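        /// <summary>
        /// Builds a Key Vault secrets client from environment configuration.
        /// </summary>
        /// <remarks>
        /// Reads the KeyVaultName, HubSecretName, IdentityClientId, TenantId, ClientId and ClientSecret
        /// environment variables. When ClientSecret is absent a managed-identity credential is used
        /// (the IdentityClientId overload when that variable is set, presumably selecting a user-assigned
        /// identity — confirm against AzureOauthTokenAuthentication); otherwise a client-secret credential is built.
        /// Only the vault name and hub secret name are logged; credential material never reaches the log.
        /// </remarks>
        /// <param name="logger">Logger for progress messages.</param>
        /// <returns>A secrets client bound to the configured vault.</returns>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="logger"/> is null.</exception>
        /// <exception cref="InvalidOperationException">
        /// Thrown when KeyVaultName is not set, or when ClientSecret is set without TenantId and ClientId.
        /// </exception>
        public static KeyVaultSecrets GetSecretsClient(ILogger logger)
        {
            if (logger is null)
            {
                throw new ArgumentNullException(nameof(logger));
            }

            var keyVaultName     = Environment.GetEnvironmentVariable("KeyVaultName");
            var hubSecretName    = Environment.GetEnvironmentVariable("HubSecretName");
            var identityClientId = Environment.GetEnvironmentVariable("IdentityClientId");
            var tenantId         = Environment.GetEnvironmentVariable("TenantId");
            var clientId         = Environment.GetEnvironmentVariable("ClientId");
            var clientSecret     = Environment.GetEnvironmentVariable("ClientSecret");

            // Fail fast with a clear message instead of letting a null vault name surface as an obscure
            // error deep inside the vault client.
            if (string.IsNullOrWhiteSpace(keyVaultName))
            {
                throw new InvalidOperationException("The KeyVaultName environment variable must be set.");
            }

            logger.LogInformation("Retrieving secrets from vault named: {valueName} and a hub secret named: {hubSecretName}", keyVaultName, hubSecretName);

            TokenCredential tokenProvider;

            if (string.IsNullOrWhiteSpace(clientSecret))
            {
                // No client secret configured: authenticate with managed identity.
                tokenProvider = string.IsNullOrWhiteSpace(identityClientId)
                    ? AzureOauthTokenAuthentication.GetOauthTokenCredentialFromManagedIdentity()
                    : AzureOauthTokenAuthentication.GetOauthTokenCredentialFromManagedIdentity(identityClientId);
            }
            else
            {
                // A client secret is only usable together with the tenant and application identifiers.
                if (string.IsNullOrWhiteSpace(tenantId) || string.IsNullOrWhiteSpace(clientId))
                {
                    throw new InvalidOperationException("TenantId and ClientId must be set when ClientSecret is provided.");
                }

                tokenProvider = AzureOauthTokenAuthentication.GetOauthTokenCredentialFromClientSecret(tenantId, clientId, clientSecret);
            }

            logger.LogInformation("Completed creation of token provider");

            // Positional retry/timing settings; presumably a retry count followed by three timing windows —
            // confirm their meaning against the KeyVault constructor before tuning them.
            var vault = new KeyVault(keyVaultName, tokenProvider, 3, TimeSpan.FromSeconds(2), TimeSpan.FromSeconds(15), TimeSpan.FromSeconds(10));

            logger.LogInformation("Created key vault");

            return vault.GetSecretsClient();
        }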
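        /// <summary>
        /// Verifies that a certificate stored as a base64 secret is fetched through the shimmed secret client
        /// and rehydrated as an <see cref="X509Certificate2"/> carrying the expected identity fields.
        /// </summary>
        /// <remarks>
        /// The credential constants are consumed only by the fake; the shim intercepts the secret lookup so
        /// no network call is made. Expected dates are parsed with the invariant culture so the test does not
        /// depend on the host's regional settings.
        /// </remarks>
        public void GetCertificateSecret()
        {
            const string VaultName     = "fakevault1";
            const string SecretName    = "secretname1";
            const string SecretVersion = "1aaaaaaa1aa11a1111aaaa11111a1111";
            const string TenantId      = "11111111-1111-1111-aa1a-a1a11a111111";
            const string ClientId      = "11111111-1111-1111-aa1a-a1a11a111111";
            // NOTE(review): this literal has the shape of a real Azure application secret. It is only handed to the
            // shimmed client here, but confirm it is a placeholder rather than a live credential checked into history.
            const string ClientSecret  = "a.u8w3FFgwy9v_-5R_5gsT~qf96T~a7e6y";

            var getSecretInvoked = false;
            X509Certificate2 certificateSecret = null;

            using (ShimsContext.Create())
            {
                var    path = Path.Combine(Environment.CurrentDirectory, "TestValidationCertificate.pfx");
                string certificateString;

                // The PFX handle is only needed long enough to capture its raw bytes; dispose it promptly.
                using (var certificate = new X509Certificate2(path, "abc123"))
                {
                    certificateString = Convert.ToBase64String(certificate.RawData);
                }

                var secret   = new KeyVaultSecretFake($"{VaultName}.vault.azure.net", SecretName, SecretVersion, certificateString);
                var response = new FakeResponse <KeyVaultSecret>(secret, 200, "OK", null);

                SetupSecretClientConstructorFakes();
                ShimSecretClient.AllInstances.GetSecretAsyncStringStringCancellationToken = new FakesDelegates.Func <SecretClient, string, string, CancellationToken, Task <Response <KeyVaultSecret> > >((client, name, version, cancellationToken) =>
                {
                    getSecretInvoked = true;

                    return Task.FromResult((Response <KeyVaultSecret>)response);
                });

                var credential  = AzureOauthTokenAuthentication.GetOauthTokenCredentialFromClientSecret(TenantId, ClientId, ClientSecret);
                var vault       = new KeyVault(VaultName, credential, 3, TimeSpan.FromSeconds(2), TimeSpan.FromSeconds(15), TimeSpan.FromSeconds(10));
                var client      = vault.GetSecretsClient(SecretClientOptions.ServiceVersion.V7_1);
                var secretValue = client.GetCertificateAsync(SecretName, SecretVersion, CancellationToken.None).GetAwaiter().GetResult();

                certificateSecret = secretValue.Value;
            }

            Assert.IsTrue(getSecretInvoked, "The fake should be used");
            Assert.IsNotNull(certificateSecret, "Certificate is null");

            try
            {
                var invariant = System.Globalization.CultureInfo.InvariantCulture;

                Assert.AreEqual("A449811985D59FC72303860F51CB95F5D3257141", certificateSecret.Thumbprint, "Certificate thumbprint not expected");
                Assert.AreEqual("CN=Joe Smith, OU=UserAccounts, DC=corp, DC=praxicloud, DC=com", certificateSecret.Subject, "Certificate subject not expected");
                Assert.AreEqual("CN=Joe Smith, OU=UserAccounts, DC=corp, DC=praxicloud, DC=com", certificateSecret.Issuer, "Certificate issuer not expected");
                Assert.AreEqual("67EA381F988D5AA94B1569B978062CFB", certificateSecret.SerialNumber, "Certificate serial number not expected");
                // NOTE(review): NotBefore/NotAfter are reported in the host's local time, so these expectations
                // presumably assume the time zone the values were captured in — confirm before running elsewhere.
                Assert.AreEqual(DateTime.Parse("2020-09-09 9:42:40 AM", invariant), certificateSecret.NotBefore, "Certificate not before not expected");
                Assert.AreEqual(DateTime.Parse("2070-09-09 9:52:40 AM", invariant), certificateSecret.NotAfter, "Certificate not after not expected");
            }
            finally
            {
                // The rehydrated certificate owns a native handle; release it once the assertions are done.
                certificateSecret.Dispose();
            }
        }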
        /// <summary>
        /// Verifies that requesting a specific secret version is routed through the shimmed secret client and that
        /// the value handed back (converted with SecureStringToString) matches the original plain text.
        /// </summary>
        /// <remarks>
        /// The credential constants only feed the fake; the shim short-circuits the lookup, so nothing leaves the process.
        /// </remarks>
        public void GetSecretWithVersion()
        {
            const string VaultName     = "fakevault1";
            const string SecretName    = "secretname1";
            const string SecretVersion = "1aaaaaaa1aa11a1111aaaa11111a1111";
            const string SecretValue   = "This is the value fake";
            const string TenantId      = "11111111-1111-1111-aa1a-a1a11a111111";
            const string ClientId      = "11111111-1111-1111-aa1a-a1a11a111111";
            // NOTE(review): this literal has the shape of a real Azure application secret; confirm it is a
            // placeholder rather than a live credential that has been committed.
            const string ClientSecret  = "a.u8w3FFgwy9v_-5R_5gsT~qf96T~a7e6y";

            var    fakeWasCalled = false;
            string retrieved     = null;

            using (ShimsContext.Create())
            {
                var fakeSecret   = new KeyVaultSecretFake($"{VaultName}.vault.azure.net", SecretName, SecretVersion, SecretValue);
                var fakeResponse = new FakeResponse <KeyVaultSecret>(fakeSecret, 200, "OK", null);

                SetupSecretClientConstructorFakes();

                // Record that the shim was hit and hand back the canned response regardless of the arguments.
                ShimSecretClient.AllInstances.GetSecretAsyncStringStringCancellationToken = new FakesDelegates.Func <SecretClient, string, string, CancellationToken, Task <Response <KeyVaultSecret> > >((client, name, version, cancellationToken) =>
                {
                    fakeWasCalled = true;

                    return Task.FromResult(fakeResponse as Response <KeyVaultSecret>);
                });

                var credential = AzureOauthTokenAuthentication.GetOauthTokenCredentialFromClientSecret(TenantId, ClientId, ClientSecret);
                var vault      = new KeyVault(VaultName, credential, 3, TimeSpan.FromSeconds(2), TimeSpan.FromSeconds(15), TimeSpan.FromSeconds(10));
                var client     = vault.GetSecretsClient(SecretClientOptions.ServiceVersion.V7_1);
                var result     = client.GetAsync(SecretName, SecretVersion).GetAwaiter().GetResult();

                retrieved = result.Value.SecureStringToString();
            }

            Assert.IsTrue(fakeWasCalled, "The fake should be used");
            Assert.IsTrue(string.Equals(retrieved, SecretValue, StringComparison.Ordinal), "Value not expected");
        }