/// <summary>
/// <para>
/// Adds the secrets of a HashiCorp Vault KeyValue engine to the secret store.
/// </para>
/// <para>
/// See more information on HashiCorp: <a href="https://www.vaultproject.io/docs" />.
/// </para>
/// </summary>
/// <param name="builder">The builder to add the HashiCorp secrets from the KeyValue Vault to.</param>
/// <param name="settings"></param>
/// <param name="secretPath">The secret path where the secret provider should look for secrets.</param>
/// <param name="configureOptions">The function to set the additional options to configure the HashiCorp Vault KeyValue.</param>
/// <param name="name">The unique name to register this HashiCorp provider in the secret store.</param>
/// <param name="mutateSecretName">The optional function to mutate the secret name before looking it up.</param>
/// <exception cref="ArgumentNullException">
/// Thrown when the <paramref name="builder"/>, <paramref name="settings"/> or <paramref name="secretPath"/> is <c>null</c>.
/// </exception>
/// <exception cref="ArgumentException">
/// Thrown when the <paramref name="settings"/> doesn't have a valid Vault server URI or a missing authentication method,
/// or the <paramref name="secretPath"/> is blank.
/// </exception>
public static SecretStoreBuilder AddHashiCorpVault(
this SecretStoreBuilder builder,
VaultClientSettings settings,
string secretPath,
Action <HashiCorpVaultOptions> configureOptions,
string name,
Func <string, string> mutateSecretName)
{
Guard.NotNull(builder, nameof(builder), "Requires a secret store builder to add the HashiCorp Vault secret provider");
Guard.NotNull(settings, nameof(settings), "Requires HashiCorp Vault settings to correctly connect to the running HashiCorp Vault");
Guard.NotNullOrWhitespace(settings.VaultServerUriWithPort, nameof(settings.VaultServerUriWithPort), "Requires a non-blank HashiCorp Vault settings to have a valid URI with HTTP port");
Guard.NotNull(settings.AuthMethodInfo, nameof(settings.AuthMethodInfo), "Requires the HashiCorp Vault settings to have an authentication method configured");
Guard.NotNullOrWhitespace(secretPath, nameof(secretPath), "Requires a secret path to look for secret values");
Guard.For <ArgumentException>(() => !Uri.IsWellFormedUriString(settings.VaultServerUriWithPort, UriKind.RelativeOrAbsolute), "Requires a HashiCorp Vault server URI with HTTP port");
var options = new HashiCorpVaultOptions();
configureOptions?.Invoke(options);
return(AddHashiCorpVault(builder, settings, secretPath, options, configureSecretProviderOptions: secretProviderOptions =>
{
secretProviderOptions.Name = name;
secretProviderOptions.MutateSecretName = mutateSecretName;
}));
}
public static SecretStoreBuilder AddAzureKeyVaultProvider(
this SecretStoreBuilder builder,
IKeyVaultAuthentication authentication,
IKeyVaultConfiguration configuration)
{
return(builder.AddProvider(new KeyVaultSecretProvider(authentication, configuration)));
}
/// <summary>
/// <para>
/// Adds the secrets of a HashiCorp Vault KeyValue engine to the secret store.
/// </para>
/// <para>
/// See more information on HashiCorp: <a href="https://www.vaultproject.io/docs" />.
/// </para>
/// </summary>
/// <param name="builder">The builder to add the HashiCorp secrets from the KeyValue Vault to.</param>
/// <param name="vaultServerUriWithPort">The URI that points to the running HashiCorp Vault.</param>
/// <param name="username">The username of the UserPass authentication method.</param>
/// <param name="password">The password of the UserPass authentication method.</param>
/// <param name="secretPath">The secret path where the secret provider should look for secrets.</param>
/// <param name="configureOptions">The optional function to set the additional options to configure the HashiCorp Vault KeyValue.</param>
/// <param name="name">The unique name to register this HashiCorp provider in the secret store.</param>
/// <param name="mutateSecretName">The optional function to mutate the secret name before looking it up.</param>
/// <exception cref="ArgumentNullException">Thrown when the <paramref name="builder"/> or <paramref name="secretPath"/> is <c>null</c>.</exception>
/// <exception cref="ArgumentException">
/// Thrown when the <paramref name="vaultServerUriWithPort"/> is blank or doesn't represent a valid URI,
/// or the <paramref name="username"/> or <paramref name="password"/> is blank,
/// or the <paramref name="secretPath"/> is blank.
/// </exception>
public static SecretStoreBuilder AddHashiCorpVaultWithUserPass(
this SecretStoreBuilder builder,
string vaultServerUriWithPort,
string username,
string password,
string secretPath,
Action <HashiCorpVaultUserPassOptions> configureOptions,
string name,
Func <string, string> mutateSecretName)
{
Guard.NotNull(builder, nameof(builder), "Requires a secret store builder to add the HashiCorp Vault secret provider");
Guard.NotNullOrWhitespace(vaultServerUriWithPort, nameof(vaultServerUriWithPort), "Requires a valid HashiCorp Vault URI with HTTP port to connect to the running HashiCorp Vault");
Guard.NotNullOrWhitespace(username, nameof(username), "Requires a username for the UserPass authentication during connecting with the HashiCorp Vault");
Guard.NotNullOrWhitespace(password, nameof(password), "Requires a password for the UserPass authentication during connecting with the HashiCorp Vault");
Guard.NotNullOrWhitespace(secretPath, nameof(secretPath), "Requires a path where the HashiCorp Vault secrets are stored");
Guard.For <ArgumentException>(() => !Uri.IsWellFormedUriString(vaultServerUriWithPort, UriKind.RelativeOrAbsolute), "Requires a HashiCorp Vault server URI with HTTP port");
var options = new HashiCorpVaultUserPassOptions();
configureOptions?.Invoke(options);
IAuthMethodInfo authenticationMethod = new UserPassAuthMethodInfo(options.UserPassMountPoint, username, password);
var settings = new VaultClientSettings(vaultServerUriWithPort, authenticationMethod);
return(AddHashiCorpVault(builder, settings, secretPath, options, configureSecretProviderOptions: secretProviderOptions =>
{
secretProviderOptions.Name = name;
secretProviderOptions.MutateSecretName = mutateSecretName;
}));
}
/// <summary>
/// <para>
/// Adds the secrets of a HashiCorp Vault KeyValue engine to the secret store.
/// </para>
/// <para>
/// See more information on HashiCorp: <a href="https://www.vaultproject.io/docs" />.
/// </para>
/// </summary>
/// <param name="builder">The builder to add the HashiCorp secrets from the KeyValue Vault to.</param>
/// <param name="vaultServerUriWithPort">The URI that points to the running HashiCorp Vault.</param>
/// <param name="roleName">
/// The name of the role in the Kubernetes authentication.
/// Role types have specific entities that can perform login operations against this endpoint.
/// Constraints specific to the role type must be set on the role. These are applied to the authenticated entities attempting to login.
/// </param>
/// <param name="jsonWebToken">The service account JWT used to access the TokenReview API to validate other JWTs during login.</param>
/// <param name="secretPath">The secret path where the secret provider should look for secrets.</param>
/// <param name="configureOptions"></param>
/// <param name="name">The unique name to register this HashiCorp provider in the secret store.</param>
/// <param name="mutateSecretName">The optional function to mutate the secret name before looking it up.</param>
/// <exception cref="ArgumentNullException">Thrown when the <paramref name="builder"/>.</exception>
/// <exception cref="ArgumentException">
/// Thrown when the <paramref name="vaultServerUriWithPort"/> is blank or doesn't represent a valid URI,
/// or the <paramref name="jsonWebToken"/> is blank,
/// or the <paramref name="secretPath"/> is blank.
/// </exception>
public static SecretStoreBuilder AddHashiCorpVaultWithKubernetes(
this SecretStoreBuilder builder,
string vaultServerUriWithPort,
string roleName,
string jsonWebToken,
string secretPath,
Action <HashiCorpVaultKubernetesOptions> configureOptions,
string name,
Func <string, string> mutateSecretName)
{
Guard.NotNull(builder, nameof(builder), "Requires a secret store builder to add the HashiCorp Vault secret provider");
Guard.NotNullOrWhitespace(vaultServerUriWithPort, nameof(vaultServerUriWithPort), "Requires a valid HashiCorp Vault URI with HTTP port to connect to the running HashiCorp Vault");
Guard.NotNullOrWhitespace(jsonWebToken, nameof(jsonWebToken), "Requires a valid Json Web Token (JWT) during the Kubernetes authentication procedure");
Guard.NotNullOrWhitespace(secretPath, nameof(secretPath), "Requires a path where the HashiCorp Vault secrets are stored");
Guard.For <ArgumentException>(() => !Uri.IsWellFormedUriString(vaultServerUriWithPort, UriKind.RelativeOrAbsolute), "Requires a HashiCorp Vault server URI with HTTP port");
var options = new HashiCorpVaultKubernetesOptions();
configureOptions?.Invoke(options);
IAuthMethodInfo authenticationMethod = new KubernetesAuthMethodInfo(options.KubernetesMountPoint, roleName, jsonWebToken);
var settings = new VaultClientSettings(vaultServerUriWithPort, authenticationMethod);
return(AddHashiCorpVault(builder, settings, secretPath, options, configureSecretProviderOptions: secretProviderOptions =>
{
secretProviderOptions.Name = name;
secretProviderOptions.MutateSecretName = mutateSecretName;
}));
}
public static SecretStoreBuilder AddInMemoryProvider(
this SecretStoreBuilder builder,
IDictionary <string, Secret> secrets)
{
var provider = new InMemorySecretProvider(secrets);
return(builder.AddProvider(provider));
}
public static SecretStoreBuilder AddConfiguration(
this SecretStoreBuilder builder,
IConfiguration configuration)
{
var provider = new ConfigurationSecretProvider(configuration);
return(builder.AddProvider(provider));
}
public void AddProviderFunction_WithoutFunctionWithOptions_Throws()
{
// Arrange
var services = new ServiceCollection();
var builder = new SecretStoreBuilder(services);
// Act / Assert
Assert.ThrowsAny <ArgumentException>(() => builder.AddProvider(createSecretProvider: null, configureOptions: options => { }));
}
public void AddProvider_WithoutSecretProvider_Throws()
{
// Arrange
var services = new ServiceCollection();
var builder = new SecretStoreBuilder(services);
// Act / Assert
Assert.ThrowsAny <ArgumentException>(() => builder.AddProvider(secretProvider: null));
}
private static void AddHashiCorpCriticalExceptions(SecretStoreBuilder builder)
{
// Thrown when the HashiCorp Vault's authentication and/or authorization fails.
builder.AddCriticalException <VaultApiException>(exception =>
{
return(exception.HttpStatusCode == HttpStatusCode.BadRequest ||
exception.HttpStatusCode == HttpStatusCode.Forbidden);
});
}
/// <summary>
/// <para>
/// Adds the secrets of a HashiCorp Vault KeyValue engine to the secret store.
/// </para>
/// <para>
/// See more information on HashiCorp: <a href="https://www.vaultproject.io/docs" />.
/// </para>
/// </summary>
/// <typeparam name="TSecretProvider">The custom implementation type that implements the <see cref="HashiCorpSecretProvider"/>.</typeparam>
/// <param name="builder">The builder to add the HashiCorp secrets from the KeyValue Vault to.</param>
/// <param name="implementationFactory">The factory function to create an implementation of the <see cref="HashiCorpSecretProvider"/>.</param>
/// <exception cref="ArgumentNullException">Thrown when the <paramref name="builder"/> or the <paramref name="implementationFactory"/> is <c>null</c>.</exception>
public static SecretStoreBuilder AddHashiCorpVault <TSecretProvider>(
this SecretStoreBuilder builder,
Func <IServiceProvider, TSecretProvider> implementationFactory)
where TSecretProvider : HashiCorpSecretProvider
{
Guard.NotNull(builder, nameof(builder), "Requires a secret store builder to add the HashiCorp Vault secret provider");
Guard.NotNull(implementationFactory, nameof(implementationFactory), "Requires a factory function to create a HashiCorp KeyValue Vault secret provider implementation");
return(AddHashiCorpVault(builder, implementationFactory, name: null, mutateSecretName: null));
}
public void WithAuditing_WithoutFunction_Throws()
{
// Arrange
var services = new ServiceCollection();
var builder = new SecretStoreBuilder(services);
// Act / assert
Assert.ThrowsAny <ArgumentException>(
() => builder.WithAuditing(configureOptions: null));
}
public void AddCriticalException_WithoutExceptionFilter_Throws()
{
// Arrange
var services = new ServiceCollection();
var builder = new SecretStoreBuilder(services);
// Act / Assert
Assert.ThrowsAny <ArgumentException>(
() => builder.AddCriticalException <AuthenticationException>(exceptionFilter: null));
}
public static SecretStoreBuilder AddAzureKeyVaultProviderWithServicePrincipal(
this SecretStoreBuilder builder,
string rawVaultUri,
string clientId,
string clientKey)
{
return(AddAzureKeyVaultProvider(
builder,
new ServicePrincipalAuthentication(clientId, clientKey),
new KeyVaultConfiguration(rawVaultUri)));
}
public static SecretStoreBuilder AddAzureKeyVaultProviderWithManagedServiceIdentity(
this SecretStoreBuilder builder,
string rawVaultUri,
string connectionString = null,
string azureADInstance = null)
{
return(AddAzureKeyVaultProvider(
builder,
new ManagedServiceIdentityAuthentication(connectionString, azureADInstance),
new KeyVaultConfiguration(rawVaultUri)));
}
public static SecretStoreBuilder AddAzureKeyVaultProviderWithCertificate(
this SecretStoreBuilder builder,
string rawVaultUri,
string clientId,
X509Certificate2 certificate)
{
return(AddAzureKeyVaultProvider(
builder,
new CertificateBasedAuthentication(clientId, certificate),
new KeyVaultConfiguration(rawVaultUri)));
}
/// <summary>
/// Configure an <see cref="ISecretProvider"/> in the application with a given set of stores configured in the given <paramref name="configureSecretStores"/>.
/// </summary>
/// <param name="services">The services to append the secret store configuration to.</param>
/// <param name="configureSecretStores">The customization of the different target secret store sources to include in the final <see cref="ISecretProvider"/>.</param>
/// <exception cref="ArgumentNullException">Thrown when the <paramref name="services"/> or <paramref name="configureSecretStores"/> is <c>null</c>.</exception>
public static IServiceCollection AddSecretStore(this IServiceCollection services, Action <SecretStoreBuilder> configureSecretStores)
{
Guard.NotNull(services, nameof(services), "Requires a set of services to add the secret store");
Guard.NotNull(configureSecretStores, nameof(configureSecretStores), "Requires a function to register the secret providers in the secret store");
var builder = new SecretStoreBuilder(services);
configureSecretStores(builder);
builder.RegisterSecretStore();
return(services);
}
/// <summary>
/// Configure an <see cref="ISecretProvider"/> in the application with a given set of stores configured in the given <paramref name="configureSecretStores"/>.
/// </summary>
/// <param name="functionsHostBuilder">The builder to append the secret store configuration to.</param>
/// <param name="configureSecretStores">The customization of the different target secret store sources to include in the final <see cref="ISecretProvider"/>.</param>
public static IFunctionsHostBuilder ConfigureSecretStore(this IFunctionsHostBuilder functionsHostBuilder, Action <SecretStoreBuilder> configureSecretStores)
{
Guard.NotNull(functionsHostBuilder, nameof(functionsHostBuilder));
Guard.NotNull(configureSecretStores, nameof(configureSecretStores));
var builder = new SecretStoreBuilder(functionsHostBuilder.Services);
configureSecretStores(builder);
builder.RegisterSecretStore();
return(functionsHostBuilder);
}
/// <summary>
/// <para>
/// Adds the secrets of a HashiCorp Vault KeyValue engine to the secret store.
/// </para>
/// <para>
/// See more information on HashiCorp: <a href="https://www.vaultproject.io/docs" />.
/// </para>
/// </summary>
/// <param name="builder">The builder to add the HashiCorp secrets from the KeyValue Vault to.</param>
/// <param name="vaultServerUriWithPort">The URI that points to the running HashiCorp Vault.</param>
/// <param name="roleName">
/// The name of the role in the Kubernetes authentication.
/// Role types have specific entities that can perform login operations against this endpoint.
/// Constraints specific to the role type must be set on the role. These are applied to the authenticated entities attempting to login.
/// </param>
/// <param name="jsonWebToken">The service account JWT used to access the TokenReview API to validate other JWTs during login.</param>
/// <param name="secretPath">The secret path where the secret provider should look for secrets.</param>
/// <exception cref="ArgumentNullException">Thrown when the <paramref name="builder"/>.</exception>
/// <exception cref="ArgumentException">
/// Thrown when the <paramref name="vaultServerUriWithPort"/> is blank or doesn't represent a valid URI,
/// or the <paramref name="jsonWebToken"/> is blank,
/// or the <paramref name="secretPath"/> is blank.
/// </exception>
public static SecretStoreBuilder AddHashiCorpVaultWithKubernetes(
this SecretStoreBuilder builder,
string vaultServerUriWithPort,
string roleName,
string jsonWebToken,
string secretPath)
{
Guard.NotNull(builder, nameof(builder), "Requires a secret store builder to add the HashiCorp Vault secret provider");
Guard.NotNullOrWhitespace(vaultServerUriWithPort, nameof(vaultServerUriWithPort), "Requires a valid HashiCorp Vault URI with HTTP port to connect to the running HashiCorp Vault");
Guard.NotNullOrWhitespace(jsonWebToken, nameof(jsonWebToken), "Requires a valid Json Web Token (JWT) during the Kubernetes authentication procedure");
Guard.NotNullOrWhitespace(secretPath, nameof(secretPath), "Requires a path where the HashiCorp Vault secrets are stored");
Guard.For <ArgumentException>(() => !Uri.IsWellFormedUriString(vaultServerUriWithPort, UriKind.RelativeOrAbsolute), "Requires a HashiCorp Vault server URI with HTTP port");
return(AddHashiCorpVaultWithKubernetes(builder, vaultServerUriWithPort, roleName, jsonWebToken, secretPath, configureOptions: null, name: null, mutateSecretName: null));
}
/// <summary>
/// <para>
/// Adds the secrets of a HashiCorp Vault KeyValue engine to the secret store.
/// </para>
/// <para>
/// See more information on HashiCorp: <a href="https://www.vaultproject.io/docs" />.
/// </para>
/// </summary>
/// <param name="builder">The builder to add the HashiCorp secrets from the KeyValue Vault to.</param>
/// <param name="vaultServerUriWithPort">The URI that points to the running HashiCorp Vault.</param>
/// <param name="username">The username of the UserPass authentication method.</param>
/// <param name="password">The password of the UserPass authentication method.</param>
/// <param name="secretPath">The secret path where the secret provider should look for secrets.</param>
/// <exception cref="ArgumentNullException">Thrown when the <paramref name="builder"/> or <paramref name="secretPath"/> is <c>null</c>.</exception>
/// <exception cref="ArgumentException">
/// Thrown when the <paramref name="vaultServerUriWithPort"/> is blank or doesn't represent a valid URI,
/// or the <paramref name="username"/> or <paramref name="password"/> is blank,
/// or the <paramref name="secretPath"/> is blank.
/// </exception>
public static SecretStoreBuilder AddHashiCorpVaultWithUserPass(
this SecretStoreBuilder builder,
string vaultServerUriWithPort,
string username,
string password,
string secretPath)
{
Guard.NotNull(builder, nameof(builder), "Requires a secret store builder to add the HashiCorp Vault secret provider");
Guard.NotNullOrWhitespace(vaultServerUriWithPort, nameof(vaultServerUriWithPort), "Requires a valid HashiCorp Vault URI with HTTP port to connect to the running HashiCorp Vault");
Guard.NotNullOrWhitespace(username, nameof(username), "Requires a username for the UserPass authentication during connecting with the HashiCorp Vault");
Guard.NotNullOrWhitespace(password, nameof(password), "Requires a password for the UserPass authentication during connecting with the HashiCorp Vault");
Guard.NotNullOrWhitespace(secretPath, nameof(secretPath), "Requires a path where the HashiCorp Vault secrets are stored");
Guard.For <ArgumentException>(() => !Uri.IsWellFormedUriString(vaultServerUriWithPort, UriKind.RelativeOrAbsolute), "Requires a HashiCorp Vault server URI with HTTP port");
return(AddHashiCorpVaultWithUserPass(builder, vaultServerUriWithPort, username, password, secretPath, configureOptions: null));
}
private static SecretStoreBuilder AddHashiCorpVault(
SecretStoreBuilder builder,
VaultClientSettings settings,
string secretPath,
HashiCorpVaultOptions options,
Action <SecretProviderOptions> configureSecretProviderOptions)
{
AddHashiCorpCriticalExceptions(builder);
return(builder.AddProvider(serviceProvider =>
{
var logger = serviceProvider.GetService <ILogger <HashiCorpSecretProvider> >();
var provider = new HashiCorpSecretProvider(settings, secretPath, options, logger);
return provider;
}, configureSecretProviderOptions));
}
/// <summary>
/// <para>
/// Adds the secrets of a HashiCorp Vault KeyValue engine to the secret store.
/// </para>
/// <para>
/// See more information on HashiCorp: <a href="https://www.vaultproject.io/docs" />.
/// </para>
/// </summary>
/// <typeparam name="TSecretProvider">The custom implementation type that implements the <see cref="HashiCorpSecretProvider"/>.</typeparam>
/// <param name="builder">The builder to add the HashiCorp secrets from the KeyValue Vault to.</param>
/// <param name="implementationFactory">The factory function to create an implementation of the <see cref="HashiCorpSecretProvider"/>.</param>
/// <param name="name">The unique name to register this HashiCorp provider in the secret store.</param>
/// <param name="mutateSecretName">The optional function to mutate the secret name before looking it up.</param>
/// <exception cref="ArgumentNullException">Thrown when the <paramref name="builder"/> or the <paramref name="implementationFactory"/> is <c>null</c>.</exception>
public static SecretStoreBuilder AddHashiCorpVault <TSecretProvider>(
this SecretStoreBuilder builder,
Func <IServiceProvider, TSecretProvider> implementationFactory,
string name,
Func <string, string> mutateSecretName)
where TSecretProvider : HashiCorpSecretProvider
{
Guard.NotNull(builder, nameof(builder), "Requires a secret store builder to add the HashiCorp Vault secret provider");
Guard.NotNull(implementationFactory, nameof(implementationFactory), "Requires a factory function to create a HashiCorp KeyValue Vault secret provider implementation");
AddHashiCorpCriticalExceptions(builder);
return(builder.AddProvider(implementationFactory, options =>
{
options.Name = name;
options.MutateSecretName = mutateSecretName;
}));
}
private static SecretStoreBuilder AddHashiCorpVault(
SecretStoreBuilder builder,
VaultClientSettings settings,
string secretPath,
HashiCorpVaultOptions options,
Func <string, string> mutateSecretName)
{
// Thrown when the HashiCorp Vault's authentication and/or authorization fails.
builder.AddCriticalException <VaultApiException>(exception =>
{
return(exception.HttpStatusCode == HttpStatusCode.BadRequest ||
exception.HttpStatusCode == HttpStatusCode.Forbidden);
});
return(builder.AddProvider(serviceProvider =>
{
var logger = serviceProvider.GetService <ILogger <HashiCorpSecretProvider> >();
var provider = new HashiCorpSecretProvider(settings, secretPath, options, logger);
return provider;
}, mutateSecretName));
}
public static SecretStoreBuilder AddEnvironmentVariableProvider(this SecretStoreBuilder builder)
{
return(builder.AddProvider(new EnvironmentVariableSecretProvider()));
}
