public async Task DeleteKeyVaultAsync(Guid subscriptionId, KeyVault keyVault) { var accessToken = await GetAccessToken(); var token = new TokenCredentials(accessToken); var kvClient = new KeyVaultManagementClient(token) { SubscriptionId = subscriptionId.ToString() }; try { await kvClient.Vaults.DeleteWithHttpMessagesAsync(keyVault.ResourceGroupName, keyVault.Name); } catch (CloudException cEx) { if (cEx.Response?.StatusCode != HttpStatusCode.NotFound) { _logger.LogError(cEx, $"Exception deleting Key Vault {keyVault.ResourceId} " + $"with request {cEx.RequestId}"); throw; } } }
public VaultViewer(KeyVault vault) { DataContext = vault; InitializeComponent(); Loaded += async(sender, args) => { await PopulatePolicyList(); }; policyItems.SelectionChanged += (sender, args) => { var policy = ((EntityAccessPolicy)args.AddedItems[0]); keyGroup.DataContext = policy.KeyPolicy; secretGroup.DataContext = policy.SecretPolicy; }; policyItems.PreviewMouseRightButtonDown += (sender, args) => { TreeViewItem treeViewItem = VisualUpwardSearch(args.OriginalSource as DependencyObject); if (treeViewItem != null) { treeViewItem.Focus(); args.Handled = true; } }; }
public static KeyVaultSecrets GetSecretsClient(ILogger logger) { var keyVaultName = Environment.GetEnvironmentVariable("KeyVaultName"); var hubSecretName = Environment.GetEnvironmentVariable("HubSecretName"); var identityClientId = Environment.GetEnvironmentVariable("IdentityClientId"); var tenantId = Environment.GetEnvironmentVariable("TenantId"); var clientId = Environment.GetEnvironmentVariable("ClientId"); var clientSecret = Environment.GetEnvironmentVariable("ClientSecret"); logger.LogInformation("Retrieving secrets from vault named: {valueName} and a hub secret named: {hubSecretName}", keyVaultName, hubSecretName); TokenCredential tokenProvider; if (string.IsNullOrWhiteSpace(clientSecret)) { tokenProvider = string.IsNullOrWhiteSpace(identityClientId) ? AzureOauthTokenAuthentication.GetOauthTokenCredentialFromManagedIdentity() : AzureOauthTokenAuthentication.GetOauthTokenCredentialFromManagedIdentity(identityClientId); } else { tokenProvider = AzureOauthTokenAuthentication.GetOauthTokenCredentialFromClientSecret(tenantId, clientId, clientSecret); } logger.LogInformation("Completed creation of token provider"); var vault = new KeyVault(keyVaultName, tokenProvider, 3, TimeSpan.FromSeconds(2), TimeSpan.FromSeconds(15), TimeSpan.FromSeconds(10)); logger.LogInformation("Created key vault"); return(vault.GetSecretsClient()); }
public void simple_crypt_test() { var c = KeyVault.EncryptValuesToString(ReferenceDictionary, "A passphrase"); var read = KeyVault.DecryptValues(c, "A passphrase"); read.Should().BeEquivalentTo(ReferenceDictionary); }
public static async Task<IActionResult> Run( [HttpTrigger(AuthorizationLevel.Function, "get", Route = null)] HttpRequest req, ILogger log) { log.LogInformation("C# HTTP trigger function processed a request."); //Getting secret from query string secret = req.Query["secret"]; //Validating if secret is empty if (string.IsNullOrEmpty(secret)) return new BadRequestObjectResult("Request does not contain a valid Secret"); SecretRequest secretRequest = new SecretRequest(secret); log.LogInformation($"GetKeyVaultSecret request received for secret { secretRequest.Secret}"); //Creating keyvault object var keyvault = new KeyVault(); log.LogInformation("Secret Value retrieved from KeyVault."); //Getting secret information var secretBundle = await keyvault.GetSecret(secret); //Returning secret data var secretResponse = new SecretResponse { Secret = secretRequest.Secret, Value = secretBundle.Value }; return new OkObjectResult(secretResponse); }
public void read_previous_version(int version) { var fName = PreviousVersionsFolder.AppendPart($"Version{version}.txt"); var read = KeyVault.DecryptValues(File.ReadAllText(fName), "A passphrase"); read.Should().BeEquivalentTo(ReferenceDictionary); }
// This method gets called by the runtime. Use this method to add services to the container. public void ConfigureServices(IServiceCollection services) { services.AddMvc(); services.AddSingleton <IQueue, AzureQueue>((serviceProvider) => { const string queueName = "somequeue"; KV = new KeyVault(Configuration["AzureKeyVaultUri"], Configuration["applicationId"], Configuration["applicationSecret"]); var encryptionKeyName = Configuration["EncryptionKeyName"]; var decryptionKeyName = Configuration["DecryptionKeyName"]; var signKeyName = Configuration["SignKeyName"]; var verifyKeyName = Configuration["VerifyKeyName"]; var encryptionCertPassword = Configuration["EncryptionCertPassword"]; var decryptionCertPassword = Configuration["DecryptionCertPassword"]; var signCertPassword = Configuration["SignCertPassword"]; var verifyCertPassword = Configuration["VerifyCertPassword"]; var secretsMgmnt = new KeyVaultCryptoActions( new CertificateInfo(encryptionKeyName, encryptionCertPassword), new CertificateInfo(decryptionKeyName, decryptionCertPassword), new CertificateInfo(signKeyName, signCertPassword), new CertificateInfo(verifyKeyName, verifyCertPassword), KV, KV); secretsMgmnt.InitializeAsync().Wait(); //var securedComm = new RabbitMQBusImpl(config["rabbitMqUri"], secretsMgmnt, true, "securedCommExchange"); var queueClient = new CloudQueueClientWrapper(Configuration["AzureStorageConnectionString"]); securedComm = new AzureQueue(queueName, queueClient, secretsMgmnt, true); securedComm.Initialize().Wait(); return(securedComm); }); }
public TableFactory(AppConfig config) { var storageConnection = KeyVault.GetSecretFromKeyvault(config.StorageConnection); var storageAccount = CloudStorageAccount.Parse(storageConnection); _tableClient = storageAccount.CreateCloudTableClient(); }
public async Task <string> GetKeyVaultSecretAsync( Guid subscriptionId, KeyVault keyVault, string secretName) { // Authenticate using MSI AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider(); var accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://vault.azure.net"); var token = new TokenCredentials(accessToken); var keyVaultClient = new KeyVaultClient(token); try { var secret = await keyVaultClient.GetSecretAsync(keyVault.Uri, secretName); return(secret?.Value); } catch (KeyVaultErrorException e) { if (e.Body?.Error?.Code != "SecretNotFound") { throw new Exception($"Failed to get secret with principal: {azureServiceTokenProvider.PrincipalUsed}", e); } } catch (Exception e) { throw new Exception($"Failed to get secret with principal: {azureServiceTokenProvider.PrincipalUsed}", e); } return(null); }
public async Task <X509Certificate2> GetKeyVaultCertificateAsync( Guid subscriptionId, KeyVault keyVault, string certificateName, string password) { // Authenticate using MSI AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider(); var accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://vault.azure.net"); var token = new TokenCredentials(accessToken); var keyVaultClient = new KeyVaultClient(token); try { var certSecret = await keyVaultClient.GetSecretAsync(keyVault.Uri, certificateName); if (certSecret == null) { return(null); } return(new X509Certificate2( Convert.FromBase64String(certSecret.Value), string.Empty, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable)); } catch (Exception e) { throw new Exception($"Failed to get certificate with principal: {azureServiceTokenProvider.PrincipalUsed}", e); } }
public async Task AddReaderIdentityToAccessPolicies(Guid subscriptionId, KeyVault keyVault, Config.ServicePrincipal identity) { var accessToken = await GetAccessToken(); var token = new TokenCredentials(accessToken); var kvClient = new KeyVaultManagementClient(token) { SubscriptionId = subscriptionId.ToString() }; var vault = await kvClient.Vaults.GetAsync(keyVault.ResourceGroupName, keyVault.Name); var accessPolicies = vault.Properties.AccessPolicies; if (accessPolicies.All(ap => ap.ObjectId != identity.ObjectId.ToString())) { // This identity doesn't exist, lets add it. accessPolicies.Add(new AccessPolicyEntry( identity.TenantId, identity.ObjectId.ToString(), new Microsoft.Azure.Management.KeyVault.Models.Permissions( secrets: new[] { "Get", "List" }, certificates: new[] { "Get", "List" }))); await kvClient.Vaults.UpdateWithHttpMessagesAsync(keyVault.ResourceGroupName, keyVault.Name, new VaultPatchParameters(properties : new VaultPatchProperties(accessPolicies : accessPolicies))); } }
public async Task DeleteCertificateAsync( Guid subscriptionId, KeyVault keyVault, string certificateName) { AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider(); var accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://vault.azure.net"); var token = new TokenCredentials(accessToken); using (var keyVaultClient = new KeyVaultClient(token)) { try { await keyVaultClient.DeleteCertificateAsync(keyVault.Uri, certificateName); } catch (KeyVaultErrorException ex) { if (ex.Body?.Error?.Code != "CertificateNotFound") { throw new Exception($"Failed to delete certificate with principal: {azureServiceTokenProvider.PrincipalUsed}", ex); } } catch (Exception e) { throw new Exception($"Failed to delete certificate with principal: {azureServiceTokenProvider.PrincipalUsed}", e); } } }
private static IDictionary <string, object> Logic() { var resourceGroup = new ResourceGroup("DevTestKeyVaultGroup", new ResourceGroupArgs { Location = "WestEurope", Name = "DevTestKeyVaultGroup", Tags = new InputMap <string>() }, new CustomResourceOptions { ImportId = "/subscriptions/47a9c0f7-9e3a-4f74-8803-a4c966fedff6/resourceGroups/DevTestKeyVaultGroup" }); var keyVault = new KeyVault("PulumiVault", new KeyVaultArgs { Name = "PulumiVault", ResourceGroupName = resourceGroup.Name, TenantId = "407da715-6eac-44a1-ac21-3f0b4e84877c", EnabledForDeployment = true, EnabledForDiskEncryption = true, EnabledForTemplateDeployment = true }, new CustomResourceOptions { ImportId = KeyVaultId }); return(new Dictionary <string, object?> { { "VaultLocation", keyVault.Location } }); }
public JSonService(ILogger <DisplayController> logger, IConfiguration configuration) { httpClient = new HttpClient(); keyVault = new KeyVault(configuration); httpClient.Timeout = new TimeSpan(0, 0, 10); this.logger = logger; }
public DriveHandler(ILogger <Startup> Logger, IConfiguration configuration) { Configuration = configuration; _logger = Logger; var keys = new KeyVault(Logger); _folderId = keys.GetSecret("ChummerFolderId"); }
public void GetCertificateWithVersion() { const string VaultName = "fakevault1"; const string SecretName = "secretname1"; const string SecretVersion = "1aaaaaaa1aa11a1111aaaa11111a1111"; // const string SecretValue = "This is the value fake"; const string TenantId = "11111111-1111-1111-aa1a-a1a11a111111"; const string ClientId = "11111111-1111-1111-aa1a-a1a11a111111"; const string ClientSecret = "a.u8w3FFgwy9v_-5R_5gsT~qf96T~a7e6y"; // var getCertificateInvoked = false; // string key = null; var path = ContainerEnvironment.IsLinux ? Path.Combine(Environment.CurrentDirectory, "my_contoso_local.pfx") : Path.Combine(Environment.CurrentDirectory, "TestValidationCertificate.pfx"); var certificate = new X509Certificate2(path, "abc123"); var certificateString = Convert.ToBase64String(certificate.RawData); using (var context = ShimsContext.Create()) { ShimKeyVaultCertificate.AllInstances.CerGet = new FakesDelegates.Func <KeyVaultCertificate, byte[]>((vaultCert) => certificate.RawData); var fakeCertificate = new ShimKeyVaultCertificate() { NameGet = new FakesDelegates.Func <string>(() => "FakeCert1"), IdGet = new FakesDelegates.Func <Uri>(() => new Uri("cert://FakeCert1")), PropertiesGet = new FakesDelegates.Func <CertificateProperties>(() => { return(new ShimCertificateProperties() { VersionGet = new FakesDelegates.Func <string>(() => SecretVersion), NameGet = new FakesDelegates.Func <string>(() => SecretName), IdGet = new FakesDelegates.Func <Uri>(() => new Uri("cert://FakeCert1")) }); }) }; ShimCertificateClient.AllInstances.GetCertificateVersionAsyncStringStringCancellationToken = new FakesDelegates.Func <CertificateClient, string, string, CancellationToken, Task <Response <KeyVaultCertificate> > >((client, name, version, cancellationToken) => { var keyVaultFakeCertificateResponse = new FakeResponse <KeyVaultCertificate>(fakeCertificate, 200, "OK", null); return(Task.FromResult(keyVaultFakeCertificateResponse as Response <KeyVaultCertificate>)); }); var secret = new ShimKeyVaultCertificateWithPolicy(); var response = new FakeResponse <KeyVaultCertificate>(secret, 200, "OK", null); SetupSecretClientConstructorFakes(); var vault = new KeyVault(VaultName, AzureOauthTokenAuthentication.GetOauthTokenCredentialFromClientSecret(TenantId, ClientId, ClientSecret), 3, TimeSpan.FromSeconds(2), TimeSpan.FromSeconds(15), TimeSpan.FromSeconds(10)); var client = vault.GetCertificatesClient(CertificateClientOptions.ServiceVersion.V7_1); var certificateValue = client.GetAsync(SecretName, SecretVersion).GetAwaiter().GetResult(); Assert.IsNotNull(certificateValue, "Certificate failed to retrieve"); Assert.IsTrue(string.Equals(certificateValue.Id.AbsoluteUri, "cert://fakecert1/", StringComparison.Ordinal), "Id not expected"); Assert.IsTrue(string.Equals(certificateValue.Name, "FakeCert1", StringComparison.Ordinal), "Name not expected"); Assert.IsTrue(string.Equals(certificateValue.Version, SecretVersion, StringComparison.Ordinal), "Version not expected"); Assert.IsNull(certificateValue.Policy, "Policy not expected"); } }
private async Task <string> WrapKey(byte[] value, string keyIdentifier) { var encrypted = await KeyVault.EncryptAsync( keyIdentifier, JsonWebKeyEncryptionAlgorithm.RSAOAEP256, value); return(Convert.ToBase64String(encrypted.Result)); }
public bool IsReader() { return(EnvironmentResourceGroup.Any(p => ReaderRoles.Contains(p.Role)) && Batch.Any(p => ReaderRoles.Contains(p.Role)) && Storage.Any(p => ReaderRoles.Contains(p.Role)) && KeyVault.Any(p => ReaderRoles.Contains(p.Role)) && ApplicationInsights.Any(p => ReaderRoles.Contains(p.Role)) && VNet.Any(p => ReaderRoles.Contains(p.Role))); }
public bool IsOwner() { return(EnvironmentResourceGroup.Any(p => p.Role == OwnerRole) && Batch.Any(p => p.Role == OwnerRole) && Storage.Any(p => p.Role == OwnerRole) && KeyVault.Any(p => p.Role == OwnerRole) && ApplicationInsights.Any(p => p.Role == OwnerRole) && VNet.Any(p => p.Role == OwnerRole)); }
void DoSaveKeyVault(IActivityMonitor m) { foreach (var e in _store.OptimalAvailableInfos) { _vaultContent[e.Name] = e.Secret; } m?.Info($"Saved Key Vault with keys: {_vaultContent.Keys.Concatenate()}."); File.WriteAllText(KeyVaultPath, KeyVault.EncryptValuesToString(_vaultContent, _passPhrase)); }
/// <summary> /// Checks if the value is a keyvault and if it is, gets the value from a keyvault /// Otherwise, returns as is /// </summary> /// <param name="value"></param> /// <returns>value or value from secret</returns> public static string GetSecretFromKeyvaultIfNeeded(string value) { if (IsKeyVault(value)) { return(KeyVault.GetSecretFromKeyvault(value)); } return(value); }
public void invalid_keys(string k) { var vals = new Dictionary <string, string> { { "A", "a1" }, { k, "a2" } }; Assert.Throws <ArgumentException>(() => KeyVault.EncryptValuesToString(vals, "A passphrase")); }
private static string GetInstrumentationKey(AppConfig settings) { var secretName = settings?.AppInsightsIntrumentationKey; var vaultName = settings.ServiceKeyVaultName; return(string.IsNullOrWhiteSpace(secretName) || string.IsNullOrWhiteSpace(vaultName) ? Guid.Empty.ToString() : KeyVault.GetSecretFromKeyvault(settings.ServiceKeyVaultName, settings.AppInsightsIntrumentationKey)); }
public JobRunner(IConfiguration configuration, ScheduledJobTable jobTable) { IServiceCollection services = new ServiceCollection(); var appConfig = new AppConfig(configuration); services.AddLogging(loggingBuilder => { // Optional: Apply filters to configure LogLevel Trace or above is sent to ApplicationInsights for all // categories. loggingBuilder.AddFilter <ApplicationInsightsLoggerProvider>("", LogLevel.Information); var abc = GetInstrumentationKey(appConfig); loggingBuilder.AddApplicationInsights(GetInstrumentationKey(appConfig)); }); IServiceProvider serviceProvider = services.BuildServiceProvider(); _logger = serviceProvider.GetRequiredService <ILogger <JobRunner> >(); var sbConnection = KeyVault.GetSecretFromKeyvault(appConfig.ServiceBusConnectionString); _primaryQueueClient = new QueueClient(sbConnection, appConfig.PrimaryQueueName); _testQueueClient = new QueueClient(sbConnection, appConfig.TestQueueName); _activeQueueName = appConfig.ActiveQueueName; // NOTE: If you need to DI other things (e.g. for your jobs) here's where you'd do it, and then just add the injected class into your constructor. _services.AddSingleton <AppConfig>(appConfig) .AddApplicationInsightsTelemetry(new ApplicationInsightsServiceOptions() { EnableAdaptiveSampling = false, EnableDebugLogger = false, InstrumentationKey = GetInstrumentationKey(appConfig) }) .AddLogging(logging => { try { // In order to log ILogger logs logging.AddApplicationInsights(); // Optional: Apply filters to configure LogLevel Information or above is sent to // ApplicationInsights for all categories. logging.AddFilter <ApplicationInsightsLoggerProvider>("", LogLevel.Information); // Additional filtering For category starting in "Microsoft", // only Warning or above will be sent to Application Insights. logging.AddFilter <ApplicationInsightsLoggerProvider>("Microsoft", LogLevel.Warning); } catch (Exception e) { } }); _services.AddSingleton <ILogger>(_logger); LoadJobTypes(); _provider = _services.BuildServiceProvider(); this.ScheduledJobTable = jobTable; }
[ExcludeFromCodeCoverage] //excluded as Msi isn't part of the build pipeline for testing. public static IConfigurationBuilder AddKeyVaultSecrets(this IConfigurationBuilder builder, List <string> keys, bool throwNotFoundErrors = false) { try { var instanceName = builder.Build().GetValue <string>("KeyVaultInstanceName"); if (instanceName.IsNullOrEmpty()) { throw new InvalidOperationException("Expecting setting \"KeyVaultInstanceName\" to infer instance name"); } var vault = new KeyVault(new MsiConfig { KeyVaultInstanceName = instanceName }); var secrets = new List <KeyValuePair <string, string> >(); // Gather secrets from Key Vault foreach (var key in keys) { try { var value = vault.GetSecret(key).GetAwaiter().GetResult(); secrets.Add(new KeyValuePair <string, string>(key, value)); } catch (KeyVaultErrorException e) { // Throw an exception if requested. if (e.Response.StatusCode == HttpStatusCode.NotFound && throwNotFoundErrors) { throw; } // Do nothing if it fails to find the value. Console.WriteLine($"Failed to find keyvault setting: {key}, exception: {e.Message}"); } } // Add them to config. if (secrets.Any()) { builder.AddInMemoryCollection(secrets); } // Keep track of instance. KeyVaultInstance = vault; // Return updated builder. return(builder); } catch (Exception ex) { throw new InvalidOperationException("Problem occurred retrieving secrets from KeyVault using Managed Identity", ex); } }
public ActionResult LookUp(int beerId) { string clientId = KeyVault.GetSecret("untappd-clientid").Result; string clientSecret = KeyVault.GetSecret("untappd-clientsecret").Result; UntappdClient client = UntappdClient.Create(clientId, clientSecret); ViewBag.Message = client.Lookup(beerId); return(View("Message")); }
/// <summary> /// UDFPathResolver resolves the keyvault uri and gets the real path /// </summary> /// <param name="path">path</param> /// <returns>Returns a string </returns> private string UDFPathResolver(string path) { if (path != null && Config.Utility.KeyVaultUri.IsSecretUri(path)) { SecretUriParser.ParseSecretUri(path, out string keyvalut, out string secret); var secretUri = KeyVault.GetSecretFromKeyvault(keyvalut, secret); return(secretUri); } return(path); }
public void Injector_shouldnt_inject_unconfigured_optional_dependencies() { // prepare var context = new Provision.Context(); var keyvault = new KeyVault(context); // execute new Injector(context).Inject(); // assess Assert.DoesNotContain(context.Resources, resource => resource.GetType() == typeof(ServicePrincipal)); }
// Returns the environment permissions for a given user public UserEnvironmentPermissions ToUserEnvironmentPermissions(string objectId) { return(new UserEnvironmentPermissions { EnvironmentResourceGroup = EnvironmentResourceGroup.Where(p => p.ObjectId == objectId).ToList(), Batch = Batch.Where(p => p.ObjectId == objectId).ToList(), Storage = Storage.Where(p => p.ObjectId == objectId).ToList(), KeyVault = KeyVault.Where(p => p.ObjectId == objectId).ToList(), ApplicationInsights = ApplicationInsights.Where(p => p.ObjectId == objectId).ToList(), VNet = VNet.Where(p => p.ObjectId == objectId).ToList(), }); }
public void Test_KeyVault_MsiError() { // Arrange var kvClient = new KeyVault(new MsiConfig { KeyVaultInstanceName = _config.GetValue <string>("InstanceName") }); // Act/Assert kvClient.Name.Should().Be(_config.GetValue <string>("InstanceName")); (kvClient.Config as MsiConfig).Should().NotBeNull(); Assert.Throws <AzureServiceTokenProviderException>(() => kvClient.GetSecret("test").GetAwaiter().GetResult()); }
private static string GetStorage(int retry) { var vault = new KeyVault(new Uri(CloudConfigurationManager.GetSetting("KeyVault"))); while (true) { if (retry <= 0) { return null; } var jobStorageSecret = vault.Secret.GetSecretByName("JobStorage"); if (jobStorageSecret.Value != null) return jobStorageSecret.Value; System.Threading.Thread.Sleep(TimeSpan.FromSeconds((1 - (retry/10F)*10F))); retry = retry - 1; } }
// Please set the following connection strings in app.config for this WebJob to run: // AzureWebJobsDashboard and AzureWebJobsStorage static void Main() { var client = new KeyVault(new Uri(CloudConfigurationManager.GetSetting("KeyVault"))); var jobStorage = client.Secret.GetSecretByName("JobStorage"); var sb = client.Secret.GetSecretByName("ServiceBus"); if (jobStorage.Value != CloudConfigurationManager.GetSetting("JobStorage")) { jobStorage = new Secret() { ContentType = "String", Name = "JobStorage", Value = CloudConfigurationManager.GetSetting("JobStorage") }; jobStorage = client.Secret.CreateSecret("JobStorage", jobStorage); } if (sb.Value != CloudConfigurationManager.GetSetting("ServiceBus")) { sb = new Secret() { ContentType = "String", Name = "ServiceBus", Value = CloudConfigurationManager.GetSetting("ServiceBus") }; sb = client.Secret.CreateSecret("ServiceBus", sb); } var jobStorageConnString = jobStorage.Value; var host = new JobHost(new JobHostConfiguration(jobStorageConnString)); host.Start(); Console.WriteLine("Bootstrapped"); host.Stop(); }