[KeyVault] Challenge based authentication parallel fix, including tests

[sadasant]

Fixes #9005

The challenge based authentication hotfix introduces a bug in which: Either when the client is not authenticated, or when the token is invalid, parallel network requests end up in a race condition where while one request is authenticating, the other ones fail immediately. This is not a problem before the hotfix because the challenge based authentication was always re-authenticating before making a request.

The parallel problem in more detail is as follows:

A new token was generated only if response.status == 401, and we received a www_authenticate header, which is ok, but parallel requests would choke at the !challenge.equalTo(this.challengeCache.challenge) mark, since by the time the second request compared the challenges, they would be the same, but the "response" set at the end was the 401 one, and not a new request made with the valid challenge. The fix consists of re-loading the credentials, and re-sending the request if the challenge happens to be valid at that point.

TODOs:

• DONE: Do the same for Secrets and Certificates (should I do this in separate PRs?).
• Do this same process in the hotfix branches for KeyVault.

---

Keep in mind that this PR is not about refactoring the entirety of the challenge based authentication, which I'll be doing separately, and I'm tracking it with this issue: #9058

Update: Decided to refactor the challenge auth here, to make it easier to test it. Therefore:

Fixes #9058

[heaths]

Why the root slash? Does that still always resolve to the root? The old line didn't have it.

[sadasant]

Without the root hash, I can't re-include the challengeBasedAuth file that is in the code folder :/ I will clean this up once we move this to a common folder.

[xirzec]

huh, why are we ignoring these files anyway?

[sadasant]

Here's the common folder PR that I'm proposing: #8866

[sadasant]

@xirzec the files in the src/core folder should only come from the swagger tool we use, which makes it so that any changes we make are futile :/ ... except for the challenge based authentication code! which we should move out of there.

[xirzec]

ohh... can we rename the folder to 'generated' at some point to make this clear?

[sadasant]

Here's an issue: #9069

[heaths]

In .NET, we have this as "authorization_uri". Are you sure it's "_url"? Adding @schaabs who wrote that originally.

[sadasant]

I'm sure that's my mistake. I'll move to authorization_uri. Thank you!

[heaths]

If you're sure. I'm not so sure myself, which is why I included Scott. I'm not sure how to verify it as well. :)

[schaabs]

The authorization_uri was most likely copied from the track 1 code. If we're not sure probably best to default to what was in .NET track 1 since that SDK predates the rest. Either way this might just be a moot point left over from an older API version we're not supporting. Looking at the test recordings 7.0 seems to pass back "autorization" consistently in the challenge

        "WWW-Authenticate": "Bearer authorization=\u0022https:\u002f\u002flogin.windows.net\*****, resource=\u0022https:\u002f\u002fvault.azure.net\u0022",

[sadasant]

Sounds good!

[heaths]

I appreciate the nod, but might want to link to the main repo's source? 😉

[sadasant]

I mean, I would get lost in the main repo's source! I want to link to what's similar in that code. Let me know if you know a better link.

[heaths]

Maybe what you want is this?

https://github.com/Azure/azure-sdk-for-net/blob/70e54b878ff1d01a45266fb3674a396b4ab9c1d2/sdk/keyvault/Azure.Security.KeyVault.Shared/src/ChallengeBasedAuthenticationPolicy.cs#L143-L147

[sadasant]

Wait, so you do compare the authority? hmm

[sadasant]

Ok! Updated!

[xirzec]

Small suggestion

[xirzec]

huh, why are we ignoring these files anyway?

[ramya-rao-a]

Do the same for Secrets and Certificates (should I do this in separate PRs?).
Do this same process in the hotfix branches for KeyVault.

I would recommend changing secrets and certificates in the same PR for the master branch.

For hotfix, just like last time, we can use 1 PR for keys & secrets, another for certificates.

[sadasant]

As a note on the wording, I'm using "parallel" since these promises are being executed at the same time, at least from the perspective of the developer. I'm using this as reference: https://takuti.me/note/parallel-vs-concurrent/

Let me know if I should change it.

[sadasant]

This file was missing in certificates.

[ramya-rao-a]

@jonathandturner, @xirzec, Can you take another look now that the PR has been update to work with secrets and certificates as well?

@sadasant, Please update the PR title and have the hotfix PRs created as well

[xirzec]

I think this will work as is, but left a couple suggestions for further polish.

[xirzec]

feels weird to do all these ! operations to assert something exists. If we know it exists, why make it optional on the type? If we don't know that it exists, why not add some checks so we don't blow up at runtime?

[sadasant]

I'll add an exception case if we don't receive the values that we expect! Thank you!

[sadasant]

I added this:

    if (!(authorization && resource)) {
      return this._nextPolicy.sendRequest(webResource);
    }

[xirzec]

can everything from here until the end be moved up after the line webResource.body = originalBody inside the body of the if? Since we didn't blank the body in the else, we know it will never respond with 401 and we can just return the response.

[sadasant]

Do we know it will never return 401? Seems like we are being extra cautious if we double check like this.

[sadasant]

Let's say we're already authenticated, but the server answers with 401 when our code tries to:

      await this.loadToken(webResource);
      response = await this._nextPolicy.sendRequest(webResource);

Seems possible! I'm assuming that if the challenge or token have some kind of expiration, this might help us correctly re-authenticate.

[xirzec]

ah, sure

[sadasant]

(I'm seeing an A-zure pun and I don't know what to do with it 😄)