protected static async Task ExecuteHashicorpVaultOperation(Func <Task> func, string operation)
{
try
{
await func();
}
catch (VaultApiException vEx) when(vEx.HttpStatusCode == System.Net.HttpStatusCode.Forbidden)
{
throw new SecureStoreException(
SecureStoreException.Type.UnauthorizedOperation,
HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SecureStoreOperationNotAuthorizeded), operation),
vEx);
}
catch (VaultApiException vEx) when(vEx.HttpStatusCode == System.Net.HttpStatusCode.NotFound)
{
throw new SecureStoreException(
SecureStoreException.Type.SecretNotFound,
HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SecureStoreSecretNotFound)),
vEx);
}
catch (Exception ex)
{
throw new SecureStoreException($"Operation {operation} failed.", ex);
}
}
public virtual async Task ValidateContextAsync(string context)
{
var ctx = ConvertJsonToContext(context);
if (ctx.SecretsEngine == SecretsEngine.ActiveDirectory)
{
// ActiveDirectory is valid only for the read-only secure store
throw new SecureStoreException(
SecureStoreException.Type.InvalidConfiguration,
HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.HashicorpVaultSettingInvalidOrMissing), nameof(ctx.SecretsEngine)));
}
var keyVaultClient = _clientFactory.CreateClient(ctx);
var secretName = "UIPATH-TEST-SECRET-HASHICORP-VAULT";
var secretValue = Guid.NewGuid().ToString();
var storageKey = await ExecuteHashicorpVaultOperation(
async() =>
{
return(await keyVaultClient.SetSecretAsync(secretName, secretValue));
},
"set");
_ = await ExecuteHashicorpVaultOperation(
async() =>
{
return(await keyVaultClient.GetSecretAsync(storageKey));
},
"get");
try
{
// We use destroy because we don't want to leave behind key metadata with nothing inside for each edit of the store.
// If destroy fails (maybe due to policies), we just delete the secret version we created.
// This is ok to do since we don't need to destroy secrets during normal operation, just for testing.
await ExecuteHashicorpVaultOperation(
async() =>
{
await keyVaultClient.DeleteSecretAsync(secretName, destroy: true);
},
"destroy");
}
catch
{
await ExecuteHashicorpVaultOperation(
async() =>
{
await keyVaultClient.DeleteSecretAsync(secretName, destroy: false);
},
"delete");
}
}
public static SecureKeyMetadata GetExistingMetadata(this string passwordKey)
{
SecureKeyMetadata result = JsonConvert.DeserializeObject <SecureKeyMetadata>(passwordKey);
if (string.IsNullOrEmpty(result.VaultSecretName))
{
throw new SecureStoreException(
SecureStoreException.Type.Unknown,
HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.InvalidSecureStoreSecretName)));
}
return(result);
}
public virtual IEnumerable <ConfigurationEntry> GetConfiguration()
{
return(new List <ConfigurationEntry>
{
new ConfigurationValue(ConfigurationValueType.String)
{
Key = "VaultUri",
DisplayName = HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SettingVaultUri)),
IsMandatory = true,
},
new ConfigurationValue(ConfigurationValueType.Choice)
{
Key = "AuthenticationType",
DisplayName = HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SettingAuthenticationType)),
IsMandatory = true,
PossibleValues = Enum.GetNames(typeof(AuthenticationType)),
},
new ConfigurationValue(ConfigurationValueType.Secret)
{
Key = "RoleId",
DisplayName = HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SettingRoleId)),
IsMandatory = false,
},
new ConfigurationValue(ConfigurationValueType.Secret)
{
Key = "SecretId",
DisplayName = HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SettingSecretId)),
IsMandatory = false,
},
new ConfigurationValue(ConfigurationValueType.String)
{
Key = "Username",
DisplayName = HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SettingUsername)),
IsMandatory = false,
},
new ConfigurationValue(ConfigurationValueType.Secret)
{
Key = "Password",
DisplayName = HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SettingPassword)),
IsMandatory = false,
},
new ConfigurationValue(ConfigurationValueType.Secret)
{
Key = "Token",
DisplayName = HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SettingToken)),
IsMandatory = false,
},
new ConfigurationValue(ConfigurationValueType.Choice)
{
Key = "SecretsEngine",
DisplayName = HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SettingSecretsEngine)),
IsMandatory = true,
PossibleValues = Enum.GetNames(typeof(SecretsEngine))
.Except(new [] { SecretsEngine.ActiveDirectory.ToString() })
.ToArray(),
},
new ConfigurationValue(ConfigurationValueType.String)
{
Key = "SecretsEnginePath",
DisplayName = HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SettingSecretsEnginePath)),
IsMandatory = false,
},
new ConfigurationValue(ConfigurationValueType.String)
{
Key = "DataPath",
DisplayName = HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SettingDataPath)),
IsMandatory = false,
},
new ConfigurationValue(ConfigurationValueType.String)
{
Key = "Namespace",
DisplayName = HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.SettingNamespace)),
IsMandatory = false,
},
});
}
public HashicorpVaultContext Build()
{
if (_context == null)
{
throw new Exception("Invalid usage");
}
if (_context.VaultUri == null || !_context.VaultUri.IsAbsoluteUri)
{
throw new SecureStoreException(
SecureStoreException.Type.InvalidConfiguration,
HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.HashicorpVaultSettingInvalidOrMissing), nameof(_context.VaultUri)));
}
switch (_context.AuthenticationType)
{
case AuthenticationType.None:
throw new SecureStoreException(
SecureStoreException.Type.InvalidConfiguration,
HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.HashicorpVaultSettingInvalidOrMissing), nameof(_context.AuthenticationType)));
case AuthenticationType.AppRole:
if (string.IsNullOrEmpty(_context.RoleId))
{
throw new SecureStoreException(
SecureStoreException.Type.InvalidConfiguration,
HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.HashicorpVaultSettingInvalidOrMissing), nameof(_context.RoleId)));
}
if (string.IsNullOrEmpty(_context.SecretId))
{
throw new SecureStoreException(
SecureStoreException.Type.InvalidConfiguration,
HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.HashicorpVaultSettingInvalidOrMissing), nameof(_context.SecretId)));
}
break;
case AuthenticationType.UsernamePassword:
case AuthenticationType.Ldap:
if (string.IsNullOrEmpty(_context.Username))
{
throw new SecureStoreException(
SecureStoreException.Type.InvalidConfiguration,
HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.HashicorpVaultSettingInvalidOrMissing), nameof(_context.Username)));
}
if (string.IsNullOrEmpty(_context.Password))
{
throw new SecureStoreException(
SecureStoreException.Type.InvalidConfiguration,
HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.HashicorpVaultSettingInvalidOrMissing), nameof(_context.Password)));
}
break;
case AuthenticationType.Token:
if (string.IsNullOrEmpty(_context.Token))
{
throw new SecureStoreException(
SecureStoreException.Type.InvalidConfiguration,
HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.HashicorpVaultSettingInvalidOrMissing), nameof(_context.Token)));
}
break;
default:
throw new SecureStoreException(
SecureStoreException.Type.InvalidConfiguration,
HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.HashicorpVaultSettingInvalidOrMissing), nameof(_context.AuthenticationType)));
}
if (_context.SecretsEngine == SecretsEngine.None)
{
throw new SecureStoreException(
SecureStoreException.Type.InvalidConfiguration,
HashicorpVaultUtils.GetLocalizedResource(nameof(Resource.HashicorpVaultSettingInvalidOrMissing), nameof(_context.SecretsEngine)));
}
if (!string.IsNullOrWhiteSpace(_context.DataPath))
{
_context.DataPath = _context.DataPath.Trim('/');
}
if (string.IsNullOrWhiteSpace(_context.SecretsEnginePath))
{
// Empty or whitespaces are treated as null
_context.SecretsEnginePath = null;
}
return(_context);
}
