bump azure sdk
v1.3.0 of azidentity introduces support to workload identity. Signed-off-by: Flavian Missi <fmissi@redhat.com>
This commit is contained in:
parent
8e29e870a4
commit
7caf058a65
169 changed files with 2892 additions and 1433 deletions
22
go.mod
22
go.mod
|
@ -4,8 +4,8 @@ go 1.18
|
|||
|
||||
require (
|
||||
github.com/AdaLogics/go-fuzz-headers v0.0.0-20221103172237-443f56ff4ba8
|
||||
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.3.0
|
||||
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.1
|
||||
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0
|
||||
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0
|
||||
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.0.0
|
||||
github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d
|
||||
github.com/aws/aws-sdk-go v1.43.16
|
||||
|
@ -27,7 +27,7 @@ require (
|
|||
github.com/sirupsen/logrus v1.8.1
|
||||
github.com/spf13/cobra v1.6.1
|
||||
github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50
|
||||
golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88
|
||||
golang.org/x/crypto v0.7.0
|
||||
golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c
|
||||
google.golang.org/api v0.30.0
|
||||
google.golang.org/cloud v0.0.0-20151119220103-975617b05ea8
|
||||
|
@ -37,8 +37,8 @@ require (
|
|||
|
||||
require (
|
||||
cloud.google.com/go v0.65.0 // indirect
|
||||
github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.1 // indirect
|
||||
github.com/AzureAD/microsoft-authentication-library-for-go v0.8.1 // indirect
|
||||
github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect
|
||||
github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect
|
||||
github.com/beorn7/perks v1.0.1 // indirect
|
||||
github.com/bitly/go-simplejson v0.5.0 // indirect
|
||||
github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b // indirect
|
||||
|
@ -46,10 +46,10 @@ require (
|
|||
github.com/cespare/xxhash/v2 v2.1.2 // indirect
|
||||
github.com/cyphar/filepath-securejoin v0.2.3 // indirect
|
||||
github.com/felixge/httpsnoop v1.0.1 // indirect
|
||||
github.com/golang-jwt/jwt/v4 v4.4.2 // indirect
|
||||
github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
|
||||
github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
|
||||
github.com/golang/protobuf v1.5.2 // indirect
|
||||
github.com/google/uuid v1.1.1 // indirect
|
||||
github.com/google/uuid v1.3.0 // indirect
|
||||
github.com/googleapis/gax-go/v2 v2.0.5 // indirect
|
||||
github.com/inconshreveable/mousetrap v1.0.1 // indirect
|
||||
github.com/jmespath/go-jmespath v0.4.0 // indirect
|
||||
|
@ -58,7 +58,7 @@ require (
|
|||
github.com/kylelemons/godebug v1.1.0 // indirect
|
||||
github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
|
||||
github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f // indirect
|
||||
github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 // indirect
|
||||
github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
|
||||
github.com/prometheus/client_model v0.2.0 // indirect
|
||||
github.com/prometheus/common v0.32.1 // indirect
|
||||
github.com/prometheus/procfs v0.7.3 // indirect
|
||||
|
@ -66,9 +66,9 @@ require (
|
|||
github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 // indirect
|
||||
github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f // indirect
|
||||
go.opencensus.io v0.22.4 // indirect
|
||||
golang.org/x/net v0.7.0 // indirect; updated for CVE-2022-27664, CVE-2022-41717
|
||||
golang.org/x/sys v0.5.0 // indirect
|
||||
golang.org/x/text v0.7.0 // indirect
|
||||
golang.org/x/net v0.8.0 // indirect; updated for CVE-2022-27664, CVE-2022-41717
|
||||
golang.org/x/sys v0.6.0 // indirect
|
||||
golang.org/x/text v0.8.0 // indirect
|
||||
google.golang.org/appengine v1.6.6 // indirect
|
||||
google.golang.org/genproto v0.0.0-20200825200019-8632dd797987 // indirect
|
||||
google.golang.org/grpc v1.31.0 // indirect
|
||||
|
|
47
go.sum
47
go.sum
|
@ -34,16 +34,16 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9
|
|||
dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
|
||||
github.com/AdaLogics/go-fuzz-headers v0.0.0-20221103172237-443f56ff4ba8 h1:d+pBUmsteW5tM87xmVXHZ4+LibHRFn40SPAoZJOg2ak=
|
||||
github.com/AdaLogics/go-fuzz-headers v0.0.0-20221103172237-443f56ff4ba8/go.mod h1:i9fr2JpcEcY/IHEvzCM3qXUZYOQHgR89dt4es1CgMhc=
|
||||
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.3.0 h1:VuHAcMq8pU1IWNT/m5yRaGqbK0BiQKHT8X4DTp9CHdI=
|
||||
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.3.0/go.mod h1:tZoQYdDZNOiIjdSn0dVWVfl0NEPGOJqVLzSrcFk4Is0=
|
||||
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.1 h1:T8quHYlUGyb/oqtSTwqlCr1ilJHrDv+ZtpSfo+hm1BU=
|
||||
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.1/go.mod h1:gLa1CL2RNE4s7M3yopJ/p0iq5DdY6Yv5ZUt9MTRZOQM=
|
||||
github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.1 h1:Oj853U9kG+RLTCQXpjvOnrv0WaZHxgmZz1TlLywgOPY=
|
||||
github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.1/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w=
|
||||
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0 h1:8kDqDngH+DmVBiCtIjCFTGa7MBnsIOkF9IccInFEbjk=
|
||||
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q=
|
||||
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 h1:vcYCAze6p19qBW7MhZybIsqD8sMV8js0NyQM8JDnVtg=
|
||||
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0/go.mod h1:OQeznEEkTZ9OrhHJoDD8ZDq51FHgXjqtP9z6bEwBq9U=
|
||||
github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY=
|
||||
github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM=
|
||||
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.0.0 h1:u/LLAOFgsMv7HmNL4Qufg58y+qElGOt5qv0z1mURkRY=
|
||||
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.0.0/go.mod h1:2e8rMJtl2+2j+HXbTBwnyGpm5Nou7KhvSfxOq8JpTag=
|
||||
github.com/AzureAD/microsoft-authentication-library-for-go v0.8.1 h1:oPdPEZFSbl7oSPEAIPMPBMUmiL+mqgzBJwM/9qYcwNg=
|
||||
github.com/AzureAD/microsoft-authentication-library-for-go v0.8.1/go.mod h1:4qFor3D/HDsvBME35Xy9rwW9DecL+M2sNw1ybjPtwA0=
|
||||
github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 h1:OBhqkivkhkMqLPymWEppkm7vgPQY2XsHoEkaMQ0AdZY=
|
||||
github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0/go.mod h1:kgDmCTgBzIEPFElEF+FK0SdjAor06dRq2Go927dnQ6o=
|
||||
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
|
||||
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
|
||||
github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d h1:UrqY+r/OJnIp5u0s1SbQ8dVfLCZJsnvazdBP5hS4iRs=
|
||||
|
@ -87,7 +87,7 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
|
|||
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba h1:p6poVbjHDkKa+wtC8frBMwQtT3BmqGYBjzMwJ63tuR4=
|
||||
github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba/go.mod h1:dV8lFg6daOBZbT6/BDGIz6Y3WFGn8juu6G+CQ6LHtl0=
|
||||
github.com/dnaeon/go-vcr v1.1.0 h1:ReYa/UBrRyQdant9B4fNHGoCNKw6qh6P0fsdGmZpR7c=
|
||||
github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
|
||||
github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8=
|
||||
github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
|
||||
github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8=
|
||||
|
@ -111,8 +111,8 @@ github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V
|
|||
github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
|
||||
github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
|
||||
github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
|
||||
github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs=
|
||||
github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
|
||||
github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
|
||||
github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
|
||||
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
|
||||
github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
|
||||
github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
|
||||
|
@ -167,8 +167,8 @@ github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hf
|
|||
github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
|
||||
github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
|
||||
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
|
||||
github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
|
||||
github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
|
||||
github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
|
||||
github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
|
||||
github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
|
||||
github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM=
|
||||
github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
|
||||
|
@ -229,8 +229,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
|
|||
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
|
||||
github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM=
|
||||
github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
|
||||
github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 h1:Qj1ukM4GlMWXNdMBuXcXfz/Kw9s1qm0CLY32QxuSImI=
|
||||
github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4/go.mod h1:N6UoU20jOqggOuDwUaBQpluzLNDqif3kq9z2wpdYEfQ=
|
||||
github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU=
|
||||
github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
|
||||
github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
|
||||
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
|
||||
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
|
||||
|
@ -301,8 +301,8 @@ golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8U
|
|||
golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
||||
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
||||
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
||||
golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88 h1:Tgea0cVUD0ivh5ADBX4WwuI12DUd2to3nCYe2eayMIw=
|
||||
golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
|
||||
golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A=
|
||||
golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
|
||||
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
|
||||
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
|
||||
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
|
||||
|
@ -363,8 +363,8 @@ golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81R
|
|||
golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
|
||||
golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
|
||||
golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
|
||||
golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
|
||||
golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
|
||||
golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
|
||||
golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
|
||||
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
|
||||
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||
|
@ -419,10 +419,11 @@ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7w
|
|||
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
|
||||
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
|
||||
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
|
||||
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
|
||||
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
|
@ -432,8 +433,8 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
|
|||
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
|
||||
golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
|
||||
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
|
||||
golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
|
||||
golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
|
||||
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||
golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||
|
|
51
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md
generated
vendored
51
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md
generated
vendored
|
@ -1,5 +1,56 @@
|
|||
# Release History
|
||||
|
||||
## 1.6.0 (2023-05-04)
|
||||
|
||||
### Features Added
|
||||
* Added support for ARM cross-tenant authentication. Set the `AuxiliaryTenants` field of `arm.ClientOptions` to enable.
|
||||
* Added `TenantID` field to `policy.TokenRequestOptions`.
|
||||
|
||||
## 1.5.0 (2023-04-06)
|
||||
|
||||
### Features Added
|
||||
* Added `ShouldRetry` to `policy.RetryOptions` for finer-grained control over when to retry.
|
||||
|
||||
### Breaking Changes
|
||||
> These changes affect only code written against a beta version such as v1.5.0-beta.1
|
||||
> These features will return in v1.6.0-beta.1.
|
||||
* Removed `TokenRequestOptions.Claims` and `.TenantID`
|
||||
* Removed ARM client support for CAE and cross-tenant auth.
|
||||
|
||||
### Bugs Fixed
|
||||
* Added non-conformant LRO terminal states `Cancelled` and `Completed`.
|
||||
|
||||
### Other Changes
|
||||
* Updated to latest `internal` module.
|
||||
|
||||
## 1.5.0-beta.1 (2023-03-02)
|
||||
|
||||
### Features Added
|
||||
* This release includes the features added in v1.4.0-beta.1
|
||||
|
||||
## 1.4.0 (2023-03-02)
|
||||
> This release doesn't include features added in v1.4.0-beta.1. They will return in v1.5.0-beta.1.
|
||||
|
||||
### Features Added
|
||||
* Add `Clone()` method for `arm/policy.ClientOptions`.
|
||||
|
||||
### Bugs Fixed
|
||||
* ARM's RP registration policy will no longer swallow unrecognized errors.
|
||||
* Fixed an issue in `runtime.NewPollerFromResumeToken()` when resuming a `Poller` with a custom `PollingHandler`.
|
||||
* Fixed wrong policy copy in `arm/runtime.NewPipeline()`.
|
||||
|
||||
## 1.4.0-beta.1 (2023-02-02)
|
||||
|
||||
### Features Added
|
||||
* Added support for ARM cross-tenant authentication. Set the `AuxiliaryTenants` field of `arm.ClientOptions` to enable.
|
||||
* Added `Claims` and `TenantID` fields to `policy.TokenRequestOptions`.
|
||||
* ARM bearer token policy handles CAE challenges.
|
||||
|
||||
## 1.3.1 (2023-02-02)
|
||||
|
||||
### Other Changes
|
||||
* Update dependencies to latest versions.
|
||||
|
||||
## 1.3.0 (2023-01-06)
|
||||
|
||||
### Features Added
|
||||
|
|
24
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/exported.go
generated
vendored
24
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/exported.go
generated
vendored
|
@ -11,8 +11,6 @@ import (
|
|||
"io"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared"
|
||||
)
|
||||
|
||||
type nopCloser struct {
|
||||
|
@ -43,24 +41,6 @@ func HasStatusCode(resp *http.Response, statusCodes ...int) bool {
|
|||
return false
|
||||
}
|
||||
|
||||
// Payload reads and returns the response body or an error.
|
||||
// On a successful read, the response body is cached.
|
||||
// Subsequent reads will access the cached value.
|
||||
// Exported as runtime.Payload().
|
||||
func Payload(resp *http.Response) ([]byte, error) {
|
||||
// r.Body won't be a nopClosingBytesReader if downloading was skipped
|
||||
if buf, ok := resp.Body.(*shared.NopClosingBytesReader); ok {
|
||||
return buf.Bytes(), nil
|
||||
}
|
||||
bytesBody, err := io.ReadAll(resp.Body)
|
||||
resp.Body.Close()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
resp.Body = shared.NewNopClosingBytesReader(bytesBody)
|
||||
return bytesBody, nil
|
||||
}
|
||||
|
||||
// AccessToken represents an Azure service bearer access token with expiry information.
|
||||
// Exported as azcore.AccessToken.
|
||||
type AccessToken struct {
|
||||
|
@ -73,6 +53,10 @@ type AccessToken struct {
|
|||
type TokenRequestOptions struct {
|
||||
// Scopes contains the list of permission scopes required for the token.
|
||||
Scopes []string
|
||||
|
||||
// TenantID identifies the tenant from which to request the token. azidentity credentials authenticate in
|
||||
// their configured default tenants when this field isn't set.
|
||||
TenantID string
|
||||
}
|
||||
|
||||
// TokenCredential represents a credential capable of providing an OAuth token.
|
||||
|
|
12
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/request.go
generated
vendored
12
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/request.go
generated
vendored
|
@ -103,6 +103,7 @@ func (req *Request) OperationValue(value interface{}) bool {
|
|||
// SetBody sets the specified ReadSeekCloser as the HTTP request body, and sets Content-Type and Content-Length
|
||||
// accordingly. If the ReadSeekCloser is nil or empty, Content-Length won't be set. If contentType is "",
|
||||
// Content-Type won't be set.
|
||||
// Use streaming.NopCloser to turn an io.ReadSeeker into an io.ReadSeekCloser.
|
||||
func (req *Request) SetBody(body io.ReadSeekCloser, contentType string) error {
|
||||
var err error
|
||||
var size int64
|
||||
|
@ -168,3 +169,14 @@ func (req *Request) Clone(ctx context.Context) *Request {
|
|||
r2.req = req.req.Clone(ctx)
|
||||
return &r2
|
||||
}
|
||||
|
||||
// not exported but dependent on Request
|
||||
|
||||
// PolicyFunc is a type that implements the Policy interface.
|
||||
// Use this type when implementing a stateless policy as a first-class function.
|
||||
type PolicyFunc func(*Request) (*http.Response, error)
|
||||
|
||||
// Do implements the Policy interface on policyFunc.
|
||||
func (pf PolicyFunc) Do(req *Request) (*http.Response, error) {
|
||||
return pf(req)
|
||||
}
|
||||
|
|
|
@ -12,6 +12,8 @@ import (
|
|||
"fmt"
|
||||
"net/http"
|
||||
"regexp"
|
||||
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/internal/exported"
|
||||
)
|
||||
|
||||
// NewResponseError creates a new *ResponseError from the provided HTTP response.
|
||||
|
@ -29,7 +31,7 @@ func NewResponseError(resp *http.Response) error {
|
|||
}
|
||||
|
||||
// if we didn't get x-ms-error-code, check in the response body
|
||||
body, err := Payload(resp)
|
||||
body, err := exported.Payload(resp, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -121,7 +123,7 @@ func (e *ResponseError) Error() string {
|
|||
fmt.Fprintln(msg, "ERROR CODE UNAVAILABLE")
|
||||
}
|
||||
fmt.Fprintln(msg, "--------------------------------------------------------------------------------")
|
||||
body, err := Payload(e.RawResponse)
|
||||
body, err := exported.Payload(e.RawResponse, nil)
|
||||
if err != nil {
|
||||
// this really shouldn't fail at this point as the response
|
||||
// body is already cached (it was read in NewResponseError)
|
||||
|
|
17
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/async/async.go
generated
vendored
17
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/async/async.go
generated
vendored
|
@ -16,6 +16,7 @@ import (
|
|||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/log"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/internal/poller"
|
||||
)
|
||||
|
||||
// see https://github.com/Azure/azure-resource-manager-rpc/blob/master/v1.0/async-api-reference.md
|
||||
|
@ -68,15 +69,15 @@ func New[T any](pl exported.Pipeline, resp *http.Response, finalState pollers.Fi
|
|||
if asyncURL == "" {
|
||||
return nil, errors.New("response is missing Azure-AsyncOperation header")
|
||||
}
|
||||
if !pollers.IsValidURL(asyncURL) {
|
||||
if !poller.IsValidURL(asyncURL) {
|
||||
return nil, fmt.Errorf("invalid polling URL %s", asyncURL)
|
||||
}
|
||||
// check for provisioning state. if the operation is a RELO
|
||||
// and terminates synchronously this will prevent extra polling.
|
||||
// it's ok if there's no provisioning state.
|
||||
state, _ := pollers.GetProvisioningState(resp)
|
||||
state, _ := poller.GetProvisioningState(resp)
|
||||
if state == "" {
|
||||
state = pollers.StatusInProgress
|
||||
state = poller.StatusInProgress
|
||||
}
|
||||
p := &Poller[T]{
|
||||
pl: pl,
|
||||
|
@ -93,17 +94,17 @@ func New[T any](pl exported.Pipeline, resp *http.Response, finalState pollers.Fi
|
|||
|
||||
// Done returns true if the LRO is in a terminal state.
|
||||
func (p *Poller[T]) Done() bool {
|
||||
return pollers.IsTerminalState(p.CurState)
|
||||
return poller.IsTerminalState(p.CurState)
|
||||
}
|
||||
|
||||
// Poll retrieves the current state of the LRO.
|
||||
func (p *Poller[T]) Poll(ctx context.Context) (*http.Response, error) {
|
||||
err := pollers.PollHelper(ctx, p.AsyncURL, p.pl, func(resp *http.Response) (string, error) {
|
||||
if !pollers.StatusCodeValid(resp) {
|
||||
if !poller.StatusCodeValid(resp) {
|
||||
p.resp = resp
|
||||
return "", exported.NewResponseError(resp)
|
||||
}
|
||||
state, err := pollers.GetStatus(resp)
|
||||
state, err := poller.GetStatus(resp)
|
||||
if err != nil {
|
||||
return "", err
|
||||
} else if state == "" {
|
||||
|
@ -122,7 +123,7 @@ func (p *Poller[T]) Poll(ctx context.Context) (*http.Response, error) {
|
|||
func (p *Poller[T]) Result(ctx context.Context, out *T) error {
|
||||
if p.resp.StatusCode == http.StatusNoContent {
|
||||
return nil
|
||||
} else if pollers.Failed(p.CurState) {
|
||||
} else if poller.Failed(p.CurState) {
|
||||
return exported.NewResponseError(p.resp)
|
||||
}
|
||||
var req *exported.Request
|
||||
|
@ -154,5 +155,5 @@ func (p *Poller[T]) Result(ctx context.Context, out *T) error {
|
|||
p.resp = resp
|
||||
}
|
||||
|
||||
return pollers.ResultHelper(p.resp, pollers.Failed(p.CurState), out)
|
||||
return pollers.ResultHelper(p.resp, poller.Failed(p.CurState), out)
|
||||
}
|
||||
|
|
25
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/body/body.go
generated
vendored
25
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/body/body.go
generated
vendored
|
@ -14,6 +14,7 @@ import (
|
|||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/log"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/internal/poller"
|
||||
)
|
||||
|
||||
// Kind is the identifier of this type in a resume token.
|
||||
|
@ -72,9 +73,9 @@ func New[T any](pl exported.Pipeline, resp *http.Response) (*Poller[T], error) {
|
|||
}
|
||||
// default initial state to InProgress. depending on the HTTP
|
||||
// status code and provisioning state, we might change the value.
|
||||
curState := pollers.StatusInProgress
|
||||
provState, err := pollers.GetProvisioningState(resp)
|
||||
if err != nil && !errors.Is(err, pollers.ErrNoBody) {
|
||||
curState := poller.StatusInProgress
|
||||
provState, err := poller.GetProvisioningState(resp)
|
||||
if err != nil && !errors.Is(err, poller.ErrNoBody) {
|
||||
return nil, err
|
||||
}
|
||||
if resp.StatusCode == http.StatusCreated && provState != "" {
|
||||
|
@ -85,37 +86,37 @@ func New[T any](pl exported.Pipeline, resp *http.Response) (*Poller[T], error) {
|
|||
curState = provState
|
||||
} else if provState == "" {
|
||||
// for a 200, absense of provisioning state indicates success
|
||||
curState = pollers.StatusSucceeded
|
||||
curState = poller.StatusSucceeded
|
||||
}
|
||||
} else if resp.StatusCode == http.StatusNoContent {
|
||||
curState = pollers.StatusSucceeded
|
||||
curState = poller.StatusSucceeded
|
||||
}
|
||||
p.CurState = curState
|
||||
return p, nil
|
||||
}
|
||||
|
||||
func (p *Poller[T]) Done() bool {
|
||||
return pollers.IsTerminalState(p.CurState)
|
||||
return poller.IsTerminalState(p.CurState)
|
||||
}
|
||||
|
||||
func (p *Poller[T]) Poll(ctx context.Context) (*http.Response, error) {
|
||||
err := pollers.PollHelper(ctx, p.PollURL, p.pl, func(resp *http.Response) (string, error) {
|
||||
if !pollers.StatusCodeValid(resp) {
|
||||
if !poller.StatusCodeValid(resp) {
|
||||
p.resp = resp
|
||||
return "", exported.NewResponseError(resp)
|
||||
}
|
||||
if resp.StatusCode == http.StatusNoContent {
|
||||
p.resp = resp
|
||||
p.CurState = pollers.StatusSucceeded
|
||||
p.CurState = poller.StatusSucceeded
|
||||
return p.CurState, nil
|
||||
}
|
||||
state, err := pollers.GetProvisioningState(resp)
|
||||
if errors.Is(err, pollers.ErrNoBody) {
|
||||
state, err := poller.GetProvisioningState(resp)
|
||||
if errors.Is(err, poller.ErrNoBody) {
|
||||
// a missing response body in non-204 case is an error
|
||||
return "", err
|
||||
} else if state == "" {
|
||||
// a response body without provisioning state is considered terminal success
|
||||
state = pollers.StatusSucceeded
|
||||
state = poller.StatusSucceeded
|
||||
} else if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
@ -130,5 +131,5 @@ func (p *Poller[T]) Poll(ctx context.Context) (*http.Response, error) {
|
|||
}
|
||||
|
||||
func (p *Poller[T]) Result(ctx context.Context, out *T) error {
|
||||
return pollers.ResultHelper(p.resp, pollers.Failed(p.CurState), out)
|
||||
return pollers.ResultHelper(p.resp, poller.Failed(p.CurState), out)
|
||||
}
|
||||
|
|
19
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/loc/loc.go
generated
vendored
19
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/loc/loc.go
generated
vendored
|
@ -16,6 +16,7 @@ import (
|
|||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/log"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/internal/poller"
|
||||
)
|
||||
|
||||
// Kind is the identifier of this type in a resume token.
|
||||
|
@ -61,15 +62,15 @@ func New[T any](pl exported.Pipeline, resp *http.Response) (*Poller[T], error) {
|
|||
if locURL == "" {
|
||||
return nil, errors.New("response is missing Location header")
|
||||
}
|
||||
if !pollers.IsValidURL(locURL) {
|
||||
if !poller.IsValidURL(locURL) {
|
||||
return nil, fmt.Errorf("invalid polling URL %s", locURL)
|
||||
}
|
||||
// check for provisioning state. if the operation is a RELO
|
||||
// and terminates synchronously this will prevent extra polling.
|
||||
// it's ok if there's no provisioning state.
|
||||
state, _ := pollers.GetProvisioningState(resp)
|
||||
state, _ := poller.GetProvisioningState(resp)
|
||||
if state == "" {
|
||||
state = pollers.StatusInProgress
|
||||
state = poller.StatusInProgress
|
||||
}
|
||||
return &Poller[T]{
|
||||
pl: pl,
|
||||
|
@ -81,7 +82,7 @@ func New[T any](pl exported.Pipeline, resp *http.Response) (*Poller[T], error) {
|
|||
}
|
||||
|
||||
func (p *Poller[T]) Done() bool {
|
||||
return pollers.IsTerminalState(p.CurState)
|
||||
return poller.IsTerminalState(p.CurState)
|
||||
}
|
||||
|
||||
func (p *Poller[T]) Poll(ctx context.Context) (*http.Response, error) {
|
||||
|
@ -93,17 +94,17 @@ func (p *Poller[T]) Poll(ctx context.Context) (*http.Response, error) {
|
|||
// if provisioning state is available, use that. this is only
|
||||
// for some ARM LRO scenarios (e.g. DELETE with a Location header)
|
||||
// so if it's missing then use HTTP status code.
|
||||
provState, _ := pollers.GetProvisioningState(resp)
|
||||
provState, _ := poller.GetProvisioningState(resp)
|
||||
p.resp = resp
|
||||
if provState != "" {
|
||||
p.CurState = provState
|
||||
} else if resp.StatusCode == http.StatusAccepted {
|
||||
p.CurState = pollers.StatusInProgress
|
||||
p.CurState = poller.StatusInProgress
|
||||
} else if resp.StatusCode > 199 && resp.StatusCode < 300 {
|
||||
// any 2xx other than a 202 indicates success
|
||||
p.CurState = pollers.StatusSucceeded
|
||||
p.CurState = poller.StatusSucceeded
|
||||
} else {
|
||||
p.CurState = pollers.StatusFailed
|
||||
p.CurState = poller.StatusFailed
|
||||
}
|
||||
return p.CurState, nil
|
||||
})
|
||||
|
@ -114,5 +115,5 @@ func (p *Poller[T]) Poll(ctx context.Context) (*http.Response, error) {
|
|||
}
|
||||
|
||||
func (p *Poller[T]) Result(ctx context.Context, out *T) error {
|
||||
return pollers.ResultHelper(p.resp, pollers.Failed(p.CurState), out)
|
||||
return pollers.ResultHelper(p.resp, poller.Failed(p.CurState), out)
|
||||
}
|
||||
|
|
21
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/op/op.go
generated
vendored
21
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/op/op.go
generated
vendored
|
@ -16,6 +16,7 @@ import (
|
|||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/log"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/internal/poller"
|
||||
)
|
||||
|
||||
// Applicable returns true if the LRO is using Operation-Location.
|
||||
|
@ -54,19 +55,19 @@ func New[T any](pl exported.Pipeline, resp *http.Response, finalState pollers.Fi
|
|||
if opURL == "" {
|
||||
return nil, errors.New("response is missing Operation-Location header")
|
||||
}
|
||||
if !pollers.IsValidURL(opURL) {
|
||||
if !poller.IsValidURL(opURL) {
|
||||
return nil, fmt.Errorf("invalid Operation-Location URL %s", opURL)
|
||||
}
|
||||
locURL := resp.Header.Get(shared.HeaderLocation)
|
||||
// Location header is optional
|
||||
if locURL != "" && !pollers.IsValidURL(locURL) {
|
||||
if locURL != "" && !poller.IsValidURL(locURL) {
|
||||
return nil, fmt.Errorf("invalid Location URL %s", locURL)
|
||||
}
|
||||
// default initial state to InProgress. if the
|
||||
// service sent us a status then use that instead.
|
||||
curState := pollers.StatusInProgress
|
||||
status, err := pollers.GetStatus(resp)
|
||||
if err != nil && !errors.Is(err, pollers.ErrNoBody) {
|
||||
curState := poller.StatusInProgress
|
||||
status, err := poller.GetStatus(resp)
|
||||
if err != nil && !errors.Is(err, poller.ErrNoBody) {
|
||||
return nil, err
|
||||
}
|
||||
if status != "" {
|
||||
|
@ -86,16 +87,16 @@ func New[T any](pl exported.Pipeline, resp *http.Response, finalState pollers.Fi
|
|||
}
|
||||
|
||||
func (p *Poller[T]) Done() bool {
|
||||
return pollers.IsTerminalState(p.CurState)
|
||||
return poller.IsTerminalState(p.CurState)
|
||||
}
|
||||
|
||||
func (p *Poller[T]) Poll(ctx context.Context) (*http.Response, error) {
|
||||
err := pollers.PollHelper(ctx, p.OpLocURL, p.pl, func(resp *http.Response) (string, error) {
|
||||
if !pollers.StatusCodeValid(resp) {
|
||||
if !poller.StatusCodeValid(resp) {
|
||||
p.resp = resp
|
||||
return "", exported.NewResponseError(resp)
|
||||
}
|
||||
state, err := pollers.GetStatus(resp)
|
||||
state, err := poller.GetStatus(resp)
|
||||
if err != nil {
|
||||
return "", err
|
||||
} else if state == "" {
|
||||
|
@ -118,7 +119,7 @@ func (p *Poller[T]) Result(ctx context.Context, out *T) error {
|
|||
req, err = exported.NewRequest(ctx, http.MethodGet, p.LocURL)
|
||||
} else if p.FinalState == pollers.FinalStateViaOpLocation && p.Method == http.MethodPost {
|
||||
// no final GET required, terminal response should have it
|
||||
} else if rl, rlErr := pollers.GetResourceLocation(p.resp); rlErr != nil && !errors.Is(rlErr, pollers.ErrNoBody) {
|
||||
} else if rl, rlErr := poller.GetResourceLocation(p.resp); rlErr != nil && !errors.Is(rlErr, poller.ErrNoBody) {
|
||||
return rlErr
|
||||
} else if rl != "" {
|
||||
req, err = exported.NewRequest(ctx, http.MethodGet, rl)
|
||||
|
@ -140,5 +141,5 @@ func (p *Poller[T]) Result(ctx context.Context, out *T) error {
|
|||
p.resp = resp
|
||||
}
|
||||
|
||||
return pollers.ResultHelper(p.resp, pollers.Failed(p.CurState), out)
|
||||
return pollers.ResultHelper(p.resp, poller.Failed(p.CurState), out)
|
||||
}
|
||||
|
|
148
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/util.go
generated
vendored
148
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/util.go
generated
vendored
|
@ -12,49 +12,15 @@ import (
|
|||
"errors"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"reflect"
|
||||
"strings"
|
||||
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported"
|
||||
azexported "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/log"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/internal/exported"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/internal/poller"
|
||||
)
|
||||
|
||||
// the well-known set of LRO status/provisioning state values.
|
||||
const (
|
||||
StatusSucceeded = "Succeeded"
|
||||
StatusCanceled = "Canceled"
|
||||
StatusFailed = "Failed"
|
||||
StatusInProgress = "InProgress"
|
||||
)
|
||||
|
||||
// IsTerminalState returns true if the LRO's state is terminal.
|
||||
func IsTerminalState(s string) bool {
|
||||
return strings.EqualFold(s, StatusSucceeded) || strings.EqualFold(s, StatusFailed) || strings.EqualFold(s, StatusCanceled)
|
||||
}
|
||||
|
||||
// Failed returns true if the LRO's state is terminal failure.
|
||||
func Failed(s string) bool {
|
||||
return strings.EqualFold(s, StatusFailed) || strings.EqualFold(s, StatusCanceled)
|
||||
}
|
||||
|
||||
// Succeeded returns true if the LRO's state is terminal success.
|
||||
func Succeeded(s string) bool {
|
||||
return strings.EqualFold(s, StatusSucceeded)
|
||||
}
|
||||
|
||||
// returns true if the LRO response contains a valid HTTP status code
|
||||
func StatusCodeValid(resp *http.Response) bool {
|
||||
return exported.HasStatusCode(resp, http.StatusOK, http.StatusAccepted, http.StatusCreated, http.StatusNoContent)
|
||||
}
|
||||
|
||||
// IsValidURL verifies that the URL is valid and absolute.
|
||||
func IsValidURL(s string) bool {
|
||||
u, err := url.Parse(s)
|
||||
return err == nil && u.IsAbs()
|
||||
}
|
||||
|
||||
// getTokenTypeName creates a type name from the type parameter T.
|
||||
func getTokenTypeName[T any]() (string, error) {
|
||||
tt := shared.TypeOfT[T]()
|
||||
|
@ -130,102 +96,6 @@ func IsTokenValid[T any](token string) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
// ErrNoBody is returned if the response didn't contain a body.
|
||||
var ErrNoBody = errors.New("the response did not contain a body")
|
||||
|
||||
// GetJSON reads the response body into a raw JSON object.
|
||||
// It returns ErrNoBody if there was no content.
|
||||
func GetJSON(resp *http.Response) (map[string]interface{}, error) {
|
||||
body, err := exported.Payload(resp)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if len(body) == 0 {
|
||||
return nil, ErrNoBody
|
||||
}
|
||||
// unmarshall the body to get the value
|
||||
var jsonBody map[string]interface{}
|
||||
if err = json.Unmarshal(body, &jsonBody); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return jsonBody, nil
|
||||
}
|
||||
|
||||
// provisioningState returns the provisioning state from the response or the empty string.
|
||||
func provisioningState(jsonBody map[string]interface{}) string {
|
||||
jsonProps, ok := jsonBody["properties"]
|
||||
if !ok {
|
||||
return ""
|
||||
}
|
||||
props, ok := jsonProps.(map[string]interface{})
|
||||
if !ok {
|
||||
return ""
|
||||
}
|
||||
rawPs, ok := props["provisioningState"]
|
||||
if !ok {
|
||||
return ""
|
||||
}
|
||||
ps, ok := rawPs.(string)
|
||||
if !ok {
|
||||
return ""
|
||||
}
|
||||
return ps
|
||||
}
|
||||
|
||||
// status returns the status from the response or the empty string.
|
||||
func status(jsonBody map[string]interface{}) string {
|
||||
rawStatus, ok := jsonBody["status"]
|
||||
if !ok {
|
||||
return ""
|
||||
}
|
||||
status, ok := rawStatus.(string)
|
||||
if !ok {
|
||||
return ""
|
||||
}
|
||||
return status
|
||||
}
|
||||
|
||||
// GetStatus returns the LRO's status from the response body.
|
||||
// Typically used for Azure-AsyncOperation flows.
|
||||
// If there is no status in the response body the empty string is returned.
|
||||
func GetStatus(resp *http.Response) (string, error) {
|
||||
jsonBody, err := GetJSON(resp)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return status(jsonBody), nil
|
||||
}
|
||||
|
||||
// GetProvisioningState returns the LRO's state from the response body.
|
||||
// If there is no state in the response body the empty string is returned.
|
||||
func GetProvisioningState(resp *http.Response) (string, error) {
|
||||
jsonBody, err := GetJSON(resp)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return provisioningState(jsonBody), nil
|
||||
}
|
||||
|
||||
// GetResourceLocation returns the LRO's resourceLocation value from the response body.
|
||||
// Typically used for Operation-Location flows.
|
||||
// If there is no resourceLocation in the response body the empty string is returned.
|
||||
func GetResourceLocation(resp *http.Response) (string, error) {
|
||||
jsonBody, err := GetJSON(resp)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
v, ok := jsonBody["resourceLocation"]
|
||||
if !ok {
|
||||
// it might be ok if the field doesn't exist, the caller must make that determination
|
||||
return "", nil
|
||||
}
|
||||
vv, ok := v.(string)
|
||||
if !ok {
|
||||
return "", fmt.Errorf("the resourceLocation value %v was not in string format", v)
|
||||
}
|
||||
return vv, nil
|
||||
}
|
||||
|
||||
// used if the operation synchronously completed
|
||||
type NopPoller[T any] struct {
|
||||
resp *http.Response
|
||||
|
@ -239,7 +109,7 @@ func NewNopPoller[T any](resp *http.Response) (*NopPoller[T], error) {
|
|||
if resp.StatusCode == http.StatusNoContent {
|
||||
return np, nil
|
||||
}
|
||||
payload, err := exported.Payload(resp)
|
||||
payload, err := exported.Payload(resp, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -269,8 +139,8 @@ func (p *NopPoller[T]) Result(ctx context.Context, out *T) error {
|
|||
// If the request fails, the update func is not called.
|
||||
// The update func returns the state of the operation for logging purposes or an error
|
||||
// if it fails to extract the required state from the response.
|
||||
func PollHelper(ctx context.Context, endpoint string, pl exported.Pipeline, update func(resp *http.Response) (string, error)) error {
|
||||
req, err := exported.NewRequest(ctx, http.MethodGet, endpoint)
|
||||
func PollHelper(ctx context.Context, endpoint string, pl azexported.Pipeline, update func(resp *http.Response) (string, error)) error {
|
||||
req, err := azexported.NewRequest(ctx, http.MethodGet, endpoint)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -296,13 +166,13 @@ func ResultHelper[T any](resp *http.Response, failed bool, out *T) error {
|
|||
}
|
||||
|
||||
defer resp.Body.Close()
|
||||
if !StatusCodeValid(resp) || failed {
|
||||
if !poller.StatusCodeValid(resp) || failed {
|
||||
// the LRO failed. unmarshall the error and update state
|
||||
return exported.NewResponseError(resp)
|
||||
return azexported.NewResponseError(resp)
|
||||
}
|
||||
|
||||
// success case
|
||||
payload, err := exported.Payload(resp)
|
||||
payload, err := exported.Payload(resp, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
4
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go
generated
vendored
4
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go
generated
vendored
|
@ -21,6 +21,8 @@ const (
|
|||
HeaderOperationLocation = "Operation-Location"
|
||||
HeaderRetryAfter = "Retry-After"
|
||||
HeaderUserAgent = "User-Agent"
|
||||
HeaderWWWAuthenticate = "WWW-Authenticate"
|
||||
HeaderXMSClientRequestID = "x-ms-client-request-id"
|
||||
)
|
||||
|
||||
const BearerTokenPrefix = "Bearer "
|
||||
|
@ -30,5 +32,5 @@ const (
|
|||
Module = "azcore"
|
||||
|
||||
// Version is the semantic version (see http://semver.org) of this module.
|
||||
Version = "v1.3.0"
|
||||
Version = "v1.6.0"
|
||||
)
|
||||
|
|
67
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/shared.go
generated
vendored
67
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/shared.go
generated
vendored
|
@ -8,9 +8,7 @@ package shared
|
|||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"reflect"
|
||||
"regexp"
|
||||
|
@ -64,71 +62,6 @@ func TypeOfT[T any]() reflect.Type {
|
|||
return reflect.TypeOf((*T)(nil)).Elem()
|
||||
}
|
||||
|
||||
// BytesSetter abstracts replacing a byte slice on some type.
|
||||
type BytesSetter interface {
|
||||
Set(b []byte)
|
||||
}
|
||||
|
||||
// NewNopClosingBytesReader creates a new *NopClosingBytesReader for the specified slice.
|
||||
func NewNopClosingBytesReader(data []byte) *NopClosingBytesReader {
|
||||
return &NopClosingBytesReader{s: data}
|
||||
}
|
||||
|
||||
// NopClosingBytesReader is an io.ReadSeekCloser around a byte slice.
|
||||
// It also provides direct access to the byte slice to avoid rereading.
|
||||
type NopClosingBytesReader struct {
|
||||
s []byte
|
||||
i int64
|
||||
}
|
||||
|
||||
// Bytes returns the underlying byte slice.
|
||||
func (r *NopClosingBytesReader) Bytes() []byte {
|
||||
return r.s
|
||||
}
|
||||
|
||||
// Close implements the io.Closer interface.
|
||||
func (*NopClosingBytesReader) Close() error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// Read implements the io.Reader interface.
|
||||
func (r *NopClosingBytesReader) Read(b []byte) (n int, err error) {
|
||||
if r.i >= int64(len(r.s)) {
|
||||
return 0, io.EOF
|
||||
}
|
||||
n = copy(b, r.s[r.i:])
|
||||
r.i += int64(n)
|
||||
return
|
||||
}
|
||||
|
||||
// Set replaces the existing byte slice with the specified byte slice and resets the reader.
|
||||
func (r *NopClosingBytesReader) Set(b []byte) {
|
||||
r.s = b
|
||||
r.i = 0
|
||||
}
|
||||
|
||||
// Seek implements the io.Seeker interface.
|
||||
func (r *NopClosingBytesReader) Seek(offset int64, whence int) (int64, error) {
|
||||
var i int64
|
||||
switch whence {
|
||||
case io.SeekStart:
|
||||
i = offset
|
||||
case io.SeekCurrent:
|
||||
i = r.i + offset
|
||||
case io.SeekEnd:
|
||||
i = int64(len(r.s)) + offset
|
||||
default:
|
||||
return 0, errors.New("nopClosingBytesReader: invalid whence")
|
||||
}
|
||||
if i < 0 {
|
||||
return 0, errors.New("nopClosingBytesReader: negative position")
|
||||
}
|
||||
r.i = i
|
||||
return i, nil
|
||||
}
|
||||
|
||||
var _ BytesSetter = (*NopClosingBytesReader)(nil)
|
||||
|
||||
// TransportFunc is a helper to use a first-class func to satisfy the Transporter interface.
|
||||
type TransportFunc func(*http.Request) (*http.Response, error)
|
||||
|
||||
|
|
11
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/policy/policy.go
generated
vendored
11
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/policy/policy.go
generated
vendored
|
@ -99,7 +99,7 @@ type RetryOptions struct {
|
|||
|
||||
// MaxRetryDelay specifies the maximum delay allowed before retrying an operation.
|
||||
// Typically the value is greater than or equal to the value specified in RetryDelay.
|
||||
// The default Value is 120 seconds. A value less than zero means there is no cap.
|
||||
// The default Value is 60 seconds. A value less than zero means there is no cap.
|
||||
MaxRetryDelay time.Duration
|
||||
|
||||
// StatusCodes specifies the HTTP status codes that indicate the operation should be retried.
|
||||
|
@ -113,6 +113,15 @@ type RetryOptions struct {
|
|||
// Specifying values will replace the default values.
|
||||
// Specifying an empty slice will disable retries for HTTP status codes.
|
||||
StatusCodes []int
|
||||
|
||||
// ShouldRetry evaluates if the retry policy should retry the request.
|
||||
// When specified, the function overrides comparison against the list of
|
||||
// HTTP status codes and error checking within the retry policy. Context
|
||||
// and NonRetriable errors remain evaluated before calling ShouldRetry.
|
||||
// The *http.Response and error parameters are mutually exclusive, i.e.
|
||||
// if one is nil, the other is not nil.
|
||||
// A return value of true means the retry policy should retry.
|
||||
ShouldRetry func(*http.Response, error) bool
|
||||
}
|
||||
|
||||
// TelemetryOptions configures the telemetry policy's behavior.
|
||||
|
|
15
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pipeline.go
generated
vendored
15
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pipeline.go
generated
vendored
|
@ -7,8 +7,6 @@
|
|||
package runtime
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
|
||||
)
|
||||
|
@ -46,7 +44,7 @@ func NewPipeline(module, version string, plOpts PipelineOptions, options *policy
|
|||
}
|
||||
// we put the includeResponsePolicy at the very beginning so that the raw response
|
||||
// is populated with the final response (some policies might mutate the response)
|
||||
policies := []policy.Policy{policyFunc(includeResponsePolicy)}
|
||||
policies := []policy.Policy{exported.PolicyFunc(includeResponsePolicy)}
|
||||
if cp.APIVersion != "" {
|
||||
policies = append(policies, newAPIVersionPolicy(cp.APIVersion, &plOpts.APIVersion))
|
||||
}
|
||||
|
@ -59,19 +57,10 @@ func NewPipeline(module, version string, plOpts PipelineOptions, options *policy
|
|||
policies = append(policies, plOpts.PerRetry...)
|
||||
policies = append(policies, cp.PerRetryPolicies...)
|
||||
policies = append(policies, NewLogPolicy(&cp.Logging))
|
||||
policies = append(policies, policyFunc(httpHeaderPolicy), policyFunc(bodyDownloadPolicy))
|
||||
policies = append(policies, exported.PolicyFunc(httpHeaderPolicy), exported.PolicyFunc(bodyDownloadPolicy))
|
||||
transport := cp.Transport
|
||||
if transport == nil {
|
||||
transport = defaultHTTPClient
|
||||
}
|
||||
return exported.NewPipeline(transport, policies...)
|
||||
}
|
||||
|
||||
// policyFunc is a type that implements the Policy interface.
|
||||
// Use this type when implementing a stateless policy as a first-class function.
|
||||
type policyFunc func(*policy.Request) (*http.Response, error)
|
||||
|
||||
// Do implements the Policy interface on policyFunc.
|
||||
func (pf policyFunc) Do(req *policy.Request) (*http.Response, error) {
|
||||
return pf(req)
|
||||
}
|
||||
|
|
3
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_body_download.go
generated
vendored
3
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_body_download.go
generated
vendored
|
@ -11,7 +11,6 @@ import (
|
|||
"net/http"
|
||||
"strings"
|
||||
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/internal/errorinfo"
|
||||
)
|
||||
|
@ -29,7 +28,7 @@ func bodyDownloadPolicy(req *policy.Request) (*http.Response, error) {
|
|||
}
|
||||
// Either bodyDownloadPolicyOpValues was not specified (so skip is false)
|
||||
// or it was specified and skip is false: don't skip downloading the body
|
||||
_, err = exported.Payload(resp)
|
||||
_, err = Payload(resp)
|
||||
if err != nil {
|
||||
return resp, newBodyDownloadError(err, req)
|
||||
}
|
||||
|
|
40
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_logging.go
generated
vendored
40
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_logging.go
generated
vendored
|
@ -11,6 +11,7 @@ import (
|
|||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"sort"
|
||||
"strings"
|
||||
"time"
|
||||
|
@ -66,12 +67,7 @@ func NewLogPolicy(o *policy.LogOptions) policy.Policy {
|
|||
allowedHeaders[strings.ToLower(ah)] = struct{}{}
|
||||
}
|
||||
// now do the same thing for query params
|
||||
allowedQP := map[string]struct{}{
|
||||
"api-version": {},
|
||||
}
|
||||
for _, qp := range o.AllowedQueryParams {
|
||||
allowedQP[strings.ToLower(qp)] = struct{}{}
|
||||
}
|
||||
allowedQP := getAllowedQueryParams(o.AllowedQueryParams)
|
||||
return &logPolicy{
|
||||
includeBody: o.IncludeBody,
|
||||
allowedHeaders: allowedHeaders,
|
||||
|
@ -79,6 +75,18 @@ func NewLogPolicy(o *policy.LogOptions) policy.Policy {
|
|||
}
|
||||
}
|
||||
|
||||
// getAllowedQueryParams merges the default set of allowed query parameters
|
||||
// with a custom set (usually comes from client options).
|
||||
func getAllowedQueryParams(customAllowedQP []string) map[string]struct{} {
|
||||
allowedQP := map[string]struct{}{
|
||||
"api-version": {},
|
||||
}
|
||||
for _, qp := range customAllowedQP {
|
||||
allowedQP[strings.ToLower(qp)] = struct{}{}
|
||||
}
|
||||
return allowedQP
|
||||
}
|
||||
|
||||
// logPolicyOpValues is the struct containing the per-operation values
|
||||
type logPolicyOpValues struct {
|
||||
try int32
|
||||
|
@ -140,20 +148,24 @@ func (p *logPolicy) Do(req *policy.Request) (*http.Response, error) {
|
|||
|
||||
const redactedValue = "REDACTED"
|
||||
|
||||
// writeRequestWithResponse appends a formatted HTTP request into a Buffer. If request and/or err are
|
||||
// not nil, then these are also written into the Buffer.
|
||||
func (p *logPolicy) writeRequestWithResponse(b *bytes.Buffer, req *policy.Request, resp *http.Response, err error) {
|
||||
// getSanitizedURL returns a sanitized string for the provided url.URL
|
||||
func getSanitizedURL(u url.URL, allowedQueryParams map[string]struct{}) string {
|
||||
// redact applicable query params
|
||||
cpURL := *req.Raw().URL
|
||||
qp := cpURL.Query()
|
||||
qp := u.Query()
|
||||
for k := range qp {
|
||||
if _, ok := p.allowedQP[strings.ToLower(k)]; !ok {
|
||||
if _, ok := allowedQueryParams[strings.ToLower(k)]; !ok {
|
||||
qp.Set(k, redactedValue)
|
||||
}
|
||||
}
|
||||
cpURL.RawQuery = qp.Encode()
|
||||
u.RawQuery = qp.Encode()
|
||||
return u.String()
|
||||
}
|
||||
|
||||
// writeRequestWithResponse appends a formatted HTTP request into a Buffer. If request and/or err are
|
||||
// not nil, then these are also written into the Buffer.
|
||||
func (p *logPolicy) writeRequestWithResponse(b *bytes.Buffer, req *policy.Request, resp *http.Response, err error) {
|
||||
// Write the request into the buffer.
|
||||
fmt.Fprint(b, " "+req.Raw().Method+" "+cpURL.String()+"\n")
|
||||
fmt.Fprint(b, " "+req.Raw().Method+" "+getSanitizedURL(*req.Raw().URL, p.allowedQP)+"\n")
|
||||
p.writeHeader(b, req.Raw().Header)
|
||||
if resp != nil {
|
||||
fmt.Fprintln(b, " --------------------------------------------------------------------------------")
|
||||
|
|
6
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_request_id.go
generated
vendored
6
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_request_id.go
generated
vendored
|
@ -9,6 +9,7 @@ package runtime
|
|||
import (
|
||||
"net/http"
|
||||
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/internal/uuid"
|
||||
)
|
||||
|
@ -21,13 +22,12 @@ func NewRequestIDPolicy() policy.Policy {
|
|||
}
|
||||
|
||||
func (r *requestIDPolicy) Do(req *policy.Request) (*http.Response, error) {
|
||||
const requestIdHeader = "x-ms-client-request-id"
|
||||
if req.Raw().Header.Get(requestIdHeader) == "" {
|
||||
if req.Raw().Header.Get(shared.HeaderXMSClientRequestID) == "" {
|
||||
id, err := uuid.New()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
req.Raw().Header.Set(requestIdHeader, id.String())
|
||||
req.Raw().Header.Set(shared.HeaderXMSClientRequestID, id.String())
|
||||
}
|
||||
|
||||
return req.Next()
|
||||
|
|
22
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_retry.go
generated
vendored
22
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_retry.go
generated
vendored
|
@ -19,6 +19,7 @@ import (
|
|||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/internal/errorinfo"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/internal/exported"
|
||||
)
|
||||
|
||||
const (
|
||||
|
@ -133,7 +134,7 @@ func (p *retryPolicy) Do(req *policy.Request) (resp *http.Response, err error) {
|
|||
// if the body was already downloaded or there was an error it's safe to cancel the context now
|
||||
if err != nil {
|
||||
tryCancel()
|
||||
} else if _, ok := resp.Body.(*shared.NopClosingBytesReader); ok {
|
||||
} else if exported.PayloadDownloaded(resp) {
|
||||
tryCancel()
|
||||
} else {
|
||||
// must cancel the context after the body has been read and closed
|
||||
|
@ -146,11 +147,7 @@ func (p *retryPolicy) Do(req *policy.Request) (resp *http.Response, err error) {
|
|||
log.Writef(log.EventRetryPolicy, "error %v", err)
|
||||
}
|
||||
|
||||
if err == nil && !HasStatusCode(resp, options.StatusCodes...) {
|
||||
// if there is no error and the response code isn't in the list of retry codes then we're done.
|
||||
log.Write(log.EventRetryPolicy, "exit due to non-retriable status code")
|
||||
return
|
||||
} else if ctxErr := req.Raw().Context().Err(); ctxErr != nil {
|
||||
if ctxErr := req.Raw().Context().Err(); ctxErr != nil {
|
||||
// don't retry if the parent context has been cancelled or its deadline exceeded
|
||||
err = ctxErr
|
||||
log.Writef(log.EventRetryPolicy, "abort due to %v", err)
|
||||
|
@ -165,6 +162,19 @@ func (p *retryPolicy) Do(req *policy.Request) (resp *http.Response, err error) {
|
|||
return
|
||||
}
|
||||
|
||||
if options.ShouldRetry != nil {
|
||||
// a non-nil ShouldRetry overrides our HTTP status code check
|
||||
if !options.ShouldRetry(resp, err) {
|
||||
// predicate says we shouldn't retry
|
||||
log.Write(log.EventRetryPolicy, "exit due to ShouldRetry")
|
||||
return
|
||||
}
|
||||
} else if err == nil && !HasStatusCode(resp, options.StatusCodes...) {
|
||||
// if there is no error and the response code isn't in the list of retry codes then we're done.
|
||||
log.Write(log.EventRetryPolicy, "exit due to non-retriable status code")
|
||||
return
|
||||
}
|
||||
|
||||
if try == options.MaxRetries+1 {
|
||||
// max number of tries has been reached, don't sleep again
|
||||
log.Writef(log.EventRetryPolicy, "MaxRetries %d exceeded", options.MaxRetries)
|
||||
|
|
9
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/poller.go
generated
vendored
9
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/poller.go
generated
vendored
|
@ -23,6 +23,7 @@ import (
|
|||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/loc"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/op"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/internal/poller"
|
||||
)
|
||||
|
||||
// FinalStateVia is the enumerated type for the possible final-state-via values.
|
||||
|
@ -75,7 +76,7 @@ func NewPoller[T any](resp *http.Response, pl exported.Pipeline, options *NewPol
|
|||
defer resp.Body.Close()
|
||||
// this is a back-stop in case the swagger is incorrect (i.e. missing one or more status codes for success).
|
||||
// ideally the codegen should return an error if the initial response failed and not even create a poller.
|
||||
if !pollers.StatusCodeValid(resp) {
|
||||
if !poller.StatusCodeValid(resp) {
|
||||
return nil, errors.New("the operation failed or was cancelled")
|
||||
}
|
||||
|
||||
|
@ -146,7 +147,9 @@ func NewPollerFromResumeToken[T any](token string, pl exported.Pipeline, options
|
|||
|
||||
opr := options.Handler
|
||||
// now rehydrate the poller based on the encoded poller type
|
||||
if async.CanResume(asJSON) {
|
||||
if opr != nil {
|
||||
log.Writef(log.EventLRO, "Resuming custom poller %T.", opr)
|
||||
} else if async.CanResume(asJSON) {
|
||||
opr, _ = async.New[T](pl, nil, "")
|
||||
} else if body.CanResume(asJSON) {
|
||||
opr, _ = body.New[T](pl, nil)
|
||||
|
@ -154,8 +157,6 @@ func NewPollerFromResumeToken[T any](token string, pl exported.Pipeline, options
|
|||
opr, _ = loc.New[T](pl, nil)
|
||||
} else if op.CanResume(asJSON) {
|
||||
opr, _ = op.New[T](pl, nil, "")
|
||||
} else if opr != nil {
|
||||
log.Writef(log.EventLRO, "Resuming custom poller %T.", opr)
|
||||
} else {
|
||||
return nil, fmt.Errorf("unhandled poller token %s", string(raw))
|
||||
}
|
||||
|
|
17
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/response.go
generated
vendored
17
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/response.go
generated
vendored
|
@ -15,15 +15,14 @@ import (
|
|||
"io"
|
||||
"net/http"
|
||||
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/internal/exported"
|
||||
)
|
||||
|
||||
// Payload reads and returns the response body or an error.
|
||||
// On a successful read, the response body is cached.
|
||||
// Subsequent reads will access the cached value.
|
||||
func Payload(resp *http.Response) ([]byte, error) {
|
||||
return exported.Payload(resp)
|
||||
return exported.Payload(resp, nil)
|
||||
}
|
||||
|
||||
// HasStatusCode returns true if the Response's status code is one of the specified values.
|
||||
|
@ -92,15 +91,15 @@ func Drain(resp *http.Response) {
|
|||
|
||||
// removeBOM removes any byte-order mark prefix from the payload if present.
|
||||
func removeBOM(resp *http.Response) error {
|
||||
payload, err := Payload(resp)
|
||||
_, err := exported.Payload(resp, &exported.PayloadOptions{
|
||||
BytesModifier: func(b []byte) []byte {
|
||||
// UTF8
|
||||
return bytes.TrimPrefix(b, []byte("\xef\xbb\xbf"))
|
||||
},
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
// UTF8
|
||||
trimmed := bytes.TrimPrefix(payload, []byte("\xef\xbb\xbf"))
|
||||
if len(trimmed) < len(payload) {
|
||||
resp.Body.(shared.BytesSetter).Set(trimmed)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
|
|
3
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/streaming/progress.go
generated
vendored
3
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/streaming/progress.go
generated
vendored
|
@ -20,6 +20,9 @@ type progress struct {
|
|||
}
|
||||
|
||||
// NopCloser returns a ReadSeekCloser with a no-op close method wrapping the provided io.ReadSeeker.
|
||||
// In addition to adding a Close method to an io.ReadSeeker, this can also be used to wrap an
|
||||
// io.ReadSeekCloser with a no-op Close method to allow explicit control of when the io.ReedSeekCloser
|
||||
// has its underlying stream closed.
|
||||
func NopCloser(rs io.ReadSeeker) io.ReadSeekCloser {
|
||||
return exported.NopCloser(rs)
|
||||
}
|
||||
|
|
58
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
generated
vendored
58
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
generated
vendored
|
@ -1,9 +1,63 @@
|
|||
# Release History
|
||||
|
||||
## 1.2.1 (2023-01-26)
|
||||
## 1.3.0 (2023-05-09)
|
||||
|
||||
### Breaking Changes
|
||||
> These changes affect only code written against a beta version such as v1.3.0-beta.5
|
||||
* Renamed `NewOnBehalfOfCredentialFromCertificate` to `NewOnBehalfOfCredentialWithCertificate`
|
||||
* Renamed `NewOnBehalfOfCredentialFromSecret` to `NewOnBehalfOfCredentialWithSecret`
|
||||
|
||||
### Other Changes
|
||||
* Upgrade MSAL to v0.8.1
|
||||
* Upgraded to MSAL v1.0.0
|
||||
|
||||
## 1.3.0-beta.5 (2023-04-11)
|
||||
|
||||
### Breaking Changes
|
||||
> These changes affect only code written against a beta version such as v1.3.0-beta.4
|
||||
* Moved `NewWorkloadIdentityCredential()` parameters into `WorkloadIdentityCredentialOptions`.
|
||||
The constructor now reads default configuration from environment variables set by the Azure
|
||||
workload identity webhook by default.
|
||||
([#20478](https://github.com/Azure/azure-sdk-for-go/pull/20478))
|
||||
* Removed CAE support. It will return in v1.4.0-beta.1
|
||||
([#20479](https://github.com/Azure/azure-sdk-for-go/pull/20479))
|
||||
|
||||
### Bugs Fixed
|
||||
* Fixed an issue in `DefaultAzureCredential` that could cause the managed identity endpoint check to fail in rare circumstances.
|
||||
|
||||
## 1.3.0-beta.4 (2023-03-08)
|
||||
|
||||
### Features Added
|
||||
* Added `WorkloadIdentityCredentialOptions.AdditionallyAllowedTenants` and `.DisableInstanceDiscovery`
|
||||
|
||||
### Bugs Fixed
|
||||
* Credentials now synchronize within `GetToken()` so a single instance can be shared among goroutines
|
||||
([#20044](https://github.com/Azure/azure-sdk-for-go/issues/20044))
|
||||
|
||||
### Other Changes
|
||||
* Upgraded dependencies
|
||||
|
||||
## 1.2.2 (2023-03-07)
|
||||
|
||||
### Other Changes
|
||||
* Upgraded dependencies
|
||||
|
||||
## 1.3.0-beta.3 (2023-02-07)
|
||||
|
||||
### Features Added
|
||||
* By default, credentials set client capability "CP1" to enable support for
|
||||
[Continuous Access Evaluation (CAE)](https://docs.microsoft.com/azure/active-directory/develop/app-resilience-continuous-access-evaluation).
|
||||
This indicates to Azure Active Directory that your application can handle CAE claims challenges.
|
||||
You can disable this behavior by setting the environment variable "AZURE_IDENTITY_DISABLE_CP1" to "true".
|
||||
* `InteractiveBrowserCredentialOptions.LoginHint` enables pre-populating the login
|
||||
prompt with a username ([#15599](https://github.com/Azure/azure-sdk-for-go/pull/15599))
|
||||
* Service principal and user credentials support ADFS authentication on Azure Stack.
|
||||
Specify "adfs" as the credential's tenant.
|
||||
* Applications running in private or disconnected clouds can prevent credentials from
|
||||
requesting Azure AD instance metadata by setting the `DisableInstanceDiscovery`
|
||||
field on credential options.
|
||||
* Many credentials can now be configured to authenticate in multiple tenants. The
|
||||
options types for these credentials have an `AdditionallyAllowedTenants` field
|
||||
that specifies additional tenants in which the credential may authenticate.
|
||||
|
||||
## 1.3.0-beta.2 (2023-01-10)
|
||||
|
||||
|
|
8
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/README.md
generated
vendored
8
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/README.md
generated
vendored
|
@ -55,8 +55,9 @@ an Azure AD access token. See [Credential Types](#credential-types "Credential T
|
|||
![DefaultAzureCredential authentication flow](img/mermaidjs/DefaultAzureCredentialAuthFlow.svg)
|
||||
|
||||
1. **Environment** - `DefaultAzureCredential` will read account information specified via [environment variables](#environment-variables) and use it to authenticate.
|
||||
2. **Managed Identity** - If the app is deployed to an Azure host with managed identity enabled, `DefaultAzureCredential` will authenticate with it.
|
||||
3. **Azure CLI** - If a user or service principal has authenticated via the Azure CLI `az login` command, `DefaultAzureCredential` will authenticate that identity.
|
||||
1. **Workload Identity** - If the app is deployed on Kubernetes with environment variables set by the workload identity webhook, `DefaultAzureCredential` will authenticate the configured identity.
|
||||
1. **Managed Identity** - If the app is deployed to an Azure host with managed identity enabled, `DefaultAzureCredential` will authenticate with it.
|
||||
1. **Azure CLI** - If a user or service principal has authenticated via the Azure CLI `az login` command, `DefaultAzureCredential` will authenticate that identity.
|
||||
|
||||
> Note: `DefaultAzureCredential` is intended to simplify getting started with the SDK by handling common scenarios with reasonable default behaviors. Developers who want more control or whose scenario isn't served by the default settings should use other credential types.
|
||||
|
||||
|
@ -128,12 +129,13 @@ client := armresources.NewResourceGroupsClient("subscription ID", chain, nil)
|
|||
|[ChainedTokenCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ChainedTokenCredential)|Define custom authentication flows, composing multiple credentials
|
||||
|[EnvironmentCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#EnvironmentCredential)|Authenticate a service principal or user configured by environment variables
|
||||
|[ManagedIdentityCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ManagedIdentityCredential)|Authenticate the managed identity of an Azure resource
|
||||
|[WorkloadIdentityCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#WorkloadIdentityCredential)|Authenticate a workload identity on Kubernetes
|
||||
|
||||
### Authenticating Service Principals
|
||||
|
||||
|Credential|Usage
|
||||
|-|-
|
||||
|[ClientAssertionCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.2.0-beta.2#ClientAssertionCredential)|Authenticate a service principal with a signed client assertion
|
||||
|[ClientAssertionCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientAssertionCredential)|Authenticate a service principal with a signed client assertion
|
||||
|[ClientCertificateCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientCertificateCredential)|Authenticate a service principal with a certificate
|
||||
|[ClientSecretCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientSecretCredential)|Authenticate a service principal with a secret
|
||||
|
||||
|
|
20
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
generated
vendored
20
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
generated
vendored
|
@ -8,16 +8,17 @@ This troubleshooting guide covers failure investigation techniques, common error
|
|||
- [Permission issues](#permission-issues)
|
||||
- [Find relevant information in errors](#find-relevant-information-in-errors)
|
||||
- [Enable and configure logging](#enable-and-configure-logging)
|
||||
- [Troubleshoot AzureCliCredential authentication issues](#troubleshoot-azureclicredential-authentication-issues)
|
||||
- [Troubleshoot ClientCertificateCredential authentication issues](#troubleshoot-clientcertificatecredential-authentication-issues)
|
||||
- [Troubleshoot ClientSecretCredential authentication issues](#troubleshoot-clientsecretcredential-authentication-issues)
|
||||
- [Troubleshoot DefaultAzureCredential authentication issues](#troubleshoot-defaultazurecredential-authentication-issues)
|
||||
- [Troubleshoot EnvironmentCredential authentication issues](#troubleshoot-environmentcredential-authentication-issues)
|
||||
- [Troubleshoot ClientSecretCredential authentication issues](#troubleshoot-clientsecretcredential-authentication-issues)
|
||||
- [Troubleshoot ClientCertificateCredential authentication issues](#troubleshoot-clientcertificatecredential-authentication-issues)
|
||||
- [Troubleshoot UsernamePasswordCredential authentication issues](#troubleshoot-usernamepasswordcredential-authentication-issues)
|
||||
- [Troubleshoot ManagedIdentityCredential authentication issues](#troubleshoot-managedidentitycredential-authentication-issues)
|
||||
- [Azure Virtual Machine managed identity](#azure-virtual-machine-managed-identity)
|
||||
- [Azure App Service and Azure Functions managed identity](#azure-app-service-and-azure-functions-managed-identity)
|
||||
- [Azure Kubernetes Service managed identity](#azure-kubernetes-service-managed-identity)
|
||||
- [Troubleshoot AzureCliCredential authentication issues](#troubleshoot-azureclicredential-authentication-issues)
|
||||
- [Azure Virtual Machine managed identity](#azure-virtual-machine-managed-identity)
|
||||
- [Troubleshoot UsernamePasswordCredential authentication issues](#troubleshoot-usernamepasswordcredential-authentication-issues)
|
||||
- [Troubleshoot WorkloadIdentityCredential authentication issues](#troubleshoot-workloadidentitycredential-authentication-issues)
|
||||
- [Get additional help](#get-additional-help)
|
||||
|
||||
## Handle azidentity errors
|
||||
|
@ -79,7 +80,7 @@ azlog.SetEvents(azidentity.EventAuthentication)
|
|||
|
||||
| Error |Description| Mitigation |
|
||||
|---|---|---|
|
||||
|"DefaultAzureCredential failed to acquire a token"|No credential in the `DefaultAzureCredential` chain provided a token|<ul><li>[Enable logging](#enable-and-configure-logging) to get further diagnostic information.</li><li>Consult the troubleshooting guide for underlying credential types for more information.</li><ul><li>[EnvironmentCredential](#troubleshoot-environmentcredential-authentication-issues)</li><li>[ManagedIdentityCredential](#troubleshoot-visualstudiocredential-authentication-issues)</li><li>[AzureCLICredential](#troubleshoot-azureclicredential-authentication-issues)</li></ul>|
|
||||
|"DefaultAzureCredential failed to acquire a token"|No credential in the `DefaultAzureCredential` chain provided a token|<ul><li>[Enable logging](#enable-and-configure-logging) to get further diagnostic information.</li><li>Consult the troubleshooting guide for underlying credential types for more information.</li><ul><li>[EnvironmentCredential](#troubleshoot-environmentcredential-authentication-issues)</li><li>[ManagedIdentityCredential](#troubleshoot-managedidentitycredential-authentication-issues)</li><li>[AzureCLICredential](#troubleshoot-azureclicredential-authentication-issues)</li></ul>|
|
||||
|Error from the client with a status code of 401 or 403|Authentication succeeded but the authorizing Azure service responded with a 401 (Unauthorized), or 403 (Forbidden) status code|<ul><li>[Enable logging](#enable-and-configure-logging) to determine which credential in the chain returned the authenticating token.</li><li>If an unexpected credential is returning a token, check application configuration such as environment variables.</li><li>Ensure the correct role is assigned to the authenticated identity. For example, a service specific role rather than the subscription Owner role.</li></ul>|
|
||||
|
||||
## Troubleshoot EnvironmentCredential authentication issues
|
||||
|
@ -192,6 +193,13 @@ az account get-access-token --output json --resource https://management.core.win
|
|||
|
||||
> This command's output will contain an access token and SHOULD NOT BE SHARED, to avoid compromising account security.
|
||||
|
||||
<a id="workload"></a>
|
||||
## Troubleshoot `WorkloadIdentityCredential` authentication issues
|
||||
|
||||
| Error Message |Description| Mitigation |
|
||||
|---|---|---|
|
||||
|no client ID/tenant ID/token file specified|Incomplete configuration|In most cases these values are provided via environment variables set by Azure Workload Identity.<ul><li>If your application runs on Azure Kubernetes Servide (AKS) or a cluster that has deployed the Azure Workload Identity admission webhook, check pod labels and service account configuration. See the [AKS documentation](https://learn.microsoft.com/azure/aks/workload-identity-deploy-cluster#disable-workload-identity) and [Azure Workload Identity troubleshooting guide](https://azure.github.io/azure-workload-identity/docs/troubleshooting.html) for more details.<li>If your application isn't running on AKS or your cluster hasn't deployed the Workload Identity admission webhook, set these values in `WorkloadIdentityCredentialOptions`
|
||||
|
||||
## Get additional help
|
||||
|
||||
Additional information on ways to reach out for support can be found in [SUPPORT.md](https://github.com/Azure/azure-sdk-for-go/blob/main/SUPPORT.md).
|
||||
|
|
6
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/assets.json
generated
vendored
Normal file
6
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/assets.json
generated
vendored
Normal file
|
@ -0,0 +1,6 @@
|
|||
{
|
||||
"AssetsRepo": "Azure/azure-sdk-assets",
|
||||
"AssetsRepoPrefixPath": "go",
|
||||
"TagPrefix": "go/azidentity",
|
||||
"Tag": "go/azidentity_6225ab0470"
|
||||
}
|
55
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azidentity.go
generated
vendored
55
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azidentity.go
generated
vendored
|
@ -15,6 +15,7 @@ import (
|
|||
"net/url"
|
||||
"os"
|
||||
"regexp"
|
||||
"strings"
|
||||
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
|
||||
|
@ -25,15 +26,17 @@ import (
|
|||
)
|
||||
|
||||
const (
|
||||
azureAuthorityHost = "AZURE_AUTHORITY_HOST"
|
||||
azureClientCertificatePassword = "AZURE_CLIENT_CERTIFICATE_PASSWORD"
|
||||
azureClientCertificatePath = "AZURE_CLIENT_CERTIFICATE_PATH"
|
||||
azureClientID = "AZURE_CLIENT_ID"
|
||||
azureClientSecret = "AZURE_CLIENT_SECRET"
|
||||
azurePassword = "AZURE_PASSWORD"
|
||||
azureRegionalAuthorityName = "AZURE_REGIONAL_AUTHORITY_NAME"
|
||||
azureTenantID = "AZURE_TENANT_ID"
|
||||
azureUsername = "AZURE_USERNAME"
|
||||
azureAdditionallyAllowedTenants = "AZURE_ADDITIONALLY_ALLOWED_TENANTS"
|
||||
azureAuthorityHost = "AZURE_AUTHORITY_HOST"
|
||||
azureClientCertificatePassword = "AZURE_CLIENT_CERTIFICATE_PASSWORD"
|
||||
azureClientCertificatePath = "AZURE_CLIENT_CERTIFICATE_PATH"
|
||||
azureClientID = "AZURE_CLIENT_ID"
|
||||
azureClientSecret = "AZURE_CLIENT_SECRET"
|
||||
azureFederatedTokenFile = "AZURE_FEDERATED_TOKEN_FILE"
|
||||
azurePassword = "AZURE_PASSWORD"
|
||||
azureRegionalAuthorityName = "AZURE_REGIONAL_AUTHORITY_NAME"
|
||||
azureTenantID = "AZURE_TENANT_ID"
|
||||
azureUsername = "AZURE_USERNAME"
|
||||
|
||||
organizationsTenantID = "organizations"
|
||||
developerSignOnClientID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
|
||||
|
@ -41,7 +44,14 @@ const (
|
|||
tenantIDValidationErr = "invalid tenantID. You can locate your tenantID by following the instructions listed here: https://docs.microsoft.com/partner-center/find-ids-and-domain-names"
|
||||
)
|
||||
|
||||
func getConfidentialClient(clientID, tenantID string, cred confidential.Credential, co *azcore.ClientOptions, additionalOpts ...confidential.Option) (confidential.Client, error) {
|
||||
var (
|
||||
// capability CP1 indicates the client application is capable of handling CAE claims challenges
|
||||
cp1 = []string{"CP1"}
|
||||
// CP1 is disabled until CAE support is added back
|
||||
disableCP1 = true
|
||||
)
|
||||
|
||||
var getConfidentialClient = func(clientID, tenantID string, cred confidential.Credential, co *azcore.ClientOptions, additionalOpts ...confidential.Option) (confidentialClient, error) {
|
||||
if !validTenantID(tenantID) {
|
||||
return confidential.Client{}, errors.New(tenantIDValidationErr)
|
||||
}
|
||||
|
@ -49,16 +59,22 @@ func getConfidentialClient(clientID, tenantID string, cred confidential.Credenti
|
|||
if err != nil {
|
||||
return confidential.Client{}, err
|
||||
}
|
||||
authority := runtime.JoinPaths(authorityHost, tenantID)
|
||||
o := []confidential.Option{
|
||||
confidential.WithAuthority(runtime.JoinPaths(authorityHost, tenantID)),
|
||||
confidential.WithAzureRegion(os.Getenv(azureRegionalAuthorityName)),
|
||||
confidential.WithHTTPClient(newPipelineAdapter(co)),
|
||||
}
|
||||
if !disableCP1 {
|
||||
o = append(o, confidential.WithClientCapabilities(cp1))
|
||||
}
|
||||
o = append(o, additionalOpts...)
|
||||
return confidential.New(clientID, cred, o...)
|
||||
if strings.ToLower(tenantID) == "adfs" {
|
||||
o = append(o, confidential.WithInstanceDiscovery(false))
|
||||
}
|
||||
return confidential.New(authority, clientID, cred, o...)
|
||||
}
|
||||
|
||||
func getPublicClient(clientID, tenantID string, co *azcore.ClientOptions) (public.Client, error) {
|
||||
var getPublicClient = func(clientID, tenantID string, co *azcore.ClientOptions, additionalOpts ...public.Option) (public.Client, error) {
|
||||
if !validTenantID(tenantID) {
|
||||
return public.Client{}, errors.New(tenantIDValidationErr)
|
||||
}
|
||||
|
@ -66,10 +82,18 @@ func getPublicClient(clientID, tenantID string, co *azcore.ClientOptions) (publi
|
|||
if err != nil {
|
||||
return public.Client{}, err
|
||||
}
|
||||
return public.New(clientID,
|
||||
o := []public.Option{
|
||||
public.WithAuthority(runtime.JoinPaths(authorityHost, tenantID)),
|
||||
public.WithHTTPClient(newPipelineAdapter(co)),
|
||||
)
|
||||
}
|
||||
if !disableCP1 {
|
||||
o = append(o, public.WithClientCapabilities(cp1))
|
||||
}
|
||||
o = append(o, additionalOpts...)
|
||||
if strings.ToLower(tenantID) == "adfs" {
|
||||
o = append(o, public.WithInstanceDiscovery(false))
|
||||
}
|
||||
return public.New(clientID, o...)
|
||||
}
|
||||
|
||||
// setAuthorityHost initializes the authority host for credentials. Precedence is:
|
||||
|
@ -153,6 +177,7 @@ type confidentialClient interface {
|
|||
AcquireTokenSilent(ctx context.Context, scopes []string, options ...confidential.AcquireSilentOption) (confidential.AuthResult, error)
|
||||
AcquireTokenByAuthCode(ctx context.Context, code string, redirectURI string, scopes []string, options ...confidential.AcquireByAuthCodeOption) (confidential.AuthResult, error)
|
||||
AcquireTokenByCredential(ctx context.Context, scopes []string, options ...confidential.AcquireByCredentialOption) (confidential.AuthResult, error)
|
||||
AcquireTokenOnBehalfOf(ctx context.Context, userAssertion string, scopes []string, options ...confidential.AcquireOnBehalfOfOption) (confidential.AuthResult, error)
|
||||
}
|
||||
|
||||
// enables fakes for test scenarios
|
||||
|
|
71
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_cli_credential.go
generated
vendored
71
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_cli_credential.go
generated
vendored
|
@ -23,13 +23,20 @@ import (
|
|||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
|
||||
)
|
||||
|
||||
const credNameAzureCLI = "AzureCLICredential"
|
||||
const (
|
||||
credNameAzureCLI = "AzureCLICredential"
|
||||
timeoutCLIRequest = 10 * time.Second
|
||||
)
|
||||
|
||||
// used by tests to fake invoking the CLI
|
||||
type azureCLITokenProvider func(ctx context.Context, resource string, tenantID string) ([]byte, error)
|
||||
|
||||
// AzureCLICredentialOptions contains optional parameters for AzureCLICredential.
|
||||
type AzureCLICredentialOptions struct {
|
||||
// AdditionallyAllowedTenants specifies tenants for which the credential may acquire tokens, in addition
|
||||
// to TenantID. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the
|
||||
// logged in account can access.
|
||||
AdditionallyAllowedTenants []string
|
||||
// TenantID identifies the tenant the credential should authenticate in.
|
||||
// Defaults to the CLI's default tenant, which is typically the home tenant of the logged in user.
|
||||
TenantID string
|
||||
|
@ -46,8 +53,8 @@ func (o *AzureCLICredentialOptions) init() {
|
|||
|
||||
// AzureCLICredential authenticates as the identity logged in to the Azure CLI.
|
||||
type AzureCLICredential struct {
|
||||
s *syncer
|
||||
tokenProvider azureCLITokenProvider
|
||||
tenantID string
|
||||
}
|
||||
|
||||
// NewAzureCLICredential constructs an AzureCLICredential. Pass nil to accept default options.
|
||||
|
@ -57,10 +64,9 @@ func NewAzureCLICredential(options *AzureCLICredentialOptions) (*AzureCLICredent
|
|||
cp = *options
|
||||
}
|
||||
cp.init()
|
||||
return &AzureCLICredential{
|
||||
tokenProvider: cp.tokenProvider,
|
||||
tenantID: cp.TenantID,
|
||||
}, nil
|
||||
c := AzureCLICredential{tokenProvider: cp.tokenProvider}
|
||||
c.s = newSyncer(credNameAzureCLI, cp.TenantID, cp.AdditionallyAllowedTenants, c.requestToken, c.requestToken)
|
||||
return &c, nil
|
||||
}
|
||||
|
||||
// GetToken requests a token from the Azure CLI. This credential doesn't cache tokens, so every call invokes the CLI.
|
||||
|
@ -70,24 +76,20 @@ func (c *AzureCLICredential) GetToken(ctx context.Context, opts policy.TokenRequ
|
|||
return azcore.AccessToken{}, errors.New(credNameAzureCLI + ": GetToken() requires exactly one scope")
|
||||
}
|
||||
// CLI expects an AAD v1 resource, not a v2 scope
|
||||
scope := strings.TrimSuffix(opts.Scopes[0], defaultSuffix)
|
||||
at, err := c.authenticate(ctx, scope)
|
||||
if err != nil {
|
||||
return azcore.AccessToken{}, err
|
||||
}
|
||||
logGetTokenSuccess(c, opts)
|
||||
return at, nil
|
||||
opts.Scopes = []string{strings.TrimSuffix(opts.Scopes[0], defaultSuffix)}
|
||||
return c.s.GetToken(ctx, opts)
|
||||
}
|
||||
|
||||
const timeoutCLIRequest = 10 * time.Second
|
||||
|
||||
func (c *AzureCLICredential) authenticate(ctx context.Context, resource string) (azcore.AccessToken, error) {
|
||||
output, err := c.tokenProvider(ctx, resource, c.tenantID)
|
||||
func (c *AzureCLICredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
b, err := c.tokenProvider(ctx, opts.Scopes[0], opts.TenantID)
|
||||
if err != nil {
|
||||
return azcore.AccessToken{}, err
|
||||
}
|
||||
|
||||
return c.createAccessToken(output)
|
||||
at, err := c.createAccessToken(b)
|
||||
if err != nil {
|
||||
return azcore.AccessToken{}, err
|
||||
}
|
||||
return at, nil
|
||||
}
|
||||
|
||||
func defaultTokenProvider() func(ctx context.Context, resource string, tenantID string) ([]byte, error) {
|
||||
|
@ -100,8 +102,12 @@ func defaultTokenProvider() func(ctx context.Context, resource string, tenantID
|
|||
return nil, fmt.Errorf(`%s: unexpected scope "%s". Only alphanumeric characters and ".", ";", "-", and "/" are allowed`, credNameAzureCLI, resource)
|
||||
}
|
||||
|
||||
ctx, cancel := context.WithTimeout(ctx, timeoutCLIRequest)
|
||||
defer cancel()
|
||||
// set a default timeout for this authentication iff the application hasn't done so already
|
||||
var cancel context.CancelFunc
|
||||
if _, hasDeadline := ctx.Deadline(); !hasDeadline {
|
||||
ctx, cancel = context.WithTimeout(ctx, timeoutCLIRequest)
|
||||
defer cancel()
|
||||
}
|
||||
|
||||
commandLine := "az account get-access-token -o json --resource " + resource
|
||||
if tenantID != "" {
|
||||
|
@ -158,32 +164,17 @@ func (c *AzureCLICredential) createAccessToken(tk []byte) (azcore.AccessToken, e
|
|||
return azcore.AccessToken{}, err
|
||||
}
|
||||
|
||||
tokenExpirationDate, err := parseExpirationDate(t.ExpiresOn)
|
||||
// the Azure CLI's "expiresOn" is local time
|
||||
exp, err := time.ParseInLocation("2006-01-02 15:04:05.999999", t.ExpiresOn, time.Local)
|
||||
if err != nil {
|
||||
return azcore.AccessToken{}, fmt.Errorf("Error parsing Token Expiration Date %q: %+v", t.ExpiresOn, err)
|
||||
return azcore.AccessToken{}, fmt.Errorf("Error parsing token expiration time %q: %v", t.ExpiresOn, err)
|
||||
}
|
||||
|
||||
converted := azcore.AccessToken{
|
||||
Token: t.AccessToken,
|
||||
ExpiresOn: *tokenExpirationDate,
|
||||
ExpiresOn: exp.UTC(),
|
||||
}
|
||||
return converted, nil
|
||||
}
|
||||
|
||||
// parseExpirationDate parses either a Azure CLI or CloudShell date into a time object
|
||||
func parseExpirationDate(input string) (*time.Time, error) {
|
||||
// CloudShell (and potentially the Azure CLI in future)
|
||||
expirationDate, cloudShellErr := time.Parse(time.RFC3339, input)
|
||||
if cloudShellErr != nil {
|
||||
// Azure CLI (Python) e.g. 2017-08-31 19:48:57.998857 (plus the local timezone)
|
||||
const cliFormat = "2006-01-02 15:04:05.999999"
|
||||
expirationDate, cliErr := time.ParseInLocation(cliFormat, input, time.Local)
|
||||
if cliErr != nil {
|
||||
return nil, fmt.Errorf("Error parsing expiration date %q.\n\nCloudShell Error: \n%+v\n\nCLI Error:\n%+v", input, cloudShellErr, cliErr)
|
||||
}
|
||||
return &expirationDate, nil
|
||||
}
|
||||
return &expirationDate, nil
|
||||
}
|
||||
|
||||
var _ azcore.TokenCredential = (*AzureCLICredential)(nil)
|
||||
|
|
19
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/chained_token_credential.go
generated
vendored
19
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/chained_token_credential.go
generated
vendored
|
@ -81,10 +81,13 @@ func (c *ChainedTokenCredential) GetToken(ctx context.Context, opts policy.Token
|
|||
}
|
||||
}
|
||||
|
||||
var err error
|
||||
var errs []error
|
||||
var token azcore.AccessToken
|
||||
var successfulCredential azcore.TokenCredential
|
||||
var (
|
||||
err error
|
||||
errs []error
|
||||
successfulCredential azcore.TokenCredential
|
||||
token azcore.AccessToken
|
||||
unavailableErr *credentialUnavailableError
|
||||
)
|
||||
for _, cred := range c.sources {
|
||||
token, err = cred.GetToken(ctx, opts)
|
||||
if err == nil {
|
||||
|
@ -93,12 +96,14 @@ func (c *ChainedTokenCredential) GetToken(ctx context.Context, opts policy.Token
|
|||
break
|
||||
}
|
||||
errs = append(errs, err)
|
||||
if _, ok := err.(*credentialUnavailableError); !ok {
|
||||
// continue to the next source iff this one returned credentialUnavailableError
|
||||
if !errors.As(err, &unavailableErr) {
|
||||
break
|
||||
}
|
||||
}
|
||||
if c.iterating {
|
||||
c.cond.L.Lock()
|
||||
// this is nil when all credentials returned an error
|
||||
c.successfulCredential = successfulCredential
|
||||
c.iterating = false
|
||||
c.cond.L.Unlock()
|
||||
|
@ -108,11 +113,11 @@ func (c *ChainedTokenCredential) GetToken(ctx context.Context, opts policy.Token
|
|||
if err != nil {
|
||||
// return credentialUnavailableError iff all sources did so; return AuthenticationFailedError otherwise
|
||||
msg := createChainedErrorMessage(errs)
|
||||
if _, ok := err.(*credentialUnavailableError); ok {
|
||||
if errors.As(err, &unavailableErr) {
|
||||
err = newCredentialUnavailableError(c.name, msg)
|
||||
} else {
|
||||
res := getResponseFromError(err)
|
||||
err = newAuthenticationFailedError(c.name, msg, res)
|
||||
err = newAuthenticationFailedError(c.name, msg, res, err)
|
||||
}
|
||||
}
|
||||
return token, err
|
||||
|
|
41
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_assertion_credential.go
generated
vendored
41
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_assertion_credential.go
generated
vendored
|
@ -18,18 +18,29 @@ import (
|
|||
const credNameAssertion = "ClientAssertionCredential"
|
||||
|
||||
// ClientAssertionCredential authenticates an application with assertions provided by a callback function.
|
||||
// This credential is for advanced scenarios. ClientCertificateCredential has a more convenient API for
|
||||
// This credential is for advanced scenarios. [ClientCertificateCredential] has a more convenient API for
|
||||
// the most common assertion scenario, authenticating a service principal with a certificate. See
|
||||
// [Azure AD documentation] for details of the assertion format.
|
||||
//
|
||||
// [Azure AD documentation]: https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials#assertion-format
|
||||
type ClientAssertionCredential struct {
|
||||
client confidentialClient
|
||||
s *syncer
|
||||
}
|
||||
|
||||
// ClientAssertionCredentialOptions contains optional parameters for ClientAssertionCredential.
|
||||
type ClientAssertionCredentialOptions struct {
|
||||
azcore.ClientOptions
|
||||
|
||||
// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens.
|
||||
// Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the
|
||||
// application is registered.
|
||||
AdditionallyAllowedTenants []string
|
||||
// DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
|
||||
// private clouds such as Azure Stack. It determines whether the credential requests Azure AD instance metadata
|
||||
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
|
||||
// the application responsible for ensuring the configured authority is valid and trustworthy.
|
||||
DisableInstanceDiscovery bool
|
||||
}
|
||||
|
||||
// NewClientAssertionCredential constructs a ClientAssertionCredential. The getAssertion function must be thread safe. Pass nil for options to accept defaults.
|
||||
|
@ -45,29 +56,27 @@ func NewClientAssertionCredential(tenantID, clientID string, getAssertion func(c
|
|||
return getAssertion(ctx)
|
||||
},
|
||||
)
|
||||
c, err := getConfidentialClient(clientID, tenantID, cred, &options.ClientOptions)
|
||||
c, err := getConfidentialClient(clientID, tenantID, cred, &options.ClientOptions, confidential.WithInstanceDiscovery(!options.DisableInstanceDiscovery))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &ClientAssertionCredential{client: c}, nil
|
||||
cac := ClientAssertionCredential{client: c}
|
||||
cac.s = newSyncer(credNameAssertion, tenantID, options.AdditionallyAllowedTenants, cac.requestToken, cac.silentAuth)
|
||||
return &cac, nil
|
||||
}
|
||||
|
||||
// GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
|
||||
func (c *ClientAssertionCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
if len(opts.Scopes) == 0 {
|
||||
return azcore.AccessToken{}, errors.New(credNameAssertion + ": GetToken() requires at least one scope")
|
||||
}
|
||||
ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes)
|
||||
if err == nil {
|
||||
logGetTokenSuccess(c, opts)
|
||||
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
|
||||
}
|
||||
return c.s.GetToken(ctx, opts)
|
||||
}
|
||||
|
||||
ar, err = c.client.AcquireTokenByCredential(ctx, opts.Scopes)
|
||||
if err != nil {
|
||||
return azcore.AccessToken{}, newAuthenticationFailedErrorFromMSALError(credNameAssertion, err)
|
||||
}
|
||||
logGetTokenSuccess(c, opts)
|
||||
func (c *ClientAssertionCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
|
||||
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
|
||||
}
|
||||
|
||||
func (c *ClientAssertionCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
ar, err := c.client.AcquireTokenByCredential(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
|
||||
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
|
||||
}
|
||||
|
||||
|
|
39
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go
generated
vendored
39
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go
generated
vendored
|
@ -25,6 +25,15 @@ const credNameCert = "ClientCertificateCredential"
|
|||
type ClientCertificateCredentialOptions struct {
|
||||
azcore.ClientOptions
|
||||
|
||||
// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens.
|
||||
// Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the
|
||||
// application is registered.
|
||||
AdditionallyAllowedTenants []string
|
||||
// DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
|
||||
// private clouds such as Azure Stack. It determines whether the credential requests Azure AD instance metadata
|
||||
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
|
||||
// the application responsible for ensuring the configured authority is valid and trustworthy.
|
||||
DisableInstanceDiscovery bool
|
||||
// SendCertificateChain controls whether the credential sends the public certificate chain in the x5c
|
||||
// header of each token request's JWT. This is required for Subject Name/Issuer (SNI) authentication.
|
||||
// Defaults to False.
|
||||
|
@ -34,6 +43,7 @@ type ClientCertificateCredentialOptions struct {
|
|||
// ClientCertificateCredential authenticates a service principal with a certificate.
|
||||
type ClientCertificateCredential struct {
|
||||
client confidentialClient
|
||||
s *syncer
|
||||
}
|
||||
|
||||
// NewClientCertificateCredential constructs a ClientCertificateCredential. Pass nil for options to accept defaults.
|
||||
|
@ -44,7 +54,7 @@ func NewClientCertificateCredential(tenantID string, clientID string, certs []*x
|
|||
if options == nil {
|
||||
options = &ClientCertificateCredentialOptions{}
|
||||
}
|
||||
cred, err := confidential.NewCredFromCertChain(certs, key)
|
||||
cred, err := confidential.NewCredFromCert(certs, key)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -52,29 +62,28 @@ func NewClientCertificateCredential(tenantID string, clientID string, certs []*x
|
|||
if options.SendCertificateChain {
|
||||
o = append(o, confidential.WithX5C())
|
||||
}
|
||||
o = append(o, confidential.WithInstanceDiscovery(!options.DisableInstanceDiscovery))
|
||||
c, err := getConfidentialClient(clientID, tenantID, cred, &options.ClientOptions, o...)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &ClientCertificateCredential{client: c}, nil
|
||||
cc := ClientCertificateCredential{client: c}
|
||||
cc.s = newSyncer(credNameCert, tenantID, options.AdditionallyAllowedTenants, cc.requestToken, cc.silentAuth)
|
||||
return &cc, nil
|
||||
}
|
||||
|
||||
// GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
|
||||
func (c *ClientCertificateCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
if len(opts.Scopes) == 0 {
|
||||
return azcore.AccessToken{}, errors.New(credNameCert + ": GetToken() requires at least one scope")
|
||||
}
|
||||
ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes)
|
||||
if err == nil {
|
||||
logGetTokenSuccess(c, opts)
|
||||
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
|
||||
}
|
||||
return c.s.GetToken(ctx, opts)
|
||||
}
|
||||
|
||||
ar, err = c.client.AcquireTokenByCredential(ctx, opts.Scopes)
|
||||
if err != nil {
|
||||
return azcore.AccessToken{}, newAuthenticationFailedErrorFromMSALError(credNameCert, err)
|
||||
}
|
||||
logGetTokenSuccess(c, opts)
|
||||
func (c *ClientCertificateCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
|
||||
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
|
||||
}
|
||||
|
||||
func (c *ClientCertificateCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
ar, err := c.client.AcquireTokenByCredential(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
|
||||
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
|
||||
}
|
||||
|
||||
|
|
42
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_secret_credential.go
generated
vendored
42
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_secret_credential.go
generated
vendored
|
@ -8,7 +8,6 @@ package azidentity
|
|||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
|
||||
|
@ -20,11 +19,22 @@ const credNameSecret = "ClientSecretCredential"
|
|||
// ClientSecretCredentialOptions contains optional parameters for ClientSecretCredential.
|
||||
type ClientSecretCredentialOptions struct {
|
||||
azcore.ClientOptions
|
||||
|
||||
// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens.
|
||||
// Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the
|
||||
// application is registered.
|
||||
AdditionallyAllowedTenants []string
|
||||
// DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
|
||||
// private clouds such as Azure Stack. It determines whether the credential requests Azure AD instance metadata
|
||||
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
|
||||
// the application responsible for ensuring the configured authority is valid and trustworthy.
|
||||
DisableInstanceDiscovery bool
|
||||
}
|
||||
|
||||
// ClientSecretCredential authenticates an application with a client secret.
|
||||
type ClientSecretCredential struct {
|
||||
client confidentialClient
|
||||
s *syncer
|
||||
}
|
||||
|
||||
// NewClientSecretCredential constructs a ClientSecretCredential. Pass nil for options to accept defaults.
|
||||
|
@ -36,29 +46,29 @@ func NewClientSecretCredential(tenantID string, clientID string, clientSecret st
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
c, err := getConfidentialClient(clientID, tenantID, cred, &options.ClientOptions)
|
||||
c, err := getConfidentialClient(
|
||||
clientID, tenantID, cred, &options.ClientOptions, confidential.WithInstanceDiscovery(!options.DisableInstanceDiscovery),
|
||||
)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &ClientSecretCredential{client: c}, nil
|
||||
csc := ClientSecretCredential{client: c}
|
||||
csc.s = newSyncer(credNameSecret, tenantID, options.AdditionallyAllowedTenants, csc.requestToken, csc.silentAuth)
|
||||
return &csc, nil
|
||||
}
|
||||
|
||||
// GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
|
||||
func (c *ClientSecretCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
if len(opts.Scopes) == 0 {
|
||||
return azcore.AccessToken{}, errors.New(credNameSecret + ": GetToken() requires at least one scope")
|
||||
}
|
||||
ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes)
|
||||
if err == nil {
|
||||
logGetTokenSuccess(c, opts)
|
||||
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
|
||||
}
|
||||
return c.s.GetToken(ctx, opts)
|
||||
}
|
||||
|
||||
ar, err = c.client.AcquireTokenByCredential(ctx, opts.Scopes)
|
||||
if err != nil {
|
||||
return azcore.AccessToken{}, newAuthenticationFailedErrorFromMSALError(credNameSecret, err)
|
||||
}
|
||||
logGetTokenSuccess(c, opts)
|
||||
func (c *ClientSecretCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
|
||||
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
|
||||
}
|
||||
|
||||
func (c *ClientSecretCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
ar, err := c.client.AcquireTokenByCredential(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
|
||||
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
|
||||
}
|
||||
|
||||
|
|
93
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/default_azure_credential.go
generated
vendored
93
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/default_azure_credential.go
generated
vendored
|
@ -23,6 +23,15 @@ import (
|
|||
type DefaultAzureCredentialOptions struct {
|
||||
azcore.ClientOptions
|
||||
|
||||
// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens. Add
|
||||
// the wildcard value "*" to allow the credential to acquire tokens for any tenant. This value can also be
|
||||
// set as a semicolon delimited list of tenants in the environment variable AZURE_ADDITIONALLY_ALLOWED_TENANTS.
|
||||
AdditionallyAllowedTenants []string
|
||||
// DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
|
||||
// private clouds such as Azure Stack. It determines whether the credential requests Azure AD instance metadata
|
||||
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
|
||||
// the application responsible for ensuring the configured authority is valid and trustworthy.
|
||||
DisableInstanceDiscovery bool
|
||||
// TenantID identifies the tenant the Azure CLI should authenticate in.
|
||||
// Defaults to the CLI's default tenant, which is typically the home tenant of the user logged in to the CLI.
|
||||
TenantID string
|
||||
|
@ -30,11 +39,15 @@ type DefaultAzureCredentialOptions struct {
|
|||
|
||||
// DefaultAzureCredential is a default credential chain for applications that will deploy to Azure.
|
||||
// It combines credentials suitable for deployment with credentials suitable for local development.
|
||||
// It attempts to authenticate with each of these credential types, in the following order, stopping when one provides a token:
|
||||
// It attempts to authenticate with each of these credential types, in the following order, stopping
|
||||
// when one provides a token:
|
||||
//
|
||||
// EnvironmentCredential
|
||||
// ManagedIdentityCredential
|
||||
// AzureCLICredential
|
||||
// - [EnvironmentCredential]
|
||||
// - [WorkloadIdentityCredential], if environment variable configuration is set by the Azure workload
|
||||
// identity webhook. Use [WorkloadIdentityCredential] directly when not using the webhook or needing
|
||||
// more control over its configuration.
|
||||
// - [ManagedIdentityCredential]
|
||||
// - [AzureCLICredential]
|
||||
//
|
||||
// Consult the documentation for these credential types for more information on how they authenticate.
|
||||
// Once a credential has successfully authenticated, DefaultAzureCredential will use that credential for
|
||||
|
@ -51,8 +64,18 @@ func NewDefaultAzureCredential(options *DefaultAzureCredentialOptions) (*Default
|
|||
if options == nil {
|
||||
options = &DefaultAzureCredentialOptions{}
|
||||
}
|
||||
additionalTenants := options.AdditionallyAllowedTenants
|
||||
if len(additionalTenants) == 0 {
|
||||
if tenants := os.Getenv(azureAdditionallyAllowedTenants); tenants != "" {
|
||||
additionalTenants = strings.Split(tenants, ";")
|
||||
}
|
||||
}
|
||||
|
||||
envCred, err := NewEnvironmentCredential(&EnvironmentCredentialOptions{ClientOptions: options.ClientOptions})
|
||||
envCred, err := NewEnvironmentCredential(&EnvironmentCredentialOptions{
|
||||
ClientOptions: options.ClientOptions,
|
||||
DisableInstanceDiscovery: options.DisableInstanceDiscovery,
|
||||
additionallyAllowedTenants: additionalTenants,
|
||||
})
|
||||
if err == nil {
|
||||
creds = append(creds, envCred)
|
||||
} else {
|
||||
|
@ -60,20 +83,31 @@ func NewDefaultAzureCredential(options *DefaultAzureCredentialOptions) (*Default
|
|||
creds = append(creds, &defaultCredentialErrorReporter{credType: "EnvironmentCredential", err: err})
|
||||
}
|
||||
|
||||
// workload identity requires values for AZURE_AUTHORITY_HOST, AZURE_CLIENT_ID, AZURE_FEDERATED_TOKEN_FILE, AZURE_TENANT_ID
|
||||
wic, err := NewWorkloadIdentityCredential(&WorkloadIdentityCredentialOptions{
|
||||
AdditionallyAllowedTenants: additionalTenants,
|
||||
ClientOptions: options.ClientOptions,
|
||||
DisableInstanceDiscovery: options.DisableInstanceDiscovery,
|
||||
})
|
||||
if err == nil {
|
||||
creds = append(creds, wic)
|
||||
} else {
|
||||
errorMessages = append(errorMessages, credNameWorkloadIdentity+": "+err.Error())
|
||||
creds = append(creds, &defaultCredentialErrorReporter{credType: credNameWorkloadIdentity, err: err})
|
||||
}
|
||||
o := &ManagedIdentityCredentialOptions{ClientOptions: options.ClientOptions}
|
||||
if ID, ok := os.LookupEnv(azureClientID); ok {
|
||||
o.ID = ClientID(ID)
|
||||
}
|
||||
msiCred, err := NewManagedIdentityCredential(o)
|
||||
miCred, err := NewManagedIdentityCredential(o)
|
||||
if err == nil {
|
||||
creds = append(creds, msiCred)
|
||||
msiCred.mic.imdsTimeout = time.Second
|
||||
creds = append(creds, &timeoutWrapper{mic: miCred, timeout: time.Second})
|
||||
} else {
|
||||
errorMessages = append(errorMessages, credNameManagedIdentity+": "+err.Error())
|
||||
creds = append(creds, &defaultCredentialErrorReporter{credType: credNameManagedIdentity, err: err})
|
||||
}
|
||||
|
||||
cliCred, err := NewAzureCLICredential(&AzureCLICredentialOptions{TenantID: options.TenantID})
|
||||
cliCred, err := NewAzureCLICredential(&AzureCLICredentialOptions{AdditionallyAllowedTenants: additionalTenants, TenantID: options.TenantID})
|
||||
if err == nil {
|
||||
creds = append(creds, cliCred)
|
||||
} else {
|
||||
|
@ -132,3 +166,44 @@ func (d *defaultCredentialErrorReporter) GetToken(ctx context.Context, opts poli
|
|||
}
|
||||
|
||||
var _ azcore.TokenCredential = (*defaultCredentialErrorReporter)(nil)
|
||||
|
||||
// timeoutWrapper prevents a potentially very long timeout when managed identity isn't available
|
||||
type timeoutWrapper struct {
|
||||
mic *ManagedIdentityCredential
|
||||
// timeout applies to all auth attempts until one doesn't time out
|
||||
timeout time.Duration
|
||||
}
|
||||
|
||||
// GetToken wraps DefaultAzureCredential's initial managed identity auth attempt with a short timeout
|
||||
// because managed identity may not be available and connecting to IMDS can take several minutes to time out.
|
||||
func (w *timeoutWrapper) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
var tk azcore.AccessToken
|
||||
var err error
|
||||
// no need to synchronize around this value because it's written only within ChainedTokenCredential's critical section
|
||||
if w.timeout > 0 {
|
||||
c, cancel := context.WithTimeout(ctx, w.timeout)
|
||||
defer cancel()
|
||||
tk, err = w.mic.GetToken(c, opts)
|
||||
if isAuthFailedDueToContext(err) {
|
||||
err = newCredentialUnavailableError(credNameManagedIdentity, "managed identity timed out")
|
||||
} else {
|
||||
// some managed identity implementation is available, so don't apply the timeout to future calls
|
||||
w.timeout = 0
|
||||
}
|
||||
} else {
|
||||
tk, err = w.mic.GetToken(ctx, opts)
|
||||
}
|
||||
return tk, err
|
||||
}
|
||||
|
||||
// unwraps nested AuthenticationFailedErrors to get the root error
|
||||
func isAuthFailedDueToContext(err error) bool {
|
||||
for {
|
||||
var authFailedErr *AuthenticationFailedError
|
||||
if !errors.As(err, &authFailedErr) {
|
||||
break
|
||||
}
|
||||
err = authFailedErr.err
|
||||
}
|
||||
return errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded)
|
||||
}
|
||||
|
|
63
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/device_code_credential.go
generated
vendored
63
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/device_code_credential.go
generated
vendored
|
@ -8,7 +8,6 @@ package azidentity
|
|||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
|
||||
|
@ -22,13 +21,22 @@ const credNameDeviceCode = "DeviceCodeCredential"
|
|||
type DeviceCodeCredentialOptions struct {
|
||||
azcore.ClientOptions
|
||||
|
||||
// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire
|
||||
// tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant.
|
||||
AdditionallyAllowedTenants []string
|
||||
// ClientID is the ID of the application users will authenticate to.
|
||||
// Defaults to the ID of an Azure development application.
|
||||
ClientID string
|
||||
// DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
|
||||
// private clouds such as Azure Stack. It determines whether the credential requests Azure AD instance metadata
|
||||
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
|
||||
// the application responsible for ensuring the configured authority is valid and trustworthy.
|
||||
DisableInstanceDiscovery bool
|
||||
// TenantID is the Azure Active Directory tenant the credential authenticates in. Defaults to the
|
||||
// "organizations" tenant, which can authenticate work and school accounts. Required for single-tenant
|
||||
// applications.
|
||||
TenantID string
|
||||
// ClientID is the ID of the application users will authenticate to.
|
||||
// Defaults to the ID of an Azure development application.
|
||||
ClientID string
|
||||
|
||||
// UserPrompt controls how the credential presents authentication instructions. The credential calls
|
||||
// this function with authentication details when it receives a device code. By default, the credential
|
||||
// prints these details to stdout.
|
||||
|
@ -66,9 +74,10 @@ type DeviceCodeMessage struct {
|
|||
// If a web browser is available, InteractiveBrowserCredential is more convenient because it
|
||||
// automatically opens a browser to the login page.
|
||||
type DeviceCodeCredential struct {
|
||||
client publicClient
|
||||
userPrompt func(context.Context, DeviceCodeMessage) error
|
||||
account public.Account
|
||||
account public.Account
|
||||
client publicClient
|
||||
s *syncer
|
||||
prompt func(context.Context, DeviceCodeMessage) error
|
||||
}
|
||||
|
||||
// NewDeviceCodeCredential creates a DeviceCodeCredential. Pass nil to accept default options.
|
||||
|
@ -78,41 +87,49 @@ func NewDeviceCodeCredential(options *DeviceCodeCredentialOptions) (*DeviceCodeC
|
|||
cp = *options
|
||||
}
|
||||
cp.init()
|
||||
c, err := getPublicClient(cp.ClientID, cp.TenantID, &cp.ClientOptions)
|
||||
c, err := getPublicClient(
|
||||
cp.ClientID, cp.TenantID, &cp.ClientOptions, public.WithInstanceDiscovery(!cp.DisableInstanceDiscovery),
|
||||
)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &DeviceCodeCredential{userPrompt: cp.UserPrompt, client: c}, nil
|
||||
cred := DeviceCodeCredential{client: c, prompt: cp.UserPrompt}
|
||||
cred.s = newSyncer(credNameDeviceCode, cp.TenantID, cp.AdditionallyAllowedTenants, cred.requestToken, cred.silentAuth)
|
||||
return &cred, nil
|
||||
}
|
||||
|
||||
// GetToken requests an access token from Azure Active Directory. It will begin the device code flow and poll until the user completes authentication.
|
||||
// This method is called automatically by Azure SDK clients.
|
||||
func (c *DeviceCodeCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
if len(opts.Scopes) == 0 {
|
||||
return azcore.AccessToken{}, errors.New(credNameDeviceCode + ": GetToken() requires at least one scope")
|
||||
}
|
||||
ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes, public.WithSilentAccount(c.account))
|
||||
if err == nil {
|
||||
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
|
||||
}
|
||||
dc, err := c.client.AcquireTokenByDeviceCode(ctx, opts.Scopes)
|
||||
return c.s.GetToken(ctx, opts)
|
||||
}
|
||||
|
||||
func (c *DeviceCodeCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
dc, err := c.client.AcquireTokenByDeviceCode(ctx, opts.Scopes, public.WithTenantID(opts.TenantID))
|
||||
if err != nil {
|
||||
return azcore.AccessToken{}, newAuthenticationFailedErrorFromMSALError(credNameDeviceCode, err)
|
||||
return azcore.AccessToken{}, err
|
||||
}
|
||||
err = c.userPrompt(ctx, DeviceCodeMessage{
|
||||
err = c.prompt(ctx, DeviceCodeMessage{
|
||||
Message: dc.Result.Message,
|
||||
UserCode: dc.Result.UserCode,
|
||||
VerificationURL: dc.Result.VerificationURL,
|
||||
Message: dc.Result.Message,
|
||||
})
|
||||
if err != nil {
|
||||
return azcore.AccessToken{}, err
|
||||
}
|
||||
ar, err = dc.AuthenticationResult(ctx)
|
||||
ar, err := dc.AuthenticationResult(ctx)
|
||||
if err != nil {
|
||||
return azcore.AccessToken{}, newAuthenticationFailedErrorFromMSALError(credNameDeviceCode, err)
|
||||
return azcore.AccessToken{}, err
|
||||
}
|
||||
c.account = ar.Account
|
||||
logGetTokenSuccess(c, opts)
|
||||
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
|
||||
}
|
||||
|
||||
func (c *DeviceCodeCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes,
|
||||
public.WithSilentAccount(c.account),
|
||||
public.WithTenantID(opts.TenantID),
|
||||
)
|
||||
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
|
||||
}
|
||||
|
||||
|
|
42
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/environment_credential.go
generated
vendored
42
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/environment_credential.go
generated
vendored
|
@ -23,6 +23,17 @@ const envVarSendCertChain = "AZURE_CLIENT_SEND_CERTIFICATE_CHAIN"
|
|||
// EnvironmentCredentialOptions contains optional parameters for EnvironmentCredential
|
||||
type EnvironmentCredentialOptions struct {
|
||||
azcore.ClientOptions
|
||||
|
||||
// DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
|
||||
// private clouds such as Azure Stack. It determines whether the credential requests Azure AD instance metadata
|
||||
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
|
||||
// the application responsible for ensuring the configured authority is valid and trustworthy.
|
||||
DisableInstanceDiscovery bool
|
||||
// additionallyAllowedTenants is used only by NewDefaultAzureCredential() to enable that constructor's explicit
|
||||
// option to override the value of AZURE_ADDITIONALLY_ALLOWED_TENANTS. Applications using EnvironmentCredential
|
||||
// directly should set that variable instead. This field should remain unexported to preserve this credential's
|
||||
// unambiguous "all configuration from environment variables" design.
|
||||
additionallyAllowedTenants []string
|
||||
}
|
||||
|
||||
// EnvironmentCredential authenticates a service principal with a secret or certificate, or a user with a password, depending
|
||||
|
@ -55,6 +66,12 @@ type EnvironmentCredentialOptions struct {
|
|||
// AZURE_USERNAME: a username (usually an email address)
|
||||
//
|
||||
// AZURE_PASSWORD: the user's password
|
||||
//
|
||||
// # Configuration for multitenant applications
|
||||
//
|
||||
// To enable multitenant authentication, set AZURE_ADDITIONALLY_ALLOWED_TENANTS with a semicolon delimited list of tenants
|
||||
// the credential may request tokens from in addition to the tenant specified by AZURE_TENANT_ID. Set
|
||||
// AZURE_ADDITIONALLY_ALLOWED_TENANTS to "*" to enable the credential to request a token from any tenant.
|
||||
type EnvironmentCredential struct {
|
||||
cred azcore.TokenCredential
|
||||
}
|
||||
|
@ -72,9 +89,20 @@ func NewEnvironmentCredential(options *EnvironmentCredentialOptions) (*Environme
|
|||
if clientID == "" {
|
||||
return nil, errors.New("missing environment variable " + azureClientID)
|
||||
}
|
||||
// tenants set by NewDefaultAzureCredential() override the value of AZURE_ADDITIONALLY_ALLOWED_TENANTS
|
||||
additionalTenants := options.additionallyAllowedTenants
|
||||
if len(additionalTenants) == 0 {
|
||||
if tenants := os.Getenv(azureAdditionallyAllowedTenants); tenants != "" {
|
||||
additionalTenants = strings.Split(tenants, ";")
|
||||
}
|
||||
}
|
||||
if clientSecret := os.Getenv(azureClientSecret); clientSecret != "" {
|
||||
log.Write(EventAuthentication, "EnvironmentCredential will authenticate with ClientSecretCredential")
|
||||
o := &ClientSecretCredentialOptions{ClientOptions: options.ClientOptions}
|
||||
o := &ClientSecretCredentialOptions{
|
||||
AdditionallyAllowedTenants: additionalTenants,
|
||||
ClientOptions: options.ClientOptions,
|
||||
DisableInstanceDiscovery: options.DisableInstanceDiscovery,
|
||||
}
|
||||
cred, err := NewClientSecretCredential(tenantID, clientID, clientSecret, o)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
@ -95,7 +123,11 @@ func NewEnvironmentCredential(options *EnvironmentCredentialOptions) (*Environme
|
|||
if err != nil {
|
||||
return nil, fmt.Errorf(`failed to load certificate from "%s": %v`, certPath, err)
|
||||
}
|
||||
o := &ClientCertificateCredentialOptions{ClientOptions: options.ClientOptions}
|
||||
o := &ClientCertificateCredentialOptions{
|
||||
AdditionallyAllowedTenants: additionalTenants,
|
||||
ClientOptions: options.ClientOptions,
|
||||
DisableInstanceDiscovery: options.DisableInstanceDiscovery,
|
||||
}
|
||||
if v, ok := os.LookupEnv(envVarSendCertChain); ok {
|
||||
o.SendCertificateChain = v == "1" || strings.ToLower(v) == "true"
|
||||
}
|
||||
|
@ -108,7 +140,11 @@ func NewEnvironmentCredential(options *EnvironmentCredentialOptions) (*Environme
|
|||
if username := os.Getenv(azureUsername); username != "" {
|
||||
if password := os.Getenv(azurePassword); password != "" {
|
||||
log.Write(EventAuthentication, "EnvironmentCredential will authenticate with UsernamePasswordCredential")
|
||||
o := &UsernamePasswordCredentialOptions{ClientOptions: options.ClientOptions}
|
||||
o := &UsernamePasswordCredentialOptions{
|
||||
AdditionallyAllowedTenants: additionalTenants,
|
||||
ClientOptions: options.ClientOptions,
|
||||
DisableInstanceDiscovery: options.DisableInstanceDiscovery,
|
||||
}
|
||||
cred, err := NewUsernamePasswordCredential(tenantID, clientID, username, password, o)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
|
39
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go
generated
vendored
39
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go
generated
vendored
|
@ -39,15 +39,11 @@ type AuthenticationFailedError struct {
|
|||
|
||||
credType string
|
||||
message string
|
||||
err error
|
||||
}
|
||||
|
||||
func newAuthenticationFailedError(credType string, message string, resp *http.Response) error {
|
||||
return &AuthenticationFailedError{credType: credType, message: message, RawResponse: resp}
|
||||
}
|
||||
|
||||
func newAuthenticationFailedErrorFromMSALError(credType string, err error) error {
|
||||
res := getResponseFromError(err)
|
||||
return newAuthenticationFailedError(credType, err.Error(), res)
|
||||
func newAuthenticationFailedError(credType string, message string, resp *http.Response, err error) error {
|
||||
return &AuthenticationFailedError{credType: credType, message: message, RawResponse: resp, err: err}
|
||||
}
|
||||
|
||||
// Error implements the error interface. Note that the message contents are not contractual and can change over time.
|
||||
|
@ -87,6 +83,8 @@ func (e *AuthenticationFailedError) Error() string {
|
|||
anchor = "managed-id"
|
||||
case credNameUserPassword:
|
||||
anchor = "username-password"
|
||||
case credNameWorkloadIdentity:
|
||||
anchor = "workload"
|
||||
}
|
||||
if anchor != "" {
|
||||
fmt.Fprintf(msg, "To troubleshoot, visit https://aka.ms/azsdk/go/identity/troubleshoot#%s", anchor)
|
||||
|
@ -101,24 +99,31 @@ func (*AuthenticationFailedError) NonRetriable() {
|
|||
|
||||
var _ errorinfo.NonRetriable = (*AuthenticationFailedError)(nil)
|
||||
|
||||
// credentialUnavailableError indicates a credential can't attempt
|
||||
// authentication because it lacks required data or state.
|
||||
// credentialUnavailableError indicates a credential can't attempt authentication because it lacks required
|
||||
// data or state
|
||||
type credentialUnavailableError struct {
|
||||
credType string
|
||||
message string
|
||||
message string
|
||||
}
|
||||
|
||||
// newCredentialUnavailableError is an internal helper that ensures consistent error message formatting
|
||||
func newCredentialUnavailableError(credType, message string) error {
|
||||
return &credentialUnavailableError{credType: credType, message: message}
|
||||
msg := fmt.Sprintf("%s: %s", credType, message)
|
||||
return &credentialUnavailableError{msg}
|
||||
}
|
||||
|
||||
// NewCredentialUnavailableError constructs an error indicating a credential can't attempt authentication
|
||||
// because it lacks required data or state. When [ChainedTokenCredential] receives this error it will try
|
||||
// its next credential, if any.
|
||||
func NewCredentialUnavailableError(message string) error {
|
||||
return &credentialUnavailableError{message}
|
||||
}
|
||||
|
||||
// Error implements the error interface. Note that the message contents are not contractual and can change over time.
|
||||
func (e *credentialUnavailableError) Error() string {
|
||||
return e.credType + ": " + e.message
|
||||
return e.message
|
||||
}
|
||||
|
||||
// NonRetriable indicates that this error should not be retried.
|
||||
func (e *credentialUnavailableError) NonRetriable() {
|
||||
// marker method
|
||||
}
|
||||
// NonRetriable is a marker method indicating this error should not be retried. It has no implementation.
|
||||
func (e *credentialUnavailableError) NonRetriable() {}
|
||||
|
||||
var _ errorinfo.NonRetriable = (*credentialUnavailableError)(nil)
|
||||
|
|
|
@ -8,28 +8,41 @@ package azidentity
|
|||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
|
||||
"github.com/AzureAD/microsoft-authentication-library-for-go/apps/public"
|
||||
)
|
||||
|
||||
const credNameBrowser = "InteractiveBrowserCredentiall"
|
||||
const credNameBrowser = "InteractiveBrowserCredential"
|
||||
|
||||
// InteractiveBrowserCredentialOptions contains optional parameters for InteractiveBrowserCredential.
|
||||
type InteractiveBrowserCredentialOptions struct {
|
||||
azcore.ClientOptions
|
||||
|
||||
// TenantID is the Azure Active Directory tenant the credential authenticates in. Defaults to the
|
||||
// "organizations" tenant, which can authenticate work and school accounts.
|
||||
TenantID string
|
||||
// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire
|
||||
// tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant.
|
||||
AdditionallyAllowedTenants []string
|
||||
// ClientID is the ID of the application users will authenticate to.
|
||||
// Defaults to the ID of an Azure development application.
|
||||
ClientID string
|
||||
// RedirectURL will be supported in a future version but presently doesn't work: https://github.com/Azure/azure-sdk-for-go/issues/15632.
|
||||
// Applications which have "http://localhost" registered as a redirect URL need not set this option.
|
||||
|
||||
// DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
|
||||
// private clouds such as Azure Stack. It determines whether the credential requests Azure AD instance metadata
|
||||
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
|
||||
// the application responsible for ensuring the configured authority is valid and trustworthy.
|
||||
DisableInstanceDiscovery bool
|
||||
|
||||
// LoginHint pre-populates the account prompt with a username. Users may choose to authenticate a different account.
|
||||
LoginHint string
|
||||
// RedirectURL is the URL Azure Active Directory will redirect to with the access token. This is required
|
||||
// only when setting ClientID, and must match a redirect URI in the application's registration.
|
||||
// Applications which have registered "http://localhost" as a redirect URI need not set this option.
|
||||
RedirectURL string
|
||||
|
||||
// TenantID is the Azure Active Directory tenant the credential authenticates in. Defaults to the
|
||||
// "organizations" tenant, which can authenticate work and school accounts.
|
||||
TenantID string
|
||||
}
|
||||
|
||||
func (o *InteractiveBrowserCredentialOptions) init() {
|
||||
|
@ -43,9 +56,10 @@ func (o *InteractiveBrowserCredentialOptions) init() {
|
|||
|
||||
// InteractiveBrowserCredential opens a browser to interactively authenticate a user.
|
||||
type InteractiveBrowserCredential struct {
|
||||
account public.Account
|
||||
client publicClient
|
||||
options InteractiveBrowserCredentialOptions
|
||||
account public.Account
|
||||
s *syncer
|
||||
}
|
||||
|
||||
// NewInteractiveBrowserCredential constructs a new InteractiveBrowserCredential. Pass nil to accept default options.
|
||||
|
@ -55,30 +69,37 @@ func NewInteractiveBrowserCredential(options *InteractiveBrowserCredentialOption
|
|||
cp = *options
|
||||
}
|
||||
cp.init()
|
||||
c, err := getPublicClient(cp.ClientID, cp.TenantID, &cp.ClientOptions)
|
||||
c, err := getPublicClient(cp.ClientID, cp.TenantID, &cp.ClientOptions, public.WithInstanceDiscovery(!cp.DisableInstanceDiscovery))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &InteractiveBrowserCredential{options: cp, client: c}, nil
|
||||
ibc := InteractiveBrowserCredential{client: c, options: cp}
|
||||
ibc.s = newSyncer(credNameBrowser, cp.TenantID, cp.AdditionallyAllowedTenants, ibc.requestToken, ibc.silentAuth)
|
||||
return &ibc, nil
|
||||
}
|
||||
|
||||
// GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
|
||||
func (c *InteractiveBrowserCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
if len(opts.Scopes) == 0 {
|
||||
return azcore.AccessToken{}, errors.New(credNameBrowser + ": GetToken() requires at least one scope")
|
||||
}
|
||||
ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes, public.WithSilentAccount(c.account))
|
||||
if err == nil {
|
||||
logGetTokenSuccess(c, opts)
|
||||
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
|
||||
}
|
||||
return c.s.GetToken(ctx, opts)
|
||||
}
|
||||
|
||||
ar, err = c.client.AcquireTokenInteractive(ctx, opts.Scopes, public.WithRedirectURI(c.options.RedirectURL))
|
||||
if err != nil {
|
||||
return azcore.AccessToken{}, newAuthenticationFailedErrorFromMSALError(credNameBrowser, err)
|
||||
func (c *InteractiveBrowserCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
ar, err := c.client.AcquireTokenInteractive(ctx, opts.Scopes,
|
||||
public.WithLoginHint(c.options.LoginHint),
|
||||
public.WithRedirectURI(c.options.RedirectURL),
|
||||
public.WithTenantID(opts.TenantID),
|
||||
)
|
||||
if err == nil {
|
||||
c.account = ar.Account
|
||||
}
|
||||
c.account = ar.Account
|
||||
logGetTokenSuccess(c, opts)
|
||||
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
|
||||
}
|
||||
|
||||
func (c *InteractiveBrowserCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes,
|
||||
public.WithSilentAccount(c.account),
|
||||
public.WithTenantID(opts.TenantID),
|
||||
)
|
||||
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
|
||||
}
|
||||
|
||||
|
|
18
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/logging.go
generated
vendored
18
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/logging.go
generated
vendored
|
@ -6,25 +6,9 @@
|
|||
|
||||
package azidentity
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/internal/log"
|
||||
)
|
||||
import "github.com/Azure/azure-sdk-for-go/sdk/internal/log"
|
||||
|
||||
// EventAuthentication entries contain information about authentication.
|
||||
// This includes information like the names of environment variables
|
||||
// used when obtaining credentials and the type of credential used.
|
||||
const EventAuthentication log.Event = "Authentication"
|
||||
|
||||
func logGetTokenSuccess(cred azcore.TokenCredential, opts policy.TokenRequestOptions) {
|
||||
if !log.Should(EventAuthentication) {
|
||||
return
|
||||
}
|
||||
scope := strings.Join(opts.Scopes, ", ")
|
||||
msg := fmt.Sprintf("%T.GetToken() acquired a token for scope %s\n", cred, scope)
|
||||
log.Write(EventAuthentication, msg)
|
||||
}
|
||||
|
|
35
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_client.go
generated
vendored
35
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_client.go
generated
vendored
|
@ -55,11 +55,10 @@ const (
|
|||
// managedIdentityClient provides the base for authenticating in managed identity environments
|
||||
// This type includes an runtime.Pipeline and TokenCredentialOptions.
|
||||
type managedIdentityClient struct {
|
||||
pipeline runtime.Pipeline
|
||||
msiType msiType
|
||||
endpoint string
|
||||
id ManagedIDKind
|
||||
imdsTimeout time.Duration
|
||||
pipeline runtime.Pipeline
|
||||
msiType msiType
|
||||
endpoint string
|
||||
id ManagedIDKind
|
||||
}
|
||||
|
||||
type wrappedNumber json.Number
|
||||
|
@ -162,12 +161,6 @@ func (c *managedIdentityClient) provideToken(ctx context.Context, params confide
|
|||
|
||||
// authenticate acquires an access token
|
||||
func (c *managedIdentityClient) authenticate(ctx context.Context, id ManagedIDKind, scopes []string) (azcore.AccessToken, error) {
|
||||
var cancel context.CancelFunc
|
||||
if c.imdsTimeout > 0 && c.msiType == msiTypeIMDS {
|
||||
ctx, cancel = context.WithTimeout(ctx, c.imdsTimeout)
|
||||
defer cancel()
|
||||
}
|
||||
|
||||
msg, err := c.createAuthRequest(ctx, id, scopes)
|
||||
if err != nil {
|
||||
return azcore.AccessToken{}, err
|
||||
|
@ -175,27 +168,21 @@ func (c *managedIdentityClient) authenticate(ctx context.Context, id ManagedIDKi
|
|||
|
||||
resp, err := c.pipeline.Do(msg)
|
||||
if err != nil {
|
||||
if cancel != nil && errors.Is(err, context.DeadlineExceeded) {
|
||||
return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, "IMDS token request timed out")
|
||||
}
|
||||
return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, err.Error(), nil)
|
||||
return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, err.Error(), nil, err)
|
||||
}
|
||||
|
||||
// got a response, remove the IMDS timeout so future requests use the transport's configuration
|
||||
c.imdsTimeout = 0
|
||||
|
||||
if runtime.HasStatusCode(resp, http.StatusOK, http.StatusCreated) {
|
||||
return c.createAccessToken(resp)
|
||||
}
|
||||
|
||||
if c.msiType == msiTypeIMDS && resp.StatusCode == 400 {
|
||||
if id != nil {
|
||||
return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "the requested identity isn't assigned to this resource", resp)
|
||||
return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "the requested identity isn't assigned to this resource", resp, nil)
|
||||
}
|
||||
return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, "no default identity is assigned to this resource")
|
||||
}
|
||||
|
||||
return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "authentication failed", resp)
|
||||
return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "authentication failed", resp, nil)
|
||||
}
|
||||
|
||||
func (c *managedIdentityClient) createAccessToken(res *http.Response) (azcore.AccessToken, error) {
|
||||
|
@ -223,10 +210,10 @@ func (c *managedIdentityClient) createAccessToken(res *http.Response) (azcore.Ac
|
|||
if expiresOn, err := strconv.Atoi(v); err == nil {
|
||||
return azcore.AccessToken{Token: value.Token, ExpiresOn: time.Unix(int64(expiresOn), 0).UTC()}, nil
|
||||
}
|
||||
return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "unexpected expires_on value: "+v, res)
|
||||
return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "unexpected expires_on value: "+v, res, nil)
|
||||
default:
|
||||
msg := fmt.Sprintf("unsupported type received in expires_on: %T, %v", v, v)
|
||||
return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, msg, res)
|
||||
return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, msg, res, nil)
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -241,7 +228,7 @@ func (c *managedIdentityClient) createAuthRequest(ctx context.Context, id Manage
|
|||
key, err := c.getAzureArcSecretKey(ctx, scopes)
|
||||
if err != nil {
|
||||
msg := fmt.Sprintf("failed to retreive secret key from the identity endpoint: %v", err)
|
||||
return nil, newAuthenticationFailedError(credNameManagedIdentity, msg, nil)
|
||||
return nil, newAuthenticationFailedError(credNameManagedIdentity, msg, nil, err)
|
||||
}
|
||||
return c.createAzureArcAuthRequest(ctx, id, scopes, key)
|
||||
case msiTypeServiceFabric:
|
||||
|
@ -335,7 +322,7 @@ func (c *managedIdentityClient) getAzureArcSecretKey(ctx context.Context, resour
|
|||
// of the secret key file. Any other status code indicates an error in the request.
|
||||
if response.StatusCode != 401 {
|
||||
msg := fmt.Sprintf("expected a 401 response, received %d", response.StatusCode)
|
||||
return "", newAuthenticationFailedError(credNameManagedIdentity, msg, response)
|
||||
return "", newAuthenticationFailedError(credNameManagedIdentity, msg, response, nil)
|
||||
}
|
||||
header := response.Header.Get("WWW-Authenticate")
|
||||
if len(header) == 0 {
|
||||
|
|
34
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_credential.go
generated
vendored
34
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_credential.go
generated
vendored
|
@ -73,6 +73,7 @@ type ManagedIdentityCredentialOptions struct {
|
|||
type ManagedIdentityCredential struct {
|
||||
client confidentialClient
|
||||
mic *managedIdentityClient
|
||||
s *syncer
|
||||
}
|
||||
|
||||
// NewManagedIdentityCredential creates a ManagedIdentityCredential. Pass nil to accept default options.
|
||||
|
@ -85,20 +86,21 @@ func NewManagedIdentityCredential(options *ManagedIdentityCredentialOptions) (*M
|
|||
return nil, err
|
||||
}
|
||||
cred := confidential.NewCredFromTokenProvider(mic.provideToken)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// It's okay to give MSAL an invalid client ID because MSAL will use it only as part of a cache key.
|
||||
// ManagedIdentityClient handles all the details of authentication and won't receive this value from MSAL.
|
||||
clientID := "SYSTEM-ASSIGNED-MANAGED-IDENTITY"
|
||||
if options.ID != nil {
|
||||
clientID = options.ID.String()
|
||||
}
|
||||
c, err := confidential.New(clientID, cred)
|
||||
// similarly, it's okay to give MSAL an incorrect authority URL because that URL won't be used
|
||||
c, err := confidential.New("https://login.microsoftonline.com/common", clientID, cred)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &ManagedIdentityCredential{client: c, mic: mic}, nil
|
||||
m := ManagedIdentityCredential{client: c, mic: mic}
|
||||
m.s = newSyncer(credNameManagedIdentity, "", nil, m.requestToken, m.silentAuth)
|
||||
return &m, nil
|
||||
}
|
||||
|
||||
// GetToken requests an access token from the hosting environment. This method is called automatically by Azure SDK clients.
|
||||
|
@ -108,17 +110,17 @@ func (c *ManagedIdentityCredential) GetToken(ctx context.Context, opts policy.To
|
|||
return azcore.AccessToken{}, err
|
||||
}
|
||||
// managed identity endpoints require an AADv1 resource (i.e. token audience), not a v2 scope, so we remove "/.default" here
|
||||
scopes := []string{strings.TrimSuffix(opts.Scopes[0], defaultSuffix)}
|
||||
ar, err := c.client.AcquireTokenSilent(ctx, scopes)
|
||||
if err == nil {
|
||||
logGetTokenSuccess(c, opts)
|
||||
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, nil
|
||||
}
|
||||
ar, err = c.client.AcquireTokenByCredential(ctx, scopes)
|
||||
if err != nil {
|
||||
return azcore.AccessToken{}, err
|
||||
}
|
||||
logGetTokenSuccess(c, opts)
|
||||
opts.Scopes = []string{strings.TrimSuffix(opts.Scopes[0], defaultSuffix)}
|
||||
return c.s.GetToken(ctx, opts)
|
||||
}
|
||||
|
||||
func (c *ManagedIdentityCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
ar, err := c.client.AcquireTokenByCredential(ctx, opts.Scopes)
|
||||
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
|
||||
}
|
||||
|
||||
func (c *ManagedIdentityCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes)
|
||||
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
|
||||
}
|
||||
|
||||
|
|
99
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/on_behalf_of_credential.go
generated
vendored
Normal file
99
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/on_behalf_of_credential.go
generated
vendored
Normal file
|
@ -0,0 +1,99 @@
|
|||
//go:build go1.18
|
||||
// +build go1.18
|
||||
|
||||
// Copyright (c) Microsoft Corporation. All rights reserved.
|
||||
// Licensed under the MIT License.
|
||||
|
||||
package azidentity
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto"
|
||||
"crypto/x509"
|
||||
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
|
||||
"github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential"
|
||||
)
|
||||
|
||||
const credNameOBO = "OnBehalfOfCredential"
|
||||
|
||||
// OnBehalfOfCredential authenticates a service principal via the on-behalf-of flow. This is typically used by
|
||||
// middle-tier services that authorize requests to other services with a delegated user identity. Because this
|
||||
// is not an interactive authentication flow, an application using it must have admin consent for any delegated
|
||||
// permissions before requesting tokens for them. See [Azure Active Directory documentation] for more details.
|
||||
//
|
||||
// [Azure Active Directory documentation]: https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
|
||||
type OnBehalfOfCredential struct {
|
||||
assertion string
|
||||
client confidentialClient
|
||||
s *syncer
|
||||
}
|
||||
|
||||
// OnBehalfOfCredentialOptions contains optional parameters for OnBehalfOfCredential
|
||||
type OnBehalfOfCredentialOptions struct {
|
||||
azcore.ClientOptions
|
||||
|
||||
// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens.
|
||||
// Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the
|
||||
// application is registered.
|
||||
AdditionallyAllowedTenants []string
|
||||
// DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
|
||||
// private clouds such as Azure Stack. It determines whether the credential requests Azure AD instance metadata
|
||||
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
|
||||
// the application responsible for ensuring the configured authority is valid and trustworthy.
|
||||
DisableInstanceDiscovery bool
|
||||
// SendCertificateChain applies only when the credential is configured to authenticate with a certificate.
|
||||
// This setting controls whether the credential sends the public certificate chain in the x5c header of each
|
||||
// token request's JWT. This is required for, and only used in, Subject Name/Issuer (SNI) authentication.
|
||||
SendCertificateChain bool
|
||||
}
|
||||
|
||||
// NewOnBehalfOfCredentialWithCertificate constructs an OnBehalfOfCredential that authenticates with a certificate.
|
||||
// See [ParseCertificates] for help loading a certificate.
|
||||
func NewOnBehalfOfCredentialWithCertificate(tenantID, clientID, userAssertion string, certs []*x509.Certificate, key crypto.PrivateKey, options *OnBehalfOfCredentialOptions) (*OnBehalfOfCredential, error) {
|
||||
cred, err := confidential.NewCredFromCert(certs, key)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return newOnBehalfOfCredential(tenantID, clientID, userAssertion, cred, options)
|
||||
}
|
||||
|
||||
// NewOnBehalfOfCredentialWithSecret constructs an OnBehalfOfCredential that authenticates with a client secret.
|
||||
func NewOnBehalfOfCredentialWithSecret(tenantID, clientID, userAssertion, clientSecret string, options *OnBehalfOfCredentialOptions) (*OnBehalfOfCredential, error) {
|
||||
cred, err := confidential.NewCredFromSecret(clientSecret)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return newOnBehalfOfCredential(tenantID, clientID, userAssertion, cred, options)
|
||||
}
|
||||
|
||||
func newOnBehalfOfCredential(tenantID, clientID, userAssertion string, cred confidential.Credential, options *OnBehalfOfCredentialOptions) (*OnBehalfOfCredential, error) {
|
||||
if options == nil {
|
||||
options = &OnBehalfOfCredentialOptions{}
|
||||
}
|
||||
opts := []confidential.Option{}
|
||||
if options.SendCertificateChain {
|
||||
opts = append(opts, confidential.WithX5C())
|
||||
}
|
||||
opts = append(opts, confidential.WithInstanceDiscovery(!options.DisableInstanceDiscovery))
|
||||
c, err := getConfidentialClient(clientID, tenantID, cred, &options.ClientOptions, opts...)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
obo := OnBehalfOfCredential{assertion: userAssertion, client: c}
|
||||
obo.s = newSyncer(credNameOBO, tenantID, options.AdditionallyAllowedTenants, obo.requestToken, obo.requestToken)
|
||||
return &obo, nil
|
||||
}
|
||||
|
||||
// GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
|
||||
func (o *OnBehalfOfCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
return o.s.GetToken(ctx, opts)
|
||||
}
|
||||
|
||||
func (o *OnBehalfOfCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
ar, err := o.client.AcquireTokenOnBehalfOf(ctx, o.assertion, opts.Scopes, confidential.WithTenantID(opts.TenantID))
|
||||
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
|
||||
}
|
||||
|
||||
var _ azcore.TokenCredential = (*OnBehalfOfCredential)(nil)
|
130
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/syncer.go
generated
vendored
Normal file
130
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/syncer.go
generated
vendored
Normal file
|
@ -0,0 +1,130 @@
|
|||
//go:build go1.18
|
||||
// +build go1.18
|
||||
|
||||
// Copyright (c) Microsoft Corporation. All rights reserved.
|
||||
// Licensed under the MIT License.
|
||||
|
||||
package azidentity
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"strings"
|
||||
"sync"
|
||||
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/internal/log"
|
||||
)
|
||||
|
||||
type authFn func(context.Context, policy.TokenRequestOptions) (azcore.AccessToken, error)
|
||||
|
||||
// syncer synchronizes authentication calls so that goroutines can share a credential instance
|
||||
type syncer struct {
|
||||
addlTenants []string
|
||||
authing bool
|
||||
cond *sync.Cond
|
||||
reqToken, silent authFn
|
||||
name, tenant string
|
||||
}
|
||||
|
||||
func newSyncer(name, tenant string, additionalTenants []string, reqToken, silentAuth authFn) *syncer {
|
||||
return &syncer{
|
||||
addlTenants: resolveAdditionalTenants(additionalTenants),
|
||||
cond: &sync.Cond{L: &sync.Mutex{}},
|
||||
name: name,
|
||||
reqToken: reqToken,
|
||||
silent: silentAuth,
|
||||
tenant: tenant,
|
||||
}
|
||||
}
|
||||
|
||||
// GetToken ensures that only one goroutine authenticates at a time
|
||||
func (s *syncer) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
var at azcore.AccessToken
|
||||
var err error
|
||||
if len(opts.Scopes) == 0 {
|
||||
return at, errors.New(s.name + ".GetToken() requires at least one scope")
|
||||
}
|
||||
// we don't resolve the tenant for managed identities because they can acquire tokens only from their home tenants
|
||||
if s.name != credNameManagedIdentity {
|
||||
tenant, err := s.resolveTenant(opts.TenantID)
|
||||
if err != nil {
|
||||
return at, err
|
||||
}
|
||||
opts.TenantID = tenant
|
||||
}
|
||||
auth := false
|
||||
s.cond.L.Lock()
|
||||
defer s.cond.L.Unlock()
|
||||
for {
|
||||
at, err = s.silent(ctx, opts)
|
||||
if err == nil {
|
||||
// got a token
|
||||
break
|
||||
}
|
||||
if !s.authing {
|
||||
// this goroutine will request a token
|
||||
s.authing, auth = true, true
|
||||
break
|
||||
}
|
||||
// another goroutine is acquiring a token; wait for it to finish, then try silent auth again
|
||||
s.cond.Wait()
|
||||
}
|
||||
if auth {
|
||||
s.authing = false
|
||||
at, err = s.reqToken(ctx, opts)
|
||||
s.cond.Broadcast()
|
||||
}
|
||||
if err != nil {
|
||||
// Return credentialUnavailableError directly because that type affects the behavior of credential chains.
|
||||
// Otherwise, return AuthenticationFailedError.
|
||||
var unavailableErr *credentialUnavailableError
|
||||
if !errors.As(err, &unavailableErr) {
|
||||
res := getResponseFromError(err)
|
||||
err = newAuthenticationFailedError(s.name, err.Error(), res, err)
|
||||
}
|
||||
} else if log.Should(EventAuthentication) {
|
||||
scope := strings.Join(opts.Scopes, ", ")
|
||||
msg := fmt.Sprintf(`%s.GetToken() acquired a token for scope "%s"\n`, s.name, scope)
|
||||
log.Write(EventAuthentication, msg)
|
||||
}
|
||||
return at, err
|
||||
}
|
||||
|
||||
// resolveTenant returns the correct tenant for a token request given the credential's
|
||||
// configuration, or an error when the specified tenant isn't allowed by that configuration
|
||||
func (s *syncer) resolveTenant(requested string) (string, error) {
|
||||
if requested == "" || requested == s.tenant {
|
||||
return s.tenant, nil
|
||||
}
|
||||
if s.tenant == "adfs" {
|
||||
return "", errors.New("ADFS doesn't support tenants")
|
||||
}
|
||||
if !validTenantID(requested) {
|
||||
return "", errors.New(tenantIDValidationErr)
|
||||
}
|
||||
for _, t := range s.addlTenants {
|
||||
if t == "*" || t == requested {
|
||||
return requested, nil
|
||||
}
|
||||
}
|
||||
return "", fmt.Errorf(`%s isn't configured to acquire tokens for tenant %q. To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add "*" to allow acquiring tokens for any tenant`, s.name, requested)
|
||||
}
|
||||
|
||||
// resolveAdditionalTenants returns a copy of tenants, simplified when tenants contains a wildcard
|
||||
func resolveAdditionalTenants(tenants []string) []string {
|
||||
if len(tenants) == 0 {
|
||||
return nil
|
||||
}
|
||||
for _, t := range tenants {
|
||||
// a wildcard makes all other values redundant
|
||||
if t == "*" {
|
||||
return []string{"*"}
|
||||
}
|
||||
}
|
||||
cp := make([]string, len(tenants))
|
||||
copy(cp, tenants)
|
||||
return cp
|
||||
}
|
51
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/username_password_credential.go
generated
vendored
51
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/username_password_credential.go
generated
vendored
|
@ -8,7 +8,6 @@ package azidentity
|
|||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
|
||||
|
@ -20,6 +19,16 @@ const credNameUserPassword = "UsernamePasswordCredential"
|
|||
// UsernamePasswordCredentialOptions contains optional parameters for UsernamePasswordCredential.
|
||||
type UsernamePasswordCredentialOptions struct {
|
||||
azcore.ClientOptions
|
||||
|
||||
// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens.
|
||||
// Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the
|
||||
// application is registered.
|
||||
AdditionallyAllowedTenants []string
|
||||
// DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
|
||||
// private clouds such as Azure Stack. It determines whether the credential requests Azure AD instance metadata
|
||||
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
|
||||
// the application responsible for ensuring the configured authority is valid and trustworthy.
|
||||
DisableInstanceDiscovery bool
|
||||
}
|
||||
|
||||
// UsernamePasswordCredential authenticates a user with a password. Microsoft doesn't recommend this kind of authentication,
|
||||
|
@ -27,10 +36,10 @@ type UsernamePasswordCredentialOptions struct {
|
|||
// with any form of multi-factor authentication, and the application must already have user or admin consent.
|
||||
// This credential can only authenticate work and school accounts; it can't authenticate Microsoft accounts.
|
||||
type UsernamePasswordCredential struct {
|
||||
client publicClient
|
||||
username string
|
||||
password string
|
||||
account public.Account
|
||||
account public.Account
|
||||
client publicClient
|
||||
password, username string
|
||||
s *syncer
|
||||
}
|
||||
|
||||
// NewUsernamePasswordCredential creates a UsernamePasswordCredential. clientID is the ID of the application the user
|
||||
|
@ -39,29 +48,33 @@ func NewUsernamePasswordCredential(tenantID string, clientID string, username st
|
|||
if options == nil {
|
||||
options = &UsernamePasswordCredentialOptions{}
|
||||
}
|
||||
c, err := getPublicClient(clientID, tenantID, &options.ClientOptions)
|
||||
c, err := getPublicClient(clientID, tenantID, &options.ClientOptions, public.WithInstanceDiscovery(!options.DisableInstanceDiscovery))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &UsernamePasswordCredential{username: username, password: password, client: c}, nil
|
||||
upc := UsernamePasswordCredential{client: c, password: password, username: username}
|
||||
upc.s = newSyncer(credNameUserPassword, tenantID, options.AdditionallyAllowedTenants, upc.requestToken, upc.silentAuth)
|
||||
return &upc, nil
|
||||
}
|
||||
|
||||
// GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
|
||||
func (c *UsernamePasswordCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
if len(opts.Scopes) == 0 {
|
||||
return azcore.AccessToken{}, errors.New(credNameUserPassword + ": GetToken() requires at least one scope")
|
||||
}
|
||||
ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes, public.WithSilentAccount(c.account))
|
||||
return c.s.GetToken(ctx, opts)
|
||||
}
|
||||
|
||||
func (c *UsernamePasswordCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
ar, err := c.client.AcquireTokenByUsernamePassword(ctx, opts.Scopes, c.username, c.password, public.WithTenantID(opts.TenantID))
|
||||
if err == nil {
|
||||
logGetTokenSuccess(c, opts)
|
||||
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
|
||||
c.account = ar.Account
|
||||
}
|
||||
ar, err = c.client.AcquireTokenByUsernamePassword(ctx, opts.Scopes, c.username, c.password)
|
||||
if err != nil {
|
||||
return azcore.AccessToken{}, newAuthenticationFailedErrorFromMSALError(credNameUserPassword, err)
|
||||
}
|
||||
c.account = ar.Account
|
||||
logGetTokenSuccess(c, opts)
|
||||
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
|
||||
}
|
||||
|
||||
func (c *UsernamePasswordCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes,
|
||||
public.WithSilentAccount(c.account),
|
||||
public.WithTenantID(opts.TenantID),
|
||||
)
|
||||
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
|
||||
}
|
||||
|
||||
|
|
2
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
generated
vendored
2
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
generated
vendored
|
@ -11,5 +11,5 @@ const (
|
|||
component = "azidentity"
|
||||
|
||||
// Version is the semantic version (see http://semver.org) of this module.
|
||||
version = "v1.2.1"
|
||||
version = "v1.3.0"
|
||||
)
|
||||
|
|
126
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/workload_identity.go
generated
vendored
Normal file
126
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/workload_identity.go
generated
vendored
Normal file
|
@ -0,0 +1,126 @@
|
|||
//go:build go1.18
|
||||
// +build go1.18
|
||||
|
||||
// Copyright (c) Microsoft Corporation. All rights reserved.
|
||||
// Licensed under the MIT License.
|
||||
|
||||
package azidentity
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"os"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
|
||||
)
|
||||
|
||||
const credNameWorkloadIdentity = "WorkloadIdentityCredential"
|
||||
|
||||
// WorkloadIdentityCredential supports Azure workload identity on Kubernetes.
|
||||
// See [Azure Kubernetes Service documentation] for more information.
|
||||
//
|
||||
// [Azure Kubernetes Service documentation]: https://learn.microsoft.com/azure/aks/workload-identity-overview
|
||||
type WorkloadIdentityCredential struct {
|
||||
assertion, file string
|
||||
cred *ClientAssertionCredential
|
||||
expires time.Time
|
||||
mtx *sync.RWMutex
|
||||
}
|
||||
|
||||
// WorkloadIdentityCredentialOptions contains optional parameters for WorkloadIdentityCredential.
|
||||
type WorkloadIdentityCredentialOptions struct {
|
||||
azcore.ClientOptions
|
||||
|
||||
// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens.
|
||||
// Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the
|
||||
// application is registered.
|
||||
AdditionallyAllowedTenants []string
|
||||
// ClientID of the service principal. Defaults to the value of the environment variable AZURE_CLIENT_ID.
|
||||
ClientID string
|
||||
// DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
|
||||
// private clouds such as Azure Stack. It determines whether the credential requests Azure AD instance metadata
|
||||
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
|
||||
// the application responsible for ensuring the configured authority is valid and trustworthy.
|
||||
DisableInstanceDiscovery bool
|
||||
// TenantID of the service principal. Defaults to the value of the environment variable AZURE_TENANT_ID.
|
||||
TenantID string
|
||||
// TokenFilePath is the path a file containing the workload identity token. Defaults to the value of the
|
||||
// environment variable AZURE_FEDERATED_TOKEN_FILE.
|
||||
TokenFilePath string
|
||||
}
|
||||
|
||||
// NewWorkloadIdentityCredential constructs a WorkloadIdentityCredential. Service principal configuration is read
|
||||
// from environment variables as set by the Azure workload identity webhook. Set options to override those values.
|
||||
func NewWorkloadIdentityCredential(options *WorkloadIdentityCredentialOptions) (*WorkloadIdentityCredential, error) {
|
||||
if options == nil {
|
||||
options = &WorkloadIdentityCredentialOptions{}
|
||||
}
|
||||
ok := false
|
||||
clientID := options.ClientID
|
||||
if clientID == "" {
|
||||
if clientID, ok = os.LookupEnv(azureClientID); !ok {
|
||||
return nil, errors.New("no client ID specified. Check pod configuration or set ClientID in the options")
|
||||
}
|
||||
}
|
||||
file := options.TokenFilePath
|
||||
if file == "" {
|
||||
if file, ok = os.LookupEnv(azureFederatedTokenFile); !ok {
|
||||
return nil, errors.New("no token file specified. Check pod configuration or set TokenFilePath in the options")
|
||||
}
|
||||
}
|
||||
tenantID := options.TenantID
|
||||
if tenantID == "" {
|
||||
if tenantID, ok = os.LookupEnv(azureTenantID); !ok {
|
||||
return nil, errors.New("no tenant ID specified. Check pod configuration or set TenantID in the options")
|
||||
}
|
||||
}
|
||||
w := WorkloadIdentityCredential{file: file, mtx: &sync.RWMutex{}}
|
||||
caco := ClientAssertionCredentialOptions{
|
||||
AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
|
||||
ClientOptions: options.ClientOptions,
|
||||
DisableInstanceDiscovery: options.DisableInstanceDiscovery,
|
||||
}
|
||||
cred, err := NewClientAssertionCredential(tenantID, clientID, w.getAssertion, &caco)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
// we want "WorkloadIdentityCredential" in log messages, not "ClientAssertionCredential"
|
||||
cred.s.name = credNameWorkloadIdentity
|
||||
w.cred = cred
|
||||
return &w, nil
|
||||
}
|
||||
|
||||
// GetToken requests an access token from Azure Active Directory. Azure SDK clients call this method automatically.
|
||||
func (w *WorkloadIdentityCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
||||
return w.cred.GetToken(ctx, opts)
|
||||
}
|
||||
|
||||
// getAssertion returns the specified file's content, which is expected to be a Kubernetes service account token.
|
||||
// Kubernetes is responsible for updating the file as service account tokens expire.
|
||||
func (w *WorkloadIdentityCredential) getAssertion(context.Context) (string, error) {
|
||||
w.mtx.RLock()
|
||||
if w.expires.Before(time.Now()) {
|
||||
// ensure only one goroutine at a time updates the assertion
|
||||
w.mtx.RUnlock()
|
||||
w.mtx.Lock()
|
||||
defer w.mtx.Unlock()
|
||||
// double check because another goroutine may have acquired the write lock first and done the update
|
||||
if now := time.Now(); w.expires.Before(now) {
|
||||
content, err := os.ReadFile(w.file)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
w.assertion = string(content)
|
||||
// Kubernetes rotates service account tokens when they reach 80% of their total TTL. The shortest TTL
|
||||
// is 1 hour. That implies the token we just read is valid for at least 12 minutes (20% of 1 hour),
|
||||
// but we add some margin for safety.
|
||||
w.expires = now.Add(10 * time.Minute)
|
||||
}
|
||||
} else {
|
||||
defer w.mtx.RUnlock()
|
||||
}
|
||||
return w.assertion, nil
|
||||
}
|
124
vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/exported/exported.go
generated
vendored
Normal file
124
vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/exported/exported.go
generated
vendored
Normal file
|
@ -0,0 +1,124 @@
|
|||
//go:build go1.18
|
||||
// +build go1.18
|
||||
|
||||
// Copyright (c) Microsoft Corporation. All rights reserved.
|
||||
// Licensed under the MIT License.
|
||||
|
||||
package exported
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"io"
|
||||
"net/http"
|
||||
)
|
||||
|
||||
// HasStatusCode returns true if the Response's status code is one of the specified values.
|
||||
// Exported as runtime.HasStatusCode().
|
||||
func HasStatusCode(resp *http.Response, statusCodes ...int) bool {
|
||||
if resp == nil {
|
||||
return false
|
||||
}
|
||||
for _, sc := range statusCodes {
|
||||
if resp.StatusCode == sc {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// PayloadOptions contains the optional values for the Payload func.
|
||||
// NOT exported but used by azcore.
|
||||
type PayloadOptions struct {
|
||||
// BytesModifier receives the downloaded byte slice and returns an updated byte slice.
|
||||
// Use this to modify the downloaded bytes in a payload (e.g. removing a BOM).
|
||||
BytesModifier func([]byte) []byte
|
||||
}
|
||||
|
||||
// Payload reads and returns the response body or an error.
|
||||
// On a successful read, the response body is cached.
|
||||
// Subsequent reads will access the cached value.
|
||||
// Exported as runtime.Payload() WITHOUT the opts parameter.
|
||||
func Payload(resp *http.Response, opts *PayloadOptions) ([]byte, error) {
|
||||
modifyBytes := func(b []byte) []byte { return b }
|
||||
if opts != nil && opts.BytesModifier != nil {
|
||||
modifyBytes = opts.BytesModifier
|
||||
}
|
||||
|
||||
// r.Body won't be a nopClosingBytesReader if downloading was skipped
|
||||
if buf, ok := resp.Body.(*nopClosingBytesReader); ok {
|
||||
bytesBody := modifyBytes(buf.Bytes())
|
||||
buf.Set(bytesBody)
|
||||
return bytesBody, nil
|
||||
}
|
||||
|
||||
bytesBody, err := io.ReadAll(resp.Body)
|
||||
resp.Body.Close()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
bytesBody = modifyBytes(bytesBody)
|
||||
resp.Body = &nopClosingBytesReader{s: bytesBody}
|
||||
return bytesBody, nil
|
||||
}
|
||||
|
||||
// PayloadDownloaded returns true if the response body has already been downloaded.
|
||||
// This implies that the Payload() func above has been previously called.
|
||||
// NOT exported but used by azcore.
|
||||
func PayloadDownloaded(resp *http.Response) bool {
|
||||
_, ok := resp.Body.(*nopClosingBytesReader)
|
||||
return ok
|
||||
}
|
||||
|
||||
// nopClosingBytesReader is an io.ReadSeekCloser around a byte slice.
|
||||
// It also provides direct access to the byte slice to avoid rereading.
|
||||
type nopClosingBytesReader struct {
|
||||
s []byte
|
||||
i int64
|
||||
}
|
||||
|
||||
// Bytes returns the underlying byte slice.
|
||||
func (r *nopClosingBytesReader) Bytes() []byte {
|
||||
return r.s
|
||||
}
|
||||
|
||||
// Close implements the io.Closer interface.
|
||||
func (*nopClosingBytesReader) Close() error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// Read implements the io.Reader interface.
|
||||
func (r *nopClosingBytesReader) Read(b []byte) (n int, err error) {
|
||||
if r.i >= int64(len(r.s)) {
|
||||
return 0, io.EOF
|
||||
}
|
||||
n = copy(b, r.s[r.i:])
|
||||
r.i += int64(n)
|
||||
return
|
||||
}
|
||||
|
||||
// Set replaces the existing byte slice with the specified byte slice and resets the reader.
|
||||
func (r *nopClosingBytesReader) Set(b []byte) {
|
||||
r.s = b
|
||||
r.i = 0
|
||||
}
|
||||
|
||||
// Seek implements the io.Seeker interface.
|
||||
func (r *nopClosingBytesReader) Seek(offset int64, whence int) (int64, error) {
|
||||
var i int64
|
||||
switch whence {
|
||||
case io.SeekStart:
|
||||
i = offset
|
||||
case io.SeekCurrent:
|
||||
i = r.i + offset
|
||||
case io.SeekEnd:
|
||||
i = int64(len(r.s)) + offset
|
||||
default:
|
||||
return 0, errors.New("nopClosingBytesReader: invalid whence")
|
||||
}
|
||||
if i < 0 {
|
||||
return 0, errors.New("nopClosingBytesReader: negative position")
|
||||
}
|
||||
r.i = i
|
||||
return i, nil
|
||||
}
|
155
vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/poller/util.go
generated
vendored
Normal file
155
vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/poller/util.go
generated
vendored
Normal file
|
@ -0,0 +1,155 @@
|
|||
//go:build go1.18
|
||||
// +build go1.18
|
||||
|
||||
// Copyright (c) Microsoft Corporation. All rights reserved.
|
||||
// Licensed under the MIT License.
|
||||
|
||||
package poller
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strings"
|
||||
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/internal/exported"
|
||||
)
|
||||
|
||||
// the well-known set of LRO status/provisioning state values.
|
||||
const (
|
||||
StatusSucceeded = "Succeeded"
|
||||
StatusCanceled = "Canceled"
|
||||
StatusFailed = "Failed"
|
||||
StatusInProgress = "InProgress"
|
||||
)
|
||||
|
||||
// these are non-conformant states that we've seen in the wild.
|
||||
// we support them for back-compat.
|
||||
const (
|
||||
StatusCancelled = "Cancelled"
|
||||
StatusCompleted = "Completed"
|
||||
)
|
||||
|
||||
// IsTerminalState returns true if the LRO's state is terminal.
|
||||
func IsTerminalState(s string) bool {
|
||||
return Failed(s) || Succeeded(s)
|
||||
}
|
||||
|
||||
// Failed returns true if the LRO's state is terminal failure.
|
||||
func Failed(s string) bool {
|
||||
return strings.EqualFold(s, StatusFailed) || strings.EqualFold(s, StatusCanceled) || strings.EqualFold(s, StatusCancelled)
|
||||
}
|
||||
|
||||
// Succeeded returns true if the LRO's state is terminal success.
|
||||
func Succeeded(s string) bool {
|
||||
return strings.EqualFold(s, StatusSucceeded) || strings.EqualFold(s, StatusCompleted)
|
||||
}
|
||||
|
||||
// returns true if the LRO response contains a valid HTTP status code
|
||||
func StatusCodeValid(resp *http.Response) bool {
|
||||
return exported.HasStatusCode(resp, http.StatusOK, http.StatusAccepted, http.StatusCreated, http.StatusNoContent)
|
||||
}
|
||||
|
||||
// IsValidURL verifies that the URL is valid and absolute.
|
||||
func IsValidURL(s string) bool {
|
||||
u, err := url.Parse(s)
|
||||
return err == nil && u.IsAbs()
|
||||
}
|
||||
|
||||
// ErrNoBody is returned if the response didn't contain a body.
|
||||
var ErrNoBody = errors.New("the response did not contain a body")
|
||||
|
||||
// GetJSON reads the response body into a raw JSON object.
|
||||
// It returns ErrNoBody if there was no content.
|
||||
func GetJSON(resp *http.Response) (map[string]any, error) {
|
||||
body, err := exported.Payload(resp, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if len(body) == 0 {
|
||||
return nil, ErrNoBody
|
||||
}
|
||||
// unmarshall the body to get the value
|
||||
var jsonBody map[string]any
|
||||
if err = json.Unmarshal(body, &jsonBody); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return jsonBody, nil
|
||||
}
|
||||
|
||||
// provisioningState returns the provisioning state from the response or the empty string.
|
||||
func provisioningState(jsonBody map[string]any) string {
|
||||
jsonProps, ok := jsonBody["properties"]
|
||||
if !ok {
|
||||
return ""
|
||||
}
|
||||
props, ok := jsonProps.(map[string]any)
|
||||
if !ok {
|
||||
return ""
|
||||
}
|
||||
rawPs, ok := props["provisioningState"]
|
||||
if !ok {
|
||||
return ""
|
||||
}
|
||||
ps, ok := rawPs.(string)
|
||||
if !ok {
|
||||
return ""
|
||||
}
|
||||
return ps
|
||||
}
|
||||
|
||||
// status returns the status from the response or the empty string.
|
||||
func status(jsonBody map[string]any) string {
|
||||
rawStatus, ok := jsonBody["status"]
|
||||
if !ok {
|
||||
return ""
|
||||
}
|
||||
status, ok := rawStatus.(string)
|
||||
if !ok {
|
||||
return ""
|
||||
}
|
||||
return status
|
||||
}
|
||||
|
||||
// GetStatus returns the LRO's status from the response body.
|
||||
// Typically used for Azure-AsyncOperation flows.
|
||||
// If there is no status in the response body the empty string is returned.
|
||||
func GetStatus(resp *http.Response) (string, error) {
|
||||
jsonBody, err := GetJSON(resp)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return status(jsonBody), nil
|
||||
}
|
||||
|
||||
// GetProvisioningState returns the LRO's state from the response body.
|
||||
// If there is no state in the response body the empty string is returned.
|
||||
func GetProvisioningState(resp *http.Response) (string, error) {
|
||||
jsonBody, err := GetJSON(resp)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return provisioningState(jsonBody), nil
|
||||
}
|
||||
|
||||
// GetResourceLocation returns the LRO's resourceLocation value from the response body.
|
||||
// Typically used for Operation-Location flows.
|
||||
// If there is no resourceLocation in the response body the empty string is returned.
|
||||
func GetResourceLocation(resp *http.Response) (string, error) {
|
||||
jsonBody, err := GetJSON(resp)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
v, ok := jsonBody["resourceLocation"]
|
||||
if !ok {
|
||||
// it might be ok if the field doesn't exist, the caller must make that determination
|
||||
return "", nil
|
||||
}
|
||||
vv, ok := v.(string)
|
||||
if !ok {
|
||||
return "", fmt.Errorf("the resourceLocation value %v was not in string format", v)
|
||||
}
|
||||
return vv, nil
|
||||
}
|
33
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/cache/cache.go
generated
vendored
33
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/cache/cache.go
generated
vendored
|
@ -11,6 +11,8 @@ implementers on the format being passed.
|
|||
*/
|
||||
package cache
|
||||
|
||||
import "context"
|
||||
|
||||
// Marshaler marshals data from an internal cache to bytes that can be stored.
|
||||
type Marshaler interface {
|
||||
Marshal() ([]byte, error)
|
||||
|
@ -27,13 +29,26 @@ type Serializer interface {
|
|||
Unmarshaler
|
||||
}
|
||||
|
||||
// ExportReplace is used export or replace what is in the cache.
|
||||
type ExportReplace interface {
|
||||
// Replace replaces the cache with what is in external storage.
|
||||
// key is the suggested key which can be used for partioning the cache
|
||||
Replace(cache Unmarshaler, key string)
|
||||
// Export writes the binary representation of the cache (cache.Marshal()) to
|
||||
// external storage. This is considered opaque.
|
||||
// key is the suggested key which can be used for partioning the cache
|
||||
Export(cache Marshaler, key string)
|
||||
// ExportHints are suggestions for storing data.
|
||||
type ExportHints struct {
|
||||
// PartitionKey is a suggested key for partitioning the cache
|
||||
PartitionKey string
|
||||
}
|
||||
|
||||
// ReplaceHints are suggestions for loading data.
|
||||
type ReplaceHints struct {
|
||||
// PartitionKey is a suggested key for partitioning the cache
|
||||
PartitionKey string
|
||||
}
|
||||
|
||||
// ExportReplace exports and replaces in-memory cache data. It doesn't support nil Context or
|
||||
// define the outcome of passing one. A Context without a timeout must receive a default timeout
|
||||
// specified by the implementor. Retries must be implemented inside the implementation.
|
||||
type ExportReplace interface {
|
||||
// Replace replaces the cache with what is in external storage. Implementors should honor
|
||||
// Context cancellations and return context.Canceled or context.DeadlineExceeded in those cases.
|
||||
Replace(ctx context.Context, cache Unmarshaler, hints ReplaceHints) error
|
||||
// Export writes the binary representation of the cache (cache.Marshal()) to external storage.
|
||||
// This is considered opaque. Context cancellations should be honored as in Replace.
|
||||
Export(ctx context.Context, cache Marshaler, hints ExportHints) error
|
||||
}
|
||||
|
|
|
@ -18,7 +18,6 @@ import (
|
|||
"encoding/pem"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net/url"
|
||||
|
||||
"github.com/AzureAD/microsoft-authentication-library-for-go/apps/cache"
|
||||
"github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base"
|
||||
|
@ -50,8 +49,7 @@ duplication.
|
|||
.Net People, Take note on X509:
|
||||
This uses x509.Certificates and private keys. x509 does not store private keys. .Net
|
||||
has some x509.Certificate2 thing that has private keys, but that is just some bullcrap that .Net
|
||||
added, it doesn't exist in real life. Seriously, "x509.Certificate2", bahahahaha. As such I've
|
||||
put a PEM decoder into here.
|
||||
added, it doesn't exist in real life. As such I've put a PEM decoder into here.
|
||||
*/
|
||||
|
||||
// TODO(msal): This should have example code for each method on client using Go's example doc framework.
|
||||
|
@ -63,7 +61,7 @@ type AuthResult = base.AuthResult
|
|||
|
||||
type Account = shared.Account
|
||||
|
||||
// CertFromPEM converts a PEM file (.pem or .key) for use with NewCredFromCert(). The file
|
||||
// CertFromPEM converts a PEM file (.pem or .key) for use with [NewCredFromCert]. The file
|
||||
// must contain the public certificate and the private key. If a PEM block is encrypted and
|
||||
// password is not an empty string, it attempts to decrypt the PEM blocks using the password.
|
||||
// Multiple certs are due to certificate chaining for use cases like TLS that sign from root to leaf.
|
||||
|
@ -179,33 +177,15 @@ func NewCredFromSecret(secret string) (Credential, error) {
|
|||
return Credential{secret: secret}, nil
|
||||
}
|
||||
|
||||
// NewCredFromAssertion creates a Credential from a signed assertion.
|
||||
//
|
||||
// Deprecated: a Credential created by this function can't refresh the
|
||||
// assertion when it expires. Use NewCredFromAssertionCallback instead.
|
||||
func NewCredFromAssertion(assertion string) (Credential, error) {
|
||||
if assertion == "" {
|
||||
return Credential{}, errors.New("assertion can't be empty string")
|
||||
}
|
||||
return NewCredFromAssertionCallback(func(context.Context, AssertionRequestOptions) (string, error) { return assertion, nil }), nil
|
||||
}
|
||||
|
||||
// NewCredFromAssertionCallback creates a Credential that invokes a callback to get assertions
|
||||
// authenticating the application. The callback must be thread safe.
|
||||
func NewCredFromAssertionCallback(callback func(context.Context, AssertionRequestOptions) (string, error)) Credential {
|
||||
return Credential{assertionCallback: callback}
|
||||
}
|
||||
|
||||
// NewCredFromCert creates a Credential from an x509.Certificate and an RSA private key.
|
||||
// CertFromPEM() can be used to get these values from a PEM file.
|
||||
func NewCredFromCert(cert *x509.Certificate, key crypto.PrivateKey) Credential {
|
||||
cred, _ := NewCredFromCertChain([]*x509.Certificate{cert}, key)
|
||||
return cred
|
||||
}
|
||||
|
||||
// NewCredFromCertChain creates a Credential from a chain of x509.Certificates and an RSA private key
|
||||
// as returned by CertFromPEM().
|
||||
func NewCredFromCertChain(certs []*x509.Certificate, key crypto.PrivateKey) (Credential, error) {
|
||||
// NewCredFromCert creates a Credential from a certificate or chain of certificates and an RSA private key
|
||||
// as returned by [CertFromPEM].
|
||||
func NewCredFromCert(certs []*x509.Certificate, key crypto.PrivateKey) (Credential, error) {
|
||||
cred := Credential{key: key}
|
||||
k, ok := key.(*rsa.PrivateKey)
|
||||
if !ok {
|
||||
|
@ -255,73 +235,32 @@ func AutoDetectRegion() string {
|
|||
// For more information, visit https://docs.microsoft.com/azure/active-directory/develop/msal-client-applications
|
||||
type Client struct {
|
||||
base base.Client
|
||||
|
||||
cred *accesstokens.Credential
|
||||
|
||||
// userID is some unique identifier for a user. It actually isn't used by us at all, it
|
||||
// simply acts as another hint that a confidential.Client is for a single user.
|
||||
userID string
|
||||
}
|
||||
|
||||
// Options are optional settings for New(). These options are set using various functions
|
||||
// clientOptions are optional settings for New(). These options are set using various functions
|
||||
// returning Option calls.
|
||||
type Options struct {
|
||||
// Accessor controls cache persistence.
|
||||
// By default there is no cache persistence. This can be set using the WithAccessor() option.
|
||||
Accessor cache.ExportReplace
|
||||
|
||||
// The host of the Azure Active Directory authority.
|
||||
// The default is https://login.microsoftonline.com/common. This can be changed using the
|
||||
// WithAuthority() option.
|
||||
Authority string
|
||||
|
||||
// The HTTP client used for making requests.
|
||||
// It defaults to a shared http.Client.
|
||||
HTTPClient ops.HTTPClient
|
||||
|
||||
// SendX5C specifies if x5c claim(public key of the certificate) should be sent to STS.
|
||||
SendX5C bool
|
||||
|
||||
// Instructs MSAL Go to use an Azure regional token service with sepcified AzureRegion.
|
||||
AzureRegion string
|
||||
|
||||
capabilities []string
|
||||
|
||||
disableInstanceDiscovery bool
|
||||
}
|
||||
|
||||
func (o Options) validate() error {
|
||||
u, err := url.Parse(o.Authority)
|
||||
if err != nil {
|
||||
return fmt.Errorf("the Authority(%s) does not parse as a valid URL", o.Authority)
|
||||
}
|
||||
if u.Scheme != "https" {
|
||||
return fmt.Errorf("the Authority(%s) does not appear to use https", o.Authority)
|
||||
}
|
||||
return nil
|
||||
type clientOptions struct {
|
||||
accessor cache.ExportReplace
|
||||
authority, azureRegion string
|
||||
capabilities []string
|
||||
disableInstanceDiscovery, sendX5C bool
|
||||
httpClient ops.HTTPClient
|
||||
}
|
||||
|
||||
// Option is an optional argument to New().
|
||||
type Option func(o *Options)
|
||||
type Option func(o *clientOptions)
|
||||
|
||||
// WithAuthority allows you to provide a custom authority for use in the client.
|
||||
func WithAuthority(authority string) Option {
|
||||
return func(o *Options) {
|
||||
o.Authority = authority
|
||||
}
|
||||
}
|
||||
|
||||
// WithAccessor provides a cache accessor that will read and write to some externally managed cache
|
||||
// that may or may not be shared with other applications.
|
||||
func WithAccessor(accessor cache.ExportReplace) Option {
|
||||
return func(o *Options) {
|
||||
o.Accessor = accessor
|
||||
// WithCache provides an accessor that will read and write authentication data to an externally managed cache.
|
||||
func WithCache(accessor cache.ExportReplace) Option {
|
||||
return func(o *clientOptions) {
|
||||
o.accessor = accessor
|
||||
}
|
||||
}
|
||||
|
||||
// WithClientCapabilities allows configuring one or more client capabilities such as "CP1"
|
||||
func WithClientCapabilities(capabilities []string) Option {
|
||||
return func(o *Options) {
|
||||
return func(o *clientOptions) {
|
||||
// there's no danger of sharing the slice's underlying memory with the application because
|
||||
// this slice is simply passed to base.WithClientCapabilities, which copies its data
|
||||
o.capabilities = capabilities
|
||||
|
@ -330,21 +269,21 @@ func WithClientCapabilities(capabilities []string) Option {
|
|||
|
||||
// WithHTTPClient allows for a custom HTTP client to be set.
|
||||
func WithHTTPClient(httpClient ops.HTTPClient) Option {
|
||||
return func(o *Options) {
|
||||
o.HTTPClient = httpClient
|
||||
return func(o *clientOptions) {
|
||||
o.httpClient = httpClient
|
||||
}
|
||||
}
|
||||
|
||||
// WithX5C specifies if x5c claim(public key of the certificate) should be sent to STS to enable Subject Name Issuer Authentication.
|
||||
func WithX5C() Option {
|
||||
return func(o *Options) {
|
||||
o.SendX5C = true
|
||||
return func(o *clientOptions) {
|
||||
o.sendX5C = true
|
||||
}
|
||||
}
|
||||
|
||||
// WithInstanceDiscovery set to false to disable authority validation (to support private cloud scenarios)
|
||||
func WithInstanceDiscovery(enabled bool) Option {
|
||||
return func(o *Options) {
|
||||
return func(o *clientOptions) {
|
||||
o.disableInstanceDiscovery = !enabled
|
||||
}
|
||||
}
|
||||
|
@ -361,44 +300,37 @@ func WithInstanceDiscovery(enabled bool) Option {
|
|||
// If auto-detection fails, the non-regional endpoint will be used.
|
||||
// If an invalid region name is provided, the non-regional endpoint MIGHT be used or the token request MIGHT fail.
|
||||
func WithAzureRegion(val string) Option {
|
||||
return func(o *Options) {
|
||||
o.AzureRegion = val
|
||||
return func(o *clientOptions) {
|
||||
o.azureRegion = val
|
||||
}
|
||||
}
|
||||
|
||||
// New is the constructor for Client. userID is the unique identifier of the user this client
|
||||
// will store credentials for (a Client is per user). clientID is the Azure clientID and cred is
|
||||
// the type of credential to use.
|
||||
func New(clientID string, cred Credential, options ...Option) (Client, error) {
|
||||
// New is the constructor for Client. authority is the URL of a token authority such as "https://login.microsoftonline.com/<your tenant>".
|
||||
// If the Client will connect directly to AD FS, use "adfs" for the tenant. clientID is the application's client ID (also called its
|
||||
// "application ID").
|
||||
func New(authority, clientID string, cred Credential, options ...Option) (Client, error) {
|
||||
internalCred, err := cred.toInternal()
|
||||
if err != nil {
|
||||
return Client{}, err
|
||||
}
|
||||
|
||||
opts := Options{
|
||||
Authority: base.AuthorityPublicCloud,
|
||||
HTTPClient: shared.DefaultClient,
|
||||
opts := clientOptions{
|
||||
authority: authority,
|
||||
// if the caller specified a token provider, it will handle all details of authentication, using Client only as a token cache
|
||||
disableInstanceDiscovery: cred.tokenProvider != nil,
|
||||
httpClient: shared.DefaultClient,
|
||||
}
|
||||
|
||||
for _, o := range options {
|
||||
o(&opts)
|
||||
}
|
||||
if err := opts.validate(); err != nil {
|
||||
return Client{}, err
|
||||
}
|
||||
|
||||
baseOpts := []base.Option{
|
||||
base.WithCacheAccessor(opts.Accessor),
|
||||
base.WithCacheAccessor(opts.accessor),
|
||||
base.WithClientCapabilities(opts.capabilities),
|
||||
base.WithRegionDetection(opts.AzureRegion),
|
||||
base.WithX5C(opts.SendX5C),
|
||||
base.WithInstanceDiscovery(!opts.disableInstanceDiscovery),
|
||||
base.WithRegionDetection(opts.azureRegion),
|
||||
base.WithX5C(opts.sendX5C),
|
||||
}
|
||||
if cred.tokenProvider != nil {
|
||||
// The caller will handle all details of authentication, using Client only as a token cache.
|
||||
baseOpts = append(baseOpts, base.WithInstanceDiscovery(false))
|
||||
}
|
||||
base, err := base.New(clientID, opts.Authority, oauth.New(opts.HTTPClient), baseOpts...)
|
||||
base, err := base.New(clientID, opts.authority, oauth.New(opts.httpClient), baseOpts...)
|
||||
if err != nil {
|
||||
return Client{}, err
|
||||
}
|
||||
|
@ -407,11 +339,6 @@ func New(clientID string, cred Credential, options ...Option) (Client, error) {
|
|||
return Client{base: base, cred: internalCred}, nil
|
||||
}
|
||||
|
||||
// UserID is the unique user identifier this client if for.
|
||||
func (cca Client) UserID() string {
|
||||
return cca.userID
|
||||
}
|
||||
|
||||
// authCodeURLOptions contains options for AuthCodeURL
|
||||
type authCodeURLOptions struct {
|
||||
claims, loginHint, tenantID, domainHint string
|
||||
|
@ -508,13 +435,13 @@ func WithClaims(claims string) interface {
|
|||
CallOption: options.NewCallOption(
|
||||
func(a any) error {
|
||||
switch t := a.(type) {
|
||||
case *AcquireTokenByAuthCodeOptions:
|
||||
case *acquireTokenByAuthCodeOptions:
|
||||
t.claims = claims
|
||||
case *acquireTokenByCredentialOptions:
|
||||
t.claims = claims
|
||||
case *acquireTokenOnBehalfOfOptions:
|
||||
t.claims = claims
|
||||
case *AcquireTokenSilentOptions:
|
||||
case *acquireTokenSilentOptions:
|
||||
t.claims = claims
|
||||
case *authCodeURLOptions:
|
||||
t.claims = claims
|
||||
|
@ -527,7 +454,7 @@ func WithClaims(claims string) interface {
|
|||
}
|
||||
}
|
||||
|
||||
// WithTenantID specifies a tenant for a single authentication. It may be different than the tenant set in [New] by [WithAuthority].
|
||||
// WithTenantID specifies a tenant for a single authentication. It may be different than the tenant set in [New].
|
||||
// This option is valid for any token acquisition method.
|
||||
func WithTenantID(tenantID string) interface {
|
||||
AcquireByAuthCodeOption
|
||||
|
@ -548,13 +475,13 @@ func WithTenantID(tenantID string) interface {
|
|||
CallOption: options.NewCallOption(
|
||||
func(a any) error {
|
||||
switch t := a.(type) {
|
||||
case *AcquireTokenByAuthCodeOptions:
|
||||
case *acquireTokenByAuthCodeOptions:
|
||||
t.tenantID = tenantID
|
||||
case *acquireTokenByCredentialOptions:
|
||||
t.tenantID = tenantID
|
||||
case *acquireTokenOnBehalfOfOptions:
|
||||
t.tenantID = tenantID
|
||||
case *AcquireTokenSilentOptions:
|
||||
case *acquireTokenSilentOptions:
|
||||
t.tenantID = tenantID
|
||||
case *authCodeURLOptions:
|
||||
t.tenantID = tenantID
|
||||
|
@ -567,12 +494,10 @@ func WithTenantID(tenantID string) interface {
|
|||
}
|
||||
}
|
||||
|
||||
// AcquireTokenSilentOptions are all the optional settings to an AcquireTokenSilent() call.
|
||||
// acquireTokenSilentOptions are all the optional settings to an AcquireTokenSilent() call.
|
||||
// These are set by using various AcquireTokenSilentOption functions.
|
||||
type AcquireTokenSilentOptions struct {
|
||||
// Account represents the account to use. To set, use the WithSilentAccount() option.
|
||||
Account Account
|
||||
|
||||
type acquireTokenSilentOptions struct {
|
||||
account Account
|
||||
claims, tenantID string
|
||||
}
|
||||
|
||||
|
@ -581,11 +506,6 @@ type AcquireSilentOption interface {
|
|||
acquireSilentOption()
|
||||
}
|
||||
|
||||
// AcquireTokenSilentOption changes options inside AcquireTokenSilentOptions used in .AcquireTokenSilent().
|
||||
type AcquireTokenSilentOption func(a *AcquireTokenSilentOptions)
|
||||
|
||||
func (AcquireTokenSilentOption) acquireSilentOption() {}
|
||||
|
||||
// WithSilentAccount uses the passed account during an AcquireTokenSilent() call.
|
||||
func WithSilentAccount(account Account) interface {
|
||||
AcquireSilentOption
|
||||
|
@ -598,8 +518,8 @@ func WithSilentAccount(account Account) interface {
|
|||
CallOption: options.NewCallOption(
|
||||
func(a any) error {
|
||||
switch t := a.(type) {
|
||||
case *AcquireTokenSilentOptions:
|
||||
t.Account = account
|
||||
case *acquireTokenSilentOptions:
|
||||
t.account = account
|
||||
default:
|
||||
return fmt.Errorf("unexpected options type %T", a)
|
||||
}
|
||||
|
@ -613,7 +533,7 @@ func WithSilentAccount(account Account) interface {
|
|||
//
|
||||
// Options: [WithClaims], [WithSilentAccount], [WithTenantID]
|
||||
func (cca Client) AcquireTokenSilent(ctx context.Context, scopes []string, opts ...AcquireSilentOption) (AuthResult, error) {
|
||||
o := AcquireTokenSilentOptions{}
|
||||
o := acquireTokenSilentOptions{}
|
||||
if err := options.ApplyOptions(&o, opts); err != nil {
|
||||
return AuthResult{}, err
|
||||
}
|
||||
|
@ -624,21 +544,19 @@ func (cca Client) AcquireTokenSilent(ctx context.Context, scopes []string, opts
|
|||
|
||||
silentParameters := base.AcquireTokenSilentParameters{
|
||||
Scopes: scopes,
|
||||
Account: o.Account,
|
||||
Account: o.account,
|
||||
RequestType: accesstokens.ATConfidential,
|
||||
Credential: cca.cred,
|
||||
IsAppCache: o.Account.IsZero(),
|
||||
IsAppCache: o.account.IsZero(),
|
||||
TenantID: o.tenantID,
|
||||
}
|
||||
|
||||
return cca.base.AcquireTokenSilent(ctx, silentParameters)
|
||||
}
|
||||
|
||||
// AcquireTokenByAuthCodeOptions contains the optional parameters used to acquire an access token using the authorization code flow.
|
||||
type AcquireTokenByAuthCodeOptions struct {
|
||||
Challenge string
|
||||
|
||||
claims, tenantID string
|
||||
// acquireTokenByAuthCodeOptions contains the optional parameters used to acquire an access token using the authorization code flow.
|
||||
type acquireTokenByAuthCodeOptions struct {
|
||||
challenge, claims, tenantID string
|
||||
}
|
||||
|
||||
// AcquireByAuthCodeOption is implemented by options for AcquireTokenByAuthCode
|
||||
|
@ -646,11 +564,6 @@ type AcquireByAuthCodeOption interface {
|
|||
acquireByAuthCodeOption()
|
||||
}
|
||||
|
||||
// AcquireTokenByAuthCodeOption changes options inside AcquireTokenByAuthCodeOptions used in .AcquireTokenByAuthCode().
|
||||
type AcquireTokenByAuthCodeOption func(a *AcquireTokenByAuthCodeOptions)
|
||||
|
||||
func (AcquireTokenByAuthCodeOption) acquireByAuthCodeOption() {}
|
||||
|
||||
// WithChallenge allows you to provide a challenge for the .AcquireTokenByAuthCode() call.
|
||||
func WithChallenge(challenge string) interface {
|
||||
AcquireByAuthCodeOption
|
||||
|
@ -663,8 +576,8 @@ func WithChallenge(challenge string) interface {
|
|||
CallOption: options.NewCallOption(
|
||||
func(a any) error {
|
||||
switch t := a.(type) {
|
||||
case *AcquireTokenByAuthCodeOptions:
|
||||
t.Challenge = challenge
|
||||
case *acquireTokenByAuthCodeOptions:
|
||||
t.challenge = challenge
|
||||
default:
|
||||
return fmt.Errorf("unexpected options type %T", a)
|
||||
}
|
||||
|
@ -679,7 +592,7 @@ func WithChallenge(challenge string) interface {
|
|||
//
|
||||
// Options: [WithChallenge], [WithClaims], [WithTenantID]
|
||||
func (cca Client) AcquireTokenByAuthCode(ctx context.Context, code string, redirectURI string, scopes []string, opts ...AcquireByAuthCodeOption) (AuthResult, error) {
|
||||
o := AcquireTokenByAuthCodeOptions{}
|
||||
o := acquireTokenByAuthCodeOptions{}
|
||||
if err := options.ApplyOptions(&o, opts); err != nil {
|
||||
return AuthResult{}, err
|
||||
}
|
||||
|
@ -687,7 +600,7 @@ func (cca Client) AcquireTokenByAuthCode(ctx context.Context, code string, redir
|
|||
params := base.AcquireTokenAuthCodeParameters{
|
||||
Scopes: scopes,
|
||||
Code: code,
|
||||
Challenge: o.Challenge,
|
||||
Challenge: o.challenge,
|
||||
Claims: o.claims,
|
||||
AppType: accesstokens.ATConfidential,
|
||||
Credential: cca.cred, // This setting differs from public.Client.AcquireTokenByAuthCode
|
||||
|
@ -762,12 +675,11 @@ func (cca Client) AcquireTokenOnBehalfOf(ctx context.Context, userAssertion stri
|
|||
}
|
||||
|
||||
// Account gets the account in the token cache with the specified homeAccountID.
|
||||
func (cca Client) Account(homeAccountID string) Account {
|
||||
return cca.base.Account(homeAccountID)
|
||||
func (cca Client) Account(ctx context.Context, accountID string) (Account, error) {
|
||||
return cca.base.Account(ctx, accountID)
|
||||
}
|
||||
|
||||
// RemoveAccount signs the account out and forgets account from token cache.
|
||||
func (cca Client) RemoveAccount(account Account) error {
|
||||
cca.base.RemoveAccount(account)
|
||||
return nil
|
||||
func (cca Client) RemoveAccount(ctx context.Context, account Account) error {
|
||||
return cca.base.RemoveAccount(ctx, account)
|
||||
}
|
||||
|
|
|
@ -69,7 +69,7 @@ func (e CallErr) Error() string {
|
|||
|
||||
// Verbose prints a versbose error message with the request or response.
|
||||
func (e CallErr) Verbose() string {
|
||||
e.Resp.Request = nil // This brings in a bunch of TLS crap we don't need
|
||||
e.Resp.Request = nil // This brings in a bunch of TLS stuff we don't need
|
||||
e.Resp.TLS = nil // Same
|
||||
return fmt.Sprintf("%s:\nRequest:\n%s\nResponse:\n%s", e.Err, prettyConf.Sprint(e.Req), prettyConf.Sprint(e.Resp))
|
||||
}
|
||||
|
|
194
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go
generated
vendored
194
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go
generated
vendored
|
@ -10,6 +10,7 @@ import (
|
|||
"net/url"
|
||||
"reflect"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/AzureAD/microsoft-authentication-library-for-go/apps/cache"
|
||||
|
@ -27,27 +28,21 @@ const (
|
|||
)
|
||||
|
||||
// manager provides an internal cache. It is defined to allow faking the cache in tests.
|
||||
// In all production use it is a *storage.Manager.
|
||||
// In production it's a *storage.Manager or *storage.PartitionedManager.
|
||||
type manager interface {
|
||||
Read(ctx context.Context, authParameters authority.AuthParams, account shared.Account) (storage.TokenResponse, error)
|
||||
Write(authParameters authority.AuthParams, tokenResponse accesstokens.TokenResponse) (shared.Account, error)
|
||||
cache.Serializer
|
||||
Read(context.Context, authority.AuthParams) (storage.TokenResponse, error)
|
||||
Write(authority.AuthParams, accesstokens.TokenResponse) (shared.Account, error)
|
||||
}
|
||||
|
||||
// accountManager is a manager that also caches accounts. In production it's a *storage.Manager.
|
||||
type accountManager interface {
|
||||
manager
|
||||
AllAccounts() []shared.Account
|
||||
Account(homeAccountID string) shared.Account
|
||||
RemoveAccount(account shared.Account, clientID string)
|
||||
}
|
||||
|
||||
// partitionedManager provides an internal cache. It is defined to allow faking the cache in tests.
|
||||
// In all production use it is a *storage.PartitionedManager.
|
||||
type partitionedManager interface {
|
||||
Read(ctx context.Context, authParameters authority.AuthParams) (storage.TokenResponse, error)
|
||||
Write(authParameters authority.AuthParams, tokenResponse accesstokens.TokenResponse) (shared.Account, error)
|
||||
}
|
||||
|
||||
type noopCacheAccessor struct{}
|
||||
|
||||
func (n noopCacheAccessor) Replace(cache cache.Unmarshaler, key string) {}
|
||||
func (n noopCacheAccessor) Export(cache cache.Marshaler, key string) {}
|
||||
|
||||
// AcquireTokenSilentParameters contains the parameters to acquire a token silently (from cache).
|
||||
type AcquireTokenSilentParameters struct {
|
||||
Scopes []string
|
||||
|
@ -133,12 +128,14 @@ func NewAuthResult(tokenResponse accesstokens.TokenResponse, account shared.Acco
|
|||
// Client is a base client that provides access to common methods and primatives that
|
||||
// can be used by multiple clients.
|
||||
type Client struct {
|
||||
Token *oauth.Client
|
||||
manager manager // *storage.Manager or fakeManager in tests
|
||||
pmanager partitionedManager // *storage.PartitionedManager or fakeManager in tests
|
||||
Token *oauth.Client
|
||||
manager accountManager // *storage.Manager or fakeManager in tests
|
||||
// pmanager is a partitioned cache for OBO authentication. *storage.PartitionedManager or fakeManager in tests
|
||||
pmanager manager
|
||||
|
||||
AuthParams authority.AuthParams // DO NOT EVER MAKE THIS A POINTER! See "Note" in New().
|
||||
cacheAccessor cache.ExportReplace
|
||||
AuthParams authority.AuthParams // DO NOT EVER MAKE THIS A POINTER! See "Note" in New().
|
||||
cacheAccessor cache.ExportReplace
|
||||
cacheAccessorMu *sync.RWMutex
|
||||
}
|
||||
|
||||
// Option is an optional argument to the New constructor.
|
||||
|
@ -210,11 +207,11 @@ func New(clientID string, authorityURI string, token *oauth.Client, options ...O
|
|||
}
|
||||
authParams := authority.NewAuthParams(clientID, authInfo)
|
||||
client := Client{ // Note: Hey, don't even THINK about making Base into *Base. See "design notes" in public.go and confidential.go
|
||||
Token: token,
|
||||
AuthParams: authParams,
|
||||
cacheAccessor: noopCacheAccessor{},
|
||||
manager: storage.New(token),
|
||||
pmanager: storage.NewPartitionedManager(token),
|
||||
Token: token,
|
||||
AuthParams: authParams,
|
||||
cacheAccessorMu: &sync.RWMutex{},
|
||||
manager: storage.New(token),
|
||||
pmanager: storage.NewPartitionedManager(token),
|
||||
}
|
||||
for _, o := range options {
|
||||
if err = o(&client); err != nil {
|
||||
|
@ -280,11 +277,12 @@ func (b Client) AuthCodeURL(ctx context.Context, clientID, redirectURI string, s
|
|||
}
|
||||
|
||||
func (b Client) AcquireTokenSilent(ctx context.Context, silent AcquireTokenSilentParameters) (AuthResult, error) {
|
||||
// when tenant == "", the caller didn't specify a tenant and WithTenant will use the client's configured tenant
|
||||
ar := AuthResult{}
|
||||
// when tenant == "", the caller didn't specify a tenant and WithTenant will choose the client's configured tenant
|
||||
tenant := silent.TenantID
|
||||
authParams, err := b.AuthParams.WithTenant(tenant)
|
||||
if err != nil {
|
||||
return AuthResult{}, err
|
||||
return ar, err
|
||||
}
|
||||
authParams.Scopes = silent.Scopes
|
||||
authParams.HomeAccountID = silent.Account.HomeAccountID
|
||||
|
@ -292,52 +290,45 @@ func (b Client) AcquireTokenSilent(ctx context.Context, silent AcquireTokenSilen
|
|||
authParams.Claims = silent.Claims
|
||||
authParams.UserAssertion = silent.UserAssertion
|
||||
|
||||
var storageTokenResponse storage.TokenResponse
|
||||
if authParams.AuthorizationType == authority.ATOnBehalfOf {
|
||||
if s, ok := b.pmanager.(cache.Serializer); ok {
|
||||
suggestedCacheKey := authParams.CacheKey(silent.IsAppCache)
|
||||
b.cacheAccessor.Replace(s, suggestedCacheKey)
|
||||
defer b.cacheAccessor.Export(s, suggestedCacheKey)
|
||||
}
|
||||
storageTokenResponse, err = b.pmanager.Read(ctx, authParams)
|
||||
if err != nil {
|
||||
return AuthResult{}, err
|
||||
}
|
||||
} else {
|
||||
if s, ok := b.manager.(cache.Serializer); ok {
|
||||
suggestedCacheKey := authParams.CacheKey(silent.IsAppCache)
|
||||
b.cacheAccessor.Replace(s, suggestedCacheKey)
|
||||
defer b.cacheAccessor.Export(s, suggestedCacheKey)
|
||||
}
|
||||
m := b.pmanager
|
||||
if authParams.AuthorizationType != authority.ATOnBehalfOf {
|
||||
authParams.AuthorizationType = authority.ATRefreshToken
|
||||
storageTokenResponse, err = b.manager.Read(ctx, authParams, silent.Account)
|
||||
if err != nil {
|
||||
return AuthResult{}, err
|
||||
}
|
||||
m = b.manager
|
||||
}
|
||||
if b.cacheAccessor != nil {
|
||||
key := authParams.CacheKey(silent.IsAppCache)
|
||||
b.cacheAccessorMu.RLock()
|
||||
err = b.cacheAccessor.Replace(ctx, m, cache.ReplaceHints{PartitionKey: key})
|
||||
b.cacheAccessorMu.RUnlock()
|
||||
}
|
||||
if err != nil {
|
||||
return ar, err
|
||||
}
|
||||
storageTokenResponse, err := m.Read(ctx, authParams)
|
||||
if err != nil {
|
||||
return ar, err
|
||||
}
|
||||
|
||||
// ignore cached access tokens when given claims
|
||||
if silent.Claims == "" {
|
||||
result, err := AuthResultFromStorage(storageTokenResponse)
|
||||
ar, err = AuthResultFromStorage(storageTokenResponse)
|
||||
if err == nil {
|
||||
return result, nil
|
||||
return ar, err
|
||||
}
|
||||
}
|
||||
|
||||
// redeem a cached refresh token, if available
|
||||
if reflect.ValueOf(storageTokenResponse.RefreshToken).IsZero() {
|
||||
return AuthResult{}, errors.New("no token found")
|
||||
return ar, errors.New("no token found")
|
||||
}
|
||||
var cc *accesstokens.Credential
|
||||
if silent.RequestType == accesstokens.ATConfidential {
|
||||
cc = silent.Credential
|
||||
}
|
||||
|
||||
token, err := b.Token.Refresh(ctx, silent.RequestType, authParams, cc, storageTokenResponse.RefreshToken)
|
||||
if err != nil {
|
||||
return AuthResult{}, err
|
||||
return ar, err
|
||||
}
|
||||
|
||||
return b.AuthResultFromToken(ctx, authParams, token, true)
|
||||
}
|
||||
|
||||
|
@ -405,63 +396,72 @@ func (b Client) AuthResultFromToken(ctx context.Context, authParams authority.Au
|
|||
if !cacheWrite {
|
||||
return NewAuthResult(token, shared.Account{})
|
||||
}
|
||||
|
||||
var account shared.Account
|
||||
var err error
|
||||
var m manager = b.manager
|
||||
if authParams.AuthorizationType == authority.ATOnBehalfOf {
|
||||
if s, ok := b.pmanager.(cache.Serializer); ok {
|
||||
suggestedCacheKey := token.CacheKey(authParams)
|
||||
b.cacheAccessor.Replace(s, suggestedCacheKey)
|
||||
defer b.cacheAccessor.Export(s, suggestedCacheKey)
|
||||
}
|
||||
account, err = b.pmanager.Write(authParams, token)
|
||||
if err != nil {
|
||||
return AuthResult{}, err
|
||||
}
|
||||
} else {
|
||||
if s, ok := b.manager.(cache.Serializer); ok {
|
||||
suggestedCacheKey := token.CacheKey(authParams)
|
||||
b.cacheAccessor.Replace(s, suggestedCacheKey)
|
||||
defer b.cacheAccessor.Export(s, suggestedCacheKey)
|
||||
}
|
||||
account, err = b.manager.Write(authParams, token)
|
||||
m = b.pmanager
|
||||
}
|
||||
key := token.CacheKey(authParams)
|
||||
if b.cacheAccessor != nil {
|
||||
b.cacheAccessorMu.Lock()
|
||||
defer b.cacheAccessorMu.Unlock()
|
||||
err := b.cacheAccessor.Replace(ctx, m, cache.ReplaceHints{PartitionKey: key})
|
||||
if err != nil {
|
||||
return AuthResult{}, err
|
||||
}
|
||||
}
|
||||
return NewAuthResult(token, account)
|
||||
account, err := m.Write(authParams, token)
|
||||
if err != nil {
|
||||
return AuthResult{}, err
|
||||
}
|
||||
ar, err := NewAuthResult(token, account)
|
||||
if err == nil && b.cacheAccessor != nil {
|
||||
err = b.cacheAccessor.Export(ctx, b.manager, cache.ExportHints{PartitionKey: key})
|
||||
}
|
||||
return ar, err
|
||||
}
|
||||
|
||||
func (b Client) AllAccounts() []shared.Account {
|
||||
if s, ok := b.manager.(cache.Serializer); ok {
|
||||
suggestedCacheKey := b.AuthParams.CacheKey(false)
|
||||
b.cacheAccessor.Replace(s, suggestedCacheKey)
|
||||
defer b.cacheAccessor.Export(s, suggestedCacheKey)
|
||||
func (b Client) AllAccounts(ctx context.Context) ([]shared.Account, error) {
|
||||
if b.cacheAccessor != nil {
|
||||
b.cacheAccessorMu.RLock()
|
||||
defer b.cacheAccessorMu.RUnlock()
|
||||
key := b.AuthParams.CacheKey(false)
|
||||
err := b.cacheAccessor.Replace(ctx, b.manager, cache.ReplaceHints{PartitionKey: key})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
accounts := b.manager.AllAccounts()
|
||||
return accounts
|
||||
return b.manager.AllAccounts(), nil
|
||||
}
|
||||
|
||||
func (b Client) Account(homeAccountID string) shared.Account {
|
||||
authParams := b.AuthParams // This is a copy, as we dont' have a pointer receiver and .AuthParams is not a pointer.
|
||||
authParams.AuthorizationType = authority.AccountByID
|
||||
authParams.HomeAccountID = homeAccountID
|
||||
if s, ok := b.manager.(cache.Serializer); ok {
|
||||
suggestedCacheKey := b.AuthParams.CacheKey(false)
|
||||
b.cacheAccessor.Replace(s, suggestedCacheKey)
|
||||
defer b.cacheAccessor.Export(s, suggestedCacheKey)
|
||||
func (b Client) Account(ctx context.Context, homeAccountID string) (shared.Account, error) {
|
||||
if b.cacheAccessor != nil {
|
||||
b.cacheAccessorMu.RLock()
|
||||
defer b.cacheAccessorMu.RUnlock()
|
||||
authParams := b.AuthParams // This is a copy, as we don't have a pointer receiver and .AuthParams is not a pointer.
|
||||
authParams.AuthorizationType = authority.AccountByID
|
||||
authParams.HomeAccountID = homeAccountID
|
||||
key := b.AuthParams.CacheKey(false)
|
||||
err := b.cacheAccessor.Replace(ctx, b.manager, cache.ReplaceHints{PartitionKey: key})
|
||||
if err != nil {
|
||||
return shared.Account{}, err
|
||||
}
|
||||
}
|
||||
account := b.manager.Account(homeAccountID)
|
||||
return account
|
||||
return b.manager.Account(homeAccountID), nil
|
||||
}
|
||||
|
||||
// RemoveAccount removes all the ATs, RTs and IDTs from the cache associated with this account.
|
||||
func (b Client) RemoveAccount(account shared.Account) {
|
||||
if s, ok := b.manager.(cache.Serializer); ok {
|
||||
suggestedCacheKey := b.AuthParams.CacheKey(false)
|
||||
b.cacheAccessor.Replace(s, suggestedCacheKey)
|
||||
defer b.cacheAccessor.Export(s, suggestedCacheKey)
|
||||
func (b Client) RemoveAccount(ctx context.Context, account shared.Account) error {
|
||||
if b.cacheAccessor == nil {
|
||||
b.manager.RemoveAccount(account, b.AuthParams.ClientID)
|
||||
return nil
|
||||
}
|
||||
b.cacheAccessorMu.Lock()
|
||||
defer b.cacheAccessorMu.Unlock()
|
||||
key := b.AuthParams.CacheKey(false)
|
||||
err := b.cacheAccessor.Replace(ctx, b.manager, cache.ReplaceHints{PartitionKey: key})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
b.manager.RemoveAccount(account, b.AuthParams.ClientID)
|
||||
return b.cacheAccessor.Export(ctx, b.manager, cache.ExportHints{PartitionKey: key})
|
||||
}
|
||||
|
|
|
@ -83,7 +83,7 @@ func isMatchingScopes(scopesOne []string, scopesTwo string) bool {
|
|||
}
|
||||
|
||||
// Read reads a storage token from the cache if it exists.
|
||||
func (m *Manager) Read(ctx context.Context, authParameters authority.AuthParams, account shared.Account) (TokenResponse, error) {
|
||||
func (m *Manager) Read(ctx context.Context, authParameters authority.AuthParams) (TokenResponse, error) {
|
||||
tr := TokenResponse{}
|
||||
homeAccountID := authParameters.HomeAccountID
|
||||
realm := authParameters.AuthorityInfo.Tenant
|
||||
|
@ -103,7 +103,8 @@ func (m *Manager) Read(ctx context.Context, authParameters authority.AuthParams,
|
|||
accessToken := m.readAccessToken(homeAccountID, aliases, realm, clientID, scopes)
|
||||
tr.AccessToken = accessToken
|
||||
|
||||
if account.IsZero() {
|
||||
if homeAccountID == "" {
|
||||
// caller didn't specify a user, so there's no reason to search for an ID or refresh token
|
||||
return tr, nil
|
||||
}
|
||||
// errors returned by read* methods indicate a cache miss and are therefore non-fatal. We continue populating
|
||||
|
@ -122,7 +123,7 @@ func (m *Manager) Read(ctx context.Context, authParameters authority.AuthParams,
|
|||
}
|
||||
}
|
||||
|
||||
account, err = m.readAccount(homeAccountID, aliases, realm)
|
||||
account, err := m.readAccount(homeAccountID, aliases, realm)
|
||||
if err == nil {
|
||||
tr.Account = account
|
||||
}
|
||||
|
@ -493,6 +494,8 @@ func (m *Manager) update(cache *Contract) {
|
|||
|
||||
// Marshal implements cache.Marshaler.
|
||||
func (m *Manager) Marshal() ([]byte, error) {
|
||||
m.contractMu.RLock()
|
||||
defer m.contractMu.RUnlock()
|
||||
return json.Marshal(m.contract)
|
||||
}
|
||||
|
||||
|
|
|
@ -76,12 +76,17 @@ func (t *Client) ResolveEndpoints(ctx context.Context, authorityInfo authority.I
|
|||
return t.Resolver.ResolveEndpoints(ctx, authorityInfo, userPrincipalName)
|
||||
}
|
||||
|
||||
// AADInstanceDiscovery attempts to discover a tenant endpoint (used in OIDC auth with an authorization endpoint).
|
||||
// This is done by AAD which allows for aliasing of tenants (windows.sts.net is the same as login.windows.com).
|
||||
func (t *Client) AADInstanceDiscovery(ctx context.Context, authorityInfo authority.Info) (authority.InstanceDiscoveryResponse, error) {
|
||||
return t.Authority.AADInstanceDiscovery(ctx, authorityInfo)
|
||||
}
|
||||
|
||||
// AuthCode returns a token based on an authorization code.
|
||||
func (t *Client) AuthCode(ctx context.Context, req accesstokens.AuthCodeRequest) (accesstokens.TokenResponse, error) {
|
||||
if err := scopeError(req.AuthParams); err != nil {
|
||||
return accesstokens.TokenResponse{}, err
|
||||
}
|
||||
if err := t.resolveEndpoint(ctx, &req.AuthParams, ""); err != nil {
|
||||
return accesstokens.TokenResponse{}, err
|
||||
}
|
||||
|
@ -107,6 +112,10 @@ func (t *Client) Credential(ctx context.Context, authParams authority.AuthParams
|
|||
}
|
||||
tr, err := cred.TokenProvider(ctx, params)
|
||||
if err != nil {
|
||||
if len(scopes) == 0 {
|
||||
err = fmt.Errorf("token request had an empty authority.AuthParams.Scopes, which may cause the following error: %w", err)
|
||||
return accesstokens.TokenResponse{}, err
|
||||
}
|
||||
return accesstokens.TokenResponse{}, err
|
||||
}
|
||||
return accesstokens.TokenResponse{
|
||||
|
@ -134,6 +143,9 @@ func (t *Client) Credential(ctx context.Context, authParams authority.AuthParams
|
|||
|
||||
// Credential acquires a token from the authority using a client credentials grant.
|
||||
func (t *Client) OnBehalfOf(ctx context.Context, authParams authority.AuthParams, cred *accesstokens.Credential) (accesstokens.TokenResponse, error) {
|
||||
if err := scopeError(authParams); err != nil {
|
||||
return accesstokens.TokenResponse{}, err
|
||||
}
|
||||
if err := t.resolveEndpoint(ctx, &authParams, ""); err != nil {
|
||||
return accesstokens.TokenResponse{}, err
|
||||
}
|
||||
|
@ -145,20 +157,35 @@ func (t *Client) OnBehalfOf(ctx context.Context, authParams authority.AuthParams
|
|||
if err != nil {
|
||||
return accesstokens.TokenResponse{}, err
|
||||
}
|
||||
return t.AccessTokens.FromUserAssertionClientCertificate(ctx, authParams, authParams.UserAssertion, jwt)
|
||||
tr, err := t.AccessTokens.FromUserAssertionClientCertificate(ctx, authParams, authParams.UserAssertion, jwt)
|
||||
if err != nil {
|
||||
return accesstokens.TokenResponse{}, err
|
||||
}
|
||||
return tr, nil
|
||||
}
|
||||
|
||||
func (t *Client) Refresh(ctx context.Context, reqType accesstokens.AppType, authParams authority.AuthParams, cc *accesstokens.Credential, refreshToken accesstokens.RefreshToken) (accesstokens.TokenResponse, error) {
|
||||
if err := scopeError(authParams); err != nil {
|
||||
return accesstokens.TokenResponse{}, err
|
||||
}
|
||||
if err := t.resolveEndpoint(ctx, &authParams, ""); err != nil {
|
||||
return accesstokens.TokenResponse{}, err
|
||||
}
|
||||
|
||||
return t.AccessTokens.FromRefreshToken(ctx, reqType, authParams, cc, refreshToken.Secret)
|
||||
tr, err := t.AccessTokens.FromRefreshToken(ctx, reqType, authParams, cc, refreshToken.Secret)
|
||||
if err != nil {
|
||||
return accesstokens.TokenResponse{}, err
|
||||
}
|
||||
return tr, nil
|
||||
}
|
||||
|
||||
// UsernamePassword retrieves a token where a username and password is used. However, if this is
|
||||
// a user realm of "Federated", this uses SAML tokens. If "Managed", uses normal username/password.
|
||||
func (t *Client) UsernamePassword(ctx context.Context, authParams authority.AuthParams) (accesstokens.TokenResponse, error) {
|
||||
if err := scopeError(authParams); err != nil {
|
||||
return accesstokens.TokenResponse{}, err
|
||||
}
|
||||
|
||||
if authParams.AuthorityInfo.AuthorityType == authority.ADFS {
|
||||
if err := t.resolveEndpoint(ctx, &authParams, authParams.Username); err != nil {
|
||||
return accesstokens.TokenResponse{}, err
|
||||
|
@ -171,22 +198,32 @@ func (t *Client) UsernamePassword(ctx context.Context, authParams authority.Auth
|
|||
|
||||
userRealm, err := t.Authority.UserRealm(ctx, authParams)
|
||||
if err != nil {
|
||||
return accesstokens.TokenResponse{}, fmt.Errorf("problem getting user realm(user: %s) from authority: %w", authParams.Username, err)
|
||||
return accesstokens.TokenResponse{}, fmt.Errorf("problem getting user realm from authority: %w", err)
|
||||
}
|
||||
|
||||
switch userRealm.AccountType {
|
||||
case authority.Federated:
|
||||
mexDoc, err := t.WSTrust.Mex(ctx, userRealm.FederationMetadataURL)
|
||||
if err != nil {
|
||||
return accesstokens.TokenResponse{}, fmt.Errorf("problem getting mex doc from federated url(%s): %w", userRealm.FederationMetadataURL, err)
|
||||
err = fmt.Errorf("problem getting mex doc from federated url(%s): %w", userRealm.FederationMetadataURL, err)
|
||||
return accesstokens.TokenResponse{}, err
|
||||
}
|
||||
|
||||
saml, err := t.WSTrust.SAMLTokenInfo(ctx, authParams, userRealm.CloudAudienceURN, mexDoc.UsernamePasswordEndpoint)
|
||||
if err != nil {
|
||||
return accesstokens.TokenResponse{}, fmt.Errorf("problem getting SAML token info: %w", err)
|
||||
err = fmt.Errorf("problem getting SAML token info: %w", err)
|
||||
return accesstokens.TokenResponse{}, err
|
||||
}
|
||||
return t.AccessTokens.FromSamlGrant(ctx, authParams, saml)
|
||||
tr, err := t.AccessTokens.FromSamlGrant(ctx, authParams, saml)
|
||||
if err != nil {
|
||||
return accesstokens.TokenResponse{}, err
|
||||
}
|
||||
return tr, nil
|
||||
case authority.Managed:
|
||||
if len(authParams.Scopes) == 0 {
|
||||
err = fmt.Errorf("token request had an empty authority.AuthParams.Scopes, which may cause the following error: %w", err)
|
||||
return accesstokens.TokenResponse{}, err
|
||||
}
|
||||
return t.AccessTokens.FromUsernamePassword(ctx, authParams)
|
||||
}
|
||||
return accesstokens.TokenResponse{}, errors.New("unknown account type")
|
||||
|
@ -212,7 +249,6 @@ func (d DeviceCode) Token(ctx context.Context) (accesstokens.TokenResponse, erro
|
|||
}
|
||||
|
||||
var cancel context.CancelFunc
|
||||
d.Result.ExpiresOn.Sub(time.Now().UTC())
|
||||
if deadline, ok := ctx.Deadline(); !ok || d.Result.ExpiresOn.Before(deadline) {
|
||||
ctx, cancel = context.WithDeadline(ctx, d.Result.ExpiresOn)
|
||||
} else {
|
||||
|
@ -275,6 +311,10 @@ func isWaitDeviceCodeErr(err error) bool {
|
|||
// DeviceCode returns a DeviceCode object that can be used to get the code that must be entered on the second
|
||||
// device and optionally the token once the code has been entered on the second device.
|
||||
func (t *Client) DeviceCode(ctx context.Context, authParams authority.AuthParams) (DeviceCode, error) {
|
||||
if err := scopeError(authParams); err != nil {
|
||||
return DeviceCode{}, err
|
||||
}
|
||||
|
||||
if err := t.resolveEndpoint(ctx, &authParams, ""); err != nil {
|
||||
return DeviceCode{}, err
|
||||
}
|
||||
|
@ -295,3 +335,19 @@ func (t *Client) resolveEndpoint(ctx context.Context, authParams *authority.Auth
|
|||
authParams.Endpoints = endpoints
|
||||
return nil
|
||||
}
|
||||
|
||||
// scopeError takes an authority.AuthParams and returns an error
|
||||
// if len(AuthParams.Scope) == 0.
|
||||
func scopeError(a authority.AuthParams) error {
|
||||
// TODO(someone): we could look deeper at the message to determine if
|
||||
// it's a scope error, but this is a good start.
|
||||
/*
|
||||
{error":"invalid_scope","error_description":"AADSTS1002012: The provided value for scope
|
||||
openid offline_access profile is not valid. Client credential flows must have a scope value
|
||||
with /.default suffixed to the resource identifier (application ID URI)...}
|
||||
*/
|
||||
if len(a.Scopes) == 0 {
|
||||
return fmt.Errorf("token request had an empty authority.AuthParams.Scopes, which is invalid")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
|
|
@ -28,10 +28,19 @@ const (
|
|||
regionName = "REGION_NAME"
|
||||
defaultAPIVersion = "2021-10-01"
|
||||
imdsEndpoint = "http://169.254.169.254/metadata/instance/compute/location?format=text&api-version=" + defaultAPIVersion
|
||||
defaultHost = "login.microsoftonline.com"
|
||||
autoDetectRegion = "TryAutoDetect"
|
||||
)
|
||||
|
||||
// These are various hosts that host AAD Instance discovery endpoints.
|
||||
const (
|
||||
defaultHost = "login.microsoftonline.com"
|
||||
loginMicrosoft = "login.microsoft.com"
|
||||
loginWindows = "login.windows.net"
|
||||
loginSTSWindows = "sts.windows.net"
|
||||
loginMicrosoftOnline = defaultHost
|
||||
)
|
||||
|
||||
// jsonCaller is an interface that allows us to mock the JSONCall method.
|
||||
type jsonCaller interface {
|
||||
JSONCall(ctx context.Context, endpoint string, headers http.Header, qv url.Values, body, resp interface{}) error
|
||||
}
|
||||
|
@ -54,6 +63,8 @@ func TrustedHost(host string) bool {
|
|||
return false
|
||||
}
|
||||
|
||||
// OAuthResponseBase is the base JSON return message for an OAuth call.
|
||||
// This is embedded in other calls to get the base fields from every response.
|
||||
type OAuthResponseBase struct {
|
||||
Error string `json:"error"`
|
||||
SubError string `json:"suberror"`
|
||||
|
@ -309,31 +320,24 @@ func firstPathSegment(u *url.URL) (string, error) {
|
|||
return pathParts[1], nil
|
||||
}
|
||||
|
||||
return "", errors.New("authority does not have two segments")
|
||||
return "", errors.New(`authority must be an https URL such as "https://login.microsoftonline.com/<your tenant>"`)
|
||||
}
|
||||
|
||||
// NewInfoFromAuthorityURI creates an AuthorityInfo instance from the authority URL provided.
|
||||
func NewInfoFromAuthorityURI(authorityURI string, validateAuthority bool, instanceDiscoveryDisabled bool) (Info, error) {
|
||||
authorityURI = strings.ToLower(authorityURI)
|
||||
var authorityType string
|
||||
u, err := url.Parse(authorityURI)
|
||||
if err != nil {
|
||||
return Info{}, fmt.Errorf("authorityURI passed could not be parsed: %w", err)
|
||||
}
|
||||
if u.Scheme != "https" {
|
||||
return Info{}, fmt.Errorf("authorityURI(%s) must have scheme https", authorityURI)
|
||||
func NewInfoFromAuthorityURI(authority string, validateAuthority bool, instanceDiscoveryDisabled bool) (Info, error) {
|
||||
u, err := url.Parse(strings.ToLower(authority))
|
||||
if err != nil || u.Scheme != "https" {
|
||||
return Info{}, errors.New(`authority must be an https URL such as "https://login.microsoftonline.com/<your tenant>"`)
|
||||
}
|
||||
|
||||
tenant, err := firstPathSegment(u)
|
||||
if tenant == "adfs" {
|
||||
authorityType = ADFS
|
||||
} else {
|
||||
authorityType = AAD
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
return Info{}, err
|
||||
}
|
||||
authorityType := AAD
|
||||
if tenant == "adfs" {
|
||||
authorityType = ADFS
|
||||
}
|
||||
|
||||
// u.Host includes the port, if any, which is required for private cloud deployments
|
||||
return Info{
|
||||
|
@ -449,6 +453,8 @@ func (c Client) GetTenantDiscoveryResponse(ctx context.Context, openIDConfigurat
|
|||
return resp, err
|
||||
}
|
||||
|
||||
// AADInstanceDiscovery attempts to discover a tenant endpoint (used in OIDC auth with an authorization endpoint).
|
||||
// This is done by AAD which allows for aliasing of tenants (windows.sts.net is the same as login.windows.com).
|
||||
func (c Client) AADInstanceDiscovery(ctx context.Context, authorityInfo Info) (InstanceDiscoveryResponse, error) {
|
||||
region := ""
|
||||
var err error
|
||||
|
@ -461,9 +467,10 @@ func (c Client) AADInstanceDiscovery(ctx context.Context, authorityInfo Info) (I
|
|||
if region != "" {
|
||||
environment := authorityInfo.Host
|
||||
switch environment {
|
||||
case "login.microsoft.com", "login.windows.net", "sts.windows.net", defaultHost:
|
||||
environment = "r." + defaultHost
|
||||
case loginMicrosoft, loginWindows, loginSTSWindows, defaultHost:
|
||||
environment = loginMicrosoft
|
||||
}
|
||||
|
||||
resp.TenantDiscoveryEndpoint = fmt.Sprintf(tenantDiscoveryEndpointWithRegion, region, environment, authorityInfo.Tenant)
|
||||
metadata := InstanceDiscoveryMetadata{
|
||||
PreferredNetwork: fmt.Sprintf("%v.%v", region, authorityInfo.Host),
|
||||
|
|
|
@ -5,4 +5,4 @@
|
|||
package version
|
||||
|
||||
// Version is the version of this client package that is communicated to the server.
|
||||
const Version = "0.8.1"
|
||||
const Version = "1.0.0"
|
||||
|
|
189
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go
generated
vendored
189
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go
generated
vendored
|
@ -47,27 +47,17 @@ type AuthResult = base.AuthResult
|
|||
|
||||
type Account = shared.Account
|
||||
|
||||
// Options configures the Client's behavior.
|
||||
type Options struct {
|
||||
// Accessor controls cache persistence. By default there is no cache persistence.
|
||||
// This can be set with the WithCache() option.
|
||||
Accessor cache.ExportReplace
|
||||
|
||||
// The host of the Azure Active Directory authority. The default is https://login.microsoftonline.com/common.
|
||||
// This can be changed with the WithAuthority() option.
|
||||
Authority string
|
||||
|
||||
// The HTTP client used for making requests.
|
||||
// It defaults to a shared http.Client.
|
||||
HTTPClient ops.HTTPClient
|
||||
|
||||
capabilities []string
|
||||
|
||||
// clientOptions configures the Client's behavior.
|
||||
type clientOptions struct {
|
||||
accessor cache.ExportReplace
|
||||
authority string
|
||||
capabilities []string
|
||||
disableInstanceDiscovery bool
|
||||
httpClient ops.HTTPClient
|
||||
}
|
||||
|
||||
func (p *Options) validate() error {
|
||||
u, err := url.Parse(p.Authority)
|
||||
func (p *clientOptions) validate() error {
|
||||
u, err := url.Parse(p.authority)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Authority options cannot be URL parsed: %w", err)
|
||||
}
|
||||
|
@ -78,25 +68,25 @@ func (p *Options) validate() error {
|
|||
}
|
||||
|
||||
// Option is an optional argument to the New constructor.
|
||||
type Option func(o *Options)
|
||||
type Option func(o *clientOptions)
|
||||
|
||||
// WithAuthority allows for a custom authority to be set. This must be a valid https url.
|
||||
func WithAuthority(authority string) Option {
|
||||
return func(o *Options) {
|
||||
o.Authority = authority
|
||||
return func(o *clientOptions) {
|
||||
o.authority = authority
|
||||
}
|
||||
}
|
||||
|
||||
// WithCache allows you to set some type of cache for storing authentication tokens.
|
||||
// WithCache provides an accessor that will read and write authentication data to an externally managed cache.
|
||||
func WithCache(accessor cache.ExportReplace) Option {
|
||||
return func(o *Options) {
|
||||
o.Accessor = accessor
|
||||
return func(o *clientOptions) {
|
||||
o.accessor = accessor
|
||||
}
|
||||
}
|
||||
|
||||
// WithClientCapabilities allows configuring one or more client capabilities such as "CP1"
|
||||
func WithClientCapabilities(capabilities []string) Option {
|
||||
return func(o *Options) {
|
||||
return func(o *clientOptions) {
|
||||
// there's no danger of sharing the slice's underlying memory with the application because
|
||||
// this slice is simply passed to base.WithClientCapabilities, which copies its data
|
||||
o.capabilities = capabilities
|
||||
|
@ -105,14 +95,14 @@ func WithClientCapabilities(capabilities []string) Option {
|
|||
|
||||
// WithHTTPClient allows for a custom HTTP client to be set.
|
||||
func WithHTTPClient(httpClient ops.HTTPClient) Option {
|
||||
return func(o *Options) {
|
||||
o.HTTPClient = httpClient
|
||||
return func(o *clientOptions) {
|
||||
o.httpClient = httpClient
|
||||
}
|
||||
}
|
||||
|
||||
// WithInstanceDiscovery set to false to disable authority validation (to support private cloud scenarios)
|
||||
func WithInstanceDiscovery(enabled bool) Option {
|
||||
return func(o *Options) {
|
||||
return func(o *clientOptions) {
|
||||
o.disableInstanceDiscovery = !enabled
|
||||
}
|
||||
}
|
||||
|
@ -125,9 +115,9 @@ type Client struct {
|
|||
|
||||
// New is the constructor for Client.
|
||||
func New(clientID string, options ...Option) (Client, error) {
|
||||
opts := Options{
|
||||
Authority: base.AuthorityPublicCloud,
|
||||
HTTPClient: shared.DefaultClient,
|
||||
opts := clientOptions{
|
||||
authority: base.AuthorityPublicCloud,
|
||||
httpClient: shared.DefaultClient,
|
||||
}
|
||||
|
||||
for _, o := range options {
|
||||
|
@ -137,28 +127,28 @@ func New(clientID string, options ...Option) (Client, error) {
|
|||
return Client{}, err
|
||||
}
|
||||
|
||||
base, err := base.New(clientID, opts.Authority, oauth.New(opts.HTTPClient), base.WithCacheAccessor(opts.Accessor), base.WithClientCapabilities(opts.capabilities), base.WithInstanceDiscovery(!opts.disableInstanceDiscovery))
|
||||
base, err := base.New(clientID, opts.authority, oauth.New(opts.httpClient), base.WithCacheAccessor(opts.accessor), base.WithClientCapabilities(opts.capabilities), base.WithInstanceDiscovery(!opts.disableInstanceDiscovery))
|
||||
if err != nil {
|
||||
return Client{}, err
|
||||
}
|
||||
return Client{base}, nil
|
||||
}
|
||||
|
||||
// createAuthCodeURLOptions contains options for CreateAuthCodeURL
|
||||
type createAuthCodeURLOptions struct {
|
||||
// authCodeURLOptions contains options for AuthCodeURL
|
||||
type authCodeURLOptions struct {
|
||||
claims, loginHint, tenantID, domainHint string
|
||||
}
|
||||
|
||||
// CreateAuthCodeURLOption is implemented by options for CreateAuthCodeURL
|
||||
type CreateAuthCodeURLOption interface {
|
||||
createAuthCodeURLOption()
|
||||
// AuthCodeURLOption is implemented by options for AuthCodeURL
|
||||
type AuthCodeURLOption interface {
|
||||
authCodeURLOption()
|
||||
}
|
||||
|
||||
// CreateAuthCodeURL creates a URL used to acquire an authorization code.
|
||||
// AuthCodeURL creates a URL used to acquire an authorization code.
|
||||
//
|
||||
// Options: [WithClaims], [WithDomainHint], [WithLoginHint], [WithTenantID]
|
||||
func (pca Client) CreateAuthCodeURL(ctx context.Context, clientID, redirectURI string, scopes []string, opts ...CreateAuthCodeURLOption) (string, error) {
|
||||
o := createAuthCodeURLOptions{}
|
||||
func (pca Client) AuthCodeURL(ctx context.Context, clientID, redirectURI string, scopes []string, opts ...AuthCodeURLOption) (string, error) {
|
||||
o := authCodeURLOptions{}
|
||||
if err := options.ApplyOptions(&o, opts); err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
@ -181,7 +171,7 @@ func WithClaims(claims string) interface {
|
|||
AcquireByUsernamePasswordOption
|
||||
AcquireInteractiveOption
|
||||
AcquireSilentOption
|
||||
CreateAuthCodeURLOption
|
||||
AuthCodeURLOption
|
||||
options.CallOption
|
||||
} {
|
||||
return struct {
|
||||
|
@ -190,23 +180,23 @@ func WithClaims(claims string) interface {
|
|||
AcquireByUsernamePasswordOption
|
||||
AcquireInteractiveOption
|
||||
AcquireSilentOption
|
||||
CreateAuthCodeURLOption
|
||||
AuthCodeURLOption
|
||||
options.CallOption
|
||||
}{
|
||||
CallOption: options.NewCallOption(
|
||||
func(a any) error {
|
||||
switch t := a.(type) {
|
||||
case *AcquireTokenByAuthCodeOptions:
|
||||
case *acquireTokenByAuthCodeOptions:
|
||||
t.claims = claims
|
||||
case *acquireTokenByDeviceCodeOptions:
|
||||
t.claims = claims
|
||||
case *acquireTokenByUsernamePasswordOptions:
|
||||
t.claims = claims
|
||||
case *AcquireTokenSilentOptions:
|
||||
case *acquireTokenSilentOptions:
|
||||
t.claims = claims
|
||||
case *createAuthCodeURLOptions:
|
||||
case *authCodeURLOptions:
|
||||
t.claims = claims
|
||||
case *InteractiveAuthOptions:
|
||||
case *interactiveAuthOptions:
|
||||
t.claims = claims
|
||||
default:
|
||||
return fmt.Errorf("unexpected options type %T", a)
|
||||
|
@ -225,7 +215,7 @@ func WithTenantID(tenantID string) interface {
|
|||
AcquireByUsernamePasswordOption
|
||||
AcquireInteractiveOption
|
||||
AcquireSilentOption
|
||||
CreateAuthCodeURLOption
|
||||
AuthCodeURLOption
|
||||
options.CallOption
|
||||
} {
|
||||
return struct {
|
||||
|
@ -234,23 +224,23 @@ func WithTenantID(tenantID string) interface {
|
|||
AcquireByUsernamePasswordOption
|
||||
AcquireInteractiveOption
|
||||
AcquireSilentOption
|
||||
CreateAuthCodeURLOption
|
||||
AuthCodeURLOption
|
||||
options.CallOption
|
||||
}{
|
||||
CallOption: options.NewCallOption(
|
||||
func(a any) error {
|
||||
switch t := a.(type) {
|
||||
case *AcquireTokenByAuthCodeOptions:
|
||||
case *acquireTokenByAuthCodeOptions:
|
||||
t.tenantID = tenantID
|
||||
case *acquireTokenByDeviceCodeOptions:
|
||||
t.tenantID = tenantID
|
||||
case *acquireTokenByUsernamePasswordOptions:
|
||||
t.tenantID = tenantID
|
||||
case *AcquireTokenSilentOptions:
|
||||
case *acquireTokenSilentOptions:
|
||||
t.tenantID = tenantID
|
||||
case *createAuthCodeURLOptions:
|
||||
case *authCodeURLOptions:
|
||||
t.tenantID = tenantID
|
||||
case *InteractiveAuthOptions:
|
||||
case *interactiveAuthOptions:
|
||||
t.tenantID = tenantID
|
||||
default:
|
||||
return fmt.Errorf("unexpected options type %T", a)
|
||||
|
@ -261,12 +251,10 @@ func WithTenantID(tenantID string) interface {
|
|||
}
|
||||
}
|
||||
|
||||
// AcquireTokenSilentOptions are all the optional settings to an AcquireTokenSilent() call.
|
||||
// acquireTokenSilentOptions are all the optional settings to an AcquireTokenSilent() call.
|
||||
// These are set by using various AcquireTokenSilentOption functions.
|
||||
type AcquireTokenSilentOptions struct {
|
||||
// Account represents the account to use. To set, use the WithSilentAccount() option.
|
||||
Account Account
|
||||
|
||||
type acquireTokenSilentOptions struct {
|
||||
account Account
|
||||
claims, tenantID string
|
||||
}
|
||||
|
||||
|
@ -275,11 +263,6 @@ type AcquireSilentOption interface {
|
|||
acquireSilentOption()
|
||||
}
|
||||
|
||||
// AcquireTokenSilentOption changes options inside AcquireTokenSilentOptions used in .AcquireTokenSilent().
|
||||
type AcquireTokenSilentOption func(a *AcquireTokenSilentOptions)
|
||||
|
||||
func (AcquireTokenSilentOption) acquireSilentOption() {}
|
||||
|
||||
// WithSilentAccount uses the passed account during an AcquireTokenSilent() call.
|
||||
func WithSilentAccount(account Account) interface {
|
||||
AcquireSilentOption
|
||||
|
@ -292,8 +275,8 @@ func WithSilentAccount(account Account) interface {
|
|||
CallOption: options.NewCallOption(
|
||||
func(a any) error {
|
||||
switch t := a.(type) {
|
||||
case *AcquireTokenSilentOptions:
|
||||
t.Account = account
|
||||
case *acquireTokenSilentOptions:
|
||||
t.account = account
|
||||
default:
|
||||
return fmt.Errorf("unexpected options type %T", a)
|
||||
}
|
||||
|
@ -307,14 +290,14 @@ func WithSilentAccount(account Account) interface {
|
|||
//
|
||||
// Options: [WithClaims], [WithSilentAccount], [WithTenantID]
|
||||
func (pca Client) AcquireTokenSilent(ctx context.Context, scopes []string, opts ...AcquireSilentOption) (AuthResult, error) {
|
||||
o := AcquireTokenSilentOptions{}
|
||||
o := acquireTokenSilentOptions{}
|
||||
if err := options.ApplyOptions(&o, opts); err != nil {
|
||||
return AuthResult{}, err
|
||||
}
|
||||
|
||||
silentParameters := base.AcquireTokenSilentParameters{
|
||||
Scopes: scopes,
|
||||
Account: o.Account,
|
||||
Account: o.account,
|
||||
Claims: o.claims,
|
||||
RequestType: accesstokens.ATPublic,
|
||||
IsAppCache: false,
|
||||
|
@ -420,11 +403,9 @@ func (pca Client) AcquireTokenByDeviceCode(ctx context.Context, scopes []string,
|
|||
return DeviceCode{Result: dc.Result, authParams: authParams, client: pca, dc: dc}, nil
|
||||
}
|
||||
|
||||
// AcquireTokenByAuthCodeOptions contains the optional parameters used to acquire an access token using the authorization code flow.
|
||||
type AcquireTokenByAuthCodeOptions struct {
|
||||
Challenge string
|
||||
|
||||
claims, tenantID string
|
||||
// acquireTokenByAuthCodeOptions contains the optional parameters used to acquire an access token using the authorization code flow.
|
||||
type acquireTokenByAuthCodeOptions struct {
|
||||
challenge, claims, tenantID string
|
||||
}
|
||||
|
||||
// AcquireByAuthCodeOption is implemented by options for AcquireTokenByAuthCode
|
||||
|
@ -432,11 +413,6 @@ type AcquireByAuthCodeOption interface {
|
|||
acquireByAuthCodeOption()
|
||||
}
|
||||
|
||||
// AcquireTokenByAuthCodeOption changes options inside AcquireTokenByAuthCodeOptions used in .AcquireTokenByAuthCode().
|
||||
type AcquireTokenByAuthCodeOption func(a *AcquireTokenByAuthCodeOptions)
|
||||
|
||||
func (AcquireTokenByAuthCodeOption) acquireByAuthCodeOption() {}
|
||||
|
||||
// WithChallenge allows you to provide a code for the .AcquireTokenByAuthCode() call.
|
||||
func WithChallenge(challenge string) interface {
|
||||
AcquireByAuthCodeOption
|
||||
|
@ -449,8 +425,8 @@ func WithChallenge(challenge string) interface {
|
|||
CallOption: options.NewCallOption(
|
||||
func(a any) error {
|
||||
switch t := a.(type) {
|
||||
case *AcquireTokenByAuthCodeOptions:
|
||||
t.Challenge = challenge
|
||||
case *acquireTokenByAuthCodeOptions:
|
||||
t.challenge = challenge
|
||||
default:
|
||||
return fmt.Errorf("unexpected options type %T", a)
|
||||
}
|
||||
|
@ -465,7 +441,7 @@ func WithChallenge(challenge string) interface {
|
|||
//
|
||||
// Options: [WithChallenge], [WithClaims], [WithTenantID]
|
||||
func (pca Client) AcquireTokenByAuthCode(ctx context.Context, code string, redirectURI string, scopes []string, opts ...AcquireByAuthCodeOption) (AuthResult, error) {
|
||||
o := AcquireTokenByAuthCodeOptions{}
|
||||
o := acquireTokenByAuthCodeOptions{}
|
||||
if err := options.ApplyOptions(&o, opts); err != nil {
|
||||
return AuthResult{}, err
|
||||
}
|
||||
|
@ -473,7 +449,7 @@ func (pca Client) AcquireTokenByAuthCode(ctx context.Context, code string, redir
|
|||
params := base.AcquireTokenAuthCodeParameters{
|
||||
Scopes: scopes,
|
||||
Code: code,
|
||||
Challenge: o.Challenge,
|
||||
Challenge: o.challenge,
|
||||
Claims: o.claims,
|
||||
AppType: accesstokens.ATPublic,
|
||||
RedirectURI: redirectURI,
|
||||
|
@ -485,23 +461,18 @@ func (pca Client) AcquireTokenByAuthCode(ctx context.Context, code string, redir
|
|||
|
||||
// Accounts gets all the accounts in the token cache.
|
||||
// If there are no accounts in the cache the returned slice is empty.
|
||||
func (pca Client) Accounts() []Account {
|
||||
return pca.base.AllAccounts()
|
||||
func (pca Client) Accounts(ctx context.Context) ([]Account, error) {
|
||||
return pca.base.AllAccounts(ctx)
|
||||
}
|
||||
|
||||
// RemoveAccount signs the account out and forgets account from token cache.
|
||||
func (pca Client) RemoveAccount(account Account) error {
|
||||
pca.base.RemoveAccount(account)
|
||||
return nil
|
||||
func (pca Client) RemoveAccount(ctx context.Context, account Account) error {
|
||||
return pca.base.RemoveAccount(ctx, account)
|
||||
}
|
||||
|
||||
// InteractiveAuthOptions contains the optional parameters used to acquire an access token for interactive auth code flow.
|
||||
type InteractiveAuthOptions struct {
|
||||
// Used to specify a custom port for the local server. http://localhost:portnumber
|
||||
// All other URI components are ignored.
|
||||
RedirectURI string
|
||||
|
||||
claims, loginHint, tenantID, domainHint string
|
||||
// interactiveAuthOptions contains the optional parameters used to acquire an access token for interactive auth code flow.
|
||||
type interactiveAuthOptions struct {
|
||||
claims, domainHint, loginHint, redirectURI, tenantID string
|
||||
}
|
||||
|
||||
// AcquireInteractiveOption is implemented by options for AcquireTokenInteractive
|
||||
|
@ -509,28 +480,23 @@ type AcquireInteractiveOption interface {
|
|||
acquireInteractiveOption()
|
||||
}
|
||||
|
||||
// InteractiveAuthOption changes options inside InteractiveAuthOptions used in .AcquireTokenInteractive().
|
||||
type InteractiveAuthOption func(*InteractiveAuthOptions)
|
||||
|
||||
func (InteractiveAuthOption) acquireInteractiveOption() {}
|
||||
|
||||
// WithLoginHint pre-populates the login prompt with a username.
|
||||
func WithLoginHint(username string) interface {
|
||||
AcquireInteractiveOption
|
||||
CreateAuthCodeURLOption
|
||||
AuthCodeURLOption
|
||||
options.CallOption
|
||||
} {
|
||||
return struct {
|
||||
AcquireInteractiveOption
|
||||
CreateAuthCodeURLOption
|
||||
AuthCodeURLOption
|
||||
options.CallOption
|
||||
}{
|
||||
CallOption: options.NewCallOption(
|
||||
func(a any) error {
|
||||
switch t := a.(type) {
|
||||
case *createAuthCodeURLOptions:
|
||||
case *authCodeURLOptions:
|
||||
t.loginHint = username
|
||||
case *InteractiveAuthOptions:
|
||||
case *interactiveAuthOptions:
|
||||
t.loginHint = username
|
||||
default:
|
||||
return fmt.Errorf("unexpected options type %T", a)
|
||||
|
@ -544,20 +510,20 @@ func WithLoginHint(username string) interface {
|
|||
// WithDomainHint adds the IdP domain as domain_hint query parameter in the auth url.
|
||||
func WithDomainHint(domain string) interface {
|
||||
AcquireInteractiveOption
|
||||
CreateAuthCodeURLOption
|
||||
AuthCodeURLOption
|
||||
options.CallOption
|
||||
} {
|
||||
return struct {
|
||||
AcquireInteractiveOption
|
||||
CreateAuthCodeURLOption
|
||||
AuthCodeURLOption
|
||||
options.CallOption
|
||||
}{
|
||||
CallOption: options.NewCallOption(
|
||||
func(a any) error {
|
||||
switch t := a.(type) {
|
||||
case *createAuthCodeURLOptions:
|
||||
case *authCodeURLOptions:
|
||||
t.domainHint = domain
|
||||
case *InteractiveAuthOptions:
|
||||
case *interactiveAuthOptions:
|
||||
t.domainHint = domain
|
||||
default:
|
||||
return fmt.Errorf("unexpected options type %T", a)
|
||||
|
@ -568,7 +534,8 @@ func WithDomainHint(domain string) interface {
|
|||
}
|
||||
}
|
||||
|
||||
// WithRedirectURI uses the specified redirect URI for interactive auth.
|
||||
// WithRedirectURI sets a port for the local server used in interactive authentication, for
|
||||
// example http://localhost:port. All URI components other than the port are ignored.
|
||||
func WithRedirectURI(redirectURI string) interface {
|
||||
AcquireInteractiveOption
|
||||
options.CallOption
|
||||
|
@ -580,8 +547,8 @@ func WithRedirectURI(redirectURI string) interface {
|
|||
CallOption: options.NewCallOption(
|
||||
func(a any) error {
|
||||
switch t := a.(type) {
|
||||
case *InteractiveAuthOptions:
|
||||
t.RedirectURI = redirectURI
|
||||
case *interactiveAuthOptions:
|
||||
t.redirectURI = redirectURI
|
||||
default:
|
||||
return fmt.Errorf("unexpected options type %T", a)
|
||||
}
|
||||
|
@ -596,7 +563,7 @@ func WithRedirectURI(redirectURI string) interface {
|
|||
//
|
||||
// Options: [WithDomainHint], [WithLoginHint], [WithRedirectURI], [WithTenantID]
|
||||
func (pca Client) AcquireTokenInteractive(ctx context.Context, scopes []string, opts ...AcquireInteractiveOption) (AuthResult, error) {
|
||||
o := InteractiveAuthOptions{}
|
||||
o := interactiveAuthOptions{}
|
||||
if err := options.ApplyOptions(&o, opts); err != nil {
|
||||
return AuthResult{}, err
|
||||
}
|
||||
|
@ -607,8 +574,8 @@ func (pca Client) AcquireTokenInteractive(ctx context.Context, scopes []string,
|
|||
return AuthResult{}, err
|
||||
}
|
||||
var redirectURL *url.URL
|
||||
if o.RedirectURI != "" {
|
||||
redirectURL, err = url.Parse(o.RedirectURI)
|
||||
if o.redirectURI != "" {
|
||||
redirectURL, err = url.Parse(o.redirectURI)
|
||||
if err != nil {
|
||||
return AuthResult{}, err
|
||||
}
|
||||
|
|
18
vendor/github.com/golang-jwt/jwt/v4/README.md
generated
vendored
18
vendor/github.com/golang-jwt/jwt/v4/README.md
generated
vendored
|
@ -54,9 +54,9 @@ import "github.com/golang-jwt/jwt/v4"
|
|||
|
||||
See [the project documentation](https://pkg.go.dev/github.com/golang-jwt/jwt/v4) for examples of usage:
|
||||
|
||||
* [Simple example of parsing and validating a token](https://pkg.go.dev/github.com/golang-jwt/jwt#example-Parse-Hmac)
|
||||
* [Simple example of building and signing a token](https://pkg.go.dev/github.com/golang-jwt/jwt#example-New-Hmac)
|
||||
* [Directory of Examples](https://pkg.go.dev/github.com/golang-jwt/jwt#pkg-examples)
|
||||
* [Simple example of parsing and validating a token](https://pkg.go.dev/github.com/golang-jwt/jwt/v4#example-Parse-Hmac)
|
||||
* [Simple example of building and signing a token](https://pkg.go.dev/github.com/golang-jwt/jwt/v4#example-New-Hmac)
|
||||
* [Directory of Examples](https://pkg.go.dev/github.com/golang-jwt/jwt/v4#pkg-examples)
|
||||
|
||||
## Extensions
|
||||
|
||||
|
@ -96,7 +96,7 @@ A token is simply a JSON object that is signed by its author. this tells you exa
|
|||
* The author of the token was in the possession of the signing secret
|
||||
* The data has not been modified since it was signed
|
||||
|
||||
It's important to know that JWT does not provide encryption, which means anyone who has access to the token can read its contents. If you need to protect (encrypt) the data, there is a companion spec, `JWE`, that provides this functionality. JWE is currently outside the scope of this library.
|
||||
It's important to know that JWT does not provide encryption, which means anyone who has access to the token can read its contents. If you need to protect (encrypt) the data, there is a companion spec, `JWE`, that provides this functionality. The companion project https://github.com/golang-jwt/jwe aims at a (very) experimental implementation of the JWE standard.
|
||||
|
||||
### Choosing a Signing Method
|
||||
|
||||
|
@ -110,10 +110,10 @@ Asymmetric signing methods, such as RSA, use different keys for signing and veri
|
|||
|
||||
Each signing method expects a different object type for its signing keys. See the package documentation for details. Here are the most common ones:
|
||||
|
||||
* The [HMAC signing method](https://pkg.go.dev/github.com/golang-jwt/jwt#SigningMethodHMAC) (`HS256`,`HS384`,`HS512`) expect `[]byte` values for signing and validation
|
||||
* The [RSA signing method](https://pkg.go.dev/github.com/golang-jwt/jwt#SigningMethodRSA) (`RS256`,`RS384`,`RS512`) expect `*rsa.PrivateKey` for signing and `*rsa.PublicKey` for validation
|
||||
* The [ECDSA signing method](https://pkg.go.dev/github.com/golang-jwt/jwt#SigningMethodECDSA) (`ES256`,`ES384`,`ES512`) expect `*ecdsa.PrivateKey` for signing and `*ecdsa.PublicKey` for validation
|
||||
* The [EdDSA signing method](https://pkg.go.dev/github.com/golang-jwt/jwt#SigningMethodEd25519) (`Ed25519`) expect `ed25519.PrivateKey` for signing and `ed25519.PublicKey` for validation
|
||||
* The [HMAC signing method](https://pkg.go.dev/github.com/golang-jwt/jwt/v4#SigningMethodHMAC) (`HS256`,`HS384`,`HS512`) expect `[]byte` values for signing and validation
|
||||
* The [RSA signing method](https://pkg.go.dev/github.com/golang-jwt/jwt/v4#SigningMethodRSA) (`RS256`,`RS384`,`RS512`) expect `*rsa.PrivateKey` for signing and `*rsa.PublicKey` for validation
|
||||
* The [ECDSA signing method](https://pkg.go.dev/github.com/golang-jwt/jwt/v4#SigningMethodECDSA) (`ES256`,`ES384`,`ES512`) expect `*ecdsa.PrivateKey` for signing and `*ecdsa.PublicKey` for validation
|
||||
* The [EdDSA signing method](https://pkg.go.dev/github.com/golang-jwt/jwt/v4#SigningMethodEd25519) (`Ed25519`) expect `ed25519.PrivateKey` for signing and `ed25519.PublicKey` for validation
|
||||
|
||||
### JWT and OAuth
|
||||
|
||||
|
@ -131,7 +131,7 @@ This library uses descriptive error messages whenever possible. If you are not g
|
|||
|
||||
## More
|
||||
|
||||
Documentation can be found [on pkg.go.dev](https://pkg.go.dev/github.com/golang-jwt/jwt).
|
||||
Documentation can be found [on pkg.go.dev](https://pkg.go.dev/github.com/golang-jwt/jwt/v4).
|
||||
|
||||
The command line utility included in this project (cmd/jwt) provides a straightforward example of token creation and parsing as well as a useful tool for debugging your own integration. You'll also find several implementation examples in the documentation.
|
||||
|
||||
|
|
6
vendor/github.com/golang-jwt/jwt/v4/claims.go
generated
vendored
6
vendor/github.com/golang-jwt/jwt/v4/claims.go
generated
vendored
|
@ -265,9 +265,5 @@ func verifyIss(iss string, cmp string, required bool) bool {
|
|||
if iss == "" {
|
||||
return !required
|
||||
}
|
||||
if subtle.ConstantTimeCompare([]byte(iss), []byte(cmp)) != 0 {
|
||||
return true
|
||||
} else {
|
||||
return false
|
||||
}
|
||||
return subtle.ConstantTimeCompare([]byte(iss), []byte(cmp)) != 0
|
||||
}
|
||||
|
|
7
vendor/github.com/golang-jwt/jwt/v4/parser.go
generated
vendored
7
vendor/github.com/golang-jwt/jwt/v4/parser.go
generated
vendored
|
@ -42,6 +42,13 @@ func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
|
|||
return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc)
|
||||
}
|
||||
|
||||
// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object implementing the Claims
|
||||
// interface. This provides default values which can be overridden and allows a caller to use their own type, rather
|
||||
// than the default MapClaims implementation of Claims.
|
||||
//
|
||||
// Note: If you provide a custom claim implementation that embeds one of the standard claims (such as RegisteredClaims),
|
||||
// make sure that a) you either embed a non-pointer version of the claims or b) if you are using a pointer, allocate the
|
||||
// proper memory for it before passing in the overall claims, otherwise you might run into a panic.
|
||||
func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) {
|
||||
token, parts, err := p.ParseUnverified(tokenString, claims)
|
||||
if err != nil {
|
||||
|
|
20
vendor/github.com/golang-jwt/jwt/v4/token.go
generated
vendored
20
vendor/github.com/golang-jwt/jwt/v4/token.go
generated
vendored
|
@ -14,6 +14,12 @@ import (
|
|||
// To use the non-recommended decoding, set this boolean to `true` prior to using this package.
|
||||
var DecodePaddingAllowed bool
|
||||
|
||||
// DecodeStrict will switch the codec used for decoding JWTs into strict mode.
|
||||
// In this mode, the decoder requires that trailing padding bits are zero, as described in RFC 4648 section 3.5.
|
||||
// Note that this is a global variable, and updating it will change the behavior on a package level, and is also NOT go-routine safe.
|
||||
// To use strict decoding, set this boolean to `true` prior to using this package.
|
||||
var DecodeStrict bool
|
||||
|
||||
// TimeFunc provides the current time when parsing token to validate "exp" claim (expiration time).
|
||||
// You can override it to use another time value. This is useful for testing or if your
|
||||
// server uses a different time zone than your tokens.
|
||||
|
@ -99,6 +105,11 @@ func Parse(tokenString string, keyFunc Keyfunc, options ...ParserOption) (*Token
|
|||
return NewParser(options...).Parse(tokenString, keyFunc)
|
||||
}
|
||||
|
||||
// ParseWithClaims is a shortcut for NewParser().ParseWithClaims().
|
||||
//
|
||||
// Note: If you provide a custom claim implementation that embeds one of the standard claims (such as RegisteredClaims),
|
||||
// make sure that a) you either embed a non-pointer version of the claims or b) if you are using a pointer, allocate the
|
||||
// proper memory for it before passing in the overall claims, otherwise you might run into a panic.
|
||||
func ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc, options ...ParserOption) (*Token, error) {
|
||||
return NewParser(options...).ParseWithClaims(tokenString, claims, keyFunc)
|
||||
}
|
||||
|
@ -116,12 +127,17 @@ func EncodeSegment(seg []byte) string {
|
|||
// Deprecated: In a future release, we will demote this function to a non-exported function, since it
|
||||
// should only be used internally
|
||||
func DecodeSegment(seg string) ([]byte, error) {
|
||||
encoding := base64.RawURLEncoding
|
||||
|
||||
if DecodePaddingAllowed {
|
||||
if l := len(seg) % 4; l > 0 {
|
||||
seg += strings.Repeat("=", 4-l)
|
||||
}
|
||||
return base64.URLEncoding.DecodeString(seg)
|
||||
encoding = base64.URLEncoding
|
||||
}
|
||||
|
||||
return base64.RawURLEncoding.DecodeString(seg)
|
||||
if DecodeStrict {
|
||||
encoding = encoding.Strict()
|
||||
}
|
||||
return encoding.DecodeString(seg)
|
||||
}
|
||||
|
|
2
vendor/github.com/google/uuid/README.md
generated
vendored
2
vendor/github.com/google/uuid/README.md
generated
vendored
|
@ -16,4 +16,4 @@ change is the ability to represent an invalid UUID (vs a NIL UUID).
|
|||
|
||||
Full `go doc` style documentation for the package can be viewed online without
|
||||
installing this package by using the GoDoc site here:
|
||||
http://godoc.org/github.com/google/uuid
|
||||
http://pkg.go.dev/github.com/google/uuid
|
||||
|
|
4
vendor/github.com/google/uuid/hash.go
generated
vendored
4
vendor/github.com/google/uuid/hash.go
generated
vendored
|
@ -26,8 +26,8 @@ var (
|
|||
// NewMD5 and NewSHA1.
|
||||
func NewHash(h hash.Hash, space UUID, data []byte, version int) UUID {
|
||||
h.Reset()
|
||||
h.Write(space[:])
|
||||
h.Write(data)
|
||||
h.Write(space[:]) //nolint:errcheck
|
||||
h.Write(data) //nolint:errcheck
|
||||
s := h.Sum(nil)
|
||||
var uuid UUID
|
||||
copy(uuid[:], s)
|
||||
|
|
7
vendor/github.com/google/uuid/marshal.go
generated
vendored
7
vendor/github.com/google/uuid/marshal.go
generated
vendored
|
@ -16,10 +16,11 @@ func (uuid UUID) MarshalText() ([]byte, error) {
|
|||
// UnmarshalText implements encoding.TextUnmarshaler.
|
||||
func (uuid *UUID) UnmarshalText(data []byte) error {
|
||||
id, err := ParseBytes(data)
|
||||
if err == nil {
|
||||
*uuid = id
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return err
|
||||
*uuid = id
|
||||
return nil
|
||||
}
|
||||
|
||||
// MarshalBinary implements encoding.BinaryMarshaler.
|
||||
|
|
118
vendor/github.com/google/uuid/null.go
generated
vendored
Normal file
118
vendor/github.com/google/uuid/null.go
generated
vendored
Normal file
|
@ -0,0 +1,118 @@
|
|||
// Copyright 2021 Google Inc. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package uuid
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"database/sql/driver"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
)
|
||||
|
||||
var jsonNull = []byte("null")
|
||||
|
||||
// NullUUID represents a UUID that may be null.
|
||||
// NullUUID implements the SQL driver.Scanner interface so
|
||||
// it can be used as a scan destination:
|
||||
//
|
||||
// var u uuid.NullUUID
|
||||
// err := db.QueryRow("SELECT name FROM foo WHERE id=?", id).Scan(&u)
|
||||
// ...
|
||||
// if u.Valid {
|
||||
// // use u.UUID
|
||||
// } else {
|
||||
// // NULL value
|
||||
// }
|
||||
//
|
||||
type NullUUID struct {
|
||||
UUID UUID
|
||||
Valid bool // Valid is true if UUID is not NULL
|
||||
}
|
||||
|
||||
// Scan implements the SQL driver.Scanner interface.
|
||||
func (nu *NullUUID) Scan(value interface{}) error {
|
||||
if value == nil {
|
||||
nu.UUID, nu.Valid = Nil, false
|
||||
return nil
|
||||
}
|
||||
|
||||
err := nu.UUID.Scan(value)
|
||||
if err != nil {
|
||||
nu.Valid = false
|
||||
return err
|
||||
}
|
||||
|
||||
nu.Valid = true
|
||||
return nil
|
||||
}
|
||||
|
||||
// Value implements the driver Valuer interface.
|
||||
func (nu NullUUID) Value() (driver.Value, error) {
|
||||
if !nu.Valid {
|
||||
return nil, nil
|
||||
}
|
||||
// Delegate to UUID Value function
|
||||
return nu.UUID.Value()
|
||||
}
|
||||
|
||||
// MarshalBinary implements encoding.BinaryMarshaler.
|
||||
func (nu NullUUID) MarshalBinary() ([]byte, error) {
|
||||
if nu.Valid {
|
||||
return nu.UUID[:], nil
|
||||
}
|
||||
|
||||
return []byte(nil), nil
|
||||
}
|
||||
|
||||
// UnmarshalBinary implements encoding.BinaryUnmarshaler.
|
||||
func (nu *NullUUID) UnmarshalBinary(data []byte) error {
|
||||
if len(data) != 16 {
|
||||
return fmt.Errorf("invalid UUID (got %d bytes)", len(data))
|
||||
}
|
||||
copy(nu.UUID[:], data)
|
||||
nu.Valid = true
|
||||
return nil
|
||||
}
|
||||
|
||||
// MarshalText implements encoding.TextMarshaler.
|
||||
func (nu NullUUID) MarshalText() ([]byte, error) {
|
||||
if nu.Valid {
|
||||
return nu.UUID.MarshalText()
|
||||
}
|
||||
|
||||
return jsonNull, nil
|
||||
}
|
||||
|
||||
// UnmarshalText implements encoding.TextUnmarshaler.
|
||||
func (nu *NullUUID) UnmarshalText(data []byte) error {
|
||||
id, err := ParseBytes(data)
|
||||
if err != nil {
|
||||
nu.Valid = false
|
||||
return err
|
||||
}
|
||||
nu.UUID = id
|
||||
nu.Valid = true
|
||||
return nil
|
||||
}
|
||||
|
||||
// MarshalJSON implements json.Marshaler.
|
||||
func (nu NullUUID) MarshalJSON() ([]byte, error) {
|
||||
if nu.Valid {
|
||||
return json.Marshal(nu.UUID)
|
||||
}
|
||||
|
||||
return jsonNull, nil
|
||||
}
|
||||
|
||||
// UnmarshalJSON implements json.Unmarshaler.
|
||||
func (nu *NullUUID) UnmarshalJSON(data []byte) error {
|
||||
if bytes.Equal(data, jsonNull) {
|
||||
*nu = NullUUID{}
|
||||
return nil // valid null UUID
|
||||
}
|
||||
err := json.Unmarshal(data, &nu.UUID)
|
||||
nu.Valid = err == nil
|
||||
return err
|
||||
}
|
2
vendor/github.com/google/uuid/sql.go
generated
vendored
2
vendor/github.com/google/uuid/sql.go
generated
vendored
|
@ -9,7 +9,7 @@ import (
|
|||
"fmt"
|
||||
)
|
||||
|
||||
// Scan implements sql.Scanner so UUIDs can be read from databases transparently
|
||||
// Scan implements sql.Scanner so UUIDs can be read from databases transparently.
|
||||
// Currently, database types that map to string and []byte are supported. Please
|
||||
// consult database-specific driver documentation for matching types.
|
||||
func (uuid *UUID) Scan(src interface{}) error {
|
||||
|
|
55
vendor/github.com/google/uuid/uuid.go
generated
vendored
55
vendor/github.com/google/uuid/uuid.go
generated
vendored
|
@ -12,6 +12,7 @@ import (
|
|||
"fmt"
|
||||
"io"
|
||||
"strings"
|
||||
"sync"
|
||||
)
|
||||
|
||||
// A UUID is a 128 bit (16 byte) Universal Unique IDentifier as defined in RFC
|
||||
|
@ -33,7 +34,27 @@ const (
|
|||
Future // Reserved for future definition.
|
||||
)
|
||||
|
||||
var rander = rand.Reader // random function
|
||||
const randPoolSize = 16 * 16
|
||||
|
||||
var (
|
||||
rander = rand.Reader // random function
|
||||
poolEnabled = false
|
||||
poolMu sync.Mutex
|
||||
poolPos = randPoolSize // protected with poolMu
|
||||
pool [randPoolSize]byte // protected with poolMu
|
||||
)
|
||||
|
||||
type invalidLengthError struct{ len int }
|
||||
|
||||
func (err invalidLengthError) Error() string {
|
||||
return fmt.Sprintf("invalid UUID length: %d", err.len)
|
||||
}
|
||||
|
||||
// IsInvalidLengthError is matcher function for custom error invalidLengthError
|
||||
func IsInvalidLengthError(err error) bool {
|
||||
_, ok := err.(invalidLengthError)
|
||||
return ok
|
||||
}
|
||||
|
||||
// Parse decodes s into a UUID or returns an error. Both the standard UUID
|
||||
// forms of xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx and
|
||||
|
@ -68,7 +89,7 @@ func Parse(s string) (UUID, error) {
|
|||
}
|
||||
return uuid, nil
|
||||
default:
|
||||
return uuid, fmt.Errorf("invalid UUID length: %d", len(s))
|
||||
return uuid, invalidLengthError{len(s)}
|
||||
}
|
||||
// s is now at least 36 bytes long
|
||||
// it must be of the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
|
||||
|
@ -112,7 +133,7 @@ func ParseBytes(b []byte) (UUID, error) {
|
|||
}
|
||||
return uuid, nil
|
||||
default:
|
||||
return uuid, fmt.Errorf("invalid UUID length: %d", len(b))
|
||||
return uuid, invalidLengthError{len(b)}
|
||||
}
|
||||
// s is now at least 36 bytes long
|
||||
// it must be of the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
|
||||
|
@ -243,3 +264,31 @@ func SetRand(r io.Reader) {
|
|||
}
|
||||
rander = r
|
||||
}
|
||||
|
||||
// EnableRandPool enables internal randomness pool used for Random
|
||||
// (Version 4) UUID generation. The pool contains random bytes read from
|
||||
// the random number generator on demand in batches. Enabling the pool
|
||||
// may improve the UUID generation throughput significantly.
|
||||
//
|
||||
// Since the pool is stored on the Go heap, this feature may be a bad fit
|
||||
// for security sensitive applications.
|
||||
//
|
||||
// Both EnableRandPool and DisableRandPool are not thread-safe and should
|
||||
// only be called when there is no possibility that New or any other
|
||||
// UUID Version 4 generation function will be called concurrently.
|
||||
func EnableRandPool() {
|
||||
poolEnabled = true
|
||||
}
|
||||
|
||||
// DisableRandPool disables the randomness pool if it was previously
|
||||
// enabled with EnableRandPool.
|
||||
//
|
||||
// Both EnableRandPool and DisableRandPool are not thread-safe and should
|
||||
// only be called when there is no possibility that New or any other
|
||||
// UUID Version 4 generation function will be called concurrently.
|
||||
func DisableRandPool() {
|
||||
poolEnabled = false
|
||||
defer poolMu.Unlock()
|
||||
poolMu.Lock()
|
||||
poolPos = randPoolSize
|
||||
}
|
||||
|
|
12
vendor/github.com/google/uuid/version1.go
generated
vendored
12
vendor/github.com/google/uuid/version1.go
generated
vendored
|
@ -17,12 +17,6 @@ import (
|
|||
//
|
||||
// In most cases, New should be used.
|
||||
func NewUUID() (UUID, error) {
|
||||
nodeMu.Lock()
|
||||
if nodeID == zeroID {
|
||||
setNodeInterface("")
|
||||
}
|
||||
nodeMu.Unlock()
|
||||
|
||||
var uuid UUID
|
||||
now, seq, err := GetTime()
|
||||
if err != nil {
|
||||
|
@ -38,7 +32,13 @@ func NewUUID() (UUID, error) {
|
|||
binary.BigEndian.PutUint16(uuid[4:], timeMid)
|
||||
binary.BigEndian.PutUint16(uuid[6:], timeHi)
|
||||
binary.BigEndian.PutUint16(uuid[8:], seq)
|
||||
|
||||
nodeMu.Lock()
|
||||
if nodeID == zeroID {
|
||||
setNodeInterface("")
|
||||
}
|
||||
copy(uuid[10:], nodeID[:])
|
||||
nodeMu.Unlock()
|
||||
|
||||
return uuid, nil
|
||||
}
|
||||
|
|
40
vendor/github.com/google/uuid/version4.go
generated
vendored
40
vendor/github.com/google/uuid/version4.go
generated
vendored
|
@ -14,11 +14,21 @@ func New() UUID {
|
|||
return Must(NewRandom())
|
||||
}
|
||||
|
||||
// NewString creates a new random UUID and returns it as a string or panics.
|
||||
// NewString is equivalent to the expression
|
||||
//
|
||||
// uuid.New().String()
|
||||
func NewString() string {
|
||||
return Must(NewRandom()).String()
|
||||
}
|
||||
|
||||
// NewRandom returns a Random (Version 4) UUID.
|
||||
//
|
||||
// The strength of the UUIDs is based on the strength of the crypto/rand
|
||||
// package.
|
||||
//
|
||||
// Uses the randomness pool if it was enabled with EnableRandPool.
|
||||
//
|
||||
// A note about uniqueness derived from the UUID Wikipedia entry:
|
||||
//
|
||||
// Randomly generated UUIDs have 122 random bits. One's annual risk of being
|
||||
|
@ -27,8 +37,16 @@ func New() UUID {
|
|||
// equivalent to the odds of creating a few tens of trillions of UUIDs in a
|
||||
// year and having one duplicate.
|
||||
func NewRandom() (UUID, error) {
|
||||
if !poolEnabled {
|
||||
return NewRandomFromReader(rander)
|
||||
}
|
||||
return newRandomFromPool()
|
||||
}
|
||||
|
||||
// NewRandomFromReader returns a UUID based on bytes read from a given io.Reader.
|
||||
func NewRandomFromReader(r io.Reader) (UUID, error) {
|
||||
var uuid UUID
|
||||
_, err := io.ReadFull(rander, uuid[:])
|
||||
_, err := io.ReadFull(r, uuid[:])
|
||||
if err != nil {
|
||||
return Nil, err
|
||||
}
|
||||
|
@ -36,3 +54,23 @@ func NewRandom() (UUID, error) {
|
|||
uuid[8] = (uuid[8] & 0x3f) | 0x80 // Variant is 10
|
||||
return uuid, nil
|
||||
}
|
||||
|
||||
func newRandomFromPool() (UUID, error) {
|
||||
var uuid UUID
|
||||
poolMu.Lock()
|
||||
if poolPos == randPoolSize {
|
||||
_, err := io.ReadFull(rander, pool[:])
|
||||
if err != nil {
|
||||
poolMu.Unlock()
|
||||
return Nil, err
|
||||
}
|
||||
poolPos = 0
|
||||
}
|
||||
copy(uuid[:], pool[poolPos:(poolPos+16)])
|
||||
poolPos += 16
|
||||
poolMu.Unlock()
|
||||
|
||||
uuid[6] = (uuid[6] & 0x0f) | 0x40 // Version 4
|
||||
uuid[8] = (uuid[8] & 0x3f) | 0x80 // Variant is 10
|
||||
return uuid, nil
|
||||
}
|
||||
|
|
10
vendor/github.com/pkg/browser/browser.go
generated
vendored
10
vendor/github.com/pkg/browser/browser.go
generated
vendored
|
@ -30,7 +30,7 @@ func OpenFile(path string) error {
|
|||
// OpenReader consumes the contents of r and presents the
|
||||
// results in a new browser window.
|
||||
func OpenReader(r io.Reader) error {
|
||||
f, err := ioutil.TempFile("", "browser")
|
||||
f, err := ioutil.TempFile("", "browser.*.html")
|
||||
if err != nil {
|
||||
return fmt.Errorf("browser: could not create temporary file: %v", err)
|
||||
}
|
||||
|
@ -41,12 +41,7 @@ func OpenReader(r io.Reader) error {
|
|||
if err := f.Close(); err != nil {
|
||||
return fmt.Errorf("browser: caching temporary file failed: %v", err)
|
||||
}
|
||||
oldname := f.Name()
|
||||
newname := oldname + ".html"
|
||||
if err := os.Rename(oldname, newname); err != nil {
|
||||
return fmt.Errorf("browser: renaming temporary file failed: %v", err)
|
||||
}
|
||||
return OpenFile(newname)
|
||||
return OpenFile(f.Name())
|
||||
}
|
||||
|
||||
// OpenURL opens a new browser window pointing to url.
|
||||
|
@ -58,6 +53,5 @@ func runCmd(prog string, args ...string) error {
|
|||
cmd := exec.Command(prog, args...)
|
||||
cmd.Stdout = Stdout
|
||||
cmd.Stderr = Stderr
|
||||
setFlags(cmd)
|
||||
return cmd.Run()
|
||||
}
|
||||
|
|
4
vendor/github.com/pkg/browser/browser_darwin.go
generated
vendored
4
vendor/github.com/pkg/browser/browser_darwin.go
generated
vendored
|
@ -1,9 +1,5 @@
|
|||
package browser
|
||||
|
||||
import "os/exec"
|
||||
|
||||
func openBrowser(url string) error {
|
||||
return runCmd("open", url)
|
||||
}
|
||||
|
||||
func setFlags(cmd *exec.Cmd) {}
|
||||
|
|
2
vendor/github.com/pkg/browser/browser_freebsd.go
generated
vendored
2
vendor/github.com/pkg/browser/browser_freebsd.go
generated
vendored
|
@ -12,5 +12,3 @@ func openBrowser(url string) error {
|
|||
}
|
||||
return err
|
||||
}
|
||||
|
||||
func setFlags(cmd *exec.Cmd) {}
|
||||
|
|
2
vendor/github.com/pkg/browser/browser_linux.go
generated
vendored
2
vendor/github.com/pkg/browser/browser_linux.go
generated
vendored
|
@ -19,5 +19,3 @@ func openBrowser(url string) error {
|
|||
|
||||
return &exec.Error{Name: strings.Join(providers, ","), Err: exec.ErrNotFound}
|
||||
}
|
||||
|
||||
func setFlags(cmd *exec.Cmd) {}
|
||||
|
|
14
vendor/github.com/pkg/browser/browser_netbsd.go
generated
vendored
Normal file
14
vendor/github.com/pkg/browser/browser_netbsd.go
generated
vendored
Normal file
|
@ -0,0 +1,14 @@
|
|||
package browser
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"os/exec"
|
||||
)
|
||||
|
||||
func openBrowser(url string) error {
|
||||
err := runCmd("xdg-open", url)
|
||||
if e, ok := err.(*exec.Error); ok && e.Err == exec.ErrNotFound {
|
||||
return errors.New("xdg-open: command not found - install xdg-utils from pkgsrc(7)")
|
||||
}
|
||||
return err
|
||||
}
|
2
vendor/github.com/pkg/browser/browser_openbsd.go
generated
vendored
2
vendor/github.com/pkg/browser/browser_openbsd.go
generated
vendored
|
@ -12,5 +12,3 @@ func openBrowser(url string) error {
|
|||
}
|
||||
return err
|
||||
}
|
||||
|
||||
func setFlags(cmd *exec.Cmd) {}
|
||||
|
|
5
vendor/github.com/pkg/browser/browser_unsupported.go
generated
vendored
5
vendor/github.com/pkg/browser/browser_unsupported.go
generated
vendored
|
@ -1,15 +1,12 @@
|
|||
// +build !linux,!windows,!darwin,!openbsd,!freebsd
|
||||
// +build !linux,!windows,!darwin,!openbsd,!freebsd,!netbsd
|
||||
|
||||
package browser
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os/exec"
|
||||
"runtime"
|
||||
)
|
||||
|
||||
func openBrowser(url string) error {
|
||||
return fmt.Errorf("openBrowser: unsupported operating system: %v", runtime.GOOS)
|
||||
}
|
||||
|
||||
func setFlags(cmd *exec.Cmd) {}
|
||||
|
|
10
vendor/github.com/pkg/browser/browser_windows.go
generated
vendored
10
vendor/github.com/pkg/browser/browser_windows.go
generated
vendored
|
@ -1,13 +1,7 @@
|
|||
//go:generate mkwinsyscall -output zbrowser_windows.go browser_windows.go
|
||||
//sys ShellExecute(hwnd int, verb string, file string, args string, cwd string, showCmd int) (err error) = shell32.ShellExecuteW
|
||||
package browser
|
||||
|
||||
import "os/exec"
|
||||
const SW_SHOWNORMAL = 1
|
||||
import "golang.org/x/sys/windows"
|
||||
|
||||
func openBrowser(url string) error {
|
||||
return ShellExecute(0, "", url, "", "", SW_SHOWNORMAL)
|
||||
}
|
||||
|
||||
func setFlags(cmd *exec.Cmd) {
|
||||
return windows.ShellExecute(0, nil, windows.StringToUTF16Ptr(url), nil, nil, windows.SW_SHOWNORMAL)
|
||||
}
|
||||
|
|
76
vendor/github.com/pkg/browser/zbrowser_windows.go
generated
vendored
76
vendor/github.com/pkg/browser/zbrowser_windows.go
generated
vendored
|
@ -1,76 +0,0 @@
|
|||
// Code generated by 'go generate'; DO NOT EDIT.
|
||||
|
||||
package browser
|
||||
|
||||
import (
|
||||
"syscall"
|
||||
"unsafe"
|
||||
|
||||
"golang.org/x/sys/windows"
|
||||
)
|
||||
|
||||
var _ unsafe.Pointer
|
||||
|
||||
// Do the interface allocations only once for common
|
||||
// Errno values.
|
||||
const (
|
||||
errnoERROR_IO_PENDING = 997
|
||||
)
|
||||
|
||||
var (
|
||||
errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
|
||||
errERROR_EINVAL error = syscall.EINVAL
|
||||
)
|
||||
|
||||
// errnoErr returns common boxed Errno values, to prevent
|
||||
// allocations at runtime.
|
||||
func errnoErr(e syscall.Errno) error {
|
||||
switch e {
|
||||
case 0:
|
||||
return errERROR_EINVAL
|
||||
case errnoERROR_IO_PENDING:
|
||||
return errERROR_IO_PENDING
|
||||
}
|
||||
// TODO: add more here, after collecting data on the common
|
||||
// error values see on Windows. (perhaps when running
|
||||
// all.bat?)
|
||||
return e
|
||||
}
|
||||
|
||||
var (
|
||||
modshell32 = windows.NewLazySystemDLL("shell32.dll")
|
||||
|
||||
procShellExecuteW = modshell32.NewProc("ShellExecuteW")
|
||||
)
|
||||
|
||||
func ShellExecute(hwnd int, verb string, file string, args string, cwd string, showCmd int) (err error) {
|
||||
var _p0 *uint16
|
||||
_p0, err = syscall.UTF16PtrFromString(verb)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
var _p1 *uint16
|
||||
_p1, err = syscall.UTF16PtrFromString(file)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
var _p2 *uint16
|
||||
_p2, err = syscall.UTF16PtrFromString(args)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
var _p3 *uint16
|
||||
_p3, err = syscall.UTF16PtrFromString(cwd)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
return _ShellExecute(hwnd, _p0, _p1, _p2, _p3, showCmd)
|
||||
}
|
||||
|
||||
func _ShellExecute(hwnd int, verb *uint16, file *uint16, args *uint16, cwd *uint16, showCmd int) (err error) {
|
||||
r1, _, e1 := syscall.Syscall6(procShellExecuteW.Addr(), 6, uintptr(hwnd), uintptr(unsafe.Pointer(verb)), uintptr(unsafe.Pointer(file)), uintptr(unsafe.Pointer(args)), uintptr(unsafe.Pointer(cwd)), uintptr(showCmd))
|
||||
if r1 == 0 {
|
||||
err = errnoErr(e1)
|
||||
}
|
||||
return
|
||||
}
|
3
vendor/golang.org/x/crypto/AUTHORS
generated
vendored
3
vendor/golang.org/x/crypto/AUTHORS
generated
vendored
|
@ -1,3 +0,0 @@
|
|||
# This source code refers to The Go Authors for copyright purposes.
|
||||
# The master list of authors is in the main Go distribution,
|
||||
# visible at https://tip.golang.org/AUTHORS.
|
3
vendor/golang.org/x/crypto/CONTRIBUTORS
generated
vendored
3
vendor/golang.org/x/crypto/CONTRIBUTORS
generated
vendored
|
@ -1,3 +0,0 @@
|
|||
# This source code was written by the Go contributors.
|
||||
# The master list of contributors is in the main Go distribution,
|
||||
# visible at https://tip.golang.org/CONTRIBUTORS.
|
16
vendor/golang.org/x/crypto/acme/acme.go
generated
vendored
16
vendor/golang.org/x/crypto/acme/acme.go
generated
vendored
|
@ -88,7 +88,7 @@ type Client struct {
|
|||
//
|
||||
// The following algorithms are supported:
|
||||
// RS256, ES256, ES384 and ES512.
|
||||
// See RFC7518 for more details about the algorithms.
|
||||
// See RFC 7518 for more details about the algorithms.
|
||||
Key crypto.Signer
|
||||
|
||||
// HTTPClient optionally specifies an HTTP client to use
|
||||
|
@ -306,6 +306,20 @@ func (c *Client) UpdateReg(ctx context.Context, acct *Account) (*Account, error)
|
|||
return c.updateRegRFC(ctx, acct)
|
||||
}
|
||||
|
||||
// AccountKeyRollover attempts to transition a client's account key to a new key.
|
||||
// On success client's Key is updated which is not concurrency safe.
|
||||
// On failure an error will be returned.
|
||||
// The new key is already registered with the ACME provider if the following is true:
|
||||
// - error is of type acme.Error
|
||||
// - StatusCode should be 409 (Conflict)
|
||||
// - Location header will have the KID of the associated account
|
||||
//
|
||||
// More about account key rollover can be found at
|
||||
// https://tools.ietf.org/html/rfc8555#section-7.3.5.
|
||||
func (c *Client) AccountKeyRollover(ctx context.Context, newKey crypto.Signer) error {
|
||||
return c.accountKeyRollover(ctx, newKey)
|
||||
}
|
||||
|
||||
// Authorize performs the initial step in the pre-authorization flow,
|
||||
// as opposed to order-based flow.
|
||||
// The caller will then need to choose from and perform a set of returned
|
||||
|
|
4
vendor/golang.org/x/crypto/acme/autocert/autocert.go
generated
vendored
4
vendor/golang.org/x/crypto/acme/autocert/autocert.go
generated
vendored
|
@ -463,7 +463,7 @@ func (m *Manager) cert(ctx context.Context, ck certKey) (*tls.Certificate, error
|
|||
leaf: cert.Leaf,
|
||||
}
|
||||
m.state[ck] = s
|
||||
go m.startRenew(ck, s.key, s.leaf.NotAfter)
|
||||
m.startRenew(ck, s.key, s.leaf.NotAfter)
|
||||
return cert, nil
|
||||
}
|
||||
|
||||
|
@ -609,7 +609,7 @@ func (m *Manager) createCert(ctx context.Context, ck certKey) (*tls.Certificate,
|
|||
}
|
||||
state.cert = der
|
||||
state.leaf = leaf
|
||||
go m.startRenew(ck, state.key, state.leaf.NotAfter)
|
||||
m.startRenew(ck, state.key, state.leaf.NotAfter)
|
||||
return state.tlscert()
|
||||
}
|
||||
|
||||
|
|
11
vendor/golang.org/x/crypto/acme/autocert/cache.go
generated
vendored
11
vendor/golang.org/x/crypto/acme/autocert/cache.go
generated
vendored
|
@ -7,7 +7,6 @@ package autocert
|
|||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"path/filepath"
|
||||
)
|
||||
|
@ -41,14 +40,14 @@ type DirCache string
|
|||
|
||||
// Get reads a certificate data from the specified file name.
|
||||
func (d DirCache) Get(ctx context.Context, name string) ([]byte, error) {
|
||||
name = filepath.Join(string(d), name)
|
||||
name = filepath.Join(string(d), filepath.Clean("/"+name))
|
||||
var (
|
||||
data []byte
|
||||
err error
|
||||
done = make(chan struct{})
|
||||
)
|
||||
go func() {
|
||||
data, err = ioutil.ReadFile(name)
|
||||
data, err = os.ReadFile(name)
|
||||
close(done)
|
||||
}()
|
||||
select {
|
||||
|
@ -82,7 +81,7 @@ func (d DirCache) Put(ctx context.Context, name string, data []byte) error {
|
|||
case <-ctx.Done():
|
||||
// Don't overwrite the file if the context was canceled.
|
||||
default:
|
||||
newName := filepath.Join(string(d), name)
|
||||
newName := filepath.Join(string(d), filepath.Clean("/"+name))
|
||||
err = os.Rename(tmp, newName)
|
||||
}
|
||||
}()
|
||||
|
@ -96,7 +95,7 @@ func (d DirCache) Put(ctx context.Context, name string, data []byte) error {
|
|||
|
||||
// Delete removes the specified file name.
|
||||
func (d DirCache) Delete(ctx context.Context, name string) error {
|
||||
name = filepath.Join(string(d), name)
|
||||
name = filepath.Join(string(d), filepath.Clean("/"+name))
|
||||
var (
|
||||
err error
|
||||
done = make(chan struct{})
|
||||
|
@ -119,7 +118,7 @@ func (d DirCache) Delete(ctx context.Context, name string) error {
|
|||
// writeTempFile writes b to a temporary file, closes the file and returns its path.
|
||||
func (d DirCache) writeTempFile(prefix string, b []byte) (name string, reterr error) {
|
||||
// TempFile uses 0600 permissions
|
||||
f, err := ioutil.TempFile(string(d), prefix)
|
||||
f, err := os.CreateTemp(string(d), prefix)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
|
6
vendor/golang.org/x/crypto/acme/http.go
generated
vendored
6
vendor/golang.org/x/crypto/acme/http.go
generated
vendored
|
@ -12,7 +12,7 @@ import (
|
|||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"io"
|
||||
"math/big"
|
||||
"net/http"
|
||||
"strconv"
|
||||
|
@ -156,7 +156,7 @@ func (c *Client) get(ctx context.Context, url string, ok resOkay) (*http.Respons
|
|||
}
|
||||
}
|
||||
|
||||
// postAsGet is POST-as-GET, a replacement for GET in RFC8555
|
||||
// postAsGet is POST-as-GET, a replacement for GET in RFC 8555
|
||||
// as described in https://tools.ietf.org/html/rfc8555#section-6.3.
|
||||
// It makes a POST request in KID form with zero JWS payload.
|
||||
// See nopayload doc comments in jws.go.
|
||||
|
@ -310,7 +310,7 @@ func isRetriable(code int) bool {
|
|||
func responseError(resp *http.Response) error {
|
||||
// don't care if ReadAll returns an error:
|
||||
// json.Unmarshal will fail in that case anyway
|
||||
b, _ := ioutil.ReadAll(resp.Body)
|
||||
b, _ := io.ReadAll(resp.Body)
|
||||
e := &wireError{Status: resp.StatusCode}
|
||||
if err := json.Unmarshal(b, e); err != nil {
|
||||
// this is not a regular error response:
|
||||
|
|
37
vendor/golang.org/x/crypto/acme/jws.go
generated
vendored
37
vendor/golang.org/x/crypto/acme/jws.go
generated
vendored
|
@ -33,6 +33,10 @@ const noKeyID = KeyID("")
|
|||
// See https://tools.ietf.org/html/rfc8555#section-6.3 for more details.
|
||||
const noPayload = ""
|
||||
|
||||
// noNonce indicates that the nonce should be omitted from the protected header.
|
||||
// See jwsEncodeJSON for details.
|
||||
const noNonce = ""
|
||||
|
||||
// jsonWebSignature can be easily serialized into a JWS following
|
||||
// https://tools.ietf.org/html/rfc7515#section-3.2.
|
||||
type jsonWebSignature struct {
|
||||
|
@ -45,10 +49,15 @@ type jsonWebSignature struct {
|
|||
// The result is serialized in JSON format containing either kid or jwk
|
||||
// fields based on the provided KeyID value.
|
||||
//
|
||||
// If kid is non-empty, its quoted value is inserted in the protected head
|
||||
// The claimset is marshalled using json.Marshal unless it is a string.
|
||||
// In which case it is inserted directly into the message.
|
||||
//
|
||||
// If kid is non-empty, its quoted value is inserted in the protected header
|
||||
// as "kid" field value. Otherwise, JWK is computed using jwkEncode and inserted
|
||||
// as "jwk" field value. The "jwk" and "kid" fields are mutually exclusive.
|
||||
//
|
||||
// If nonce is non-empty, its quoted value is inserted in the protected header.
|
||||
//
|
||||
// See https://tools.ietf.org/html/rfc7515#section-7.
|
||||
func jwsEncodeJSON(claimset interface{}, key crypto.Signer, kid KeyID, nonce, url string) ([]byte, error) {
|
||||
if key == nil {
|
||||
|
@ -58,20 +67,36 @@ func jwsEncodeJSON(claimset interface{}, key crypto.Signer, kid KeyID, nonce, ur
|
|||
if alg == "" || !sha.Available() {
|
||||
return nil, ErrUnsupportedKey
|
||||
}
|
||||
var phead string
|
||||
headers := struct {
|
||||
Alg string `json:"alg"`
|
||||
KID string `json:"kid,omitempty"`
|
||||
JWK json.RawMessage `json:"jwk,omitempty"`
|
||||
Nonce string `json:"nonce,omitempty"`
|
||||
URL string `json:"url"`
|
||||
}{
|
||||
Alg: alg,
|
||||
Nonce: nonce,
|
||||
URL: url,
|
||||
}
|
||||
switch kid {
|
||||
case noKeyID:
|
||||
jwk, err := jwkEncode(key.Public())
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
phead = fmt.Sprintf(`{"alg":%q,"jwk":%s,"nonce":%q,"url":%q}`, alg, jwk, nonce, url)
|
||||
headers.JWK = json.RawMessage(jwk)
|
||||
default:
|
||||
phead = fmt.Sprintf(`{"alg":%q,"kid":%q,"nonce":%q,"url":%q}`, alg, kid, nonce, url)
|
||||
headers.KID = string(kid)
|
||||
}
|
||||
phead = base64.RawURLEncoding.EncodeToString([]byte(phead))
|
||||
phJSON, err := json.Marshal(headers)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
phead := base64.RawURLEncoding.EncodeToString([]byte(phJSON))
|
||||
var payload string
|
||||
if claimset != noPayload {
|
||||
if val, ok := claimset.(string); ok {
|
||||
payload = val
|
||||
} else {
|
||||
cs, err := json.Marshal(claimset)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
|
46
vendor/golang.org/x/crypto/acme/rfc8555.go
generated
vendored
46
vendor/golang.org/x/crypto/acme/rfc8555.go
generated
vendored
|
@ -13,7 +13,6 @@ import (
|
|||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"time"
|
||||
)
|
||||
|
@ -24,6 +23,9 @@ import (
|
|||
//
|
||||
// It only works with CAs implementing RFC 8555.
|
||||
func (c *Client) DeactivateReg(ctx context.Context) error {
|
||||
if _, err := c.Discover(ctx); err != nil { // required by c.accountKID
|
||||
return err
|
||||
}
|
||||
url := string(c.accountKID(ctx))
|
||||
if url == "" {
|
||||
return ErrNoAccount
|
||||
|
@ -115,7 +117,7 @@ func (c *Client) updateRegRFC(ctx context.Context, a *Account) (*Account, error)
|
|||
return responseAccount(res)
|
||||
}
|
||||
|
||||
// getGegRFC is equivalent to c.GetReg but for CAs implementing RFC 8555.
|
||||
// getRegRFC is equivalent to c.GetReg but for CAs implementing RFC 8555.
|
||||
// It expects c.Discover to have already been called.
|
||||
func (c *Client) getRegRFC(ctx context.Context) (*Account, error) {
|
||||
req := json.RawMessage(`{"onlyReturnExisting": true}`)
|
||||
|
@ -148,6 +150,42 @@ func responseAccount(res *http.Response) (*Account, error) {
|
|||
}, nil
|
||||
}
|
||||
|
||||
// accountKeyRollover attempts to perform account key rollover.
|
||||
// On success it will change client.Key to the new key.
|
||||
func (c *Client) accountKeyRollover(ctx context.Context, newKey crypto.Signer) error {
|
||||
dir, err := c.Discover(ctx) // Also required by c.accountKID
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
kid := c.accountKID(ctx)
|
||||
if kid == noKeyID {
|
||||
return ErrNoAccount
|
||||
}
|
||||
oldKey, err := jwkEncode(c.Key.Public())
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
payload := struct {
|
||||
Account string `json:"account"`
|
||||
OldKey json.RawMessage `json:"oldKey"`
|
||||
}{
|
||||
Account: string(kid),
|
||||
OldKey: json.RawMessage(oldKey),
|
||||
}
|
||||
inner, err := jwsEncodeJSON(payload, newKey, noKeyID, noNonce, dir.KeyChangeURL)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
res, err := c.post(ctx, nil, dir.KeyChangeURL, base64.RawURLEncoding.EncodeToString(inner), wantStatus(http.StatusOK))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer res.Body.Close()
|
||||
c.Key = newKey
|
||||
return nil
|
||||
}
|
||||
|
||||
// AuthorizeOrder initiates the order-based application for certificate issuance,
|
||||
// as opposed to pre-authorization in Authorize.
|
||||
// It is only supported by CAs implementing RFC 8555.
|
||||
|
@ -351,7 +389,7 @@ func (c *Client) fetchCertRFC(ctx context.Context, url string, bundle bool) ([][
|
|||
// Get all the bytes up to a sane maximum.
|
||||
// Account very roughly for base64 overhead.
|
||||
const max = maxCertChainSize + maxCertChainSize/33
|
||||
b, err := ioutil.ReadAll(io.LimitReader(res.Body, max+1))
|
||||
b, err := io.ReadAll(io.LimitReader(res.Body, max+1))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("acme: fetch cert response stream: %v", err)
|
||||
}
|
||||
|
@ -430,7 +468,7 @@ func (c *Client) ListCertAlternates(ctx context.Context, url string) ([]string,
|
|||
|
||||
// We don't need the body but we need to discard it so we don't end up
|
||||
// preventing keep-alive
|
||||
if _, err := io.Copy(ioutil.Discard, res.Body); err != nil {
|
||||
if _, err := io.Copy(io.Discard, res.Body); err != nil {
|
||||
return nil, fmt.Errorf("acme: cert alternates response stream: %v", err)
|
||||
}
|
||||
alts := linkHeader(res.Header, "alternate")
|
||||
|
|
4
vendor/golang.org/x/crypto/acme/types.go
generated
vendored
4
vendor/golang.org/x/crypto/acme/types.go
generated
vendored
|
@ -297,7 +297,7 @@ type Directory struct {
|
|||
|
||||
// CAA consists of lowercase hostname elements, which the ACME server
|
||||
// recognises as referring to itself for the purposes of CAA record validation
|
||||
// as defined in RFC6844.
|
||||
// as defined in RFC 6844.
|
||||
CAA []string
|
||||
|
||||
// ExternalAccountRequired indicates that the CA requires for all account-related
|
||||
|
@ -440,7 +440,7 @@ func DomainIDs(names ...string) []AuthzID {
|
|||
|
||||
// IPIDs creates a slice of AuthzID with "ip" identifier type.
|
||||
// Each element of addr is textual form of an address as defined
|
||||
// in RFC1123 Section 2.1 for IPv4 and in RFC5952 Section 4 for IPv6.
|
||||
// in RFC 1123 Section 2.1 for IPv4 and in RFC 5952 Section 4 for IPv6.
|
||||
func IPIDs(addr ...string) []AuthzID {
|
||||
a := make([]AuthzID, len(addr))
|
||||
for i, v := range addr {
|
||||
|
|
11
vendor/golang.org/x/crypto/bcrypt/bcrypt.go
generated
vendored
11
vendor/golang.org/x/crypto/bcrypt/bcrypt.go
generated
vendored
|
@ -50,7 +50,7 @@ func (ih InvalidHashPrefixError) Error() string {
|
|||
type InvalidCostError int
|
||||
|
||||
func (ic InvalidCostError) Error() string {
|
||||
return fmt.Sprintf("crypto/bcrypt: cost %d is outside allowed range (%d,%d)", int(ic), int(MinCost), int(MaxCost))
|
||||
return fmt.Sprintf("crypto/bcrypt: cost %d is outside allowed range (%d,%d)", int(ic), MinCost, MaxCost)
|
||||
}
|
||||
|
||||
const (
|
||||
|
@ -82,11 +82,20 @@ type hashed struct {
|
|||
minor byte
|
||||
}
|
||||
|
||||
// ErrPasswordTooLong is returned when the password passed to
|
||||
// GenerateFromPassword is too long (i.e. > 72 bytes).
|
||||
var ErrPasswordTooLong = errors.New("bcrypt: password length exceeds 72 bytes")
|
||||
|
||||
// GenerateFromPassword returns the bcrypt hash of the password at the given
|
||||
// cost. If the cost given is less than MinCost, the cost will be set to
|
||||
// DefaultCost, instead. Use CompareHashAndPassword, as defined in this package,
|
||||
// to compare the returned hashed password with its cleartext version.
|
||||
// GenerateFromPassword does not accept passwords longer than 72 bytes, which
|
||||
// is the longest password bcrypt will operate on.
|
||||
func GenerateFromPassword(password []byte, cost int) ([]byte, error) {
|
||||
if len(password) > 72 {
|
||||
return nil, ErrPasswordTooLong
|
||||
}
|
||||
p, err := newFromPassword(password, cost)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
|
2
vendor/golang.org/x/crypto/pkcs12/crypto.go
generated
vendored
2
vendor/golang.org/x/crypto/pkcs12/crypto.go
generated
vendored
|
@ -117,7 +117,7 @@ func pbDecrypt(info decryptable, password []byte) (decrypted []byte, err error)
|
|||
}
|
||||
ps := decrypted[len(decrypted)-psLen:]
|
||||
decrypted = decrypted[:len(decrypted)-psLen]
|
||||
if bytes.Compare(ps, bytes.Repeat([]byte{byte(psLen)}, psLen)) != 0 {
|
||||
if !bytes.Equal(ps, bytes.Repeat([]byte{byte(psLen)}, psLen)) {
|
||||
return nil, ErrDecryption
|
||||
}
|
||||
|
||||
|
|
53
vendor/golang.org/x/crypto/pkcs12/internal/rc2/rc2.go
generated
vendored
53
vendor/golang.org/x/crypto/pkcs12/internal/rc2/rc2.go
generated
vendored
|
@ -14,6 +14,7 @@ package rc2
|
|||
import (
|
||||
"crypto/cipher"
|
||||
"encoding/binary"
|
||||
"math/bits"
|
||||
)
|
||||
|
||||
// The rc2 block size in bytes
|
||||
|
@ -80,10 +81,6 @@ func expandKey(key []byte, t1 int) [64]uint16 {
|
|||
return k
|
||||
}
|
||||
|
||||
func rotl16(x uint16, b uint) uint16 {
|
||||
return (x >> (16 - b)) | (x << b)
|
||||
}
|
||||
|
||||
func (c *rc2Cipher) Encrypt(dst, src []byte) {
|
||||
|
||||
r0 := binary.LittleEndian.Uint16(src[0:])
|
||||
|
@ -96,22 +93,22 @@ func (c *rc2Cipher) Encrypt(dst, src []byte) {
|
|||
for j <= 16 {
|
||||
// mix r0
|
||||
r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1)
|
||||
r0 = rotl16(r0, 1)
|
||||
r0 = bits.RotateLeft16(r0, 1)
|
||||
j++
|
||||
|
||||
// mix r1
|
||||
r1 = r1 + c.k[j] + (r0 & r3) + ((^r0) & r2)
|
||||
r1 = rotl16(r1, 2)
|
||||
r1 = bits.RotateLeft16(r1, 2)
|
||||
j++
|
||||
|
||||
// mix r2
|
||||
r2 = r2 + c.k[j] + (r1 & r0) + ((^r1) & r3)
|
||||
r2 = rotl16(r2, 3)
|
||||
r2 = bits.RotateLeft16(r2, 3)
|
||||
j++
|
||||
|
||||
// mix r3
|
||||
r3 = r3 + c.k[j] + (r2 & r1) + ((^r2) & r0)
|
||||
r3 = rotl16(r3, 5)
|
||||
r3 = bits.RotateLeft16(r3, 5)
|
||||
j++
|
||||
|
||||
}
|
||||
|
@ -124,22 +121,22 @@ func (c *rc2Cipher) Encrypt(dst, src []byte) {
|
|||
for j <= 40 {
|
||||
// mix r0
|
||||
r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1)
|
||||
r0 = rotl16(r0, 1)
|
||||
r0 = bits.RotateLeft16(r0, 1)
|
||||
j++
|
||||
|
||||
// mix r1
|
||||
r1 = r1 + c.k[j] + (r0 & r3) + ((^r0) & r2)
|
||||
r1 = rotl16(r1, 2)
|
||||
r1 = bits.RotateLeft16(r1, 2)
|
||||
j++
|
||||
|
||||
// mix r2
|
||||
r2 = r2 + c.k[j] + (r1 & r0) + ((^r1) & r3)
|
||||
r2 = rotl16(r2, 3)
|
||||
r2 = bits.RotateLeft16(r2, 3)
|
||||
j++
|
||||
|
||||
// mix r3
|
||||
r3 = r3 + c.k[j] + (r2 & r1) + ((^r2) & r0)
|
||||
r3 = rotl16(r3, 5)
|
||||
r3 = bits.RotateLeft16(r3, 5)
|
||||
j++
|
||||
|
||||
}
|
||||
|
@ -152,22 +149,22 @@ func (c *rc2Cipher) Encrypt(dst, src []byte) {
|
|||
for j <= 60 {
|
||||
// mix r0
|
||||
r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1)
|
||||
r0 = rotl16(r0, 1)
|
||||
r0 = bits.RotateLeft16(r0, 1)
|
||||
j++
|
||||
|
||||
// mix r1
|
||||
r1 = r1 + c.k[j] + (r0 & r3) + ((^r0) & r2)
|
||||
r1 = rotl16(r1, 2)
|
||||
r1 = bits.RotateLeft16(r1, 2)
|
||||
j++
|
||||
|
||||
// mix r2
|
||||
r2 = r2 + c.k[j] + (r1 & r0) + ((^r1) & r3)
|
||||
r2 = rotl16(r2, 3)
|
||||
r2 = bits.RotateLeft16(r2, 3)
|
||||
j++
|
||||
|
||||
// mix r3
|
||||
r3 = r3 + c.k[j] + (r2 & r1) + ((^r2) & r0)
|
||||
r3 = rotl16(r3, 5)
|
||||
r3 = bits.RotateLeft16(r3, 5)
|
||||
j++
|
||||
}
|
||||
|
||||
|
@ -188,22 +185,22 @@ func (c *rc2Cipher) Decrypt(dst, src []byte) {
|
|||
|
||||
for j >= 44 {
|
||||
// unmix r3
|
||||
r3 = rotl16(r3, 16-5)
|
||||
r3 = bits.RotateLeft16(r3, 16-5)
|
||||
r3 = r3 - c.k[j] - (r2 & r1) - ((^r2) & r0)
|
||||
j--
|
||||
|
||||
// unmix r2
|
||||
r2 = rotl16(r2, 16-3)
|
||||
r2 = bits.RotateLeft16(r2, 16-3)
|
||||
r2 = r2 - c.k[j] - (r1 & r0) - ((^r1) & r3)
|
||||
j--
|
||||
|
||||
// unmix r1
|
||||
r1 = rotl16(r1, 16-2)
|
||||
r1 = bits.RotateLeft16(r1, 16-2)
|
||||
r1 = r1 - c.k[j] - (r0 & r3) - ((^r0) & r2)
|
||||
j--
|
||||
|
||||
// unmix r0
|
||||
r0 = rotl16(r0, 16-1)
|
||||
r0 = bits.RotateLeft16(r0, 16-1)
|
||||
r0 = r0 - c.k[j] - (r3 & r2) - ((^r3) & r1)
|
||||
j--
|
||||
}
|
||||
|
@ -215,22 +212,22 @@ func (c *rc2Cipher) Decrypt(dst, src []byte) {
|
|||
|
||||
for j >= 20 {
|
||||
// unmix r3
|
||||
r3 = rotl16(r3, 16-5)
|
||||
r3 = bits.RotateLeft16(r3, 16-5)
|
||||
r3 = r3 - c.k[j] - (r2 & r1) - ((^r2) & r0)
|
||||
j--
|
||||
|
||||
// unmix r2
|
||||
r2 = rotl16(r2, 16-3)
|
||||
r2 = bits.RotateLeft16(r2, 16-3)
|
||||
r2 = r2 - c.k[j] - (r1 & r0) - ((^r1) & r3)
|
||||
j--
|
||||
|
||||
// unmix r1
|
||||
r1 = rotl16(r1, 16-2)
|
||||
r1 = bits.RotateLeft16(r1, 16-2)
|
||||
r1 = r1 - c.k[j] - (r0 & r3) - ((^r0) & r2)
|
||||
j--
|
||||
|
||||
// unmix r0
|
||||
r0 = rotl16(r0, 16-1)
|
||||
r0 = bits.RotateLeft16(r0, 16-1)
|
||||
r0 = r0 - c.k[j] - (r3 & r2) - ((^r3) & r1)
|
||||
j--
|
||||
|
||||
|
@ -243,22 +240,22 @@ func (c *rc2Cipher) Decrypt(dst, src []byte) {
|
|||
|
||||
for j >= 0 {
|
||||
// unmix r3
|
||||
r3 = rotl16(r3, 16-5)
|
||||
r3 = bits.RotateLeft16(r3, 16-5)
|
||||
r3 = r3 - c.k[j] - (r2 & r1) - ((^r2) & r0)
|
||||
j--
|
||||
|
||||
// unmix r2
|
||||
r2 = rotl16(r2, 16-3)
|
||||
r2 = bits.RotateLeft16(r2, 16-3)
|
||||
r2 = r2 - c.k[j] - (r1 & r0) - ((^r1) & r3)
|
||||
j--
|
||||
|
||||
// unmix r1
|
||||
r1 = rotl16(r1, 16-2)
|
||||
r1 = bits.RotateLeft16(r1, 16-2)
|
||||
r1 = r1 - c.k[j] - (r0 & r3) - ((^r0) & r2)
|
||||
j--
|
||||
|
||||
// unmix r0
|
||||
r0 = rotl16(r0, 16-1)
|
||||
r0 = bits.RotateLeft16(r0, 16-1)
|
||||
r0 = r0 - c.k[j] - (r3 & r2) - ((^r3) & r1)
|
||||
j--
|
||||
|
||||
|
|
17
vendor/golang.org/x/sys/unix/ioctl.go
generated
vendored
17
vendor/golang.org/x/sys/unix/ioctl.go
generated
vendored
|
@ -8,7 +8,6 @@
|
|||
package unix
|
||||
|
||||
import (
|
||||
"runtime"
|
||||
"unsafe"
|
||||
)
|
||||
|
||||
|
@ -27,7 +26,7 @@ func IoctlSetInt(fd int, req uint, value int) error {
|
|||
// passing the integer value directly.
|
||||
func IoctlSetPointerInt(fd int, req uint, value int) error {
|
||||
v := int32(value)
|
||||
return ioctl(fd, req, uintptr(unsafe.Pointer(&v)))
|
||||
return ioctlPtr(fd, req, unsafe.Pointer(&v))
|
||||
}
|
||||
|
||||
// IoctlSetWinsize performs an ioctl on fd with a *Winsize argument.
|
||||
|
@ -36,9 +35,7 @@ func IoctlSetPointerInt(fd int, req uint, value int) error {
|
|||
func IoctlSetWinsize(fd int, req uint, value *Winsize) error {
|
||||
// TODO: if we get the chance, remove the req parameter and
|
||||
// hardcode TIOCSWINSZ.
|
||||
err := ioctl(fd, req, uintptr(unsafe.Pointer(value)))
|
||||
runtime.KeepAlive(value)
|
||||
return err
|
||||
return ioctlPtr(fd, req, unsafe.Pointer(value))
|
||||
}
|
||||
|
||||
// IoctlSetTermios performs an ioctl on fd with a *Termios.
|
||||
|
@ -46,9 +43,7 @@ func IoctlSetWinsize(fd int, req uint, value *Winsize) error {
|
|||
// The req value will usually be TCSETA or TIOCSETA.
|
||||
func IoctlSetTermios(fd int, req uint, value *Termios) error {
|
||||
// TODO: if we get the chance, remove the req parameter.
|
||||
err := ioctl(fd, req, uintptr(unsafe.Pointer(value)))
|
||||
runtime.KeepAlive(value)
|
||||
return err
|
||||
return ioctlPtr(fd, req, unsafe.Pointer(value))
|
||||
}
|
||||
|
||||
// IoctlGetInt performs an ioctl operation which gets an integer value
|
||||
|
@ -58,18 +53,18 @@ func IoctlSetTermios(fd int, req uint, value *Termios) error {
|
|||
// for those, IoctlRetInt should be used instead of this function.
|
||||
func IoctlGetInt(fd int, req uint) (int, error) {
|
||||
var value int
|
||||
err := ioctl(fd, req, uintptr(unsafe.Pointer(&value)))
|
||||
err := ioctlPtr(fd, req, unsafe.Pointer(&value))
|
||||
return value, err
|
||||
}
|
||||
|
||||
func IoctlGetWinsize(fd int, req uint) (*Winsize, error) {
|
||||
var value Winsize
|
||||
err := ioctl(fd, req, uintptr(unsafe.Pointer(&value)))
|
||||
err := ioctlPtr(fd, req, unsafe.Pointer(&value))
|
||||
return &value, err
|
||||
}
|
||||
|
||||
func IoctlGetTermios(fd int, req uint) (*Termios, error) {
|
||||
var value Termios
|
||||
err := ioctl(fd, req, uintptr(unsafe.Pointer(&value)))
|
||||
err := ioctlPtr(fd, req, unsafe.Pointer(&value))
|
||||
return &value, err
|
||||
}
|
||||
|
|
8
vendor/golang.org/x/sys/unix/ioctl_zos.go
generated
vendored
8
vendor/golang.org/x/sys/unix/ioctl_zos.go
generated
vendored
|
@ -27,9 +27,7 @@ func IoctlSetInt(fd int, req uint, value int) error {
|
|||
func IoctlSetWinsize(fd int, req uint, value *Winsize) error {
|
||||
// TODO: if we get the chance, remove the req parameter and
|
||||
// hardcode TIOCSWINSZ.
|
||||
err := ioctl(fd, req, uintptr(unsafe.Pointer(value)))
|
||||
runtime.KeepAlive(value)
|
||||
return err
|
||||
return ioctlPtr(fd, req, unsafe.Pointer(value))
|
||||
}
|
||||
|
||||
// IoctlSetTermios performs an ioctl on fd with a *Termios.
|
||||
|
@ -51,13 +49,13 @@ func IoctlSetTermios(fd int, req uint, value *Termios) error {
|
|||
// for those, IoctlRetInt should be used instead of this function.
|
||||
func IoctlGetInt(fd int, req uint) (int, error) {
|
||||
var value int
|
||||
err := ioctl(fd, req, uintptr(unsafe.Pointer(&value)))
|
||||
err := ioctlPtr(fd, req, unsafe.Pointer(&value))
|
||||
return value, err
|
||||
}
|
||||
|
||||
func IoctlGetWinsize(fd int, req uint) (*Winsize, error) {
|
||||
var value Winsize
|
||||
err := ioctl(fd, req, uintptr(unsafe.Pointer(&value)))
|
||||
err := ioctlPtr(fd, req, unsafe.Pointer(&value))
|
||||
return &value, err
|
||||
}
|
||||
|
||||
|
|
6
vendor/golang.org/x/sys/unix/ptrace_darwin.go
generated
vendored
6
vendor/golang.org/x/sys/unix/ptrace_darwin.go
generated
vendored
|
@ -7,6 +7,12 @@
|
|||
|
||||
package unix
|
||||
|
||||
import "unsafe"
|
||||
|
||||
func ptrace(request int, pid int, addr uintptr, data uintptr) error {
|
||||
return ptrace1(request, pid, addr, data)
|
||||
}
|
||||
|
||||
func ptracePtr(request int, pid int, addr uintptr, data unsafe.Pointer) error {
|
||||
return ptrace1Ptr(request, pid, addr, data)
|
||||
}
|
||||
|
|
6
vendor/golang.org/x/sys/unix/ptrace_ios.go
generated
vendored
6
vendor/golang.org/x/sys/unix/ptrace_ios.go
generated
vendored
|
@ -7,6 +7,12 @@
|
|||
|
||||
package unix
|
||||
|
||||
import "unsafe"
|
||||
|
||||
func ptrace(request int, pid int, addr uintptr, data uintptr) (err error) {
|
||||
return ENOTSUP
|
||||
}
|
||||
|
||||
func ptracePtr(request int, pid int, addr uintptr, data unsafe.Pointer) (err error) {
|
||||
return ENOTSUP
|
||||
}
|
||||
|
|
5
vendor/golang.org/x/sys/unix/syscall_aix.go
generated
vendored
5
vendor/golang.org/x/sys/unix/syscall_aix.go
generated
vendored
|
@ -292,9 +292,7 @@ func anyToSockaddr(fd int, rsa *RawSockaddrAny) (Sockaddr, error) {
|
|||
break
|
||||
}
|
||||
}
|
||||
|
||||
bytes := (*[len(pp.Path)]byte)(unsafe.Pointer(&pp.Path[0]))[0:n]
|
||||
sa.Name = string(bytes)
|
||||
sa.Name = string(unsafe.Slice((*byte)(unsafe.Pointer(&pp.Path[0])), n))
|
||||
return sa, nil
|
||||
|
||||
case AF_INET:
|
||||
|
@ -411,6 +409,7 @@ func (w WaitStatus) CoreDump() bool { return w&0x80 == 0x80 }
|
|||
func (w WaitStatus) TrapCause() int { return -1 }
|
||||
|
||||
//sys ioctl(fd int, req uint, arg uintptr) (err error)
|
||||
//sys ioctlPtr(fd int, req uint, arg unsafe.Pointer) (err error) = ioctl
|
||||
|
||||
// fcntl must never be called with cmd=F_DUP2FD because it doesn't work on AIX
|
||||
// There is no way to create a custom fcntl and to keep //sys fcntl easily,
|
||||
|
|
3
vendor/golang.org/x/sys/unix/syscall_bsd.go
generated
vendored
3
vendor/golang.org/x/sys/unix/syscall_bsd.go
generated
vendored
|
@ -245,8 +245,7 @@ func anyToSockaddr(fd int, rsa *RawSockaddrAny) (Sockaddr, error) {
|
|||
break
|
||||
}
|
||||
}
|
||||
bytes := (*[len(pp.Path)]byte)(unsafe.Pointer(&pp.Path[0]))[0:n]
|
||||
sa.Name = string(bytes)
|
||||
sa.Name = string(unsafe.Slice((*byte)(unsafe.Pointer(&pp.Path[0])), n))
|
||||
return sa, nil
|
||||
|
||||
case AF_INET:
|
||||
|
|
12
vendor/golang.org/x/sys/unix/syscall_darwin.go
generated
vendored
12
vendor/golang.org/x/sys/unix/syscall_darwin.go
generated
vendored
|
@ -14,7 +14,6 @@ package unix
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
"runtime"
|
||||
"syscall"
|
||||
"unsafe"
|
||||
)
|
||||
|
@ -376,11 +375,10 @@ func Flistxattr(fd int, dest []byte) (sz int, err error) {
|
|||
func Kill(pid int, signum syscall.Signal) (err error) { return kill(pid, int(signum), 1) }
|
||||
|
||||
//sys ioctl(fd int, req uint, arg uintptr) (err error)
|
||||
//sys ioctlPtr(fd int, req uint, arg unsafe.Pointer) (err error) = SYS_IOCTL
|
||||
|
||||
func IoctlCtlInfo(fd int, ctlInfo *CtlInfo) error {
|
||||
err := ioctl(fd, CTLIOCGINFO, uintptr(unsafe.Pointer(ctlInfo)))
|
||||
runtime.KeepAlive(ctlInfo)
|
||||
return err
|
||||
return ioctlPtr(fd, CTLIOCGINFO, unsafe.Pointer(ctlInfo))
|
||||
}
|
||||
|
||||
// IfreqMTU is struct ifreq used to get or set a network device's MTU.
|
||||
|
@ -394,16 +392,14 @@ type IfreqMTU struct {
|
|||
func IoctlGetIfreqMTU(fd int, ifname string) (*IfreqMTU, error) {
|
||||
var ifreq IfreqMTU
|
||||
copy(ifreq.Name[:], ifname)
|
||||
err := ioctl(fd, SIOCGIFMTU, uintptr(unsafe.Pointer(&ifreq)))
|
||||
err := ioctlPtr(fd, SIOCGIFMTU, unsafe.Pointer(&ifreq))
|
||||
return &ifreq, err
|
||||
}
|
||||
|
||||
// IoctlSetIfreqMTU performs the SIOCSIFMTU ioctl operation on fd to set the MTU
|
||||
// of the network device specified by ifreq.Name.
|
||||
func IoctlSetIfreqMTU(fd int, ifreq *IfreqMTU) error {
|
||||
err := ioctl(fd, SIOCSIFMTU, uintptr(unsafe.Pointer(ifreq)))
|
||||
runtime.KeepAlive(ifreq)
|
||||
return err
|
||||
return ioctlPtr(fd, SIOCSIFMTU, unsafe.Pointer(ifreq))
|
||||
}
|
||||
|
||||
//sys sysctl(mib []_C_int, old *byte, oldlen *uintptr, new *byte, newlen uintptr) (err error) = SYS_SYSCTL
|
||||
|
|
1
vendor/golang.org/x/sys/unix/syscall_darwin_amd64.go
generated
vendored
1
vendor/golang.org/x/sys/unix/syscall_darwin_amd64.go
generated
vendored
|
@ -47,5 +47,6 @@ func Syscall9(num, a1, a2, a3, a4, a5, a6, a7, a8, a9 uintptr) (r1, r2 uintptr,
|
|||
//sys getfsstat(buf unsafe.Pointer, size uintptr, flags int) (n int, err error) = SYS_GETFSSTAT64
|
||||
//sys Lstat(path string, stat *Stat_t) (err error) = SYS_LSTAT64
|
||||
//sys ptrace1(request int, pid int, addr uintptr, data uintptr) (err error) = SYS_ptrace
|
||||
//sys ptrace1Ptr(request int, pid int, addr unsafe.Pointer, data uintptr) (err error) = SYS_ptrace
|
||||
//sys Stat(path string, stat *Stat_t) (err error) = SYS_STAT64
|
||||
//sys Statfs(path string, stat *Statfs_t) (err error) = SYS_STATFS64
|
||||
|
|
1
vendor/golang.org/x/sys/unix/syscall_darwin_arm64.go
generated
vendored
1
vendor/golang.org/x/sys/unix/syscall_darwin_arm64.go
generated
vendored
|
@ -47,5 +47,6 @@ func Syscall9(num, a1, a2, a3, a4, a5, a6, a7, a8, a9 uintptr) (r1, r2 uintptr,
|
|||
//sys getfsstat(buf unsafe.Pointer, size uintptr, flags int) (n int, err error) = SYS_GETFSSTAT
|
||||
//sys Lstat(path string, stat *Stat_t) (err error)
|
||||
//sys ptrace1(request int, pid int, addr uintptr, data uintptr) (err error) = SYS_ptrace
|
||||
//sys ptrace1Ptr(request int, pid int, addr unsafe.Pointer, data uintptr) (err error) = SYS_ptrace
|
||||
//sys Stat(path string, stat *Stat_t) (err error)
|
||||
//sys Statfs(path string, stat *Statfs_t) (err error)
|
||||
|
|
1
vendor/golang.org/x/sys/unix/syscall_dragonfly.go
generated
vendored
1
vendor/golang.org/x/sys/unix/syscall_dragonfly.go
generated
vendored
|
@ -172,6 +172,7 @@ func Getfsstat(buf []Statfs_t, flags int) (n int, err error) {
|
|||
}
|
||||
|
||||
//sys ioctl(fd int, req uint, arg uintptr) (err error)
|
||||
//sys ioctlPtr(fd int, req uint, arg unsafe.Pointer) (err error) = SYS_IOCTL
|
||||
|
||||
//sys sysctl(mib []_C_int, old *byte, oldlen *uintptr, new *byte, newlen uintptr) (err error) = SYS___SYSCTL
|
||||
|
||||
|
|
43
vendor/golang.org/x/sys/unix/syscall_freebsd.go
generated
vendored
43
vendor/golang.org/x/sys/unix/syscall_freebsd.go
generated
vendored
|
@ -161,7 +161,8 @@ func Getfsstat(buf []Statfs_t, flags int) (n int, err error) {
|
|||
return
|
||||
}
|
||||
|
||||
//sys ioctl(fd int, req uint, arg uintptr) (err error)
|
||||
//sys ioctl(fd int, req uint, arg uintptr) (err error) = SYS_IOCTL
|
||||
//sys ioctlPtr(fd int, req uint, arg unsafe.Pointer) (err error) = SYS_IOCTL
|
||||
|
||||
//sys sysctl(mib []_C_int, old *byte, oldlen *uintptr, new *byte, newlen uintptr) (err error) = SYS___SYSCTL
|
||||
|
||||
|
@ -253,6 +254,7 @@ func Sendfile(outfd int, infd int, offset *int64, count int) (written int, err e
|
|||
}
|
||||
|
||||
//sys ptrace(request int, pid int, addr uintptr, data int) (err error)
|
||||
//sys ptracePtr(request int, pid int, addr unsafe.Pointer, data int) (err error) = SYS_PTRACE
|
||||
|
||||
func PtraceAttach(pid int) (err error) {
|
||||
return ptrace(PT_ATTACH, pid, 0, 0)
|
||||
|
@ -267,19 +269,36 @@ func PtraceDetach(pid int) (err error) {
|
|||
}
|
||||
|
||||
func PtraceGetFpRegs(pid int, fpregsout *FpReg) (err error) {
|
||||
return ptrace(PT_GETFPREGS, pid, uintptr(unsafe.Pointer(fpregsout)), 0)
|
||||
return ptracePtr(PT_GETFPREGS, pid, unsafe.Pointer(fpregsout), 0)
|
||||
}
|
||||
|
||||
func PtraceGetRegs(pid int, regsout *Reg) (err error) {
|
||||
return ptrace(PT_GETREGS, pid, uintptr(unsafe.Pointer(regsout)), 0)
|
||||
return ptracePtr(PT_GETREGS, pid, unsafe.Pointer(regsout), 0)
|
||||
}
|
||||
|
||||
func PtraceIO(req int, pid int, offs uintptr, out []byte, countin int) (count int, err error) {
|
||||
ioDesc := PtraceIoDesc{
|
||||
Op: int32(req),
|
||||
Offs: offs,
|
||||
}
|
||||
if countin > 0 {
|
||||
_ = out[:countin] // check bounds
|
||||
ioDesc.Addr = &out[0]
|
||||
} else if out != nil {
|
||||
ioDesc.Addr = (*byte)(unsafe.Pointer(&_zero))
|
||||
}
|
||||
ioDesc.SetLen(countin)
|
||||
|
||||
err = ptracePtr(PT_IO, pid, unsafe.Pointer(&ioDesc), 0)
|
||||
return int(ioDesc.Len), err
|
||||
}
|
||||
|
||||
func PtraceLwpEvents(pid int, enable int) (err error) {
|
||||
return ptrace(PT_LWP_EVENTS, pid, 0, enable)
|
||||
}
|
||||
|
||||
func PtraceLwpInfo(pid int, info uintptr) (err error) {
|
||||
return ptrace(PT_LWPINFO, pid, info, int(unsafe.Sizeof(PtraceLwpInfoStruct{})))
|
||||
func PtraceLwpInfo(pid int, info *PtraceLwpInfoStruct) (err error) {
|
||||
return ptracePtr(PT_LWPINFO, pid, unsafe.Pointer(info), int(unsafe.Sizeof(*info)))
|
||||
}
|
||||
|
||||
func PtracePeekData(pid int, addr uintptr, out []byte) (count int, err error) {
|
||||
|
@ -299,13 +318,25 @@ func PtracePokeText(pid int, addr uintptr, data []byte) (count int, err error) {
|
|||
}
|
||||
|
||||
func PtraceSetRegs(pid int, regs *Reg) (err error) {
|
||||
return ptrace(PT_SETREGS, pid, uintptr(unsafe.Pointer(regs)), 0)
|
||||
return ptracePtr(PT_SETREGS, pid, unsafe.Pointer(regs), 0)
|
||||
}
|
||||
|
||||
func PtraceSingleStep(pid int) (err error) {
|
||||
return ptrace(PT_STEP, pid, 1, 0)
|
||||
}
|
||||
|
||||
func Dup3(oldfd, newfd, flags int) error {
|
||||
if oldfd == newfd || flags&^O_CLOEXEC != 0 {
|
||||
return EINVAL
|
||||
}
|
||||
how := F_DUP2FD
|
||||
if flags&O_CLOEXEC != 0 {
|
||||
how = F_DUP2FD_CLOEXEC
|
||||
}
|
||||
_, err := fcntl(oldfd, how, newfd)
|
||||
return err
|
||||
}
|
||||
|
||||
/*
|
||||
* Exposed directly
|
||||
*/
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue