Allow use of ServiceProvider func to create KeyResolver for ProtectKeysWithAzureKeyVault (Azure#33454)

* Allow use of ServiceProvider func to create KeyResolver for ProtectKeysWithAzureKeyVault call (for resolving nested dependencies)

* Export API

* Update sdk/extensions/Azure.Extensions.AspNetCore.DataProtection.Keys/src/AzureDataProtectionKeyVaultKeyBuilderExtensions.cs

Co-authored-by: Heath Stewart <[email protected]>

* Update sdk/extensions/Azure.Extensions.AspNetCore.DataProtection.Keys/src/AzureDataProtectionKeyVaultKeyBuilderExtensions.cs

Co-authored-by: Heath Stewart <[email protected]>

* Update AzureDataProtectionKeyVaultKeyBuilderExtensions.cs

* Remove warning disable line

Co-authored-by: Tom Longhurst <[email protected]>
Co-authored-by: Heath Stewart <[email protected]>

Author: 3 people

sdk/extensions/Azure.Extensions.AspNetCore.DataProtection.Keys/api/Azure.Extensions.AspNetCore.DataProtection.Keys.netstandard2.0.cs

@@ -3,6 +3,8 @@ namespace Microsoft.AspNetCore.DataProtection
     public static partial class AzureDataProtectionKeyVaultKeyBuilderExtensions
     {
         public static Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder ProtectKeysWithAzureKeyVault(this Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder builder, string keyIdentifier, Azure.Core.Cryptography.IKeyEncryptionKeyResolver keyResolver) { throw null; }
+        public static Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder ProtectKeysWithAzureKeyVault(this Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder builder, string keyIdentifier, System.Func<System.IServiceProvider, Azure.Core.Cryptography.IKeyEncryptionKeyResolver> keyResolverFactory) { throw null; }
+        public static Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder ProtectKeysWithAzureKeyVault(this Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder builder, string keyIdentifier, System.Func<System.IServiceProvider, Azure.Core.TokenCredential> tokenCredentialFactory) { throw null; }
         public static Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder ProtectKeysWithAzureKeyVault(this Microsoft.AspNetCore.DataProtection.IDataProtectionBuilder builder, System.Uri keyIdentifier, Azure.Core.TokenCredential tokenCredential) { throw null; }
     }
 }

sdk/extensions/Azure.Extensions.AspNetCore.DataProtection.Keys/src/AzureDataProtectionKeyVaultKeyBuilderExtensions.cs

@@ -9,6 +9,7 @@
 using Microsoft.AspNetCore.DataProtection.Internal;
 using Microsoft.AspNetCore.DataProtection.KeyManagement;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
 
 #pragma warning disable AZC0001 // Extension methods have to be in the correct namespace to appear in intellisense.
 namespace Microsoft.AspNetCore.DataProtection
@@ -36,8 +37,8 @@ public static IDataProtectionBuilder ProtectKeysWithAzureKeyVault(this IDataProt
         /// Configures the data protection system to protect keys with specified key in Azure KeyVault.
         /// </summary>
         /// <param name="builder">The builder instance to modify.</param>
-        /// <param name="keyResolver">The <see cref="IKeyEncryptionKeyResolver"/> to use for Key Vault access.</param>
         /// <param name="keyIdentifier">The Azure Key Vault key identifier used for key encryption.</param>
+        /// <param name="keyResolver">The <see cref="IKeyEncryptionKeyResolver"/> to use for Key Vault access.</param>
         /// <returns>The value <paramref name="builder"/>.</returns>
         public static IDataProtectionBuilder ProtectKeysWithAzureKeyVault(this IDataProtectionBuilder builder, string keyIdentifier, IKeyEncryptionKeyResolver keyResolver)
         {
@@ -54,5 +55,58 @@ public static IDataProtectionBuilder ProtectKeysWithAzureKeyVault(this IDataProt
 
             return builder;
         }
+
+        /// <summary>
+        /// Configures the data protection system to protect keys with specified key in Azure Key Vault.
+        /// </summary>
+        /// <param name="builder">The builder instance to modify.</param>
+        /// <param name="keyIdentifier">The Azure Key Vault key identifier used for key encryption.</param>
+        /// <param name="keyResolverFactory">The factory delegate to create the <see cref="IKeyEncryptionKeyResolver"/> to use for Key Vault access.</param>
+        /// <returns>The value <paramref name="builder"/>.</returns>
+        public static IDataProtectionBuilder ProtectKeysWithAzureKeyVault(this IDataProtectionBuilder builder, string keyIdentifier, Func<IServiceProvider, IKeyEncryptionKeyResolver> keyResolverFactory)
+        {
+            Argument.AssertNotNull(builder, nameof(builder));
+            Argument.AssertNotNull(keyResolverFactory, nameof(keyResolverFactory));
+            Argument.AssertNotNullOrEmpty(keyIdentifier, nameof(keyIdentifier));
+
+            builder.Services.AddSingleton<IActivator, DecryptorTypeForwardingActivator>();
+
+            builder.Services.AddSingleton(sp =>
+            {
+                var keyResolver = keyResolverFactory(sp);
+                return new AzureKeyVaultXmlEncryptor(keyResolver, keyIdentifier);
+            });
+
+            builder.Services.AddSingleton<IConfigureOptions<KeyManagementOptions>, ConfigureKeyManagementKeyVaultEncryptorClientOptions>();
+
+            return builder;
+        }
+
+        /// <summary>
+        /// Configures the data protection system to protect keys with specified key in Azure Key Vault.
+        /// </summary>
+        /// <param name="builder">The builder instance to modify.</param>
+        /// <param name="keyIdentifier">The Azure Key Vault key identifier used for key encryption.</param>
+        /// <param name="tokenCredentialFactory">The factory delegate to create the <see cref="TokenCredential"/> to use for authenticating Key Vault access.</param>
+        /// <returns>The value <paramref name="builder"/>.</returns>
+        public static IDataProtectionBuilder ProtectKeysWithAzureKeyVault(this IDataProtectionBuilder builder, string keyIdentifier, Func<IServiceProvider, TokenCredential> tokenCredentialFactory)
+        {
+            Argument.AssertNotNull(builder, nameof(builder));
+            Argument.AssertNotNull(tokenCredentialFactory, nameof(tokenCredentialFactory));
+            Argument.AssertNotNullOrEmpty(keyIdentifier, nameof(keyIdentifier));
+
+            builder.Services.AddSingleton<IActivator, DecryptorTypeForwardingActivator>();
+
+            builder.Services.AddSingleton(sp =>
+            {
+                var tokenCredential = tokenCredentialFactory(sp);
+                var keyResolver = new KeyResolver(tokenCredential);
+                return new AzureKeyVaultXmlEncryptor(keyResolver, keyIdentifier);
+            });
+
+            builder.Services.AddSingleton<IConfigureOptions<KeyManagementOptions>, ConfigureKeyManagementKeyVaultEncryptorClientOptions>();
+
+            return builder;
+        }
     }
 }

sdk/extensions/Azure.Extensions.AspNetCore.DataProtection.Keys/src/ConfigureKeyManagementKeyVaultEncryptorClientOptions.cs

@@ -0,0 +1,28 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Microsoft.AspNetCore.DataProtection.KeyManagement;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+
+namespace Azure.Extensions.AspNetCore.DataProtection.Keys
+{
+    internal sealed class ConfigureKeyManagementKeyVaultEncryptorClientOptions : IConfigureOptions<KeyManagementOptions>
+    {
+        private readonly IServiceScopeFactory _serviceScopeFactory;
+
+        public ConfigureKeyManagementKeyVaultEncryptorClientOptions(IServiceScopeFactory serviceScopeFactory)
+        {
+            _serviceScopeFactory = serviceScopeFactory;
+        }
+
+        public void Configure(KeyManagementOptions options)
+        {
+            using var scope = _serviceScopeFactory.CreateScope();
+
+            var provider = scope.ServiceProvider;
+
+            options.XmlEncryptor = provider.GetRequiredService<AzureKeyVaultXmlEncryptor>();
+        }
+    }
+}

sdk/extensions/Azure.Extensions.AspNetCore.DataProtection.Keys/tests/AzureDataProtectionBuilderExtensionsTests.cs

@@ -0,0 +1,52 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Threading.Tasks;
+using Azure.Identity;
+using Microsoft.AspNetCore.DataProtection;
+using Microsoft.AspNetCore.DataProtection.KeyManagement;
+using Microsoft.Azure.KeyVault;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+using NUnit.Framework;
+
+namespace Azure.Extensions.AspNetCore.DataProtection.Keys.Tests
+{
+    public class AzureDataProtectionBuilderExtensionsTests
+    {
+        [Test]
+        public void ProtectKeysWithAzureKeyVault_UsesAzureKeyVaultXmlEncryptor()
+        {
+            // Arrange
+            var client = new KeyVaultClient((_, _, _) => Task.FromResult(string.Empty));
+            var serviceCollection = new ServiceCollection();
+            var builder = serviceCollection.AddDataProtection();
+
+            // Act
+            builder.ProtectKeysWithAzureKeyVault(new Uri("http://www.example.com/dummyKey"), new DefaultAzureCredential());
+            var services = serviceCollection.BuildServiceProvider();
+
+            // Assert
+            var options = services.GetRequiredService<IOptions<KeyManagementOptions>>();
+            Assert.IsInstanceOf<AzureKeyVaultXmlEncryptor>(options.Value.XmlEncryptor);
+        }
+
+        [Test]
+        public void ProtectKeysWithAzureKeyVault_WithServiceProviderFunc_UsesAzureKeyVaultXmlEncryptor()
+        {
+            // Arrange
+            var client = new KeyVaultClient((_, _, _) => Task.FromResult(string.Empty));
+            var serviceCollection = new ServiceCollection();
+            var builder = serviceCollection.AddDataProtection();
+
+            // Act
+            builder.ProtectKeysWithAzureKeyVault("http://www.example.com/dummyKey", sp => new DefaultAzureCredential());
+            var services = serviceCollection.BuildServiceProvider();
+
+            // Assert
+            var options = services.GetRequiredService<IOptions<KeyManagementOptions>>();
+            Assert.IsInstanceOf<AzureKeyVaultXmlEncryptor>(options.Value.XmlEncryptor);
+        }
+    }
+}