Private/Get-IDBridgeAzKeyVaultContext.ps1

<#
.SYNOPSIS
Resolve the Azure Key Vault connection details for the AzKeyVault secrets provider (internal).

.DESCRIPTION
Internal helper for the AzKeyVault secrets provider. Validates the Secrets.AzKeyVault config
block (VaultUri, TenantId, ClientId, CertThumbprint), acquires a bearer token via
Get-IDBridgeAzureAuthToken, and returns everything the secret functions need to call the
Key Vault REST API:

  @{ VaultUri = 'https://<vault>.vault.azure.net/'; ApiVersion = '7.4';
     Headers = @{ Authorization = 'Bearer ...' } }

The token is cached script-scoped for the session and refreshed 5 minutes before expiry.

.EXAMPLE
$context = Get-IDBridgeAzKeyVaultContext

.NOTES
   Created by: Sam Cattanach
   Modified: 2026-07-02
#>

function Get-IDBridgeAzKeyVaultContext {
    [CmdletBinding()]
    [OutputType([hashtable])]
    param ()

    $IDConfig = Get-IDBridgeConfig
    $kvConfig = if ($IDConfig.Secrets) { $IDConfig.Secrets.AzKeyVault } else { $null }

    foreach ($key in 'VaultUri', 'TenantId', 'ClientId', 'CertThumbprint') {
        if (-not $kvConfig -or -not $kvConfig.$key) {
            Throw "The AzKeyVault secrets provider requires Secrets.AzKeyVault.$key in IDBridgeConfig.psd1 (VaultUri, TenantId, ClientId, CertThumbprint)."
        }
    }

    $vaultUri = $kvConfig.VaultUri
    if (-not $vaultUri.EndsWith('/')) { $vaultUri += '/' }

    # Reuse the cached token until close to expiry
    if (-not $script:AzKeyVaultAuth -or (Get-Date) -ge $script:AzKeyVaultAuth.RefreshAfter) {
        $tokenResponse = Get-IDBridgeAzureAuthToken -ClientId $kvConfig.ClientId -TenantId $kvConfig.TenantId -CertThumbprint $kvConfig.CertThumbprint -Scope 'https://vault.azure.net/.default'
        $script:AzKeyVaultAuth = @{
            Headers      = @{ Authorization = "Bearer $($tokenResponse.access_token)" }
            RefreshAfter = (Get-Date).AddSeconds([int]$tokenResponse.expires_in - 300)
        }
    }

    return @{
        VaultUri   = $vaultUri
        ApiVersion = '7.4'
        Headers    = $script:AzKeyVaultAuth.Headers
    }
}