
Reword functions.
preslavgerchev committed Apr 4, 2024
1 parent 45d3fb1 commit 6bd6007
Showing 5 changed files with 41 additions and 52 deletions.
47 changes: 0 additions & 47 deletions providers-sdk/v1/util/azauth/credential.go

This file was deleted.

40 changes: 38 additions & 2 deletions providers-sdk/v1/util/azauth/token.go
Expand Up @@ -5,20 +5,23 @@ package azauth

import (
"context"
"errors"
"fmt"
"strings"
"time"

"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/pkg/errors"
"github.com/rs/zerolog/log"
"go.mondoo.com/cnquery/v10/providers-sdk/v1/vault"
)

// sometimes we run into a 'managed identity timed out' error when using a managed identity.
// according to https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/TROUBLESHOOTING.md#troubleshoot-defaultazurecredential-authentication-issues
// we should instead use the NewManagedIdentityCredential directly.
// This function mimics the behavior of the DefaultAzureCredential, but with a higher timeout on the managed identity
func GetTokenChain(options *azidentity.DefaultAzureCredentialOptions) (*azidentity.ChainedTokenCredential, error) {
func GetChainedToken(options *azidentity.DefaultAzureCredentialOptions) (*azidentity.ChainedTokenCredential, error) {
if options == nil {
options = &azidentity.DefaultAzureCredentialOptions{}
}
Expand Down Expand Up @@ -78,3 +81,36 @@ func (t *timedManagedIdentityCredential) GetToken(ctx context.Context, opts poli
}
return tk, err
}

func GetTokenFromCredential(credential *vault.Credential, tenantId, clientId string) (azcore.TokenCredential, error) {
var azCred azcore.TokenCredential
var err error
// fallback to default authorizer if no credentials are specified
if credential == nil {
log.Debug().Msg("using default azure token chain resolver")
azCred, err = GetChainedToken(&azidentity.DefaultAzureCredentialOptions{})
if err != nil {
return nil, errors.Wrap(err, "error creating CLI credentials")
}
} else {
switch credential.Type {
case vault.CredentialType_pkcs12:
certs, privateKey, err := azidentity.ParseCertificates(credential.Secret, []byte(credential.Password))
if err != nil {
return nil, errors.Wrap(err, fmt.Sprintf("could not parse provided certificate at %s", credential.PrivateKeyPath))
}
azCred, err = azidentity.NewClientCertificateCredential(tenantId, clientId, certs, privateKey, &azidentity.ClientCertificateCredentialOptions{})
if err != nil {
return nil, errors.Wrap(err, "error creating credentials from a certificate")
}
case vault.CredentialType_password:
azCred, err = azidentity.NewClientSecretCredential(tenantId, clientId, string(credential.Secret), &azidentity.ClientSecretCredentialOptions{})
if err != nil {
return nil, errors.Wrap(err, "error creating credentials from a secret")
}
default:
return nil, errors.New("invalid secret configuration for microsoft transport: " + credential.Type.String())
}
}
return azCred, nil
}
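Review bot: GetTokenFromCredential is exported but carries no doc comment, and the behaviour most worth stating is the `credential == nil` branch at the top of the function: a nil credential silently falls back to the ambient credential chain (environment, managed identity, CLI), announced only at debug level, so a caller whose credential lookup came back nil for the wrong reason will authenticate as whatever identity the host happens to have rather than failing. Suggested comment above the signature: `// GetTokenFromCredential builds an azcore.TokenCredential for tenantId/clientId from a vault credential.` followed by `// A nil credential falls back to GetChainedToken (environment, managed identity, CLI); pkcs12 secrets yield a client-certificate credential and password secrets a client-secret credential.` Two smaller points in the same hunk: `certs, privateKey, err :=` in the pkcs12 case declares a new err that shadows the one from `var err error` (harmless as written, since every path returns early, but it is what go vet's shadow check flags), and `errors.Wrap(err, fmt.Sprintf(...))` can be written as `errors.Wrapf(err, "could not parse provided certificate at %s", credential.PrivateKeyPath)`; note that message prints an empty path when the certificate was supplied inline rather than from a file.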
Expand Up @@ -133,7 +133,7 @@ func NewAzureSnapshotConnection(id uint32, conf *inventory.Config, asset *invent
if len(conf.Credentials) > 0 {
cred = conf.Credentials[0]
}
token, err := azauth.GetTokenCredential(cred, conf.Options["tenant-id"], conf.Options["client-id"])
token, err := azauth.GetTokenFromCredential(cred, conf.Options["tenant-id"], conf.Options["client-id"])
if err != nil {
return nil, err
}
2 changes: 1 addition & 1 deletion providers/azure/connection/connection.go
Expand Up @@ -42,7 +42,7 @@ func NewAzureConnection(id uint32, asset *inventory.Asset, conf *inventory.Confi
cred = conf.Credentials[0]
}

token, err := azauth.GetTokenCredential(cred, tenantId, clientId)
token, err := azauth.GetTokenFromCredential(cred, tenantId, clientId)
if err != nil {
return nil, errors.Wrap(err, "cannot fetch credentials for microsoft provider")
}
2 changes: 1 addition & 1 deletion providers/ms365/connection/connection.go
Expand Up @@ -51,7 +51,7 @@ func NewMs365Connection(id uint32, asset *inventory.Asset, conf *inventory.Confi
if len(tenantId) == 0 {
return nil, errors.New("ms365 backend requires a tenant-id")
}
token, err := azauth.GetTokenCredential(cred, tenantId, clientId)
token, err := azauth.GetTokenFromCredential(cred, tenantId, clientId)
if err != nil {
return nil, errors.Wrap(err, "cannot fetch credentials for microsoft provider")
}
