/// <summary>
/// Add Keyvault protection
/// </summary>
/// <param name="builder"></param>
/// <param name="configuration"></param>
public static IDataProtectionBuilder AddAzureKeyVaultDataProtection(
this IDataProtectionBuilder builder, IConfiguration configuration = null)
{
if (configuration == null)
{
configuration = builder.Services.BuildServiceProvider()
.GetRequiredService <IConfiguration>();
}
var config = new DataProtectionConfig(configuration);
if (string.IsNullOrEmpty(config.KeyVaultBaseUrl))
{
return(builder);
}
var keyName = config.KeyVaultKeyDataProtection;
var client = TryKeyVaultClientAsync(config.KeyVaultBaseUrl,
config, keyName).Result;
if (client == null)
{
throw new UnauthorizedAccessException("Cannot access keyvault");
}
var identifier = $"{config.KeyVaultBaseUrl.TrimEnd('/')}/keys/{keyName}";
return(builder.ProtectKeysWithAzureKeyVault(client, identifier));
}
public static IDataProtectionBuilder ProtectKeysWithAzureKeyVault(this IDataProtectionBuilder builder)
{
// not the preferred action here
var provider = builder.Services.BuildServiceProvider();
var options = provider.GetRequiredService <IOptions <DataProtectionAzureStorageOptions> >();
#pragma warning disable CA2000 // Dispose objects before losing scope
var kvClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(options.Value.TokenProvider.KeyVaultTokenCallback));
#pragma warning restore CA2000 // Dispose objects before losing scope
builder.ProtectKeysWithAzureKeyVault(kvClient, options.Value.KeyVaultKeyId);
return(builder);
}
/// <summary>
/// Add Keyvault protection
/// </summary>
/// <param name="builder"></param>
/// <param name="configuration"></param>
public static IDataProtectionBuilder AddAzureKeyVaultDataProtection(
this IDataProtectionBuilder builder, IConfiguration configuration)
{
var config = new DataProtectionConfig(configuration);
if (string.IsNullOrEmpty(config.KeyVaultBaseUrl))
{
throw new InvalidConfigurationException(
"Keyvault base url is missing in your configuration " +
"for dataprotection to be able to store the root key.");
}
var keyName = config.KeyVaultKeyDataProtection;
var keyVault = new KeyVaultClientBootstrap(configuration);
if (!TryInititalizeKeyAsync(keyVault.Client, config.KeyVaultBaseUrl, keyName).Result)
{
throw new UnauthorizedAccessException("Cannot access keyvault");
}
var identifier = $"{config.KeyVaultBaseUrl.TrimEnd('/')}/keys/{keyName}";
return(builder.ProtectKeysWithAzureKeyVault(keyVault.Client, identifier));
}
public static IDataProtectionBuilder ConfigureDataProtection(this IDataProtectionBuilder builder, IConfiguration configuration)
{
var dataProtectionsOptions = configuration.Get <Aguacongas.TheIdServer.Models.DataProtectionOptions>();
if (dataProtectionsOptions == null)
{
return(builder);
}
builder.AddKeyManagementOptions(options => configuration.GetSection(nameof(KeyManagementOptions))?.Bind(options));
ConfigureEncryptionAlgorithm(builder, configuration);
switch (dataProtectionsOptions.StorageKind)
{
case StorageKind.AzureStorage:
builder.PersistKeysToAzureBlobStorage(new Uri(dataProtectionsOptions.StorageConnectionString));
break;
case StorageKind.EntityFramework:
builder.PersistKeysToDbContext <OperationalDbContext>();
break;
case StorageKind.FileSytem:
builder.PersistKeysToFileSystem(new DirectoryInfo(dataProtectionsOptions.StorageConnectionString));
break;
case StorageKind.Redis:
var redis = ConnectionMultiplexer.Connect(dataProtectionsOptions.StorageConnectionString);
if (string.IsNullOrEmpty(dataProtectionsOptions.RedisKey))
{
builder.PersistKeysToStackExchangeRedis(redis);
break;
}
builder.PersistKeysToStackExchangeRedis(redis, dataProtectionsOptions.RedisKey);
break;
case StorageKind.Registry:
#pragma warning disable CA1416 // Validate platform compatibility
builder.PersistKeysToRegistry(Registry.CurrentUser.OpenSubKey(dataProtectionsOptions.StorageConnectionString));
#pragma warning restore CA1416 // Validate platform compatibility
break;
}
var protectOptions = dataProtectionsOptions.KeyProtectionOptions;
if (protectOptions != null)
{
switch (protectOptions.KeyProtectionKind)
{
case KeyProtectionKind.AzureKeyVault:
builder.ProtectKeysWithAzureKeyVault(protectOptions.AzureKeyVaultKeyId, protectOptions.AzureKeyVaultClientId, protectOptions.AzureKeyVaultClientSecret);
break;
case KeyProtectionKind.WindowsDpApi:
builder.ProtectKeysWithDpapi(protectOptions.WindowsDPAPILocalMachine);
break;
case KeyProtectionKind.WindowsDpApiNg:
ConfigureWindowsDpApiNg(builder, protectOptions);
break;
case KeyProtectionKind.X509:
if (!string.IsNullOrEmpty(protectOptions.X509CertificatePath))
{
var certificate = SigningKeysLoader.LoadFromFile(protectOptions.X509CertificatePath, protectOptions.X509CertificatePassword, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.UserKeySet);
builder.ProtectKeysWithCertificate(certificate);
break;
}
builder.ProtectKeysWithCertificate(protectOptions.X509CertificateThumbprint);
break;
}
}
return(builder);
}
