Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for authenticating using azureauth cli #1464

Merged
merged 15 commits into from
Nov 29, 2023
Merged

Add support for authenticating using azureauth cli #1464

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
7c192e8
include setting the mode
Nov 16, 2023
6a09a23
fix lint issue from 1.74.0 in unrelated code
Nov 16, 2023
7780f0e
fix unit tests
Nov 16, 2023
40c0186
add `aad` subcommand
Nov 16, 2023
d8d1c77
IWA is only valid on windows
Nov 17, 2023
69eb5a5
wrap azureauth-cli in a feature
Nov 17, 2023
3d18828
fix syntax
Nov 17, 2023
642ef26
add support for prompt-hint
Nov 21, 2023
7b017d6
use `--scope` instead of `--resource`
Nov 21, 2023
54ae30f
add prompt hint to default struct
Nov 27, 2023
7cf30e6
only pass down windows auth modes when using azureauth.exe
Nov 28, 2023
7a52b53
address clippy issue
Nov 28, 2023
1e0ed15
Merge branch 'main' into add-azureauth-support
Nov 29, 2023
f11f043
address feedback
Nov 29, 2023
bd58766
Merge branch 'main' into add-azureauth-support
Nov 29, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion eng/test/mock_transport/src/recorder_policy.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ impl Policy for MockTransportRecorderPolicy {
{
let mut request_contents_stream = std::fs::File::create(&request_path).unwrap();
request_contents_stream
.write_all(request_contents.as_str().as_bytes())
.write_all(request_contents.as_bytes())
.context(ErrorKind::MockFramework, "cannot write request file")?;
}

Expand Down
182 changes: 182 additions & 0 deletions sdk/identity/src/token_credentials/azureauth_cli_credentials.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,182 @@
use azure_core::{
auth::{AccessToken, TokenCredential, TokenResponse},
error::{Error, ErrorKind, ResultExt},
};
use oauth2::ClientId;
use serde::Deserialize;
use std::process::Command;
use std::str;
use time::OffsetDateTime;

mod unix_date_string {
use azure_core::error::{Error, ErrorKind};
use serde::{Deserialize, Deserializer};
use time::OffsetDateTime;

pub fn parse(s: &str) -> azure_core::Result<OffsetDateTime> {
let as_i64 = s.parse().map_err(|_| {
Error::with_message(ErrorKind::DataConversion, || {
format!("unable to parse expiration_date '{s}")
})
})?;

OffsetDateTime::from_unix_timestamp(as_i64).map_err(|_| {
Error::with_message(ErrorKind::DataConversion, || {
format!("unable to parse expiration_date '{s}")
})
})
}

pub fn deserialize<'de, D>(deserializer: D) -> Result<OffsetDateTime, D::Error>
where
D: Deserializer<'de>,
{
let s = String::deserialize(deserializer)?;
parse(&s).map_err(serde::de::Error::custom)
}
}

#[derive(Debug, Clone, Deserialize)]
struct CliTokenResponse {
pub token: AccessToken,
#[serde(with = "unix_date_string")]
pub expiration_date: OffsetDateTime,
}

/// Authentication Mode
///
/// Note: While the azureauth CLI supports devicecode, users wishing to use
/// devicecode should use `azure_identity::device_code_flow`
#[derive(Debug, Clone, Copy)]
pub enum AzureauthCliMode {
All,
IntegratedWindowsAuth,
demoray marked this conversation as resolved.
Show resolved Hide resolved
Broker,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Broker,
#[cfg(target_os = "windows")]
Broker,

Broker would also need it's own cfg atribute right?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@demoray ping.

Web,
}

/// Enables authentication to Azure Active Directory using Azure CLI to obtain an access token.
pub struct AzureauthCliCredential {
tenant_id: String,
client_id: ClientId,
modes: Vec<AzureauthCliMode>,
}

impl AzureauthCliCredential {
/// Create a new `AzureCliCredential`
pub fn new<T, C>(tenant_id: T, client_id: C) -> Self
where
T: Into<String>,
C: Into<ClientId>,
{
Self {
tenant_id: tenant_id.into(),
client_id: client_id.into(),
modes: Vec::new(),
}
}

pub fn add_mode(mut self, mode: AzureauthCliMode) -> Self {
self.modes.push(mode);
self
}

pub fn with_modes(mut self, modes: Vec<AzureauthCliMode>) -> Self {
self.modes = modes;
self
}

fn get_access_token(&self, resource: &str) -> azure_core::Result<CliTokenResponse> {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we take scopes: &Vec<String> or similar here instead of a single resource?

Copy link
Contributor

@kyle-rader-msft kyle-rader-msft Nov 28, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@demoray After reading the TokenCredential trait source, I see that resource here is actually a space separated list of scopes, or potentially the concept of a resource as parsed by the az CLI. But MSAL only takes a list of scopes, which AzureAuth will turn --resource into, but we recommend passing --scope repeatedly for each scope needed.

I think we need to test this a little further and likely split this "resource" (maybe rename it scopes), and pass each value as it's own --scope for azureauth to correctly handle them.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would prefer to do this as a follow-up PR, as I think the underlying trait should be updated to take a list of scopes.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So long as this doesn't ship, a follow up PR seems okay. I do not think this will work as is.

// try using azureauth.exe first, such that azureauth through WSL is
// used first if possible.
let cmd_name = if Command::new("azureauth.exe")
.arg("--version")
.output()
.map(|x| x.status.success())
.unwrap_or(false)
{
"azureauth.exe"
} else {
"azureauth"
};

let mut cmd = Command::new(cmd_name);
cmd.args([
"--resource",
cataggar marked this conversation as resolved.
Show resolved Hide resolved
resource,
"--client",
self.client_id.as_str(),
"--tenant",
self.tenant_id.as_str(),
"--output",
"json",
]);

for mode in &self.modes {
cmd.arg("--mode");
match mode {
AzureauthCliMode::All => cmd.arg("all"),
AzureauthCliMode::IntegratedWindowsAuth => cmd.arg("iwa"),
AzureauthCliMode::Broker => cmd.arg("broker"),
AzureauthCliMode::Web => cmd.arg("web"),
};
}

let result = cmd.output();

let output = result.map_err(|e| match e.kind() {
std::io::ErrorKind::NotFound => {
Error::message(ErrorKind::Other, "azureauth CLI not installed")
}
error_kind => Error::with_message(ErrorKind::Other, || {
format!("Unknown error of kind: {error_kind:?}")
}),
})?;

if !output.status.success() {
let output = String::from_utf8_lossy(&output.stderr);
heaths marked this conversation as resolved.
Show resolved Hide resolved
return Err(Error::with_message(ErrorKind::Credential, || {
format!("'azureauth' command failed: {output}")
}));
}

let output = String::from_utf8(output.stdout)?;

let token_response = serde_json::from_str::<CliTokenResponse>(&output)
.map_kind(ErrorKind::DataConversion)?;
Ok(token_response)
}
}

#[cfg_attr(target_arch = "wasm32", async_trait::async_trait(?Send))]
#[cfg_attr(not(target_arch = "wasm32"), async_trait::async_trait)]
impl TokenCredential for AzureauthCliCredential {
async fn get_token(&self, resource: &str) -> azure_core::Result<TokenResponse> {
let tr = self.get_access_token(resource)?;
Ok(TokenResponse::new(tr.token, tr.expiration_date))
}
}

#[cfg(test)]
mod tests {
use super::*;

#[test]
fn parse_example() -> azure_core::Result<()> {
let src = r#"{
"user": "[email protected]",
"display_name": "Example User",
"token": "security token here",
"expiration_date": "1700166595"
}"#;

let response: CliTokenResponse = serde_json::from_str(src)?;
assert_eq!(response.token.secret(), "security token here");
assert_eq!(
response.expiration_date,
OffsetDateTime::from_unix_timestamp(1700166595).expect("known valid date")
);

Ok(())
}
}
2 changes: 2 additions & 0 deletions sdk/identity/src/token_credentials/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@
//! * Client secret
mod auto_refreshing_credentials;
mod azure_cli_credentials;
mod azureauth_cli_credentials;
#[cfg(feature = "client_certificate")]
mod client_certificate_credentials;
mod client_secret_credentials;
Expand All @@ -17,6 +18,7 @@ mod workload_identity_credentials;

pub use auto_refreshing_credentials::*;
pub use azure_cli_credentials::*;
pub use azureauth_cli_credentials::*;
demoray marked this conversation as resolved.
Show resolved Hide resolved
#[cfg(feature = "client_certificate")]
pub use client_certificate_credentials::*;
pub use client_secret_credentials::*;
Expand Down