@@ -110,12 +110,34 @@ var migrateCheckCmd = &cobra.Command{
110110 // get properties field, as this will contain the Secret GUID for one of our active Instances if the PAM provider is in use
111111 storeProperties := store .PropertiesString
112112
113+ // need to specifically query each store to get set Password details
114+ queryStore , err := legacyClient .GetCertificateStoreByID (store .Id )
115+
116+ if err != nil {
117+ log .Error ().Err (err ).Send ()
118+ return err
119+ }
120+
121+ storePasswordSettings := queryStore .Password
122+
113123 // loop through all found Instance GUIDs of the PAM Provider
114124 // if the GUID is present in the Properties field, add this Store ID to the list to return
115125 for instanceGuid , _ := range activePamSecretGuids {
116126 if strings .Contains (storeProperties , instanceGuid ) {
127+ if debugFlag {
128+ fmt .Println ("Found PAM usage in Properties for Store Id: " , store .Id )
129+ }
117130 certStoreGuids [store .Id ] = true
118131 }
132+
133+ if storePasswordSettings .IsManaged {
134+ if * storePasswordSettings .InstanceGuid == instanceGuid {
135+ if debugFlag {
136+ fmt .Println ("Found PAM usage in Store Password for Store Id: " , store .Id )
137+ }
138+ certStoreGuids [store .Id ] = true
139+ }
140+ }
119141 }
120142 }
121143
@@ -356,6 +378,38 @@ var migratePamCmd = &cobra.Command{
356378 fmt .Println ("^^^ SECRETS REFORMATTED ^^^" )
357379 }
358380
381+ // check Store Password for PAM field, and process migration if applicable
382+ var storePassword * api.UpdateStorePasswordConfig
383+ if certStore .Password .IsManaged { // managed secret, i.e. PAM Provider in use
384+
385+ // check if Pam Secret is using our migrating provider
386+ fmt .Println (* fromPamProvider .Id , " <= from id equals store password id => " , int32 (certStore .Password .ProviderId ))
387+ fmt .Println (* fromPamProvider .Id == int32 (certStore .Password .ProviderId ))
388+ if * fromPamProvider .Id == int32 (certStore .Password .ProviderId ) {
389+ // Pam Secret that Needs to be migrated
390+ var storePasswordInterface map [string ]interface {}
391+ // marshal and unmarshal strongly typed store password to match
392+ // expected map[string]interface{} typing for helper function
393+ storePasswordJson , _ := json .Marshal (certStore .Password )
394+ json .Unmarshal (storePasswordJson , & storePasswordInterface )
395+
396+ // migrate secret using helper function
397+ var updateStorePasswordInterface map [string ]interface {}
398+ updateStorePasswordInterface = buildMigratedPamSecret (storePasswordInterface , fromProviderLevelParamValues , * migrationTargetPamProvider .Id )
399+
400+ // finally, transform the migrated secret back to the strongly typed input for API client
401+ updateStorePasswordJson , _ := json .Marshal (updateStorePasswordInterface )
402+ json .Unmarshal (updateStorePasswordJson , & storePassword )
403+ } else {
404+ // leave Store Password untouched: set to null
405+ storePassword = nil
406+ }
407+ } else {
408+ // non-managed secret i.e. a KF-encrypted secret, or no value
409+ // instead of reformatting, send null to effect no change
410+ storePassword = nil
411+ }
412+
359413 // update property object
360414 // set required fields, and new Properties
361415 updateStoreArgs := api.UpdateStoreFctArgs {
@@ -364,9 +418,28 @@ var migratePamCmd = &cobra.Command{
364418 StorePath : certStore .StorePath ,
365419 AgentId : certStore .AgentId ,
366420 Properties : certStore .Properties ,
367- Password : & certStore .Password ,
421+ Password : storePassword ,
422+ // the password should be set to null (omitted) when it is not meant to be updated
423+ // however it will need to be migrated if it is a matching PAM secret
424+ // check formatting to see if it's a PAM secret
425+ // then update to new provider format if it matches
426+ // otherwise omit / set to null
427+
428+ // password PAM format:
429+ // { Provider: integer id,
430+ // Parameters: { paramname:value
431+ // Safe: safe,
432+ // Folder: folder,
433+ // Object: object }}
434+ InventorySchedule : & certStore .InventorySchedule ,
435+ CertStoreInventoryJobId : & certStore .CertStoreInventoryJobId ,
368436 }
369437
438+ fmt .Println ("vvv REQUESTED UPDATE TO STORE vvv" )
439+ jobject , _ := json .MarshalIndent (updateStoreArgs , "" , " " )
440+ fmt .Println (string (jobject ))
441+ fmt .Println ("^^^ REQUESTED UPDATE TO STORE ^^^" )
442+
370443 // TODO: use updated client when API endpoint available
371444 updatedStore , rErr := legacyClient .UpdateStore (& updateStoreArgs )
372445
@@ -376,7 +449,7 @@ var migratePamCmd = &cobra.Command{
376449 }
377450
378451 fmt .Println ("vvv UPDATED STORE vvv" )
379- jobject , _ : =json .MarshalIndent (updatedStore , "" , " " )
452+ jobject , _ = json .MarshalIndent (updatedStore , "" , " " )
380453 fmt .Println (string (jobject ))
381454 fmt .Println ("^^^ UPDATED STORE ^^^" )
382455
0 commit comments