コード例 #1
0
        public async Task TestFullFlow()
        {
            var sa        = "sa:namespace";
            var data      = "data";
            var encrypted = await mAwsKeyManagement.Encrypt(data, sa);

            var decrypted = await mAwsKeyManagement.Decrypt(encrypted, sa);

            Assert.Equal(data, decrypted);
        }
コード例 #2
0
        public async Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true)
        {
            if (data.Length <= mMaximumDataLength)
            {
                return(await mMasterKeyManagement.Encrypt(data, serviceAccountId, createKeyIfMissing));
            }

            mLogger.Information($"Encryption data too length, using envelope encryption");
            var encryptedData = await mDataKeyManagement.Encrypt(data, serviceAccountId, createKeyIfMissing);

            var encryptedKey = await mMasterKeyManagement.Encrypt(mDataKeyManagement.GetEncryptionKey(), serviceAccountId, createKeyIfMissing);

            return("env" + "$" + encryptedKey + "$" + encryptedData);
        }
コード例 #3
0
        public async Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true)
        {
            if (data.Length <= mMaximumDataLength)
            {
                return(await mMasterKeyManagement.Encrypt(data, serviceAccountId, createKeyIfMissing));
            }

            mLogger.Information("Encryption data too length, using envelope encryption");

            var dataKey = RijndaelUtils.GenerateKey(256);

            var(encryptedData, iv) = RijndaelUtils.Encrypt(dataKey, Encoding.UTF8.GetBytes(data));
            var encryptedDataKey = await mMasterKeyManagement.Encrypt(Convert.ToBase64String(dataKey), serviceAccountId, createKeyIfMissing);

            return(EnvelopeEncryptionUtils.Wrap(encryptedDataKey, iv, encryptedData));
        }
コード例 #4
0
ファイル: EncryptController.cs プロジェクト: mcanaves/kamus
        public async Task <ActionResult> Encrypt([FromBody] EncryptRequest body)
        {
            if (!ModelState.IsValid)
            {
                mAuditLogger.Warning("Bad request to Encrypt API: {sourceIP} {validationState}",
                                     Request.HttpContext.Connection.RemoteIpAddress,
                                     ModelState.ValidationState);
                return(BadRequest("One or more of the required fields doesn't present in the request body."));
            }

            mAuditLogger.Information("Encryption request started, SourceIP: {sourceIp}, ServiceAccount: {sa}, Namespace: {namespace}",
                                     Request.HttpContext.Connection.RemoteIpAddress,
                                     body.ServiceAccountName,
                                     body.NamespaceName);

            var encryptedData = await mKeyManagement.Encrypt(body.Data, body.ServiceAccountName);

            if (body.ServiceAccountName == "default")
            {
                return(BadRequest("You cannot encrypt a secret for the default service account"));
            }

            mAuditLogger.Information("Encryption request succeeded, SourceIP: {sourceIp}, ServiceAccount: {serviceAccount}, Namesacpe: {namespace}",
                                     Request.HttpContext.Connection.RemoteIpAddress,
                                     body.ServiceAccountName,
                                     body.NamespaceName);

            return(Content(encryptedData));
        }
コード例 #5
0
        public async Task Encrypt_KeyDoesNotExist_CreateIt()
        {
            var data             = "test";
            var serviceAccountId = "default:" + Guid.NewGuid();

            await mAzureKeyManagement.Encrypt(data, serviceAccountId);

            var keyId = $"https://{mKeyVaultName}.vault.azure.net/keys/{ComputeKeyId(serviceAccountId)}";

            try
            {
                await mKeyVaultClient.GetKeyAsync(keyId);
            }
            catch (KeyVaultErrorException e) when(e.Response.StatusCode == HttpStatusCode.NotFound)
            {
                throw new Exception("New key was not created in the key vault");
            }
            finally // clean up
            {
                await mKeyVaultClient.DeleteKeyAsync($"https://{mKeyVaultName}.vault.azure.net", ComputeKeyId(serviceAccountId));
            }
        }
コード例 #6
0
ファイル: EncryptController.cs プロジェクト: randyammar/kamus
        public async Task <ActionResult> Encrypt([FromBody] EncryptRequest body)
        {
            mAuditLogger.Information("Encryption request started, SourceIP: {sourceIp}, ServiceAccount: {sa}, Namespace: {namespace}",
                                     Request.HttpContext.Connection.RemoteIpAddress,
                                     body.SerivceAccountName,
                                     body.NamesapceName);

            var encryptedData = await mKeyManagement.Encrypt(body.Data, $"{body.NamesapceName}:{body.SerivceAccountName}");

            if (body.SerivceAccountName == "default")
            {
                return(BadRequest("You cannot encrypt a secret for the default service account"));
            }

            mAuditLogger.Information("Encryption request succeeded, SourceIP: {sourceIp}, ServiceAccount: {serviceAccount}, Namesacpe: {namespace}",
                                     Request.HttpContext.Connection.RemoteIpAddress,
                                     body.SerivceAccountName,
                                     body.NamesapceName);

            return(Content(encryptedData));
        }
コード例 #7
0
        public async Task DataIsLessThenMaximumConfiguration_NoEnvelope()
        {
            var encryptedData = await mDecorator.Encrypt("123", "a-service-account");

            Assert.DoesNotContain(encryptedData, "env$");
        }