Add ACR challenge-based authentication and remove basic auth policy (Azure#19696)

* add challenge-based auth policy

* retrieve aad access token from request header.

* use two http pipelines

* test cleanup and re-record

* update api

* rename policy and begin work on test.

* upgrade to latest swagger to reduce number of auth clients

* add policy test

* update api for changes from generated code

* parameter refactor

Author: annelo-msft

sdk/containerregistry/Azure.Containers.ContainerRegistry/api/Azure.Containers.ContainerRegistry.netstandard2.0.cs

@@ -3,8 +3,8 @@ namespace Azure.Containers.ContainerRegistry
     public partial class ContainerRegistryClient
     {
         protected ContainerRegistryClient() { }
-        public ContainerRegistryClient(System.Uri endpoint, string username, string password) { }
-        public ContainerRegistryClient(System.Uri endpoint, string username, string password, Azure.Containers.ContainerRegistry.ContainerRegistryClientOptions options) { }
+        public ContainerRegistryClient(System.Uri endpoint, Azure.Core.TokenCredential credential) { }
+        public ContainerRegistryClient(System.Uri endpoint, Azure.Core.TokenCredential credential, Azure.Containers.ContainerRegistry.ContainerRegistryClientOptions options) { }
         public virtual Azure.Pageable<string> GetRepositories(System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual Azure.AsyncPageable<string> GetRepositoriesAsync(System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
     }
@@ -19,8 +19,8 @@ public enum ServiceVersion
     public partial class ContainerRepositoryClient
     {
         protected ContainerRepositoryClient() { }
-        public ContainerRepositoryClient(System.Uri endpoint, string repository, string username, string password) { }
-        public ContainerRepositoryClient(System.Uri endpoint, string repository, string username, string password, Azure.Containers.ContainerRegistry.ContainerRegistryClientOptions options) { }
+        public ContainerRepositoryClient(System.Uri endpoint, string repository, Azure.Core.TokenCredential credential) { }
+        public ContainerRepositoryClient(System.Uri endpoint, string repository, Azure.Core.TokenCredential credential, Azure.Containers.ContainerRegistry.ContainerRegistryClientOptions options) { }
         public virtual System.Uri Endpoint { get { throw null; } }
         public virtual Azure.Response DeleteTag(string tag, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual System.Threading.Tasks.Task<Azure.Response> DeleteTagAsync(string tag, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
@@ -44,23 +44,21 @@ public ContentProperties() { }
     public partial class RepositoryProperties
     {
         internal RepositoryProperties() { }
-        public System.DateTimeOffset? CreatedOn { get { throw null; } }
+        public System.DateTimeOffset CreatedOn { get { throw null; } }
         public System.DateTimeOffset? LastUpdatedOn { get { throw null; } }
         public string Name { get { throw null; } }
-        public string Registry { get { throw null; } }
-        public int? RegistryArtifactCount { get { throw null; } }
-        public int? TagCount { get { throw null; } }
+        public int RegistryArtifactCount { get { throw null; } }
+        public int TagCount { get { throw null; } }
         public Azure.Containers.ContainerRegistry.ContentProperties WriteableProperties { get { throw null; } }
     }
     public partial class TagProperties
     {
         internal TagProperties() { }
-        public System.DateTimeOffset? CreatedOn { get { throw null; } }
+        public System.DateTimeOffset CreatedOn { get { throw null; } }
         public string Digest { get { throw null; } }
-        public System.DateTimeOffset? LastUpdatedOn { get { throw null; } }
-        public Azure.Containers.ContainerRegistry.ContentProperties ModifiableProperties { get { throw null; } }
+        public System.DateTimeOffset LastUpdatedOn { get { throw null; } }
         public string Name { get { throw null; } }
-        public string Registry { get { throw null; } }
         public string Repository { get { throw null; } }
+        public Azure.Containers.ContainerRegistry.ContentProperties WriteableProperties { get { throw null; } }
     }
 }

sdk/containerregistry/Azure.Containers.ContainerRegistry/src/Authentication/AuthenticationRestClient.cs

@@ -0,0 +1,9 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Azure.Containers.ContainerRegistry
+{
+    internal partial class AuthenticationRestClient : IContainerRegistryAuthenticationClient
+    {
+    }
+}

sdk/containerregistry/Azure.Containers.ContainerRegistry/src/Authentication/ContainerRegistryChallengeAuthenticationPolicy.cs

@@ -0,0 +1,123 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using Azure.Core;
+using Azure.Core.Pipeline;
+
+namespace Azure.Containers.ContainerRegistry
+{
+    /// <summary>
+    /// Challenge-based authentication policy for Container Registry Service.
+    ///
+    /// The challenge-based authorization flow for ACR is illustrated in the following steps.
+    /// For example, GET /api/v1/acr/repositories translates into the following calls.
+    ///
+    /// Step 1: GET /api/v1/acr/repositories
+    /// Return Header: 401: www-authenticate header - Bearer realm="{url}",service="{serviceName}",scope="{scope}",error="invalid_token"
+    ///
+    /// Step 2: Retrieve the serviceName, scope from the WWW-Authenticate header.  (Parse the string.)
+    ///
+    /// Step 3: POST /api/oauth2/exchange
+    /// Request Body : { service, scope, grant-type, aadToken with ARM scope }
+    /// Response Body: { acrRefreshToken }
+    ///
+    /// Step 4: POST /api/oauth2/token
+    /// Request Body: { acrRefreshToken, scope, grant-type }
+    /// Response Body: { acrAccessToken }
+    ///
+    /// Step 5: GET /api/v1/acr/repositories
+    /// Request Header: { Bearer acrTokenAccess }
+    /// </summary>
+    internal class ContainerRegistryChallengeAuthenticationPolicy : BearerTokenChallengeAuthenticationPolicy
+    {
+        private readonly IContainerRegistryAuthenticationClient _authenticationClient;
+
+        public ContainerRegistryChallengeAuthenticationPolicy(TokenCredential credential, string aadScope, IContainerRegistryAuthenticationClient authenticationClient)
+            : base(credential, aadScope)
+        {
+            Argument.AssertNotNull(credential, nameof(credential));
+            Argument.AssertNotNull(aadScope, nameof(aadScope));
+
+            _authenticationClient = authenticationClient;
+        }
+
+        protected override async ValueTask<bool> AuthenticateRequestOnChallengeAsync(HttpMessage message, bool async)
+        {
+            // Once we're here, we've completed Step 1.
+
+            // Step 2: Parse challenge string to retrieve serviceName and scope, where scope is the ACR Scope
+            var service = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "service");
+            var scope = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "scope");
+
+            string acrAccessToken = string.Empty;
+            if (async)
+            {
+                // Step 3: Exchange AAD Access Token for ACR Refresh Token
+                string acrRefreshToken = await ExchangeAadAccessTokenForAcrRefreshTokenAsync(message, service, true).ConfigureAwait(false);
+
+                // Step 4: Send in acrRefreshToken and get back acrAccessToken
+                acrAccessToken = await ExchangeAcrRefreshTokenForAcrAccessTokenAsync(acrRefreshToken, service, scope, true, message.CancellationToken).ConfigureAwait(false);
+            }
+            else
+            {
+                // Step 3: Exchange AAD Access Token for ACR Refresh Token
+                string acrRefreshToken = ExchangeAadAccessTokenForAcrRefreshTokenAsync(message, service, false).EnsureCompleted();
+
+                // Step 4: Send in acrRefreshToken and get back acrAccessToken
+                acrAccessToken = ExchangeAcrRefreshTokenForAcrAccessTokenAsync(acrRefreshToken, service, scope, false, message.CancellationToken).EnsureCompleted();
+            }
+
+            // Step 5 - Authorize Request.  Note, we don't use SetAuthorizationHeader here, because it
+            // sets an AAD access token header, and at this point we're done with AAD and using an ACR access token.
+            message.Request.Headers.SetValue(HttpHeader.Names.Authorization, $"Bearer {acrAccessToken}");
+
+            return true;
+        }
+
+        private async Task<string> ExchangeAadAccessTokenForAcrRefreshTokenAsync(HttpMessage message, string service, bool async)
+        {
+            string aadAccessToken = GetAuthorizationToken(message);
+
+            Response<AcrRefreshToken> acrRefreshToken = null;
+            if (async)
+            {
+                acrRefreshToken = await _authenticationClient.ExchangeAadAccessTokenForAcrRefreshTokenAsync(service, aadAccessToken, message.CancellationToken).ConfigureAwait(false);
+            }
+            else
+            {
+                acrRefreshToken = _authenticationClient.ExchangeAadAccessTokenForAcrRefreshToken(service, aadAccessToken, message.CancellationToken);
+            }
+
+            return acrRefreshToken.Value.RefreshToken;
+        }
+
+        private async Task<string> ExchangeAcrRefreshTokenForAcrAccessTokenAsync(string acrRefreshToken, string service, string scope, bool async, CancellationToken cancellationToken)
+        {
+            Response<AcrAccessToken> acrAccessToken = null;
+            if (async)
+            {
+                acrAccessToken = await _authenticationClient.ExchangeAcrRefreshTokenForAcrAccessTokenAsync(service, scope, acrRefreshToken, cancellationToken).ConfigureAwait(false);
+            }
+            else
+            {
+                acrAccessToken = _authenticationClient.ExchangeAcrRefreshTokenForAcrAccessToken(service, scope, acrRefreshToken, cancellationToken);
+            }
+
+            return acrAccessToken.Value.AccessToken;
+        }
+
+        private static string GetAuthorizationToken(HttpMessage message)
+        {
+            string aadAuthHeader;
+            if (!message.Request.Headers.TryGetValue(HttpHeader.Names.Authorization, out aadAuthHeader))
+            {
+                throw new InvalidOperationException("Failed to retrieve Authentication header from message request.");
+            }
+
+            return aadAuthHeader.Remove(0, "Bearer ".Length);
+        }
+    }
+}

sdk/containerregistry/Azure.Containers.ContainerRegistry/src/Authentication/IContainerRegistryAuthenticationClient.cs

@@ -0,0 +1,17 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace Azure.Containers.ContainerRegistry
+{
+    internal interface IContainerRegistryAuthenticationClient
+    {
+        Task<Response<AcrRefreshToken>> ExchangeAadAccessTokenForAcrRefreshTokenAsync(string service, string aadAccessToken, CancellationToken token = default);
+        Response<AcrRefreshToken> ExchangeAadAccessTokenForAcrRefreshToken(string service, string aadAccessToken, CancellationToken token = default);
+
+        Task<Response<AcrAccessToken>> ExchangeAcrRefreshTokenForAcrAccessTokenAsync(string service, string scope, string acrRefreshToken, CancellationToken token = default);
+        Response<AcrAccessToken> ExchangeAcrRefreshTokenForAcrAccessToken(string service, string scope, string acrRefreshToken, CancellationToken token = default);
+    }
+}

sdk/containerregistry/Azure.Containers.ContainerRegistry/src/Azure.Containers.ContainerRegistry.csproj

@@ -1,12 +1,12 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
     <Description></Description>
     <AssemblyTitle>Microsoft Azure.Containers.ContainerRegistry client library</AssemblyTitle>
     <Version>1.0.0-beta.1</Version>
     <PackageTags>Azure Container Registry;$(PackageCommonTags)</PackageTags>
     <TargetFrameworks>$(RequiredTargetFrameworks)</TargetFrameworks>
   </PropertyGroup>
-  
+
   <ItemGroup>
     <PackageReference Include="System.Text.Json" />
   </ItemGroup>
@@ -15,7 +15,9 @@
   <ItemGroup>
     <Compile Include="$(AzureCoreSharedSources)Argument.cs" LinkBase="Shared" />
     <Compile Include="$(AzureCoreSharedSources)ArrayBufferWriter.cs" LinkBase="Shared" />
+    <Compile Include="$(AzureCoreSharedSources)AuthorizationChallengeParser.cs" LinkBase="Shared" />
     <Compile Include="$(AzureCoreSharedSources)AzureResourceProviderNamespaceAttribute.cs" LinkBase="Shared" />
+    <Compile Include="$(AzureCoreSharedSources)BearerTokenChallengeAuthenticationPolicy.cs" LinkBase="Shared" />
     <Compile Include="$(AzureCoreSharedSources)ClientDiagnostics.cs" LinkBase="Shared" />
     <Compile Include="$(AzureCoreSharedSources)ContentTypeUtilities.cs" LinkBase="Shared" />
     <Compile Include="$(AzureCoreSharedSources)DiagnosticScope.cs" LinkBase="Shared" />

sdk/containerregistry/Azure.Containers.ContainerRegistry/src/ContainerRegistryClient.cs

@@ -16,33 +16,34 @@ public partial class ContainerRegistryClient
     {
         private readonly Uri _endpoint;
         private readonly HttpPipeline _pipeline;
+        private readonly HttpPipeline _acrAuthPipeline;
         private readonly ClientDiagnostics _clientDiagnostics;
         private readonly ContainerRegistryRestClient _restClient;
 
+        private readonly AuthenticationRestClient _acrAuthClient;
+        private readonly string AcrAadScope = "https://management.core.windows.net/.default";
+
         /// <summary>
-        /// <paramref name="endpoint"/>
         /// </summary>
-        public ContainerRegistryClient(Uri endpoint, string username, string password) : this(endpoint, username, password,  new ContainerRegistryClientOptions())
+        public ContainerRegistryClient(Uri endpoint, TokenCredential credential) : this(endpoint, credential, new ContainerRegistryClientOptions())
         {
         }
 
         /// <summary>
         /// </summary>
-        /// <param name="endpoint"></param>
-        /// <param name="username"></param>
-        /// <param name="password"></param>
-        /// <param name="options"></param>
-        public ContainerRegistryClient(Uri endpoint, string username, string password, ContainerRegistryClientOptions options)
+        public ContainerRegistryClient(Uri endpoint, TokenCredential credential, ContainerRegistryClientOptions options)
         {
             Argument.AssertNotNull(endpoint, nameof(endpoint));
+            Argument.AssertNotNull(credential, nameof(credential));
             Argument.AssertNotNull(options, nameof(options));
 
-            _pipeline = HttpPipelineBuilder.Build(options, new BasicAuthenticationPolicy(username, password));
-
+            _endpoint = endpoint;
             _clientDiagnostics = new ClientDiagnostics(options);
 
-            _endpoint = endpoint;
+            _acrAuthPipeline = HttpPipelineBuilder.Build(options);
+            _acrAuthClient = new AuthenticationRestClient(_clientDiagnostics, _acrAuthPipeline, endpoint.AbsoluteUri);
 
+            _pipeline = HttpPipelineBuilder.Build(options, new ContainerRegistryChallengeAuthenticationPolicy(credential, AcrAadScope, _acrAuthClient));
             _restClient = new ContainerRegistryRestClient(_clientDiagnostics, _pipeline, _endpoint.AbsoluteUri);
         }