Implement stored credential unlock where allowed by the credential, add optional expiry info

Author: webprofusion-chrisc

src/Certify.CLI/CertifyCLI.StoredCredentials.cs

@@ -25,7 +25,7 @@ internal async Task UpdateStoredCredential(string[] args)
             var cred = new StoredCredential
             {
                 StorageKey = storageKey,
-                DateCreated = DateTime.UtcNow,
+                DateCreated = DateTimeOffset.UtcNow,
                 ProviderType = credentialType,
                 Secret = secretValue,
                 Title = title

src/Certify.Core/Management/CertifyManager/CertifyManager.ManagementHub.cs

@@ -617,6 +617,31 @@ public async Task<InstanceCommandResult> PerformHubCommandWithResult(InstanceCom
                 var itemArg = args.FirstOrDefault(a => a.Key == "storageKey");
                 val = await _credentialsManager.Delete(_itemManager, itemArg.Value);
             }
+            else if (arg.CommandType == ManagementHubCommands.UnlockStoredCredential)
+            {
+                var args = JsonSerializer.Deserialize<KeyValuePair<string, string>[]>(arg.Value, JsonOptions.DefaultJsonSerializerOptions);
+                var itemArg = args.FirstOrDefault(a => a.Key == "storageKey");
+                var key = itemArg.Value;
+                var cred = await _credentialsManager.GetCredential(key);
+                if (cred.AllowUnlock)
+                {
+                    var unlockedCredValue = await _credentialsManager.GetUnlockedCredential(key);
+                    if (unlockedCredValue != null)
+                    {
+
+                        cred.Secret = unlockedCredValue;
+                        val = new StoredCredentialUnlockResult { IsSuccess = true, Result = cred };
+                    }
+                    else
+                    {
+                        val = null;
+                    }
+                }
+                else
+                {
+                    val = new StoredCredentialUnlockResult { IsSuccess = false, Message = "This credential does not allow unlocking" };
+                }
+            }
             else if (arg.CommandType == ManagementHubCommands.GetChallengeProviders)
             {
                 val = await Core.Management.Challenges.ChallengeProviders.GetChallengeAPIProviders();

src/Certify.Models/Config/StoredCredential.cs

@@ -7,11 +7,26 @@ public class StoredCredential
         public string? ProviderType { get; set; } = string.Empty;
         public string? Title { get; set; } = string.Empty;
         public string? StorageKey { get; set; }
-        public DateTime DateCreated { get; set; }
+        public DateTimeOffset DateCreated { get; set; }
+
+        /// <summary>
+        /// Optionally set expiry date for this credential, if not set we do not expect it to expire
+        /// </summary>
+        public DateTimeOffset? DateExpiry { get; set; }
 
         /// <summary>
         /// Secret is only populated in the client when saving, the secret is not available to the UI 
         /// </summary>
         public string? Secret { get; set; }
+
+        /// <summary>
+        /// If true, this item can be unlocked for download or sharing to authorized consumers
+        /// </summary>
+        public bool AllowUnlock { get; set; }
+    }
+
+    public class StoredCredentialUnlockResult : ActionResult<StoredCredential>
+    {
+
     }
 }

src/Certify.Models/Hub/AccessControlConfig.cs

@@ -128,7 +128,7 @@ public static class StandardResourceActions
         public const string StoredCredentialUpdate = "storedcredential_update_action";
         public const string StoredCredentialDelete = "storedcredential_delete_action";
         public const string StoredCredentialList = "storedcredential_list_action";
-        public const string StoredCredentialDownload = "storedcredential_consumer_action";
+        public const string StoredCredentialReadSecret = "storedcredential_consumer_action";
 
         public const string SecurityPrincipalList = "securityprincipal_list_action";
         public const string SecurityPrincipalAdd = "securityprincipal_add_action";
@@ -247,7 +247,7 @@ public static List<ResourceAction> GetStandardResourceActions()
                 new(StandardResourceActions.StoredCredentialUpdate, "Update Stored Credential", ResourceTypes.StoredCredential),
                 new(StandardResourceActions.StoredCredentialDelete, "Delete Stored Credential", ResourceTypes.StoredCredential),
                 new(StandardResourceActions.StoredCredentialList, "List Stored Credentials", ResourceTypes.StoredCredential),
-                new(StandardResourceActions.StoredCredentialDownload, "Fetch Decrypted Stored Credential", ResourceTypes.StoredCredential),
+                new(StandardResourceActions.StoredCredentialReadSecret, "Fetch Decrypted Stored Credential", ResourceTypes.StoredCredential),
 
                 new(StandardResourceActions.SecurityPrincipalList, "List Security Principals", ResourceTypes.SecurityPrincipal),
                 new(StandardResourceActions.SecurityPrincipalAdd, "Add New Security Principal", ResourceTypes.SecurityPrincipal),
@@ -425,7 +425,7 @@ public static List<ResourcePolicy> GetStandardPolicies()
                     SecurityPermissionType = SecurityPermissionType.ALLOW,
                     IsResourceSpecific = true,
                     ResourceActions = [
-                        StandardResourceActions.StoredCredentialDownload
+                        StandardResourceActions.StoredCredentialReadSecret
                     ]
                 },
                 new() {

src/Certify.Models/Hub/ManagementHubMessages.cs

@@ -37,6 +37,7 @@ public class ManagementHubCommands
         public const string GetStoredCredentials = "GetStoredCredentials";
         public const string UpdateStoredCredential = "UpdateStoredCredential";
         public const string RemoveStoredCredential = "RemoveStoredCredential";
+        public const string UnlockStoredCredential = "UnlockStoredCredential";
 
         public const string GetChallengeProviders = "GetChallengeProviders";
         public const string GetDnsZones = "GetDnsZones";

src/Certify.Server/Certify.Server.Hub.Api.Client/Certify.Server.Hub.Api.Client.cs

@@ -1487,7 +1487,7 @@ public virtual async System.Threading.Tasks.Task<AuthResponse> LoginAsync(AuthRe
         }
 
         /// <summary>
-        /// Refresh users current auth token
+        /// Refresh users current auth token using refresh token
         /// </summary>
         /// <returns>OK</returns>
         /// <exception cref="ApiException">A server side error occurred.</exception>
@@ -1498,7 +1498,7 @@ public virtual System.Threading.Tasks.Task<AuthResponse> RefreshAsync(string ref
 
         /// <param name="cancellationToken">A cancellation token that can be used by other objects or threads to receive notice of cancellation.</param>
         /// <summary>
-        /// Refresh users current auth token
+        /// Refresh users current auth token using refresh token
         /// </summary>
         /// <returns>OK</returns>
         /// <exception cref="ApiException">A server side error occurred.</exception>
@@ -3350,7 +3350,7 @@ public virtual async System.Threading.Tasks.Task<ActionResult> RemoveAcmeAccount
         /// </summary>
         /// <returns>OK</returns>
         /// <exception cref="ApiException">A server side error occurred.</exception>
-        public virtual System.Threading.Tasks.Task<System.Collections.Generic.ICollection<DnsZone>> GetDnsZonesAsync(string instanceId, string providerTypeId, string credentialId)
+        public virtual System.Threading.Tasks.Task<DnsZoneQueryResult> GetDnsZonesAsync(string instanceId, string providerTypeId, string credentialId)
         {
             return GetDnsZonesAsync(instanceId, providerTypeId, credentialId, System.Threading.CancellationToken.None);
         }
@@ -3361,7 +3361,7 @@ public virtual async System.Threading.Tasks.Task<ActionResult> RemoveAcmeAccount
         /// </summary>
         /// <returns>OK</returns>
         /// <exception cref="ApiException">A server side error occurred.</exception>
-        public virtual async System.Threading.Tasks.Task<System.Collections.Generic.ICollection<DnsZone>> GetDnsZonesAsync(string instanceId, string providerTypeId, string credentialId, System.Threading.CancellationToken cancellationToken)
+        public virtual async System.Threading.Tasks.Task<DnsZoneQueryResult> GetDnsZonesAsync(string instanceId, string providerTypeId, string credentialId, System.Threading.CancellationToken cancellationToken)
         {
             if (instanceId == null)
                 throw new System.ArgumentNullException("instanceId");
@@ -3416,7 +3416,7 @@ public virtual async System.Threading.Tasks.Task<ActionResult> RemoveAcmeAccount
                         var status_ = (int)response_.StatusCode;
                         if (status_ == 200)
                         {
-                            var objectResponse_ = await ReadObjectResponseAsync<System.Collections.Generic.ICollection<DnsZone>>(response_, headers_, cancellationToken).ConfigureAwait(false);
+                            var objectResponse_ = await ReadObjectResponseAsync<DnsZoneQueryResult>(response_, headers_, cancellationToken).ConfigureAwait(false);
                             if (objectResponse_.Object == null)
                             {
                                 throw new ApiException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
@@ -5371,6 +5371,101 @@ public virtual async System.Threading.Tasks.Task<ActionResult> RemoveStoredCrede
             }
         }
 
+        /// <summary>
+        /// Unlock Stored Credential [Generated]
+        /// </summary>
+        /// <returns>OK</returns>
+        /// <exception cref="ApiException">A server side error occurred.</exception>
+        public virtual System.Threading.Tasks.Task<StoredCredentialUnlockResult> UnlockStoredCredentialAsync(string instanceId, string storageKey)
+        {
+            return UnlockStoredCredentialAsync(instanceId, storageKey, System.Threading.CancellationToken.None);
+        }
+
+        /// <param name="cancellationToken">A cancellation token that can be used by other objects or threads to receive notice of cancellation.</param>
+        /// <summary>
+        /// Unlock Stored Credential [Generated]
+        /// </summary>
+        /// <returns>OK</returns>
+        /// <exception cref="ApiException">A server side error occurred.</exception>
+        public virtual async System.Threading.Tasks.Task<StoredCredentialUnlockResult> UnlockStoredCredentialAsync(string instanceId, string storageKey, System.Threading.CancellationToken cancellationToken)
+        {
+            if (instanceId == null)
+                throw new System.ArgumentNullException("instanceId");
+
+            if (storageKey == null)
+                throw new System.ArgumentNullException("storageKey");
+
+            var client_ = _httpClient;
+            var disposeClient_ = false;
+            try
+            {
+                using (var request_ = new System.Net.Http.HttpRequestMessage())
+                {
+                    request_.Content = new System.Net.Http.StringContent(string.Empty, System.Text.Encoding.UTF8, "application/json");
+                    request_.Method = new System.Net.Http.HttpMethod("POST");
+                    request_.Headers.Accept.Add(System.Net.Http.Headers.MediaTypeWithQualityHeaderValue.Parse("text/plain"));
+
+                    var urlBuilder_ = new System.Text.StringBuilder();
+                    if (!string.IsNullOrEmpty(_baseUrl)) urlBuilder_.Append(_baseUrl);
+                    // Operation Path: "internal/v1/credentials/{instanceId}/{storageKey}/unlock"
+                    urlBuilder_.Append("internal/v1/credentials/");
+                    urlBuilder_.Append(System.Uri.EscapeDataString(ConvertToString(instanceId, System.Globalization.CultureInfo.InvariantCulture)));
+                    urlBuilder_.Append('/');
+                    urlBuilder_.Append(System.Uri.EscapeDataString(ConvertToString(storageKey, System.Globalization.CultureInfo.InvariantCulture)));
+                    urlBuilder_.Append("/unlock");
+
+                    PrepareRequest(client_, request_, urlBuilder_);
+
+                    var url_ = urlBuilder_.ToString();
+                    request_.RequestUri = new System.Uri(url_, System.UriKind.RelativeOrAbsolute);
+
+                    PrepareRequest(client_, request_, url_);
+
+                    var response_ = await client_.SendAsync(request_, System.Net.Http.HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
+                    var disposeResponse_ = true;
+                    try
+                    {
+                        var headers_ = new System.Collections.Generic.Dictionary<string, System.Collections.Generic.IEnumerable<string>>();
+                        foreach (var item_ in response_.Headers)
+                            headers_[item_.Key] = item_.Value;
+                        if (response_.Content != null && response_.Content.Headers != null)
+                        {
+                            foreach (var item_ in response_.Content.Headers)
+                                headers_[item_.Key] = item_.Value;
+                        }
+
+                        ProcessResponse(client_, response_);
+
+                        var status_ = (int)response_.StatusCode;
+                        if (status_ == 200)
+                        {
+                            var objectResponse_ = await ReadObjectResponseAsync<StoredCredentialUnlockResult>(response_, headers_, cancellationToken).ConfigureAwait(false);
+                            if (objectResponse_.Object == null)
+                            {
+                                throw new ApiException("Response was null which was not expected.", status_, objectResponse_.Text, headers_, null);
+                            }
+                            return objectResponse_.Object;
+                        }
+                        else
+                        {
+                            var responseData_ = response_.Content == null ? null : await response_.Content.ReadAsStringAsync().ConfigureAwait(false);
+                            throw new ApiException("The HTTP status code of the response was not expected (" + status_ + ").", status_, responseData_, headers_, null);
+                        }
+                    }
+                    finally
+                    {
+                        if (disposeResponse_)
+                            response_.Dispose();
+                    }
+                }
+            }
+            finally
+            {
+                if (disposeClient_)
+                    client_.Dispose();
+            }
+        }
+
         /// <summary>
         /// Get the server software version
         /// </summary>

src/Certify.Server/Certify.Server.Hub.Api/Services/ManagementAPI.cs

@@ -1,4 +1,4 @@
-using System.Text.Json;
+using System.Text.Json;
 using Certify.Client;
 using Certify.Models;
 using Certify.Models.Config;
@@ -526,6 +526,25 @@ public async Task<StatusSummary> GetManagedCertificateSummary(AuthContext? curre
             return await PerformInstanceCommandTaskWithResult<ActionResult?>(instanceId, args, ManagementHubCommands.RemoveStoredCredential);
         }
 
+        /// <summary>
+        /// Unlocks (decrypts and fetches) a stored credential from the target instance.
+        /// </summary>
+        /// <param name="instanceId">The target instance identifier.</param>
+        /// <param name="storageKey">The storage key of the credential to unlock.</param>
+        /// <param name="authContext">The authentication context.</param>
+        /// <returns>An <see cref="StoredCredentialUnlockResult"/> decrypted stored credential result.</returns>
+        public async Task<StoredCredentialUnlockResult?> UnlockStoredCredential(string instanceId, string storageKey, AuthContext authContext)
+        {
+            // return populated stored credential via management hub
+
+            var args = new KeyValuePair<string, string>[] {
+                        new("instanceId", instanceId) ,
+                        new("storageKey",storageKey)
+                    };
+
+            return await PerformInstanceCommandTaskWithResult<StoredCredentialUnlockResult?>(instanceId, args, ManagementHubCommands.UnlockStoredCredential);
+        }
+
         /// <summary>
         /// Retrieves the log entries of a managed certificate from the target instance.
         /// </summary>

src/Certify.SourceGenerators/ApiMethods.cs

@@ -1,4 +1,4 @@
-using System;
+using System;
 using System.Collections.Generic;
 using System.Linq;
 using Certify.Models;
@@ -492,6 +492,18 @@ public static List<GeneratedAPI> GetApiDefinitions()
                     RequiredPermissions = [new(ResourceTypes.StoredCredential, StandardResourceActions.StoredCredentialDelete)]
                 },
                 new()
+                {
+                    OperationName = "UnlockStoredCredential",
+                    OperationMethod = HttpPost,
+                    Comment = "Unlock Stored Credential",
+                    UseManagementAPI = true,
+                    PublicAPIController = "StoredCredential",
+                    PublicAPIRoute = "{instanceId}/{storageKey}/unlock",
+                    ReturnType = GetFormattedTypeName(typeof(Models.Config.StoredCredentialUnlockResult)),
+                    Params = new Dictionary<string, string> { { "instanceId", "string" }, { "storageKey", "string" } },
+                    RequiredPermissions = [new(ResourceTypes.StoredCredential, StandardResourceActions.StoredCredentialReadSecret)]
+                },
+                new()
                 {
                     OperationName = "GetDeploymentProviders",
                     OperationMethod = HttpGet,

src/Certify.Tests/Certify.Core.Tests.Unit/Tests/AccessControlTests.cs

@@ -866,7 +866,7 @@ public void TestAllStandardResourceActionsAreAllowedByAtLeastOneRole()
                 .ToList();
 
             // Remove actions that are not applicable to the administrator role
-            actionsNotAllowedByAdmin.RemoveAll(a => a == StandardResourceActions.StoredCredentialDownload);
+            actionsNotAllowedByAdmin.RemoveAll(a => a == StandardResourceActions.StoredCredentialReadSecret);
             actionsNotAllowedByAdmin.RemoveAll(a => a == StandardResourceActions.ManagementHubInstanceJoin);
             actionsNotAllowedByAdmin.RemoveAll(a => a == StandardResourceActions.ManagedChallengeRequest);
             actionsNotAllowedByAdmin.RemoveAll(a => a == StandardResourceActions.ManagedChallengeCleanup);