Azure Key Vault Health check package and Unit tests project

AspNetCore.Diagnostics.HealthChecks.sln

@@ -73,6 +73,10 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "HealthChecks.Elasticsearch"
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "HealthChecks.EventStore", "src\HealthChecks.EventStore\HealthChecks.EventStore.csproj", "{39667845-526D-46ED-90F0-05ED6B8814F1}"
 EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "HealthChecks.AzureKeyVault", "src\HealthChecks.AzureKeyVault\HealthChecks.AzureKeyVault.csproj", "{A6414860-EBAE-43E4-8109-DE745DA15C43}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "UnitTests", "test\UnitTests\UnitTests.csproj", "{300A1B42-EA00-480A-AC43-007EBC7CE472}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -187,6 +191,14 @@ Global
 		{39667845-526D-46ED-90F0-05ED6B8814F1}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{39667845-526D-46ED-90F0-05ED6B8814F1}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{39667845-526D-46ED-90F0-05ED6B8814F1}.Release|Any CPU.Build.0 = Release|Any CPU
+		{A6414860-EBAE-43E4-8109-DE745DA15C43}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{A6414860-EBAE-43E4-8109-DE745DA15C43}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{A6414860-EBAE-43E4-8109-DE745DA15C43}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{A6414860-EBAE-43E4-8109-DE745DA15C43}.Release|Any CPU.Build.0 = Release|Any CPU
+		{300A1B42-EA00-480A-AC43-007EBC7CE472}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{300A1B42-EA00-480A-AC43-007EBC7CE472}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{300A1B42-EA00-480A-AC43-007EBC7CE472}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{300A1B42-EA00-480A-AC43-007EBC7CE472}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -219,6 +231,8 @@ Global
 		{6FB1E70A-2915-4810-BCA4-AF38010AF949} = {2A3FD988-2BB8-43CF-B3A2-B70E648259D4}
 		{8ACAEE4F-55EA-452F-A5EF-9D99EA9885F9} = {2A3FD988-2BB8-43CF-B3A2-B70E648259D4}
 		{39667845-526D-46ED-90F0-05ED6B8814F1} = {2A3FD988-2BB8-43CF-B3A2-B70E648259D4}
+		{A6414860-EBAE-43E4-8109-DE745DA15C43} = {2A3FD988-2BB8-43CF-B3A2-B70E648259D4}
+		{300A1B42-EA00-480A-AC43-007EBC7CE472} = {FF4414C2-8863-4ADA-8A1D-4B9F25C361FE}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {2B8C62A1-11B6-469F-874C-A02443256568}

README.md

@@ -24,6 +24,7 @@ HealthChecks packages include health checks for:
 - System: Disk Storage, Private Memory, Virtual Memory
 - Azure Service Bus: EventHub, Queue and Topics
 - Azure Storage: Blob, Queue and Table
+- Azure Key Vault
 - Azure DocumentDb
 - Amazon DynamoDb
 - Amazon S3
@@ -44,6 +45,7 @@ Install-Package AspNetCore.HealthChecks.Redis
 Install-Package AspNetCore.HealthChecks.EventStore
 Install-Package AspNetCore.HealthChecks.AzureStorage
 Install-Package AspNetCore.HealthChecks.AzureServiceBus
+Install-Package AspNetCore.HealthChecks.AzureKeyVault
 Install-Package AspNetCore.HealthChecks.MySql
 Install-Package AspNetCore.HealthChecks.DocumentDb
 Install-Package AspNetCore.HealthChecks.SqLite

build.ps1

@@ -38,13 +38,24 @@ echo "build: Build version suffix is $buildSuffix"
 
 exec { & dotnet build AspNetCore.Diagnostics.HealthChecks.sln -c Release --version-suffix=$buildSuffix -v q /nologo }
 
+echo "Running unit tests" 
+
+try {
+
+Push-Location -Path .\test\UnitTests
+        exec { & dotnet test}
+} finally {
+        Pop-Location
+}
+
+
 if (-Not (Test-Path 'env:APPVEYOR')) {
 	exec { & docker-compose up -d }
 }
 
 echo "compose up done"
 
-echo "running tests"
+echo "Running functional tests"
 
 try {
 
@@ -75,7 +86,8 @@ if ($suffix -eq "") {
     exec { & dotnet pack .\src\HealthChecks.Oracle\HealthChecks.Oracle.csproj -c Release -o ..\..\artifacts --include-symbols --no-build }
     exec { & dotnet pack .\src\HealthChecks.System\HealthChecks.System.csproj -c Release -o ..\..\artifacts --include-symbols --no-build }
     exec { & dotnet pack .\src\HealthChecks.Network\HealthChecks.Network.csproj -c Release -o ..\..\artifacts --include-symbols --no-build }
-	exec { & dotnet pack .\src\HealthChecks.Aws.S3\HealthChecks.Aws.S3.csproj -c Release -o ..\..\artifacts --include-symbols --no-build }
+    exec { & dotnet pack .\src\HealthChecks.Aws.S3\HealthChecks.Aws.S3.csproj -c Release -o ..\..\artifacts --include-symbols --no-build }
+    exec { & dotnet pack .\src\HealthChecks.HealthChecks.AzureKeyVault\HealthChecks.AzureKeyVault.csproj -c Release -o ..\..\artifacts --include-symbols --no-build }
     exec { & dotnet pack .\src\HealthChecks.UI\HealthChecks.UI.csproj -c Release -o ..\..\artifacts --include-symbols --no-build }
     exec { & dotnet pack .\src\HealthChecks.UI.Client\HealthChecks.UI.Client.csproj -c Release -o ..\..\artifacts --include-symbols --no-build }
     exec { & dotnet pack .\src\HealthChecks.Publisher.ApplicationInsights\HealthChecks.Publisher.ApplicationInsights.csproj -c Release -o ..\..\artifacts --include-symbols --no-build }
@@ -102,7 +114,8 @@ else {
     exec { & dotnet pack .\src\HealthChecks.Oracle\HealthChecks.Oracle.csproj -c Release -o ..\..\artifacts --include-symbols --no-build --version-suffix=$suffix }
     exec { & dotnet pack .\src\HealthChecks.System\HealthChecks.System.csproj -c Release -o ..\..\artifacts --include-symbols --no-build --version-suffix=$suffix }
     exec { & dotnet pack .\src\HealthChecks.Network\HealthChecks.Network.csproj -c Release -o ..\..\artifacts --include-symbols --no-build --version-suffix=$suffix }
-	exec { & dotnet pack .\src\HealthChecks.Aws.S3\HealthChecks.Aws.S3.csproj -c Release -o ..\..\artifacts --include-symbols --no-build --version-suffix=$suffix }
+    exec { & dotnet pack .\src\HealthChecks.Aws.S3\HealthChecks.Aws.S3.csproj -c Release -o ..\..\artifacts --include-symbols --no-build --version-suffix=$suffix }
+    exec { & dotnet pack .\src\HealthChecks.AzureKeyVault\HealthChecks.AzureKeyVault.csproj -c Release -o ..\..\artifacts --include-symbols --no-build --version-suffix=$suffix }
     exec { & dotnet pack .\src\HealthChecks.UI\HealthChecks.UI.csproj -c Release -o ..\..\artifacts --include-symbols --no-build --version-suffix=$suffix }
     exec { & dotnet pack .\src\HealthChecks.UI.Client\HealthChecks.UI.Client.csproj -c Release -o ..\..\artifacts --include-symbols --no-build --version-suffix=$suffix }
 	exec { & dotnet pack .\src\HealthChecks.Publisher.ApplicationInsights\HealthChecks.Publisher.ApplicationInsights.csproj -c Release -o ..\..\artifacts --include-symbols --no-build --version-suffix=$suffix }

build/dependencies.props

@@ -48,9 +48,13 @@
     <MicrosoftEntityFrameworkCoreSqlite>2.1.1</MicrosoftEntityFrameworkCoreSqlite>
     <MicrosoftEntityFrameworkCoreSqliteDesign>1.1.5</MicrosoftEntityFrameworkCoreSqliteDesign>
     <MicrosoftExtensionsConfigurationBinder>2.1.1</MicrosoftExtensionsConfigurationBinder>
+    <MicrosoftExtensionsDependencyInjection>2.1.1</MicrosoftExtensionsDependencyInjection>
     <MicrosoftApplicationInsights>2.7.2</MicrosoftApplicationInsights>
     <PrometheusNet>2.1.3</PrometheusNet>
     <AWSSKDS3>3.3.29</AWSSKDS3>
+    <MicrosoftAzureKeyVault>3.0.2</MicrosoftAzureKeyVault>
+    <MicrosoftIdentityModelClientsActiveDirectory>4.4.1</MicrosoftIdentityModelClientsActiveDirectory>
+    <MicrosoftAzureServicesAppAuthentication>1.0.3</MicrosoftAzureServicesAppAuthentication>
   </PropertyGroup>
 
   <PropertyGroup Label="CLI Tools Versions">
@@ -77,11 +81,12 @@
     <HealthCheckDynamoDb>2.2.0</HealthCheckDynamoDb>
     <HealthCheckDocumentDb>2.2.0</HealthCheckDocumentDb>
     <HealthCheckAzureStorage>2.2.0</HealthCheckAzureStorage>
-    <HealthCheckAzureServiceBus>2.2.0</HealthCheckAzureServiceBus>
+    <HealthCheckAzureServiceBus>2.2.1</HealthCheckAzureServiceBus>
     <HealthCheckUI>2.2.4</HealthCheckUI>
     <HealthCheckUIClient>2.2.2</HealthCheckUIClient>
     <HealthCheckPublisherAppplicationInsights>2.2.0</HealthCheckPublisherAppplicationInsights>
     <HealthCheckPublisherPrometheus>2.2.0</HealthCheckPublisherPrometheus>
     <HealthCheckAWSS3>2.2.0</HealthCheckAWSS3>
+    <HealthCheckKeyVault>2.2.0</HealthCheckKeyVault>
   </PropertyGroup>
 </Project>

src/HealthChecks.AzureKeyVault/AzureKeyVaultHealthCheck.cs

@@ -0,0 +1,75 @@
+using Microsoft.Azure.KeyVault;
+using Microsoft.Azure.Services.AppAuthentication;
+using Microsoft.Extensions.Diagnostics.HealthChecks;
+using Microsoft.IdentityModel.Clients.ActiveDirectory;
+using System;
+using System.Collections.Generic;
+using System.Net.Http;
+using System.Text;
+using System.Threading;
+using System.Threading.Tasks;
+using static Microsoft.Azure.KeyVault.KeyVaultClient;
+
+namespace HealthChecks.AzureKeyVault
+{
+    public class AzureKeyVaultHealthCheck : IHealthCheck
+    {
+        private readonly AzureKeyVaultOptions _keyVaultOptions;
+
+        public AzureKeyVaultHealthCheck(AzureKeyVaultOptions keyVaultOptions)
+        {
+            if (!Uri.TryCreate(keyVaultOptions.KeyVaultUrlBase, UriKind.Absolute, out var _))
+            {
+                throw new ArgumentException("KeyVaultUrlBase must be a valid Uri");
+            }
+
+            _keyVaultOptions = keyVaultOptions;
+        }
+        public async Task<HealthCheckResult> CheckHealthAsync(HealthCheckContext context, CancellationToken cancellationToken = default)
+        {
+            var currentSecret = string.Empty;
+
+            try
+            {
+                var client = GetClient(_keyVaultOptions);
+                foreach (var secretIdentifier in _keyVaultOptions.Secrets)
+                {
+                    currentSecret = secretIdentifier;
+                    await client.GetSecretAsync(_keyVaultOptions.KeyVaultUrlBase, secretIdentifier, cancellationToken);
+                }
+
+                return HealthCheckResult.Healthy();
+            }
+            catch (Exception ex)
+            {
+                var secretException = new Exception($"{currentSecret} secret error - {ex.Message}", ex);
+                return new HealthCheckResult(context.Registration.FailureStatus, exception: secretException);
+            }
+        }
+
+        private KeyVaultClient GetClient(AzureKeyVaultOptions options)
+        {
+            if (string.IsNullOrEmpty(options.ClientId))
+            {
+                var azureServiceTokenProvider = new AzureServiceTokenProvider();
+                return new KeyVaultClient(new AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
+            }
+            else
+            {
+                return new KeyVaultClient(GetToken);
+            }
+        }
+
+        public async Task<string> GetToken(string authority, string resource, string scope)
+        {
+            var authContext = new AuthenticationContext(authority);
+            ClientCredential clientCred = new ClientCredential(_keyVaultOptions.ClientId, _keyVaultOptions.ClientSecret);
+            AuthenticationResult result = await authContext.AcquireTokenAsync(resource, clientCred);
+
+            if (result == null)
+                throw new InvalidOperationException($"[{nameof(AzureKeyVaultHealthCheck)}] - Failed to obtain the JWT token");
+
+            return result.AccessToken;
+        }
+    }
+}

src/HealthChecks.AzureKeyVault/AzureKeyVaultMsiHealthCheck.cs

@@ -0,0 +1,51 @@
+using Microsoft.Azure.KeyVault;
+using Microsoft.Azure.Services.AppAuthentication;
+using Microsoft.Extensions.Diagnostics.HealthChecks;
+using System;
+using System.Collections.Generic;
+using System.Text;
+using System.Threading;
+using System.Threading.Tasks;
+using static Microsoft.Azure.KeyVault.KeyVaultClient;
+
+namespace HealthChecks.AzureKeyVault
+{
+    public class AzureKeyVaultMsiHealthCheck : IHealthCheck
+    {
+        private readonly AzureKeyVaultOptions _keyVaultOptions;
+
+        public AzureKeyVaultMsiHealthCheck(AzureKeyVaultOptions keyVaultOptions)
+        {
+            if (string.IsNullOrEmpty(keyVaultOptions.KeyVaultUrlBase))
+            {
+                throw new ArgumentNullException(nameof(keyVaultOptions.KeyVaultUrlBase));
+            }
+
+            _keyVaultOptions = keyVaultOptions;
+        }
+        public async Task<HealthCheckResult> CheckHealthAsync(HealthCheckContext context, CancellationToken cancellationToken = default)
+        {
+            var currentSecret = string.Empty;
+
+            try
+            {
+                var azureServiceTokenProvider = new AzureServiceTokenProvider();
+
+                var client = new KeyVaultClient(new AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
+
+                foreach (var secretIdentifier in _keyVaultOptions.Secrets)
+                {
+                    currentSecret = secretIdentifier;
+                    await client.GetSecretAsync(_keyVaultOptions.KeyVaultUrlBase, secretIdentifier, cancellationToken);
+                }
+
+                return HealthCheckResult.Healthy();
+            }
+            catch (Exception ex)
+            {
+                var secretException = new Exception($"{currentSecret} secret error - {ex.Message}", ex);
+                return new HealthCheckResult(context.Registration.FailureStatus, exception: secretException);
+            }
+        }
+    }
+}

src/HealthChecks.AzureKeyVault/AzureKeyVaultOptions.cs

@@ -0,0 +1,61 @@
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace HealthChecks.AzureKeyVault
+{
+    public class AzureKeyVaultOptions
+    {
+        internal List<string> Secrets { get; } =  new List<string>();      
+        internal string KeyVaultUrlBase { get; set; }       
+        internal string ClientId { get; set; }       
+        internal string ClientSecret { get; set; }
+
+
+        /// <summary>
+        /// Configures remote Azure Key Vault Url service
+        /// </summary>
+        /// <param name="keyVaultUrlBase"></param>
+        /// <returns></returns>
+        public AzureKeyVaultOptions UseKeyVaultUrl(string keyVaultUrlBase)
+        {
+            KeyVaultUrlBase = keyVaultUrlBase;
+            return this;
+        }
+
+        /// <summary>
+        /// Azure key vault connection is performed using provided Client Id and Client Secret
+        /// </summary>
+        /// <param name="keyVaultUrlBase">Azure Key Vault base url - https://[vaultname].vault.azure.net/ </param>
+        /// <param name="clientId">Registered application Id</param>
+        /// <param name="clientSecret">Registered application secret</param>
+        /// <returns></returns>
+        public AzureKeyVaultOptions UseClientSecrets(string clientId, string clientSecret)
+        {            
+            if(string.IsNullOrEmpty(clientId) || string.IsNullOrEmpty(clientSecret))
+            {
+                throw new ArgumentNullException("ClientId and ClientSecret parameters should not be empty");
+            }
+
+            ClientId = clientId;
+            ClientSecret = clientSecret;
+
+            return this;
+        }
+
+        /// <summary>
+        /// Add a Azure Key Vault secret to be checked
+        /// </summary>
+        /// <param name="secretIdentifier"></param>
+        /// <returns></returns>
+        public AzureKeyVaultOptions AddSecret(string secretIdentifier)
+        {
+            if(!Secrets.Contains(secretIdentifier))
+            {
+                Secrets.Add(secretIdentifier);
+            }
+
+            return this;
+        }
+    }
+}

src/HealthChecks.AzureKeyVault/DependencyInjection/AzureKeyVaultHealthChecksBuilderExtensions.cs

@@ -0,0 +1,37 @@
+using HealthChecks.AzureKeyVault;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Diagnostics.HealthChecks;
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace Microsoft.Extensions.DependencyInjection
+{
+    public static class AzureKeyVaultHealthChecksBuilderExtensions
+    {
+        /// <summary>
+        /// Add a health check for Azure Key Vault. Default behaviour is using Managed Service Identity, to use Client Secrets call UseClientSecrets in setup action
+        /// </summary>
+        /// <param name="builder">The <see cref="IHealthChecksBuilder"/>.</param>
+        /// <param name="setup"> Setup action to configure Azure Key Vault options </param>    
+        /// <param name="name">The health check name. Optional. If <c>null</c> the type name 'azurekeyvault' will be used for the name.</param>
+        /// <param name="failureStatus">
+        /// The <see cref="HealthStatus"/> that should be reported when the health check fails. Optional. If <c>null</c> then
+        /// the default status of <see cref="HealthStatus.Unhealthy"/> will be reported.
+        /// </param>
+        /// <param name="tags">A list of tags that can be used to filter sets of health checks. Optional.</param>
+        /// <returns>The <see cref="IHealthChecksBuilder"/>.</returns></param>
+        public static IHealthChecksBuilder AddAzureKeyVault(this IHealthChecksBuilder builder, Action<AzureKeyVaultOptions> setup,
+            string name = default, HealthStatus? failureStatus = default, IEnumerable<string> tags = default)
+        {
+            var options = new AzureKeyVaultOptions();
+            setup?.Invoke(options);
+
+            return builder.Add(new HealthCheckRegistration(
+               name ?? "azurekeyvault",
+               sp => new AzureKeyVaultHealthCheck(options),
+               failureStatus,
+               tags));
+        }
+    }
+}

src/HealthChecks.AzureKeyVault/HealthChecks.AzureKeyVault.csproj

@@ -0,0 +1,27 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>$(NetStandardTargetVersion)</TargetFramework>
+    <PackageLicenseUrl>$(PackageLicenseUrl)</PackageLicenseUrl>
+    <PackageProjectUrl>$(PackageProjectUrl)</PackageProjectUrl>
+    <PackageTags>HealthCheck;Azure Key Vault;Secrets</PackageTags>
+    <Description>HealthChecks.AzureKeyVault is the health check package for Azure Key Vault secrets</Description>
+    <Version>$(HealthCheckKeyVault)</Version>
+    <RepositoryUrl>$(RepositoryUrl)</RepositoryUrl>
+    <Company>$(Company)</Company>
+    <Authors>$(Authors)</Authors>
+    <LangVersion>latest</LangVersion>
+    <PackageId>AspNetCore.HealthChecks.AzureKeyVault</PackageId>
+    <PublishRepositoryUrl>$(PublishRepositoryUrl)</PublishRepositoryUrl>
+    <AllowedOutputExtensionsInPackageBuildOutputFolder>$(AllowedOutputExtensionsInPackageBuildOutputFolder)</AllowedOutputExtensionsInPackageBuildOutputFolder>
+  </PropertyGroup>
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Azure.Services.AppAuthentication" Version="$(MicrosoftAzureServicesAppAuthentication)" />
+    <PackageReference Include="Microsoft.Extensions.Diagnostics.HealthChecks" Version="$(MicrosoftExtensionsDiagnosticsHealthChecks)" />
+    <PackageReference Include="Microsoft.Azure.KeyVault" Version="$(MicrosoftAzureKeyVault)" />
+    <PackageReference Include="Microsoft.IdentityModel.Clients.ActiveDirectory" Version="$(MicrosoftIdentityModelClientsActiveDirectory)" />
+    <PackageReference Include="Microsoft.SourceLink.GitHub" Version="1.0.0-beta-63127-02">
+      <PrivateAssets>all</PrivateAssets>
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
+    </PackageReference>
+  </ItemGroup>
+</Project>