示例#1
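        /// <summary>
        /// Returns all the properties of a given secretID for a given role.  Returns null if the secretID could not be found.
        /// </summary>
        /// <remarks>
        /// The secretID is sent in the request body of the lookup call, not in the URL path.  Vault answers the
        /// lookup of an unknown secretID with a 204 rather than an error (possibly a Vault bug), so the HTTP status
        /// code is checked for 200 instead of relying on the generic success flag of the response.
        /// </remarks>
        /// <param name="roleName">The name of the role that the secretID belongs to.  Must not be null or empty.</param>
        /// <param name="secretID">The specific secretID to retrieve information on.</param>
        /// <returns>The properties of the secretID, or null when Vault did not answer with HTTP 200 (secretID not found).</returns>
        /// <exception cref="ArgumentException">Thrown when <paramref name="roleName"/> is null or empty.</exception>
        /// <exception cref="VaultInvalidPathException">Re-thrown with <c>SpecificErrorCode</c> set to <c>ObjectDoesNotExist</c> when Vault reports the path as invalid.</exception>
        public async Task <AppRoleSecret> ReadSecretID(string roleName, string secretID)
        {
            if (string.IsNullOrEmpty(roleName))
            {
                throw new ArgumentException("A role name is required.", nameof(roleName));
            }

            // The role name becomes a segment of the Vault URL.  Escape it so a caller-supplied name containing
            // '/', '?', '#' or ".." cannot redirect the request to a different endpoint.
            string path = MountPointPath + "role/" + System.Uri.EscapeDataString(roleName) + "/secret-id/lookup";

            // The secret ID itself travels in the POST body only.
            Dictionary <string, object> contentParams = new Dictionary <string, object>()
            {
                { "secret_id", secretID }
            };

            try
            {
                VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "ReadSecretID", contentParams);

                // Note: We cannot test for HTTP Success as Vault returns a 204 if secretID is not found - might be a bug - filed a post on Forum.
                // TODO - Follow up to see if this is a bug or feature.
                if (vdro.HttpStatusCode != 200)
                {
                    return null;
                }

                AppRoleSecret secret = await vdro.GetDotNetObject <AppRoleSecret>();

                // Vault does NOT return the ID of the secret in the data, so fill it in from the request.
                // TODO - Do we want to blank it out or continue filling it in....?
                secret.ID = secretID;
                return secret;
            }
            catch (VaultInvalidPathException e)
            {
                e.SpecificErrorCode = EnumVaultExceptionCodes.ObjectDoesNotExist;
                // "throw;" keeps the original stack trace; "throw e;" would reset it.
                throw;
            }
        }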
示例#2
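        /// <summary>
        /// Generates a secret ID for a given Application Role.
        /// TODO - At this time this method does not support the cidr_list or token_bound_cidrs properties that restrict the IP addresses that can use a given token.
        /// </summary>
        /// <param name="appRoleName">The name of the Application Role that you wish to generate a Secret ID For.  Must not be null or empty.</param>
        /// <param name="returnFullSecret">Vault only returns an abbreviated secret object.  If you wish to have a fully populated one then set to true.  Default False.
        /// Note, that this in no way affects the secret itself.  By setting to true, we make an additional call to Vault to re-read the full secret object.  If you do not
        /// need the full secret information then leaving at false is faster.</param>
        /// <param name="vaultMetadata">A Vault MetaData object that should be attached to the given secret.  It is serialized to a JSON string and
        /// sent as the "metadata" parameter; when null no metadata parameter is sent.</param>
        /// <returns>AppRoleSecret object, or null if the Vault call did not succeed.  Whether this is fully populated or contains just the ID and accessor depends upon the returnFullSecret parameter.</returns>
        /// <exception cref="ArgumentException">Thrown when <paramref name="appRoleName"/> is null or empty.</exception>
        /// <exception cref="VaultInvalidPathException">Re-thrown when Vault reports the path as invalid; <c>SpecificErrorCode</c> is set to
        /// <c>ObjectDoesNotExist</c> when the error message indicates that the role does not exist.</exception>
        public async Task <AppRoleSecret> GenerateSecretID(string appRoleName, bool returnFullSecret = false, Dictionary <string, string> vaultMetadata = null)
        {
            if (string.IsNullOrEmpty(appRoleName))
            {
                throw new ArgumentException("An application role name is required.", nameof(appRoleName));
            }

            // The role name becomes a segment of the Vault URL.  Escape it so a caller-supplied name containing
            // '/', '?', '#' or ".." cannot redirect the request to a different endpoint.
            string path = MountPointPath + "role/" + System.Uri.EscapeDataString(appRoleName) + "/secret-id";

            Dictionary <string, object> contentParams = new Dictionary <string, object>();

            if (vaultMetadata != null)
            {
                // The metadata is sent as a JSON-encoded string, not as a nested object.
                contentParams.Add("metadata", JsonConvert.SerializeObject(vaultMetadata));
            }

            // TODO - cidr_list / token_bound_cidrs are not supported yet (see summary).

            try
            {
                VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "GenerateSecretID", contentParams);

                if (!vdro.Success)
                {
                    return null;
                }

                AppRoleSecret appRoleSecret = await vdro.GetDotNetObject <AppRoleSecret> ("data");

                // Vault returns only the ID and accessor here; a second round trip is needed for the full object.
                if (returnFullSecret)
                {
                    return await ReadSecretID(appRoleName, appRoleSecret.ID);
                }

                return appRoleSecret;
            }
            catch (VaultInvalidPathException e)
            {
                if (e.Message.Contains("role") && e.Message.Contains("does not exist"))
                {
                    e.SpecificErrorCode = EnumVaultExceptionCodes.ObjectDoesNotExist;
                }

                // "throw;" keeps the original stack trace; "throw e;" would reset it.
                throw;
            }
        }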