/// <summary>
/// Runs the base cmdlet record processing, then (re)creates the service client
/// from the credentials and region endpoint currently resolved for this invocation.
/// </summary>
protected override void ProcessRecord()
{
    base.ProcessRecord();

    var resolvedClient = CreateClient(_CurrentCredentials, _RegionEndpoint);
    Client = resolvedClient;
}
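/// <summary>
/// Verifies that the provider polls Secrets Manager at <c>PollingInterval</c> and, once the
/// secret value changes, signals the reload token callback and exposes the new value.
/// </summary>
/// <remarks>
/// The wait for the second poll is bounded and polled rather than a fixed
/// <c>Thread.Sleep(200)</c>: a fixed sleep is flaky on a loaded CI host (the poll may not
/// have completed yet) and wastes time on a fast one.
/// </remarks>
public void Should_poll_and_reload_when_secrets_changed([Frozen] SecretListEntry testEntry, ListSecretsResponse listSecretsResponse, GetSecretValueResponse getSecretValueInitialResponse, GetSecretValueResponse getSecretValueUpdatedResponse, [Frozen] IAmazonSecretsManager secretsManager, [Frozen] SecretsManagerConfigurationProviderOptions options, SecretsManagerConfigurationProvider sut, IFixture fixture, Action<object> changeCallback, object changeCallbackState)
{
    var managerMock = Mock.Get(secretsManager);
    managerMock
        .Setup(p => p.ListSecretsAsync(It.IsAny<ListSecretsRequest>(), It.IsAny<CancellationToken>()))
        .ReturnsAsync(listSecretsResponse);
    // First fetch (Load) sees the initial value; the next fetch (background poll) sees the update.
    managerMock
        .SetupSequence(p => p.GetSecretValueAsync(It.IsAny<GetSecretValueRequest>(), It.IsAny<CancellationToken>()))
        .ReturnsAsync(getSecretValueInitialResponse)
        .ReturnsAsync(getSecretValueUpdatedResponse);

    options.PollingInterval = TimeSpan.FromMilliseconds(100);
    sut.GetReloadToken().RegisterChangeCallback(changeCallback, changeCallbackState);

    sut.Load();
    Assert.That(sut.Get(testEntry.Name), Is.EqualTo(getSecretValueInitialResponse.SecretString));

    // Poll (every 20 ms, up to 5 s) until the background reload has published the new value.
    Assert.That(
        () => sut.Get(testEntry.Name),
        Is.EqualTo(getSecretValueUpdatedResponse.SecretString).After(5000, 20));

    Mock.Get(changeCallback).Verify(c => c(changeCallbackState));
    Assert.That(sut.Get(testEntry.Name), Is.EqualTo(getSecretValueUpdatedResponse.SecretString));
}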
/// <summary>
/// A secret whose <c>SecretString</c> is a plain (non-JSON) value is exposed verbatim
/// under the secret's name.
/// </summary>
public void Simple_values_in_string_can_be_handled([Frozen] SecretListEntry testEntry, ListSecretsResponse listSecretsResponse, GetSecretValueResponse getSecretValueResponse, [Frozen] IAmazonSecretsManager secretsManager, SecretsManagerConfigurationProvider sut, IFixture fixture)
{
    var managerMock = Mock.Get(secretsManager);
    managerMock
        .Setup(p => p.GetSecretValueAsync(It.IsAny<GetSecretValueRequest>(), It.IsAny<CancellationToken>()))
        .ReturnsAsync(getSecretValueResponse);
    managerMock
        .Setup(p => p.ListSecretsAsync(It.IsAny<ListSecretsRequest>(), It.IsAny<CancellationToken>()))
        .ReturnsAsync(listSecretsResponse);

    sut.Load();

    var actual = sut.Get(testEntry.Name);
    Assert.That(actual, Is.EqualTo(getSecretValueResponse.SecretString));
}
/// <summary>
/// When <c>SecretFilter</c> rejects every listed secret, no value is fetched
/// (GetSecretValue is never called) and the key is absent from configuration.
/// </summary>
public void Secrets_can_be_filtered_out_via_options([Frozen] SecretListEntry testEntry, ListSecretsResponse listSecretsResponse, [Frozen] IAmazonSecretsManager secretsManager, [Frozen] SecretsManagerConfigurationProviderOptions options, SecretsManagerConfigurationProvider sut, IFixture fixture)
{
    // Reject everything: the filter decides which listed entries are worth fetching.
    options.SecretFilter = entry => false;

    var managerMock = Mock.Get(secretsManager);
    managerMock
        .Setup(p => p.ListSecretsAsync(It.IsAny<ListSecretsRequest>(), It.IsAny<CancellationToken>()))
        .ReturnsAsync(listSecretsResponse);

    sut.Load();

    managerMock.Verify(
        p => p.GetSecretValueAsync(It.IsAny<GetSecretValueRequest>(), It.IsAny<CancellationToken>()),
        Times.Never);
    Assert.That(sut.Get(testEntry.Name), Is.Null);
}
/// <summary>
/// Configuration keys produced from secret names can be looked up regardless of letter case.
/// </summary>
public void Keys_should_be_case_insensitive([Frozen] SecretListEntry testEntry, ListSecretsResponse listSecretsResponse, GetSecretValueResponse getSecretValueResponse, [Frozen] IAmazonSecretsManager secretsManager, SecretsManagerConfigurationProvider sut, IFixture fixture)
{
    var managerMock = Mock.Get(secretsManager);
    managerMock
        .Setup(p => p.ListSecretsAsync(It.IsAny<ListSecretsRequest>(), It.IsAny<CancellationToken>()))
        .ReturnsAsync(listSecretsResponse);
    managerMock
        .Setup(p => p.GetSecretValueAsync(It.IsAny<GetSecretValueRequest>(), It.IsAny<CancellationToken>()))
        .ReturnsAsync(getSecretValueResponse);

    sut.Load();

    var lowerKey = testEntry.Name.ToLower();
    var upperKey = testEntry.Name.ToUpper();
    var expected = getSecretValueResponse.SecretString;
    Assert.That(sut.Get(lowerKey), Is.EqualTo(expected));
    Assert.That(sut.Get(upperKey), Is.EqualTo(expected));
}
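/// <summary>
/// Initializes a new instance of the <see cref="AwsSecretManagerService"/> class.
/// </summary>
/// <param name="secretsManager">The Secrets Manager client every call is routed through.</param>
/// <exception cref="ArgumentNullException"><paramref name="secretsManager"/> is <see langword="null"/>.</exception>
public AwsSecretManagerService(IAmazonSecretsManager secretsManager)
{
    // Fail at construction rather than with a NullReferenceException on first use.
    if (secretsManager == null)
    {
        throw new ArgumentNullException(nameof(secretsManager));
    }

    _secretsManager = secretsManager;
}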
/// <summary>
/// Initializes the rotation function with a freshly constructed <c>TSecretRotator</c>
/// and a default-configured <see cref="AmazonSecretsManagerClient"/>.
/// </summary>
protected SecretRotationFunction()
{
    secretsManager = new AmazonSecretsManagerClient();
    secretRotator = new TSecretRotator();
}
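/// <summary>
/// Registers cookie authentication plus GitHub, Google and Microsoft OAuth sign-in.
/// OAuth client ids/secrets are read from Secrets Manager (<c>appSettings.AuthSecretId</c>)
/// rather than from configuration files.
/// </summary>
/// <param name="secretManager">Client used to fetch the <see cref="OAuthSecret"/>.</param>
/// <param name="services">The service collection to register authentication into.</param>
/// <param name="appSettings">Provides the secret id that holds the OAuth credentials.</param>
/// <remarks>
/// Each provider's <c>OnCreatingTicket</c> maps the external identity to a local account and
/// stores its id in the <c>accountId</c> JSON key, which <c>MapJsonKey</c> then turns into the
/// <see cref="ClaimTypes.PrimarySid"/> claim.
/// </remarks>
private void AddAuthenticationOptions(IAmazonSecretsManager secretManager, IServiceCollection services, AppSettings appSettings)
{
    OAuthSecret oAuthSecret = GetSecret<OAuthSecret>(secretManager, appSettings.AuthSecretId);

    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    })
    .AddCookie(options =>
    {
        options.Cookie.SecurePolicy = Environment.IsProduction() ? CookieSecurePolicy.Always : CookieSecurePolicy.SameAsRequest;
        // NOTE(review): browsers only honour SameSite=None when the cookie is also Secure.
        // Outside production SecurePolicy is SameAsRequest, so over plain HTTP the auth
        // cookie may be rejected by the browser — confirm local development runs over HTTPS.
        options.Cookie.SameSite = SameSiteMode.None;
        options.Cookie.Path = null;
        options.LoginPath = "/Api/Auth/Login";
        options.AccessDeniedPath = "/Api/Auth/AccessDenied";
    })
    .AddOAuth("GitHub", options =>
    {
        options.ClientId = oAuthSecret.GitHubClientId;
        options.ClientSecret = oAuthSecret.GitHubClientSecret;
        options.CallbackPath = new PathString("/signin-github");
        // Include the users email address in the scope
        options.AuthorizationEndpoint = "https://github.com/login/oauth/authorize?scope=user:email";
        options.TokenEndpoint = "https://github.com/login/oauth/access_token";
        options.UserInformationEndpoint = "https://api.github.com/user";
        options.ClaimActions.MapJsonKey(ClaimTypes.PrimarySid, "accountId");
        options.Events = new OAuthEvents
        {
            OnCreatingTicket = async context =>
            {
                JObject user = await RequestUserDetailsFromProvider(context);
                var accountRepository = context.HttpContext.RequestServices.GetRequiredService<IAccountRepository>();
                var gitHubId = (string)user["id"];
                var name = (string)user["name"];
                // GitHub only returns "email" when the user has a public email; may be null.
                var email = (string)user["email"];
                var avatarUrl = (string)user["avatar_url"];
                var account = await accountRepository.AddOrGetAsync(name, email, avatarUrl, gitHubId: gitHubId);
                user["accountId"] = account.Id.ToString();
                context.RunClaimActions(user);
            }
        };
    })
    .AddGoogle(options =>
    {
        options.ClientId = oAuthSecret.GoogleClientId;
        options.ClientSecret = oAuthSecret.GoogleClientSecret;
        options.ClaimActions.MapJsonKey(ClaimTypes.PrimarySid, "accountId");
        options.Events = new OAuthEvents
        {
            OnCreatingTicket = async context =>
            {
                JObject user = await RequestUserDetailsFromProvider(context);
                var accountRepository = context.HttpContext.RequestServices.GetRequiredService<IAccountRepository>();
                var googleId = (string)user["id"];
                var name = (string)user["displayName"];
                // "image" and "emails" are optional in the provider payload.
                var imageObject = (JObject)user["image"];
                string avatarUrl = null;
                if (imageObject != null)
                {
                    avatarUrl = (string)imageObject["url"];
                }
                var emailsObject = (JArray)user["emails"];
                string email = null;
                if (emailsObject != null && emailsObject.Any())
                {
                    email = (string)emailsObject.First()["value"];
                }
                var account = await accountRepository.AddOrGetAsync(name, email, avatarUrl, googleId: googleId);
                user["accountId"] = account.Id.ToString();
                context.RunClaimActions(user);
            }
        };
    })
    .AddMicrosoftAccount(options =>
    {
        options.ClientId = oAuthSecret.MicrosoftApplicationId;
        options.ClientSecret = oAuthSecret.MicrosoftPassword;
        options.ClaimActions.MapJsonKey(ClaimTypes.PrimarySid, "accountId");
        options.Events = new OAuthEvents
        {
            OnCreatingTicket = async context =>
            {
                JObject user = await RequestUserDetailsFromProvider(context);
                var accountRepository = context.HttpContext.RequestServices.GetRequiredService<IAccountRepository>();
                var microsoftId = (string)user["id"];
                var name = (string)user["displayName"];
                var email = (string)user["userPrincipalName"];
                // userPrincipalName might not be an email, depending on the account type,
                // and may be missing entirely; the previous `!email.Contains("@")` threw a
                // NullReferenceException in that case and failed the sign-in.
                if (email == null || !email.Contains("@"))
                {
                    email = null;
                }
                var account = await accountRepository.AddOrGetAsync(name, email, null, microsoftId: microsoftId);
                user["accountId"] = account.Id.ToString();
                context.RunClaimActions(user);
            }
        };
    });
}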
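/// <summary>
/// Reads the current (<c>AWSCURRENT</c>) version of a secret from AWS Secrets Manager and
/// returns its value as a string.
/// </summary>
/// <param name="client">The Secrets Manager client used to make the call.</param>
/// <param name="secretName">
/// Secret id (friendly name or ARN) to read. Defaults to <c>"MongoAuthConnection"</c>, the
/// value that was previously hard-coded, so existing callers are unaffected.
/// </param>
/// <returns>
/// <c>SecretString</c> when the secret is a string; otherwise the binary payload decoded as
/// described below; <see langword="null"/> if the response carries neither.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="client"/> is <see langword="null"/>.</exception>
/// <exception cref="ArgumentException"><paramref name="secretName"/> is empty or whitespace.</exception>
/// <remarks>
/// Service errors (<see cref="DecryptionFailureException"/>, <see cref="InternalServiceErrorException"/>,
/// <see cref="InvalidParameterException"/>, <see cref="InvalidRequestException"/>,
/// <see cref="ResourceNotFoundException"/>) propagate unchanged. The previous version blocked
/// with <c>.Result</c>, which wrapped every one of them in an <see cref="AggregateException"/>,
/// and its catch blocks only rethrew; using <c>GetAwaiter().GetResult()</c> surfaces the
/// original exception type instead. Blocking on a Task is still a deadlock risk when a
/// synchronization context is present — callers on ASP.NET/UI threads should prefer an async path.
/// </remarks>
public static string GetDBSecret(IAmazonSecretsManager client, string secretName = "MongoAuthConnection")
{
    if (client == null)
    {
        throw new ArgumentNullException(nameof(client));
    }
    if (string.IsNullOrWhiteSpace(secretName))
    {
        throw new ArgumentException("A secret name is required.", nameof(secretName));
    }

    GetSecretValueRequest request = new GetSecretValueRequest
    {
        SecretId = secretName,
        VersionStage = "AWSCURRENT", // VersionStage defaults to AWSCURRENT if unspecified.
    };

    GetSecretValueResponse response = client.GetSecretValueAsync(request).GetAwaiter().GetResult();

    // Depending on whether the secret is a string or binary, one of these fields is populated.
    if (response.SecretString != null)
    {
        return response.SecretString;
    }

    if (response.SecretBinary == null)
    {
        return null;
    }

    // Mirrors the AWS sample this was taken from: the binary payload is read as base64 text
    // and decoded to UTF-8. The original computed this value and then returned null, so every
    // binary secret was silently lost; the decoded value is now returned.
    using (StreamReader reader = new StreamReader(response.SecretBinary))
    {
        return System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(reader.ReadToEnd()));
    }
}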
/// <summary>
/// Initializes a new instance of the <see cref="AwsSecretsProvider"/> class from an
/// explicit list of secrets.
/// </summary>
/// <param name="secretsClient">The <see cref="IAmazonSecretsManager"/> used for routing calls to AWS.</param>
/// <param name="secrets">A list of <see cref="AwsSecret"/> to define the secrets.</param>
/// <remarks>
/// No null checks are performed here; the other constructor overload documents that a null
/// client falls back to <see cref="AwsSecret"/>'s default client, so nulls are left to the
/// consumers of <c>SecretsClient</c> and <c>Secrets</c> to handle.
/// </remarks>
public AwsSecretsProvider(IAmazonSecretsManager secretsClient, IReadOnlyList<AwsSecret> secrets)
{
    Secrets = secrets;
    SecretsClient = secretsClient;
}
/// <summary>
/// Adds an <see cref="AwsSecret"/> to the <see cref="ISecretsConfigurationBuilder"/>.
/// </summary>
/// <param name="builder">The builder the secret is being added to.</param>
/// <param name="configurationKey">The configuration key for the secret.</param>
/// <param name="secretId">The Amazon Resource Name (ARN) or the friendly name of the secret.</param>
/// <param name="secretKey">The key of the secret in AWS.</param>
/// <param name="secretsManager">
/// The <see cref="IAmazonSecretsManager"/> client used for routing calls to AWS. If <see langword="null"/>,
/// then <see cref="AwsSecret.DefaultSecretsManager"/> is used instead.
/// </param>
/// <returns>The same <see cref="ISecretsConfigurationBuilder"/>, for chaining.</returns>
/// <exception cref="ArgumentNullException"><paramref name="builder"/> is <see langword="null"/>.</exception>
public static ISecretsConfigurationBuilder AddAwsSecret(this ISecretsConfigurationBuilder builder, string configurationKey, string secretId, string secretKey = null, IAmazonSecretsManager secretsManager = null)
{
    if (builder is null)
    {
        throw new ArgumentNullException(nameof(builder));
    }

    var secret = new AwsSecret(configurationKey, secretId, secretKey, secretsManager);
    return builder.AddSecret(secret);
}
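/// <summary>
/// Initializes a new instance of the <see cref="AwsSecretsProvider"/> class.
/// </summary>
/// <param name="secretsClient">The <see cref="IAmazonSecretsManager"/> used for routing calls to AWS.</param>
/// <param name="secrets">A list of <see cref="AwsSecretDefinition"/> to define the secrets.</param>
/// <exception cref="ArgumentNullException">
/// <paramref name="secrets"/> is <see langword="null"/>. (Previously this surfaced as a
/// NullReferenceException from the <c>Select</c> call.)
/// </exception>
/// <remarks>
/// Each definition is materialised into an <see cref="AwsSecret"/> bound to <paramref name="secretsClient"/>;
/// the list is built eagerly so the definitions are enumerated exactly once.
/// </remarks>
public AwsSecretsProvider(IAmazonSecretsManager secretsClient, IEnumerable<AwsSecretDefinition> secrets)
    : this(
        secretsClient,
        (secrets ?? throw new ArgumentNullException(nameof(secrets)))
            .Select(s => new AwsSecret(s.Key, s.AwsSecretName, s.AwsSecretKey, secretsClient))
            .ToList())
{
}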
/// <summary>
/// Creates the smoke-test fixture with a real <see cref="AmazonSecretsManagerClient"/>
/// pinned to us-east-1.
/// </summary>
public SmokeTest()
{
    var region = Amazon.RegionEndpoint.USEast1;
    secretsManagerClient = new AmazonSecretsManagerClient(region);
}
/// <summary>
/// Creates a cache entry for one specific version of a secret.
/// </summary>
/// <param name="secretId">The secret's id (name or ARN).</param>
/// <param name="versionId">The version of the secret this entry caches.</param>
/// <param name="client">The Secrets Manager client used to fetch the value.</param>
/// <param name="config">Cache configuration passed through to the base item.</param>
/// <remarks>
/// <c>hash</c> is derived from the "secretId versionId" string. Note that
/// <see cref="string.GetHashCode()"/> is randomized per process on .NET Core, so the value is
/// only meaningful within the current process (fine for in-memory lookups, not for persistence).
/// </remarks>
public SecretCacheVersion(String secretId, String versionId, IAmazonSecretsManager client, SecretCacheConfiguration config)
    : base(secretId, client, config)
{
    var identity = String.Concat(secretId, " ", versionId);
    this.hash = identity.GetHashCode();
    this.versionId = versionId;
}
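/// <summary>
/// Initializes a new instance of the <see cref="SecretService"/> class.
/// </summary>
/// <param name="secretsManager">The Secrets Manager client every call is routed through.</param>
/// <exception cref="ArgumentNullException"><paramref name="secretsManager"/> is <see langword="null"/>.</exception>
public SecretService(IAmazonSecretsManager secretsManager)
{
    // Fail at construction rather than with a NullReferenceException on first use.
    if (secretsManager == null)
    {
        throw new ArgumentNullException(nameof(secretsManager));
    }

    _secretsManager = secretsManager;
}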
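/// <summary>
/// Initializes the paginator factory with the client that every paginator it creates will use.
/// </summary>
/// <param name="client">The Secrets Manager client to page through.</param>
/// <exception cref="ArgumentNullException"><paramref name="client"/> is <see langword="null"/>.</exception>
internal SecretsManagerPaginatorFactory(IAmazonSecretsManager client)
{
    if (client == null)
    {
        throw new ArgumentNullException(nameof(client));
    }

    this.client = client;
}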
/// <summary>
/// Initializes a new instance of the <see cref="SecretsManagerConfigurationProvider"/> class.
/// </summary>
/// <param name="client">The Secrets Manager client used to list and fetch secrets.</param>
/// <param name="options">Provider options (filters, key generation, polling).</param>
/// <exception cref="ArgumentNullException">
/// <paramref name="options"/> or <paramref name="client"/> is <see langword="null"/>;
/// <paramref name="options"/> is checked first.
/// </exception>
public SecretsManagerConfigurationProvider(IAmazonSecretsManager client, SecretsManagerConfigurationProviderOptions options)
{
    if (options == null)
    {
        throw new ArgumentNullException(nameof(options));
    }
    if (client == null)
    {
        throw new ArgumentNullException(nameof(client));
    }

    Options = options;
    Client = client;
}
/// <summary>
/// Initializes a new instance of the <see cref="SecretsManagerCache"/> class using a
/// default <see cref="SecretCacheConfiguration"/>.
/// </summary>
/// <param name="secretsManager">The Secrets Manager client the cache reads through.</param>
public SecretsManagerCache(IAmazonSecretsManager secretsManager)
    : this(secretsManager, new SecretCacheConfiguration())
{
    // All work is delegated to the (client, config) constructor.
}
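/// <summary>
/// Initializes a paginator that will issue <paramref name="request"/> repeatedly against
/// <paramref name="client"/>, following the next-token chain.
/// </summary>
/// <param name="client">The Secrets Manager client used for each page.</param>
/// <param name="request">The request whose pages are enumerated.</param>
/// <exception cref="ArgumentNullException">Either argument is <see langword="null"/>.</exception>
internal ListSecretsPaginator(IAmazonSecretsManager client, ListSecretsRequest request)
{
    if (client == null)
    {
        throw new ArgumentNullException(nameof(client));
    }
    if (request == null)
    {
        throw new ArgumentNullException(nameof(request));
    }

    this._client = client;
    this._request = request;
}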
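/// <summary>
/// Initializes a new instance of the <see cref="AWSSecretsManagerHelper"/> class.
/// </summary>
/// <param name="amazonSecretsManager">The Secrets Manager client calls are routed through.</param>
/// <param name="logger">Logger for this helper.</param>
/// <exception cref="ArgumentNullException">Either argument is <see langword="null"/>.</exception>
public AWSSecretsManagerHelper(IAmazonSecretsManager amazonSecretsManager, ILogger<AWSSecretsManagerHelper> logger)
{
    // Validate dependencies up front so a mis-wired container fails at resolution time.
    if (amazonSecretsManager == null)
    {
        throw new ArgumentNullException(nameof(amazonSecretsManager));
    }
    if (logger == null)
    {
        throw new ArgumentNullException(nameof(logger));
    }

    this._amazonSecretsManager = amazonSecretsManager;
    this._logger = logger;
}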
/// <summary>
/// Invokes the ListSecrets operation on the given client, using the synchronous API on the
/// desktop build and the async API (blocked on) on CoreCLR.
/// </summary>
/// <param name="client">The Secrets Manager client to call.</param>
/// <param name="request">The ListSecrets request.</param>
/// <returns>The service response.</returns>
/// <exception cref="Exception">
/// Thrown with a name-resolution-failure message when the service exception wraps a
/// <see cref="System.Net.WebException"/>; any other <see cref="AmazonServiceException"/> is rethrown as-is.
/// </exception>
private Amazon.SecretsManager.Model.ListSecretsResponse CallAWSServiceOperation(IAmazonSecretsManager client, Amazon.SecretsManager.Model.ListSecretsRequest request)
{
    Utils.Common.WriteVerboseEndpointMessage(this, client.Config, "AWS Secrets Manager", "ListSecrets");
    try
    {
#if DESKTOP
        return client.ListSecrets(request);
#elif CORECLR
        return client.ListSecretsAsync(request).GetAwaiter().GetResult();
#else
#error "Unknown build edition"
#endif
    }
    catch (AmazonServiceException exc)
    {
        var webException = exc.InnerException as System.Net.WebException;
        if (webException == null)
        {
            // Not a transport-level failure: preserve the original exception and stack.
            throw;
        }

        throw new Exception(Utils.Common.FormatNameResolutionFailureMessage(client.Config, webException.Message), webException);
    }
}
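/// <summary>
/// Initializes a new instance of the <see cref="SecretProvider"/> class.
/// </summary>
/// <param name="collection">The secret configuration entries this provider serves.</param>
/// <param name="manager">The Secrets Manager client used to resolve them.</param>
/// <exception cref="ArgumentNullException">Either argument is <see langword="null"/>.</exception>
public SecretProvider(SecretConfigCollection collection, IAmazonSecretsManager manager)
{
    if (collection == null)
    {
        throw new ArgumentNullException(nameof(collection));
    }
    if (manager == null)
    {
        throw new ArgumentNullException(nameof(manager));
    }

    this.collection = collection;
    this.manager = manager;
}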
/// <summary>
/// A custom <c>KeyGenerator</c> decides the configuration key: the value is reachable under
/// the generated key and no longer under the raw secret name.
/// </summary>
public void Keys_can_be_customized_via_options([Frozen] SecretListEntry testEntry, ListSecretsResponse listSecretsResponse, GetSecretValueResponse getSecretValueResponse, string newKey, [Frozen] IAmazonSecretsManager secretsManager, [Frozen] SecretsManagerConfigurationProviderOptions options, SecretsManagerConfigurationProvider sut, IFixture fixture)
{
    // Every secret maps to the same generated key for this test.
    options.KeyGenerator = (entry, key) => newKey;

    var managerMock = Mock.Get(secretsManager);
    managerMock
        .Setup(p => p.ListSecretsAsync(It.IsAny<ListSecretsRequest>(), It.IsAny<CancellationToken>()))
        .ReturnsAsync(listSecretsResponse);
    managerMock
        .Setup(p => p.GetSecretValueAsync(It.IsAny<GetSecretValueRequest>(), It.IsAny<CancellationToken>()))
        .ReturnsAsync(getSecretValueResponse);

    sut.Load();

    Assert.That(sut.Get(testEntry.Name), Is.Null);
    Assert.That(sut.Get(newKey), Is.EqualTo(getSecretValueResponse.SecretString));
}
/// <summary>
/// Creates a cache entry for the current value of a secret (no explicit version).
/// </summary>
/// <param name="secretId">The secret's id (name or ARN).</param>
/// <param name="client">The Secrets Manager client used to fetch the value.</param>
/// <param name="config">Cache configuration passed through to the base item.</param>
public SecretCacheItem(String secretId, IAmazonSecretsManager client, SecretCacheConfiguration config)
    : base(secretId, client, config)
{
    // Nothing beyond the base initialisation is needed for an unversioned item.
}
/// <summary>
/// A listed secret whose value cannot be fetched (ResourceNotFound from the service) makes
/// <c>Load</c> fail with <see cref="MissingSecretValueException"/> rather than silently skipping it.
/// </summary>
public void Should_throw_on_missing_secret_value([Frozen] SecretListEntry testEntry, ListSecretsResponse listSecretsResponse, [Frozen] IAmazonSecretsManager secretsManager, SecretsManagerConfigurationProvider sut, IFixture fixture)
{
    var notFound = new ResourceNotFoundException("Oops");

    var managerMock = Mock.Get(secretsManager);
    managerMock
        .Setup(p => p.ListSecretsAsync(It.IsAny<ListSecretsRequest>(), It.IsAny<CancellationToken>()))
        .ReturnsAsync(listSecretsResponse);
    managerMock
        .Setup(p => p.GetSecretValueAsync(It.IsAny<GetSecretValueRequest>(), It.IsAny<CancellationToken>()))
        .Throws(notFound);

    Assert.That(() => sut.Load(), Throws.TypeOf<MissingSecretValueException>());
}
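/// <summary>
/// Creates a cache entry for one specific version of a secret.
/// </summary>
/// <param name="secretId">The secret's id (name or ARN).</param>
/// <param name="versionId">The version of the secret this entry caches.</param>
/// <param name="client">The Secrets Manager client used to fetch the value.</param>
/// <param name="config">Cache configuration passed through to the base item.</param>
/// <remarks>
/// <c>hash</c> is derived from the "secretId versionId" string. <see cref="string.GetHashCode()"/>
/// is randomized per process on .NET Core, so the value is only meaningful in-process.
/// </remarks>
public SecretCacheVersion(String secretId, String versionId, IAmazonSecretsManager client, SecretCacheConfiguration config)
    : base(secretId, client, config)
{
    this.versionId = versionId;
    // String.Format uses {0}/{1} placeholders. The previous "%s %s" is printf syntax, which
    // .NET emits literally, so every (secretId, versionId) pair hashed to the same value.
    this.hash = String.Format("{0} {1}", secretId, versionId).GetHashCode();
}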
/// <summary>
/// <c>ForceReloadAsync</c> refetches every secret immediately, fires the reload-token
/// callback and exposes the new value, without waiting for the polling interval.
/// </summary>
public async Task Should_reload_when_forceReload_called([Frozen] SecretListEntry testEntry, ListSecretsResponse listSecretsResponse, GetSecretValueResponse getSecretValueInitialResponse, GetSecretValueResponse getSecretValueUpdatedResponse, [Frozen] IAmazonSecretsManager secretsManager, [Frozen] SecretsManagerConfigurationProviderOptions options, SecretsManagerConfigurationProvider sut, IFixture fixture, Action<object> changeCallback, object changeCallbackState)
{
    var managerMock = Mock.Get(secretsManager);
    managerMock
        .Setup(p => p.ListSecretsAsync(It.IsAny<ListSecretsRequest>(), It.IsAny<CancellationToken>()))
        .ReturnsAsync(listSecretsResponse);
    // First fetch (Load) returns the initial value, the forced reload returns the updated one.
    managerMock
        .SetupSequence(p => p.GetSecretValueAsync(It.IsAny<GetSecretValueRequest>(), It.IsAny<CancellationToken>()))
        .ReturnsAsync(getSecretValueInitialResponse)
        .ReturnsAsync(getSecretValueUpdatedResponse);

    sut.GetReloadToken().RegisterChangeCallback(changeCallback, changeCallbackState);
    sut.Load();

    var initial = sut.Get(testEntry.Name);
    Assert.That(initial, Is.EqualTo(getSecretValueInitialResponse.SecretString));

    await sut.ForceReloadAsync(CancellationToken.None);

    Mock.Get(changeCallback).Verify(c => c(changeCallbackState));
    var updated = sut.Get(testEntry.Name);
    Assert.That(updated, Is.EqualTo(getSecretValueUpdatedResponse.SecretString));
}
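/// <summary>
/// Initializes a new instance of the <see cref="SecretManager"/> class.
/// </summary>
/// <param name="amazonSecretsManager">The Secrets Manager client every call is routed through.</param>
/// <exception cref="ArgumentNullException"><paramref name="amazonSecretsManager"/> is <see langword="null"/>.</exception>
public SecretManager(IAmazonSecretsManager amazonSecretsManager)
{
    // Fail at construction rather than with a NullReferenceException on first use.
    if (amazonSecretsManager == null)
    {
        throw new ArgumentNullException(nameof(amazonSecretsManager));
    }

    _amazonSecretsManager = amazonSecretsManager;
}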
/// <summary>
/// A JSON secret whose root is an array of objects (each holding nested arrays) is flattened
/// into configuration keys using array indices as path segments.
/// </summary>
public void Array_Of_Complex_JSON_objects_with_arrays_can_be_handled([Frozen] SecretListEntry testEntry, ListSecretsResponse listSecretsResponse, RootObjectWithArray[] test, [Frozen] IAmazonSecretsManager secretsManager, SecretsManagerConfigurationProvider sut, IFixture fixture)
{
    var json = JsonConvert.SerializeObject(test);
    var getSecretValueResponse = fixture.Build<GetSecretValueResponse>()
        .With(p => p.SecretString, json)
        .Without(p => p.SecretBinary)
        .Create();

    var managerMock = Mock.Get(secretsManager);
    managerMock
        .Setup(p => p.ListSecretsAsync(It.IsAny<ListSecretsRequest>(), It.IsAny<CancellationToken>()))
        .ReturnsAsync(listSecretsResponse);
    managerMock
        .Setup(p => p.GetSecretValueAsync(It.IsAny<GetSecretValueRequest>(), It.IsAny<CancellationToken>()))
        .ReturnsAsync(getSecretValueResponse);

    sut.Load();

    var first = test[0];
    var second = test[1];
    var propertiesKey = nameof(RootObjectWithArray.Properties);
    var midsKey = nameof(RootObjectWithArray.Mids);
    var propertyKey = nameof(MidLevel.Property);

    Assert.That(sut.Get(testEntry.Name, "0", propertiesKey, "0"), Is.EqualTo(first.Properties[0]));
    Assert.That(sut.Get(testEntry.Name, "0", midsKey, "0", propertyKey), Is.EqualTo(first.Mids[0].Property));
    Assert.That(sut.Get(testEntry.Name, "1", propertiesKey, "0"), Is.EqualTo(second.Properties[0]));
    Assert.That(sut.Get(testEntry.Name, "1", midsKey, "0", propertyKey), Is.EqualTo(second.Mids[0].Property));
}
/// <summary>
/// <c>ListSecretsFilters</c> are forwarded to the ListSecrets request so filtering happens
/// server-side; the mocked (filtered) listing yields no value for the entry.
/// </summary>
public void Secrets_can_be_filtered_out_via_options_on_fetching([Frozen] SecretListEntry testEntry, ListSecretsResponse listSecretsResponse, GetSecretValueResponse getSecretValueResponse, [Frozen] IAmazonSecretsManager secretsManager, [Frozen] SecretsManagerConfigurationProviderOptions options, SecretsManagerConfigurationProvider sut, IFixture fixture)
{
    var nameFilter = new Filter
    {
        Key = FilterNameStringType.Name,
        Values = new List<string> { testEntry.Name }
    };
    options.ListSecretsFilters = new List<Filter> { nameFilter };

    // Only a request carrying exactly the configured filter list is answered.
    var managerMock = Mock.Get(secretsManager);
    managerMock
        .Setup(p => p.ListSecretsAsync(It.Is<ListSecretsRequest>(request => request.Filters == options.ListSecretsFilters), It.IsAny<CancellationToken>()))
        .ReturnsAsync(listSecretsResponse);

    sut.Load();

    managerMock.Verify(p => p.ListSecretsAsync(It.Is<ListSecretsRequest>(request => request.Filters == options.ListSecretsFilters), It.IsAny<CancellationToken>()));
    Assert.That(sut.Get(testEntry.Name), Is.Null);
}