From 8a5fca2207dd9a5f4f22bfbfb45652992a53cb3a Mon Sep 17 00:00:00 2001
From: lilgreenbird
Date: Fri, 23 Aug 2019 11:46:33 -0700
Subject: [PATCH] Fix | Add list of trusted endpoints for AKV (#1130)

* added list of trusted endpoints

* rename
---
 ...ColumnEncryptionAzureKeyVaultProvider.java | 23 +++++++++++++------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/src/main/java/com/microsoft/sqlserver/jdbc/SQLServerColumnEncryptionAzureKeyVaultProvider.java b/src/main/java/com/microsoft/sqlserver/jdbc/SQLServerColumnEncryptionAzureKeyVaultProvider.java
index 5b3e25eab..1ad15e4f7 100644
--- a/src/main/java/com/microsoft/sqlserver/jdbc/SQLServerColumnEncryptionAzureKeyVaultProvider.java
+++ b/src/main/java/com/microsoft/sqlserver/jdbc/SQLServerColumnEncryptionAzureKeyVaultProvider.java
@@ -50,7 +50,14 @@ public class SQLServerColumnEncryptionAzureKeyVaultProvider extends SQLServerCol
     private final String baseUrl = "https://{vaultBaseUrl}";
-    private final String azureKeyVaultDomainName = "vault.azure.net";
+    /**
+     * List of Azure trusted endpoints https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault
+     */
+    private final String azureTrustedEndpoints[] = {"vault.azure.net", // default
+            "vault.azure.cn", // Azure China
+            "vault.usgovcloudapi.net", // US Government
+            "vault.microsoftazure.de" // Azure Germany
+    };
     private final String rsaEncryptionAlgorithmWithOAEPForAKV = "RSA-OAEP";
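Review bot: The new field uses the C-style array declarator and is an instance-level constant: `private final String azureTrustedEndpoints[] = {...}` allocates a fresh array per provider instance and reads unlike the rest of the file's `final String` fields. A class constant is the conventional form, `private static final String[] AZURE_TRUSTED_ENDPOINTS = {"vault.azure.net", // default`, with the same four entries; a `final` array reference still leaves the elements writable, which is acceptable only because the field stays private. The Javadoc would also help a maintainer if it said how the entries are used, e.g. `Each entry is matched as a host-name suffix by ValidateNonEmptyAKVPath; add new sovereign-cloud vault domains here.` The enclosing class declaration begins before this hunk.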
@@ -448,13 +455,15 @@ private void ValidateNonEmptyAKVPath(String masterKeyPath) throws SQLServerExcep
         }
         // A valid URI.
-        // Check if it is pointing to AKV.
-        if (!parsedUri.getHost().toLowerCase(Locale.ENGLISH).endsWith(azureKeyVaultDomainName)) {
-            // Return an error indicating that the AKV url is invalid.
-            MessageFormat form = new MessageFormat(SQLServerException.getErrString("R_AKVMasterKeyPathInvalid"));
-            Object[] msgArgs = {masterKeyPath};
-            throw new SQLServerException(null, form.format(msgArgs), null, 0, false);
+        // Check if it is pointing to a trusted endpoint.
+        for (final String endpoint : azureTrustedEndpoints) {
+            if (parsedUri.getHost().toLowerCase(Locale.ENGLISH).endsWith(endpoint)) {
+                return;
+            }
         }
+        MessageFormat form = new MessageFormat(SQLServerException.getErrString("R_AKVMasterKeyPathInvalid"));
+        Object[] msgArgs = {masterKeyPath};
+        throw new SQLServerException(null, form.format(msgArgs), null, 0, false);
     }
 }
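Review bot: The suffix test in the new loop has no label boundary, so any host whose name merely ends with one of the strings is accepted — `foovault.azure.net` (constructed example) ends with `vault.azure.net` without being a name under that zone; the old single-domain check had the same gap, but this rewrite is the place to close it. Hoist the lowercased host out of the loop and require either an exact match or a dot-delimited suffix: `final String host = parsedUri.getHost().toLowerCase(Locale.ENGLISH);` before the loop and `if (host.equals(endpoint) || host.endsWith("." + endpoint)) {` inside it. `URI.getHost()` returns null for a syntactically valid URI that has no authority, and nothing in the hunk guards that before `toLowerCase`; if the checks earlier in the method (outside the hunk) do not already guarantee a host, that case should be folded into the same R_AKVMasterKeyPathInvalid failure rather than surfacing as a NullPointerException. ValidateNonEmptyAKVPath begins before this hunk.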