From d988bbc48ba157cf690e159d67767613b96ec3a8 Mon Sep 17 00:00:00 2001 From: bolt-io Date: Tue, 11 Apr 2023 15:37:57 +0100 Subject: [PATCH 1/2] FEAT: Added Azure Key Vault for storing application secrets --- Extensions/KeyVaultConfigurationExtensions.cs | 28 +++++++++++++++++ KeyVault/PrefixKeyVaultSecretManager.cs | 30 +++++++++++++++++++ MyAccountPage.csproj | 6 +++- Program.cs | 5 ++-- ReadmeFiles/Deployment.md | 14 +++++++++ appsettings.json | 6 ++++ 6 files changed, 85 insertions(+), 4 deletions(-) create mode 100644 Extensions/KeyVaultConfigurationExtensions.cs create mode 100644 KeyVault/PrefixKeyVaultSecretManager.cs diff --git a/Extensions/KeyVaultConfigurationExtensions.cs b/Extensions/KeyVaultConfigurationExtensions.cs new file mode 100644 index 0000000..11df74e --- /dev/null +++ b/Extensions/KeyVaultConfigurationExtensions.cs @@ -0,0 +1,28 @@ +using Azure.Extensions.AspNetCore.Configuration.Secrets; +using Azure.Identity; + +namespace MyAccountPage +{ + public static class KeyVaultConfigurationExtensions + { + + public static IConfigurationBuilder ConfigureAzureKeyVault(this WebApplicationBuilder builder) + { + var kvName = builder.Configuration["KeyVault:Name"]; + if (kvName is null) + return builder.Configuration; + + var kvPrefix = builder.Configuration["KeyVault:SecretsPrefix"]; + var kvReloadIntervalInMinutes = builder.Configuration.GetValue("KeyVault:ReloadIntervalInMinutes", default); + + TimeSpan? kvReloadInterval = kvReloadIntervalInMinutes == default ? null : new TimeSpan(hours: 0, minutes: kvReloadIntervalInMinutes, seconds: 0); + + var kvOptions = new AzureKeyVaultConfigurationOptions() { ReloadInterval = kvReloadInterval, Manager = new KeyVault.PrefixKeyVaultSecretManager(kvPrefix) }; + + return builder.Configuration.AddAzureKeyVault( + vaultUri: new Uri($"https://{kvName}.vault.azure.net/"), + credential: new ChainedTokenCredential(new DefaultAzureCredential() + ), kvOptions); + } + } +} diff --git a/KeyVault/PrefixKeyVaultSecretManager.cs b/KeyVault/PrefixKeyVaultSecretManager.cs new file mode 100644 index 0000000..bdcb225 --- /dev/null +++ b/KeyVault/PrefixKeyVaultSecretManager.cs @@ -0,0 +1,30 @@ +using Azure.Extensions.AspNetCore.Configuration.Secrets; +using Azure.Security.KeyVault.Secrets; +using Microsoft.IdentityModel.Tokens; + +namespace KeyVault +{ + public class PrefixKeyVaultSecretManager : KeyVaultSecretManager + { + private readonly string _prefix; + + + public PrefixKeyVaultSecretManager(string? prefix) + { + prefix ??= string.Empty; + _prefix = prefix.IsNullOrEmpty() || prefix.EndsWith("--") ? prefix : $"{prefix}--"; + } + + public override bool Load(SecretProperties secret) + { + return secret.Name.StartsWith(_prefix, StringComparison.OrdinalIgnoreCase); + } + + public override string GetKey(KeyVaultSecret secret) + { + return secret.Name + .Substring(_prefix.Length) + .Replace("--", ConfigurationPath.KeyDelimiter); + } + } +} diff --git a/MyAccountPage.csproj b/MyAccountPage.csproj index 53c846e..03595f6 100644 --- a/MyAccountPage.csproj +++ b/MyAccountPage.csproj @@ -1,4 +1,4 @@ - + net6.0 @@ -7,11 +7,15 @@ + + + + diff --git a/Program.cs b/Program.cs index 4b265b5..69501ce 100644 --- a/Program.cs +++ b/Program.cs @@ -2,14 +2,13 @@ using Microsoft.AspNetCore.HttpOverrides; using Microsoft.Identity.Web; using Microsoft.Identity.Web.UI; -using Microsoft.Extensions.DependencyInjection; using Microsoft.AspNetCore.Authentication.Cookies; using MyAccountPage; -using Microsoft.AspNetCore.Authentication; -using Microsoft.Extensions.Options; var builder = WebApplication.CreateBuilder(args); +builder.ConfigureAzureKeyVault(); + var initialScopes = builder.Configuration["MicrosoftGraph:Scopes"]?.Split(' '); // Add services to the container. diff --git a/ReadmeFiles/Deployment.md b/ReadmeFiles/Deployment.md index 119caf1..b11db01 100644 --- a/ReadmeFiles/Deployment.md +++ b/ReadmeFiles/Deployment.md @@ -196,6 +196,20 @@ And the last bit is your configuration for your Verified Employee credential and "Authority": "YOUR VC SERVICE AUTHORITY/DID" }, ``` + +If you want to add Azure Key Vault for storing secrets, add the following configuration section. +``` +"KeyVault": { + "Name": "YOUR KEYVAULT NAME", + "SecretsPrefix": "", + "ReloadIntervalInMinutes": 15 +}, +``` +The Name is the name of your key vault (not the full url). +The secrets prefix is optional and can be used if you store multiple applications in the same key vault. +The reload interval is the interval in minutes the application will reload the secrets from the key vault. This is useful if you want to change the configuration without restarting the application. + + If you want to configure the app through web app configuration navigates to your created web app and select configuration on the left-hand side. ![Web Application Configuration](Images/WebApplicationConfiguration.png) diff --git a/appsettings.json b/appsettings.json index 813e5b3..694939f 100644 --- a/appsettings.json +++ b/appsettings.json @@ -50,6 +50,12 @@ "Scopes": "user.read" }, + "KeyVault": { + //"Name": "YOUR KEYVAULT NAME", + //"SecretsPrefix": "", + //"ReloadIntervalInMinutes": 15 + }, + "Logging": { "LogLevel": { "Default": "Information", From d1319996710946bf69c350de3dfcb2614a87e277 Mon Sep 17 00:00:00 2001 From: bolt-io Date: Fri, 14 Apr 2023 11:15:13 +0100 Subject: [PATCH 2/2] Checking keyvault name against IsNullOrWhiteSpace --- Extensions/KeyVaultConfigurationExtensions.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Extensions/KeyVaultConfigurationExtensions.cs b/Extensions/KeyVaultConfigurationExtensions.cs index 11df74e..9b3f7aa 100644 --- a/Extensions/KeyVaultConfigurationExtensions.cs +++ b/Extensions/KeyVaultConfigurationExtensions.cs @@ -9,7 +9,7 @@ public static class KeyVaultConfigurationExtensions public static IConfigurationBuilder ConfigureAzureKeyVault(this WebApplicationBuilder builder) { var kvName = builder.Configuration["KeyVault:Name"]; - if (kvName is null) + if (string.IsNullOrWhiteSpace(kvName)) return builder.Configuration; var kvPrefix = builder.Configuration["KeyVault:SecretsPrefix"];