add secret provider

Author: zhiyuanliang-ms

src/AzureAppConfigurationImpl.ts

@@ -1,14 +1,15 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 
-import { AppConfigurationClient, ConfigurationSetting, ConfigurationSettingId, GetConfigurationSettingOptions, GetConfigurationSettingResponse, ListConfigurationSettingsOptions, featureFlagPrefix, isFeatureFlag } from "@azure/app-configuration";
+import { AppConfigurationClient, ConfigurationSetting, ConfigurationSettingId, GetConfigurationSettingOptions, GetConfigurationSettingResponse, ListConfigurationSettingsOptions, featureFlagPrefix, isFeatureFlag, isSecretReference } from "@azure/app-configuration";
 import { isRestError } from "@azure/core-rest-pipeline";
 import { AzureAppConfiguration, ConfigurationObjectConstructionOptions } from "./AzureAppConfiguration.js";
 import { AzureAppConfigurationOptions } from "./AzureAppConfigurationOptions.js";
 import { IKeyValueAdapter } from "./IKeyValueAdapter.js";
 import { JsonKeyValueAdapter } from "./JsonKeyValueAdapter.js";
 import { DEFAULT_STARTUP_TIMEOUT_IN_MS } from "./StartupOptions.js";
 import { DEFAULT_REFRESH_INTERVAL_IN_MS, MIN_REFRESH_INTERVAL_IN_MS } from "./refresh/refreshOptions.js";
+import { MIN_SECRET_REFRESH_INTERVAL_IN_MS } from "./keyvault/KeyVaultOptions.js";
 import { Disposable } from "./common/disposable.js";
 import { base64Helper, jsonSorter } from "./common/utils.js";
 import {
@@ -87,6 +88,10 @@ export class AzureAppConfigurationImpl implements AzureAppConfiguration {
     #ffRefreshInterval: number = DEFAULT_REFRESH_INTERVAL_IN_MS;
     #ffRefreshTimer: RefreshTimer;
 
+    // Key Vault references
+    #secretRefreshEnabled: boolean = false;
+    #secretReferences: ConfigurationSetting[] = []; // cached key vault references
+    #secretRefreshTimer: RefreshTimer;
     /**
      * Selectors of key-values obtained from @see AzureAppConfigurationOptions.selectors
      */
@@ -139,9 +144,8 @@ export class AzureAppConfigurationImpl implements AzureAppConfiguration {
             if (refreshIntervalInMs !== undefined) {
                 if (refreshIntervalInMs < MIN_REFRESH_INTERVAL_IN_MS) {
                     throw new RangeError(`The refresh interval cannot be less than ${MIN_REFRESH_INTERVAL_IN_MS} milliseconds.`);
-                } else {
-                    this.#kvRefreshInterval = refreshIntervalInMs;
                 }
+                this.#kvRefreshInterval = refreshIntervalInMs;
             }
             this.#kvRefreshTimer = new RefreshTimer(this.#kvRefreshInterval);
         }
@@ -157,16 +161,25 @@ export class AzureAppConfigurationImpl implements AzureAppConfiguration {
                 if (refreshIntervalInMs !== undefined) {
                     if (refreshIntervalInMs < MIN_REFRESH_INTERVAL_IN_MS) {
                         throw new RangeError(`The feature flag refresh interval cannot be less than ${MIN_REFRESH_INTERVAL_IN_MS} milliseconds.`);
-                    } else {
-                        this.#ffRefreshInterval = refreshIntervalInMs;
                     }
+                    this.#ffRefreshInterval = refreshIntervalInMs;
                 }
 
                 this.#ffRefreshTimer = new RefreshTimer(this.#ffRefreshInterval);
             }
         }
 
-        this.#adapters.push(new AzureKeyVaultKeyValueAdapter(options?.keyVaultOptions));
+        if (options?.keyVaultOptions) {
+            const { secretRefreshIntervalInMs } = options.keyVaultOptions;
+            if (secretRefreshIntervalInMs !== undefined) {
+                if (secretRefreshIntervalInMs < MIN_SECRET_REFRESH_INTERVAL_IN_MS) {
+                    throw new RangeError(`The key vault secret refresh interval cannot be less than ${MIN_REFRESH_INTERVAL_IN_MS} milliseconds.`);
+                }
+                this.#secretRefreshEnabled = true;
+                this.#secretRefreshTimer = new RefreshTimer(secretRefreshIntervalInMs);
+            }
+        }
+        this.#adapters.push(new AzureKeyVaultKeyValueAdapter(options?.keyVaultOptions, this.#secretRefreshTimer));
         this.#adapters.push(new JsonKeyValueAdapter());
     }
 
@@ -305,8 +318,8 @@ export class AzureAppConfigurationImpl implements AzureAppConfiguration {
      * Refreshes the configuration.
      */
     async refresh(): Promise<void> {
-        if (!this.#refreshEnabled && !this.#featureFlagRefreshEnabled) {
-            throw new OperationError("Refresh is not enabled for key-values or feature flags.");
+        if (!this.#refreshEnabled && !this.#featureFlagRefreshEnabled && !this.#secretRefreshEnabled) {
+            throw new OperationError("Refresh is not enabled for key-values, key vault secrets or feature flags.");
         }
 
         if (this.#refreshInProgress) {
@@ -324,8 +337,8 @@ export class AzureAppConfigurationImpl implements AzureAppConfiguration {
      * Registers a callback function to be called when the configuration is refreshed.
      */
     onRefresh(listener: () => any, thisArg?: any): Disposable {
-        if (!this.#refreshEnabled && !this.#featureFlagRefreshEnabled) {
-            throw new OperationError("Refresh is not enabled for key-values or feature flags.");
+        if (!this.#refreshEnabled && !this.#featureFlagRefreshEnabled && !this.#secretRefreshEnabled) {
+            throw new OperationError("Refresh is not enabled for key-values, key vault secrets or feature flags.");
         }
 
         const boundedListener = listener.bind(thisArg);
@@ -399,6 +412,9 @@ export class AzureAppConfigurationImpl implements AzureAppConfiguration {
         if (this.#featureFlagRefreshEnabled) {
             refreshTasks.push(this.#refreshFeatureFlags());
         }
+        if (this.#secretRefreshEnabled) {
+            refreshTasks.push(this.#refreshSecrets());
+        }
 
         // wait until all tasks are either resolved or rejected
         const results = await Promise.allSettled(refreshTasks);
@@ -481,8 +497,12 @@ export class AzureAppConfigurationImpl implements AzureAppConfiguration {
             await this.#updateWatchedKeyValuesEtag(loadedSettings);
         }
 
-        // adapt configuration settings to key-values
+        // clear all cached key vault references
+        this.#secretReferences = [];
         for (const setting of loadedSettings) {
+            if (this.#secretRefreshEnabled && isSecretReference(setting)) {
+                this.#secretReferences.push(setting);
+            }
             const [key, value] = await this.#processKeyValues(setting);
             keyValues.push([key, value]);
         }
@@ -597,6 +617,21 @@ export class AzureAppConfigurationImpl implements AzureAppConfiguration {
         return Promise.resolve(needRefresh);
     }
 
+    async #refreshSecrets(): Promise<boolean> {
+        // if still within refresh interval/backoff, return
+        if (!this.#secretRefreshTimer.canRefresh()) {
+            return Promise.resolve(false);
+        }
+
+        for (const setting of this.#secretReferences) {
+            const [key, value] = await this.#processKeyValues(setting);
+            this.#configMap.set(key, value);
+        }
+
+        this.#secretRefreshTimer.reset();
+        return Promise.resolve(true);
+    }
+
     /**
      * Checks whether the key-value collection has changed.
      * @param selectors - The @see PagedSettingSelector of the kev-value collection.

src/StartupOptions.ts

@@ -1,7 +1,7 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 
-export const DEFAULT_STARTUP_TIMEOUT_IN_MS = 100 * 1000; // 100 seconds in milliseconds
+export const DEFAULT_STARTUP_TIMEOUT_IN_MS = 100_000; // 100 seconds in milliseconds
 
 export interface StartupOptions {
     /**

src/keyvault/AzureKeyVaultKeyValueAdapter.ts

@@ -3,79 +3,42 @@
 
 import { ConfigurationSetting, isSecretReference, parseSecretReference } from "@azure/app-configuration";
 import { IKeyValueAdapter } from "../IKeyValueAdapter.js";
+import { AzureKeyVaultSecretProvider } from "./AzureKeyVaultSecretProvider.js";
 import { KeyVaultOptions } from "./KeyVaultOptions.js";
-import { getUrlHost } from "../common/utils.js";
+import { RefreshTimer } from "../refresh/RefreshTimer.js";
 import { ArgumentError, KeyVaultReferenceError } from "../error.js";
-import { SecretClient, parseKeyVaultSecretIdentifier } from "@azure/keyvault-secrets";
+import { parseKeyVaultSecretIdentifier, KeyVaultSecretIdentifier } from "@azure/keyvault-secrets";
 
 export class AzureKeyVaultKeyValueAdapter implements IKeyValueAdapter {
-    /**
-     * Map vault hostname to corresponding secret client.
-    */
-    #secretClients: Map<string, SecretClient>;
     #keyVaultOptions: KeyVaultOptions | undefined;
+    #keyVaultSecretProvider: AzureKeyVaultSecretProvider;
 
-    constructor(keyVaultOptions: KeyVaultOptions | undefined) {
+    constructor(keyVaultOptions: KeyVaultOptions | undefined, refreshTimer?: RefreshTimer) {
         this.#keyVaultOptions = keyVaultOptions;
+        this.#keyVaultSecretProvider = new AzureKeyVaultSecretProvider(keyVaultOptions, refreshTimer);
     }
 
     canProcess(setting: ConfigurationSetting): boolean {
         return isSecretReference(setting);
     }
 
     async processKeyValue(setting: ConfigurationSetting): Promise<[string, unknown]> {
-        // TODO: cache results to save requests.
         if (!this.#keyVaultOptions) {
             throw new ArgumentError("Failed to process the key vault reference. The keyVaultOptions is not configured.");
         }
 
-        const { name: secretName, vaultUrl, sourceId, version } = parseKeyVaultSecretIdentifier(
+        const secretIdentifier: KeyVaultSecretIdentifier = parseKeyVaultSecretIdentifier(
             parseSecretReference(setting).value.secretId
         );
         try {
-            // precedence: secret clients > credential > secret resolver
-            const client = this.#getSecretClient(new URL(vaultUrl));
-            if (client) {
-                const secret = await client.getSecret(secretName, { version });
-                return [setting.key, secret.value];
-            }
-            if (this.#keyVaultOptions.secretResolver) {
-                return [setting.key, await this.#keyVaultOptions.secretResolver(new URL(sourceId))];
-            }
+            const secretValue = await this.#keyVaultSecretProvider.getSecretValue(secretIdentifier);
+            return [setting.key, secretValue];
         } catch (error) {
-            throw new KeyVaultReferenceError(buildKeyVaultReferenceErrorMessage(error.message, setting, sourceId));
-        }
-
-        // When code reaches here, it means that the key vault reference cannot be resolved in all possible ways.
-        throw new ArgumentError("Failed to process the key vault reference. No key vault secret client, credential or secret resolver callback is available to resolve the secret.");
-    }
-
-    /**
-     *
-     * @param vaultUrl - The url of the key vault.
-     * @returns
-     */
-    #getSecretClient(vaultUrl: URL): SecretClient | undefined {
-        if (this.#secretClients === undefined) {
-            this.#secretClients = new Map();
-            for (const client of this.#keyVaultOptions?.secretClients ?? []) {
-                this.#secretClients.set(getUrlHost(client.vaultUrl), client);
+            if (error instanceof ArgumentError) {
+                throw error;
             }
+            throw new KeyVaultReferenceError(buildKeyVaultReferenceErrorMessage(error.message, setting, secretIdentifier.sourceId));
         }
-
-        let client: SecretClient | undefined;
-        client = this.#secretClients.get(vaultUrl.host);
-        if (client !== undefined) {
-            return client;
-        }
-
-        if (this.#keyVaultOptions?.credential) {
-            client = new SecretClient(vaultUrl.toString(), this.#keyVaultOptions.credential);
-            this.#secretClients.set(vaultUrl.host, client);
-            return client;
-        }
-
-        return undefined;
     }
 }
 

src/keyvault/AzureKeyVaultSecretProvider.ts

@@ -0,0 +1,61 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+import { KeyVaultOptions } from "./KeyVaultOptions.js";
+import { RefreshTimer } from "../refresh/RefreshTimer.js";
+import { getUrlHost } from "../common/utils.js";
+import { ArgumentError } from "../error.js";
+import { SecretClient,  KeyVaultSecretIdentifier } from "@azure/keyvault-secrets";
+
+export class AzureKeyVaultSecretProvider {
+    #keyVaultOptions: KeyVaultOptions | undefined;
+    #secretClients: Map<string, SecretClient>; // map key vault hostname to corresponding secret client
+
+    constructor(keyVaultOptions: KeyVaultOptions | undefined, refreshTimer?: RefreshTimer) {
+        if (keyVaultOptions?.secretRefreshIntervalInMs !== undefined) {
+            if (refreshTimer === undefined) {
+                throw new ArgumentError("Refresh timer must be specified when Key Vault secret refresh is enabled.");
+            }
+            if (refreshTimer.interval !== keyVaultOptions.secretRefreshIntervalInMs) {
+                throw new ArgumentError("Refresh timer does not match the secret refresh interval.");
+            }
+        }
+        this.#keyVaultOptions = keyVaultOptions;
+        this.#secretClients = new Map();
+        for (const client of this.#keyVaultOptions?.secretClients ?? []) {
+            this.#secretClients.set(getUrlHost(client.vaultUrl), client);
+        }
+    }
+
+    async getSecretValue(secretIdentifier: KeyVaultSecretIdentifier): Promise<unknown> {
+        if (!this.#keyVaultOptions) {
+            throw new ArgumentError("Failed to get secret value. The keyVaultOptions is not configured.");
+        }
+        const { name: secretName, vaultUrl, sourceId, version } = secretIdentifier;
+        // precedence: secret clients > custom secret resolver
+        const client = this.#getSecretClient(new URL(vaultUrl));
+        if (client) {
+            const secret = await client.getSecret(secretName, { version });
+            return secret.value;
+        }
+        if (this.#keyVaultOptions.secretResolver) {
+            return await this.#keyVaultOptions.secretResolver(new URL(sourceId));
+        }
+        // When code reaches here, it means that the key vault reference cannot be resolved in all possible ways.
+        throw new ArgumentError("Failed to get secret value. No key vault secret client, credential or secret resolver callback is available to resolve the secret.");
+    }
+
+    #getSecretClient(vaultUrl: URL): SecretClient | undefined {
+        let client = this.#secretClients.get(vaultUrl.host);
+        if (client !== undefined) {
+            return client;
+        }
+        if (this.#keyVaultOptions?.credential) {
+            client = new SecretClient(vaultUrl.toString(), this.#keyVaultOptions.credential);
+            this.#secretClients.set(vaultUrl.host, client);
+            return client;
+        }
+
+        return undefined;
+    }
+}

src/keyvault/KeyVaultOptions.ts

@@ -4,6 +4,8 @@
 import { TokenCredential } from "@azure/identity";
 import { SecretClient } from "@azure/keyvault-secrets";
 
+export const MIN_SECRET_REFRESH_INTERVAL_IN_MS = 60_000;
+
 /**
  * Options used to resolve Key Vault references.
  */

src/refresh/RefreshTimer.ts

@@ -3,22 +3,22 @@
 
 export class RefreshTimer {
     #backoffEnd: number; // Timestamp
-    #interval: number;
+    readonly interval: number;
 
     constructor(interval: number) {
         if (interval <= 0) {
-            throw new RangeError(`Refresh interval must be greater than 0. Given: ${this.#interval}`);
+            throw new RangeError(`Refresh interval must be greater than 0. Given: ${this.interval}`);
         }
 
-        this.#interval = interval;
-        this.#backoffEnd = Date.now() + this.#interval;
+        this.interval = interval;
+        this.#backoffEnd = Date.now() + this.interval;
     }
 
     canRefresh(): boolean {
         return Date.now() >= this.#backoffEnd;
     }
 
     reset(): void {
-        this.#backoffEnd = Date.now() + this.#interval;
+        this.#backoffEnd = Date.now() + this.interval;
     }
 }

src/refresh/refreshOptions.ts

@@ -3,8 +3,8 @@
 
 import { WatchedSetting } from "../WatchedSetting.js";
 
-export const DEFAULT_REFRESH_INTERVAL_IN_MS = 30 * 1000;
-export const MIN_REFRESH_INTERVAL_IN_MS = 1 * 1000;
+export const DEFAULT_REFRESH_INTERVAL_IN_MS = 30_000;
+export const MIN_REFRESH_INTERVAL_IN_MS = 1_000;
 
 export interface RefreshOptions {
     /**

src/requestTracing/constants.ts

@@ -49,6 +49,7 @@ export const REPLICA_COUNT_KEY = "ReplicaCount";
 
 // Tag names
 export const KEY_VAULT_CONFIGURED_TAG = "UsesKeyVault";
+export const KEY_VAULT_REFRESH_CONFIGURED_TAG = "RefreshesKeyVault";
 export const FAILOVER_REQUEST_TAG = "Failover";
 
 // Compact feature tags

src/requestTracing/utils.ts

@@ -17,6 +17,7 @@ import {
     HOST_TYPE_KEY,
     HostType,
     KEY_VAULT_CONFIGURED_TAG,
+    KEY_VAULT_REFRESH_CONFIGURED_TAG,
     KUBERNETES_ENV_VAR,
     NODEJS_DEV_ENV_VAL,
     NODEJS_ENV_VAR,
@@ -100,10 +101,13 @@ export function createCorrelationContextHeader(requestTracingOptions: RequestTra
 
     const appConfigOptions = requestTracingOptions.appConfigOptions;
     if (appConfigOptions?.keyVaultOptions) {
-        const { credential, secretClients, secretResolver } = appConfigOptions.keyVaultOptions;
+        const { credential, secretClients, secretRefreshIntervalInMs, secretResolver } = appConfigOptions.keyVaultOptions;
         if (credential !== undefined || secretClients?.length || secretResolver !== undefined) {
             tags.push(KEY_VAULT_CONFIGURED_TAG);
         }
+        if (secretRefreshIntervalInMs !== undefined) {
+            tags.push(KEY_VAULT_REFRESH_CONFIGURED_TAG);
+        }
     }
 
     const featureFlagTracing = requestTracingOptions.featureFlagTracing;

test/keyvault.test.ts

@@ -96,7 +96,7 @@ describe("key vault reference", function () {
                 ]
             }
         });
-        return expect(loadKeyVaultPromise).eventually.rejectedWith("Failed to process the key vault reference. No key vault secret client, credential or secret resolver callback is available to resolve the secret.");
+        return expect(loadKeyVaultPromise).eventually.rejectedWith("Failed to get secret value. No key vault secret client, credential or secret resolver callback is available to resolve the secret.");
     });
 
     it("should fallback to use default credential when corresponding secret client not provided", async () => {