change keyvault track1 to track2 (#26)

microsoft · Oct 26, 2020 · 4d7d611 · 4d7d611
1 parent bac8579
commit 4d7d611
Show file tree

Hide file tree

Showing 17 changed files with 120 additions and 320 deletions.
diff --git a/secure-app-model/keyvault/cpvsample/README.md b/secure-app-model/keyvault/cpvsample/README.md
@@ -9,11 +9,12 @@ This sample demonstrates how a Control Panel Vendor partner can utilize the refr
 The following configurations in the [application.properties](src/main/resources/application.properties) file need to be modified:
 
 * **keyvault.baseurl** - The base address for the instance of Azure Key Vault where the refresh token has been stored.
-* **keyvault.clientId** - The identifier for the Azure AD application that has been allowed access to the instance of Azure Key Vault.
-* **keyvault.clientSecret** - The application secret associated with the application configured to access the instance of Azure Key Vault.
+* **AZURE_CLIENT_ID** - The identifier for the Azure AD application that has been allowed access to the instance of Azure Key Vault.
+* **AZURE_CLIENT_SECRET** - The application secret associated with the application configured to access the instance of Azure Key Vault.
+* **AZURE_TENANT_ID** - The application tenant id associated with the application configured to access the instance of Azure Key Vault.
 * **partnercenter.accountId** - The account identifier, also known as the Azure AD tenant identifier, for the partner.
 * **partnercenter.clientId** - The application identifier for the Azure AD application configured for use with the Partner Center API.
 * **partnercenter.clientSecret** - The application secret associated with the application configured to access the Partner Center API.
 * **partnercenter.displayName** - The display name for the Azure AD application. This will be used during the consent process, so it must what is in Azure AD.
 
-Please note that in production scenarios we recommend that you use certificate based authentication to access the instance of Azure Key Vault. The [confidential client flow](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/Confidential-client-applications-flows) has been used in the sample for simplicity.
+Please note that in production scenarios we recommend that you use certificate based authentication to access the instance of Azure Key Vault. The [confidential client flow](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/Confidential-client-applications-flows) has been used in the sample for simplicity.
diff --git a/secure-app-model/keyvault/cpvsample/pom.xml b/secure-app-model/keyvault/cpvsample/pom.xml
@@ -22,9 +22,14 @@
 			<version>1.18.0</version>
 		</dependency>
 		<dependency>
-			<groupId>com.microsoft.azure</groupId>
-			<artifactId>azure-keyvault</artifactId>
-			<version>1.2.2</version>
+			<groupId>com.azure</groupId>
+			<artifactId>azure-identity</artifactId>
+			<version>1.1.2</version>
+		</dependency>
+		<dependency>
+			<groupId>com.azure</groupId>
+			<artifactId>azure-security-keyvault-secrets</artifactId>
+			<version>4.2.1</version>
 		</dependency>
 		<dependency>
 			<groupId>com.microsoft.graph</groupId>

diff --git a/...mple/src/main/java/com/microsoft/store/samples/secureappmodel/cpvsample/PropertyName.java b/...mple/src/main/java/com/microsoft/store/samples/secureappmodel/cpvsample/PropertyName.java
@@ -28,6 +28,11 @@ public class PropertyName
      */
     public static final String KEY_VAULT_CLIENT_ID = "keyvault.clientId";
 
+    /**
+     * The name of the tenant Id property.
+     */
+    public static final String KEY_VAULT_TENANT_ID = "keyvault.tenantId";
+
     /**
      * The name of the client secret property.
      */

diff --git a/...va/com/microsoft/store/samples/secureappmodel/cpvsample/security/AccessTokenProvider.java b/...va/com/microsoft/store/samples/secureappmodel/cpvsample/security/AccessTokenProvider.java
@@ -159,9 +159,7 @@ public AuthenticationResult getAccessTokenBySecureRefreshToken(String tenantId,
         throws ExecutionException, InterruptedException, MalformedURLException
     {
         IVaultProvider vault = new KeyVaultProvider(
-            properties.getProperty(PropertyName.KEY_VAULT_BASE_URL),
-            properties.getProperty(PropertyName.KEY_VAULT_CLIENT_ID), 
-            properties.getProperty(PropertyName.KEY_VAULT_CLIENT_SECRET));
+            properties.getProperty(PropertyName.KEY_VAULT_BASE_URL));
 
         return getAccessTokenByRefreshToken(
             tenantId,  

diff --git a/.../java/com/microsoft/store/samples/secureappmodel/cpvsample/security/KeyVaultProvider.java b/.../java/com/microsoft/store/samples/secureappmodel/cpvsample/security/KeyVaultProvider.java
@@ -3,149 +3,73 @@
 
 package com.microsoft.store.samples.secureappmodel.cpvsample.security;
 
-import java.net.MalformedURLException;
-import java.util.concurrent.ExecutionException;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
-import java.util.concurrent.Future;
+import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.security.keyvault.secrets.SecretClient;
+import com.azure.security.keyvault.secrets.SecretClientBuilder;
 
-import com.microsoft.aad.adal4j.AuthenticationContext;
-import com.microsoft.aad.adal4j.AuthenticationResult;
-import com.microsoft.aad.adal4j.ClientCredential;
-import com.microsoft.azure.keyvault.KeyVaultClient;
-import com.microsoft.azure.keyvault.KeyVaultClientCustom;
-import com.microsoft.azure.keyvault.authentication.KeyVaultCredentials;
 
 /**
  * Provides a secure mechanism for retrieving and store sensitive information using Azure Key Vault.
  */
 public class KeyVaultProvider implements IVaultProvider
 {
     /**
-     * The client used to interact with the Azure Key Vault service.
+     * The client used to manage Secrets in the Azure KeyVault by interacting with the Azure Key Vault service.
      */
-    private KeyVaultClientCustom client;
+    private SecretClient client;
 
     /**
-     * The vault name, e.g. https://myvault.vault.azure.net
+     * The Vault URL, e.g. https://myvault.vault.azure.net
      */
     private String vaultBaseUrl; 
 
     /**
      * Initializes a new instance of the {@link KeyVaultProvider} class.
      * 
      * @param vaultBaseUrl The vault name, e.g. https://myvault.vault.azure.net
-     * @param clientId The identifier of the client requesting the token.
-     * @param clientSecret The secure secret of the client requesting the token.
      */
-    public KeyVaultProvider(String vaultBaseUrl, String clientId, String clientSecret)
+    public KeyVaultProvider(String vaultBaseUrl)
     {
-        client = getKeyVaultClient(clientId, clientSecret);
+        client = getKeyVaultClient();
         this.vaultBaseUrl = vaultBaseUrl;
     }
 
     /**
-     * Gets the specified value from the vault.
+     * Gets the value of the specified secret from the Azure Key Vault..
      * 
      * @param secretName Identifier of the value to be retrieved.
      * @return The value for the specified secret.
      */
     public String getSecret(String secretName)
     {
-        return client.getSecret(vaultBaseUrl, secretName).value();
+        return client.getSecret(secretName).getValue();
     }
 
     /**
-     * Stores the specified value in the vault.
+     * Adds a secret with the specified {@code secretName} and {@code value} to the key vault if it does not exist. 
+     * If the named secret exists, a new version of the secret is created.
      * 
      * @param secretName Identifier of the value to be stored.
      * @param value The value to be stored.
      */
     public void setSecret(String secretName, String value)
     {
-        client.setSecret(vaultBaseUrl, secretName, value);
+        client.setSecret(secretName, value);
     }
 
     /**
-     * Gets an access token from the authority.
+     * Gets the Secret Client, capable of managing Secrets in the Azure Key Vault by interacting with Azure Key Vault service.
      * 
-     * @param authorization Address of the authority to issue the token.
-     * @param resource Identifier of the target resource that is the recipient of the requested token.
-     * @param clientId The identifier of the client requesting the token.
-     * @param clientSecret The secure secret of the client requesting the token.
-     * @return An instance of {@link AuthenticationResult} that contians an access token and refresh token.
-     * 
-     * @throws ExecutionException {@link ExecutionException}
-     * @throws InterruptedException {@link InterruptedException}
-     * @throws MalformedURLException {@link MalformedURLException}
+     * @return The Secret Client, capable of managing Secrets in the Azure Key Vault by interacting with Azure Key Vault service.
      */
-    private AuthenticationResult getAccessToken(String authorization, String resource, String clientId, String clientSecret) 
-        throws ExecutionException, InterruptedException, MalformedURLException
+    private SecretClient getKeyVaultClient()
     {
-        AuthenticationContext authContext; 
-        AuthenticationResult authResult;
-        ExecutorService service = null;
-        Future<AuthenticationResult> future;
-
-        try
-        {
-            service = Executors.newFixedThreadPool(1);
-            authContext = new AuthenticationContext(authorization, true, service);
-
-            future = authContext.acquireToken(
-                resource,
-                new ClientCredential(
-                    clientId, 
-                    clientSecret), 
-                null);
-
-            authResult = future.get();
-
-            return authResult;
-        }
-        finally
-        {
-            service.shutdown();
-        }
-    }
+        client = new SecretClientBuilder()
+            .vaultUrl(vaultBaseUrl)
+            .credential(new DefaultAzureCredentialBuilder().build())
+            .buildClient();
 
-    /**
-     * Gets a client that is capable of interacting with the Azure Key Vault service.
-     *
-     * @param clientId The identifier of the client requesting the token.
-     * @param clientSecret The secure secret of the client requesting the token. 
-     * 
-     * @return A client that is capable of interacting with the Azure Key Vault service.
-     */
-    private KeyVaultClientCustom getKeyVaultClient(String clientId, String clientSecret)
-    {
-        return new KeyVaultClient(new KeyVaultCredentials() 
-        {
-            /**
-             * @param authorization Address of the authority to issue the token.
-             * @param resource Identifier of the target resource that is the recipient of the requested token, a URL.
-             * @param scope The scope of the authentication request.
-             *
-             * @return Access token to be used with Azure Key Vault operations.
-             */
-            @Override
-             public String doAuthenticate(String authorization, String resource, String scope) 
-             {
-                 AuthenticationResult authResult; 
-
-                 try 
-                 {
-                     authResult = getAccessToken(authorization, resource, clientId, clientSecret);
-
-                     return authResult.getAccessToken();
-                 }
-                 catch(Exception ex)
-                 {
-                     ex.printStackTrace();
-                 }
-
-                 return "";
-             }
-        });
+        return client;
+
     }
 }
diff --git a/secure-app-model/keyvault/cpvsample/src/main/resources/application.properties b/secure-app-model/keyvault/cpvsample/src/main/resources/application.properties
@@ -2,6 +2,7 @@ azuread.authority=https://login.microsoftonline.com
 keyvault.baseurl=
 keyvault.clientId=
 keyvault.clientSecret=
+keyvault.tenantId=
 partnercenter.accountId=
 partnercenter.clientId=
 partnercenter.clientSecret=

diff --git a/secure-app-model/keyvault/cspsample/README.md b/secure-app-model/keyvault/cspsample/README.md
@@ -9,10 +9,11 @@ This sample demonstrates how a Cloud Solution Provider partner can utilize the r
 The following configurations in the [application.properties](src/main/resources/application.properties) file need to be modified:
 
 * **keyvault.baseurl** - The base address for the instance of Azure Key Vault where the refresh token has been stored.
-* **keyvault.clientId** - The identifier for the Azure AD application that has been allowed access to the instance of Azure Key Vault.
-* **keyvault.clientSecret** - The application secret associated with the application configured to access the instance of Azure Key Vault.
+* **AZURE_CLIENT_ID** - The identifier for the Azure AD application that has been allowed access to the instance of Azure Key Vault.
+* **AZURE_CLIENT_SECRET** - The application secret associated with the application configured to access the instance of Azure Key Vault.
+* **AZURE_TENANT_ID** - The application tenant id associated with the application configured to access the instance of Azure Key Vault.
 * **partnercenter.accountId** - The account identifier, also known as the Azure AD tenant identifier, for the partner.
 * **partnercenter.clientId** - The application identifier for the Azure AD application configured for use with the Partner Center API.
 * **partnercenter.clientSecret** - The application secret associated with the application configured to access the Partner Center API.
 
-Please note that in production scenarios we recommend that you use certificate based authentication to access the instance of Azure Key Vault. The [confidential client flow](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/Confidential-client-applications-flows) has been used in the sample for simplicity.
+Please note that in production scenarios we recommend that you use certificate based authentication to access the instance of Azure Key Vault. The [confidential client flow](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/Confidential-client-applications-flows) has been used in the sample for simplicity.
diff --git a/secure-app-model/keyvault/cspsample/pom.xml b/secure-app-model/keyvault/cspsample/pom.xml
@@ -22,9 +22,14 @@
 			<version>1.18.0</version>
 		</dependency>
 		<dependency>
-			<groupId>com.microsoft.azure</groupId>
-			<artifactId>azure-keyvault</artifactId>
-			<version>1.2.2</version>
+			<groupId>com.azure</groupId>
+			<artifactId>azure-identity</artifactId>
+			<version>1.1.2</version>
+		</dependency>
+		<dependency>
+			<groupId>com.azure</groupId>
+			<artifactId>azure-security-keyvault-secrets</artifactId>
+			<version>4.2.1</version>
 		</dependency>
 		<dependency>
 			<groupId>com.microsoft.graph</groupId>

diff --git a/...mple/src/main/java/com/microsoft/store/samples/secureappmodel/cspsample/PropertyName.java b/...mple/src/main/java/com/microsoft/store/samples/secureappmodel/cspsample/PropertyName.java
@@ -33,6 +33,11 @@ public class PropertyName
      */
     public static final String KEY_VAULT_CLIENT_SECRET = "keyvault.clientSecret";
 
+    /**
+     * The name of the tenant Id property.
+     */
+    public static final String KEY_VAULT_TENANT_ID = "keyvault.tenantId";
+
     /**
      * The name of the Partner Center account identifier property.
      */

diff --git a/...va/com/microsoft/store/samples/secureappmodel/cspsample/security/AccessTokenProvider.java b/...va/com/microsoft/store/samples/secureappmodel/cspsample/security/AccessTokenProvider.java
@@ -159,9 +159,7 @@ public AuthenticationResult getAccessTokenBySecureRefreshToken(String tenantId,
         throws ExecutionException, InterruptedException, MalformedURLException
     {
         IVaultProvider vault = new KeyVaultProvider(
-            properties.getProperty(PropertyName.KEY_VAULT_BASE_URL),
-            properties.getProperty(PropertyName.KEY_VAULT_CLIENT_ID), 
-            properties.getProperty(PropertyName.KEY_VAULT_CLIENT_SECRET));
+            properties.getProperty(PropertyName.KEY_VAULT_BASE_URL));
 
         return getAccessTokenByRefreshToken(
             tenantId,