/// <summary> /// Add Keyvault protection /// </summary> /// <param name="builder"></param> /// <param name="configuration"></param> public static IDataProtectionBuilder AddAzureKeyVaultDataProtection( this IDataProtectionBuilder builder, IConfiguration configuration = null) { if (configuration == null) { configuration = builder.Services.BuildServiceProvider() .GetRequiredService <IConfiguration>(); } var config = new DataProtectionConfig(configuration); if (string.IsNullOrEmpty(config.KeyVaultBaseUrl)) { return(builder); } var keyName = config.KeyVaultKeyDataProtection; var client = TryKeyVaultClientAsync(config.KeyVaultBaseUrl, config, keyName).Result; if (client == null) { throw new UnauthorizedAccessException("Cannot access keyvault"); } var identifier = $"{config.KeyVaultBaseUrl.TrimEnd('/')}/keys/{keyName}"; return(builder.ProtectKeysWithAzureKeyVault(client, identifier)); }
/// <summary> /// Add blob key storage /// </summary> /// <param name="builder"></param> /// <param name="configuration"></param> public static IDataProtectionBuilder AddAzureBlobKeyStorage( this IDataProtectionBuilder builder, IConfiguration configuration = null) { if (configuration == null) { configuration = builder.Services.BuildServiceProvider() .GetRequiredService <IConfiguration>(); } var storage = new DataProtectionConfig(configuration); var containerName = storage.BlobStorageContainerDataProtection; if (string.IsNullOrEmpty(storage.BlobStorageConnString)) { return(builder); } var storageAccount = CloudStorageAccount.Parse(storage.BlobStorageConnString); var relativePath = $"{containerName}/keys.xml"; var uriBuilder = new UriBuilder(storageAccount.BlobEndpoint); uriBuilder.Path = uriBuilder.Path.TrimEnd('/') + "/" + relativePath.TrimStart('/'); var block = new CloudBlockBlob(uriBuilder.Uri, storageAccount.Credentials); Try.Op(() => block.Container.Create()); return(builder.PersistKeysToAzureBlobStorage(block)); }
/// <summary> Initializes a new instances of <see cref="CSVDataWriter"/> class </summary> /// <param name="writer"> Text writer to the destination file </param> public CSVDataWriter(StreamWriter writer, DataProtectionConfig config, TokenCredential credential, string[] header, bool encrypted) { this.csvWriter = new CsvWriter(writer); this.header = header; this.azureKeyProvider = new AzureKeyVaultKeyStoreProvider(credential); this.encryptionSettings = LoadFileEncryptionSettings(config, encrypted); }
/// <summary> Initializes a new instance of <see cref="CSVDataReader"/> class with encryption metadata </summary> /// <param name="reader"> Text reader of the source </param> /// <param name="credential">A tokencredential for authenticating to Key Vault</param> /// <param name="encrypted">Indicates if the current file has encryption or not</param> public CSVDataReader(StreamReader reader, DataProtectionConfig config, TokenCredential credential, bool encrypted) { this.csvReader = new CsvReader(reader, true); this.encryptionSettings = new List <FileEncryptionSettings>(); this.azureKeyProvider = new AzureKeyVaultKeyStoreProvider(credential); header = ReaderHeaderIfRequired(); this.encryptionSettings = LoadFileEncryptionSettings(config, encrypted); }
protected IList <FileEncryptionSettings> LoadFileEncryptionSettings(DataProtectionConfig config, bool encrypted) { List <FileEncryptionSettings> encryptionSettings = new List <FileEncryptionSettings>(); for (int i = 0; i < header.Length; i++) { ColumnEncryptionInfo encryptionInfo = config.ColumnEncryptionInfo.Where(x => x.ColumnName == header[i]).FirstOrDefault(); if (encryptionInfo != null) { string dekName = encryptionInfo.ColumnKeyName; ColumnKeyInfo dekInfo = config.ColumnKeyInfo.First(x => x.Name == encryptionInfo.ColumnKeyName); byte[] dekBytes = Converter.FromHexString(dekInfo.EncryptedColumnKey); ColumnMasterKeyInfo kekInfo = config.ColumnMasterKeyInfo.First(x => x.Name == dekInfo.ColumnMasterKeyName); KeyEncryptionKey kek = new KeyEncryptionKey(kekInfo.Name, kekInfo.KeyPath, azureKeyProvider); EncryptionType encryptionType = EncryptionType.Plaintext; if (encrypted) { if (encryptionInfo.EncryptionType.ToLower() == "randomized") { encryptionType = EncryptionType.Randomized; } else if (encryptionInfo.EncryptionType.ToLower() == "deterministic") { encryptionType = EncryptionType.Deterministic; } else { encryptionType = EncryptionType.Plaintext; } } var encryptionSetting = new FileEncryptionSettings <string>(new ProtectedDataEncryptionKey(dekName, kek, dekBytes), encryptionType, new SqlVarCharSerializer(size: 255)); encryptionSettings.Add(encryptionSetting); } else { if (defaultKEK == null) { ColumnMasterKeyInfo kekInfo = config.ColumnMasterKeyInfo.First(); KeyEncryptionKey kek = new KeyEncryptionKey(kekInfo.Name, kekInfo.KeyPath, azureKeyProvider); defaultKEK = kek; } var encryptionSetting = new FileEncryptionSettings <string>(new ProtectedDataEncryptionKey("none", defaultKEK), EncryptionType.Plaintext, new SqlVarCharSerializer(size: 255)); encryptionSettings.Add(encryptionSetting); } } return(encryptionSettings); }
/// <summary> Initializes a new instance of <see cref="YamlConfigReader"/> class </summary> /// <param name="configFile"> Config file stream object</param> public YamlConfigReader(Stream configFile) { using (StreamReader reader = new StreamReader(configFile)) { IDeserializer deserializer = new DeserializerBuilder().WithNamingConvention(PascalCaseNamingConvention.Instance).Build(); yamlConfig = deserializer.Deserialize <DataProtectionConfig>(reader); configExists = true; // TODO: Double-check on method to ensure this is disposed configFile.Close(); } }
public void Returns_Uri__With_Correct_Value() { // Arrange var key = $"https://{Rnd.Str}.com/"; var config = new DataProtectionConfig { KeyUri = key }; // Act var result = config.GetUri(); // Assert Assert.Equal(key.ToLowerInvariant(), result.AbsoluteUri); }
public void Returns_True() { // Arrange var config = new DataProtectionConfig { StorageAccessKeyConnectionString = Rnd.Str, ContainerName = Rnd.Str, BlobName = Rnd.Str, KeyUri = Rnd.Str }; // Act var result = config.IsValid; // Assert Assert.True(result); }
public void Returns_False(string cs, string container, string blob, string key) { // Arrange var config = new DataProtectionConfig { StorageAccessKeyConnectionString = cs, ContainerName = container, BlobName = blob, KeyUri = key }; // Act var result = config.IsValid; // Assert Assert.False(result); }
public Startup(IConfiguration configuration) { Configuration = configuration; _helseIdConfigurationSection = Configuration.GetSection(nameof(DemoHelseIdConfig)); _demoHelseIdConfiguration = _helseIdConfigurationSection.Get <DemoHelseIdConfig>(); _redirectPagesConfigurationSection = Configuration.GetSection(nameof(RedirectPagesKonfigurasjon)); _redirectPagesConfiguration = _redirectPagesConfigurationSection.Get <RedirectPagesKonfigurasjon>(); _hprConfigurationSection = Configuration.GetSection(nameof(HprKonfigurasjon)); _hprConfiguration = _hprConfigurationSection.Get <HprKonfigurasjon>(); _whitelist = Configuration.GetSection(nameof(WhitelistConfiguration)).Get <WhitelistConfiguration>().Whitelist; _dataprotectionConfigSection = Configuration.GetSection(nameof(DataProtectionConfig)); _dataProtectionConfig = _dataprotectionConfigSection.Get <DataProtectionConfig>(); }
/// <summary> Writes updated config back to yaml file </summary> /// <param name="currentConfig"> Latest config data </param> public void Write(DataProtectionConfig currentConfig) { if (configStream) { using (StreamWriter streamWriter = new StreamWriter(configFile)) { ISerializer serializer = new SerializerBuilder().WithNamingConvention(PascalCaseNamingConvention.Instance).Build(); serializer.Serialize(streamWriter, currentConfig); } } else { using (StreamWriter streamWriter = new StreamWriter(this.configFilePath, false, Encoding.UTF8)) { ISerializer serializer = new SerializerBuilder().WithNamingConvention(PascalCaseNamingConvention.Instance).Build(); serializer.Serialize(streamWriter, currentConfig); } } }
/// <summary> /// Add Keyvault protection /// </summary> /// <param name="builder"></param> /// <param name="configuration"></param> public static IDataProtectionBuilder AddAzureKeyVaultDataProtection( this IDataProtectionBuilder builder, IConfiguration configuration) { var config = new DataProtectionConfig(configuration); if (string.IsNullOrEmpty(config.KeyVaultBaseUrl)) { throw new InvalidConfigurationException( "Keyvault base url is missing in your configuration " + "for dataprotection to be able to store the root key."); } var keyName = config.KeyVaultKeyDataProtection; var keyVault = new KeyVaultClientBootstrap(configuration); if (!TryInititalizeKeyAsync(keyVault.Client, config.KeyVaultBaseUrl, keyName).Result) { throw new UnauthorizedAccessException("Cannot access keyvault"); } var identifier = $"{config.KeyVaultBaseUrl.TrimEnd('/')}/keys/{keyName}"; return(builder.ProtectKeysWithAzureKeyVault(keyVault.Client, identifier)); }
/// <summary> /// Add blob key storage /// </summary> /// <param name="builder"></param> /// <param name="configuration"></param> public static IDataProtectionBuilder AddAzureBlobKeyStorage( this IDataProtectionBuilder builder, IConfiguration configuration) { var storage = new DataProtectionConfig(configuration); var containerName = storage.BlobStorageContainerDataProtection; var connectionString = storage.GetStorageConnString(); if (string.IsNullOrEmpty(connectionString)) { throw new InvalidConfigurationException( "Storage configuration is missing in your configuration for " + "dataprotection to store all keys across all instances."); } var storageAccount = CloudStorageAccount.Parse(storage.GetStorageConnString()); var relativePath = $"{containerName}/keys.xml"; var uriBuilder = new UriBuilder(storageAccount.BlobEndpoint); uriBuilder.Path = uriBuilder.Path.TrimEnd('/') + "/" + relativePath.TrimStart('/'); var block = new CloudBlockBlob(uriBuilder.Uri, storageAccount.Credentials); Try.Op(() => block.Container.Create()); return(builder.PersistKeysToAzureBlobStorage(block)); }
private void OnExecute() { string outPath = OutputFilePath ?? (Path.GetFileNameWithoutExtension(DataFilePath) + "_output" + Path.GetExtension(DataFilePath)); // load configuration file // YamlConfigReader configFile = new YamlConfigReader(".\\resources\\config.yaml"); YamlConfigReader configFile = new YamlConfigReader(MetadataFilePath); DataProtectionConfig protectionConfig = configFile.Read(); bool sourceIsEncrypted = false; bool targetIsEncrypted = true; string outputFileName = ""; switch (Command.ToLower()) { case "encrypt": sourceIsEncrypted = false; targetIsEncrypted = true; outputFileName = DataFilePath.Split('.')[0] + "-encrypted." + DataFilePath.Split('.')[1]; break; case "decrypt": sourceIsEncrypted = true; targetIsEncrypted = false; outputFileName = DataFilePath.Split('.')[0] + "-decrypted." + DataFilePath.Split('.')[1]; break; default: Console.WriteLine("Not a valid command. Try 'encrypt' or 'decrypt' as a command."); break; } // For encryption operations, we're going to remove output settings // open input and output file streams // Stream inputFile = File.OpenRead (".\\resources\\userdata.parquet"); // Stream outputFile = File.OpenWrite (".\\resources\\userdata.parquet"); Stream outputFile = File.OpenWrite(outputFileName); // Create reader // using ParquetFileReader reader = new ParquetFileReader (inputFile); CSVDataReader reader = new CSVDataReader(new StreamReader(DataFilePath), protectionConfig, TokenCredential, sourceIsEncrypted); // Copy source settings as target settings /* * List<FileEncryptionSettings> writerSettings = reader.FileEncryptionSettings * .Select (s => Copy (s)) * .ToList (); */ // Create and pass the target settings to the writer // using ParquetFileWriter writer = new ParquetFileWriter (outputFile, writerSettings); using CSVDataWriter writer = new CSVDataWriter(new StreamWriter(outputFile), protectionConfig, TokenCredential, reader.Header, targetIsEncrypted); // Process the file ColumnarCryptographer cryptographer = new ColumnarCryptographer(reader, writer); try { cryptographer.Transform(); Console.WriteLine($"File processed successfully. Verify output file contains encrypted data."); } catch (Exception e) { Console.WriteLine(e.Message); } }