Configure cloud from keyvault uri (#20530)
* identify and configure cloud environment from keyvault uri

* add unit test to check url initialization

* remove slash in base uri

* refactor constructors

* add changelog
yiliuTo authored and benbp committed Apr 28, 2021
1 parent ad6cae9 commit baa4ac3
Showing 17 changed files with 151 additions and 87 deletions.
3 changes: 2 additions & 1 deletion sdk/keyvault/azure-security-keyvault-jca/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,8 @@
# Release History

## 1.0.0-beta.6 (Unreleased)

### Breaking Changes
- Remove configurable property of azure.keyvault.aad-authentication-url which is configured according to azure.keyvault.uri automatically [#20530](https://github.com/Azure/azure-sdk-for-java/pull/20530)

## 1.0.0-beta.5 (2021-03-22)

Expand Down
6 changes: 2 additions & 4 deletions sdk/keyvault/azure-security-keyvault-jca/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -38,15 +38,14 @@ az keyvault create --resource-group <your-resource-group-name> --name <your-key-
### Server side SSL
If you are looking to integrate the JCA provider to create an SSLServerSocket see the example below.

<!-- embedme ./src/samples/java/com/azure/security/keyvault/jca/ServerSSLSample.java#L18-L37 -->
<!-- embedme ./src/samples/java/com/azure/security/keyvault/jca/ServerSSLSample.java#L18-L36 -->
```java
KeyVaultJcaProvider provider = new KeyVaultJcaProvider();
Security.addProvider(provider);

KeyStore keyStore = KeyStore.getInstance("AzureKeyVault");
KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
System.getProperty("azure.keyvault.uri"),
System.getProperty("azure.keyvault.aad-authentication-url"),
System.getProperty("azure.keyvault.tenant-id"),
System.getProperty("azure.keyvault.client-id"),
System.getProperty("azure.keyvault.client-secret"));
Expand All @@ -67,15 +66,14 @@ Note if you want to use Azure Managed Identity, you should set the value of `azu
### Client side SSL
If you are looking to integrate the JCA provider for client side socket connections, see the Apache HTTP client example below.

<!-- embedme ./src/samples/java/com/azure/security/keyvault/jca/ClientSSLSample.java#L28-L68 -->
<!-- embedme ./src/samples/java/com/azure/security/keyvault/jca/ClientSSLSample.java#L28-L67 -->
```java
KeyVaultJcaProvider provider = new KeyVaultJcaProvider();
Security.addProvider(provider);

KeyStore keyStore = KeyStore.getInstance("AzureKeyVault");
KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
System.getProperty("azure.keyvault.uri"),
System.getProperty("azure.keyvault.aad-authentication-url"),
System.getProperty("azure.keyvault.tenant-id"),
System.getProperty("azure.keyvault.client-id"),
System.getProperty("azure.keyvault.client-secret"));
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@
import java.util.Optional;
import java.util.logging.Logger;

import static com.azure.security.keyvault.jca.UriUtil.getAADLoginURIByKeyVaultBaseUri;
import static java.util.logging.Level.INFO;
import static java.util.logging.Level.WARNING;

Expand All @@ -46,12 +47,18 @@ class KeyVaultClient extends DelegateRestClient {
* Stores the logger.
*/
private static final Logger LOGGER = Logger.getLogger(KeyVaultClient.class.getName());
private static final String HTTPS_PREFIX = "https://";

/**
* Stores the API version postfix.
*/
private static final String API_VERSION_POSTFIX = "?api-version=7.1";

/**
* Stores the Key Vault cloud URI.
*/
private String keyVaultBaseUri;

/**
* Stores the Azure Key Vault URL.
*/
Expand Down Expand Up @@ -85,51 +92,65 @@ class KeyVaultClient extends DelegateRestClient {
private String managedIdentity;

/**
* Constructor.
* Constructor for authentication with system-assigned managed identity.
*
* @param keyVaultUri the Azure Key Vault URI.
*/
KeyVaultClient(String keyVaultUri) {
super(RestClientFactory.createClient());
LOGGER.log(INFO, "Using Azure Key Vault: {0}", keyVaultUri);
if (!keyVaultUri.endsWith("/")) {
keyVaultUri = keyVaultUri + "/";
}
this.keyVaultUrl = keyVaultUri;
this(keyVaultUri, null, null, null, null);
}

/**
* Constructor.
* Constructor for authentication with user-assigned managed identity.
*
* @param keyVaultUri the Azure Key Vault URI.
* @param managedIdentity the managed identity object ID.
* @param managedIdentity the user-assigned managed identity object ID.
*/
KeyVaultClient(String keyVaultUri, String managedIdentity) {
super(RestClientFactory.createClient());
LOGGER.log(INFO, "Using Azure Key Vault: {0}", keyVaultUri);
if (!keyVaultUri.endsWith("/")) {
keyVaultUri = keyVaultUri + "/";
}
this.keyVaultUrl = keyVaultUri;
this.managedIdentity = managedIdentity;
this(keyVaultUri, null, null, null, managedIdentity);
}

/**
* Constructor for authentication with service principal.
*
* @param keyVaultUri the Azure Key Vault URI.
* @param tenantId the tenant ID.
* @param clientId the client ID.
* @param clientSecret the client secret.
*/
KeyVaultClient(final String keyVaultUri, final String tenantId, final String clientId, final String clientSecret) {
this(keyVaultUri, tenantId, clientId, clientSecret, null);
}


/**
* Constructor.
*
* @param keyVaultUri the Azure Key Vault URI.
* @param aadAuthenticationUrl the Azure AD authentication URL.
* @param tenantId the tenant ID.
* @param clientId the client ID.
* @param clientSecret the client secret.
* @param managedIdentity the user-assigned managed identity object ID.
*/
KeyVaultClient(final String keyVaultUri, final String aadAuthenticationUrl,
final String tenantId, final String clientId, final String clientSecret) {
this(keyVaultUri);
this.aadAuthenticationUrl = aadAuthenticationUrl;
KeyVaultClient(String keyVaultUri, String tenantId, String clientId, String clientSecret, String managedIdentity) {
super(RestClientFactory.createClient());
LOGGER.log(INFO, "Using Azure Key Vault: {0}", keyVaultUri);
if (!keyVaultUri.endsWith("/")) {
keyVaultUri = keyVaultUri + "/";
}
this.keyVaultUrl = keyVaultUri;
//Base Uri shouldn't end with a slash.
String domainNameSuffix = Optional.of(keyVaultUri)
.map(uri -> uri.split("\\.", 2)[1])
.map(suffix -> suffix.substring(0, suffix.length() - 1))
.get();
keyVaultBaseUri = HTTPS_PREFIX + domainNameSuffix;
aadAuthenticationUrl = getAADLoginURIByKeyVaultBaseUri(keyVaultBaseUri);

this.tenantId = tenantId;
this.clientId = clientId;
this.clientSecret = clientSecret;
this.managedIdentity = managedIdentity;
}

/**
Expand All @@ -143,7 +164,7 @@ private String getAccessToken() {
try {
AuthClient authClient = new AuthClient();

String resource = URLEncoder.encode("https://vault.azure.net", "UTF-8");
String resource = URLEncoder.encode(keyVaultBaseUri, "UTF-8");
if (managedIdentity != null) {
managedIdentity = URLEncoder.encode(managedIdentity, "UTF-8");
}
Expand Down Expand Up @@ -326,4 +347,12 @@ private PrivateKey createPrivateKeyFromPem(String pemString)
KeyFactory factory = KeyFactory.getInstance("RSA");
return factory.generatePrivate(spec);
}

String getKeyVaultBaseUri() {
return keyVaultBaseUri;
}

String getAadAuthenticationUrl() {
return aadAuthenticationUrl;
}
}
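Review bot: The suffix derivation in the five-argument constructor (`uri.split("\\.", 2)[1]` then `substring(0, length - 1)`) assumes the value is exactly `https://<name>.<suffix>/`; a value with no dot fails with an ArrayIndexOutOfBoundsException from the indexing rather than an error naming the property, and a value carrying a port or path segment produces a base URI that the lookup in UriUtil rejects although the vault address itself is valid. Because this string now decides both the AAD authority and the token audience passed as `resource` in getAccessToken, parsing it with java.net.URI and taking the host's suffix is more robust than slicing the raw string; that requires `java.net.URI` and `java.net.URISyntaxException` to be imported. The `Optional.of(...).map(...).get()` chain on a value already known to be non-null also reads harder than a plain expression, and `keyVaultUri` is dereferenced at `endsWith("/")` before any null check, so a missing `azure.keyvault.uri` property surfaces as a NullPointerException; an `Objects.requireNonNull(keyVaultUri, "azure.keyvault.uri")` at the top would name the property. The new package-private getters `getKeyVaultBaseUri` and `getAadAuthenticationUrl` have no Javadoc, unlike the rest of the class.
```java
KeyVaultClient(String keyVaultUri, String tenantId, String clientId, String clientSecret, String managedIdentity) {
    super(RestClientFactory.createClient());
    // … unchanged: logging and trailing-slash normalisation of keyVaultUri …
    // The cloud is identified by the vault's DNS suffix: the host minus its first label.
    String host;
    try {
        host = new URI(keyVaultUri).getHost();
    } catch (URISyntaxException e) {
        throw new IllegalArgumentException("Property of azure.keyvault.uri is illegal: " + keyVaultUri, e);
    }
    if (host == null || host.indexOf('.') < 0) {
        throw new IllegalArgumentException("Property of azure.keyvault.uri is illegal: " + keyVaultUri);
    }
    keyVaultBaseUri = HTTPS_PREFIX + host.substring(host.indexOf('.') + 1);
    aadAuthenticationUrl = getAADLoginURIByKeyVaultBaseUri(keyVaultBaseUri);
    // … unchanged: credential field assignments …
}
```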
Original file line number Diff line number Diff line change
Expand Up @@ -93,13 +93,12 @@ public final class KeyVaultKeyStore extends KeyStoreSpi {
public KeyVaultKeyStore() {
creationDate = new Date();
String keyVaultUri = System.getProperty("azure.keyvault.uri");
String aadAuthenticationUrl = System.getProperty("azure.keyvault.aad-authentication-url");
String tenantId = System.getProperty("azure.keyvault.tenant-id");
String clientId = System.getProperty("azure.keyvault.client-id");
String clientSecret = System.getProperty("azure.keyvault.client-secret");
String managedIdentity = System.getProperty("azure.keyvault.managed-identity");
if (clientId != null) {
keyVaultClient = new KeyVaultClient(keyVaultUri, aadAuthenticationUrl, tenantId, clientId, clientSecret);
keyVaultClient = new KeyVaultClient(keyVaultUri, tenantId, clientId, clientSecret);
} else {
keyVaultClient = new KeyVaultClient(keyVaultUri, managedIdentity);
}
Expand Down Expand Up @@ -226,7 +225,6 @@ public void engineLoad(KeyStore.LoadStoreParameter param) {
if (parameter.getClientId() != null) {
keyVaultClient = new KeyVaultClient(
parameter.getUri(),
parameter.getAadAuthenticationUrl(),
parameter.getTenantId(),
parameter.getClientId(),
parameter.getClientSecret());
Expand Down
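Review bot: `keyVaultUri` read from `azure.keyvault.uri` in the constructor is handed to both KeyVaultClient constructors unchecked, and after this change it alone determines the AAD authority and the token audience; if the property is unset the failure is a NullPointerException inside KeyVaultClient's trailing-slash check rather than a message naming the property. A guard such as `Objects.requireNonNull(keyVaultUri, "azure.keyvault.uri must be set");` before the `clientId` branch would make the misconfiguration obvious (java.util.Objects needs importing if the file does not already). The constructor and engineLoad both continue outside the hunk.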
Original file line number Diff line number Diff line change
Expand Up @@ -10,18 +10,11 @@
*/
public class KeyVaultLoadStoreParameter implements KeyStore.LoadStoreParameter {

private static final String DEFAULT_AAD_AUTHENTICATION_URL = "https://login.microsoftonline.com/";

/**
* Stores the URI.
*/
private final String uri;

/**
* Stores the Azure AD authentication URL.
*/
private final String aadAuthenticationUrl;

/**
* Stores the tenant id.
*/
Expand Down Expand Up @@ -59,7 +52,6 @@ public KeyVaultLoadStoreParameter(String uri) {
*/
public KeyVaultLoadStoreParameter(String uri, String managedIdentity) {
this.uri = uri;
this.aadAuthenticationUrl = null;
this.tenantId = null;
this.clientId = null;
this.clientSecret = null;
Expand All @@ -75,23 +67,7 @@ public KeyVaultLoadStoreParameter(String uri, String managedIdentity) {
* @param clientSecret the client secret.
*/
public KeyVaultLoadStoreParameter(String uri, String tenantId, String clientId, String clientSecret) {
this(uri, DEFAULT_AAD_AUTHENTICATION_URL, tenantId, clientId, clientSecret);
}


/**
* Constructor.
*
* @param uri the Azure Key Vault URI.
* @param aadAuthenticationUrl the Azure AD authentication URL.
* @param tenantId the tenant ID.
* @param clientId the client ID.
* @param clientSecret the client secret.
*/
public KeyVaultLoadStoreParameter(String uri, String aadAuthenticationUrl,
String tenantId, String clientId, String clientSecret) {
this.uri = uri;
this.aadAuthenticationUrl = aadAuthenticationUrl;
this.tenantId = tenantId;
this.clientId = clientId;
this.clientSecret = clientSecret;
Expand All @@ -109,15 +85,6 @@ public KeyStore.ProtectionParameter getProtectionParameter() {
return null;
}

/**
* Get the Azure AD authentication URL.
*
* @return the Azure AD authentication URL.
*/
public String getAadAuthenticationUrl() {
return aadAuthenticationUrl;
}

/**
* Get the client id.
*
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.

package com.azure.security.keyvault.jca;

/**
* Constants used for Key Vault related URLs.
*/
public class UriUtil {

public static final String KEY_VAULT_BASE_URI_GLOBAL = "https://vault.azure.net";
public static final String KEY_VAULT_BASE_URI_CN = "https://vault.azure.cn";
public static final String KEY_VAULT_BASE_URI_US = "https://vault.usgovcloudapi.net";
public static final String KEY_VAULT_BASE_URI_DE = "https://vault.microsoftazure.de";

public static final String AAD_LOGIN_URI_GLOBAL = "https://login.microsoftonline.com/";
public static final String AAD_LOGIN_URI_CN = "https://login.partner.microsoftonline.cn/";
public static final String AAD_LOGIN_URI_US = "https://login.microsoftonline.us/";
public static final String AAD_LOGIN_URI_DE = "https://login.microsoftonline.de/";

static String getAADLoginURIByKeyVaultBaseUri(String keyVaultBaseUri) {
String aadAuthenticationUrl;
switch (keyVaultBaseUri) {
case KEY_VAULT_BASE_URI_GLOBAL :
aadAuthenticationUrl = AAD_LOGIN_URI_GLOBAL;
break;
case KEY_VAULT_BASE_URI_CN :
aadAuthenticationUrl = AAD_LOGIN_URI_CN;
break;
case KEY_VAULT_BASE_URI_US :
aadAuthenticationUrl = AAD_LOGIN_URI_US;
break;
case KEY_VAULT_BASE_URI_DE:
aadAuthenticationUrl = AAD_LOGIN_URI_DE;
break;
default:
throw new IllegalArgumentException("Property of azure.keyvault.uri is illegal.");
}
return aadAuthenticationUrl;
}
}
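Review bot: UriUtil is a public class holding only constants and a static lookup, yet it is not final and has an implicit public constructor, so it can be instantiated and subclassed; declare it `public final class UriUtil` with `private UriUtil() { }`. getAADLoginURIByKeyVaultBaseUri has no Javadoc; a summary such as `Maps a Key Vault base URI to the Azure AD login URI of the same cloud` with `@throws IllegalArgumentException if the base URI is not one of the known clouds` would document the fail-closed default, which is sound since the returned URL appears to be the authority the client's token requests are sent to. The exception on the default branch omits the rejected value; `throw new IllegalArgumentException("Property of azure.keyvault.uri is illegal: " + keyVaultBaseUri);` makes the misconfiguration diagnosable without exposing anything sensitive. The class Javadoc says "Constants used for Key Vault related URLs" but the class also performs the mapping, so it should mention that.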
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,6 @@ public static void main(String[] args) throws Exception {
KeyStore keyStore = KeyStore.getInstance("AzureKeyVault");
KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
System.getProperty("azure.keyvault.uri"),
System.getProperty("azure.keyvault.aad-authentication-url"),
System.getProperty("azure.keyvault.tenant-id"),
System.getProperty("azure.keyvault.client-id"),
System.getProperty("azure.keyvault.client-secret"));
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@ public static void main(String[] args) throws Exception {
KeyStore keyStore = KeyStore.getInstance("AzureKeyVault");
KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
System.getProperty("azure.keyvault.uri"),
System.getProperty("azure.keyvault.aad-authentication-url"),
System.getProperty("azure.keyvault.tenant-id"),
System.getProperty("azure.keyvault.client-id"),
System.getProperty("azure.keyvault.client-secret"));
Expand Down