[keyvault] CAE support #31140

Merged
merged 33 commits into from
Oct 8, 2024
Changes from 18 commits
33 commits
da5b147  [keyvault] CAE support  (timovv, Sep 17, 2024)
16b2f51  More realistic tests; add a test specifically for Base64-encoded clai…  (timovv, Sep 17, 2024)
b85d3bb  Do not throw if scopes are missing  (timovv, Sep 17, 2024)
899b535  CAE challenges happen after the initial challenge  (timovv, Sep 17, 2024)
f52b4f6  Update test  (timovv, Sep 17, 2024)
3fb0a8c  Cache the tenant ID; always pass enableCae: true and not just for CAE…  (timovv, Sep 18, 2024)
81bd417  Add additional pipeline policy for CAE  (timovv, Sep 23, 2024)
a8dde3f  Use new common policy in client libraries  (timovv, Sep 24, 2024)
70c9a82  Update sdk/keyvault/keyvault-common/test/internal/challengeAuthentica…  (timovv, Sep 24, 2024)
4ad3111  bump keyvault-common version  (timovv, Sep 24, 2024)
f9108f9  Fix tests  (timovv, Sep 24, 2024)
4321ff3  Custom keyVaultAuthPolicy  (timovv, Sep 24, 2024)
97ac25c  format  (timovv, Sep 24, 2024)
bb1b482  Place KV policy after deserializationPolicy  (timovv, Sep 25, 2024)
944237e  Document name  (timovv, Sep 25, 2024)
d0091c4  Comments  (timovv, Sep 25, 2024)
1cac78e  Minor version bump for KV libraries  (timovv, Sep 25, 2024)
52ef790  wording  (timovv, Sep 25, 2024)
ce4983f  Undo samples change  (timovv, Sep 30, 2024)
7be756f  Merge remote-tracking branch 'upstream/main' into keyvault/cae  (timovv, Sep 30, 2024)
7b38818  Renames  (timovv, Oct 1, 2024)
47d18d2  Comment to show tokenCycler is a copy  (timovv, Oct 1, 2024)
18178da  Improve WWW-authenticate error message  (timovv, Oct 1, 2024)
da49ada  Update assertions  (timovv, Oct 1, 2024)
5e1eb6a  Update API doc  (timovv, Oct 1, 2024)
50f7797  Format  (timovv, Oct 1, 2024)
dc6aace  Add test for subsequent getToken call  (timovv, Oct 3, 2024)
10e0c88  Update KV challenge  (timovv, Oct 3, 2024)
19a89f5  Address feedback  (timovv, Oct 7, 2024)
5bf7da8  Merge branch 'keyvault/cae' of https://github.com/timovv/azure-sdk-fo…  (timovv, Oct 7, 2024)
c375f9f  Merge remote-tracking branch 'upstream/main' into keyvault/cae  (timovv, Oct 7, 2024)
78584db  Rename test file to match new policy name  (timovv, Oct 7, 2024)
c876100  Remove unnecessary "|| {}"  (timovv, Oct 8, 2024)
4 changes: 3 additions & 1 deletion sdk/keyvault/keyvault-admin/CHANGELOG.md
@@ -1,9 +1,11 @@
# Release History

## 4.5.1 (Unreleased)
## 4.6.0 (Unreleased)

### Features Added

- Add support for Continuous Access Evaluation (CAE). [#31140](https://github.com/Azure/azure-sdk-for-js/pull/31140)

### Breaking Changes

### Bugs Fixed
4 changes: 2 additions & 2 deletions sdk/keyvault/keyvault-admin/package.json
Expand Up @@ -2,7 +2,7 @@
"name": "@azure/keyvault-admin",
"sdk-type": "client",
"author": "Microsoft Corporation",
"version": "4.5.1",
"version": "4.6.0",
"license": "MIT",
"description": "Isomorphic client library for Azure KeyVault's administrative functions.",
"homepage": "https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/keyvault/keyvault-admin/README.md",
Expand Down Expand Up @@ -98,7 +98,7 @@
"@azure/core-util": "^1.0.0",
"@azure/core-rest-pipeline": "^1.1.0",
"@azure/core-tracing": "^1.0.0",
"@azure/keyvault-common": "^1.0.0",
"@azure/keyvault-common": "^2.0.0",
"@azure/logger": "^1.0.0",
"tslib": "^2.2.0"
},
17 changes: 6 additions & 11 deletions sdk/keyvault/keyvault-admin/src/accessControlClient.ts
Expand Up @@ -23,8 +23,7 @@ import { LATEST_API_VERSION } from "./constants.js";
import { PagedAsyncIterableIterator } from "@azure/core-paging";
import { RoleAssignmentsListForScopeOptionalParams } from "./generated/models/index.js";
import { TokenCredential } from "@azure/core-auth";
import { bearerTokenAuthenticationPolicy } from "@azure/core-rest-pipeline";
import { createKeyVaultChallengeCallbacks } from "@azure/keyvault-common";
import { keyVaultAuthenticationPolicy } from "@azure/keyvault-common";
import { logger } from "./log.js";
import { mappings } from "./mappings.js";
import { tracingClient } from "./tracing.js";
Expand Down Expand Up @@ -86,15 +85,11 @@ export class KeyVaultAccessControlClient {

this.client = new KeyVaultClient(serviceVersion, clientOptions);

this.client.pipeline.addPolicy(
bearerTokenAuthenticationPolicy({
credential,
// The scopes will be populated in the challenge callbacks based on the WWW-authenticate header
// returned by the challenge, so pass an empty array as a placeholder.
scopes: [],
challengeCallbacks: createKeyVaultChallengeCallbacks(options),
}),
);
// The authentication policy must come after the deserialization policy since the deserialization policy
// converts 401 responses to an Error, and we don't want to deal with that.
this.client.pipeline.addPolicy(keyVaultAuthenticationPolicy(credential, clientOptions), {
afterPolicies: ["deserializationPolicy"],
});
}

/**
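Review bot: `keyVaultAuthenticationPolicy(credential, clientOptions)` is handed `clientOptions`, whereas the removed `createKeyVaultChallengeCallbacks(options)` read the user-supplied `options`; since the policy's options type only carries `disableChallengeResourceVerification`, verify that `clientOptions` still includes that flag from `options`, otherwise the opt-out is silently dropped here (verification stays on, which is the safe direction, but it is an undocumented behaviour change). Also, the comment `// converts 401 responses to an Error, and we don't want to deal with that.` undersells the constraint: the policy has to see the raw 401 and its `WWW-Authenticate` header before `deserializationPolicy` throws, which is why the `afterPolicies` placement is required rather than a preference; consider importing `deserializationPolicyName` from `@azure/core-client` instead of the string literal `"deserializationPolicy"` so the ordering cannot drift from the registered policy name.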
17 changes: 6 additions & 11 deletions sdk/keyvault/keyvault-admin/src/backupClient.ts
Expand Up @@ -21,8 +21,7 @@ import { KeyVaultSelectiveKeyRestorePoller } from "./lro/selectiveKeyRestore/pol
import { LATEST_API_VERSION } from "./constants.js";
import { PollerLike } from "@azure/core-lro";
import { TokenCredential } from "@azure/core-auth";
import { bearerTokenAuthenticationPolicy } from "@azure/core-rest-pipeline";
import { createKeyVaultChallengeCallbacks } from "@azure/keyvault-common";
import { keyVaultAuthenticationPolicy } from "@azure/keyvault-common";
import { logger } from "./log.js";
import { mappings } from "./mappings.js";

Expand Down Expand Up @@ -89,15 +88,11 @@ export class KeyVaultBackupClient {
};

this.client = new KeyVaultClient(apiVersion, clientOptions);
this.client.pipeline.addPolicy(
bearerTokenAuthenticationPolicy({
credential,
// The scopes will be populated in the challenge callbacks based on the WWW-authenticate header
// returned by the challenge, so pass an empty array as a placeholder.
scopes: [],
challengeCallbacks: createKeyVaultChallengeCallbacks(options),
}),
);
// The authentication policy must come after the deserialization policy since the deserialization policy
// converts 401 responses to an Error, and we don't want to deal with that.
this.client.pipeline.addPolicy(keyVaultAuthenticationPolicy(credential, clientOptions), {
afterPolicies: ["deserializationPolicy"],
});
}

/**
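Review bot: `keyVaultAuthenticationPolicy(credential, clientOptions)` takes `clientOptions` where `createKeyVaultChallengeCallbacks(options)` took `options`; the construction of `clientOptions` is outside this hunk, so confirm that `disableChallengeResourceVerification` is copied from `options` into it, or keep passing `options` as before. If it is not copied, a user who set the flag loses the opt-out without any error.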
2 changes: 1 addition & 1 deletion sdk/keyvault/keyvault-admin/src/constants.ts
Expand Up @@ -4,7 +4,7 @@
/**
* Current version of the Key Vault Admin SDK.
*/
export const SDK_VERSION: string = "4.5.1";
export const SDK_VERSION: string = "4.6.0";

/**
* The latest supported Key Vault service API version.

16 changes: 7 additions & 9 deletions sdk/keyvault/keyvault-admin/src/settingsClient.ts
Expand Up @@ -2,8 +2,7 @@
// Licensed under the MIT License.

import { TokenCredential } from "@azure/core-auth";
import { bearerTokenAuthenticationPolicy } from "@azure/core-rest-pipeline";
import { createKeyVaultChallengeCallbacks } from "@azure/keyvault-common";
import { keyVaultAuthenticationPolicy } from "@azure/keyvault-common";
import { LATEST_API_VERSION } from "./constants.js";
import { KeyVaultClient, Setting as GeneratedSetting } from "./generated/index.js";
import { logger } from "./log.js";
Expand Down Expand Up @@ -91,13 +90,12 @@ export class KeyVaultSettingsClient {
};

this.client = new KeyVaultClient(apiVersion, clientOptions);
this.client.pipeline.addPolicy(
bearerTokenAuthenticationPolicy({
credential,
scopes: [],
challengeCallbacks: createKeyVaultChallengeCallbacks(options),
}),
);

// The authentication policy must come after the deserialization policy since the deserialization policy
// converts 401 responses to an Error, and we don't want to deal with that.
this.client.pipeline.addPolicy(keyVaultAuthenticationPolicy(credential, clientOptions), {
afterPolicies: ["deserializationPolicy"],
});
}

/**
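Review bot: same `options` to `clientOptions` switch here: `createKeyVaultChallengeCallbacks(options)` becomes `keyVaultAuthenticationPolicy(credential, clientOptions)`. If `clientOptions` is a narrowed copy that omits `disableChallengeResourceVerification`, the setting is dropped silently; either spread the flag into `clientOptions` where it is built or pass `options` to the policy as the old code did.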
2 changes: 1 addition & 1 deletion sdk/keyvault/keyvault-admin/swagger/README.md
Expand Up @@ -16,7 +16,7 @@ input-file:
- https://raw.githubusercontent.com/Azure/azure-rest-api-specs/7452e1cc7db72fbc6cd9539b390d8b8e5c2a1864/specification/keyvault/data-plane/Microsoft.KeyVault/stable/7.5/settings.json
output-folder: ../
source-code-folder-path: ./src/generated
package-version: 4.5.1
package-version: 4.6.0
use-extension:
"@autorest/typescript": "6.0.0-beta.15"
```
4 changes: 3 additions & 1 deletion sdk/keyvault/keyvault-certificates/CHANGELOG.md
@@ -1,9 +1,11 @@
# Release History

## 4.8.1 (Unreleased)
## 4.9.0 (Unreleased)

### Features Added

- Add support for Continuous Access Evaluation (CAE). [#31140](https://github.com/Azure/azure-sdk-for-js/pull/31140)

### Breaking Changes

### Bugs Fixed
4 changes: 2 additions & 2 deletions sdk/keyvault/keyvault-certificates/package.json
Expand Up @@ -2,7 +2,7 @@
"name": "@azure/keyvault-certificates",
"sdk-type": "client",
"author": "Microsoft Corporation",
"version": "4.8.1",
"version": "4.9.0",
"license": "MIT",
"description": "Isomorphic client library for Azure KeyVault's certificates.",
"homepage": "https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/keyvault/keyvault-certificates/README.md",
Expand Down Expand Up @@ -102,7 +102,7 @@
"@azure/core-paging": "^1.1.1",
"@azure/core-util": "^1.6.1",
"@azure/core-tracing": "^1.0.0",
"@azure/keyvault-common": "^1.0.0",
"@azure/keyvault-common": "^2.0.0",
"@azure/logger": "^1.0.0",
"tslib": "^2.2.0"
},
2 changes: 1 addition & 1 deletion sdk/keyvault/keyvault-certificates/src/constants.ts
@@ -1,4 +1,4 @@
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.

export const SDK_VERSION: string = "4.8.1";
export const SDK_VERSION: string = "4.9.0";

16 changes: 7 additions & 9 deletions sdk/keyvault/keyvault-certificates/src/index.ts
Expand Up @@ -6,7 +6,6 @@
/// <reference lib="esnext.asynciterable" />

import { InternalClientPipelineOptions } from "@azure/core-client";
import { bearerTokenAuthenticationPolicy } from "@azure/core-rest-pipeline";

import { TokenCredential } from "@azure/core-auth";

Expand Down Expand Up @@ -100,7 +99,7 @@ import {
} from "./generated/models/index.js";
import { KeyVaultClient } from "./generated/keyVaultClient.js";
import { PageSettings, PagedAsyncIterableIterator } from "@azure/core-paging";
import { createKeyVaultChallengeCallbacks } from "@azure/keyvault-common";
import { keyVaultAuthenticationPolicy } from "@azure/keyvault-common";
import { CreateCertificatePoller } from "./lro/create/poller.js";
import { CertificateOperationPoller } from "./lro/operation/poller.js";
import { DeleteCertificatePoller } from "./lro/delete/poller.js";
Expand Down Expand Up @@ -247,12 +246,6 @@ export class CertificateClient {
) {
this.vaultUrl = vaultUrl;

const authPolicy = bearerTokenAuthenticationPolicy({
credential,
scopes: [],
challengeCallbacks: createKeyVaultChallengeCallbacks(clientOptions),
});

const internalClientPipelineOptions: InternalClientPipelineOptions = {
...clientOptions,
loggingOptions: {
Expand All @@ -269,7 +262,12 @@ export class CertificateClient {
clientOptions.serviceVersion || LATEST_API_VERSION,
internalClientPipelineOptions,
);
this.client.pipeline.addPolicy(authPolicy);

// The authentication policy must come after the deserialization policy since the deserialization policy
// converts 401 responses to an Error, and we don't want to deal with that.
this.client.pipeline.addPolicy(keyVaultAuthenticationPolicy(credential, clientOptions), {
afterPolicies: ["deserializationPolicy"],
});
}

private async *listPropertiesOfCertificatesPage(
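Review bot: this is the fourth client in the PR that repeats the same two-line comment and the same `afterPolicies: ["deserializationPolicy"]` placement; the ordering requirement belongs with the policy in `@azure/keyvault-common`, either as a JSDoc note on `keyVaultAuthenticationPolicy` or as a small helper that registers the policy in the right position, so that a future client cannot add it before deserialization and quietly lose challenge handling. Moving the construction from the earlier `const authPolicy = ...` to an inline call after `new KeyVaultClient(...)` is otherwise fine, and unlike the admin clients the old code here already passed `clientOptions`, so no option is lost.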
2 changes: 1 addition & 1 deletion sdk/keyvault/keyvault-certificates/swagger/README.md
Expand Up @@ -20,7 +20,7 @@ input-file: https://raw.githubusercontent.com/Azure/azure-rest-api-specs/7452e1c
output-folder: ../
source-code-folder-path: ./src/generated
hide-clients: true
package-version: 4.8.1
package-version: 4.9.0
openapi-type: data-plane
```

7 changes: 6 additions & 1 deletion sdk/keyvault/keyvault-common/CHANGELOG.md
@@ -1,11 +1,16 @@
# Release History

## 1.0.1 (Unreleased)
## 2.0.0 (Unreleased)

### Features Added

- Add support for Continuous Access Evaluation (CAE).
- To take advantage of this support, the newly added `keyVaultAuthenticationPolicy` should be used in place of `bearerTokenAuthenticationPolicy`.

### Breaking Changes

- Removed `createKeyVaultChallengeCallbacks`, which was used to add Key Vault specific handling to Core's `bearerTokenAuthenticationPolicy`. The new `keyVaultAuthenticationPolicy` should be used instead.

### Bugs Fixed

### Other Changes
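Review bot: the Breaking Changes entry tells consumers to use `keyVaultAuthenticationPolicy` instead of `createKeyVaultChallengeCallbacks`, but not how: the client libraries in this PR register it with `afterPolicies: ["deserializationPolicy"]` and comment that it must run after deserialization, and a consumer who adds it the way `bearerTokenAuthenticationPolicy` used to be added will lose challenge handling. State that placement requirement here (or in the function's JSDoc), and since this is the 2.0.0 entry also list the new runtime dependencies (`@azure/logger`, `@azure/core-util`) introduced in package.json.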
6 changes: 4 additions & 2 deletions sdk/keyvault/keyvault-common/package.json
@@ -1,6 +1,6 @@
{
"name": "@azure/keyvault-common",
"version": "1.0.1",
"version": "2.0.0",
"description": "Common internal functionality for all of the Azure Key Vault clients in the Azure SDK for JavaScript",
"sdk-type": "client",
"author": "Microsoft Corporation",
Expand Down Expand Up @@ -58,7 +58,9 @@
"@azure/core-tracing": "^1.0.0",
"@azure/core-auth": "^1.3.0",
"@azure/abort-controller": "^2.0.0",
"tslib": "^2.2.0"
"@azure/logger": "^1.1.5",
"tslib": "^2.2.0",
"@azure/core-util": "^1.10.1"
},
"devDependencies": {
"@azure-tools/test-utils-vitest": "^1.0.0",
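Review bot: `"@azure/core-auth": "^1.3.0"` is left unchanged even though the policy now always passes `enableCae: true` on token requests (commit 3fb0a8c); raise the floor to the first `@azure/core-auth` release whose `GetTokenOptions` declares `enableCae`, otherwise an installation that resolves an older core-auth gets an options type without the flag and the CAE behaviour this version advertises depends on whatever happens to be installed. Minor: `"@azure/core-util": "^1.10.1"` is appended after `"tslib"`; keep the `@azure/*` entries together above it.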
8 changes: 6 additions & 2 deletions sdk/keyvault/keyvault-common/review/keyvault-common.api.md
Expand Up @@ -4,15 +4,19 @@

```ts

import { ChallengeCallbacks } from '@azure/core-rest-pipeline';
import { PipelinePolicy } from '@azure/core-rest-pipeline';
import { TokenCredential } from '@azure/core-auth';

// @public
export interface CreateChallengeCallbacksOptions {
disableChallengeResourceVerification?: boolean;
}

// @public
export function createKeyVaultChallengeCallbacks(options?: CreateChallengeCallbacksOptions): ChallengeCallbacks;
export function keyVaultAuthenticationPolicy(credential: TokenCredential, options?: CreateChallengeCallbacksOptions): PipelinePolicy;

// @public
export const keyVaultAuthenticationPolicyName = "keyVaultAuthenticationPolicy";

// @public
export interface KeyVaultEntityIdentifier {
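Review bot: `CreateChallengeCallbacksOptions` keeps the name of the function this hunk removes (`createKeyVaultChallengeCallbacks`) while becoming the options type of `keyVaultAuthenticationPolicy`; since 2.0.0 is already a major bump, rename it to something tied to the surviving API, for example `KeyVaultAuthenticationPolicyOptions`, rather than carrying an orphaned name into the new major (the later commit 7b38818 "Renames" is not part of this 18-commit view, so it may already do this).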