public async Task <List <SecretItem> > GetAllSecretsFromKeyVault() { if (_allSecrets != null) { return(_allSecrets); } Log.LogDebug("Get all secrets from KeyVault"); _allSecrets = new List <SecretItem>(); try { Log.LogDebug($"Get secrets from '{_keyVaultUrl}'"); var secretsPage = await _keyVaultClient.GetSecretsAsync(_keyVaultUrl); _allSecrets.AddRange(secretsPage.ToList()); while (!string.IsNullOrWhiteSpace(secretsPage.NextPageLink)) { Log.LogDebug($"Found another page with secrets. Get secrets from '{secretsPage.NextPageLink}'"); secretsPage = await _keyVaultClient.GetSecretsAsync(secretsPage.NextPageLink); _allSecrets.AddRange(secretsPage.ToList()); } } catch (HttpRequestException) { Log.LogError("Can't get secrets from Key Vault."); throw; } Log.LogDebug($"Found in total {_allSecrets.Count} secret(s)"); return(_allSecrets); }
public async Task OnGetListAsync(string identifier) { try { /* The next four lines of code show you how to use AppAuthentication library to fetch secrets from your key vault */ AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider(); KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); var secret = await keyVaultClient.GetSecretsAsync(vaultBaseUrl : String.Format("https://{0}.vault.azure.net", identifier), maxresults : 1000).ConfigureAwait(false); Secrets = secret.ToHashSet(); } /* If you have throttling errors see this tutorial https://docs.microsoft.com/azure/key-vault/tutorial-net-create-vault-azure-web-app */ /// <exception cref="KeyVaultErrorException"> /// Thrown when the operation returned an invalid status code /// </exception> catch (KeyVaultErrorException keyVaultException) { Message = keyVaultException.Message; Telemetry.TrackEvent(String.Format("Could not reach vault. Exception: {0}", keyVaultException.Message)); } catch (Exception e) { Message = e.Message; Telemetry.TrackEvent(String.Format("General exception when reaching vault. Exception: {0}", e.Message)); } }
/// <summary> /// Delete a secret from Key Vault /// </summary> /// <param name="keyvaultName">ID of the secret</param> /// <returns>secret value</returns> public async Task <ApiResult> GetAndDeleteSecretsAsync(string keyvaultName, string flowId) { try { var secretUrl = GetKeyVaultSecretUrl(keyvaultName); var secrets = await _keyVaultClient.GetSecretsAsync(secretUrl); foreach (Microsoft.Azure.KeyVault.Models.SecretItem secretItem in secrets) { if (secretItem.Identifier.Name.StartsWith($"{flowId}-")) { await DeleteSecretAsync(keyvaultName, secretItem.Identifier.Name); } } while (!string.IsNullOrWhiteSpace(secrets.NextPageLink)) { secrets = await _keyVaultClient.GetSecretsNextAsync(secrets.NextPageLink); foreach (Microsoft.Azure.KeyVault.Models.SecretItem secretItem in secrets) { if (secretItem.Identifier.Name.StartsWith($"{flowId}-")) { await DeleteSecretAsync(keyvaultName, secretItem.Identifier.Name); } } } return(ApiResult.CreateSuccess("Deleted")); } catch (Exception) { throw; } }
/// <summary> /// Lists secrets in a vault /// </summary> private static void ListSecrets() { var vaultAddress = inputValidator.GetVaultAddress(); var numSecretsInVault = 0; var maxResults = 1; Console.Out.WriteLine("List secrets:---------------"); var results = keyVaultClient.GetSecretsAsync(vaultAddress, maxResults).GetAwaiter().GetResult(); if (results != null) { numSecretsInVault += results.Count(); foreach (var m in results) { Console.Out.WriteLine("\t{0}", m.Identifier.Name); } } while (results != null && !string.IsNullOrWhiteSpace(results.NextPageLink)) { results = keyVaultClient.GetSecretsNextAsync(results.NextPageLink).GetAwaiter().GetResult(); if (results != null) { numSecretsInVault += results.Count(); foreach (var m in results) { Console.Out.WriteLine("\t{0}", m.Identifier.Name); } } } Console.Out.WriteLine("\n\tNumber of secrets in the vault: {0}", numSecretsInVault); }
private async Task ClearAllKeyVaultSecrets() { foreach (SecretItem item in await KeyVaultClient.GetSecretsAsync(GetKeyVaultBaseUrl())) { await KeyVaultClient.DeleteSecretAsync(GetKeyVaultBaseUrl(), item.Identifier.Name); } }
public async Task <IReadOnlyCollection <Blob> > ListAsync(ListOptions options, CancellationToken cancellationToken) { if (options == null) { options = new ListOptions(); } GenericValidation.CheckBlobPrefix(options.FilePrefix); if (!StoragePath.IsRootPath(options.FolderPath)) { return(new List <Blob>()); } var secretNames = new List <Blob>(); IPage <SecretItem> page = await _vaultClient.GetSecretsAsync(_vaultUri).ConfigureAwait(false); do { var ids = page .Select((Func <SecretItem, Blob>)AzureKeyVaultBlobStorageProvider.ToBlobId) .Where(options.IsMatch) .Where(s => options.BrowseFilter == null || options.BrowseFilter(s)) .ToList(); secretNames.AddRange(ids); if (options.MaxResults != null && secretNames.Count >= options.MaxResults.Value) { return(secretNames.Take(options.MaxResults.Value).ToList()); } }while (page.NextPageLink != null && (page = await _vaultClient.GetSecretsNextAsync(page.NextPageLink).ConfigureAwait(false)) != null); return(secretNames); }
public async Task <IEnumerable <BlobId> > ListAsync(ListOptions options, CancellationToken cancellationToken) { if (options == null) { options = new ListOptions(); } GenericValidation.CheckBlobPrefix(options.Prefix); var secretNames = new List <BlobId>(); IPage <SecretItem> page = await _vaultClient.GetSecretsAsync(_vaultUri); do { secretNames.AddRange(page.Select(ToBlobId)); }while (page.NextPageLink != null && (page = await _vaultClient.GetSecretsNextAsync(page.NextPageLink)) != null); if (options.Prefix == null) { return(secretNames); } return(secretNames .Where(options.IsMatch) .Take(options.MaxResults == null ? int.MaxValue : options.MaxResults.Value)); }
private static string GetAzureAccessTokenFromKeyVault() { var clientId = GetEnvironmentVariable("clientId"); var vaultName = GetEnvironmentVariable("vaultName"); // Use Managed Service Identity AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider(); var keyVaultClient = new KeyVaultClient( new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); // List secrets to obtain secret value (assumes single token in vault) var vaultUrl = $"https://{vaultName}.vault.azure.net"; var secrets = keyVaultClient.GetSecretsAsync(vaultUrl) .GetAwaiter() .GetResult(); string secretName = null; foreach (var secret in secrets) { secretName = secret.Identifier.Name; } var vaultSecret = keyVaultClient.GetSecretAsync(vaultUrl, secretName) .GetAwaiter() .GetResult(); return(vaultSecret.Value); // to be used like $"Bearer {vaultSecret.Value}" }
public async Task <IPage <SecretItem> > GetSecrets() { var client = new KeyVaultClient(AuthCallback); var r = await client.GetSecretsAsync(VaultBaseUrl); return(r); }
protected ConfigParams PerformReadConfig(string correlationId) { try { var connection = _connectionResolver.ResolveAsync(correlationId).Result; var credential = _credentialResolver.LookupAsync(correlationId).Result; KeyVaultClient _client = new KeyVaultClient(connection, credential); var secrets = _client.GetSecretsAsync().Result; var result = new ConfigParams(); foreach (var entry in secrets) { var key = entry.Key.Replace('-', '.'); var value = entry.Value; result[key] = value; } return(result); } catch (Exception ex) { throw new ArgumentException("Failed to load config from KeyVault", ex); } }
public async Task <int> ExecuteAsync() { Console.WriteLine($"Verifying {VaultOptions.VaultUrl} Key Vault"); var azureServiceTokenProvider = new AzureServiceTokenProvider(); var authCallback = new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback); var keyVaultClient = new KeyVaultClient(authCallback); var result = await keyVaultClient.GetSecretsAsync(VaultOptions.VaultUrl); while (true) { foreach (Microsoft.Azure.KeyVault.Models.SecretItem item in result) { var secret = await keyVaultClient.GetSecretAsync(item.Id); Console.WriteLine($" - {item.Id}"); Console.WriteLine($" {secret.Value}"); } if (result.NextPageLink == null) { break; } result = await keyVaultClient.GetSecretsNextAsync(result.NextPageLink); } return(0); }
public static async Task <Dictionary <string, string> > LoadAsync( string keyVaultBaseUri, string applicationId, string appCertThumbprint) { try { using (var client = new KeyVaultClient( new KeyVaultClient.AuthenticationCallback( (authority, resource, scope) => GetToken(applicationId, appCertThumbprint, authority, resource, scope)))) { var secretItems = await client.GetSecretsAsync(keyVaultBaseUri); var tasks = secretItems.Select(async item => await client.GetSecretAsync(item.Identifier.Identifier)); var secrets = (await Task.WhenAll(tasks)) .ToDictionary( secret => secret.SecretIdentifier.Name, secret => secret.Value); Trace.TraceInformation(FormattableString.Invariant($"Secrets loaded from keyVault: {string.Join(", ", secrets.Keys)}")); return(secrets); } } catch (Exception ex) { Trace.TraceError(FormattableString.Invariant($"Failed to load secret from keyVault {keyVaultBaseUri}: {ex}")); return(new Dictionary <string, string>()); } }
/// <summary> /// Print all secrets in azure key vault. /// </summary> /// <param name="vaultUri">The key vault uri.</param> /// <param name="clientId">The service principal id.</param> /// <param name="clientSecret">The service principal secret.</param> /// <returns>The async task for printing operation.</returns> private static async Task PrintKeyVaultSecretsAsync( string vaultUri, string clientId, string clientSecret) { KeyVaultClient keyVaultClient = CreateKeyVaultClient(clientId, clientSecret); IPage <SecretItem> secretsPage = await keyVaultClient.GetSecretsAsync(vaultUri); do { foreach (SecretItem secret in secretsPage) { string secretName = secret.Identifier.Name; SecretBundle secretBundle = await keyVaultClient.GetSecretAsync( secret.Identifier.Identifier); string secretValue = secretBundle.Value; Console.WriteLine($"{secretName}: {secretValue}"); } if (secretsPage.NextPageLink != null) { secretsPage = await keyVaultClient.GetSecretsNextAsync( secretsPage.NextPageLink); } } while (secretsPage.NextPageLink != null); }
private List <string> GetAllKeys() { List <string> keys = new List <string>(); // KeyVault keys are case-insensitive. There won't be case-duplicates. List<> should be fine. // Get first page of secret keys var allSecrets = Task.Run(async() => { return(await _kvClient.GetSecretsAsync(_uri)); }).Result; foreach (var secretItem in allSecrets) { keys.Add(secretItem.Identifier.Name); } // If there more more pages, get those too string nextPage = allSecrets.NextPageLink; while (!String.IsNullOrWhiteSpace(nextPage)) { var moreSecrets = Task.Run(async() => { return(await _kvClient.GetSecretsNextAsync(nextPage)); }).Result; foreach (var secretItem in moreSecrets) { keys.Add(secretItem.Identifier.Name); } nextPage = moreSecrets.NextPageLink; } return(keys); }
private static async Task <Keyring> GenerateKeyring(KeyVaultClient client, string vault, string prefix) { var secrets = await client.GetSecretsAsync(vault); var allSecrets = new List <SecretItem>(secrets.Value); while (secrets.NextLink != null) { secrets = await client.GetSecretsNextAsync(secrets.NextLink); allSecrets.AddRange(secrets.Value); } var keyring = new Keyring(); foreach (var secret in allSecrets.Where(s => s.Identifier.Name.StartsWith(prefix))) { var secretItem = await client.GetSecretAsync(secret.Id); var bytes = System.Convert.FromBase64String(secretItem.Value); keyring.ImportFromStream(new MemoryStream(bytes)); } return(keyring); }
private static async Task <List <string> > GetSecretsAsync() { // Gets the list of secrets. var secrets = await _kv.GetSecretsAsync(_baseUri).ConfigureAwait(false); // Returns the list of secret names. return(secrets.Select(p => p.Identifier.Name).ToList()); }
private async static Task <TResult> GetKeyVaultSecretsAsync <TResult>(string vaultUrl, string clientId, string clientSecret, Func <Dictionary <string, string>, TResult> onFound, Func <TResult> onNotFound, Func <TResult> onKeyVaultTokenInvalid, Func <TResult> onKeyVaultNotConfigured) { if (string.IsNullOrEmpty(vaultUrl) || string.IsNullOrEmpty(clientId) || string.IsNullOrEmpty(clientSecret)) { return(onKeyVaultNotConfigured()); } try { var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback( async(authority, resource, scope) => await GetTokenAsync(clientId, clientSecret, authority, resource, scope))); var secretBundle = await keyVaultClient.GetSecretsAsync(vaultUrl); if (null == secretBundle) { return(onNotFound()); } // The api returns 25 keys at a time var names = secretBundle.Select(secret => secret.Identifier.Name).ToArray(); while (!string.IsNullOrEmpty(secretBundle.NextPageLink)) { secretBundle = await keyVaultClient.GetSecretsNextAsync(secretBundle.NextPageLink); if (secretBundle == null) { break; } names = names.Concat(secretBundle.Select(secret => secret.Identifier.Name)).ToArray(); } ; var secrets = await names .Select( async name => { var secret = await keyVaultClient.GetSecretAsync(vaultUrl, name); var value = (null == secret) ? string.Empty : secret.Value; // KeyVault will only allow Alphanumberic characters and dashes. Replace - with . to keep our // current naming convention. Yes - this means we cannot have dashes in our names. return(name.Replace("-", ".").PairWithValue(value)); }).WhenAllAsync(1); return(onFound(secrets.ToDictionary())); } catch (Exception) { return(onKeyVaultTokenInvalid()); } }
private async Task <List <string> > GetSecretsAsync(string uri) { List <string> ids = new List <string>(); IPage <SecretItem> items = await vault.GetSecretsAsync(uri); foreach (var item in items) { ids.Add(item.Id); } return(ids); }
public async Task <SecurityCredentials> InitialiseAzure() { var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessTokenAsync), new HttpClient()); var secrets = await client.GetSecretsAsync(VaultUrl); foreach (var item in secrets) { Cache.Add(item.Identifier.Name, await GetSecretAsync(client, item.Identifier.Name)); } return(this); }
/// <summary> /// Gets the keys. /// </summary> /// <returns>Dictionary<System.String, System.String>.</returns> public static Dictionary <string, string> GetKeys() { try { var result = KvClient.GetSecretsAsync(VaultName).Result; return(result.Value.ToDictionary(value => value.Id, value => value.Identifier.Name)); } catch (Exception e) { return(null); } }
public async Task <Dictionary <string, string> > GetSecrets() { IPage <SecretItem> secrets = await _client.GetSecretsAsync(_config.VaultURL); Dictionary <string, string> returnDictionary = new Dictionary <string, string>(); foreach (var item in secrets) { returnDictionary.Add(item.Id, await GetSecret(item.Id)); } return(returnDictionary); }
private async Task <List <SecretItem> > GetAllSecretsFromKeyVault() { _log.Info("Get all secrets from KeyVault"); List <SecretItem> allSecrets = new List <SecretItem>(); _log.Verbose($"Get secrets from '{_keyVaultUrl}'"); var secretsPage = await _keyVaultClient.GetSecretsAsync(_keyVaultUrl); allSecrets.AddRange(secretsPage.ToList()); while (!string.IsNullOrWhiteSpace(secretsPage.NextPageLink)) { _log.Verbose($"Found another page with secrets. Get secrets from '{secretsPage.NextPageLink}'"); secretsPage = await _keyVaultClient.GetSecretsAsync(secretsPage.NextPageLink); allSecrets.AddRange(secretsPage.ToList()); } _log.Verbose($"Found in total {allSecrets.Count} secret(s)"); return(allSecrets); }
public static Dictionary <string, string> GetAllFromKeyVault(string keyVaultName) { var secretDict = new Dictionary <string, string>(); AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider(); KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); string vaultUri = $"https://{keyVaultName}.vault.azure.net/"; var secrets = keyVaultClient.GetSecretsAsync(vaultUri).Result; foreach (var secret in secrets) { secretDict.Add(secret.Identifier.Name, keyVaultClient.GetSecretAsync(vaultUri, secret.Identifier.Name).Result.Value); } return(secretDict); }
private List <string> GetAllKeys() { var allSecrets = Task.Run(async() => { return(await _kvClient.GetSecretsAsync(_uri)); }).Result; List <Task> tasks = new List <Task>(); List <string> keys = new List <string>(); // KeyVault keys are case-insensitive. There won't be case-duplicates. List<> should be fine. foreach (var secretItem in allSecrets) { keys.Add(secretItem.Identifier.Name); } return(keys); }
public async Task<IEnumerable<string>> Get() { if (false) //DONT RUN { var keyvaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessToken)); var secrets = await keyvaultClient.GetSecretsAsync("https://ascend-xyz-testing-weu.vault.azure.net"); } //Using the abstraction we can do var storageKey = config.GetAzureKeyVaultSecret("storage"); return new string[] { "value1", "value2" }; }
public async Task <List <Item> > ReadAllAsync() { if (_cache.Get("ItemList") == null) { int splitMark; string secretName; List <Item> items = new List <Item>(); Item item; int itemId = 1; // Load secrets from KeyVault try { var secrets = await keyVaultClient.GetSecretsAsync( KeyVaultBaseUrl, MaxGetSecretsResults); // Get items and store them in List foreach (SecretItem secret in secrets) { // Secret name follows after the last forward slash in secret.Id splitMark = secret.Id.LastIndexOf('/'); secretName = secret.Id.Substring(splitMark + 1); // Skip prefixed configuration keys if (!secretName.StartsWith(ConfigKeyPrefix)) { item = new Item() { Id = itemId, Name = secretName }; items.Add(item); itemId++; } } } catch (HttpRequestException) { } // Order list by name ascending List <Item> sortedItems = items.OrderBy(o => o.Name).ToList(); _cache.Set("ItemList", sortedItems); } return(_cache.Get <List <Item> >("ItemList")); }
public async Task <IActionResult> Vault() { AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider(); KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); var secrets = await keyVaultClient.GetSecretsAsync(_configuration["MNKeyVault"]); Dictionary <string, string> secretValueList = new Dictionary <string, string>(); foreach (var item in secrets) { var secret = await keyVaultClient.GetSecretAsync(item.Id); secretValueList.Add(item.Id, secret.Value); } return(View(secretValueList)); }
public List <DataList> getKeyList(core.AzureKeyManager azureNet) { publicazure = azureNet; KeyVaultClient kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetToken)); var list = new List <DataList>(); var secret = kv.GetSecretsAsync(azureNet.keyVaultBaseUrl); foreach (SecretItem secrets in secret.Result) { var name = secrets.Id.Substring(secrets.Id.LastIndexOf('/') + 1); list.Add(new DataList() { secretname = name, secrettype = secrets.ContentType }); } return(list); }
// This method gets called by the runtime. Use this method to add services to the container. public void ConfigureServices(IServiceCollection services) { services.AddControllersWithViews(); services.AddAuthentication(); AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider(); var keyVaultClient = new KeyVaultClient( new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); var secrets = keyVaultClient.GetSecretsAsync("https://part1kv.vault.azure.net").Result; foreach (var secret in secrets.ToList()) { ConfigurationManager.AppSettings[secret.Identifier.Name] = keyVaultClient.GetSecretAsync(secret.Identifier.Identifier).Result.Value; } }
public static async Task <List <IEnumerable <SecretItem> > > GetKeyVaultSecretsPagesAsync(KeyVaultClient keyVaultClient, string keyVaultBaseUrl) { IPage <SecretItem> secretItems = await keyVaultClient.GetSecretsAsync(keyVaultBaseUrl); List <IEnumerable <SecretItem> > secretsPages = new List <IEnumerable <SecretItem> >() { secretItems }; while (!string.IsNullOrEmpty(secretItems.NextPageLink)) { secretItems = await keyVaultClient.GetSecretsNextAsync(secretItems.NextPageLink); secretsPages.Add(secretItems); } return(secretsPages); }
public override void Load() { var keyVaultUri = _getKeyVaultUriAction(); if (string.IsNullOrEmpty(keyVaultUri)) { Data = new Dictionary <string, string>(); return; } var azureServiceTokenProvider = new AzureServiceTokenProvider(); var keyVaultClient = new KeyVaultClient( new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); var secretList = keyVaultClient.GetSecretsAsync(keyVaultUri).Result.ToList(); Data = new Dictionary <string, string>(); secretList.ForEach(s => Data.Add(Grouped(s.Identifier.Name), keyVaultClient.GetSecretAsync(s.Id).Result.Value)); }
protected void Application_Start() { AreaRegistration.RegisterAllAreas(); FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters); RouteConfig.RegisterRoutes(RouteTable.Routes); BundleConfig.RegisterBundles(BundleTable.Bundles); // I put my GetToken method in a Utils class. Change for wherever you placed your method. var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(Util.GetToken)); var sec = kv.GetSecretsAsync(WebConfigurationManager.AppSettings["VaultUri"]).GetAwaiter().GetResult(); //I put a variable in a Utils class to hold the secret for general application use. Util.EncryptSecret = new List<KeyValuePair<string, string>>(); foreach (var item in sec.Value) { var value = kv.GetSecretAsync(item.Id).GetAwaiter().GetResult().Value; Util.EncryptSecret.Add(new KeyValuePair<string, string>(item.Identifier.Name, value)); } }
private static void HandleCertificateOperations(Options options, AuthenticationContext authContext, AuthenticationResult token) { using (var client = new KeyVaultManagementClient(new TokenCloudCredentials(options.SubscriptionId, token.AccessToken))) { if (!string.IsNullOrEmpty(options.ResourceGroup)) { if (!string.IsNullOrEmpty(options.Vault)) { var vaultInfo = client.Vaults.Get(options.ResourceGroup, options.Vault); var vaultToken = authContext.AcquireToken("https://vault.azure.net", "1950a258-227b-4e31-a9cf-717495945fc2", new Uri("urn:ietf:wg:oauth:2.0:oob")); var keyvaultClient = new KeyVaultClient((_, b, c) => Task.FromResult(vaultToken.AccessToken)); if (!string.IsNullOrEmpty(options.ExportCert)) { var secret = keyvaultClient.GetSecretAsync(vaultInfo.Vault.Properties.VaultUri, options.ExportCert).GetAwaiter().GetResult(); var cert = new X509Certificate2(Convert.FromBase64String(secret.Value), new SecureString(), X509KeyStorageFlags.Exportable); File.WriteAllBytes(options.Out, cert.Export(X509ContentType.Pfx)); } if (!string.IsNullOrEmpty(options.Encrypt)) { var secret = keyvaultClient.GetSecretAsync(vaultInfo.Vault.Properties.VaultUri, options.CertificateName).GetAwaiter().GetResult(); var cert = new X509Certificate2(Convert.FromBase64String(secret.Value)); byte[] encoded = System.Text.UTF8Encoding.UTF8.GetBytes(options.Encrypt); var content = new ContentInfo(encoded); var env = new EnvelopedCms(content); env.Encrypt(new CmsRecipient(cert)); string encrypted64 = Convert.ToBase64String(env.Encode()); Console.WriteLine("Encrypting: {0}", options.Encrypt); Console.WriteLine("Encrypted Base64 String: {0}", encrypted64); } if (!string.IsNullOrEmpty(options.Decrypt)) { var secret = keyvaultClient.GetSecretAsync(vaultInfo.Vault.Properties.VaultUri, options.CertificateName).GetAwaiter().GetResult(); var cert = new X509Certificate2(Convert.FromBase64String(secret.Value)); var encryptedBytes = Convert.FromBase64String(options.Decrypt); var envelope = new EnvelopedCms(); envelope.Decode(encryptedBytes); envelope.Decrypt(new X509Certificate2Collection(cert)); Console.WriteLine("Decrypting: {0}", options.Decrypt); Console.WriteLine("Decrypted String: {0}", Encoding.UTF8.GetString(envelope.ContentInfo.Content)); } if (options.MakeCert) { var cert = Convert.ToBase64String(Certificate.CreateSelfSignCertificatePfx(string.Format("CN={0}", options.CertificateName), DateTime.UtcNow, DateTime.UtcNow.AddYears(2))); var cert1 = new X509Certificate2(Convert.FromBase64String(cert)); var secrets = keyvaultClient.GetSecretsAsync(vaultInfo.Vault.Properties.VaultUri).GetAwaiter().GetResult(); if (secrets.Value == null || !secrets.Value.Any(s => s.Id == vaultInfo.Vault.Properties.VaultUri + "secrets/" + options.CertificateName)) { Console.WriteLine( JsonConvert.SerializeObject(keyvaultClient.SetSecretAsync(vaultInfo.Vault.Properties.VaultUri, options.CertificateName, cert, null, "application/pkcs12").GetAwaiter().GetResult() , Formatting.Indented)); } } } } } }
private static void HandleDeploy(Options options, AuthenticationContext authContext, AuthenticationResult token, ResourceManagementClient resourceManagementClient) { if (!string.IsNullOrWhiteSpace(options.Deploy)) { ResourceGroupExtended rg = GetResourceGroup(options, resourceManagementClient); //Fix location to displayname from template using (var subscriptionClient = new SubscriptionClient(new TokenCloudCredentials(token.AccessToken))) { var a = subscriptionClient.Subscriptions.ListLocations(options.SubscriptionId); rg.Location = a.Locations.Single(l => l.Name == rg.Location).DisplayName; } var graphtoken = authContext.AcquireToken("https://graph.windows.net/", options.ClientID, new Uri(options.RedirectUri), PromptBehavior.Auto); var graph = new ActiveDirectoryClient(new Uri("https://graph.windows.net/" + graphtoken.TenantId), () => Task.FromResult(graphtoken.AccessToken)); var principal = graph.ServicePrincipals.Where(p => p.AppId == options.ApplicaitonId).ExecuteSingleAsync().GetAwaiter().GetResult(); DeploymentExtended deploymentInfo = null; if (!resourceManagementClient.Deployments.CheckExistence(options.ResourceGroup, options.DeployName).Exists) { var deployment = new Deployment { Properties = new DeploymentProperties { Mode = DeploymentMode.Incremental, //Dont Delete other resources Template = File.ReadAllText(options.Deploy), Parameters = new JObject( new JProperty("siteName", CreateValue(options.SiteName)), new JProperty("hostingPlanName", CreateValue(options.HostingPlanName)), new JProperty("storageAccountType", CreateValue(options.StorageAccountType)), new JProperty("siteLocation", CreateValue(rg.Location)), new JProperty("sku", CreateValue(options.WebsitePlan)), new JProperty("tenantId", CreateValue(token.TenantId)), new JProperty("objectId", CreateValue(token.UserInfo.UniqueId)), new JProperty("appOwnerTenantId", CreateValue(principal.AppOwnerTenantId.Value.ToString())), new JProperty("appOwnerObjectId", CreateValue(principal.ObjectId)) ).ToString(), } }; var result = resourceManagementClient.Deployments.CreateOrUpdate(options.ResourceGroup, options.DeployName, deployment); deploymentInfo = result.Deployment; } else { var deploymentStatus = resourceManagementClient.Deployments.Get(options.ResourceGroup, options.DeployName); deploymentInfo = deploymentStatus.Deployment; } while (!(deploymentInfo.Properties.ProvisioningState == "Succeeded" || deploymentInfo.Properties.ProvisioningState == "Failed")) { var deploymentStatus = resourceManagementClient.Deployments.Get(options.ResourceGroup, options.DeployName); deploymentInfo = deploymentStatus.Deployment; Thread.Sleep(5000); } Console.WriteLine(deploymentInfo.Properties.Outputs); var outputs = JObject.Parse(deploymentInfo.Properties.Outputs); var storageAccountName = outputs["storageAccount"]["value"].ToString(); var keyvaultName = outputs["keyvault"]["value"].ToString(); using (var client = new KeyVaultManagementClient(new TokenCloudCredentials(options.SubscriptionId, token.AccessToken))) { using (var storageClient = new StorageManagementClient(new TokenCloudCredentials(options.SubscriptionId, token.AccessToken))) { var keys = storageClient.StorageAccounts.ListKeys(options.ResourceGroup, storageAccountName); var vaultInfo = client.Vaults.Get(options.ResourceGroup, keyvaultName); //CHEATING (using powershell application id to get token on behhalf of user); var vaultToken = authContext.AcquireToken("https://vault.azure.net", "1950a258-227b-4e31-a9cf-717495945fc2", new Uri("urn:ietf:wg:oauth:2.0:oob")); var keyvaultClient = new KeyVaultClient((_, b, c) => Task.FromResult(vaultToken.AccessToken)); var secrets = keyvaultClient.GetSecretsAsync(vaultInfo.Vault.Properties.VaultUri).GetAwaiter().GetResult(); if (secrets.Value == null || !secrets.Value.Any(s => s.Id == vaultInfo.Vault.Properties.VaultUri + "secrets/storage")) { keyvaultClient.SetSecretAsync(vaultInfo.Vault.Properties.VaultUri, "storage", $"{storageAccountName}:{keys.StorageAccountKeys.Key1}").GetAwaiter().GetResult(); keyvaultClient.SetSecretAsync(vaultInfo.Vault.Properties.VaultUri, "storage", $"{storageAccountName}:{keys.StorageAccountKeys.Key2}").GetAwaiter().GetResult(); var secret = keyvaultClient.GetSecretVersionsAsync(vaultInfo.Vault.Properties.VaultUri, "storage").GetAwaiter().GetResult(); } } } } }
/// <summary> /// Loads all secrets which are delimited by : so that they can be retrieved by the config system /// Since KeyVault does not allow : as delimiters in the share secret name, the actual name is not used as key for configuration. /// The Tag property is used instead /// The tag should always be of the form "ConfigKey"="ParentKey1:Child1:.." /// </summary> /// <param name="token"></param> /// <returns></returns> private async Task LoadAsync(CancellationToken token) { string password; var cert = CertificateUtility.FindCertificateByThumbprint(_storeName, _storeLocation, _certificateThumbprint, _validateCertificate); var certBytes = CertificateUtility.ExportCertificateWithPrivateKey(cert, out password); _assertion = new ClientAssertionCertificate(_appClientId, certBytes, password); Data = new Dictionary<string, string>(); // This returns a list of identifiers which are uris to the secret, you need to use the identifier to get the actual secrets again. var kvClient = new KeyVaultClient(GetTokenAsync); var secretsResponseList = await kvClient.GetSecretsAsync(_vault, MaxSecrets, token); foreach (var secretItem in secretsResponseList.Value ?? new List<SecretItem>()) { //The actual config key is stored in a tag with the Key "ConfigKey" since : is not supported in a shared secret name by KeyVault if (secretItem.Tags != null && secretItem.Tags.ContainsKey(ConfigKey)) { var secret = await kvClient.GetSecretAsync(secretItem.Id, token); Data.Add(secret.Tags[ConfigKey], secret.Value); } } }