| | | 1 | | namespace Envilder.Infrastructure.Aws; |
| | | 2 | | |
| | | 3 | | using Amazon.SimpleSystemsManagement; |
| | | 4 | | using Amazon.SimpleSystemsManagement.Model; |
| | | 5 | | using global::Envilder.Domain.Ports; |
| | | 6 | | using System; |
| | | 7 | | using System.Threading; |
| | | 8 | | using System.Threading.Tasks; |
| | | 9 | | |
| | | 10 | | /// <summary> |
| | | 11 | | /// <see cref="ISecretProvider"/> backed by AWS Systems Manager Parameter Store. |
| | | 12 | | /// Parameters are retrieved with decryption enabled so that <c>SecureString</c> |
| | | 13 | | /// values are returned in plain text. |
| | | 14 | | /// </summary> |
| | | 15 | | public class AwsSsmSecretProvider : ISecretProvider |
| | | 16 | | { |
| | | 17 | | private readonly IAmazonSimpleSystemsManagement _ssmClient; |
| | | 18 | | private readonly string? _profile; |
| | | 19 | | |
| | | 20 | | /// <summary> |
| | | 21 | | /// Initializes a new instance using the supplied SSM client. |
| | | 22 | | /// </summary> |
| | | 23 | | /// <param name="ssmClient">A configured <see cref="IAmazonSimpleSystemsManagement"/> instance.</param> |
| | | 24 | | /// <param name="profile">The AWS profile in use, surfaced when an SSO session has expired.</param> |
| | 1 | 25 | | public AwsSsmSecretProvider(IAmazonSimpleSystemsManagement ssmClient, string? profile = null) |
| | | 26 | | { |
| | 1 | 27 | | _ssmClient = ssmClient ?? throw new ArgumentNullException(nameof(ssmClient)); |
| | 1 | 28 | | _profile = profile; |
| | 1 | 29 | | } |
| | | 30 | | |
| | | 31 | | /// <inheritdoc /> |
| | | 32 | | public async Task<string?> GetSecretAsync(string name, CancellationToken cancellationToken = default) |
| | | 33 | | { |
| | 1 | 34 | | if (string.IsNullOrWhiteSpace(name)) |
| | | 35 | | { |
| | 0 | 36 | | throw new ArgumentException("Secret name cannot be null or whitespace.", nameof(name)); |
| | | 37 | | } |
| | | 38 | | |
| | | 39 | | try |
| | | 40 | | { |
| | 1 | 41 | | var response = await _ssmClient.GetParameterAsync(new() { Name = name, WithDecryption = true }, cancellationToken) |
| | 1 | 42 | | return response.Parameter.Value; |
| | | 43 | | } |
| | 1 | 44 | | catch (ParameterNotFoundException) |
| | | 45 | | { |
| | 1 | 46 | | return null; |
| | | 47 | | } |
| | 1 | 48 | | catch (Exception ex) when (SsoSessionExpiredDetector.IsSsoSessionExpired(ex)) |
| | | 49 | | { |
| | 1 | 50 | | throw new SsoSessionExpiredException(_profile, ex); |
| | | 51 | | } |
| | 1 | 52 | | catch (Exception ex) when (ExpiredCredentialsDetector.IsExpiredCredentials(ex)) |
| | | 53 | | { |
| | 1 | 54 | | throw new ExpiredCredentialsException(ex); |
| | | 55 | | } |
| | 1 | 56 | | } |
| | | 57 | | |
| | | 58 | | /// <inheritdoc /> |
| | | 59 | | public string? GetSecret(string name) |
| | | 60 | | { |
| | 1 | 61 | | if (string.IsNullOrWhiteSpace(name)) |
| | | 62 | | { |
| | 0 | 63 | | throw new ArgumentException("Secret name cannot be null or whitespace.", nameof(name)); |
| | | 64 | | } |
| | | 65 | | |
| | | 66 | | try |
| | | 67 | | { |
| | 1 | 68 | | using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(60)); |
| | | 69 | | #pragma warning disable VSTHRD002 // AWS SDK v4 has no synchronous GetParameter API |
| | 1 | 70 | | var response = Task.Run(() => _ssmClient.GetParameterAsync(new() { Name = name, WithDecryption = true }, cts.Token |
| | | 71 | | #pragma warning restore VSTHRD002 |
| | 1 | 72 | | return response.Parameter.Value; |
| | | 73 | | } |
| | 1 | 74 | | catch (ParameterNotFoundException) |
| | | 75 | | { |
| | 1 | 76 | | return null; |
| | | 77 | | } |
| | 1 | 78 | | catch (Exception ex) when (SsoSessionExpiredDetector.IsSsoSessionExpired(ex)) |
| | | 79 | | { |
| | 1 | 80 | | throw new SsoSessionExpiredException(_profile, ex); |
| | | 81 | | } |
| | 1 | 82 | | catch (Exception ex) when (ExpiredCredentialsDetector.IsExpiredCredentials(ex)) |
| | | 83 | | { |
| | 1 | 84 | | throw new ExpiredCredentialsException(ex); |
| | | 85 | | } |
| | 1 | 86 | | } |
| | | 87 | | } |