Added support for token authentication for HTTPS requests

Author: zezha-msft

ChangeLog.txt

@@ -1,4 +1,6 @@
-XXXX.XX.XX Version X.X.X
+2018.05.07 Version 7.1.0
+ * Support for 2017-11-09 REST version. Please see our REST API documentation and blogs for information about the related added features.
+ * Added OAuth token support for authentication with HTTPS requests.
  * Support for write-once read-many containers.
 
 2018.02.05 Version 7.0.0

microsoft-azure-storage-test/res/TestConfigurations.xml

@@ -26,6 +26,9 @@
     <BlobServiceSecondaryEndpoint>http://[ACCOUNT]-secondary.blob.core.windows.net</BlobServiceSecondaryEndpoint>
     <QueueServiceSecondaryEndpoint>http://[ACCOUNT]-secondary.queue.core.windows.net</QueueServiceSecondaryEndpoint>
     <TableServiceSecondaryEndpoint>http://[ACCOUNT]-secondary.table.core.windows.net</TableServiceSecondaryEndpoint>
+    <ActiveDirectoryApplicationId>[APPLICATION_ID]</ActiveDirectoryApplicationId>
+    <ActiveDirectoryApplicationSecret>[APPLICATION_SECRET]</ActiveDirectoryApplicationSecret>
+    <ActiveDirectoryTenantId>[TENANT_ID]</ActiveDirectoryTenantId>
   </TenantConfiguration>
 </TenantConfigurations>
 </TestConfigurations>

microsoft-azure-storage-test/src/com/microsoft/azure/storage/OAuthTests.java

@@ -0,0 +1,81 @@
+package com.microsoft.azure.storage;
+
+import com.microsoft.azure.storage.blob.CloudBlobClient;
+import com.microsoft.azure.storage.queue.CloudQueueClient;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+import javax.naming.ServiceUnavailableException;
+import java.net.MalformedURLException;
+import java.net.URISyntaxException;
+import java.util.concurrent.ExecutionException;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+/**
+ * OAuth tests.
+ */
+public class OAuthTests {
+    /**
+     * Test OAuth with respect to blob client
+     */
+    @Test
+    @Category({ TestRunners.DevFabricTests.class, TestRunners.DevStoreTests.class, TestRunners.CloudTests.class })
+    public void testOAuthTokenWithBlobClient() throws StorageException, URISyntaxException, MalformedURLException, InterruptedException, ExecutionException, ServiceUnavailableException {
+        // get the standard test account
+        CloudStorageAccount account = TestHelper.getAccount();
+
+        // create a token credential and replace the account's credential
+        StorageCredentialsToken storageCredentialsToken = new StorageCredentialsToken(TestHelper.getAccountName(), TestHelper.generateOAuthToken());
+        account.setCredentials(storageCredentialsToken);
+
+        // test to make sure authentication is working
+        CloudBlobClient blobClient = account.createCloudBlobClient();
+        blobClient.downloadServiceProperties();
+
+        // change the token to see it fail
+        try {
+            storageCredentialsToken.updateToken("BLA");
+            blobClient.downloadServiceProperties();
+            fail();
+        } catch (StorageException e) {
+            assertEquals("AuthenticationFailed", e.getErrorCode());
+        }
+
+        // change the token again to see it succeed
+        storageCredentialsToken.updateToken(TestHelper.generateOAuthToken());
+        blobClient.downloadServiceProperties();
+    }
+
+    /**
+     * Test OAuth with respect to queue client
+     */
+    @Test
+    @Category({ TestRunners.DevFabricTests.class, TestRunners.DevStoreTests.class, TestRunners.CloudTests.class })
+    public void testOAuthTokenWithQueueClient() throws StorageException, URISyntaxException, MalformedURLException, InterruptedException, ExecutionException, ServiceUnavailableException {
+        // get the standard test account
+        CloudStorageAccount account = TestHelper.getAccount();
+
+        // create a token credential and replace the account's credential
+        StorageCredentialsToken storageCredentialsToken = new StorageCredentialsToken(TestHelper.getAccountName(), TestHelper.generateOAuthToken());
+        account.setCredentials(storageCredentialsToken);
+
+        // test to make sure authentication is working
+        CloudQueueClient queueClient = account.createCloudQueueClient();
+        queueClient.downloadServiceProperties();
+
+        // change the token to see it fail
+        try {
+            storageCredentialsToken.updateToken("BLA");
+            queueClient.downloadServiceProperties();
+            fail();
+        } catch (StorageException e) {
+            assertEquals("AuthenticationFailed", e.getErrorCode());
+        }
+
+        // change the token again to see it succeed
+        storageCredentialsToken.updateToken(TestHelper.generateOAuthToken());
+        queueClient.downloadServiceProperties();
+    }
+}

microsoft-azure-storage-test/src/com/microsoft/azure/storage/Tenant.java

@@ -32,6 +32,9 @@ public class Tenant {
     private Integer fileHttpsPortOverride = null;
     private Integer queueHttpsPortOverride = null;
     private Integer tableHttpsPortOverride = null;
+    private String activeDirectoryApplicationId;
+    private String activeDirectoryApplicationSecret;
+    private String activeDirectoryTenantId;
 
     public String getTenantName() {
         return this.tenantName;
@@ -92,7 +95,31 @@ public Integer getQueueHttpsPortOverride() {
     public Integer getTableHttpsPortOverride() {
         return this.tableHttpsPortOverride;
     }
-    
+
+    public String getActiveDirectoryApplicationId() {
+        return this.activeDirectoryApplicationId;
+    }
+
+    public String getActiveDirectoryApplicationSecret() {
+        return this.activeDirectoryApplicationSecret;
+    }
+
+    public String getActiveDirectoryTenantId() {
+        return this.activeDirectoryTenantId;
+    }
+
+    public void setActiveDirectoryApplicationId(String activeDirectoryApplicationId) {
+        this.activeDirectoryApplicationId = activeDirectoryApplicationId;
+    }
+
+    public void setActiveDirectoryApplicationSecret(String activeDirectoryApplicationSecret) {
+        this.activeDirectoryApplicationSecret = activeDirectoryApplicationSecret;
+    }
+
+    public void setActiveDirectoryTenantId(String activeDirectoryTenantId) {
+        this.activeDirectoryTenantId = activeDirectoryTenantId;
+    }
+
     void setTenantName(String tenantName) {
         this.tenantName = tenantName;
     }

microsoft-azure-storage-test/src/com/microsoft/azure/storage/TestHelper.java

@@ -21,6 +21,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
+import java.net.MalformedURLException;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
@@ -32,14 +33,22 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Random;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
 
 import javax.crypto.KeyGenerator;
 import javax.crypto.NoSuchPaddingException;
 import javax.crypto.SecretKey;
+import javax.naming.ServiceUnavailableException;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 
+import com.microsoft.aad.adal4j.AuthenticationContext;
+import com.microsoft.aad.adal4j.AuthenticationResult;
+import com.microsoft.aad.adal4j.ClientCredential;
 import org.junit.AssumptionViolatedException;
 import org.w3c.dom.DOMException;
 import org.w3c.dom.Document;
@@ -67,6 +76,47 @@ public class TestHelper {
     private final static boolean enableFiddler = false;
     private final static boolean requireSecondaryEndpoint = false;
 
+    public static String generateOAuthToken() throws MalformedURLException, InterruptedException, ExecutionException, ServiceUnavailableException, StorageException {
+        // if the test configuration has not been read in yet, trigger a getAccount to read in the information
+        if(tenant == null) {
+            getAccount();
+        }
+
+        // this boiler plate code is from the ADAL sample
+        String authority = String.format("https://login.microsoftonline.com/%s/oauth2/token",
+                tenant.getActiveDirectoryTenantId());
+        ClientCredential credential = new ClientCredential(tenant.getActiveDirectoryApplicationId(),
+                tenant.getActiveDirectoryApplicationSecret());
+
+        ExecutorService service = null;
+        AuthenticationResult result;
+
+        try {
+            service = Executors.newFixedThreadPool(1);
+            AuthenticationContext context = new AuthenticationContext(authority, true, service);
+            Future<AuthenticationResult> future = context.acquireToken("https://storage.azure.com", credential, null);
+            result = future.get();
+        } finally {
+            if(service != null) {
+                service.shutdown();
+            }
+        }
+
+        if (result == null) {
+            throw new ServiceUnavailableException("authentication result was null");
+        }
+        return result.getAccessToken();
+    }
+
+    public static String getAccountName() throws StorageException {
+        // if the test configuration has not been read in yet, trigger a getAccount to read in the information
+        if(tenant == null) {
+            getAccount();
+        }
+
+        return tenant.getAccountName();
+    }
+
     public static CloudBlobClient createCloudBlobClient() throws StorageException {
         CloudBlobClient client = getAccount().createCloudBlobClient();
         return client;
@@ -305,7 +355,7 @@ public static void verifyServiceStats(ServiceStats stats) {
         }
     }
 
-    private static CloudStorageAccount getAccount() throws StorageException {
+    public static CloudStorageAccount getAccount() throws StorageException {
         // Only do this the first time TestBase is called as storage account is static
         if (account == null) {
             //enable fiddler
@@ -502,6 +552,15 @@ else if (name.equals("TableHttpsPortOverride")) {
                         else if (name.equals("FileHttpsPortOverride")) {
                             tenant.setFileHttpsPortOverride(Integer.parseInt(node.getTextContent()));
                         }
+                        else if (name.equals("ActiveDirectoryApplicationId")) {
+                            tenant.setActiveDirectoryApplicationId(node.getTextContent());
+                        }
+                        else if (name.equals("ActiveDirectoryApplicationSecret")) {
+                            tenant.setActiveDirectoryApplicationSecret(node.getTextContent());
+                        }
+                        else if (name.equals("ActiveDirectoryTenantId")) {
+                            tenant.setActiveDirectoryTenantId(node.getTextContent());
+                        }
                         else if (!premiumBlob){
                             throw new IllegalArgumentException(String.format(
                                     "Invalid child of TenantConfiguration with name: %s", name));

microsoft-azure-storage/src/com/microsoft/azure/storage/CloudStorageAccount.java

@@ -46,6 +46,11 @@ public final class CloudStorageAccount {
      */
     protected static final String ACCOUNT_KEY_NAME = "AccountKey";
 
+    /**
+     * Represents the setting name for the token credential.
+     */
+    protected static final String ACCOUNT_TOKEN_NAME = "AccountToken";
+
     /**
      * Represents the setting name for the account name.
      */

microsoft-azure-storage/src/com/microsoft/azure/storage/Constants.java

@@ -314,6 +314,11 @@ public static class HeaderConstants {
          */
         public static final String AUTHORIZATION = "Authorization";
 
+        /**
+         * The keyword used for bearer token authorization.
+         */
+        public static final String BEARER = "Bearer";
+
         /**
          * The format string for specifying ranges with only begin offset.
          */

microsoft-azure-storage/src/com/microsoft/azure/storage/StorageCredentials.java

@@ -25,7 +25,7 @@
 
 /**
  * Represents a set of credentials used to authenticate access to a Microsoft Azure storage account. This is the base
- * class for the {@link StorageCredentialsAccountAndKey} and {@link StorageCredentialsSharedAccessSignature} classes.
+ * class for the {@link StorageCredentialsAccountAndKey}, {@link StorageCredentialsToken}, and {@link StorageCredentialsSharedAccessSignature} classes.
  */
 public abstract class StorageCredentials {
 

microsoft-azure-storage/src/com/microsoft/azure/storage/StorageCredentialsToken.java

@@ -0,0 +1,96 @@
+package com.microsoft.azure.storage;
+
+import java.net.URI;
+
+/**
+ * Represents storage account credentials, based on an authentication token, for accessing the Microsoft Azure
+ * storage services.
+ */
+public final class StorageCredentialsToken extends StorageCredentials{
+    /**
+     * Stores the token for the credentials.
+     */
+    private volatile String token;
+
+    /**
+     * Stores the account name.
+     */
+    private volatile String accountName;
+
+    /**
+     * Creates an instance of the <code>StorageCredentialsToken</code> class, using the specified token.
+     * Token credentials must only be used with HTTPS requests on the blob and queue services.
+     * The specified token is stored as a <code>String</code>.
+     *
+     * @param token
+     *            A <code>String</code> that represents the token.
+     */
+    public StorageCredentialsToken(String accountName, String token) {
+        this.accountName = accountName;
+        this.token = token;
+    }
+
+    /**
+     * Gets whether this <code>StorageCredentials</code> object only allows access via HTTPS.
+     *
+     * @return A <code>boolean</code> representing whether this <code>StorageCredentials</code>
+     *         object only allows access via HTTPS.
+     */
+    @Override
+    public boolean isHttpsOnly() {
+        return true;
+    }
+
+    /**
+     * Gets the token.
+     *
+     * @return A <code>String</code> that contains the token.
+     */
+    public String getToken() {
+        return this.token;
+    }
+
+    /**
+     * Sets the token to be used when authenticating HTTPS requests.
+     *
+     * @param token
+     *        A <code>String</code> that represents the access token to be used when authenticating HTTPS requests.
+     */
+    public synchronized void updateToken(final String token) {
+        this.token = token;
+    }
+
+    /**
+     * Gets the account name.
+     *
+     * @return A <code>String</code> that contains the account name.
+     */
+    @Override
+    public String getAccountName() {
+        return this.accountName;
+    }
+
+    /**
+     * Returns a <code>String</code> that represents this instance, optionally including sensitive data.
+     *
+     * @param exportSecrets
+     *            <code>true</code> to include sensitive data in the return string; otherwise, <code>false</code>.
+     *
+     * @return A <code>String</code> that represents this object, optionally including sensitive data.
+     */
+    @Override
+    public String toString(final boolean exportSecrets) {
+        return String.format("%s=%s", CloudStorageAccount.ACCOUNT_TOKEN_NAME, exportSecrets ? this.token
+                        : "[token hidden]");
+    }
+
+    @Override
+    public URI transformUri(URI resourceUri, OperationContext opContext) {
+        return resourceUri;
+    }
+
+    @Override
+    public StorageUri transformUri(StorageUri resourceUri, OperationContext opContext) {
+        return resourceUri;
+    }
+}