public async Task <IActionResult> Create(ManagedSecretViewModel inputSecret, CancellationToken cancellationToken)
{
if (!_identityService.CurrentUserHasRole(AuthJanitorRoles.SecretAdmin))
{
return(new UnauthorizedResult());
}
var resources = await _resources.Get(cancellationToken);
var resourceIds = inputSecret.ResourceIds.Split(';').Select(r => Guid.Parse(r)).ToList();
if (resourceIds.Any(id => !resources.Any(r => r.ObjectId == id)))
{
await _eventDispatcher.DispatchEvent(AuthJanitorSystemEvents.AnomalousEventOccurred, nameof(ManagedSecretsService.Create), "New Managed Secret attempted to use one or more invalid Resource IDs");
return(new NotFoundObjectResult("One or more Resource IDs not found!"));
}
ManagedSecret newManagedSecret = new ManagedSecret()
{
Name = inputSecret.Name,
Description = inputSecret.Description,
ValidPeriod = TimeSpan.FromMinutes(inputSecret.ValidPeriodMinutes),
LastChanged = DateTimeOffset.UtcNow - TimeSpan.FromMinutes(inputSecret.ValidPeriodMinutes),
TaskConfirmationStrategies = inputSecret.TaskConfirmationStrategies,
ResourceIds = resourceIds,
Nonce = await _cryptographicImplementation.GenerateCryptographicallyRandomString(_configuration.DefaultNonceLength)
};
await _managedSecrets.Create(newManagedSecret, cancellationToken);
await _eventDispatcher.DispatchEvent(AuthJanitorSystemEvents.SecretCreated, nameof(ManagedSecretsService.Create), newManagedSecret);
return(new OkObjectResult(_managedSecretViewModel(newManagedSecret)));
}
public override async Task <RegeneratedSecret> Rekey(TimeSpan requestedValidPeriod)
{
_logger.LogInformation("Generating new password of length {PasswordLength}", Configuration.PasswordLength);
var newPassword = await _cryptographicImplementation.GenerateCryptographicallyRandomString(Configuration.PasswordLength);
var sqlServer = await GetResourceAsync();
_logger.LogInformation("Updating administrator password...");
await sqlServer.Update()
.WithAdministratorPassword(newPassword)
.ApplyAsync();
_logger.LogInformation("Password update complete");
return(new RegeneratedSecret()
{
Expiry = DateTimeOffset.UtcNow + requestedValidPeriod,
UserHint = Configuration.UserHint,
NewSecretValue = newPassword.GetSecureString(),
NewConnectionString = $"Server=tcp:{Configuration.ResourceName}.database.windows.net,1433;Database={Configuration.DatabaseName};User ID={sqlServer.AdministratorLogin}@{Configuration.ResourceName};Password={newPassword};Trusted_Connection=False;Encrypt=True;"
.GetSecureString()
});
}
public async Task <RegeneratedSecret> Rekey(TimeSpan requestedValidPeriod)
{
Logger.LogInformation("Getting current Secret details from Secret name '{SecretName}'", Configuration.SecretName);
var client = GetSecretClient();
Response <KeyVaultSecret> currentSecret = await client.GetSecretAsync(Configuration.SecretName);
// Create a new version of the Secret
KeyVaultSecret newSecret = new KeyVaultSecret(
Configuration.SecretName,
await _cryptographicImplementation.GenerateCryptographicallyRandomString(Configuration.SecretLength));
// Copy in metadata from the old Secret if it existed
if (currentSecret != null && currentSecret.Value != null)
{
newSecret.Properties.ContentType = currentSecret.Value.Properties.ContentType;
foreach (KeyValuePair <string, string> tag in currentSecret.Value.Properties.Tags)
{
newSecret.Properties.Tags.Add(tag.Key, tag.Value);
}
}
newSecret.Properties.NotBefore = DateTimeOffset.UtcNow;
newSecret.Properties.ExpiresOn = DateTimeOffset.UtcNow + requestedValidPeriod;
Logger.LogInformation("Committing new Secret with name '{SecretName}'", newSecret.Name);
Response <KeyVaultSecret> secretResponse = await client.SetSecretAsync(newSecret);
Logger.LogInformation("Successfully committed '{SecretName}'", newSecret.Name);
return(new RegeneratedSecret()
{
Expiry = newSecret.Properties.ExpiresOn.Value,
UserHint = Configuration.UserHint,
NewSecretValue = secretResponse.Value.Value.GetSecureString()
});
}
