public FileStreamResult File(string filename) { var stockpickFormsAzurequeueConnectionstring = "Stockpick.Forms.AzureQueue.Connectionstring"; var connectionstring = Sitecore.Configuration.Settings.GetSetting(stockpickFormsAzurequeueConnectionstring); Microsoft.WindowsAzure.Storage.CloudStorageAccount storageAccount = Microsoft.WindowsAzure.Storage.CloudStorageAccount.Parse(connectionstring); var cloudBlobClient = storageAccount.CreateCloudBlobClient(); var blobContainer = cloudBlobClient.GetContainerReference("stockpickformsblob"); blobContainer.CreateIfNotExists(); var cloudResolver = new KeyVaultKeyResolver(Keyvault.GetToken); var url = Sitecore.Configuration.Settings.GetSetting("Stockpick.Forms.KeyFault.Key.URL"); if (string.IsNullOrEmpty(url)) { Log.Error("config key Stockpick.Forms.KeyFault.Key.URL is emty", this); } var key = cloudResolver.ResolveKeyAsync(url, CancellationToken.None).GetAwaiter().GetResult(); CloudBlockBlob blob = blobContainer.GetBlockBlobReference(filename); BlobEncryptionPolicy policy = new BlobEncryptionPolicy(null, cloudResolver); BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy }; Stream blobStream = blob.OpenRead(null, options); return(new FileStreamResult(blobStream, "application/x-binary")); }
public async Task SaveContentAsync(EncryptedFile fileInfo, IFormFile formFile) { if (fileInfo == null) { return; } var blobParts = fileInfo.BlobName.Split(ContainerNameSeparator); var containerName = blobParts[0]; var blobName = blobParts[1]; var contain = _cloudBlobClient.GetContainerReference(containerName); contain.CreateIfNotExists(); var rsa = await _cloudResolver.ResolveKeyAsync( _fileStorageKey, CancellationToken.None); var policy = new BlobEncryptionPolicy(rsa, null); var options = new BlobRequestOptions { EncryptionPolicy = policy }; var blob = contain.GetBlockBlobReference(blobName); using (var stream = formFile.OpenReadStream()) { // Options object is containing all information about the await blob.UploadFromStreamAsync(stream, stream.Length, null, options, null); } }
private BlobEncryptionPolicy GetEncryptionPolicyForDownload() { var keyResolver = new KeyVaultKeyResolver(_keyVaultClient); var blobEncryptionPolicy = new BlobEncryptionPolicy(null, keyResolver); return(blobEncryptionPolicy); }
public async Task <KeyValuePair <string, MemoryStream> > DownloadDocumentAsync(Guid documentId, Guid customerId) { var storageAccount = CloudStorageAccount.Parse(ConfigurationManager.ConnectionStrings["DocumentStore"].ConnectionString); var blobClient = storageAccount.CreateCloudBlobClient(); var container = blobClient.GetContainerReference(customerId.ToString().ToLower()); var dbContext = new DashDocsContext(); var document = await dbContext.Documents.SingleAsync(d => d.Id == documentId); var keyvaultResolver = new KeyVaultKeyResolver(GetToken); var encryptionPolicy = new BlobEncryptionPolicy(null, keyvaultResolver); var requestOptions = new BlobRequestOptions { EncryptionPolicy = encryptionPolicy }; var block = container.GetBlockBlobReference(document.BlobPath); var stream = new MemoryStream(); await block.DownloadToStreamAsync(stream, null, requestOptions, null); var content = new KeyValuePair <string, MemoryStream>(document.DocumentName, stream); return(content); }
public async Task <Stream> GetContentAsync(EncryptedFile fileInfo) { if (fileInfo.BlobName == null) { return(null); } var blobParts = fileInfo.BlobName.Split(ContainerNameSeparator); var containerName = blobParts[0]; var blobName = blobParts[1]; var contain = _cloudBlobClient.GetContainerReference(containerName); contain.CreateIfNotExists(); var policy = new BlobEncryptionPolicy(null, _cloudResolver); var options = new BlobRequestOptions { EncryptionPolicy = policy }; var blob = contain.GetBlockBlobReference(blobName); // Options object is containing all information about the return(await blob.OpenReadAsync(null, options, null)); }
public static IActionResult RunDecryptBlobFile( [HttpTrigger(AuthorizationLevel.Function, "post", Route = null)] HttpRequest req, ILogger log, ExecutionContext executionContext) { log.LogInformation("DecryptBlobFile Custom Skill: C# HTTP trigger function processed a request."); string skillName = executionContext.FunctionName; IEnumerable <WebApiRequestRecord> requestRecords = WebApiSkillHelpers.GetRequestRecords(req); if (requestRecords == null) { return(new BadRequestObjectResult($"{skillName} - Invalid request record array.")); } // Set up access to keyvault to retrieve the key to decrypt the document with // Requires that this Azure Function has access via managed identity to the Keyvault where the key is stored. var azureServiceTokenProvider1 = new AzureServiceTokenProvider(); var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider1.KeyVaultTokenCallback)); KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(kv); BlobEncryptionPolicy policy = new BlobEncryptionPolicy(null, cloudResolver); BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy }; WebApiSkillResponse response = WebApiSkillHelpers.ProcessRequestRecords(skillName, requestRecords, (inRecord, outRecord) => { string blobUrl = (inRecord.Data.TryGetValue("blobUrl", out object blobUrlObject) ? blobUrlObject : null) as string; string sasToken = (inRecord.Data.TryGetValue("sasToken", out object sasTokenObject) ? sasTokenObject : null) as string; if (string.IsNullOrWhiteSpace(blobUrl)) { outRecord.Errors.Add(new WebApiErrorWarningContract() { Message = $"Parameter '{nameof(blobUrl)}' is required to be present and a valid uri." }); return(outRecord); } CloudBlockBlob blob = new CloudBlockBlob(new Uri(WebApiSkillHelpers.CombineSasTokenWithUri(blobUrl, sasToken))); byte[] decryptedFileData; using (var np = new MemoryStream()) { blob.DownloadToStream(np, null, options, null); decryptedFileData = np.ToArray(); } FileReference decryptedFileReference = new FileReference() { data = Convert.ToBase64String(decryptedFileData) }; JObject jObject = JObject.FromObject(decryptedFileReference); jObject["$type"] = "file"; outRecord.Data["decrypted_file_data"] = jObject; return(outRecord); });
public async override Task ExecutePostProcessingAsync() { KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(ServerUtils.GetToken); IKey rsa = await cloudResolver.ResolveKeyAsync(ConfidentialData.KeyLocation, CancellationToken.None); foreach (var file in FileData) { string fileName = Path.GetFileName(file.Headers.ContentDisposition.FileName.Trim('"')); var blob = _container.GetBlockBlobReference(Path.Combine(currentFilePath, fileName)); BlobEncryptionPolicy policy = new BlobEncryptionPolicy(rsa, null); BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy }; using (var stream = File.OpenRead(file.LocalFileName)) { await blob.UploadFromStreamAsync(stream, stream.Length, null, options, null); } Urls.Add(blob.Uri.AbsoluteUri); string ext = Path.GetExtension(fileName); if (ext == ".jpeg" || ext == ".jpg") { Image original = Image.FromFile(file.LocalFileName); float ratio = (float)original.Width / (float)original.Height; SizeF newSize = new SizeF(350 * ratio, 350); Image thumb = original.GetThumbnailImage((int)newSize.Width, (int)newSize.Height, null, IntPtr.Zero); string thumbName = Path.GetFileNameWithoutExtension(fileName) + "_thumb.jpg"; var thumbBlob = _container.GetBlockBlobReference(Path.Combine(currentFilePath, thumbName)); MemoryStream thumbStream = new MemoryStream(); thumb.Save(thumbStream, System.Drawing.Imaging.ImageFormat.Jpeg); thumbStream.Position = 0; await thumbBlob.UploadFromStreamAsync(thumbStream, thumbStream.Length, null, options, null); Urls.Add(thumbBlob.Uri.AbsoluteUri); } try { File.Delete(file.LocalFileName); } catch (Exception e) { } } }
private async Task <BlobEncryptionPolicy> GetEncryptionPolicyForUpload(EncryptedBlobAttribute config, string keyName, CancellationToken cancellationToken) { var kid = await _keyVaultClient.GetKidByName(config, keyName, cancellationToken) ?? throw new ArgumentException(nameof(EncryptedBlobAttribute.KeyName)); var keyResolver = new KeyVaultKeyResolver(_keyVaultClient); var key = await keyResolver.ResolveKeyAsync(kid, cancellationToken); var blobEncryptionPolicy = new BlobEncryptionPolicy(key, null); return(blobEncryptionPolicy); }
public BlobDecryptStream(Stream userStream, IDictionary <string, string> metadata, long?userProvidedLength, int discardFirst, bool bufferIV, bool noPadding, BlobEncryptionPolicy policy, bool?requireEncryption) { this.userStream = userStream; this.metadata = metadata; this.userProvidedLength = userProvidedLength; this.discardFirst = discardFirst; this.encryptionPolicy = policy; this.bufferIV = bufferIV; this.noPadding = noPadding; this.requireEncryption = requireEncryption; }
public async Task <HttpResponseMessage> Get(string imageId, bool thumb = false) { int id; if (string.IsNullOrEmpty(imageId) || !Int32.TryParse(imageId, out id)) { return(Request.CreateResponse(HttpStatusCode.BadRequest)); } ServiceData.Models.Photo found = _photoRepository.GetById(id); if (found == null) { return(Request.CreateResponse(HttpStatusCode.NotFound)); } ServiceData.Models.UserCondition foundCond = _conditionRepository.GetById(found.UserCondition.Id); if (foundCond.Owner.Email != User.Identity.Name) { return(Request.CreateResponse(HttpStatusCode.Forbidden)); } string target = (thumb) ? found.ThumbUrl : found.Url; CloudBlobContainer container = await GetBlobContainer(); Stream blobStream = new MemoryStream(); CloudBlob photoBlob = container.GetBlobReference(target.Replace(ConfidentialData.BlobStorageUrl, "")); KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(ServerUtils.GetToken); IKey rsa = await cloudResolver.ResolveKeyAsync(ConfidentialData.KeyLocation, CancellationToken.None); BlobEncryptionPolicy policy = new BlobEncryptionPolicy(null, cloudResolver); BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy }; await photoBlob.DownloadToStreamAsync(blobStream, null, options, null); blobStream.Position = 0; HttpResponseMessage response = new HttpResponseMessage(HttpStatusCode.OK); response.Content = new StreamContent(blobStream); response.Content.Headers.ContentDisposition = new System.Net.Http.Headers.ContentDispositionHeaderValue("attachment"); response.Content.Headers.ContentDisposition.FileName = imageId + Path.GetExtension(target); string eventName = thumb ? "DownloadThumb" : "DownloadImage"; ServerUtils.LogTelemetryEvent(User.Identity.Name, eventName); return(response); }
private static async Task DownloadBlobAsync(CloudBlob blob, KeyVaultKeyResolver cloudResolver) { BlobEncryptionPolicy policy = new BlobEncryptionPolicy(null, cloudResolver); BlobRequestOptions options = new BlobRequestOptions { EncryptionPolicy = policy }; using (var np = File.Open("DownloadedData.txt", FileMode.Create)) { await blob.DownloadToStreamAsync(np, null, options, null); } }
static void Main(string[] args) { // This is standard code to interact with Blob storage. StorageCredentials creds = new StorageCredentials( CloudConfigurationManager.GetSetting("accountName"), CloudConfigurationManager.GetSetting("accountKey")); CloudStorageAccount account = new CloudStorageAccount(creds, useHttps: true); CloudBlobClient client = account.CreateCloudBlobClient(); CloudBlobContainer contain = client.GetContainerReference(CloudConfigurationManager.GetSetting("container")); contain.CreateIfNotExists(); // The Resolver object is used to interact with Key Vault for Azure Storage. // This is where the GetToken method from above is used. KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(GetToken); //Encrypt Blob and upload // Retrieve the key that you created previously. // The IKey that is returned here is an RsaKey. var rsa = cloudResolver.ResolveKeyAsync( "https://phupaa-vault.vault.azure.net/keys/key01", CancellationToken.None).GetAwaiter().GetResult(); // Now you simply use the RSA key to encrypt by setting it in the BlobEncryptionPolicy. BlobEncryptionPolicy policy = new BlobEncryptionPolicy(rsa, null); BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy }; // Reference a block blob. CloudBlockBlob blob = contain.GetBlockBlobReference("MyFile.txt"); // Upload using the UploadFromStream method. using (var stream = System.IO.File.OpenRead(@"C:\Temp\MyFile.txt")) blob.UploadFromStream(stream, stream.Length, null, options, null); //Decrypt blob // In this case, we will not pass a key and only pass the resolver because // this policy will only be used for downloading / decrypting. BlobEncryptionPolicy policy2 = new BlobEncryptionPolicy(null, cloudResolver); BlobRequestOptions options2 = new BlobRequestOptions() { EncryptionPolicy = policy }; using (var np = File.Open(@"C:\temp\MyFileDecrypted.txt", FileMode.Create)) blob.DownloadToStream(np, null, options, null); }
private static async Task <CloudBlockBlob> UploadBlobAsync(CloudBlobContainer container, IKey key) { BlobEncryptionPolicy policy = new BlobEncryptionPolicy(key, null); BlobRequestOptions options = new BlobRequestOptions { EncryptionPolicy = policy }; CloudBlockBlob blob = container.GetBlockBlobReference("MyFile.txt"); using (var stream = File.OpenRead("Data.txt")) { await blob.UploadFromStreamAsync(stream, stream.Length, null, options, null); } return(blob); }
public BlobStorageProvider(string connectionString, RsaKey key = null) { this.storageAccount = CloudStorageAccount.Parse(connectionString); this.encoding = Encoding.UTF8; // Create the encryption policy to be used for upload and download. BlobEncryptionPolicy policy = new BlobEncryptionPolicy(key, null); this.options = new BlobRequestOptions { RequireEncryption = key != null, EncryptionPolicy = policy }; blobClient = storageAccount.CreateCloudBlobClient(); }
static async Task MainAsync(string[] args) { try { string storageEndPoint = ConfigurationManager.AppSettings["StorageEndPoint"]; Console.WriteLine("Login..."); var result = await AcquireTokenWithUserInteraction(); // Use the access token to create the storage credentials. TokenCredential tokenCredential = new TokenCredential(result.AccessToken); StorageCredentials storageCredentials = new StorageCredentials(tokenCredential); CloudBlobContainer blobContainer = new CloudBlobContainer(new StorageUri(new Uri(storageEndPoint)), storageCredentials); var symKey = await GetCustomKey(createKey : true); Console.WriteLine("Upload File"); var blobFileCrypt = blobContainer.GetBlockBlobReference("AuthenticationStorageAccountFx.exe.config.cryp"); BlobEncryptionPolicy policy = new BlobEncryptionPolicy(symKey, null); BlobRequestOptions options = new BlobRequestOptions { EncryptionPolicy = policy, RequireEncryption = true, StoreBlobContentMD5 = true }; OperationContext context = new OperationContext(); context.LogLevel = Microsoft.WindowsAzure.Storage.LogLevel.Verbose; await blobFileCrypt.UploadFromFileAsync("AuthenticationStorageAccountFx.exe.config", null, options, context); var blobFile = blobContainer.GetBlockBlobReference("AuthenticationStorageAccountFx.exe.config"); await blobFile.UploadFromFileAsync("AuthenticationStorageAccountFx.exe.config", null, null, context); var blobs = blobContainer.ListBlobs(); Console.WriteLine("List Blobs"); foreach (var b in blobs) { Console.WriteLine(b.Uri.ToString()); } Console.WriteLine("Upload succeeded !!"); } catch (Exception exc) { Console.WriteLine("Something went wrong."); Console.WriteLine("Message: " + exc.Message + "\n"); } }
private static async Task <string> RetrieveAndDecrypt(CloudBlobContainer blobContainer, string id) { var azureServiceTokenProvider = new AzureServiceTokenProvider(); var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); var resolver = new KeyVaultKeyResolver(client); //no need to provide key vault key id - stored in blob meta data var policy = new BlobEncryptionPolicy(null, resolver); var options = new BlobRequestOptions() { EncryptionPolicy = policy }; var blobRef = blobContainer.GetBlockBlobReference(id); var ms = new MemoryStream(); await blobRef.DownloadToStreamAsync(ms, null, options, null); return(Encoding.UTF8.GetString(ms.ToArray())); }
public async Task <ActionResult> Download(string imageId, bool thumb = false) { int id; if (string.IsNullOrEmpty(imageId) || !Int32.TryParse(imageId, out id)) { return(new HttpUnauthorizedResult()); } IReadWriteRepository <ServiceData.Models.Photo> _photoRepository = new PhotoRepository(); IReadWriteRepository <ServiceData.Models.UserCondition> _condRepository = new UserConditionsRepository(); ServiceData.Models.Photo found = _photoRepository.GetById(id); if (found == null) { return(new HttpNotFoundResult()); } ServiceData.Models.UserCondition foundCond = _condRepository.GetById(found.UserCondition.Id); if (!IsSharedOrOwned(foundCond)) { return(new HttpUnauthorizedResult()); } string target = (thumb) ? found.ThumbUrl : found.Url; CloudBlobContainer container = await UploadController.GetBlobContainer(); Stream blobStream = new MemoryStream(); CloudBlob photoBlob = container.GetBlobReference(target.Replace(ConfidentialData.BlobStorageUrl, "")); KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(ServerUtils.GetToken); IKey rsa = await cloudResolver.ResolveKeyAsync(ConfidentialData.KeyLocation, CancellationToken.None); BlobEncryptionPolicy policy = new BlobEncryptionPolicy(null, cloudResolver); BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy }; await photoBlob.DownloadToStreamAsync(blobStream, null, options, null); blobStream.Position = 0; return(File(blobStream, "image/jpeg")); }
//Upload a blob from a stream to a named container, using a KeyVault Key to dynamically encryprt the file public void WriteBlobFile(string FileName, string BlobName, string ContainerName, Microsoft.Azure.KeyVault.Core.IKey Key) { CloudBlobContainer container = GetContainerRefference(ContainerName); // Now you simply use the RSA key to encrypt by setting it in the BlobEncryptionPolicy. BlobEncryptionPolicy policy = new BlobEncryptionPolicy(Key, null); BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy }; // Retrieve reference to a blob named "myblob". CloudBlockBlob blockBlob = container.GetBlockBlobReference(BlobName); // Create or overwrite the "FileName" blob with contents from FileStream, using encryption option blockBlob.UploadFromFile(FileName, null, options, null); }
//Read Encrypted blob to a Stream from a container public Stream GetBlobStream(string BlobName, string ContainerName, KeyVaultKeyResolver KeyResolver) { CloudBlobContainer container = GetContainerRefference(ContainerName); // In this case, we will not pass a key and only pass the resolver because // this policy will only be used for downloading / decrypting. BlobEncryptionPolicy policy = new BlobEncryptionPolicy(null, KeyResolver); BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy }; // Retrieve reference to a blob named "myblob". CloudBlockBlob blob = container.GetBlockBlobReference(BlobName); return(blob.OpenRead(null, options, null)); }
//Read Encrypted blob to a File at the path location specified from a container public void GetBlobFile(string BlobName, string ContainerName, string DestinationPath, KeyVaultKeyResolver KeyResolver) { CloudBlobContainer container = GetContainerRefference(ContainerName); // In this case, we will not pass a key and only pass the resolver because // this policy will only be used for downloading / decrypting. BlobEncryptionPolicy policy = new BlobEncryptionPolicy(null, KeyResolver); BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy }; // Retrieve reference to a blob named "myblob". CloudBlockBlob blob = container.GetBlockBlobReference(BlobName); Directory.CreateDirectory(new FileInfo(DestinationPath).Directory.ToString()); blob.DownloadToFile(DestinationPath, FileMode.Create, null, options, null); }
private void RetriveRSA(KeyVaultKeyResolver cloudResolver, CloudBlobContainer contain) { log.LogInformation($"validando chave externa de integração rsa"); log.LogInformation("recebendo parametros [endpoint]"); // Retrieve the key that you created previously. // The IKey that is returned here is an RsaKey. var rsa = cloudResolver.ResolveKeyAsync(app.Endpoint, CancellationToken.None) .GetAwaiter().GetResult(); log.LogInformation($"chave rsa gerada com sucesso"); log.LogInformation($"algoritimo {rsa.DefaultEncryptionAlgorithm}"); log.LogInformation($"hash {rsa.DefaultKeyWrapAlgorithm}"); log.LogInformation($"assinatura {rsa.DefaultSignatureAlgorithm}"); // Now you simply use the RSA key to encrypt by setting it in the BlobEncryptionPolicy. var policy = new BlobEncryptionPolicy(rsa, null); var options = new BlobRequestOptions() { EncryptionPolicy = policy }; log.LogInformation($"iniciando teste de upload no blob com autenticação segura"); log.LogInformation($"validando referencia do blob para File.txt"); // Reference a block blob. CloudBlockBlob blob = contain.GetBlockBlobReference("File.txt"); log.LogInformation($"iniciando processo de upload"); // Upload using the UploadFromStream method. using var stream = File.OpenRead(Directory.GetCurrentDirectory() + "\\File.txt"); blob.UploadFromStream(stream, stream.Length, null, options, null); log.LogInformation($"valide se o arquivo File.txt é "); }
public EncryptedBlobHandler(CloudBlobContainer container, string key = null) : base(container) { RsaKey _Key = null; // We are encrypting these values with the strongest encryption key // on God's green earth: Chuck Norris // unless someone gives me a better one // like THAT exists! if (key == null) { _Key = new RsaKey("private:ChuckNorris"); } else { _Key = new RsaKey(key); } // Local Resolver holds and keeps track of our key so we can // use it over and over again. LocalResolver.Current.Add(_Key); // A Policy is created to tell it what key to use to upload BlobEncryptionPolicy policy = new BlobEncryptionPolicy(_Key, null); // A policy is created to tell it what key to use to download BlobEncryptionPolicy downloadPolicy = new BlobEncryptionPolicy(null, LocalResolver.Current); // The actual parameter when we upload/download is a BlobRequestOptions object // So we load those in preperation of uploading or downloading _BlobUploadEncryptionOptions = new BlobRequestOptions() { EncryptionPolicy = policy }; _BlobDownloadEncryptionOptions = new BlobRequestOptions() { EncryptionPolicy = downloadPolicy }; }
private static async Task EncryptAndStore(CloudBlobContainer blobContainer, string text, string id) { var azureServiceTokenProvider = new AzureServiceTokenProvider(); var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); var resolver = new KeyVaultKeyResolver(client); var rsa = await resolver.ResolveKeyAsync(Environment.GetEnvironmentVariable("RsaVaultKey"), CancellationToken.None); var policy = new BlobEncryptionPolicy(rsa, null); var options = new BlobRequestOptions() { EncryptionPolicy = policy }; var blob = blobContainer.GetBlockBlobReference(id); var bytes = Encoding.UTF8.GetBytes(text); using (Stream stream = new MemoryStream(bytes)) { await blob.UploadFromStreamAsync(stream, bytes.Length, null, options, null); } }
private void StoreFiles(CloudStorageAccount storageAccount, FormSubmitContext formSubmitContext, IEnumerable <Guid> fileIds) { var cloudBlobClient = storageAccount.CreateCloudBlobClient(); var blob = cloudBlobClient.GetContainerReference("stockpickformsblob"); blob.CreateIfNotExists(); var cloudResolver = new KeyVaultKeyResolver(Keyvault.GetToken); var url = Sitecore.Configuration.Settings.GetSetting("Stockpick.Forms.KeyFault.Key.URL"); if (string.IsNullOrEmpty(url)) { Log.Error("config key Stockpick.Forms.KeyFault.Key.URL is emty", this); } var key = cloudResolver.ResolveKeyAsync(url, CancellationToken.None).GetAwaiter().GetResult(); foreach (var gui in fileIds) { var file = FileStorageProvider.GetFile(gui); if (file != null) { Log.Info("Upload to Cloud storage file " + file.FileInfo.FileName + " as " + gui.ToString() + " using key kid:" + key.Kid, this); BlobEncryptionPolicy policy = new BlobEncryptionPolicy(key, null); BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy }; CloudBlockBlob cloudBlockBlob = blob.GetBlockBlobReference(gui.ToString()); using (var filestream = file.File) { cloudBlockBlob.UploadFromStream(filestream, null, options, null); } } } }
public async Task <string> UploadDocumentAsync(HttpPostedFileBase documentFile, Guid customerId, Guid documentId) { var storageAccount = CloudStorageAccount.Parse(ConfigurationManager.ConnectionStrings["DocumentStore"].ConnectionString); var blobClient = storageAccount.CreateCloudBlobClient(); var container = blobClient.GetContainerReference(customerId.ToString().ToLower()); await container.CreateIfNotExistsAsync(); var keyvaultResolver = new KeyVaultKeyResolver(GetToken); var key = await keyvaultResolver.ResolveKeyAsync(KEY_URI, CancellationToken.None); var encryptionPolicy = new BlobEncryptionPolicy(key, null); var requestOptions = new BlobRequestOptions { EncryptionPolicy = encryptionPolicy }; var blobRelativePath = documentId.ToString().ToLower() + "/" + Path.GetFileName(documentFile.FileName).ToLower(); var block = container.GetBlockBlobReference(blobRelativePath); await block.UploadFromStreamAsync(documentFile.InputStream, documentFile.InputStream.Length, null, requestOptions, null); return(blobRelativePath); }
static void Main(string[] args) { /* OVERVIEW OF HOW THIS WORKS : * The Azure Storage client SDK generates a content encryption key(CEK), which is a * one - time - use symmetric key. Customer data is encrypted using this CEK. * The CEK is then wrapped (encrypted) using the key encryption key(KEK). * The KEK is identified by a key identifier and can be managed locally or stored in Azure Key * Vault. * The Storage client itself never has access to the KEK. It just invokes the key wrapping * algorithm that is provided by Key Vault. * The encrypted data is then uploaded to the Azure Storage service. * * Decryption is really when using the Resolver classes make sense. * The ID of the key used for encryption is associated with the blob in its metadata, so there * is no reason for you to retrieve the key and remember the * association between key and blob.You just have to make sure that the key remains in Key Vault. * The private key of an RSA Key remains in Key Vault, so for decryption to occur, the Encrypted * Key from the blob metadata that contains the CEK is sent to * Key Vault for decryption.*/ Console.WriteLine("Azure Key Vault Demo : Encryption and decryption of a file."); Console.WriteLine("Please enter storage account NAME :"); var accountN = Console.ReadLine(); Console.WriteLine("Please enter storage account KEY :"); var accountK = Console.ReadLine(); // This is standard code to interact with Blob storage. StorageCredentials creds = new StorageCredentials( accountN, accountK); CloudStorageAccount account = new CloudStorageAccount(creds, useHttps: true); CloudBlobClient client = account.CreateCloudBlobClient(); CloudBlobContainer contain = client.GetContainerReference(ConfigurationManager.AppSettings["container"]); contain.CreateIfNotExists(); // The Resolver object is used to interact with Key Vault for Azure Storage. // This is where the GetToken method from above is used. KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(GetToken); // Retrieve the key that you created previously. // The IKey that is returned here is an RsaKey. // Console.WriteLine("Please enter URL of key, for example : https://myKeyVault.vault.azure.net/keys/MyKeyDemo"); var kv = Console.ReadLine(); var rsa = cloudResolver.ResolveKeyAsync(kv, CancellationToken.None).GetAwaiter().GetResult(); // Now you simply use the RSA key to encrypt by setting it in the BlobEncryptionPolicy. BlobEncryptionPolicy policy = new BlobEncryptionPolicy(rsa, null); BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy }; // Reference a block blob. CloudBlockBlob blob = contain.GetBlockBlobReference("MyFile.txt"); // Upload using the UploadFromStream method. Console.WriteLine("Ensure MyFile.txt is placed in the temp directory."); Console.WriteLine("Press any key to continue..."); Console.ReadLine(); using (var stream = System.IO.File.OpenRead(@"C:\temp\MyFile.txt")) blob.UploadFromStream(stream, stream.Length, null, options, null); Console.WriteLine("File encrypted and uploaded...."); Console.WriteLine("Now use Storage Explorer or portal to retrive the encrypted file from the storage account and view it."); Console.WriteLine("Press ANY Key to continue..."); Console.ReadLine(); Console.WriteLine("Now let's retrieve and decrypt..."); // In this case, we will not pass a key and only pass the resolver because // this policy will only be used for downloading / decrypting. BlobEncryptionPolicy policydecrypt = new BlobEncryptionPolicy(null, cloudResolver); BlobRequestOptions optionsdecrypt = new BlobRequestOptions() { EncryptionPolicy = policydecrypt }; using (var np = File.Open(@"C:\temp\MyFileDecrypted.txt", FileMode.Create)) blob.DownloadToStream(np, null, options, null); Console.WriteLine("File Downloaded and decrypted as MyFileDecrypted.txt into the temp directory. Check it out!"); Console.WriteLine("Press ANY Key to continue..."); Console.ReadLine(); }
static void Main(string[] args) { CloudStorageAccount storageAccount = EncryptionShared.Utility.CreateStorageAccountFromConnectionString(); CloudBlobClient client = storageAccount.CreateCloudBlobClient(); CloudBlobContainer container = client.GetContainerReference(CloudConfigurationManager.GetSetting("Container")); try { container.CreateIfNotExists(); Console.WriteLine("Blob encryption sample"); int size = 5 * 1024 * 1024; byte[] buffer = new byte[size]; Random rand = new Random(); rand.NextBytes(buffer); CloudBlockBlob blob = container.GetBlockBlobReference("blockblob"); blob.CreateSnapshot(); // Create the IKey used for encryption. RsaKey key = new RsaKey("private:key1"); // Create the encryption policy to be used for upload. BlobEncryptionPolicy uploadPolicy = new BlobEncryptionPolicy(key, null); // Set the encryption policy on the request options. BlobRequestOptions uploadOptions = new BlobRequestOptions() { EncryptionPolicy = uploadPolicy }; Console.WriteLine("Uploading the encrypted blob."); // Upload the encrypted contents to the blob. using (MemoryStream stream = new MemoryStream(buffer)) { blob.UploadFromStream(stream, size, null, uploadOptions, null); } // Download the encrypted blob. // For downloads, a resolver can be set up that will help pick the key based on the key id. LocalResolver resolver = new LocalResolver(); resolver.Add(key); BlobEncryptionPolicy downloadPolicy = new BlobEncryptionPolicy(null, resolver); // Set the decryption policy on the request options. BlobRequestOptions downloadOptions = new BlobRequestOptions() { EncryptionPolicy = downloadPolicy }; Console.WriteLine("Downloading the encrypted blob."); // Download and decrypt the encrypted contents from the blob. using (MemoryStream outputStream = new MemoryStream()) { blob.DownloadToStream(outputStream, null, downloadOptions, null); } Console.WriteLine("Press enter key to exit"); //Console.ReadLine(); #region folder //folder creation CloudBlobDirectory directory = container.GetDirectoryReference("directoryName"); CloudBlockBlob blockblob = directory.GetBlockBlobReference("sample"); blockblob.UploadFromFile(@"C:\Users\RINGEL\Downloads\Angular.txt", FileMode.Open); //listof Directories &files DirectoryFile(container); #endregion folder #region sas var sasPolicy = new SharedAccessBlobPolicy() { Permissions = SharedAccessBlobPermissions.Read, SharedAccessStartTime = DateTime.Now.AddMinutes(-10), SharedAccessExpiryTime = DateTime.Now.AddMinutes(30) }; var sasTokenforcontainer = container.GetSharedAccessSignature(sasPolicy); string sasTokenforblob = blob.GetSharedAccessSignature(sasPolicy); #endregion sas } finally { container.DeleteIfExists(); } }
public async Task <HttpResponseMessage> Get() { try { string[] testUsers = new string[] { "*****@*****.**", "*****@*****.**", "*****@*****.**", "*****@*****.**", "*****@*****.**", "*****@*****.**", "*****@*****.**", "*****@*****.**", "*****@*****.**" }; string baseFileLoc = "C:/Users/tgs03_000/Downloads/SkinSelfies"; //if (Directory.Exists(baseFileLoc)) //{ // Directory.Delete(baseFileLoc, true); //} if (!Directory.Exists(baseFileLoc)) { Directory.CreateDirectory(baseFileLoc); } List <Task> allTasks = new List <Task>(); List <string> nullEmails = new List <string>(); foreach (string userEmail in testUsers) { ServiceData.Models.User user = _userRepository.Search(u => u.Email == userEmail).FirstOrDefault(); DirectoryInfo userDir = Directory.CreateDirectory(Path.Combine(baseFileLoc, userEmail)); if (user == null) { nullEmails.Add(userEmail); continue; } AboutUser userDetails = new AboutUser { Id = user.Id, Email = user.Email, Name = user.Name, Dob = user.BirthDate }; File.WriteAllText(Path.Combine(userDir.FullName, "AboutUser.txt"), JsonConvert.SerializeObject(userDetails, Formatting.Indented)); foreach (ServiceData.Models.UserCondition cond in user.Conditions) { ServiceData.Models.UserCondition fullCond = _conditionRepository.GetById(cond.Id); string condPath = Path.Combine(userDir.FullName, cond.Id.ToString()); DirectoryInfo condDir = Directory.Exists(condPath)? new DirectoryInfo(condPath) : Directory.CreateDirectory(condPath); AboutCondition condDetails = new AboutCondition { Id = user.Id, Name = cond.Condition, SkinRegion = fullCond.SkinRegion.BodyPart.Name + " - " + fullCond.SkinRegion.Name, StartDate = cond.StartDate, NumPhotos = fullCond.Photos.Count() }; File.WriteAllText(Path.Combine(condDir.FullName, "AboutCondition.txt"), JsonConvert.SerializeObject(condDetails, Formatting.Indented)); foreach (ServiceData.Models.Photo photo in fullCond.Photos) { string filename = Path.Combine(condDir.FullName, photo.CreatedAt.ToString("yyyy-MM-dd-HH-mm-ss.") + Path.GetExtension(photo.Url)); if (File.Exists(filename)) { continue; } CloudBlobContainer container = await GetBlobContainer(); Stream blobStream = new MemoryStream(); CloudBlob photoBlob = container.GetBlobReference(photo.Url.Replace(ConfidentialData.BlobStorageUrl, "")); KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(ServerUtils.GetToken); IKey rsa = await cloudResolver.ResolveKeyAsync(ConfidentialData.KeyLocation, CancellationToken.None); BlobEncryptionPolicy policy = new BlobEncryptionPolicy(null, cloudResolver); BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy }; await photoBlob.DownloadToStreamAsync(blobStream, null, options, null); blobStream.Position = 0; using (var fileStream = File.Create(filename)) { await blobStream.CopyToAsync(fileStream); } } } } string nullString = ""; foreach (string nEmail in nullEmails) { nullString += nEmail + ", "; } return(Request.CreateResponse(HttpStatusCode.OK, "Files located at " + baseFileLoc + " Null emails: " + nullString)); } catch (Exception e) { return(Request.CreateErrorResponse(HttpStatusCode.InternalServerError, e)); } }
static void Main(string[] args) { Console.WriteLine("Blob encryption with Key Vault integration demonstrating key rotation from Key 1 to Key 2"); Console.WriteLine(); // Create two secrets and obtain their IDs. This is normally a one-time setup step. // Although it is possible to use keys (rather than secrets) stored in Key Vault, this prevents caching. // Therefore it is recommended to use secrets along with a caching resolver (see below). string keyID1 = EncryptionShared.KeyVaultUtility.SetUpKeyVaultSecret("KeyRotationSampleSecret1"); string keyID2 = EncryptionShared.KeyVaultUtility.SetUpKeyVaultSecret("KeyRotationSampleSecret2"); // Retrieve storage account information from connection string // How to create a storage connection string - https://azure.microsoft.com/en-us/documentation/articles/storage-configure-connection-string/ CloudStorageAccount storageAccount = EncryptionShared.Utility.CreateStorageAccountFromConnectionString(); CloudBlobClient client = storageAccount.CreateCloudBlobClient(); CloudBlobContainer container = client.GetContainerReference(DemoContainer + Guid.NewGuid().ToString("N")); // Construct a resolver capable of looking up keys and secrets stored in Key Vault. KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(EncryptionShared.KeyVaultUtility.GetAccessToken); // Set up a caching resolver so the secrets can be cached on the client. This is the recommended usage // pattern since the throttling targets for Storage and Key Vault services are orders of magnitude // different. CachingKeyResolver cachingResolver = new CachingKeyResolver(2, cloudResolver); // Create key instances corresponding to the key IDs. This will cache the secrets. IKey cloudKey1 = cachingResolver.ResolveKeyAsync(keyID1, CancellationToken.None).GetAwaiter().GetResult(); IKey cloudKey2 = cachingResolver.ResolveKeyAsync(keyID2, CancellationToken.None).GetAwaiter().GetResult(); // We begin with cloudKey1, and a resolver capable of resolving and caching Key Vault secrets. BlobEncryptionPolicy encryptionPolicy = new BlobEncryptionPolicy(cloudKey1, cachingResolver); client.DefaultRequestOptions.EncryptionPolicy = encryptionPolicy; client.DefaultRequestOptions.RequireEncryption = true; try { container.Create(); int size = 5 * 1024 * 1024; byte[] buffer1 = new byte[size]; byte[] buffer2 = new byte[size]; Random rand = new Random(); rand.NextBytes(buffer1); rand.NextBytes(buffer2); // Upload the first blob using the secret stored in Azure Key Vault. CloudBlockBlob blob = container.GetBlockBlobReference("blockblob1"); Console.WriteLine("Uploading Blob 1 using Key 1."); // Upload the encrypted contents to the first blob. using (MemoryStream stream = new MemoryStream(buffer1)) { blob.UploadFromStream(stream, size); } Console.WriteLine("Downloading and decrypting Blob 1."); // Download and decrypt the encrypted contents from the first blob. using (MemoryStream outputStream = new MemoryStream()) { blob.DownloadToStream(outputStream); } // At this point we will rotate our keys so new encrypted content will use the // second key. Note that the same resolver is used, as this resolver is capable // of decrypting blobs encrypted using either key. Console.WriteLine("Rotating the active encryption key to Key 2."); client.DefaultRequestOptions.EncryptionPolicy = new BlobEncryptionPolicy(cloudKey2, cachingResolver); // Upload the second blob using the key stored in Azure Key Vault. CloudBlockBlob blob2 = container.GetBlockBlobReference("blockblob2"); Console.WriteLine("Uploading Blob 2 using Key 2."); // Upload the encrypted contents to the second blob. using (MemoryStream stream = new MemoryStream(buffer2)) { blob2.UploadFromStream(stream, size); } Console.WriteLine("Downloading and decrypting Blob 2."); // Download and decrypt the encrypted contents from the second blob. using (MemoryStream outputStream = new MemoryStream()) { blob2.DownloadToStream(outputStream); } // Here we download and re-upload the first blob. This has the effect of updating // the blob to use the new key. using (MemoryStream memoryStream = new MemoryStream()) { Console.WriteLine("Downloading and decrypting Blob 1."); blob.DownloadToStream(memoryStream); memoryStream.Seek(0, SeekOrigin.Begin); Console.WriteLine("Re-uploading Blob 1 using Key 2."); blob.UploadFromStream(memoryStream); } // For the purposes of demonstration, we now override the encryption policy to only recognize key 2. BlobEncryptionPolicy key2OnlyPolicy = new BlobEncryptionPolicy(cloudKey2, null); BlobRequestOptions key2OnlyOptions = new BlobRequestOptions() { EncryptionPolicy = key2OnlyPolicy }; Console.WriteLine("Downloading and decrypting Blob 1."); // The first blob can still be decrypted because it is using the second key. using (MemoryStream outputStream = new MemoryStream()) { blob.DownloadToStream(outputStream, options: key2OnlyOptions); } Console.WriteLine("Press enter key to exit"); Console.ReadLine(); } finally { container.DeleteIfExists(); } }
static void Main(string[] args) { Console.WriteLine("Blob encryption with Key Vault integration"); Console.WriteLine(); // Get the key ID from App.config if it exists. string keyID = CloudConfigurationManager.GetSetting("KeyID"); // If no key ID was specified, we will create a new secret in Key Vault. // To create a new secret, this client needs full permission to Key Vault secrets. // Once the secret is created, its ID can be added to App.config. Once this is done, // this client only needs read access to secrets. if (string.IsNullOrEmpty(keyID)) { Console.WriteLine("No secret specified in App.config."); Console.WriteLine("Please enter the name of a new secret to create in Key Vault."); Console.WriteLine("WARNING: This will delete any existing secret with the same name."); Console.Write("Name of the new secret to create [{0}]: ", DefaultSecretName); string newSecretName = Console.ReadLine().Trim(); if (string.IsNullOrEmpty(newSecretName)) { newSecretName = DefaultSecretName; } // Although it is possible to use keys (rather than secrets) stored in Key Vault, this prevents caching. // Therefore it is recommended to use secrets along with a caching resolver (see below). keyID = EncryptionShared.KeyVaultUtility.SetUpKeyVaultSecret(newSecretName); Console.WriteLine(); Console.WriteLine("Created a secret with ID: {0}", keyID); Console.WriteLine("Copy the secret ID to App.config to reuse."); Console.WriteLine(); } // Retrieve storage account information from connection string // How to create a storage connection string - https://azure.microsoft.com/en-us/documentation/articles/storage-configure-connection-string/ CloudStorageAccount storageAccount = EncryptionShared.Utility.CreateStorageAccountFromConnectionString(); CloudBlobClient client = storageAccount.CreateCloudBlobClient(); CloudBlobContainer container = client.GetContainerReference(DemoContainer + Guid.NewGuid().ToString("N")); // Construct a resolver capable of looking up keys and secrets stored in Key Vault. KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(EncryptionShared.KeyVaultUtility.GetAccessToken); // To demonstrate how multiple different types of key can be used, we also create a local key and resolver. // This key is temporary and won't be persisted. RsaKey rsaKey = new RsaKey("rsakey"); LocalResolver resolver = new LocalResolver(); resolver.Add(rsaKey); // If there are multiple key sources like Azure Key Vault and local KMS, set up an aggregate resolver as follows. // This helps users to define a plug-in model for all the different key providers they support. AggregateKeyResolver aggregateResolver = new AggregateKeyResolver() .Add(resolver) .Add(cloudResolver); // Set up a caching resolver so the secrets can be cached on the client. This is the recommended usage // pattern since the throttling targets for Storage and Key Vault services are orders of magnitude // different. CachingKeyResolver cachingResolver = new CachingKeyResolver(2, aggregateResolver); // Create a key instance corresponding to the key ID. This will cache the secret. IKey cloudKey = cachingResolver.ResolveKeyAsync(keyID, CancellationToken.None).GetAwaiter().GetResult(); try { container.Create(); int size = 5 * 1024 * 1024; byte[] buffer = new byte[size]; Random rand = new Random(); rand.NextBytes(buffer); // The first blob will use the key stored in Azure Key Vault. CloudBlockBlob blob = container.GetBlockBlobReference("blockblob1"); // Create the encryption policy using the secret stored in Azure Key Vault to be used for upload. BlobEncryptionPolicy uploadPolicy = new BlobEncryptionPolicy(cloudKey, null); // Set the encryption policy on the request options. BlobRequestOptions uploadOptions = new BlobRequestOptions() { EncryptionPolicy = uploadPolicy }; Console.WriteLine("Uploading the 1st encrypted blob."); // Upload the encrypted contents to the blob. using (MemoryStream stream = new MemoryStream(buffer)) { blob.UploadFromStream(stream, size, null, uploadOptions); } // Download the encrypted blob. BlobEncryptionPolicy downloadPolicy = new BlobEncryptionPolicy(null, cachingResolver); // Set the decryption policy on the request options. BlobRequestOptions downloadOptions = new BlobRequestOptions() { EncryptionPolicy = downloadPolicy }; Console.WriteLine("Downloading the 1st encrypted blob."); // Download and decrypt the encrypted contents from the blob. using (MemoryStream outputStream = new MemoryStream()) { blob.DownloadToStream(outputStream, null, downloadOptions); } // Upload second blob using the local key. blob = container.GetBlockBlobReference("blockblob2"); // Create the encryption policy using the local key. uploadPolicy = new BlobEncryptionPolicy(rsaKey, null); // Set the encryption policy on the request options. uploadOptions = new BlobRequestOptions() { EncryptionPolicy = uploadPolicy }; Console.WriteLine("Uploading the 2nd encrypted blob."); // Upload the encrypted contents to the blob. using (MemoryStream stream = new MemoryStream(buffer)) { blob.UploadFromStream(stream, size, null, uploadOptions); } // Download the encrypted blob. The same policy and options created before can be used because the aggregate resolver contains both // resolvers and will pick the right one based on the key ID stored in blob metadata on the service. Console.WriteLine("Downloading the 2nd encrypted blob."); // Download and decrypt the encrypted contents from the blob. using (MemoryStream outputStream = new MemoryStream()) { blob.DownloadToStream(outputStream, null, downloadOptions); } Console.WriteLine("Press enter key to exit"); Console.ReadLine(); } finally { container.DeleteIfExists(); } }