public async Task <List <SecretItem> > GetAllSecretsFromKeyVault()
{
if (_allSecrets != null)
{
return(_allSecrets);
}
Log.LogDebug("Get all secrets from KeyVault");
_allSecrets = new List <SecretItem>();
try
{
Log.LogDebug($"Get secrets from '{_keyVaultUrl}'");
var secretsPage = await _keyVaultClient.GetSecretsAsync(_keyVaultUrl);
_allSecrets.AddRange(secretsPage.ToList());
while (!string.IsNullOrWhiteSpace(secretsPage.NextPageLink))
{
Log.LogDebug($"Found another page with secrets. Get secrets from '{secretsPage.NextPageLink}'");
secretsPage = await _keyVaultClient.GetSecretsAsync(secretsPage.NextPageLink);
_allSecrets.AddRange(secretsPage.ToList());
}
}
catch (HttpRequestException)
{
Log.LogError("Can't get secrets from Key Vault.");
throw;
}
Log.LogDebug($"Found in total {_allSecrets.Count} secret(s)");
return(_allSecrets);
}
public async Task OnGetListAsync(string identifier)
{
try
{
/* The next four lines of code show you how to use AppAuthentication library to fetch secrets from your key vault */
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.GetSecretsAsync(vaultBaseUrl : String.Format("https://{0}.vault.azure.net", identifier), maxresults : 1000).ConfigureAwait(false);
Secrets = secret.ToHashSet();
}
/* If you have throttling errors see this tutorial https://docs.microsoft.com/azure/key-vault/tutorial-net-create-vault-azure-web-app */
/// <exception cref="KeyVaultErrorException">
/// Thrown when the operation returned an invalid status code
/// </exception>
catch (KeyVaultErrorException keyVaultException)
{
Message = keyVaultException.Message;
Telemetry.TrackEvent(String.Format("Could not reach vault. Exception: {0}", keyVaultException.Message));
}
catch (Exception e)
{
Message = e.Message;
Telemetry.TrackEvent(String.Format("General exception when reaching vault. Exception: {0}", e.Message));
}
}
/// <summary>
/// Delete a secret from Key Vault
/// </summary>
/// <param name="keyvaultName">ID of the secret</param>
/// <returns>secret value</returns>
public async Task <ApiResult> GetAndDeleteSecretsAsync(string keyvaultName, string flowId)
{
try
{
var secretUrl = GetKeyVaultSecretUrl(keyvaultName);
var secrets = await _keyVaultClient.GetSecretsAsync(secretUrl);
foreach (Microsoft.Azure.KeyVault.Models.SecretItem secretItem in secrets)
{
if (secretItem.Identifier.Name.StartsWith($"{flowId}-"))
{
await DeleteSecretAsync(keyvaultName, secretItem.Identifier.Name);
}
}
while (!string.IsNullOrWhiteSpace(secrets.NextPageLink))
{
secrets = await _keyVaultClient.GetSecretsNextAsync(secrets.NextPageLink);
foreach (Microsoft.Azure.KeyVault.Models.SecretItem secretItem in secrets)
{
if (secretItem.Identifier.Name.StartsWith($"{flowId}-"))
{
await DeleteSecretAsync(keyvaultName, secretItem.Identifier.Name);
}
}
}
return(ApiResult.CreateSuccess("Deleted"));
}
catch (Exception)
{
throw;
}
}
/// <summary>
/// Lists secrets in a vault
/// </summary>
private static void ListSecrets()
{
var vaultAddress = inputValidator.GetVaultAddress();
var numSecretsInVault = 0;
var maxResults = 1;
Console.Out.WriteLine("List secrets:---------------");
var results = keyVaultClient.GetSecretsAsync(vaultAddress, maxResults).GetAwaiter().GetResult();
if (results != null)
{
numSecretsInVault += results.Count();
foreach (var m in results)
{
Console.Out.WriteLine("\t{0}", m.Identifier.Name);
}
}
while (results != null && !string.IsNullOrWhiteSpace(results.NextPageLink))
{
results = keyVaultClient.GetSecretsNextAsync(results.NextPageLink).GetAwaiter().GetResult();
if (results != null)
{
numSecretsInVault += results.Count();
foreach (var m in results)
{
Console.Out.WriteLine("\t{0}", m.Identifier.Name);
}
}
}
Console.Out.WriteLine("\n\tNumber of secrets in the vault: {0}", numSecretsInVault);
}
private async Task ClearAllKeyVaultSecrets()
{
foreach (SecretItem item in await KeyVaultClient.GetSecretsAsync(GetKeyVaultBaseUrl()))
{
await KeyVaultClient.DeleteSecretAsync(GetKeyVaultBaseUrl(), item.Identifier.Name);
}
}
public async Task <IReadOnlyCollection <Blob> > ListAsync(ListOptions options, CancellationToken cancellationToken)
{
if (options == null)
{
options = new ListOptions();
}
GenericValidation.CheckBlobPrefix(options.FilePrefix);
if (!StoragePath.IsRootPath(options.FolderPath))
{
return(new List <Blob>());
}
var secretNames = new List <Blob>();
IPage <SecretItem> page = await _vaultClient.GetSecretsAsync(_vaultUri).ConfigureAwait(false);
do
{
var ids = page
.Select((Func <SecretItem, Blob>)AzureKeyVaultBlobStorageProvider.ToBlobId)
.Where(options.IsMatch)
.Where(s => options.BrowseFilter == null || options.BrowseFilter(s))
.ToList();
secretNames.AddRange(ids);
if (options.MaxResults != null && secretNames.Count >= options.MaxResults.Value)
{
return(secretNames.Take(options.MaxResults.Value).ToList());
}
}while (page.NextPageLink != null && (page = await _vaultClient.GetSecretsNextAsync(page.NextPageLink).ConfigureAwait(false)) != null);
return(secretNames);
}
public async Task <IEnumerable <BlobId> > ListAsync(ListOptions options, CancellationToken cancellationToken)
{
if (options == null)
{
options = new ListOptions();
}
GenericValidation.CheckBlobPrefix(options.Prefix);
var secretNames = new List <BlobId>();
IPage <SecretItem> page = await _vaultClient.GetSecretsAsync(_vaultUri);
do
{
secretNames.AddRange(page.Select(ToBlobId));
}while (page.NextPageLink != null && (page = await _vaultClient.GetSecretsNextAsync(page.NextPageLink)) != null);
if (options.Prefix == null)
{
return(secretNames);
}
return(secretNames
.Where(options.IsMatch)
.Take(options.MaxResults == null ? int.MaxValue : options.MaxResults.Value));
}
private static string GetAzureAccessTokenFromKeyVault()
{
var clientId = GetEnvironmentVariable("clientId");
var vaultName = GetEnvironmentVariable("vaultName");
// Use Managed Service Identity
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
// List secrets to obtain secret value (assumes single token in vault)
var vaultUrl = $"https://{vaultName}.vault.azure.net";
var secrets = keyVaultClient.GetSecretsAsync(vaultUrl)
.GetAwaiter()
.GetResult();
string secretName = null;
foreach (var secret in secrets)
{
secretName = secret.Identifier.Name;
}
var vaultSecret = keyVaultClient.GetSecretAsync(vaultUrl, secretName)
.GetAwaiter()
.GetResult();
return(vaultSecret.Value); // to be used like $"Bearer {vaultSecret.Value}"
}
public async Task <IPage <SecretItem> > GetSecrets()
{
var client = new KeyVaultClient(AuthCallback);
var r = await client.GetSecretsAsync(VaultBaseUrl);
return(r);
}
protected ConfigParams PerformReadConfig(string correlationId)
{
try
{
var connection = _connectionResolver.ResolveAsync(correlationId).Result;
var credential = _credentialResolver.LookupAsync(correlationId).Result;
KeyVaultClient _client = new KeyVaultClient(connection, credential);
var secrets = _client.GetSecretsAsync().Result;
var result = new ConfigParams();
foreach (var entry in secrets)
{
var key = entry.Key.Replace('-', '.');
var value = entry.Value;
result[key] = value;
}
return(result);
}
catch (Exception ex)
{
throw new ArgumentException("Failed to load config from KeyVault", ex);
}
}
public async Task <int> ExecuteAsync()
{
Console.WriteLine($"Verifying {VaultOptions.VaultUrl} Key Vault");
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var authCallback = new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback);
var keyVaultClient = new KeyVaultClient(authCallback);
var result = await keyVaultClient.GetSecretsAsync(VaultOptions.VaultUrl);
while (true)
{
foreach (Microsoft.Azure.KeyVault.Models.SecretItem item in result)
{
var secret = await keyVaultClient.GetSecretAsync(item.Id);
Console.WriteLine($" - {item.Id}");
Console.WriteLine($" {secret.Value}");
}
if (result.NextPageLink == null)
{
break;
}
result = await keyVaultClient.GetSecretsNextAsync(result.NextPageLink);
}
return(0);
}
public static async Task <Dictionary <string, string> > LoadAsync(
string keyVaultBaseUri,
string applicationId,
string appCertThumbprint)
{
try
{
using (var client = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(
(authority, resource, scope) => GetToken(applicationId, appCertThumbprint, authority, resource, scope))))
{
var secretItems = await client.GetSecretsAsync(keyVaultBaseUri);
var tasks = secretItems.Select(async item => await client.GetSecretAsync(item.Identifier.Identifier));
var secrets = (await Task.WhenAll(tasks))
.ToDictionary(
secret => secret.SecretIdentifier.Name,
secret => secret.Value);
Trace.TraceInformation(FormattableString.Invariant($"Secrets loaded from keyVault: {string.Join(", ", secrets.Keys)}"));
return(secrets);
}
}
catch (Exception ex)
{
Trace.TraceError(FormattableString.Invariant($"Failed to load secret from keyVault {keyVaultBaseUri}: {ex}"));
return(new Dictionary <string, string>());
}
}
/// <summary>
/// Print all secrets in azure key vault.
/// </summary>
/// <param name="vaultUri">The key vault uri.</param>
/// <param name="clientId">The service principal id.</param>
/// <param name="clientSecret">The service principal secret.</param>
/// <returns>The async task for printing operation.</returns>
private static async Task PrintKeyVaultSecretsAsync(
string vaultUri,
string clientId,
string clientSecret)
{
KeyVaultClient keyVaultClient =
CreateKeyVaultClient(clientId, clientSecret);
IPage <SecretItem> secretsPage
= await keyVaultClient.GetSecretsAsync(vaultUri);
do
{
foreach (SecretItem secret in secretsPage)
{
string secretName = secret.Identifier.Name;
SecretBundle secretBundle =
await keyVaultClient.GetSecretAsync(
secret.Identifier.Identifier);
string secretValue = secretBundle.Value;
Console.WriteLine($"{secretName}: {secretValue}");
}
if (secretsPage.NextPageLink != null)
{
secretsPage =
await keyVaultClient.GetSecretsNextAsync(
secretsPage.NextPageLink);
}
} while (secretsPage.NextPageLink != null);
}
private List <string> GetAllKeys()
{
List <string> keys = new List <string>(); // KeyVault keys are case-insensitive. There won't be case-duplicates. List<> should be fine.
// Get first page of secret keys
var allSecrets = Task.Run(async() => { return(await _kvClient.GetSecretsAsync(_uri)); }).Result;
foreach (var secretItem in allSecrets)
{
keys.Add(secretItem.Identifier.Name);
}
// If there more more pages, get those too
string nextPage = allSecrets.NextPageLink;
while (!String.IsNullOrWhiteSpace(nextPage))
{
var moreSecrets = Task.Run(async() => { return(await _kvClient.GetSecretsNextAsync(nextPage)); }).Result;
foreach (var secretItem in moreSecrets)
{
keys.Add(secretItem.Identifier.Name);
}
nextPage = moreSecrets.NextPageLink;
}
return(keys);
}
private static async Task <Keyring> GenerateKeyring(KeyVaultClient client, string vault, string prefix)
{
var secrets = await client.GetSecretsAsync(vault);
var allSecrets = new List <SecretItem>(secrets.Value);
while (secrets.NextLink != null)
{
secrets = await client.GetSecretsNextAsync(secrets.NextLink);
allSecrets.AddRange(secrets.Value);
}
var keyring = new Keyring();
foreach (var secret in allSecrets.Where(s => s.Identifier.Name.StartsWith(prefix)))
{
var secretItem = await client.GetSecretAsync(secret.Id);
var bytes = System.Convert.FromBase64String(secretItem.Value);
keyring.ImportFromStream(new MemoryStream(bytes));
}
return(keyring);
}
private static async Task <List <string> > GetSecretsAsync()
{
// Gets the list of secrets.
var secrets = await _kv.GetSecretsAsync(_baseUri).ConfigureAwait(false);
// Returns the list of secret names.
return(secrets.Select(p => p.Identifier.Name).ToList());
}
private async static Task <TResult> GetKeyVaultSecretsAsync <TResult>(string vaultUrl, string clientId, string clientSecret,
Func <Dictionary <string, string>, TResult> onFound,
Func <TResult> onNotFound,
Func <TResult> onKeyVaultTokenInvalid,
Func <TResult> onKeyVaultNotConfigured)
{
if (string.IsNullOrEmpty(vaultUrl) ||
string.IsNullOrEmpty(clientId) ||
string.IsNullOrEmpty(clientSecret))
{
return(onKeyVaultNotConfigured());
}
try
{
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(
async(authority, resource, scope) => await GetTokenAsync(clientId, clientSecret, authority, resource, scope)));
var secretBundle = await keyVaultClient.GetSecretsAsync(vaultUrl);
if (null == secretBundle)
{
return(onNotFound());
}
// The api returns 25 keys at a time
var names = secretBundle.Select(secret => secret.Identifier.Name).ToArray();
while (!string.IsNullOrEmpty(secretBundle.NextPageLink))
{
secretBundle = await keyVaultClient.GetSecretsNextAsync(secretBundle.NextPageLink);
if (secretBundle == null)
{
break;
}
names = names.Concat(secretBundle.Select(secret => secret.Identifier.Name)).ToArray();
}
;
var secrets = await names
.Select(
async name =>
{
var secret = await keyVaultClient.GetSecretAsync(vaultUrl, name);
var value = (null == secret) ? string.Empty : secret.Value;
// KeyVault will only allow Alphanumberic characters and dashes. Replace - with . to keep our
// current naming convention. Yes - this means we cannot have dashes in our names.
return(name.Replace("-", ".").PairWithValue(value));
}).WhenAllAsync(1);
return(onFound(secrets.ToDictionary()));
}
catch (Exception)
{
return(onKeyVaultTokenInvalid());
}
}
private async Task <List <string> > GetSecretsAsync(string uri)
{
List <string> ids = new List <string>();
IPage <SecretItem> items = await vault.GetSecretsAsync(uri);
foreach (var item in items)
{
ids.Add(item.Id);
}
return(ids);
}
public async Task <SecurityCredentials> InitialiseAzure()
{
var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessTokenAsync), new HttpClient());
var secrets = await client.GetSecretsAsync(VaultUrl);
foreach (var item in secrets)
{
Cache.Add(item.Identifier.Name, await GetSecretAsync(client, item.Identifier.Name));
}
return(this);
}
/// <summary>
/// Gets the keys.
/// </summary>
/// <returns>Dictionary<System.String, System.String>.</returns>
public static Dictionary <string, string> GetKeys()
{
try
{
var result = KvClient.GetSecretsAsync(VaultName).Result;
return(result.Value.ToDictionary(value => value.Id, value => value.Identifier.Name));
}
catch (Exception e)
{
return(null);
}
}
public async Task <Dictionary <string, string> > GetSecrets()
{
IPage <SecretItem> secrets = await _client.GetSecretsAsync(_config.VaultURL);
Dictionary <string, string> returnDictionary = new Dictionary <string, string>();
foreach (var item in secrets)
{
returnDictionary.Add(item.Id, await GetSecret(item.Id));
}
return(returnDictionary);
}
private async Task <List <SecretItem> > GetAllSecretsFromKeyVault()
{
_log.Info("Get all secrets from KeyVault");
List <SecretItem> allSecrets = new List <SecretItem>();
_log.Verbose($"Get secrets from '{_keyVaultUrl}'");
var secretsPage = await _keyVaultClient.GetSecretsAsync(_keyVaultUrl);
allSecrets.AddRange(secretsPage.ToList());
while (!string.IsNullOrWhiteSpace(secretsPage.NextPageLink))
{
_log.Verbose($"Found another page with secrets. Get secrets from '{secretsPage.NextPageLink}'");
secretsPage = await _keyVaultClient.GetSecretsAsync(secretsPage.NextPageLink);
allSecrets.AddRange(secretsPage.ToList());
}
_log.Verbose($"Found in total {allSecrets.Count} secret(s)");
return(allSecrets);
}
public static Dictionary <string, string> GetAllFromKeyVault(string keyVaultName)
{
var secretDict = new Dictionary <string, string>();
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
string vaultUri = $"https://{keyVaultName}.vault.azure.net/";
var secrets = keyVaultClient.GetSecretsAsync(vaultUri).Result;
foreach (var secret in secrets)
{
secretDict.Add(secret.Identifier.Name, keyVaultClient.GetSecretAsync(vaultUri, secret.Identifier.Name).Result.Value);
}
return(secretDict);
}
private List <string> GetAllKeys()
{
var allSecrets = Task.Run(async() => { return(await _kvClient.GetSecretsAsync(_uri)); }).Result;
List <Task> tasks = new List <Task>();
List <string> keys = new List <string>(); // KeyVault keys are case-insensitive. There won't be case-duplicates. List<> should be fine.
foreach (var secretItem in allSecrets)
{
keys.Add(secretItem.Identifier.Name);
}
return(keys);
}
public async Task<IEnumerable<string>> Get()
{
if (false) //DONT RUN
{
var keyvaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessToken));
var secrets = await keyvaultClient.GetSecretsAsync("https://ascend-xyz-testing-weu.vault.azure.net");
}
//Using the abstraction we can do
var storageKey = config.GetAzureKeyVaultSecret("storage");
return new string[] { "value1", "value2" };
}
public async Task <List <Item> > ReadAllAsync()
{
if (_cache.Get("ItemList") == null)
{
int splitMark;
string secretName;
List <Item> items = new List <Item>();
Item item;
int itemId = 1;
// Load secrets from KeyVault
try
{
var secrets = await keyVaultClient.GetSecretsAsync(
KeyVaultBaseUrl, MaxGetSecretsResults);
// Get items and store them in List
foreach (SecretItem secret in secrets)
{
// Secret name follows after the last forward slash in secret.Id
splitMark = secret.Id.LastIndexOf('/');
secretName = secret.Id.Substring(splitMark + 1);
// Skip prefixed configuration keys
if (!secretName.StartsWith(ConfigKeyPrefix))
{
item = new Item()
{
Id = itemId,
Name = secretName
};
items.Add(item);
itemId++;
}
}
}
catch (HttpRequestException)
{
}
// Order list by name ascending
List <Item> sortedItems = items.OrderBy(o => o.Name).ToList();
_cache.Set("ItemList", sortedItems);
}
return(_cache.Get <List <Item> >("ItemList"));
}
public async Task <IActionResult> Vault()
{
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secrets = await keyVaultClient.GetSecretsAsync(_configuration["MNKeyVault"]);
Dictionary <string, string> secretValueList = new Dictionary <string, string>();
foreach (var item in secrets)
{
var secret = await keyVaultClient.GetSecretAsync(item.Id);
secretValueList.Add(item.Id, secret.Value);
}
return(View(secretValueList));
}
public List <DataList> getKeyList(core.AzureKeyManager azureNet)
{
publicazure = azureNet;
KeyVaultClient kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetToken));
var list = new List <DataList>();
var secret = kv.GetSecretsAsync(azureNet.keyVaultBaseUrl);
foreach (SecretItem secrets in secret.Result)
{
var name = secrets.Id.Substring(secrets.Id.LastIndexOf('/') + 1);
list.Add(new DataList()
{
secretname = name, secrettype = secrets.ContentType
});
}
return(list);
}
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddControllersWithViews();
services.AddAuthentication();
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secrets = keyVaultClient.GetSecretsAsync("https://part1kv.vault.azure.net").Result;
foreach (var secret in secrets.ToList())
{
ConfigurationManager.AppSettings[secret.Identifier.Name] = keyVaultClient.GetSecretAsync(secret.Identifier.Identifier).Result.Value;
}
}
public static async Task <List <IEnumerable <SecretItem> > > GetKeyVaultSecretsPagesAsync(KeyVaultClient keyVaultClient, string keyVaultBaseUrl)
{
IPage <SecretItem> secretItems = await keyVaultClient.GetSecretsAsync(keyVaultBaseUrl);
List <IEnumerable <SecretItem> > secretsPages = new List <IEnumerable <SecretItem> >()
{
secretItems
};
while (!string.IsNullOrEmpty(secretItems.NextPageLink))
{
secretItems = await keyVaultClient.GetSecretsNextAsync(secretItems.NextPageLink);
secretsPages.Add(secretItems);
}
return(secretsPages);
}
public override void Load()
{
var keyVaultUri = _getKeyVaultUriAction();
if (string.IsNullOrEmpty(keyVaultUri))
{
Data = new Dictionary <string, string>();
return;
}
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secretList = keyVaultClient.GetSecretsAsync(keyVaultUri).Result.ToList();
Data = new Dictionary <string, string>();
secretList.ForEach(s => Data.Add(Grouped(s.Identifier.Name), keyVaultClient.GetSecretAsync(s.Id).Result.Value));
}
protected void Application_Start()
{
AreaRegistration.RegisterAllAreas();
FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
RouteConfig.RegisterRoutes(RouteTable.Routes);
BundleConfig.RegisterBundles(BundleTable.Bundles);
// I put my GetToken method in a Utils class. Change for wherever you placed your method.
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(Util.GetToken));
var sec = kv.GetSecretsAsync(WebConfigurationManager.AppSettings["VaultUri"]).GetAwaiter().GetResult();
//I put a variable in a Utils class to hold the secret for general application use.
Util.EncryptSecret = new List<KeyValuePair<string, string>>();
foreach (var item in sec.Value)
{
var value = kv.GetSecretAsync(item.Id).GetAwaiter().GetResult().Value;
Util.EncryptSecret.Add(new KeyValuePair<string, string>(item.Identifier.Name, value));
}
}
private static void HandleCertificateOperations(Options options, AuthenticationContext authContext, AuthenticationResult token)
{
using (var client = new KeyVaultManagementClient(new TokenCloudCredentials(options.SubscriptionId, token.AccessToken)))
{
if (!string.IsNullOrEmpty(options.ResourceGroup))
{
if (!string.IsNullOrEmpty(options.Vault))
{
var vaultInfo = client.Vaults.Get(options.ResourceGroup, options.Vault);
var vaultToken = authContext.AcquireToken("https://vault.azure.net", "1950a258-227b-4e31-a9cf-717495945fc2", new Uri("urn:ietf:wg:oauth:2.0:oob"));
var keyvaultClient = new KeyVaultClient((_, b, c) => Task.FromResult(vaultToken.AccessToken));
if (!string.IsNullOrEmpty(options.ExportCert))
{
var secret = keyvaultClient.GetSecretAsync(vaultInfo.Vault.Properties.VaultUri, options.ExportCert).GetAwaiter().GetResult();
var cert = new X509Certificate2(Convert.FromBase64String(secret.Value), new SecureString(), X509KeyStorageFlags.Exportable);
File.WriteAllBytes(options.Out, cert.Export(X509ContentType.Pfx));
}
if (!string.IsNullOrEmpty(options.Encrypt))
{
var secret = keyvaultClient.GetSecretAsync(vaultInfo.Vault.Properties.VaultUri, options.CertificateName).GetAwaiter().GetResult();
var cert = new X509Certificate2(Convert.FromBase64String(secret.Value));
byte[] encoded = System.Text.UTF8Encoding.UTF8.GetBytes(options.Encrypt);
var content = new ContentInfo(encoded);
var env = new EnvelopedCms(content);
env.Encrypt(new CmsRecipient(cert));
string encrypted64 = Convert.ToBase64String(env.Encode());
Console.WriteLine("Encrypting: {0}", options.Encrypt);
Console.WriteLine("Encrypted Base64 String: {0}", encrypted64);
}
if (!string.IsNullOrEmpty(options.Decrypt))
{
var secret = keyvaultClient.GetSecretAsync(vaultInfo.Vault.Properties.VaultUri, options.CertificateName).GetAwaiter().GetResult();
var cert = new X509Certificate2(Convert.FromBase64String(secret.Value));
var encryptedBytes = Convert.FromBase64String(options.Decrypt);
var envelope = new EnvelopedCms();
envelope.Decode(encryptedBytes);
envelope.Decrypt(new X509Certificate2Collection(cert));
Console.WriteLine("Decrypting: {0}", options.Decrypt);
Console.WriteLine("Decrypted String: {0}", Encoding.UTF8.GetString(envelope.ContentInfo.Content));
}
if (options.MakeCert)
{
var cert = Convert.ToBase64String(Certificate.CreateSelfSignCertificatePfx(string.Format("CN={0}", options.CertificateName), DateTime.UtcNow, DateTime.UtcNow.AddYears(2)));
var cert1 = new X509Certificate2(Convert.FromBase64String(cert));
var secrets = keyvaultClient.GetSecretsAsync(vaultInfo.Vault.Properties.VaultUri).GetAwaiter().GetResult();
if (secrets.Value == null || !secrets.Value.Any(s => s.Id == vaultInfo.Vault.Properties.VaultUri + "secrets/" + options.CertificateName))
{
Console.WriteLine(
JsonConvert.SerializeObject(keyvaultClient.SetSecretAsync(vaultInfo.Vault.Properties.VaultUri, options.CertificateName, cert, null, "application/pkcs12").GetAwaiter().GetResult()
, Formatting.Indented));
}
}
}
}
}
}
private static void HandleDeploy(Options options, AuthenticationContext authContext, AuthenticationResult token, ResourceManagementClient resourceManagementClient)
{
if (!string.IsNullOrWhiteSpace(options.Deploy))
{
ResourceGroupExtended rg = GetResourceGroup(options, resourceManagementClient);
//Fix location to displayname from template
using (var subscriptionClient = new SubscriptionClient(new TokenCloudCredentials(token.AccessToken)))
{
var a = subscriptionClient.Subscriptions.ListLocations(options.SubscriptionId);
rg.Location = a.Locations.Single(l => l.Name == rg.Location).DisplayName;
}
var graphtoken = authContext.AcquireToken("https://graph.windows.net/", options.ClientID, new Uri(options.RedirectUri), PromptBehavior.Auto);
var graph = new ActiveDirectoryClient(new Uri("https://graph.windows.net/" + graphtoken.TenantId), () => Task.FromResult(graphtoken.AccessToken));
var principal = graph.ServicePrincipals.Where(p => p.AppId == options.ApplicaitonId).ExecuteSingleAsync().GetAwaiter().GetResult();
DeploymentExtended deploymentInfo = null;
if (!resourceManagementClient.Deployments.CheckExistence(options.ResourceGroup, options.DeployName).Exists)
{
var deployment = new Deployment
{
Properties = new DeploymentProperties
{
Mode = DeploymentMode.Incremental, //Dont Delete other resources
Template = File.ReadAllText(options.Deploy),
Parameters = new JObject(
new JProperty("siteName", CreateValue(options.SiteName)),
new JProperty("hostingPlanName", CreateValue(options.HostingPlanName)),
new JProperty("storageAccountType", CreateValue(options.StorageAccountType)),
new JProperty("siteLocation", CreateValue(rg.Location)),
new JProperty("sku", CreateValue(options.WebsitePlan)),
new JProperty("tenantId", CreateValue(token.TenantId)),
new JProperty("objectId", CreateValue(token.UserInfo.UniqueId)),
new JProperty("appOwnerTenantId", CreateValue(principal.AppOwnerTenantId.Value.ToString())),
new JProperty("appOwnerObjectId", CreateValue(principal.ObjectId))
).ToString(),
}
};
var result = resourceManagementClient.Deployments.CreateOrUpdate(options.ResourceGroup, options.DeployName, deployment);
deploymentInfo = result.Deployment;
}
else
{
var deploymentStatus = resourceManagementClient.Deployments.Get(options.ResourceGroup, options.DeployName);
deploymentInfo = deploymentStatus.Deployment;
}
while (!(deploymentInfo.Properties.ProvisioningState == "Succeeded" || deploymentInfo.Properties.ProvisioningState == "Failed"))
{
var deploymentStatus = resourceManagementClient.Deployments.Get(options.ResourceGroup, options.DeployName);
deploymentInfo = deploymentStatus.Deployment;
Thread.Sleep(5000);
}
Console.WriteLine(deploymentInfo.Properties.Outputs);
var outputs = JObject.Parse(deploymentInfo.Properties.Outputs);
var storageAccountName = outputs["storageAccount"]["value"].ToString();
var keyvaultName = outputs["keyvault"]["value"].ToString();
using (var client = new KeyVaultManagementClient(new TokenCloudCredentials(options.SubscriptionId, token.AccessToken)))
{
using (var storageClient = new StorageManagementClient(new TokenCloudCredentials(options.SubscriptionId, token.AccessToken)))
{
var keys = storageClient.StorageAccounts.ListKeys(options.ResourceGroup, storageAccountName);
var vaultInfo = client.Vaults.Get(options.ResourceGroup, keyvaultName);
//CHEATING (using powershell application id to get token on behhalf of user);
var vaultToken = authContext.AcquireToken("https://vault.azure.net", "1950a258-227b-4e31-a9cf-717495945fc2", new Uri("urn:ietf:wg:oauth:2.0:oob"));
var keyvaultClient = new KeyVaultClient((_, b, c) => Task.FromResult(vaultToken.AccessToken));
var secrets = keyvaultClient.GetSecretsAsync(vaultInfo.Vault.Properties.VaultUri).GetAwaiter().GetResult();
if (secrets.Value == null || !secrets.Value.Any(s => s.Id == vaultInfo.Vault.Properties.VaultUri + "secrets/storage"))
{
keyvaultClient.SetSecretAsync(vaultInfo.Vault.Properties.VaultUri, "storage", $"{storageAccountName}:{keys.StorageAccountKeys.Key1}").GetAwaiter().GetResult();
keyvaultClient.SetSecretAsync(vaultInfo.Vault.Properties.VaultUri, "storage", $"{storageAccountName}:{keys.StorageAccountKeys.Key2}").GetAwaiter().GetResult();
var secret = keyvaultClient.GetSecretVersionsAsync(vaultInfo.Vault.Properties.VaultUri, "storage").GetAwaiter().GetResult();
}
}
}
}
}
/// <summary>
/// Loads all secrets which are delimited by : so that they can be retrieved by the config system
/// Since KeyVault does not allow : as delimiters in the share secret name, the actual name is not used as key for configuration.
/// The Tag property is used instead
/// The tag should always be of the form "ConfigKey"="ParentKey1:Child1:.."
/// </summary>
/// <param name="token"></param>
/// <returns></returns>
private async Task LoadAsync(CancellationToken token)
{
string password;
var cert = CertificateUtility.FindCertificateByThumbprint(_storeName, _storeLocation, _certificateThumbprint, _validateCertificate);
var certBytes = CertificateUtility.ExportCertificateWithPrivateKey(cert, out password);
_assertion = new ClientAssertionCertificate(_appClientId, certBytes, password);
Data = new Dictionary<string, string>();
// This returns a list of identifiers which are uris to the secret, you need to use the identifier to get the actual secrets again.
var kvClient = new KeyVaultClient(GetTokenAsync);
var secretsResponseList = await kvClient.GetSecretsAsync(_vault, MaxSecrets, token);
foreach (var secretItem in secretsResponseList.Value ?? new List<SecretItem>())
{
//The actual config key is stored in a tag with the Key "ConfigKey" since : is not supported in a shared secret name by KeyVault
if (secretItem.Tags != null && secretItem.Tags.ContainsKey(ConfigKey))
{
var secret = await kvClient.GetSecretAsync(secretItem.Id, token);
Data.Add(secret.Tags[ConfigKey], secret.Value);
}
}
}
