/// <inheritdoc />
public void Save(ProtectedSecret secret)
{
var t = SaveAsync(secret);
t.ConfigureAwait(false);
t.GetAwaiter().GetResult();
}
public async Task WhenWeSaveThenRetrieveSecret()
{
await Repository.CreateProtectedSecretTableAsync(TableName);
Repository.Save(savedSecret);
returnedSecret = Repository.Get(savedSecret.ApplicationName, savedSecret.Name);
}
private async Task <ProtectedSecret> TryReKeySecretsAsync(ProtectedSecret secret, string name, object context)
{
try
{
string rawEmail = this.secretProvider.UnprotectSecret(secret);
return(this.secretProvider.ProtectSecret(rawEmail));
}
catch (Exception ex)
{
this.logger.LogError(EventIDs.UIGenericError, ex, $"Unable to re-encrypt {name}");
LoginDialogData data = await this.dialogCoordinator.ShowLoginAsync(context, "Error", $"The {name} could not be automatically re-encrypted. Please re-enter the {name}",
new LoginDialogSettings
{
ShouldHideUsername = true,
RememberCheckBoxVisibility = System.Windows.Visibility.Hidden,
AffirmativeButtonText = "OK",
NegativeButtonVisibility = System.Windows.Visibility.Visible,
NegativeButtonText = "Cancel"
});
if (data != null)
{
return(this.secretProvider.ProtectSecret(data.Password));
}
}
return(null);
}
private string UnprotectSecretv1(ProtectedSecret data)
{
byte[] salt = Convert.FromBase64String(data.Salt);
byte[] protectedData = Convert.FromBase64String(data.Data);
byte[] unprotectedData = ProtectedData.Unprotect(protectedData, salt, DataProtectionScope.LocalMachine);
return(Encoding.UTF8.GetString(unprotectedData));
}
public async Task TableCreatedAndSecretAdded()
{
await Repository.CreateProtectedSecretTableAsync(TableName);
_savedSecret = ProtectedSecretBuilder.Create().AnInstance();
await Repository.SaveAsync(_savedSecret);
_retrievedSecret = await Repository.GetAsync(_savedSecret.ApplicationName, _savedSecret.Name);
}
public void WhenWeSaveThenRetrieveSecret()
{
Repository.Save(savedSecret);
returnedSecret = Repository.Get(savedSecret.ApplicationName, savedSecret.Name);
savedSecret.MasterKeyId = editedMasterKeyId;
Repository.Save(savedSecret);
returnedEditedSecret = Repository.Get(savedSecret.ApplicationName, savedSecret.Name);
}
public void Save(ProtectedSecret secret)
{
if (secret == null)
{
throw new ArgumentNullException(nameof(secret));
}
_secrets.Save(secret);
_cache.Remove(secret.ApplicationName, secret.Name);
}
public ProtectedSecret ProtectSecret(string secret, X509Certificate2 cert)
{
ProtectedSecret protectedData = new ProtectedSecret
{
Mode = 2,
Data = encryptionProvider.Encrypt(cert, secret)
};
return(protectedData);
}
public void Save(ProtectedSecret secret)
{
if (secret == null)
{
throw new ArgumentNullException(nameof(secret));
}
_secrets.Save(secret);
_cache.Add(secret);
}
public async Task SaveAsync(ProtectedSecret secret)
{
if (secret == null)
{
throw new ArgumentNullException(nameof(secret));
}
await _secrets.SaveAsync(secret);
await _cache.AddAsync(secret);
}
public async Task SaveAsync(ProtectedSecret secret)
{
if (secret == null)
{
throw new ArgumentNullException(nameof(secret));
}
await _secrets.SaveAsync(secret);
await _cache.RemoveAsync(secret.ApplicationName, secret.Name);
}
public async Task WhenWeSaveThenRetrieveSecret()
{
await Repository.SaveAsync(savedSecret);
returnedSecret = await Repository.GetAsync(savedSecret.ApplicationName, savedSecret.Name);
savedSecret.MasterKeyId = editedMasterKeyId;
await Repository.SaveAsync(savedSecret);
returnedEditedSecret = await Repository.GetAsync(savedSecret.ApplicationName, savedSecret.Name);
}
private string UnprotectSecretv3(ProtectedSecret data)
{
byte[] rawProtectedData = Convert.FromBase64String(data.Data);
using SafeHGlobalHandle f = new SafeHGlobalHandle(rawProtectedData);
var result = NCrypt.NCryptUnprotectSecret(out _, NCrypt.UnprotectSecretFlags.NCRYPT_SILENT_FLAG, f.DangerousGetHandle(), f.Size, IntPtr.Zero, IntPtr.Zero, out IntPtr unprotectedData, out uint unprotectedDataSize);
result.ThrowIfFailed();
using SafeHGlobalHandle d = new SafeHGlobalHandle(unprotectedData, unprotectedDataSize, true);
return(Encoding.Unicode.GetString(d.GetBytes(0, (int)unprotectedDataSize)));
}
private ProtectedSecretBuilder()
{
_instance = new ProtectedSecret
{
ApplicationName = Defaults.ApplicationName,
Name = Defaults.Name,
MasterKeyId = Defaults.MasterKeyId,
InitialisationVector = Defaults.InitialisationVector,
ProtectedDocumentKey = Defaults.ProtectedDocumentKey,
ProtectedSecretValue = Defaults.ProtectedSecretValue
};
}
public void WeHaveSecretsToSave()
{
firstSecret = ProtectedSecretBuilder.Create().AnInstance();
secondSecret = ProtectedSecretBuilder
.Create()
.WithName("SecondSecret")
.AnInstance();
notReturnedSecret = ProtectedSecretBuilder
.Create()
.WithApplicationName("DifferentApp")
.WithName("NotReturned")
.AnInstance();
}
private ProtectedSecret ProtectSecretv1(string secret)
{
byte[] salt = new byte[128];
this.rng.GetBytes(salt);
ProtectedSecret protectedData = new ProtectedSecret
{
Mode = 1,
Salt = Convert.ToBase64String(salt),
Data = Convert.ToBase64String(ProtectedData.Protect(Encoding.UTF8.GetBytes(secret), salt, DataProtectionScope.LocalMachine))
};
return(protectedData);
}
/// <inheritdoc />
public async Task SaveAsync(ProtectedSecret secret)
{
if (_disposed)
{
throw new ObjectDisposedException("AwsDynamoProtectedSecretRepository");
}
var doc = new Document
{
[Fields.ApplicationName] = secret.ApplicationName,
[Fields.SecretName] = secret.Name,
[Fields.MasterKeyId] = secret.MasterKeyId,
[Fields.ProtectedDocumentKey] = secret.ProtectedDocumentKey,
[Fields.ProtectedSecretValue] = secret.ProtectedSecretValue,
[Fields.InitialisationVector] = secret.InitialisationVector
};
await _table.Value.PutItemAsync(doc).ConfigureAwait(false);
}
public async Task <bool> TryReKeySecretsAsync(object context)
{
ProtectedSecret oldEmailOptionsPassword = this.emailOptions.Password;
ProtectedSecret oldOidcSecret = this.authnOptions.Oidc?.Secret;
if (this.emailOptions.Password != null)
{
ProtectedSecret response = await this.TryReKeySecretsAsync(this.emailOptions.Password, "SMTP password", context);
if (response == null)
{
this.emailOptions.Password = oldEmailOptionsPassword;
return(false);
}
this.emailOptions.Password = response;
}
if (this.authnOptions.Oidc?.Secret != null)
{
ProtectedSecret response = await this.TryReKeySecretsAsync(this.authnOptions.Oidc.Secret, "OpenID Connect secret", context);
if (response == null)
{
this.emailOptions.Password = oldEmailOptionsPassword;
this.authnOptions.Oidc.Secret = oldOidcSecret;
return(false);
}
this.authnOptions.Oidc.Secret = response;
}
return(true);
}
public string GetSecurityDescriptorFromSecret(ProtectedSecret data)
{
if (data.Mode != 3)
{
throw new ArgumentException("The protected data was of the incorrect format");
}
byte[] rawProtectedData = Convert.FromBase64String(data.Data);
using SafeHGlobalHandle f = new SafeHGlobalHandle(rawProtectedData);
var result = NCrypt.NCryptUnprotectSecret(out NCrypt.SafeNCRYPT_DESCRIPTOR_HANDLE dh, NCrypt.UnprotectSecretFlags.NCRYPT_SILENT_FLAG | NCrypt.UnprotectSecretFlags.NCRYPT_UNPROTECT_NO_DECRYPT, f.DangerousGetHandle(), f.Size, IntPtr.Zero, IntPtr.Zero, out IntPtr unprotectedData, out uint unprotectedDataSize);
result.ThrowIfFailed();
IntPtr ruleStringHandle = IntPtr.Zero;
try
{
result = NCrypt.NCryptGetProtectionDescriptorInfo(
dh,
IntPtr.Zero,
NCrypt.ProtectionDescriptorInfoType.NCRYPT_PROTECTION_INFO_TYPE_DESCRIPTOR_STRING,
out ruleStringHandle);
result.ThrowIfFailed();
return(Marshal.PtrToStringUni(ruleStringHandle));
}
finally
{
if (ruleStringHandle != IntPtr.Zero)
{
Marshal.FreeHGlobal(ruleStringHandle);
}
}
}
public string UnprotectSecret(ProtectedSecret data)
{
try
{
if (data?.Data == null)
{
return(null);
}
if (data.Mode == 0)
{
return(data.Data);
}
if (data.Mode == 1)
{
return(this.UnprotectSecretv1(data));
}
if (data.Mode == 2)
{
return(this.UnprotectSecretv2(data));
}
if (data.Mode == 3)
{
return(this.UnprotectSecretv3(data));
}
throw new ConfigurationException("The data was protected with an encryption mechanism not known to this version of the application");
}
catch (Exception ex)
{
throw new ConfigurationException("Unable to decrypt the encrypted data from the configuration file. Use the configuration manager application to re-enter the secret, and try again", ex);
}
}
public void SaveRecordsTheSecret()
{
SecretRepository
.When(s => s.Save(Arg.Any <ProtectedSecret>()))
.Do(ci => _savedSecret = ci.Arg <ProtectedSecret>());
}
private string UnprotectSecretv2(ProtectedSecret data)
{
return(this.encryptionProvider.Decrypt(data.Data, this.certificateProvider.FindDecryptionCertificate));
}
/// <inheritdoc />
public virtual void Save(ProtectedSecret secret)
{
using var conn = CreateConnection(requiresWrite: true);
conn.Execute(UpsertSql, secret);
}
public async Task WhenGettingNonExistentSecret()
{
secret = await Repository.GetAsync(appName, secretName);
}
public void WhenGettingNonExistentSecret()
{
secret = Repository.Get(appName, secretName);
}
/// <inheritdoc />
public virtual async Task SaveAsync(ProtectedSecret secret)
{
using var conn = CreateConnection(requiresWrite: true);
await conn.ExecuteAsync(UpsertSql, secret);
}
public void WeHaveSecretToSave()
{
savedSecret = ProtectedSecretBuilder.Create().AnInstance();
}
