[Key Vault] Merge hotfix/keyvault-verify with main (Azure#26384)

Author: mccoyp

.vscode/cspell.json

@@ -231,6 +231,7 @@
     "myacr",
     "mydirectory",
     "myfile",
+    "myvault",
     "nazsdk",
     "nbytes",
     "noarch",

sdk/keyvault/azure-keyvault-administration/CHANGELOG.md

@@ -1,6 +1,6 @@
 # Release History
 
-## 4.2.0b1 (Unreleased)
+## 4.3.0b1 (Unreleased)
 
 ### Features Added
 
@@ -12,6 +12,13 @@
 - Updated minimum `azure-core` version to 1.24.0
 - Updated minimum `msrest` version to 0.7.1
 
+## 4.2.0 (2022-09-19)
+
+### Breaking Changes
+- Clients verify the challenge resource matches the vault domain. This should affect few customers,
+  who can provide `verify_challenge_resource=False` to client constructors to disable.
+  See https://aka.ms/azsdk/blog/vault-uri for more information.
+
 ## 4.1.1 (2022-08-11)
 
 ### Other Changes

sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py

@@ -23,8 +23,16 @@ class KeyVaultAccessControlClient(KeyVaultClientBase):
     """Manages role-based access to Azure Key Vault.
 
     :param str vault_url: URL of the vault the client will manage. This is also called the vault's "DNS Name".
-    :param credential: an object which can provide an access token for the vault, such as a credential from
+        You should validate that this URL references a valid Key Vault or Managed HSM resource.
+        See https://aka.ms/azsdk/blog/vault-uri for details.
+    :param credential: An object which can provide an access token for the vault, such as a credential from
         :mod:`azure.identity`
+    :type credential: :class:`~azure.core.credentials.TokenCredential`
+
+    :keyword api_version: Version of the service API to use. Defaults to the most recent.
+    :paramtype api_version: ~azure.keyvault.administration.ApiVersion
+    :keyword bool verify_challenge_resource: Whether to verify the authentication challenge resource matches the Key
+        Vault or Managed HSM domain. Defaults to True.
     """
 
     # pylint:disable=protected-access

sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_backup_client.py

@@ -30,8 +30,16 @@ class KeyVaultBackupClient(KeyVaultClientBase):
     """Performs Key Vault backup and restore operations.
 
     :param str vault_url: URL of the vault on which the client will operate. This is also called the vault's "DNS Name".
-    :param credential: an object which can provide an access token for the vault, such as a credential from
+        You should validate that this URL references a valid Key Vault or Managed HSM resource.
+        See https://aka.ms/azsdk/blog/vault-uri for details.
+    :param credential: An object which can provide an access token for the vault, such as a credential from
         :mod:`azure.identity`
+    :type credential: :class:`~azure.core.credentials.TokenCredential`
+
+    :keyword api_version: Version of the service API to use. Defaults to the most recent.
+    :paramtype api_version: ~azure.keyvault.administration.ApiVersion
+    :keyword bool verify_challenge_resource: Whether to verify the authentication challenge resource matches the Key
+        Vault or Managed HSM domain. Defaults to True.
     """
 
     # pylint:disable=protected-access

sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_internal/async_challenge_auth_policy.py

@@ -16,6 +16,7 @@
 
 import time
 from typing import TYPE_CHECKING
+from urllib.parse import urlparse
 
 from azure.core.pipeline.policies import AsyncBearerTokenCredentialPolicy
 
@@ -36,6 +37,7 @@ def __init__(self, credential: "AsyncTokenCredential", *scopes: str, **kwargs: "
         super().__init__(credential, *scopes, **kwargs)
         self._credential = credential
         self._token = None  # type: Optional[AccessToken]
+        self._verify_challenge_resource = kwargs.pop("verify_challenge_resource", True)
 
     async def on_request(self, request: "PipelineRequest") -> None:
         _enforce_tls(request)
@@ -69,6 +71,19 @@ async def on_challenge(self, request: "PipelineRequest", response: "PipelineResp
         except ValueError:
             return False
 
+        if self._verify_challenge_resource:
+            resource_domain = urlparse(scope).netloc
+            if not resource_domain:
+                raise ValueError(f"The challenge contains invalid scope '{scope}'.")
+
+            request_domain = urlparse(request.http_request.url).netloc
+            if not request_domain.lower().endswith(f".{resource_domain.lower()}"):
+                raise ValueError(
+                    f"The challenge resource '{resource_domain}' does not match the requested domain. Pass "
+                    "`verify_challenge_resource=False` to your client's constructor to disable this verification. "
+                    "See https://aka.ms/azsdk/blog/vault-uri for more information."
+                )
+
         body = request.context.pop("key_vault_request_data", None)
         request.http_request.set_text_body(body)  # no-op when text is None
         await self.authorize_request(request, scope, tenant_id=challenge.tenant_id)

sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_internal/async_client_base.py

@@ -49,9 +49,10 @@ def __init__(self, vault_url: str, credential: "AsyncTokenCredential", **kwargs:
                 }
             )
 
+            verify_challenge = kwargs.pop("verify_challenge_resource", True)
             self._client = _KeyVaultClient(
                 api_version=api_version,
-                authentication_policy=AsyncChallengeAuthPolicy(credential),
+                authentication_policy=AsyncChallengeAuthPolicy(credential, verify_challenge_resource=verify_challenge),
                 sdk_moniker=SDK_MONIKER,
                 http_logging_policy=http_logging_policy,
                 **kwargs

sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_internal/challenge_auth_policy.py

@@ -15,6 +15,7 @@
 """
 
 import time
+from urllib.parse import urlparse
 
 from azure.core.exceptions import ServiceRequestError
 from azure.core.pipeline import PipelineRequest
@@ -63,6 +64,7 @@ def __init__(self, credential, *scopes, **kwargs):
         super(ChallengeAuthPolicy, self).__init__(credential, *scopes, **kwargs)
         self._credential = credential
         self._token = None  # type: Optional[AccessToken]
+        self._verify_challenge_resource = kwargs.pop("verify_challenge_resource", True)
 
     def on_request(self, request):
         # type: (PipelineRequest) -> None
@@ -97,6 +99,19 @@ def on_challenge(self, request, response):
         except ValueError:
             return False
 
+        if self._verify_challenge_resource:
+            resource_domain = urlparse(scope).netloc
+            if not resource_domain:
+                raise ValueError(f"The challenge contains invalid scope '{scope}'.")
+
+            request_domain = urlparse(request.http_request.url).netloc
+            if not request_domain.lower().endswith(f".{resource_domain.lower()}"):
+                raise ValueError(
+                    f"The challenge resource '{resource_domain}' does not match the requested domain. Pass "
+                    "`verify_challenge_resource=False` to your client's constructor to disable this verification. "
+                    "See https://aka.ms/azsdk/blog/vault-uri for more information."
+                )
+
         body = request.context.pop("key_vault_request_data", None)
         request.http_request.set_text_body(body)  # no-op when text is None
         self.authorize_request(request, scope, tenant_id=challenge.tenant_id)

sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_internal/client_base.py

@@ -58,9 +58,10 @@ def __init__(self, vault_url, credential, **kwargs):
                 {"x-ms-keyvault-network-info", "x-ms-keyvault-region", "x-ms-keyvault-service-version"}
             )
 
+            verify_challenge = kwargs.pop("verify_challenge_resource", True)
             self._client = _KeyVaultClient(
                 api_version=api_version,
-                authentication_policy=ChallengeAuthPolicy(credential),
+                authentication_policy=ChallengeAuthPolicy(credential, verify_challenge_resource=verify_challenge),
                 sdk_moniker=SDK_MONIKER,
                 http_logging_policy=http_logging_policy,
                 **kwargs

sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_version.py

@@ -3,4 +3,4 @@
 # Licensed under the MIT License.
 # ------------------------------------
 
-VERSION = "4.2.0b1"
+VERSION = "4.3.0b1"

sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py

@@ -24,8 +24,16 @@ class KeyVaultAccessControlClient(AsyncKeyVaultClientBase):
     """Manages role-based access to Azure Key Vault.
 
     :param str vault_url: URL of the vault the client will manage. This is also called the vault's "DNS Name".
-    :param credential: an object which can provide an access token for the vault, such as a credential from
-        :mod:`azure.identity`
+        You should validate that this URL references a valid Key Vault or Managed HSM resource.
+        See https://aka.ms/azsdk/blog/vault-uri for details.
+    :param credential: An object which can provide an access token for the vault, such as a credential from
+        :mod:`azure.identity.aio`
+    :type credential: :class:`~azure.core.credentials_async.AsyncTokenCredential`
+
+    :keyword api_version: Version of the service API to use. Defaults to the most recent.
+    :paramtype api_version: ~azure.keyvault.administration.ApiVersion
+    :keyword bool verify_challenge_resource: Whether to verify the authentication challenge resource matches the Key
+        Vault or Managed HSM domain. Defaults to True.
     """
 
     # pylint:disable=protected-access