Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[keyvault] add cae support #23543

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
+167 −17
Open

[keyvault] add cae support #23543

Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
e5e6d4b
cae-tests
gracewilcox Oct 3, 2024
4a4099f
update azcore
gracewilcox Oct 14, 2024
5821ca7
version
gracewilcox Oct 14, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
144 changes: 144 additions & 0 deletions sdk/security/keyvault/internal/challenge_policy_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,150 @@ func TestChallengePolicy(t *testing.T) {
}
}

var (
accessTk = "***"
kvChallenge = `Bearer authorization="https://login.microsoftonline.com/tenant", resource="https://vault.azure.net"`
Comment on lines +104 to +105
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider sharing these constants with the test above

caeChallenge1 = `Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", error="insufficient_claims", claims="dGVzdGluZzE="`
caeChallenge2 = `Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", error="insufficient_claims", claims="dGVzdGluZzI="`
)

func TestChallengePolicy_CAE(t *testing.T) {
srv, close := mock.NewServer(mock.WithTransformAllRequestsToTestServerUrl())
defer close()
srv.AppendResponse(
mock.WithHeader("WWW-Authenticate", kvChallenge),
mock.WithStatusCode(401),
)
srv.AppendResponse()
srv.AppendResponse(
mock.WithHeader("WWW-Authenticate", caeChallenge1),
mock.WithStatusCode(401),
)
srv.AppendResponse()

tkReqs := 0
cred := credentialFunc(func(ctx context.Context, tro policy.TokenRequestOptions) (azcore.AccessToken, error) {
require.True(t, tro.EnableCAE)
tkReqs += 1
switch tkReqs {
case 1:
require.Empty(t, tro.Claims)
case 2:
// second call should include challenge claims
require.Equal(t, "testing1", tro.Claims)
default:
t.Fatal("unexpected token request")
}
return azcore.AccessToken{Token: accessTk, ExpiresOn: time.Now().Add(time.Hour)}, nil
})
p := NewKeyVaultChallengePolicy(cred, nil)
pl := runtime.NewPipeline("", "",
runtime.PipelineOptions{PerRetry: []policy.Policy{p}},
&policy.ClientOptions{Transport: srv},
)

// req 1 kv then regular
req, err := runtime.NewRequest(context.Background(), "GET", "https://42.vault.azure.net")
require.NoError(t, err)
res, err := pl.Do(req)
require.NoError(t, err)
require.Equal(t, 200, res.StatusCode)
require.Equal(t, tkReqs, 1)

// req 2 cae
req, err = runtime.NewRequest(context.Background(), "GET", "https://42.vault.azure.net")
require.NoError(t, err)
res, err = pl.Do(req)
require.NoError(t, err)
require.Equal(t, 200, res.StatusCode)
require.Equal(t, tkReqs, 2)
}

func TestChallengePolicy_KVThenCAE(t *testing.T) {
srv, close := mock.NewServer(mock.WithTransformAllRequestsToTestServerUrl())
defer close()
srv.AppendResponse(
mock.WithHeader("WWW-Authenticate", kvChallenge),
mock.WithStatusCode(401),
)
srv.AppendResponse(
mock.WithHeader("WWW-Authenticate", caeChallenge1),
mock.WithStatusCode(401),
)
srv.AppendResponse()

tkReqs := 0
cred := credentialFunc(func(ctx context.Context, tro policy.TokenRequestOptions) (azcore.AccessToken, error) {
require.True(t, tro.EnableCAE)
tkReqs += 1
switch tkReqs {
case 1:
require.Empty(t, tro.Claims)
case 2:
// second call should include challenge claims
require.Equal(t, "testing1", tro.Claims)
default:
t.Fatal("unexpected token request")
}
return azcore.AccessToken{Token: accessTk, ExpiresOn: time.Now().Add(time.Hour)}, nil
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please also check that the policy uses the correct access token after handling the CAE challenge? Something simple like this should do in the credential:

Suggested change
return azcore.AccessToken{Token: accessTk, ExpiresOn: time.Now().Add(time.Hour)}, nil
return azcore.AccessToken{Token: fmt.Sprint(tkReqs), ExpiresOn: time.Now().Add(time.Hour)}, nil

...then a predicate in the AppendResponse calls can compare the actual value of the Authorization header

})
p := NewKeyVaultChallengePolicy(cred, nil)
pl := runtime.NewPipeline("", "",
runtime.PipelineOptions{PerRetry: []policy.Policy{p}},
&policy.ClientOptions{Transport: srv},
)
req, err := runtime.NewRequest(context.Background(), "GET", "https://42.vault.azure.net")
require.NoError(t, err)
res, err := pl.Do(req)
require.NoError(t, err)
require.Equal(t, 200, res.StatusCode)
require.Equal(t, tkReqs, 2)
}

func TestChallengePolicy_TwoCAEChallenges(t *testing.T) {
srv, close := mock.NewServer(mock.WithTransformAllRequestsToTestServerUrl())
defer close()
srv.AppendResponse(
mock.WithHeader("WWW-Authenticate", kvChallenge),
mock.WithStatusCode(401),
)
srv.AppendResponse(
gracewilcox marked this conversation as resolved.
Show resolved Hide resolved
mock.WithHeader("WWW-Authenticate", caeChallenge1),
mock.WithStatusCode(401),
)
srv.AppendResponse(
mock.WithHeader("WWW-Authenticate", caeChallenge2),
mock.WithStatusCode(401),
)
tkReqs := 0
cred := credentialFunc(func(ctx context.Context, tro policy.TokenRequestOptions) (azcore.AccessToken, error) {
require.True(t, tro.EnableCAE)
tkReqs += 1
switch tkReqs {
case 1:
require.Empty(t, tro.Claims)
case 2:
// second call should include challenge claims
require.Equal(t, "testing1", tro.Claims)
default:
t.Fatal("unexpected token request")
}
return azcore.AccessToken{Token: accessTk, ExpiresOn: time.Now().Add(time.Hour)}, nil
})
p := NewKeyVaultChallengePolicy(cred, nil)
pl := runtime.NewPipeline("", "",
runtime.PipelineOptions{PerRetry: []policy.Policy{p}},
&policy.ClientOptions{Transport: srv},
)
req, err := runtime.NewRequest(context.Background(), "GET", "https://42.vault.azure.net")
require.NoError(t, err)
res, err := pl.Do(req)
require.NoError(t, err)
require.Equal(t, 401, res.StatusCode)
require.Equal(t, caeChallenge2, res.Header.Get("WWW-Authenticate"))
require.Equal(t, tkReqs, 2)
}

func TestParseTenant(t *testing.T) {
actual := parseTenant("")
require.Empty(t, actual)
Expand Down
Loading