From 5410a9f9a0f18a666db8eb5b41421ed52136fc8c Mon Sep 17 00:00:00 2001
From: Sergio Matias Urquin
Date: Sun, 1 Jun 2025 21:03:03 -0600
Subject: [PATCH] Implement hashi corp vault
---
 .../Configuration/RegisterBlueprint.cs | 29 ++-
 .../Configuration/VaultOptions.cs | 16 ++
 .../Core.Blueprint.KeyVault.csproj | 2 +
 .../Provider/KeyVaultProvider.cs | 215 +++++++++++-------
 4 files changed, 170 insertions(+), 92 deletions(-)
 create mode 100644 Core.Blueprint.KeyVault/Configuration/VaultOptions.cs
diff --git a/Core.Blueprint.KeyVault/Configuration/RegisterBlueprint.cs b/Core.Blueprint.KeyVault/Configuration/RegisterBlueprint.cs
index ea094e9..0b2ce9a 100644
--- a/Core.Blueprint.KeyVault/Configuration/RegisterBlueprint.cs
+++ b/Core.Blueprint.KeyVault/Configuration/RegisterBlueprint.cs
@@ -16,17 +16,34 @@ namespace Core.Blueprint.KeyVault.Configuration
 {
 public static IServiceCollection AddKeyVault(this IServiceCollection services, IConfiguration configuration)
 {
- var keyVaultUriString = configuration["ConnectionStrings:KeyVaultDAL"];
- if (string.IsNullOrEmpty(keyVaultUriString))
+ var environment = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") ?? string.Empty;
+
+ if(environment == "Local")
 {
- throw new ArgumentNullException("ConnectionStrings:KeyVault", "KeyVault URI is missing in the configuration.");
+ var vaultSettings = configuration.GetSection("Vault").Get();
+
+ if (string.IsNullOrEmpty(vaultSettings?.Address) || string.IsNullOrEmpty(vaultSettings.Token) ||
+ string.IsNullOrEmpty(vaultSettings?.SecretPath) || string.IsNullOrEmpty(vaultSettings.SecretMount))
+ {
+ throw new ArgumentNullException("Vault options are not configured correctly.");
+ }
+
+ services.AddSingleton(vaultSettings);
 }
+ else
+ {
+ var keyVaultUriString = configuration["ConnectionStrings:KeyVaultDAL"];
- var keyVaultUri = new Uri(keyVaultUriString);
+ if (string.IsNullOrEmpty(keyVaultUriString))
+ {
+ throw new ArgumentNullException("ConnectionStrings:KeyVault", "KeyVault URI is missing in the configuration.");
+ }
- // Register SecretClient as a singleton
- services.AddSingleton(_ => new SecretClient(keyVaultUri, new DefaultAzureCredential()));
+ var keyVaultUri = new Uri(keyVaultUriString);
+
+ services.AddSingleton(_ => new SecretClient(keyVaultUri, new DefaultAzureCredential()));
+ }
 services.AddSingleton();
 return services;
diff --git a/Core.Blueprint.KeyVault/Configuration/VaultOptions.cs b/Core.Blueprint.KeyVault/Configuration/VaultOptions.cs
new file mode 100644
index 0000000..48aa990
--- /dev/null
+++ b/Core.Blueprint.KeyVault/Configuration/VaultOptions.cs
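Review bot: `throw new ArgumentNullException("Vault options are not configured correctly.")` in the Local branch passes the message as `paramName`, so the exception surfaces as `Value cannot be null. (Parameter 'Vault options are not configured correctly.')` and the intended text is buried; a missing configuration section is not a null argument to this method, so `throw new InvalidOperationException("Vault options are not configured correctly.");` is the right type. The Azure branch's `ArgumentNullException("ConnectionStrings:KeyVault", ...)` names a key that differs from the one actually read, `ConnectionStrings:KeyVaultDAL`, which sends whoever hits it to the wrong setting. `vaultSettings.Token` is a Vault bearer token read from `IConfiguration`; a line such as `// Vault:Token is a credential — supply it via user-secrets or an environment variable, not a committed appsettings file` above the section binding documents the intended source for local developers. The null-conditional on `vaultSettings?.SecretPath` after `vaultSettings.Token` has already been dereferenced in the same condition is inconsistent and can be a plain `.`.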
@@ -0,0 +1,16 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Core.Blueprint.KeyVault.Configuration
+{
+ public class VaultOptions
+ {
+ public string Address { get; set; } = string.Empty;
+ public string Token { get; set; } = string.Empty;
+ public string SecretMount { get; set; } = string.Empty;
+ public string SecretPath { get; set; } = string.Empty;
+ }
+}
diff --git a/Core.Blueprint.KeyVault/Core.Blueprint.KeyVault.csproj b/Core.Blueprint.KeyVault/Core.Blueprint.KeyVault.csproj
index 84d4a87..7e8dd63 100644
--- a/Core.Blueprint.KeyVault/Core.Blueprint.KeyVault.csproj
+++ b/Core.Blueprint.KeyVault/Core.Blueprint.KeyVault.csproj
@@ -10,7 +10,9 @@
+
+
diff --git a/Core.Blueprint.KeyVault/Provider/KeyVaultProvider.cs b/Core.Blueprint.KeyVault/Provider/KeyVaultProvider.cs
index 707fb5c..74d495e 100644
--- a/Core.Blueprint.KeyVault/Provider/KeyVaultProvider.cs
+++ b/Core.Blueprint.KeyVault/Provider/KeyVaultProvider.cs
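Review bot: `VaultOptions` carries no XML documentation, and `Token` is a bearer credential bound straight from the `Vault` configuration section, so nothing in the file says where it is expected to come from. A class summary such as `/// <summary>Connection settings for the HashiCorp Vault used when ASPNETCORE_ENVIRONMENT is "Local"; bound from the "Vault" configuration section.</summary>` and, on `Token`, `/// <remarks>Token-auth credential; source it from user-secrets or an environment variable rather than a committed appsettings file.</remarks>` would make the contract explicit. `SecretMount` and `SecretPath` deserve a line each stating that they name the KV mount and the single path under which every secret is stored as a key, because the provider's write and delete calls operate on that whole path. The `System.Linq`, `System.Text` and `System.Threading.Tasks` usings are unused in this file.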
@@ -1,93 +1,136 @@
-using Azure;
-using Azure.Security.KeyVault.Secrets;
+using Azure.Security.KeyVault.Secrets;
+using VaultSharp;
+using VaultSharp.V1.AuthMethods.Token;
+using Core.Blueprint.KeyVault.Configuration;
+using Microsoft.Extensions.Configuration;
-namespace Core.Blueprint.KeyVault
+namespace Core.Blueprint.KeyVault;
+
+///
+/// Provides operations for managing secrets in Azure Key Vault or HashiCorp Vault transparently based on the environment.
+///
+public sealed class KeyVaultProvider : IKeyVaultProvider
 {
- ///
- /// Provides operations for managing secrets in Azure Key Vault.
- ///
- public sealed class KeyVaultProvider(SecretClient keyVaultProvider): IKeyVaultProvider
+ private readonly string environment;
+ private readonly SecretClient? azureClient;
+ private readonly IVaultClient? hashiClient;
+ private readonly VaultOptions? hashiOptions;
+
+ public KeyVaultProvider(IConfiguration configuration)
 {
- ///
- /// Creates a new secret in Azure Key Vault.
- ///
- /// The request containing the name and value of the secret.
- /// The cancellation token to cancel the operation.
- /// A containing the details of the created secret.
- public async ValueTask CreateSecretAsync(KeyVaultRequest keyVaultRequest, CancellationToken cancellationToken)
+ environment = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") ?? "Production";
+
+ if (environment == "Local")
 {
- KeyVaultResponse _response = new();
- KeyVaultSecret azureResponse = await keyVaultProvider.SetSecretAsync(new KeyVaultSecret(keyVaultRequest.Name, keyVaultRequest.Value), cancellationToken);
-
- _response.Value = azureResponse.Value;
- _response.Name = azureResponse.Name;
-
- return _response;
- }
-
- ///
- /// Deletes a secret from Azure Key Vault if it exists.
- ///
- /// The name of the secret to delete.
- /// The cancellation token to cancel the operation.
- ///
- /// A containing a status message and a boolean indicating whether the secret was successfully deleted.
- ///
- public async ValueTask> DeleteSecretAsync(string secretName, CancellationToken cancellationToken)
- {
- var existingSecret = await this.GetSecretAsync(secretName, cancellationToken);
- if (existingSecret != null)
- {
- await keyVaultProvider.StartDeleteSecretAsync(secretName, cancellationToken);
- return new("Key Deleted", true);
- }
-
- return new("Key Not Found", false);
- }
-
- ///
- /// Retrieves a secret from Azure Key Vault.
- ///
- /// The name of the secret to retrieve.
- /// The cancellation token to cancel the operation.
- ///
- /// A containing the with secret details
- /// and an optional error message if the secret was not found.
- ///
- public async ValueTask> GetSecretAsync(string secretName, CancellationToken cancellationToken)
- {
- KeyVaultSecret azureResponse = await keyVaultProvider.GetSecretAsync(secretName, cancellationToken: cancellationToken);
-
- if (azureResponse == null)
- {
- return new(new KeyVaultResponse(), "Key Not Found");
- }
-
- return new(new KeyVaultResponse { Name = secretName, Value = azureResponse.Value }, string.Empty);
- }
-
- ///
- /// Updates an existing secret in Azure Key Vault. If the secret does not exist, an error is returned.
- ///
- /// The updated secret information.
- /// The cancellation token to cancel the operation.
- ///
- /// A containing the updated and an optional error message if the secret was not found.
- ///
- public async ValueTask> UpdateSecretAsync(KeyVaultRequest newSecret, CancellationToken cancellationToken)
- {
- KeyVaultResponse _response = new();
- var existingSecret = await this.GetSecretAsync(newSecret.Name, cancellationToken);
- if (existingSecret == null)
- {
- return new(new KeyVaultResponse(), "Key Not Found");
- }
- KeyVaultSecret azureResponse = await keyVaultProvider.SetSecretAsync(new KeyVaultSecret(newSecret.Name, newSecret.Value), cancellationToken);
-
- _response.Value = azureResponse.Value;
- _response.Name = azureResponse.Name;
-
- return new(new KeyVaultResponse { Name = newSecret.Name, Value = azureResponse.Value }, string.Empty);
+ hashiOptions = configuration.GetSection("Vault").Get();
+ hashiClient = new VaultClient(new VaultClientSettings(
+ hashiOptions?.Address,
+ new TokenAuthMethodInfo(hashiOptions?.Token)
+ ));
 }
 }
+
+ ///
+ /// Creates a new secret in Azure Key Vault or HashiCorp Vault.
+ ///
+ /// The request containing the name and value of the secret.
+ /// The cancellation token to cancel the operation.
+ /// A containing the details of the created secret.
+ public async ValueTask CreateSecretAsync(KeyVaultRequest keyVaultRequest, CancellationToken cancellationToken)
+ {
+ if (environment == "Local")
+ {
+ await hashiClient!.V1.Secrets.KeyValue.V2.WriteSecretAsync(
+ path: hashiOptions!.SecretPath,
+ data: new Dictionary { { keyVaultRequest.Name, keyVaultRequest.Value } },
+ mountPoint: hashiOptions.SecretMount
+ );
+ return new KeyVaultResponse { Name = keyVaultRequest.Name, Value = keyVaultRequest.Value };
+ }
+
+ KeyVaultSecret azureResponse = await azureClient!.SetSecretAsync(
+ new KeyVaultSecret(keyVaultRequest.Name, keyVaultRequest.Value), cancellationToken
+ );
+
+ return new KeyVaultResponse { Name = azureResponse.Name, Value = azureResponse.Value };
+ }
+
+ ///
+ /// Deletes a secret from Azure Key Vault or HashiCorp Vault if it exists.
+ ///
+ /// The name of the secret to delete.
+ /// The cancellation token to cancel the operation.
+ ///
+ /// A containing a status message and a boolean indicating whether the secret was successfully deleted.
+ ///
+ public async ValueTask> DeleteSecretAsync(string secretName, CancellationToken cancellationToken)
+ {
+ if (environment == "Local")
+ {
+ await hashiClient!.V1.Secrets.KeyValue.V2.DeleteSecretAsync(
+ path: hashiOptions!.SecretPath,
+ mountPoint: hashiOptions.SecretMount
+ );
+
+ return new("Key Deleted", true);
+ }
+
+ var existingSecret = await this.GetSecretAsync(secretName, cancellationToken);
+ if (existingSecret != null)
+ {
+ await azureClient!.StartDeleteSecretAsync(secretName, cancellationToken);
+ return new("Key Deleted", true);
+ }
+
+ return new("Key Not Found", false);
+ }
+
+ ///
+ /// Retrieves a secret from Azure Key Vault or HashiCorp Vault.
+ ///
+ /// The name of the secret to retrieve.
+ /// The cancellation token to cancel the operation.
+ ///
+ /// A containing the with secret details
+ /// and an optional error message if the secret was not found.
+ ///
+ public async ValueTask> GetSecretAsync(string secretName, CancellationToken cancellationToken)
+ {
+ if (environment == "Local")
+ {
+ var secret = await hashiClient!.V1.Secrets.KeyValue.V2.ReadSecretAsync(
+ path: hashiOptions!.SecretPath,
+ mountPoint: hashiOptions.SecretMount
+ );
+
+ if (secret.Data.Data.TryGetValue(secretName, out var value))
+ {
+ return new(new KeyVaultResponse { Name = secretName, Value = value?.ToString() ?? "" }, string.Empty);
+ }
+
+ return new(new KeyVaultResponse(), "Key Not Found");
+ }
+
+ KeyVaultSecret azureResponse = await azureClient!.GetSecretAsync(secretName, cancellationToken: cancellationToken);
+ return new(new KeyVaultResponse { Name = secretName, Value = azureResponse.Value }, string.Empty);
+ }
+
+ ///
+ /// Updates an existing secret in Azure Key Vault or HashiCorp Vault. If the secret does not exist, an error is returned.
+ ///
+ /// The updated secret information.
+ /// The cancellation token to cancel the operation.
+ ///
+ /// A containing the updated and an optional error message if the secret was not found.
+ ///
+ public async ValueTask> UpdateSecretAsync(KeyVaultRequest newSecret, CancellationToken cancellationToken)
+ {
+ var existingSecret = await this.GetSecretAsync(newSecret.Name, cancellationToken);
+ if (existingSecret == null)
+ {
+ return new(new KeyVaultResponse(), "Key Not Found");
+ }
+
+ return new(await CreateSecretAsync(newSecret, cancellationToken), string.Empty);
+ }
 }
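Review bot: `azureClient` is declared as a field but never assigned — the new constructor only populates `hashiOptions` and `hashiClient` inside the `Local` branch — so every non-Local call (`azureClient!.SetSecretAsync`, `azureClient!.StartDeleteSecretAsync`, `azureClient!.GetSecretAsync`) dereferences null, and the `SecretClient` singleton that `AddKeyVault` registers is never consumed. Taking the `SecretClient` as an optional constructor parameter and assigning it in an `else` branch restores the Azure path and fails at construction rather than on first use (sketch below; this relies on the DI container supplying the default for an unregistered optional parameter, which Microsoft.Extensions.DependencyInjection does — confirm if another container is in play). Separately, the Local `DeleteSecretAsync` ignores `secretName` and deletes the whole KV v2 secret at `SecretPath` — every key stored there — and `WriteSecretAsync` in `CreateSecretAsync` replaces the entire data map at that path, so creating one key silently drops its siblings; reading the existing `Data.Data` map with `ReadSecretAsync`, adding or removing the single key, and writing the result back keeps the other keys intact. The return type of `GetSecretAsync` is not visible here, but the method always returns a constructed value, so `existingSecret != null` in `DeleteSecretAsync` and `existingSecret == null` in `UpdateSecretAsync` can never take the "Key Not Found" branch; checking the returned error string instead would make those branches reachable.
```csharp
public KeyVaultProvider(IConfiguration configuration, SecretClient? secretClient = null)
{
    environment = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") ?? "Production";

    if (environment == "Local")
    {
        // … unchanged: VaultOptions binding and VaultClient construction …
    }
    else
    {
        // Fail here, with a clear message, rather than on the first azureClient! dereference.
        azureClient = secretClient
            ?? throw new InvalidOperationException("SecretClient is not registered; call AddKeyVault before resolving IKeyVaultProvider.");
    }
}
```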