Attempt at keyvault library upgrade.

agr · erdembayar · commit e382ab866f7b · 2023-08-08T15:32:23.000-07:00
diff --git a/src/NuGet.Services.Configuration/ConfigurationRootSecretReaderFactory.cs b/src/NuGet.Services.Configuration/ConfigurationRootSecretReaderFactory.cs
@@ -12,6 +12,7 @@ public class ConfigurationRootSecretReaderFactory : ISecretReaderFactory
     {
         private string _vaultName;
         private bool _useManagedIdentity;
+        private string _tenantId;
         private string _clientId;
         private string _certificateThumbprint;
         private string _storeName;
@@ -34,6 +35,7 @@ public ConfigurationRootSecretReaderFactory(IConfigurationRoot config)
                 _useManagedIdentity = bool.Parse(useManagedIdentity);
             }
 
+            _tenantId = config[Constants.KeyVaultTenanIdKey];
             _clientId = config[Constants.KeyVaultClientIdKey];
             _certificateThumbprint = config[Constants.KeyVaultCertificateThumbprintKey];
             if (_useManagedIdentity && IsCertificateConfigurationProvided())
@@ -83,7 +85,8 @@ public ISecretReader CreateSecretReader()
                     _validateCertificate);
 
                 keyVaultConfiguration = new KeyVaultConfiguration(
-                    _vaultName,                
+                    _vaultName,
+                    _tenantId,
                     _clientId,
                     certificate,
                     _sendX5c);
@@ -100,7 +103,8 @@ public ISecretInjector CreateSecretInjector(ISecretReader secretReader)
         private bool IsCertificateConfigurationProvided()
         {
             return !string.IsNullOrEmpty(_clientId)
-                || !string.IsNullOrEmpty(_certificateThumbprint);
+                || !string.IsNullOrEmpty(_certificateThumbprint)
+                || !string.IsNullOrEmpty(_tenantId);
         }
     }
 }
diff --git a/src/NuGet.Services.Configuration/Constants.cs b/src/NuGet.Services.Configuration/Constants.cs
@@ -7,6 +7,7 @@ public static class Constants
     {
         public static string KeyVaultVaultNameKey = "KeyVault_VaultName";
         public static string KeyVaultUseManagedIdentity = "KeyVault_UseManagedIdentity";
+        public static string KeyVaultTenanIdKey = "KeyVault_TenantId";
         public static string KeyVaultClientIdKey = "KeyVault_ClientId";
         public static string KeyVaultCertificateThumbprintKey = "KeyVault_CertificateThumbprint";
         public static string KeyVaultValidateCertificateKey = "KeyVault_ValidateCertificate";
diff --git a/src/NuGet.Services.KeyVault/KeyVaultConfiguration.cs b/src/NuGet.Services.KeyVault/KeyVaultConfiguration.cs
@@ -10,6 +10,7 @@ public class KeyVaultConfiguration
     {
         public string VaultName { get; }
         public bool UseManagedIdentity { get; }
+        public string TenantId { get; }
         public string ClientId { get; }
         public X509Certificate2 Certificate { get; }
         public bool SendX5c { get; }
@@ -32,10 +33,11 @@ public KeyVaultConfiguration(string vaultName)
         /// The constructor for keyvault configuration when using the certificate
         /// </summary>
         /// <param name="vaultName">The name of the keyvault</param>
+        /// <param name="tenantId">AAD tenant ID where respective client app is registered.</param>
         /// <param name="clientId">Keyvault client id</param>
         /// <param name="certificate">Certificate required to access the keyvault</param>
         /// <param name="sendX5c">SendX5c property</param>
-        public KeyVaultConfiguration(string vaultName, string clientId, X509Certificate2 certificate, bool sendX5c = false)
+        public KeyVaultConfiguration(string vaultName, string tenantId, string clientId, X509Certificate2 certificate, bool sendX5c = false)
         {
             if (string.IsNullOrWhiteSpace(vaultName))
             {
@@ -48,6 +50,7 @@ public KeyVaultConfiguration(string vaultName, string clientId, X509Certificate2
             }
 
             UseManagedIdentity = false;
+            TenantId = tenantId;
             VaultName = vaultName;
             ClientId = clientId;
             Certificate = certificate ?? throw new ArgumentNullException(nameof(certificate));
diff --git a/src/NuGet.Services.KeyVault/KeyVaultConfigurationExtensions.cs b/src/NuGet.Services.KeyVault/KeyVaultConfigurationExtensions.cs
@@ -0,0 +1,20 @@
+﻿// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace NuGet.Services.KeyVault
+{
+    public static class KeyVaultConfigurationExtensions
+    {
+        public static Uri GetKeyVaultUri(this KeyVaultConfiguration self)
+        {
+            var uriString = $"https://{self.VaultName}.vault.azure.net/";
+            return new Uri(uriString);
+        }
+    }
+}
diff --git a/src/NuGet.Services.KeyVault/KeyVaultReader.cs b/src/NuGet.Services.KeyVault/KeyVaultReader.cs
@@ -3,10 +3,10 @@
 
 using System;
 using System.Threading.Tasks;
-using Microsoft.Azure.KeyVault;
-using Microsoft.Azure.Services.AppAuthentication;
+using Azure.Core;
+using Azure.Identity;
+using Azure.Security.KeyVault.Secrets;
 using Microsoft.Extensions.Logging;
-using Microsoft.IdentityModel.Clients.ActiveDirectory;
 
 namespace NuGet.Services.KeyVault
 {
@@ -17,9 +17,7 @@ namespace NuGet.Services.KeyVault
     public class KeyVaultReader : ISecretReader
     {
         private readonly KeyVaultConfiguration _configuration;
-        private readonly string _vault;
-        private readonly Lazy<KeyVaultClient> _keyVaultClient;
-        private ClientAssertionCertificate _clientAssertionCertificate;
+        private readonly Lazy<SecretClient> _keyVaultClient;
 
         protected string VaultBaseUrl => _vault;
         protected KeyVaultClient KeyVaultClient => _keyVaultClient.Value;
@@ -32,8 +30,7 @@ public KeyVaultReader(KeyVaultConfiguration configuration)
             }
 
             _configuration = configuration;
-            _vault = $"https://{_configuration.VaultName}.vault.azure.net/";
-            _keyVaultClient = new Lazy<KeyVaultClient>(InitializeClient);
+            _keyVaultClient = new Lazy<SecretClient>(InitializeClient);
         }
 
         public async Task<string> GetSecretAsync(string secretName)
@@ -43,7 +40,8 @@ public async Task<string> GetSecretAsync(string secretName)
 
         public async Task<string> GetSecretAsync(string secretName, ILogger logger)
         {
-            var secret = await _keyVaultClient.Value.GetSecretAsync(_vault, secretName);
+            var response = await _keyVaultClient.Value.GetSecretAsync(secretName);
+            var secret = response.Value;
             return secret.Value;
         }
 
@@ -54,35 +52,23 @@ public async Task<ISecret> GetSecretObjectAsync(string secretName)
 
         public async Task<ISecret> GetSecretObjectAsync(string secretName, ILogger logger)
         {
-            var secret = await _keyVaultClient.Value.GetSecretAsync(_vault, secretName);
-            return new KeyVaultSecret(secretName, secret.Value, secret.Attributes.Expires);
+            var response = await _keyVaultClient.Value.GetSecretAsync(secretName);
+            var secret = response.Value;
+            return new KeyVaultSecret(secretName, secret.Value, secret.Properties.ExpiresOn);
         }
 
-        private KeyVaultClient InitializeClient()
+        private SecretClient InitializeClient()
         {
+            TokenCredential credential = null;
             if (_configuration.UseManagedIdentity)
             {
-                var azureServiceTokenProvider = new AzureServiceTokenProvider();
-                return new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
+                credential = new DefaultAzureCredential();
             }
             else
             {
-                _clientAssertionCertificate = new ClientAssertionCertificate(_configuration.ClientId, _configuration.Certificate);
-                return new KeyVaultClient(GetTokenAsync);
+                credential = new ClientCertificateCredential(_configuration.TenantId, _configuration.ClientId, _configuration.Certificate);
             }
-        }
-
-        private async Task<string> GetTokenAsync(string authority, string resource, string scope)
-        {
-            var authContext = new AuthenticationContext(authority);
-            var result = await authContext.AcquireTokenAsync(resource, _clientAssertionCertificate, _configuration.SendX5c);
-
-            if (result == null)
-            {
-                throw new InvalidOperationException("Bearer token acquisition needed to call the KeyVault service failed");
-            }
-
-            return result.AccessToken;
+            return new SecretClient(_configuration.GetKeyVaultUri(), credential);
         }
     }
 
diff --git a/src/NuGet.Services.KeyVault/NuGet.Services.KeyVault.csproj b/src/NuGet.Services.KeyVault/NuGet.Services.KeyVault.csproj
@@ -6,9 +6,8 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Azure.KeyVault">
-      <Version>3.0.5</Version>
-    </PackageReference>
+    <PackageReference Include="Azure.Identity" Version="1.8.0" />
+    <PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.4.0" />
     <PackageReference Include="Microsoft.Azure.Services.AppAuthentication">
       <Version>1.4.0</Version>
     </PackageReference>

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@ public class ConfigurationRootSecretReaderFactory : ISecretReaderFactory`
`12`	`12`	`{`
`13`	`13`	`private string _vaultName;`
`14`	`14`	`private bool _useManagedIdentity;`
	`15`	`+ private string _tenantId;`
`15`	`16`	`private string _clientId;`
`16`	`17`	`private string _certificateThumbprint;`
`17`	`18`	`private string _storeName;`
`@@ -34,6 +35,7 @@ public ConfigurationRootSecretReaderFactory(IConfigurationRoot config)`
`34`	`35`	`_useManagedIdentity = bool.Parse(useManagedIdentity);`
`35`	`36`	`}`
`36`	`37`
	`38`	`+ _tenantId = config[Constants.KeyVaultTenanIdKey];`
`37`	`39`	`_clientId = config[Constants.KeyVaultClientIdKey];`
`38`	`40`	`_certificateThumbprint = config[Constants.KeyVaultCertificateThumbprintKey];`
`39`	`41`	`if (_useManagedIdentity && IsCertificateConfigurationProvided())`
`@@ -83,7 +85,8 @@ public ISecretReader CreateSecretReader()`
`83`	`85`	`_validateCertificate);`
`84`	`86`
`85`	`87`	`keyVaultConfiguration = new KeyVaultConfiguration(`
`86`		`- _vaultName,`
	`88`	`+ _vaultName,`
	`89`	`+ _tenantId,`
`87`	`90`	`_clientId,`
`88`	`91`	`certificate,`
`89`	`92`	`_sendX5c);`
`@@ -100,7 +103,8 @@ public ISecretInjector CreateSecretInjector(ISecretReader secretReader)`
`100`	`103`	`private bool IsCertificateConfigurationProvided()`
`101`	`104`	`{`
`102`	`105`	`return !string.IsNullOrEmpty(_clientId)`
`103`		`- \|\| !string.IsNullOrEmpty(_certificateThumbprint);`
	`106`	`+ \|\| !string.IsNullOrEmpty(_certificateThumbprint)`
	`107`	`+ \|\| !string.IsNullOrEmpty(_tenantId);`
`104`	`108`	`}`
`105`	`109`	`}`
`106`	`110`	`}`
Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ public static class Constants`
`7`	`7`	`{`
`8`	`8`	`public static string KeyVaultVaultNameKey = "KeyVault_VaultName";`
`9`	`9`	`public static string KeyVaultUseManagedIdentity = "KeyVault_UseManagedIdentity";`
	`10`	`+ public static string KeyVaultTenanIdKey = "KeyVault_TenantId";`
`10`	`11`	`public static string KeyVaultClientIdKey = "KeyVault_ClientId";`
`11`	`12`	`public static string KeyVaultCertificateThumbprintKey = "KeyVault_CertificateThumbprint";`
`12`	`13`	`public static string KeyVaultValidateCertificateKey = "KeyVault_ValidateCertificate";`
Original file line number	Diff line number	Diff line change
`@@ -3,10 +3,10 @@`
`3`	`3`
`4`	`4`	`using System;`
`5`	`5`	`using System.Threading.Tasks;`
`6`		`-using Microsoft.Azure.KeyVault;`
`7`		`-using Microsoft.Azure.Services.AppAuthentication;`
	`6`	`+using Azure.Core;`
	`7`	`+using Azure.Identity;`
	`8`	`+using Azure.Security.KeyVault.Secrets;`
`8`	`9`	`using Microsoft.Extensions.Logging;`
`9`		`-using Microsoft.IdentityModel.Clients.ActiveDirectory;`
`10`	`10`
`11`	`11`	`namespace NuGet.Services.KeyVault`
`12`	`12`	`{`
`@@ -17,9 +17,7 @@ namespace NuGet.Services.KeyVault`
`17`	`17`	`public class KeyVaultReader : ISecretReader`
`18`	`18`	`{`
`19`	`19`	`private readonly KeyVaultConfiguration _configuration;`
`20`		`- private readonly string _vault;`
`21`		`- private readonly Lazy<KeyVaultClient> _keyVaultClient;`
`22`		`- private ClientAssertionCertificate _clientAssertionCertificate;`
	`20`	`+ private readonly Lazy<SecretClient> _keyVaultClient;`
`23`	`21`
`24`	`22`	`protected string VaultBaseUrl => _vault;`
`25`	`23`	`protected KeyVaultClient KeyVaultClient => _keyVaultClient.Value;`
`@@ -32,8 +30,7 @@ public KeyVaultReader(KeyVaultConfiguration configuration)`
`32`	`30`	`}`
`33`	`31`
`34`	`32`	`_configuration = configuration;`
`35`		`- _vault = $"https://{_configuration.VaultName}.vault.azure.net/";`
`36`		`- _keyVaultClient = new Lazy<KeyVaultClient>(InitializeClient);`
	`33`	`+ _keyVaultClient = new Lazy<SecretClient>(InitializeClient);`
`37`	`34`	`}`
`38`	`35`
`39`	`36`	`public async Task<string> GetSecretAsync(string secretName)`
`@@ -43,7 +40,8 @@ public async Task<string> GetSecretAsync(string secretName)`
`43`	`40`
`44`	`41`	`public async Task<string> GetSecretAsync(string secretName, ILogger logger)`
`45`	`42`	`{`
`46`		`- var secret = await _keyVaultClient.Value.GetSecretAsync(_vault, secretName);`
	`43`	`+ var response = await _keyVaultClient.Value.GetSecretAsync(secretName);`
	`44`	`+ var secret = response.Value;`
`47`	`45`	`return secret.Value;`
`48`	`46`	`}`
`49`	`47`
`@@ -54,35 +52,23 @@ public async Task<ISecret> GetSecretObjectAsync(string secretName)`
`54`	`52`
`55`	`53`	`public async Task<ISecret> GetSecretObjectAsync(string secretName, ILogger logger)`
`56`	`54`	`{`
`57`		`- var secret = await _keyVaultClient.Value.GetSecretAsync(_vault, secretName);`
`58`		`- return new KeyVaultSecret(secretName, secret.Value, secret.Attributes.Expires);`
	`55`	`+ var response = await _keyVaultClient.Value.GetSecretAsync(secretName);`
	`56`	`+ var secret = response.Value;`
	`57`	`+ return new KeyVaultSecret(secretName, secret.Value, secret.Properties.ExpiresOn);`
`59`	`58`	`}`
`60`	`59`
`61`		`- private KeyVaultClient InitializeClient()`
	`60`	`+ private SecretClient InitializeClient()`
`62`	`61`	`{`
	`62`	`+ TokenCredential credential = null;`
`63`	`63`	`if (_configuration.UseManagedIdentity)`
`64`	`64`	`{`
`65`		`- var azureServiceTokenProvider = new AzureServiceTokenProvider();`
`66`		`- return new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));`
	`65`	`+ credential = new DefaultAzureCredential();`
`67`	`66`	`}`
`68`	`67`	`else`
`69`	`68`	`{`
`70`		`- _clientAssertionCertificate = new ClientAssertionCertificate(_configuration.ClientId, _configuration.Certificate);`
`71`		`- return new KeyVaultClient(GetTokenAsync);`
	`69`	`+ credential = new ClientCertificateCredential(_configuration.TenantId, _configuration.ClientId, _configuration.Certificate);`
`72`	`70`	`}`
`73`		`- }`
`74`		`-`
`75`		`- private async Task<string> GetTokenAsync(string authority, string resource, string scope)`
`76`		`- {`
`77`		`- var authContext = new AuthenticationContext(authority);`
`78`		`- var result = await authContext.AcquireTokenAsync(resource, _clientAssertionCertificate, _configuration.SendX5c);`
`79`		`-`
`80`		`- if (result == null)`
`81`		`- {`
`82`		`- throw new InvalidOperationException("Bearer token acquisition needed to call the KeyVault service failed");`
`83`		`- }`
`84`		`-`
`85`		`- return result.AccessToken;`
	`71`	`+ return new SecretClient(_configuration.GetKeyVaultUri(), credential);`
`86`	`72`	`}`
`87`	`73`	`}`
`88`	`74`