public VaultClientFactory(FileArgsBase args)
{
if (args == null)
{
throw new ArgumentNullException(nameof(args));
}
if (String.IsNullOrEmpty(args.VaultRoleId))
{
throw new ArgumentException("Vault Rold Id missing", nameof(args.VaultRoleId));
}
if (String.IsNullOrEmpty(args.VaultSecretId))
{
throw new ArgumentException("Vault Secret Id missing", nameof(args.VaultSecretId));
}
if (String.IsNullOrEmpty(args.VaultUri))
{
throw new ArgumentException("Vault VaultUri missing", nameof(args.VaultUri));
}
IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(args.VaultRoleId, secretId: args.VaultSecretId);
_vaultClientSettings = new VaultClientSettings(args.VaultUri, authMethod)
{
VaultServiceTimeout = TimeSpan.FromMinutes(5)
};
}
static async Task Main(string[] args)
{
// limited permissions. hidden in env variables, typically injected
var roleId = Environment.GetEnvironmentVariable("ROLEID");
var secretId = Environment.GetEnvironmentVariable("VAULTSECRET");
IVaultClient vaultClient = null;
try{
// Get the approle token
IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(roleId, secretId);
var vaultClientSettings = new VaultClientSettings("http://127.0.0.1:8200", authMethod);
vaultClient = new VaultClient(vaultClientSettings);
}
catch (Exception e) {
// Failed to get Vault token
Console.WriteLine(String.Format("An error occurred authenticating: {0}", e.Message));
throw;
}
try{
//Get the secret and print it
Secret <Dictionary <string, object> > kv1Secret = await vaultClient.V1.Secrets.KeyValue.V1.ReadSecretAsync("data/testdata/universe", "secret");
Dictionary <string, object> dataDictionary = kv1Secret.Data;
JsonDocument jsonObj = JsonDocument.Parse(dataDictionary["data"].ToString());
Console.WriteLine(String.Format("The answer is {0}.", jsonObj.RootElement.GetProperty("theanswer")));
}
catch (Exception e) {
//Failed to get the secret or format it.
Console.WriteLine(String.Format("An error pulling or parsing the secret: {0}", e.Message));
throw;
}
}
/// <inheritdoc/>
public override void Load()
{
try
{
IAuthMethodInfo authMethod;
if (!string.IsNullOrEmpty(this._source.Options.VaultRoleId) &&
!string.IsNullOrEmpty(this._source.Options.VaultSecret))
{
authMethod = new AppRoleAuthMethodInfo(
this._source.Options.VaultRoleId,
this._source.Options.VaultSecret);
}
else
{
authMethod = new TokenAuthMethodInfo(this._source.Options.VaultToken);
}
var vaultClientSettings = new VaultClientSettings(this._source.Options.VaultAddress, authMethod)
{
UseVaultTokenHeaderInsteadOfAuthorizationHeader = true,
};
IVaultClient vaultClient = new VaultClient(vaultClientSettings);
using var ctx = new JoinableTaskContext();
var jtf = new JoinableTaskFactory(ctx);
jtf.RunAsync(
async() => { await this.LoadVaultDataAsync(vaultClient).ConfigureAwait(true); }).Join();
}
catch (Exception e) when(e is VaultApiException || e is System.Net.Http.HttpRequestException)
{
this._logger?.Log(LogLevel.Error, e, "Cannot load configuration from Vault");
}
}
public AppRoleVaultSharpService(IOptions <VaultSettings> options)
{
var configuration = options.Value;
var authMethod = new AppRoleAuthMethodInfo(configuration.AppRoleId, configuration.AppRoleSecret);
var settings = new VaultClientSettings(configuration.VaultEndpointUri, authMethod);
VaultClient = new VaultClient(settings);
}
public void GoodArgsDoesNotThrow(IFixture fixture)
{
var args = fixture.Build <FileArgsBase>()
.With(f => f.VaultUri, "http://localhost/")
.Create();
var sut = new VaultClientFactory(args);
IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(args.VaultRoleId, secretId: args.VaultSecretId);
var expectedSettings = new VaultClientSettings(args.VaultUri, authMethod)
{
VaultServiceTimeout = TimeSpan.FromMinutes(5)
};
var client = sut.GetClient();
client.Settings.Should().BeEquivalentTo(expectedSettings);
}
public static IConfigurationBuilder AddVault(this IConfigurationBuilder builder)
{
IConfigurationRoot buildConfig = builder.Build();
//IAuthMethodInfo authenticationInfo = new TokenAuthMethodInfo(VaultAccessToken);
IAuthMethodInfo authenticationInfo = new AppRoleAuthMethodInfo(VaultRoleId, VaultSecretId);
VaultClientSettings vaultClientSettings = new VaultClientSettings(VaultServerUri, authenticationInfo);
IVaultClient client = new VaultClient(vaultClientSettings);
SecretData appSecrets = client.V1.Secrets.KeyValue.V2.ReadSecretAsync("applications/vault-test").GetAwaiter().GetResult().Data;
IEnumerable <KeyValuePair <string, string> > secretsForConfiguration = appSecrets.Data.Select(x => new KeyValuePair <string, string>($"vault-startup:{x.Key}", x.Value.ToString()));
return(builder.AddInMemoryCollection(secretsForConfiguration));
}
public void AddVaultWithAuthMethodInfo_AddsSource()
{
// Arrange
var authMethodInfo = new AppRoleAuthMethodInfo(_vaultConfigurationRoleId, _vaultConfigurationSecretId);
var configuration = new ConfigurationBuilder();
// Act
configuration.AddVaultWithAuthMethodInfo(
_vaultConfigurationUrl,
authMethodInfo,
_vaultConfigurationMountPoint,
_vaultConfigurationSecretPath
);
// Assert
Assert.IsNotNull(configuration);
Assert.IsNotNull(configuration.Sources);
Assert.AreEqual(1, configuration.Sources.Count);
}
private IVaultClient CreateVaultClient()
{
IAuthMethodInfo authMethod;
switch (_context.AuthenticationType)
{
case AuthenticationType.AppRole:
authMethod = new AppRoleAuthMethodInfo(_context.RoleId, _context.SecretId);
break;
case AuthenticationType.UsernamePassword:
authMethod = new UserPassAuthMethodInfo(_context.Username, _context.Password);
break;
case AuthenticationType.Ldap:
authMethod = new LDAPAuthMethodInfo(_context.Username, _context.Password);
break;
case AuthenticationType.Token:
authMethod = new TokenAuthMethodInfo(_context.Token);
break;
default:
throw new NotSupportedException($"Authentication type '{_context.AuthenticationType}' is not supported.");
}
var vaultClientSettings = new VaultClientSettings(_context.VaultUri.ToString(), authMethod)
{
VaultServiceTimeout = TimeSpan.FromSeconds(30)
};
if (!string.IsNullOrWhiteSpace(_context.Namespace))
{
vaultClientSettings.Namespace = _context.Namespace;
}
return(new VaultClient(vaultClientSettings));
}
