Add credential provider chain (DPAPI, env vars, XML) with --setup-secrets

Author: kill74

SPOtoSQL-Net8/ConsoleApp1Net8/ConsoleApp1Net8.csproj

@@ -40,6 +40,7 @@
     <PackageReference Include="Microsoft.Extensions.Diagnostics.HealthChecks" Version="8.0.8" />
     <PackageReference Include="Microsoft.Extensions.Http.Polly" Version="8.0.8" />
     <PackageReference Include="System.Data.SqlClient" Version="4.8.6" />
+    <PackageReference Include="System.Security.Cryptography.ProtectedData" Version="8.0.0" />
   </ItemGroup>
 
   <ItemGroup>
@@ -74,6 +75,11 @@
     <Compile Include="..\..\SPOtoSQL-Snapshots\ConsoleApp1\Sharepoint\SPOUser.cs" />
     <Compile Include="..\..\SPOtoSQL-Snapshots\ConsoleApp1\Sharepoint\TimesheetDQ.cs" />
     <Compile Include="..\..\SPOtoSQL-Snapshots\ConsoleApp1\Sharepoint\TwoFactorAuth.cs" />
+    <Compile Include="..\..\SPOtoSQL-Snapshots\ConsoleApp1\Security\CredentialManager.cs" />
+    <Compile Include="..\..\SPOtoSQL-Snapshots\ConsoleApp1\Security\DpapiCredentialProvider.cs" />
+    <Compile Include="..\..\SPOtoSQL-Snapshots\ConsoleApp1\Security\EnvCredentialProvider.cs" />
+    <Compile Include="..\..\SPOtoSQL-Snapshots\ConsoleApp1\Security\ICredentialProvider.cs" />
+    <Compile Include="..\..\SPOtoSQL-Snapshots\ConsoleApp1\Security\XmlCredentialProvider.cs" />
     <Compile Include="..\..\SPOtoSQL-Snapshots\ConsoleApp1\XmlConfig\ConfigHelper.cs" />
     <Compile Include="..\..\SPOtoSQL-Snapshots\ConsoleApp1\ConsoleLogger\Logger.cs" />
     <Compile Include="..\..\SPOtoSQL-Snapshots\ConsoleApp1\AssemblyInfo.cs" />

SPOtoSQL-Net8/ConsoleApp1Net8/GlobalUsings.cs

@@ -12,4 +12,5 @@
 global using Bring.SPODataQuality;
 global using Bring.Sharepoint;
 global using Bring.Sqlserver;
+global using Bring.Security;
 global using Bring.XmlConfig;

SPOtoSQL-Snapshots/ConsoleApp1/ConsoleApp1.csproj

@@ -101,6 +101,11 @@
 		<Compile Include="Sharepoint\SPOUser.cs" />
 		<Compile Include="Sharepoint\TimesheetDQ.cs" />
 		<Compile Include="Sharepoint\TwoFactorAuth.cs" />
+		<Compile Include="Security\CredentialManager.cs" />
+		<Compile Include="Security\DpapiCredentialProvider.cs" />
+		<Compile Include="Security\EnvCredentialProvider.cs" />
+		<Compile Include="Security\ICredentialProvider.cs" />
+		<Compile Include="Security\XmlCredentialProvider.cs" />
 		<Compile Include="XmlConfig\ConfigHelper.cs" />
 		<Compile Include="ConsoleLogger\Logger.cs" />
 		<Compile Include="AssemblyInfo.cs" />

SPOtoSQL-Snapshots/ConsoleApp1/SPODataQuality/RefreshSPOLists.cs

@@ -1,4 +1,5 @@
-using Bring.Sharepoint;
+using Bring.Security;
+using Bring.Sharepoint;
 using Bring.Sqlserver;
 using Bring.XmlConfig;
 using Microsoft.SharePoint.Client;
@@ -20,6 +21,13 @@ private static void Main(string[] args)
             try
             {
                 InitializeApplication(args);
+
+                if (args.Any(a => a.Equals("--setup-secrets", StringComparison.OrdinalIgnoreCase)))
+                {
+                    RunSetupSecrets();
+                    return;
+                }
+
                 RunMainWorkflow();
             }
             catch (Exception ex)
@@ -28,6 +36,48 @@ private static void Main(string[] args)
             }
         }
 
+        private static void RunSetupSecrets()
+        {
+            Console.WriteLine("=== Secure Credential Setup ===");
+            Console.WriteLine("Credentials will be encrypted and stored at:");
+            Console.WriteLine("  %APPDATA%\\SPO2SQL\\credentials.enc");
+            Console.WriteLine();
+
+            Console.Write("SharePoint Username: ");
+            string username = Console.ReadLine()?.Trim();
+            Console.Write("SharePoint Password: ");
+            string password = Console.ReadLine()?.Trim();
+            Console.Write("SQL Connection String: ");
+            string connString = Console.ReadLine()?.Trim();
+
+            if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
+            {
+                Console.WriteLine("ERROR: Username and password are required.");
+                Environment.Exit(1);
+            }
+
+            try
+            {
+                var dpapi = new DpapiCredentialProvider();
+                dpapi.SaveCredentials(username, password, connString ?? "");
+                Console.WriteLine("Credentials saved securely.");
+            }
+            catch (PlatformNotSupportedException)
+            {
+                Console.WriteLine("ERROR: DPAPI encryption is not available on this platform.");
+                Console.WriteLine("Use environment variables instead:");
+                Console.WriteLine("  set SPO_USERNAME=" + username);
+                Console.WriteLine("  set SPO_PASSWORD=...");
+                Console.WriteLine("  set SQL_CONNECTION_STRING=...");
+                Environment.Exit(1);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("ERROR: Failed to save credentials: " + ex.Message);
+                Environment.Exit(1);
+            }
+        }
+
         private static void InitializeApplication(string[] args)
         {
             Logger.Log(1, "DEBUG: Using the Default config");

SPOtoSQL-Snapshots/ConsoleApp1/Security/CredentialManager.cs

@@ -0,0 +1,65 @@
+using System;
+using System.Collections.Generic;
+
+namespace Bring.Security
+{
+    public static class CredentialManager
+    {
+        private static readonly List<ICredentialProvider> Providers;
+        private static bool _initialized;
+
+        static CredentialManager()
+        {
+            Providers = new List<ICredentialProvider>();
+        }
+
+        private static void EnsureInitialized()
+        {
+            if (_initialized) return;
+            _initialized = true;
+
+            Providers.Add(new EnvCredentialProvider());
+            Providers.Add(new DpapiCredentialProvider());
+        }
+
+        public static void RegisterProvider(ICredentialProvider provider)
+        {
+            EnsureInitialized();
+            Providers.Insert(0, provider);
+        }
+
+        public static (string Username, string Password) GetSharePointCredentials()
+        {
+            EnsureInitialized();
+
+            foreach (var provider in Providers)
+            {
+                var result = provider.GetCredentials();
+                if (result != null && !string.IsNullOrEmpty(result.Value.Username) && !string.IsNullOrEmpty(result.Value.Password))
+                {
+                    Logger.Log(2, $"[CredentialManager] Using provider: {provider.GetType().Name}");
+                    return (result.Value.Username, result.Value.Password);
+                }
+            }
+
+            throw new InvalidOperationException("No credential provider returned valid SharePoint credentials.");
+        }
+
+        public static string GetSqlConnectionString()
+        {
+            EnsureInitialized();
+
+            foreach (var provider in Providers)
+            {
+                var result = provider.GetCredentials();
+                if (result != null && !string.IsNullOrEmpty(result.Value.SqlConnectionString))
+                {
+                    Logger.Log(2, $"[CredentialManager] Using provider: {provider.GetType().Name}");
+                    return result.Value.SqlConnectionString;
+                }
+            }
+
+            throw new InvalidOperationException("No credential provider returned a valid SQL connection string.");
+        }
+    }
+}

SPOtoSQL-Snapshots/ConsoleApp1/Security/DpapiCredentialProvider.cs

@@ -0,0 +1,49 @@
+using System;
+using System.IO;
+using System.Security.Cryptography;
+using System.Text;
+
+namespace Bring.Security
+{
+    public class DpapiCredentialProvider : ICredentialProvider
+    {
+        private string FilePath => Path.Combine(
+            Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
+            "SPO2SQL",
+            "credentials.enc");
+
+        public (string Username, string Password, string SqlConnectionString)? GetCredentials()
+        {
+            try
+            {
+                if (!File.Exists(FilePath))
+                    return null;
+
+                byte[] encrypted = File.ReadAllBytes(FilePath);
+                byte[] decrypted = ProtectedData.Unprotect(encrypted, null, DataProtectionScope.CurrentUser);
+                string plaintext = Encoding.UTF8.GetString(decrypted);
+
+                string[] parts = plaintext.Split('|');
+                return parts.Length >= 3
+                    ? (parts[0], parts[1], parts[2])
+                    : null;
+            }
+            catch
+            {
+                return null;
+            }
+        }
+
+        public void SaveCredentials(string username, string password, string connectionString)
+        {
+            string dir = Path.GetDirectoryName(FilePath);
+            Directory.CreateDirectory(dir);
+
+            string plaintext = $"{username}|{password}|{connectionString}";
+            byte[] data = Encoding.UTF8.GetBytes(plaintext);
+            byte[] encrypted = ProtectedData.Protect(data, null, DataProtectionScope.CurrentUser);
+
+            File.WriteAllBytes(FilePath, encrypted);
+        }
+    }
+}

SPOtoSQL-Snapshots/ConsoleApp1/Security/EnvCredentialProvider.cs

@@ -0,0 +1,19 @@
+using System;
+
+namespace Bring.Security
+{
+    public class EnvCredentialProvider : ICredentialProvider
+    {
+        public (string Username, string Password, string SqlConnectionString)? GetCredentials()
+        {
+            string user = Environment.GetEnvironmentVariable("SPO_USERNAME");
+            string pass = Environment.GetEnvironmentVariable("SPO_PASSWORD");
+            string conn = Environment.GetEnvironmentVariable("SQL_CONNECTION_STRING");
+
+            if (!string.IsNullOrEmpty(user) && !string.IsNullOrEmpty(pass))
+                return (user, pass, conn ?? string.Empty);
+
+            return null;
+        }
+    }
+}

SPOtoSQL-Snapshots/ConsoleApp1/Security/ICredentialProvider.cs

@@ -0,0 +1,7 @@
+namespace Bring.Security
+{
+    public interface ICredentialProvider
+    {
+        (string Username, string Password, string SqlConnectionString)? GetCredentials();
+    }
+}

SPOtoSQL-Snapshots/ConsoleApp1/Security/XmlCredentialProvider.cs

@@ -0,0 +1,21 @@
+using Bring.XmlConfig;
+
+namespace Bring.Security
+{
+    public class XmlCredentialProvider : ICredentialProvider
+    {
+        public (string Username, string Password, string SqlConnectionString)? GetCredentials()
+        {
+            try
+            {
+                var (user, pass) = ConfigurationReader.GetSharePointCredentials();
+                string conn = ConfigurationReader.GetSqlConnectionString();
+                return (user, pass, conn);
+            }
+            catch
+            {
+                return null;
+            }
+        }
+    }
+}

SPOtoSQL-Snapshots/ConsoleApp1/XmlConfig/ConfigHelper.cs

@@ -2,6 +2,7 @@
 using System.Collections.Generic;
 using System.Xml;
 using Bring.SPODataQuality;
+using Bring.Security;
 using System.Linq;
 
 namespace Bring.XmlConfig
@@ -183,8 +184,15 @@ public static HashSet<string> GetIgnoredColumns()
         /// <exception cref="InvalidOperationException">Thrown when required configuration elements are missing or invalid.</exception>
         public static (string Username, string Password) GetSharePointCredentials()
         {
-            LoadConfig();
+            try
+            {
+                return CredentialManager.GetSharePointCredentials();
+            }
+            catch
+            {
+            }
 
+            LoadConfig();
             try
             {
                 var spNode = _xmlDoc.SelectSingleNode("//Configuration/SharePoint");
@@ -196,26 +204,25 @@ public static (string Username, string Password) GetSharePointCredentials()
 
                 if (usernameNode == null)
                     throw new InvalidOperationException("Username element not found in SharePoint configuration.");
-                
+
                 if (passwordNode == null)
                     throw new InvalidOperationException("Password element not found in SharePoint configuration.");
 
                 var username = usernameNode.InnerText.Trim();
                 var password = passwordNode.InnerText.Trim();
 
-                // Basic validation
                 if (string.IsNullOrEmpty(username))
                     throw new InvalidOperationException("Username cannot be empty.");
-                
+
                 if (string.IsNullOrEmpty(password))
                     throw new InvalidOperationException("Password cannot be empty.");
 
-                Logger.Log(2, "SharePoint credentials retrieved successfully.");
+                Logger.Log(2, "SharePoint credentials retrieved successfully from XML config.");
                 return (username, password);
             }
             catch (InvalidOperationException)
             {
-                throw; // Re-throw configuration-specific exceptions
+                throw;
             }
             catch (Exception ex)
             {
@@ -224,16 +231,17 @@ public static (string Username, string Password) GetSharePointCredentials()
             }
         }
 
-        /// <summary>
-        /// Retrieves the SQL Server connection string from the configuration file.
-        /// </summary>
-        /// <returns>The SQL Server connection string.</returns>
-        /// <exception cref="FileNotFoundException">Thrown when the configuration file is not found.</exception>
-        /// <exception cref="InvalidOperationException">Thrown when the connection string configuration is missing or invalid.</exception>
         public static string GetSqlConnectionString()
         {
-            LoadConfig();
+            try
+            {
+                return CredentialManager.GetSqlConnectionString();
+            }
+            catch
+            {
+            }
 
+            LoadConfig();
             try
             {
                 var connNode = _xmlDoc.SelectSingleNode("//Configuration/SQL/ConnectionString");
@@ -244,12 +252,12 @@ public static string GetSqlConnectionString()
                 if (string.IsNullOrEmpty(connectionString))
                     throw new InvalidOperationException("SQL connection string cannot be empty.");
 
-                Logger.Log(2, "SQL connection string retrieved successfully.");
+                Logger.Log(2, "SQL connection string retrieved successfully from XML config.");
                 return connectionString;
             }
             catch (InvalidOperationException)
             {
-                throw; // Re-throw configuration-specific exceptions
+                throw;
             }
             catch (Exception ex)
             {