public async Task <IPage <SecretItem> > GetSecretVersions(string secretName) { var client = new KeyVaultClient(AuthCallback); var r = await client.GetSecretVersionsAsync(VaultBaseUrl, secretName); return(r); }
private async Task <ExpirationMetadata <KeyVaultCertificate[]> > Factory(ExpirationMetadata <KeyVaultCertificate[]> arg) { using (var scope = serviceScopeFactory.CreateScope()) { var old = (arg.Result ?? Array.Empty <KeyVaultCertificate>()).ToLookup(k => k.Identifier); var options = scope.ServiceProvider.GetService <IOptions <SigingKeyStoreOptions> >(); var configuration = scope.ServiceProvider.GetRequiredService <IConfiguration>(); var tokenProvider = scope.ServiceProvider.GetRequiredService <ManagedIdentityTokenProvider>(); var client = new KeyVaultClient((string authority, string resource, string _) => tokenProvider.GetTokenForResourceAsync(authority, resource), scope.ServiceProvider.GetRequiredService <System.Net.Http.IHttpClientFactory>().CreateClient()); var certsVersions = await client.GetSecretVersionsAsync(options.Value.KeyVaultUri, options.Value.SecretName); var certsIds = certsVersions.Where(k => !old.Contains(k.Identifier.Identifier) && (k.Attributes?.Enabled ?? false)).ToArray(); var secrets = await Task.WhenAll(certsIds.Select(k => client.GetSecretAsync(k.Identifier.Identifier))); return(new ExpirationMetadata <KeyVaultCertificate[]> { ValidUntil = DateTimeOffset.UtcNow.AddHours(1), Result = secrets.Select((e, i) => new KeyVaultCertificate { Cert = new X509Certificate2(Convert.FromBase64String(e.Value), string.Empty, X509KeyStorageFlags.MachineKeySet), Identifier = certsIds[i].Identifier.Identifier }).Concat(arg.Result ?? Array.Empty <KeyVaultCertificate>()).ToArray() }); } }
private async Task <List <string> > GetSecretsVersionAsync(string secretName, string uri) { List <string> ids = new List <string>(); IPage <SecretItem> items = await vault.GetSecretVersionsAsync(uri, secretName); foreach (var item in items) { ids.Add(item.Id); } return(ids); }
public async Task <string> GetSecret(string name) { var secretBundle = await _client.GetSecretVersionsAsync(_vaultUrl, name); var latestVersion = secretBundle.Where(b => b.Attributes.Created.HasValue) .OrderByDescending(b => b.Attributes.Created).FirstOrDefault()?.Id; if (latestVersion == null) { return(null); } var secret = await _client.GetSecretAsync(latestVersion); return(secret.Value); }
public async Task <bool> SetEbayTokenByCompanyId(long companyId, EbayOAuthToken token) { try { var secretIdentifier = string.Empty; switch (token.Type) { case EbayOAuthTokenType.USERTOKEN: secretIdentifier = $"ebay-user-token-company{companyId}"; break; case EbayOAuthTokenType.REFRESHTOKEN: secretIdentifier = $"ebay-refresh-token-company{companyId}"; break; default: throw new InvalidTokenTypeException("The token has an invalid type."); } var secretAttributes = new SecretAttributes { Expires = token.Expiration.Value.ToUniversalTime() }; //check to see if identifier exists var versionList = await keyVaultClient.GetSecretVersionsAsync(appSettings.Value.KeyVaultUrl, secretIdentifier); if (!versionList.Any()) { await keyVaultClient.SetSecretAsync(appSettings.Value.KeyVaultUrl, secretIdentifier, token.Token, null, null, secretAttributes); } else //exists, update it { await keyVaultClient.SetSecretAsync(keyVaultUrl, secretIdentifier, token.Token, null, null, secretAttributes); } return(true); } catch (Exception ex) { telemetryClient.TrackException(ex); return(false); } }
private async Task <int> OnExecuteAsync(CommandLineApplication app) { // var secretName = "AscendXYZGatewayPrincipal"; // var certificateName = "AscendXYZGatewayPrincipalCertificate"; // var vaultName = "ascendxyz"; var vaultUri = $"https://{VaultName}.vault.azure.net"; var keyvaultClient = new KeyVaultClient(GetToken); var secret = await keyvaultClient.GetSecretAsync($"{vaultUri}/secrets/{SecretName}"); var certs = await keyvaultClient.GetSecretVersionsAsync(vaultUri, CertificateName); X509Certificate2 cert = null; if (!certs.Any()) { var x509Certificate = cert = buildSelfSignedServerCertificate(CertificateName, ""); await keyvaultClient.SetSecretAsync(vaultUri, CertificateName, Convert.ToBase64String(x509Certificate.Export(X509ContentType.Pkcs12)), null, "application/x-pkcs12"); } else { var certSecret = await keyvaultClient.GetSecretAsync(certs.First().Id); cert = new X509Certificate2(Convert.FromBase64String(certSecret.Value)); } byte[] encoded = Encoding.Unicode.GetBytes(secret.Value); var content = new ContentInfo(encoded); var env = new EnvelopedCms(content); env.Encrypt(new CmsRecipient(cert)); string encrypted64 = Convert.ToBase64String(env.Encode()); Console.WriteLine(encrypted64); if (Install) { Console.WriteLine($"installing {cert.Thumbprint} to CurrentUser.My"); using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser)) { store.Open(OpenFlags.ReadWrite); store.Add(cert); store.Close(); } try { using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine)) { store.Open(OpenFlags.ReadWrite); store.Add(cert); store.Close(); } } catch (Exception ex) { Console.WriteLine("Failed to add to localmachine"); } } return(0); }
private static void HandleDeploy(Options options, AuthenticationContext authContext, AuthenticationResult token, ResourceManagementClient resourceManagementClient) { if (!string.IsNullOrWhiteSpace(options.Deploy)) { ResourceGroupExtended rg = GetResourceGroup(options, resourceManagementClient); //Fix location to displayname from template using (var subscriptionClient = new SubscriptionClient(new TokenCloudCredentials(token.AccessToken))) { var a = subscriptionClient.Subscriptions.ListLocations(options.SubscriptionId); rg.Location = a.Locations.Single(l => l.Name == rg.Location).DisplayName; } var graphtoken = authContext.AcquireToken("https://graph.windows.net/", options.ClientID, new Uri(options.RedirectUri), PromptBehavior.Auto); var graph = new ActiveDirectoryClient(new Uri("https://graph.windows.net/" + graphtoken.TenantId), () => Task.FromResult(graphtoken.AccessToken)); var principal = graph.ServicePrincipals.Where(p => p.AppId == options.ApplicaitonId).ExecuteSingleAsync().GetAwaiter().GetResult(); DeploymentExtended deploymentInfo = null; if (!resourceManagementClient.Deployments.CheckExistence(options.ResourceGroup, options.DeployName).Exists) { var deployment = new Deployment { Properties = new DeploymentProperties { Mode = DeploymentMode.Incremental, //Dont Delete other resources Template = File.ReadAllText(options.Deploy), Parameters = new JObject( new JProperty("siteName", CreateValue(options.SiteName)), new JProperty("hostingPlanName", CreateValue(options.HostingPlanName)), new JProperty("storageAccountType", CreateValue(options.StorageAccountType)), new JProperty("siteLocation", CreateValue(rg.Location)), new JProperty("sku", CreateValue(options.WebsitePlan)), new JProperty("tenantId", CreateValue(token.TenantId)), new JProperty("objectId", CreateValue(token.UserInfo.UniqueId)), new JProperty("appOwnerTenantId", CreateValue(principal.AppOwnerTenantId.Value.ToString())), new JProperty("appOwnerObjectId", CreateValue(principal.ObjectId)) ).ToString(), } }; var result = resourceManagementClient.Deployments.CreateOrUpdate(options.ResourceGroup, options.DeployName, deployment); deploymentInfo = result.Deployment; } else { var deploymentStatus = resourceManagementClient.Deployments.Get(options.ResourceGroup, options.DeployName); deploymentInfo = deploymentStatus.Deployment; } while (!(deploymentInfo.Properties.ProvisioningState == "Succeeded" || deploymentInfo.Properties.ProvisioningState == "Failed")) { var deploymentStatus = resourceManagementClient.Deployments.Get(options.ResourceGroup, options.DeployName); deploymentInfo = deploymentStatus.Deployment; Thread.Sleep(5000); } Console.WriteLine(deploymentInfo.Properties.Outputs); var outputs = JObject.Parse(deploymentInfo.Properties.Outputs); var storageAccountName = outputs["storageAccount"]["value"].ToString(); var keyvaultName = outputs["keyvault"]["value"].ToString(); using (var client = new KeyVaultManagementClient(new TokenCloudCredentials(options.SubscriptionId, token.AccessToken))) { using (var storageClient = new StorageManagementClient(new TokenCloudCredentials(options.SubscriptionId, token.AccessToken))) { var keys = storageClient.StorageAccounts.ListKeys(options.ResourceGroup, storageAccountName); var vaultInfo = client.Vaults.Get(options.ResourceGroup, keyvaultName); //CHEATING (using powershell application id to get token on behhalf of user); var vaultToken = authContext.AcquireToken("https://vault.azure.net", "1950a258-227b-4e31-a9cf-717495945fc2", new Uri("urn:ietf:wg:oauth:2.0:oob")); var keyvaultClient = new KeyVaultClient((_, b, c) => Task.FromResult(vaultToken.AccessToken)); var secrets = keyvaultClient.GetSecretsAsync(vaultInfo.Vault.Properties.VaultUri).GetAwaiter().GetResult(); if (secrets.Value == null || !secrets.Value.Any(s => s.Id == vaultInfo.Vault.Properties.VaultUri + "secrets/storage")) { keyvaultClient.SetSecretAsync(vaultInfo.Vault.Properties.VaultUri, "storage", $"{storageAccountName}:{keys.StorageAccountKeys.Key1}").GetAwaiter().GetResult(); keyvaultClient.SetSecretAsync(vaultInfo.Vault.Properties.VaultUri, "storage", $"{storageAccountName}:{keys.StorageAccountKeys.Key2}").GetAwaiter().GetResult(); var secret = keyvaultClient.GetSecretVersionsAsync(vaultInfo.Vault.Properties.VaultUri, "storage").GetAwaiter().GetResult(); } } } } }