private static async Task ProcessAppWithPasswordCredentailsAsync(
CredentialRotatePayload payload,
StringBuilder executionLogs,
Dictionary <string, string> context,
AzDoService azdo,
Payloads.AzureDevOps.VstsServiceEndpoint endpoint,
GraphServiceClient graph,
Application application)
{
if (application.PasswordCredentials.Any())
{
executionLogs.AppendLine($"Password Credentails found ({application.PasswordCredentials.Count()}).");
context.Add("Total Credentails", application.PasswordCredentials.Count().ToString());
var now = DateTimeOffset.UtcNow;
var oldPassCred = application.PasswordCredentials.First();
if (oldPassCred.EndDateTime.HasValue)
{
var rotationRequired = (now.AddDays(payload.DaysBeforeExpire) > oldPassCred.EndDateTime);
executionLogs.AppendLine($"{now.AddDays(payload.DaysBeforeExpire)} > {oldPassCred.EndDateTime} = {rotationRequired}");
if (rotationRequired)
{
await RotatePasswordCoreAsync(payload, executionLogs, context, azdo, endpoint, graph, application, now, oldPassCred);
}
}
}
}
private static async Task RotatePasswordCoreAsync(
CredentialRotatePayload payload,
StringBuilder executionLogs,
Dictionary <string, string> context,
AzDoService azdo,
Payloads.AzureDevOps.VstsServiceEndpoint endpoint,
GraphServiceClient graph,
Application application,
DateTimeOffset now,
PasswordCredential oldPassCred)
{
var newPassCred = await graph.Applications[application.Id]
.AddPassword(new PasswordCredential
{
DisplayName = $"AutoGen: {now}",
Hint = $"AutoGen: {now}",
StartDateTime = now,
EndDateTime = now.AddDays(payload.LifeTimeInDays)
})
.Request().PostAsync();
endpoint.Authorization.Parameters.Serviceprincipalkey = newPassCred.SecretText;
await azdo.UpdateServiceEndpointsAsync(payload.ProjectId, endpoint.Id, endpoint);
context.Add("Secret Id", newPassCred.KeyId.ToString());
context.Add("Secret Start Time", newPassCred.StartDateTime.ToString());
context.Add("Secret End Time", newPassCred.EndDateTime.ToString());
await graph
.Applications[application.Id]
.RemovePassword(oldPassCred.KeyId.Value)
.Request().PostAsync();
executionLogs.AppendLine($"App ({application.DisplayName}) password credentail ({oldPassCred.KeyId.Value}) deleted successfully");
context.Add("Deleted Secret Id", oldPassCred.KeyId.ToString());
}
private static async Task RotateCertificateCoreAsync(
CredentialRotatePayload payload,
StringBuilder executionLogs,
Dictionary <string, string> context,
AzDoService azdo,
Payloads.AzureDevOps.VstsServiceEndpoint endpoint,
GraphServiceClient graph,
Application application,
DateTimeOffset now)
{
var selfSignedCertificate =
CertificateUtils.CreateSelfSignedCertificateAsync(validForDays: payload.LifeTimeInDays);
var certificateCredentail = new KeyCredential
{
StartDateTime = now,
EndDateTime = now.AddDays(payload.LifeTimeInDays),
Type = "AsymmetricX509Cert",
Usage = "Verify",
Key = CertificateUtils.GetPfxAsBytes(selfSignedCertificate)
};
var app = new Application
{
KeyCredentials = new List <KeyCredential> {
certificateCredentail
}
};
await graph.Applications[application.Id].Request().UpdateAsync(app);
endpoint.Authorization.Parameters
.ServicePrincipalCertificate = CertificateUtils.GeneratePEMWithPrivateKeyAsString(selfSignedCertificate);
await azdo.UpdateServiceEndpointsAsync(payload.ProjectId, endpoint.Id, endpoint);
context.Add("Certificate Key Id", certificateCredentail.KeyId.ToString());
context.Add("Certificate Start Time", certificateCredentail.StartDateTime.ToString());
context.Add("Certificate End Time", certificateCredentail.EndDateTime.ToString());
context.Add("Certificate Thumbprint", selfSignedCertificate.Thumbprint);
}
