Merge a07a6dd into 0aa1cb3

Author: dgaley

.github/workflows/keyfactor-starter-workflow.yml

@@ -13,7 +13,7 @@ jobs:
   call-starter-workflow:
     uses: keyfactor/actions/.github/workflows/starter.yml@v2
     secrets:
-      token: ${{ secrets.V2BUILDTOKEN}}
-      APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}}
+      token: ${{ secrets.V2BUILDTOKEN }}
+      APPROVE_README_PUSH: ${{ secrets.V2BUILDTOKEN }}
       gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }}
       gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }}

CHANGELOG.md

@@ -31,4 +31,9 @@ Hotfixes for BaseOption flag for Renewal workflow
 Hotfix for domain lookup  
 
 1.1.2
-Hotfix for renewal workflow
+Hotfix for renewal workflow  
+
+1.2.0
+Add SyncProducts config to filter certificate sync by product ID  
+Add ability to manually specify MSSLProfileID per template to use for domain lookup  
+Bugfix: Treat SANs that match the base domain of a wildcard CN as identical for the purpose of removing duplicates  

README.md

@@ -94,15 +94,18 @@ The following sections will breakdown the required configurations for the AnyGat
 ## Templates
 The Template section will map the CA's SSL profile to an AD template. The Lifetime parameter is required and represents the certificate duration in months. 
 * ```ContactName```
-The name to pass to GlobalSign as the contact name for enrollments. OPTIONAL if Active Directory authentication is used in Keyfactor Command, in that case it can look up the name of the requesting user. Value provided in this config field overrides AD lookups.
+The name to pass to GlobalSign as the contact name for enrollments. OPTIONAL if Active Directory authentication is used in Keyfactor Command, in that case it can look up the name of the requesting user. Value provided in this config field overrides AD lookups.  
+* ```MSSLProfileID```
+OPTIONAL: If specified, enrollments will use that profile ID for domain lookups. If not provided, domain lookup will be done based on the Common Name or first DNS SAN. Useful if your GlobalSign account has multiple domain objects with the same domain string, or subdomains (e.g. sub.test.com vs test.com).
 
  ```json
   "Templates": {
 	"WebServer": {
       "ProductID": "PV_SHA2",
       "Parameters": {
 		"Lifetime":"12",
-		"ContactName":"John Doe"
+		"ContactName":"John Doe",
+		"MSSLProfileID":"123456"
       }
    }
 }
@@ -194,14 +197,19 @@ This is the password that will be used to connect to the GlobalSign API
 OPTIONAL: If provided, full syncs will start at the specified date.
 * ```SyncIntervalDays```  
 OPTIONAL: Required if SyncStartDate is used. Specifies how to page the certificate sync. Should be a value such that no interval of that length contains > 500 certificate enrollments.
+* ```SyncProducts```  
+OPTIONAL: If provided as a comma-separated list of product IDs, will limit the certificate sync to only certificates of those products. If blank or not provided, will sync all certs.
 
 ```json
   "CAConnection": {
 	"IsTest":"false",
 	"PickupRetries":5,
 	"PickupDelay":150,
 	"Username":"PAR12344_apiuser",
-	"Password":"password"
+	"Password":"password",
+	"SyncStartDate":"2020-01-01",
+	"SyncIntervalDays":30,
+	"SyncProducts":"PV_SHA2, PEV_SHA2"
   },
 ```
 ## GatewayRegistration

globalsign-mssl-cagateway.sln

@@ -1,7 +1,7 @@
 
 Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio Version 16
-VisualStudioVersion = 16.0.31129.286
+# Visual Studio Version 17
+VisualStudioVersion = 17.10.35122.118
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "GlobalSignCAProxy", "src\GlobalSignCAProxy\GlobalSignCAProxy.csproj", "{8A26FA6A-22CC-4BD0-9AAC-CDF95A85011D}"
 EndProject
@@ -13,8 +13,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution
 	ProjectSection(SolutionItems) = preProject
 		CHANGELOG.md = CHANGELOG.md
 		integration-manifest.json = integration-manifest.json
-		.github\workflows\keyfactor-extension-generate-readme.yml = .github\workflows\keyfactor-extension-generate-readme.yml
-		.github\workflows\keyfactor-extension-release.yml = .github\workflows\keyfactor-extension-release.yml
+		.github\workflows\keyfactor-starter-workflow.yml = .github\workflows\keyfactor-starter-workflow.yml
 		README.md.tpl = README.md.tpl
 		readme_source.md = readme_source.md
 	EndProjectSection

integration-manifest.json

@@ -5,7 +5,8 @@
   "status": "production",
   "update_catalog": true,
   "link_github": true,
-  "release_dir": "src\\GlobalSignCAProxy\\bin\\Release",
+  "release_dir": "src/GlobalSignCAProxy/bin/Release",
+  "release_project":  "src/GlobalSignCAProxy/GlobalSignCAProxy.csproj",
   "support_level": "kf-supported",
   "description": "This integration allows for the Synchronization, Enrollment, and Revocation of TLS Certificates from the GlobalSign Certificate Center."
 }

readme_source.md

@@ -52,15 +52,18 @@ The following sections will breakdown the required configurations for the AnyGat
 ## Templates
 The Template section will map the CA's SSL profile to an AD template. The Lifetime parameter is required and represents the certificate duration in months. 
 * ```ContactName```
-The name to pass to GlobalSign as the contact name for enrollments. OPTIONAL if Active Directory authentication is used in Keyfactor Command, in that case it can look up the name of the requesting user. Value provided in this config field overrides AD lookups.
+The name to pass to GlobalSign as the contact name for enrollments. OPTIONAL if Active Directory authentication is used in Keyfactor Command, in that case it can look up the name of the requesting user. Value provided in this config field overrides AD lookups.  
+* ```MSSLProfileID```
+OPTIONAL: If specified, enrollments will use that profile ID for domain lookups. If not provided, domain lookup will be done based on the Common Name or first DNS SAN. Useful if your GlobalSign account has multiple domain objects with the same domain string, or subdomains (e.g. sub.test.com vs test.com).
 
  ```json
   "Templates": {
 	"WebServer": {
       "ProductID": "PV_SHA2",
       "Parameters": {
 		"Lifetime":"12",
-		"ContactName":"John Doe"
+		"ContactName":"John Doe",
+		"MSSLProfileID":"123456"
       }
    }
 }
@@ -152,14 +155,19 @@ This is the password that will be used to connect to the GlobalSign API
 OPTIONAL: If provided, full syncs will start at the specified date.
 * ```SyncIntervalDays```  
 OPTIONAL: Required if SyncStartDate is used. Specifies how to page the certificate sync. Should be a value such that no interval of that length contains > 500 certificate enrollments.
+* ```SyncProducts```  
+OPTIONAL: If provided as a comma-separated list of product IDs, will limit the certificate sync to only certificates of those products. If blank or not provided, will sync all certs.
 
 ```json
   "CAConnection": {
 	"IsTest":"false",
 	"PickupRetries":5,
 	"PickupDelay":150,
 	"Username":"PAR12344_apiuser",
-	"Password":"password"
+	"Password":"password",
+	"SyncStartDate":"2020-01-01",
+	"SyncIntervalDays":30,
+	"SyncProducts":"PV_SHA2, PEV_SHA2"
   },
 ```
 ## GatewayRegistration

src/GlobalSignCAProxy/Api/GlobalSignEnrollRequest.cs

@@ -90,6 +90,12 @@ public BmV2PvOrderRequest Request
 								Logger.Info($"SAN Entry {item} matches CN, removing from request");
 								continue;
 							}
+							if (string.Equals(item, $"*.{CommonName}", System.StringComparison.OrdinalIgnoreCase)
+								|| string.Equals($"*.{item}", CommonName, System.StringComparison.OrdinalIgnoreCase))
+							{
+								Logger.Info($"SAN Entry {item} is equivalent to CN ignoring wildcards, removing from request");
+								continue;
+							}
 							SANEntry entry = new SANEntry();
 							entry.SubjectAltName = item;
 							StringBuilder sb = new StringBuilder();

src/GlobalSignCAProxy/Api/GlobalSignRenewRequest.cs

@@ -44,6 +44,12 @@ public GlobalSignRenewRequest(GlobalSignCAConfig config) : base(config) { }
 								Logger.Info($"SAN Entry {item} matches CN, removing from request");
 								continue;
 							}
+							if (string.Equals(item, $"*.{CommonName}", System.StringComparison.OrdinalIgnoreCase)
+								|| string.Equals($"*.{item}", CommonName, System.StringComparison.OrdinalIgnoreCase))
+							{
+								Logger.Info($"SAN Entry {item} is the same base domain as the wildcard CN, removing from request");
+								continue;
+							}
 							SANEntry entry = new SANEntry();
 							entry.SubjectAltName = item;
 							StringBuilder sb = new StringBuilder();

src/GlobalSignCAProxy/Client/GlobalSignApiClient.cs

@@ -298,7 +298,7 @@ public EnrollmentResult Enroll(GlobalSignEnrollRequest enrollRequest)
 				{
 					Logger.Trace($"Order Base Option: {rawRequest.OrderRequestParameter.BaseOption}");
 				}
-				var response = OrderService.PVOrder(enrollRequest.Request);
+				var response = OrderService.PVOrder(rawRequest);
 				if (response.OrderResponseHeader.SuccessCode == 0)
 				{
 					Logger.Debug($"Enrollment request successfully submitted");
@@ -365,7 +365,7 @@ public EnrollmentResult Renew(GlobalSignRenewRequest renewRequest)
 					Logger.Trace($"Order Base Option: {rawRequest.OrderRequestParameter.BaseOption}");
 				}
 				Logger.Trace($"Renewal Target: {rawRequest.OrderRequestParameter.RenewalTargetOrderID}");
-				var response = OrderService.PVOrder(renewRequest.Request);
+				var response = OrderService.PVOrder(rawRequest);
 				if (response.OrderResponseHeader.SuccessCode == 0)
 				{
 					Logger.Debug($"Renewal request successfully submitted");

src/GlobalSignCAProxy/GlobalSignCAConfig.cs

@@ -25,6 +25,7 @@ public class GlobalSignCAConfig
 
 		public string SyncStartDate { get; set; }
 		public int SyncIntervalDays { get; set; }
+		public string SyncProducts { get; set; }
 
         public string GetUrl(GlobalSignServiceType queryType)
         {