/// <summary> /// Add the Vault API client to the service collection. /// </summary> /// <param name="services"> /// The service collection to configure. /// </param> public static void AddVaultClient(this IServiceCollection services) { if (services == null) { throw new ArgumentNullException(nameof(services)); } services.AddSingleton <IVaultClient>(serviceProvider => { VaultOptions vaultOptions = serviceProvider.GetRequiredService <IOptions <VaultOptions> >().Value; if (String.IsNullOrWhiteSpace(vaultOptions.EndPoint)) { throw new InvalidOperationException("Application configuration is missing Vault end-point."); } if (String.IsNullOrWhiteSpace(vaultOptions.Token)) { throw new InvalidOperationException("Application configuration is missing Vault access token."); } return(VaultClientFactory.CreateVaultClient( new Uri(vaultOptions.EndPoint), new TokenAuthenticationInfo(vaultOptions.Token) )); }); }
public static IConfigurationBuilder AddVault(this IConfigurationBuilder builder) { var buildConfig = builder.Build(); if (buildConfig.GetSection("settings:useVault").Get <bool>()) { try { IVaultClient vaultClient = VaultClientFactory.CreateVaultClient( new Uri(buildConfig["vault:address"]), new AppRoleAuthenticationInfo( buildConfig["vault:roleid"], buildConfig["vault:secretid"] ) ); var vaultSecrets = vaultClient .ReadSecretAsync(buildConfig["vault:path"]) .Result.Data.Select(x => new KeyValuePair <string, string>($"vault:{x.Key}", x.Value.ToString())); return(builder.AddInMemoryCollection(vaultSecrets)); } catch (Exception ex) { throw new Exception("Vault configuration failed: " + ex.Message); } } else { return(builder); } }
private async Task GithubAuthenticationProviderTests() { // github auth var personalAccessToken = "2ba5fecdddbf09b2b6facc495bdae12f3067d9d4"; var path = "github" + Guid.NewGuid(); var prefix = "auth/" + path; var organization = "testingalib"; var team = "testalibteam1"; var githubAuthenticationInfo = new GitHubAuthenticationInfo(path, personalAccessToken); var githubClient = VaultClientFactory.CreateVaultClient(_vaultUri, githubAuthenticationInfo); var githubAuthBackend = new AuthenticationBackend { BackendType = AuthenticationBackendType.GitHub, AuthenticationPath = githubAuthenticationInfo.MountPoint }; await _authenticatedVaultClient.EnableAuthenticationBackendAsync(githubAuthBackend); await _authenticatedVaultClient.WriteSecretAsync(prefix + "/config", new Dictionary <string, object> { { "organization", organization } }); await _authenticatedVaultClient.WriteSecretAsync(prefix + "/map/teams/" + team, new Dictionary <string, object> { { "value", "root" } }); var authBackends = await githubClient.GetAllEnabledAuthenticationBackendsAsync(); Assert.True(authBackends.Data.Any()); await _authenticatedVaultClient.DisableAuthenticationBackendAsync(githubAuthBackend.AuthenticationPath); }
private async Task UsernamePasswordAuthenticationProviderTests() { // userpass auth var path = "userpass" + Guid.NewGuid(); var prefix = "auth/" + path; var username = "******"; var password = "******"; var authenticationInfo = new UsernamePasswordAuthenticationInfo(path, username, password); var userPassClient = VaultClientFactory.CreateVaultClient(_vaultUri, authenticationInfo); var authBackend = new AuthenticationBackend { BackendType = AuthenticationBackendType.UsernamePassword, AuthenticationPath = authenticationInfo.MountPoint }; await _authenticatedVaultClient.EnableAuthenticationBackendAsync(authBackend); await _authenticatedVaultClient.WriteSecretAsync(prefix + "/users/" + username, new Dictionary <string, object> { { "password", password }, { "policies", "root" } }); var authBackends = await userPassClient.GetAllEnabledAuthenticationBackendsAsync(); Assert.True(authBackends.Data.Any()); await _authenticatedVaultClient.DisableAuthenticationBackendAsync(authBackend.AuthenticationPath); }
/// <inheritdoc/> public void SeedVault() { _logger.LogInformation("Starting seeding HashiCopr Vault"); _logger.LogInformation("Creating Vault client"); _logger.LogInformation($"Vault Address: {_options.Server}"); IAuthenticationInfo tokenAuthenticationInfo; if (!string.IsNullOrWhiteSpace(_options.TokenId)) { _logger.LogInformation($"Auth Token: {_options.TokenId}"); tokenAuthenticationInfo = new TokenAuthenticationInfo(_options.TokenId); } else { _logger.LogInformation($"AppRole RoleId: {_options.RoleId}"); _logger.LogInformation($"AppRole SecretId: {_options.SecretId}"); tokenAuthenticationInfo = new AppRoleAuthenticationInfo("approle", _options.RoleId, _options.SecretId); } _logger.LogInformation($"Create Vault Client: {_options.Server}"); var vaultClient = VaultClientFactory.CreateVaultClient(new Uri(_options.Server), tokenAuthenticationInfo); foreach (var item in _seeder) { _logger.LogDebug($"key:{item.key} -- property name: {item.values[0]} -- property value: {item.values[1]}"); var result = vaultClient.WriteSecretAsync(item.key, new Dictionary <string, object>() { { item.values[0], item.values[1] } }).Result; _logger.LogDebug($"Result from Vault Server: {result?.ToString()}"); } }
public VaultClient(string vaultAddr, string vaultToken, string keyName) { Uri vaultUri = new Uri(vaultAddr); IAuthenticationInfo tokenAuthenticationInfo = new TokenAuthenticationInfo(vaultToken); client = VaultClientFactory.CreateVaultClient(vaultUri, tokenAuthenticationInfo); transitKeyName = keyName; }
static void Main(string[] args) { //start Vault Server in dev mode // ./vault server -dev string vaultAddressWithPort = "http://127.0.0.1:8200"; string token = "75a244db-9164-4130-db60-50c7081f50ba"; System.Console.WriteLine("Creating Vault client"); System.Console.WriteLine($"Vault Address: {vaultAddressWithPort}"); System.Console.WriteLine($"Auth Token: {token}"); IAuthenticationInfo tokenAuthenticationInfo = new TokenAuthenticationInfo(token); var vaultClient = VaultClientFactory.CreateVaultClient(new Uri(vaultAddressWithPort), tokenAuthenticationInfo); System.Console.WriteLine("Writing data to Vault..."); var resulA = vaultClient.WriteSecretAsync("secret/keyA", new Dictionary <string, object>() { { "prop1", "valueA" } }).Result; var resultB = vaultClient.WriteSecretAsync("secret/keyB", new Dictionary <string, object>() { { "prop1", "valueB" } }).Result; var resultC = vaultClient.WriteSecretAsync("secret/group1/keyC", new Dictionary <string, object>() { { "prop1", "valueC" } }).Result; var resultD = vaultClient.WriteSecretAsync("secret/group2/keyD", new Dictionary <string, object>() { { "prop1", "valueD" } }).Result; var client = new HashiCorpVaultClientWrapper(vaultAddressWithPort, token); IConfigurationBuilder configBuilder = new ConfigurationBuilder() .AddHashiCorpVault(client, "secret", new[] { "keyA", "keyB", "group1/keyC" }) .AddHashiCorpVault(client, "secret/group2", new[] { "keyD" }); System.Console.WriteLine("Building configuration..."); IConfiguration config = configBuilder.Build(); System.Console.WriteLine("The following settings populated:"); foreach (var item in config.AsEnumerable()) { System.Console.WriteLine(item); } }
public VaultOperator(ILogger <VaultOperator> logger, IKeyProvider keyProvider, VaultClientFactory vaultClientFactory, ShepherdConfiguration configuration) { _logger = logger; _keyProvider = keyProvider; _vaultClientFactory = vaultClientFactory; _hostname = configuration.Unsealing.Hostname; }
// This method gets called by the runtime. Use this method to add services to the container. public void ConfigureServices(IServiceCollection services) { using var vaultClient = VaultClientFactory.CreateVaultClient(Configuration); vaultClient.Login(Configuration[Configuration["Vault:Token"]]).GetAwaiter().GetResult(); services.AddElasticSearch(Configuration, vaultClient); services.AddTransient <IAuditLogService, AuditLogService>(); services.ConfigureSwagger(); services.AddHealthChecks(); services.AddControllers(); }
public void CanInstantiateWithMinimalParameters() { var address = new Uri("http://127.0.0.1:8200"); var client1 = VaultClientFactory.CreateVaultClient(address, null); Assert.NotNull(client1); var client2 = VaultClientFactory.CreateVaultClient(address, new TokenAuthenticationInfo("test")); Assert.NotNull(client2); }
private async Task TokenAuthenticationProviderTests() { // token auth var secret = await _authenticatedVaultClient.CreateTokenAsync(); var tokenAuthenticationInfo = new TokenAuthenticationInfo(secret.AuthorizationInfo.ClientToken); var tokenClient = VaultClientFactory.CreateVaultClient(_vaultUri, tokenAuthenticationInfo); var authBackends = await tokenClient.GetAllEnabledAuthenticationBackendsAsync(); Assert.True(authBackends.Data.Any()); }
public void GoodArgsDoesNotThrow(IFixture fixture) { var args = fixture.Build <FileArgsBase>() .With(f => f.VaultUri, "http://localhost/") .Create(); var sut = new VaultClientFactory(args); IAuthMethodInfo authMethod = new AppRoleAuthMethodInfo(args.VaultRoleId, secretId: args.VaultSecretId); var expectedSettings = new VaultClientSettings(args.VaultUri, authMethod) { VaultServiceTimeout = TimeSpan.FromMinutes(5) }; var client = sut.GetClient(); client.Settings.Should().BeEquivalentTo(expectedSettings); }
/// <summary> /// Creates a session with the two minimum, necessary components /// provided as parameters. /// </summary> public VaultSession(string address, string token) { VaultAddress = address; VaultToken = token; _vaultAddr = new Uri(address); _vaultBase = new Uri(_vaultAddr, "v1/"); if (!string.IsNullOrWhiteSpace(token)) { _vaultToken = token; _authnInfo = new TokenAuthenticationInfo(token); } _dataAccessManager = new HttpDataAccessManager(_vaultBase); VaultClient = VaultClientFactory.CreateVaultClient(new Uri(address), _authnInfo); }
/// <summary> /// Initializes a new instance with <see cref="VaultOptions"/> /// </summary> /// <param name="options"></param> public HashiCorpVaultClientWrapper(VaultOptions options) { _options = options; IAuthenticationInfo authInfo; // token present so authetnication with token if (!string.IsNullOrWhiteSpace(_options.TokenId)) { authInfo = new TokenAuthenticationInfo(_options.TokenId); } else { authInfo = new AppRoleAuthenticationInfo("approle", _options.RoleId, _options.SecretId); } _vaultClientImpl = VaultClientFactory.CreateVaultClient(new Uri(_options.Server), authInfo); }
/// <summary> /// Adds an <see cref="IConfigurationProvider"/> that reads configuration values from Hashicorp Vault. /// </summary> /// <param name="configurationBuilder">The <see cref="IConfigurationBuilder"/> to add to.</param> /// <param name="vaultUri">The Vault uri with port.</param> /// <param name="roleId">The AppRole role_id to use for authentication.</param> /// <param name="secretId">The secret_id to use for authentication.</param> /// <param name="secretLocationPaths">The paths for the secrets to load.</param> /// <returns>The <see cref="IConfigurationBuilder"/>.</returns> public static IConfigurationBuilder AddVault( this IConfigurationBuilder configurationBuilder, string vaultUri, IAuthenticationInfo authenticationInfo, params string[] secretLocationPaths) { if (string.IsNullOrWhiteSpace(vaultUri)) { throw new ArgumentException("VaultUri must be a valid URI", nameof(vaultUri)); } var uri = new Uri(vaultUri); var vaultClient = VaultClientFactory.CreateVaultClient( uri, authenticationInfo, continueAsyncTasksOnCapturedContext: false); return(AddVault(configurationBuilder, vaultClient, new DefaultVaultSecretManager(), secretLocationPaths)); }
public TransitKeyProvider(ILogger <TransitKeyProvider> logger, ShepherdConfiguration configuration, VaultClientFactory vaultClientFactory) { _logger = logger; _vaultClientFactory = vaultClientFactory; var transit = configuration.Unsealing.Transit; _address = transit.Address ?? throw new ArgumentException("Key 'Unsealing:Transit:Address' is invalid."); _keyName = transit.KeyName ?? throw new ArgumentException("Key 'Unsealing:Transit:KeyName' is invalid."); _mountPath = transit.MountPath ?? throw new ArgumentException("Key 'Unsealing:Transit:MountPath' is invalid."); _wrappedKeys = transit.WrappedKeys; _hostname = transit.Hostname; _auth = transit.Auth; vaultClientFactory.AssertValidConfiguration(transit.Auth); if (!_wrappedKeys.Any()) { throw new ArgumentException("Key 'Unsealing:Transit:WrappedKeys' is invalid."); } }
public void ConstructorThrowsOnInvalidInputs() { Assert.Throws <ArgumentNullException>( () => VaultClientFactory.CreateVaultClient(null, new TokenAuthenticationInfo("test"))); }
private static void InitializeVault() { // for all the tests to run smoothly, this is the only method, // you need to setup your initial values. // Ensure you have an instance of Vault Server started up but not initialized. /* * * backend "file" { * path = "e:\raja\work\vault\file_backend" * } * * listener "tcp" { * address = "127.0.0.1:8200" * tls_disable = 1 * } * * rd file_backend /S /Q * vault server -config f.hcl * */ var vaultUriWithPort = "http://127.0.0.1:8200"; _vaultUri = new Uri(vaultUriWithPort); _unauthenticatedVaultClient = VaultClientFactory.CreateVaultClient(_vaultUri, null); if (DevServer) { _masterCredentials = new MasterCredentials { MasterKeys = new[] { MasterKey }, RootToken = RootToken }; IAuthenticationInfo devRootTokenInfo = new TokenAuthenticationInfo(_masterCredentials.RootToken); _authenticatedVaultClient = VaultClientFactory.CreateVaultClient(_vaultUri, devRootTokenInfo); return; } // BEGIN setting values var fileName = "E:\\raja\\work\\vault0.6.1\\StartVault.cmd"; var process = Process.Start(new ProcessStartInfo(fileName)); Assert.NotNull(process); _vaultServerProcessId = process.Id; // END setting values var initialized = _unauthenticatedVaultClient.GetInitializationStatusAsync().Result; Assert.False(initialized); var healthStatus = _unauthenticatedVaultClient.GetHealthStatusAsync().Result; Assert.False(healthStatus.Initialized); // try to initialize with mismatched PGP Key var invalidPgpException = Assert.Throws <AggregateException>( () => _masterCredentials = _unauthenticatedVaultClient.InitializeAsync(new InitializeOptions { SecretShares = 5, SecretThreshold = 3, PgpKeys = new[] { Convert.ToBase64String(Encoding.UTF8.GetBytes("pgp_key1")) } }).Result); Assert.NotNull(invalidPgpException.InnerException); Assert.True(invalidPgpException.InnerException.Message.Contains("400 BadRequest")); _masterCredentials = _unauthenticatedVaultClient.InitializeAsync(new InitializeOptions { SecretShares = 7, SecretThreshold = 6 }).Result; Assert.NotNull(_masterCredentials); Assert.NotNull(_masterCredentials.RootToken); Assert.NotNull(_masterCredentials.MasterKeys); Assert.True(_masterCredentials.MasterKeys.Length == 7); process.CloseMainWindow(); process.WaitForExit(); process = Process.Start(new ProcessStartInfo(fileName)); Assert.NotNull(process); _vaultServerProcessId = process.Id; // todo find valid PGP keys //var pgpKeys = new[] { Convert.ToBase64String(Encoding.UTF8.GetBytes("pgp_key1")), Convert.ToBase64String(Encoding.UTF8.GetBytes("pgp_key2")) }; //_masterCredentials = _unauthenticatedVaultClient.InitializeAsync(2, 2, pgpKeys).Result; //Assert.NotNull(_masterCredentials); //Assert.NotNull(_masterCredentials.RootToken); //Assert.NotNull(_masterCredentials.MasterKeys); //Assert.True(_masterCredentials.MasterKeys.Length == 5); //process.CloseMainWindow(); //process.WaitForExit(); //process = Process.Start(new ProcessStartInfo(fileName)); //Assert.NotNull(process); //_vaultServerProcessId = process.Id; _masterCredentials = _unauthenticatedVaultClient.InitializeAsync(new InitializeOptions { SecretShares = 5, SecretThreshold = 3 }).Result; Assert.NotNull(_masterCredentials); Assert.NotNull(_masterCredentials.RootToken); Assert.NotNull(_masterCredentials.MasterKeys); Assert.True(_masterCredentials.MasterKeys.Length == 5); healthStatus = _unauthenticatedVaultClient.GetHealthStatusAsync().Result; Assert.True(healthStatus.Initialized); Assert.True(healthStatus.Sealed); // try to initialize an already initialized vault. var aggregateException = Assert.Throws <AggregateException>( () => _masterCredentials = _unauthenticatedVaultClient.InitializeAsync(new InitializeOptions { SecretShares = 5, SecretThreshold = 3 }).Result); Assert.NotNull(aggregateException.InnerException); Assert.True(aggregateException.InnerException.Message.Contains("Vault is already initialized")); var sealStatus = _unauthenticatedVaultClient.GetSealStatusAsync().Result; if (sealStatus.Sealed) { foreach (var masterKey in _masterCredentials.MasterKeys) { sealStatus = _unauthenticatedVaultClient.UnsealAsync(masterKey).Result; if (!sealStatus.Sealed) { healthStatus = _unauthenticatedVaultClient.GetHealthStatusAsync().Result; Assert.True(healthStatus.Initialized); Assert.False(healthStatus.Sealed); // we are acting as the root user here. IAuthenticationInfo tokenAuthenticationInfo = new TokenAuthenticationInfo(_masterCredentials.RootToken); _authenticatedVaultClient = VaultClientFactory.CreateVaultClient(_vaultUri, tokenAuthenticationInfo); break; } } } }
public HashiCorpVaultClientWrapper(string vaultAddressWithPort, string token) { IAuthenticationInfo authenticationInfo = new TokenAuthenticationInfo(token); _vaultClientImplementation = VaultClientFactory.CreateVaultClient(new Uri(vaultAddressWithPort), authenticationInfo); }