manage data protection keys with azure and enc

2025-04-10 07:38:13 -05:00 · 2017-03-23 22:02:55 -04:00 · 2017-03-23 22:02:55 -04:00 · ca9aa40873
commit ca9aa40873
parent 47477f6ca5
4 changed files with 23 additions and 0 deletions
--- a/src/Api/Api.csproj
+++ b/src/Api/Api.csproj
@ -22,6 +22,7 @@
  </ItemGroup>

  <ItemGroup>
+    <PackageReference Include="Microsoft.AspNetCore.DataProtection.AzureStorage" Version="1.0.1" />
    <PackageReference Include="Microsoft.AspNetCore.Server.IISIntegration" Version="1.1.1" />
    <PackageReference Include="Microsoft.AspNetCore.Mvc" Version="1.1.2" />
    <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel" Version="1.1.1" />
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@ -31,6 +31,8 @@ using Serilog;
 using Serilog.Events;
 using Bit.Api.IdentityServer;
 using Bit.Core.Enums;
+using Microsoft.AspNetCore.DataProtection;
+using Microsoft.WindowsAzure.Storage;

 namespace Bit.Api
 {
@ -71,6 +73,16 @@ namespace Bit.Api
            services.Configure<IpRateLimitOptions>(Configuration.GetSection("IpRateLimitOptions"));
            services.Configure<IpRateLimitPolicies>(Configuration.GetSection("IpRateLimitPolicies"));

+            // Data Protection
+            if(Environment.IsProduction())
+            {
+                var dataProtectionCert = CoreHelpers.GetCertificate(globalSettings.DataProtection.CertificateThumbprint);
+                var storageAccount = CloudStorageAccount.Parse(globalSettings.Storage.ConnectionString);
+                services.AddDataProtection()
+                    .PersistKeysToAzureBlobStorage(storageAccount, "aspnet-dataprotection/keys.xml")
+                    .ProtectKeysWithCertificate(dataProtectionCert);
+            }
+
            // Repositories
            services.AddSingleton<IUserRepository, SqlServerRepos.UserRepository>();
            services.AddSingleton<ICipherRepository, SqlServerRepos.CipherRepository>();
@ -81,6 +93,7 @@ namespace Bit.Api
            services.AddSingleton<ISubvaultRepository, SqlServerRepos.SubvaultRepository>();
            services.AddSingleton<ISubvaultUserRepository, SqlServerRepos.SubvaultUserRepository>();
            services.AddSingleton<IFolderRepository, SqlServerRepos.FolderRepository>();
+            services.AddSingleton<ISubvaultCipherRepository, SqlServerRepos.SubvaultCipherRepository>();

            // Context
            services.AddScoped<CurrentContext>();
--- a/src/Api/settings.json
+++ b/src/Api/settings.json
@ -24,6 +24,9 @@
    "identityServer": {
      "certificateThumbprint": "SECRET"
    },
+    "dataProtection": {
+      "certificateThumbprint": "SECRET"
+    },
    "storage": {
      "connectionString": "SECRET"
    },
--- a/src/Core/GlobalSettings.cs
+++ b/src/Core/GlobalSettings.cs
@ -11,6 +11,7 @@
        public virtual PushSettings Push { get; set; } = new PushSettings();
        public virtual StorageSettings Storage { get; set; } = new StorageSettings();
        public virtual IdentityServerSettings IdentityServer { get; set; } = new IdentityServerSettings();
+        public virtual DataProtectionSettings DataProtection { get; set; } = new DataProtectionSettings();
        public virtual DocumentDbSettings DocumentDb { get; set; } = new DocumentDbSettings();

        public class SqlServerSettings
@ -49,6 +50,11 @@
            public string CertificateThumbprint { get; set; }
        }

+        public class DataProtectionSettings
+        {
+            public string CertificateThumbprint { get; set; }
+        }
+
        public class DocumentDbSettings
        {
            public string Uri { get; set; }