Make AzureKeyVaultConfigurationProvider public (Azure#19788)

Author: pakrym

sdk/extensions/Azure.Extensions.AspNetCore.Configuration.Secrets/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## 1.1.0-beta.1 (Unreleased)
 
+### Added
+
+- The `AzureKeyVaultConfigurationProvider` was made public.
+- The `KeyVaultSecretManager.GetData` method was added to allow customizing the way secrets are turned into configuration values.
 
 ## 1.0.2 (2020-11-10)
 

sdk/extensions/Azure.Extensions.AspNetCore.Configuration.Secrets/api/Azure.Extensions.AspNetCore.Configuration.Secrets.netstandard2.0.cs

@@ -6,9 +6,17 @@ public AzureKeyVaultConfigurationOptions() { }
         public Azure.Extensions.AspNetCore.Configuration.Secrets.KeyVaultSecretManager Manager { get { throw null; } set { } }
         public System.TimeSpan? ReloadInterval { get { throw null; } set { } }
     }
+    public partial class AzureKeyVaultConfigurationProvider : Microsoft.Extensions.Configuration.ConfigurationProvider, System.IDisposable
+    {
+        public AzureKeyVaultConfigurationProvider(Azure.Security.KeyVault.Secrets.SecretClient client, Azure.Extensions.AspNetCore.Configuration.Secrets.AzureKeyVaultConfigurationOptions options = null) { }
+        public void Dispose() { }
+        protected virtual void Dispose(bool disposing) { }
+        public override void Load() { }
+    }
     public partial class KeyVaultSecretManager
     {
         public KeyVaultSecretManager() { }
+        public virtual System.Collections.Generic.Dictionary<string, string> GetData(System.Collections.Generic.IEnumerable<Azure.Security.KeyVault.Secrets.KeyVaultSecret> secrets) { throw null; }
         public virtual string GetKey(Azure.Security.KeyVault.Secrets.KeyVaultSecret secret) { throw null; }
         public virtual bool Load(Azure.Security.KeyVault.Secrets.SecretProperties secret) { throw null; }
     }

sdk/extensions/Azure.Extensions.AspNetCore.Configuration.Secrets/src/AzureKeyVaultConfigurationExtensions.cs

@@ -44,9 +44,8 @@ public static IConfigurationBuilder AddAzureKeyVault(
             TokenCredential credential,
             KeyVaultSecretManager manager)
         {
-            return AddAzureKeyVault(configurationBuilder, new AzureKeyVaultConfigurationOptions
+            return AddAzureKeyVault(configurationBuilder, new SecretClient(vaultUri, credential), new AzureKeyVaultConfigurationOptions
             {
-                Client = new SecretClient(vaultUri, credential),
                 Manager = manager
             });
         }
@@ -63,11 +62,10 @@ public static IConfigurationBuilder AddAzureKeyVault(
             SecretClient client,
             KeyVaultSecretManager manager)
         {
-            return configurationBuilder.Add(new AzureKeyVaultConfigurationSource(new AzureKeyVaultConfigurationOptions()
+            return AddAzureKeyVault(configurationBuilder, client, new AzureKeyVaultConfigurationOptions()
             {
-                Client = client,
                 Manager = manager
-            }));
+            });
         }
 
         /// <summary>
@@ -98,25 +96,13 @@ public static IConfigurationBuilder AddAzureKeyVault(
             this IConfigurationBuilder configurationBuilder,
             SecretClient client,
             AzureKeyVaultConfigurationOptions options)
-        {
-            options.Client = client;
-            return configurationBuilder.AddAzureKeyVault(options);
-        }
-
-        /// <summary>
-        /// Adds an <see cref="IConfigurationProvider"/> that reads configuration values from the Azure KeyVault.
-        /// </summary>
-        /// <param name="configurationBuilder">The <see cref="IConfigurationBuilder"/> to add to.</param>
-        /// <param name="options">The <see cref="AzureKeyVaultConfigurationOptions"/> to use.</param>
-        /// <returns>The <see cref="IConfigurationBuilder"/>.</returns>
-        internal static IConfigurationBuilder AddAzureKeyVault(this IConfigurationBuilder configurationBuilder, AzureKeyVaultConfigurationOptions options)
         {
             Argument.AssertNotNull(configurationBuilder, nameof(configurationBuilder));
             Argument.AssertNotNull(options, nameof(configurationBuilder));
-            Argument.AssertNotNull(options.Client, $"{nameof(options)}.{nameof(options.Client)}");
+            Argument.AssertNotNull(client, nameof(client));
             Argument.AssertNotNull(options.Manager, $"{nameof(options)}.{nameof(options.Manager)}");
 
-            configurationBuilder.Add(new AzureKeyVaultConfigurationSource(options));
+            configurationBuilder.Add(new AzureKeyVaultConfigurationSource(client, options));
 
             return configurationBuilder;
         }

sdk/extensions/Azure.Extensions.AspNetCore.Configuration.Secrets/src/AzureKeyVaultConfigurationOptions.cs

@@ -20,11 +20,6 @@ public AzureKeyVaultConfigurationOptions()
             Manager = KeyVaultSecretManager.Instance;
         }
 
-        /// <summary>
-        /// Gets or sets the <see cref="SecretClient"/> to use for retrieving values.
-        /// </summary>
-        internal SecretClient Client { get; set; }
-
         /// <summary>
         /// Gets or sets the <see cref="KeyVaultSecretManager"/> instance used to control secret loading.
         /// </summary>

sdk/extensions/Azure.Extensions.AspNetCore.Configuration.Secrets/src/AzureKeyVaultConfigurationProvider.cs

@@ -15,36 +15,38 @@ namespace Azure.Extensions.AspNetCore.Configuration.Secrets
     /// <summary>
     /// An AzureKeyVault based <see cref="ConfigurationProvider"/>.
     /// </summary>
-    internal class AzureKeyVaultConfigurationProvider : ConfigurationProvider, IDisposable
+    public class AzureKeyVaultConfigurationProvider : ConfigurationProvider, IDisposable
     {
         private readonly TimeSpan? _reloadInterval;
         private readonly SecretClient _client;
         private readonly KeyVaultSecretManager _manager;
-        private Dictionary<string, LoadedSecret> _loadedSecrets;
+        private Dictionary<string, KeyVaultSecret> _loadedSecrets;
         private Task _pollingTask;
         private readonly CancellationTokenSource _cancellationToken;
 
         /// <summary>
         /// Creates a new instance of <see cref="AzureKeyVaultConfigurationProvider"/>.
         /// </summary>
         /// <param name="client">The <see cref="SecretClient"/> to use for retrieving values.</param>
-        /// <param name="manager">The <see cref="KeyVaultSecretManager"/> to use in managing values.</param>
-        /// <param name="reloadInterval">The timespan to wait in between each attempt at polling the Azure Key Vault for changes. Default is null which indicates no reloading.</param>
-        public AzureKeyVaultConfigurationProvider(SecretClient client, KeyVaultSecretManager manager, TimeSpan? reloadInterval = null)
+        /// <param name="options">The <see cref="AzureKeyVaultConfigurationOptions"/> to configure provider behaviors.</param>
+        /// <exception cref="ArgumentNullException">When either <paramref name="client"/> or <see cref="AzureKeyVaultConfigurationOptions.Manager"/> is <code>null</code>.</exception>
+        /// <exception cref="ArgumentOutOfRangeException">When either <see cref="AzureKeyVaultConfigurationOptions.ReloadInterval"/> is not positive or <code>null</code>.</exception>
+        public AzureKeyVaultConfigurationProvider(SecretClient client, AzureKeyVaultConfigurationOptions options = null)
         {
+            options ??= new AzureKeyVaultConfigurationOptions();
             Argument.AssertNotNull(client, nameof(client));
-            Argument.AssertNotNull(manager, nameof(manager));
+            Argument.AssertNotNull(options.Manager, $"{nameof(options)}.{nameof(options.Manager)}");
 
             _client = client;
-            _manager = manager;
-            if (reloadInterval != null && reloadInterval.Value <= TimeSpan.Zero)
+            if (options.ReloadInterval != null && options.ReloadInterval.Value <= TimeSpan.Zero)
             {
-                throw new ArgumentOutOfRangeException(nameof(reloadInterval), reloadInterval, nameof(reloadInterval) + " must be positive.");
+                throw new ArgumentOutOfRangeException(nameof(options.ReloadInterval), options.ReloadInterval, nameof(options.ReloadInterval) + " must be positive.");
             }
 
             _pollingTask = null;
             _cancellationToken = new CancellationTokenSource();
-            _reloadInterval = reloadInterval;
+            _reloadInterval = options.ReloadInterval;
+            _manager = options.Manager;
         }
 
         /// <summary>
@@ -68,7 +70,7 @@ private async Task PollForSecretChangesAsync()
             }
         }
 
-        protected virtual Task WaitForReload()
+        internal virtual Task WaitForReload()
         {
             // WaitForReload is only called when the _reloadInterval has a value.
             return Task.Delay(_reloadInterval.Value, _cancellationToken.Token);
@@ -79,7 +81,7 @@ private async Task LoadAsync()
             var secretPages = _client.GetPropertiesOfSecretsAsync();
 
             using var secretLoader = new ParallelSecretLoader(_client);
-            var newLoadedSecrets = new Dictionary<string, LoadedSecret>();
+            var newLoadedSecrets = new Dictionary<string, KeyVaultSecret>();
             var oldLoadedSecrets = Interlocked.Exchange(ref _loadedSecrets, null);
 
             await foreach (var secret in secretPages.ConfigureAwait(false))
@@ -92,7 +94,7 @@ private async Task LoadAsync()
                 var secretId = secret.Name;
                 if (oldLoadedSecrets != null &&
                     oldLoadedSecrets.TryGetValue(secretId, out var existingSecret) &&
-                    existingSecret.IsUpToDate(secret.UpdatedOn))
+                    IsUpToDate(existingSecret, secret))
                 {
                     oldLoadedSecrets.Remove(secretId);
                     newLoadedSecrets.Add(secretId, existingSecret);
@@ -106,7 +108,7 @@ private async Task LoadAsync()
             var loadedSecret = await secretLoader.WaitForAll().ConfigureAwait(false);
             foreach (var secretBundle in loadedSecret)
             {
-                newLoadedSecrets.Add(secretBundle.Value.Name, new LoadedSecret(_manager.GetKey(secretBundle), secretBundle.Value.Value, secretBundle.Value.Properties.UpdatedOn));
+                newLoadedSecrets.Add(secretBundle.Value.Name, secretBundle);
             }
 
             _loadedSecrets = newLoadedSecrets;
@@ -115,7 +117,11 @@ private async Task LoadAsync()
             // secret that was loaded previously is not available anymore
             if (loadedSecret.Any() || oldLoadedSecrets?.Any() == true)
             {
-                SetData(_loadedSecrets, fireToken: oldLoadedSecrets != null);
+                Data = _manager.GetData(newLoadedSecrets.Values);
+                if (oldLoadedSecrets != null)
+                {
+                    OnReload();
+                }
             }
 
             // schedule a polling task only if none exists and a valid delay is specified
@@ -125,68 +131,36 @@ private async Task LoadAsync()
             }
         }
 
-        private void SetData(Dictionary<string, LoadedSecret> loadedSecrets, bool fireToken)
-        {
-            var data = new Dictionary<string, LoadedSecret>(loadedSecrets.Count, StringComparer.OrdinalIgnoreCase);
-
-            // The loadesSecrets dictionary contains LoadedSecrets objects that has
-            // the configuration value and the configuration key (created by the
-            // KeyVaultSecretManager object). It is possible that multiple
-            // LoadedSecrets objects uses the same configuration key. This loop
-            // takes the latest updated value for each key.
-            foreach (var secretItem in loadedSecrets)
-            {
-                string key = secretItem.Value.Key;
-
-                if (data.TryGetValue(key, out LoadedSecret currentSecret))
-                {
-                    if (secretItem.Value.Updated > currentSecret.Updated)
-                    {
-                        data[key] = secretItem.Value;
-                    }
-                }
-                else
-                {
-                    data.Add(key, secretItem.Value);
-                }
-            }
-
-            Data = data.ToDictionary(d => d.Key, v => v.Value.Value);
-            if (fireToken)
-            {
-                OnReload();
-            }
-        }
-
-        /// <inheritdoc/>
+        /// <summary>
+        /// Frees resources held by the <see cref="AzureKeyVaultConfigurationProvider"/> object.
+        /// </summary>
         public void Dispose()
         {
-            _cancellationToken.Cancel();
-            _cancellationToken.Dispose();
+            Dispose(true);
+            GC.SuppressFinalize(this);
         }
 
-        private readonly struct LoadedSecret
+        /// <summary>
+        /// Frees resources held by the <see cref="AzureKeyVaultConfigurationProvider"/> object.
+        /// </summary>
+        /// <param name="disposing">true if called from <see cref="Dispose()"/>, otherwise false.</param>
+        protected virtual void Dispose(bool disposing)
         {
-            public LoadedSecret(string key, string value, DateTimeOffset? updated)
+            if (disposing)
             {
-                Key = key;
-                Value = value;
-                Updated = updated;
+                _cancellationToken.Cancel();
+                _cancellationToken.Dispose();
             }
+        }
 
-            public string Key { get; }
-            public string Value { get; }
-            public DateTimeOffset? Updated { get; }
-
-            public bool IsUpToDate(DateTimeOffset? updated)
+        private static bool IsUpToDate(KeyVaultSecret current, SecretProperties updated)
+        {
+            if (updated.UpdatedOn.HasValue != current.Properties.UpdatedOn.HasValue)
             {
-                if (updated.HasValue != Updated.HasValue)
-                {
-                    return false;
-                }
-
-                return updated.GetValueOrDefault() == Updated.GetValueOrDefault();
+                return false;
             }
+
+            return updated.UpdatedOn.GetValueOrDefault() == current.Properties.UpdatedOn.GetValueOrDefault();
         }
     }
 }

sdk/extensions/Azure.Extensions.AspNetCore.Configuration.Secrets/src/AzureKeyVaultConfigurationSource.cs

@@ -1,6 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+using Azure.Security.KeyVault.Secrets;
 using Microsoft.Extensions.Configuration;
 
 namespace Azure.Extensions.AspNetCore.Configuration.Secrets
@@ -11,16 +12,18 @@ namespace Azure.Extensions.AspNetCore.Configuration.Secrets
     internal class AzureKeyVaultConfigurationSource : IConfigurationSource
     {
         private readonly AzureKeyVaultConfigurationOptions _options;
+        private readonly SecretClient _client;
 
-        public AzureKeyVaultConfigurationSource(AzureKeyVaultConfigurationOptions options)
+        public AzureKeyVaultConfigurationSource(SecretClient client, AzureKeyVaultConfigurationOptions options)
         {
             _options = options;
+            _client = client;
         }
 
         /// <inheritdoc />
         public IConfigurationProvider Build(IConfigurationBuilder builder)
         {
-            return new AzureKeyVaultConfigurationProvider(_options.Client, _options.Manager, _options.ReloadInterval);
+            return new AzureKeyVaultConfigurationProvider(_client, _options);
         }
     }
 }

sdk/extensions/Azure.Extensions.AspNetCore.Configuration.Secrets/src/KeyVaultSecretManager.cs

@@ -1,6 +1,10 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using Azure.Core;
 using Azure.Security.KeyVault.Secrets;
 using Microsoft.Extensions.Configuration;
 
@@ -24,6 +28,42 @@ public virtual string GetKey(KeyVaultSecret secret)
             return secret.Name.Replace("--", ConfigurationPath.KeyDelimiter);
         }
 
+        /// <summary>
+        /// Converts a loaded list of secrets into a corresponding set of configuration key-value pairs.
+        /// </summary>
+        /// <param name="secrets">A set of secrets retrieved during <see cref="AzureKeyVaultConfigurationProvider.Load"/> call.</param>
+        /// <returns>The dictionary of configuration key-value pairs that would be assigned to the <see cref="ConfigurationProvider.Data"/>
+        /// and exposed from the <see cref="IConfiguration"/>.</returns>
+        /// <exception cref="ArgumentNullException">When <paramref name="secrets"/> is <code>null</code>.</exception>
+        public virtual Dictionary<string, string> GetData(IEnumerable<KeyVaultSecret> secrets)
+        {
+            Argument.AssertNotNull(secrets, nameof(secrets));
+
+            var data = new Dictionary<string, KeyVaultSecret>(StringComparer.OrdinalIgnoreCase);
+
+            foreach (var secret in secrets)
+            {
+                string key = GetKey(secret);
+
+                // It is possible that multiple
+                // LoadedSecrets objects uses the same configuration key. This loop
+                // takes the latest updated value for each key.
+                if (data.TryGetValue(key, out KeyVaultSecret currentSecret))
+                {
+                    if (secret.Properties.UpdatedOn > currentSecret.Properties.UpdatedOn)
+                    {
+                        data[key] = secret;
+                    }
+                }
+                else
+                {
+                    data.Add(key, secret);
+                }
+            }
+
+            return data.ToDictionary(d => d.Key, v => v.Value.Value);
+        }
+
         /// <summary>
         /// Checks if <see cref="KeyVaultSecret"/> value should be retrieved.
         /// </summary>