Introduce a read-only mode for data protection keyring consumers

amcasey · github-actions · commit d8b6a2998a79 · 2024-02-29T00:13:28.000Z
When multiple app instances consume the same keyring, they all try to rotate it, leading to races. This change introduces an IConfiguration property (usually set as an env var) that puts data protection in a read-only mode. The expectation is that writing will be done by a separate (i.e. non-app-instance) component. Part of #52915
diff --git a/src/DataProtection/DataProtection/src/DataProtectionServiceCollectionExtensions.cs b/src/DataProtection/DataProtection/src/DataProtectionServiceCollectionExtensions.cs
@@ -67,6 +67,8 @@ private static void AddDataProtectionServices(IServiceCollection services)
 
         services.TryAddEnumerable(
             ServiceDescriptor.Singleton<IConfigureOptions<KeyManagementOptions>, KeyManagementOptionsSetup>());
+        services.TryAddEnumerable(
+            ServiceDescriptor.Singleton<IPostConfigureOptions<KeyManagementOptions>, KeyManagementOptionsPostSetup>());
         services.TryAddEnumerable(
             ServiceDescriptor.Transient<IConfigureOptions<DataProtectionOptions>, DataProtectionOptionsSetup>());
 
diff --git a/src/DataProtection/DataProtection/src/Internal/KeyManagementOptionsPostSetup.cs b/src/DataProtection/DataProtection/src/Internal/KeyManagementOptionsPostSetup.cs
@@ -0,0 +1,90 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.IO;
+using System.Xml.Linq;
+using Microsoft.AspNetCore.DataProtection.KeyManagement;
+using Microsoft.AspNetCore.DataProtection.Repositories;
+using Microsoft.AspNetCore.DataProtection.XmlEncryption;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+
+namespace Microsoft.AspNetCore.DataProtection.Internal;
+
+/// <summary>
+/// Performs additional <see cref="KeyManagementOptions" /> configuration, after the user's configuration has been applied.
+/// </summary>
+/// <remarks>
+/// In practice, this type is used to set key management to readonly mode if an environment variable is set and the user
+/// has not explicitly configured data protection.
+/// </remarks>
+internal sealed class KeyManagementOptionsPostSetup : IPostConfigureOptions<KeyManagementOptions>
+{
+    /// <remarks>
+    /// Settable as `ReadOnlyDataProtectionKeyDirectory`, `DOTNET_ReadOnlyDataProtectionKeyDirectory`,
+    /// or `ASPNETCORE_ReadOnlyDataProtectionKeyDirectory`, in descending order of precedence.
+    /// </remarks>
+    internal const string ReadOnlyDataProtectionKeyDirectoryKey = "ReadOnlyDataProtectionKeyDirectory";
+
+    private readonly string? _keyDirectoryPath;
+    private readonly ILoggerFactory? _loggerFactory; // Null iff _keyDirectoryPath is null
+
+    public KeyManagementOptionsPostSetup()
+    {
+        // If there's no IConfiguration, there's no _keyDirectoryPath and this type will do nothing.
+        // This is mostly a convenience for tests since ASP.NET Core apps will have an IConfiguration.
+    }
+
+    public KeyManagementOptionsPostSetup(IConfiguration configuration, ILoggerFactory loggerFactory)
+    {
+        _keyDirectoryPath = configuration[ReadOnlyDataProtectionKeyDirectoryKey];
+        _loggerFactory = loggerFactory;
+    }
+
+    void IPostConfigureOptions<KeyManagementOptions>.PostConfigure(string? name, KeyManagementOptions options)
+    {
+        if (_keyDirectoryPath is null || name != Options.DefaultName)
+        {
+            return;
+        }
+
+        // If Data Protection has not been configured, then set it up according to the environment variable
+        if (options is { XmlRepository: null, XmlEncryptor: null })
+        {
+            var keyDirectory = new DirectoryInfo(_keyDirectoryPath);
+
+            options.AutoGenerateKeys = false;
+            options.XmlEncryptor = InvalidEncryptor.Instance;
+            options.XmlRepository = new ReadOnlyFileSystemXmlRepository(keyDirectory, _loggerFactory!);
+        }
+    }
+
+    private sealed class InvalidEncryptor : IXmlEncryptor
+    {
+        public static readonly IXmlEncryptor Instance = new InvalidEncryptor();
+
+        private InvalidEncryptor()
+        {
+        }
+
+        EncryptedXmlInfo IXmlEncryptor.Encrypt(XElement plaintextElement)
+        {
+            throw new InvalidOperationException("Keys access is set up as read-only, so nothing should be encrypting");
+        }
+    }
+
+    private sealed class ReadOnlyFileSystemXmlRepository : FileSystemXmlRepository
+    {
+        public ReadOnlyFileSystemXmlRepository(DirectoryInfo directory, ILoggerFactory loggerFactory)
+            : base(directory, loggerFactory)
+        {
+        }
+
+        public override void StoreElement(XElement element, string friendlyName)
+        {
+            throw new InvalidOperationException("Keys access is set up as read-only, so nothing should be storing keys");
+        }
+    }
+}
