Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Resolve Key Vault references using local identity #2258

Closed
Closed
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Add support for alternate KVR syntax
anthonychu committed Sep 19, 2020
commit 856d772d4e59ab99a86d8d513402a26b7754b485
58 changes: 46 additions & 12 deletions src/Azure.Functions.Cli/Common/KeyVaultReferencesManager.cs
Original file line number Diff line number Diff line change
@@ -11,6 +11,9 @@ namespace Azure.Functions.Cli.Common
{
class KeyVaultReferencesManager
{
private const string directiveStart = "@Microsoft.KeyVault(";
private const string directiveEnd = ")";
private const string vaultUriSuffix = "vault.azure.net";
private readonly ConcurrentDictionary<string, SecretClient> clients = new ConcurrentDictionary<string, SecretClient>();
private readonly TokenCredential credential = new AzureCliCredential();

@@ -26,11 +29,11 @@ public void ResolveKeyVaultReferences(IDictionary<string, string> settings)
}
}

public string GetSecretValue(string secretIdentifier)
private string GetSecretValue(string value)
{
var result = ParseSecret(secretIdentifier);
var result = ParseSecret(value);

if (result.IsSecret)
if (result != null)
{
var client = GetSecretClient(result.Uri);
var secret = client.GetSecret(result.Name, result.Version);
@@ -40,21 +43,53 @@ public string GetSecretValue(string secretIdentifier)
return null;
}

private ParseSecretResult ParseSecret(string secretIdentifier)
private ParseSecretResult ParseSecret(string value)
{
var uriMatches = Regex.Match(secretIdentifier, @"^@Microsoft.KeyVault\(SecretUri=(https://.+?)/secrets/([^/]+)/?(.*)\)$");
if (uriMatches.Success)
var referenceString = ExtractReferenceString(value);
if (string.IsNullOrEmpty(referenceString))
{
return null;
}

try
{
var uriMatches = Regex.Match(value, @"SecretUri=(https://.+?)/secrets/([^/]+)/?(.*)");
if (uriMatches.Success)
{
return new ParseSecretResult
{
Uri = new Uri(uriMatches.Groups[1].Value),
Name = uriMatches.Groups[2].Value,
Version = uriMatches.Groups[3].Value
};
}

var keyValuePairs = referenceString.Split(";")
.Select(item => item.Split("="))
.ToDictionary(pair => pair[0], pair => pair[1]);

return new ParseSecretResult
{
IsSecret = true,
Uri = new Uri(uriMatches.Groups[1].Value),
Name = uriMatches.Groups[2].Value,
Version = uriMatches.Groups[3].Value
Uri = new Uri($"https://{keyValuePairs["VaultName"]}.{vaultUriSuffix}"),
Name = keyValuePairs["SecretName"],
Version = keyValuePairs["SecretVersion"]
};
}
catch
{
throw new FormatException($"Key Vault Reference format invalid: {value}");
}
}

private string ExtractReferenceString(string value)
{
if (value == null ||
!(value.StartsWith(directiveStart) && value.EndsWith(directiveEnd)))
{
return null;
}

return new ParseSecretResult();
return value.Substring(directiveStart.Length, value.Length - directiveStart.Length - directiveEnd.Length);
}

private SecretClient GetSecretClient(Uri vaultUri)
@@ -64,7 +99,6 @@ private SecretClient GetSecretClient(Uri vaultUri)

private class ParseSecretResult
{
public bool IsSecret { get; set; }
public Uri Uri { get; set; }
public string Name { get; set; }
public string Version { get; set; }