Support reference signing keys by name (#22)

Azure · Jun 1, 2022 · 79a19c8 · 79a19c8
1 parent b8a6d14
commit 79a19c8
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 17 deletions.
diff --git a/go.mod b/go.mod
@@ -3,7 +3,7 @@ module github.com/Azure/notation-azure-kv
 go 1.17
 
 require (
-	github.com/Azure/azure-sdk-for-go v63.4.0+incompatible
+	github.com/Azure/azure-sdk-for-go v65.0.0+incompatible
 	github.com/Azure/go-autorest/autorest v0.11.24
 	github.com/notaryproject/notation-go v0.8.0-alpha.1.0.20220518191708-407537596ed5
 	github.com/urfave/cli/v2 v2.3.0

diff --git a/go.sum b/go.sum
@@ -1,5 +1,5 @@
-github.com/Azure/azure-sdk-for-go v63.4.0+incompatible h1:fle3M5Q7vr8auaiPffKyUQmLbvYeqpw30bKU6PrWJFo=
-github.com/Azure/azure-sdk-for-go v63.4.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
+github.com/Azure/azure-sdk-for-go v65.0.0+incompatible h1:HzKLt3kIwMm4KeJYTdx9EbjRYTySD/t8i1Ee/W5EGXw=
+github.com/Azure/azure-sdk-for-go v65.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
 github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
 github.com/Azure/go-autorest/autorest v0.11.24 h1:1fIGgHKqVm54KIPT+q8Zmd1QlVsmHqeUGso5qm2BqqE=

diff --git a/internal/cloud/keyvault.go b/internal/cloud/keyvault.go
@@ -7,10 +7,12 @@ import (
 	"errors"
 	"fmt"
 	"net/url"
+	"os"
 	"strings"
 
 	"github.com/Azure/azure-sdk-for-go/services/keyvault/auth"
 	"github.com/Azure/azure-sdk-for-go/services/keyvault/v7.1/keyvault"
+	"github.com/Azure/go-autorest/autorest/azure"
 )
 
 // NewAzureClient returns a new Azure Key Vault client authorized in the order:
@@ -38,14 +40,13 @@ func NewAzureClient() (*keyvault.BaseClient, error) {
 type Key struct {
 	Client *keyvault.BaseClient
 
-	id           string
 	vaultBaseURL string
 	name         string
 	version      string
 }
 
-// NewKey create a remote key referenced by a key identifier.
-func NewKey(client *keyvault.BaseClient, keyID string) (*Key, error) {
+// NewKeyFromID create a remote key referenced by a key identifier.
+func NewKeyFromID(client *keyvault.BaseClient, keyID string) (*Key, error) {
 	keyURL, err := url.Parse(keyID)
 	if err != nil {
 		return nil, fmt.Errorf("invalid keyID: %q is not a valid URI", keyID)
@@ -56,12 +57,36 @@ func NewKey(client *keyvault.BaseClient, keyID string) (*Key, error) {
 		return nil, fmt.Errorf("invalid keyID: the specified uri %q, does to match the specified format \"{vault}/keys/{name}/{version?}\"", keyID)
 	}
 
+	return &Key{
+			Client:       client,
+			vaultBaseURL: keyURL.Scheme + "://" + keyURL.Host,
+			name:         parts[1],
+			version:      parts[2],
+		},
+		nil
+}
+
+// NewKey create a remote key reference.
+func NewKey(client *keyvault.BaseClient, vaultName, keyName, keyVersion string) (*Key, error) {
+	dnssuffix := os.Getenv("AZURE_KEYVAULT_DNSSUFFIX")
+	if dnssuffix == "" {
+		var env azure.Environment
+		if envName := os.Getenv("AZURE_ENVIRONMENT"); envName == "" {
+			env = azure.PublicCloud
+		} else {
+			var err error
+			env, err = azure.EnvironmentFromName(envName)
+			if err != nil {
+				return nil, err
+			}
+		}
+		dnssuffix = env.KeyVaultDNSSuffix
+	}
 	return &Key{
 		Client:       client,
-		id:           keyID,
-		vaultBaseURL: keyURL.Scheme + "://" + keyURL.Host,
-		name:         parts[1],
-		version:      parts[2],
+		vaultBaseURL: "https://" + vaultName + "." + dnssuffix,
+		name:         keyName,
+		version:      keyVersion,
 	}, nil
 }
 
@@ -86,8 +111,8 @@ func (k *Key) Sign(ctx context.Context, algorithm keyvault.JSONWebKeySignatureAl
 	}
 
 	// Verify the result
-	if res.Kid == nil || *res.Kid != k.id {
-		return nil, errors.New("azure: response key id mismatch")
+	if res.Kid == nil {
+		return nil, errors.New("azure: nil kid")
 	}
 	if res.Result == nil {
 		return nil, errors.New("azure: invalid server response")

diff --git a/internal/signature/key.go b/internal/signature/key.go
@@ -10,12 +10,16 @@ import (
 	"github.com/notaryproject/notation-go/plugin"
 )
 
-func newKey(keyID string) (*cloud.Key, error) {
+func newKey(keyID string, pluginConfig map[string]string) (*cloud.Key, error) {
 	client, err := cloud.NewAzureClient()
 	if err != nil {
 		return nil, err
 	}
-	return cloud.NewKey(client, keyID)
+	if vaultName := pluginConfig["vaultName"]; vaultName != "" {
+		keyVersion := pluginConfig["keyVersion"]
+		return cloud.NewKey(client, vaultName, keyID, keyVersion)
+	}
+	return cloud.NewKeyFromID(client, keyID)
 }
 
 func Key(ctx context.Context, req *plugin.DescribeKeyRequest) (*plugin.DescribeKeyResponse, error) {
@@ -25,9 +29,12 @@ func Key(ctx context.Context, req *plugin.DescribeKeyRequest) (*plugin.DescribeK
 			Err:  errors.New("invalid request input"),
 		}
 	}
-	key, err := newKey(req.KeyID)
+	key, err := newKey(req.KeyID, req.PluginConfig)
 	if err != nil {
-		return nil, err
+		return nil, plugin.RequestError{
+			Code: plugin.ErrorCodeValidation,
+			Err:  err,
+		}
 	}
 	cert, err := key.Certificate(ctx)
 	if err != nil {

diff --git a/internal/signature/signer.go b/internal/signature/signer.go
@@ -24,7 +24,7 @@ func Sign(ctx context.Context, req *plugin.GenerateSignatureRequest) (*plugin.Ge
 			Err:  errors.New("invalid request input"),
 		}
 	}
-	key, err := newKey(req.KeyID)
+	key, err := newKey(req.KeyID, req.PluginConfig)
 	if err != nil {
 		return nil, plugin.RequestError{
 			Code: plugin.ErrorCodeValidation,