コード例 #1
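        /// <summary>
        /// Loads Event Hub, AAD and vault settings, resolves the consumer group name, and then
        /// creates the client by trying each credential helper in order: MSI, SPN, Key Vault and
        /// finally the connection string.
        /// </summary>
        /// <param name="configuration">Configuration the settings objects are read from.</param>
        /// <param name="loggerFactory">Factory used to create this type's logger.</param>
        /// <exception cref="InvalidOperationException">
        /// No helper produced a client: either no connection-string secret name is configured,
        /// or the connection-string attempt failed as well.
        /// </exception>
        public ConsumerClientFactory(IConfiguration configuration, ILoggerFactory loggerFactory)
        {
            // Log under this factory's own category (previously ProducerClientFactory) so that
            // entries written during credential selection are attributed to the right component.
            _logger            = loggerFactory.CreateLogger<ConsumerClientFactory>();
            _hubSettings       = configuration.GetConfiguredSettings<EventHubSettings>();
            _consumerGroupName = Consumer.ConsumerGroup ?? EventHubConsumerClient.DefaultConsumerGroupName;
            _aadSettings       = configuration.GetConfiguredSettings<AadSettings>();
            _vaultSettings     = configuration.GetConfiguredSettings<VaultSettings>();
            _logger.LogInformation("using consumer group: {ConsumerGroup}", _consumerGroupName);

            // The first helper that succeeds wins; a failing identity falls through to the next one.
            // NOTE(review): nothing here records which credential path was finally used; confirm
            // the helpers log it, since the last fallback is a stored connection string.
            if (TryCreateClientUsingMsi() || TryCreateClientUsingSpn() || TryCreateClientFromKeyVault())
            {
                return;
            }

            // The original nesting made this branch unreachable, so a factory with no usable
            // credential source was constructed silently without a client.
            if (string.IsNullOrEmpty(_hubSettings.ConnectionStringSecretName))
            {
                throw new InvalidOperationException("Invalid queue settings");
            }

            if (!TryCreateClientUsingConnStr())
            {
                throw new InvalidOperationException("failed to create queue client");
            }
        }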
コード例 #2
        /// <summary>
        /// Resolves blob storage, AAD and vault settings plus the Key Vault client, then runs
        /// the single creation helper selected by <c>blobSettings.AuthMode</c>.
        /// </summary>
        /// <param name="serviceProvider">Provider used to resolve <c>IConfiguration</c> and <c>IKeyVaultClient</c>.</param>
        /// <param name="loggerFactory">Factory used to create this type's logger.</param>
        /// <param name="settings">Optional explicit blob settings; when null they are read from configuration.</param>
        /// <exception cref="NotSupportedException">The auth mode is not one of the four handled values.</exception>
        public BlobContainerFactory(IServiceProvider serviceProvider, ILoggerFactory loggerFactory,
                                    BlobStorageSettings settings = null)
        {
            var config = serviceProvider.GetRequiredService<IConfiguration>();

            blobSettings = settings ?? config.GetConfiguredSettings<BlobStorageSettings>();
            aadSettings = config.GetConfiguredSettings<AadSettings>();
            vaultSettings = config.GetConfiguredSettings<VaultSettings>();
            kvClient = serviceProvider.GetRequiredService<IKeyVaultClient>();
            logger = loggerFactory.CreateLogger<BlobContainerFactory>();

            // Exactly one credential path runs; there is no fallback to another mode.
            // NOTE(review): whatever the TryCreate* helpers return is discarded here, so a failed
            // attempt does not surface from this constructor. Confirm the helpers throw on failure.
            var mode = blobSettings.AuthMode;
            if (mode == StorageAuthMode.Msi)
            {
                TryCreateUsingMsi();
            }
            else if (mode == StorageAuthMode.Spn)
            {
                TryCreateUsingSpn();
            }
            else if (mode == StorageAuthMode.SecretFromVault)
            {
                TryCreateFromKeyVault();
            }
            else if (mode == StorageAuthMode.ConnStr)
            {
                TryCreateUsingConnStr();
            }
            else
            {
                throw new NotSupportedException($"Storage auth mode: {mode} is not supported");
            }
        }
コード例 #3
        /// <summary>
        /// Resolves queue, AAD and vault settings plus the Key Vault client, then runs the
        /// single client-creation helper selected by <c>queueSettings.AuthMode</c>.
        /// </summary>
        /// <param name="serviceProvider">Provider used to resolve <c>IConfiguration</c> and <c>IKeyVaultClient</c>.</param>
        /// <param name="loggerFactory">Factory used to create this type's logger.</param>
        /// <exception cref="NotSupportedException">The auth mode is not one of the four handled values.</exception>
        public QueueClientFactory(IServiceProvider serviceProvider, ILoggerFactory loggerFactory)
        {
            logger = loggerFactory.CreateLogger<QueueClientFactory>();
            var config = serviceProvider.GetRequiredService<IConfiguration>();

            queueSettings = config.GetConfiguredSettings<QueueSettings>();
            aadSettings = config.GetConfiguredSettings<AadSettings>();
            vaultSettings = config.GetConfiguredSettings<VaultSettings>();
            kvClient = serviceProvider.GetRequiredService<IKeyVaultClient>();

            // Exactly one credential path runs; there is no fallback to another mode.
            // NOTE(review): whatever the TryCreateClient* helpers return is discarded here, so a
            // failed attempt does not surface from this constructor. Confirm the helpers throw.
            var mode = queueSettings.AuthMode;
            if (mode == StorageAuthMode.Msi)
            {
                TryCreateClientUsingMsi();
            }
            else if (mode == StorageAuthMode.Spn)
            {
                TryCreateClientUsingSpn();
            }
            else if (mode == StorageAuthMode.SecretFromVault)
            {
                TryCreateClientFromKeyVault();
            }
            else if (mode == StorageAuthMode.ConnStr)
            {
                TryCreateClientUsingConnStr();
            }
            else
            {
                throw new NotSupportedException($"Storage auth mode: {mode} is not supported");
            }
        }
コード例 #4
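        /// <summary>
        /// Loads Event Hub, AAD and vault settings, then creates the client by trying each
        /// credential helper in order: MSI, SPN, Key Vault and finally the connection string.
        /// </summary>
        /// <param name="configuration">Configuration the settings objects are read from.</param>
        /// <param name="loggerFactory">Factory used to create this type's logger.</param>
        /// <exception cref="InvalidOperationException">
        /// No helper produced a client: either no connection-string secret name is configured,
        /// or the connection-string attempt failed as well.
        /// </exception>
        public ProducerClientFactory(IConfiguration configuration, ILoggerFactory loggerFactory)
        {
            logger        = loggerFactory.CreateLogger<ProducerClientFactory>();
            hubSettings   = configuration.GetConfiguredSettings<EventHubSettings>();
            aadSettings   = configuration.GetConfiguredSettings<AadSettings>();
            vaultSettings = configuration.GetConfiguredSettings<VaultSettings>();

            // The first helper that succeeds wins; a failing identity falls through to the next one.
            // NOTE(review): nothing here records which credential path was finally used; confirm
            // the helpers log it, since the last fallback is a stored connection string.
            if (TryCreateClientUsingMsi() || TryCreateClientUsingSpn() || TryCreateClientFromKeyVault())
            {
                return;
            }

            // The original nesting made this branch unreachable, so a factory with no usable
            // credential source was constructed silently without a client.
            if (string.IsNullOrEmpty(hubSettings.ConnectionStringSecretName))
            {
                throw new InvalidOperationException("Invalid queue settings");
            }

            if (!TryCreateClientUsingConnStr())
            {
                throw new InvalidOperationException("failed to create queue client");
            }
        }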
コード例 #5
        /// <summary>
        /// Creates a Vault client that authenticates with the bootstrap token from the settings.
        /// </summary>
        /// <param name="configuration">Supplies <c>BootstrapToken</c> and <c>VaultEndpointUri</c>.</param>
        /// <returns>A new <c>VaultClient</c> configured for token authentication.</returns>
        private static VaultClient CreateBootstrappingVaultClient(VaultSettings configuration)
        {
            // The bootstrap token is a bearer credential: keep it out of logs and exception text.
            // NOTE(review): presumably the token comes from a protected configuration source and
            // not from a file under source control. Verify where VaultSettings is bound.
            var tokenAuth = new VaultSharp.V1.AuthMethods.Token.TokenAuthMethodInfo(configuration.BootstrapToken);

            return new VaultClient(new VaultClientSettings(configuration.VaultEndpointUri, tokenAuth));
        }
コード例 #6
        /// <summary>
        /// Binds the <c>VaultSettings</c> configuration section to a new settings instance,
        /// registers that instance as a singleton and then calls <c>AddVault()</c>.
        /// </summary>
        /// <param name="services">Service collection to register into.</param>
        /// <param name="configuration">Configuration containing a section named after <c>VaultSettings</c>.</param>
        /// <returns>The same <paramref name="services"/> instance, for chaining.</returns>
        public static IServiceCollection AddVaultService(this IServiceCollection services, IConfiguration configuration)
        {
            var boundSettings = new VaultSettings();
            var section = configuration.GetSection(nameof(VaultSettings));

            section.Bind(boundSettings);

            // As a singleton the settings object can be resolved by any service in the container.
            // NOTE(review): if VaultSettings carries a token or other secret, confirm that no
            // consumer logs or serializes it.
            services.AddSingleton(boundSettings);
            services.AddVault();

            return services;
        }
コード例 #7
        /// <summary>
        /// Loads blob storage, AAD and vault settings, then tries the creation helpers in
        /// order (MSI, SPN, Key Vault, connection string) and stops at the first that succeeds.
        /// </summary>
        /// <param name="configuration">Configuration the settings objects are read from.</param>
        /// <param name="loggerFactory">Factory used to create this type's logger.</param>
        public BlobContainerFactory(IConfiguration configuration, ILoggerFactory loggerFactory)
        {
            _blobSettings = configuration.GetConfiguredSettings<BlobStorageSettings>();
            _aadSettings = configuration.GetConfiguredSettings<AadSettings>();
            _vaultSettings = configuration.GetConfiguredSettings<VaultSettings>();
            _logger = loggerFactory.CreateLogger<BlobContainerFactory>();

            if (TryCreateUsingMsi())
            {
                return;
            }

            if (TryCreateUsingSpn())
            {
                return;
            }

            if (TryCreateFromKeyVault())
            {
                return;
            }

            // Last resort. The outcome is not checked, so the constructor completes even when
            // every credential path has failed.
            // NOTE(review): confirm callers detect a factory that has no usable container client.
            TryCreateUsingConnStr();
        }
コード例 #8
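        /// <summary>
        /// Acquires an application (client-credentials) access token for
        /// <c>settings.Scopes</c>, authenticating with a certificate fetched from Key Vault
        /// when <c>ClientCertName</c> is set and with <c>ClientSecret</c> otherwise.
        /// </summary>
        /// <param name="settings">AAD application settings: client id, authority, scopes and credential.</param>
        /// <param name="vaultSettings">Supplies <c>VaultUrl</c>; required when a certificate name is set.</param>
        /// <param name="kvClient">Key Vault client; required when a certificate name is set.</param>
        /// <returns>
        /// The access token, or <c>null</c> when AAD rejects the scope with AADSTS70011.
        /// The token is a bearer credential and must not be logged by callers.
        /// </returns>
        /// <exception cref="ArgumentNullException">
        /// <paramref name="settings"/> is null, the certificate path is selected without
        /// <paramref name="kvClient"/> or <paramref name="vaultSettings"/>, or neither a
        /// certificate name nor a client secret is configured.
        /// </exception>
        public static async Task<string> GetAccessToken(
            AadAppSettings settings,
            VaultSettings vaultSettings = null,
            IKeyVaultClient kvClient    = null)
        {
            if (settings == null)
            {
                throw new ArgumentNullException(nameof(settings));
            }

            IConfidentialClientApplication app;

            if (!string.IsNullOrEmpty(settings.ClientCertName))
            {
                if (kvClient == null)
                {
                    throw new ArgumentNullException(nameof(kvClient));
                }

                if (vaultSettings == null)
                {
                    throw new ArgumentNullException(nameof(vaultSettings));
                }

                var cert = await kvClient.GetCertificateAsync(vaultSettings.VaultUrl, settings.ClientCertName);

                // NOTE(review): cert.Cer looks like the public certificate bytes only, while
                // signing a client assertion needs the private key. Confirm this path can
                // actually authenticate, or load the key material from the matching vault secret.
                var pfx = new X509Certificate2(cert.Cer);
                app = ConfidentialClientApplicationBuilder.Create(settings.ClientId)
                      .WithCertificate(pfx)
                      .WithAuthority(settings.Authority)
                      .Build();
            }
            else if (!string.IsNullOrEmpty(settings.ClientSecret))
            {
                app = ConfidentialClientApplicationBuilder
                      .Create(settings.ClientId)
                      .WithClientSecret(settings.ClientSecret)
                      .WithAuthority(settings.Authority)
                      .Build();
            }
            else
            {
                // ArgumentNullException takes (paramName, message); the original passed them swapped.
                throw new ArgumentNullException(nameof(settings), "ClientSecret not specified");
            }

            try
            {
                var result = await app.AcquireTokenForClient(settings.Scopes).ExecuteAsync();

                return result.AccessToken;
            }
            catch (MsalServiceException ex) when (ex.Message.Contains("AADSTS70011"))
            {
                // Invalid scope. The scope has to be of the form "https://resourceurl/.default"
                // Mitigation: change the scope to be as expected
                // Only this error is swallowed; every other MSAL failure propagates to the caller.
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("Scope provided is not supported");
                Console.ResetColor();
            }

            // Callers must treat null as "no token" and never send it on as a credential.
            return null;
        }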
コード例 #9
 /// <summary>
 /// Stores the <c>VaultSettings</c> value supplied through the options pattern.
 /// </summary>
 /// <param name="options">Options wrapper whose <c>Value</c> is kept in <c>_settings</c>.</param>
 // NOTE(review): if VaultSettings holds a token or other secret, confirm that no action
 // passes the object to a view or returns it in a response.
 public HomeController(IOptions<VaultSettings> options) => _settings = options.Value;
コード例 #10
 /// <summary>
 /// Stores the <c>VaultSettings</c> value supplied through the options pattern.
 /// </summary>
 /// <param name="options">Options wrapper whose <c>Value</c> is kept in <c>_vaultSettings</c>.</param>
 // NOTE(review): if VaultSettings holds a token or other secret, confirm that no action
 // passes the object to a view or returns it in a response.
 public AccountController(IOptions<VaultSettings> options) => _vaultSettings = options.Value;