[Key Vault] Add CAE support

sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md

@@ -6,6 +6,7 @@
 
 - Added support for service API version `7.6-preview.1`.
 - Added new methods `StartPreRestoreAsync`, `StartPreRestore`, `StartPreBackupAsync`, and `StartPreBackupAsync` to the `KeyVaultBackupClient`.
+- Support for Continuous Access Evaluation (CAE).
 
 ### Breaking Changes
 

sdk/keyvault/Azure.Security.KeyVault.Certificates/CHANGELOG.md

@@ -3,6 +3,7 @@
 ## 4.7.0-beta.1 (Unreleased)
 
 ### Features Added
+- Support for Continuous Access Evaluation (CAE).
 
 ### Breaking Changes
 

sdk/keyvault/Azure.Security.KeyVault.Keys/CHANGELOG.md

@@ -3,6 +3,7 @@
 ## 4.7.0-beta.1 (Unreleased)
 
 ### Features Added
+- Support for Continuous Access Evaluation (CAE).
 
 ### Breaking Changes
 

sdk/keyvault/Azure.Security.KeyVault.Secrets/CHANGELOG.md

@@ -3,6 +3,7 @@
 ## 4.7.0-beta.1 (Unreleased)
 
 ### Features Added
+- Support for Continuous Access Evaluation (CAE).
 
 ### Breaking Changes
 

sdk/keyvault/Azure.Security.KeyVault.Secrets/tests/ChallengeBasedAuthenticationPolicyTests.cs

@@ -199,6 +199,221 @@ public async Task ReauthenticatesWhenTenantChanged()
             Assert.AreEqual("secret-value", response.Value.Value);
         }
 
+        [Test]
+        public void GetClaimsFromChallengeHeaders()
+        {
+            MockResponse response401WithClaims = new MockResponse(401)
+                .WithHeader("WWW-Authenticate", @"Bearer realm="""", authorization_uri=""https://login.microsoftonline.com/common/oauth2/authorize"", error=""insufficient_claims"", claims=""eyJhY2Nlc3NfdG9rZW4iOnsiYWNycyI6eyJlc3NlbnRpYWwiOnRydWUsInZhbHVlIjoiY3AxIn19fQ==""");
+            Assert.AreEqual(ChallengeBasedAuthenticationPolicy.getDecodedClaimsParameter("insufficient_claims", response401WithClaims), @"{""access_token"":{""acrs"":{""essential"":true,""value"":""cp1""}}}");
+
+            MockResponse response401 = new MockResponse(401)
+                    .WithHeader("WWW-Authenticate", @"Bearer authorization=""https://login.windows.net/de763a21-49f7-4b08-a8e1-52c8fbc103b4"", resource=""https://vault.azure.net""");
+            Assert.IsNull(ChallengeBasedAuthenticationPolicy.getDecodedClaimsParameter(null, response401));
+        }
+
+        [Test]
+        public void HandlesCaeChallenges(){
+            MockTransport keyVaultTransport = new(new[]
+            {
+                // Initial scope challlenge
+                new MockResponse(401)
+                    .WithHeader("WWW-Authenticate", @"Bearer authorization=""https://login.windows.net/de763a21-49f7-4b08-a8e1-52c8fbc103b4"", resource=""https://vault.azure.net"""),
+
+                // CAE Challenge
+                new MockResponse(401)
+                    .WithHeader("WWW-Authenticate", @"Bearer realm="""", authorization_uri=""https://login.microsoftonline.com/common/oauth2/authorize"", error=""insufficient_claims"", claims=""eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzI2MDc3NTk1In0sInhtc19jYWVlcnJvciI6eyJ2YWx1ZSI6IjEwMDEyIn19fQ=="""),
+
+                new MockResponse(200)
+                {
+                    ContentStream = new KeyVaultSecret("test-secret", "secret-value").ToStream(),
+                },
+            });
+
+            MockTransport credentialTransport = new(new[]
+            {
+                new MockResponse(200)
+                    .WithJson("""
+                    {
+                        "token_type": "Bearer",
+                        "expires_in": 3599,
+                        "resource": "https://vault.azure.net",
+                        "access_token": "ZGU3NjNhMjEtNDlmNy00YjA4LWE4ZTEtNTJjOGZiYzEwM2I0"
+                    }
+                    """),
+
+                new MockResponse(200)
+                    .WithJson("""
+                    {
+                        "token_type": "Bearer",
+                        "expires_in": 3599,
+                        "resource": "https://vault.azure.net",
+                        "access_token": "NzJmOTg4YmYtODZmMS00MWFmLTkxYWItMmQ3Y2QwMTFkYjQ3"
+                    }
+                    """),
+            });
+
+            SecretClient client = new(
+                VaultUri,
+                new MockCredential(credentialTransport),
+                new SecretClientOptions()
+                {
+                    Transport = keyVaultTransport,
+                });
+
+            Response<KeyVaultSecret> response = client.GetSecret("test-secret");
+            Assert.AreEqual(200, response.GetRawResponse().Status);
+            Assert.AreEqual("secret-value", response.Value.Value);
+        }
+
+        [Test]
+        public void ThrowsWithTwoConsecutiveCaeChallenges()
+        {
+            MockTransport keyVaultTransport = new(new[]
+            {
+                // Initial scope challlenge
+                new MockResponse(401)
+                    .WithHeader("WWW-Authenticate", @"Bearer authorization=""https://login.windows.net/de763a21-49f7-4b08-a8e1-52c8fbc103b4"", resource=""https://vault.azure.net"""),
+
+                // CAE Challenge
+                new MockResponse(401)
+                    .WithHeader("WWW-Authenticate", @"Bearer realm="""", authorization_uri=""https://login.microsoftonline.com/common/oauth2/authorize"", error=""insufficient_claims"", claims=""eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzI2MDc3NTk1In0sInhtc19jYWVlcnJvciI6eyJ2YWx1ZSI6IjEwMDEyIn19fQ=="""),
+
+                // Second CAE Challenge
+                new MockResponse(401)
+                    .WithHeader("WWW-Authenticate", @"Bearer realm="""", authorization_uri=""https://login.microsoftonline.com/common/oauth2/authorize"", error=""insufficient_claims"", claims=""eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzI2MDc3NTk1In0sInhtc19jYWVlcnJvciI6eyJ2YWx1ZSI6IjEwMDEyIn19fQ=="""),
+
+                new MockResponse(200)
+                {
+                    ContentStream = new KeyVaultSecret("test-secret", "secret-value").ToStream(),
+                },
+            });
+
+            MockTransport credentialTransport = new(new[]
+            {
+                new MockResponse(200)
+                    .WithJson("""
+                    {
+                        "token_type": "Bearer",
+                        "expires_in": 3599,
+                        "resource": "https://vault.azure.net",
+                        "access_token": "ZGU3NjNhMjEtNDlmNy00YjA4LWE4ZTEtNTJjOGZiYzEwM2I0"
+                    }
+                    """),
+
+                new MockResponse(200)
+                    .WithJson("""
+                    {
+                        "token_type": "Bearer",
+                        "expires_in": 3599,
+                        "resource": "https://vault.azure.net",
+                        "access_token": "NzJmOTg4YmYtODZmMS00MWFmLTkxYWItMmQ3Y2QwMTFkYjQ3"
+                    }
+                    """),
+
+                new MockResponse(200)
+                    .WithJson("""
+                    {
+                        "token_type": "Bearer",
+                        "expires_in": 3599,
+                        "resource": "https://vault.azure.net",
+                        "access_token": GUID.NewGuid().ToString()
+                    }
+                    """),
+            });
+
+            SecretClient client = new(
+                VaultUri,
+                new MockCredential(credentialTransport),
+                new SecretClientOptions()
+                {
+                    Transport = keyVaultTransport,
+                });
+
+            try
+            {
+                client.GetSecret("test-secret");
+            }
+            catch (RequestFailedException ex)
+            {
+                Assert.AreEqual(401, ex.Status);
+            }
+            catch (Exception ex)
+            {
+                Assert.Fail($"Expected RequestFailedException, but got {ex.GetType()}");
+            }
+        }
+
+        [Test]
+        [TestCase("""Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", error="insufficient_claims", claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzI2MDc3NTk1In0sInhtc19jYWVlcnJvciI6eyJ2YWx1ZSI6IjEwMDEyIn19fQ==" """, """{"access_token":{"nbf":{"essential":true,"value":"1726077595"},"xms_caeerror":{"value":"10012"}}}""")]
+        public async Task VerifyClaimsInToken(string challenge, string expectedClaims)
+        {
+            string claims = null;
+            int callCount = 0;
+
+            MockTransport keyVaultTransport = new(new[]
+            {
+                // Initial challlenge
+                new MockResponse(401)
+                    .WithHeader("WWW-Authenticate", @"Bearer authorization=""https://login.windows.net/de763a21-49f7-4b08-a8e1-52c8fbc103b4"", resource=""https://vault.azure.net"""),
+
+                // CAE Challenge
+                new MockResponse(401)
+                    .WithHeader("WWW-Authenticate", challenge),
+
+                new MockResponse(200)
+                {
+                    ContentStream = new KeyVaultSecret("test-secret", "secret-value").ToStream(),
+                },
+            });
+
+            var credential = new TokenCredentialStub((r, c) =>
+            {
+                claims = r.Claims;
+                Interlocked.Increment(ref callCount);
+                Assert.AreEqual(true, r.IsCaeEnabled);
+
+                return new(callCount.ToString(), DateTimeOffset.Now.AddHours(2));
+            }, true);
+            var policy = new BearerTokenAuthenticationPolicy(credential, "scope");
+
+            SecretClient client = new(
+            VaultUri,
+            credential,
+            new SecretClientOptions()
+            {
+                Transport = keyVaultTransport,
+            });
+
+            var FooResponse = await client.GetSecretAsync("test-secret");
+            Assert.AreEqual(expectedClaims, claims);
+        }
+
+        private class TokenCredentialStub : TokenCredential
+        {
+            public TokenCredentialStub(Func<TokenRequestContext, CancellationToken, AccessToken> handler, bool isAsync)
+            {
+                if (isAsync)
+                {
+#pragma warning disable 1998
+                    _getTokenAsyncHandler = async (r, c) => handler(r, c);
+#pragma warning restore 1998
+                }
+                else
+                {
+                    _getTokenHandler = handler;
+                }
+            }
+
+            private readonly Func<TokenRequestContext, CancellationToken, ValueTask<AccessToken>> _getTokenAsyncHandler;
+            private readonly Func<TokenRequestContext, CancellationToken, AccessToken> _getTokenHandler;
+
+            public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
+                => _getTokenAsyncHandler(requestContext, cancellationToken);
+
+            public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
+                => _getTokenHandler(requestContext, cancellationToken);
+        }
+
         private class MockTransportBuilder
         {
             private const string AuthorizationHeader = "Authorization";