Merge pull request Azure#577 from herveyw/master

Fix KeyVaultKey to not attempt to load RSA Private Key

Author: jianghaolu

services/keyvault/azure-keyvault-extensions/pom.xml

@@ -54,10 +54,12 @@
     <dependency>
       <groupId>${project.groupId}</groupId>
       <artifactId>azure-keyvault</artifactId>
+      <version>${project.version}</version>
     </dependency>
     <dependency>
       <groupId>${project.groupId}</groupId>
       <artifactId>azure-keyvault-core</artifactId>
+      <version>${project.version}</version>
     </dependency>
     <dependency>
       <groupId>junit</groupId>
@@ -69,19 +71,38 @@
       <artifactId>bcprov-jdk16</artifactId>
       <scope>test</scope>
     </dependency>
+
+    <!-- Test dependencies -->
+    <dependency>
+      <groupId>${project.groupId}</groupId>
+      <artifactId>azure-core-test</artifactId>
+      <version>${project.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.hamcrest</groupId>
+      <artifactId>hamcrest-all</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-all</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcprov-jdk16</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>com.github.tomakehurst</groupId>
+      <artifactId>wiremock</artifactId>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
-  <dependencyManagement>
-  	<dependencies>
-  		<dependency>
-  			<groupId>${project.groupId}</groupId>
-  			<artifactId>azure-keyvault</artifactId>
-  			<version>${project.version}</version>
-  		</dependency>
-  		<dependency>
-  			<groupId>${project.groupId}</groupId>
-  			<artifactId>azure-keyvault-core</artifactId>
-  			<version>${project.version}</version>
-  		</dependency>
-  	</dependencies>
-  </dependencyManagement>
 </project>

services/keyvault/azure-keyvault-extensions/src/main/java/com/microsoft/azure/keyvault/extensions/KeyVaultKey.java

@@ -81,13 +81,15 @@ protected KeyVaultKey(KeyVaultClient client, KeyBundle keyBundle) {
         }
 
         if (key.getKty().equals(JsonWebKeyType.RSA)) {
-            _implementation = new RsaKey(keyBundle.getKey());
+        	// The private key is not available for KeyVault keys
+            _implementation = new RsaKey(key.getKid(), key.toRSA(false));
         } else if (key.getKty().equals(JsonWebKeyType.RSAHSM)) {
-            _implementation = new RsaKey(keyBundle.getKey());
+        	// The private key is not available for KeyVault keys
+            _implementation = new RsaKey(key.getKid(), key.toRSA(false));
         }
 
         if (_implementation == null) {
-            throw new IllegalArgumentException(String.format("The key type %s is not supported", keyBundle.getKey().getKty()));
+            throw new IllegalArgumentException(String.format("The key type %s is not supported", key.getKty()));
         }
 
         _client = client;

services/keyvault/azure-keyvault-extensions/src/test/java/com/microsoft/azure/keyvault/extensions/test/KeyVaultExtensionsIntegrationTestBase.java

@@ -0,0 +1,212 @@
+/**
+ *
+ * Copyright (c) Microsoft and contributors.  All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package com.microsoft.azure.keyvault.extensions.test;
+
+import java.util.Map;
+import java.util.concurrent.Callable;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
+
+import org.apache.http.Header;
+import org.apache.http.message.BasicHeader;
+import org.codehaus.jackson.map.ObjectMapper;
+import org.codehaus.jackson.map.ObjectReader;
+import org.codehaus.jackson.map.ObjectWriter;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+
+import com.microsoft.aad.adal4j.AuthenticationContext;
+import com.microsoft.aad.adal4j.AuthenticationResult;
+import com.microsoft.aad.adal4j.ClientCredential;
+import com.microsoft.azure.keyvault.KeyVaultClient;
+import com.microsoft.azure.keyvault.KeyVaultClientService;
+import com.microsoft.azure.keyvault.KeyVaultConfiguration;
+import com.microsoft.azure.keyvault.authentication.KeyVaultCredentials;
+import com.microsoft.windowsazure.Configuration;
+import com.microsoft.windowsazure.MockIntegrationTestBase;
+import com.microsoft.windowsazure.core.pipeline.filter.ServiceRequestContext;
+import com.microsoft.windowsazure.credentials.CloudCredentials;
+import com.microsoft.windowsazure.credentials.TokenCloudCredentials;
+
+public class KeyVaultExtensionsIntegrationTestBase extends MockIntegrationTestBase {
+
+    /**
+     * The client instance that should be used on tests.
+     */
+    protected static KeyVaultClient keyVaultClient;
+
+    /**
+     * <code>true</code> if current client instance can handle 401 from service,
+     * <code>false</code> otherwise.
+     */
+    protected static boolean handling401;
+
+    /**
+     * Primary vault URI, used for keys and secrets tests.
+     */
+    public static String getVaultUri() {
+        return IS_MOCKED ? MOCK_URI : getLiveVaultUri1();
+    }
+
+    /**
+     * Secondary vault URI, used to verify ability to transparently authenticate
+     * against a different resource.
+     */
+    public static String getSecondaryVaultUri() {
+        return IS_MOCKED ? MOCK_URI : getLiveVaultUri2();
+    }
+
+    private static String getLiveVaultUri1() {
+        return getenvOrDefault("keyvault.vaulturi", "https://javasdktestvault.vault.azure.net");
+    }
+
+    private static String getLiveVaultUri2() {
+        return getenvOrDefault("keyvault.vaulturi.alt", "https://javasdktestvault2.vault.azure.net");
+    }
+
+    private static String getenvOrDefault(String varName, String defValue) {
+        String value = System.getenv(varName);
+        return value != null ? value : defValue;
+    }
+
+    protected static void createKeyVaultClient() throws Exception {
+        Configuration config = createConfiguration();
+
+        keyVaultClient = KeyVaultClientService.create(config);
+        addClient(keyVaultClient.getServiceClient(), new Callable<Void>() {
+            @Override
+            public Void call() throws Exception {
+                createKeyVaultClient();
+                return null;
+            }
+        });
+        addRegexRule(getLiveVaultUri1(), MOCK_URI);
+        addRegexRule(getLiveVaultUri2(), MOCK_URI);
+    }
+
+    public static Configuration createConfiguration() throws Exception {
+        return KeyVaultConfiguration.configure(null, createTestCredentials());
+    }
+
+    private static CloudCredentials createTestCredentials() throws Exception {
+
+        handling401 = false;
+
+        if (IS_MOCKED) {
+            // When mocked, there's no authentication.
+            return new TokenCloudCredentials(null, MOCK_SUBSCRIPTION, null);
+        }
+
+        boolean preAuthenticate = "true".equalsIgnoreCase(System.getenv("arm.preauthenticate"));
+
+        if (preAuthenticate) {
+            String authorization = System.getenv("arm.aad.url") + System.getenv("arm.tenant");
+            String resource = System.getenv("arm.resource");
+            String subscriptionId = System.getenv("arm.subscriptionid");
+            return new TokenCloudCredentials(null, subscriptionId, getAccessToken(authorization, resource).getAccessToken());
+        }
+
+        handling401 = true;
+        return new KeyVaultCredentials() {
+
+            @Override
+            public Header doAuthenticate(ServiceRequestContext request, Map<String, String> challenge) {
+                try {
+                    String authorization = challenge.get("authorization");
+                    String resource = challenge.get("resource");
+                    AuthenticationResult authResult = getAccessToken(authorization, resource);
+                    return new BasicHeader("Authorization", authResult.getAccessTokenType() + " " + authResult.getAccessToken());
+                } catch (Exception ex) {
+                    throw new RuntimeException(ex);
+                }
+            }
+        };
+    }
+
+    private static AuthenticationResult getAccessToken(String authorization, String resource) throws Exception {
+
+        String clientId = System.getenv("arm.clientid");
+        if (clientId == null) {
+            throw new Exception("Please inform arm.clientid in the environment settings.");
+        }
+
+        String clientKey = System.getenv("arm.clientkey");
+        String username = System.getenv("arm.username");
+        String password = System.getenv("arm.password");
+
+        AuthenticationResult result = null;
+        ExecutorService service = null;
+        try {
+            service = Executors.newFixedThreadPool(1);
+            AuthenticationContext context = new AuthenticationContext(authorization, false, service);
+
+            Future<AuthenticationResult> future = null;
+
+            if (clientKey != null && password == null) {
+                ClientCredential credentials = new ClientCredential(clientId, clientKey);
+                future = context.acquireToken(resource, credentials, null);
+            }
+
+            if (password != null && clientKey == null) {
+                future = context.acquireToken(resource, clientId, username, password, null);
+            }
+
+            if (future == null) {
+                throw new Exception("Missing or ambiguous credentials - please inform exactly one of arm.clientkey or arm.password in the environment settings.");
+            }
+
+            result = future.get();
+        } finally {
+            service.shutdown();
+        }
+
+        if (result == null) {
+            throw new RuntimeException("authentication result was null");
+        }
+        return result;
+    }
+
+    protected static ObjectWriter jsonWriter;
+    protected static ObjectReader jsonReader;
+
+    @BeforeClass
+    public static void setup() throws Exception {
+        createKeyVaultClient();
+        jsonWriter = new ObjectMapper().writer().withDefaultPrettyPrinter();
+        jsonReader = new ObjectMapper().reader();
+    }
+
+    @AfterClass
+    public static void cleanup() throws Exception {
+    }
+
+    @Before
+    public void beforeTest() throws Exception {
+        setupTest(getClass().getSimpleName() + "-" + name.getMethodName());
+    }
+
+    @After
+    public void afterTest() throws Exception {
+        resetTest(getClass().getSimpleName() + "-" + name.getMethodName());
+    }
+
+}