Feature - add HashiCorp Vault secret provider

.gitignore

@@ -8,6 +8,7 @@
 *.user
 *.userosscache
 *.sln.docstates
+*.local.json
 
 # User-specific files (MonoDevelop/Xamarin Studio)
 *.userprefs

build/ci-build.yml

@@ -32,6 +32,7 @@ variables:
   - group: 'Arcus - GitHub Package Registry'
   - group: 'Build Configuration'
   - template: ./variables/build.yml
+  - template: ./variables/test.yml
 
 stages:
   - stage: Build
@@ -108,6 +109,11 @@ stages:
             inputs:
               packageType: 'sdk'
               version: '$(DotNet.Sdk.VersionBC)'
+          - template: 'templates/download-hashicorp-vault.yml'
+            parameters:
+              targetFolder: '$(Build.SourcesDirectory)'
+              version: $(HashiCorp.Vault.Version)
+              vaultBinVariableName: 'Arcus.HashiCorp.VaultBin'
           - template: test/run-integration-tests.yml@templates
             parameters:
               dotnetSdkVersion: '$(DotNet.Sdk.Version)'

build/nuget-release.yml

@@ -19,6 +19,7 @@ variables:
   - group: 'Arcus - GitHub Package Registry'
   - group: 'Build Configuration'
   - template: ./variables/build.yml
+  - template: ./variables/test.yml
   - name: 'Package.Version'
     value: ${{ parameters['Package.Version'] }}
 
@@ -94,6 +95,11 @@ stages:
             inputs:
               packageType: 'sdk'
               version: '$(DotNet.Sdk.VersionBC)'
+          - template: 'templates/download-hashicorp-vault.yml'
+            parameters:
+              targetFolder: '$(Build.SourcesDirectory)'
+              version: $(HashiCorp.Vault.Version)
+              vaultBinVariableName: 'Arcus.HashiCorp.VaultBin'
           - template: test/run-integration-tests.yml@templates
             parameters:
               dotnetSdkVersion: '$(DotNet.Sdk.Version)'

build/templates/download-hashicorp-vault.yml

@@ -0,0 +1,42 @@
+parameters:
+  - name: targetFolder
+    type: string
+    default: '$(Build.SourcesDirectory)'
+  - name: version
+    type: string
+  - name: vaultBinVariableName
+    type: string
+    default: 'Arcus.HashiCorp.VaultBin'
+
+steps:
+  - powershell: |
+      $vault_zip = "vault_${{ parameters.version }}_linux_amd64.zip"
+      $vault_url = "https://releases.hashicorp.com/vault/${{ parameters.version }}/$vault_zip"
+      $destination = "${{ parameters.targetFolder }}/$vault_zip"
+      if (!(Test-Path $destination)) {
+          Write-Output "Downloading $vault_url to $destination"
+          [Net.ServicePointManager]::SecurityProtocol = 'Tls12'
+          Invoke-WebRequest -Uri $vault_url -OutFile $vault_zip
+          ls
+          if (Test-Path $vault_zip) {
+            Write-Output "Downloaded .zip file to $vault_zip"
+          } else {
+            Write-Error "Could not find downloaded .zip file $vault_zip"
+          }
+      }
+      Expand-Archive -LiteralPath $vault_zip -DestinationPath ${{ parameters.targetFolder }}
+      ls
+      $vault_bin = "${{ parameters.targetFolder }}/vault"
+      if (Test-Path $vault_bin) {
+        Write-Output "Extracted HashiCorp Vault to executable file"
+      } else {
+        Write-Error "Could not find extracted HashiCorp Vault executable file"
+      }
+      Write-Host "##vso[task.setvariable variable=${{ parameters.vaultBinVariableName }}]$vault_bin"
+    workingDirectory: ${{ parameters.targetFolder }}
+    displayName: 'Download HashiCorp Vault'
+  - bash: |
+      chmod +x $VAULT_BIN
+    env:
+      VAULT_BIN: '${{ parameters.targetFolder }}/vault'
+    displayName: 'Make HashiCorp Vault executable runnable'

build/variables/test.yml

@@ -0,0 +1,2 @@
+variables:
+  HashiCorp.Vault.Version: 1.5.0

docs/preview/features/secret-store/index.md

@@ -15,9 +15,13 @@ Once register, you can fetch all secrets by using `ISecretProvider` which will g
 ## Built-in secret providers
 Several built in secret providers available in the package.
 
-* [Environment variables](./../../features/secret-store/provider/environment-variables)
 * [Configuration](./../../features/secret-store/provider/configuration)
-* [Azure key vault](./../../features/secret-store/provider/key-vault)
+* [Environment variables](./../../features/secret-store/provider/environment-variables)
+
+And several additional providers in seperate packages.
+
+* [Azure Key Vault](./../../features/secret-store/provider/key-vault)
+* [HashiCorp](./../../features/secret-store/hashicorp-vault)
 * [User Secrets](./../../features/secret-store/provider/user-secrets)
 
 If you require an additional secret providers that aren't available here, please [this document](./../../features/secret-store/create-new-secret-provider) that describes how you can create your own secret provider.

docs/preview/features/secret-store/provider/hashicorp-vault.md

@@ -0,0 +1,100 @@
+---
+title: "HashiCorp Vault secret provider"
+layout: default
+---
+
+# HashiCorp Vault secret provider
+HashiCorp Vault secret provider brings secrets from the KeyValue secret engine to your application.
+
+## Installation
+Adding secrets from HashiCorp Vault into the secret store requires following package:
+
+```shell
+PM > Install-Package Arcus.Security.Providers.HashiCorp
+```
+
+## Configuration
+After installing the package, the addtional extensions becomes available when building the secret store.
+
+```csharp
+public class Program
+{
+    public static void Main(string[] args)
+    {
+        CreateHostBuilder(args).Build().Run();
+    }
+
+    public static IHostBuilder CreateHostBuilder(string[] args)
+    {    
+        return Host.CreateDefaultBuilder(args)
+                   .ConfigureSecretStore((context, config, builder) =>
+                   {
+                         // Adding the HashiCorp Vault secret provider with the built-in overloads.
+                         // =======================================================================
+
+                         // UserPass authentication built-in overload:
+                         // ------------------------------------------
+                         builder.AddHashiCorpVaultWithUserPass(
+                             // URI where the HashiCorp Vault is running.
+                             vaultServerUriWithPort: "https://uri.to.your.running.vault:5200",
+                             // Username/Password combination to authenticate with the vault.
+                             username: "admin",
+                             password: "s3cr3t",
+                             // Path where the secrets are stored in the KeyValue secret engine.
+                             secretPath: "my-secrets"
+                         );
+
+                         // Following defaults can be overridden:
+
+                        // Mount point of UserPass athentication (default: userpass).
+                        builder.AddHashiCorpVaultWithUserPass(..., userPassMountPoint: "myuserpass");
+
+                         // Version of the KeyValue secret engine (default: V2).
+                         builder.AddHashiCorpVaultWithUserPass(..., keyValueVersion: VaultKeyValueSecretEngineVersion.V1);
+
+                        // Mount point of KeyValue secret engine (default: kv-v2).
+                        builder.AddHashiCorpVaultWithUserPass(..., keyValueMountPoint: "secret");
+
+                        // Kubernetes authentication built-in overload:
+                        // --------------------------------------------
+                        builder.AddHashiCorpVaultWithKubernetes(
+                            // URI where the HashiCorp Vault is running.
+                             vaultServerUriWithPort: "https://uri.to.your.running.vault:5200",
+                             // Role name of the Kubernetes service account.
+                             roleName: "admin",
+                             // JSON web token (JWT) of the Kubernetes service account,
+                             jwt: "ey.xxx.xxx",
+                            // Path where the secrets are stored in the KeyValue secret engine.
+                             secretPath: "my-secrets"
+                        );
+
+                        // Mount point of Kubernetes authentication (default: kubernetes).
+                        builder.AddHashiCorpVaultWithKubernetes(..., kubernetesMountPoint: "mykubernetes");
+
+                         // Version of the KeyValue secret engine (default: V2).
+                         builder.AddHashiCorpVaultWithKubernetes(..., keyValueVersion: VaultKeyValueSecretEngineVersion.V1);
+
+                        // Mount point of KeyValue secret engine (default: kv-v2).
+                        builder.AddHashiCorpVaultWithKubernetes(..., keyValueMountPoint: "secret");
+
+                        // Custom settings overload for when using the [VaultSharp](https://github.com/rajanadar/VaultSharp) settings directly:
+                        // --------------------------------------------------------------------------------------------------------------------
+                        var tokenAuthentication = new TokenAuthMethodInfo("token");
+                        var settings = VaultClientSettings("http://uri.to.your.running.vault.5200", tokenAuthentication);
+                        builder.AddHashiCorpVault(
+                            settings, 
+                            // Path where the secrets are stored in the KeyValue secret engine.
+                            secretPath: "my-secrets");
+
+                        // Version of the KeyValue secret engine (default: V2).
+                         builder.AddHashiCorpVault(..., keyValueVersion: VaultKeyValueSecretEngineVersion.V1);
+
+                        // Mount point of KeyValue secret engine (default: kv-v2).
+                        builder.AddHashiCorpVault(..., keyValueMountPoint: "secret");
+                    })
+                    .ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());
+    }
+}
+```
+
+[&larr; back](/)

src/Arcus.Security.Providers.HashiCorp/Arcus.Security.Providers.HashiCorp.csproj

@@ -0,0 +1,29 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFrameworks>netstandard2.0</TargetFrameworks>
+    <Authors>Arcus</Authors>
+    <Description>Provides support for HashiCorp</Description>
+    <Copyright>Copyright (c) Arcus</Copyright>
+    <PackageLicenseUrl>https://github.com/arcus-azure/arcus.security/blob/master/LICENSE</PackageLicenseUrl>
+    <PackageProjectUrl>https://github.com/arcus-azure/arcus.security</PackageProjectUrl>
+    <PackageIconUrl>https://raw.githubusercontent.com/arcus-azure/arcus/master/media/arcus.png</PackageIconUrl>
+    <RepositoryUrl>https://github.com/arcus-azure/arcus.security</RepositoryUrl>
+    <RepositoryType>Git</RepositoryType>
+    <PackageTags>HashiCorp;OSS;Security</PackageTags>
+    <AssemblyName>Arcus.Security.Providers.HashiCorp</AssemblyName>
+    <RootNamespace>Arcus.Security.Providers.HashiCorp</RootNamespace>
+    <PackageId>Arcus.Security.Providers.HashiCorp</PackageId>
+    <GeneratePackageOnBuild>true</GeneratePackageOnBuild>
+    <GenerateDocumentationFile>true</GenerateDocumentationFile>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="VaultSharp" Version="1.4.0.5" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\Arcus.Security.Core\Arcus.Security.Core.csproj" />
+  </ItemGroup>
+
+</Project>