Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Configure cloud from keyvault uri #20530

Merged
merged 10 commits into from
Apr 19, 2021
3 changes: 2 additions & 1 deletion sdk/keyvault/azure-security-keyvault-jca/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,8 @@
# Release History

## 1.0.0-beta.6 (Unreleased)

### Breaking Changes
- Remove configurable property of azure.keyvault.aad-authentication-url which is configured according to azure.keyvault.uri automatically [#20530](https://github.com/Azure/azure-sdk-for-java/pull/20530)

## 1.0.0-beta.5 (2021-03-22)

Expand Down
6 changes: 2 additions & 4 deletions sdk/keyvault/azure-security-keyvault-jca/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -38,15 +38,14 @@ az keyvault create --resource-group <your-resource-group-name> --name <your-key-
### Server side SSL
If you are looking to integrate the JCA provider to create an SSLServerSocket see the example below.

<!-- embedme ./src/samples/java/com/azure/security/keyvault/jca/ServerSSLSample.java#L18-L37 -->
<!-- embedme ./src/samples/java/com/azure/security/keyvault/jca/ServerSSLSample.java#L18-L36 -->
```java
KeyVaultJcaProvider provider = new KeyVaultJcaProvider();
Security.addProvider(provider);

KeyStore keyStore = KeyStore.getInstance("AzureKeyVault");
KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
System.getProperty("azure.keyvault.uri"),
System.getProperty("azure.keyvault.aad-authentication-url"),
System.getProperty("azure.keyvault.tenant-id"),
System.getProperty("azure.keyvault.client-id"),
System.getProperty("azure.keyvault.client-secret"));
Expand All @@ -67,15 +66,14 @@ Note if you want to use Azure Managed Identity, you should set the value of `azu
### Client side SSL
If you are looking to integrate the JCA provider for client side socket connections, see the Apache HTTP client example below.

<!-- embedme ./src/samples/java/com/azure/security/keyvault/jca/ClientSSLSample.java#L28-L68 -->
<!-- embedme ./src/samples/java/com/azure/security/keyvault/jca/ClientSSLSample.java#L28-L67 -->
```java
KeyVaultJcaProvider provider = new KeyVaultJcaProvider();
Security.addProvider(provider);

KeyStore keyStore = KeyStore.getInstance("AzureKeyVault");
KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
System.getProperty("azure.keyvault.uri"),
System.getProperty("azure.keyvault.aad-authentication-url"),
System.getProperty("azure.keyvault.tenant-id"),
System.getProperty("azure.keyvault.client-id"),
System.getProperty("azure.keyvault.client-secret"));
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@
import java.util.Optional;
import java.util.logging.Logger;

import static com.azure.security.keyvault.jca.UriUtil.getAADLoginURIByKeyVaultBaseUri;
import static java.util.logging.Level.INFO;
import static java.util.logging.Level.WARNING;

Expand All @@ -46,12 +47,18 @@ class KeyVaultClient extends DelegateRestClient {
* Stores the logger.
*/
private static final Logger LOGGER = Logger.getLogger(KeyVaultClient.class.getName());
private static final String HTTPS_PREFIX = "https://";

/**
* Stores the API version postfix.
*/
private static final String API_VERSION_POSTFIX = "?api-version=7.1";

/**
* Stores the Key Vault cloud URI.
*/
private String keyVaultBaseUri;

/**
* Stores the Azure Key Vault URL.
*/
Expand Down Expand Up @@ -85,51 +92,65 @@ class KeyVaultClient extends DelegateRestClient {
private String managedIdentity;

/**
* Constructor.
* Constructor for authentication with system-assigned managed identity.
*
* @param keyVaultUri the Azure Key Vault URI.
*/
KeyVaultClient(String keyVaultUri) {
super(RestClientFactory.createClient());
LOGGER.log(INFO, "Using Azure Key Vault: {0}", keyVaultUri);
if (!keyVaultUri.endsWith("/")) {
keyVaultUri = keyVaultUri + "/";
}
this.keyVaultUrl = keyVaultUri;
this(keyVaultUri, null, null, null, null);
}

/**
* Constructor.
* Constructor for authentication with user-assigned managed identity.
*
* @param keyVaultUri the Azure Key Vault URI.
* @param managedIdentity the managed identity object ID.
* @param managedIdentity the user-assigned managed identity object ID.
*/
KeyVaultClient(String keyVaultUri, String managedIdentity) {
super(RestClientFactory.createClient());
LOGGER.log(INFO, "Using Azure Key Vault: {0}", keyVaultUri);
if (!keyVaultUri.endsWith("/")) {
keyVaultUri = keyVaultUri + "/";
}
this.keyVaultUrl = keyVaultUri;
this.managedIdentity = managedIdentity;
this(keyVaultUri, null, null, null, managedIdentity);
}

/**
* Constructor for authentication with service principal.
*
* @param keyVaultUri the Azure Key Vault URI.
* @param tenantId the tenant ID.
* @param clientId the client ID.
* @param clientSecret the client secret.
*/
KeyVaultClient(final String keyVaultUri, final String tenantId, final String clientId, final String clientSecret) {
yiliuTo marked this conversation as resolved.
Show resolved Hide resolved
this(keyVaultUri, tenantId, clientId, clientSecret, null);
}


/**
* Constructor.
*
* @param keyVaultUri the Azure Key Vault URI.
* @param aadAuthenticationUrl the Azure AD authentication URL.
* @param tenantId the tenant ID.
* @param clientId the client ID.
* @param clientSecret the client secret.
* @param managedIdentity the user-assigned managed identity object ID.
*/
KeyVaultClient(final String keyVaultUri, final String aadAuthenticationUrl,
final String tenantId, final String clientId, final String clientSecret) {
this(keyVaultUri);
this.aadAuthenticationUrl = aadAuthenticationUrl;
KeyVaultClient(String keyVaultUri, String tenantId, String clientId, String clientSecret, String managedIdentity) {
super(RestClientFactory.createClient());
LOGGER.log(INFO, "Using Azure Key Vault: {0}", keyVaultUri);
if (!keyVaultUri.endsWith("/")) {
keyVaultUri = keyVaultUri + "/";
}
this.keyVaultUrl = keyVaultUri;
//Base Uri shouldn't end with a slash.
String domainNameSuffix = Optional.of(keyVaultUri)
.map(uri -> uri.split("\\.", 2)[1])
.map(suffix -> suffix.substring(0, suffix.length() - 1))
.get();
keyVaultBaseUri = HTTPS_PREFIX + domainNameSuffix;
aadAuthenticationUrl = getAADLoginURIByKeyVaultBaseUri(keyVaultBaseUri);

this.tenantId = tenantId;
this.clientId = clientId;
this.clientSecret = clientSecret;
this.managedIdentity = managedIdentity;
}

/**
Expand All @@ -143,7 +164,7 @@ private String getAccessToken() {
try {
AuthClient authClient = new AuthClient();

String resource = URLEncoder.encode("https://vault.azure.net", "UTF-8");
String resource = URLEncoder.encode(keyVaultBaseUri, "UTF-8");
if (managedIdentity != null) {
managedIdentity = URLEncoder.encode(managedIdentity, "UTF-8");
}
Expand Down Expand Up @@ -326,4 +347,12 @@ private PrivateKey createPrivateKeyFromPem(String pemString)
KeyFactory factory = KeyFactory.getInstance("RSA");
return factory.generatePrivate(spec);
}

String getKeyVaultBaseUri() {
return keyVaultBaseUri;
}

String getAadAuthenticationUrl() {
return aadAuthenticationUrl;
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -93,13 +93,12 @@ public final class KeyVaultKeyStore extends KeyStoreSpi {
public KeyVaultKeyStore() {
creationDate = new Date();
String keyVaultUri = System.getProperty("azure.keyvault.uri");
String aadAuthenticationUrl = System.getProperty("azure.keyvault.aad-authentication-url");
String tenantId = System.getProperty("azure.keyvault.tenant-id");
String clientId = System.getProperty("azure.keyvault.client-id");
String clientSecret = System.getProperty("azure.keyvault.client-secret");
String managedIdentity = System.getProperty("azure.keyvault.managed-identity");
if (clientId != null) {
keyVaultClient = new KeyVaultClient(keyVaultUri, aadAuthenticationUrl, tenantId, clientId, clientSecret);
keyVaultClient = new KeyVaultClient(keyVaultUri, tenantId, clientId, clientSecret);
} else {
keyVaultClient = new KeyVaultClient(keyVaultUri, managedIdentity);
}
Expand Down Expand Up @@ -226,7 +225,6 @@ public void engineLoad(KeyStore.LoadStoreParameter param) {
if (parameter.getClientId() != null) {
keyVaultClient = new KeyVaultClient(
parameter.getUri(),
parameter.getAadAuthenticationUrl(),
parameter.getTenantId(),
parameter.getClientId(),
parameter.getClientSecret());
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -10,18 +10,11 @@
*/
public class KeyVaultLoadStoreParameter implements KeyStore.LoadStoreParameter {

private static final String DEFAULT_AAD_AUTHENTICATION_URL = "https://login.microsoftonline.com/";

/**
* Stores the URI.
*/
private final String uri;

/**
* Stores the Azure AD authentication URL.
*/
private final String aadAuthenticationUrl;

/**
* Stores the tenant id.
*/
Expand Down Expand Up @@ -59,7 +52,6 @@ public KeyVaultLoadStoreParameter(String uri) {
*/
public KeyVaultLoadStoreParameter(String uri, String managedIdentity) {
this.uri = uri;
this.aadAuthenticationUrl = null;
this.tenantId = null;
this.clientId = null;
this.clientSecret = null;
Expand All @@ -75,23 +67,7 @@ public KeyVaultLoadStoreParameter(String uri, String managedIdentity) {
* @param clientSecret the client secret.
*/
public KeyVaultLoadStoreParameter(String uri, String tenantId, String clientId, String clientSecret) {
this(uri, DEFAULT_AAD_AUTHENTICATION_URL, tenantId, clientId, clientSecret);
}


/**
* Constructor.
*
* @param uri the Azure Key Vault URI.
* @param aadAuthenticationUrl the Azure AD authentication URL.
* @param tenantId the tenant ID.
* @param clientId the client ID.
* @param clientSecret the client secret.
*/
public KeyVaultLoadStoreParameter(String uri, String aadAuthenticationUrl,
String tenantId, String clientId, String clientSecret) {
this.uri = uri;
this.aadAuthenticationUrl = aadAuthenticationUrl;
this.tenantId = tenantId;
this.clientId = clientId;
this.clientSecret = clientSecret;
Expand All @@ -109,15 +85,6 @@ public KeyStore.ProtectionParameter getProtectionParameter() {
return null;
}

/**
* Get the Azure AD authentication URL.
*
* @return the Azure AD authentication URL.
*/
public String getAadAuthenticationUrl() {
return aadAuthenticationUrl;
}

/**
* Get the client id.
*
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.

package com.azure.security.keyvault.jca;

/**
* Constants used for Key Vault related URLs.
*/
public class UriUtil {

public static final String KEY_VAULT_BASE_URI_GLOBAL = "https://vault.azure.net";
public static final String KEY_VAULT_BASE_URI_CN = "https://vault.azure.cn";
public static final String KEY_VAULT_BASE_URI_US = "https://vault.usgovcloudapi.net";
public static final String KEY_VAULT_BASE_URI_DE = "https://vault.microsoftazure.de";

public static final String AAD_LOGIN_URI_GLOBAL = "https://login.microsoftonline.com/";
public static final String AAD_LOGIN_URI_CN = "https://login.partner.microsoftonline.cn/";
public static final String AAD_LOGIN_URI_US = "https://login.microsoftonline.us/";
public static final String AAD_LOGIN_URI_DE = "https://login.microsoftonline.de/";

static String getAADLoginURIByKeyVaultBaseUri(String keyVaultBaseUri) {
String aadAuthenticationUrl;
switch (keyVaultBaseUri) {
case KEY_VAULT_BASE_URI_GLOBAL :
aadAuthenticationUrl = AAD_LOGIN_URI_GLOBAL;
break;
case KEY_VAULT_BASE_URI_CN :
aadAuthenticationUrl = AAD_LOGIN_URI_CN;
break;
case KEY_VAULT_BASE_URI_US :
aadAuthenticationUrl = AAD_LOGIN_URI_US;
break;
case KEY_VAULT_BASE_URI_DE:
aadAuthenticationUrl = AAD_LOGIN_URI_DE;
break;
default:
throw new IllegalArgumentException("Property of azure.keyvault.uri is illegal.");
}
return aadAuthenticationUrl;
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,6 @@ public static void main(String[] args) throws Exception {
KeyStore keyStore = KeyStore.getInstance("AzureKeyVault");
KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
System.getProperty("azure.keyvault.uri"),
System.getProperty("azure.keyvault.aad-authentication-url"),
System.getProperty("azure.keyvault.tenant-id"),
System.getProperty("azure.keyvault.client-id"),
System.getProperty("azure.keyvault.client-secret"));
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@ public static void main(String[] args) throws Exception {
KeyStore keyStore = KeyStore.getInstance("AzureKeyVault");
KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
System.getProperty("azure.keyvault.uri"),
System.getProperty("azure.keyvault.aad-authentication-url"),
System.getProperty("azure.keyvault.tenant-id"),
System.getProperty("azure.keyvault.client-id"),
System.getProperty("azure.keyvault.client-secret"));
Expand Down
Loading