public async Task <IPage <SecretItem> > GetSecretVersions(string secretName)
{
var client = new KeyVaultClient(AuthCallback);
var r = await client.GetSecretVersionsAsync(VaultBaseUrl, secretName);
return(r);
}
private async Task <ExpirationMetadata <KeyVaultCertificate[]> > Factory(ExpirationMetadata <KeyVaultCertificate[]> arg)
{
using (var scope = serviceScopeFactory.CreateScope())
{
var old = (arg.Result ?? Array.Empty <KeyVaultCertificate>()).ToLookup(k => k.Identifier);
var options = scope.ServiceProvider.GetService <IOptions <SigingKeyStoreOptions> >();
var configuration = scope.ServiceProvider.GetRequiredService <IConfiguration>();
var tokenProvider = scope.ServiceProvider.GetRequiredService <ManagedIdentityTokenProvider>();
var client = new KeyVaultClient((string authority, string resource, string _) =>
tokenProvider.GetTokenForResourceAsync(authority, resource), scope.ServiceProvider.GetRequiredService <System.Net.Http.IHttpClientFactory>().CreateClient());
var certsVersions = await client.GetSecretVersionsAsync(options.Value.KeyVaultUri, options.Value.SecretName);
var certsIds = certsVersions.Where(k => !old.Contains(k.Identifier.Identifier) && (k.Attributes?.Enabled ?? false)).ToArray();
var secrets = await Task.WhenAll(certsIds.Select(k => client.GetSecretAsync(k.Identifier.Identifier)));
return(new ExpirationMetadata <KeyVaultCertificate[]>
{
ValidUntil = DateTimeOffset.UtcNow.AddHours(1),
Result = secrets.Select((e, i) =>
new KeyVaultCertificate
{
Cert = new X509Certificate2(Convert.FromBase64String(e.Value), string.Empty, X509KeyStorageFlags.MachineKeySet),
Identifier = certsIds[i].Identifier.Identifier
}).Concat(arg.Result ?? Array.Empty <KeyVaultCertificate>()).ToArray()
});
}
}
private async Task <List <string> > GetSecretsVersionAsync(string secretName, string uri)
{
List <string> ids = new List <string>();
IPage <SecretItem> items = await vault.GetSecretVersionsAsync(uri, secretName);
foreach (var item in items)
{
ids.Add(item.Id);
}
return(ids);
}
public async Task <string> GetSecret(string name)
{
var secretBundle = await _client.GetSecretVersionsAsync(_vaultUrl, name);
var latestVersion = secretBundle.Where(b => b.Attributes.Created.HasValue)
.OrderByDescending(b => b.Attributes.Created).FirstOrDefault()?.Id;
if (latestVersion == null)
{
return(null);
}
var secret = await _client.GetSecretAsync(latestVersion);
return(secret.Value);
}
public async Task <bool> SetEbayTokenByCompanyId(long companyId, EbayOAuthToken token)
{
try
{
var secretIdentifier = string.Empty;
switch (token.Type)
{
case EbayOAuthTokenType.USERTOKEN:
secretIdentifier = $"ebay-user-token-company{companyId}";
break;
case EbayOAuthTokenType.REFRESHTOKEN:
secretIdentifier = $"ebay-refresh-token-company{companyId}";
break;
default:
throw new InvalidTokenTypeException("The token has an invalid type.");
}
var secretAttributes = new SecretAttributes
{
Expires = token.Expiration.Value.ToUniversalTime()
};
//check to see if identifier exists
var versionList = await keyVaultClient.GetSecretVersionsAsync(appSettings.Value.KeyVaultUrl, secretIdentifier);
if (!versionList.Any())
{
await keyVaultClient.SetSecretAsync(appSettings.Value.KeyVaultUrl, secretIdentifier, token.Token, null, null, secretAttributes);
}
else //exists, update it
{
await keyVaultClient.SetSecretAsync(keyVaultUrl, secretIdentifier, token.Token, null, null, secretAttributes);
}
return(true);
}
catch (Exception ex)
{
telemetryClient.TrackException(ex);
return(false);
}
}
private async Task <int> OnExecuteAsync(CommandLineApplication app)
{
// var secretName = "AscendXYZGatewayPrincipal";
// var certificateName = "AscendXYZGatewayPrincipalCertificate";
// var vaultName = "ascendxyz";
var vaultUri = $"https://{VaultName}.vault.azure.net";
var keyvaultClient = new KeyVaultClient(GetToken);
var secret = await keyvaultClient.GetSecretAsync($"{vaultUri}/secrets/{SecretName}");
var certs = await keyvaultClient.GetSecretVersionsAsync(vaultUri, CertificateName);
X509Certificate2 cert = null;
if (!certs.Any())
{
var x509Certificate = cert = buildSelfSignedServerCertificate(CertificateName, "");
await keyvaultClient.SetSecretAsync(vaultUri, CertificateName, Convert.ToBase64String(x509Certificate.Export(X509ContentType.Pkcs12)), null, "application/x-pkcs12");
}
else
{
var certSecret = await keyvaultClient.GetSecretAsync(certs.First().Id);
cert = new X509Certificate2(Convert.FromBase64String(certSecret.Value));
}
byte[] encoded = Encoding.Unicode.GetBytes(secret.Value);
var content = new ContentInfo(encoded);
var env = new EnvelopedCms(content);
env.Encrypt(new CmsRecipient(cert));
string encrypted64 = Convert.ToBase64String(env.Encode());
Console.WriteLine(encrypted64);
if (Install)
{
Console.WriteLine($"installing {cert.Thumbprint} to CurrentUser.My");
using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
store.Open(OpenFlags.ReadWrite);
store.Add(cert);
store.Close();
}
try
{
using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
{
store.Open(OpenFlags.ReadWrite);
store.Add(cert);
store.Close();
}
}
catch (Exception ex)
{
Console.WriteLine("Failed to add to localmachine");
}
}
return(0);
}
private static void HandleDeploy(Options options, AuthenticationContext authContext, AuthenticationResult token, ResourceManagementClient resourceManagementClient)
{
if (!string.IsNullOrWhiteSpace(options.Deploy))
{
ResourceGroupExtended rg = GetResourceGroup(options, resourceManagementClient);
//Fix location to displayname from template
using (var subscriptionClient = new SubscriptionClient(new TokenCloudCredentials(token.AccessToken)))
{
var a = subscriptionClient.Subscriptions.ListLocations(options.SubscriptionId);
rg.Location = a.Locations.Single(l => l.Name == rg.Location).DisplayName;
}
var graphtoken = authContext.AcquireToken("https://graph.windows.net/", options.ClientID, new Uri(options.RedirectUri), PromptBehavior.Auto);
var graph = new ActiveDirectoryClient(new Uri("https://graph.windows.net/" + graphtoken.TenantId), () => Task.FromResult(graphtoken.AccessToken));
var principal = graph.ServicePrincipals.Where(p => p.AppId == options.ApplicaitonId).ExecuteSingleAsync().GetAwaiter().GetResult();
DeploymentExtended deploymentInfo = null;
if (!resourceManagementClient.Deployments.CheckExistence(options.ResourceGroup, options.DeployName).Exists)
{
var deployment = new Deployment
{
Properties = new DeploymentProperties
{
Mode = DeploymentMode.Incremental, //Dont Delete other resources
Template = File.ReadAllText(options.Deploy),
Parameters = new JObject(
new JProperty("siteName", CreateValue(options.SiteName)),
new JProperty("hostingPlanName", CreateValue(options.HostingPlanName)),
new JProperty("storageAccountType", CreateValue(options.StorageAccountType)),
new JProperty("siteLocation", CreateValue(rg.Location)),
new JProperty("sku", CreateValue(options.WebsitePlan)),
new JProperty("tenantId", CreateValue(token.TenantId)),
new JProperty("objectId", CreateValue(token.UserInfo.UniqueId)),
new JProperty("appOwnerTenantId", CreateValue(principal.AppOwnerTenantId.Value.ToString())),
new JProperty("appOwnerObjectId", CreateValue(principal.ObjectId))
).ToString(),
}
};
var result = resourceManagementClient.Deployments.CreateOrUpdate(options.ResourceGroup, options.DeployName, deployment);
deploymentInfo = result.Deployment;
}
else
{
var deploymentStatus = resourceManagementClient.Deployments.Get(options.ResourceGroup, options.DeployName);
deploymentInfo = deploymentStatus.Deployment;
}
while (!(deploymentInfo.Properties.ProvisioningState == "Succeeded" || deploymentInfo.Properties.ProvisioningState == "Failed"))
{
var deploymentStatus = resourceManagementClient.Deployments.Get(options.ResourceGroup, options.DeployName);
deploymentInfo = deploymentStatus.Deployment;
Thread.Sleep(5000);
}
Console.WriteLine(deploymentInfo.Properties.Outputs);
var outputs = JObject.Parse(deploymentInfo.Properties.Outputs);
var storageAccountName = outputs["storageAccount"]["value"].ToString();
var keyvaultName = outputs["keyvault"]["value"].ToString();
using (var client = new KeyVaultManagementClient(new TokenCloudCredentials(options.SubscriptionId, token.AccessToken)))
{
using (var storageClient = new StorageManagementClient(new TokenCloudCredentials(options.SubscriptionId, token.AccessToken)))
{
var keys = storageClient.StorageAccounts.ListKeys(options.ResourceGroup, storageAccountName);
var vaultInfo = client.Vaults.Get(options.ResourceGroup, keyvaultName);
//CHEATING (using powershell application id to get token on behhalf of user);
var vaultToken = authContext.AcquireToken("https://vault.azure.net", "1950a258-227b-4e31-a9cf-717495945fc2", new Uri("urn:ietf:wg:oauth:2.0:oob"));
var keyvaultClient = new KeyVaultClient((_, b, c) => Task.FromResult(vaultToken.AccessToken));
var secrets = keyvaultClient.GetSecretsAsync(vaultInfo.Vault.Properties.VaultUri).GetAwaiter().GetResult();
if (secrets.Value == null || !secrets.Value.Any(s => s.Id == vaultInfo.Vault.Properties.VaultUri + "secrets/storage"))
{
keyvaultClient.SetSecretAsync(vaultInfo.Vault.Properties.VaultUri, "storage", $"{storageAccountName}:{keys.StorageAccountKeys.Key1}").GetAwaiter().GetResult();
keyvaultClient.SetSecretAsync(vaultInfo.Vault.Properties.VaultUri, "storage", $"{storageAccountName}:{keys.StorageAccountKeys.Key2}").GetAwaiter().GetResult();
var secret = keyvaultClient.GetSecretVersionsAsync(vaultInfo.Vault.Properties.VaultUri, "storage").GetAwaiter().GetResult();
}
}
}
}
}
