For example, I'm currently writing an API client and user-secrets + the new Configuration code would be really handy for storing and retrieving authentication tokens.

Process id 27532

User id 10222
Group id 10222

Today we check for the presence of the file before adding the configuration source. Instead register it as an optional source.

https://github.com/aspnet/UserSecrets/blob/dev/src/Microsoft.Framework.ConfigurationModel.UserSecrets/ConfigurationExtensions.cs#L24

https://github.com/aspnet/UserSecrets/blob/dev/src/Microsoft.Framework.ConfigurationModel.UserSecrets/ConfigurationExtensions.cs#L42

For example, in order to display a grid, you would need to parse out the info: output from the results of dotnet user-secrets list. Ideally, this should just be a --json or similar switch which would just output the secrets as json.

Similarly, it would also be good to be able to pass in json via the set command, bonus if nested json could be passed in here and the tool would take care of flattening.

Case-sensitivity of keys when setting the value:
user-secret set "AppSettings:Name" "red"
user-secret set "appsettings:name" "blue"

Expected: the key should be case-insensitive. i.e the value "red" should have been overridden with value "blue",

Actual: I noticed that both the values were getting stored as separate entries.
In secrets.json:
{
"appsettings:name": "red",
"AppSettings:Name": "blue"
}

When I launch the application, this results in an error like below:

System.FormatException: A duplicate key 'AppSettings:Name' was found.
   at Microsoft.Framework.Configuration.Json.JsonConfigurationFileParser.VisitPrimitive(JToken data)
   at Microsoft.Framework.Configuration.Json.JsonConfigurationFileParser.VisitToken(JToken token)
   at Microsoft.Framework.Configuration.Json.JsonConfigurationFileParser.VisitProperty(JProperty property)
   at Microsoft.Framework.Configuration.Json.JsonConfigurationFileParser.VisitJObject(JObject jObject)
   at Microsoft.Framework.Configuration.Json.JsonConfigurationFileParser.Parse(Stream input)
   at Microsoft.Framework.Configuration.JsonConfigurationSource.Load(Stream stream)
   at Microsoft.Framework.Configuration.JsonConfigurationSource.Load()
   at Microsoft.Framework.Configuration.ConfigurationBuilder.Add(IConfigurationSource configurationSource, Boolean load)
   at Microsoft.Framework.Configuration.ConfigurationBuilder.Add(IConfigurationSource configurationSource)
   at Microsoft.Framework.Configuration.JsonConfigurationExtension.AddJsonFile(IConfigurationBuilder configuration, String path, Boolean optional)
   at Microsoft.Framework.Configuration.ConfigurationExtensions.AddUserSecrets(IConfigurationBuilder configuration)
   at SampleWebApp.Startup..ctor(IApplicationEnvironment env, IRuntimeEnvironment runtimeEnvironment) in C:\Users\kichalla\Desktop\TestApps\src\WebApp\Startup.cs:line 15
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.Framework.DependencyInjection.ActivatorUtilities.ConstructorMatcher.CreateInstance(IServiceProvider provider)
   at Microsoft.Framework.DependencyInjection.ActivatorUtilities.CreateInstance(IServiceProvider provider, Type instanceType, Object[] parameters)
   at Microsoft.Framework.DependencyInjection.ActivatorUtilities.GetServiceOrCreateInstance(IServiceProvider provider, Type type)
   at Microsoft.AspNet.Hosting.Startup.StartupLoader.LoadMethods(Type startupType, IList`1 diagnosticMessages)
   at Microsoft.AspNet.Hosting.Internal.HostingEngine.EnsureStartup()
   at Microsoft.AspNet.Hosting.Internal.HostingEngine.EnsureApplicationServices()
   at Microsoft.AspNet.Hosting.Internal.HostingEngine.Start()
   at Microsoft.AspNet.Loader.IIS.RuntimeHttpApplication.ApplicationStart(IHttpApplication application)
   at Microsoft.AspNet.Loader.IIS.HttpApplicationBase.InvokeApplicationStart(IHttpApplication application)

"user-secret remove" is also being case-sensitive.
Expected: key is case-Insensitive
Actual: is case-sensitive

The readme should contain some hints as to what this project does. I've read the source and other than encrypting secrets I have no idea of its purpose. Are these connection strings that are encrypted? Passwords? The membership lists for the illuminati?

DNX/EF/DNVM all have much cooler banners. I feel like UserSecrets needs some love, too.

The error message displayed when {path} is invalid is not descriptive and references an argument rather than the command-line option.

For example,

dotnet user-secrets list --project \garbage

Results in

critical: Command failed : The directory name C:\garbage\ is invalid.
Parameter name: path

Note the parameter name mentioned above is inconsistent w/ the in #77. It's the same command-line option and the parameter should also be the same.

Unable to resolve 'Microsoft.Extensions.Configuration.UserSecrets (>= 1.0.0-rc3-21157)' for '.NETCoreApp,Version=v1.0'.

The storage mechanism for user secrets should be an opaque implementation detail. We've encountered a few issues when users or tools edit secrets.json in inconsistent ways with how our tooling understands the file. (Example: nesting or flattening keys, see #79). We should find ways to discourage manually editing of this storage.

Possible solutions (one or many may be good)

• Add comment to top of json file warning users that manually editing may cause issues
• Change storage formats
  • example idea: use a SQLite database with a simple table of key/value pairs
• Ensure VS tooling doesn't open a text editor to the secrets.json file but instead wraps the contents of the file in UI

The secrets.json file can be directly edited by the user, and as such is subject to typos and other corruption. Once corrupted all operations fail with json parsing errors and the file cannot be fixed/cleared/deleted by user-secret. Instead you have to go find the file and correct it by hand.

Recommendation: user-secret clear should overwrite the file without attempting to parse it. This will allow you to easily recover from corrupted files.

Hi,

I'm trying to add Microsoft.Extensions.SecretManager.Tools package to my ASP.Net Core project. The project was created with the VS 2015 Update 3 template ASP.Net Core Web Application (.Net Framework). I'm getting the following error:
The dependency Microsoft.Extensions.SecretManager.Tools 1.0.0-preview2-final does not support framework .NETFramework,Version=v4.5.2.

Are there plans to add .NetFramework support for SecretManager?
The other Microsoft.Extensions.Logging and Microsoft.Extensions.Configuration packages have.

Thanks

Donal

Slightly related #62.

Since project.json is going away, we'll need to resolve this soon.

@glennc @davidfowl @natemcmaster @Tratcher

Though configuration files (and therefore secrets.json files) support the full breadth of JSON syntax, dotnet user-secrets does not. Comments are correctly ignored but that's it.

dotnet user-secrets list

When the secrets.json file contains

{
  "L1": {
    // This is a supported comment.
    "Dictionary": {
      "k1": "v1",
      "k2": 425,
      "ă2": "ő23"
    }
  }
}

Results in

info: L1 = {
  "Dictionary": {
    "k1": "v1",
    "k2": 425,
    "ă2": "ő23"
  }
}

The configuration framework would treat the above identically to

{
  "L1:Dictionary:k1": "v1",
  "L1:Dictionary:k2": 425,
  "L1:Dictionary:ă2": "ő23"
}

Similarly, with the original secrets.json file, dotnet user-secrets remove L1:Dictionary finds nothing to remove and dotnet user-secrets set L1:Dictionary Fred creates a new, separate key named L1:Dictionary.

ConfigurationBuilder extension method AddUserSecrets should have an overloaded version with additional Optional(boolean) parameter. This param should be propagated to AddJsonFile method. Without it it's almost impossible to debug any issues related with the incorrect path to secrets file. I recently had an issue with application redirecting %AppData% to C:\Windows\system32\config\systemprofile\AppData\Roaming instead of C:\Users\MyUsername\AppData\Roaming and I actually had to get the code from git and manually debug it in order to find out that secrets.json has not been found.

Currently it is just for developing, in production key/value still has to be read from somewhere, which is a hell lot of work and burden. Also the following code is confusing: what? No secret in production environment? production environment is less important?
if (env.IsEnvironment("Development"))
{
cfgbuilder.AddUserSecrets();
}

So I think Secrets tool should be extended to handle production as follows: During project building, Secrets tool loads key/value from its store and plugs them into according configuration file.
For a total solution example:

1. User creates appsettings.json has the following section:
   "AppSettings": {
   "SiteTitle": "ZaxiTech"
   }
2. User adds appsettings.json.
   .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
3. Users adds key/value and its mapping path.
   dotnet user-secrets AppSettings.SiteTitle = ZaxiTech_123.

Key/value: AppSettings.SiteTitle = ZaxiTech_123
Mapping path: AppSettings.SiteTitle

1. In project.json:
   "scripts": {
   "prebuild": [“dotnet user-secrets apply appsettings.json”],
   }

During building, the Secret Tool replaces value of AppSettings.SiteTitle in appsettings.json.
And the result appsettings.json (to be run or published) will be:
"AppSettings": {
"SiteTitle": "ZaxiTech_123"
}

So source control sees "SiteTitle"="ZaxiTech"; but in runtime, it is "SiteTitle"= " ZaxiTech_123"

I hope this gets added to next build and makes asp.net a little easier to use.

https://github.com/aspnet/UserSecrets/blob/dev/src/SecretManager/project.json#L13

It needs to read userSecretsId from the project.json. We should find a different way to publish this value.

C:\git\Universe\Security\samples\SocialSample\bin\Debug\dnx451>SocialSample.exe
Application startup exception: System.InvalidOperationException: Unable to locate a project.json at 'C:\git\Universe\
Security\samples\SocialSample\bin\Debug\dnx451\project.json'.
   at Microsoft.Extensions.Configuration.UserSecrets.PathHelper.GetSecretsPath(String projectPath)
   at Microsoft.Extensions.Configuration.ConfigurationExtensions.AddUserSecrets(IConfigurationBuilder configuration)
   at SocialSample.Startup..ctor() in C:\git\Universe\Security\samples\SocialSample\Startup.cs:line 35
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.Extensions.DependencyInjection.ActivatorUtilities.ConstructorMatcher.CreateInstance(IServiceProvider
provider)
   at Microsoft.Extensions.DependencyInjection.ActivatorUtilities.GetServiceOrCreateInstance(IServiceProvider provide
r, Type type)
   at Microsoft.AspNetCore.Hosting.Startup.StartupLoader.LoadMethods(Type startupType, IList`1 diagnosticMessages)
   at Microsoft.AspNetCore.Hosting.Internal.WebHost.EnsureStartup()
   at Microsoft.AspNetCore.Hosting.Internal.WebHost.EnsureApplicationServices()
   at Microsoft.AspNetCore.Hosting.Internal.WebHost.BuildApplication()

From @dougbu on May 12, 2016 18:18

Steps to reproduce

1. Open VS in an existing .NET Core web project
2. Open the project.json file
3. Attempt to add the userSecretsId property

Expected behavior

• A suggestion once I've typed u for the property name.
• Addition of double quotes around the value once I've typed the : between name and value.

Actual behavior

Nope, no help at all.

Environment data

dotnet --info output:

.NET Command Line Tools (1.0.0-preview1-002700)

Product Information:
 Version:     1.0.0-preview1-002700
 Commit Sha:  0336f6bb34

Runtime Environment:
 OS Name:     Windows
 OS Version:  6.3.9600
 OS Platform: Windows
 RID:         win81-x64

Copied from original issue: dotnet/cli#3014

Not sure if this is in the cards, but a thought that came to mind would be to have an artifact generated on build that shipped when publishing a project.

I'm thinking of the situation where you have a number of variables defined and stored in secrets, these may not be evident/exposed without some digging into code.

So back to the idea: use an overload of the list command (or an export command?) as part of build to dump a JSON file to the output directory. If Kudu then picked up that artifact on deployment, it could then create placeholder values in the web app. Of course, if stored as JSON, any deployment script could read it and configure the hosting environment.

Maybe this isn't the right project for this, but it should be the right set of eyeballs. :)

When using secret manager it's not clear what version you are using. The only way to find out at the moment is to edit c:\users\%userprofile%\.dnx\bin\user-secret.cmd.

Recommendation: user-secret -h should display the version of the utility.

cc @blowdart @Eilon

Trying to use SecretManager with beta7. It reports installing perfectly, but when running I get the following error. @davidfowl said the package was renamed to something else and I assume that's why it's failing.

PM> dnu commands install secretmanager
***Good to go***

PM> user-secret -h
user-secret.cmd : System.IO.FileNotFoundException: Could not load file or assembly 'Microsoft.Framework.ApplicationHost' or one of its dependencies. The system cannot find the file specified.
At line:1 char:1
+ user-secret.cmd
+ ~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (System.IO.FileN...file specified.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

File name: 'Microsoft.Framework.ApplicationHost'
   at System.Reflection.Runtime
Assembly._nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, RuntimeAssembly locationHint, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean throwOnFileNotFound, Boolean forIntrospection, Boolean suppressSecurityChecks)
   at System.Reflection.RuntimeAssembly.nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, RuntimeAssembly locationHint, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean throwOnFileNotFound, Boolean forIntrospection, Boolean 
suppressSecurityChecks)
   at System.Reflection.RuntimeAssembly.InternalLoadAssemblyName(AssemblyName assemblyRef, Evidence assemblySecurity, RuntimeAssembly reqAssembly, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean throwOnFileNotFound, Boolean forIntrospection, 
Boolean suppressSecurityChecks)
   at System.Reflection.Assembly.Load(AssemblyName assemblyRef)
   at Microsoft.Dnx.Runtime.Loader.LoadContext.Load(AssemblyName assemblyName)
   at Microsoft.Dnx.Host.Bootstrapper.RunAsync(List`1 args, IRuntimeEnvironment env, FrameworkName targetFramework)
   at Microsoft.Dnx.Host.RuntimeBootstrapper.ExecuteAsync(String[] args, FrameworkName targetFramework)
   at Microsoft.Dnx.Host.RuntimeBootstrapper.Execute(String[] args, FrameworkName targetFramework)

WRN: Assembly binding logging is turned OFF.
To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1.
Note: There is some performance penalty associated with assembly bind failure logging.
To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].

For example the command dotnet user-secrets set '"""' '"""' sets a key named " to the value ". The key and value are escaped correctly in the secrets.json file. But what happened to the other quotes?

Similarly

• dotnet user-secrets set '"quoted"' '"quoted"' sets a key named quoted to the value quoted -- no surrounding quotes
• dotnet user-secrets set 'is "quote"d' 'is "quote"d' sets a key named is quoted to the value is quoted
• dotnet user-secrets set '"' '"' sets a key named to the valuenull.

Haven't tried every possible character but suspect this issue is specific to double quotes. For example dotnet user-secrets set '[23]' '{ "joe": "jones" }' doesn't mess up the braces or brackets. That sets a key named [23] to the value { joe: jones }.

We should throw a better error message .
Two customers confirm this.
I can confirm that the same code on Mac/vscode work but on Windows/vscode it doesn't.

From: Daniel Roth
Any idea what could be going on with this customer reported issue with VSCode and user secrets?:

I have a project setup to use secret and if I run the project in VS15 or cmd using "dnx web" work but if I run it from VSCode Command Palette -> dnx:Run Command -> dnx web I get the following error:

Application startup exception: System.ArgumentNullException: Value cannot be null.
Parameter name: paths
at System.IO.Path.Combine(String[] paths)
at Microsoft.Extensions.Configuration.UserSecrets.PathHelper.GetSecretsPathFromSecretsId(String userSecretsId)
at Microsoft.Extensions.Configuration.ConfigurationExtensions.AddUserSecrets(IConfigurationBuilder configuration)
at aspnet.Startup..ctor(IHostingEnvironment env) in c:\Users\rspaulino\Documents\vscodeprojects\aspnet\Startup.cs:lin
e 23
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.Extensions.DependencyInjection.ActivatorUtilities.ConstructorMatcher.CreateInstance(IServiceProvider pro
vider)
at Microsoft.Extensions.DependencyInjection.ActivatorUtilities.CreateInstance(IServiceProvider provider, Type instanc
eType, Object[] parameters)
at Microsoft.AspNet.Hosting.Startup.StartupLoader.LoadMethods(Type startupType, IList`1 diagnosticMessages)
at Microsoft.AspNet.Hosting.Internal.HostingEngine.EnsureStartup()
at Microsoft.AspNet.Hosting.Internal.HostingEngine.BuildApplication()
Hosting environment: Development
Now listening on: http://localhost:5000
Application started. Press Ctrl+C to shut down.

From: Glenn Condron
Environment.GetEnvironmentVariable("APPDATA”) is null for some reason?

See: https://github.com/aspnet/UserSecrets/blob/dev/src/Microsoft.Extensions.Configuration.UserSecrets/PathHelper.cs#L61

Need to rename assemblies and namespaces from Microsoft.Framework.* to Microsoft.Extensions.*.

Once the change is committed, please post an issue in the https://github.com/aspnet/Announcements/issues/ repo that links back to this issue.

see aspnet/Configuration#295, aspnet/Templates#269

public static class ConfigurationExtensions
    {
        /// <summary>
        /// Adds the user secrets configuration source.
        /// </summary>
        /// <param name="configuration"></param>
        /// <returns></returns>
        public static IConfigurationBuilder AddUserSecrets(this IConfigurationBuilder configuration)
        {
            if (configuration == null)
            {
                throw new ArgumentNullException(nameof(configuration));
            }

            if (string.IsNullOrEmpty(configuration.GetBasePath()))
            {
                throw new InvalidOperationException(Resources.FormatError_MissingBasePath(
                    configuration.GetBasePath(),
                    typeof(IConfigurationBuilder).Name,
                    "BasePath"));
            }

            var secretPath = PathHelper.GetSecretsPath(configuration.GetBasePath());
            return configuration.AddJsonFile(secretPath, optional: true);
        }

I stumbled upon the answer to the first of a series of problems I've been encountered when following the http://docs.asp.net/en/latest/security/sociallogins.html tutorial.

After using the information I found here: #15 to solve the first problem, I'm now encountered a second problem where I get a critical error message reading Command failed : Missing 'userSecretsId' (see image below) when I runt he command user-secret set Authentication:Facebook:AppId XXXXXX.

Is this an issue that is related to UserSecrets?

This is a DNX command, not an ASP.NET 5 tool. The description should be updated.

When you try to use user-secret on a new project it fails with:
critical: Command failed : Missing 'userSecretsId' in 'C:\git\Universe\Security\samples\JwtBearerSample\project.json'

There should be an init command to generate the userSecretsId in the project.json.

Moved from aspnet/Configuration#163

Create a new project with work and school account authentication using Microsoft AD.
In the project folder, run

AuthTest\src\AuthTest>dotnet user-secrets list
info: Authentication = {
  "AzureAd": {
    "ClientSecret": "secretmodified"
  }
}

Now try to set the value for the ClientSecret

AuthTest\src\AuthTest>dotnet user-secrets set Authentication:AzureAd:ClientSecret="AJKHAFU*(@&JKLAS"
info: Successfully saved Authentication:AzureAd:ClientSecret=AJKHAFU*(@&JKLAS =  to the secret store.

Try to list the value:

AuthTest\src\AuthTest>dotnet user-secrets list
info: Authentication = {
  "AzureAd": {
    "ClientSecret": "secretmodified"
  }
}
info: Authentication:AzureAd:ClientSecret=AJKHAFU*(@&JKLAS =

The tool needs to handle CRUD in a consistent way.

I would like to use the CommandOutputLogger for the global command that I have in SqlServer distributed cache package.

Should we move this logger out to some common location so that other packages can use it?
/cc: @Eilon @davidfowl

Before recent changes on Configuration to use FileProviders the UserSecrets provider was relying on the SetBasePath()/GetBasePath() mechanism in the ConfigurationBuilder to find the project.json file from which to extract the secretsId.

@HaoK and I believe that the approach only worked accidentally and in #68 we have moved to a SetProjectPath()/GetProjectPath() couple of extension methods defined by UserSecrets so that the tests that took advantage of this could still pass.

I have created this issue to give UserSecrets owners the heads up so that they can decide if they want to rely on this mechanism or do something else (e.g. change/remove those tests, create different overloads of AddUserSecrets(), etc.

Discussion of aspnet/Announcements#64

It'd be good to have some guidance on how to use secret-manager when deploying an ASP.NET 5 application or how you envision secrets.json to be deployed from a staging environment to a production environment.

It's very common for developers to use full IIS locally on their dev machines because it more closely resembles a real server than IIS Express. However, IIS runs as a different user so it won't pick up the user secrets configured with an application. This is similar to how environment variables need to be set machine wide rather than for for a specific user.

Does there need to be a way to read/set user-secrets for another user, or machine wide?

I am using gulp-azure-storage and was using an additional file at the solution level, "secrets.json" which contained the storage connection string to storage. This allowed me to publish static files to a CDN in azure during the build of my static files. Using the file in my %appdata% directory is long and cumbersome. Can we change the location of the secrets file? Also it would be nice to change the name to something that closer matches the xproj name, if we have changed the xproj name. Here is a reference to my project. MyWebTemplate

I have added "Microsoft.Extensions.SecretManager.Tools": "1.0.0-preview2-final" in project.json
Whenever I am trying to dotnet user-secrets -h
I am getting this reply : �[1m�[31mNo executable found matching command "dotnet-user-secrets"�[39m�[22m in the console

I am following the instructions here:
http://docs.asp.net/en/latest/security/sociallogins.html

• I start the VS 2015 Developer Command Prompt in Administrator Mode:
• Open a Command Prompt and navigate to the folder of project.json for your project.
• Use DNVM (.NET Version Manager) to set a runtime version by running:
  • dnvm use 1.0.0-beta4
• Install the SecretManager tool using DNU (Microsoft .NET Development Utility) by running:
  • dnu commands install SecretManager
• Set the Facebook AppId by running:
  • user-secret set Authentication:Facebook:AppId 862373430475128

At this point I get an exception: NullReferenceException

C:\Projects\Test\AspNet5\TestWepApp\src\TestWepApp>user-secret help
System.NullReferenceException: Object reference not set to an instance of an obj
ect.
at SecretManager.CommandOutputProvider..ctor(IRuntimeEnvironment runtimeEnv)
at SecretManager.Program..ctor(IRuntimeEnvironment runtimeEnv)

Console log below:

C:\Windows\system32>cd C:\Projects\Test\AspNet5\TestWepApp\src\TestWepApp

C:\Projects\Test\AspNet5\TestWepApp\src\TestWepApp>dnvm use 1.0.0-beta4
Adding C:\Users\...\.dnx\runtimes\dnx-clr-win-x86.1.0.0-beta4\bin to pr
ocess PATH

C:\Projects\Test\AspNet5\TestWepApp\src\TestWepApp>dnvm list

Active Version     Runtime Architecture Location                            Ali
                                                                            as
------ -------     ------- ------------ --------                            ---
       1.0.0-beta4 clr     x64          C:\Users\...\.dnx\runtimes
  *    1.0.0-beta4 clr     x86          C:\Users\...\.dnx\runtimes def
       1.0.0-beta4 coreclr x64          C:\Users\...\.dnx\runtimes
       1.0.0-beta4 coreclr x86          C:\Users\...\.dnx\runtimes



C:\Projects\Test\AspNet5\TestWepApp\src\TestWepApp>dnu commands install SecretMa
nager
  CACHE https://www.nuget.org/api/v2/FindPackagesById()?Id='SecretManager'
Restoring packages for C:\Users\...\.dnx\bin\packages\b35711727c404fd08
07f649dd45c8975\project.json
Writing lock file C:\Users\...\.dnx\bin\packages\b35711727c404fd0807f64
9dd45c8975\project.lock.json
Restore complete, 325ms elapsed
Restoring packages for C:\Users\...\.dnx\bin\packages\SecretManager\1.0
.0-beta5\app\project.json
  CACHE https://www.nuget.org/api/v2/FindPackagesById()?Id='System.Console'
Writing lock file C:\Users\...\.dnx\bin\packages\SecretManager\1.0.0-be
ta5\app\project.lock.json
Restore complete, 484ms elapsed
The following commands were installed: user-secret

C:\Projects\Test\AspNet5\TestWepApp\src\TestWepApp>user-secret help
System.NullReferenceException: Object reference not set to an instance of an obj
ect.
   at SecretManager.CommandOutputProvider..ctor(IRuntimeEnvironment runtimeEnv)
   at SecretManager.Program..ctor(IRuntimeEnvironment runtimeEnv)

C:\Projects\Test\AspNet5\TestWepApp\src\TestWepApp>user-secret ?
System.NullReferenceException: Object reference not set to an instance of an obj
ect.
   at SecretManager.CommandOutputProvider..ctor(IRuntimeEnvironment runtimeEnv)
   at SecretManager.Program..ctor(IRuntimeEnvironment runtimeEnv)

C:\Projects\Test\AspNet5\TestWepApp\src\TestWepApp>user-secret
System.NullReferenceException: Object reference not set to an instance of an obj
ect.
   at SecretManager.CommandOutputProvider..ctor(IRuntimeEnvironment runtimeEnv)
   at SecretManager.Program..ctor(IRuntimeEnvironment runtimeEnv)

C:\Projects\Test\AspNet5\TestWepApp\src\TestWepApp>user-secret set
System.NullReferenceException: Object reference not set to an instance of an obj
ect.
   at SecretManager.CommandOutputProvider..ctor(IRuntimeEnvironment runtimeEnv)
   at SecretManager.Program..ctor(IRuntimeEnvironment runtimeEnv)

C:\Projects\Test\AspNet5\TestWepApp\src\TestWepApp>

I'm attempting to install SecretManager via the following command line with dnu` v1.0.0-beta5-11566:

dnu commands install SecretManager

However the install fails, referencing an error in the SecretManager project.json:

PS C:\Projects\diva-focus> dnu commands uninstall SecretManager
SecretManager command is not installed.
PS C:\Projects\diva-focus> dnu commands install SecretManager
  CACHE https://www.nuget.org/api/v2/FindPackagesById()?Id='SecretManager'
Restoring packages for C:\Users\Matt Dwen\.dnx\bin\packages\7aa68819f2a0433d874c2922bdccf39b\project.json
Writing lock file C:\Users\Matt Dwen\.dnx\bin\packages\7aa68819f2a0433d874c2922bdccf39b\project.lock.json
Restore complete, 238ms elapsed
Restoring packages for C:\Users\Matt Dwen\.dnx\bin\packages\SecretManager\1.0.0-beta4\app\project.json
  CACHE https://www.nuget.org/api/v2/FindPackagesById()?Id='SecretManager'
  CACHE https://www.nuget.org/api/v2/FindPackagesById()?Id='System.Console'
Unable to locate SecretManager >= 1.0.0-beta4-10173
Writing lock file C:\Users\Matt Dwen\.dnx\bin\packages\SecretManager\1.0.0-beta4\app\project.lock.json
Restore complete, 149ms elapsed
Errors in C:\Users\Matt Dwen\.dnx\bin\packages\SecretManager\1.0.0-beta4\app\project.json
    Unable to locate SecretManager >= 1.0.0-beta4-10173

The package ends up inside C:\Users\Matt Dwen\.dnx\bin\packages\SecretManager\1.0.0-beta4 but attempting to execute user-secret results in a PowerShell ObjectNotFound dump.

It seems odd to me that installing SecretManager enables the user-secrets command. I think the command should be named a little differently. Also, user-secrets is exteremly generic... I'd prefer something like aspnet-secrets or dnx-secrets.

I really like aspnet-secrets as a prelude to possibly introducing a more generic aspnet command that behaves like git (where git foo is just rewritten as a call to git-foo). Then the command would (eventually) be something more like aspnet secrets set, etc.

I'm missing a simple way to generate cryptographic keys (using CSPRNG, various lengths and encoding). I'm willing to write one, but I'm not sure where it belongs

The wiki page asks for more generators:

No other generators yet, but if you have one that works feel free to send a PR to add it to this list.
However, I am unable to find out how to write generators, where's the extensibility point. Can someone please point me somewhere?

Or, maybe the better idea is to generate the keys in the user-secret utility? Add new command with them?

1. It isn't clear why we need the --project option at all. The dotnet user-secrets command must be executed in a project directory with Microsoft.Extensions.SecretManager.Tools fully configured.
2. If this option is needed, it should support relative paths. That would at least be useful in corner cases where user secrets are used in a group of projects but only one has the tool configured.
3. dotnet user-secrets list --project $pwd/../../src/UserSecrets.work is ugly as sin.
4. What is the parameter named root?

For example

dotnet user-secrets list --project ../../src/UserSecrets.work

Results in

critical: Command failed : The path must be absolute.
Parameter name: root

Have this

            var builder = new ConfigurationBuilder(appEnv.ApplicationBasePath)
                .AddJsonFile("config.json")
                .AddJsonFile($"config.{env.EnvironmentName}.json", optional: true)
                .AddEnvironmentVariables();
                .AddUserSecrets();
            Configuration = builder.Build();

And get error

The name 'AddUserSecrets' does not exist in the current context

Based on the discussion with @DamianEdwards @glennc @davidfowl and others today, the UserSecrets configuration provider should read project.json from the same location used for configuration files, i.e. it should use the IFileProvider obtained from configurationBuilder.GetFileProvider() to read the file.

In addition, if the project.json file is not found it shouldn't fail.

@muratg we need someone to make this change for RC2.

I have in my test project

    public Startup(IHostingEnvironment env, IApplicationEnvironment appEnv)
    {
        var builder = new ConfigurationBuilder(appEnv.ApplicationBasePath)
            .AddJsonFile("config.json")
            .AddJsonFile($"config.{env.EnvironmentName}.json", optional: true)
            .AddEnvironmentVariables()
            .AddUserSecrets();
        Configuration = builder.Build();
    }

but I see others use:

    public Startup(IHostingEnvironment env, IApplicationEnvironment appEnv)
    {
        var builder = new ConfigurationBuilder(appEnv.ApplicationBasePath)
            .AddJsonFile("config.json")
            .AddJsonFile($"config.{env.EnvironmentName}.json", optional: true)
            .AddEnvironmentVariables();
        if (env.EnvironmentName =="Development" )
        {
            builder.AddUserSecrets();
        }
        Configuration = builder.Build();
    }

So I'm curious if there is a good rationale for doing the later with the conditional.