Update a couple bearer token policies to use CoreUtils.parseAuthenticateHeader (#46927)

* Use CoreUtils.parseAuthenticateHeader to resolve challenge issue

* Also update Key Vault

* Fix linting

Author: alzimmermsft

sdk/containerregistry/azure-containers-containerregistry/src/main/java/com/azure/containers/containerregistry/implementation/authentication/ContainerRegistryCredentialsPolicy.java

@@ -8,6 +8,8 @@
 import com.azure.core.http.HttpPipelineCallContext;
 import com.azure.core.http.HttpResponse;
 import com.azure.core.http.policy.BearerTokenAuthenticationPolicy;
+import com.azure.core.util.AuthenticateChallenge;
+import com.azure.core.util.CoreUtils;
 import reactor.core.publisher.Mono;
 
 /**
@@ -71,12 +73,10 @@ public Mono<Boolean> authorizeRequestOnChallenge(HttpPipelineCallContext context
         if (!(response.getStatusCode() == 401 && authHeader != null)) {
             return Mono.just(false);
         } else {
-            String scope = extractValue(authHeader, SCOPES_PARAMETER);
-            String serviceName = extractValue(authHeader, SERVICE_PARAMETER);
+            ContainerRegistryTokenRequestContext tokenRequestContext = createTokenRequestContext(authHeader);
 
-            if (scope != null && serviceName != null) {
-                return setAuthorizationHeader(context, new ContainerRegistryTokenRequestContext(serviceName, scope))
-                    .thenReturn(true);
+            if (tokenRequestContext != null) {
+                return setAuthorizationHeader(context, tokenRequestContext).thenReturn(true);
             }
             return Mono.just(false);
         }
@@ -86,7 +86,6 @@ public Mono<Boolean> authorizeRequestOnChallenge(HttpPipelineCallContext context
      * Executed before sending the initial request and authenticates the request.
      *
      * @param context The request context.
-     * @return A {@link Mono} containing {@link Void}
      */
     @Override
     public void authorizeRequestSync(HttpPipelineCallContext context) {
@@ -111,39 +110,28 @@ public boolean authorizeRequestOnChallengeSync(HttpPipelineCallContext context,
         if (!(response.getStatusCode() == 401 && authHeader != null)) {
             return false;
         } else {
-            String scope = extractValue(authHeader, SCOPES_PARAMETER);
-            String serviceName = extractValue(authHeader, SERVICE_PARAMETER);
-
-            if (scope != null && serviceName != null) {
-                setAuthorizationHeaderSync(context, new ContainerRegistryTokenRequestContext(serviceName, scope));
+            ContainerRegistryTokenRequestContext tokenRequestContext = createTokenRequestContext(authHeader);
+            if (tokenRequestContext != null) {
+                setAuthorizationHeaderSync(context, tokenRequestContext);
                 return true;
             }
         }
 
         return false;
     }
 
-    /**
-     * Extracts value for given key in www-authenticate header.
-     * Expects key="value" format and return value without quotes.
-     *
-     * returns if value is not found
-     */
-    private String extractValue(String authHeader, String key) {
-        int start = authHeader.indexOf(key);
-        if (start < 0 || authHeader.length() - start < key.length() + 3) {
-            return null;
-        }
+    private static ContainerRegistryTokenRequestContext createTokenRequestContext(String authHeader) {
+        AuthenticateChallenge bearerChallenge = CoreUtils.parseAuthenticateHeader(authHeader)
+            .stream()
+            .filter(challenge -> "Bearer".equalsIgnoreCase(challenge.getScheme()))
+            .findFirst()
+            .orElse(null);
 
-        start += key.length();
-        if (authHeader.charAt(start) == '=' && authHeader.charAt(start + 1) == '"') {
-            start += 2;
-            int end = authHeader.indexOf('"', start);
-            if (end > start) {
-                return authHeader.substring(start, end);
-            }
-        }
+        String scope = bearerChallenge.getParameters().get(SCOPES_PARAMETER);
+        String serviceName = bearerChallenge.getParameters().get(SERVICE_PARAMETER);
 
-        return null;
+        return (scope != null && serviceName != null)
+            ? new ContainerRegistryTokenRequestContext(serviceName, scope)
+            : null;
     }
 }

sdk/keyvault/azure-security-keyvault-administration/src/main/java/com/azure/security/keyvault/administration/implementation/KeyVaultCredentialPolicy.java

@@ -10,6 +10,7 @@
 import com.azure.core.http.HttpRequest;
 import com.azure.core.http.HttpResponse;
 import com.azure.core.http.policy.BearerTokenAuthenticationPolicy;
+import com.azure.core.util.AuthenticateChallenge;
 import com.azure.core.util.Base64Util;
 import com.azure.core.util.BinaryData;
 import com.azure.core.util.CoreUtils;
@@ -23,8 +24,6 @@
 import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
 import java.util.Collections;
-import java.util.HashMap;
-import java.util.Locale;
 import java.util.Map;
 import java.util.Optional;
 import java.util.concurrent.ConcurrentHashMap;
@@ -41,7 +40,6 @@
  */
 public class KeyVaultCredentialPolicy extends BearerTokenAuthenticationPolicy {
     private static final ClientLogger LOGGER = new ClientLogger(KeyVaultCredentialPolicy.class);
-    private static final String BEARER_TOKEN_PREFIX = "Bearer ";
     private static final String KEY_VAULT_STASHED_CONTENT_KEY = "KeyVaultCredentialPolicyStashedBody";
     private static final String KEY_VAULT_STASHED_CONTENT_LENGTH_KEY = "KeyVaultCredentialPolicyStashedContentLength";
     private static final ConcurrentMap<String, ChallengeParameters> CHALLENGE_CACHE = new ConcurrentHashMap<>();
@@ -63,40 +61,20 @@ public KeyVaultCredentialPolicy(TokenCredential credential, boolean disableChall
      * Extracts attributes off the bearer challenge in the authentication header.
      *
      * @param authenticateHeader The authentication header containing the challenge.
-     * @param authChallengePrefix The authentication challenge name.
-     *
      * @return A challenge attributes map.
      */
-    private static Map<String, String> extractChallengeAttributes(String authenticateHeader,
-        String authChallengePrefix) {
-        if (!isBearerChallenge(authenticateHeader, authChallengePrefix)) {
+    private static Map<String, String> extractChallengeAttributes(String authenticateHeader) {
+        AuthenticateChallenge bearerChallenge = CoreUtils.parseAuthenticateHeader(authenticateHeader)
+            .stream()
+            .filter(challenge -> "Bearer".equalsIgnoreCase(challenge.getScheme()))
+            .findFirst()
+            .orElse(null);
+
+        if (bearerChallenge == null) {
             return Collections.emptyMap();
         }
 
-        String[] attributes = authenticateHeader.replace("\"", "").substring(authChallengePrefix.length()).split(",");
-        Map<String, String> attributeMap = new HashMap<>();
-
-        for (String pair : attributes) {
-            // Using trim is ugly, but we need it here because currently the 'claims' attribute comes after two spaces.
-            String[] keyValue = pair.trim().split("=", 2);
-
-            attributeMap.put(keyValue[0], keyValue[1]);
-        }
-
-        return attributeMap;
-    }
-
-    /**
-     * Verifies whether a challenge is bearer or not.
-     *
-     * @param authenticateHeader The authentication header containing all the challenges.
-     * @param authChallengePrefix The authentication challenge name.
-     *
-     * @return A boolean indicating if the challenge is a bearer challenge or not.
-     */
-    private static boolean isBearerChallenge(String authenticateHeader, String authChallengePrefix) {
-        return (!CoreUtils.isNullOrEmpty(authenticateHeader)
-            && authenticateHeader.toLowerCase(Locale.ROOT).startsWith(authChallengePrefix.toLowerCase(Locale.ROOT)));
+        return bearerChallenge.getParameters();
     }
 
     @Override
@@ -154,7 +132,7 @@ public Mono<Boolean> authorizeRequestOnChallenge(HttpPipelineCallContext context
 
             String authority = getRequestAuthority(request);
             Map<String, String> challengeAttributes
-                = extractChallengeAttributes(response.getHeaderValue(WWW_AUTHENTICATE), BEARER_TOKEN_PREFIX);
+                = extractChallengeAttributes(response.getHeaderValue(WWW_AUTHENTICATE));
             String scope = challengeAttributes.get("resource");
 
             if (scope != null) {
@@ -271,8 +249,7 @@ public boolean authorizeRequestOnChallengeSync(HttpPipelineCallContext context,
         }
 
         String authority = getRequestAuthority(request);
-        Map<String, String> challengeAttributes
-            = extractChallengeAttributes(response.getHeaderValue(WWW_AUTHENTICATE), BEARER_TOKEN_PREFIX);
+        Map<String, String> challengeAttributes = extractChallengeAttributes(response.getHeaderValue(WWW_AUTHENTICATE));
         String scope = challengeAttributes.get("resource");
 
         if (scope != null) {
@@ -436,7 +413,7 @@ && isClaimsPresent(newResponse)
 
     private boolean isClaimsPresent(HttpResponse httpResponse) {
         Map<String, String> challengeAttributes
-            = extractChallengeAttributes(httpResponse.getHeaderValue(WWW_AUTHENTICATE), BEARER_TOKEN_PREFIX);
+            = extractChallengeAttributes(httpResponse.getHeaderValue(WWW_AUTHENTICATE));
 
         String error = challengeAttributes.get("error");
 
@@ -517,10 +494,10 @@ private static boolean isChallengeResourceValid(HttpRequest request, String scop
                 new RuntimeException(String.format("The challenge resource '%s' is not a valid URI.", scope), e));
         }
 
+        String host = request.getUrl().getHost();
+        String toEndWith = "." + scopeUri.getHost();
+
         // Returns false if the host specified in the scope does not match the requested domain.
-        return request.getUrl()
-            .getHost()
-            .toLowerCase(Locale.ROOT)
-            .endsWith("." + scopeUri.getHost().toLowerCase(Locale.ROOT));
+        return host.regionMatches(true, host.length() - toEndWith.length(), toEndWith, 0, toEndWith.length());
     }
 }

sdk/keyvault/azure-security-keyvault-certificates/src/main/java/com/azure/security/keyvault/certificates/implementation/KeyVaultCredentialPolicy.java

@@ -10,6 +10,7 @@
 import com.azure.core.http.HttpRequest;
 import com.azure.core.http.HttpResponse;
 import com.azure.core.http.policy.BearerTokenAuthenticationPolicy;
+import com.azure.core.util.AuthenticateChallenge;
 import com.azure.core.util.Base64Util;
 import com.azure.core.util.BinaryData;
 import com.azure.core.util.CoreUtils;
@@ -23,8 +24,6 @@
 import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
 import java.util.Collections;
-import java.util.HashMap;
-import java.util.Locale;
 import java.util.Map;
 import java.util.Optional;
 import java.util.concurrent.ConcurrentHashMap;
@@ -41,7 +40,6 @@
  */
 public class KeyVaultCredentialPolicy extends BearerTokenAuthenticationPolicy {
     private static final ClientLogger LOGGER = new ClientLogger(KeyVaultCredentialPolicy.class);
-    private static final String BEARER_TOKEN_PREFIX = "Bearer ";
     private static final String KEY_VAULT_STASHED_CONTENT_KEY = "KeyVaultCredentialPolicyStashedBody";
     private static final String KEY_VAULT_STASHED_CONTENT_LENGTH_KEY = "KeyVaultCredentialPolicyStashedContentLength";
     private static final ConcurrentMap<String, ChallengeParameters> CHALLENGE_CACHE = new ConcurrentHashMap<>();
@@ -63,40 +61,20 @@ public KeyVaultCredentialPolicy(TokenCredential credential, boolean disableChall
      * Extracts attributes off the bearer challenge in the authentication header.
      *
      * @param authenticateHeader The authentication header containing the challenge.
-     * @param authChallengePrefix The authentication challenge name.
-     *
      * @return A challenge attributes map.
      */
-    private static Map<String, String> extractChallengeAttributes(String authenticateHeader,
-        String authChallengePrefix) {
-        if (!isBearerChallenge(authenticateHeader, authChallengePrefix)) {
+    private static Map<String, String> extractChallengeAttributes(String authenticateHeader) {
+        AuthenticateChallenge bearerChallenge = CoreUtils.parseAuthenticateHeader(authenticateHeader)
+            .stream()
+            .filter(challenge -> "Bearer".equalsIgnoreCase(challenge.getScheme()))
+            .findFirst()
+            .orElse(null);
+
+        if (bearerChallenge == null) {
             return Collections.emptyMap();
         }
 
-        String[] attributes = authenticateHeader.replace("\"", "").substring(authChallengePrefix.length()).split(",");
-        Map<String, String> attributeMap = new HashMap<>();
-
-        for (String pair : attributes) {
-            // Using trim is ugly, but we need it here because currently the 'claims' attribute comes after two spaces.
-            String[] keyValue = pair.trim().split("=", 2);
-
-            attributeMap.put(keyValue[0], keyValue[1]);
-        }
-
-        return attributeMap;
-    }
-
-    /**
-     * Verifies whether a challenge is bearer or not.
-     *
-     * @param authenticateHeader The authentication header containing all the challenges.
-     * @param authChallengePrefix The authentication challenge name.
-     *
-     * @return A boolean indicating if the challenge is a bearer challenge or not.
-     */
-    private static boolean isBearerChallenge(String authenticateHeader, String authChallengePrefix) {
-        return (!CoreUtils.isNullOrEmpty(authenticateHeader)
-            && authenticateHeader.toLowerCase(Locale.ROOT).startsWith(authChallengePrefix.toLowerCase(Locale.ROOT)));
+        return bearerChallenge.getParameters();
     }
 
     @Override
@@ -154,7 +132,7 @@ public Mono<Boolean> authorizeRequestOnChallenge(HttpPipelineCallContext context
 
             String authority = getRequestAuthority(request);
             Map<String, String> challengeAttributes
-                = extractChallengeAttributes(response.getHeaderValue(WWW_AUTHENTICATE), BEARER_TOKEN_PREFIX);
+                = extractChallengeAttributes(response.getHeaderValue(WWW_AUTHENTICATE));
             String scope = challengeAttributes.get("resource");
 
             if (scope != null) {
@@ -271,8 +249,7 @@ public boolean authorizeRequestOnChallengeSync(HttpPipelineCallContext context,
         }
 
         String authority = getRequestAuthority(request);
-        Map<String, String> challengeAttributes
-            = extractChallengeAttributes(response.getHeaderValue(WWW_AUTHENTICATE), BEARER_TOKEN_PREFIX);
+        Map<String, String> challengeAttributes = extractChallengeAttributes(response.getHeaderValue(WWW_AUTHENTICATE));
         String scope = challengeAttributes.get("resource");
 
         if (scope != null) {
@@ -436,7 +413,7 @@ && isClaimsPresent(newResponse)
 
     private boolean isClaimsPresent(HttpResponse httpResponse) {
         Map<String, String> challengeAttributes
-            = extractChallengeAttributes(httpResponse.getHeaderValue(WWW_AUTHENTICATE), BEARER_TOKEN_PREFIX);
+            = extractChallengeAttributes(httpResponse.getHeaderValue(WWW_AUTHENTICATE));
 
         String error = challengeAttributes.get("error");
 
@@ -517,10 +494,10 @@ private static boolean isChallengeResourceValid(HttpRequest request, String scop
                 new RuntimeException(String.format("The challenge resource '%s' is not a valid URI.", scope), e));
         }
 
+        String host = request.getUrl().getHost();
+        String toEndWith = "." + scopeUri.getHost();
+
         // Returns false if the host specified in the scope does not match the requested domain.
-        return request.getUrl()
-            .getHost()
-            .toLowerCase(Locale.ROOT)
-            .endsWith("." + scopeUri.getHost().toLowerCase(Locale.ROOT));
+        return host.regionMatches(true, host.length() - toEndWith.length(), toEndWith, 0, toEndWith.length());
     }
 }