Merge pull request #713 from AzureAD/nebharg/MsiCloudShell

Cloud shell MSI

Author: neha-bhargava

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AbstractManagedIdentitySource.java

@@ -3,19 +3,12 @@
 
 package com.microsoft.aad.msal4j;
 
-import com.nimbusds.oauth2.sdk.ParseException;
-import com.nimbusds.oauth2.sdk.SerializeException;
-import com.nimbusds.oauth2.sdk.http.HTTPRequest;
-import com.nimbusds.oauth2.sdk.http.HTTPResponse;
 import lombok.Getter;
 import lombok.Setter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.beans.Encoder;
-import java.io.IOException;
 import java.net.HttpURLConnection;
-import java.net.MalformedURLException;
 import java.net.SocketException;
 import java.net.URISyntaxException;
 
@@ -56,7 +49,15 @@ public ManagedIdentityResponse getManagedIdentityResponse(
         IHttpResponse response;
 
         try {
-            HttpRequest httpRequest = new HttpRequest(HttpMethod.GET, managedIdentityRequest.computeURI().toString(), managedIdentityRequest.headers);
+
+            HttpRequest httpRequest = managedIdentityRequest.method.equals(HttpMethod.GET) ?
+                    new HttpRequest(HttpMethod.GET,
+                            managedIdentityRequest.computeURI().toString(),
+                            managedIdentityRequest.headers) :
+                    new HttpRequest(HttpMethod.POST,
+                            managedIdentityRequest.computeURI().toString(),
+                            managedIdentityRequest.headers,
+                            managedIdentityRequest.getBodyAsString());
             response = HttpHelper.executeHttpRequest(httpRequest, managedIdentityRequest.requestContext(), serviceBundle);
         } catch (URISyntaxException e) {
             throw new RuntimeException(e);
@@ -89,7 +90,7 @@ public ManagedIdentityResponse handleResponse(
                 throw new MsalManagedIdentityException(AuthenticationErrorCode.MANAGED_IDENTITY_REQUEST_FAILED, message, managedIdentitySourceType);
             }
         } catch (Exception e) {
-            if (!(e instanceof MsalServiceException)) {
+            if (!(e instanceof MsalManagedIdentityException)) {
                 LOG.error(
                         String.format("[Managed Identity] Exception: %s Http status code: %s", e.getMessage(),
                                 response != null ? response.statusCode() : ""));

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AppServiceManagedIdentitySource.java

@@ -10,8 +10,6 @@
 import java.net.URISyntaxException;
 import java.util.Collections;
 import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
 
 class AppServiceManagedIdentitySource extends AbstractManagedIdentitySource{
 
@@ -20,25 +18,22 @@ class AppServiceManagedIdentitySource extends AbstractManagedIdentitySource{
     // MSI Constants. Docs for MSI are available here https://docs.microsoft.com/azure/app-service/overview-managed-identity
     private static final String APP_SERVICE_MSI_API_VERSION = "2019-08-01";
     private static final String SECRET_HEADER_NAME = "X-IDENTITY-HEADER";
-    private static URI endpointUri;
 
-    private URI endpoint;
-    private String secret;
+    private final URI MSI_ENDPOINT;
+    private final String SECRET;
 
     @Override
     public void createManagedIdentityRequest(String resource) {
-        managedIdentityRequest.baseEndpoint = endpoint;
+        managedIdentityRequest.baseEndpoint = MSI_ENDPOINT;
         managedIdentityRequest.method = HttpMethod.GET;
 
         managedIdentityRequest.headers = new HashMap<>();
-        managedIdentityRequest.headers.put(SECRET_HEADER_NAME, secret);
+        managedIdentityRequest.headers.put(SECRET_HEADER_NAME, SECRET);
 
         managedIdentityRequest.queryParameters = new HashMap<>();
         managedIdentityRequest.queryParameters.put("api-version", Collections.singletonList(APP_SERVICE_MSI_API_VERSION));
         managedIdentityRequest.queryParameters.put("resource", Collections.singletonList(resource));
 
-        String clientId = getManagedIdentityUserAssignedClientId();
-        String resourceId = getManagedIdentityUserAssignedResourceId();
         if (!StringHelper.isNullOrBlank(getManagedIdentityUserAssignedClientId()))
         {
             LOG.info("[Managed Identity] Adding user assigned client id to the request.");
@@ -52,35 +47,34 @@ public void createManagedIdentityRequest(String resource) {
         }
     }
 
-    private AppServiceManagedIdentitySource(MsalRequest msalRequest, ServiceBundle serviceBundle, URI endpoint, String secret)
+    private AppServiceManagedIdentitySource(MsalRequest msalRequest, ServiceBundle serviceBundle, URI msiEndpoint, String secret)
     {
         super(msalRequest, serviceBundle, ManagedIdentitySourceType.AppService);
-        this.endpoint = endpoint;
-        this.secret = secret;
+        this.MSI_ENDPOINT = msiEndpoint;
+        this.SECRET = secret;
     }
 
-    protected static AbstractManagedIdentitySource create(MsalRequest msalRequest, ServiceBundle serviceBundle) {
+    static AbstractManagedIdentitySource create(MsalRequest msalRequest, ServiceBundle serviceBundle) {
 
         IEnvironmentVariables environmentVariables = getEnvironmentVariables((ManagedIdentityParameters) msalRequest.requestContext().apiParameters());
         String msiSecret = environmentVariables.getEnvironmentVariable(Constants.IDENTITY_HEADER);
         String msiEndpoint = environmentVariables.getEnvironmentVariable(Constants.IDENTITY_ENDPOINT);
 
-        return validateEnvironmentVariables(msiEndpoint, msiSecret)
-                ? new AppServiceManagedIdentitySource(msalRequest, serviceBundle, endpointUri, msiSecret)
-                : null;
+        URI validatedEndpoint = validateAndGetUri(msiEndpoint, msiSecret);
+        return validatedEndpoint == null ? null
+                : new AppServiceManagedIdentitySource(msalRequest, serviceBundle, validatedEndpoint, msiSecret);
     }
 
-    private static boolean validateEnvironmentVariables(String msiEndpoint, String secret)
+    private static URI validateAndGetUri(String msiEndpoint, String secret)
     {
-        endpointUri = null;
-
         // if BOTH the env vars endpoint and secret values are null, this MSI provider is unavailable.
         if (StringHelper.isNullOrBlank(msiEndpoint) || StringHelper.isNullOrBlank(secret))
         {
             LOG.info("[Managed Identity] App service managed identity is unavailable.");
-            return false;
+            return null;
         }
 
+        URI endpointUri;
         try
         {
             endpointUri = new URI(msiEndpoint);
@@ -93,7 +87,7 @@ private static boolean validateEnvironmentVariables(String msiEndpoint, String s
         }
 
         LOG.info("[Managed Identity] Environment variables validation passed for app service managed identity. Endpoint URI: {endpointUri}. Creating App Service managed identity.");
-        return true;
+        return endpointUri;
     }
 
 }

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/CloudShellManagedIdentitySource.java

@@ -0,0 +1,84 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.microsoft.aad.msal4j;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.Collections;
+import java.util.HashMap;
+
+class CloudShellManagedIdentitySource extends AbstractManagedIdentitySource{
+
+    private static final Logger LOG = LoggerFactory.getLogger(CloudShellManagedIdentitySource.class);
+
+    private final URI MSI_ENDPOINT;
+
+    @Override
+    public void createManagedIdentityRequest(String resource) {
+        managedIdentityRequest.baseEndpoint = MSI_ENDPOINT;
+        managedIdentityRequest.method = HttpMethod.POST;
+
+        managedIdentityRequest.headers = new HashMap<>();
+        managedIdentityRequest.headers.put("ContentType", "application/x-www-form-urlencoded");
+        managedIdentityRequest.headers.put("Metadata", "true");
+
+        managedIdentityRequest.bodyParameters = new HashMap<>();
+        managedIdentityRequest.bodyParameters.put("resource", Collections.singletonList(resource));
+    }
+
+    private CloudShellManagedIdentitySource(MsalRequest msalRequest, ServiceBundle serviceBundle, URI msiEndpoint)
+    {
+        super(msalRequest, serviceBundle, ManagedIdentitySourceType.CloudShell);
+        this.MSI_ENDPOINT = msiEndpoint;
+
+        ManagedIdentityIdType idType =
+                ((ManagedIdentityApplication) msalRequest.application()).getManagedIdentityId().getIdType();
+        if (idType != ManagedIdentityIdType.SystemAssigned) {
+            throw new MsalManagedIdentityException(MsalError.USER_ASSIGNED_MANAGED_IDENTITY_NOT_SUPPORTED,
+                    String.format(MsalErrorMessage.MANAGED_IDENTITY_USER_ASSIGNED_NOT_SUPPORTED, "cloud shell"),
+                    ManagedIdentitySourceType.CloudShell);
+        }
+    }
+
+    static AbstractManagedIdentitySource create(MsalRequest msalRequest, ServiceBundle serviceBundle) {
+
+        IEnvironmentVariables environmentVariables = getEnvironmentVariables((ManagedIdentityParameters) msalRequest.requestContext().apiParameters());
+        String msiEndpoint = environmentVariables.getEnvironmentVariable(Constants.MSI_ENDPOINT);
+
+
+        // if ONLY the env var MSI_ENDPOINT is set the MsiType is CloudShell
+        if (StringHelper.isNullOrBlank(msiEndpoint))
+        {
+            LOG.info("[Managed Identity] Cloud shell managed identity is unavailable.");
+            return null;
+        }
+
+        URI validatedUri = validateAndGetUri(msiEndpoint);
+        return validatedUri == null ? null
+                : new CloudShellManagedIdentitySource(msalRequest, serviceBundle, validatedUri);
+    }
+
+    private static URI validateAndGetUri(String msiEndpoint)
+    {
+        URI endpointUri = null;
+
+        try
+        {
+            endpointUri = new URI(msiEndpoint);
+        }
+        catch (URISyntaxException ex)
+        {
+            throw new MsalManagedIdentityException(MsalError.INVALID_MANAGED_IDENTITY_ENDPOINT, String.format(
+                    MsalErrorMessage.MANAGED_IDENTITY_ENDPOINT_INVALID_URI_ERROR, "MSI_ENDPOINT", msiEndpoint, "Cloud Shell"),
+                    ManagedIdentitySourceType.CloudShell);
+        }
+
+        LOG.info("[Managed Identity] Environment variables validation passed for cloud shell managed identity. Endpoint URI: " + endpointUri + ". Creating cloud shell managed identity.");
+        return endpointUri;
+    }
+
+}

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/IMDSManagedIdentitySource.java

@@ -11,7 +11,6 @@
 import java.net.URISyntaxException;
 import java.util.Collections;
 import java.util.HashMap;
-import java.util.Map;
 
 class IMDSManagedIdentitySource extends AbstractManagedIdentitySource{
 
@@ -27,12 +26,8 @@ class IMDSManagedIdentitySource extends AbstractManagedIdentitySource{
         }
     }
 
-    private String imdsTokenPath = "/metadata/identity/oauth2/token";
-    private String imdsApiVersion = "2018-02-01";
-    private static String defaultMessage = "[Managed Identity] Service request failed.";
-
-    private static String identityUnavailableError = "[Managed Identity] Authentication unavailable. The requested identity has not been assigned to this resource.";
-    private static String gatewayError = "[Managed Identity] Authentication unavailable. The request failed due to a gateway error.";
+    private static final String IMDS_TOKEN_PATH = "/metadata/identity/oauth2/token";
+    private static final String IMDS_API_VERSION = "2018-02-01";
 
     private URI imdsEndpoint;
 
@@ -52,7 +47,7 @@ public IMDSManagedIdentitySource(MsalRequest msalRequest,
             }
 
             StringBuilder builder = new StringBuilder(environmentVariables.getEnvironmentVariable(Constants.AZURE_POD_IDENTITY_AUTHORITY_HOST));
-            builder.append("/" + imdsTokenPath);
+            builder.append("/" + IMDS_TOKEN_PATH);
             try {
                 imdsEndpoint = new URI(builder.toString());
             } catch (URISyntaxException e) {
@@ -82,7 +77,7 @@ public void createManagedIdentityRequest(String resource) {
         managedIdentityRequest.headers.put("Metadata", "true");
 
         managedIdentityRequest.queryParameters = new HashMap<>();
-        managedIdentityRequest.queryParameters.put("api-version", Collections.singletonList(imdsApiVersion));
+        managedIdentityRequest.queryParameters.put("api-version", Collections.singletonList(IMDS_API_VERSION));
         managedIdentityRequest.queryParameters.put("resource", Collections.singletonList(resource));
 
         String clientId = getManagedIdentityUserAssignedClientId();
@@ -109,10 +104,10 @@ public ManagedIdentityResponse handleResponse(
         String baseMessage;
 
         if(response.statusCode()== HttpURLConnection.HTTP_BAD_REQUEST){
-            baseMessage = identityUnavailableError;
+            baseMessage = MsalErrorMessage.IDENTITY_UNAVAILABLE_ERROR;
         }else if(response.statusCode()== HttpURLConnection.HTTP_BAD_GATEWAY ||
                 response.statusCode()== HttpURLConnection.HTTP_GATEWAY_TIMEOUT){
-            baseMessage = gatewayError;
+            baseMessage = MsalErrorMessage.GATEWAY_ERROR;
         }else{
             baseMessage = null;
         }
@@ -125,8 +120,8 @@ public ManagedIdentityResponse handleResponse(
 
             message = message + " " + errorContentMessage;
 
-            LOG.error("Error message: {message} Http status code: {response.StatusCode}");
-            throw new MsalManagedIdentityException("managed_identity_request_failed", message,
+            LOG.error(String.format("Error message: %s Http status code: %s"), message, response.statusCode());
+            throw new MsalManagedIdentityException(MsalError.MANAGED_IDENTITY_REQUEST_FAILED, message,
                     ManagedIdentitySourceType.Imds);
         }
 
@@ -138,7 +133,7 @@ private static String createRequestFailedMessage(IHttpResponse response, String
     {
         StringBuilder messageBuilder = new StringBuilder();
 
-        messageBuilder.append(StringHelper.isNullOrBlank(message) ? defaultMessage : message);
+        messageBuilder.append(StringHelper.isNullOrBlank(message) ? MsalErrorMessage.DEFAULT_MESSAGE : message);
         messageBuilder.append("Status: ");
         messageBuilder.append(response.statusCode());
 

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ManagedIdentityClient.java

@@ -32,10 +32,12 @@ public ManagedIdentityResponse getManagedIdentityResponse(ManagedIdentityParamet
 
     // This method tries to create managed identity source for different sources, if none is created then defaults to IMDS.
     private static AbstractManagedIdentitySource createManagedIdentitySource(MsalRequest msalRequest,
-            ServiceBundle serviceBundle) throws Exception {
+            ServiceBundle serviceBundle) {
         AbstractManagedIdentitySource managedIdentitySource;
         if ((managedIdentitySource = AppServiceManagedIdentitySource.create(msalRequest, serviceBundle)) != null) {
             return managedIdentitySource;
+        } else if ((managedIdentitySource = CloudShellManagedIdentitySource.create(msalRequest, serviceBundle)) != null) {
+            return managedIdentitySource;
         } else {
             return new IMDSManagedIdentitySource(msalRequest, serviceBundle);
         }

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ManagedIdentityErrorResponse.java

@@ -4,7 +4,9 @@
 package com.microsoft.aad.msal4j;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
+import lombok.Getter;
 
+@Getter
 public class ManagedIdentityErrorResponse {
 
     @JsonProperty("message")
@@ -18,36 +20,4 @@ public class ManagedIdentityErrorResponse {
 
     @JsonProperty("error_description")
     private String errorDescription;
-
-    public String getMessage() {
-        return message;
-    }
-
-    public void setMessage(String message) {
-        this.message = message;
-    }
-
-    public String getCorrelationId() {
-        return correlationId;
-    }
-
-    public void setCorrelationId(String correlationId) {
-        this.correlationId = correlationId;
-    }
-
-    public String getError() {
-        return error;
-    }
-
-    public void setError(String error) {
-        this.error = error;
-    }
-
-    public String getErrorDescription() {
-        return errorDescription;
-    }
-
-    public void setErrorDescription(String errorDescription) {
-        this.errorDescription = errorDescription;
-    }
 }

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ManagedIdentityRequest.java

@@ -22,14 +22,21 @@ class ManagedIdentityRequest extends MsalRequest {
 
     Map<String, String> headers;
 
-    Map<String, String> bodyParameters;
+    Map<String, List<String>> bodyParameters;
 
     Map<String, List<String>> queryParameters;
 
     public ManagedIdentityRequest(ManagedIdentityApplication managedIdentityApplication, RequestContext requestContext) {
         super(managedIdentityApplication, requestContext);
     }
 
+    public String getBodyAsString() {
+        if (bodyParameters == null || bodyParameters.isEmpty())
+            return "";
+
+        return URLUtils.serializeParameters(bodyParameters);
+    }
+
     public URL computeURI() throws URISyntaxException {
         String endpoint = this.appendQueryParametersToBaseEndpoint();
         try {
@@ -40,7 +47,7 @@ public URL computeURI() throws URISyntaxException {
     }
 
     private String appendQueryParametersToBaseEndpoint() {
-        if (queryParameters.isEmpty()) {
+        if (queryParameters == null || queryParameters.isEmpty()) {
             return baseEndpoint.toString();
         }