public AzureBaseManager(IAzureCloudAuthenticationInfo authInfo) { this.AuthInfo = authInfo; switch (this.AuthInfo.AuthenticationMode) { case CloudAuthenticationMode.AccessToken: Microsoft.Rest.TokenCredentials tokenCredentials = new Microsoft.Rest.TokenCredentials(this.AuthInfo.AzureAccessToken); this.ServiceCredentials = tokenCredentials; break; case CloudAuthenticationMode.Certificate: X509Certificate2 cert = new X509Certificate2(this.AuthInfo.CertificateBytes, this.AuthInfo.PfxCertificatePassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable); Microsoft.Rest.CertificateCredentials certificateCredentials = new Microsoft.Rest.CertificateCredentials(cert); this.ServiceCredentials = certificateCredentials; break; case CloudAuthenticationMode.PublishingProfile: byte[] managementCertificateBytes = Convert.FromBase64String(this.AuthInfo.ManagementCertificate); X509Certificate2 publishingCert = new X509Certificate2(managementCertificateBytes, string.Empty, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable); Microsoft.Rest.CertificateCredentials publishingCredentials = new CertificateCredentials(publishingCert); this.ServiceCredentials = publishingCredentials; break; } }
private void ConfigureClientWithHost(string host, bool enforceTls = false, string pfxFilePath = null) { if (enforceTls && string.IsNullOrEmpty(pfxFilePath)) { throw new InvalidOperationException("A PFX file with the TLS certificates must be provided to enforce TLS"); } var hostUri = new Uri(host); DockerClientConfiguration clientConfig = null; if (!enforceTls) { clientConfig = new DockerClientConfiguration(hostUri); } else { var tlsCertificate = new SystemX509Certificate2(pfxFilePath); var credentials = new CertificateCredentials(tlsCertificate); credentials.ServerCertificateValidationCallback += (o, c, ch, er) => true; clientConfig = new DockerClientConfiguration(hostUri, credentials); } var client = clientConfig.CreateClient(); if (host.StartsWith("npipe") || host.StartsWith("unix")) { DockerHost = "localhost"; } else { DockerHost = hostUri.Host; } ConfiguredClient = client; }
/// <summary> /// Performs the playback of actions in this module. /// </summary> /// <remarks>You should not call this method directly, instead pass the module /// instance to the <see cref="TestModuleRunner.Run(ITestModule)"/> method /// that will in turn invoke this method.</remarks> void ITestModule.Run() { ServicePointManager.ServerCertificateValidationCallback += (o, c, ch, er) => true; DockerClient client = null; if (certFile.Length > 0) { var credentials = new CertificateCredentials(new X509Certificate2(certFile)); client = new DockerClientConfiguration(new Uri(dockerURL), credentials).CreateClient(); } else { client = new DockerClientConfiguration(new Uri(dockerURL)).CreateClient(); } var id = TestSuite.CurrentTestContainer.Parameters["containerID"]; var stopParams = new Docker.DotNet.Models.ContainerStopParameters() { WaitBeforeKillSeconds = 10 }; CancellationToken token = new CancellationToken(); var stopTask = client.Containers.StopContainerAsync(id, stopParams, token); stopTask.Wait(); var remParams = new Docker.DotNet.Models.ContainerRemoveParameters(); var deleteTask = client.Containers.RemoveContainerAsync(id, remParams); deleteTask.Wait(new TimeSpan(0, 0, 15)); }
private async void button5_Click(object sender, EventArgs e) { int chooise = comboBox1.SelectedIndex; if (chooise == -1) { return; } List <string> getconn = DockerConnectionStrs[chooise]; if (client != null) { client.Dispose(); } if (getconn[2] == "false") { client = new DockerClientConfiguration(new Uri(getconn[3])).CreateClient(); label3.Text = "已经连接至" + comboBox1.SelectedItem.ToString(); } else if (getconn[2] == "true") { var credentials = new CertificateCredentials(new X509Certificate2(getconn[4], getconn[5])); var config = new DockerClientConfiguration(new Uri(getconn[3]), credentials); client = config.CreateClient(); label3.Text = "已经连接至" + comboBox1.SelectedItem.ToString(); } else { label3.Text = "数据错误"; } try { listBox1.Items.Clear(); if (client != null) { IList <ContainerListResponse> containers = await client.Containers.ListContainersAsync( new ContainersListParameters() { Limit = 10, }); foreach (ContainerListResponse c in containers) { listBox1.Items.Add(c.ID.Substring(0, 12)); } } else { return; } } catch { MessageBox.Show("连接失败", "Error", MessageBoxButtons.OK); return; } }
async Task StartDockerClient() { await Task.Run(async() => { //start docker connection switch (CurrentInstallerType) { case InstallerType.HYPER_V: Log.Info("Starting HyperV Docker"); dockerclient = new DockerClientConfiguration(new Uri("npipe://./pipe/docker_engine")).CreateClient(); break; case InstallerType.NO_HYPER_V: Log.Info("Starting Toolbox Docker"); var info = await Process.Start(new ProcessStartInfo("docker-machine", "env --shell=cmd") //var info = await Process.Start(new ProcessStartInfo("cmd.exe","/C @FOR / f \"tokens=*\" % i IN('docker-machine env') DO @% i") { //var info = await Process.Start(new ProcessStartInfo("whoami") { RedirectStandardError = true, RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true, WindowStyle = ProcessWindowStyle.Hidden }).StandardOutput.ReadToEndAsync(); foreach (var line in info.Split('\n')) { if (line.Contains("=")) { var parts = line.Split('='); Environment.SetEnvironmentVariable(parts[0].Remove(0, 4), parts[1]); } } var host = Environment.GetEnvironmentVariable("DOCKER_HOST"); var path = Environment.GetEnvironmentVariable("DOCKER_CERT_PATH"); byte[] certBuffer = Helpers.GetBytesFromPEM(File.ReadAllText(Path.Combine(path, "cert.pem")), PemStringType.Certificate); byte[] keyBuffer = Helpers.GetBytesFromPEM(File.ReadAllText(Path.Combine(path, "key.pem")), PemStringType.RsaPrivateKey); X509Certificate2 certificate = new X509Certificate2(certBuffer); RSACryptoServiceProvider prov = Crypto.DecodeRsaPrivateKey(keyBuffer); certificate.PrivateKey = prov; ServicePointManager.ServerCertificateValidationCallback += (o, c, ch, er) => true; var credentials = new CertificateCredentials(certificate); dockerclient = new DockerClientConfiguration(new Uri(host), credentials).CreateClient(); break; } }); }
public async Task connect(String host, int port, String user, String local_path, String remote_path, String password, TLS_MODE tls_mode, bool use_compression, String container) { cancel = new CancellationTokenSource(); SetLocalPath(local_path); compress = use_compression; this.tls_mode = tls_mode; if (String.IsNullOrWhiteSpace(remote_path)) { remote_path = ""; } else if (remote_path.EndsWith("/") == false && remote_path.EndsWith("\\") == false) { remote_path += "/"; } this.remote_path = remote_path; this.container = container; if (host.IndexOf("://") == -1) { host = "tcp://" + host; } host += ":" + port; Credentials creds = new AnonymousCredentials(); var pswd_info = new FileInfo(password); if (pswd_info.Exists) { if (pswd_info.Attributes.HasFlag(FileAttributes.ReparsePoint)) { throw new Exception("Sysmlinks will crash this;0"); } creds = new CertificateCredentials(new X509Certificate2(password, "")); //warning sym links will throw an error here ca_cert_path = user; ((CertificateCredentials)creds).ServerCertificateValidationCallback += ServerCertificateValidationCallback; //not sure why cannot do this for basic auth } else if (!String.IsNullOrWhiteSpace(user) && !String.IsNullOrWhiteSpace(password)) { creds = new BasicAuthCredentials(user, password, tls_mode != TLS_MODE.None); } var config = new DockerClientConfiguration(new Uri(host), creds); client = config.CreateClient(); try { var stats = await client.Containers.InspectContainerAsync(container); if (!stats.State.Running) { MainWindow.ShowMessage("Container is not running", "Unable to connect"); } else { connected = true; } } catch (Exception e) { HandleException(e); } }
public DockerNode(string name, JoyOIManagementConfiguration.Node nodeInfo) { Name = name; NodeInfo = nodeInfo; RunningJobs = 0; RunningJobDescriptions = new ConcurrentDictionary <string, int>(); ErrorFlags = false; _credentials = new CertificateCredentials( new X509Certificate2(nodeInfo.ClientCertificatePath, nodeInfo.ClientCertificatePassword)); _dockerClientConfiguration = new DockerClientConfiguration(new Uri(nodeInfo.Address), _credentials); _client = _dockerClientConfiguration.CreateClient(); }
/// <summary> /// Convert Vault certificate credentials to an <see cref="X509Certificate2"/> (with private key, if present). /// </summary> /// <param name="certificateCredentials"> /// The Vault <see cref="CertificateCredentials"/> to convert. /// </param> /// <param name="keyStorageFlags"> /// Optional key-storage flags that control how the private key is persisted. /// </param> /// <returns> /// The certificate, as an <see cref="X509Certificate2"/>. /// </returns> public static X509Certificate2 ToX509Certificate(this CertificateCredentials certificateCredentials, X509KeyStorageFlags keyStorageFlags = X509KeyStorageFlags.DefaultKeySet | X509KeyStorageFlags.Exportable) { if (certificateCredentials == null) { throw new ArgumentNullException(nameof(certificateCredentials)); } // TODO: Use CRNG. string tempPassword = Guid.NewGuid().ToString("N"); byte[] pfxData = certificateCredentials.ToPfx(tempPassword); return(new X509Certificate2(pfxData, tempPassword, keyStorageFlags)); }
/// <summary> /// Convert Vault certificate credentials to PFX / PKCS12 format (with private key, if present). /// </summary> /// <param name="certificateCredentials"> /// The Vault <see cref="CertificateCredentials"/> to convert. /// </param> /// <param name="password"> /// The password to use for protecting the exported data. /// </param> /// <returns> /// A byte array containing the exported data. /// </returns> public static byte[] ToPfx(this CertificateCredentials certificateCredentials, string password) { if (certificateCredentials == null) { throw new ArgumentNullException(nameof(certificateCredentials)); } if (String.IsNullOrWhiteSpace(password)) { throw new ArgumentException("Argument cannot be null, empty, or entirely composed of whitespace: 'password'.", nameof(password)); } List <X509CertificateEntry> chain = new List <X509CertificateEntry>(); AsymmetricCipherKeyPair privateKey = null; foreach (object pemObject in EnumeratePemObjects(password, certificateCredentials.CertificateContent, certificateCredentials.PrivateKey, certificateCredentials.IssuingCACertificateContent)) { if (pemObject is X509Certificate certificate) { chain.Add(new X509CertificateEntry(certificate)); } else if (pemObject is AsymmetricCipherKeyPair keyPair) { privateKey = keyPair; } } if (chain.Count == 0) { throw new CryptographicException("Cannot find X.509 certificate in PEM data."); } if (privateKey == null) { throw new CryptographicException("Cannot find private key in PEM data."); } string certificateSubject = chain[0].Certificate.SubjectDN.ToString(); Pkcs12Store store = new Pkcs12StoreBuilder().Build(); store.SetKeyEntry(certificateSubject, new AsymmetricKeyEntry(privateKey.Private), chain.ToArray()); using (MemoryStream pfxData = new MemoryStream()) { store.Save(pfxData, password.ToCharArray(), new SecureRandom()); return(pfxData.ToArray()); } }
public DockerMachine(string clientID, int?machineID = null) { _UserID = clientID; _db = DB.GetInstance(); machines = _db.Select <Machine>("Docker", "=", new Dictionary <string, object>() { ["UserID"] = _UserID }); if (machines.Count > 0) { var machine = machines.Any(x => x.MachineID == machineID) == false?machines.First() : machines.Find(x => x.MachineID == machineID); var credentials = new CertificateCredentials(new X509Certificate2(machine.CertPath, DecodeString(machine.Passwd))); _client = new DockerClientConfiguration(new Uri(machine.Url), credentials).CreateClient(); } }
private static X509Certificate2 CreateX509FromVaultCertificate(CertificateCredentials data) { var publicKeyBytes = Encoding.UTF8.GetBytes(data.CertificateContent); var publicKey = new X509Certificate2(publicKeyBytes, string.Empty, X509KeyStorageFlags.EphemeralKeySet); // https://github.com/StefH/OpenSSL-X509Certificate2-Provider var decoder = new OpenSSLPrivateKeyDecoder(); var privateKey = decoder.Decode(data.PrivateKeyContent); var privateKeyParameters = decoder.DecodeParameters(data.PrivateKeyContent); // Combine the public key & private key using the CopyWithPrivateKey extension method // https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.rsacertificateextensions.copywithprivatekey?view=netcore-2.2 using (var certwithkey = publicKey.CopyWithPrivateKey(privateKey)) { return(new X509Certificate2(certwithkey.Export(X509ContentType.Pkcs12))); } }
/** * Instantiate a Docker client that will be used for Docker client related operations. * @param azure - instance of Azure * @param rgName - name of the Azure resource group to be used when creating a virtual machine * @param region - region to be used when creating a virtual machine * @return an instance of DockerClient */ public static DockerClient CreateDockerClient(IAzure azure, String rgName, Region region) { string envDockerHost = Environment.GetEnvironmentVariable("DOCKER_HOST"); string envDockerCertPath = Environment.GetEnvironmentVariable("DOCKER_CERT_PATH"); string dockerHostUrl; DockerClient dockerClient; if (String.IsNullOrWhiteSpace(envDockerHost)) { // Could not find a Docker environment; presume that there is no local Docker engine running and // attempt to configure a Docker engine running inside a new Azure virtual machine dockerClient = FromNewDockerVM(azure, rgName, region); } else { dockerHostUrl = envDockerHost; Utilities.Log("Using local settings to connect to a Docker service: " + dockerHostUrl); if (String.IsNullOrWhiteSpace(envDockerCertPath) || !File.Exists(envDockerCertPath + "/key.pfx")) { // Could not find a Docker environment variable that is used to set the path to the certificate files // which are required when authenticating to a secured Docker service. // Presume that no authentication is required to connect with this Docker service dockerClient = new DockerClientConfiguration(new Uri(dockerHostUrl)).CreateClient(); } else { // Found environment variable pointing at the folder containing the certificate files required to // establish a secured connection to this Docker service. // "key.pfx" file is required when connecting using the .Net client; to generate this certificate file // from standard .PEM certificate file execute the following command: // // openssl pkcs12 -export -inkey key.pem -in cert.pem -out key.pfx -passout pass: -CAfile ca.pem // var credentials = new CertificateCredentials(new X509Certificate2(envDockerCertPath + "/key.pfx")); credentials.ServerCertificateValidationCallback += (o, c, ch, er) => true; dockerClient = new DockerClientConfiguration(new Uri(dockerHostUrl), credentials).CreateClient(); } } Utilities.Log("List Docker host info"); Utilities.Log("\tFound Docker version: " + dockerClient.Miscellaneous.GetVersionAsync().Result.Version); Utilities.Log("\tFound Docker server version: " + dockerClient.Miscellaneous.GetSystemInfoAsync().Result.ServerVersion); return(dockerClient); }
public static DockerClient CreateClient(string HostAddress, string CertificateLocation) { HostAddress = HostAddress ?? Environment.GetEnvironmentVariable("DOCKER_HOST") ?? "http://127.0.0.1:2375"; CertificateLocation = CertificateLocation ?? Environment.GetEnvironmentVariable("DOCKER_CERT_PATH"); Credentials cred = null; if (!string.IsNullOrEmpty(CertificateLocation)) { //BUGBUG(swernli) - Remove this later in favor of something better. ServicePointManager.ServerCertificateValidationCallback += (o, c, ch, er) => true; // Try to find a certificate for secure connections. cred = new CertificateCredentials( new X509Certificate2( System.IO.Path.Combine(CertificateLocation, KeyFileName), certPass)); } return(new DockerClientConfiguration(new Uri(HostAddress), cred).CreateClient(new Version(ApiVersion))); }
public async Task Connect() { connected = true; string userProfile = Environment.GetFolderPath(Environment.SpecialFolder.UserProfile); string configPath = Path.Combine(userProfile, @".docker\machine\machines", MachineName, "config.json"); MachineConfigJson machineConfig = MachineConfigJson.Read(File.ReadAllBytes(configPath)); string clientCertPath = machineConfig.HostOptions.AuthOptions.ClientCertPath; string clientKeyPath = machineConfig.HostOptions.AuthOptions.ClientKeyPath; Uri uri = new Uri($"http://{machineConfig.Driver.IPAddress}:2376"); X509Certificate2 cert = CertificateUtils.ReadCertificateWithKey(clientCertPath, clientKeyPath, null); CertificateCredentials credentials = new CertificateCredentials(cert); DockerClientConfiguration config = new DockerClientConfiguration(uri, credentials); client = config.CreateClient(); await Refresh(); }
/// <summary> /// Ensure that a Secret for data exists for the specified database server. /// </summary> /// <returns> /// The Secret resource, as a <see cref="SecretV1"/>. /// </returns> public async Task <SecretV1> EnsureCredentialsSecretPresent() { RequireCurrentState(); SecretV1 existingSecret = await FindCredentialsSecret(); if (existingSecret != null) { Log.LogInformation("Found existing credentials secret {SecretName} for server {ServerId}.", existingSecret.Metadata.Name, State.Id ); return(existingSecret); } Log.LogInformation("Creating credentials secret for server {ServerId}...", State.Id ); Log.LogInformation("Requesting X.509 certificate..."); CertificateCredentials serverCertificate = await RequestServerCertificate(); SecretV1 createdSecret = await KubeClient.SecretsV1().Create( KubeResources.CredentialsSecret(State, serverCertificate, kubeNamespace: KubeOptions.KubeNamespace ) ); Log.LogInformation("Successfully created credentials secret {SecretName} for server {ServerId}.", createdSecret.Metadata.Name, State.Id ); return(createdSecret); }
public CertificateOpenIdAuthenticationStrategy(CertificateCredentials credentials, ICrypt cryptoProvider) { this.credentials = credentials; this.cryptoProvider = cryptoProvider; }
/** * Install Docker on a given virtual machine and return a DockerClient. * @param dockerHostIP - address (IP) of the Docker host machine * @param vmUserName - user name to connect with to the Docker host machine * @param vmPassword - password to connect with to the Docker host machine * @return an instance of DockerClient */ public static DockerClient InstallDocker(string dockerHostIP, string vmUserName, string vmPassword) { int keyPfxBuffLength = 10000; byte[] keyPfxContent = new byte[keyPfxBuffLength]; // it stores the content of the key.pfx certificate file bool dockerHostTlsEnabled = false; string dockerHostUrl = "tcp://" + dockerHostIP + ":2376"; SSHShell sshShell = null; try { using (sshShell = SSHShell.Open(dockerHostIP, 22, vmUserName, vmPassword)) { Utilities.Log("Copy Docker setup scripts to remote host: " + dockerHostIP); sshShell.Upload(Encoding.ASCII.GetBytes(INSTALL_DOCKER_FOR_UBUNTU_SERVER_16_04_LTS), "INSTALL_DOCKER_FOR_UBUNTU_SERVER_16_04_LTS.sh", ".azuredocker", true); sshShell.Upload(Encoding.ASCII.GetBytes(CREATE_OPENSSL_TLS_CERTS_FOR_UBUNTU.Replace("HOST_IP", dockerHostIP)), "CREATE_OPENSSL_TLS_CERTS_FOR_UBUNTU.sh", ".azuredocker", true); sshShell.Upload(Encoding.ASCII.GetBytes(INSTALL_DOCKER_TLS_CERTS_FOR_UBUNTU), "INSTALL_DOCKER_TLS_CERTS_FOR_UBUNTU.sh", ".azuredocker", true); sshShell.Upload(Encoding.ASCII.GetBytes(DEFAULT_DOCKERD_CONFIG_TLS_ENABLED), "dockerd_tls.config", ".azuredocker", true); sshShell.Upload(Encoding.ASCII.GetBytes(CREATE_DEFAULT_DOCKERD_OPTS_TLS_ENABLED), "CREATE_DEFAULT_DOCKERD_OPTS_TLS_ENABLED.sh", ".azuredocker", true); sshShell.Upload(Encoding.ASCII.GetBytes(DEFAULT_DOCKERD_CONFIG_TLS_DISABLED), "dockerd_notls.config", ".azuredocker", true); sshShell.Upload(Encoding.ASCII.GetBytes(CREATE_DEFAULT_DOCKERD_OPTS_TLS_DISABLED), "CREATE_DEFAULT_DOCKERD_OPTS_TLS_DISABLED.sh", ".azuredocker", true); Utilities.Log("Trying to install Docker host at: " + dockerHostIP); string output = sshShell.ExecuteCommand("chmod +x ~/.azuredocker/INSTALL_DOCKER_FOR_UBUNTU_SERVER_16_04_LTS.sh"); Utilities.Log(output); output = sshShell.ExecuteCommand("bash -c ~/.azuredocker/INSTALL_DOCKER_FOR_UBUNTU_SERVER_16_04_LTS.sh"); Utilities.Log(output); Utilities.Log("Trying to create OPENSSL certificates"); output = sshShell.ExecuteCommand("chmod +x ~/.azuredocker/CREATE_OPENSSL_TLS_CERTS_FOR_UBUNTU.sh"); Utilities.Log(output); output = sshShell.ExecuteCommand("bash -c ~/.azuredocker/CREATE_OPENSSL_TLS_CERTS_FOR_UBUNTU.sh"); Utilities.Log(output); Utilities.Log("Trying to install TLS certificates"); output = sshShell.ExecuteCommand("chmod +x ~/.azuredocker/INSTALL_DOCKER_TLS_CERTS_FOR_UBUNTU.sh"); Utilities.Log(output); output = sshShell.ExecuteCommand("bash -c ~/.azuredocker/INSTALL_DOCKER_TLS_CERTS_FOR_UBUNTU.sh"); Utilities.Log(output); Utilities.Log("Download Docker client TLS certificates from: " + dockerHostIP); sshShell.Download(keyPfxContent, keyPfxBuffLength, "key.pfx", ".azuredocker/tls", true); Utilities.Log("Trying to setup Docker config: " + dockerHostIP); //// Setup Docker daemon to allow connection from any Docker clients //output = sshShell.ExecuteCommand("bash -c ~/.azuredocker/CREATE_DEFAULT_DOCKERD_OPTS_TLS_DISABLED.sh"); //Utilities.Log(output); //string dockerHostPort = "2375"; // Default Docker port when secured connection is disabled //dockerHostTlsEnabled = false; // Setup Docker daemon to allow connection from authorized Docker clients only output = sshShell.ExecuteCommand("chmod +x ~/.azuredocker/CREATE_DEFAULT_DOCKERD_OPTS_TLS_ENABLED.sh"); output = sshShell.ExecuteCommand("bash -c ~/.azuredocker/CREATE_DEFAULT_DOCKERD_OPTS_TLS_ENABLED.sh"); Utilities.Log(output); string dockerHostPort = "2376"; // Default Docker port when secured connection is enabled dockerHostTlsEnabled = true; SdkContext.DelayProvider.Delay(10000); dockerHostUrl = "tcp://" + dockerHostIP + ":" + dockerHostPort; } } catch (Exception exception) { Utilities.Log(exception); return(null); } if (dockerHostTlsEnabled) { var credentials = new CertificateCredentials(new X509Certificate2(keyPfxContent)); credentials.ServerCertificateValidationCallback += (o, c, ch, er) => true; return(new DockerClientConfiguration(new Uri(dockerHostUrl), credentials).CreateClient()); } else { return(new DockerClientConfiguration(new Uri(dockerHostUrl)).CreateClient()); } }
public override async Task <Wrapped.AuthenticationResult> Authenticate(string name, string pw, byte[][] certificates, string certhash, bool certstrong) { string fingerprint = null; long? certSerial = null; string subCN = null; Org.BouncyCastle.X509.X509Certificate bouncyCert = null; if (certificates.Length > 0) { var certs = certificates.Select(x => new X509Certificate2(x)).ToArray(); var usercert = certs.Last(); var chain = new X509Chain(); foreach (var cert in certs) { chain.ChainPolicy.ExtraStore.Add(cert); } chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority; chain.Build(usercert); bouncyCert = new X509CertificateParser().ReadCertificate(certificates.Last()); var subDN = bouncyCert.SubjectDN; subCN = subDN.GetValueList()[subDN.GetOidList().IndexOf(X509ObjectIdentifiers.CommonName)] as string; certSerial = bouncyCert.SerialNumber.LongValue; fingerprint = usercert.Thumbprint; } else { // oh @moritzuehling y u do dis to me Q_Q // (no certs at all) } CertificateCredentials creds = null; if (certSerial.HasValue) { creds = new CertificateCredentials { Fingerprint = fingerprint, CertSerial = certSerial.Value, } } ; User user; bool isGuest = false; using (var context = await FancyContext.Connect()) using (var transact = context.Database.BeginTransaction(IsolationLevel.Serializable)) { user = await context.Users.Include(x => x.Membership).Include(x => x.PersistentGuest) .Include(x => x.PersistentGuest.Godfathers).SingleOrDefaultAsync(x => x.CertCredentials.Any(y => y.Fingerprint == fingerprint)); if (user != null) { // Known user. Why? // * member // * persistent guest // // As this is the /authenticator/, we can't query online users because that would deadlock murmur's main thread. // As someone with CertificateCredentials is definitely allowed to connect, we just let them pass here and // kick them in OnUserConnected if they're missing a godfather. } else { // Unknown user. Why? // * temporary guest // * new cert for existing user // * new user // * random person on the internet // Let's first check for guest invites pw = pw.Trim(); var invite = await context.Invites.SingleOrDefaultAsync(x => (x.Code == pw) && (x.ExpirationDate > DateTimeOffset.Now)); if (invite != null) { // Try to match by name. user = await context.Users.Include(x => x.PersistentGuest).SingleOrDefaultAsync(x => x.Name == name); if (user != null) { if (user.GuestInvite == null) { // In case the name is already taken by a non-guest, we force them to a // random but different name so everyone can see they're a guest. name += "-guest-" + Guid.NewGuid().ToString(); user = null; } else { // The account once belonged to a guest? Nice. // But adjust to the new guest invite. user.GuestInvite = invite; // (Note that we don't care about the edge case where guests get ghost-kicked // by other guests because we simply don't care about guests.) } } if (user == null) { // Create a new user for this name if we need to. user = context.Users.Add(new User { Name = name, GuestInvite = invite, }); } isGuest = true; } else { // random person on the internet; has no signed or valid certificate if (!certstrong) { return(Wrapped.AuthenticationResult.Forbidden()); } // New cert for existing user? /* * not longer supported * foreach (System.Collections.ICollection sans in bouncyCert.GetSubjectAlternativeNames()) * { * var enm = sans.GetEnumerator(); * enm.MoveNext(); * enm.MoveNext(); * var val = enm.Current as string; * var match = Regex.Match(val ?? String.Empty, "^([^@]*)@user.mumble.ehvag.de$"); * if (match.Success) * { * var oldName = match.Groups[1].Captures[0].Value; * var existingUser = await context.Users.Include(x => x.CertCredentials).SingleOrDefaultAsync(x => x.Name == oldName && x.CertCredentials.CertSerial < certSerial); * if (existingUser != null) * { * existingUser.Name = subCN; * existingUser.CertCredentials.CertSerial = certSerial.Value; * existingUser.CertCredentials.Fingerprint = fingerprint; * user = existingUser; * break; * } * } * } */ if (user == null) { // no existing user found, so create new user user = context.Users.Add(new User { Name = subCN, CertCredentials = new List <CertificateCredentials> { creds }, Membership = new Membership() }); } } } // As stated above, we can't query mumble for connected users to reject persistent guests. // However, we can use the logs in the database as a heuristic to get currently connected users. if (user.PersistentGuest != null && !isGuest) { var godfathersQuery = from usr in context.Users from godfathership in usr.Membership.Godfatherships where godfathership.UserId == user.Id join e in context.Logs.OfType <LogEntry.Connected>() on usr.Id equals e.Who.Id into connectEvents join e in context.Logs.OfType <LogEntry.Disconnected>() on usr.Id equals e.Who.Id into disconnectEvents select new { Con = connectEvents.Max(x => x.When), Dis = disconnectEvents.Max(x => x.When) }; var godfatherConnected = await godfathersQuery.AnyAsync(l => l.Con > l.Dis); if (!godfatherConnected) { return(Wrapped.AuthenticationResult.Forbidden()); } } await context.SaveChangesAsync(); transact.Commit(); } if (isGuest && (creds != null)) { Fancyauth.GuestCredentials.AddOrUpdate(user.Id, creds, (k, c) => creds); } string[] groups = null; if (user.PersistentGuest != null) { groups = PersistentGuestGroups; } return(Wrapped.AuthenticationResult.Success(user.Id, user.Name, groups)); }
/// <summary> /// Performs the playback of actions in this module. /// </summary> /// <remarks>You should not call this method directly, instead pass the module /// instance to the <see cref="TestModuleRunner.Run(ITestModule)"/> method /// that will in turn invoke this method.</remarks> void ITestModule.Run() { // docker run --name wp1 -p 5556:80 --link mysql:mysql // -e WORDPRESS_DB_PASSWORD=pwd -e WORDPRESS_DB_NAME=wp1 -d wordpress ServicePointManager.ServerCertificateValidationCallback += (o, c, ch, er) => true; DockerClient client = null; if (certFile.Length > 0) { var credentials = new CertificateCredentials(new X509Certificate2(certFile)); client = new DockerClientConfiguration(new Uri(dockerURL), credentials).CreateClient(); } else { client = new DockerClientConfiguration(new Uri(dockerURL)).CreateClient(); } Random r = new Random(); int portNr = r.Next(1500, 8000); TestSuite.CurrentTestContainer.Parameters["URL"] = TestSuite.CurrentTestContainer.Parameters["URL"] + ":" + portNr.ToString(); //Report.Info(portNr.ToString()); //Report.Info(TestSuite.CurrentTestContainer.Parameters["URL"]); Docker.DotNet.Models.HostConfig hostConf = new Docker.DotNet.Models.HostConfig(); hostConf.Links = new List <string>(); hostConf.Links.Add("mysql"); var portBindings = new Dictionary <string, IList <Docker.DotNet.Models.PortBinding> > { { 80.ToString(), new List <Docker.DotNet.Models.PortBinding> { new Docker.DotNet.Models.PortBinding { HostPort = portNr.ToString(), HostIP = "0.0.0.0" } } } }; var exposedPorts = new Dictionary <string, object>() { { 80.ToString(), new { HostPort = portNr.ToString() } } }; hostConf.PortBindings = portBindings; Docker.DotNet.Models.CreateContainerParameters createContainerParams = new Docker.DotNet.Models.CreateContainerParameters(); createContainerParams.HostConfig = hostConf; createContainerParams.Image = "a8f5a76ca5cd"; createContainerParams.Env = new List <string>(); createContainerParams.Env.Add("WORDPRESS_DB_PASSWORD=pwd"); createContainerParams.Env.Add(String.Format("WORDPRESS_DB_NAME=wp{0}", portNr)); createContainerParams.ExposedPorts = exposedPorts; var createTask = client.Containers.CreateContainerAsync(createContainerParams); createTask.Wait(); var container = createTask.Result; TestSuite.CurrentTestContainer.Parameters["containerID"] = container.ID; var incpectTask = client.Containers.InspectContainerAsync(container.ID); incpectTask.Wait(); var inspect = incpectTask.Result; var startParams = new Docker.DotNet.Models.ContainerStartParameters(); var startTast = client.Containers.StartContainerAsync(container.ID, startParams); startTast.Wait(); }
/// <summary> /// Create a new <see cref="SecretV1"/> for the specified database server's credentials. /// </summary> /// <param name="server"> /// A <see cref="DatabaseServer"/> representing the target server. /// </param> /// <param name="serverCertificate"> /// <see cref="CertificateCredentials"/> representing the server certificate. /// </param> /// <param name="kubeNamespace"> /// An optional target Kubernetes namespace. /// </param> /// <returns> /// The configured <see cref="SecretV1"/>. /// </returns> public SecretV1 CredentialsSecret(DatabaseServer server, CertificateCredentials serverCertificate, string kubeNamespace = null) { if (server == null) { throw new ArgumentNullException(nameof(server)); } if (serverCertificate == null) { throw new ArgumentNullException(nameof(serverCertificate)); } var secretData = new Dictionary <string, string>(); if (!String.IsNullOrWhiteSpace(serverCertificate.IssuingCACertificateContent)) { secretData["ca.crt"] = Convert.ToBase64String( Encoding.ASCII.GetBytes(serverCertificate.IssuingCACertificateContent) ); } secretData["server.crt"] = Convert.ToBase64String( Encoding.ASCII.GetBytes(serverCertificate.CertificateContent) ); secretData["server.key"] = Convert.ToBase64String( Encoding.ASCII.GetBytes(serverCertificate.PrivateKey) ); string pfxPassword; byte[] passwordBytes = new byte[16]; using (RandomNumberGenerator random = RandomNumberGenerator.Create()) { random.GetBytes(passwordBytes); } pfxPassword = Convert.ToBase64String(passwordBytes); secretData["server.pfx"] = Convert.ToBase64String( serverCertificate.ToPfx(pfxPassword) ); secretData["pfx-password"] = Convert.ToBase64String( Encoding.ASCII.GetBytes(pfxPassword) ); if (server.Settings is SqlServerSettings sqlServerSettings && !String.IsNullOrWhiteSpace(sqlServerSettings.AdminPassword)) { secretData["sa-password"] = Convert.ToBase64String( Encoding.ASCII.GetBytes(sqlServerSettings.AdminPassword) ); } return(CredentialsSecret( name: Names.CredentialsSecret(server), kubeNamespace: kubeNamespace, data: secretData, labels: new Dictionary <string, string> { ["k8s-app"] = Names.BaseName(server), ["cloud.dimensiondata.daas.server-id"] = server.Id, ["cloud.dimensiondata.daas.secret-type"] = "credentials" } )); }
public static IDataFactoryManagementClient GetRealClient(ExampleSecrets secrets) { IDataFactoryManagementClient client = null; if (secrets.Environment == "test") { string ArmTenant = secrets.TenantId; string ArmServicePrincipalIdentity = secrets.ClientId; string SubId = secrets.SubId; string Thumb = secrets.ClientSecret; // Use service principal with cert to authenticate against Azure X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser); store.Open(OpenFlags.ReadOnly); X509Certificate2 cert = store.Certificates.Find(X509FindType.FindByThumbprint, Thumb, false)[0]; ClientAssertionCertificate cac = new ClientAssertionCertificate(ArmServicePrincipalIdentity, cert); var context = new AuthenticationContext("https://login.windows-ppe.net/" + ArmTenant); AuthenticationResult result = context.AcquireTokenAsync("https://management.core.windows.net/", cac).Result; ServiceClientCredentials creds = new TokenCredentials(result.AccessToken); client = new DataFactoryManagementClient(creds) { SubscriptionId = SubId }; client.BaseUri = new Uri("https://api-dogfood.resources.windows-int.net/"); } else if (secrets.Environment == "dogfood") { string ArmTenant = secrets.TenantId; string ArmServicePrincipalIdentity = secrets.ClientId; string SubId = secrets.SubId; // Use service principal with key to authenticate against Azure string secret = secrets.ClientSecret; var cac = new ClientCredential(ArmServicePrincipalIdentity, secret); var context = new AuthenticationContext("https://login.windows-ppe.net/" + ArmTenant); AuthenticationResult result = context.AcquireTokenAsync("https://management.core.windows.net/", cac).Result; ServiceClientCredentials creds = new TokenCredentials(result.AccessToken); client = new DataFactoryManagementClient(creds) { SubscriptionId = SubId }; client.BaseUri = new Uri("https://api-dogfood.resources.windows-int.net/"); } else if (secrets.Environment == "prod") { // Use Service Principal to authenticate against Azure var context = new AuthenticationContext("https://login.windows.net/" + secrets.TenantId); ClientCredential cc = new ClientCredential(secrets.ClientId, secrets.ClientSecret); AuthenticationResult result = context.AcquireTokenAsync("https://management.azure.com/", cc).Result; ServiceClientCredentials creds = new TokenCredentials(result.AccessToken); client = new DataFactoryManagementClient(creds) { SubscriptionId = secrets.SubId }; } else if (secrets.Environment == "nightly") { // Use certificate for direct access to RP X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser); store.Open(OpenFlags.ReadOnly); X509Certificate2 cert = store.Certificates.Find(X509FindType.FindByThumbprint, "CF6DCEF6F6EB497A1B2A569319D157F875019A9E", false)[0]; CertificateCredentials creds = new CertificateCredentials(cert); client = new DataFactoryManagementClient(creds) { SubscriptionId = secrets.SubId }; client.BaseUri = new Uri("https://adfrpnightly.svc.datafactory-test.azure.com"); } else { throw new ArgumentException("Secrets environment must be test or prod, currently {0}", secrets.Environment); } return(client); }