Creating an Application Lifecycle Provider
An Application Lifecycle Provider is a provider which contains logic to manage the lifecycle of an application which consumes a Managed Secret. The ALC Provider is intended to handle zero-downtime managed secret rotations, but ultimately if that is not possible, it should be communicated as a part of the provider's GetDescription method.
[Provider(Name = "My First ALC Provider",
IconClass = "fa fa-gears",
Description = "This is the first ALC provider I wrote!")]
[ProviderImage(MY_PROVIDERS_SVG_LOGO_STRING)]
public class MyFirstALCProvider : ApplicationLifecycleProvider<MyFirstProviderConfiguration>
{
public override Task BeforeRekeying(List<RegeneratedSecret> temporaryUseSecrets)
{
// This method is called prior to any rekeyings occurring.
// A list of temporary secrets, from the RekeyableObjectProviders, is passed as an argument to be used temporarily during the rekeying operation.
// When working with multiple providers, all Application Lifecycle Providers will have BeforeRekeying invoked (potentially in parallel).
return Task.FromResult(true);
}
public override async Task CommitNewSecrets(List<RegeneratedSecret> newSecrets)
{
// This method is called after all Rekeyable Object Providers have been rekeyed.
// The expectation is that this method understands how to take secrets and put them in place for the Application Lifecycle.
// When using multiple providers in the same ManagedSecret, disambiguation is performed by the standard "UserHint" field.
// Each "RegeneratedSecret" object contains the configured UserHint. It is entirely up to the developer of the Provider
// on how multiple RegeneratedSecrets are handled.
return Task.FromResult(true);
}
public override Task AfterRekeying()
{
// This method is called after all Rekeyable Object Providers have been rekeyed and the resulting RegeneratedSecrets have
// been committed.
return Task.FromResult(true);
}
public override Task Test()
{
// This optional method is called before any rekeying action, to ensure the credentials provided are sufficient to perform
// the requested action. If not specified, the test will always pass.
return Task.FromResult(true);
}
public override IList<RiskyConfigurationItem> GetRisks(TimeSpan requestedValidPeriod)
{
// This optional method is called to assess the Provider as-configured for risks, when taking into account the requested
// period of validity for the ManagedSecret. When implemented, GetRisks methods should always call each other as well as
// the GetRisks method of the ProviderConfiguration structure for this Provider.
// When not implemented, GetRisks(TimeSpan) calls GetRisks(), which calls Configuration.GetRiskyConfigurations().
// These three methods together should enumerate any risky configurations.
return GetRisks();
}
public override IList<RiskyConfigurationItem> GetRisks()
{
// This optional method is called to assess the Provider as-configured for risks, independent of the configuration of the
// ManagedSecret. When implemented, GetRisks methods should always call each other as well as the GetRisks method of the
// ProviderConfiguration structure for this Provider.
// When not implemented, GetRisks(TimeSpan) calls GetRisks(), which calls Configuration.GetRiskyConfigurations().
// These three methods together should enumerate any risky configurations.
return new List<RiskyConfigurationItem>();
}
// This method should be a human readable sentence-or-two description of what the Provider does.
public override string GetDescription() => "This provider is my first ALC provider, and it does some things!";
}