

Merge pull request #99 from grafana/andreas/update-builder
Update credentials builder for user-auth service credentials
aangelisc authored Feb 26, 2024
2 parents 3dc3da5 + 329f4ab commit c281aad
Showing 2 changed files with 131 additions and 1 deletion.
21 changes: 20 additions & 1 deletion azcredentials/builder.go
Expand Up @@ -24,7 +24,26 @@ func getFromCredentialsObject(credentialsObj map[string]interface{}, secureData

switch authType {
case AzureAuthCurrentUserIdentity:
credentials := &AadCurrentUserCredentials{}
serviceCredentialsEnabled, err := maputil.GetBoolOptional(credentialsObj, "serviceCredentialsEnabled")
if err != nil {
return nil, err
}

var fallbackCredentials AzureCredentials
if serviceCredentialsEnabled {
creds, err := maputil.GetMapOptional(credentialsObj, "serviceCredentials")
if err != nil {
return nil, err
}
fallbackCredentials, err = getFromCredentialsObject(creds, secureData)
if err != nil {
return nil, err
}
}
credentials := &AadCurrentUserCredentials{
ServiceCredentialsEnabled: serviceCredentialsEnabled,
ServiceCredentials: fallbackCredentials,
}
return credentials, nil

case AzureAuthManagedIdentity:
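Review bot: The recursive call on the `fallbackCredentials, err = getFromCredentialsObject(creds, secureData)` line accepts any authType for the nested serviceCredentials object, including currentuser itself, so a payload whose serviceCredentials is `{"authType": "currentuser", "serviceCredentialsEnabled": true, ...}` produces an AadCurrentUserCredentials whose fallback is another current-user credential rather than a service principal; the depth is bounded by the input, but the result is never a usable fallback and nothing reports it. After the error check on the recursive call, reject that shape explicitly: `if _, nested := fallbackCredentials.(*AadCurrentUserCredentials); nested { return nil, errors.New("service credentials cannot use current user identity") }` (or the error constructor this file already uses). Separately, when serviceCredentialsEnabled is true but the serviceCredentials key is absent, `creds` is presumably an empty map and the outcome is decided by the default branch of getFromCredentialsObject outside this hunk; a direct error such as `service credentials are enabled but not configured` would be clearer than whatever that branch reports for a missing authType. getFromCredentialsObject starts before this hunk and continues after it.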
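--- a/azcredentials/builder_test.go
+++ b/azcredentials/builder_test.go
@@ -34,6 +34,117 @@ func TestFromDatasourceData(t *testing.T) {
 assert.IsType(t, &AadCurrentUserCredentials{}, result)
 })
 
+t.Run("should return current user credentials with service credentials (client secret)", func(t *testing.T) {
+var data = map[string]interface{}{
+"azureCredentials": map[string]interface{}{
+"authType": "currentuser",
+"serviceCredentialsEnabled": true,
+"serviceCredentials": map[string]interface{}{
+"authType": "clientsecret",
+"azureCloud": "AzureCloud",
+"tenantId": "TENANT-ID",
+"clientId": "CLIENT-ID",
+},
+},
+}
+var secureData = map[string]string{
+"azureClientSecret": "FAKE-SECRET",
+}
+
+result, err := FromDatasourceData(data, secureData)
+require.NoError(t, err)
+
+require.NotNil(t, result)
+assert.IsType(t, &AadCurrentUserCredentials{}, result)
+
+credential := result.(*AadCurrentUserCredentials)
+serviceCredential := credential.ServiceCredentials
+
+assert.Equal(t, credential.ServiceCredentialsEnabled, true)
+assert.NotNil(t, credential.ServiceCredentials)
+assert.IsType(t, &AzureClientSecretCredentials{}, serviceCredential)
+assert.Equal(t, serviceCredential.(*AzureClientSecretCredentials).ClientId, "CLIENT-ID")
+assert.Equal(t, serviceCredential.(*AzureClientSecretCredentials).TenantId, "TENANT-ID")
+assert.Equal(t, serviceCredential.(*AzureClientSecretCredentials).ClientSecret, "FAKE-SECRET")
+assert.Equal(t, serviceCredential.(*AzureClientSecretCredentials).AzureCloud, "AzureCloud")
+})
+
+t.Run("should return current user credentials with service credentials (workload identity)", func(t *testing.T) {
+var data = map[string]interface{}{
+"azureCredentials": map[string]interface{}{
+"authType": "currentuser",
+"serviceCredentialsEnabled": true,
+"serviceCredentials": map[string]interface{}{
+"authType": "workloadidentity",
+},
+},
+}
+var secureData = map[string]string{}
+
+result, err := FromDatasourceData(data, secureData)
+require.NoError(t, err)
+
+require.NotNil(t, result)
+assert.IsType(t, &AadCurrentUserCredentials{}, result)
+
+credential := result.(*AadCurrentUserCredentials)
+serviceCredential := credential.ServiceCredentials
+
+assert.Equal(t, credential.ServiceCredentialsEnabled, true)
+assert.NotNil(t, credential.ServiceCredentials)
+assert.IsType(t, &AzureWorkloadIdentityCredentials{}, serviceCredential)
+})
+
+t.Run("should return current user credentials with service credentials (managed identity)", func(t *testing.T) {
+var data = map[string]interface{}{
+"azureCredentials": map[string]interface{}{
+"authType": "currentuser",
+"serviceCredentialsEnabled": true,
+"serviceCredentials": map[string]interface{}{
+"authType": "msi",
+},
+},
+}
+var secureData = map[string]string{}
+
+result, err := FromDatasourceData(data, secureData)
+require.NoError(t, err)
+
+require.NotNil(t, result)
+assert.IsType(t, &AadCurrentUserCredentials{}, result)
+
+credential := result.(*AadCurrentUserCredentials)
+serviceCredential := credential.ServiceCredentials
+
+assert.Equal(t, credential.ServiceCredentialsEnabled, true)
+assert.NotNil(t, credential.ServiceCredentials)
+assert.IsType(t, &AzureManagedIdentityCredentials{}, serviceCredential)
+})
+
+t.Run("should return current user credentials without service credentials if disabled", func(t *testing.T) {
+var data = map[string]interface{}{
+"azureCredentials": map[string]interface{}{
+"authType": "currentuser",
+"serviceCredentialsEnabled": false,
+"serviceCredentials": map[string]interface{}{
+"authType": "msi",
+},
+},
+}
+var secureData = map[string]string{}
+
+result, err := FromDatasourceData(data, secureData)
+require.NoError(t, err)
+
+require.NotNil(t, result)
+assert.IsType(t, &AadCurrentUserCredentials{}, result)
+
+credential := result.(*AadCurrentUserCredentials)
+
+assert.Equal(t, credential.ServiceCredentialsEnabled, false)
+assert.Nil(t, credential.ServiceCredentials)
+})
+
 t.Run("should return managed identity credentials when managed identity auth configured", func(t *testing.T) {
 var data = map[string]interface{}{
 "azureCredentials": map[string]interface{}{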
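Review bot: None of the four new subtests covers the failure paths of the new builder branch — serviceCredentialsEnabled set to true with no serviceCredentials object, and a serviceCredentials object whose authType is itself "currentuser" — so a regression in how the builder rejects or tolerates those inputs would go unnoticed; a subtest per case that builds the map and asserts `require.Error(t, err)` (or pins whatever the builder returns today) would close that gap. As a point of style, the assertions at `assert.Equal(t, credential.ServiceCredentialsEnabled, true)` and the four `assert.Equal(t, serviceCredential.(*AzureClientSecretCredentials).ClientId, "CLIENT-ID")` lines pass actual before expected, which makes testify's failure output read backwards; `assert.True(t, credential.ServiceCredentialsEnabled)` and `assert.Equal(t, "CLIENT-ID", serviceCredential.(*AzureClientSecretCredentials).ClientId)` are the conventional forms. TestFromDatasourceData starts before this hunk and continues after it.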
