public void CannotAcquireTokenThroughCertTest()
{
// Import the test certificate.
X509Certificate2 cert = new X509Certificate2(Convert.FromBase64String(Constants.TestCert), string.Empty);
CertUtil.ImportCertificate(cert);
// MockAuthenticationContext is being asked to act like client cert auth failed.
MockAuthenticationContext mockAuthenticationContext = new MockAuthenticationContext(MockAuthenticationContext.MockAuthenticationContextTestType.AcquireInvalidTokenAsyncFail);
// Create ClientCertificateAzureServiceTokenProvider instance with a subject name
ClientCertificateAzureServiceTokenProvider provider = new ClientCertificateAzureServiceTokenProvider(Constants.TestAppId,
cert.Subject, CertificateIdentifierType.SubjectName, Constants.CurrentUserStore, Constants.TenantId, Constants.AzureAdInstance, mockAuthenticationContext);
// Get the token. This will test that ClientCertificateAzureServiceTokenProvider could fetch the cert from CurrentUser store based on subject name in the connection string.
var exception = Assert.ThrowsAsync <AzureServiceTokenProviderException>(() => provider.GetAuthResultAsync(Constants.KeyVaultResourceId, string.Empty));
// Delete the cert, since testing is done.
CertUtil.DeleteCertificate(cert.Thumbprint);
Assert.Contains(Constants.TokenFormatExceptionMessage, exception.Result.Message);
Assert.Contains(Constants.TokenNotInExpectedFormatError, exception.Result.Message);
}
/// <summary>
/// One must be logged in using Azure CLI and set AppAuthenticationTestCertUrl to a secret URL for a certificate in Key Vault before running this test.
/// The test creates a new Azure AD application and service principal, uses the cert as the credential, and then uses the library to authenticate to it, using the cert.
/// After the cert, the Azure AD application is deleted. Cert is removed from current user store on the machine.
/// </summary>
/// <param name="certIdentifierType"></param>
/// <returns></returns>
private async Task GetTokenUsingServicePrincipalWithCertTestImpl(CertIdentifierType certIdentifierType)
{
string testCertUrl = Environment.GetEnvironmentVariable(Constants.TestCertUrlEnv);
// Get a certificate from key vault.
// For security, this certificate is not hard coded in the test case, since it gets added as app credential in Azure AD, and may not get removed.
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider(Constants.AzureCliConnectionString);
KeyVaultHelper keyVaultHelper = new KeyVaultHelper(new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)));
string certAsString = await keyVaultHelper.ExportCertificateAsBlob(testCertUrl).ConfigureAwait(false);
X509Certificate2 cert = new X509Certificate2(Convert.FromBase64String(certAsString), string.Empty);
// Create an application
GraphHelper graphHelper = new GraphHelper(_tenantId);
Application app = await graphHelper.CreateApplicationAsync(cert).ConfigureAwait(false);
// Get token using service principal, this will cache the cert
AppAuthenticationResult authResult = null;
int count = 5;
string thumbprint = cert.Thumbprint?.ToLower();
// Construct connection string using client id and cert info
string connectionString = null;
switch (certIdentifierType)
{
case CertIdentifierType.SubjectName:
case CertIdentifierType.Thumbprint:
string thumbprintOrSubjectName = (certIdentifierType == CertIdentifierType.Thumbprint) ? $"CertificateThumbprint={thumbprint}" : $"CertificateSubjectName={cert.Subject}";
connectionString = $"RunAs=App;AppId={app.AppId};TenantId={_tenantId};{thumbprintOrSubjectName};CertificateStoreLocation={Constants.CurrentUserStore};";
break;
case CertIdentifierType.KeyVaultCertificateSecretIdentifier:
connectionString = $"RunAs=App;AppId={app.AppId};TenantId={_tenantId};CertificateKeyVaultCertificateSecretIdentifier={testCertUrl};";
break;
}
AzureServiceTokenProvider astp =
new AzureServiceTokenProvider(connectionString);
if (certIdentifierType == CertIdentifierType.SubjectName ||
certIdentifierType == CertIdentifierType.Thumbprint)
{
// Import the certificate
CertUtil.ImportCertificate(cert);
}
while (authResult == null && count > 0)
{
try
{
await astp.GetAccessTokenAsync(Constants.KeyVaultResourceId);
authResult = await astp.GetAuthenticationResultAsync(Constants.SqlAzureResourceId, _tenantId);
}
catch
{
// It takes time for Azure AD to realize a new application has been added.
await Task.Delay(15000);
count--;
}
}
if (certIdentifierType == CertIdentifierType.SubjectName ||
certIdentifierType == CertIdentifierType.Thumbprint)
{
// Delete the cert
CertUtil.DeleteCertificate(cert.Thumbprint);
var deletedCert = CertUtil.GetCertificate(cert.Thumbprint);
Assert.Null(deletedCert);
}
// Get token again using a cert which is deleted, but in the cache
await astp.GetAccessTokenAsync(Constants.SqlAzureResourceId, _tenantId);
// Delete the application and service principal
await graphHelper.DeleteApplicationAsync(app);
Validator.ValidateToken(authResult.AccessToken, astp.PrincipalUsed, Constants.AppType, _tenantId,
app.AppId, cert.Thumbprint, expiresOn: authResult.ExpiresOn);
}
