/// <summary>
/// Add the Vault API client to the service collection.
/// </summary>
/// <param name="services">
/// The service collection to configure.
/// </param>
public static void AddVaultClient(this IServiceCollection services)
{
if (services == null)
{
throw new ArgumentNullException(nameof(services));
}
services.AddSingleton <IVaultClient>(serviceProvider =>
{
VaultOptions vaultOptions = serviceProvider.GetRequiredService <IOptions <VaultOptions> >().Value;
if (String.IsNullOrWhiteSpace(vaultOptions.EndPoint))
{
throw new InvalidOperationException("Application configuration is missing Vault end-point.");
}
if (String.IsNullOrWhiteSpace(vaultOptions.Token))
{
throw new InvalidOperationException("Application configuration is missing Vault access token.");
}
return(VaultClientFactory.CreateVaultClient(
new Uri(vaultOptions.EndPoint),
new TokenAuthenticationInfo(vaultOptions.Token)
));
});
}
public KeyValueService(
IVaultClient client,
VaultOptions options)
{
_client = client;
_options = options;
}
private static void VerifyOptions(VaultOptions options)
{
if (options.Kv is null)
{
if (!string.IsNullOrWhiteSpace(options.Key))
{
options.Kv = new VaultOptions.KeyValueOptions
{
Enabled = options.Enabled,
Path = options.Key
};
}
return;
}
if (options.Kv.EngineVersion is > 2 or < 0)
{
throw new VaultException($"Invalid KV engine version: {options.Kv.EngineVersion} (available: 1 or 2).");
}
if (options.Kv.EngineVersion == 0)
{
options.Kv.EngineVersion = 2;
}
}
public VaultHostedService(IVaultClient client, ILeaseService leaseService, VaultOptions options,
ILogger <VaultHostedService> logger)
{
_client = client;
_leaseService = leaseService;
_options = options;
_logger = logger;
_interval = 5;
}
public VaultHostedService(
IVaultClient client,
VaultOptions options,
ILogger <VaultHostedService> logger)
{
_client = client;
_options = options;
_logger = logger;
}
public VaultHostedService(IVaultClient client, ILeaseService leaseService, ICertificatesIssuer certificatesIssuer,
ICertificatesService certificatesService, VaultOptions options, ILogger <VaultHostedService> logger)
{
_client = client;
_leaseService = leaseService;
_certificatesIssuer = certificatesIssuer;
_certificatesService = certificatesService;
_options = options;
_logger = logger;
_interval = _options.RenewalsInterval <= 0 ? 10 : _options.RenewalsInterval;
}
public static IVaultClient CreateVaultClient(IConfiguration configuration)
{
var vaultOptions = new VaultOptions
{
BaseUrl = new Uri(configuration[configuration["Vault:Endpoint"]]),
Engine = configuration["Vault:Engine"],
Role = configuration["Vault:Role"]
};
return(new VaultClient.VaultClient(vaultOptions));
}
private VaultOptions ConfigureClient()
{
var options = new VaultOptions();
if (Uri.TryCreate(_connectionConfiguration["vault.address"], UriKind.Absolute, out var clientAddress))
{
options.Address = clientAddress.ToString();
}
options.Token = _connectionConfiguration["vault.token"];
return(options);
}
private VaultClient.VaultClient GetVaultClient()
{
var vaultOptions = new VaultOptions
{
BaseUrl = new Uri(EnvironmentVariableHelper.Get("Vault:Endpoint", Configuration)),
Engine = Configuration["Vault:Engine"],
Role = Configuration["Vault:Role"]
};
return(new VaultClient.VaultClient(vaultOptions, new NullLoggerFactory()));
}
private static async Task AddVaultAsync(this IConfigurationBuilder builder, VaultOptions options,
string keyValuePath)
{
VerifyOptions(options);
var kvPath = string.IsNullOrWhiteSpace(keyValuePath) ? options.Kv?.Path : keyValuePath;
var(client, _) = GetClientAndSettings(options);
if (!string.IsNullOrWhiteSpace(kvPath) && options.Kv.Enabled)
{
Console.WriteLine($"Loading settings from Vault: '{options.Url}', KV path: '{kvPath}'.");
var keyValueSecrets = new KeyValueSecrets(client, options);
var secret = await keyValueSecrets.GetAsync(kvPath);
var parser = new JsonParser();
var json = JsonConvert.SerializeObject(secret);
var data = parser.Parse(json);
var source = new MemoryConfigurationSource {
InitialData = data
};
builder.Add(source);
}
if (options.Pki is not null && options.Pki.Enabled)
{
Console.WriteLine("Initializing Vault PKI.");
await SetPkiSecretsAsync(client, options);
}
if (options.Lease is null || !options.Lease.Any())
{
return;
}
var configuration = new Dictionary <string, string>();
foreach (var(key, lease) in options.Lease)
{
if (!lease.Enabled || string.IsNullOrWhiteSpace(lease.Type))
{
continue;
}
Console.WriteLine($"Initializing Vault lease for: '{key}', type: '{lease.Type}'.");
await InitLeaseAsync(key, client, lease, configuration);
}
if (configuration.Any())
{
var source = new MemoryConfigurationSource {
InitialData = configuration
};
builder.Add(source);
}
}
public static VaultClient.VaultClient CreateVaultClient(IConfiguration configuration, ILoggerFactory loggerFactory = null)
{
var vaultOptions = new VaultOptions
{
BaseUrl = new Uri(configuration[configuration["Vault:Endpoint"]]),
Engine = configuration["Vault:Engine"],
Role = configuration["Vault:Role"]
};
return(new VaultClient.VaultClient(vaultOptions, loggerFactory));
}
public BatchInitTask(
BatchOptions batchOptions,
SearchOptions searchOptions,
CosmosOptions cosmosOptions,
StorageOptions storageOptions,
VaultOptions vaultOptions)
{
BatchOptions = batchOptions;
SearchOptions = searchOptions;
CosmosOptions = cosmosOptions;
StorageOptions = storageOptions;
VaultOptions = vaultOptions;
}
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddOptions();
services.AddSingleton(Configuration);
var options = new VaultOptions();
Configuration.Bind("VaultOptions", options);
services.AddSingleton(options);
services.AddMvc()
.SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
}
public CertificatesIssuer(IVaultClient client, VaultOptions options)
{
_client = client;
_options = options.Pki;
_mountPoint = string.IsNullOrWhiteSpace(_options.MountPoint)
? SecretsEngineDefaultPaths.PKI
: _options.MountPoint;
_certificateFormat = string.IsNullOrWhiteSpace(_options.CertificateFormat)
? CertificateFormat.pem
: Enum.Parse <CertificateFormat>(_options.CertificateFormat, true);
_privateKeyFormat = string.IsNullOrWhiteSpace(_options.PrivateKeyFormat)
? PrivateKeyFormat.der
: Enum.Parse <PrivateKeyFormat>(_options.PrivateKeyFormat, true);
}
public static void AddHashicorpVaultSecretsToConfiguration(
WebHostBuilderContext context,
IConfigurationBuilder configBuilder,
string vaultOptionsSectionKey,
string vaultSeederSectionKey)
{
var configuration = configBuilder.Build();
// bind vault options
var options = new VaultOptions();
configuration.Bind(vaultOptionsSectionKey, options);
// bind seeder
var seedData = new List <VaultSeeder>();
configuration.Bind(vaultSeederSectionKey, seedData);
var logger = new LoggerFactory()
.AddConsole()
.CreateLogger <VaultWriteService>();
// seed
new VaultWriteService(
logger,
options,
seedData
).SeedVault();
var vaultConfigurationBuilder = new ConfigurationBuilder();
var vaultConfiguration = vaultConfigurationBuilder.AddHashiCorpVault(configuration).Build();
var prefixedConfigValues = new Dictionary <string, string>();
foreach (var secretPath in options.Secrets)
{
var configSectionName = secretPath.Replace("/", ":");
logger.LogInformation($"Reading vault config from section '{configSectionName}'");
var jsonString = vaultConfiguration.GetValue <string>(configSectionName);
var secretValues = JsonConvert.DeserializeObject <Dictionary <string, string> >(jsonString);
foreach (var keyValue in secretValues)
{
prefixedConfigValues.Add(configSectionName + ":" + keyValue.Key, keyValue.Value);
}
}
configBuilder.AddInMemoryCollection(prefixedConfigValues);
context.Configuration = configBuilder.Build();
}
private static IConfigurationBuilder AddVault(this IConfigurationBuilder builder,
VaultOptions options, string key)
{
var client = new VaultStore(options);
var secret = string.IsNullOrWhiteSpace(key) ? client.GetDefaultAsync().Result : client.GetAsync(key).Result;
var parser = new JsonParser();
var data = parser.Parse(JObject.FromObject(secret));
var source = new MemoryConfigurationSource {
InitialData = data
};
builder.Add(source);
return(builder);
}
public async Task Login_ShouldLogin()
{
var options = new VaultOptions
{
BaseUrl = new Uri("https://vault.dev.happytravel.com/v1/"),
Role = "role",
Engine = "secrets"
};
using var client = new VaultClient(options, new NullLoggerFactory());
await client.Login("");
var secret = await client.Get("edo/connection-string");
}
public static void Configure(CommandLineApplication command)
{
command.Description = "Initializes the Azure Batch configuration";
command.SetDefaultHelp();
command.OnExecute(async() =>
{
var batch = new BatchOptions();
var search = new SearchOptions();
var cosmos = new CosmosOptions();
var storage = new StorageOptions();
var vault = new VaultOptions();
if (command.HasAllRequiredParameters(new[]
{
batch.Account,
batch.Url,
batch.Key,
batch.StorageName,
batch.StorageKey,
search.Name,
search.Key,
cosmos.Endpoint,
cosmos.RawKey,
cosmos.Database,
cosmos.DatasetsCollection,
cosmos.UserDataCollection,
storage.Account,
storage.Key,
vault.VaultUrl
}))
{
await new Admin.Batch.BatchInitTask(batch, search, cosmos, storage, vault).ExecuteAsync();
}
return(0);
});
}
/// <summary>
/// Configure all of the needed configurations
/// </summary>
private static void BuildConfiguration()
{
var builder = new ConfigurationBuilder()
.AddEnvironmentVariables()
.SetBasePath(Path.Combine(AppContext.BaseDirectory))
.AddJsonFile("appsettings.json", optional: true);
if (string.IsNullOrEmpty(Enviroment) && IsDevelopment)
{
builder.AddJsonFile("appsettings.development.json", optional: true);
}
else
{
builder.AddJsonFile($"appsettings.{Enviroment}.json", optional: false);
}
Configuration = builder.Build();
#region DEBUG: Seed the Vault before reading into Configurations
var options = new VaultOptions();
Configuration.Bind("VaultOptions", options);
var seedData = new List <VaultSeeder>();
Configuration.Bind("VaultSeeder", seedData);
var logger = new LoggerFactory()
.AddConsole()
.AddDebug()
.CreateLogger <VaultWriteService>();
new VaultWriteService(
logger,
options,
seedData
).SeedVault();
#endregion
// Add Vault Registration
Configuration = builder.AddHashiCorpVault(Configuration).Build();
}
public static void Configure(CommandLineApplication command)
{
command.Description = "Verifies secrets exist in Key Vault.";
command.SetDefaultHelp();
command.OnExecute(async() =>
{
var vault = new VaultOptions();
if (command.HasAllRequiredParameters(new[]
{
vault.VaultUrl,
}))
{
await new Admin.KeyVault.KeyVaultVerifyTask(vault).ExecuteAsync();
}
return(0);
});
}
/// <summary>
/// Dependecy injection in manner of Asp.net application
/// </summary>
/// <param name="services"></param>
private static void ConfigureServices(IServiceCollection services)
{
#region Add Configurations
// Add functionality to inject IOptions<T>
services.AddOptions();
// *If* you need access to generic IConfiguration this is **required**
services.AddSingleton <IConfiguration>(Configuration);
// bind object
var options = new VaultOptions();
Configuration.Bind("VaultOptions", options);
services.AddSingleton(options);
var seedData = new List <VaultSeeder>();
Configuration.Bind("VaultSeeder", seedData);
services.AddSingleton(seedData);
#endregion
// Add Application dependecies
services.AddTransient <IReadVault, ReadVault>();
#region Add Logging
// Add build in logging without configuration file
//services.AddSingleton(new LoggerFactory()
// .AddConsole()
// .AddDebug());
// Add build in logging with configuration file
services.AddLogging(builder =>
{
builder.AddConfiguration(Configuration.GetSection("Logging"))
.AddConsole()
.AddDebug();
});
#endregion
// Add the actual application
services.AddTransient <Application>();
}
public CustomersServiceClient(IHttpClient httpClient, HttpClientOptions options,
ICertificatesService certificatesService, VaultOptions vaultOptions, SecurityOptions securityOptions)
{
_httpClient = httpClient;
_url = options.Services["customers"];
if (!vaultOptions.Enabled || vaultOptions.Pki?.Enabled != true)
{
return;
}
var certificate = certificatesService.Get(vaultOptions.Pki.RoleName);
if (certificate is null)
{
return;
}
var header = securityOptions.Certificate.GetHeaderName();
var certificateData = certificate.GetRawCertDataString();
_httpClient.SetHeaders(h => h.Add(header, certificateData));
}
public PricingServiceClient(IHttpClient client, ICertificatesService certificatesService,
HttpClientOptions httpClientOptions, VaultOptions vaultOptions, SecurityOptions securityOptions)
{
_client = client;
_url = httpClientOptions.Services["pricing"];
if (!vaultOptions.Enabled || vaultOptions.Pki?.Enabled != true ||
securityOptions.Certificate?.Enabled != true)
{
return;
}
var certificate = certificatesService.Get(vaultOptions.Pki.RoleName);
if (certificate is null)
{
return;
}
var header = securityOptions.Certificate.GetHeaderName();
var certificateData = certificate.GetRawCertDataString();
_client.SetHeaders(h => h.Add(header, certificateData));
}
public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.ConfigureAppConfiguration((context, configBuilder) => {
configBuilder.AddEnvironmentVariables();
configBuilder.AddJsonFile("appsettings.json", optional: true);
configBuilder.AddCommandLine(args);
var configuration = configBuilder.Build();
#region DEBUG: Seed the Vault before reading into Configurations
// bind vault options
var options = new VaultOptions();
configuration.Bind("VaultOptions", options);
// bind seeder
var seedData = new List <VaultSeeder>();
configuration.Bind("VaultSeeder", seedData);
var logger = new LoggerFactory()
.AddConsole()
.AddDebug()
.CreateLogger <VaultWriteService>();
// seed
new VaultWriteService(
logger,
options,
seedData
).SeedVault();
#endregion
// retrieve encrypted values and make available to the application
configuration = configBuilder.AddHashiCorpVault(configuration).Build();
// set configuration
context.Configuration = configuration;
})
.UseStartup <Startup>();
public ValuesController(VaultOptions vaultOptions, IConfiguration configuration)
{
_options = vaultOptions;
_configuration = configuration;
}
public ReadVault(ILogger <ReadVault> logger, VaultOptions options, IConfiguration configuration)
{
_logger = logger;
_options = options;
_configuration = configuration;
}
public KeyVaultVerifyTask(
VaultOptions vaultOptions)
{
VaultOptions = vaultOptions;
}
public VaultStore(VaultOptions options)
{
_options = options;
LoadEnvironmentVariables();
}
/// <summary>
/// The <see cref="VaultWriteService"/> constructor
/// </summary>
/// <param name="logger">The <see cref="ILogger{VaultWriteService}"/> logging.</param>
/// <param name="options">The <see cref="VaultOptions"/> for the service.</param>
/// <param name="seeder">The <see cref="List{VaultSeeder}"/></param>
public VaultWriteService(ILogger <VaultWriteService> logger, VaultOptions options, List <VaultSeeder> seeder)
{
_logger = logger;
_options = options;
_seeder = seeder;
}
public KeyValueSecret(IVaultClient client, VaultOptions options)
{
_client = client ?? throw new ArgumentNullException(nameof(client));
_options = options ?? throw new ArgumentNullException(nameof(options));
}