/
service.go
347 lines (298 loc) · 11.8 KB
/
service.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
package azure
import (
"bytes"
"context"
"encoding/json"
"fmt"
"os"
"os/exec"
"regexp"
"runtime"
"strings"
"time"
"github.com/Azure/go-autorest/autorest"
"github.com/Azure/go-autorest/autorest/azure"
"github.com/Azure/go-autorest/autorest/azure/auth"
"github.com/Azure/go-autorest/autorest/azure/cli"
"github.com/turbot/go-kit/types"
"github.com/turbot/steampipe-plugin-sdk/v5/plugin"
)
// Session info
type Session struct {
Authorizer autorest.Authorizer
CloudEnvironment string
Expires *time.Time
GraphEndpoint string
ResourceManagerEndpoint string
StorageEndpointSuffix string
SubscriptionID string
TenantID string
}
/*
GetNewSession creates an session configured from (~/.steampipe/config, environment variables and CLI) in the order:
1. Client secret
2. Client certificate
3. Username and password
4. MSI
5. CLI
*/
func GetNewSession(ctx context.Context, d *plugin.QueryData, tokenAudience string) (session *Session, err error) {
logger := plugin.Logger(ctx)
cacheKey := "GetNewSession" + tokenAudience
if cachedData, ok := d.ConnectionManager.Cache.Get(cacheKey); ok {
session = cachedData.(*Session)
if session.Expires != nil && WillExpireIn(*session.Expires, 0) {
logger.Trace("GetNewSession", "cache expired", "delete cache and obtain new session token")
d.ConnectionManager.Cache.Delete(cacheKey)
} else {
return cachedData.(*Session), nil
}
}
logger.Debug("Auth session not found in cache, creating new session")
var subscriptionID, tenantID string
settings := auth.EnvironmentSettings{
Values: map[string]string{},
Environment: azure.PublicCloud, // Set public cloud as default
}
azureConfig := GetConfig(d.Connection)
if azureConfig.TenantID != nil {
tenantID = *azureConfig.TenantID
settings.Values[auth.TenantID] = *azureConfig.TenantID
} else {
tenantID = os.Getenv(auth.TenantID)
settings.Values[auth.TenantID] = os.Getenv(auth.TenantID)
}
if azureConfig.SubscriptionID != nil {
subscriptionID = *azureConfig.SubscriptionID
settings.Values[auth.SubscriptionID] = *azureConfig.SubscriptionID
} else {
subscriptionID = os.Getenv(auth.SubscriptionID)
settings.Values[auth.SubscriptionID] = os.Getenv(auth.SubscriptionID)
}
if azureConfig.ClientID != nil {
settings.Values[auth.ClientID] = *azureConfig.ClientID
} else {
settings.Values[auth.ClientID] = os.Getenv(auth.ClientID)
}
if azureConfig.ClientSecret != nil {
settings.Values[auth.ClientSecret] = *azureConfig.ClientSecret
} else {
settings.Values[auth.ClientSecret] = os.Getenv(auth.ClientSecret)
}
if azureConfig.CertificatePath != nil {
settings.Values[auth.CertificatePath] = *azureConfig.CertificatePath
} else {
settings.Values[auth.CertificatePath] = os.Getenv(auth.CertificatePath)
}
if azureConfig.CertificatePassword != nil {
settings.Values[auth.CertificatePassword] = *azureConfig.CertificatePassword
} else {
settings.Values[auth.CertificatePassword] = os.Getenv(auth.CertificatePassword)
}
if azureConfig.Username != nil {
settings.Values[auth.Username] = *azureConfig.Username
} else {
settings.Values[auth.Username] = os.Getenv(auth.Username)
}
if azureConfig.Password != nil {
settings.Values[auth.Password] = *azureConfig.Password
} else {
settings.Values[auth.Password] = os.Getenv(auth.Password)
}
if azureConfig.Environment != nil {
env, err := azure.EnvironmentFromName(*azureConfig.Environment)
if err != nil {
logger.Error("GetNewSession", "Error getting environment from name with config environment", err)
return nil, err
}
settings.Environment = env
settings.Values[auth.EnvironmentName] = *azureConfig.Environment
} else {
env := azure.PublicCloud
envName, ok := os.LookupEnv(auth.EnvironmentName)
if ok {
env, err = azure.EnvironmentFromName(envName)
if err != nil {
logger.Error("GetNewSession", "Error getting environment from name with no config environment", err)
return nil, err
}
settings.Values[auth.EnvironmentName] = envName
}
settings.Environment = env
}
authMethod, resource, err := getApplicableAuthorizationDetails(ctx, settings, tokenAudience)
if err != nil {
logger.Error("GetNewSession", "getApplicableAuthorizationDetails error", err)
return nil, err
}
settings.Values[auth.Resource] = resource
var authorizer autorest.Authorizer
var expiresOn *time.Time
// so if it was not in cache - create session
switch authMethod {
case "Environment":
logger.Trace("Creating new session authorizer from environment")
authorizer, err = settings.GetAuthorizer()
if err != nil {
logger.Error("GetNewSession", "NewAuthorizerFromEnvironmentWithResource error", err)
return nil, err
}
// Get the subscription ID and tenant ID for "GRAPH" token audience
case "CLI":
logger.Trace("Getting token for authorizer from Azure CLI")
token, err := cli.GetTokenFromCLI(resource)
if err != nil {
logger.Error("GetNewSession", "get_token_from_cli_error", err)
return nil, err
}
adalToken, err := token.ToADALToken()
expiresOn = types.Time(adalToken.Expires())
logger.Trace("GetNewSession", "Getting token for authorizer from Azure CLI, expiresOn", expiresOn.Local())
if err != nil {
logger.Error("GetNewSession", "Get token from Azure CLI error", err)
// Check if the password was changed and the session token is stored in the system, or if the CLI is outdated
if strings.Contains(err.Error(), "invalid_grant") {
return nil, fmt.Errorf("ValidationError: The credential data used by the CLI has expired because you might have changed or reset the password. Please clear your browser's cookies and run 'az login'.")
}
return nil, err
}
authorizer = autorest.NewBearerAuthorizer(&adalToken)
default:
return nil, fmt.Errorf("invalid Azure authentication method: %s", authMethod)
}
// Get the subscription ID and tenant ID from CLI if not set in connection
// config or environment variables
if authMethod == "CLI" && (settings.Values[auth.SubscriptionID] == "" || settings.Values[auth.TenantID] == "") {
logger.Trace("Getting subscription ID and/or tenant ID from from Azure CLI")
subscription, err := getSubscriptionFromCLI(resource)
if err != nil {
logger.Error("GetNewSession", "getSubscriptionFromCLI error", err)
return nil, err
}
tenantID = subscription.TenantID
// Subscription ID set in config file or environment variable takes
// precedence over the subscription ID set in the CLI
if subscriptionID == "" {
subscriptionID = subscription.SubscriptionID
logger.Trace("Setting subscription ID from Azure CLI", "subscription_id", subscriptionID)
}
}
sess := &Session{
Authorizer: authorizer,
CloudEnvironment: settings.Environment.Name,
Expires: expiresOn,
GraphEndpoint: settings.Environment.GraphEndpoint,
ResourceManagerEndpoint: settings.Environment.ResourceManagerEndpoint,
StorageEndpointSuffix: settings.Environment.StorageEndpointSuffix,
SubscriptionID: subscriptionID,
TenantID: tenantID,
}
var expireMins time.Duration
if expiresOn != nil {
expireMins = time.Until(*sess.Expires)
} else {
// Cache for 55 minutes to avoid expiry issue
expireMins = time.Minute * 55
}
logger.Debug("Session saved in cache", "expiration_time", expireMins)
d.ConnectionManager.Cache.SetWithTTL(cacheKey, sess, expireMins)
return sess, err
}
func getApplicableAuthorizationDetails(ctx context.Context, settings auth.EnvironmentSettings, tokenAudience string) (authMethod string, resource string, err error) {
logger := plugin.Logger(ctx)
subscriptionID := settings.Values[auth.SubscriptionID]
tenantID := settings.Values[auth.TenantID]
clientID := settings.Values[auth.ClientID]
// Azure environment name
environmentName := settings.Values[auth.EnvironmentName]
// CLI is the default authentication method
authMethod = "CLI"
if subscriptionID == "" || (subscriptionID == "" && tenantID == "") {
authMethod = "CLI"
} else if subscriptionID != "" && tenantID != "" && clientID != "" {
// Works for client secret credentials, client certificate credentials, resource owner password, and managed identities
authMethod = "Environment"
}
logger.Debug("getApplicableAuthorizationDetails", "auth_method", authMethod)
var environment azure.Environment
// Get the environment endpoint to be used for authorization
if environmentName == "" {
settings.Environment = azure.PublicCloud
} else {
environment, err = azure.EnvironmentFromName(environmentName)
if err != nil {
logger.Error("getApplicableAuthorizationDetails", "get_environment_name_error", err)
return
}
settings.Environment = environment
}
logger.Debug("getApplicableAuthorizationDetails", "token_audience", tokenAudience)
switch tokenAudience {
case "GRAPH":
resource = settings.Environment.GraphEndpoint
case "VAULT":
resource = strings.TrimSuffix(settings.Environment.KeyVaultEndpoint, "/")
case "MANAGEMENT":
resource = settings.Environment.ResourceManagerEndpoint
default:
resource = settings.Environment.ResourceManagerEndpoint
}
logger.Debug("getApplicableAuthorizationDetails", "resource", resource)
return
}
type subscription struct {
SubscriptionID string `json:"subscriptionID,omitempty"`
TenantID string `json:"tenantID,omitempty"`
}
// https://github.com/Azure/go-autorest/blob/3fb5326fea196cd5af02cf105ca246a0fba59021/autorest/azure/cli/token.go#L126
// NewAuthorizerFromCLIWithResource creates an Authorizer configured from Azure CLI 2.0 for local development scenarios.
func getSubscriptionFromCLI(resource string) (*subscription, error) {
// This is the path that a developer can set to tell this class what the install path for Azure CLI is.
const azureCLIPath = "AzureCLIPath"
// The default install paths are used to find Azure CLI. This is for security, so that any path in the calling program's Path environment is not used to execute Azure CLI.
azureCLIDefaultPathWindows := fmt.Sprintf("%s\\Microsoft SDKs\\Azure\\CLI2\\wbin; %s\\Microsoft SDKs\\Azure\\CLI2\\wbin", os.Getenv("ProgramFiles(x86)"), os.Getenv("ProgramFiles"))
// Default path for non-Windows.
const azureCLIDefaultPath = "/bin:/sbin:/usr/bin:/usr/local/bin"
// Validate resource, since it gets sent as a command line argument to Azure CLI
const invalidResourceErrorTemplate = "Resource %s is not in expected format. Only alphanumeric characters, [dot], [colon], [hyphen], and [forward slash] are allowed."
match, err := regexp.MatchString("^[0-9a-zA-Z-.:/]+$", resource)
if err != nil {
return nil, err
}
if !match {
return nil, fmt.Errorf(invalidResourceErrorTemplate, resource)
}
// Execute Azure CLI to get token
var cliCmd *exec.Cmd
if runtime.GOOS == "windows" {
cliCmd = exec.Command(fmt.Sprintf("%s\\system32\\cmd.exe", os.Getenv("windir")))
cliCmd.Env = os.Environ()
cliCmd.Env = append(cliCmd.Env, fmt.Sprintf("PATH=%s;%s", os.Getenv(azureCLIPath), azureCLIDefaultPathWindows))
cliCmd.Args = append(cliCmd.Args, "/c", "az")
} else {
cliCmd = exec.Command("az")
cliCmd.Env = os.Environ()
cliCmd.Env = append(cliCmd.Env, fmt.Sprintf("PATH=%s:%s", os.Getenv(azureCLIPath), azureCLIDefaultPath))
}
cliCmd.Args = append(cliCmd.Args, "account", "get-access-token", "-o", "json", "--resource", resource)
var stderr bytes.Buffer
cliCmd.Stderr = &stderr
output, err := cliCmd.Output()
if err != nil {
return nil, fmt.Errorf("Invoking Azure CLI failed with the following error: %v", err)
}
var tokenResponse map[string]interface{}
err = json.Unmarshal(output, &tokenResponse)
if err != nil {
return nil, err
}
return &subscription{
SubscriptionID: tokenResponse["subscription"].(string),
TenantID: tokenResponse["tenant"].(string),
}, nil
}
// WillExpireIn returns true if the Token will expire after the passed time.Duration interval
// from now, false otherwise.
func WillExpireIn(t time.Time, d time.Duration) bool {
return !t.After(time.Now().Add(d))
}