[keyvault] Verify challenge response matches request domain (#23283)

sdk/keyvault/keyvault-admin/CHANGELOG.md

@@ -1,6 +1,6 @@
 # Release History
 
-## 4.2.3 (Unreleased)
+## 4.3.1 (Unreleased)
 
 ### Features Added
 
@@ -10,6 +10,14 @@
 
 ### Other Changes
 
+## 4.3.0 (2022-09-20)
+
+### Breaking Changes
+
+- Verify the challenge resource matches the vault domain.
+  This should affect few customers who can set `disableChallengeResourceVerification` in the options bag to `true` to disable.
+  See https://aka.ms/azsdk/blog/vault-uri for more information.
+
 ## 4.2.2 (2022-08-09)
 
 ### Other Changes

sdk/keyvault/keyvault-admin/package.json

@@ -2,7 +2,7 @@
   "name": "@azure/keyvault-admin",
   "sdk-type": "client",
   "author": "Microsoft Corporation",
-  "version": "4.2.3",
+  "version": "4.3.1",
   "license": "MIT",
   "description": "Isomorphic client library for Azure KeyVault's administrative functions.",
   "homepage": "https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/keyvault/keyvault-admin/README.md",

sdk/keyvault/keyvault-admin/review/keyvault-admin.api.md

@@ -15,6 +15,7 @@ import { TokenCredential } from '@azure/core-auth';
 
 // @public
 export interface AccessControlClientOptions extends CommonClientOptions {
+    disableChallengeResourceVerification?: boolean;
     serviceVersion?: SUPPORTED_API_VERSIONS;
 }
 
@@ -72,6 +73,7 @@ export class KeyVaultBackupClient {
 
 // @public
 export interface KeyVaultBackupClientOptions extends CommonClientOptions {
+    disableChallengeResourceVerification?: boolean;
     serviceVersion?: SUPPORTED_API_VERSIONS;
 }
 

sdk/keyvault/keyvault-admin/src/accessControlClient.ts

@@ -59,9 +59,9 @@ export class KeyVaultAccessControlClient {
    *
    * let client = new KeyVaultAccessControlClient(vaultUrl, credentials);
    * ```
-   * @param vaultUrl - the URL of the Key Vault. It should have this shape: `https://${your-key-vault-name}.vault.azure.net`
+   * @param vaultUrl - the URL of the Key Vault. It should have this shape: `https://${your-key-vault-name}.vault.azure.net`. You should validate that this URL references a valid Key Vault or Managed HSM resource. See https://aka.ms/azsdk/blog/vault-uri for details.
    * @param credential - An object that implements the `TokenCredential` interface used to authenticate requests to the service. Use the \@azure/identity package to create a credential that suits your needs.
-   * @param pipelineOptions - Pipeline options used to configure Key Vault API requests. Omit this parameter to use the default pipeline configuration.
+   * @param options - Options used to configure Key Vault API requests. Omit this parameter to use the default configuration.
    */
   constructor(
     vaultUrl: string,
@@ -92,7 +92,7 @@ export class KeyVaultAccessControlClient {
         // The scopes will be populated in the challenge callbacks based on the WWW-authenticate header
         // returned by the challenge, so pass an empty array as a placeholder.
         scopes: [],
-        challengeCallbacks: createChallengeCallbacks(),
+        challengeCallbacks: createChallengeCallbacks(options),
       })
     );
   }

sdk/keyvault/keyvault-admin/src/accessControlModels.ts

@@ -20,6 +20,12 @@ export interface AccessControlClientOptions extends CommonClientOptions {
    * The accepted versions of the Key Vault's service API.
    */
   serviceVersion?: SUPPORTED_API_VERSIONS;
+
+  /**
+   * Whether to disable verification that the authentication challenge resource matches the Key Vault or Managed HSM domain.
+   * Defaults to false.
+   */
+  disableChallengeResourceVerification?: boolean;
 }
 
 /**

sdk/keyvault/keyvault-admin/src/backupClient.ts

@@ -63,7 +63,7 @@ export class KeyVaultBackupClient {
    *
    * let client = new KeyVaultBackupClient(vaultUrl, credentials);
    * ```
-   * @param vaultUrl - the URL of the Key Vault. It should have this shape: `https://${your-key-vault-name}.vault.azure.net`
+   * @param vaultUrl - the URL of the Key Vault. It should have this shape: `https://${your-key-vault-name}.vault.azure.net`. You should validate that this URL references a valid Key Vault or Managed HSM resource. See https://aka.ms/azsdk/blog/vault-uri for details.
    * @param credential - An object that implements the `TokenCredential` interface used to authenticate requests to the service. Use the \@azure/identity package to create a credential that suits your needs.
    * @param options - options used to configure Key Vault API requests.
    */
@@ -95,7 +95,7 @@ export class KeyVaultBackupClient {
         // The scopes will be populated in the challenge callbacks based on the WWW-authenticate header
         // returned by the challenge, so pass an empty array as a placeholder.
         scopes: [],
-        challengeCallbacks: createChallengeCallbacks(),
+        challengeCallbacks: createChallengeCallbacks(options),
       })
     );
   }

sdk/keyvault/keyvault-admin/src/backupClientModels.ts

@@ -12,6 +12,12 @@ export interface KeyVaultBackupClientOptions extends CommonClientOptions {
    * The accepted versions of the Key Vault's service API.
    */
   serviceVersion?: SUPPORTED_API_VERSIONS;
+
+  /**
+   * Whether to disable verification that the authentication challenge resource matches the Key Vault or Managed HSM domain.
+   * Defaults to false.
+   */
+  disableChallengeResourceVerification?: boolean;
 }
 
 /**

sdk/keyvault/keyvault-admin/src/constants.ts

@@ -4,7 +4,7 @@
 /**
  * Current version of the Key Vault Admin SDK.
  */
-export const SDK_VERSION: string = "4.2.3";
+export const SDK_VERSION: string = "4.3.1";
 
 /**
  * The latest supported Key Vault service API version.

sdk/keyvault/keyvault-admin/swagger/README.md

@@ -15,7 +15,7 @@ input-file:
   - https://raw.githubusercontent.com/Azure/azure-rest-api-specs/e2ef44b87405b412403ccb005bfb3975411adf60/specification/keyvault/data-plane/Microsoft.KeyVault/stable/7.3/backuprestore.json
 output-folder: ../
 source-code-folder-path: ./src/generated
-package-version: 4.2.3
+package-version: 4.3.1
 use-extension:
   "@autorest/typescript": "6.0.0-beta.15"
 ```

sdk/keyvault/keyvault-admin/test/internal/challengeAuthenticationCallbacks.spec.ts

@@ -17,7 +17,7 @@ describe("Challenge based authentication tests", function () {
   let challengeCallbacks: ChallengeCallbacks;
 
   beforeEach(() => {
-    request = createPipelineRequest({ url: "https://foo.bar" });
+    request = createPipelineRequest({ url: "https://myvault.vault.azure.net" });
     challengeCallbacks = createChallengeCallbacks();
   });
 
@@ -59,7 +59,7 @@ describe("Challenge based authentication tests", function () {
         request,
         response: {
           headers: createHttpHeaders({
-            "WWW-Authenticate": `Bearer resource="cae_scope"`,
+            "WWW-Authenticate": `Bearer resource="https://vault.azure.net"`,
           }),
           request,
           status: 200,
@@ -118,36 +118,100 @@ describe("Challenge based authentication tests", function () {
         request,
         response: {
           headers: createHttpHeaders({
-            "WWW-Authenticate": `Bearer resource="cae_scope"`,
+            "WWW-Authenticate": `Bearer resource="https://vault.azure.net"`,
           }),
           request,
           status: 200,
         },
         scopes: [],
       });
 
-      assert.sameMembers(getAccessTokenScopes, ["cae_scope/.default"]);
+      assert.sameMembers(getAccessTokenScopes, ["https://vault.azure.net/.default"]);
     });
 
-    it("prefers resource scope and adds .default to resource when provided", async () => {
-      let getAccessTokenScopes: string[] = [];
+    it("throws if the resource is not a valid URL", async () => {
+      await assert.isRejected(
+        challengeCallbacks.authorizeRequestOnChallenge!({
+          getAccessToken: () => Promise.resolve(null),
+          request,
+          response: {
+            headers: createHttpHeaders({
+              "WWW-Authenticate": `Bearer resource="invalid_scope"`,
+            }),
+            request,
+            status: 200,
+          },
+          scopes: [],
+        }),
+        `The challenge contains invalid scope 'invalid_scope/.default'`
+      );
+    });
+
+    it("throws if the resource URI host does not match the request by default", async () => {
+      await assert.isRejected(
+        challengeCallbacks.authorizeRequestOnChallenge!({
+          getAccessToken: () => Promise.resolve(null),
+          request: createPipelineRequest({ url: "https://foo.bar" }),
+          response: {
+            headers: createHttpHeaders({
+              "WWW-Authenticate": `Bearer resource="https://vault.azure.net"`,
+            }),
+            request,
+            status: 200,
+          },
+          scopes: [],
+        }),
+        "The challenge resource 'vault.azure.net' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information."
+      );
+    });
+
+    it("throws if the request host is a prefix, but not a subdomain, of the resource URI host", async () => {
+      await assert.isRejected(
+        challengeCallbacks.authorizeRequestOnChallenge!({
+          getAccessToken: () => Promise.resolve(null),
+          request: createPipelineRequest({ url: "https://myvault.azure.net" }),
+          response: {
+            headers: createHttpHeaders({
+              "WWW-Authenticate": `Bearer resource="https://vault.azure.net"`,
+            }),
+            request,
+            status: 200,
+          },
+          scopes: [],
+        }),
+        "The challenge resource 'vault.azure.net' does not match the requested domain. Set disableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information."
+      );
+    });
+
+    it("does not throw if the resource URI matches the request", async () => {
       await challengeCallbacks.authorizeRequestOnChallenge!({
-        getAccessToken: (scopes) => {
-          getAccessTokenScopes = scopes;
-          return Promise.resolve(null);
-        },
-        request,
+        getAccessToken: () => Promise.resolve(null),
+        request: createPipelineRequest({ url: "https://myvault.vault.azure.net" }),
         response: {
           headers: createHttpHeaders({
-            "WWW-Authenticate": `Bearer resource="cae_resource", scope="cae_scope"`,
+            "WWW-Authenticate": `Bearer resource="https://vault.azure.net"`,
           }),
           request,
           status: 200,
         },
         scopes: [],
       });
+    });
 
-      assert.sameMembers(getAccessTokenScopes, ["cae_resource/.default"]);
+    it("does not throw if the resource URI host does not match the request but verifyChallengeResource is false", async () => {
+      challengeCallbacks = createChallengeCallbacks({ disableChallengeResourceVerification: true });
+      await challengeCallbacks.authorizeRequestOnChallenge!({
+        getAccessToken: () => Promise.resolve(null),
+        request: createPipelineRequest({ url: "https://foo.bar" }),
+        response: {
+          headers: createHttpHeaders({
+            "WWW-Authenticate": `Bearer resource="https://vault.azure.net"`,
+          }),
+          request,
+          status: 200,
+        },
+        scopes: [],
+      });
     });
 
     it("passes the tenantId if provided", async () => {
@@ -163,7 +227,7 @@ describe("Challenge based authentication tests", function () {
         request,
         response: {
           headers: createHttpHeaders({
-            "WWW-Authenticate": `Bearer resource="cae_scope" authorization="http://login.windows.net/${expectedTenantId}"`,
+            "WWW-Authenticate": `Bearer resource="https://vault.azure.net" authorization="http://login.windows.net/${expectedTenantId}"`,
           }),
           request,
           status: 200,
@@ -182,7 +246,7 @@ describe("Challenge based authentication tests", function () {
         request,
         response: {
           headers: createHttpHeaders({
-            "WWW-Authenticate": `Bearer resource="cae_scope"`,
+            "WWW-Authenticate": `Bearer resource="https://vault.azure.net"`,
           }),
           request,
           status: 200,
@@ -200,7 +264,7 @@ describe("Challenge based authentication tests", function () {
         request,
         response: {
           headers: createHttpHeaders({
-            "WWW-Authenticate": `Bearer resource="cae_scope"`,
+            "WWW-Authenticate": `Bearer resource="https://vault.azure.net"`,
           }),
           request,
           status: 200,

sdk/keyvault/keyvault-certificates/CHANGELOG.md

@@ -1,6 +1,6 @@
 # Release History
 
-## 4.5.1 (Unreleased)
+## 4.6.1 (Unreleased)
 
 ### Features Added
 
@@ -10,6 +10,14 @@
 
 ### Other Changes
 
+## 4.6.0 (2022-09-20)
+
+### Breaking Changes
+
+- Verify the challenge resource matches the vault domain.
+  This should affect few customers who can set `disableChallengeResourceVerification` in the options bag to `true` to disable.
+  See https://aka.ms/azsdk/blog/vault-uri for more information.
+
 ## 4.5.0 (2022-08-09)
 
 ### Breaking Changes

sdk/keyvault/keyvault-certificates/package.json

@@ -2,7 +2,7 @@
   "name": "@azure/keyvault-certificates",
   "sdk-type": "client",
   "author": "Microsoft Corporation",
-  "version": "4.5.1",
+  "version": "4.6.1",
   "license": "MIT",
   "description": "Isomorphic client library for Azure KeyVault's certificates.",
   "homepage": "https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/keyvault/keyvault-certificates/README.md",

sdk/keyvault/keyvault-certificates/review/keyvault-certificates.api.md

@@ -88,6 +88,7 @@ export class CertificateClient {
 
 // @public
 export interface CertificateClientOptions extends ExtendedCommonClientOptions {
+    disableChallengeResourceVerification?: boolean;
     serviceVersion?: "7.0" | "7.1" | "7.2" | "7.3";
 }
 

sdk/keyvault/keyvault-certificates/src/certificatesModels.ts

@@ -18,13 +18,19 @@ import {
 export const LATEST_API_VERSION = "7.3";
 
 /**
- * The optional parameters accepted by the KeyVault's KeyClient
+ * The optional parameters accepted by the KeyVault's CertificateClient
  */
 export interface CertificateClientOptions extends ExtendedCommonClientOptions {
   /**
    * The accepted versions of the KeyVault's service API.
    */
   serviceVersion?: "7.0" | "7.1" | "7.2" | "7.3";
+
+  /**
+   * Whether to disable verification that the authentication challenge resource matches the Key Vault domain.
+   * Defaults to false.
+   */
+  disableChallengeResourceVerification?: boolean;
 }
 
 /**

sdk/keyvault/keyvault-certificates/src/constants.ts

@@ -1,4 +1,4 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 
-export const SDK_VERSION: string = "4.5.1";
+export const SDK_VERSION: string = "4.6.1";

sdk/keyvault/keyvault-certificates/src/index.ts

@@ -236,7 +236,7 @@ export class CertificateClient {
 
   /**
    * Creates an instance of CertificateClient.
-   * @param vaultUrl - the base URL to the vault.
+   * @param vaultUrl - the base URL to the vault. You should validate that this URL references a valid Key Vault resource. See https://aka.ms/azsdk/blog/vault-uri for details.
    * @param credential - An object that implements the `TokenCredential` interface used to authenticate requests to the service. Use the \@azure/identity package to create a credential that suits your needs.
    * @param clientOptions - Pipeline options used to configure Key Vault API requests.
    *                          Omit this parameter to use the default pipeline configuration.
@@ -251,7 +251,7 @@ export class CertificateClient {
     const authPolicy = bearerTokenAuthenticationPolicy({
       credential,
       scopes: [],
-      challengeCallbacks: createChallengeCallbacks(),
+      challengeCallbacks: createChallengeCallbacks(clientOptions),
     });
 
     const internalClientPipelineOptions: InternalClientPipelineOptions = {

sdk/keyvault/keyvault-certificates/swagger/README.md

@@ -20,6 +20,6 @@ input-file: https://raw.githubusercontent.com/Azure/azure-rest-api-specs/e2ef44b
 output-folder: ../
 source-code-folder-path: ./src/generated
 hide-clients: true
-package-version: 4.5.1
+package-version: 4.6.1
 openapi-type: data-plane
 ```