fix: remove as_secrets config

Signed-off-by: Junjie Gao <[email protected]>
Azure · Jul 13, 2023 · e33803d · e33803d
1 parent 6bf62ca
commit e33803d
Showing 1 changed file with 13 additions and 8 deletions.
diff --git a/Notation.Plugin.AzureKeyVault/Command/GenerateSignature.cs b/Notation.Plugin.AzureKeyVault/Command/GenerateSignature.cs
@@ -52,27 +52,32 @@ public async Task<IPluginResponse> RunAsync()
                 // obtain the leaf certificate from Azure Key Vault
                 leafCert = await _keyVaultClient.GetCertificateAsync();
             }
-            else if (_request.PluginConfig?.TryGetValue("as_secret", out var asSecret) == true && asSecret.Equals("true", StringComparison.OrdinalIgnoreCase))
+            else
             {
                 // Obtain the certificate chain from Azure Key Vault using 
                 // GetSecret permission. Ensure intermediate and root 
                 // certificates are merged into the Key Vault certificate to 
                 // retrieve the full chain.
                 // reference: https://learn.microsoft.com//azure/key-vault/certificates/create-certificate-signing-request
-                var certificateChain = await _keyVaultClient.GetCertificateChainAsync();
+                X509Certificate2Collection? certificateChain;
+                try
+                {
+                    certificateChain = await _keyVaultClient.GetCertificateChainAsync();
+                }
+                catch (Azure.RequestFailedException ex)
+                {
+                    if (ex.Message.Contains("does not have secrets get permission")){
+                        throw new PluginException("The plugin does not have secrets get permission. Please grant the permission to the credential associated with the plugin or specify the file path of the certificate chain bundle through the `ca_certs` parameter in the plugin config.");
+                    }
+                    throw;
+                }
 
                 // the certBundle is the certificates start from the second one of certificateChain
                 certBundle = new X509Certificate2Collection(certificateChain.Skip(1).ToArray());
 
                 // the leafCert is the first certificate in the certBundle
                 leafCert = certificateChain[0];
             }
-            else
-            {
-                // only have the leaf certificate
-                certBundle = new X509Certificate2Collection();
-                leafCert = await _keyVaultClient.GetCertificateAsync();
-            }
 
             // Extract KeySpec from the certificate
             var keySpec = leafCert.KeySpec();