Merge pull request #65 from Keyfactor/government_cloud_debug

Bug fix for government cloud host name resolution

Author: spbsoluble

AzureKeyVault/AkvProperties.cs

@@ -45,7 +45,7 @@ internal protected string VaultEndpoint
                 {
                     return PrivateEndpoint.TrimStart('.');
                 }
-                switch (AzureCloud)
+                switch (AzureCloud?.Trim()?.ToLowerInvariant())
                 {
                     case "china":
                         return "vault.azure.cn";
@@ -58,6 +58,6 @@ internal protected string VaultEndpoint
                 }
             }
         }
-        internal protected string VaultURL => $"https://{VaultName}.{VaultEndpoint}/";
+        public string VaultURL => $"https://{VaultName}.{VaultEndpoint}/";
     }
 }

AzureKeyVault/AzureClient.cs

@@ -32,16 +32,19 @@ private Uri AzureCloudEndpoint
         {
             get
             {
-                switch (VaultProperties.AzureCloud?.ToLower())
+                logger.LogTrace($"the AzureCloud is {VaultProperties.AzureCloud}, so we will use the following endpoint for authentication: ");
+                switch (VaultProperties.AzureCloud?.Trim()?.ToLowerInvariant())
                 {
-
                     case "china":
+                        logger.LogTrace(AzureAuthorityHosts.AzureChina.ToString());
                         return AzureAuthorityHosts.AzureChina;
                     //case "germany":
                     //    return AzureAuthorityHosts.AzureGermany; // germany is no longer a valid azure authority host as of 2021
                     case "government":
+                        logger.LogTrace(AzureAuthorityHosts.AzureGovernment.ToString());
                         return AzureAuthorityHosts.AzureGovernment;
                     default:
+                        logger.LogTrace(AzureAuthorityHosts.AzurePublicCloud.ToString());
                         return AzureAuthorityHosts.AzurePublicCloud;
                 }
             }
@@ -92,6 +95,8 @@ internal protected virtual ArmClient getArmClient(string tenantId)
         {
             TokenCredential credential;
             var credentialOptions = new DefaultAzureCredentialOptions { AuthorityHost = AzureCloudEndpoint, AdditionallyAllowedTenants = { "*" } };
+            logger.LogTrace($"creating an ARM client for management operations with authorityhost {AzureCloudEndpoint.ToString()}");
+
             if (this.VaultProperties.UseAzureManagedIdentity)
             {
                 logger.LogTrace("getting management client for a managed identity");

AzureKeyVault/Jobs/AzureKeyVaultJob.cs

@@ -94,12 +94,15 @@ public void InitializeStore(dynamic config)
                     VaultProperties.SubscriptionId = properties.SubscriptionId ?? VaultProperties.SubscriptionId;
                     VaultProperties.ResourceGroupName = !string.IsNullOrEmpty(properties.ResourceGroupName as string) ? properties.ResourceGroupName : VaultProperties.ResourceGroupName;
                     VaultProperties.VaultName = properties.VaultName ?? VaultProperties.VaultName; // check the field in case of legacy paths.                    
+                    
                     VaultProperties.TenantId = !string.IsNullOrEmpty(VaultProperties.TenantId) ? VaultProperties.TenantId : config.CertificateStoreDetails?.ClientMachine; // Client Machine could be null in the case of managed identity.  That's ok.
-                    VaultProperties.AzureCloud = !string.IsNullOrEmpty(properties.AzureCloud as string) ? properties.AzureCloud : VaultProperties.AzureCloud;
-                    VaultProperties.PrivateEndpoint = !string.IsNullOrEmpty(properties.PrivateEndpoint as string) ? properties.PrivateEndpoint : VaultProperties.PrivateEndpoint;
-
+                    VaultProperties.AzureCloud = properties.AzureCloud;
+                    logger.LogTrace($"Azure Cloud: {VaultProperties.AzureCloud}");
+                    VaultProperties.PrivateEndpoint = properties.PrivateEndpoint;
+                    logger.LogTrace($"Private Endpoint: {VaultProperties.PrivateEndpoint}");
                     string skuType = !string.IsNullOrEmpty(properties.SkuType as string) ? properties.SkuType : null;
                     VaultProperties.PremiumSKU = skuType?.ToLower() == "premium";
+                    
                     VaultProperties.VaultRegion = !string.IsNullOrEmpty(properties.VaultRegion as string) ? properties.VaultRegion : VaultProperties.VaultRegion;
                     VaultProperties.VaultRegion = VaultProperties.VaultRegion?.ToLower();
                 }

AzureKeyVault/Jobs/Inventory.cs

@@ -40,7 +40,7 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
 
                 inventoryItems = AzClient.GetCertificatesAsync().Result?.ToList();
 
-                logger.LogTrace($"Found {inventoryItems.Count()} Total Certificates in Azure Key Vault.");
+                logger.LogTrace($"Found {inventoryItems.Count} Total Certificates in Azure Key Vault.");
             }
 
             catch (Exception ex)

CHANGELOG.md

@@ -1,5 +1,6 @@
 - 3.1.9
   - Added optional entry parameter to indicate that existing tags should be preserved if certificate is replaced
+  - bug fix for government cloud host name resolution
 
 - 3.1.8
   - Fixed bug where enrollment would fail if the CertificateTags field was not defined as an entry parameter