Merge pull request #12 from microsoft/feature/cae

CAE support

CHANGELOG.md

@@ -11,6 +11,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
+## [0.3.0] - 2022-05-18
+
+### Added
+
+- Added preliminary work to support continuous access evaluation.
+
 ## [0.2.1] - 2022-04-19
 
 ### Changed

azure_identity_access_token_provider.go

@@ -2,6 +2,7 @@ package microsoft_kiota_authentication_azure
 
 import (
 	"context"
+	"encoding/base64"
 	"errors"
 	"strings"
 
@@ -54,16 +55,34 @@ func NewAzureIdentityAccessTokenProviderWithScopesAndValidHosts(credential azcor
 	return result, nil
 }
 
+const claimsKey = "claims"
+
 // GetAuthorizationToken returns the access token for the provided url.
-func (p *AzureIdentityAccessTokenProvider) GetAuthorizationToken(url *u.URL) (string, error) {
+func (p *AzureIdentityAccessTokenProvider) GetAuthorizationToken(url *u.URL, additionalAuthenticationContext map[string]interface{}) (string, error) {
 	if !(*(p.allowedHostsValidator)).IsUrlHostValid(url) {
 		return "", nil
 	}
 	if !strings.EqualFold(url.Scheme, "https") {
 		return "", errors.New("url scheme must be https")
 	}
+
+	claims := ""
+
+	if additionalAuthenticationContext != nil &&
+		additionalAuthenticationContext[claimsKey] != nil {
+		if rawClaims, ok := additionalAuthenticationContext[claimsKey].(string); ok {
+			decodedClaims, err := base64.StdEncoding.DecodeString(rawClaims)
+			if err != nil {
+				return "", err
+			}
+			claims = string(decodedClaims)
+			return "", errors.New("received a claim for CAE but azure identity doesn't support claims: " + claims + " https://github.com/Azure/azure-sdk-for-go/issues/14284")
+		}
+	}
+
 	options := azpolicy.TokenRequestOptions{
 		Scopes: p.scopes,
+		//TODO pass the claims once the API is updated to support it https://github.com/Azure/azure-sdk-for-go/issues/14284
 	}
 	token, err := p.credential.GetToken(context.Background(), options)
 	if err != nil {

azure_identity_access_token_provider_test.go

@@ -2,19 +2,20 @@ package microsoft_kiota_authentication_azure
 
 import (
 	"context"
+	u "net/url"
+	"testing"
+
 	azcore "github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	policy "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	assert "github.com/stretchr/testify/assert"
-	u "net/url"
-	"testing"
 )
 
 type MockTokenCredential struct {
 	TokenValue string
 }
 
-func (m *MockTokenCredential) GetToken(ctx context.Context, options policy.TokenRequestOptions) (*azcore.AccessToken, error) {
-	return &azcore.AccessToken{
+func (m *MockTokenCredential) GetToken(ctx context.Context, options policy.TokenRequestOptions) (azcore.AccessToken, error) {
+	return azcore.AccessToken{
 		Token: m.TokenValue,
 	}, nil
 }
@@ -24,7 +25,7 @@ func TestAddsTokenOnValidHost(t *testing.T) {
 	assert.Nil(t, err)
 	assert.NotNil(t, provider)
 
-	token, err := provider.GetAuthorizationToken(&u.URL{Host: "graph.microsoft.com", Scheme: "https"})
+	token, err := provider.GetAuthorizationToken(&u.URL{Host: "graph.microsoft.com", Scheme: "https"}, nil)
 	assert.Nil(t, err)
 	assert.Equal(t, "token", token)
 }
@@ -37,7 +38,7 @@ func TestAddsTokenOnValidHostFromParse(t *testing.T) {
 	url, err := u.Parse("https://graph.microsoft.com")
 	assert.Nil(t, err)
 
-	token, err := provider.GetAuthorizationToken(url)
+	token, err := provider.GetAuthorizationToken(url, nil)
 	assert.Nil(t, err)
 	assert.Equal(t, "token", token)
 }
@@ -47,7 +48,7 @@ func TestDoesntAddTokenOnDifferentHost(t *testing.T) {
 	assert.Nil(t, err)
 	assert.NotNil(t, provider)
 
-	token, err := provider.GetAuthorizationToken(&u.URL{Host: "differenthost.com"})
+	token, err := provider.GetAuthorizationToken(&u.URL{Host: "differenthost.com"}, nil)
 	assert.Nil(t, err)
 	assert.Empty(t, token)
 }
@@ -57,7 +58,22 @@ func TestDoesntAddTokenOnHttp(t *testing.T) {
 	assert.Nil(t, err)
 	assert.NotNil(t, provider)
 
-	token, err := provider.GetAuthorizationToken(&u.URL{Host: "differenthost.com", Scheme: "http"})
+	token, err := provider.GetAuthorizationToken(&u.URL{Host: "differenthost.com", Scheme: "http"}, nil)
 	assert.Nil(t, err)
 	assert.Empty(t, token)
 }
+
+func TestAddsClaimsToTokenRequest(t *testing.T) {
+	provider, err := NewAzureIdentityAccessTokenProvider(&MockTokenCredential{TokenValue: "token"})
+	assert.Nil(t, err)
+	assert.NotNil(t, provider)
+
+	url, err := u.Parse("https://graph.microsoft.com")
+	assert.Nil(t, err)
+
+	additionalContext := make(map[string]interface{})
+	additionalContext["claims"] = "eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwgInZhbHVlIjoiMTY1MjgxMzUwOCJ9fX0="
+	token, err := provider.GetAuthorizationToken(url, additionalContext)
+	assert.NotNil(t, err) //TODO update when azure identity has added the field
+	assert.Empty(t, token)
+}

go.mod

@@ -4,7 +4,7 @@ go 1.18
 
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.0.0
-	github.com/microsoft/kiota-abstractions-go v0.6.0
+	github.com/microsoft/kiota-abstractions-go v0.7.0
 	github.com/stretchr/testify v1.7.1
 )
 

go.sum

@@ -10,6 +10,8 @@ github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/microsoft/kiota-abstractions-go v0.6.0 h1:e/mJM8+xidaTxOvuVLdY0uB/3GFHxyZB43vhjmxAuME=
 github.com/microsoft/kiota-abstractions-go v0.6.0/go.mod h1:fL1Ni2uXdlRPGicO4Ut0aOLmkpunYuAAJwRBLgDhzw4=
+github.com/microsoft/kiota-abstractions-go v0.7.0 h1:/yPcUaiTOUvq4stz8qrPi9UWljnCGBcksRYS2BZpUBk=
+github.com/microsoft/kiota-abstractions-go v0.7.0/go.mod h1:fL1Ni2uXdlRPGicO4Ut0aOLmkpunYuAAJwRBLgDhzw4=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=