/// <summary> /// Add Keyvault protection /// </summary> /// <param name="builder"></param> /// <param name="configuration"></param> public static IDataProtectionBuilder AddAzureKeyVaultDataProtection( this IDataProtectionBuilder builder, IConfiguration configuration = null) { if (configuration == null) { configuration = builder.Services.BuildServiceProvider() .GetRequiredService <IConfiguration>(); } var config = new DataProtectionConfig(configuration); if (string.IsNullOrEmpty(config.KeyVaultBaseUrl)) { return(builder); } var keyName = config.KeyVaultKeyDataProtection; var client = TryKeyVaultClientAsync(config.KeyVaultBaseUrl, config, keyName).Result; if (client == null) { throw new UnauthorizedAccessException("Cannot access keyvault"); } var identifier = $"{config.KeyVaultBaseUrl.TrimEnd('/')}/keys/{keyName}"; return(builder.ProtectKeysWithAzureKeyVault(client, identifier)); }
public static IDataProtectionBuilder ProtectKeysWithAzureKeyVault(this IDataProtectionBuilder builder) { // not the preferred action here var provider = builder.Services.BuildServiceProvider(); var options = provider.GetRequiredService <IOptions <DataProtectionAzureStorageOptions> >(); #pragma warning disable CA2000 // Dispose objects before losing scope var kvClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(options.Value.TokenProvider.KeyVaultTokenCallback)); #pragma warning restore CA2000 // Dispose objects before losing scope builder.ProtectKeysWithAzureKeyVault(kvClient, options.Value.KeyVaultKeyId); return(builder); }
/// <summary> /// Add Keyvault protection /// </summary> /// <param name="builder"></param> /// <param name="configuration"></param> public static IDataProtectionBuilder AddAzureKeyVaultDataProtection( this IDataProtectionBuilder builder, IConfiguration configuration) { var config = new DataProtectionConfig(configuration); if (string.IsNullOrEmpty(config.KeyVaultBaseUrl)) { throw new InvalidConfigurationException( "Keyvault base url is missing in your configuration " + "for dataprotection to be able to store the root key."); } var keyName = config.KeyVaultKeyDataProtection; var keyVault = new KeyVaultClientBootstrap(configuration); if (!TryInititalizeKeyAsync(keyVault.Client, config.KeyVaultBaseUrl, keyName).Result) { throw new UnauthorizedAccessException("Cannot access keyvault"); } var identifier = $"{config.KeyVaultBaseUrl.TrimEnd('/')}/keys/{keyName}"; return(builder.ProtectKeysWithAzureKeyVault(keyVault.Client, identifier)); }
public static IDataProtectionBuilder ConfigureDataProtection(this IDataProtectionBuilder builder, IConfiguration configuration) { var dataProtectionsOptions = configuration.Get <Aguacongas.TheIdServer.Models.DataProtectionOptions>(); if (dataProtectionsOptions == null) { return(builder); } builder.AddKeyManagementOptions(options => configuration.GetSection(nameof(KeyManagementOptions))?.Bind(options)); ConfigureEncryptionAlgorithm(builder, configuration); switch (dataProtectionsOptions.StorageKind) { case StorageKind.AzureStorage: builder.PersistKeysToAzureBlobStorage(new Uri(dataProtectionsOptions.StorageConnectionString)); break; case StorageKind.EntityFramework: builder.PersistKeysToDbContext <OperationalDbContext>(); break; case StorageKind.FileSytem: builder.PersistKeysToFileSystem(new DirectoryInfo(dataProtectionsOptions.StorageConnectionString)); break; case StorageKind.Redis: var redis = ConnectionMultiplexer.Connect(dataProtectionsOptions.StorageConnectionString); if (string.IsNullOrEmpty(dataProtectionsOptions.RedisKey)) { builder.PersistKeysToStackExchangeRedis(redis); break; } builder.PersistKeysToStackExchangeRedis(redis, dataProtectionsOptions.RedisKey); break; case StorageKind.Registry: #pragma warning disable CA1416 // Validate platform compatibility builder.PersistKeysToRegistry(Registry.CurrentUser.OpenSubKey(dataProtectionsOptions.StorageConnectionString)); #pragma warning restore CA1416 // Validate platform compatibility break; } var protectOptions = dataProtectionsOptions.KeyProtectionOptions; if (protectOptions != null) { switch (protectOptions.KeyProtectionKind) { case KeyProtectionKind.AzureKeyVault: builder.ProtectKeysWithAzureKeyVault(protectOptions.AzureKeyVaultKeyId, protectOptions.AzureKeyVaultClientId, protectOptions.AzureKeyVaultClientSecret); break; case KeyProtectionKind.WindowsDpApi: builder.ProtectKeysWithDpapi(protectOptions.WindowsDPAPILocalMachine); break; case KeyProtectionKind.WindowsDpApiNg: ConfigureWindowsDpApiNg(builder, protectOptions); break; case KeyProtectionKind.X509: if (!string.IsNullOrEmpty(protectOptions.X509CertificatePath)) { var certificate = SigningKeysLoader.LoadFromFile(protectOptions.X509CertificatePath, protectOptions.X509CertificatePassword, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.UserKeySet); builder.ProtectKeysWithCertificate(certificate); break; } builder.ProtectKeysWithCertificate(protectOptions.X509CertificateThumbprint); break; } } return(builder); }