[keyvault] CAE support (#31140)

### Packages impacted by this PR

- `@azure/keyvault-common`
- Downstream Key Vault packages

### Issues associated with this PR

- Private

### Describe the problem that is addressed by this PR

In future, the Key Vault service will be adding support for Continuous
Access Evaluation (CAE). This PR adds the necessary support to the SDK's
challenge-based authentication policy to enable this feature.

After the initial challenge, with CAE enabled, any future request may
result in a 401 response, even if the access token used is valid. This
PR adds a new policy that handles this CAE challenge alongside the
normal challenge. The new policy replaces the existing use of Core's
`bearerTokenAuthenticationPolicy`, which is no longer suitable for this
use case since it cannot handle a CAE challenge that comes immediately
after a regular challenge.

### Are there test cases added in this PR? _(If not, why?)_

Yes, added test cases with mock requests and responses to cover a number
of different scenarios, ensuring the policy is doing the right thing.

I also manually tested against a test resource provided by the Key Vault
team which returns a CAE challenge in response to any authorized request
to the vault, and got the expected result (a normal challenge handled
successfully, followed by a CAE challenge handled successfully, followed
by another CAE challenge which the policy does not handle).

### Provide a list of related PRs _(if any)_

- Java PR for same feature:
Azure/azure-sdk-for-java#41814

Author: timovv

sdk/keyvault/keyvault-admin/CHANGELOG.md

@@ -1,9 +1,11 @@
 # Release History
 
-## 4.5.1 (Unreleased)
+## 4.6.0 (Unreleased)
 
 ### Features Added
 
+- Add support for Continuous Access Evaluation (CAE). [#31140](https://github.com/Azure/azure-sdk-for-js/pull/31140)
+
 ### Breaking Changes
 
 ### Bugs Fixed

sdk/keyvault/keyvault-admin/package.json

@@ -2,7 +2,7 @@
   "name": "@azure/keyvault-admin",
   "sdk-type": "client",
   "author": "Microsoft Corporation",
-  "version": "4.5.1",
+  "version": "4.6.0",
   "license": "MIT",
   "description": "Isomorphic client library for Azure KeyVault's administrative functions.",
   "homepage": "https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/keyvault/keyvault-admin/README.md",
@@ -99,7 +99,7 @@
     "@azure/core-rest-pipeline": "^1.1.0",
     "@azure/core-tracing": "^1.0.0",
     "@azure/core-util": "^1.0.0",
-    "@azure/keyvault-common": "^1.0.0",
+    "@azure/keyvault-common": "^2.0.0",
     "@azure/logger": "^1.0.0",
     "tslib": "^2.2.0"
   },

sdk/keyvault/keyvault-admin/src/accessControlClient.ts

@@ -23,8 +23,7 @@ import { LATEST_API_VERSION } from "./constants.js";
 import { PagedAsyncIterableIterator } from "@azure/core-paging";
 import { RoleAssignmentsListForScopeOptionalParams } from "./generated/models/index.js";
 import { TokenCredential } from "@azure/core-auth";
-import { bearerTokenAuthenticationPolicy } from "@azure/core-rest-pipeline";
-import { createKeyVaultChallengeCallbacks } from "@azure/keyvault-common";
+import { keyVaultAuthenticationPolicy } from "@azure/keyvault-common";
 import { logger } from "./log.js";
 import { mappings } from "./mappings.js";
 import { tracingClient } from "./tracing.js";
@@ -87,15 +86,11 @@ export class KeyVaultAccessControlClient {
 
     this.client = new KeyVaultClient(serviceVersion, clientOptions);
 
-    this.client.pipeline.addPolicy(
-      bearerTokenAuthenticationPolicy({
-        credential,
-        // The scopes will be populated in the challenge callbacks based on the WWW-authenticate header
-        // returned by the challenge, so pass an empty array as a placeholder.
-        scopes: [],
-        challengeCallbacks: createKeyVaultChallengeCallbacks(options),
-      }),
-    );
+    // The authentication policy must come after the deserialization policy since the deserialization policy
+    // converts 401 responses to an Error, and we don't want to deal with that.
+    this.client.pipeline.addPolicy(keyVaultAuthenticationPolicy(credential, clientOptions), {
+      afterPolicies: ["deserializationPolicy"],
+    });
   }
 
   /**

sdk/keyvault/keyvault-admin/src/backupClient.ts

@@ -21,8 +21,7 @@ import { KeyVaultSelectiveKeyRestorePoller } from "./lro/selectiveKeyRestore/pol
 import { LATEST_API_VERSION } from "./constants.js";
 import { PollerLike } from "@azure/core-lro";
 import { TokenCredential } from "@azure/core-auth";
-import { bearerTokenAuthenticationPolicy } from "@azure/core-rest-pipeline";
-import { createKeyVaultChallengeCallbacks } from "@azure/keyvault-common";
+import { keyVaultAuthenticationPolicy } from "@azure/keyvault-common";
 import { logger } from "./log.js";
 import { mappings } from "./mappings.js";
 
@@ -89,15 +88,11 @@ export class KeyVaultBackupClient {
     };
 
     this.client = new KeyVaultClient(apiVersion, clientOptions);
-    this.client.pipeline.addPolicy(
-      bearerTokenAuthenticationPolicy({
-        credential,
-        // The scopes will be populated in the challenge callbacks based on the WWW-authenticate header
-        // returned by the challenge, so pass an empty array as a placeholder.
-        scopes: [],
-        challengeCallbacks: createKeyVaultChallengeCallbacks(options),
-      }),
-    );
+    // The authentication policy must come after the deserialization policy since the deserialization policy
+    // converts 401 responses to an Error, and we don't want to deal with that.
+    this.client.pipeline.addPolicy(keyVaultAuthenticationPolicy(credential, clientOptions), {
+      afterPolicies: ["deserializationPolicy"],
+    });
   }
 
   /**

sdk/keyvault/keyvault-admin/src/constants.ts

@@ -4,7 +4,7 @@
 /**
  * Current version of the Key Vault Admin SDK.
  */
-export const SDK_VERSION: string = "4.5.1";
+export const SDK_VERSION: string = "4.6.0";
 
 /**
  * The latest supported Key Vault service API version.

sdk/keyvault/keyvault-admin/src/generated/keyVaultClientContext.ts

@@ -2,8 +2,7 @@
 // Licensed under the MIT License.
 
 import { TokenCredential } from "@azure/core-auth";
-import { bearerTokenAuthenticationPolicy } from "@azure/core-rest-pipeline";
-import { createKeyVaultChallengeCallbacks } from "@azure/keyvault-common";
+import { keyVaultAuthenticationPolicy } from "@azure/keyvault-common";
 import { LATEST_API_VERSION } from "./constants.js";
 import { KeyVaultClient, Setting as GeneratedSetting } from "./generated/index.js";
 import { logger } from "./log.js";
@@ -92,13 +91,12 @@ export class KeyVaultSettingsClient {
     };
 
     this.client = new KeyVaultClient(apiVersion, clientOptions);
-    this.client.pipeline.addPolicy(
-      bearerTokenAuthenticationPolicy({
-        credential,
-        scopes: [],
-        challengeCallbacks: createKeyVaultChallengeCallbacks(options),
-      }),
-    );
+
+    // The authentication policy must come after the deserialization policy since the deserialization policy
+    // converts 401 responses to an Error, and we don't want to deal with that.
+    this.client.pipeline.addPolicy(keyVaultAuthenticationPolicy(credential, clientOptions), {
+      afterPolicies: ["deserializationPolicy"],
+    });
   }
 
   /**

sdk/keyvault/keyvault-admin/src/settingsClient.ts

@@ -16,7 +16,7 @@ input-file:
   - https://raw.githubusercontent.com/Azure/azure-rest-api-specs/7452e1cc7db72fbc6cd9539b390d8b8e5c2a1864/specification/keyvault/data-plane/Microsoft.KeyVault/stable/7.5/settings.json
 output-folder: ../
 source-code-folder-path: ./src/generated
-package-version: 4.5.1
+package-version: 4.6.0
 use-extension:
   "@autorest/typescript": "6.0.0-beta.15"
 ```

sdk/keyvault/keyvault-admin/swagger/README.md

@@ -1,9 +1,11 @@
 # Release History
 
-## 4.8.1 (Unreleased)
+## 4.9.0 (Unreleased)
 
 ### Features Added
 
+- Add support for Continuous Access Evaluation (CAE). [#31140](https://github.com/Azure/azure-sdk-for-js/pull/31140)
+
 ### Breaking Changes
 
 ### Bugs Fixed

sdk/keyvault/keyvault-certificates/CHANGELOG.md

@@ -2,7 +2,7 @@
   "name": "@azure/keyvault-certificates",
   "sdk-type": "client",
   "author": "Microsoft Corporation",
-  "version": "4.8.1",
+  "version": "4.9.0",
   "license": "MIT",
   "description": "Isomorphic client library for Azure KeyVault's certificates.",
   "homepage": "https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/keyvault/keyvault-certificates/README.md",
@@ -103,7 +103,7 @@
     "@azure/core-rest-pipeline": "^1.8.0",
     "@azure/core-tracing": "^1.0.0",
     "@azure/core-util": "^1.6.1",
-    "@azure/keyvault-common": "^1.0.0",
+    "@azure/keyvault-common": "^2.0.0",
     "@azure/logger": "^1.0.0",
     "tslib": "^2.2.0"
   },