
feat: add grant-type-specific PAM types and xUnit test project #17

Closed
spbsoluble wants to merge 32 commits into main from feat/debug-token-request-logging


Conversation

@spbsoluble
Contributor

Summary

  • Extracts all shared logic into an abstract base class SecretServerPamBase (HTTP, validation, config-building, audit logging, secret retrieval). All four concrete types delegate to GetPasswordCore in the base.
  • Adds three new concrete PAM types, each with a hardcoded grant type:
    • SecretServerPamPassword: Delinea-SecretServer-Password (Username + Password)
    • SecretServerPamClientCredentials: Delinea-SecretServer-ClientCredentials (ClientId + ClientSecret)
    • SecretServerPamWindows: Delinea-SecretServer-Windows (IWA, no credentials)
  • Each type-specific variant exposes only the fields relevant to its auth flow in the Keyfactor Command UI, removing the requirement for users to fill in irrelevant credential fields.
  • The existing Delinea-SecretServer type and all its parameters are unchanged — fully backwards compatible.
  • Fixes pre-existing bug: BuildDelineaConfiguration was setting GrantType = "password" on the DelineaConfiguration object returned for the client_credentials case.
  • SecretFieldName validation now rejects whitespace-only values (previously only empty string was rejected).
  • integration-manifest.json updated with three new PAM type blocks.
  • manifest.json updated with InitializationInfo examples for all four types.
  • Replaces the manual TestConsole with a proper xUnit test project (delinea-secretserver-pam.Tests, net8.0): 38 tests, all passing, covering all four types and all error paths.

Test plan

  • All 38 xUnit tests pass: dotnet test delinea-secretserver-pam.sln -c Release
  • Build is clean with zero warnings: dotnet build delinea-secretserver-pam.sln -c Release
  • All existing auth flows (password, client_credentials, windows) covered via the backwards-compatible type tests
  • Each type-specific type tested for: happy path, missing required server params, missing instance params, non-success HTTP, empty token, field-not-found
  • Token request body verified to use username/password field names for both password and client_credentials flows (Delinea API constraint)

Backwards compatibility

The existing Delinea-SecretServer PAM type, its parameter names, and its default behaviour (GrantType defaults to password when absent) are all unchanged. Existing Command installations require no reconfiguration.
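Added illustration (not code from the delinea-secretserver-pam project) of three points in the description: the configuration keeps the logical grant type while the token request body uses the password-grant field names for both the password and client_credentials flows (the Delinea API constraint noted above), the request body is masked before it is written to a debug log, and SecretFieldName rejects whitespace-only values. The class and member names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Illustrative configuration type; the names are assumed, not the project's own.
public sealed class DelineaConfiguration
{
    public string GrantType { get; init; } = "password";   // logical grant type, as stored
    public string? Username { get; init; }
    public string? Password { get; init; }
    public string? ClientId { get; init; }
    public string? ClientSecret { get; init; }
}

public static class TokenRequest
{
    // Delinea's token endpoint accepts client credentials only under the password-grant
    // field names, so the wire body says grant_type=password for both flows. The logical
    // grant type stays in the configuration object, which is what the PR's bug fix corrects.
    public static Dictionary<string, string> BuildBody(DelineaConfiguration cfg) => cfg.GrantType switch
    {
        "password" => new Dictionary<string, string>
        {
            ["grant_type"] = "password", ["username"] = cfg.Username ?? "", ["password"] = cfg.Password ?? ""
        },
        "client_credentials" => new Dictionary<string, string>
        {
            ["grant_type"] = "password", ["username"] = cfg.ClientId ?? "", ["password"] = cfg.ClientSecret ?? ""
        },
        _ => throw new InvalidOperationException($"grant type '{cfg.GrantType}' does not use the token endpoint"),
    };

    private static readonly HashSet<string> SensitiveKeys =
        new(StringComparer.OrdinalIgnoreCase) { "password", "client_secret" };

    // Form-encoded view of the body with secret values masked; only this form goes to the log.
    public static string ForLog(IReadOnlyDictionary<string, string> body) =>
        string.Join("&", body.Select(kv =>
            $"{kv.Key}={(SensitiveKeys.Contains(kv.Key) ? "***" : Uri.EscapeDataString(kv.Value))}"));

    // Tightened check from the PR: empty and whitespace-only field names are both rejected.
    public static void ValidateSecretFieldName(string? name)
    {
        if (string.IsNullOrWhiteSpace(name))
            throw new ArgumentException("SecretFieldName is required and may not be blank.");
    }
}
```

For a client_credentials configuration, `ForLog(BuildBody(cfg))` yields a string of the form `grant_type=password&username=<ClientId>&password=***`, so the logged body shows which flow and identity were used without the secret.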

spbsoluble and others added 30 commits April 16, 2026 12:30
Logs the token endpoint request body (with password/client_secret redacted)
and the raw response body on non-2xx status codes to aid troubleshooting
of authentication failures without exposing credentials.
Adds .env, scripts/, and client_pam.json to .gitignore to prevent
accidental commit of credentials, bearer tokens, and local test output.
Validate() was never invoked — validation is enforced imperatively in
ValidateServerConfigurationParams() and ValidateInstanceParams(). Calling
Validator.TryValidateObject() would also incorrectly fail for the
client_credentials flow (which stores GrantType="password" internally to
satisfy the Delinea API). Data annotation attributes are retained for
documentation value.
- Log caller identity (Environment.UserName, MachineName), SecretId,
  field name, target URL, and grant type on every GetPassword invocation
- Record API call duration (Stopwatch) for both token and secret endpoints
- Include SecretId, field, grant type, and URL in success and failure log events
- Improve auth failure log with URL, grant type, and caller identity context
- Truncate Secret Server error response bodies to 500 chars before logging
- Remove raw token response body from deserialization failure log path
- Switch .Result to .GetAwaiter().GetResult() to avoid exception masking
…c PAM types

Extract all shared HTTP, validation, and secret-retrieval logic into an
abstract base class SecretServerPamBase. Add three concrete subclasses —
SecretServerPamPassword, SecretServerPamClientCredentials, and
SecretServerPamWindows — each implementing IPAMProvider with a hardcoded
grant type. The existing SecretServerPam class is unchanged (backwards
compatible).

Also fixes a pre-existing bug where BuildDelineaConfiguration set
GrantType = "password" on the DelineaConfiguration returned for the
client_credentials case; it now correctly sets "client_credentials".

SecretFieldName validation is tightened to reject whitespace-only values
(previously only empty string was rejected).

InternalsVisibleTo("delinea-secretserver-pam.Tests") added via AssemblyInfo.cs
to allow the xUnit test project to reach the internal test constructors.
Adds delinea-secretserver-pam.Tests (net8.0) with 38 tests covering:
- Happy path for password, client_credentials, and windows grant types
- Missing required server and instance parameters
- Non-success HTTP responses from token and secret endpoints
- Empty/null token responses
- Field-not-found in secret response
- Token request body field name verification (Delinea API constraint:
  client_credentials still uses username/password key names)
- Windows auth correctly targets winauthwebservices endpoint and never
  calls the token endpoint
- All four PAM type Names are distinct

TestHttpMessageHandler fake allows request interception without network access.
integration-manifest.json: add Delinea-SecretServer-Password,
Delinea-SecretServer-ClientCredentials, and Delinea-SecretServer-Windows
PAM type blocks. Each exposes only the fields relevant to its auth flow,
removing the Command UI requirement to fill in irrelevant credentials.

manifest.json: add InitializationInfo example blocks for the three new
types alongside the existing Delinea-SecretServer block.

CHANGELOG.md and README.md updated to document all four types, including
recommended usage guidance and kfutil commands for the new variants.
…octool

- Add docsource/overview.md documenting all four PAM types
- Add per-type docsource files for Password, ClientCredentials, Windows variants
- Update docsource/delinea-secretserver.md for backwards-compat type
- Remove deprecated readme-src/ directory
- Regenerate README.md and docs/ via doctool (adam_dotNetVpython_Fixes branch)
Allows TLS certificate validation to be disabled via environment variable
in addition to the existing SkipTlsValidation configuration parameter.
Either setting is sufficient to disable validation; the env var does not
need to be set if the config parameter is already true.
…SKIP_TLS_VALIDATION env var

- SkipTlsValidation config param: verified succeeds when set to true
- KEYFACTOR_PAM_SKIP_TLS_VALIDATION env var: verified true and 1 both enable skip
- Env var set to false does not interfere when config param is also false
- client_credentials token body: asserts grant_type=password (Delinea API constraint)
- Integration-tested both TLS skip paths against live Secret Server instance
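Added illustration (not the project's code) of the two-source TLS skip these commits describe: the SkipTlsValidation configuration parameter or the KEYFACTOR_PAM_SKIP_TLS_VALIDATION environment variable set to true or 1 each disables certificate validation on its own, and a false environment value does not interfere with the parameter. Case-insensitive matching of "true" and the audit log line are assumptions.

```csharp
using System;
using System.Net.Http;

public static class TlsPolicy
{
    public const string EnvVar = "KEYFACTOR_PAM_SKIP_TLS_VALIDATION";

    // Only "true" and "1" enable the skip; unset, "false", "0" or anything else do not.
    // Case-insensitive comparison of "true" is an assumption, not stated by the commits.
    public static bool EnvVarEnablesSkip(string? raw)
    {
        if (raw is null) return false;
        var v = raw.Trim();
        return v == "1" || v.Equals("true", StringComparison.OrdinalIgnoreCase);
    }

    // Either source alone is sufficient; the env var is consulted only when the parameter is false.
    public static bool ShouldSkipValidation(bool skipTlsValidationParam, string? envValue) =>
        skipTlsValidationParam || EnvVarEnablesSkip(envValue);

    // Builds the handler used for Secret Server requests. When skipping, every server
    // certificate is accepted, so the decision and its source are written to the audit log
    // (assumed sink) so an operator can see from the log that validation is off.
    public static HttpClientHandler CreateHandler(bool skipTlsValidationParam, Action<string> auditLog)
    {
        var envValue = Environment.GetEnvironmentVariable(EnvVar);
        var handler = new HttpClientHandler();
        if (ShouldSkipValidation(skipTlsValidationParam, envValue))
        {
            var source = skipTlsValidationParam ? "SkipTlsValidation parameter" : $"{EnvVar}={envValue}";
            auditLog($"TLS certificate validation disabled for Secret Server requests (source: {source})");
            handler.ServerCertificateCustomValidationCallback =
                HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
        }
        return handler;
    }
}
```

Because the environment variable is process-wide, it switches off validation for every provider instance in that Command process, which is why the log line names the source of the decision.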
Keyfactor and others added 2 commits April 23, 2026 20:54
…t set

Adds IntegrationFactAttribute which sets Skip at attribute construction time
if any of the required SECRET_SERVER_* env vars are absent, producing a clean
skip rather than a failure in CI environments without live server access.
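Added illustration (not the project's attribute) of the skip-at-construction pattern the commit describes: a FactAttribute subclass sets Skip in its constructor when any required SECRET_SERVER_* variable is absent, so xUnit reports the test as skipped instead of failed. The specific variable names and the sample test are assumptions.

```csharp
using System;
using System.Linq;
using Xunit;

// xUnit marks a test as skipped when FactAttribute.Skip is non-null; setting it in the
// constructor means the decision is made at discovery time, before any test code runs.
public sealed class IntegrationFactAttribute : FactAttribute
{
    // Assumed variable names; the commit only says "SECRET_SERVER_*".
    private static readonly string[] RequiredEnvVars =
    {
        "SECRET_SERVER_URL",
        "SECRET_SERVER_USERNAME",
        "SECRET_SERVER_PASSWORD",
    };

    public static string[] MissingEnvVars() =>
        RequiredEnvVars
            .Where(v => string.IsNullOrWhiteSpace(Environment.GetEnvironmentVariable(v)))
            .ToArray();

    public IntegrationFactAttribute()
    {
        var missing = MissingEnvVars();
        if (missing.Length > 0)
            Skip = "Live Secret Server not configured; missing: " + string.Join(", ", missing);
    }
}

public class LiveSecretServerTests
{
    // Runs only when all three variables are set; otherwise the runner shows it as skipped.
    [IntegrationFact]
    public void Configured_server_url_is_https()
    {
        var url = Environment.GetEnvironmentVariable("SECRET_SERVER_URL");
        Assert.True(Uri.TryCreate(url, UriKind.Absolute, out var uri));
        Assert.Equal(Uri.UriSchemeHttps, uri!.Scheme);
    }
}
```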
@spbsoluble
Contributor Author

Superseded by #16 which targets release-1.3.

@spbsoluble spbsoluble closed this Apr 23, 2026