feat-add-oidc-endpoints (rajanadar#309)

* fix: create named key API

* feat: add read named key API

* feat: add create, read and update role info

* chore: update the implementation

* chore: update the read role reponse object

* fix: endpoints

* fix: update interface for read role info

* chore: add null checks

* feat: add delete endpoints

* fix: typo in ReadRoleReponse class name

* feat: add wrapTimeToLive for PullNewSecretIdAsync

* chore: update documentation

* fix: remove Newtonsoft.Json references

* chore: update the name of the keyName parameter

---------

Co-authored-by: Raja Nadar <rajnadar@expediagroup.com>

Author: konidev20

CHANGELOG.md

@@ -1,3 +1,11 @@
+## 1.13.0.2 (TBD)
+
+**IMROVEMENTS:**
+
+ * [GH-309](https://github.com/rajanadar/VaultSharp/issues/309) identity/oidc/key: create, read, update and delete apis.
+ * [GH-309](https://github.com/rajanadar/VaultSharp/issues/309) identity/oidc/role: create, read, update and delete apis.
+ * [GH-309](https://github.com/rajanadar/VaultSharp/issues/309) auth/approle: ````PullNewSecretIdAsync``` allows for reponse wrapping using ```wrapTimeToLive``` parameter
+
 ## 1.13.0.1 (April 03, 2023)
 
 **BUG FIXES:**

src/VaultSharp/V1/AuthMethods/AppRole/AppRoleAuthMethodProvider.cs

@@ -68,12 +68,12 @@ public async Task WriteRoleIdAsync(string roleName, RoleIdInfo roleIdInfo, strin
             await _polymath.MakeVaultApiRequest("v1/auth/" + mountPoint.Trim('/') + "/role/" + roleName.Trim('/') + "/role-id", HttpMethod.Post, requestData: roleIdInfo).ConfigureAwait(_polymath.VaultClientSettings.ContinueAsyncTasksOnCapturedContext);
         }
 
-        public async Task<Secret<SecretIdInfo>> PullNewSecretIdAsync(string roleName, PullSecretIdRequestOptions secretIdRequestOptions = null, string mountPoint = AuthMethodDefaultPaths.AppRole)
+        public async Task<Secret<SecretIdInfo>> PullNewSecretIdAsync(string roleName, PullSecretIdRequestOptions secretIdRequestOptions = null, string mountPoint = AuthMethodDefaultPaths.AppRole, string wrapTimeToLive = null)
         {
             Checker.NotNull(mountPoint, "mountPoint");
             Checker.NotNull(roleName, "roleName");
 
-            return await _polymath.MakeVaultApiRequest<Secret<SecretIdInfo>>("v1/auth/" + mountPoint.Trim('/') + "/role/" + roleName.Trim('/') + "/secret-id", HttpMethod.Post, secretIdRequestOptions).ConfigureAwait(_polymath.VaultClientSettings.ContinueAsyncTasksOnCapturedContext);
+            return await _polymath.MakeVaultApiRequest<Secret<SecretIdInfo>>("v1/auth/" + mountPoint.Trim('/') + "/role/" + roleName.Trim('/') + "/secret-id", HttpMethod.Post, secretIdRequestOptions, wrapTimeToLive: wrapTimeToLive).ConfigureAwait(_polymath.VaultClientSettings.ContinueAsyncTasksOnCapturedContext);
         }
 
         public async Task<Secret<ListInfo>> ReadAllSecretIdAccessorsAsync(string roleName, string mountPoint = AuthMethodDefaultPaths.AppRole)

src/VaultSharp/V1/AuthMethods/AppRole/IAppRoleAuthMethod.cs

@@ -92,8 +92,12 @@ public interface IAppRoleAuthMethod
         /// <param name="mountPoint"><para>[optional]</para>
         /// The mount point for the Auth backend. Defaults to <see cref="AuthMethodDefaultPaths.AppRole" />
         /// Provide a value only if you have customized the mount point.</param>        
+        /// <param name="wrapTimeToLive">
+        /// <para>[optional]</para>
+        /// The TTL for the token and can be either an integer number of seconds or a string duration of seconds.
+        /// </param>
         /// <returns>The secret id info</returns>
-        Task<Secret<SecretIdInfo>> PullNewSecretIdAsync(string roleName, PullSecretIdRequestOptions secretIdRequestOptions = null, string mountPoint = AuthMethodDefaultPaths.AppRole);
+        Task<Secret<SecretIdInfo>> PullNewSecretIdAsync(string roleName, PullSecretIdRequestOptions secretIdRequestOptions = null, string mountPoint = AuthMethodDefaultPaths.AppRole, string wrapToTimeLive = null);
 
         /// <summary>
         /// Lists the accessors of all the SecretIDs issued against the AppRole. 

src/VaultSharp/V1/SecretsEngines/Identity/CreateNamedKeyRequest.cs

@@ -0,0 +1,18 @@
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace VaultSharp.V1.SecretsEngines.Identity
+{
+    /// <summary>
+    /// Request object to create a named key which is used to sign tokens.
+    /// </summary>
+    public class CreateNamedKeyRequest : NamedKeyInfo
+    {
+        /// <summary>
+        /// Array of role client ids allowed to use this key for signing. If 
+        /// empty, no roles are allowed. If "*", all roles are allowed.
+        /// </summary>
+        [JsonPropertyName("allowed_client_ids")]
+        public List<string> AllowedClientIDs { get; set; }
+    }
+}

src/VaultSharp/V1/SecretsEngines/Identity/CreateRoleRequest.cs

@@ -0,0 +1,7 @@
+namespace VaultSharp.V1.SecretsEngines.Identity
+{
+    public class CreateRoleRequest : RoleInfo
+    {
+
+    }
+}

src/VaultSharp/V1/SecretsEngines/Identity/IIdentitySecretsEngine.cs

@@ -8,6 +8,74 @@ namespace VaultSharp.V1.SecretsEngines.Identity
     /// </summary>
     public interface IIdentitySecretsEngine
     {
+        /// <summary>
+        /// Create or update a role. ID tokens are generated against a role and
+        /// signed against a named key.
+        /// </summary>
+        /// <param name="roleName">Name of the role.</param>
+        /// <param name="createRoleRequest">Request object ot create or update a role.</param>
+        /// <param name="mountPoint"><para>[optional]</para>
+        /// The mount point for the backend. Defaults to <see cref="SecretsEngineMountPoints.Identity" />
+        /// Provide a value only if you have customized the Azure mount point.
+        /// </param>
+        /// <returns>This endpoint doesn't return anything.</returns>
+        Task CreateRoleAsync(string roleName, CreateRoleRequest createRoleRequest, string mountPoint = null);
+
+        /// <summary>
+        /// This endpoint queries a role and returs its configuration.
+        /// </summary>
+        /// <param name="roleName">Name of the role.</param>
+        /// <param name="mountPoint"><para>[optional]</para>
+        /// The mount point for the backend. Defaults to <see cref="SecretsEngineMountPoints.Identity" />
+        /// Provide a value only if you have customized the Azure mount point.
+        /// </param>
+        /// <returns>The role information</returns>
+        Task<ReadRoleResponse> ReadRoleAsync(string roleName, string mountPoint = null);
+
+        /// <summary>
+        /// This endpoint deletes a role.
+        /// </summary>
+        /// <param name="roleName">Name of the role.</param>
+        /// <param name="mountPoint"><para>[optional]</para>
+        /// The mount point for the backend. Defaults to <see cref="SecretsEngineMountPoints.Identity" />
+        /// Provide a value only if you have customized the Azure mount point.
+        /// </param>
+        /// <returns>This endpoint doesn't return anything</returns>
+        Task DeleteRoleAsync(string roleName, string mountPoint = null);
+
+        /// <summary>
+        /// This endpoint creates or updates a named key which is used by a role to sign tokens.
+        /// </summary>
+        /// <param name="keyName">Name of the named key.</param>
+        /// <param name="mountPoint"><para>[optional]</para>
+        /// The mount point for the backend. Defaults to <see cref="SecretsEngineMountPoints.Identity" />
+        /// Provide a value only if you have customized the Azure mount point.
+        /// </param>
+        /// <param name="createNamedKeyRequest">Request object to create a named key.</param>
+        /// <returns>This endpoint doesn't return anything.</returns>
+        Task CreateNamedKeyAsync(string keyName, CreateNamedKeyRequest createNamedKeyRequest, string mountPoint = null);
+
+        /// <summary>
+        /// This endpoint reads a named key which is used by a role to sign tokens.
+        /// </summary>
+        /// <param name="keyName">Name of the named key.</param>
+        /// <param name="mountPoint"><para>[optional]</para>
+        /// The mount point for the backend. Defaults to <see cref="SecretsEngineMountPoints.Identity" />
+        /// Provide a value only if you have customized the Azure mount point.
+        /// </param>
+        Task<ReadNamedKeyResponse> ReadNamedKeyAsync(string keyName, string mountPoint = null);
+
+        /// <summary>
+        /// This endpoint deletes a named key.
+        /// </summary>
+        /// <param name="keyName">Name of the key.</param>
+        /// <param name="mountPoint"><para>[optional]</para>
+        /// The mount point for the backend. Defaults to <see cref="SecretsEngineMountPoints.Identity" />
+        /// Provide a value only if you have customized the Azure mount point.
+        /// </param>
+        /// <returns>This endpoint doesn't return anything</returns>
+        Task DeleteNamedKeyAsync(string keyName, string mountPoint = null);
+
         /// <summary>
         /// Use this endpoint to generate a signed ID (OIDC) token.
         /// </summary>

src/VaultSharp/V1/SecretsEngines/Identity/IdentitySecretsEngineProvider.cs

@@ -172,5 +172,75 @@ await _polymath.MakeVaultApiRequest(
                 mergeEntitiesRequest)
                 .ConfigureAwait(_polymath.VaultClientSettings.ContinueAsyncTasksOnCapturedContext);
         }
+
+        public async Task CreateNamedKeyAsync(string keyName, CreateNamedKeyRequest createNamedKeyRequest, string mountPoint = null)
+        {
+            Checker.NotNull(keyName, "keyName");
+            Checker.NotNull(createNamedKeyRequest, "createNamedKeyRequest");
+
+            await _polymath.MakeVaultApiRequest(
+                mountPoint ?? _polymath.VaultClientSettings.SecretsEngineMountPoints.Identity,
+                "/oidc/key/" + keyName.Trim('/'), 
+                HttpMethod.Post, 
+                createNamedKeyRequest)
+                .ConfigureAwait(_polymath.VaultClientSettings.ContinueAsyncTasksOnCapturedContext);
+        }
+
+        public async Task<ReadNamedKeyResponse> ReadNamedKeyAsync(string keyName, string mountPoint = null)
+        {
+            Checker.NotNull(keyName, "keyName");
+
+            return await _polymath.MakeVaultApiRequest<ReadNamedKeyResponse>(
+                mountPoint ?? _polymath.VaultClientSettings.SecretsEngineMountPoints.Identity,
+                "/oidc/key/" + keyName.Trim('/'),
+                HttpMethod.Get)
+                .ConfigureAwait(_polymath.VaultClientSettings.ContinueAsyncTasksOnCapturedContext);
+        }
+
+        public async Task CreateRoleAsync(string roleName, CreateRoleRequest createRoleRequest, string mountPoint = null)
+        {
+            Checker.NotNull(roleName, "roleName");
+            Checker.NotNull(createRoleRequest, "createRoleRequest");
+
+            await _polymath.MakeVaultApiRequest(
+                mountPoint ?? _polymath.VaultClientSettings.SecretsEngineMountPoints.Identity,
+                "/oidc/role/" + roleName.Trim('/'),
+                HttpMethod.Post,
+                createRoleRequest)
+                .ConfigureAwait(_polymath.VaultClientSettings.ContinueAsyncTasksOnCapturedContext);
+        }
+
+        public async Task<ReadRoleResponse> ReadRoleAsync(string roleName, string mountPoint = null)
+        {
+            Checker.NotNull(roleName, "roleName");
+
+            return await _polymath.MakeVaultApiRequest<ReadRoleResponse>(
+                mountPoint ?? _polymath.VaultClientSettings.SecretsEngineMountPoints.Identity,
+                "/oidc/role/" + roleName.Trim('/'),
+                HttpMethod.Get)
+                .ConfigureAwait(_polymath.VaultClientSettings.ContinueAsyncTasksOnCapturedContext);
+        }
+
+        public async Task DeleteRoleAsync(string roleName, string mountPoint = null)
+        {
+            Checker.NotNull(roleName, "roleName");
+
+            await _polymath.MakeVaultApiRequest(
+                mountPoint ?? _polymath.VaultClientSettings.SecretsEngineMountPoints.Identity,
+                "/oidc/role/" + roleName.Trim('/'),
+                HttpMethod.Delete)
+                .ConfigureAwait(_polymath.VaultClientSettings.ContinueAsyncTasksOnCapturedContext);
+        }
+
+        public async Task DeleteNamedKeyAsync(string keyName, string mountPoint = null)
+        {
+            Checker.NotNull(keyName, "keyName");
+
+            await _polymath.MakeVaultApiRequest(
+                mountPoint ?? _polymath.VaultClientSettings.SecretsEngineMountPoints.Identity,
+                "/oidc/key/" + keyName.Trim('/'),
+                HttpMethod.Delete)
+                .ConfigureAwait(_polymath.VaultClientSettings.ContinueAsyncTasksOnCapturedContext);
+        }
     }
 }

src/VaultSharp/V1/SecretsEngines/Identity/NamedKeyInfo.cs

@@ -0,0 +1,29 @@
+using System.Text.Json.Serialization;
+
+namespace VaultSharp.V1.SecretsEngines.Identity
+{
+    public class NamedKeyInfo
+    {
+        /// <summary>
+        /// How often to generate a new signing key. Uses duration format strings.
+        /// </summary>
+        /// <example>"24h"</example>
+        [JsonPropertyName("rotation_period")]
+        public string RotationPeriod { get; set; }
+
+        /// <summary>
+        /// Controls how long the public portion of a signing key will be 
+        /// available for verification after being rotated. Uses duration format strings.
+        /// </summary>
+        /// <example>"24h"</example>
+        [JsonPropertyName("verification_ttl")]
+        public string VerificationTimeToLive { get; set; }
+
+        /// <summary>
+        /// Signing algorithm to use. Allowed values are: RS256 (default), 
+        /// RS384, RS512, ES256, ES384, ES512, EdDSA.
+        /// </summary>
+        [JsonPropertyName("algorithm")]
+        public string Algorithm { get; set; }
+    }
+}

src/VaultSharp/V1/SecretsEngines/Identity/ReadNamedKeyResponse.cs

@@ -0,0 +1,10 @@
+using System.Text.Json.Serialization;
+
+namespace VaultSharp.V1.SecretsEngines.Identity
+{
+    public class ReadNamedKeyResponse 
+    {
+        [JsonPropertyName("data")]
+        public NamedKeyInfo Data { get; set; }
+    }
+}

src/VaultSharp/V1/SecretsEngines/Identity/ReadRoleReponse.cs

@@ -0,0 +1,10 @@
+using System.Text.Json.Serialization;
+
+namespace VaultSharp.V1.SecretsEngines.Identity
+{
+    public class ReadRoleResponse
+    {
+        [JsonPropertyName("data")]
+        public RoleInfo Data { get; set; }
+    }
+}

src/VaultSharp/V1/SecretsEngines/Identity/RoleInfo.cs

@@ -0,0 +1,33 @@
+using System.Text.Json.Serialization;
+
+namespace VaultSharp.V1.SecretsEngines.Identity
+{
+    public class RoleInfo
+    {
+        /// <summary>
+        /// A configured named key, the key must already exist.
+        /// </summary>
+        [JsonPropertyName("key")]
+        public string Key { get; set; }
+
+        /// <summary>
+        /// The template string to use for generating tokens. 
+        /// This may be in string-ified JSON or base64 format.
+        /// </summary>
+        [JsonPropertyName("template")]
+        public string Template { get; set; }
+
+        /// <summary>
+        /// Optional client ID. A random ID will be generated if left unset.
+        /// </summary>
+        [JsonPropertyName("client_id")]
+        public string ClientId { get; set; }
+
+        /// <summary>
+        ///  TTL of the tokens generated against the role. Uses duration format
+        ///  strings.
+        /// </summary>
+        [JsonPropertyName("ttl")]
+        public string TimeToLive { get; set; }
+    }
+}