-
Notifications
You must be signed in to change notification settings - Fork 836
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Copy keyvault/internal to security/keyvault/internal (#19879)
- Loading branch information
Showing
12 changed files
with
557 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
# Release History | ||
|
||
## 0.8.0 (Unreleased) | ||
|
||
### Features Added | ||
|
||
### Breaking Changes | ||
* Moved to new location | ||
|
||
### Bugs Fixed | ||
|
||
### Other Changes | ||
* Upgrade to `azcore` v1.3.0 | ||
|
||
## 0.7.1 (2022-11-14) | ||
|
||
### Bugs Fixed | ||
* `KeyVaultChallengePolicy` uses incorrect authentication scope when challenge verification is disabled | ||
|
||
## 0.7.0 (2022-09-20) | ||
|
||
### Breaking Changes | ||
* Added `*KeyVaultChallengePolicyOptions` parameter to `NewKeyVaultChallengePolicy` | ||
|
||
## 0.6.0 (2022-09-12) | ||
|
||
### Breaking Changes | ||
* Verify the challenge resource matches the vault domain. See https://aka.ms/azsdk/blog/vault-uri for more information. | ||
* `ParseID()` no longer appends a trailing slash to vault URLs | ||
|
||
## 0.5.0 (2022-05-12) | ||
|
||
### Breaking Changes | ||
* Removed `ExpiringResource` and its dependencies in favor of shared implementation from `internal/temporal`. | ||
|
||
### Other Changes | ||
* Updated to latest versions of `azcore` and `internal`. | ||
|
||
## 0.4.0 (2022-04-22) | ||
|
||
### Breaking Changes | ||
* Updated `ExpiringResource` and its dependent types to use generics. | ||
|
||
### Other Changes | ||
* Remove reference to `TokenRequestOptions.TenantID` as it's been removed and wasn't working anyways. | ||
|
||
## 0.3.0 (2022-04-04) | ||
|
||
### Features Added | ||
* Adds the `ParseKeyvaultID` function to parse an ID into the Key Vault URL, item name, and item version | ||
|
||
### Breaking Changes | ||
* Updates to azcore v0.23.0 | ||
|
||
## 0.2.1 (2022-01-31) | ||
|
||
### Bugs Fixed | ||
* Avoid retries on terminal failures (#16932) | ||
|
||
## 0.2.0 (2022-01-12) | ||
|
||
### Bugs Fixed | ||
* Fixes a bug with Managed HSMs that prevented correctly authorizing requests. | ||
|
||
## 0.1.0 (2021-11-09) | ||
* This is the initial release of the `internal` library for KeyVault |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
MIT License | ||
|
||
Copyright (c) Microsoft Corporation. All rights reserved. | ||
|
||
Permission is hereby granted, free of charge, to any person obtaining a copy | ||
of this software and associated documentation files (the "Software"), to deal | ||
in the Software without restriction, including without limitation the rights | ||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
copies of the Software, and to permit persons to whom the Software is | ||
furnished to do so, subject to the following conditions: | ||
|
||
The above copyright notice and this permission notice shall be included in all | ||
copies or substantial portions of the Software. | ||
|
||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
SOFTWARE |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
# Key Vault Internal Module for Go | ||
|
||
This module contains shared code for all the Key Vault SDKs, mainly the challenge authentication policy. | ||
|
||
## Contributing | ||
This project welcomes contributions and suggestions. Most contributions require | ||
you to agree to a Contributor License Agreement (CLA) declaring that you have | ||
the right to, and actually do, grant us the rights to use your contribution. | ||
For details, visit [https://cla.microsoft.com](https://cla.microsoft.com). | ||
|
||
When you submit a pull request, a CLA-bot will automatically determine whether | ||
you need to provide a CLA and decorate the PR appropriately (e.g., label, | ||
comment). Simply follow the instructions provided by the bot. You will only | ||
need to do this once across all repos using our CLA. | ||
|
||
This project has adopted the | ||
[Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). | ||
For more information, see the | ||
[Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) | ||
or contact [[email protected]](mailto:[email protected]) with any | ||
additional questions or comments. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,175 @@ | ||
//go:build go1.18 | ||
// +build go1.18 | ||
|
||
// Copyright (c) Microsoft Corporation. All rights reserved. | ||
// Licensed under the MIT License. See License.txt in the project root for license information. | ||
|
||
package internal | ||
|
||
import ( | ||
"errors" | ||
"fmt" | ||
"io" | ||
"net/http" | ||
"net/url" | ||
"strings" | ||
|
||
"github.com/Azure/azure-sdk-for-go/sdk/azcore" | ||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" | ||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime" | ||
"github.com/Azure/azure-sdk-for-go/sdk/internal/errorinfo" | ||
) | ||
|
||
const challengeMatchError = `challenge resource "%s" doesn't match the requested domain. Set DisableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information` | ||
|
||
type KeyVaultChallengePolicyOptions struct { | ||
// DisableChallengeResourceVerification controls whether the policy requires the | ||
// authentication challenge resource to match the Key Vault or Managed HSM domain | ||
DisableChallengeResourceVerification bool | ||
} | ||
|
||
type keyVaultAuthorizer struct { | ||
// tro is the policy's authentication parameters. These are discovered from an authentication challenge | ||
// elicited ahead of the first client request. | ||
tro policy.TokenRequestOptions | ||
// TODO: move into tro once it has a tenant field (https://github.com/Azure/azure-sdk-for-go/issues/19841) | ||
tenantID string | ||
verifyChallengeResource bool | ||
} | ||
|
||
type reqBody struct { | ||
body io.ReadSeekCloser | ||
contentType string | ||
} | ||
|
||
func NewKeyVaultChallengePolicy(cred azcore.TokenCredential, opts *KeyVaultChallengePolicyOptions) policy.Policy { | ||
if opts == nil { | ||
opts = &KeyVaultChallengePolicyOptions{} | ||
} | ||
kv := keyVaultAuthorizer{ | ||
verifyChallengeResource: !opts.DisableChallengeResourceVerification, | ||
} | ||
return runtime.NewBearerTokenPolicy(cred, nil, &policy.BearerTokenOptions{ | ||
AuthorizationHandler: policy.AuthorizationHandler{ | ||
OnRequest: kv.authorize, | ||
OnChallenge: kv.authorizeOnChallenge, | ||
}, | ||
}) | ||
} | ||
|
||
func (k *keyVaultAuthorizer) authorize(req *policy.Request, authNZ func(policy.TokenRequestOptions) error) error { | ||
if len(k.tro.Scopes) == 0 || k.tenantID == "" { | ||
if body := req.Body(); body != nil { | ||
// We don't know the scope or tenant ID because we haven't seen a challenge yet. We elicit one now by sending | ||
// the request without authorization, first removing its body, if any. authorizeOnChallenge will reattach the | ||
// body, authorize the request, and send it again. | ||
rb := reqBody{body, req.Raw().Header.Get("content-type")} | ||
req.SetOperationValue(rb) | ||
if err := req.SetBody(nil, ""); err != nil { | ||
return err | ||
} | ||
} | ||
// returning nil indicates the bearer token policy should send the request | ||
return nil | ||
} | ||
// else we know the auth parameters and can authorize the request as normal | ||
return authNZ(k.tro) | ||
} | ||
|
||
func (k *keyVaultAuthorizer) authorizeOnChallenge(req *policy.Request, res *http.Response, authNZ func(policy.TokenRequestOptions) error) error { | ||
// parse the challenge | ||
if err := k.updateTokenRequestOptions(res, req.Raw()); err != nil { | ||
return err | ||
} | ||
// reattach the request's original body, if it was removed by authorize(). If a bug prevents recovering | ||
// the body, this policy will send the request without it and get a 400 response from Key Vault. | ||
var rb reqBody | ||
if req.OperationValue(&rb) { | ||
if err := req.SetBody(rb.body, rb.contentType); err != nil { | ||
return err | ||
} | ||
} | ||
// authenticate with the parameters supplied by Key Vault, authorize the request, send it again | ||
return authNZ(k.tro) | ||
} | ||
|
||
// parses Tenant ID from auth challenge | ||
// https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000 | ||
func parseTenant(url string) string { | ||
if url == "" { | ||
return "" | ||
} | ||
parts := strings.Split(url, "/") | ||
tenant := parts[3] | ||
tenant = strings.ReplaceAll(tenant, ",", "") | ||
return tenant | ||
} | ||
|
||
type challengePolicyError struct { | ||
err error | ||
} | ||
|
||
func (c *challengePolicyError) Error() string { | ||
return c.err.Error() | ||
} | ||
|
||
func (*challengePolicyError) NonRetriable() { | ||
// marker method | ||
} | ||
|
||
func (c *challengePolicyError) Unwrap() error { | ||
return c.err | ||
} | ||
|
||
var _ errorinfo.NonRetriable = (*challengePolicyError)(nil) | ||
|
||
// updateTokenRequestOptions parses authentication parameters from Key Vault's challenge | ||
func (k *keyVaultAuthorizer) updateTokenRequestOptions(resp *http.Response, req *http.Request) error { | ||
authHeader := resp.Header.Get("WWW-Authenticate") | ||
if authHeader == "" { | ||
return &challengePolicyError{err: errors.New("response has no WWW-Authenticate header for challenge authentication")} | ||
} | ||
|
||
// Strip down to auth and resource | ||
// Format is "Bearer authorization=\"<site>\" resource=\"<site>\"" OR | ||
// "Bearer authorization=\"<site>\" scope=\"<site>\" resource=\"<resource>\"" | ||
authHeader = strings.ReplaceAll(authHeader, "Bearer ", "") | ||
|
||
parts := strings.Split(authHeader, " ") | ||
|
||
vals := map[string]string{} | ||
for _, part := range parts { | ||
subParts := strings.Split(part, "=") | ||
if len(subParts) == 2 { | ||
stripped := strings.ReplaceAll(subParts[1], "\"", "") | ||
stripped = strings.TrimSuffix(stripped, ",") | ||
vals[subParts[0]] = stripped | ||
} | ||
} | ||
|
||
k.tenantID = parseTenant(vals["authorization"]) | ||
scope := "" | ||
if v, ok := vals["scope"]; ok { | ||
scope = v | ||
} else if v, ok := vals["resource"]; ok { | ||
scope = v | ||
} | ||
if scope == "" { | ||
return &challengePolicyError{err: errors.New("could not find a valid resource in the WWW-Authenticate header")} | ||
} | ||
if k.verifyChallengeResource { | ||
// the challenge resource's host must match the requested vault's host | ||
parsed, err := url.Parse(scope) | ||
if err != nil { | ||
return &challengePolicyError{err: fmt.Errorf(`invalid challenge resource "%s": %v`, scope, err)} | ||
} | ||
if !strings.HasSuffix(req.URL.Host, "."+parsed.Host) { | ||
return &challengePolicyError{err: fmt.Errorf(challengeMatchError, scope)} | ||
} | ||
} | ||
if !strings.HasSuffix(scope, "/.default") { | ||
scope += "/.default" | ||
} | ||
k.tro.Scopes = []string{scope} | ||
return nil | ||
} |
109 changes: 109 additions & 0 deletions
109
sdk/security/keyvault/internal/challenge_policy_test.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,109 @@ | ||
//go:build go1.18 | ||
// +build go1.18 | ||
|
||
// Copyright (c) Microsoft Corporation. All rights reserved. | ||
// Licensed under the MIT License. See License.txt in the project root for license information. | ||
|
||
package internal | ||
|
||
import ( | ||
"context" | ||
"fmt" | ||
"net/http" | ||
"strings" | ||
"testing" | ||
"time" | ||
|
||
"github.com/Azure/azure-sdk-for-go/sdk/azcore" | ||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" | ||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime" | ||
"github.com/Azure/azure-sdk-for-go/sdk/internal/mock" | ||
"github.com/stretchr/testify/require" | ||
) | ||
|
||
type credentialFunc func(context.Context, policy.TokenRequestOptions) (azcore.AccessToken, error) | ||
|
||
func (cf credentialFunc) GetToken(ctx context.Context, options policy.TokenRequestOptions) (azcore.AccessToken, error) { | ||
return cf(ctx, options) | ||
} | ||
|
||
func TestChallengePolicy(t *testing.T) { | ||
accessToken := "***" | ||
resource := "https://vault.azure.net" | ||
scope := "https://vault.azure.net/.default" | ||
challengeResource := `Bearer authorization="https://login.microsoftonline.com/{tenant}", resource="{resource}"` | ||
challengeScope := `Bearer authorization="https://login.microsoftonline.com/{tenant}", scope="{resource}"` | ||
|
||
for _, test := range []struct { | ||
expectedScope, format, resource string | ||
disableVerify, err bool | ||
}{ | ||
// happy path: resource matches requested vault's host (vault.azure.net) | ||
{format: challengeResource, resource: resource, expectedScope: scope}, | ||
{format: challengeResource, resource: resource, disableVerify: true, expectedScope: scope}, | ||
{format: challengeScope, resource: scope, expectedScope: scope}, | ||
{format: challengeScope, resource: scope, disableVerify: true, expectedScope: scope}, | ||
// the policy should prefer scope to resource when a challenge specifies both | ||
{format: fmt.Sprintf(`%s scope="%s"`, challengeResource, scope), resource: resource, expectedScope: scope}, | ||
{format: challengeScope + ` resource="ignore me"`, resource: scope, expectedScope: scope}, | ||
|
||
// error cases: resource/scope doesn't match the requested vault's host (vault.azure.net) | ||
{format: challengeResource, resource: "https://vault.azure.cn", err: true}, | ||
{format: challengeResource, resource: "https://myvault.azure.net", err: true}, | ||
{format: challengeScope, resource: "https://vault.azure.cn/.default", err: true}, | ||
{format: challengeScope, resource: "https://myvault.azure.net/.default", err: true}, | ||
|
||
// the policy shouldn't return errors for the above cases when verification is disabled | ||
{format: challengeResource, resource: "https://vault.azure.cn", disableVerify: true, expectedScope: "https://vault.azure.cn/.default"}, | ||
{format: challengeResource, resource: "https://myvault.azure.net", disableVerify: true, expectedScope: "https://myvault.azure.net/.default"}, | ||
{format: challengeScope, resource: "https://vault.azure.cn/.default", disableVerify: true, expectedScope: "https://vault.azure.cn/.default"}, | ||
{format: challengeScope, resource: "https://myvault.azure.net/.default", disableVerify: true, expectedScope: "https://myvault.azure.net/.default"}, | ||
} { | ||
t.Run("", func(t *testing.T) { | ||
srv, close := mock.NewServer(mock.WithTransformAllRequestsToTestServerUrl()) | ||
defer close() | ||
srv.AppendResponse( | ||
mock.WithHeader("WWW-Authenticate", strings.ReplaceAll(test.format, "{resource}", test.resource)), | ||
mock.WithStatusCode(401), | ||
) | ||
srv.AppendResponse(mock.WithPredicate(func(r *http.Request) bool { | ||
if authz := r.Header.Values("Authorization"); len(authz) != 1 || authz[0] != "Bearer "+accessToken { | ||
t.Errorf(`unexpected Authorization "%s"`, authz) | ||
} | ||
return true | ||
})) | ||
srv.AppendResponse() | ||
authenticated := false | ||
cred := credentialFunc(func(ctx context.Context, tro policy.TokenRequestOptions) (azcore.AccessToken, error) { | ||
authenticated = true | ||
require.Equal(t, []string{test.expectedScope}, tro.Scopes) | ||
return azcore.AccessToken{Token: accessToken, ExpiresOn: time.Now().Add(time.Hour)}, nil | ||
}) | ||
p := NewKeyVaultChallengePolicy(cred, &KeyVaultChallengePolicyOptions{DisableChallengeResourceVerification: test.disableVerify}) | ||
pl := runtime.NewPipeline("", "", | ||
runtime.PipelineOptions{PerRetry: []policy.Policy{p}}, | ||
&policy.ClientOptions{Transport: srv}, | ||
) | ||
req, err := runtime.NewRequest(context.Background(), "GET", "https://42.vault.azure.net") | ||
require.NoError(t, err) | ||
_, err = pl.Do(req) | ||
if test.err { | ||
expected := fmt.Sprintf(challengeMatchError, test.resource) | ||
require.EqualError(t, err, expected) | ||
require.IsType(t, &challengePolicyError{}, err) | ||
} else { | ||
require.True(t, authenticated, "policy should have authenticated") | ||
} | ||
}) | ||
} | ||
} | ||
|
||
func TestParseTenant(t *testing.T) { | ||
actual := parseTenant("") | ||
require.Empty(t, actual) | ||
|
||
expected := "00000000-0000-0000-0000-000000000000" | ||
sampleURL := "https://login.microsoftonline.com/" + expected | ||
actual = parseTenant(sampleURL) | ||
require.Equal(t, expected, actual, "tenant was not properly parsed, got %s, expected %s", actual, expected) | ||
} |
Oops, something went wrong.