        /// <summary>
        /// Runs the base cmdlet record processing, then creates the service client
        /// from the current credentials and region endpoint and stores it in <c>Client</c>.
        /// </summary>
        protected override void ProcessRecord()
        {
            // Let the base class finish its own per-record work before touching the client.
            base.ProcessRecord();

            var serviceClient = CreateClient(_CurrentCredentials, _RegionEndpoint);
            Client = serviceClient;
        }
        /// <summary>
        /// The provider polls the service and, once a secret's value differs from the loaded one,
        /// fires the reload callback and exposes the new value.
        /// </summary>
        public void Should_poll_and_reload_when_secrets_changed([Frozen] SecretListEntry testEntry, ListSecretsResponse listSecretsResponse, GetSecretValueResponse getSecretValueInitialResponse, GetSecretValueResponse getSecretValueUpdatedResponse, [Frozen] IAmazonSecretsManager secretsManager, [Frozen] SecretsManagerConfigurationProviderOptions options, SecretsManagerConfigurationProvider sut, IFixture fixture, Action <object> changeCallback, object changeCallbackState)
        {
            // Arrange: the fake service lists one secret and answers the first two
            // value requests with two different responses.
            var managerMock = Mock.Get(secretsManager);

            managerMock
                .Setup(p => p.ListSecretsAsync(It.IsAny <ListSecretsRequest>(), It.IsAny <CancellationToken>()))
                .ReturnsAsync(listSecretsResponse);

            managerMock
                .SetupSequence(p => p.GetSecretValueAsync(It.IsAny <GetSecretValueRequest>(), It.IsAny <CancellationToken>()))
                .ReturnsAsync(getSecretValueInitialResponse)
                .ReturnsAsync(getSecretValueUpdatedResponse);

            options.PollingInterval = TimeSpan.FromMilliseconds(100);

            sut.GetReloadToken().RegisterChangeCallback(changeCallback, changeCallbackState);

            // Act: initial load, then wait longer than one polling interval.
            sut.Load();
            var initialValue = sut.Get(testEntry.Name);
            Assert.That(initialValue, Is.EqualTo(getSecretValueInitialResponse.SecretString));

            Thread.Sleep(200);

            // Assert: the callback fired with its state and the new value is visible.
            Mock.Get(changeCallback).Verify(c => c(changeCallbackState));
            var reloadedValue = sut.Get(testEntry.Name);
            Assert.That(reloadedValue, Is.EqualTo(getSecretValueUpdatedResponse.SecretString));
        }
        /// <summary>
        /// A secret whose value is a plain string is exposed verbatim under the secret's name.
        /// </summary>
        public void Simple_values_in_string_can_be_handled([Frozen] SecretListEntry testEntry, ListSecretsResponse listSecretsResponse, GetSecretValueResponse getSecretValueResponse, [Frozen] IAmazonSecretsManager secretsManager, SecretsManagerConfigurationProvider sut, IFixture fixture)
        {
            // Arrange
            var managerMock = Mock.Get(secretsManager);

            managerMock
                .Setup(p => p.ListSecretsAsync(It.IsAny <ListSecretsRequest>(), It.IsAny <CancellationToken>()))
                .ReturnsAsync(listSecretsResponse);

            managerMock
                .Setup(p => p.GetSecretValueAsync(It.IsAny <GetSecretValueRequest>(), It.IsAny <CancellationToken>()))
                .ReturnsAsync(getSecretValueResponse);

            // Act
            sut.Load();

            // Assert
            var actual = sut.Get(testEntry.Name);
            Assert.That(actual, Is.EqualTo(getSecretValueResponse.SecretString));
        }
        /// <summary>
        /// A secret rejected by <c>SecretFilter</c> is never fetched and never appears as a key.
        /// </summary>
        public void Secrets_can_be_filtered_out_via_options([Frozen] SecretListEntry testEntry, ListSecretsResponse listSecretsResponse, [Frozen] IAmazonSecretsManager secretsManager, [Frozen] SecretsManagerConfigurationProviderOptions options, SecretsManagerConfigurationProvider sut, IFixture fixture)
        {
            // Arrange: listing succeeds but the filter drops every entry.
            var managerMock = Mock.Get(secretsManager);

            managerMock
                .Setup(p => p.ListSecretsAsync(It.IsAny <ListSecretsRequest>(), It.IsAny <CancellationToken>()))
                .ReturnsAsync(listSecretsResponse);

            options.SecretFilter = secretEntry => false;

            // Act
            sut.Load();

            // Assert: no value request was issued for the filtered secret.
            managerMock.Verify(
                p => p.GetSecretValueAsync(It.IsAny <GetSecretValueRequest>(), It.IsAny <CancellationToken>()),
                Times.Never);

            Assert.That(sut.Get(testEntry.Name), Is.Null);
        }
        /// <summary>
        /// Looking a secret up by a lower- or upper-cased name yields the same value.
        /// </summary>
        public void Keys_should_be_case_insensitive([Frozen] SecretListEntry testEntry, ListSecretsResponse listSecretsResponse, GetSecretValueResponse getSecretValueResponse, [Frozen] IAmazonSecretsManager secretsManager, SecretsManagerConfigurationProvider sut, IFixture fixture)
        {
            // Arrange
            var managerMock = Mock.Get(secretsManager);

            managerMock
                .Setup(p => p.ListSecretsAsync(It.IsAny <ListSecretsRequest>(), It.IsAny <CancellationToken>()))
                .ReturnsAsync(listSecretsResponse);

            managerMock
                .Setup(p => p.GetSecretValueAsync(It.IsAny <GetSecretValueRequest>(), It.IsAny <CancellationToken>()))
                .ReturnsAsync(getSecretValueResponse);

            // Act
            sut.Load();

            // Assert: both casings resolve to the stored value.
            var casedNames = new[] { testEntry.Name.ToLower(), testEntry.Name.ToUpper() };
            foreach (var casedName in casedNames)
            {
                Assert.That(sut.Get(casedName), Is.EqualTo(getSecretValueResponse.SecretString));
            }
        }
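 /// <summary>
 /// Initializes a new instance of the <see cref="AwsSecretManagerService"/> class.
 /// </summary>
 /// <param name="secretsManager">The Secrets Manager client this service calls through.</param>
 /// <exception cref="ArgumentNullException"><paramref name="secretsManager"/> is <see langword="null"/>.</exception>
 public AwsSecretManagerService(IAmazonSecretsManager secretsManager)
 {
     // Fail at construction rather than on the first call that dereferences the client.
     _secretsManager = secretsManager ?? throw new ArgumentNullException(nameof(secretsManager));
 }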
 /// <summary>
 /// Creates the rotator and a Secrets Manager client. The client is built with the
 /// parameterless constructor, so no explicit region or credentials are supplied here
 /// (NOTE(review): they are expected to come from the ambient SDK configuration — confirm).
 /// </summary>
 protected SecretRotationFunction()
 {
     secretsManager = new AmazonSecretsManagerClient();
     secretRotator  = new TSecretRotator();
 }
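        /// <summary>
        /// Registers cookie authentication plus GitHub, Google and Microsoft OAuth sign-in.
        /// Client ids and secrets come from the <see cref="OAuthSecret"/> fetched from Secrets Manager
        /// under <c>appSettings.AuthSecretId</c>. Each provider's <c>OnCreatingTicket</c> handler reads the
        /// provider profile, calls <c>IAccountRepository.AddOrGetAsync</c> with it, and adds the returned
        /// account id to the ticket as the <see cref="ClaimTypes.PrimarySid"/> claim ("accountId").
        /// </summary>
        /// <param name="secretManager">Client used to fetch the OAuth secret.</param>
        /// <param name="services">The service collection the authentication handlers are added to.</param>
        /// <param name="appSettings">Supplies <c>AuthSecretId</c>, the id of the secret holding the OAuth credentials.</param>
        private void AddAuthenticationOptions(IAmazonSecretsManager secretManager, IServiceCollection services, AppSettings appSettings)
        {
            OAuthSecret oAuthSecret = GetSecret <OAuthSecret>(secretManager, appSettings.AuthSecretId);

            services.AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultSignInScheme       = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme    = CookieAuthenticationDefaults.AuthenticationScheme;
            })
            .AddCookie(options =>
            {
                // SameSite=None is only accepted by current browsers when the cookie is also marked
                // Secure. Production forces Secure; elsewhere SameAsRequest means the site has to be
                // served over HTTPS for the session cookie to be stored at all.
                options.Cookie.SecurePolicy = Environment.IsProduction() ? CookieSecurePolicy.Always : CookieSecurePolicy.SameAsRequest;
                options.Cookie.SameSite     = SameSiteMode.None;
                options.Cookie.Path         = null;
                options.LoginPath           = "/Api/Auth/Login";
                options.AccessDeniedPath    = "/Api/Auth/AccessDenied";
            })
            .AddOAuth("GitHub", options =>
            {
                options.ClientId     = oAuthSecret.GitHubClientId;
                options.ClientSecret = oAuthSecret.GitHubClientSecret;
                options.CallbackPath = new PathString("/signin-github");

                // Include the users email address in the scope
                options.AuthorizationEndpoint   = "https://github.com/login/oauth/authorize?scope=user:email";
                options.TokenEndpoint           = "https://github.com/login/oauth/access_token";
                options.UserInformationEndpoint = "https://api.github.com/user";

                options.ClaimActions.MapJsonKey(ClaimTypes.PrimarySid, "accountId");

                options.Events = new OAuthEvents
                {
                    OnCreatingTicket = async context =>
                    {
                        JObject user = await RequestUserDetailsFromProvider(context);

                        var accountRepository = context.HttpContext.RequestServices.GetRequiredService <IAccountRepository>();

                        var gitHubId  = (string)user["id"];
                        var name      = (string)user["name"];
                        var email     = (string)user["email"];
                        var avatarUrl = (string)user["avatar_url"];

                        var account = await accountRepository.AddOrGetAsync(name, email, avatarUrl, gitHubId: gitHubId);

                        // Written back into the profile so MapJsonKey above can pick it up.
                        user["accountId"] = account.Id.ToString();
                        context.RunClaimActions(user);
                    }
                };
            })
            .AddGoogle(options =>
            {
                options.ClientId     = oAuthSecret.GoogleClientId;
                options.ClientSecret = oAuthSecret.GoogleClientSecret;

                options.ClaimActions.MapJsonKey(ClaimTypes.PrimarySid, "accountId");

                options.Events = new OAuthEvents
                {
                    OnCreatingTicket = async context =>
                    {
                        JObject user = await RequestUserDetailsFromProvider(context);

                        var accountRepository = context.HttpContext.RequestServices.GetRequiredService <IAccountRepository>();

                        var googleId     = (string)user["id"];
                        var name         = (string)user["displayName"];

                        // "image" and "emails" are optional; `as` keeps a JSON null (a JValue) from
                        // failing the cast to JObject/JArray and simply yields no avatar / no email.
                        var imageObject  = user["image"] as JObject;
                        string avatarUrl = null;
                        if (imageObject != null)
                        {
                            avatarUrl = (string)imageObject["url"];
                        }
                        var emailsObject = user["emails"] as JArray;
                        string email     = null;
                        if (emailsObject != null && emailsObject.Any())
                        {
                            email = (string)emailsObject.First()["value"];
                        }

                        var account = await accountRepository.AddOrGetAsync(name, email, avatarUrl, googleId: googleId);

                        user["accountId"] = account.Id.ToString();
                        context.RunClaimActions(user);
                    }
                };
            })
            .AddMicrosoftAccount(options =>
            {
                options.ClientId     = oAuthSecret.MicrosoftApplicationId;
                options.ClientSecret = oAuthSecret.MicrosoftPassword;

                options.ClaimActions.MapJsonKey(ClaimTypes.PrimarySid, "accountId");

                options.Events = new OAuthEvents
                {
                    OnCreatingTicket = async context =>
                    {
                        JObject user = await RequestUserDetailsFromProvider(context);

                        var accountRepository = context.HttpContext.RequestServices.GetRequiredService <IAccountRepository>();

                        var microsoftId = (string)user["id"];
                        var name        = (string)user["displayName"];
                        var email       = (string)user["userPrincipalName"];

                        // userPrincipalName might be missing, or not be an email, depending on the account type
                        if (email == null || !email.Contains("@"))
                        {
                            email = null;
                        }

                        var account = await accountRepository.AddOrGetAsync(name, email, null, microsoftId: microsoftId);

                        user["accountId"] = account.Id.ToString();
                        context.RunClaimActions(user);
                    }
                };
            });
        }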
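        /// <summary>
        /// Fetches the <c>AWSCURRENT</c> version of a secret from AWS Secrets Manager and returns its
        /// contents as text.
        /// </summary>
        /// <param name="client">The Secrets Manager client used to issue the request.</param>
        /// <param name="secretName">
        /// The ARN or friendly name of the secret. Defaults to <c>"MongoAuthConnection"</c>, the name
        /// this method previously had hard-coded.
        /// </param>
        /// <returns>
        /// <c>SecretString</c> when the secret is stored as text; otherwise the <c>SecretBinary</c>
        /// payload decoded as described in the body; <see langword="null"/> if the response carries neither.
        /// </returns>
        /// <exception cref="ArgumentNullException"><paramref name="client"/> is <see langword="null"/>.</exception>
        /// <exception cref="DecryptionFailureException">Secrets Manager could not decrypt the secret with the configured KMS key.</exception>
        /// <exception cref="InternalServiceErrorException">The service reported a server-side error.</exception>
        /// <exception cref="InvalidParameterException">A request parameter value was invalid.</exception>
        /// <exception cref="InvalidRequestException">A parameter value is not valid for the resource's current state.</exception>
        /// <exception cref="ResourceNotFoundException">No secret with the given name exists.</exception>
        public static string GetDBSecret(IAmazonSecretsManager client, string secretName = "MongoAuthConnection")
        {
            if (client == null)
            {
                throw new ArgumentNullException(nameof(client));
            }

            GetSecretValueRequest request = new GetSecretValueRequest();

            request.SecretId     = secretName;
            request.VersionStage = "AWSCURRENT"; // VersionStage defaults to AWSCURRENT if unspecified.

            // See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
            // for the exceptions this call raises. They are left to propagate to the caller.
            //
            // GetAwaiter().GetResult() surfaces the service's own exception types directly.
            // Task.Result wraps them in an AggregateException, which is why the typed catch
            // blocks this method used to have never matched anything.
            GetSecretValueResponse response = client.GetSecretValueAsync(request).GetAwaiter().GetResult();

            // Depending on whether the secret is a string or binary, one of these fields is populated.
            if (response.SecretString != null)
            {
                return response.SecretString;
            }

            if (response.SecretBinary == null)
            {
                return null;
            }

            using (StreamReader reader = new StreamReader(response.SecretBinary))
            {
                // Mirrors the original decoding: the stream content is read as base64 text and the
                // decoded bytes are interpreted as UTF-8. Previously this value was computed and then
                // discarded (the method returned null for every binary secret).
                // NOTE(review): confirm the SDK has not already base64-decoded SecretBinary for this
                // client version; if it has, the FromBase64String step is one decode too many.
                return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(reader.ReadToEnd()));
            }
        }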
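 /// <summary>
 /// Initializes a new instance of the <see cref="AwsSecretsProvider"/> class.
 /// </summary>
 /// <param name="secretsClient">
 /// The <see cref="IAmazonSecretsManager"/> used for routing calls to AWS. Stored as given;
 /// this constructor does not validate it.
 /// </param>
 /// <param name="secrets">A list of <see cref="AwsSecret"/> to define the secrets.</param>
 /// <exception cref="ArgumentNullException"><paramref name="secrets"/> is <see langword="null"/>.</exception>
 public AwsSecretsProvider(IAmazonSecretsManager secretsClient, IReadOnlyList <AwsSecret> secrets)
 {
     SecretsClient = secretsClient;
     // A null secret list has no meaning; reject it here instead of on the first enumeration.
     Secrets       = secrets ?? throw new ArgumentNullException(nameof(secrets));
 }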
        /// <summary>
        /// Registers an <see cref="AwsSecret"/> with the <see cref="ISecretsConfigurationBuilder"/>.
        /// </summary>
        /// <param name="builder">The builder receiving the secret.</param>
        /// <param name="configurationKey">The configuration key the secret's value is exposed under.</param>
        /// <param name="secretId">The Amazon Resource Name (ARN) or the friendly name of the secret.</param>
        /// <param name="secretKey">The key of the secret in AWS; may be <see langword="null"/>.</param>
        /// <param name="secretsManager">
        /// The <see cref="IAmazonSecretsManager"/> client used for routing calls to AWS. If <see langword="null"/>,
        /// then <see cref="AwsSecret.DefaultSecretsManager"/> is used instead.
        /// </param>
        /// <returns>The same <see cref="ISecretsConfigurationBuilder"/>, for chaining.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="builder"/> is <see langword="null"/>.</exception>
        public static ISecretsConfigurationBuilder AddAwsSecret(this ISecretsConfigurationBuilder builder,
                                                                string configurationKey, string secretId, string secretKey = null, IAmazonSecretsManager secretsManager = null)
        {
            var target = builder ?? throw new ArgumentNullException(nameof(builder));
            var secret = new AwsSecret(configurationKey, secretId, secretKey, secretsManager);

            return target.AddSecret(secret);
        }
 /// <summary>
 /// Initializes a new instance of the <see cref="AwsSecretsProvider"/> class from secret definitions.
 /// </summary>
 /// <param name="secretsClient">
 /// The <see cref="IAmazonSecretsManager"/> used for routing calls to AWS; it is also handed to
 /// every <see cref="AwsSecret"/> built from <paramref name="secrets"/>.
 /// </param>
 /// <param name="secrets">The <see cref="AwsSecretDefinition"/> entries that are turned into <see cref="AwsSecret"/> instances.</param>
 public AwsSecretsProvider(IAmazonSecretsManager secretsClient, IEnumerable <AwsSecretDefinition> secrets)
     : this(secretsClient,
            (from definition in secrets
             select new AwsSecret(definition.Key, definition.AwsSecretName, definition.AwsSecretKey, secretsClient)).ToList())
 {
 }
 /// <summary>
 /// Creates the Secrets Manager client the smoke tests run against, pinned to us-east-1.
 /// </summary>
 public SmokeTest()
 {
     var region = Amazon.RegionEndpoint.USEast1;
     secretsManagerClient = new AmazonSecretsManagerClient(region);
 }
 /// <summary>
 /// Initializes a cache entry for one specific version of a secret.
 /// </summary>
 /// <param name="secretId">The secret's ARN or friendly name.</param>
 /// <param name="versionId">The version of the secret this entry represents.</param>
 /// <param name="client">The Secrets Manager client, forwarded to the base cache item.</param>
 /// <param name="config">The cache configuration, forwarded to the base cache item.</param>
 public SecretCacheVersion(String secretId, String versionId, IAmazonSecretsManager client, SecretCacheConfiguration config)
     : base(secretId, client, config)
 {
     this.versionId = versionId;
     // Hash over both identifiers so different versions of one secret do not collide.
     var hashSource = secretId + " " + versionId;
     this.hash      = hashSource.GetHashCode();
 }
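 /// <summary>
 /// Initializes a new instance of the <see cref="SecretService"/> class.
 /// </summary>
 /// <param name="secretsManager">The Secrets Manager client this service calls through.</param>
 /// <exception cref="ArgumentNullException"><paramref name="secretsManager"/> is <see langword="null"/>.</exception>
 public SecretService(IAmazonSecretsManager secretsManager)
 {
     // Reject a missing dependency up front instead of failing on first use.
     _secretsManager = secretsManager ?? throw new ArgumentNullException(nameof(secretsManager));
 }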
 /// <summary>
 /// Creates a paginator factory that holds on to the given Secrets Manager client.
 /// </summary>
 /// <param name="client">The client stored by this factory.</param>
 internal SecretsManagerPaginatorFactory(IAmazonSecretsManager client)
 {
     this.client = client;
 }
        /// <summary>
        /// Initializes a new instance of the <see cref="SecretsManagerConfigurationProvider"/> class.
        /// </summary>
        /// <param name="client">The Secrets Manager client the provider reads secrets through.</param>
        /// <param name="options">Provider options.</param>
        /// <exception cref="ArgumentNullException">
        /// <paramref name="options"/> or <paramref name="client"/> is <see langword="null"/>;
        /// <paramref name="options"/> is checked first.
        /// </exception>
        public SecretsManagerConfigurationProvider(IAmazonSecretsManager client, SecretsManagerConfigurationProviderOptions options)
        {
            if (options == null)
            {
                throw new ArgumentNullException(nameof(options));
            }

            if (client == null)
            {
                throw new ArgumentNullException(nameof(client));
            }

            Options = options;
            Client  = client;
        }
 /// <summary>
 /// Initializes a new instance of the <see cref="SecretsManagerCache"/> class with a
 /// default <see cref="SecretCacheConfiguration"/>.
 /// </summary>
 /// <param name="secretsManager">The client forwarded to the main constructor.</param>
 public SecretsManagerCache(IAmazonSecretsManager secretsManager)
     : this(secretsManager, new SecretCacheConfiguration()) { }
 /// <summary>
 /// Creates a paginator over ListSecrets results for the given client and request.
 /// </summary>
 /// <param name="client">The client the pages are requested from.</param>
 /// <param name="request">The request the pages are based on.</param>
 internal ListSecretsPaginator(IAmazonSecretsManager client, ListSecretsRequest request)
 {
     _client  = client;
     _request = request;
 }
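 /// <summary>
 /// Initializes a new instance of the <see cref="AWSSecretsManagerHelper"/> class.
 /// </summary>
 /// <param name="amazonSecretsManager">The Secrets Manager client the helper calls through.</param>
 /// <param name="logger">The logger the helper writes to.</param>
 /// <exception cref="ArgumentNullException">
 /// <paramref name="amazonSecretsManager"/> or <paramref name="logger"/> is <see langword="null"/>.
 /// </exception>
 public AWSSecretsManagerHelper(IAmazonSecretsManager amazonSecretsManager,
     ILogger<AWSSecretsManagerHelper> logger)
 {
     // Both are required collaborators; fail at wiring time rather than on first use.
     this._amazonSecretsManager = amazonSecretsManager ?? throw new ArgumentNullException(nameof(amazonSecretsManager));
     this._logger = logger ?? throw new ArgumentNullException(nameof(logger));
 }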
 /// <summary>
 /// Invokes the ListSecrets operation on <paramref name="client"/>: the synchronous API on the
 /// DESKTOP build, the async API blocked on with <c>GetAwaiter().GetResult()</c> on CORECLR.
 /// </summary>
 /// <param name="client">The Secrets Manager client to call.</param>
 /// <param name="request">The ListSecrets request to send.</param>
 /// <returns>The ListSecrets response returned by the service.</returns>
 /// <exception cref="Exception">
 /// Raised instead of an <see cref="AmazonServiceException"/> whose inner exception is a
 /// <see cref="System.Net.WebException"/>, carrying a name-resolution failure message and the
 /// original <see cref="System.Net.WebException"/> as inner exception. Other service exceptions are rethrown as-is.
 /// </exception>
 private Amazon.SecretsManager.Model.ListSecretsResponse CallAWSServiceOperation(IAmazonSecretsManager client, Amazon.SecretsManager.Model.ListSecretsRequest request)
 {
     Utils.Common.WriteVerboseEndpointMessage(this, client.Config, "AWS Secrets Manager", "ListSecrets");
     try
     {
         #if DESKTOP
         return client.ListSecrets(request);
         #elif CORECLR
         return client.ListSecretsAsync(request).GetAwaiter().GetResult();
         #else
                 #error "Unknown build edition"
         #endif
     }
     catch (AmazonServiceException exc)
     {
         // Network-level failures get a friendlier endpoint / name-resolution message.
         if (exc.InnerException is System.Net.WebException webException)
         {
             throw new Exception(Utils.Common.FormatNameResolutionFailureMessage(client.Config, webException.Message), webException);
         }

         throw;
     }
 }
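 /// <summary>
 /// Initializes a new instance of the <see cref="SecretProvider"/> class.
 /// </summary>
 /// <param name="collection">The secret configuration entries this provider serves.</param>
 /// <param name="manager">The Secrets Manager client this provider calls through.</param>
 /// <exception cref="ArgumentNullException">
 /// <paramref name="collection"/> or <paramref name="manager"/> is <see langword="null"/>.
 /// </exception>
 public SecretProvider(SecretConfigCollection collection, IAmazonSecretsManager manager)
 {
     // Both dependencies are required; reject nulls at construction rather than on first use.
     this.collection = collection ?? throw new ArgumentNullException(nameof(collection));
     this.manager    = manager ?? throw new ArgumentNullException(nameof(manager));
 }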
        /// <summary>
        /// When <c>KeyGenerator</c> is set, values are exposed under the generated key only,
        /// not under the secret's own name.
        /// </summary>
        public void Keys_can_be_customized_via_options([Frozen] SecretListEntry testEntry, ListSecretsResponse listSecretsResponse, GetSecretValueResponse getSecretValueResponse, string newKey, [Frozen] IAmazonSecretsManager secretsManager, [Frozen] SecretsManagerConfigurationProviderOptions options, SecretsManagerConfigurationProvider sut, IFixture fixture)
        {
            // Arrange
            var managerMock = Mock.Get(secretsManager);

            managerMock
                .Setup(p => p.ListSecretsAsync(It.IsAny <ListSecretsRequest>(), It.IsAny <CancellationToken>()))
                .ReturnsAsync(listSecretsResponse);

            managerMock
                .Setup(p => p.GetSecretValueAsync(It.IsAny <GetSecretValueRequest>(), It.IsAny <CancellationToken>()))
                .ReturnsAsync(getSecretValueResponse);

            // Every key, whatever the entry, is rewritten to newKey.
            options.KeyGenerator = (secretEntry, originalKey) => newKey;

            // Act
            sut.Load();

            // Assert
            Assert.That(sut.Get(testEntry.Name), Is.Null);
            Assert.That(sut.Get(newKey), Is.EqualTo(getSecretValueResponse.SecretString));
        }
 /// <summary>
 /// Initializes a cache item for a secret; everything is delegated to the base constructor.
 /// </summary>
 /// <param name="secretId">The secret's ARN or friendly name.</param>
 /// <param name="client">The Secrets Manager client, forwarded to the base class.</param>
 /// <param name="config">The cache configuration, forwarded to the base class.</param>
 public SecretCacheItem(String secretId, IAmazonSecretsManager client, SecretCacheConfiguration config)
     : base(secretId, client, config) { }
        /// <summary>
        /// A <see cref="ResourceNotFoundException"/> from the service while loading a listed secret
        /// surfaces as a <see cref="MissingSecretValueException"/>.
        /// </summary>
        public void Should_throw_on_missing_secret_value([Frozen] SecretListEntry testEntry, ListSecretsResponse listSecretsResponse, [Frozen] IAmazonSecretsManager secretsManager, SecretsManagerConfigurationProvider sut, IFixture fixture)
        {
            // Arrange: the secret is listed, but fetching its value fails.
            var managerMock = Mock.Get(secretsManager);

            managerMock
                .Setup(p => p.ListSecretsAsync(It.IsAny <ListSecretsRequest>(), It.IsAny <CancellationToken>()))
                .ReturnsAsync(listSecretsResponse);

            managerMock
                .Setup(p => p.GetSecretValueAsync(It.IsAny <GetSecretValueRequest>(), It.IsAny <CancellationToken>()))
                .Throws(new ResourceNotFoundException("Oops"));

            // Act / Assert
            TestDelegate load = () => sut.Load();
            Assert.That(load, Throws.TypeOf <MissingSecretValueException>());
        }
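 /// <summary>
 /// Initializes a cache entry for one specific version of a secret.
 /// </summary>
 /// <param name="secretId">The secret's ARN or friendly name.</param>
 /// <param name="versionId">The version of the secret this entry represents.</param>
 /// <param name="client">The Secrets Manager client, forwarded to the base cache item.</param>
 /// <param name="config">The cache configuration, forwarded to the base cache item.</param>
 public SecretCacheVersion(String secretId, String versionId, IAmazonSecretsManager client, SecretCacheConfiguration config)
     : base(secretId, client, config)
 {
     this.versionId = versionId;
     // Hash over both identifiers. The earlier String.Format("%s %s", ...) used printf-style
     // placeholders, which .NET does not substitute, so every instance hashed the literal
     // "%s %s" and all versions collided.
     this.hash      = $"{secretId} {versionId}".GetHashCode();
 }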
        /// <summary>
        /// <c>ForceReloadAsync</c> re-reads the secrets immediately, fires the reload callback and
        /// exposes the updated value.
        /// </summary>
        public async Task Should_reload_when_forceReload_called([Frozen] SecretListEntry testEntry, ListSecretsResponse listSecretsResponse, GetSecretValueResponse getSecretValueInitialResponse, GetSecretValueResponse getSecretValueUpdatedResponse, [Frozen] IAmazonSecretsManager secretsManager, [Frozen] SecretsManagerConfigurationProviderOptions options, SecretsManagerConfigurationProvider sut, IFixture fixture, Action <object> changeCallback, object changeCallbackState)
        {
            // Arrange: two different values for consecutive fetches of the same secret.
            var managerMock = Mock.Get(secretsManager);

            managerMock
                .Setup(p => p.ListSecretsAsync(It.IsAny <ListSecretsRequest>(), It.IsAny <CancellationToken>()))
                .ReturnsAsync(listSecretsResponse);

            managerMock
                .SetupSequence(p => p.GetSecretValueAsync(It.IsAny <GetSecretValueRequest>(), It.IsAny <CancellationToken>()))
                .ReturnsAsync(getSecretValueInitialResponse)
                .ReturnsAsync(getSecretValueUpdatedResponse);

            sut.GetReloadToken().RegisterChangeCallback(changeCallback, changeCallbackState);

            sut.Load();
            var initialValue = sut.Get(testEntry.Name);
            Assert.That(initialValue, Is.EqualTo(getSecretValueInitialResponse.SecretString));

            // Act: explicit reload, independent of any polling interval.
            await sut.ForceReloadAsync(CancellationToken.None);

            // Assert
            Mock.Get(changeCallback).Verify(c => c(changeCallbackState));
            var reloadedValue = sut.Get(testEntry.Name);
            Assert.That(reloadedValue, Is.EqualTo(getSecretValueUpdatedResponse.SecretString));
        }
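 /// <summary>
 /// Initializes a new instance of the <see cref="SecretManager"/> class.
 /// </summary>
 /// <param name="amazonSecretsManager">The Secrets Manager client this instance calls through.</param>
 /// <exception cref="ArgumentNullException"><paramref name="amazonSecretsManager"/> is <see langword="null"/>.</exception>
 public SecretManager(IAmazonSecretsManager amazonSecretsManager)
 {
     // Reject a missing client up front instead of on the first call that uses it.
     _amazonSecretsManager = amazonSecretsManager ?? throw new ArgumentNullException(nameof(amazonSecretsManager));
 }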
        /// <summary>
        /// A secret holding a JSON array of objects (which themselves contain arrays) is flattened so
        /// each leaf is reachable through index and property-name path segments.
        /// </summary>
        public void Array_Of_Complex_JSON_objects_with_arrays_can_be_handled([Frozen] SecretListEntry testEntry, ListSecretsResponse listSecretsResponse, RootObjectWithArray[] test, [Frozen] IAmazonSecretsManager secretsManager, SecretsManagerConfigurationProvider sut, IFixture fixture)
        {
            // Arrange: the secret's string value is the serialized test array.
            var serialized = JsonConvert.SerializeObject(test);
            var getSecretValueResponse = fixture.Build <GetSecretValueResponse>()
                                         .With(p => p.SecretString, serialized)
                                         .Without(p => p.SecretBinary)
                                         .Create();

            var managerMock = Mock.Get(secretsManager);

            managerMock
                .Setup(p => p.ListSecretsAsync(It.IsAny <ListSecretsRequest>(), It.IsAny <CancellationToken>()))
                .ReturnsAsync(listSecretsResponse);

            managerMock
                .Setup(p => p.GetSecretValueAsync(It.IsAny <GetSecretValueRequest>(), It.IsAny <CancellationToken>()))
                .ReturnsAsync(getSecretValueResponse);

            // Act
            sut.Load();

            // Assert: first and second element, each via the Properties array and the Mids array.
            var first  = test[0];
            var second = test[1];

            Assert.That(sut.Get(testEntry.Name, "0", nameof(RootObjectWithArray.Properties), "0"), Is.EqualTo(first.Properties[0]));
            Assert.That(sut.Get(testEntry.Name, "0", nameof(RootObjectWithArray.Mids), "0", nameof(MidLevel.Property)), Is.EqualTo(first.Mids[0].Property));
            Assert.That(sut.Get(testEntry.Name, "1", nameof(RootObjectWithArray.Properties), "0"), Is.EqualTo(second.Properties[0]));
            Assert.That(sut.Get(testEntry.Name, "1", nameof(RootObjectWithArray.Mids), "0", nameof(MidLevel.Property)), Is.EqualTo(second.Mids[0].Property));
        }
        /// <summary>
        /// The configured <c>ListSecretsFilters</c> are passed to the service unchanged (same list
        /// reference) when secrets are listed.
        /// </summary>
        public void Secrets_can_be_filtered_out_via_options_on_fetching([Frozen] SecretListEntry testEntry, ListSecretsResponse listSecretsResponse, GetSecretValueResponse getSecretValueResponse, [Frozen] IAmazonSecretsManager secretsManager, [Frozen] SecretsManagerConfigurationProviderOptions options, SecretsManagerConfigurationProvider sut, IFixture fixture)
        {
            // Arrange: a single name filter for the test entry.
            var nameFilter = new Filter
            {
                Key    = FilterNameStringType.Name,
                Values = new List <string> { testEntry.Name }
            };
            options.ListSecretsFilters = new List <Filter> { nameFilter };

            var managerMock = Mock.Get(secretsManager);

            // Only a request carrying exactly the configured filter list is answered.
            managerMock
                .Setup(p => p.ListSecretsAsync(It.Is <ListSecretsRequest>(request => request.Filters == options.ListSecretsFilters), It.IsAny <CancellationToken>()))
                .ReturnsAsync(listSecretsResponse);

            // Act
            sut.Load();

            // Assert
            managerMock.Verify(p => p.ListSecretsAsync(It.Is <ListSecretsRequest>(request => request.Filters == options.ListSecretsFilters), It.IsAny <CancellationToken>()));

            Assert.That(sut.Get(testEntry.Name), Is.Null);
        }