Make WWW-Authenticate header resource parameter configurable

lowkey-vault-app/README.md

@@ -94,6 +94,19 @@ Set `--server.port=<port>` as an argument as usual with Spring Boot apps:
 java -jar lowkey-vault-app-<version>.jar --server.port=8443
 ```
 
+## Challenge resource URI
+
+The official Azure Key Vault clients verify the challenge resource URL returned by the server (see
+[blog](https://devblogs.microsoft.com/azure-sdk/guidance-for-applications-using-the-key-vault-libraries/)). You can either set
+`DisableChallengeResourceVerification=true` in your client, or you can configure the resource URL returned by the Lowkey Vault:
+
+```
+java -jar lowkey-vault-app-<version>.jar --LOWKEY_AUTH_RESOURCE="vault.azure.net"
+```
+
+You should be running the Lowkey Vault with a resolvable hostname as a subdomain of `vault.azure.net` (e.g. `lowkey.vault.azure.net`) and
+have appropriate SSL certificates registered if you choose to configure the auth resource.
+
 ### Importing vault content at startup
 
 When you need to automatically import the contents of the vaults form a previously created JSON export, you can

lowkey-vault-app/src/main/java/com/github/nagyesta/lowkeyvault/filter/CommonAuthHeaderFilter.java

@@ -6,6 +6,7 @@
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.HttpHeaders;
 import org.springframework.lang.NonNull;
 import org.springframework.stereotype.Component;
@@ -28,6 +29,11 @@ public class CommonAuthHeaderFilter extends OncePerRequestFilter {
     private static final String BEARER_FAKE_TOKEN = "Bearer resource=\"%s\", authorization_uri=\"%s\"";
     private final AntPathMatcher antPathMatcher = new AntPathMatcher();
     private final Set<String> skipUrisIfMatch = Set.of("/ping", "/management/**", "/api/**", "/metadata/**");
+    private String authResource;
+
+    CommonAuthHeaderFilter(@Value("${LOWKEY_AUTH_RESOURCE:localhost}") final String authResource) {
+        this.authResource = authResource;
+    }
 
     @Override
     protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response,
@@ -38,7 +44,7 @@ protected void doFilterInternal(final HttpServletRequest request, final HttpServ
         final URI baseUri = URI.create(HTTPS + request.getServerName() + port);
         request.setAttribute(ApiConstants.REQUEST_BASE_URI, baseUri);
         response.setHeader(HttpHeaders.WWW_AUTHENTICATE,
-                String.format(BEARER_FAKE_TOKEN, baseUri, baseUri + request.getRequestURI()));
+                String.format(BEARER_FAKE_TOKEN, URI.create(HTTPS + authResource), baseUri + request.getRequestURI()));
         if (!StringUtils.hasText(request.getHeader(HttpHeaders.AUTHORIZATION))) {
             log.info("Sending token to client without processing payload: {}", request.getRequestURI());
             response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

lowkey-vault-app/src/test/java/com/github/nagyesta/lowkeyvault/TestConstants.java

@@ -46,6 +46,7 @@ private TestConstants() {
     public static final String LOWKEY_VAULT = "lowkey-vault";
     public static final String DEFAULT_SUB = "default.";
     public static final String DEFAULT_LOWKEY_VAULT = DEFAULT_SUB + LOWKEY_VAULT;
+    public static final String AZURE_CLOUD = "vault.azure.net";
     //</editor-fold>
 
     //<editor-fold defaultstate="collapsed" desc="Port">

lowkey-vault-app/src/test/java/com/github/nagyesta/lowkeyvault/TestConstantsUri.java

@@ -25,6 +25,7 @@ private TestConstantsUri() {
     public static final URI HTTPS_DEFAULT_LOWKEY_VAULT = URI.create(HTTPS + DEFAULT_SUB + LOWKEY_VAULT);
     public static final URI HTTPS_DEFAULT_LOWKEY_VAULT_8443 = URI.create(HTTPS_DEFAULT_LOWKEY_VAULT + PORT_8443);
     public static final URI HTTPS_DEFAULT_LOWKEY_VAULT_80 = URI.create(HTTPS_DEFAULT_LOWKEY_VAULT + PORT_80);
+    public static final URI HTTPS_AZURE_CLOUD = URI.create(HTTPS + AZURE_CLOUD);
     //</editor-fold>
 
     public static String getRandomVaultUriAsString() {

lowkey-vault-app/src/test/java/com/github/nagyesta/lowkeyvault/filter/CommonAuthHeaderFilterTest.java

@@ -30,7 +30,6 @@
 
 class CommonAuthHeaderFilterTest {
 
-    private final CommonAuthHeaderFilter underTest = new CommonAuthHeaderFilter();
     @Mock
     private HttpServletRequest request;
     @Mock
@@ -59,6 +58,13 @@ public static Stream<Arguments> hostAndPortProvider() {
                 .build();
     }
 
+    public static Stream<Arguments> authResourceProvider() {
+        return Stream.<Arguments>builder()
+                .add(Arguments.of(LOCALHOST, HTTPS_LOCALHOST))
+                .add(Arguments.of(AZURE_CLOUD, HTTPS_AZURE_CLOUD))
+                .build();
+    }
+
     @BeforeEach
     void setUp() {
         openMocks = MockitoAnnotations.openMocks(this);
@@ -74,6 +80,8 @@ void tearDown() throws Exception {
     @ValueSource(strings = {EMPTY, HEADER_VALUE})
     void testDoFilterInternalShouldNotCallNextOnChainWhenAuthorizationHeaderMissing(final String headerValue)
             throws ServletException, IOException {
+        final CommonAuthHeaderFilter underTest = new CommonAuthHeaderFilter(LOCALHOST);
+
         //given
         when(request.getHeader(eq(HttpHeaders.AUTHORIZATION))).thenReturn(headerValue);
 
@@ -94,6 +102,8 @@ void testDoFilterInternalShouldNotCallNextOnChainWhenAuthorizationHeaderMissing(
     @ValueSource(strings = {EMPTY, HEADER_VALUE})
     void testDoFilterInternalShouldAddTokenToResponseHeaderWhenCalled(final String headerValue)
             throws ServletException, IOException {
+        final CommonAuthHeaderFilter underTest = new CommonAuthHeaderFilter(LOCALHOST);
+
         //given
         when(request.getHeader(eq(HttpHeaders.AUTHORIZATION))).thenReturn(headerValue);
 
@@ -104,10 +114,28 @@ void testDoFilterInternalShouldAddTokenToResponseHeaderWhenCalled(final String h
         verify(response).setHeader(eq(HttpHeaders.WWW_AUTHENTICATE), anyString());
     }
 
+    @ParameterizedTest
+    @MethodSource("authResourceProvider")
+    void testDoFilterInternalShouldSetResourceOnResponseHeaderWhenCalled(final String authResource, final URI expected)
+            throws ServletException, IOException {
+        final CommonAuthHeaderFilter underTest = new CommonAuthHeaderFilter(authResource);
+
+        //given
+        when(request.getHeader(eq(HttpHeaders.AUTHORIZATION))).thenReturn(HEADER_VALUE);
+
+        //when
+        underTest.doFilterInternal(request, response, chain);
+
+        //then
+        verify(response).setHeader(eq(HttpHeaders.WWW_AUTHENTICATE), contains("resource=\"" + expected + "\""));
+    }
+
     @ParameterizedTest
     @MethodSource("hostAndPortProvider")
     void testDoFilterInternalShouldSetRequestBaseUriRequestAttributeWhenCalled(
             final String hostName, final int port, final String path, final URI expected) throws ServletException, IOException {
+        final CommonAuthHeaderFilter underTest = new CommonAuthHeaderFilter(LOCALHOST);
+
         //given
         when(request.getServerName()).thenReturn(hostName);
         when(request.getServerPort()).thenReturn(port);
@@ -125,6 +153,8 @@ void testDoFilterInternalShouldSetRequestBaseUriRequestAttributeWhenCalled(
 
     @Test
     void testShouldNotFilterShouldReturnTrueWhenRequestBaseUriIsPing() {
+        final CommonAuthHeaderFilter underTest = new CommonAuthHeaderFilter(LOCALHOST);
+
         //given
         when(request.getRequestURI()).thenReturn("/ping");