[NewSDK]Update ValidateCertificate and ProcessSignature for new SDK (#10158)

* First attempt rebase sign changes on dev.
* Use constant values for config. Move GetServiceUri to common.
* Use new method to get Uri base.

Author: ryuyu

src/NuGet.Services.Storage/AzureStorage.cs

@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -419,5 +419,12 @@ private Uri ResolvePathedUri(string filename)
         {
             return ResolveUri(Path.Combine(_path, filename));
         }
+
+        public static Uri GetPrimaryServiceUri(string storageConnectionString)
+        {
+            var tempClient = new BlobServiceClient(storageConnectionString);
+            // if _storageConnectionString has SAS token, Uri will contain SAS signature, we need to strip it 
+            return new Uri(tempClient.Uri.GetLeftPart(UriPartial.Path));
+        }
     }
 }

src/Validation.PackageSigning.ProcessSignature/Job.cs

@@ -1,7 +1,9 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
+using System;
 using Autofac;
+using Azure.Identity;
 using Azure.Storage.Blobs;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
@@ -13,6 +15,7 @@
 using NuGet.Jobs.Validation.PackageSigning.Storage;
 using NuGet.Jobs.Validation.PackageSigning.Telemetry;
 using NuGet.Jobs.Validation.Storage;
+using NuGet.Services.Configuration;
 using NuGet.Services.ServiceBus;
 using NuGet.Services.Storage;
 using NuGet.Services.Validation.PackageSigning.ProcessSignature;
@@ -49,8 +52,24 @@ protected override void ConfigureJobServices(IServiceCollection services, IConfi
 
             services.AddTransient<ICertificateStore>(p =>
             {
+                var useStorageManagedIdentity = bool.Parse(configurationRoot[Constants.StorageUseManagedIdentityPropertyName]);
                 var config = p.GetRequiredService<IOptionsSnapshot<CertificateStoreConfiguration>>().Value;
-                var targetStorageAccount = new BlobServiceClient(AzureStorageFactory.PrepareConnectionString(config.DataStorageAccount));
+
+                BlobServiceClient targetStorageAccount;
+                if (useStorageManagedIdentity)
+                {
+                    var managedIdentityClientId =
+                        string.IsNullOrEmpty(configurationRoot[Constants.StorageManagedIdentityClientIdPropertyName]) ?
+                        configurationRoot[Constants.ManagedIdentityClientIdKey] :
+                        configurationRoot[Constants.StorageManagedIdentityClientIdPropertyName];
+                    var storageAccountUri = AzureStorage.GetPrimaryServiceUri(config.DataStorageAccount);
+                    var managedIdentity = new ManagedIdentityCredential(managedIdentityClientId);
+                    targetStorageAccount = new BlobServiceClient(storageAccountUri, managedIdentity);
+                }
+                else
+                {
+                    targetStorageAccount = new BlobServiceClient(AzureStorageFactory.PrepareConnectionString(config.DataStorageAccount));
+                }
 
                 var storageFactory = new AzureStorageFactory(
                     targetStorageAccount,

src/Validation.PackageSigning.ValidateCertificate/Job.cs

@@ -1,16 +1,20 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
+using System;
 using Autofac;
+using Azure.Identity;
 using Azure.Storage.Blobs;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using NuGet.Jobs;
 using NuGet.Jobs.Validation;
 using NuGet.Jobs.Validation.PackageSigning.Configuration;
 using NuGet.Jobs.Validation.PackageSigning.Messages;
 using NuGet.Jobs.Validation.PackageSigning.Storage;
+using NuGet.Services.Configuration;
 using NuGet.Services.ServiceBus;
 using NuGet.Services.Storage;
 
@@ -30,8 +34,24 @@ protected override void ConfigureJobServices(IServiceCollection services, IConfi
 
             services.AddTransient<ICertificateStore>(p =>
             {
+                var useStorageManagedIdentity = bool.Parse(configurationRoot[Constants.StorageUseManagedIdentityPropertyName]);
                 var config = p.GetRequiredService<IOptionsSnapshot<CertificateStoreConfiguration>>().Value;
-                var targetStorageAccount = new BlobServiceClient(AzureStorageFactory.PrepareConnectionString(config.DataStorageAccount));
+
+                BlobServiceClient targetStorageAccount;
+                if (useStorageManagedIdentity)
+                {
+                    var managedIdentityClientId =
+                        string.IsNullOrEmpty(configurationRoot[Constants.StorageManagedIdentityClientIdPropertyName]) ?
+                        configurationRoot[Constants.ManagedIdentityClientIdKey] :
+                        configurationRoot[Constants.StorageManagedIdentityClientIdPropertyName];
+                    var storageAccountUri = AzureStorage.GetPrimaryServiceUri(config.DataStorageAccount);
+                    var managedIdentity = new ManagedIdentityCredential(managedIdentityClientId);
+                    targetStorageAccount = new BlobServiceClient(storageAccountUri, managedIdentity);
+                }
+                else
+                {
+                    targetStorageAccount = new BlobServiceClient(AzureStorageFactory.PrepareConnectionString(config.DataStorageAccount));
+                }
 
                 var storageFactory = new AzureStorageFactory(
                     targetStorageAccount,