helm-external-secrets/pkg/provider/azure/keyvault/keyvault_certificate.go

// /*
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//	http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// */
package keyvault

import (
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"

	"github.com/Azure/go-autorest/autorest"
	"github.com/Azure/go-autorest/autorest/adal"
	"github.com/Azure/go-autorest/autorest/azure"
)

// ClientInMemoryCertificateConfig struct includes a Certificate field to hold the certificate data as a byte slice.
type ClientInMemoryCertificateConfig struct {
	ClientID    string
	Certificate []byte // Certificate data as a byte slice
	TenantID    string
	AuxTenants  []string
	AADEndpoint string
	Resource    string
}

func NewClientInMemoryCertificateConfig(clientID string, certificate []byte, tenantID string) ClientInMemoryCertificateConfig {
	return ClientInMemoryCertificateConfig{
		ClientID:    clientID,
		Certificate: certificate,
		TenantID:    tenantID,
		Resource:    azure.PublicCloud.ResourceManagerEndpoint,
		AADEndpoint: azure.PublicCloud.ActiveDirectoryEndpoint,
	}
}

// ServicePrincipalToken creates a adal.ServicePrincipalToken from client certificate using the certificate byte slice.
func (ccc ClientInMemoryCertificateConfig) ServicePrincipalToken() (*adal.ServicePrincipalToken, error) {
	oauthConfig, err := adal.NewOAuthConfig(ccc.AADEndpoint, ccc.TenantID)
	if err != nil {
		return nil, err
	}
	// Use the byte slice directly instead of reading from a file
	certificate, rsaPrivateKey, err := loadCertificateFromBytes(ccc.Certificate)

	if err != nil {
		return nil, fmt.Errorf("failed to decode certificate: %w", err)
	}
	return adal.NewServicePrincipalTokenFromCertificate(*oauthConfig, ccc.ClientID, certificate, rsaPrivateKey, ccc.Resource)
}

func loadCertificateFromBytes(certificateBytes []byte) (*x509.Certificate, *rsa.PrivateKey, error) {
	var cert *x509.Certificate
	var privateKey *rsa.PrivateKey
	var err error

	// Extract certificate and private key
	for {
		block, rest := pem.Decode(certificateBytes)
		if block == nil {
			break
		}
		if block.Type == "CERTIFICATE" {
			cert, err = x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, nil, fmt.Errorf("failed to parse PEM certificate: %w", err)
			}
		} else {
			privateKey, err = parsePrivateKey(block.Bytes)
			if err != nil {
				return nil, nil, fmt.Errorf("failed to extract private key from PEM certificate: %w", err)
			}
		}
		certificateBytes = rest
	}

	if cert == nil {
		return nil, nil, errors.New("no certificate found in PEM file")
	}

	if privateKey == nil {
		return nil, nil, errors.New("no private key found in PEM file")
	}

	return cert, privateKey, nil
}

func parsePrivateKey(der []byte) (*rsa.PrivateKey, error) {
	if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
		return key, nil
	}
	if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
		switch key := key.(type) {
		case *rsa.PrivateKey:
			return key, nil
		default:
			return nil, errors.New("found unknown private key type in PKCS#8 wrapping")
		}
	}
	return nil, errors.New("failed to parse private key")
}

// Implementation of the AuthorizerConfig interface.
func (ccc ClientInMemoryCertificateConfig) Authorizer() (autorest.Authorizer, error) {
	spToken, err := ccc.ServicePrincipalToken()
	if err != nil {
		return nil, fmt.Errorf("failed to get oauth token from certificate auth: %w", err)
	}
	return autorest.NewBearerAuthorizer(spToken), nil
}