Format key in the same way as certificate

[samwmarsh]

Description

Currently only the certificate has a prefix and suffix added if it doesn’t exist. This is to bring the SAML key inline.

Motivation and Context

In #83 we’ve been having issues with SAML working when not using AAD as the identity provider. We’ve been able to get this working with values within the config.json, however we’re currently getting issues when passing in environment variables. We’re concerned that the \n in the key is causing it to be interpreted incorrectly when being passed as an env var in Helm/K8s so we’d like to add this to attempt to resolve this issue.

How Has This Been Tested?

Currently tested same logic already works for certificate. I’m unaware of the impacts, I’m new to golang and it’s quite confusing to attempt to follow so please test on my behalf!

Screenshots (if appropriate):

Types of changes

• Chore (a change that does not modify the application functionality)
• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• Documentation updates are needed, and have been made accordingly.
• I have added and/or updated tests to cover my changes.
• All new and existing tests passed.
• My changes include a database migration.

[github-actions]

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

[samwmarsh]

I have read the CLA Document and I hereby sign the CLA

[sircodemane]

Hi @samwmarsh. To help provide context to these changes, would you mind please editing the PR to describe the changes made and include links to an issue if it is related? Thank you for the contribution!

[samwmarsh]

@codydbentley updated! Let me know if you need anything else

[samwmarsh]

@codydbentley we've done some testing this morning and seen the following (which makes me sad and this PR invalid, but also raises a bug)

Test Case 1
Using the code in this PR for tls.go,
supply the SAML certificate without the BEGIN/END certificate values via the config.json file
supply the SAML key without the BEGIN/END private key values via the config.json file
error message "[panic recovery] runtime error: invalid memory address or nil pointer dereference"

Test Case 2
Using the code in the main branch for tls.go
supply the SAML certificate without BEGIN/END certificate values via the config.json file
supply the SAML key with the BEGIN/END private key values via the config.json file
SAML works

Test Case 3
Using the code in the main branch for tls.go
supply the SAML certificate without BEGIN/END certificate values via environment variable bhe_saml_sp_cert
supply the SAML key with the BEGIN/END private key values via environment variable bhe_saml_sp_key
error message "[panic recovery] runtime error: invalid memory address or nil pointer dereference"

Test cases 2 and 3 were where we were before raising this PR, with the idea that the \n character in the BEGIN PRIVATE KEY and END PRIVATE KEY lines were causing this error, however as proven with test case 1, this is not the case. In fact, the kernel panic happens in both cases 1 and 3.

As a note, this [panic recovery] references

BloodHound/packages/go/crypto/tls.go

Line 40 in 00668cc

func tryParsePrivateKey(key string) (*rsa.PrivateKey, error) {

To generate key/certificate we're just simply doing

openssl genpkey -algorithm RSA -out key.pem
openssl req -new -key -key.pem -out csr.csr
openssl x509 -req -days 365 -in csr.csr -signkey key.pem -out cert.crt

And using cert.crt as the certificate, key.pem as the key. This is confirmed working as described in Test Case 2.

[StephenHinck]

@samwmarsh - we have some work upcoming in this area that will allow us to review and get this across the line properly. Our apologies for the delay in merging!

[urangel]

@samwmarsh Apologies for the slow review and thank you for your patience. I noticed there are new suggestions mentioned in #83, have you tried them out by chance? Specifically, this comment: #83 (comment).

The code changes in this pull request are well contained and clear though it looks like the newly added formattedKey variable is not being used anywhere so the formatting changes have no effect in the logic.

Let us know if you try the suggestions mentioned here #83 (comment) and if it works or not for you. Thank you!

[samwmarsh]

Hi @urangel,
I think we ended up injecting these as k8s secrets into the json file directly in the end. I'm not sure what state it is in now, just that the previous test steps in #175 (comment) were the state at the time.

Thanks,
Sam

[byt3n33dl3]

Just want to see the runway -->