BearerTokenChallengeAuthorizationPolicy extracting tenant ID (Azure#44280)

ibrahimrabab · web-flow · commit 70aacfdb6387 · 2025-03-06T13:16:30.000-08:00
diff --git a/sdk/storage/azure-storage-common/src/main/java/com/azure/storage/common/policy/StorageBearerTokenChallengeAuthorizationPolicy.java b/sdk/storage/azure-storage-common/src/main/java/com/azure/storage/common/policy/StorageBearerTokenChallengeAuthorizationPolicy.java
@@ -10,8 +10,11 @@
 import com.azure.core.http.HttpResponse;
 import com.azure.core.http.policy.BearerTokenAuthenticationPolicy;
 import com.azure.core.util.CoreUtils;
+import com.azure.core.util.logging.ClientLogger;
 import reactor.core.publisher.Mono;
 
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
@@ -22,8 +25,10 @@
  */
 public class StorageBearerTokenChallengeAuthorizationPolicy extends BearerTokenAuthenticationPolicy {
 
+    private static final ClientLogger LOGGER = new ClientLogger(StorageBearerTokenChallengeAuthorizationPolicy.class);
+
     private static final String DEFAULT_SCOPE = "/.default";
-    private static final String BEARER_TOKEN_PREFIX = "Bearer ";
+    static final String BEARER_TOKEN_PREFIX = "Bearer ";
 
     private String[] scopes;
 
@@ -64,29 +69,69 @@ public Mono<Boolean> authorizeRequestOnChallenge(HttpPipelineCallContext context
         String authHeader = response.getHeaderValue(HttpHeaderName.WWW_AUTHENTICATE);
         Map<String, String> challenges = extractChallengeAttributes(authHeader, BEARER_TOKEN_PREFIX);
 
-        String scope = challenges.get("resource_id");
+        String scope = getScopeFromChallenges(challenges);
+        String authorization = getAuthorizationFromChallenges(challenges);
+
         if (scope != null) {
             scope += DEFAULT_SCOPE;
             scopes = new String[] { scope };
             scopes = getScopes(context, scopes);
-            return setAuthorizationHeader(context, new TokenRequestContext().addScopes(scopes)).thenReturn(true);
         }
+
+        if (authorization != null) {
+            String tenantId = extractTenantIdFromUri(authorization);
+            TokenRequestContext tokenRequestContext = new TokenRequestContext().addScopes(scopes).setTenantId(tenantId);
+            return setAuthorizationHeader(context, tokenRequestContext).thenReturn(true);
+        }
+
+        if (scope != null) {
+            TokenRequestContext tokenRequestContext = new TokenRequestContext().addScopes(scopes);
+            return setAuthorizationHeader(context, tokenRequestContext).thenReturn(true);
+        }
+
         return Mono.just(false);
     }
 
+    String extractTenantIdFromUri(String uri) {
+        try {
+            String[] segments = new URI(uri).getPath().split("/");
+            if (segments.length > 1) {
+                return segments[1];
+            } else {
+                throw LOGGER.logExceptionAsError(new RuntimeException("Invalid authorization URI: tenantId not found"));
+            }
+        } catch (URISyntaxException e) {
+            throw LOGGER.logExceptionAsError(new RuntimeException("Invalid authorization URI", e));
+        }
+    }
+
     @Override
     public boolean authorizeRequestOnChallengeSync(HttpPipelineCallContext context, HttpResponse response) {
         String authHeader = response.getHeaderValue(HttpHeaderName.WWW_AUTHENTICATE);
         Map<String, String> challenges = extractChallengeAttributes(authHeader, BEARER_TOKEN_PREFIX);
 
-        String scope = challenges.get("resource_id");
+        String scope = getScopeFromChallenges(challenges);
+        String authorization = getAuthorizationFromChallenges(challenges);
+
         if (scope != null) {
             scope += DEFAULT_SCOPE;
             scopes = new String[] { scope };
             scopes = getScopes(context, scopes);
-            setAuthorizationHeaderSync(context, new TokenRequestContext().addScopes(scopes));
+        }
+
+        if (authorization != null) {
+            String tenantId = extractTenantIdFromUri(authorization);
+            TokenRequestContext tokenRequestContext = new TokenRequestContext().addScopes(scopes).setTenantId(tenantId);
+            setAuthorizationHeaderSync(context, tokenRequestContext);
+            return true;
+        }
+
+        if (scope != null) {
+            TokenRequestContext tokenRequestContext = new TokenRequestContext().addScopes(scopes);
+            setAuthorizationHeaderSync(context, tokenRequestContext);
             return true;
         }
+
         return false;
     }
 
@@ -117,4 +162,12 @@ static boolean isBearerChallenge(String authenticateHeader, String authChallenge
         return (!CoreUtils.isNullOrEmpty(authenticateHeader)
             && authenticateHeader.toLowerCase(Locale.ROOT).startsWith(authChallengePrefix.toLowerCase(Locale.ROOT)));
     }
+
+    String getScopeFromChallenges(Map<String, String> challenges) {
+        return challenges.get("resource_id");
+    }
+
+    String getAuthorizationFromChallenges(Map<String, String> challenges) {
+        return challenges.get("authorization_uri");
+    }
 }
diff --git a/sdk/storage/azure-storage-common/src/test/java/com/azure/storage/common/policy/StorageBearerTokenChallengeAuthorizationPolicyTests.java b/sdk/storage/azure-storage-common/src/test/java/com/azure/storage/common/policy/StorageBearerTokenChallengeAuthorizationPolicyTests.java
@@ -0,0 +1,211 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.storage.common.policy;
+
+import com.azure.core.credential.TokenCredential;
+import com.azure.core.test.utils.MockTokenCredential;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import static com.azure.storage.common.policy.StorageBearerTokenChallengeAuthorizationPolicy.BEARER_TOKEN_PREFIX;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+public class StorageBearerTokenChallengeAuthorizationPolicyTests {
+
+    private String[] scopes;
+    private TokenCredential mockCredential;
+
+    @BeforeEach
+    public void setup() {
+        scopes = new String[] { "https://storage.azure.com/.default" };
+        mockCredential = new MockTokenCredential();
+    }
+
+    @Test
+    public void testExtractChallengeAttributes() {
+        StorageBearerTokenChallengeAuthorizationPolicy policy
+            = new StorageBearerTokenChallengeAuthorizationPolicy(mockCredential, "https://storage.azure.com/.default");
+
+        String authHeader
+            = "Bearer authorization_uri=https://login.microsoftonline.com/tenantId/oauth2/authorize resource_id=https://storage.azure.com";
+        Map<String, String> challenges = policy.extractChallengeAttributes(authHeader, BEARER_TOKEN_PREFIX);
+
+        assertNotNull(challenges);
+        assertEquals("https://login.microsoftonline.com/tenantid/oauth2/authorize",
+            challenges.get("authorization_uri"));
+        assertEquals("https://storage.azure.com", challenges.get("resource_id"));
+    }
+
+    @Test
+    public void testGetScopeFromChallenges() {
+        StorageBearerTokenChallengeAuthorizationPolicy policy
+            = new StorageBearerTokenChallengeAuthorizationPolicy(mockCredential, "https://storage.azure.com/.default");
+
+        Map<String, String> challenges = new HashMap<>();
+        challenges.put("resource_id", "https://storage.azure.com");
+
+        String scope = policy.getScopeFromChallenges(challenges);
+
+        assertEquals("https://storage.azure.com", scope);
+    }
+
+    @Test
+    public void testGetAuthorizationFromChallenges() {
+        StorageBearerTokenChallengeAuthorizationPolicy policy
+            = new StorageBearerTokenChallengeAuthorizationPolicy(mockCredential, "https://storage.azure.com/.default");
+
+        Map<String, String> challenges = new HashMap<>();
+        challenges.put("authorization_uri", "https://login.microsoftonline.com/tenantId/oauth2/authorize");
+
+        String authorization = policy.getAuthorizationFromChallenges(challenges);
+
+        assertEquals("https://login.microsoftonline.com/tenantId/oauth2/authorize", authorization);
+    }
+
+    @Test
+    public void usesTokenProvidedByCredentials() {
+        StorageBearerTokenChallengeAuthorizationPolicy policy
+            = new StorageBearerTokenChallengeAuthorizationPolicy(mockCredential, scopes);
+
+        Map<String, String> challenges = policy.extractChallengeAttributes(null, BEARER_TOKEN_PREFIX);
+
+        String scope = policy.getScopeFromChallenges(challenges);
+        String authorization = policy.getAuthorizationFromChallenges(challenges);
+
+        assertNull(scope);
+        assertNull(authorization);
+    }
+
+    @Test
+    public void doesNotSendUnauthorizedRequestWhenEnableTenantDiscoveryIsFalse() {
+        StorageBearerTokenChallengeAuthorizationPolicy policy
+            = new StorageBearerTokenChallengeAuthorizationPolicy(mockCredential, scopes);
+
+        Map<String, String> challenges = policy.extractChallengeAttributes(null, BEARER_TOKEN_PREFIX);
+
+        String scope = policy.getScopeFromChallenges(challenges);
+        String authorization = policy.getAuthorizationFromChallenges(challenges);
+
+        assertNull(scope);
+        assertNull(authorization);
+    }
+
+    @Test
+    public void sendsUnauthorizedRequestWhenEnableTenantDiscoveryIsTrue() {
+        StorageBearerTokenChallengeAuthorizationPolicy policy
+            = new StorageBearerTokenChallengeAuthorizationPolicy(mockCredential, scopes);
+
+        String expectedTenantId = "72f988bf-86f1-41af-91ab-2d7cd011db47";
+        String authHeader = "Bearer authorization_uri=https://login.microsoftonline.com/" + expectedTenantId
+            + "/oauth2/authorize resource_id=https://storage.azure.com";
+        Map<String, String> challenges = policy.extractChallengeAttributes(authHeader, BEARER_TOKEN_PREFIX);
+
+        String scope = policy.getScopeFromChallenges(challenges);
+        String authorization = policy.getAuthorizationFromChallenges(challenges);
+
+        assertEquals("https://storage.azure.com", scope);
+        assertEquals("https://login.microsoftonline.com/" + expectedTenantId + "/oauth2/authorize", authorization);
+    }
+
+    @Test
+    public void usesScopeFromBearerChallenge() {
+        StorageBearerTokenChallengeAuthorizationPolicy policy = new StorageBearerTokenChallengeAuthorizationPolicy(
+            mockCredential, "https://disk.compute.azure.com/.default");
+
+        String serviceChallengeResponseScope = "https://storage.azure.com";
+        String authHeader
+            = "Bearer authorization_uri=https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize resource_id="
+                + serviceChallengeResponseScope;
+        Map<String, String> challenges = policy.extractChallengeAttributes(authHeader, BEARER_TOKEN_PREFIX);
+
+        String scope = policy.getScopeFromChallenges(challenges);
+        String authorization = policy.getAuthorizationFromChallenges(challenges);
+
+        assertEquals(serviceChallengeResponseScope, scope);
+        assertEquals("https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize",
+            authorization);
+    }
+
+    @Test
+    public void testMultiTenantAuthentication() {
+        StorageBearerTokenChallengeAuthorizationPolicy policy
+            = new StorageBearerTokenChallengeAuthorizationPolicy(mockCredential, "https://storage.azure.com/.default");
+
+        String tenantId1 = "tenant1";
+        String tenantId2 = "tenant2";
+
+        String authHeader1 = "Bearer authorization_uri=https://login.microsoftonline.com/" + tenantId1
+            + "/oauth2/authorize resource_id=https://storage.azure.com";
+        String authHeader2 = "Bearer authorization_uri=https://login.microsoftonline.com/" + tenantId2
+            + "/oauth2/authorize resource_id=https://storage.azure.com";
+
+        Map<String, String> challenges1 = policy.extractChallengeAttributes(authHeader1, BEARER_TOKEN_PREFIX);
+        Map<String, String> challenges2 = policy.extractChallengeAttributes(authHeader2, BEARER_TOKEN_PREFIX);
+
+        String scope1 = policy.getScopeFromChallenges(challenges1);
+        String authorization1 = policy.getAuthorizationFromChallenges(challenges1);
+        String scope2 = policy.getScopeFromChallenges(challenges2);
+        String authorization2 = policy.getAuthorizationFromChallenges(challenges2);
+
+        assertEquals("https://storage.azure.com", scope1);
+        assertEquals("https://login.microsoftonline.com/" + tenantId1 + "/oauth2/authorize", authorization1);
+        assertEquals("https://storage.azure.com", scope2);
+        assertEquals("https://login.microsoftonline.com/" + tenantId2 + "/oauth2/authorize", authorization2);
+    }
+
+    @Test
+    public void testExtractTenantIdFromUri() {
+        StorageBearerTokenChallengeAuthorizationPolicy policy
+            = new StorageBearerTokenChallengeAuthorizationPolicy(mockCredential, "https://storage.azure.com/.default");
+
+        String uri = "https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize";
+        String expectedTenantId = "72f988bf-86f1-41af-91ab-2d7cd011db47";
+
+        String actualTenantId = policy.extractTenantIdFromUri(uri);
+
+        assertEquals(expectedTenantId, actualTenantId);
+    }
+
+    @Test
+    public void testExtractTenantIdFromUriInvalidUri() {
+        StorageBearerTokenChallengeAuthorizationPolicy policy
+            = new StorageBearerTokenChallengeAuthorizationPolicy(mockCredential, "https://storage.azure.com/.default");
+
+        String invalidUri = "https://login.microsoftonline.com/";
+
+        Exception exception = assertThrows(RuntimeException.class, () -> {
+            policy.extractTenantIdFromUri(invalidUri);
+        });
+
+        String expectedMessage = "Invalid authorization URI: tenantId not found";
+        String actualMessage = exception.getMessage();
+
+        assertTrue(actualMessage.contains(expectedMessage));
+    }
+
+    @Test
+    public void testExtractTenantIdFromUriMalformedUri() {
+        StorageBearerTokenChallengeAuthorizationPolicy policy
+            = new StorageBearerTokenChallengeAuthorizationPolicy(mockCredential, "https://storage.azure.com/.default");
+
+        String malformedUri = "ht!tp://invalid-uri";
+
+        Exception exception = assertThrows(RuntimeException.class, () -> {
+            policy.extractTenantIdFromUri(malformedUri);
+        });
+
+        String expectedMessage = "Invalid authorization URI";
+        String actualMessage = exception.getMessage();
+
+        assertTrue(actualMessage.contains(expectedMessage));
+    }
+
+}
