result.FailureMessage);
+            } 
+            else
+            {
+                result.Result = OrchestratorJobStatusJobResult.Success;
+            }
+
+            // At least partial success is guaranteed, so we can continue with the inventory items
+            // that we were able to pull down.
+            inventoryItems = inventoryResult.Result.ToList();
+
         } catch (Exception ex)
         {
+            // Exception is triggered if we weren't able to pull down the list of certificates
+            // from Azure. This could be due to a number of reasons, including network issues,
+            // or the user not having the correct permissions. An exception won't be triggered
+            // if there are no certificates in the App Gateway, or if we weren't able to assemble
+            // the list of certificates into a CurrentInventoryItem.
+
             _logger.LogError(ex, "Error getting App Gateway SSL Certificates:\n" + ex.Message);
             result.FailureMessage = "Error getting App Gateway SSL Certificates:\n" + ex.Message;
             return result;
@@ -64,7 +87,6 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
         //cb.DynamicInvoke(inventoryItems);
         cb(inventoryItems);
 
-        result.Result = OrchestratorJobStatusJobResult.Success;
         return result;
     }
 }

AzureAppGatewayOrchestrator/Client/GatewayClient.cs

@@ -273,15 +273,16 @@ public ApplicationGatewaySslCertificate GetAppGatewayCertificateByName(string ce
         return gatewaySslCertificate;
     }
 
-    public IEnumerable<CurrentInventoryItem> GetAppGatewaySslCertificates()
+    public OperationResult<IEnumerable<CurrentInventoryItem>> GetAppGatewaySslCertificates()
     {
-
         ApplicationGatewayResource appGatewayResource =
             _armClient.GetApplicationGatewayResource(AppGatewayResourceId).Get();
         _logger.LogDebug($"Getting SSL certificates from App Gateway called \"{appGatewayResource.Data.Name}\"");
         _logger.LogDebug($"There are {appGatewayResource.Data.SslCertificates.Count()} certificates in the response.");
         List<CurrentInventoryItem> inventoryItems = new List<CurrentInventoryItem>();
 
+        OperationResult<IEnumerable<CurrentInventoryItem>> result = new(inventoryItems);
+
         foreach (ApplicationGatewaySslCertificate certObject in appGatewayResource.Data.SslCertificates)
         {
             List<string> b64EncodedDerCertificateList = new List<string>();
@@ -316,14 +317,19 @@ public IEnumerable<CurrentInventoryItem> GetAppGatewaySslCertificates()
                 }
                 catch (Exception e)
                 {
-                    _logger.LogError($"Error retrieving certificate from Azure Key Vault with ID {certObject.KeyVaultSecretId}: {e.Message}");
+                    string error = $"Failed to download certificate from Azure Key Vault with ID {certObject.KeyVaultSecretId}";
+                    _logger.LogError(error + $": {e.Message}");
+
+                    result.AddRuntimeErrorMessage(error);
                     continue;
                 }
             }
             else 
             {
-                _logger.LogError($"Certificate called \"{certObject.Name}\" ({certObject.Id}) does not have any public certificate data or Key Vault secret ID.");
+                string error = $"Certificate called \"{certObject.Name}\" ({certObject.Id}) does not have any public certificate data or Key Vault secret ID.";
+                _logger.LogError(error);
 
+                result.AddRuntimeErrorMessage(error);
                 continue;
             }
 
@@ -340,8 +346,13 @@ public IEnumerable<CurrentInventoryItem> GetAppGatewaySslCertificates()
             inventoryItems.Add(inventoryItem);
         }
 
+        if (!result.Success)
+        {
+            result.ErrorSummary = $"Application Gateway Certificate inventory may be incomplete. Successfully read {inventoryItems.Count()}/{appGatewayResource.Data.SslCertificates.Count()} certificates present in the Application Gateway called {AppGatewayResourceId.Name} ({AppGatewayResourceId})\nPlease see Orchestrator logs for more details. Error summary:";
+        }
+
         _logger.LogDebug($"Found {inventoryItems.Count()} certificates in app gateway");
-        return inventoryItems;
+        return result;
     }
 
     public void UpdateHttpsListenerCertificate(ApplicationGatewaySslCertificate certificate, string listenerName)

AzureAppGatewayOrchestrator/Client/IAzureAppGatewayClient.cs

@@ -28,11 +28,31 @@ public interface IAzureAppGatewayClientBuilder
         public IAzureAppGatewayClient Build();
     }
 
+    public class OperationResult<T>
+    {
+        public T Result { get; set; }
+        public string ErrorSummary { get; set; }
+        public List<string> Messages { get; set; } = new List<string>();
+        public bool Success => Messages.Count == 0;
+
+        public OperationResult(T result)
+        {
+            Result = result;
+        }
+
+        public void AddRuntimeErrorMessage(string message)
+        {
+            Messages.Add("  - " + message);
+        }
+
+        public string ErrorMessage => $"{ErrorSummary}\n{string.Join("\n", Messages)}";
+    }
+
     public interface IAzureAppGatewayClient
     {
         public ApplicationGatewaySslCertificate AddCertificate(string certificateName, string certificateData, string certificatePassword);
         public void RemoveCertificate(string certificateName);
-        public IEnumerable<CurrentInventoryItem> GetAppGatewaySslCertificates();
+        public OperationResult<IEnumerable<CurrentInventoryItem>> GetAppGatewaySslCertificates();
         public ApplicationGatewaySslCertificate GetAppGatewayCertificateByName(string certificateName);
         public bool CertificateExists(string certificateName);
         public IEnumerable<string> DiscoverApplicationGateways();

AzureAppGatewayOrchestrator/ListenerBindingJobs/Inventory.cs

@@ -44,7 +44,8 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
         JobResult result = new JobResult
         {
             Result = OrchestratorJobStatusJobResult.Failure,
-                   JobHistoryId = config.JobHistoryId
+                   JobHistoryId = config.JobHistoryId,
+                   FailureMessage = ""
         };
 
         List<CurrentInventoryItem> appGatewayCertificateInventory;
@@ -62,9 +63,32 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
 
         try
         {
-            appGatewayCertificateInventory = Client.GetAppGatewaySslCertificates().ToList();
+            OperationResult<IEnumerable<CurrentInventoryItem>> inventoryResult = Client.GetAppGatewaySslCertificates();
+            if (!inventoryResult.Success)
+            {
+                // Aggregate the messages into the failure message. Since an exception wasn't thrown,
+                // we still have a partial success. We want to return a warning.
+                result.FailureMessage += inventoryResult.ErrorMessage; 
+                result.Result = OrchestratorJobStatusJobResult.Warning;
+                _logger.LogWarning(result.FailureMessage);
+            } 
+            else
+            {
+                result.Result = OrchestratorJobStatusJobResult.Success;
+            }
+
+            // At least partial success is guaranteed, so we can continue with the inventory items
+            // that we were able to pull down.
+            appGatewayCertificateInventory = inventoryResult.Result.ToList();
+
         } catch (Exception ex)
         {
+            // Exception is triggered if we weren't able to pull down the list of certificates
+            // from Azure. This could be due to a number of reasons, including network issues,
+            // or the user not having the correct permissions. An exception won't be triggered
+            // if there are no certificates in the App Gateway, or if we weren't able to assemble
+            // the list of certificates into a CurrentInventoryItem.
+
             _logger.LogError(ex, "Error getting App Gateway SSL Certificates:\n" + ex.Message);
             result.FailureMessage = "Error getting App Gateway SSL Certificates:\n" + ex.Message;
             return result;
@@ -81,7 +105,7 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
         } catch (Exception ex)
         {
             _logger.LogError(ex, "Error getting bound App Gateway HTTPS Listener Certificates:\n" + ex.Message);
-            result.FailureMessage = "Error getting bound App Gateway HTTPS Listener Certificates:\n" + ex.Message;
+            result.FailureMessage += "Error getting bound App Gateway HTTPS Listener Certificates:\n" + ex.Message;
             return result;
         }
 
@@ -129,7 +153,7 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
 
         cb.DynamicInvoke(certificateBindingInventory);
 
-        result.Result = OrchestratorJobStatusJobResult.Success;
+        // Result is already set correctly by this point.
         return result;
     }
 }

CHANGELOG.md

@@ -17,3 +17,6 @@
   - chore(jobs): Refactored Orchestrator job implementations to prefer dependency injection pattern.
   - chore(tests): Implemented unit testing framework with a fake client interface.
   - chore(tests): Implemented integration tests for both Orchestrator jobs and App Gateway client.
+
+- 2.1.0
+  - chore(client): Pass error back to Command if certificate download from AKV fails

Makefile

@@ -62,33 +62,6 @@ setup: ## Setup the environment for development
 		echo "PROJECT_NAME=$$(basename $$(dirname $$(grep PROJECT_FILE .env | cut -d '=' -f 2)))" >> .env; \
 	fi
 
-.PHONY: newtest
-newtest: setup ## Create a new test project
-	@source .env; \
-	testProjectName="$$PROJECT_NAME".Tests; \
-	echo "Creating new xUnit project called $$testProjectName"; \
-	dotnet new xunit -o $$testProjectName; \
-	dotnet sln add $$testProjectName/$$testProjectName.csproj; \
-	dotnet add $$testProjectName reference $$PROJECT_FILE;
-
-.PHONY: installpackage
-installpackage: ## Install a package to the project
-	@source .env; \
-	echo "Select a project to install the package into"; \
-	PS3="Selection: "; \
-	select opt in $$(ls */*.csproj); do \
-		if [ -n "$$opt" ]; then \
-			echo "You have selected $$opt"; \
-			break; \
-		else \
-			echo "Invalid selection. Please try again."; \
-		fi; \
-	done; \
-	echo "Enter the package name to install: "; \
-	read packageName; \
-	echo "Installing $$packageName to $$opt"; \
-	dotnet add $$opt package $$packageName;
-
 .PHONY: testall
 testall: ## Run all tests.
 	@source .env; \
@@ -105,7 +78,7 @@ test: ## Run a single test.
 	cut -d ' ' -f 5- | \
 	sed 's/(.*//i' | \
 	sort | uniq | \
-	fzf | \
+	fzf  | \
 	xargs -I {} dotnet test --filter {} --logger "console;verbosity=detailed"
 
 ##@ Build

README.md

@@ -15,7 +15,7 @@ The Universal Orchestrator is the successor to the Windows Orchestrator. This Or
 
 ## Support for Azure Application Gateway Orchestrator
 
-Azure Application Gateway Orchestrator is open source and supported on best effort level for this tool/library/client.  This means customers can report Bugs, Feature Requests, Documentation amendment or questions as well as requests for customer information required for setup that needs Keyfactor access to obtain. Such requests do not follow normal SLA commitments for response or resolution. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com/
+Azure Application Gateway Orchestrator is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com
 
 ###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab.
 
@@ -101,9 +101,7 @@ Natively, Azure Application Gateways support integration with Azure Key Vault fo
 
 #### Mechanics of the Azure Key Vault Download Operation for Inventory Jobs that report certificates imported from AKV
 
-If an AzureApplicationSslCertificate references a secret in AKV (was imported to the App Gateway from AKV), the inventory job will create and use a `SecretClient` from the [`Azure.Security.KeyVault.Secrets.SecretClient` dotnet package](https://learn.microsoft.com/en-us/dotnet/api/azure.security.keyvault.secrets.secretclient?view=azure-dotnet). Authentication to AKV via this client is configured using the exact same `TokenCredential` provided by the [Azure Identity client library for .NET](https://learn.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme?view=azure-dotnet). This means that the Service Principal described in the [Azure Configuration](#azure-configuration) section must also have appropriate permissions to read secrets from the AKV that the App Gateway is integrated with.
-
-The secret referenced in the AzureApplicationSslCertificate will be accessed exactly as reported by Azure, regardless of whether it exists in AKV. Since the App Gateway orchestrator extension doesn't manage AKV secrets in any way, the client will _only log an error_ if the client is unsuccessful in downloading the secret for any reason. IE, if the request to AKV fails after five tries, the imported certificate will not be reported to Keyfactor Command in Inventory operations. This design choice was made based on the logical existance or non-existance of the link between AKV and the App Gateway. 
+If an AzureApplicationSslCertificate references a secret in AKV (was imported to the App Gateway from AKV), the inventory job will create and use a `SecretClient` from the [`Azure.Security.KeyVault.Secrets.SecretClient` dotnet package](https://learn.microsoft.com/en-us/dotnet/api/azure.security.keyvault.secrets.secretclient?view=azure-dotnet). Authentication to AKV via this client is configured using the exact same `TokenCredential` provided by the [Azure Identity client library for .NET](https://learn.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme?view=azure-dotnet). This means that the Service Principal described in the [Azure Configuration](#azure-configuration) section must also have appropriate permissions to read secrets from the AKV that the App Gateway is integrated with. The secret referenced in the AzureApplicationSslCertificate will be accessed exactly as reported by Azure, regardless of whether it exists in AKV. 
 
 ## Azure Configuration and Permissions