Venafi / vault-pki-monitor-venafi

Venafi PKI Monitoring Secrets Engine for HashiCorp Vault that enforces security policy and provides certificate visibility to the enterprise.
Mozilla Public License 2.0

Import queue does not react properly when token expires #58

Closed tr1ck3r closed 3 years ago

tr1ck3r commented 3 years ago

**PROBLEM SUMMARY**
Import queue does not react properly when token expires

**STEPS TO REPRODUCE**

1. In TPP, configure the Venafi Monitoring Secrets Engine for HashiCorp Vault API Application with a token expiration period of 90 seconds and grant a user access to use it and required folder permissions in the policy tree.
2. Configure the VEDWebSDK application pool in IIS to automatically recycle every 2 minutes.
3. Use VCert to get a new pair of tokens:
   ```sh
   vcert getcred -u "https://tpp.venafi.example" --username "vault_mon" --password "..." \
     --client-id "hashicorp-vault-monitor-by-venafi" --scope "certificate:manage,discover"
   ```
4. Start Vault with debug logging enabled and enable/mount the Venafi PKI monitor plugin.
5. Create a default Vault policy (set to auto refresh policy every 60 seconds), self-signed root CA certificate, and role:
   ```sh
   vault write pki-monitor/venafi-policy/default url="https://tpp.venafi.example" access_token="..." refresh_token="..." \
     trust_bundle_file="/opt/venafi/bundle.pem" zone="DevOps\\HashiCorp Vault\\Policy" \
     enforcement_roles="tls-server" defaults_roles="tls-server" import_roles="tls-server" auto_refresh_interval=60

   vault write pki-monitor/root/generate/internal ttl=8760h key_bits=2048 exclude_cn_from_sans=true \
     common_name="Vault Test Root CA" organization="Venafi Inc." locality="Salt Lake City" province="Utah" country="US"

   vault write pki-monitor/roles/test-role \
     allow_any_name=true generate_lease=true ttl=2160h max_ttl=2160h
   ```
6. Enroll certificates from Vault continuously for several minutes:
   ```sh
   vault write pki-monitor/issue/test-role common_name=test.venafi.example alt_names=test.venafi.example
   ```
7. Check the import queue:
   ```sh
   vault list pki-monitor/import-queue
   ```
8. Review the Vault server log.

**EXPECTED RESULTS**
Import queue is empty because all of the certificates issued by Vault were successfully imported

**ACTUAL RESULTS**
Events similar to the following were logged after the `access_token` expired:

```
2020-10-05T23:28:59.378Z [DEBUG] secrets.pki-monitor-venafi.pki-monitor-venafi_2494a885.pki-monitor-venafi.pki-monitor-venafi: Job id: 684 ### could not import certificate: vcert error: server error: server unavailable: temporary: unexpected response status 401: {"error":"expired_token","error_description":"Access token expire "}
```

Events similar to the following were logged after the venafi-policy was automatically refreshed and the `refresh_token` was used to get a new pair of tokens:

```
2020-10-05T23:44:59.724Z [DEBUG] secrets.pki-monitor-venafi.pki-monitor-venafi_2494a885.pki-monitor-venafi.pki-monitor-venafi: Job id: 1541 ### could not import certificate: vcert error: server error: server unavailable: temporary: unexpected response status 401: {"error":"session_error","error_description":"Token 'Ek5YWEnA1WlP7qDvlAHP4A==' not found"}
```

The import queue never drains.

**ENVIRONMENT DETAILS**
* HashiCorp Vault 1.5.4
* Venafi PKI Monitor v0.8.0
* Venafi Trust Protection Platform 20.3

**COMMENTS/WORKAROUNDS**
Seems that `path_import_queue.go` needs token refresh logic similar to `path_venafi_policy.go` or perhaps just enhance the import workers to trigger the venafi-policy refresh and re-read their Venafi credentials when they encounter errors indicating the token expired or is not found.
https://github.com/Venafi/vault-pki-monitor-venafi/blob/8e2810adfd707db10538d768989a2457f70c8f83/plugin/pki/path_venafi_policy.go#L562-L598
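One way to give the import workers the refresh-and-retry behaviour the comment above suggests, as an added Go example that is not the plugin's own code: `needsTokenRefresh` recognises the two 401 bodies seen in the log (`expired_token` and `session_error`) and `importWithRefresh` refreshes the token pair once and retries, while any other error is passed through unchanged. The `importer` struct and `credentials` type are hypothetical stand-ins for the plugin's vcert client and the stored venafi-policy credentials.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// tppError is the JSON body TPP attaches to the 401s in the log lines above.
type tppError struct{ Error string `json:"error"` }

// needsTokenRefresh is true for a 401 whose body reports "expired_token"
// (access token lapsed) or "session_error" (token no longer known to TPP).
func needsTokenRefresh(err error) bool {
	if err == nil {
		return false
	}
	_, body, ok := strings.Cut(err.Error(), "status 401: ")
	var te tppError
	if !ok || json.Unmarshal([]byte(body), &te) != nil {
		return false
	}
	return te.Error == "expired_token" || te.Error == "session_error"
}

// credentials is the token pair an import worker holds in memory.
type credentials struct{ AccessToken, RefreshToken string }

// importer is the minimal client surface the worker needs (hypothetical;
// in the plugin these would be backed by vcert calls).
type importer struct {
	Import  func(c credentials, certPEM string) error
	Refresh func(c credentials) (credentials, error)
}

// importWithRefresh imports once; on a token error it refreshes the pair and
// retries once. Other errors are returned unchanged so the job stays queued.
func importWithRefresh(cl importer, creds *credentials, certPEM string) error {
	err := cl.Import(*creds, certPEM)
	if !needsTokenRefresh(err) {
		return err
	}
	fresh, rerr := cl.Refresh(*creds)
	if rerr != nil {
		return fmt.Errorf("refresh after %v: %w", err, rerr)
	}
	*creds = fresh
	return cl.Import(*creds, certPEM)
}
```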