/// <summary>
/// Add Keyvault protection
/// </summary>
/// <param name="builder"></param>
/// <param name="configuration"></param>
public static IDataProtectionBuilder AddAzureKeyVaultDataProtection(
this IDataProtectionBuilder builder, IConfiguration configuration = null)
{
if (configuration == null)
{
configuration = builder.Services.BuildServiceProvider()
.GetRequiredService <IConfiguration>();
}
var config = new DataProtectionConfig(configuration);
if (string.IsNullOrEmpty(config.KeyVaultBaseUrl))
{
return(builder);
}
var keyName = config.KeyVaultKeyDataProtection;
var client = TryKeyVaultClientAsync(config.KeyVaultBaseUrl,
config, keyName).Result;
if (client == null)
{
throw new UnauthorizedAccessException("Cannot access keyvault");
}
var identifier = $"{config.KeyVaultBaseUrl.TrimEnd('/')}/keys/{keyName}";
return(builder.ProtectKeysWithAzureKeyVault(client, identifier));
}
/// <summary>
/// Add blob key storage
/// </summary>
/// <param name="builder"></param>
/// <param name="configuration"></param>
public static IDataProtectionBuilder AddAzureBlobKeyStorage(
this IDataProtectionBuilder builder, IConfiguration configuration = null)
{
if (configuration == null)
{
configuration = builder.Services.BuildServiceProvider()
.GetRequiredService <IConfiguration>();
}
var storage = new DataProtectionConfig(configuration);
var containerName = storage.BlobStorageContainerDataProtection;
if (string.IsNullOrEmpty(storage.BlobStorageConnString))
{
return(builder);
}
var storageAccount = CloudStorageAccount.Parse(storage.BlobStorageConnString);
var relativePath = $"{containerName}/keys.xml";
var uriBuilder = new UriBuilder(storageAccount.BlobEndpoint);
uriBuilder.Path = uriBuilder.Path.TrimEnd('/') + "/" + relativePath.TrimStart('/');
var block = new CloudBlockBlob(uriBuilder.Uri, storageAccount.Credentials);
Try.Op(() => block.Container.Create());
return(builder.PersistKeysToAzureBlobStorage(block));
}
/// <summary> Initializes a new instances of <see cref="CSVDataWriter"/> class </summary>
/// <param name="writer"> Text writer to the destination file </param>
public CSVDataWriter(StreamWriter writer, DataProtectionConfig config, TokenCredential credential, string[] header, bool encrypted)
{
this.csvWriter = new CsvWriter(writer);
this.header = header;
this.azureKeyProvider = new AzureKeyVaultKeyStoreProvider(credential);
this.encryptionSettings = LoadFileEncryptionSettings(config, encrypted);
}
/// <summary> Initializes a new instance of <see cref="CSVDataReader"/> class with encryption metadata </summary>
/// <param name="reader"> Text reader of the source </param>
/// <param name="credential">A tokencredential for authenticating to Key Vault</param>
/// <param name="encrypted">Indicates if the current file has encryption or not</param>
public CSVDataReader(StreamReader reader, DataProtectionConfig config, TokenCredential credential, bool encrypted)
{
this.csvReader = new CsvReader(reader, true);
this.encryptionSettings = new List <FileEncryptionSettings>();
this.azureKeyProvider = new AzureKeyVaultKeyStoreProvider(credential);
header = ReaderHeaderIfRequired();
this.encryptionSettings = LoadFileEncryptionSettings(config, encrypted);
}
protected IList <FileEncryptionSettings> LoadFileEncryptionSettings(DataProtectionConfig config, bool encrypted)
{
List <FileEncryptionSettings> encryptionSettings = new List <FileEncryptionSettings>();
for (int i = 0; i < header.Length; i++)
{
ColumnEncryptionInfo encryptionInfo = config.ColumnEncryptionInfo.Where(x => x.ColumnName == header[i]).FirstOrDefault();
if (encryptionInfo != null)
{
string dekName = encryptionInfo.ColumnKeyName;
ColumnKeyInfo dekInfo = config.ColumnKeyInfo.First(x => x.Name == encryptionInfo.ColumnKeyName);
byte[] dekBytes = Converter.FromHexString(dekInfo.EncryptedColumnKey);
ColumnMasterKeyInfo kekInfo = config.ColumnMasterKeyInfo.First(x => x.Name == dekInfo.ColumnMasterKeyName);
KeyEncryptionKey kek = new KeyEncryptionKey(kekInfo.Name, kekInfo.KeyPath, azureKeyProvider);
EncryptionType encryptionType = EncryptionType.Plaintext;
if (encrypted)
{
if (encryptionInfo.EncryptionType.ToLower() == "randomized")
{
encryptionType = EncryptionType.Randomized;
}
else if (encryptionInfo.EncryptionType.ToLower() == "deterministic")
{
encryptionType = EncryptionType.Deterministic;
}
else
{
encryptionType = EncryptionType.Plaintext;
}
}
var encryptionSetting = new FileEncryptionSettings <string>(new ProtectedDataEncryptionKey(dekName, kek, dekBytes), encryptionType, new SqlVarCharSerializer(size: 255));
encryptionSettings.Add(encryptionSetting);
}
else
{
if (defaultKEK == null)
{
ColumnMasterKeyInfo kekInfo = config.ColumnMasterKeyInfo.First();
KeyEncryptionKey kek = new KeyEncryptionKey(kekInfo.Name, kekInfo.KeyPath, azureKeyProvider);
defaultKEK = kek;
}
var encryptionSetting = new FileEncryptionSettings <string>(new ProtectedDataEncryptionKey("none", defaultKEK), EncryptionType.Plaintext, new SqlVarCharSerializer(size: 255));
encryptionSettings.Add(encryptionSetting);
}
}
return(encryptionSettings);
}
/// <summary> Initializes a new instance of <see cref="YamlConfigReader"/> class </summary>
/// <param name="configFile"> Config file stream object</param>
public YamlConfigReader(Stream configFile)
{
using (StreamReader reader = new StreamReader(configFile))
{
IDeserializer deserializer = new DeserializerBuilder().WithNamingConvention(PascalCaseNamingConvention.Instance).Build();
yamlConfig = deserializer.Deserialize <DataProtectionConfig>(reader);
configExists = true;
// TODO: Double-check on method to ensure this is disposed
configFile.Close();
}
}
public void Returns_Uri__With_Correct_Value()
{
// Arrange
var key = $"https://{Rnd.Str}.com/";
var config = new DataProtectionConfig {
KeyUri = key
};
// Act
var result = config.GetUri();
// Assert
Assert.Equal(key.ToLowerInvariant(), result.AbsoluteUri);
}
public void Returns_True()
{
// Arrange
var config = new DataProtectionConfig
{
StorageAccessKeyConnectionString = Rnd.Str,
ContainerName = Rnd.Str,
BlobName = Rnd.Str,
KeyUri = Rnd.Str
};
// Act
var result = config.IsValid;
// Assert
Assert.True(result);
}
public void Returns_False(string cs, string container, string blob, string key)
{
// Arrange
var config = new DataProtectionConfig
{
StorageAccessKeyConnectionString = cs,
ContainerName = container,
BlobName = blob,
KeyUri = key
};
// Act
var result = config.IsValid;
// Assert
Assert.False(result);
}
public Startup(IConfiguration configuration)
{
Configuration = configuration;
_helseIdConfigurationSection = Configuration.GetSection(nameof(DemoHelseIdConfig));
_demoHelseIdConfiguration = _helseIdConfigurationSection.Get <DemoHelseIdConfig>();
_redirectPagesConfigurationSection = Configuration.GetSection(nameof(RedirectPagesKonfigurasjon));
_redirectPagesConfiguration = _redirectPagesConfigurationSection.Get <RedirectPagesKonfigurasjon>();
_hprConfigurationSection = Configuration.GetSection(nameof(HprKonfigurasjon));
_hprConfiguration = _hprConfigurationSection.Get <HprKonfigurasjon>();
_whitelist = Configuration.GetSection(nameof(WhitelistConfiguration)).Get <WhitelistConfiguration>().Whitelist;
_dataprotectionConfigSection = Configuration.GetSection(nameof(DataProtectionConfig));
_dataProtectionConfig = _dataprotectionConfigSection.Get <DataProtectionConfig>();
}
/// <summary> Writes updated config back to yaml file </summary>
/// <param name="currentConfig"> Latest config data </param>
public void Write(DataProtectionConfig currentConfig)
{
if (configStream)
{
using (StreamWriter streamWriter = new StreamWriter(configFile))
{
ISerializer serializer = new SerializerBuilder().WithNamingConvention(PascalCaseNamingConvention.Instance).Build();
serializer.Serialize(streamWriter, currentConfig);
}
}
else
{
using (StreamWriter streamWriter = new StreamWriter(this.configFilePath, false, Encoding.UTF8))
{
ISerializer serializer = new SerializerBuilder().WithNamingConvention(PascalCaseNamingConvention.Instance).Build();
serializer.Serialize(streamWriter, currentConfig);
}
}
}
/// <summary>
/// Add Keyvault protection
/// </summary>
/// <param name="builder"></param>
/// <param name="configuration"></param>
public static IDataProtectionBuilder AddAzureKeyVaultDataProtection(
this IDataProtectionBuilder builder, IConfiguration configuration)
{
var config = new DataProtectionConfig(configuration);
if (string.IsNullOrEmpty(config.KeyVaultBaseUrl))
{
throw new InvalidConfigurationException(
"Keyvault base url is missing in your configuration " +
"for dataprotection to be able to store the root key.");
}
var keyName = config.KeyVaultKeyDataProtection;
var keyVault = new KeyVaultClientBootstrap(configuration);
if (!TryInititalizeKeyAsync(keyVault.Client, config.KeyVaultBaseUrl, keyName).Result)
{
throw new UnauthorizedAccessException("Cannot access keyvault");
}
var identifier = $"{config.KeyVaultBaseUrl.TrimEnd('/')}/keys/{keyName}";
return(builder.ProtectKeysWithAzureKeyVault(keyVault.Client, identifier));
}
/// <summary>
/// Add blob key storage
/// </summary>
/// <param name="builder"></param>
/// <param name="configuration"></param>
public static IDataProtectionBuilder AddAzureBlobKeyStorage(
this IDataProtectionBuilder builder, IConfiguration configuration)
{
var storage = new DataProtectionConfig(configuration);
var containerName = storage.BlobStorageContainerDataProtection;
var connectionString = storage.GetStorageConnString();
if (string.IsNullOrEmpty(connectionString))
{
throw new InvalidConfigurationException(
"Storage configuration is missing in your configuration for " +
"dataprotection to store all keys across all instances.");
}
var storageAccount = CloudStorageAccount.Parse(storage.GetStorageConnString());
var relativePath = $"{containerName}/keys.xml";
var uriBuilder = new UriBuilder(storageAccount.BlobEndpoint);
uriBuilder.Path = uriBuilder.Path.TrimEnd('/') + "/" + relativePath.TrimStart('/');
var block = new CloudBlockBlob(uriBuilder.Uri, storageAccount.Credentials);
Try.Op(() => block.Container.Create());
return(builder.PersistKeysToAzureBlobStorage(block));
}
private void OnExecute()
{
string outPath = OutputFilePath ?? (Path.GetFileNameWithoutExtension(DataFilePath) + "_output" + Path.GetExtension(DataFilePath));
// load configuration file
// YamlConfigReader configFile = new YamlConfigReader(".\\resources\\config.yaml");
YamlConfigReader configFile = new YamlConfigReader(MetadataFilePath);
DataProtectionConfig protectionConfig = configFile.Read();
bool sourceIsEncrypted = false;
bool targetIsEncrypted = true;
string outputFileName = "";
switch (Command.ToLower())
{
case "encrypt":
sourceIsEncrypted = false;
targetIsEncrypted = true;
outputFileName = DataFilePath.Split('.')[0] + "-encrypted." + DataFilePath.Split('.')[1];
break;
case "decrypt":
sourceIsEncrypted = true;
targetIsEncrypted = false;
outputFileName = DataFilePath.Split('.')[0] + "-decrypted." + DataFilePath.Split('.')[1];
break;
default:
Console.WriteLine("Not a valid command. Try 'encrypt' or 'decrypt' as a command.");
break;
}
// For encryption operations, we're going to remove output settings
// open input and output file streams
// Stream inputFile = File.OpenRead (".\\resources\\userdata.parquet");
// Stream outputFile = File.OpenWrite (".\\resources\\userdata.parquet");
Stream outputFile = File.OpenWrite(outputFileName);
// Create reader
// using ParquetFileReader reader = new ParquetFileReader (inputFile);
CSVDataReader reader = new CSVDataReader(new StreamReader(DataFilePath), protectionConfig, TokenCredential, sourceIsEncrypted);
// Copy source settings as target settings
/*
* List<FileEncryptionSettings> writerSettings = reader.FileEncryptionSettings
* .Select (s => Copy (s))
* .ToList ();
*/
// Create and pass the target settings to the writer
// using ParquetFileWriter writer = new ParquetFileWriter (outputFile, writerSettings);
using CSVDataWriter writer = new CSVDataWriter(new StreamWriter(outputFile), protectionConfig, TokenCredential, reader.Header, targetIsEncrypted);
// Process the file
ColumnarCryptographer cryptographer = new ColumnarCryptographer(reader, writer);
try
{
cryptographer.Transform();
Console.WriteLine($"File processed successfully. Verify output file contains encrypted data.");
}
catch (Exception e)
{
Console.WriteLine(e.Message);
}
}
