public async Task <IActionResult> Create([HttpTrigger(AuthorizationLevel.Anonymous, "post", Route = "managedSecrets")] ManagedSecretViewModel inputSecret)
{
if (!_identityService.CurrentUserHasRole(AuthJanitorRoles.SecretAdmin))
{
return(new UnauthorizedResult());
}
var resources = await _resources.Get();
var resourceIds = inputSecret.ResourceIds.Split(';').Select(r => Guid.Parse(r)).ToList();
if (resourceIds.Any(id => !resources.Any(r => r.ObjectId == id)))
{
await _eventDispatcher.DispatchEvent(AuthJanitorSystemEvents.AnomalousEventOccurred, nameof(AdminApi.ManagedSecrets.Create), "New Managed Secret attempted to use one or more invalid Resource IDs");
return(new NotFoundObjectResult("One or more Resource IDs not found!"));
}
ManagedSecret newManagedSecret = new ManagedSecret()
{
Name = inputSecret.Name,
Description = inputSecret.Description,
ValidPeriod = TimeSpan.FromMinutes(inputSecret.ValidPeriodMinutes),
LastChanged = DateTimeOffset.UtcNow - TimeSpan.FromMinutes(inputSecret.ValidPeriodMinutes),
TaskConfirmationStrategies = inputSecret.TaskConfirmationStrategies,
ResourceIds = resourceIds,
Nonce = await _cryptographicImplementation.GenerateCryptographicallySecureString(_configuration.DefaultNonceLength)
};
await _managedSecrets.Create(newManagedSecret);
await _eventDispatcher.DispatchEvent(AuthJanitorSystemEvents.SecretCreated, nameof(AdminApi.ManagedSecrets.Create), newManagedSecret);
return(new OkObjectResult(_managedSecretViewModel(newManagedSecret)));
}
private RekeyingTask CreateRekeyingTask(ManagedSecret secret, DateTimeOffset expiry) =>
new RekeyingTask()
{
ManagedSecretId = secret.ObjectId,
Expiry = expiry,
ConfirmationType = GetPreferredConfirmation(secret.TaskConfirmationStrategies),
Queued = DateTimeOffset.UtcNow,
RekeyingInProgress = false
};
public async Task <IActionResult> Update(
[HttpTrigger(AuthorizationLevel.Anonymous, "post", Route = "managedSecrets/{secretId:guid}")] ManagedSecretViewModel inputSecret,
HttpRequest req,
Guid secretId,
ILogger log)
{
if (!req.IsValidUser(AuthJanitorRoles.SecretAdmin, AuthJanitorRoles.GlobalAdmin))
{
return(new UnauthorizedResult());
}
log.LogInformation("Updating Managed Secret {0}", secretId);
if (!await ManagedSecrets.ContainsIdAsync(secretId))
{
return(new BadRequestErrorMessageResult("Secret not found!"));
}
var resources = await Resources.ListAsync();
var resourceIds = inputSecret.ResourceIds.Split(';').Select(r => Guid.Parse(r)).ToList();
if (resourceIds.Any(id => !resources.Any(r => r.ObjectId == id)))
{
var invalidIds = resourceIds.Where(id => !resources.Any(r => r.ObjectId == id));
log.LogError("New Managed Secret attempted to link one or more invalid Resource IDs: {0}", invalidIds);
return(new BadRequestErrorMessageResult("One or more ResourceIds not found!"));
}
ManagedSecret newManagedSecret = new ManagedSecret()
{
ObjectId = secretId,
Name = inputSecret.Name,
Description = inputSecret.Description,
ValidPeriod = TimeSpan.FromMinutes(inputSecret.ValidPeriodMinutes),
TaskConfirmationStrategies = inputSecret.TaskConfirmationStrategies,
ResourceIds = resourceIds
};
await ManagedSecrets.UpdateAsync(newManagedSecret);
log.LogInformation("Updated Managed Secret '{0}'", newManagedSecret.Name);
return(new OkObjectResult(GetViewModel(newManagedSecret)));
}
public async Task <IActionResult> Update(ManagedSecretViewModel inputSecret, Guid secretId, CancellationToken cancellationToken)
{
if (!_identityService.CurrentUserHasRole(AuthJanitorRoles.SecretAdmin))
{
return(new UnauthorizedResult());
}
if (!await _managedSecrets.ContainsId(secretId, cancellationToken))
{
await _eventDispatcher.DispatchEvent(AuthJanitorSystemEvents.AnomalousEventOccurred, nameof(ManagedSecretsService.Update), "Secret ID not found");
return(new NotFoundObjectResult("Secret not found!"));
}
var resources = await _resources.Get(cancellationToken);
var resourceIds = inputSecret.ResourceIds.Split(';').Select(r => Guid.Parse(r)).ToList();
if (resourceIds.Any(id => !resources.Any(r => r.ObjectId == id)))
{
await _eventDispatcher.DispatchEvent(AuthJanitorSystemEvents.AnomalousEventOccurred, nameof(ManagedSecretsService.Update), "New Managed Secret attempted to use one or more invalid Resource IDs");
return(new NotFoundObjectResult("One or more Resource IDs not found!"));
}
ManagedSecret newManagedSecret = new ManagedSecret()
{
ObjectId = secretId,
Name = inputSecret.Name,
Description = inputSecret.Description,
ValidPeriod = TimeSpan.FromMinutes(inputSecret.ValidPeriodMinutes),
TaskConfirmationStrategies = inputSecret.TaskConfirmationStrategies,
ResourceIds = resourceIds,
Nonce = await _cryptographicImplementation.GenerateCryptographicallyRandomString(_configuration.DefaultNonceLength)
};
await _managedSecrets.Update(newManagedSecret, cancellationToken);
await _eventDispatcher.DispatchEvent(AuthJanitorSystemEvents.SecretUpdated, nameof(ManagedSecretsService.Update), newManagedSecret);
return(new OkObjectResult(_managedSecretViewModel(newManagedSecret)));
}
private static ManagedSecretViewModel GetViewModel(IServiceProvider serviceProvider, ManagedSecret secret, CancellationToken cancellationToken)
{
var providerManagerService = serviceProvider.GetRequiredService <ProviderManagerService>();
var resources = secret.ResourceIds
.Select(resourceId => serviceProvider.GetRequiredService <IDataStore <Resource> >()
.GetOne(resourceId, cancellationToken).Result)
.Select(resource => serviceProvider.GetRequiredService <Func <Resource, ResourceViewModel> >()(resource));
foreach (var resource in resources)
{
var provider = providerManagerService.GetProviderInstance(resource.ProviderType, resource.SerializedProviderConfiguration);
resource.Risks = provider.GetRisks(secret.ValidPeriod);
resource.Description = provider.GetDescription();
}
return(new ManagedSecretViewModel()
{
ObjectId = secret.ObjectId,
Name = secret.Name,
Description = secret.Description,
TaskConfirmationStrategies = secret.TaskConfirmationStrategies,
ExecutingAgentId = secret.ExecutingAgentId,
LastChanged = secret.LastChanged,
ValidPeriodMinutes = (int)secret.ValidPeriod.TotalMinutes,
Nonce = secret.Nonce,
Resources = resources,
AdminEmails = secret.AdminEmails
});
}
public async Task DispatchNotification_ManagedSecretExpired(string[] toAddresses, ManagedSecret secret)
{
if (toAddresses == null || !toAddresses.Any())
{
return;
}
var msg = Template("AuthJanitor Managed Secret Has Expired!");
msg.AddBccs(toAddresses.Select(a => new EmailAddress(a)).ToList());
msg.AddContent(MimeType.Text,
$"An AuthJanitor Managed Secret ({secret.Name}) has expired!" + Environment.NewLine +
$"{new Uri(AuthJanitorUiBase + "aj/secrets/" + secret.ObjectId)}");
msg.AddContent(MimeType.Html,
$"<p>An AuthJanitor Managed Secret (<strong>{secret.Name}</strong>) has expired!</p><br />" +
$"<a href=\"{new Uri(AuthJanitorUiBase + "aj/secrets/" + secret.ObjectId)}\">Click here to review!</a>");
await new SendGridClient(_sendGridApiKey).SendEmailAsync(msg);
}
protected ManagedSecretViewModel GetViewModel(ManagedSecret secret) => _managedSecretViewModelDelegate(secret);
private static ManagedSecretViewModel GetViewModel(IServiceProvider serviceProvider, ManagedSecret secret)
{
var resources = secret.ResourceIds
.Select(resourceId => serviceProvider.GetRequiredService <IDataStore <Resource> >()
.GetAsync(resourceId).Result)
.Select(resource => serviceProvider.GetRequiredService <Func <Resource, ResourceViewModel> >()(resource));
foreach (var resource in resources)
{
var provider = serviceProvider.GetRequiredService <Func <string, RekeyingAttemptLogger, IAuthJanitorProvider> >()(resource.ProviderType,
new RekeyingAttemptLogger(serviceProvider.GetRequiredService <ILoggerFactory>()
.CreateLogger("ViewModelLogger")));
provider.SerializedConfiguration = resource.SerializedProviderConfiguration;
resource.Risks = provider.GetRisks(secret.ValidPeriod);
resource.Description = provider.GetDescription();
}
return(new ManagedSecretViewModel()
{
ObjectId = secret.ObjectId,
Name = secret.Name,
Description = secret.Description,
TaskConfirmationStrategies = secret.TaskConfirmationStrategies,
LastChanged = secret.LastChanged,
ValidPeriodMinutes = (int)secret.ValidPeriod.TotalMinutes,
Nonce = secret.Nonce,
Resources = resources,
AdminEmails = secret.AdminEmails
});
}
