v1.0.4

- Password encryption/decryption added using DPAPI on Win and equivalent for Mac.

Author: swhitley

CLARiNET.csproj

@@ -7,11 +7,14 @@
     <PackageIcon>CLARiNET.ico</PackageIcon>
     <PackageIconUrl />
     <ApplicationIcon>CLARiNET.ico</ApplicationIcon>
-    <Version>1.0.2</Version>
+    <Version>1.0.4</Version>
   </PropertyGroup>
 
   <ItemGroup>
     <PackageReference Include="CommandLineParser" Version="2.8.0" />
+    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="5.0.9" />
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="5.0.2" />
+    <PackageReference Include="System.Security.Cryptography.ProtectedData" Version="5.0.0" />
   </ItemGroup>
 
   <ItemGroup>

CommandLineOptions.cs

@@ -24,10 +24,15 @@ public class Options
         [Value(index: 4, MetaName = "Username", Required = false, HelpText = "Username")]
         public string Username { get; set; }
 
-        [Value(index: 5, MetaName = "Password", Required = false, HelpText = "Password")]
+        [Value(index: 5, MetaName = "Password", Required = false, HelpText = "Password (must be encrypted using the -e option)")]
         public string Password { get; set; }
 
-        [Option('e', "environments", Required = false,
+        [Option('e', "encrypt", Required = false,
+          HelpText =
+              "Encrypt a password for use on the command line")]
+        public bool Encrypt { get; set; }
+
+        [Option('w', "wdenvironments", Required = false,
          HelpText =
              "Display the Workday environments and their associated numbers")]
         public bool PrintEnvironments { get; set; }

Crypto.cs

@@ -0,0 +1,133 @@
+using System;
+using System.Text;
+using System.Security.Cryptography;
+using System.Runtime.InteropServices;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.AspNetCore.DataProtection;
+using System.IO;
+using System.Security.Cryptography.X509Certificates;
+
+namespace CLARiNET
+{
+    class Crypto
+    {
+        public static string Protect(string stringToEncrypt)
+        {
+            if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+            {
+                return Convert.ToBase64String(
+                    ProtectedData.Protect(
+                        Encoding.UTF8.GetBytes(stringToEncrypt)
+                        , null
+                        , DataProtectionScope.CurrentUser));
+            }
+            else
+            {
+                return Convert.ToBase64String(
+                    ProtectMac(stringToEncrypt)
+                );
+            }
+        }
+
+        public static string Unprotect(string encryptedString)
+        {
+            if (String.IsNullOrEmpty(encryptedString))
+            {
+                return "";
+            }
+
+            if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+            {
+                return Encoding.UTF8.GetString(
+                ProtectedData.Unprotect(
+                    Convert.FromBase64String(encryptedString)
+                    , null
+                    , DataProtectionScope.CurrentUser));
+            }
+            else
+            {
+                return Encoding.UTF8.GetString(
+                    UnProtectMac(Convert.FromBase64String(encryptedString)));
+            }
+        }
+
+        // Credit: Oleg Batashov
+        // https://simplecodesoftware.com/articles/how-to-encrypt-data-on-macos-without-dpapi
+        private static IDataProtector MacEncryption()
+        {
+            IServiceCollection serviceCollection = new ServiceCollection();
+            ConfigureServices(serviceCollection);
+            IDataProtector dataProtector = serviceCollection
+                .BuildServiceProvider()
+                .GetDataProtector(purpose: "MacOsEncryption");
+
+            return dataProtector;
+        }
+
+        private static byte[] ProtectMac(string stringToEncrypt)
+        {
+            return MacEncryption().Protect(Encoding.UTF8.GetBytes(stringToEncrypt));
+        }
+
+        private static byte[] UnProtectMac(byte[] encryptedBytes)
+        {
+            return MacEncryption().Unprotect(encryptedBytes);
+        }
+
+        private static void ConfigureServices(IServiceCollection serviceCollection)
+        {
+            X509Certificate2 cert = SetupDataProtectionCertificate();
+
+            serviceCollection.AddDataProtection()
+                .PersistKeysToFileSystem(new DirectoryInfo(AppDomain.CurrentDomain.BaseDirectory))
+                .SetApplicationName("CLARiNET")
+                .ProtectKeysWithCertificate(cert);
+        }
+
+        static X509Certificate2 SetupDataProtectionCertificate()
+        {
+            string subjectName = "CN=CLARiNET Data Protection Certificate";
+            string subjectNameFind = subjectName.Substring(3);
+
+            using (X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser, OpenFlags.ReadOnly))
+            {
+                X509Certificate2Collection certificateCollection = store.Certificates.Find(X509FindType.FindBySubjectName,
+                    subjectNameFind,
+                    // self-signed certificate won't pass X509 chain validation
+                    validOnly: false);
+                if (certificateCollection.Count > 0)
+                {
+                    return certificateCollection[0];
+                }
+
+                X509Certificate2 certificate = CreateSelfSignedDataProtectionCertificate(subjectName);
+                InstallCertificateAsNonExportable(certificate);
+                return certificate;
+            }
+        }
+
+        static X509Certificate2 CreateSelfSignedDataProtectionCertificate(string subjectName)
+        {            
+            using (RSA rsa = RSA.Create(2048))
+            {
+                CertificateRequest request = new CertificateRequest(subjectName, rsa, HashAlgorithmName.SHA256,
+                    RSASignaturePadding.Pkcs1);
+                X509Certificate2 cert = request.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-1), DateTimeOffset.UtcNow.AddYears(50));
+                return cert;
+            }
+        }
+
+        static void InstallCertificateAsNonExportable(X509Certificate2 cert)
+        {
+            byte[] rawData = cert.Export(X509ContentType.Pkcs12, password: "CLARiNET" );
+            X509Certificate2 certPersistKey = new X509Certificate2(rawData, "CLARiNET", X509KeyStorageFlags.PersistKeySet);
+
+            using (X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
+            {
+                store.Open(OpenFlags.MaxAllowed | OpenFlags.ReadWrite);
+                store.Add(certPersistKey);                
+                store.Close();
+            }
+        }
+    }
+}

Program.cs

@@ -33,14 +33,33 @@ static void Main(string[] args)
                     return;
                 }
 
+                if (options.Encrypt)
+                {
+                    Console.WriteLine("Enter a password to encrypt:\n");
+                    string pass = PasswordPrompt();
+                    string encPass = "";
+                    try
+                    {
+                        encPass = Crypto.Protect(pass);
+                    }
+                    // Perform a retry
+                    catch
+                    {
+                        encPass = Crypto.Protect(pass);
+                    }
+                    Console.WriteLine("\n\n" + encPass);
+                    Console.WriteLine("\n");
+                    return;
+                }
+
                 if (options.PrintEnvironments)
                 {
                     PrintEnvironments(envs);
                     return;
                 }
 
                 // CLAR file
-                if (options.ClarFile == null)
+                if (String.IsNullOrEmpty(options.ClarFile))
                 {
                     // Check for a single CLAR file in this directory.
                     string[] files = Directory.GetFiles(AppDomain.CurrentDomain.BaseDirectory, "*.clar");
@@ -58,15 +77,15 @@ static void Main(string[] args)
                 }
 
                 // Collection Name
-                if (options.CollectionName == null)
+                if (String.IsNullOrEmpty(options.CollectionName))
                 {
                     Console.WriteLine("Enter the Workday Cloud Collection name:\n");
                     options.CollectionName = Console.ReadLine().Trim();
                     Console.WriteLine("");
                 }
 
                 // Environment Number
-                if (options.EnvNum == null)
+                if (String.IsNullOrEmpty(options.EnvNum))
                 {
                     do
                     {
@@ -98,27 +117,31 @@ static void Main(string[] args)
                 }
 
                 // Tenant
-                if (options.Tenant == null)
+                if (String.IsNullOrEmpty(options.Tenant))
                 {
                     Console.WriteLine("Enter the tenant:\n");
                     options.Tenant = Console.ReadLine().Trim();
                     Console.WriteLine("");
                 }
 
                 // Username
-                if (options.Username == null)
+                if (String.IsNullOrEmpty(options.Username))
                 {
                     Console.WriteLine("Enter the username:\n");
                     options.Username = Console.ReadLine().Trim();
                     Console.WriteLine("");
                 }
 
                 // Password
-                if (options.Password == null)
+                if (String.IsNullOrEmpty(options.Password))
                 {
                     Console.WriteLine("Enter the password (will not be displayed):\n");
                     options.Password = PasswordPrompt();
                 }
+                else
+                {
+                    options.Password = Crypto.Unprotect(options.Password);
+                }
 
                 Console.WriteLine("\n\nDeploying the CLAR and awaiting the result...\n\n");
 
@@ -127,12 +150,22 @@ static void Main(string[] args)
                 options.Username = options.Username + "@" + options.Tenant;
                 url = url.Replace("{host}", host) + options.CollectionName;
                 string result = WDWebService.CallRest(options.Tenant, options.Username, options.Password, url, "PUT", bytes);
-                Console.WriteLine("Result:\n");
-                Console.WriteLine(result);
+
+                if (result.IndexOf("<?xml") < 0)
+                {
+                    Console.WriteLine("No XML response detected.  Workday may be unavailable or your parameters are incorrect.");
+                }
+                else
+                {
+                    Console.WriteLine("Result:\n");
+                    Console.WriteLine(result);
+                    Console.WriteLine("\n");
+                }
             }
             catch (Exception ex)
             {
-                Console.WriteLine(ex.Message);
+                Console.WriteLine("\n\n" + ex.Message);
+                Console.WriteLine("\n");
             }
         }