public void ClientSecretCredentialWithOptionsFailureTest(string tenantId, string clientId, string clientSecret, bool useHostString)
{
var options = AzureOauthTokenAuthentication.GetOptions(useHostString ? AzureOauthTokenAuthentication.DefaultAuthorityHost : null);
var credential = AzureOauthTokenAuthentication.GetOauthTokenCredentialFromClientSecret(tenantId, clientId, clientSecret, options);
Assert.IsNotNull(credential, "Credential should not be null");
}
public void ManagedIdentityBaseWithOptionsTest(bool useHostString)
{
var options = AzureOauthTokenAuthentication.GetOptions(useHostString ? AzureOauthTokenAuthentication.DefaultAuthorityHost : null);
var credential = AzureOauthTokenAuthentication.GetOauthTokenCredentialFromManagedIdentity(options);
Assert.IsNotNull(credential, "Credential should not be null");
}
public static KeyVaultSecrets GetSecretsClient(ILogger logger)
{
var keyVaultName = Environment.GetEnvironmentVariable("KeyVaultName");
var hubSecretName = Environment.GetEnvironmentVariable("HubSecretName");
var identityClientId = Environment.GetEnvironmentVariable("IdentityClientId");
var tenantId = Environment.GetEnvironmentVariable("TenantId");
var clientId = Environment.GetEnvironmentVariable("ClientId");
var clientSecret = Environment.GetEnvironmentVariable("ClientSecret");
logger.LogInformation("Retrieving secrets from vault named: {valueName} and a hub secret named: {hubSecretName}", keyVaultName, hubSecretName);
TokenCredential tokenProvider;
if (string.IsNullOrWhiteSpace(clientSecret))
{
tokenProvider = string.IsNullOrWhiteSpace(identityClientId) ? AzureOauthTokenAuthentication.GetOauthTokenCredentialFromManagedIdentity() : AzureOauthTokenAuthentication.GetOauthTokenCredentialFromManagedIdentity(identityClientId);
}
else
{
tokenProvider = AzureOauthTokenAuthentication.GetOauthTokenCredentialFromClientSecret(tenantId, clientId, clientSecret);
}
logger.LogInformation("Completed creation of token provider");
var vault = new KeyVault(keyVaultName, tokenProvider, 3, TimeSpan.FromSeconds(2), TimeSpan.FromSeconds(15), TimeSpan.FromSeconds(10));
logger.LogInformation("Created key vault");
return(vault.GetSecretsClient());
}
public void GetCertificateWithVersion()
{
const string VaultName = "fakevault1";
const string SecretName = "secretname1";
const string SecretVersion = "1aaaaaaa1aa11a1111aaaa11111a1111";
// const string SecretValue = "This is the value fake";
const string TenantId = "11111111-1111-1111-aa1a-a1a11a111111";
const string ClientId = "11111111-1111-1111-aa1a-a1a11a111111";
const string ClientSecret = "a.u8w3FFgwy9v_-5R_5gsT~qf96T~a7e6y";
// var getCertificateInvoked = false;
// string key = null;
var path = ContainerEnvironment.IsLinux ? Path.Combine(Environment.CurrentDirectory, "my_contoso_local.pfx") : Path.Combine(Environment.CurrentDirectory, "TestValidationCertificate.pfx");
var certificate = new X509Certificate2(path, "abc123");
var certificateString = Convert.ToBase64String(certificate.RawData);
using (var context = ShimsContext.Create())
{
ShimKeyVaultCertificate.AllInstances.CerGet = new FakesDelegates.Func <KeyVaultCertificate, byte[]>((vaultCert) => certificate.RawData);
var fakeCertificate = new ShimKeyVaultCertificate()
{
NameGet = new FakesDelegates.Func <string>(() => "FakeCert1"),
IdGet = new FakesDelegates.Func <Uri>(() => new Uri("cert://FakeCert1")),
PropertiesGet = new FakesDelegates.Func <CertificateProperties>(() =>
{
return(new ShimCertificateProperties()
{
VersionGet = new FakesDelegates.Func <string>(() => SecretVersion),
NameGet = new FakesDelegates.Func <string>(() => SecretName),
IdGet = new FakesDelegates.Func <Uri>(() => new Uri("cert://FakeCert1"))
});
})
};
ShimCertificateClient.AllInstances.GetCertificateVersionAsyncStringStringCancellationToken = new FakesDelegates.Func <CertificateClient, string, string, CancellationToken, Task <Response <KeyVaultCertificate> > >((client, name, version, cancellationToken) =>
{
var keyVaultFakeCertificateResponse = new FakeResponse <KeyVaultCertificate>(fakeCertificate, 200, "OK", null);
return(Task.FromResult(keyVaultFakeCertificateResponse as Response <KeyVaultCertificate>));
});
var secret = new ShimKeyVaultCertificateWithPolicy();
var response = new FakeResponse <KeyVaultCertificate>(secret, 200, "OK", null);
SetupSecretClientConstructorFakes();
var vault = new KeyVault(VaultName, AzureOauthTokenAuthentication.GetOauthTokenCredentialFromClientSecret(TenantId, ClientId, ClientSecret), 3, TimeSpan.FromSeconds(2), TimeSpan.FromSeconds(15), TimeSpan.FromSeconds(10));
var client = vault.GetCertificatesClient(CertificateClientOptions.ServiceVersion.V7_1);
var certificateValue = client.GetAsync(SecretName, SecretVersion).GetAwaiter().GetResult();
Assert.IsNotNull(certificateValue, "Certificate failed to retrieve");
Assert.IsTrue(string.Equals(certificateValue.Id.AbsoluteUri, "cert://fakecert1/", StringComparison.Ordinal), "Id not expected");
Assert.IsTrue(string.Equals(certificateValue.Name, "FakeCert1", StringComparison.Ordinal), "Name not expected");
Assert.IsTrue(string.Equals(certificateValue.Version, SecretVersion, StringComparison.Ordinal), "Version not expected");
Assert.IsNull(certificateValue.Policy, "Policy not expected");
}
}
public void ConfigureOptionRetries()
{
var options = AzureOauthTokenAuthentication.GetOptions();
AzureOauthTokenAuthentication.ConfigureRetries(options, Azure.Core.RetryMode.Exponential, 100, TimeSpan.FromSeconds(5), TimeSpan.FromMinutes(1), TimeSpan.FromMinutes(2));
Assert.IsTrue(options.Retry.Delay == TimeSpan.FromSeconds(5), "Delay is not expected");
Assert.IsTrue(options.Retry.MaxDelay == TimeSpan.FromMinutes(1), "MaximumDelay is not expected");
Assert.IsTrue(options.Retry.NetworkTimeout == TimeSpan.FromMinutes(2), "Network Timeout is not expected");
Assert.IsTrue(options.Retry.MaxRetries == 100, "Maximum retries is not expected");
}
public void ConfigureOptionDiagnostics()
{
var options = AzureOauthTokenAuthentication.GetOptions();
AzureOauthTokenAuthentication.ConfigureDiagnostics(options, "app1", true, true, true, true, 5000);
Assert.IsTrue(options.Diagnostics.ApplicationId == "app1", "Application Id is not expected");
Assert.IsTrue(options.Diagnostics.IsDistributedTracingEnabled, "DistributedTracingEnabled is not expected");
Assert.IsTrue(options.Diagnostics.IsLoggingContentEnabled, "LoggingContentEnabled is not expected");
Assert.IsTrue(options.Diagnostics.IsLoggingEnabled, "LoggingEnabled is not expected");
Assert.IsTrue(options.Diagnostics.IsTelemetryEnabled, "LoggingEnabled is not expected");
Assert.IsTrue(options.Diagnostics.LoggedContentSizeLimit == 5000, "LoggedContentSizeLimit is not expected");
Assert.IsTrue(options.Diagnostics.LoggedHeaderNames.Count > 0, "LoggedHeaderNames is not expected");
Assert.IsTrue(options.Diagnostics.LoggedQueryParameters.Count == 0, "LoggedQueryParameters is not expected");
}
public void GetCertificate()
{
const string TenantId = @"11a111aa-11a1-11aa-11aa-1a1aa111aa11";
const string ClientId = @"11a111aa-11a1-11aa-11aa-1a1aa111aa11";
const string ClientSecret = @"someclientsecret";
const string CertificateName = @"democert123";
const string CertificateVersion = @"11a111aa11a111aa11aa1a1aa111aa11";
var manager = new KeyVaultSecretManager("cgcvault1", AzureOauthTokenAuthentication.GetOauthTokenCredentialFromClientSecret(TenantId, ClientId, ClientSecret), 3, TimeSpan.FromSeconds(2), TimeSpan.FromSeconds(15), TimeSpan.FromSeconds(10));
var response = manager.GetCertificateAsync(CertificateName, CertificateVersion, CancellationToken.None).GetAwaiter().GetResult();
Assert.IsNotNull(response, "Response is null");
Assert.IsTrue(response.IsSuccessCode, "Success code unexpected");
Assert.IsTrue(response.StatusCode == 200, "Status code unexpected");
}
public void GetCertificateWithVersion()
{
const string VaultName = "fakevault1";
const string SecretName = "secretname1";
const string SecretVersion = "1aaaaaaa1aa11a1111aaaa11111a1111";
const string TenantId = "11111111-1111-1111-aa1a-a1a11a111111";
const string ClientId = "11111111-1111-1111-aa1a-a1a11a111111";
const string ClientSecret = "a.u8w3FFgwy9v_-5R_5gsT~qf96T~a7e6y";
var algorithm = ECDsa.Create();
// string key = null;
var path = Path.Combine(Environment.CurrentDirectory, "TestValidationCertificate.pfx");
var certificate = new X509Certificate2(path, "abc123");
var certificateString = Convert.ToBase64String(certificate.RawData);
using (var context = ShimsContext.Create())
{
ShimKeyVaultKey.AllInstances.KeyGet = new FakesDelegates.Func <KeyVaultKey, JsonWebKey>((key) =>
{
return(new JsonWebKey(algorithm));
});
var fakeKey = new ShimKeyVaultKey()
{
};
ShimKeyClient.AllInstances.GetKeyAsyncStringStringCancellationToken = new FakesDelegates.Func <KeyClient, string, string, CancellationToken, Task <Response <KeyVaultKey> > >((client, name, version, cancellationToken) =>
{
var keyVaultFakeKeyResponse = new FakeResponse <KeyVaultKey>(fakeKey, 200, "OK", null);
return(Task.FromResult(keyVaultFakeKeyResponse as Response <KeyVaultKey>));
});
var testKey = new ShimKeyVaultKey();
var response = new FakeResponse <KeyVaultKey>(testKey, 200, "OK", null);
SetupSecretClientConstructorFakes();
var vault = new KeyVault(VaultName, AzureOauthTokenAuthentication.GetOauthTokenCredentialFromClientSecret(TenantId, ClientId, ClientSecret), 3, TimeSpan.FromSeconds(2), TimeSpan.FromSeconds(15), TimeSpan.FromSeconds(10));
var client = vault.GetKeysClient(KeyClientOptions.ServiceVersion.V7_1);
var keyValue = client.GetAsync(SecretName, SecretVersion).GetAwaiter().GetResult();
Assert.IsNotNull(keyValue, "Certificate failed to retrieve");
var webKey = (JsonWebKey)keyValue;
Assert.IsNotNull(webKey, "Web key not expected");
}
}
public void GetCertificateSecret()
{
const string VaultName = "fakevault1";
const string SecretName = "secretname1";
const string SecretVersion = "1aaaaaaa1aa11a1111aaaa11111a1111";
const string TenantId = "11111111-1111-1111-aa1a-a1a11a111111";
const string ClientId = "11111111-1111-1111-aa1a-a1a11a111111";
const string ClientSecret = "a.u8w3FFgwy9v_-5R_5gsT~qf96T~a7e6y";
var getSecretInvoked = false;
X509Certificate2 certificateSecret = null;
using (var context = ShimsContext.Create())
{
var path = Path.Combine(Environment.CurrentDirectory, "TestValidationCertificate.pfx");
var certificate = new X509Certificate2(path, "abc123");
var certificateString = Convert.ToBase64String(certificate.RawData);
var secret = new KeyVaultSecretFake($"{VaultName}.vault.azure.net", SecretName, SecretVersion, certificateString);
var response = new FakeResponse <KeyVaultSecret>(secret, 200, "OK", null);
SetupSecretClientConstructorFakes();
ShimSecretClient.AllInstances.GetSecretAsyncStringStringCancellationToken = new FakesDelegates.Func <SecretClient, string, string, CancellationToken, Task <Response <KeyVaultSecret> > >((client, name, version, cancellationToken) =>
{
getSecretInvoked = true;
var fakeResponse = response as Response <KeyVaultSecret>;
return(Task.FromResult(fakeResponse));
});
var vault = new KeyVault(VaultName, AzureOauthTokenAuthentication.GetOauthTokenCredentialFromClientSecret(TenantId, ClientId, ClientSecret), 3, TimeSpan.FromSeconds(2), TimeSpan.FromSeconds(15), TimeSpan.FromSeconds(10));
var client = vault.GetSecretsClient(SecretClientOptions.ServiceVersion.V7_1);
var secretValue = client.GetCertificateAsync(SecretName, SecretVersion, CancellationToken.None).GetAwaiter().GetResult();
certificateSecret = secretValue.Value;
}
Assert.IsTrue(getSecretInvoked, "The fake should be used");
Assert.IsNotNull(certificateSecret, "Certificate is null");
Assert.IsTrue(string.Equals(certificateSecret.Thumbprint, "A449811985D59FC72303860F51CB95F5D3257141", StringComparison.Ordinal), "Certificate thumbprint not expected");
Assert.IsTrue(string.Equals(certificateSecret.Subject, "CN=Joe Smith, OU=UserAccounts, DC=corp, DC=praxicloud, DC=com", StringComparison.Ordinal), "Certificate subject not expected");
Assert.IsTrue(string.Equals(certificateSecret.Issuer, "CN=Joe Smith, OU=UserAccounts, DC=corp, DC=praxicloud, DC=com", StringComparison.Ordinal), "Certificate issuer not expected");
Assert.IsTrue(string.Equals(certificateSecret.SerialNumber, "67EA381F988D5AA94B1569B978062CFB", StringComparison.Ordinal), "Certificate serial number not expected");
Assert.IsTrue(certificateSecret.NotBefore == DateTime.Parse("2020-09-09 9:42:40 AM"), "Certificate not before not expected");
Assert.IsTrue(certificateSecret.NotAfter == DateTime.Parse("2070-09-09 9:52:40 AM"), "Certificate not after not expected");
}
public void GetSet()
{
const string VaultName = "fakevault1";
const string TenantId = "11111111-1111-1111-aa1a-a1a11a111111";
const string ClientId = "11111111-1111-1111-aa1a-a1a11a111111";
const string ClientSecret = "a.u8w3FFgwy9v_-5R_5gsT~qf96T~a7e6y";
var vault = new KeyVault(VaultName, AzureOauthTokenAuthentication.GetOauthTokenCredentialFromClientSecret(TenantId, ClientId, ClientSecret), 3, TimeSpan.FromSeconds(2), TimeSpan.FromSeconds(15), TimeSpan.FromSeconds(10));
Assert.IsTrue(string.Equals(vault.Name, VaultName, StringComparison.Ordinal), "Vault name is not expected");
Assert.IsTrue(string.Equals(vault.FullyQualifiedName, $"{ VaultName }.vault.azure.net", StringComparison.Ordinal), "Fully qualified name is not expected");
Assert.IsTrue(string.Equals(vault.Uri.AbsoluteUri, $"https://{ VaultName }.vault.azure.net/", StringComparison.Ordinal), "Uri not expected");
Assert.IsFalse(vault.EnableDiagnostics, "Enable diagnostics not expected");
Assert.IsTrue(vault.MaximumDelay == TimeSpan.FromSeconds(15), "Maximum delay not expected");
Assert.IsTrue(vault.NetworkTimeout == TimeSpan.FromSeconds(10), "Network timeout not expected");
Assert.IsTrue(vault.Delay == TimeSpan.FromSeconds(2), "Delay not expected");
Assert.IsTrue(vault.MaximumRetries == 3, "Maximum retries not expected");
Assert.IsNull(vault.DiagnosticsApplicationId, "Diagnostics application id not expected");
}
public void GetSecretWithVersion()
{
const string VaultName = "fakevault1";
const string SecretName = "secretname1";
const string SecretVersion = "1aaaaaaa1aa11a1111aaaa11111a1111";
const string SecretValue = "This is the value fake";
const string TenantId = "11111111-1111-1111-aa1a-a1a11a111111";
const string ClientId = "11111111-1111-1111-aa1a-a1a11a111111";
const string ClientSecret = "a.u8w3FFgwy9v_-5R_5gsT~qf96T~a7e6y";
var getSecretInvoked = false;
string key = null;
using (var context = ShimsContext.Create())
{
var secret = new KeyVaultSecretFake($"{VaultName}.vault.azure.net", SecretName, SecretVersion, SecretValue);
var response = new FakeResponse <KeyVaultSecret>(secret, 200, "OK", null);
SetupSecretClientConstructorFakes();
ShimSecretClient.AllInstances.GetSecretAsyncStringStringCancellationToken = new FakesDelegates.Func <SecretClient, string, string, CancellationToken, Task <Response <KeyVaultSecret> > >((client, name, version, cancellationToken) =>
{
getSecretInvoked = true;
var fakeResponse = response as Response <KeyVaultSecret>;
return(Task.FromResult(fakeResponse));
});
var vault = new KeyVault(VaultName, AzureOauthTokenAuthentication.GetOauthTokenCredentialFromClientSecret(TenantId, ClientId, ClientSecret), 3, TimeSpan.FromSeconds(2), TimeSpan.FromSeconds(15), TimeSpan.FromSeconds(10));
var client = vault.GetSecretsClient(SecretClientOptions.ServiceVersion.V7_1);
var secretValue = client.GetAsync(SecretName, SecretVersion).GetAwaiter().GetResult();
key = secretValue.Value.SecureStringToString();
}
Assert.IsTrue(getSecretInvoked, "The fake should be used");
Assert.IsTrue(string.Equals(key, SecretValue, StringComparison.Ordinal), "Value not expected");
}
public void ManagedIdentityCredentialTest(string clientId)
{
var credential = AzureOauthTokenAuthentication.GetOauthTokenCredentialFromManagedIdentity(clientId);
Assert.IsNotNull(credential, "Credential should not be null");
}
public void ClientSecretCredentialTest(string tenantId, string clientId, string clientSecret)
{
var credential = AzureOauthTokenAuthentication.GetOauthTokenCredentialFromClientSecret(tenantId, clientId, clientSecret);
Assert.IsNotNull(credential, "Credential should not be null");
}
public void ManagedIdentityCredential1FailureTest(string clientId)
{
var credential = AzureOauthTokenAuthentication.GetOauthTokenCredentialFromManagedIdentity(clientId);
}
