StorageBearerTokenChallengeAuthorizationPolicy now supports CAE (Azure#48974)

Author: christothes

sdk/storage/Azure.Storage.Common/CHANGELOG.md

@@ -3,6 +3,7 @@
 ## 12.24.0-beta.1 (Unreleased)
 
 ### Features Added
+- `StorageBearerTokenChallengeAuthorizationPolicy` now will attempt to handle Continuous Access Evaluation (CAE) challenges, if present, by default.
 
 ### Breaking Changes
 
@@ -214,55 +215,55 @@
 ## 12.5.0-preview.5 (2020-07-03)
 - This release contains bug fixes to improve quality.
 
-## 12.5.0-preview.4 
+## 12.5.0-preview.4
 - This preview contains bug fixes to improve quality.
 
-## 12.5.0-preview.1 
+## 12.5.0-preview.1
 - This preview adds support for client-side encryption, compatible with data uploaded in previous major versions.
 
-## 12.4.3 
+## 12.4.3
 - This release contains bug fixes to improve quality.
 
-## 12.4.2 
+## 12.4.2
 - This release contains bug fixes to improve quality.
 
-## 12.4.1 
+## 12.4.1
 - This release contains bug fixes to improve quality.
 
-## 12.4.0 
+## 12.4.0
 - This release contains bug fixes to improve quality.
 
-## 12.3.0 
+## 12.3.0
 - Added InitialTransferLength to StorageTransferOptions
 
-## 12.2.0 
+## 12.2.0
 - Added support for service version 2019-07-07.
 - Update StorageSharedKeyPipelinePolicy to upload the request date header each retry.
 - Sanitized header values in exceptions.
 
-## 12.1.1 
+## 12.1.1
  - Fixed issue where SAS content headers were not URL encoded when using Sas builders.
  - Fixed bug where using SAS connection string from portal would throw an exception if it included
    table endpoint.
 
-## 12.1.0 
+## 12.1.0
 - Add support for populating AccountName properties of the UriBuilders
   for non-IP style Uris.
 
-## 12.0.0-preview.4 
+## 12.0.0-preview.4
 - Bug fixes
 
-## 12.0.0-preview.3 
+## 12.0.0-preview.3
 - Support new for Blobs/Files features
 - Bug fixes
 
 For more information, please visit: https://aka.ms/azure-sdk-preview3-net.
 
-## 12.0.0-preview.2 
+## 12.0.0-preview.2
 - Credential rolling
 - Bug fixes
 
-## 12.0.0-preview.1 
+## 12.0.0-preview.1
 This preview is the first release of a ground-up rewrite of our client
 libraries to ensure consistency, idiomatic design, productivity, and an
 excellent developer experience.  It was created following the Azure SDK Design

sdk/storage/Azure.Storage.Common/src/Shared/StorageBearerTokenChallengeAuthorizationPolicy.cs

@@ -4,6 +4,7 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Text;
 using System.Threading.Tasks;
 using Azure.Core;
 using Azure.Core.Pipeline;
@@ -60,7 +61,7 @@ private async ValueTask AuthorizeRequestInternal(HttpMessage message, bool async
         {
             if (tenantId != null || !_enableTenantDiscovery)
             {
-                TokenRequestContext context = new TokenRequestContext(_scopes, message.Request.ClientRequestId, tenantId: tenantId);
+                TokenRequestContext context = new TokenRequestContext(_scopes, message.Request.ClientRequestId, tenantId: tenantId, isCaeEnabled: true);
                 if (async)
                 {
                     await base.AuthenticateAndAuthorizeRequestAsync(message, context).ConfigureAwait(false);
@@ -82,6 +83,23 @@ private async ValueTask<bool> AuthorizeRequestOnChallengeInternalAsync(HttpMessa
         {
             try
             {
+                if (AuthorizationChallengeParser.IsCaeClaimsChallenge(message.Response))
+                {
+                    if (TryGetTokenRequestContextForCaeChallenge(message, out var tokenRequestContext))
+                    {
+                        if (async)
+                        {
+                            await AuthenticateAndAuthorizeRequestAsync(message, tokenRequestContext).ConfigureAwait(false);
+                        }
+                        else
+                        {
+                            AuthenticateAndAuthorizeRequest(message, tokenRequestContext);
+                        }
+                        return true;
+                    }
+                    return false;
+                }
+
                 var authUri = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "authorization_uri");
 
                 // tenantId should be the guid as seen in this example: https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
@@ -110,5 +128,32 @@ private async ValueTask<bool> AuthorizeRequestOnChallengeInternalAsync(HttpMessa
                 return default;
             }
         }
+
+        internal bool TryGetTokenRequestContextForCaeChallenge(HttpMessage message, out TokenRequestContext tokenRequestContext)
+        {
+            string decodedClaims = null;
+            string encodedClaims = AuthorizationChallengeParser.GetChallengeParameterFromResponse(message.Response, "Bearer", "claims");
+            try
+            {
+                decodedClaims = encodedClaims switch
+                {
+                    null => null,
+                    { Length: 0 } => null,
+                    string enc => Encoding.UTF8.GetString(Convert.FromBase64String(enc))
+                };
+            }
+            catch
+            {
+                // The claims are not in the expected format. This is not a CAE challenge.
+            }
+            if (decodedClaims == null)
+            {
+                tokenRequestContext = default;
+                return false;
+            }
+
+            tokenRequestContext = new TokenRequestContext(_scopes, message.Request.ClientRequestId, decodedClaims, isCaeEnabled: true);
+            return true;
+        }
     }
 }

sdk/storage/Azure.Storage.Common/tests/StorageBearerTokenChallengeAuthorizationPolicyTests.cs

@@ -2,11 +2,13 @@
 // Licensed under the MIT License.
 
 using System;
+using System.Collections.Generic;
 using System.Linq;
 using System.Net;
 using System.Threading;
 using System.Threading.Tasks;
 using Azure.Core;
+using Azure.Core.Diagnostics;
 using Azure.Core.TestFramework;
 using Azure.Storage.Shared;
 using Moq;
@@ -147,5 +149,73 @@ public async Task UsesScopeFromBearerChallange()
             await SendGetRequest(transport, tokenChallengeAuthorizationPolicy, uri: new Uri("https://example.com"));
             await SendGetRequest(transport, tokenChallengeAuthorizationPolicy, uri: new Uri("https://example.com"));
         }
+
+        [Test]
+        [TestCaseSource(nameof(CaeTestDetails))]
+        public async Task StorageBearerTokenChallengeAuthorizationPolicy_CAE_TokenRevocation(string description, string challenge, int expectedResponseCode, string expectedClaims, string encodedClaims)
+        {
+            string serviceChallengeResponseScope = "https://storage.azure.com";
+            string[] serviceChallengeResponseScopes = new string[] { serviceChallengeResponseScope + "/.default" };
+            string claims = null;
+            int callCount = 0;
+
+            MockCredential mockCredential = new MockCredential()
+            {
+                GetTokenCallback = (trc, _) =>
+                {
+                    // Assert.AreEqual(serviceChallengeResponseScopes, trc.Scopes);
+                    claims = trc.Claims;
+                    Interlocked.Increment(ref callCount);
+                    Assert.AreEqual(true, trc.IsCaeEnabled);
+                }
+            };
+
+            var transport = CreateMockTransport(req =>
+            {
+                if (callCount <= 1)
+                {
+                    return challenge == null ? new(200) : new MockResponse(401).WithHeader("WWW-Authenticate", challenge);
+                }
+                else
+                {
+                    return new(200);
+                }
+            });
+
+            var policy = new StorageBearerTokenChallengeAuthorizationPolicy(mockCredential, "scope", enableTenantDiscovery: false);
+
+            using AzureEventSourceListener listener = new((args, text) =>
+            {
+                TestContext.WriteLine(text);
+                if (args.EventName == "FailedToDecodeCaeChallengeClaims")
+                {
+                    Assert.That(text, Does.Contain($"'{encodedClaims}'"));
+                }
+            }, System.Diagnostics.Tracing.EventLevel.Error);
+
+            var response = await SendGetRequest(transport, policy, uri: new("https://example.com/1/Original"));
+            Assert.AreEqual(expectedClaims, claims);
+            Assert.AreEqual(expectedResponseCode, response.Status);
+
+            var response2 = await SendGetRequest(transport, policy, uri: new("https://example.com/1/Original"));
+            if (expectedClaims != null)
+            {
+                Assert.IsNull(claims);
+            }
+        }
+
+        private static IEnumerable<object[]> CaeTestDetails()
+        {
+            //args: description, challenge, expectedResponseCode, expectedClaims, encodedClaims
+            yield return new object[] { "no challenge", null, 200, null, null };
+            yield return new object[] { "unexpected error value", """Bearer authorization_uri="https://login.windows.net/", error="invalid_token", claims="ey==" """, 401, null, "ey==" };
+            yield return new object[] { "unexpected error value", """Bearer authorization_uri="https://login.windows.net/", error="invalid_token", claims="ey==" """, 401, null, "ey==" };
+            yield return new object[] { "parsing error", """Bearer claims="not base64", error="insufficient_claims" """, 401, null, "not base64" };
+            yield return new object[] { "no padding", """Bearer error="insufficient_claims", authorization_uri="http://localhost", claims="ey" """, 401, null, "ey" };
+            yield return new object[] { "more parameters, different order", """Bearer realm="", authorization_uri="http://localhost", client_id="00000003-0000-0000-c000-000000000000", error="insufficient_claims", claims="ey==" """, 200, "{", "ey==" };
+            yield return new object[] { "more parameters, different order", """Bearer realm="", authorization_uri="http://localhost", client_id="00000003-0000-0000-c000-000000000000", error="insufficient_claims", claims="ey==" """, 200, "{", "ey==" };
+            yield return new object[] { "standard", """Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", error="insufficient_claims", claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzI2MDc3NTk1In0sInhtc19jYWVlcnJvciI6eyJ2YWx1ZSI6IjEwMDEyIn19fQ==" """, 200, """{"access_token":{"nbf":{"essential":true,"value":"1726077595"},"xms_caeerror":{"value":"10012"}}}""", "eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzI2MDc3NTk1In0sInhtc19jYWVlcnJvciI6eyJ2YWx1ZSI6IjEwMDEyIn19fQ==" };
+            yield return new object[] { "multiple challenges", """PoP realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", nonce="ey==", Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", client_id="00000003-0000-0000-c000-000000000000", error_description="Continuous access evaluation resulted in challenge with result: InteractionRequired and code: TokenIssuedBeforeRevocationTimestamp", error="insufficient_claims", claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwgInZhbHVlIjoiMTcyNjI1ODEyMiJ9fX0=" """, 200, """{"access_token":{"nbf":{"essential":true, "value":"1726258122"}}}""", "eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwgInZhbHVlIjoiMTcyNjI1ODEyMiJ9fX0=" };
+        }
     }
 }