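/// <summary>
/// Returns all the properties of a given secretID for a given role. Returns null if the secretID could not be found.
/// </summary>
/// <param name="roleName">The name of the role that the secretID belongs to. It is spliced into the request path, so it must be non-blank.</param>
/// <param name="secretID">The specific secretID to retrieve information on. Sent in the POST body, not the URL.</param>
/// <returns>The properties of the secretID, or null when Vault did not answer the lookup with HTTP 200.</returns>
/// <exception cref="ArgumentException">Thrown when <paramref name="roleName"/> or <paramref name="secretID"/> is null or whitespace.</exception>
/// <exception cref="VaultInvalidPathException">Re-thrown from the HTTP layer with <see cref="EnumVaultExceptionCodes.ObjectDoesNotExist"/> set as the specific error code.</exception>
public async Task<AppRoleSecret> ReadSecretID(string roleName, string secretID)
{
    // Guard early: a blank role would yield a malformed lookup path ("role//secret-id/lookup"),
    // and a blank secret ID would send an empty lookup that can never match.
    if (string.IsNullOrWhiteSpace(roleName))
    {
        throw new ArgumentException("A role name is required.", nameof(roleName));
    }
    if (string.IsNullOrWhiteSpace(secretID))
    {
        throw new ArgumentException("A secret ID is required.", nameof(secretID));
    }

    string path = MountPointPath + "role/" + roleName + "/secret-id/lookup";

    // The secret ID is a credential: keep it in the request body rather than the URL path.
    Dictionary<string, object> contentParams = new Dictionary<string, object>()
    {
        { "secret_id", secretID }
    };

    try
    {
        VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "ReadSecretID", contentParams);

        // Note: We cannot test for HTTP Success as Vault returns a 204 if secretID is not found - might be a bug - filed a post on Forum.
        // TODO - Follow up to see if this is a bug or feature.
        if (vdro.HttpStatusCode != 200)
        {
            return null;
        }

        AppRoleSecret secret = await vdro.GetDotNetObject<AppRoleSecret>();

        // Vault does NOT return the ID of the secret in the lookup data, so the caller-supplied value is copied back in.
        // TODO - Do we want to blank it out or continue filling it in....?
        secret.ID = secretID;
        return secret;
    }
    catch (VaultInvalidPathException e)
    {
        e.SpecificErrorCode = EnumVaultExceptionCodes.ObjectDoesNotExist;
        // 'throw;' rather than 'throw e;' so the stack trace from the HTTP layer is preserved.
        throw;
    }
}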
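/// <summary>
/// Generates a secret ID for a given Application Role.
/// TODO - At this time this method does not support the cidr_list or token_bound_cidrs properties that restrict the IP addresses that can use a given token.
/// Until they are supported, a generated secret ID is usable from any source address the role itself allows.
/// </summary>
/// <param name="appRoleName">The name of the Application Role that you wish to generate a Secret ID For. It is spliced into the request path, so it must be non-blank.</param>
/// <param name="returnFullSecret">Vault only returns an abbreviated secret object. If you wish to have a fully populated one then set to true. Default False.
/// Note, that this in no way affects the secret itself. By setting to true, we make an additional call to Vault to re-read the full secret object. If you do not
/// need the full secret information then leaving at false is faster. The re-read goes through <see cref="ReadSecretID"/> and therefore returns null if that lookup does not answer with HTTP 200.</param>
/// <param name="vaultMetadata">A Vault MetaData object that should be attached to the given secret. It is serialized to a JSON string before being sent as the "metadata" parameter.</param>
/// <returns>AppRoleSecret object, or null when the POST did not succeed. Whether this is fully populated or contains just the ID and accessor depends upon the returnFullSecret parameter.
/// The returned object carries the newly minted secret ID in clear text; treat it as a credential and do not log it.</returns>
/// <exception cref="ArgumentException">Thrown when <paramref name="appRoleName"/> is null or whitespace.</exception>
/// <exception cref="VaultInvalidPathException">Re-thrown from the HTTP layer; the specific error code is set to <see cref="EnumVaultExceptionCodes.ObjectDoesNotExist"/> when the message indicates the role does not exist.</exception>
public async Task<AppRoleSecret> GenerateSecretID(string appRoleName, bool returnFullSecret = false, Dictionary<string, string> vaultMetadata = null)
{
    // A blank role name would produce the malformed path "role//secret-id"; reject it up front.
    if (string.IsNullOrWhiteSpace(appRoleName))
    {
        throw new ArgumentException("An application role name is required.", nameof(appRoleName));
    }

    string path = MountPointPath + "role/" + appRoleName + "/secret-id";

    Dictionary<string, object> contentParams = new Dictionary<string, object>();
    if (vaultMetadata != null)
    {
        // The metadata is sent as a single JSON-encoded string value, not as a nested object.
        string metadataString = JsonConvert.SerializeObject(vaultMetadata);
        contentParams.Add("metadata", metadataString);
    }

    try
    {
        VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "GenerateSecretID", contentParams);
        if (!vdro.Success)
        {
            return null;
        }

        AppRoleSecret appRoleSecret = await vdro.GetDotNetObject<AppRoleSecret>("data");
        if (!returnFullSecret)
        {
            return appRoleSecret;
        }

        // Second round trip: the generate response only carries the ID and accessor, so re-read for the full object.
        return await ReadSecretID(appRoleName, appRoleSecret.ID);
    }
    catch (VaultInvalidPathException e)
    {
        // NOTE(review): this classification depends on the wording of Vault's error text and
        // may need updating if that message changes.
        if (e.Message.Contains("role") && e.Message.Contains("does not exist"))
        {
            e.SpecificErrorCode = EnumVaultExceptionCodes.ObjectDoesNotExist;
        }
        // 'throw;' rather than 'throw e;' so the stack trace from the HTTP layer is preserved.
        throw;
    }
}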