Imdsv2: Generate CSR and execute CSR request

src/client/Microsoft.Identity.Client/ManagedIdentity/CsrRequest.cs

@@ -0,0 +1,41 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+
+namespace Microsoft.Identity.Client.ManagedIdentity
+{
+    internal class CsrRequest
+    {
+        public string Pem { get; }
+
+        public CsrRequest(string pem)
+        {
+            Pem = pem ?? throw new ArgumentNullException(nameof(pem));
+        }
+
+        /// <summary>
+        /// Generates a CSR for the given client, tenant, and CUID info.
+        /// </summary>
+        /// <param name="clientId">Managed Identity client_id.</param>
+        /// <param name="tenantId">AAD tenant_id.</param>
+        /// <param name="cuid">CuidInfo object containing VMID and VMSSID.</param>
+        /// <returns>CsrRequest containing the PEM CSR.</returns>
+        public static CsrRequest Generate(string clientId, string tenantId, CuidInfo cuid)
+        {
+            if (string.IsNullOrWhiteSpace(clientId))
+                throw new ArgumentException("clientId must not be null or empty.", nameof(clientId));
+            if (string.IsNullOrWhiteSpace(tenantId))
+                throw new ArgumentException("tenantId must not be null or empty.", nameof(tenantId));
+            if (cuid == null)
+                throw new ArgumentNullException(nameof(cuid));
+            if (string.IsNullOrWhiteSpace(cuid.Vmid))
+                throw new ArgumentException("cuid.Vmid must not be null or empty.", nameof(cuid.Vmid));
+            if (string.IsNullOrWhiteSpace(cuid.Vmssid))
+                throw new ArgumentException("cuid.Vmssid must not be null or empty.", nameof(cuid.Vmssid));
+
+            // TODO: Implement the actual CSR generation logic.
+            return new CsrRequest("pem");
+        }
+    }
+}

src/client/Microsoft.Identity.Client/ManagedIdentity/CsrRequestResponse.cs

@@ -0,0 +1,53 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#if SUPPORTS_SYSTEM_TEXT_JSON
+    using JsonProperty = System.Text.Json.Serialization.JsonPropertyNameAttribute;
+#else
+using Microsoft.Identity.Client.Utils;
+using Microsoft.Identity.Json;
+#endif
+
+namespace Microsoft.Identity.Client.ManagedIdentity
+{
+    /// <summary>
+    /// Represents the response for a Managed Identity CSR request.
+    /// </summary>
+    internal class CsrRequestResponse
+    {
+        [JsonProperty("client_id")]
+        public string ClientId { get; }
+
+        [JsonProperty("tenant_id")]
+        public string TenantId { get; }
+
+        [JsonProperty("client_credential")]
+        public string ClientCredential { get; }
+
+        [JsonProperty("regional_token_url")]
+        public string RegionalTokenUrl { get; }
+
+        [JsonProperty("expires_in")]
+        public int ExpiresIn { get; }
+
+        [JsonProperty("refresh_in")]
+        public int RefreshIn { get; }
+
+        public CsrRequestResponse() { }
+
+        public static bool ValidateCsrRequestResponse(CsrRequestResponse csrRequestResponse)
+        {
+            if (string.IsNullOrEmpty(csrRequestResponse.ClientId) ||
+                string.IsNullOrEmpty(csrRequestResponse.TenantId) ||
+                string.IsNullOrEmpty(csrRequestResponse.ClientCredential) ||
+                string.IsNullOrEmpty(csrRequestResponse.RegionalTokenUrl) ||
+                csrRequestResponse.ExpiresIn <= 0 ||
+                csrRequestResponse.RefreshIn <= 0)
+            {
+                return false;
+            }
+
+            return true;
+        }
+    }
+}

src/client/Microsoft.Identity.Client/ManagedIdentity/ImdsV2ManagedIdentitySource.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Collections.Generic;
 using System.Net;
+using System.Net.Http;
 using System.Threading.Tasks;
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.Http;
@@ -16,6 +17,7 @@ namespace Microsoft.Identity.Client.ManagedIdentity
     internal class ImdsV2ManagedIdentitySource : AbstractManagedIdentity
     {
         private const string CsrMetadataPath = "/metadata/identity/getPlatformMetadata";
+        private const string CsrRequestPath = "/metadata/identity/issuecredential";
 
         public static async Task<CsrMetadata> GetCsrMetadataAsync(
             RequestContext requestContext,
@@ -29,7 +31,7 @@ public static async Task<CsrMetadata> GetCsrMetadataAsync(
                 requestContext.Logger);
             if (userAssignedIdQueryParam != null)
             {
-                queryParams += $"{userAssignedIdQueryParam.Value.Key}={userAssignedIdQueryParam.Value.Value}";
+                queryParams += $"&{userAssignedIdQueryParam.Value.Key}={userAssignedIdQueryParam.Value.Value}";
             }
 
             var headers = new Dictionary<string, string>
@@ -41,7 +43,6 @@ public static async Task<CsrMetadata> GetCsrMetadataAsync(
             IRetryPolicyFactory retryPolicyFactory = requestContext.ServiceBundle.Config.RetryPolicyFactory;
             IRetryPolicy retryPolicy = retryPolicyFactory.GetRetryPolicy(RequestType.CsrMetadataProbe);
 
-            // CSR metadata GET request
             HttpResponse response = null;
 
             try
@@ -50,7 +51,7 @@ public static async Task<CsrMetadata> GetCsrMetadataAsync(
                     ImdsManagedIdentitySource.GetValidatedEndpoint(requestContext.Logger, CsrMetadataPath, queryParams),
                     headers,
                     body: null,
-                    method: System.Net.Http.HttpMethod.Get,
+                    method: HttpMethod.Get,
                     logger: requestContext.Logger,
                     doNotThrow: false,
                     mtlsCertificate: null,
@@ -194,8 +195,75 @@ public static AbstractManagedIdentity Create(RequestContext requestContext)
         internal ImdsV2ManagedIdentitySource(RequestContext requestContext) :
             base(requestContext, ManagedIdentitySource.ImdsV2) { }
 
+        private async Task<CsrRequestResponse> ExecuteCsrRequestAsync(
+            RequestContext requestContext,
+            string queryParams,
+            string pem)
+        {
+            var headers = new Dictionary<string, string>
+            {
+                { "Metadata", "true" },
+                { "x-ms-client-request-id", requestContext.CorrelationId.ToString() }
+            };
+
+            IRetryPolicyFactory retryPolicyFactory = requestContext.ServiceBundle.Config.RetryPolicyFactory;
+            IRetryPolicy retryPolicy = retryPolicyFactory.GetRetryPolicy(RequestType.Imds);
+
+            HttpResponse response = null;
+
+            try
+            {
+                response = await requestContext.ServiceBundle.HttpManager.SendRequestAsync(
+                    ImdsManagedIdentitySource.GetValidatedEndpoint(requestContext.Logger, CsrRequestPath, queryParams),
+                    headers,
+                    body: new StringContent($"{{\"pem\":\"{pem}\"}}", System.Text.Encoding.UTF8, "application/json"),
+                    method: HttpMethod.Post,
+                    logger: requestContext.Logger,
+                    doNotThrow: false,
+                    mtlsCertificate: null,
+                    validateServerCertificate: null,
+                    cancellationToken: requestContext.UserCancellationToken,
+                    retryPolicy: retryPolicy)
+                .ConfigureAwait(false);
+            }
+            catch (Exception ex)
+            {
+                throw MsalServiceExceptionFactory.CreateManagedIdentityException(
+                    MsalError.ManagedIdentityRequestFailed,
+                    $"[ImdsV2] ImdsV2ManagedIdentitySource.ExecuteCsrRequest failed.",
+                    ex,
+                    ManagedIdentitySource.ImdsV2,
+                    (int)response.StatusCode);
+            }
+
+            var csrRequestResponse = JsonHelper.DeserializeFromJson<CsrRequestResponse>(response.Body);
+            if (!CsrRequestResponse.ValidateCsrRequestResponse(csrRequestResponse))
+            {
+                throw MsalServiceExceptionFactory.CreateManagedIdentityException(
+                    MsalError.ManagedIdentityRequestFailed,
+                    $"[ImdsV2] ImdsV2ManagedIdentitySource.GetCsrMetadataAsync failed because the CsrMetadata response is invalid. Status code: {response.StatusCode} Body: {response.Body}",
+                    null,
+                    ManagedIdentitySource.ImdsV2,
+                    (int)response.StatusCode);
+            }
+
+            return csrRequestResponse;
+        }
+
         protected override ManagedIdentityRequest CreateRequest(string resource)
         {
+            var csrMetadata = GetCsrMetadataAsync(_requestContext, false).GetAwaiter().GetResult();
+            var csrRequest = CsrRequest.Generate(csrMetadata.ClientId, csrMetadata.TenantId, csrMetadata.Cuid);
+
+            var queryParams = $"cid={csrMetadata.Cuid}";
+            if (_requestContext.ServiceBundle.Config.ManagedIdentityId.UserAssignedId != null)
+            {
+                queryParams += $"&uaid{_requestContext.ServiceBundle.Config.ManagedIdentityId.UserAssignedId}";
+            }
+            queryParams += $"&api-version={ImdsManagedIdentitySource.ImdsApiVersion}";
+
+            var csrRequestResponse = ExecuteCsrRequestAsync(_requestContext, queryParams, csrRequest.Pem);
+
             throw new NotImplementedException();
         }
     }

tests/Microsoft.Identity.Test.Unit/ManagedIdentityTests/ImdsV2Tests.cs

@@ -130,5 +130,7 @@ public async Task GetCsrMetadataAsyncFails404WhichIsNonRetriableAndRetryPolicyIs
                 Assert.AreEqual(ManagedIdentitySource.DefaultToImds, miSource);
             }
         }
+
+        // TODO: Create CSR generation unit tests
     }
 }