BearerTokenChallengeAuthenticationPolicy refactor (Azure#19215)

christothes · web-flow · commit 9681941a1e8a · 2021-03-05T20:47:13.000Z
* refactor BearerTokenChallengeAuthenticationPolicy
diff --git a/sdk/core/Azure.Core/src/Shared/ARMChallengeAuthenticationPolicy.cs b/sdk/core/Azure.Core/src/Shared/ARMChallengeAuthenticationPolicy.cs
@@ -2,6 +2,7 @@
 // Licensed under the MIT License.
 
 using System;
+using System.Threading.Tasks;
 using System.Collections.Generic;
 
 #nullable enable
@@ -29,25 +30,18 @@ public ARMChallengeAuthenticationPolicy(TokenCredential credential, string scope
         public ARMChallengeAuthenticationPolicy(TokenCredential credential, IEnumerable<string> scopes)
             : base(credential, scopes, TimeSpan.FromMinutes(5), TimeSpan.FromSeconds(30)) { }
 
-        /// <summary>
-        /// Executed in the event a 401 response with a WWW-Authenticate authentication challenge header is received after the initial request.
-        /// </summary>
-        /// <remarks>Handles claims authentication challenges.</remarks>
-        /// <param name="message">The <see cref="HttpMessage"/> to be authenticated.</param>
-        /// <param name="context">If the return value is <c>true</c>, a <see cref="TokenRequestContext"/>.</param>
-        /// <returns>A boolean indicated whether the request contained a valid challenge and a <see cref="TokenRequestContext"/> was successfully initialized with it.</returns>
-        protected override bool TryGetTokenRequestContextFromChallenge(HttpMessage message, out TokenRequestContext context)
+        /// <inheritdoc cref="BearerTokenChallengeAuthenticationPolicy.AuthenticateRequestOnChallengeAsync(HttpMessage, bool)" />
+        protected override async ValueTask<bool> AuthenticateRequestOnChallengeAsync(HttpMessage message, bool async)
         {
-            context = default;
-
             var challenge = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "claims");
             if (challenge == null)
             {
                 return false;
             }
 
             string claimsChallenge = Base64Url.DecodeString(challenge.ToString());
-           context = new TokenRequestContext(Scopes, message.Request.ClientRequestId, claimsChallenge);
+            var context = new TokenRequestContext(Scopes, message.Request.ClientRequestId, claimsChallenge);
+            await SetAuthorizationHeader(message, context, async);
             return true;
         }
     }
diff --git a/sdk/core/Azure.Core/src/Shared/BearerTokenChallengeAuthenticationPolicy.cs b/sdk/core/Azure.Core/src/Shared/BearerTokenChallengeAuthenticationPolicy.cs
@@ -19,7 +19,8 @@ namespace Azure.Core.Pipeline
     internal class BearerTokenChallengeAuthenticationPolicy : HttpPipelinePolicy
     {
         private readonly AccessTokenCache _accessTokenCache;
-        protected string[] Scopes { get; set; }
+        protected string[] Scopes { get; private set; }
+        private readonly ValueTask<bool> _falseValueTask = new ValueTask<bool>(Task.FromResult(false));
 
         /// <summary>
         /// Creates a new instance of <see cref="BearerTokenChallengeAuthenticationPolicy"/> using provided token credential and scope to authenticate for.
@@ -57,17 +58,29 @@ public override void Process(HttpMessage message, ReadOnlyMemory<HttpPipelinePol
             ProcessAsync(message, pipeline, false).EnsureCompleted();
         }
 
+        /// <summary>
+        /// Executes before <see cref="ProcessAsync(HttpMessage, ReadOnlyMemory{HttpPipelinePolicy})"/> or <see cref="Process(HttpMessage, ReadOnlyMemory{HttpPipelinePolicy})"/> is called.
+        /// Implementers of this method are expected to call <see cref="SetAuthorizationHeader(HttpMessage, TokenRequestContext, bool)"/> if authorization is required for requests not related to handling a challenge response.
+        /// </summary>
+        /// <param name="message">The <see cref="HttpMessage"/> this policy would be applied to.</param>
+        /// <param name="async">Indicates whether the method was called from an asynchronous context.</param>
+        /// <returns>The <see cref="ValueTask"/> representing the asynchronous operation.</returns>
+        protected virtual Task AuthenticateRequestAsync(HttpMessage message, bool async)
+        {
+            var context = new TokenRequestContext(Scopes, message.Request.ClientRequestId);
+            return SetAuthorizationHeader(message, context, async);
+        }
+
         /// <summary>
         /// Executed in the event a 401 response with a WWW-Authenticate authentication challenge header is received after the initial request.
         /// </summary>
-        /// <remarks>Service client libraries may derive from this and extend to handle service specific authentication challenges.</remarks>
+        /// <remarks>Service client libraries may override this to handle service specific authentication challenges.</remarks>
         /// <param name="message">The <see cref="HttpMessage"/> to be authenticated.</param>
-        /// <param name="context">If the return value is <c>true</c>, a <see cref="TokenRequestContext"/>.</param>
-        /// <returns>A boolean indicated whether the request contained a valid challenge and a <see cref="TokenRequestContext"/> was successfully initialized with it.</returns>
-        protected virtual bool TryGetTokenRequestContextFromChallenge(HttpMessage message, out TokenRequestContext context)
+        /// <param name="async">Indicates whether the method was called from an asynchronous context.</param>
+        /// <returns>A boolean indicating whether the request was successfully authenticated and should be sent to the transport.</returns>
+        protected virtual ValueTask<bool> AuthenticateRequestOnChallengeAsync(HttpMessage message, bool async)
         {
-            context = default;
-            return false;
+            return _falseValueTask;
         }
 
         private async ValueTask ProcessAsync(HttpMessage message, ReadOnlyMemory<HttpPipelinePolicy> pipeline, bool async)
@@ -77,31 +90,14 @@ private async ValueTask ProcessAsync(HttpMessage message, ReadOnlyMemory<HttpPip
                 throw new InvalidOperationException("Bearer token authentication is not permitted for non TLS protected (https) endpoints.");
             }
 
-            TokenRequestContext context;
-
-            // If the message already has a challenge response due to a sub-class pre-processing the request, get the context from the challenge.
-            if (message.HasResponse && message.Response.Status == (int)HttpStatusCode.Unauthorized && message.Response.Headers.Contains(HttpHeader.Names.WWWAuthenticate))
-            {
-                if (!TryGetTokenRequestContextFromChallenge(message, out context))
-                {
-                    // We were unsuccessful in handling the challenge, so bail out now.
-                    return;
-                }
-                Scopes = context.Scopes;
-            }
-            else
-            {
-                context = new TokenRequestContext(Scopes, message.Request.ClientRequestId);
-            }
-
-            await AuthenticateRequestAsync(message, context, async).ConfigureAwait(false);
-
             if (async)
             {
+                await AuthenticateRequestAsync(message, true).ConfigureAwait(false);
                 await ProcessNextAsync(message, pipeline).ConfigureAwait(false);
             }
             else
             {
+                AuthenticateRequestAsync(message, false).EnsureCompleted();
                 ProcessNext(message, pipeline);
             }
 
@@ -111,13 +107,8 @@ private async ValueTask ProcessAsync(HttpMessage message, ReadOnlyMemory<HttpPip
                 // Attempt to get the TokenRequestContext based on the challenge.
                 // If we fail to get the context, the challenge was not present or invalid.
                 // If we succeed in getting the context, authenticate the request and pass it up the policy chain.
-                if (TryGetTokenRequestContextFromChallenge(message, out context))
+                if (await AuthenticateRequestOnChallengeAsync(message, async).ConfigureAwait(false))
                 {
-                    // Ensure the scopes are consistent with what was set by <see cref="TryGetTokenRequestContextFromChallenge" />.
-                    Scopes = context.Scopes;
-
-                    await AuthenticateRequestAsync(message, context, async).ConfigureAwait(false);
-
                     if (async)
                     {
                         await ProcessNextAsync(message, pipeline).ConfigureAwait(false);
@@ -130,7 +121,13 @@ private async ValueTask ProcessAsync(HttpMessage message, ReadOnlyMemory<HttpPip
             }
         }
 
-        private async Task AuthenticateRequestAsync(HttpMessage message, TokenRequestContext context, bool async)
+        /// <summary>
+        /// Sets the Authorization header on the <see cref="Request"/>.
+        /// </summary>
+        /// <param name="message">The <see cref="HttpMessage"/> with the <see cref="Request"/> to be authorized.</param>
+        /// <param name="context">The <see cref="TokenRequestContext"/> used to authorize the <see cref="Request"/>.</param>
+        /// <param name="async">Indicates whether the method was called from an asynchronous context.</param>
+        protected async Task SetAuthorizationHeader(HttpMessage message, TokenRequestContext context, bool async)
         {
             string headerValue;
             if (async)
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Shared/src/ChallengeBasedAuthenticationPolicy.cs b/sdk/keyvault/Azure.Security.KeyVault.Shared/src/ChallengeBasedAuthenticationPolicy.cs
@@ -13,69 +13,50 @@ namespace Azure.Security.KeyVault
     internal class ChallengeBasedAuthenticationPolicy : BearerTokenChallengeAuthenticationPolicy
     {
         private static ConcurrentDictionary<string, AuthorityScope> _scopeCache = new ConcurrentDictionary<string, AuthorityScope>();
+        private const string KeyVaultStashedContentKey = "KeyVaultContent";
         private AuthorityScope _scope;
 
         public ChallengeBasedAuthenticationPolicy(TokenCredential credential) : base(credential, Array.Empty<string>())
         { }
 
-        public override void Process(HttpMessage message, ReadOnlyMemory<HttpPipelinePolicy> pipeline)
-        {
-            PreProcessAsync(message, pipeline, false).EnsureCompleted();
-            base.Process(message, pipeline);
-        }
-
-        public override async ValueTask ProcessAsync(HttpMessage message, ReadOnlyMemory<HttpPipelinePolicy> pipeline)
-        {
-            await PreProcessAsync(message, pipeline, true).ConfigureAwait(false);
-            await base.ProcessAsync(message, pipeline).ConfigureAwait(false);
-        }
-
-        protected async Task PreProcessAsync(HttpMessage message, ReadOnlyMemory<HttpPipelinePolicy> pipeline, bool async)
+        /// <inheritdoc cref="BearerTokenChallengeAuthenticationPolicy.AuthenticateRequestOnChallengeAsync(HttpMessage, bool)" />
+        protected override async Task AuthenticateRequestAsync(HttpMessage message, bool async)
         {
             if (message.Request.Uri.Scheme != Uri.UriSchemeHttps)
             {
                 throw new InvalidOperationException("Bearer token authentication is not permitted for non TLS protected (https) endpoints.");
             }
 
-            // if this policy doesn't have _scope cached try to get it from the static challenge cache.
-            if (_scope != null)
+            // If this policy doesn't have _scope cached try to get it from the static challenge cache.
+            if (_scope == null)
             {
-                return;
+                string authority = GetRequestAuthority(message.Request);
+                _scopeCache.TryGetValue(authority, out _scope);
             }
 
-            string authority = GetRequestAuthority(message.Request);
-            _scopeCache.TryGetValue(authority, out _scope);
-
-            if (_scope == null)
+            if (_scope != null)
             {
-                // The body is removed from the initial request because Key Vault supports other authentication schemes which also protect the body of the request.
-                // As a result, before we know the auth scheme we need to avoid sending an unprotected body to Key Vault.
-                // We don't currently support this enhanced auth scheme in the SDK but we still don't want to send any unprotected data to vaults which require it.
+                // We fetched the scope from the cache, but we have not initialized the Scopes in the base yet.
+                var context = new TokenRequestContext(_scope.Scopes, message.Request.ClientRequestId);
+                await SetAuthorizationHeader(message, context, async).ConfigureAwait(false);
+                return;
+            }
 
-                RequestContent originalContent = message.Request.Content;
-                message.Request.Content = null;
+            // The body is removed from the initial request because Key Vault supports other authentication schemes which also protect the body of the request.
+            // As a result, before we know the auth scheme we need to avoid sending an unprotected body to Key Vault.
+            // We don't currently support this enhanced auth scheme in the SDK but we still don't want to send any unprotected data to vaults which require it.
 
-                if (async)
-                {
-                    await ProcessNextAsync(message, pipeline).ConfigureAwait(false);
-                }
-                else
-                {
-                    ProcessNext(message, pipeline);
-                }
+            message.SetProperty(KeyVaultStashedContentKey, message.Request.Content);
+            message.Request.Content = null;
+        }
 
-                // set the content to the original content.
-                message.Request.Content = originalContent;
-            }
-            else
+        protected override async ValueTask<bool> AuthenticateRequestOnChallengeAsync(HttpMessage message, bool async)
+        {
+            if (message.Request.Content == null && message.TryGetProperty(KeyVaultStashedContentKey, out var content))
             {
-                // We fetched the scope from the cache, but we have not initialized the Scopes in the base yet.
-                Scopes = _scope.Scopes;
+                message.Request.Content = content as RequestContent;
             }
-        }
 
-        protected override bool TryGetTokenRequestContextFromChallenge(HttpMessage message, out TokenRequestContext context)
-        {
             string authority = GetRequestAuthority(message.Request);
             string scope = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "resource");
             if (scope != null)
@@ -100,7 +81,8 @@ protected override bool TryGetTokenRequestContextFromChallenge(HttpMessage messa
                 _scopeCache[authority] = _scope;
             }
 
-            context = new TokenRequestContext(_scope.Scopes, message.Request.ClientRequestId);
+            var context = new TokenRequestContext(_scope.Scopes, message.Request.ClientRequestId);
+            await SetAuthorizationHeader(message, context, async).ConfigureAwait(false);
             return true;
         }
 
