From f6668f998758e19d719645fe29b3d5daa22a0cb7 Mon Sep 17 00:00:00 2001
From: Simon Scharf
Date: Thu, 23 Jan 2025 13:06:41 +0100
Subject: [PATCH] update to non-deprecated azsecrets dependency switch to using azidentity.NewWorkloadIdentityCredential
---
 examples/msal-go/Dockerfile | 1 -
 examples/msal-go/go.mod | 16 +++---
 examples/msal-go/go.sum | 39 +++++++++-----
 examples/msal-go/main.go | 23 ++------
 examples/msal-go/token_credential.go | 81 ----------------------------
 examples/msal-go/windows.Dockerfile | 1 -
 6 files changed, 39 insertions(+), 122 deletions(-)
 delete mode 100644 examples/msal-go/token_credential.go
diff --git a/examples/msal-go/Dockerfile b/examples/msal-go/Dockerfile
index 9e50e0df1..30d96611d 100644
--- a/examples/msal-go/Dockerfile
+++ b/examples/msal-go/Dockerfile
@@ -10,7 +10,6 @@ RUN go mod download
 # Copy the go source
 COPY main.go main.go
-COPY token_credential.go token_credential.go
 # Build
 ARG TARGETARCH
diff --git a/examples/msal-go/go.mod b/examples/msal-go/go.mod
index 6f5dccb85..81d84515f 100644
--- a/examples/msal-go/go.mod
+++ b/examples/msal-go/go.mod
@@ -3,19 +3,23 @@ module github.com/Azure/azure-workload-identity/example/msal-go
 go 1.19
 require (
- github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0
- github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0
- github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2
+ github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.1
+ github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.0
 k8s.io/klog/v2 v2.130.1
 )
 require (
+ github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 // indirect
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
- github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
+ github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.0 // indirect
+ github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2 // indirect
 github.com/go-logr/logr v1.4.1 // indirect
 github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 github.com/google/uuid v1.6.0 // indirect
 github.com/kylelemons/godebug v1.1.0 // indirect
- golang.org/x/net v0.29.0 // indirect
- golang.org/x/text v0.18.0 // indirect
+ github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
+ golang.org/x/crypto v0.32.0 // indirect
+ golang.org/x/net v0.34.0 // indirect
+ golang.org/x/sys v0.29.0 // indirect
+ golang.org/x/text v0.21.0 // indirect
 )
diff --git a/examples/msal-go/go.sum b/examples/msal-go/go.sum
index d353788c0..3e66ded0e 100644
--- a/examples/msal-go/go.sum
+++ b/examples/msal-go/go.sum
@@ -1,32 +1,43 @@ -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 h1:JZg6HRh6W6U4OLl6lk7BZ7BLisIzM9dG1R50zUk9C/M= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0/go.mod h1:YL1xnZ6QejvQHWJrX/AvhFl4WW4rqHVoKspWNVwFk0M= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 h1:tfLQ34V6F7tVSwoTf/4lH5sE0o6eCJuNDTmH09nDpbc= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 h1:g0EZJwz7xkXQiZAI5xi9f3WWFYBlX1CPTrR+NDToRkQ= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0/go.mod h1:XCW7KnZet0Opnr7HccfUw1PLc4CjHqpcaxW8DHklNkQ= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.1 h1:1mvYtZfWQAnwNah/C+Z+Jb9rQH95LPE2vlmMuWAHJk8= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.1/go.mod h1:75I/mXtme1JyWFtz8GocPHVFyH421IBoZErnO16dd0k= +github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.1 h1:Bk5uOhSAenHyR5P61D/NzeQCv+4fEVV8mOkJ82NqpWw= github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY= github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY= -github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0 h1:xnO4sFyG8UH2fElBkcqLTOZsAajvKfnSlgBBW8dXYjw= -github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0/go.mod h1:XD3DIOOVgBCO03OleB1fHjgktVRFxlT++KwKgIOewdM= -github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 h1:FbH3BbSb4bvGluTesZZ+ttN/MDsnMmQP36OSnDuSXqw= -github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1/go.mod h1:9V2j0jn9jDEkCkv8w/bKTNppX/d0FVA1ud77xCIP4KA= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.0 h1:WLUIpeyv04H0RCcQHaA4TNoyrQ39Ox7V+re+iaqzTe0= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.0/go.mod h1:hd8hTTIY3VmUVPRHNH7GVCHO3SHgXkJKZHReby/bnUQ= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.0 h1:eXnN9kaS8TiDwXjoie3hMRLuwdUBUMW9KRgOqB3mCaw= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal 
v1.1.0/go.mod h1:XIpam8wumeZ5rVMuhdDQLMfIPDf1WO3IzrCRO3e3e3o= +github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM= github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2 h1:kYRSnvJju5gYVyhkij+RTJ/VR6QIUaCfWeaFm2ycsjQ= github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78= github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6 h1:IsMZxCuZqKuao2vNdfD82fjjgPLfyHLpR41Z88viRWs= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= -github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= -golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A= -golang.org/x/net v0.29.0 
h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= -golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= -golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= -golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= -golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +github.com/redis/go-redis/v9 v9.7.0 h1:HhLSs+B6O021gwzl+locl0zEDnyNkxMtf/Z3NNBMa9E= +github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= +golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc= +golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc= +golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0= +golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU= +golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= +golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= diff --git a/examples/msal-go/main.go b/examples/msal-go/main.go index b76e58929..60a7fce5d 100644 --- a/examples/msal-go/main.go +++ b/examples/msal-go/main.go @@ -2,10 +2,11 @@ package main import ( "context" + "github.com/Azure/azure-sdk-for-go/sdk/azidentity" "os" "time" - "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets" + "github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets" "k8s.io/klog/v2" ) 
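Review bot: The new `"github.com/Azure/azure-sdk-for-go/sdk/azidentity"` import in the main.go import hunk is placed inside the standard-library group, between `"context"` and `"os"`, while the module imports (azsecrets, klog) stay in the second group; goimports-style grouping keeps stdlib first and third-party after the blank line. Move it down so the second group reads `"github.com/Azure/azure-sdk-for-go/sdk/azidentity"`, `"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets"`, `"k8s.io/klog/v2"`. Purely a style point; the hunk is otherwise just the package swap the commit describes.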
@@ -25,25 +26,9 @@ func main() {
 // the tenantID provided via azure-wi-webhook-config for the webhook will be used.
 // AZURE_FEDERATED_TOKEN_FILE is the service account token path
 // AZURE_AUTHORITY_HOST is the AAD authority hostname
- clientID := os.Getenv("AZURE_CLIENT_ID")
- tenantID := os.Getenv("AZURE_TENANT_ID")
- tokenFilePath := os.Getenv("AZURE_FEDERATED_TOKEN_FILE")
- authorityHost := os.Getenv("AZURE_AUTHORITY_HOST")
+ // They are automatically picked up when calling azidentity.NewWorkloadIdentityCredential
- if clientID == "" {
- klog.Fatal("AZURE_CLIENT_ID environment variable is not set")
- }
- if tenantID == "" {
- klog.Fatal("AZURE_TENANT_ID environment variable is not set")
- }
- if tokenFilePath == "" {
- klog.Fatal("AZURE_FEDERATED_TOKEN_FILE environment variable is not set")
- }
- if authorityHost == "" {
- klog.Fatal("AZURE_AUTHORITY_HOST environment variable is not set")
- }
-
- cred, err := newClientAssertionCredential(tenantID, clientID, authorityHost, tokenFilePath, nil)
+ cred, err := azidentity.NewWorkloadIdentityCredential(nil)
 if err != nil {
 klog.Fatal(err)
 }
diff --git a/examples/msal-go/token_credential.go b/examples/msal-go/token_credential.go
deleted file mode 100644
index ee7a0c438..000000000
--- a/examples/msal-go/token_credential.go
+++ /dev/null
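Review bot: Removing the four environment checks changes the startup failure behaviour for AZURE_AUTHORITY_HOST rather than just relocating it: as far as I can tell, `azidentity.NewWorkloadIdentityCredential(nil)` does return an error when the client ID, tenant ID or token file are missing, but an unset AZURE_AUTHORITY_HOST is treated as "use the public cloud" rather than rejected, so a pod mis-configured for a sovereign or national cloud now starts and only fails later, at token acquisition against the wrong authority. If the example is meant to stay fail-fast for all four variables the comment block documents, keep one guard ahead of the constructor, `if os.Getenv("AZURE_AUTHORITY_HOST") == "" { klog.Fatal("AZURE_AUTHORITY_HOST environment variable is not set") }`. The added comment would also be more precise as `// AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE are read by azidentity.NewWorkloadIdentityCredential; AZURE_AUTHORITY_HOST is read too but defaults to the public cloud when unset`, with the default confirmed against the azidentity version pinned in go.mod since it is not visible in this hunk. main's body continues outside the hunk.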
@@ -1,81 +0,0 @@ -package main - -import ( - "context" - "fmt" - "net/url" - "os" - "time" - - "github.com/Azure/azure-sdk-for-go/sdk/azcore" - "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" - "github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential" -) - -// clientAssertionCredential authenticates an application with assertions provided by a callback function. -type clientAssertionCredential struct { - assertion, file string - client confidential.Client - lastRead time.Time -} - -// clientAssertionCredentialOptions contains optional parameters for ClientAssertionCredential. -type clientAssertionCredentialOptions struct { - azcore.ClientOptions -} - -// newClientAssertionCredential constructs a clientAssertionCredential. Pass nil for options to accept defaults. -func newClientAssertionCredential(tenantID, clientID, authorityHost, file string, options *clientAssertionCredentialOptions) (*clientAssertionCredential, error) { - c := &clientAssertionCredential{file: file} - - if options == nil { - options = &clientAssertionCredentialOptions{} - } - - cred := confidential.NewCredFromAssertionCallback( - func(ctx context.Context, _ confidential.AssertionRequestOptions) (string, error) { - return c.getAssertion(ctx) - }, - ) - - authority, err := url.JoinPath(authorityHost, tenantID) - if err != nil { - return nil, fmt.Errorf("failed to construct authority URL: %w", err) - } - - client, err := confidential.New(authority, clientID, cred) - if err != nil { - return nil, fmt.Errorf("failed to create confidential client: %w", err) - } - c.client = client - - return c, nil -} - -// GetToken implements the TokenCredential interface -func (c *clientAssertionCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) { - // get the token from the confidential client - token, err := c.client.AcquireTokenByCredential(ctx, opts.Scopes) - if err != nil { - return azcore.AccessToken{}, err - } - - return 
azcore.AccessToken{ - Token: token.AccessToken, - ExpiresOn: token.ExpiresOn, - }, nil -} - -// getAssertion reads the assertion from the file and returns it -// if the file has not been read in the last 5 minutes -func (c *clientAssertionCredential) getAssertion(context.Context) (string, error) { - if now := time.Now(); c.lastRead.Add(5 * time.Minute).Before(now) { - content, err := os.ReadFile(c.file) - if err != nil { - return "", err - } - c.assertion = string(content) - c.lastRead = now - } - return c.assertion, nil -} diff --git a/examples/msal-go/windows.Dockerfile b/examples/msal-go/windows.Dockerfile index 73c47c9bf..732792098 100644 --- a/examples/msal-go/windows.Dockerfile +++ b/examples/msal-go/windows.Dockerfile @@ -13,7 +13,6 @@ RUN go mod download # Copy the go source COPY main.go main.go -COPY token_credential.go token_credential.go # Build RUN CGO_ENABLED=0 GOOS=windows GO111MODULE=on go build -a -o msalgo.exe .