Updated KeyVaultCredentialPolicy to extend BearerTokenAuthenticationPolicy in Key Vault clients.
#24199
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…icationPolicy in Key Vault clients. Removed the KeyVaultCredentialPolicy and ScopeTokeCache classes from all Track 2 Key Vault libraries.
vcolin7
requested review from
JonathanGiles,
mssfang and
samvaity
as code owners
ghost
added
the
|
/azp run java - keyvault - tests |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run java - keyvault - tests |
|
Azure Pipelines successfully started running 1 pipeline(s). |
…creating a new instance in client builders, tests and samples.
|
/azp run java - keyvault - tests |
|
Azure Pipelines successfully started running 1 pipeline(s). |
...main/java/com/azure/security/keyvault/administration/KeyVaultAccessControlClientBuilder.java
Outdated
Show resolved
Hide resolved
Hi @alzimmermsft, according to @g2vinay, the current implementation of |
|
/azp run java - keyvault - tests |
|
Azure Pipelines successfully started running 1 pipeline(s). |
g2vinay
reviewed
Sep 21, 2021
| @@ -156,7 +158,7 @@ public KeyVaultAccessControlAsyncClient buildAsyncClient() { | |||
| // Add retry policy. | |||
| policies.add(retryPolicy == null ? new RetryPolicy() : retryPolicy); | |||
|
|
|||
| policies.add(new KeyVaultCredentialPolicy(credential)); | |||
| policies.add(new BearerTokenAuthenticationPolicy(credential, MANAGED_HSM_SCOPE)); | |||
There was a problem hiding this comment.
In order to utilize the Challenge Based Auth Support in BTA policy from azure-core
we need to create a custom policy in KV package that doesn't hard code the scopes as above.
The scopes and tenant id are dynamically parsed in KV challenge that gets returned back from the service.
Here's the .NET impl for reference: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/keyvault/Azure.Security.KeyVault.Shared/src/ChallengeBasedAuthenticationPolicy.cs#L13
You can port that over to Java and then utilize that policy here, instead of above.
…BearerTokenAuthenticationPolicy while extracting the scope provided in bearer challenges returned by the Key Vault service.
vcolin7
changed the title
KeyVaultCredentialPolicy with BearerTokenAuthenticationPolicy in Key Vault clients.KeyVaultCredentialPolicy to extend BearerTokenAuthenticationPolicy in Key Vault clients.
|
/azp run java - keyvault - tests |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run java - keyvault - tests |
|
Azure Pipelines successfully started running 1 pipeline(s). |
…a request as null, but an empty String instead.
|
Azure Pipelines successfully started running 1 pipeline(s). |
…tent of the request being originally sent were null from the beginning.
|
/azp run java - keyvault - tests |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run java - keyvault - tests |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run java - keyvault - tests |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run java - keyvault - tests |
|
Azure Pipelines successfully started running 1 pipeline(s). |
...java/com/azure/security/keyvault/administration/implementation/KeyVaultCredentialPolicy.java
Outdated
Show resolved
Hide resolved
| @@ -21,12 +21,6 @@ | |||
| "Pool": "azsdk-pool-mms-ubuntu-2004-general", | |||
| "TestGoals": "surefire:test", | |||
| "TestFromSource": true | |||
| }, | |||
| "windows-2019_am_verify": { | |||
There was a problem hiding this comment.
Any reason why this was removed?
There was a problem hiding this comment.
Running two HSM tests in parallel sometimes made it problematic for some scenarios, for example, you cannot run a restore operation while another one is in progress. The FromSource build already runs a verify step so I though it is would be redundant to have a separate verify run.
alzimmermsft
approved these changes
Sep 29, 2021
g2vinay
reviewed
Sep 29, 2021
...java/com/azure/security/keyvault/administration/implementation/KeyVaultCredentialPolicy.java
Outdated
Show resolved
Hide resolved
g2vinay
reviewed
Sep 29, 2021
...java/com/azure/security/keyvault/administration/implementation/KeyVaultCredentialPolicy.java
Outdated
Show resolved
Hide resolved
g2vinay
reviewed
Sep 29, 2021
...java/com/azure/security/keyvault/administration/implementation/KeyVaultCredentialPolicy.java
Outdated
Show resolved
Hide resolved
g2vinay
reviewed
Sep 29, 2021
...java/com/azure/security/keyvault/administration/implementation/KeyVaultCredentialPolicy.java
Outdated
Show resolved
Hide resolved
rickle-msft
added a commit
that referenced
this pull request
Oct 4, 2021
* ADT ownership transitioning (#24404) * Remove SchemaRegistryClient caching (#24380) * Remove builder caching references. * Remove caching from SchemaRegistryAsyncClient. Make methods public for Response. * Remove cached tests. * Adding service annotation. * [Amqp-core, EH]: Prepending namespace|entitypath consistenty in log, first untrack processor subscriber then notify and adding retry to EventHubConsumer[Receiver]Client (#24417) * Added encryption scope blob sas * Hide HttpHeaders.toMultiMap API (#24428) * . (#24440) * mgmt, bug fix, container group without ports (#24418) * Update TRC in Azure Core (#24436) * Sync eng/common directory with azure-sdk-tools for PR 2046 (#24431) * Pass package name from calling pipeline to uniquely identify pull request review * Update log summary * Update eng/common/scripts/Detect-Api-Changes.ps1 Co-authored-by: Wes Haggard <weshaggard@users.noreply.github.com> Co-authored-by: praveenkuttappan <prmarott@microsoft.com> Co-authored-by: praveenkuttappan <55455725+praveenkuttappan@users.noreply.github.com> Co-authored-by: Wes Haggard <weshaggard@users.noreply.github.com> * Enable API change detection in PR pipeline (#24234) * Enable API change detection in PR pipeline * Communication: Add TokenCredentialAddHostHeaderPolicy for TokenCredential Requests (#24442) * Communication: Add TokenCredentialAdditionalHeaderPolicy for CallingServerClientBuilder * Add TokenCredentialAddHostHeaderPolicyTests * Fixing comment * Use URL class to get hostname * Fix style errors Co-authored-by: Melissa Neubert <mneubert@microsoft.com> * Add Compliance stage with policheck (#24276) * Add Compliance stage with policheck * Add vmImage pool * Fix issues flagged by PoliCheck * Move credscan into the compliance stage * update readme for storage libraries to include BOM information. (#22858) update readme for storage libraries * Enable dependency validation of a single library (#24241) * Enable validation of a library via it's POM file. * Incorporate feedback and remove unused code. * PR feedback * Move Form Recognizer beta to public (#24453) * Increment version for appconfiguration releases (#24450) * Rename certificates-refresh-interval to certificates-refresh-interval--in-ms in keyvault jca (#24339) * Prepare to release azure-spring-bom and azure-spring-cloud-dependencies. (#24425) * mgmt, support validateMoveResources (#24465) * Updated `KeyVaultCredentialPolicy` to extend `BearerTokenAuthenticationPolicy` in Key Vault clients. (#24199) * Replaced all uses of KeyVaultCredentialPolicy with BearerTokenAuthenticationPolicy in Key Vault clients. Removed the KeyVaultCredentialPolicy and ScopeTokeCache classes from all Track 2 Key Vault libraries. * We now pass the appropriate scope to BearerTokenAuthenticationPolicy creating a new instance in client builders, tests and samples. * Added tests and recordings for KEK tests on MHSM. Fixed and cleaned up tests. * Removed unused imports. * Renamed MHSM_SCOPE to MANAGED_HSM_SCOPE in all client builders. * Reintroduced KeyVaultCredentialPolicy and modified it to extend from BearerTokenAuthenticationPolicy while extracting the scope provided in bearer challenges returned by the Key Vault service. * Fixed CvheckStyle errors. * Made changes to KeyVaultCredentialPolicy so we don't set the body of a request as null, but an empty String instead. * Removed scope constants from Key vault client builders. * Attempted to fix flaky live tests. * Removed verify test for HSM as the FromSource test already verifies the build's code coverage and running in parallel against the same HSM can cause problems for some tests. * Reverted KeyVaultCredentialPolicy in all libraries to set the request body to null instead of an empty string when sending the first unauthenticated request to get a bearer challenge. Also stored the value of the "Content-Length" header in the pipeline context for use in a subsequent request. * Fixed KV Administration client live tests that failed due to the authentication policy changes. Also fixed some flaky live tests. * Fixed CheckStyle issues. * Fixed another CheckStyle issue. * Fixed issue that caused an NPE in KeyVaultCredentialPolicy if the content of the request being originally sent were null from the beginning. * Updated KeyVaultCredentialPolicy in all other libraries. * Made an attempt at fixing the backup async live tests. * Added sleep timer when running against service for restore operations. * Applied PR feedback. * [Storage] Try GMavenPlus to unblock Java 17 adoption. (#24471) * lets try. * fix java8 * fix java8 again:/ * track 1 * Update Form recognizer readme (#24476) * [Storage] Bump Groovy version to 3 that works with Java 17. (#24477) * bump groovy version * Revert "bump groovy version" This reverts commit a80c805. * use different spocks depending on java version. * rename. * Use New Javadoc Codesnippet Tooling to Support Java 17 (#24475) Use New Javadoc Snippet Tooling to Support Java 17 * Delete unused tests pipeline for track 1 blob package (#24488) * [Storage] Fix track 1 tests. (#24490) * Fix track 1 tests. * revert that. * Use Different Dummy Javadoc Option (#24491) * Update Jackson, Netty, and Reactor Versions (#24312) * Adding additional logging to ReactorDispatcher and ReactorExecutor. Adding closing logic (#24457) * Closing ReactorExecutor if it has never been run. * Adding documentation to ReactorDispatcher. * Updating ReactorExecutor to schedule close work when reactor has not started or scheduler is closed. * Adding tests. * In method invocations, adding catch for RejectedExecutionException in the case that the scheduler is disposed. * Adding assertion for ReactorExecutorTest that an onError is also called. * Adding documentatioln to reactor connection and timeout to closing execturo. * Splitting try/catch conditions. * Add documentation to RequestResponseChannel. * Using testPublisher for AmqpChannelProcessorTest. Using Flux.never(). * Adding Andy to the IoT CODEOWNERS (#24438) Adding Andy to the IoT CODEOWNERS * [Form Recognizer] Update to latest swagger (#24494) * Update docker-start-proxy.ps1 (#24495) Update to the latest version of the container Co-authored-by: Sean Kane <68240067+seankane-msft@users.noreply.github.com> * Added support for Key Rotation. (#24452) * Added support for Key Rotation. * Added tests and updated recordings where necessary. * Added code snippets for Key Rotation. Updated client documentation and existing code snippets. * Applied PR feedback. * Removed unused import. * Updated releaseKey test for MHSM. * Fixed tests after merge from main. * Renamed Mixed Audio models ( Addressed comments in apiview ) (#24481) * Suggestions after apiview review * Changes for the comments of API Review * tests added back * Added StartRecordingOptions class * Annotation added for new class * Setters return type changed * Renaming enum names ( feedback on APIView review ) Co-authored-by: Ninika Sharma <ninsharm@microsoft.com> * Prepare Azure Core Libraries for October 2021 Release (#24498) Prepare Azure Core Libraries for October 2021 Release * [EventGrid] Regenerate code using the latest rest commit sha (#24482) * Add Storage Live Test Run to Core Live Test Run (#24499) Add Storage Live Test Run to Core Live Test Run * [Storage] Run CI and live tests on Java 17 (#24492) * does this work? * try this. * Revert "try this." This reverts commit f157e60. * does this help ? * hmm? * hungry? * use java 17 in ci. * fix at least nio. * move it. * fixes. * disable these tests on java 17. CGLib doesn't work * fix that. * add support for setting throughput on database creation (#24456) * add support for setting throughput on database creation * added section to readme * removed locale from links * fix checkstyle issues * do not overwrite cosmosTemplate * Increment version for core releases (#24504) Increment package version after release of Core libraries * fix(*): use library RedirectPolicy now that it is available (#24502) * Fix azure-core-http-jdk-httpclient Tests (#24511) Fix azure-core-http-jdk-httpclient Tests * Add Form recognizer migration guide (#24472) * Fixed some test build failures Co-authored-by: David R. Williamson <drwill@microsoft.com> Co-authored-by: Connie Yau <conniey@microsoft.com> Co-authored-by: Anu Thomas Chandy <anuamd@hotmail.com> Co-authored-by: Alan Zimmer <48699787+alzimmermsft@users.noreply.github.com> Co-authored-by: Soyoung Eom <soeom@microsoft.com> Co-authored-by: Weidong Xu <weidxu@microsoft.com> Co-authored-by: Vinay Gera <vigera@microsoft.com> Co-authored-by: Azure SDK Bot <53356347+azure-sdk@users.noreply.github.com> Co-authored-by: praveenkuttappan <prmarott@microsoft.com> Co-authored-by: praveenkuttappan <55455725+praveenkuttappan@users.noreply.github.com> Co-authored-by: Wes Haggard <weshaggard@users.noreply.github.com> Co-authored-by: Melissa Neubert <melissa.neubert1@gmail.com> Co-authored-by: Melissa Neubert <mneubert@microsoft.com> Co-authored-by: Chidozie Ononiwu (His Righteousness) <31145988+chidozieononiwu@users.noreply.github.com> Co-authored-by: Pallavi Taneja <pallavit@users.noreply.github.com> Co-authored-by: Sameeksha Vaity <savaity@microsoft.com> Co-authored-by: liuzhicheng <70368631+zhichengliu12581@users.noreply.github.com> Co-authored-by: Rujun Chen <Rujun.Chen@microsoft.com> Co-authored-by: vcolin7 <vicolina@microsoft.com> Co-authored-by: Kamil Sobol <61715331+kasobol-msft@users.noreply.github.com> Co-authored-by: jamdavi <73593426+jamdavi@users.noreply.github.com> Co-authored-by: Sean Kane <68240067+seankane-msft@users.noreply.github.com> Co-authored-by: ninikasharma <67986119+ninikasharma@users.noreply.github.com> Co-authored-by: Ninika Sharma <ninsharm@microsoft.com> Co-authored-by: Shawn Fang <45607042+mssfang@users.noreply.github.com> Co-authored-by: Blackbaud-MikeLueders <Blackbaud-MikeLueders@users.noreply.github.com> Co-authored-by: Christian Whitehead (MSFT) <35080559+chrwhit@users.noreply.github.com>
|
@vcolin7 , could you please let us know in which version of the jar this fix is available. Thanks. |
azure-sdk
pushed a commit
to azure-sdk/azure-sdk-for-java
that referenced
this pull request
Jun 2, 2023
[TypeSpec] Remove "./" from tspconfig.yaml (Azure#24199) - Prefix is unnecessary and clutters config
azure-sdk
pushed a commit
to azure-sdk/azure-sdk-for-java
that referenced
this pull request
Jun 2, 2023
[TypeSpec] Remove "./" from tspconfig.yaml (Azure#24199) - Prefix is unnecessary and clutters config
azure-sdk
pushed a commit
to azure-sdk/azure-sdk-for-java
that referenced
this pull request
Jun 2, 2023
[TypeSpec] Remove "./" from tspconfig.yaml (Azure#24199) - Prefix is unnecessary and clutters config
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #10381.
Fixes: #23556.
Also removed the internal
ScopeTokeCacheclass from all Track 2 Key Vault libraries and fixed live tests to reduce flakiness.