Add Azure Arc MI Support (Azure#17013)

Author: g2vinay

sdk/identity/azure-identity/src/main/java/com/azure/identity/ArcIdentityCredential.java

@@ -0,0 +1,53 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.identity;
+
+import com.azure.core.annotation.Immutable;
+import com.azure.core.credential.AccessToken;
+import com.azure.core.credential.TokenRequestContext;
+import com.azure.core.exception.ClientAuthenticationException;
+import com.azure.core.util.Configuration;
+import com.azure.core.util.logging.ClientLogger;
+import com.azure.identity.implementation.IdentityClient;
+import reactor.core.publisher.Mono;
+
+/**
+ * The Managed Service Identity credential for Azure Arc Service.
+ */
+@Immutable
+class ArcIdentityCredential extends ManagedIdentityServiceCredential {
+    private final String identityEndpoint;
+    private final ClientLogger logger = new ClientLogger(ArcIdentityCredential.class);
+
+    /**
+     * Creates an instance of {@link ArcIdentityCredential}.
+     *
+     * @param clientId The client ID of user assigned or system assigned identity.
+     * @param identityClient The identity client to acquire a token with.
+     */
+    ArcIdentityCredential(String clientId, IdentityClient identityClient) {
+        super(clientId, identityClient, "AZURE ARC IDENTITY ENDPOINT");
+        Configuration configuration = Configuration.getGlobalConfiguration().clone();
+        this.identityEndpoint = configuration.get(Configuration.PROPERTY_IDENTITY_ENDPOINT);
+        if (identityEndpoint != null) {
+            validateEndpointProtocol(this.identityEndpoint, "Identity", logger);
+        }
+    }
+
+    /**
+     * Gets an access token for a token request.
+     *
+     * @param request The details of the token request.
+     * @return A publisher that emits an {@link AccessToken}.
+     */
+    public Mono<AccessToken> authenticate(TokenRequestContext request) {
+        if  (getClientId() == null) {
+            return Mono.error(logger.logExceptionAsError(new ClientAuthenticationException(
+                "User assigned identity is not supported by the Azure Arc Managed Identity Endpoint. To authenticate "
+                    + "with the system assigned identity omit the client id when constructing the"
+                    + " ManagedIdentityCredential.", null)));
+        }
+        return identityClient.authenticateToArcManagedIdentityEndpoint(identityEndpoint, request);
+    }
+}

sdk/identity/azure-identity/src/main/java/com/azure/identity/ManagedIdentityCredential.java

@@ -23,6 +23,7 @@ public final class ManagedIdentityCredential implements TokenCredential {
     private final ManagedIdentityServiceCredential managedIdentityServiceCredential;
     private final ClientLogger logger = new ClientLogger(ManagedIdentityCredential.class);
 
+    static final String PROPERTY_IMDS_ENDPOINT = "IMDS_ENDPOINT";
     static final String PROPERTY_IDENTITY_SERVER_THUMBPRINT = "IDENTITY_SERVER_THUMBPRINT";
 
 
@@ -42,10 +43,12 @@ public final class ManagedIdentityCredential implements TokenCredential {
                 if (configuration.contains(PROPERTY_IDENTITY_SERVER_THUMBPRINT)) {
                     managedIdentityServiceCredential = new ServiceFabricMsiCredential(clientId, identityClient);
                 } else {
-                    managedIdentityServiceCredential = new AppServiceMsiCredential(clientId, identityClient);
+                    managedIdentityServiceCredential = new VirtualMachineMsiCredential(clientId, identityClient);
                 }
+            } else if (configuration.contains(PROPERTY_IMDS_ENDPOINT)) {
+                managedIdentityServiceCredential = new ArcIdentityCredential(clientId, identityClient);
             } else {
-                managedIdentityServiceCredential = null;
+                managedIdentityServiceCredential = new VirtualMachineMsiCredential(clientId, identityClient);
             }
         } else if (configuration.contains(Configuration.PROPERTY_MSI_ENDPOINT)) {
             managedIdentityServiceCredential = new AppServiceMsiCredential(clientId, identityClient);
@@ -68,13 +71,13 @@ public Mono<AccessToken> getToken(TokenRequestContext request) {
         if (managedIdentityServiceCredential == null) {
             return Mono.error(logger.logExceptionAsError(
                 new CredentialUnavailableException("ManagedIdentityCredential authentication unavailable. "
-                                + "The Target Azure platform could not be determined from environment variables.")));
+                   + "The Target Azure platform could not be determined from environment variables.")));
         }
         return managedIdentityServiceCredential.authenticate(request)
-                   .doOnSuccess((t -> logger.info(String.format("Azure Identity => Managed Identity environment: %s",
-                       managedIdentityServiceCredential.getEnvironment()))))
-                   .doOnNext(token -> LoggingUtil.logTokenSuccess(logger, request))
-                   .doOnError(error -> LoggingUtil.logTokenError(logger, request, error));
+            .doOnSuccess((t -> logger.info(String.format("Azure Identity => Managed Identity environment: %s",
+                    managedIdentityServiceCredential.getEnvironment()))))
+            .doOnNext(token -> LoggingUtil.logTokenSuccess(logger, request))
+            .doOnError(error -> LoggingUtil.logTokenError(logger, request, error));
     }
 }
 

sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClient.java

@@ -750,7 +750,101 @@ public Mono<MsalToken> authenticateWithSharedTokenCache(TokenRequestContext requ
 
 
     /**
-     * Asynchronously acquire a token from the App Service Managed Service Identity endpoint.
+     * Asynchronously acquire a token from the Azure Arc Managed Service Identity endpoint.
+     *
+     * @param identityEndpoint the Identity endpoint to acquire token from
+     * @param request the details of the token request
+     * @return a Publisher that emits an AccessToken
+     */
+    public Mono<AccessToken> authenticateToArcManagedIdentityEndpoint(String identityEndpoint,
+                                                                      TokenRequestContext request) {
+        return Mono.fromCallable(() -> {
+            HttpURLConnection connection = null;
+            StringBuilder payload = new StringBuilder();
+            payload.append("resource=");
+            payload.append(URLEncoder.encode(ScopeUtil.scopesToResource(request.getScopes()), "UTF-8"));
+            payload.append("&api-version=");
+            payload.append(URLEncoder.encode("2019-11-01", "UTF-8"));
+
+            URL url = new URL(String.format("%s?%s", identityEndpoint, payload));
+
+
+            String secretKey = null;
+            try {
+                connection = (HttpURLConnection) url.openConnection();
+                connection.setRequestMethod("GET");
+                connection.setRequestProperty("Metadata", "true");
+                connection.connect();
+
+                new Scanner(connection.getInputStream(), "UTF-8").useDelimiter("\\A");
+            } catch (IOException e) {
+                if (connection == null) {
+                    throw logger.logExceptionAsError(new ClientAuthenticationException("Failed to initialize "
+                                                                       + "Http URL connection to the endpoint.",
+                        null, e));
+                }
+                int status = connection.getResponseCode();
+                if (status != 401) {
+                    throw logger.logExceptionAsError(new ClientAuthenticationException(String.format("Expected a 401"
+                         + " Unauthorized response from Azure Arc Managed Identity Endpoint, received: %d", status),
+                        null, e));
+                }
+
+                String realm = connection.getHeaderField("WWW-Authenticate");
+
+                if (realm == null) {
+                    throw logger.logExceptionAsError(new ClientAuthenticationException("Did not receive a value"
+                           + " for WWW-Authenticate header in the response from Azure Arc Managed Identity Endpoint",
+                        null));
+                }
+
+                int separatorIndex = realm.indexOf("=");
+                if (separatorIndex == -1) {
+                    throw logger.logExceptionAsError(new ClientAuthenticationException("Did not receive a correct value"
+                           + " for WWW-Authenticate header in the response from Azure Arc Managed Identity Endpoint",
+                        null));
+                }
+
+                String secretKeyPath = realm.substring(separatorIndex + 1);
+                secretKey = new String(Files.readAllBytes(Paths.get(secretKeyPath)), StandardCharsets.UTF_8);
+
+            } finally {
+                if (connection != null) {
+                    connection.disconnect();
+                }
+            }
+
+
+            if (secretKey == null) {
+                throw logger.logExceptionAsError(new ClientAuthenticationException("Did not receive a secret value"
+                     + " in the response from Azure Arc Managed Identity Endpoint",
+                    null));
+            }
+
+
+            try {
+
+                connection = (HttpURLConnection) url.openConnection();
+                connection.setRequestMethod("GET");
+                connection.setRequestProperty("Authorization", String.format("Basic %s", secretKey));
+                connection.setRequestProperty("Metadata", "true");
+                connection.connect();
+
+                Scanner scanner = new Scanner(connection.getInputStream(), "UTF-8").useDelimiter("\\A");
+                String result = scanner.hasNext() ? scanner.next() : "";
+
+                return SERIALIZER_ADAPTER.deserialize(result, MSIToken.class, SerializerEncoding.JSON);
+
+            } finally {
+                if (connection != null) {
+                    connection.disconnect();
+                }
+            }
+        });
+    }
+
+    /**
+     * Asynchronously acquire a token from the Azure Service Fabric Managed Service Identity endpoint.
      *
      * @param identityEndpoint the Identity endpoint to acquire token from
      * @param identityHeader the identity header to acquire token with
@@ -941,6 +1035,12 @@ public Mono<AccessToken> authenticateToIMDSEndpoint(TokenRequestContext request)
                                     + "Connection to IMDS endpoint cannot be established, "
                                     + e.getMessage() + ".", e));
                     }
+                    if (responseCode == 400) {
+                        throw logger.logExceptionAsError(
+                            new CredentialUnavailableException(
+                                "ManagedIdentityCredential authentication unavailable. "
+                                    + "Connection to IMDS endpoint cannot be established.", null));
+                    }
                     if (responseCode == 410
                             || responseCode == 429
                             || responseCode == 404

sdk/identity/azure-identity/src/test/java/com/azure/identity/ManagedIdentityCredentialTest.java

@@ -67,38 +67,6 @@ public void testMSIEndpoint() throws Exception {
         }
     }
 
-    @Test
-    public void testIdentityEndpoint() throws Exception {
-        Configuration configuration = Configuration.getGlobalConfiguration();
-
-        try {
-            // setup
-            String endpoint = "http://localhost";
-            String secret = "secret";
-            String token1 = "token1";
-            TokenRequestContext request1 = new TokenRequestContext().addScopes("https://management.azure.com");
-            OffsetDateTime expiresAt = OffsetDateTime.now(ZoneOffset.UTC).plusHours(1);
-            configuration.put("IDENTITY_ENDPOINT", endpoint);
-            configuration.put("IDENTITY_HEADER", secret);
-
-            // mock
-            IdentityClient identityClient = PowerMockito.mock(IdentityClient.class);
-            when(identityClient.authenticateToManagedIdentityEndpoint(endpoint, secret, null, null, request1)).thenReturn(TestUtils.getMockAccessToken(token1, expiresAt));
-            PowerMockito.whenNew(IdentityClient.class).withAnyArguments().thenReturn(identityClient);
-
-            // test
-            ManagedIdentityCredential credential = new ManagedIdentityCredentialBuilder().clientId(CLIENT_ID).build();
-            StepVerifier.create(credential.getToken(request1))
-                .expectNextMatches(token -> token1.equals(token.getToken())
-                                                && expiresAt.getSecond() == token.getExpiresAt().getSecond())
-                .verifyComplete();
-        } finally {
-            // clean up
-            configuration.remove("IDENTITY_ENDPOINT");
-            configuration.remove("IDENTITY_HEADER");
-        }
-    }
-
     @Test
     public void testIMDS() throws Exception {
         // setup

sdk/identity/azure-identity/src/test/java/com/azure/identity/implementation/IdentityClientTests.java

@@ -5,6 +5,7 @@
 
 import com.azure.core.credential.AccessToken;
 import com.azure.core.credential.TokenRequestContext;
+import com.azure.core.exception.ClientAuthenticationException;
 import com.azure.core.util.Configuration;
 import com.azure.core.util.logging.ClientLogger;
 import com.azure.identity.implementation.util.CertificateUtil;
@@ -35,6 +36,7 @@
 
 import javax.net.ssl.HttpsURLConnection;
 import java.io.ByteArrayInputStream;
+import java.io.IOException;
 import java.io.InputStream;
 import java.net.HttpURLConnection;
 import java.net.URI;
@@ -260,6 +262,36 @@ public void testValidIdentityEndpointMSICodeFlow() throws Exception {
         Assert.assertEquals(expiresOn.getSecond(), token.getExpiresAt().getSecond());
     }
 
+    @Test (expected = ClientAuthenticationException.class)
+    public void testInValidIdentityEndpointSecretArcCodeFlow() throws Exception {
+        // setup
+        Configuration configuration = Configuration.getGlobalConfiguration();
+        String endpoint = "http://localhost";
+        TokenRequestContext request = new TokenRequestContext().addScopes("https://management.azure.com");
+        configuration.put("IDENTITY_ENDPOINT", endpoint);
+        // mock
+        mockForArcCodeFlow(401);
+
+        // test
+        IdentityClient client = new IdentityClientBuilder().build();
+        client.authenticateToArcManagedIdentityEndpoint(endpoint, request).block();
+    }
+
+    @Test (expected = ClientAuthenticationException.class)
+    public void testInValidIdentityEndpointResponseCodeArcCodeFlow() throws Exception {
+        // setup
+        Configuration configuration = Configuration.getGlobalConfiguration();
+        String endpoint = "http://localhost";
+        TokenRequestContext request = new TokenRequestContext().addScopes("https://management.azure.com");
+        configuration.put("IDENTITY_ENDPOINT", endpoint);
+        // mock
+        mockForArcCodeFlow(200);
+
+        // test
+        IdentityClient client = new IdentityClientBuilder().build();
+        client.authenticateToArcManagedIdentityEndpoint(endpoint, request).block();
+    }
+
     @Test
     public void testValidIMDSCodeFlow() throws Exception {
         // setup
@@ -527,6 +559,18 @@ private void mockForServiceFabricCodeFlow(String tokenJson) throws Exception {
         when(huc.getInputStream()).thenReturn(inputStream);
     }
 
+    private void mockForArcCodeFlow(int responseCode) throws Exception {
+        URL u = PowerMockito.mock(URL.class);
+        whenNew(URL.class).withAnyArguments().thenReturn(u);
+        HttpURLConnection initConnection = PowerMockito.mock(HttpURLConnection.class);
+        when(u.openConnection()).thenReturn(initConnection);
+        PowerMockito.doNothing().when(initConnection).setRequestMethod(anyString());
+        PowerMockito.doNothing().when(initConnection).setRequestProperty(anyString(), anyString());
+        PowerMockito.doNothing().when(initConnection).connect();
+        when(initConnection.getInputStream()).thenThrow(new IOException());
+        when(initConnection.getResponseCode()).thenReturn(responseCode);
+    }
+
     private void mockForIMDSCodeFlow(String tokenJson) throws Exception {
         URL u = PowerMockito.mock(URL.class);
         whenNew(URL.class).withAnyArguments().thenReturn(u);