feat: use DefaultAzureCredential in Azure Key Vault (#82)
* feat: use DefaultAzureCredential in Azure Key Vault

* add documentation
bscholtes1A authored Oct 27, 2023
1 parent 6e23ec4 commit 61e5eb8
Showing 13 changed files with 119 additions and 293 deletions.
41 changes: 9 additions & 32 deletions DEPENDENCIES
Expand Up @@ -56,16 +56,13 @@ maven/mavencentral/com.fasterxml.jackson.core/jackson-databind/2.14.2, Apache-2.
maven/mavencentral/com.fasterxml.jackson.core/jackson-databind/2.15.1, Apache-2.0, approved, #7934
maven/mavencentral/com.fasterxml.jackson.core/jackson-databind/2.15.2, Apache-2.0, approved, #7934
maven/mavencentral/com.fasterxml.jackson.core/jackson-databind/2.15.3, Apache-2.0, approved, #7934
maven/mavencentral/com.fasterxml.jackson.core/jackson-databind/2.9.8, Apache-2.0 AND EPL-1.0, approved, CQ21704
maven/mavencentral/com.fasterxml.jackson.dataformat/jackson-dataformat-xml/2.13.5, Apache-2.0, approved, #3768
maven/mavencentral/com.fasterxml.jackson.dataformat/jackson-dataformat-xml/2.14.2, Apache-2.0, approved, #4300
maven/mavencentral/com.fasterxml.jackson.dataformat/jackson-dataformat-xml/2.15.3, Apache-2.0, approved, #9237
maven/mavencentral/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml/2.12.1, Apache-2.0, approved, CQ23167
maven/mavencentral/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml/2.15.1, Apache-2.0, approved, #8802
maven/mavencentral/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml/2.15.3, Apache-2.0, approved, #8802
maven/mavencentral/com.fasterxml.jackson.datatype/jackson-datatype-jakarta-jsonp/2.15.3, Apache-2.0, approved, #9179
maven/mavencentral/com.fasterxml.jackson.datatype/jackson-datatype-joda/2.10.5, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.fasterxml.jackson.datatype/jackson-datatype-joda/2.15.3, , restricted, clearlydefined
maven/mavencentral/com.fasterxml.jackson.datatype/jackson-datatype-jsr310/2.12.1, Apache-2.0, approved, CQ23727
maven/mavencentral/com.fasterxml.jackson.datatype/jackson-datatype-jsr310/2.13.5, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.fasterxml.jackson.datatype/jackson-datatype-jsr310/2.14.2, Apache-2.0, approved, #4699
Expand All @@ -86,37 +83,24 @@ maven/mavencentral/com.github.stephenc.jcip/jcip-annotations/1.0-1, Apache-2.0,
maven/mavencentral/com.google.code.findbugs/jsr305/3.0.2, Apache-2.0, approved, #20
maven/mavencentral/com.google.errorprone/error_prone_annotations/2.7.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.guava/failureaccess/1.0.1, Apache-2.0, approved, CQ22654
maven/mavencentral/com.google.guava/guava/20.0, Apache-2.0, approved, CQ12329
maven/mavencentral/com.google.guava/guava/31.0.1-jre, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.google.guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava, Apache-2.0, approved, CQ22657
maven/mavencentral/com.google.j2objc/j2objc-annotations/1.3, Apache-2.0, approved, CQ21195
maven/mavencentral/com.microsoft.azure/azure-annotations/1.10.0, MIT, approved, clearlydefined
maven/mavencentral/com.microsoft.azure/azure-client-runtime/1.7.14, MIT, approved, clearlydefined
maven/mavencentral/com.microsoft.azure/azure-mgmt-resources/1.41.4, MIT, approved, clearlydefined
maven/mavencentral/com.microsoft.azure/msal4j-persistence-extension/1.2.0, MIT, approved, clearlydefined
maven/mavencentral/com.microsoft.azure/msal4j/1.13.9, MIT, approved, clearlydefined
maven/mavencentral/com.microsoft.azure/msal4j/1.4.0, MIT, approved, clearlydefined
maven/mavencentral/com.microsoft.rest/client-runtime/1.7.14, MIT, approved, clearlydefined
maven/mavencentral/com.nimbusds/content-type/2.2, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.nimbusds/lang-tag/1.7, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.nimbusds/nimbus-jose-jwt/9.25, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.nimbusds/nimbus-jose-jwt/9.30.2, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.nimbusds/nimbus-jose-jwt/9.37, Apache-2.0, approved, #11086
maven/mavencentral/com.nimbusds/oauth2-oidc-sdk/10.7.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.puppycrawl.tools/checkstyle/10.0, LGPL-2.1-or-later, approved, #7936
maven/mavencentral/com.squareup.okhttp3/logging-interceptor/3.12.12, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.squareup.okhttp3/okhttp-dnsoverhttps/4.11.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.squareup.okhttp3/okhttp-urlconnection/3.12.12, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.squareup.okhttp3/okhttp/3.12.0, Apache-2.0, approved, CQ19549
maven/mavencentral/com.squareup.okhttp3/okhttp/3.12.12, Apache-2.0, approved, CQ19549
maven/mavencentral/com.squareup.okhttp3/okhttp/4.11.0, Apache-2.0, approved, #9240
maven/mavencentral/com.squareup.okhttp3/okhttp-dnsoverhttps/4.12.0, Apache-2.0, approved, #11159
maven/mavencentral/com.squareup.okhttp3/okhttp/4.12.0, Apache-2.0, approved, #11156
maven/mavencentral/com.squareup.okhttp3/okhttp/4.9.3, Apache-2.0 AND MPL-2.0, approved, #3225
maven/mavencentral/com.squareup.okio/okio-jvm/3.2.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.squareup.okio/okio/1.15.0, Apache-2.0, approved, CQ20187
maven/mavencentral/com.squareup.okio/okio/3.2.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.squareup.retrofit2/adapter-rxjava/2.6.4, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.squareup.retrofit2/converter-jackson/2.6.4, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.squareup.retrofit2/retrofit/2.6.4, Apache-2.0, approved, clearlydefined
maven/mavencentral/com.squareup.okio/okio-jvm/3.6.0, Apache-2.0, approved, #11158
maven/mavencentral/com.squareup.okio/okio/3.6.0, Apache-2.0, approved, #11155
maven/mavencentral/com.sun.activation/jakarta.activation/2.0.0, EPL-2.0 OR BSD-3-Clause OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jaf
maven/mavencentral/commons-beanutils/commons-beanutils/1.9.4, Apache-2.0, approved, CQ12654
maven/mavencentral/commons-codec/commons-codec/1.11, Apache-2.0 AND BSD-3-Clause, approved, CQ15971
Expand Down Expand Up @@ -154,8 +138,6 @@ maven/mavencentral/io.opentelemetry/opentelemetry-context/1.31.0, Apache-2.0, ap
maven/mavencentral/io.projectreactor.netty/reactor-netty-core/1.0.34, Apache-2.0, approved, #9687
maven/mavencentral/io.projectreactor.netty/reactor-netty-http/1.0.34, Apache-2.0, approved, clearlydefined
maven/mavencentral/io.projectreactor/reactor-core/3.4.31, Apache-2.0, approved, #7517
maven/mavencentral/io.reactivex/rxjava/1.3.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/io.reactivex/rxjava/1.3.8, Apache-2.0, approved, clearlydefined
maven/mavencentral/io.rest-assured/json-path/5.3.2, Apache-2.0, approved, #9261
maven/mavencentral/io.rest-assured/rest-assured-common/5.3.2, Apache-2.0, approved, #9264
maven/mavencentral/io.rest-assured/rest-assured/5.3.2, Apache-2.0, approved, #9262
Expand All @@ -181,7 +163,6 @@ maven/mavencentral/jakarta.validation/jakarta.validation-api/3.0.2, Apache-2.0,
maven/mavencentral/jakarta.ws.rs/jakarta.ws.rs-api/3.1.0, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.rest
maven/mavencentral/jakarta.xml.bind/jakarta.xml.bind-api/3.0.0, BSD-3-Clause, approved, ee4j.jaxb
maven/mavencentral/jakarta.xml.bind/jakarta.xml.bind-api/4.0.0, BSD-3-Clause, approved, ee4j.jaxb
maven/mavencentral/joda-time/joda-time/2.10.14, Apache-2.0, approved, clearlydefined
maven/mavencentral/junit/junit/4.13.2, EPL-2.0, approved, CQ23636
maven/mavencentral/net.bytebuddy/byte-buddy-agent/1.14.1, Apache-2.0, approved, #7164
maven/mavencentral/net.bytebuddy/byte-buddy/1.12.10, Apache-2.0 AND BSD-3-Clause, approved, #1811
Expand All @@ -198,14 +179,12 @@ maven/mavencentral/org.antlr/antlr4-runtime/4.9.3, BSD-3-Clause, approved, #322
maven/mavencentral/org.apache.commons/commons-compress/1.24.0, Apache-2.0 AND BSD-3-Clause AND bzip2-1.0.6 AND LicenseRef-Public-Domain, approved, #10368
maven/mavencentral/org.apache.commons/commons-lang3/3.11, Apache-2.0, approved, CQ22642
maven/mavencentral/org.apache.commons/commons-lang3/3.12.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/org.apache.commons/commons-lang3/3.4, Apache-2.0, approved, CQ9623
maven/mavencentral/org.apache.groovy/groovy-bom/4.0.11, Apache-2.0, approved, #9266
maven/mavencentral/org.apache.groovy/groovy-json/4.0.11, Apache-2.0, approved, #7411
maven/mavencentral/org.apache.groovy/groovy-xml/4.0.11, Apache-2.0, approved, #10179
maven/mavencentral/org.apache.groovy/groovy/4.0.11, Apache-2.0 AND BSD-3-Clause AND MIT, approved, #1742
maven/mavencentral/org.apache.httpcomponents/httpclient/4.5.13, Apache-2.0 AND LicenseRef-Public-Domain, approved, CQ23527
maven/mavencentral/org.apache.httpcomponents/httpcore/4.4.13, Apache-2.0, approved, CQ23528
maven/mavencentral/org.apache.httpcomponents/httpcore/4.4.5, Apache-2.0, approved, CQ11716
maven/mavencentral/org.apache.httpcomponents/httpmime/4.5.13, Apache-2.0, approved, CQ11718
maven/mavencentral/org.apiguardian/apiguardian-api/1.1.2, Apache-2.0, approved, clearlydefined
maven/mavencentral/org.assertj/assertj-core/3.23.1, Apache-2.0, approved, clearlydefined
Expand Down Expand Up @@ -367,11 +346,11 @@ maven/mavencentral/org.jacoco/org.jacoco.report/0.8.8, EPL-2.0 AND Apache-2.0, a
maven/mavencentral/org.javassist/javassist/3.25.0-GA, MPL-1.1 OR LGPL-2.1-or-later OR Apache-2.0, approved, CQ19885
maven/mavencentral/org.javassist/javassist/3.28.0-GA, Apache-2.0 OR LGPL-2.1-or-later OR MPL-1.1, approved, #327
maven/mavencentral/org.javassist/javassist/3.29.2-GA, Apache-2.0 AND LGPL-2.1-or-later AND MPL-1.1, approved, #6023
maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib-common/1.6.20, Apache-2.0, approved, clearlydefined
maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib-jdk7/1.6.20, Apache-2.0, approved, clearlydefined
maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib-jdk8/1.6.10, Apache-2.0, approved, clearlydefined
maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib-jdk8/1.6.20, Apache-2.0, approved, clearlydefined
maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib/1.6.20, Apache-2.0, approved, clearlydefined
maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib-common/1.9.10, Apache-2.0, approved, clearlydefined
maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib-jdk7/1.9.10, Apache-2.0, approved, clearlydefined
maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib-jdk8/1.8.21, Apache-2.0, approved, #8919
maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib-jdk8/1.9.10, Apache-2.0, approved, clearlydefined
maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib/1.9.10, Apache-2.0, approved, clearlydefined
maven/mavencentral/org.jetbrains/annotations/13.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/org.jetbrains/annotations/17.0.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/org.jetbrains/annotations/24.0.1, Apache-2.0, approved, #7417
Expand All @@ -391,7 +370,6 @@ maven/mavencentral/org.junit/junit-bom/5.10.0, EPL-2.0, approved, #9844
maven/mavencentral/org.junit/junit-bom/5.9.2, EPL-2.0, approved, #4711
maven/mavencentral/org.jvnet.mimepull/mimepull/1.9.15, CDDL-1.1 OR GPL-2.0-only WITH Classpath-exception-2.0, approved, CQ21484
maven/mavencentral/org.mockito/mockito-core/5.2.0, MIT AND (Apache-2.0 AND MIT) AND Apache-2.0, approved, #7401
maven/mavencentral/org.mockito/mockito-inline/5.2.0, MIT, approved, clearlydefined
maven/mavencentral/org.objenesis/objenesis/3.3, Apache-2.0, approved, clearlydefined
maven/mavencentral/org.opentest4j/opentest4j/1.2.0, Apache-2.0, approved, clearlydefined
maven/mavencentral/org.opentest4j/opentest4j/1.3.0, Apache-2.0, approved, #9713
Expand All @@ -407,7 +385,6 @@ maven/mavencentral/org.postgresql/postgresql/42.6.0, BSD-2-Clause AND Apache-2.0
maven/mavencentral/org.reactivestreams/reactive-streams/1.0.4, CC0-1.0, approved, CQ16332
maven/mavencentral/org.reflections/reflections/0.10.2, Apache-2.0 AND WTFPL, approved, clearlydefined
maven/mavencentral/org.rnorth.duct-tape/duct-tape/1.0.8, MIT, approved, clearlydefined
maven/mavencentral/org.slf4j/slf4j-api/1.7.22, MIT, approved, CQ11943
maven/mavencentral/org.slf4j/slf4j-api/1.7.25, MIT, approved, CQ13368
maven/mavencentral/org.slf4j/slf4j-api/1.7.30, MIT, approved, CQ13368
maven/mavencentral/org.slf4j/slf4j-api/1.7.35, MIT, approved, CQ13368
Expand Up @@ -23,32 +23,25 @@
import org.eclipse.edc.runtime.metamodel.annotation.Provides;
import org.eclipse.edc.spi.system.ServiceExtension;
import org.eclipse.edc.spi.system.ServiceExtensionContext;
import org.eclipse.edc.spi.system.SettingResolver;

import java.util.Objects;

/**
* Provides Azure Identity SDK and Azure Resource Manager SDK objects configured based on runtime settings.
*/
@Provides({ AzureEnvironment.class, TokenCredential.class, AzureProfile.class, AzureResourceManager.class })
@Provides({AzureEnvironment.class, TokenCredential.class, AzureProfile.class, AzureResourceManager.class})
@Extension(value = AzureResourceManagerExtension.NAME)
public class AzureResourceManagerExtension implements ServiceExtension {

public static final String NAME = "Azure Resource Manager";

private static String requiredSetting(SettingResolver context, String s) {
return Objects.requireNonNull(context.getSetting(s, null), s);
}

@Override
public String name() {
return NAME;
}

@Override
public void initialize(ServiceExtensionContext context) {
var tenantId = requiredSetting(context, "edc.azure.tenant.id");
var subscriptionId = requiredSetting(context, "edc.azure.subscription.id");
var tenantId = context.getConfig().getString("edc.azure.tenant.id");
var subscriptionId = context.getConfig().getString("edc.azure.subscription.id");

// Detect credential source based on runtime environment, e.g. Azure CLI, environment variables
var credential = new DefaultAzureCredentialBuilder().build();
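Review bot: The new `context.getConfig().getString(...)` lookups drop the explicit `Objects.requireNonNull` guard that the removed `requiredSetting` helper applied, so fail-fast behaviour for a missing `edc.azure.tenant.id` or `edc.azure.subscription.id` now rests entirely on `Config.getString` rejecting an absent key. As far as I recall, EDC's `Config.getString(key)` does throw `EdcException` when the key is not present, so the contract is kept but the exception type changes from `NullPointerException` to `EdcException`, and nothing in the hunk records that. A one-line comment above the two lookups would keep the requirement visible, e.g. `// both settings are mandatory: Config.getString(key) throws if the key is absent`. The rest of `initialize` continues outside the hunk.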
34 changes: 34 additions & 0 deletions extensions/common/vault/vault-azure/README.md
@@ -0,0 +1,34 @@
# Azure Key Vault Extension

The extension provides a `Vault` implementation interfacing with an Azure Key Vault.

## Authentication

This extension connects to Azure Key Vault using the
standard `AzureDefaultCredential`
provided by the Azure Identity library. This generic credential fits most use-cases and will attempt to authenticate via
a predefined chain of methods until one is successful. More details about the authentication methods used can be found
in
this [page]([DefaultAzureCredential](https://learn.microsoft.com/en-gb/java/api/com.azure.identity.defaultazurecredential?view=azure-java-stable)).

### Example 1: connect with Principal client id and a client secret (see [EnvironmentCredential](https://learn.microsoft.com/en-gb/java/api/com.azure.identity.environmentcredential?view=azure-java-stable))

The following environments variables must be set:

- `AZURE_CLIENT_ID`
- `AZURE_CLIENT_SECRET`
- `AZURE_TENANT_ID`
-

### Example 2: connect with Principal client id and a client certificate (see [EnvironmentCredential](https://learn.microsoft.com/en-gb/java/api/com.azure.identity.environmentcredential?view=azure-java-stable))

The following environments variables must be set:

- `AZURE_CLIENT_ID`
- `AZURE_CLIENT_CERTIFICATE_PATH`
- `AZURE_CLIENT_CERTIFICATE_PASSWORD`
- `AZURE_TENANT_ID`




8 changes: 1 addition & 7 deletions extensions/common/vault/vault-azure/build.gradle.kts
Expand Up @@ -20,16 +20,10 @@ plugins {
dependencies {
api(libs.edc.spi.core)

implementation(libs.edc.util)
implementation(libs.azure.keyvault)
implementation(libs.azure.identity)
implementation(libs.jakarta.rsApi)

testImplementation(libs.azure.mgmt.resources)
testImplementation(libs.azure.resourcemanager)
testImplementation(libs.azure.resourcemanager.keyvault)

testImplementation(libs.mockito.inline)
testImplementation(libs.edc.junit)
}


Expand Up @@ -14,13 +14,9 @@

package org.eclipse.edc.vault.azure;

import com.azure.core.credential.TokenCredential;
import com.azure.core.exception.ResourceNotFoundException;
import com.azure.core.util.polling.SyncPoller;
import com.azure.identity.ClientCertificateCredentialBuilder;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.DeletedSecret;
import org.eclipse.edc.spi.monitor.Monitor;
import org.eclipse.edc.spi.result.Result;
Expand Down Expand Up @@ -50,34 +46,6 @@ public AzureVault(Monitor monitor, SecretClient secretClient) {
this.secretClient = secretClient;
}

public static AzureVault authenticateWithSecret(Monitor monitor, String clientId, String tenantId, String clientSecret, String keyVaultName) {
var credential = new ClientSecretCredentialBuilder()
.clientId(clientId)
.tenantId(tenantId)
.clientSecret(clientSecret)
.build();

return new AzureVault(monitor, createSecretClient(credential, keyVaultName));
}

public static AzureVault authenticateWithCertificate(Monitor monitor, String clientId, String tenantId, String certificatePath, String keyVaultName) {
var credential = new ClientCertificateCredentialBuilder()
.clientId(clientId)
.tenantId(tenantId)
.pfxCertificate(certificatePath, "")
.build();

return new AzureVault(monitor, createSecretClient(credential, keyVaultName));
}

@NotNull
private static SecretClient createSecretClient(TokenCredential credential, String keyVaultName) {
return new SecretClientBuilder()
.vaultUrl("https://" + keyVaultName + ".vault.azure.net")
.credential(credential)
.buildClient();
}

@Override
public @Nullable String resolveSecret(String key) {
var sanitizedKey = sanitizeKey(key);

This file was deleted.

