Enable Custom Proxy in WorkloadIdentityCredential (#47041)

* changes to add proxy in wic

* integration with wicbuilder and wic

* review comments

* added wic testcases and some review comments

* unit test

* live testing based updates

* spotless, spotbugs, checkstyle and local server test

* addressed review comments

* updated unit tests

* updated test to not use bouncycastle

* spotless apply

* TC review comment

* move validation to builder

* removed an accidental logging statement

Author: anannya03

sdk/identity/azure-identity/CHANGELOG.md

@@ -3,6 +3,7 @@
 ## 1.19.0-beta.1 (Unreleased)
 
 ### Features Added
+- Added `enableAzureTokenProxy()` method to `WorkloadIdentityCredentialBuilder` to enable custom token proxy support for Azure Kubernetes clusters. When enabled, the credential attempts to use a custom token proxy configured through environment variables (`AZURE_KUBERNETES_TOKEN_PROXY`, `AZURE_KUBERNETES_CA_FILE`, `AZURE_KUBERNETES_CA_DATA`, `AZURE_KUBERNETES_SNI_NAME`).
 
 ### Breaking Changes
 

sdk/identity/azure-identity/src/main/java/com/azure/identity/WorkloadIdentityCredentialBuilder.java

@@ -6,6 +6,9 @@
 import com.azure.core.util.Configuration;
 import com.azure.core.util.CoreUtils;
 import com.azure.core.util.logging.ClientLogger;
+import com.azure.identity.implementation.customtokenproxy.CustomTokenProxyConfiguration;
+import com.azure.identity.implementation.customtokenproxy.CustomTokenProxyHttpClient;
+import com.azure.identity.implementation.customtokenproxy.ProxyConfig;
 import com.azure.identity.implementation.util.ValidationUtil;
 
 import static com.azure.identity.ManagedIdentityCredential.AZURE_FEDERATED_TOKEN_FILE;
@@ -47,6 +50,7 @@
 public class WorkloadIdentityCredentialBuilder extends AadCredentialBuilderBase<WorkloadIdentityCredentialBuilder> {
     private static final ClientLogger LOGGER = new ClientLogger(WorkloadIdentityCredentialBuilder.class);
     private String tokenFilePath;
+    private boolean enableTokenProxy;
 
     /**
      * Creates an instance of a WorkloadIdentityCredentialBuilder.
@@ -66,6 +70,19 @@ public WorkloadIdentityCredentialBuilder tokenFilePath(String tokenFilePath) {
         return this;
     }
 
+    /**
+     * Enables the custom token proxy feature for clusters running in Azure.
+     * When enabled, the credential will attempt to use a custom token proxy configured through
+     * environment variables (AZURE_KUBERNETES_TOKEN_PROXY, AZURE_KUBERNETES_CA_FILE,
+     * AZURE_KUBERNETES_CA_DATA, AZURE_KUBERNETES_SNI_NAME).
+     *
+     * @return An updated instance of this builder with Azure token proxy enabled.
+     */
+    public WorkloadIdentityCredentialBuilder enableAzureTokenProxy() {
+        this.enableTokenProxy = true;
+        return this;
+    }
+
     /**
      * Creates new {@link WorkloadIdentityCredential} with the configured options set.
      *
@@ -88,6 +105,13 @@ public WorkloadIdentityCredential build() {
         ValidationUtil.validate(this.getClass().getSimpleName(), LOGGER, "Client ID", clientIdInput, "Tenant ID",
             tenantIdInput, "Service Token File Path", federatedTokenFilePathInput);
 
+        if (enableTokenProxy) {
+            ProxyConfig proxyConfig = CustomTokenProxyConfiguration.parseAndValidate(configuration);
+            if (proxyConfig != null) {
+                identityClientOptions.setHttpClient(new CustomTokenProxyHttpClient(proxyConfig));
+            }
+        }
+
         return new WorkloadIdentityCredential(tenantIdInput, clientIdInput, federatedTokenFilePathInput,
             identityClientOptions.clone());
     }

sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/SniSslSocketFactory.java

@@ -0,0 +1,86 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.identity.implementation;
+
+import com.azure.core.util.CoreUtils;
+import javax.net.ssl.SNIServerName;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+import java.io.IOException;
+import java.net.Socket;
+import java.nio.charset.StandardCharsets;
+import java.util.Collections;
+import java.net.InetAddress;
+
+public final class SniSslSocketFactory extends SSLSocketFactory {
+    private final SSLSocketFactory sslSocketFactory;
+    private final String sniName;
+
+    public SniSslSocketFactory(SSLSocketFactory sslSocketFactory, String sniName) {
+        this.sslSocketFactory = sslSocketFactory;
+        this.sniName = sniName;
+    }
+
+    @Override
+    public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
+        Socket sslSocket = (SSLSocket) sslSocketFactory.createSocket(s, host, port, autoClose);
+        configureSni(sslSocket);
+        return sslSocket;
+    }
+
+    @Override
+    public Socket createSocket(String host, int port) throws IOException {
+        Socket sslSocket = sslSocketFactory.createSocket(host, port);
+        configureSni(sslSocket);
+        return sslSocket;
+    }
+
+    @Override
+    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort) throws IOException {
+        Socket sslSocket = sslSocketFactory.createSocket(host, port, localAddress, localPort);
+        configureSni(sslSocket);
+        return sslSocket;
+    }
+
+    @Override
+    public Socket createSocket(InetAddress host, int port) throws IOException {
+        Socket sslSocket = sslSocketFactory.createSocket(host, port);
+        configureSni(sslSocket);
+        return sslSocket;
+    }
+
+    @Override
+    public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort)
+        throws IOException {
+        Socket sslSocket = sslSocketFactory.createSocket(address, port, localAddress, localPort);
+        configureSni(sslSocket);
+        return sslSocket;
+    }
+
+    @Override
+    public String[] getDefaultCipherSuites() {
+        return sslSocketFactory.getDefaultCipherSuites();
+    }
+
+    @Override
+    public String[] getSupportedCipherSuites() {
+        return sslSocketFactory.getSupportedCipherSuites();
+    }
+
+    private void configureSni(Socket socket) {
+        if (socket instanceof SSLSocket && !CoreUtils.isNullOrEmpty(sniName)) {
+            SSLSocket sslSocket = (SSLSocket) socket;
+            SSLParameters sslParameters = sslSocket.getSSLParameters();
+            sslParameters.setServerNames(Collections.singletonList(new RawSniServerName(sniName)));
+            sslSocket.setSSLParameters(sslParameters);
+        }
+    }
+
+    private static final class RawSniServerName extends SNIServerName {
+        RawSniServerName(String sniHost) {
+            super(0, sniHost.getBytes(StandardCharsets.UTF_8));
+        }
+    }
+}

sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/customtokenproxy/CustomTokenProxyConfiguration.java

@@ -0,0 +1,102 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.identity.implementation.customtokenproxy;
+
+import com.azure.core.util.logging.ClientLogger;
+
+import java.net.URI;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import java.net.URISyntaxException;
+
+import com.azure.core.util.Configuration;
+import com.azure.core.util.CoreUtils;
+
+public final class CustomTokenProxyConfiguration {
+
+    private static final ClientLogger LOGGER = new ClientLogger(CustomTokenProxyConfiguration.class);
+
+    private static final String AZURE_KUBERNETES_TOKEN_PROXY = "AZURE_KUBERNETES_TOKEN_PROXY";
+    private static final String AZURE_KUBERNETES_CA_FILE = "AZURE_KUBERNETES_CA_FILE";
+    private static final String AZURE_KUBERNETES_CA_DATA = "AZURE_KUBERNETES_CA_DATA";
+    private static final String AZURE_KUBERNETES_SNI_NAME = "AZURE_KUBERNETES_SNI_NAME";
+
+    private CustomTokenProxyConfiguration() {
+    }
+
+    public static ProxyConfig parseAndValidate(Configuration configuration) {
+        String tokenProxyUrl = configuration.get(AZURE_KUBERNETES_TOKEN_PROXY);
+        String caFile = configuration.get(AZURE_KUBERNETES_CA_FILE);
+        String caData = configuration.get(AZURE_KUBERNETES_CA_DATA);
+        String sniName = configuration.get(AZURE_KUBERNETES_SNI_NAME);
+
+        if (CoreUtils.isNullOrEmpty(tokenProxyUrl)) {
+            if (!CoreUtils.isNullOrEmpty(sniName)
+                || !CoreUtils.isNullOrEmpty(caFile)
+                || !CoreUtils.isNullOrEmpty(caData)) {
+                throw LOGGER.logExceptionAsError(new IllegalArgumentException(
+                    "AZURE_KUBERNETES_TOKEN_PROXY is not set but other custom endpoint-related environment variables are present"));
+            }
+            return null;
+        }
+
+        if (!CoreUtils.isNullOrEmpty(caFile) && !CoreUtils.isNullOrEmpty(caData)) {
+            throw LOGGER.logExceptionAsError(new IllegalArgumentException(
+                "Only one of AZURE_KUBERNETES_CA_FILE or AZURE_KUBERNETES_CA_DATA can be set."));
+        }
+
+        URL proxyUrl = validateProxyUrl(tokenProxyUrl);
+
+        byte[] caCertBytes = null;
+        if (!CoreUtils.isNullOrEmpty(caData)) {
+            caCertBytes = caData.getBytes(StandardCharsets.UTF_8);
+        }
+
+        ProxyConfig config = new ProxyConfig(proxyUrl, sniName, caFile, caCertBytes);
+        return config;
+    }
+
+    private static URL validateProxyUrl(String endpoint) {
+        if (CoreUtils.isNullOrEmpty(endpoint)) {
+            throw LOGGER.logExceptionAsError(new IllegalArgumentException("Proxy endpoint cannot be null or empty"));
+        }
+
+        try {
+            URI tokenProxy = new URI(endpoint);
+
+            if (!"https".equals(tokenProxy.getScheme())) {
+                throw LOGGER.logExceptionAsError(new IllegalArgumentException(
+                    "Custom token endpoint must use https scheme, got: " + tokenProxy.getScheme()));
+            }
+
+            if (tokenProxy.getRawUserInfo() != null) {
+                throw LOGGER.logExceptionAsError(
+                    new IllegalArgumentException("Custom token endpoint URL must not contain user info: " + endpoint));
+            }
+
+            if (tokenProxy.getRawQuery() != null) {
+                throw LOGGER.logExceptionAsError(
+                    new IllegalArgumentException("Custom token endpoint URL must not contain a query: " + endpoint));
+            }
+
+            if (tokenProxy.getRawFragment() != null) {
+                throw LOGGER.logExceptionAsError(
+                    new IllegalArgumentException("Custom token endpoint URL must not contain a fragment: " + endpoint));
+            }
+
+            if (tokenProxy.getRawPath() == null || tokenProxy.getRawPath().isEmpty()) {
+                tokenProxy = new URI(tokenProxy.getScheme(), null, tokenProxy.getHost(), tokenProxy.getPort(), "/",
+                    null, null);
+            }
+
+            return tokenProxy.toURL();
+
+        } catch (URISyntaxException | IllegalArgumentException e) {
+            throw LOGGER.logExceptionAsError(new IllegalArgumentException("Failed to normalize proxy URL path", e));
+        } catch (Exception e) {
+            throw new RuntimeException("Unexpected error while validating proxy URL: " + endpoint, e);
+        }
+    }
+
+}