diff --git a/go.mod b/go.mod
index a03cf9783fe..5d437147abd 100644
--- a/go.mod
+++ b/go.mod
@@ -11,8 +11,8 @@ require (
github.com/Azure/azure-event-hubs-go/v3 v3.6.1
github.com/Azure/azure-kusto-go v0.14.0
github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
- github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.2
- github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1
+ github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0
+ github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0
github.com/Azure/azure-sdk-for-go/sdk/messaging/azservicebus v1.4.1
github.com/Azure/azure-storage-blob-go v0.15.0
github.com/Azure/azure-storage-queue-go v0.0.0-20230531184854-c06a8eff66fe
diff --git a/go.sum b/go.sum
index ca8e645e7fe..55030e1a5be 100644
--- a/go.sum
+++ b/go.sum
@@ -778,11 +778,11 @@ github.com/Azure/azure-pipeline-go v0.2.3/go.mod h1:x841ezTBIMG6O3lAcl8ATHnsOPVl
github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU=
github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
github.com/Azure/azure-sdk-for-go/sdk/azcore v0.19.0/go.mod h1:h6H6c8enJmmocHUbLiiGY6sx7f9i+X3m1CHdd5c6Rdw=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.2 h1:t5+QXLCK9SVi0PPdaY0PrFvYUo24KwA0QwxnaHRSVd4=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.2/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0 h1:9kDVnTz3vbfweTqAUmk/a/pH5pWFCHtvRpHYC0G/dcA=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0/go.mod h1:3Ug6Qzto9anB6mGlEdgYMDF5zHQ+wwhEaYR4s17PHMw=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.11.0/go.mod h1:HcM1YX14R7CJcghJGOYCgdezslRSVzqwLf/q+4Y2r/0=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 h1:LNHhpdK7hzUcx/k1LIcuh5k7k1LGIWLQfCjaneSj7Fc=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1/go.mod h1:uE9zaUfEQT/nbQjVi2IblCG9iaLtZsuYZ8ne+PuQ02M=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0 h1:BMAjVKJM0U/CYF27gA0ZMmXGkOcvfFtD0oHVZ1TIPRI=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0/go.mod h1:1fXstnBMas5kzG+S3q8UoJcmyU6nUeunJcMDHcRYHhs=
github.com/Azure/azure-sdk-for-go/sdk/internal v0.7.0/go.mod h1:yqy467j36fJxcRV2TzfVZ1pCb5vxm4BtZPUdYWe/Xo8=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM=
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md
index 93589e32561..b618676c59b 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md
@@ -1,5 +1,35 @@
# Release History
+## 1.8.0 (2023-10-05)
+
+### Features Added
+
+* Added `Claims` and `EnableCAE` fields to `policy.TokenRequestOptions`.
+* ARM bearer token policy handles CAE challenges.
+* `messaging/CloudEvent` allows you to serialize/deserialize CloudEvents, as described in the CloudEvents 1.0 specification: [link](https://github.com/cloudevents/spec)
+* Added functions `FetcherForNextLink` and `EncodeQueryParams` along with `FetcherForNextLinkOptions` to the `runtime` package to centralize creation of `Pager[T].Fetcher` from a next link URL.
+* Added types `KeyCredential` and `SASCredential` to the `azcore` package.
+ * Includes their respective constructor functions.
+* Added types `KeyCredentialPolicy` and `SASCredentialPolicy` to the `azcore/runtime` package.
+ * Includes their respective constructor functions and options types.
+
+### Breaking Changes
+> These changes affect only code written against beta versions of `v1.8.0`
+* The beta features for tracing and fakes have been omitted for this release.
+
+### Bugs Fixed
+
+* Fixed an issue that could cause some ARM RPs to not be automatically registered.
+* Block bearer token authentication for non TLS protected endpoints.
+
+### Other Changes
+
+* The following functions in the `runtime` package are now exposed from the `policy` package, and the `runtime` versions have been deprecated.
+ * `WithCaptureResponse`
+ * `WithHTTPHeader`
+ * `WithRetryOptions`
+* Updated dependencies.
+
## 1.7.2 (2023-09-06)
### Bugs Fixed
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/core.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/core.go
index 9fae2a9dc4b..9f051ba4ae9 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/core.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/core.go
@@ -22,6 +22,24 @@ type AccessToken = exported.AccessToken
// TokenCredential represents a credential capable of providing an OAuth token.
type TokenCredential = exported.TokenCredential
+// KeyCredential contains an authentication key used to authenticate to an Azure service.
+type KeyCredential = exported.KeyCredential
+
+// NewKeyCredential creates a new instance of [KeyCredential] with the specified values.
+// - key is the authentication key
+func NewKeyCredential(key string) *KeyCredential {
+ return exported.NewKeyCredential(key)
+}
+
+// SASCredential contains a shared access signature used to authenticate to an Azure service.
+type SASCredential = exported.SASCredential
+
+// NewSASCredential creates a new instance of [SASCredential] with the specified values.
+// - sas is the shared access signature
+func NewSASCredential(sas string) *SASCredential {
+ return exported.NewSASCredential(sas)
+}
+
// holds sentinel values used to send nulls
var nullables map[reflect.Type]interface{} = map[reflect.Type]interface{}{}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/exported.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/exported.go
index a1236b36252..e793b31db2c 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/exported.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/exported.go
@@ -10,6 +10,7 @@ import (
"context"
"io"
"net/http"
+ "sync/atomic"
"time"
)
@@ -51,6 +52,17 @@ type AccessToken struct {
// TokenRequestOptions contain specific parameter that may be used by credentials types when attempting to get a token.
// Exported as policy.TokenRequestOptions.
type TokenRequestOptions struct {
+ // Claims are any additional claims required for the token to satisfy a conditional access policy, such as a
+ // service may return in a claims challenge following an authorization failure. If a service returned the
+ // claims value base64 encoded, it must be decoded before setting this field.
+ Claims string
+
+ // EnableCAE indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. When true,
+ // azidentity credentials request CAE tokens for resource APIs supporting CAE. Clients are responsible for
+ // handling CAE challenges. If a client that doesn't handle CAE challenges receives a CAE token, it may end up
+ // in a loop retrying an API call with a token that has been revoked due to CAE.
+ EnableCAE bool
+
// Scopes contains the list of permission scopes required for the token.
Scopes []string
@@ -65,3 +77,65 @@ type TokenCredential interface {
// GetToken requests an access token for the specified set of scopes.
GetToken(ctx context.Context, options TokenRequestOptions) (AccessToken, error)
}
+
+// KeyCredential contains an authentication key used to authenticate to an Azure service.
+// Exported as azcore.KeyCredential.
+type KeyCredential struct {
+ cred *keyCredential
+}
+
+// NewKeyCredential creates a new instance of [KeyCredential] with the specified values.
+// - key is the authentication key
+func NewKeyCredential(key string) *KeyCredential {
+ return &KeyCredential{cred: newKeyCredential(key)}
+}
+
+// Update replaces the existing key with the specified value.
+func (k *KeyCredential) Update(key string) {
+ k.cred.Update(key)
+}
+
+// SASCredential contains a shared access signature used to authenticate to an Azure service.
+// Exported as azcore.SASCredential.
+type SASCredential struct {
+ cred *keyCredential
+}
+
+// NewSASCredential creates a new instance of [SASCredential] with the specified values.
+// - sas is the shared access signature
+func NewSASCredential(sas string) *SASCredential {
+ return &SASCredential{cred: newKeyCredential(sas)}
+}
+
+// Update replaces the existing shared access signature with the specified value.
+func (k *SASCredential) Update(sas string) {
+ k.cred.Update(sas)
+}
+
+// KeyCredentialGet returns the key for cred.
+func KeyCredentialGet(cred *KeyCredential) string {
+ return cred.cred.Get()
+}
+
+// SASCredentialGet returns the shared access sig for cred.
+func SASCredentialGet(cred *SASCredential) string {
+ return cred.cred.Get()
+}
+
+type keyCredential struct {
+ key atomic.Value // string
+}
+
+func newKeyCredential(key string) *keyCredential {
+ keyCred := keyCredential{}
+ keyCred.key.Store(key)
+ return &keyCred
+}
+
+func (k *keyCredential) Get() string {
+ return k.key.Load().(string)
+}
+
+func (k *keyCredential) Update(key string) {
+ k.key.Store(key)
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go
index eb815a2a781..05e53aa76e4 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go
@@ -32,5 +32,5 @@ const (
Module = "azcore"
// Version is the semantic version (see http://semver.org) of this module.
- Version = "v1.7.2"
+ Version = "v1.8.0"
)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/shared.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/shared.go
index db0aaa7cb95..1bf3aca9183 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/shared.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/shared.go
@@ -14,6 +14,8 @@ import (
"regexp"
"strconv"
"time"
+
+ "github.com/Azure/azure-sdk-for-go/sdk/internal/errorinfo"
)
// CtxWithHTTPHeaderKey is used as a context key for adding/retrieving http.Header.
@@ -22,8 +24,8 @@ type CtxWithHTTPHeaderKey struct{}
// CtxWithRetryOptionsKey is used as a context key for adding/retrieving RetryOptions.
type CtxWithRetryOptionsKey struct{}
-// CtxIncludeResponseKey is used as a context key for retrieving the raw response.
-type CtxIncludeResponseKey struct{}
+// CtxWithCaptureResponse is used as a context key for retrieving the raw response.
+type CtxWithCaptureResponse struct{}
// Delay waits for the duration to elapse or the context to be cancelled.
func Delay(ctx context.Context, delay time.Duration) error {
@@ -101,3 +103,26 @@ func ExtractModuleName(clientName string) (string, string, error) {
}
return matches[3], matches[2], nil
}
+
+// NonRetriableError marks the specified error as non-retriable.
+func NonRetriableError(err error) error {
+ return &nonRetriableError{err}
+}
+
+type nonRetriableError struct {
+ error
+}
+
+func (p *nonRetriableError) Error() string {
+ return p.error.Error()
+}
+
+func (*nonRetriableError) NonRetriable() {
+ // marker method
+}
+
+func (p *nonRetriableError) Unwrap() error {
+ return p.error
+}
+
+var _ errorinfo.NonRetriable = (*nonRetriableError)(nil)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/policy/policy.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/policy/policy.go
index b200047834c..f73704cf016 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/policy/policy.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/policy/policy.go
@@ -7,11 +7,13 @@
package policy
import (
+ "context"
"net/http"
"time"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported"
+ "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/tracing"
)
@@ -162,3 +164,22 @@ type AuthorizationHandler struct {
// the policy will return any 401 response to the client.
OnChallenge func(*Request, *http.Response, func(TokenRequestOptions) error) error
}
+
+// WithCaptureResponse applies the HTTP response retrieval annotation to the parent context.
+// The resp parameter will contain the HTTP response after the request has completed.
+func WithCaptureResponse(parent context.Context, resp **http.Response) context.Context {
+ return context.WithValue(parent, shared.CtxWithCaptureResponse{}, resp)
+}
+
+// WithHTTPHeader adds the specified http.Header to the parent context.
+// Use this to specify custom HTTP headers at the API-call level.
+// Any overlapping headers will have their values replaced with the values specified here.
+func WithHTTPHeader(parent context.Context, header http.Header) context.Context {
+ return context.WithValue(parent, shared.CtxWithHTTPHeaderKey{}, header)
+}
+
+// WithRetryOptions adds the specified RetryOptions to the parent context.
+// Use this to specify custom RetryOptions at the API-call level.
+func WithRetryOptions(parent context.Context, options RetryOptions) context.Context {
+ return context.WithValue(parent, shared.CtxWithRetryOptionsKey{}, options)
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pager.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pager.go
index 5507665d651..8a2e6c61ed1 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pager.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pager.go
@@ -10,6 +10,9 @@ import (
"context"
"encoding/json"
"errors"
+ "net/http"
+
+ "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
)
// PagingHandler contains the required data for constructing a Pager.
@@ -75,3 +78,41 @@ func (p *Pager[T]) NextPage(ctx context.Context) (T, error) {
func (p *Pager[T]) UnmarshalJSON(data []byte) error {
return json.Unmarshal(data, &p.current)
}
+
+// FetcherForNextLinkOptions contains the optional values for [FetcherForNextLink].
+type FetcherForNextLinkOptions struct {
+ // NextReq is the func to be called when requesting subsequent pages.
+ // Used for paged operations that have a custom next link operation.
+ NextReq func(context.Context, string) (*policy.Request, error)
+}
+
+// FetcherForNextLink is a helper containing boilerplate code to simplify creating a PagingHandler[T].Fetcher from a next link URL.
+// - ctx is the [context.Context] controlling the lifetime of the HTTP operation
+// - pl is the [Pipeline] used to dispatch the HTTP request
+// - nextLink is the URL used to fetch the next page. the empty string indicates the first page is to be requested
+// - firstReq is the func to be called when creating the request for the first page
+// - options contains any optional parameters, pass nil to accept the default values
+func FetcherForNextLink(ctx context.Context, pl Pipeline, nextLink string, firstReq func(context.Context) (*policy.Request, error), options *FetcherForNextLinkOptions) (*http.Response, error) {
+ var req *policy.Request
+ var err error
+ if nextLink == "" {
+ req, err = firstReq(ctx)
+ } else if nextLink, err = EncodeQueryParams(nextLink); err == nil {
+ if options != nil && options.NextReq != nil {
+ req, err = options.NextReq(ctx, nextLink)
+ } else {
+ req, err = NewRequest(ctx, http.MethodGet, nextLink)
+ }
+ }
+ if err != nil {
+ return nil, err
+ }
+ resp, err := pl.Do(req)
+ if err != nil {
+ return nil, err
+ }
+ if !HasStatusCode(resp, http.StatusOK) {
+ return nil, NewResponseError(resp)
+ }
+ return resp, nil
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_bearer_token.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_bearer_token.go
index b61e4c121f6..ff4931cd247 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_bearer_token.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_bearer_token.go
@@ -6,6 +6,7 @@ package runtime
import (
"errors"
"net/http"
+ "strings"
"time"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported"
@@ -72,6 +73,9 @@ func (b *BearerTokenPolicy) authenticateAndAuthorize(req *policy.Request) func(p
// Do authorizes a request with a bearer token
func (b *BearerTokenPolicy) Do(req *policy.Request) (*http.Response, error) {
+ if strings.ToLower(req.Raw().URL.Scheme) != "https" {
+ return nil, shared.NonRetriableError(errors.New("bearer token authentication is not permitted for non TLS protected (https) endpoints"))
+ }
var err error
if b.authzHandler.OnRequest != nil {
err = b.authzHandler.OnRequest(req, b.authenticateAndAuthorize(req))
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_http_header.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_http_header.go
index 770e0a2b6a6..c230af0afa8 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_http_header.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_http_header.go
@@ -34,6 +34,7 @@ func httpHeaderPolicy(req *policy.Request) (*http.Response, error) {
// WithHTTPHeader adds the specified http.Header to the parent context.
// Use this to specify custom HTTP headers at the API-call level.
// Any overlapping headers will have their values replaced with the values specified here.
+// Deprecated: use [policy.WithHTTPHeader] instead.
func WithHTTPHeader(parent context.Context, header http.Header) context.Context {
- return context.WithValue(parent, shared.CtxWithHTTPHeaderKey{}, header)
+ return policy.WithHTTPHeader(parent, header)
}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_include_response.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_include_response.go
index 4714baa30cd..bb00f6c2fdb 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_include_response.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_include_response.go
@@ -20,7 +20,7 @@ func includeResponsePolicy(req *policy.Request) (*http.Response, error) {
if resp == nil {
return resp, err
}
- if httpOutRaw := req.Raw().Context().Value(shared.CtxIncludeResponseKey{}); httpOutRaw != nil {
+ if httpOutRaw := req.Raw().Context().Value(shared.CtxWithCaptureResponse{}); httpOutRaw != nil {
httpOut := httpOutRaw.(**http.Response)
*httpOut = resp
}
@@ -29,6 +29,7 @@ func includeResponsePolicy(req *policy.Request) (*http.Response, error) {
// WithCaptureResponse applies the HTTP response retrieval annotation to the parent context.
// The resp parameter will contain the HTTP response after the request has completed.
+// Deprecated: use [policy.WithCaptureResponse] instead.
func WithCaptureResponse(parent context.Context, resp **http.Response) context.Context {
- return context.WithValue(parent, shared.CtxIncludeResponseKey{}, resp)
+ return policy.WithCaptureResponse(parent, resp)
}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_key_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_key_credential.go
new file mode 100644
index 00000000000..2e47a5bad06
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_key_credential.go
@@ -0,0 +1,49 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package runtime
+
+import (
+ "net/http"
+
+ "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported"
+ "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+)
+
+// KeyCredentialPolicy authorizes requests with a [azcore.KeyCredential].
+type KeyCredentialPolicy struct {
+ cred *exported.KeyCredential
+ header string
+ prefix string
+}
+
+// KeyCredentialPolicyOptions contains the optional values configuring [KeyCredentialPolicy].
+type KeyCredentialPolicyOptions struct {
+ // Prefix is used if the key requires a prefix before it's inserted into the HTTP request.
+ Prefix string
+}
+
+// NewKeyCredentialPolicy creates a new instance of [KeyCredentialPolicy].
+// - cred is the [azcore.KeyCredential] used to authenticate with the service
+// - header is the name of the HTTP request header in which the key is placed
+// - options contains optional configuration, pass nil to accept the default values
+func NewKeyCredentialPolicy(cred *exported.KeyCredential, header string, options *KeyCredentialPolicyOptions) *KeyCredentialPolicy {
+ if options == nil {
+ options = &KeyCredentialPolicyOptions{}
+ }
+ return &KeyCredentialPolicy{
+ cred: cred,
+ header: header,
+ prefix: options.Prefix,
+ }
+}
+
+// Do implementes the Do method on the [policy.Polilcy] interface.
+func (k *KeyCredentialPolicy) Do(req *policy.Request) (*http.Response, error) {
+ val := exported.KeyCredentialGet(k.cred)
+ if k.prefix != "" {
+ val = k.prefix + val
+ }
+ req.Raw().Header.Add(k.header, val)
+ return req.Next()
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_retry.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_retry.go
index e0c5929f3b7..21fcb39682d 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_retry.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_retry.go
@@ -209,8 +209,9 @@ func (p *retryPolicy) Do(req *policy.Request) (resp *http.Response, err error) {
// WithRetryOptions adds the specified RetryOptions to the parent context.
// Use this to specify custom RetryOptions at the API-call level.
+// Deprecated: use [policy.WithRetryOptions] instead.
func WithRetryOptions(parent context.Context, options policy.RetryOptions) context.Context {
- return context.WithValue(parent, shared.CtxWithRetryOptionsKey{}, options)
+ return policy.WithRetryOptions(parent, options)
}
// ********** The following type/methods implement the retryableRequestBody (a ReadSeekCloser)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_sas_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_sas_credential.go
new file mode 100644
index 00000000000..25266030ba2
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_sas_credential.go
@@ -0,0 +1,39 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package runtime
+
+import (
+ "net/http"
+
+ "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported"
+ "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+)
+
+// SASCredentialPolicy authorizes requests with a [azcore.SASCredential].
+type SASCredentialPolicy struct {
+ cred *exported.SASCredential
+ header string
+}
+
+// SASCredentialPolicyOptions contains the optional values configuring [SASCredentialPolicy].
+type SASCredentialPolicyOptions struct {
+ // placeholder for future optional values
+}
+
+// NewSASCredentialPolicy creates a new instance of [SASCredentialPolicy].
+// - cred is the [azcore.SASCredential] used to authenticate with the service
+// - header is the name of the HTTP request header in which the shared access signature is placed
+// - options contains optional configuration, pass nil to accept the default values
+func NewSASCredentialPolicy(cred *exported.SASCredential, header string, options *SASCredentialPolicyOptions) *SASCredentialPolicy {
+ return &SASCredentialPolicy{
+ cred: cred,
+ header: header,
+ }
+}
+
+// Do implementes the Do method on the [policy.Polilcy] interface.
+func (k *SASCredentialPolicy) Do(req *policy.Request) (*http.Response, error) {
+ req.Raw().Header.Add(k.header, exported.SASCredentialGet(k.cred))
+ return req.Next()
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/request.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/request.go
index 98e00718488..b7e6fb26f9b 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/request.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/request.go
@@ -15,6 +15,7 @@ import (
"fmt"
"io"
"mime/multipart"
+ "net/url"
"os"
"path"
"reflect"
@@ -44,6 +45,19 @@ func NewRequest(ctx context.Context, httpMethod string, endpoint string) (*polic
return exported.NewRequest(ctx, httpMethod, endpoint)
}
+// EncodeQueryParams will parse and encode any query parameters in the specified URL.
+func EncodeQueryParams(u string) (string, error) {
+ before, after, found := strings.Cut(u, "?")
+ if !found {
+ return u, nil
+ }
+ qp, err := url.ParseQuery(after)
+ if err != nil {
+ return "", err
+ }
+ return before + "?" + qp.Encode(), nil
+}
+
// JoinPaths concatenates multiple URL path segments into one path,
// inserting path separation characters as required. JoinPaths will preserve
// query parameters in the root path
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
index ddb24d81023..7ea119ab30d 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
@@ -1,10 +1,53 @@
# Release History
+## 1.4.0 (2023-10-10)
+
+### Bugs Fixed
+* `ManagedIdentityCredential` will now retry when IMDS responds 410 or 503
+
+## 1.4.0-beta.5 (2023-09-12)
+
+### Features Added
+* Service principal credentials can request CAE tokens
+
+### Breaking Changes
+> These changes affect only code written against a beta version such as v1.4.0-beta.4
+* Whether `GetToken` requests a CAE token is now determined by `TokenRequestOptions.EnableCAE`. Azure
+ SDK clients which support CAE will set this option automatically. Credentials no longer request CAE
+ tokens by default or observe the environment variable "AZURE_IDENTITY_DISABLE_CP1".
+
+### Bugs Fixed
+* Credential chains such as `DefaultAzureCredential` now try their next credential, if any, when
+ managed identity authentication fails in a Docker Desktop container
+ ([#21417](https://github.com/Azure/azure-sdk-for-go/issues/21417))
+
+## 1.4.0-beta.4 (2023-08-16)
+
+### Other Changes
+* Upgraded dependencies
+
## 1.3.1 (2023-08-16)
### Other Changes
* Upgraded dependencies
+## 1.4.0-beta.3 (2023-08-08)
+
+### Bugs Fixed
+* One invocation of `AzureCLICredential.GetToken()` and `OnBehalfOfCredential.GetToken()`
+ can no longer make two authentication attempts
+
+## 1.4.0-beta.2 (2023-07-14)
+
+### Other Changes
+* `DefaultAzureCredentialOptions.TenantID` applies to workload identity authentication
+* Upgraded dependencies
+
+## 1.4.0-beta.1 (2023-06-06)
+
+### Other Changes
+* Re-enabled CAE support as in v1.3.0-beta.3
+
## 1.3.0 (2023-05-09)
### Breaking Changes
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
index 7b7515ebac2..fef099813c8 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
@@ -76,12 +76,14 @@ azlog.SetListener(func(event azlog.Event, s string) {
azlog.SetEvents(azidentity.EventAuthentication)
```
+
## Troubleshoot DefaultAzureCredential authentication issues
| Error |Description| Mitigation |
|---|---|---|
|"DefaultAzureCredential failed to acquire a token"|No credential in the `DefaultAzureCredential` chain provided a token|- [Enable logging](#enable-and-configure-logging) to get further diagnostic information.
- Consult the troubleshooting guide for underlying credential types for more information.
- [EnvironmentCredential](#troubleshoot-environmentcredential-authentication-issues)
- [ManagedIdentityCredential](#troubleshoot-managedidentitycredential-authentication-issues)
- [AzureCLICredential](#troubleshoot-azureclicredential-authentication-issues)
|
|Error from the client with a status code of 401 or 403|Authentication succeeded but the authorizing Azure service responded with a 401 (Unauthorized), or 403 (Forbidden) status code|- [Enable logging](#enable-and-configure-logging) to determine which credential in the chain returned the authenticating token.
- If an unexpected credential is returning a token, check application configuration such as environment variables.
- Ensure the correct role is assigned to the authenticated identity. For example, a service specific role rather than the subscription Owner role.
|
+|"managed identity timed out"|`DefaultAzureCredential` sets a short timeout on its first managed identity authentication attempt to prevent very long timeouts during local development when no managed identity is available. That timeout causes this error in production when an application requests a token before the hosting environment is ready to provide one.|Use [ManagedIdentityCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ManagedIdentityCredential) directly, at least in production. It doesn't set a timeout on its authentication attempts.|
## Troubleshoot EnvironmentCredential authentication issues
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azidentity.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azidentity.go
index 739ff49c1ec..10b742ce1a1 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azidentity.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azidentity.go
@@ -10,12 +10,12 @@ import (
"bytes"
"context"
"errors"
+ "fmt"
"io"
"net/http"
"net/url"
"os"
"regexp"
- "strings"
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
@@ -41,65 +41,18 @@ const (
organizationsTenantID = "organizations"
developerSignOnClientID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
defaultSuffix = "/.default"
- tenantIDValidationErr = "invalid tenantID. You can locate your tenantID by following the instructions listed here: https://docs.microsoft.com/partner-center/find-ids-and-domain-names"
)
var (
// capability CP1 indicates the client application is capable of handling CAE claims challenges
- cp1 = []string{"CP1"}
- // CP1 is disabled until CAE support is added back
- disableCP1 = true
+ cp1 = []string{"CP1"}
+ errInvalidTenantID = errors.New("invalid tenantID. You can locate your tenantID by following the instructions listed here: https://learn.microsoft.com/partner-center/find-ids-and-domain-names")
)
-var getConfidentialClient = func(clientID, tenantID string, cred confidential.Credential, co *azcore.ClientOptions, additionalOpts ...confidential.Option) (confidentialClient, error) {
- if !validTenantID(tenantID) {
- return confidential.Client{}, errors.New(tenantIDValidationErr)
- }
- authorityHost, err := setAuthorityHost(co.Cloud)
- if err != nil {
- return confidential.Client{}, err
- }
- authority := runtime.JoinPaths(authorityHost, tenantID)
- o := []confidential.Option{
- confidential.WithAzureRegion(os.Getenv(azureRegionalAuthorityName)),
- confidential.WithHTTPClient(newPipelineAdapter(co)),
- }
- if !disableCP1 {
- o = append(o, confidential.WithClientCapabilities(cp1))
- }
- o = append(o, additionalOpts...)
- if strings.ToLower(tenantID) == "adfs" {
- o = append(o, confidential.WithInstanceDiscovery(false))
- }
- return confidential.New(authority, clientID, cred, o...)
-}
-
-var getPublicClient = func(clientID, tenantID string, co *azcore.ClientOptions, additionalOpts ...public.Option) (public.Client, error) {
- if !validTenantID(tenantID) {
- return public.Client{}, errors.New(tenantIDValidationErr)
- }
- authorityHost, err := setAuthorityHost(co.Cloud)
- if err != nil {
- return public.Client{}, err
- }
- o := []public.Option{
- public.WithAuthority(runtime.JoinPaths(authorityHost, tenantID)),
- public.WithHTTPClient(newPipelineAdapter(co)),
- }
- if !disableCP1 {
- o = append(o, public.WithClientCapabilities(cp1))
- }
- o = append(o, additionalOpts...)
- if strings.ToLower(tenantID) == "adfs" {
- o = append(o, public.WithInstanceDiscovery(false))
- }
- return public.New(clientID, o...)
-}
-
// setAuthorityHost initializes the authority host for credentials. Precedence is:
-// 1. cloud.Configuration.ActiveDirectoryAuthorityHost value set by user
-// 2. value of AZURE_AUTHORITY_HOST
-// 3. default: Azure Public Cloud
+// 1. cloud.Configuration.ActiveDirectoryAuthorityHost value set by user
+// 2. value of AZURE_AUTHORITY_HOST
+// 3. default: Azure Public Cloud
func setAuthorityHost(cc cloud.Configuration) (string, error) {
host := cc.ActiveDirectoryAuthorityHost
if host == "" {
@@ -121,6 +74,41 @@ func setAuthorityHost(cc cloud.Configuration) (string, error) {
return host, nil
}
+// resolveAdditionalTenants returns a copy of tenants, simplified when tenants contains a wildcard
+func resolveAdditionalTenants(tenants []string) []string {
+ if len(tenants) == 0 {
+ return nil
+ }
+ for _, t := range tenants {
+ // a wildcard makes all other values redundant
+ if t == "*" {
+ return []string{"*"}
+ }
+ }
+ cp := make([]string, len(tenants))
+ copy(cp, tenants)
+ return cp
+}
+
+// resolveTenant returns the correct tenant for a token request
+func resolveTenant(defaultTenant, specified, credName string, additionalTenants []string) (string, error) {
+ if specified == "" || specified == defaultTenant {
+ return defaultTenant, nil
+ }
+ if defaultTenant == "adfs" {
+ return "", errors.New("ADFS doesn't support tenants")
+ }
+ if !validTenantID(specified) {
+ return "", errInvalidTenantID
+ }
+ for _, t := range additionalTenants {
+ if t == "*" || t == specified {
+ return specified, nil
+ }
+ }
+ return "", fmt.Errorf(`%s isn't configured to acquire tokens for tenant %q. To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add "*" to allow acquiring tokens for any tenant`, credName, specified)
+}
+
// validTenantID return true is it receives a valid tenantID, returns false otherwise
func validTenantID(tenantID string) bool {
match, err := regexp.MatchString("^[0-9a-zA-Z-.]+$", tenantID)
@@ -173,7 +161,7 @@ func (p pipelineAdapter) Do(r *http.Request) (*http.Response, error) {
}
// enables fakes for test scenarios
-type confidentialClient interface {
+type msalConfidentialClient interface {
AcquireTokenSilent(ctx context.Context, scopes []string, options ...confidential.AcquireSilentOption) (confidential.AuthResult, error)
AcquireTokenByAuthCode(ctx context.Context, code string, redirectURI string, scopes []string, options ...confidential.AcquireByAuthCodeOption) (confidential.AuthResult, error)
AcquireTokenByCredential(ctx context.Context, scopes []string, options ...confidential.AcquireByCredentialOption) (confidential.AuthResult, error)
@@ -181,7 +169,7 @@ type confidentialClient interface {
}
// enables fakes for test scenarios
-type publicClient interface {
+type msalPublicClient interface {
AcquireTokenSilent(ctx context.Context, scopes []string, options ...public.AcquireSilentOption) (public.AuthResult, error)
AcquireTokenByUsernamePassword(ctx context.Context, scopes []string, username string, password string, options ...public.AcquireByUsernamePasswordOption) (public.AuthResult, error)
AcquireTokenByDeviceCode(ctx context.Context, scopes []string, options ...public.AcquireByDeviceCodeOption) (public.DeviceCode, error)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_cli_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_cli_credential.go
index 33ff13c09db..55a0d654347 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_cli_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_cli_credential.go
@@ -17,10 +17,12 @@ import (
"regexp"
"runtime"
"strings"
+ "sync"
"time"
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+ "github.com/Azure/azure-sdk-for-go/sdk/internal/log"
)
const (
@@ -47,14 +49,14 @@ type AzureCLICredentialOptions struct {
// init returns an instance of AzureCLICredentialOptions initialized with default values.
func (o *AzureCLICredentialOptions) init() {
if o.tokenProvider == nil {
- o.tokenProvider = defaultTokenProvider()
+ o.tokenProvider = defaultTokenProvider
}
}
// AzureCLICredential authenticates as the identity logged in to the Azure CLI.
type AzureCLICredential struct {
- s *syncer
- tokenProvider azureCLITokenProvider
+ mu *sync.Mutex
+ opts AzureCLICredentialOptions
}
// NewAzureCLICredential constructs an AzureCLICredential. Pass nil to accept default options.
@@ -64,9 +66,8 @@ func NewAzureCLICredential(options *AzureCLICredentialOptions) (*AzureCLICredent
cp = *options
}
cp.init()
- c := AzureCLICredential{tokenProvider: cp.tokenProvider}
- c.s = newSyncer(credNameAzureCLI, cp.TenantID, cp.AdditionallyAllowedTenants, c.requestToken, c.requestToken)
- return &c, nil
+ cp.AdditionallyAllowedTenants = resolveAdditionalTenants(cp.AdditionallyAllowedTenants)
+ return &AzureCLICredential{mu: &sync.Mutex{}, opts: cp}, nil
}
// GetToken requests a token from the Azure CLI. This credential doesn't cache tokens, so every call invokes the CLI.
@@ -75,13 +76,15 @@ func (c *AzureCLICredential) GetToken(ctx context.Context, opts policy.TokenRequ
if len(opts.Scopes) != 1 {
return azcore.AccessToken{}, errors.New(credNameAzureCLI + ": GetToken() requires exactly one scope")
}
- // CLI expects an AAD v1 resource, not a v2 scope
+ tenant, err := resolveTenant(c.opts.TenantID, opts.TenantID, credNameAzureCLI, c.opts.AdditionallyAllowedTenants)
+ if err != nil {
+ return azcore.AccessToken{}, err
+ }
+ // pass the CLI an AAD v1 resource because we don't know which CLI version is installed and older ones don't support v2 scopes
opts.Scopes = []string{strings.TrimSuffix(opts.Scopes[0], defaultSuffix)}
- return c.s.GetToken(ctx, opts)
-}
-
-func (c *AzureCLICredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- b, err := c.tokenProvider(ctx, opts.Scopes[0], opts.TenantID)
+ c.mu.Lock()
+ defer c.mu.Unlock()
+ b, err := c.opts.tokenProvider(ctx, opts.Scopes[0], tenant)
if err != nil {
return azcore.AccessToken{}, err
}
@@ -89,61 +92,61 @@ func (c *AzureCLICredential) requestToken(ctx context.Context, opts policy.Token
if err != nil {
return azcore.AccessToken{}, err
}
+ msg := fmt.Sprintf("%s.GetToken() acquired a token for scope %q", credNameAzureCLI, strings.Join(opts.Scopes, ", "))
+ log.Write(EventAuthentication, msg)
return at, nil
}
-func defaultTokenProvider() func(ctx context.Context, resource string, tenantID string) ([]byte, error) {
- return func(ctx context.Context, resource string, tenantID string) ([]byte, error) {
- match, err := regexp.MatchString("^[0-9a-zA-Z-.:/]+$", resource)
- if err != nil {
- return nil, err
- }
- if !match {
- return nil, fmt.Errorf(`%s: unexpected scope "%s". Only alphanumeric characters and ".", ";", "-", and "/" are allowed`, credNameAzureCLI, resource)
- }
+var defaultTokenProvider azureCLITokenProvider = func(ctx context.Context, resource string, tenantID string) ([]byte, error) {
+ match, err := regexp.MatchString("^[0-9a-zA-Z-.:/]+$", resource)
+ if err != nil {
+ return nil, err
+ }
+ if !match {
+ return nil, fmt.Errorf(`%s: unexpected scope "%s". Only alphanumeric characters and ".", ";", "-", and "/" are allowed`, credNameAzureCLI, resource)
+ }
- // set a default timeout for this authentication iff the application hasn't done so already
- var cancel context.CancelFunc
- if _, hasDeadline := ctx.Deadline(); !hasDeadline {
- ctx, cancel = context.WithTimeout(ctx, timeoutCLIRequest)
- defer cancel()
- }
+ // set a default timeout for this authentication iff the application hasn't done so already
+ var cancel context.CancelFunc
+ if _, hasDeadline := ctx.Deadline(); !hasDeadline {
+ ctx, cancel = context.WithTimeout(ctx, timeoutCLIRequest)
+ defer cancel()
+ }
- commandLine := "az account get-access-token -o json --resource " + resource
- if tenantID != "" {
- commandLine += " --tenant " + tenantID
+ commandLine := "az account get-access-token -o json --resource " + resource
+ if tenantID != "" {
+ commandLine += " --tenant " + tenantID
+ }
+ var cliCmd *exec.Cmd
+ if runtime.GOOS == "windows" {
+ dir := os.Getenv("SYSTEMROOT")
+ if dir == "" {
+ return nil, newCredentialUnavailableError(credNameAzureCLI, "environment variable 'SYSTEMROOT' has no value")
}
- var cliCmd *exec.Cmd
- if runtime.GOOS == "windows" {
- dir := os.Getenv("SYSTEMROOT")
- if dir == "" {
- return nil, newCredentialUnavailableError(credNameAzureCLI, "environment variable 'SYSTEMROOT' has no value")
- }
- cliCmd = exec.CommandContext(ctx, "cmd.exe", "/c", commandLine)
- cliCmd.Dir = dir
- } else {
- cliCmd = exec.CommandContext(ctx, "/bin/sh", "-c", commandLine)
- cliCmd.Dir = "/bin"
+ cliCmd = exec.CommandContext(ctx, "cmd.exe", "/c", commandLine)
+ cliCmd.Dir = dir
+ } else {
+ cliCmd = exec.CommandContext(ctx, "/bin/sh", "-c", commandLine)
+ cliCmd.Dir = "/bin"
+ }
+ cliCmd.Env = os.Environ()
+ var stderr bytes.Buffer
+ cliCmd.Stderr = &stderr
+
+ output, err := cliCmd.Output()
+ if err != nil {
+ msg := stderr.String()
+ var exErr *exec.ExitError
+ if errors.As(err, &exErr) && exErr.ExitCode() == 127 || strings.HasPrefix(msg, "'az' is not recognized") {
+ msg = "Azure CLI not found on path"
}
- cliCmd.Env = os.Environ()
- var stderr bytes.Buffer
- cliCmd.Stderr = &stderr
-
- output, err := cliCmd.Output()
- if err != nil {
- msg := stderr.String()
- var exErr *exec.ExitError
- if errors.As(err, &exErr) && exErr.ExitCode() == 127 || strings.HasPrefix(msg, "'az' is not recognized") {
- msg = "Azure CLI not found on path"
- }
- if msg == "" {
- msg = err.Error()
- }
- return nil, newCredentialUnavailableError(credNameAzureCLI, msg)
+ if msg == "" {
+ msg = err.Error()
}
-
- return output, nil
+ return nil, newCredentialUnavailableError(credNameAzureCLI, msg)
}
+
+ return output, nil
}
func (c *AzureCLICredential) createAccessToken(tk []byte) (azcore.AccessToken, error) {
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/ci.yml b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/ci.yml
index 3b443e8eedb..9002ea0b050 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/ci.yml
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/ci.yml
@@ -26,22 +26,9 @@ stages:
parameters:
RunLiveTests: true
ServiceDirectory: 'azidentity'
- PreSteps:
- - pwsh: |
- [System.Convert]::FromBase64String($env:PFX_CONTENTS) | Set-Content -Path $(Agent.TempDirectory)/test.pfx -AsByteStream
- Set-Content -Path $(Agent.TempDirectory)/test.pem -Value $env:PEM_CONTENTS
- [System.Convert]::FromBase64String($env:SNI_CONTENTS) | Set-Content -Path $(Agent.TempDirectory)/testsni.pfx -AsByteStream
- env:
- PFX_CONTENTS: $(net-identity-spcert-pfx)
- PEM_CONTENTS: $(net-identity-spcert-pem)
- SNI_CONTENTS: $(net-identity-spcert-sni)
- EnvVars:
- AZURE_IDENTITY_TEST_TENANTID: $(net-identity-tenantid)
- AZURE_IDENTITY_TEST_USERNAME: $(net-identity-username)
- AZURE_IDENTITY_TEST_PASSWORD: $(net-identity-password)
- IDENTITY_SP_TENANT_ID: $(net-identity-sp-tenantid)
- IDENTITY_SP_CLIENT_ID: $(net-identity-sp-clientid)
- IDENTITY_SP_CLIENT_SECRET: $(net-identity-sp-clientsecret)
- IDENTITY_SP_CERT_PEM: $(Agent.TempDirectory)/test.pem
- IDENTITY_SP_CERT_PFX: $(Agent.TempDirectory)/test.pfx
- IDENTITY_SP_CERT_SNI: $(Agent.TempDirectory)/testsni.pfx
+ CloudConfig:
+ Public:
+ SubscriptionConfigurations:
+ - $(sub-config-azure-cloud-test-resources)
+ # Contains alternate tenant, AAD app and cert info for testing
+ - $(sub-config-identity-test-resources)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_assertion_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_assertion_credential.go
index d9d22996cd4..303d5fc0925 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_assertion_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_assertion_credential.go
@@ -24,8 +24,7 @@ const credNameAssertion = "ClientAssertionCredential"
//
// [Azure AD documentation]: https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials#assertion-format
type ClientAssertionCredential struct {
- client confidentialClient
- s *syncer
+ client *confidentialClient
}
// ClientAssertionCredentialOptions contains optional parameters for ClientAssertionCredential.
@@ -56,28 +55,21 @@ func NewClientAssertionCredential(tenantID, clientID string, getAssertion func(c
return getAssertion(ctx)
},
)
- c, err := getConfidentialClient(clientID, tenantID, cred, &options.ClientOptions, confidential.WithInstanceDiscovery(!options.DisableInstanceDiscovery))
+ msalOpts := confidentialClientOptions{
+ AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
+ ClientOptions: options.ClientOptions,
+ DisableInstanceDiscovery: options.DisableInstanceDiscovery,
+ }
+ c, err := newConfidentialClient(tenantID, clientID, credNameAssertion, cred, msalOpts)
if err != nil {
return nil, err
}
- cac := ClientAssertionCredential{client: c}
- cac.s = newSyncer(credNameAssertion, tenantID, options.AdditionallyAllowedTenants, cac.requestToken, cac.silentAuth)
- return &cac, nil
+ return &ClientAssertionCredential{client: c}, nil
}
// GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
func (c *ClientAssertionCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- return c.s.GetToken(ctx, opts)
-}
-
-func (c *ClientAssertionCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
- return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
-}
-
-func (c *ClientAssertionCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- ar, err := c.client.AcquireTokenByCredential(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
- return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
+ return c.client.GetToken(ctx, opts)
}
var _ azcore.TokenCredential = (*ClientAssertionCredential)(nil)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go
index 804eba899ec..d3300e3053b 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go
@@ -42,8 +42,7 @@ type ClientCertificateCredentialOptions struct {
// ClientCertificateCredential authenticates a service principal with a certificate.
type ClientCertificateCredential struct {
- client confidentialClient
- s *syncer
+ client *confidentialClient
}
// NewClientCertificateCredential constructs a ClientCertificateCredential. Pass nil for options to accept defaults.
@@ -58,33 +57,22 @@ func NewClientCertificateCredential(tenantID string, clientID string, certs []*x
if err != nil {
return nil, err
}
- var o []confidential.Option
- if options.SendCertificateChain {
- o = append(o, confidential.WithX5C())
+ msalOpts := confidentialClientOptions{
+ AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
+ ClientOptions: options.ClientOptions,
+ DisableInstanceDiscovery: options.DisableInstanceDiscovery,
+ SendX5C: options.SendCertificateChain,
}
- o = append(o, confidential.WithInstanceDiscovery(!options.DisableInstanceDiscovery))
- c, err := getConfidentialClient(clientID, tenantID, cred, &options.ClientOptions, o...)
+ c, err := newConfidentialClient(tenantID, clientID, credNameCert, cred, msalOpts)
if err != nil {
return nil, err
}
- cc := ClientCertificateCredential{client: c}
- cc.s = newSyncer(credNameCert, tenantID, options.AdditionallyAllowedTenants, cc.requestToken, cc.silentAuth)
- return &cc, nil
+ return &ClientCertificateCredential{client: c}, nil
}
// GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
func (c *ClientCertificateCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- return c.s.GetToken(ctx, opts)
-}
-
-func (c *ClientCertificateCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
- return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
-}
-
-func (c *ClientCertificateCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- ar, err := c.client.AcquireTokenByCredential(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
- return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
+ return c.client.GetToken(ctx, opts)
}
// ParseCertificates loads certificates and a private key, in PEM or PKCS12 format, for use with NewClientCertificateCredential.
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_secret_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_secret_credential.go
index dda21f6b88d..d2ff7582b99 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_secret_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_secret_credential.go
@@ -33,8 +33,7 @@ type ClientSecretCredentialOptions struct {
// ClientSecretCredential authenticates an application with a client secret.
type ClientSecretCredential struct {
- client confidentialClient
- s *syncer
+ client *confidentialClient
}
// NewClientSecretCredential constructs a ClientSecretCredential. Pass nil for options to accept defaults.
@@ -46,30 +45,21 @@ func NewClientSecretCredential(tenantID string, clientID string, clientSecret st
if err != nil {
return nil, err
}
- c, err := getConfidentialClient(
- clientID, tenantID, cred, &options.ClientOptions, confidential.WithInstanceDiscovery(!options.DisableInstanceDiscovery),
- )
+ msalOpts := confidentialClientOptions{
+ AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
+ ClientOptions: options.ClientOptions,
+ DisableInstanceDiscovery: options.DisableInstanceDiscovery,
+ }
+ c, err := newConfidentialClient(tenantID, clientID, credNameSecret, cred, msalOpts)
if err != nil {
return nil, err
}
- csc := ClientSecretCredential{client: c}
- csc.s = newSyncer(credNameSecret, tenantID, options.AdditionallyAllowedTenants, csc.requestToken, csc.silentAuth)
- return &csc, nil
+ return &ClientSecretCredential{c}, nil
}
// GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
func (c *ClientSecretCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- return c.s.GetToken(ctx, opts)
-}
-
-func (c *ClientSecretCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
- return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
-}
-
-func (c *ClientSecretCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- ar, err := c.client.AcquireTokenByCredential(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
- return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
+ return c.client.GetToken(ctx, opts)
}
var _ azcore.TokenCredential = (*ClientSecretCredential)(nil)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/confidential_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/confidential_client.go
new file mode 100644
index 00000000000..4853a9a0095
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/confidential_client.go
@@ -0,0 +1,156 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package azidentity
+
+import (
+ "context"
+ "errors"
+ "fmt"
+ "os"
+ "strings"
+ "sync"
+
+ "github.com/Azure/azure-sdk-for-go/sdk/azcore"
+ "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+ "github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
+ "github.com/Azure/azure-sdk-for-go/sdk/internal/log"
+ "github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential"
+)
+
+type confidentialClientOptions struct {
+ azcore.ClientOptions
+
+ AdditionallyAllowedTenants []string
+ // Assertion for on-behalf-of authentication
+ Assertion string
+ DisableInstanceDiscovery, SendX5C bool
+}
+
+// confidentialClient wraps the MSAL confidential client
+type confidentialClient struct {
+ cae, noCAE msalConfidentialClient
+ caeMu, noCAEMu, clientMu *sync.Mutex
+ clientID, tenantID string
+ cred confidential.Credential
+ host string
+ name string
+ opts confidentialClientOptions
+ region string
+}
+
+func newConfidentialClient(tenantID, clientID, name string, cred confidential.Credential, opts confidentialClientOptions) (*confidentialClient, error) {
+ if !validTenantID(tenantID) {
+ return nil, errInvalidTenantID
+ }
+ host, err := setAuthorityHost(opts.Cloud)
+ if err != nil {
+ return nil, err
+ }
+ opts.AdditionallyAllowedTenants = resolveAdditionalTenants(opts.AdditionallyAllowedTenants)
+ return &confidentialClient{
+ caeMu: &sync.Mutex{},
+ clientID: clientID,
+ clientMu: &sync.Mutex{},
+ cred: cred,
+ host: host,
+ name: name,
+ noCAEMu: &sync.Mutex{},
+ opts: opts,
+ region: os.Getenv(azureRegionalAuthorityName),
+ tenantID: tenantID,
+ }, nil
+}
+
+// GetToken requests an access token from MSAL, checking the cache first.
+func (c *confidentialClient) GetToken(ctx context.Context, tro policy.TokenRequestOptions) (azcore.AccessToken, error) {
+ if len(tro.Scopes) < 1 {
+ return azcore.AccessToken{}, fmt.Errorf("%s.GetToken() requires at least one scope", c.name)
+ }
+ // we don't resolve the tenant for managed identities because they acquire tokens only from their home tenants
+ if c.name != credNameManagedIdentity {
+ tenant, err := c.resolveTenant(tro.TenantID)
+ if err != nil {
+ return azcore.AccessToken{}, err
+ }
+ tro.TenantID = tenant
+ }
+ client, mu, err := c.client(ctx, tro)
+ if err != nil {
+ return azcore.AccessToken{}, err
+ }
+ mu.Lock()
+ defer mu.Unlock()
+ var ar confidential.AuthResult
+ if c.opts.Assertion != "" {
+ ar, err = client.AcquireTokenOnBehalfOf(ctx, c.opts.Assertion, tro.Scopes, confidential.WithClaims(tro.Claims), confidential.WithTenantID(tro.TenantID))
+ } else {
+ ar, err = client.AcquireTokenSilent(ctx, tro.Scopes, confidential.WithClaims(tro.Claims), confidential.WithTenantID(tro.TenantID))
+ if err != nil {
+ ar, err = client.AcquireTokenByCredential(ctx, tro.Scopes, confidential.WithClaims(tro.Claims), confidential.WithTenantID(tro.TenantID))
+ }
+ }
+ if err != nil {
+ // We could get a credentialUnavailableError from managed identity authentication because in that case the error comes from our code.
+ // We return it directly because it affects the behavior of credential chains. Otherwise, we return AuthenticationFailedError.
+ var unavailableErr *credentialUnavailableError
+ if !errors.As(err, &unavailableErr) {
+ res := getResponseFromError(err)
+ err = newAuthenticationFailedError(c.name, err.Error(), res, err)
+ }
+ } else {
+ msg := fmt.Sprintf("%s.GetToken() acquired a token for scope %q", c.name, strings.Join(ar.GrantedScopes, ", "))
+ log.Write(EventAuthentication, msg)
+ }
+ return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
+}
+
+func (c *confidentialClient) client(ctx context.Context, tro policy.TokenRequestOptions) (msalConfidentialClient, *sync.Mutex, error) {
+ c.clientMu.Lock()
+ defer c.clientMu.Unlock()
+ if tro.EnableCAE {
+ if c.cae == nil {
+ client, err := c.newMSALClient(true)
+ if err != nil {
+ return nil, nil, err
+ }
+ c.cae = client
+ }
+ return c.cae, c.caeMu, nil
+ }
+ if c.noCAE == nil {
+ client, err := c.newMSALClient(false)
+ if err != nil {
+ return nil, nil, err
+ }
+ c.noCAE = client
+ }
+ return c.noCAE, c.noCAEMu, nil
+}
+
+func (c *confidentialClient) newMSALClient(enableCAE bool) (msalConfidentialClient, error) {
+ authority := runtime.JoinPaths(c.host, c.tenantID)
+ o := []confidential.Option{
+ confidential.WithAzureRegion(c.region),
+ confidential.WithHTTPClient(newPipelineAdapter(&c.opts.ClientOptions)),
+ }
+ if enableCAE {
+ o = append(o, confidential.WithClientCapabilities(cp1))
+ }
+ if c.opts.SendX5C {
+ o = append(o, confidential.WithX5C())
+ }
+ if c.opts.DisableInstanceDiscovery || strings.ToLower(c.tenantID) == "adfs" {
+ o = append(o, confidential.WithInstanceDiscovery(false))
+ }
+ return confidential.New(authority, c.clientID, c.cred, o...)
+}
+
+// resolveTenant returns the correct tenant for a token request given the client's
+// configuration, or an error when that configuration doesn't allow the specified tenant
+func (c *confidentialClient) resolveTenant(specified string) (string, error) {
+ return resolveTenant(c.tenantID, specified, c.name, c.opts.AdditionallyAllowedTenants)
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/default_azure_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/default_azure_credential.go
index 1e3efdc97a9..7647c60b1cb 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/default_azure_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/default_azure_credential.go
@@ -21,6 +21,8 @@ import (
// DefaultAzureCredentialOptions contains optional parameters for DefaultAzureCredential.
// These options may not apply to all credentials in the chain.
type DefaultAzureCredentialOptions struct {
+ // ClientOptions has additional options for credentials that use an Azure SDK HTTP pipeline. These options don't apply
+ // to credential types that authenticate via external tools such as the Azure CLI.
azcore.ClientOptions
// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens. Add
@@ -32,8 +34,7 @@ type DefaultAzureCredentialOptions struct {
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
// the application responsible for ensuring the configured authority is valid and trustworthy.
DisableInstanceDiscovery bool
- // TenantID identifies the tenant the Azure CLI should authenticate in.
- // Defaults to the CLI's default tenant, which is typically the home tenant of the user logged in to the CLI.
+ // TenantID sets the default tenant for authentication via the Azure CLI and workload identity.
TenantID string
}
@@ -83,11 +84,11 @@ func NewDefaultAzureCredential(options *DefaultAzureCredentialOptions) (*Default
creds = append(creds, &defaultCredentialErrorReporter{credType: "EnvironmentCredential", err: err})
}
- // workload identity requires values for AZURE_AUTHORITY_HOST, AZURE_CLIENT_ID, AZURE_FEDERATED_TOKEN_FILE, AZURE_TENANT_ID
wic, err := NewWorkloadIdentityCredential(&WorkloadIdentityCredentialOptions{
AdditionallyAllowedTenants: additionalTenants,
ClientOptions: options.ClientOptions,
DisableInstanceDiscovery: options.DisableInstanceDiscovery,
+ TenantID: options.TenantID,
})
if err == nil {
creds = append(creds, wic)
@@ -95,6 +96,7 @@ func NewDefaultAzureCredential(options *DefaultAzureCredentialOptions) (*Default
errorMessages = append(errorMessages, credNameWorkloadIdentity+": "+err.Error())
creds = append(creds, &defaultCredentialErrorReporter{credType: credNameWorkloadIdentity, err: err})
}
+
o := &ManagedIdentityCredentialOptions{ClientOptions: options.ClientOptions}
if ID, ok := os.LookupEnv(azureClientID); ok {
o.ID = ClientID(ID)
@@ -115,9 +117,8 @@ func NewDefaultAzureCredential(options *DefaultAzureCredentialOptions) (*Default
creds = append(creds, &defaultCredentialErrorReporter{credType: credNameAzureCLI, err: err})
}
- err = defaultAzureCredentialConstructorErrorHandler(len(creds), errorMessages)
- if err != nil {
- return nil, err
+ if len(errorMessages) > 0 {
+ log.Writef(EventAuthentication, "NewDefaultAzureCredential failed to initialize some credentials:\n\t%s", strings.Join(errorMessages, "\n\t"))
}
chain, err := NewChainedTokenCredential(creds, nil)
@@ -135,20 +136,6 @@ func (c *DefaultAzureCredential) GetToken(ctx context.Context, opts policy.Token
var _ azcore.TokenCredential = (*DefaultAzureCredential)(nil)
-func defaultAzureCredentialConstructorErrorHandler(numberOfSuccessfulCredentials int, errorMessages []string) (err error) {
- errorMessage := strings.Join(errorMessages, "\n\t")
-
- if numberOfSuccessfulCredentials == 0 {
- return errors.New(errorMessage)
- }
-
- if len(errorMessages) != 0 {
- log.Writef(EventAuthentication, "NewDefaultAzureCredential failed to initialize some credentials:\n\t%s", errorMessage)
- }
-
- return nil
-}
-
// defaultCredentialErrorReporter is a substitute for credentials that couldn't be constructed.
// Its GetToken method always returns a credentialUnavailableError having the same message as
// the error that prevented constructing the credential. This ensures the message is present
@@ -185,7 +172,7 @@ func (w *timeoutWrapper) GetToken(ctx context.Context, opts policy.TokenRequestO
defer cancel()
tk, err = w.mic.GetToken(c, opts)
if isAuthFailedDueToContext(err) {
- err = newCredentialUnavailableError(credNameManagedIdentity, "managed identity timed out")
+ err = newCredentialUnavailableError(credNameManagedIdentity, "managed identity timed out. See https://aka.ms/azsdk/go/identity/troubleshoot#dac for more information")
} else {
// some managed identity implementation is available, so don't apply the timeout to future calls
w.timeout = 0
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/device_code_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/device_code_credential.go
index 108e83c43ae..d245c269a76 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/device_code_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/device_code_credential.go
@@ -12,7 +12,6 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
- "github.com/AzureAD/microsoft-authentication-library-for-go/apps/public"
)
const credNameDeviceCode = "DeviceCodeCredential"
@@ -74,10 +73,7 @@ type DeviceCodeMessage struct {
// If a web browser is available, InteractiveBrowserCredential is more convenient because it
// automatically opens a browser to the login page.
type DeviceCodeCredential struct {
- account public.Account
- client publicClient
- s *syncer
- prompt func(context.Context, DeviceCodeMessage) error
+ client *publicClient
}
// NewDeviceCodeCredential creates a DeviceCodeCredential. Pass nil to accept default options.
@@ -87,50 +83,24 @@ func NewDeviceCodeCredential(options *DeviceCodeCredentialOptions) (*DeviceCodeC
cp = *options
}
cp.init()
- c, err := getPublicClient(
- cp.ClientID, cp.TenantID, &cp.ClientOptions, public.WithInstanceDiscovery(!cp.DisableInstanceDiscovery),
- )
+ msalOpts := publicClientOptions{
+ AdditionallyAllowedTenants: cp.AdditionallyAllowedTenants,
+ ClientOptions: cp.ClientOptions,
+ DeviceCodePrompt: cp.UserPrompt,
+ DisableInstanceDiscovery: cp.DisableInstanceDiscovery,
+ }
+ c, err := newPublicClient(cp.TenantID, cp.ClientID, credNameDeviceCode, msalOpts)
if err != nil {
return nil, err
}
- cred := DeviceCodeCredential{client: c, prompt: cp.UserPrompt}
- cred.s = newSyncer(credNameDeviceCode, cp.TenantID, cp.AdditionallyAllowedTenants, cred.requestToken, cred.silentAuth)
- return &cred, nil
+ c.name = credNameDeviceCode
+ return &DeviceCodeCredential{client: c}, nil
}
// GetToken requests an access token from Azure Active Directory. It will begin the device code flow and poll until the user completes authentication.
// This method is called automatically by Azure SDK clients.
func (c *DeviceCodeCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- return c.s.GetToken(ctx, opts)
-}
-
-func (c *DeviceCodeCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- dc, err := c.client.AcquireTokenByDeviceCode(ctx, opts.Scopes, public.WithTenantID(opts.TenantID))
- if err != nil {
- return azcore.AccessToken{}, err
- }
- err = c.prompt(ctx, DeviceCodeMessage{
- Message: dc.Result.Message,
- UserCode: dc.Result.UserCode,
- VerificationURL: dc.Result.VerificationURL,
- })
- if err != nil {
- return azcore.AccessToken{}, err
- }
- ar, err := dc.AuthenticationResult(ctx)
- if err != nil {
- return azcore.AccessToken{}, err
- }
- c.account = ar.Account
- return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
-}
-
-func (c *DeviceCodeCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes,
- public.WithSilentAccount(c.account),
- public.WithTenantID(opts.TenantID),
- )
- return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
+ return c.client.GetToken(ctx, opts)
}
var _ azcore.TokenCredential = (*DeviceCodeCredential)(nil)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go
index 86d8976a4b2..e1a21e0030a 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go
@@ -11,9 +11,9 @@ import (
"encoding/json"
"errors"
"fmt"
- "io"
"net/http"
+ "github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
"github.com/Azure/azure-sdk-for-go/sdk/internal/errorinfo"
msal "github.com/AzureAD/microsoft-authentication-library-for-go/apps/errors"
)
@@ -57,17 +57,16 @@ func (e *AuthenticationFailedError) Error() string {
fmt.Fprintln(msg, "--------------------------------------------------------------------------------")
fmt.Fprintf(msg, "RESPONSE %s\n", e.RawResponse.Status)
fmt.Fprintln(msg, "--------------------------------------------------------------------------------")
- body, err := io.ReadAll(e.RawResponse.Body)
- e.RawResponse.Body.Close()
- if err != nil {
+ body, err := runtime.Payload(e.RawResponse)
+ switch {
+ case err != nil:
fmt.Fprintf(msg, "Error reading response body: %v", err)
- } else if len(body) > 0 {
- e.RawResponse.Body = io.NopCloser(bytes.NewReader(body))
+ case len(body) > 0:
if err := json.Indent(msg, body, "", " "); err != nil {
// failed to pretty-print so just dump it verbatim
fmt.Fprint(msg, string(body))
}
- } else {
+ default:
fmt.Fprint(msg, "Response contained no body")
}
fmt.Fprintln(msg, "\n--------------------------------------------------------------------------------")
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/interactive_browser_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/interactive_browser_credential.go
index 4868d22c3e1..08f3efbf3ec 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/interactive_browser_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/interactive_browser_credential.go
@@ -11,7 +11,6 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
- "github.com/AzureAD/microsoft-authentication-library-for-go/apps/public"
)
const credNameBrowser = "InteractiveBrowserCredential"
@@ -56,10 +55,7 @@ func (o *InteractiveBrowserCredentialOptions) init() {
// InteractiveBrowserCredential opens a browser to interactively authenticate a user.
type InteractiveBrowserCredential struct {
- account public.Account
- client publicClient
- options InteractiveBrowserCredentialOptions
- s *syncer
+ client *publicClient
}
// NewInteractiveBrowserCredential constructs a new InteractiveBrowserCredential. Pass nil to accept default options.
@@ -69,38 +65,22 @@ func NewInteractiveBrowserCredential(options *InteractiveBrowserCredentialOption
cp = *options
}
cp.init()
- c, err := getPublicClient(cp.ClientID, cp.TenantID, &cp.ClientOptions, public.WithInstanceDiscovery(!cp.DisableInstanceDiscovery))
+ msalOpts := publicClientOptions{
+ ClientOptions: cp.ClientOptions,
+ DisableInstanceDiscovery: cp.DisableInstanceDiscovery,
+ LoginHint: cp.LoginHint,
+ RedirectURL: cp.RedirectURL,
+ }
+ c, err := newPublicClient(cp.TenantID, cp.ClientID, credNameBrowser, msalOpts)
if err != nil {
return nil, err
}
- ibc := InteractiveBrowserCredential{client: c, options: cp}
- ibc.s = newSyncer(credNameBrowser, cp.TenantID, cp.AdditionallyAllowedTenants, ibc.requestToken, ibc.silentAuth)
- return &ibc, nil
+ return &InteractiveBrowserCredential{client: c}, nil
}
// GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
func (c *InteractiveBrowserCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- return c.s.GetToken(ctx, opts)
-}
-
-func (c *InteractiveBrowserCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- ar, err := c.client.AcquireTokenInteractive(ctx, opts.Scopes,
- public.WithLoginHint(c.options.LoginHint),
- public.WithRedirectURI(c.options.RedirectURL),
- public.WithTenantID(opts.TenantID),
- )
- if err == nil {
- c.account = ar.Account
- }
- return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
-}
-
-func (c *InteractiveBrowserCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes,
- public.WithSilentAccount(c.account),
- public.WithTenantID(opts.TenantID),
- )
- return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
+ return c.client.GetToken(ctx, opts)
}
var _ azcore.TokenCredential = (*InteractiveBrowserCredential)(nil)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_client.go
index d7b4a32a544..fdc3c1f6776 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_client.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_client.go
@@ -84,13 +84,15 @@ func setIMDSRetryOptionDefaults(o *policy.RetryOptions) {
}
if o.StatusCodes == nil {
o.StatusCodes = []int{
- // IMDS docs recommend retrying 404, 429 and all 5xx
- // https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#error-handling
+ // IMDS docs recommend retrying 404, 410, 429 and 5xx
+ // https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#error-handling
http.StatusNotFound, // 404
+ http.StatusGone, // 410
http.StatusTooManyRequests, // 429
http.StatusInternalServerError, // 500
http.StatusNotImplemented, // 501
http.StatusBadGateway, // 502
+ http.StatusServiceUnavailable, // 503
http.StatusGatewayTimeout, // 504
http.StatusHTTPVersionNotSupported, // 505
http.StatusVariantAlsoNegotiates, // 506
@@ -175,11 +177,25 @@ func (c *managedIdentityClient) authenticate(ctx context.Context, id ManagedIDKi
return c.createAccessToken(resp)
}
- if c.msiType == msiTypeIMDS && resp.StatusCode == 400 {
- if id != nil {
- return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "the requested identity isn't assigned to this resource", resp, nil)
+ if c.msiType == msiTypeIMDS {
+ switch resp.StatusCode {
+ case http.StatusBadRequest:
+ if id != nil {
+ return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "the requested identity isn't assigned to this resource", resp, nil)
+ }
+ msg := "failed to authenticate a system assigned identity"
+ if body, err := runtime.Payload(resp); err == nil && len(body) > 0 {
+ msg += fmt.Sprintf(". The endpoint responded with %s", body)
+ }
+ return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, msg)
+ case http.StatusForbidden:
+ // Docker Desktop runs a proxy that responds 403 to IMDS token requests. If we get that response,
+ // we return credentialUnavailableError so credential chains continue to their next credential
+ body, err := runtime.Payload(resp)
+ if err == nil && strings.Contains(string(body), "A socket operation was attempted to an unreachable network") {
+ return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, fmt.Sprintf("unexpected response %q", string(body)))
+ }
}
- return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, "no default identity is assigned to this resource")
}
return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "authentication failed", resp, nil)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_credential.go
index c6710ae52ae..35c5e6725cd 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_credential.go
@@ -8,7 +8,6 @@ package azidentity
import (
"context"
- "errors"
"fmt"
"strings"
@@ -71,9 +70,8 @@ type ManagedIdentityCredentialOptions struct {
// user-assigned identity. See Azure Active Directory documentation for more information about managed identities:
// https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview
type ManagedIdentityCredential struct {
- client confidentialClient
+ client *confidentialClient
mic *managedIdentityClient
- s *syncer
}
// NewManagedIdentityCredential creates a ManagedIdentityCredential. Pass nil to accept default options.
@@ -93,35 +91,23 @@ func NewManagedIdentityCredential(options *ManagedIdentityCredentialOptions) (*M
if options.ID != nil {
clientID = options.ID.String()
}
- // similarly, it's okay to give MSAL an incorrect authority URL because that URL won't be used
- c, err := confidential.New("https://login.microsoftonline.com/common", clientID, cred)
+ // similarly, it's okay to give MSAL an incorrect tenant because MSAL won't use the value
+ c, err := newConfidentialClient("common", clientID, credNameManagedIdentity, cred, confidentialClientOptions{})
if err != nil {
return nil, err
}
- m := ManagedIdentityCredential{client: c, mic: mic}
- m.s = newSyncer(credNameManagedIdentity, "", nil, m.requestToken, m.silentAuth)
- return &m, nil
+ return &ManagedIdentityCredential{client: c, mic: mic}, nil
}
// GetToken requests an access token from the hosting environment. This method is called automatically by Azure SDK clients.
func (c *ManagedIdentityCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
if len(opts.Scopes) != 1 {
- err := errors.New(credNameManagedIdentity + ": GetToken() requires exactly one scope")
+ err := fmt.Errorf("%s.GetToken() requires exactly one scope", credNameManagedIdentity)
return azcore.AccessToken{}, err
}
// managed identity endpoints require an AADv1 resource (i.e. token audience), not a v2 scope, so we remove "/.default" here
opts.Scopes = []string{strings.TrimSuffix(opts.Scopes[0], defaultSuffix)}
- return c.s.GetToken(ctx, opts)
-}
-
-func (c *ManagedIdentityCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- ar, err := c.client.AcquireTokenByCredential(ctx, opts.Scopes)
- return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
-}
-
-func (c *ManagedIdentityCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes)
- return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
+ return c.client.GetToken(ctx, opts)
}
var _ azcore.TokenCredential = (*ManagedIdentityCredential)(nil)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/on_behalf_of_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/on_behalf_of_credential.go
index 3e173f47d26..2b360b681df 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/on_behalf_of_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/on_behalf_of_credential.go
@@ -25,9 +25,7 @@ const credNameOBO = "OnBehalfOfCredential"
//
// [Azure Active Directory documentation]: https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
type OnBehalfOfCredential struct {
- assertion string
- client confidentialClient
- s *syncer
+ client *confidentialClient
}
// OnBehalfOfCredentialOptions contains optional parameters for OnBehalfOfCredential
@@ -72,28 +70,23 @@ func newOnBehalfOfCredential(tenantID, clientID, userAssertion string, cred conf
if options == nil {
options = &OnBehalfOfCredentialOptions{}
}
- opts := []confidential.Option{}
- if options.SendCertificateChain {
- opts = append(opts, confidential.WithX5C())
+ opts := confidentialClientOptions{
+ AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
+ Assertion: userAssertion,
+ ClientOptions: options.ClientOptions,
+ DisableInstanceDiscovery: options.DisableInstanceDiscovery,
+ SendX5C: options.SendCertificateChain,
}
- opts = append(opts, confidential.WithInstanceDiscovery(!options.DisableInstanceDiscovery))
- c, err := getConfidentialClient(clientID, tenantID, cred, &options.ClientOptions, opts...)
+ c, err := newConfidentialClient(tenantID, clientID, credNameOBO, cred, opts)
if err != nil {
return nil, err
}
- obo := OnBehalfOfCredential{assertion: userAssertion, client: c}
- obo.s = newSyncer(credNameOBO, tenantID, options.AdditionallyAllowedTenants, obo.requestToken, obo.requestToken)
- return &obo, nil
+ return &OnBehalfOfCredential{c}, nil
}
// GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
func (o *OnBehalfOfCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- return o.s.GetToken(ctx, opts)
-}
-
-func (o *OnBehalfOfCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- ar, err := o.client.AcquireTokenOnBehalfOf(ctx, o.assertion, opts.Scopes, confidential.WithTenantID(opts.TenantID))
- return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
+ return o.client.GetToken(ctx, opts)
}
var _ azcore.TokenCredential = (*OnBehalfOfCredential)(nil)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/public_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/public_client.go
new file mode 100644
index 00000000000..6512d3e25fd
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/public_client.go
@@ -0,0 +1,178 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package azidentity
+
+import (
+ "context"
+ "fmt"
+ "strings"
+ "sync"
+
+ "github.com/Azure/azure-sdk-for-go/sdk/azcore"
+ "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+ "github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
+ "github.com/Azure/azure-sdk-for-go/sdk/internal/log"
+ "github.com/AzureAD/microsoft-authentication-library-for-go/apps/public"
+)
+
+type publicClientOptions struct {
+ azcore.ClientOptions
+
+ AdditionallyAllowedTenants []string
+ DeviceCodePrompt func(context.Context, DeviceCodeMessage) error
+ DisableInstanceDiscovery bool
+ LoginHint, RedirectURL string
+ Username, Password string
+}
+
+// publicClient wraps the MSAL public client
+type publicClient struct {
+ account public.Account
+ cae, noCAE msalPublicClient
+ caeMu, noCAEMu, clientMu *sync.Mutex
+ clientID, tenantID string
+ host string
+ name string
+ opts publicClientOptions
+}
+
+func newPublicClient(tenantID, clientID, name string, o publicClientOptions) (*publicClient, error) {
+ if !validTenantID(tenantID) {
+ return nil, errInvalidTenantID
+ }
+ host, err := setAuthorityHost(o.Cloud)
+ if err != nil {
+ return nil, err
+ }
+ o.AdditionallyAllowedTenants = resolveAdditionalTenants(o.AdditionallyAllowedTenants)
+ return &publicClient{
+ caeMu: &sync.Mutex{},
+ clientID: clientID,
+ clientMu: &sync.Mutex{},
+ host: host,
+ name: name,
+ noCAEMu: &sync.Mutex{},
+ opts: o,
+ tenantID: tenantID,
+ }, nil
+}
+
+// GetToken requests an access token from MSAL, checking the cache first.
+func (p *publicClient) GetToken(ctx context.Context, tro policy.TokenRequestOptions) (azcore.AccessToken, error) {
+ if len(tro.Scopes) < 1 {
+ return azcore.AccessToken{}, fmt.Errorf("%s.GetToken() requires at least one scope", p.name)
+ }
+ tenant, err := p.resolveTenant(tro.TenantID)
+ if err != nil {
+ return azcore.AccessToken{}, err
+ }
+ client, mu, err := p.client(tro)
+ if err != nil {
+ return azcore.AccessToken{}, err
+ }
+ mu.Lock()
+ defer mu.Unlock()
+ ar, err := client.AcquireTokenSilent(ctx, tro.Scopes, public.WithSilentAccount(p.account), public.WithClaims(tro.Claims), public.WithTenantID(tenant))
+ if err == nil {
+ return p.token(ar, err)
+ }
+ at, err := p.reqToken(ctx, client, tro)
+ if err == nil {
+ msg := fmt.Sprintf("%s.GetToken() acquired a token for scope %q", p.name, strings.Join(ar.GrantedScopes, ", "))
+ log.Write(EventAuthentication, msg)
+ }
+ return at, err
+}
+
+// reqToken requests a token from the MSAL public client. It's separate from GetToken() to enable Authenticate() to bypass the cache.
+func (p *publicClient) reqToken(ctx context.Context, c msalPublicClient, tro policy.TokenRequestOptions) (azcore.AccessToken, error) {
+ tenant, err := p.resolveTenant(tro.TenantID)
+ if err != nil {
+ return azcore.AccessToken{}, err
+ }
+ var ar public.AuthResult
+ switch p.name {
+ case credNameBrowser:
+ ar, err = c.AcquireTokenInteractive(ctx, tro.Scopes,
+ public.WithClaims(tro.Claims),
+ public.WithLoginHint(p.opts.LoginHint),
+ public.WithRedirectURI(p.opts.RedirectURL),
+ public.WithTenantID(tenant),
+ )
+ case credNameDeviceCode:
+ dc, e := c.AcquireTokenByDeviceCode(ctx, tro.Scopes, public.WithClaims(tro.Claims), public.WithTenantID(tenant))
+ if e != nil {
+ return azcore.AccessToken{}, e
+ }
+ err = p.opts.DeviceCodePrompt(ctx, DeviceCodeMessage{
+ Message: dc.Result.Message,
+ UserCode: dc.Result.UserCode,
+ VerificationURL: dc.Result.VerificationURL,
+ })
+ if err == nil {
+ ar, err = dc.AuthenticationResult(ctx)
+ }
+ case credNameUserPassword:
+ ar, err = c.AcquireTokenByUsernamePassword(ctx, tro.Scopes, p.opts.Username, p.opts.Password, public.WithClaims(tro.Claims), public.WithTenantID(tenant))
+ default:
+ return azcore.AccessToken{}, fmt.Errorf("unknown credential %q", p.name)
+ }
+ return p.token(ar, err)
+}
+
+func (p *publicClient) client(tro policy.TokenRequestOptions) (msalPublicClient, *sync.Mutex, error) {
+ p.clientMu.Lock()
+ defer p.clientMu.Unlock()
+ if tro.EnableCAE {
+ if p.cae == nil {
+ client, err := p.newMSALClient(true)
+ if err != nil {
+ return nil, nil, err
+ }
+ p.cae = client
+ }
+ return p.cae, p.caeMu, nil
+ }
+ if p.noCAE == nil {
+ client, err := p.newMSALClient(false)
+ if err != nil {
+ return nil, nil, err
+ }
+ p.noCAE = client
+ }
+ return p.noCAE, p.noCAEMu, nil
+}
+
+func (p *publicClient) newMSALClient(enableCAE bool) (msalPublicClient, error) {
+ o := []public.Option{
+ public.WithAuthority(runtime.JoinPaths(p.host, p.tenantID)),
+ public.WithHTTPClient(newPipelineAdapter(&p.opts.ClientOptions)),
+ }
+ if enableCAE {
+ o = append(o, public.WithClientCapabilities(cp1))
+ }
+ if p.opts.DisableInstanceDiscovery || strings.ToLower(p.tenantID) == "adfs" {
+ o = append(o, public.WithInstanceDiscovery(false))
+ }
+ return public.New(p.clientID, o...)
+}
+
+func (p *publicClient) token(ar public.AuthResult, err error) (azcore.AccessToken, error) {
+ if err == nil {
+ p.account = ar.Account
+ } else {
+ res := getResponseFromError(err)
+ err = newAuthenticationFailedError(p.name, err.Error(), res, err)
+ }
+ return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
+}
+
+// resolveTenant returns the correct tenant for a token request given the client's
+// configuration, or an error when that configuration doesn't allow the specified tenant
+func (p *publicClient) resolveTenant(specified string) (string, error) {
+ return resolveTenant(p.tenantID, specified, p.name, p.opts.AdditionallyAllowedTenants)
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/syncer.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/syncer.go
deleted file mode 100644
index ae38555994b..00000000000
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/syncer.go
+++ /dev/null
@@ -1,130 +0,0 @@
-//go:build go1.18
-// +build go1.18
-
-// Copyright (c) Microsoft Corporation. All rights reserved.
-// Licensed under the MIT License.
-
-package azidentity
-
-import (
- "context"
- "errors"
- "fmt"
- "strings"
- "sync"
-
- "github.com/Azure/azure-sdk-for-go/sdk/azcore"
- "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
- "github.com/Azure/azure-sdk-for-go/sdk/internal/log"
-)
-
-type authFn func(context.Context, policy.TokenRequestOptions) (azcore.AccessToken, error)
-
-// syncer synchronizes authentication calls so that goroutines can share a credential instance
-type syncer struct {
- addlTenants []string
- authing bool
- cond *sync.Cond
- reqToken, silent authFn
- name, tenant string
-}
-
-func newSyncer(name, tenant string, additionalTenants []string, reqToken, silentAuth authFn) *syncer {
- return &syncer{
- addlTenants: resolveAdditionalTenants(additionalTenants),
- cond: &sync.Cond{L: &sync.Mutex{}},
- name: name,
- reqToken: reqToken,
- silent: silentAuth,
- tenant: tenant,
- }
-}
-
-// GetToken ensures that only one goroutine authenticates at a time
-func (s *syncer) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- var at azcore.AccessToken
- var err error
- if len(opts.Scopes) == 0 {
- return at, errors.New(s.name + ".GetToken() requires at least one scope")
- }
- // we don't resolve the tenant for managed identities because they can acquire tokens only from their home tenants
- if s.name != credNameManagedIdentity {
- tenant, err := s.resolveTenant(opts.TenantID)
- if err != nil {
- return at, err
- }
- opts.TenantID = tenant
- }
- auth := false
- s.cond.L.Lock()
- defer s.cond.L.Unlock()
- for {
- at, err = s.silent(ctx, opts)
- if err == nil {
- // got a token
- break
- }
- if !s.authing {
- // this goroutine will request a token
- s.authing, auth = true, true
- break
- }
- // another goroutine is acquiring a token; wait for it to finish, then try silent auth again
- s.cond.Wait()
- }
- if auth {
- s.authing = false
- at, err = s.reqToken(ctx, opts)
- s.cond.Broadcast()
- }
- if err != nil {
- // Return credentialUnavailableError directly because that type affects the behavior of credential chains.
- // Otherwise, return AuthenticationFailedError.
- var unavailableErr *credentialUnavailableError
- if !errors.As(err, &unavailableErr) {
- res := getResponseFromError(err)
- err = newAuthenticationFailedError(s.name, err.Error(), res, err)
- }
- } else if log.Should(EventAuthentication) {
- scope := strings.Join(opts.Scopes, ", ")
- msg := fmt.Sprintf(`%s.GetToken() acquired a token for scope "%s"\n`, s.name, scope)
- log.Write(EventAuthentication, msg)
- }
- return at, err
-}
-
-// resolveTenant returns the correct tenant for a token request given the credential's
-// configuration, or an error when the specified tenant isn't allowed by that configuration
-func (s *syncer) resolveTenant(requested string) (string, error) {
- if requested == "" || requested == s.tenant {
- return s.tenant, nil
- }
- if s.tenant == "adfs" {
- return "", errors.New("ADFS doesn't support tenants")
- }
- if !validTenantID(requested) {
- return "", errors.New(tenantIDValidationErr)
- }
- for _, t := range s.addlTenants {
- if t == "*" || t == requested {
- return requested, nil
- }
- }
- return "", fmt.Errorf(`%s isn't configured to acquire tokens for tenant %q. To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add "*" to allow acquiring tokens for any tenant`, s.name, requested)
-}
-
-// resolveAdditionalTenants returns a copy of tenants, simplified when tenants contains a wildcard
-func resolveAdditionalTenants(tenants []string) []string {
- if len(tenants) == 0 {
- return nil
- }
- for _, t := range tenants {
- // a wildcard makes all other values redundant
- if t == "*" {
- return []string{"*"}
- }
- }
- cp := make([]string, len(tenants))
- copy(cp, tenants)
- return cp
-}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/test-resources-pre.ps1 b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/test-resources-pre.ps1
new file mode 100644
index 00000000000..fe0183addeb
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/test-resources-pre.ps1
@@ -0,0 +1,36 @@
+[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
+param (
+ # Captures any arguments from eng/New-TestResources.ps1 not declared here (no parameter errors).
+ [Parameter(ValueFromRemainingArguments = $true)]
+ $RemainingArguments
+)
+
+if (!$CI) {
+ # TODO: Remove this once auto-cloud config downloads are supported locally
+ Write-Host "Skipping cert setup in local testing mode"
+ return
+}
+
+if ($EnvironmentVariables -eq $null -or $EnvironmentVariables.Count -eq 0) {
+ throw "EnvironmentVariables must be set in the calling script New-TestResources.ps1"
+}
+
+$tmp = $env:TEMP ? $env:TEMP : [System.IO.Path]::GetTempPath()
+$pfxPath = Join-Path $tmp "test.pfx"
+$pemPath = Join-Path $tmp "test.pem"
+$sniPath = Join-Path $tmp "testsni.pfx"
+
+Write-Host "Creating identity test files: $pfxPath $pemPath $sniPath"
+
+[System.Convert]::FromBase64String($EnvironmentVariables['PFX_CONTENTS']) | Set-Content -Path $pfxPath -AsByteStream
+Set-Content -Path $pemPath -Value $EnvironmentVariables['PEM_CONTENTS']
+[System.Convert]::FromBase64String($EnvironmentVariables['SNI_CONTENTS']) | Set-Content -Path $sniPath -AsByteStream
+
+# Set for pipeline
+Write-Host "##vso[task.setvariable variable=IDENTITY_SP_CERT_PFX;]$pfxPath"
+Write-Host "##vso[task.setvariable variable=IDENTITY_SP_CERT_PEM;]$pemPath"
+Write-Host "##vso[task.setvariable variable=IDENTITY_SP_CERT_SNI;]$sniPath"
+# Set for local
+$env:IDENTITY_SP_CERT_PFX = $pfxPath
+$env:IDENTITY_SP_CERT_PEM = $pemPath
+$env:IDENTITY_SP_CERT_SNI = $sniPath
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/test-resources.bicep b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/test-resources.bicep
new file mode 100644
index 00000000000..b3490d3b50a
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/test-resources.bicep
@@ -0,0 +1 @@
+param baseName string
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/username_password_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/username_password_credential.go
index 8e652e33ff6..f787ec0ce18 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/username_password_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/username_password_credential.go
@@ -11,7 +11,6 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
- "github.com/AzureAD/microsoft-authentication-library-for-go/apps/public"
)
const credNameUserPassword = "UsernamePasswordCredential"
@@ -36,10 +35,7 @@ type UsernamePasswordCredentialOptions struct {
// with any form of multi-factor authentication, and the application must already have user or admin consent.
// This credential can only authenticate work and school accounts; it can't authenticate Microsoft accounts.
type UsernamePasswordCredential struct {
- account public.Account
- client publicClient
- password, username string
- s *syncer
+ client *publicClient
}
// NewUsernamePasswordCredential creates a UsernamePasswordCredential. clientID is the ID of the application the user
@@ -48,34 +44,23 @@ func NewUsernamePasswordCredential(tenantID string, clientID string, username st
if options == nil {
options = &UsernamePasswordCredentialOptions{}
}
- c, err := getPublicClient(clientID, tenantID, &options.ClientOptions, public.WithInstanceDiscovery(!options.DisableInstanceDiscovery))
+ opts := publicClientOptions{
+ AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
+ ClientOptions: options.ClientOptions,
+ DisableInstanceDiscovery: options.DisableInstanceDiscovery,
+ Password: password,
+ Username: username,
+ }
+ c, err := newPublicClient(tenantID, clientID, credNameUserPassword, opts)
if err != nil {
return nil, err
}
- upc := UsernamePasswordCredential{client: c, password: password, username: username}
- upc.s = newSyncer(credNameUserPassword, tenantID, options.AdditionallyAllowedTenants, upc.requestToken, upc.silentAuth)
- return &upc, nil
+ return &UsernamePasswordCredential{client: c}, err
}
// GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
func (c *UsernamePasswordCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- return c.s.GetToken(ctx, opts)
-}
-
-func (c *UsernamePasswordCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- ar, err := c.client.AcquireTokenByUsernamePassword(ctx, opts.Scopes, c.username, c.password, public.WithTenantID(opts.TenantID))
- if err == nil {
- c.account = ar.Account
- }
- return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
-}
-
-func (c *UsernamePasswordCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
- ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes,
- public.WithSilentAccount(c.account),
- public.WithTenantID(opts.TenantID),
- )
- return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
+ return c.client.GetToken(ctx, opts)
}
var _ azcore.TokenCredential = (*UsernamePasswordCredential)(nil)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
index 38a1f420b58..65e74e31e3b 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
@@ -11,5 +11,5 @@ const (
component = "azidentity"
// Version is the semantic version (see http://semver.org) of this module.
- version = "v1.3.1"
+ version = "v1.4.0"
)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/workload_identity.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/workload_identity.go
index 7bfb3436760..7e016324d22 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/workload_identity.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/workload_identity.go
@@ -47,7 +47,7 @@ type WorkloadIdentityCredentialOptions struct {
DisableInstanceDiscovery bool
// TenantID of the service principal. Defaults to the value of the environment variable AZURE_TENANT_ID.
TenantID string
- // TokenFilePath is the path a file containing the workload identity token. Defaults to the value of the
+ // TokenFilePath is the path of a file containing a Kubernetes service account token. Defaults to the value of the
// environment variable AZURE_FEDERATED_TOKEN_FILE.
TokenFilePath string
}
@@ -88,7 +88,7 @@ func NewWorkloadIdentityCredential(options *WorkloadIdentityCredentialOptions) (
return nil, err
}
// we want "WorkloadIdentityCredential" in log messages, not "ClientAssertionCredential"
- cred.s.name = credNameWorkloadIdentity
+ cred.client.name = credNameWorkloadIdentity
w.cred = cred
return &w, nil
}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 6cabdbeb538..631c4bdea1e 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -76,7 +76,7 @@ github.com/Azure/azure-sdk-for-go/services/eventhub/mgmt/2017-04-01/eventhub
github.com/Azure/azure-sdk-for-go/services/keyvault/v7.0/keyvault
github.com/Azure/azure-sdk-for-go/services/preview/monitor/mgmt/2018-03-01/insights
github.com/Azure/azure-sdk-for-go/version
-# github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.2
+# github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0
## explicit; go 1.18
github.com/Azure/azure-sdk-for-go/sdk/azcore
github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud
@@ -94,7 +94,7 @@ github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime
github.com/Azure/azure-sdk-for-go/sdk/azcore/streaming
github.com/Azure/azure-sdk-for-go/sdk/azcore/to
github.com/Azure/azure-sdk-for-go/sdk/azcore/tracing
-# github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1
+# github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0
## explicit; go 1.18
github.com/Azure/azure-sdk-for-go/sdk/azidentity
# github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0