Support InputStream as input for ClientCertificateCredential

sdk/identity/azure-identity/src/main/java/com/azure/identity/ClientCertificateCredential.java

@@ -14,6 +14,7 @@
 import com.azure.identity.implementation.util.LoggingUtil;
 import reactor.core.publisher.Mono;
 
+import java.io.InputStream;
 import java.util.Objects;
 
 /**
@@ -35,16 +36,19 @@ public class ClientCertificateCredential implements TokenCredential {
      * @param tenantId the tenant ID of the application
      * @param clientId the client ID of the application
      * @param certificatePath the PEM file or PFX file containing the certificate
+     * @param certificate the PEM or PFX certificate
      * @param certificatePassword the password protecting the PFX file
      * @param identityClientOptions the options to configure the identity client
      */
-    ClientCertificateCredential(String tenantId, String clientId, String certificatePath, String certificatePassword,
-                                IdentityClientOptions identityClientOptions) {
-        Objects.requireNonNull(certificatePath, "'certificatePath' cannot be null.");
+    ClientCertificateCredential(String tenantId, String clientId, String certificatePath, InputStream certificate,
+                                String certificatePassword, IdentityClientOptions identityClientOptions) {
+        Objects.requireNonNull(certificatePath == null ? certificate : certificatePath,
+                "'certificate' and 'certificatePath' cannot both be null.");
         identityClient = new IdentityClientBuilder()
             .tenantId(tenantId)
             .clientId(clientId)
             .certificatePath(certificatePath)
+            .certificate(certificate)
             .certificatePassword(certificatePassword)
             .identityClientOptions(identityClientOptions)
             .build();

sdk/identity/azure-identity/src/main/java/com/azure/identity/ClientCertificateCredentialBuilder.java

@@ -3,8 +3,10 @@
 
 package com.azure.identity;
 
+import com.azure.core.util.logging.ClientLogger;
 import com.azure.identity.implementation.util.ValidationUtil;
 
+import java.io.InputStream;
 import java.util.HashMap;
 
 /**
@@ -13,31 +15,59 @@
  * @see ClientCertificateCredential
  */
 public class ClientCertificateCredentialBuilder extends AadCredentialBuilderBase<ClientCertificateCredentialBuilder> {
-    private String clientCertificate;
+    private String clientCertificatePath;
+    private InputStream clientCertificate;
     private String clientCertificatePassword;
+    private final ClientLogger logger = new ClientLogger(ClientCertificateCredentialBuilder.class);
 
     /**
-     * Sets the client certificate for authenticating to AAD.
+     * Sets the path of the PEM certificate for authenticating to AAD.
      *
      * @param certificatePath the PEM file containing the certificate
      * @return An updated instance of this builder.
      */
     public ClientCertificateCredentialBuilder pemCertificate(String certificatePath) {
         ValidationUtil.validateFilePath(getClass().getSimpleName(), certificatePath, "Pem Certificate Path");
-        this.clientCertificate = certificatePath;
+        this.clientCertificatePath = certificatePath;
         return this;
     }
 
     /**
-     * Sets the client certificate for authenticating to AAD.
+     * Sets the input stream holding the PEM certificate for authenticating to AAD.
+     *
+     * @param certificate the input stream containing the PEM certificate
+     * @return An updated instance of this builder.
+     */
+    public ClientCertificateCredentialBuilder pemCertificate(InputStream certificate) {
+        this.clientCertificate = certificate;
+        return this;
+    }
+
+    /**
+     * Sets the path and password of the PFX certificate for authenticating to AAD.
      *
      * @param certificatePath the password protected PFX file containing the certificate
      * @param clientCertificatePassword the password protecting the PFX file
      * @return An updated instance of this builder.
      */
-    public ClientCertificateCredentialBuilder pfxCertificate(String certificatePath, String clientCertificatePassword) {
+    public ClientCertificateCredentialBuilder pfxCertificate(String certificatePath,
+                                                             String clientCertificatePassword) {
         ValidationUtil.validateFilePath(getClass().getSimpleName(), certificatePath, "Pfx Certificate Path");
-        this.clientCertificate = certificatePath;
+        this.clientCertificatePath = certificatePath;
+        this.clientCertificatePassword = clientCertificatePassword;
+        return this;
+    }
+
+    /**
+     * Sets the input stream holding the PFX certificate and its password for authenticating to AAD.
+     *
+     * @param certificate the input stream containing the password protected PFX certificate
+     * @param clientCertificatePassword the password protecting the PFX file
+     * @return An updated instance of this builder.
+     */
+    public ClientCertificateCredentialBuilder pfxCertificate(InputStream certificate,
+                                                             String clientCertificatePassword) {
+        this.clientCertificate = certificate;
         this.clientCertificatePassword = clientCertificatePassword;
         return this;
     }
@@ -86,9 +116,14 @@ public ClientCertificateCredential build() {
         ValidationUtil.validate(getClass().getSimpleName(), new HashMap<String, Object>() {{
                 put("clientId", clientId);
                 put("tenantId", tenantId);
-                put("clientCertificate", clientCertificate);
+                put("clientCertificate", clientCertificate == null ? clientCertificatePath : clientCertificate);
             }});
-        return new ClientCertificateCredential(tenantId, clientId, clientCertificate, clientCertificatePassword,
-            identityClientOptions);
+        if (clientCertificate != null && clientCertificatePath != null) {
+            throw logger.logExceptionAsWarning(new IllegalArgumentException("Both certificate input stream and "
+                    + "certificate path are provided in ClientCertificateCredentialBuilder. Only one of them should "
+                    + "be provided."));
+        }
+        return new ClientCertificateCredential(tenantId, clientId, clientCertificatePath, clientCertificate,
+            clientCertificatePassword, identityClientOptions);
     }
 }

sdk/identity/azure-identity/src/main/java/com/azure/identity/EnvironmentCredential.java

@@ -70,8 +70,9 @@ public class EnvironmentCredential implements TokenCredential {
                 } else if (verifyNotNull(certPath)) {
                     // 1.2 Attempt ClientCertificateCredential
                     logger.info("Azure Identity => EnvironmentCredential invoking ClientCertificateCredential");
-                    targetCredential = new ClientCertificateCredential(tenantId, clientId, certPath,
-                        null, identityClientOptions);
+                    ValidationUtil.validateFilePath(getClass().getSimpleName(), certPath, "Pem Certificate Path");
+                    targetCredential = new ClientCertificateCredential(tenantId, clientId, certPath, null, null,
+                            identityClientOptions);
                 } else {
                     // 1.3 Log error if neither is found
                     logger.error("Azure Identity => ERROR in EnvironmentCredential: Failed to create a "

sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClient.java

@@ -45,9 +45,11 @@
 import reactor.core.publisher.Mono;
 
 import java.io.BufferedReader;
+import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.net.HttpURLConnection;
 import java.net.MalformedURLException;
@@ -122,6 +124,7 @@ public class IdentityClient {
     private final String tenantId;
     private final String clientId;
     private final String clientSecret;
+    private final InputStream certificate;
     private final String certificatePath;
     private final String certificatePassword;
     private HttpPipelineAdapter httpPipelineAdapter;
@@ -135,13 +138,14 @@ public class IdentityClient {
      * @param clientId the client ID of the application.
      * @param clientSecret the client secret of the application.
      * @param certificatePath the path to the PKCS12 or PEM certificate of the application.
+     * @param certificate the PKCS12 or PEM certificate of the application.
      * @param certificatePassword the password protecting the PFX certificate.
      * @param isSharedTokenCacheCredential Indicate whether the credential is
      * {@link com.azure.identity.SharedTokenCacheCredential} or not.
      * @param options the options configuring the client.
      */
-    IdentityClient(String tenantId, String clientId, String clientSecret,
-                   String certificatePath, String certificatePassword, boolean isSharedTokenCacheCredential,
+    IdentityClient(String tenantId, String clientId, String clientSecret, String certificatePath,
+                   InputStream certificate, String certificatePassword, boolean isSharedTokenCacheCredential,
                    IdentityClientOptions options) {
         if (tenantId == null) {
             tenantId = "organizations";
@@ -153,6 +157,7 @@ public class IdentityClient {
         this.clientId = clientId;
         this.clientSecret = clientSecret;
         this.certificatePath = certificatePath;
+        this.certificate = certificate;
         this.certificatePassword = certificatePassword;
         this.options = options;
 
@@ -172,10 +177,10 @@ private ConfidentialClientApplication getConfidentialClientApplication() {
         IClientCredential credential;
         if (clientSecret != null) {
             credential = ClientCredentialFactory.createFromSecret(clientSecret);
-        } else if (certificatePath != null) {
+        } else if (certificate != null || certificatePath != null) {
             try {
                 if (certificatePassword == null) {
-                    byte[] pemCertificateBytes = Files.readAllBytes(Paths.get(certificatePath));
+                    byte[] pemCertificateBytes = getCertificateBytes();
 
                     List<X509Certificate> x509CertificateList =  CertificateUtil.publicKeyFromPem(pemCertificateBytes);
                     PrivateKey privateKey = CertificateUtil.privateKeyFromPem(pemCertificateBytes);
@@ -187,8 +192,9 @@ private ConfidentialClientApplication getConfidentialClientApplication() {
                             privateKey, x509CertificateList);
                     }
                 } else {
+                    InputStream pfxCertificateStream = getCertificateInputStream();
                     credential = ClientCredentialFactory.createFromCertificate(
-                        new FileInputStream(certificatePath), certificatePassword);
+                            pfxCertificateStream, certificatePassword);
                 }
             } catch (IOException | GeneralSecurityException e) {
                 throw logger.logExceptionAsError(new RuntimeException(
@@ -1038,4 +1044,31 @@ public String getClientId() {
     private boolean isADFSTenant() {
         return this.tenantId.equals(ADFS_TENANT);
     }
+
+    private byte[] getCertificateBytes() throws IOException {
+        if (certificatePath != null) {
+            return Files.readAllBytes(Paths.get(certificatePath));
+        } else if (certificate != null) {
+            ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+            byte[] buffer = new byte[1024];
+            int read = certificate.read(buffer, 0, buffer.length);
+            while (read != -1) {
+                outputStream.write(buffer, 0, read);
+                read = certificate.read(buffer, 0, buffer.length);
+            }
+            return outputStream.toByteArray();
+        } else {
+            return new byte[0];
+        }
+    }
+
+    private InputStream getCertificateInputStream() throws IOException {
+        if (certificatePath != null) {
+            return new FileInputStream(certificatePath);
+        } else if (certificate != null) {
+            return certificate;
+        } else {
+            return null;
+        }
+    }
 }

sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClientBuilder.java

@@ -5,6 +5,8 @@
 
 import com.azure.identity.SharedTokenCacheCredential;
 
+import java.io.InputStream;
+
 /**
  * Fluent client builder for instantiating an {@link IdentityClient}.
  *
@@ -16,6 +18,7 @@ public final class IdentityClientBuilder {
     private String clientId;
     private String clientSecret;
     private String certificatePath;
+    private InputStream certificate;
     private String certificatePassword;
     private boolean sharedTokenCacheCred;
 
@@ -60,6 +63,17 @@ public IdentityClientBuilder certificatePath(String certificatePath) {
         return this;
     }
 
+    /**
+     * Sets the client certificate for the client.
+     *
+     * @param certificate the PEM/PFX certificate
+     * @return the IdentityClientBuilder itself
+     */
+    public IdentityClientBuilder certificate(InputStream certificate) {
+        this.certificate = certificate;
+        return this;
+    }
+
     /**
      * Sets the client certificate for the client.
      *
@@ -96,7 +110,7 @@ public IdentityClientBuilder sharedTokenCacheCredential(boolean isSharedTokenCac
      * @return a {@link IdentityClient} with the current configurations.
      */
     public IdentityClient build() {
-        return new IdentityClient(tenantId, clientId, clientSecret, certificatePath,
+        return new IdentityClient(tenantId, clientId, clientSecret, certificatePath, certificate,
             certificatePassword, sharedTokenCacheCred, identityClientOptions);
     }
 }