Merge pull request #1261 from Pietervanhove/AlwaysEncryptedDemos

Sample application using AE with VBS enclaves

Author: uc-msft

samples/features/security/always-encrypted-with-secure-enclaves/sample-application/AlwaysEncryptedConsole.sln

@@ -0,0 +1,25 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.8.34408.163
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AlwaysEncryptedConsole", "AlwaysEncryptedConsole\AlwaysEncryptedConsole.csproj", "{66F6F7D3-3B6E-4460-921F-8E6127C73F33}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{66F6F7D3-3B6E-4460-921F-8E6127C73F33}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{66F6F7D3-3B6E-4460-921F-8E6127C73F33}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{66F6F7D3-3B6E-4460-921F-8E6127C73F33}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{66F6F7D3-3B6E-4460-921F-8E6127C73F33}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {B18CFE54-1A5E-4299-96CE-11F0DCB01A9D}
+	EndGlobalSection
+EndGlobal

samples/features/security/always-encrypted-with-secure-enclaves/sample-application/AlwaysEncryptedConsole/AlwaysEncryptedConsole.csproj

@@ -0,0 +1,20 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>net8.0-windows10.0.22621.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <EnforceCodeStyleInBuild>False</EnforceCodeStyleInBuild>
+    <AnalysisLevel>none</AnalysisLevel>
+    <RunAnalyzersDuringBuild>False</RunAnalyzersDuringBuild>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Azure.Identity" Version="1.10.4" />
+    <PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.5.0" />
+    <PackageReference Include="Microsoft.Data.SqlClient" Version="5.1.4" />
+    <PackageReference Include="Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider" Version="3.0.0" />
+  </ItemGroup>
+
+</Project>

samples/features/security/always-encrypted-with-secure-enclaves/sample-application/AlwaysEncryptedConsole/AlwaysEncryptedConsole.sln

@@ -0,0 +1,25 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.5.002.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AlwaysEncryptedConsole", "AlwaysEncryptedConsole.csproj", "{D51BF679-04F7-40F7-8652-2921AA73593F}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{D51BF679-04F7-40F7-8652-2921AA73593F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{D51BF679-04F7-40F7-8652-2921AA73593F}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{D51BF679-04F7-40F7-8652-2921AA73593F}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{D51BF679-04F7-40F7-8652-2921AA73593F}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {30E31893-7EC2-4FC1-91E4-C3781F5FF081}
+	EndGlobalSection
+EndGlobal

samples/features/security/always-encrypted-with-secure-enclaves/sample-application/AlwaysEncryptedConsole/DumpData.cs

@@ -0,0 +1,62 @@
+//********************************************************* 
+// Copyright (c) Microsoft. All rights reserved. 
+// This code is licensed under the MIT License (MIT). 
+// THIS CODE IS PROVIDED *AS IS* WITHOUT WARRANTY OF 
+// ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING ANY 
+// IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR 
+// PURPOSE, MERCHANTABILITY, OR NON-INFRINGEMENT. 
+// 
+// Author: Michael Howard, Azure Data Security
+//*********************************************************
+
+using Microsoft.Data.SqlClient;
+
+partial class Program
+{
+    // Displays rows and  cols from a SqlDataReader query result
+    public static void DumpData(SqlDataReader? data)
+    {
+        if (data is null)
+        {
+            Console.WriteLine("No data");
+            return;
+        }
+
+        // get column headers
+        Console.WriteLine("Fetching Data");
+        for (int i = 0; i < data.FieldCount; i++)
+            Console.Write(data.GetName(i) + ", ");
+
+        Console.WriteLine();
+
+        // get data
+        while (data.Read())
+        {
+            for (int i = 0; i < data.FieldCount; i++)
+            {
+                var value = data.GetValue(i);
+
+                if (value is not null)
+                {
+                    var type = data.GetFieldType(i);
+
+                    // if the data is a byte array (ie; ciphertext)
+                    // dump the first 16 bytes of hex string
+                    if (type == typeof(byte[]))
+// Possible null reference argument. There *IS* a check two lines up!
+#pragma warning disable CS8604 
+                        value = ByteArrayToHexString(value as byte[], 16);
+#pragma warning restore CS8604 
+                }
+                else
+                {
+                    value = "?";
+                }
+
+                Console.Write(value + ", ");
+            }
+            Console.WriteLine();
+        }
+    }
+}
+

samples/features/security/always-encrypted-with-secure-enclaves/sample-application/AlwaysEncryptedConsole/Program.cs

@@ -0,0 +1,176 @@
+//********************************************************* 
+// Copyright (c) Microsoft. All rights reserved. 
+// This code is licensed under the MIT License (MIT). 
+// THIS CODE IS PROVIDED *AS IS* WITHOUT WARRANTY OF 
+// ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING ANY 
+// IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR 
+// PURPOSE, MERCHANTABILITY, OR NON-INFRINGEMENT. 
+// 
+// Author: Michael Howard, Azure Data Security
+//*********************************************************
+
+//*********************************************************
+// Demo Steps
+// Step 1
+// Run, as-is, AE is set to false,
+// and the code will return ciphertext
+// 
+// Step 2
+// Set useAlwaysEncrypted to true (line 47)
+// Re-run code, will fail because of no params
+//
+// Step 3
+// Set testWithParams to true (line 50)
+// Re-run code, but will fail because of no AKV
+//
+// Step 4
+// Set registerAkv4Ae to true (line 53)
+// Re-run. At this point everything should work.
+// Two queries, the first is slow because intial authn/authz/column metadata
+// Second is much faster
+
+using Azure.Core;
+using Microsoft.Data.SqlClient;
+using System.Data;
+using System.Diagnostics;
+
+partial class Program
+{
+    static void Main()
+    {
+        // START all these flags should be false
+
+        // Demo step 1 will not use AE,
+        // and you will only see the SSN and Salary columns as ciphertext
+
+        // Demo step 2 set this to true
+        bool useAlwaysEncrypted = true;
+
+        // Demo step 3 set this to true
+        bool testWithParams = true;
+
+        // Demo step 4 set this to true
+        bool registerAkv4Ae = true;
+
+        Console.WriteLine($"Cold Start\nUse Always Encrypted with Enclaves? {(useAlwaysEncrypted ? "Yes" : "No")}");
+
+        // Login to Azure and get Azure SQL DB OAuth2 token
+        Console.WriteLine("Connecting to Azure");
+        (TokenCredential? credential, string? oauth2TokenSql) = LoginToAure();
+        if (credential is null || oauth2TokenSql is null)
+            throw new ArgumentNullException("Unable to login to Azure");
+
+        Console.WriteLine("Connecting to Azure SQL DB");
+
+        // Connect to Azure SQL DB using EntraID AuthN rather than Windows or SQL AuthN
+        var connectionString = GetSQLConnectionString(useAlwaysEncrypted);
+        using SqlConnection conn = new(connectionString)
+        {
+            AccessToken = oauth2TokenSql
+        };
+        conn.Open();
+
+        // Register the enclave attestation URL, do this once on app startup
+        if (useAlwaysEncrypted && registerAkv4Ae)
+            RegisterAkvForAe(credential);
+
+        // From here on is real database work
+        SqlCommand sqlCommand;
+
+        if (useAlwaysEncrypted == false)
+        {
+            string query =
+                "SELECT Top 10 SSN, Salary, LastName, FirstName " +
+                "FROM Employees";
+
+            sqlCommand = new(query, conn);
+            DoQuery(sqlCommand);
+        }
+        else
+        {
+            ///////////////////////////////////////////////////
+            // QUERY #1: Get count based on employee salary 
+            // Demo step 4 - keep as is, but after demo set to false
+            if (testWithParams == false)
+            {
+                string query1 = "SELECT count(*) FROM Employees where [Salary] > 50000";
+                sqlCommand = new(query1, conn);
+                DoQuery(sqlCommand);
+            }
+
+            ///////////////////////////////////////////////////
+            // QUERY #2: Find minimum salary with specific SSN
+            string query2 =
+                "SELECT [SSN], [Salary], [LastName], [FirstName] " +
+                "FROM Employees WHERE [Salary] > @MinSalary AND [SSN] LIKE @SSN " +
+                "ORDER by [Salary] DESC";
+
+            sqlCommand = new(query2, conn);
+
+            // MUST use parameters
+            SqlParameter minSalaryParam = new("@MinSalary", SqlDbType.Money) {
+                Value = 50_000
+            };
+            sqlCommand.Parameters.Add(minSalaryParam);
+
+            SqlParameter ssnParam = new("@SSN", SqlDbType.Char) {
+                Value = "6%"
+            };
+            sqlCommand.Parameters.Add(ssnParam);
+
+            DoQuery(sqlCommand);
+
+            ///////////////////////////////////////////////////
+            // QUERY #2: sproc to find salary range
+            string query3 = "EXEC usp_GetSalary @MinSalary = @MinSalaryRange, @MaxSalary = @MaxSalaryRange";
+
+            sqlCommand = new(query3, conn);
+
+            SqlParameter minSalaryRange = new("@MinSalaryRange", SqlDbType.Money) {
+                Value = 40_000
+            };
+            sqlCommand.Parameters.Add(minSalaryRange);
+
+            SqlParameter maxSalaryRange = new("@MaxSalaryRange", SqlDbType.Money) {
+                Value = 42_000
+            };
+            sqlCommand.Parameters.Add(maxSalaryRange);
+
+            DoQuery(sqlCommand);
+        }
+    }
+    
+    // Perform the actual query and gather stats
+    // The time is the round trip time to and from the database
+    // This will be higher than the actual query time due to network latency
+    // IMPORTANT: the first query is slower due to lots of moving parts
+    // getting loaded, authN, AuthZ, etc.
+    static void DoQuery(SqlCommand sqlCommand)
+    {
+        var stopwatch = Stopwatch.StartNew();
+
+        Console.WriteLine($"\nPerforming Query\n{sqlCommand.CommandText}");
+        
+        SqlDataReader? data = null;
+        try
+        {
+            data = sqlCommand.ExecuteReader();
+        }
+        catch (SqlException ex)
+        {
+            Console.WriteLine(ex.Message);
+            Environment.Exit(-1);
+        }
+        catch (System.InvalidOperationException ex)
+        {
+            Console.WriteLine(ex.Message);
+            Environment.Exit(-1);
+        }
+
+        stopwatch.Stop();
+        Console.WriteLine($"Network Roundtrip + Query took [{stopwatch.ElapsedMilliseconds}ms]");
+
+        DumpData(data);
+        data.Close();
+    }
+}

samples/features/security/always-encrypted-with-secure-enclaves/sample-application/AlwaysEncryptedConsole/Utils.cs

@@ -0,0 +1,80 @@
+//********************************************************* 
+// Copyright (c) Microsoft. All rights reserved. 
+// This code is licensed under the MIT License (MIT). 
+// THIS CODE IS PROVIDED *AS IS* WITHOUT WARRANTY OF 
+// ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING ANY 
+// IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR 
+// PURPOSE, MERCHANTABILITY, OR NON-INFRINGEMENT. 
+// 
+// Author: Michael Howard, Azure Data Security
+//*********************************************************
+
+using System.Text;
+using Azure.Core;
+using Azure.Identity;
+using Microsoft.Data.SqlClient;
+using Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider;
+
+partial class Program
+{
+    // Helper function to dump binary data
+    // Can truncate the output if needed
+    public static string ByteArrayToHexString(byte[] byteArray, int maxLen = 16)
+    {
+        StringBuilder hex = new(byteArray.Length * 2);
+        foreach (byte b in byteArray)
+            hex.AppendFormat("{0:x2}", b);
+
+        return hex.ToString()[..maxLen];
+    }
+
+    // Build SQL Connection String 
+    public static string GetSQLConnectionString(bool useAE = true)
+    {
+        const string _EnvVar = "ConnectContosoHR";
+
+        string? sqlConn = 
+            Environment.GetEnvironmentVariable(_EnvVar, EnvironmentVariableTarget.Process) 
+            ?? throw new ArgumentException($"Missing environment variable, {_EnvVar}");
+
+        // Add AE settings if needed
+        // You could also use a connection string builder, SqlConnectionStringBuilder 
+        if (useAE)
+            sqlConn += ";Column Encryption Setting=Enabled;Attestation Protocol=None;";
+
+        return sqlConn;
+    }
+
+    // Login to Azure and get token to Azure SQL DB OAuth2 token
+    // This uses Azure CLI for authentication, but you could change this 
+    // to use other methods such as Managed Identity, Service Principal, etc.
+    // You'll get an error if you don't have the Azure CLI installed and have yet to login.
+    // Learn more about the various Azure token credential sources at
+    // https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet
+    public static (TokenCredential? tok, string? oauth2Sql) LoginToAure()
+    {
+        try
+        {
+            var credential = new AzureCliCredential();
+            var oauth2TokenSql = credential.GetToken(
+                    new TokenRequestContext(
+                        ["https://database.windows.net/.default"])).Token;
+            return (credential, oauth2TokenSql);
+        }
+        catch (Exception ex)
+        {
+            Console.WriteLine(ex.Message);
+            return (null, null);
+        }
+    }
+
+    // We need to register the use of AKV for AE, do these once per app on startup
+    public static void RegisterAkvForAe(TokenCredential cred)
+    {
+        var akvAeProvider = new SqlColumnEncryptionAzureKeyVaultProvider(cred);
+        SqlConnection.RegisterColumnEncryptionKeyStoreProviders(
+            customProviders: new Dictionary<string, SqlColumnEncryptionKeyStoreProvider>() {
+                { SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, akvAeProvider }
+            });
+    }
+}