Merge pull request #524 from vmware/cert-strings

Allow certificates to be passed as strings

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/hashicorp/go-version v1.2.1
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.0.2
 	github.com/stretchr/testify v1.6.1 // indirect
-	github.com/vmware/go-vmware-nsxt v0.0.0-20191219213550-f4221331f638
+	github.com/vmware/go-vmware-nsxt v0.0.0-20201201191552-e8b90e7eb469
 	github.com/vmware/vsphere-automation-sdk-go/lib v0.3.1
 	github.com/vmware/vsphere-automation-sdk-go/runtime v0.3.1
 	github.com/vmware/vsphere-automation-sdk-go/services/nsxt v0.4.0

go.sum

@@ -43,6 +43,8 @@ github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7 h1:uSoVVbwJiQipAclBb
 github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
+github.com/antihax/optional v1.0.0 h1:xK2lYat7ZLaVVcIuj82J8kIro4V6kDe0AUDFboUCwcg=
+github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/apparentlymart/go-cidr v1.0.1 h1:NmIwLZ/KdsjIUlhf+/Np40atNXm/+lZ5txfTJ/SpF+U=
 github.com/apparentlymart/go-cidr v1.0.1/go.mod h1:EBcsNrHc3zQeuaeCeCtQruQm+n9/YjEn/vI25Lg7Gwc=
 github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3/go.mod h1:oL81AME2rN47vu18xqj1S1jPIPuN7afo62yKTNn3XMM=
@@ -278,8 +280,10 @@ github.com/ulikunitz/xz v0.5.7/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oW
 github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
 github.com/vmihailenco/msgpack v4.0.1+incompatible h1:RMF1enSPeKTlXrXdOcqjFUElywVZjjC6pqse21bKbEU=
 github.com/vmihailenco/msgpack v4.0.1+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
-github.com/vmware/go-vmware-nsxt v0.0.0-20191219213550-f4221331f638 h1:IhIA83a2W1hu+0OqAfAqAuImpQQ4Ot4G/Kn8n04qrxg=
-github.com/vmware/go-vmware-nsxt v0.0.0-20191219213550-f4221331f638/go.mod h1:AzmozsuEImWQcg9Cfef9oMNoPQKcNaps6VkyJhzbSf0=
+github.com/vmware/go-vmware-nsxt v0.0.0-20201110195518-0d17c798219b h1:BNOXM12mMbmXblf8YtP6zeuaw7avNs4mMyqnidLXPDQ=
+github.com/vmware/go-vmware-nsxt v0.0.0-20201110195518-0d17c798219b/go.mod h1:VEqcmf4Sp7gPB7z05QGyKVmn6xWppr7Nz8cVNvyC80o=
+github.com/vmware/go-vmware-nsxt v0.0.0-20201201191552-e8b90e7eb469 h1:k5WnSRR2XOEfr23tGKSjljyhJW7SOhI1C8Ct4tZmpIA=
+github.com/vmware/go-vmware-nsxt v0.0.0-20201201191552-e8b90e7eb469/go.mod h1:VEqcmf4Sp7gPB7z05QGyKVmn6xWppr7Nz8cVNvyC80o=
 github.com/vmware/vsphere-automation-sdk-go/lib v0.3.1 h1:YIcvcshkKm/fbXOvheGfAlGlDTitQXUSMPnYON/uzyg=
 github.com/vmware/vsphere-automation-sdk-go/lib v0.3.1/go.mod h1:lzuoOgc7zhx3bfrKFRDBbaJX3wj4wSstWv4pTpryhJs=
 github.com/vmware/vsphere-automation-sdk-go/runtime v0.3.1 h1:AhoRilMJ6hZbBDr4J9GSrAVpPBkLlZz8+FS84Pdbhc8=

nsxt/provider.go

@@ -167,6 +167,24 @@ func Provider() *schema.Provider {
 						"Must be a valid nsx license key matching: ^[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}$"),
 				},
 			},
+			"client_auth_cert": {
+				Type:        schema.TypeString,
+				Description: "Client certificate passed as string",
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("NSXT_CLIENT_AUTH_CERT", nil),
+			},
+			"client_auth_key": {
+				Type:        schema.TypeString,
+				Description: "Client certificate key passed as string",
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("NSXT_CLIENT_AUTH_KEY", nil),
+			},
+			"ca": {
+				Type:        schema.TypeString,
+				Description: "CA certificate passed as string",
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("NSXT_CA", nil),
+			},
 		},
 
 		DataSourcesMap: map[string]*schema.Resource{
@@ -319,6 +337,8 @@ func Provider() *schema.Provider {
 func configureNsxtClient(d *schema.ResourceData, clients *nsxtClients) error {
 	clientAuthCertFile := d.Get("client_auth_cert_file").(string)
 	clientAuthKeyFile := d.Get("client_auth_key_file").(string)
+	clientAuthCert := d.Get("client_auth_cert").(string)
+	clientAuthKey := d.Get("client_auth_key").(string)
 	vmcToken := d.Get("vmc_token").(string)
 
 	if len(vmcToken) > 0 {
@@ -333,6 +353,14 @@ func configureNsxtClient(d *schema.ResourceData, clients *nsxtClients) error {
 		needCreds = false
 	}
 
+	if len(clientAuthCert) > 0 {
+		if len(clientAuthKey) == 0 {
+			return fmt.Errorf("Please provide key for client certificate")
+		}
+		// only supported for policy resources
+		needCreds = false
+	}
+
 	insecure := d.Get("allow_unverified_ssl").(bool)
 	username := d.Get("username").(string)
 	password := d.Get("password").(string)
@@ -356,6 +384,7 @@ func configureNsxtClient(d *schema.ResourceData, clients *nsxtClients) error {
 	}
 
 	caFile := d.Get("ca_file").(string)
+	caString := d.Get("ca").(string)
 
 	maxRetries := d.Get("max_retries").(int)
 	retryMinDelay := d.Get("retry_min_delay").(int)
@@ -391,6 +420,9 @@ func configureNsxtClient(d *schema.ResourceData, clients *nsxtClients) error {
 		ClientAuthCertFile:   clientAuthCertFile,
 		ClientAuthKeyFile:    clientAuthKeyFile,
 		CAFile:               caFile,
+		ClientAuthCertString: clientAuthCert,
+		ClientAuthKeyString:  clientAuthKey,
+		CAString:             caString,
 		Insecure:             insecure,
 		RetriesConfiguration: retriesConfig,
 	}
@@ -442,17 +474,43 @@ func getAPIToken(vmcAuthHost string, vmcAccessToken string) (string, error) {
 	return token.AccessToken, nil
 }
 
-func getConnectorTLSConfig(insecure bool, clientCertFile string, clientKeyFile string, caFile string) (*tls.Config, error) {
+func getConnectorTLSConfig(d *schema.ResourceData) (*tls.Config, error) {
 
+	insecure := d.Get("allow_unverified_ssl").(bool)
+	clientAuthCertFile := d.Get("client_auth_cert_file").(string)
+	clientAuthKeyFile := d.Get("client_auth_key_file").(string)
+	caFile := d.Get("ca_file").(string)
+	clientAuthCert := d.Get("client_auth_cert").(string)
+	clientAuthKey := d.Get("client_auth_key").(string)
+	caCert := d.Get("ca").(string)
 	tlsConfig := tls.Config{InsecureSkipVerify: insecure}
 
-	if len(clientCertFile) > 0 {
+	if len(clientAuthCertFile) > 0 {
 
-		if len(clientKeyFile) == 0 {
+		// cert and key are passed via filesystem
+		if len(clientAuthKeyFile) == 0 {
 			return nil, fmt.Errorf("Please provide key file for client certificate")
 		}
 
-		cert, err := tls.LoadX509KeyPair(clientCertFile, clientKeyFile)
+		cert, err := tls.LoadX509KeyPair(clientAuthCertFile, clientAuthKeyFile)
+
+		if err != nil {
+			return nil, fmt.Errorf("Failed to load client cert/key pair: %v", err)
+		}
+
+		tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
+			return &cert, nil
+		}
+	}
+
+	if len(clientAuthCert) > 0 {
+		// cert and key are passed as strings
+		if len(clientAuthKey) == 0 {
+			return nil, fmt.Errorf("Please provide key for client certificate")
+		}
+
+		cert, err := tls.X509KeyPair([]byte(clientAuthCert), []byte(clientAuthKey))
+
 		if err != nil {
 			return nil, fmt.Errorf("Failed to load client cert/key pair: %v", err)
 		}
@@ -474,6 +532,13 @@ func getConnectorTLSConfig(insecure bool, clientCertFile string, clientKeyFile s
 		tlsConfig.RootCAs = caCertPool
 	}
 
+	if len(caCert) > 0 {
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM([]byte(caCert))
+
+		tlsConfig.RootCAs = caCertPool
+	}
+
 	return &tlsConfig, nil
 }
 
@@ -483,10 +548,9 @@ func configurePolicyConnectorData(d *schema.ResourceData, clients *nsxtClients)
 	password := d.Get("password").(string)
 	vmcAccessToken := d.Get("vmc_token").(string)
 	vmcAuthHost := d.Get("vmc_auth_host").(string)
-	insecure := d.Get("allow_unverified_ssl").(bool)
 	clientAuthCertFile := d.Get("client_auth_cert_file").(string)
-	clientAuthKeyFile := d.Get("client_auth_key_file").(string)
-	caFile := d.Get("ca_file").(string)
+	clientAuthCert := d.Get("client_auth_cert").(string)
+	clientAuthDefined := (len(clientAuthCertFile) > 0) || (len(clientAuthCert) > 0)
 	policyEnforcementPoint := d.Get("enforcement_point").(string)
 	policyGlobalManager := d.Get("global_manager").(bool)
 
@@ -500,7 +564,7 @@ func configurePolicyConnectorData(d *schema.ResourceData, clients *nsxtClients)
 
 	securityCtx := core.NewSecurityContextImpl()
 	securityContextNeeded := true
-	if len(clientAuthCertFile) > 0 && !clients.CommonConfig.RemoteAuth {
+	if clientAuthDefined && !clients.CommonConfig.RemoteAuth {
 		securityContextNeeded = false
 	}
 
@@ -532,7 +596,7 @@ func configurePolicyConnectorData(d *schema.ResourceData, clients *nsxtClients)
 		}
 	}
 
-	tlsConfig, err := getConnectorTLSConfig(insecure, clientAuthCertFile, clientAuthKeyFile, caFile)
+	tlsConfig, err := getConnectorTLSConfig(d)
 	if err != nil {
 		return err
 	}