Support multi-tenant authentication in Key Vault

Resolves Azure#18359
heaths · Oct 14, 2021 · d17a04a · d17a04a
1 parent e929867
commit d17a04a
Show file tree

Hide file tree

Showing 10 changed files with 297 additions and 23 deletions.
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md b/sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md
@@ -4,6 +4,8 @@
 
 ### Features Added
 
+- Support multi-tenant authentication against Managed HSM when using Azure.Identity 1.5.0 or newer. ([#18359](https://github.com/Azure/azure-sdk-for-net/issues/18359))
+
 ### Breaking Changes
 
 ### Bugs Fixed

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Certificates/CHANGELOG.md b/sdk/keyvault/Azure.Security.KeyVault.Certificates/CHANGELOG.md
@@ -5,6 +5,7 @@
 ### Features Added
 
 - Added `KeyVaultCertificateIdentifier.TryCreate` to parse certificate URIs without throwing an exception when invalid. ([#23146](https://github.com/Azure/azure-sdk-for-net/issues/23146))
+- Support multi-tenant authentication against Key Vault and Managed HSM when using Azure.Identity 1.5.0 or newer. ([#18359](https://github.com/Azure/azure-sdk-for-net/issues/18359))
 
 ### Breaking Changes
 

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Keys/CHANGELOG.md b/sdk/keyvault/Azure.Security.KeyVault.Keys/CHANGELOG.md
@@ -8,6 +8,7 @@
 - Added `KeyClient.GetCryptographyClient` to get a `CryptographyClient` that uses the same options, policies, and pipeline as the `KeyClient` that created it. ([#23786](https://github.com/Azure/azure-sdk-for-net/issues/23786))
 - Added `KeyRotationPolicy` class and new methods including `KeyClient.GetKeyRotationPolicy`, `KeyClient.RotateKey`, and `KeyClient.UpdateKeyRotationPolicy`.
 - Added `KeyVaultKeyIdentifier.TryCreate` to parse key URIs without throwing an exception when invalid. ([#23146](https://github.com/Azure/azure-sdk-for-net/issues/23146))
+- Support multi-tenant authentication against Key Vault and Managed HSM when using Azure.Identity 1.5.0 or newer. ([#18359](https://github.com/Azure/azure-sdk-for-net/issues/18359))
 
 ### Breaking Changes
 

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Secrets/CHANGELOG.md b/sdk/keyvault/Azure.Security.KeyVault.Secrets/CHANGELOG.md
@@ -5,6 +5,7 @@
 ### Features Added
 
 - Added `KeyVaultSecretIdentifier.TryCreate` to parse secret URIs without throwing an exception when invalid. ([#23146](https://github.com/Azure/azure-sdk-for-net/issues/23146))
+- Support multi-tenant authentication against Key Vault and Managed HSM when using Azure.Identity 1.5.0 or newer. ([#18359](https://github.com/Azure/azure-sdk-for-net/issues/18359))
 
 ### Breaking Changes
 

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Secrets/src/Azure.Security.KeyVault.Secrets.csproj b/sdk/keyvault/Azure.Security.KeyVault.Secrets/src/Azure.Security.KeyVault.Secrets.csproj
@@ -25,6 +25,11 @@
     <PackageReference Include="System.Text.Json" />
     <PackageReference Include="System.Threading.Tasks.Extensions" />
   </ItemGroup>
+
+  <ItemGroup>
+    <!-- TODO: Remove once Azure.Identity 1.5.0 ships. -->
+    <ProjectReference Include="..\..\..\identity\Azure.Identity\src\Azure.Identity.csproj" />
+  </ItemGroup>
 
   <ItemGroup>
     <Compile Include="$(AzureCoreSharedSources)AppContextSwitchHelper.cs" LinkBase="Shared" />

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Secrets/tests/SecretClientLiveTests.cs b/sdk/keyvault/Azure.Security.KeyVault.Secrets/tests/SecretClientLiveTests.cs
@@ -4,10 +4,11 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Text;
 using System.Threading.Tasks;
 using NUnit.Framework;
+using Azure.Core;
 using Azure.Core.TestFramework;
-using System.Text;
 using NUnit.Framework.Constraints;
 
 namespace Azure.Security.KeyVault.Secrets.Tests
@@ -460,5 +461,19 @@ public async Task GetDeletedSecrets()
                 AssertSecretPropertiesEqual(deletedSecret.Properties, returnedSecret.Properties, compareId: false);
             }
         }
+
+        [Test]
+        public async Task AuthenticateCrossTenant()
+        {
+            TokenCredential credential = GetCredential(Recording.Random.NewGuid().ToString());
+            SecretClient client = GetClient(credential);
+
+            string secretName = Recording.GenerateId();
+
+            Response<KeyVaultSecret> response = await client.SetSecretAsync(secretName, "secret");
+            RegisterForCleanup(secretName);
+
+            Assert.AreEqual(200, response.GetRawResponse().Status);
+        }
     }
 }
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Secrets/tests/SecretsTestBase.cs b/sdk/keyvault/Azure.Security.KeyVault.Secrets/tests/SecretsTestBase.cs
@@ -5,7 +5,9 @@
 using System.Collections.Concurrent;
 using System.Collections.Generic;
 using System.Threading.Tasks;
+using Azure.Core;
 using Azure.Core.TestFramework;
+using Azure.Identity;
 using Azure.Security.KeyVault.Tests;
 using NUnit.Framework;
 
@@ -41,12 +43,12 @@ protected SecretsTestBase(bool isAsync, SecretClientOptions.ServiceVersion servi
             _serviceVersion = serviceVersion;
         }
 
-        internal SecretClient GetClient()
+        internal SecretClient GetClient(TokenCredential credential = default)
         {
             return InstrumentClient
                 (new SecretClient(
                     new Uri(TestEnvironment.KeyVaultUrl),
-                    TestEnvironment.Credential,
+                    credential ?? TestEnvironment.Credential,
                     InstrumentClientOptions(
                         new SecretClientOptions(_serviceVersion)
                         {
@@ -256,5 +258,23 @@ protected Task WaitForSecret(string name)
                 return TestRetryHelper.RetryAsync(async () => await Client.GetSecretAsync(name).ConfigureAwait(false), delay: PollingInterval);
             }
         }
+
+        protected TokenCredential GetCredential(string tenantId)
+        {
+            if (Mode == RecordedTestMode.Playback)
+            {
+                return new MockCredential();
+            }
+
+            return new ClientSecretCredential(
+                tenantId ?? TestEnvironment.TenantId,
+                TestEnvironment.ClientId,
+                TestEnvironment.ClientSecret,
+                new ClientSecretCredentialOptions()
+                {
+                    AuthorityHost = new Uri(TestEnvironment.AuthorityHostUrl),
+                }
+            );
+        }
     }
 }
diff --git a/....KeyVault.Secrets/tests/SessionRecords/SecretClientLiveTests/AuthenticateCrossTenant.json b/....KeyVault.Secrets/tests/SessionRecords/SecretClientLiveTests/AuthenticateCrossTenant.json
diff --git a/...ault.Secrets/tests/SessionRecords/SecretClientLiveTests/AuthenticateCrossTenantAsync.json b/...ault.Secrets/tests/SessionRecords/SecretClientLiveTests/AuthenticateCrossTenantAsync.json