From c80d9cda01f36d6150cb756b8bf2f6d3223e0b45 Mon Sep 17 00:00:00 2001
From: Beau Frusetta
Date: Fri, 11 Dec 2020 14:32:44 -0700
Subject: [PATCH] feat(security): kong cert paths are now optional (#2940)

The kong config options for CertPath, CertFilePath, and KeyFilePath in configuration.toml are now optional. By default, those values are now empty. I also cleaned up a single quote situation in the token provider configuration.toml.
fixes: #2928
Signed-off-by: Beau Frusetta
---
 .../configuration.toml | 2 +-
 .../res/configuration.toml | 6 +-
 internal/security/secretstore/init.go | 63 ++++++++++++-------
 3 files changed, 44 insertions(+), 27 deletions(-)

diff --git a/cmd/security-secretstore-setup/res-file-token-provider/configuration.toml b/cmd/security-secretstore-setup/res-file-token-provider/configuration.toml
index 938c73d03d..3b83f25a30 100644
--- a/cmd/security-secretstore-setup/res-file-token-provider/configuration.toml
+++ b/cmd/security-secretstore-setup/res-file-token-provider/configuration.toml
@@ -6,7 +6,7 @@ Protocol = "http"
 Server = "edgex-vault"
 ServerName = ""
 Port = 8200
-CaFilePath = ''
+CaFilePath = ""
 
 [TokenFileProvider]
 PrivilegedTokenPath = "/run/edgex/secrets/tokenprovider/secrets-token.json"
diff --git a/cmd/security-secretstore-setup/res/configuration.toml b/cmd/security-secretstore-setup/res/configuration.toml
index 9520c11df4..0aedc4e455 100644
--- a/cmd/security-secretstore-setup/res/configuration.toml
+++ b/cmd/security-secretstore-setup/res/configuration.toml
@@ -23,10 +23,10 @@ LogLevel = 'DEBUG'
 Protocol = "http"
 Server = "edgex-vault"
 Port = 8200
-CertPath = "v1/secret/edgex/edgex-security-proxy-setup/kong-tls"
+CertPath = ""
 CaFilePath = ""
-CertFilePath = "/tmp/edgex/secrets/edgex-kong/server.crt"
-KeyFilePath = "/tmp/edgex/secrets/edgex-kong/server.key"
+CertFilePath = ""
+KeyFilePath = ""
 TokenFolderPath = "/vault/config/assets"
 TokenFile = "resp-init.json"
 VaultSecretShares = 5
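Review bot: The new blank defaults for CertPath, CertFilePath and KeyFilePath in res/configuration.toml carry no hint that the three keys are consumed together by the secret store bootstrap, and the removed values were the only documentation of the expected layout. A comment above CertPath such as `# CertPath, CertFilePath and KeyFilePath are optional; set all three to upload the proxy certificate pair, or leave all three blank to skip it` would spare an operator from discovering the coupling at startup. The CaFilePath quote change in the token-provider file needs nothing.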
diff --git a/internal/security/secretstore/init.go b/internal/security/secretstore/init.go
index a564c55b3b..88293e7796 100644
--- a/internal/security/secretstore/init.go
+++ b/internal/security/secretstore/init.go
@@ -24,6 +24,7 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"strings"
 	"sync"
 	"time"
 
@@ -340,36 +341,52 @@ func (b *Bootstrap) BootstrapHandler(ctx context.Context, _ *sync.WaitGroup, _ s
 		os.Exit(1)
 	}
 
-	cert := NewCerts(req, configuration.SecretService.CertPath, rootToken, configuration.SecretService.GetSecretSvcBaseURL(), lc)
-	existing, err := cert.AlreadyinStore()
-	if err != nil {
-		lc.Error(err.Error())
-		os.Exit(1)
-	}
+	// Concat all cert path config vals together to check for empty vals
+	certPathCheck := configuration.SecretService.CertPath +
+		configuration.SecretService.CertFilePath +
+		configuration.SecretService.KeyFilePath
 
-	if existing == true {
-		lc.Info("proxy certificate pair are in the secret store already, skip uploading")
-		return false
-	}
+	// If any of the previous three proxy cert path values are present (len > 0), attempt to upload to secret store
+	if len(strings.TrimSpace(certPathCheck)) != 0 {
 
-	lc.Info("proxy certificate pair are not in the secret store yet, uploading them")
-	cp, err := cert.ReadFrom(configuration.SecretService.CertFilePath, configuration.SecretService.KeyFilePath)
-	if err != nil {
-		lc.Error("failed to get certificate pair from volume")
-		os.Exit(1)
-	}
+		// Grab the certificate & check to see if it's already in the secret store
+		cert := NewCerts(req, configuration.SecretService.CertPath, rootToken, configuration.SecretService.GetSecretSvcBaseURL(), lc)
+		existing, err := cert.AlreadyinStore()
+		if err != nil {
+			lc.Error(err.Error())
+			os.Exit(1)
+		}
 
-	lc.Info("proxy certificate pair are loaded from volume successfully, will upload to secret store")
+		if existing {
+			lc.Info("proxy certificate pair are in the secret store already, skip uploading")
+			return false
+		}
 
-	err = cert.UploadToStore(cp)
-	if err != nil {
-		lc.Error("failed to upload the proxy cert pair into the secret store")
-		lc.Error(err.Error())
-		os.Exit(1)
+		lc.Info("proxy certificate pair are not in the secret store yet, uploading them")
+		cp, err := cert.ReadFrom(configuration.SecretService.CertFilePath, 
configuration.SecretService.KeyFilePath)
+		if err != nil {
+			lc.Error("failed to get certificate pair from volume")
+			os.Exit(1)
+		}
+
+		lc.Info("proxy certificate pair are loaded from volume successfully, will upload to secret store")
+
+		err = cert.UploadToStore(cp)
+		if err != nil {
+			lc.Error("failed to upload the proxy cert pair into the secret store")
+			lc.Error(err.Error())
+			os.Exit(1)
+		}
+
+		lc.Info("proxy certificate pair are uploaded to secret store successfully")
+
+	} else {
+		lc.Info("proxy certificate pair upload was skipped because cert config value(s) were blank")
 	}
-	lc.Info("proxy certificate pair are uploaded to secret store successfully, Vault init done successfully")
+	lc.Info("Vault init done successfully")
 	return false
+
 }
 
 // XXX Collapse addServiceCredential and addDBCredential together by passing in the path or using
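Review bot: The guard `if len(strings.TrimSpace(certPathCheck)) != 0` treats the three paths as a single value, so a partial configuration (for example CertPath set but CertFilePath or KeyFilePath blank) passes the check and then dies inside `cert.ReadFrom` with the generic "failed to get certificate pair from volume", which hides the actual misconfiguration. Trimming and checking each value separately, and rejecting an inconsistent set with a message naming the keys, would make a broken secret-store setup fail fast and clearly. Leaving all three blank now skips provisioning the proxy certificate pair with only an Info line; if that is not the expected state for a production deployment, a Warn-level message would make the omission visible in logs. BootstrapHandler starts before this hunk.
```go
	// Check each path on its own so a partial configuration is reported rather than
	// surfacing later as a misleading ReadFrom failure.
	certPath := strings.TrimSpace(configuration.SecretService.CertPath)
	certFilePath := strings.TrimSpace(configuration.SecretService.CertFilePath)
	keyFilePath := strings.TrimSpace(configuration.SecretService.KeyFilePath)
	anySet := certPath != "" || certFilePath != "" || keyFilePath != ""
	allSet := certPath != "" && certFilePath != "" && keyFilePath != ""

	if anySet && !allSet {
		lc.Error("CertPath, CertFilePath and KeyFilePath must either all be set or all be blank")
		os.Exit(1)
	}

	if allSet {
		// … unchanged: NewCerts / AlreadyinStore / ReadFrom / UploadToStore sequence …
	} else {
		lc.Info("proxy certificate pair upload was skipped because cert config value(s) were blank")
	}
```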