Beispiel #1
0
        public KuduFileSystemAuthorizationChallengeProvider(IAzureWebAppEnvironment azureEnvironment, IAuthorizationChallengeProviderConfig config)
        {
            this.config = config;

            this.azureEnvironment = azureEnvironment;
            this.pathProvider     = new PathProvider(azureEnvironment);
        }
Beispiel #2
0
        public static async Task <IReadOnlyList <string> > GetLetsEncryptHostNames(IAzureWebAppEnvironment webAppEnvironment, bool staging)
        {
            Site site;

            using (var client = await ArmHelper.GetWebSiteManagementClient(webAppEnvironment))
            {
                Trace.TraceInformation(
                    "Getting Web App '{0}' (slot '{1}') from resource group '{2}'",
                    webAppEnvironment.WebAppName,
                    webAppEnvironment.SiteSlotName,
                    webAppEnvironment.ResourceGroupName);

                site = client.WebApps.GetSiteOrSlot(webAppEnvironment.ResourceGroupName, webAppEnvironment.WebAppName, webAppEnvironment.SiteSlotName);
            }

            using (var httpClient = await ArmHelper.GetHttpClient(webAppEnvironment))
            {
                var certRequestUri = $"/subscriptions/{webAppEnvironment.SubscriptionId}/providers/Microsoft.Web/certificates?api-version=2016-03-01";
                Trace.TraceInformation("GET {0}", certRequestUri);
                var response = await ArmHelper.ExponentialBackoff().ExecuteAsync(async() => await httpClient.GetAsync(certRequestUri));

                Trace.TraceInformation("Reading ARM certificate query response");
                var body = await response.EnsureSuccessStatusCode().Content.ReadAsStringAsync();

                var letsEncryptCerts = ExtractCertificates(body).Where(s => s.Issuer.Contains(staging ? "Fake LE" : "Let's Encrypt"));

                var leCertThumbprints = new HashSet <string>(letsEncryptCerts.Select(c => c.Thumbprint));
                return(site.HostNameSslStates.Where(ssl => leCertThumbprints.Contains(ssl.Thumbprint)).Select(ssl => ssl.Name).ToArray());
            }
        }
Beispiel #3
0
 public CertificateManager(IAzureWebAppEnvironment settings, IAcmeConfig acmeConfig, ICertificateService certificateService, IAuthorizationChallengeProvider challengeProvider)
 {
     this.settings           = settings;
     this.certificateService = certificateService;
     this.acmeConfig         = acmeConfig;
     this.challengeProvider  = challengeProvider;
 }
Beispiel #4
0
        public KuduFileSystemAuthorizationChallengeProvider(IAzureWebAppEnvironment azureEnvironment, IAuthorizationChallengeProviderConfig config)
        {
            this.config = config;
            var website = ArmHelper.GetWebSiteManagementClient(azureEnvironment);

            this.kuduClient = KuduHelper.GetKuduClient(website, azureEnvironment);
        }
Beispiel #5
0
        public static WebSiteManagementClient GetWebSiteManagementClient(IAzureWebAppEnvironment model)
        {
            AuthenticationResult token = GetToken(model);
            var creds = new TokenCredentials(token.AccessToken);

            var websiteClient = new WebSiteManagementClient(model.ManagementEndpoint, creds);

            websiteClient.SubscriptionId = model.SubscriptionId.ToString();
            return(websiteClient);
        }
Beispiel #6
0
 public KuduRestClient(IAzureWebAppEnvironment azureEnvironment, string publishingUserName, string publishingPassword)
 {
     this.webAppName         = string.IsNullOrEmpty(azureEnvironment.SiteSlotName) ? azureEnvironment.WebAppName : azureEnvironment.WebAppName + "-" + azureEnvironment.SiteSlotName;
     this.publishingUserName = publishingUserName;
     this.publishingPassword = publishingPassword;
     this.baseUri            = $"https://{this.webAppName}.scm.{azureEnvironment.AzureWebSitesDefaultDomainName}";
     this.client             = new HttpClient();
     client.BaseAddress      = new System.Uri(baseUri);
     client.DefaultRequestHeaders.TryAddWithoutValidation("Authorization", CreateToken());
 }
Beispiel #7
0
        public static HttpClient GetHttpClient(IAzureWebAppEnvironment model)
        {
            AuthenticationResult token = GetToken(model);

            var client = new HttpClient();

            client.DefaultRequestHeaders.Add("Authorization", "Bearer " + token.AccessToken);
            client.BaseAddress = model.ManagementEndpoint;

            return(client);
        }
Beispiel #8
0
        public static async Task <HttpClient> GetHttpClient(IAzureWebAppEnvironment model)
        {
            AuthenticationResult token = await GetToken(model);

            var client = HttpClientFactory.Create(new HttpClientHandler(), new TimeoutHandler());

            client.DefaultRequestHeaders.Add("Authorization", "Bearer " + token.AccessToken);
            client.BaseAddress = model.ManagementEndpoint;

            return(client);
        }
Beispiel #9
0
 /// <summary>
 /// For backwards compatability
 /// </summary>
 /// <param name="config"></param>
 public CertificateManager(AppSettingsAuthConfig config)
 {
     this.settings          = config;
     this.acmeConfig        = config;
     this.challengeProvider = new KuduFileSystemAuthorizationChallengeProvider(this.settings, new AuthorizationChallengeProviderConfig()
     {
         DisableWebConfigUpdate = config.DisableWebConfigUpdate
     });
     this.certificateService = new WebAppCertificateService(this.settings, new CertificateServiceSettings()
     {
         UseIPBasedSSL = config.UseIPBasedSSL
     });
 }
Beispiel #10
0
        /// <summary>
        /// For backwards compatability
        /// </summary>
        /// <param name="config"></param>
        public CertificateManager(AppSettingsAuthConfig config)
        {
            this.settings   = config;
            this.acmeConfig = config;
            string storageAccount = AuthorizationChallengeBlobStorageAccount();

            if (string.IsNullOrEmpty(storageAccount))
            {
                this.challengeProvider = new KuduFileSystemAuthorizationChallengeProvider(this.settings, new AuthorizationChallengeProviderConfig()
                {
                    DisableWebConfigUpdate = config.DisableWebConfigUpdate
                });
            }
            else
            {
                this.challengeProvider = NewBlobStorageAuthorizationChallengeProvider();
            }
            this.certificateService = new WebAppCertificateService(this.settings, new CertificateServiceSettings()
            {
                UseIPBasedSSL = config.UseIPBasedSSL
            });
        }
Beispiel #11
0
        public static KuduRestClient GetKuduClient(this WebSiteManagementClient client, IAzureWebAppEnvironment settings)
        {
            var user = client.WebApps.GetPublsihingCredentialSiteOrSlot(settings.ResourceGroupName, settings.WebAppName, settings.SiteSlotName);

            return(new KuduRestClient(settings, user.PublishingUserName, user.PublishingPassword));
        }
Beispiel #12
0
 /// <summary>
 /// Returns a <see cref="CertificateManager"/> configured to use HTTP Challenge, placing the challenge file on Azure Web App
 /// using Kudu, and assigning the obtained certificate directly to the web app service.
 /// </summary>
 /// <param name="settings"></param>
 /// <param name="acmeConfig"></param>
 /// <param name="certSettings"></param>
 /// <param name="authProviderConfig"></param>
 /// <returns></returns>
 public static CertificateManager CreateKuduWebAppCertificateManager(IAzureWebAppEnvironment settings, IAcmeConfig acmeConfig, IWebAppCertificateSettings certSettings, IAuthorizationChallengeProviderConfig authProviderConfig)
 {
     return(new CertificateManager(settings, acmeConfig, new WebAppCertificateService(settings, certSettings), new KuduFileSystemAuthorizationChallengeProvider(settings, authProviderConfig)));
 }
Beispiel #13
0
 /// <summary>
 /// Returns a <see cref="CertificateManager"/> configured to use HTTP Challenge, placing the challenge file on Azure Blob Storage,
 /// and assigning the obtained certificate directly to the web app service.
 /// </summary>
 /// <param name="settings"></param>
 /// <param name="acmeConfig"></param>
 /// <param name="certSettings"></param>
 /// <returns></returns>
 public static CertificateManager CreateBlobWebAppCertificateManager(IAzureWebAppEnvironment settings, IAcmeConfig acmeConfig, IWebAppCertificateSettings certSettings)
 {
     return(new CertificateManager(settings, acmeConfig, new WebAppCertificateService(settings, certSettings), NewBlobStorageAuthorizationChallengeProvider()));
 }
Beispiel #14
0
        public static async Task<IReadOnlyList<string>> GetNonExpiringLetsEncryptHostNames(IAzureWebAppEnvironment webAppEnvironment, bool staging, int renewXNumberOfDaysBeforeExpiration)
        {
            Site site;
            using (var client = await ArmHelper.GetWebSiteManagementClient(webAppEnvironment).ConfigureAwait(false))
            {
                var webAppName = webAppEnvironment.WebAppName;
                var resourceGroupName = webAppEnvironment.ResourceGroupName;
                var siteSlotName = webAppEnvironment.SiteSlotName;
                Trace.TraceInformation(
                    "Getting Web App '{0}' (slot '{1}') from resource group '{2}'",
                    webAppName,
                    siteSlotName,
                    resourceGroupName);

                site = client.WebApps.GetSiteOrSlot(resourceGroupName, webAppName, siteSlotName);
                if (site == null)
                {
                    throw new InvalidOperationException(
                        $"Could not find web app '{webAppName}' (slot '{siteSlotName}') under Resource Groups '{resourceGroupName}'");
                }
            }

            using (var httpClient = await ArmHelper.GetHttpClient(webAppEnvironment).ConfigureAwait(false))
            {
                var certRequestUri = $"/subscriptions/{webAppEnvironment.SubscriptionId}/providers/Microsoft.Web/certificates?api-version=2016-03-01";
                Trace.TraceInformation("GET {0}", certRequestUri);
                var response = await ArmHelper.ExponentialBackoff().ExecuteAsync(() => httpClient.GetAsync(new Uri(certRequestUri, UriKind.Relative))).ConfigureAwait(false);

                Trace.TraceInformation("Reading ARM certificate query response");
                var body = await response.EnsureSuccessStatusCode().Content.ReadAsStringAsync().ConfigureAwait(false);

                var letsEncryptIssuerNames = staging ? s_letsEncrypStagingtIssuerNames : s_letsEncryptIssuerNames;

                var letsEncryptNonExpiringCerts = ExtractCertificates(body).Where(cert =>
                    letsEncryptIssuerNames.Contains(cert.Issuer) &&
                    cert.ExpirationDate > DateTime.UtcNow.AddDays(renewXNumberOfDaysBeforeExpiration));

                var letsEncryptNonExpiringThumbprints = new HashSet<string>(letsEncryptNonExpiringCerts.Select(c => c.Thumbprint));
                return site.HostNameSslStates.Where(ssl => letsEncryptNonExpiringThumbprints.Contains(ssl.Thumbprint)).Select(ssl => ssl.Name).ToArray();
            }
        }
Beispiel #15
0
        public static async Task <WebSiteManagementClient> GetWebSiteManagementClient(IAzureWebAppEnvironment model)
        {
            AuthenticationResult token = await GetToken(model);

            var creds = new TokenCredentials(token.AccessToken);

            var websiteClient = new WebSiteManagementClient(model.ManagementEndpoint, creds, new TraceLoggingHandler());

            websiteClient.SubscriptionId = model.SubscriptionId.ToString();
            return(websiteClient);
        }
Beispiel #16
0
 public WebAppCertificateService(IAzureWebAppEnvironment azureEnvironment, IWebAppCertificateSettings settings)
 {
     this.azureEnvironment = azureEnvironment;
     this.settings         = settings;
 }
Beispiel #17
0
 public LocalFileSystemAuthorizationChallengeProvider(IAzureWebAppEnvironment azureEnvironment, IAuthorizationChallengeProviderConfig config)
 {
     this.azureEnvironment = azureEnvironment;
     this.config           = config;
 }
Beispiel #18
0
 /// <summary>
 /// TODO; should also work for APP service environment, which uses a different format for scm site uri https://blogs.msdn.microsoft.com/benjaminperkins/2017/11/08/how-to-access-kudu-scm-for-an-azure-app-service-environment-ase/
 /// </summary>
 /// <param name="defaultHostName"></param>
 /// <param name="settings"></param>
 /// <returns></returns>
 public static Uri MakeScmUri(string defaultHostName, IAzureWebAppEnvironment settings)
 {
     var i = defaultHostName.IndexOf("." + settings.AzureWebSitesDefaultDomainName);
     return new Uri($"https://{defaultHostName.Insert(i, ".scm")}");
 }
Beispiel #19
0
 /// <summary>
 /// Returns a <see cref="CertificateManager"/> configured to use DNS Challenge, placing the challenge record in Azure DNS,
 /// and assigning the obtained certificate directly to the web app service.
 /// </summary>
 /// <param name="settings"></param>
 /// <param name="acmeConfig"></param>
 /// <param name="certSettings"></param>
 /// <param name="dnsEnvironment"></param>
 /// <returns></returns>
 public static CertificateManager CreateAzureDnsWebAppCertificateManager(IAzureWebAppEnvironment settings, IAcmeConfig acmeConfig, IWebAppCertificateSettings certSettings, IAzureDnsEnvironment dnsEnvironment)
 {
     return(new CertificateManager(settings, acmeConfig, new WebAppCertificateService(settings, certSettings), new AzureDnsAuthorizationChallengeProvider(dnsEnvironment)));
 }
Beispiel #20
0
 public PathProvider(IAzureWebAppEnvironment azureEnvironment)
 {
     this.azureEnvironment = azureEnvironment;
 }
Beispiel #21
0
        public static KuduRestClient GetKuduClient(this WebSiteManagementClient client, IAzureWebAppEnvironment settings)
        {
            var user = client.WebApps.GetPublsihingCredentialSiteOrSlot(settings.ResourceGroupName, settings.WebAppName, settings.SiteSlotName);
            var site = client.WebApps.GetSiteOrSlot(settings.ResourceGroupName, settings.WebAppName, settings.SiteSlotName);
            var defaultHostName = site.DefaultHostName;

            return new KuduRestClient(MakeScmUri(defaultHostName,settings), user.PublishingUserName, user.PublishingPassword);
        }