Feature - add Azure Key Vault secret store overloads w/o Managed Identity clientId (#236)

stijnmoreels · web-flow · commit a0e0acd6c975 · 2021-01-22T06:53:23.000+01:00
* Feature - add Azure Key Vault secret store overloads w/o Managed Identity clientId

* pr-style: remove unnecessary blank line
diff --git a/src/Arcus.Security.Providers.AzureKeyVault/Extensions/SecretStoreBuilderExtensions.cs b/src/Arcus.Security.Providers.AzureKeyVault/Extensions/SecretStoreBuilderExtensions.cs
@@ -372,6 +372,27 @@ public static SecretStoreBuilder AddAzureKeyVaultWithManagedServiceIdentityWithO
                 configureOptions);
         }
 
+        /// <summary>
+        /// Adds Azure Key Vault as a secret source which uses Managed Identity authentication.
+        /// </summary>
+        /// <param name="builder">The builder to create the secret store.</param>
+        /// <param name="rawVaultUri">The Uri of the Azure Key Vault you want to connect to.</param>
+        ///     The optional client id to authenticate for a user assigned managed identity.
+        ///     More information on user assigned managed identities can be found here: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview#how-a-user-assigned-managed-identity-works-with-an-azure-vm</param>
+        /// <param name="allowCaching">The flag to indicate whether to include caching during secret retrieval in Azure key vault.</param>
+        /// <exception cref="ArgumentNullException">Thrown when the <paramref name="builder"/> is <c>null</c>.</exception>
+        /// <exception cref="ArgumentException">Thrown when the <paramref name="rawVaultUri"/> is blank.</exception>
+        public static SecretStoreBuilder AddAzureKeyVaultWithManagedIdentity(
+            this SecretStoreBuilder builder,
+            string rawVaultUri,
+            bool allowCaching = false)
+        {
+            Guard.NotNull(builder, nameof(builder), "Requires a secret store builder to add the Azure Key Vault secret provider");
+            Guard.NotNullOrWhitespace(rawVaultUri, nameof(rawVaultUri), "Requires a non-blank URI of the Azure Key Vault instance to add the secret provider to the secret store");
+
+            return AddAzureKeyVaultWithManagedIdentity(builder, rawVaultUri, clientId: null, allowCaching: allowCaching);
+        }
+        
         /// <summary>
         /// Adds Azure Key Vault as a secret source which uses Managed Identity authentication.
         /// </summary>
@@ -402,6 +423,38 @@ public static SecretStoreBuilder AddAzureKeyVaultWithManagedIdentity(
                 allowCaching: allowCaching);
         }
 
+        /// <summary>
+        /// Adds Azure Key Vault as a secret source which uses Managed Identity authentication.
+        /// </summary>
+        /// <param name="builder">The builder to create the secret store.</param>
+        /// <param name="rawVaultUri">The Uri of the Azure Key Vault you want to connect to.</param>
+        /// <param name="allowCaching">The flag to indicate whether to include caching during secret retrieval in Azure key vault.</param>
+        /// <param name="configureOptions">The optional additional options to configure the Azure Key Vault secret source.</param>
+        /// <param name="name">The unique name to register this Azure Key Vault provider in the secret store.</param>
+        /// <param name="mutateSecretName">The optional function to mutate the secret name before looking it up.</param>
+        /// <exception cref="ArgumentNullException">Thrown when the <paramref name="builder"/> is <c>null</c>.</exception>
+        /// <exception cref="ArgumentException">Thrown when the <paramref name="rawVaultUri"/> is blank.</exception>
+        public static SecretStoreBuilder AddAzureKeyVaultWithManagedIdentity(
+            this SecretStoreBuilder builder,
+            string rawVaultUri,
+            Action<KeyVaultOptions> configureOptions,
+            string name,
+            Func<string, string> mutateSecretName,
+            bool allowCaching = false)
+        {
+            Guard.NotNull(builder, nameof(builder), "Requires a secret store builder to add the Azure Key Vault secret provider");
+            Guard.NotNullOrWhitespace(rawVaultUri, nameof(rawVaultUri), "Requires a non-blank URI of the Azure Key Vault instance to add the secret provider to the secret store");
+
+            return AddAzureKeyVaultWithManagedIdentity(
+                builder,
+                rawVaultUri,
+                clientId: null,
+                configureOptions: configureOptions,
+                name: name,
+                mutateSecretName: mutateSecretName,
+                allowCaching: allowCaching);
+        }
+
         /// <summary>
         /// Adds Azure Key Vault as a secret source which uses Managed Identity authentication.
         /// </summary>
@@ -500,6 +553,29 @@ public static SecretStoreBuilder AddAzureKeyVaultWithManagedServiceIdentityWithO
                 configureOptions);
         }
 
+        /// <summary>
+        /// Adds Azure Key Vault as a secret source which uses Managed Identity authentication.
+        /// </summary>
+        /// <param name="builder">The builder to create the secret store.</param>
+        /// <param name="rawVaultUri">The Uri of the Azure Key Vault you want to connect to.</param>
+        /// <param name="cacheConfiguration">The configuration to control how the caching will be done.</param>
+        /// <exception cref="ArgumentNullException">Thrown when the <paramref name="builder"/> is <c>null</c>.</exception>
+        /// <exception cref="ArgumentException">Thrown when the <paramref name="rawVaultUri"/> is blank.</exception>
+        public static SecretStoreBuilder AddAzureKeyVaultWithManagedIdentity(
+            this SecretStoreBuilder builder,
+            string rawVaultUri,
+            ICacheConfiguration cacheConfiguration)
+        {
+            Guard.NotNull(builder, nameof(builder), "Requires a secret store builder to add the Azure Key Vault secret provider");
+            Guard.NotNullOrWhitespace(rawVaultUri, nameof(rawVaultUri), "Requires a non-blank URI of the Azure Key Vault instance to add the secret provider to the secret store");
+
+            return AddAzureKeyVaultWithManagedIdentity(
+                builder,
+                rawVaultUri,
+                cacheConfiguration,
+                clientId: null);
+        }
+        
         /// <summary>
         /// Adds Azure Key Vault as a secret source which uses Managed Identity authentication.
         /// </summary>
@@ -529,6 +605,38 @@ public static SecretStoreBuilder AddAzureKeyVaultWithManagedIdentity(
                 name: null,
                 mutateSecretName: null);
         }
+        
+        /// <summary>
+        /// Adds Azure Key Vault as a secret source which uses Managed Identity authentication.
+        /// </summary>
+        /// <param name="builder">The builder to create the secret store.</param>
+        /// <param name="rawVaultUri">The Uri of the Azure Key Vault you want to connect to.</param>
+        /// <param name="cacheConfiguration">The configuration to control how the caching will be done.</param>
+        /// <param name="configureOptions">The optional additional options to configure the Azure Key Vault secret source.</param>
+        /// <param name="name">The unique name to register this Azure Key Vault provider in the secret store.</param>
+        /// <param name="mutateSecretName">The optional function to mutate the secret name before looking it up.</param>
+        /// <exception cref="ArgumentNullException">Thrown when the <paramref name="builder"/> is <c>null</c>.</exception>
+        /// <exception cref="ArgumentException">Thrown when the <paramref name="rawVaultUri"/> is blank.</exception>
+        public static SecretStoreBuilder AddAzureKeyVaultWithManagedIdentity(
+            this SecretStoreBuilder builder,
+            string rawVaultUri,
+            ICacheConfiguration cacheConfiguration,
+            Action<KeyVaultOptions> configureOptions,
+            string name,
+            Func<string, string> mutateSecretName)
+        {
+            Guard.NotNull(builder, nameof(builder), "Requires a secret store builder to add the Azure Key Vault secret provider");
+            Guard.NotNullOrWhitespace(rawVaultUri, nameof(rawVaultUri), "Requires a non-blank URI of the Azure Key Vault instance to add the secret provider to the secret store");
+
+            return AddAzureKeyVaultWithManagedIdentity(
+                builder,
+                rawVaultUri,
+                cacheConfiguration,
+                clientId: null,
+                configureOptions: configureOptions,
+                name: name,
+                mutateSecretName: mutateSecretName);
+        }
 
         /// <summary>
         /// Adds Azure Key Vault as a secret source which uses Managed Identity authentication.
diff --git a/src/Arcus.Security.Tests.Unit/KeyVault/Extensions/SecretStoreBuilderExtensionsTests.cs b/src/Arcus.Security.Tests.Unit/KeyVault/Extensions/SecretStoreBuilderExtensionsTests.cs
@@ -536,7 +536,22 @@ public void AddAzureKeyVaultWithManagedServiceIdentity_WithCachingWithBlankVault
             // Assert
             Assert.ThrowsAny<ArgumentException>(() => builder.Build());
         }
-        
+       
+        [Theory]
+        [ClassData(typeof(Blanks))]
+        public void AddAzureKeyVaultWithManagedIdentitySimple_WithoutVaultUriWithoutClientId_Throws(string vaultUri)
+        {
+            // Arrange
+            var builder = new HostBuilder();
+
+            // Act
+            builder.ConfigureSecretStore(
+                (config, stores) => stores.AddAzureKeyVaultWithManagedIdentity(vaultUri));
+
+            // Assert
+            Assert.ThrowsAny<ArgumentException>(() => builder.Build());
+        }
+
         [Theory]
         [ClassData(typeof(Blanks))]
         public void AddAzureKeyVaultWithManagedIdentitySimple_WithoutVaultUri_Throws(string vaultUri)
@@ -552,6 +567,22 @@ public void AddAzureKeyVaultWithManagedIdentitySimple_WithoutVaultUri_Throws(str
             Assert.ThrowsAny<ArgumentException>(() => builder.Build());
         }
         
+        [Theory]
+        [ClassData(typeof(Blanks))]
+        public void AddAzureKeyVaultWithManagedIdentitySimpleCacheConfiguration_WithoutVaultUriWithoutClientId_Throws(string vaultUri)
+        {
+            // Arrange
+            var builder = new HostBuilder();
+            var cacheConfiguration = new CacheConfiguration();
+            
+            // Act
+            builder.ConfigureSecretStore(
+                (config, stores) => stores.AddAzureKeyVaultWithManagedIdentity(vaultUri, cacheConfiguration));
+
+            // Assert
+            Assert.ThrowsAny<ArgumentException>(() => builder.Build());
+        }
+        
         [Theory]
         [ClassData(typeof(Blanks))]
         public void AddAzureKeyVaultWithManagedIdentitySimpleCacheConfiguration_WithoutVaultUri_Throws(string vaultUri)
@@ -583,6 +614,21 @@ public void AddAzureKeyVaultWithManagedServiceIdentityWithOptions_WithCachingWit
             // Assert
             Assert.ThrowsAny<ArgumentException>(() => builder.Build());
         }
+        
+        [Theory]
+        [ClassData(typeof(Blanks))]
+        public void AddAzureKeyVaultWithManagedIdentity_WithBlankVaultUriWithoutClientId_Throws(string vaultUri)
+        {
+            // Arrange
+            var builder = new HostBuilder();
+
+            // Act
+            builder.ConfigureSecretStore(
+                (config, stores) => stores.AddAzureKeyVaultWithManagedIdentity(vaultUri, configureOptions: null, name: null, mutateSecretName: null));
+
+            // Assert
+            Assert.ThrowsAny<ArgumentException>(() => builder.Build());
+        }
 
         [Theory]
         [ClassData(typeof(Blanks))]
@@ -599,6 +645,22 @@ public void AddAzureKeyVaultWithManagedIdentity_WithBlankVaultUri_Throws(string
             Assert.ThrowsAny<ArgumentException>(() => builder.Build());
         }
 
+        [Theory]
+        [ClassData(typeof(Blanks))]
+        public void AddAzureKeyVaultWithManagedIdentity_WithCachingWithBlankVaultUriWithoutClientId_Throws(string vaultUri)
+        {
+            // Arrange
+            var builder = new HostBuilder();
+            var cacheConfiguration = Mock.Of<ICacheConfiguration>();
+
+            // Act
+            builder.ConfigureSecretStore(
+                (config, stores) => stores.AddAzureKeyVaultWithManagedIdentity(vaultUri, cacheConfiguration: cacheConfiguration, configureOptions: null, name: null, mutateSecretName: null));
+
+            // Assert
+            Assert.ThrowsAny<ArgumentException>(() => builder.Build());
+        }
+        
         [Theory]
         [ClassData(typeof(Blanks))]
         public void AddAzureKeyVaultWithManagedIdentity_WithCachingWithBlankVaultUri_Throws(string vaultUri)
@@ -615,6 +677,30 @@ public void AddAzureKeyVaultWithManagedIdentity_WithCachingWithBlankVaultUri_Thr
             Assert.ThrowsAny<ArgumentException>(() => builder.Build());
         }
         
+        [Fact]
+        public void AddAzureKeyVaultWithManagedIdentity_WithValidArgumentsWithoutClientId_CreatesProvider()
+        {
+            // Arrange
+            var builder = new HostBuilder();
+            
+            // Act
+            builder.ConfigureSecretStore(
+                (config, stores) =>
+                {
+                    stores.AddAzureKeyVaultWithManagedIdentity(
+                        GenerateVaultUri(),
+                        configureOptions: options => options.TrackDependency = true,
+                        name: "Azure Key Vault",
+                        mutateSecretName: name => name.Replace(":", "."));
+                });
+
+            // Assert
+            using (IHost host = builder.Build())
+            {
+                Assert.NotNull(host.Services.GetRequiredService<ISecretProvider>());
+            }
+        }
+        
         [Fact]
         public void AddAzureKeyVaultWithManagedIdentity_WithValidArguments_CreatesProvider()
         {
@@ -640,6 +726,32 @@ public void AddAzureKeyVaultWithManagedIdentity_WithValidArguments_CreatesProvid
             }
         }
         
+        [Fact]
+        public void AddAzureKeyVaultWithManagedIdentityWithCacheConfiguration_WithValidArgumentsWithoutClientId_CreatesProvider()
+        {
+            // Arrange
+            var builder = new HostBuilder();
+            var cacheConfiguration = new CacheConfiguration();
+            
+            // Act
+            builder.ConfigureSecretStore(
+                (config, stores) =>
+                {
+                    stores.AddAzureKeyVaultWithManagedIdentity(
+                        GenerateVaultUri(),
+                        cacheConfiguration: cacheConfiguration,
+                        configureOptions: options => options.TrackDependency = true,
+                        name: "Azure Key Vault",
+                        mutateSecretName: name => name.Replace(":", "."));
+                });
+
+            // Assert
+            using (IHost host = builder.Build())
+            {
+                Assert.NotNull(host.Services.GetRequiredService<ISecretProvider>());
+            }
+        }
+        
         [Fact]
         public void AddAzureKeyVaultWithManagedIdentityWithCacheConfiguration_WithValidArguments_CreatesProvider()
         {
