[Tables] Enable cross-tenant authentication (Azure#21678)

### Packages impacted by this PR
@azure/core-client
@azure/data-tables
@azure/core-rest-pipeline

### Issues associated with this PR
N/A

### Describe the problem that is addressed by this PR
This PR adds support for Storage Challenge authentication, this enables cross-tenant authentication for Tables SDK, which is the following scenario:

Storage Account (TenantA)
Service Principal (TenantB)

1. Initial call grabs a token for service principal in TenantB which is its home tenant
2. The request reaches the Storage Account and is rejected with 401 with the accompanying WWW-Authenticate header which contains the tenant id for where the Storage Account is located (**TenantA**)
3. We handle the challenge and request a new token, this time for **TenantA** which we extracted from the challenge information. Also the challenge may contain information about the correct scopes to use, if present, we use them to get the new token as well
4. Re-try the original request with the new token.

Implementation is based on the storage [Bearer Challenge spec](https://docs.microsoft.com/en-us/rest/api/storageservices/authorize-with-azure-active-directory#bearer-challenge)

### What are the possible designs available to address the problem? If there are more than one possible design, why was the one in this PR chosen?

I considered the following alternatives:

1. Enable this challenge logic by default in bearerTokenAuthenticationPolicy so that all libraries could leverage this functionality. However, each service seems to implement the challenge slightly differently. For example KeyVault requires an initial request with empty body to be sent to get the challenge. Storage uses differtent charaters to separate values.
2. Add the challenge callback in the Tables package. However I realized that the Storage packages need the same functionality, but they are still in corev1, so it would be beneficial if the callbacks live in core-client and can be accessed in the future by Storage when they migrate to **corev2** saving extra work on their side
3. Chosen approach is to create an authentication policy that wraps the bearerTokenAuthenticationPolicy from core-rest-pipeline and feeds it a new challenge handling callback, inspired on what the Storage team has in place at the moment. This new policy `storageChallengeAuthenticationPolicy` lives in core-client to be accessible by the Storage packages when they make the move to corev2 

### Are there test cases added in this PR? _(If not, why?)_
Yes

### Provide a list of related PRs _(if any)_
N/A

### Command used to generate this PR:**_(Applicable only to SDK release request PRs)_
`rushx generate:client`

### Checklists
- [x] Added impacted package name to the issue description
- [x] Does this PR needs any fixes in the SDK Generator?** _(If so, create an Issue in the [Autorest/typescript](https://github.com/Azure/autorest.typescript) repository and link it here)_
- [x] Added a changelog (if necessary)

Author: joheredi

sdk/core/core-client/CHANGELOG.md

@@ -6,6 +6,7 @@
 
 - Added a new property endpoint in ServiceClientOptions and mark the baseUri as deprecated to encourage people to use endpoint. See issue link [here](https://github.com/Azure/autorest.typescript/issues/1337)
 - Upgraded our `@azure/core-tracing` dependency to version 1.0
+- Add callbacks to support Storage challenge authentication [PR#21678](https://github.com/Azure/azure-sdk-for-js/pull/21678)
 
 ## 1.5.0 (2022-02-03)
 

sdk/core/core-client/package.json

@@ -72,6 +72,7 @@
     "@azure/core-auth": "^1.3.0",
     "@azure/core-rest-pipeline": "^1.5.0",
     "@azure/core-tracing": "^1.0.0",
+    "@azure/core-util": "^1.0.0",
     "@azure/logger": "^1.0.0",
     "tslib": "^2.2.0"
   },

sdk/core/core-client/review/core-client.api.md

@@ -27,6 +27,9 @@ export interface AdditionalPolicyConfig {
 // @public
 export function authorizeRequestOnClaimChallenge(onChallengeOptions: AuthorizeRequestOnChallengeOptions): Promise<boolean>;
 
+// @public
+export const authorizeRequestOnTenantChallenge: (challengeOptions: AuthorizeRequestOnChallengeOptions) => Promise<boolean>;
+
 // @public
 export interface BaseMapper {
     constraints?: MapperConstraints;

sdk/core/core-client/src/authorizeRequestOnTenantChallenge.ts

@@ -0,0 +1,138 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+import {
+  AuthorizeRequestOnChallengeOptions,
+  PipelineRequest,
+  PipelineResponse,
+} from "@azure/core-rest-pipeline";
+
+import { GetTokenOptions } from "@azure/core-auth";
+
+/**
+ * A set of constants used internally when processing requests.
+ */
+const Constants = {
+  DefaultScope: "/.default",
+  /**
+   * Defines constants for use with HTTP headers.
+   */
+  HeaderConstants: {
+    /**
+     * The Authorization header.
+     */
+    AUTHORIZATION: "authorization",
+  },
+};
+
+/**
+ * Defines a callback to handle auth challenge for Storage APIs.
+ * This implements the bearer challenge process described here: https://docs.microsoft.com/rest/api/storageservices/authorize-with-azure-active-directory#bearer-challenge
+ * Handling has specific features for storage that departs to the general AAD challenge docs.
+ **/
+export const authorizeRequestOnTenantChallenge: (
+  challengeOptions: AuthorizeRequestOnChallengeOptions
+) => Promise<boolean> = async (challengeOptions) => {
+  const requestOptions = requestToOptions(challengeOptions.request);
+  const challenge = getChallenge(challengeOptions.response);
+  if (challenge) {
+    const challengeInfo: Challenge = parseChallenge(challenge);
+    const challengeScopes = buildScopes(challengeOptions, challengeInfo);
+    const tenantId = extractTenantId(challengeInfo);
+    const accessToken = await challengeOptions.getAccessToken(challengeScopes, {
+      ...requestOptions,
+      tenantId,
+    });
+
+    if (!accessToken) {
+      return false;
+    }
+
+    challengeOptions.request.headers.set(
+      Constants.HeaderConstants.AUTHORIZATION,
+      `Bearer ${accessToken.token}`
+    );
+    return true;
+  }
+  return false;
+};
+
+/**
+ * Extracts the tenant id from the challenge information
+ * The tenant id is contained in the authorization_uri as the first
+ * path part.
+ */
+function extractTenantId(challengeInfo: Challenge): string {
+  const parsedAuthUri = new URL(challengeInfo.authorization_uri);
+  const pathSegments = parsedAuthUri.pathname.split("/");
+  const tenantId = pathSegments[1];
+
+  return tenantId;
+}
+
+/**
+ * Builds the authentication scopes based on the information that comes in the
+ * challenge information. Scopes url is present in the resource_id, if it is empty
+ * we keep using the original scopes.
+ */
+function buildScopes(
+  challengeOptions: AuthorizeRequestOnChallengeOptions,
+  challengeInfo: Challenge
+): string[] {
+  if (!challengeInfo.resource_uri) {
+    return challengeOptions.scopes;
+  }
+
+  const challengeScopes = new URL(challengeInfo.resource_uri);
+  challengeScopes.pathname = Constants.DefaultScope;
+  return [challengeScopes.toString()];
+}
+
+/**
+ * We will retrieve the challenge only if the response status code was 401,
+ * and if the response contained the header "WWW-Authenticate" with a non-empty value.
+ */
+function getChallenge(response: PipelineResponse): string | undefined {
+  const challenge = response.headers.get("WWW-Authenticate");
+  if (response.status === 401 && challenge) {
+    return challenge;
+  }
+  return;
+}
+
+/**
+ * Challenge structure
+ */
+interface Challenge {
+  authorization_uri: string;
+  resource_uri?: string;
+}
+
+/**
+ * Converts: `Bearer a="b" c="d"`.
+ * Into: `[ { a: 'b', c: 'd' }]`.
+ *
+ * @internal
+ */
+function parseChallenge(challenge: string): Challenge {
+  const bearerChallenge = challenge.slice("Bearer ".length);
+  const challengeParts = `${bearerChallenge.trim()} `.split(" ").filter((x) => x);
+  const keyValuePairs = challengeParts.map((keyValue) =>
+    (([key, value]) => ({ [key]: value }))(keyValue.trim().split("="))
+  );
+  // Key-value pairs to plain object:
+  return keyValuePairs.reduce((a, b) => ({ ...a, ...b }), {} as Challenge);
+}
+
+/**
+ * Extracts the options form a Pipeline Request for later re-use
+ */
+function requestToOptions(request: PipelineRequest): GetTokenOptions {
+  return {
+    abortSignal: request.abortSignal,
+    requestOptions: {
+      timeout: request.timeout,
+    },
+    tracingOptions: request.tracingOptions,
+  };
+}

sdk/core/core-client/src/index.ts

@@ -54,3 +54,4 @@ export {
   SerializationPolicyOptions,
 } from "./serializationPolicy";
 export { authorizeRequestOnClaimChallenge } from "./authorizeRequestOnClaimChallenge";
+export { authorizeRequestOnTenantChallenge } from "./authorizeRequestOnTenantChallenge";