//Secrets
public void CreateSecret(string secretName, byte[] secretValue, string vaultURI = "", bool secretIsEnabled = true, DateTime?expirationDate = null, DateTime?notEnabledBeforeThisDate = null, Dictionary <string, string> tags = null)
{
string secretbase64 = Convert.ToBase64String(secretValue);
string uri = string.Empty;
if (!string.IsNullOrEmpty(vaultURI))
{
uri = vaultURI;
}
else
{
uri = vaulturi;
}
SecretAttributes attr = new SecretAttributes();
attr.Expires = expirationDate;
attr.NotBefore = notEnabledBeforeThisDate;
attr.Enabled = secretIsEnabled;
if (string.IsNullOrEmpty(uri))
{
vault.SetSecretAsync(uri, secretName, secretbase64, tags, "base64String", attr);
}
else
{
throw new KeyVaultErrorException("Vault URI not set. Please use SetVault().");
}
}
public static async Task <string> RotateAndAddNewAemoPassword(TraceWriter log, string lastAemoFtpPassword, string aemoFtpPassword, bool fakeIt)
{
log.Info($"Initializing rotate and add new AEMO password in persistence: {DateTime.Now}");
if (fakeIt)
{
var environment = Environment.GetEnvironmentVariable("Environment");
log.Info($"Faking password change: {DateTime.Now}");
return($"Note: the application is running in test mode and therefore the [{environment}] AEMO password was not changed");
}
else
{
var keyVaultUrlFromConfig = Environment.GetEnvironmentVariable("KeyVaultUrl");
var environment = Environment.GetEnvironmentVariable("Environment");
var aemoOldPasswordUrl = string.Format("{0}/secrets/LastAemoFtpPassword", keyVaultUrlFromConfig);
var aemoNewPasswordUrl = string.Format("{0}/secrets/AemoFtpPassword", keyVaultUrlFromConfig);
SecretBundle secretBundle = new SecretBundle();
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
try
{
log.Info($"Creating kv client...");
log.Info($"update secret LastAemoFtpPassword (first 4 characters):{lastAemoFtpPassword.Substring(0, 4)}");
secretBundle = await keyVaultClient.SetSecretAsync(keyVaultUrlFromConfig, string.Format("LastAemoFtpPassword"), lastAemoFtpPassword)
.ConfigureAwait(false);
}
catch (Exception exp)
{
var exceptionMessage = $"<h1>AEMO Password Changer Workflow Message</h1></br><span style = \"color:red;\">Could not update old password AEMO password from (first 4 characters) {aemoOldPasswordUrl.Substring(0, 4)} with response {exp.Message}</span>";
log.Error(exceptionMessage);
await Messaging.SendNotification(log, false, emailSubjectOverride : $"The [{environment}] AEMO password changer failed to change the AEMO password!", emailHtmlBodyOverride : exceptionMessage, slackBodyOverride : exceptionMessage, smsBodyOverride : exceptionMessage, slackIconOverride : ":bandit:");
}
try
{
log.Info($"update newPassword secret newPassword (first 4 characters):{aemoFtpPassword.Substring(0, 4)}");
secretBundle = await keyVaultClient.SetSecretAsync(keyVaultUrlFromConfig, "AemoFtpPassword", aemoFtpPassword)
.ConfigureAwait(false);
}
catch (Exception exp)
{
log.Error($"Could not update new password AEMO password from {aemoNewPasswordUrl} with response {exp.Message}");
}
log.Info($"Finalizing rotate and add new AEMO password in persistence: {DateTime.Now}");
return(secretBundle.Id);
}
}
public async Task WriteAsync(string id, Stream sourceStream, bool append, CancellationToken cancellationToken)
{
GenericValidation.CheckBlobId(id);
ValidateSecretName(id);
GenericValidation.CheckSourceStream(sourceStream);
if (append)
{
throw new ArgumentException("appending to secrets is not supported", nameof(append));
}
string value = Encoding.UTF8.GetString(sourceStream.ToByteArray());
await _vaultClient.SetSecretAsync(_vaultUri, id, value);
}
public async Task CreateSecret(VehiclePolicies policydata)
{
// Create the content for the Policy data to be stored as Secret
Insdata akvdata = new Insdata {
Id = policydata.Id, Inscompany = policydata.Inscompany,
Policyno = policydata.Policyno, Userid = policydata.Userid, Vehicleno = policydata.Vehicleno
};
//Create a JSON String of the Policy data to be stored as Secret
string insurancepolicysecret = JsonConvert.SerializeObject(akvdata);
byte[] datatoencrypt = System.Text.Encoding.UTF8.GetBytes(insurancepolicysecret);
string keyUri = string.Format("https://{0}.vault.azure.net/keys/{1}", _keyVaultName, _keyName);
string keyVaultUri = string.Format("https://{0}.vault.azure.net", _keyVaultName);
//Encrypt the data before it is stored as a Secret
KeyOperationResult result = await _keyVaultClient.EncryptAsync(keyUri, JsonWebKeyEncryptionAlgorithm.RSAOAEP256,
datatoencrypt);
byte[] encdata = result.Result;
string encrypteddata = Convert.ToBase64String(encdata);
//Set the Policy Start and Expiry Data to be added as attributes to the secret
SecretAttributes attribs = new SecretAttributes
{
Enabled = true,
Expires = DateTime.UtcNow.AddYears(1),
NotBefore = DateTime.UtcNow
};
IDictionary <string, string> alltags = new Dictionary <string, string>
{
{ "InsuranceCompany", policydata.Inscompany }
};
string contentType = "DigitalInsurance";
// Create a Secret with the encrypted Policy data
SecretBundle bundle = await _keyVaultClient.SetSecretAsync(keyVaultUri, policydata.Uidname,
encrypteddata, alltags, contentType, attribs);
string bundlestr = bundle.Value;
policydata.Version = bundle.SecretIdentifier.Version;
policydata.Lastmod = bundle.Attributes.Updated;
policydata.Startdate = bundle.Attributes.NotBefore;
policydata.Enddate = bundle.Attributes.Expires;
}
public static async Task <IActionResult> Run(
[HttpTrigger(AuthorizationLevel.Function, "post", Route = null)] HttpRequest req,
ILogger log)
{
log.LogInformation("C# HTTP trigger function processed a request.");
string userName = req.Query["UserName"];
string password = req.Query["Password"];
string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
dynamic data = JsonConvert.DeserializeObject(requestBody);
userName = userName ?? data?.UserName;
password = password ?? data?.Password;
try
{
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.SetSecretAsync($"https://lab-keyvault.vault.azure.net", userName, password).ConfigureAwait(false);
}
catch (Exception ex)
{
return(new BadRequestObjectResult(ex.Message));
}
return((ActionResult) new OkObjectResult($"Created {userName}"));
}
static async Task Main(string[] args)
{
IConfigurationRoot configRoot = new ConfigurationBuilder()
.AddJsonFile("settings.json")
.AddJsonFile("settings.local.json")
.Build();
string clientId = configRoot.GetSection("ClientId").Value;
string clientSecret = configRoot.GetSection("ClientSecret").Value;
KeyVaultClient kvClient = new KeyVaultClient(async(authority, resource, scope) =>
{
var adCredential = new ClientCredential(clientId, clientSecret);
var authenticationContext = new AuthenticationContext(authority, null);
return((await authenticationContext.AcquireTokenAsync(resource, adCredential)).AccessToken);
});
string kvURL = "https://myvault201909.vault.azure.net";
string secretName = "SecretFromCode";
string secretValue = "SecretValueFromCode";
await kvClient.SetSecretAsync($"{kvURL}", secretName, secretValue);
var keyvaultSecret = await kvClient.GetSecretAsync($"{kvURL}", secretName).ConfigureAwait(false);
Console.WriteLine($"The secret: {keyvaultSecret.Value}");
}
/// <summary>
/// Creates a secret in Azure Key Vault and returns its ID.
/// </summary>
/// <param name="secretName">The name of the secret to create.</param>
/// <returns>The ID of the secret created.</returns>
public static string SetUpKeyVaultSecret(string secretName)
{
KeyVaultClient cloudVault = new KeyVaultClient(GetAccessToken);
string vaultUri = CloudConfigurationManager.GetSetting("VaultUri");
try
{
// Delete the secret if it exists.
cloudVault.DeleteSecretAsync(vaultUri, secretName).GetAwaiter().GetResult();
}
catch (KeyVaultClientException ex)
{
if (ex.Status != System.Net.HttpStatusCode.NotFound)
{
Console.WriteLine("Unable to access the specified vault. Please confirm the KVClientId, KVClientKey, and VaultUri are valid in the app.config file.");
Console.WriteLine("Also ensure that the client ID has previously been granted full permissions for Key Vault secrets using the Set-AzureKeyVaultAccessPolicy command with the -PermissionsToSecrets parameter.");
Console.WriteLine("Press any key to exit");
Console.ReadLine();
throw;
}
}
// Create a 256bit symmetric key and convert it to Base64.
SymmetricKey symmetricKey = new SymmetricKey(secretName, SymmetricKey.KeySize256);
string symmetricBytes = Convert.ToBase64String(symmetricKey.Key);
// Store the Base64 of the key in the key vault. Note that the content-type of the secret must
// be application/octet-stream or the KeyVaultKeyResolver will not load it as a key.
Secret cloudSecret = cloudVault.SetSecretAsync(vaultUri, secretName, symmetricBytes, null, "application/octet-stream").GetAwaiter().GetResult();
// Return the base identifier of the secret. This will be resolved to the current version of the secret.
return cloudSecret.SecretIdentifier.BaseIdentifier;
}
public async Task SetSecretAsync(string keyVaultName, string secretName, string secretValue)
{
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
string vaultUri = $"https://{keyVaultName}.vault.azure.net/";
await keyVaultClient.SetSecretAsync(vaultUri, secretName, secretValue);
}
public async Task SetSecret(SecretItem secret, string secretValue, IDictionary <string, string> tags)
{
Log.LogDebug($"Set new value for secret '{secret.Identifier.Name}' in KeyVault");
await _keyVaultClient.SetSecretAsync(_keyVaultUrl, secret.Identifier.Name, secretValue, tags);
Log.LogInformation($"Updated the secret '{secret.Identifier.Name}' with a new value in the KeyVault");
}
/// <summary>
/// Load configuration from environment properties and keyvault
/// </summary>
/// <returns>Task of async operation</returns>
public async Task LoadConfigurationAsync()
{
var azureServiceTokenProvider = new AzureServiceTokenProvider();
using var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.GetSecretAsync($"https://{this.keyVaultName}.vault.azure.net/secrets/AMSConfiguration").ConfigureAwait(false);
var amsConfigurationList = JsonConvert.DeserializeObject <List <MediaServiceConfigurationModel> >(secret.Value);
this.MediaServiceInstanceConfiguration = amsConfigurationList.ToDictionary(i => i.AccountName);
secret = await keyVaultClient.GetSecretAsync($"https://{this.keyVaultName}.vault.azure.net/secrets/StorageAccountConnectionString").ConfigureAwait(false);
this.StorageAccountConnectionString = secret.Value;
secret = await keyVaultClient.GetSecretAsync($"https://{this.keyVaultName}.vault.azure.net/secrets/TableStorageAccountConnectionString").ConfigureAwait(false);
this.TableStorageAccountConnectionString = secret.Value;
foreach (var configuration in this.MediaServiceInstanceConfiguration)
{
secret = await keyVaultClient.GetSecretAsync($"https://{this.keyVaultName}.vault.azure.net/secrets/AMSStorageAccountConnectionString-{configuration.Value.AccountName}").ConfigureAwait(false);
this.MediaServiceInstanceStorageAccountConnectionStrings.Add(configuration.Value.AccountName, secret.Value);
}
using (var rng = new RNGCryptoServiceProvider())
{
this.clearKeyStreamingKey = new byte[40];
rng.GetBytes(this.clearKeyStreamingKey);
await keyVaultClient.SetSecretAsync($"https://{this.keyVaultName}.vault.azure.net", "ClearKeyStreamingKey", Convert.ToBase64String(this.clearKeyStreamingKey)).ConfigureAwait(false);
}
}
/// <summary>
/// Create secret with "application/json" content type.
/// </summary>
/// <param name="secretName"></param>
/// <param name="secretValue"></param>
/// <param name="tags"></param>
/// <param name="cancellationToken"></param>
/// <returns></returns>
public async Task <SecretBundle> CreateSecretAsync(
string secretName,
string secretValue,
IDictionary <string, string> tags = null,
CancellationToken cancellationToken = default
)
{
if (string.IsNullOrEmpty(secretName))
{
throw new ArgumentNullException(nameof(secretName));
}
if (string.IsNullOrEmpty(secretValue))
{
throw new ArgumentNullException(nameof(secretValue));
}
tags ??= new Dictionary <string, string>();
var secret = await _keyVaultClient
.SetSecretAsync(
_keyVault.Properties.VaultUri,
secretName,
secretValue,
tags,
"application/json",
cancellationToken : cancellationToken
);
return(secret);
}
public async Task <SecretBundle> CreateSecret(string secretName, string value)
{
var client = new KeyVaultClient(AuthCallback);
var r = await client.SetSecretAsync(VaultBaseUrl, secretName, value);
return(r);
}
public async Task <IActionResult> LinkAccounts([FromQuery(Name = "data")] string encryptedData)
{
var refreshToken = await HttpContext.GetTokenAsync(CookieAuthenticationDefaults.AuthenticationScheme, "refresh_token");
try
{
// Decrypt the data
string decryptedData = _protector.Unprotect(encryptedData);
// Deserialize json
var jsonData = Serializer.Deserialize <LinkData>(decryptedData);
// Validate the time
if (jsonData is null || DateTime.Now > jsonData.ValidUntil)
{
return(BadRequest("Link has expired."));
}
// Associate the uuid with the refresh token
var azureServiceTokenProvider = new AzureServiceTokenProvider();
using var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
await keyVaultClient.SetSecretAsync(Program.GetKeyVaultEndpoint(), jsonData.UserId, refreshToken);
// Reload the configuration because we added a new secret
((IConfigurationRoot)_configuration).Reload();
}
catch (Exception exception)
{
_logger.LogCritical(exception.ToString());
return(BadRequest("Failed to link accounts."));
}
return(Ok("Successfully linked the accounts."));
}
private static async Task <SecretBundle> WriteKeyVault(CreateSecret Obj)// string szPFX, string szCER, string szPassword)
{
SecretBundle bundle = null;
SecretAttributes attribs = new SecretAttributes
{
Enabled = true //,
//Expires = DateTime.UtcNow.AddYears(2), // if you want to expire the info
//NotBefore = DateTime.UtcNow.AddDays(1) // if you want the info to
// start being available later
};
/* IDictionary<string, string> alltags = new Dictionary<string, string>();
* alltags.Add("Test1", "This is a test1 value");
* alltags.Add("Test2", "This is a test2 value");
* alltags.Add("CanBeAnything", "Including a long encrypted string if you choose");
* string TestName = "TestSecret";
* string TestValue = "searchValue"; // this is what you will use to search for the item later
* string contentType = "SecretInfo"; // whatever you want to categorize it by; you name it
*/
IDictionary <string, string> alltags = Obj.KeyValue;
string TestName = Obj.SecretName;
string TestValue = Obj.SecretValue; // this is what you will use to search for the item later
string contentType = Obj.ContenType;
bundle = await kvc.SetSecretAsync
(BASESECRETURI, TestName, TestValue, alltags, contentType, attribs);
return(bundle);
//kvc.GetKeyAsync(BASESECRETURI, "");
// Console.WriteLine("Bundle:" + bundle.Tags["Test1"].ToString());
}
/// <summary>
/// Creates a secret in Azure Key Vault and returns its ID.
/// </summary>
/// <param name="secretName">The name of the secret to create.</param>
/// <returns>The ID of the secret created.</returns>
public static string SetUpKeyVaultSecret(string secretName)
{
KeyVaultClient cloudVault = new KeyVaultClient(GetAccessToken);
string vaultUri = CloudConfigurationManager.GetSetting("VaultUri");
try
{
// Delete the secret if it exists.
cloudVault.DeleteSecretAsync(vaultUri, secretName).GetAwaiter().GetResult();
}
catch (KeyVaultClientException ex)
{
if (ex.Status != System.Net.HttpStatusCode.NotFound)
{
Console.WriteLine("Unable to access the specified vault. Please confirm the KVClientId, KVClientKey, and VaultUri are valid in the app.config file.");
Console.WriteLine("Also ensure that the client ID has previously been granted full permissions for Key Vault secrets using the Set-AzureKeyVaultAccessPolicy command with the -PermissionsToSecrets parameter.");
Console.WriteLine("Press any key to exit");
Console.ReadLine();
throw;
}
}
// Create a 256bit symmetric key and convert it to Base64.
SymmetricKey symmetricKey = new SymmetricKey(secretName, SymmetricKey.KeySize256);
string symmetricBytes = Convert.ToBase64String(symmetricKey.Key);
// Store the Base64 of the key in the key vault. Note that the content-type of the secret must
// be application/octet-stream or the KeyVaultKeyResolver will not load it as a key.
Secret cloudSecret = cloudVault.SetSecretAsync(vaultUri, secretName, symmetricBytes, null, "application/octet-stream").GetAwaiter().GetResult();
// Return the base identifier of the secret. This will be resolved to the current version of the secret.
return(cloudSecret.SecretIdentifier.BaseIdentifier);
}
/// <summary>
/// Set secrets to azure key vault
/// </summary>
/// <param name="vaultUri">The key vault uri.</param>
/// <param name="clientId">The service principal id.</param>
/// <param name="clientSecret">The service principal secret.</param>
/// <param name="secretsDic">The secrets to be set.</param>
/// <returns>The async task for set operation.</returns>
private static async Task SetSecretsAsync(
string vaultUri,
string clientId,
string clientSecret,
Dictionary <string, string> secretsDic)
{
KeyVaultClient keyVaultClient =
CreateKeyVaultClient(clientId, clientSecret);
Console.WriteLine($"[Trace] Setting secrets to key vault '{vaultUri}'");
foreach (var kvp in secretsDic)
{
string secretName = kvp.Key;
string secretValue = kvp.Value;
Console.WriteLine($"[Trace] Setting secret '{secretName}' with value '{secretValue}'");
SecretBundle secretBundle =
await keyVaultClient.SetSecretAsync(
vaultUri,
secretName,
secretValue);
Console.WriteLine($"[Trace] secret identifier: {secretBundle.SecretIdentifier}");
}
Console.WriteLine();
}
public static async Task Run([TimerTrigger("0 0 0 1,15 * *")] TimerInfo myTimer, TraceWriter log, ExecutionContext context)
{
log.Info($"Updating Radar password: {DateTime.UtcNow}");
log4net.Config.XmlConfigurator.ConfigureAndWatch(LogManager.GetRepository(Assembly.GetEntryAssembly()), new FileInfo(Path.Combine(context.FunctionAppDirectory, "log4net.config")));
try
{
var keyvault = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(new AzureServiceTokenProvider().KeyVaultTokenCallback));
var oldPassword = await keyvault.GetSecretAsync(_vaultUrl, _secretName);
var newPassword = CryptoMethods.GetRandomPassword();
var client = new RadarApiClient(_username, oldPassword.Value);
var response = await client.UpdatePasswordAsync(newPassword);
if (response.Trim() != "")
{
_log.Error($"Unable to set radar password, response: {response}");
}
else
{
var result = await keyvault.SetSecretAsync(_vaultUrl, _secretName, newPassword);
_log.Info($"Wandera Radar Api password updated, response: {response}");
}
}
catch (Exception ex)
{
_log.Error("Wandera password update failed", ex);
throw;
}
}
private async Task authUsingADALCallbackAsync(string vaultBaseURL)
{
Console.WriteLine("Authenticating to Key Vault using ADAL callback.");
Console.WriteLine(vaultBaseURL);
// Set up a KV Client with an ADAL authentication callback function
KeyVaultClient kvClient = new KeyVaultClient(
async(string authority, string resource, string scope) =>
{
var authContext = new AuthenticationContext(authority);
ClientCredential clientCred = new ClientCredential(settings.ClientID, settings.ClientSecret);
AuthenticationResult result = await authContext.AcquireTokenAsync(resource, clientCred);
if (result == null)
{
throw new InvalidOperationException("Failed to retrieve access token for Key Vault");
}
return(result.AccessToken);
}
);
// Set and get an example secret
await kvClient.SetSecretAsync(vaultBaseURL, "test-secret", "test-secret-value-using-adal");
SecretBundle s = await kvClient.GetSecretAsync(vaultBaseURL, "test-secret");
Console.WriteLine("Retrieved \"test-secret\", value=\"" + s.Value + "\"");
}
/*
* This method shows you how to create a secret key value pair in Key Vault
*/
public async Task CreateSecretKeyValuePair(string vaultBaseURL)
{
System.Console.WriteLine("Authenticating to Key Vault using ADAL Callback to create Secret Key Value Pair");
System.Console.WriteLine(vaultBaseURL);
KeyVaultClient kvClient = new KeyVaultClient(this.GetAccessToken);
await kvClient.SetSecretAsync(vaultBaseURL, "TestKey", "TestSecret");
}
public void SetSecret(string secretId, string secret)
{
KeyVaultClient kvClient = AuthUsingADALCallback(vaultBaseUrl);
Task task = Task.Run(async() =>
{
await kvClient.SetSecretAsync(vaultBaseUrl, secretId, secret);
});
}
/// <summary>
///
/// </summary>
/// <param name="secretName"></param>
/// <returns></returns>
public async Task <string> SaveSecretStringAsync(string keyvaultName, string secretName, string value)
{
var secretUrlBase = GetKeyVaultSecretUrl(keyvaultName);
//TODO: we may want to add some retries here in case network hipcups
var secret = await _keyVaultClient.SetSecretAsync(secretUrlBase, secretName, value);
return(secret.Value);
}
private async Task InsertKeysInKeyVault(KeyVaultClient keyVaultClient)
{
var keyVaultIdentifierHelper = ConfigurationManager.AppSettings["KeyVaultUrl"]; //Get the Secret Vault URL
var getResultSecret = await keyVaultClient.SetSecretAsync(keyVaultIdentifierHelper, "AvinashSecKeyName", "AvinashSecKeyValue");
Message = getResultSecret.Value;
}
public async Task <string> SetSecretAsync(string secretName, string secretValue, CancellationToken cancellationToken = default)
{
SecretBundle result;
var keyVaultClient = new KeyVaultClient(GetAccessTokenAsync);
result = await keyVaultClient.SetSecretAsync(_context.KeyVaultUri.AbsoluteUri, secretName, secretValue, cancellationToken : cancellationToken);
return(result?.SecretIdentifier.Name);
}
/// <returns> The created or the updated secret </returns>
public async Task <bool> SetSecret(KeyVaultClient kvClient, string kvURL, string secretName, string secretValue)
{
// <setsecret>
await kvClient.SetSecretAsync($"{kvURL}", secretName, secretValue);
// </setsecret>
return(true);
}
public static void StoreCertificateInVault(KeyVaultClient keyVaultClient, string vaultBaseUrl, X509Certificate2 certificate, string certificateName)
{
byte[] certificateBytes = certificate.Export(X509ContentType.Pkcs12);
string base64EncodedCertificate = System.Convert.ToBase64String(certificateBytes);
//save as KV Secret the wole root certificate
SecretBundle certSetResult = keyVaultClient.SetSecretAsync(vaultBaseUrl, $"cert-{certificateName}", base64EncodedCertificate).Result;
}
/// <summary>
/// This method uses the token from AAD, connect to Azure Key Vault and creates a secret
/// </summary>
/// <param name="secretName"></param>
/// <param name="secretValue"></param>
/// <returns></returns>
public async Task CreateSecretAsync(string secretName, string secretValue)
{
if (_keyVaultClient == null)
{
_keyVaultClient = new KeyVaultClient(GetAccessToken);
}
await _keyVaultClient.SetSecretAsync(_appSettings.KeyVaultUrl, secretName, secretValue);
}
private async Task WriteSecretsKeyVaultAndUpdateSectinelFile(string functionNameOrHost, ScriptSecrets secrets, bool createSentinelFile = true)
{
Dictionary <string, string> dictionary = KeyVaultSecretsRepository.GetDictionaryFromScriptSecrets(secrets, functionNameOrHost);
foreach (string key in dictionary.Keys)
{
await KeyVaultClient.SetSecretAsync(GetKeyVaultBaseUrl(), key, dictionary[key]);
}
}
public async Task <bool> SetEbayTokenByCompanyId(long companyId, EbayOAuthToken token)
{
try
{
var secretIdentifier = string.Empty;
switch (token.Type)
{
case EbayOAuthTokenType.USERTOKEN:
secretIdentifier = $"ebay-user-token-company{companyId}";
break;
case EbayOAuthTokenType.REFRESHTOKEN:
secretIdentifier = $"ebay-refresh-token-company{companyId}";
break;
default:
throw new InvalidTokenTypeException("The token has an invalid type.");
}
var secretAttributes = new SecretAttributes
{
Expires = token.Expiration.Value.ToUniversalTime()
};
//check to see if identifier exists
var versionList = await keyVaultClient.GetSecretVersionsAsync(appSettings.Value.KeyVaultUrl, secretIdentifier);
if (!versionList.Any())
{
await keyVaultClient.SetSecretAsync(appSettings.Value.KeyVaultUrl, secretIdentifier, token.Token, null, null, secretAttributes);
}
else //exists, update it
{
await keyVaultClient.SetSecretAsync(keyVaultUrl, secretIdentifier, token.Token, null, null, secretAttributes);
}
return(true);
}
catch (Exception ex)
{
telemetryClient.TrackException(ex);
return(false);
}
}
public override async Task SetSecretAsync(string secretName, string value)
{
if (DateTime.Now > expiry)
{
client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessToken));
}
SecretBundle bundle = await client.SetSecretAsync(String.Format("https://{0}.vault.azure.net:443/", Authority), secretName, value);
}
public async Task CreateAsync(Item newItem)
{
// Ignore items with no name
if (string.IsNullOrEmpty(newItem.Name))
{
return;
}
// Get cached list of all items
var items = await ReadAllAsync();
// Compute Id for new item
if (items.Count == 0)
{
newItem.Id = 1;
}
else
{
newItem.Id = items.Max(c => c.Id) + 1;
}
// Add item to list
items.Add(newItem);
// Store item in KeyVault
string itemJson = JsonSerializer.Serialize(newItem);
try
{
await keyVaultClient.SetSecretAsync(
KeyVaultBaseUrl, newItem.Name, itemJson);
}
catch (ValidationException)
{
}
// Order item list by name ascending
List <Item> sortedItems = items.OrderBy(o => o.Name).ToList();
// Update item cache
_cache.Set("ItemList", sortedItems);
}
public void Write(string key, string value)
{
if (key == null)
{
throw new ArgumentNullException(nameof(key));
}
key = key.UrlEncode();
_client.SetSecretAsync(_vaultUri, key, value).Wait();
}
private static void HandleDeploy(Options options, AuthenticationContext authContext, AuthenticationResult token, ResourceManagementClient resourceManagementClient)
{
if (!string.IsNullOrWhiteSpace(options.Deploy))
{
ResourceGroupExtended rg = GetResourceGroup(options, resourceManagementClient);
//Fix location to displayname from template
using (var subscriptionClient = new SubscriptionClient(new TokenCloudCredentials(token.AccessToken)))
{
var a = subscriptionClient.Subscriptions.ListLocations(options.SubscriptionId);
rg.Location = a.Locations.Single(l => l.Name == rg.Location).DisplayName;
}
var graphtoken = authContext.AcquireToken("https://graph.windows.net/", options.ClientID, new Uri(options.RedirectUri), PromptBehavior.Auto);
var graph = new ActiveDirectoryClient(new Uri("https://graph.windows.net/" + graphtoken.TenantId), () => Task.FromResult(graphtoken.AccessToken));
var principal = graph.ServicePrincipals.Where(p => p.AppId == options.ApplicaitonId).ExecuteSingleAsync().GetAwaiter().GetResult();
DeploymentExtended deploymentInfo = null;
if (!resourceManagementClient.Deployments.CheckExistence(options.ResourceGroup, options.DeployName).Exists)
{
var deployment = new Deployment
{
Properties = new DeploymentProperties
{
Mode = DeploymentMode.Incremental, //Dont Delete other resources
Template = File.ReadAllText(options.Deploy),
Parameters = new JObject(
new JProperty("siteName", CreateValue(options.SiteName)),
new JProperty("hostingPlanName", CreateValue(options.HostingPlanName)),
new JProperty("storageAccountType", CreateValue(options.StorageAccountType)),
new JProperty("siteLocation", CreateValue(rg.Location)),
new JProperty("sku", CreateValue(options.WebsitePlan)),
new JProperty("tenantId", CreateValue(token.TenantId)),
new JProperty("objectId", CreateValue(token.UserInfo.UniqueId)),
new JProperty("appOwnerTenantId", CreateValue(principal.AppOwnerTenantId.Value.ToString())),
new JProperty("appOwnerObjectId", CreateValue(principal.ObjectId))
).ToString(),
}
};
var result = resourceManagementClient.Deployments.CreateOrUpdate(options.ResourceGroup, options.DeployName, deployment);
deploymentInfo = result.Deployment;
}
else
{
var deploymentStatus = resourceManagementClient.Deployments.Get(options.ResourceGroup, options.DeployName);
deploymentInfo = deploymentStatus.Deployment;
}
while (!(deploymentInfo.Properties.ProvisioningState == "Succeeded" || deploymentInfo.Properties.ProvisioningState == "Failed"))
{
var deploymentStatus = resourceManagementClient.Deployments.Get(options.ResourceGroup, options.DeployName);
deploymentInfo = deploymentStatus.Deployment;
Thread.Sleep(5000);
}
Console.WriteLine(deploymentInfo.Properties.Outputs);
var outputs = JObject.Parse(deploymentInfo.Properties.Outputs);
var storageAccountName = outputs["storageAccount"]["value"].ToString();
var keyvaultName = outputs["keyvault"]["value"].ToString();
using (var client = new KeyVaultManagementClient(new TokenCloudCredentials(options.SubscriptionId, token.AccessToken)))
{
using (var storageClient = new StorageManagementClient(new TokenCloudCredentials(options.SubscriptionId, token.AccessToken)))
{
var keys = storageClient.StorageAccounts.ListKeys(options.ResourceGroup, storageAccountName);
var vaultInfo = client.Vaults.Get(options.ResourceGroup, keyvaultName);
//CHEATING (using powershell application id to get token on behhalf of user);
var vaultToken = authContext.AcquireToken("https://vault.azure.net", "1950a258-227b-4e31-a9cf-717495945fc2", new Uri("urn:ietf:wg:oauth:2.0:oob"));
var keyvaultClient = new KeyVaultClient((_, b, c) => Task.FromResult(vaultToken.AccessToken));
var secrets = keyvaultClient.GetSecretsAsync(vaultInfo.Vault.Properties.VaultUri).GetAwaiter().GetResult();
if (secrets.Value == null || !secrets.Value.Any(s => s.Id == vaultInfo.Vault.Properties.VaultUri + "secrets/storage"))
{
keyvaultClient.SetSecretAsync(vaultInfo.Vault.Properties.VaultUri, "storage", $"{storageAccountName}:{keys.StorageAccountKeys.Key1}").GetAwaiter().GetResult();
keyvaultClient.SetSecretAsync(vaultInfo.Vault.Properties.VaultUri, "storage", $"{storageAccountName}:{keys.StorageAccountKeys.Key2}").GetAwaiter().GetResult();
var secret = keyvaultClient.GetSecretVersionsAsync(vaultInfo.Vault.Properties.VaultUri, "storage").GetAwaiter().GetResult();
}
}
}
}
}
private static void HandleCertificateOperations(Options options, AuthenticationContext authContext, AuthenticationResult token)
{
using (var client = new KeyVaultManagementClient(new TokenCloudCredentials(options.SubscriptionId, token.AccessToken)))
{
if (!string.IsNullOrEmpty(options.ResourceGroup))
{
if (!string.IsNullOrEmpty(options.Vault))
{
var vaultInfo = client.Vaults.Get(options.ResourceGroup, options.Vault);
var vaultToken = authContext.AcquireToken("https://vault.azure.net", "1950a258-227b-4e31-a9cf-717495945fc2", new Uri("urn:ietf:wg:oauth:2.0:oob"));
var keyvaultClient = new KeyVaultClient((_, b, c) => Task.FromResult(vaultToken.AccessToken));
if (!string.IsNullOrEmpty(options.ExportCert))
{
var secret = keyvaultClient.GetSecretAsync(vaultInfo.Vault.Properties.VaultUri, options.ExportCert).GetAwaiter().GetResult();
var cert = new X509Certificate2(Convert.FromBase64String(secret.Value), new SecureString(), X509KeyStorageFlags.Exportable);
File.WriteAllBytes(options.Out, cert.Export(X509ContentType.Pfx));
}
if (!string.IsNullOrEmpty(options.Encrypt))
{
var secret = keyvaultClient.GetSecretAsync(vaultInfo.Vault.Properties.VaultUri, options.CertificateName).GetAwaiter().GetResult();
var cert = new X509Certificate2(Convert.FromBase64String(secret.Value));
byte[] encoded = System.Text.UTF8Encoding.UTF8.GetBytes(options.Encrypt);
var content = new ContentInfo(encoded);
var env = new EnvelopedCms(content);
env.Encrypt(new CmsRecipient(cert));
string encrypted64 = Convert.ToBase64String(env.Encode());
Console.WriteLine("Encrypting: {0}", options.Encrypt);
Console.WriteLine("Encrypted Base64 String: {0}", encrypted64);
}
if (!string.IsNullOrEmpty(options.Decrypt))
{
var secret = keyvaultClient.GetSecretAsync(vaultInfo.Vault.Properties.VaultUri, options.CertificateName).GetAwaiter().GetResult();
var cert = new X509Certificate2(Convert.FromBase64String(secret.Value));
var encryptedBytes = Convert.FromBase64String(options.Decrypt);
var envelope = new EnvelopedCms();
envelope.Decode(encryptedBytes);
envelope.Decrypt(new X509Certificate2Collection(cert));
Console.WriteLine("Decrypting: {0}", options.Decrypt);
Console.WriteLine("Decrypted String: {0}", Encoding.UTF8.GetString(envelope.ContentInfo.Content));
}
if (options.MakeCert)
{
var cert = Convert.ToBase64String(Certificate.CreateSelfSignCertificatePfx(string.Format("CN={0}", options.CertificateName), DateTime.UtcNow, DateTime.UtcNow.AddYears(2)));
var cert1 = new X509Certificate2(Convert.FromBase64String(cert));
var secrets = keyvaultClient.GetSecretsAsync(vaultInfo.Vault.Properties.VaultUri).GetAwaiter().GetResult();
if (secrets.Value == null || !secrets.Value.Any(s => s.Id == vaultInfo.Vault.Properties.VaultUri + "secrets/" + options.CertificateName))
{
Console.WriteLine(
JsonConvert.SerializeObject(keyvaultClient.SetSecretAsync(vaultInfo.Vault.Properties.VaultUri, options.CertificateName, cert, null, "application/pkcs12").GetAwaiter().GetResult()
, Formatting.Indented));
}
}
}
}
}
}
