Skip to content

[Key Vault] Support CAE in challenge auth policy #37358

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
mccoyp merged 25 commits into from
Oct 16, 2024
Merged

[Key Vault] Support CAE in challenge auth policy #37358

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
ccd64b9
Add tests
mccoyp Sep 12, 2024
34fcfed
Implement CAE support
mccoyp Sep 12, 2024
d07e0a5
Share implementation across libraries
mccoyp Sep 13, 2024
84351af
Enable CAE; provide claims only in challenges
mccoyp Sep 18, 2024
c22cb08
Update tests for success scenarios
mccoyp Sep 19, 2024
d854071
Handle non-consecutive challenges (in Keys)
mccoyp Sep 19, 2024
6c19bbc
Cover invalid challenge flows
mccoyp Sep 20, 2024
c919056
Handle (in)valid challenge flows
mccoyp Sep 20, 2024
ff731e8
Share updates across libraries
mccoyp Sep 20, 2024
237c57b
Fix spelling, pylint
mccoyp Sep 20, 2024
013673b
Update changelogs
mccoyp Sep 26, 2024
5da13ff
Update tests for feedback
mccoyp Sep 26, 2024
36cb9fd
Use super() instead of private attribute
mccoyp Sep 26, 2024
f9ff176
Add live test; assert scope
mccoyp Sep 26, 2024
bf8f054
Fix auth policy to send scope correctly
mccoyp Sep 26, 2024
850e6e8
Async tests; sync challenge policy code
mccoyp Sep 26, 2024
e78d4e9
Ensure no re-sending claims in tests
mccoyp Oct 3, 2024
1a6c9f7
Fix policy to handle KV -> KV challenge
mccoyp Oct 3, 2024
3fad4db
Share bug fix across libraries
mccoyp Oct 3, 2024
ba2a954
Clarify test variable names
mccoyp Oct 4, 2024
92c6704
Correctly handle token refreshes
mccoyp Oct 5, 2024
8e65726
Bump Core dep for SupportsTokenInfo protocol support
mccoyp Oct 8, 2024
93c7eaa
(Async)SupportsTokenInfo support/tests
mccoyp Oct 8, 2024
bf25378
Pylint
mccoyp Oct 8, 2024
3cb6481
Mention Core bump, enable_cae kwarg in changelogs
mccoyp Oct 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Clarify test variable names
  • Loading branch information
@mccoyp
mccoyp committed Oct 7, 2024
commit ba2a954f76bae10f1830fad0a861606b9048dc04
16 changes: 8 additions & 8 deletions sdk/keyvault/azure-keyvault-keys/tests/test_challenge_auth.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -94,12 +94,12 @@ def get_random_url():
CLAIM_TOKEN = base64.b64encode(CAE_DECODED_CLAIM.encode()).decode()
# Note that no resource or scope is necessarily provided in a CAE challenge
CLAIM_CHALLENGE = f'Bearer realm="", {URL}, {CLIENT_ID}, {CAE_ERROR}, claims="{CLAIM_TOKEN}"'
CAE_CHALLENGE_HEADER = Mock(status_code=401, headers={"WWW-Authenticate": CLAIM_CHALLENGE})
CAE_CHALLENGE_RESPONSE = Mock(status_code=401, headers={"WWW-Authenticate": CLAIM_CHALLENGE})

KV_CHALLENGE_TENANT = "tenant-id"
ENDPOINT = f"https://authority.net/{KV_CHALLENGE_TENANT}"
RESOURCE = "https://vault.azure.net"
KV_CHALLENGE_HEADER = Mock(
KV_CHALLENGE_RESPONSE = Mock(
status_code=401,
headers={"WWW-Authenticate": f'Bearer authorization="{ENDPOINT}", resource={RESOURCE}'},
)
Expand Down Expand Up @@ -578,7 +578,7 @@ def send(request):
assert not request.body
assert "Authorization" not in request.headers
assert request.headers["Content-Length"] == "0"
return KV_CHALLENGE_HEADER
return KV_CHALLENGE_RESPONSE
elif Requests.count == 2:
# second request should be authorized according to challenge and have the expected content
assert request.headers["Content-Length"]
Expand All @@ -602,14 +602,14 @@ def send(request):
assert request.headers["Content-Length"]
assert request.body == expected_content
assert expected_token in request.headers["Authorization"]
return KV_CHALLENGE_HEADER
return KV_CHALLENGE_RESPONSE
elif Requests.count == 6:
# sixth request should respond to the KV challenge WITHOUT including claims
# we return another challenge to confirm that the policy will return consecutive 401s to the user
assert request.headers["Content-Length"]
assert request.body == expected_content
assert first_token in request.headers["Authorization"]
return KV_CHALLENGE_HEADER
return KV_CHALLENGE_RESPONSE
raise ValueError("unexpected request")

def get_token(*scopes, **kwargs):
Expand Down Expand Up @@ -642,7 +642,7 @@ def get_token(*scopes, **kwargs):
# get_token is called for the CAE challenge and first two KV challenges, but not the final KV challenge
assert credential.get_token.call_count == 3

test_with_challenge(CAE_CHALLENGE_HEADER, CAE_DECODED_CLAIM)
test_with_challenge(CAE_CHALLENGE_RESPONSE, CAE_DECODED_CLAIM)


@empty_challenge_cache
Expand All @@ -665,7 +665,7 @@ def send(request):
assert not request.body
assert "Authorization" not in request.headers
assert request.headers["Content-Length"] == "0"
return KV_CHALLENGE_HEADER
return KV_CHALLENGE_RESPONSE
elif Requests.count == 2:
# second request will trigger a CAE challenge response in this test scenario
assert request.headers["Content-Length"]
Expand Down Expand Up @@ -703,4 +703,4 @@ def get_token(*scopes, **kwargs):
# get_token is called for the KV challenge and first CAE challenge, but not the second CAE challenge
assert credential.get_token.call_count == 2

test_with_challenge(CAE_CHALLENGE_HEADER, CAE_DECODED_CLAIM)
test_with_challenge(CAE_CHALLENGE_RESPONSE, CAE_DECODED_CLAIM)
16 changes: 8 additions & 8 deletions sdk/keyvault/azure-keyvault-keys/tests/test_challenge_auth_async.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,9 +33,9 @@
empty_challenge_cache,
get_random_url,
add_url_port,
CAE_CHALLENGE_HEADER,
CAE_CHALLENGE_RESPONSE,
CAE_DECODED_CLAIM,
KV_CHALLENGE_HEADER,
KV_CHALLENGE_RESPONSE,
KV_CHALLENGE_TENANT,
RESOURCE,
)
Expand Down Expand Up @@ -534,7 +534,7 @@ async def send(request):
assert not request.body
assert "Authorization" not in request.headers
assert request.headers["Content-Length"] == "0"
return KV_CHALLENGE_HEADER
return KV_CHALLENGE_RESPONSE
elif Requests.count == 2:
# second request should be authorized according to challenge and have the expected content
assert request.headers["Content-Length"]
Expand All @@ -558,14 +558,14 @@ async def send(request):
assert request.headers["Content-Length"]
assert request.body == expected_content
assert expected_token in request.headers["Authorization"]
return KV_CHALLENGE_HEADER
return KV_CHALLENGE_RESPONSE
elif Requests.count == 6:
# sixth request should respond to the KV challenge WITHOUT including claims
# we return another challenge to confirm that the policy will return consecutive 401s to the user
assert request.headers["Content-Length"]
assert request.body == expected_content
assert first_token in request.headers["Authorization"]
return KV_CHALLENGE_HEADER
return KV_CHALLENGE_RESPONSE
raise ValueError("unexpected request")

async def get_token(*scopes, **kwargs):
Expand Down Expand Up @@ -598,7 +598,7 @@ async def get_token(*scopes, **kwargs):
# get_token is called for the CAE challenge and first two KV challenges, but not the final KV challenge
assert credential.get_token.call_count == 3

await test_with_challenge(CAE_CHALLENGE_HEADER, CAE_DECODED_CLAIM)
await test_with_challenge(CAE_CHALLENGE_RESPONSE, CAE_DECODED_CLAIM)


@pytest.mark.asyncio
Expand All @@ -622,7 +622,7 @@ async def send(request):
assert not request.body
assert "Authorization" not in request.headers
assert request.headers["Content-Length"] == "0"
return KV_CHALLENGE_HEADER
return KV_CHALLENGE_RESPONSE
elif Requests.count == 2:
# second request will trigger a CAE challenge response in this test scenario
assert request.headers["Content-Length"]
Expand Down Expand Up @@ -660,4 +660,4 @@ async def get_token(*scopes, **kwargs):
# get_token is called for the KV challenge and first CAE challenge, but not the second CAE challenge
assert credential.get_token.call_count == 2

await test_with_challenge(CAE_CHALLENGE_HEADER, CAE_DECODED_CLAIM)
await test_with_challenge(CAE_CHALLENGE_RESPONSE, CAE_DECODED_CLAIM)