VC-32829 / Adds GCP cucumber tests for provisioning

.gitignore

@@ -18,3 +18,4 @@ aruba/log.log
 credentials
 *.DS_Store
 vendor
+google_auth.json

aruba/Dockerfile

@@ -2,10 +2,14 @@ FROM ruby:3.2
 MAINTAINER Venafi DevOps Integrations <[email protected]>
 
 RUN gem install aruba json_spec
+RUN gem install google-cloud-certificate_manager-v1
 COPY . /vcert/
 ENV BUNDLE_PATH="/vcert/tpp"
+ENV GCP_AUTH_PATH="/vcert/cloud_providers"
 RUN mkdir -p $BUNDLE_PATH
+RUN mkdir -p $GCP_AUTH_PATH
 COPY tpp-bundle.pem $BUNDLE_PATH
+COPY google_auth.json $GCP_AUTH_PATH
 ENV FIREFLY_BUNDLE_PATH="/vcert/firefly"
 RUN mkdir -p $FIREFLY_BUNDLE_PATH
 COPY firefly-bundle.pem $FIREFLY_BUNDLE_PATH

aruba/cucumber.sh

@@ -26,7 +26,13 @@ RUN_COMMAND="docker run -t --rm \
           -e OKTA_SCOPE \
           -e FIREFLY_ZONE \
           -e FIREFLY_URL \
-          -e FIREFLY_CA_BUNDLE"
+          -e FIREFLY_CA_BUNDLE \
+          -e GCP_AUTH_PATH \
+          -e GCP_PROJECT \
+          -e GCP_REGION \
+          -e GCP_PROVIDER_NAME \
+          -e GCP_KEYSTORE_NAME \
+          -e GCP_KEYSTORE_ID"
 
 # Use getopts to handle command-line options
 while getopts "a:b:" opt; do

aruba/features/playbook/steps_definitions/my_steps.rb

@@ -8,7 +8,7 @@
     }
   }
 
-  if platform == "TPP"
+  if platform == $platform_tpp
     validate_tpp_envs
     connection_tpp = {
       platform: "tpp",
@@ -21,7 +21,7 @@
     }
     connection_tpp['credentials'] = credentials
     @playbook_data[:config][:connection] = connection_tpp
-  elsif platform == "VaaS"
+  elsif platform == $platform_vaas or platform == $platform_vcp
     validate_vaas_envs
     connection_vaas = {
       platform: "vaas"

aruba/features/provision/cloudkeystore/provision_cloudkeystore.feature

@@ -0,0 +1,30 @@
+@VAAS
+Feature: provision to cloud keystore
+
+  As a user
+  I want provision certificates to cloud keystore from Venafi Control Plane
+
+  Background:
+    And the default aruba exit timeout is 180 seconds
+
+  Scenario Outline: Enroll certificate and execute provisioning for cloud keystore
+    Given I enroll a random certificate with defined platform VCP with -csr service -no-prompt
+    And I remember the output
+    And I use previous Pickup ID to provision from VCP a certificate to cloudkeystore "<cloudkeystore>" setting keystore and provider names
+    And I remember the output
+    And it should output cloud ID
+    Then I clean up previous installed certificate from cloudkeystore
+    Examples:
+      | cloudkeystore    |
+      | GOOGLE           |
+
+  Scenario Outline: Enroll certificate and execute provisioning for cloud keystore and get output in JSON
+    Given I enroll a random certificate with defined platform VCP with -csr service -no-prompt
+    And I remember the output
+    And I use previous Pickup ID to provision from VCP a certificate to cloudkeystore "<cloudkeystore>" setting keystore and provider names with -format json
+    And I remember the output
+      And it should output cloud ID in JSON
+    Then I clean up previous installed certificate from cloudkeystore
+    Examples:
+      | cloudkeystore    |
+      | GOOGLE           |

aruba/features/provision/cloudkeystore/steps_definitions/my_steps.rb

@@ -0,0 +1,95 @@
+And(/^I use previous Pickup ID to provision (?:from|using) (\S+) a certificate to cloudkeystore "(.*)"( setting keystore and provider names)?$/) do |platform, cloudkeystore_type, keystore_provider_names|
+
+  cmd = build_provision_cmd(platform, cloudkeystore_type, keystore_provider_names)
+
+  steps %{Then I try to run `#{cmd}`}
+end
+
+And(/^I use previous Pickup ID to provision (?:from|using) (\S+) a certificate to cloudkeystore "(.*)"( setting keystore and provider names)? with (.+)?/) do |platform, cloudkeystore_type, keystore_provider_names, flags|
+
+  cmd = build_provision_cmd(platform, cloudkeystore_type, keystore_provider_names, flags)
+
+  steps %{Then I try to run `#{cmd}`}
+end
+
+def build_provision_cmd(platform, cloudkeystore_type, keystore_provider_names, flags = "")
+
+  platform_flag = " -platform " + platform
+
+  cmd = "vcert provision cloudkeystore #{platform_flag} #{ENDPOINTS[$platform_vcp]} -pickup-id #{@pickup_id}"
+
+  keystore_name = ""
+  provider_name = ""
+  keystore_id = ""
+  case cloudkeystore_type
+  when $keystore_type_azure
+  when $keystore_type_gcp
+    if keystore_provider_names
+      keystore_name = $gcp_keystore_name
+      provider_name = $gcp_provider_name
+      @cloudkeystore_type = $keystore_type_gcp
+    else
+      keystore_id = $gcp_keystore_id
+    end
+  else
+    fail(ArgumentError.new("Unexpected : #{cloudkeystore_type}"))
+  end
+  if keystore_provider_names
+    keystore_name_flag = " -keystore-name '#{keystore_name}'"
+    provider_name_flag = " -provider-name '#{provider_name}'"
+
+    cmd = "#{cmd} #{keystore_name_flag} #{provider_name_flag}"
+  else
+    keystore_id_flag = " -keystore-id " + keystore_id
+    cmd = "#{cmd} #{keystore_id_flag}"
+  end
+
+  if flags != ""
+    cmd += " #{flags}"
+  end
+
+  return cmd
+end
+
+Then(/^it should output cloud ID( in JSON)?$/) do |json|
+
+  if @previous_command_output.nil?
+    fail(ArgumentError.new('@previous_command_output is nil'))
+  end
+
+  Kernel.puts("Checking output:\n"+@previous_command_output)
+  cloud_id = ""
+  case @cloudkeystore_type
+  when $keystore_type_aws
+  when $keystore_type_azure
+  when $keystore_type_gcp
+    cloud_id = "gcpId"
+  else
+    fail(ArgumentError.new("Unexpected : #{@cloudkeystore_type}"))
+  end
+  if json
+    json_string = extract_json_from_output(@previous_command_output)
+    JSON.parse(json_string)
+    @cloud_id = unescape_text(normalize_json(json_string, "#{cloud_id}")).tr('"', '')
+  else
+    m = @previous_command_output.match /#{cloud_id} (.+)$/
+    @cloud_id = m[1]
+  end
+end
+
+And(/^I clean up previous installed certificate from cloudkeystore/) do ||
+  case @cloudkeystore_type
+  when $keystore_type_aws
+  when $keystore_type_azure
+  when $keystore_type_gcp
+    cleanup_google
+  else
+    fail(ArgumentError.new("Unexpected : #{@cloudkeystore_type}"))
+  end
+end
+
+def cleanup_google
+  client = create_certificate_manager_client
+  certificate_name = "projects/#{ENV['GCP_PROJECT']}/locations/#{ENV['GCP_REGION']}/certificates/#{@cloud_id}"
+  delete_certificate(client, certificate_name)
+end

aruba/features/step_definitions/actions.rb

@@ -181,13 +181,30 @@
 
 When(/^I enroll(?: a)?( random)? certificate with defined platform (.*) with (.+)?$/) do |random, platform, flags|
   if random
-    cn = " -cn " + random_cn
+    cn = " -cn " + $prefix_cn + "-" + random_cn
   end
 
   platform_flag = " -platform " + platform
 
-  trust_bundle_flag = " -trust-bundle '#{ENV["FIREFLY_CA_BUNDLE"]}' "
+  trust_bundle_flag = ""
+  case platform
+  when $platform_tpp
+    trust_bundle_flag = " -trust-bundle '#{ENV["TPP_TRUST_BUNDLE"]}' "
+  when $platform_firefly
+    trust_bundle_flag = " -trust-bundle '#{ENV["FIREFLY_CA_BUNDLE"]}' "
+  end
+
 
-  cmd = "vcert enroll #{platform_flag} #{ENDPOINTS[platform]} #{ZONE[platform]} #{cn} #{flags} #{trust_bundle_flag}"
+  cmd = "vcert enroll #{platform_flag} #{ENDPOINTS[platform]} #{ZONE[platform]} #{cn} #{flags}"
+
+  if trust_bundle_flag != ""
+    cmd = "#{cmd} #{trust_bundle_flag}"
+  end
   steps %{Then I try to run `#{cmd}`}
+
+  # grabbing PickupID
+  m = last_command_started.output.match /^PickupID="(.+)"$/
+  if m
+    @pickup_id = m[1]
+  end
 end

aruba/features/step_definitions/endpoints.rb

@@ -20,7 +20,9 @@
     "Firefly" => "-u '#{ENV['FIREFLY_URL']}' -t '#{ENV['IDP_ACCESS_TOKEN']}'"
 }
 
-ENDPOINTS["VaaS"] = ENDPOINTS["Cloud"]
+ENDPOINTS[$platform_vaas] = ENDPOINTS["Cloud"]
+
+ENDPOINTS[$platform_vcp] = ENDPOINTS[$platform_vaas]
 
 ZONE = {
     "test-mode" => "-z Default",
@@ -35,7 +37,9 @@
 
     "Firefly" => "-z '#{ENV['FIREFLY_ZONE']}'"
 }
-ZONE["VaaS"] = ZONE["Cloud"]
+ZONE[$platform_vaas] = ZONE["Cloud"]
+
+ZONE[$platform_vcp] = ZONE[$platform_vaas]
 
 ENDPOINT_CONFIGS = {
     "test-mode" => "

aruba/features/step_definitions/my_steps.rb

@@ -88,6 +88,7 @@
 end
 
 And(/^I remember the output$/) do
+  last_command_started
   @previous_command_output = last_command_started.output.to_s
 end
 

aruba/features/support/aruba.rb

@@ -5,10 +5,24 @@
   config.allow_absolute_paths = true
 end
 
-$path_separator = "/"
+$prefix_cn = "vcert"
+
+$platform_tpp = "TPP"
+$platform_vaas = "VaaS" # places already use it as is
+$platform_vcp = "VCP"
+$platform_firefly = "Firefly"
 
+$path_separator = "/"
 $temp_path = "tmp/aruba"
 
+$keystore_type_aws = "AWS"
+$keystore_type_azure = "AZURE"
+$keystore_type_gcp = "GOOGLE"
+
+$gcp_keystore_id = ENV["GCP_KEYSTORE_ID"]
+$gcp_keystore_name = ENV["GCP_KEYSTORE_NAME"]
+$gcp_provider_name = ENV["GCP_PROVIDER_NAME"]
+
 def last_json
   last_command_started.stdout.to_s
 end

aruba/features/support/google_provider.rb

@@ -0,0 +1,25 @@
+require 'google/cloud/certificate_manager/v1'
+
+# Set the environment variable for Google Cloud credentials
+ENV['GOOGLE_APPLICATION_CREDENTIALS'] = ENV['GCP_AUTH_PATH']
+
+# Initialize the Certificate Manager Client
+def create_certificate_manager_client
+  Google::Cloud::CertificateManager::V1::CertificateManager::Client.new
+end
+
+# Delete a certificate
+def delete_certificate(client, certificate_name)
+  request = Google::Cloud::CertificateManager::V1::DeleteCertificateRequest.new(
+    name: certificate_name
+  )
+
+  operation = client.delete_certificate(request)
+  operation.wait_until_done!
+
+  if operation.error?
+    puts "Error deleting certificate: #{operation.error.message}"
+  else
+    puts "Certificate deleted successfully."
+  end
+end

cmd/vcert/validators.go

@@ -737,7 +737,7 @@ func validateProvisionFlags(commandName string) error {
 	}
 
 	if flags.pickupIDFile != "" {
-		if flags.pickupID != "" {
+		if flags.provisionPickupID != "" {
 			return fmt.Errorf("both --pickup-id and --pickup-id-file options cannot be specified at the same time")
 		}
 		if flags.certificateID != "" {
@@ -746,7 +746,7 @@ func validateProvisionFlags(commandName string) error {
 	}
 
 	if flags.certificateIDFile != "" {
-		if flags.pickupID != "" {
+		if flags.provisionPickupID != "" {
 			return fmt.Errorf("both --certificate-id and --pickup-id-file options cannot be specified at the same time")
 		}
 		if flags.certificateID != "" {