Skip to content

[Key Vault] Support CAE in challenge auth policy #37358

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
mccoyp merged 25 commits into from
Oct 16, 2024
Merged

[Key Vault] Support CAE in challenge auth policy #37358

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
ccd64b9
Add tests
mccoyp Sep 12, 2024
34fcfed
Implement CAE support
mccoyp Sep 12, 2024
d07e0a5
Share implementation across libraries
mccoyp Sep 13, 2024
84351af
Enable CAE; provide claims only in challenges
mccoyp Sep 18, 2024
c22cb08
Update tests for success scenarios
mccoyp Sep 19, 2024
d854071
Handle non-consecutive challenges (in Keys)
mccoyp Sep 19, 2024
6c19bbc
Cover invalid challenge flows
mccoyp Sep 20, 2024
c919056
Handle (in)valid challenge flows
mccoyp Sep 20, 2024
ff731e8
Share updates across libraries
mccoyp Sep 20, 2024
237c57b
Fix spelling, pylint
mccoyp Sep 20, 2024
013673b
Update changelogs
mccoyp Sep 26, 2024
5da13ff
Update tests for feedback
mccoyp Sep 26, 2024
36cb9fd
Use super() instead of private attribute
mccoyp Sep 26, 2024
f9ff176
Add live test; assert scope
mccoyp Sep 26, 2024
bf8f054
Fix auth policy to send scope correctly
mccoyp Sep 26, 2024
850e6e8
Async tests; sync challenge policy code
mccoyp Sep 26, 2024
e78d4e9
Ensure no re-sending claims in tests
mccoyp Oct 3, 2024
1a6c9f7
Fix policy to handle KV -> KV challenge
mccoyp Oct 3, 2024
3fad4db
Share bug fix across libraries
mccoyp Oct 3, 2024
ba2a954
Clarify test variable names
mccoyp Oct 4, 2024
92c6704
Correctly handle token refreshes
mccoyp Oct 5, 2024
8e65726
Bump Core dep for SupportsTokenInfo protocol support
mccoyp Oct 8, 2024
93c7eaa
(Async)SupportsTokenInfo support/tests
mccoyp Oct 8, 2024
bf25378
Pylint
mccoyp Oct 8, 2024
3cb6481
Mention Core bump, enable_cae kwarg in changelogs
mccoyp Oct 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Cover invalid challenge flows
  • Loading branch information
@mccoyp
mccoyp committed Oct 7, 2024
commit 6c19bbc40533436e8af102817df4e143a4900fe1
36 changes: 20 additions & 16 deletions sdk/keyvault/azure-keyvault-keys/tests/test_challenge_auth.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -544,14 +544,14 @@ def test_cae():

expected_content = b"a duck"

def test_with_challenge(challenge, expected_claim):
def test_with_challenge(claims_challenge, expected_claim):
first_token = "first_token"
expected_token = "expected_token"
tenant = "tenant-id"
endpoint = f"https://authority.net/{tenant}"
resource = "https://vault.azure.net"

first_challenge = Mock(
kv_challenge = Mock(
status_code=401,
headers={"WWW-Authenticate": f'Bearer authorization="{endpoint}", resource={resource}'},
)
Expand All @@ -562,10 +562,10 @@ class Requests:
def send(request):
Requests.count += 1
if Requests.count == 1:
# first request should be unauthorized and have no content
# first request should be unauthorized and have no content; triggers a KV challenge response
assert not request.body
assert request.headers["Content-Length"] == "0"
return first_challenge
return kv_challenge
elif Requests.count == 2:
# second request should be authorized according to challenge and have the expected content
assert request.headers["Content-Length"]
Expand All @@ -577,13 +577,14 @@ def send(request):
assert request.headers["Content-Length"]
assert request.body == expected_content
assert first_token in request.headers["Authorization"]
return challenge
return claims_challenge
elif Requests.count == 4:
# fourth request should include the required claims and correctly use context from the first challenge
# we return another KV challenge to verify that the policy doesn't try to handle this invalid flow
assert request.headers["Content-Length"]
assert request.body == expected_content
assert expected_token in request.headers["Authorization"]
return Mock(status_code=200)
return kv_challenge
raise ValueError("unexpected request")

def get_token(*_, **kwargs):
Expand All @@ -605,6 +606,7 @@ def get_token(*_, **kwargs):
pipeline.run(request) # Send the request once to trigger a regular auth challenge
pipeline.run(request) # Send the request again to trigger a CAE challenge

# get_token is called for the first KV challenge and CAE challenge, but not the second KV challenge
assert credential.get_token.call_count == 2

url = f'authorization_uri="{get_random_url()}"'
Expand All @@ -616,9 +618,9 @@ def get_token(*_, **kwargs):
# Note that no resource or scope is necessarily proovided in a CAE challenge
challenge = f'Bearer realm="", {url}, {cid}, {err}, claims="{claim_token}"'

challenge_response = Mock(status_code=401, headers={"WWW-Authenticate": challenge})
claims_challenge = Mock(status_code=401, headers={"WWW-Authenticate": challenge})

test_with_challenge(challenge_response, claim)
test_with_challenge(claims_challenge, claim)


@empty_challenge_cache
Expand All @@ -627,14 +629,14 @@ def test_cae_consecutive_challenges():

expected_content = b"a duck"

def test_with_challenge(challenge, expected_claim):
def test_with_challenge(claims_challenge, expected_claim):
first_token = "first_token"
expected_token = "expected_token"
tenant = "tenant-id"
endpoint = f"https://authority.net/{tenant}"
resource = "https://vault.azure.net"

first_challenge = Mock(
kv_challenge = Mock(
status_code=401,
headers={"WWW-Authenticate": f'Bearer authorization="{endpoint}", resource={resource}'},
)
Expand All @@ -645,22 +647,23 @@ class Requests:
def send(request):
Requests.count += 1
if Requests.count == 1:
# first request should be unauthorized and have no content
# first request should be unauthorized and have no content; triggers a KV challenge response
assert not request.body
assert request.headers["Content-Length"] == "0"
return first_challenge
return kv_challenge
elif Requests.count == 2:
# second request will trigger a CAE challenge response in this test scenario
assert request.headers["Content-Length"]
assert request.body == expected_content
assert first_token in request.headers["Authorization"]
return challenge
return claims_challenge
elif Requests.count == 3:
# third request should include the required claims and correctly use context from the first challenge
# we return another CAE challenge to verify that the policy will return consecutive CAE 401s to the user
assert request.headers["Content-Length"]
assert request.body == expected_content
assert expected_token in request.headers["Authorization"]
return Mock(status_code=200)
return claims_challenge
raise ValueError("unexpected request")

def get_token(*_, **kwargs):
Expand All @@ -681,6 +684,7 @@ def get_token(*_, **kwargs):
request.set_bytes_body(expected_content)
pipeline.run(request)

# get_token is called for the KV challenge and first CAE challenge, but not the second CAE challenge
assert credential.get_token.call_count == 2

url = f'authorization_uri="{get_random_url()}"'
Expand All @@ -692,6 +696,6 @@ def get_token(*_, **kwargs):
# Note that no resource or scope is necessarily proovided in a CAE challenge
challenge = f'Bearer realm="", {url}, {cid}, {err}, claims="{claim_token}"'

challenge_response = Mock(status_code=401, headers={"WWW-Authenticate": challenge})
claims_challenge = Mock(status_code=401, headers={"WWW-Authenticate": challenge})

test_with_challenge(challenge_response, claim)
test_with_challenge(claims_challenge, claim)
36 changes: 20 additions & 16 deletions sdk/keyvault/azure-keyvault-keys/tests/test_challenge_auth_async.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -510,14 +510,14 @@ async def test_cae():

expected_content = b"a duck"

async def test_with_challenge(challenge, expected_claim):
async def test_with_challenge(claims_challenge, expected_claim):
first_token = "first_token"
expected_token = "expected_token"
tenant = "tenant-id"
endpoint = f"https://authority.net/{tenant}"
resource = "https://vault.azure.net"

first_challenge = Mock(
kv_challenge = Mock(
status_code=401,
headers={"WWW-Authenticate": f'Bearer authorization="{endpoint}", resource={resource}'},
)
Expand All @@ -528,10 +528,10 @@ class Requests:
async def send(request):
Requests.count += 1
if Requests.count == 1:
# first request should be unauthorized and have no content
# first request should be unauthorized and have no content; triggers a KV challenge response
assert not request.body
assert request.headers["Content-Length"] == "0"
return first_challenge
return kv_challenge
elif Requests.count == 2:
# second request should be authorized according to challenge and have the expected content
assert request.headers["Content-Length"]
Expand All @@ -543,13 +543,14 @@ async def send(request):
assert request.headers["Content-Length"]
assert request.body == expected_content
assert first_token in request.headers["Authorization"]
return challenge
return claims_challenge
elif Requests.count == 4:
# fourth request should include the required claims and correctly use context from the first challenge
# we return another KV challenge to verify that the policy doesn't try to handle this invalid flow
assert request.headers["Content-Length"]
assert request.body == expected_content
assert expected_token in request.headers["Authorization"]
return Mock(status_code=200)
return kv_challenge
raise ValueError("unexpected request")

async def get_token(*_, **kwargs):
Expand Down Expand Up @@ -582,9 +583,10 @@ async def get_token(*_, **kwargs):
# Note that no resource or scope is necessarily proovided in a CAE challenge
challenge = f'Bearer realm="", {url}, {cid}, {err}, claims="{claim_token}"'

challenge_response = Mock(status_code=401, headers={"WWW-Authenticate": challenge})
# get_token is called for the first KV challenge and CAE challenge, but not the second KV challenge
claims_challenge = Mock(status_code=401, headers={"WWW-Authenticate": challenge})

await test_with_challenge(challenge_response, claim)
await test_with_challenge(claims_challenge, claim)


@pytest.mark.asyncio
Expand All @@ -594,14 +596,14 @@ async def test_cae_consecutive_challenges():

expected_content = b"a duck"

async def test_with_challenge(challenge, expected_claim):
async def test_with_challenge(claims_challenge, expected_claim):
first_token = "first_token"
expected_token = "expected_token"
tenant = "tenant-id"
endpoint = f"https://authority.net/{tenant}"
resource = "https://vault.azure.net"

first_challenge = Mock(
kv_challenge = Mock(
status_code=401,
headers={"WWW-Authenticate": f'Bearer authorization="{endpoint}", resource={resource}'},
)
Expand All @@ -612,22 +614,23 @@ class Requests:
async def send(request):
Requests.count += 1
if Requests.count == 1:
# first request should be unauthorized and have no content
# first request should be unauthorized and have no content; triggers a KV challenge response
assert not request.body
assert request.headers["Content-Length"] == "0"
return first_challenge
return kv_challenge
elif Requests.count == 2:
# second request will trigger a CAE challenge response in this test scenario
assert request.headers["Content-Length"]
assert request.body == expected_content
assert first_token in request.headers["Authorization"]
return challenge
return claims_challenge
elif Requests.count == 3:
# third request should include the required claims and correctly use context from the first challenge
# we return another CAE challenge to verify that the policy will return consecutive CAE 401s to the user
assert request.headers["Content-Length"]
assert request.body == expected_content
assert expected_token in request.headers["Authorization"]
return Mock(status_code=200)
return claims_challenge
raise ValueError("unexpected request")

async def get_token(*_, **kwargs):
Expand All @@ -648,6 +651,7 @@ async def get_token(*_, **kwargs):
request.set_bytes_body(expected_content)
await pipeline.run(request)

# get_token is called for the KV challenge and first CAE challenge, but not the second CAE challenge
assert credential.get_token.call_count == 2

url = f'authorization_uri="{get_random_url()}"'
Expand All @@ -659,6 +663,6 @@ async def get_token(*_, **kwargs):
# Note that no resource or scope is necessarily proovided in a CAE challenge
challenge = f'Bearer realm="", {url}, {cid}, {err}, claims="{claim_token}"'

challenge_response = Mock(status_code=401, headers={"WWW-Authenticate": challenge})
claims_challenge = Mock(status_code=401, headers={"WWW-Authenticate": challenge})

await test_with_challenge(challenge_response, claim)
await test_with_challenge(claims_challenge, claim)