Upgrading to new Key Vault (and MSAL) libraries

azure-pipelines.yml

@@ -38,8 +38,8 @@ jobs:
     displayName: 'Maven build jre14'
     inputs:
       mavenPomFile: 'pom.xml'
-      goals: 'clean dependency:purge-local-repository -Dmssql_jdbc_test_connection_properties=jdbc:sqlserver://$(Target_SQL)$(server_domain);$(database);$(user);$(password); install -Pjre14 -DuserNTLM=$(userNTLM) -DpasswordNTLM=$(passwordNTLM) -DdomainNTLM=$(domainNTLM) -DexcludedGroups=$(Ex_Groups) -Dpkcs12_truststore_password=$(pkcs12_truststore_password) -Dpkcs12_truststore=$(pkcs12_truststore.secureFilePath) 
--DapplicationClientID=$(applicationClientID) -DapplicationKey=$(applicationKey) -DkeyID=$(keyID) -DwindowsKeyPath=$(windowsKeyPath) -DenclaveAttestationUrl=$(enclaveAttestationUrl) -DenclaveAttestationProtocol=$(enclaveAttestationProtocol) -DenclaveServer=$(enclaveServer)'
+      goals: 'clean dependency:purge-local-repository -Dmssql_jdbc_test_connection_properties=jdbc:sqlserver://$(Target_SQL)$(server_domain);$(database);$(user);$(password); install -Pjre14 -DuserNTLM=$(userNTLM) -DpasswordNTLM=$(passwordNTLM) -DdomainNTLM=$(domainNTLM) -DexcludedGroups=$(Ex_Groups) -Dpkcs12_truststore_password=$(pkcs12_truststore_password) -Dpkcs12_truststore=$(pkcs12_truststore.secureFilePath)
+-DapplicationClientID=$(applicationClientID) -DapplicationKey=$(applicationKey) -DkeyID=$(keyID) -DwindowsKeyPath=$(windowsKeyPath) -DenclaveAttestationUrl=$(enclaveAttestationUrl) -DenclaveAttestationProtocol=$(enclaveAttestationProtocol) -DenclaveServer=$(enclaveServer) -DtenantID=$(tenantID)'
       testResultsFiles: '**/TEST-*.xml'
       testRunTitle: 'Maven build jre14'
       javaHomeOption: Path
@@ -49,7 +49,7 @@ jobs:
     inputs:
       mavenPomFile: 'pom.xml'
       goals: 'clean dependency:purge-local-repository -Dmssql_jdbc_test_connection_properties=jdbc:sqlserver://$(Target_SQL)$(server_domain);$(database);$(user);$(password); install -Pjre11 -DuserNTLM=$(userNTLM) -DpasswordNTLM=$(passwordNTLM) -DdomainNTLM=$(domainNTLM) -DexcludedGroups=$(Ex_Groups) -Dpkcs12_truststore_password=$(pkcs12_truststore_password) -Dpkcs12_truststore=$(pkcs12_truststore.secureFilePath)
--DapplicationClientID=$(applicationClientID) -DapplicationKey=$(applicationKey) -DkeyID=$(keyID) -DwindowsKeyPath=$(windowsKeyPath) -DenclaveAttestationUrl=$(enclaveAttestationUrl) -DenclaveAttestationProtocol=$(enclaveAttestationProtocol) -DenclaveServer=$(enclaveServer)'
+-DapplicationClientID=$(applicationClientID) -DapplicationKey=$(applicationKey) -DkeyID=$(keyID) -DwindowsKeyPath=$(windowsKeyPath) -DenclaveAttestationUrl=$(enclaveAttestationUrl) -DenclaveAttestationProtocol=$(enclaveAttestationProtocol) -DenclaveServer=$(enclaveServer) -DtenantID=$(tenantID)'
       testResultsFiles: '**/TEST-*.xml'
       testRunTitle: 'Maven build jre11'
       javaHomeOption: Path
@@ -58,8 +58,8 @@ jobs:
     displayName: 'Maven build jre8'
     inputs:
       mavenPomFile: 'pom.xml'
-      goals: 'clean dependency:purge-local-repository -Dmssql_jdbc_test_connection_properties=jdbc:sqlserver://$(Target_SQL)$(server_domain);$(database);$(user);$(password); install -Pjre8 -DuserNTLM=$(userNTLM) -DpasswordNTLM=$(passwordNTLM) -DdomainNTLM=$(domainNTLM) -DexcludedGroups=$(Ex_Groups) -Dpkcs12_truststore_password=$(pkcs12_truststore_password) -Dpkcs12_truststore=$(pkcs12_truststore.secureFilePath) 
--DapplicationClientID=$(applicationClientID) -DapplicationKey=$(applicationKey) -DkeyID=$(keyID) -DwindowsKeyPath=$(windowsKeyPath) -DenclaveAttestationUrl=$(enclaveAttestationUrl) -DenclaveAttestationProtocol=$(enclaveAttestationProtocol) -DenclaveServer=$(enclaveServer)'
+      goals: 'clean dependency:purge-local-repository -Dmssql_jdbc_test_connection_properties=jdbc:sqlserver://$(Target_SQL)$(server_domain);$(database);$(user);$(password); install -Pjre8 -DuserNTLM=$(userNTLM) -DpasswordNTLM=$(passwordNTLM) -DdomainNTLM=$(domainNTLM) -DexcludedGroups=$(Ex_Groups) -Dpkcs12_truststore_password=$(pkcs12_truststore_password) -Dpkcs12_truststore=$(pkcs12_truststore.secureFilePath)
+-DapplicationClientID=$(applicationClientID) -DapplicationKey=$(applicationKey) -DkeyID=$(keyID) -DwindowsKeyPath=$(windowsKeyPath) -DenclaveAttestationUrl=$(enclaveAttestationUrl) -DenclaveAttestationProtocol=$(enclaveAttestationProtocol) -DenclaveServer=$(enclaveServer) -DtenantID=$(tenantID)'
       testResultsFiles: '**/TEST-*.xml'
       testRunTitle: 'Maven build jre8'
       javaHomeOption: Path

build.gradle

@@ -110,14 +110,12 @@ repositories {
 dependencies {
 	compile 'org.osgi:org.osgi.core:6.0.0',
 			'org.osgi:org.osgi.compendium:5.0.0'
-	compileOnly 'com.microsoft.azure:azure-keyvault:1.2.2',
-			'com.microsoft.azure:azure-keyvault-webkey:1.2.1',
-			'com.microsoft.rest:client-runtime:1.7.0',
-			'com.microsoft.azure:adal4j:1.6.4',
+	compileOnly 'com.azure:azure-security-keyvault-keys:4.2.0',
+			'com.azure:azure-identity:1.1.0',
 			'org.antlr:antlr4-runtime:4.7.2',
 			'com.google.code.gson:gson:2.8.6',
-			'org.bouncycastle:bcprov-jdk15on:1.64',
-			'org.bouncycastle:bcpkix-jdk15on:1.64'
+			'org.bouncycastle:bcprov-jdk15on:1.65',
+			'org.bouncycastle:bcpkix-jdk15on:1.65'
 	testCompile 'org.junit.platform:junit-platform-console:1.5.2',
 			'org.junit.platform:junit-platform-commons:1.5.2',
 			'org.junit.platform:junit-platform-engine:1.5.2',
@@ -127,15 +125,14 @@ dependencies {
 			'org.junit.jupiter:junit-jupiter-api:5.6.0',
 			'org.junit.jupiter:junit-jupiter-engine:5.6.0',
 			'org.junit.jupiter:junit-jupiter-params:5.6.0',
-			'com.zaxxer:HikariCP:3.4.1',
-			'org.apache.commons:commons-dbcp2:2.6.0',
+			'com.zaxxer:HikariCP:3.4.2',
+			'org.apache.commons:commons-dbcp2:2.7.0',
 			'org.slf4j:slf4j-nop:1.7.29',
 			'org.antlr:antlr4-runtime:4.7.2',
 			'org.eclipse.gemini.blueprint:gemini-blueprint-mock:2.1.0.RELEASE',
 			'com.google.code.gson:gson:2.8.6',
-			'org.bouncycastle:bcprov-jdk15on:1.64',
-			'com.microsoft.azure:adal4j:1.6.4',
-			'com.microsoft.azure:azure-keyvault:1.2.2',
-			'com.microsoft.azure:azure-keyvault-webkey:1.2.1',
+			'org.bouncycastle:bcprov-jdk15on:1.65',
+			'com.azure:azure-security-keyvault-keys:4.2.0',
+			'com.azure:azure-identity:1.1.0',
 			'com.h2database:h2:1.4.200'
 }

pom.xml

@@ -60,9 +60,8 @@
 		<releaseExt>-preview</releaseExt>
 
 		<!-- Driver Dependencies -->
-		<azure.keyvault.version>1.2.4</azure.keyvault.version>
-		<azure.adal4j.version>1.6.5</azure.adal4j.version>
-		<rest.client.version>1.7.4</rest.client.version>
+		<azure.keyvault.version>4.1.4</azure.keyvault.version>
+		<azure.identity.version>1.0.7</azure.identity.version>
 		<osgi.core.version>6.0.0</osgi.core.version>
 		<osgi.comp.version>5.0.0</osgi.comp.version>
 		<antlr.runtime.version>4.7.2</antlr.runtime.version>
@@ -86,22 +85,14 @@
 
 	<dependencies>
 		<dependency>
-			<groupId>com.microsoft.azure</groupId>
-			<artifactId>azure-keyvault</artifactId>
+			<groupId>com.azure</groupId>
+			<artifactId>azure-security-keyvault-keys</artifactId>
 			<version>${azure.keyvault.version}</version>
-			<optional>true</optional>
 		</dependency>
 		<dependency>
-			<groupId>com.microsoft.azure</groupId>
-			<artifactId>adal4j</artifactId>
-			<version>${azure.adal4j.version}</version>
-			<optional>true</optional>
-		</dependency>
-		<dependency>
-			<groupId>com.microsoft.rest</groupId>
-			<artifactId>client-runtime</artifactId>
-			<version>${rest.client.version}</version>
-			<optional>true</optional>
+			<groupId>com.azure</groupId>
+			<artifactId>azure-identity</artifactId>
+			<version>${azure.identity.version}</version>
 		</dependency>
 
 		<!-- dependencies for ANTLR -->

src/main/java/com/microsoft/sqlserver/jdbc/KeyVaultCredential.java

@@ -5,86 +5,117 @@
 
 package com.microsoft.sqlserver.jdbc;
 
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
-import java.util.concurrent.Future;
-
-import com.microsoft.aad.adal4j.AuthenticationContext;
-import com.microsoft.aad.adal4j.AuthenticationResult;
-import com.microsoft.aad.adal4j.ClientCredential;
-import com.microsoft.azure.keyvault.authentication.KeyVaultCredentials;
-
+import com.azure.core.annotation.Immutable;
+import com.azure.core.credential.AccessToken;
+import com.azure.core.credential.TokenCredential;
+import com.azure.core.credential.TokenRequestContext;
+import com.azure.core.util.logging.ClientLogger;
+import com.microsoft.aad.msal4j.ClientCredentialFactory;
+import com.microsoft.aad.msal4j.ClientCredentialParameters;
+import com.microsoft.aad.msal4j.ConfidentialClientApplication;
+import com.microsoft.aad.msal4j.IAuthenticationResult;
+import com.microsoft.aad.msal4j.IClientCredential;
+import com.microsoft.aad.msal4j.SilentParameters;
+import java.net.MalformedURLException;
+import java.time.OffsetDateTime;
+import java.time.ZoneOffset;
+import java.util.HashSet;
+import java.util.Objects;
+import java.util.concurrent.CompletableFuture;
+import reactor.core.publisher.Mono;
 
 /**
- * 
- * An implementation of ServiceClientCredentials that supports automatic bearer token refresh.
- *
+ * An AAD credential that acquires a token with a client secret for an AAD application.
  */
-class KeyVaultCredential extends KeyVaultCredentials {
-
-    SQLServerKeyVaultAuthenticationCallback authenticationCallback = null;
-    String clientId = null;
-    String clientKey = null;
-    String accessToken = null;
+@Immutable
+class KeyVaultCredential implements TokenCredential {
+    private final ClientLogger logger = new ClientLogger(KeyVaultCredential.class);
+    private final String clientId;
+    private final String clientSecret;
+    private String authorization;
+    private ConfidentialClientApplication confidentialClientApplication;
 
-    KeyVaultCredential(String clientId) throws SQLServerException {
+    /**
+     * Creates a KeyVaultCredential with the given identity client options.
+     *
+     * @param clientId the client ID of the application
+     * @param clientSecret the secret value of the AAD application.
+     */
+    KeyVaultCredential(String clientId, String clientSecret) {
+        Objects.requireNonNull(clientSecret, "'clientSecret' cannot be null.");
+        Objects.requireNonNull(clientSecret, "'clientId' cannot be null.");
         this.clientId = clientId;
+        this.clientSecret = clientSecret;
     }
 
-    KeyVaultCredential() {}
-
-    KeyVaultCredential(String clientId, String clientKey) {
-        this.clientId = clientId;
-        this.clientKey = clientKey;
+    @Override
+    public Mono<AccessToken> getToken(TokenRequestContext request) {
+        return authenticateWithConfidentialClientCache(request)
+                       .onErrorResume(t -> Mono.empty())
+                       .switchIfEmpty(Mono.defer(() -> authenticateWithConfidentialClient(request)));
     }
 
-    KeyVaultCredential(SQLServerKeyVaultAuthenticationCallback authenticationCallback) {
-        this.authenticationCallback = authenticationCallback;
+    public KeyVaultCredential setAuthorization(String authorization) {
+            if (this.authorization != null && this.authorization.equals(authorization)) {
+                return this;
+            }
+            this.authorization = authorization;
+            confidentialClientApplication = getConfidentialClientApplication();
+            return this;
     }
 
-    public String doAuthenticate(String authorization, String resource, String scope) {
-        String accessToken = null;
-        if (null == authenticationCallback) {
-            if (null == clientKey) {
-                try {
-                    SqlFedAuthToken token = SQLServerSecurityUtility.getMSIAuthToken(resource, clientId);
-                    accessToken = (null != token) ? token.accessToken : null;
-                } catch (Exception e) {
-                    throw new RuntimeException(e);
-                }
-            } else {
-                AuthenticationResult token = getAccessTokenFromClientCredentials(authorization, resource, clientId,
-                        clientKey);
-                accessToken = token.getAccessToken();
-            }
+    private ConfidentialClientApplication getConfidentialClientApplication() {
+        if (clientId == null) {
+            throw logger.logExceptionAsError(new IllegalArgumentException(
+                    "A non-null value for client ID must be provided for user authentication."));
+        }
+
+        if (authorization == null) {
+            throw logger.logExceptionAsError(new IllegalArgumentException(
+                    "A non-null value for authorization must be provided for user authentication."));
+        }
+
+        IClientCredential credential;
+        if (clientSecret != null) {
+            credential = ClientCredentialFactory.create(clientSecret);
         } else {
-            accessToken = authenticationCallback.getAccessToken(authorization, resource, scope);
+            throw logger.logExceptionAsError(
+                    new IllegalArgumentException("Must provide client secret."));
+        }
+        ConfidentialClientApplication.Builder applicationBuilder =
+                ConfidentialClientApplication.builder(clientId, credential);
+        try {
+            applicationBuilder = applicationBuilder.authority(authorization);
+        } catch (MalformedURLException e) {
+            throw logger.logExceptionAsWarning(new IllegalStateException(e));
         }
-        return accessToken;
+        return applicationBuilder.build();
     }
 
-    private static AuthenticationResult getAccessTokenFromClientCredentials(String authorization, String resource,
-            String clientId, String clientKey) {
-        AuthenticationContext context = null;
-        AuthenticationResult result = null;
-        ExecutorService service = null;
-        try {
-            service = Executors.newFixedThreadPool(1);
-            context = new AuthenticationContext(authorization, false, service);
-            ClientCredential credentials = new ClientCredential(clientId, clientKey);
-            Future<AuthenticationResult> future = context.acquireToken(resource, credentials, null);
-            result = future.get();
-        } catch (Exception e) {
-            throw new RuntimeException(e);
-        } finally {
-            if (null != service) {
-                service.shutdown();
+    private Mono<AccessToken> authenticateWithConfidentialClientCache(TokenRequestContext request) {
+        return Mono.fromFuture(() -> {
+            SilentParameters.SilentParametersBuilder parametersBuilder = SilentParameters
+                    .builder(new HashSet<>(request.getScopes()));
+            try {
+                return confidentialClientApplication.acquireTokenSilently(parametersBuilder.build());
+            } catch (MalformedURLException e) {
+                return getFailedCompletableFuture(logger.logExceptionAsError(new RuntimeException(e)));
             }
-        }
+        }).map(ar -> new AccessToken(ar.accessToken(),
+                OffsetDateTime.ofInstant(ar.expiresOnDate().toInstant(), ZoneOffset.UTC)))
+        .filter(t -> !t.isExpired());
+    }
 
-        if (null == result) {
-            throw new RuntimeException("authentication result was null");
-        }
-        return result;
+    private CompletableFuture<IAuthenticationResult> getFailedCompletableFuture(Exception e) {
+        CompletableFuture<IAuthenticationResult> completableFuture = new CompletableFuture<>();
+        completableFuture.completeExceptionally(e);
+        return completableFuture;
+    }
+
+    private Mono<AccessToken> authenticateWithConfidentialClient(TokenRequestContext request) {
+        return Mono.fromFuture(() -> confidentialClientApplication
+                .acquireToken(ClientCredentialParameters.builder(new HashSet<>(request.getScopes())).build()))
+                .map(ar -> new AccessToken(ar.accessToken(),
+                        OffsetDateTime.ofInstant(ar.expiresOnDate().toInstant(), ZoneOffset.UTC)));
     }
 }