/// <summary>
/// Add the Vault API client to the service collection.
/// </summary>
/// <param name="services">
/// The service collection to configure.
/// </param>
public static void AddVaultClient(this IServiceCollection services)
{
if (services == null)
{
throw new ArgumentNullException(nameof(services));
}
services.AddSingleton <IVaultClient>(serviceProvider =>
{
VaultOptions vaultOptions = serviceProvider.GetRequiredService <IOptions <VaultOptions> >().Value;
if (String.IsNullOrWhiteSpace(vaultOptions.EndPoint))
{
throw new InvalidOperationException("Application configuration is missing Vault end-point.");
}
if (String.IsNullOrWhiteSpace(vaultOptions.Token))
{
throw new InvalidOperationException("Application configuration is missing Vault access token.");
}
return(VaultClientFactory.CreateVaultClient(
new Uri(vaultOptions.EndPoint),
new TokenAuthenticationInfo(vaultOptions.Token)
));
});
}
public static IConfigurationBuilder AddVault(this IConfigurationBuilder builder)
{
var buildConfig = builder.Build();
if (buildConfig.GetSection("settings:useVault").Get <bool>())
{
try
{
IVaultClient vaultClient = VaultClientFactory.CreateVaultClient(
new Uri(buildConfig["vault:address"]),
new AppRoleAuthenticationInfo(
buildConfig["vault:roleid"],
buildConfig["vault:secretid"]
)
);
var vaultSecrets = vaultClient
.ReadSecretAsync(buildConfig["vault:path"])
.Result.Data.Select(x => new KeyValuePair <string, string>($"vault:{x.Key}", x.Value.ToString()));
return(builder.AddInMemoryCollection(vaultSecrets));
}
catch (Exception ex)
{
throw new Exception("Vault configuration failed: " + ex.Message);
}
}
else
{
return(builder);
}
}
private async Task GithubAuthenticationProviderTests()
{
// github auth
var personalAccessToken = "2ba5fecdddbf09b2b6facc495bdae12f3067d9d4";
var path = "github" + Guid.NewGuid();
var prefix = "auth/" + path;
var organization = "testingalib";
var team = "testalibteam1";
var githubAuthenticationInfo = new GitHubAuthenticationInfo(path, personalAccessToken);
var githubClient = VaultClientFactory.CreateVaultClient(_vaultUri, githubAuthenticationInfo);
var githubAuthBackend = new AuthenticationBackend {
BackendType = AuthenticationBackendType.GitHub, AuthenticationPath = githubAuthenticationInfo.MountPoint
};
await _authenticatedVaultClient.EnableAuthenticationBackendAsync(githubAuthBackend);
await _authenticatedVaultClient.WriteSecretAsync(prefix + "/config", new Dictionary <string, object> {
{ "organization", organization }
});
await _authenticatedVaultClient.WriteSecretAsync(prefix + "/map/teams/" + team, new Dictionary <string, object> {
{ "value", "root" }
});
var authBackends = await githubClient.GetAllEnabledAuthenticationBackendsAsync();
Assert.True(authBackends.Data.Any());
await _authenticatedVaultClient.DisableAuthenticationBackendAsync(githubAuthBackend.AuthenticationPath);
}
private async Task UsernamePasswordAuthenticationProviderTests()
{
// userpass auth
var path = "userpass" + Guid.NewGuid();
var prefix = "auth/" + path;
var username = "******";
var password = "******";
var authenticationInfo = new UsernamePasswordAuthenticationInfo(path, username, password);
var userPassClient = VaultClientFactory.CreateVaultClient(_vaultUri, authenticationInfo);
var authBackend = new AuthenticationBackend {
BackendType = AuthenticationBackendType.UsernamePassword, AuthenticationPath = authenticationInfo.MountPoint
};
await _authenticatedVaultClient.EnableAuthenticationBackendAsync(authBackend);
await _authenticatedVaultClient.WriteSecretAsync(prefix + "/users/" + username, new Dictionary <string, object>
{
{ "password", password },
{ "policies", "root" }
});
var authBackends = await userPassClient.GetAllEnabledAuthenticationBackendsAsync();
Assert.True(authBackends.Data.Any());
await _authenticatedVaultClient.DisableAuthenticationBackendAsync(authBackend.AuthenticationPath);
}
/// <inheritdoc/>
public void SeedVault()
{
_logger.LogInformation("Starting seeding HashiCopr Vault");
_logger.LogInformation("Creating Vault client");
_logger.LogInformation($"Vault Address: {_options.Server}");
IAuthenticationInfo tokenAuthenticationInfo;
if (!string.IsNullOrWhiteSpace(_options.TokenId))
{
_logger.LogInformation($"Auth Token: {_options.TokenId}");
tokenAuthenticationInfo = new TokenAuthenticationInfo(_options.TokenId);
}
else
{
_logger.LogInformation($"AppRole RoleId: {_options.RoleId}");
_logger.LogInformation($"AppRole SecretId: {_options.SecretId}");
tokenAuthenticationInfo = new AppRoleAuthenticationInfo("approle", _options.RoleId, _options.SecretId);
}
_logger.LogInformation($"Create Vault Client: {_options.Server}");
var vaultClient = VaultClientFactory.CreateVaultClient(new Uri(_options.Server), tokenAuthenticationInfo);
foreach (var item in _seeder)
{
_logger.LogDebug($"key:{item.key} -- property name: {item.values[0]} -- property value: {item.values[1]}");
var result = vaultClient.WriteSecretAsync(item.key, new Dictionary <string, object>()
{
{ item.values[0], item.values[1] }
}).Result;
_logger.LogDebug($"Result from Vault Server: {result?.ToString()}");
}
}
public VaultClient(string vaultAddr, string vaultToken, string keyName)
{
Uri vaultUri = new Uri(vaultAddr);
IAuthenticationInfo tokenAuthenticationInfo = new TokenAuthenticationInfo(vaultToken);
client = VaultClientFactory.CreateVaultClient(vaultUri, tokenAuthenticationInfo);
transitKeyName = keyName;
}
static void Main(string[] args)
{
//start Vault Server in dev mode
// ./vault server -dev
string vaultAddressWithPort = "http://127.0.0.1:8200";
string token = "75a244db-9164-4130-db60-50c7081f50ba";
System.Console.WriteLine("Creating Vault client");
System.Console.WriteLine($"Vault Address: {vaultAddressWithPort}");
System.Console.WriteLine($"Auth Token: {token}");
IAuthenticationInfo tokenAuthenticationInfo = new TokenAuthenticationInfo(token);
var vaultClient = VaultClientFactory.CreateVaultClient(new Uri(vaultAddressWithPort), tokenAuthenticationInfo);
System.Console.WriteLine("Writing data to Vault...");
var resulA = vaultClient.WriteSecretAsync("secret/keyA", new Dictionary <string, object>()
{
{ "prop1", "valueA" }
}).Result;
var resultB = vaultClient.WriteSecretAsync("secret/keyB", new Dictionary <string, object>()
{
{ "prop1", "valueB" }
}).Result;
var resultC = vaultClient.WriteSecretAsync("secret/group1/keyC", new Dictionary <string, object>()
{
{ "prop1", "valueC" }
}).Result;
var resultD = vaultClient.WriteSecretAsync("secret/group2/keyD", new Dictionary <string, object>()
{
{ "prop1", "valueD" }
}).Result;
var client = new HashiCorpVaultClientWrapper(vaultAddressWithPort, token);
IConfigurationBuilder configBuilder =
new ConfigurationBuilder()
.AddHashiCorpVault(client, "secret", new[] { "keyA", "keyB", "group1/keyC" })
.AddHashiCorpVault(client, "secret/group2", new[] { "keyD" });
System.Console.WriteLine("Building configuration...");
IConfiguration config = configBuilder.Build();
System.Console.WriteLine("The following settings populated:");
foreach (var item in config.AsEnumerable())
{
System.Console.WriteLine(item);
}
}
public VaultOperator(ILogger <VaultOperator> logger,
IKeyProvider keyProvider,
VaultClientFactory vaultClientFactory,
ShepherdConfiguration configuration)
{
_logger = logger;
_keyProvider = keyProvider;
_vaultClientFactory = vaultClientFactory;
_hostname = configuration.Unsealing.Hostname;
}
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
using var vaultClient = VaultClientFactory.CreateVaultClient(Configuration);
vaultClient.Login(Configuration[Configuration["Vault:Token"]]).GetAwaiter().GetResult();
services.AddElasticSearch(Configuration, vaultClient);
services.AddTransient <IAuditLogService, AuditLogService>();
services.ConfigureSwagger();
services.AddHealthChecks();
services.AddControllers();
}
public void CanInstantiateWithMinimalParameters()
{
var address = new Uri("http://127.0.0.1:8200");
var client1 = VaultClientFactory.CreateVaultClient(address, null);
Assert.NotNull(client1);
var client2 = VaultClientFactory.CreateVaultClient(address, new TokenAuthenticationInfo("test"));
Assert.NotNull(client2);
}
private async Task TokenAuthenticationProviderTests()
{
// token auth
var secret = await _authenticatedVaultClient.CreateTokenAsync();
var tokenAuthenticationInfo = new TokenAuthenticationInfo(secret.AuthorizationInfo.ClientToken);
var tokenClient = VaultClientFactory.CreateVaultClient(_vaultUri, tokenAuthenticationInfo);
var authBackends = await tokenClient.GetAllEnabledAuthenticationBackendsAsync();
Assert.True(authBackends.Data.Any());
}
public void GoodArgsDoesNotThrow(IFixture fixture)
{
var args = fixture.Build <FileArgsBase>()
.With(f => f.VaultUri, "http://localhost/")
.Create();
var sut = new VaultClientFactory(args);
IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(args.VaultRoleId, secretId: args.VaultSecretId);
var expectedSettings = new VaultClientSettings(args.VaultUri, authMethod)
{
VaultServiceTimeout = TimeSpan.FromMinutes(5)
};
var client = sut.GetClient();
client.Settings.Should().BeEquivalentTo(expectedSettings);
}
/// <summary>
/// Creates a session with the two minimum, necessary components
/// provided as parameters.
/// </summary>
public VaultSession(string address, string token)
{
VaultAddress = address;
VaultToken = token;
_vaultAddr = new Uri(address);
_vaultBase = new Uri(_vaultAddr, "v1/");
if (!string.IsNullOrWhiteSpace(token))
{
_vaultToken = token;
_authnInfo = new TokenAuthenticationInfo(token);
}
_dataAccessManager = new HttpDataAccessManager(_vaultBase);
VaultClient = VaultClientFactory.CreateVaultClient(new Uri(address), _authnInfo);
}
/// <summary>
/// Initializes a new instance with <see cref="VaultOptions"/>
/// </summary>
/// <param name="options"></param>
public HashiCorpVaultClientWrapper(VaultOptions options)
{
_options = options;
IAuthenticationInfo authInfo;
// token present so authetnication with token
if (!string.IsNullOrWhiteSpace(_options.TokenId))
{
authInfo = new TokenAuthenticationInfo(_options.TokenId);
}
else
{
authInfo = new AppRoleAuthenticationInfo("approle", _options.RoleId, _options.SecretId);
}
_vaultClientImpl = VaultClientFactory.CreateVaultClient(new Uri(_options.Server), authInfo);
}
/// <summary>
/// Adds an <see cref="IConfigurationProvider"/> that reads configuration values from Hashicorp Vault.
/// </summary>
/// <param name="configurationBuilder">The <see cref="IConfigurationBuilder"/> to add to.</param>
/// <param name="vaultUri">The Vault uri with port.</param>
/// <param name="roleId">The AppRole role_id to use for authentication.</param>
/// <param name="secretId">The secret_id to use for authentication.</param>
/// <param name="secretLocationPaths">The paths for the secrets to load.</param>
/// <returns>The <see cref="IConfigurationBuilder"/>.</returns>
public static IConfigurationBuilder AddVault(
this IConfigurationBuilder configurationBuilder,
string vaultUri,
IAuthenticationInfo authenticationInfo,
params string[] secretLocationPaths)
{
if (string.IsNullOrWhiteSpace(vaultUri))
{
throw new ArgumentException("VaultUri must be a valid URI", nameof(vaultUri));
}
var uri = new Uri(vaultUri);
var vaultClient = VaultClientFactory.CreateVaultClient(
uri,
authenticationInfo,
continueAsyncTasksOnCapturedContext: false);
return(AddVault(configurationBuilder, vaultClient, new DefaultVaultSecretManager(), secretLocationPaths));
}
public TransitKeyProvider(ILogger <TransitKeyProvider> logger, ShepherdConfiguration configuration, VaultClientFactory vaultClientFactory)
{
_logger = logger;
_vaultClientFactory = vaultClientFactory;
var transit = configuration.Unsealing.Transit;
_address = transit.Address ?? throw new ArgumentException("Key 'Unsealing:Transit:Address' is invalid.");
_keyName = transit.KeyName ?? throw new ArgumentException("Key 'Unsealing:Transit:KeyName' is invalid.");
_mountPath = transit.MountPath ?? throw new ArgumentException("Key 'Unsealing:Transit:MountPath' is invalid.");
_wrappedKeys = transit.WrappedKeys;
_hostname = transit.Hostname;
_auth = transit.Auth;
vaultClientFactory.AssertValidConfiguration(transit.Auth);
if (!_wrappedKeys.Any())
{
throw new ArgumentException("Key 'Unsealing:Transit:WrappedKeys' is invalid.");
}
}
public void ConstructorThrowsOnInvalidInputs()
{
Assert.Throws <ArgumentNullException>(
() => VaultClientFactory.CreateVaultClient(null, new TokenAuthenticationInfo("test")));
}
private static void InitializeVault()
{
// for all the tests to run smoothly, this is the only method,
// you need to setup your initial values.
// Ensure you have an instance of Vault Server started up but not initialized.
/*
*
* backend "file" {
* path = "e:\raja\work\vault\file_backend"
* }
*
* listener "tcp" {
* address = "127.0.0.1:8200"
* tls_disable = 1
* }
*
* rd file_backend /S /Q
* vault server -config f.hcl
*
*/
var vaultUriWithPort = "http://127.0.0.1:8200";
_vaultUri = new Uri(vaultUriWithPort);
_unauthenticatedVaultClient = VaultClientFactory.CreateVaultClient(_vaultUri, null);
if (DevServer)
{
_masterCredentials = new MasterCredentials
{
MasterKeys = new[] { MasterKey },
RootToken = RootToken
};
IAuthenticationInfo devRootTokenInfo = new TokenAuthenticationInfo(_masterCredentials.RootToken);
_authenticatedVaultClient = VaultClientFactory.CreateVaultClient(_vaultUri, devRootTokenInfo);
return;
}
// BEGIN setting values
var fileName = "E:\\raja\\work\\vault0.6.1\\StartVault.cmd";
var process = Process.Start(new ProcessStartInfo(fileName));
Assert.NotNull(process);
_vaultServerProcessId = process.Id;
// END setting values
var initialized = _unauthenticatedVaultClient.GetInitializationStatusAsync().Result;
Assert.False(initialized);
var healthStatus = _unauthenticatedVaultClient.GetHealthStatusAsync().Result;
Assert.False(healthStatus.Initialized);
// try to initialize with mismatched PGP Key
var invalidPgpException =
Assert.Throws <AggregateException>(
() =>
_masterCredentials =
_unauthenticatedVaultClient.InitializeAsync(new InitializeOptions
{
SecretShares = 5,
SecretThreshold = 3,
PgpKeys = new[] { Convert.ToBase64String(Encoding.UTF8.GetBytes("pgp_key1")) }
}).Result);
Assert.NotNull(invalidPgpException.InnerException);
Assert.True(invalidPgpException.InnerException.Message.Contains("400 BadRequest"));
_masterCredentials = _unauthenticatedVaultClient.InitializeAsync(new InitializeOptions
{
SecretShares = 7,
SecretThreshold = 6
}).Result;
Assert.NotNull(_masterCredentials);
Assert.NotNull(_masterCredentials.RootToken);
Assert.NotNull(_masterCredentials.MasterKeys);
Assert.True(_masterCredentials.MasterKeys.Length == 7);
process.CloseMainWindow();
process.WaitForExit();
process = Process.Start(new ProcessStartInfo(fileName));
Assert.NotNull(process);
_vaultServerProcessId = process.Id;
// todo find valid PGP keys
//var pgpKeys = new[] { Convert.ToBase64String(Encoding.UTF8.GetBytes("pgp_key1")), Convert.ToBase64String(Encoding.UTF8.GetBytes("pgp_key2")) };
//_masterCredentials = _unauthenticatedVaultClient.InitializeAsync(2, 2, pgpKeys).Result;
//Assert.NotNull(_masterCredentials);
//Assert.NotNull(_masterCredentials.RootToken);
//Assert.NotNull(_masterCredentials.MasterKeys);
//Assert.True(_masterCredentials.MasterKeys.Length == 5);
//process.CloseMainWindow();
//process.WaitForExit();
//process = Process.Start(new ProcessStartInfo(fileName));
//Assert.NotNull(process);
//_vaultServerProcessId = process.Id;
_masterCredentials = _unauthenticatedVaultClient.InitializeAsync(new InitializeOptions
{
SecretShares = 5,
SecretThreshold = 3
}).Result;
Assert.NotNull(_masterCredentials);
Assert.NotNull(_masterCredentials.RootToken);
Assert.NotNull(_masterCredentials.MasterKeys);
Assert.True(_masterCredentials.MasterKeys.Length == 5);
healthStatus = _unauthenticatedVaultClient.GetHealthStatusAsync().Result;
Assert.True(healthStatus.Initialized);
Assert.True(healthStatus.Sealed);
// try to initialize an already initialized vault.
var aggregateException =
Assert.Throws <AggregateException>(
() => _masterCredentials = _unauthenticatedVaultClient.InitializeAsync(new InitializeOptions
{
SecretShares = 5,
SecretThreshold = 3
}).Result);
Assert.NotNull(aggregateException.InnerException);
Assert.True(aggregateException.InnerException.Message.Contains("Vault is already initialized"));
var sealStatus = _unauthenticatedVaultClient.GetSealStatusAsync().Result;
if (sealStatus.Sealed)
{
foreach (var masterKey in _masterCredentials.MasterKeys)
{
sealStatus = _unauthenticatedVaultClient.UnsealAsync(masterKey).Result;
if (!sealStatus.Sealed)
{
healthStatus = _unauthenticatedVaultClient.GetHealthStatusAsync().Result;
Assert.True(healthStatus.Initialized);
Assert.False(healthStatus.Sealed);
// we are acting as the root user here.
IAuthenticationInfo tokenAuthenticationInfo =
new TokenAuthenticationInfo(_masterCredentials.RootToken);
_authenticatedVaultClient = VaultClientFactory.CreateVaultClient(_vaultUri, tokenAuthenticationInfo);
break;
}
}
}
}
public HashiCorpVaultClientWrapper(string vaultAddressWithPort, string token)
{
IAuthenticationInfo authenticationInfo = new TokenAuthenticationInfo(token);
_vaultClientImplementation = VaultClientFactory.CreateVaultClient(new Uri(vaultAddressWithPort), authenticationInfo);
}
