public async Task <IActionResult> Create([HttpTrigger(AuthorizationLevel.Anonymous, "post", Route = "managedSecrets")] ManagedSecretViewModel inputSecret) { if (!_identityService.CurrentUserHasRole(AuthJanitorRoles.SecretAdmin)) { return(new UnauthorizedResult()); } var resources = await _resources.Get(); var resourceIds = inputSecret.ResourceIds.Split(';').Select(r => Guid.Parse(r)).ToList(); if (resourceIds.Any(id => !resources.Any(r => r.ObjectId == id))) { await _eventDispatcher.DispatchEvent(AuthJanitorSystemEvents.AnomalousEventOccurred, nameof(AdminApi.ManagedSecrets.Create), "New Managed Secret attempted to use one or more invalid Resource IDs"); return(new NotFoundObjectResult("One or more Resource IDs not found!")); } ManagedSecret newManagedSecret = new ManagedSecret() { Name = inputSecret.Name, Description = inputSecret.Description, ValidPeriod = TimeSpan.FromMinutes(inputSecret.ValidPeriodMinutes), LastChanged = DateTimeOffset.UtcNow - TimeSpan.FromMinutes(inputSecret.ValidPeriodMinutes), TaskConfirmationStrategies = inputSecret.TaskConfirmationStrategies, ResourceIds = resourceIds, Nonce = await _cryptographicImplementation.GenerateCryptographicallySecureString(_configuration.DefaultNonceLength) }; await _managedSecrets.Create(newManagedSecret); await _eventDispatcher.DispatchEvent(AuthJanitorSystemEvents.SecretCreated, nameof(AdminApi.ManagedSecrets.Create), newManagedSecret); return(new OkObjectResult(_managedSecretViewModel(newManagedSecret))); }
private RekeyingTask CreateRekeyingTask(ManagedSecret secret, DateTimeOffset expiry) => new RekeyingTask() { ManagedSecretId = secret.ObjectId, Expiry = expiry, ConfirmationType = GetPreferredConfirmation(secret.TaskConfirmationStrategies), Queued = DateTimeOffset.UtcNow, RekeyingInProgress = false };
public async Task <IActionResult> Update( [HttpTrigger(AuthorizationLevel.Anonymous, "post", Route = "managedSecrets/{secretId:guid}")] ManagedSecretViewModel inputSecret, HttpRequest req, Guid secretId, ILogger log) { if (!req.IsValidUser(AuthJanitorRoles.SecretAdmin, AuthJanitorRoles.GlobalAdmin)) { return(new UnauthorizedResult()); } log.LogInformation("Updating Managed Secret {0}", secretId); if (!await ManagedSecrets.ContainsIdAsync(secretId)) { return(new BadRequestErrorMessageResult("Secret not found!")); } var resources = await Resources.ListAsync(); var resourceIds = inputSecret.ResourceIds.Split(';').Select(r => Guid.Parse(r)).ToList(); if (resourceIds.Any(id => !resources.Any(r => r.ObjectId == id))) { var invalidIds = resourceIds.Where(id => !resources.Any(r => r.ObjectId == id)); log.LogError("New Managed Secret attempted to link one or more invalid Resource IDs: {0}", invalidIds); return(new BadRequestErrorMessageResult("One or more ResourceIds not found!")); } ManagedSecret newManagedSecret = new ManagedSecret() { ObjectId = secretId, Name = inputSecret.Name, Description = inputSecret.Description, ValidPeriod = TimeSpan.FromMinutes(inputSecret.ValidPeriodMinutes), TaskConfirmationStrategies = inputSecret.TaskConfirmationStrategies, ResourceIds = resourceIds }; await ManagedSecrets.UpdateAsync(newManagedSecret); log.LogInformation("Updated Managed Secret '{0}'", newManagedSecret.Name); return(new OkObjectResult(GetViewModel(newManagedSecret))); }
public async Task <IActionResult> Update(ManagedSecretViewModel inputSecret, Guid secretId, CancellationToken cancellationToken) { if (!_identityService.CurrentUserHasRole(AuthJanitorRoles.SecretAdmin)) { return(new UnauthorizedResult()); } if (!await _managedSecrets.ContainsId(secretId, cancellationToken)) { await _eventDispatcher.DispatchEvent(AuthJanitorSystemEvents.AnomalousEventOccurred, nameof(ManagedSecretsService.Update), "Secret ID not found"); return(new NotFoundObjectResult("Secret not found!")); } var resources = await _resources.Get(cancellationToken); var resourceIds = inputSecret.ResourceIds.Split(';').Select(r => Guid.Parse(r)).ToList(); if (resourceIds.Any(id => !resources.Any(r => r.ObjectId == id))) { await _eventDispatcher.DispatchEvent(AuthJanitorSystemEvents.AnomalousEventOccurred, nameof(ManagedSecretsService.Update), "New Managed Secret attempted to use one or more invalid Resource IDs"); return(new NotFoundObjectResult("One or more Resource IDs not found!")); } ManagedSecret newManagedSecret = new ManagedSecret() { ObjectId = secretId, Name = inputSecret.Name, Description = inputSecret.Description, ValidPeriod = TimeSpan.FromMinutes(inputSecret.ValidPeriodMinutes), TaskConfirmationStrategies = inputSecret.TaskConfirmationStrategies, ResourceIds = resourceIds, Nonce = await _cryptographicImplementation.GenerateCryptographicallyRandomString(_configuration.DefaultNonceLength) }; await _managedSecrets.Update(newManagedSecret, cancellationToken); await _eventDispatcher.DispatchEvent(AuthJanitorSystemEvents.SecretUpdated, nameof(ManagedSecretsService.Update), newManagedSecret); return(new OkObjectResult(_managedSecretViewModel(newManagedSecret))); }
private static ManagedSecretViewModel GetViewModel(IServiceProvider serviceProvider, ManagedSecret secret, CancellationToken cancellationToken) { var providerManagerService = serviceProvider.GetRequiredService <ProviderManagerService>(); var resources = secret.ResourceIds .Select(resourceId => serviceProvider.GetRequiredService <IDataStore <Resource> >() .GetOne(resourceId, cancellationToken).Result) .Select(resource => serviceProvider.GetRequiredService <Func <Resource, ResourceViewModel> >()(resource)); foreach (var resource in resources) { var provider = providerManagerService.GetProviderInstance(resource.ProviderType, resource.SerializedProviderConfiguration); resource.Risks = provider.GetRisks(secret.ValidPeriod); resource.Description = provider.GetDescription(); } return(new ManagedSecretViewModel() { ObjectId = secret.ObjectId, Name = secret.Name, Description = secret.Description, TaskConfirmationStrategies = secret.TaskConfirmationStrategies, ExecutingAgentId = secret.ExecutingAgentId, LastChanged = secret.LastChanged, ValidPeriodMinutes = (int)secret.ValidPeriod.TotalMinutes, Nonce = secret.Nonce, Resources = resources, AdminEmails = secret.AdminEmails }); }
public async Task DispatchNotification_ManagedSecretExpired(string[] toAddresses, ManagedSecret secret) { if (toAddresses == null || !toAddresses.Any()) { return; } var msg = Template("AuthJanitor Managed Secret Has Expired!"); msg.AddBccs(toAddresses.Select(a => new EmailAddress(a)).ToList()); msg.AddContent(MimeType.Text, $"An AuthJanitor Managed Secret ({secret.Name}) has expired!" + Environment.NewLine + $"{new Uri(AuthJanitorUiBase + "aj/secrets/" + secret.ObjectId)}"); msg.AddContent(MimeType.Html, $"<p>An AuthJanitor Managed Secret (<strong>{secret.Name}</strong>) has expired!</p><br />" + $"<a href=\"{new Uri(AuthJanitorUiBase + "aj/secrets/" + secret.ObjectId)}\">Click here to review!</a>"); await new SendGridClient(_sendGridApiKey).SendEmailAsync(msg); }
protected ManagedSecretViewModel GetViewModel(ManagedSecret secret) => _managedSecretViewModelDelegate(secret);
private static ManagedSecretViewModel GetViewModel(IServiceProvider serviceProvider, ManagedSecret secret) { var resources = secret.ResourceIds .Select(resourceId => serviceProvider.GetRequiredService <IDataStore <Resource> >() .GetAsync(resourceId).Result) .Select(resource => serviceProvider.GetRequiredService <Func <Resource, ResourceViewModel> >()(resource)); foreach (var resource in resources) { var provider = serviceProvider.GetRequiredService <Func <string, RekeyingAttemptLogger, IAuthJanitorProvider> >()(resource.ProviderType, new RekeyingAttemptLogger(serviceProvider.GetRequiredService <ILoggerFactory>() .CreateLogger("ViewModelLogger"))); provider.SerializedConfiguration = resource.SerializedProviderConfiguration; resource.Risks = provider.GetRisks(secret.ValidPeriod); resource.Description = provider.GetDescription(); } return(new ManagedSecretViewModel() { ObjectId = secret.ObjectId, Name = secret.Name, Description = secret.Description, TaskConfirmationStrategies = secret.TaskConfirmationStrategies, LastChanged = secret.LastChanged, ValidPeriodMinutes = (int)secret.ValidPeriod.TotalMinutes, Nonce = secret.Nonce, Resources = resources, AdminEmails = secret.AdminEmails }); }