Add support for keyVault integration in virtual client to resolve secrets, certificates and keys (#513)

* adding KeyVault Capability

* resolve enum

* 2nd commit

* working solution

* add unit tests

* more conflicts

* more conflicts part 2

* more conflicts part 3

* more conflicts part 4

* remove extra changes

* add doc

* resolve comments

* nit spaces

* nit

* resolve doc build

* resolve comments

* remove keyvaultdescriptor

* cleanup

---------

Co-authored-by: Aditya Abhishek <[email protected]>

Author: imadityaa

src/VirtualClient/Module.props

@@ -31,6 +31,15 @@
 
         <!-- Azure.Messaging.EventHubs -->
         <Azure_Messaging_EventHubs_PackageVersion>5.11.5</Azure_Messaging_EventHubs_PackageVersion>
+      
+        <!-- Azure.Security.KeyVault.Certificates -->
+        <Azure_Security_KeyVault_Certificates_PackageVersion>4.7.0</Azure_Security_KeyVault_Certificates_PackageVersion>
+      
+        <!-- Azure.Security.KeyVault.Keys -->
+        <Azure_Security_KeyVault_Keys_PackageVersion>4.7.0</Azure_Security_KeyVault_Keys_PackageVersion>
+      
+        <!-- Azure.Security.KeyVault.Secrets -->
+        <Azure_Security_KeyVault_Secrets_PackageVersion>4.7.0</Azure_Security_KeyVault_Secrets_PackageVersion>
 
         <!-- Azure.Storage.Blobs -->
         <Azure_Storage_Blobs_PackageVersion>12.18.0</Azure_Storage_Blobs_PackageVersion>
@@ -145,7 +154,7 @@
 
         <!-- System.ServiceProcess.ServiceController -->
         <System_ServiceProcess_ServiceController_PackageVersion>9.0.3</System_ServiceProcess_ServiceController_PackageVersion>
-        
+
         <!-- YamlDotNet -->
         <YamlDotNet_PackageVersion>15.1.1</YamlDotNet_PackageVersion>
 

src/VirtualClient/VirtualClient.Contracts/DependencyKeyVaultStore.cs

@@ -0,0 +1,56 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+namespace VirtualClient
+{
+    using System;
+    using Azure.Core;
+    using VirtualClient.Common.Extensions;
+
+    /// <summary>
+    /// Represents an Azure Key vault Namespace store
+    /// </summary>
+    public class DependencyKeyVaultStore : DependencyStore
+    {
+        /// <summary>
+        /// Initializes an instance of the <see cref="DependencyKeyVaultStore"/> class.
+        /// </summary>
+        /// <param name="storeName">The name of the KeyVault store (e.g. KeyVault).</param>
+        /// <param name="endpointUri">The URI/SAS for the target Key Vault.</param>
+        public DependencyKeyVaultStore(string storeName, Uri endpointUri)
+            : base(storeName, DependencyStore.StoreTypeAzureKeyVault)
+        {
+            endpointUri.ThrowIfNull(nameof(endpointUri));
+            this.EndpointUri = endpointUri;
+            this.KeyVaultNameSpace = endpointUri.Host;
+        }
+
+        /// <summary>
+        /// Initializes an instance of the <see cref="DependencyKeyVaultStore"/> class.
+        /// </summary>
+        /// <param name="storeName">The name of the KeyVault store (e.g. KeyVault).</param>
+        /// <param name="endpointUri">The URI/SAS for the target Key Vault.</param>
+        /// <param name="credentials">An identity token credential to use for authentication against the Key Vault.</param>
+        public DependencyKeyVaultStore(string storeName, Uri endpointUri, TokenCredential credentials)
+            : this(storeName, endpointUri)
+        {
+            credentials.ThrowIfNull(nameof(credentials));
+            this.Credentials = credentials;
+        }
+
+        /// <summary>
+        /// The URI/SAS for the target Key Vault.
+        /// </summary>
+        public Uri EndpointUri { get; }
+
+        /// <summary>
+        /// The Key Vault namespace.
+        /// </summary>
+        public string KeyVaultNameSpace { get; }
+
+        /// <summary>
+        /// An identity token credential to use for authentication against the Key vault. 
+        /// </summary>
+        public TokenCredential Credentials { get; }
+    }
+}

src/VirtualClient/VirtualClient.Contracts/DependencyStore.cs

@@ -16,6 +16,11 @@ public class DependencyStore
         /// </summary>
         public const string Content = nameof(DependencyStore.Content);
 
+        /// <summary>
+        /// KeyVault store name.
+        /// </summary>
+        public const string KeyVault = nameof(DependencyStore.KeyVault);
+
         /// <summary>
         /// Packages store name.
         /// </summary>
@@ -41,6 +46,11 @@ public class DependencyStore
         /// </summary>
         public const string StoreTypeFileSystem = "FileSystem";
 
+        /// <summary>
+        /// Store Type = AzureKeyVault
+        /// </summary>
+        public const string StoreTypeAzureKeyVault = "AzureKeyVault";
+
         /// <summary>
         /// Store Type = ProxyApi
         /// </summary>

src/VirtualClient/VirtualClient.Core.UnitTests/DependencyFactoryTests.cs

@@ -0,0 +1,47 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+using System;
+using NUnit.Framework;
+using VirtualClient.Contracts;
+using VirtualClient;
+
+namespace VirtualClient.Core.UnitTests
+{
+    [TestFixture]
+    [Category("Unit")]
+    public class DependencyFactoryTests
+    {
+        [Test]
+        public void CreateKeyVaultManager_ThrowsIfDependencyStoreIsNotKeyVaultStore()
+        {
+            // Arrange: Use a base DependencyBlobStore, not a DependencyKeyVaultStore
+            var store = new DependencyBlobStore("KeyVault", new Uri("https://myblob.azure.net/"));
+
+            // Act & Assert
+            var ex = Assert.Throws<DependencyException>(() => DependencyFactory.CreateKeyVaultManager(store));
+            StringAssert.Contains("Required Key Vault information not provided", ex.Message);
+        }
+
+        [Test]
+        public void CreateKeyVaultManager_ReturnsKeyVaultManagerForValidStore()
+        {
+            // Arrange: Use a valid DependencyKeyVaultStore
+            var keyVaultStore = new DependencyKeyVaultStore("KeyVault", new Uri("https://myvault.vault.azure.net/"));
+
+            // Act
+            var manager = DependencyFactory.CreateKeyVaultManager(keyVaultStore);
+
+            // Assert
+            Assert.IsNotNull(manager);
+            Assert.IsInstanceOf<IKeyVaultManager>(manager);
+        }
+
+        [Test]
+        public void CreateKeyVaultManager_ThrowsIfNullPassed()
+        {
+            // Act & Assert
+            Assert.Throws<DependencyException>(() => DependencyFactory.CreateKeyVaultManager(null));
+        }
+    }
+}

src/VirtualClient/VirtualClient.Core.UnitTests/EndpointUtilityTests.cs

@@ -12,6 +12,7 @@ namespace VirtualClient
     using Moq;
     using NUnit.Framework;
     using VirtualClient.Contracts;
+    using VirtualClient.Identity;
     using VirtualClient.TestExtensions;
 
     [TestFixture]
@@ -795,5 +796,63 @@ public void EndpointUtilityThrowsWhenCreatingAProfileReferenceIfTheValueProvided
                 invalidEndpoint,
                 this.mockFixture.CertificateManager.Object));
         }
+
+        [Test]
+        [TestCase(
+            "https://my-keyvault.vault.azure.net/?cid=985bbc17-e3a5-4fec-b0cb-40dbb8bc5959&tid=307591a4-abb2-4559-af59-b47177d140cf&crtt=1234567",
+            "https://my-keyvault.vault.azure.net/")]
+        [TestCase(
+            "Endpoint=https://my-keyvault.vault.azure.net/;CertificateThumbprint=1234567;ClientId=985bbc17;TenantId=307591a4",
+            "https://my-keyvault.vault.azure.net/")]
+        public void EndpointUtility_CreateKeyVaultStoreReference_Entra(string connectionString, string expectedUri)
+        {
+            // Setup: A matching certificate is found in the local store.
+            this.mockFixture.CertificateManager.Setup(mgr => mgr.GetCertificateFromStoreAsync("1234567", It.IsAny<IEnumerable<StoreLocation>>(), It.IsAny<StoreName>()))
+                .ReturnsAsync(this.mockFixture.Create<X509Certificate2>());
+
+            var store = EndpointUtility.CreateKeyVaultStoreReference(
+                DependencyStore.KeyVault,
+                connectionString,
+                this.mockFixture.CertificateManager.Object);
+
+            Assert.IsNotNull(store);
+            Assert.AreEqual(DependencyStore.KeyVault, store.StoreName);
+            Assert.AreEqual(DependencyStore.StoreTypeAzureKeyVault, store.StoreType);
+            Assert.AreEqual(new Uri(expectedUri).ToString(), store.EndpointUri.ToString());
+            Assert.IsNotNull(store.Credentials);
+            Assert.IsInstanceOf<ClientCertificateCredential>(store.Credentials);
+        }
+
+        [Test]
+        [TestCase(
+            "Endpoint=https://my-keyvault.vault.azure.net/;ManagedIdentityId=307591a4-abb2-4559-af59-b47177d140cf",
+            "https://my-keyvault.vault.azure.net/")]
+        [TestCase(
+            "https://my-keyvault.vault.azure.net/?miid=307591a4-abb2-4559-af59-b47177d140cf",
+            "https://my-keyvault.vault.azure.net/")]
+        public void EndpointUtility_CreateKeyVaultStoreReference_Miid(string connectionString, string expectedUri)
+        {
+            var store = EndpointUtility.CreateKeyVaultStoreReference(
+                DependencyStore.KeyVault,
+                connectionString,
+                this.mockFixture.CertificateManager.Object);
+
+            Assert.IsNotNull(store);
+            Assert.AreEqual(DependencyStore.KeyVault, store.StoreName);
+            Assert.AreEqual(DependencyStore.StoreTypeAzureKeyVault, store.StoreType);
+            Assert.AreEqual(new Uri(expectedUri).ToString(), store.EndpointUri.ToString());
+            Assert.IsNotNull(store.Credentials);
+            Assert.IsInstanceOf<ManagedIdentityCredential>(store.Credentials);
+        }
+
+        [Test]
+        public void CreateKeyVaultStoreReference_ConnectionString_ThrowsOnInvalid()
+        {
+            Assert.Throws<SchemaException>(() =>
+                EndpointUtility.CreateKeyVaultStoreReference(
+                    DependencyStore.KeyVault,
+                    "InvalidConnectionString",
+                    this.mockFixture.CertificateManager.Object));
+        }
     }
 }