private async Task RegisterUserCredential(HttpRequest request)
{
if (!request.Headers.ContainsKey("X-MS-TOKEN-AAD-ID-TOKEN"))
{
return;
}
var idToken = request.Headers["X-MS-TOKEN-AAD-ID-TOKEN"].FirstOrDefault();
var client = new HttpClient();
var expando = new System.Dynamic.ExpandoObject();
var dict = new Microsoft.AspNetCore.Routing.RouteValueDictionary(new
{
grant_type = "urn:ietf:params:oauth:grant-type:jwt-bearer",
client_id = Environment.GetEnvironmentVariable("CLIENT_ID", EnvironmentVariableTarget.Process),
client_secret = Environment.GetEnvironmentVariable("CLIENT_SECRET", EnvironmentVariableTarget.Process),
assertion = request.Headers["X-MS-TOKEN-AAD-ID-TOKEN"].FirstOrDefault(),
resource = "https://management.core.windows.net",
requested_token_use = "on_behalf_of"
});
var result = await client.PostAsync("https://login.microsoftonline.com/" +
Environment.GetEnvironmentVariable("TENANT_ID", EnvironmentVariableTarget.Process) +
"/oauth2/token",
new FormUrlEncodedContent(dict.ToDictionary(k => k.Key, v => v.Value as string).ToList()));
var resultObj = JsonConvert.DeserializeObject <TokenExchangeResponse>(
await result.Content.ReadAsStringAsync());
CredentialProvider.Register(
MultiCredentialProvider.CredentialType.UserCredential,
resultObj.AccessToken,
resultObj.ExpiresOnDateTime);
}
protected async Task <RekeyingAttemptLogger> ExecuteRekeyingWorkflow(RekeyingTask task, RekeyingAttemptLogger log = null)
{
if (log == null)
{
log = new RekeyingAttemptLogger();
}
MultiCredentialProvider.CredentialType credentialType;
if (task.ConfirmationType == TaskConfirmationStrategies.AdminCachesSignOff)
{
if (task.PersistedCredentialId == default)
{
log.LogError("Cached sign-off is preferred but no credentials were persisted!");
throw new Exception("Cached sign-off is preferred but no credentials were persisted!");
}
var token = await SecureStorageProvider.Retrieve <Azure.Core.AccessToken>(task.PersistedCredentialId);
CredentialProvider.Register(
MultiCredentialProvider.CredentialType.CachedCredential,
token.Token,
token.ExpiresOn);
credentialType = MultiCredentialProvider.CredentialType.CachedCredential;
}
else if (task.ConfirmationType == TaskConfirmationStrategies.AdminSignsOffJustInTime)
{
credentialType = MultiCredentialProvider.CredentialType.UserCredential;
}
else
{
credentialType = MultiCredentialProvider.CredentialType.AgentServicePrincipal;
}
log.LogInformation("Using credential type {0} to access resources", credentialType);
var secret = await ManagedSecrets.GetAsync(task.ManagedSecretId);
log.LogInformation("Beginning rekeying for ManagedSecret '{0}' (ID {1})", secret.Name, secret.ObjectId);
var resources = await Resources.GetAsync(r => secret.ResourceIds.Contains(r.ObjectId));
var workflow = new ProviderActionWorkflow(log,
resources.Select(r => GetProvider(log, r.ProviderType, r.ProviderConfiguration, credentialType)));
try
{
await workflow.InvokeAsync(secret.ValidPeriod);
secret.LastChanged = DateTimeOffset.UtcNow;
await ManagedSecrets.UpdateAsync(secret);
log.LogInformation("Completed rekeying workflow for ManagedSecret '{0}' (ID {1})", secret.Name, secret.ObjectId);
if (credentialType == MultiCredentialProvider.CredentialType.CachedCredential)
{
log.LogInformation("Destroying persisted credential");
await SecureStorageProvider.Destroy(task.PersistedCredentialId);
}
log.LogInformation("Rekeying task completed");
}
catch (Exception ex)
{
log.LogCritical(ex, "Error running rekeying task!");
log.LogCritical(ex.Message);
log.LogCritical(ex.StackTrace);
log.OuterException = JsonConvert.SerializeObject(ex, Formatting.Indented);
}
return(log);
}
