Beispiel #1
0
 protected static async Task ExecuteHashicorpVaultOperation(Func <Task> func, string operation)
 {
     try
     {
         await func();
     }
     catch (VaultApiException vEx) when(vEx.HttpStatusCode == System.Net.HttpStatusCode.Forbidden)
     {
         throw new SecureStoreException(
                   SecureStoreException.Type.UnauthorizedOperation,
                   HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SecureStoreOperationNotAuthorizeded), operation),
                   vEx);
     }
     catch (VaultApiException vEx) when(vEx.HttpStatusCode == System.Net.HttpStatusCode.NotFound)
     {
         throw new SecureStoreException(
                   SecureStoreException.Type.SecretNotFound,
                   HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SecureStoreSecretNotFound)),
                   vEx);
     }
     catch (Exception ex)
     {
         throw new SecureStoreException($"Operation {operation} failed.", ex);
     }
 }
Beispiel #2
0
        public virtual async Task ValidateContextAsync(string context)
        {
            var ctx = ConvertJsonToContext(context);

            if (ctx.SecretsEngine == SecretsEngine.ActiveDirectory)
            {
                // ActiveDirectory is valid only for the read-only secure store
                throw new SecureStoreException(
                          SecureStoreException.Type.InvalidConfiguration,
                          HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.HashicorpVaultSettingInvalidOrMissing), nameof(ctx.SecretsEngine)));
            }

            var keyVaultClient = _clientFactory.CreateClient(ctx);

            var secretName  = "UIPATH-TEST-SECRET-HASHICORP-VAULT";
            var secretValue = Guid.NewGuid().ToString();

            var storageKey = await ExecuteHashicorpVaultOperation(
                async() =>
            {
                return(await keyVaultClient.SetSecretAsync(secretName, secretValue));
            },
                "set");

            _ = await ExecuteHashicorpVaultOperation(
                async() =>
            {
                return(await keyVaultClient.GetSecretAsync(storageKey));
            },
                "get");

            try
            {
                // We use destroy because we don't want to leave behind key metadata with nothing inside for each edit of the store.
                // If destroy fails (maybe due to policies), we just delete the secret version we created.
                // This is ok to do since we don't need to destroy secrets during normal operation, just for testing.
                await ExecuteHashicorpVaultOperation(
                    async() =>
                {
                    await keyVaultClient.DeleteSecretAsync(secretName, destroy: true);
                },
                    "destroy");
            }
            catch
            {
                await ExecuteHashicorpVaultOperation(
                    async() =>
                {
                    await keyVaultClient.DeleteSecretAsync(secretName, destroy: false);
                },
                    "delete");
            }
        }
Beispiel #3
0
        public static SecureKeyMetadata GetExistingMetadata(this string passwordKey)
        {
            SecureKeyMetadata result = JsonConvert.DeserializeObject <SecureKeyMetadata>(passwordKey);

            if (string.IsNullOrEmpty(result.VaultSecretName))
            {
                throw new SecureStoreException(
                          SecureStoreException.Type.Unknown,
                          HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.InvalidSecureStoreSecretName)));
            }

            return(result);
        }
Beispiel #4
0
 public virtual IEnumerable <ConfigurationEntry> GetConfiguration()
 {
     return(new List <ConfigurationEntry>
     {
         new ConfigurationValue(ConfigurationValueType.String)
         {
             Key = "VaultUri",
             DisplayName = HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SettingVaultUri)),
             IsMandatory = true,
         },
         new ConfigurationValue(ConfigurationValueType.Choice)
         {
             Key = "AuthenticationType",
             DisplayName = HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SettingAuthenticationType)),
             IsMandatory = true,
             PossibleValues = Enum.GetNames(typeof(AuthenticationType)),
         },
         new ConfigurationValue(ConfigurationValueType.Secret)
         {
             Key = "RoleId",
             DisplayName = HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SettingRoleId)),
             IsMandatory = false,
         },
         new ConfigurationValue(ConfigurationValueType.Secret)
         {
             Key = "SecretId",
             DisplayName = HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SettingSecretId)),
             IsMandatory = false,
         },
         new ConfigurationValue(ConfigurationValueType.String)
         {
             Key = "Username",
             DisplayName = HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SettingUsername)),
             IsMandatory = false,
         },
         new ConfigurationValue(ConfigurationValueType.Secret)
         {
             Key = "Password",
             DisplayName = HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SettingPassword)),
             IsMandatory = false,
         },
         new ConfigurationValue(ConfigurationValueType.Secret)
         {
             Key = "Token",
             DisplayName = HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SettingToken)),
             IsMandatory = false,
         },
         new ConfigurationValue(ConfigurationValueType.Choice)
         {
             Key = "SecretsEngine",
             DisplayName = HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SettingSecretsEngine)),
             IsMandatory = true,
             PossibleValues = Enum.GetNames(typeof(SecretsEngine))
                              .Except(new [] { SecretsEngine.ActiveDirectory.ToString() })
                              .ToArray(),
         },
         new ConfigurationValue(ConfigurationValueType.String)
         {
             Key = "SecretsEnginePath",
             DisplayName = HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SettingSecretsEnginePath)),
             IsMandatory = false,
         },
         new ConfigurationValue(ConfigurationValueType.String)
         {
             Key = "DataPath",
             DisplayName = HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SettingDataPath)),
             IsMandatory = false,
         },
         new ConfigurationValue(ConfigurationValueType.String)
         {
             Key = "Namespace",
             DisplayName = HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SettingNamespace)),
             IsMandatory = false,
         },
     });
 }
        public HashicorpVaultContext Build()
        {
            if (_context == null)
            {
                throw new Exception("Invalid usage");
            }

            if (_context.VaultUri == null || !_context.VaultUri.IsAbsoluteUri)
            {
                throw new SecureStoreException(
                          SecureStoreException.Type.InvalidConfiguration,
                          HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.HashicorpVaultSettingInvalidOrMissing), nameof(_context.VaultUri)));
            }

            switch (_context.AuthenticationType)
            {
            case AuthenticationType.None:
                throw new SecureStoreException(
                          SecureStoreException.Type.InvalidConfiguration,
                          HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.HashicorpVaultSettingInvalidOrMissing), nameof(_context.AuthenticationType)));

            case AuthenticationType.AppRole:
                if (string.IsNullOrEmpty(_context.RoleId))
                {
                    throw new SecureStoreException(
                              SecureStoreException.Type.InvalidConfiguration,
                              HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.HashicorpVaultSettingInvalidOrMissing), nameof(_context.RoleId)));
                }

                if (string.IsNullOrEmpty(_context.SecretId))
                {
                    throw new SecureStoreException(
                              SecureStoreException.Type.InvalidConfiguration,
                              HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.HashicorpVaultSettingInvalidOrMissing), nameof(_context.SecretId)));
                }

                break;

            case AuthenticationType.UsernamePassword:
            case AuthenticationType.Ldap:
                if (string.IsNullOrEmpty(_context.Username))
                {
                    throw new SecureStoreException(
                              SecureStoreException.Type.InvalidConfiguration,
                              HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.HashicorpVaultSettingInvalidOrMissing), nameof(_context.Username)));
                }

                if (string.IsNullOrEmpty(_context.Password))
                {
                    throw new SecureStoreException(
                              SecureStoreException.Type.InvalidConfiguration,
                              HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.HashicorpVaultSettingInvalidOrMissing), nameof(_context.Password)));
                }

                break;

            case AuthenticationType.Token:

                if (string.IsNullOrEmpty(_context.Token))
                {
                    throw new SecureStoreException(
                              SecureStoreException.Type.InvalidConfiguration,
                              HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.HashicorpVaultSettingInvalidOrMissing), nameof(_context.Token)));
                }

                break;

            default:
                throw new SecureStoreException(
                          SecureStoreException.Type.InvalidConfiguration,
                          HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.HashicorpVaultSettingInvalidOrMissing), nameof(_context.AuthenticationType)));
            }

            if (_context.SecretsEngine == SecretsEngine.None)
            {
                throw new SecureStoreException(
                          SecureStoreException.Type.InvalidConfiguration,
                          HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.HashicorpVaultSettingInvalidOrMissing), nameof(_context.SecretsEngine)));
            }

            if (!string.IsNullOrWhiteSpace(_context.DataPath))
            {
                _context.DataPath = _context.DataPath.Trim('/');
            }

            if (string.IsNullOrWhiteSpace(_context.SecretsEnginePath))
            {
                // Empty or whitespaces are treated as null
                _context.SecretsEnginePath = null;
            }

            return(_context);
        }