progress update

author: vnugent <public@vaughnnugent.com> 2024-01-28 19:56:02 -0500
committer: vnugent <public@vaughnnugent.com> 2024-01-28 19:56:02 -0500
commit: 87645bfad3943e1110e4cb2e038124083e8ae793 (patch)
tree: c327a4437c98d973f45c313cf8259ad75515c4fe /lib/NVault.VaultExtensions/src
parent: c438ee90e3be4e5e01ae3d045d6b841a03bd46eb (diff)
8 files changed, 436 insertions, 0 deletions
diff --git a/lib/NVault.VaultExtensions/src/IClientAccessScope.cs b/lib/NVault.VaultExtensions/src/IClientAccessScope.cs
new file mode 100644
index 0000000..c79f75e
--- /dev/null
+++ b/lib/NVault.VaultExtensions/src/IClientAccessScope.cs
@@ -0,0 +1,48 @@
+// Copyright (C) 2024 Vaughn Nugent
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as
+// published by the Free Software Foundation, either version 3 of the
+// License, or (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+using System;
+using System.Collections.Generic;
+
+namespace NVault.VaultExtensions
+{
+    /// <summary>
+    /// Represents a user auth token access scope 
+    /// configuration.
+    /// </summary>
+    public interface IClientAccessScope
+    {
+        /// <summary>
+        /// The list of policies for new token generation
+        /// </summary>
+        IList<string> Policies { get; }
+
+        /// <summary>
+        /// Allows the user to renew the access token
+        /// </summary>
+        bool Renewable { get; }
+
+        /// <summary>
+        /// The token
+        /// </summary>
+        string TokenTtl { get; }
+
+        /// <summary>
+        /// The explicit number of token uses allowed by the genreated token,
+        /// 0 for unlimited uses
+        /// </summary>
+        int NumberOfUses { get; }
+    }
+}
+\ No newline at end of file
diff --git a/lib/NVault.VaultExtensions/src/IKvVaultStore.cs b/lib/NVault.VaultExtensions/src/IKvVaultStore.cs
new file mode 100644
index 0000000..037fe6c
--- /dev/null
+++ b/lib/NVault.VaultExtensions/src/IKvVaultStore.cs
@@ -0,0 +1,52 @@
+// Copyright (C) 2024 Vaughn Nugent
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as
+// published by the Free Software Foundation, either version 3 of the
+// License, or (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+using System.Threading.Tasks;
+
+using VNLib.Utils.Memory;
+
+namespace NVault.VaultExtensions
+{
+    /// <summary>
+    /// Represents a vault key-value store that can be used to store secrets
+    /// </summary>
+    public interface IKvVaultStore
+    {
+        /// <summary>
+        /// Deletes a secret from the vault
+        /// </summary>
+        /// <param name="user">The user scope of the secret</param>
+        /// <param name="path">The path to the secret</param>
+        /// <returns>A task that returns when the operation has completed</returns>
+        Task DeleteSecretAsync(VaultUserScope user, string path);
+
+        /// <summary>
+        /// Sets a secret in the vault at the specified path and user scope
+        /// </summary>
+        /// <param name="user">The user scope to store the value at</param>
+        /// <param name="path">The path to the secret</param>
+        /// <param name="secret">The secret value to set</param>
+        /// <returns>A task that resolves when the secret has been updated</returns>
+        Task SetSecretAsync(VaultUserScope user, string path, PrivateString secret);
+
+        /// <summary>
+        /// Gets a secret from the vault at the specified path and user scope
+        /// </summary>
+        /// <param name="user">The user scope to get the value from</param>
+        /// <param name="path">The secret path</param>
+        /// <returns>A task that resolves the secret if found, null otherwise</returns>
+        Task<PrivateString?> GetSecretAsync(VaultUserScope user, string path);
+    }
+}
+\ No newline at end of file
diff --git a/lib/NVault.VaultExtensions/src/IVaultClientScope.cs b/lib/NVault.VaultExtensions/src/IVaultClientScope.cs
new file mode 100644
index 0000000..d53bc4a
--- /dev/null
+++ b/lib/NVault.VaultExtensions/src/IVaultClientScope.cs
@@ -0,0 +1,33 @@
+// Copyright (C) 2024 Vaughn Nugent
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as
+// published by the Free Software Foundation, either version 3 of the
+// License, or (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+namespace NVault.VaultExtensions
+{
+    /// <summary>
+    /// Represents a vault client scope configuration
+    /// </summary>
+    public interface IVaultClientScope
+    {
+        /// <summary>
+        /// The mount point for the vault
+        /// </summary>
+        string? MountPoint { get; }
+
+        /// <summary>
+        /// The entry path for the vault
+        /// </summary>
+        string? EntryPath { get; }
+    }
+}
+\ No newline at end of file
diff --git a/lib/NVault.VaultExtensions/src/IVaultKvClientScope.cs b/lib/NVault.VaultExtensions/src/IVaultKvClientScope.cs
new file mode 100644
index 0000000..f763473
--- /dev/null
+++ b/lib/NVault.VaultExtensions/src/IVaultKvClientScope.cs
@@ -0,0 +1,29 @@
+// Copyright (C) 2024 Vaughn Nugent
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as
+// published by the Free Software Foundation, either version 3 of the
+// License, or (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+namespace NVault.VaultExtensions
+{
+    /// <summary>
+    /// A key-value specific scoped client
+    /// </summary>
+    public interface IVaultKvClientScope : IVaultClientScope
+    {
+        /// <summary>
+        /// The property to store the secret value in the 
+        /// storage dictionary
+        /// </summary>
+        string StorageProperty { get; }
+    }
+}
+\ No newline at end of file
diff --git a/lib/NVault.VaultExtensions/src/KvVaultStorage.cs b/lib/NVault.VaultExtensions/src/KvVaultStorage.cs
new file mode 100644
index 0000000..8a2b9b6
--- /dev/null
+++ b/lib/NVault.VaultExtensions/src/KvVaultStorage.cs
@@ -0,0 +1,66 @@
+// Copyright (C) 2024 Vaughn Nugent
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as
+// published by the Free Software Foundation, either version 3 of the
+// License, or (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+using System.Threading.Tasks;
+
+using VaultSharp;
+
+using VNLib.Utils.Memory;
+
+namespace NVault.VaultExtensions
+{
+    /// <summary>
+    /// An abstract kv storage implementation that uses the vault client to store secrets
+    /// </summary>
+    public abstract class KvVaultStorage : IKvVaultStore
+    {
+        /// <summary>
+        /// The vault client
+        /// </summary>
+        protected abstract IVaultClient Client { get; }
+
+        /// <summary>
+        /// The storage scope
+        /// </summary>
+        protected abstract IVaultKvClientScope Scope { get; }
+
+        public virtual Task DeleteSecretAsync(VaultUserScope user, string path)
+        {
+            string tPath = TranslatePath(path);
+            return Client.DeleteSecretAsync(Scope, user, tPath);
+        }
+
+        public virtual Task SetSecretAsync(VaultUserScope user, string path, PrivateString secret)
+        {
+            string tPath = TranslatePath(path);
+            return Client.SetSecretAsync(Scope, user, tPath, secret);
+        }
+
+        public virtual Task<PrivateString?> GetSecretAsync(VaultUserScope user, string path)
+        {
+            string tPath = TranslatePath(path);
+            return Client.GetSecretAsync(Scope, user, tPath);
+        }
+
+        /// <summary>
+        /// Translates a realtive item path to a full path 
+        /// within the scope of the storage. This may be used to 
+        /// extend the scope of the operation
+        /// </summary>
+        /// <param name="path">The item path to scope</param>
+        /// <returns>The further scoped vault path for the item</returns>
+        public virtual string TranslatePath(string path) => path;
+    }
+}
+\ No newline at end of file
diff --git a/lib/NVault.VaultExtensions/src/NVault.VaultExtensions.csproj b/lib/NVault.VaultExtensions/src/NVault.VaultExtensions.csproj
new file mode 100644
index 0000000..e5dbe8c
--- /dev/null
+++ b/lib/NVault.VaultExtensions/src/NVault.VaultExtensions.csproj
@@ -0,0 +1,27 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
+    <PackageReadmeFile>README.md</PackageReadmeFile>
+    <RootNamespace>NVault.VaultExtensions</RootNamespace>
+    <AssemblyName>NVault.VaultExtensions</AssemblyName>
+  </PropertyGroup>
+
+  <PropertyGroup>
+    <Authors>Vaughn Nugent</Authors>
+    <Company>Vaughn Nugent</Company>
+    <Product>NVault.VaultExtensions</Product>
+    <Description>A Hashicorp Vault unified extension library for NVault</Description>
+    <Copyright>Copyright © 2024 Vaughn Nugent</Copyright>
+    <PackageProjectUrl>https://www.vaughnnugent.com/resources/software/modules/NVault</PackageProjectUrl>
+    <RepositoryUrl>https://github.com/VnUgE/NVault/tree/master/</RepositoryUrl>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="VaultSharp" Version="1.13.0.1" />
+    <PackageReference Include="VNLib.Plugins.Extensions.Loading" Version="0.1.0-ci0047" />
+  </ItemGroup>
+
+</Project>
diff --git a/lib/NVault.VaultExtensions/src/VaultClientExtensions.cs b/lib/NVault.VaultExtensions/src/VaultClientExtensions.cs
new file mode 100644
index 0000000..d90941a
--- /dev/null
+++ b/lib/NVault.VaultExtensions/src/VaultClientExtensions.cs
@@ -0,0 +1,156 @@
+// Copyright (C) 2024 Vaughn Nugent
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as
+// published by the Free Software Foundation, either version 3 of the
+// License, or (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+using System.Threading;
+using System.Threading.Tasks;
+using System.Collections.Generic;
+
+using VaultSharp;
+using VaultSharp.V1.Commons;
+
+using VNLib.Utils.Memory;
+using VNLib.Plugins.Essentials.Extensions;
+
+
+namespace NVault.VaultExtensions
+{
+
+    public static class VaultClientExtensions
+    {
+        
+        private static string GetKeyPath(IVaultClientScope client, in VaultUserScope scope, string itemPath)
+        {
+            //Allow for null entry path
+            return client.EntryPath == null ? $"{scope.UserId}/{itemPath}" : $"{client.EntryPath}/{scope.UserId}/{itemPath}";
+        }
+
+
+        public static Task<PrivateString?> GetSecretAsync(this IVaultClient client, IVaultKvClientScope scope, VaultUserScope user, string path)
+        {
+            return GetSecretAsync(client, scope, user, path, scope.StorageProperty);
+        }
+
+        public static async Task<PrivateString?> GetSecretAsync(this IVaultClient client, IVaultClientScope scope, VaultUserScope user, string path, string property)
+        {
+            //Get the path complete path for the scope
+            string fullPath = GetKeyPath(scope, user, path);
+
+            //Get the secret from the vault
+            Secret<SecretData> result = await client.V1.Secrets.KeyValue.V2.ReadSecretAsync(fullPath, mountPoint:scope.MountPoint);
+
+            //Try to get the secret value from the store
+            string? value = result.Data.Data.GetValueOrDefault(property)?.ToString();
+
+            //Return the secret value as a private string
+            return value == null ? null : PrivateString.ToPrivateString(value, true);
+        }
+
+        /// <summary>
+        /// Writes a secret to the vault that is scoped by the vault scope, and the user scope.
+        /// </summary>
+        /// <param name="client"></param>
+        /// <param name="scope">The client scope configuration</param>
+        /// <param name="user">The user scope to isolate the </param>
+        /// <param name="path">The item path within the current scope</param>
+        /// <param name="secret">The secret value to set at the desired property</param>
+        /// <returns>A task that resolves when the secret has been updated</returns>
+        public static async Task<CurrentSecretMetadata> SetSecretAsync(this IVaultClient client, IVaultKvClientScope scope, VaultUserScope user, string path, PrivateString secret)
+        {
+            Dictionary<string, string> secretDict = new()
+            {
+                //Dangerous cast, but we know the type
+                { scope.StorageProperty, (string)secret }
+            };
+
+            //Await the result so we be sure the secret is not destroyed
+            return await SetSecretAsync(client, scope, user, path, secretDict);
+        }
+
+        /// <summary>
+        /// Writes a secret to the vault that is scoped by the vault scope, and the user scope.
+        /// </summary>
+        /// <param name="client"></param>
+        /// <param name="scope">The client scope configuration</param>
+        /// <param name="user">The user scope to isolate the </param>
+        /// <param name="path">The item path within the current scope</param>
+        /// <param name="secret">The secret value to set at the desired property</param>
+        /// <returns>A task that resolves when the secret has been updated</returns>
+        public static async Task<CurrentSecretMetadata> SetSecretAsync(this IVaultClient client, IVaultClientScope scope, VaultUserScope user, string path, IDictionary<string, string> secret)
+        {
+            //Get the path complete path for the scope
+            string fullPath = GetKeyPath(scope, user, path);
+
+            //Get the secret from the vault
+            Secret<CurrentSecretMetadata> result = await client.V1.Secrets.KeyValue.V2.WriteSecretAsync(fullPath, secret, mountPoint:scope.MountPoint);
+
+            return result.Data;
+        }
+
+        /// <summary>
+        /// Deletes a secret from the vault that is scoped by the vault scope, and the user scope.
+        /// </summary>
+        /// <param name="client"></param>
+        /// <param name="scope">The client scope</param>
+        /// <param name="user">The vault user scope</param>
+        /// <param name="path">The path to the storage</param>
+        /// <returns>A task that resolves when the delete operation has completed</returns>
+        public static Task DeleteSecretAsync(this IVaultClient client, IVaultClientScope scope, VaultUserScope user, string path)
+        {
+            string fullApth = GetKeyPath(scope, user, path);
+            return client.V1.Secrets.KeyValue.V2.DeleteSecretAsync(fullApth, mountPoint:scope.MountPoint);
+        }
+
+        /// <summary>
+        /// Deletes a secret from the vault
+        /// </summary>
+        /// <param name="user">The user scope of the secret</param>
+        /// <param name="path">The path to the secret</param>
+        /// <param name="cancellation">A token to cancel the operation</param>
+        /// <returns>A task that returns when the operation has completed</returns>
+        public static Task DeleteSecretAsync(this IKvVaultStore store, VaultUserScope user, string path, CancellationToken cancellation)
+        {
+            return store.DeleteSecretAsync(user, path).WaitAsync(cancellation);
+        }
+
+
+        /// <summary>
+        /// Gets a secret from the vault at the specified path and user scope
+        /// </summary>
+        /// <param name="user">The user scope to get the value from</param>
+        /// <param name="path">The secret path</param>
+        /// <param name="cancellation">A token to cancel the operation</param>
+        /// <returns>A task that resolves the secret if found, null otherwise</returns>
+        public static Task<PrivateString?> GetSecretAsync(this IKvVaultStore store, VaultUserScope user, string path, CancellationToken cancellation)
+        {
+            return store.GetSecretAsync(user, path).WaitAsync(cancellation);
+        }
+
+
+        /// <summary>
+        /// Sets a secret in the vault at the specified path and user scope
+        /// </summary>
+        /// <param name="user">The user scope to store the value at</param>
+        /// <param name="path">The path to the secret</param>
+        /// <param name="secret">The secret value to set</param>
+        /// <param name="cancellation">The cancellation token</param>
+        /// <returns>A task that resolves when the secret has been updated</returns>
+        public static Task SetSecretAsync(this IKvVaultStore store, VaultUserScope user, string path, PrivateString secret, CancellationToken cancellation)
+        {
+            return store.SetSecretAsync(user, path, secret).WaitAsync(cancellation);
+        }
+
+
+    }
+}
+\ No newline at end of file
diff --git a/lib/NVault.VaultExtensions/src/VaultUserScope.cs b/lib/NVault.VaultExtensions/src/VaultUserScope.cs
new file mode 100644
index 0000000..0e8796c
--- /dev/null
+++ b/lib/NVault.VaultExtensions/src/VaultUserScope.cs
@@ -0,0 +1,25 @@
+// Copyright (C) 2024 Vaughn Nugent
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as
+// published by the Free Software Foundation, either version 3 of the
+// License, or (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+namespace NVault.VaultExtensions
+{
+    /// <summary>
+    /// Represents a user scope for the vault. It isolates the user's
+    /// secrets from other users.
+    /// </summary>
+    /// <param name="UserId">The id of the user to scope the vault to</param>
+    public readonly record struct VaultUserScope(string UserId)
+    { }
+}
+\ No newline at end of file
author	vnugent <public@vaughnnugent.com>	2024-01-28 19:56:02 -0500
committer	vnugent <public@vaughnnugent.com>	2024-01-28 19:56:02 -0500
commit	87645bfad3943e1110e4cb2e038124083e8ae793 (patch)
tree	c327a4437c98d973f45c313cf8259ad75515c4fe /lib/NVault.VaultExtensions/src
parent	c438ee90e3be4e5e01ae3d045d6b841a03bd46eb (diff)