pagopa · antoniotarricone · Oct 18, 2024 · Oct 18, 2024
@@ -48,7 +48,7 @@ public class AzureUserManagedIdentityClient implements AzureIdentityClient {
 	 * 
 	 * @param identityEndpoint Endpoint to get access token by means of user managed identity
 	 */
-	AzureUserManagedIdentityClient(@ConfigProperty(name = "IDENTITY_ENDPOINT") Optional<String> identityEndpoint) {
+	AzureUserManagedIdentityClient(@ConfigProperty(name = "USER_MANAGED_IDENTITY_ENDPOINT") Optional<String> identityEndpoint) {
 		Log.trace("Azure User Managed Identity client initialization");
 		restClient = QuarkusRestClientBuilder.newBuilder()
 			.baseUri(URI.create(identityEndpoint.orElseThrow()))

@@ -21,7 +21,12 @@
  * Identity.
  * </p>
  * <p>
- * To use this method, the environment variable {@code IDENTITY_CLIENT_ID} must be set.
+ * To use this method, the environment variables {@code USER_MANAGED_IDENTITY_CLIENT_ID} and
+ * {@code USER_MANAGED_IDENTITY_ENDPOINT} must be set.
+ * </p>
+ * <p>
+ * At the moment the value for {@code USER_MANAGED_IDENTITY_ENDPOINT} if
+ * {@code http://169.254.169.254/metadata/identity/oauth2/token}.
  * </p>
  * 
  * @author Antonio Tarricone
@@ -37,8 +42,7 @@ public interface AzureUserManagedIdentityRestClient {
 	 */
 	@GET
 	@Produces(MediaType.APPLICATION_JSON)
-	@ClientQueryParam(name = "api-version", value = "2019-08-01")
-	@ClientQueryParam(name = "client_id", value = "${IDENTITY_CLIENT_ID}")
-	@ClientHeaderParam(name = "x-identity-header", value = "${IDENTITY_HEADER}")
+	@ClientQueryParam(name = "api-version", value = "2018-02-01")
+	@ClientQueryParam(name = "client_id", value = "${USER_MANAGED_IDENTITY_CLIENT_ID}")
 	Uni<AccessToken> getAccessToken(@QueryParam("resource") String scope);
 }
@@ -55,18 +55,22 @@ public class AzureIdentityReactiveService {
 	 * Constructor.
 	 * </p>
 	 * 
-	 * @patam identityClientId   Client ID to get access token by means of user managed identity
-	 * @param identityEndpoint   Endpoint to get access token by means of system/user managed identity
-	 * @param identityHeader     Value to use to set x-identity-header
-	 * @param authorityHost      Endpoint to get access token by means of workload identity
-	 * @param tenantId           Tenant ID
-	 * @param clientId           Client ID
-	 * @param federatedTokenFile Token file with client assertion
-	 * @param anyIdentityClient  Any identity client
+	 * @param userManagedIdentityClientId Client ID to get access token by means of user managed
+	 *                                    identity
+	 * @param userManagedIdentityEndpoint Endpoint to get access token by means of user managed identity
+	 * @param identityEndpoint            Endpoint to get access token by means of system managed
+	 *                                    identity
+	 * @param identityHeader              Value to use to set x-identity-header
+	 * @param authorityHost               Endpoint to get access token by means of workload identity
+	 * @param tenantId                    Tenant ID
+	 * @param clientId                    Client ID
+	 * @param federatedTokenFile          Token file with client assertion
+	 * @param anyIdentityClient           Any identity client
 	 */
 	@Inject
 	AzureIdentityReactiveService(
-		@ConfigProperty(name = "IDENTITY_CLIENT_ID") Optional<String> identityClientId,
+		@ConfigProperty(name = "USER_MANAGED_IDENTITY_CLIENT_ID") Optional<String> userManagedIdentityClientId,
+		@ConfigProperty(name = "USER_MANAGED_IDENTITY_ENDPOINT") Optional<String> userManagedIdentityEndpoint,
 		@ConfigProperty(name = "IDENTITY_ENDPOINT") Optional<String> identityEndpoint,
 		@ConfigProperty(name = "IDENTITY_HEADER") Optional<String> identityHeader,
 		@ConfigProperty(name = "AZURE_AUTHORITY_HOST") Optional<String> authorityHost,
@@ -77,18 +81,18 @@ public class AzureIdentityReactiveService {
 		/*
 		 * Initialize identity client.
 		 */
-		if (identityEndpoint.isPresent() && identityHeader.isPresent() && identityClientId.isPresent()) {
+		if (userManagedIdentityClientId.isPresent() && userManagedIdentityEndpoint.isPresent()) {
 			Log.debug("Azure User Managed Identity will be use");
 			identityClient = anyIdentityClient.select(AzureUserManagedIdentityClient.class).get();
-	    } else if (identityEndpoint.isPresent() && identityHeader.isPresent()) {
+		} else if (identityEndpoint.isPresent() && identityHeader.isPresent()) {
 			Log.debug("Azure System Managed Identity will be use");
 			identityClient = anyIdentityClient.select(AzureSystemManagedIdentityClient.class).get();
 		} else if (authorityHost.isPresent() && tenantId.isPresent() && clientId.isPresent() && federatedTokenFile.isPresent()) {
 			Log.debug("Azure Workload Identity will be use");
 			identityClient = anyIdentityClient.select(AzureWorkloadIdentityClient.class).get();
 		} else {
-			Log.fatal("IDENTITY_CLIENT_ID and IDENTITY_ENDPOINT and IDENTITY_HEADER must not be null or IDENTITY_ENDPOINT and IDENTITY_HEADER must not be null or AZURE_AUTHORITY_HOST and AZURE_TENANT_ID and AZURE_CLIENT_ID and AZURE_FEDERATED_TOKEN_FILE must not be null");
-			throw new DeploymentException("IDENTITY_CLIENT_ID and IDENTITY_ENDPOINT and IDENTITY_HEADER must not be null or IDENTITY_ENDPOINT and IDENTITY_HEADER must not be null or AZURE_AUTHORITY_HOST and AZURE_TENANT_ID and AZURE_CLIENT_ID and AZURE_FEDERATED_TOKEN_FILE must not be null");
+			Log.fatal("USER_MANAGED_IDENTITY_CLIENT_ID and USER_MANAGED_IDENTITY_ENDPOINT must not be null or IDENTITY_ENDPOINT and IDENTITY_HEADER must not be null or AZURE_AUTHORITY_HOST and AZURE_TENANT_ID and AZURE_CLIENT_ID and AZURE_FEDERATED_TOKEN_FILE must not be null");
+			throw new DeploymentException("USER_MANAGED_IDENTITY_CLIENT_ID and USER_MANAGED_IDENTITY_ENDPOINT must not be null or IDENTITY_ENDPOINT and IDENTITY_HEADER must not be null or AZURE_AUTHORITY_HOST and AZURE_TENANT_ID and AZURE_CLIENT_ID and AZURE_FEDERATED_TOKEN_FILE must not be null");
 		}
 
 		/*

@@ -84,6 +84,7 @@ void given_emptyCache_when_getAccessTokenInvoked_then_getNewOneCacheAndReturnIt(
 			Optional.empty(),
 			Optional.empty(),
 			Optional.empty(),
+			Optional.empty(),
 			Optional.of("https://login.microsoftonline.com/"),
 			Optional.of("da795842-fa15-4fd4-b556-f371ac9bafed"),
 			Optional.of("aeeb30a1-2d89-42bd-832c-69dc15a53d36"),
@@ -128,6 +129,7 @@ void given_storedAccessToken_when_getAccessTokenInvoked_then_getReturnIt() {
 		 * Test
 		 */
 		AzureIdentityReactiveService identityService = spy(new AzureIdentityReactiveService(
+			Optional.empty(),
 			Optional.empty(),
 			Optional.of("https://login.microsoftonline.com/"),
 			Optional.of("45ed57a0-ec26-41c9-8333-29daf37697d3"),
@@ -189,6 +191,7 @@ void given_expAccessTokenStored_when_getAccessTokenInvoked_then_getNewOneCacheAn
 			Optional.empty(),
 			Optional.empty(),
 			Optional.empty(),
+			Optional.empty(),
 			Optional.of("https://login.microsoftonline.com/"),
 			Optional.of("da795842-fa15-4fd4-b556-f371ac9bafed"),
 			Optional.of("aeeb30a1-2d89-42bd-832c-69dc15a53d36"),
@@ -226,6 +229,7 @@ void given_systemManagedIdEnvironment_when_invokeGet_then_returnSuitableClient()
 			.thenReturn(identityClientInstance);
 
 		AzureIdentityReactiveService service = new AzureIdentityReactiveService(
+			Optional.empty(),
 			Optional.empty(),
 			Optional.of("https://login.microsoftonline.com/"),
 			Optional.of("45ed57a0-ec26-41c9-8333-29daf37697d3"),
@@ -246,6 +250,7 @@ void given_partialSystemManagedIdEnvironment_when_invokeGet_then_throwException(
 		assertThrows( // NOSONAR
 			DeploymentException.class,
 			() -> new AzureIdentityReactiveService(
+				Optional.empty(),
 				Optional.empty(),
 				Optional.of("https://login.microsoftonline.com/"),
 				Optional.empty(),
@@ -274,7 +279,8 @@ void given_userManagedIdEnvironment_when_invokeGet_then_returnSuitableClient() {
 		AzureIdentityReactiveService service = new AzureIdentityReactiveService(
 			Optional.of("67a40498-91c1-4e4c-9c43-8aeb09c0de5e"),
 			Optional.of("https://login.microsoftonline.com/"),
-			Optional.of("45ed57a0-ec26-41c9-8333-29daf37697d3"),
+			Optional.empty(),
+			Optional.empty(),
 			Optional.empty(),
 			Optional.empty(),
 			Optional.empty(),
@@ -299,6 +305,7 @@ void given_partialUserManagedIdEnvironment_when_invokeGet_then_throwException()
 				Optional.empty(),
 				Optional.empty(),
 				Optional.empty(),
+				Optional.empty(),
 				null));
 	}
 
@@ -321,6 +328,7 @@ void given_workloadIdEnvironment_when_invokeGet_then_returnSuitableClient() {
 			Optional.empty(),
 			Optional.empty(),
 			Optional.empty(),
+			Optional.empty(),
 			Optional.of("https://login.microsoftonline.com/"),
 			Optional.of("da795842-fa15-4fd4-b556-f371ac9bafed"),
 			Optional.of("aeeb30a1-2d89-42bd-832c-69dc15a53d36"),
@@ -341,6 +349,7 @@ void given_partialWorkloadIdEnvironment_when_invokeGet_then_throwException() {
 				Optional.empty(),
 				Optional.empty(),
 				Optional.empty(),
+				Optional.empty(),
 				Optional.of("https://login.microsoftonline.com/"),
 				Optional.empty(),
 				Optional.empty(),
@@ -363,6 +372,7 @@ void given_noIdentityEnvironment_when_invokeGet_then_throwException() {
 				Optional.empty(),
 				Optional.empty(),
 				Optional.empty(),
+				Optional.empty(),
 				null));
 	}
 }