Fixed scope of bearer token (#15042)

Azure · Sep 16, 2020 · 1f1e8fb · 1f1e8fb
1 parent 01f304a
commit 1f1e8fb
Show file tree

Hide file tree

Showing 22 changed files with 523 additions and 27 deletions.
diff --git a/sdk/storage/azure-storage-blob-cryptography/CHANGELOG.md b/sdk/storage/azure-storage-blob-cryptography/CHANGELOG.md
@@ -1,6 +1,7 @@
 # Release History
 
 ## 12.9.0-beta.1 (Unreleased)
+- Fixed a bug where the TokenCredential scope would be incorrect for custom URLs.
 - Fixed a bug where a custom application id in HttpLogOptions would not be added to the User Agent String.
 
 ## 12.8.0 (2020-08-13)

diff --git a/...main/java/com/azure/storage/blob/specialized/cryptography/EncryptedBlobClientBuilder.java b/...main/java/com/azure/storage/blob/specialized/cryptography/EncryptedBlobClientBuilder.java
@@ -202,7 +202,7 @@ private HttpPipeline getHttpPipeline() {
             policies.add(new StorageSharedKeyCredentialPolicy(storageSharedKeyCredential));
         } else if (tokenCredential != null) {
             BuilderHelper.httpsValidation(tokenCredential, "bearer token", endpoint, logger);
-            policies.add(new BearerTokenAuthenticationPolicy(tokenCredential, String.format("%s/.default", endpoint)));
+            policies.add(new BearerTokenAuthenticationPolicy(tokenCredential, Constants.STORAGE_SCOPE));
         } else if (sasTokenCredential != null) {
             policies.add(new SasTokenCredentialPolicy(sasTokenCredential));
         }

diff --git a/sdk/storage/azure-storage-blob/CHANGELOG.md b/sdk/storage/azure-storage-blob/CHANGELOG.md
@@ -1,6 +1,8 @@
 # Release History
 
 ## 12.9.0-beta.1 (Unreleased)
+- Fixed a bug where the TokenCredential scope would be incorrect for custom URLs.
+- Fixed a bug where Default Azure Credential would not work with Azurite.
 - Fixed a bug where a custom application id in HttpLogOptions would not be added to the User Agent String.
 - Fixed a bug where BlockBlobOutputStream would not handle certain errors.
 

diff --git a/...-storage-blob/src/main/java/com/azure/storage/blob/implementation/util/BuilderHelper.java b/...-storage-blob/src/main/java/com/azure/storage/blob/implementation/util/BuilderHelper.java
@@ -80,8 +80,7 @@ public static HttpPipeline buildPipeline(StorageSharedKeyCredential storageShare
             credentialPolicy =  new StorageSharedKeyCredentialPolicy(storageSharedKeyCredential);
         } else if (tokenCredential != null) {
             httpsValidation(tokenCredential, "bearer token", endpoint, logger);
-            credentialPolicy =  new BearerTokenAuthenticationPolicy(tokenCredential,
-                String.format("%s/.default", getPrimaryEndpointForTokenAuth(endpoint)));
+            credentialPolicy =  new BearerTokenAuthenticationPolicy(tokenCredential, Constants.STORAGE_SCOPE);
         } else if (sasTokenCredential != null) {
             credentialPolicy =  new SasTokenCredentialPolicy(sasTokenCredential);
         } else {
@@ -108,19 +107,6 @@ public static HttpPipeline buildPipeline(StorageSharedKeyCredential storageShare
             .build();
     }
 
-    /**
-     *
-     * @param endpoint The endpoint passed by the customer.
-     * @return The primary endpoint for the account. It may be the same endpoint passed if it is already a primary or it
-     * may have had "-secondary" stripped from the end of the account name.
-     */
-    private static String getPrimaryEndpointForTokenAuth(String endpoint) {
-        String[] parts = endpoint.split("\\.");
-        parts[0] = parts[0].endsWith("-secondary") ? parts[0].substring(0, parts[0].length() - "-secondary".length())
-            : parts[0];
-        return String.join(".", parts);
-    }
-
     /**
      * Gets the default http log option for Storage Blob.
      *

diff --git a/sdk/storage/azure-storage-blob/src/test/java/com/azure/storage/blob/AzuriteTest.groovy b/sdk/storage/azure-storage-blob/src/test/java/com/azure/storage/blob/AzuriteTest.groovy
@@ -4,23 +4,24 @@
 package com.azure.storage.blob
 
 import com.azure.core.test.TestMode
+import com.azure.identity.DefaultAzureCredentialBuilder
 import com.azure.storage.blob.specialized.BlobClientBase
 import com.azure.storage.blob.specialized.BlobLeaseClientBuilder
 import com.azure.storage.blob.specialized.SpecializedBlobClientBuilder
 import com.azure.storage.common.StorageSharedKeyCredential
 import spock.lang.Unroll
 
 class AzuriteTest extends APISpec {
-    String[] azuriteEndpoints = ["http://127.0.0.1:10000/devstoreaccount1",
-                                 "http://azure-storage-emulator-azurite:10000/devstoreaccount1"]
+    String[] azuriteEndpoints = ["https://127.0.0.1:10000/devstoreaccount1",
+                                 "https://azure-storage-emulator-azurite:10000/devstoreaccount1"]
 
     /*
      * The credential information for Azurite is static and documented in numerous locations, therefore it is okay to have this "secret" written into public code.
      */
     StorageSharedKeyCredential azuriteCredential = new StorageSharedKeyCredential("devstoreaccount1", "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==")
 
     private getAzuriteBlobConnectionString(String azuriteEndpoint) {
-        return "DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;BlobEndpoint=" + azuriteEndpoint + ";"
+        return "DefaultEndpointsProtocol=https;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;BlobEndpoint=" + azuriteEndpoint + ";"
     }
 
     private BlobServiceClient getAzuriteServiceClient(String azuriteEndpoint) {
@@ -116,6 +117,21 @@ class AzuriteTest extends APISpec {
         1     | _
     }
 
+    @Unroll
+    def "Azurite URL constructing service client default azure credential"() {
+        when:
+        def serviceClient = getAzuriteServiceClient(azuriteEndpoints[index])
+
+        then:
+        serviceClient.getAccountName() == "devstoreaccount1"
+        serviceClient.getAccountUrl() == azuriteEndpoints[index]
+
+        where:
+        index | _
+        0     | _
+        1     | _
+    }
+
     @Unroll
     def "Azurite URL get container client"() {
         when:
@@ -151,6 +167,25 @@ class AzuriteTest extends APISpec {
         1     | _
     }
 
+    @Unroll
+    def "Azurite URL construct container client with default azure credential"() {
+        when:
+        def containerClient = new BlobContainerClientBuilder()
+            .endpoint(azuriteEndpoints[index] + "/container")
+            .credential(new DefaultAzureCredentialBuilder().build())
+            .buildClient()
+
+        then:
+        containerClient.getAccountName() == "devstoreaccount1"
+        containerClient.getBlobContainerName() == "container"
+        containerClient.getBlobContainerUrl() == azuriteEndpoints[index] + "/container"
+
+        where:
+        index | _
+        0     | _
+        1     | _
+    }
+
     @Unroll
     def "Azurite URL get blob client"() {
         when:
@@ -186,6 +221,24 @@ class AzuriteTest extends APISpec {
         1     | _
     }
 
+    @Unroll
+    def "Azurite URL construct blob client default azure credential"() {
+        when:
+        def blobClient = new BlobClientBuilder()
+            .endpoint(azuriteEndpoints[index] + "/container/blob")
+            .credential(new DefaultAzureCredentialBuilder().build())
+            .buildClient()
+
+        then:
+        validateBlobClient(blobClient, "devstoreaccount1", "container", "blob",
+            azuriteEndpoints[index] + "/container/blob")
+
+        where:
+        index | _
+        0     | _
+        1     | _
+    }
+
     @Unroll
     def "Azurite URL get specialized clients"() {
         when:

diff --git a/...es/session-records/AzuriteTestazuriteurlconstructblobclientdefaultazurecredential[0].json b/...es/session-records/AzuriteTestazuriteurlconstructblobclientdefaultazurecredential[0].json
@@ -0,0 +1,66 @@
+{
+  "networkCallRecords" : [ {
+    "Method" : "PUT",
+    "Uri" : "https://REDACTED.blob.core.windows.net/jtcazuriteurlconstructblobclientdefaultazurecredentia09628438?restype=container",
+    "Headers" : {
+      "x-ms-version" : "2019-12-12",
+      "User-Agent" : "azsdk-java-azure-storage-blob/12.9.0-beta.1 (11.0.7; Windows 10; 10.0)",
+      "x-ms-client-request-id" : "4c8260e1-8a9f-4a2a-97be-0520d6569986"
+    },
+    "Response" : {
+      "x-ms-version" : "2019-12-12",
+      "Server" : "Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0",
+      "ETag" : "0x8D85905CCDB4FE0",
+      "Last-Modified" : "Mon, 14 Sep 2020 23:27:51 GMT",
+      "retry-after" : "0",
+      "Content-Length" : "0",
+      "StatusCode" : "201",
+      "x-ms-request-id" : "8557a9f5-601e-00b7-18ee-8a7e5e000000",
+      "Date" : "Mon, 14 Sep 2020 23:27:51 GMT",
+      "x-ms-client-request-id" : "4c8260e1-8a9f-4a2a-97be-0520d6569986"
+    },
+    "Exception" : null
+  }, {
+    "Method" : "GET",
+    "Uri" : "https://REDACTED.blob.core.windows.net?prefix=jtcazuriteurlconstructblobclientdefaultazurecredentia&comp=list",
+    "Headers" : {
+      "x-ms-version" : "2019-12-12",
+      "User-Agent" : "azsdk-java-azure-storage-blob/12.9.0-beta.1 (11.0.7; Windows 10; 10.0)",
+      "x-ms-client-request-id" : "1e812d5c-f278-4ef9-9925-3950024ee474"
+    },
+    "Response" : {
+      "Transfer-Encoding" : "chunked",
+      "x-ms-version" : "2019-12-12",
+      "Server" : "Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0",
+      "Vary" : "Origin",
+      "retry-after" : "0",
+      "StatusCode" : "200",
+      "x-ms-request-id" : "8557aa8f-601e-00b7-11ee-8a7e5e000000",
+      "Body" : "<?xml version=\"1.0\" encoding=\"utf-8\"?><EnumerationResults ServiceEndpoint=\"https://emilydevtest.blob.core.windows.net/\"><Prefix>jtcazuriteurlconstructblobclientdefaultazurecredentia</Prefix><Containers><Container><Name>jtcazuriteurlconstructblobclientdefaultazurecredentia09628438</Name><Properties><Last-Modified>Mon, 14 Sep 2020 23:27:51 GMT</Last-Modified><Etag>\"0x8D85905CCDB4FE0\"</Etag><LeaseStatus>unlocked</LeaseStatus><LeaseState>available</LeaseState><DefaultEncryptionScope>$account-encryption-key</DefaultEncryptionScope><DenyEncryptionScopeOverride>false</DenyEncryptionScopeOverride><HasImmutabilityPolicy>false</HasImmutabilityPolicy><HasLegalHold>false</HasLegalHold></Properties></Container></Containers><NextMarker /></EnumerationResults>",
+      "Date" : "Mon, 14 Sep 2020 23:27:52 GMT",
+      "x-ms-client-request-id" : "1e812d5c-f278-4ef9-9925-3950024ee474",
+      "Content-Type" : "application/xml"
+    },
+    "Exception" : null
+  }, {
+    "Method" : "DELETE",
+    "Uri" : "https://REDACTED.blob.core.windows.net/jtcazuriteurlconstructblobclientdefaultazurecredentia09628438?restype=container",
+    "Headers" : {
+      "x-ms-version" : "2019-12-12",
+      "User-Agent" : "azsdk-java-azure-storage-blob/12.9.0-beta.1 (11.0.7; Windows 10; 10.0)",
+      "x-ms-client-request-id" : "fa7e6334-e1de-463e-af59-0ede9aa760f0"
+    },
+    "Response" : {
+      "x-ms-version" : "2019-12-12",
+      "Server" : "Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0",
+      "retry-after" : "0",
+      "Content-Length" : "0",
+      "StatusCode" : "202",
+      "x-ms-request-id" : "8557aabf-601e-00b7-3eee-8a7e5e000000",
+      "Date" : "Mon, 14 Sep 2020 23:27:52 GMT",
+      "x-ms-client-request-id" : "fa7e6334-e1de-463e-af59-0ede9aa760f0"
+    },
+    "Exception" : null
+  } ],
+  "variables" : [ "jtcazuriteurlconstructblobclientdefaultazurecredentia09628438" ]
+}
diff --git a/...es/session-records/AzuriteTestazuriteurlconstructblobclientdefaultazurecredential[1].json b/...es/session-records/AzuriteTestazuriteurlconstructblobclientdefaultazurecredential[1].json
@@ -0,0 +1,66 @@
+{
+  "networkCallRecords" : [ {
+    "Method" : "PUT",
+    "Uri" : "https://REDACTED.blob.core.windows.net/jtcazuriteurlconstructblobclientdefaultazurecredentia0658914e?restype=container",
+    "Headers" : {
+      "x-ms-version" : "2019-12-12",
+      "User-Agent" : "azsdk-java-azure-storage-blob/12.9.0-beta.1 (11.0.7; Windows 10; 10.0)",
+      "x-ms-client-request-id" : "ac26e81c-ddbb-43c9-8db8-9eae118980fa"
+    },
+    "Response" : {
+      "x-ms-version" : "2019-12-12",
+      "Server" : "Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0",
+      "ETag" : "0x8D85905CD583766",
+      "Last-Modified" : "Mon, 14 Sep 2020 23:27:52 GMT",
+      "retry-after" : "0",
+      "Content-Length" : "0",
+      "StatusCode" : "201",
+      "x-ms-request-id" : "8557aadd-601e-00b7-5aee-8a7e5e000000",
+      "Date" : "Mon, 14 Sep 2020 23:27:52 GMT",
+      "x-ms-client-request-id" : "ac26e81c-ddbb-43c9-8db8-9eae118980fa"
+    },
+    "Exception" : null
+  }, {
+    "Method" : "GET",
+    "Uri" : "https://REDACTED.blob.core.windows.net?prefix=jtcazuriteurlconstructblobclientdefaultazurecredentia&comp=list",
+    "Headers" : {
+      "x-ms-version" : "2019-12-12",
+      "User-Agent" : "azsdk-java-azure-storage-blob/12.9.0-beta.1 (11.0.7; Windows 10; 10.0)",
+      "x-ms-client-request-id" : "0e5c34f6-4e95-4db8-96e9-1ae0c8ce37a6"
+    },
+    "Response" : {
+      "Transfer-Encoding" : "chunked",
+      "x-ms-version" : "2019-12-12",
+      "Server" : "Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0",
+      "Vary" : "Origin",
+      "retry-after" : "0",
+      "StatusCode" : "200",
+      "x-ms-request-id" : "8557aae9-601e-00b7-65ee-8a7e5e000000",
+      "Body" : "<?xml version=\"1.0\" encoding=\"utf-8\"?><EnumerationResults ServiceEndpoint=\"https://emilydevtest.blob.core.windows.net/\"><Prefix>jtcazuriteurlconstructblobclientdefaultazurecredentia</Prefix><Containers><Container><Name>jtcazuriteurlconstructblobclientdefaultazurecredentia0658914e</Name><Properties><Last-Modified>Mon, 14 Sep 2020 23:27:52 GMT</Last-Modified><Etag>\"0x8D85905CD583766\"</Etag><LeaseStatus>unlocked</LeaseStatus><LeaseState>available</LeaseState><DefaultEncryptionScope>$account-encryption-key</DefaultEncryptionScope><DenyEncryptionScopeOverride>false</DenyEncryptionScopeOverride><HasImmutabilityPolicy>false</HasImmutabilityPolicy><HasLegalHold>false</HasLegalHold></Properties></Container></Containers><NextMarker /></EnumerationResults>",
+      "Date" : "Mon, 14 Sep 2020 23:27:52 GMT",
+      "x-ms-client-request-id" : "0e5c34f6-4e95-4db8-96e9-1ae0c8ce37a6",
+      "Content-Type" : "application/xml"
+    },
+    "Exception" : null
+  }, {
+    "Method" : "DELETE",
+    "Uri" : "https://REDACTED.blob.core.windows.net/jtcazuriteurlconstructblobclientdefaultazurecredentia0658914e?restype=container",
+    "Headers" : {
+      "x-ms-version" : "2019-12-12",
+      "User-Agent" : "azsdk-java-azure-storage-blob/12.9.0-beta.1 (11.0.7; Windows 10; 10.0)",
+      "x-ms-client-request-id" : "3045863a-dec0-45df-b99e-9db242356878"
+    },
+    "Response" : {
+      "x-ms-version" : "2019-12-12",
+      "Server" : "Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0",
+      "retry-after" : "0",
+      "Content-Length" : "0",
+      "StatusCode" : "202",
+      "x-ms-request-id" : "8557aaef-601e-00b7-6bee-8a7e5e000000",
+      "Date" : "Mon, 14 Sep 2020 23:27:52 GMT",
+      "x-ms-client-request-id" : "3045863a-dec0-45df-b99e-9db242356878"
+    },
+    "Exception" : null
+  } ],
+  "variables" : [ "jtcazuriteurlconstructblobclientdefaultazurecredentia0658914e" ]
+}
diff --git a/...n-records/AzuriteTestazuriteurlconstructcontainerclientwithdefaultazurecredential[0].json b/...n-records/AzuriteTestazuriteurlconstructcontainerclientwithdefaultazurecredential[0].json
@@ -0,0 +1,66 @@
+{
+  "networkCallRecords" : [ {
+    "Method" : "PUT",
+    "Uri" : "https://REDACTED.blob.core.windows.net/jtcazuriteurlconstructcontainerclientwithdefaultazure040710d5?restype=container",
+    "Headers" : {
+      "x-ms-version" : "2019-12-12",
+      "User-Agent" : "azsdk-java-azure-storage-blob/12.9.0-beta.1 (11.0.7; Windows 10; 10.0)",
+      "x-ms-client-request-id" : "05d0947f-2c43-403e-9514-e61f42232c78"
+    },
+    "Response" : {
+      "x-ms-version" : "2019-12-12",
+      "Server" : "Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0",
+      "ETag" : "0x8D85905C319B82F",
+      "Last-Modified" : "Mon, 14 Sep 2020 23:27:35 GMT",
+      "retry-after" : "0",
+      "Content-Length" : "0",
+      "StatusCode" : "201",
+      "x-ms-request-id" : "938f0f0f-701e-004f-4aee-8a22a0000000",
+      "Date" : "Mon, 14 Sep 2020 23:27:35 GMT",
+      "x-ms-client-request-id" : "05d0947f-2c43-403e-9514-e61f42232c78"
+    },
+    "Exception" : null
+  }, {
+    "Method" : "GET",
+    "Uri" : "https://REDACTED.blob.core.windows.net?prefix=jtcazuriteurlconstructcontainerclientwithdefaultazure&comp=list",
+    "Headers" : {
+      "x-ms-version" : "2019-12-12",
+      "User-Agent" : "azsdk-java-azure-storage-blob/12.9.0-beta.1 (11.0.7; Windows 10; 10.0)",
+      "x-ms-client-request-id" : "76c04c5e-0e01-4643-b8f1-1072da04b795"
+    },
+    "Response" : {
+      "Transfer-Encoding" : "chunked",
+      "x-ms-version" : "2019-12-12",
+      "Server" : "Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0",
+      "Vary" : "Origin",
+      "retry-after" : "0",
+      "StatusCode" : "200",
+      "x-ms-request-id" : "938f1066-701e-004f-0cee-8a22a0000000",
+      "Body" : "<?xml version=\"1.0\" encoding=\"utf-8\"?><EnumerationResults ServiceEndpoint=\"https://emilydevtest.blob.core.windows.net/\"><Prefix>jtcazuriteurlconstructcontainerclientwithdefaultazure</Prefix><Containers><Container><Name>jtcazuriteurlconstructcontainerclientwithdefaultazure040710d5</Name><Properties><Last-Modified>Mon, 14 Sep 2020 23:27:35 GMT</Last-Modified><Etag>\"0x8D85905C319B82F\"</Etag><LeaseStatus>unlocked</LeaseStatus><LeaseState>available</LeaseState><DefaultEncryptionScope>$account-encryption-key</DefaultEncryptionScope><DenyEncryptionScopeOverride>false</DenyEncryptionScopeOverride><HasImmutabilityPolicy>false</HasImmutabilityPolicy><HasLegalHold>false</HasLegalHold></Properties></Container></Containers><NextMarker /></EnumerationResults>",
+      "Date" : "Mon, 14 Sep 2020 23:27:35 GMT",
+      "x-ms-client-request-id" : "76c04c5e-0e01-4643-b8f1-1072da04b795",
+      "Content-Type" : "application/xml"
+    },
+    "Exception" : null
+  }, {
+    "Method" : "DELETE",
+    "Uri" : "https://REDACTED.blob.core.windows.net/jtcazuriteurlconstructcontainerclientwithdefaultazure040710d5?restype=container",
+    "Headers" : {
+      "x-ms-version" : "2019-12-12",
+      "User-Agent" : "azsdk-java-azure-storage-blob/12.9.0-beta.1 (11.0.7; Windows 10; 10.0)",
+      "x-ms-client-request-id" : "4c8a9a86-5ff0-4334-9187-e67fdb6a36e5"
+    },
+    "Response" : {
+      "x-ms-version" : "2019-12-12",
+      "Server" : "Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0",
+      "retry-after" : "0",
+      "Content-Length" : "0",
+      "StatusCode" : "202",
+      "x-ms-request-id" : "938f1107-701e-004f-1cee-8a22a0000000",
+      "Date" : "Mon, 14 Sep 2020 23:27:35 GMT",
+      "x-ms-client-request-id" : "4c8a9a86-5ff0-4334-9187-e67fdb6a36e5"
+    },
+    "Exception" : null
+  } ],
+  "variables" : [ "jtcazuriteurlconstructcontainerclientwithdefaultazure040710d5" ]
+}