End to End TLS SSL - step #9 - add Azure AD authentication URL (#17074)
* Added Azure AD authentication URL
mnriem authored Nov 12, 2020
1 parent c2dc73c commit 9d07c03
Showing 12 changed files with 97 additions and 48 deletions.
@@ -1,6 +1,5 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.

package com.azure.security.keyvault.jca;

import com.azure.security.keyvault.jca.model.OAuthToken;
Expand Down Expand Up @@ -50,7 +49,7 @@ class AuthClient extends DelegateRestClient {
* Stores the OAuth2 managed identity URL.
*/
private static final String OAUTH2_MANAGED_IDENTITY_TOKEN_URL
= "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01";
= "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01";

/**
* Stores our logger.
Expand Down Expand Up @@ -96,23 +95,24 @@ public String getAccessToken(String resource, String identity) {
* @param clientSecret the client secret.
* @return the authorization token.
*/
public String getAccessToken(String resource, String tenantId,
String clientId, String clientSecret) {
LOGGER.entering("AuthClient", "getAccessToken", new Object[] {
resource, tenantId, clientId, clientSecret });
public String getAccessToken(String resource, String aadAuthenticationUrl,
String tenantId, String clientId, String clientSecret) {

LOGGER.entering("AuthClient", "getAccessToken", new Object[]{
resource, tenantId, clientId, clientSecret});
LOGGER.info("Getting access token using client ID / client secret");
String result = null;

StringBuilder oauth2Url = new StringBuilder();
oauth2Url.append(OAUTH2_TOKEN_BASE_URL)
.append(tenantId)
.append(OAUTH2_TOKEN_POSTFIX);
oauth2Url.append(aadAuthenticationUrl == null ? OAUTH2_TOKEN_BASE_URL : aadAuthenticationUrl)
.append(tenantId)
.append(OAUTH2_TOKEN_POSTFIX);

StringBuilder requestBody = new StringBuilder();
requestBody.append(GRANT_TYPE_FRAGMENT)
.append(CLIENT_ID_FRAGMENT).append(clientId)
.append(CLIENT_SECRET_FRAGMENT).append(clientSecret)
.append(RESOURCE_FRAGMENT).append(resource);
.append(CLIENT_ID_FRAGMENT).append(clientId)
.append(CLIENT_SECRET_FRAGMENT).append(clientSecret)
.append(RESOURCE_FRAGMENT).append(resource);

String body = post(oauth2Url.toString(), requestBody.toString(), "application/x-www-form-urlencoded");
if (body != null) {
Expand Down Expand Up @@ -143,7 +143,6 @@ private String getAccessTokenOnAppService(String resource, String identity) {
url.append(System.getenv("MSI_ENDPOINT"))
.append("?api-version=2017-09-01")
.append(RESOURCE_FRAGMENT).append(resource);

if (identity != null) {
url.append("&objectid=").append(identity);
}
Expand Down Expand Up @@ -175,13 +174,11 @@ private String getAccessTokenOnOthers(String resource, String identity) {
if (identity != null) {
LOGGER.log(INFO, "Using managed identity with object ID: {0}", identity);
}

String result = null;

StringBuilder url = new StringBuilder();
url.append(OAUTH2_MANAGED_IDENTITY_TOKEN_URL)
.append(RESOURCE_FRAGMENT).append(resource);

if (identity != null) {
url.append("&object_id=").append(identity);
}
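Review bot: The fallback on the `oauth2Url.append(aadAuthenticationUrl == null ? OAUTH2_TOKEN_BASE_URL : aadAuthenticationUrl)` line only handles a null URL, yet every caller in this commit passes `System.getProperty("azure.keyvault.aadAuthenticationUrl")` straight through, so a property set to an empty value would yield a token URL consisting of just the tenant ID and postfix; `aadAuthenticationUrl == null || aadAuthenticationUrl.isEmpty()` covers both cases. Because the tenant ID is appended directly, the supplied value presumably has to end with `/` like the default constant does — worth stating in the `@param aadAuthenticationUrl` Javadoc, which is outside this hunk. The rewritten `LOGGER.entering` call still places `clientSecret` into the log record and omits the new URL parameter; `new Object[]{resource, aadAuthenticationUrl, tenantId, clientId}` would record what is useful for diagnosis without the secret. getAccessToken's body continues past the end of the hunk.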
Expand Up @@ -58,6 +58,12 @@ class KeyVaultClient extends DelegateRestClient {
*/
private final String keyVaultUrl;

/**
* Stores the AAD authentication URL (or null to default to Azure Public
* Cloud).
*/
private String aadAuthenticationUrl;

/**
* Stores the tenant ID.
*/
Expand Down Expand Up @@ -113,12 +119,15 @@ class KeyVaultClient extends DelegateRestClient {
* Constructor.
*
* @param keyVaultUri the Azure Key Vault URI.
* @param aadAuthenticationUrl the Azure AD authentication URL.
* @param tenantId the tenant ID.
* @param clientId the client ID.
* @param clientSecret the client secret.
*/
KeyVaultClient(final String keyVaultUri, final String tenantId, final String clientId, final String clientSecret) {
KeyVaultClient(final String keyVaultUri, final String aadAuthenticationUrl,
final String tenantId, final String clientId, final String clientSecret) {
this(keyVaultUri);
this.aadAuthenticationUrl = aadAuthenticationUrl;
this.tenantId = tenantId;
this.clientId = clientId;
this.clientSecret = clientSecret;
Expand All @@ -141,7 +150,7 @@ private String getAccessToken() {
}

if (tenantId != null && clientId != null && clientSecret != null) {
accessToken = authClient.getAccessToken(resource, tenantId, clientId, clientSecret);
accessToken = authClient.getAccessToken(resource, aadAuthenticationUrl, tenantId, clientId, clientSecret);
} else {
accessToken = authClient.getAccessToken(resource, managedIdentity);
}
Expand Down Expand Up @@ -295,10 +304,9 @@ Key getKey(String alias, char[] password) {
* @throws IOException when an I/O error occurs.
* @throws NoSuchAlgorithmException when algorithm is unavailable.
* @throws InvalidKeySpecException when the private key cannot be generated.
*/
* */
private PrivateKey createPrivateKeyFromPem(String pemString)
throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {

StringBuilder builder = new StringBuilder();
try (BufferedReader reader = new BufferedReader(new StringReader(pemString))) {
String line = reader.readLine();
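Review bot: The Javadoc for createPrivateKeyFromPem now closes with `* */` (the line after `@throws InvalidKeySpecException`, assuming the old-then-new print order here), which reads as an accidental edit; the conventional closing is `*/` on its own line. Separately, the new `aadAuthenticationUrl` field is declared non-final while the neighbouring `keyVaultUrl` is `private final`; since the five-argument constructor delegates to `this(keyVaultUri)`, making it final would require the single-argument constructor to assign it as well, and if that constructor is intentionally left untouched a short comment on the field saying so would help the next reader. getAccessToken's and createPrivateKeyFromPem's bodies continue outside their hunks.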
Expand Up @@ -71,22 +71,25 @@ public final class KeyVaultKeyStore extends KeyStoreSpi {
*
* <p>
* The constructor uses System.getProperty for
* <code>azure.keyvault.uri</code>, <code>azure.keyvault.tenantId</code>,
* <code>azure.keyvault.uri</code>,
* <code>azure.keyvault.aadAuthenticationUrl</code>,
* <code>azure.keyvault.tenantId</code>,
* <code>azure.keyvault.clientId</code>,
* <code>azure.keyvault.clientSecret</code> and
* <code>azure.keyvault.userAssignedIdentity</code> to initialize the
* keyvault client.
* <code>azure.keyvault.managedIdentity</code> to initialize the
* Key Vault client.
* </p>
*/
public KeyVaultKeyStore() {
creationDate = new Date();
String keyVaultUri = System.getProperty("azure.keyvault.uri");
String aadAuthenticationUrl = System.getProperty("azure.keyvault.aadAuthenticationUrl");
String tenantId = System.getProperty("azure.keyvault.tenantId");
String clientId = System.getProperty("azure.keyvault.clientId");
String clientSecret = System.getProperty("azure.keyvault.clientSecret");
String managedIdentity = System.getProperty("azure.keyvault.managedIdentity");
if (clientId != null) {
keyVaultClient = new KeyVaultClient(keyVaultUri, tenantId, clientId, clientSecret);
keyVaultClient = new KeyVaultClient(keyVaultUri, aadAuthenticationUrl, tenantId, clientId, clientSecret);
} else {
keyVaultClient = new KeyVaultClient(keyVaultUri, managedIdentity);
}
Expand Down Expand Up @@ -210,13 +213,14 @@ public void engineLoad(KeyStore.LoadStoreParameter param) {
if (parameter.getClientId() != null) {
keyVaultClient = new KeyVaultClient(
parameter.getUri(),
parameter.getAadAuthenticationUrl(),
parameter.getTenantId(),
parameter.getClientId(),
parameter.getClientSecret());
} else if (parameter.getUserAssignedIdentity() != null) {
} else if (parameter.getManagedIdentity() != null) {
keyVaultClient = new KeyVaultClient(
parameter.getUri(),
parameter.getUserAssignedIdentity()
parameter.getManagedIdentity()
);
} else {
keyVaultClient = new KeyVaultClient(parameter.getUri());
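Review bot: The constructor Javadoc now lists `azure.keyvault.aadAuthenticationUrl` alongside the mandatory properties, but nothing says the property is optional; the only hint that a missing value falls back to the public-cloud endpoint is the null check inside AuthClient.getAccessToken. Suggest adding after the property list: `<code>azure.keyvault.aadAuthenticationUrl</code> is optional; when it is not set the Azure Public Cloud endpoint is used.` The same gap applies to the `@param aadAuthenticationUrl` lines added to the KeyVaultClient and KeyVaultLoadStoreParameter constructors in this commit. engineLoad's body continues outside the hunk.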
Expand Up @@ -14,6 +14,11 @@ public class KeyVaultLoadStoreParameter implements KeyStore.LoadStoreParameter {
* Stores the URI.
*/
private final String uri;

/**
* Stores the Azure AD authentication URL.
*/
private final String aadAuthenticationUrl;

/**
* Stores the tenant id.
Expand All @@ -33,36 +38,40 @@ public class KeyVaultLoadStoreParameter implements KeyStore.LoadStoreParameter {
/**
* Stores the user-assigned identity.
*/
private final String userAssignedIdentity;
private final String managedIdentity;

/**
* Constructor.
*
* @param uri the Azure Key Vault URI.
* @param aadAuthenticationUrl the Azure AD authentication URL.
* @param tenantId the tenant ID.
* @param clientId the client ID.
* @param clientSecret the client secret.
*/
public KeyVaultLoadStoreParameter(String uri, String tenantId, String clientId, String clientSecret) {
public KeyVaultLoadStoreParameter(String uri, String aadAuthenticationUrl,
String tenantId, String clientId, String clientSecret) {
this.uri = uri;
this.aadAuthenticationUrl = aadAuthenticationUrl;
this.tenantId = tenantId;
this.clientId = clientId;
this.clientSecret = clientSecret;
this.userAssignedIdentity = null;
this.managedIdentity = null;
}

/**
* Constructor.
*
* @param uri the Azure Key Vault URI.
* @param userAssignedIdentity the user-assigned identity.
* @param managedIdentity the managed identity.
*/
public KeyVaultLoadStoreParameter(String uri, String userAssignedIdentity) {
public KeyVaultLoadStoreParameter(String uri, String managedIdentity) {
this.uri = uri;
this.aadAuthenticationUrl = null;
this.tenantId = null;
this.clientId = null;
this.clientSecret = null;
this.userAssignedIdentity = userAssignedIdentity;
this.managedIdentity = managedIdentity;
}

/**
Expand All @@ -72,10 +81,11 @@ public KeyVaultLoadStoreParameter(String uri, String userAssignedIdentity) {
*/
public KeyVaultLoadStoreParameter(String uri) {
this.uri = uri;
this.aadAuthenticationUrl = null;
this.tenantId = null;
this.clientId = null;
this.clientSecret = null;
this.userAssignedIdentity = null;
this.managedIdentity = null;
}

/**
Expand All @@ -88,6 +98,15 @@ public KeyStore.ProtectionParameter getProtectionParameter() {
return null;
}

/**
* Get the Azure AD authentication URL.
*
* @return the Azure AD authentication URL.
*/
public String getAadAuthenticationUrl() {
return aadAuthenticationUrl;
}

/**
* Get the client id.
*
Expand All @@ -106,6 +125,15 @@ public String getClientSecret() {
return clientSecret;
}

/**
* Get the managed identity.
*
* @return the managed identity.
*/
public String getManagedIdentity() {
return managedIdentity;
}

/**
* Get the tenant id.
*
Expand All @@ -123,13 +151,4 @@ public String getTenantId() {
public String getUri() {
return uri;
}

/**
* Get the user-assigned identity.
*
* @return the user-assign identity.
*/
public String getUserAssignedIdentity() {
return userAssignedIdentity;
}
}
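Review bot: Both the public four-argument constructor and `getUserAssignedIdentity()` disappear in this file (the constructor gains a second parameter, the getter is replaced by `getManagedIdentity()`), which is a source-incompatible change for any existing caller of this public class. If the previous surface was ever published, keep a delegating overload `public KeyVaultLoadStoreParameter(String uri, String tenantId, String clientId, String clientSecret) { this(uri, null, tenantId, clientId, clientSecret); }` and a `@Deprecated` `getUserAssignedIdentity()` that forwards to `getManagedIdentity()`. If the library is still pre-release, a sentence in the commit message saying so would let reviewers set this concern aside.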
Expand Up @@ -31,6 +31,7 @@ public void clientSSLSample() throws Exception {
KeyStore ks = KeyStore.getInstance("AzureKeyVault");
KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
System.getProperty("azure.keyvault.uri"),
System.getProperty("azure.keyvault.aadAuthenticationUrl"),
System.getProperty("azure.tenant.id"),
System.getProperty("azure.client.id"),
System.getProperty("azure.client.secret"));
Expand Up @@ -21,6 +21,7 @@ public void serverSSLSample() throws Exception {
KeyStore ks = KeyStore.getInstance("AzureKeyVault");
KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
System.getProperty("azure.keyvault.uri"),
System.getProperty("azure.keyvault.aadAuthenticationUrl"),
System.getProperty("azure.tenant.id"),
System.getProperty("azure.client.id"),
System.getProperty("azure.client.secret"));
Expand Up @@ -27,6 +27,7 @@ public void testGetAuthorizationToken() throws Exception {
AuthClient authClient = new AuthClient();
String result = authClient.getAccessToken(
"https://management.azure.com/",
System.getProperty("azure.keyvault.aadAuthenticationUrl"),
tenantId,
clientId,
URLEncoder.encode(clientSecret, "UTF-8")
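Review bot: The test URL-encodes the secret before passing it (`URLEncoder.encode(clientSecret, "UTF-8")`), but KeyVaultClient.getAccessToken in this same commit passes the raw `clientSecret`, and AuthClient.getAccessToken appends whatever it receives into the `application/x-www-form-urlencoded` body without encoding. The two callers therefore disagree about who encodes, and a production secret containing `&`, `+`, `=` or `%` would be mis-parsed by the token endpoint. Encoding once inside AuthClient — `.append(CLIENT_SECRET_FRAGMENT).append(URLEncoder.encode(clientSecret, "UTF-8"))`, with the checked UnsupportedEncodingException handled or the Java 10+ `StandardCharsets.UTF_8` overload used — and dropping the encode in this test would make a single place responsible. The test method continues outside the hunk.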
Expand Up @@ -36,6 +36,7 @@ public void testGetCertificate() throws Exception {
KeyStore keystore = KeyStore.getInstance("AzureKeyVault");
KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
System.getProperty("azure.keyvault.uri"),
System.getProperty("azure.keyvault.aadAuthenticationUrl"),
System.getProperty("azure.tenant.id"),
System.getProperty("azure.client.id"),
System.getProperty("azure.client.secret"));
Expand Up @@ -51,6 +51,7 @@ public void testEngineGetCertificate() {
KeyVaultKeyStore keystore = new KeyVaultKeyStore();
KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
System.getProperty("azure.keyvault.uri"),
System.getProperty("azure.keyvault.aadAuthenticationUrl"),
System.getProperty("azure.tenant.id"),
System.getProperty("azure.client.id"),
System.getProperty("azure.client.secret"));
Expand All @@ -63,6 +64,7 @@ public void testEngineGetCertificateAlias() {
KeyVaultKeyStore keystore = new KeyVaultKeyStore();
KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
System.getProperty("azure.keyvault.uri"),
System.getProperty("azure.keyvault.aadAuthenticationUrl"),
System.getProperty("azure.tenant.id"),
System.getProperty("azure.client.id"),
System.getProperty("azure.client.secret"));
Expand All @@ -75,6 +77,7 @@ public void testEngineGetCertificateChain() {
KeyVaultKeyStore keystore = new KeyVaultKeyStore();
KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
System.getProperty("azure.keyvault.uri"),
System.getProperty("azure.keyvault.aadAuthenticationUrl"),
System.getProperty("azure.tenant.id"),
System.getProperty("azure.client.id"),
System.getProperty("azure.client.secret"));
Expand All @@ -87,6 +90,7 @@ public void testEngineIsCertificateEntry() {
KeyVaultKeyStore keystore = new KeyVaultKeyStore();
KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
System.getProperty("azure.keyvault.uri"),
System.getProperty("azure.keyvault.aadAuthenticationUrl"),
System.getProperty("azure.tenant.id"),
System.getProperty("azure.client.id"),
System.getProperty("azure.client.secret"));
Expand All @@ -99,6 +103,7 @@ public void testEngineSetCertificateEntry() {
KeyVaultKeyStore keystore = new KeyVaultKeyStore();
KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
System.getProperty("azure.keyvault.uri"),
System.getProperty("azure.keyvault.aadAuthenticationUrl"),
System.getProperty("azure.tenant.id"),
System.getProperty("azure.client.id"),
System.getProperty("azure.client.secret"));
Expand All @@ -123,6 +128,7 @@ public void testEngineGetKey() {
KeyVaultKeyStore keystore = new KeyVaultKeyStore();
KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
System.getProperty("azure.keyvault.uri"),
System.getProperty("azure.keyvault.aadAuthenticationUrl"),
System.getProperty("azure.tenant.id"),
System.getProperty("azure.client.id"),
System.getProperty("azure.client.secret"));
Expand All @@ -135,6 +141,7 @@ public void testEngineIsKeyEntry() {
KeyVaultKeyStore keystore = new KeyVaultKeyStore();
KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
System.getProperty("azure.keyvault.uri"),
System.getProperty("azure.keyvault.aadAuthenticationUrl"),
System.getProperty("azure.tenant.id"),
System.getProperty("azure.client.id"),
System.getProperty("azure.client.secret"));
Expand All @@ -159,6 +166,7 @@ public void testEngineAliases() {
KeyVaultKeyStore keystore = new KeyVaultKeyStore();
KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
System.getProperty("azure.keyvault.uri"),
System.getProperty("azure.keyvault.aadAuthenticationUrl"),
System.getProperty("azure.tenant.id"),
System.getProperty("azure.client.id"),
System.getProperty("azure.client.secret"));
Expand All @@ -171,6 +179,7 @@ public void testEngineContainsAlias() {
KeyVaultKeyStore keystore = new KeyVaultKeyStore();
KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
System.getProperty("azure.keyvault.uri"),
System.getProperty("azure.keyvault.aadAuthenticationUrl"),
System.getProperty("azure.tenant.id"),
System.getProperty("azure.client.id"),
System.getProperty("azure.client.secret"));
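Review bot: The same seven-line `new KeyVaultLoadStoreParameter(System.getProperty("azure.keyvault.uri"), ...)` construction is now repeated in nine test methods of this file, and this commit had to touch every copy to thread the new argument through. A private helper such as `private static KeyVaultLoadStoreParameter clientSecretParameter()` that builds the object from the system properties would make the next parameter change a one-line edit. The test bodies continue outside their hunks.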
