diff --git a/go.mod b/go.mod index 78853690fd0..9f8779af4a2 100644 --- a/go.mod +++ b/go.mod @@ -8,7 +8,7 @@ require ( cloud.google.com/go/storage v1.57.1 github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 - github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0 + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.3 github.com/aws/aws-sdk-go v1.55.8 github.com/bshuster-repo/logrus-logstash-hook v1.0.0 @@ -65,7 +65,7 @@ require ( cloud.google.com/go/compute/metadata v0.8.0 // indirect cloud.google.com/go/iam v1.5.2 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect - github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/cenkalti/backoff/v4 v4.2.1 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect diff --git a/go.sum b/go.sum index 6c4a1b13348..9194088196d 100644 --- a/go.sum +++ b/go.sum @@ -24,8 +24,8 @@ github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8af github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 h1:JXg2dwJUmPB9JmtVmdEB16APJ7jurfbY5jnfXpJoRMc= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0/go.mod h1:YD5h/ldMsG0XiIw7PdyNhLxaM317eFh5yNLccNfGdyw= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0 h1:KpMC6LFL7mqpExyMC9jVOYRiVhLmamjeZfRsUpB7l4s= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0/go.mod h1:J7MUC/wtRpfGVbQ5sIItY5/FuVWmvzlY21WAOfQnq/I= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 h1:Hk5QBxZQC1jb2Fwj6mpzme37xbCDdNTxU7O9eb5+LB4= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1/go.mod h1:IYus9qsFobWIc2YVwe/WPjcnyCkPKtnHAqUYeebc8z0= github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY= github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8= github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA= @@ -36,8 +36,8 @@ github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.3 h1:ZJJNFaQ86GVKQ9ehw github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.3/go.mod h1:URuDvhmATVKqHBH9/0nOiNKk0+YcwfQ3WkK5PqHKxc8= github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM= github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE= -github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 h1:XkkQbfMyuH2jTSjQjSoihryI8GINRcs4xp8lNawg0FI= -github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk= +github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 h1:XRzhVemXdgvJqCH0sFfrBUTnUJSBrBf7++ypk+twtRs= +github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk= github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0 h1:ErKg/3iS1AKcTkf3yixlZ54f9U1rljCkQyEXWUnIUxc= github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0/go.mod h1:yAZHSGnqScoU556rBOVkwLze6WP5N+U11RHuWaGVxwY= github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0 h1:owcC2UnmsZycprQ5RfRgjydWhuoxg71LUfyiQdijZuM= diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md index 217d279fd4f..4a6349e1678 100644 --- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md +++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md @@ -1,5 +1,11 @@ # Release History +## 1.13.1 (2025-11-10) + +### Bugs Fixed + +- `AzureCLICredential` quoted arguments incorrectly on Windows + ## 1.13.0 (2025-10-07) ### Features Added diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util.go index e2ca8bced2c..cb7dbe2e4b8 100644 --- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util.go +++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util.go @@ -12,7 +12,6 @@ import ( "errors" "os" "os/exec" - "runtime" "strings" "time" ) @@ -30,17 +29,9 @@ var shellExec = func(ctx context.Context, credName, command string) ([]byte, err ctx, cancel = context.WithTimeout(ctx, cliTimeout) defer cancel() } - var cmd *exec.Cmd - if runtime.GOOS == "windows" { - dir := os.Getenv("SYSTEMROOT") - if dir == "" { - return nil, newCredentialUnavailableError(credName, `environment variable "SYSTEMROOT" has no value`) - } - cmd = exec.CommandContext(ctx, "cmd.exe", "/c", command) - cmd.Dir = dir - } else { - cmd = exec.CommandContext(ctx, "/bin/sh", "-c", command) - cmd.Dir = "/bin" + cmd, err := buildCmd(ctx, credName, command) + if err != nil { + return nil, err } cmd.Env = os.Environ() stderr := bytes.Buffer{} diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util_nonwindows.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util_nonwindows.go new file mode 100644 index 00000000000..681fcd0cf9f --- /dev/null +++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util_nonwindows.go @@ -0,0 +1,17 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. + +//go:build !windows + +package azidentity + +import ( + "context" + "os/exec" +) + +func buildCmd(ctx context.Context, _, command string) (*exec.Cmd, error) { + cmd := exec.CommandContext(ctx, "/bin/sh", "-c", command) + cmd.Dir = "/bin" + return cmd, nil +} diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util_windows.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util_windows.go new file mode 100644 index 00000000000..09c7a1a977c --- /dev/null +++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util_windows.go @@ -0,0 +1,22 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. + +package azidentity + +import ( + "context" + "os" + "os/exec" + "syscall" +) + +func buildCmd(ctx context.Context, credName, command string) (*exec.Cmd, error) { + dir := os.Getenv("SYSTEMROOT") + if dir == "" { + return nil, newCredentialUnavailableError(credName, `environment variable "SYSTEMROOT" has no value`) + } + cmd := exec.CommandContext(ctx, "cmd.exe") + cmd.Dir = dir + cmd.SysProcAttr = &syscall.SysProcAttr{CmdLine: "/c " + command} + return cmd, nil +} diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go index bb8bddb16ea..041f11658df 100644 --- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go +++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go @@ -14,5 +14,5 @@ const ( module = "github.com/Azure/azure-sdk-for-go/sdk/" + component // Version is the semantic version (see http://semver.org) of this module. - version = "v1.13.0" + version = "v1.13.1" ) diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential/confidential.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential/confidential.go index 549d68ab991..29c004320d6 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential/confidential.go +++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential/confidential.go @@ -596,6 +596,11 @@ func (cca Client) AcquireTokenSilent(ctx context.Context, scopes []string, opts return AuthResult{}, errors.New("call another AcquireToken method to request a new token having these claims") } + // For service principal scenarios, require WithSilentAccount for public API + if o.account.IsZero() { + return AuthResult{}, errors.New("WithSilentAccount option is required") + } + silentParameters := base.AcquireTokenSilentParameters{ Scopes: scopes, Account: o.account, @@ -604,8 +609,15 @@ func (cca Client) AcquireTokenSilent(ctx context.Context, scopes []string, opts IsAppCache: o.account.IsZero(), TenantID: o.tenantID, AuthnScheme: o.authnScheme, + Claims: o.claims, } + return cca.acquireTokenSilentInternal(ctx, silentParameters) +} + +// acquireTokenSilentInternal is the internal implementation shared by AcquireTokenSilent and AcquireTokenByCredential +func (cca Client) acquireTokenSilentInternal(ctx context.Context, silentParameters base.AcquireTokenSilentParameters) (AuthResult, error) { + return cca.base.AcquireTokenSilent(ctx, silentParameters) } @@ -708,8 +720,10 @@ func (cca Client) AcquireTokenByAuthCode(ctx context.Context, code string, redir // acquireTokenByCredentialOptions contains optional configuration for AcquireTokenByCredential type acquireTokenByCredentialOptions struct { - claims, tenantID string - authnScheme AuthenticationScheme + claims, tenantID string + authnScheme AuthenticationScheme + extraBodyParameters map[string]string + cacheKeyComponents map[string]string } // AcquireByCredentialOption is implemented by options for AcquireTokenByCredential @@ -719,7 +733,7 @@ type AcquireByCredentialOption interface { // AcquireTokenByCredential acquires a security token from the authority, using the client credentials grant. // -// Options: [WithClaims], [WithTenantID] +// Options: [WithClaims], [WithTenantID], [WithFMIPath], [WithAttribute] func (cca Client) AcquireTokenByCredential(ctx context.Context, scopes []string, opts ...AcquireByCredentialOption) (AuthResult, error) { o := acquireTokenByCredentialOptions{} err := options.ApplyOptions(&o, opts) @@ -736,6 +750,29 @@ func (cca Client) AcquireTokenByCredential(ctx context.Context, scopes []string, if o.authnScheme != nil { authParams.AuthnScheme = o.authnScheme } + authParams.ExtraBodyParameters = o.extraBodyParameters + authParams.CacheKeyComponents = o.cacheKeyComponents + if o.claims == "" { + silentParameters := base.AcquireTokenSilentParameters{ + Scopes: scopes, + Account: Account{}, // empty account for app token + RequestType: accesstokens.ATConfidential, + Credential: cca.cred, + IsAppCache: true, + TenantID: o.tenantID, + AuthnScheme: o.authnScheme, + Claims: o.claims, + ExtraBodyParameters: o.extraBodyParameters, + CacheKeyComponents: o.cacheKeyComponents, + } + + // Use internal method with empty account (service principal scenario) + cache, err := cca.acquireTokenSilentInternal(ctx, silentParameters) + if err == nil { + return cache, nil + } + } + token, err := cca.base.Token.Credential(ctx, authParams, cca.cred) if err != nil { return AuthResult{}, err @@ -781,3 +818,63 @@ func (cca Client) Account(ctx context.Context, accountID string) (Account, error func (cca Client) RemoveAccount(ctx context.Context, account Account) error { return cca.base.RemoveAccount(ctx, account) } + +// WithFMIPath specifies the path to a federated managed identity. +// The path should point to a valid FMI configuration file that contains the necessary +// identity information for authentication. +func WithFMIPath(path string) interface { + AcquireByCredentialOption + options.CallOption +} { + return struct { + AcquireByCredentialOption + options.CallOption + }{ + CallOption: options.NewCallOption( + func(a any) error { + switch t := a.(type) { + case *acquireTokenByCredentialOptions: + if t.extraBodyParameters == nil { + t.extraBodyParameters = make(map[string]string) + } + if t.cacheKeyComponents == nil { + t.cacheKeyComponents = make(map[string]string) + } + t.cacheKeyComponents["fmi_path"] = path + t.extraBodyParameters["fmi_path"] = path + default: + return fmt.Errorf("unexpected options type %T", a) + } + return nil + }, + ), + } +} + +// WithAttribute specifies an identity attribute to include in the token request. +// The attribute is sent as "attributes" in the request body and returned as "xmc_attr" +// in the access token claims. This is sometimes used withFMIPath +func WithAttribute(attrValue string) interface { + AcquireByCredentialOption + options.CallOption +} { + return struct { + AcquireByCredentialOption + options.CallOption + }{ + CallOption: options.NewCallOption( + func(a any) error { + switch t := a.(type) { + case *acquireTokenByCredentialOptions: + if t.extraBodyParameters == nil { + t.extraBodyParameters = make(map[string]string) + } + t.extraBodyParameters["attributes"] = attrValue + default: + return fmt.Errorf("unexpected options type %T", a) + } + return nil + }, + ), + } +} diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go index 61c1c4cec1e..abf54f7e509 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go +++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go @@ -46,16 +46,18 @@ type accountManager interface { // AcquireTokenSilentParameters contains the parameters to acquire a token silently (from cache). type AcquireTokenSilentParameters struct { - Scopes []string - Account shared.Account - RequestType accesstokens.AppType - Credential *accesstokens.Credential - IsAppCache bool - TenantID string - UserAssertion string - AuthorizationType authority.AuthorizeType - Claims string - AuthnScheme authority.AuthenticationScheme + Scopes []string + Account shared.Account + RequestType accesstokens.AppType + Credential *accesstokens.Credential + IsAppCache bool + TenantID string + UserAssertion string + AuthorizationType authority.AuthorizeType + Claims string + AuthnScheme authority.AuthenticationScheme + ExtraBodyParameters map[string]string + CacheKeyComponents map[string]string } // AcquireTokenAuthCodeParameters contains the parameters required to acquire an access token using the auth code flow. @@ -327,7 +329,12 @@ func (b Client) AcquireTokenSilent(ctx context.Context, silent AcquireTokenSilen if silent.AuthnScheme != nil { authParams.AuthnScheme = silent.AuthnScheme } - + if silent.CacheKeyComponents != nil { + authParams.CacheKeyComponents = silent.CacheKeyComponents + } + if silent.ExtraBodyParameters != nil { + authParams.ExtraBodyParameters = silent.ExtraBodyParameters + } m := b.pmanager if authParams.AuthorizationType != authority.ATOnBehalfOf { authParams.AuthorizationType = authority.ATRefreshToken @@ -367,8 +374,19 @@ func (b Client) AcquireTokenSilent(ctx context.Context, silent AcquireTokenSilen // If the token is not same, we don't need to refresh it. // Which means it refreshed. if str, err := m.Read(ctx, authParams); err == nil && str.AccessToken.Secret == ar.AccessToken { - if tr, er := b.Token.Credential(ctx, authParams, silent.Credential); er == nil { - return b.AuthResultFromToken(ctx, authParams, tr) + switch silent.RequestType { + case accesstokens.ATConfidential: + if tr, er := b.Token.Credential(ctx, authParams, silent.Credential); er == nil { + return b.AuthResultFromToken(ctx, authParams, tr) + } + case accesstokens.ATPublic: + token, err := b.Token.Refresh(ctx, silent.RequestType, authParams, silent.Credential, storageTokenResponse.RefreshToken) + if err != nil { + return ar, err + } + return b.AuthResultFromToken(ctx, authParams, token) + case accesstokens.ATUnknown: + return ar, errors.New("silent request type cannot be ATUnknown") } } } @@ -446,6 +464,9 @@ func (b Client) AcquireTokenOnBehalfOf(ctx context.Context, onBehalfOfParams Acq authParams.Claims = onBehalfOfParams.Claims authParams.Scopes = onBehalfOfParams.Scopes authParams.UserAssertion = onBehalfOfParams.UserAssertion + if authParams.ExtraBodyParameters != nil { + authParams.ExtraBodyParameters = silentParameters.ExtraBodyParameters + } token, err := b.Token.OnBehalfOf(ctx, authParams, onBehalfOfParams.Credential) if err == nil { ar, err = b.AuthResultFromToken(ctx, authParams, token) diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/items.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/items.go index 7379e2233c8..b7d1a670b1e 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/items.go +++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/items.go @@ -79,6 +79,7 @@ type AccessToken struct { UserAssertionHash string `json:"user_assertion_hash,omitempty"` TokenType string `json:"token_type,omitempty"` AuthnSchemeKeyID string `json:"keyid,omitempty"` + ExtCacheKey string `json:"ext_cache_key,omitempty"` AdditionalFields map[string]interface{} } @@ -105,15 +106,21 @@ func NewAccessToken(homeID, env, realm, clientID string, cachedAt, refreshOn, ex // Key outputs the key that can be used to uniquely look up this entry in a map. func (a AccessToken) Key() string { ks := []string{a.HomeAccountID, a.Environment, a.CredentialType, a.ClientID, a.Realm, a.Scopes} - key := strings.Join( - ks, - shared.CacheKeySeparator, - ) + // add token type to key for new access tokens types. skip for bearer token type to // preserve fwd and back compat between a common cache and msal clients if !strings.EqualFold(a.TokenType, authority.AccessTokenTypeBearer) { - key = strings.Join([]string{key, a.TokenType}, shared.CacheKeySeparator) + ks = append(ks, a.TokenType) } + // add extra body param hash to key if present + if a.ExtCacheKey != "" { + ks[2] = "atext" // if the there is extra cache we add "atext" to the key replacing accesstoken + ks = append(ks, a.ExtCacheKey) + } + key := strings.Join( + ks, + shared.CacheKeySeparator, + ) return strings.ToLower(key) } diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/storage.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/storage.go index 84a234967ff..825d8a0f660 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/storage.go +++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/storage.go @@ -135,7 +135,8 @@ func (m *Manager) Read(ctx context.Context, authParameters authority.AuthParams) aliases = metadata.Aliases } - accessToken := m.readAccessToken(homeAccountID, aliases, realm, clientID, scopes, tokenType, authnSchemeKeyID) + accessToken := m.readAccessToken(homeAccountID, aliases, realm, clientID, scopes, tokenType, authnSchemeKeyID, authParameters.CacheExtKeyGenerator()) + tr.AccessToken = accessToken if homeAccountID == "" { @@ -203,6 +204,7 @@ func (m *Manager) Write(authParameters authority.AuthParams, tokenResponse acces authnSchemeKeyID, ) + accessToken.ExtCacheKey = authParameters.CacheExtKeyGenerator() // Since we have a valid access token, cache it before moving on. if err := accessToken.Validate(); err == nil { if err := m.writeAccessToken(accessToken); err != nil { @@ -291,26 +293,49 @@ func (m *Manager) aadMetadata(ctx context.Context, authorityInfo authority.Info) return m.aadCache[authorityInfo.Host], nil } -func (m *Manager) readAccessToken(homeID string, envAliases []string, realm, clientID string, scopes []string, tokenType, authnSchemeKeyID string) AccessToken { +func (m *Manager) readAccessToken(homeID string, envAliases []string, realm, clientID string, scopes []string, tokenType, authnSchemeKeyID, extCacheKey string) AccessToken { m.contractMu.RLock() - // TODO: linear search (over a map no less) is slow for a large number (thousands) of tokens. - // this shows up as the dominating node in a profile. for real-world scenarios this likely isn't - // an issue, however if it does become a problem then we know where to look. - for k, at := range m.contract.AccessTokens { + + tokensToSearch := m.contract.AccessTokens + + for k, at := range tokensToSearch { + // TODO: linear search (over a map no less) is slow for a large number (thousands) of tokens. + // this shows up as the dominating node in a profile. for real-world scenarios this likely isn't + // an issue, however if it does become a problem then we know where to look. if at.HomeAccountID == homeID && at.Realm == realm && at.ClientID == clientID { - if (strings.EqualFold(at.TokenType, tokenType) && at.AuthnSchemeKeyID == authnSchemeKeyID) || (at.TokenType == "" && (tokenType == "" || tokenType == "Bearer")) { - if checkAlias(at.Environment, envAliases) && isMatchingScopes(scopes, at.Scopes) { - m.contractMu.RUnlock() - if needsUpgrade(k) { - m.contractMu.Lock() - defer m.contractMu.Unlock() - at = upgrade(m.contract.AccessTokens, k) + // Match token type and authentication scheme + tokenTypeMatch := (strings.EqualFold(at.TokenType, tokenType) && at.AuthnSchemeKeyID == authnSchemeKeyID) || + (at.TokenType == "" && (tokenType == "" || tokenType == "Bearer")) + environmentAndScopesMatch := checkAlias(at.Environment, envAliases) && isMatchingScopes(scopes, at.Scopes) + + if tokenTypeMatch && environmentAndScopesMatch { + // For hashed tokens, check that the key contains the hash + if extCacheKey != "" { + if !strings.Contains(k, extCacheKey) { + continue // Skip this token if the key doesn't contain the hash + } + } else { + // If no extCacheKey is provided, only match tokens that also have no extCacheKey + if at.ExtCacheKey != "" { + continue // Skip tokens that require a hash when no hash is provided } + } + // Handle token upgrade if needed + if needsUpgrade(k) { + m.contractMu.RUnlock() + m.contractMu.Lock() + at = upgrade(tokensToSearch, k) + m.contractMu.Unlock() return at } + + m.contractMu.RUnlock() + return at } } } + + // No token found, unlock and return empty token m.contractMu.RUnlock() return AccessToken{} } diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/accesstokens/accesstokens.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/accesstokens/accesstokens.go index d738c7591ee..481f9e43411 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/accesstokens/accesstokens.go +++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/accesstokens/accesstokens.go @@ -281,6 +281,9 @@ func (c Client) FromClientSecret(ctx context.Context, authParameters authority.A qv.Set(clientID, authParameters.ClientID) addScopeQueryParam(qv, authParameters) + // Add extra body parameters if provided + addExtraBodyParameters(ctx, qv, authParameters) + return c.doTokenResp(ctx, authParameters, qv) } @@ -296,6 +299,9 @@ func (c Client) FromAssertion(ctx context.Context, authParameters authority.Auth qv.Set(clientInfo, clientInfoVal) addScopeQueryParam(qv, authParameters) + // Add extra body parameters if provided + addExtraBodyParameters(ctx, qv, authParameters) + return c.doTokenResp(ctx, authParameters, qv) } @@ -329,6 +335,8 @@ func (c Client) FromUserAssertionClientCertificate(ctx context.Context, authPara qv.Set("requested_token_use", "on_behalf_of") addScopeQueryParam(qv, authParameters) + // Add extra body parameters if provided + addExtraBodyParameters(ctx, qv, authParameters) return c.doTokenResp(ctx, authParameters, qv) } @@ -466,3 +474,12 @@ func addScopeQueryParam(queryParams url.Values, authParameters authority.AuthPar scopes := AppendDefaultScopes(authParameters) queryParams.Set("scope", strings.Join(scopes, " ")) } + +// addExtraBodyParameters evaluates and adds extra body parameters to the request +func addExtraBodyParameters(ctx context.Context, v url.Values, ap authority.AuthParams) { + for key, value := range ap.ExtraBodyParameters { + if value != "" { + v.Set(key, value) + } + } +} diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authority.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authority.go index 3f403746404..debd465dbad 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authority.go +++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authority.go @@ -15,6 +15,7 @@ import ( "net/url" "os" "path" + "sort" "strings" "time" @@ -47,6 +48,8 @@ type jsonCaller interface { } // For backward compatibility, accept both old and new China endpoints for a transition period. +// This list is derived from the AAD instance discovery metadata and represents all known trusted hosts +// across different Azure clouds (Public, China, Germany, US Government, etc.) var aadTrustedHostList = map[string]bool{ "login.windows.net": true, // Microsoft Azure Worldwide - Used in validation scenarios where host is not this list "login.partner.microsoftonline.cn": true, // Microsoft Azure China (new) @@ -55,6 +58,9 @@ var aadTrustedHostList = map[string]bool{ "login-us.microsoftonline.com": true, // Microsoft Azure US Government - Legacy "login.microsoftonline.us": true, // Microsoft Azure US Government "login.microsoftonline.com": true, // Microsoft Azure Worldwide + "login.microsoft.com": true, + "sts.windows.net": true, + "login.usgovcloudapi.net": true, } // TrustedHost checks if an AAD host is trusted/valid. @@ -103,36 +109,46 @@ func (r *TenantDiscoveryResponse) Validate() error { // ValidateIssuerMatchesAuthority validates that the issuer in the TenantDiscoveryResponse matches the authority. // This is used to identity security or configuration issues in authorities and the OIDC endpoint func (r *TenantDiscoveryResponse) ValidateIssuerMatchesAuthority(authorityURI string, aliases map[string]bool) error { - if authorityURI == "" { return errors.New("TenantDiscoveryResponse: empty authorityURI provided for validation") } + if r.Issuer == "" { + return errors.New("TenantDiscoveryResponse: empty issuer in response") + } - // Parse the issuer URL issuerURL, err := url.Parse(r.Issuer) if err != nil { return fmt.Errorf("TenantDiscoveryResponse: failed to parse issuer URL: %w", err) } + authorityURL, err := url.Parse(authorityURI) + if err != nil { + return fmt.Errorf("TenantDiscoveryResponse: failed to parse authority URL: %w", err) + } + + // Fast path: exact scheme + host match + if issuerURL.Scheme == authorityURL.Scheme && issuerURL.Host == authorityURL.Host { + return nil + } - // Even if it doesn't match the authority, issuers from known and trusted hosts are valid + // Alias-based acceptance if aliases != nil && aliases[issuerURL.Host] { return nil } - // Parse the authority URL for comparison - authorityURL, err := url.Parse(authorityURI) - if err != nil { - return fmt.Errorf("TenantDiscoveryResponse: failed to parse authority URL: %w", err) + issuerHost := issuerURL.Host + authorityHost := authorityURL.Host + + // Accept if issuer host is trusted + if TrustedHost(issuerHost) { + return nil } - // Check if the scheme and host match (paths can be ignored when validating the issuer) - if issuerURL.Scheme == authorityURL.Scheme && issuerURL.Host == authorityURL.Host { + // Accept if authority is a regional variant ending with "." + if strings.HasSuffix(authorityHost, "."+issuerHost) { return nil } - // If we get here, validation failed - return fmt.Errorf("TenantDiscoveryResponse: issuer from OIDC discovery '%s' does not match authority '%s' or a known pattern", - r.Issuer, authorityURI) + return fmt.Errorf("TenantDiscoveryResponse: issuer '%s' does not match authority '%s' or any trusted/alias rule", r.Issuer, authorityURI) } type InstanceDiscoveryMetadata struct { @@ -256,6 +272,12 @@ type AuthParams struct { DomainHint string // AuthnScheme is an optional scheme for formatting access tokens AuthnScheme AuthenticationScheme + // ExtraBodyParameters are additional parameters to include in token requests. + // The functions are evaluated at request time to get the parameter values. + // These parameters are also included in the cache key. + ExtraBodyParameters map[string]string + // CacheKeyComponents are additional components to include in the cache key. + CacheKeyComponents map[string]string } // NewAuthParams creates an authorization parameters object. @@ -642,8 +664,42 @@ func (a *AuthParams) AssertionHash() string { } func (a *AuthParams) AppKey() string { + baseKey := a.ClientID + "_" if a.AuthorityInfo.Tenant != "" { - return fmt.Sprintf("%s_%s_AppTokenCache", a.ClientID, a.AuthorityInfo.Tenant) + baseKey += a.AuthorityInfo.Tenant + } + + // Include extra body parameters in the cache key + paramHash := a.CacheExtKeyGenerator() + if paramHash != "" { + baseKey = fmt.Sprintf("%s_%s", baseKey, paramHash) + } + + return baseKey + "_AppTokenCache" +} + +// CacheExtKeyGenerator computes a hash of the Cache key components key and values +// to include in the cache key. This ensures tokens acquired with different +// parameters are cached separately. +func (a *AuthParams) CacheExtKeyGenerator() string { + if len(a.CacheKeyComponents) == 0 { + return "" + } + + // Sort keys to ensure consistent hashing + keys := make([]string, 0, len(a.CacheKeyComponents)) + for k := range a.CacheKeyComponents { + keys = append(keys, k) } - return fmt.Sprintf("%s__AppTokenCache", a.ClientID) + sort.Strings(keys) + + // Create a string by concatenating key+value pairs + keyStr := "" + for _, key := range keys { + // Append key followed by its value with no separator + keyStr += key + a.CacheKeyComponents[key] + } + + hash := sha256.Sum256([]byte(keyStr)) + return strings.ToLower(base64.RawURLEncoding.EncodeToString(hash[:])) } diff --git a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go index 7beed26174e..797c086cb87 100644 --- a/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go +++ b/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go @@ -368,9 +368,9 @@ type AcquireByUsernamePasswordOption interface { acquireByUsernamePasswordOption() } -// AcquireTokenByUsernamePassword acquires a security token from the authority, via Username/Password Authentication. -// NOTE: this flow is NOT recommended. +// Deprecated: This API will be removed in a future release. Use a more secure flow instead. Follow this migration guide: https://aka.ms/msal-ropc-migration // +// AcquireTokenByUsernamePassword acquires a security token from the authority, via Username/Password Authentication. // Options: [WithClaims], [WithTenantID] func (pca Client) AcquireTokenByUsernamePassword(ctx context.Context, scopes []string, username, password string, opts ...AcquireByUsernamePasswordOption) (AuthResult, error) { o := acquireTokenByUsernamePasswordOptions{} diff --git a/vendor/modules.txt b/vendor/modules.txt index aeb8848ef92..f3bfc470ba2 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -71,7 +71,7 @@ github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime github.com/Azure/azure-sdk-for-go/sdk/azcore/streaming github.com/Azure/azure-sdk-for-go/sdk/azcore/to github.com/Azure/azure-sdk-for-go/sdk/azcore/tracing -# github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0 +# github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 ## explicit; go 1.23.0 github.com/Azure/azure-sdk-for-go/sdk/azidentity github.com/Azure/azure-sdk-for-go/sdk/azidentity/internal @@ -99,7 +99,7 @@ github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/internal/shared github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/pageblob github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/sas github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/service -# github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 +# github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 ## explicit; go 1.18 github.com/AzureAD/microsoft-authentication-library-for-go/apps/cache github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential