public static async Task Main() { InteractiveBrowserCredential credential; if (!File.Exists(AUTH_RECORD_PATH)) { credential = new InteractiveBrowserCredential( new InteractiveBrowserCredentialOptions { TokenCache = new PersistentTokenCache() }); AuthenticationRecord authRecord = await credential.AuthenticateAsync(); using (var authRecordStream = new FileStream(AUTH_RECORD_PATH, FileMode.Create, FileAccess.Write)) { await authRecord.SerializeAsync(authRecordStream); } } else { AuthenticationRecord authRecord; using (var authRecordStream = new FileStream(AUTH_RECORD_PATH, FileMode.Open, FileAccess.Read)) { authRecord = await AuthenticationRecord.DeserializeAsync(authRecordStream); } credential = new InteractiveBrowserCredential( new InteractiveBrowserCredentialOptions { TokenCache = new PersistentTokenCache(), AuthenticationRecord = authRecord }); } var client = new SecretClient(new Uri("https://myvault.azure.vaults.net/"), credential); }
public static Func <string, string> Create(IConfiguration bootstrapConfiguration) { TelemetryClient telemetry = ConfigMapper.GetTelemetryClient(bootstrapConfiguration); string keyVaultUri = bootstrapConfiguration[ConfigurationConstants.KeyVaultUriConfigurationKey]; var credentials = ServiceConfigurationExtensions.GetAzureTokenCredential(bootstrapConfiguration); var client = new SecretClient(new Uri(keyVaultUri), credentials); void TrackEvent(string key, Exception?error) { telemetry.TrackEvent("KeyVaultSecretAccess", new Dictionary <string, string> { ["secretKey"] = key, ["keyVaultUri"] = keyVaultUri, ["success"] = error == null ? "true" : "false", }); if (error != null) { telemetry.TrackException(error); } } return(RegexConfigMapper.Create(VaultReferenceRegex, key => { try { var value = client.GetSecret(key).Value.Value; TrackEvent(key, null); return value; } catch (RequestFailedException ex) { TrackEvent(key, ex); return ""; } })); }
// using System.Linq; // using System.Security.Cryptography.X509Certificates; // using Azure.Extensions.AspNetCore.Configuration.Secrets; // using Azure.Identity; public static IHostBuilder CreateHostBuilder(string[] args) => Host.CreateDefaultBuilder(args) .ConfigureAppConfiguration((context, config) => { var builtConfig = config.Build(); if (Convert.ToBoolean(builtConfig["IsServiceSecretFromKeyVault"])) { if (!context.HostingEnvironment.IsProduction()) { using (var store = new X509Store(StoreLocation.CurrentUser)) { store.Open(OpenFlags.ReadOnly); var certs = store.Certificates .Find(X509FindType.FindByThumbprint, builtConfig["AzureADCertThumbprint"], false); config.AddAzureKeyVault(new Uri($"https://{builtConfig["KeyVaultName"]}.vault.azure.net/"), new ClientCertificateCredential(builtConfig["AzureADDirectoryId"], builtConfig["AzureADApplicationId"], certs.OfType <X509Certificate2>().Single()), new KeyVaultSecretManager()); store.Close(); } } else { var secretClient = new SecretClient(new Uri($"https://{builtConfig["KeyVaultName"]}.vault.azure.net/"), new DefaultAzureCredential()); config.AddAzureKeyVault(secretClient, new KeyVaultSecretManager()); } } }) .ConfigureWebHostDefaults(webBuilder => { webBuilder.UseStartup <Startup>(); });
public async Task OnGetAsync() { SecretValue = "Secret value is currently empty"; // Get the secret from the preloaded config settings ConfigSetting = configuration["SomeConfigValueFromKV"]; try { // grab the KeyVault Secret value on demand var keyVaultClient = new SecretClient( vaultUri: new Uri("https://cm-identity-kv.vault.azure.net"), credential: new ChainedTokenCredential( new AzureCliCredential(), new ManagedIdentityCredential())); var secretOperation = await keyVaultClient.GetSecretAsync("KVSercret"); var secret = secretOperation.Value; SecretValue = secret.Value; } catch (Exception keyVaultException) { SecretValue = keyVaultException.Message; } }
public async Task AsyncPageableLoop() { // create a client var client = new SecretClient(new Uri("http://example.com"), new DefaultAzureCredential()); #region Snippet:AsyncPageableLoop // call a service method, which returns AsyncPageable<T> AsyncPageable <SecretProperties> allSecretProperties = client.GetPropertiesOfSecretsAsync(); IAsyncEnumerator <SecretProperties> enumerator = allSecretProperties.GetAsyncEnumerator(); try { while (await enumerator.MoveNextAsync()) { SecretProperties secretProperties = enumerator.Current; Console.WriteLine(secretProperties.Name); } } finally { await enumerator.DisposeAsync(); } #endregion }
public async Task ResolveSecretId() { SecretClient secretClient = GetSecretClient(); // using Random to create a key so it is consistent for the recording. IRL this would be // a major security no no. We would need to use AES.Create or RNGCryptoServiceProvider byte[] key = new byte[32]; Recording.Random.NextBytes(key); Secret secret = new Secret(Recording.GenerateId(), Base64Url.Encode(key)) { Properties = { ContentType = "application/octet-stream" } }; secret = await secretClient.SetSecretAsync(secret); CryptographyClient cryptoClient = await Resolver.ResolveAsync(secret.Id); cryptoClient = InstrumentClient(cryptoClient); Assert.IsNotNull(cryptoClient); byte[] toWrap = new byte[32]; Recording.Random.NextBytes(toWrap); WrapResult wrapResult = await cryptoClient.WrapKeyAsync(KeyWrapAlgorithm.A256KW, toWrap); UnwrapResult unwrapResult = await cryptoClient.UnwrapKeyAsync(KeyWrapAlgorithm.A256KW, wrapResult.EncryptedKey); CollectionAssert.AreEqual(toWrap, unwrapResult.Key); }
public async Task <ActionResult <string> > AKV() { SecretClientOptions options = new SecretClientOptions() { Retry = { Delay = TimeSpan.FromSeconds(2), MaxDelay = TimeSpan.FromSeconds(16), MaxRetries = 5, Mode = RetryMode.Exponential } }; var defaultAzureCredential = new DefaultAzureCredential(); var client = new SecretClient(new Uri("https://itan-kv-secrets.vault.azure.net"), defaultAzureCredential); // await client.SetSecretAsync("code-secret", "42"); KeyVaultSecret secret = await client.GetSecretAsync("itan-test-secret"); string secretValue = secret.Value; return(secretValue); }
static void Main(string[] args) { //get config settings string keyVaultName = ConfigurationManager.AppSettings.Get("KEY_VAULT_NAME"); string tenId = ConfigurationManager.AppSettings.Get("TENANT_ID"); string spId = ConfigurationManager.AppSettings.Get("SERVICE_PRINCIPAL_CLIENT_ID"); string spSec = ConfigurationManager.AppSettings.Get("SERVICE_PRINCIPAL_SECRET"); string container = ConfigurationManager.AppSettings.Get("CONTAINER_NAME"); //setup vault uri string kvUri = "https://" + keyVaultName + ".vault.azure.net"; //get access token for vault access var credential = new ClientSecretCredential(tenId, spId, spSec); //instantiate vault client using access token var client = new SecretClient(new Uri(kvUri), credential); //retrieve connection string for storage from vault KeyVaultSecret secret = client.GetSecret("DemoStoreConnectionString"); string storageConnectionString = secret.Value; //create a BlobServiceClient object for container reference BlobServiceClient blobServiceClient = new BlobServiceClient(storageConnectionString); //sink reference to specified container BlobContainerClient containerClient = blobServiceClient.GetBlobContainerClient(container); Console.WriteLine("Listing blobs..."); // List all blobs in the container foreach (BlobItem blobItem in containerClient.GetBlobs()) { Console.WriteLine("\t" + blobItem.Name); } }
static void Main(string[] args) { // <authenticate> Console.Write("What's the name of your Key Vault?"); string keyVaultName = Console.ReadLine(); var kvUri = "https://" + keyVaultName + ".vault.azure.net"; var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential()); // </authenticate> // <add secret> Console.Write("Input the name of your secret > "); string secretName = Console.ReadLine(); Console.Write("Input the value of your secret > "); string secretValue = Console.ReadLine(); Console.Write("Creating a secret in " + keyVaultName + " called '" + secretName + "' with the value '" + secretValue + "` ..."); client.SetSecret(secretName, secretValue); Console.WriteLine(" done."); // </add secret> // <read secret> KeyVaultSecret secret = client.GetSecret(secretName); Console.WriteLine(string.Format("Your secret value read from the vault: {0}", secret.Value.ToString())); // </read secret> }
private void AzureKeyVaultConnection(string clientId, string clientSecret, string tenantId, Uri keyVaultUri) { secret = new SecretClient(keyVaultUri, new ClientSecretCredential(tenantId, clientId, clientSecret)); }
public async Task <string> GetSecretValueAsync(string name) { var client = new SecretClient(_kvUri, _cred); return((await client.GetSecretAsync(name)).Value.Value); }
public void Identity_ClientSideUserAuthentication_SimpleInteractiveBrowser() { #region Snippet:Identity_ClientSideUserAuthentication_SimpleInteractiveBrowser var client = new SecretClient(new Uri("https://myvault.azure.vaults.net/"), new InteractiveBrowserCredential()); #endregion }
public SeedData(SecretClient secretClient) { _secretClient = secretClient; }
public KeyVaultIntegration(KeyVaultOptions options) { SecretClient = new SecretClient(vaultUri: new Uri(options.Url), credential: new DefaultAzureCredential(), options: options.SecretOptions); CertificateClient = new CertificateClient(vaultUri: new Uri(options.Url), credential: new DefaultAzureCredential(), options: options.CertificateOptions); KeyClient = new KeyClient(vaultUri: new Uri(options.Url), credential: new DefaultAzureCredential(), options: options.KeyOptions); }
public async Task DeleteExternalSecretAsync(string externalName) { var secretClient = new SecretClient(new Uri(settings.KeyVault.EndpointUri), tokenCredential); await secretClient.StartDeleteSecretAsync(GetExternalFullName(externalName)); }
private static SecretClient CreateKeyVaultClient(Uri keyVaultURL) { kvClient = new SecretClient(keyVaultURL, defaultCred); return(kvClient); }
public SendMessageHandler(SecretClient client, ISecretKeySettings secretKeySettings) { _client = client; _secretKeySettings = secretKeySettings; }
/// <summary> /// Registers the specified <see cref="SecretClient"/> instance to use to resolve key vault references for secrets from associated key vault. /// </summary> /// <param name="secretClient">Secret client instance.</param> public AzureAppConfigurationKeyVaultOptions Register(SecretClient secretClient) { SecretClients.Add(secretClient); return(this); }
private AzureKeyVaultCertificateClient(SecretClient secretClient) { _secretClient = secretClient; }
public void ConfigureServices(IFunctionsHostBuilder builder, IConfiguration config) { _loggerFactory = new LoggerFactory(); var logger = _loggerFactory.CreateLogger <Startup>(); var aadConfig = config?.GetSection("AzureAd"); builder?.Services.AddHttpClient("graph", x => { x.BaseAddress = new Uri("https://graph.microsoft.com/"); }); builder.Services.AddSingleton <CloudTable>(x => { var sa = CloudStorageAccount.Parse(config["TableTokenCache:ConnectionString"]); var table = sa.CreateCloudTableClient().GetTableReference("MsalCache"); table.CreateIfNotExistsAsync().Wait(); return(table); }); builder.Services.AddSingleton <X509Certificate2>(x => { logger.LogInformation("Setting up certificate"); var managedIdentityAvailable = config["MSI_ENDPOINT"] != null || config["IDENTITY_ENDPOINT"] != null || Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT") != null || Environment.GetEnvironmentVariable("MSI_ENDPOINT") != null; logger.LogInformation($"Managed identity available: {managedIdentityAvailable}"); X509Certificate2 msalCert; if (bool.Parse(config["USE_MSI"])) { logger.LogInformation($"USE_MSI: {managedIdentityAvailable}, using MSI"); var secretClient = new SecretClient(new Uri(config["KeyVault:Endpoint"]), new ManagedIdentityCredential()); var certKey = secretClient.GetSecret(config["KeyVault:CertificateName"]).Value; try { msalCert = new X509Certificate2(Convert.FromBase64String(certKey.Value)); } catch (Exception ex) { logger.LogError($"Error using kv cert: {ex.Message}"); throw; } } else { logger.LogInformation($"USE_MSI: {managedIdentityAvailable}, using local certificate..."); try { //E6213E8767D78C384AD7312EB2049AB5CBA23D33 X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser); certStore.Open(OpenFlags.ReadOnly); X509Certificate2Collection certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, "E6213E8767D78C384AD7312EB2049AB5CBA23D33", false); msalCert = certCollection[0]; //var localCert = System.IO.File.ReadAllBytes(config["AzureAd:TestCertificatePath"]); //logger.LogInformation("Got local cert bytes, creating x509 object"); //msalCert = new X509Certificate2(localCert, config["AzureAd:TestCertificatePassword"]); } catch (Exception ex) { logger.LogError($"Error using local cert: {ex.Message}"); throw; } } return(msalCert); }); builder.Services.Configure <MsalOptions>(x => { x.ClientId = aadConfig["ClientId"]; x.RedirectUri = aadConfig["RedirectUrl"]; x.TenantId = aadConfig["TenantId"]; }); builder.Services.AddTransient <ITokenCacheAccessor, PerUserTableTokenCacheAccessor>(); builder.Services.AddTransient <MsalClientFactory>(); }
private KeyVaultHelper(SecretClient keyVaultClient, string keyVaultUri) { this.keyVaultClient = keyVaultClient; this.keyVaultUri = keyVaultUri; }
public void BackupAndRestoreSync() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL"); #region Snippet:SecretsSample2SecretClient var client = new SecretClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); #endregion #region Snippet:SecretsSample2CreateSecret string secretName = $"StorageAccountPassword{Guid.NewGuid()}"; var secret = new KeyVaultSecret(secretName, "f4G34fMh8v"); secret.Properties.ExpiresOn = DateTimeOffset.Now.AddYears(1); KeyVaultSecret storedSecret = client.SetSecret(secret); #endregion #region Snippet:SecretsSample2BackupSecret string backupPath = Path.GetTempFileName(); byte[] secretBackup = client.BackupSecret(secretName); File.WriteAllBytes(backupPath, secretBackup); #endregion // The storage account secret is no longer in use so you delete it. DeleteSecretOperation operation = client.StartDeleteSecret(secretName); // Before it can be purged, you need to wait until the secret is fully deleted. while (!operation.HasCompleted) { Thread.Sleep(2000); operation.UpdateStatus(); } // If the Key Vault is soft delete-enabled and you want to permanently delete the secret before its `ScheduledPurgeDate`, // the deleted secret needs to be purged. client.PurgeDeletedSecret(secretName); #region Snippet:SecretsSample2RestoreSecret byte[] secretBackupToRestore = File.ReadAllBytes(backupPath); SecretProperties restoreSecret = client.RestoreSecretBackup(secretBackupToRestore); #endregion AssertSecretsEqual(storedSecret.Properties, restoreSecret); // Delete and purge the restored secret. operation = client.StartDeleteSecret(restoreSecret.Name); // You only need to wait for completion if you want to purge or recover the secret. while (!operation.HasCompleted) { Thread.Sleep(2000); operation.UpdateStatus(); } client.PurgeDeletedSecret(restoreSecret.Name); }
public async Task GetSecretsAsync() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL"); var client = new SecretClient(new Uri(keyVaultUrl), new DefaultAzureCredential()); string bankSecretName = $"BankAccountPassword-{Guid.NewGuid()}"; string storageSecretName = $"StorageAccountPassword{Guid.NewGuid()}"; var bankSecret = new KeyVaultSecret(bankSecretName, "f4G34fMh8v"); bankSecret.Properties.ExpiresOn = DateTimeOffset.Now.AddYears(1); var storageSecret = new KeyVaultSecret(storageSecretName, "f4G34fMh8v547"); storageSecret.Properties.ExpiresOn = DateTimeOffset.Now.AddYears(1); await client.SetSecretAsync(bankSecret); await client.SetSecretAsync(storageSecret); Dictionary <string, string> secretValues = new Dictionary <string, string>(); await foreach (SecretProperties secret in client.GetPropertiesOfSecretsAsync()) { // Getting a disabled secret will fail, so skip disabled secrets. if (!secret.Enabled.GetValueOrDefault()) { continue; } KeyVaultSecret secretWithValue = await client.GetSecretAsync(secret.Name); if (secretValues.ContainsKey(secretWithValue.Value)) { Debug.WriteLine($"Secret {secretWithValue.Name} shares a value with secret {secretValues[secretWithValue.Value]}"); } else { secretValues.Add(secretWithValue.Value, secretWithValue.Name); } } string newBankSecretPassword = "******"; await foreach (SecretProperties secret in client.GetPropertiesOfSecretVersionsAsync(bankSecretName)) { // Secret versions may also be disabled if compromised and new versions generated, so skip disabled versions, too. if (!secret.Enabled.GetValueOrDefault()) { continue; } KeyVaultSecret oldBankSecret = await client.GetSecretAsync(secret.Name, secret.Version); if (newBankSecretPassword == oldBankSecret.Value) { Debug.WriteLine($"Secret {secret.Name} reuses a password"); } } await client.SetSecretAsync(bankSecretName, newBankSecretPassword); DeleteSecretOperation bankSecretOperation = await client.StartDeleteSecretAsync(bankSecretName); DeleteSecretOperation storageSecretOperation = await client.StartDeleteSecretAsync(storageSecretName); // You only need to wait for completion if you want to purge or recover the secret. await Task.WhenAll( bankSecretOperation.WaitForCompletionAsync().AsTask(), storageSecretOperation.WaitForCompletionAsync().AsTask()); await foreach (DeletedSecret secret in client.GetDeletedSecretsAsync()) { Debug.WriteLine($"Deleted secret's recovery Id {secret.RecoveryId}"); } // If the Key Vault is soft delete-enabled, then for permanent deletion, deleted secret needs to be purged. await Task.WhenAll( client.PurgeDeletedSecretAsync(bankSecretName), client.PurgeDeletedSecretAsync(storageSecretName)); }
public async Task Run([AzureClient("Connection")] SecretClient keyClient) { await keyClient.SetSecretAsync("TestSecret", "Secret value"); }
public void ConfigureServices(IServiceCollection services) { services.AddSingleton <ILocalizationProvider, StorageLocalizationProvider>(); services.AddTextLocalization(options => { options.ReturnOnlyKeyIfNotFound = !_environment.IsDevelopment(); options.FallBackNeutralCulture = !_environment.IsDevelopment(); }).Configure <RequestLocalizationOptions>(options => { options.DefaultRequestCulture = new RequestCulture(Settings.SupportedCultures[0]); options.AddSupportedCultures(Settings.SupportedCultures); options.AddSupportedUICultures(Settings.SupportedCultures); }); services.AddScoped <LazyAssemblyLoader>(); var dataProtectionBuilder = services.AddDataProtection().SetApplicationName(projectName); services.RegisterStorage(Configuration); services.Configure <ApiBehaviorOptions>(options => { options.SuppressModelStateInvalidFilter = true; }); services.AddIdentity <ApplicationUser, ApplicationRole>() .AddRoles <ApplicationRole>() .AddEntityFrameworkStores <ApplicationDbContext>() .AddDefaultTokenProviders() .AddErrorDescriber <LocalizedIdentityErrorDescriber>(); services.AddScoped <IUserClaimsPrincipalFactory <ApplicationUser>, AdditionalUserClaimsPrincipalFactory>(); var authAuthority = Configuration[$"{projectName}:IS4ApplicationUrl"].TrimEnd('/'); // Adds IdentityServer https://identityserver4.readthedocs.io/en/latest/reference/options.html var identityServerBuilder = services.AddIdentityServer(options => { options.IssuerUri = authAuthority; options.Events.RaiseErrorEvents = true; options.Events.RaiseInformationEvents = true; options.Events.RaiseFailureEvents = true; options.Events.RaiseSuccessEvents = true; options.UserInteraction.ErrorUrl = "/identityserver/error"; }) .AddIdentityServerStores(Configuration) .AddAspNetIdentity <ApplicationUser>(); //https://identityserver4.readthedocs.io/en/latest/reference/aspnet_identity.html X509Certificate2 cert = null; var keysLocalFolder = Path.Combine(_environment.ContentRootPath, "Keys"); if (_environment.IsDevelopment()) { // The AddDeveloperSigningCredential extension creates temporary key material tempkey.jwk for signing tokens. // This might be useful to get started, but needs to be replaced by some persistent key material for production scenarios. // See http://docs.identityserver.io/en/release/topics/crypto.html#refcrypto for more information. // https://stackoverflow.com/questions/42351274/identityserver4-hosting-in-iis identityServerBuilder.AddDeveloperSigningCredential(); dataProtectionBuilder.PersistKeysToFileSystem(new DirectoryInfo(keysLocalFolder)); } else { // Running on Azure Web App service - read the setup doc at blazor-boilerplate.readthedocs.io // appsettings.json parameters used: // "RunsOnAzure": true, // "RunningAsAppService": true, // "RunningAsDocker": false, // not implemented yet // "AzureKeyVault": { // "UsingKeyVault": true, // "UseManagedAppIdentity": true, // "AppKey": "", // not implemented yet. // "AppSecret": "", // "KeyVaultURI": "https://YOURVAULTNAMEHERE.vault.azure.net/", // "CertificateIdentifier": "https://YOURVAULTNAMEHERE.vault.azure.net/certificates/BBAUTH/<HEX_VERSION_STRING_HERE>", // "CertificateName": "BBAUTH", // "StorageAccountBlobBaseUrl": "https://<YOUR_STORAGE_ACCOUNT_NAME_HERE>.blob.core.windows.net", // "ContainerName": "blazor-boilerplate-keys", // "KeysBlobName": "keys.xml" if (Convert.ToBoolean(Configuration["HostingOnAzure:RunsOnAzure"]) == true) { if (Convert.ToBoolean(Configuration["HostingOnAzure:AzureKeyVault:UsingKeyVault"]) == true) { if (Convert.ToBoolean(Configuration["HostingOnAzure:AzurekeyVault:UseManagedAppIdentity"]) == true) { //https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview // In production environment we have already configured Managed Identity (blazor-boilerplate) using Azure Portal for our app to access Key Vault and Blob Storage. // Set up TokenCredential options for production and development environments bool isDeployed = !_environment.IsDevelopment(); var credentialOptions = new DefaultAzureCredentialOptions { ExcludeEnvironmentCredential = isDeployed, ExcludeManagedIdentityCredential = false, // we only use this one in production ExcludeSharedTokenCacheCredential = isDeployed, ExcludeVisualStudioCredential = isDeployed, ExcludeVisualStudioCodeCredential = isDeployed, ExcludeAzureCliCredential = isDeployed, ExcludeInteractiveBrowserCredential = isDeployed, }; // In development environment DefaultAzureCredential() will use the shared token credential from the IDE. In Visual Studio this is under Options - Azure Service Authentication. if (_environment.IsDevelopment()) { // credentialOptions.SharedTokenCacheUsername = "******"; // specify user name to use if more than one Azure username is configured in IDE. // var defaultTenantId = "?????-????-????-????-????????"; // specify AAD tenant to authenticate against (from Azure Portal - AAD - Tenant ID) // credentialOptions.SharedTokenCacheTenantId = defaultTenantId; // credentialOptions.VisualStudioCodeTenantId = defaultTenantId; // credentialOptions.VisualStudioTenantId = defaultTenantId; } TokenCredential tokenCredential = new DefaultAzureCredential(credentialOptions); // The Azure Storage Container (blazor-boilerplate-keys) Access Control must grant blazor-boilerplate the following roles: // - Storage Blob Data Contributor var blobServiceClient = new BlobServiceClient( new Uri(Configuration["HostingOnAzure:AzureKeyVault:StorageAccountBlobBaseUrl"]), tokenCredential); BlobContainerClient blobContainerClient = blobServiceClient.GetBlobContainerClient(Configuration["HostingOnAzure:AzureKeyVault:ContainerName"]); BlobClient blobClient = blobContainerClient.GetBlobClient(Configuration["HostingOnAzure:AzureKeyVault:KeysBlobName"]); var certificateIdentifier = Configuration["HostingOnAzure:AzureKeyVault:CertificateIdentifier"]; dataProtectionBuilder.PersistKeysToAzureBlobStorage(blobClient); // 1. Remove the call to ProtectKeysWithAzureKeyVault below for the first run to create the keys.xml blob in place. // 2. Add the call to ProtectKeysWithAzureKeyVault for subsequent runs.so that keys.xml gets created - see the setup doc for more information dataProtectionBuilder.ProtectKeysWithAzureKeyVault(new Uri(certificateIdentifier), tokenCredential); // Azure Key Vault Access Policy must grant the following permissions to the blazor-boilerplate app: // - Secret Permissions: Get // - Certificate Permissions: Get // Retrieve the certificate and extract the secret so that we can build the new X509 certificate for later use by Identity Server var certificateClient = new CertificateClient(vaultUri: new Uri(Configuration["HostingOnAzure:AzureKeyVault:KeyVaultUri"]), credential: new DefaultAzureCredential()); var secretClient = new SecretClient(vaultUri: new Uri(Configuration["HostingOnAzure:AzureKeyVault:KeyVaultUri"]), credential: new DefaultAzureCredential()); KeyVaultCertificateWithPolicy certificateWithPolicy = certificateClient.GetCertificateAsync(Configuration["HostingOnAzure:AzureKeyVault:CertificateName"]).GetAwaiter().GetResult(); // retrieves latest version of certificate KeyVaultSecretIdentifier secretIdentifier = new KeyVaultSecretIdentifier(certificateWithPolicy.SecretId); KeyVaultSecret secret = secretClient.GetSecretAsync(secretIdentifier.Name, secretIdentifier.Version).GetAwaiter().GetResult(); byte[] privateKeyBytes = Convert.FromBase64String(secret.Value); cert = new X509Certificate2(privateKeyBytes, (string)null, X509KeyStorageFlags.MachineKeySet); } } else // if app id and app secret are used { throw new NotImplementedException(); } } else { dataProtectionBuilder.PersistKeysToFileSystem(new DirectoryInfo(keysLocalFolder)); } //TODO this implementation does not consider certificate expiration if (Convert.ToBoolean(Configuration[$"{projectName}:UseLocalCertStore"]) == true) { var certificateThumbprint = Configuration[$"{projectName}:CertificateThumbprint"]; var storeLocation = StoreLocation.LocalMachine; dynamic storeName = "WebHosting"; if (OperatingSystem.IsLinux()) { storeLocation = StoreLocation.CurrentUser; storeName = StoreName.My; } using X509Store store = new(storeName, storeLocation); store.Open(OpenFlags.ReadOnly); var certs = store.Certificates.Find(X509FindType.FindByThumbprint, certificateThumbprint, false); if (certs.Count > 0) { cert = certs[0]; } else { var certPath = Path.Combine(_environment.ContentRootPath, "AuthSample.pfx"); if (File.Exists(certPath)) { string certificatePassword = Configuration[$"{projectName}:CertificatePassword"] ?? "Admin123"; cert = new X509Certificate2(certPath, certificatePassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable); } } store.Close(); } // pass the resulting certificate to Identity Server if (cert != null) { identityServerBuilder.AddSigningCredential(cert); Log.Logger.Information($"Added certificate {cert.Subject} to Identity Server"); } else if (OperatingSystem.IsWindows()) { Log.Logger.Debug("Trying to use WebHosting Certificate for Identity Server"); identityServerBuilder.AddWebHostingCertificate(); } else { throw new Exception("Missing Certificate for Identity Server"); } } var authBuilder = services.AddAuthentication(options => { options.DefaultScheme = IdentityServerAuthenticationDefaults.AuthenticationScheme; }) .AddIdentityServerAuthentication(options => { options.Authority = authAuthority; options.SupportedTokens = SupportedTokens.Jwt; options.RequireHttpsMetadata = _environment.IsProduction(); options.ApiName = IdentityServerConfig.LocalApiName; options.Events = new JwtBearerEvents { OnMessageReceived = context => { var accessToken = context.Request.Query["access_token"]; // If the request is for our hub... var path = context.HttpContext.Request.Path; if (!string.IsNullOrEmpty(accessToken) && (path.StartsWithSegments("/chathub"))) { // Read the token out of the query string context.Token = accessToken; } return(Task.CompletedTask); } }; }); #region ExternalAuthProviders //https://github.com/dotnet/aspnetcore/blob/master/src/Security/Authentication/samples/SocialSample/Startup.cs //https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/google-logins if (Convert.ToBoolean(Configuration["ExternalAuthProviders:Google:Enabled"] ?? "false")) { authBuilder.AddGoogle(options => { options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme; options.ClientId = Configuration["ExternalAuthProviders:Google:ClientId"]; options.ClientSecret = Configuration["ExternalAuthProviders:Google:ClientSecret"]; options.AuthorizationEndpoint += "?prompt=consent"; // Hack so we always get a refresh token, it only comes on the first authorization response options.AccessType = "offline"; options.SaveTokens = true; options.Events = new OAuthEvents() { OnRemoteFailure = HandleOnRemoteFailure }; options.ClaimActions.MapJsonSubKey("urn:google:image", "image", "url"); options.ClaimActions.Remove(ClaimTypes.GivenName); }); } if (Convert.ToBoolean(Configuration["ExternalAuthProviders:Facebook:Enabled"] ?? "false")) { // You must first create an app with Facebook and add its ID and Secret to your user-secrets. // https://developers.facebook.com/apps/ // https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#login authBuilder.AddFacebook(options => { options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme; options.AppId = Configuration["ExternalAuthProviders:Facebook:AppId"]; options.AppSecret = Configuration["ExternalAuthProviders:Facebook:AppSecret"]; options.Scope.Add("email"); options.Fields.Add("name"); options.Fields.Add("email"); options.SaveTokens = true; options.Events = new OAuthEvents() { OnRemoteFailure = HandleOnRemoteFailure }; }); } if (Convert.ToBoolean(Configuration["ExternalAuthProviders:Twitter:Enabled"] ?? "false")) { // You must first create an app with Twitter and add its key and Secret to your user-secrets. // https://apps.twitter.com/ // https://developer.twitter.com/en/docs/basics/authentication/api-reference/access_token authBuilder.AddTwitter(options => { options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme; options.ConsumerKey = Configuration["ExternalAuthProviders:Twitter:ConsumerKey"]; options.ConsumerSecret = Configuration["ExternalAuthProviders:Twitter:ConsumerSecret"]; // http://stackoverflow.com/questions/22627083/can-we-get-email-id-from-twitter-oauth-api/32852370#32852370 // http://stackoverflow.com/questions/36330675/get-users-email-from-twitter-api-for-external-login-authentication-asp-net-mvc?lq=1 options.RetrieveUserDetails = true; options.SaveTokens = true; options.ClaimActions.MapJsonKey("urn:twitter:profilepicture", "profile_image_url", ClaimTypes.Uri); options.Events = new TwitterEvents() { OnRemoteFailure = HandleOnRemoteFailure }; }); } //https://github.com/xamarin/Essentials/blob/master/Samples/Sample.Server.WebAuthenticator/Startup.cs if (Convert.ToBoolean(Configuration["ExternalAuthProviders:Apple:Enabled"] ?? "false")) { authBuilder.AddApple(options => { options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme; options.ClientId = Configuration["ExternalAuthProviders:Apple:ClientId"]; options.KeyId = Configuration["ExternalAuthProviders:Apple:KeyId"]; options.TeamId = Configuration["ExternalAuthProviders:Apple:TeamId"]; options.UsePrivateKey(keyId => _environment.ContentRootFileProvider.GetFileInfo($"AuthKey_{keyId}.p8")); options.SaveTokens = true; }); } // You must first create an app with Microsoft Account and add its ID and Secret to your user-secrets. // https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app if (Convert.ToBoolean(Configuration["ExternalAuthProviders:Microsoft:Enabled"] ?? "false")) { authBuilder.AddMicrosoftAccount(options => { options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme; options.ClientId = Configuration["ExternalAuthProviders:Microsoft:ClientId"]; options.ClientSecret = Configuration["ExternalAuthProviders:Microsoft:ClientSecret"]; options.SaveTokens = true; options.Scope.Add("offline_access"); options.Events = new OAuthEvents() { OnRemoteFailure = HandleOnRemoteFailure }; }); } #endregion #region Authorization //Add Policies / Claims / Authorization - https://identityserver4.readthedocs.io/en/latest/topics/add_apis.html#advanced services.AddScoped <EntityPermissions>(); services.AddSingleton <IAuthorizationPolicyProvider, AuthorizationPolicyProvider>(); services.AddTransient <IAuthorizationHandler, DomainRequirementHandler>(); services.AddTransient <IAuthorizationHandler, PermissionRequirementHandler>(); #endregion services.Configure <IdentityOptions>(options => { // Password settings options.Password.RequireDigit = RequireDigit; options.Password.RequiredLength = RequiredLength; options.Password.RequireNonAlphanumeric = RequireNonAlphanumeric; options.Password.RequireUppercase = RequireUppercase; options.Password.RequireLowercase = RequireLowercase; //options.Password.RequiredUniqueChars = 6; // Lockout settings options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(30); options.Lockout.MaxFailedAccessAttempts = 10; options.Lockout.AllowedForNewUsers = true; // Require Confirmed Email User settings if (Convert.ToBoolean(Configuration[$"{projectName}:RequireConfirmedEmail"] ?? "false")) { options.User.RequireUniqueEmail = true; options.SignIn.RequireConfirmedEmail = true; } }); #region Cookies // cookie policy to deal with temporary browser incompatibilities services.AddSameSiteCookiePolicy(); //https://docs.microsoft.com/en-us/aspnet/core/security/gdpr services.Configure <CookiePolicyOptions>(options => { // This lambda determines whether user consent for non-essential // cookies is needed for a given request. options.CheckConsentNeeded = context => false; //consent not required // requires using Microsoft.AspNetCore.Http; //options.MinimumSameSitePolicy = SameSiteMode.None; }); //services.ConfigureExternalCookie(options => // { // macOS login fix //options.Cookie.SameSite = SameSiteMode.None; //}); services.ConfigureApplicationCookie(options => { options.Cookie.IsEssential = true; options.Cookie.HttpOnly = true; options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest; options.ExpireTimeSpan = TimeSpan.FromDays(Convert.ToDouble(Configuration[$"{projectName}:CookieExpireTimeSpanDays"] ?? "30")); options.LoginPath = Constants.Settings.LoginPath; //options.AccessDeniedPath = "/Identity/Account/AccessDenied"; // ReturnUrlParameter requires //using Microsoft.AspNetCore.Authentication.Cookies; options.ReturnUrlParameter = CookieAuthenticationDefaults.ReturnUrlParameter; options.SlidingExpiration = true; // Suppress redirect on API URLs in ASP.NET Core -> https://stackoverflow.com/a/56384729/54159 options.Events = new CookieAuthenticationEvents() { OnRedirectToAccessDenied = context => { if (context.Request.Path.StartsWithSegments("/api")) { context.Response.StatusCode = Status403Forbidden; } return(Task.CompletedTask); }, OnRedirectToLogin = context => { context.Response.StatusCode = Status401Unauthorized; return(Task.CompletedTask); } }; }); #endregion services.AddMvc().AddNewtonsoftJson(opt => { // Set Breeze defaults for entity serialization var ss = JsonSerializationFns.UpdateWithDefaults(opt.SerializerSettings); if (ss.ContractResolver is DefaultContractResolver resolver) { resolver.NamingStrategy = null; // remove json camelCasing; names are converted on the client. } if (_environment.IsDevelopment()) { ss.Formatting = Newtonsoft.Json.Formatting.Indented; // format JSON for debugging } }) // Add Breeze exception filter to send errors back to the client .AddMvcOptions(o => { o.Filters.Add(new GlobalExceptionFilter()); }) .AddViewLocalization().AddDataAnnotationsLocalization(options => { options.DataAnnotationLocalizerProvider = (type, factory) => { return(factory.Create(typeof(Global))); }; }).AddFluentValidation(fv => fv.RegisterValidatorsFromAssemblyContaining <LocalizationRecordValidator>()); services.AddServerSideBlazor().AddCircuitOptions(o => { if (_environment.IsDevelopment()) { o.DetailedErrors = true; } }).AddHubOptions(o => { o.MaximumReceiveMessageSize = 131072; }); services.AddSignalR(); if (_enableAPIDoc) { services.AddOpenApiDocument(document => { document.Title = "BlazorBoilerplate API"; document.Version = typeof(Startup).GetTypeInfo().Assembly.GetName().Version.ToString(); document.AddSecurity("bearer", Enumerable.Empty <string>(), new OpenApiSecurityScheme { Type = OpenApiSecuritySchemeType.OAuth2, Description = "Local Identity Server", OpenIdConnectUrl = $"{authAuthority}/.well-known/openid-configuration", //not working Flow = OpenApiOAuth2Flow.AccessCode, Flows = new OpenApiOAuthFlows() { AuthorizationCode = new OpenApiOAuthFlow() { Scopes = new Dictionary <string, string> { { LocalApi.ScopeName, IdentityServerConfig.LocalApiName } }, AuthorizationUrl = $"{authAuthority}/connect/authorize", TokenUrl = $"{authAuthority}/connect/token" }, } });; document.OperationProcessors.Add(new AspNetCoreOperationSecurityScopeProcessor("bearer")); // new OperationSecurityScopeProcessor("bearer")); }); } services.AddScoped <IUserSession, UserSession>(); services.AddSingleton <IHttpContextAccessor, HttpContextAccessor>(); services.Add(ServiceDescriptor.Scoped(typeof(ITenantSettings <>), typeof(TenantSettingsManager <>))); services.AddTransient <IEmailFactory, EmailFactory>(); services.AddTransient <IAccountManager, AccountManager>(); services.AddTransient <IAdminManager, AdminManager>(); services.AddTransient <IEmailManager, EmailManager>(); services.AddTransient <IExternalAuthManager, ExternalAuthManager>(); #region Automapper //Automapper to map DTO to Models https://www.c-sharpcorner.com/UploadFile/1492b1/crud-operations-using-automapper-in-mvc-application/ var automapperConfig = new MapperConfiguration(configuration => { configuration.AddProfile(new MappingProfile()); }); var autoMapper = automapperConfig.CreateMapper(); services.AddSingleton(autoMapper); #endregion /* ServerSideBlazor */ services.AddScoped <IAccountApiClient, AccountApiClient>(); services.AddScoped <AppState>(); // setup HttpClient for server side in a client side compatible fashion ( with auth cookie ) // if (!services.Any(x => x.ServiceType == typeof(HttpClient))) // { services.AddScoped(s => { // creating the URI helper needs to wait until the JS Runtime is initialized, so defer it. var navigationManager = s.GetRequiredService <NavigationManager>(); var httpContextAccessor = s.GetRequiredService <IHttpContextAccessor>(); var cookies = httpContextAccessor.HttpContext.Request.Cookies; var httpClientHandler = new HttpClientHandler() { UseCookies = false }; if (_environment.IsDevelopment()) { // Return 'true' to allow certificates that are untrusted/invalid httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => { return(true); }; } var client = new HttpClient(httpClientHandler); if (cookies.Any()) { var cks = new List <string>(); foreach (var cookie in cookies) { cks.Add($"{cookie.Key}={cookie.Value}"); } client.DefaultRequestHeaders.Add("Cookie", string.Join(';', cks)); } client.BaseAddress = new Uri(navigationManager.BaseUri); return(client); }); // } services.AddScoped <ILocalizationApiClient, LocalizationApiClient>(); services.AddScoped <IApiClient, ApiClient>(); // Authentication providers Log.Logger.Debug("Removing AuthenticationStateProvider..."); var serviceDescriptor = services.FirstOrDefault(descriptor => descriptor.ServiceType == typeof(AuthenticationStateProvider)); if (serviceDescriptor != null) { services.Remove(serviceDescriptor); } Log.Logger.Debug("Adding AuthenticationStateProvider..."); services.AddScoped <AuthenticationStateProvider, IdentityAuthenticationStateProvider>(); /**********************/ services.AddModules(); if (Log.Logger.IsEnabled(Serilog.Events.LogEventLevel.Debug)) { Log.Logger.Debug($"Total Services Registered: {services.Count}"); foreach (var service in services) { Log.Logger.Debug($"\n\tService: {service.ServiceType.FullName}\n\tLifetime: {service.Lifetime}\n\tInstance: {service.ImplementationType?.FullName}"); } } }
/// <summary> /// Gets all top-level XML elements from Azure Key Vault /// </summary> /// <returns></returns> public IReadOnlyCollection <XElement> GetAllElements() { _logger.LogInformation("Loading Data Protection Key Ring from Azure Key Vault"); var credentials = new ClientSecretCredential(tenantId: _tenantId, clientId: _clientId, clientSecret: _secret); var client = new SecretClient(new Uri(_vaultUrl), credentials); try { KeyVaultSecret kvSecret = client.GetSecret(_keyRingName); string encoded = kvSecret.Value; _logger.LogInformation("Key Ring size in Key Vault is {size}", encoded.Length); //The data stored in key vault is base64 encoded string decoded = Encoding.UTF8.GetString(Convert.FromBase64String(encoded)); XDocument doc = XDocument.Parse(decoded); var entries = new List <XElement>(); foreach (XElement node in doc.Root.Elements()) { switch (node.Name.ToString()) { case "key": string keyId = node.Attribute("id")?.Value ?? ""; var created = DateTime.Parse(node.Element("creationDate").Value); var keyAge = DateTime.Now.Subtract(created).Days; //To keep the key-ring small, we remove items older than 180 days if (keyAge <= 180) { _logger.LogInformation("Loaded key {keyid}", keyId); entries.Add(node); } else { _logger.LogCritical("Ignored old key {keyid}", keyId); } break; case "revocation": //Revocation entries are added to the key-ring if we decide to revoke existing keys var revDate = DateTime.Parse(node.Element("revocationDate").Value); var revAge = DateTime.Now.Subtract(revDate).Days; if (revAge <= 180) { _logger.LogInformation("Loaded revocation entry dated {revocationDate}", revDate); entries.Add(node); } break; default: entries.Add(node); break; } } _logger.LogInformation("Loaded {keycount} Key Ring items from Azure Key Vault", entries.Count); return(entries); } catch (Exception exc) { _logger.LogInformation("Failed to load secret '{secretname}' from Azure Key Vault, a new Key Ring will be created.", _keyRingName, exc.Message); return(new List <XElement>()); } }
public ParallelSecretLoader(SecretClient client) { _client = client; _semaphore = new SemaphoreSlim(ParallelismLevel, ParallelismLevel); _tasks = new List <Task <Response <KeyVaultSecret> > >(); }
public TwilioAuthenticationWebHookService(SecretClient secretClient, ISecretKeySettings secretKeySettings) { _secretClient = secretClient; _secretKeySettings = secretKeySettings; }
public AzDOConnection(string azdoUrl, string projectName, string buildDefinitionName, SecretClient client, string secretName) { BuildProjectName = projectName; BuildDefinitionName = buildDefinitionName; var azureDevOpsSecret = client.GetSecret(secretName); var credential = new NetworkCredential("vslsnap", azureDevOpsSecret.Value.Value); Connection = new VssConnection(new Uri(azdoUrl), new WindowsCredential(credential)); NuGetClient = new HttpClient(new HttpClientHandler { Credentials = credential }); GitClient = Connection.GetClient <GitHttpClient>(); BuildClient = Connection.GetClient <BuildHttpClient>(); }
private static SecretClient CreateKeyVaultClient(string keyVaultURL) { kvClient = new SecretClient(new Uri(keyVaultURL), defaultCred); return(kvClient); }