End to End TLS SSL - step #9 - add Azure AD authentication URL (Azure…

…#17074) * Added Azure AD authentication URL
mssfang · Nov 12, 2020 · 9d07c03 · 9d07c03
1 parent c2dc73c
commit 9d07c03
Show file tree

Hide file tree

Showing 12 changed files with 97 additions and 48 deletions.
diff --git a/...azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/AuthClient.java b/...azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/AuthClient.java
@@ -1,6 +1,5 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
-
 package com.azure.security.keyvault.jca;
 
 import com.azure.security.keyvault.jca.model.OAuthToken;
@@ -50,7 +49,7 @@ class AuthClient extends DelegateRestClient {
      * Stores the OAuth2 managed identity URL.
      */
     private static final String OAUTH2_MANAGED_IDENTITY_TOKEN_URL
-        = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01";
+            = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01";
 
     /**
      * Stores our logger.
@@ -96,23 +95,24 @@ public String getAccessToken(String resource, String identity) {
      * @param clientSecret the client secret.
      * @return the authorization token.
      */
-    public String getAccessToken(String resource, String tenantId,
-                                 String clientId, String clientSecret) {
-        LOGGER.entering("AuthClient", "getAccessToken", new Object[] {
-            resource, tenantId, clientId, clientSecret });
+    public String getAccessToken(String resource, String aadAuthenticationUrl,
+            String tenantId, String clientId, String clientSecret) {
+
+        LOGGER.entering("AuthClient", "getAccessToken", new Object[]{
+            resource, tenantId, clientId, clientSecret});
         LOGGER.info("Getting access token using client ID / client secret");
         String result = null;
 
         StringBuilder oauth2Url = new StringBuilder();
-        oauth2Url.append(OAUTH2_TOKEN_BASE_URL)
-                 .append(tenantId)
-                 .append(OAUTH2_TOKEN_POSTFIX);
+        oauth2Url.append(aadAuthenticationUrl == null ? OAUTH2_TOKEN_BASE_URL : aadAuthenticationUrl)
+                .append(tenantId)
+                .append(OAUTH2_TOKEN_POSTFIX);
 
         StringBuilder requestBody = new StringBuilder();
         requestBody.append(GRANT_TYPE_FRAGMENT)
-                   .append(CLIENT_ID_FRAGMENT).append(clientId)
-                   .append(CLIENT_SECRET_FRAGMENT).append(clientSecret)
-                   .append(RESOURCE_FRAGMENT).append(resource);
+                .append(CLIENT_ID_FRAGMENT).append(clientId)
+                .append(CLIENT_SECRET_FRAGMENT).append(clientSecret)
+                .append(RESOURCE_FRAGMENT).append(resource);
 
         String body = post(oauth2Url.toString(), requestBody.toString(), "application/x-www-form-urlencoded");
         if (body != null) {
@@ -143,7 +143,6 @@ private String getAccessTokenOnAppService(String resource, String identity) {
         url.append(System.getenv("MSI_ENDPOINT"))
            .append("?api-version=2017-09-01")
            .append(RESOURCE_FRAGMENT).append(resource);
-
         if (identity != null) {
             url.append("&objectid=").append(identity);
         }
@@ -175,13 +174,11 @@ private String getAccessTokenOnOthers(String resource, String identity) {
         if (identity != null) {
             LOGGER.log(INFO, "Using managed identity with object ID: {0}", identity);
         }
-
         String result = null;
 
         StringBuilder url = new StringBuilder();
         url.append(OAUTH2_MANAGED_IDENTITY_TOKEN_URL)
            .append(RESOURCE_FRAGMENT).append(resource);
-
         if (identity != null) {
             url.append("&object_id=").append(identity);
         }

diff --git a/...e-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultClient.java b/...e-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultClient.java
@@ -58,6 +58,12 @@ class KeyVaultClient extends DelegateRestClient {
      */
     private final String keyVaultUrl;
 
+    /**
+     * Stores the AAD authentication URL (or null to default to Azure Public
+     * Cloud).
+     */
+    private String aadAuthenticationUrl;
+
     /**
      * Stores the tenant ID.
      */
@@ -113,12 +119,15 @@ class KeyVaultClient extends DelegateRestClient {
      * Constructor.
      *
      * @param keyVaultUri the Azure Key Vault URI.
+     * @param aadAuthenticationUrl the Azure AD authentication URL.
      * @param tenantId the tenant ID.
      * @param clientId the client ID.
      * @param clientSecret the client secret.
      */
-    KeyVaultClient(final String keyVaultUri, final String tenantId, final String clientId, final String clientSecret) {
+    KeyVaultClient(final String keyVaultUri, final String aadAuthenticationUrl,
+            final String tenantId, final String clientId, final String clientSecret) {
         this(keyVaultUri);
+        this.aadAuthenticationUrl = aadAuthenticationUrl;
         this.tenantId = tenantId;
         this.clientId = clientId;
         this.clientSecret = clientSecret;
@@ -141,7 +150,7 @@ private String getAccessToken() {
             }
 
             if (tenantId != null && clientId != null && clientSecret != null) {
-                accessToken = authClient.getAccessToken(resource, tenantId, clientId, clientSecret);
+                accessToken = authClient.getAccessToken(resource, aadAuthenticationUrl, tenantId, clientId, clientSecret);
             } else {
                 accessToken = authClient.getAccessToken(resource, managedIdentity);
             }
@@ -295,10 +304,9 @@ Key getKey(String alias, char[] password) {
      * @throws IOException when an I/O error occurs.
      * @throws NoSuchAlgorithmException when algorithm is unavailable.
      * @throws InvalidKeySpecException when the private key cannot be generated.
-     */
+     * */
     private PrivateKey createPrivateKeyFromPem(String pemString) 
             throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
-
         StringBuilder builder = new StringBuilder();
         try (BufferedReader reader = new BufferedReader(new StringReader(pemString))) {
             String line = reader.readLine();

diff --git a/...security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java b/...security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java
@@ -71,22 +71,25 @@ public final class KeyVaultKeyStore extends KeyStoreSpi {
      *
      * <p>
      * The constructor uses System.getProperty for
-     * <code>azure.keyvault.uri</code>, <code>azure.keyvault.tenantId</code>,
+     * <code>azure.keyvault.uri</code>, 
+     * <code>azure.keyvault.aadAuthenticationUrl</code>, 
+     * <code>azure.keyvault.tenantId</code>,
      * <code>azure.keyvault.clientId</code>,
      * <code>azure.keyvault.clientSecret</code> and
-     * <code>azure.keyvault.userAssignedIdentity</code> to initialize the
-     * keyvault client.
+     * <code>azure.keyvault.managedIdentity</code> to initialize the
+     * Key Vault client.
      * </p>
      */
     public KeyVaultKeyStore() {
         creationDate = new Date();
         String keyVaultUri = System.getProperty("azure.keyvault.uri");
+        String aadAuthenticationUrl = System.getProperty("azure.keyvault.aadAuthenticationUrl");
         String tenantId = System.getProperty("azure.keyvault.tenantId");
         String clientId = System.getProperty("azure.keyvault.clientId");
         String clientSecret = System.getProperty("azure.keyvault.clientSecret");
         String managedIdentity = System.getProperty("azure.keyvault.managedIdentity");
         if (clientId != null) {
-            keyVaultClient = new KeyVaultClient(keyVaultUri, tenantId, clientId, clientSecret);
+            keyVaultClient = new KeyVaultClient(keyVaultUri, aadAuthenticationUrl, tenantId, clientId, clientSecret);
         } else {
             keyVaultClient = new KeyVaultClient(keyVaultUri, managedIdentity);
         }
@@ -210,13 +213,14 @@ public void engineLoad(KeyStore.LoadStoreParameter param) {
             if (parameter.getClientId() != null) {
                 keyVaultClient = new KeyVaultClient(
                         parameter.getUri(),
+                        parameter.getAadAuthenticationUrl(),
                         parameter.getTenantId(),
                         parameter.getClientId(),
                         parameter.getClientSecret());
-            } else if (parameter.getUserAssignedIdentity() != null) {
+            } else if (parameter.getManagedIdentity() != null) {
                 keyVaultClient = new KeyVaultClient(
                         parameter.getUri(),
-                        parameter.getUserAssignedIdentity()
+                        parameter.getManagedIdentity()
                 );
             } else {
                 keyVaultClient = new KeyVaultClient(parameter.getUri());

diff --git a/...eyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultLoadStoreParameter.java b/...eyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultLoadStoreParameter.java
@@ -14,6 +14,11 @@ public class KeyVaultLoadStoreParameter implements KeyStore.LoadStoreParameter {
      * Stores the URI.
      */
     private final String uri;
+
+    /**
+     * Stores the Azure AD authentication URL.
+     */
+    private final String aadAuthenticationUrl;
 
     /**
      * Stores the tenant id.
@@ -33,36 +38,40 @@ public class KeyVaultLoadStoreParameter implements KeyStore.LoadStoreParameter {
     /**
      * Stores the user-assigned identity.
      */
-    private final String userAssignedIdentity;
+    private final String managedIdentity;
 
     /**
      * Constructor.
      *
      * @param uri the Azure Key Vault URI.
+     * @param aadAuthenticationUrl the Azure AD authentication URL.
      * @param tenantId the tenant ID.
      * @param clientId the client ID.
      * @param clientSecret the client secret.
      */
-    public KeyVaultLoadStoreParameter(String uri, String tenantId, String clientId, String clientSecret) {
+    public KeyVaultLoadStoreParameter(String uri, String aadAuthenticationUrl, 
+            String tenantId, String clientId, String clientSecret) {
         this.uri = uri;
+        this.aadAuthenticationUrl = aadAuthenticationUrl;
         this.tenantId = tenantId;
         this.clientId = clientId;
         this.clientSecret = clientSecret;
-        this.userAssignedIdentity = null;
+        this.managedIdentity = null;
     }
 
     /**
      * Constructor.
      *
      * @param uri the Azure Key Vault URI.
-     * @param userAssignedIdentity the user-assigned identity.
+     * @param managedIdentity the managed identity.
      */
-    public KeyVaultLoadStoreParameter(String uri, String userAssignedIdentity) {
+    public KeyVaultLoadStoreParameter(String uri, String managedIdentity) {
         this.uri = uri;
+        this.aadAuthenticationUrl = null;
         this.tenantId = null;
         this.clientId = null;
         this.clientSecret = null;
-        this.userAssignedIdentity = userAssignedIdentity;
+        this.managedIdentity = managedIdentity;
     }
 
     /**
@@ -72,10 +81,11 @@ public KeyVaultLoadStoreParameter(String uri, String userAssignedIdentity) {
      */
     public KeyVaultLoadStoreParameter(String uri) {
         this.uri = uri;
+        this.aadAuthenticationUrl = null;
         this.tenantId = null;
         this.clientId = null;
         this.clientSecret = null;
-        this.userAssignedIdentity = null;
+        this.managedIdentity = null;
     }
 
     /**
@@ -88,6 +98,15 @@ public KeyStore.ProtectionParameter getProtectionParameter() {
         return null;
     }
 
+    /**
+     * Get the Azure AD authentication URL.
+     * 
+     * @return the Azure AD authentication URL.
+     */
+    public String getAadAuthenticationUrl() {
+        return aadAuthenticationUrl;
+    }
+
     /**
      * Get the client id.
      *
@@ -106,6 +125,15 @@ public String getClientSecret() {
         return clientSecret;
     }
 
+    /**
+     * Get the managed identity.
+     * 
+     * @return the managed identity.
+     */
+    public String getManagedIdentity() {
+        return managedIdentity;
+    }
+
     /**
      * Get the tenant id.
      *
@@ -123,13 +151,4 @@ public String getTenantId() {
     public String getUri() {
         return uri;
     }
-
-    /**
-     * Get the user-assigned identity.
-     * 
-     * @return the user-assign identity.
-     */
-    public String getUserAssignedIdentity() {
-        return userAssignedIdentity;
-    }
 }
diff --git a/...keyvault-jca/src/samples/java/sample/com/azure/security/keyvault/jca/ClientSSLSample.java b/...keyvault-jca/src/samples/java/sample/com/azure/security/keyvault/jca/ClientSSLSample.java
@@ -31,6 +31,7 @@ public void clientSSLSample() throws Exception {
         KeyStore ks = KeyStore.getInstance("AzureKeyVault");
         KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
                 System.getProperty("azure.keyvault.uri"),
+            System.getProperty("azure.keyvault.aadAuthenticationUrl"),
                 System.getProperty("azure.tenant.id"),
                 System.getProperty("azure.client.id"),
                 System.getProperty("azure.client.secret"));

diff --git a/...keyvault-jca/src/samples/java/sample/com/azure/security/keyvault/jca/ServerSSLSample.java b/...keyvault-jca/src/samples/java/sample/com/azure/security/keyvault/jca/ServerSSLSample.java
@@ -21,6 +21,7 @@ public void serverSSLSample() throws Exception {
         KeyStore ks = KeyStore.getInstance("AzureKeyVault");
         KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
             System.getProperty("azure.keyvault.uri"),
+            System.getProperty("azure.keyvault.aadAuthenticationUrl"),
             System.getProperty("azure.tenant.id"),
             System.getProperty("azure.client.id"),
             System.getProperty("azure.client.secret"));

diff --git a/...e-security-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/AuthClientTest.java b/...e-security-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/AuthClientTest.java
@@ -27,6 +27,7 @@ public void testGetAuthorizationToken() throws Exception {
         AuthClient authClient = new AuthClient();
         String result = authClient.getAccessToken(
             "https://management.azure.com/",
+            System.getProperty("azure.keyvault.aadAuthenticationUrl"),
             tenantId,
             clientId,
             URLEncoder.encode(clientSecret, "UTF-8")

diff --git a/...y-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/KeyVaultJcaProviderTest.java b/...y-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/KeyVaultJcaProviderTest.java
@@ -36,6 +36,7 @@ public void testGetCertificate() throws Exception {
         KeyStore keystore = KeyStore.getInstance("AzureKeyVault");
         KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
             System.getProperty("azure.keyvault.uri"),
+            System.getProperty("azure.keyvault.aadAuthenticationUrl"),
             System.getProperty("azure.tenant.id"),
             System.getProperty("azure.client.id"),
             System.getProperty("azure.client.secret"));

diff --git a/...rity-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/KeyVaultKeyStoreTest.java b/...rity-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/KeyVaultKeyStoreTest.java
@@ -51,6 +51,7 @@ public void testEngineGetCertificate() {
         KeyVaultKeyStore keystore = new KeyVaultKeyStore();
         KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
             System.getProperty("azure.keyvault.uri"),
+            System.getProperty("azure.keyvault.aadAuthenticationUrl"),
             System.getProperty("azure.tenant.id"),
             System.getProperty("azure.client.id"),
             System.getProperty("azure.client.secret"));
@@ -63,6 +64,7 @@ public void testEngineGetCertificateAlias() {
         KeyVaultKeyStore keystore = new KeyVaultKeyStore();
         KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
             System.getProperty("azure.keyvault.uri"),
+            System.getProperty("azure.keyvault.aadAuthenticationUrl"),
             System.getProperty("azure.tenant.id"),
             System.getProperty("azure.client.id"),
             System.getProperty("azure.client.secret"));
@@ -75,6 +77,7 @@ public void testEngineGetCertificateChain() {
         KeyVaultKeyStore keystore = new KeyVaultKeyStore();
         KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
             System.getProperty("azure.keyvault.uri"),
+            System.getProperty("azure.keyvault.aadAuthenticationUrl"),
             System.getProperty("azure.tenant.id"),
             System.getProperty("azure.client.id"),
             System.getProperty("azure.client.secret"));
@@ -87,6 +90,7 @@ public void testEngineIsCertificateEntry() {
         KeyVaultKeyStore keystore = new KeyVaultKeyStore();
         KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
             System.getProperty("azure.keyvault.uri"),
+            System.getProperty("azure.keyvault.aadAuthenticationUrl"),
             System.getProperty("azure.tenant.id"),
             System.getProperty("azure.client.id"),
             System.getProperty("azure.client.secret"));
@@ -99,6 +103,7 @@ public void testEngineSetCertificateEntry() {
         KeyVaultKeyStore keystore = new KeyVaultKeyStore();
         KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
             System.getProperty("azure.keyvault.uri"),
+            System.getProperty("azure.keyvault.aadAuthenticationUrl"),
             System.getProperty("azure.tenant.id"),
             System.getProperty("azure.client.id"),
             System.getProperty("azure.client.secret"));
@@ -123,6 +128,7 @@ public void testEngineGetKey() {
         KeyVaultKeyStore keystore = new KeyVaultKeyStore();
         KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
             System.getProperty("azure.keyvault.uri"),
+            System.getProperty("azure.keyvault.aadAuthenticationUrl"),
             System.getProperty("azure.tenant.id"),
             System.getProperty("azure.client.id"),
             System.getProperty("azure.client.secret"));
@@ -135,6 +141,7 @@ public void testEngineIsKeyEntry() {
         KeyVaultKeyStore keystore = new KeyVaultKeyStore();
         KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
             System.getProperty("azure.keyvault.uri"),
+            System.getProperty("azure.keyvault.aadAuthenticationUrl"),
             System.getProperty("azure.tenant.id"),
             System.getProperty("azure.client.id"),
             System.getProperty("azure.client.secret"));
@@ -159,6 +166,7 @@ public void testEngineAliases() {
         KeyVaultKeyStore keystore = new KeyVaultKeyStore();
         KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
             System.getProperty("azure.keyvault.uri"),
+            System.getProperty("azure.keyvault.aadAuthenticationUrl"),
             System.getProperty("azure.tenant.id"),
             System.getProperty("azure.client.id"),
             System.getProperty("azure.client.secret"));
@@ -171,6 +179,7 @@ public void testEngineContainsAlias() {
         KeyVaultKeyStore keystore = new KeyVaultKeyStore();
         KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
             System.getProperty("azure.keyvault.uri"),
+            System.getProperty("azure.keyvault.aadAuthenticationUrl"),
             System.getProperty("azure.tenant.id"),
             System.getProperty("azure.client.id"),
             System.getProperty("azure.client.secret"));