Enable Azure Key Vault IT (#10142)

- Add Lowkey Vault Client dependency to be able to use custom HTTP client during tests
- Reconfigure SecretClient to use custom HTTP client and accept self-signed cert
- Enable previously disabled test

Signed-off-by: Esta Nagy <nagyesta@gmail.com>

catalog/secrets/azure/build.gradle.kts

@@ -44,6 +44,7 @@ dependencies {
   intTestImplementation("org.testcontainers:testcontainers")
   intTestImplementation("org.testcontainers:junit-jupiter")
   intTestImplementation(libs.lowkey.vault.testcontainers)
+  intTestImplementation(libs.lowkey.vault.client)
   intTestImplementation(project(":nessie-container-spec-helper"))
   intTestRuntimeOnly(libs.logback.classic)
 }

catalog/secrets/azure/src/intTest/java/org/projectnessie/catalog/secrets/azure/ITAzureSecretsProvider.java

@@ -15,25 +15,28 @@
  */
 package org.projectnessie.catalog.secrets.azure;
 
-import static java.lang.String.format;
 import static org.assertj.core.api.InstanceOfAssertFactories.type;
 import static org.projectnessie.catalog.secrets.BasicCredentials.basicCredentials;
 import static org.projectnessie.catalog.secrets.KeySecret.keySecret;
 import static org.projectnessie.catalog.secrets.TokenSecret.tokenSecret;
 
-import com.azure.identity.UsernamePasswordCredentialBuilder;
+import com.azure.core.credential.BasicAuthenticationCredential;
+import com.azure.core.credential.TokenCredential;
 import com.azure.security.keyvault.secrets.SecretAsyncClient;
 import com.azure.security.keyvault.secrets.SecretClientBuilder;
+import com.github.nagyesta.lowkeyvault.http.ApacheHttpClient;
+import com.github.nagyesta.lowkeyvault.http.AuthorityOverrideFunction;
 import com.github.nagyesta.lowkeyvault.testcontainers.LowkeyVaultContainer;
 import com.github.nagyesta.lowkeyvault.testcontainers.LowkeyVaultContainerBuilder;
 import java.time.Duration;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.Set;
+import org.apache.http.conn.ssl.DefaultHostnameVerifier;
+import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
 import org.assertj.core.api.SoftAssertions;
 import org.assertj.core.api.junit.jupiter.InjectSoftAssertions;
 import org.assertj.core.api.junit.jupiter.SoftAssertionsExtension;
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.projectnessie.catalog.secrets.BasicCredentials;
@@ -48,8 +51,6 @@
 
 @Testcontainers
 @ExtendWith(SoftAssertionsExtension.class)
-@Disabled(
-    "Azure SecretClient requires an SSL connection, verifying the server certificates, which needs to used by the test container and trusted by the client. No way around it.")
 public class ITAzureSecretsProvider {
   private static final Logger LOGGER = LoggerFactory.getLogger(ITAzureSecretsProvider.class);
 
@@ -71,15 +72,23 @@ public class ITAzureSecretsProvider {
 
   @Test
   public void azureSecrets() {
+    final String endpoint = lowkeyVault.getVaultBaseUrl("default");
+    final AuthorityOverrideFunction authorityOverrideFunction =
+        new AuthorityOverrideFunction(
+            lowkeyVault.getVaultAuthority("default"), lowkeyVault.getEndpointAuthority());
+    final TokenCredential credentials =
+        new BasicAuthenticationCredential(lowkeyVault.getUsername(), lowkeyVault.getPassword());
+    final ApacheHttpClient httpClient =
+        new ApacheHttpClient(
+            authorityOverrideFunction,
+            new TrustSelfSignedStrategy(),
+            new DefaultHostnameVerifier());
     SecretAsyncClient client =
         new SecretClientBuilder()
-            .vaultUrl(format("https://%s.localhost:%d", "default", lowkeyVault.getMappedPort(8443)))
-            .credential(
-                new UsernamePasswordCredentialBuilder()
-                    .clientId("ITAzureSecretsSupplier")
-                    .username(lowkeyVault.getUsername())
-                    .password(lowkeyVault.getPassword())
-                    .build())
+            .vaultUrl(endpoint)
+            .credential(credentials)
+            .httpClient(httpClient)
+            .disableChallengeResourceVerification()
             .buildAsyncClient();
 
     String instantStr = "2024-06-05T20:38:16Z";

catalog/secrets/azure/src/main/java/org/projectnessie/catalog/secrets/azure/AzureSecretsManager.java

@@ -21,6 +21,7 @@
 import com.azure.security.keyvault.secrets.SecretAsyncClient;
 import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
 import java.time.Duration;
+import java.util.Optional;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeoutException;
@@ -57,7 +58,9 @@ protected String resolveSecretString(String name) {
                 });
 
     try {
-      return future.get(timeout, MILLISECONDS).getValue();
+      return Optional.ofNullable(future.get(timeout, MILLISECONDS))
+          .map(KeyVaultSecret::getValue)
+          .orElse(null);
     } catch (InterruptedException | ExecutionException | TimeoutException e) {
       throw new RuntimeException(e);
     }

gradle/libs.versions.toml

@@ -103,6 +103,7 @@ junit-platform-reporting = { module = "org.junit.platform:junit-platform-reporti
 kafka-clients = { module = "org.apache.kafka:kafka-clients", version.ref = "kafka" }
 logback-classic = { module = "ch.qos.logback:logback-classic", version.ref = "logback" }
 lowkey-vault-testcontainers = { module = "com.github.nagyesta.lowkey-vault:lowkey-vault-testcontainers", version = "2.6.0" }
+lowkey-vault-client = { module = "com.github.nagyesta.lowkey-vault:lowkey-vault-client", version = "2.6.0" }
 keycloak-admin-client = { module = "org.keycloak:keycloak-admin-client", version.ref = "keycloak" }
 mariadb-java-client = { module = "org.mariadb.jdbc:mariadb-java-client", version = "3.5.1" }
 maven-resolver-supplier = { module = "org.apache.maven.resolver:maven-resolver-supplier", version.ref = "mavenResolver" }