SMO testing - cache SecretClient for faster AKV access

David Shiflet · David Shiflet · commit 524cee0a785f · 2022-03-30T13:23:48.000Z
Each new SecretClient  instance probes available authentication methods, so caching it between secret fetches speeds things up a few seconds per secret.
diff --git a/src/FunctionalTest/Framework/Helpers/AzureKeyVaultHelper.cs b/src/FunctionalTest/Framework/Helpers/AzureKeyVaultHelper.cs
@@ -38,6 +38,8 @@ public class AzureKeyVaultHelper
         private static readonly object syncObj = new object();
         public static readonly string SSMS_TEST_SECRET_PREFIX = "SQLA-SSMS-Test-";
 
+        private SecretClient secretClient = null;
+
         /// <summary>
         /// Constructs a new AzureKeyVaultHelper that relies on an instance of Azure.Identity.DefaultAzureCredential to access the given vault.
         /// </summary>
@@ -73,22 +75,25 @@ public string GetDecryptedSecret(string secretName)
             }
             if (string.IsNullOrEmpty(secret))
             {
-                Azure.Core.TokenCredential credential = new DefaultAzureCredential();
-                foreach (var thumbprint in CertificateThumbprints ?? Enumerable.Empty<string>())
+                // It's ok if multiple threads race to construct this secretClient instance
+                if (secretClient == null)
                 {
-                    var certificate = FindCertificate(thumbprint);
-                    if (certificate != null)
+                    Azure.Core.TokenCredential credential = new DefaultAzureCredential();
+                    foreach (var thumbprint in CertificateThumbprints ?? Enumerable.Empty<string>())
                     {
-                        credential = new ClientCertificateCredential(AzureTenantId, AzureApplicationId, certificate);
+                        var certificate = FindCertificate(thumbprint);
+                        if (certificate != null)
+                        {
+                            credential = new ClientCertificateCredential(AzureTenantId, AzureApplicationId, certificate);
+                        }
+                        break;
                     }
-                    break;
+                    secretClient = new SecretClient(new Uri($"https://{KeyVaultName}.vault.azure.net"), credential);
                 }
-
                 var secretIdentifier = $"https://{KeyVaultName}.vault.azure.net/secrets/{lookupName}";
                 TraceHelper.TraceInformation("Secret {0} not set as environment variable. Looking in AKV for {1}.", secretName, secretIdentifier);
                 try
                 {
-                    var secretClient = new SecretClient(new Uri($"https://{KeyVaultName}.vault.azure.net"), credential);
                     secret = secretClient.GetSecret(lookupName).Value.Value;
                 }
                 catch (Exception e)

Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,8 @@ public class AzureKeyVaultHelper`
`38`	`38`	`private static readonly object syncObj = new object();`
`39`	`39`	`public static readonly string SSMS_TEST_SECRET_PREFIX = "SQLA-SSMS-Test-";`
`40`	`40`
	`41`	`+ private SecretClient secretClient = null;`
	`42`	`+`
`41`	`43`	`/// <summary>`
`42`	`44`	`/// Constructs a new AzureKeyVaultHelper that relies on an instance of Azure.Identity.DefaultAzureCredential to access the given vault.`
`43`	`45`	`/// </summary>`
`@@ -73,22 +75,25 @@ public string GetDecryptedSecret(string secretName)`
`73`	`75`	`}`
`74`	`76`	`if (string.IsNullOrEmpty(secret))`
`75`	`77`	`{`
`76`		`- Azure.Core.TokenCredential credential = new DefaultAzureCredential();`
`77`		`- foreach (var thumbprint in CertificateThumbprints ?? Enumerable.Empty<string>())`
	`78`	`+ // It's ok if multiple threads race to construct this secretClient instance`
	`79`	`+ if (secretClient == null)`
`78`	`80`	`{`
`79`		`- var certificate = FindCertificate(thumbprint);`
`80`		`- if (certificate != null)`
	`81`	`+ Azure.Core.TokenCredential credential = new DefaultAzureCredential();`
	`82`	`+ foreach (var thumbprint in CertificateThumbprints ?? Enumerable.Empty<string>())`
`81`	`83`	`{`
`82`		`- credential = new ClientCertificateCredential(AzureTenantId, AzureApplicationId, certificate);`
	`84`	`+ var certificate = FindCertificate(thumbprint);`
	`85`	`+ if (certificate != null)`
	`86`	`+ {`
	`87`	`+ credential = new ClientCertificateCredential(AzureTenantId, AzureApplicationId, certificate);`
	`88`	`+ }`
	`89`	`+ break;`
`83`	`90`	`}`
`84`		`- break;`
	`91`	`+ secretClient = new SecretClient(new Uri($"https://{KeyVaultName}.vault.azure.net"), credential);`
`85`	`92`	`}`
`86`		`-`
`87`	`93`	`var secretIdentifier = $"https://{KeyVaultName}.vault.azure.net/secrets/{lookupName}";`
`88`	`94`	`TraceHelper.TraceInformation("Secret {0} not set as environment variable. Looking in AKV for {1}.", secretName, secretIdentifier);`
`89`	`95`	`try`
`90`	`96`	`{`
`91`		`- var secretClient = new SecretClient(new Uri($"https://{KeyVaultName}.vault.azure.net"), credential);`
`92`	`97`	`secret = secretClient.GetSecret(lookupName).Value.Value;`
`93`	`98`	`}`
`94`	`99`	`catch (Exception e)`