Add AzureKeyVault to configure ASP.NET Core Data Protection (#260)

src/Core/Grand.Infrastructure/Configuration/AzureConfig.cs

@@ -21,5 +21,36 @@ public partial class AzureConfig
         /// </summary>
         public string AzureBlobStorageEndPoint { get; set; }
 
+
+
+        /// <summary>
+        /// Connection string for PersistKeys Azure BLOB storage 
+        /// </summary>
+        public string PersistKeysAzureBlobStorageConnectionString { get; set; }
+
+        /// <summary>
+        /// Indicates whether we should use Azure Key Vault to store data protection keys
+        /// </summary>
+        public bool PersistKeysToAzureKeyVault { get; set; }
+
+        /// <summary>
+        /// Indicates whether we should use Azure blob storage to store data protection
+        /// </summary>
+        public bool PersistKeysToAzureBlobStorage { get; set; }
+
+        /// <summary>
+        /// Azure blob storage container name
+        /// </summary>
+        public string DataProtectionContainerName { get; set; }
+
+        /// <summary>
+        /// Azure blob storage blob name
+        /// </summary>
+        public string DataProtectionBlobName { get; set; }
+
+        /// <summary>
+        /// The keyIdentifier is the key vault key identifier used for key encryption.
+        /// </summary>
+        public string KeyIdentifier { get; set; }
     }
 }

src/Web/Grand.Web.Common/Grand.Web.Common.csproj

@@ -1,6 +1,9 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <Import Project="..\..\Build\Grand.Common.props" />
   <ItemGroup>
+    <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Blobs" Version="1.2.1" />
+    <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Keys" Version="1.1.0" />
+    <PackageReference Include="Azure.Identity" Version="1.6.0" />
     <PackageReference Include="Flurl.Http" Version="3.2.2" />
     <PackageReference Include="Microsoft.AspNetCore.DataProtection.StackExchangeRedis" Version="6.0.4" />
     <PackageReference Include="Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation" Version="6.0.4" />

src/Web/Grand.Web.Common/Infrastructure/ServiceCollectionExtensions.cs

@@ -1,4 +1,5 @@
-using Grand.Business.Core.Interfaces.Authentication;
+using Azure.Identity;
+using Grand.Business.Core.Interfaces.Authentication;
 using Grand.Business.Core.Interfaces.Common.Configuration;
 using Grand.Business.Core.Interfaces.Common.Security;
 using Grand.Business.Core.Utilities.Authentication;
@@ -101,13 +102,31 @@ public static void AddThemes(this IServiceCollection services)
         /// </summary>
         public static void AddGrandDataProtection(this IServiceCollection services, IConfiguration configuration)
         {
-            var config = new RedisConfig();
-            configuration.GetSection("Redis").Bind(config);
+            var redisconfig = new RedisConfig();
+            configuration.GetSection("Redis").Bind(redisconfig);
 
-            if (config.PersistKeysToRedis)
+            var azureconfig = new AzureConfig();
+            configuration.GetSection("Azure").Bind(azureconfig);
+
+            if (redisconfig.PersistKeysToRedis)
             {
                 services.AddDataProtection(opt => opt.ApplicationDiscriminator = "grandnode")
-                    .PersistKeysToStackExchangeRedis(ConnectionMultiplexer.Connect(config.PersistKeysToRedisUrl));
+                    .PersistKeysToStackExchangeRedis(ConnectionMultiplexer.Connect(redisconfig.PersistKeysToRedisUrl));
+            }
+            else if (azureconfig.PersistKeysToAzureKeyVault || azureconfig.PersistKeysToAzureBlobStorage)
+            {
+                if (azureconfig.PersistKeysToAzureKeyVault)
+                    services.AddDataProtection()
+                        // This blob must already exist before the application is run
+                        .PersistKeysToAzureBlobStorage(azureconfig.PersistKeysAzureBlobStorageConnectionString, azureconfig.DataProtectionContainerName, azureconfig.DataProtectionBlobName)
+                        .ProtectKeysWithAzureKeyVault(new Uri(azureconfig.KeyIdentifier),
+                        new DefaultAzureCredential());
+                else
+                {
+                    services.AddDataProtection()
+                        .PersistKeysToAzureBlobStorage(azureconfig.PersistKeysAzureBlobStorageConnectionString, azureconfig.DataProtectionContainerName, azureconfig.DataProtectionBlobName);
+                }
+
             }
             else
             {
@@ -183,7 +202,7 @@ public static IMvcBuilder AddGrandMvc(this IServiceCollection services, IConfigu
             mvcBuilder.AddViewLocalization();
             //add razor runtime compilation
             mvcBuilder.AddRazorRuntimeCompilation();
-                        
+
             var securityConfig = new SecurityConfig();
             configuration.GetSection("Security").Bind(securityConfig);
 
@@ -339,7 +358,7 @@ public static void AddApplicationInsights(this IServiceCollection services, ICon
         {
             var applicationInsights = new ApplicationInsightsConfig();
             configuration.GetSection("ApplicationInsights").Bind(applicationInsights);
-            if(applicationInsights.Enabled)
+            if (applicationInsights.Enabled)
             {
                 services.AddApplicationInsightsTelemetry();
             }

src/Web/Grand.Web/App_Data/appsettings.json

@@ -179,7 +179,16 @@
     //Specify your connection string, container name, end point for BLOB storage here
     "AzureBlobStorageConnectionString": "",
     "AzureBlobStorageContainerName": "",
-    "AzureBlobStorageEndPoint": ""
+    "AzureBlobStorageEndPoint": "",
+
+    //DataProtection - Azure Key Vault - you can use only one of method PersistKeysToAzureKeyVault or PersistKeysToAzureBlobStorage
+    "PersistKeysAzureBlobStorageConnectionString": "", //required 
+    "PersistKeysToAzureKeyVault": false,
+    "PersistKeysToAzureBlobStorage": false,
+    "DataProtectionContainerName": "", //required 
+    "DataProtectionBlobName": "keys.xml", //required 
+    "KeyIdentifier": "" //required when use PersistKeysToAzureKeyVault
+
   },
   "Amazon": {