Add Azure Service Fabric MI Support. (Azure#16810)

Author: g2vinay

sdk/identity/azure-identity/src/main/java/com/azure/identity/AppServiceMsiCredential.java

@@ -15,13 +15,11 @@
  * The Managed Service Identity credential for Azure App Service.
  */
 @Immutable
-class AppServiceMsiCredential {
+class AppServiceMsiCredential extends ManagedIdentityServiceCredential {
     private final String identityEndpoint;
     private final String msiEndpoint;
     private final String msiSecret;
     private final String identityHeader;
-    private final IdentityClient identityClient;
-    private final String clientId;
     private final ClientLogger logger = new ClientLogger(AppServiceMsiCredential.class);
 
     /**
@@ -31,38 +29,20 @@ class AppServiceMsiCredential {
      * @param identityClient The identity client to acquire a token with.
      */
     AppServiceMsiCredential(String clientId, IdentityClient identityClient) {
+        super(clientId, identityClient, "AZURE APP SERVICE MSI/IDENTITY ENDPOINT");
         Configuration configuration = Configuration.getGlobalConfiguration().clone();
         this.identityEndpoint = configuration.get(Configuration.PROPERTY_IDENTITY_ENDPOINT);
         this.identityHeader = configuration.get(Configuration.PROPERTY_IDENTITY_HEADER);
         this.msiEndpoint = configuration.get(Configuration.PROPERTY_MSI_ENDPOINT);
         this.msiSecret = configuration.get(Configuration.PROPERTY_MSI_SECRET);
-        this.identityClient = identityClient;
-        this.clientId = clientId;
         if (identityEndpoint != null) {
-            validateEndpointProtocol(this.identityEndpoint, "Identity");
+            validateEndpointProtocol(this.identityEndpoint, "Identity", logger);
         }
         if (msiEndpoint != null) {
-            validateEndpointProtocol(this.msiEndpoint, "MSI");
+            validateEndpointProtocol(this.msiEndpoint, "MSI", logger);
         }
     }
 
-    private void validateEndpointProtocol(String endpoint, String endpointName) {
-        if (!(endpoint.startsWith("https") || endpoint.startsWith("http"))) {
-            throw logger.logExceptionAsError(
-                new IllegalArgumentException(
-                    String.format("%s endpoint should start with 'https' or 'http' scheme.", endpointName)));
-        }
-    }
-
-    /**
-     * Gets the client ID of the user assigned or system assigned identity.
-     *
-     * @return The client ID of user assigned or system assigned identity.
-     */
-    public String getClientId() {
-        return this.clientId;
-    }
-
     /**
      * Gets an access token for a token request.
      *

sdk/identity/azure-identity/src/main/java/com/azure/identity/ManagedIdentityCredential.java

@@ -20,10 +20,11 @@
  */
 @Immutable
 public final class ManagedIdentityCredential implements TokenCredential {
-    private final AppServiceMsiCredential appServiceMSICredential;
-    private final VirtualMachineMsiCredential virtualMachineMSICredential;
+    private final ManagedIdentityServiceCredential managedIdentityServiceCredential;
     private final ClientLogger logger = new ClientLogger(ManagedIdentityCredential.class);
 
+    static final String PROPERTY_IDENTITY_SERVER_THUMBPRINT = "IDENTITY_SERVER_THUMBPRINT";
+
 
     /**
      * Creates an instance of the ManagedIdentityCredential.
@@ -36,14 +37,20 @@ public final class ManagedIdentityCredential implements TokenCredential {
             .identityClientOptions(identityClientOptions)
             .build();
         Configuration configuration = Configuration.getGlobalConfiguration().clone();
-        if (configuration.contains(Configuration.PROPERTY_MSI_ENDPOINT)
-                || (configuration.contains(Configuration.PROPERTY_IDENTITY_ENDPOINT)
-                        && configuration.contains(Configuration.PROPERTY_IDENTITY_HEADER))) {
-            appServiceMSICredential = new AppServiceMsiCredential(clientId, identityClient);
-            virtualMachineMSICredential = null;
+        if (configuration.contains(Configuration.PROPERTY_IDENTITY_ENDPOINT)) {
+            if (configuration.contains(Configuration.PROPERTY_IDENTITY_HEADER)) {
+                if (configuration.contains(PROPERTY_IDENTITY_SERVER_THUMBPRINT)) {
+                    managedIdentityServiceCredential = new ServiceFabricMsiCredential(clientId, identityClient);
+                } else {
+                    managedIdentityServiceCredential = new AppServiceMsiCredential(clientId, identityClient);
+                }
+            } else {
+                managedIdentityServiceCredential = null;
+            }
+        } else if (configuration.contains(Configuration.PROPERTY_MSI_ENDPOINT)) {
+            managedIdentityServiceCredential = new AppServiceMsiCredential(clientId, identityClient);
         } else {
-            virtualMachineMSICredential = new VirtualMachineMsiCredential(clientId, identityClient);
-            appServiceMSICredential = null;
+            managedIdentityServiceCredential = new VirtualMachineMsiCredential(clientId, identityClient);
         }
         LoggingUtil.logAvailableEnvironmentVariables(logger, configuration);
     }
@@ -53,23 +60,22 @@ public final class ManagedIdentityCredential implements TokenCredential {
      * @return the client ID of user assigned or system assigned identity.
      */
     public String getClientId() {
-        return this.appServiceMSICredential != null
-            ? this.appServiceMSICredential.getClientId()
-            : this.virtualMachineMSICredential.getClientId();
+        return managedIdentityServiceCredential.getClientId();
     }
 
     @Override
     public Mono<AccessToken> getToken(TokenRequestContext request) {
-        Mono<AccessToken> accessTokenMono;
-        if (appServiceMSICredential != null) {
-            accessTokenMono = appServiceMSICredential.authenticate(request)
-                .doOnSuccess((t -> logger.info("Azure Identity => Managed Identity environment: MSI_ENDPOINT")));
-        } else {
-            accessTokenMono = virtualMachineMSICredential.authenticate(request)
-                .doOnSuccess((t -> logger.info("Azure Identity => Managed Identity environment: IMDS")));
+        if (managedIdentityServiceCredential == null) {
+            return Mono.error(logger.logExceptionAsError(
+                new CredentialUnavailableException("ManagedIdentityCredential authentication unavailable. "
+                                + "The Target Azure platform could not be determined from environment variables.")));
         }
-        return accessTokenMono
-            .doOnNext(token -> LoggingUtil.logTokenSuccess(logger, request))
-            .doOnError(error -> LoggingUtil.logTokenError(logger, request, error));
+        return managedIdentityServiceCredential.authenticate(request)
+                   .doOnSuccess((t -> logger.info(String.format("Azure Identity => Managed Identity environment: %s",
+                       managedIdentityServiceCredential.getEnvironment()))))
+                   .doOnNext(token -> LoggingUtil.logTokenSuccess(logger, request))
+                   .doOnError(error -> LoggingUtil.logTokenError(logger, request, error));
     }
 }
+
+

sdk/identity/azure-identity/src/main/java/com/azure/identity/ManagedIdentityServiceCredential.java

@@ -0,0 +1,61 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.identity;
+
+import com.azure.core.credential.AccessToken;
+import com.azure.core.credential.TokenRequestContext;
+import com.azure.core.util.logging.ClientLogger;
+import com.azure.identity.implementation.IdentityClient;
+import reactor.core.publisher.Mono;
+
+/**
+ * The Managed Service Identity credential.
+ */
+abstract class ManagedIdentityServiceCredential {
+    private final String clientId;
+    private final String environment;
+    final IdentityClient identityClient;
+
+    /**
+     * Creates an instance of ManagedIdentityServiceCredential.
+     * @param clientId the client id of user assigned or system assigned identity
+     * @param identityClient the identity client to acquire a token with.
+     * @param environment The service environment of the credential.
+     */
+    ManagedIdentityServiceCredential(String clientId, IdentityClient identityClient, String environment) {
+        this.identityClient = identityClient;
+        this.clientId = clientId;
+        this.environment = environment;
+    }
+
+    /**
+     * Gets an access token for a token request.
+     *
+     * @param request The details of the token request.
+     * @return A publisher that emits an {@link AccessToken}.
+     */
+    public abstract Mono<AccessToken> authenticate(TokenRequestContext request);
+
+    /**
+     * @return the client ID of user assigned or system assigned identity.
+     */
+    public String getClientId() {
+        return clientId;
+    }
+
+    /**
+     * @return the environment of the Maanged Identity.
+     */
+    public String getEnvironment() {
+        return environment;
+    }
+
+    void validateEndpointProtocol(String endpoint, String endpointName, ClientLogger logger) {
+        if (!(endpoint.startsWith("https") || endpoint.startsWith("http"))) {
+            throw logger.logExceptionAsError(
+                new IllegalArgumentException(
+                    String.format("%s endpoint should start with 'https' or 'http' scheme.", endpointName)));
+        }
+    }
+}

sdk/identity/azure-identity/src/main/java/com/azure/identity/ServiceFabricMsiCredential.java

@@ -0,0 +1,54 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.identity;
+
+import com.azure.core.annotation.Immutable;
+import com.azure.core.credential.AccessToken;
+import com.azure.core.credential.TokenRequestContext;
+import com.azure.core.util.Configuration;
+import com.azure.core.util.logging.ClientLogger;
+import com.azure.identity.implementation.IdentityClient;
+import reactor.core.publisher.Mono;
+
+/**
+ * The Managed Service Identity credential for Azure Service Fabric.
+ */
+@Immutable
+class ServiceFabricMsiCredential extends ManagedIdentityServiceCredential {
+    private final String identityEndpoint;
+    private final String identityHeader;
+    private final String identityServerThumbprint;
+    private final IdentityClient identityClient;
+    private final ClientLogger logger = new ClientLogger(ServiceFabricMsiCredential.class);
+
+    /**
+     * Creates an instance of {@link ServiceFabricMsiCredential}.
+     *
+     * @param clientId The client ID of user assigned or system assigned identity.
+     * @param identityClient The identity client to acquire a token with.
+     */
+    ServiceFabricMsiCredential(String clientId, IdentityClient identityClient) {
+        super(clientId, identityClient, "AZURE SERVICE FABRIC IMDS ENDPOINT");
+        Configuration configuration = Configuration.getGlobalConfiguration().clone();
+        this.identityEndpoint = configuration.get(Configuration.PROPERTY_IDENTITY_ENDPOINT);
+        this.identityHeader = configuration.get(Configuration.PROPERTY_IDENTITY_HEADER);
+        this.identityServerThumbprint = configuration
+                                            .get(ManagedIdentityCredential.PROPERTY_IDENTITY_SERVER_THUMBPRINT);
+        this.identityClient = identityClient;
+        if (identityEndpoint != null) {
+            validateEndpointProtocol(this.identityEndpoint, "Identity", logger);
+        }
+    }
+
+    /**
+     * Gets an access token for a token request.
+     *
+     * @param request The details of the token request.
+     * @return A publisher that emits an {@link AccessToken}.
+     */
+    public Mono<AccessToken> authenticate(TokenRequestContext request) {
+        return identityClient.authenticateToServiceFabricManagedIdentityEndpoint(identityEndpoint, identityHeader,
+            identityServerThumbprint, request);
+    }
+}

sdk/identity/azure-identity/src/main/java/com/azure/identity/VirtualMachineMsiCredential.java

@@ -13,26 +13,15 @@
  * The Managed Service Identity credential for Virtual Machines.
  */
 @Immutable
-class VirtualMachineMsiCredential {
-
-    private final IdentityClient identityClient;
-    private final String clientId;
+class VirtualMachineMsiCredential extends ManagedIdentityServiceCredential {
 
     /**
      * Creates an instance of VirtualMachineMSICredential.
      * @param clientId the client id of user assigned or system assigned identity
      * @param identityClient the identity client to acquire a token with.
      */
     VirtualMachineMsiCredential(String clientId, IdentityClient identityClient) {
-        this.clientId = clientId;
-        this.identityClient = identityClient;
-    }
-
-    /**
-     * @return the client ID of user assigned or system assigned identity.
-     */
-    public String getClientId() {
-        return this.clientId;
+        super(clientId, identityClient, "AZURE VM IMDS ENDPOINT");
     }
 
     /**

sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClient.java

@@ -23,6 +23,7 @@
 import com.azure.identity.CredentialUnavailableException;
 import com.azure.identity.DeviceCodeInfo;
 import com.azure.identity.implementation.util.CertificateUtil;
+import com.azure.identity.implementation.util.IdentitySslUtil;
 import com.azure.identity.implementation.util.ScopeUtil;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.microsoft.aad.msal4j.AuthorizationCodeParameters;
@@ -44,6 +45,7 @@
 import com.sun.jna.Platform;
 import reactor.core.publisher.Mono;
 
+import javax.net.ssl.HttpsURLConnection;
 import java.io.BufferedReader;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
@@ -118,6 +120,7 @@ public class IdentityClient {
     private static final String MSI_ENDPOINT_VERSION = "2017-09-01";
     private static final String ADFS_TENANT = "adfs";
     private static final String HTTP_LOCALHOST = "http://localhost";
+    private static final String SERVICE_FABRIC_MANAGED_IDENTITY_API_VERSION = "2019-07-01-preview";
     private final ClientLogger logger = new ClientLogger(IdentityClient.class);
 
     private final IdentityClientOptions options;
@@ -745,6 +748,67 @@ public Mono<MsalToken> authenticateWithSharedTokenCache(TokenRequestContext requ
                     }));
     }
 
+
+    /**
+     * Asynchronously acquire a token from the App Service Managed Service Identity endpoint.
+     *
+     * @param identityEndpoint the Identity endpoint to acquire token from
+     * @param identityHeader the identity header to acquire token with
+     * @param request the details of the token request
+     * @return a Publisher that emits an AccessToken
+     */
+    public Mono<AccessToken> authenticateToServiceFabricManagedIdentityEndpoint(String identityEndpoint,
+                                                                                String identityHeader,
+                                                                                String thumbprint,
+                                                                                TokenRequestContext request) {
+        return Mono.fromCallable(() -> {
+
+            HttpsURLConnection connection = null;
+            String endpoint = identityEndpoint;
+            String headerValue = identityHeader;
+            String endpointVersion = SERVICE_FABRIC_MANAGED_IDENTITY_API_VERSION;
+
+            String resource = ScopeUtil.scopesToResource(request.getScopes());
+            StringBuilder payload = new StringBuilder();
+
+            payload.append("resource=");
+            payload.append(URLEncoder.encode(resource, "UTF-8"));
+            payload.append("&api-version=");
+            payload.append(URLEncoder.encode(endpointVersion, "UTF-8"));
+            if (clientId != null) {
+                payload.append("&client_id=");
+                payload.append(URLEncoder.encode(clientId, "UTF-8"));
+            }
+
+            try {
+
+                URL url = new URL(String.format("%s?%s", endpoint, payload));
+                connection = (HttpsURLConnection) url.openConnection();
+
+                IdentitySslUtil.addTrustedCertificateThumbprint(getClass().getSimpleName(), connection,
+                    thumbprint);
+                connection.setRequestMethod("GET");
+                if (headerValue != null) {
+                    connection.setRequestProperty("Secret", headerValue);
+                }
+                connection.setRequestProperty("Metadata", "true");
+
+                connection.connect();
+
+                Scanner s = new Scanner(connection.getInputStream(), StandardCharsets.UTF_8.name())
+                                .useDelimiter("\\A");
+
+                String result = s.hasNext() ? s.next() : "";
+                return SERIALIZER_ADAPTER.deserialize(result, MSIToken.class, SerializerEncoding.JSON);
+
+            } finally {
+                if (connection != null) {
+                    connection.disconnect();
+                }
+            }
+        });
+    }
+
     /**
      * Asynchronously acquire a token from the App Service Managed Service Identity endpoint.
      *