static async Task Main(string[] args)
{
// limited permissions. hidden in env variables, typically injected
var roleId = Environment.GetEnvironmentVariable("ROLEID");
var secretId = Environment.GetEnvironmentVariable("VAULTSECRET");
IVaultClient vaultClient = null;
try{
// Get the approle token
IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(roleId, secretId);
var vaultClientSettings = new VaultClientSettings("http://127.0.0.1:8200", authMethod);
vaultClient = new VaultClient(vaultClientSettings);
}
catch (Exception e) {
// Failed to get Vault token
Console.WriteLine(String.Format("An error occurred authenticating: {0}", e.Message));
throw;
}
try{
//Get the secret and print it
Secret <Dictionary <string, object> > kv1Secret = await vaultClient.V1.Secrets.KeyValue.V1.ReadSecretAsync("data/testdata/universe", "secret");
Dictionary <string, object> dataDictionary = kv1Secret.Data;
JsonDocument jsonObj = JsonDocument.Parse(dataDictionary["data"].ToString());
Console.WriteLine(String.Format("The answer is {0}.", jsonObj.RootElement.GetProperty("theanswer")));
}
catch (Exception e) {
//Failed to get the secret or format it.
Console.WriteLine(String.Format("An error pulling or parsing the secret: {0}", e.Message));
throw;
}
}
private async Task WriteKeyValueAsync(IVaultClient vaultClient)
{
var value = new Dictionary <string, string> {
{ "CERTSQLAUTHUSR", "username" }, { "CERTSQLAUTHPW", "password" }
};
var writtenValue = await vaultClient.V1.Secrets.KeyValue.V2.WriteSecretAsync(kvSecretPath, data : value, checkAndSet : 0);
}
public static IConfigurationBuilder AddHashicorpVault(
this IConfigurationBuilder configurationBuilder, IVaultClient client, KVVersion version, params string[] secretPaths)
{
if (configurationBuilder == null)
{
throw new ArgumentNullException(nameof(configurationBuilder));
}
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
if (secretPaths == null)
{
throw new ArgumentNullException(nameof(secretPaths));
}
configurationBuilder.Add(new HashicorpVaultSource()
{
Client = client,
Version = version,
SecretPaths = secretPaths,
});
return(configurationBuilder);
}
public VaultCertificateStore(IVaultClient vaultClient, string roleName, string commonName, ILogger logger)
{
this.vaultClient = vaultClient.ThrowIfNull(nameof(vaultClient));
this.roleName = roleName.ThrowIfNullOrEmpty(nameof(roleName));
this.commonName = commonName.ThrowIfNullOrEmpty(nameof(commonName));
this.logger = logger.ThrowIfNull(nameof(logger));
}
/// <summary>
/// Creates a new instance of <see cref="VaultConfigurationProvider"/>.
/// </summary>
/// <param name="client">The <see cref="IVaultClient"/> to use for retrieving values.</param>
/// <param name="secretPaths">The secret paths to read</param>
/// <param name="manager"></param>
/// <param name="asJson">Read as JSON</param>
public VaultConfigurationProvider(IVaultClient client, IVaultSecretManager manager, IEnumerable <string> secretPaths, bool asJson)
{
_client = client ?? throw new ArgumentNullException(nameof(client));
_secretPaths = secretPaths ?? throw new ArgumentNullException(nameof(secretPaths));
_asJson = asJson;
_manager = manager ?? throw new ArgumentNullException(nameof(manager));
}
private async Task LoadVaultDataAsync(IVaultClient vaultClient)
{
await foreach (var secretData in this.ReadKeysAsync(vaultClient, this._source.BasePath))
{
this._logger?.LogDebug($"VaultConfigurationProvider: got Vault data with key `{secretData.Key}`");
var key = secretData.Key;
key = key.Replace(this._source.BasePath, string.Empty, StringComparison.InvariantCultureIgnoreCase).TrimStart('/')
.Replace('/', ':');
key = this.ReplaceTheAdditionalCharactersForConfigurationPath(key);
var data = secretData.SecretData.Data;
var shouldSetValue = true;
if (this._versionsCache.TryGetValue(key, out var currentVersion))
{
shouldSetValue = secretData.SecretData.Metadata.Version > currentVersion;
string keyMsg = shouldSetValue ? "has new version" : "is outdated";
this._logger?.LogDebug($"VaultConfigurationProvider: Data for key `{secretData.Key}` {keyMsg}");
}
if (shouldSetValue)
{
this.SetData(data, this.ConfigurationSource.Options.OmitVaultKeyName ? string.Empty : key);
this._versionsCache[key] = secretData.SecretData.Metadata.Version;
}
}
}
/// <summary>
/// Adds an <see cref="IConfigurationProvider"/> that reads configuration values from Hashicorp Vault.
/// </summary>
/// <param name="configurationBuilder">The <see cref="IConfigurationBuilder"/> to add to.</param>
/// <param name="client">The <see cref="IVaultClient"/> to use for retrieving values.</param>
/// <param name="manager">The <see cref="IKeyVaultSecretManager"/> instance used to control secret loading.</param>
/// <param name="secretLocationPaths">The paths for the secrets to load.</param>
/// <returns>The <see cref="IConfigurationBuilder"/>.</returns>
public static IConfigurationBuilder AddVault(
this IConfigurationBuilder configurationBuilder,
IVaultClient client,
IVaultSecretManager manager,
params string[] secretLocationPaths)
{
if (configurationBuilder == null)
{
throw new ArgumentNullException(nameof(configurationBuilder));
}
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
if (secretLocationPaths == null)
{
throw new ArgumentNullException(nameof(secretLocationPaths));
}
if (manager == null)
{
throw new ArgumentNullException(nameof(manager));
}
configurationBuilder.Add(new VaultConfigurationSource()
{
Client = client,
SecretLocationPaths = secretLocationPaths,
Manager = manager,
});
return(configurationBuilder);
}
public void Unload()
{
_logger = null;
_vaultClient = null;
_configuration.Clear();
_configuration = null;
}
private async IAsyncEnumerable <KeyedSecretData> ReadKeysAsync(IVaultClient vaultClient, string path)
{
Secret <ListInfo>?keys = null;
try
{
keys = await vaultClient.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync(path, this._source.MountPoint).ConfigureAwait(false);
}
catch (VaultApiException)
{
// this is key, not a folder
}
if (keys != null)
{
foreach (var key in keys.Data.Keys)
{
var keyData = this.ReadKeysAsync(vaultClient, path + key);
await foreach (var secretData in keyData)
{
yield return(secretData);
}
}
}
else
{
var secretData =
await vaultClient.V1.Secrets.KeyValue.V2.ReadSecretAsync(path, null, this._source.MountPoint).ConfigureAwait(false);
yield return(new KeyedSecretData(path, secretData.Data));
}
}
public KeyValueService(
IVaultClient client,
VaultOptions options)
{
_client = client;
_options = options;
}
public static IServiceCollection ConfigureHttpClients(this IServiceCollection services, IConfiguration configuration, IWebHostEnvironment environment,
IVaultClient vaultClient)
{
var(_, authorityUrl) = GetApiNameAndAuthority(configuration, environment, vaultClient);
services.AddHttpClient(HttpClientNames.Identity, client => client.BaseAddress = new Uri(authorityUrl));
services.AddHttpClient(HttpClientNames.GoogleMaps, c => { c.BaseAddress = new Uri(configuration["Edo:Google:Endpoint"]); })
.SetHandlerLifetime(TimeSpan.FromMinutes(5))
.AddPolicyHandler(GetDefaultRetryPolicy());
services.AddHttpClient(SendGridMailSender.HttpClientName)
.SetHandlerLifetime(TimeSpan.FromMinutes(5))
.AddPolicyHandler(GetDefaultRetryPolicy());
services.AddHttpClient(HttpClientNames.Payfort)
.SetHandlerLifetime(TimeSpan.FromMinutes(5))
.AddPolicyHandler(GetDefaultRetryPolicy());
services.AddHttpClient(HttpClientNames.CurrencyService)
.SetHandlerLifetime(TimeSpan.FromMinutes(5))
.AddPolicyHandler(GetDefaultRetryPolicy());
services.AddHttpClient(HttpClientNames.Connectors)
.SetHandlerLifetime(TimeSpan.FromMinutes(5));
return(services);
}
public static IConfigurationBuilder AddVault(this IConfigurationBuilder builder)
{
var buildConfig = builder.Build();
if (buildConfig.GetSection("settings:useVault").Get <bool>())
{
try
{
IVaultClient vaultClient = VaultClientFactory.CreateVaultClient(
new Uri(buildConfig["vault:address"]),
new AppRoleAuthenticationInfo(
buildConfig["vault:roleid"],
buildConfig["vault:secretid"]
)
);
var vaultSecrets = vaultClient
.ReadSecretAsync(buildConfig["vault:path"])
.Result.Data.Select(x => new KeyValuePair <string, string>($"vault:{x.Key}", x.Value.ToString()));
return(builder.AddInMemoryCollection(vaultSecrets));
}
catch (Exception ex)
{
throw new Exception("Vault configuration failed: " + ex.Message);
}
}
else
{
return(builder);
}
}
public VaultClient(string vaultAddr, string vaultToken, string keyName)
{
Uri vaultUri = new Uri(vaultAddr);
IAuthenticationInfo tokenAuthenticationInfo = new TokenAuthenticationInfo(vaultToken);
client = VaultClientFactory.CreateVaultClient(vaultUri, tokenAuthenticationInfo);
transitKeyName = keyName;
}
public VaultClientSecretStore(IIdentityServerVaultAuthSettings settings, IVaultClient vaultClient)
{
settings.ThrowIfNull(nameof(settings));
vaultClient.ThrowIfNull(nameof(vaultClient));
this.settings = settings;
this.vaultClient = vaultClient;
}
private async Task LoadVaultDataAsync(IVaultClient vaultClient)
{
await foreach (var secretData in this.ReadKeysAsync(vaultClient, this._source.BasePath))
{
this._logger?.LogDebug($"VaultConfigurationProvider: got Vault data with key `{secretData.Key}`");
var key = secretData.Key;
key = key.TrimStart('/')[this._source.BasePath.TrimStart('/').Length..].TrimStart('/').Replace('/', ':');
public static IConfigurationBuilder AddHashiCorpVault(
this IConfigurationBuilder configurationBuilder,
IVaultClient client,
string path
)
{
return(AddHashiCorpVault(configurationBuilder, client, path, false));
}
/// <summary>
/// Adds an <see cref="IConfigurationProvider"/> that reads configuration values from Hashicorp Vault.
/// </summary>
/// <param name="configurationBuilder">The <see cref="IConfigurationBuilder"/> to add to.</param>
/// <param name="client">The <see cref="IVaultClient"/> to use for retrieving values.</param>
/// <param name="manager">The <see cref="IVaultSecretManager"/> instance used to control secret loading.</param>
/// <param name="secretLocationPaths">The paths for the secrets to load.</param>
/// <returns>The <see cref="IConfigurationBuilder"/>.</returns>
public static IConfigurationBuilder AddVault(
this IConfigurationBuilder configurationBuilder,
IVaultClient client,
IVaultSecretManager manager,
params string[] secretLocationPaths)
{
return(configurationBuilder.AddVault(client, manager, asJson: false, secretLocationPaths));
}
public RepositoryDeletionHistory(IVaultClient vaultClient, string repositoryName, string repositoryPath)
{
Guard.That(vaultClient).IsNotNull();
Guard.That(repositoryName, "repositoryName").IsNotNullOrEmpty();
Guard.That(repositoryPath, "repositoryPath").IsNotNullOrEmpty();
this.vaultClient = vaultClient;
this.repositoryName = repositoryName;
this.repositoryPath = repositoryPath;
}
private async IAsyncEnumerable <KeyedSecretData> ReadKeysAsync(IVaultClient vaultClient, string path)
{
Secret <ListInfo>?keys = null;
var folderPath = path;
if (folderPath.EndsWith("/", StringComparison.InvariantCulture) == false)
{
folderPath += "/";
}
try
{
keys = await vaultClient.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync(folderPath, this._source.MountPoint).ConfigureAwait(false);
}
catch (VaultApiException)
{
// this is key, not a folder
}
if (keys != null)
{
foreach (var key in keys.Data.Keys)
{
var keyData = this.ReadKeysAsync(vaultClient, folderPath + key);
await foreach (var secretData in keyData)
{
yield return(secretData);
}
}
}
var valuePath = path;
if (valuePath.EndsWith("/", StringComparison.InvariantCulture) == true)
{
valuePath = valuePath.TrimEnd('/');
}
KeyedSecretData?keyedSecretData = null;
try
{
var secretData = await vaultClient.V1.Secrets.KeyValue.V2.ReadSecretAsync(valuePath, null, this._source.MountPoint)
.ConfigureAwait(false);
keyedSecretData = new KeyedSecretData(valuePath, secretData.Data);
}
catch (VaultApiException)
{
// this is folder, not a key
}
if (keyedSecretData != null)
{
yield return(keyedSecretData);
}
}
public VaultHostedService(IVaultClient client, ILeaseService leaseService, VaultOptions options,
ILogger <VaultHostedService> logger)
{
_client = client;
_leaseService = leaseService;
_options = options;
_logger = logger;
_interval = 5;
}
public VaultHostedService(
IVaultClient client,
VaultOptions options,
ILogger <VaultHostedService> logger)
{
_client = client;
_options = options;
_logger = logger;
}
public RepositoryDeletionHistory(IVaultClient vaultClient, string repositoryName, string repositoryPath)
{
Guard.That(vaultClient).IsNotNull();
Guard.That(repositoryName, "repositoryName").IsNotNullOrEmpty();
Guard.That(repositoryPath, "repositoryPath").IsNotNullOrEmpty();
this.vaultClient = vaultClient;
this.repositoryName = repositoryName;
this.repositoryPath = repositoryPath;
}
public void NotNullShouldThrowForObjects()
{
var paramName = "client";
IVaultClient client = null;
var exception = Assert.Throws <ArgumentNullException>(() => Checker.NotNull(client, paramName));
Assert.Equal(paramName, exception.ParamName);
}
public static IServiceCollection ConfigureHttpClients(this IServiceCollection services, IConfiguration configuration, IHostEnvironment environment,
IVaultClient vaultClient)
{
var(_, authorityUrl) = GetApiNameAndAuthority(configuration, environment, vaultClient);
services.AddHttpClient <IdentityHttpClient>(client => client.BaseAddress = new Uri(authorityUrl));
services.AddHttpClient <BookingWebhookClient>()
.SetHandlerLifetime(TimeSpan.FromMinutes(5))
.AddPolicyHandler(GetDefaultRetryPolicy());
return(services);
}
public static IConfigurationBuilder AddHashiCorpVault(
this IConfigurationBuilder configurationBuilder,
IVaultClient client,
string path,
bool optional
)
{
configurationBuilder.Add(new HashiCorpVaultConfigurationSource(client, path, optional));
return(configurationBuilder);
}
/// <summary>
/// The method to get a DB connection string from the Vault using options from appsettings.json
/// </summary>
/// <param name="vaultClient">The instance of the Vault client </param>
/// <param name="pathToConnectionOptions">The path to connection options in appsettings.json</param>
/// <param name="pathToConnectionString">The path to the connection string template in appsettings.json</param>
/// <param name="configuration">Represents the application configuration</param>
/// <returns></returns>
public static string GetDbConnectionString(IVaultClient vaultClient, string pathToConnectionOptions, string pathToConnectionString, IConfiguration configuration)
{
var connectionOptions = vaultClient.Get(configuration[pathToConnectionOptions]).Result;
return(string.Format($"{configuration[pathToConnectionString]}",
connectionOptions["host"],
connectionOptions["port"],
connectionOptions["database"],
connectionOptions["userId"],
connectionOptions["password"]));
}
public VaultHostedService(IVaultClient client, ILeaseService leaseService, ICertificatesIssuer certificatesIssuer,
ICertificatesService certificatesService, VaultOptions options, ILogger <VaultHostedService> logger)
{
_client = client;
_leaseService = leaseService;
_certificatesIssuer = certificatesIssuer;
_certificatesService = certificatesService;
_options = options;
_logger = logger;
_interval = _options.RenewalsInterval <= 0 ? 10 : _options.RenewalsInterval;
}
public VaultSrnProvider(IConfiguration options)
{
_mountPoint = options["MountPoint"];
// Instantiate the client
var authMethod = new TokenAuthMethodInfo(options["Token"]);
var settings = new VaultClientSettings(options["Url"], authMethod);
_client = new VaultClient(settings);
_engine = _client.V1.Secrets.KeyValue.V2;
}
public VaultSecretLoader()
{
var authMethod = ConfigurationExtensions.Environment.IsDevelopment()
? new GitHubAuthMethodInfo(Environment.GetEnvironmentVariable("VAULT_GITHUB_AT"))
: new AppRoleAuthMethodInfo(Environment.GetEnvironmentVariable("VAULT_ID"),
Environment.GetEnvironmentVariable("VAULT_SECRET")) as IAuthMethodInfo;
var vaultClientSettings =
new VaultClientSettings(Environment.GetEnvironmentVariable("VAULT_URL"), authMethod);
_client = new VaultClient(vaultClientSettings);
}
public VaultConfigurationProvider(VaultOptions config)
{
_config = config;
var vaultClientSettings = new VaultClientSettings(
_config.Address,
new AppRoleAuthMethodInfo(_config.Role,
_config.Secret)
);
_client = new VaultClient(vaultClientSettings);
}
public void Initialize()
{
_logger.LogInformation("Initializing {Name} provider with options {Options}.", Name, new
{
_providerOptions.ServerUri,
_providerOptions.Path
});
var vaultClientSettings = new VaultClientSettings(_providerOptions.ServerUri, _providerOptions.AuthMethodInfo);
_vaultClient = new VaultClient(vaultClientSettings);
}
public VersionSnapshot(IVaultClient vaultClient, string repositoryName, string repositoryPath)
{
this.vaultClient = vaultClient;
this.repositoryName = repositoryName;
this.repositoryPath = repositoryPath;
}
public VaultFacade(IVaultClient vaultClient)
{
this.vaultClient = vaultClient;
}
private static void InitializeVault()
{
// for all the tests to run smoothly, this is the only method,
// you need to setup your initial values.
// Ensure you have an instance of Vault Server started up but not initialized.
/*
backend "file" {
path = "e:\raja\work\vault\file_backend"
}
listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = 1
}
rd file_backend /S /Q
vault server -config f.hcl
*/
var vaultUriWithPort = "http://127.0.0.1:8200";
_vaultUri = new Uri(vaultUriWithPort);
_unauthenticatedVaultClient = VaultClientFactory.CreateVaultClient(_vaultUri, null);
if (DevServer)
{
_masterCredentials = new MasterCredentials
{
MasterKeys = new[] { MasterKey },
RootToken = RootToken
};
IAuthenticationInfo devRootTokenInfo = new TokenAuthenticationInfo(_masterCredentials.RootToken);
_authenticatedVaultClient = VaultClientFactory.CreateVaultClient(_vaultUri, devRootTokenInfo);
return;
}
// BEGIN setting values
var fileName = "E:\\raja\\work\\vault0.6.1\\StartVault.cmd";
var process = Process.Start(new ProcessStartInfo(fileName));
Assert.NotNull(process);
_vaultServerProcessId = process.Id;
// END setting values
var initialized = _unauthenticatedVaultClient.GetInitializationStatusAsync().Result;
Assert.False(initialized);
var healthStatus = _unauthenticatedVaultClient.GetHealthStatusAsync().Result;
Assert.False(healthStatus.Initialized);
// try to initialize with mismatched PGP Key
var invalidPgpException =
Assert.Throws<AggregateException>(
() =>
_masterCredentials =
_unauthenticatedVaultClient.InitializeAsync(new InitializeOptions
{
SecretShares = 5,
SecretThreshold = 3,
PgpKeys = new[] { Convert.ToBase64String(Encoding.UTF8.GetBytes("pgp_key1")) }
}).Result);
Assert.NotNull(invalidPgpException.InnerException);
Assert.True(invalidPgpException.InnerException.Message.Contains("400 BadRequest"));
_masterCredentials = _unauthenticatedVaultClient.InitializeAsync(new InitializeOptions
{
SecretShares = 7,
SecretThreshold = 6
}).Result;
Assert.NotNull(_masterCredentials);
Assert.NotNull(_masterCredentials.RootToken);
Assert.NotNull(_masterCredentials.MasterKeys);
Assert.True(_masterCredentials.MasterKeys.Length == 7);
process.CloseMainWindow();
process.WaitForExit();
process = Process.Start(new ProcessStartInfo(fileName));
Assert.NotNull(process);
_vaultServerProcessId = process.Id;
// todo find valid PGP keys
//var pgpKeys = new[] { Convert.ToBase64String(Encoding.UTF8.GetBytes("pgp_key1")), Convert.ToBase64String(Encoding.UTF8.GetBytes("pgp_key2")) };
//_masterCredentials = _unauthenticatedVaultClient.InitializeAsync(2, 2, pgpKeys).Result;
//Assert.NotNull(_masterCredentials);
//Assert.NotNull(_masterCredentials.RootToken);
//Assert.NotNull(_masterCredentials.MasterKeys);
//Assert.True(_masterCredentials.MasterKeys.Length == 5);
//process.CloseMainWindow();
//process.WaitForExit();
//process = Process.Start(new ProcessStartInfo(fileName));
//Assert.NotNull(process);
//_vaultServerProcessId = process.Id;
_masterCredentials = _unauthenticatedVaultClient.InitializeAsync(new InitializeOptions
{
SecretShares = 5,
SecretThreshold = 3
}).Result;
Assert.NotNull(_masterCredentials);
Assert.NotNull(_masterCredentials.RootToken);
Assert.NotNull(_masterCredentials.MasterKeys);
Assert.True(_masterCredentials.MasterKeys.Length == 5);
healthStatus = _unauthenticatedVaultClient.GetHealthStatusAsync().Result;
Assert.True(healthStatus.Initialized);
Assert.True(healthStatus.Sealed);
// try to initialize an already initialized vault.
var aggregateException =
Assert.Throws<AggregateException>(
() => _masterCredentials = _unauthenticatedVaultClient.InitializeAsync(new InitializeOptions
{
SecretShares = 5,
SecretThreshold = 3
}).Result);
Assert.NotNull(aggregateException.InnerException);
Assert.True(aggregateException.InnerException.Message.Contains("Vault is already initialized"));
var sealStatus = _unauthenticatedVaultClient.GetSealStatusAsync().Result;
if (sealStatus.Sealed)
{
foreach (var masterKey in _masterCredentials.MasterKeys)
{
sealStatus = _unauthenticatedVaultClient.UnsealAsync(masterKey).Result;
if (!sealStatus.Sealed)
{
healthStatus = _unauthenticatedVaultClient.GetHealthStatusAsync().Result;
Assert.True(healthStatus.Initialized);
Assert.False(healthStatus.Sealed);
// we are acting as the root user here.
IAuthenticationInfo tokenAuthenticationInfo =
new TokenAuthenticationInfo(_masterCredentials.RootToken);
_authenticatedVaultClient = VaultClientFactory.CreateVaultClient(_vaultUri, tokenAuthenticationInfo);
break;
}
}
}
}
