Enable AzKeyStore with keyring in Linux (Azure#20296)

* Enable AzKeystore with keyring in Linux

* Update common library version.

* Upgraded reference of azure-powershell-common to 1.3.67-preview

Co-authored-by: Vincent Dai <[email protected]>
Co-authored-by: NanxiangLiu <[email protected]>

Fix AzKeystore bugs

Fix the issue that secret cannot be retrived in headless linux
Use the seperated file names for protected and unprotected AzKeystore
Optimize the warning message for customers

Author: msJinLei

src/Accounts/Accounts.Test/AutosaveTests.cs

@@ -41,6 +41,7 @@ public AutosaveTests(ITestOutputHelper output)
             XunitTracingInterceptor.AddToContext(new XunitTracingInterceptor(output));
             commandRuntimeMock = new MockCommandRuntime();
             dataStore = new MemoryDataStore();
+            ResetState();
             keyStore = SetMockedAzKeyStore();
         }
 
@@ -50,7 +51,7 @@ private AzKeyStore SetMockedAzKeyStore()
             storageMocker.Setup(f => f.Create()).Returns(storageMocker.Object);
             storageMocker.Setup(f => f.ReadData()).Returns(new byte[0]);
             storageMocker.Setup(f => f.WriteData(It.IsAny<byte[]>())).Callback((byte[] s) => {});
-            var keyStore = new AzKeyStore(AzureSession.Instance.ARMProfileDirectory, "keystore.cache", false, false, storageMocker.Object);
+            var keyStore = new AzKeyStore(AzureSession.Instance.ARMProfileDirectory, "azkeystore", false, false, storageMocker.Object);
             AzKeyStore.RegisterJsonConverter(typeof(ServicePrincipalKey), typeof(ServicePrincipalKey).Name);
             AzKeyStore.RegisterJsonConverter(typeof(SecureString), typeof(SecureString).Name, new SecureStringConverter());
             return keyStore;

src/Accounts/Accounts.Test/ProfileCmdletTests.cs

@@ -55,7 +55,7 @@ private AzKeyStore SetMockedAzKeyStore()
             storageMocker.Setup(f => f.Create()).Returns(storageMocker.Object);
             storageMocker.Setup(f => f.ReadData()).Returns(new byte[0]);
             storageMocker.Setup(f => f.WriteData(It.IsAny<byte[]>())).Callback((byte[] s) => { });
-            var keyStore = new AzKeyStore(AzureSession.Instance.ARMProfileDirectory, "keystore.cache", false, false, storageMocker.Object);
+            var keyStore = new AzKeyStore(AzureSession.Instance.ARMProfileDirectory, "azkeystore", false, false, storageMocker.Object);
             return keyStore;
         }
 

src/Accounts/Accounts/Account/ConnectAzureRmAccount.cs

@@ -426,6 +426,10 @@ public override void ExecuteCmdlet()
                 if (CertificatePassword != null)
                 {
                     keyStore?.SaveKey(new ServicePrincipalKey(AzureAccount.Property.CertificatePassword, azureAccount.Id, Tenant), CertificatePassword);
+                    if (GetContextModificationScope() == ContextModificationScope.CurrentUser && !keyStore.IsProtected)
+                    {
+                        WriteWarning(string.Format(Resources.ServicePrincipalWarning, keyStore.FileName, keyStore.Directory));
+                    }
                 }
             }
 
@@ -449,11 +453,9 @@ public override void ExecuteCmdlet()
             {
                 keyStore?.SaveKey(new ServicePrincipalKey(AzureAccount.Property.ServicePrincipalSecret
                     ,azureAccount.Id, Tenant), password);
-                if (GetContextModificationScope() == ContextModificationScope.CurrentUser)
+                if (GetContextModificationScope() == ContextModificationScope.CurrentUser && !keyStore.IsProtected)
                 {
-                    var file = AzureSession.Instance.ARMProfileFile;
-                    var directory = AzureSession.Instance.ARMProfileDirectory;
-                    WriteWarning(string.Format(Resources.ServicePrincipalWarning, file, directory));
+                    WriteWarning(string.Format(Resources.ServicePrincipalWarning, keyStore.FileName, keyStore.Directory));
                 }
             }
             if (azureAccount.Type == "ClientAssertion" && FederatedToken != null)
@@ -711,8 +713,8 @@ public void OnImport()
                 }
 
                 AzKeyStore keyStore = null;
-                //AzureSession.Instance.KeyStoreFile
-                keyStore = new AzKeyStore(AzureSession.Instance.ARMProfileDirectory, "keystore.cache", false, autoSaveEnabled);
+                keyStore = new AzKeyStore(AzureSession.Instance.ARMProfileDirectory, AzureSession.Instance.KeyStoreFile, false, autoSaveEnabled);
+                AzureSession.Instance.KeyStoreFile = keyStore.FileName;
                 AzKeyStore.RegisterJsonConverter(typeof(ServicePrincipalKey), typeof(ServicePrincipalKey).Name);
                 AzKeyStore.RegisterJsonConverter(typeof(SecureString), typeof(SecureString).Name, new SecureStringConverter());
                 AzureSession.Instance.RegisterComponent(AzKeyStore.Name, () => keyStore);

src/Accounts/Accounts/ChangeLog.md

@@ -24,7 +24,7 @@
     - It also fixed the incorrectly short lifespan of tokens.
 * Upgraded target framework of Microsoft.Identity.Client to net461 [#20189]
 * Stored `ServicePrincipalSecret` and `CertificatePassword` into `AzKeyStore`.
-* Updated the reference of Azure PowerShell Common to 1.3.65-preview.
+* Updated the reference of Azure PowerShell Common to 1.3.67-preview.
 
 ## Version 2.10.3
 * Updated `Get-AzSubscription` to retrieve subscription by Id rather than listed all the subscriptions from server if subscription Id is provided. [#19115]

src/Accounts/Accounts/Properties/Resources.Designer.cs

@@ -424,7 +424,7 @@
     <value>Unable to set profile because environment variable '${0}' is null.</value>
   </data>
   <data name="ServicePrincipalWarning" xml:space="preserve">
-    <value>The provided service principal secret will be included in the '{0}' file found in the user profile ( {1} ). Please ensure that this directory has appropriate protections.</value>
+    <value>The provided service principal secret or certifcate password will be included in the '{0}' file found in the user profile ( {1} ). Please ensure that this directory has appropriate protections.</value>
   </data>
   <data name="ClientAssertionWarning" xml:space="preserve">
     <value>The provided client id and assertion will be included in the '{0}' file found in the user profile ( {1} ). Please ensure that this directory has appropriate protections.</value>

src/Accounts/Accounts/Properties/Resources.resx

@@ -30,7 +30,7 @@ public class AzKeyStorageTest
         private Mock<IStorage> storageMocker = null;
         private List<byte> storageChecker = null;
         private string dummpyPath = "/home/dummy/.Azure";
-        private string keyStoreFileName = "keystore.cache";
+        private string keyStoreFileName = "azkeystore";
 
         public AzKeyStorageTest()
         {

src/Accounts/Authentication.Test/AzKeyStorageTest.cs

@@ -160,8 +160,7 @@ static ContextAutosaveSettings InitializeSessionSettings(IDataStore store, strin
                 ContextDirectory = profileDirectory,
                 Mode = ContextSaveMode.Process,
                 CacheFile = "msal.cache",
-                ContextFile = "AzureRmContext.json",
-                KeyStoreFile = "keystore.cache"
+                ContextFile = "AzureRmContext.json"
             };
 
             var settingsPath = Path.Combine(profileDirectory, settingsFile);
@@ -177,7 +176,6 @@ static ContextAutosaveSettings InitializeSessionSettings(IDataStore store, strin
                     result.ContextDirectory = migrated ? profileDirectory : settings.ContextDirectory ?? result.ContextDirectory;
                     result.Mode = settings.Mode;
                     result.ContextFile = settings.ContextFile ?? result.ContextFile;
-                    result.KeyStoreFile = settings.KeyStoreFile ?? result.KeyStoreFile;
                     result.Settings = settings.Settings;
                     bool updateSettings = false;
                     if (!settings.Settings.ContainsKey("InstallationId"))
@@ -270,6 +268,7 @@ static IAzureSession CreateInstance(IDataStore dataStore = null, Action<string>
             session.ARMProfileFile = autoSave.ContextFile;
             session.TokenCacheDirectory = autoSave.CacheDirectory;
             session.TokenCacheFile = autoSave.CacheFile;
+            session.KeyStoreFile = "azkeystore";
             autoSave.Settings.TryGetValue("InstallationId", out string installationId);
             session.ExtendedProperties.Add("InstallationId", installationId);
             InitializeConfigs(session, profilePath, writeWarning);

src/Accounts/Authentication/AzureSessionInitializer.cs

@@ -51,12 +51,6 @@ public class ContextAutosaveSettings : IExtensibleSettings
         /// </summary>
         public string CacheFile { get; set; }
 
-        /// <summary>
-        /// The name of the keystore file
-        /// </summary>
-        public string KeyStoreFile { get; set; }
-
-
         /// <summary>
         /// Extensible settings for autosave
         /// </summary>

src/Accounts/Authentication/ContextAutosaveSettings.cs

@@ -71,6 +71,21 @@ public IStorage Storage
             set => _storage = value;
         }
 
+        public bool IsProtected
+        {
+            get => Storage.IsProtected;
+        }
+
+        public string FileName
+        {
+            get => Storage.FileName;
+        }
+
+        public string Directory
+        {
+            get => Storage.Directory;
+        }
+
         public AzKeyStore()
         {
 

src/Accounts/Authentication/KeyStore/AzKeyStore.cs

@@ -28,5 +28,13 @@ public interface IStorage
         void WriteData(byte[] data);
 
         Exception GetLastError();
+
+        string FileName { get; set; }
+        string Directory { get; set; }
+
+        bool IsProtected
+        {
+            get;
+        }
     }
 }

src/Accounts/Authentication/KeyStore/IStorage.cs

@@ -14,6 +14,7 @@
 using Microsoft.Azure.Commands.Common.Authentication.Properties;
 using Microsoft.Identity.Client.Extensions.Msal;
 using System;
+using System.Collections.Generic;
 using System.Threading;
 
 namespace Microsoft.Azure.Commands.ResourceManager.Common
@@ -29,6 +30,13 @@ class StorageWrapper : IStorage
 
         private Storage _storage = null;
 
+        private bool isProtected;
+        public bool IsProtected
+        {
+            get => isProtected;
+            private set => isProtected = value;
+        }
+
         static ReaderWriterLockSlim storageLock = new ReaderWriterLockSlim(LockRecursionPolicy.SupportsRecursion);
 
         public StorageWrapper()
@@ -43,25 +51,32 @@ public IStorage Create()
             {
                 throw new InvalidOperationException(Resources.StorageLockConflicts);
             }
+            string tempFileName = null;
             try
             {
-                storageProperties = new StorageCreationPropertiesBuilder(FileName, Directory)
+                tempFileName = $"{FileName}.cache";
+                storageProperties = new StorageCreationPropertiesBuilder(tempFileName, Directory)
                     .WithMacKeyChain(KeyChainServiceName + ".other_secrets", FileName)
-                    .WithLinuxUnprotectedFile();
+                    .WithLinuxKeyring(FileName, "default", "AzKeyStoreCache",
+                    new KeyValuePair<string, string>("AzureClientID", "Microsoft.Developer.Azure.PowerShell"),
+                    new KeyValuePair<string, string>("Microsoft.Developer.Azure.PowerShell", "1.0.0.0"));
                 _storage = Storage.Create(storageProperties.Build());
                 VerifyPersistence();
+                isProtected = true;
             }
-            catch (MsalCachePersistenceException e)
+            catch (Exception e)
             {
                 _lastError = e;
-                _storage.Clear();
-                storageProperties = new StorageCreationPropertiesBuilder(FileName, Directory).WithUnprotectedFile();
+                tempFileName = $"{FileName}.json";
+                storageProperties = new StorageCreationPropertiesBuilder(tempFileName, Directory).WithUnprotectedFile();
                 _storage = Storage.Create(storageProperties.Build());
+                isProtected = false;
             }
             finally
             {
                 storageLock.ExitWriteLock();
             }
+            FileName = tempFileName ?? FileName;
             return this;
         }
 

src/Accounts/Authentication/KeyStore/StorageWrapper.cs

@@ -3,22 +3,22 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.Rest.ClientRuntime" Version="2.3.24"/>
     <PackageReference Include="Microsoft.Rest.ClientRuntime.Azure" Version="3.3.19"/>
-    <PackageReference Include="Microsoft.Azure.PowerShell.Clients.Aks" Version="1.3.65-preview"/>
-    <PackageReference Include="Microsoft.Azure.PowerShell.Authentication.Abstractions" Version="1.3.65-preview"/>
-    <PackageReference Include="Microsoft.Azure.PowerShell.Clients.Authorization" Version="1.3.65-preview"/>
-    <PackageReference Include="Microsoft.Azure.PowerShell.Common" Version="1.3.65-preview"/>
-    <PackageReference Include="Microsoft.Azure.PowerShell.Clients.Compute" Version="1.3.65-preview"/>
-    <PackageReference Include="Microsoft.Azure.PowerShell.Clients.Graph.Rbac" Version="1.3.65-preview"/>
-    <PackageReference Include="Microsoft.Azure.PowerShell.Clients.KeyVault" Version="1.3.65-preview"/>
-    <PackageReference Include="Microsoft.Azure.PowerShell.Clients.Monitor" Version="1.3.65-preview"/>
-    <PackageReference Include="Microsoft.Azure.PowerShell.Clients.Network" Version="1.3.65-preview"/>
-    <PackageReference Include="Microsoft.Azure.PowerShell.Clients.PolicyInsights" Version="1.3.65-preview"/>
-    <PackageReference Include="Microsoft.Azure.PowerShell.Clients.ResourceManager" Version="1.3.65-preview"/>
-    <PackageReference Include="Microsoft.Azure.PowerShell.Storage" Version="1.3.65-preview"/>
-    <PackageReference Include="Microsoft.Azure.PowerShell.Clients.Storage.Management" Version="1.3.65-preview"/>
-    <PackageReference Include="Microsoft.Azure.PowerShell.Strategies" Version="1.3.65-preview"/>
-    <PackageReference Include="Microsoft.Azure.PowerShell.Clients.Websites" Version="1.3.65-preview"/>
-    <PackageReference Include="Microsoft.Azure.PowerShell.Common.Share" Version="1.3.65-preview"/>
+    <PackageReference Include="Microsoft.Azure.PowerShell.Clients.Aks" Version="1.3.67-preview"/>
+    <PackageReference Include="Microsoft.Azure.PowerShell.Authentication.Abstractions" Version="1.3.67-preview"/>
+    <PackageReference Include="Microsoft.Azure.PowerShell.Clients.Authorization" Version="1.3.67-preview"/>
+    <PackageReference Include="Microsoft.Azure.PowerShell.Common" Version="1.3.67-preview"/>
+    <PackageReference Include="Microsoft.Azure.PowerShell.Clients.Compute" Version="1.3.67-preview"/>
+    <PackageReference Include="Microsoft.Azure.PowerShell.Clients.Graph.Rbac" Version="1.3.67-preview"/>
+    <PackageReference Include="Microsoft.Azure.PowerShell.Clients.KeyVault" Version="1.3.67-preview"/>
+    <PackageReference Include="Microsoft.Azure.PowerShell.Clients.Monitor" Version="1.3.67-preview"/>
+    <PackageReference Include="Microsoft.Azure.PowerShell.Clients.Network" Version="1.3.67-preview"/>
+    <PackageReference Include="Microsoft.Azure.PowerShell.Clients.PolicyInsights" Version="1.3.67-preview"/>
+    <PackageReference Include="Microsoft.Azure.PowerShell.Clients.ResourceManager" Version="1.3.67-preview"/>
+    <PackageReference Include="Microsoft.Azure.PowerShell.Storage" Version="1.3.67-preview"/>
+    <PackageReference Include="Microsoft.Azure.PowerShell.Clients.Storage.Management" Version="1.3.67-preview"/>
+    <PackageReference Include="Microsoft.Azure.PowerShell.Strategies" Version="1.3.67-preview"/>
+    <PackageReference Include="Microsoft.Azure.PowerShell.Clients.Websites" Version="1.3.67-preview"/>
+    <PackageReference Include="Microsoft.Azure.PowerShell.Common.Share" Version="1.3.67-preview"/>
   </ItemGroup>
   <ItemGroup>
     <PackageReference Include="Azure.Core" Version="1.25.0"/>
@@ -36,7 +36,7 @@
     <PackageReference Include="PowerShellStandard.Library" Version="5.1.0" PrivateAssets="All" />
   </ItemGroup>
   <PropertyGroup>
-    <StorageToolsPath>$(NugetPackageRoot)\microsoft.azure.powershell.storage\1.3.65-preview\tools\</StorageToolsPath>
+    <StorageToolsPath>$(NugetPackageRoot)\microsoft.azure.powershell.storage\1.3.67-preview\tools\</StorageToolsPath>
   </PropertyGroup>
   <ItemGroup Condition="'$(OmitJsonPackage)' != 'true'">
     <PackageReference Include="Newtonsoft.Json" Version="10.0.3"/>