public FileStreamResult File(string filename)
{
var stockpickFormsAzurequeueConnectionstring = "Stockpick.Forms.AzureQueue.Connectionstring";
var connectionstring = Sitecore.Configuration.Settings.GetSetting(stockpickFormsAzurequeueConnectionstring);
Microsoft.WindowsAzure.Storage.CloudStorageAccount storageAccount = Microsoft.WindowsAzure.Storage.CloudStorageAccount.Parse(connectionstring);
var cloudBlobClient = storageAccount.CreateCloudBlobClient();
var blobContainer = cloudBlobClient.GetContainerReference("stockpickformsblob");
blobContainer.CreateIfNotExists();
var cloudResolver = new KeyVaultKeyResolver(Keyvault.GetToken);
var url = Sitecore.Configuration.Settings.GetSetting("Stockpick.Forms.KeyFault.Key.URL");
if (string.IsNullOrEmpty(url))
{
Log.Error("config key Stockpick.Forms.KeyFault.Key.URL is emty", this);
}
var key = cloudResolver.ResolveKeyAsync(url, CancellationToken.None).GetAwaiter().GetResult();
CloudBlockBlob blob = blobContainer.GetBlockBlobReference(filename);
BlobEncryptionPolicy policy = new BlobEncryptionPolicy(null, cloudResolver);
BlobRequestOptions options = new BlobRequestOptions()
{
EncryptionPolicy = policy
};
Stream blobStream = blob.OpenRead(null, options);
return(new FileStreamResult(blobStream, "application/x-binary"));
}
public async Task SaveContentAsync(EncryptedFile fileInfo, IFormFile formFile)
{
if (fileInfo == null)
{
return;
}
var blobParts = fileInfo.BlobName.Split(ContainerNameSeparator);
var containerName = blobParts[0];
var blobName = blobParts[1];
var contain = _cloudBlobClient.GetContainerReference(containerName);
contain.CreateIfNotExists();
var rsa = await _cloudResolver.ResolveKeyAsync(
_fileStorageKey,
CancellationToken.None);
var policy = new BlobEncryptionPolicy(rsa, null);
var options = new BlobRequestOptions {
EncryptionPolicy = policy
};
var blob = contain.GetBlockBlobReference(blobName);
using (var stream = formFile.OpenReadStream())
{
// Options object is containing all information about the
await blob.UploadFromStreamAsync(stream, stream.Length, null, options, null);
}
}
private BlobEncryptionPolicy GetEncryptionPolicyForDownload()
{
var keyResolver = new KeyVaultKeyResolver(_keyVaultClient);
var blobEncryptionPolicy = new BlobEncryptionPolicy(null, keyResolver);
return(blobEncryptionPolicy);
}
public async Task <KeyValuePair <string, MemoryStream> > DownloadDocumentAsync(Guid documentId, Guid customerId)
{
var storageAccount = CloudStorageAccount.Parse(ConfigurationManager.ConnectionStrings["DocumentStore"].ConnectionString);
var blobClient = storageAccount.CreateCloudBlobClient();
var container = blobClient.GetContainerReference(customerId.ToString().ToLower());
var dbContext = new DashDocsContext();
var document = await dbContext.Documents.SingleAsync(d => d.Id == documentId);
var keyvaultResolver = new KeyVaultKeyResolver(GetToken);
var encryptionPolicy = new BlobEncryptionPolicy(null, keyvaultResolver);
var requestOptions = new BlobRequestOptions {
EncryptionPolicy = encryptionPolicy
};
var block = container.GetBlockBlobReference(document.BlobPath);
var stream = new MemoryStream();
await block.DownloadToStreamAsync(stream, null, requestOptions, null);
var content = new KeyValuePair <string, MemoryStream>(document.DocumentName, stream);
return(content);
}
public async Task <Stream> GetContentAsync(EncryptedFile fileInfo)
{
if (fileInfo.BlobName == null)
{
return(null);
}
var blobParts = fileInfo.BlobName.Split(ContainerNameSeparator);
var containerName = blobParts[0];
var blobName = blobParts[1];
var contain = _cloudBlobClient.GetContainerReference(containerName);
contain.CreateIfNotExists();
var policy = new BlobEncryptionPolicy(null, _cloudResolver);
var options = new BlobRequestOptions {
EncryptionPolicy = policy
};
var blob = contain.GetBlockBlobReference(blobName);
// Options object is containing all information about the
return(await blob.OpenReadAsync(null, options, null));
}
public static IActionResult RunDecryptBlobFile(
[HttpTrigger(AuthorizationLevel.Function, "post", Route = null)] HttpRequest req,
ILogger log,
ExecutionContext executionContext)
{
log.LogInformation("DecryptBlobFile Custom Skill: C# HTTP trigger function processed a request.");
string skillName = executionContext.FunctionName;
IEnumerable <WebApiRequestRecord> requestRecords = WebApiSkillHelpers.GetRequestRecords(req);
if (requestRecords == null)
{
return(new BadRequestObjectResult($"{skillName} - Invalid request record array."));
}
// Set up access to keyvault to retrieve the key to decrypt the document with
// Requires that this Azure Function has access via managed identity to the Keyvault where the key is stored.
var azureServiceTokenProvider1 = new AzureServiceTokenProvider();
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider1.KeyVaultTokenCallback));
KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(kv);
BlobEncryptionPolicy policy = new BlobEncryptionPolicy(null, cloudResolver);
BlobRequestOptions options = new BlobRequestOptions()
{
EncryptionPolicy = policy
};
WebApiSkillResponse response = WebApiSkillHelpers.ProcessRequestRecords(skillName, requestRecords,
(inRecord, outRecord) =>
{
string blobUrl = (inRecord.Data.TryGetValue("blobUrl", out object blobUrlObject) ? blobUrlObject : null) as string;
string sasToken = (inRecord.Data.TryGetValue("sasToken", out object sasTokenObject) ? sasTokenObject : null) as string;
if (string.IsNullOrWhiteSpace(blobUrl))
{
outRecord.Errors.Add(new WebApiErrorWarningContract()
{
Message = $"Parameter '{nameof(blobUrl)}' is required to be present and a valid uri."
});
return(outRecord);
}
CloudBlockBlob blob = new CloudBlockBlob(new Uri(WebApiSkillHelpers.CombineSasTokenWithUri(blobUrl, sasToken)));
byte[] decryptedFileData;
using (var np = new MemoryStream())
{
blob.DownloadToStream(np, null, options, null);
decryptedFileData = np.ToArray();
}
FileReference decryptedFileReference = new FileReference()
{
data = Convert.ToBase64String(decryptedFileData)
};
JObject jObject = JObject.FromObject(decryptedFileReference);
jObject["$type"] = "file";
outRecord.Data["decrypted_file_data"] = jObject;
return(outRecord);
});
public async override Task ExecutePostProcessingAsync()
{
KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(ServerUtils.GetToken);
IKey rsa = await cloudResolver.ResolveKeyAsync(ConfidentialData.KeyLocation, CancellationToken.None);
foreach (var file in FileData)
{
string fileName = Path.GetFileName(file.Headers.ContentDisposition.FileName.Trim('"'));
var blob = _container.GetBlockBlobReference(Path.Combine(currentFilePath, fileName));
BlobEncryptionPolicy policy = new BlobEncryptionPolicy(rsa, null);
BlobRequestOptions options = new BlobRequestOptions()
{
EncryptionPolicy = policy
};
using (var stream = File.OpenRead(file.LocalFileName))
{
await blob.UploadFromStreamAsync(stream, stream.Length, null, options, null);
}
Urls.Add(blob.Uri.AbsoluteUri);
string ext = Path.GetExtension(fileName);
if (ext == ".jpeg" || ext == ".jpg")
{
Image original = Image.FromFile(file.LocalFileName);
float ratio = (float)original.Width / (float)original.Height;
SizeF newSize = new SizeF(350 * ratio, 350);
Image thumb = original.GetThumbnailImage((int)newSize.Width, (int)newSize.Height, null, IntPtr.Zero);
string thumbName = Path.GetFileNameWithoutExtension(fileName) + "_thumb.jpg";
var thumbBlob = _container.GetBlockBlobReference(Path.Combine(currentFilePath, thumbName));
MemoryStream thumbStream = new MemoryStream();
thumb.Save(thumbStream, System.Drawing.Imaging.ImageFormat.Jpeg);
thumbStream.Position = 0;
await thumbBlob.UploadFromStreamAsync(thumbStream, thumbStream.Length, null, options, null);
Urls.Add(thumbBlob.Uri.AbsoluteUri);
}
try
{
File.Delete(file.LocalFileName);
}
catch (Exception e)
{ }
}
}
private async Task <BlobEncryptionPolicy> GetEncryptionPolicyForUpload(EncryptedBlobAttribute config, string keyName, CancellationToken cancellationToken)
{
var kid = await _keyVaultClient.GetKidByName(config, keyName, cancellationToken) ?? throw new ArgumentException(nameof(EncryptedBlobAttribute.KeyName));
var keyResolver = new KeyVaultKeyResolver(_keyVaultClient);
var key = await keyResolver.ResolveKeyAsync(kid, cancellationToken);
var blobEncryptionPolicy = new BlobEncryptionPolicy(key, null);
return(blobEncryptionPolicy);
}
public BlobDecryptStream(Stream userStream, IDictionary <string, string> metadata, long?userProvidedLength, int discardFirst, bool bufferIV, bool noPadding, BlobEncryptionPolicy policy, bool?requireEncryption)
{
this.userStream = userStream;
this.metadata = metadata;
this.userProvidedLength = userProvidedLength;
this.discardFirst = discardFirst;
this.encryptionPolicy = policy;
this.bufferIV = bufferIV;
this.noPadding = noPadding;
this.requireEncryption = requireEncryption;
}
public async Task <HttpResponseMessage> Get(string imageId, bool thumb = false)
{
int id;
if (string.IsNullOrEmpty(imageId) || !Int32.TryParse(imageId, out id))
{
return(Request.CreateResponse(HttpStatusCode.BadRequest));
}
ServiceData.Models.Photo found = _photoRepository.GetById(id);
if (found == null)
{
return(Request.CreateResponse(HttpStatusCode.NotFound));
}
ServiceData.Models.UserCondition foundCond = _conditionRepository.GetById(found.UserCondition.Id);
if (foundCond.Owner.Email != User.Identity.Name)
{
return(Request.CreateResponse(HttpStatusCode.Forbidden));
}
string target = (thumb) ? found.ThumbUrl : found.Url;
CloudBlobContainer container = await GetBlobContainer();
Stream blobStream = new MemoryStream();
CloudBlob photoBlob = container.GetBlobReference(target.Replace(ConfidentialData.BlobStorageUrl, ""));
KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(ServerUtils.GetToken);
IKey rsa = await cloudResolver.ResolveKeyAsync(ConfidentialData.KeyLocation, CancellationToken.None);
BlobEncryptionPolicy policy = new BlobEncryptionPolicy(null, cloudResolver);
BlobRequestOptions options = new BlobRequestOptions()
{
EncryptionPolicy = policy
};
await photoBlob.DownloadToStreamAsync(blobStream, null, options, null);
blobStream.Position = 0;
HttpResponseMessage response = new HttpResponseMessage(HttpStatusCode.OK);
response.Content = new StreamContent(blobStream);
response.Content.Headers.ContentDisposition = new System.Net.Http.Headers.ContentDispositionHeaderValue("attachment");
response.Content.Headers.ContentDisposition.FileName = imageId + Path.GetExtension(target);
string eventName = thumb ? "DownloadThumb" : "DownloadImage";
ServerUtils.LogTelemetryEvent(User.Identity.Name, eventName);
return(response);
}
private static async Task DownloadBlobAsync(CloudBlob blob, KeyVaultKeyResolver cloudResolver)
{
BlobEncryptionPolicy policy = new BlobEncryptionPolicy(null, cloudResolver);
BlobRequestOptions options = new BlobRequestOptions {
EncryptionPolicy = policy
};
using (var np = File.Open("DownloadedData.txt", FileMode.Create))
{
await blob.DownloadToStreamAsync(np, null, options, null);
}
}
static void Main(string[] args)
{
// This is standard code to interact with Blob storage.
StorageCredentials creds = new StorageCredentials(
CloudConfigurationManager.GetSetting("accountName"),
CloudConfigurationManager.GetSetting("accountKey"));
CloudStorageAccount account = new CloudStorageAccount(creds, useHttps: true);
CloudBlobClient client = account.CreateCloudBlobClient();
CloudBlobContainer contain = client.GetContainerReference(CloudConfigurationManager.GetSetting("container"));
contain.CreateIfNotExists();
// The Resolver object is used to interact with Key Vault for Azure Storage.
// This is where the GetToken method from above is used.
KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(GetToken);
//Encrypt Blob and upload
// Retrieve the key that you created previously.
// The IKey that is returned here is an RsaKey.
var rsa = cloudResolver.ResolveKeyAsync(
"https://phupaa-vault.vault.azure.net/keys/key01",
CancellationToken.None).GetAwaiter().GetResult();
// Now you simply use the RSA key to encrypt by setting it in the BlobEncryptionPolicy.
BlobEncryptionPolicy policy = new BlobEncryptionPolicy(rsa, null);
BlobRequestOptions options = new BlobRequestOptions()
{
EncryptionPolicy = policy
};
// Reference a block blob.
CloudBlockBlob blob = contain.GetBlockBlobReference("MyFile.txt");
// Upload using the UploadFromStream method.
using (var stream = System.IO.File.OpenRead(@"C:\Temp\MyFile.txt"))
blob.UploadFromStream(stream, stream.Length, null, options, null);
//Decrypt blob
// In this case, we will not pass a key and only pass the resolver because
// this policy will only be used for downloading / decrypting.
BlobEncryptionPolicy policy2 = new BlobEncryptionPolicy(null, cloudResolver);
BlobRequestOptions options2 = new BlobRequestOptions()
{
EncryptionPolicy = policy
};
using (var np = File.Open(@"C:\temp\MyFileDecrypted.txt", FileMode.Create))
blob.DownloadToStream(np, null, options, null);
}
private static async Task <CloudBlockBlob> UploadBlobAsync(CloudBlobContainer container, IKey key)
{
BlobEncryptionPolicy policy = new BlobEncryptionPolicy(key, null);
BlobRequestOptions options = new BlobRequestOptions {
EncryptionPolicy = policy
};
CloudBlockBlob blob = container.GetBlockBlobReference("MyFile.txt");
using (var stream = File.OpenRead("Data.txt"))
{
await blob.UploadFromStreamAsync(stream, stream.Length, null, options, null);
}
return(blob);
}
public BlobStorageProvider(string connectionString, RsaKey key = null)
{
this.storageAccount = CloudStorageAccount.Parse(connectionString);
this.encoding = Encoding.UTF8;
// Create the encryption policy to be used for upload and download.
BlobEncryptionPolicy policy = new BlobEncryptionPolicy(key, null);
this.options = new BlobRequestOptions
{
RequireEncryption = key != null,
EncryptionPolicy = policy
};
blobClient = storageAccount.CreateCloudBlobClient();
}
static async Task MainAsync(string[] args)
{
try
{
string storageEndPoint = ConfigurationManager.AppSettings["StorageEndPoint"];
Console.WriteLine("Login...");
var result = await AcquireTokenWithUserInteraction();
// Use the access token to create the storage credentials.
TokenCredential tokenCredential = new TokenCredential(result.AccessToken);
StorageCredentials storageCredentials = new StorageCredentials(tokenCredential);
CloudBlobContainer blobContainer = new CloudBlobContainer(new StorageUri(new Uri(storageEndPoint)), storageCredentials);
var symKey = await GetCustomKey(createKey : true);
Console.WriteLine("Upload File");
var blobFileCrypt = blobContainer.GetBlockBlobReference("AuthenticationStorageAccountFx.exe.config.cryp");
BlobEncryptionPolicy policy = new BlobEncryptionPolicy(symKey, null);
BlobRequestOptions options = new BlobRequestOptions {
EncryptionPolicy = policy, RequireEncryption = true, StoreBlobContentMD5 = true
};
OperationContext context = new OperationContext();
context.LogLevel = Microsoft.WindowsAzure.Storage.LogLevel.Verbose;
await blobFileCrypt.UploadFromFileAsync("AuthenticationStorageAccountFx.exe.config", null, options, context);
var blobFile = blobContainer.GetBlockBlobReference("AuthenticationStorageAccountFx.exe.config");
await blobFile.UploadFromFileAsync("AuthenticationStorageAccountFx.exe.config", null, null, context);
var blobs = blobContainer.ListBlobs();
Console.WriteLine("List Blobs");
foreach (var b in blobs)
{
Console.WriteLine(b.Uri.ToString());
}
Console.WriteLine("Upload succeeded !!");
}
catch (Exception exc)
{
Console.WriteLine("Something went wrong.");
Console.WriteLine("Message: " + exc.Message + "\n");
}
}
private static async Task <string> RetrieveAndDecrypt(CloudBlobContainer blobContainer, string id)
{
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var resolver = new KeyVaultKeyResolver(client);
//no need to provide key vault key id - stored in blob meta data
var policy = new BlobEncryptionPolicy(null, resolver);
var options = new BlobRequestOptions()
{
EncryptionPolicy = policy
};
var blobRef = blobContainer.GetBlockBlobReference(id);
var ms = new MemoryStream();
await blobRef.DownloadToStreamAsync(ms, null, options, null);
return(Encoding.UTF8.GetString(ms.ToArray()));
}
public async Task <ActionResult> Download(string imageId, bool thumb = false)
{
int id;
if (string.IsNullOrEmpty(imageId) || !Int32.TryParse(imageId, out id))
{
return(new HttpUnauthorizedResult());
}
IReadWriteRepository <ServiceData.Models.Photo> _photoRepository = new PhotoRepository();
IReadWriteRepository <ServiceData.Models.UserCondition> _condRepository = new UserConditionsRepository();
ServiceData.Models.Photo found = _photoRepository.GetById(id);
if (found == null)
{
return(new HttpNotFoundResult());
}
ServiceData.Models.UserCondition foundCond = _condRepository.GetById(found.UserCondition.Id);
if (!IsSharedOrOwned(foundCond))
{
return(new HttpUnauthorizedResult());
}
string target = (thumb) ? found.ThumbUrl : found.Url;
CloudBlobContainer container = await UploadController.GetBlobContainer();
Stream blobStream = new MemoryStream();
CloudBlob photoBlob = container.GetBlobReference(target.Replace(ConfidentialData.BlobStorageUrl, ""));
KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(ServerUtils.GetToken);
IKey rsa = await cloudResolver.ResolveKeyAsync(ConfidentialData.KeyLocation, CancellationToken.None);
BlobEncryptionPolicy policy = new BlobEncryptionPolicy(null, cloudResolver);
BlobRequestOptions options = new BlobRequestOptions()
{
EncryptionPolicy = policy
};
await photoBlob.DownloadToStreamAsync(blobStream, null, options, null);
blobStream.Position = 0;
return(File(blobStream, "image/jpeg"));
}
//Upload a blob from a stream to a named container, using a KeyVault Key to dynamically encryprt the file
public void WriteBlobFile(string FileName, string BlobName, string ContainerName, Microsoft.Azure.KeyVault.Core.IKey Key)
{
CloudBlobContainer container = GetContainerRefference(ContainerName);
// Now you simply use the RSA key to encrypt by setting it in the BlobEncryptionPolicy.
BlobEncryptionPolicy policy = new BlobEncryptionPolicy(Key, null);
BlobRequestOptions options = new BlobRequestOptions()
{
EncryptionPolicy = policy
};
// Retrieve reference to a blob named "myblob".
CloudBlockBlob blockBlob = container.GetBlockBlobReference(BlobName);
// Create or overwrite the "FileName" blob with contents from FileStream, using encryption option
blockBlob.UploadFromFile(FileName, null, options, null);
}
//Read Encrypted blob to a Stream from a container
public Stream GetBlobStream(string BlobName, string ContainerName, KeyVaultKeyResolver KeyResolver)
{
CloudBlobContainer container = GetContainerRefference(ContainerName);
// In this case, we will not pass a key and only pass the resolver because
// this policy will only be used for downloading / decrypting.
BlobEncryptionPolicy policy = new BlobEncryptionPolicy(null, KeyResolver);
BlobRequestOptions options = new BlobRequestOptions()
{
EncryptionPolicy = policy
};
// Retrieve reference to a blob named "myblob".
CloudBlockBlob blob = container.GetBlockBlobReference(BlobName);
return(blob.OpenRead(null, options, null));
}
//Read Encrypted blob to a File at the path location specified from a container
public void GetBlobFile(string BlobName, string ContainerName, string DestinationPath, KeyVaultKeyResolver KeyResolver)
{
CloudBlobContainer container = GetContainerRefference(ContainerName);
// In this case, we will not pass a key and only pass the resolver because
// this policy will only be used for downloading / decrypting.
BlobEncryptionPolicy policy = new BlobEncryptionPolicy(null, KeyResolver);
BlobRequestOptions options = new BlobRequestOptions()
{
EncryptionPolicy = policy
};
// Retrieve reference to a blob named "myblob".
CloudBlockBlob blob = container.GetBlockBlobReference(BlobName);
Directory.CreateDirectory(new FileInfo(DestinationPath).Directory.ToString());
blob.DownloadToFile(DestinationPath, FileMode.Create, null, options, null);
}
private void RetriveRSA(KeyVaultKeyResolver cloudResolver, CloudBlobContainer contain)
{
log.LogInformation($"validando chave externa de integração rsa");
log.LogInformation("recebendo parametros [endpoint]");
// Retrieve the key that you created previously.
// The IKey that is returned here is an RsaKey.
var rsa = cloudResolver.ResolveKeyAsync(app.Endpoint, CancellationToken.None)
.GetAwaiter().GetResult();
log.LogInformation($"chave rsa gerada com sucesso");
log.LogInformation($"algoritimo {rsa.DefaultEncryptionAlgorithm}");
log.LogInformation($"hash {rsa.DefaultKeyWrapAlgorithm}");
log.LogInformation($"assinatura {rsa.DefaultSignatureAlgorithm}");
// Now you simply use the RSA key to encrypt by setting it in the BlobEncryptionPolicy.
var policy = new BlobEncryptionPolicy(rsa, null);
var options = new BlobRequestOptions()
{
EncryptionPolicy = policy
};
log.LogInformation($"iniciando teste de upload no blob com autenticação segura");
log.LogInformation($"validando referencia do blob para File.txt");
// Reference a block blob.
CloudBlockBlob blob = contain.GetBlockBlobReference("File.txt");
log.LogInformation($"iniciando processo de upload");
// Upload using the UploadFromStream method.
using var stream = File.OpenRead(Directory.GetCurrentDirectory() + "\\File.txt");
blob.UploadFromStream(stream, stream.Length, null, options, null);
log.LogInformation($"valide se o arquivo File.txt é ");
}
public EncryptedBlobHandler(CloudBlobContainer container, string key = null) : base(container)
{
RsaKey _Key = null;
// We are encrypting these values with the strongest encryption key
// on God's green earth: Chuck Norris
// unless someone gives me a better one
// like THAT exists!
if (key == null)
{
_Key = new RsaKey("private:ChuckNorris");
}
else
{
_Key = new RsaKey(key);
}
// Local Resolver holds and keeps track of our key so we can
// use it over and over again.
LocalResolver.Current.Add(_Key);
// A Policy is created to tell it what key to use to upload
BlobEncryptionPolicy policy = new BlobEncryptionPolicy(_Key, null);
// A policy is created to tell it what key to use to download
BlobEncryptionPolicy downloadPolicy = new BlobEncryptionPolicy(null, LocalResolver.Current);
// The actual parameter when we upload/download is a BlobRequestOptions object
// So we load those in preperation of uploading or downloading
_BlobUploadEncryptionOptions = new BlobRequestOptions()
{
EncryptionPolicy = policy
};
_BlobDownloadEncryptionOptions = new BlobRequestOptions()
{
EncryptionPolicy = downloadPolicy
};
}
private static async Task EncryptAndStore(CloudBlobContainer blobContainer, string text, string id)
{
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var resolver = new KeyVaultKeyResolver(client);
var rsa = await resolver.ResolveKeyAsync(Environment.GetEnvironmentVariable("RsaVaultKey"), CancellationToken.None);
var policy = new BlobEncryptionPolicy(rsa, null);
var options = new BlobRequestOptions()
{
EncryptionPolicy = policy
};
var blob = blobContainer.GetBlockBlobReference(id);
var bytes = Encoding.UTF8.GetBytes(text);
using (Stream stream = new MemoryStream(bytes))
{
await blob.UploadFromStreamAsync(stream, bytes.Length, null, options, null);
}
}
private void StoreFiles(CloudStorageAccount storageAccount, FormSubmitContext formSubmitContext, IEnumerable <Guid> fileIds)
{
var cloudBlobClient = storageAccount.CreateCloudBlobClient();
var blob = cloudBlobClient.GetContainerReference("stockpickformsblob");
blob.CreateIfNotExists();
var cloudResolver = new KeyVaultKeyResolver(Keyvault.GetToken);
var url = Sitecore.Configuration.Settings.GetSetting("Stockpick.Forms.KeyFault.Key.URL");
if (string.IsNullOrEmpty(url))
{
Log.Error("config key Stockpick.Forms.KeyFault.Key.URL is emty", this);
}
var key = cloudResolver.ResolveKeyAsync(url, CancellationToken.None).GetAwaiter().GetResult();
foreach (var gui in fileIds)
{
var file = FileStorageProvider.GetFile(gui);
if (file != null)
{
Log.Info("Upload to Cloud storage file " + file.FileInfo.FileName + " as " + gui.ToString() + " using key kid:" + key.Kid, this);
BlobEncryptionPolicy policy = new BlobEncryptionPolicy(key, null);
BlobRequestOptions options = new BlobRequestOptions()
{
EncryptionPolicy = policy
};
CloudBlockBlob cloudBlockBlob = blob.GetBlockBlobReference(gui.ToString());
using (var filestream = file.File)
{
cloudBlockBlob.UploadFromStream(filestream, null, options, null);
}
}
}
}
public async Task <string> UploadDocumentAsync(HttpPostedFileBase documentFile, Guid customerId, Guid documentId)
{
var storageAccount = CloudStorageAccount.Parse(ConfigurationManager.ConnectionStrings["DocumentStore"].ConnectionString);
var blobClient = storageAccount.CreateCloudBlobClient();
var container = blobClient.GetContainerReference(customerId.ToString().ToLower());
await container.CreateIfNotExistsAsync();
var keyvaultResolver = new KeyVaultKeyResolver(GetToken);
var key = await keyvaultResolver.ResolveKeyAsync(KEY_URI, CancellationToken.None);
var encryptionPolicy = new BlobEncryptionPolicy(key, null);
var requestOptions = new BlobRequestOptions {
EncryptionPolicy = encryptionPolicy
};
var blobRelativePath = documentId.ToString().ToLower() + "/" + Path.GetFileName(documentFile.FileName).ToLower();
var block = container.GetBlockBlobReference(blobRelativePath);
await block.UploadFromStreamAsync(documentFile.InputStream, documentFile.InputStream.Length, null, requestOptions, null);
return(blobRelativePath);
}
static void Main(string[] args)
{
/* OVERVIEW OF HOW THIS WORKS :
* The Azure Storage client SDK generates a content encryption key(CEK), which is a
* one - time - use symmetric key. Customer data is encrypted using this CEK.
* The CEK is then wrapped (encrypted) using the key encryption key(KEK).
* The KEK is identified by a key identifier and can be managed locally or stored in Azure Key
* Vault.
* The Storage client itself never has access to the KEK. It just invokes the key wrapping
* algorithm that is provided by Key Vault.
* The encrypted data is then uploaded to the Azure Storage service.
*
* Decryption is really when using the Resolver classes make sense.
* The ID of the key used for encryption is associated with the blob in its metadata, so there
* is no reason for you to retrieve the key and remember the
* association between key and blob.You just have to make sure that the key remains in Key Vault.
* The private key of an RSA Key remains in Key Vault, so for decryption to occur, the Encrypted
* Key from the blob metadata that contains the CEK is sent to
* Key Vault for decryption.*/
Console.WriteLine("Azure Key Vault Demo : Encryption and decryption of a file.");
Console.WriteLine("Please enter storage account NAME :");
var accountN = Console.ReadLine();
Console.WriteLine("Please enter storage account KEY :");
var accountK = Console.ReadLine();
// This is standard code to interact with Blob storage.
StorageCredentials creds = new StorageCredentials(
accountN, accountK);
CloudStorageAccount account = new CloudStorageAccount(creds, useHttps: true);
CloudBlobClient client = account.CreateCloudBlobClient();
CloudBlobContainer contain = client.GetContainerReference(ConfigurationManager.AppSettings["container"]);
contain.CreateIfNotExists();
// The Resolver object is used to interact with Key Vault for Azure Storage.
// This is where the GetToken method from above is used.
KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(GetToken);
// Retrieve the key that you created previously.
// The IKey that is returned here is an RsaKey.
//
Console.WriteLine("Please enter URL of key, for example : https://myKeyVault.vault.azure.net/keys/MyKeyDemo");
var kv = Console.ReadLine();
var rsa = cloudResolver.ResolveKeyAsync(kv, CancellationToken.None).GetAwaiter().GetResult();
// Now you simply use the RSA key to encrypt by setting it in the BlobEncryptionPolicy.
BlobEncryptionPolicy policy = new BlobEncryptionPolicy(rsa, null);
BlobRequestOptions options = new BlobRequestOptions()
{
EncryptionPolicy = policy
};
// Reference a block blob.
CloudBlockBlob blob = contain.GetBlockBlobReference("MyFile.txt");
// Upload using the UploadFromStream method.
Console.WriteLine("Ensure MyFile.txt is placed in the temp directory.");
Console.WriteLine("Press any key to continue...");
Console.ReadLine();
using (var stream = System.IO.File.OpenRead(@"C:\temp\MyFile.txt"))
blob.UploadFromStream(stream, stream.Length, null, options, null);
Console.WriteLine("File encrypted and uploaded....");
Console.WriteLine("Now use Storage Explorer or portal to retrive the encrypted file from the storage account and view it.");
Console.WriteLine("Press ANY Key to continue...");
Console.ReadLine();
Console.WriteLine("Now let's retrieve and decrypt...");
// In this case, we will not pass a key and only pass the resolver because
// this policy will only be used for downloading / decrypting.
BlobEncryptionPolicy policydecrypt = new BlobEncryptionPolicy(null, cloudResolver);
BlobRequestOptions optionsdecrypt = new BlobRequestOptions()
{
EncryptionPolicy = policydecrypt
};
using (var np = File.Open(@"C:\temp\MyFileDecrypted.txt", FileMode.Create))
blob.DownloadToStream(np, null, options, null);
Console.WriteLine("File Downloaded and decrypted as MyFileDecrypted.txt into the temp directory. Check it out!");
Console.WriteLine("Press ANY Key to continue...");
Console.ReadLine();
}
static void Main(string[] args)
{
CloudStorageAccount storageAccount = EncryptionShared.Utility.CreateStorageAccountFromConnectionString();
CloudBlobClient client = storageAccount.CreateCloudBlobClient();
CloudBlobContainer container = client.GetContainerReference(CloudConfigurationManager.GetSetting("Container"));
try
{
container.CreateIfNotExists();
Console.WriteLine("Blob encryption sample");
int size = 5 * 1024 * 1024;
byte[] buffer = new byte[size];
Random rand = new Random();
rand.NextBytes(buffer);
CloudBlockBlob blob = container.GetBlockBlobReference("blockblob");
blob.CreateSnapshot();
// Create the IKey used for encryption.
RsaKey key = new RsaKey("private:key1");
// Create the encryption policy to be used for upload.
BlobEncryptionPolicy uploadPolicy = new BlobEncryptionPolicy(key, null);
// Set the encryption policy on the request options.
BlobRequestOptions uploadOptions = new BlobRequestOptions()
{
EncryptionPolicy = uploadPolicy
};
Console.WriteLine("Uploading the encrypted blob.");
// Upload the encrypted contents to the blob.
using (MemoryStream stream = new MemoryStream(buffer))
{
blob.UploadFromStream(stream, size, null, uploadOptions, null);
}
// Download the encrypted blob.
// For downloads, a resolver can be set up that will help pick the key based on the key id.
LocalResolver resolver = new LocalResolver();
resolver.Add(key);
BlobEncryptionPolicy downloadPolicy = new BlobEncryptionPolicy(null, resolver);
// Set the decryption policy on the request options.
BlobRequestOptions downloadOptions = new BlobRequestOptions()
{
EncryptionPolicy = downloadPolicy
};
Console.WriteLine("Downloading the encrypted blob.");
// Download and decrypt the encrypted contents from the blob.
using (MemoryStream outputStream = new MemoryStream())
{
blob.DownloadToStream(outputStream, null, downloadOptions, null);
}
Console.WriteLine("Press enter key to exit");
//Console.ReadLine();
#region folder
//folder creation
CloudBlobDirectory directory = container.GetDirectoryReference("directoryName");
CloudBlockBlob blockblob = directory.GetBlockBlobReference("sample");
blockblob.UploadFromFile(@"C:\Users\RINGEL\Downloads\Angular.txt", FileMode.Open);
//listof Directories &files
DirectoryFile(container);
#endregion folder
#region sas
var sasPolicy = new SharedAccessBlobPolicy()
{
Permissions = SharedAccessBlobPermissions.Read,
SharedAccessStartTime = DateTime.Now.AddMinutes(-10),
SharedAccessExpiryTime = DateTime.Now.AddMinutes(30)
};
var sasTokenforcontainer = container.GetSharedAccessSignature(sasPolicy);
string sasTokenforblob = blob.GetSharedAccessSignature(sasPolicy);
#endregion sas
}
finally
{
container.DeleteIfExists();
}
}
public async Task <HttpResponseMessage> Get()
{
try
{
string[] testUsers = new string[]
{
"*****@*****.**",
"*****@*****.**",
"*****@*****.**",
"*****@*****.**",
"*****@*****.**",
"*****@*****.**",
"*****@*****.**",
"*****@*****.**",
"*****@*****.**"
};
string baseFileLoc = "C:/Users/tgs03_000/Downloads/SkinSelfies";
//if (Directory.Exists(baseFileLoc))
//{
// Directory.Delete(baseFileLoc, true);
//}
if (!Directory.Exists(baseFileLoc))
{
Directory.CreateDirectory(baseFileLoc);
}
List <Task> allTasks = new List <Task>();
List <string> nullEmails = new List <string>();
foreach (string userEmail in testUsers)
{
ServiceData.Models.User user = _userRepository.Search(u => u.Email == userEmail).FirstOrDefault();
DirectoryInfo userDir = Directory.CreateDirectory(Path.Combine(baseFileLoc, userEmail));
if (user == null)
{
nullEmails.Add(userEmail);
continue;
}
AboutUser userDetails = new AboutUser
{
Id = user.Id,
Email = user.Email,
Name = user.Name,
Dob = user.BirthDate
};
File.WriteAllText(Path.Combine(userDir.FullName, "AboutUser.txt"), JsonConvert.SerializeObject(userDetails, Formatting.Indented));
foreach (ServiceData.Models.UserCondition cond in user.Conditions)
{
ServiceData.Models.UserCondition fullCond = _conditionRepository.GetById(cond.Id);
string condPath = Path.Combine(userDir.FullName, cond.Id.ToString());
DirectoryInfo condDir = Directory.Exists(condPath)? new DirectoryInfo(condPath) : Directory.CreateDirectory(condPath);
AboutCondition condDetails = new AboutCondition
{
Id = user.Id,
Name = cond.Condition,
SkinRegion = fullCond.SkinRegion.BodyPart.Name + " - " + fullCond.SkinRegion.Name,
StartDate = cond.StartDate,
NumPhotos = fullCond.Photos.Count()
};
File.WriteAllText(Path.Combine(condDir.FullName, "AboutCondition.txt"), JsonConvert.SerializeObject(condDetails, Formatting.Indented));
foreach (ServiceData.Models.Photo photo in fullCond.Photos)
{
string filename = Path.Combine(condDir.FullName, photo.CreatedAt.ToString("yyyy-MM-dd-HH-mm-ss.") + Path.GetExtension(photo.Url));
if (File.Exists(filename))
{
continue;
}
CloudBlobContainer container = await GetBlobContainer();
Stream blobStream = new MemoryStream();
CloudBlob photoBlob = container.GetBlobReference(photo.Url.Replace(ConfidentialData.BlobStorageUrl, ""));
KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(ServerUtils.GetToken);
IKey rsa = await cloudResolver.ResolveKeyAsync(ConfidentialData.KeyLocation, CancellationToken.None);
BlobEncryptionPolicy policy = new BlobEncryptionPolicy(null, cloudResolver);
BlobRequestOptions options = new BlobRequestOptions()
{
EncryptionPolicy = policy
};
await photoBlob.DownloadToStreamAsync(blobStream, null, options, null);
blobStream.Position = 0;
using (var fileStream = File.Create(filename))
{
await blobStream.CopyToAsync(fileStream);
}
}
}
}
string nullString = "";
foreach (string nEmail in nullEmails)
{
nullString += nEmail + ", ";
}
return(Request.CreateResponse(HttpStatusCode.OK, "Files located at " + baseFileLoc + " Null emails: " + nullString));
}
catch (Exception e)
{
return(Request.CreateErrorResponse(HttpStatusCode.InternalServerError, e));
}
}
static void Main(string[] args)
{
Console.WriteLine("Blob encryption with Key Vault integration demonstrating key rotation from Key 1 to Key 2");
Console.WriteLine();
// Create two secrets and obtain their IDs. This is normally a one-time setup step.
// Although it is possible to use keys (rather than secrets) stored in Key Vault, this prevents caching.
// Therefore it is recommended to use secrets along with a caching resolver (see below).
string keyID1 = EncryptionShared.KeyVaultUtility.SetUpKeyVaultSecret("KeyRotationSampleSecret1");
string keyID2 = EncryptionShared.KeyVaultUtility.SetUpKeyVaultSecret("KeyRotationSampleSecret2");
// Retrieve storage account information from connection string
// How to create a storage connection string - https://azure.microsoft.com/en-us/documentation/articles/storage-configure-connection-string/
CloudStorageAccount storageAccount = EncryptionShared.Utility.CreateStorageAccountFromConnectionString();
CloudBlobClient client = storageAccount.CreateCloudBlobClient();
CloudBlobContainer container = client.GetContainerReference(DemoContainer + Guid.NewGuid().ToString("N"));
// Construct a resolver capable of looking up keys and secrets stored in Key Vault.
KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(EncryptionShared.KeyVaultUtility.GetAccessToken);
// Set up a caching resolver so the secrets can be cached on the client. This is the recommended usage
// pattern since the throttling targets for Storage and Key Vault services are orders of magnitude
// different.
CachingKeyResolver cachingResolver = new CachingKeyResolver(2, cloudResolver);
// Create key instances corresponding to the key IDs. This will cache the secrets.
IKey cloudKey1 = cachingResolver.ResolveKeyAsync(keyID1, CancellationToken.None).GetAwaiter().GetResult();
IKey cloudKey2 = cachingResolver.ResolveKeyAsync(keyID2, CancellationToken.None).GetAwaiter().GetResult();
// We begin with cloudKey1, and a resolver capable of resolving and caching Key Vault secrets.
BlobEncryptionPolicy encryptionPolicy = new BlobEncryptionPolicy(cloudKey1, cachingResolver);
client.DefaultRequestOptions.EncryptionPolicy = encryptionPolicy;
client.DefaultRequestOptions.RequireEncryption = true;
try
{
container.Create();
int size = 5 * 1024 * 1024;
byte[] buffer1 = new byte[size];
byte[] buffer2 = new byte[size];
Random rand = new Random();
rand.NextBytes(buffer1);
rand.NextBytes(buffer2);
// Upload the first blob using the secret stored in Azure Key Vault.
CloudBlockBlob blob = container.GetBlockBlobReference("blockblob1");
Console.WriteLine("Uploading Blob 1 using Key 1.");
// Upload the encrypted contents to the first blob.
using (MemoryStream stream = new MemoryStream(buffer1))
{
blob.UploadFromStream(stream, size);
}
Console.WriteLine("Downloading and decrypting Blob 1.");
// Download and decrypt the encrypted contents from the first blob.
using (MemoryStream outputStream = new MemoryStream())
{
blob.DownloadToStream(outputStream);
}
// At this point we will rotate our keys so new encrypted content will use the
// second key. Note that the same resolver is used, as this resolver is capable
// of decrypting blobs encrypted using either key.
Console.WriteLine("Rotating the active encryption key to Key 2.");
client.DefaultRequestOptions.EncryptionPolicy = new BlobEncryptionPolicy(cloudKey2, cachingResolver);
// Upload the second blob using the key stored in Azure Key Vault.
CloudBlockBlob blob2 = container.GetBlockBlobReference("blockblob2");
Console.WriteLine("Uploading Blob 2 using Key 2.");
// Upload the encrypted contents to the second blob.
using (MemoryStream stream = new MemoryStream(buffer2))
{
blob2.UploadFromStream(stream, size);
}
Console.WriteLine("Downloading and decrypting Blob 2.");
// Download and decrypt the encrypted contents from the second blob.
using (MemoryStream outputStream = new MemoryStream())
{
blob2.DownloadToStream(outputStream);
}
// Here we download and re-upload the first blob. This has the effect of updating
// the blob to use the new key.
using (MemoryStream memoryStream = new MemoryStream())
{
Console.WriteLine("Downloading and decrypting Blob 1.");
blob.DownloadToStream(memoryStream);
memoryStream.Seek(0, SeekOrigin.Begin);
Console.WriteLine("Re-uploading Blob 1 using Key 2.");
blob.UploadFromStream(memoryStream);
}
// For the purposes of demonstration, we now override the encryption policy to only recognize key 2.
BlobEncryptionPolicy key2OnlyPolicy = new BlobEncryptionPolicy(cloudKey2, null);
BlobRequestOptions key2OnlyOptions = new BlobRequestOptions()
{
EncryptionPolicy = key2OnlyPolicy
};
Console.WriteLine("Downloading and decrypting Blob 1.");
// The first blob can still be decrypted because it is using the second key.
using (MemoryStream outputStream = new MemoryStream())
{
blob.DownloadToStream(outputStream, options: key2OnlyOptions);
}
Console.WriteLine("Press enter key to exit");
Console.ReadLine();
}
finally
{
container.DeleteIfExists();
}
}
static void Main(string[] args)
{
Console.WriteLine("Blob encryption with Key Vault integration");
Console.WriteLine();
// Get the key ID from App.config if it exists.
string keyID = CloudConfigurationManager.GetSetting("KeyID");
// If no key ID was specified, we will create a new secret in Key Vault.
// To create a new secret, this client needs full permission to Key Vault secrets.
// Once the secret is created, its ID can be added to App.config. Once this is done,
// this client only needs read access to secrets.
if (string.IsNullOrEmpty(keyID))
{
Console.WriteLine("No secret specified in App.config.");
Console.WriteLine("Please enter the name of a new secret to create in Key Vault.");
Console.WriteLine("WARNING: This will delete any existing secret with the same name.");
Console.Write("Name of the new secret to create [{0}]: ", DefaultSecretName);
string newSecretName = Console.ReadLine().Trim();
if (string.IsNullOrEmpty(newSecretName))
{
newSecretName = DefaultSecretName;
}
// Although it is possible to use keys (rather than secrets) stored in Key Vault, this prevents caching.
// Therefore it is recommended to use secrets along with a caching resolver (see below).
keyID = EncryptionShared.KeyVaultUtility.SetUpKeyVaultSecret(newSecretName);
Console.WriteLine();
Console.WriteLine("Created a secret with ID: {0}", keyID);
Console.WriteLine("Copy the secret ID to App.config to reuse.");
Console.WriteLine();
}
// Retrieve storage account information from connection string
// How to create a storage connection string - https://azure.microsoft.com/en-us/documentation/articles/storage-configure-connection-string/
CloudStorageAccount storageAccount = EncryptionShared.Utility.CreateStorageAccountFromConnectionString();
CloudBlobClient client = storageAccount.CreateCloudBlobClient();
CloudBlobContainer container = client.GetContainerReference(DemoContainer + Guid.NewGuid().ToString("N"));
// Construct a resolver capable of looking up keys and secrets stored in Key Vault.
KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(EncryptionShared.KeyVaultUtility.GetAccessToken);
// To demonstrate how multiple different types of key can be used, we also create a local key and resolver.
// This key is temporary and won't be persisted.
RsaKey rsaKey = new RsaKey("rsakey");
LocalResolver resolver = new LocalResolver();
resolver.Add(rsaKey);
// If there are multiple key sources like Azure Key Vault and local KMS, set up an aggregate resolver as follows.
// This helps users to define a plug-in model for all the different key providers they support.
AggregateKeyResolver aggregateResolver = new AggregateKeyResolver()
.Add(resolver)
.Add(cloudResolver);
// Set up a caching resolver so the secrets can be cached on the client. This is the recommended usage
// pattern since the throttling targets for Storage and Key Vault services are orders of magnitude
// different.
CachingKeyResolver cachingResolver = new CachingKeyResolver(2, aggregateResolver);
// Create a key instance corresponding to the key ID. This will cache the secret.
IKey cloudKey = cachingResolver.ResolveKeyAsync(keyID, CancellationToken.None).GetAwaiter().GetResult();
try
{
container.Create();
int size = 5 * 1024 * 1024;
byte[] buffer = new byte[size];
Random rand = new Random();
rand.NextBytes(buffer);
// The first blob will use the key stored in Azure Key Vault.
CloudBlockBlob blob = container.GetBlockBlobReference("blockblob1");
// Create the encryption policy using the secret stored in Azure Key Vault to be used for upload.
BlobEncryptionPolicy uploadPolicy = new BlobEncryptionPolicy(cloudKey, null);
// Set the encryption policy on the request options.
BlobRequestOptions uploadOptions = new BlobRequestOptions()
{
EncryptionPolicy = uploadPolicy
};
Console.WriteLine("Uploading the 1st encrypted blob.");
// Upload the encrypted contents to the blob.
using (MemoryStream stream = new MemoryStream(buffer))
{
blob.UploadFromStream(stream, size, null, uploadOptions);
}
// Download the encrypted blob.
BlobEncryptionPolicy downloadPolicy = new BlobEncryptionPolicy(null, cachingResolver);
// Set the decryption policy on the request options.
BlobRequestOptions downloadOptions = new BlobRequestOptions()
{
EncryptionPolicy = downloadPolicy
};
Console.WriteLine("Downloading the 1st encrypted blob.");
// Download and decrypt the encrypted contents from the blob.
using (MemoryStream outputStream = new MemoryStream())
{
blob.DownloadToStream(outputStream, null, downloadOptions);
}
// Upload second blob using the local key.
blob = container.GetBlockBlobReference("blockblob2");
// Create the encryption policy using the local key.
uploadPolicy = new BlobEncryptionPolicy(rsaKey, null);
// Set the encryption policy on the request options.
uploadOptions = new BlobRequestOptions()
{
EncryptionPolicy = uploadPolicy
};
Console.WriteLine("Uploading the 2nd encrypted blob.");
// Upload the encrypted contents to the blob.
using (MemoryStream stream = new MemoryStream(buffer))
{
blob.UploadFromStream(stream, size, null, uploadOptions);
}
// Download the encrypted blob. The same policy and options created before can be used because the aggregate resolver contains both
// resolvers and will pick the right one based on the key ID stored in blob metadata on the service.
Console.WriteLine("Downloading the 2nd encrypted blob.");
// Download and decrypt the encrypted contents from the blob.
using (MemoryStream outputStream = new MemoryStream())
{
blob.DownloadToStream(outputStream, null, downloadOptions);
}
Console.WriteLine("Press enter key to exit");
Console.ReadLine();
}
finally
{
container.DeleteIfExists();
}
}
