AuthJanitor Automation

Anthony Turner edited this page Apr 27, 2020 · 1 revision

Administrative REST API (AuthJanitor.Automation.AdminApi)

AuthJanitor comes with an Azure Functions-powered REST API which provides data objects to facilitate the automation of key/secret rotation. This includes the concepts of Resources, Managed Secrets, and Rekeying Tasks. It also handles scheduling of actions, as well as manipulation of on-behalf-of access tokens to create valid access tokens for management resources using an administrator's valid credentials.

NOTE: For security reasons, any client communicating with the Administrative REST API must send the HTTP header AuthJanitor: administrator. This requirement is intended to mitigate some types of XSS attacks that could be performed against the service administrator user.
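As an added illustration of where that header check sits on the server side (this is example code, not AuthJanitor's own AdminApi implementation; the function name, route and the AdminHeaderGuard helper are assumptions), an Azure Functions HTTP trigger that rejects any request lacking the exact AuthJanitor: administrator header before doing any work:

```csharp
using System;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Primitives;

public static class AdminHeaderGuard
{
    // Header name and value required by the note above. HTTP header names are
    // case-insensitive; the value is compared exactly, so "Administrator" fails.
    public const string HeaderName = "AuthJanitor";
    public const string RequiredValue = "administrator";

    // True only when the header is present exactly once with the expected value.
    // A missing, duplicated or mismatched header is rejected.
    public static bool HasAdministratorHeader(IHeaderDictionary headers)
    {
        if (!headers.TryGetValue(HeaderName, out StringValues values))
            return false;
        return values.Count == 1
            && string.Equals(values[0], RequiredValue, StringComparison.Ordinal);
    }
}

// Hypothetical HTTP-triggered function showing the guard in use.
public static class ListResourcesFunction
{
    [FunctionName("ListResources")]
    public static IActionResult Run(
        [HttpTrigger(AuthorizationLevel.Function, "get", Route = "resources")] HttpRequest req,
        ILogger log)
    {
        if (!AdminHeaderGuard.HasAdministratorHeader(req.Headers))
        {
            // Log the rejection so missing-header traffic is visible to operators.
            log.LogWarning("Rejected request to {Path}: missing or invalid {Header} header",
                req.Path, AdminHeaderGuard.HeaderName);
            return new StatusCodeResult(StatusCodes.Status403Forbidden);
        }

        // Normal handling (identity checks, data store lookup) continues here.
        return new OkObjectResult(Array.Empty<object>());
    }
}
```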

Administrative Blazor (WASM) UI (AuthJanitor.Automation.AdminUi)

A client-side (WASM) Blazor web application which communicates with the Administrative REST API. It is built on the Components library to provide an interface for managing automated secret rotations. This UI is created with the Blazorise component library, which allows the frontend to be switched between Bootstrap, Bulma, Material, and others.

AuthJanitor Agent (AuthJanitor.Automation.Agent)

Companion application to the Administrative tools, to be run in the context of an independent service principal/managed identity. The AuthJanitor Agent is only required if either of the "Agent Identity" task approval strategies is used with one or more Managed Secrets. Avoid Agent Identity wherever possible: it removes the ability to trace an approval back to a human being, and it creates a valid long-term access token which can be compromised without the service operator's knowledge. The Administrator approval strategies generally offer better security.

Blazor (WASM) Component Library (AuthJanitor.Automation.Components)

A set of components and cards which can be used to visualize/edit ViewModel objects being emitted from the Administrative REST API. These are created with the Blazorise component library, which allows the frontend to be switched between Bootstrap, Bulma, Material, and others. If there is a specific business need for a different user interface, this library can be used to quickly prototype an alternative approach if Razor components can be used.

Automation Shared Object Library (AuthJanitor.Automation.Shared)

AuthJanitor.Automation.Shared.DataStores

Contains the interface for, and an Azure Blob Storage implementation of, Data Store Providers. More information on Data Stores can be found on the "Data Stores" page.

AuthJanitor.Automation.Shared.Models

Contains data models which are stored using a Data Store Provider.

AuthJanitor.Automation.Shared.NotificationProviders

Contains the interface for, and a SendGrid implementation of, Notification Providers. More information can be found on the "Automated Notifications" page.

AuthJanitor.Automation.Shared.PersistenceEncryption

Contains the interface for, and default implementations of, persistence encryption strategies. More information can be found on the "Secure Persistence" page.

AuthJanitor.Automation.Shared.SecureStorageProviders

Contains the interface for, and a Key Vault implementation of, a Secure Storage Provider. This is used when persistence of sensitive data is required. More information can be found on the "Secure Persistence" page.

AuthJanitor.Automation.Shared.ViewModels

ViewModels which are generated by the Administrative REST API. These can also be generated from the objects in the Models namespace with the helper class AuthJanitor.Automation.Shared.ViewModelFactory.