Allow configuration of disableChallengeResourceVerification property of AKV SecretClient (Azure#36628)

* Add disableChallengeResourceVerification

Author: Netyyyy

sdk/spring/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Release History
 
+## 4.12.0-beta.1 (Unreleased)
+
+### Spring Cloud Azure Autoconfigure
+This section includes changes in `spring-cloud-azure-autoconfigure` module.
+
+#### Bugs Fixed
+- Fix the issue that prevented the `disableChallengeResourceVerification` property of the AKV `SecretClient` to be configured [#36628](https://github.com/Azure/azure-sdk-for-java/pull/36628).
+
 ## 5.5.0 (2023-08-28)
 - This release is compatible with Spring Boot 3.0.0-3.1.2. (Note: 3.1.x (x>2) should be supported, but they aren't tested with this release.)
 - This release is compatible with Spring Cloud 2022.0.0-2022.0.4. (Note: 2022.0.x (x>4) should be supported, but they aren't tested with this release.)

sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/keyvault/common/AzureKeyVaultProperties.java

@@ -19,6 +19,12 @@ public class AzureKeyVaultProperties extends AbstractAzureHttpConfigurationPrope
      */
     private String endpoint;
 
+    /**
+     * Whether to enable the Azure Key Vault challenge resource verification, default: true.
+     * Calls the disableChallengeResourceVerification method of the Azure Key Vault Client Builder when set to false.
+     */
+    private boolean challengeResourceVerificationEnabled = true;
+
     /**
      *
      * @return The Azure Key Vault endpoint.
@@ -34,4 +40,21 @@ public String getEndpoint() {
     public void setEndpoint(String endpoint) {
         this.endpoint = endpoint;
     }
+
+    /**
+     *
+     * @return Whether we should keep the challenge resource verification for the Azure Key Vault Client
+     */
+    public boolean isChallengeResourceVerificationEnabled() {
+        return challengeResourceVerificationEnabled;
+    }
+
+    /**
+     *
+     * @param challengeResourceVerificationEnabled Whether we should keep Azure Key Vault challenge resource verification enabled
+     */
+    public void setChallengeResourceVerificationEnabled(
+        boolean challengeResourceVerificationEnabled) {
+        this.challengeResourceVerificationEnabled = challengeResourceVerificationEnabled;
+    }
 }

sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/keyvault/secrets/properties/AzureKeyVaultPropertySourceProperties.java

@@ -43,6 +43,12 @@ public class AzureKeyVaultPropertySourceProperties extends AbstractAzureHttpConf
      */
     private Duration refreshInterval = DEFAULT_REFRESH_INTERVAL;
 
+    /**
+     * Whether to enable the Azure Key Vault challenge resource verification, default: true.
+     * Calls the disableChallengeResourceVerification method of the Azure Key Vault Client Builder when set to false.
+     */
+    private boolean challengeResourceVerificationEnabled = true;
+
     /**
      *
      * @return The name of this property source.
@@ -138,4 +144,21 @@ public Duration getRefreshInterval() {
     public void setRefreshInterval(Duration refreshInterval) {
         this.refreshInterval = refreshInterval;
     }
+
+    /**
+     *
+     * @return Whether we should keep Azure Key Vault challenge resource verification enabled
+     */
+    public boolean isChallengeResourceVerificationEnabled() {
+        return challengeResourceVerificationEnabled;
+    }
+
+    /**
+     *
+     * @param challengeResourceVerificationEnabled Whether we should keep Azure Key Vault challenge resource verification enabled
+     */
+    public void setChallengeResourceVerificationEnabled(
+        boolean challengeResourceVerificationEnabled) {
+        this.challengeResourceVerificationEnabled = challengeResourceVerificationEnabled;
+    }
 }

sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/keyvault/environment/KeyVaultEnvironmentPostProcessor.java

@@ -143,6 +143,7 @@ private AzureKeyVaultSecretProperties toAzureKeyVaultSecretProperties(
         AzurePropertiesUtils.copyAzureCommonProperties(propertySourceProperties, secretProperties);
         secretProperties.setEndpoint(propertySourceProperties.getEndpoint());
         secretProperties.setServiceVersion(propertySourceProperties.getServiceVersion());
+        secretProperties.setChallengeResourceVerificationEnabled(propertySourceProperties.isChallengeResourceVerificationEnabled());
         return secretProperties;
     }
 
@@ -197,6 +198,7 @@ private AzureKeyVaultPropertySourceProperties buildMergedProperties(
         mergedProperties.setCaseSensitive(propertySourceProperties.isCaseSensitive());
         mergedProperties.setSecretKeys(propertySourceProperties.getSecretKeys());
         mergedProperties.setRefreshInterval(propertySourceProperties.getRefreshInterval());
+        mergedProperties.setChallengeResourceVerificationEnabled(propertySourceProperties.isChallengeResourceVerificationEnabled());
         return mergedProperties;
     }
 

sdk/spring/spring-cloud-azure-autoconfigure/src/main/resources/META-INF/additional-spring-configuration-metadata.json

@@ -1532,6 +1532,13 @@
       "description": "Secret service version used when making API requests.",
       "sourceType": "com.azure.spring.cloud.autoconfigure.implementation.keyvault.secrets.properties.AzureKeyVaultPropertySourceProperties"
     },
+    {
+      "name": "spring.cloud.azure.keyvault.secret.property-sources[0].challenge-resource-verification-enabled",
+      "type": "java.lang.Boolean",
+      "description": "Whether to enable the Azure Key Vault challenge resource verification, default: true. Calls the disableChallengeResourceVerification method of the Azure Key Vault Client Builder when set to false.",
+      "sourceType": "com.azure.spring.cloud.autoconfigure.implementation.keyvault.secrets.properties.AzureKeyVaultPropertySourceProperties",
+      "defaultValue": true
+    },
     {
       "name": "spring.datasource.azure.credential.client-id",
       "type": "java.lang.String",

sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/keyvault/certificates/AzureKeyVaultCertificateAutoConfigurationTests.java

@@ -22,6 +22,7 @@
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
 
 class AzureKeyVaultCertificateAutoConfigurationTests extends AbstractAzureServiceConfigurationTests<
     CertificateClientBuilderFactory, AzureKeyVaultCertificateProperties> {
@@ -139,13 +140,15 @@ void configurationPropertiesShouldBind() {
         this.contextRunner
             .withPropertyValues(
                 "spring.cloud.azure.keyvault.certificate.endpoint=" + endpoint,
-                "spring.cloud.azure.keyvault.certificate.service-version=V7_2"
+                "spring.cloud.azure.keyvault.certificate.service-version=V7_2",
+                "spring.cloud.azure.keyvault.certificate.challenge-resource-verification-enabled=false"
             )
             .run(context -> {
                 assertThat(context).hasSingleBean(AzureKeyVaultCertificateProperties.class);
                 AzureKeyVaultCertificateProperties properties = context.getBean(AzureKeyVaultCertificateProperties.class);
                 assertEquals(endpoint, properties.getEndpoint());
                 assertEquals(CertificateServiceVersion.V7_2, properties.getServiceVersion());
+                assertFalse(properties.isChallengeResourceVerificationEnabled());
             });
     }
 

sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/keyvault/environment/KeyVaultEnvironmentPostProcessorTests.java

@@ -275,6 +275,31 @@ void specificPropertiesHasHigherPriorityThanGlobalPropertiesTest() {
         assertEquals(specificMaxRetries, properties.getRetry().getFixed().getMaxRetries());
     }
 
+    @Test
+    void challengeResourceVerificationEnabledCanBeSetAsFalseTest() {
+        environment.setProperty("spring.cloud.azure.keyvault.secret.property-source-enabled", "true");
+        environment.setProperty("spring.cloud.azure.keyvault.secret.property-sources[0].challenge-resource-verification-enabled", "false");
+        environment.setProperty("spring.cloud.azure.keyvault.secret.property-sources[0].enabled", "true");
+        environment.setProperty("spring.cloud.azure.keyvault.secret.property-sources[0].name", NAME_0);
+        environment.setProperty("spring.cloud.azure.keyvault.secret.property-sources[0].endpoint", ENDPOINT_0);
+        AzureKeyVaultSecretProperties secretProperties = processor.loadProperties(environment);
+        AzureKeyVaultPropertySourceProperties properties = secretProperties.getPropertySources().get(0);
+        assertTrue(secretProperties.isChallengeResourceVerificationEnabled());
+        assertFalse(properties.isChallengeResourceVerificationEnabled());
+    }
+
+    @Test
+    void challengeResourceVerificationEnabledIsSetByDefaultTest() {
+        environment.setProperty("spring.cloud.azure.keyvault.secret.property-source-enabled", "true");
+        environment.setProperty("spring.cloud.azure.keyvault.secret.property-sources[0].enabled", "true");
+        environment.setProperty("spring.cloud.azure.keyvault.secret.property-sources[0].name", NAME_0);
+        environment.setProperty("spring.cloud.azure.keyvault.secret.property-sources[0].endpoint", ENDPOINT_0);
+        AzureKeyVaultSecretProperties secretProperties = processor.loadProperties(environment);
+        AzureKeyVaultPropertySourceProperties properties = secretProperties.getPropertySources().get(0);
+        assertTrue(secretProperties.isChallengeResourceVerificationEnabled());
+        assertTrue(properties.isChallengeResourceVerificationEnabled());
+    }
+
     @Disabled("Disable it to unblock Azure Dev Ops pipeline: https://dev.azure.com/azure-sdk/public/_build/results?buildId=1434354&view=logs&j=c1fb1ddd-7688-52ac-4c5f-1467e51181f3")
     @Test
     void buildKeyVaultPropertySourceWithExceptionTest() {

sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/keyvault/secrets/AzureKeyVaultSecretAutoConfigurationTests.java

@@ -145,6 +145,7 @@ void configurationPropertiesShouldBind() {
             .withPropertyValues(
                 "spring.cloud.azure.keyvault.secret.endpoint=" + endpoint,
                 "spring.cloud.azure.keyvault.secret.service-version=V7_2",
+                "spring.cloud.azure.keyvault.secret.challenge-resource-verification-enabled=false",
 
                 "spring.cloud.azure.keyvault.secret.property-source-enabled=false",
                 "spring.cloud.azure.keyvault.secret.property-sources[0].endpoint=" + endpoint + "-1",
@@ -161,6 +162,7 @@ void configurationPropertiesShouldBind() {
                 assertEquals(endpoint, properties.getEndpoint());
                 assertFalse(properties.isPropertySourceEnabled());
                 assertEquals(SecretServiceVersion.V7_2, properties.getServiceVersion());
+                assertFalse(properties.isChallengeResourceVerificationEnabled());
 
                 AzureKeyVaultPropertySourceProperties propertySourceProperties = properties.getPropertySources().get(0);
                 assertEquals(endpoint + "-1", propertySourceProperties.getEndpoint());

sdk/spring/spring-cloud-azure-service/src/main/java/com/azure/spring/cloud/service/implementation/keyvault/KeyVaultProperties.java

@@ -13,4 +13,5 @@ public interface KeyVaultProperties extends AzureProperties, RetryOptionsProvide
 
     String getEndpoint();
 
+    boolean isChallengeResourceVerificationEnabled();
 }

sdk/spring/spring-cloud-azure-service/src/main/java/com/azure/spring/cloud/service/implementation/keyvault/certificates/CertificateClientBuilderFactory.java

@@ -88,6 +88,8 @@ protected void configureService(CertificateClientBuilder builder) {
         PropertyMapper map = new PropertyMapper();
         map.from(certificateClientProperties.getEndpoint()).to(builder::vaultUrl);
         map.from(certificateClientProperties.getServiceVersion()).to(builder::serviceVersion);
+        map.from(certificateClientProperties.isChallengeResourceVerificationEnabled())
+           .whenFalse().to(enabled -> builder.disableChallengeResourceVerification());
     }
 
     @Override