Use ADAL for multitenant auth or when requested. #1566

pulumi · Aug 24, 2022 · 0c8a108 · 0c8a108
1 parent ccbe54a
commit 0c8a108
Show file tree

Hide file tree

Showing 2 changed files with 117 additions and 20 deletions.
diff --git a/provider/pkg/provider/provider.go b/provider/pkg/provider/provider.go
@@ -82,6 +82,8 @@ type azureNativeProvider struct {
 	converter       *resources.SdkShapeConverter
 	customResources map[string]*resources.CustomResource
 	rgLocationMap   map[string]string
+	adalTokenClient tokenGetter
+	msalTokenClient tokenGetter
 }
 
 func makeProvider(host *provider.HostClient, name, version string, schemaBytes []byte, schemaString string,
@@ -103,15 +105,17 @@ func makeProvider(host *provider.HostClient, name, version string, schemaBytes [
 
 	// Return the new provider
 	return &azureNativeProvider{
-		host:          host,
-		name:          name,
-		version:       version,
-		client:        client,
-		resourceMap:   resourceMap,
-		config:        map[string]string{},
-		schemaBytes:   schemaBytes,
-		converter:     &converter,
-		rgLocationMap: map[string]string{},
+		host:            host,
+		name:            name,
+		version:         version,
+		client:          client,
+		resourceMap:     resourceMap,
+		config:          map[string]string{},
+		schemaBytes:     schemaBytes,
+		converter:       &converter,
+		rgLocationMap:   map[string]string{},
+		adalTokenClient: getOAuthTokenADAL,
+		msalTokenClient: getOAuthTokenMSAL,
 	}, nil
 }
 
@@ -250,7 +254,7 @@ func (k *azureNativeProvider) Invoke(ctx context.Context, req *rpc.InvokeRequest
 		if endpointArg := args["endpoint"]; endpointArg.HasValue() && endpointArg.IsString() {
 			endpoint = endpointArg.StringValue()
 		}
-		token, err := k.getOAuthTokenNew(ctx, auth, endpoint)
+		token, err := k.getOAuthToken(ctx, auth, endpoint)
 		if err != nil {
 			return nil, err
 		}
@@ -1748,6 +1752,20 @@ func (k *azureNativeProvider) getAuthorizers(authConfig *authentication.Config)
 }
 
 func (k *azureNativeProvider) getOAuthToken(ctx context.Context, auth *authentication.Config, endpoint string) (string, error) {
+	if len(auth.AuxiliaryTenantIDs) > 0 {
+		return k.adalTokenClient(ctx, k, auth, endpoint)
+	}
+	if k.getConfig("useLegacyADALAuth", "USE_LEGACY_ADAL_AUTH") == "true" {
+		// TODO print warning
+		return k.adalTokenClient(ctx, k, auth, endpoint)
+	}
+	return k.msalTokenClient(ctx, k, auth, endpoint)
+}
+
+type tokenGetter func(context.Context, *azureNativeProvider, *authentication.Config, string) (string, error)
+
+// Obtain a token via the deprecated ADAL method, using the hashicorp/go-azure-helpers/authentication package
+func getOAuthTokenADAL(ctx context.Context, k *azureNativeProvider, auth *authentication.Config, endpoint string) (string, error) {
 	buildSender := sender.BuildSender("AzureNative")
 	oauthConfig, err := auth.BuildOAuthConfig(k.environment.ActiveDirectoryEndpoint)
 	authorizer, err := auth.GetAuthorizationToken(buildSender, oauthConfig, endpoint)
@@ -1776,7 +1794,8 @@ func (k *azureNativeProvider) getOAuthToken(ctx context.Context, auth *authentic
 	return token, nil
 }
 
-func (k *azureNativeProvider) getOAuthTokenNew(ctx context.Context, auth *authentication.Config, endpoint string) (string, error) {
+// Obtain a token via the new MSAL method, using the azidentity package
+func getOAuthTokenMSAL(ctx context.Context, k *azureNativeProvider, auth *authentication.Config, endpoint string) (string, error) {
 	clientOpts := azcore.ClientOptions{Cloud: k.cloud()}
 
 	// There are several ways to obtain a token. We try, in order: client cert, client secret, managed service
@@ -1803,7 +1822,6 @@ func (k *azureNativeProvider) getOAuthTokenNew(ctx context.Context, auth *authen
 		if err != nil {
 			return "", err
 		}
-		// TODO,tkappler get rid of auth here
 		cred, err := azidentity.NewClientCertificateCredential(auth.TenantID, auth.ClientID, certs, key,
 			&azidentity.ClientCertificateCredentialOptions{ClientOptions: clientOpts})
 		if err != nil {

diff --git a/provider/pkg/provider/provider_test.go b/provider/pkg/provider/provider_test.go
@@ -3,25 +3,104 @@
 package provider
 
 import (
+	"context"
 	"testing"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
 	"github.com/Azure/go-autorest/autorest/azure"
+	"github.com/hashicorp/go-azure-helpers/authentication"
 	"github.com/stretchr/testify/assert"
 )
 
 func TestMapsAutorestCloudToAzureSdkCloud(t *testing.T) {
-	k := azureNativeProvider{}
+	p := azureNativeProvider{}
 
 	// default cloud
-	assert.Equal(t, k.cloud(), cloud.AzurePublic)
+	assert.Equal(t, p.cloud(), cloud.AzurePublic)
 
-	k.environment = azure.PublicCloud
-	assert.Equal(t, k.cloud(), cloud.AzurePublic)
+	p.environment = azure.PublicCloud
+	assert.Equal(t, p.cloud(), cloud.AzurePublic)
 
-	k.environment = azure.ChinaCloud
-	assert.Equal(t, k.cloud(), cloud.AzureChina)
+	p.environment = azure.ChinaCloud
+	assert.Equal(t, p.cloud(), cloud.AzureChina)
 
-	k.environment = azure.USGovernmentCloud
-	assert.Equal(t, k.cloud(), cloud.AzureGovernment)
+	p.environment = azure.USGovernmentCloud
+	assert.Equal(t, p.cloud(), cloud.AzureGovernment)
+}
+
+func TestUseMSALByDefault(t *testing.T) {
+	p, usedADAL, usedMSAL := setUpProviderWithMockTokenGetters()
+
+	callGetToken(t, p)
+	assert.False(t, *usedADAL)
+	assert.True(t, *usedMSAL)
+}
+
+func TestUseMSALForManagedIdentity(t *testing.T) {
+	p, usedADAL, usedMSAL := setUpProviderWithMockTokenGetters()
+	p.config["useMsi"] = "true"
+
+	callGetToken(t, p)
+	assert.False(t, *usedADAL)
+	assert.True(t, *usedMSAL)
+}
+
+func TestUseMSALForServicePrincipalSecret(t *testing.T) {
+	p, usedADAL, usedMSAL := setUpProviderWithMockTokenGetters()
+	p.config["clientSecret"] = "verysecret"
+	p.config["subscriptionId"] = "123"
+	p.config["clientId"] = "456"
+	p.config["tenantId"] = "789"
+
+	callGetToken(t, p)
+	assert.False(t, *usedADAL)
+	assert.True(t, *usedMSAL)
+}
+
+func TestUseADALForMultitenantAuth(t *testing.T) {
+	p, usedADAL, usedMSAL := setUpProviderWithMockTokenGetters()
+
+	p.config["auxiliaryTenantIds"] = "[\"1\"]"
+	callGetToken(t, p)
+	assert.True(t, *usedADAL)
+	assert.False(t, *usedMSAL)
+}
+
+func TestUseADALWhenRequested(t *testing.T) {
+	p, usedADAL, usedMSAL := setUpProviderWithMockTokenGetters()
+
+	p.config["useLegacyADALAuth"] = "true"
+	p.config["auxiliaryTenantIds"] = "[]" // even without multitenant auth
+	callGetToken(t, p)
+	assert.True(t, *usedADAL)
+	assert.False(t, *usedMSAL)
+}
+
+func callGetToken(t *testing.T, p *azureNativeProvider) {
+	auth, err := p.getAuthConfig()
+	assert.NoError(t, err)
+
+	p.getOAuthToken(context.Background(), auth, "")
+}
+
+// create a new provider where the func's to obtain auth tokens instead just update the bool return values if they were called
+func setUpProviderWithMockTokenGetters() (p *azureNativeProvider, usedADAL *bool, usedMSAL *bool) {
+	p = &azureNativeProvider{}
+	p.config = map[string]string{}
+
+	var adal bool
+	p.adalTokenClient = func(ctx context.Context, k *azureNativeProvider, auth *authentication.Config, endpoint string) (string, error) {
+		adal = true
+		return "", nil
+	}
+
+	var msal bool
+	p.msalTokenClient = func(ctx context.Context, k *azureNativeProvider, auth *authentication.Config, endpoint string) (string, error) {
+		msal = true
+		return "", nil
+	}
+
+	usedADAL = &adal
+	usedMSAL = &msal
+	return
 }