diff --git a/azuredeploy.json b/azuredeploy.json index 66b5817b7..e3245235b 100644 --- a/azuredeploy.json +++ b/azuredeploy.json @@ -340,8 +340,7 @@ "dependsOn": [ "[concat('Microsoft.Web/sites/', variables('foxidsDefaultName'))]", "[resourceId('microsoft.insights/components', variables('foxidsDefaultName'))]", - "[concat('Microsoft.DocumentDB/databaseAccounts/', variables('foxidsDefaultName'))]", - "[concat('Microsoft.KeyVault/vaults/', variables('foxidsDefaultName'))]" + "[concat('Microsoft.DocumentDB/databaseAccounts/', variables('foxidsDefaultName'))]" ], "properties": { "WEBSITES_ENABLE_APP_SERVICE_STORAGE": false, @@ -353,12 +352,11 @@ "Settings__TrustProxySchemeHeader": true, "Settings__Options__Log": "ApplicationInsights", "Settings__Options__DataStorage": "CosmosDb", - "Settings__Options__KeyStorage": "KeyVault", + "Settings__Options__KeyStorage": "None", "Settings__Options__Cache": "Redis", "Settings__Options__DataCache": "Default", "ApplicationInsights__ConnectionString": "[reference(concat('microsoft.insights/components/', variables('foxidsDefaultName'))).ConnectionString]", "Settings__CosmosDb__EndpointUri": "[reference(concat('Microsoft.DocumentDb/databaseAccounts/', variables('foxidsDefaultName'))).documentEndpoint]", - "Settings__KeyVault__EndpointUri": "[reference(concat('Microsoft.KeyVault/vaults/', variables('foxidsDefaultName'))).vaultUri]", "Settings__Sendgrid__FromEmail": "[parameters('sendgridFromEmail')]" } }, @@ -369,8 +367,7 @@ "dependsOn": [ "[concat('Microsoft.Web/sites/', variables('foxidsControlSiteName'))]", "[resourceId('microsoft.insights/components', variables('foxidsDefaultName'))]", - "[concat('Microsoft.DocumentDB/databaseAccounts/', variables('foxidsDefaultName'))]", - "[concat('Microsoft.KeyVault/vaults/', variables('foxidsDefaultName'))]" + "[concat('Microsoft.DocumentDB/databaseAccounts/', variables('foxidsDefaultName'))]" ], "properties": { "WEBSITES_ENABLE_APP_SERVICE_STORAGE": false, @@ -384,12 +381,11 @@ "Settings__FoxIDsControlEndpoint": "[variables('foxidsControlSiteEndpoint')]", "Settings__Options__Log": "ApplicationInsights", "Settings__Options__DataStorage": "CosmosDb", - "Settings__Options__KeyStorage": "KeyVault", + "Settings__Options__KeyStorage": "None", "Settings__Options__Cache": "Redis", "Settings__Options__DataCache": "Default", "Settings__MasterSeedEnabled": true, "Settings__CosmosDb__EndpointUri": "[reference(concat('Microsoft.DocumentDb/databaseAccounts/', variables('foxidsDefaultName'))).documentEndpoint]", - "Settings__KeyVault__EndpointUri": "[reference(concat('Microsoft.KeyVault/vaults/', variables('foxidsDefaultName'))).vaultUri]", "Settings__ApplicationInsights__WorkspaceId": "[reference(concat('microsoft.operationalinsights/workspaces/', variables('foxidsDefaultName'))).customerId]" } }, diff --git a/docs/certificates.md b/docs/certificates.md index 79ba43d0d..aa726e1cc 100644 --- a/docs/certificates.md +++ b/docs/certificates.md @@ -1,24 +1,14 @@ # Certificates -When a environment is created it is default equipped with a self-signed certificate stored in Cosmos DB, called a contained certificate. The certificate can afterword's be updated / changed and likewise the certificate container type can be changed. +When a environment is created it is default equipped with a automatically renewed self-signed certificate. You can optionally change the certificate container type. -There are tree different certificate container types: +There are two different certificate container types: -**Contained certificates (default)** -- Certificates is stored in Cosmos DB including private key. -- Self-signed certificates is created by FoxIDs or you can upload your one certificates. -- Support primary and secondary certificates, and certificate swap. -- Not automatically renewed. -- No cost per signing. +**Renewed self-signed certificates (default)** +- Automatically created self-signed certificates. +- Automatically renewed with 3 month validity period. Renewed 10 days before expiration and promoted to primary certificate 5 days before expiration. -**Key Vault, renewed self-signed certificates** -- Certificates is stored in Key Vault and the private key is not exportable. -- Self-signed certificates is created by Key Vault. -- Automatically renewed with 3 month validity period. Renewed 10 days before expiration and exposed as the secondary certificate. Promoted to be the primary certificate 5 days before expiration. -- Key Vault cost per signing. - -**Key Vault, upload your one certificate *(future support)*** -- Certificates is stored in Key Vault and the private key is not exportable. -- Not automatically renewed. -- Key Vault cost per signing. +**Self-signed or your certificates** +- Automatically created self-signed certificates or upload your one certificates. +- NOT automatically renewed. diff --git a/docs/faq.md b/docs/faq.md index 9d2ed0125..b628c947e 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -11,9 +11,6 @@ Navigating to the application registration then click Show advanced and add a `* Yes FoxIDs support to forward the login hint from an authentication method to an external IdP or another FoxIDs application registration. In OpenID Connect the login hint is forwarded in the `login_hint` parameter. In SAML 2.0 the login hint is forwarded as a `NameID` with the Email Format `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` in the `Subject` element. -##### Way am I unable to login for a moment when I change the certificate container types to 'Key Vault renewed self-signed certificates'? -The first certificate have to be generated by Key Vault before the environment can perform logins again. Thereafter the certificate is renewed seamlessly. - ##### I am unable to logout of a client using OIDC if I login and theafter changed the certificate container type. The problem occurs if the OIDC logout require an ID Token before accepting logout. In this case the ID Token is invalid because the container type and there by the signing certificate have changed. Solution: You need to close the browser and start over. diff --git a/src/FoxIDs.Control/Controllers/Parties/GenericOAuthClientKeyUpPartyController.cs b/src/FoxIDs.Control/Controllers/Parties/GenericOAuthClientKeyUpPartyController.cs index bbf11035e..f33392252 100644 --- a/src/FoxIDs.Control/Controllers/Parties/GenericOAuthClientKeyUpPartyController.cs +++ b/src/FoxIDs.Control/Controllers/Parties/GenericOAuthClientKeyUpPartyController.cs @@ -13,8 +13,6 @@ using System.Security.Cryptography.X509Certificates; using System; using FoxIDs.Infrastructure.Security; -using Microsoft.Extensions.DependencyInjection; -using FoxIDs.Models.Config; using System.ComponentModel.DataAnnotations; namespace FoxIDs.Controllers @@ -25,18 +23,14 @@ namespace FoxIDs.Controllers [TenantScopeAuthorize(Constants.ControlApi.Segment.Party)] public abstract class GenericOAuthClientKeyUpPartyController : ApiController where TParty : OAuthUpParty where TClient : OAuthUpClient { - private readonly FoxIDsControlSettings settings; private readonly TelemetryScopedLogger logger; - private readonly IServiceProvider serviceProvider; private readonly IMapper mapper; private readonly ITenantDataRepository tenantDataRepository; private readonly PlanCacheLogic planCacheLogic; - public GenericOAuthClientKeyUpPartyController(FoxIDsControlSettings settings, TelemetryScopedLogger logger, IServiceProvider serviceProvider, IMapper mapper, ITenantDataRepository tenantDataRepository, PlanCacheLogic planCacheLogic) : base(logger) + public GenericOAuthClientKeyUpPartyController(TelemetryScopedLogger logger, IMapper mapper, ITenantDataRepository tenantDataRepository, PlanCacheLogic planCacheLogic) : base(logger) { - this.settings = settings; this.logger = logger; - this.serviceProvider = serviceProvider; this.mapper = mapper; this.tenantDataRepository = tenantDataRepository; this.planCacheLogic = planCacheLogic; @@ -93,36 +87,24 @@ public GenericOAuthClientKeyUpPartyController(FoxIDsControlSettings settings, Te var oauthUpParty = await tenantDataRepository.GetAsync(await UpParty.IdFormatAsync(RouteBinding, keyRequest.PartyName)); - var clientKey = new ClientKey(); - if(settings.Options.KeyStorage == KeyStorageOptions.None) + var certificate = keyRequest.Password.IsNullOrWhiteSpace() switch { - var certificate = keyRequest.Password.IsNullOrWhiteSpace() switch - { - true => new X509Certificate2(WebEncoders.Base64UrlDecode(keyRequest.Certificate), string.Empty, keyStorageFlags: X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable), - false => new X509Certificate2(WebEncoders.Base64UrlDecode(keyRequest.Certificate), keyRequest.Password, keyStorageFlags: X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable), - }; - if (!keyRequest.Password.IsNullOrWhiteSpace() && !certificate.HasPrivateKey) - { - throw new ValidationException("Unable to read the certificates private key. E.g, try to convert the certificate and save the certificate with 'TripleDES-SHA1'."); - } - var jwt = await certificate.ToFTJsonWebKeyAsync(includePrivateKey: true); - clientKey.Type = ClientKeyTypes.Contained; - clientKey.ExternalName = Guid.NewGuid().ToString(); - clientKey.Key = jwt; - clientKey.PublicKey = jwt.GetPublicKey(); - } - else if (settings.Options.KeyStorage == KeyStorageOptions.None) + true => new X509Certificate2(WebEncoders.Base64UrlDecode(keyRequest.Certificate), string.Empty, keyStorageFlags: X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable), + false => new X509Certificate2(WebEncoders.Base64UrlDecode(keyRequest.Certificate), keyRequest.Password, keyStorageFlags: X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable), + }; + if (!keyRequest.Password.IsNullOrWhiteSpace() && !certificate.HasPrivateKey) { - (var externalName, var publicCertificate, var externalId) = await GetExternalKeyLogic().ImportExternalKeyAsync(WebEncoders.Base64UrlDecode(keyRequest.Certificate), keyRequest.Password, upPartyName: keyRequest.PartyName); - clientKey.Type = ClientKeyTypes.KeyVaultImport; - clientKey.ExternalName = externalName; - clientKey.ExternalId = externalId; - clientKey.PublicKey = new X509Certificate2(publicCertificate).ToFTJsonWebKey(); + throw new ValidationException("Unable to read the certificates private key. E.g, try to convert the certificate and save the certificate with 'TripleDES-SHA1'."); } - else + + var jwt = await certificate.ToFTJsonWebKeyAsync(includePrivateKey: true); + var clientKey = new ClientKey { - throw new NotSupportedException(); - } + Type = ClientKeyTypes.Contained, + ExternalName = Guid.NewGuid().ToString(), + Key = jwt, + PublicKey = jwt.GetPublicKey() + }; var secondaryKey = oauthUpParty.Client.ClientKeys?.Count() > 1 ? oauthUpParty.Client.ClientKeys[2] : null; oauthUpParty.Client.ClientKeys = new List @@ -172,10 +154,6 @@ protected async Task Delete(string name) { oauthUpParty.Client.ClientKeys.Remove(key); await tenantDataRepository.UpdateAsync(oauthUpParty); - if (key.Type == ClientKeyTypes.KeyVaultImport) - { - await GetExternalKeyLogic().DeleteExternalKeyAsync(externalName); - } } return NoContent(); @@ -190,7 +168,5 @@ protected async Task Delete(string name) throw; } } - - private ExternalKeyLogic GetExternalKeyLogic() => serviceProvider.GetService(); } } diff --git a/src/FoxIDs.Control/Controllers/Parties/TOidcClientKeyUpPartyController.cs b/src/FoxIDs.Control/Controllers/Parties/TOidcClientKeyUpPartyController.cs index 129ac3030..c80c8c2c4 100644 --- a/src/FoxIDs.Control/Controllers/Parties/TOidcClientKeyUpPartyController.cs +++ b/src/FoxIDs.Control/Controllers/Parties/TOidcClientKeyUpPartyController.cs @@ -8,8 +8,6 @@ using System.Collections.Generic; using FoxIDs.Logic; using Microsoft.AspNetCore.Http; -using System; -using FoxIDs.Models.Config; namespace FoxIDs.Controllers { @@ -18,7 +16,7 @@ namespace FoxIDs.Controllers /// public class TOidcClientKeyUpPartyController : GenericOAuthClientKeyUpPartyController { - public TOidcClientKeyUpPartyController(FoxIDsControlSettings settings, TelemetryScopedLogger logger, IServiceProvider serviceProvider, IMapper mapper, ITenantDataRepository tenantDataRepository, PlanCacheLogic planCacheLogic) : base(settings, logger, serviceProvider, mapper, tenantDataRepository, planCacheLogic) + public TOidcClientKeyUpPartyController(TelemetryScopedLogger logger, IMapper mapper, ITenantDataRepository tenantDataRepository, PlanCacheLogic planCacheLogic) : base(logger, mapper, tenantDataRepository, planCacheLogic) { } /// diff --git a/src/FoxIDs.Control/Controllers/Tenants/TTenantController.cs b/src/FoxIDs.Control/Controllers/Tenants/TTenantController.cs index 85c484002..ddb997a2c 100644 --- a/src/FoxIDs.Control/Controllers/Tenants/TTenantController.cs +++ b/src/FoxIDs.Control/Controllers/Tenants/TTenantController.cs @@ -111,13 +111,13 @@ public TTenantController(FoxIDsControlSettings settings, TelemetryScopedLogger l await tenantCacheLogic.InvalidateCustomDomainCacheAsync(tenant.CustomDomain); } - await masterTenantLogic.CreateMasterTrackDocumentAsync(tenant.Name, plan.GetKeyType(settings.Options.KeyStorage == KeyStorageOptions.KeyVault)); + await masterTenantLogic.CreateMasterTrackDocumentAsync(tenant.Name); var mLoginUpParty = await masterTenantLogic.CreateMasterLoginDocumentAsync(tenant.Name); await masterTenantLogic.CreateFirstAdminUserDocumentAsync(tenant.Name, tenant.AdministratorEmail, tenant.AdministratorPassword, tenant.ChangeAdministratorPassword, true, tenant.ConfirmAdministratorAccount); await masterTenantLogic.CreateMasterFoxIDsControlApiResourceDocumentAsync(tenant.Name); await masterTenantLogic.CreateMasterControlClientDocmentAsync(tenant.Name, tenant.ControlClientBaseUri, mLoginUpParty); - await masterTenantLogic.CreateDefaultTracksDocmentsAsync(tenant.Name, plan.GetKeyType(settings.Options.KeyStorage == KeyStorageOptions.KeyVault)); + await masterTenantLogic.CreateDefaultTracksDocmentsAsync(tenant.Name); return Created(mapper.Map(mTenant)); } diff --git a/src/FoxIDs.Control/Controllers/Tracks/TTrackController.cs b/src/FoxIDs.Control/Controllers/Tracks/TTrackController.cs index c400f64f7..d3f496893 100644 --- a/src/FoxIDs.Control/Controllers/Tracks/TTrackController.cs +++ b/src/FoxIDs.Control/Controllers/Tracks/TTrackController.cs @@ -102,7 +102,7 @@ public TTrackController(FoxIDsControlSettings settings, TelemetryScopedLogger lo } var mTrack = mapper.Map(track); - await trackLogic.CreateTrackDocumentAsync(mTrack, await GetKeyTypeAsync()); + await trackLogic.CreateTrackDocumentAsync(mTrack); await trackLogic.CreateLoginDocumentAsync(mTrack); return Created(mapper.Map(mTrack)); @@ -118,21 +118,6 @@ public TTrackController(FoxIDsControlSettings settings, TelemetryScopedLogger lo } } - private async Task GetKeyTypeAsync() - { - if (settings.Options.KeyStorage != KeyStorageOptions.KeyVault) - { - return TrackKeyTypes.Contained; - } - - Plan plan = null; - if (!RouteBinding.PlanName.IsNullOrEmpty()) - { - plan = await planCacheLogic.GetPlanAsync(RouteBinding.PlanName); - } - return plan.GetKeyType(settings.Options.KeyStorage == KeyStorageOptions.KeyVault); - } - /// /// Update environment. /// diff --git a/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyContainedController.cs b/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyContainedController.cs index 563c5e855..6715b2e86 100644 --- a/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyContainedController.cs +++ b/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyContainedController.cs @@ -6,7 +6,6 @@ using Microsoft.AspNetCore.Http; using Microsoft.AspNetCore.Mvc; using System.Threading.Tasks; -using System.Net; using System.ComponentModel.DataAnnotations; using ITfoxtec.Identity; using FoxIDs.Logic; @@ -117,8 +116,8 @@ public TTrackKeyContainedController(TelemetryScopedLogger logger, IMapper mapper if (trackKeyRequest.CreateSelfSigned) { - var certificate = await RouteBinding.CreateSelfSignedCertificateBySubjectAsync(); - mTrackKey.Key = await certificate.ToFTJsonWebKeyAsync(true); + var certificateItem = await RouteBinding.CreateSelfSignedCertificateBySubjectAsync(); + mTrackKey.Key = await certificateItem.Certificate.ToFTJsonWebKeyAsync(true); } if (trackKeyRequest.IsPrimary) diff --git a/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyContainedSwapController.cs b/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyContainedSwapController.cs index cd5e3d66f..8fd827a1d 100644 --- a/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyContainedSwapController.cs +++ b/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyContainedSwapController.cs @@ -6,7 +6,6 @@ using Microsoft.AspNetCore.Http; using Microsoft.AspNetCore.Mvc; using System.Threading.Tasks; -using System.Net; using System.ComponentModel.DataAnnotations; using FoxIDs.Logic; using FoxIDs.Infrastructure.Security; diff --git a/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyTypeController.cs b/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyTypeController.cs index 88b0d642c..3dfc68638 100644 --- a/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyTypeController.cs +++ b/src/FoxIDs.Control/Controllers/Tracks/TTrackKeyTypeController.cs @@ -24,17 +24,15 @@ public class TTrackKeyTypeController : ApiController private readonly IServiceProvider serviceProvider; private readonly IMapper mapper; private readonly ITenantDataRepository tenantDataRepository; - private readonly PlanCacheLogic planCacheLogic; private readonly TrackCacheLogic trackCacheLogic; - public TTrackKeyTypeController(FoxIDsControlSettings settings, TelemetryScopedLogger logger, IServiceProvider serviceProvider, IMapper mapper, ITenantDataRepository tenantDataRepository, PlanCacheLogic planCacheLogic, TrackCacheLogic trackCacheLogic) : base(logger) + public TTrackKeyTypeController(FoxIDsControlSettings settings, TelemetryScopedLogger logger, IServiceProvider serviceProvider, IMapper mapper, ITenantDataRepository tenantDataRepository, TrackCacheLogic trackCacheLogic) : base(logger) { this.settings = settings; this.logger = logger; this.serviceProvider = serviceProvider; this.mapper = mapper; this.tenantDataRepository = tenantDataRepository; - this.planCacheLogic = planCacheLogic; this.trackCacheLogic = trackCacheLogic; } @@ -77,51 +75,40 @@ public TTrackKeyTypeController(FoxIDsControlSettings settings, TelemetryScopedLo var mTrackKey = mapper.Map(trackKey); - if (settings.Options.KeyStorage != KeyStorageOptions.KeyVault && (mTrackKey.Type == TrackKeyTypes.KeyVaultRenewSelfSigned || mTrackKey.Type == TrackKeyTypes.KeyVaultImport)) + if (mTrackKey.Type == TrackKeyTypes.KeyVaultRenewSelfSigned) { - throw new Exception("KeyVault option not enabled."); - } - - if (!RouteBinding.PlanName.IsNullOrEmpty() && mTrackKey.Type != TrackKeyTypes.Contained) - { - var plan = await planCacheLogic.GetPlanAsync(RouteBinding.PlanName); - if (!plan.EnableKeyVault) - { - throw new Exception($"Key Vault is not supported in the '{plan.Name}' plan."); - } + throw new Exception("KeyVault is phased out."); } var trackIdKey = new Track.IdKey { TenantName = RouteBinding.TenantName, TrackName = RouteBinding.TrackName }; var mTrack = await tenantDataRepository.GetTrackByNameAsync(trackIdKey); if (mTrack.Key.Type != mTrackKey.Type) { - switch (mTrackKey.Type) + if (mTrack.Key.Type == TrackKeyTypes.Contained || mTrack.Key.Type == TrackKeyTypes.ContainedRenewSelfSigned) { - case TrackKeyTypes.Contained: - mTrack.Key.Type = mTrackKey.Type; - var certificate = await RouteBinding.CreateSelfSignedCertificateBySubjectAsync(); - mTrack.Key.Keys = new List { new TrackKeyItem { Key = await certificate.ToFTJsonWebKeyAsync(true) } }; - if (!mTrack.Key.ExternalName.IsNullOrWhiteSpace()) - { - await GetExternalKeyLogic().DeleteExternalKeyAsync(mTrack.Key.ExternalName); - mTrack.Key.ExternalName = null; - } - break; + mTrack.Key.Type = mTrackKey.Type; + var certificate = mTrack.Key.Type == TrackKeyTypes.Contained ? await RouteBinding.CreateSelfSignedCertificateBySubjectAsync() : await RouteBinding.CreateSelfSignedCertificateBySubjectAsync(mTrack.KeyValidityInMonths); + mTrack.Key.Keys = new List + { + await certificate.ToTrackKeyItemAsync(true) + }; - case TrackKeyTypes.KeyVaultRenewSelfSigned: - mTrack.Key.Type = mTrackKey.Type; - mTrack.Key.Keys = null; - mTrack.Key.ExternalName = await GetExternalKeyLogic().CreateExternalKeyAsync(mTrack); - break; + var externalName = mTrack.Key.ExternalName; + mTrack.Key.ExternalName = null; - case TrackKeyTypes.KeyVaultImport: - default: - throw new Exception($"Track key type not supported '{mTrackKey.Type}'."); - } + await tenantDataRepository.UpdateAsync(mTrack); + await trackCacheLogic.InvalidateTrackCacheAsync(trackIdKey); - await tenantDataRepository.UpdateAsync(mTrack); - - await trackCacheLogic.InvalidateTrackCacheAsync(trackIdKey); + if (settings.Options.KeyStorage == KeyStorageOptions.KeyVault && !externalName.IsNullOrWhiteSpace()) + { + var externalKeyLogic = serviceProvider.GetService(); + await externalKeyLogic.DeleteExternalKeyAsync(externalName); + } + } + else + { + throw new NotSupportedException($"Track key type '{mTrack.Key.Type}' not supported."); + } } return Ok(mapper.Map(mTrack.Key)); @@ -136,7 +123,5 @@ public TTrackKeyTypeController(FoxIDsControlSettings settings, TelemetryScopedLo throw; } } - - private ExternalKeyLogic GetExternalKeyLogic() => serviceProvider.GetService(); } } diff --git a/src/FoxIDs.Control/FoxIDs.Control.csproj b/src/FoxIDs.Control/FoxIDs.Control.csproj index c49783f6c..63581377c 100644 --- a/src/FoxIDs.Control/FoxIDs.Control.csproj +++ b/src/FoxIDs.Control/FoxIDs.Control.csproj @@ -2,7 +2,7 @@ net8.0 - 1.7.3 + 1.8.0 FoxIDs Anders Revsgaard ITfoxtec diff --git a/src/FoxIDs.Control/Logic/Seed/MainTenantDocumentsSeedLogic.cs b/src/FoxIDs.Control/Logic/Seed/MainTenantDocumentsSeedLogic.cs index 0ba913b7e..d688165f2 100644 --- a/src/FoxIDs.Control/Logic/Seed/MainTenantDocumentsSeedLogic.cs +++ b/src/FoxIDs.Control/Logic/Seed/MainTenantDocumentsSeedLogic.cs @@ -33,13 +33,13 @@ public async Task SeedAsync() return false; } - await masterTenantLogic.CreateMasterTrackDocumentAsync(Constants.Routes.MainTenantName, TrackKeyType); + await masterTenantLogic.CreateMasterTrackDocumentAsync(Constants.Routes.MainTenantName); var mLoginUpParty = await masterTenantLogic.CreateMasterLoginDocumentAsync(Constants.Routes.MainTenantName); await masterTenantLogic.CreateFirstAdminUserDocumentAsync(Constants.Routes.MainTenantName, Constants.DefaultAdminAccount.Email, Constants.DefaultAdminAccount.Password, true, false, false, isMasterTenant: true); await masterTenantLogic.CreateMasterFoxIDsControlApiResourceDocumentAsync(Constants.Routes.MainTenantName, isMasterTenant: true); await masterTenantLogic.CreateMasterControlClientDocmentAsync(Constants.Routes.MainTenantName, settings.FoxIDsControlEndpoint, mLoginUpParty, includeMasterTenantScope: true); - await masterTenantLogic.CreateDefaultTracksDocmentsAsync(Constants.Routes.MainTenantName, TrackKeyType); + await masterTenantLogic.CreateDefaultTracksDocmentsAsync(Constants.Routes.MainTenantName); return true; } catch (Exception ex) @@ -49,8 +49,6 @@ public async Task SeedAsync() } } - private TrackKeyTypes TrackKeyType => settings.Options.KeyStorage == KeyStorageOptions.KeyVault ? TrackKeyTypes.KeyVaultRenewSelfSigned : TrackKeyTypes.Contained; - private async Task CreateAndValidateMainTenantDocumentAsync(string foxIDsEndpoint) { var mainTenant = new Tenant(); diff --git a/src/FoxIDs.Control/Logic/Seed/MasterTenantDocumentsSeedLogic.cs b/src/FoxIDs.Control/Logic/Seed/MasterTenantDocumentsSeedLogic.cs index b8bf894c5..6eda7b1f5 100644 --- a/src/FoxIDs.Control/Logic/Seed/MasterTenantDocumentsSeedLogic.cs +++ b/src/FoxIDs.Control/Logic/Seed/MasterTenantDocumentsSeedLogic.cs @@ -4,7 +4,6 @@ using FoxIDs.Repository; using Microsoft.AspNetCore.Http; using System; -using System.Net; using System.Threading.Tasks; namespace FoxIDs.Logic.Seed @@ -33,7 +32,7 @@ public async Task SeedAsync() return false; } - await masterTenantLogic.CreateMasterTrackDocumentAsync(Constants.Routes.MasterTenantName, settings.Options.KeyStorage == KeyStorageOptions.KeyVault ? TrackKeyTypes.KeyVaultRenewSelfSigned : TrackKeyTypes.Contained); + await masterTenantLogic.CreateMasterTrackDocumentAsync(Constants.Routes.MasterTenantName); var mLoginUpParty = await masterTenantLogic.CreateMasterLoginDocumentAsync(Constants.Routes.MasterTenantName); await masterTenantLogic.CreateFirstAdminUserDocumentAsync(Constants.Routes.MasterTenantName, Constants.DefaultAdminAccount.Email, Constants.DefaultAdminAccount.Password, true, false, false, isMasterTenant: true); await masterTenantLogic.CreateMasterFoxIDsControlApiResourceDocumentAsync(Constants.Routes.MasterTenantName, isMasterTenant: true); diff --git a/src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj b/src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj index a65ab07d9..ad7ee8895 100644 --- a/src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj +++ b/src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj @@ -2,7 +2,7 @@ net8.0 - 1.7.3 + 1.8.0 FoxIDs.Client Anders Revsgaard ITfoxtec diff --git a/src/FoxIDs.ControlClient/Pages/Certificates.razor b/src/FoxIDs.ControlClient/Pages/Certificates.razor index 9fc394a4e..7a4612511 100644 --- a/src/FoxIDs.ControlClient/Pages/Certificates.razor +++ b/src/FoxIDs.ControlClient/Pages/Certificates.razor @@ -3,7 +3,7 @@
- The primary certificate is the environments and thus the Identity Provider's unique certificate. The are different certificate container types to choose from. + The primary certificate is the environments and thus the Identity Provider's unique certificate. The are two different certificate container types to choose from.
@@ -100,7 +100,7 @@ } @if (certificate.Form.Model.Key == null) { - + } else { @@ -138,11 +138,12 @@
} - else if (trackKey?.Type == TrackKeyTypes.KeyVaultImport) + else if (trackKey?.Type == TrackKeyTypes.ContainedRenewSelfSigned) {
-
Key Vault upload your one certificate - not supported, to be implemented.
+
Renewed self-signed certificates
+
Automatically renewed with 3 month validity period. Renewed 10 days before expiration and promoted to primary certificate 5 days before expiration.
} @@ -179,66 +180,49 @@ }
-
Contained certificates
+
Renewed self-signed certificates
    -
  • Certificates stored in Cosmos DB including private key.
    • -
  • Self-signed certificates created by FoxIDs or upload your one certificates.
    • -
  • Not automatically renewed.
    • -
  • No cost per signing.
    • +
  • Automatically created self-signed certificates.
    • +
  • Automatically renewed with 3 month validity period. Renewed 10 days before expiration and promoted to primary certificate 5 days before expiration.
- @if (trackKey?.Type == TrackKeyTypes.Contained) + @if (trackKey?.Type == TrackKeyTypes.ContainedRenewSelfSigned) {
Current container type.
} else { - + }
-
-
Key Vault renewed self-signed certificates
+
Self-signed or your certificates
    -
  • Certificates stored in Key Vault and private key not exportable.
    • -
  • Self-signed certificates created by Key Vault.
    • -
  • Automatically renewed with 3 month validity period. Renewed 10 days before expiration and promoted to primary certificate 5 days before expiration.
    • -
  • Cost per signing.
    • +
  • Automatically created self-signed certificates or upload your one certificates.
    • +
  • NOT automatically renewed.
- @if (trackKey?.Type == TrackKeyTypes.KeyVaultRenewSelfSigned) + @if (trackKey?.Type == TrackKeyTypes.Contained) {
Current container type.
} else { - + }
-
-
-
Key Vault upload your one certificate (not supported, to be implemented)
-
-
    -
  • Certificates stored in Key Vault and private key not exportable.
    • -
  • Not automatically renewed.
    • -
  • Cost per signing.
    • -
-
-
-
diff --git a/src/FoxIDs.ControlClient/Pages/Components/EOidcUpParty.cs b/src/FoxIDs.ControlClient/Pages/Components/EOidcUpParty.cs index 2e0ecae2f..89eb0a70a 100644 --- a/src/FoxIDs.ControlClient/Pages/Components/EOidcUpParty.cs +++ b/src/FoxIDs.ControlClient/Pages/Components/EOidcUpParty.cs @@ -322,7 +322,7 @@ private async Task OnImportClientKeyFileAsync(GeneralOidcUpPartyViewModel oidcUp } var base64UrlEncodeCertificate = WebEncoders.Base64UrlEncode(certificateBytes); - var clientKeyResponse = await UpPartyService.CreateOidcClientKeyUpPartyAsync(new OAuthClientKeyRequest { Type = ClientKeyTypes.KeyVaultImport, PartyName = UpParty.Name, Certificate = base64UrlEncodeCertificate, Password = importClientKeyForm.Model.Password }); + var clientKeyResponse = await UpPartyService.CreateOidcClientKeyUpPartyAsync(new OAuthClientKeyRequest { PartyName = UpParty.Name, Certificate = base64UrlEncodeCertificate, Password = importClientKeyForm.Model.Password }); oidcUpParty.Form.Model.Client.PublicClientKeyInfo = importClientKeyForm.Model.PublicClientKeyInfo = new KeyInfoViewModel { diff --git a/src/FoxIDs.ControlShared/FoxIDs.ControlShared.csproj b/src/FoxIDs.ControlShared/FoxIDs.ControlShared.csproj index 9275f6327..9ccbba8e2 100644 --- a/src/FoxIDs.ControlShared/FoxIDs.ControlShared.csproj +++ b/src/FoxIDs.ControlShared/FoxIDs.ControlShared.csproj @@ -2,7 +2,7 @@ net8.0 - 1.7.3 + 1.8.0 FoxIDs Anders Revsgaard ITfoxtec diff --git a/src/FoxIDs.ControlShared/Models/Api/Parties/ClientKeyTypes.cs b/src/FoxIDs.ControlShared/Models/Api/Parties/ClientKeyTypes.cs index 3ffbb8b60..cbce727ae 100644 --- a/src/FoxIDs.ControlShared/Models/Api/Parties/ClientKeyTypes.cs +++ b/src/FoxIDs.ControlShared/Models/Api/Parties/ClientKeyTypes.cs @@ -1,8 +1,11 @@ -namespace FoxIDs.Models.Api +using System; + +namespace FoxIDs.Models.Api { public enum ClientKeyTypes { - KeyVaultSelfSigned = 10, + Contained = 0, + [Obsolete("KeyVault is phased out.")] KeyVaultImport = 20, } } diff --git a/src/FoxIDs.ControlShared/Models/Api/Parties/OAuthClientKeyRequest.cs b/src/FoxIDs.ControlShared/Models/Api/Parties/OAuthClientKeyRequest.cs index 029888aea..75d4fb59c 100644 --- a/src/FoxIDs.ControlShared/Models/Api/Parties/OAuthClientKeyRequest.cs +++ b/src/FoxIDs.ControlShared/Models/Api/Parties/OAuthClientKeyRequest.cs @@ -1,12 +1,11 @@ -using System.Collections.Generic; -using System.ComponentModel.DataAnnotations; +using System.ComponentModel.DataAnnotations; namespace FoxIDs.Models.Api { /// /// OAuth client key import request. /// - public class OAuthClientKeyRequest : IValidatableObject + public class OAuthClientKeyRequest { /// /// OAuth 2.0 authentication method name. @@ -16,9 +15,6 @@ public class OAuthClientKeyRequest : IValidatableObject [RegularExpression(Constants.Models.Party.NameRegExPattern)] public string PartyName { get; set; } - [Required] - public ClientKeyTypes Type { get; set; } - /// /// Base64 url encode certificate. /// @@ -31,15 +27,5 @@ public class OAuthClientKeyRequest : IValidatableObject /// [MaxLength(Constants.Models.SecretHash.SecretLength)] public string Password { get; set; } - - public IEnumerable Validate(ValidationContext validationContext) - { - var results = new List(); - if (Type != ClientKeyTypes.KeyVaultImport) - { - results.Add(new ValidationResult($"Only the type '{ClientKeyTypes.KeyVaultImport}' is supported.", new[] { nameof(Type) })); - } - return results; - } } } diff --git a/src/FoxIDs.ControlShared/Models/Api/Tracks/TrackKeyTypes.cs b/src/FoxIDs.ControlShared/Models/Api/Tracks/TrackKeyTypes.cs index b68f7c97c..b1405e08c 100644 --- a/src/FoxIDs.ControlShared/Models/Api/Tracks/TrackKeyTypes.cs +++ b/src/FoxIDs.ControlShared/Models/Api/Tracks/TrackKeyTypes.cs @@ -1,9 +1,12 @@ -namespace FoxIDs.Models.Api +using System; + +namespace FoxIDs.Models.Api { public enum TrackKeyTypes { Contained = 0, + [Obsolete("KeyVault is phased out.")] KeyVaultRenewSelfSigned = 1, - KeyVaultImport = 2, + ContainedRenewSelfSigned = 10 } } diff --git a/src/FoxIDs.Shared/Extensions/PlanExtensions.cs b/src/FoxIDs.Shared/Extensions/PlanExtensions.cs deleted file mode 100644 index fe1f91577..000000000 --- a/src/FoxIDs.Shared/Extensions/PlanExtensions.cs +++ /dev/null @@ -1,19 +0,0 @@ -using FoxIDs.Models; - -namespace FoxIDs -{ - public static class PlanExtensions - { - /// - /// Get the default supported key type. - /// - public static TrackKeyTypes GetKeyType(this Plan plan, bool keyVaultOptionEnabled) - { - if (!keyVaultOptionEnabled || (plan != null && !plan.EnableKeyVault)) - { - return TrackKeyTypes.Contained; - } - return TrackKeyTypes.KeyVaultRenewSelfSigned; - } - } -} diff --git a/src/FoxIDs.Shared/Extensions/X509Certificate2Extensions.cs b/src/FoxIDs.Shared/Extensions/X509Certificate2Extensions.cs index 4c67de9e5..7710d7335 100644 --- a/src/FoxIDs.Shared/Extensions/X509Certificate2Extensions.cs +++ b/src/FoxIDs.Shared/Extensions/X509Certificate2Extensions.cs @@ -14,18 +14,26 @@ public static class X509Certificate2Extensions { public static string GetCertificateSubject(this (string tenantName, string trackName) subjectData) { - return $"CN={subjectData.tenantName}{(subjectData.trackName.Equals("-", StringComparison.Ordinal) ? string.Empty : $"-{subjectData.trackName}")}, O=FoxIDs"; + return $"CN=FoxIDs - {subjectData.tenantName}{(subjectData.trackName.Equals("-", StringComparison.Ordinal) ? string.Empty : $"-{subjectData.trackName}")}, O=FoxIDs"; } - public static Task CreateSelfSignedCertificateBySubjectAsync(this RouteBinding routeBinding) + public static Task CreateSelfSignedCertificateBySubjectAsync(this RouteBinding routeBinding, int expiryInMonths = 36) { - return (routeBinding.TenantName, routeBinding.TrackName).CreateSelfSignedCertificateBySubjectAsync(); + return (routeBinding.TenantName, routeBinding.TrackName).CreateSelfSignedCertificateBySubjectAsync(expiryInMonths); } - public static Task CreateSelfSignedCertificateBySubjectAsync(this (string tenantName, string trackName) subjectData) + public static async Task CreateSelfSignedCertificateBySubjectAsync(this (string tenantName, string trackName) subjectData, int expiryInMonths = 36) { var subject = (subjectData.tenantName, subjectData.trackName).GetCertificateSubject(); - return subject.CreateSelfSignedCertificateAsync(expiry: TimeSpan.FromDays(365.0 * 3)); + var now = DateTimeOffset.UtcNow; + var notBefore = now.AddSeconds(-5); + var notAfter = now.AddMonths(expiryInMonths); + return new CertificateItem + { + Certificate = await subject.CreateSelfSignedCertificateAsync(notBefore, notAfter), + NotBefore = notBefore.ToUnixTimeSeconds(), + NotAfter = notAfter.ToUnixTimeSeconds() + }; } public static bool IsValidateCertificate(this X509Certificate2 certificate) diff --git a/src/FoxIDs.Shared/FoxIDs.Shared.csproj b/src/FoxIDs.Shared/FoxIDs.Shared.csproj index 5b482e32f..d8f6aee34 100644 --- a/src/FoxIDs.Shared/FoxIDs.Shared.csproj +++ b/src/FoxIDs.Shared/FoxIDs.Shared.csproj @@ -2,7 +2,7 @@ net8.0 - 1.7.3 + 1.8.0 FoxIDs Anders Revsgaard ITfoxtec diff --git a/src/FoxIDs.Shared/Infrastructure/Hosting/RouteBindingMiddleware.cs b/src/FoxIDs.Shared/Infrastructure/Hosting/RouteBindingMiddleware.cs index 0771aa532..75699f38e 100644 --- a/src/FoxIDs.Shared/Infrastructure/Hosting/RouteBindingMiddleware.cs +++ b/src/FoxIDs.Shared/Infrastructure/Hosting/RouteBindingMiddleware.cs @@ -103,7 +103,7 @@ private async Task GetRouteDataAsync(TelemetryScopedLogger scopedL } } - var track = await GetTrackAsync(trackIdKey, useCustomDomain); + var track = await GetTrackAsync(scopedLogger, requestServices, trackIdKey, useCustomDomain); scopedLogger.SetScopeProperty(Constants.Logs.TenantName, trackIdKey.TenantName); scopedLogger.SetScopeProperty(Constants.Logs.TrackName, trackIdKey.TrackName); var routeBinding = new RouteBinding @@ -136,9 +136,9 @@ private TelemetryClient GetTelmetryClient(string applicationInsightsConnectionSt } } - private static async Task GetTenantAsync(IServiceProvider requestServices, bool useCustomDomain, string customDomain, string tenantName) + private static async Task GetTenantAsync(IServiceProvider serviceProvider, bool useCustomDomain, string customDomain, string tenantName) { - var tenantCacheLogic = requestServices.GetService(); + var tenantCacheLogic = serviceProvider.GetService(); if (useCustomDomain) { return await tenantCacheLogic.GetTenantByCustomDomainAsync(customDomain); @@ -149,21 +149,33 @@ private static async Task GetTenantAsync(IServiceProvider requestService } } - private async Task GetPlanAsync(IServiceProvider requestServices, string planName) + private async Task GetPlanAsync(IServiceProvider serviceProvider, string planName) { if (planName.IsNullOrEmpty()) { return null; } - var planCacheLogic = requestServices.GetService(); + var planCacheLogic = serviceProvider.GetService(); return await planCacheLogic.GetPlanAsync(planName, required: false); } - private async Task GetTrackAsync(Track.IdKey idKey, bool useCustomDomain) + private async Task GetTrackAsync(TelemetryScopedLogger scopedLogger, IServiceProvider serviceProvider, Track.IdKey idKey, bool useCustomDomain) { try { - return await trackCacheLogic.GetTrackAsync(idKey); + var track = await trackCacheLogic.GetTrackAsync(idKey); + if(track.Key.Type == TrackKeyTypes.ContainedRenewSelfSigned) + { + var containedKeyLogic = serviceProvider.GetService(); + track = await containedKeyLogic.RenewCertificateAsync(idKey, track); + + } + else if (track.Key.Type == TrackKeyTypes.KeyVaultRenewSelfSigned) + { + var externalKeyLogic = serviceProvider.GetService(); + track = await externalKeyLogic.PhasedOutExternalKeyAsync(scopedLogger, idKey, track); + } + return track; } catch (Exception ex) { diff --git a/src/FoxIDs.Shared/Infrastructure/Hosting/ServiceCollectionExtensions.cs b/src/FoxIDs.Shared/Infrastructure/Hosting/ServiceCollectionExtensions.cs index b1675dc3d..baa8b6631 100644 --- a/src/FoxIDs.Shared/Infrastructure/Hosting/ServiceCollectionExtensions.cs +++ b/src/FoxIDs.Shared/Infrastructure/Hosting/ServiceCollectionExtensions.cs @@ -24,6 +24,7 @@ public static class ServiceCollectionExtensions public static IServiceCollection AddSharedLogic(this IServiceCollection services, Settings settings) { services.AddTransient(); + services.AddTransient(); if (settings.Options.KeyStorage == KeyStorageOptions.KeyVault) { diff --git a/src/FoxIDs.Shared/Logic/Exceptions/X509Certificate2Extensions.cs b/src/FoxIDs.Shared/Logic/Exceptions/X509Certificate2Extensions.cs new file mode 100644 index 000000000..2b5001b6c --- /dev/null +++ b/src/FoxIDs.Shared/Logic/Exceptions/X509Certificate2Extensions.cs @@ -0,0 +1,19 @@ +using FoxIDs.Models; +using ITfoxtec.Identity; +using System.Threading.Tasks; + +namespace FoxIDs.Logic +{ + public static class X509Certificate2Extensions + { + public static async Task ToTrackKeyItemAsync(this CertificateItem certificateItem, bool includePrivateKey = false) + { + return new TrackKeyItem + { + Key = await certificateItem.Certificate.ToFTJsonWebKeyAsync(includePrivateKey), + NotBefore = certificateItem.NotBefore, + NotAfter = certificateItem.NotAfter + }; + } + } +} diff --git a/src/FoxIDs.Shared/Logic/ExternalKeySecret/ExternalKeyLogic.cs b/src/FoxIDs.Shared/Logic/ExternalKeySecret/ExternalKeyLogic.cs deleted file mode 100644 index decc3e14a..000000000 --- a/src/FoxIDs.Shared/Logic/ExternalKeySecret/ExternalKeyLogic.cs +++ /dev/null @@ -1,159 +0,0 @@ -using FoxIDs.Models; -using Microsoft.AspNetCore.Http; -using System.Threading.Tasks; -using System; -using Azure.Core; -using Azure.Security.KeyVault.Certificates; -using FoxIDs.Models.Config; -using ITfoxtec.Identity; -using ITfoxtec.Identity.Util; -using System.Security.Cryptography; -using RSAKeyVaultProvider; -using ITfoxtec.Identity.Models; -using FoxIDs.Infrastructure; -using System.Collections.Generic; -using System.Security.Cryptography.X509Certificates; -using System.Linq; - -namespace FoxIDs.Logic -{ - public class ExternalKeyLogic : LogicBase - { - private readonly Settings settings; - private readonly TokenCredential tokenCredential; - - public ExternalKeyLogic(Settings settings, TokenCredential tokenCredential, IHttpContextAccessor httpContextAccessor) : base(httpContextAccessor) - { - this.settings = settings; - this.tokenCredential = tokenCredential; - } - - public async Task CreateExternalKeyAsync(Track mTrack, string tenantName = null, string trackName = null, string upPartyName = null, bool autoRenew = true, int? ValidityInMonths = null) - { - tenantName = tenantName ?? RouteBinding.TenantName; - trackName = trackName ?? RouteBinding.TrackName; - var externalName = $"{tenantName}-{trackName}-{(upPartyName.IsNullOrEmpty() ? string.Empty : $"UP{upPartyName}-")}{Guid.NewGuid()}"; - externalName = externalName.Replace('_', 'U'); - - var certificatePolicy = new CertificatePolicy("self", (tenantName, trackName).GetCertificateSubject()) - { - Exportable = false, - ValidityInMonths = ValidityInMonths ?? mTrack.KeyExternalValidityInMonths - }; - certificatePolicy.KeyUsage.Add(CertificateKeyUsage.DigitalSignature); - certificatePolicy.KeyUsage.Add(CertificateKeyUsage.KeyEncipherment); - certificatePolicy.KeyUsage.Add(CertificateKeyUsage.DataEncipherment); - if (autoRenew) - { - certificatePolicy.LifetimeActions.Add(new LifetimeAction(CertificatePolicyAction.AutoRenew) - { - DaysBeforeExpiry = mTrack.KeyExternalAutoRenewDaysBeforeExpiry - }); - } - var certificateClient = new CertificateClient(new Uri(settings.KeyVault.EndpointUri), tokenCredential); - var response = await certificateClient.StartCreateCertificateAsync(externalName, certificatePolicy); - - return externalName; - } - - public async Task<(string externalName, byte[] publicCertificate, string externalId)> ImportExternalKeyAsync(byte[] certificate, string password, string tenantName = null, string trackName = null, string upPartyName = null) - { - tenantName = tenantName ?? RouteBinding.TenantName; - trackName = trackName ?? RouteBinding.TrackName; - var externalName = $"{tenantName}-{trackName}-{(upPartyName.IsNullOrEmpty() ? string.Empty : $"UP{upPartyName}-")}{Guid.NewGuid()}"; - externalName = externalName.Replace('_', 'U'); - - var importCertificateOptions = new ImportCertificateOptions(externalName, certificate) - { - Enabled = true, - Password = password - }; - - var certificateClient = new CertificateClient(new Uri(settings.KeyVault.EndpointUri), tokenCredential); - var response = await certificateClient.ImportCertificateAsync(importCertificateOptions); - - return (externalName, response.Value.Cer, response.Value.Properties.Version); - } - - public async Task DeleteExternalKeyAsync(string externalName) - { - var certificateClient = new CertificateClient(new Uri(settings.KeyVault.EndpointUri), tokenCredential); - await certificateClient.StartDeleteCertificateAsync(externalName); - } - - public RSA GetExternalRSAKey(ClientKey clientKey) - { - return GetExternalRSAKey(clientKey.ExternalName, clientKey.ExternalId, clientKey.PublicKey); - } - - public RSA GetExternalRSAKey(RouteTrackKey trackKey, RouteTrackKeyItem keyItem) - { - return GetExternalRSAKey(trackKey.ExternalName, keyItem.ExternalId, keyItem.Key); - } - - private RSA GetExternalRSAKey(string externalName, string externalId, JsonWebKey publicKey) - { - return RSAFactory.Create(tokenCredential, new Uri(UrlCombine.Combine(settings.KeyVault.EndpointUri, "keys", externalName, externalId)), new Azure.Security.KeyVault.Keys.JsonWebKey(publicKey.ToRsa())); - } - - public async Task LoadTrackKeyExternalFromKeyVaultAsync(TelemetryScopedLogger scopedLogger, Track track) - { - var now = DateTimeOffset.UtcNow; - var certificateClient = new CertificateClient(new Uri(settings.KeyVault.EndpointUri), tokenCredential); - - var externalKeys = new List<(string Id, DateTimeOffset? NotBefore)>(); - var certificateVersions = certificateClient.GetPropertiesOfCertificateVersionsAsync(track.Key.ExternalName); - await foreach (var certificateVersion in certificateVersions) - { - if (certificateVersion.Enabled == true && certificateVersion.ExpiresOn >= now) - { - externalKeys.Add((certificateVersion.Version, certificateVersion.NotBefore)); - } - } - - if (externalKeys.Count <= 0) - { - try - { - throw new Exception($"Track key external certificate '{track.Key.ExternalName}' do not exist in Key Vault, probably because it is not ready in Key Vault."); - } - catch (Exception ex) - { - scopedLogger.Warning(ex); - return null; - } - } - - var trackKeyExternal = new TrackKeyExternal(); - if (externalKeys.Count == 1) - { - trackKeyExternal.Keys = new List { new TrackKeyExternalItem { ExternalId = externalKeys.First().Id } }; - } - else - { - var topTwoExternalKeys = externalKeys.OrderByDescending(e => e.NotBefore).Take(2); - var firstExternalKey = topTwoExternalKeys.First(); - if (firstExternalKey.NotBefore <= now.AddDays(-track.KeyExternalPrimaryAfterDays)) - { - trackKeyExternal.Keys = new List { new TrackKeyExternalItem { ExternalId = firstExternalKey.Id }, new TrackKeyExternalItem { ExternalId = topTwoExternalKeys.Last().Id } }; - } - else - { - trackKeyExternal.Keys = new List { new TrackKeyExternalItem { ExternalId = topTwoExternalKeys.Last().Id }, new TrackKeyExternalItem { ExternalId = firstExternalKey.Id } }; - } - } - - foreach (var keyItem in trackKeyExternal.Keys) - { - var certificateWithPolicy = certificateClient.GetCertificateVersion(track.Key.ExternalName, keyItem.ExternalId); - var certificateRawValue = certificateWithPolicy?.Value?.Cer; - if (certificateRawValue == null) - { - throw new Exception($"Track key external certificate '{track.Key.ExternalName}' version '{keyItem.ExternalId}' from Key Vault is null."); - } - keyItem.Key = await new X509Certificate2(certificateRawValue).ToFTJsonWebKeyAsync(); - } - return trackKeyExternal; - } - } -} diff --git a/src/FoxIDs.Shared/Logic/Keys/ContainedKeyLogic.cs b/src/FoxIDs.Shared/Logic/Keys/ContainedKeyLogic.cs new file mode 100644 index 000000000..8da44629a --- /dev/null +++ b/src/FoxIDs.Shared/Logic/Keys/ContainedKeyLogic.cs @@ -0,0 +1,85 @@ +using FoxIDs.Models; +using FoxIDs.Repository; +using Microsoft.AspNetCore.Http; +using System; +using System.Collections.Generic; +using System.Threading.Tasks; + +namespace FoxIDs.Logic +{ + public class ContainedKeyLogic : LogicBase + { + private readonly ITenantDataRepository tenantDataRepository; + private readonly TrackCacheLogic trackCacheLogic; + + public ContainedKeyLogic(ITenantDataRepository tenantDataRepository, TrackCacheLogic trackCacheLogic, IHttpContextAccessor httpContextAccessor) : base(httpContextAccessor) + { + this.tenantDataRepository = tenantDataRepository; + this.trackCacheLogic = trackCacheLogic; + } + + public async Task RenewCertificateAsync(Track.IdKey idKey, Track track) + { + var utcNow = DateTimeOffset.UtcNow; + + if (track.Key.Keys[0].NotAfter < utcNow.AddDays(1).ToUnixTimeSeconds()) + { + // new key + track.Key.Keys = new List + { + await GetNewTrackKeyItemAsync(idKey, track) + }; + await tenantDataRepository.UpdateAsync(track); + await trackCacheLogic.InvalidateTrackCacheAsync(idKey); + } + else + { + if (track.Key.Keys.Count == 1) + { + if (track.Key.Keys[0].NotAfter < utcNow.AddDays(track.KeyAutoRenewDaysBeforeExpiry).ToUnixTimeSeconds()) + { + track.Key.Keys.Add(await GetNewTrackKeyItemAsync(idKey, track)); + await tenantDataRepository.UpdateAsync(track); + await trackCacheLogic.InvalidateTrackCacheAsync(idKey); + } + } + else if (track.Key.Keys.Count > 1) + { + if (track.Key.Keys[1].NotBefore < utcNow.AddDays(-track.KeyPrimaryAfterDays).ToUnixTimeSeconds()) + { + if (track.Key.Keys[1].NotAfter < utcNow.AddDays(1).ToUnixTimeSeconds()) + { + // new key if only valid for one more day + track.Key.Keys = new List + { + await GetNewTrackKeyItemAsync(idKey, track) + }; + } + else + { + //swap keys + track.Key.Keys = new List + { + track.Key.Keys[1] + }; + } + await tenantDataRepository.UpdateAsync(track); + await trackCacheLogic.InvalidateTrackCacheAsync(idKey); + } + } + else + { + throw new InvalidOperationException(); + } + } + + return track; + } + + private async Task GetNewTrackKeyItemAsync(Track.IdKey idKey, Track track) + { + var newCertificateItem = await (idKey.TenantName, idKey.TrackName).CreateSelfSignedCertificateBySubjectAsync(track.KeyValidityInMonths); + return await newCertificateItem.ToTrackKeyItemAsync(true); + } + } +} diff --git a/src/FoxIDs.Shared/Logic/Keys/ExternalKeyLogic.cs b/src/FoxIDs.Shared/Logic/Keys/ExternalKeyLogic.cs new file mode 100644 index 000000000..45633ee24 --- /dev/null +++ b/src/FoxIDs.Shared/Logic/Keys/ExternalKeyLogic.cs @@ -0,0 +1,241 @@ +using FoxIDs.Models; +using Microsoft.AspNetCore.Http; +using System.Threading.Tasks; +using System; +using Azure.Core; +using Azure.Security.KeyVault.Certificates; +using FoxIDs.Models.Config; +using ITfoxtec.Identity; +using ITfoxtec.Identity.Util; +using System.Security.Cryptography; +using RSAKeyVaultProvider; +using ITfoxtec.Identity.Models; +using FoxIDs.Infrastructure; +using System.Collections.Generic; +using System.Security.Cryptography.X509Certificates; +using System.Linq; +using FoxIDs.Repository; +using FoxIDs.Logic.Caches.Providers; +using Azure.Security.KeyVault.Secrets; + +namespace FoxIDs.Logic +{ + public class ExternalKeyLogic : LogicBase + { + private readonly Settings settings; + private readonly ICacheProvider cacheProvider; + private readonly ITenantDataRepository tenantDataRepository; + private readonly TrackCacheLogic trackCacheLogic; + private readonly TokenCredential tokenCredential; + + public ExternalKeyLogic(Settings settings, ICacheProvider cacheProvider, ITenantDataRepository tenantDataRepository, TrackCacheLogic trackCacheLogic, TokenCredential tokenCredential, IHttpContextAccessor httpContextAccessor) : base(httpContextAccessor) + { + this.settings = settings; + this.cacheProvider = cacheProvider; + this.tenantDataRepository = tenantDataRepository; + this.trackCacheLogic = trackCacheLogic; + this.tokenCredential = tokenCredential; + } + + public async Task DeleteExternalKeyAsync(string externalName) + { + var certificateClient = new CertificateClient(new Uri(settings.KeyVault.EndpointUri), tokenCredential); + await certificateClient.StartDeleteCertificateAsync(externalName); + } + + public RSA GetExternalRSAKey(RouteTrackKey trackKey, RouteTrackKeyItem keyItem) + { + return GetExternalRSAKey(trackKey.ExternalName, keyItem.ExternalId, keyItem.Key); + } + + private RSA GetExternalRSAKey(string externalName, string externalId, JsonWebKey publicKey) + { + return RSAFactory.Create(tokenCredential, new Uri(UrlCombine.Combine(settings.KeyVault.EndpointUri, "keys", externalName, externalId)), new Azure.Security.KeyVault.Keys.JsonWebKey(publicKey.ToRsa())); + } + + public async Task GetExternalKeyAsync(ClientKey clientKey) + { + var secretClient = new SecretClient(new Uri(settings.KeyVault.EndpointUri), tokenCredential); + KeyVaultSecret keyVaultSecret = secretClient.GetSecret(clientKey.ExternalName); + var certificate = new X509Certificate2(Convert.FromBase64String(keyVaultSecret.Value), string.Empty, keyStorageFlags: X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable); + if (certificate == null) + { + throw new Exception($"External client key certificate '{clientKey.ExternalName}' from Key Vault is null."); + } + return await certificate.ToFTJsonWebKeyAsync(true); + } + + public async Task GetTrackKeyItemsAsync(TelemetryScopedLogger scopedLogger, string tenantName, string trackName, Track track) + { + var key = CacheTrackKeyExternalKey(tenantName, trackName, track.Key.ExternalName); + + var trackKeyExternalValue = await cacheProvider.GetAsync(key); + if (!trackKeyExternalValue.IsNullOrEmpty()) + { + return trackKeyExternalValue.ToObject(); + } + + var trackKeyExternal = await LoadTrackKeyExternalFromKeyVaultAsync(scopedLogger, track); + if (trackKeyExternal != null) + { + await cacheProvider.SetAsync(key, trackKeyExternal.ToJson(), track.KeyExternalCacheLifetime); + } + return trackKeyExternal; + } + + private string CacheTrackKeyExternalKey(string tenantName, string trackName, string name) + { + return $"track_key_ext_{tenantName}_{trackName}_{name}"; + } + + private async Task LoadTrackKeyExternalFromKeyVaultAsync(TelemetryScopedLogger scopedLogger, Track track) + { + var now = DateTimeOffset.UtcNow; + var certificateClient = new CertificateClient(new Uri(settings.KeyVault.EndpointUri), tokenCredential); + + var externalKeys = new List<(string Id, DateTimeOffset? NotBefore)>(); + var certificateVersions = certificateClient.GetPropertiesOfCertificateVersionsAsync(track.Key.ExternalName); + await foreach (var certificateVersion in certificateVersions) + { + if (certificateVersion.Enabled == true && certificateVersion.ExpiresOn >= now) + { + externalKeys.Add((certificateVersion.Version, certificateVersion.NotBefore)); + } + } + + if (externalKeys.Count <= 0) + { + try + { + throw new Exception($"Track key external certificate '{track.Key.ExternalName}' do not exist in Key Vault, probably because it is not ready in Key Vault."); + } + catch (Exception ex) + { + scopedLogger.Warning(ex); + return null; + } + } + + var trackKeyExternal = new TrackKeyExternal(); + if (externalKeys.Count == 1) + { + trackKeyExternal.Keys = new List { new TrackKeyExternalItem { ExternalId = externalKeys.First().Id } }; + } + else + { + var topTwoExternalKeys = externalKeys.OrderByDescending(e => e.NotBefore).Take(2); + var firstExternalKey = topTwoExternalKeys.First(); + if (firstExternalKey.NotBefore <= now.AddDays(-track.KeyPrimaryAfterDays)) + { + trackKeyExternal.Keys = new List { new TrackKeyExternalItem { ExternalId = firstExternalKey.Id }, new TrackKeyExternalItem { ExternalId = topTwoExternalKeys.Last().Id } }; + } + else + { + trackKeyExternal.Keys = new List { new TrackKeyExternalItem { ExternalId = topTwoExternalKeys.Last().Id }, new TrackKeyExternalItem { ExternalId = firstExternalKey.Id } }; + } + } + + foreach (var keyItem in trackKeyExternal.Keys) + { + var certificateWithPolicy = certificateClient.GetCertificateVersion(track.Key.ExternalName, keyItem.ExternalId); + var certificateRawValue = certificateWithPolicy?.Value?.Cer; + if (certificateRawValue == null) + { + throw new Exception($"Track key external certificate '{track.Key.ExternalName}' version '{keyItem.ExternalId}' from Key Vault is null."); + } + keyItem.Key = await new X509Certificate2(certificateRawValue).ToFTJsonWebKeyAsync(); + } + + return trackKeyExternal; + } + + public async Task PhasedOutExternalKeyAsync(TelemetryScopedLogger scopedLogger, Track.IdKey idKey, Track track) + { + if(!track.Key.ExternalName.IsNullOrWhiteSpace()) + { + var trackKeyExternal = await GetTrackKeyItemsAsync(scopedLogger, idKey.TenantName, idKey.TrackName, track); + if (trackKeyExternal == null) + { + // new key and type + track.Key = new TrackKey() + { + Type = TrackKeyTypes.ContainedRenewSelfSigned, + Keys = new List + { + await GetNewTrackKeyItemAsync(idKey, track) + } + }; + await tenantDataRepository.UpdateAsync(track); + await trackCacheLogic.InvalidateTrackCacheAsync(idKey); + } + else if (track.Key.Keys == null) + { + if (trackKeyExternal.Keys.Count == 1) + { + var newCertificateItem = await (idKey.TenantName, idKey.TrackName).CreateSelfSignedCertificateBySubjectAsync(track.KeyValidityInMonths); + track.Key.Keys = new List + { + await newCertificateItem.ToTrackKeyItemAsync(true) + }; + await tenantDataRepository.UpdateAsync(track); + await trackCacheLogic.InvalidateTrackCacheAsync(idKey); + } + } + else + { + var utcNow = DateTimeOffset.UtcNow; + if (track.Key.Keys[0].NotBefore < utcNow.AddDays(-(track.KeyPrimaryAfterDays - 2)).ToUnixTimeSeconds()) + { + var externalName = track.Key.ExternalName; + if (track.Key.Keys[0].NotAfter < utcNow.AddDays(1).ToUnixTimeSeconds()) + { + // new key and type if only valid for one more day + track.Key = new TrackKey() + { + Type = TrackKeyTypes.ContainedRenewSelfSigned, + Keys = new List + { + await GetNewTrackKeyItemAsync(idKey, track) + } + }; + } + else + { + // change container type + track.Key.Type = TrackKeyTypes.ContainedRenewSelfSigned; + track.Key.ExternalName = null; + } + await tenantDataRepository.UpdateAsync(track); + await trackCacheLogic.InvalidateTrackCacheAsync(idKey); + + await DeleteExternalKeyAsync(externalName); + } + } + } + + return track; + } + + private async Task GetNewTrackKeyItemAsync(Track.IdKey idKey, Track track) + { + var newCertificateItem = await (idKey.TenantName, idKey.TrackName).CreateSelfSignedCertificateBySubjectAsync(track.KeyValidityInMonths); + return await newCertificateItem.ToTrackKeyItemAsync(true); + } + + public async Task PhasedOutExternalClientKeyAsync(TParty party) where TParty : OidcUpParty where TClient : OidcUpClient + { + foreach (var clientKey in party.Client.ClientKeys) + { + if(clientKey.Type == ClientKeyTypes.KeyVaultImport) + { + clientKey.Type = ClientKeyTypes.Contained; + clientKey.Key = await GetExternalKeyAsync(clientKey); + clientKey.ExternalId = null; + + await tenantDataRepository.UpdateAsync(party); + await DeleteExternalKeyAsync(clientKey.ExternalName); + } + } + } + } +} diff --git a/src/FoxIDs.Shared/Logic/ExternalKeySecret/ExternalSecretLogic.cs b/src/FoxIDs.Shared/Logic/Keys/ExternalSecretLogic.cs similarity index 62% rename from src/FoxIDs.Shared/Logic/ExternalKeySecret/ExternalSecretLogic.cs rename to src/FoxIDs.Shared/Logic/Keys/ExternalSecretLogic.cs index f73fb5b1b..dccf8959d 100644 --- a/src/FoxIDs.Shared/Logic/ExternalKeySecret/ExternalSecretLogic.cs +++ b/src/FoxIDs.Shared/Logic/Keys/ExternalSecretLogic.cs @@ -19,26 +19,6 @@ public ExternalSecretLogic(Settings settings, TokenCredential tokenCredential, I this.tokenCredential = tokenCredential; } - public async Task SetExternalSecretByNameAsync(string name, string value) - { - var externalName = $"{name}-{Guid.NewGuid()}"; - - var keyVaultSecret = new KeyVaultSecret(GetExternalFullName(externalName), value); - var secretClient = new SecretClient(new Uri(settings.KeyVault.EndpointUri), tokenCredential); - await secretClient.SetSecretAsync(keyVaultSecret); - - return externalName; - } - - public async Task SetExternalSecretByExternalNameAsync(string externalName, string value) - { - var keyVaultSecret = new KeyVaultSecret(externalName, value); - var secretClient = new SecretClient(new Uri(settings.KeyVault.EndpointUri), tokenCredential); - await secretClient.SetSecretAsync(keyVaultSecret); - - return externalName; - } - public async Task GetExternalSecretAsync(string externalName) { var secretClient = new SecretClient(new Uri(settings.KeyVault.EndpointUri), tokenCredential); diff --git a/src/FoxIDs.Shared/Logic/MasterTenantLogic.cs b/src/FoxIDs.Shared/Logic/MasterTenantLogic.cs index d46967cbc..7fd12fee3 100644 --- a/src/FoxIDs.Shared/Logic/MasterTenantLogic.cs +++ b/src/FoxIDs.Shared/Logic/MasterTenantLogic.cs @@ -28,7 +28,7 @@ public MasterTenantLogic(ITenantDataRepository tenantDataRepository, BaseAccount this.downPartyCacheLogic = downPartyCacheLogic; } - public async Task CreateMasterTrackDocumentAsync(string tenantName, TrackKeyTypes keyType) + public async Task CreateMasterTrackDocumentAsync(string tenantName) { tenantName = tenantName?.ToLower(); var trackName = Constants.Routes.MasterTrackName; @@ -47,16 +47,16 @@ public async Task CreateMasterTrackDocumentAsync(string tenantName, TrackKeyType }; await mTrack.SetIdAsync(new Track.IdKey { TenantName = tenantName, TrackName = trackName }); - await trackLogic.CreateTrackDocumentAsync(mTrack, keyType, tenantName, trackName); + await trackLogic.CreateTrackDocumentAsync(mTrack, tenantName, trackName); } - public async Task CreateTrackDocumentAsync(string tenantName, Track mTrack, TrackKeyTypes keyType) + public async Task CreateTrackDocumentAsync(string tenantName, Track mTrack) { tenantName = tenantName?.ToLower(); await mTrack.SetIdAsync(new Track.IdKey { TenantName = tenantName, TrackName = mTrack.Name }); - await trackLogic.CreateTrackDocumentAsync(mTrack, keyType, tenantName, mTrack.Name); + await trackLogic.CreateTrackDocumentAsync(mTrack, tenantName, mTrack.Name); } public async Task CreateMasterLoginDocumentAsync(string tenantName) @@ -251,20 +251,20 @@ private IEnumerable GetControlClientRedirectUris(string tenantName, stri yield return UrlCombine.Combine(baseUrl, tenantName, "authentication/logout_callback"); } - public async Task CreateDefaultTracksDocmentsAsync(string tenantName, TrackKeyTypes trackKeyTypes) + public async Task CreateDefaultTracksDocmentsAsync(string tenantName) { - await CreateTrackDocumentsAsync(tenantName, Constants.TrackDefaults.DefaultTrackTestDisplayName, Constants.TrackDefaults.DefaultTrackTestName, trackKeyTypes); - await CreateTrackDocumentsAsync(tenantName, Constants.TrackDefaults.DefaultTrackProductionDisplayName, Constants.TrackDefaults.DefaultTrackProductionName, trackKeyTypes); + await CreateTrackDocumentsAsync(tenantName, Constants.TrackDefaults.DefaultTrackTestDisplayName, Constants.TrackDefaults.DefaultTrackTestName); + await CreateTrackDocumentsAsync(tenantName, Constants.TrackDefaults.DefaultTrackProductionDisplayName, Constants.TrackDefaults.DefaultTrackProductionName); } - private async Task CreateTrackDocumentsAsync(string tenantName, string trackDisplayName, string trackName, TrackKeyTypes keyType) + private async Task CreateTrackDocumentsAsync(string tenantName, string trackDisplayName, string trackName) { var mTrack = new Track { DisplayName = trackDisplayName, Name = trackName?.ToLower() }; - await CreateTrackDocumentAsync(tenantName, mTrack, keyType); + await CreateTrackDocumentAsync(tenantName, mTrack); await CreateLoginDocumentAsync(tenantName, mTrack.Name); } } diff --git a/src/FoxIDs.Shared/Logic/Tracks/TrackLogic.cs b/src/FoxIDs.Shared/Logic/Tracks/TrackLogic.cs index 7a5d7605a..2fa2ccb91 100644 --- a/src/FoxIDs.Shared/Logic/Tracks/TrackLogic.cs +++ b/src/FoxIDs.Shared/Logic/Tracks/TrackLogic.cs @@ -1,9 +1,6 @@ using FoxIDs.Models; using FoxIDs.Repository; -using ITfoxtec.Identity; using Microsoft.AspNetCore.Http; -using Microsoft.Extensions.DependencyInjection; -using System; using System.Collections.Generic; using System.Threading.Tasks; @@ -11,42 +8,28 @@ namespace FoxIDs.Logic { public class TrackLogic : LogicBase { - private readonly IServiceProvider serviceProvider; private readonly ITenantDataRepository tenantDataRepository; private readonly TrackCacheLogic trackCacheLogic; private readonly UpPartyCacheLogic upPartyCacheLogic; - public TrackLogic(IServiceProvider serviceProvider, ITenantDataRepository tenantDataRepository, TrackCacheLogic trackCacheLogic, UpPartyCacheLogic upPartyCacheLogic, IHttpContextAccessor httpContextAccessor) : base(httpContextAccessor) + public TrackLogic(ITenantDataRepository tenantDataRepository, TrackCacheLogic trackCacheLogic, UpPartyCacheLogic upPartyCacheLogic, IHttpContextAccessor httpContextAccessor) : base(httpContextAccessor) { - this.serviceProvider = serviceProvider; this.tenantDataRepository = tenantDataRepository; this.trackCacheLogic = trackCacheLogic; this.upPartyCacheLogic = upPartyCacheLogic; } - public async Task CreateTrackDocumentAsync(Track mTrack, TrackKeyTypes keyType, string tenantName = null, string trackName = null) + public async Task CreateTrackDocumentAsync(Track mTrack, string tenantName = null, string trackName = null) { - if (keyType == TrackKeyTypes.Contained) + var certificateItem = await (tenantName ?? RouteBinding.TenantName, mTrack.Name).CreateSelfSignedCertificateBySubjectAsync(mTrack.KeyValidityInMonths); + mTrack.Key = new TrackKey() { - var certificate = await (tenantName ?? RouteBinding.TenantName, mTrack.Name).CreateSelfSignedCertificateBySubjectAsync(); - mTrack.Key = new TrackKey() + Type = TrackKeyTypes.ContainedRenewSelfSigned, + Keys = new List { - Type = keyType, - Keys = new List { new TrackKeyItem { Key = await certificate.ToFTJsonWebKeyAsync(true) } } - }; - } - else if (keyType == TrackKeyTypes.KeyVaultRenewSelfSigned) - { - mTrack.Key = new TrackKey() - { - Type = keyType, - ExternalName = await serviceProvider.GetService().CreateExternalKeyAsync(mTrack, tenantName, trackName) - }; - } - else - { - throw new NotSupportedException($"Track key type '{keyType}' not supported."); - } + await certificateItem.ToTrackKeyItemAsync(true) + } + }; await tenantDataRepository.CreateAsync(mTrack); diff --git a/src/FoxIDs.Shared/Models/Parties/ClientKey.cs b/src/FoxIDs.Shared/Models/Parties/ClientKey.cs index 8b2b3f2e0..e4b66de2a 100644 --- a/src/FoxIDs.Shared/Models/Parties/ClientKey.cs +++ b/src/FoxIDs.Shared/Models/Parties/ClientKey.cs @@ -31,12 +31,12 @@ public IEnumerable Validate(ValidationContext validationContex var results = new List(); if (Type == ClientKeyTypes.KeyVaultImport && ExternalId.IsNullOrWhiteSpace()) { - results.Add(new ValidationResult($"The field {nameof(ExternalId)} is required for key type '{Type}'.", new[] { nameof(ExternalId) })); + results.Add(new ValidationResult($"The field {nameof(ExternalId)} is required for key type '{Type}'.", [nameof(ExternalId)])); } if (Type == ClientKeyTypes.Contained && Key == null) { - results.Add(new ValidationResult($"The field {nameof(Key)} is required for key type '{Type}'.", new[] { nameof(Key) })); + results.Add(new ValidationResult($"The field {nameof(Key)} is required for key type '{Type}'.", [nameof(Key)])); } return results; diff --git a/src/FoxIDs.Shared/Models/Parties/ClientKeyTypes.cs b/src/FoxIDs.Shared/Models/Parties/ClientKeyTypes.cs index afbcde161..20d5579b1 100644 --- a/src/FoxIDs.Shared/Models/Parties/ClientKeyTypes.cs +++ b/src/FoxIDs.Shared/Models/Parties/ClientKeyTypes.cs @@ -1,4 +1,5 @@ -using System.Runtime.Serialization; +using System; +using System.Runtime.Serialization; namespace FoxIDs.Models { @@ -6,6 +7,7 @@ public enum ClientKeyTypes { [EnumMember(Value = "contained")] Contained = 0, + [Obsolete("KeyVault is phased out.")] [EnumMember(Value = "key_vault_upload")] KeyVaultImport = 20, } diff --git a/src/FoxIDs.Shared/Models/Tracks/CertificateItem.cs b/src/FoxIDs.Shared/Models/Tracks/CertificateItem.cs new file mode 100644 index 000000000..ca95b5b9f --- /dev/null +++ b/src/FoxIDs.Shared/Models/Tracks/CertificateItem.cs @@ -0,0 +1,13 @@ +using System.Security.Cryptography.X509Certificates; + +namespace FoxIDs.Models +{ + public class CertificateItem + { + public X509Certificate2 Certificate { get; set; } + + public long NotBefore { get; set; } + + public long NotAfter { get; set; } + } +} diff --git a/src/FoxIDs.Shared/Models/Tracks/Track.cs b/src/FoxIDs.Shared/Models/Tracks/Track.cs index a845d39cc..5f09c2919 100644 --- a/src/FoxIDs.Shared/Models/Tracks/Track.cs +++ b/src/FoxIDs.Shared/Models/Tracks/Track.cs @@ -43,17 +43,17 @@ public static async Task IdFormatAsync(RouteBinding routeBinding, string [JsonProperty(PropertyName = "key")] public TrackKey Key { get; set; } - [Range(Constants.Models.Track.KeyExternalValidityInMonthsMin, Constants.Models.Track.KeyExternalValidityInMonthsMax)] - [JsonProperty(PropertyName = "key_external_validity_in_months")] - public int KeyExternalValidityInMonths { get; set; } = 3; + [Range(Constants.Models.Track.KeyValidityInMonthsMin, Constants.Models.Track.KeyValidityInMonthsMax)] + [JsonProperty(PropertyName = "key_validity_in_months")] + public int KeyValidityInMonths { get; set; } = 3; - [Range(Constants.Models.Track.KeyExternalAutoRenewDaysBeforeExpiryMin, Constants.Models.Track.KeyExternalAutoRenewDaysBeforeExpiryMax)] - [JsonProperty(PropertyName = "key_external_auto_renew_days_before_expiry")] - public int KeyExternalAutoRenewDaysBeforeExpiry { get; set; } = 10; + [Range(Constants.Models.Track.KeyAutoRenewDaysBeforeExpiryMin, Constants.Models.Track.KeyAutoRenewDaysBeforeExpiryMax)] + [JsonProperty(PropertyName = "key_auto_renew_days_before_expiry")] + public int KeyAutoRenewDaysBeforeExpiry { get; set; } = 10; - [Range(Constants.Models.Track.KeyExternalPrimaryAfterDaysMin, Constants.Models.Track.KeyExternalPrimaryAfterDaysMax)] - [JsonProperty(PropertyName = "key_external_primary_after_days")] - public int KeyExternalPrimaryAfterDays { get; set; } = 5; + [Range(Constants.Models.Track.KeyPrimaryAfterDaysMin, Constants.Models.Track.KeyPrimaryAfterDaysMax)] + [JsonProperty(PropertyName = "key_primary_after_days")] + public int KeyPrimaryAfterDays { get; set; } = 5; [Range(Constants.Models.Track.KeyExternalCacheLifetimeMin, Constants.Models.Track.KeyExternalCacheLifetimeMax)] [JsonProperty(PropertyName = "key_external_cache_lifetime")] diff --git a/src/FoxIDs.Shared/Models/Tracks/TrackKey.cs b/src/FoxIDs.Shared/Models/Tracks/TrackKey.cs index 707384377..b56fa4a1d 100644 --- a/src/FoxIDs.Shared/Models/Tracks/TrackKey.cs +++ b/src/FoxIDs.Shared/Models/Tracks/TrackKey.cs @@ -24,20 +24,16 @@ public IEnumerable Validate(ValidationContext validationContex var results = new List(); if (Type == TrackKeyTypes.KeyVaultRenewSelfSigned && ExternalName.IsNullOrWhiteSpace()) { - results.Add(new ValidationResult($"The field {nameof(ExternalName)} is required for environment key type '{Type}'.", new[] { nameof(ExternalName) })); + results.Add(new ValidationResult($"The field {nameof(ExternalName)} is required for environment key type '{Type}'.", [nameof(ExternalName)])); } else if(Type != TrackKeyTypes.KeyVaultRenewSelfSigned && !ExternalName.IsNullOrWhiteSpace()) { - results.Add(new ValidationResult($"The field {nameof(ExternalName)} is not supported for environment key type '{Type}'.", new[] { nameof(ExternalName) })); + results.Add(new ValidationResult($"The field {nameof(ExternalName)} is not supported for environment key type '{Type}'.", [nameof(ExternalName)])); } - if(Type == TrackKeyTypes.Contained && Keys?.Count < 1) + if(Type != TrackKeyTypes.KeyVaultRenewSelfSigned && Keys?.Count < 1) { - results.Add(new ValidationResult($"The field {nameof(Keys)} required at least one element for environment key type '{Type}'.", new[] { nameof(Keys) })); - } - else if (Type != TrackKeyTypes.Contained && Keys?.Count > 0) - { - results.Add(new ValidationResult($"The field {nameof(Keys)} is not supported for environment key type '{Type}'.", new[] { nameof(Keys) })); + results.Add(new ValidationResult($"The field {nameof(Keys)} required at least one element for environment key type '{Type}'.", [nameof(Keys)])); } return results; diff --git a/src/FoxIDs.Shared/Models/Tracks/TrackKeyItem.cs b/src/FoxIDs.Shared/Models/Tracks/TrackKeyItem.cs index d27440646..410d34ed8 100644 --- a/src/FoxIDs.Shared/Models/Tracks/TrackKeyItem.cs +++ b/src/FoxIDs.Shared/Models/Tracks/TrackKeyItem.cs @@ -9,5 +9,11 @@ public class TrackKeyItem [Required] [JsonProperty(PropertyName = "key")] public JsonWebKey Key { get; set; } + + [JsonProperty(PropertyName = "not_before")] + public long NotBefore { get; set; } + + [JsonProperty(PropertyName = "not_after")] + public long NotAfter { get; set; } } } diff --git a/src/FoxIDs.Shared/Models/Tracks/TrackKeyTypes.cs b/src/FoxIDs.Shared/Models/Tracks/TrackKeyTypes.cs index e242243e2..9f2274eed 100644 --- a/src/FoxIDs.Shared/Models/Tracks/TrackKeyTypes.cs +++ b/src/FoxIDs.Shared/Models/Tracks/TrackKeyTypes.cs @@ -1,4 +1,5 @@ -using System.Runtime.Serialization; +using System; +using System.Runtime.Serialization; namespace FoxIDs.Models { @@ -6,9 +7,10 @@ public enum TrackKeyTypes { [EnumMember(Value = "contained")] Contained = 0, + [Obsolete("KeyVault is phased out.")] [EnumMember(Value = "key_vault_renew_self_signed")] KeyVaultRenewSelfSigned = 1, - [EnumMember(Value = "key_vault_upload")] - KeyVaultImport = 2, + [EnumMember(Value = "contained_renew_self_signed")] + ContainedRenewSelfSigned = 10 } } diff --git a/src/FoxIDs.SharedBase/Constants.cs b/src/FoxIDs.SharedBase/Constants.cs index 52400a55e..c01f8af63 100644 --- a/src/FoxIDs.SharedBase/Constants.cs +++ b/src/FoxIDs.SharedBase/Constants.cs @@ -339,12 +339,12 @@ public static class Track public const int KeysMin = 0; public const int KeysMax = 2; - public const int KeyExternalValidityInMonthsMin = 1; - public const int KeyExternalValidityInMonthsMax = 12; - public const int KeyExternalAutoRenewDaysBeforeExpiryMin = 4; - public const int KeyExternalAutoRenewDaysBeforeExpiryMax = 30; - public const int KeyExternalPrimaryAfterDaysMin = 2; - public const int KeyExternalPrimaryAfterDaysMax = 20; + public const int KeyValidityInMonthsMin = 1; + public const int KeyValidityInMonthsMax = 12; + public const int KeyAutoRenewDaysBeforeExpiryMin = 4; + public const int KeyAutoRenewDaysBeforeExpiryMax = 30; + public const int KeyPrimaryAfterDaysMin = 2; + public const int KeyPrimaryAfterDaysMax = 20; public const int KeyExternalCacheLifetimeMin = 3600; public const int KeyExternalCacheLifetimeMax = 86400; diff --git a/src/FoxIDs.SharedBase/FoxIDs.SharedBase.csproj b/src/FoxIDs.SharedBase/FoxIDs.SharedBase.csproj index b06b7538b..6ab33eaf4 100644 --- a/src/FoxIDs.SharedBase/FoxIDs.SharedBase.csproj +++ b/src/FoxIDs.SharedBase/FoxIDs.SharedBase.csproj @@ -2,7 +2,7 @@ net8.0 - 1.7.3 + 1.8.0 FoxIDs Anders Revsgaard ITfoxtec @@ -10,7 +10,7 @@ - + diff --git a/src/FoxIDs/Controllers/MfaController.cs b/src/FoxIDs/Controllers/MfaController.cs index e807dc31a..f5d0b406b 100644 --- a/src/FoxIDs/Controllers/MfaController.cs +++ b/src/FoxIDs/Controllers/MfaController.cs @@ -168,7 +168,7 @@ public async Task RecCodeTwoFactor(RecoveryCodeTwoFactorViewModel logger.ScopeTrace(() => "Two factor recovery code post."); - var user = await accountTwoFactorLogic.SetTwoFactorAppSecretUser(sequenceData.Email, sequenceData.TwoFactorAppNewSecret, sequenceData.TwoFactorAppSecretOrExtName, sequenceData.TwoFactorAppRecoveryCode); + var user = await accountTwoFactorLogic.SetTwoFactorAppSecretUser(sequenceData.Email, sequenceData.TwoFactorAppNewSecret, sequenceData.TwoFactorAppRecoveryCode); var authMethods = sequenceData.AuthMethods.ConcatOnce(new[] { IdentityConstants.AuthenticationMethodReferenceValues.Otp, IdentityConstants.AuthenticationMethodReferenceValues.Mfa }); return await loginPageLogic.LoginResponseSequenceAsync(sequenceData, loginUpParty, user, authMethods: authMethods, fromStep: LoginResponseSequenceSteps.FromLoginResponseStep); } @@ -271,7 +271,7 @@ public async Task TwoFactor(TwoFactorViewModel registerTwoFactor) { try { - await accountTwoFactorLogic.ValidateTwoFactorByExternalSecretAsync(sequenceData.Email, sequenceData.TwoFactorAppSecretOrExtName, registerTwoFactor.AppCode); + await accountTwoFactorLogic.ValidateTwoFactorBySecretAsync(sequenceData.Email, sequenceData.TwoFactorAppSecret, registerTwoFactor.AppCode); var user = await accountLogic.GetUserAsync(sequenceData.Email); var authMethods = sequenceData.AuthMethods.ConcatOnce(new[] { IdentityConstants.AuthenticationMethodReferenceValues.Otp, IdentityConstants.AuthenticationMethodReferenceValues.Mfa }); diff --git a/src/FoxIDs/FoxIDs.csproj b/src/FoxIDs/FoxIDs.csproj index 5bec9d62b..e6467a9ef 100644 --- a/src/FoxIDs/FoxIDs.csproj +++ b/src/FoxIDs/FoxIDs.csproj @@ -1,7 +1,7 @@  net8.0 - 1.7.3 + 1.8.0 FoxIDs Anders Revsgaard ITfoxtec diff --git a/src/FoxIDs/Logic/Login/LoginPageLogic.cs b/src/FoxIDs/Logic/Login/LoginPageLogic.cs index 00677d23b..cc122dbe0 100644 --- a/src/FoxIDs/Logic/Login/LoginPageLogic.cs +++ b/src/FoxIDs/Logic/Login/LoginPageLogic.cs @@ -14,6 +14,7 @@ using FoxIDs.Models.Logic; using FoxIDs.Models.Config; using Microsoft.Extensions.DependencyInjection; +using FoxIDs.Repository; namespace FoxIDs.Logic { @@ -98,17 +99,22 @@ public async Task LoginResponseSequenceAsync(LoginUpSequenceData } else { - if (settings.Options.KeyStorage == KeyStorageOptions.None) + if (!user.TwoFactorAppSecret.IsNullOrWhiteSpace()) { - sequenceData.TwoFactorAppSecretOrExtName = user.TwoFactorAppSecret; + sequenceData.TwoFactorAppSecret = user.TwoFactorAppSecret; } else if (settings.Options.KeyStorage == KeyStorageOptions.KeyVault) { - sequenceData.TwoFactorAppSecretOrExtName = user.TwoFactorAppSecretExternalName; - } - else - { - throw new NotSupportedException(); + var externalSecretLogic = serviceProvider.GetService(); + sequenceData.TwoFactorAppSecret = user.TwoFactorAppSecret = await externalSecretLogic.GetExternalSecretAsync(user.TwoFactorAppSecretExternalName); + if (sequenceData.TwoFactorAppSecret.IsNullOrWhiteSpace()) + { + throw new InvalidOperationException($"Unable to get external secret from Key Vault, {nameof(user.TwoFactorAppSecretExternalName)} '{user.TwoFactorAppSecretExternalName}'."); + } + await externalSecretLogic.DeleteExternalSecretAsync(user.TwoFactorAppSecretExternalName); + user.TwoFactorAppSecretExternalName = null; + var tenantDataRepository = serviceProvider.GetService(); + await tenantDataRepository.SaveAsync(user); } sequenceData.TwoFactorAppState = TwoFactorAppSequenceStates.Validate; await sequenceLogic.SaveSequenceDataAsync(sequenceData); @@ -123,17 +129,20 @@ public async Task LoginResponseSequenceAsync(LoginUpSequenceData private bool RegisterTwoFactor(User user) { - if (settings.Options.KeyStorage == KeyStorageOptions.None) + if (user.TwoFactorAppSecret.IsNullOrEmpty()) { - return user.TwoFactorAppSecret.IsNullOrEmpty(); - } - else if (settings.Options.KeyStorage == KeyStorageOptions.KeyVault) - { - return user.TwoFactorAppSecretExternalName.IsNullOrEmpty(); + if (settings.Options.KeyStorage == KeyStorageOptions.KeyVault) + { + return user.TwoFactorAppSecretExternalName.IsNullOrEmpty(); + } + else + { + return true; + } } else { - throw new NotSupportedException(); + return false; } } diff --git a/src/FoxIDs/Logic/Oidc/ClientKeySecretLogic.cs b/src/FoxIDs/Logic/Oidc/ClientKeySecretLogic.cs index bbcf44727..44625cf1f 100644 --- a/src/FoxIDs/Logic/Oidc/ClientKeySecretLogic.cs +++ b/src/FoxIDs/Logic/Oidc/ClientKeySecretLogic.cs @@ -4,18 +4,13 @@ using Microsoft.IdentityModel.Tokens; using ITfoxtec.Identity; using System.Linq; -using Microsoft.Extensions.DependencyInjection; namespace FoxIDs.Logic { public class ClientKeySecretLogic : LogicSequenceBase where TClient : OAuthUpClient { - private readonly IServiceProvider serviceProvider; - - public ClientKeySecretLogic(IServiceProvider serviceProvider, IHttpContextAccessor httpContextAccessor) : base(httpContextAccessor) - { - this.serviceProvider = serviceProvider; - } + public ClientKeySecretLogic(IHttpContextAccessor httpContextAccessor) : base(httpContextAccessor) + { } public SecurityKey GetClientKey(TClient client) { @@ -32,10 +27,6 @@ public SecurityKey GetClientKey(TClient client) { return clientKey.Key.ToSecurityKey(); } - else if (clientKey.Type == ClientKeyTypes.KeyVaultImport) - { - return serviceProvider.GetService().GetExternalRSAKey(clientKey).ToSecurityKey(clientKey.PublicKey.Kid); - } else { throw new NotSupportedException(); diff --git a/src/FoxIDs/Logic/Oidc/OidcAuthUpLogic.cs b/src/FoxIDs/Logic/Oidc/OidcAuthUpLogic.cs index 855607927..41a57fa17 100644 --- a/src/FoxIDs/Logic/Oidc/OidcAuthUpLogic.cs +++ b/src/FoxIDs/Logic/Oidc/OidcAuthUpLogic.cs @@ -210,6 +210,11 @@ public async Task AuthenticationResponseAsync(string partyId) throw; } + if(party.Client.ClientKeys?.Where(ck => ck.Type == ClientKeyTypes.KeyVaultImport).Count() > 0) + { + await serviceProvider.GetService().PhasedOutExternalClientKeyAsync(party); + } + var sessionResponse = formOrQueryDictionary.ToObject(); if (sessionResponse != null) { diff --git a/src/FoxIDs/Logic/Tracks/AccountTwoFactorLogic.cs b/src/FoxIDs/Logic/Tracks/AccountTwoFactorLogic.cs index 962b596b8..eae9da5c9 100644 --- a/src/FoxIDs/Logic/Tracks/AccountTwoFactorLogic.cs +++ b/src/FoxIDs/Logic/Tracks/AccountTwoFactorLogic.cs @@ -71,27 +71,12 @@ public async Task ValidateTwoFactorBySecretAsync(string email, string secret, st } } - public async Task ValidateTwoFactorByExternalSecretAsync(string email, string secretOrExtName, string appCode) - { - email = email?.ToLowerInvariant(); - if (settings.Options.KeyStorage == KeyStorageOptions.KeyVault) - { - secretOrExtName = await GetExternalSecretLogic().GetExternalSecretAsync(secretOrExtName); - if (secretOrExtName.IsNullOrWhiteSpace()) - { - throw new InvalidOperationException($"Unable to get external secret from Key Vault, {nameof(secretOrExtName)} '{secretOrExtName}'."); - } - } - - await ValidateTwoFactorBySecretAsync(email, secretOrExtName, appCode); - } - public string CreateRecoveryCode() { return Base32Encoding.ToString(RandomGenerator.GenerateBytes(secretAndRecoveryCodeLength)).TrimEnd('='); } - public async Task SetTwoFactorAppSecretUser(string email, string newSecret, string secretOrExtName, string twoFactorAppRecoveryCode) + public async Task SetTwoFactorAppSecretUser(string email, string newSecret, string twoFactorAppRecoveryCode) { email = email?.ToLowerInvariant(); logger.ScopeTrace(() => $"Set two-factor app secret user '{email}', Route '{RouteBinding?.Route}'."); @@ -102,25 +87,7 @@ public async Task SetTwoFactorAppSecretUser(string email, string newSecret throw new UserNotExistsException($"User '{user.Email}' do not exist or is disabled, trying to set two-factor app secret."); } - if (settings.Options.KeyStorage == KeyStorageOptions.None) - { - user.TwoFactorAppSecret = newSecret; - } - else if (settings.Options.KeyStorage == KeyStorageOptions.KeyVault) - { - if (!secretOrExtName.IsNullOrEmpty()) - { - user.TwoFactorAppSecretExternalName = await GetExternalSecretLogic().SetExternalSecretByExternalNameAsync(secretOrExtName, newSecret); - } - else - { - user.TwoFactorAppSecretExternalName = await GetExternalSecretLogic().SetExternalSecretByNameAsync(secretName, newSecret); - } - } - else - { - throw new NotSupportedException(); - } + user.TwoFactorAppSecret = newSecret; var recoveryCode = new TwoFactorAppRecoveryCode(); await secretHashLogic.AddSecretHashAsync(recoveryCode, twoFactorAppRecoveryCode); @@ -163,6 +130,6 @@ public async Task ValidateTwoFactorAppRecoveryCodeUser(string email, strin } } - private ExternalSecretLogic GetExternalSecretLogic() => serviceProvider.GetService(); + } } diff --git a/src/FoxIDs/Logic/Tracks/TrackKeyLogic.cs b/src/FoxIDs/Logic/Tracks/TrackKeyLogic.cs index 1b1d21929..00a7f3096 100644 --- a/src/FoxIDs/Logic/Tracks/TrackKeyLogic.cs +++ b/src/FoxIDs/Logic/Tracks/TrackKeyLogic.cs @@ -10,21 +10,18 @@ using Microsoft.IdentityModel.Tokens; using System.Collections.Generic; using Microsoft.Extensions.DependencyInjection; -using FoxIDs.Logic.Caches.Providers; namespace FoxIDs.Logic { public class TrackKeyLogic : LogicSequenceBase { private readonly IServiceProvider serviceProvider; - private readonly ICacheProvider cacheProvider; private readonly ITenantDataRepository tenantDataRepository; private readonly TrackCacheLogic trackCacheLogic; - public TrackKeyLogic(IServiceProvider serviceProvider, ICacheProvider cacheProvider, ITenantDataRepository tenantDataRepository, TrackCacheLogic trackCacheLogic, IHttpContextAccessor httpContextAccessor) : base(httpContextAccessor) + public TrackKeyLogic(IServiceProvider serviceProvider, ITenantDataRepository tenantDataRepository, TrackCacheLogic trackCacheLogic, IHttpContextAccessor httpContextAccessor) : base(httpContextAccessor) { this.serviceProvider = serviceProvider; - this.cacheProvider = cacheProvider; this.tenantDataRepository = tenantDataRepository; this.trackCacheLogic = trackCacheLogic; } @@ -36,12 +33,12 @@ public async Task GetPrimarySecurityKeyAsync(RouteTrackKey trackKey switch (trackKey.Type) { case TrackKeyTypes.Contained: + case TrackKeyTypes.ContainedRenewSelfSigned: return trackKey.PrimaryKey.Key.ToSecurityKey(); case TrackKeyTypes.KeyVaultRenewSelfSigned: return GetPrimaryRSAKeyVault(trackKey).ToSecurityKey(trackKey.PrimaryKey.Key.Kid); - case TrackKeyTypes.KeyVaultImport: default: throw new NotSupportedException($"Track primary key type '{trackKey.Type}' not supported."); } @@ -54,12 +51,12 @@ public async Task GetPrimarySaml2X509CertificateAsync(Rout switch (trackKey.Type) { case TrackKeyTypes.Contained: + case TrackKeyTypes.ContainedRenewSelfSigned: return trackKey.PrimaryKey.Key.ToSaml2X509Certificate(true); case TrackKeyTypes.KeyVaultRenewSelfSigned: return new Saml2X509Certificate(trackKey.PrimaryKey.Key.ToX509Certificate(), GetPrimaryRSAKeyVault(trackKey)); - case TrackKeyTypes.KeyVaultImport: default: throw new NotSupportedException($"Track primary key type '{trackKey.Type}' not supported."); } @@ -76,12 +73,12 @@ public Saml2X509Certificate GetSecondarySaml2X509Certificate(RouteTrackKey track switch (trackKey.Type) { case TrackKeyTypes.Contained: + case TrackKeyTypes.ContainedRenewSelfSigned: return trackKey.SecondaryKey.Key.ToSaml2X509Certificate(true); case TrackKeyTypes.KeyVaultRenewSelfSigned: return new Saml2X509Certificate(trackKey.SecondaryKey.Key.ToX509Certificate(), GetPrimaryRSAKeyVault(trackKey)); - case TrackKeyTypes.KeyVaultImport: default: throw new NotSupportedException($"Track secondary key type '{trackKey.Type}' not supported."); } @@ -107,32 +104,21 @@ private async Task ValidatePrimaryTrackKeyAsync(RouteTrackKey trackKey) } catch (Exception ex) { - if (RouteBinding.TrackName == Constants.Routes.MasterTrackName && RouteBinding.Key.Type != TrackKeyTypes.KeyVaultRenewSelfSigned) + if (RouteBinding.Key.Type != TrackKeyTypes.KeyVaultRenewSelfSigned) { var trackIdKey = new Track.IdKey { TenantName = RouteBinding.TenantName, TrackName = RouteBinding.TrackName }; var mTrack = await tenantDataRepository.GetTrackByNameAsync(trackIdKey); - if (RouteBinding.Key.Type == TrackKeyTypes.Contained) + var newCertificate = mTrack.Key.Type == TrackKeyTypes.Contained ? await RouteBinding.CreateSelfSignedCertificateBySubjectAsync() : await RouteBinding.CreateSelfSignedCertificateBySubjectAsync(mTrack.KeyValidityInMonths); + mTrack.Key.Keys = new List { - var ContainedCertificate = await RouteBinding.CreateSelfSignedCertificateBySubjectAsync(); - mTrack.Key.Keys = new List { new TrackKeyItem { Key = await ContainedCertificate.ToFTJsonWebKeyAsync(true) } }; - await tenantDataRepository.UpdateAsync(mTrack); - - await trackCacheLogic.InvalidateTrackCacheAsync(trackIdKey); - - throw new ExternalKeyIsNotReadyException("The old primary master environment key certificate is invalid. A new primary environment key certificate has been created, please try one more time.", ex); - } - else - { - mTrack.Key.Type = TrackKeyTypes.KeyVaultRenewSelfSigned; - mTrack.Key.Keys = null; - mTrack.Key.ExternalName = await GetExternalKeyLogic().CreateExternalKeyAsync(mTrack); - await tenantDataRepository.UpdateAsync(mTrack); + await newCertificate.ToTrackKeyItemAsync(true) + }; + await tenantDataRepository.UpdateAsync(mTrack); - await trackCacheLogic.InvalidateTrackCacheAsync(trackIdKey); + await trackCacheLogic.InvalidateTrackCacheAsync(trackIdKey); - throw new ExternalKeyIsNotReadyException("The old primary master environment key certificate is invalid. A new primary external environment key certificate is under construction in Key Vault, it is ready in a little while.", ex); - } + throw new ExternalKeyIsNotReadyException("The old primary environment key certificate is invalid. A new primary environment key certificate has been created, please try one more time.", ex); } throw; @@ -150,6 +136,7 @@ public async Task LoadTrackKeyAsync(TelemetryScopedLogger scopedL switch (track.Key.Type) { case TrackKeyTypes.Contained: + case TrackKeyTypes.ContainedRenewSelfSigned: return new RouteTrackKey { Type = track.Key.Type, @@ -158,7 +145,7 @@ public async Task LoadTrackKeyAsync(TelemetryScopedLogger scopedL }; case TrackKeyTypes.KeyVaultRenewSelfSigned: - var trackKeyExternal = await GetTrackKeyItemsAsync(scopedLogger, trackIdKey.TenantName, trackIdKey.TrackName, track); + var trackKeyExternal = await GetExternalKeyLogic().GetTrackKeyItemsAsync(scopedLogger, trackIdKey.TenantName, trackIdKey.TrackName, track); var externalRouteTrackKey = new RouteTrackKey { Type = track.Key.Type, @@ -166,44 +153,35 @@ public async Task LoadTrackKeyAsync(TelemetryScopedLogger scopedL }; if (trackKeyExternal == null) { - externalRouteTrackKey.PrimaryKey = new RouteTrackKeyItem { ExternalKeyIsNotReady = true }; + if (track.Key.Keys != null) + { + externalRouteTrackKey.PrimaryKey = new RouteTrackKeyItem { Key = track.Key.Keys[0].Key }; + } + else + { + externalRouteTrackKey.PrimaryKey = new RouteTrackKeyItem { ExternalKeyIsNotReady = true }; + } } else { externalRouteTrackKey.PrimaryKey = new RouteTrackKeyItem { ExternalId = trackKeyExternal.Keys[0].ExternalId, Key = trackKeyExternal.Keys[0].Key }; - externalRouteTrackKey.SecondaryKey = trackKeyExternal.Keys.Count > 1 ? new RouteTrackKeyItem { ExternalId = trackKeyExternal.Keys[1].ExternalId, Key = trackKeyExternal.Keys[1].Key } : null; + if (track.Key.Keys != null) + { + externalRouteTrackKey.SecondaryKey = new RouteTrackKeyItem { Key = track.Key.Keys[0].Key }; + } + else + { + externalRouteTrackKey.SecondaryKey = trackKeyExternal.Keys.Count > 1 ? new RouteTrackKeyItem { ExternalId = trackKeyExternal.Keys[1].ExternalId, Key = trackKeyExternal.Keys[1].Key } : null; + } } + return externalRouteTrackKey; - case TrackKeyTypes.KeyVaultImport: default: throw new Exception($"Track key type not supported '{track.Key.Type}'."); } } - public async Task GetTrackKeyItemsAsync(TelemetryScopedLogger scopedLogger, string tenantName, string trackName, Track track) - { - var key = CacheTrackKeyExternalKey(tenantName, trackName, track.Key.ExternalName); - - var trackKeyExternalValue = await cacheProvider.GetAsync(key); - if (!trackKeyExternalValue.IsNullOrEmpty()) - { - return trackKeyExternalValue.ToObject(); - } - - var trackKeyExternal = await GetExternalKeyLogic().LoadTrackKeyExternalFromKeyVaultAsync(scopedLogger, track); - if (trackKeyExternal != null) - { - await cacheProvider.SetAsync(key, trackKeyExternal.ToJson(), track.KeyExternalCacheLifetime); - } - return trackKeyExternal; - } - - private string CacheTrackKeyExternalKey(string tenantName, string trackName, string name) - { - return $"track_key_ext_{tenantName}_{trackName}_{name}"; - } - private ExternalKeyLogic GetExternalKeyLogic() => serviceProvider.GetService(); } } diff --git a/src/FoxIDs/Models/Sequences/Base/ILoginUpSequenceDataBase.cs b/src/FoxIDs/Models/Sequences/Base/ILoginUpSequenceDataBase.cs index e15de0b13..300eefd89 100644 --- a/src/FoxIDs/Models/Sequences/Base/ILoginUpSequenceDataBase.cs +++ b/src/FoxIDs/Models/Sequences/Base/ILoginUpSequenceDataBase.cs @@ -1,5 +1,4 @@ -using FoxIDs.Models.Sequences; -using System.Collections.Generic; +using System.Collections.Generic; namespace FoxIDs.Models.Sequences { @@ -12,7 +11,7 @@ public interface ILoginUpSequenceDataBase : IUpSequenceData IEnumerable Acr { get; set; } IEnumerable AuthMethods { get; set; } TwoFactorAppSequenceStates TwoFactorAppState { get; set; } - string TwoFactorAppSecretOrExtName { get; set; } + string TwoFactorAppSecret { get; set; } string TwoFactorAppNewSecret { get; set; } string TwoFactorAppRecoveryCode { get; set; } } diff --git a/src/FoxIDs/Models/Sequences/ExternalLoginUpSequenceData.cs b/src/FoxIDs/Models/Sequences/ExternalLoginUpSequenceData.cs index c1b2d7a43..f0dd2f6b3 100644 --- a/src/FoxIDs/Models/Sequences/ExternalLoginUpSequenceData.cs +++ b/src/FoxIDs/Models/Sequences/ExternalLoginUpSequenceData.cs @@ -32,8 +32,8 @@ public class ExternalLoginUpSequenceData : UpSequenceData, ILoginUpSequenceDataB [JsonProperty(PropertyName = "fst")] public TwoFactorAppSequenceStates TwoFactorAppState { get; set; } - [JsonProperty(PropertyName = "fse")] - public string TwoFactorAppSecretOrExtName { get; set; } + [JsonProperty(PropertyName = "fas")] + public string TwoFactorAppSecret { get; set; } [JsonProperty(PropertyName = "fns")] public string TwoFactorAppNewSecret { get; set; } diff --git a/src/FoxIDs/Models/Sequences/LoginUpSequenceData.cs b/src/FoxIDs/Models/Sequences/LoginUpSequenceData.cs index 5da760f8f..52c8b3e65 100644 --- a/src/FoxIDs/Models/Sequences/LoginUpSequenceData.cs +++ b/src/FoxIDs/Models/Sequences/LoginUpSequenceData.cs @@ -38,8 +38,8 @@ public class LoginUpSequenceData : UpSequenceData, ILoginUpSequenceDataBase [JsonProperty(PropertyName = "fst")] public TwoFactorAppSequenceStates TwoFactorAppState { get; set; } - [JsonProperty(PropertyName = "fse")] - public string TwoFactorAppSecretOrExtName { get; set; } + [JsonProperty(PropertyName = "fas")] + public string TwoFactorAppSecret { get; set; } [JsonProperty(PropertyName = "fns")] public string TwoFactorAppNewSecret { get; set; } diff --git a/src/FoxIDs/package-lock.json b/src/FoxIDs/package-lock.json deleted file mode 100644 index 4b4d3bc8e..000000000 --- a/src/FoxIDs/package-lock.json +++ /dev/null @@ -1,89 +0,0 @@ -{ - "name": "foxids", - "version": "1.0.0", - "lockfileVersion": 2, - "requires": true, - "packages": { - "": { - "name": "foxids", - "version": "1.0.0", - "devDependencies": { - "bootstrap": "4.6.0", - "jquery": "3.5.1", - "jquery-validation": "1.19.5", - "jquery-validation-unobtrusive": "3.2.12" - } - }, - "node_modules/bootstrap": { - "version": "4.6.0", - "resolved": "https://registry.npmjs.org/bootstrap/-/bootstrap-4.6.0.tgz", - "integrity": "sha512-Io55IuQY3kydzHtbGvQya3H+KorS/M9rSNyfCGCg9WZ4pyT/lCxIlpJgG1GXW/PswzC84Tr2fBYi+7+jFVQQBw==", - "dev": true, - "funding": { - "type": "opencollective", - "url": "https://opencollective.com/bootstrap" - }, - "peerDependencies": { - "jquery": "1.9.1 - 3", - "popper.js": "^1.16.1" - } - }, - "node_modules/jquery": { - "version": "3.5.1", - "resolved": "https://registry.npmjs.org/jquery/-/jquery-3.5.1.tgz", - "integrity": "sha512-XwIBPqcMn57FxfT+Go5pzySnm4KWkT1Tv7gjrpT1srtf8Weynl6R273VJ5GjkRb51IzMp5nbaPjJXMWeju2MKg==", - "dev": true - }, - "node_modules/jquery-validation": { - "version": "1.19.5", - "resolved": "https://registry.npmjs.org/jquery-validation/-/jquery-validation-1.19.5.tgz", - "integrity": "sha512-X2SmnPq1mRiDecVYL8edWx+yTBZDyC8ohWXFhXdtqFHgU9Wd4KHkvcbCoIZ0JaSaumzS8s2gXSkP8F7ivg/8ZQ==", - "dev": true, - "peerDependencies": { - "jquery": "^1.7 || ^2.0 || ^3.1" - } - }, - "node_modules/jquery-validation-unobtrusive": { - "version": "3.2.12", - "resolved": "https://registry.npmjs.org/jquery-validation-unobtrusive/-/jquery-validation-unobtrusive-3.2.12.tgz", - "integrity": "sha512-kPixGhVcuat7vZXngGFfSIksy4VlzZcHyRgnBIZdsfVneCU+D5sITC8T8dD/9c9K/Q+qkMlgp7ufJHz93nKSuQ==", - "dev": true, - "dependencies": { - "jquery": "^3.5.1", - "jquery-validation": ">=1.16" - } - } - }, - "dependencies": { - "bootstrap": { - "version": "4.6.0", - "resolved": "https://registry.npmjs.org/bootstrap/-/bootstrap-4.6.0.tgz", - "integrity": "sha512-Io55IuQY3kydzHtbGvQya3H+KorS/M9rSNyfCGCg9WZ4pyT/lCxIlpJgG1GXW/PswzC84Tr2fBYi+7+jFVQQBw==", - "dev": true, - "requires": {} - }, - "jquery": { - "version": "3.5.1", - "resolved": "https://registry.npmjs.org/jquery/-/jquery-3.5.1.tgz", - "integrity": "sha512-XwIBPqcMn57FxfT+Go5pzySnm4KWkT1Tv7gjrpT1srtf8Weynl6R273VJ5GjkRb51IzMp5nbaPjJXMWeju2MKg==", - "dev": true - }, - "jquery-validation": { - "version": "1.19.5", - "resolved": "https://registry.npmjs.org/jquery-validation/-/jquery-validation-1.19.5.tgz", - "integrity": "sha512-X2SmnPq1mRiDecVYL8edWx+yTBZDyC8ohWXFhXdtqFHgU9Wd4KHkvcbCoIZ0JaSaumzS8s2gXSkP8F7ivg/8ZQ==", - "dev": true, - "requires": {} - }, - "jquery-validation-unobtrusive": { - "version": "3.2.12", - "resolved": "https://registry.npmjs.org/jquery-validation-unobtrusive/-/jquery-validation-unobtrusive-3.2.12.tgz", - "integrity": "sha512-kPixGhVcuat7vZXngGFfSIksy4VlzZcHyRgnBIZdsfVneCU+D5sITC8T8dD/9c9K/Q+qkMlgp7ufJHz93nKSuQ==", - "dev": true, - "requires": { - "jquery": "^3.5.1", - "jquery-validation": ">=1.16" - } - } - } -}