[Key Vault] Add CAE support #46013

Merged
merged 30 commits into from
Oct 11, 2024
Changes from 8 commits
30 commits
71190d0
Add flag and enable CAE to AuthorizeRequestInternal
JonathanCrd Sep 17, 2024
36643e2
Enable CAE for AuthorizeRequestOnChallenge
JonathanCrd Sep 17, 2024
02a805d
Add flag in SecretClientOption and SecretClient
JonathanCrd Sep 17, 2024
8bd442a
Revert "Add flag in SecretClientOption and SecretClient"
JonathanCrd Sep 17, 2024
c6a65da
Enable CAE by default
JonathanCrd Sep 17, 2024
8b4e44c
Removing unused parameter
JonathanCrd Sep 17, 2024
a8772d5
Remove saving the claims in the cache
JonathanCrd Sep 17, 2024
ee0b2c6
Update Changelog
JonathanCrd Sep 17, 2024
f645368
Update changelogs
JonathanCrd Sep 18, 2024
1a74490
Simplify error checking logic
JonathanCrd Sep 18, 2024
5df4002
Add test for base64 claims
JonathanCrd Sep 23, 2024
2451396
Override Process function to handle the first CAE Challenge after a s…
JonathanCrd Sep 25, 2024
1f9a73c
Add tests
JonathanCrd Sep 25, 2024
daa03ef
Separate credential and client transports and assert for a 401.
JonathanCrd Sep 25, 2024
f454e4d
Nest retry inside challenge if block
JonathanCrd Sep 27, 2024
5b09202
Merge remote-tracking branch 'upstream/main' into Enable-CAE-for-KeyV…
JonathanCrd Sep 30, 2024
de6d54d
Add test for claims in token
JonathanCrd Oct 1, 2024
72d98ef
Fix CI by removing extra test case parameter
JonathanCrd Oct 1, 2024
46909fe
Nit changes to tests
JonathanCrd Oct 3, 2024
15a5ab7
Simplify tests
JonathanCrd Oct 3, 2024
ee196ec
removing unnecessary mock responses
JonathanCrd Oct 3, 2024
0c33973
Refactor tests to test CAE in all projects
JonathanCrd Oct 7, 2024
a0de67f
Make tests non parallelizable
JonathanCrd Oct 7, 2024
0ffee52
Add setup method to CAE tests
JonathanCrd Oct 8, 2024
f03fe3b
Test for tokens obtained from cae challenges
JonathanCrd Oct 10, 2024
a9657ef
Merge remote-tracking branch 'upstream/main' into Enable-CAE-for-KeyV…
JonathanCrd Oct 10, 2024
8bd6cfc
Fix test / CI
JonathanCrd Oct 10, 2024
d3e535d
Merge remote-tracking branch 'upstream/main' into Enable-CAE-for-KeyV…
JonathanCrd Oct 10, 2024
8544ff6
Update dependency for System.ClientModel
JonathanCrd Oct 10, 2024
6ac9c91
Apply suggestions
JonathanCrd Oct 10, 2024
Expand Up @@ -6,6 +6,7 @@

- Added support for service API version `7.6-preview.1`.
- Added new methods `StartPreRestoreAsync`, `StartPreRestore`, `StartPreBackupAsync`, and `StartPreBackupAsync` to the `KeyVaultBackupClient`.
- Added support for Continuous Access Evaluation (CAE).

### Breaking Changes

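Review bot: the new changelog line should state that CAE is turned on unconditionally, since the token request contexts in this PR set `isCaeEnabled: true` with no client option to disable it, and that changes which tokens the credential requests on every Key Vault call. While here, the previous entry lists `StartPreBackupAsync` twice; the second one is presumably meant to be `StartPreBackup`.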
Expand Up @@ -51,7 +51,7 @@ private async ValueTask AuthorizeRequestInternal(HttpMessage message, bool async
if (_challenge != null)
{
// We fetched the challenge from the cache, but we have not initialized the Scopes in the base yet.
var context = new TokenRequestContext(_challenge.Scopes, parentRequestId: message.Request.ClientRequestId, tenantId: _challenge.TenantId);
var context = new TokenRequestContext(_challenge.Scopes, parentRequestId: message.Request.ClientRequestId, tenantId: _challenge.TenantId, isCaeEnabled: true);
if (async)
{
await AuthenticateAndAuthorizeRequestAsync(message, context).ConfigureAwait(false);
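Review bot: `isCaeEnabled: true` is hard-coded on the cached-challenge path with nothing in the client options to opt out; if enabling CAE for every caller is the intent, say so in the changelog, otherwise thread a setting through from the client options so callers whose credentials cannot issue CAE tokens are unaffected. This path correctly passes no `claims`, because a cached challenge is the pre-claims one; keep it that way, a claims value should only ever come from the response currently being handled.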
Expand Down Expand Up @@ -93,6 +93,21 @@ private async ValueTask<bool> AuthorizeRequestOnChallengeAsyncInternal(HttpMessa

string authority = GetRequestAuthority(message.Request);
string scope = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "resource");

string error = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "error");
string claims = null;

if (error != null)
{
// The challenge response contained an error.
string base64Claims = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "claims");

if (error == "insufficient_claims" && base64Claims != null)
{
claims = System.Text.Encoding.UTF8.GetString(Convert.FromBase64String(base64Claims));
}
}

if (scope != null)
{
scope += "/.default";
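Review bot: `Convert.FromBase64String(base64Claims)` throws `FormatException` on anything that is not canonical, padded base64, and the `claims` value is taken straight from the service's `WWW-Authenticate` header, so a malformed or unpadded value would escape the pipeline as an unhandled exception rather than surface as an authentication failure. Wrap the decode (or use `Convert.TryFromBase64String`) and fall through to the normal challenge handling when it fails. The outer `if (error != null)` also adds nothing over the inner `error == "insufficient_claims" && base64Claims != null` check; collapsing them into one condition lets `base64Claims` be read only when the error is the one being handled.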
Expand Down Expand Up @@ -140,7 +155,7 @@ private async ValueTask<bool> AuthorizeRequestOnChallengeAsyncInternal(HttpMessa
s_challengeCache[authority] = _challenge;
}

var context = new TokenRequestContext(_challenge.Scopes, parentRequestId: message.Request.ClientRequestId, tenantId: _challenge.TenantId);
var context = new TokenRequestContext(_challenge.Scopes, parentRequestId: message.Request.ClientRequestId, tenantId: _challenge.TenantId, isCaeEnabled: true, claims: claims);
if (async)
{
await AuthenticateAndAuthorizeRequestAsync(message, context).ConfigureAwait(false);
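Review bot: `claims` is now passed into the token request, but the `_challenge` stored in `s_challengeCache[authority]` just above must not carry it, otherwise every later request on this authority would replay a one-time claims challenge; confirm the cached challenge holds only scopes and tenant. Also, returning true from `AuthorizeRequestOnChallenge` causes the request to be resent, and if the service answers the resent request with another `insufficient_claims` challenge this path runs again; bound that to a single claims retry so a credential that cannot satisfy the claims does not loop.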