[Feature] Enable get-token and bootstrap certificate from Key Vault (#613)

This pull request adds two new features to Virtual Client: a get-token subcommand to retrieve Azure access tokens for Key Vault authentication, and enhanced bootstrap command functionality to support certificate installation from Azure Key Vault. The implementation allows users to either use default Azure credential flows or explicitly provide an access token for Key Vault operations.

Changes:
Added get-token subcommand that acquires Azure access tokens using interactive browser authentication with device-code fallback
Enhanced bootstrap subcommand to support certificate installation from Azure Key Vault in addition to package installation
Introduced new components KeyVaultAccessToken and CertificateInstallation for token acquisition and certificate management

---------

authored-by: Nirjan Chapagain <nchapagain@example.com>

Author: nchapagain001

VERSION

@@ -1 +1 @@
-2.1.57
+2.1.58

src/VirtualClient/VirtualClient.Actions.FunctionalTests/GetAccessTokenProfileTests.cs

@@ -0,0 +1,63 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+namespace VirtualClient.Actions
+{
+    using System;
+    using System.Collections.Generic;
+    using System.Linq;
+    using System.Threading;
+    using System.Threading.Tasks;
+    using Moq;
+    using NUnit.Framework;
+    using VirtualClient.Common;
+    using VirtualClient.Contracts;
+
+    [TestFixture]
+    [Category("Functional")]
+    public class GetAccessTokenProfileTests
+    {
+        private DependencyFixture dependencyFixture;
+
+        [OneTimeSetUp]
+        public void SetupFixture()
+        {
+            this.dependencyFixture = new DependencyFixture();
+            ComponentTypeCache.Instance.LoadComponentTypes(TestDependencies.TestDirectory);
+        }
+
+        [Test]
+        [TestCase("GET-ACCESS-TOKEN.json", PlatformID.Unix)]
+        [TestCase("GET-ACCESS-TOKEN.json", PlatformID.Win32NT)]
+        public void GetAccessTokenProfileParametersAreInlinedCorrectly(string profile, PlatformID platform)
+        {
+            this.dependencyFixture.Setup(platform);
+            using (ProfileExecutor executor = TestDependencies.CreateProfileExecutor(profile, this.dependencyFixture.Dependencies))
+            {
+                WorkloadAssert.ParameterReferencesInlined(executor.Profile);
+            }
+        }
+
+        [Test]
+        [TestCase("GET-ACCESS-TOKEN.json", PlatformID.Unix)]
+        [TestCase("GET-ACCESS-TOKEN.json", PlatformID.Win32NT)]
+        public void GetAccessTokenProfileParametersAreAvailable(string profile, PlatformID platform)
+        {
+            this.dependencyFixture.Setup(platform);
+
+            var mandatoryParameters = new List<string> { "KeyVaultUri", "TenantId" };
+            using (ProfileExecutor executor = TestDependencies.CreateProfileExecutor(profile, this.dependencyFixture.Dependencies))
+            {
+                Assert.IsEmpty(executor.Profile.Actions);
+                Assert.AreEqual(1, executor.Profile.Dependencies.Count);
+
+                var dependencyBlock = executor.Profile.Dependencies.FirstOrDefault();
+
+                foreach (var parameters in mandatoryParameters)
+                {
+                    Assert.IsTrue(dependencyBlock.Parameters.ContainsKey(parameters));
+                }
+            }
+        }
+    }
+}

src/VirtualClient/VirtualClient.Contracts/DependencyKeyVaultStore.cs

@@ -53,4 +53,4 @@ public DependencyKeyVaultStore(string storeName, Uri endpointUri, TokenCredentia
         /// </summary>
         public TokenCredential Credentials { get; }
     }
-}
+}

src/VirtualClient/VirtualClient.Core.UnitTests/EndpointUtilityTests.cs

@@ -188,7 +188,7 @@ public void EndpointUtilityThrowsWhenCreatingBlobStoreReferenceForCDNUriIfUriIsV
             "https://anystorage.blob.core.windows.net/")]
         //
         [TestCase(
-            "https://anystorage.blob.core.windows.net?sv=2022-11-02&ss=b&srt=co&sp=rtf&se=2024-07-02T05:15:29Z&st=2024-07-01T21:15:29Z&spr=https", 
+            "https://anystorage.blob.core.windows.net?sv=2022-11-02&ss=b&srt=co&sp=rtf&se=2024-07-02T05:15:29Z&st=2024-07-01T21:15:29Z&spr=https",
             "https://anystorage.blob.core.windows.net/?sv=2022-11-02&ss=b&srt=co&sp=rtf&se=2024-07-02T05:15:29Z&st=2024-07-01T21:15:29Z&spr=https")]
         //
         [TestCase(
@@ -230,7 +230,7 @@ public void EndpointUtilityCreatesTheExpectedBlobStoreReferenceForConnectionStri
 
         [Test]
         [TestCase("https://any.service.azure.com?miid=307591a4-abb2-4559-af59-b47177d140cf", "https://any.service.azure.com")]
-        [TestCase("https://any.service.azure.com/?miid=307591a4-abb2-4559-af59-b47177d140cf","https://any.service.azure.com/")]
+        [TestCase("https://any.service.azure.com/?miid=307591a4-abb2-4559-af59-b47177d140cf", "https://any.service.azure.com/")]
         public void EndpointUtilityCreatesTheExpectedBlobStoreReferenceForUrisReferencingManagedIdentities(string uri, string expectedUri)
         {
             DependencyBlobStore store = EndpointUtility.CreateBlobStoreReference(
@@ -338,7 +338,7 @@ public void EndpointUtilityCreatesTheExpectedBlobStoreReferenceForConnectionStri
             Assert.IsNotNull(store.Credentials);
             Assert.IsInstanceOf<ClientCertificateCredential>(store.Credentials);
         }
-       
+
         [Test]
         [TestCase("https://any.service.azure.com/?cid=307591a4-abb2-4559-af59-b47177d140cf&tid=985bbc17-e3a5-4fec-b0cb-40dbb8bc5959&crti=ABC&crts=any.domain.com", "https://any.service.azure.com/")]
         [TestCase("https://any.service.azure.com/?cid=307591a4-abb2-4559-af59-b47177d140cf&tid=985bbc17-e3a5-4fec-b0cb-40dbb8bc5959&crti=ABC CA 01&crts=any.domain.com", "https://any.service.azure.com/")]
@@ -854,5 +854,37 @@ public void CreateKeyVaultStoreReference_ConnectionString_ThrowsOnInvalid()
                     "InvalidConnectionString",
                     this.mockFixture.CertificateManager.Object));
         }
+
+        [Test]
+        [TestCase("https://anyvault.vault.azure.net/?cid=123456&tid=654321")]
+        [TestCase("https://anycontentstorage.blob.core.windows.net?cid=123456&tid=654321")]
+        [TestCase("https://anypackagestorage.blob.core.windows.net?tid=654321")]
+        [TestCase("https://anynamespace.servicebus.windows.net?cid=123456&tid=654321")]
+        [TestCase("https://my-keyvault.vault.azure.net/?;tid=654321")]
+        public void TryParseMicrosoftEntraTenantIdReference_Uri_WorksAsExpected(string input)
+        {
+            // Arrange
+            Uri uri = new Uri(input);
+            bool result = EndpointUtility.TryParseMicrosoftEntraTenantIdReference(uri, out string actualTenantId);
+
+            // Assert
+            Assert.True(result);
+            Assert.AreEqual("654321", actualTenantId);
+        }
+
+        [Test]
+        [TestCase("https://anycontentstorage.blob.core.windows.net?cid=123456&tenantId=654321")]
+        [TestCase("https://anypackagestorage.blob.core.windows.net?miid=654321")]
+        [TestCase("https://my-keyvault.vault.azure.net/;cid=654321")]
+        public void TryParseMicrosoftEntraTenantIdReference_Uri_ReturnFalseWhenInvalid(string input)
+        {
+            // Arrange
+            Uri uri = new Uri(input);
+            bool result = EndpointUtility.TryParseMicrosoftEntraTenantIdReference(uri, out string actualTenantId);
+
+            // Assert
+            Assert.IsFalse(result);
+            Assert.IsNull(actualTenantId);
+        }
     }
 }

src/VirtualClient/VirtualClient.Core/EndpointUtility.cs

@@ -398,6 +398,26 @@ public static bool TryParseCertificateReference(Uri uri, out string issuer, out
             return TryGetCertificateReferenceForUri(queryParameters, out issuer, out subject);
         }
 
+        /// <summary>
+        /// Tries to parse the Microsoft Entra reference information from the provided uri. If the uri does not contain the correctly formatted client ID
+        /// and tenant ID information the method will return false, and keep the two out parameters as null.
+        /// Ex. https://anystore.blob.core.windows.net?cid={clientId};tid={tenantId}
+        /// </summary>
+        /// <param name="uri">The uri to attempt to parse the values from.</param>
+        /// <param name="tenantId">The tenant ID from the Microsoft Entra reference.</param>
+        /// <returns>True/False if the method was able to successfully parse both the client ID and the tenant ID from the Microsoft Entra reference.</returns>
+        public static bool TryParseMicrosoftEntraTenantIdReference(Uri uri, out string tenantId)
+        {
+            string queryString = Uri.UnescapeDataString(uri.Query).Trim('?').Replace("&", ",,,");
+
+            IDictionary<string, string> queryParameters = TextParsingExtensions.ParseDelimitedValues(queryString)?.ToDictionary(
+                entry => entry.Key,
+                entry => entry.Value?.ToString(),
+                StringComparer.OrdinalIgnoreCase);
+
+            return TryGetMicrosoftEntraTenantId(queryParameters, out tenantId);
+        }
+
         /// <summary>
         /// Returns the endpoint by verifying package uri checks.
         /// if the endpoint is a package uri without http or https protocols then append the protocol else return the endpoint value.
@@ -1292,5 +1312,23 @@ private static bool TryGetMicrosoftEntraReferenceForUri(IDictionary<string, stri
 
             return parametersDefined;
         }
+
+        private static bool TryGetMicrosoftEntraTenantId(IDictionary<string, string> uriParameters, out string tenantId)
+        {
+            bool parametersDefined = false;
+            tenantId = null;
+
+            if (uriParameters?.Any() == true)
+            {
+                if (uriParameters.TryGetValue(UriParameter.TenantId, out string microsoftEntraTenantId)
+                    && !string.IsNullOrWhiteSpace(microsoftEntraTenantId))
+                {
+                    tenantId = microsoftEntraTenantId;
+                    parametersDefined = true;
+                }
+            }
+
+            return parametersDefined;
+        }
     }
 }

src/VirtualClient/VirtualClient.Core/IKeyVaultManager.cs

@@ -3,6 +3,7 @@
 
 namespace VirtualClient
 {
+    using System;
     using System.Security.Cryptography.X509Certificates;
     using System.Threading;
     using System.Threading.Tasks;

src/VirtualClient/VirtualClient.Core/Identity/AccessTokenCredential.cs

@@ -0,0 +1,58 @@
+namespace VirtualClient.Identity
+{
+    using System;
+    using System.Threading;
+    using System.Threading.Tasks;
+    using Azure.Core;
+    using VirtualClient.Common.Extensions;
+
+    /// <summary>
+    /// A <see cref="TokenCredential"/> implementation that uses a pre-acquired 
+    /// access token.
+    /// </summary>
+    public class AccessTokenCredential : TokenCredential
+    {
+        /// <summary>
+        /// Creates a new instance of the <see cref="AccessTokenCredential"/> class.
+        /// </summary>
+        /// <param name="token">
+        /// The access token string to use for authentication.
+        /// </param>
+        public AccessTokenCredential(string token)
+        {
+            token.ThrowIfNull(nameof(token));
+            this.AccessToken = new AccessToken(token, DateTimeOffset.UtcNow.AddHours(1));
+        }
+
+        /// <summary>
+        /// The access token to use for authentication.
+        /// </summary>
+        public AccessToken AccessToken { get; }
+
+        /// <summary>
+        /// Gets an access token using the underlying credentials.
+        /// </summary>
+        /// <param name="requestContext">Context information used when getting the access token.</param>
+        /// <param name="cancellationToken">A token that can be used to cancel the operation.</param>
+        /// <returns>
+        /// An access token that can be used to authenticate with Azure resources.
+        /// </returns>
+        public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
+        {
+            return this.AccessToken;
+        }
+
+        /// <summary>
+        /// Gets an access token using the underlying credentials.
+        /// </summary>
+        /// <param name="requestContext">Context information used when getting the access token.</param>
+        /// <param name="cancellationToken">A token that can be used to cancel the operation.</param>
+        /// <returns>
+        /// An access token that can be used to authenticate with Azure resources.
+        /// </returns>
+        public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
+        {
+            return new ValueTask<AccessToken>(this.AccessToken);
+        }
+    }
+}

src/VirtualClient/VirtualClient.Core/KeyVaultManager.cs

@@ -15,7 +15,6 @@ namespace VirtualClient
     using Azure.Security.KeyVault.Secrets;
     using Polly;
     using VirtualClient.Common.Extensions;
-    using VirtualClient.Contracts;
 
     /// <summary>
     /// Provides methods for retrieving secrets, keys, and certificates from an Azure Key Vault.