Verify challenge resource matches request domain

eng/common/pipelines/templates/steps/sparse-checkout.yml

@@ -44,8 +44,10 @@ steps:
               Write-Host "git sparse-checkout init"
               git sparse-checkout init
 
-              Write-Host "git sparse-checkout set '/*' '!/*/' '/eng'"
-              git sparse-checkout set '/*' '!/*/' '/eng'
+              # Set non-cone mode otherwise path filters will not work in git >= 2.37.0
+              # See https://github.blog/2022-06-27-highlights-from-git-2-37/#tidbits
+              Write-Host "git sparse-checkout set --no-cone '/*' '!/*/' '/eng'"
+              git sparse-checkout set --no-cone '/*' '!/*/' '/eng'
             }
 
             # Prevent wildcard expansion in Invoke-Expression (e.g. for checkout path '/*')

sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Release History
 
+## 4.2.0 (2022-09-13)
+
+### Breaking Changes
+
+- Verify the challenge resource matches the vault domain.
+  This should affect few customers who can set `KeyVaultAdministrationClientOptions.VerifyChallengeResource` to `false` to disable.
+
 ## 4.1.0 (2022-03-24)
 
 Changes from both the last release and the last beta include:

sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs

@@ -39,6 +39,7 @@ public KeyVaultAccessControlClient(System.Uri vaultUri, Azure.Core.TokenCredenti
     public partial class KeyVaultAdministrationClientOptions : Azure.Core.ClientOptions
     {
         public KeyVaultAdministrationClientOptions(Azure.Security.KeyVault.Administration.KeyVaultAdministrationClientOptions.ServiceVersion version = Azure.Security.KeyVault.Administration.KeyVaultAdministrationClientOptions.ServiceVersion.V7_3) { }
+        public bool VerifyChallengeResource { get { throw null; } set { } }
         public Azure.Security.KeyVault.Administration.KeyVaultAdministrationClientOptions.ServiceVersion Version { get { throw null; } }
         public enum ServiceVersion
         {

sdk/keyvault/Azure.Security.KeyVault.Administration/src/Azure.Security.KeyVault.Administration.csproj

@@ -3,7 +3,7 @@
 <PropertyGroup>
     <Description>This is the Microsoft Azure Key Vault Administration client library</Description>
     <AssemblyTitle>Microsoft Azure.Security.KeyVault.Administration client library</AssemblyTitle>
-    <Version>4.1.0</Version>
+    <Version>4.2.0</Version>
     <!--The ApiCompatVersion is managed automatically and should not generally be modified manually.-->
     <ApiCompatVersion>4.0.0</ApiCompatVersion>
     <PackageTags>Microsoft Azure Key Vault Administration;$(PackageCommonTags)</PackageTags>

sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAccessControlClient.cs

@@ -36,7 +36,7 @@ protected KeyVaultAccessControlClient()
         /// <summary>
         /// Initializes a new instance of the <see cref="KeyVaultAccessControlClient"/> class for the specified vault.
         /// </summary>
-        /// <param name="vaultUri">A <see cref="Uri"/> to the vault on which the client operates. Appears as "DNS Name" in the Azure portal.</param>
+        /// <param name="vaultUri">A <see cref="Uri"/> to the vault on which the client operates. Appears as "DNS Name" in the Azure portal. You should validate that this URI references a valid Key Vault or Managed HSM resource. See https://aka.ms/azsdk/blog/vault-uri for details.</param>
         /// <param name="credential">A <see cref="TokenCredential"/> used to authenticate requests to the vault, such as DefaultAzureCredential.</param>
         /// <exception cref="ArgumentNullException"><paramref name="vaultUri"/> or <paramref name="credential"/> is null.</exception>
         public KeyVaultAccessControlClient(Uri vaultUri, TokenCredential credential)
@@ -47,7 +47,7 @@ public KeyVaultAccessControlClient(Uri vaultUri, TokenCredential credential)
         /// <summary>
         /// Initializes a new instance of the <see cref="KeyVaultAccessControlClient"/> class for the specified vault.
         /// </summary>
-        /// <param name="vaultUri">A <see cref="Uri"/> to the vault on which the client operates. Appears as "DNS Name" in the Azure portal.</param>
+        /// <param name="vaultUri">A <see cref="Uri"/> to the vault on which the client operates. Appears as "DNS Name" in the Azure portal. You should validate that this URI references a valid Key Vault or Managed HSM resource. See https://aka.ms/azsdk/blog/vault-uri for details.</param>
         /// <param name="credential">A <see cref="TokenCredential"/> used to authenticate requests to the vault, such as DefaultAzureCredential.</param>
         /// <param name="options"><see cref="KeyVaultAdministrationClientOptions"/> that allow to configure the management of the request sent to Key Vault.</param>
         /// <exception cref="ArgumentNullException"><paramref name="vaultUri"/> or <paramref name="credential"/> is null.</exception>
@@ -62,7 +62,7 @@ public KeyVaultAccessControlClient(Uri vaultUri, TokenCredential credential, Key
             string apiVersion = options.GetVersionString();
 
             HttpPipeline pipeline = HttpPipelineBuilder.Build(options,
-                    new ChallengeBasedAuthenticationPolicy(credential));
+                    new ChallengeBasedAuthenticationPolicy(credential, options.VerifyChallengeResource));
 
             _diagnostics = new ClientDiagnostics(options);
             _definitionsRestClient = new RoleDefinitionsRestClient(_diagnostics, pipeline, apiVersion);

sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAdministrationClientOptions.cs

@@ -59,6 +59,12 @@ public KeyVaultAdministrationClientOptions(ServiceVersion version = LatestVersio
             this.ConfigureLogging();
         }
 
+        /// <summary>
+        /// Gets or sets whether to verify the authentication challenge resource matches the Key Vault or Managed HSM domain.
+        /// The default is true.
+        /// </summary>
+        public bool VerifyChallengeResource { get; set; } = true;
+
         internal string GetVersionString()
         {
             return Version switch

sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultBackupClient.cs

@@ -33,7 +33,7 @@ protected KeyVaultBackupClient()
         /// <summary>
         /// Initializes a new instance of the <see cref="KeyVaultBackupClient"/> class for the specified vault.
         /// </summary>
-        /// <param name="vaultUri">A <see cref="Uri"/> to the vault on which the client operates. Appears as "DNS Name" in the Azure portal.</param>
+        /// <param name="vaultUri">A <see cref="Uri"/> to the vault on which the client operates. Appears as "DNS Name" in the Azure portal. You should validate that this URI references a valid Key Vault or Managed HSM resource. See https://aka.ms/azsdk/blog/vault-uri for details.</param>
         /// <param name="credential">A <see cref="TokenCredential"/> used to authenticate requests to the vault, such as DefaultAzureCredential.</param>
         /// <exception cref="ArgumentNullException"><paramref name="vaultUri"/> or <paramref name="credential"/> is null.</exception>
         public KeyVaultBackupClient(Uri vaultUri, TokenCredential credential)
@@ -43,7 +43,7 @@ public KeyVaultBackupClient(Uri vaultUri, TokenCredential credential)
         /// <summary>
         /// Initializes a new instance of the <see cref="KeyVaultBackupClient"/> class for the specified vault.
         /// </summary>
-        /// <param name="vaultUri">A <see cref="Uri"/> to the vault on which the client operates. Appears as "DNS Name" in the Azure portal.</param>
+        /// <param name="vaultUri">A <see cref="Uri"/> to the vault on which the client operates. Appears as "DNS Name" in the Azure portal You should validate that this URI references a valid Key Vault or Managed HSM resource. See https://aka.ms/azsdk/blog/vault-uri for details..</param>
         /// <param name="credential">A <see cref="TokenCredential"/> used to authenticate requests to the vault, such as DefaultAzureCredential.</param>
         /// <param name="options"><see cref="KeyVaultAdministrationClientOptions"/> that allow to configure the management of the request sent to Key Vault.</param>
         /// <exception cref="ArgumentNullException"><paramref name="vaultUri"/> or <paramref name="credential"/> is null.</exception>
@@ -58,7 +58,7 @@ public KeyVaultBackupClient(Uri vaultUri, TokenCredential credential, KeyVaultAd
             string apiVersion = options.GetVersionString();
 
             HttpPipeline pipeline = HttpPipelineBuilder.Build(options,
-                    new ChallengeBasedAuthenticationPolicy(credential));
+                    new ChallengeBasedAuthenticationPolicy(credential, options.VerifyChallengeResource));
 
             _diagnostics = new ClientDiagnostics(options);
             _restClient = new BackupRestoreRestClient(_diagnostics, pipeline, apiVersion);

sdk/keyvault/Azure.Security.KeyVault.Administration/tests/ChallengeBasedAuthenticationPolicyTests.cs

@@ -2,6 +2,8 @@
 // Licensed under the MIT License.
 
 using System;
+using System.Collections.Generic;
+using System.Linq;
 using System.Threading;
 using System.Threading.Tasks;
 using Azure.Core;
@@ -10,39 +12,85 @@
 
 namespace Azure.Security.KeyVault.Tests
 {
+    [NonParallelizable]
     public class ChallengeBasedAuthenticationPolicyTests : SyncAsyncPolicyTestBase
     {
         internal ChallengeBasedAuthenticationPolicy _policy;
         private const string KeyVaultChallenge = "Bearer authorization=\"https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\", resource=\"https://vault.azure.net\"";
         public ChallengeBasedAuthenticationPolicyTests(bool isAsync) : base(isAsync)
         {
-            _policy = new ChallengeBasedAuthenticationPolicy(new MockCredentialThrowsWithNoScopes());
+            _policy = new ChallengeBasedAuthenticationPolicy(new MockCredentialThrowsWithNoScopes(), true);
         }
 
-        [Test]
-        [NonParallelizable]
-        public async Task ScopesAreInitializedFromCache()
+        [SetUp]
+        public void SetUp()
         {
             // Clear the cache to ensure the test starts with an empty cache.
             ChallengeBasedAuthenticationPolicy.ClearCache();
+        }
 
+        [Test]
+        public async Task ScopesAreInitializedFromCache()
+        {
             var keyvaultChallengeResponse = new MockResponse(401);
             keyvaultChallengeResponse.AddHeader(new HttpHeader("WWW-Authenticate", KeyVaultChallenge));
             MockTransport transport = CreateMockTransport(keyvaultChallengeResponse, new MockResponse(200));
 
-            var response = await SendGetRequest(transport, _policy, uri: new Uri("https://example.com"));
+            Response response = await SendGetRequest(transport, _policy, uri: new Uri("https://myvault.vault.azure.net"));
 
             Assert.That(response.Status, Is.EqualTo(200));
 
             // Construct a new policy so that we can get the Scopes from cache.
-            _policy = new ChallengeBasedAuthenticationPolicy(new MockCredentialThrowsWithNoScopes());
+            _policy = new ChallengeBasedAuthenticationPolicy(new MockCredentialThrowsWithNoScopes(), true);
 
-            transport = CreateMockTransport(keyvaultChallengeResponse, new MockResponse(200));
-            response = await SendGetRequest(transport, _policy, uri: new Uri("https://example.com"));
+            transport = CreateMockTransport(new MockResponse(200));
+            response = await SendGetRequest(transport, _policy, uri: new Uri("https://myvault.vault.azure.net"));
 
             Assert.That(response.Status, Is.EqualTo(200));
         }
 
+        [TestCaseSource(nameof(VerifyChallengeResourceData))]
+        public async Task VerifyChallengeResource(Uri uri, bool verify)
+        {
+            var keyvaultChallengeResponse = new MockResponse(401);
+            keyvaultChallengeResponse.AddHeader(new HttpHeader("WWW-Authenticate", KeyVaultChallenge));
+            MockTransport transport = CreateMockTransport(keyvaultChallengeResponse, new MockResponse(200));
+
+            ChallengeBasedAuthenticationPolicy policy = new(new MockCredentialThrowsWithNoScopes(), verify);
+
+            if (verify)
+            {
+                InvalidOperationException ex = Assert.ThrowsAsync<InvalidOperationException>(async () => await SendGetRequest(transport, policy, uri: uri));
+                Assert.That(ex.Message, Is.EqualTo("The challenge resource 'vault.azure.net' does not match the requested domain."));
+            }
+            else
+            {
+                Response response = await SendGetRequest(transport, policy, uri: uri);
+                Assert.That(response.Status, Is.EqualTo(200));
+            }
+        }
+
+        private static IEnumerable<object[]> VerifyChallengeResourceData => new[]
+        {
+            "https://example.com",
+            "https://examplevault.azure.net",
+            "https://example.vault.azure.com",
+        }.Zip(new[] { false, true }, (uri, verify) => new object[] { new Uri(uri), verify });
+
+        [Test]
+        public void VerifyChallengeResourceInvalidUri()
+        {
+            var keyvaultChallengeResponse = new MockResponse(401);
+            keyvaultChallengeResponse.AddHeader(new HttpHeader("WWW-Authenticate", "Bearer authorization=\"https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47\", resource=\"invalid-uri\""));
+            MockTransport transport = CreateMockTransport(keyvaultChallengeResponse, new MockResponse(200));
+
+            ChallengeBasedAuthenticationPolicy policy = new(new MockCredentialThrowsWithNoScopes(), true);
+            Uri uri = new("https://example.com");
+
+            InvalidOperationException ex = Assert.ThrowsAsync<InvalidOperationException>(async () => await SendGetRequest(transport, policy, uri: uri));
+            Assert.That(ex.Message, Is.EqualTo("The challenge contains invalid scope 'invalid-uri/.default'."));
+        }
+
         public class MockCredentialThrowsWithNoScopes : TokenCredential
         {
             public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)

sdk/keyvault/Azure.Security.KeyVault.Certificates/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Release History
 
+## 4.4.0 (2022-09-13)
+
+### Breaking Changes
+
+- Verify the challenge resource matches the vault domain.
+  This should affect few customers who can set `CertificateClientOptions.VerifyChallengeResource` to `false` to disable.
+
 ## 4.3.0 (2022-03-24)
 
 Changes from both the last release and the last beta include:

sdk/keyvault/Azure.Security.KeyVault.Certificates/api/Azure.Security.KeyVault.Certificates.netstandard2.0.cs

@@ -74,6 +74,7 @@ public CertificateClient(System.Uri vaultUri, Azure.Core.TokenCredential credent
     public partial class CertificateClientOptions : Azure.Core.ClientOptions
     {
         public CertificateClientOptions(Azure.Security.KeyVault.Certificates.CertificateClientOptions.ServiceVersion version = Azure.Security.KeyVault.Certificates.CertificateClientOptions.ServiceVersion.V7_3) { }
+        public bool VerifyChallengeResource { get { throw null; } set { } }
         public Azure.Security.KeyVault.Certificates.CertificateClientOptions.ServiceVersion Version { get { throw null; } }
         public enum ServiceVersion
         {

sdk/keyvault/Azure.Security.KeyVault.Certificates/src/Azure.Security.KeyVault.Certificates.csproj

@@ -3,7 +3,7 @@
   <PropertyGroup>
     <Description>This is the Microsoft Azure Key Vault Certificates client library</Description>
     <AssemblyTitle>Microsoft Azure.Security.KeyVault.Certificates client library</AssemblyTitle>
-    <Version>4.3.0</Version>
+    <Version>4.4.0</Version>
     <!--The ApiCompatVersion is managed automatically and should not generally be modified manually.-->
     <ApiCompatVersion>4.2.0</ApiCompatVersion>
     <PackageTags>Microsoft Azure Key Vault Certificates;$(PackageCommonTags)</PackageTags>

sdk/keyvault/Azure.Security.KeyVault.Certificates/src/CertificateClient.cs

@@ -42,6 +42,7 @@ protected CertificateClient()
         /// <param name="vaultUri">
         /// A <see cref="Uri"/> to the vault on which the client operates. Appears as "DNS Name" in the Azure portal.
         /// If you have a certificate <see cref="Uri"/>, use <see cref="KeyVaultCertificateIdentifier"/> to parse the <see cref="KeyVaultCertificateIdentifier.VaultUri"/> and other information.
+        /// You should validate that this URI references a valid Key Vault resource. See https://aka.ms/azsdk/blog/vault-uri for details.
         /// </param>
         /// <param name="credential">A <see cref="TokenCredential"/> used to authenticate requests to the vault, such as DefaultAzureCredential.</param>
         /// <exception cref="ArgumentNullException"><paramref name="vaultUri"/> or <paramref name="credential"/> is null.</exception>
@@ -56,6 +57,7 @@ public CertificateClient(Uri vaultUri, TokenCredential credential)
         /// <param name="vaultUri">
         /// A <see cref="Uri"/> to the vault on which the client operates. Appears as "DNS Name" in the Azure portal.
         /// If you have a certificate <see cref="Uri"/>, use <see cref="KeyVaultCertificateIdentifier"/> to parse the <see cref="KeyVaultCertificateIdentifier.VaultUri"/> and other information.
+        /// You should validate that this URI references a valid Key Vault resource. See https://aka.ms/azsdk/blog/vault-uri for details.
         /// </param>
         /// <param name="credential">A <see cref="TokenCredential"/> used to authenticate requests to the vault, such as DefaultAzureCredential.</param>
         /// <param name="options"><see cref="CertificateClientOptions"/> that allow to configure the management of the request sent to Key Vault.</param>
@@ -67,7 +69,7 @@ public CertificateClient(Uri vaultUri, TokenCredential credential, CertificateCl
 
             options ??= new CertificateClientOptions();
 
-            HttpPipeline pipeline = HttpPipelineBuilder.Build(options, new ChallengeBasedAuthenticationPolicy(credential));
+            HttpPipeline pipeline = HttpPipelineBuilder.Build(options, new ChallengeBasedAuthenticationPolicy(credential, options.VerifyChallengeResource));
 
             _pipeline = new KeyVaultPipeline(vaultUri, options.GetVersionString(), pipeline, new ClientDiagnostics(options));
         }

sdk/keyvault/Azure.Security.KeyVault.Certificates/src/CertificateClientOptions.cs

@@ -69,6 +69,12 @@ public CertificateClientOptions(ServiceVersion version = LatestVersion)
             this.ConfigureLogging();
         }
 
+        /// <summary>
+        /// Gets or sets whether to verify the authentication challenge resource matches the Key Vault or Managed HSM domain.
+        /// The default is true.
+        /// </summary>
+        public bool VerifyChallengeResource { get; set; } = true;
+
         internal string GetVersionString()
         {
             return Version switch

sdk/keyvault/Azure.Security.KeyVault.Keys/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Release History
 
+## 4.4.0 (2022-09-13)
+
+### Breaking Changes
+
+- Verify the challenge resource matches the vault domain.
+  This should affect few customers who can set `KeyClientOptions.VerifyChallengeResource` or `CryptographyClientOptions.VerifyChallengeResource` to `false` to disable.
+
 ## 4.3.0 (2022-03-24)
 
 Changes from both the last release and the last beta include:

sdk/keyvault/Azure.Security.KeyVault.Keys/api/Azure.Security.KeyVault.Keys.netstandard2.0.cs

@@ -160,6 +160,7 @@ public KeyClient(System.Uri vaultUri, Azure.Core.TokenCredential credential, Azu
     public partial class KeyClientOptions : Azure.Core.ClientOptions
     {
         public KeyClientOptions(Azure.Security.KeyVault.Keys.KeyClientOptions.ServiceVersion version = Azure.Security.KeyVault.Keys.KeyClientOptions.ServiceVersion.V7_3) { }
+        public bool VerifyChallengeResource { get { throw null; } set { } }
         public Azure.Security.KeyVault.Keys.KeyClientOptions.ServiceVersion Version { get { throw null; } }
         public enum ServiceVersion
         {
@@ -424,6 +425,7 @@ public CryptographyClient(System.Uri keyId, Azure.Core.TokenCredential credentia
     public partial class CryptographyClientOptions : Azure.Core.ClientOptions
     {
         public CryptographyClientOptions(Azure.Security.KeyVault.Keys.Cryptography.CryptographyClientOptions.ServiceVersion version = Azure.Security.KeyVault.Keys.Cryptography.CryptographyClientOptions.ServiceVersion.V7_3) { }
+        public bool VerifyChallengeResource { get { throw null; } set { } }
         public Azure.Security.KeyVault.Keys.Cryptography.CryptographyClientOptions.ServiceVersion Version { get { throw null; } }
         public enum ServiceVersion
         {

sdk/keyvault/Azure.Security.KeyVault.Keys/src/Azure.Security.KeyVault.Keys.csproj

@@ -3,7 +3,7 @@
   <PropertyGroup>
     <Description>This is the Microsoft Azure Key Vault Keys client library</Description>
     <AssemblyTitle>Microsoft Azure.Security.KeyVault.Keys client library</AssemblyTitle>
-    <Version>4.3.0</Version>
+    <Version>4.4.0</Version>
     <!--The ApiCompatVersion is managed automatically and should not generally be modified manually.-->
     <ApiCompatVersion>4.2.0</ApiCompatVersion>
     <PackageTags>Microsoft Azure Key Vault Keys;$(PackageCommonTags)</PackageTags>