// </Main>
private static CosmosClient CreateClientInstance(
IConfigurationRoot configuration,
AzureKeyVaultKeyWrapProvider azureKeyVaultKeyWrapProvider)
{
string endpoint = configuration["EndPointUrl"];
if (string.IsNullOrEmpty(endpoint))
{
throw new ArgumentNullException("Please specify a valid endpoint in the appSettings.json");
}
string authKey = configuration["AuthorizationKey"];
if (string.IsNullOrEmpty(authKey) || string.Equals(authKey, "Super secret key"))
{
throw new ArgumentException("Please specify a valid AuthorizationKey in the appSettings.json");
}
CosmosClientOptions options = new CosmosClientOptions
{
AllowBulkExecution = true,
};
CosmosClient encryptionCosmosClient = new CosmosClient(endpoint, authKey, options);
// enable encryption support on the cosmos client.
return(encryptionCosmosClient.WithEncryption(azureKeyVaultKeyWrapProvider));
}
// <Main>
public static async Task Main(string[] _)
{
try
{
// Read the Cosmos endpointUrl and authorizationKey from configuration.
// These values are available from the Azure Management Portal on the Cosmos Account Blade under "Keys".
// Keep these values in a safe and secure location. Together they provide administrative access to your Cosmos account.
IConfigurationRoot configuration = new ConfigurationBuilder()
.AddJsonFile("appSettings.json")
.Build();
// Get the Source Database name.
SourceDatabase = configuration["SourceDatabase"];
if (string.IsNullOrEmpty(SourceDatabase))
{
throw new ArgumentNullException("Please specify a valid database name. ");
}
// Get the Source Container name.
SourceContainer = configuration["SourceContainer"];
if (string.IsNullOrEmpty(SourceContainer))
{
throw new ArgumentNullException("Please specify a valid container name. ");
}
// Get the Destination Container name.
DestinationContainer = configuration["DestinationContainer"];
if (string.IsNullOrEmpty(DestinationContainer))
{
throw new ArgumentNullException("Please specify a valid container name. ");
}
// Get the Token Credential that is capable of providing an OAuth Token.
TokenCredential tokenCredential = Program.GetTokenCredential(configuration);
AzureKeyVaultKeyWrapProvider azureKeyVaultWrapProvider = new AzureKeyVaultKeyWrapProvider(tokenCredential);
Program.client = Program.CreateClientInstance(configuration, azureKeyVaultWrapProvider);
await Program.CreateAndRunReEncryptionTasks();
}
catch (CosmosException cosmosException)
{
Console.WriteLine(cosmosException.ToString());
}
catch (Exception e)
{
Exception baseException = e.GetBaseException();
Console.WriteLine("Message: {0} Error: {1}", baseException.Message, e);
}
finally
{
Console.WriteLine("ReEncryption activity has been stopped successfully.");
Console.ReadKey();
}
}
// <Main>
public static async Task Main(string[] _)
{
try
{
// Read the Cosmos endpointUrl and authorizationKey from configuration.
// These values are available from the Azure Management Portal on the Cosmos Account Blade under "Keys".
// Keep these values in a safe and secure location. Together they provide administrative access to your Cosmos account.
IConfigurationRoot configuration = new ConfigurationBuilder()
.AddJsonFile("appSettings.json")
.Build();
// Get the Akv Master Key Path.
MasterKeyUrl = configuration["MasterKeyUrl"];
if (string.IsNullOrEmpty(MasterKeyUrl))
{
throw new ArgumentNullException("Please specify a valid Azure Key Path in the appSettings.json");
}
// Get the Token Credential that is capable of providing an OAuth Token.
TokenCredential tokenCredential = GetTokenCredential(configuration);
AzureKeyVaultKeyWrapProvider azureKeyVaultKeyWrapProvider = new AzureKeyVaultKeyWrapProvider(tokenCredential);
Program.client = Program.CreateClientInstance(configuration, azureKeyVaultKeyWrapProvider);
await Program.AdminSetupAsync(client, azureKeyVaultKeyWrapProvider);
await Program.RunDemoAsync();
}
catch (CosmosException cre)
{
Console.WriteLine(cre.ToString());
}
catch (Exception e)
{
Exception baseException = e.GetBaseException();
Console.WriteLine("Message: {0} Error: {1}", baseException.Message, e);
}
finally
{
Console.WriteLine("End of demo, press any key to exit.");
Console.ReadKey();
await Program.CleanupAsync();
}
}
/// <summary>
/// Administrative operations - create the database, container, and generate the necessary client encryption keys.
/// These are initializations and are expected to be invoked only once - do not invoke these before every item request.
/// </summary>
private static async Task AdminSetupAsync(CosmosClient client, AzureKeyVaultKeyWrapProvider azureKeyVaultKeyWrapProvider)
{
Database database = await client.CreateDatabaseIfNotExistsAsync(Program.encryptedDatabaseId);
// Delete the existing container to prevent create item conflicts.
using (await database.GetContainer(Program.encryptedContainerId).DeleteContainerStreamAsync())
{ }
Console.WriteLine("The demo will create a 1000 RU/s container, press any key to continue.");
Console.ReadKey();
// Create the Client Encryption Keys for Encrypting the configured Paths.
await database.CreateClientEncryptionKeyAsync(
"key1",
DataEncryptionKeyAlgorithm.AeadAes256CbcHmacSha256,
new EncryptionKeyWrapMetadata(azureKeyVaultKeyWrapProvider.ProviderName, "akvMasterKey", MasterKeyUrl));
await database.CreateClientEncryptionKeyAsync(
"key2",
DataEncryptionKeyAlgorithm.AeadAes256CbcHmacSha256,
new EncryptionKeyWrapMetadata(azureKeyVaultKeyWrapProvider.ProviderName, "akvMasterKey", MasterKeyUrl));
// Configure the required Paths to be Encrypted with appropriate settings.
ClientEncryptionIncludedPath path1 = new ClientEncryptionIncludedPath()
{
Path = "/SubTotal",
ClientEncryptionKeyId = "key1",
EncryptionType = EncryptionType.Deterministic,
EncryptionAlgorithm = DataEncryptionKeyAlgorithm.AeadAes256CbcHmacSha256
};
// non primitive data type.Leaves get encrypted.
ClientEncryptionIncludedPath path2 = new ClientEncryptionIncludedPath()
{
Path = "/Items",
ClientEncryptionKeyId = "key2",
EncryptionType = EncryptionType.Deterministic,
EncryptionAlgorithm = DataEncryptionKeyAlgorithm.AeadAes256CbcHmacSha256
};
ClientEncryptionIncludedPath path3 = new ClientEncryptionIncludedPath()
{
Path = "/OrderDate",
ClientEncryptionKeyId = "key1",
EncryptionType = EncryptionType.Deterministic,
EncryptionAlgorithm = DataEncryptionKeyAlgorithm.AeadAes256CbcHmacSha256
};
// Create a container with the appropriate partition key definition (we choose the "AccountNumber" property here) and throughput (we choose 1000 here).
// Configure the Client Encryption Key Policy with required paths to be encrypted.
await database.DefineContainer(Program.encryptedContainerId, "/AccountNumber")
.WithClientEncryptionPolicy()
.WithIncludedPath(path1)
.WithIncludedPath(path2)
.WithIncludedPath(path3)
.Attach()
.CreateAsync(throughput: 1000);
// gets a Container with Encryption Support.
containerWithEncryption = await database.GetContainer(Program.encryptedContainerId).InitializeEncryptionAsync();
}
