// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
using System;
using Azure.Extensions.AspNetCore.DataProtection.Keys;
using Azure.Core;
using Azure.Core.Cryptography;
using Azure.Security.KeyVault.Keys.Cryptography;
using Microsoft.AspNetCore.DataProtection.Internal;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
#pragma warning disable AZC0001 // Extension methods have to be in the correct namespace to appear in intellisense.
namespace Microsoft.AspNetCore.DataProtection
#pragma warning disable
{
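/// <summary>
/// Contains Azure Key Vault-specific extension methods for modifying a <see cref="IDataProtectionBuilder"/>.
/// </summary>
/// <remarks>
/// Each overload registers an <see cref="IKeyEncryptionKeyResolver"/>, a <see cref="DecryptorTypeForwardingActivator"/>
/// as the <see cref="IActivator"/>, and an <see cref="AzureKeyVaultXmlEncryptor"/> that is installed as the
/// <see cref="KeyManagementOptions.XmlEncryptor"/>, so the data protection key ring is wrapped at rest with the
/// Key Vault key named by the key identifier.
/// </remarks>
public static class AzureDataProtectionKeyVaultKeyBuilderExtensions
{
    /// <summary>
    /// Configures the data protection system to protect keys with the specified key in Azure Key Vault.
    /// </summary>
    /// <param name="builder">The builder instance to modify.</param>
    /// <param name="keyIdentifier">The Azure Key Vault key identifier used for key encryption.</param>
    /// <param name="tokenCredential">The token credential to use for authentication.</param>
    /// <returns>The value <paramref name="builder"/>.</returns>
    /// <exception cref="ArgumentNullException">
    /// <paramref name="builder"/>, <paramref name="keyIdentifier"/> or <paramref name="tokenCredential"/> is <c>null</c>.
    /// </exception>
    public static IDataProtectionBuilder ProtectKeysWithAzureKeyVault(this IDataProtectionBuilder builder, Uri keyIdentifier, TokenCredential tokenCredential)
    {
        // Validate every argument here, like the other overloads do, so a null credential is
        // reported under this overload's parameter name instead of surfacing from the
        // KeyResolver constructor.
        Argument.AssertNotNull(builder, nameof(builder));
        Argument.AssertNotNull(keyIdentifier, nameof(keyIdentifier));
        Argument.AssertNotNull(tokenCredential, nameof(tokenCredential));

        return ProtectKeysWithAzureKeyVault(builder, keyIdentifier.ToString(), new KeyResolver(tokenCredential));
    }

    /// <summary>
    /// Configures the data protection system to protect keys with the specified key in Azure Key Vault.
    /// </summary>
    /// <param name="builder">The builder instance to modify.</param>
    /// <param name="keyIdentifier">The Azure Key Vault key identifier used for key encryption.</param>
    /// <param name="keyResolver">The <see cref="IKeyEncryptionKeyResolver"/> to use for Key Vault access.</param>
    /// <returns>The value <paramref name="builder"/>.</returns>
    /// <exception cref="ArgumentNullException">
    /// <paramref name="builder"/>, <paramref name="keyResolver"/> or <paramref name="keyIdentifier"/> is <c>null</c>.
    /// </exception>
    /// <exception cref="ArgumentException"><paramref name="keyIdentifier"/> is empty.</exception>
    public static IDataProtectionBuilder ProtectKeysWithAzureKeyVault(this IDataProtectionBuilder builder, string keyIdentifier, IKeyEncryptionKeyResolver keyResolver)
    {
        Argument.AssertNotNull(builder, nameof(builder));
        Argument.AssertNotNull(keyResolver, nameof(keyResolver));
        Argument.AssertNotNullOrEmpty(keyIdentifier, nameof(keyIdentifier));

        builder.Services.AddSingleton<IKeyEncryptionKeyResolver>(keyResolver);
        // NOTE(review): presumably this activator maps decryptor type names persisted in
        // existing key XML onto this package's decryptor — confirm against its definition.
        builder.Services.AddSingleton<IActivator, DecryptorTypeForwardingActivator>();

        // The resolver instance is already in hand, so the encryptor can be built eagerly
        // inside the options callback.
        builder.Services.Configure<KeyManagementOptions>(options =>
        {
            options.XmlEncryptor = new AzureKeyVaultXmlEncryptor(keyResolver, keyIdentifier);
        });

        return builder;
    }

    /// <summary>
    /// Configures the data protection system to protect keys with the specified key in Azure Key Vault.
    /// </summary>
    /// <param name="builder">The builder instance to modify.</param>
    /// <param name="keyIdentifier">The Azure Key Vault key identifier used for key encryption.</param>
    /// <param name="keyResolverFactory">The factory delegate to create the <see cref="IKeyEncryptionKeyResolver"/> to use for Key Vault access.</param>
    /// <returns>The value <paramref name="builder"/>.</returns>
    /// <exception cref="ArgumentNullException">
    /// <paramref name="builder"/>, <paramref name="keyResolverFactory"/> or <paramref name="keyIdentifier"/> is <c>null</c>.
    /// </exception>
    /// <exception cref="ArgumentException"><paramref name="keyIdentifier"/> is empty.</exception>
    public static IDataProtectionBuilder ProtectKeysWithAzureKeyVault(this IDataProtectionBuilder builder, string keyIdentifier, Func<IServiceProvider, IKeyEncryptionKeyResolver> keyResolverFactory)
    {
        Argument.AssertNotNull(builder, nameof(builder));
        Argument.AssertNotNull(keyResolverFactory, nameof(keyResolverFactory));
        Argument.AssertNotNullOrEmpty(keyIdentifier, nameof(keyIdentifier));

        builder.Services.AddSingleton<IActivator, DecryptorTypeForwardingActivator>();
        // The factory is invoked by the container, so the resolver (and any credential it
        // holds) is only materialised when first requested.
        builder.Services.AddSingleton<IKeyEncryptionKeyResolver>(keyResolverFactory);

        // The resolver is only reachable through the container, so the encryptor is registered
        // as a singleton built from it and attached to KeyManagementOptions by
        // ConfigureKeyManagementKeyVaultEncryptorClientOptions (which presumably injects the
        // encryptor — verify against that class).
        builder.Services.AddSingleton(sp =>
        {
            var keyResolver = sp.GetRequiredService<IKeyEncryptionKeyResolver>();
            return new AzureKeyVaultXmlEncryptor(keyResolver, keyIdentifier);
        });
        builder.Services.AddSingleton<IConfigureOptions<KeyManagementOptions>, ConfigureKeyManagementKeyVaultEncryptorClientOptions>();

        return builder;
    }

    /// <summary>
    /// Configures the data protection system to protect keys with the specified key in Azure Key Vault.
    /// </summary>
    /// <param name="builder">The builder instance to modify.</param>
    /// <param name="keyIdentifier">The Azure Key Vault key identifier used for key encryption.</param>
    /// <param name="tokenCredentialFactory">The factory delegate to create the <see cref="TokenCredential"/> to use for authenticating Key Vault access.</param>
    /// <returns>The value <paramref name="builder"/>.</returns>
    /// <exception cref="ArgumentNullException">
    /// <paramref name="builder"/>, <paramref name="tokenCredentialFactory"/> or <paramref name="keyIdentifier"/> is <c>null</c>.
    /// </exception>
    /// <exception cref="ArgumentException"><paramref name="keyIdentifier"/> is empty.</exception>
    public static IDataProtectionBuilder ProtectKeysWithAzureKeyVault(this IDataProtectionBuilder builder, string keyIdentifier, Func<IServiceProvider, TokenCredential> tokenCredentialFactory)
    {
        Argument.AssertNotNull(builder, nameof(builder));
        Argument.AssertNotNull(tokenCredentialFactory, nameof(tokenCredentialFactory));
        Argument.AssertNotNullOrEmpty(keyIdentifier, nameof(keyIdentifier));

        builder.Services.AddSingleton<IActivator, DecryptorTypeForwardingActivator>();

        // Defer credential creation to the container so the credential is obtained with the
        // application's service provider rather than at registration time.
        builder.Services.AddSingleton<IKeyEncryptionKeyResolver>(sp =>
        {
            var tokenCredential = tokenCredentialFactory(sp);
            return new KeyResolver(tokenCredential);
        });

        // Same lazy wiring as the resolver-factory overload: encryptor singleton plus an
        // IConfigureOptions that installs it on KeyManagementOptions.
        builder.Services.AddSingleton(sp =>
        {
            var keyResolver = sp.GetRequiredService<IKeyEncryptionKeyResolver>();
            return new AzureKeyVaultXmlEncryptor(keyResolver, keyIdentifier);
        });
        builder.Services.AddSingleton<IConfigureOptions<KeyManagementOptions>, ConfigureKeyManagementKeyVaultEncryptorClientOptions>();

        return builder;
    }
}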
}