private async Task <CredHubClient> InitializeAsync()
{
HttpClientHelper.ConfigureCertificateValidatation(_validateCertificates, out SecurityProtocolType protocolType, out RemoteCertificateValidationCallback prevValidator);
try
{
var info = await _httpClient.GetAsync($"{_baseCredHubUrl.Replace("/api", "/info")}");
if (!info.IsSuccessStatusCode)
{
// we don't NEED to throw an error here as this was more of a connectivity test than anything else
// throw new CredHubException($"Failed calling {_baseCredHubUrl.Replace("/api", "/info")}: {info.StatusCode}");
_logger?.LogError($"Failed calling {_baseCredHubUrl.Replace("/api", "/info")}: {info.StatusCode} -- CredHub interactions may not work!");
}
}
catch (Exception e)
{
_logger?.LogCritical($"Encountered an exception calling /info on the CredHub server: {e}");
}
finally
{
HttpClientHelper.RestoreCertificateValidation(_validateCertificates, protocolType, prevValidator);
}
return(this);
}
public async Task <List <CredentialPermission> > AddPermissionsAsync(string name, List <CredentialPermission> permissions)
{
if (string.IsNullOrEmpty(name))
{
throw new ArgumentException("Name is required");
}
if (permissions == null || !permissions.Any())
{
throw new ArgumentException("At least one permission is required");
}
HttpClientHelper.ConfigureCertificateValidatation(_validateCertificates, out SecurityProtocolType protocolType, out RemoteCertificateValidationCallback prevValidator);
try
{
_logger?.LogTrace($"About to POST {_baseCredHubUrl}/v1/permissions");
var newPermissions = new CredentialPermissions {
CredentialName = name, Permissions = permissions
};
var addResponse = await _httpClient.PostAsJsonAsync($"{_baseCredHubUrl}/v1/permissions", newPermissions, _serializerSettings);
return(await GetPermissionsAsync(name));
}
finally
{
HttpClientHelper.RestoreCertificateValidation(_validateCertificates, protocolType, prevValidator);
}
}
public async Task <bool> DeletePermissionAsync(string name, string actor)
{
if (string.IsNullOrEmpty(name))
{
throw new ArgumentException("Name is required");
}
if (string.IsNullOrEmpty(actor))
{
throw new ArgumentException("Actor is required");
}
HttpClientHelper.ConfigureCertificateValidatation(_validateCertificates, out SecurityProtocolType protocolType, out RemoteCertificateValidationCallback prevValidator);
try
{
_logger?.LogTrace($"About to DELETE {_baseCredHubUrl}/v1/permissions?credential_name={name}&actor={actor}");
var response = await _httpClient.DeleteAsync($"{_baseCredHubUrl}/v1/permissions?credential_name={name}&actor={actor}");
if (response.StatusCode == System.Net.HttpStatusCode.NoContent || response.StatusCode == System.Net.HttpStatusCode.NotFound)
{
return(true);
}
return(false);
}
finally
{
HttpClientHelper.RestoreCertificateValidation(_validateCertificates, protocolType, prevValidator);
}
}
public async Task <string> InterpolateServiceDataAsync(string serviceData)
{
if (string.IsNullOrEmpty(serviceData))
{
throw new ArgumentException("Service data is required");
}
HttpClientHelper.ConfigureCertificateValidatation(_validateCertificates, out SecurityProtocolType protocolType, out RemoteCertificateValidationCallback prevValidator);
try
{
_logger?.LogTrace($"About to POST {_baseCredHubUrl}/v1/interpolate");
var response = await _httpClient.PostAsync($"{_baseCredHubUrl}/v1/interpolate", new StringContent(serviceData, Encoding.Default, "application/json"));
if (response.IsSuccessStatusCode)
{
return(await response.Content.ReadAsStringAsync());
}
else
{
throw new CredHubException($"Failed to interpolate credentials, status code: {response.StatusCode}");
}
}
finally
{
HttpClientHelper.RestoreCertificateValidation(_validateCertificates, protocolType, prevValidator);
}
}
public virtual async Task <JsonWebKeySet> FetchKeySet()
{
var requestMessage = new HttpRequestMessage(HttpMethod.Get, _jwtKeyUrl);
requestMessage.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
HttpClient client = GetHttpClient();
HttpClientHelper.ConfigureCertificateValidatation(
_validateCertificates,
out SecurityProtocolType prevProtocols,
out RemoteCertificateValidationCallback prevValidator);
HttpResponseMessage response = null;
try
{
response = await client.SendAsync(requestMessage);
}
finally
{
HttpClientHelper.RestoreCertificateValidation(_validateCertificates, prevProtocols, prevValidator);
}
if (response.IsSuccessStatusCode)
{
var result = await response.Content.ReadAsStringAsync();
return(GetJsonWebKeySet(result));
}
return(null);
}
private async Task DoPost(HttpClient client, HttpRequestMessage request)
{
HttpClientHelper.ConfigureCertificateValidatation(
_options.ValidateCertificates,
out SecurityProtocolType prevProtocols,
out RemoteCertificateValidationCallback prevValidator);
try
{
using (HttpResponseMessage response = await client.SendAsync(request))
{
_logger?.LogDebug("DoPost {uri}, status: {status}", request.RequestUri, response.StatusCode);
if (response.StatusCode != HttpStatusCode.OK &&
response.StatusCode != HttpStatusCode.Accepted)
{
var statusCode = (int)response.StatusCode;
_logger?.LogError("Failed to send traces to Zipkin. Discarding traces. StatusCode: {status}, Uri: {uri}", statusCode, request.RequestUri);
}
return;
}
}
catch (Exception e)
{
_logger?.LogError(e, "DoPost Exception: {uri}", request.RequestUri);
}
finally
{
client.Dispose();
HttpClientHelper.RestoreCertificateValidation(_options.ValidateCertificates, prevProtocols, prevValidator);
}
}
private HttpClient InitializeHttpClient(bool validateCertificates)
{
HttpClientHelper.ConfigureCertificateValidatation(validateCertificates, out SecurityProtocolType sslProtocols, out RemoteCertificateValidationCallback certCallback);
if (validateCertificates)
{
return(new HttpClient(_httpClientHandler));
}
else
{
// TODO: this may need further attention
if (Platform.IsFullFramework)
{
_logger?.LogTrace("Full .NET Framework detected, using ServicePointManager to disable Certificate Validation");
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, sslPolicyErrors) => true;
}
else
{
_logger?.LogTrace("Full .NET Framework NOT detected, using HttpClientHandler to disable Certificate Validation");
_httpClientHandler.SslProtocols = SslProtocols.Tls12;
_httpClientHandler.ServerCertificateCustomValidationCallback = (httpRequestMessage, cert, cetChain, policyErrors) => true;
}
return(new HttpClient(_httpClientHandler));
}
}
private async Task <CredHubClient> InitializeAsync(string credHubUser, string credHubPassword)
{
HttpClientHelper.ConfigureCertificateValidatation(_validateCertificates, out SecurityProtocolType protocolType, out RemoteCertificateValidationCallback prevValidator);
try
{
Uri tokenUri;
var uaaOverrideUrl = Environment.GetEnvironmentVariable("UAA_Server_Override");
if (string.IsNullOrEmpty(uaaOverrideUrl))
{
var info = await _httpClient.GetAsync($"{_baseCredHubUrl.Replace("/api", "/info")}");
var infoResponse = await HandleErrorParseResponse <CredHubServerInfo>(info, "GET /info from CredHub Server");
tokenUri = new Uri($"{infoResponse.AuthServer.First().Value}/oauth/token");
_logger?.LogInformation($"Targeted CredHub server uses UAA server at {tokenUri}");
}
else
{
tokenUri = new Uri(uaaOverrideUrl);
_logger?.LogInformation($"UAA set by ENV variable {tokenUri}");
}
// login to UAA
var header = new AuthenticationHeaderValue("Basic", Convert.ToBase64String(Encoding.ASCII.GetBytes($"{credHubUser}:{credHubPassword}")));
_httpClient.DefaultRequestHeaders.Authorization = header;
var postParams = new List <KeyValuePair <string, string> >
{
new KeyValuePair <string, string>("grant_type", "client_credentials"),
new KeyValuePair <string, string>("response_type", "token")
};
var response = await _httpClient.PostAsync(tokenUri, new FormUrlEncodedContent(postParams));
if (response.IsSuccessStatusCode)
{
_logger?.LogTrace(await response.Content.ReadAsStringAsync());
// set the token
var payload = JObject.Parse(await response.Content.ReadAsStringAsync());
_httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", payload.Value <string>("access_token"));
return(this);
}
else
{
_logger?.LogCritical($"Authentication with UAA Server failed, status code: {response.StatusCode}");
_logger?.LogCritical(await response.Content.ReadAsStringAsync());
throw new AuthenticationException($"Authentication with UAA Server failed, status code: {response.StatusCode}");
}
}
finally
{
HttpClientHelper.RestoreCertificateValidation(_validateCertificates, protocolType, prevValidator);
}
}
protected override async Task <AuthenticationTicket> CreateTicketAsync(ClaimsIdentity identity, AuthenticationProperties properties, OAuthTokenResponse tokens)
{
_logger?.LogDebug("CreateTicketAsync()");
HttpRequestMessage request = GetTokenInfoRequestMessage(tokens);
HttpClient client = GetHttpClient();
HttpClientHelper.ConfigureCertificateValidatation(
Options.ValidateCertificates,
out SecurityProtocolType prevProtocols,
out RemoteCertificateValidationCallback prevValidator);
HttpResponseMessage response = null;
try
{
response = await client.SendAsync(request, Context.RequestAborted);
}
finally
{
HttpClientHelper.RestoreCertificateValidation(Options.ValidateCertificates, prevProtocols, prevValidator);
}
if (!response.IsSuccessStatusCode)
{
_logger?.LogDebug("CreateTicketAsync() failure getting token info from {requesturi}", request.RequestUri);
throw new HttpRequestException($"An error occurred when retrieving token information ({response.StatusCode}).");
}
var resp = await response.Content.ReadAsStringAsync();
_logger?.LogDebug("CreateTicketAsync() received json: {json}", resp);
var payload = JObject.Parse(resp);
var context = new OAuthCreatingTicketContext(new ClaimsPrincipal(identity), properties, Context, Scheme, Options, Backchannel, tokens, payload);
context.RunClaimActions();
await Events.CreatingTicket(context);
if (Options.UseTokenLifetime)
{
properties.IssuedUtc = CloudFoundryHelper.GetIssueTime(payload);
properties.ExpiresUtc = CloudFoundryHelper.GetExpTime(payload);
}
await Events.CreatingTicket(context);
var ticket = new AuthenticationTicket(context.Principal, context.Properties, Scheme.Name);
return(ticket);
}
public async Task <SecurityResult> GetPermissionsAsync(string token)
{
if (string.IsNullOrEmpty(token))
{
return(new SecurityResult(HttpStatusCode.Unauthorized, AUTHORIZATION_HEADER_INVALID));
}
string checkPermissionsUri = _options.CloudFoundryApi + "/v2/apps/" + _options.ApplicationId + "/permissions";
var request = new HttpRequestMessage(HttpMethod.Get, checkPermissionsUri);
AuthenticationHeaderValue auth = new AuthenticationHeaderValue("bearer", token);
request.Headers.Authorization = auth;
// If certificate validation is disabled, inject a callback to handle properly
HttpClientHelper.ConfigureCertificateValidatation(
_options.ValidateCertificates,
out SecurityProtocolType prevProtocols,
out RemoteCertificateValidationCallback prevValidator);
try
{
_logger.LogDebug("GetPermissions({0}, {1})", checkPermissionsUri, token);
using (var client = HttpClientHelper.GetHttpClient(_options.ValidateCertificates, DEFAULT_GETPERMISSIONS_TIMEOUT))
{
using (HttpResponseMessage response = await client.SendAsync(request))
{
if (response.StatusCode != HttpStatusCode.OK)
{
_logger?.LogInformation(
"Cloud Foundry returned status: {HttpStatus} while obtaining permissions from: {PermissionsUri}",
response.StatusCode,
checkPermissionsUri);
return(response.StatusCode == HttpStatusCode.Forbidden
? new SecurityResult(HttpStatusCode.Forbidden, ACCESS_DENIED_MESSAGE)
: new SecurityResult(HttpStatusCode.ServiceUnavailable, CLOUDFOUNDRY_NOT_REACHABLE_MESSAGE));
}
return(new SecurityResult(await GetPermissions(response)));
}
}
}
catch (Exception e)
{
_logger?.LogError("Cloud Foundry returned exception: {SecurityException} while obtaining permissions from: {PermissionsUri}", e, checkPermissionsUri);
return(new SecurityResult(HttpStatusCode.ServiceUnavailable, CLOUDFOUNDRY_NOT_REACHABLE_MESSAGE));
}
finally
{
HttpClientHelper.RestoreCertificateValidation(_options.ValidateCertificates, prevProtocols, prevValidator);
}
}
public async Task <List <CredentialPath> > FindAllPathsAsync()
{
HttpClientHelper.ConfigureCertificateValidatation(_validateCertificates, out SecurityProtocolType protocolType, out RemoteCertificateValidationCallback prevValidator);
try
{
_logger?.LogTrace($"About to GET {_baseCredHubUrl}/v1/data?paths=true");
var response = await _httpClient.GetAsync($"{_baseCredHubUrl}/v1/data?paths=true");
return((await HandleErrorParseResponse <CredentialPathsResponse>(response, "Find all Paths")).Paths);
}
finally
{
HttpClientHelper.RestoreCertificateValidation(_validateCertificates, protocolType, prevValidator);
}
}
#pragma warning restore SA1202 // Elements must be ordered by access
public async Task <CredHubCredential <T> > GenerateAsync <T>(CredHubGenerateRequest request)
{
HttpClientHelper.ConfigureCertificateValidatation(_validateCertificates, out SecurityProtocolType protocolType, out RemoteCertificateValidationCallback prevValidator);
try
{
_logger?.LogTrace($"About to POST {_baseCredHubUrl}/v1/data");
var response = await _httpClient.PostAsJsonAsync($"{_baseCredHubUrl}/v1/data", request, _serializerSettings);
return(await HandleErrorParseResponse <CredHubCredential <T> >(response, $"Generate {typeof(T).Name}"));
}
finally
{
HttpClientHelper.RestoreCertificateValidation(_validateCertificates, protocolType, prevValidator);
}
}
protected internal async void DoPost(HttpClient client, HttpRequestMessage request)
{
HttpClientHelper.ConfigureCertificateValidatation(
options.ValidateCertificates,
out SecurityProtocolType prevProtocols,
out RemoteCertificateValidationCallback prevValidator);
try
{
using (HttpResponseMessage response = await client.SendAsync(request))
{
logger?.LogDebug("DoPost {0}, status: {1}", request.RequestUri, response.StatusCode);
if (response.StatusCode != HttpStatusCode.OK &&
response.StatusCode != HttpStatusCode.Accepted)
{
var headers = response.Headers;
var statusCode = (int)response.StatusCode;
if (statusCode == UNPROCESSABLE_ENTITY)
{
logger?.LogError("Failed to send metrics to Metrics Forwarder service due to unprocessable payload. Discarding metrics.");
}
else if (statusCode == PAYLOAD_TOO_LARGE)
{
logger?.LogError("Failed to send metrics to Metrics Forwarder service due to rate limiting. Discarding metrics.");
}
else if (statusCode == TOO_MANY_REQUESTS)
{
logger?.LogError("Failed to send metrics to Metrics Forwarder service due to rate limiting. Discarding metrics.");
}
else
{
logger?.LogError("Failed to send metrics to Metrics Forwarder service. Discarding metrics. StatusCode: {status}", statusCode);
}
}
return;
}
}
catch (Exception e)
{
logger?.LogError(e, "DoPost Exception: {uri}", request.RequestUri);
}
finally
{
client.Dispose();
HttpClientHelper.RestoreCertificateValidation(options.ValidateCertificates, prevProtocols, prevValidator);
}
}
protected internal virtual async void RefreshVaultTokenAsync(object state)
{
if (string.IsNullOrEmpty(Settings.Token))
{
return;
}
var obscuredToken = Settings.Token.Substring(0, 4) + "[*]" + Settings.Token.Substring(Settings.Token.Length - 4);
// If certificate validation is disabled, inject a callback to handle properly
SecurityProtocolType prevProtocols = (SecurityProtocolType)0;
HttpClientHelper.ConfigureCertificateValidatation(
_settings.ValidateCertificates,
out prevProtocols,
out RemoteCertificateValidationCallback prevValidator);
HttpClient client = null;
try
{
client = GetHttpClient(Settings);
var uri = GetVaultRenewUri();
var message = GetValutRenewMessage(uri);
_logger?.LogInformation("Renewing Vault token {0} for {1} milliseconds at Uri {2}", obscuredToken, Settings.TokenTtl, uri);
using (HttpResponseMessage response = await client.SendAsync(message).ConfigureAwait(false))
{
if (response.StatusCode != HttpStatusCode.OK)
{
_logger?.LogWarning("Renewing Vault token {0} returned status: {1}", obscuredToken, response.StatusCode);
}
}
}
catch (Exception e)
{
_logger?.LogError("Unable to renew Vault token {0}. Is the token invalid or expired? - {1}", obscuredToken, e);
}
finally
{
client.Dispose();
HttpClientHelper.RestoreCertificateValidation(_settings.ValidateCertificates, prevProtocols, prevValidator);
}
}
#pragma warning disable SA1202 // Elements must be ordered by access
public async Task <CredHubCredential <T> > WriteAsync <T>(CredentialSetRequest credentialRequest)
{
HttpClientHelper.ConfigureCertificateValidatation(_validateCertificates, out SecurityProtocolType protocolType, out RemoteCertificateValidationCallback prevValidator);
try
{
_logger?.LogTrace($"About to PUT {_baseCredHubUrl}/v1/data");
var response = await _httpClient.PutAsJsonAsync($"{_baseCredHubUrl}/v1/data", credentialRequest, _serializerSettings);
var dataAsString = await response.Content.ReadAsStringAsync();
var s = JsonConvert.DeserializeObject <CredHubCredential <T> >(dataAsString, _serializerSettings);
return(await HandleErrorParseResponse <CredHubCredential <T> >(response, $"Write {typeof(T).Name}"));
}
finally
{
HttpClientHelper.RestoreCertificateValidation(_validateCertificates, protocolType, prevValidator);
}
}
public async Task <List <CredentialPermission> > GetPermissionsAsync(string name)
{
if (string.IsNullOrEmpty(name))
{
throw new ArgumentException("Name is required");
}
HttpClientHelper.ConfigureCertificateValidatation(_validateCertificates, out SecurityProtocolType protocolType, out RemoteCertificateValidationCallback prevValidator);
try
{
_logger?.LogTrace($"About to GET {_baseCredHubUrl}/v1/permissions?credential_name={name}");
var response = await _httpClient.GetAsync($"{_baseCredHubUrl}/v1/permissions?credential_name={name}");
return((await HandleErrorParseResponse <CredentialPermissions>(response, "Get Permissions")).Permissions);
}
finally
{
HttpClientHelper.RestoreCertificateValidation(_validateCertificates, protocolType, prevValidator);
}
}
public async Task <List <FoundCredential> > FindByPathAsync(string path)
{
if (string.IsNullOrEmpty(path))
{
throw new ArgumentException("Path is required");
}
HttpClientHelper.ConfigureCertificateValidatation(_validateCertificates, out SecurityProtocolType protocolType, out RemoteCertificateValidationCallback prevValidator);
try
{
_logger?.LogTrace($"About to GET {_baseCredHubUrl}/v1/data?path={path}");
var response = await _httpClient.GetAsync($"{_baseCredHubUrl}/v1/data?path={path}");
return((await HandleErrorParseResponse <CredentialFindResponse>(response, "Find by Path")).Credentials);
}
finally
{
HttpClientHelper.RestoreCertificateValidation(_validateCertificates, protocolType, prevValidator);
}
}
public async Task <List <CredHubCredential <T> > > GetByNameWithHistoryAsync <T>(string name, int entries = 10)
{
if (string.IsNullOrEmpty(name))
{
throw new ArgumentException("Name is required");
}
HttpClientHelper.ConfigureCertificateValidatation(_validateCertificates, out SecurityProtocolType protocolType, out RemoteCertificateValidationCallback prevValidator);
try
{
_logger?.LogTrace($"About to GET {_baseCredHubUrl}/v1/data?name={name}&versions={entries}");
var response = await _httpClient.GetAsync($"{_baseCredHubUrl}/v1/data?name={name}&versions={entries}");
return((await HandleErrorParseResponse <CredHubResponse <T> >(response, "Get credential by name with History")).Data);
}
finally
{
HttpClientHelper.RestoreCertificateValidation(_validateCertificates, protocolType, prevValidator);
}
}
public async Task <CredHubCredential <T> > GetByIdAsync <T>(Guid id)
{
if (id == Guid.Empty)
{
throw new ArgumentException("Id of credential is required");
}
HttpClientHelper.ConfigureCertificateValidatation(_validateCertificates, out SecurityProtocolType protocolType, out RemoteCertificateValidationCallback prevValidator);
try
{
_logger?.LogTrace($"About to GET {_baseCredHubUrl}/v1/data{id}");
var response = await _httpClient.GetAsync($"{_baseCredHubUrl}/v1/data/{id}");
return(await HandleErrorParseResponse <CredHubCredential <T> >(response, $"Get {typeof(T).Name} by Id"));
}
finally
{
HttpClientHelper.RestoreCertificateValidation(_validateCertificates, protocolType, prevValidator);
}
}
public async Task <CredHubCredential <T> > GetByNameAsync <T>(string name)
{
if (string.IsNullOrEmpty(name))
{
throw new ArgumentException("Name of credential is required");
}
HttpClientHelper.ConfigureCertificateValidatation(_validateCertificates, out SecurityProtocolType protocolType, out RemoteCertificateValidationCallback prevValidator);
try
{
_logger?.LogTrace($"About to GET {_baseCredHubUrl}/v1/data?name={name}¤t=true");
var response = await _httpClient.GetAsync($"{_baseCredHubUrl}/v1/data?name={name}¤t=true");
return((await HandleErrorParseResponse <CredHubResponse <T> >(response, $"Get {typeof(T).Name} by Name")).Data.First());
}
finally
{
HttpClientHelper.RestoreCertificateValidation(_validateCertificates, protocolType, prevValidator);
}
}
public virtual async Task <string> GetAccessToken()
{
HttpRequestMessage requestMessage = GetTokenRequestMessage();
HttpClientHelper.ConfigureCertificateValidatation(Options.ValidateCertificates, out SecurityProtocolType protocolType, out RemoteCertificateValidationCallback prevValidator);
HttpClient client = new HttpClient
{
BaseAddress = new Uri(Options.OAuthServiceUrl)
};
HttpResponseMessage response = null;
try
{
response = await client.SendAsync(requestMessage);
}
catch (Exception ex)
{
throw new Exception("Error getting access token:" + ex.Message);
}
finally
{
HttpClientHelper.RestoreCertificateValidation(Options.ValidateCertificates, protocolType, prevValidator);
}
if (response.IsSuccessStatusCode)
{
var resp = await response.Content.ReadAsStringAsync();
var payload = JObject.Parse(resp);
return(payload.Value <string>("access_token"));
}
else
{
var error = "OAuth token endpoint failure: " + await Display(response);
throw new Exception(error);
}
}
protected override async Task <OAuthTokenResponse> ExchangeCodeAsync(string code, string redirectUri)
{
_logger?.LogDebug("ExchangeCodeAsync({code},{redirectUri})", code, redirectUri);
HttpRequestMessage requestMessage = GetTokenRequestMessage(code, redirectUri);
HttpClient client = GetHttpClient();
HttpClientHelper.ConfigureCertificateValidatation(
Options.ValidateCertificates,
out SecurityProtocolType prevProtocols,
out RemoteCertificateValidationCallback prevValidator);
HttpResponseMessage response = null;
try
{
response = await client.SendAsync(requestMessage, Context.RequestAborted);
}
finally
{
HttpClientHelper.RestoreCertificateValidation(Options.ValidateCertificates, prevProtocols, prevValidator);
}
if (response.IsSuccessStatusCode)
{
var result = await response.Content.ReadAsStringAsync();
_logger?.LogDebug("ExchangeCodeAsync() received json: {json}", result);
var payload = JObject.Parse(result);
var tokenResponse = OAuthTokenResponse.Success(payload);
return(tokenResponse);
}
else
{
var error = "OAuth token endpoint failure: " + await Display(response);
return(OAuthTokenResponse.Failed(new Exception(error)));
}
}
public async Task <RegeneratedCertificates> BulkRegenerateAsync(string certificateAuthority)
{
if (string.IsNullOrEmpty(certificateAuthority))
{
throw new ArgumentException("Certificate authority used for certificates is required");
}
HttpClientHelper.ConfigureCertificateValidatation(_validateCertificates, out SecurityProtocolType protocolType, out RemoteCertificateValidationCallback prevValidator);
try
{
_logger?.LogTrace($"About to POST {_baseCredHubUrl}/v1/bulk-regenerate");
var response = await _httpClient.PostAsJsonAsync($"{_baseCredHubUrl}/v1/bulk-regenerate", new Dictionary <string, string> {
{ "signed_by", certificateAuthority }
});
return(await HandleErrorParseResponse <RegeneratedCertificates>(response, "Bulk Regenerate Credentials"));
}
finally
{
HttpClientHelper.RestoreCertificateValidation(_validateCertificates, protocolType, prevValidator);
}
}
public void ConfigureCertificateValidatation_ValidateTrue()
{
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
ServicePointManager.ServerCertificateValidationCallback = null;
RemoteCertificateValidationCallback prevValidator;
SecurityProtocolType protocolType;
HttpClientHelper.ConfigureCertificateValidatation(true, out protocolType, out prevValidator);
if (Platform.IsNetCore)
{
Assert.Equal(SecurityProtocolType.Tls, ServicePointManager.SecurityProtocol);
Assert.Null(ServicePointManager.ServerCertificateValidationCallback);
}
if (Platform.IsFullFramework)
{
Assert.Equal(SecurityProtocolType.Tls, ServicePointManager.SecurityProtocol);
Assert.Null(ServicePointManager.ServerCertificateValidationCallback);
}
}
public virtual async Task <JsonWebKeySet> FetchKeySet()
{
var requestMessage = new HttpRequestMessage(HttpMethod.Get, Options.JwtKeyEndpoint);
requestMessage.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
using (var handler = new HttpClientHandler())
{
HttpClientHelper.ConfigureCertificateValidatation(Options.ValidateCertificates, out SecurityProtocolType protocolType, out RemoteCertificateValidationCallback prevValidator);
HttpClient client = new HttpClient(handler)
{
BaseAddress = new Uri(Options.OAuthServiceUrl)
};
HttpResponseMessage response = null;
try
{
response = await client.SendAsync(requestMessage);
}
catch (Exception ex)
{
throw new Exception("Error getting keys to validate token:" + ex.Message);
}
finally
{
HttpClientHelper.RestoreCertificateValidation(Options.ValidateCertificates, protocolType, prevValidator);
}
if (response.IsSuccessStatusCode)
{
var result = await response.Content.ReadAsStringAsync();
return(GetJsonWebKeySet(result));
}
}
return(null);
}
public async Task <CredHubCredential <T> > RegenerateAsync <T>(string name)
{
if (string.IsNullOrEmpty(name))
{
throw new ArgumentException("Name of credential to regenerate is required");
}
HttpClientHelper.ConfigureCertificateValidatation(_validateCertificates, out SecurityProtocolType protocolType, out RemoteCertificateValidationCallback prevValidator);
try
{
_logger?.LogTrace($"About to POST {_baseCredHubUrl}/v1/data");
var response = await _httpClient.PostAsJsonAsync($"{_baseCredHubUrl}/v1/regenerate", new Dictionary <string, string> {
{ "name", name }
});
return(await HandleErrorParseResponse <CredHubCredential <T> >(response, $"Regenerate {typeof(T).Name}"));
}
finally
{
HttpClientHelper.RestoreCertificateValidation(_validateCertificates, protocolType, prevValidator);
}
}
/// <summary>
/// Asynchronously calls the Spring Cloud Configuration Server using the provided Uri and returning a
/// a task that can be used to obtain the results
/// </summary>
/// <param name="requestUri">the Uri used in accessing the Spring Cloud Configuration Server</param>
/// <returns>The task object representing the asynchronous operation</returns>
protected internal virtual async Task <ConfigEnvironment> RemoteLoadAsync(string requestUri)
{
// Get client if not already set
if (_client == null)
{
_client = GetHttpClient(_settings);
}
// Get the request message
var request = GetRequestMessage(requestUri);
// If certificate validation is disabled, inject a callback to handle properly
RemoteCertificateValidationCallback prevValidator = null;
SecurityProtocolType prevProtocols = (SecurityProtocolType)0;
HttpClientHelper.ConfigureCertificateValidatation(_settings.ValidateCertificates, out prevProtocols, out prevValidator);
// Invoke config server
try
{
using (HttpResponseMessage response = await _client.SendAsync(request).ConfigureAwait(false))
{
if (response.StatusCode != HttpStatusCode.OK)
{
if (response.StatusCode == HttpStatusCode.NotFound)
{
return(null);
}
// Log status
var message = $"Config Server returned status: {response.StatusCode} invoking path: {requestUri}";
_logger?.LogInformation(message);
// Throw if status >= 400
if (response.StatusCode >= HttpStatusCode.BadRequest)
{
throw new HttpRequestException(message);
}
else
{
return(null);
}
}
Stream stream = await response.Content.ReadAsStreamAsync();
return(Deserialize(stream));
}
}
catch (Exception e)
{
// Log and rethrow
_logger?.LogError("Config Server exception: {0}, path: {1}", e, requestUri);
throw;
}
finally
{
HttpClientHelper.RestoreCertificateValidation(_settings.ValidateCertificates, prevProtocols, prevValidator);
}
}
internal static async Task <ClaimsIdentity> ExchangeCodeForToken(string code, OpenIDConnectOptions options)
{
string redirect_url = "https://" + options.AppHost;
if (options.AppPort != 0)
{
redirect_url = redirect_url + ":" + options.AppPort + options.CallbackPath;
}
else
{
redirect_url = redirect_url + options.CallbackPath;
}
var hostName = options.AuthDomain;
var pairs = new[]
{
new KeyValuePair <string, string>(Constants.ParamsClientID, options.ClientID),
new KeyValuePair <string, string>(Constants.ParamsClientSecret, options.ClientSecret),
new KeyValuePair <string, string>(Constants.ParamsGrantType, Constants.GrantTypeAuthorizationCode),
new KeyValuePair <string, string>(Constants.ParamsRedirectUri, redirect_url),
new KeyValuePair <string, string>(Constants.ParamsCode, code)
};
var content = new FormUrlEncodedContent(pairs);
var targetUrl = hostName + "/" + Constants.EndPointOAuthToken;
Debug.WriteLine("About to submit request for token to : " + targetUrl);
foreach (var item in pairs)
{
Debug.WriteLine(item.Key + ": " + item.Value);
}
HttpClientHelper.ConfigureCertificateValidatation(options.ValidateCertificates, out SecurityProtocolType protocolType, out RemoteCertificateValidationCallback prevValidator);
using (var client = new HttpClient())
{
var byteArray = Encoding.ASCII.GetBytes(options.ClientID + ":" + options.ClientSecret);
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", Convert.ToBase64String(byteArray));
try
{
var response = await client.PostAsync(targetUrl, content);
if (response.IsSuccessStatusCode)
{
var tokens = await response.Content.ReadAsJsonAsync <OpenIDTokenResponse>();
Debug.WriteLine("Identity token from IDP: " + tokens.IdentityToken);
Debug.WriteLine("Access token from IDP: " + tokens.AccessToken);
JwtSecurityToken securityToken = new JwtSecurityToken(tokens.IdentityToken);
var claimsId = new ClaimsIdentity(options.SignInAsAuthenticationType);
string userName = securityToken.Claims.First(c => c.Type == "user_name").Value;
string email = securityToken.Claims.First(c => c.Type == "email").Value;
string userId = securityToken.Claims.First(c => c.Type == "user_id").Value;
foreach (var claim in securityToken.Claims)
{
Debug.WriteLine(claim.Type + " : " + claim.Value);
}
claimsId.AddClaims(new List <Claim>
{
new Claim(ClaimTypes.NameIdentifier, userId),
new Claim(ClaimTypes.Name, userName),
new Claim(ClaimTypes.Email, email),
});
var additionalScopes = tokens.Scope.Split(' ').Where(s => s != "openid");
foreach (var scope in additionalScopes)
{
claimsId.AddClaim(new Claim("scope", scope));
}
claimsId.AddClaim(new Claim(ClaimTypes.Authentication, tokens.AccessToken));
return(claimsId);
}
else
{
Debug.WriteLine("Failed call to exchange code for token : " + response.StatusCode);
Debug.WriteLine(response.ReasonPhrase);
string resultJson = await response.Content.ReadAsStringAsync();
Debug.WriteLine(resultJson);
return(null);
}
}
finally
{
HttpClientHelper.RestoreCertificateValidation(options.ValidateCertificates, protocolType, prevValidator);
}
}
}
