Kv jca cache token (Azure#23847)

* Cache the access token

* Added unit test for cache token

* Added one more test for expired cache token


Co-authored-by: michaelqi793 <[email protected]>

Author: michaelqi793

sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/KeyVaultClient.java

@@ -11,11 +11,12 @@
 import com.azure.security.keyvault.jca.implementation.model.CertificateListResult;
 import com.azure.security.keyvault.jca.implementation.model.CertificatePolicy;
 import com.azure.security.keyvault.jca.implementation.model.KeyProperties;
+import com.azure.security.keyvault.jca.implementation.model.AccessToken;
 import com.azure.security.keyvault.jca.implementation.model.SecretBundle;
+import com.azure.security.keyvault.jca.implementation.model.SignResult;
 import com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil;
 import com.azure.security.keyvault.jca.implementation.utils.HttpUtil;
 import com.azure.security.keyvault.jca.implementation.utils.JsonConverterUtil;
-import com.azure.security.keyvault.jca.implementation.model.SignResult;
 
 import java.io.BufferedReader;
 import java.io.ByteArrayInputStream;
@@ -116,6 +117,11 @@ public static String getAADLoginURIByKeyVaultBaseUri(String keyVaultBaseUri) {
      */
     private String managedIdentity;
 
+    /**
+     * Stores the token.
+     */
+    private AccessToken accessToken;
+
     /**
      * Constructor for authentication with user-assigned managed identity.
      *
@@ -183,8 +189,21 @@ public static KeyVaultClient createKeyVaultClientBySystemProperty() {
      * @return the access token.
      */
     private String getAccessToken() {
+        if (accessToken != null && !accessToken.isExpired()) {
+            return accessToken.getAccessToken();
+        }
+        accessToken = getAccessTokenByHttpRequest();
+        return accessToken.getAccessToken();
+    }
+
+    /**
+     * Get the access token.
+     *
+     * @return the access token.
+     */
+    private AccessToken getAccessTokenByHttpRequest() {
         LOGGER.entering("KeyVaultClient", "getAccessToken");
-        String accessToken = null;
+        AccessToken accessToken = null;
         try {
             String resource = URLEncoder.encode(keyVaultBaseUri, "UTF-8");
             if (managedIdentity != null) {

sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/model/AccessToken.java

@@ -0,0 +1,74 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+package com.azure.security.keyvault.jca.implementation.model;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.time.OffsetDateTime;
+
+/**
+ * An OAuth2 token.
+ */
+public class AccessToken {
+
+    /**
+     * Stores the access token.
+     */
+    @JsonProperty("access_token")
+    private String accessToken;
+
+    /**
+     * Stores the life duration of the access token.
+     */
+    @JsonProperty("expires_in")
+    private long expiresIn;
+
+    /**
+     *
+     * @return the life duration of the access token in seconds
+     */
+    public long getExpiresIn() {
+        return expiresIn;
+    }
+
+    /**
+     * Set the life duration of the access token in seconds
+     *
+     * @param expiresIn
+     */
+    public void setExpiresIn(long expiresIn) {
+        this.expiresIn = expiresIn;
+    }
+
+    /**
+     * Stores the time when the token is retrieved for the first time.
+     */
+    private final OffsetDateTime creationDate = OffsetDateTime.now();
+
+    /**
+     * Get the access token.
+     *
+     * @return the access token.
+     */
+    public String getAccessToken() {
+        return accessToken;
+    }
+
+    /**
+     * Set the access token.
+     *
+     * @param accessToken the access token.
+     */
+    public void setAccessToken(String accessToken) {
+        this.accessToken = accessToken;
+    }
+
+    /**
+     * Reserve 60 seconds, in case that the time the token is used it is valid but when the token gets to the server side, it expires.
+     * @return boolean, whether the token is expired.
+     *
+     */
+    public boolean isExpired() {
+        return OffsetDateTime.now().isAfter(creationDate.plusSeconds(expiresIn - 60));
+    }
+}

sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/model/OAuthToken.java

@@ -5,7 +5,7 @@
 import static java.util.logging.Level.FINER;
 import static java.util.logging.Level.INFO;
 
-import com.azure.security.keyvault.jca.implementation.model.OAuthToken;
+import com.azure.security.keyvault.jca.implementation.model.AccessToken;
 import java.util.HashMap;
 import java.util.logging.Logger;
 
@@ -62,8 +62,8 @@ public final class AccessTokenUtil {
      * @param identity the user-assigned identity (null if system-assigned)
      * @return the authorization token.
      */
-    public static String getAccessToken(String resource, String identity) {
-        String result;
+    public static AccessToken getAccessToken(String resource, String identity) {
+        AccessToken result;
 
         if (System.getenv("WEBSITE_SITE_NAME") != null
             && !System.getenv("WEBSITE_SITE_NAME").isEmpty()) {
@@ -84,13 +84,13 @@ public static String getAccessToken(String resource, String identity) {
      * @param clientSecret         the client secret.
      * @return the authorization token.
      */
-    public static String getAccessToken(String resource, String aadAuthenticationUrl,
-        String tenantId, String clientId, String clientSecret) {
+    public static AccessToken getAccessToken(String resource, String aadAuthenticationUrl,
+               String tenantId, String clientId, String clientSecret) {
 
         LOGGER.entering("AccessTokenUtil", "getAccessToken", new Object[]{
             resource, tenantId, clientId, clientSecret});
         LOGGER.info("Getting access token using client ID / client secret");
-        String result = null;
+        AccessToken result = null;
 
         StringBuilder oauth2Url = new StringBuilder();
         oauth2Url.append(aadAuthenticationUrl == null ? OAUTH2_TOKEN_BASE_URL : aadAuthenticationUrl)
@@ -106,8 +106,7 @@ public static String getAccessToken(String resource, String aadAuthenticationUrl
         String body = HttpUtil
             .post(oauth2Url.toString(), requestBody.toString(), "application/x-www-form-urlencoded");
         if (body != null) {
-            OAuthToken token = (OAuthToken) JsonConverterUtil.fromJson(body, OAuthToken.class);
-            result = token.getAccessToken();
+            result = (AccessToken) JsonConverterUtil.fromJson(body, AccessToken.class);
         }
         LOGGER.log(FINER, "Access token: {0}", result);
         return result;
@@ -120,11 +119,10 @@ public static String getAccessToken(String resource, String aadAuthenticationUrl
      * @param clientId the user-assigned managed identity (null if system-assigned).
      * @return the authorization token.
      */
-    private static String getAccessTokenOnAppService(String resource, String clientId) {
+    private static AccessToken getAccessTokenOnAppService(String resource, String clientId) {
         LOGGER.entering("AccessTokenUtil", "getAccessTokenOnAppService", resource);
         LOGGER.info("Getting access token using managed identity based on MSI_SECRET");
-        String result = null;
-
+        AccessToken result = null;
         StringBuilder url = new StringBuilder();
         url.append(System.getenv("MSI_ENDPOINT"))
            .append("?api-version=2017-09-01")
@@ -140,8 +138,7 @@ private static String getAccessTokenOnAppService(String resource, String clientI
         String body = HttpUtil.get(url.toString(), headers);
 
         if (body != null) {
-            OAuthToken token = (OAuthToken) JsonConverterUtil.fromJson(body, OAuthToken.class);
-            result = token.getAccessToken();
+            result = (AccessToken) JsonConverterUtil.fromJson(body, AccessToken.class);
         }
         LOGGER.exiting("AccessTokenUtil", "getAccessTokenOnAppService", result);
         return result;
@@ -154,13 +151,13 @@ private static String getAccessTokenOnAppService(String resource, String clientI
      * @param identity the user-assigned identity (null if system-assigned).
      * @return the authorization token.
      */
-    private static String getAccessTokenOnOthers(String resource, String identity) {
+    private static AccessToken getAccessTokenOnOthers(String resource, String identity) {
         LOGGER.entering("AccessTokenUtil", "getAccessTokenOnOthers", resource);
         LOGGER.info("Getting access token using managed identity");
         if (identity != null) {
             LOGGER.log(INFO, "Using managed identity with object ID: {0}", identity);
         }
-        String result = null;
+        AccessToken result = null;
 
         StringBuilder url = new StringBuilder();
         url.append(OAUTH2_MANAGED_IDENTITY_TOKEN_URL)
@@ -174,8 +171,7 @@ private static String getAccessTokenOnOthers(String resource, String identity) {
         String body = HttpUtil.get(url.toString(), headers);
 
         if (body != null) {
-            OAuthToken token = (OAuthToken) JsonConverterUtil.fromJson(body, OAuthToken.class);
-            result = token.getAccessToken();
+            result = (AccessToken) JsonConverterUtil.fromJson(body, AccessToken.class);
         }
         LOGGER.exiting("AccessTokenUtil", "getAccessTokenOnOthers", result);
         return result;

sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/utils/AccessTokenUtil.java

@@ -3,6 +3,7 @@
 
 package com.azure.security.keyvault.jca;
 
+import com.azure.security.keyvault.jca.implementation.model.AccessToken;
 import com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.condition.EnabledIfEnvironmentVariable;
@@ -27,7 +28,7 @@ public void testGetAuthorizationToken() throws Exception {
         String tenantId = System.getenv("AZURE_KEYVAULT_TENANT_ID");
         String clientId = System.getenv("AZURE_KEYVAULT_CLIENT_ID");
         String clientSecret = System.getenv("AZURE_KEYVAULT_CLIENT_SECRET");
-        String result = AccessTokenUtil.getAccessToken(
+        AccessToken result = AccessTokenUtil.getAccessToken(
             "https://management.azure.com/",
             null,
             tenantId,

sdk/keyvault/azure-security-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/AccessTokenUtilTest.java

@@ -3,8 +3,10 @@
 
 package com.azure.security.keyvault.jca.implementation;
 
+import com.azure.security.keyvault.jca.implementation.model.AccessToken;
 import com.azure.security.keyvault.jca.implementation.model.CertificateItem;
 import com.azure.security.keyvault.jca.implementation.model.CertificateListResult;
+import com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil;
 import com.azure.security.keyvault.jca.implementation.utils.HttpUtil;
 import com.azure.security.keyvault.jca.implementation.utils.JsonConverterUtil;
 import org.junit.jupiter.api.Assertions;
@@ -27,7 +29,7 @@
 import static com.azure.security.keyvault.jca.implementation.KeyVaultClient.KEY_VAULT_BASE_URI_US;
 import static org.junit.jupiter.api.Assertions.*;
 import static org.mockito.ArgumentMatchers.*;
-import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.*;
 
 public class KeyVaultClientTest {
 
@@ -155,4 +157,43 @@ private KeyVaultClient getKeyVaultClient() {
         String clientSecret = System.getProperty("azure.keyvault.client-secret");
         return new KeyVaultClient(keyVaultUri, tenantId, clientId, clientSecret);
     }
+
+
+    @Test
+    public void testCacheToken() {
+        try (MockedStatic<AccessTokenUtil> tokenUtilMockedStatic = Mockito.mockStatic(AccessTokenUtil.class); MockedStatic<HttpUtil> httpUtilMockedStatic = Mockito.mockStatic(HttpUtil.class)) {
+            AccessToken cacheToken = new AccessToken();
+            cacheToken.setExpiresIn(300); // 300 seconds.
+            tokenUtilMockedStatic.when(() -> AccessTokenUtil.getAccessToken(anyString(), anyString())).thenReturn(cacheToken);
+            CertificateItem fakeCertificateItem = new CertificateItem();
+            fakeCertificateItem.setId("certificates/fakeCertificateItem");
+            CertificateListResult certificateListResult = new CertificateListResult();
+            certificateListResult.setValue(Arrays.asList(fakeCertificateItem));
+            String certificateListResultString = JsonConverterUtil.toJson(certificateListResult);
+            httpUtilMockedStatic.when(() -> HttpUtil.get(anyString(), anyMap())).thenReturn(certificateListResultString);
+            KeyVaultClient keyVaultClient = new KeyVaultClient(KEY_VAULT_TEST_URI_GLOBAL, "");
+            keyVaultClient.getAliases();
+            keyVaultClient.getAliases(); // get aliases the second time.
+            tokenUtilMockedStatic.verify(() -> AccessTokenUtil.getAccessToken(anyString(), anyString()), times(1));
+        }
+    }
+
+    @Test
+    public void testCacheTokenExpired() {
+        try (MockedStatic<AccessTokenUtil> tokenUtilMockedStatic = Mockito.mockStatic(AccessTokenUtil.class); MockedStatic<HttpUtil> httpUtilMockedStatic = Mockito.mockStatic(HttpUtil.class)) {
+            AccessToken cacheToken = new AccessToken();
+            cacheToken.setExpiresIn(50); // 50 seconds.
+            tokenUtilMockedStatic.when(() -> AccessTokenUtil.getAccessToken(anyString(), anyString())).thenReturn(cacheToken);
+            CertificateItem fakeCertificateItem = new CertificateItem();
+            fakeCertificateItem.setId("certificates/fakeCertificateItem");
+            CertificateListResult certificateListResult = new CertificateListResult();
+            certificateListResult.setValue(Arrays.asList(fakeCertificateItem));
+            String certificateListResultString = JsonConverterUtil.toJson(certificateListResult);
+            httpUtilMockedStatic.when(() -> HttpUtil.get(anyString(), anyMap())).thenReturn(certificateListResultString);
+            KeyVaultClient keyVaultClient = new KeyVaultClient(KEY_VAULT_TEST_URI_GLOBAL, "");
+            keyVaultClient.getAliases();
+            keyVaultClient.getAliases(); // get aliases the second time.
+            tokenUtilMockedStatic.verify(() -> AccessTokenUtil.getAccessToken(anyString(), anyString()), times(2));
+        }
+    }
 }