Beispiel #1
0
        public static async Task Main()
        {
            InteractiveBrowserCredential credential;

            if (!File.Exists(AUTH_RECORD_PATH))
            {
                credential = new InteractiveBrowserCredential(
                    new InteractiveBrowserCredentialOptions {
                    TokenCache = new PersistentTokenCache()
                });

                AuthenticationRecord authRecord = await credential.AuthenticateAsync();

                using (var authRecordStream = new FileStream(AUTH_RECORD_PATH, FileMode.Create, FileAccess.Write))
                {
                    await authRecord.SerializeAsync(authRecordStream);
                }
            }
            else
            {
                AuthenticationRecord authRecord;

                using (var authRecordStream = new FileStream(AUTH_RECORD_PATH, FileMode.Open, FileAccess.Read))
                {
                    authRecord = await AuthenticationRecord.DeserializeAsync(authRecordStream);
                }

                credential = new InteractiveBrowserCredential(
                    new InteractiveBrowserCredentialOptions {
                    TokenCache           = new PersistentTokenCache(),
                    AuthenticationRecord = authRecord
                });
            }

            var client = new SecretClient(new Uri("https://myvault.azure.vaults.net/"), credential);
        }
Beispiel #2
0
        public static Func <string, string> Create(IConfiguration bootstrapConfiguration)
        {
            TelemetryClient telemetry   = ConfigMapper.GetTelemetryClient(bootstrapConfiguration);
            string          keyVaultUri = bootstrapConfiguration[ConfigurationConstants.KeyVaultUriConfigurationKey];
            var             credentials = ServiceConfigurationExtensions.GetAzureTokenCredential(bootstrapConfiguration);
            var             client      = new SecretClient(new Uri(keyVaultUri), credentials);

            void TrackEvent(string key, Exception?error)
            {
                telemetry.TrackEvent("KeyVaultSecretAccess", new Dictionary <string, string>
                {
                    ["secretKey"]   = key,
                    ["keyVaultUri"] = keyVaultUri,
                    ["success"]     = error == null ? "true" : "false",
                });
                if (error != null)
                {
                    telemetry.TrackException(error);
                }
            }

            return(RegexConfigMapper.Create(VaultReferenceRegex, key =>
            {
                try
                {
                    var value = client.GetSecret(key).Value.Value;
                    TrackEvent(key, null);
                    return value;
                }
                catch (RequestFailedException ex)
                {
                    TrackEvent(key, ex);
                    return "";
                }
            }));
        }
Beispiel #3
0
        // using System.Linq;
        // using System.Security.Cryptography.X509Certificates;
        // using Azure.Extensions.AspNetCore.Configuration.Secrets;
        // using Azure.Identity;

        public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
        .ConfigureAppConfiguration((context, config) =>
        {
            var builtConfig = config.Build();
            if (Convert.ToBoolean(builtConfig["IsServiceSecretFromKeyVault"]))
            {
                if (!context.HostingEnvironment.IsProduction())
                {
                    using (var store = new X509Store(StoreLocation.CurrentUser))
                    {
                        store.Open(OpenFlags.ReadOnly);
                        var certs = store.Certificates
                                    .Find(X509FindType.FindByThumbprint,
                                          builtConfig["AzureADCertThumbprint"], false);

                        config.AddAzureKeyVault(new Uri($"https://{builtConfig["KeyVaultName"]}.vault.azure.net/"),
                                                new ClientCertificateCredential(builtConfig["AzureADDirectoryId"], builtConfig["AzureADApplicationId"], certs.OfType <X509Certificate2>().Single()),
                                                new KeyVaultSecretManager());


                        store.Close();
                    }
                }
                else
                {
                    var secretClient = new SecretClient(new Uri($"https://{builtConfig["KeyVaultName"]}.vault.azure.net/"),
                                                        new DefaultAzureCredential());
                    config.AddAzureKeyVault(secretClient, new KeyVaultSecretManager());
                }
            }
        })
        .ConfigureWebHostDefaults(webBuilder =>
        {
            webBuilder.UseStartup <Startup>();
        });
Beispiel #4
0
        public async Task OnGetAsync()
        {
            SecretValue = "Secret value is currently empty";

            // Get the secret from the preloaded config settings
            ConfigSetting = configuration["SomeConfigValueFromKV"];
            try
            {
                // grab the KeyVault Secret value on demand
                var keyVaultClient = new SecretClient(
                    vaultUri: new Uri("https://cm-identity-kv.vault.azure.net"),
                    credential: new ChainedTokenCredential(
                        new AzureCliCredential(),
                        new ManagedIdentityCredential()));
                var secretOperation = await keyVaultClient.GetSecretAsync("KVSercret");

                var secret = secretOperation.Value;
                SecretValue = secret.Value;
            }
            catch (Exception keyVaultException)
            {
                SecretValue = keyVaultException.Message;
            }
        }
Beispiel #5
0
        public async Task AsyncPageableLoop()
        {
            // create a client
            var client = new SecretClient(new Uri("http://example.com"), new DefaultAzureCredential());

            #region Snippet:AsyncPageableLoop
            // call a service method, which returns AsyncPageable<T>
            AsyncPageable <SecretProperties> allSecretProperties = client.GetPropertiesOfSecretsAsync();

            IAsyncEnumerator <SecretProperties> enumerator = allSecretProperties.GetAsyncEnumerator();
            try
            {
                while (await enumerator.MoveNextAsync())
                {
                    SecretProperties secretProperties = enumerator.Current;
                    Console.WriteLine(secretProperties.Name);
                }
            }
            finally
            {
                await enumerator.DisposeAsync();
            }
            #endregion
        }
Beispiel #6
0
        public async Task ResolveSecretId()
        {
            SecretClient secretClient = GetSecretClient();

            // using Random to create a key so it is consistent for the recording. IRL this would be
            // a major security no no.  We would need to use AES.Create or RNGCryptoServiceProvider
            byte[] key = new byte[32];

            Recording.Random.NextBytes(key);

            Secret secret = new Secret(Recording.GenerateId(), Base64Url.Encode(key))
            {
                Properties =
                {
                    ContentType = "application/octet-stream"
                }
            };

            secret = await secretClient.SetSecretAsync(secret);

            CryptographyClient cryptoClient = await Resolver.ResolveAsync(secret.Id);

            cryptoClient = InstrumentClient(cryptoClient);

            Assert.IsNotNull(cryptoClient);

            byte[] toWrap = new byte[32];

            Recording.Random.NextBytes(toWrap);

            WrapResult wrapResult = await cryptoClient.WrapKeyAsync(KeyWrapAlgorithm.A256KW, toWrap);

            UnwrapResult unwrapResult = await cryptoClient.UnwrapKeyAsync(KeyWrapAlgorithm.A256KW, wrapResult.EncryptedKey);

            CollectionAssert.AreEqual(toWrap, unwrapResult.Key);
        }
Beispiel #7
0
        public async Task <ActionResult <string> > AKV()
        {
            SecretClientOptions options = new SecretClientOptions()
            {
                Retry =
                {
                    Delay      = TimeSpan.FromSeconds(2),
                    MaxDelay   = TimeSpan.FromSeconds(16),
                    MaxRetries =                        5,
                    Mode       = RetryMode.Exponential
                }
            };


            var defaultAzureCredential = new DefaultAzureCredential();
            var client = new SecretClient(new Uri("https://itan-kv-secrets.vault.azure.net"), defaultAzureCredential);

            // await client.SetSecretAsync("code-secret", "42");
            KeyVaultSecret secret = await client.GetSecretAsync("itan-test-secret");

            string secretValue = secret.Value;

            return(secretValue);
        }
Beispiel #8
0
        static void Main(string[] args)
        {
            //get config settings
            string keyVaultName = ConfigurationManager.AppSettings.Get("KEY_VAULT_NAME");
            string tenId        = ConfigurationManager.AppSettings.Get("TENANT_ID");
            string spId         = ConfigurationManager.AppSettings.Get("SERVICE_PRINCIPAL_CLIENT_ID");
            string spSec        = ConfigurationManager.AppSettings.Get("SERVICE_PRINCIPAL_SECRET");
            string container    = ConfigurationManager.AppSettings.Get("CONTAINER_NAME");

            //setup vault uri
            string kvUri = "https://" + keyVaultName + ".vault.azure.net";

            //get access token for vault access
            var credential = new ClientSecretCredential(tenId, spId, spSec);

            //instantiate vault client using access token
            var client = new SecretClient(new Uri(kvUri), credential);

            //retrieve connection string for storage from vault
            KeyVaultSecret secret = client.GetSecret("DemoStoreConnectionString");
            string         storageConnectionString = secret.Value;

            //create a BlobServiceClient object for container reference
            BlobServiceClient blobServiceClient = new BlobServiceClient(storageConnectionString);

            //sink reference to specified container
            BlobContainerClient containerClient = blobServiceClient.GetBlobContainerClient(container);

            Console.WriteLine("Listing blobs...");

            // List all blobs in the container
            foreach (BlobItem blobItem in containerClient.GetBlobs())
            {
                Console.WriteLine("\t" + blobItem.Name);
            }
        }
Beispiel #9
0
        static void Main(string[] args)
        {
            // <authenticate>

            Console.Write("What's the name of your Key Vault?");
            string keyVaultName = Console.ReadLine();

            var kvUri  = "https://" + keyVaultName + ".vault.azure.net";
            var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());

            // </authenticate>

            // <add secret>

            Console.Write("Input the name of your secret > ");
            string secretName = Console.ReadLine();

            Console.Write("Input the value of your secret > ");
            string secretValue = Console.ReadLine();

            Console.Write("Creating a secret in " + keyVaultName + " called '" + secretName + "' with the value '" + secretValue + "` ...");

            client.SetSecret(secretName, secretValue);

            Console.WriteLine(" done.");

            // </add secret>

            // <read secret>

            KeyVaultSecret secret = client.GetSecret(secretName);

            Console.WriteLine(string.Format("Your secret value read from the vault: {0}", secret.Value.ToString()));

            // </read secret>
        }
Beispiel #10
0
 private void AzureKeyVaultConnection(string clientId, string clientSecret, string tenantId, Uri keyVaultUri)
 {
     secret = new SecretClient(keyVaultUri, new ClientSecretCredential(tenantId, clientId, clientSecret));
 }
Beispiel #11
0
        public async Task <string> GetSecretValueAsync(string name)
        {
            var client = new SecretClient(_kvUri, _cred);

            return((await client.GetSecretAsync(name)).Value.Value);
        }
Beispiel #12
0
 public void Identity_ClientSideUserAuthentication_SimpleInteractiveBrowser()
 {
     #region Snippet:Identity_ClientSideUserAuthentication_SimpleInteractiveBrowser
     var client = new SecretClient(new Uri("https://myvault.azure.vaults.net/"), new InteractiveBrowserCredential());
     #endregion
 }
Beispiel #13
0
 public SeedData(SecretClient secretClient)
 {
     _secretClient = secretClient;
 }
Beispiel #14
0
 public KeyVaultIntegration(KeyVaultOptions options)
 {
     SecretClient      = new SecretClient(vaultUri: new Uri(options.Url), credential: new DefaultAzureCredential(), options: options.SecretOptions);
     CertificateClient = new CertificateClient(vaultUri: new Uri(options.Url), credential: new DefaultAzureCredential(), options: options.CertificateOptions);
     KeyClient         = new KeyClient(vaultUri: new Uri(options.Url), credential: new DefaultAzureCredential(), options: options.KeyOptions);
 }
Beispiel #15
0
 public async Task DeleteExternalSecretAsync(string externalName)
 {
     var secretClient = new SecretClient(new Uri(settings.KeyVault.EndpointUri), tokenCredential);
     await secretClient.StartDeleteSecretAsync(GetExternalFullName(externalName));
 }
Beispiel #16
0
        private static SecretClient CreateKeyVaultClient(Uri keyVaultURL)
        {
            kvClient = new SecretClient(keyVaultURL, defaultCred);

            return(kvClient);
        }
Beispiel #17
0
 public SendMessageHandler(SecretClient client, ISecretKeySettings secretKeySettings)
 {
     _client            = client;
     _secretKeySettings = secretKeySettings;
 }
Beispiel #18
0
 /// <summary>
 /// Registers the specified <see cref="SecretClient"/> instance to use to resolve key vault references for secrets from associated key vault.
 /// </summary>
 /// <param name="secretClient">Secret client instance.</param>
 public AzureAppConfigurationKeyVaultOptions Register(SecretClient secretClient)
 {
     SecretClients.Add(secretClient);
     return(this);
 }
Beispiel #19
0
 private AzureKeyVaultCertificateClient(SecretClient secretClient)
 {
     _secretClient = secretClient;
 }
Beispiel #20
0
        public void ConfigureServices(IFunctionsHostBuilder builder, IConfiguration config)
        {
            _loggerFactory = new LoggerFactory();
            var logger = _loggerFactory.CreateLogger <Startup>();

            var aadConfig = config?.GetSection("AzureAd");

            builder?.Services.AddHttpClient("graph", x =>
            {
                x.BaseAddress = new Uri("https://graph.microsoft.com/");
            });

            builder.Services.AddSingleton <CloudTable>(x =>
            {
                var sa    = CloudStorageAccount.Parse(config["TableTokenCache:ConnectionString"]);
                var table = sa.CreateCloudTableClient().GetTableReference("MsalCache");
                table.CreateIfNotExistsAsync().Wait();
                return(table);
            });

            builder.Services.AddSingleton <X509Certificate2>(x =>
            {
                logger.LogInformation("Setting up certificate");

                var managedIdentityAvailable = config["MSI_ENDPOINT"] != null ||
                                               config["IDENTITY_ENDPOINT"] != null ||
                                               Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT") != null ||
                                               Environment.GetEnvironmentVariable("MSI_ENDPOINT") != null;

                logger.LogInformation($"Managed identity available: {managedIdentityAvailable}");

                X509Certificate2 msalCert;

                if (bool.Parse(config["USE_MSI"]))
                {
                    logger.LogInformation($"USE_MSI: {managedIdentityAvailable}, using MSI");
                    var secretClient = new SecretClient(new Uri(config["KeyVault:Endpoint"]), new ManagedIdentityCredential());
                    var certKey      = secretClient.GetSecret(config["KeyVault:CertificateName"]).Value;
                    try
                    {
                        msalCert = new X509Certificate2(Convert.FromBase64String(certKey.Value));
                    }
                    catch (Exception ex)
                    {
                        logger.LogError($"Error using kv cert: {ex.Message}");
                        throw;
                    }
                }
                else
                {
                    logger.LogInformation($"USE_MSI: {managedIdentityAvailable}, using local certificate...");
                    try
                    {
                        //E6213E8767D78C384AD7312EB2049AB5CBA23D33

                        X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
                        certStore.Open(OpenFlags.ReadOnly);
                        X509Certificate2Collection certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, "E6213E8767D78C384AD7312EB2049AB5CBA23D33", false);


                        msalCert = certCollection[0];

                        //var localCert = System.IO.File.ReadAllBytes(config["AzureAd:TestCertificatePath"]);
                        //logger.LogInformation("Got local cert bytes, creating x509 object");
                        //msalCert = new X509Certificate2(localCert, config["AzureAd:TestCertificatePassword"]);
                    }
                    catch (Exception ex)
                    {
                        logger.LogError($"Error using local cert: {ex.Message}");
                        throw;
                    }
                }
                return(msalCert);
            });

            builder.Services.Configure <MsalOptions>(x =>
            {
                x.ClientId    = aadConfig["ClientId"];
                x.RedirectUri = aadConfig["RedirectUrl"];
                x.TenantId    = aadConfig["TenantId"];
            });

            builder.Services.AddTransient <ITokenCacheAccessor, PerUserTableTokenCacheAccessor>();
            builder.Services.AddTransient <MsalClientFactory>();
        }
Beispiel #21
0
 private KeyVaultHelper(SecretClient keyVaultClient, string keyVaultUri)
 {
     this.keyVaultClient = keyVaultClient;
     this.keyVaultUri    = keyVaultUri;
 }
Beispiel #22
0
        public void BackupAndRestoreSync()
        {
            // Environment variable with the Key Vault endpoint.
            string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL");

            #region Snippet:SecretsSample2SecretClient
            var client = new SecretClient(new Uri(keyVaultUrl), new DefaultAzureCredential());
            #endregion

            #region Snippet:SecretsSample2CreateSecret
            string secretName = $"StorageAccountPassword{Guid.NewGuid()}";

            var secret = new KeyVaultSecret(secretName, "f4G34fMh8v");
            secret.Properties.ExpiresOn = DateTimeOffset.Now.AddYears(1);

            KeyVaultSecret storedSecret = client.SetSecret(secret);
            #endregion

            #region Snippet:SecretsSample2BackupSecret
            string backupPath   = Path.GetTempFileName();
            byte[] secretBackup = client.BackupSecret(secretName);

            File.WriteAllBytes(backupPath, secretBackup);
            #endregion

            // The storage account secret is no longer in use so you delete it.
            DeleteSecretOperation operation = client.StartDeleteSecret(secretName);

            // Before it can be purged, you need to wait until the secret is fully deleted.
            while (!operation.HasCompleted)
            {
                Thread.Sleep(2000);

                operation.UpdateStatus();
            }

            // If the Key Vault is soft delete-enabled and you want to permanently delete the secret before its `ScheduledPurgeDate`,
            // the deleted secret needs to be purged.
            client.PurgeDeletedSecret(secretName);

            #region Snippet:SecretsSample2RestoreSecret
            byte[] secretBackupToRestore = File.ReadAllBytes(backupPath);

            SecretProperties restoreSecret = client.RestoreSecretBackup(secretBackupToRestore);
            #endregion

            AssertSecretsEqual(storedSecret.Properties, restoreSecret);

            // Delete and purge the restored secret.
            operation = client.StartDeleteSecret(restoreSecret.Name);

            // You only need to wait for completion if you want to purge or recover the secret.
            while (!operation.HasCompleted)
            {
                Thread.Sleep(2000);

                operation.UpdateStatus();
            }

            client.PurgeDeletedSecret(restoreSecret.Name);
        }
Beispiel #23
0
        public async Task GetSecretsAsync()
        {
            // Environment variable with the Key Vault endpoint.
            string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL");

            var client = new SecretClient(new Uri(keyVaultUrl), new DefaultAzureCredential());

            string bankSecretName    = $"BankAccountPassword-{Guid.NewGuid()}";
            string storageSecretName = $"StorageAccountPassword{Guid.NewGuid()}";

            var bankSecret = new KeyVaultSecret(bankSecretName, "f4G34fMh8v");

            bankSecret.Properties.ExpiresOn = DateTimeOffset.Now.AddYears(1);

            var storageSecret = new KeyVaultSecret(storageSecretName, "f4G34fMh8v547");

            storageSecret.Properties.ExpiresOn = DateTimeOffset.Now.AddYears(1);

            await client.SetSecretAsync(bankSecret);

            await client.SetSecretAsync(storageSecret);

            Dictionary <string, string> secretValues = new Dictionary <string, string>();

            await foreach (SecretProperties secret in client.GetPropertiesOfSecretsAsync())
            {
                // Getting a disabled secret will fail, so skip disabled secrets.
                if (!secret.Enabled.GetValueOrDefault())
                {
                    continue;
                }

                KeyVaultSecret secretWithValue = await client.GetSecretAsync(secret.Name);

                if (secretValues.ContainsKey(secretWithValue.Value))
                {
                    Debug.WriteLine($"Secret {secretWithValue.Name} shares a value with secret {secretValues[secretWithValue.Value]}");
                }
                else
                {
                    secretValues.Add(secretWithValue.Value, secretWithValue.Name);
                }
            }

            string newBankSecretPassword = "******";

            await foreach (SecretProperties secret in client.GetPropertiesOfSecretVersionsAsync(bankSecretName))
            {
                // Secret versions may also be disabled if compromised and new versions generated, so skip disabled versions, too.
                if (!secret.Enabled.GetValueOrDefault())
                {
                    continue;
                }

                KeyVaultSecret oldBankSecret = await client.GetSecretAsync(secret.Name, secret.Version);

                if (newBankSecretPassword == oldBankSecret.Value)
                {
                    Debug.WriteLine($"Secret {secret.Name} reuses a password");
                }
            }

            await client.SetSecretAsync(bankSecretName, newBankSecretPassword);

            DeleteSecretOperation bankSecretOperation = await client.StartDeleteSecretAsync(bankSecretName);

            DeleteSecretOperation storageSecretOperation = await client.StartDeleteSecretAsync(storageSecretName);

            // You only need to wait for completion if you want to purge or recover the secret.
            await Task.WhenAll(
                bankSecretOperation.WaitForCompletionAsync().AsTask(),
                storageSecretOperation.WaitForCompletionAsync().AsTask());

            await foreach (DeletedSecret secret in client.GetDeletedSecretsAsync())
            {
                Debug.WriteLine($"Deleted secret's recovery Id {secret.RecoveryId}");
            }

            // If the Key Vault is soft delete-enabled, then for permanent deletion, deleted secret needs to be purged.
            await Task.WhenAll(
                client.PurgeDeletedSecretAsync(bankSecretName),
                client.PurgeDeletedSecretAsync(storageSecretName));
        }
Beispiel #24
0
 public async Task Run([AzureClient("Connection")] SecretClient keyClient)
 {
     await keyClient.SetSecretAsync("TestSecret", "Secret value");
 }
Beispiel #25
0
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddSingleton <ILocalizationProvider, StorageLocalizationProvider>();
            services.AddTextLocalization(options =>
            {
                options.ReturnOnlyKeyIfNotFound = !_environment.IsDevelopment();
                options.FallBackNeutralCulture  = !_environment.IsDevelopment();
            }).Configure <RequestLocalizationOptions>(options =>
            {
                options.DefaultRequestCulture = new RequestCulture(Settings.SupportedCultures[0]);
                options.AddSupportedCultures(Settings.SupportedCultures);
                options.AddSupportedUICultures(Settings.SupportedCultures);
            });

            services.AddScoped <LazyAssemblyLoader>();

            var dataProtectionBuilder = services.AddDataProtection().SetApplicationName(projectName);

            services.RegisterStorage(Configuration);

            services.Configure <ApiBehaviorOptions>(options => { options.SuppressModelStateInvalidFilter = true; });

            services.AddIdentity <ApplicationUser, ApplicationRole>()
            .AddRoles <ApplicationRole>()
            .AddEntityFrameworkStores <ApplicationDbContext>()
            .AddDefaultTokenProviders()
            .AddErrorDescriber <LocalizedIdentityErrorDescriber>();

            services.AddScoped <IUserClaimsPrincipalFactory <ApplicationUser>,
                                AdditionalUserClaimsPrincipalFactory>();

            var authAuthority = Configuration[$"{projectName}:IS4ApplicationUrl"].TrimEnd('/');

            // Adds IdentityServer https://identityserver4.readthedocs.io/en/latest/reference/options.html
            var identityServerBuilder = services.AddIdentityServer(options =>
            {
                options.IssuerUri = authAuthority;
                options.Events.RaiseErrorEvents       = true;
                options.Events.RaiseInformationEvents = true;
                options.Events.RaiseFailureEvents     = true;
                options.Events.RaiseSuccessEvents     = true;
                options.UserInteraction.ErrorUrl      = "/identityserver/error";
            })
                                        .AddIdentityServerStores(Configuration)
                                        .AddAspNetIdentity <ApplicationUser>(); //https://identityserver4.readthedocs.io/en/latest/reference/aspnet_identity.html

            X509Certificate2 cert = null;

            var keysLocalFolder = Path.Combine(_environment.ContentRootPath, "Keys");

            if (_environment.IsDevelopment())
            {
                // The AddDeveloperSigningCredential extension creates temporary key material tempkey.jwk for signing tokens.
                // This might be useful to get started, but needs to be replaced by some persistent key material for production scenarios.
                // See http://docs.identityserver.io/en/release/topics/crypto.html#refcrypto for more information.
                // https://stackoverflow.com/questions/42351274/identityserver4-hosting-in-iis

                identityServerBuilder.AddDeveloperSigningCredential();

                dataProtectionBuilder.PersistKeysToFileSystem(new DirectoryInfo(keysLocalFolder));
            }
            else
            {
                // Running on Azure Web App service - read the setup doc at blazor-boilerplate.readthedocs.io

                // appsettings.json parameters used:
                //  "RunsOnAzure": true,
                //  "RunningAsAppService": true,
                //  "RunningAsDocker": false, // not implemented yet
                //  "AzureKeyVault": {
                //      "UsingKeyVault": true,
                //      "UseManagedAppIdentity": true,
                //      "AppKey": "", // not implemented yet.
                //      "AppSecret": "",
                //      "KeyVaultURI": "https://YOURVAULTNAMEHERE.vault.azure.net/",
                //      "CertificateIdentifier": "https://YOURVAULTNAMEHERE.vault.azure.net/certificates/BBAUTH/<HEX_VERSION_STRING_HERE>",
                //      "CertificateName": "BBAUTH",
                //      "StorageAccountBlobBaseUrl": "https://<YOUR_STORAGE_ACCOUNT_NAME_HERE>.blob.core.windows.net",
                //      "ContainerName": "blazor-boilerplate-keys",
                //      "KeysBlobName": "keys.xml"
                if (Convert.ToBoolean(Configuration["HostingOnAzure:RunsOnAzure"]) == true)
                {
                    if (Convert.ToBoolean(Configuration["HostingOnAzure:AzureKeyVault:UsingKeyVault"]) == true)
                    {
                        if (Convert.ToBoolean(Configuration["HostingOnAzure:AzurekeyVault:UseManagedAppIdentity"]) == true)
                        {
                            //https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview

                            // In production environment we have already configured Managed Identity (blazor-boilerplate) using Azure Portal for our app to access Key Vault and Blob Storage.

                            // Set up TokenCredential options for production and development environments
                            bool isDeployed        = !_environment.IsDevelopment();
                            var  credentialOptions = new DefaultAzureCredentialOptions
                            {
                                ExcludeEnvironmentCredential        = isDeployed,
                                ExcludeManagedIdentityCredential    = false, // we only use this one in production
                                ExcludeSharedTokenCacheCredential   = isDeployed,
                                ExcludeVisualStudioCredential       = isDeployed,
                                ExcludeVisualStudioCodeCredential   = isDeployed,
                                ExcludeAzureCliCredential           = isDeployed,
                                ExcludeInteractiveBrowserCredential = isDeployed,
                            };

                            // In development environment DefaultAzureCredential() will use the shared token credential from the IDE. In Visual Studio this is under Options - Azure Service Authentication.
                            if (_environment.IsDevelopment())
                            {
                                // credentialOptions.SharedTokenCacheUsername = "******"; // specify user name to use if more than one Azure username is configured in IDE.
                                // var defaultTenantId = "?????-????-????-????-????????"; // specify AAD tenant to authenticate against (from Azure Portal - AAD - Tenant ID)
                                // credentialOptions.SharedTokenCacheTenantId = defaultTenantId;
                                // credentialOptions.VisualStudioCodeTenantId = defaultTenantId;
                                // credentialOptions.VisualStudioTenantId = defaultTenantId;
                            }

                            TokenCredential tokenCredential = new DefaultAzureCredential(credentialOptions);

                            // The Azure Storage Container (blazor-boilerplate-keys) Access Control must grant blazor-boilerplate the following roles:
                            // - Storage Blob Data Contributor

                            var blobServiceClient = new BlobServiceClient(
                                new Uri(Configuration["HostingOnAzure:AzureKeyVault:StorageAccountBlobBaseUrl"]),
                                tokenCredential);

                            BlobContainerClient blobContainerClient = blobServiceClient.GetBlobContainerClient(Configuration["HostingOnAzure:AzureKeyVault:ContainerName"]);
                            BlobClient          blobClient          = blobContainerClient.GetBlobClient(Configuration["HostingOnAzure:AzureKeyVault:KeysBlobName"]);

                            var certificateIdentifier = Configuration["HostingOnAzure:AzureKeyVault:CertificateIdentifier"];

                            dataProtectionBuilder.PersistKeysToAzureBlobStorage(blobClient);
                            // 1. Remove the call to ProtectKeysWithAzureKeyVault below for the first run to create the keys.xml blob in place.
                            // 2. Add the call to ProtectKeysWithAzureKeyVault for subsequent runs.so that keys.xml gets created - see the setup doc for more information
                            dataProtectionBuilder.ProtectKeysWithAzureKeyVault(new Uri(certificateIdentifier), tokenCredential);

                            // Azure Key Vault Access Policy must grant the following permissions to the blazor-boilerplate app:
                            // - Secret Permissions: Get
                            // - Certificate Permissions: Get

                            // Retrieve the certificate and extract the secret so that we can build the new X509 certificate for later use by Identity Server
                            var certificateClient = new CertificateClient(vaultUri: new Uri(Configuration["HostingOnAzure:AzureKeyVault:KeyVaultUri"]), credential: new DefaultAzureCredential());
                            var secretClient      = new SecretClient(vaultUri: new Uri(Configuration["HostingOnAzure:AzureKeyVault:KeyVaultUri"]), credential: new DefaultAzureCredential());
                            KeyVaultCertificateWithPolicy certificateWithPolicy = certificateClient.GetCertificateAsync(Configuration["HostingOnAzure:AzureKeyVault:CertificateName"]).GetAwaiter().GetResult(); // retrieves latest version of certificate
                            KeyVaultSecretIdentifier      secretIdentifier      = new KeyVaultSecretIdentifier(certificateWithPolicy.SecretId);
                            KeyVaultSecret secret          = secretClient.GetSecretAsync(secretIdentifier.Name, secretIdentifier.Version).GetAwaiter().GetResult();
                            byte[]         privateKeyBytes = Convert.FromBase64String(secret.Value);

                            cert = new X509Certificate2(privateKeyBytes, (string)null, X509KeyStorageFlags.MachineKeySet);
                        }
                    }
                    else // if app id and app secret are used
                    {
                        throw new NotImplementedException();
                    }
                }
                else
                {
                    dataProtectionBuilder.PersistKeysToFileSystem(new DirectoryInfo(keysLocalFolder));
                }

                //TODO this implementation does not consider certificate expiration
                if (Convert.ToBoolean(Configuration[$"{projectName}:UseLocalCertStore"]) == true)
                {
                    var certificateThumbprint = Configuration[$"{projectName}:CertificateThumbprint"];

                    var storeLocation = StoreLocation.LocalMachine;

                    dynamic storeName = "WebHosting";

                    if (OperatingSystem.IsLinux())
                    {
                        storeLocation = StoreLocation.CurrentUser;
                        storeName     = StoreName.My;
                    }

                    using X509Store store = new(storeName, storeLocation);
                    store.Open(OpenFlags.ReadOnly);
                    var certs = store.Certificates.Find(X509FindType.FindByThumbprint, certificateThumbprint, false);
                    if (certs.Count > 0)
                    {
                        cert = certs[0];
                    }
                    else
                    {
                        var certPath = Path.Combine(_environment.ContentRootPath, "AuthSample.pfx");

                        if (File.Exists(certPath))
                        {
                            string certificatePassword = Configuration[$"{projectName}:CertificatePassword"] ?? "Admin123";
                            cert = new X509Certificate2(certPath, certificatePassword,
                                                        X509KeyStorageFlags.MachineKeySet |
                                                        X509KeyStorageFlags.PersistKeySet |
                                                        X509KeyStorageFlags.Exportable);
                        }
                    }

                    store.Close();
                }

                // pass the resulting certificate to Identity Server
                if (cert != null)
                {
                    identityServerBuilder.AddSigningCredential(cert);
                    Log.Logger.Information($"Added certificate {cert.Subject} to Identity Server");
                }
                else if (OperatingSystem.IsWindows())
                {
                    Log.Logger.Debug("Trying to use WebHosting Certificate for Identity Server");
                    identityServerBuilder.AddWebHostingCertificate();
                }
                else
                {
                    throw new Exception("Missing Certificate for Identity Server");
                }
            }

            var authBuilder = services.AddAuthentication(options =>
            {
                options.DefaultScheme = IdentityServerAuthenticationDefaults.AuthenticationScheme;
            })
                              .AddIdentityServerAuthentication(options =>
            {
                options.Authority            = authAuthority;
                options.SupportedTokens      = SupportedTokens.Jwt;
                options.RequireHttpsMetadata = _environment.IsProduction();
                options.ApiName = IdentityServerConfig.LocalApiName;
                options.Events  = new JwtBearerEvents
                {
                    OnMessageReceived = context =>
                    {
                        var accessToken = context.Request.Query["access_token"];

                        // If the request is for our hub...
                        var path = context.HttpContext.Request.Path;
                        if (!string.IsNullOrEmpty(accessToken) &&
                            (path.StartsWithSegments("/chathub")))
                        {
                            // Read the token out of the query string
                            context.Token = accessToken;
                        }
                        return(Task.CompletedTask);
                    }
                };
            });

            #region ExternalAuthProviders
            //https://github.com/dotnet/aspnetcore/blob/master/src/Security/Authentication/samples/SocialSample/Startup.cs
            //https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/google-logins
            if (Convert.ToBoolean(Configuration["ExternalAuthProviders:Google:Enabled"] ?? "false"))
            {
                authBuilder.AddGoogle(options =>
                {
                    options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

                    options.ClientId     = Configuration["ExternalAuthProviders:Google:ClientId"];
                    options.ClientSecret = Configuration["ExternalAuthProviders:Google:ClientSecret"];

                    options.AuthorizationEndpoint += "?prompt=consent"; // Hack so we always get a refresh token, it only comes on the first authorization response
                    options.AccessType             = "offline";
                    options.SaveTokens             = true;
                    options.Events = new OAuthEvents()
                    {
                        OnRemoteFailure = HandleOnRemoteFailure
                    };
                    options.ClaimActions.MapJsonSubKey("urn:google:image", "image", "url");
                    options.ClaimActions.Remove(ClaimTypes.GivenName);
                });
            }

            if (Convert.ToBoolean(Configuration["ExternalAuthProviders:Facebook:Enabled"] ?? "false"))
            {
                // You must first create an app with Facebook and add its ID and Secret to your user-secrets.
                // https://developers.facebook.com/apps/
                // https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#login
                authBuilder.AddFacebook(options =>
                {
                    options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

                    options.AppId     = Configuration["ExternalAuthProviders:Facebook:AppId"];
                    options.AppSecret = Configuration["ExternalAuthProviders:Facebook:AppSecret"];

                    options.Scope.Add("email");
                    options.Fields.Add("name");
                    options.Fields.Add("email");
                    options.SaveTokens = true;
                    options.Events     = new OAuthEvents()
                    {
                        OnRemoteFailure = HandleOnRemoteFailure
                    };
                });
            }

            if (Convert.ToBoolean(Configuration["ExternalAuthProviders:Twitter:Enabled"] ?? "false"))
            {
                // You must first create an app with Twitter and add its key and Secret to your user-secrets.
                // https://apps.twitter.com/
                // https://developer.twitter.com/en/docs/basics/authentication/api-reference/access_token
                authBuilder.AddTwitter(options =>
                {
                    options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

                    options.ConsumerKey    = Configuration["ExternalAuthProviders:Twitter:ConsumerKey"];
                    options.ConsumerSecret = Configuration["ExternalAuthProviders:Twitter:ConsumerSecret"];

                    // http://stackoverflow.com/questions/22627083/can-we-get-email-id-from-twitter-oauth-api/32852370#32852370
                    // http://stackoverflow.com/questions/36330675/get-users-email-from-twitter-api-for-external-login-authentication-asp-net-mvc?lq=1
                    options.RetrieveUserDetails = true;
                    options.SaveTokens          = true;
                    options.ClaimActions.MapJsonKey("urn:twitter:profilepicture", "profile_image_url", ClaimTypes.Uri);
                    options.Events = new TwitterEvents()
                    {
                        OnRemoteFailure = HandleOnRemoteFailure
                    };
                });
            }

            //https://github.com/xamarin/Essentials/blob/master/Samples/Sample.Server.WebAuthenticator/Startup.cs
            if (Convert.ToBoolean(Configuration["ExternalAuthProviders:Apple:Enabled"] ?? "false"))
            {
                authBuilder.AddApple(options =>
                {
                    options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

                    options.ClientId = Configuration["ExternalAuthProviders:Apple:ClientId"];
                    options.KeyId    = Configuration["ExternalAuthProviders:Apple:KeyId"];
                    options.TeamId   = Configuration["ExternalAuthProviders:Apple:TeamId"];

                    options.UsePrivateKey(keyId
                                          => _environment.ContentRootFileProvider.GetFileInfo($"AuthKey_{keyId}.p8"));
                    options.SaveTokens = true;
                });
            }

            // You must first create an app with Microsoft Account and add its ID and Secret to your user-secrets.
            // https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
            if (Convert.ToBoolean(Configuration["ExternalAuthProviders:Microsoft:Enabled"] ?? "false"))
            {
                authBuilder.AddMicrosoftAccount(options =>
                {
                    options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

                    options.ClientId     = Configuration["ExternalAuthProviders:Microsoft:ClientId"];
                    options.ClientSecret = Configuration["ExternalAuthProviders:Microsoft:ClientSecret"];

                    options.SaveTokens = true;
                    options.Scope.Add("offline_access");
                    options.Events = new OAuthEvents()
                    {
                        OnRemoteFailure = HandleOnRemoteFailure
                    };
                });
            }
            #endregion

            #region Authorization
            //Add Policies / Claims / Authorization - https://identityserver4.readthedocs.io/en/latest/topics/add_apis.html#advanced
            services.AddScoped <EntityPermissions>();
            services.AddSingleton <IAuthorizationPolicyProvider, AuthorizationPolicyProvider>();
            services.AddTransient <IAuthorizationHandler, DomainRequirementHandler>();
            services.AddTransient <IAuthorizationHandler, PermissionRequirementHandler>();
            #endregion

            services.Configure <IdentityOptions>(options =>
            {
                // Password settings
                options.Password.RequireDigit           = RequireDigit;
                options.Password.RequiredLength         = RequiredLength;
                options.Password.RequireNonAlphanumeric = RequireNonAlphanumeric;
                options.Password.RequireUppercase       = RequireUppercase;
                options.Password.RequireLowercase       = RequireLowercase;
                //options.Password.RequiredUniqueChars = 6;

                // Lockout settings
                options.Lockout.DefaultLockoutTimeSpan  = TimeSpan.FromMinutes(30);
                options.Lockout.MaxFailedAccessAttempts = 10;
                options.Lockout.AllowedForNewUsers      = true;

                // Require Confirmed Email User settings
                if (Convert.ToBoolean(Configuration[$"{projectName}:RequireConfirmedEmail"] ?? "false"))
                {
                    options.User.RequireUniqueEmail      = true;
                    options.SignIn.RequireConfirmedEmail = true;
                }
            });

            #region Cookies
            // cookie policy to deal with temporary browser incompatibilities
            services.AddSameSiteCookiePolicy();

            //https://docs.microsoft.com/en-us/aspnet/core/security/gdpr
            services.Configure <CookiePolicyOptions>(options =>
            {
                // This lambda determines whether user consent for non-essential
                // cookies is needed for a given request.
                options.CheckConsentNeeded = context => false; //consent not required
                // requires using Microsoft.AspNetCore.Http;
                //options.MinimumSameSitePolicy = SameSiteMode.None;
            });

            //services.ConfigureExternalCookie(options =>
            // {
            // macOS login fix
            //options.Cookie.SameSite = SameSiteMode.None;
            //});

            services.ConfigureApplicationCookie(options =>
            {
                options.Cookie.IsEssential  = true;
                options.Cookie.HttpOnly     = true;
                options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
                options.ExpireTimeSpan      = TimeSpan.FromDays(Convert.ToDouble(Configuration[$"{projectName}:CookieExpireTimeSpanDays"] ?? "30"));
                options.LoginPath           = Constants.Settings.LoginPath;
                //options.AccessDeniedPath = "/Identity/Account/AccessDenied";
                // ReturnUrlParameter requires
                //using Microsoft.AspNetCore.Authentication.Cookies;
                options.ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter;
                options.SlidingExpiration  = true;

                // Suppress redirect on API URLs in ASP.NET Core -> https://stackoverflow.com/a/56384729/54159
                options.Events = new CookieAuthenticationEvents()
                {
                    OnRedirectToAccessDenied = context =>
                    {
                        if (context.Request.Path.StartsWithSegments("/api"))
                        {
                            context.Response.StatusCode = Status403Forbidden;
                        }

                        return(Task.CompletedTask);
                    },
                    OnRedirectToLogin = context =>
                    {
                        context.Response.StatusCode = Status401Unauthorized;
                        return(Task.CompletedTask);
                    }
                };
            });
            #endregion

            services.AddMvc().AddNewtonsoftJson(opt =>
            {
                // Set Breeze defaults for entity serialization
                var ss = JsonSerializationFns.UpdateWithDefaults(opt.SerializerSettings);
                if (ss.ContractResolver is DefaultContractResolver resolver)
                {
                    resolver.NamingStrategy = null;  // remove json camelCasing; names are converted on the client.
                }
                if (_environment.IsDevelopment())
                {
                    ss.Formatting = Newtonsoft.Json.Formatting.Indented; // format JSON for debugging
                }
            })                                                           // Add Breeze exception filter to send errors back to the client
            .AddMvcOptions(o => { o.Filters.Add(new GlobalExceptionFilter()); })
            .AddViewLocalization().AddDataAnnotationsLocalization(options =>
            {
                options.DataAnnotationLocalizerProvider = (type, factory) =>
                {
                    return(factory.Create(typeof(Global)));
                };
            }).AddFluentValidation(fv => fv.RegisterValidatorsFromAssemblyContaining <LocalizationRecordValidator>());

            services.AddServerSideBlazor().AddCircuitOptions(o =>
            {
                if (_environment.IsDevelopment())
                {
                    o.DetailedErrors = true;
                }
            }).AddHubOptions(o =>
            {
                o.MaximumReceiveMessageSize = 131072;
            });

            services.AddSignalR();

            if (_enableAPIDoc)
            {
                services.AddOpenApiDocument(document =>
                {
                    document.Title   = "BlazorBoilerplate API";
                    document.Version = typeof(Startup).GetTypeInfo().Assembly.GetName().Version.ToString();
                    document.AddSecurity("bearer", Enumerable.Empty <string>(), new OpenApiSecurityScheme
                    {
                        Type             = OpenApiSecuritySchemeType.OAuth2,
                        Description      = "Local Identity Server",
                        OpenIdConnectUrl = $"{authAuthority}/.well-known/openid-configuration", //not working
                        Flow             = OpenApiOAuth2Flow.AccessCode,
                        Flows            = new OpenApiOAuthFlows()
                        {
                            AuthorizationCode = new OpenApiOAuthFlow()
                            {
                                Scopes = new Dictionary <string, string>
                                {
                                    { LocalApi.ScopeName, IdentityServerConfig.LocalApiName }
                                },
                                AuthorizationUrl = $"{authAuthority}/connect/authorize",
                                TokenUrl         = $"{authAuthority}/connect/token"
                            },
                        }
                    });;

                    document.OperationProcessors.Add(new AspNetCoreOperationSecurityScopeProcessor("bearer"));
                    //      new OperationSecurityScopeProcessor("bearer"));
                });
            }

            services.AddScoped <IUserSession, UserSession>();

            services.AddSingleton <IHttpContextAccessor, HttpContextAccessor>();

            services.Add(ServiceDescriptor.Scoped(typeof(ITenantSettings <>), typeof(TenantSettingsManager <>)));

            services.AddTransient <IEmailFactory, EmailFactory>();

            services.AddTransient <IAccountManager, AccountManager>();
            services.AddTransient <IAdminManager, AdminManager>();
            services.AddTransient <IEmailManager, EmailManager>();
            services.AddTransient <IExternalAuthManager, ExternalAuthManager>();

            #region Automapper
            //Automapper to map DTO to Models https://www.c-sharpcorner.com/UploadFile/1492b1/crud-operations-using-automapper-in-mvc-application/
            var automapperConfig = new MapperConfiguration(configuration =>
            {
                configuration.AddProfile(new MappingProfile());
            });

            var autoMapper = automapperConfig.CreateMapper();

            services.AddSingleton(autoMapper);
            #endregion

            /* ServerSideBlazor */
            services.AddScoped <IAccountApiClient, AccountApiClient>();
            services.AddScoped <AppState>();

            // setup HttpClient for server side in a client side compatible fashion ( with auth cookie )
            // if (!services.Any(x => x.ServiceType == typeof(HttpClient)))
            // {
            services.AddScoped(s =>
            {
                // creating the URI helper needs to wait until the JS Runtime is initialized, so defer it.
                var navigationManager   = s.GetRequiredService <NavigationManager>();
                var httpContextAccessor = s.GetRequiredService <IHttpContextAccessor>();
                var cookies             = httpContextAccessor.HttpContext.Request.Cookies;
                var httpClientHandler   = new HttpClientHandler()
                {
                    UseCookies = false
                };
                if (_environment.IsDevelopment())
                {
                    // Return 'true' to allow certificates that are untrusted/invalid
                    httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return(true); };
                }
                var client = new HttpClient(httpClientHandler);
                if (cookies.Any())
                {
                    var cks = new List <string>();

                    foreach (var cookie in cookies)
                    {
                        cks.Add($"{cookie.Key}={cookie.Value}");
                    }

                    client.DefaultRequestHeaders.Add("Cookie", string.Join(';', cks));
                }

                client.BaseAddress = new Uri(navigationManager.BaseUri);

                return(client);
            });
            // }

            services.AddScoped <ILocalizationApiClient, LocalizationApiClient>();
            services.AddScoped <IApiClient, ApiClient>();

            // Authentication providers
            Log.Logger.Debug("Removing AuthenticationStateProvider...");
            var serviceDescriptor = services.FirstOrDefault(descriptor => descriptor.ServiceType == typeof(AuthenticationStateProvider));
            if (serviceDescriptor != null)
            {
                services.Remove(serviceDescriptor);
            }

            Log.Logger.Debug("Adding AuthenticationStateProvider...");
            services.AddScoped <AuthenticationStateProvider, IdentityAuthenticationStateProvider>();
            /**********************/

            services.AddModules();

            if (Log.Logger.IsEnabled(Serilog.Events.LogEventLevel.Debug))
            {
                Log.Logger.Debug($"Total Services Registered: {services.Count}");
                foreach (var service in services)
                {
                    Log.Logger.Debug($"\n\tService: {service.ServiceType.FullName}\n\tLifetime: {service.Lifetime}\n\tInstance: {service.ImplementationType?.FullName}");
                }
            }
        }
Beispiel #26
0
        /// <summary>
        /// Gets all top-level XML elements from Azure Key Vault
        /// </summary>
        /// <returns></returns>
        public IReadOnlyCollection <XElement> GetAllElements()
        {
            _logger.LogInformation("Loading Data Protection Key Ring from Azure Key Vault");

            var credentials = new ClientSecretCredential(tenantId: _tenantId, clientId: _clientId, clientSecret: _secret);
            var client      = new SecretClient(new Uri(_vaultUrl), credentials);

            try
            {
                KeyVaultSecret kvSecret = client.GetSecret(_keyRingName);

                string encoded = kvSecret.Value;

                _logger.LogInformation("Key Ring size in Key Vault is {size}", encoded.Length);

                //The data stored in key vault is base64 encoded
                string decoded = Encoding.UTF8.GetString(Convert.FromBase64String(encoded));

                XDocument doc = XDocument.Parse(decoded);

                var entries = new List <XElement>();
                foreach (XElement node in doc.Root.Elements())
                {
                    switch (node.Name.ToString())
                    {
                    case "key":
                        string keyId = node.Attribute("id")?.Value ?? "";

                        var created = DateTime.Parse(node.Element("creationDate").Value);
                        var keyAge  = DateTime.Now.Subtract(created).Days;

                        //To keep the key-ring small, we remove items older than 180 days
                        if (keyAge <= 180)
                        {
                            _logger.LogInformation("Loaded key {keyid}", keyId);
                            entries.Add(node);
                        }
                        else
                        {
                            _logger.LogCritical("Ignored old key {keyid}", keyId);
                        }
                        break;

                    case "revocation":
                        //Revocation entries are added to the key-ring if we decide to revoke existing keys
                        var revDate = DateTime.Parse(node.Element("revocationDate").Value);

                        var revAge = DateTime.Now.Subtract(revDate).Days;
                        if (revAge <= 180)
                        {
                            _logger.LogInformation("Loaded revocation entry dated {revocationDate}", revDate);
                            entries.Add(node);
                        }
                        break;

                    default:
                        entries.Add(node);
                        break;
                    }
                }

                _logger.LogInformation("Loaded {keycount} Key Ring items from Azure Key Vault", entries.Count);
                return(entries);
            }
            catch (Exception exc)
            {
                _logger.LogInformation("Failed to load secret '{secretname}' from Azure Key Vault, a new Key Ring will be created.", _keyRingName, exc.Message);
                return(new List <XElement>());
            }
        }
Beispiel #27
0
 public ParallelSecretLoader(SecretClient client)
 {
     _client    = client;
     _semaphore = new SemaphoreSlim(ParallelismLevel, ParallelismLevel);
     _tasks     = new List <Task <Response <KeyVaultSecret> > >();
 }
Beispiel #28
0
 public TwilioAuthenticationWebHookService(SecretClient secretClient, ISecretKeySettings secretKeySettings)
 {
     _secretClient      = secretClient;
     _secretKeySettings = secretKeySettings;
 }
Beispiel #29
0
        public AzDOConnection(string azdoUrl, string projectName, string buildDefinitionName, SecretClient client, string secretName)
        {
            BuildProjectName    = projectName;
            BuildDefinitionName = buildDefinitionName;

            var azureDevOpsSecret = client.GetSecret(secretName);
            var credential        = new NetworkCredential("vslsnap", azureDevOpsSecret.Value.Value);

            Connection  = new VssConnection(new Uri(azdoUrl), new WindowsCredential(credential));
            NuGetClient = new HttpClient(new HttpClientHandler {
                Credentials = credential
            });

            GitClient   = Connection.GetClient <GitHttpClient>();
            BuildClient = Connection.GetClient <BuildHttpClient>();
        }
Beispiel #30
0
        private static SecretClient CreateKeyVaultClient(string keyVaultURL)
        {
            kvClient = new SecretClient(new Uri(keyVaultURL), defaultCred);

            return(kvClient);
        }