Configure cloud from keyvault uri

sdk/keyvault/azure-security-keyvault-jca/README.md

@@ -38,15 +38,14 @@ az keyvault create --resource-group <your-resource-group-name> --name <your-key-
 ### Server side SSL
 If you are looking to integrate the JCA provider to create an SSLServerSocket see the example below.
 
-<!-- embedme ./src/samples/java/com/azure/security/keyvault/jca/ServerSSLSample.java#L18-L37 -->
+<!-- embedme ./src/samples/java/com/azure/security/keyvault/jca/ServerSSLSample.java#L18-L36 -->
 ```java
 KeyVaultJcaProvider provider = new KeyVaultJcaProvider();
 Security.addProvider(provider);
 
 KeyStore keyStore = KeyStore.getInstance("AzureKeyVault");
 KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
     System.getProperty("azure.keyvault.uri"),
-    System.getProperty("azure.keyvault.aad-authentication-url"),
     System.getProperty("azure.keyvault.tenant-id"),
     System.getProperty("azure.keyvault.client-id"),
     System.getProperty("azure.keyvault.client-secret"));
@@ -67,15 +66,14 @@ Note if you want to use Azure Managed Identity, you should set the value of `azu
 ### Client side SSL
 If you are looking to integrate the JCA provider for client side socket connections, see the Apache HTTP client example below.
 
-<!-- embedme ./src/samples/java/com/azure/security/keyvault/jca/ClientSSLSample.java#L28-L68 -->
+<!-- embedme ./src/samples/java/com/azure/security/keyvault/jca/ClientSSLSample.java#L28-L67 -->
 ```java
 KeyVaultJcaProvider provider = new KeyVaultJcaProvider();
 Security.addProvider(provider);
 
 KeyStore keyStore = KeyStore.getInstance("AzureKeyVault");
 KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
     System.getProperty("azure.keyvault.uri"),
-    System.getProperty("azure.keyvault.aad-authentication-url"),
     System.getProperty("azure.keyvault.tenant-id"),
     System.getProperty("azure.keyvault.client-id"),
     System.getProperty("azure.keyvault.client-secret"));

sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultClient.java

@@ -34,6 +34,7 @@
 import java.util.Optional;
 import java.util.logging.Logger;
 
+import static com.azure.security.keyvault.jca.UriUtil.getAADLoginURIByKeyVaultBaseUri;
 import static java.util.logging.Level.INFO;
 import static java.util.logging.Level.WARNING;
 
@@ -46,12 +47,18 @@ class KeyVaultClient extends DelegateRestClient {
      * Stores the logger.
      */
     private static final Logger LOGGER = Logger.getLogger(KeyVaultClient.class.getName());
+    private static final String HTTPS_PREFIX = "https://";
 
     /**
      * Stores the API version postfix.
      */
     private static final String API_VERSION_POSTFIX = "?api-version=7.1";
 
+    /**
+     * Stores the Key Vault cloud URI.
+     */
+    private String keyVaultBaseUri;
+
     /**
      * Stores the Azure Key Vault URL.
      */
@@ -85,51 +92,65 @@ class KeyVaultClient extends DelegateRestClient {
     private String managedIdentity;
 
     /**
-     * Constructor.
+     * Constructor for authentication with system-assigned managed identity.
      *
      * @param keyVaultUri the Azure Key Vault URI.
      */
     KeyVaultClient(String keyVaultUri) {
-        super(RestClientFactory.createClient());
-        LOGGER.log(INFO, "Using Azure Key Vault: {0}", keyVaultUri);
-        if (!keyVaultUri.endsWith("/")) {
-            keyVaultUri = keyVaultUri + "/";
-        }
-        this.keyVaultUrl = keyVaultUri;
+        this(keyVaultUri, null, null, null, null);
     }
 
     /**
-     * Constructor.
+     * Constructor for authentication with user-assigned managed identity.
      *
      * @param keyVaultUri the Azure Key Vault URI.
-     * @param managedIdentity the managed identity object ID.
+     * @param managedIdentity the user-assigned managed identity object ID.
      */
     KeyVaultClient(String keyVaultUri, String managedIdentity) {
-        super(RestClientFactory.createClient());
-        LOGGER.log(INFO, "Using Azure Key Vault: {0}", keyVaultUri);
-        if (!keyVaultUri.endsWith("/")) {
-            keyVaultUri = keyVaultUri + "/";
-        }
-        this.keyVaultUrl = keyVaultUri;
-        this.managedIdentity = managedIdentity;
+        this(keyVaultUri, null, null, null, managedIdentity);
+    }
+
+    /**
+     * Constructor for authentication with service principal.
+     *
+     * @param keyVaultUri the Azure Key Vault URI.
+     * @param tenantId the tenant ID.
+     * @param clientId the client ID.
+     * @param clientSecret the client secret.
+     */
+    KeyVaultClient(final String keyVaultUri, final String tenantId, final String clientId, final String clientSecret) {
+        this(keyVaultUri, tenantId, clientId, clientSecret, null);
     }
 
+
     /**
      * Constructor.
      *
      * @param keyVaultUri the Azure Key Vault URI.
-     * @param aadAuthenticationUrl the Azure AD authentication URL.
      * @param tenantId the tenant ID.
      * @param clientId the client ID.
      * @param clientSecret the client secret.
+     * @param managedIdentity the user-assigned managed identity object ID.
      */
-    KeyVaultClient(final String keyVaultUri, final String aadAuthenticationUrl,
-            final String tenantId, final String clientId, final String clientSecret) {
-        this(keyVaultUri);
-        this.aadAuthenticationUrl = aadAuthenticationUrl;
+    KeyVaultClient(String keyVaultUri, String tenantId, String clientId, String clientSecret, String managedIdentity) {
+        super(RestClientFactory.createClient());
+        LOGGER.log(INFO, "Using Azure Key Vault: {0}", keyVaultUri);
+        if (!keyVaultUri.endsWith("/")) {
+            keyVaultUri = keyVaultUri + "/";
+        }
+        this.keyVaultUrl = keyVaultUri;
+        //Base Uri shouldn't end with a slash.
+        String domainNameSuffix = Optional.of(keyVaultUri)
+                                          .map(uri -> uri.split("\\.", 2)[1])
+                                          .map(suffix -> suffix.substring(0, suffix.length() - 1))
+                                          .get();
+        keyVaultBaseUri = HTTPS_PREFIX + domainNameSuffix;
+        aadAuthenticationUrl = getAADLoginURIByKeyVaultBaseUri(keyVaultBaseUri);
+
         this.tenantId = tenantId;
         this.clientId = clientId;
         this.clientSecret = clientSecret;
+        this.managedIdentity = managedIdentity;
     }
 
     /**
@@ -143,7 +164,7 @@ private String getAccessToken() {
         try {
             AuthClient authClient = new AuthClient();
 
-            String resource = URLEncoder.encode("https://vault.azure.net", "UTF-8");
+            String resource = URLEncoder.encode(keyVaultBaseUri, "UTF-8");
             if (managedIdentity != null) {
                 managedIdentity = URLEncoder.encode(managedIdentity, "UTF-8");
             }
@@ -326,4 +347,12 @@ private PrivateKey createPrivateKeyFromPem(String pemString)
         KeyFactory factory = KeyFactory.getInstance("RSA");
         return factory.generatePrivate(spec);
     }
+
+    String getKeyVaultBaseUri() {
+        return keyVaultBaseUri;
+    }
+
+    String getAadAuthenticationUrl() {
+        return aadAuthenticationUrl;
+    }
 }

sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java

@@ -93,13 +93,12 @@ public final class KeyVaultKeyStore extends KeyStoreSpi {
     public KeyVaultKeyStore() {
         creationDate = new Date();
         String keyVaultUri = System.getProperty("azure.keyvault.uri");
-        String aadAuthenticationUrl = System.getProperty("azure.keyvault.aad-authentication-url");
         String tenantId = System.getProperty("azure.keyvault.tenant-id");
         String clientId = System.getProperty("azure.keyvault.client-id");
         String clientSecret = System.getProperty("azure.keyvault.client-secret");
         String managedIdentity = System.getProperty("azure.keyvault.managed-identity");
         if (clientId != null) {
-            keyVaultClient = new KeyVaultClient(keyVaultUri, aadAuthenticationUrl, tenantId, clientId, clientSecret);
+            keyVaultClient = new KeyVaultClient(keyVaultUri, tenantId, clientId, clientSecret);
         } else {
             keyVaultClient = new KeyVaultClient(keyVaultUri, managedIdentity);
         }
@@ -226,7 +225,6 @@ public void engineLoad(KeyStore.LoadStoreParameter param) {
             if (parameter.getClientId() != null) {
                 keyVaultClient = new KeyVaultClient(
                         parameter.getUri(),
-                        parameter.getAadAuthenticationUrl(),
                         parameter.getTenantId(),
                         parameter.getClientId(),
                         parameter.getClientSecret());

sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultLoadStoreParameter.java

@@ -10,18 +10,11 @@
  */
 public class KeyVaultLoadStoreParameter implements KeyStore.LoadStoreParameter {
 
-    private static final String DEFAULT_AAD_AUTHENTICATION_URL = "https://login.microsoftonline.com/";
-
     /**
      * Stores the URI.
      */
     private final String uri;
 
-    /**
-     * Stores the Azure AD authentication URL.
-     */
-    private final String aadAuthenticationUrl;
-
     /**
      * Stores the tenant id.
      */
@@ -59,7 +52,6 @@ public KeyVaultLoadStoreParameter(String uri) {
      */
     public KeyVaultLoadStoreParameter(String uri, String managedIdentity) {
         this.uri = uri;
-        this.aadAuthenticationUrl = null;
         this.tenantId = null;
         this.clientId = null;
         this.clientSecret = null;
@@ -75,23 +67,7 @@ public KeyVaultLoadStoreParameter(String uri, String managedIdentity) {
      * @param clientSecret the client secret.
      */
     public KeyVaultLoadStoreParameter(String uri, String tenantId, String clientId, String clientSecret) {
-        this(uri, DEFAULT_AAD_AUTHENTICATION_URL, tenantId, clientId, clientSecret);
-    }
-
-
-    /**
-     * Constructor.
-     *
-     * @param uri the Azure Key Vault URI.
-     * @param aadAuthenticationUrl the Azure AD authentication URL.
-     * @param tenantId the tenant ID.
-     * @param clientId the client ID.
-     * @param clientSecret the client secret.
-     */
-    public KeyVaultLoadStoreParameter(String uri, String aadAuthenticationUrl,
-            String tenantId, String clientId, String clientSecret) {
         this.uri = uri;
-        this.aadAuthenticationUrl = aadAuthenticationUrl;
         this.tenantId = tenantId;
         this.clientId = clientId;
         this.clientSecret = clientSecret;
@@ -109,15 +85,6 @@ public KeyStore.ProtectionParameter getProtectionParameter() {
         return null;
     }
 
-    /**
-     * Get the Azure AD authentication URL.
-     *
-     * @return the Azure AD authentication URL.
-     */
-    public String getAadAuthenticationUrl() {
-        return aadAuthenticationUrl;
-    }
-
     /**
      * Get the client id.
      *

sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/UriUtil.java

@@ -0,0 +1,41 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.security.keyvault.jca;
+
+/**
+ * Constants used for Key Vault related URLs.
+ */
+public class UriUtil {
+
+    public static final String KEY_VAULT_BASE_URI_GLOBAL = "https://vault.azure.net";
+    public static final String KEY_VAULT_BASE_URI_CN = "https://vault.azure.cn";
+    public static final String KEY_VAULT_BASE_URI_US = "https://vault.usgovcloudapi.net";
+    public static final String KEY_VAULT_BASE_URI_DE = "https://vault.microsoftazure.de";
+
+    public static final String AAD_LOGIN_URI_GLOBAL = "https://login.microsoftonline.com/";
+    public static final String AAD_LOGIN_URI_CN = "https://login.partner.microsoftonline.cn/";
+    public static final String AAD_LOGIN_URI_US = "https://login.microsoftonline.us/";
+    public static final String AAD_LOGIN_URI_DE = "https://login.microsoftonline.de/";
+
+    static String getAADLoginURIByKeyVaultBaseUri(String keyVaultBaseUri) {
+        String aadAuthenticationUrl;
+        switch (keyVaultBaseUri) {
+            case KEY_VAULT_BASE_URI_GLOBAL :
+                aadAuthenticationUrl = AAD_LOGIN_URI_GLOBAL;
+                break;
+            case KEY_VAULT_BASE_URI_CN :
+                aadAuthenticationUrl = AAD_LOGIN_URI_CN;
+                break;
+            case KEY_VAULT_BASE_URI_US :
+                aadAuthenticationUrl = AAD_LOGIN_URI_US;
+                break;
+            case KEY_VAULT_BASE_URI_DE:
+                aadAuthenticationUrl = AAD_LOGIN_URI_DE;
+                break;
+            default:
+                throw new IllegalArgumentException("Property of azure.keyvault.uri is illegal.");
+        }
+        return aadAuthenticationUrl;
+    }
+}

sdk/keyvault/azure-security-keyvault-jca/src/samples/java/com/azure/security/keyvault/jca/ClientSSLSample.java

@@ -31,7 +31,6 @@ public static void main(String[] args) throws Exception {
         KeyStore keyStore = KeyStore.getInstance("AzureKeyVault");
         KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
             System.getProperty("azure.keyvault.uri"),
-            System.getProperty("azure.keyvault.aad-authentication-url"),
             System.getProperty("azure.keyvault.tenant-id"),
             System.getProperty("azure.keyvault.client-id"),
             System.getProperty("azure.keyvault.client-secret"));

sdk/keyvault/azure-security-keyvault-jca/src/samples/java/com/azure/security/keyvault/jca/ServerSSLSample.java

@@ -21,7 +21,6 @@ public static void main(String[] args) throws Exception {
         KeyStore keyStore = KeyStore.getInstance("AzureKeyVault");
         KeyVaultLoadStoreParameter parameter = new KeyVaultLoadStoreParameter(
             System.getProperty("azure.keyvault.uri"),
-            System.getProperty("azure.keyvault.aad-authentication-url"),
             System.getProperty("azure.keyvault.tenant-id"),
             System.getProperty("azure.keyvault.client-id"),
             System.getProperty("azure.keyvault.client-secret"));