private static ISecretInjector GetSecretInjector(IDictionary<string, string> arguments)
{
ISecretReader secretReader;
var vaultName = arguments.GetOrDefault<string>(Arguments.VaultName);
if (string.IsNullOrEmpty(vaultName))
{
secretReader = new EmptySecretReader();
}
else
{
var clientId = arguments.GetOrThrow<string>(Arguments.ClientId);
var certificateThumbprint = arguments.GetOrThrow<string>(Arguments.CertificateThumbprint);
var storeName = arguments.GetOrDefault(Arguments.StoreName, StoreName.My);
var storeLocation = arguments.GetOrDefault(Arguments.StoreLocation, StoreLocation.LocalMachine);
var shouldValidateCert = arguments.GetOrDefault(Arguments.ValidateCertificate, false);
var keyVaultConfig = new KeyVaultConfiguration(vaultName, clientId, certificateThumbprint, storeName, storeLocation, shouldValidateCert);
secretReader = new CachingSecretReader(new KeyVaultReader(keyVaultConfig),
arguments.GetOrDefault(Arguments.RefreshIntervalSec, CachingSecretReader.DefaultRefreshIntervalSec));
}
return new SecretInjector(secretReader);
}
public ISecretReader CreateSecretReader(IGalleryConfigurationService configurationService)
{
if (configurationService == null)
{
throw new ArgumentNullException(nameof(configurationService));
}
ISecretReader secretReader;
var vaultName = configurationService.ReadSetting(
string.Format(CultureInfo.InvariantCulture, "{0}{1}", KeyVaultConfigurationPrefix, VaultNameConfigurationKey)).Result;
if (!string.IsNullOrEmpty(vaultName))
{
var clientId = configurationService.ReadSetting(
string.Format(CultureInfo.InvariantCulture, "{0}{1}", KeyVaultConfigurationPrefix, ClientIdConfigurationKey)).Result;
var certificateThumbprint = configurationService.ReadSetting(
string.Format(CultureInfo.InvariantCulture, "{0}{1}", KeyVaultConfigurationPrefix, CertificateThumbprintConfigurationKey)).Result;
var keyVaultConfiguration = new KeyVaultConfiguration(vaultName, clientId, certificateThumbprint, validateCertificate: true);
secretReader = new KeyVaultReader(keyVaultConfiguration);
}
else
{
secretReader = new EmptySecretReader();
}
return new CachingSecretReader(secretReader, _diagnosticsService);
}
public ISecretReader CreateSecretReader()
{
if (string.IsNullOrEmpty(_vaultName))
{
return(new EmptySecretReader());
}
var certificate = CertificateUtility.FindCertificateByThumbprint(
!string.IsNullOrEmpty(_storeName)
? (StoreName)Enum.Parse(typeof(StoreName), _storeName)
: StoreName.My,
!string.IsNullOrEmpty(_storeLocation)
? (StoreLocation)Enum.Parse(typeof(StoreLocation), _storeLocation)
: StoreLocation.LocalMachine,
_certificateThumbprint,
_validateCertificate);
var keyVaultConfiguration = new KeyVaultConfiguration(
_vaultName,
_clientId,
certificate,
_sendX5c);
return(new KeyVaultReader(keyVaultConfiguration));
}
public ISecretReader CreateSecretReader(IDictionary <string, string> settings)
{
if (JobConfigurationManager.TryGetArgument(settings, JobArgumentNames.VaultName) == null)
{
return(new EmptySecretReader());
}
var storeName = JobConfigurationManager.TryGetArgument(settings, JobArgumentNames.StoreName);
var storeLocation = JobConfigurationManager.TryGetArgument(settings, JobArgumentNames.StoreLocation);
var certificate = CertificateUtility.FindCertificateByThumbprint(
storeName != null ? (StoreName)Enum.Parse(typeof(StoreName), storeName) : StoreName.My,
storeLocation != null ? (StoreLocation)Enum.Parse(typeof(StoreLocation), storeLocation) : StoreLocation.LocalMachine,
JobConfigurationManager.GetArgument(settings, JobArgumentNames.CertificateThumbprint),
JobConfigurationManager.TryGetBoolArgument(settings, JobArgumentNames.ValidateCertificate, defaultValue: true));
var keyVaultConfiguration =
new KeyVaultConfiguration(
JobConfigurationManager.GetArgument(settings, JobArgumentNames.VaultName),
JobConfigurationManager.GetArgument(settings, JobArgumentNames.ClientId),
certificate);
var refreshIntervalSec = JobConfigurationManager.TryGetIntArgument(settings,
JobArgumentNames.RefreshIntervalSec) ?? CachingSecretReader.DefaultRefreshIntervalSec;
return(new CachingSecretReader(new KeyVaultReader(keyVaultConfiguration), refreshIntervalSec));
}
public ISecretReader CreateSecretReader(IGalleryConfigurationService configurationService)
{
if (configurationService == null)
{
throw new ArgumentNullException(nameof(configurationService));
}
ISecretReader secretReader;
var vaultName = configurationService.ReadSetting(
string.Format(CultureInfo.InvariantCulture, "{0}{1}", KeyVaultConfigurationPrefix, VaultNameConfigurationKey)).Result;
if (!string.IsNullOrEmpty(vaultName))
{
var clientId = configurationService.ReadSetting(
string.Format(CultureInfo.InvariantCulture, "{0}{1}", KeyVaultConfigurationPrefix, ClientIdConfigurationKey)).Result;
var certificateThumbprint = configurationService.ReadSetting(
string.Format(CultureInfo.InvariantCulture, "{0}{1}", KeyVaultConfigurationPrefix, CertificateThumbprintConfigurationKey)).Result;
var keyVaultConfiguration = new KeyVaultConfiguration(vaultName, clientId, certificateThumbprint, validateCertificate: true);
secretReader = new KeyVaultReader(keyVaultConfiguration);
}
else
{
secretReader = new EmptySecretReader();
}
return(new CachingSecretReader(secretReader, _diagnosticsService));
}
public ISecretReader CreateSecretReader()
{
ISecretReader secretReader;
var vaultName = _configurationService.ReadRawSetting(ResolveKeyVaultSettingName(VaultNameConfigurationKey));
if (!string.IsNullOrEmpty(vaultName))
{
var clientId = _configurationService.ReadRawSetting(ResolveKeyVaultSettingName(ClientIdConfigurationKey));
var certificateThumbprint = _configurationService.ReadRawSetting(ResolveKeyVaultSettingName(CertificateThumbprintConfigurationKey));
var storeName = GetOptionalKeyVaultEnumSettingValue(CertificateStoreName, StoreName.My);
var storeLocation = GetOptionalKeyVaultEnumSettingValue(CertificateStoreLocation, StoreLocation.LocalMachine);
var certificate = CertificateUtility.FindCertificateByThumbprint(storeName, storeLocation, certificateThumbprint, validationRequired: true);
var keyVaultConfiguration = new KeyVaultConfiguration(vaultName, clientId, certificate);
secretReader = new KeyVaultReader(keyVaultConfiguration);
}
else
{
secretReader = new EmptySecretReader();
}
return(new CachingSecretReader(secretReader));
}
public async Task UpdateExistingConfigurationTest()
{
this.Initialize();
var keyVaultConfiguration = new KeyVaultConfiguration()
{
ADApplicationClientId = "1",
ADApplicationSecret = "Secret",
VaultName = "test",
AzureKeyVaultUrl = @"https://test.vault.azure.net/"
};
IKeyVaultConfigurationRepository repository = new KeyVaultConfigurationRepository();
var isInserted = await repository.InsertOrUpdate(keyVaultConfiguration);
Assert.IsTrue(isInserted);
Assert.IsTrue(repository.All.Count() == 1);
keyVaultConfiguration.ADApplicationSecret = "Updated Secret";
await repository.InsertOrUpdate(keyVaultConfiguration);
IKeyVaultConfigurationRepository newRepository = new KeyVaultConfigurationRepository();
Assert.IsTrue(newRepository.All.Count() == 1);
Assert.IsTrue(newRepository.All.First().ADApplicationSecret == "Updated Secret");
}
public ISecretReader CreateSecretReader()
{
ISecretReader secretReader;
var vaultName = _configurationService.ReadRawSetting(ResolveKeyVaultSettingName(VaultNameConfigurationKey));
if (!string.IsNullOrEmpty(vaultName))
{
var useManagedIdentity = GetOptionalKeyVaultBoolSettingValue(UseManagedIdentityConfigurationKey, defaultValue: false);
KeyVaultConfiguration keyVaultConfiguration;
if (useManagedIdentity)
{
keyVaultConfiguration = new KeyVaultConfiguration(vaultName);
}
else
{
var clientId = _configurationService.ReadRawSetting(ResolveKeyVaultSettingName(ClientIdConfigurationKey));
var certificateThumbprint = _configurationService.ReadRawSetting(ResolveKeyVaultSettingName(CertificateThumbprintConfigurationKey));
var storeName = GetOptionalKeyVaultEnumSettingValue(CertificateStoreName, StoreName.My);
var storeLocation = GetOptionalKeyVaultEnumSettingValue(CertificateStoreLocation, StoreLocation.LocalMachine);
var certificate = CertificateUtility.FindCertificateByThumbprint(storeName, storeLocation, certificateThumbprint, validationRequired: true);
keyVaultConfiguration = new KeyVaultConfiguration(vaultName, clientId, certificate);
}
secretReader = new KeyVaultReader(keyVaultConfiguration);
}
else
{
secretReader = new EmptySecretReader();
}
return(new CachingSecretReader(secretReader, refreshIntervalSec: SecretCachingRefreshInterval));
}
public static IFhirServerBuilder AddKeyVaultSecretStore(this IFhirServerBuilder fhirServerBuilder, IConfiguration configuration)
{
EnsureArg.IsNotNull(fhirServerBuilder, nameof(fhirServerBuilder));
EnsureArg.IsNotNull(configuration, nameof(configuration));
// Get the KeyVault endpoint mentioned in the config. It is not necessary the KeyVault config
// section is present (depending on how we choose to implement ISecretStore). But even if it is
// not present, GetSection will return an empty IConfigurationSection. And we will end up creating
// an InMemoryKeyVaultSecretStore in that scenario also.
var keyVaultConfig = new KeyVaultConfiguration();
configuration.GetSection(KeyVaultConfigurationName).Bind(keyVaultConfig);
if (string.IsNullOrWhiteSpace(keyVaultConfig.Endpoint))
{
fhirServerBuilder.Services.Add <InMemorySecretStore>()
.Singleton()
.AsService <ISecretStore>();
}
else
{
fhirServerBuilder.Services.Add <KeyVaultSecretStore>((sp) =>
{
var tokenProvider = new AzureServiceTokenProvider();
var kvClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));
return(new KeyVaultSecretStore(kvClient, new Uri(keyVaultConfig.Endpoint)));
})
.Singleton()
.AsService <ISecretStore>();
}
return(fhirServerBuilder);
}
private static ISecretInjector GetSecretInjector(IDictionary <string, string> arguments)
{
ISecretReader secretReader;
var vaultName = arguments.GetOrDefault <string>(Arguments.VaultName);
if (string.IsNullOrEmpty(vaultName))
{
secretReader = new EmptySecretReader();
}
else
{
var clientId = arguments.GetOrThrow <string>(Arguments.ClientId);
var certificateThumbprint = arguments.GetOrThrow <string>(Arguments.CertificateThumbprint);
var storeName = arguments.GetOrDefault(Arguments.StoreName, StoreName.My);
var storeLocation = arguments.GetOrDefault(Arguments.StoreLocation, StoreLocation.LocalMachine);
var shouldValidateCert = arguments.GetOrDefault(Arguments.ValidateCertificate, true);
var keyVaultCertificate = CertificateUtility.FindCertificateByThumbprint(storeName, storeLocation, certificateThumbprint, shouldValidateCert);
var keyVaultConfig = new KeyVaultConfiguration(vaultName, clientId, keyVaultCertificate);
secretReader = new CachingSecretReader(new KeyVaultReader(keyVaultConfig),
arguments.GetOrDefault(Arguments.RefreshIntervalSec, CachingSecretReader.DefaultRefreshIntervalSec));
}
return(new SecretInjector(secretReader));
}
private void Initialize(KeyVaultConfiguration keyVaultConfiguration)
{
this.keyVaultConfiguration = keyVaultConfiguration;
this.KeyVaultUrl = keyVaultConfiguration.AzureKeyVaultUrl;
this.ADApplicationId = keyVaultConfiguration.ADApplicationClientId;
this.ADApplicationSecret = keyVaultConfiguration.ADApplicationSecret;
this.SetupValidationRules();
}
public KeyVaultService(ILogger <KeyVaultService> logger,
IOptions <KeyVaultConfiguration> keyVaultConfiguration,
IOptions <AADApplicationConfiguration> applicationConfiguration)
{
this.logger = logger;
this.keyVaultConfiguration = keyVaultConfiguration.Value;
this.applicationConfiguration = applicationConfiguration.Value;
}
public static IServiceCollection AddAzureInfrastructure(this IServiceCollection services, IConfiguration configuration)
{
var keyVaultConfig = new KeyVaultConfiguration();
configuration.Bind(ConfigurationPrefixes.KeyVault, keyVaultConfig);
return(services
.AddSingleton(keyVaultConfig)
.AddAzureServices());
}
public TestRunner(string connectionString, KeyVaultConfiguration keyVaultConfig)
{
KeyVaultConfig = keyVaultConfig ?? throw new ArgumentNullException(nameof(keyVaultConfig));
if (string.IsNullOrEmpty(connectionString))
{
throw new ArgumentException("Value cannot be null or empty", nameof(connectionString));
}
ConnectionString = new AzureSqlConnectionStringBuilder(connectionString);
SecretInjector = new SecretInjector(new KeyVaultReader(KeyVaultConfig));
}
/// <summary>
/// Instantiates ProxyConnectionInfo with certificate authentication using a certificate retrieved from keyvault
/// </summary>
/// <param name="endpoint">Proxy Endpoint</param>
/// <param name="config">Configuration root for initialization</param>
/// <param name="vaultName">Key vault name</param>
public ProxyConnectionInfo(
string endpoint,
KeyVaultConfiguration config,
string vaultName
) : this(
endpoint,
AuthenticationType.CertificateFromKeyVault
)
{
Vault = new AzureSecretVault(config);
CertIdentifier = ThrowIf.NullOrWhiteSpace(vaultName, nameof(vaultName));
}
public void Constructor_ValidUri_Succeeds()
{
// Arrange
var expectedVaultUri = new Uri($"https://{Guid.NewGuid():N}.vault.azure.net/");
// Act
var keyVaultConfiguration = new KeyVaultConfiguration(expectedVaultUri);
// Assert
Assert.NotNull(keyVaultConfiguration);
Assert.Equal(expectedVaultUri, keyVaultConfiguration.VaultUri);
}
public void Constructor_ValidRawUri_Succeeds()
{
// Arrange
string vaultUri = $"https://{Guid.NewGuid().ToString("N").Substring(0, 24)}.vault.azure.net/";
var expectedVaultUri = new Uri(vaultUri);
// Act
var keyVaultConfiguration = new KeyVaultConfiguration(vaultUri);
// Assert
Assert.NotNull(keyVaultConfiguration);
Assert.Equal(expectedVaultUri, keyVaultConfiguration.VaultUri);
}
public VersionHealthCheck(ILogger <VersionHealthCheck> logger, IOptionsSnapshot <ApplicationOptions> settings)
{
_applicationVersionNumber = Assembly.GetEntryAssembly()?.GetName().Version?.ToString();
_applicationBuildDate = GetAssemblyLastModifiedDate();
_environment = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT");
_clusterName = Environment.GetEnvironmentVariable("CLUSTER_NAME");
_systemsManagerReload = Environment.GetEnvironmentVariable("SYSTEMS_MANAGER_RELOAD");
_dnsHostName = Dns.GetHostName();
_osNameAndVersion = System.Runtime.InteropServices.RuntimeInformation.OSDescription;
_keyVaultConfiguration = settings?.Value?.KeyVaultConfiguration != null ? settings?.Value?.KeyVaultConfiguration : new KeyVaultConfiguration();
_elasticUrl = settings?.Value.Logging.ElasticSearchConfiguration.ElasticUrl;
_elasticEnabled = settings.Value.Logging.ElasticSearchConfiguration.ElasticEnabled;
_logger = logger;
}
public KeyVaultAccountViewModel(KeyVaultConfiguration keyVaultConfiguration, IKeyRepository keyRepository)
{
if (keyVaultConfiguration == null)
{
throw new ArgumentNullException("keyVaultConfiguration");
}
this.keyVaultConfiguration = keyVaultConfiguration;
this.keyRepository = keyRepository;
this.ManageVaultKeysViewModel = new ManageVaultKeysViewModel(keyVaultConfiguration.VaultName, keyRepository, new KeyVaultKeyRepository(keyVaultConfiguration));
this.ManageLocalKeysViewModel = new ManageLocalKeysViewModel(keyVaultConfiguration.VaultName, keyRepository);
this.ManageLocalKeysViewModel.KeysModified += this.HandleKeysModified;
this.ManageVaultKeysViewModel.KeysModified += this.HandleKeysModified;
this.KeyCryptographicOperationsViewModel = new KeyCryptographicOperationsViewModel(new KeyOperations(keyVaultConfiguration));
}
private ISecretProvider CreateSecretProvider()
{
var keyVaultEndpoint = Configuration["KeyVaultUri"];
#if RELEASE
var vaultAuthentication = new ManagedServiceIdentityAuthentication();
#elif DEBUG
var clientId = Configuration["KEYVAULT_AUTH_ID"];
var clientSecret = Configuration["KEYVAULT_AUTH_SECRET"];
var vaultAuthentication = new ServicePrincipalAuthentication(clientId, clientSecret);
#endif
var vaultConfiguration = new KeyVaultConfiguration(keyVaultEndpoint);
var keyVaultSecretProvider = new Arcus.Security.Providers.AzureKeyVault.KeyVaultSecretProvider(vaultAuthentication, vaultConfiguration);
return(keyVaultSecretProvider);
}
public ISecretReader CreateSecretReader()
{
if (string.IsNullOrEmpty(_vaultName))
{
return new EmptySecretReader();
}
var keyVaultConfiguration = new KeyVaultConfiguration(
_vaultName,
_clientId,
_certificateThumbprint,
!string.IsNullOrEmpty(_storeName) ? (StoreName)Enum.Parse(typeof(StoreName), _storeName) : StoreName.My,
!string.IsNullOrEmpty(_storeLocation) ? (StoreLocation)Enum.Parse(typeof(StoreLocation), _storeLocation) : StoreLocation.LocalMachine,
_validateCertificate);
return new KeyVaultReader(keyVaultConfiguration);
}
public ISecretReader CreateSecretReader()
{
ISecretReader secretReader;
// Is KeyVault configured?
if (!_configurationDictionary.TryGetValue(VaultNameKey, out var vaultName) ||
string.IsNullOrEmpty(vaultName))
{
secretReader = new EmptySecretReader();
}
else
{
KeyVaultConfiguration keyVaultConfiguration;
if (_configurationDictionary.TryGetValue(UseManagedIdentityKey, out var useManagedIdentityStr) &&
bool.TryParse(useManagedIdentityStr, out var useManagedIdentity) &&
useManagedIdentity)
{
keyVaultConfiguration = new KeyVaultConfiguration(vaultName);
}
else
{
var clientId = _configurationDictionary[ClientIdKey];
var certificateThumbprint = _configurationDictionary[CertificateThumbprintKey];
var storeLocation = _configurationDictionary[StoreLocationKey];
var storeName = _configurationDictionary[StoreNameKey];
var validateCertificate = _configurationDictionary[ValidateCertificateKey];
var certificate = CertificateUtility.FindCertificateByThumbprint(
(StoreName)Enum.Parse(typeof(StoreName), storeName),
(StoreLocation)Enum.Parse(typeof(StoreLocation), storeLocation),
certificateThumbprint,
bool.Parse(validateCertificate));
keyVaultConfiguration = new KeyVaultConfiguration(vaultName, clientId, certificate);
}
if (!_configurationDictionary.TryGetValue(CacheRefreshIntervalKey, out var cacheRefresh) ||
!int.TryParse(cacheRefresh, out int refreshIntervalSec))
{
refreshIntervalSec = CachingSecretReader.DefaultRefreshIntervalSec;
}
secretReader = new KeyVaultReader(keyVaultConfiguration);
secretReader = new CachingSecretReader(secretReader, refreshIntervalSec);
}
return(secretReader);
}
public async Task <int> ExecuteAsync()
{
if (!Help.HasValue())
{
var count = IntValue(Count, defaultValue: 1);
var durationInSeconds = IntValue(DurationInSeconds, defaultValue: 60);
var intervalInSeconds = IntValue(IntervalInSeconds, defaultValue: 15);
if (count > 1 && SpawnClients.HasValue())
{
return(await SpawnTestClients(count, durationInSeconds, intervalInSeconds));
}
var persist = PersistConnections.HasValue();
var useAdalOnly = UseAdalOnly.HasValue();
if (KeyVaultName.HasValue() &&
KeyVaultClientId.HasValue() &&
KeyVaultCertificateThumbprint.HasValue())
{
using (var kvCertificate = GetKeyVaultCertificate(KeyVaultCertificateThumbprint.Value()))
{
var keyVaultConfig = new KeyVaultConfiguration(
KeyVaultName.Value(),
KeyVaultClientId.Value(),
kvCertificate);
var runner = new TestRunner(
ConnectionString.Value(),
keyVaultConfig);
return(await runner.TestConnectionsAsync(
count,
durationInSeconds,
intervalInSeconds,
persist,
useAdalOnly));
}
}
}
ShowHelp();
return(1);
}
private static KeyVaultConfiguration GetKeyVaultConfiguration(IHostingEnvironment env)
{
//KeyVault configuration can be found in appsettings or environment variables
//We won't need to do things this way once .NET Core 2.1 comes out; it will have
//chained config as per https://github.com/aspnet/Configuration/issues/630
var config = new ConfigurationBuilder();
var keyVaultConfig = new KeyVaultConfiguration();
var rootConfig = config
.SetBasePath(env.ContentRootPath)
.AddJsonFile("appsettings.json", optional: false, reloadOnChange: true)
.AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true, reloadOnChange: true)
.AddEnvironmentVariables()
.Build();
return(rootConfig.GetSection("KeyVault").Get <KeyVaultConfiguration>());
}
public async Task RotateServiceBusSecrets_WithValidArguments_RotatesPrimarySecondaryAlternatively()
{
// Arrange
var config = TestConfig.Create();
KeyRotationConfig keyRotationConfig = config.GetKeyRotationConfig();
_logger.LogInformation("Using Service Principal [ClientID: '{ClientId}']", keyRotationConfig.ServicePrincipal.ClientId);
const ServiceBusEntityType entity = ServiceBusEntityType.Topic;
var keyVaultAuthentication = new ServicePrincipalAuthentication(
keyRotationConfig.ServicePrincipal.ClientId,
keyRotationConfig.ServicePrincipal.ClientSecret);
var keyVaultConfiguration = new KeyVaultConfiguration(keyRotationConfig.KeyVault.VaultUri);
var secretProvider = new KeyVaultSecretProvider(keyVaultAuthentication, keyVaultConfiguration);
AzureServiceBusClient azureServiceBusClient = CreateAzureServiceBusClient(keyRotationConfig, secretProvider, entity);
var rotation = new AzureServiceBusKeyRotation(azureServiceBusClient, keyVaultAuthentication, keyVaultConfiguration, _logger);
var client = new ServiceBusConfiguration(keyRotationConfig, _logger);
AccessKeys keysBefore1stRotation = await client.GetConnectionStringKeysForTopicAsync();
// Act
await rotation.RotateServiceBusSecretAsync(keyRotationConfig.KeyVault.SecretName);
// Assert
string secondaryConnectionString = await secretProvider.GetRawSecretAsync(keyRotationConfig.KeyVault.SecretName);
AccessKeys keysAfter1stRotation = await client.GetConnectionStringKeysForTopicAsync();
Assert.True(secondaryConnectionString == keysAfter1stRotation.SecondaryConnectionString, "Secondary connection string should be set in Azure Key Vault after first rotation");
Assert.NotEqual(keysBefore1stRotation.PrimaryConnectionString, keysAfter1stRotation.PrimaryConnectionString);
Assert.NotEqual(keysBefore1stRotation.SecondaryConnectionString, keysAfter1stRotation.SecondaryConnectionString);
await rotation.RotateServiceBusSecretAsync(keyRotationConfig.KeyVault.SecretName);
string primaryConnectionString = await secretProvider.GetRawSecretAsync(keyRotationConfig.KeyVault.SecretName);
AccessKeys keysAfter2ndRotation = await client.GetConnectionStringKeysForTopicAsync();
Assert.True(primaryConnectionString == keysAfter2ndRotation.PrimaryConnectionString, "Primary connection string should be set in Azure Key Vault after second rotation");
Assert.NotEqual(keysAfter1stRotation.PrimaryConnectionString, keysAfter2ndRotation.PrimaryConnectionString);
Assert.NotEqual(keysAfter2ndRotation.SecondaryConnectionString, keysAfter1stRotation.SecondaryConnectionString);
}
public GitHubConfig(IConfigurationRoot config, ILoggerFactory loggerFactory)
{
var section = config.GetSection(TokenConfigKey);
_token = section.Value;
if (String.IsNullOrEmpty(_token))
{
var clientId = ThrowIf.NullOrWhiteSpace(config[ConfigurationClientIdKey], nameof(ConfigurationClientIdKey));
var clientSecret = ThrowIf.NullOrWhiteSpace(config[ConfigurationClientSecretKey], nameof(ConfigurationClientSecretKey));
var vaultName = ThrowIf.NullOrWhiteSpace(config[ConfigurationVaultNameKey], nameof(ConfigurationVaultNameKey));
var tokenName = ThrowIf.NullOrWhiteSpace(config[ConfigurationGithubTokenNameKey], nameof(ConfigurationGithubTokenNameKey));
var keyVaultConfig = new KeyVaultConfiguration(clientId, clientSecret, vaultName);
var keyVault = new AzureSecretVault(keyVaultConfig);
_token = keyVault.Get(tokenName).Result;
}
ThrowIf.NullOrWhiteSpace(_token, TokenConfigKey);
RepositoryName = ThrowIf.NullOrWhiteSpace(config[RepositoryNameConfigKey], nameof(RepositoryNameConfigKey));
RepositoryOwner = ThrowIf.NullOrWhiteSpace(config[RepositoryOwnerConfigKey], nameof(RepositoryOwnerConfigKey));
_logger = loggerFactory.CreateLogger <GitHubConfig>();
}
public ISecretReader CreateSecretReader()
{
ISecretReader secretReader;
var vaultName = _configurationService.ReadRawSetting(ResolveKeyVaultSettingName(VaultNameConfigurationKey));
if (!string.IsNullOrEmpty(vaultName))
{
var clientId = _configurationService.ReadRawSetting(ResolveKeyVaultSettingName(ClientIdConfigurationKey));
var certificateThumbprint = _configurationService.ReadRawSetting(ResolveKeyVaultSettingName(CertificateThumbprintConfigurationKey));
var certificate = CertificateUtility.FindCertificateByThumbprint(StoreName.My, StoreLocation.LocalMachine, certificateThumbprint, true);
var keyVaultConfiguration = new KeyVaultConfiguration(vaultName, clientId, certificate);
secretReader = new KeyVaultReader(keyVaultConfiguration);
}
else
{
secretReader = new EmptySecretReader();
}
return(new CachingSecretReader(secretReader, _diagnosticsService));
}
public static IServiceCollection AddProxyWithCertFromKeyVault(
this IServiceCollection services,
string endpoint,
KeyVaultConfiguration config,
string certName
) => services.AddProxy(new ProxyConnectionInfo(endpoint, config, certName));
private static TokenCredential GetKeyClientTokenCredential(KeyVaultConfiguration config)
=> new Identity.ClientSecretCredential(
config.ActiveDirectoryTenantId,
config.ActiveDirectoryApplicationId,
config.ActiveDirectoryApplicationSecret);
private static Security.KeyVault.Keys.KeyClient GetKeyClient(KeyVaultConfiguration config)
=> new Security.KeyVault.Keys.KeyClient(
new Uri(config.VaultEndpoint),
GetKeyClientTokenCredential(config));
/// <summary>
///
/// </summary>
/// <param name="settings"></param>
/// <param name="vault"></param>
/// <param name="logger"></param>
public ValuesController(IOptionsSnapshot <SmtpConfiguration> settings, IOptionsSnapshot <KeyVaultConfiguration> vault, ILogger <ValuesController> logger)
{
_smtpConfiguration = settings.Value;
_keyVaultConfiguration = vault.Value;
_logger = logger;
}
public AddKeyVaultAccountViewModel(IKeyVaultConfigurationRepository keyVaultConfigurationRepository, KeyVaultConfiguration keyVaultConfiguration)
{
this.keyVaultConfigurationRepository = keyVaultConfigurationRepository;
this.vaultUrlMatcher = new Regex(KeyVaultUrlFormat, RegexOptions.Compiled);
this.AddKeyVaultAccountCommand = new RelayCommand(this.AddKeyVaultAccount, this.CanAddKeyVaultCommand);
this.Initialize(keyVaultConfiguration);
}
public KeyVaultSecretRepositoryMSIAuth(KeyVaultConfiguration configuration, ILogger logger)
{
_configuration = configuration;
_logger = logger;
}