End to End TLS SSL step #7 - Add support for user-assigned managed identity (Azure#17015)

mnriem · web-flow · commit c32f09cd71db · 2020-11-05T17:03:07.000+08:00
diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/AuthClient.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/AuthClient.java
@@ -3,12 +3,13 @@
 
 package com.azure.security.keyvault.jca;
 
-import com.azure.security.keyvault.jca.rest.OAuthToken;
+import com.azure.security.keyvault.jca.model.OAuthToken;
 
 import java.util.HashMap;
 import java.util.logging.Logger;
 
 import static java.util.logging.Level.FINER;
+import static java.util.logging.Level.INFO;
 
 /**
  * The REST client specific to getting an access token for Azure REST APIs.
@@ -71,16 +72,17 @@ class AuthClient extends DelegateRestClient {
      * Get an access token for a managed identity.
      *
      * @param resource the resource.
+     * @param identity the user-assigned identity (null if system-assigned)
      * @return the authorization token.
      */
-    public String getAccessToken(String resource) {
+    public String getAccessToken(String resource, String identity) {
         String result;
 
         if (System.getenv("WEBSITE_SITE_NAME") != null
             && !System.getenv("WEBSITE_SITE_NAME").isEmpty()) {
-            result = getAccessTokenOnAppService(resource);
+            result = getAccessTokenOnAppService(resource, identity);
         } else {
-            result = getAccessTokenOnOthers(resource);
+            result = getAccessTokenOnOthers(resource, identity);
         }
         return result;
     }
@@ -126,17 +128,25 @@ public String getAccessToken(String resource, String tenantId,
      * Get the access token on Azure App Service.
      *
      * @param resource the resource.
+     * @param identity the user-assigned identity (null if system-assigned).
      * @return the authorization token.
      */
-    private String getAccessTokenOnAppService(String resource) {
+    private String getAccessTokenOnAppService(String resource, String identity) {
         LOGGER.entering("AuthClient", "getAccessTokenOnAppService", resource);
         LOGGER.info("Getting access token using managed identity based on MSI_SECRET");
+        if (identity != null) {
+            LOGGER.log(INFO, "Using managed identity with object ID: {0}", identity);
+        }
         String result = null;
 
         StringBuilder url = new StringBuilder();
         url.append(System.getenv("MSI_ENDPOINT"))
            .append("?api-version=2017-09-01")
            .append(RESOURCE_FRAGMENT).append(resource);
+        
+        if (identity != null) {
+            url.append("&objectid=").append(identity);
+        }
 
         HashMap<String, String> headers = new HashMap<>();
         headers.put("Metadata", "true");
@@ -156,16 +166,25 @@ private String getAccessTokenOnAppService(String resource) {
      * Get the authorization token on everything else but Azure App Service.
      *
      * @param resource the resource.
+     * @param identity the user-assigned identity (null if system-assigned).
      * @return the authorization token.
      */
-    private String getAccessTokenOnOthers(String resource) {
+    private String getAccessTokenOnOthers(String resource, String identity) {
         LOGGER.entering("AuthClient", "getAccessTokenOnOthers", resource);
         LOGGER.info("Getting access token using managed identity");
+        if (identity != null) {
+            LOGGER.log(INFO, "Using managed identity with object ID: {0}", identity);
+        }
+        
         String result = null;
 
         StringBuilder url = new StringBuilder();
         url.append(OAUTH2_MANAGED_IDENTITY_TOKEN_URL)
            .append(RESOURCE_FRAGMENT).append(resource);
+        
+        if (identity != null) {
+            url.append("&object_id=").append(identity);
+        }
 
         HashMap<String, String> headers = new HashMap<>();
         headers.put("Metadata", "true");
diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultClient.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultClient.java
@@ -2,12 +2,12 @@
 // Licensed under the MIT License.
 package com.azure.security.keyvault.jca;
 
-import com.azure.security.keyvault.jca.rest.CertificateBundle;
-import com.azure.security.keyvault.jca.rest.CertificateItem;
-import com.azure.security.keyvault.jca.rest.CertificateListResult;
-import com.azure.security.keyvault.jca.rest.CertificatePolicy;
-import com.azure.security.keyvault.jca.rest.KeyProperties;
-import com.azure.security.keyvault.jca.rest.SecretBundle;
+import com.azure.security.keyvault.jca.model.CertificateBundle;
+import com.azure.security.keyvault.jca.model.CertificateItem;
+import com.azure.security.keyvault.jca.model.CertificateListResult;
+import com.azure.security.keyvault.jca.model.CertificatePolicy;
+import com.azure.security.keyvault.jca.model.KeyProperties;
+import com.azure.security.keyvault.jca.model.SecretBundle;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -67,6 +67,12 @@ class KeyVaultClient extends DelegateRestClient {
      */
     private String clientSecret;
 
+    /**
+     * Stores the managed identity (either the user-assigned managed identity
+     * object ID or null if system-assigned)
+     */
+    private String managedIdentity;
+
     /**
      * Constructor.
      *
@@ -81,6 +87,22 @@ class KeyVaultClient extends DelegateRestClient {
         this.keyVaultUrl = keyVaultUri;
     }
 
+    /**
+     * Constructor.
+     *
+     * @param keyVaultUri the Azure Key Vault URI.
+     * @param managedIdentity the managed identity object ID.
+     */
+    KeyVaultClient(String keyVaultUri, String managedIdentity) {
+        super(RestClientFactory.createClient());
+        LOGGER.log(INFO, "Using Azure Key Vault: {0}", keyVaultUri);
+        if (!keyVaultUri.endsWith("/")) {
+            keyVaultUri = keyVaultUri + "/";
+        }
+        this.keyVaultUrl = keyVaultUri;
+        this.managedIdentity = managedIdentity;
+    }
+
     /**
      * Constructor.
      *
@@ -106,11 +128,16 @@ private String getAccessToken() {
         String accessToken = null;
         try {
             AuthClient authClient = new AuthClient();
+
             String resource = URLEncoder.encode("https://vault.azure.net", "UTF-8");
+            if (managedIdentity != null) {
+                managedIdentity = URLEncoder.encode(managedIdentity, "UTF-8");
+            }
+
             if (tenantId != null && clientId != null && clientSecret != null) {
                 accessToken = authClient.getAccessToken(resource, tenantId, clientId, clientSecret);
             } else {
-                accessToken = authClient.getAccessToken(resource);
+                accessToken = authClient.getAccessToken(resource, managedIdentity);
             }
         } catch (UnsupportedEncodingException uee) {
             LOGGER.log(WARNING, "Unsupported encoding", uee);
@@ -235,13 +262,12 @@ Key getKey(String alias, char[] password) {
                 }
             }
         }
-        
+
         // 
         // If the private key is not available the certificate cannot be
         // used for server side certificates or mTLS. Then we do not know
         // the intent of the usage at this stage we skip this key.
         //
-
         LOGGER.exiting("KeyVaultClient", "getKey", key);
         return key;
     }
diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java
@@ -73,8 +73,9 @@ public final class KeyVaultKeyStore extends KeyStoreSpi {
      * The constructor uses System.getProperty for
      * <code>azure.keyvault.uri</code>, <code>azure.keyvault.tenantId</code>,
      * <code>azure.keyvault.clientId</code>,
-     * <code>azure.keyvault.clientSecret</code> to initialize the keyvault
-     * client.
+     * <code>azure.keyvault.clientSecret</code> and
+     * <code>azure.keyvault.userAssignedIdentity</code> to initialize the
+     * keyvault client.
      * </p>
      */
     public KeyVaultKeyStore() {
@@ -83,7 +84,12 @@ public KeyVaultKeyStore() {
         String tenantId = System.getProperty("azure.keyvault.tenantId");
         String clientId = System.getProperty("azure.keyvault.clientId");
         String clientSecret = System.getProperty("azure.keyvault.clientSecret");
-        keyVaultClient = new KeyVaultClient(keyVaultUri, tenantId, clientId, clientSecret);
+        String managedIdentity = System.getProperty("azure.keyvault.managedIdentity");
+        if (clientId != null) {
+            keyVaultClient = new KeyVaultClient(keyVaultUri, tenantId, clientId, clientSecret);
+        } else {
+            keyVaultClient = new KeyVaultClient(keyVaultUri, managedIdentity);
+        }
     }
 
     @Override
@@ -198,11 +204,20 @@ public boolean engineIsKeyEntry(String alias) {
     public void engineLoad(KeyStore.LoadStoreParameter param) {
         if (param instanceof KeyVaultLoadStoreParameter) {
             KeyVaultLoadStoreParameter parameter = (KeyVaultLoadStoreParameter) param;
-            keyVaultClient = new KeyVaultClient(
-                    parameter.getUri(),
-                    parameter.getTenantId(),
-                    parameter.getClientId(),
-                    parameter.getClientSecret());
+            if (parameter.getClientId() != null) {
+                keyVaultClient = new KeyVaultClient(
+                        parameter.getUri(),
+                        parameter.getTenantId(),
+                        parameter.getClientId(),
+                        parameter.getClientSecret());
+            } else if (parameter.getUserAssignedIdentity() != null) {
+                keyVaultClient = new KeyVaultClient(
+                        parameter.getUri(),
+                        parameter.getUserAssignedIdentity()
+                );
+            } else {
+                keyVaultClient = new KeyVaultClient(parameter.getUri());
+            }
         }
         sideLoad();
     }
diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultLoadStoreParameter.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultLoadStoreParameter.java
@@ -29,6 +29,11 @@ public class KeyVaultLoadStoreParameter implements KeyStore.LoadStoreParameter {
      * Stores the client secret.
      */
     private final String clientSecret;
+    
+    /**
+     * Stores the user-assigned identity.
+     */
+    private final String userAssignedIdentity;
 
     /**
      * Constructor.
@@ -43,8 +48,36 @@ public KeyVaultLoadStoreParameter(String uri, String tenantId, String clientId,
         this.tenantId = tenantId;
         this.clientId = clientId;
         this.clientSecret = clientSecret;
+        this.userAssignedIdentity = null;
     }
 
+    /**
+     * Constructor.
+     *
+     * @param uri the Azure Key Vault URI.
+     * @param userAssignedIdentity the user-assigned identity.
+     */
+    public KeyVaultLoadStoreParameter(String uri, String userAssignedIdentity) {
+        this.uri = uri;
+        this.tenantId = null;
+        this.clientId = null;
+        this.clientSecret = null;
+        this.userAssignedIdentity = userAssignedIdentity;
+    }
+
+    /**
+     * Constructor.
+     *
+     * @param uri the Azure Key Vault URI.
+     */
+    public KeyVaultLoadStoreParameter(String uri) {
+        this.uri = uri;
+        this.tenantId = null;
+        this.clientId = null;
+        this.clientSecret = null;
+        this.userAssignedIdentity = null;
+    }
+    
     /**
      * Get the protection parameter.
      *
@@ -90,4 +123,13 @@ public String getTenantId() {
     public String getUri() {
         return uri;
     }
+
+    /**
+     * Get the user-assigned identity.
+     * 
+     * @return the user-assign identity.
+     */
+    public String getUserAssignedIdentity() {
+        return userAssignedIdentity;
+    }
 }
diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/model/CertificateBundle.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/model/CertificateBundle.java
@@ -1,7 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-package com.azure.security.keyvault.jca.rest;
+package com.azure.security.keyvault.jca.model;
 
 import java.io.Serializable;
 
diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/model/CertificateItem.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/model/CertificateItem.java
@@ -1,7 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-package com.azure.security.keyvault.jca.rest;
+package com.azure.security.keyvault.jca.model;
 
 import java.io.Serializable;
 
diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/model/CertificateListResult.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/model/CertificateListResult.java
@@ -1,7 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-package com.azure.security.keyvault.jca.rest;
+package com.azure.security.keyvault.jca.model;
 
 import java.io.Serializable;
 import java.util.List;
diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/model/CertificatePolicy.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/model/CertificatePolicy.java
@@ -1,7 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-package com.azure.security.keyvault.jca.rest;
+package com.azure.security.keyvault.jca.model;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.io.Serializable;
diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/model/KeyProperties.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/model/KeyProperties.java
@@ -1,7 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-package com.azure.security.keyvault.jca.rest;
+package com.azure.security.keyvault.jca.model;
 
 import java.io.Serializable;
 
diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/model/OAuthToken.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/model/OAuthToken.java
@@ -1,6 +1,6 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
-package com.azure.security.keyvault.jca.rest;
+package com.azure.security.keyvault.jca.model;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
 import java.io.Serializable;
diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/model/SecretBundle.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/model/SecretBundle.java
@@ -1,7 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-package com.azure.security.keyvault.jca.rest;
+package com.azure.security.keyvault.jca.model;
 
 import java.io.Serializable;
 
diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/model/package-info.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/model/package-info.java
@@ -4,4 +4,4 @@
 /**
  * The Azure Key Vault JCA Provider models package.
  */
-package com.azure.security.keyvault.jca.rest;
+package com.azure.security.keyvault.jca.model;
diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/AuthClientTest.java b/sdk/keyvault/azure-security-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/AuthClientTest.java
@@ -16,12 +16,14 @@ public class AuthClientTest {
 
     /**
      * Test getAuthorizationToken method.
+     * 
+     * @throws Exception when a serious error occurs.
      */
     @Test
     public void testGetAuthorizationToken() throws Exception {
-        String tenantId = "72f988bf-86f1-41af-91ab-2d7cd011db47";
-        String clientId = "2b8f123b-b18a-4077-bce0-42e10ce8bbab";
-        String clientSecret = "72-~tZ9~cG~rimDI0EkQSMQ1D9DYmGmI_I";
+        String tenantId = System.getProperty("azure.tenant.id");
+        String clientId = System.getProperty("azure.client.id");
+        String clientSecret = System.getProperty("azure.client.secret");
         AuthClient authClient = new AuthClient();
         String result = authClient.getAccessToken(
             "https://management.azure.com/",
diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/JacksonJsonConverterTest.java b/sdk/keyvault/azure-security-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/JacksonJsonConverterTest.java
@@ -3,7 +3,7 @@
 
 package com.azure.security.keyvault.jca;
 
-import com.azure.security.keyvault.jca.rest.CertificateBundle;
+import com.azure.security.keyvault.jca.model.CertificateBundle;
 import org.junit.jupiter.api.Test;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
diff --git a/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-keyvault-certificates/src/main/resources/application.properties b/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-keyvault-certificates/src/main/resources/application.properties
@@ -18,6 +18,10 @@ azure.keyvault.clientId=${AZURE_KEYVAULT_CLIENT_ID}
 # if you are not using managed identity).
 azure.keyvault.clientSecret=${AZURE_KEYVAULT_CLIENT_SECRET}
 # The server port.
+
+# The user-assigned managed identity object-id to use.
+#azure.keyvault.managedIdentity=
+
 server.port=8443
 # Just for debugging purposes.
 management.endpoints.web.exposure.include=*
diff --git a/sdk/spring/azure-spring-boot-starter-keyvault-certificates/src/main/java/com/azure/spring/security/keyvault/certificates/starter/KeyVaultCertificatesEnvironmentPostProcessor.java b/sdk/spring/azure-spring-boot-starter-keyvault-certificates/src/main/java/com/azure/spring/security/keyvault/certificates/starter/KeyVaultCertificatesEnvironmentPostProcessor.java
