/// <summary>
/// The action performed after receiving a message from Service Bus. This method will load the KeyVault key and decrypt messages.
/// </summary>
/// <param name="message">The <see cref="Message"/> to be decrypted.</param>
/// <returns>The decrypted <see cref="Message"/>.</returns>
public override async Task <Message> AfterMessageReceive(Message message)
{
try
{
if (!message.UserProperties.ContainsKey(KeyVaultMessageHeaders.InitializationVectorPropertyName) ||
!message.UserProperties.ContainsKey(KeyVaultMessageHeaders.KeyNamePropertyName))
{
return(message);
}
var iVString = message.UserProperties[KeyVaultMessageHeaders.InitializationVectorPropertyName] as string;
var iV = Convert.FromBase64String(iVString);
var secretName = message.UserProperties[KeyVaultMessageHeaders.KeyNamePropertyName] as string;
// Remove properties before giving the message back
message.UserProperties.Remove(KeyVaultMessageHeaders.InitializationVectorPropertyName);
message.UserProperties.Remove(KeyVaultMessageHeaders.KeyNamePropertyName);
var secret = await secretManager.GetHashedSecret(secretName);
var decryptedMessage = await KeyVaultPlugin.Decrypt(message.Body, secret, iV);
message.Body = decryptedMessage;
return(message);
}
catch (Exception ex)
{
throw new KeyVaultPluginException(Resources.AfterMessageReceiveException, ex);
}
}
/// <summary>
/// The action performed before sending a message to Service Bus. This method will load the KeyVault key and encrypt messages.
/// </summary>
/// <param name="message">The <see cref="Message"/> to be encrypted.</param>
/// <returns>The encrypted <see cref="Message"/>.</returns>
public override async Task <Message> BeforeMessageSend(Message message)
{
try
{
// Skip encryption if message properties are already set
if (message.UserProperties.ContainsKey(KeyVaultMessageHeaders.InitializationVectorPropertyName) ||
message.UserProperties.ContainsKey(KeyVaultMessageHeaders.KeyNamePropertyName) ||
message.UserProperties.ContainsKey(KeyVaultMessageHeaders.KeyVersionPropertyName))
{
return(message);
}
var secret = await secretManager.GetHashedSecret(secretName, secretVersion);
message.UserProperties.Add(KeyVaultMessageHeaders.InitializationVectorPropertyName, base64InitializationVector);
message.UserProperties.Add(KeyVaultMessageHeaders.KeyNamePropertyName, secretName);
message.UserProperties.Add(KeyVaultMessageHeaders.KeyVersionPropertyName, secretVersion);
message.Body = await KeyVaultPlugin.Encrypt(message.Body, secret, this.initializationVector);
return(message);
}
catch (Exception ex)
{
throw new KeyVaultPluginException(Resources.BeforeMessageSendException, ex);
}
}
internal KeyVaultPlugin(string encryptionSecretName, ISecretManager secretManager)
{
this.secretName = encryptionSecretName;
this.secretManager = secretManager;
this.initializationVector = KeyVaultPlugin.GenerateInitializationVector();
this.base64InitializationVector = Convert.ToBase64String(this.initializationVector);
}
/// <summary>
/// Creates a new instance of an <see cref="KeyVaultPlugin"/>.
/// </summary>
/// <param name="encryptionSecretName">The name of the secret used to encrypt / decrypt messages.</param>
/// <param name="options">The <see cref="KeyVaultPluginSettings"/> used to create a new instance.</param>
public KeyVaultPlugin(string encryptionSecretName, KeyVaultPluginSettings options)
{
if (string.IsNullOrEmpty(encryptionSecretName))
{
throw new ArgumentNullException(nameof(encryptionSecretName));
}
if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
this.secretName = encryptionSecretName;
this.keyVaultEndpoint = options.Endpoint;
this.secretManager = new KeyVaultSecretManager(options.Endpoint, options.ClientId, options.ClientSecret);
this.initializationVector = KeyVaultPlugin.GenerateInitializationVector();
this.base64InitializationVector = Convert.ToBase64String(this.initializationVector);
}
