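/// <summary>
 /// Copies every setting from <paramref name="input"/> into this instance.
 /// </summary>
 /// <remarks>
 /// <see cref="Microsoft.Extensions.Options.IOptions{TOptions}"/> requires a parameterless constructor, so programmatic
 /// configuration is applied by copying a caller-built object into the options instance rather than by construction.
 /// The <see cref="EncryptionContext"/> and <see cref="GrantTokens"/> collections are copied, not shared: later mutation of
 /// <paramref name="input"/> cannot silently change the context or grant tokens this instance sends to KMS.
 /// A <c>null</c> collection on <paramref name="input"/> is treated as empty.
 /// </remarks>
 /// <param name="input">Input from which to copy configuration.</param>
 /// <exception cref="ArgumentNullException"><paramref name="input"/> is <c>null</c>.</exception>
 public void CopyFrom(IKmsXmlEncryptorConfig input)
 {
     if (input == null)
     {
         throw new ArgumentNullException(nameof(input));
     }

     KeyId                    = input.KeyId;
     // Defensive copies; the encryption context is authenticated data on every KMS call, so it must
     // not be aliased to a dictionary the caller can keep editing.
     EncryptionContext        = input.EncryptionContext?.ToDictionary(x => x.Key, x => x.Value)
                                ?? new Dictionary<string, string>();
     GrantTokens              = input.GrantTokens?.ToList() ?? new List<string>();
     DiscriminatorAsContext   = input.DiscriminatorAsContext;
     HashDiscriminatorContext = input.HashDiscriminatorContext;
 }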
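        /// <summary>
        /// Builds the KMS encryption context for a key-ring operation from <paramref name="config"/>, optionally
        /// binding in the Data Protection application discriminator.
        /// </summary>
        /// <remarks>
        /// <para>
        /// KMS treats the encryption context as additional authenticated data: the same key/value pairs must be
        /// supplied on decrypt, so the values produced here (including the exact hash encoding below) must stay
        /// stable across versions or previously protected keys become undecryptable.
        /// </para>
        /// <para>
        /// The context is authenticated but not secret; it may be recorded in plaintext wherever KMS logs requests.
        /// That is why <see cref="IKmsXmlEncryptorConfig.HashDiscriminatorContext"/> exists: the default
        /// discriminators can embed a file-system path. The hash is an unsalted SHA-256, so it hides the path from
        /// casual readers, but a guessable discriminator can still be confirmed by brute force.
        /// </para>
        /// </remarks>
        /// <param name="config">Configuration supplying the base context and the discriminator options.</param>
        /// <param name="dpOptions">Data Protection options supplying <see cref="DataProtectionOptions.ApplicationDiscriminator"/>.</param>
        /// <returns>A new dictionary owned by the caller; never the configuration's own instance. A <c>null</c> base context yields an empty dictionary.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="config"/> or <paramref name="dpOptions"/> is <c>null</c>.</exception>
        public static Dictionary <string, string> GetEncryptionContext(IKmsXmlEncryptorConfig config, DataProtectionOptions dpOptions)
        {
            if (config == null)
            {
                throw new ArgumentNullException(nameof(config));
            }

            if (dpOptions == null)
            {
                throw new ArgumentNullException(nameof(dpOptions));
            }

            // Always work on a private copy so neither this method nor the caller can mutate the dictionary
            // held by the configuration object (the original only copied when adding the discriminator).
            var encryptionContext = config.EncryptionContext?.ToDictionary(x => x.Key, x => x.Value)
                                    ?? new Dictionary<string, string>();

            // Bind the application discriminator into the context, given the intent of the discriminator
            // (separating one application's protected keys from another's).
            if (config.DiscriminatorAsContext && !string.IsNullOrEmpty(dpOptions.ApplicationDiscriminator))
            {
                var contextValue = dpOptions.ApplicationDiscriminator;

                // Some application discriminators (like the defaults) leak sensitive file paths, so hash them.
                // Base64 of the raw SHA-256 digest over the UTF-8 bytes is part of the decrypt contract: do not change it.
                if (config.HashDiscriminatorContext)
                {
                    using (var hasher = SHA256.Create())
                    {
                        contextValue = Convert.ToBase64String(hasher.ComputeHash(Encoding.UTF8.GetBytes(contextValue)));
                    }
                }

                // Note: a caller-supplied entry under the same key is overwritten here.
                encryptionContext[KmsConstants.ApplicationEncryptionContextKey] = contextValue;
            }

            return encryptionContext;
        }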
 /// <summary>
 /// Initialises a <see cref="KmsXmlEncryptor"/> that protects ASP.NET Data Protection keys with a KMS master key.
 /// </summary>
 /// <param name="kmsClient">Client used to call KMS; its credentials are what KMS authorises, so scope them to the configured key. Must not be <c>null</c>.</param>
 /// <param name="config">Configuration naming the KMS key and context to use; must not be <c>null</c>.</param>
 /// <param name="services">Optional provider used only to obtain an <see cref="ILoggerFactory"/>; may be <c>null</c>, in which case no logger is created.</param>
 /// <exception cref="ArgumentNullException"><paramref name="kmsClient"/> or <paramref name="config"/> is <c>null</c>.</exception>
 public KmsXmlEncryptor(IAmazonKeyManagementService kmsClient, IKmsXmlEncryptorConfig config, IServiceProvider services)
 {
     if (kmsClient == null)
     {
         throw new ArgumentNullException(nameof(kmsClient));
     }

     if (config == null)
     {
         throw new ArgumentNullException(nameof(config));
     }

     this.kmsClient = kmsClient;
     Config         = config;

     // Logging is best-effort: no provider, or a provider without logging registered, leaves logger null.
     var loggerFactory = services?.GetService <ILoggerFactory>();
     logger = loggerFactory?.CreateLogger <KmsXmlEncryptor>();
 }
 /// <summary>
 /// Initialises a <see cref="KmsXmlEncryptor"/> without a service provider. Equivalent to the three-argument
 /// constructor with <c>services</c> set to <c>null</c>, so no logger is attached.
 /// </summary>
 /// <param name="kmsClient">Client used to call KMS; must not be <c>null</c>.</param>
 /// <param name="config">Configuration naming the KMS key and context to use; must not be <c>null</c>.</param>
 /// <exception cref="ArgumentNullException"><paramref name="kmsClient"/> or <paramref name="config"/> is <c>null</c>.</exception>
 public KmsXmlEncryptor(IAmazonKeyManagementService kmsClient, IKmsXmlEncryptorConfig config)
     : this(kmsClient, config, services: null)
 {
 }
        /// <summary>
        /// Configures the data protection system to encrypt its key ring with AWS Key Management Service master
        /// keys, without an explicit KMS client: <c>null</c> is forwarded to the implementation, which must then
        /// obtain a client on its own (not visible here).
        /// </summary>
        /// <param name="builder">The <see cref="IDataProtectionBuilder"/>; must not be <c>null</c>.</param>
        /// <param name="config">The configuration object specifying how to use KMS keys; must not be <c>null</c>.</param>
        /// <returns>The same <see cref="IDataProtectionBuilder"/>, for chaining.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="builder"/> or <paramref name="config"/> is <c>null</c>.</exception>
        public static IDataProtectionBuilder ProtectKeysWithAwsKms(this IDataProtectionBuilder builder, IKmsXmlEncryptorConfig config)
        {
            if (builder is null)
            {
                throw new ArgumentNullException(nameof(builder));
            }

            if (config is null)
            {
                throw new ArgumentNullException(nameof(config));
            }

            return builder.ProtectKeysWithAwsKmsRaw(kmsClient: null, config: config);
        }
        /// <summary>
        /// Configures the data protection system to encrypt its key ring with AWS Key Management Service master
        /// keys, using the supplied KMS client for every call.
        /// </summary>
        /// <param name="builder">The <see cref="IDataProtectionBuilder"/>; must not be <c>null</c>.</param>
        /// <param name="kmsClient">KMS client configured with appropriate credentials. Those credentials are the principal KMS authorises, so restrict them to the configured key.</param>
        /// <param name="config">The configuration object specifying how to use KMS keys; must not be <c>null</c>.</param>
        /// <returns>The same <see cref="IDataProtectionBuilder"/>, for chaining.</returns>
        /// <exception cref="ArgumentNullException">Any argument is <c>null</c>.</exception>
        public static IDataProtectionBuilder ProtectKeysWithAwsKms(this IDataProtectionBuilder builder, IAmazonKeyManagementService kmsClient, IKmsXmlEncryptorConfig config)
        {
            if (builder is null)
            {
                throw new ArgumentNullException(nameof(builder));
            }

            if (kmsClient is null)
            {
                throw new ArgumentNullException(nameof(kmsClient));
            }

            if (config is null)
            {
                throw new ArgumentNullException(nameof(config));
            }

            return builder.ProtectKeysWithAwsKmsRaw(kmsClient: kmsClient, config: config);
        }
 /// <summary>
 /// Stores the caller-built configuration that this configurator applies to the options instance
 /// (the <c>Configure</c> method that does the copy is not shown here).
 /// </summary>
 /// <param name="input">Configuration to apply; must not be <c>null</c>.</param>
 /// <exception cref="ArgumentNullException"><paramref name="input"/> is <c>null</c>.</exception>
 public DirectConfigure(IKmsXmlEncryptorConfig input)
 {
     if (input == null)
     {
         throw new ArgumentNullException(nameof(input));
     }

     this.input = input;
 }
 /// <summary>
 /// Shared tail of the public <c>ProtectKeysWithAwsKms</c> overloads: registers <paramref name="config"/> as the
 /// source of <see cref="KmsXmlEncryptorConfig"/> options and hands off to the implementation.
 /// </summary>
 /// <param name="builder">Builder whose service collection receives the registration; assumed non-null (the public overloads check).</param>
 /// <param name="kmsClient">Explicit KMS client, or <c>null</c> to let the implementation obtain one.</param>
 /// <param name="config">Configuration to expose through the options system.</param>
 /// <returns>Whatever the implementation returns; the public overloads document it as the same builder.</returns>
 private static IDataProtectionBuilder ProtectKeysWithAwsKmsRaw(this IDataProtectionBuilder builder, IAmazonKeyManagementService kmsClient, IKmsXmlEncryptorConfig config)
 {
     // DirectConfigure is expected to copy `config` into the bound options instance (its Configure method is not shown here).
     IConfigureOptions <KmsXmlEncryptorConfig> configurator = new DirectConfigure(config);
     builder.Services.AddSingleton <IConfigureOptions <KmsXmlEncryptorConfig> >(configurator);

     return builder.ProtectKeysWithAwsKmsImpl(
         kmsClient,
         sp => sp.GetRequiredService <IOptions <KmsXmlEncryptorConfig> >());
 }