private IKeyManagement GetGoogleCloudKeyManagment()
{
var location = Configuration.GetValue <string>("KeyManagement:GoogleKms:Location");
var keyRingName = Configuration.GetValue <string>("KeyManagement:GoogleKms:KeyRingName");
var protectionLevel = Configuration.GetValue <string>("KeyManagement:GoogleKms:ProtectionLevel");
var credentialsPath = Configuration.GetValue <string>("KeyManagement:GoogleKms:CredentialsPath");
var serviceAccountCredential = ServiceAccountCredential.FromServiceAccountData(File.OpenRead(credentialsPath));
var credentials = GoogleCredential.FromServiceAccountCredential(serviceAccountCredential);
if (credentials.IsCreateScopedRequired)
{
credentials = credentials.CreateScoped(new[]
{
CloudKMSService.Scope.CloudPlatform
});
}
var kmsService = new CloudKMSService(new BaseClientService.Initializer
{
HttpClientInitializer = credentials,
GZipEnabled = true
});
return(new GoogleCloudKeyManagment(
kmsService,
serviceAccountCredential.ProjectId,
keyRingName,
location,
protectionLevel));
}
internal KmsDataProtector(CloudKMSService kms, string keyName,
Func <string, IDataProtector> dataProtectorFactory)
{
_kms = kms;
_keyName = keyName;
_dataProtectorFactory = dataProtectorFactory;
}
public GoogleCloudKeyManagment(
CloudKMSService kmsService,
string projectName,
string keyringName,
string keyringLocation,
string protectionLevel)
{
mKmsService = kmsService;
mProjectName = projectName;
mKeyringName = keyringName;
mKeyringLocation = keyringLocation;
mProtectionLevel = protectionLevel;
}
public static string Decrypt(CloudKMSService cloudKms, string projectId, string locationId, string keyRingId, string cryptoKeyId, string ciphertext)
{
//var cloudKms = CreateAuthorizedClient();
// Generate the full path of the crypto key to use for encryption.
var cryptoKey = $"projects/{projectId}/locations/{locationId}/keyRings/{keyRingId}/cryptoKeys/{cryptoKeyId}";
DecryptRequest decryptRequest = new DecryptRequest();
decryptRequest.Ciphertext = ciphertext;
Console.WriteLine($"dataToDecrypt.Ciphertext: {decryptRequest.Ciphertext}");
var result = cloudKms.Projects.Locations.KeyRings.CryptoKeys.Decrypt(name: cryptoKey, body: decryptRequest).Execute();
// Output decrypted data to a file.
var plaintext = result.Plaintext;
Console.WriteLine($"Decrypted file created: {plaintext}");
return(plaintext);
}
public static void Main(string[] args)
{
// Your Google Cloud Platform project ID.
string projectId = "YOUR-PROJECT-ID";
// Lists keys in the "global" location.
string location = "global";
// The resource name of the location associated with the key rings.
string parent = $"projects/{projectId}/locations/{location}";
// Authorize the client using Application Default Credentials.
// See: https://developers.google.com/identity/protocols/application-default-credentials
GoogleCredential credential = GoogleCredential.GetApplicationDefaultAsync().Result;
// Specify the Cloud Key Management Service scope.
if (credential.IsCreateScopedRequired)
{
credential = credential.CreateScoped(new[]
{
Google.Apis.CloudKMS.v1.CloudKMSService.Scope.CloudPlatform
});
}
// Instantiate the Cloud Key Management Service API.
CloudKMSService cloudKms = new CloudKMSService(new BaseClientService.Initializer
{
HttpClientInitializer = credential,
GZipEnabled = false
});
// List key rings.
ListKeyRingsResponse result = cloudKms.Projects.Locations.KeyRings.List(parent).Execute();
if (result.KeyRings != null)
{
Console.WriteLine("Key Rings: ");
result.KeyRings.ToList().ForEach(response => Console.WriteLine(response.Name));
}
else
{
Console.WriteLine("No Key Rings found.");
}
}
public KmsDataProtectionProvider(
IOptions <KmsDataProtectionProviderOptions> options)
{
_options = options;
// Create a KMS service client with credentials.
GoogleCredential credential =
GoogleCredential.GetApplicationDefaultAsync().Result;
// Inject the Cloud Key Management Service scope
if (credential.IsCreateScopedRequired)
{
credential = credential.CreateScoped(new[]
{
CloudKMSService.Scope.CloudPlatform
});
}
_kms = new CloudKMSService(new BaseClientService.Initializer
{
HttpClientInitializer = credential,
GZipEnabled = false
});
// Create the key ring.
var parent = string.Format("projects/{0}/locations/{1}",
options.Value.ProjectId, options.Value.Location);
KeyRing keyRingToCreate = new KeyRing();
var request = new ProjectsResource.LocationsResource
.KeyRingsResource.CreateRequest(_kms, keyRingToCreate, parent);
request.KeyRingId = options.Value.KeyRing;
try
{
request.Execute();
}
catch (Google.GoogleApiException e)
when(e.HttpStatusCode == System.Net.HttpStatusCode.Conflict)
{
// Already exists. Ok.
}
}
public GoogleCloudKeyManagmentTests()
{
mConfiguration = new ConfigurationBuilder()
.AddJsonFile("settings.json")
.AddEnvironmentVariables().Build();
var stream = new MemoryStream();
var writer = new StreamWriter(stream);
writer.Write(mConfiguration.GetValue <string>("KeyManagment:GoogleKms:Credentials"));
writer.Flush();
stream.Position = 0;
var serviceAccountCredential = ServiceAccountCredential.FromServiceAccountData(stream);
var credentials = GoogleCredential.FromServiceAccountCredential(serviceAccountCredential);
if (credentials.IsCreateScopedRequired)
{
credentials = credentials.CreateScoped(new[]
{
CloudKMSService.Scope.CloudPlatform
});
}
mCloudKmsService = new CloudKMSService(new BaseClientService.Initializer
{
HttpClientInitializer = credentials,
GZipEnabled = true
});
var location = mConfiguration.GetValue <string>("KeyManagment:GoogleKms:Location");
var keyRingName = mConfiguration.GetValue <string>("KeyManagment:GoogleKms:KeyRingName");
var protectionLevel = mConfiguration.GetValue <string>("KeyManagment:GoogleKms:ProtectionLevel");
mGoogleCloudKeyManagement = new GoogleCloudKeyManagment(
mCloudKmsService,
serviceAccountCredential.ProjectId,
keyRingName,
location,
protectionLevel);
}
public KmsDataProtectionProvider(IOptions <KmsDataProtectionProviderOptions> options)
{
_options = options;
GoogleCredential credential = GoogleCredential.GetApplicationDefaultAsync().Result;
if (credential.IsCreateScopedRequired)
{
credential = credential.CreateScoped(new[] { CloudKMSService.Scope.CloudPlatform });
}
_kms = new CloudKMSService(new BaseClientService.Initializer
{
HttpClientInitializer = credential,
GZipEnabled = false
});
var parent = string.Format("projects/{0}/locations/{1}", options.Value.ProjectId, options.Value.Location);
KeyRing keyRingToCreate = new KeyRing();
var request = new ProjectsResource.LocationsResource.KeyRingsResource.CreateRequest(_kms, keyRingToCreate, parent);
request.KeyRingId = options.Value.KeyRing;
try
{
request.Execute();
}
catch (Google.GoogleApiException e)
when(e.HttpStatusCode == System.Net.HttpStatusCode.Conflict) /* Already exists. Ok.*/ }
{
}
IDataProtector IDataProtectionProvider.CreateProtector(string purpose)
{
IDataProtector cached;
if (_dataProtectorCache.TryGetValue(purpose, out cached))
{
return(cached);
}
var keyRingName = string.Format(
"projects/{0}/locations/{1}/keyRings/{2}",
_options.Value.ProjectId, _options.Value.Location,
_options.Value.KeyRing);
string rotationPeriod = string.Format("{0}s", TimeSpan.FromDays(7).TotalSeconds);
CryptoKey cryptoKeyToCreate = new CryptoKey()
{
Purpose = "ENCRYPT_DECRYPT",
NextRotationTime = DateTime.UtcNow.AddDays(7),
RotationPeriod = rotationPeriod
};
var request = new ProjectsResource.LocationsResource.KeyRingsResource.CryptoKeysResource.CreateRequest(_kms, cryptoKeyToCreate, keyRingName);
string keyId = EscapeKeyId(purpose);
request.CryptoKeyId = keyId;
string keyName;
try
{
keyName = request.Execute().Name;
}
catch (Google.GoogleApiException e)
when(e.HttpStatusCode == System.Net.HttpStatusCode.Conflict)
{
// Already exists. Ok.
keyName = string.Format("{0}/cryptoKeys/{1}", keyRingName, keyId);
}
var newProtector = new KmsDataProtector(_kms, keyName, (string innerPurpose) => this.CreateProtector($"{purpose}.{innerPurpose}"));
_dataProtectorCache.TryAdd(purpose, newProtector);
return(newProtector);
}
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
// In production, the React files will be served from this directory
services.AddSpaStaticFiles(configuration =>
{
configuration.RootPath = "ClientApp/build";
});
services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
options.LoginPath = "/login";
options.LogoutPath = "/signout";
})
.AddStrava(options =>
{
// ClientId and CleintSecret can be configured in your appsettings.json file
// ....
// "Strava": {
// "ClientId": "5275",
// "ClientSecret": "5930e45f6727e4656eb830e7a3893efbcef2a37b"
// },
// ....
// Your Google Cloud Platform project ID.
string projectId = "jenkins-x-002";
// Lists keys in the "global" location.
string location = "global";
// The resource name of the location associated with the key rings.
string parent = $"projects/{projectId}/locations/{location}";
// Authorize the client using Application Default Credentials.
// See: https://developers.google.com/identity/protocols/application-default-credentials
GoogleCredential credential = GoogleCredential.GetApplicationDefaultAsync().Result;
// Specify the Cloud Key Management Service scope.
if (credential.IsCreateScopedRequired)
{
credential = credential.CreateScoped(new[]
{
Google.Apis.CloudKMS.v1.CloudKMSService.Scope.CloudPlatform
});
}
// Instantiate the Cloud Key Management Service API.
CloudKMSService cloudKms = new CloudKMSService(new BaseClientService.Initializer
{
HttpClientInitializer = credential,
GZipEnabled = false
});
string keyRingId = "oauth_keystore";
string cryptoKeyId = "strava_client_secret";
var ClientIdEnc = Configuration["Strava:ClientId"];
options.ClientId = Decrypt(cloudKms, projectId, location, keyRingId, cryptoKeyId, ClientIdEnc);
var ClientSecretEnc = Configuration["Strava:ClientSecret"];
options.ClientSecret = Decrypt(cloudKms, projectId, location, keyRingId, cryptoKeyId, ClientSecretEnc);
});
}
public static int Main(string[] args)
{
// Your Google Cloud Platform project ID.
string projectId = "YOUR-PROJECT-ID";
if (projectId == "YOUR-" + "PROJECT-ID")
{
Console.Error.WriteLine("Modify Program.cs and replace YOUR-"
+ "PROJECT-ID with your google project id.");
return(-1);
}
// Authorize the client using Application Default Credentials.
// See: https://developers.google.com/identity/protocols/application-default-credentials
GoogleCredential credential =
GoogleCredential.GetApplicationDefaultAsync().Result;
// Specify the Cloud Key Management Service scope.
if (credential.IsCreateScopedRequired)
{
credential = credential.CreateScoped(new[]
{
CloudKMSService.Scope.CloudPlatform
});
}
var cloudKms =
new CloudKMSService(new BaseClientService.Initializer
{
HttpClientInitializer = credential,
GZipEnabled = false
});
// Create the key ring.
string location = "global";
// The resource name of the location associated with the key rings.
string parent = $"projects/{projectId}/locations/{location}";
KeyRing keyRingToCreate = new KeyRing();
var request = new ProjectsResource.LocationsResource
.KeyRingsResource.CreateRequest(cloudKms, keyRingToCreate, parent);
string keyRingId = request.KeyRingId = "QuickStartCore";
try
{
request.Execute();
}
catch (Google.GoogleApiException e)
when(e.HttpStatusCode == System.Net.HttpStatusCode.Conflict)
{
// Already exists. Ok.
}
// Create the crypto key:
var keyRingName = string.Format(
"projects/{0}/locations/{1}/keyRings/{2}",
projectId, location, keyRingId);
string rotationPeriod = string.Format("{0}s",
TimeSpan.FromDays(7).TotalSeconds);
CryptoKey cryptoKeyToCreate = new CryptoKey()
{
Purpose = "ENCRYPT_DECRYPT",
NextRotationTime = DateTime.UtcNow.AddDays(7),
RotationPeriod = rotationPeriod
};
string keyId = "Key1";
string keyName;
try
{
keyName = new ProjectsResource.LocationsResource
.KeyRingsResource.CryptoKeysResource.CreateRequest(
cloudKms, cryptoKeyToCreate, keyRingName)
{
CryptoKeyId = keyId
}.Execute().Name;
}
catch (Google.GoogleApiException e)
when(e.HttpStatusCode == System.Net.HttpStatusCode.Conflict)
{
// Already exists. Ok.
keyName = string.Format("{0}/cryptoKeys/{1}",
keyRingName, keyId);
}
// Encrypt a string.
var encryptResult = cloudKms.Projects.Locations.KeyRings.CryptoKeys
.Encrypt(new EncryptRequest()
{
Plaintext = Convert.ToBase64String(Encoding.UTF8.GetBytes("Hello World."))
}, keyName).Execute();
var cipherText =
Convert.FromBase64String(encryptResult.Ciphertext);
// Decrypt the string.
var result = cloudKms.Projects.Locations.KeyRings.CryptoKeys
.Decrypt(new DecryptRequest()
{
Ciphertext = Convert.ToBase64String(cipherText)
}, keyName).Execute();
Console.WriteLine(Encoding.UTF8.GetString(Convert.FromBase64String(result.Plaintext)));
return(0);
}
