public MyWebDbContext(DbContextOptions <MyWebDbContext> options)
: base(options)
{
var conn = (Microsoft.Data.SqlClient.SqlConnection)Database.GetDbConnection();
var prov = new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider();
conn.AccessToken = prov.GetAccessTokenAsync("https://database.windows.net/").Result;
}
public MyDatabaseContext(DbContextOptions <MyDatabaseContext> options)
: base(options)
{
var conn = (System.Data.SqlClient.SqlConnection)Database.GetDbConnection();
string accesstoken = new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider().GetAccessTokenAsync("https://database.windows.net/").Result;
//if the user belogns to more subscriptions/tenants, add tenantID
//string accesstoken = new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider().GetAccessTokenAsync("https://database.windows.net/", "<tenantid>").Result;
conn.AccessToken = accesstoken;
}
/// <summary>
/// Gets the stored key vault configuration.
/// </summary>
/// <param name="configuration">IConfiguration.</param>
/// <param name="deliveryChannelSecretUrl">Azure Key Vault URL where the delivery channel's configuration is stored.</param>
/// <returns>Delivery channel secret.</returns>
public static async Task <string> GetDeliveryChannelSecretAsync(IConfiguration configuration, string deliveryChannelSecretUrl)
{
string?azureConnectionString = configuration.GetValue <string>("AzureServicesAuthConnectionString");
var azureServiceTokenProvider = new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider(azureConnectionString);
using var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
Microsoft.Azure.KeyVault.Models.SecretBundle accountKey = await keyVaultClient.GetSecretAsync(deliveryChannelSecretUrl).ConfigureAwait(false);
return(accountKey.Value);
}
/// <summary>
/// This should be called before any call to <see cref="IRestClient"/>,
/// it sets up the auth token and default headers per the AMS V2 API specification.
/// </summary>
private void ConfigureRestClient()
{
if (!isConfigured)
{
Exception exceptionInLock = null;
lock (configLock)
{
if (!isConfigured)
{
try
{
string amsRestApiEndpoint = GetAmsRestApiEndpoint();
_restClient = new RestClient(amsRestApiEndpoint);
// Acquire a token for AMS.
// Ref: https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet#asal
var azureServiceTokenProvider = new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider();
string amsAccessToken = azureServiceTokenProvider.GetAccessTokenAsync(AmsRestApiResource).Result;
_restClient.Authenticator = new JwtAuthenticator(amsAccessToken);
_restClient.UseNewtonsoftJson(
new Newtonsoft.Json.JsonSerializerSettings()
{
ContractResolver = new DefaultContractResolver(),
});
_restClient.AddDefaultHeader("Content-Type", $"{ContentType.Json};odata=verbose");
_restClient.AddDefaultHeader("Accept", $"{ContentType.Json};odata=verbose");
_restClient.AddDefaultHeader("DataServiceVersion", "3.0");
_restClient.AddDefaultHeader("MaxDataServiceVersion", "3.0");
_restClient.AddDefaultHeader("x-ms-version", "2.19");
}
catch (Exception e)
{
exceptionInLock = e;
_log.LogError(e, $"Failed in {nameof(ConfigureRestClient)}.\nException.Message:\n{e.Message}\nInnerException.Message:\n{e.InnerException?.Message}");
}
finally
{
isConfigured = true;
}
}
}
if (exceptionInLock != null)
{
throw exceptionInLock;
}
}
return;
}
public AzureServiceTokenProviderCredentials(string tenantIdentity, string resourceIdentity)
{
if (string.IsNullOrWhiteSpace(_resourceIdentity))
{
_resourceIdentity = "https://storage.azure.com/";
}
else
{
_resourceIdentity = resourceIdentity;
}
_tenantIdentity = tenantIdentity;
_tokenProvider = new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider();
}
/// <summary>
/// Gets the AMS V2 API endpoint.
/// </summary>
/// <returns>The AMS V2 API endpoint.</returns>
private string GetAmsRestApiEndpoint()
{
string amsRestApiEndpoint;
try
{
// Create a rest client for access the Azure Resource Management API Endpoint:
var restManagementClient = new RestClient(_armManagementUrl);
// Acquire a token for arm.
// Ref: https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet#asal
var azureServiceTokenProvider = new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider();
string armAccessToken = azureServiceTokenProvider.GetAccessTokenAsync(_armManagementUrl).Result;
// Add the bearer authentication token to all requests:
restManagementClient.Authenticator = new JwtAuthenticator(armAccessToken);
// Enforce a known serializer:
restManagementClient.UseNewtonsoftJson(
new Newtonsoft.Json.JsonSerializerSettings()
{
ContractResolver = new DefaultContractResolver(),
});
// Add default headers
restManagementClient.AddDefaultHeader("Accept", $"{ContentType.Json};odata=verbose");
restManagementClient.AddDefaultHeader("Content-Type", ContentType.Json);
// GET ams account details:
var request = new RestRequest(_armAmsAccoutGetPath, Method.GET);
var restResponse = restManagementClient.Execute <JObject>(request);
if (!restResponse.IsSuccessful)
{
string expMsg = "Failed to get ams account details.";
throw new Exception(expMsg);
}
// Parse endpoint information from arm response.
amsRestApiEndpoint = (string)restResponse.Data.SelectToken("properties.apiEndpoints[0].endpoint");
}
catch (Exception e)
{
// Just log, let the caller catch the original exception:
_log.LogError(e, $"Failed in {nameof(GetAmsRestApiEndpoint)}.\nException.Message:\n{e.Message}\nInnerException.Message:\n{e.InnerException?.Message}");
throw;
}
return(amsRestApiEndpoint);
}
public string GetAzureRestApiToken(string ServiceURI, bool UseMSI, string ApplicationId, string AuthenticationKey)
{
if (UseMSI == true)
{
Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider tokenProvider = new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider();
//https://management.azure.com/
return(tokenProvider.GetAccessTokenAsync(ServiceURI).Result);
}
else
{
AuthenticationContext context = new AuthenticationContext("https://login.windows.net/" + _authOptions.Value.TenantId);
ClientCredential cc = new ClientCredential(ApplicationId, AuthenticationKey);
AuthenticationResult result = context.AcquireTokenAsync(ServiceURI, cc).Result;
return(result.AccessToken);
}
}
private string ValidateConnectionStringWithoutPassword(string connection, string clientId, string tenantId, string appSecret, string resourceName)
{
if (string.IsNullOrEmpty(connection))
{
return("Connection string is empty");
}
if (string.IsNullOrEmpty(clientId) || !Guid.TryParse(clientId, out _))
{
return("Invalid client/app id.");
}
if (string.IsNullOrEmpty(tenantId) || !Guid.TryParse(tenantId, out _))
{
return("Invalid tenant id.");
}
if (string.IsNullOrEmpty(appSecret))
{
return("App secret is empty");
}
if (string.IsNullOrEmpty(resourceName))
{
return("Resource name is empty");
}
SqlConnection con = new SqlConnection(connection);
try
{
var tokenProv = new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider($"RunAs=App;AppId={clientId};TenantId={tenantId};AppKey={appSecret}");
con.AccessToken = tokenProv.GetAccessTokenAsync(resourceName).Result;
con.Open();
return("Connection success.");
}
catch (Exception e)
{
return(e.Message);
}
finally
{
con.Close();
con.Dispose();
}
}
public MentorDbContext(DbContextOptions <MentorDbContext> options, IHttpContextAccessor httpContextAccessor, ILogger <MentorDbContext> logger)
: base(options)
{
this.httpContextAccessor = httpContextAccessor;
this.logger = logger;
var conn = (Microsoft.Data.SqlClient.SqlConnection)Database.GetDbConnection();
if (conn.ConnectionString.Contains("database.usgovcloudapi.net", StringComparison.OrdinalIgnoreCase))
{
var provider = new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider();
conn.AccessToken = provider.GetAccessTokenAsync("https://database.usgovcloudapi.net/").ConfigureAwait(true).GetAwaiter().GetResult();
}
if (conn.ConnectionString.Contains("database.windows.net", StringComparison.OrdinalIgnoreCase))
{
var provider = new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider();
conn.AccessToken = provider.GetAccessTokenAsync("https://database.windows.net/").ConfigureAwait(true).GetAwaiter().GetResult();
}
}
public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.ConfigureAppConfiguration((context, config) =>
{
// read config from KV if env is prod else read from appsetting.json
if (context.HostingEnvironment.IsProduction())
{
var builtConfig = config.Build();
var kvacct = builtConfig["app:kvacct"];
Trace.WriteLine($"TRACE:kevault url= https://{kvacct}.vault.azure.net/");
var azureServiceTokenProvider = new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(
azureServiceTokenProvider.KeyVaultTokenCallback));
config.AddAzureKeyVault(
$"https://{kvacct}.vault.azure.net/",
keyVaultClient,
new DefaultKeyVaultSecretManager());
}
})
.UseStartup <Startup>();
public AzureServiceTokenProviderCredentials(string tenantIdentity, string resourceIdentity, string clientIdentity)
{
if (string.IsNullOrWhiteSpace(_resourceIdentity))
{
_resourceIdentity = "https://database.windows.net/";
}
else
{
_resourceIdentity = resourceIdentity;
}
if (!string.IsNullOrWhiteSpace(tenantIdentity))
{
_tenantIdentity = tenantIdentity;
}
if (string.IsNullOrWhiteSpace(clientIdentity))
{
_tokenProvider = new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider();
}
else
{
_tokenProvider = new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider($"RunAs=App;AppId={clientIdentity}");
}
}
