Update AzureKeyVault to use modern KeyVault SDK. (#88)

Author: StephenMolloy

samples/SampleWebApp/SampleWebApp.csproj

@@ -56,14 +56,8 @@
     <PackageReference Include="Azure.Identity">
       <Version>1.0.0</Version>
     </PackageReference>
-    <PackageReference Include="Microsoft.Azure.KeyVault">
-      <Version>2.3.2</Version>
-    </PackageReference>
-    <PackageReference Include="Microsoft.Azure.Services.AppAuthentication">
-      <Version>1.0.1</Version>
-    </PackageReference>
-    <PackageReference Include="Microsoft.IdentityModel.Clients.ActiveDirectory">
-      <Version>3.19.2</Version>
+    <PackageReference Include="Azure.Security.KeyVault.Secrets">
+      <Version>4.0.0</Version>
     </PackageReference>
     <PackageReference Include="Newtonsoft.Json">
       <Version>11.0.1</Version>

samples/SampleWebApp/Web.config

@@ -45,7 +45,7 @@
       <add name="KeyPerFile" directoryPath="~/../KeyPerFileSampleRoot" mode="Strict" keyDelimiter="--" type="Microsoft.Configuration.ConfigurationBuilders.KeyPerFileConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.KeyPerFile, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
 
       <add name="KV1" vaultName="${ConfigBuilderTestKeyVaultName}" type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
-      <add name="KV2" vaultName="${ConfigBuilderTestKeyVaultName}" version="d14197de791c4ffe8e79bc7fc0f766b0" type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
+      <add name="KV2" vaultName="${ConfigBuilderTestKeyVaultName}" preloadSecretNames="false" version="d14197de791c4ffe8e79bc7fc0f766b0" type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
       <add name="KV3" vaultName="${ConfigBuilderTestKeyVaultName}" mode="Greedy" type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
       <add name="KV4" vaultName="${ConfigBuilderTestKeyVaultName}" mode="Greedy" version="0de51928e49144ce86eb1de9056ac937" type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
 
@@ -59,7 +59,7 @@
     </builders>
   </configBuilders>
 
-  <appSettings configBuilders="Environment,Secrets,Json,KeyPerFile">
+  <appSettings configBuilders="Environment,Secrets,Json,KeyPerFile,KV1,KV2,KV3,KV4">
     <add key="app~Settings_Colon-and$friends@super+duper,awesome#cool:Test." value="true"/>
     <add key="WINDIR" value="Will be replaced by 'Environment' in Strict and Greedy modes."/>
     <add key="SYSTEMDRIVE" value="Will initally be replaced by 'Environment' in Strict and Greedy modes... but then superceded by 'Secrets' in the same modes."/>
@@ -114,8 +114,15 @@
     <httpRuntime targetFramework="4.7.1"/>
   </system.web>
 
-	<runtime>
-		<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
+	<system.codedom>
+		<compilers>
+			<compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=2.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701"/>
+			<compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=2.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=\&quot;Web\&quot; /optionInfer+"/>
+		</compilers>
+	</system.codedom>
+
+  <runtime>
+    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
 			<dependentAssembly>
 				<assemblyIdentity name="System.Xml.XPath.XDocument" publicKeyToken="B03F5F7F11D50A3A" culture="neutral"/>
 				<bindingRedirect oldVersion="0.0.0.0-4.1.0.0" newVersion="4.1.0.0"/>
@@ -165,47 +172,33 @@
 				<bindingRedirect oldVersion="0.0.0.0-4.2.0.0" newVersion="4.2.0.0"/>
 			</dependentAssembly>
 			<dependentAssembly>
-				<assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral"/>
-				<bindingRedirect oldVersion="0.0.0.0-11.0.0.0" newVersion="11.0.0.0"/>
-			</dependentAssembly>
-			<dependentAssembly>
-				<assemblyIdentity name="Microsoft.IdentityModel.Clients.ActiveDirectory" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
-				<bindingRedirect oldVersion="0.0.0.0-3.19.2.6005" newVersion="3.19.2.6005"/>
-			</dependentAssembly>
-			<dependentAssembly>
-				<assemblyIdentity name="Microsoft.IdentityModel.Clients.ActiveDirectory.Platform" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
-				<bindingRedirect oldVersion="0.0.0.0-3.19.2.6005" newVersion="3.19.2.6005"/>
-			</dependentAssembly>
-			<dependentAssembly>
-				<assemblyIdentity name="Azure.Core" publicKeyToken="92742159e12e44c8" culture="neutral"/>
-				<bindingRedirect oldVersion="0.0.0.0-1.0.1.0" newVersion="1.0.1.0"/>
-			</dependentAssembly>
-			<dependentAssembly>
-				<assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral"/>
-				<bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1"/>
-			</dependentAssembly>
-			<dependentAssembly>
-				<assemblyIdentity name="System.Numerics.Vectors" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>
-				<bindingRedirect oldVersion="0.0.0.0-4.1.4.0" newVersion="4.1.4.0"/>
-			</dependentAssembly>
-			<dependentAssembly>
-				<assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>
-				<bindingRedirect oldVersion="0.0.0.0-4.0.5.0" newVersion="4.0.5.0"/>
-			</dependentAssembly>
-			<dependentAssembly>
-				<assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral"/>
+				<assemblyIdentity name="System.ValueTuple" publicKeyToken="CC7B13FFCD2DDD51" culture="neutral"/>
 				<bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0"/>
 			</dependentAssembly>
-			<dependentAssembly>
-				<assemblyIdentity name="System.ValueTuple" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral"/>
-				<bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0"/>
-			</dependentAssembly>
-		</assemblyBinding>
-	</runtime>
-	<system.codedom>
-		<compilers>
-			<compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=2.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701"/>
-			<compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=2.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=\&quot;Web\&quot; /optionInfer+"/>
-		</compilers>
-	</system.codedom>
+      <dependentAssembly>
+        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-11.0.0.0" newVersion="11.0.0.0"/>
+      </dependentAssembly>
+      <dependentAssembly>
+        <assemblyIdentity name="Azure.Core" publicKeyToken="92742159e12e44c8" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-1.0.1.0" newVersion="1.0.1.0"/>
+      </dependentAssembly>
+      <dependentAssembly>
+        <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-4.0.5.0" newVersion="4.0.5.0"/>
+      </dependentAssembly>
+      <dependentAssembly>
+        <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1"/>
+      </dependentAssembly>
+      <dependentAssembly>
+        <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0"/>
+      </dependentAssembly>
+      <dependentAssembly>
+        <assemblyIdentity name="System.Numerics.Vectors" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>
+        <bindingRedirect oldVersion="0.0.0.0-4.1.4.0" newVersion="4.1.4.0"/>
+      </dependentAssembly>
+    </assemblyBinding>
+  </runtime>
 </configuration>

src/Azure/Azure.csproj

@@ -40,7 +40,6 @@
   <ItemGroup>
     <Reference Include="System" />
     <Reference Include="System.Configuration" />
-    <Reference Include="System.Net.Http" />
   </ItemGroup>
   <ItemGroup>
     <Compile Include="AzureKeyVaultConfigBuilder.cs" />
@@ -53,14 +52,11 @@
     </ProjectReference>
   </ItemGroup>
   <ItemGroup>
-    <PackageReference Include="Microsoft.Azure.KeyVault">
-      <Version>2.3.2</Version>
+    <PackageReference Include="Azure.Identity">
+      <Version>1.0.0</Version>
     </PackageReference>
-    <PackageReference Include="Microsoft.Azure.Services.AppAuthentication">
-      <Version>1.0.1</Version>
-    </PackageReference>
-    <PackageReference Include="Microsoft.IdentityModel.Clients.ActiveDirectory">
-      <Version>3.19.2</Version>
+    <PackageReference Include="Azure.Security.KeyVault.Secrets">
+      <Version>4.0.0</Version>
     </PackageReference>
   </ItemGroup>
   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />

src/Azure/AzureKeyVaultConfigBuilder.cs

@@ -9,9 +9,9 @@
 using System.Text.RegularExpressions;
 using System.Threading.Tasks;
 
-using Microsoft.Azure.KeyVault;
-using Microsoft.Azure.KeyVault.Models;
-using Microsoft.Azure.Services.AppAuthentication;
+using Azure;
+using Azure.Identity;
+using Azure.Security.KeyVault.Secrets;
 
 namespace Microsoft.Configuration.ConfigurationBuilders
 {
@@ -35,7 +35,7 @@ public class AzureKeyVaultConfigBuilder : KeyValueConfigBuilder
         private bool _preload;
         private bool _preloadFailed;
 
-        private KeyVaultClient _kvClient;
+        private SecretClient _kvClient;
         private List<string> _allKeys;
 
         /// <summary>
@@ -58,6 +58,8 @@ protected override void LazyInitialize(string name, NameValueCollection config)
             _uri = UpdateConfigSettingWithAppSettings(uriTag);
             _vaultName = UpdateConfigSettingWithAppSettings(vaultNameTag);
             _version = UpdateConfigSettingWithAppSettings(versionTag);
+            if (String.IsNullOrWhiteSpace(_version))
+                _version = null;
 
             if (String.IsNullOrWhiteSpace(_uri))
             {
@@ -83,8 +85,7 @@ protected override void LazyInitialize(string name, NameValueCollection config)
             // Connect to KeyVault
             try
             {
-                AzureServiceTokenProvider tokenProvider = new AzureServiceTokenProvider(_connectionString);
-                _kvClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));
+                _kvClient = new SecretClient(new Uri(_uri), new DefaultAzureCredential());
             }
             catch (Exception)
             {
@@ -130,10 +131,10 @@ public override ICollection<KeyValuePair<string, string>> GetAllValues(string pr
                     {
                         // Azure Key Vault keys are case-insensitive, so there shouldn't be any races here.
                         // Include version information. It will get filtered out later before updating config.
-                        SecretBundle secret = t.Result;
+                        KeyVaultSecret secret = t.Result;
                         if (secret != null)
                         {
-                            string versionedKey = key + "/" + (secret.SecretIdentifier.Version ?? "0");
+                            string versionedKey = key + "/" + (secret.Properties?.Version ?? "0");
                             d[versionedKey] = secret.Value;
                         }
                     })));
@@ -184,31 +185,36 @@ public override string UpdateKey(string rawKey)
             return new VersionedKey(rawKey).Key;
         }
 
-        private async Task<SecretBundle> GetValueAsync(string key)
+        private async Task<KeyVaultSecret> GetValueAsync(string key)
         {
             if (_kvClient == null)
                 return null;
 
             VersionedKey vKey = new VersionedKey(key);
 
+            // If we successfully preloaded key names, see if the requested key is valid before making network request.
             if (!_preload || _preloadFailed || _allKeys.Contains(vKey.Key, StringComparer.OrdinalIgnoreCase))
             {
                 try
                 {
-                    string version = !String.IsNullOrWhiteSpace(_version) ? _version : vKey.Version;
+                    string version = _version ?? vKey.Version;
                     if (version != null)
                     {
-                        SecretBundle versionedSecret = await _kvClient.GetSecretAsync(_uri, vKey.Key, version);
+                        KeyVaultSecret versionedSecret = await _kvClient.GetSecretAsync(vKey.Key, version);
                         return versionedSecret;
                     }
 
-                    SecretBundle secret = await _kvClient.GetSecretAsync(_uri, vKey.Key);
+                    KeyVaultSecret secret = await _kvClient.GetSecretAsync(vKey.Key);
                     return secret;
                 }
-                catch (KeyVaultErrorException kve)
+                catch (RequestFailedException rfex)
                 {
                     // Simply return null if the secret wasn't found
-                    if (kve.Body.Error.Code == "SecretNotFound" || kve.Body.Error.Code == "BadParameter")
+                    //if (rfex.ErrorCode == "SecretNotFound" || rfex.ErrorCode == "BadParameter")
+                    // .ErrorCode doesn't get populated. :/
+                    // "SecretNotFound" == 404
+                    // "BadParameter" = 400
+                    if (rfex.Status == 404 || rfex.Status == 400)
                         return null;
 
                     // If there was a permission issue or some other error, let the exception bubble
@@ -230,35 +236,25 @@ private List<string> GetAllKeys()
 
             try
             {
-                // Get first page of secret keys
-                var allSecrets = Task.Run(async () => { return await _kvClient.GetSecretsAsync(_uri); }).Result;
-                foreach (var secretItem in allSecrets)
-                    keys.Add(secretItem.Identifier.Name);
-
-                // If there more more pages, get those too
-                string nextPage = allSecrets.NextPageLink;
-                while (!String.IsNullOrWhiteSpace(nextPage))
+                foreach (SecretProperties secretProps in _kvClient.GetPropertiesOfSecrets())
                 {
-                    var moreSecrets = Task.Run(async () => { return await _kvClient.GetSecretsNextAsync(nextPage); }).Result;
-                    foreach (var secretItem in moreSecrets)
-                        keys.Add(secretItem.Identifier.Name);
-                    nextPage = moreSecrets.NextPageLink;
+                    // Don't include disabled secrets
+                    if (!secretProps.Enabled.GetValueOrDefault())
+                        continue;
+
+                    keys.Add(secretProps.Name);
                 }
             }
-            catch (AggregateException ae)
+            catch (RequestFailedException rfex)
             {
-                ae.Handle(ex =>
-                {
-                    var exAsKve = ex as KeyVaultErrorException;
-                    // If List Permission on Secrets in not available return empty list of keys
-                    if (exAsKve != null && exAsKve.Body.Error.Code == "Forbidden")
-                    {
-                        _preloadFailed = true;
-                        return true;
-                    }
-                    else
-                        return Optional;    // False == throw.
-                });
+                _preloadFailed = true;
+
+                // If List Permission on Secrets in not available return empty list of keys
+                if (rfex.ErrorCode == "Forbidden")
+                    return keys;
+
+                if (!Optional)
+                    throw;
             }
 
             return keys;

src/packages/ConfigurationBuilders.Azure.nupkg/Microsoft.Configuration.ConfigurationBuilders.Azure.nuspec

@@ -18,8 +18,8 @@
 
     <dependencies>
       <dependency id="Microsoft.Configuration.ConfigurationBuilders.Base" version="$NuGetPackageBaseDependencyVersion$" />
-      <dependency id="Microsoft.Azure.KeyVault" version="2.3.2" />
-      <dependency id="Microsoft.Azure.Services.AppAuthentication" version="1.0.1" />
+      <dependency id="Azure.Security.KeyVault.Secrets" version="4.0.0" />
+      <dependency id="Azure.Identity" version="1.0.0" />
     </dependencies>
   </metadata>
 </package>