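/// <summary>
/// The action performed after receiving a message from Service Bus. This method will load the KeyVault key and decrypt messages.
/// </summary>
/// <param name="message">The <see cref="Message"/> to be decrypted.</param>
/// <returns>
/// The decrypted <see cref="Message"/>, or the original message untouched when it carries neither the
/// initialization-vector nor the key-name user property (i.e. it was not encrypted by this plugin).
/// </returns>
/// <exception cref="KeyVaultPluginException">
/// Thrown when the headers are present but malformed (e.g. the IV is not valid Base64), when the secret
/// cannot be loaded, or when decryption fails. The underlying error is the inner exception.
/// </exception>
public override async Task<Message> AfterMessageReceive(Message message)
{
    try
    {
        // One dictionary lookup per header; a message lacking either header is passed through unchanged.
        if (!message.UserProperties.TryGetValue(KeyVaultMessageHeaders.InitializationVectorPropertyName, out var ivValue)
            || !message.UserProperties.TryGetValue(KeyVaultMessageHeaders.KeyNamePropertyName, out var keyNameValue))
        {
            return message;
        }

        // A header that is present but not a string becomes null here and fails in FromBase64String /
        // the secret lookup; that is surfaced through the catch block below rather than passed through.
        var iV = Convert.FromBase64String(ivValue as string);
        var secretName = keyNameValue as string;

        // Remove properties before giving the message back
        message.UserProperties.Remove(KeyVaultMessageHeaders.InitializationVectorPropertyName);
        message.UserProperties.Remove(KeyVaultMessageHeaders.KeyNamePropertyName);

        // NOTE(review): the secret name is taken from the message itself, so whoever produced the message
        // chooses which Key Vault secret this receiver fetches; the receiver's Key Vault permissions are what
        // bound that choice. The key-version header written by BeforeMessageSend is not consulted here —
        // confirm that resolving the name without a version is intended across key rotations.
        var secret = await secretManager.GetHashedSecret(secretName);
        message.Body = await KeyVaultPlugin.Decrypt(message.Body, secret, iV);

        return message;
    }
    catch (Exception ex)
    {
        throw new KeyVaultPluginException(Resources.AfterMessageReceiveException, ex);
    }
}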
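/// <summary>
/// The action performed before sending a message to Service Bus. This method will load the KeyVault key and encrypt messages.
/// </summary>
/// <param name="message">The <see cref="Message"/> to be encrypted.</param>
/// <returns>
/// The encrypted <see cref="Message"/>, or the original message untouched when any of the plugin's
/// user properties (initialization vector, key name, key version) is already present.
/// </returns>
/// <exception cref="KeyVaultPluginException">
/// Thrown when the secret cannot be loaded or encryption fails; the underlying error is the inner exception.
/// </exception>
public override async Task<Message> BeforeMessageSend(Message message)
{
    try
    {
        // Skip encryption if message properties are already set
        if (message.UserProperties.ContainsKey(KeyVaultMessageHeaders.InitializationVectorPropertyName)
            || message.UserProperties.ContainsKey(KeyVaultMessageHeaders.KeyNamePropertyName)
            || message.UserProperties.ContainsKey(KeyVaultMessageHeaders.KeyVersionPropertyName))
        {
            return message;
        }

        // Use a fresh IV for every message rather than the single per-instance IV created in the
        // constructor: a fixed key + fixed IV makes encryption deterministic, so identical plaintexts
        // produce identical ciphertexts and can be correlated on the wire. The IV is carried in the
        // message header, so AfterMessageReceive needs no change.
        var messageIv = KeyVaultPlugin.GenerateInitializationVector();

        var secret = await secretManager.GetHashedSecret(secretName, secretVersion);

        message.UserProperties.Add(KeyVaultMessageHeaders.InitializationVectorPropertyName, Convert.ToBase64String(messageIv));
        message.UserProperties.Add(KeyVaultMessageHeaders.KeyNamePropertyName, secretName);
        message.UserProperties.Add(KeyVaultMessageHeaders.KeyVersionPropertyName, secretVersion);

        message.Body = await KeyVaultPlugin.Encrypt(message.Body, secret, messageIv);

        return message;
    }
    catch (Exception ex)
    {
        throw new KeyVaultPluginException(Resources.BeforeMessageSendException, ex);
    }
}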
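/// <summary>
/// Creates a new instance of <see cref="KeyVaultPlugin"/> with a caller-supplied <see cref="ISecretManager"/>
/// (e.g. for tests or an alternative secret store).
/// </summary>
/// <param name="encryptionSecretName">The name of the secret used to encrypt / decrypt messages.</param>
/// <param name="secretManager">The <see cref="ISecretManager"/> used to load the secret by name.</param>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="encryptionSecretName"/> is null or empty, or when <paramref name="secretManager"/> is null.
/// </exception>
internal KeyVaultPlugin(string encryptionSecretName, ISecretManager secretManager)
{
    // Same argument validation as the public constructor, so a misconfigured plugin fails at
    // construction instead of on the first message sent or received.
    if (string.IsNullOrEmpty(encryptionSecretName))
    {
        throw new ArgumentNullException(nameof(encryptionSecretName));
    }

    if (secretManager is null)
    {
        throw new ArgumentNullException(nameof(secretManager));
    }

    this.secretName = encryptionSecretName;
    this.secretManager = secretManager;

    // Per-instance IV kept both raw (for the cipher) and Base64-encoded (for the message header).
    this.initializationVector = KeyVaultPlugin.GenerateInitializationVector();
    this.base64InitializationVector = Convert.ToBase64String(this.initializationVector);
}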
/// <summary>
/// Creates a new instance of an <see cref="KeyVaultPlugin"/>.
/// </summary>
/// <param name="encryptionSecretName">The name of the secret used to encrypt / decrypt messages.</param>
/// <param name="options">The <see cref="KeyVaultPluginSettings"/> used to create a new instance.</param>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="encryptionSecretName"/> is null or empty, or when <paramref name="options"/> is null.
/// </exception>
public KeyVaultPlugin(string encryptionSecretName, KeyVaultPluginSettings options)
{
    // Validate up front: neither value can be recovered later.
    if (string.IsNullOrEmpty(encryptionSecretName))
    {
        throw new ArgumentNullException(nameof(encryptionSecretName));
    }

    if (options is null)
    {
        throw new ArgumentNullException(nameof(options));
    }

    this.secretName = encryptionSecretName;
    this.keyVaultEndpoint = options.Endpoint;

    // NOTE(review): options.ClientSecret is a credential (presumably a service-principal login — verify in
    // KeyVaultSecretManager); keep it out of logs and exception messages.
    this.secretManager = new KeyVaultSecretManager(options.Endpoint, options.ClientId, options.ClientSecret);

    // One random IV per plugin instance, kept both raw (for the cipher) and Base64-encoded (for the header).
    var iv = KeyVaultPlugin.GenerateInitializationVector();
    this.initializationVector = iv;
    this.base64InitializationVector = Convert.ToBase64String(iv);
}