1 files changed, 110 insertions, 0 deletions

diff --git a/src/third_party/kms-message/src/kms_message/kms_azure_request.h b/src/third_party/kms-message/src/kms_message/kms_azure_request.h
new file mode 100644
index 00000000000..2e9af68fd03
--- /dev/null
+++ b/src/third_party/kms-message/src/kms_message/kms_azure_request.h
@@ -0,0 +1,110 @@
+/*
+ * Copyright 2020-present MongoDB, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef KMS_AZURE_REQUEST_H
+#define KMS_AZURE_REQUEST_H
+
+#include "kms_message_defines.h"
+#include "kms_request.h"
+#include "kms_request_opt.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Constructs an oauth client credentials grant request for Azure.
+ * See
+ * https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token.
+ *
+ * Parameters:
+ * All parameters must be NULL terminated strings.
+ * - host: The value of the Host header. This should be a custom host or
+ * "login.microsoftonline.com".
+ * - scope: The oauth scope. This should be a custom scope or
+ * "https%3A%2F%2Fvault.azure.net%2F.default". Must be URL encoded.
+ * - tenant_id: The Azure tenant ID.
+ * - client_id: The client ID to authenticate.
+ * - client_secret: The client secret to authenticate.
+ * - opt: Additional options. This must have the Azure provider set via
+ * kms_request_opt_set_provider.
+ *
+ * Returns: A new kms_request_t.
+ * Always returns a new kms_request_t, even on error.
+ * Caller must check if an error occurred by calling kms_request_get_error.
+ */
+KMS_MSG_EXPORT (kms_request_t *)
+kms_azure_request_oauth_new (const char *host,
+                             const char *scope,
+                             const char *tenant_id,
+                             const char *client_id,
+                             const char *client_secret,
+                             const kms_request_opt_t *opt);
+
+/* Constructs a wrapkey request for Azure.
+ * See https://docs.microsoft.com/en-us/rest/api/keyvault/wrapkey/wrapkey
+ *
+ * Parameters:
+ * All parameters must be NULL terminated strings.
+ * - host: The value of the Host header, like "mykeyvault.vault.azure.net".
+ * - access_token: The access_token obtained from an oauth response as a
+ * base64url encoded string.
+ * - key_name: The azure key name.
+ * - key_version: An optional key version. May be NULL or empty string.
+ * - plaintext: The plaintext key to encrypt.
+ * - plaintext_len: The number of bytes of plaintext.
+ * - opt: Additional options. This must have the Azure provider set via
+ * kms_request_opt_set_provider.
+ */
+
+KMS_MSG_EXPORT (kms_request_t *)
+kms_azure_request_wrapkey_new (const char *host,
+                               const char *access_token,
+                               const char *key_name,
+                               const char *key_version,
+                               const uint8_t *plaintext,
+                               size_t plaintext_len,
+                               const kms_request_opt_t *opt);
+
+/* Constructs an unwrapkey request for Azure.
+ * See https://docs.microsoft.com/en-us/rest/api/keyvault/unwrapkey/unwrapkey
+ *
+ * Parameters:
+ * All parameters must be NULL terminated strings.
+ * - host: The value of the Host header, like "mykeyvault.vault.azure.net".
+ * - access_token: The access_token obtained from an oauth response as a
+ * base64url encoded string.
+ * - key_name: The azure key name.
+ * - key_version: An optional key version. May be NULL or empty string.
+ * - ciphertext: The ciphertext key to decrypt.
+ * - ciphertext_len: The number of bytes of ciphertext.
+ * - opt: Additional options. This must have the Azure provider set via
+ * kms_request_opt_set_provider.
+ */
+
+KMS_MSG_EXPORT (kms_request_t *)
+kms_azure_request_unwrapkey_new (const char *host,
+                                 const char *access_token,
+                                 const char *key_name,
+                                 const char *key_version,
+                                 const uint8_t *ciphertext,
+                                 size_t ciphertext_len,
+                                 const kms_request_opt_t *opt);
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* KMS_AZURE_REQUEST_H */