Backports for 1.9.x (#74)

* Fix panic caused by shallowed error in create application (#71)

* Remove named returns (#72)

* Remove named returns

* Update per review

* Update per review

* Update deps (#73)


- ci: build with go-1.17.2
- ci: drop support for go-1.1{4,5}.x

* Add rotate-root endpoint (#70)

* Remove bare returns

* Readability cleanup

Removed bare returns
Removed unused return values
Small readability improvements

* Remove errwrap

* Make tests happy again

* Add rotate-root endpoint

* Use correct response value

* Fix merge failure

* Add additional AAD warnings; Respond to code review

* Fix test

* Don't pass config as a pointer so it gets a copy

* Fix expiration date logic; fix inverted warning logic

* Minor code review tweaks

* Move expiration to config

* Don't error if there isn't an error

* Update the config & remove old passwords in the WAL

* Return default_expiration on config get

* Return expiration from GET config

* Update path_rotate_root.go

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>

* Update per review

* Rebase

* Fix test

* Revert "Rebase"

This reverts commit a693813.

* Remove named returns

* Update per review

* Update path_config.go

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Update per review

* Use periodicFunc, change wal

* Fix config test

* Add expiration date, update logger

* Fix timer bug

* Change root expiration to timestamp

* Fix named returns

* Update backend.go

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Update per feedback, add more tests

* Add wal min age

* Update mock

* Update go version

* Revert "Update go version"

This reverts commit ac58246.

* Remove unused wal code

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
Co-authored-by: Michael Golowka" OR 1=1); DROP TABLE users; -- <72365+pcman312@users.noreply.github.com>
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

.github/workflows/test.yaml

@@ -11,7 +11,7 @@ jobs:
       GO111MODULE: on
     strategy:
       matrix:
-        go-version: [1.14.x, 1.15.x, 1.16.x]
+        go-version: [1.16.x, 1.17.2]
         os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     steps:

README.md

@@ -38,7 +38,7 @@ Success! Enabled the azure secrets engine at: azure/
 
 If you wish to work on this plugin, you'll first need
 [Go](https://www.golang.org) installed on your machine
-(version 1.10+ is *required*).
+(version 1.17+ is *required*).
 
 For local dev first make sure Go is properly installed, including
 setting up a [GOPATH](https://golang.org/doc/code.html#GOPATH).

api/api.go

@@ -2,6 +2,7 @@ package api
 
 import (
 	"context"
+	"time"
 
 	"github.com/Azure/azure-sdk-for-go/profiles/latest/authorization/mgmt/authorization"
 	"github.com/Azure/go-autorest/autorest"
@@ -31,20 +32,17 @@ type ApplicationsClient interface {
 	GetApplication(ctx context.Context, applicationObjectID string) (ApplicationResult, error)
 	CreateApplication(ctx context.Context, displayName string) (ApplicationResult, error)
 	DeleteApplication(ctx context.Context, applicationObjectID string) error
-	AddApplicationPassword(ctx context.Context, applicationObjectID string, displayName string, endDateTime date.Time) (PasswordCredentialResult, error)
+	ListApplications(ctx context.Context, filter string) ([]ApplicationResult, error)
+	AddApplicationPassword(ctx context.Context, applicationObjectID string, displayName string, endDateTime time.Time) (PasswordCredentialResult, error)
 	RemoveApplicationPassword(ctx context.Context, applicationObjectID string, keyID string) error
 }
 
 type PasswordCredential struct {
-	DisplayName *string `json:"displayName"`
-	// StartDate - Start date.
-	StartDate *date.Time `json:"startDateTime,omitempty"`
-	// EndDate - End date.
-	EndDate *date.Time `json:"endDateTime,omitempty"`
-	// KeyID - Key ID.
-	KeyID *string `json:"keyId,omitempty"`
-	// Value - Key value.
-	SecretText *string `json:"secretText,omitempty"`
+	DisplayName *string    `json:"displayName"`
+	StartDate   *date.Time `json:"startDateTime,omitempty"`
+	EndDate     *date.Time `json:"endDateTime,omitempty"`
+	KeyID       *string    `json:"keyId,omitempty"`
+	SecretText  *string    `json:"secretText,omitempty"`
 }
 
 type PasswordCredentialResult struct {

api/application_aad.go

@@ -19,7 +19,7 @@ type ActiveDirectoryApplicationClient struct {
 	Passwords Passwords
 }
 
-func (a *ActiveDirectoryApplicationClient) GetApplication(ctx context.Context, applicationObjectID string) (result ApplicationResult, err error) {
+func (a *ActiveDirectoryApplicationClient) GetApplication(ctx context.Context, applicationObjectID string) (ApplicationResult, error) {
 	app, err := a.Client.Get(ctx, applicationObjectID)
 	if err != nil {
 		return ApplicationResult{}, err
@@ -31,7 +31,40 @@ func (a *ActiveDirectoryApplicationClient) GetApplication(ctx context.Context, a
 	}, nil
 }
 
-func (a *ActiveDirectoryApplicationClient) CreateApplication(ctx context.Context, displayName string) (result ApplicationResult, err error) {
+func (a *ActiveDirectoryApplicationClient) ListApplications(ctx context.Context, filter string) ([]ApplicationResult, error) {
+	resp, err := a.Client.List(ctx, filter)
+	if err != nil {
+		return nil, err
+	}
+
+	results := []ApplicationResult{}
+	for resp.NotDone() {
+		for _, app := range resp.Values() {
+			passCreds := []*PasswordCredential{}
+			for _, rawPC := range *app.PasswordCredentials {
+				pc := &PasswordCredential{
+					StartDate: rawPC.StartDate,
+					EndDate:   rawPC.EndDate,
+					KeyID:     rawPC.KeyID,
+				}
+				passCreds = append(passCreds, pc)
+			}
+			appResult := ApplicationResult{
+				AppID:               app.AppID,
+				ID:                  app.ObjectID,
+				PasswordCredentials: passCreds,
+			}
+			results = append(results, appResult)
+		}
+		err = resp.NextWithContext(ctx)
+		if err != nil {
+			return results, fmt.Errorf("failed to get all results: %w", err)
+		}
+	}
+	return results, nil
+}
+
+func (a *ActiveDirectoryApplicationClient) CreateApplication(ctx context.Context, displayName string) (ApplicationResult, error) {
 	appURL := fmt.Sprintf("https://%s", displayName)
 
 	app, err := a.Client.Create(ctx, graphrbac.ApplicationCreateParameters{
@@ -62,7 +95,7 @@ func (a *ActiveDirectoryApplicationClient) DeleteApplication(ctx context.Context
 	return nil
 }
 
-func (a *ActiveDirectoryApplicationClient) AddApplicationPassword(ctx context.Context, applicationObjectID string, displayName string, endDateTime date.Time) (result PasswordCredentialResult, err error) {
+func (a *ActiveDirectoryApplicationClient) AddApplicationPassword(ctx context.Context, applicationObjectID string, displayName string, endDateTime time.Time) (PasswordCredentialResult, error) {
 	keyID, err := uuid.GenerateUUID()
 	if err != nil {
 		return PasswordCredentialResult{}, err
@@ -80,7 +113,7 @@ func (a *ActiveDirectoryApplicationClient) AddApplicationPassword(ctx context.Co
 	now := date.Time{Time: time.Now().UTC()}
 	cred := graphrbac.PasswordCredential{
 		StartDate: &now,
-		EndDate:   &endDateTime,
+		EndDate:   &date.Time{endDateTime},
 		KeyID:     to.StringPtr(keyID),
 		Value:     to.StringPtr(password),
 	}
@@ -106,19 +139,19 @@ func (a *ActiveDirectoryApplicationClient) AddApplicationPassword(ctx context.Co
 		return PasswordCredentialResult{}, fmt.Errorf("error updating credentials: %w", err)
 	}
 
-	result = PasswordCredentialResult{
+	result := PasswordCredentialResult{
 		PasswordCredential: PasswordCredential{
 			DisplayName: to.StringPtr(displayName),
 			StartDate:   &now,
-			EndDate:     &endDateTime,
+			EndDate:     &date.Time{endDateTime},
 			KeyID:       to.StringPtr(keyID),
 			SecretText:  to.StringPtr(password),
 		},
 	}
 	return result, nil
 }
 
-func (a *ActiveDirectoryApplicationClient) RemoveApplicationPassword(ctx context.Context, applicationObjectID string, keyID string) (err error) {
+func (a *ActiveDirectoryApplicationClient) RemoveApplicationPassword(ctx context.Context, applicationObjectID string, keyID string) error {
 	// Load current credentials
 	resp, err := a.Client.ListPasswordCredentials(ctx, applicationObjectID)
 	if err != nil {

api/application_msgraph.go

@@ -49,7 +49,8 @@ func (c *AppClient) AddToUserAgent(extension string) error {
 	return c.client.AddToUserAgent(extension)
 }
 
-func (c *AppClient) GetApplication(ctx context.Context, applicationObjectID string) (result ApplicationResult, err error) {
+func (c *AppClient) GetApplication(ctx context.Context, applicationObjectID string) (ApplicationResult, error) {
+	var result ApplicationResult
 	req, err := c.getApplicationPreparer(ctx, applicationObjectID)
 	if err != nil {
 		return result, autorest.NewErrorWithError(err, "provider", "GetApplication", nil, "Failure preparing request")
@@ -71,8 +72,35 @@ func (c *AppClient) GetApplication(ctx context.Context, applicationObjectID stri
 	return result, nil
 }
 
+type listApplicationsResponse struct {
+	Value []ApplicationResult `json:"value"`
+}
+
+func (c *AppClient) ListApplications(ctx context.Context, filter string) ([]ApplicationResult, error) {
+	filterArgs := url.Values{}
+	if filter != "" {
+		filterArgs.Set("$filter", filter)
+	}
+	preparer := c.GetPreparer(
+		autorest.AsGet(),
+		autorest.WithPath(fmt.Sprintf("/v1.0/applications?%s", filterArgs.Encode())),
+	)
+	listAppResp := listApplicationsResponse{}
+	err := c.SendRequest(ctx, preparer,
+		azure.WithErrorUnlessStatusCode(http.StatusOK),
+		autorest.ByUnmarshallingJSON(&listAppResp),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return listAppResp.Value, nil
+}
+
 // CreateApplication create a new Azure application object.
-func (c *AppClient) CreateApplication(ctx context.Context, displayName string) (result ApplicationResult, err error) {
+func (c *AppClient) CreateApplication(ctx context.Context, displayName string) (ApplicationResult, error) {
+	var result ApplicationResult
+
 	req, err := c.createApplicationPreparer(ctx, displayName)
 	if err != nil {
 		return result, autorest.NewErrorWithError(err, "provider", "CreateApplication", nil, "Failure preparing request")
@@ -95,7 +123,7 @@ func (c *AppClient) CreateApplication(ctx context.Context, displayName string) (
 
 // DeleteApplication deletes an Azure application object.
 // This will in turn remove the service principal (but not the role assignments).
-func (c *AppClient) DeleteApplication(ctx context.Context, applicationObjectID string) (err error) {
+func (c *AppClient) DeleteApplication(ctx context.Context, applicationObjectID string) error {
 	req, err := c.deleteApplicationPreparer(ctx, applicationObjectID)
 	if err != nil {
 		return autorest.NewErrorWithError(err, "provider", "DeleteApplication", nil, "Failure preparing request")
@@ -111,32 +139,36 @@ func (c *AppClient) DeleteApplication(ctx context.Context, applicationObjectID s
 		c.client.ByInspecting(),
 		azure.WithErrorUnlessStatusCode(http.StatusNoContent, http.StatusNotFound),
 		autorest.ByClosing())
-	return autorest.NewErrorWithError(err, "provider", "DeleteApplication", resp, "Failure responding to request")
+
+	if err != nil {
+		return autorest.NewErrorWithError(err, "provider", "DeleteApplication", resp, "Failure responding to request")
+	}
+	return nil
 }
 
-func (c *AppClient) AddApplicationPassword(ctx context.Context, applicationObjectID string, displayName string, endDateTime date.Time) (result PasswordCredentialResult, err error) {
-	req, err := c.addPasswordPreparer(ctx, applicationObjectID, displayName, endDateTime)
+func (c *AppClient) AddApplicationPassword(ctx context.Context, applicationObjectID string, displayName string, endDateTime time.Time) (PasswordCredentialResult, error) {
+	req, err := c.addPasswordPreparer(ctx, applicationObjectID, displayName, date.Time{endDateTime})
 	if err != nil {
 		return PasswordCredentialResult{}, autorest.NewErrorWithError(err, "provider", "AddApplicationPassword", nil, "Failure preparing request")
 	}
 
 	resp, err := c.addPasswordSender(req)
 	if err != nil {
-		result = PasswordCredentialResult{
+		result := PasswordCredentialResult{
 			Response: autorest.Response{Response: resp},
 		}
 		return result, autorest.NewErrorWithError(err, "provider", "AddApplicationPassword", resp, "Failure sending request")
 	}
 
-	result, err = c.addPasswordResponder(resp)
+	result, err := c.addPasswordResponder(resp)
 	if err != nil {
 		return result, autorest.NewErrorWithError(err, "provider", "AddApplicationPassword", resp, "Failure responding to request")
 	}
 
 	return result, nil
 }
 
-func (c *AppClient) RemoveApplicationPassword(ctx context.Context, applicationObjectID string, keyID string) (err error) {
+func (c *AppClient) RemoveApplicationPassword(ctx context.Context, applicationObjectID string, keyID string) error {
 	req, err := c.removePasswordPreparer(ctx, applicationObjectID, keyID)
 	if err != nil {
 		return autorest.NewErrorWithError(err, "provider", "RemoveApplicationPassword", nil, "Failure preparing request")
@@ -174,8 +206,9 @@ func (c AppClient) getApplicationSender(req *http.Request) (*http.Response, erro
 	return autorest.SendWithSender(c.client, req, sd...)
 }
 
-func (c AppClient) getApplicationResponder(resp *http.Response) (result ApplicationResult, err error) {
-	err = autorest.Respond(
+func (c AppClient) getApplicationResponder(resp *http.Response) (ApplicationResult, error) {
+	var result ApplicationResult
+	err := autorest.Respond(
 		resp,
 		c.client.ByInspecting(),
 		azure.WithErrorUnlessStatusCode(http.StatusOK),
@@ -214,8 +247,9 @@ func (c AppClient) addPasswordSender(req *http.Request) (*http.Response, error)
 	return autorest.SendWithSender(c.client, req, sd...)
 }
 
-func (c AppClient) addPasswordResponder(resp *http.Response) (result PasswordCredentialResult, err error) {
-	err = autorest.Respond(
+func (c AppClient) addPasswordResponder(resp *http.Response) (PasswordCredentialResult, error) {
+	var result PasswordCredentialResult
+	err := autorest.Respond(
 		resp,
 		c.client.ByInspecting(),
 		azure.WithErrorUnlessStatusCode(http.StatusOK),
@@ -251,8 +285,9 @@ func (c AppClient) removePasswordSender(req *http.Request) (*http.Response, erro
 	return autorest.SendWithSender(c.client, req, sd...)
 }
 
-func (c AppClient) removePasswordResponder(resp *http.Response) (result autorest.Response, err error) {
-	err = autorest.Respond(
+func (c AppClient) removePasswordResponder(resp *http.Response) (autorest.Response, error) {
+	var result autorest.Response
+	err := autorest.Respond(
 		resp,
 		c.client.ByInspecting(),
 		azure.WithErrorUnlessStatusCode(http.StatusNoContent),
@@ -284,15 +319,16 @@ func (c AppClient) createApplicationSender(req *http.Request) (*http.Response, e
 	return autorest.SendWithSender(c.client, req, sd...)
 }
 
-func (c AppClient) createApplicationResponder(resp *http.Response) (result ApplicationResult, err error) {
-	err = autorest.Respond(
+func (c AppClient) createApplicationResponder(resp *http.Response) (ApplicationResult, error) {
+	var result ApplicationResult
+	err := autorest.Respond(
 		resp,
 		c.client.ByInspecting(),
 		azure.WithErrorUnlessStatusCode(http.StatusCreated),
 		autorest.ByUnmarshallingJSON(&result),
 		autorest.ByClosing())
 	result.Response = autorest.Response{Response: resp}
-	return result, nil
+	return result, err
 }
 
 func (c AppClient) deleteApplicationPreparer(ctx context.Context, applicationObjectID string) (*http.Request, error) {
@@ -360,7 +396,7 @@ type groupResponse struct {
 	DisplayName string `json:"displayName"`
 }
 
-func (c AppClient) GetGroup(ctx context.Context, groupID string) (result Group, err error) {
+func (c AppClient) GetGroup(ctx context.Context, groupID string) (Group, error) {
 	if groupID == "" {
 		return Group{}, fmt.Errorf("missing groupID")
 	}
@@ -374,7 +410,7 @@ func (c AppClient) GetGroup(ctx context.Context, groupID string) (result Group,
 	)
 
 	groupResp := groupResponse{}
-	err = c.SendRequest(ctx, preparer,
+	err := c.SendRequest(ctx, preparer,
 		azure.WithErrorUnlessStatusCode(http.StatusOK, http.StatusNoContent),
 		autorest.ByUnmarshallingJSON(&groupResp),
 	)
@@ -396,7 +432,7 @@ type listGroupsResponse struct {
 	Groups []groupResponse `json:"value"`
 }
 
-func (c AppClient) ListGroups(ctx context.Context, filter string) (result []Group, err error) {
+func (c AppClient) ListGroups(ctx context.Context, filter string) ([]Group, error) {
 	filterArgs := url.Values{}
 	if filter != "" {
 		filterArgs.Set("$filter", filter)
@@ -408,7 +444,7 @@ func (c AppClient) ListGroups(ctx context.Context, filter string) (result []Grou
 	)
 
 	respBody := listGroupsResponse{}
-	err = c.SendRequest(ctx, preparer,
+	err := c.SendRequest(ctx, preparer,
 		azure.WithErrorUnlessStatusCode(http.StatusOK, http.StatusNoContent),
 		autorest.ByUnmarshallingJSON(&respBody),
 	)
@@ -431,12 +467,12 @@ func (c AppClient) ListGroups(ctx context.Context, filter string) (result []Grou
 	return groups, nil
 }
 
-func (c *AppClient) CreateServicePrincipal(ctx context.Context, appID string, startDate time.Time, endDate time.Time) (spID string, password string, err error) {
-	spID, err = c.createServicePrincipal(ctx, appID)
+func (c *AppClient) CreateServicePrincipal(ctx context.Context, appID string, startDate time.Time, endDate time.Time) (string, string, error) {
+	spID, err := c.createServicePrincipal(ctx, appID)
 	if err != nil {
 		return "", "", err
 	}
-	password, err = c.setPasswordForServicePrincipal(ctx, spID, startDate, endDate)
+	password, err := c.setPasswordForServicePrincipal(ctx, spID, startDate, endDate)
 	if err != nil {
 		dErr := c.deleteServicePrincipal(ctx, spID)
 		merr := multierror.Append(err, dErr)
@@ -445,7 +481,7 @@ func (c *AppClient) CreateServicePrincipal(ctx context.Context, appID string, st
 	return spID, password, nil
 }
 
-func (c *AppClient) createServicePrincipal(ctx context.Context, appID string) (id string, err error) {
+func (c *AppClient) createServicePrincipal(ctx context.Context, appID string) (string, error) {
 	body := map[string]interface{}{
 		"appId":          appID,
 		"accountEnabled": true,
@@ -457,7 +493,7 @@ func (c *AppClient) createServicePrincipal(ctx context.Context, appID string) (i
 	)
 
 	respBody := createServicePrincipalResponse{}
-	err = c.SendRequest(ctx, preparer,
+	err := c.SendRequest(ctx, preparer,
 		autorest.WithErrorUnlessStatusCode(http.StatusOK, http.StatusCreated),
 		autorest.ByUnmarshallingJSON(&respBody),
 	)
@@ -468,13 +504,13 @@ func (c *AppClient) createServicePrincipal(ctx context.Context, appID string) (i
 	return respBody.ID, nil
 }
 
-func (c *AppClient) setPasswordForServicePrincipal(ctx context.Context, spID string, startDate time.Time, endDate time.Time) (password string, err error) {
+func (c *AppClient) setPasswordForServicePrincipal(ctx context.Context, spID string, startDate time.Time, endDate time.Time) (string, error) {
 	pathParams := map[string]interface{}{
 		"id": spID,
 	}
 	reqBody := map[string]interface{}{
 		"startDateTime": startDate.UTC().Format("2006-01-02T15:04:05Z"),
-		"endDateTime":   startDate.UTC().Format("2006-01-02T15:04:05Z"),
+		"endDateTime":   endDate.UTC().Format("2006-01-02T15:04:05Z"),
 	}
 
 	preparer := c.GetPreparer(
@@ -484,7 +520,7 @@ func (c *AppClient) setPasswordForServicePrincipal(ctx context.Context, spID str
 	)
 
 	respBody := PasswordCredential{}
-	err = c.SendRequest(ctx, preparer,
+	err := c.SendRequest(ctx, preparer,
 		autorest.WithErrorUnlessStatusCode(http.StatusOK, http.StatusNoContent),
 		autorest.ByUnmarshallingJSON(&respBody),
 	)