public async Task <IActionResult> Create([HttpTrigger(AuthorizationLevel.Anonymous, "post", Route = "managedSecrets")] ManagedSecretViewModel inputSecret) { if (!_identityService.CurrentUserHasRole(AuthJanitorRoles.SecretAdmin)) { return(new UnauthorizedResult()); } var resources = await _resources.Get(); var resourceIds = inputSecret.ResourceIds.Split(';').Select(r => Guid.Parse(r)).ToList(); if (resourceIds.Any(id => !resources.Any(r => r.ObjectId == id))) { await _eventDispatcher.DispatchEvent(AuthJanitorSystemEvents.AnomalousEventOccurred, nameof(AdminApi.ManagedSecrets.Create), "New Managed Secret attempted to use one or more invalid Resource IDs"); return(new NotFoundObjectResult("One or more Resource IDs not found!")); } ManagedSecret newManagedSecret = new ManagedSecret() { Name = inputSecret.Name, Description = inputSecret.Description, ValidPeriod = TimeSpan.FromMinutes(inputSecret.ValidPeriodMinutes), LastChanged = DateTimeOffset.UtcNow - TimeSpan.FromMinutes(inputSecret.ValidPeriodMinutes), TaskConfirmationStrategies = inputSecret.TaskConfirmationStrategies, ResourceIds = resourceIds, Nonce = await _cryptographicImplementation.GenerateCryptographicallySecureString(_configuration.DefaultNonceLength) }; await _managedSecrets.Create(newManagedSecret); await _eventDispatcher.DispatchEvent(AuthJanitorSystemEvents.SecretCreated, nameof(AdminApi.ManagedSecrets.Create), newManagedSecret); return(new OkObjectResult(_managedSecretViewModel(newManagedSecret))); }
public override async Task <RegeneratedSecret> Rekey(TimeSpan requestedValidPeriod) { _logger.LogInformation("Generating a new secret of length {SecretKeyLength}", Configuration.KeyLength); RegeneratedSecret newKey = new RegeneratedSecret() { Expiry = DateTimeOffset.UtcNow + requestedValidPeriod, UserHint = Configuration.UserHint, NewSecretValue = await _cryptographicImplementation.GenerateCryptographicallySecureString(Configuration.KeyLength) }; var functionsApp = await(await this.GetAzure()).AppServices.FunctionApps.GetByResourceGroupAsync(ResourceGroup, ResourceName); if (functionsApp == null) { throw new Exception($"Cannot locate Functions application called '{ResourceName}' in group '{ResourceGroup}'"); } _logger.LogInformation("Removing previous Function Key '{FunctionKeyName}' from Function '{FunctionName}'", Configuration.FunctionKeyName, Configuration.FunctionName); await functionsApp.RemoveFunctionKeyAsync(Configuration.FunctionName, Configuration.FunctionKeyName); _logger.LogInformation("Adding new Function Key '{FunctionKeyName}' from Function '{FunctionName}'", Configuration.FunctionKeyName, Configuration.FunctionName); await functionsApp.AddFunctionKeyAsync(Configuration.FunctionName, Configuration.FunctionKeyName, newKey.NewSecretValue); return(newKey); }
public override async Task <RegeneratedSecret> Rekey(TimeSpan requestedValidPeriod) { _logger.LogInformation("Generating new password of length {PasswordLength}", Configuration.PasswordLength); var newPassword = await _cryptographicImplementation.GenerateCryptographicallySecureString(Configuration.PasswordLength); var sqlServer = await GetResourceAsync(); _logger.LogInformation("Updating administrator password..."); await sqlServer.Update() .WithAdministratorPassword(newPassword) .ApplyAsync(); _logger.LogInformation("Password update complete"); return(new RegeneratedSecret() { Expiry = DateTimeOffset.UtcNow + requestedValidPeriod, UserHint = Configuration.UserHint, NewSecretValue = newPassword, NewConnectionString = $"Server=tcp:{Configuration.ResourceName}.database.windows.net,1433;Database={Configuration.DatabaseName};User ID={sqlServer.AdministratorLogin}@{Configuration.ResourceName};Password={newPassword};Trusted_Connection=False;Encrypt=True;" }); }
public override async Task <RegeneratedSecret> Rekey(TimeSpan requestedValidPeriod) { _logger.LogInformation("Getting current Secret details from Secret name '{SecretName}'", Configuration.SecretName); var client = GetSecretClient(); Azure.Response <KeyVaultSecret> currentSecret = await client.GetSecretAsync(Configuration.SecretName); // Create a new version of the Secret KeyVaultSecret newSecret = new KeyVaultSecret( Configuration.SecretName, await _cryptographicImplementation.GenerateCryptographicallySecureString(Configuration.SecretLength)); // Copy in metadata from the old Secret if it existed if (currentSecret != null && currentSecret.Value != null) { newSecret.Properties.ContentType = currentSecret.Value.Properties.ContentType; foreach (KeyValuePair <string, string> tag in currentSecret.Value.Properties.Tags) { newSecret.Properties.Tags.Add(tag.Key, tag.Value); } } newSecret.Properties.NotBefore = DateTimeOffset.UtcNow; newSecret.Properties.ExpiresOn = DateTimeOffset.UtcNow + requestedValidPeriod; _logger.LogInformation("Committing new Secret with name '{SecretName}'", newSecret.Name); Azure.Response <KeyVaultSecret> secretResponse = await client.SetSecretAsync(newSecret); _logger.LogInformation("Successfully committed '{SecretName}'", newSecret.Name); return(new RegeneratedSecret() { Expiry = newSecret.Properties.ExpiresOn.Value, UserHint = Configuration.UserHint, NewSecretValue = secretResponse.Value.Value }); }