Feature | Added support for authentication to Azure Key Vault using Managed Identity

azure-pipelines.yml

@@ -10,10 +10,10 @@ jobs:
     matrix:
       SQL-2019:
         Target_SQL: 'HGS-2k19-01'
-        Ex_Groups: 'xSQLv15,clientCertAuth'
+        Ex_Groups: 'xSQLv15,MSI,clientCertAuth'
       SQL-2012:
         Target_SQL: 'SQL-2K12-SP3-1'
-        Ex_Groups: 'xSQLv12'
+        Ex_Groups: 'xSQLv12,MSI'
     maxParallel: 2
   steps:
   - powershell: |

pom.xml

@@ -54,7 +54,7 @@
 			clientCertAuth  - - For tests requiring client certificate authentication setup (excluded by default)
 			- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
 			Default testing enabled with SQL Server 2019 (SQLv15) -->
-		<excludedGroups>xSQLv15, NTLM, reqExternalSetup, clientCertAuth</excludedGroups>
+		<excludedGroups>xSQLv15,NTLM,MSI,reqExternalSetup,clientCertAuth</excludedGroups>
 
 		<!-- Use -preview for preview release, leave empty for official release.-->
 		<releaseExt>-preview</releaseExt>

src/main/java/com/microsoft/sqlserver/jdbc/ISQLServerDataSource.java

@@ -851,6 +851,25 @@ public interface ISQLServerDataSource extends javax.sql.CommonDataSource {
      */
     String getMSIClientId();
 
+    /**
+     * Sets the value for the connection property 'keyStorePrincipalId'.
+     * 
+     * @param keyStorePrincipalId
+     * 
+     *        <pre>
+     *        When keyStoreAuthentication = keyVaultClientSecret, set this value to a valid Azure Active Directory Application Client ID.
+     *        When keyStoreAuthentication = keyVaultManagedIdentity, set this value to a valid Azure Active Directory Application Object ID (optional, for user-assigned only).
+     *        </pre>
+     */
+    void setKeyStorePrincipalId(String keyStorePrincipalId);
+
+    /**
+     * Returns the value for the connection property 'keyStorePrincipalId'.
+     * 
+     * @return keyStorePrincipalId
+     */
+    String getKeyStorePrincipalId();
+
     /**
      * Sets the Azure Key Vault (AKV) Provider Client Id to provided value to be used for column encryption.
      * 

src/main/java/com/microsoft/sqlserver/jdbc/KeyVaultCredential.java

@@ -27,6 +27,12 @@ class KeyVaultCredential extends KeyVaultCredentials {
     String clientKey = null;
     String accessToken = null;
 
+    KeyVaultCredential(String clientId) throws SQLServerException {
+        this.clientId = clientId;
+    }
+
+    KeyVaultCredential() {}
+
     KeyVaultCredential(String clientId, String clientKey) {
         this.clientId = clientId;
         this.clientKey = clientKey;
@@ -37,11 +43,20 @@ class KeyVaultCredential extends KeyVaultCredentials {
     }
 
     public String doAuthenticate(String authorization, String resource, String scope) {
-        String accessToken;
+        String accessToken = null;
         if (null == authenticationCallback) {
-            AuthenticationResult token = getAccessTokenFromClientCredentials(authorization, resource, clientId,
-                    clientKey);
-            accessToken = token.getAccessToken();
+            if (null == clientKey) {
+                try {
+                    SqlFedAuthToken token = SQLServerSecurityUtility.getMSIAuthToken(resource, clientId);
+                    accessToken = (null != token) ? token.accessToken : null;
+                } catch (Exception e) {
+                    throw new RuntimeException(e);
+                }
+            } else {
+                AuthenticationResult token = getAccessTokenFromClientCredentials(authorization, resource, clientId,
+                        clientKey);
+                accessToken = token.getAccessToken();
+            }
         } else {
             accessToken = authenticationCallback.getAccessToken(authorization, resource, scope);
         }

src/main/java/com/microsoft/sqlserver/jdbc/SQLServerColumnEncryptionAzureKeyVaultProvider.java

@@ -83,6 +83,22 @@ public String getName() {
         return this.name;
     }
 
+    /**
+     * Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a client id and client key to authenticate to
+     * AAD. This is used by KeyVaultClient at runtime to authenticate to Azure Key Vault.
+     * 
+     * @param clientId
+     *        Identifier of the client requesting the token.
+     * @param clientKey
+     *        Key of the client requesting the token.
+     * @throws SQLServerException
+     *         when an error occurs
+     */
+    public SQLServerColumnEncryptionAzureKeyVaultProvider(String clientId, String clientKey) throws SQLServerException {
+        credentials = new KeyVaultCredential(clientId, clientKey);
+        keyVaultClient = new KeyVaultClient(credentials);
+    }
+
     /**
      * Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a callback function to authenticate to AAD and
      * an executor service.. This is used by KeyVaultClient at runtime to authenticate to Azure Key Vault.
@@ -129,23 +145,34 @@ public SQLServerColumnEncryptionAzureKeyVaultProvider(
     }
 
     /**
-     * Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider with a client id and client key to authenticate to
-     * AAD. This is used by KeyVaultClient at runtime to authenticate to Azure Key Vault.
+     * Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider to authenticate to AAD. This is used by
+     * KeyVaultClient at runtime to authenticate to Azure Key Vault.
      * 
+     * @throws SQLServerException
+     *         when an error occurs
+     */
+    SQLServerColumnEncryptionAzureKeyVaultProvider() throws SQLServerException {
+        credentials = new KeyVaultCredential();
+        keyVaultClient = new KeyVaultClient(credentials);
+    }
+
+    /**
+     * Constructs a SQLServerColumnEncryptionAzureKeyVaultProvider to authenticate to AAD. This is used by
+     * KeyVaultClient at runtime to authenticate to Azure Key Vault.
+     *
      * @param clientId
      *        Identifier of the client requesting the token.
-     * @param clientKey
-     *        Key of the client requesting the token.
+     * 
      * @throws SQLServerException
      *         when an error occurs
      */
-    public SQLServerColumnEncryptionAzureKeyVaultProvider(String clientId, String clientKey) throws SQLServerException {
-        credentials = new KeyVaultCredential(clientId, clientKey);
+    SQLServerColumnEncryptionAzureKeyVaultProvider(String clientId) throws SQLServerException {
+        credentials = new KeyVaultCredential(clientId);
         keyVaultClient = new KeyVaultClient(credentials);
     }
 
     /**
-     * Decryptes an encrypted CEK with RSA encryption algorithm using the asymmetric key specified by the key path
+     * Decrypts an encrypted CEK with RSA encryption algorithm using the asymmetric key specified by the key path
      * 
      * @param masterKeyPath
      *        - Complete path of an asymmetric key in AKV