Add NGTS (Strata Cloud Manager) support - VC-54745#198
TomaszSwierszczCA wants to merge 2 commits into
Add NGTSConnection for Palo Alto Networks Next-Gen Trust Security, a VaaS-derived backend that reuses CloudConnection's outagedetection/v1 REST endpoints but differs in authentication and zone format:
- Auth: Strata Cloud Manager OAuth2 client-credentials via a service account (client_id/client_secret/tsg_id), sent as a Bearer token and auto-refreshed ahead of the ~15-min expiry, instead of the api-key header.
- Zone: a Certificate Issuing Template alias only (no Application\CIT split); requests omit applicationId.
- Base and token URLs are environment-specific and must be supplied (no hardcoded default).
Wire NGTSConnection into venafi_connection (auto-detected from token_url + client_id + client_secret, or platform=VenafiPlatform.NGTS) and add the VenafiPlatform.NGTS enum and NGTS fields on Authentication.
Add a usage example, live tests (tests/test_ngts.py, gated on NGTS_* env vars) and offline unit tests, and ignore generated cert material.
stkomitov
left a comment
It is good to have a README doc similar to the one we have in vcert Go https://github.com/Venafi/vcert/blob/master/README-CLI-NGTS.md
| # path, so neither can be hardcoded - both must be supplied by the caller. | ||
| if not url: | ||
| raise ClientBadData("NGTS requires the API base URL (it differs per environment)") | ||
| if not access_token and not token_url: |
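Review bot: the comment on the line above states that the base URL and token URL "both must be supplied by the caller", but the check `if not access_token and not token_url:` only requires token_url when no access_token is given, so the comment overstates the requirement. Either reword the comment to say token_url is required only when no pre-issued access token is passed, or tighten the check to match the comment.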
Let's make the token_url optional, and if it is not provided use the default token URL specified in the Palo docs: https://auth.apps.paloaltonetworks.com/auth/v1/oauth2/access_token
source: https://pan.dev/sase/api/auth/post-auth-v-1-oauth-2-access-token/
Note: This is not implemented in vcert go, but it will be later.
| http_request_kwargs=None): | ||
| # The NGTS API base URL and token URL both differ per environment (dev/prod), including the | ||
| # path, so neither can be hardcoded - both must be supplied by the caller. | ||
| if not url: |
Let's make the url optional, similar to the vcert Go implementation: if no value is provided we can use the default one: https://api.sase.paloaltonetworks.com/ngts
Done. Updated to new API url.
… sink Make url and token_url optional (default to Palo Alto production), so NGTS works with service-account credentials alone. Since token_url is where credentials are exchanged, add safeguards: force HTTPS, warn on default fallback, and warn when the host is outside .paloaltonetworks.com. Also anchor scope validation, simplify NGTS auto-detection (client_id + client_secret), and add README-NGTS.md.
Readme file added.
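The token_url safeguards and the refresh-ahead-of-expiry behaviour described in the commit message above, as an added illustration that is not vcert's own code: the `resolve_token_url`, `token_request_body` and `BearerToken` names, the 60-second refresh margin, and the assumption that the token endpoint reports its lifetime in seconds are all hypothetical.

```python
# Added illustration, not vcert's own code: the NGTS safeguards this PR describes
# (https-only token_url, warning on default fallback and on hosts outside
# .paloaltonetworks.com, anchored tsg_id scope check, refresh before expiry).
import re
import time
import warnings
from urllib.parse import urlparse

DEFAULT_TOKEN_URL = "https://auth.apps.paloaltonetworks.com/auth/v1/oauth2/access_token"
TRUSTED_DOMAIN = "paloaltonetworks.com"
REFRESH_MARGIN_S = 60  # assumed: re-fetch this many seconds before the ~15-min expiry
SCOPE_RE = re.compile(r"tsg_id:\d{10}")  # used with fullmatch, so it is anchored

def resolve_token_url(token_url=None, warn=warnings.warn):
    """Return the URL credentials are exchanged at, applying the PR's safeguards."""
    if not token_url:
        warn("NGTS token_url not set, falling back to " + DEFAULT_TOKEN_URL)
        token_url = DEFAULT_TOKEN_URL
    parsed = urlparse(token_url)
    if parsed.scheme != "https":  # the client secret travels in this request: block
        raise ValueError("NGTS token_url must use https: " + token_url)
    host = (parsed.hostname or "").lower()
    if host != TRUSTED_DOMAIN and not host.endswith("." + TRUSTED_DOMAIN):
        warn("NGTS token_url host %r is outside .%s" % (host, TRUSTED_DOMAIN))  # warn only
    return token_url

def token_request_body(tsg_id):
    """Form fields for the client-credentials grant (client_id/secret go in Basic auth)."""
    scope = "tsg_id:%s" % tsg_id
    if not SCOPE_RE.fullmatch(scope):  # fullmatch: 'tsg_id:1234567890 extra' is rejected
        raise ValueError("invalid NGTS scope: " + scope)
    return {"grant_type": "client_credentials", "scope": scope}

class BearerToken:
    """Cache an OAuth2 access token and re-fetch it shortly before it expires."""
    def __init__(self, fetch, now=time.time):
        self._fetch = fetch  # callable returning (access_token, expires_in_seconds)
        self._now = now
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token is None or self._now() >= self._expires_at - REFRESH_MARGIN_S:
            self._token, expires_in = self._fetch()
            self._expires_at = self._now() + expires_in
        return self._token

    def auth_header(self):
        return {"Authorization": "Bearer " + self.get()}
```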
Add NGTSConnection for Palo Alto Networks Next-Gen Trust Security, a VaaS-derived backend that reuses CloudConnection's outagedetection/v1 REST endpoints but differs in authentication and zone format:
api.strata.paloaltonetworks.com/ngts, auth.apps.paloaltonetworks.com/...); only non-production environments need to supply them. Defaulting the token URL is a deliberate divergence from Go (which still requires it).
.paloaltonetworks.com. Both warnings warn rather than block.
tsg_id:<10-digit TSG ID>.
Wire NGTSConnection into venafi_connection (auto-detected from token_url + client_id + client_secret, or platform=VenafiPlatform.NGTS) and add the VenafiPlatform.NGTS enum and NGTS fields on Authentication.
Add a usage example, live tests (tests/test_ngts.py, gated on NGTS_* env vars) and offline unit tests, and ignore generated cert material.