bump azure sdk

v1.3.0 of azidentity introduces support to workload identity.

Signed-off-by: Flavian Missi <fmissi@redhat.com>
This commit is contained in:
Flavian Missi 2023-05-11 15:23:47 +02:00
parent 8e29e870a4
commit 7caf058a65
No known key found for this signature in database
GPG key ID: 49F4158A5966F4B1
169 changed files with 2892 additions and 1433 deletions

22
go.mod
View file

@ -4,8 +4,8 @@ go 1.18
require ( require (
github.com/AdaLogics/go-fuzz-headers v0.0.0-20221103172237-443f56ff4ba8 github.com/AdaLogics/go-fuzz-headers v0.0.0-20221103172237-443f56ff4ba8
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.3.0 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.1 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.0.0 github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.0.0
github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d
github.com/aws/aws-sdk-go v1.43.16 github.com/aws/aws-sdk-go v1.43.16
@ -27,7 +27,7 @@ require (
github.com/sirupsen/logrus v1.8.1 github.com/sirupsen/logrus v1.8.1
github.com/spf13/cobra v1.6.1 github.com/spf13/cobra v1.6.1
github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50 github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50
golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88 golang.org/x/crypto v0.7.0
golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c
google.golang.org/api v0.30.0 google.golang.org/api v0.30.0
google.golang.org/cloud v0.0.0-20151119220103-975617b05ea8 google.golang.org/cloud v0.0.0-20151119220103-975617b05ea8
@ -37,8 +37,8 @@ require (
require ( require (
cloud.google.com/go v0.65.0 // indirect cloud.google.com/go v0.65.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v0.8.1 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect github.com/beorn7/perks v1.0.1 // indirect
github.com/bitly/go-simplejson v0.5.0 // indirect github.com/bitly/go-simplejson v0.5.0 // indirect
github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b // indirect github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b // indirect
@ -46,10 +46,10 @@ require (
github.com/cespare/xxhash/v2 v2.1.2 // indirect github.com/cespare/xxhash/v2 v2.1.2 // indirect
github.com/cyphar/filepath-securejoin v0.2.3 // indirect github.com/cyphar/filepath-securejoin v0.2.3 // indirect
github.com/felixge/httpsnoop v1.0.1 // indirect github.com/felixge/httpsnoop v1.0.1 // indirect
github.com/golang-jwt/jwt/v4 v4.4.2 // indirect github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
github.com/golang/protobuf v1.5.2 // indirect github.com/golang/protobuf v1.5.2 // indirect
github.com/google/uuid v1.1.1 // indirect github.com/google/uuid v1.3.0 // indirect
github.com/googleapis/gax-go/v2 v2.0.5 // indirect github.com/googleapis/gax-go/v2 v2.0.5 // indirect
github.com/inconshreveable/mousetrap v1.0.1 // indirect github.com/inconshreveable/mousetrap v1.0.1 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect
@ -58,7 +58,7 @@ require (
github.com/kylelemons/godebug v1.1.0 // indirect github.com/kylelemons/godebug v1.1.0 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f // indirect github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f // indirect
github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 // indirect github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
github.com/prometheus/client_model v0.2.0 // indirect github.com/prometheus/client_model v0.2.0 // indirect
github.com/prometheus/common v0.32.1 // indirect github.com/prometheus/common v0.32.1 // indirect
github.com/prometheus/procfs v0.7.3 // indirect github.com/prometheus/procfs v0.7.3 // indirect
@ -66,9 +66,9 @@ require (
github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 // indirect github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 // indirect
github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f // indirect github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f // indirect
go.opencensus.io v0.22.4 // indirect go.opencensus.io v0.22.4 // indirect
golang.org/x/net v0.7.0 // indirect; updated for CVE-2022-27664, CVE-2022-41717 golang.org/x/net v0.8.0 // indirect; updated for CVE-2022-27664, CVE-2022-41717
golang.org/x/sys v0.5.0 // indirect golang.org/x/sys v0.6.0 // indirect
golang.org/x/text v0.7.0 // indirect golang.org/x/text v0.8.0 // indirect
google.golang.org/appengine v1.6.6 // indirect google.golang.org/appengine v1.6.6 // indirect
google.golang.org/genproto v0.0.0-20200825200019-8632dd797987 // indirect google.golang.org/genproto v0.0.0-20200825200019-8632dd797987 // indirect
google.golang.org/grpc v1.31.0 // indirect google.golang.org/grpc v1.31.0 // indirect

47
go.sum
View file

@ -34,16 +34,16 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9
dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
github.com/AdaLogics/go-fuzz-headers v0.0.0-20221103172237-443f56ff4ba8 h1:d+pBUmsteW5tM87xmVXHZ4+LibHRFn40SPAoZJOg2ak= github.com/AdaLogics/go-fuzz-headers v0.0.0-20221103172237-443f56ff4ba8 h1:d+pBUmsteW5tM87xmVXHZ4+LibHRFn40SPAoZJOg2ak=
github.com/AdaLogics/go-fuzz-headers v0.0.0-20221103172237-443f56ff4ba8/go.mod h1:i9fr2JpcEcY/IHEvzCM3qXUZYOQHgR89dt4es1CgMhc= github.com/AdaLogics/go-fuzz-headers v0.0.0-20221103172237-443f56ff4ba8/go.mod h1:i9fr2JpcEcY/IHEvzCM3qXUZYOQHgR89dt4es1CgMhc=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.3.0 h1:VuHAcMq8pU1IWNT/m5yRaGqbK0BiQKHT8X4DTp9CHdI= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0 h1:8kDqDngH+DmVBiCtIjCFTGa7MBnsIOkF9IccInFEbjk=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.3.0/go.mod h1:tZoQYdDZNOiIjdSn0dVWVfl0NEPGOJqVLzSrcFk4Is0= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.1 h1:T8quHYlUGyb/oqtSTwqlCr1ilJHrDv+ZtpSfo+hm1BU= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 h1:vcYCAze6p19qBW7MhZybIsqD8sMV8js0NyQM8JDnVtg=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.1/go.mod h1:gLa1CL2RNE4s7M3yopJ/p0iq5DdY6Yv5ZUt9MTRZOQM= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0/go.mod h1:OQeznEEkTZ9OrhHJoDD8ZDq51FHgXjqtP9z6bEwBq9U=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.1 h1:Oj853U9kG+RLTCQXpjvOnrv0WaZHxgmZz1TlLywgOPY= github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.1/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w= github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM=
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.0.0 h1:u/LLAOFgsMv7HmNL4Qufg58y+qElGOt5qv0z1mURkRY= github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.0.0 h1:u/LLAOFgsMv7HmNL4Qufg58y+qElGOt5qv0z1mURkRY=
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.0.0/go.mod h1:2e8rMJtl2+2j+HXbTBwnyGpm5Nou7KhvSfxOq8JpTag= github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.0.0/go.mod h1:2e8rMJtl2+2j+HXbTBwnyGpm5Nou7KhvSfxOq8JpTag=
github.com/AzureAD/microsoft-authentication-library-for-go v0.8.1 h1:oPdPEZFSbl7oSPEAIPMPBMUmiL+mqgzBJwM/9qYcwNg= github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 h1:OBhqkivkhkMqLPymWEppkm7vgPQY2XsHoEkaMQ0AdZY=
github.com/AzureAD/microsoft-authentication-library-for-go v0.8.1/go.mod h1:4qFor3D/HDsvBME35Xy9rwW9DecL+M2sNw1ybjPtwA0= github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0/go.mod h1:kgDmCTgBzIEPFElEF+FK0SdjAor06dRq2Go927dnQ6o=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d h1:UrqY+r/OJnIp5u0s1SbQ8dVfLCZJsnvazdBP5hS4iRs= github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d h1:UrqY+r/OJnIp5u0s1SbQ8dVfLCZJsnvazdBP5hS4iRs=
@ -87,7 +87,7 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba h1:p6poVbjHDkKa+wtC8frBMwQtT3BmqGYBjzMwJ63tuR4= github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba h1:p6poVbjHDkKa+wtC8frBMwQtT3BmqGYBjzMwJ63tuR4=
github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba/go.mod h1:dV8lFg6daOBZbT6/BDGIz6Y3WFGn8juu6G+CQ6LHtl0= github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba/go.mod h1:dV8lFg6daOBZbT6/BDGIz6Y3WFGn8juu6G+CQ6LHtl0=
github.com/dnaeon/go-vcr v1.1.0 h1:ReYa/UBrRyQdant9B4fNHGoCNKw6qh6P0fsdGmZpR7c= github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8= github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8=
github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA= github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8= github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8=
@ -111,8 +111,8 @@ github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V
github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs= github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@ -167,8 +167,8 @@ github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hf
github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM= github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM=
github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
@ -229,8 +229,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM= github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM=
github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 h1:Qj1ukM4GlMWXNdMBuXcXfz/Kw9s1qm0CLY32QxuSImI= github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU=
github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4/go.mod h1:N6UoU20jOqggOuDwUaBQpluzLNDqif3kq9z2wpdYEfQ= github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@ -301,8 +301,8 @@ golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8U
golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88 h1:Tgea0cVUD0ivh5ADBX4WwuI12DUd2to3nCYe2eayMIw= golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A=
golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@ -363,8 +363,8 @@ golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81R
golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g= golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@ -419,10 +419,11 @@ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@ -432,8 +433,8 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo= golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

View file

@ -1,5 +1,56 @@
# Release History # Release History
## 1.6.0 (2023-05-04)
### Features Added
* Added support for ARM cross-tenant authentication. Set the `AuxiliaryTenants` field of `arm.ClientOptions` to enable.
* Added `TenantID` field to `policy.TokenRequestOptions`.
## 1.5.0 (2023-04-06)
### Features Added
* Added `ShouldRetry` to `policy.RetryOptions` for finer-grained control over when to retry.
### Breaking Changes
> These changes affect only code written against a beta version such as v1.5.0-beta.1
> These features will return in v1.6.0-beta.1.
* Removed `TokenRequestOptions.Claims` and `.TenantID`
* Removed ARM client support for CAE and cross-tenant auth.
### Bugs Fixed
* Added non-conformant LRO terminal states `Cancelled` and `Completed`.
### Other Changes
* Updated to latest `internal` module.
## 1.5.0-beta.1 (2023-03-02)
### Features Added
* This release includes the features added in v1.4.0-beta.1
## 1.4.0 (2023-03-02)
> This release doesn't include features added in v1.4.0-beta.1. They will return in v1.5.0-beta.1.
### Features Added
* Add `Clone()` method for `arm/policy.ClientOptions`.
### Bugs Fixed
* ARM's RP registration policy will no longer swallow unrecognized errors.
* Fixed an issue in `runtime.NewPollerFromResumeToken()` when resuming a `Poller` with a custom `PollingHandler`.
* Fixed wrong policy copy in `arm/runtime.NewPipeline()`.
## 1.4.0-beta.1 (2023-02-02)
### Features Added
* Added support for ARM cross-tenant authentication. Set the `AuxiliaryTenants` field of `arm.ClientOptions` to enable.
* Added `Claims` and `TenantID` fields to `policy.TokenRequestOptions`.
* ARM bearer token policy handles CAE challenges.
## 1.3.1 (2023-02-02)
### Other Changes
* Update dependencies to latest versions.
## 1.3.0 (2023-01-06) ## 1.3.0 (2023-01-06)
### Features Added ### Features Added

View file

@ -11,8 +11,6 @@ import (
"io" "io"
"net/http" "net/http"
"time" "time"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared"
) )
type nopCloser struct { type nopCloser struct {
@ -43,24 +41,6 @@ func HasStatusCode(resp *http.Response, statusCodes ...int) bool {
return false return false
} }
// Payload reads and returns the response body or an error.
// On a successful read, the response body is cached.
// Subsequent reads will access the cached value.
// Exported as runtime.Payload().
func Payload(resp *http.Response) ([]byte, error) {
// r.Body won't be a nopClosingBytesReader if downloading was skipped
if buf, ok := resp.Body.(*shared.NopClosingBytesReader); ok {
return buf.Bytes(), nil
}
bytesBody, err := io.ReadAll(resp.Body)
resp.Body.Close()
if err != nil {
return nil, err
}
resp.Body = shared.NewNopClosingBytesReader(bytesBody)
return bytesBody, nil
}
// AccessToken represents an Azure service bearer access token with expiry information. // AccessToken represents an Azure service bearer access token with expiry information.
// Exported as azcore.AccessToken. // Exported as azcore.AccessToken.
type AccessToken struct { type AccessToken struct {
@ -73,6 +53,10 @@ type AccessToken struct {
type TokenRequestOptions struct { type TokenRequestOptions struct {
// Scopes contains the list of permission scopes required for the token. // Scopes contains the list of permission scopes required for the token.
Scopes []string Scopes []string
// TenantID identifies the tenant from which to request the token. azidentity credentials authenticate in
// their configured default tenants when this field isn't set.
TenantID string
} }
// TokenCredential represents a credential capable of providing an OAuth token. // TokenCredential represents a credential capable of providing an OAuth token.

View file

@ -103,6 +103,7 @@ func (req *Request) OperationValue(value interface{}) bool {
// SetBody sets the specified ReadSeekCloser as the HTTP request body, and sets Content-Type and Content-Length // SetBody sets the specified ReadSeekCloser as the HTTP request body, and sets Content-Type and Content-Length
// accordingly. If the ReadSeekCloser is nil or empty, Content-Length won't be set. If contentType is "", // accordingly. If the ReadSeekCloser is nil or empty, Content-Length won't be set. If contentType is "",
// Content-Type won't be set. // Content-Type won't be set.
// Use streaming.NopCloser to turn an io.ReadSeeker into an io.ReadSeekCloser.
func (req *Request) SetBody(body io.ReadSeekCloser, contentType string) error { func (req *Request) SetBody(body io.ReadSeekCloser, contentType string) error {
var err error var err error
var size int64 var size int64
@ -168,3 +169,14 @@ func (req *Request) Clone(ctx context.Context) *Request {
r2.req = req.req.Clone(ctx) r2.req = req.req.Clone(ctx)
return &r2 return &r2
} }
// not exported but dependent on Request
// PolicyFunc is a type that implements the Policy interface.
// Use this type when implementing a stateless policy as a first-class function.
type PolicyFunc func(*Request) (*http.Response, error)
// Do implements the Policy interface on policyFunc.
func (pf PolicyFunc) Do(req *Request) (*http.Response, error) {
return pf(req)
}

View file

@ -12,6 +12,8 @@ import (
"fmt" "fmt"
"net/http" "net/http"
"regexp" "regexp"
"github.com/Azure/azure-sdk-for-go/sdk/internal/exported"
) )
// NewResponseError creates a new *ResponseError from the provided HTTP response. // NewResponseError creates a new *ResponseError from the provided HTTP response.
@ -29,7 +31,7 @@ func NewResponseError(resp *http.Response) error {
} }
// if we didn't get x-ms-error-code, check in the response body // if we didn't get x-ms-error-code, check in the response body
body, err := Payload(resp) body, err := exported.Payload(resp, nil)
if err != nil { if err != nil {
return err return err
} }
@ -121,7 +123,7 @@ func (e *ResponseError) Error() string {
fmt.Fprintln(msg, "ERROR CODE UNAVAILABLE") fmt.Fprintln(msg, "ERROR CODE UNAVAILABLE")
} }
fmt.Fprintln(msg, "--------------------------------------------------------------------------------") fmt.Fprintln(msg, "--------------------------------------------------------------------------------")
body, err := Payload(e.RawResponse) body, err := exported.Payload(e.RawResponse, nil)
if err != nil { if err != nil {
// this really shouldn't fail at this point as the response // this really shouldn't fail at this point as the response
// body is already cached (it was read in NewResponseError) // body is already cached (it was read in NewResponseError)

View file

@ -16,6 +16,7 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/log" "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/log"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers" "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared" "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared"
"github.com/Azure/azure-sdk-for-go/sdk/internal/poller"
) )
// see https://github.com/Azure/azure-resource-manager-rpc/blob/master/v1.0/async-api-reference.md // see https://github.com/Azure/azure-resource-manager-rpc/blob/master/v1.0/async-api-reference.md
@ -68,15 +69,15 @@ func New[T any](pl exported.Pipeline, resp *http.Response, finalState pollers.Fi
if asyncURL == "" { if asyncURL == "" {
return nil, errors.New("response is missing Azure-AsyncOperation header") return nil, errors.New("response is missing Azure-AsyncOperation header")
} }
if !pollers.IsValidURL(asyncURL) { if !poller.IsValidURL(asyncURL) {
return nil, fmt.Errorf("invalid polling URL %s", asyncURL) return nil, fmt.Errorf("invalid polling URL %s", asyncURL)
} }
// check for provisioning state. if the operation is a RELO // check for provisioning state. if the operation is a RELO
// and terminates synchronously this will prevent extra polling. // and terminates synchronously this will prevent extra polling.
// it's ok if there's no provisioning state. // it's ok if there's no provisioning state.
state, _ := pollers.GetProvisioningState(resp) state, _ := poller.GetProvisioningState(resp)
if state == "" { if state == "" {
state = pollers.StatusInProgress state = poller.StatusInProgress
} }
p := &Poller[T]{ p := &Poller[T]{
pl: pl, pl: pl,
@ -93,17 +94,17 @@ func New[T any](pl exported.Pipeline, resp *http.Response, finalState pollers.Fi
// Done returns true if the LRO is in a terminal state. // Done returns true if the LRO is in a terminal state.
func (p *Poller[T]) Done() bool { func (p *Poller[T]) Done() bool {
return pollers.IsTerminalState(p.CurState) return poller.IsTerminalState(p.CurState)
} }
// Poll retrieves the current state of the LRO. // Poll retrieves the current state of the LRO.
func (p *Poller[T]) Poll(ctx context.Context) (*http.Response, error) { func (p *Poller[T]) Poll(ctx context.Context) (*http.Response, error) {
err := pollers.PollHelper(ctx, p.AsyncURL, p.pl, func(resp *http.Response) (string, error) { err := pollers.PollHelper(ctx, p.AsyncURL, p.pl, func(resp *http.Response) (string, error) {
if !pollers.StatusCodeValid(resp) { if !poller.StatusCodeValid(resp) {
p.resp = resp p.resp = resp
return "", exported.NewResponseError(resp) return "", exported.NewResponseError(resp)
} }
state, err := pollers.GetStatus(resp) state, err := poller.GetStatus(resp)
if err != nil { if err != nil {
return "", err return "", err
} else if state == "" { } else if state == "" {
@ -122,7 +123,7 @@ func (p *Poller[T]) Poll(ctx context.Context) (*http.Response, error) {
func (p *Poller[T]) Result(ctx context.Context, out *T) error { func (p *Poller[T]) Result(ctx context.Context, out *T) error {
if p.resp.StatusCode == http.StatusNoContent { if p.resp.StatusCode == http.StatusNoContent {
return nil return nil
} else if pollers.Failed(p.CurState) { } else if poller.Failed(p.CurState) {
return exported.NewResponseError(p.resp) return exported.NewResponseError(p.resp)
} }
var req *exported.Request var req *exported.Request
@ -154,5 +155,5 @@ func (p *Poller[T]) Result(ctx context.Context, out *T) error {
p.resp = resp p.resp = resp
} }
return pollers.ResultHelper(p.resp, pollers.Failed(p.CurState), out) return pollers.ResultHelper(p.resp, poller.Failed(p.CurState), out)
} }

View file

@ -14,6 +14,7 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported" "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/log" "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/log"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers" "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers"
"github.com/Azure/azure-sdk-for-go/sdk/internal/poller"
) )
// Kind is the identifier of this type in a resume token. // Kind is the identifier of this type in a resume token.
@ -72,9 +73,9 @@ func New[T any](pl exported.Pipeline, resp *http.Response) (*Poller[T], error) {
} }
// default initial state to InProgress. depending on the HTTP // default initial state to InProgress. depending on the HTTP
// status code and provisioning state, we might change the value. // status code and provisioning state, we might change the value.
curState := pollers.StatusInProgress curState := poller.StatusInProgress
provState, err := pollers.GetProvisioningState(resp) provState, err := poller.GetProvisioningState(resp)
if err != nil && !errors.Is(err, pollers.ErrNoBody) { if err != nil && !errors.Is(err, poller.ErrNoBody) {
return nil, err return nil, err
} }
if resp.StatusCode == http.StatusCreated && provState != "" { if resp.StatusCode == http.StatusCreated && provState != "" {
@ -85,37 +86,37 @@ func New[T any](pl exported.Pipeline, resp *http.Response) (*Poller[T], error) {
curState = provState curState = provState
} else if provState == "" { } else if provState == "" {
// for a 200, absense of provisioning state indicates success // for a 200, absense of provisioning state indicates success
curState = pollers.StatusSucceeded curState = poller.StatusSucceeded
} }
} else if resp.StatusCode == http.StatusNoContent { } else if resp.StatusCode == http.StatusNoContent {
curState = pollers.StatusSucceeded curState = poller.StatusSucceeded
} }
p.CurState = curState p.CurState = curState
return p, nil return p, nil
} }
func (p *Poller[T]) Done() bool { func (p *Poller[T]) Done() bool {
return pollers.IsTerminalState(p.CurState) return poller.IsTerminalState(p.CurState)
} }
func (p *Poller[T]) Poll(ctx context.Context) (*http.Response, error) { func (p *Poller[T]) Poll(ctx context.Context) (*http.Response, error) {
err := pollers.PollHelper(ctx, p.PollURL, p.pl, func(resp *http.Response) (string, error) { err := pollers.PollHelper(ctx, p.PollURL, p.pl, func(resp *http.Response) (string, error) {
if !pollers.StatusCodeValid(resp) { if !poller.StatusCodeValid(resp) {
p.resp = resp p.resp = resp
return "", exported.NewResponseError(resp) return "", exported.NewResponseError(resp)
} }
if resp.StatusCode == http.StatusNoContent { if resp.StatusCode == http.StatusNoContent {
p.resp = resp p.resp = resp
p.CurState = pollers.StatusSucceeded p.CurState = poller.StatusSucceeded
return p.CurState, nil return p.CurState, nil
} }
state, err := pollers.GetProvisioningState(resp) state, err := poller.GetProvisioningState(resp)
if errors.Is(err, pollers.ErrNoBody) { if errors.Is(err, poller.ErrNoBody) {
// a missing response body in non-204 case is an error // a missing response body in non-204 case is an error
return "", err return "", err
} else if state == "" { } else if state == "" {
// a response body without provisioning state is considered terminal success // a response body without provisioning state is considered terminal success
state = pollers.StatusSucceeded state = poller.StatusSucceeded
} else if err != nil { } else if err != nil {
return "", err return "", err
} }
@ -130,5 +131,5 @@ func (p *Poller[T]) Poll(ctx context.Context) (*http.Response, error) {
} }
func (p *Poller[T]) Result(ctx context.Context, out *T) error { func (p *Poller[T]) Result(ctx context.Context, out *T) error {
return pollers.ResultHelper(p.resp, pollers.Failed(p.CurState), out) return pollers.ResultHelper(p.resp, poller.Failed(p.CurState), out)
} }

View file

@ -16,6 +16,7 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/log" "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/log"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers" "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared" "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared"
"github.com/Azure/azure-sdk-for-go/sdk/internal/poller"
) )
// Kind is the identifier of this type in a resume token. // Kind is the identifier of this type in a resume token.
@ -61,15 +62,15 @@ func New[T any](pl exported.Pipeline, resp *http.Response) (*Poller[T], error) {
if locURL == "" { if locURL == "" {
return nil, errors.New("response is missing Location header") return nil, errors.New("response is missing Location header")
} }
if !pollers.IsValidURL(locURL) { if !poller.IsValidURL(locURL) {
return nil, fmt.Errorf("invalid polling URL %s", locURL) return nil, fmt.Errorf("invalid polling URL %s", locURL)
} }
// check for provisioning state. if the operation is a RELO // check for provisioning state. if the operation is a RELO
// and terminates synchronously this will prevent extra polling. // and terminates synchronously this will prevent extra polling.
// it's ok if there's no provisioning state. // it's ok if there's no provisioning state.
state, _ := pollers.GetProvisioningState(resp) state, _ := poller.GetProvisioningState(resp)
if state == "" { if state == "" {
state = pollers.StatusInProgress state = poller.StatusInProgress
} }
return &Poller[T]{ return &Poller[T]{
pl: pl, pl: pl,
@ -81,7 +82,7 @@ func New[T any](pl exported.Pipeline, resp *http.Response) (*Poller[T], error) {
} }
func (p *Poller[T]) Done() bool { func (p *Poller[T]) Done() bool {
return pollers.IsTerminalState(p.CurState) return poller.IsTerminalState(p.CurState)
} }
func (p *Poller[T]) Poll(ctx context.Context) (*http.Response, error) { func (p *Poller[T]) Poll(ctx context.Context) (*http.Response, error) {
@ -93,17 +94,17 @@ func (p *Poller[T]) Poll(ctx context.Context) (*http.Response, error) {
// if provisioning state is available, use that. this is only // if provisioning state is available, use that. this is only
// for some ARM LRO scenarios (e.g. DELETE with a Location header) // for some ARM LRO scenarios (e.g. DELETE with a Location header)
// so if it's missing then use HTTP status code. // so if it's missing then use HTTP status code.
provState, _ := pollers.GetProvisioningState(resp) provState, _ := poller.GetProvisioningState(resp)
p.resp = resp p.resp = resp
if provState != "" { if provState != "" {
p.CurState = provState p.CurState = provState
} else if resp.StatusCode == http.StatusAccepted { } else if resp.StatusCode == http.StatusAccepted {
p.CurState = pollers.StatusInProgress p.CurState = poller.StatusInProgress
} else if resp.StatusCode > 199 && resp.StatusCode < 300 { } else if resp.StatusCode > 199 && resp.StatusCode < 300 {
// any 2xx other than a 202 indicates success // any 2xx other than a 202 indicates success
p.CurState = pollers.StatusSucceeded p.CurState = poller.StatusSucceeded
} else { } else {
p.CurState = pollers.StatusFailed p.CurState = poller.StatusFailed
} }
return p.CurState, nil return p.CurState, nil
}) })
@ -114,5 +115,5 @@ func (p *Poller[T]) Poll(ctx context.Context) (*http.Response, error) {
} }
func (p *Poller[T]) Result(ctx context.Context, out *T) error { func (p *Poller[T]) Result(ctx context.Context, out *T) error {
return pollers.ResultHelper(p.resp, pollers.Failed(p.CurState), out) return pollers.ResultHelper(p.resp, poller.Failed(p.CurState), out)
} }

View file

@ -16,6 +16,7 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/log" "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/log"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers" "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared" "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared"
"github.com/Azure/azure-sdk-for-go/sdk/internal/poller"
) )
// Applicable returns true if the LRO is using Operation-Location. // Applicable returns true if the LRO is using Operation-Location.
@ -54,19 +55,19 @@ func New[T any](pl exported.Pipeline, resp *http.Response, finalState pollers.Fi
if opURL == "" { if opURL == "" {
return nil, errors.New("response is missing Operation-Location header") return nil, errors.New("response is missing Operation-Location header")
} }
if !pollers.IsValidURL(opURL) { if !poller.IsValidURL(opURL) {
return nil, fmt.Errorf("invalid Operation-Location URL %s", opURL) return nil, fmt.Errorf("invalid Operation-Location URL %s", opURL)
} }
locURL := resp.Header.Get(shared.HeaderLocation) locURL := resp.Header.Get(shared.HeaderLocation)
// Location header is optional // Location header is optional
if locURL != "" && !pollers.IsValidURL(locURL) { if locURL != "" && !poller.IsValidURL(locURL) {
return nil, fmt.Errorf("invalid Location URL %s", locURL) return nil, fmt.Errorf("invalid Location URL %s", locURL)
} }
// default initial state to InProgress. if the // default initial state to InProgress. if the
// service sent us a status then use that instead. // service sent us a status then use that instead.
curState := pollers.StatusInProgress curState := poller.StatusInProgress
status, err := pollers.GetStatus(resp) status, err := poller.GetStatus(resp)
if err != nil && !errors.Is(err, pollers.ErrNoBody) { if err != nil && !errors.Is(err, poller.ErrNoBody) {
return nil, err return nil, err
} }
if status != "" { if status != "" {
@ -86,16 +87,16 @@ func New[T any](pl exported.Pipeline, resp *http.Response, finalState pollers.Fi
} }
func (p *Poller[T]) Done() bool { func (p *Poller[T]) Done() bool {
return pollers.IsTerminalState(p.CurState) return poller.IsTerminalState(p.CurState)
} }
func (p *Poller[T]) Poll(ctx context.Context) (*http.Response, error) { func (p *Poller[T]) Poll(ctx context.Context) (*http.Response, error) {
err := pollers.PollHelper(ctx, p.OpLocURL, p.pl, func(resp *http.Response) (string, error) { err := pollers.PollHelper(ctx, p.OpLocURL, p.pl, func(resp *http.Response) (string, error) {
if !pollers.StatusCodeValid(resp) { if !poller.StatusCodeValid(resp) {
p.resp = resp p.resp = resp
return "", exported.NewResponseError(resp) return "", exported.NewResponseError(resp)
} }
state, err := pollers.GetStatus(resp) state, err := poller.GetStatus(resp)
if err != nil { if err != nil {
return "", err return "", err
} else if state == "" { } else if state == "" {
@ -118,7 +119,7 @@ func (p *Poller[T]) Result(ctx context.Context, out *T) error {
req, err = exported.NewRequest(ctx, http.MethodGet, p.LocURL) req, err = exported.NewRequest(ctx, http.MethodGet, p.LocURL)
} else if p.FinalState == pollers.FinalStateViaOpLocation && p.Method == http.MethodPost { } else if p.FinalState == pollers.FinalStateViaOpLocation && p.Method == http.MethodPost {
// no final GET required, terminal response should have it // no final GET required, terminal response should have it
} else if rl, rlErr := pollers.GetResourceLocation(p.resp); rlErr != nil && !errors.Is(rlErr, pollers.ErrNoBody) { } else if rl, rlErr := poller.GetResourceLocation(p.resp); rlErr != nil && !errors.Is(rlErr, poller.ErrNoBody) {
return rlErr return rlErr
} else if rl != "" { } else if rl != "" {
req, err = exported.NewRequest(ctx, http.MethodGet, rl) req, err = exported.NewRequest(ctx, http.MethodGet, rl)
@ -140,5 +141,5 @@ func (p *Poller[T]) Result(ctx context.Context, out *T) error {
p.resp = resp p.resp = resp
} }
return pollers.ResultHelper(p.resp, pollers.Failed(p.CurState), out) return pollers.ResultHelper(p.resp, poller.Failed(p.CurState), out)
} }

View file

@ -12,49 +12,15 @@ import (
"errors" "errors"
"fmt" "fmt"
"net/http" "net/http"
"net/url"
"reflect" "reflect"
"strings"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported" azexported "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/log" "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/log"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared" "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared"
"github.com/Azure/azure-sdk-for-go/sdk/internal/exported"
"github.com/Azure/azure-sdk-for-go/sdk/internal/poller"
) )
// the well-known set of LRO status/provisioning state values.
const (
StatusSucceeded = "Succeeded"
StatusCanceled = "Canceled"
StatusFailed = "Failed"
StatusInProgress = "InProgress"
)
// IsTerminalState returns true if the LRO's state is terminal.
func IsTerminalState(s string) bool {
return strings.EqualFold(s, StatusSucceeded) || strings.EqualFold(s, StatusFailed) || strings.EqualFold(s, StatusCanceled)
}
// Failed returns true if the LRO's state is terminal failure.
func Failed(s string) bool {
return strings.EqualFold(s, StatusFailed) || strings.EqualFold(s, StatusCanceled)
}
// Succeeded returns true if the LRO's state is terminal success.
func Succeeded(s string) bool {
return strings.EqualFold(s, StatusSucceeded)
}
// returns true if the LRO response contains a valid HTTP status code
func StatusCodeValid(resp *http.Response) bool {
return exported.HasStatusCode(resp, http.StatusOK, http.StatusAccepted, http.StatusCreated, http.StatusNoContent)
}
// IsValidURL verifies that the URL is valid and absolute.
func IsValidURL(s string) bool {
u, err := url.Parse(s)
return err == nil && u.IsAbs()
}
// getTokenTypeName creates a type name from the type parameter T. // getTokenTypeName creates a type name from the type parameter T.
func getTokenTypeName[T any]() (string, error) { func getTokenTypeName[T any]() (string, error) {
tt := shared.TypeOfT[T]() tt := shared.TypeOfT[T]()
@ -130,102 +96,6 @@ func IsTokenValid[T any](token string) error {
return nil return nil
} }
// ErrNoBody is returned if the response didn't contain a body.
var ErrNoBody = errors.New("the response did not contain a body")
// GetJSON reads the response body into a raw JSON object.
// It returns ErrNoBody if there was no content.
func GetJSON(resp *http.Response) (map[string]interface{}, error) {
body, err := exported.Payload(resp)
if err != nil {
return nil, err
}
if len(body) == 0 {
return nil, ErrNoBody
}
// unmarshall the body to get the value
var jsonBody map[string]interface{}
if err = json.Unmarshal(body, &jsonBody); err != nil {
return nil, err
}
return jsonBody, nil
}
// provisioningState returns the provisioning state from the response or the empty string.
func provisioningState(jsonBody map[string]interface{}) string {
jsonProps, ok := jsonBody["properties"]
if !ok {
return ""
}
props, ok := jsonProps.(map[string]interface{})
if !ok {
return ""
}
rawPs, ok := props["provisioningState"]
if !ok {
return ""
}
ps, ok := rawPs.(string)
if !ok {
return ""
}
return ps
}
// status returns the status from the response or the empty string.
func status(jsonBody map[string]interface{}) string {
rawStatus, ok := jsonBody["status"]
if !ok {
return ""
}
status, ok := rawStatus.(string)
if !ok {
return ""
}
return status
}
// GetStatus returns the LRO's status from the response body.
// Typically used for Azure-AsyncOperation flows.
// If there is no status in the response body the empty string is returned.
func GetStatus(resp *http.Response) (string, error) {
jsonBody, err := GetJSON(resp)
if err != nil {
return "", err
}
return status(jsonBody), nil
}
// GetProvisioningState returns the LRO's state from the response body.
// If there is no state in the response body the empty string is returned.
func GetProvisioningState(resp *http.Response) (string, error) {
jsonBody, err := GetJSON(resp)
if err != nil {
return "", err
}
return provisioningState(jsonBody), nil
}
// GetResourceLocation returns the LRO's resourceLocation value from the response body.
// Typically used for Operation-Location flows.
// If there is no resourceLocation in the response body the empty string is returned.
func GetResourceLocation(resp *http.Response) (string, error) {
jsonBody, err := GetJSON(resp)
if err != nil {
return "", err
}
v, ok := jsonBody["resourceLocation"]
if !ok {
// it might be ok if the field doesn't exist, the caller must make that determination
return "", nil
}
vv, ok := v.(string)
if !ok {
return "", fmt.Errorf("the resourceLocation value %v was not in string format", v)
}
return vv, nil
}
// used if the operation synchronously completed // used if the operation synchronously completed
type NopPoller[T any] struct { type NopPoller[T any] struct {
resp *http.Response resp *http.Response
@ -239,7 +109,7 @@ func NewNopPoller[T any](resp *http.Response) (*NopPoller[T], error) {
if resp.StatusCode == http.StatusNoContent { if resp.StatusCode == http.StatusNoContent {
return np, nil return np, nil
} }
payload, err := exported.Payload(resp) payload, err := exported.Payload(resp, nil)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -269,8 +139,8 @@ func (p *NopPoller[T]) Result(ctx context.Context, out *T) error {
// If the request fails, the update func is not called. // If the request fails, the update func is not called.
// The update func returns the state of the operation for logging purposes or an error // The update func returns the state of the operation for logging purposes or an error
// if it fails to extract the required state from the response. // if it fails to extract the required state from the response.
func PollHelper(ctx context.Context, endpoint string, pl exported.Pipeline, update func(resp *http.Response) (string, error)) error { func PollHelper(ctx context.Context, endpoint string, pl azexported.Pipeline, update func(resp *http.Response) (string, error)) error {
req, err := exported.NewRequest(ctx, http.MethodGet, endpoint) req, err := azexported.NewRequest(ctx, http.MethodGet, endpoint)
if err != nil { if err != nil {
return err return err
} }
@ -296,13 +166,13 @@ func ResultHelper[T any](resp *http.Response, failed bool, out *T) error {
} }
defer resp.Body.Close() defer resp.Body.Close()
if !StatusCodeValid(resp) || failed { if !poller.StatusCodeValid(resp) || failed {
// the LRO failed. unmarshall the error and update state // the LRO failed. unmarshall the error and update state
return exported.NewResponseError(resp) return azexported.NewResponseError(resp)
} }
// success case // success case
payload, err := exported.Payload(resp) payload, err := exported.Payload(resp, nil)
if err != nil { if err != nil {
return err return err
} }

View file

@ -21,6 +21,8 @@ const (
HeaderOperationLocation = "Operation-Location" HeaderOperationLocation = "Operation-Location"
HeaderRetryAfter = "Retry-After" HeaderRetryAfter = "Retry-After"
HeaderUserAgent = "User-Agent" HeaderUserAgent = "User-Agent"
HeaderWWWAuthenticate = "WWW-Authenticate"
HeaderXMSClientRequestID = "x-ms-client-request-id"
) )
const BearerTokenPrefix = "Bearer " const BearerTokenPrefix = "Bearer "
@ -30,5 +32,5 @@ const (
Module = "azcore" Module = "azcore"
// Version is the semantic version (see http://semver.org) of this module. // Version is the semantic version (see http://semver.org) of this module.
Version = "v1.3.0" Version = "v1.6.0"
) )

View file

@ -8,9 +8,7 @@ package shared
import ( import (
"context" "context"
"errors"
"fmt" "fmt"
"io"
"net/http" "net/http"
"reflect" "reflect"
"regexp" "regexp"
@ -64,71 +62,6 @@ func TypeOfT[T any]() reflect.Type {
return reflect.TypeOf((*T)(nil)).Elem() return reflect.TypeOf((*T)(nil)).Elem()
} }
// BytesSetter abstracts replacing a byte slice on some type.
type BytesSetter interface {
Set(b []byte)
}
// NewNopClosingBytesReader creates a new *NopClosingBytesReader for the specified slice.
func NewNopClosingBytesReader(data []byte) *NopClosingBytesReader {
return &NopClosingBytesReader{s: data}
}
// NopClosingBytesReader is an io.ReadSeekCloser around a byte slice.
// It also provides direct access to the byte slice to avoid rereading.
type NopClosingBytesReader struct {
s []byte
i int64
}
// Bytes returns the underlying byte slice.
func (r *NopClosingBytesReader) Bytes() []byte {
return r.s
}
// Close implements the io.Closer interface.
func (*NopClosingBytesReader) Close() error {
return nil
}
// Read implements the io.Reader interface.
func (r *NopClosingBytesReader) Read(b []byte) (n int, err error) {
if r.i >= int64(len(r.s)) {
return 0, io.EOF
}
n = copy(b, r.s[r.i:])
r.i += int64(n)
return
}
// Set replaces the existing byte slice with the specified byte slice and resets the reader.
func (r *NopClosingBytesReader) Set(b []byte) {
r.s = b
r.i = 0
}
// Seek implements the io.Seeker interface.
func (r *NopClosingBytesReader) Seek(offset int64, whence int) (int64, error) {
var i int64
switch whence {
case io.SeekStart:
i = offset
case io.SeekCurrent:
i = r.i + offset
case io.SeekEnd:
i = int64(len(r.s)) + offset
default:
return 0, errors.New("nopClosingBytesReader: invalid whence")
}
if i < 0 {
return 0, errors.New("nopClosingBytesReader: negative position")
}
r.i = i
return i, nil
}
var _ BytesSetter = (*NopClosingBytesReader)(nil)
// TransportFunc is a helper to use a first-class func to satisfy the Transporter interface. // TransportFunc is a helper to use a first-class func to satisfy the Transporter interface.
type TransportFunc func(*http.Request) (*http.Response, error) type TransportFunc func(*http.Request) (*http.Response, error)

View file

@ -99,7 +99,7 @@ type RetryOptions struct {
// MaxRetryDelay specifies the maximum delay allowed before retrying an operation. // MaxRetryDelay specifies the maximum delay allowed before retrying an operation.
// Typically the value is greater than or equal to the value specified in RetryDelay. // Typically the value is greater than or equal to the value specified in RetryDelay.
// The default Value is 120 seconds. A value less than zero means there is no cap. // The default Value is 60 seconds. A value less than zero means there is no cap.
MaxRetryDelay time.Duration MaxRetryDelay time.Duration
// StatusCodes specifies the HTTP status codes that indicate the operation should be retried. // StatusCodes specifies the HTTP status codes that indicate the operation should be retried.
@ -113,6 +113,15 @@ type RetryOptions struct {
// Specifying values will replace the default values. // Specifying values will replace the default values.
// Specifying an empty slice will disable retries for HTTP status codes. // Specifying an empty slice will disable retries for HTTP status codes.
StatusCodes []int StatusCodes []int
// ShouldRetry evaluates if the retry policy should retry the request.
// When specified, the function overrides comparison against the list of
// HTTP status codes and error checking within the retry policy. Context
// and NonRetriable errors remain evaluated before calling ShouldRetry.
// The *http.Response and error parameters are mutually exclusive, i.e.
// if one is nil, the other is not nil.
// A return value of true means the retry policy should retry.
ShouldRetry func(*http.Response, error) bool
} }
// TelemetryOptions configures the telemetry policy's behavior. // TelemetryOptions configures the telemetry policy's behavior.

View file

@ -7,8 +7,6 @@
package runtime package runtime
import ( import (
"net/http"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported" "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
) )
@ -46,7 +44,7 @@ func NewPipeline(module, version string, plOpts PipelineOptions, options *policy
} }
// we put the includeResponsePolicy at the very beginning so that the raw response // we put the includeResponsePolicy at the very beginning so that the raw response
// is populated with the final response (some policies might mutate the response) // is populated with the final response (some policies might mutate the response)
policies := []policy.Policy{policyFunc(includeResponsePolicy)} policies := []policy.Policy{exported.PolicyFunc(includeResponsePolicy)}
if cp.APIVersion != "" { if cp.APIVersion != "" {
policies = append(policies, newAPIVersionPolicy(cp.APIVersion, &plOpts.APIVersion)) policies = append(policies, newAPIVersionPolicy(cp.APIVersion, &plOpts.APIVersion))
} }
@ -59,19 +57,10 @@ func NewPipeline(module, version string, plOpts PipelineOptions, options *policy
policies = append(policies, plOpts.PerRetry...) policies = append(policies, plOpts.PerRetry...)
policies = append(policies, cp.PerRetryPolicies...) policies = append(policies, cp.PerRetryPolicies...)
policies = append(policies, NewLogPolicy(&cp.Logging)) policies = append(policies, NewLogPolicy(&cp.Logging))
policies = append(policies, policyFunc(httpHeaderPolicy), policyFunc(bodyDownloadPolicy)) policies = append(policies, exported.PolicyFunc(httpHeaderPolicy), exported.PolicyFunc(bodyDownloadPolicy))
transport := cp.Transport transport := cp.Transport
if transport == nil { if transport == nil {
transport = defaultHTTPClient transport = defaultHTTPClient
} }
return exported.NewPipeline(transport, policies...) return exported.NewPipeline(transport, policies...)
} }
// policyFunc is a type that implements the Policy interface.
// Use this type when implementing a stateless policy as a first-class function.
type policyFunc func(*policy.Request) (*http.Response, error)
// Do implements the Policy interface on policyFunc.
func (pf policyFunc) Do(req *policy.Request) (*http.Response, error) {
return pf(req)
}

View file

@ -11,7 +11,6 @@ import (
"net/http" "net/http"
"strings" "strings"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
"github.com/Azure/azure-sdk-for-go/sdk/internal/errorinfo" "github.com/Azure/azure-sdk-for-go/sdk/internal/errorinfo"
) )
@ -29,7 +28,7 @@ func bodyDownloadPolicy(req *policy.Request) (*http.Response, error) {
} }
// Either bodyDownloadPolicyOpValues was not specified (so skip is false) // Either bodyDownloadPolicyOpValues was not specified (so skip is false)
// or it was specified and skip is false: don't skip downloading the body // or it was specified and skip is false: don't skip downloading the body
_, err = exported.Payload(resp) _, err = Payload(resp)
if err != nil { if err != nil {
return resp, newBodyDownloadError(err, req) return resp, newBodyDownloadError(err, req)
} }

View file

@ -11,6 +11,7 @@ import (
"fmt" "fmt"
"io" "io"
"net/http" "net/http"
"net/url"
"sort" "sort"
"strings" "strings"
"time" "time"
@ -66,12 +67,7 @@ func NewLogPolicy(o *policy.LogOptions) policy.Policy {
allowedHeaders[strings.ToLower(ah)] = struct{}{} allowedHeaders[strings.ToLower(ah)] = struct{}{}
} }
// now do the same thing for query params // now do the same thing for query params
allowedQP := map[string]struct{}{ allowedQP := getAllowedQueryParams(o.AllowedQueryParams)
"api-version": {},
}
for _, qp := range o.AllowedQueryParams {
allowedQP[strings.ToLower(qp)] = struct{}{}
}
return &logPolicy{ return &logPolicy{
includeBody: o.IncludeBody, includeBody: o.IncludeBody,
allowedHeaders: allowedHeaders, allowedHeaders: allowedHeaders,
@ -79,6 +75,18 @@ func NewLogPolicy(o *policy.LogOptions) policy.Policy {
} }
} }
// getAllowedQueryParams merges the default set of allowed query parameters
// with a custom set (usually comes from client options).
func getAllowedQueryParams(customAllowedQP []string) map[string]struct{} {
allowedQP := map[string]struct{}{
"api-version": {},
}
for _, qp := range customAllowedQP {
allowedQP[strings.ToLower(qp)] = struct{}{}
}
return allowedQP
}
// logPolicyOpValues is the struct containing the per-operation values // logPolicyOpValues is the struct containing the per-operation values
type logPolicyOpValues struct { type logPolicyOpValues struct {
try int32 try int32
@ -140,20 +148,24 @@ func (p *logPolicy) Do(req *policy.Request) (*http.Response, error) {
const redactedValue = "REDACTED" const redactedValue = "REDACTED"
// writeRequestWithResponse appends a formatted HTTP request into a Buffer. If request and/or err are // getSanitizedURL returns a sanitized string for the provided url.URL
// not nil, then these are also written into the Buffer. func getSanitizedURL(u url.URL, allowedQueryParams map[string]struct{}) string {
func (p *logPolicy) writeRequestWithResponse(b *bytes.Buffer, req *policy.Request, resp *http.Response, err error) {
// redact applicable query params // redact applicable query params
cpURL := *req.Raw().URL qp := u.Query()
qp := cpURL.Query()
for k := range qp { for k := range qp {
if _, ok := p.allowedQP[strings.ToLower(k)]; !ok { if _, ok := allowedQueryParams[strings.ToLower(k)]; !ok {
qp.Set(k, redactedValue) qp.Set(k, redactedValue)
} }
} }
cpURL.RawQuery = qp.Encode() u.RawQuery = qp.Encode()
return u.String()
}
// writeRequestWithResponse appends a formatted HTTP request into a Buffer. If request and/or err are
// not nil, then these are also written into the Buffer.
func (p *logPolicy) writeRequestWithResponse(b *bytes.Buffer, req *policy.Request, resp *http.Response, err error) {
// Write the request into the buffer. // Write the request into the buffer.
fmt.Fprint(b, " "+req.Raw().Method+" "+cpURL.String()+"\n") fmt.Fprint(b, " "+req.Raw().Method+" "+getSanitizedURL(*req.Raw().URL, p.allowedQP)+"\n")
p.writeHeader(b, req.Raw().Header) p.writeHeader(b, req.Raw().Header)
if resp != nil { if resp != nil {
fmt.Fprintln(b, " --------------------------------------------------------------------------------") fmt.Fprintln(b, " --------------------------------------------------------------------------------")

View file

@ -9,6 +9,7 @@ package runtime
import ( import (
"net/http" "net/http"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
"github.com/Azure/azure-sdk-for-go/sdk/internal/uuid" "github.com/Azure/azure-sdk-for-go/sdk/internal/uuid"
) )
@ -21,13 +22,12 @@ func NewRequestIDPolicy() policy.Policy {
} }
func (r *requestIDPolicy) Do(req *policy.Request) (*http.Response, error) { func (r *requestIDPolicy) Do(req *policy.Request) (*http.Response, error) {
const requestIdHeader = "x-ms-client-request-id" if req.Raw().Header.Get(shared.HeaderXMSClientRequestID) == "" {
if req.Raw().Header.Get(requestIdHeader) == "" {
id, err := uuid.New() id, err := uuid.New()
if err != nil { if err != nil {
return nil, err return nil, err
} }
req.Raw().Header.Set(requestIdHeader, id.String()) req.Raw().Header.Set(shared.HeaderXMSClientRequestID, id.String())
} }
return req.Next() return req.Next()

View file

@ -19,6 +19,7 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared" "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
"github.com/Azure/azure-sdk-for-go/sdk/internal/errorinfo" "github.com/Azure/azure-sdk-for-go/sdk/internal/errorinfo"
"github.com/Azure/azure-sdk-for-go/sdk/internal/exported"
) )
const ( const (
@ -133,7 +134,7 @@ func (p *retryPolicy) Do(req *policy.Request) (resp *http.Response, err error) {
// if the body was already downloaded or there was an error it's safe to cancel the context now // if the body was already downloaded or there was an error it's safe to cancel the context now
if err != nil { if err != nil {
tryCancel() tryCancel()
} else if _, ok := resp.Body.(*shared.NopClosingBytesReader); ok { } else if exported.PayloadDownloaded(resp) {
tryCancel() tryCancel()
} else { } else {
// must cancel the context after the body has been read and closed // must cancel the context after the body has been read and closed
@ -146,11 +147,7 @@ func (p *retryPolicy) Do(req *policy.Request) (resp *http.Response, err error) {
log.Writef(log.EventRetryPolicy, "error %v", err) log.Writef(log.EventRetryPolicy, "error %v", err)
} }
if err == nil && !HasStatusCode(resp, options.StatusCodes...) { if ctxErr := req.Raw().Context().Err(); ctxErr != nil {
// if there is no error and the response code isn't in the list of retry codes then we're done.
log.Write(log.EventRetryPolicy, "exit due to non-retriable status code")
return
} else if ctxErr := req.Raw().Context().Err(); ctxErr != nil {
// don't retry if the parent context has been cancelled or its deadline exceeded // don't retry if the parent context has been cancelled or its deadline exceeded
err = ctxErr err = ctxErr
log.Writef(log.EventRetryPolicy, "abort due to %v", err) log.Writef(log.EventRetryPolicy, "abort due to %v", err)
@ -165,6 +162,19 @@ func (p *retryPolicy) Do(req *policy.Request) (resp *http.Response, err error) {
return return
} }
if options.ShouldRetry != nil {
// a non-nil ShouldRetry overrides our HTTP status code check
if !options.ShouldRetry(resp, err) {
// predicate says we shouldn't retry
log.Write(log.EventRetryPolicy, "exit due to ShouldRetry")
return
}
} else if err == nil && !HasStatusCode(resp, options.StatusCodes...) {
// if there is no error and the response code isn't in the list of retry codes then we're done.
log.Write(log.EventRetryPolicy, "exit due to non-retriable status code")
return
}
if try == options.MaxRetries+1 { if try == options.MaxRetries+1 {
// max number of tries has been reached, don't sleep again // max number of tries has been reached, don't sleep again
log.Writef(log.EventRetryPolicy, "MaxRetries %d exceeded", options.MaxRetries) log.Writef(log.EventRetryPolicy, "MaxRetries %d exceeded", options.MaxRetries)

View file

@ -23,6 +23,7 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/loc" "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/loc"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/op" "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/op"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared" "github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared"
"github.com/Azure/azure-sdk-for-go/sdk/internal/poller"
) )
// FinalStateVia is the enumerated type for the possible final-state-via values. // FinalStateVia is the enumerated type for the possible final-state-via values.
@ -75,7 +76,7 @@ func NewPoller[T any](resp *http.Response, pl exported.Pipeline, options *NewPol
defer resp.Body.Close() defer resp.Body.Close()
// this is a back-stop in case the swagger is incorrect (i.e. missing one or more status codes for success). // this is a back-stop in case the swagger is incorrect (i.e. missing one or more status codes for success).
// ideally the codegen should return an error if the initial response failed and not even create a poller. // ideally the codegen should return an error if the initial response failed and not even create a poller.
if !pollers.StatusCodeValid(resp) { if !poller.StatusCodeValid(resp) {
return nil, errors.New("the operation failed or was cancelled") return nil, errors.New("the operation failed or was cancelled")
} }
@ -146,7 +147,9 @@ func NewPollerFromResumeToken[T any](token string, pl exported.Pipeline, options
opr := options.Handler opr := options.Handler
// now rehydrate the poller based on the encoded poller type // now rehydrate the poller based on the encoded poller type
if async.CanResume(asJSON) { if opr != nil {
log.Writef(log.EventLRO, "Resuming custom poller %T.", opr)
} else if async.CanResume(asJSON) {
opr, _ = async.New[T](pl, nil, "") opr, _ = async.New[T](pl, nil, "")
} else if body.CanResume(asJSON) { } else if body.CanResume(asJSON) {
opr, _ = body.New[T](pl, nil) opr, _ = body.New[T](pl, nil)
@ -154,8 +157,6 @@ func NewPollerFromResumeToken[T any](token string, pl exported.Pipeline, options
opr, _ = loc.New[T](pl, nil) opr, _ = loc.New[T](pl, nil)
} else if op.CanResume(asJSON) { } else if op.CanResume(asJSON) {
opr, _ = op.New[T](pl, nil, "") opr, _ = op.New[T](pl, nil, "")
} else if opr != nil {
log.Writef(log.EventLRO, "Resuming custom poller %T.", opr)
} else { } else {
return nil, fmt.Errorf("unhandled poller token %s", string(raw)) return nil, fmt.Errorf("unhandled poller token %s", string(raw))
} }

View file

@ -15,15 +15,14 @@ import (
"io" "io"
"net/http" "net/http"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported" "github.com/Azure/azure-sdk-for-go/sdk/internal/exported"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared"
) )
// Payload reads and returns the response body or an error. // Payload reads and returns the response body or an error.
// On a successful read, the response body is cached. // On a successful read, the response body is cached.
// Subsequent reads will access the cached value. // Subsequent reads will access the cached value.
func Payload(resp *http.Response) ([]byte, error) { func Payload(resp *http.Response) ([]byte, error) {
return exported.Payload(resp) return exported.Payload(resp, nil)
} }
// HasStatusCode returns true if the Response's status code is one of the specified values. // HasStatusCode returns true if the Response's status code is one of the specified values.
@ -92,15 +91,15 @@ func Drain(resp *http.Response) {
// removeBOM removes any byte-order mark prefix from the payload if present. // removeBOM removes any byte-order mark prefix from the payload if present.
func removeBOM(resp *http.Response) error { func removeBOM(resp *http.Response) error {
payload, err := Payload(resp) _, err := exported.Payload(resp, &exported.PayloadOptions{
BytesModifier: func(b []byte) []byte {
// UTF8
return bytes.TrimPrefix(b, []byte("\xef\xbb\xbf"))
},
})
if err != nil { if err != nil {
return err return err
} }
// UTF8
trimmed := bytes.TrimPrefix(payload, []byte("\xef\xbb\xbf"))
if len(trimmed) < len(payload) {
resp.Body.(shared.BytesSetter).Set(trimmed)
}
return nil return nil
} }

View file

@ -20,6 +20,9 @@ type progress struct {
} }
// NopCloser returns a ReadSeekCloser with a no-op close method wrapping the provided io.ReadSeeker. // NopCloser returns a ReadSeekCloser with a no-op close method wrapping the provided io.ReadSeeker.
// In addition to adding a Close method to an io.ReadSeeker, this can also be used to wrap an
// io.ReadSeekCloser with a no-op Close method to allow explicit control of when the io.ReedSeekCloser
// has its underlying stream closed.
func NopCloser(rs io.ReadSeeker) io.ReadSeekCloser { func NopCloser(rs io.ReadSeeker) io.ReadSeekCloser {
return exported.NopCloser(rs) return exported.NopCloser(rs)
} }

View file

@ -1,9 +1,63 @@
# Release History # Release History
## 1.2.1 (2023-01-26) ## 1.3.0 (2023-05-09)
### Breaking Changes
> These changes affect only code written against a beta version such as v1.3.0-beta.5
* Renamed `NewOnBehalfOfCredentialFromCertificate` to `NewOnBehalfOfCredentialWithCertificate`
* Renamed `NewOnBehalfOfCredentialFromSecret` to `NewOnBehalfOfCredentialWithSecret`
### Other Changes ### Other Changes
* Upgrade MSAL to v0.8.1 * Upgraded to MSAL v1.0.0
## 1.3.0-beta.5 (2023-04-11)
### Breaking Changes
> These changes affect only code written against a beta version such as v1.3.0-beta.4
* Moved `NewWorkloadIdentityCredential()` parameters into `WorkloadIdentityCredentialOptions`.
The constructor now reads default configuration from environment variables set by the Azure
workload identity webhook by default.
([#20478](https://github.com/Azure/azure-sdk-for-go/pull/20478))
* Removed CAE support. It will return in v1.4.0-beta.1
([#20479](https://github.com/Azure/azure-sdk-for-go/pull/20479))
### Bugs Fixed
* Fixed an issue in `DefaultAzureCredential` that could cause the managed identity endpoint check to fail in rare circumstances.
## 1.3.0-beta.4 (2023-03-08)
### Features Added
* Added `WorkloadIdentityCredentialOptions.AdditionallyAllowedTenants` and `.DisableInstanceDiscovery`
### Bugs Fixed
* Credentials now synchronize within `GetToken()` so a single instance can be shared among goroutines
([#20044](https://github.com/Azure/azure-sdk-for-go/issues/20044))
### Other Changes
* Upgraded dependencies
## 1.2.2 (2023-03-07)
### Other Changes
* Upgraded dependencies
## 1.3.0-beta.3 (2023-02-07)
### Features Added
* By default, credentials set client capability "CP1" to enable support for
[Continuous Access Evaluation (CAE)](https://docs.microsoft.com/azure/active-directory/develop/app-resilience-continuous-access-evaluation).
This indicates to Azure Active Directory that your application can handle CAE claims challenges.
You can disable this behavior by setting the environment variable "AZURE_IDENTITY_DISABLE_CP1" to "true".
* `InteractiveBrowserCredentialOptions.LoginHint` enables pre-populating the login
prompt with a username ([#15599](https://github.com/Azure/azure-sdk-for-go/pull/15599))
* Service principal and user credentials support ADFS authentication on Azure Stack.
Specify "adfs" as the credential's tenant.
* Applications running in private or disconnected clouds can prevent credentials from
requesting Azure AD instance metadata by setting the `DisableInstanceDiscovery`
field on credential options.
* Many credentials can now be configured to authenticate in multiple tenants. The
options types for these credentials have an `AdditionallyAllowedTenants` field
that specifies additional tenants in which the credential may authenticate.
## 1.3.0-beta.2 (2023-01-10) ## 1.3.0-beta.2 (2023-01-10)

View file

@ -55,8 +55,9 @@ an Azure AD access token. See [Credential Types](#credential-types "Credential T
![DefaultAzureCredential authentication flow](img/mermaidjs/DefaultAzureCredentialAuthFlow.svg) ![DefaultAzureCredential authentication flow](img/mermaidjs/DefaultAzureCredentialAuthFlow.svg)
1. **Environment** - `DefaultAzureCredential` will read account information specified via [environment variables](#environment-variables) and use it to authenticate. 1. **Environment** - `DefaultAzureCredential` will read account information specified via [environment variables](#environment-variables) and use it to authenticate.
2. **Managed Identity** - If the app is deployed to an Azure host with managed identity enabled, `DefaultAzureCredential` will authenticate with it. 1. **Workload Identity** - If the app is deployed on Kubernetes with environment variables set by the workload identity webhook, `DefaultAzureCredential` will authenticate the configured identity.
3. **Azure CLI** - If a user or service principal has authenticated via the Azure CLI `az login` command, `DefaultAzureCredential` will authenticate that identity. 1. **Managed Identity** - If the app is deployed to an Azure host with managed identity enabled, `DefaultAzureCredential` will authenticate with it.
1. **Azure CLI** - If a user or service principal has authenticated via the Azure CLI `az login` command, `DefaultAzureCredential` will authenticate that identity.
> Note: `DefaultAzureCredential` is intended to simplify getting started with the SDK by handling common scenarios with reasonable default behaviors. Developers who want more control or whose scenario isn't served by the default settings should use other credential types. > Note: `DefaultAzureCredential` is intended to simplify getting started with the SDK by handling common scenarios with reasonable default behaviors. Developers who want more control or whose scenario isn't served by the default settings should use other credential types.
@ -128,12 +129,13 @@ client := armresources.NewResourceGroupsClient("subscription ID", chain, nil)
|[ChainedTokenCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ChainedTokenCredential)|Define custom authentication flows, composing multiple credentials |[ChainedTokenCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ChainedTokenCredential)|Define custom authentication flows, composing multiple credentials
|[EnvironmentCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#EnvironmentCredential)|Authenticate a service principal or user configured by environment variables |[EnvironmentCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#EnvironmentCredential)|Authenticate a service principal or user configured by environment variables
|[ManagedIdentityCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ManagedIdentityCredential)|Authenticate the managed identity of an Azure resource |[ManagedIdentityCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ManagedIdentityCredential)|Authenticate the managed identity of an Azure resource
|[WorkloadIdentityCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#WorkloadIdentityCredential)|Authenticate a workload identity on Kubernetes
### Authenticating Service Principals ### Authenticating Service Principals
|Credential|Usage |Credential|Usage
|-|- |-|-
|[ClientAssertionCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.2.0-beta.2#ClientAssertionCredential)|Authenticate a service principal with a signed client assertion |[ClientAssertionCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientAssertionCredential)|Authenticate a service principal with a signed client assertion
|[ClientCertificateCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientCertificateCredential)|Authenticate a service principal with a certificate |[ClientCertificateCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientCertificateCredential)|Authenticate a service principal with a certificate
|[ClientSecretCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientSecretCredential)|Authenticate a service principal with a secret |[ClientSecretCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientSecretCredential)|Authenticate a service principal with a secret

View file

@ -8,16 +8,17 @@ This troubleshooting guide covers failure investigation techniques, common error
- [Permission issues](#permission-issues) - [Permission issues](#permission-issues)
- [Find relevant information in errors](#find-relevant-information-in-errors) - [Find relevant information in errors](#find-relevant-information-in-errors)
- [Enable and configure logging](#enable-and-configure-logging) - [Enable and configure logging](#enable-and-configure-logging)
- [Troubleshoot AzureCliCredential authentication issues](#troubleshoot-azureclicredential-authentication-issues)
- [Troubleshoot ClientCertificateCredential authentication issues](#troubleshoot-clientcertificatecredential-authentication-issues)
- [Troubleshoot ClientSecretCredential authentication issues](#troubleshoot-clientsecretcredential-authentication-issues)
- [Troubleshoot DefaultAzureCredential authentication issues](#troubleshoot-defaultazurecredential-authentication-issues) - [Troubleshoot DefaultAzureCredential authentication issues](#troubleshoot-defaultazurecredential-authentication-issues)
- [Troubleshoot EnvironmentCredential authentication issues](#troubleshoot-environmentcredential-authentication-issues) - [Troubleshoot EnvironmentCredential authentication issues](#troubleshoot-environmentcredential-authentication-issues)
- [Troubleshoot ClientSecretCredential authentication issues](#troubleshoot-clientsecretcredential-authentication-issues)
- [Troubleshoot ClientCertificateCredential authentication issues](#troubleshoot-clientcertificatecredential-authentication-issues)
- [Troubleshoot UsernamePasswordCredential authentication issues](#troubleshoot-usernamepasswordcredential-authentication-issues)
- [Troubleshoot ManagedIdentityCredential authentication issues](#troubleshoot-managedidentitycredential-authentication-issues) - [Troubleshoot ManagedIdentityCredential authentication issues](#troubleshoot-managedidentitycredential-authentication-issues)
- [Azure Virtual Machine managed identity](#azure-virtual-machine-managed-identity)
- [Azure App Service and Azure Functions managed identity](#azure-app-service-and-azure-functions-managed-identity) - [Azure App Service and Azure Functions managed identity](#azure-app-service-and-azure-functions-managed-identity)
- [Azure Kubernetes Service managed identity](#azure-kubernetes-service-managed-identity) - [Azure Kubernetes Service managed identity](#azure-kubernetes-service-managed-identity)
- [Troubleshoot AzureCliCredential authentication issues](#troubleshoot-azureclicredential-authentication-issues) - [Azure Virtual Machine managed identity](#azure-virtual-machine-managed-identity)
- [Troubleshoot UsernamePasswordCredential authentication issues](#troubleshoot-usernamepasswordcredential-authentication-issues)
- [Troubleshoot WorkloadIdentityCredential authentication issues](#troubleshoot-workloadidentitycredential-authentication-issues)
- [Get additional help](#get-additional-help) - [Get additional help](#get-additional-help)
## Handle azidentity errors ## Handle azidentity errors
@ -79,7 +80,7 @@ azlog.SetEvents(azidentity.EventAuthentication)
| Error |Description| Mitigation | | Error |Description| Mitigation |
|---|---|---| |---|---|---|
|"DefaultAzureCredential failed to acquire a token"|No credential in the `DefaultAzureCredential` chain provided a token|<ul><li>[Enable logging](#enable-and-configure-logging) to get further diagnostic information.</li><li>Consult the troubleshooting guide for underlying credential types for more information.</li><ul><li>[EnvironmentCredential](#troubleshoot-environmentcredential-authentication-issues)</li><li>[ManagedIdentityCredential](#troubleshoot-visualstudiocredential-authentication-issues)</li><li>[AzureCLICredential](#troubleshoot-azureclicredential-authentication-issues)</li></ul>| |"DefaultAzureCredential failed to acquire a token"|No credential in the `DefaultAzureCredential` chain provided a token|<ul><li>[Enable logging](#enable-and-configure-logging) to get further diagnostic information.</li><li>Consult the troubleshooting guide for underlying credential types for more information.</li><ul><li>[EnvironmentCredential](#troubleshoot-environmentcredential-authentication-issues)</li><li>[ManagedIdentityCredential](#troubleshoot-managedidentitycredential-authentication-issues)</li><li>[AzureCLICredential](#troubleshoot-azureclicredential-authentication-issues)</li></ul>|
|Error from the client with a status code of 401 or 403|Authentication succeeded but the authorizing Azure service responded with a 401 (Unauthorized), or 403 (Forbidden) status code|<ul><li>[Enable logging](#enable-and-configure-logging) to determine which credential in the chain returned the authenticating token.</li><li>If an unexpected credential is returning a token, check application configuration such as environment variables.</li><li>Ensure the correct role is assigned to the authenticated identity. For example, a service specific role rather than the subscription Owner role.</li></ul>| |Error from the client with a status code of 401 or 403|Authentication succeeded but the authorizing Azure service responded with a 401 (Unauthorized), or 403 (Forbidden) status code|<ul><li>[Enable logging](#enable-and-configure-logging) to determine which credential in the chain returned the authenticating token.</li><li>If an unexpected credential is returning a token, check application configuration such as environment variables.</li><li>Ensure the correct role is assigned to the authenticated identity. For example, a service specific role rather than the subscription Owner role.</li></ul>|
## Troubleshoot EnvironmentCredential authentication issues ## Troubleshoot EnvironmentCredential authentication issues
@ -192,6 +193,13 @@ az account get-access-token --output json --resource https://management.core.win
> This command's output will contain an access token and SHOULD NOT BE SHARED, to avoid compromising account security. > This command's output will contain an access token and SHOULD NOT BE SHARED, to avoid compromising account security.
<a id="workload"></a>
## Troubleshoot `WorkloadIdentityCredential` authentication issues
| Error Message |Description| Mitigation |
|---|---|---|
|no client ID/tenant ID/token file specified|Incomplete configuration|In most cases these values are provided via environment variables set by Azure Workload Identity.<ul><li>If your application runs on Azure Kubernetes Servide (AKS) or a cluster that has deployed the Azure Workload Identity admission webhook, check pod labels and service account configuration. See the [AKS documentation](https://learn.microsoft.com/azure/aks/workload-identity-deploy-cluster#disable-workload-identity) and [Azure Workload Identity troubleshooting guide](https://azure.github.io/azure-workload-identity/docs/troubleshooting.html) for more details.<li>If your application isn't running on AKS or your cluster hasn't deployed the Workload Identity admission webhook, set these values in `WorkloadIdentityCredentialOptions`
## Get additional help ## Get additional help
Additional information on ways to reach out for support can be found in [SUPPORT.md](https://github.com/Azure/azure-sdk-for-go/blob/main/SUPPORT.md). Additional information on ways to reach out for support can be found in [SUPPORT.md](https://github.com/Azure/azure-sdk-for-go/blob/main/SUPPORT.md).

View file

@ -0,0 +1,6 @@
{
"AssetsRepo": "Azure/azure-sdk-assets",
"AssetsRepoPrefixPath": "go",
"TagPrefix": "go/azidentity",
"Tag": "go/azidentity_6225ab0470"
}

View file

@ -15,6 +15,7 @@ import (
"net/url" "net/url"
"os" "os"
"regexp" "regexp"
"strings"
"github.com/Azure/azure-sdk-for-go/sdk/azcore" "github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud" "github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
@ -25,11 +26,13 @@ import (
) )
const ( const (
azureAdditionallyAllowedTenants = "AZURE_ADDITIONALLY_ALLOWED_TENANTS"
azureAuthorityHost = "AZURE_AUTHORITY_HOST" azureAuthorityHost = "AZURE_AUTHORITY_HOST"
azureClientCertificatePassword = "AZURE_CLIENT_CERTIFICATE_PASSWORD" azureClientCertificatePassword = "AZURE_CLIENT_CERTIFICATE_PASSWORD"
azureClientCertificatePath = "AZURE_CLIENT_CERTIFICATE_PATH" azureClientCertificatePath = "AZURE_CLIENT_CERTIFICATE_PATH"
azureClientID = "AZURE_CLIENT_ID" azureClientID = "AZURE_CLIENT_ID"
azureClientSecret = "AZURE_CLIENT_SECRET" azureClientSecret = "AZURE_CLIENT_SECRET"
azureFederatedTokenFile = "AZURE_FEDERATED_TOKEN_FILE"
azurePassword = "AZURE_PASSWORD" azurePassword = "AZURE_PASSWORD"
azureRegionalAuthorityName = "AZURE_REGIONAL_AUTHORITY_NAME" azureRegionalAuthorityName = "AZURE_REGIONAL_AUTHORITY_NAME"
azureTenantID = "AZURE_TENANT_ID" azureTenantID = "AZURE_TENANT_ID"
@ -41,7 +44,14 @@ const (
tenantIDValidationErr = "invalid tenantID. You can locate your tenantID by following the instructions listed here: https://docs.microsoft.com/partner-center/find-ids-and-domain-names" tenantIDValidationErr = "invalid tenantID. You can locate your tenantID by following the instructions listed here: https://docs.microsoft.com/partner-center/find-ids-and-domain-names"
) )
func getConfidentialClient(clientID, tenantID string, cred confidential.Credential, co *azcore.ClientOptions, additionalOpts ...confidential.Option) (confidential.Client, error) { var (
// capability CP1 indicates the client application is capable of handling CAE claims challenges
cp1 = []string{"CP1"}
// CP1 is disabled until CAE support is added back
disableCP1 = true
)
var getConfidentialClient = func(clientID, tenantID string, cred confidential.Credential, co *azcore.ClientOptions, additionalOpts ...confidential.Option) (confidentialClient, error) {
if !validTenantID(tenantID) { if !validTenantID(tenantID) {
return confidential.Client{}, errors.New(tenantIDValidationErr) return confidential.Client{}, errors.New(tenantIDValidationErr)
} }
@ -49,16 +59,22 @@ func getConfidentialClient(clientID, tenantID string, cred confidential.Credenti
if err != nil { if err != nil {
return confidential.Client{}, err return confidential.Client{}, err
} }
authority := runtime.JoinPaths(authorityHost, tenantID)
o := []confidential.Option{ o := []confidential.Option{
confidential.WithAuthority(runtime.JoinPaths(authorityHost, tenantID)),
confidential.WithAzureRegion(os.Getenv(azureRegionalAuthorityName)), confidential.WithAzureRegion(os.Getenv(azureRegionalAuthorityName)),
confidential.WithHTTPClient(newPipelineAdapter(co)), confidential.WithHTTPClient(newPipelineAdapter(co)),
} }
if !disableCP1 {
o = append(o, confidential.WithClientCapabilities(cp1))
}
o = append(o, additionalOpts...) o = append(o, additionalOpts...)
return confidential.New(clientID, cred, o...) if strings.ToLower(tenantID) == "adfs" {
o = append(o, confidential.WithInstanceDiscovery(false))
}
return confidential.New(authority, clientID, cred, o...)
} }
func getPublicClient(clientID, tenantID string, co *azcore.ClientOptions) (public.Client, error) { var getPublicClient = func(clientID, tenantID string, co *azcore.ClientOptions, additionalOpts ...public.Option) (public.Client, error) {
if !validTenantID(tenantID) { if !validTenantID(tenantID) {
return public.Client{}, errors.New(tenantIDValidationErr) return public.Client{}, errors.New(tenantIDValidationErr)
} }
@ -66,10 +82,18 @@ func getPublicClient(clientID, tenantID string, co *azcore.ClientOptions) (publi
if err != nil { if err != nil {
return public.Client{}, err return public.Client{}, err
} }
return public.New(clientID, o := []public.Option{
public.WithAuthority(runtime.JoinPaths(authorityHost, tenantID)), public.WithAuthority(runtime.JoinPaths(authorityHost, tenantID)),
public.WithHTTPClient(newPipelineAdapter(co)), public.WithHTTPClient(newPipelineAdapter(co)),
) }
if !disableCP1 {
o = append(o, public.WithClientCapabilities(cp1))
}
o = append(o, additionalOpts...)
if strings.ToLower(tenantID) == "adfs" {
o = append(o, public.WithInstanceDiscovery(false))
}
return public.New(clientID, o...)
} }
// setAuthorityHost initializes the authority host for credentials. Precedence is: // setAuthorityHost initializes the authority host for credentials. Precedence is:
@ -153,6 +177,7 @@ type confidentialClient interface {
AcquireTokenSilent(ctx context.Context, scopes []string, options ...confidential.AcquireSilentOption) (confidential.AuthResult, error) AcquireTokenSilent(ctx context.Context, scopes []string, options ...confidential.AcquireSilentOption) (confidential.AuthResult, error)
AcquireTokenByAuthCode(ctx context.Context, code string, redirectURI string, scopes []string, options ...confidential.AcquireByAuthCodeOption) (confidential.AuthResult, error) AcquireTokenByAuthCode(ctx context.Context, code string, redirectURI string, scopes []string, options ...confidential.AcquireByAuthCodeOption) (confidential.AuthResult, error)
AcquireTokenByCredential(ctx context.Context, scopes []string, options ...confidential.AcquireByCredentialOption) (confidential.AuthResult, error) AcquireTokenByCredential(ctx context.Context, scopes []string, options ...confidential.AcquireByCredentialOption) (confidential.AuthResult, error)
AcquireTokenOnBehalfOf(ctx context.Context, userAssertion string, scopes []string, options ...confidential.AcquireOnBehalfOfOption) (confidential.AuthResult, error)
} }
// enables fakes for test scenarios // enables fakes for test scenarios

View file

@ -23,13 +23,20 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
) )
const credNameAzureCLI = "AzureCLICredential" const (
credNameAzureCLI = "AzureCLICredential"
timeoutCLIRequest = 10 * time.Second
)
// used by tests to fake invoking the CLI // used by tests to fake invoking the CLI
type azureCLITokenProvider func(ctx context.Context, resource string, tenantID string) ([]byte, error) type azureCLITokenProvider func(ctx context.Context, resource string, tenantID string) ([]byte, error)
// AzureCLICredentialOptions contains optional parameters for AzureCLICredential. // AzureCLICredentialOptions contains optional parameters for AzureCLICredential.
type AzureCLICredentialOptions struct { type AzureCLICredentialOptions struct {
// AdditionallyAllowedTenants specifies tenants for which the credential may acquire tokens, in addition
// to TenantID. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the
// logged in account can access.
AdditionallyAllowedTenants []string
// TenantID identifies the tenant the credential should authenticate in. // TenantID identifies the tenant the credential should authenticate in.
// Defaults to the CLI's default tenant, which is typically the home tenant of the logged in user. // Defaults to the CLI's default tenant, which is typically the home tenant of the logged in user.
TenantID string TenantID string
@ -46,8 +53,8 @@ func (o *AzureCLICredentialOptions) init() {
// AzureCLICredential authenticates as the identity logged in to the Azure CLI. // AzureCLICredential authenticates as the identity logged in to the Azure CLI.
type AzureCLICredential struct { type AzureCLICredential struct {
s *syncer
tokenProvider azureCLITokenProvider tokenProvider azureCLITokenProvider
tenantID string
} }
// NewAzureCLICredential constructs an AzureCLICredential. Pass nil to accept default options. // NewAzureCLICredential constructs an AzureCLICredential. Pass nil to accept default options.
@ -57,10 +64,9 @@ func NewAzureCLICredential(options *AzureCLICredentialOptions) (*AzureCLICredent
cp = *options cp = *options
} }
cp.init() cp.init()
return &AzureCLICredential{ c := AzureCLICredential{tokenProvider: cp.tokenProvider}
tokenProvider: cp.tokenProvider, c.s = newSyncer(credNameAzureCLI, cp.TenantID, cp.AdditionallyAllowedTenants, c.requestToken, c.requestToken)
tenantID: cp.TenantID, return &c, nil
}, nil
} }
// GetToken requests a token from the Azure CLI. This credential doesn't cache tokens, so every call invokes the CLI. // GetToken requests a token from the Azure CLI. This credential doesn't cache tokens, so every call invokes the CLI.
@ -70,26 +76,22 @@ func (c *AzureCLICredential) GetToken(ctx context.Context, opts policy.TokenRequ
return azcore.AccessToken{}, errors.New(credNameAzureCLI + ": GetToken() requires exactly one scope") return azcore.AccessToken{}, errors.New(credNameAzureCLI + ": GetToken() requires exactly one scope")
} }
// CLI expects an AAD v1 resource, not a v2 scope // CLI expects an AAD v1 resource, not a v2 scope
scope := strings.TrimSuffix(opts.Scopes[0], defaultSuffix) opts.Scopes = []string{strings.TrimSuffix(opts.Scopes[0], defaultSuffix)}
at, err := c.authenticate(ctx, scope) return c.s.GetToken(ctx, opts)
}
func (c *AzureCLICredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
b, err := c.tokenProvider(ctx, opts.Scopes[0], opts.TenantID)
if err != nil {
return azcore.AccessToken{}, err
}
at, err := c.createAccessToken(b)
if err != nil { if err != nil {
return azcore.AccessToken{}, err return azcore.AccessToken{}, err
} }
logGetTokenSuccess(c, opts)
return at, nil return at, nil
} }
const timeoutCLIRequest = 10 * time.Second
func (c *AzureCLICredential) authenticate(ctx context.Context, resource string) (azcore.AccessToken, error) {
output, err := c.tokenProvider(ctx, resource, c.tenantID)
if err != nil {
return azcore.AccessToken{}, err
}
return c.createAccessToken(output)
}
func defaultTokenProvider() func(ctx context.Context, resource string, tenantID string) ([]byte, error) { func defaultTokenProvider() func(ctx context.Context, resource string, tenantID string) ([]byte, error) {
return func(ctx context.Context, resource string, tenantID string) ([]byte, error) { return func(ctx context.Context, resource string, tenantID string) ([]byte, error) {
match, err := regexp.MatchString("^[0-9a-zA-Z-.:/]+$", resource) match, err := regexp.MatchString("^[0-9a-zA-Z-.:/]+$", resource)
@ -100,8 +102,12 @@ func defaultTokenProvider() func(ctx context.Context, resource string, tenantID
return nil, fmt.Errorf(`%s: unexpected scope "%s". Only alphanumeric characters and ".", ";", "-", and "/" are allowed`, credNameAzureCLI, resource) return nil, fmt.Errorf(`%s: unexpected scope "%s". Only alphanumeric characters and ".", ";", "-", and "/" are allowed`, credNameAzureCLI, resource)
} }
ctx, cancel := context.WithTimeout(ctx, timeoutCLIRequest) // set a default timeout for this authentication iff the application hasn't done so already
var cancel context.CancelFunc
if _, hasDeadline := ctx.Deadline(); !hasDeadline {
ctx, cancel = context.WithTimeout(ctx, timeoutCLIRequest)
defer cancel() defer cancel()
}
commandLine := "az account get-access-token -o json --resource " + resource commandLine := "az account get-access-token -o json --resource " + resource
if tenantID != "" { if tenantID != "" {
@ -158,32 +164,17 @@ func (c *AzureCLICredential) createAccessToken(tk []byte) (azcore.AccessToken, e
return azcore.AccessToken{}, err return azcore.AccessToken{}, err
} }
tokenExpirationDate, err := parseExpirationDate(t.ExpiresOn) // the Azure CLI's "expiresOn" is local time
exp, err := time.ParseInLocation("2006-01-02 15:04:05.999999", t.ExpiresOn, time.Local)
if err != nil { if err != nil {
return azcore.AccessToken{}, fmt.Errorf("Error parsing Token Expiration Date %q: %+v", t.ExpiresOn, err) return azcore.AccessToken{}, fmt.Errorf("Error parsing token expiration time %q: %v", t.ExpiresOn, err)
} }
converted := azcore.AccessToken{ converted := azcore.AccessToken{
Token: t.AccessToken, Token: t.AccessToken,
ExpiresOn: *tokenExpirationDate, ExpiresOn: exp.UTC(),
} }
return converted, nil return converted, nil
} }
// parseExpirationDate parses either a Azure CLI or CloudShell date into a time object
func parseExpirationDate(input string) (*time.Time, error) {
// CloudShell (and potentially the Azure CLI in future)
expirationDate, cloudShellErr := time.Parse(time.RFC3339, input)
if cloudShellErr != nil {
// Azure CLI (Python) e.g. 2017-08-31 19:48:57.998857 (plus the local timezone)
const cliFormat = "2006-01-02 15:04:05.999999"
expirationDate, cliErr := time.ParseInLocation(cliFormat, input, time.Local)
if cliErr != nil {
return nil, fmt.Errorf("Error parsing expiration date %q.\n\nCloudShell Error: \n%+v\n\nCLI Error:\n%+v", input, cloudShellErr, cliErr)
}
return &expirationDate, nil
}
return &expirationDate, nil
}
var _ azcore.TokenCredential = (*AzureCLICredential)(nil) var _ azcore.TokenCredential = (*AzureCLICredential)(nil)

View file

@ -81,10 +81,13 @@ func (c *ChainedTokenCredential) GetToken(ctx context.Context, opts policy.Token
} }
} }
var err error var (
var errs []error err error
var token azcore.AccessToken errs []error
var successfulCredential azcore.TokenCredential successfulCredential azcore.TokenCredential
token azcore.AccessToken
unavailableErr *credentialUnavailableError
)
for _, cred := range c.sources { for _, cred := range c.sources {
token, err = cred.GetToken(ctx, opts) token, err = cred.GetToken(ctx, opts)
if err == nil { if err == nil {
@ -93,12 +96,14 @@ func (c *ChainedTokenCredential) GetToken(ctx context.Context, opts policy.Token
break break
} }
errs = append(errs, err) errs = append(errs, err)
if _, ok := err.(*credentialUnavailableError); !ok { // continue to the next source iff this one returned credentialUnavailableError
if !errors.As(err, &unavailableErr) {
break break
} }
} }
if c.iterating { if c.iterating {
c.cond.L.Lock() c.cond.L.Lock()
// this is nil when all credentials returned an error
c.successfulCredential = successfulCredential c.successfulCredential = successfulCredential
c.iterating = false c.iterating = false
c.cond.L.Unlock() c.cond.L.Unlock()
@ -108,11 +113,11 @@ func (c *ChainedTokenCredential) GetToken(ctx context.Context, opts policy.Token
if err != nil { if err != nil {
// return credentialUnavailableError iff all sources did so; return AuthenticationFailedError otherwise // return credentialUnavailableError iff all sources did so; return AuthenticationFailedError otherwise
msg := createChainedErrorMessage(errs) msg := createChainedErrorMessage(errs)
if _, ok := err.(*credentialUnavailableError); ok { if errors.As(err, &unavailableErr) {
err = newCredentialUnavailableError(c.name, msg) err = newCredentialUnavailableError(c.name, msg)
} else { } else {
res := getResponseFromError(err) res := getResponseFromError(err)
err = newAuthenticationFailedError(c.name, msg, res) err = newAuthenticationFailedError(c.name, msg, res, err)
} }
} }
return token, err return token, err

View file

@ -18,18 +18,29 @@ import (
const credNameAssertion = "ClientAssertionCredential" const credNameAssertion = "ClientAssertionCredential"
// ClientAssertionCredential authenticates an application with assertions provided by a callback function. // ClientAssertionCredential authenticates an application with assertions provided by a callback function.
// This credential is for advanced scenarios. ClientCertificateCredential has a more convenient API for // This credential is for advanced scenarios. [ClientCertificateCredential] has a more convenient API for
// the most common assertion scenario, authenticating a service principal with a certificate. See // the most common assertion scenario, authenticating a service principal with a certificate. See
// [Azure AD documentation] for details of the assertion format. // [Azure AD documentation] for details of the assertion format.
// //
// [Azure AD documentation]: https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials#assertion-format // [Azure AD documentation]: https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials#assertion-format
type ClientAssertionCredential struct { type ClientAssertionCredential struct {
client confidentialClient client confidentialClient
s *syncer
} }
// ClientAssertionCredentialOptions contains optional parameters for ClientAssertionCredential. // ClientAssertionCredentialOptions contains optional parameters for ClientAssertionCredential.
type ClientAssertionCredentialOptions struct { type ClientAssertionCredentialOptions struct {
azcore.ClientOptions azcore.ClientOptions
// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens.
// Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the
// application is registered.
AdditionallyAllowedTenants []string
// DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
// private clouds such as Azure Stack. It determines whether the credential requests Azure AD instance metadata
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
// the application responsible for ensuring the configured authority is valid and trustworthy.
DisableInstanceDiscovery bool
} }
// NewClientAssertionCredential constructs a ClientAssertionCredential. The getAssertion function must be thread safe. Pass nil for options to accept defaults. // NewClientAssertionCredential constructs a ClientAssertionCredential. The getAssertion function must be thread safe. Pass nil for options to accept defaults.
@ -45,29 +56,27 @@ func NewClientAssertionCredential(tenantID, clientID string, getAssertion func(c
return getAssertion(ctx) return getAssertion(ctx)
}, },
) )
c, err := getConfidentialClient(clientID, tenantID, cred, &options.ClientOptions) c, err := getConfidentialClient(clientID, tenantID, cred, &options.ClientOptions, confidential.WithInstanceDiscovery(!options.DisableInstanceDiscovery))
if err != nil { if err != nil {
return nil, err return nil, err
} }
return &ClientAssertionCredential{client: c}, nil cac := ClientAssertionCredential{client: c}
cac.s = newSyncer(credNameAssertion, tenantID, options.AdditionallyAllowedTenants, cac.requestToken, cac.silentAuth)
return &cac, nil
} }
// GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients. // GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
func (c *ClientAssertionCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) { func (c *ClientAssertionCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
if len(opts.Scopes) == 0 { return c.s.GetToken(ctx, opts)
return azcore.AccessToken{}, errors.New(credNameAssertion + ": GetToken() requires at least one scope")
} }
ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes)
if err == nil { func (c *ClientAssertionCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
logGetTokenSuccess(c, opts) ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
} }
ar, err = c.client.AcquireTokenByCredential(ctx, opts.Scopes) func (c *ClientAssertionCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
if err != nil { ar, err := c.client.AcquireTokenByCredential(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
return azcore.AccessToken{}, newAuthenticationFailedErrorFromMSALError(credNameAssertion, err)
}
logGetTokenSuccess(c, opts)
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
} }

View file

@ -25,6 +25,15 @@ const credNameCert = "ClientCertificateCredential"
type ClientCertificateCredentialOptions struct { type ClientCertificateCredentialOptions struct {
azcore.ClientOptions azcore.ClientOptions
// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens.
// Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the
// application is registered.
AdditionallyAllowedTenants []string
// DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
// private clouds such as Azure Stack. It determines whether the credential requests Azure AD instance metadata
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
// the application responsible for ensuring the configured authority is valid and trustworthy.
DisableInstanceDiscovery bool
// SendCertificateChain controls whether the credential sends the public certificate chain in the x5c // SendCertificateChain controls whether the credential sends the public certificate chain in the x5c
// header of each token request's JWT. This is required for Subject Name/Issuer (SNI) authentication. // header of each token request's JWT. This is required for Subject Name/Issuer (SNI) authentication.
// Defaults to False. // Defaults to False.
@ -34,6 +43,7 @@ type ClientCertificateCredentialOptions struct {
// ClientCertificateCredential authenticates a service principal with a certificate. // ClientCertificateCredential authenticates a service principal with a certificate.
type ClientCertificateCredential struct { type ClientCertificateCredential struct {
client confidentialClient client confidentialClient
s *syncer
} }
// NewClientCertificateCredential constructs a ClientCertificateCredential. Pass nil for options to accept defaults. // NewClientCertificateCredential constructs a ClientCertificateCredential. Pass nil for options to accept defaults.
@ -44,7 +54,7 @@ func NewClientCertificateCredential(tenantID string, clientID string, certs []*x
if options == nil { if options == nil {
options = &ClientCertificateCredentialOptions{} options = &ClientCertificateCredentialOptions{}
} }
cred, err := confidential.NewCredFromCertChain(certs, key) cred, err := confidential.NewCredFromCert(certs, key)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -52,29 +62,28 @@ func NewClientCertificateCredential(tenantID string, clientID string, certs []*x
if options.SendCertificateChain { if options.SendCertificateChain {
o = append(o, confidential.WithX5C()) o = append(o, confidential.WithX5C())
} }
o = append(o, confidential.WithInstanceDiscovery(!options.DisableInstanceDiscovery))
c, err := getConfidentialClient(clientID, tenantID, cred, &options.ClientOptions, o...) c, err := getConfidentialClient(clientID, tenantID, cred, &options.ClientOptions, o...)
if err != nil { if err != nil {
return nil, err return nil, err
} }
return &ClientCertificateCredential{client: c}, nil cc := ClientCertificateCredential{client: c}
cc.s = newSyncer(credNameCert, tenantID, options.AdditionallyAllowedTenants, cc.requestToken, cc.silentAuth)
return &cc, nil
} }
// GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients. // GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
func (c *ClientCertificateCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) { func (c *ClientCertificateCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
if len(opts.Scopes) == 0 { return c.s.GetToken(ctx, opts)
return azcore.AccessToken{}, errors.New(credNameCert + ": GetToken() requires at least one scope")
} }
ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes)
if err == nil { func (c *ClientCertificateCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
logGetTokenSuccess(c, opts) ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
} }
ar, err = c.client.AcquireTokenByCredential(ctx, opts.Scopes) func (c *ClientCertificateCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
if err != nil { ar, err := c.client.AcquireTokenByCredential(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
return azcore.AccessToken{}, newAuthenticationFailedErrorFromMSALError(credNameCert, err)
}
logGetTokenSuccess(c, opts)
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
} }

View file

@ -8,7 +8,6 @@ package azidentity
import ( import (
"context" "context"
"errors"
"github.com/Azure/azure-sdk-for-go/sdk/azcore" "github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
@ -20,11 +19,22 @@ const credNameSecret = "ClientSecretCredential"
// ClientSecretCredentialOptions contains optional parameters for ClientSecretCredential. // ClientSecretCredentialOptions contains optional parameters for ClientSecretCredential.
type ClientSecretCredentialOptions struct { type ClientSecretCredentialOptions struct {
azcore.ClientOptions azcore.ClientOptions
// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens.
// Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the
// application is registered.
AdditionallyAllowedTenants []string
// DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
// private clouds such as Azure Stack. It determines whether the credential requests Azure AD instance metadata
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
// the application responsible for ensuring the configured authority is valid and trustworthy.
DisableInstanceDiscovery bool
} }
// ClientSecretCredential authenticates an application with a client secret. // ClientSecretCredential authenticates an application with a client secret.
type ClientSecretCredential struct { type ClientSecretCredential struct {
client confidentialClient client confidentialClient
s *syncer
} }
// NewClientSecretCredential constructs a ClientSecretCredential. Pass nil for options to accept defaults. // NewClientSecretCredential constructs a ClientSecretCredential. Pass nil for options to accept defaults.
@ -36,29 +46,29 @@ func NewClientSecretCredential(tenantID string, clientID string, clientSecret st
if err != nil { if err != nil {
return nil, err return nil, err
} }
c, err := getConfidentialClient(clientID, tenantID, cred, &options.ClientOptions) c, err := getConfidentialClient(
clientID, tenantID, cred, &options.ClientOptions, confidential.WithInstanceDiscovery(!options.DisableInstanceDiscovery),
)
if err != nil { if err != nil {
return nil, err return nil, err
} }
return &ClientSecretCredential{client: c}, nil csc := ClientSecretCredential{client: c}
csc.s = newSyncer(credNameSecret, tenantID, options.AdditionallyAllowedTenants, csc.requestToken, csc.silentAuth)
return &csc, nil
} }
// GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients. // GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
func (c *ClientSecretCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) { func (c *ClientSecretCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
if len(opts.Scopes) == 0 { return c.s.GetToken(ctx, opts)
return azcore.AccessToken{}, errors.New(credNameSecret + ": GetToken() requires at least one scope")
} }
ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes)
if err == nil { func (c *ClientSecretCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
logGetTokenSuccess(c, opts) ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
} }
ar, err = c.client.AcquireTokenByCredential(ctx, opts.Scopes) func (c *ClientSecretCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
if err != nil { ar, err := c.client.AcquireTokenByCredential(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
return azcore.AccessToken{}, newAuthenticationFailedErrorFromMSALError(credNameSecret, err)
}
logGetTokenSuccess(c, opts)
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
} }

View file

@ -23,6 +23,15 @@ import (
type DefaultAzureCredentialOptions struct { type DefaultAzureCredentialOptions struct {
azcore.ClientOptions azcore.ClientOptions
// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens. Add
// the wildcard value "*" to allow the credential to acquire tokens for any tenant. This value can also be
// set as a semicolon delimited list of tenants in the environment variable AZURE_ADDITIONALLY_ALLOWED_TENANTS.
AdditionallyAllowedTenants []string
// DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
// private clouds such as Azure Stack. It determines whether the credential requests Azure AD instance metadata
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
// the application responsible for ensuring the configured authority is valid and trustworthy.
DisableInstanceDiscovery bool
// TenantID identifies the tenant the Azure CLI should authenticate in. // TenantID identifies the tenant the Azure CLI should authenticate in.
// Defaults to the CLI's default tenant, which is typically the home tenant of the user logged in to the CLI. // Defaults to the CLI's default tenant, which is typically the home tenant of the user logged in to the CLI.
TenantID string TenantID string
@ -30,11 +39,15 @@ type DefaultAzureCredentialOptions struct {
// DefaultAzureCredential is a default credential chain for applications that will deploy to Azure. // DefaultAzureCredential is a default credential chain for applications that will deploy to Azure.
// It combines credentials suitable for deployment with credentials suitable for local development. // It combines credentials suitable for deployment with credentials suitable for local development.
// It attempts to authenticate with each of these credential types, in the following order, stopping when one provides a token: // It attempts to authenticate with each of these credential types, in the following order, stopping
// when one provides a token:
// //
// EnvironmentCredential // - [EnvironmentCredential]
// ManagedIdentityCredential // - [WorkloadIdentityCredential], if environment variable configuration is set by the Azure workload
// AzureCLICredential // identity webhook. Use [WorkloadIdentityCredential] directly when not using the webhook or needing
// more control over its configuration.
// - [ManagedIdentityCredential]
// - [AzureCLICredential]
// //
// Consult the documentation for these credential types for more information on how they authenticate. // Consult the documentation for these credential types for more information on how they authenticate.
// Once a credential has successfully authenticated, DefaultAzureCredential will use that credential for // Once a credential has successfully authenticated, DefaultAzureCredential will use that credential for
@ -51,8 +64,18 @@ func NewDefaultAzureCredential(options *DefaultAzureCredentialOptions) (*Default
if options == nil { if options == nil {
options = &DefaultAzureCredentialOptions{} options = &DefaultAzureCredentialOptions{}
} }
additionalTenants := options.AdditionallyAllowedTenants
if len(additionalTenants) == 0 {
if tenants := os.Getenv(azureAdditionallyAllowedTenants); tenants != "" {
additionalTenants = strings.Split(tenants, ";")
}
}
envCred, err := NewEnvironmentCredential(&EnvironmentCredentialOptions{ClientOptions: options.ClientOptions}) envCred, err := NewEnvironmentCredential(&EnvironmentCredentialOptions{
ClientOptions: options.ClientOptions,
DisableInstanceDiscovery: options.DisableInstanceDiscovery,
additionallyAllowedTenants: additionalTenants,
})
if err == nil { if err == nil {
creds = append(creds, envCred) creds = append(creds, envCred)
} else { } else {
@ -60,20 +83,31 @@ func NewDefaultAzureCredential(options *DefaultAzureCredentialOptions) (*Default
creds = append(creds, &defaultCredentialErrorReporter{credType: "EnvironmentCredential", err: err}) creds = append(creds, &defaultCredentialErrorReporter{credType: "EnvironmentCredential", err: err})
} }
// workload identity requires values for AZURE_AUTHORITY_HOST, AZURE_CLIENT_ID, AZURE_FEDERATED_TOKEN_FILE, AZURE_TENANT_ID
wic, err := NewWorkloadIdentityCredential(&WorkloadIdentityCredentialOptions{
AdditionallyAllowedTenants: additionalTenants,
ClientOptions: options.ClientOptions,
DisableInstanceDiscovery: options.DisableInstanceDiscovery,
})
if err == nil {
creds = append(creds, wic)
} else {
errorMessages = append(errorMessages, credNameWorkloadIdentity+": "+err.Error())
creds = append(creds, &defaultCredentialErrorReporter{credType: credNameWorkloadIdentity, err: err})
}
o := &ManagedIdentityCredentialOptions{ClientOptions: options.ClientOptions} o := &ManagedIdentityCredentialOptions{ClientOptions: options.ClientOptions}
if ID, ok := os.LookupEnv(azureClientID); ok { if ID, ok := os.LookupEnv(azureClientID); ok {
o.ID = ClientID(ID) o.ID = ClientID(ID)
} }
msiCred, err := NewManagedIdentityCredential(o) miCred, err := NewManagedIdentityCredential(o)
if err == nil { if err == nil {
creds = append(creds, msiCred) creds = append(creds, &timeoutWrapper{mic: miCred, timeout: time.Second})
msiCred.mic.imdsTimeout = time.Second
} else { } else {
errorMessages = append(errorMessages, credNameManagedIdentity+": "+err.Error()) errorMessages = append(errorMessages, credNameManagedIdentity+": "+err.Error())
creds = append(creds, &defaultCredentialErrorReporter{credType: credNameManagedIdentity, err: err}) creds = append(creds, &defaultCredentialErrorReporter{credType: credNameManagedIdentity, err: err})
} }
cliCred, err := NewAzureCLICredential(&AzureCLICredentialOptions{TenantID: options.TenantID}) cliCred, err := NewAzureCLICredential(&AzureCLICredentialOptions{AdditionallyAllowedTenants: additionalTenants, TenantID: options.TenantID})
if err == nil { if err == nil {
creds = append(creds, cliCred) creds = append(creds, cliCred)
} else { } else {
@ -132,3 +166,44 @@ func (d *defaultCredentialErrorReporter) GetToken(ctx context.Context, opts poli
} }
var _ azcore.TokenCredential = (*defaultCredentialErrorReporter)(nil) var _ azcore.TokenCredential = (*defaultCredentialErrorReporter)(nil)
// timeoutWrapper prevents a potentially very long timeout when managed identity isn't available
type timeoutWrapper struct {
mic *ManagedIdentityCredential
// timeout applies to all auth attempts until one doesn't time out
timeout time.Duration
}
// GetToken wraps DefaultAzureCredential's initial managed identity auth attempt with a short timeout
// because managed identity may not be available and connecting to IMDS can take several minutes to time out.
func (w *timeoutWrapper) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
var tk azcore.AccessToken
var err error
// no need to synchronize around this value because it's written only within ChainedTokenCredential's critical section
if w.timeout > 0 {
c, cancel := context.WithTimeout(ctx, w.timeout)
defer cancel()
tk, err = w.mic.GetToken(c, opts)
if isAuthFailedDueToContext(err) {
err = newCredentialUnavailableError(credNameManagedIdentity, "managed identity timed out")
} else {
// some managed identity implementation is available, so don't apply the timeout to future calls
w.timeout = 0
}
} else {
tk, err = w.mic.GetToken(ctx, opts)
}
return tk, err
}
// unwraps nested AuthenticationFailedErrors to get the root error
func isAuthFailedDueToContext(err error) bool {
for {
var authFailedErr *AuthenticationFailedError
if !errors.As(err, &authFailedErr) {
break
}
err = authFailedErr.err
}
return errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded)
}

View file

@ -8,7 +8,6 @@ package azidentity
import ( import (
"context" "context"
"errors"
"fmt" "fmt"
"github.com/Azure/azure-sdk-for-go/sdk/azcore" "github.com/Azure/azure-sdk-for-go/sdk/azcore"
@ -22,13 +21,22 @@ const credNameDeviceCode = "DeviceCodeCredential"
type DeviceCodeCredentialOptions struct { type DeviceCodeCredentialOptions struct {
azcore.ClientOptions azcore.ClientOptions
// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire
// tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant.
AdditionallyAllowedTenants []string
// ClientID is the ID of the application users will authenticate to.
// Defaults to the ID of an Azure development application.
ClientID string
// DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
// private clouds such as Azure Stack. It determines whether the credential requests Azure AD instance metadata
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
// the application responsible for ensuring the configured authority is valid and trustworthy.
DisableInstanceDiscovery bool
// TenantID is the Azure Active Directory tenant the credential authenticates in. Defaults to the // TenantID is the Azure Active Directory tenant the credential authenticates in. Defaults to the
// "organizations" tenant, which can authenticate work and school accounts. Required for single-tenant // "organizations" tenant, which can authenticate work and school accounts. Required for single-tenant
// applications. // applications.
TenantID string TenantID string
// ClientID is the ID of the application users will authenticate to.
// Defaults to the ID of an Azure development application.
ClientID string
// UserPrompt controls how the credential presents authentication instructions. The credential calls // UserPrompt controls how the credential presents authentication instructions. The credential calls
// this function with authentication details when it receives a device code. By default, the credential // this function with authentication details when it receives a device code. By default, the credential
// prints these details to stdout. // prints these details to stdout.
@ -66,9 +74,10 @@ type DeviceCodeMessage struct {
// If a web browser is available, InteractiveBrowserCredential is more convenient because it // If a web browser is available, InteractiveBrowserCredential is more convenient because it
// automatically opens a browser to the login page. // automatically opens a browser to the login page.
type DeviceCodeCredential struct { type DeviceCodeCredential struct {
client publicClient
userPrompt func(context.Context, DeviceCodeMessage) error
account public.Account account public.Account
client publicClient
s *syncer
prompt func(context.Context, DeviceCodeMessage) error
} }
// NewDeviceCodeCredential creates a DeviceCodeCredential. Pass nil to accept default options. // NewDeviceCodeCredential creates a DeviceCodeCredential. Pass nil to accept default options.
@ -78,41 +87,49 @@ func NewDeviceCodeCredential(options *DeviceCodeCredentialOptions) (*DeviceCodeC
cp = *options cp = *options
} }
cp.init() cp.init()
c, err := getPublicClient(cp.ClientID, cp.TenantID, &cp.ClientOptions) c, err := getPublicClient(
cp.ClientID, cp.TenantID, &cp.ClientOptions, public.WithInstanceDiscovery(!cp.DisableInstanceDiscovery),
)
if err != nil { if err != nil {
return nil, err return nil, err
} }
return &DeviceCodeCredential{userPrompt: cp.UserPrompt, client: c}, nil cred := DeviceCodeCredential{client: c, prompt: cp.UserPrompt}
cred.s = newSyncer(credNameDeviceCode, cp.TenantID, cp.AdditionallyAllowedTenants, cred.requestToken, cred.silentAuth)
return &cred, nil
} }
// GetToken requests an access token from Azure Active Directory. It will begin the device code flow and poll until the user completes authentication. // GetToken requests an access token from Azure Active Directory. It will begin the device code flow and poll until the user completes authentication.
// This method is called automatically by Azure SDK clients. // This method is called automatically by Azure SDK clients.
func (c *DeviceCodeCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) { func (c *DeviceCodeCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
if len(opts.Scopes) == 0 { return c.s.GetToken(ctx, opts)
return azcore.AccessToken{}, errors.New(credNameDeviceCode + ": GetToken() requires at least one scope")
} }
ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes, public.WithSilentAccount(c.account))
if err == nil { func (c *DeviceCodeCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err dc, err := c.client.AcquireTokenByDeviceCode(ctx, opts.Scopes, public.WithTenantID(opts.TenantID))
}
dc, err := c.client.AcquireTokenByDeviceCode(ctx, opts.Scopes)
if err != nil { if err != nil {
return azcore.AccessToken{}, newAuthenticationFailedErrorFromMSALError(credNameDeviceCode, err) return azcore.AccessToken{}, err
} }
err = c.userPrompt(ctx, DeviceCodeMessage{ err = c.prompt(ctx, DeviceCodeMessage{
Message: dc.Result.Message,
UserCode: dc.Result.UserCode, UserCode: dc.Result.UserCode,
VerificationURL: dc.Result.VerificationURL, VerificationURL: dc.Result.VerificationURL,
Message: dc.Result.Message,
}) })
if err != nil { if err != nil {
return azcore.AccessToken{}, err return azcore.AccessToken{}, err
} }
ar, err = dc.AuthenticationResult(ctx) ar, err := dc.AuthenticationResult(ctx)
if err != nil { if err != nil {
return azcore.AccessToken{}, newAuthenticationFailedErrorFromMSALError(credNameDeviceCode, err) return azcore.AccessToken{}, err
} }
c.account = ar.Account c.account = ar.Account
logGetTokenSuccess(c, opts) return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
}
func (c *DeviceCodeCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes,
public.WithSilentAccount(c.account),
public.WithTenantID(opts.TenantID),
)
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
} }

View file

@ -23,6 +23,17 @@ const envVarSendCertChain = "AZURE_CLIENT_SEND_CERTIFICATE_CHAIN"
// EnvironmentCredentialOptions contains optional parameters for EnvironmentCredential // EnvironmentCredentialOptions contains optional parameters for EnvironmentCredential
type EnvironmentCredentialOptions struct { type EnvironmentCredentialOptions struct {
azcore.ClientOptions azcore.ClientOptions
// DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
// private clouds such as Azure Stack. It determines whether the credential requests Azure AD instance metadata
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
// the application responsible for ensuring the configured authority is valid and trustworthy.
DisableInstanceDiscovery bool
// additionallyAllowedTenants is used only by NewDefaultAzureCredential() to enable that constructor's explicit
// option to override the value of AZURE_ADDITIONALLY_ALLOWED_TENANTS. Applications using EnvironmentCredential
// directly should set that variable instead. This field should remain unexported to preserve this credential's
// unambiguous "all configuration from environment variables" design.
additionallyAllowedTenants []string
} }
// EnvironmentCredential authenticates a service principal with a secret or certificate, or a user with a password, depending // EnvironmentCredential authenticates a service principal with a secret or certificate, or a user with a password, depending
@ -55,6 +66,12 @@ type EnvironmentCredentialOptions struct {
// AZURE_USERNAME: a username (usually an email address) // AZURE_USERNAME: a username (usually an email address)
// //
// AZURE_PASSWORD: the user's password // AZURE_PASSWORD: the user's password
//
// # Configuration for multitenant applications
//
// To enable multitenant authentication, set AZURE_ADDITIONALLY_ALLOWED_TENANTS with a semicolon delimited list of tenants
// the credential may request tokens from in addition to the tenant specified by AZURE_TENANT_ID. Set
// AZURE_ADDITIONALLY_ALLOWED_TENANTS to "*" to enable the credential to request a token from any tenant.
type EnvironmentCredential struct { type EnvironmentCredential struct {
cred azcore.TokenCredential cred azcore.TokenCredential
} }
@ -72,9 +89,20 @@ func NewEnvironmentCredential(options *EnvironmentCredentialOptions) (*Environme
if clientID == "" { if clientID == "" {
return nil, errors.New("missing environment variable " + azureClientID) return nil, errors.New("missing environment variable " + azureClientID)
} }
// tenants set by NewDefaultAzureCredential() override the value of AZURE_ADDITIONALLY_ALLOWED_TENANTS
additionalTenants := options.additionallyAllowedTenants
if len(additionalTenants) == 0 {
if tenants := os.Getenv(azureAdditionallyAllowedTenants); tenants != "" {
additionalTenants = strings.Split(tenants, ";")
}
}
if clientSecret := os.Getenv(azureClientSecret); clientSecret != "" { if clientSecret := os.Getenv(azureClientSecret); clientSecret != "" {
log.Write(EventAuthentication, "EnvironmentCredential will authenticate with ClientSecretCredential") log.Write(EventAuthentication, "EnvironmentCredential will authenticate with ClientSecretCredential")
o := &ClientSecretCredentialOptions{ClientOptions: options.ClientOptions} o := &ClientSecretCredentialOptions{
AdditionallyAllowedTenants: additionalTenants,
ClientOptions: options.ClientOptions,
DisableInstanceDiscovery: options.DisableInstanceDiscovery,
}
cred, err := NewClientSecretCredential(tenantID, clientID, clientSecret, o) cred, err := NewClientSecretCredential(tenantID, clientID, clientSecret, o)
if err != nil { if err != nil {
return nil, err return nil, err
@ -95,7 +123,11 @@ func NewEnvironmentCredential(options *EnvironmentCredentialOptions) (*Environme
if err != nil { if err != nil {
return nil, fmt.Errorf(`failed to load certificate from "%s": %v`, certPath, err) return nil, fmt.Errorf(`failed to load certificate from "%s": %v`, certPath, err)
} }
o := &ClientCertificateCredentialOptions{ClientOptions: options.ClientOptions} o := &ClientCertificateCredentialOptions{
AdditionallyAllowedTenants: additionalTenants,
ClientOptions: options.ClientOptions,
DisableInstanceDiscovery: options.DisableInstanceDiscovery,
}
if v, ok := os.LookupEnv(envVarSendCertChain); ok { if v, ok := os.LookupEnv(envVarSendCertChain); ok {
o.SendCertificateChain = v == "1" || strings.ToLower(v) == "true" o.SendCertificateChain = v == "1" || strings.ToLower(v) == "true"
} }
@ -108,7 +140,11 @@ func NewEnvironmentCredential(options *EnvironmentCredentialOptions) (*Environme
if username := os.Getenv(azureUsername); username != "" { if username := os.Getenv(azureUsername); username != "" {
if password := os.Getenv(azurePassword); password != "" { if password := os.Getenv(azurePassword); password != "" {
log.Write(EventAuthentication, "EnvironmentCredential will authenticate with UsernamePasswordCredential") log.Write(EventAuthentication, "EnvironmentCredential will authenticate with UsernamePasswordCredential")
o := &UsernamePasswordCredentialOptions{ClientOptions: options.ClientOptions} o := &UsernamePasswordCredentialOptions{
AdditionallyAllowedTenants: additionalTenants,
ClientOptions: options.ClientOptions,
DisableInstanceDiscovery: options.DisableInstanceDiscovery,
}
cred, err := NewUsernamePasswordCredential(tenantID, clientID, username, password, o) cred, err := NewUsernamePasswordCredential(tenantID, clientID, username, password, o)
if err != nil { if err != nil {
return nil, err return nil, err

View file

@ -39,15 +39,11 @@ type AuthenticationFailedError struct {
credType string credType string
message string message string
err error
} }
func newAuthenticationFailedError(credType string, message string, resp *http.Response) error { func newAuthenticationFailedError(credType string, message string, resp *http.Response, err error) error {
return &AuthenticationFailedError{credType: credType, message: message, RawResponse: resp} return &AuthenticationFailedError{credType: credType, message: message, RawResponse: resp, err: err}
}
func newAuthenticationFailedErrorFromMSALError(credType string, err error) error {
res := getResponseFromError(err)
return newAuthenticationFailedError(credType, err.Error(), res)
} }
// Error implements the error interface. Note that the message contents are not contractual and can change over time. // Error implements the error interface. Note that the message contents are not contractual and can change over time.
@ -87,6 +83,8 @@ func (e *AuthenticationFailedError) Error() string {
anchor = "managed-id" anchor = "managed-id"
case credNameUserPassword: case credNameUserPassword:
anchor = "username-password" anchor = "username-password"
case credNameWorkloadIdentity:
anchor = "workload"
} }
if anchor != "" { if anchor != "" {
fmt.Fprintf(msg, "To troubleshoot, visit https://aka.ms/azsdk/go/identity/troubleshoot#%s", anchor) fmt.Fprintf(msg, "To troubleshoot, visit https://aka.ms/azsdk/go/identity/troubleshoot#%s", anchor)
@ -101,24 +99,31 @@ func (*AuthenticationFailedError) NonRetriable() {
var _ errorinfo.NonRetriable = (*AuthenticationFailedError)(nil) var _ errorinfo.NonRetriable = (*AuthenticationFailedError)(nil)
// credentialUnavailableError indicates a credential can't attempt // credentialUnavailableError indicates a credential can't attempt authentication because it lacks required
// authentication because it lacks required data or state. // data or state
type credentialUnavailableError struct { type credentialUnavailableError struct {
credType string
message string message string
} }
// newCredentialUnavailableError is an internal helper that ensures consistent error message formatting
func newCredentialUnavailableError(credType, message string) error { func newCredentialUnavailableError(credType, message string) error {
return &credentialUnavailableError{credType: credType, message: message} msg := fmt.Sprintf("%s: %s", credType, message)
return &credentialUnavailableError{msg}
} }
// NewCredentialUnavailableError constructs an error indicating a credential can't attempt authentication
// because it lacks required data or state. When [ChainedTokenCredential] receives this error it will try
// its next credential, if any.
func NewCredentialUnavailableError(message string) error {
return &credentialUnavailableError{message}
}
// Error implements the error interface. Note that the message contents are not contractual and can change over time.
func (e *credentialUnavailableError) Error() string { func (e *credentialUnavailableError) Error() string {
return e.credType + ": " + e.message return e.message
} }
// NonRetriable indicates that this error should not be retried. // NonRetriable is a marker method indicating this error should not be retried. It has no implementation.
func (e *credentialUnavailableError) NonRetriable() { func (e *credentialUnavailableError) NonRetriable() {}
// marker method
}
var _ errorinfo.NonRetriable = (*credentialUnavailableError)(nil) var _ errorinfo.NonRetriable = (*credentialUnavailableError)(nil)

View file

@ -8,28 +8,41 @@ package azidentity
import ( import (
"context" "context"
"errors"
"github.com/Azure/azure-sdk-for-go/sdk/azcore" "github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
"github.com/AzureAD/microsoft-authentication-library-for-go/apps/public" "github.com/AzureAD/microsoft-authentication-library-for-go/apps/public"
) )
const credNameBrowser = "InteractiveBrowserCredentiall" const credNameBrowser = "InteractiveBrowserCredential"
// InteractiveBrowserCredentialOptions contains optional parameters for InteractiveBrowserCredential. // InteractiveBrowserCredentialOptions contains optional parameters for InteractiveBrowserCredential.
type InteractiveBrowserCredentialOptions struct { type InteractiveBrowserCredentialOptions struct {
azcore.ClientOptions azcore.ClientOptions
// TenantID is the Azure Active Directory tenant the credential authenticates in. Defaults to the // AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire
// "organizations" tenant, which can authenticate work and school accounts. // tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant.
TenantID string AdditionallyAllowedTenants []string
// ClientID is the ID of the application users will authenticate to. // ClientID is the ID of the application users will authenticate to.
// Defaults to the ID of an Azure development application. // Defaults to the ID of an Azure development application.
ClientID string ClientID string
// RedirectURL will be supported in a future version but presently doesn't work: https://github.com/Azure/azure-sdk-for-go/issues/15632.
// Applications which have "http://localhost" registered as a redirect URL need not set this option. // DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
// private clouds such as Azure Stack. It determines whether the credential requests Azure AD instance metadata
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
// the application responsible for ensuring the configured authority is valid and trustworthy.
DisableInstanceDiscovery bool
// LoginHint pre-populates the account prompt with a username. Users may choose to authenticate a different account.
LoginHint string
// RedirectURL is the URL Azure Active Directory will redirect to with the access token. This is required
// only when setting ClientID, and must match a redirect URI in the application's registration.
// Applications which have registered "http://localhost" as a redirect URI need not set this option.
RedirectURL string RedirectURL string
// TenantID is the Azure Active Directory tenant the credential authenticates in. Defaults to the
// "organizations" tenant, which can authenticate work and school accounts.
TenantID string
} }
func (o *InteractiveBrowserCredentialOptions) init() { func (o *InteractiveBrowserCredentialOptions) init() {
@ -43,9 +56,10 @@ func (o *InteractiveBrowserCredentialOptions) init() {
// InteractiveBrowserCredential opens a browser to interactively authenticate a user. // InteractiveBrowserCredential opens a browser to interactively authenticate a user.
type InteractiveBrowserCredential struct { type InteractiveBrowserCredential struct {
account public.Account
client publicClient client publicClient
options InteractiveBrowserCredentialOptions options InteractiveBrowserCredentialOptions
account public.Account s *syncer
} }
// NewInteractiveBrowserCredential constructs a new InteractiveBrowserCredential. Pass nil to accept default options. // NewInteractiveBrowserCredential constructs a new InteractiveBrowserCredential. Pass nil to accept default options.
@ -55,30 +69,37 @@ func NewInteractiveBrowserCredential(options *InteractiveBrowserCredentialOption
cp = *options cp = *options
} }
cp.init() cp.init()
c, err := getPublicClient(cp.ClientID, cp.TenantID, &cp.ClientOptions) c, err := getPublicClient(cp.ClientID, cp.TenantID, &cp.ClientOptions, public.WithInstanceDiscovery(!cp.DisableInstanceDiscovery))
if err != nil { if err != nil {
return nil, err return nil, err
} }
return &InteractiveBrowserCredential{options: cp, client: c}, nil ibc := InteractiveBrowserCredential{client: c, options: cp}
ibc.s = newSyncer(credNameBrowser, cp.TenantID, cp.AdditionallyAllowedTenants, ibc.requestToken, ibc.silentAuth)
return &ibc, nil
} }
// GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients. // GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
func (c *InteractiveBrowserCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) { func (c *InteractiveBrowserCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
if len(opts.Scopes) == 0 { return c.s.GetToken(ctx, opts)
return azcore.AccessToken{}, errors.New(credNameBrowser + ": GetToken() requires at least one scope")
} }
ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes, public.WithSilentAccount(c.account))
func (c *InteractiveBrowserCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
ar, err := c.client.AcquireTokenInteractive(ctx, opts.Scopes,
public.WithLoginHint(c.options.LoginHint),
public.WithRedirectURI(c.options.RedirectURL),
public.WithTenantID(opts.TenantID),
)
if err == nil { if err == nil {
logGetTokenSuccess(c, opts) c.account = ar.Account
}
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
} }
ar, err = c.client.AcquireTokenInteractive(ctx, opts.Scopes, public.WithRedirectURI(c.options.RedirectURL)) func (c *InteractiveBrowserCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
if err != nil { ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes,
return azcore.AccessToken{}, newAuthenticationFailedErrorFromMSALError(credNameBrowser, err) public.WithSilentAccount(c.account),
} public.WithTenantID(opts.TenantID),
c.account = ar.Account )
logGetTokenSuccess(c, opts)
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
} }

View file

@ -6,25 +6,9 @@
package azidentity package azidentity
import ( import "github.com/Azure/azure-sdk-for-go/sdk/internal/log"
"fmt"
"strings"
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
"github.com/Azure/azure-sdk-for-go/sdk/internal/log"
)
// EventAuthentication entries contain information about authentication. // EventAuthentication entries contain information about authentication.
// This includes information like the names of environment variables // This includes information like the names of environment variables
// used when obtaining credentials and the type of credential used. // used when obtaining credentials and the type of credential used.
const EventAuthentication log.Event = "Authentication" const EventAuthentication log.Event = "Authentication"
func logGetTokenSuccess(cred azcore.TokenCredential, opts policy.TokenRequestOptions) {
if !log.Should(EventAuthentication) {
return
}
scope := strings.Join(opts.Scopes, ", ")
msg := fmt.Sprintf("%T.GetToken() acquired a token for scope %s\n", cred, scope)
log.Write(EventAuthentication, msg)
}

View file

@ -59,7 +59,6 @@ type managedIdentityClient struct {
msiType msiType msiType msiType
endpoint string endpoint string
id ManagedIDKind id ManagedIDKind
imdsTimeout time.Duration
} }
type wrappedNumber json.Number type wrappedNumber json.Number
@ -162,12 +161,6 @@ func (c *managedIdentityClient) provideToken(ctx context.Context, params confide
// authenticate acquires an access token // authenticate acquires an access token
func (c *managedIdentityClient) authenticate(ctx context.Context, id ManagedIDKind, scopes []string) (azcore.AccessToken, error) { func (c *managedIdentityClient) authenticate(ctx context.Context, id ManagedIDKind, scopes []string) (azcore.AccessToken, error) {
var cancel context.CancelFunc
if c.imdsTimeout > 0 && c.msiType == msiTypeIMDS {
ctx, cancel = context.WithTimeout(ctx, c.imdsTimeout)
defer cancel()
}
msg, err := c.createAuthRequest(ctx, id, scopes) msg, err := c.createAuthRequest(ctx, id, scopes)
if err != nil { if err != nil {
return azcore.AccessToken{}, err return azcore.AccessToken{}, err
@ -175,14 +168,8 @@ func (c *managedIdentityClient) authenticate(ctx context.Context, id ManagedIDKi
resp, err := c.pipeline.Do(msg) resp, err := c.pipeline.Do(msg)
if err != nil { if err != nil {
if cancel != nil && errors.Is(err, context.DeadlineExceeded) { return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, err.Error(), nil, err)
return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, "IMDS token request timed out")
} }
return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, err.Error(), nil)
}
// got a response, remove the IMDS timeout so future requests use the transport's configuration
c.imdsTimeout = 0
if runtime.HasStatusCode(resp, http.StatusOK, http.StatusCreated) { if runtime.HasStatusCode(resp, http.StatusOK, http.StatusCreated) {
return c.createAccessToken(resp) return c.createAccessToken(resp)
@ -190,12 +177,12 @@ func (c *managedIdentityClient) authenticate(ctx context.Context, id ManagedIDKi
if c.msiType == msiTypeIMDS && resp.StatusCode == 400 { if c.msiType == msiTypeIMDS && resp.StatusCode == 400 {
if id != nil { if id != nil {
return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "the requested identity isn't assigned to this resource", resp) return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "the requested identity isn't assigned to this resource", resp, nil)
} }
return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, "no default identity is assigned to this resource") return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, "no default identity is assigned to this resource")
} }
return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "authentication failed", resp) return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "authentication failed", resp, nil)
} }
func (c *managedIdentityClient) createAccessToken(res *http.Response) (azcore.AccessToken, error) { func (c *managedIdentityClient) createAccessToken(res *http.Response) (azcore.AccessToken, error) {
@ -223,10 +210,10 @@ func (c *managedIdentityClient) createAccessToken(res *http.Response) (azcore.Ac
if expiresOn, err := strconv.Atoi(v); err == nil { if expiresOn, err := strconv.Atoi(v); err == nil {
return azcore.AccessToken{Token: value.Token, ExpiresOn: time.Unix(int64(expiresOn), 0).UTC()}, nil return azcore.AccessToken{Token: value.Token, ExpiresOn: time.Unix(int64(expiresOn), 0).UTC()}, nil
} }
return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "unexpected expires_on value: "+v, res) return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "unexpected expires_on value: "+v, res, nil)
default: default:
msg := fmt.Sprintf("unsupported type received in expires_on: %T, %v", v, v) msg := fmt.Sprintf("unsupported type received in expires_on: %T, %v", v, v)
return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, msg, res) return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, msg, res, nil)
} }
} }
@ -241,7 +228,7 @@ func (c *managedIdentityClient) createAuthRequest(ctx context.Context, id Manage
key, err := c.getAzureArcSecretKey(ctx, scopes) key, err := c.getAzureArcSecretKey(ctx, scopes)
if err != nil { if err != nil {
msg := fmt.Sprintf("failed to retreive secret key from the identity endpoint: %v", err) msg := fmt.Sprintf("failed to retreive secret key from the identity endpoint: %v", err)
return nil, newAuthenticationFailedError(credNameManagedIdentity, msg, nil) return nil, newAuthenticationFailedError(credNameManagedIdentity, msg, nil, err)
} }
return c.createAzureArcAuthRequest(ctx, id, scopes, key) return c.createAzureArcAuthRequest(ctx, id, scopes, key)
case msiTypeServiceFabric: case msiTypeServiceFabric:
@ -335,7 +322,7 @@ func (c *managedIdentityClient) getAzureArcSecretKey(ctx context.Context, resour
// of the secret key file. Any other status code indicates an error in the request. // of the secret key file. Any other status code indicates an error in the request.
if response.StatusCode != 401 { if response.StatusCode != 401 {
msg := fmt.Sprintf("expected a 401 response, received %d", response.StatusCode) msg := fmt.Sprintf("expected a 401 response, received %d", response.StatusCode)
return "", newAuthenticationFailedError(credNameManagedIdentity, msg, response) return "", newAuthenticationFailedError(credNameManagedIdentity, msg, response, nil)
} }
header := response.Header.Get("WWW-Authenticate") header := response.Header.Get("WWW-Authenticate")
if len(header) == 0 { if len(header) == 0 {

View file

@ -73,6 +73,7 @@ type ManagedIdentityCredentialOptions struct {
type ManagedIdentityCredential struct { type ManagedIdentityCredential struct {
client confidentialClient client confidentialClient
mic *managedIdentityClient mic *managedIdentityClient
s *syncer
} }
// NewManagedIdentityCredential creates a ManagedIdentityCredential. Pass nil to accept default options. // NewManagedIdentityCredential creates a ManagedIdentityCredential. Pass nil to accept default options.
@ -85,20 +86,21 @@ func NewManagedIdentityCredential(options *ManagedIdentityCredentialOptions) (*M
return nil, err return nil, err
} }
cred := confidential.NewCredFromTokenProvider(mic.provideToken) cred := confidential.NewCredFromTokenProvider(mic.provideToken)
if err != nil {
return nil, err
}
// It's okay to give MSAL an invalid client ID because MSAL will use it only as part of a cache key. // It's okay to give MSAL an invalid client ID because MSAL will use it only as part of a cache key.
// ManagedIdentityClient handles all the details of authentication and won't receive this value from MSAL. // ManagedIdentityClient handles all the details of authentication and won't receive this value from MSAL.
clientID := "SYSTEM-ASSIGNED-MANAGED-IDENTITY" clientID := "SYSTEM-ASSIGNED-MANAGED-IDENTITY"
if options.ID != nil { if options.ID != nil {
clientID = options.ID.String() clientID = options.ID.String()
} }
c, err := confidential.New(clientID, cred) // similarly, it's okay to give MSAL an incorrect authority URL because that URL won't be used
c, err := confidential.New("https://login.microsoftonline.com/common", clientID, cred)
if err != nil { if err != nil {
return nil, err return nil, err
} }
return &ManagedIdentityCredential{client: c, mic: mic}, nil m := ManagedIdentityCredential{client: c, mic: mic}
m.s = newSyncer(credNameManagedIdentity, "", nil, m.requestToken, m.silentAuth)
return &m, nil
} }
// GetToken requests an access token from the hosting environment. This method is called automatically by Azure SDK clients. // GetToken requests an access token from the hosting environment. This method is called automatically by Azure SDK clients.
@ -108,17 +110,17 @@ func (c *ManagedIdentityCredential) GetToken(ctx context.Context, opts policy.To
return azcore.AccessToken{}, err return azcore.AccessToken{}, err
} }
// managed identity endpoints require an AADv1 resource (i.e. token audience), not a v2 scope, so we remove "/.default" here // managed identity endpoints require an AADv1 resource (i.e. token audience), not a v2 scope, so we remove "/.default" here
scopes := []string{strings.TrimSuffix(opts.Scopes[0], defaultSuffix)} opts.Scopes = []string{strings.TrimSuffix(opts.Scopes[0], defaultSuffix)}
ar, err := c.client.AcquireTokenSilent(ctx, scopes) return c.s.GetToken(ctx, opts)
if err == nil {
logGetTokenSuccess(c, opts)
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, nil
} }
ar, err = c.client.AcquireTokenByCredential(ctx, scopes)
if err != nil { func (c *ManagedIdentityCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
return azcore.AccessToken{}, err ar, err := c.client.AcquireTokenByCredential(ctx, opts.Scopes)
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
} }
logGetTokenSuccess(c, opts)
func (c *ManagedIdentityCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes)
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
} }

View file

@ -0,0 +1,99 @@
//go:build go1.18
// +build go1.18
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
package azidentity
import (
"context"
"crypto"
"crypto/x509"
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
"github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential"
)
const credNameOBO = "OnBehalfOfCredential"
// OnBehalfOfCredential authenticates a service principal via the on-behalf-of flow. This is typically used by
// middle-tier services that authorize requests to other services with a delegated user identity. Because this
// is not an interactive authentication flow, an application using it must have admin consent for any delegated
// permissions before requesting tokens for them. See [Azure Active Directory documentation] for more details.
//
// [Azure Active Directory documentation]: https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
type OnBehalfOfCredential struct {
assertion string
client confidentialClient
s *syncer
}
// OnBehalfOfCredentialOptions contains optional parameters for OnBehalfOfCredential
type OnBehalfOfCredentialOptions struct {
azcore.ClientOptions
// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens.
// Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the
// application is registered.
AdditionallyAllowedTenants []string
// DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
// private clouds such as Azure Stack. It determines whether the credential requests Azure AD instance metadata
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
// the application responsible for ensuring the configured authority is valid and trustworthy.
DisableInstanceDiscovery bool
// SendCertificateChain applies only when the credential is configured to authenticate with a certificate.
// This setting controls whether the credential sends the public certificate chain in the x5c header of each
// token request's JWT. This is required for, and only used in, Subject Name/Issuer (SNI) authentication.
SendCertificateChain bool
}
// NewOnBehalfOfCredentialWithCertificate constructs an OnBehalfOfCredential that authenticates with a certificate.
// See [ParseCertificates] for help loading a certificate.
func NewOnBehalfOfCredentialWithCertificate(tenantID, clientID, userAssertion string, certs []*x509.Certificate, key crypto.PrivateKey, options *OnBehalfOfCredentialOptions) (*OnBehalfOfCredential, error) {
cred, err := confidential.NewCredFromCert(certs, key)
if err != nil {
return nil, err
}
return newOnBehalfOfCredential(tenantID, clientID, userAssertion, cred, options)
}
// NewOnBehalfOfCredentialWithSecret constructs an OnBehalfOfCredential that authenticates with a client secret.
func NewOnBehalfOfCredentialWithSecret(tenantID, clientID, userAssertion, clientSecret string, options *OnBehalfOfCredentialOptions) (*OnBehalfOfCredential, error) {
cred, err := confidential.NewCredFromSecret(clientSecret)
if err != nil {
return nil, err
}
return newOnBehalfOfCredential(tenantID, clientID, userAssertion, cred, options)
}
func newOnBehalfOfCredential(tenantID, clientID, userAssertion string, cred confidential.Credential, options *OnBehalfOfCredentialOptions) (*OnBehalfOfCredential, error) {
if options == nil {
options = &OnBehalfOfCredentialOptions{}
}
opts := []confidential.Option{}
if options.SendCertificateChain {
opts = append(opts, confidential.WithX5C())
}
opts = append(opts, confidential.WithInstanceDiscovery(!options.DisableInstanceDiscovery))
c, err := getConfidentialClient(clientID, tenantID, cred, &options.ClientOptions, opts...)
if err != nil {
return nil, err
}
obo := OnBehalfOfCredential{assertion: userAssertion, client: c}
obo.s = newSyncer(credNameOBO, tenantID, options.AdditionallyAllowedTenants, obo.requestToken, obo.requestToken)
return &obo, nil
}
// GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
func (o *OnBehalfOfCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
return o.s.GetToken(ctx, opts)
}
func (o *OnBehalfOfCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
ar, err := o.client.AcquireTokenOnBehalfOf(ctx, o.assertion, opts.Scopes, confidential.WithTenantID(opts.TenantID))
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
}
var _ azcore.TokenCredential = (*OnBehalfOfCredential)(nil)

View file

@ -0,0 +1,130 @@
//go:build go1.18
// +build go1.18
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
package azidentity
import (
"context"
"errors"
"fmt"
"strings"
"sync"
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
"github.com/Azure/azure-sdk-for-go/sdk/internal/log"
)
type authFn func(context.Context, policy.TokenRequestOptions) (azcore.AccessToken, error)
// syncer synchronizes authentication calls so that goroutines can share a credential instance
type syncer struct {
addlTenants []string
authing bool
cond *sync.Cond
reqToken, silent authFn
name, tenant string
}
func newSyncer(name, tenant string, additionalTenants []string, reqToken, silentAuth authFn) *syncer {
return &syncer{
addlTenants: resolveAdditionalTenants(additionalTenants),
cond: &sync.Cond{L: &sync.Mutex{}},
name: name,
reqToken: reqToken,
silent: silentAuth,
tenant: tenant,
}
}
// GetToken ensures that only one goroutine authenticates at a time
func (s *syncer) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
var at azcore.AccessToken
var err error
if len(opts.Scopes) == 0 {
return at, errors.New(s.name + ".GetToken() requires at least one scope")
}
// we don't resolve the tenant for managed identities because they can acquire tokens only from their home tenants
if s.name != credNameManagedIdentity {
tenant, err := s.resolveTenant(opts.TenantID)
if err != nil {
return at, err
}
opts.TenantID = tenant
}
auth := false
s.cond.L.Lock()
defer s.cond.L.Unlock()
for {
at, err = s.silent(ctx, opts)
if err == nil {
// got a token
break
}
if !s.authing {
// this goroutine will request a token
s.authing, auth = true, true
break
}
// another goroutine is acquiring a token; wait for it to finish, then try silent auth again
s.cond.Wait()
}
if auth {
s.authing = false
at, err = s.reqToken(ctx, opts)
s.cond.Broadcast()
}
if err != nil {
// Return credentialUnavailableError directly because that type affects the behavior of credential chains.
// Otherwise, return AuthenticationFailedError.
var unavailableErr *credentialUnavailableError
if !errors.As(err, &unavailableErr) {
res := getResponseFromError(err)
err = newAuthenticationFailedError(s.name, err.Error(), res, err)
}
} else if log.Should(EventAuthentication) {
scope := strings.Join(opts.Scopes, ", ")
msg := fmt.Sprintf(`%s.GetToken() acquired a token for scope "%s"\n`, s.name, scope)
log.Write(EventAuthentication, msg)
}
return at, err
}
// resolveTenant returns the correct tenant for a token request given the credential's
// configuration, or an error when the specified tenant isn't allowed by that configuration
func (s *syncer) resolveTenant(requested string) (string, error) {
if requested == "" || requested == s.tenant {
return s.tenant, nil
}
if s.tenant == "adfs" {
return "", errors.New("ADFS doesn't support tenants")
}
if !validTenantID(requested) {
return "", errors.New(tenantIDValidationErr)
}
for _, t := range s.addlTenants {
if t == "*" || t == requested {
return requested, nil
}
}
return "", fmt.Errorf(`%s isn't configured to acquire tokens for tenant %q. To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add "*" to allow acquiring tokens for any tenant`, s.name, requested)
}
// resolveAdditionalTenants returns a copy of tenants, simplified when tenants contains a wildcard
func resolveAdditionalTenants(tenants []string) []string {
if len(tenants) == 0 {
return nil
}
for _, t := range tenants {
// a wildcard makes all other values redundant
if t == "*" {
return []string{"*"}
}
}
cp := make([]string, len(tenants))
copy(cp, tenants)
return cp
}

View file

@ -8,7 +8,6 @@ package azidentity
import ( import (
"context" "context"
"errors"
"github.com/Azure/azure-sdk-for-go/sdk/azcore" "github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
@ -20,6 +19,16 @@ const credNameUserPassword = "UsernamePasswordCredential"
// UsernamePasswordCredentialOptions contains optional parameters for UsernamePasswordCredential. // UsernamePasswordCredentialOptions contains optional parameters for UsernamePasswordCredential.
type UsernamePasswordCredentialOptions struct { type UsernamePasswordCredentialOptions struct {
azcore.ClientOptions azcore.ClientOptions
// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens.
// Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the
// application is registered.
AdditionallyAllowedTenants []string
// DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
// private clouds such as Azure Stack. It determines whether the credential requests Azure AD instance metadata
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
// the application responsible for ensuring the configured authority is valid and trustworthy.
DisableInstanceDiscovery bool
} }
// UsernamePasswordCredential authenticates a user with a password. Microsoft doesn't recommend this kind of authentication, // UsernamePasswordCredential authenticates a user with a password. Microsoft doesn't recommend this kind of authentication,
@ -27,10 +36,10 @@ type UsernamePasswordCredentialOptions struct {
// with any form of multi-factor authentication, and the application must already have user or admin consent. // with any form of multi-factor authentication, and the application must already have user or admin consent.
// This credential can only authenticate work and school accounts; it can't authenticate Microsoft accounts. // This credential can only authenticate work and school accounts; it can't authenticate Microsoft accounts.
type UsernamePasswordCredential struct { type UsernamePasswordCredential struct {
client publicClient
username string
password string
account public.Account account public.Account
client publicClient
password, username string
s *syncer
} }
// NewUsernamePasswordCredential creates a UsernamePasswordCredential. clientID is the ID of the application the user // NewUsernamePasswordCredential creates a UsernamePasswordCredential. clientID is the ID of the application the user
@ -39,29 +48,33 @@ func NewUsernamePasswordCredential(tenantID string, clientID string, username st
if options == nil { if options == nil {
options = &UsernamePasswordCredentialOptions{} options = &UsernamePasswordCredentialOptions{}
} }
c, err := getPublicClient(clientID, tenantID, &options.ClientOptions) c, err := getPublicClient(clientID, tenantID, &options.ClientOptions, public.WithInstanceDiscovery(!options.DisableInstanceDiscovery))
if err != nil { if err != nil {
return nil, err return nil, err
} }
return &UsernamePasswordCredential{username: username, password: password, client: c}, nil upc := UsernamePasswordCredential{client: c, password: password, username: username}
upc.s = newSyncer(credNameUserPassword, tenantID, options.AdditionallyAllowedTenants, upc.requestToken, upc.silentAuth)
return &upc, nil
} }
// GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients. // GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
func (c *UsernamePasswordCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) { func (c *UsernamePasswordCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
if len(opts.Scopes) == 0 { return c.s.GetToken(ctx, opts)
return azcore.AccessToken{}, errors.New(credNameUserPassword + ": GetToken() requires at least one scope")
} }
ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes, public.WithSilentAccount(c.account))
func (c *UsernamePasswordCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
ar, err := c.client.AcquireTokenByUsernamePassword(ctx, opts.Scopes, c.username, c.password, public.WithTenantID(opts.TenantID))
if err == nil { if err == nil {
logGetTokenSuccess(c, opts) c.account = ar.Account
}
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
} }
ar, err = c.client.AcquireTokenByUsernamePassword(ctx, opts.Scopes, c.username, c.password)
if err != nil { func (c *UsernamePasswordCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
return azcore.AccessToken{}, newAuthenticationFailedErrorFromMSALError(credNameUserPassword, err) ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes,
} public.WithSilentAccount(c.account),
c.account = ar.Account public.WithTenantID(opts.TenantID),
logGetTokenSuccess(c, opts) )
return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
} }

View file

@ -11,5 +11,5 @@ const (
component = "azidentity" component = "azidentity"
// Version is the semantic version (see http://semver.org) of this module. // Version is the semantic version (see http://semver.org) of this module.
version = "v1.2.1" version = "v1.3.0"
) )

View file

@ -0,0 +1,126 @@
//go:build go1.18
// +build go1.18
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
package azidentity
import (
"context"
"errors"
"os"
"sync"
"time"
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
)
const credNameWorkloadIdentity = "WorkloadIdentityCredential"
// WorkloadIdentityCredential supports Azure workload identity on Kubernetes.
// See [Azure Kubernetes Service documentation] for more information.
//
// [Azure Kubernetes Service documentation]: https://learn.microsoft.com/azure/aks/workload-identity-overview
type WorkloadIdentityCredential struct {
assertion, file string
cred *ClientAssertionCredential
expires time.Time
mtx *sync.RWMutex
}
// WorkloadIdentityCredentialOptions contains optional parameters for WorkloadIdentityCredential.
type WorkloadIdentityCredentialOptions struct {
azcore.ClientOptions
// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens.
// Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the
// application is registered.
AdditionallyAllowedTenants []string
// ClientID of the service principal. Defaults to the value of the environment variable AZURE_CLIENT_ID.
ClientID string
// DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
// private clouds such as Azure Stack. It determines whether the credential requests Azure AD instance metadata
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
// the application responsible for ensuring the configured authority is valid and trustworthy.
DisableInstanceDiscovery bool
// TenantID of the service principal. Defaults to the value of the environment variable AZURE_TENANT_ID.
TenantID string
// TokenFilePath is the path a file containing the workload identity token. Defaults to the value of the
// environment variable AZURE_FEDERATED_TOKEN_FILE.
TokenFilePath string
}
// NewWorkloadIdentityCredential constructs a WorkloadIdentityCredential. Service principal configuration is read
// from environment variables as set by the Azure workload identity webhook. Set options to override those values.
func NewWorkloadIdentityCredential(options *WorkloadIdentityCredentialOptions) (*WorkloadIdentityCredential, error) {
if options == nil {
options = &WorkloadIdentityCredentialOptions{}
}
ok := false
clientID := options.ClientID
if clientID == "" {
if clientID, ok = os.LookupEnv(azureClientID); !ok {
return nil, errors.New("no client ID specified. Check pod configuration or set ClientID in the options")
}
}
file := options.TokenFilePath
if file == "" {
if file, ok = os.LookupEnv(azureFederatedTokenFile); !ok {
return nil, errors.New("no token file specified. Check pod configuration or set TokenFilePath in the options")
}
}
tenantID := options.TenantID
if tenantID == "" {
if tenantID, ok = os.LookupEnv(azureTenantID); !ok {
return nil, errors.New("no tenant ID specified. Check pod configuration or set TenantID in the options")
}
}
w := WorkloadIdentityCredential{file: file, mtx: &sync.RWMutex{}}
caco := ClientAssertionCredentialOptions{
AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
ClientOptions: options.ClientOptions,
DisableInstanceDiscovery: options.DisableInstanceDiscovery,
}
cred, err := NewClientAssertionCredential(tenantID, clientID, w.getAssertion, &caco)
if err != nil {
return nil, err
}
// we want "WorkloadIdentityCredential" in log messages, not "ClientAssertionCredential"
cred.s.name = credNameWorkloadIdentity
w.cred = cred
return &w, nil
}
// GetToken requests an access token from Azure Active Directory. Azure SDK clients call this method automatically.
func (w *WorkloadIdentityCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
return w.cred.GetToken(ctx, opts)
}
// getAssertion returns the specified file's content, which is expected to be a Kubernetes service account token.
// Kubernetes is responsible for updating the file as service account tokens expire.
func (w *WorkloadIdentityCredential) getAssertion(context.Context) (string, error) {
w.mtx.RLock()
if w.expires.Before(time.Now()) {
// ensure only one goroutine at a time updates the assertion
w.mtx.RUnlock()
w.mtx.Lock()
defer w.mtx.Unlock()
// double check because another goroutine may have acquired the write lock first and done the update
if now := time.Now(); w.expires.Before(now) {
content, err := os.ReadFile(w.file)
if err != nil {
return "", err
}
w.assertion = string(content)
// Kubernetes rotates service account tokens when they reach 80% of their total TTL. The shortest TTL
// is 1 hour. That implies the token we just read is valid for at least 12 minutes (20% of 1 hour),
// but we add some margin for safety.
w.expires = now.Add(10 * time.Minute)
}
} else {
defer w.mtx.RUnlock()
}
return w.assertion, nil
}

View file

@ -0,0 +1,124 @@
//go:build go1.18
// +build go1.18
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
package exported
import (
"errors"
"io"
"net/http"
)
// HasStatusCode returns true if the Response's status code is one of the specified values.
// Exported as runtime.HasStatusCode().
func HasStatusCode(resp *http.Response, statusCodes ...int) bool {
if resp == nil {
return false
}
for _, sc := range statusCodes {
if resp.StatusCode == sc {
return true
}
}
return false
}
// PayloadOptions contains the optional values for the Payload func.
// NOT exported but used by azcore.
type PayloadOptions struct {
// BytesModifier receives the downloaded byte slice and returns an updated byte slice.
// Use this to modify the downloaded bytes in a payload (e.g. removing a BOM).
BytesModifier func([]byte) []byte
}
// Payload reads and returns the response body or an error.
// On a successful read, the response body is cached.
// Subsequent reads will access the cached value.
// Exported as runtime.Payload() WITHOUT the opts parameter.
func Payload(resp *http.Response, opts *PayloadOptions) ([]byte, error) {
modifyBytes := func(b []byte) []byte { return b }
if opts != nil && opts.BytesModifier != nil {
modifyBytes = opts.BytesModifier
}
// r.Body won't be a nopClosingBytesReader if downloading was skipped
if buf, ok := resp.Body.(*nopClosingBytesReader); ok {
bytesBody := modifyBytes(buf.Bytes())
buf.Set(bytesBody)
return bytesBody, nil
}
bytesBody, err := io.ReadAll(resp.Body)
resp.Body.Close()
if err != nil {
return nil, err
}
bytesBody = modifyBytes(bytesBody)
resp.Body = &nopClosingBytesReader{s: bytesBody}
return bytesBody, nil
}
// PayloadDownloaded returns true if the response body has already been downloaded.
// This implies that the Payload() func above has been previously called.
// NOT exported but used by azcore.
func PayloadDownloaded(resp *http.Response) bool {
_, ok := resp.Body.(*nopClosingBytesReader)
return ok
}
// nopClosingBytesReader is an io.ReadSeekCloser around a byte slice.
// It also provides direct access to the byte slice to avoid rereading.
type nopClosingBytesReader struct {
s []byte
i int64
}
// Bytes returns the underlying byte slice.
func (r *nopClosingBytesReader) Bytes() []byte {
return r.s
}
// Close implements the io.Closer interface.
func (*nopClosingBytesReader) Close() error {
return nil
}
// Read implements the io.Reader interface.
func (r *nopClosingBytesReader) Read(b []byte) (n int, err error) {
if r.i >= int64(len(r.s)) {
return 0, io.EOF
}
n = copy(b, r.s[r.i:])
r.i += int64(n)
return
}
// Set replaces the existing byte slice with the specified byte slice and resets the reader.
func (r *nopClosingBytesReader) Set(b []byte) {
r.s = b
r.i = 0
}
// Seek implements the io.Seeker interface.
func (r *nopClosingBytesReader) Seek(offset int64, whence int) (int64, error) {
var i int64
switch whence {
case io.SeekStart:
i = offset
case io.SeekCurrent:
i = r.i + offset
case io.SeekEnd:
i = int64(len(r.s)) + offset
default:
return 0, errors.New("nopClosingBytesReader: invalid whence")
}
if i < 0 {
return 0, errors.New("nopClosingBytesReader: negative position")
}
r.i = i
return i, nil
}

View file

@ -0,0 +1,155 @@
//go:build go1.18
// +build go1.18
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
package poller
import (
"encoding/json"
"errors"
"fmt"
"net/http"
"net/url"
"strings"
"github.com/Azure/azure-sdk-for-go/sdk/internal/exported"
)
// the well-known set of LRO status/provisioning state values.
const (
StatusSucceeded = "Succeeded"
StatusCanceled = "Canceled"
StatusFailed = "Failed"
StatusInProgress = "InProgress"
)
// these are non-conformant states that we've seen in the wild.
// we support them for back-compat.
const (
StatusCancelled = "Cancelled"
StatusCompleted = "Completed"
)
// IsTerminalState returns true if the LRO's state is terminal.
func IsTerminalState(s string) bool {
return Failed(s) || Succeeded(s)
}
// Failed returns true if the LRO's state is terminal failure.
func Failed(s string) bool {
return strings.EqualFold(s, StatusFailed) || strings.EqualFold(s, StatusCanceled) || strings.EqualFold(s, StatusCancelled)
}
// Succeeded returns true if the LRO's state is terminal success.
func Succeeded(s string) bool {
return strings.EqualFold(s, StatusSucceeded) || strings.EqualFold(s, StatusCompleted)
}
// returns true if the LRO response contains a valid HTTP status code
func StatusCodeValid(resp *http.Response) bool {
return exported.HasStatusCode(resp, http.StatusOK, http.StatusAccepted, http.StatusCreated, http.StatusNoContent)
}
// IsValidURL verifies that the URL is valid and absolute.
func IsValidURL(s string) bool {
u, err := url.Parse(s)
return err == nil && u.IsAbs()
}
// ErrNoBody is returned if the response didn't contain a body.
var ErrNoBody = errors.New("the response did not contain a body")
// GetJSON reads the response body into a raw JSON object.
// It returns ErrNoBody if there was no content.
func GetJSON(resp *http.Response) (map[string]any, error) {
body, err := exported.Payload(resp, nil)
if err != nil {
return nil, err
}
if len(body) == 0 {
return nil, ErrNoBody
}
// unmarshall the body to get the value
var jsonBody map[string]any
if err = json.Unmarshal(body, &jsonBody); err != nil {
return nil, err
}
return jsonBody, nil
}
// provisioningState returns the provisioning state from the response or the empty string.
func provisioningState(jsonBody map[string]any) string {
jsonProps, ok := jsonBody["properties"]
if !ok {
return ""
}
props, ok := jsonProps.(map[string]any)
if !ok {
return ""
}
rawPs, ok := props["provisioningState"]
if !ok {
return ""
}
ps, ok := rawPs.(string)
if !ok {
return ""
}
return ps
}
// status returns the status from the response or the empty string.
func status(jsonBody map[string]any) string {
rawStatus, ok := jsonBody["status"]
if !ok {
return ""
}
status, ok := rawStatus.(string)
if !ok {
return ""
}
return status
}
// GetStatus returns the LRO's status from the response body.
// Typically used for Azure-AsyncOperation flows.
// If there is no status in the response body the empty string is returned.
func GetStatus(resp *http.Response) (string, error) {
jsonBody, err := GetJSON(resp)
if err != nil {
return "", err
}
return status(jsonBody), nil
}
// GetProvisioningState returns the LRO's state from the response body.
// If there is no state in the response body the empty string is returned.
func GetProvisioningState(resp *http.Response) (string, error) {
jsonBody, err := GetJSON(resp)
if err != nil {
return "", err
}
return provisioningState(jsonBody), nil
}
// GetResourceLocation returns the LRO's resourceLocation value from the response body.
// Typically used for Operation-Location flows.
// If there is no resourceLocation in the response body the empty string is returned.
func GetResourceLocation(resp *http.Response) (string, error) {
jsonBody, err := GetJSON(resp)
if err != nil {
return "", err
}
v, ok := jsonBody["resourceLocation"]
if !ok {
// it might be ok if the field doesn't exist, the caller must make that determination
return "", nil
}
vv, ok := v.(string)
if !ok {
return "", fmt.Errorf("the resourceLocation value %v was not in string format", v)
}
return vv, nil
}

View file

@ -11,6 +11,8 @@ implementers on the format being passed.
*/ */
package cache package cache
import "context"
// Marshaler marshals data from an internal cache to bytes that can be stored. // Marshaler marshals data from an internal cache to bytes that can be stored.
type Marshaler interface { type Marshaler interface {
Marshal() ([]byte, error) Marshal() ([]byte, error)
@ -27,13 +29,26 @@ type Serializer interface {
Unmarshaler Unmarshaler
} }
// ExportReplace is used export or replace what is in the cache. // ExportHints are suggestions for storing data.
type ExportReplace interface { type ExportHints struct {
// Replace replaces the cache with what is in external storage. // PartitionKey is a suggested key for partitioning the cache
// key is the suggested key which can be used for partioning the cache PartitionKey string
Replace(cache Unmarshaler, key string) }
// Export writes the binary representation of the cache (cache.Marshal()) to
// external storage. This is considered opaque. // ReplaceHints are suggestions for loading data.
// key is the suggested key which can be used for partioning the cache type ReplaceHints struct {
Export(cache Marshaler, key string) // PartitionKey is a suggested key for partitioning the cache
PartitionKey string
}
// ExportReplace exports and replaces in-memory cache data. It doesn't support nil Context or
// define the outcome of passing one. A Context without a timeout must receive a default timeout
// specified by the implementor. Retries must be implemented inside the implementation.
type ExportReplace interface {
// Replace replaces the cache with what is in external storage. Implementors should honor
// Context cancellations and return context.Canceled or context.DeadlineExceeded in those cases.
Replace(ctx context.Context, cache Unmarshaler, hints ReplaceHints) error
// Export writes the binary representation of the cache (cache.Marshal()) to external storage.
// This is considered opaque. Context cancellations should be honored as in Replace.
Export(ctx context.Context, cache Marshaler, hints ExportHints) error
} }

View file

@ -18,7 +18,6 @@ import (
"encoding/pem" "encoding/pem"
"errors" "errors"
"fmt" "fmt"
"net/url"
"github.com/AzureAD/microsoft-authentication-library-for-go/apps/cache" "github.com/AzureAD/microsoft-authentication-library-for-go/apps/cache"
"github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base" "github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base"
@ -50,8 +49,7 @@ duplication.
.Net People, Take note on X509: .Net People, Take note on X509:
This uses x509.Certificates and private keys. x509 does not store private keys. .Net This uses x509.Certificates and private keys. x509 does not store private keys. .Net
has some x509.Certificate2 thing that has private keys, but that is just some bullcrap that .Net has some x509.Certificate2 thing that has private keys, but that is just some bullcrap that .Net
added, it doesn't exist in real life. Seriously, "x509.Certificate2", bahahahaha. As such I've added, it doesn't exist in real life. As such I've put a PEM decoder into here.
put a PEM decoder into here.
*/ */
// TODO(msal): This should have example code for each method on client using Go's example doc framework. // TODO(msal): This should have example code for each method on client using Go's example doc framework.
@ -63,7 +61,7 @@ type AuthResult = base.AuthResult
type Account = shared.Account type Account = shared.Account
// CertFromPEM converts a PEM file (.pem or .key) for use with NewCredFromCert(). The file // CertFromPEM converts a PEM file (.pem or .key) for use with [NewCredFromCert]. The file
// must contain the public certificate and the private key. If a PEM block is encrypted and // must contain the public certificate and the private key. If a PEM block is encrypted and
// password is not an empty string, it attempts to decrypt the PEM blocks using the password. // password is not an empty string, it attempts to decrypt the PEM blocks using the password.
// Multiple certs are due to certificate chaining for use cases like TLS that sign from root to leaf. // Multiple certs are due to certificate chaining for use cases like TLS that sign from root to leaf.
@ -179,33 +177,15 @@ func NewCredFromSecret(secret string) (Credential, error) {
return Credential{secret: secret}, nil return Credential{secret: secret}, nil
} }
// NewCredFromAssertion creates a Credential from a signed assertion.
//
// Deprecated: a Credential created by this function can't refresh the
// assertion when it expires. Use NewCredFromAssertionCallback instead.
func NewCredFromAssertion(assertion string) (Credential, error) {
if assertion == "" {
return Credential{}, errors.New("assertion can't be empty string")
}
return NewCredFromAssertionCallback(func(context.Context, AssertionRequestOptions) (string, error) { return assertion, nil }), nil
}
// NewCredFromAssertionCallback creates a Credential that invokes a callback to get assertions // NewCredFromAssertionCallback creates a Credential that invokes a callback to get assertions
// authenticating the application. The callback must be thread safe. // authenticating the application. The callback must be thread safe.
func NewCredFromAssertionCallback(callback func(context.Context, AssertionRequestOptions) (string, error)) Credential { func NewCredFromAssertionCallback(callback func(context.Context, AssertionRequestOptions) (string, error)) Credential {
return Credential{assertionCallback: callback} return Credential{assertionCallback: callback}
} }
// NewCredFromCert creates a Credential from an x509.Certificate and an RSA private key. // NewCredFromCert creates a Credential from a certificate or chain of certificates and an RSA private key
// CertFromPEM() can be used to get these values from a PEM file. // as returned by [CertFromPEM].
func NewCredFromCert(cert *x509.Certificate, key crypto.PrivateKey) Credential { func NewCredFromCert(certs []*x509.Certificate, key crypto.PrivateKey) (Credential, error) {
cred, _ := NewCredFromCertChain([]*x509.Certificate{cert}, key)
return cred
}
// NewCredFromCertChain creates a Credential from a chain of x509.Certificates and an RSA private key
// as returned by CertFromPEM().
func NewCredFromCertChain(certs []*x509.Certificate, key crypto.PrivateKey) (Credential, error) {
cred := Credential{key: key} cred := Credential{key: key}
k, ok := key.(*rsa.PrivateKey) k, ok := key.(*rsa.PrivateKey)
if !ok { if !ok {
@ -255,73 +235,32 @@ func AutoDetectRegion() string {
// For more information, visit https://docs.microsoft.com/azure/active-directory/develop/msal-client-applications // For more information, visit https://docs.microsoft.com/azure/active-directory/develop/msal-client-applications
type Client struct { type Client struct {
base base.Client base base.Client
cred *accesstokens.Credential cred *accesstokens.Credential
// userID is some unique identifier for a user. It actually isn't used by us at all, it
// simply acts as another hint that a confidential.Client is for a single user.
userID string
} }
// Options are optional settings for New(). These options are set using various functions // clientOptions are optional settings for New(). These options are set using various functions
// returning Option calls. // returning Option calls.
type Options struct { type clientOptions struct {
// Accessor controls cache persistence. accessor cache.ExportReplace
// By default there is no cache persistence. This can be set using the WithAccessor() option. authority, azureRegion string
Accessor cache.ExportReplace
// The host of the Azure Active Directory authority.
// The default is https://login.microsoftonline.com/common. This can be changed using the
// WithAuthority() option.
Authority string
// The HTTP client used for making requests.
// It defaults to a shared http.Client.
HTTPClient ops.HTTPClient
// SendX5C specifies if x5c claim(public key of the certificate) should be sent to STS.
SendX5C bool
// Instructs MSAL Go to use an Azure regional token service with sepcified AzureRegion.
AzureRegion string
capabilities []string capabilities []string
disableInstanceDiscovery, sendX5C bool
disableInstanceDiscovery bool httpClient ops.HTTPClient
}
func (o Options) validate() error {
u, err := url.Parse(o.Authority)
if err != nil {
return fmt.Errorf("the Authority(%s) does not parse as a valid URL", o.Authority)
}
if u.Scheme != "https" {
return fmt.Errorf("the Authority(%s) does not appear to use https", o.Authority)
}
return nil
} }
// Option is an optional argument to New(). // Option is an optional argument to New().
type Option func(o *Options) type Option func(o *clientOptions)
// WithAuthority allows you to provide a custom authority for use in the client. // WithCache provides an accessor that will read and write authentication data to an externally managed cache.
func WithAuthority(authority string) Option { func WithCache(accessor cache.ExportReplace) Option {
return func(o *Options) { return func(o *clientOptions) {
o.Authority = authority o.accessor = accessor
}
}
// WithAccessor provides a cache accessor that will read and write to some externally managed cache
// that may or may not be shared with other applications.
func WithAccessor(accessor cache.ExportReplace) Option {
return func(o *Options) {
o.Accessor = accessor
} }
} }
// WithClientCapabilities allows configuring one or more client capabilities such as "CP1" // WithClientCapabilities allows configuring one or more client capabilities such as "CP1"
func WithClientCapabilities(capabilities []string) Option { func WithClientCapabilities(capabilities []string) Option {
return func(o *Options) { return func(o *clientOptions) {
// there's no danger of sharing the slice's underlying memory with the application because // there's no danger of sharing the slice's underlying memory with the application because
// this slice is simply passed to base.WithClientCapabilities, which copies its data // this slice is simply passed to base.WithClientCapabilities, which copies its data
o.capabilities = capabilities o.capabilities = capabilities
@ -330,21 +269,21 @@ func WithClientCapabilities(capabilities []string) Option {
// WithHTTPClient allows for a custom HTTP client to be set. // WithHTTPClient allows for a custom HTTP client to be set.
func WithHTTPClient(httpClient ops.HTTPClient) Option { func WithHTTPClient(httpClient ops.HTTPClient) Option {
return func(o *Options) { return func(o *clientOptions) {
o.HTTPClient = httpClient o.httpClient = httpClient
} }
} }
// WithX5C specifies if x5c claim(public key of the certificate) should be sent to STS to enable Subject Name Issuer Authentication. // WithX5C specifies if x5c claim(public key of the certificate) should be sent to STS to enable Subject Name Issuer Authentication.
func WithX5C() Option { func WithX5C() Option {
return func(o *Options) { return func(o *clientOptions) {
o.SendX5C = true o.sendX5C = true
} }
} }
// WithInstanceDiscovery set to false to disable authority validation (to support private cloud scenarios) // WithInstanceDiscovery set to false to disable authority validation (to support private cloud scenarios)
func WithInstanceDiscovery(enabled bool) Option { func WithInstanceDiscovery(enabled bool) Option {
return func(o *Options) { return func(o *clientOptions) {
o.disableInstanceDiscovery = !enabled o.disableInstanceDiscovery = !enabled
} }
} }
@ -361,44 +300,37 @@ func WithInstanceDiscovery(enabled bool) Option {
// If auto-detection fails, the non-regional endpoint will be used. // If auto-detection fails, the non-regional endpoint will be used.
// If an invalid region name is provided, the non-regional endpoint MIGHT be used or the token request MIGHT fail. // If an invalid region name is provided, the non-regional endpoint MIGHT be used or the token request MIGHT fail.
func WithAzureRegion(val string) Option { func WithAzureRegion(val string) Option {
return func(o *Options) { return func(o *clientOptions) {
o.AzureRegion = val o.azureRegion = val
} }
} }
// New is the constructor for Client. userID is the unique identifier of the user this client // New is the constructor for Client. authority is the URL of a token authority such as "https://login.microsoftonline.com/<your tenant>".
// will store credentials for (a Client is per user). clientID is the Azure clientID and cred is // If the Client will connect directly to AD FS, use "adfs" for the tenant. clientID is the application's client ID (also called its
// the type of credential to use. // "application ID").
func New(clientID string, cred Credential, options ...Option) (Client, error) { func New(authority, clientID string, cred Credential, options ...Option) (Client, error) {
internalCred, err := cred.toInternal() internalCred, err := cred.toInternal()
if err != nil { if err != nil {
return Client{}, err return Client{}, err
} }
opts := Options{ opts := clientOptions{
Authority: base.AuthorityPublicCloud, authority: authority,
HTTPClient: shared.DefaultClient, // if the caller specified a token provider, it will handle all details of authentication, using Client only as a token cache
disableInstanceDiscovery: cred.tokenProvider != nil,
httpClient: shared.DefaultClient,
} }
for _, o := range options { for _, o := range options {
o(&opts) o(&opts)
} }
if err := opts.validate(); err != nil {
return Client{}, err
}
baseOpts := []base.Option{ baseOpts := []base.Option{
base.WithCacheAccessor(opts.Accessor), base.WithCacheAccessor(opts.accessor),
base.WithClientCapabilities(opts.capabilities), base.WithClientCapabilities(opts.capabilities),
base.WithRegionDetection(opts.AzureRegion),
base.WithX5C(opts.SendX5C),
base.WithInstanceDiscovery(!opts.disableInstanceDiscovery), base.WithInstanceDiscovery(!opts.disableInstanceDiscovery),
base.WithRegionDetection(opts.azureRegion),
base.WithX5C(opts.sendX5C),
} }
if cred.tokenProvider != nil { base, err := base.New(clientID, opts.authority, oauth.New(opts.httpClient), baseOpts...)
// The caller will handle all details of authentication, using Client only as a token cache.
baseOpts = append(baseOpts, base.WithInstanceDiscovery(false))
}
base, err := base.New(clientID, opts.Authority, oauth.New(opts.HTTPClient), baseOpts...)
if err != nil { if err != nil {
return Client{}, err return Client{}, err
} }
@ -407,11 +339,6 @@ func New(clientID string, cred Credential, options ...Option) (Client, error) {
return Client{base: base, cred: internalCred}, nil return Client{base: base, cred: internalCred}, nil
} }
// UserID is the unique user identifier this client if for.
func (cca Client) UserID() string {
return cca.userID
}
// authCodeURLOptions contains options for AuthCodeURL // authCodeURLOptions contains options for AuthCodeURL
type authCodeURLOptions struct { type authCodeURLOptions struct {
claims, loginHint, tenantID, domainHint string claims, loginHint, tenantID, domainHint string
@ -508,13 +435,13 @@ func WithClaims(claims string) interface {
CallOption: options.NewCallOption( CallOption: options.NewCallOption(
func(a any) error { func(a any) error {
switch t := a.(type) { switch t := a.(type) {
case *AcquireTokenByAuthCodeOptions: case *acquireTokenByAuthCodeOptions:
t.claims = claims t.claims = claims
case *acquireTokenByCredentialOptions: case *acquireTokenByCredentialOptions:
t.claims = claims t.claims = claims
case *acquireTokenOnBehalfOfOptions: case *acquireTokenOnBehalfOfOptions:
t.claims = claims t.claims = claims
case *AcquireTokenSilentOptions: case *acquireTokenSilentOptions:
t.claims = claims t.claims = claims
case *authCodeURLOptions: case *authCodeURLOptions:
t.claims = claims t.claims = claims
@ -527,7 +454,7 @@ func WithClaims(claims string) interface {
} }
} }
// WithTenantID specifies a tenant for a single authentication. It may be different than the tenant set in [New] by [WithAuthority]. // WithTenantID specifies a tenant for a single authentication. It may be different than the tenant set in [New].
// This option is valid for any token acquisition method. // This option is valid for any token acquisition method.
func WithTenantID(tenantID string) interface { func WithTenantID(tenantID string) interface {
AcquireByAuthCodeOption AcquireByAuthCodeOption
@ -548,13 +475,13 @@ func WithTenantID(tenantID string) interface {
CallOption: options.NewCallOption( CallOption: options.NewCallOption(
func(a any) error { func(a any) error {
switch t := a.(type) { switch t := a.(type) {
case *AcquireTokenByAuthCodeOptions: case *acquireTokenByAuthCodeOptions:
t.tenantID = tenantID t.tenantID = tenantID
case *acquireTokenByCredentialOptions: case *acquireTokenByCredentialOptions:
t.tenantID = tenantID t.tenantID = tenantID
case *acquireTokenOnBehalfOfOptions: case *acquireTokenOnBehalfOfOptions:
t.tenantID = tenantID t.tenantID = tenantID
case *AcquireTokenSilentOptions: case *acquireTokenSilentOptions:
t.tenantID = tenantID t.tenantID = tenantID
case *authCodeURLOptions: case *authCodeURLOptions:
t.tenantID = tenantID t.tenantID = tenantID
@ -567,12 +494,10 @@ func WithTenantID(tenantID string) interface {
} }
} }
// AcquireTokenSilentOptions are all the optional settings to an AcquireTokenSilent() call. // acquireTokenSilentOptions are all the optional settings to an AcquireTokenSilent() call.
// These are set by using various AcquireTokenSilentOption functions. // These are set by using various AcquireTokenSilentOption functions.
type AcquireTokenSilentOptions struct { type acquireTokenSilentOptions struct {
// Account represents the account to use. To set, use the WithSilentAccount() option. account Account
Account Account
claims, tenantID string claims, tenantID string
} }
@ -581,11 +506,6 @@ type AcquireSilentOption interface {
acquireSilentOption() acquireSilentOption()
} }
// AcquireTokenSilentOption changes options inside AcquireTokenSilentOptions used in .AcquireTokenSilent().
type AcquireTokenSilentOption func(a *AcquireTokenSilentOptions)
func (AcquireTokenSilentOption) acquireSilentOption() {}
// WithSilentAccount uses the passed account during an AcquireTokenSilent() call. // WithSilentAccount uses the passed account during an AcquireTokenSilent() call.
func WithSilentAccount(account Account) interface { func WithSilentAccount(account Account) interface {
AcquireSilentOption AcquireSilentOption
@ -598,8 +518,8 @@ func WithSilentAccount(account Account) interface {
CallOption: options.NewCallOption( CallOption: options.NewCallOption(
func(a any) error { func(a any) error {
switch t := a.(type) { switch t := a.(type) {
case *AcquireTokenSilentOptions: case *acquireTokenSilentOptions:
t.Account = account t.account = account
default: default:
return fmt.Errorf("unexpected options type %T", a) return fmt.Errorf("unexpected options type %T", a)
} }
@ -613,7 +533,7 @@ func WithSilentAccount(account Account) interface {
// //
// Options: [WithClaims], [WithSilentAccount], [WithTenantID] // Options: [WithClaims], [WithSilentAccount], [WithTenantID]
func (cca Client) AcquireTokenSilent(ctx context.Context, scopes []string, opts ...AcquireSilentOption) (AuthResult, error) { func (cca Client) AcquireTokenSilent(ctx context.Context, scopes []string, opts ...AcquireSilentOption) (AuthResult, error) {
o := AcquireTokenSilentOptions{} o := acquireTokenSilentOptions{}
if err := options.ApplyOptions(&o, opts); err != nil { if err := options.ApplyOptions(&o, opts); err != nil {
return AuthResult{}, err return AuthResult{}, err
} }
@ -624,21 +544,19 @@ func (cca Client) AcquireTokenSilent(ctx context.Context, scopes []string, opts
silentParameters := base.AcquireTokenSilentParameters{ silentParameters := base.AcquireTokenSilentParameters{
Scopes: scopes, Scopes: scopes,
Account: o.Account, Account: o.account,
RequestType: accesstokens.ATConfidential, RequestType: accesstokens.ATConfidential,
Credential: cca.cred, Credential: cca.cred,
IsAppCache: o.Account.IsZero(), IsAppCache: o.account.IsZero(),
TenantID: o.tenantID, TenantID: o.tenantID,
} }
return cca.base.AcquireTokenSilent(ctx, silentParameters) return cca.base.AcquireTokenSilent(ctx, silentParameters)
} }
// AcquireTokenByAuthCodeOptions contains the optional parameters used to acquire an access token using the authorization code flow. // acquireTokenByAuthCodeOptions contains the optional parameters used to acquire an access token using the authorization code flow.
type AcquireTokenByAuthCodeOptions struct { type acquireTokenByAuthCodeOptions struct {
Challenge string challenge, claims, tenantID string
claims, tenantID string
} }
// AcquireByAuthCodeOption is implemented by options for AcquireTokenByAuthCode // AcquireByAuthCodeOption is implemented by options for AcquireTokenByAuthCode
@ -646,11 +564,6 @@ type AcquireByAuthCodeOption interface {
acquireByAuthCodeOption() acquireByAuthCodeOption()
} }
// AcquireTokenByAuthCodeOption changes options inside AcquireTokenByAuthCodeOptions used in .AcquireTokenByAuthCode().
type AcquireTokenByAuthCodeOption func(a *AcquireTokenByAuthCodeOptions)
func (AcquireTokenByAuthCodeOption) acquireByAuthCodeOption() {}
// WithChallenge allows you to provide a challenge for the .AcquireTokenByAuthCode() call. // WithChallenge allows you to provide a challenge for the .AcquireTokenByAuthCode() call.
func WithChallenge(challenge string) interface { func WithChallenge(challenge string) interface {
AcquireByAuthCodeOption AcquireByAuthCodeOption
@ -663,8 +576,8 @@ func WithChallenge(challenge string) interface {
CallOption: options.NewCallOption( CallOption: options.NewCallOption(
func(a any) error { func(a any) error {
switch t := a.(type) { switch t := a.(type) {
case *AcquireTokenByAuthCodeOptions: case *acquireTokenByAuthCodeOptions:
t.Challenge = challenge t.challenge = challenge
default: default:
return fmt.Errorf("unexpected options type %T", a) return fmt.Errorf("unexpected options type %T", a)
} }
@ -679,7 +592,7 @@ func WithChallenge(challenge string) interface {
// //
// Options: [WithChallenge], [WithClaims], [WithTenantID] // Options: [WithChallenge], [WithClaims], [WithTenantID]
func (cca Client) AcquireTokenByAuthCode(ctx context.Context, code string, redirectURI string, scopes []string, opts ...AcquireByAuthCodeOption) (AuthResult, error) { func (cca Client) AcquireTokenByAuthCode(ctx context.Context, code string, redirectURI string, scopes []string, opts ...AcquireByAuthCodeOption) (AuthResult, error) {
o := AcquireTokenByAuthCodeOptions{} o := acquireTokenByAuthCodeOptions{}
if err := options.ApplyOptions(&o, opts); err != nil { if err := options.ApplyOptions(&o, opts); err != nil {
return AuthResult{}, err return AuthResult{}, err
} }
@ -687,7 +600,7 @@ func (cca Client) AcquireTokenByAuthCode(ctx context.Context, code string, redir
params := base.AcquireTokenAuthCodeParameters{ params := base.AcquireTokenAuthCodeParameters{
Scopes: scopes, Scopes: scopes,
Code: code, Code: code,
Challenge: o.Challenge, Challenge: o.challenge,
Claims: o.claims, Claims: o.claims,
AppType: accesstokens.ATConfidential, AppType: accesstokens.ATConfidential,
Credential: cca.cred, // This setting differs from public.Client.AcquireTokenByAuthCode Credential: cca.cred, // This setting differs from public.Client.AcquireTokenByAuthCode
@ -762,12 +675,11 @@ func (cca Client) AcquireTokenOnBehalfOf(ctx context.Context, userAssertion stri
} }
// Account gets the account in the token cache with the specified homeAccountID. // Account gets the account in the token cache with the specified homeAccountID.
func (cca Client) Account(homeAccountID string) Account { func (cca Client) Account(ctx context.Context, accountID string) (Account, error) {
return cca.base.Account(homeAccountID) return cca.base.Account(ctx, accountID)
} }
// RemoveAccount signs the account out and forgets account from token cache. // RemoveAccount signs the account out and forgets account from token cache.
func (cca Client) RemoveAccount(account Account) error { func (cca Client) RemoveAccount(ctx context.Context, account Account) error {
cca.base.RemoveAccount(account) return cca.base.RemoveAccount(ctx, account)
return nil
} }

View file

@ -69,7 +69,7 @@ func (e CallErr) Error() string {
// Verbose prints a versbose error message with the request or response. // Verbose prints a versbose error message with the request or response.
func (e CallErr) Verbose() string { func (e CallErr) Verbose() string {
e.Resp.Request = nil // This brings in a bunch of TLS crap we don't need e.Resp.Request = nil // This brings in a bunch of TLS stuff we don't need
e.Resp.TLS = nil // Same e.Resp.TLS = nil // Same
return fmt.Sprintf("%s:\nRequest:\n%s\nResponse:\n%s", e.Err, prettyConf.Sprint(e.Req), prettyConf.Sprint(e.Resp)) return fmt.Sprintf("%s:\nRequest:\n%s\nResponse:\n%s", e.Err, prettyConf.Sprint(e.Req), prettyConf.Sprint(e.Resp))
} }

View file

@ -10,6 +10,7 @@ import (
"net/url" "net/url"
"reflect" "reflect"
"strings" "strings"
"sync"
"time" "time"
"github.com/AzureAD/microsoft-authentication-library-for-go/apps/cache" "github.com/AzureAD/microsoft-authentication-library-for-go/apps/cache"
@ -27,27 +28,21 @@ const (
) )
// manager provides an internal cache. It is defined to allow faking the cache in tests. // manager provides an internal cache. It is defined to allow faking the cache in tests.
// In all production use it is a *storage.Manager. // In production it's a *storage.Manager or *storage.PartitionedManager.
type manager interface { type manager interface {
Read(ctx context.Context, authParameters authority.AuthParams, account shared.Account) (storage.TokenResponse, error) cache.Serializer
Write(authParameters authority.AuthParams, tokenResponse accesstokens.TokenResponse) (shared.Account, error) Read(context.Context, authority.AuthParams) (storage.TokenResponse, error)
Write(authority.AuthParams, accesstokens.TokenResponse) (shared.Account, error)
}
// accountManager is a manager that also caches accounts. In production it's a *storage.Manager.
type accountManager interface {
manager
AllAccounts() []shared.Account AllAccounts() []shared.Account
Account(homeAccountID string) shared.Account Account(homeAccountID string) shared.Account
RemoveAccount(account shared.Account, clientID string) RemoveAccount(account shared.Account, clientID string)
} }
// partitionedManager provides an internal cache. It is defined to allow faking the cache in tests.
// In all production use it is a *storage.PartitionedManager.
type partitionedManager interface {
Read(ctx context.Context, authParameters authority.AuthParams) (storage.TokenResponse, error)
Write(authParameters authority.AuthParams, tokenResponse accesstokens.TokenResponse) (shared.Account, error)
}
type noopCacheAccessor struct{}
func (n noopCacheAccessor) Replace(cache cache.Unmarshaler, key string) {}
func (n noopCacheAccessor) Export(cache cache.Marshaler, key string) {}
// AcquireTokenSilentParameters contains the parameters to acquire a token silently (from cache). // AcquireTokenSilentParameters contains the parameters to acquire a token silently (from cache).
type AcquireTokenSilentParameters struct { type AcquireTokenSilentParameters struct {
Scopes []string Scopes []string
@ -134,11 +129,13 @@ func NewAuthResult(tokenResponse accesstokens.TokenResponse, account shared.Acco
// can be used by multiple clients. // can be used by multiple clients.
type Client struct { type Client struct {
Token *oauth.Client Token *oauth.Client
manager manager // *storage.Manager or fakeManager in tests manager accountManager // *storage.Manager or fakeManager in tests
pmanager partitionedManager // *storage.PartitionedManager or fakeManager in tests // pmanager is a partitioned cache for OBO authentication. *storage.PartitionedManager or fakeManager in tests
pmanager manager
AuthParams authority.AuthParams // DO NOT EVER MAKE THIS A POINTER! See "Note" in New(). AuthParams authority.AuthParams // DO NOT EVER MAKE THIS A POINTER! See "Note" in New().
cacheAccessor cache.ExportReplace cacheAccessor cache.ExportReplace
cacheAccessorMu *sync.RWMutex
} }
// Option is an optional argument to the New constructor. // Option is an optional argument to the New constructor.
@ -212,7 +209,7 @@ func New(clientID string, authorityURI string, token *oauth.Client, options ...O
client := Client{ // Note: Hey, don't even THINK about making Base into *Base. See "design notes" in public.go and confidential.go client := Client{ // Note: Hey, don't even THINK about making Base into *Base. See "design notes" in public.go and confidential.go
Token: token, Token: token,
AuthParams: authParams, AuthParams: authParams,
cacheAccessor: noopCacheAccessor{}, cacheAccessorMu: &sync.RWMutex{},
manager: storage.New(token), manager: storage.New(token),
pmanager: storage.NewPartitionedManager(token), pmanager: storage.NewPartitionedManager(token),
} }
@ -280,11 +277,12 @@ func (b Client) AuthCodeURL(ctx context.Context, clientID, redirectURI string, s
} }
func (b Client) AcquireTokenSilent(ctx context.Context, silent AcquireTokenSilentParameters) (AuthResult, error) { func (b Client) AcquireTokenSilent(ctx context.Context, silent AcquireTokenSilentParameters) (AuthResult, error) {
// when tenant == "", the caller didn't specify a tenant and WithTenant will use the client's configured tenant ar := AuthResult{}
// when tenant == "", the caller didn't specify a tenant and WithTenant will choose the client's configured tenant
tenant := silent.TenantID tenant := silent.TenantID
authParams, err := b.AuthParams.WithTenant(tenant) authParams, err := b.AuthParams.WithTenant(tenant)
if err != nil { if err != nil {
return AuthResult{}, err return ar, err
} }
authParams.Scopes = silent.Scopes authParams.Scopes = silent.Scopes
authParams.HomeAccountID = silent.Account.HomeAccountID authParams.HomeAccountID = silent.Account.HomeAccountID
@ -292,52 +290,45 @@ func (b Client) AcquireTokenSilent(ctx context.Context, silent AcquireTokenSilen
authParams.Claims = silent.Claims authParams.Claims = silent.Claims
authParams.UserAssertion = silent.UserAssertion authParams.UserAssertion = silent.UserAssertion
var storageTokenResponse storage.TokenResponse m := b.pmanager
if authParams.AuthorizationType == authority.ATOnBehalfOf { if authParams.AuthorizationType != authority.ATOnBehalfOf {
if s, ok := b.pmanager.(cache.Serializer); ok {
suggestedCacheKey := authParams.CacheKey(silent.IsAppCache)
b.cacheAccessor.Replace(s, suggestedCacheKey)
defer b.cacheAccessor.Export(s, suggestedCacheKey)
}
storageTokenResponse, err = b.pmanager.Read(ctx, authParams)
if err != nil {
return AuthResult{}, err
}
} else {
if s, ok := b.manager.(cache.Serializer); ok {
suggestedCacheKey := authParams.CacheKey(silent.IsAppCache)
b.cacheAccessor.Replace(s, suggestedCacheKey)
defer b.cacheAccessor.Export(s, suggestedCacheKey)
}
authParams.AuthorizationType = authority.ATRefreshToken authParams.AuthorizationType = authority.ATRefreshToken
storageTokenResponse, err = b.manager.Read(ctx, authParams, silent.Account) m = b.manager
if err != nil {
return AuthResult{}, err
} }
if b.cacheAccessor != nil {
key := authParams.CacheKey(silent.IsAppCache)
b.cacheAccessorMu.RLock()
err = b.cacheAccessor.Replace(ctx, m, cache.ReplaceHints{PartitionKey: key})
b.cacheAccessorMu.RUnlock()
}
if err != nil {
return ar, err
}
storageTokenResponse, err := m.Read(ctx, authParams)
if err != nil {
return ar, err
} }
// ignore cached access tokens when given claims // ignore cached access tokens when given claims
if silent.Claims == "" { if silent.Claims == "" {
result, err := AuthResultFromStorage(storageTokenResponse) ar, err = AuthResultFromStorage(storageTokenResponse)
if err == nil { if err == nil {
return result, nil return ar, err
} }
} }
// redeem a cached refresh token, if available // redeem a cached refresh token, if available
if reflect.ValueOf(storageTokenResponse.RefreshToken).IsZero() { if reflect.ValueOf(storageTokenResponse.RefreshToken).IsZero() {
return AuthResult{}, errors.New("no token found") return ar, errors.New("no token found")
} }
var cc *accesstokens.Credential var cc *accesstokens.Credential
if silent.RequestType == accesstokens.ATConfidential { if silent.RequestType == accesstokens.ATConfidential {
cc = silent.Credential cc = silent.Credential
} }
token, err := b.Token.Refresh(ctx, silent.RequestType, authParams, cc, storageTokenResponse.RefreshToken) token, err := b.Token.Refresh(ctx, silent.RequestType, authParams, cc, storageTokenResponse.RefreshToken)
if err != nil { if err != nil {
return AuthResult{}, err return ar, err
} }
return b.AuthResultFromToken(ctx, authParams, token, true) return b.AuthResultFromToken(ctx, authParams, token, true)
} }
@ -405,63 +396,72 @@ func (b Client) AuthResultFromToken(ctx context.Context, authParams authority.Au
if !cacheWrite { if !cacheWrite {
return NewAuthResult(token, shared.Account{}) return NewAuthResult(token, shared.Account{})
} }
var m manager = b.manager
var account shared.Account
var err error
if authParams.AuthorizationType == authority.ATOnBehalfOf { if authParams.AuthorizationType == authority.ATOnBehalfOf {
if s, ok := b.pmanager.(cache.Serializer); ok { m = b.pmanager
suggestedCacheKey := token.CacheKey(authParams)
b.cacheAccessor.Replace(s, suggestedCacheKey)
defer b.cacheAccessor.Export(s, suggestedCacheKey)
} }
account, err = b.pmanager.Write(authParams, token) key := token.CacheKey(authParams)
if err != nil { if b.cacheAccessor != nil {
return AuthResult{}, err b.cacheAccessorMu.Lock()
} defer b.cacheAccessorMu.Unlock()
} else { err := b.cacheAccessor.Replace(ctx, m, cache.ReplaceHints{PartitionKey: key})
if s, ok := b.manager.(cache.Serializer); ok {
suggestedCacheKey := token.CacheKey(authParams)
b.cacheAccessor.Replace(s, suggestedCacheKey)
defer b.cacheAccessor.Export(s, suggestedCacheKey)
}
account, err = b.manager.Write(authParams, token)
if err != nil { if err != nil {
return AuthResult{}, err return AuthResult{}, err
} }
} }
return NewAuthResult(token, account) account, err := m.Write(authParams, token)
if err != nil {
return AuthResult{}, err
}
ar, err := NewAuthResult(token, account)
if err == nil && b.cacheAccessor != nil {
err = b.cacheAccessor.Export(ctx, b.manager, cache.ExportHints{PartitionKey: key})
}
return ar, err
} }
func (b Client) AllAccounts() []shared.Account { func (b Client) AllAccounts(ctx context.Context) ([]shared.Account, error) {
if s, ok := b.manager.(cache.Serializer); ok { if b.cacheAccessor != nil {
suggestedCacheKey := b.AuthParams.CacheKey(false) b.cacheAccessorMu.RLock()
b.cacheAccessor.Replace(s, suggestedCacheKey) defer b.cacheAccessorMu.RUnlock()
defer b.cacheAccessor.Export(s, suggestedCacheKey) key := b.AuthParams.CacheKey(false)
err := b.cacheAccessor.Replace(ctx, b.manager, cache.ReplaceHints{PartitionKey: key})
if err != nil {
return nil, err
}
}
return b.manager.AllAccounts(), nil
} }
accounts := b.manager.AllAccounts() func (b Client) Account(ctx context.Context, homeAccountID string) (shared.Account, error) {
return accounts if b.cacheAccessor != nil {
} b.cacheAccessorMu.RLock()
defer b.cacheAccessorMu.RUnlock()
func (b Client) Account(homeAccountID string) shared.Account { authParams := b.AuthParams // This is a copy, as we don't have a pointer receiver and .AuthParams is not a pointer.
authParams := b.AuthParams // This is a copy, as we dont' have a pointer receiver and .AuthParams is not a pointer.
authParams.AuthorizationType = authority.AccountByID authParams.AuthorizationType = authority.AccountByID
authParams.HomeAccountID = homeAccountID authParams.HomeAccountID = homeAccountID
if s, ok := b.manager.(cache.Serializer); ok { key := b.AuthParams.CacheKey(false)
suggestedCacheKey := b.AuthParams.CacheKey(false) err := b.cacheAccessor.Replace(ctx, b.manager, cache.ReplaceHints{PartitionKey: key})
b.cacheAccessor.Replace(s, suggestedCacheKey) if err != nil {
defer b.cacheAccessor.Export(s, suggestedCacheKey) return shared.Account{}, err
} }
account := b.manager.Account(homeAccountID) }
return account return b.manager.Account(homeAccountID), nil
} }
// RemoveAccount removes all the ATs, RTs and IDTs from the cache associated with this account. // RemoveAccount removes all the ATs, RTs and IDTs from the cache associated with this account.
func (b Client) RemoveAccount(account shared.Account) { func (b Client) RemoveAccount(ctx context.Context, account shared.Account) error {
if s, ok := b.manager.(cache.Serializer); ok { if b.cacheAccessor == nil {
suggestedCacheKey := b.AuthParams.CacheKey(false) b.manager.RemoveAccount(account, b.AuthParams.ClientID)
b.cacheAccessor.Replace(s, suggestedCacheKey) return nil
defer b.cacheAccessor.Export(s, suggestedCacheKey) }
b.cacheAccessorMu.Lock()
defer b.cacheAccessorMu.Unlock()
key := b.AuthParams.CacheKey(false)
err := b.cacheAccessor.Replace(ctx, b.manager, cache.ReplaceHints{PartitionKey: key})
if err != nil {
return err
} }
b.manager.RemoveAccount(account, b.AuthParams.ClientID) b.manager.RemoveAccount(account, b.AuthParams.ClientID)
return b.cacheAccessor.Export(ctx, b.manager, cache.ExportHints{PartitionKey: key})
} }

View file

@ -83,7 +83,7 @@ func isMatchingScopes(scopesOne []string, scopesTwo string) bool {
} }
// Read reads a storage token from the cache if it exists. // Read reads a storage token from the cache if it exists.
func (m *Manager) Read(ctx context.Context, authParameters authority.AuthParams, account shared.Account) (TokenResponse, error) { func (m *Manager) Read(ctx context.Context, authParameters authority.AuthParams) (TokenResponse, error) {
tr := TokenResponse{} tr := TokenResponse{}
homeAccountID := authParameters.HomeAccountID homeAccountID := authParameters.HomeAccountID
realm := authParameters.AuthorityInfo.Tenant realm := authParameters.AuthorityInfo.Tenant
@ -103,7 +103,8 @@ func (m *Manager) Read(ctx context.Context, authParameters authority.AuthParams,
accessToken := m.readAccessToken(homeAccountID, aliases, realm, clientID, scopes) accessToken := m.readAccessToken(homeAccountID, aliases, realm, clientID, scopes)
tr.AccessToken = accessToken tr.AccessToken = accessToken
if account.IsZero() { if homeAccountID == "" {
// caller didn't specify a user, so there's no reason to search for an ID or refresh token
return tr, nil return tr, nil
} }
// errors returned by read* methods indicate a cache miss and are therefore non-fatal. We continue populating // errors returned by read* methods indicate a cache miss and are therefore non-fatal. We continue populating
@ -122,7 +123,7 @@ func (m *Manager) Read(ctx context.Context, authParameters authority.AuthParams,
} }
} }
account, err = m.readAccount(homeAccountID, aliases, realm) account, err := m.readAccount(homeAccountID, aliases, realm)
if err == nil { if err == nil {
tr.Account = account tr.Account = account
} }
@ -493,6 +494,8 @@ func (m *Manager) update(cache *Contract) {
// Marshal implements cache.Marshaler. // Marshal implements cache.Marshaler.
func (m *Manager) Marshal() ([]byte, error) { func (m *Manager) Marshal() ([]byte, error) {
m.contractMu.RLock()
defer m.contractMu.RUnlock()
return json.Marshal(m.contract) return json.Marshal(m.contract)
} }

View file

@ -76,12 +76,17 @@ func (t *Client) ResolveEndpoints(ctx context.Context, authorityInfo authority.I
return t.Resolver.ResolveEndpoints(ctx, authorityInfo, userPrincipalName) return t.Resolver.ResolveEndpoints(ctx, authorityInfo, userPrincipalName)
} }
// AADInstanceDiscovery attempts to discover a tenant endpoint (used in OIDC auth with an authorization endpoint).
// This is done by AAD which allows for aliasing of tenants (windows.sts.net is the same as login.windows.com).
func (t *Client) AADInstanceDiscovery(ctx context.Context, authorityInfo authority.Info) (authority.InstanceDiscoveryResponse, error) { func (t *Client) AADInstanceDiscovery(ctx context.Context, authorityInfo authority.Info) (authority.InstanceDiscoveryResponse, error) {
return t.Authority.AADInstanceDiscovery(ctx, authorityInfo) return t.Authority.AADInstanceDiscovery(ctx, authorityInfo)
} }
// AuthCode returns a token based on an authorization code. // AuthCode returns a token based on an authorization code.
func (t *Client) AuthCode(ctx context.Context, req accesstokens.AuthCodeRequest) (accesstokens.TokenResponse, error) { func (t *Client) AuthCode(ctx context.Context, req accesstokens.AuthCodeRequest) (accesstokens.TokenResponse, error) {
if err := scopeError(req.AuthParams); err != nil {
return accesstokens.TokenResponse{}, err
}
if err := t.resolveEndpoint(ctx, &req.AuthParams, ""); err != nil { if err := t.resolveEndpoint(ctx, &req.AuthParams, ""); err != nil {
return accesstokens.TokenResponse{}, err return accesstokens.TokenResponse{}, err
} }
@ -107,6 +112,10 @@ func (t *Client) Credential(ctx context.Context, authParams authority.AuthParams
} }
tr, err := cred.TokenProvider(ctx, params) tr, err := cred.TokenProvider(ctx, params)
if err != nil { if err != nil {
if len(scopes) == 0 {
err = fmt.Errorf("token request had an empty authority.AuthParams.Scopes, which may cause the following error: %w", err)
return accesstokens.TokenResponse{}, err
}
return accesstokens.TokenResponse{}, err return accesstokens.TokenResponse{}, err
} }
return accesstokens.TokenResponse{ return accesstokens.TokenResponse{
@ -134,6 +143,9 @@ func (t *Client) Credential(ctx context.Context, authParams authority.AuthParams
// Credential acquires a token from the authority using a client credentials grant. // Credential acquires a token from the authority using a client credentials grant.
func (t *Client) OnBehalfOf(ctx context.Context, authParams authority.AuthParams, cred *accesstokens.Credential) (accesstokens.TokenResponse, error) { func (t *Client) OnBehalfOf(ctx context.Context, authParams authority.AuthParams, cred *accesstokens.Credential) (accesstokens.TokenResponse, error) {
if err := scopeError(authParams); err != nil {
return accesstokens.TokenResponse{}, err
}
if err := t.resolveEndpoint(ctx, &authParams, ""); err != nil { if err := t.resolveEndpoint(ctx, &authParams, ""); err != nil {
return accesstokens.TokenResponse{}, err return accesstokens.TokenResponse{}, err
} }
@ -145,20 +157,35 @@ func (t *Client) OnBehalfOf(ctx context.Context, authParams authority.AuthParams
if err != nil { if err != nil {
return accesstokens.TokenResponse{}, err return accesstokens.TokenResponse{}, err
} }
return t.AccessTokens.FromUserAssertionClientCertificate(ctx, authParams, authParams.UserAssertion, jwt) tr, err := t.AccessTokens.FromUserAssertionClientCertificate(ctx, authParams, authParams.UserAssertion, jwt)
if err != nil {
return accesstokens.TokenResponse{}, err
}
return tr, nil
} }
func (t *Client) Refresh(ctx context.Context, reqType accesstokens.AppType, authParams authority.AuthParams, cc *accesstokens.Credential, refreshToken accesstokens.RefreshToken) (accesstokens.TokenResponse, error) { func (t *Client) Refresh(ctx context.Context, reqType accesstokens.AppType, authParams authority.AuthParams, cc *accesstokens.Credential, refreshToken accesstokens.RefreshToken) (accesstokens.TokenResponse, error) {
if err := scopeError(authParams); err != nil {
return accesstokens.TokenResponse{}, err
}
if err := t.resolveEndpoint(ctx, &authParams, ""); err != nil { if err := t.resolveEndpoint(ctx, &authParams, ""); err != nil {
return accesstokens.TokenResponse{}, err return accesstokens.TokenResponse{}, err
} }
return t.AccessTokens.FromRefreshToken(ctx, reqType, authParams, cc, refreshToken.Secret) tr, err := t.AccessTokens.FromRefreshToken(ctx, reqType, authParams, cc, refreshToken.Secret)
if err != nil {
return accesstokens.TokenResponse{}, err
}
return tr, nil
} }
// UsernamePassword retrieves a token where a username and password is used. However, if this is // UsernamePassword retrieves a token where a username and password is used. However, if this is
// a user realm of "Federated", this uses SAML tokens. If "Managed", uses normal username/password. // a user realm of "Federated", this uses SAML tokens. If "Managed", uses normal username/password.
func (t *Client) UsernamePassword(ctx context.Context, authParams authority.AuthParams) (accesstokens.TokenResponse, error) { func (t *Client) UsernamePassword(ctx context.Context, authParams authority.AuthParams) (accesstokens.TokenResponse, error) {
if err := scopeError(authParams); err != nil {
return accesstokens.TokenResponse{}, err
}
if authParams.AuthorityInfo.AuthorityType == authority.ADFS { if authParams.AuthorityInfo.AuthorityType == authority.ADFS {
if err := t.resolveEndpoint(ctx, &authParams, authParams.Username); err != nil { if err := t.resolveEndpoint(ctx, &authParams, authParams.Username); err != nil {
return accesstokens.TokenResponse{}, err return accesstokens.TokenResponse{}, err
@ -171,22 +198,32 @@ func (t *Client) UsernamePassword(ctx context.Context, authParams authority.Auth
userRealm, err := t.Authority.UserRealm(ctx, authParams) userRealm, err := t.Authority.UserRealm(ctx, authParams)
if err != nil { if err != nil {
return accesstokens.TokenResponse{}, fmt.Errorf("problem getting user realm(user: %s) from authority: %w", authParams.Username, err) return accesstokens.TokenResponse{}, fmt.Errorf("problem getting user realm from authority: %w", err)
} }
switch userRealm.AccountType { switch userRealm.AccountType {
case authority.Federated: case authority.Federated:
mexDoc, err := t.WSTrust.Mex(ctx, userRealm.FederationMetadataURL) mexDoc, err := t.WSTrust.Mex(ctx, userRealm.FederationMetadataURL)
if err != nil { if err != nil {
return accesstokens.TokenResponse{}, fmt.Errorf("problem getting mex doc from federated url(%s): %w", userRealm.FederationMetadataURL, err) err = fmt.Errorf("problem getting mex doc from federated url(%s): %w", userRealm.FederationMetadataURL, err)
return accesstokens.TokenResponse{}, err
} }
saml, err := t.WSTrust.SAMLTokenInfo(ctx, authParams, userRealm.CloudAudienceURN, mexDoc.UsernamePasswordEndpoint) saml, err := t.WSTrust.SAMLTokenInfo(ctx, authParams, userRealm.CloudAudienceURN, mexDoc.UsernamePasswordEndpoint)
if err != nil { if err != nil {
return accesstokens.TokenResponse{}, fmt.Errorf("problem getting SAML token info: %w", err) err = fmt.Errorf("problem getting SAML token info: %w", err)
return accesstokens.TokenResponse{}, err
} }
return t.AccessTokens.FromSamlGrant(ctx, authParams, saml) tr, err := t.AccessTokens.FromSamlGrant(ctx, authParams, saml)
if err != nil {
return accesstokens.TokenResponse{}, err
}
return tr, nil
case authority.Managed: case authority.Managed:
if len(authParams.Scopes) == 0 {
err = fmt.Errorf("token request had an empty authority.AuthParams.Scopes, which may cause the following error: %w", err)
return accesstokens.TokenResponse{}, err
}
return t.AccessTokens.FromUsernamePassword(ctx, authParams) return t.AccessTokens.FromUsernamePassword(ctx, authParams)
} }
return accesstokens.TokenResponse{}, errors.New("unknown account type") return accesstokens.TokenResponse{}, errors.New("unknown account type")
@ -212,7 +249,6 @@ func (d DeviceCode) Token(ctx context.Context) (accesstokens.TokenResponse, erro
} }
var cancel context.CancelFunc var cancel context.CancelFunc
d.Result.ExpiresOn.Sub(time.Now().UTC())
if deadline, ok := ctx.Deadline(); !ok || d.Result.ExpiresOn.Before(deadline) { if deadline, ok := ctx.Deadline(); !ok || d.Result.ExpiresOn.Before(deadline) {
ctx, cancel = context.WithDeadline(ctx, d.Result.ExpiresOn) ctx, cancel = context.WithDeadline(ctx, d.Result.ExpiresOn)
} else { } else {
@ -275,6 +311,10 @@ func isWaitDeviceCodeErr(err error) bool {
// DeviceCode returns a DeviceCode object that can be used to get the code that must be entered on the second // DeviceCode returns a DeviceCode object that can be used to get the code that must be entered on the second
// device and optionally the token once the code has been entered on the second device. // device and optionally the token once the code has been entered on the second device.
func (t *Client) DeviceCode(ctx context.Context, authParams authority.AuthParams) (DeviceCode, error) { func (t *Client) DeviceCode(ctx context.Context, authParams authority.AuthParams) (DeviceCode, error) {
if err := scopeError(authParams); err != nil {
return DeviceCode{}, err
}
if err := t.resolveEndpoint(ctx, &authParams, ""); err != nil { if err := t.resolveEndpoint(ctx, &authParams, ""); err != nil {
return DeviceCode{}, err return DeviceCode{}, err
} }
@ -295,3 +335,19 @@ func (t *Client) resolveEndpoint(ctx context.Context, authParams *authority.Auth
authParams.Endpoints = endpoints authParams.Endpoints = endpoints
return nil return nil
} }
// scopeError takes an authority.AuthParams and returns an error
// if len(AuthParams.Scope) == 0.
func scopeError(a authority.AuthParams) error {
// TODO(someone): we could look deeper at the message to determine if
// it's a scope error, but this is a good start.
/*
{error":"invalid_scope","error_description":"AADSTS1002012: The provided value for scope
openid offline_access profile is not valid. Client credential flows must have a scope value
with /.default suffixed to the resource identifier (application ID URI)...}
*/
if len(a.Scopes) == 0 {
return fmt.Errorf("token request had an empty authority.AuthParams.Scopes, which is invalid")
}
return nil
}

View file

@ -28,10 +28,19 @@ const (
regionName = "REGION_NAME" regionName = "REGION_NAME"
defaultAPIVersion = "2021-10-01" defaultAPIVersion = "2021-10-01"
imdsEndpoint = "http://169.254.169.254/metadata/instance/compute/location?format=text&api-version=" + defaultAPIVersion imdsEndpoint = "http://169.254.169.254/metadata/instance/compute/location?format=text&api-version=" + defaultAPIVersion
defaultHost = "login.microsoftonline.com"
autoDetectRegion = "TryAutoDetect" autoDetectRegion = "TryAutoDetect"
) )
// These are various hosts that host AAD Instance discovery endpoints.
const (
defaultHost = "login.microsoftonline.com"
loginMicrosoft = "login.microsoft.com"
loginWindows = "login.windows.net"
loginSTSWindows = "sts.windows.net"
loginMicrosoftOnline = defaultHost
)
// jsonCaller is an interface that allows us to mock the JSONCall method.
type jsonCaller interface { type jsonCaller interface {
JSONCall(ctx context.Context, endpoint string, headers http.Header, qv url.Values, body, resp interface{}) error JSONCall(ctx context.Context, endpoint string, headers http.Header, qv url.Values, body, resp interface{}) error
} }
@ -54,6 +63,8 @@ func TrustedHost(host string) bool {
return false return false
} }
// OAuthResponseBase is the base JSON return message for an OAuth call.
// This is embedded in other calls to get the base fields from every response.
type OAuthResponseBase struct { type OAuthResponseBase struct {
Error string `json:"error"` Error string `json:"error"`
SubError string `json:"suberror"` SubError string `json:"suberror"`
@ -309,31 +320,24 @@ func firstPathSegment(u *url.URL) (string, error) {
return pathParts[1], nil return pathParts[1], nil
} }
return "", errors.New("authority does not have two segments") return "", errors.New(`authority must be an https URL such as "https://login.microsoftonline.com/<your tenant>"`)
} }
// NewInfoFromAuthorityURI creates an AuthorityInfo instance from the authority URL provided. // NewInfoFromAuthorityURI creates an AuthorityInfo instance from the authority URL provided.
func NewInfoFromAuthorityURI(authorityURI string, validateAuthority bool, instanceDiscoveryDisabled bool) (Info, error) { func NewInfoFromAuthorityURI(authority string, validateAuthority bool, instanceDiscoveryDisabled bool) (Info, error) {
authorityURI = strings.ToLower(authorityURI) u, err := url.Parse(strings.ToLower(authority))
var authorityType string if err != nil || u.Scheme != "https" {
u, err := url.Parse(authorityURI) return Info{}, errors.New(`authority must be an https URL such as "https://login.microsoftonline.com/<your tenant>"`)
if err != nil {
return Info{}, fmt.Errorf("authorityURI passed could not be parsed: %w", err)
}
if u.Scheme != "https" {
return Info{}, fmt.Errorf("authorityURI(%s) must have scheme https", authorityURI)
} }
tenant, err := firstPathSegment(u) tenant, err := firstPathSegment(u)
if tenant == "adfs" {
authorityType = ADFS
} else {
authorityType = AAD
}
if err != nil { if err != nil {
return Info{}, err return Info{}, err
} }
authorityType := AAD
if tenant == "adfs" {
authorityType = ADFS
}
// u.Host includes the port, if any, which is required for private cloud deployments // u.Host includes the port, if any, which is required for private cloud deployments
return Info{ return Info{
@ -449,6 +453,8 @@ func (c Client) GetTenantDiscoveryResponse(ctx context.Context, openIDConfigurat
return resp, err return resp, err
} }
// AADInstanceDiscovery attempts to discover a tenant endpoint (used in OIDC auth with an authorization endpoint).
// This is done by AAD which allows for aliasing of tenants (windows.sts.net is the same as login.windows.com).
func (c Client) AADInstanceDiscovery(ctx context.Context, authorityInfo Info) (InstanceDiscoveryResponse, error) { func (c Client) AADInstanceDiscovery(ctx context.Context, authorityInfo Info) (InstanceDiscoveryResponse, error) {
region := "" region := ""
var err error var err error
@ -461,9 +467,10 @@ func (c Client) AADInstanceDiscovery(ctx context.Context, authorityInfo Info) (I
if region != "" { if region != "" {
environment := authorityInfo.Host environment := authorityInfo.Host
switch environment { switch environment {
case "login.microsoft.com", "login.windows.net", "sts.windows.net", defaultHost: case loginMicrosoft, loginWindows, loginSTSWindows, defaultHost:
environment = "r." + defaultHost environment = loginMicrosoft
} }
resp.TenantDiscoveryEndpoint = fmt.Sprintf(tenantDiscoveryEndpointWithRegion, region, environment, authorityInfo.Tenant) resp.TenantDiscoveryEndpoint = fmt.Sprintf(tenantDiscoveryEndpointWithRegion, region, environment, authorityInfo.Tenant)
metadata := InstanceDiscoveryMetadata{ metadata := InstanceDiscoveryMetadata{
PreferredNetwork: fmt.Sprintf("%v.%v", region, authorityInfo.Host), PreferredNetwork: fmt.Sprintf("%v.%v", region, authorityInfo.Host),

View file

@ -5,4 +5,4 @@
package version package version
// Version is the version of this client package that is communicated to the server. // Version is the version of this client package that is communicated to the server.
const Version = "0.8.1" const Version = "1.0.0"

View file

@ -47,27 +47,17 @@ type AuthResult = base.AuthResult
type Account = shared.Account type Account = shared.Account
// Options configures the Client's behavior. // clientOptions configures the Client's behavior.
type Options struct { type clientOptions struct {
// Accessor controls cache persistence. By default there is no cache persistence. accessor cache.ExportReplace
// This can be set with the WithCache() option. authority string
Accessor cache.ExportReplace
// The host of the Azure Active Directory authority. The default is https://login.microsoftonline.com/common.
// This can be changed with the WithAuthority() option.
Authority string
// The HTTP client used for making requests.
// It defaults to a shared http.Client.
HTTPClient ops.HTTPClient
capabilities []string capabilities []string
disableInstanceDiscovery bool disableInstanceDiscovery bool
httpClient ops.HTTPClient
} }
func (p *Options) validate() error { func (p *clientOptions) validate() error {
u, err := url.Parse(p.Authority) u, err := url.Parse(p.authority)
if err != nil { if err != nil {
return fmt.Errorf("Authority options cannot be URL parsed: %w", err) return fmt.Errorf("Authority options cannot be URL parsed: %w", err)
} }
@ -78,25 +68,25 @@ func (p *Options) validate() error {
} }
// Option is an optional argument to the New constructor. // Option is an optional argument to the New constructor.
type Option func(o *Options) type Option func(o *clientOptions)
// WithAuthority allows for a custom authority to be set. This must be a valid https url. // WithAuthority allows for a custom authority to be set. This must be a valid https url.
func WithAuthority(authority string) Option { func WithAuthority(authority string) Option {
return func(o *Options) { return func(o *clientOptions) {
o.Authority = authority o.authority = authority
} }
} }
// WithCache allows you to set some type of cache for storing authentication tokens. // WithCache provides an accessor that will read and write authentication data to an externally managed cache.
func WithCache(accessor cache.ExportReplace) Option { func WithCache(accessor cache.ExportReplace) Option {
return func(o *Options) { return func(o *clientOptions) {
o.Accessor = accessor o.accessor = accessor
} }
} }
// WithClientCapabilities allows configuring one or more client capabilities such as "CP1" // WithClientCapabilities allows configuring one or more client capabilities such as "CP1"
func WithClientCapabilities(capabilities []string) Option { func WithClientCapabilities(capabilities []string) Option {
return func(o *Options) { return func(o *clientOptions) {
// there's no danger of sharing the slice's underlying memory with the application because // there's no danger of sharing the slice's underlying memory with the application because
// this slice is simply passed to base.WithClientCapabilities, which copies its data // this slice is simply passed to base.WithClientCapabilities, which copies its data
o.capabilities = capabilities o.capabilities = capabilities
@ -105,14 +95,14 @@ func WithClientCapabilities(capabilities []string) Option {
// WithHTTPClient allows for a custom HTTP client to be set. // WithHTTPClient allows for a custom HTTP client to be set.
func WithHTTPClient(httpClient ops.HTTPClient) Option { func WithHTTPClient(httpClient ops.HTTPClient) Option {
return func(o *Options) { return func(o *clientOptions) {
o.HTTPClient = httpClient o.httpClient = httpClient
} }
} }
// WithInstanceDiscovery set to false to disable authority validation (to support private cloud scenarios) // WithInstanceDiscovery set to false to disable authority validation (to support private cloud scenarios)
func WithInstanceDiscovery(enabled bool) Option { func WithInstanceDiscovery(enabled bool) Option {
return func(o *Options) { return func(o *clientOptions) {
o.disableInstanceDiscovery = !enabled o.disableInstanceDiscovery = !enabled
} }
} }
@ -125,9 +115,9 @@ type Client struct {
// New is the constructor for Client. // New is the constructor for Client.
func New(clientID string, options ...Option) (Client, error) { func New(clientID string, options ...Option) (Client, error) {
opts := Options{ opts := clientOptions{
Authority: base.AuthorityPublicCloud, authority: base.AuthorityPublicCloud,
HTTPClient: shared.DefaultClient, httpClient: shared.DefaultClient,
} }
for _, o := range options { for _, o := range options {
@ -137,28 +127,28 @@ func New(clientID string, options ...Option) (Client, error) {
return Client{}, err return Client{}, err
} }
base, err := base.New(clientID, opts.Authority, oauth.New(opts.HTTPClient), base.WithCacheAccessor(opts.Accessor), base.WithClientCapabilities(opts.capabilities), base.WithInstanceDiscovery(!opts.disableInstanceDiscovery)) base, err := base.New(clientID, opts.authority, oauth.New(opts.httpClient), base.WithCacheAccessor(opts.accessor), base.WithClientCapabilities(opts.capabilities), base.WithInstanceDiscovery(!opts.disableInstanceDiscovery))
if err != nil { if err != nil {
return Client{}, err return Client{}, err
} }
return Client{base}, nil return Client{base}, nil
} }
// createAuthCodeURLOptions contains options for CreateAuthCodeURL // authCodeURLOptions contains options for AuthCodeURL
type createAuthCodeURLOptions struct { type authCodeURLOptions struct {
claims, loginHint, tenantID, domainHint string claims, loginHint, tenantID, domainHint string
} }
// CreateAuthCodeURLOption is implemented by options for CreateAuthCodeURL // AuthCodeURLOption is implemented by options for AuthCodeURL
type CreateAuthCodeURLOption interface { type AuthCodeURLOption interface {
createAuthCodeURLOption() authCodeURLOption()
} }
// CreateAuthCodeURL creates a URL used to acquire an authorization code. // AuthCodeURL creates a URL used to acquire an authorization code.
// //
// Options: [WithClaims], [WithDomainHint], [WithLoginHint], [WithTenantID] // Options: [WithClaims], [WithDomainHint], [WithLoginHint], [WithTenantID]
func (pca Client) CreateAuthCodeURL(ctx context.Context, clientID, redirectURI string, scopes []string, opts ...CreateAuthCodeURLOption) (string, error) { func (pca Client) AuthCodeURL(ctx context.Context, clientID, redirectURI string, scopes []string, opts ...AuthCodeURLOption) (string, error) {
o := createAuthCodeURLOptions{} o := authCodeURLOptions{}
if err := options.ApplyOptions(&o, opts); err != nil { if err := options.ApplyOptions(&o, opts); err != nil {
return "", err return "", err
} }
@ -181,7 +171,7 @@ func WithClaims(claims string) interface {
AcquireByUsernamePasswordOption AcquireByUsernamePasswordOption
AcquireInteractiveOption AcquireInteractiveOption
AcquireSilentOption AcquireSilentOption
CreateAuthCodeURLOption AuthCodeURLOption
options.CallOption options.CallOption
} { } {
return struct { return struct {
@ -190,23 +180,23 @@ func WithClaims(claims string) interface {
AcquireByUsernamePasswordOption AcquireByUsernamePasswordOption
AcquireInteractiveOption AcquireInteractiveOption
AcquireSilentOption AcquireSilentOption
CreateAuthCodeURLOption AuthCodeURLOption
options.CallOption options.CallOption
}{ }{
CallOption: options.NewCallOption( CallOption: options.NewCallOption(
func(a any) error { func(a any) error {
switch t := a.(type) { switch t := a.(type) {
case *AcquireTokenByAuthCodeOptions: case *acquireTokenByAuthCodeOptions:
t.claims = claims t.claims = claims
case *acquireTokenByDeviceCodeOptions: case *acquireTokenByDeviceCodeOptions:
t.claims = claims t.claims = claims
case *acquireTokenByUsernamePasswordOptions: case *acquireTokenByUsernamePasswordOptions:
t.claims = claims t.claims = claims
case *AcquireTokenSilentOptions: case *acquireTokenSilentOptions:
t.claims = claims t.claims = claims
case *createAuthCodeURLOptions: case *authCodeURLOptions:
t.claims = claims t.claims = claims
case *InteractiveAuthOptions: case *interactiveAuthOptions:
t.claims = claims t.claims = claims
default: default:
return fmt.Errorf("unexpected options type %T", a) return fmt.Errorf("unexpected options type %T", a)
@ -225,7 +215,7 @@ func WithTenantID(tenantID string) interface {
AcquireByUsernamePasswordOption AcquireByUsernamePasswordOption
AcquireInteractiveOption AcquireInteractiveOption
AcquireSilentOption AcquireSilentOption
CreateAuthCodeURLOption AuthCodeURLOption
options.CallOption options.CallOption
} { } {
return struct { return struct {
@ -234,23 +224,23 @@ func WithTenantID(tenantID string) interface {
AcquireByUsernamePasswordOption AcquireByUsernamePasswordOption
AcquireInteractiveOption AcquireInteractiveOption
AcquireSilentOption AcquireSilentOption
CreateAuthCodeURLOption AuthCodeURLOption
options.CallOption options.CallOption
}{ }{
CallOption: options.NewCallOption( CallOption: options.NewCallOption(
func(a any) error { func(a any) error {
switch t := a.(type) { switch t := a.(type) {
case *AcquireTokenByAuthCodeOptions: case *acquireTokenByAuthCodeOptions:
t.tenantID = tenantID t.tenantID = tenantID
case *acquireTokenByDeviceCodeOptions: case *acquireTokenByDeviceCodeOptions:
t.tenantID = tenantID t.tenantID = tenantID
case *acquireTokenByUsernamePasswordOptions: case *acquireTokenByUsernamePasswordOptions:
t.tenantID = tenantID t.tenantID = tenantID
case *AcquireTokenSilentOptions: case *acquireTokenSilentOptions:
t.tenantID = tenantID t.tenantID = tenantID
case *createAuthCodeURLOptions: case *authCodeURLOptions:
t.tenantID = tenantID t.tenantID = tenantID
case *InteractiveAuthOptions: case *interactiveAuthOptions:
t.tenantID = tenantID t.tenantID = tenantID
default: default:
return fmt.Errorf("unexpected options type %T", a) return fmt.Errorf("unexpected options type %T", a)
@ -261,12 +251,10 @@ func WithTenantID(tenantID string) interface {
} }
} }
// AcquireTokenSilentOptions are all the optional settings to an AcquireTokenSilent() call. // acquireTokenSilentOptions are all the optional settings to an AcquireTokenSilent() call.
// These are set by using various AcquireTokenSilentOption functions. // These are set by using various AcquireTokenSilentOption functions.
type AcquireTokenSilentOptions struct { type acquireTokenSilentOptions struct {
// Account represents the account to use. To set, use the WithSilentAccount() option. account Account
Account Account
claims, tenantID string claims, tenantID string
} }
@ -275,11 +263,6 @@ type AcquireSilentOption interface {
acquireSilentOption() acquireSilentOption()
} }
// AcquireTokenSilentOption changes options inside AcquireTokenSilentOptions used in .AcquireTokenSilent().
type AcquireTokenSilentOption func(a *AcquireTokenSilentOptions)
func (AcquireTokenSilentOption) acquireSilentOption() {}
// WithSilentAccount uses the passed account during an AcquireTokenSilent() call. // WithSilentAccount uses the passed account during an AcquireTokenSilent() call.
func WithSilentAccount(account Account) interface { func WithSilentAccount(account Account) interface {
AcquireSilentOption AcquireSilentOption
@ -292,8 +275,8 @@ func WithSilentAccount(account Account) interface {
CallOption: options.NewCallOption( CallOption: options.NewCallOption(
func(a any) error { func(a any) error {
switch t := a.(type) { switch t := a.(type) {
case *AcquireTokenSilentOptions: case *acquireTokenSilentOptions:
t.Account = account t.account = account
default: default:
return fmt.Errorf("unexpected options type %T", a) return fmt.Errorf("unexpected options type %T", a)
} }
@ -307,14 +290,14 @@ func WithSilentAccount(account Account) interface {
// //
// Options: [WithClaims], [WithSilentAccount], [WithTenantID] // Options: [WithClaims], [WithSilentAccount], [WithTenantID]
func (pca Client) AcquireTokenSilent(ctx context.Context, scopes []string, opts ...AcquireSilentOption) (AuthResult, error) { func (pca Client) AcquireTokenSilent(ctx context.Context, scopes []string, opts ...AcquireSilentOption) (AuthResult, error) {
o := AcquireTokenSilentOptions{} o := acquireTokenSilentOptions{}
if err := options.ApplyOptions(&o, opts); err != nil { if err := options.ApplyOptions(&o, opts); err != nil {
return AuthResult{}, err return AuthResult{}, err
} }
silentParameters := base.AcquireTokenSilentParameters{ silentParameters := base.AcquireTokenSilentParameters{
Scopes: scopes, Scopes: scopes,
Account: o.Account, Account: o.account,
Claims: o.claims, Claims: o.claims,
RequestType: accesstokens.ATPublic, RequestType: accesstokens.ATPublic,
IsAppCache: false, IsAppCache: false,
@ -420,11 +403,9 @@ func (pca Client) AcquireTokenByDeviceCode(ctx context.Context, scopes []string,
return DeviceCode{Result: dc.Result, authParams: authParams, client: pca, dc: dc}, nil return DeviceCode{Result: dc.Result, authParams: authParams, client: pca, dc: dc}, nil
} }
// AcquireTokenByAuthCodeOptions contains the optional parameters used to acquire an access token using the authorization code flow. // acquireTokenByAuthCodeOptions contains the optional parameters used to acquire an access token using the authorization code flow.
type AcquireTokenByAuthCodeOptions struct { type acquireTokenByAuthCodeOptions struct {
Challenge string challenge, claims, tenantID string
claims, tenantID string
} }
// AcquireByAuthCodeOption is implemented by options for AcquireTokenByAuthCode // AcquireByAuthCodeOption is implemented by options for AcquireTokenByAuthCode
@ -432,11 +413,6 @@ type AcquireByAuthCodeOption interface {
acquireByAuthCodeOption() acquireByAuthCodeOption()
} }
// AcquireTokenByAuthCodeOption changes options inside AcquireTokenByAuthCodeOptions used in .AcquireTokenByAuthCode().
type AcquireTokenByAuthCodeOption func(a *AcquireTokenByAuthCodeOptions)
func (AcquireTokenByAuthCodeOption) acquireByAuthCodeOption() {}
// WithChallenge allows you to provide a code for the .AcquireTokenByAuthCode() call. // WithChallenge allows you to provide a code for the .AcquireTokenByAuthCode() call.
func WithChallenge(challenge string) interface { func WithChallenge(challenge string) interface {
AcquireByAuthCodeOption AcquireByAuthCodeOption
@ -449,8 +425,8 @@ func WithChallenge(challenge string) interface {
CallOption: options.NewCallOption( CallOption: options.NewCallOption(
func(a any) error { func(a any) error {
switch t := a.(type) { switch t := a.(type) {
case *AcquireTokenByAuthCodeOptions: case *acquireTokenByAuthCodeOptions:
t.Challenge = challenge t.challenge = challenge
default: default:
return fmt.Errorf("unexpected options type %T", a) return fmt.Errorf("unexpected options type %T", a)
} }
@ -465,7 +441,7 @@ func WithChallenge(challenge string) interface {
// //
// Options: [WithChallenge], [WithClaims], [WithTenantID] // Options: [WithChallenge], [WithClaims], [WithTenantID]
func (pca Client) AcquireTokenByAuthCode(ctx context.Context, code string, redirectURI string, scopes []string, opts ...AcquireByAuthCodeOption) (AuthResult, error) { func (pca Client) AcquireTokenByAuthCode(ctx context.Context, code string, redirectURI string, scopes []string, opts ...AcquireByAuthCodeOption) (AuthResult, error) {
o := AcquireTokenByAuthCodeOptions{} o := acquireTokenByAuthCodeOptions{}
if err := options.ApplyOptions(&o, opts); err != nil { if err := options.ApplyOptions(&o, opts); err != nil {
return AuthResult{}, err return AuthResult{}, err
} }
@ -473,7 +449,7 @@ func (pca Client) AcquireTokenByAuthCode(ctx context.Context, code string, redir
params := base.AcquireTokenAuthCodeParameters{ params := base.AcquireTokenAuthCodeParameters{
Scopes: scopes, Scopes: scopes,
Code: code, Code: code,
Challenge: o.Challenge, Challenge: o.challenge,
Claims: o.claims, Claims: o.claims,
AppType: accesstokens.ATPublic, AppType: accesstokens.ATPublic,
RedirectURI: redirectURI, RedirectURI: redirectURI,
@ -485,23 +461,18 @@ func (pca Client) AcquireTokenByAuthCode(ctx context.Context, code string, redir
// Accounts gets all the accounts in the token cache. // Accounts gets all the accounts in the token cache.
// If there are no accounts in the cache the returned slice is empty. // If there are no accounts in the cache the returned slice is empty.
func (pca Client) Accounts() []Account { func (pca Client) Accounts(ctx context.Context) ([]Account, error) {
return pca.base.AllAccounts() return pca.base.AllAccounts(ctx)
} }
// RemoveAccount signs the account out and forgets account from token cache. // RemoveAccount signs the account out and forgets account from token cache.
func (pca Client) RemoveAccount(account Account) error { func (pca Client) RemoveAccount(ctx context.Context, account Account) error {
pca.base.RemoveAccount(account) return pca.base.RemoveAccount(ctx, account)
return nil
} }
// InteractiveAuthOptions contains the optional parameters used to acquire an access token for interactive auth code flow. // interactiveAuthOptions contains the optional parameters used to acquire an access token for interactive auth code flow.
type InteractiveAuthOptions struct { type interactiveAuthOptions struct {
// Used to specify a custom port for the local server. http://localhost:portnumber claims, domainHint, loginHint, redirectURI, tenantID string
// All other URI components are ignored.
RedirectURI string
claims, loginHint, tenantID, domainHint string
} }
// AcquireInteractiveOption is implemented by options for AcquireTokenInteractive // AcquireInteractiveOption is implemented by options for AcquireTokenInteractive
@ -509,28 +480,23 @@ type AcquireInteractiveOption interface {
acquireInteractiveOption() acquireInteractiveOption()
} }
// InteractiveAuthOption changes options inside InteractiveAuthOptions used in .AcquireTokenInteractive().
type InteractiveAuthOption func(*InteractiveAuthOptions)
func (InteractiveAuthOption) acquireInteractiveOption() {}
// WithLoginHint pre-populates the login prompt with a username. // WithLoginHint pre-populates the login prompt with a username.
func WithLoginHint(username string) interface { func WithLoginHint(username string) interface {
AcquireInteractiveOption AcquireInteractiveOption
CreateAuthCodeURLOption AuthCodeURLOption
options.CallOption options.CallOption
} { } {
return struct { return struct {
AcquireInteractiveOption AcquireInteractiveOption
CreateAuthCodeURLOption AuthCodeURLOption
options.CallOption options.CallOption
}{ }{
CallOption: options.NewCallOption( CallOption: options.NewCallOption(
func(a any) error { func(a any) error {
switch t := a.(type) { switch t := a.(type) {
case *createAuthCodeURLOptions: case *authCodeURLOptions:
t.loginHint = username t.loginHint = username
case *InteractiveAuthOptions: case *interactiveAuthOptions:
t.loginHint = username t.loginHint = username
default: default:
return fmt.Errorf("unexpected options type %T", a) return fmt.Errorf("unexpected options type %T", a)
@ -544,20 +510,20 @@ func WithLoginHint(username string) interface {
// WithDomainHint adds the IdP domain as domain_hint query parameter in the auth url. // WithDomainHint adds the IdP domain as domain_hint query parameter in the auth url.
func WithDomainHint(domain string) interface { func WithDomainHint(domain string) interface {
AcquireInteractiveOption AcquireInteractiveOption
CreateAuthCodeURLOption AuthCodeURLOption
options.CallOption options.CallOption
} { } {
return struct { return struct {
AcquireInteractiveOption AcquireInteractiveOption
CreateAuthCodeURLOption AuthCodeURLOption
options.CallOption options.CallOption
}{ }{
CallOption: options.NewCallOption( CallOption: options.NewCallOption(
func(a any) error { func(a any) error {
switch t := a.(type) { switch t := a.(type) {
case *createAuthCodeURLOptions: case *authCodeURLOptions:
t.domainHint = domain t.domainHint = domain
case *InteractiveAuthOptions: case *interactiveAuthOptions:
t.domainHint = domain t.domainHint = domain
default: default:
return fmt.Errorf("unexpected options type %T", a) return fmt.Errorf("unexpected options type %T", a)
@ -568,7 +534,8 @@ func WithDomainHint(domain string) interface {
} }
} }
// WithRedirectURI uses the specified redirect URI for interactive auth. // WithRedirectURI sets a port for the local server used in interactive authentication, for
// example http://localhost:port. All URI components other than the port are ignored.
func WithRedirectURI(redirectURI string) interface { func WithRedirectURI(redirectURI string) interface {
AcquireInteractiveOption AcquireInteractiveOption
options.CallOption options.CallOption
@ -580,8 +547,8 @@ func WithRedirectURI(redirectURI string) interface {
CallOption: options.NewCallOption( CallOption: options.NewCallOption(
func(a any) error { func(a any) error {
switch t := a.(type) { switch t := a.(type) {
case *InteractiveAuthOptions: case *interactiveAuthOptions:
t.RedirectURI = redirectURI t.redirectURI = redirectURI
default: default:
return fmt.Errorf("unexpected options type %T", a) return fmt.Errorf("unexpected options type %T", a)
} }
@ -596,7 +563,7 @@ func WithRedirectURI(redirectURI string) interface {
// //
// Options: [WithDomainHint], [WithLoginHint], [WithRedirectURI], [WithTenantID] // Options: [WithDomainHint], [WithLoginHint], [WithRedirectURI], [WithTenantID]
func (pca Client) AcquireTokenInteractive(ctx context.Context, scopes []string, opts ...AcquireInteractiveOption) (AuthResult, error) { func (pca Client) AcquireTokenInteractive(ctx context.Context, scopes []string, opts ...AcquireInteractiveOption) (AuthResult, error) {
o := InteractiveAuthOptions{} o := interactiveAuthOptions{}
if err := options.ApplyOptions(&o, opts); err != nil { if err := options.ApplyOptions(&o, opts); err != nil {
return AuthResult{}, err return AuthResult{}, err
} }
@ -607,8 +574,8 @@ func (pca Client) AcquireTokenInteractive(ctx context.Context, scopes []string,
return AuthResult{}, err return AuthResult{}, err
} }
var redirectURL *url.URL var redirectURL *url.URL
if o.RedirectURI != "" { if o.redirectURI != "" {
redirectURL, err = url.Parse(o.RedirectURI) redirectURL, err = url.Parse(o.redirectURI)
if err != nil { if err != nil {
return AuthResult{}, err return AuthResult{}, err
} }

View file

@ -54,9 +54,9 @@ import "github.com/golang-jwt/jwt/v4"
See [the project documentation](https://pkg.go.dev/github.com/golang-jwt/jwt/v4) for examples of usage: See [the project documentation](https://pkg.go.dev/github.com/golang-jwt/jwt/v4) for examples of usage:
* [Simple example of parsing and validating a token](https://pkg.go.dev/github.com/golang-jwt/jwt#example-Parse-Hmac) * [Simple example of parsing and validating a token](https://pkg.go.dev/github.com/golang-jwt/jwt/v4#example-Parse-Hmac)
* [Simple example of building and signing a token](https://pkg.go.dev/github.com/golang-jwt/jwt#example-New-Hmac) * [Simple example of building and signing a token](https://pkg.go.dev/github.com/golang-jwt/jwt/v4#example-New-Hmac)
* [Directory of Examples](https://pkg.go.dev/github.com/golang-jwt/jwt#pkg-examples) * [Directory of Examples](https://pkg.go.dev/github.com/golang-jwt/jwt/v4#pkg-examples)
## Extensions ## Extensions
@ -96,7 +96,7 @@ A token is simply a JSON object that is signed by its author. this tells you exa
* The author of the token was in the possession of the signing secret * The author of the token was in the possession of the signing secret
* The data has not been modified since it was signed * The data has not been modified since it was signed
It's important to know that JWT does not provide encryption, which means anyone who has access to the token can read its contents. If you need to protect (encrypt) the data, there is a companion spec, `JWE`, that provides this functionality. JWE is currently outside the scope of this library. It's important to know that JWT does not provide encryption, which means anyone who has access to the token can read its contents. If you need to protect (encrypt) the data, there is a companion spec, `JWE`, that provides this functionality. The companion project https://github.com/golang-jwt/jwe aims at a (very) experimental implementation of the JWE standard.
### Choosing a Signing Method ### Choosing a Signing Method
@ -110,10 +110,10 @@ Asymmetric signing methods, such as RSA, use different keys for signing and veri
Each signing method expects a different object type for its signing keys. See the package documentation for details. Here are the most common ones: Each signing method expects a different object type for its signing keys. See the package documentation for details. Here are the most common ones:
* The [HMAC signing method](https://pkg.go.dev/github.com/golang-jwt/jwt#SigningMethodHMAC) (`HS256`,`HS384`,`HS512`) expect `[]byte` values for signing and validation * The [HMAC signing method](https://pkg.go.dev/github.com/golang-jwt/jwt/v4#SigningMethodHMAC) (`HS256`,`HS384`,`HS512`) expect `[]byte` values for signing and validation
* The [RSA signing method](https://pkg.go.dev/github.com/golang-jwt/jwt#SigningMethodRSA) (`RS256`,`RS384`,`RS512`) expect `*rsa.PrivateKey` for signing and `*rsa.PublicKey` for validation * The [RSA signing method](https://pkg.go.dev/github.com/golang-jwt/jwt/v4#SigningMethodRSA) (`RS256`,`RS384`,`RS512`) expect `*rsa.PrivateKey` for signing and `*rsa.PublicKey` for validation
* The [ECDSA signing method](https://pkg.go.dev/github.com/golang-jwt/jwt#SigningMethodECDSA) (`ES256`,`ES384`,`ES512`) expect `*ecdsa.PrivateKey` for signing and `*ecdsa.PublicKey` for validation * The [ECDSA signing method](https://pkg.go.dev/github.com/golang-jwt/jwt/v4#SigningMethodECDSA) (`ES256`,`ES384`,`ES512`) expect `*ecdsa.PrivateKey` for signing and `*ecdsa.PublicKey` for validation
* The [EdDSA signing method](https://pkg.go.dev/github.com/golang-jwt/jwt#SigningMethodEd25519) (`Ed25519`) expect `ed25519.PrivateKey` for signing and `ed25519.PublicKey` for validation * The [EdDSA signing method](https://pkg.go.dev/github.com/golang-jwt/jwt/v4#SigningMethodEd25519) (`Ed25519`) expect `ed25519.PrivateKey` for signing and `ed25519.PublicKey` for validation
### JWT and OAuth ### JWT and OAuth
@ -131,7 +131,7 @@ This library uses descriptive error messages whenever possible. If you are not g
## More ## More
Documentation can be found [on pkg.go.dev](https://pkg.go.dev/github.com/golang-jwt/jwt). Documentation can be found [on pkg.go.dev](https://pkg.go.dev/github.com/golang-jwt/jwt/v4).
The command line utility included in this project (cmd/jwt) provides a straightforward example of token creation and parsing as well as a useful tool for debugging your own integration. You'll also find several implementation examples in the documentation. The command line utility included in this project (cmd/jwt) provides a straightforward example of token creation and parsing as well as a useful tool for debugging your own integration. You'll also find several implementation examples in the documentation.

View file

@ -265,9 +265,5 @@ func verifyIss(iss string, cmp string, required bool) bool {
if iss == "" { if iss == "" {
return !required return !required
} }
if subtle.ConstantTimeCompare([]byte(iss), []byte(cmp)) != 0 { return subtle.ConstantTimeCompare([]byte(iss), []byte(cmp)) != 0
return true
} else {
return false
}
} }

View file

@ -42,6 +42,13 @@ func (p *Parser) Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc) return p.ParseWithClaims(tokenString, MapClaims{}, keyFunc)
} }
// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object implementing the Claims
// interface. This provides default values which can be overridden and allows a caller to use their own type, rather
// than the default MapClaims implementation of Claims.
//
// Note: If you provide a custom claim implementation that embeds one of the standard claims (such as RegisteredClaims),
// make sure that a) you either embed a non-pointer version of the claims or b) if you are using a pointer, allocate the
// proper memory for it before passing in the overall claims, otherwise you might run into a panic.
func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) { func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) {
token, parts, err := p.ParseUnverified(tokenString, claims) token, parts, err := p.ParseUnverified(tokenString, claims)
if err != nil { if err != nil {

View file

@ -14,6 +14,12 @@ import (
// To use the non-recommended decoding, set this boolean to `true` prior to using this package. // To use the non-recommended decoding, set this boolean to `true` prior to using this package.
var DecodePaddingAllowed bool var DecodePaddingAllowed bool
// DecodeStrict will switch the codec used for decoding JWTs into strict mode.
// In this mode, the decoder requires that trailing padding bits are zero, as described in RFC 4648 section 3.5.
// Note that this is a global variable, and updating it will change the behavior on a package level, and is also NOT go-routine safe.
// To use strict decoding, set this boolean to `true` prior to using this package.
var DecodeStrict bool
// TimeFunc provides the current time when parsing token to validate "exp" claim (expiration time). // TimeFunc provides the current time when parsing token to validate "exp" claim (expiration time).
// You can override it to use another time value. This is useful for testing or if your // You can override it to use another time value. This is useful for testing or if your
// server uses a different time zone than your tokens. // server uses a different time zone than your tokens.
@ -99,6 +105,11 @@ func Parse(tokenString string, keyFunc Keyfunc, options ...ParserOption) (*Token
return NewParser(options...).Parse(tokenString, keyFunc) return NewParser(options...).Parse(tokenString, keyFunc)
} }
// ParseWithClaims is a shortcut for NewParser().ParseWithClaims().
//
// Note: If you provide a custom claim implementation that embeds one of the standard claims (such as RegisteredClaims),
// make sure that a) you either embed a non-pointer version of the claims or b) if you are using a pointer, allocate the
// proper memory for it before passing in the overall claims, otherwise you might run into a panic.
func ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc, options ...ParserOption) (*Token, error) { func ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc, options ...ParserOption) (*Token, error) {
return NewParser(options...).ParseWithClaims(tokenString, claims, keyFunc) return NewParser(options...).ParseWithClaims(tokenString, claims, keyFunc)
} }
@ -116,12 +127,17 @@ func EncodeSegment(seg []byte) string {
// Deprecated: In a future release, we will demote this function to a non-exported function, since it // Deprecated: In a future release, we will demote this function to a non-exported function, since it
// should only be used internally // should only be used internally
func DecodeSegment(seg string) ([]byte, error) { func DecodeSegment(seg string) ([]byte, error) {
encoding := base64.RawURLEncoding
if DecodePaddingAllowed { if DecodePaddingAllowed {
if l := len(seg) % 4; l > 0 { if l := len(seg) % 4; l > 0 {
seg += strings.Repeat("=", 4-l) seg += strings.Repeat("=", 4-l)
} }
return base64.URLEncoding.DecodeString(seg) encoding = base64.URLEncoding
} }
return base64.RawURLEncoding.DecodeString(seg) if DecodeStrict {
encoding = encoding.Strict()
}
return encoding.DecodeString(seg)
} }

View file

@ -16,4 +16,4 @@ change is the ability to represent an invalid UUID (vs a NIL UUID).
Full `go doc` style documentation for the package can be viewed online without Full `go doc` style documentation for the package can be viewed online without
installing this package by using the GoDoc site here: installing this package by using the GoDoc site here:
http://godoc.org/github.com/google/uuid http://pkg.go.dev/github.com/google/uuid

View file

@ -26,8 +26,8 @@ var (
// NewMD5 and NewSHA1. // NewMD5 and NewSHA1.
func NewHash(h hash.Hash, space UUID, data []byte, version int) UUID { func NewHash(h hash.Hash, space UUID, data []byte, version int) UUID {
h.Reset() h.Reset()
h.Write(space[:]) h.Write(space[:]) //nolint:errcheck
h.Write(data) h.Write(data) //nolint:errcheck
s := h.Sum(nil) s := h.Sum(nil)
var uuid UUID var uuid UUID
copy(uuid[:], s) copy(uuid[:], s)

View file

@ -16,11 +16,12 @@ func (uuid UUID) MarshalText() ([]byte, error) {
// UnmarshalText implements encoding.TextUnmarshaler. // UnmarshalText implements encoding.TextUnmarshaler.
func (uuid *UUID) UnmarshalText(data []byte) error { func (uuid *UUID) UnmarshalText(data []byte) error {
id, err := ParseBytes(data) id, err := ParseBytes(data)
if err == nil { if err != nil {
*uuid = id
}
return err return err
} }
*uuid = id
return nil
}
// MarshalBinary implements encoding.BinaryMarshaler. // MarshalBinary implements encoding.BinaryMarshaler.
func (uuid UUID) MarshalBinary() ([]byte, error) { func (uuid UUID) MarshalBinary() ([]byte, error) {

118
vendor/github.com/google/uuid/null.go generated vendored Normal file
View file

@ -0,0 +1,118 @@
// Copyright 2021 Google Inc. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package uuid
import (
"bytes"
"database/sql/driver"
"encoding/json"
"fmt"
)
var jsonNull = []byte("null")
// NullUUID represents a UUID that may be null.
// NullUUID implements the SQL driver.Scanner interface so
// it can be used as a scan destination:
//
// var u uuid.NullUUID
// err := db.QueryRow("SELECT name FROM foo WHERE id=?", id).Scan(&u)
// ...
// if u.Valid {
// // use u.UUID
// } else {
// // NULL value
// }
//
type NullUUID struct {
UUID UUID
Valid bool // Valid is true if UUID is not NULL
}
// Scan implements the SQL driver.Scanner interface.
func (nu *NullUUID) Scan(value interface{}) error {
if value == nil {
nu.UUID, nu.Valid = Nil, false
return nil
}
err := nu.UUID.Scan(value)
if err != nil {
nu.Valid = false
return err
}
nu.Valid = true
return nil
}
// Value implements the driver Valuer interface.
func (nu NullUUID) Value() (driver.Value, error) {
if !nu.Valid {
return nil, nil
}
// Delegate to UUID Value function
return nu.UUID.Value()
}
// MarshalBinary implements encoding.BinaryMarshaler.
func (nu NullUUID) MarshalBinary() ([]byte, error) {
if nu.Valid {
return nu.UUID[:], nil
}
return []byte(nil), nil
}
// UnmarshalBinary implements encoding.BinaryUnmarshaler.
func (nu *NullUUID) UnmarshalBinary(data []byte) error {
if len(data) != 16 {
return fmt.Errorf("invalid UUID (got %d bytes)", len(data))
}
copy(nu.UUID[:], data)
nu.Valid = true
return nil
}
// MarshalText implements encoding.TextMarshaler.
func (nu NullUUID) MarshalText() ([]byte, error) {
if nu.Valid {
return nu.UUID.MarshalText()
}
return jsonNull, nil
}
// UnmarshalText implements encoding.TextUnmarshaler.
func (nu *NullUUID) UnmarshalText(data []byte) error {
id, err := ParseBytes(data)
if err != nil {
nu.Valid = false
return err
}
nu.UUID = id
nu.Valid = true
return nil
}
// MarshalJSON implements json.Marshaler.
func (nu NullUUID) MarshalJSON() ([]byte, error) {
if nu.Valid {
return json.Marshal(nu.UUID)
}
return jsonNull, nil
}
// UnmarshalJSON implements json.Unmarshaler.
func (nu *NullUUID) UnmarshalJSON(data []byte) error {
if bytes.Equal(data, jsonNull) {
*nu = NullUUID{}
return nil // valid null UUID
}
err := json.Unmarshal(data, &nu.UUID)
nu.Valid = err == nil
return err
}

View file

@ -9,7 +9,7 @@ import (
"fmt" "fmt"
) )
// Scan implements sql.Scanner so UUIDs can be read from databases transparently // Scan implements sql.Scanner so UUIDs can be read from databases transparently.
// Currently, database types that map to string and []byte are supported. Please // Currently, database types that map to string and []byte are supported. Please
// consult database-specific driver documentation for matching types. // consult database-specific driver documentation for matching types.
func (uuid *UUID) Scan(src interface{}) error { func (uuid *UUID) Scan(src interface{}) error {

View file

@ -12,6 +12,7 @@ import (
"fmt" "fmt"
"io" "io"
"strings" "strings"
"sync"
) )
// A UUID is a 128 bit (16 byte) Universal Unique IDentifier as defined in RFC // A UUID is a 128 bit (16 byte) Universal Unique IDentifier as defined in RFC
@ -33,7 +34,27 @@ const (
Future // Reserved for future definition. Future // Reserved for future definition.
) )
var rander = rand.Reader // random function const randPoolSize = 16 * 16
var (
rander = rand.Reader // random function
poolEnabled = false
poolMu sync.Mutex
poolPos = randPoolSize // protected with poolMu
pool [randPoolSize]byte // protected with poolMu
)
type invalidLengthError struct{ len int }
func (err invalidLengthError) Error() string {
return fmt.Sprintf("invalid UUID length: %d", err.len)
}
// IsInvalidLengthError is matcher function for custom error invalidLengthError
func IsInvalidLengthError(err error) bool {
_, ok := err.(invalidLengthError)
return ok
}
// Parse decodes s into a UUID or returns an error. Both the standard UUID // Parse decodes s into a UUID or returns an error. Both the standard UUID
// forms of xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx and // forms of xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx and
@ -68,7 +89,7 @@ func Parse(s string) (UUID, error) {
} }
return uuid, nil return uuid, nil
default: default:
return uuid, fmt.Errorf("invalid UUID length: %d", len(s)) return uuid, invalidLengthError{len(s)}
} }
// s is now at least 36 bytes long // s is now at least 36 bytes long
// it must be of the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx // it must be of the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
@ -112,7 +133,7 @@ func ParseBytes(b []byte) (UUID, error) {
} }
return uuid, nil return uuid, nil
default: default:
return uuid, fmt.Errorf("invalid UUID length: %d", len(b)) return uuid, invalidLengthError{len(b)}
} }
// s is now at least 36 bytes long // s is now at least 36 bytes long
// it must be of the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx // it must be of the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
@ -243,3 +264,31 @@ func SetRand(r io.Reader) {
} }
rander = r rander = r
} }
// EnableRandPool enables internal randomness pool used for Random
// (Version 4) UUID generation. The pool contains random bytes read from
// the random number generator on demand in batches. Enabling the pool
// may improve the UUID generation throughput significantly.
//
// Since the pool is stored on the Go heap, this feature may be a bad fit
// for security sensitive applications.
//
// Both EnableRandPool and DisableRandPool are not thread-safe and should
// only be called when there is no possibility that New or any other
// UUID Version 4 generation function will be called concurrently.
func EnableRandPool() {
poolEnabled = true
}
// DisableRandPool disables the randomness pool if it was previously
// enabled with EnableRandPool.
//
// Both EnableRandPool and DisableRandPool are not thread-safe and should
// only be called when there is no possibility that New or any other
// UUID Version 4 generation function will be called concurrently.
func DisableRandPool() {
poolEnabled = false
defer poolMu.Unlock()
poolMu.Lock()
poolPos = randPoolSize
}

View file

@ -17,12 +17,6 @@ import (
// //
// In most cases, New should be used. // In most cases, New should be used.
func NewUUID() (UUID, error) { func NewUUID() (UUID, error) {
nodeMu.Lock()
if nodeID == zeroID {
setNodeInterface("")
}
nodeMu.Unlock()
var uuid UUID var uuid UUID
now, seq, err := GetTime() now, seq, err := GetTime()
if err != nil { if err != nil {
@ -38,7 +32,13 @@ func NewUUID() (UUID, error) {
binary.BigEndian.PutUint16(uuid[4:], timeMid) binary.BigEndian.PutUint16(uuid[4:], timeMid)
binary.BigEndian.PutUint16(uuid[6:], timeHi) binary.BigEndian.PutUint16(uuid[6:], timeHi)
binary.BigEndian.PutUint16(uuid[8:], seq) binary.BigEndian.PutUint16(uuid[8:], seq)
nodeMu.Lock()
if nodeID == zeroID {
setNodeInterface("")
}
copy(uuid[10:], nodeID[:]) copy(uuid[10:], nodeID[:])
nodeMu.Unlock()
return uuid, nil return uuid, nil
} }

View file

@ -14,11 +14,21 @@ func New() UUID {
return Must(NewRandom()) return Must(NewRandom())
} }
// NewString creates a new random UUID and returns it as a string or panics.
// NewString is equivalent to the expression
//
// uuid.New().String()
func NewString() string {
return Must(NewRandom()).String()
}
// NewRandom returns a Random (Version 4) UUID. // NewRandom returns a Random (Version 4) UUID.
// //
// The strength of the UUIDs is based on the strength of the crypto/rand // The strength of the UUIDs is based on the strength of the crypto/rand
// package. // package.
// //
// Uses the randomness pool if it was enabled with EnableRandPool.
//
// A note about uniqueness derived from the UUID Wikipedia entry: // A note about uniqueness derived from the UUID Wikipedia entry:
// //
// Randomly generated UUIDs have 122 random bits. One's annual risk of being // Randomly generated UUIDs have 122 random bits. One's annual risk of being
@ -27,8 +37,16 @@ func New() UUID {
// equivalent to the odds of creating a few tens of trillions of UUIDs in a // equivalent to the odds of creating a few tens of trillions of UUIDs in a
// year and having one duplicate. // year and having one duplicate.
func NewRandom() (UUID, error) { func NewRandom() (UUID, error) {
if !poolEnabled {
return NewRandomFromReader(rander)
}
return newRandomFromPool()
}
// NewRandomFromReader returns a UUID based on bytes read from a given io.Reader.
func NewRandomFromReader(r io.Reader) (UUID, error) {
var uuid UUID var uuid UUID
_, err := io.ReadFull(rander, uuid[:]) _, err := io.ReadFull(r, uuid[:])
if err != nil { if err != nil {
return Nil, err return Nil, err
} }
@ -36,3 +54,23 @@ func NewRandom() (UUID, error) {
uuid[8] = (uuid[8] & 0x3f) | 0x80 // Variant is 10 uuid[8] = (uuid[8] & 0x3f) | 0x80 // Variant is 10
return uuid, nil return uuid, nil
} }
func newRandomFromPool() (UUID, error) {
var uuid UUID
poolMu.Lock()
if poolPos == randPoolSize {
_, err := io.ReadFull(rander, pool[:])
if err != nil {
poolMu.Unlock()
return Nil, err
}
poolPos = 0
}
copy(uuid[:], pool[poolPos:(poolPos+16)])
poolPos += 16
poolMu.Unlock()
uuid[6] = (uuid[6] & 0x0f) | 0x40 // Version 4
uuid[8] = (uuid[8] & 0x3f) | 0x80 // Variant is 10
return uuid, nil
}

View file

@ -30,7 +30,7 @@ func OpenFile(path string) error {
// OpenReader consumes the contents of r and presents the // OpenReader consumes the contents of r and presents the
// results in a new browser window. // results in a new browser window.
func OpenReader(r io.Reader) error { func OpenReader(r io.Reader) error {
f, err := ioutil.TempFile("", "browser") f, err := ioutil.TempFile("", "browser.*.html")
if err != nil { if err != nil {
return fmt.Errorf("browser: could not create temporary file: %v", err) return fmt.Errorf("browser: could not create temporary file: %v", err)
} }
@ -41,12 +41,7 @@ func OpenReader(r io.Reader) error {
if err := f.Close(); err != nil { if err := f.Close(); err != nil {
return fmt.Errorf("browser: caching temporary file failed: %v", err) return fmt.Errorf("browser: caching temporary file failed: %v", err)
} }
oldname := f.Name() return OpenFile(f.Name())
newname := oldname + ".html"
if err := os.Rename(oldname, newname); err != nil {
return fmt.Errorf("browser: renaming temporary file failed: %v", err)
}
return OpenFile(newname)
} }
// OpenURL opens a new browser window pointing to url. // OpenURL opens a new browser window pointing to url.
@ -58,6 +53,5 @@ func runCmd(prog string, args ...string) error {
cmd := exec.Command(prog, args...) cmd := exec.Command(prog, args...)
cmd.Stdout = Stdout cmd.Stdout = Stdout
cmd.Stderr = Stderr cmd.Stderr = Stderr
setFlags(cmd)
return cmd.Run() return cmd.Run()
} }

View file

@ -1,9 +1,5 @@
package browser package browser
import "os/exec"
func openBrowser(url string) error { func openBrowser(url string) error {
return runCmd("open", url) return runCmd("open", url)
} }
func setFlags(cmd *exec.Cmd) {}

View file

@ -12,5 +12,3 @@ func openBrowser(url string) error {
} }
return err return err
} }
func setFlags(cmd *exec.Cmd) {}

View file

@ -19,5 +19,3 @@ func openBrowser(url string) error {
return &exec.Error{Name: strings.Join(providers, ","), Err: exec.ErrNotFound} return &exec.Error{Name: strings.Join(providers, ","), Err: exec.ErrNotFound}
} }
func setFlags(cmd *exec.Cmd) {}

14
vendor/github.com/pkg/browser/browser_netbsd.go generated vendored Normal file
View file

@ -0,0 +1,14 @@
package browser
import (
"errors"
"os/exec"
)
func openBrowser(url string) error {
err := runCmd("xdg-open", url)
if e, ok := err.(*exec.Error); ok && e.Err == exec.ErrNotFound {
return errors.New("xdg-open: command not found - install xdg-utils from pkgsrc(7)")
}
return err
}

View file

@ -12,5 +12,3 @@ func openBrowser(url string) error {
} }
return err return err
} }
func setFlags(cmd *exec.Cmd) {}

View file

@ -1,15 +1,12 @@
// +build !linux,!windows,!darwin,!openbsd,!freebsd // +build !linux,!windows,!darwin,!openbsd,!freebsd,!netbsd
package browser package browser
import ( import (
"fmt" "fmt"
"os/exec"
"runtime" "runtime"
) )
func openBrowser(url string) error { func openBrowser(url string) error {
return fmt.Errorf("openBrowser: unsupported operating system: %v", runtime.GOOS) return fmt.Errorf("openBrowser: unsupported operating system: %v", runtime.GOOS)
} }
func setFlags(cmd *exec.Cmd) {}

View file

@ -1,13 +1,7 @@
//go:generate mkwinsyscall -output zbrowser_windows.go browser_windows.go
//sys ShellExecute(hwnd int, verb string, file string, args string, cwd string, showCmd int) (err error) = shell32.ShellExecuteW
package browser package browser
import "os/exec" import "golang.org/x/sys/windows"
const SW_SHOWNORMAL = 1
func openBrowser(url string) error { func openBrowser(url string) error {
return ShellExecute(0, "", url, "", "", SW_SHOWNORMAL) return windows.ShellExecute(0, nil, windows.StringToUTF16Ptr(url), nil, nil, windows.SW_SHOWNORMAL)
}
func setFlags(cmd *exec.Cmd) {
} }

View file

@ -1,76 +0,0 @@
// Code generated by 'go generate'; DO NOT EDIT.
package browser
import (
"syscall"
"unsafe"
"golang.org/x/sys/windows"
)
var _ unsafe.Pointer
// Do the interface allocations only once for common
// Errno values.
const (
errnoERROR_IO_PENDING = 997
)
var (
errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
errERROR_EINVAL error = syscall.EINVAL
)
// errnoErr returns common boxed Errno values, to prevent
// allocations at runtime.
func errnoErr(e syscall.Errno) error {
switch e {
case 0:
return errERROR_EINVAL
case errnoERROR_IO_PENDING:
return errERROR_IO_PENDING
}
// TODO: add more here, after collecting data on the common
// error values see on Windows. (perhaps when running
// all.bat?)
return e
}
var (
modshell32 = windows.NewLazySystemDLL("shell32.dll")
procShellExecuteW = modshell32.NewProc("ShellExecuteW")
)
func ShellExecute(hwnd int, verb string, file string, args string, cwd string, showCmd int) (err error) {
var _p0 *uint16
_p0, err = syscall.UTF16PtrFromString(verb)
if err != nil {
return
}
var _p1 *uint16
_p1, err = syscall.UTF16PtrFromString(file)
if err != nil {
return
}
var _p2 *uint16
_p2, err = syscall.UTF16PtrFromString(args)
if err != nil {
return
}
var _p3 *uint16
_p3, err = syscall.UTF16PtrFromString(cwd)
if err != nil {
return
}
return _ShellExecute(hwnd, _p0, _p1, _p2, _p3, showCmd)
}
func _ShellExecute(hwnd int, verb *uint16, file *uint16, args *uint16, cwd *uint16, showCmd int) (err error) {
r1, _, e1 := syscall.Syscall6(procShellExecuteW.Addr(), 6, uintptr(hwnd), uintptr(unsafe.Pointer(verb)), uintptr(unsafe.Pointer(file)), uintptr(unsafe.Pointer(args)), uintptr(unsafe.Pointer(cwd)), uintptr(showCmd))
if r1 == 0 {
err = errnoErr(e1)
}
return
}

3
vendor/golang.org/x/crypto/AUTHORS generated vendored
View file

@ -1,3 +0,0 @@
# This source code refers to The Go Authors for copyright purposes.
# The master list of authors is in the main Go distribution,
# visible at https://tip.golang.org/AUTHORS.

View file

@ -1,3 +0,0 @@
# This source code was written by the Go contributors.
# The master list of contributors is in the main Go distribution,
# visible at https://tip.golang.org/CONTRIBUTORS.

View file

@ -306,6 +306,20 @@ func (c *Client) UpdateReg(ctx context.Context, acct *Account) (*Account, error)
return c.updateRegRFC(ctx, acct) return c.updateRegRFC(ctx, acct)
} }
// AccountKeyRollover attempts to transition a client's account key to a new key.
// On success client's Key is updated which is not concurrency safe.
// On failure an error will be returned.
// The new key is already registered with the ACME provider if the following is true:
// - error is of type acme.Error
// - StatusCode should be 409 (Conflict)
// - Location header will have the KID of the associated account
//
// More about account key rollover can be found at
// https://tools.ietf.org/html/rfc8555#section-7.3.5.
func (c *Client) AccountKeyRollover(ctx context.Context, newKey crypto.Signer) error {
return c.accountKeyRollover(ctx, newKey)
}
// Authorize performs the initial step in the pre-authorization flow, // Authorize performs the initial step in the pre-authorization flow,
// as opposed to order-based flow. // as opposed to order-based flow.
// The caller will then need to choose from and perform a set of returned // The caller will then need to choose from and perform a set of returned

View file

@ -463,7 +463,7 @@ func (m *Manager) cert(ctx context.Context, ck certKey) (*tls.Certificate, error
leaf: cert.Leaf, leaf: cert.Leaf,
} }
m.state[ck] = s m.state[ck] = s
go m.startRenew(ck, s.key, s.leaf.NotAfter) m.startRenew(ck, s.key, s.leaf.NotAfter)
return cert, nil return cert, nil
} }
@ -609,7 +609,7 @@ func (m *Manager) createCert(ctx context.Context, ck certKey) (*tls.Certificate,
} }
state.cert = der state.cert = der
state.leaf = leaf state.leaf = leaf
go m.startRenew(ck, state.key, state.leaf.NotAfter) m.startRenew(ck, state.key, state.leaf.NotAfter)
return state.tlscert() return state.tlscert()
} }

View file

@ -7,7 +7,6 @@ package autocert
import ( import (
"context" "context"
"errors" "errors"
"io/ioutil"
"os" "os"
"path/filepath" "path/filepath"
) )
@ -41,14 +40,14 @@ type DirCache string
// Get reads a certificate data from the specified file name. // Get reads a certificate data from the specified file name.
func (d DirCache) Get(ctx context.Context, name string) ([]byte, error) { func (d DirCache) Get(ctx context.Context, name string) ([]byte, error) {
name = filepath.Join(string(d), name) name = filepath.Join(string(d), filepath.Clean("/"+name))
var ( var (
data []byte data []byte
err error err error
done = make(chan struct{}) done = make(chan struct{})
) )
go func() { go func() {
data, err = ioutil.ReadFile(name) data, err = os.ReadFile(name)
close(done) close(done)
}() }()
select { select {
@ -82,7 +81,7 @@ func (d DirCache) Put(ctx context.Context, name string, data []byte) error {
case <-ctx.Done(): case <-ctx.Done():
// Don't overwrite the file if the context was canceled. // Don't overwrite the file if the context was canceled.
default: default:
newName := filepath.Join(string(d), name) newName := filepath.Join(string(d), filepath.Clean("/"+name))
err = os.Rename(tmp, newName) err = os.Rename(tmp, newName)
} }
}() }()
@ -96,7 +95,7 @@ func (d DirCache) Put(ctx context.Context, name string, data []byte) error {
// Delete removes the specified file name. // Delete removes the specified file name.
func (d DirCache) Delete(ctx context.Context, name string) error { func (d DirCache) Delete(ctx context.Context, name string) error {
name = filepath.Join(string(d), name) name = filepath.Join(string(d), filepath.Clean("/"+name))
var ( var (
err error err error
done = make(chan struct{}) done = make(chan struct{})
@ -119,7 +118,7 @@ func (d DirCache) Delete(ctx context.Context, name string) error {
// writeTempFile writes b to a temporary file, closes the file and returns its path. // writeTempFile writes b to a temporary file, closes the file and returns its path.
func (d DirCache) writeTempFile(prefix string, b []byte) (name string, reterr error) { func (d DirCache) writeTempFile(prefix string, b []byte) (name string, reterr error) {
// TempFile uses 0600 permissions // TempFile uses 0600 permissions
f, err := ioutil.TempFile(string(d), prefix) f, err := os.CreateTemp(string(d), prefix)
if err != nil { if err != nil {
return "", err return "", err
} }

View file

@ -12,7 +12,7 @@ import (
"encoding/json" "encoding/json"
"errors" "errors"
"fmt" "fmt"
"io/ioutil" "io"
"math/big" "math/big"
"net/http" "net/http"
"strconv" "strconv"
@ -310,7 +310,7 @@ func isRetriable(code int) bool {
func responseError(resp *http.Response) error { func responseError(resp *http.Response) error {
// don't care if ReadAll returns an error: // don't care if ReadAll returns an error:
// json.Unmarshal will fail in that case anyway // json.Unmarshal will fail in that case anyway
b, _ := ioutil.ReadAll(resp.Body) b, _ := io.ReadAll(resp.Body)
e := &wireError{Status: resp.StatusCode} e := &wireError{Status: resp.StatusCode}
if err := json.Unmarshal(b, e); err != nil { if err := json.Unmarshal(b, e); err != nil {
// this is not a regular error response: // this is not a regular error response:

View file

@ -33,6 +33,10 @@ const noKeyID = KeyID("")
// See https://tools.ietf.org/html/rfc8555#section-6.3 for more details. // See https://tools.ietf.org/html/rfc8555#section-6.3 for more details.
const noPayload = "" const noPayload = ""
// noNonce indicates that the nonce should be omitted from the protected header.
// See jwsEncodeJSON for details.
const noNonce = ""
// jsonWebSignature can be easily serialized into a JWS following // jsonWebSignature can be easily serialized into a JWS following
// https://tools.ietf.org/html/rfc7515#section-3.2. // https://tools.ietf.org/html/rfc7515#section-3.2.
type jsonWebSignature struct { type jsonWebSignature struct {
@ -45,10 +49,15 @@ type jsonWebSignature struct {
// The result is serialized in JSON format containing either kid or jwk // The result is serialized in JSON format containing either kid or jwk
// fields based on the provided KeyID value. // fields based on the provided KeyID value.
// //
// If kid is non-empty, its quoted value is inserted in the protected head // The claimset is marshalled using json.Marshal unless it is a string.
// In which case it is inserted directly into the message.
//
// If kid is non-empty, its quoted value is inserted in the protected header
// as "kid" field value. Otherwise, JWK is computed using jwkEncode and inserted // as "kid" field value. Otherwise, JWK is computed using jwkEncode and inserted
// as "jwk" field value. The "jwk" and "kid" fields are mutually exclusive. // as "jwk" field value. The "jwk" and "kid" fields are mutually exclusive.
// //
// If nonce is non-empty, its quoted value is inserted in the protected header.
//
// See https://tools.ietf.org/html/rfc7515#section-7. // See https://tools.ietf.org/html/rfc7515#section-7.
func jwsEncodeJSON(claimset interface{}, key crypto.Signer, kid KeyID, nonce, url string) ([]byte, error) { func jwsEncodeJSON(claimset interface{}, key crypto.Signer, kid KeyID, nonce, url string) ([]byte, error) {
if key == nil { if key == nil {
@ -58,20 +67,36 @@ func jwsEncodeJSON(claimset interface{}, key crypto.Signer, kid KeyID, nonce, ur
if alg == "" || !sha.Available() { if alg == "" || !sha.Available() {
return nil, ErrUnsupportedKey return nil, ErrUnsupportedKey
} }
var phead string headers := struct {
Alg string `json:"alg"`
KID string `json:"kid,omitempty"`
JWK json.RawMessage `json:"jwk,omitempty"`
Nonce string `json:"nonce,omitempty"`
URL string `json:"url"`
}{
Alg: alg,
Nonce: nonce,
URL: url,
}
switch kid { switch kid {
case noKeyID: case noKeyID:
jwk, err := jwkEncode(key.Public()) jwk, err := jwkEncode(key.Public())
if err != nil { if err != nil {
return nil, err return nil, err
} }
phead = fmt.Sprintf(`{"alg":%q,"jwk":%s,"nonce":%q,"url":%q}`, alg, jwk, nonce, url) headers.JWK = json.RawMessage(jwk)
default: default:
phead = fmt.Sprintf(`{"alg":%q,"kid":%q,"nonce":%q,"url":%q}`, alg, kid, nonce, url) headers.KID = string(kid)
} }
phead = base64.RawURLEncoding.EncodeToString([]byte(phead)) phJSON, err := json.Marshal(headers)
if err != nil {
return nil, err
}
phead := base64.RawURLEncoding.EncodeToString([]byte(phJSON))
var payload string var payload string
if claimset != noPayload { if val, ok := claimset.(string); ok {
payload = val
} else {
cs, err := json.Marshal(claimset) cs, err := json.Marshal(claimset)
if err != nil { if err != nil {
return nil, err return nil, err

View file

@ -13,7 +13,6 @@ import (
"errors" "errors"
"fmt" "fmt"
"io" "io"
"io/ioutil"
"net/http" "net/http"
"time" "time"
) )
@ -24,6 +23,9 @@ import (
// //
// It only works with CAs implementing RFC 8555. // It only works with CAs implementing RFC 8555.
func (c *Client) DeactivateReg(ctx context.Context) error { func (c *Client) DeactivateReg(ctx context.Context) error {
if _, err := c.Discover(ctx); err != nil { // required by c.accountKID
return err
}
url := string(c.accountKID(ctx)) url := string(c.accountKID(ctx))
if url == "" { if url == "" {
return ErrNoAccount return ErrNoAccount
@ -115,7 +117,7 @@ func (c *Client) updateRegRFC(ctx context.Context, a *Account) (*Account, error)
return responseAccount(res) return responseAccount(res)
} }
// getGegRFC is equivalent to c.GetReg but for CAs implementing RFC 8555. // getRegRFC is equivalent to c.GetReg but for CAs implementing RFC 8555.
// It expects c.Discover to have already been called. // It expects c.Discover to have already been called.
func (c *Client) getRegRFC(ctx context.Context) (*Account, error) { func (c *Client) getRegRFC(ctx context.Context) (*Account, error) {
req := json.RawMessage(`{"onlyReturnExisting": true}`) req := json.RawMessage(`{"onlyReturnExisting": true}`)
@ -148,6 +150,42 @@ func responseAccount(res *http.Response) (*Account, error) {
}, nil }, nil
} }
// accountKeyRollover attempts to perform account key rollover.
// On success it will change client.Key to the new key.
func (c *Client) accountKeyRollover(ctx context.Context, newKey crypto.Signer) error {
dir, err := c.Discover(ctx) // Also required by c.accountKID
if err != nil {
return err
}
kid := c.accountKID(ctx)
if kid == noKeyID {
return ErrNoAccount
}
oldKey, err := jwkEncode(c.Key.Public())
if err != nil {
return err
}
payload := struct {
Account string `json:"account"`
OldKey json.RawMessage `json:"oldKey"`
}{
Account: string(kid),
OldKey: json.RawMessage(oldKey),
}
inner, err := jwsEncodeJSON(payload, newKey, noKeyID, noNonce, dir.KeyChangeURL)
if err != nil {
return err
}
res, err := c.post(ctx, nil, dir.KeyChangeURL, base64.RawURLEncoding.EncodeToString(inner), wantStatus(http.StatusOK))
if err != nil {
return err
}
defer res.Body.Close()
c.Key = newKey
return nil
}
// AuthorizeOrder initiates the order-based application for certificate issuance, // AuthorizeOrder initiates the order-based application for certificate issuance,
// as opposed to pre-authorization in Authorize. // as opposed to pre-authorization in Authorize.
// It is only supported by CAs implementing RFC 8555. // It is only supported by CAs implementing RFC 8555.
@ -351,7 +389,7 @@ func (c *Client) fetchCertRFC(ctx context.Context, url string, bundle bool) ([][
// Get all the bytes up to a sane maximum. // Get all the bytes up to a sane maximum.
// Account very roughly for base64 overhead. // Account very roughly for base64 overhead.
const max = maxCertChainSize + maxCertChainSize/33 const max = maxCertChainSize + maxCertChainSize/33
b, err := ioutil.ReadAll(io.LimitReader(res.Body, max+1)) b, err := io.ReadAll(io.LimitReader(res.Body, max+1))
if err != nil { if err != nil {
return nil, fmt.Errorf("acme: fetch cert response stream: %v", err) return nil, fmt.Errorf("acme: fetch cert response stream: %v", err)
} }
@ -430,7 +468,7 @@ func (c *Client) ListCertAlternates(ctx context.Context, url string) ([]string,
// We don't need the body but we need to discard it so we don't end up // We don't need the body but we need to discard it so we don't end up
// preventing keep-alive // preventing keep-alive
if _, err := io.Copy(ioutil.Discard, res.Body); err != nil { if _, err := io.Copy(io.Discard, res.Body); err != nil {
return nil, fmt.Errorf("acme: cert alternates response stream: %v", err) return nil, fmt.Errorf("acme: cert alternates response stream: %v", err)
} }
alts := linkHeader(res.Header, "alternate") alts := linkHeader(res.Header, "alternate")

View file

@ -50,7 +50,7 @@ func (ih InvalidHashPrefixError) Error() string {
type InvalidCostError int type InvalidCostError int
func (ic InvalidCostError) Error() string { func (ic InvalidCostError) Error() string {
return fmt.Sprintf("crypto/bcrypt: cost %d is outside allowed range (%d,%d)", int(ic), int(MinCost), int(MaxCost)) return fmt.Sprintf("crypto/bcrypt: cost %d is outside allowed range (%d,%d)", int(ic), MinCost, MaxCost)
} }
const ( const (
@ -82,11 +82,20 @@ type hashed struct {
minor byte minor byte
} }
// ErrPasswordTooLong is returned when the password passed to
// GenerateFromPassword is too long (i.e. > 72 bytes).
var ErrPasswordTooLong = errors.New("bcrypt: password length exceeds 72 bytes")
// GenerateFromPassword returns the bcrypt hash of the password at the given // GenerateFromPassword returns the bcrypt hash of the password at the given
// cost. If the cost given is less than MinCost, the cost will be set to // cost. If the cost given is less than MinCost, the cost will be set to
// DefaultCost, instead. Use CompareHashAndPassword, as defined in this package, // DefaultCost, instead. Use CompareHashAndPassword, as defined in this package,
// to compare the returned hashed password with its cleartext version. // to compare the returned hashed password with its cleartext version.
// GenerateFromPassword does not accept passwords longer than 72 bytes, which
// is the longest password bcrypt will operate on.
func GenerateFromPassword(password []byte, cost int) ([]byte, error) { func GenerateFromPassword(password []byte, cost int) ([]byte, error) {
if len(password) > 72 {
return nil, ErrPasswordTooLong
}
p, err := newFromPassword(password, cost) p, err := newFromPassword(password, cost)
if err != nil { if err != nil {
return nil, err return nil, err

View file

@ -117,7 +117,7 @@ func pbDecrypt(info decryptable, password []byte) (decrypted []byte, err error)
} }
ps := decrypted[len(decrypted)-psLen:] ps := decrypted[len(decrypted)-psLen:]
decrypted = decrypted[:len(decrypted)-psLen] decrypted = decrypted[:len(decrypted)-psLen]
if bytes.Compare(ps, bytes.Repeat([]byte{byte(psLen)}, psLen)) != 0 { if !bytes.Equal(ps, bytes.Repeat([]byte{byte(psLen)}, psLen)) {
return nil, ErrDecryption return nil, ErrDecryption
} }

View file

@ -14,6 +14,7 @@ package rc2
import ( import (
"crypto/cipher" "crypto/cipher"
"encoding/binary" "encoding/binary"
"math/bits"
) )
// The rc2 block size in bytes // The rc2 block size in bytes
@ -80,10 +81,6 @@ func expandKey(key []byte, t1 int) [64]uint16 {
return k return k
} }
func rotl16(x uint16, b uint) uint16 {
return (x >> (16 - b)) | (x << b)
}
func (c *rc2Cipher) Encrypt(dst, src []byte) { func (c *rc2Cipher) Encrypt(dst, src []byte) {
r0 := binary.LittleEndian.Uint16(src[0:]) r0 := binary.LittleEndian.Uint16(src[0:])
@ -96,22 +93,22 @@ func (c *rc2Cipher) Encrypt(dst, src []byte) {
for j <= 16 { for j <= 16 {
// mix r0 // mix r0
r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1) r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1)
r0 = rotl16(r0, 1) r0 = bits.RotateLeft16(r0, 1)
j++ j++
// mix r1 // mix r1
r1 = r1 + c.k[j] + (r0 & r3) + ((^r0) & r2) r1 = r1 + c.k[j] + (r0 & r3) + ((^r0) & r2)
r1 = rotl16(r1, 2) r1 = bits.RotateLeft16(r1, 2)
j++ j++
// mix r2 // mix r2
r2 = r2 + c.k[j] + (r1 & r0) + ((^r1) & r3) r2 = r2 + c.k[j] + (r1 & r0) + ((^r1) & r3)
r2 = rotl16(r2, 3) r2 = bits.RotateLeft16(r2, 3)
j++ j++
// mix r3 // mix r3
r3 = r3 + c.k[j] + (r2 & r1) + ((^r2) & r0) r3 = r3 + c.k[j] + (r2 & r1) + ((^r2) & r0)
r3 = rotl16(r3, 5) r3 = bits.RotateLeft16(r3, 5)
j++ j++
} }
@ -124,22 +121,22 @@ func (c *rc2Cipher) Encrypt(dst, src []byte) {
for j <= 40 { for j <= 40 {
// mix r0 // mix r0
r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1) r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1)
r0 = rotl16(r0, 1) r0 = bits.RotateLeft16(r0, 1)
j++ j++
// mix r1 // mix r1
r1 = r1 + c.k[j] + (r0 & r3) + ((^r0) & r2) r1 = r1 + c.k[j] + (r0 & r3) + ((^r0) & r2)
r1 = rotl16(r1, 2) r1 = bits.RotateLeft16(r1, 2)
j++ j++
// mix r2 // mix r2
r2 = r2 + c.k[j] + (r1 & r0) + ((^r1) & r3) r2 = r2 + c.k[j] + (r1 & r0) + ((^r1) & r3)
r2 = rotl16(r2, 3) r2 = bits.RotateLeft16(r2, 3)
j++ j++
// mix r3 // mix r3
r3 = r3 + c.k[j] + (r2 & r1) + ((^r2) & r0) r3 = r3 + c.k[j] + (r2 & r1) + ((^r2) & r0)
r3 = rotl16(r3, 5) r3 = bits.RotateLeft16(r3, 5)
j++ j++
} }
@ -152,22 +149,22 @@ func (c *rc2Cipher) Encrypt(dst, src []byte) {
for j <= 60 { for j <= 60 {
// mix r0 // mix r0
r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1) r0 = r0 + c.k[j] + (r3 & r2) + ((^r3) & r1)
r0 = rotl16(r0, 1) r0 = bits.RotateLeft16(r0, 1)
j++ j++
// mix r1 // mix r1
r1 = r1 + c.k[j] + (r0 & r3) + ((^r0) & r2) r1 = r1 + c.k[j] + (r0 & r3) + ((^r0) & r2)
r1 = rotl16(r1, 2) r1 = bits.RotateLeft16(r1, 2)
j++ j++
// mix r2 // mix r2
r2 = r2 + c.k[j] + (r1 & r0) + ((^r1) & r3) r2 = r2 + c.k[j] + (r1 & r0) + ((^r1) & r3)
r2 = rotl16(r2, 3) r2 = bits.RotateLeft16(r2, 3)
j++ j++
// mix r3 // mix r3
r3 = r3 + c.k[j] + (r2 & r1) + ((^r2) & r0) r3 = r3 + c.k[j] + (r2 & r1) + ((^r2) & r0)
r3 = rotl16(r3, 5) r3 = bits.RotateLeft16(r3, 5)
j++ j++
} }
@ -188,22 +185,22 @@ func (c *rc2Cipher) Decrypt(dst, src []byte) {
for j >= 44 { for j >= 44 {
// unmix r3 // unmix r3
r3 = rotl16(r3, 16-5) r3 = bits.RotateLeft16(r3, 16-5)
r3 = r3 - c.k[j] - (r2 & r1) - ((^r2) & r0) r3 = r3 - c.k[j] - (r2 & r1) - ((^r2) & r0)
j-- j--
// unmix r2 // unmix r2
r2 = rotl16(r2, 16-3) r2 = bits.RotateLeft16(r2, 16-3)
r2 = r2 - c.k[j] - (r1 & r0) - ((^r1) & r3) r2 = r2 - c.k[j] - (r1 & r0) - ((^r1) & r3)
j-- j--
// unmix r1 // unmix r1
r1 = rotl16(r1, 16-2) r1 = bits.RotateLeft16(r1, 16-2)
r1 = r1 - c.k[j] - (r0 & r3) - ((^r0) & r2) r1 = r1 - c.k[j] - (r0 & r3) - ((^r0) & r2)
j-- j--
// unmix r0 // unmix r0
r0 = rotl16(r0, 16-1) r0 = bits.RotateLeft16(r0, 16-1)
r0 = r0 - c.k[j] - (r3 & r2) - ((^r3) & r1) r0 = r0 - c.k[j] - (r3 & r2) - ((^r3) & r1)
j-- j--
} }
@ -215,22 +212,22 @@ func (c *rc2Cipher) Decrypt(dst, src []byte) {
for j >= 20 { for j >= 20 {
// unmix r3 // unmix r3
r3 = rotl16(r3, 16-5) r3 = bits.RotateLeft16(r3, 16-5)
r3 = r3 - c.k[j] - (r2 & r1) - ((^r2) & r0) r3 = r3 - c.k[j] - (r2 & r1) - ((^r2) & r0)
j-- j--
// unmix r2 // unmix r2
r2 = rotl16(r2, 16-3) r2 = bits.RotateLeft16(r2, 16-3)
r2 = r2 - c.k[j] - (r1 & r0) - ((^r1) & r3) r2 = r2 - c.k[j] - (r1 & r0) - ((^r1) & r3)
j-- j--
// unmix r1 // unmix r1
r1 = rotl16(r1, 16-2) r1 = bits.RotateLeft16(r1, 16-2)
r1 = r1 - c.k[j] - (r0 & r3) - ((^r0) & r2) r1 = r1 - c.k[j] - (r0 & r3) - ((^r0) & r2)
j-- j--
// unmix r0 // unmix r0
r0 = rotl16(r0, 16-1) r0 = bits.RotateLeft16(r0, 16-1)
r0 = r0 - c.k[j] - (r3 & r2) - ((^r3) & r1) r0 = r0 - c.k[j] - (r3 & r2) - ((^r3) & r1)
j-- j--
@ -243,22 +240,22 @@ func (c *rc2Cipher) Decrypt(dst, src []byte) {
for j >= 0 { for j >= 0 {
// unmix r3 // unmix r3
r3 = rotl16(r3, 16-5) r3 = bits.RotateLeft16(r3, 16-5)
r3 = r3 - c.k[j] - (r2 & r1) - ((^r2) & r0) r3 = r3 - c.k[j] - (r2 & r1) - ((^r2) & r0)
j-- j--
// unmix r2 // unmix r2
r2 = rotl16(r2, 16-3) r2 = bits.RotateLeft16(r2, 16-3)
r2 = r2 - c.k[j] - (r1 & r0) - ((^r1) & r3) r2 = r2 - c.k[j] - (r1 & r0) - ((^r1) & r3)
j-- j--
// unmix r1 // unmix r1
r1 = rotl16(r1, 16-2) r1 = bits.RotateLeft16(r1, 16-2)
r1 = r1 - c.k[j] - (r0 & r3) - ((^r0) & r2) r1 = r1 - c.k[j] - (r0 & r3) - ((^r0) & r2)
j-- j--
// unmix r0 // unmix r0
r0 = rotl16(r0, 16-1) r0 = bits.RotateLeft16(r0, 16-1)
r0 = r0 - c.k[j] - (r3 & r2) - ((^r3) & r1) r0 = r0 - c.k[j] - (r3 & r2) - ((^r3) & r1)
j-- j--

View file

@ -8,7 +8,6 @@
package unix package unix
import ( import (
"runtime"
"unsafe" "unsafe"
) )
@ -27,7 +26,7 @@ func IoctlSetInt(fd int, req uint, value int) error {
// passing the integer value directly. // passing the integer value directly.
func IoctlSetPointerInt(fd int, req uint, value int) error { func IoctlSetPointerInt(fd int, req uint, value int) error {
v := int32(value) v := int32(value)
return ioctl(fd, req, uintptr(unsafe.Pointer(&v))) return ioctlPtr(fd, req, unsafe.Pointer(&v))
} }
// IoctlSetWinsize performs an ioctl on fd with a *Winsize argument. // IoctlSetWinsize performs an ioctl on fd with a *Winsize argument.
@ -36,9 +35,7 @@ func IoctlSetPointerInt(fd int, req uint, value int) error {
func IoctlSetWinsize(fd int, req uint, value *Winsize) error { func IoctlSetWinsize(fd int, req uint, value *Winsize) error {
// TODO: if we get the chance, remove the req parameter and // TODO: if we get the chance, remove the req parameter and
// hardcode TIOCSWINSZ. // hardcode TIOCSWINSZ.
err := ioctl(fd, req, uintptr(unsafe.Pointer(value))) return ioctlPtr(fd, req, unsafe.Pointer(value))
runtime.KeepAlive(value)
return err
} }
// IoctlSetTermios performs an ioctl on fd with a *Termios. // IoctlSetTermios performs an ioctl on fd with a *Termios.
@ -46,9 +43,7 @@ func IoctlSetWinsize(fd int, req uint, value *Winsize) error {
// The req value will usually be TCSETA or TIOCSETA. // The req value will usually be TCSETA or TIOCSETA.
func IoctlSetTermios(fd int, req uint, value *Termios) error { func IoctlSetTermios(fd int, req uint, value *Termios) error {
// TODO: if we get the chance, remove the req parameter. // TODO: if we get the chance, remove the req parameter.
err := ioctl(fd, req, uintptr(unsafe.Pointer(value))) return ioctlPtr(fd, req, unsafe.Pointer(value))
runtime.KeepAlive(value)
return err
} }
// IoctlGetInt performs an ioctl operation which gets an integer value // IoctlGetInt performs an ioctl operation which gets an integer value
@ -58,18 +53,18 @@ func IoctlSetTermios(fd int, req uint, value *Termios) error {
// for those, IoctlRetInt should be used instead of this function. // for those, IoctlRetInt should be used instead of this function.
func IoctlGetInt(fd int, req uint) (int, error) { func IoctlGetInt(fd int, req uint) (int, error) {
var value int var value int
err := ioctl(fd, req, uintptr(unsafe.Pointer(&value))) err := ioctlPtr(fd, req, unsafe.Pointer(&value))
return value, err return value, err
} }
func IoctlGetWinsize(fd int, req uint) (*Winsize, error) { func IoctlGetWinsize(fd int, req uint) (*Winsize, error) {
var value Winsize var value Winsize
err := ioctl(fd, req, uintptr(unsafe.Pointer(&value))) err := ioctlPtr(fd, req, unsafe.Pointer(&value))
return &value, err return &value, err
} }
func IoctlGetTermios(fd int, req uint) (*Termios, error) { func IoctlGetTermios(fd int, req uint) (*Termios, error) {
var value Termios var value Termios
err := ioctl(fd, req, uintptr(unsafe.Pointer(&value))) err := ioctlPtr(fd, req, unsafe.Pointer(&value))
return &value, err return &value, err
} }

View file

@ -27,9 +27,7 @@ func IoctlSetInt(fd int, req uint, value int) error {
func IoctlSetWinsize(fd int, req uint, value *Winsize) error { func IoctlSetWinsize(fd int, req uint, value *Winsize) error {
// TODO: if we get the chance, remove the req parameter and // TODO: if we get the chance, remove the req parameter and
// hardcode TIOCSWINSZ. // hardcode TIOCSWINSZ.
err := ioctl(fd, req, uintptr(unsafe.Pointer(value))) return ioctlPtr(fd, req, unsafe.Pointer(value))
runtime.KeepAlive(value)
return err
} }
// IoctlSetTermios performs an ioctl on fd with a *Termios. // IoctlSetTermios performs an ioctl on fd with a *Termios.
@ -51,13 +49,13 @@ func IoctlSetTermios(fd int, req uint, value *Termios) error {
// for those, IoctlRetInt should be used instead of this function. // for those, IoctlRetInt should be used instead of this function.
func IoctlGetInt(fd int, req uint) (int, error) { func IoctlGetInt(fd int, req uint) (int, error) {
var value int var value int
err := ioctl(fd, req, uintptr(unsafe.Pointer(&value))) err := ioctlPtr(fd, req, unsafe.Pointer(&value))
return value, err return value, err
} }
func IoctlGetWinsize(fd int, req uint) (*Winsize, error) { func IoctlGetWinsize(fd int, req uint) (*Winsize, error) {
var value Winsize var value Winsize
err := ioctl(fd, req, uintptr(unsafe.Pointer(&value))) err := ioctlPtr(fd, req, unsafe.Pointer(&value))
return &value, err return &value, err
} }

View file

@ -7,6 +7,12 @@
package unix package unix
import "unsafe"
func ptrace(request int, pid int, addr uintptr, data uintptr) error { func ptrace(request int, pid int, addr uintptr, data uintptr) error {
return ptrace1(request, pid, addr, data) return ptrace1(request, pid, addr, data)
} }
func ptracePtr(request int, pid int, addr uintptr, data unsafe.Pointer) error {
return ptrace1Ptr(request, pid, addr, data)
}

View file

@ -7,6 +7,12 @@
package unix package unix
import "unsafe"
func ptrace(request int, pid int, addr uintptr, data uintptr) (err error) { func ptrace(request int, pid int, addr uintptr, data uintptr) (err error) {
return ENOTSUP return ENOTSUP
} }
func ptracePtr(request int, pid int, addr uintptr, data unsafe.Pointer) (err error) {
return ENOTSUP
}

View file

@ -292,9 +292,7 @@ func anyToSockaddr(fd int, rsa *RawSockaddrAny) (Sockaddr, error) {
break break
} }
} }
sa.Name = string(unsafe.Slice((*byte)(unsafe.Pointer(&pp.Path[0])), n))
bytes := (*[len(pp.Path)]byte)(unsafe.Pointer(&pp.Path[0]))[0:n]
sa.Name = string(bytes)
return sa, nil return sa, nil
case AF_INET: case AF_INET:
@ -411,6 +409,7 @@ func (w WaitStatus) CoreDump() bool { return w&0x80 == 0x80 }
func (w WaitStatus) TrapCause() int { return -1 } func (w WaitStatus) TrapCause() int { return -1 }
//sys ioctl(fd int, req uint, arg uintptr) (err error) //sys ioctl(fd int, req uint, arg uintptr) (err error)
//sys ioctlPtr(fd int, req uint, arg unsafe.Pointer) (err error) = ioctl
// fcntl must never be called with cmd=F_DUP2FD because it doesn't work on AIX // fcntl must never be called with cmd=F_DUP2FD because it doesn't work on AIX
// There is no way to create a custom fcntl and to keep //sys fcntl easily, // There is no way to create a custom fcntl and to keep //sys fcntl easily,

View file

@ -245,8 +245,7 @@ func anyToSockaddr(fd int, rsa *RawSockaddrAny) (Sockaddr, error) {
break break
} }
} }
bytes := (*[len(pp.Path)]byte)(unsafe.Pointer(&pp.Path[0]))[0:n] sa.Name = string(unsafe.Slice((*byte)(unsafe.Pointer(&pp.Path[0])), n))
sa.Name = string(bytes)
return sa, nil return sa, nil
case AF_INET: case AF_INET:

View file

@ -14,7 +14,6 @@ package unix
import ( import (
"fmt" "fmt"
"runtime"
"syscall" "syscall"
"unsafe" "unsafe"
) )
@ -376,11 +375,10 @@ func Flistxattr(fd int, dest []byte) (sz int, err error) {
func Kill(pid int, signum syscall.Signal) (err error) { return kill(pid, int(signum), 1) } func Kill(pid int, signum syscall.Signal) (err error) { return kill(pid, int(signum), 1) }
//sys ioctl(fd int, req uint, arg uintptr) (err error) //sys ioctl(fd int, req uint, arg uintptr) (err error)
//sys ioctlPtr(fd int, req uint, arg unsafe.Pointer) (err error) = SYS_IOCTL
func IoctlCtlInfo(fd int, ctlInfo *CtlInfo) error { func IoctlCtlInfo(fd int, ctlInfo *CtlInfo) error {
err := ioctl(fd, CTLIOCGINFO, uintptr(unsafe.Pointer(ctlInfo))) return ioctlPtr(fd, CTLIOCGINFO, unsafe.Pointer(ctlInfo))
runtime.KeepAlive(ctlInfo)
return err
} }
// IfreqMTU is struct ifreq used to get or set a network device's MTU. // IfreqMTU is struct ifreq used to get or set a network device's MTU.
@ -394,16 +392,14 @@ type IfreqMTU struct {
func IoctlGetIfreqMTU(fd int, ifname string) (*IfreqMTU, error) { func IoctlGetIfreqMTU(fd int, ifname string) (*IfreqMTU, error) {
var ifreq IfreqMTU var ifreq IfreqMTU
copy(ifreq.Name[:], ifname) copy(ifreq.Name[:], ifname)
err := ioctl(fd, SIOCGIFMTU, uintptr(unsafe.Pointer(&ifreq))) err := ioctlPtr(fd, SIOCGIFMTU, unsafe.Pointer(&ifreq))
return &ifreq, err return &ifreq, err
} }
// IoctlSetIfreqMTU performs the SIOCSIFMTU ioctl operation on fd to set the MTU // IoctlSetIfreqMTU performs the SIOCSIFMTU ioctl operation on fd to set the MTU
// of the network device specified by ifreq.Name. // of the network device specified by ifreq.Name.
func IoctlSetIfreqMTU(fd int, ifreq *IfreqMTU) error { func IoctlSetIfreqMTU(fd int, ifreq *IfreqMTU) error {
err := ioctl(fd, SIOCSIFMTU, uintptr(unsafe.Pointer(ifreq))) return ioctlPtr(fd, SIOCSIFMTU, unsafe.Pointer(ifreq))
runtime.KeepAlive(ifreq)
return err
} }
//sys sysctl(mib []_C_int, old *byte, oldlen *uintptr, new *byte, newlen uintptr) (err error) = SYS_SYSCTL //sys sysctl(mib []_C_int, old *byte, oldlen *uintptr, new *byte, newlen uintptr) (err error) = SYS_SYSCTL

View file

@ -47,5 +47,6 @@ func Syscall9(num, a1, a2, a3, a4, a5, a6, a7, a8, a9 uintptr) (r1, r2 uintptr,
//sys getfsstat(buf unsafe.Pointer, size uintptr, flags int) (n int, err error) = SYS_GETFSSTAT64 //sys getfsstat(buf unsafe.Pointer, size uintptr, flags int) (n int, err error) = SYS_GETFSSTAT64
//sys Lstat(path string, stat *Stat_t) (err error) = SYS_LSTAT64 //sys Lstat(path string, stat *Stat_t) (err error) = SYS_LSTAT64
//sys ptrace1(request int, pid int, addr uintptr, data uintptr) (err error) = SYS_ptrace //sys ptrace1(request int, pid int, addr uintptr, data uintptr) (err error) = SYS_ptrace
//sys ptrace1Ptr(request int, pid int, addr unsafe.Pointer, data uintptr) (err error) = SYS_ptrace
//sys Stat(path string, stat *Stat_t) (err error) = SYS_STAT64 //sys Stat(path string, stat *Stat_t) (err error) = SYS_STAT64
//sys Statfs(path string, stat *Statfs_t) (err error) = SYS_STATFS64 //sys Statfs(path string, stat *Statfs_t) (err error) = SYS_STATFS64

View file

@ -47,5 +47,6 @@ func Syscall9(num, a1, a2, a3, a4, a5, a6, a7, a8, a9 uintptr) (r1, r2 uintptr,
//sys getfsstat(buf unsafe.Pointer, size uintptr, flags int) (n int, err error) = SYS_GETFSSTAT //sys getfsstat(buf unsafe.Pointer, size uintptr, flags int) (n int, err error) = SYS_GETFSSTAT
//sys Lstat(path string, stat *Stat_t) (err error) //sys Lstat(path string, stat *Stat_t) (err error)
//sys ptrace1(request int, pid int, addr uintptr, data uintptr) (err error) = SYS_ptrace //sys ptrace1(request int, pid int, addr uintptr, data uintptr) (err error) = SYS_ptrace
//sys ptrace1Ptr(request int, pid int, addr unsafe.Pointer, data uintptr) (err error) = SYS_ptrace
//sys Stat(path string, stat *Stat_t) (err error) //sys Stat(path string, stat *Stat_t) (err error)
//sys Statfs(path string, stat *Statfs_t) (err error) //sys Statfs(path string, stat *Statfs_t) (err error)

View file

@ -172,6 +172,7 @@ func Getfsstat(buf []Statfs_t, flags int) (n int, err error) {
} }
//sys ioctl(fd int, req uint, arg uintptr) (err error) //sys ioctl(fd int, req uint, arg uintptr) (err error)
//sys ioctlPtr(fd int, req uint, arg unsafe.Pointer) (err error) = SYS_IOCTL
//sys sysctl(mib []_C_int, old *byte, oldlen *uintptr, new *byte, newlen uintptr) (err error) = SYS___SYSCTL //sys sysctl(mib []_C_int, old *byte, oldlen *uintptr, new *byte, newlen uintptr) (err error) = SYS___SYSCTL

View file

@ -161,7 +161,8 @@ func Getfsstat(buf []Statfs_t, flags int) (n int, err error) {
return return
} }
//sys ioctl(fd int, req uint, arg uintptr) (err error) //sys ioctl(fd int, req uint, arg uintptr) (err error) = SYS_IOCTL
//sys ioctlPtr(fd int, req uint, arg unsafe.Pointer) (err error) = SYS_IOCTL
//sys sysctl(mib []_C_int, old *byte, oldlen *uintptr, new *byte, newlen uintptr) (err error) = SYS___SYSCTL //sys sysctl(mib []_C_int, old *byte, oldlen *uintptr, new *byte, newlen uintptr) (err error) = SYS___SYSCTL
@ -253,6 +254,7 @@ func Sendfile(outfd int, infd int, offset *int64, count int) (written int, err e
} }
//sys ptrace(request int, pid int, addr uintptr, data int) (err error) //sys ptrace(request int, pid int, addr uintptr, data int) (err error)
//sys ptracePtr(request int, pid int, addr unsafe.Pointer, data int) (err error) = SYS_PTRACE
func PtraceAttach(pid int) (err error) { func PtraceAttach(pid int) (err error) {
return ptrace(PT_ATTACH, pid, 0, 0) return ptrace(PT_ATTACH, pid, 0, 0)
@ -267,19 +269,36 @@ func PtraceDetach(pid int) (err error) {
} }
func PtraceGetFpRegs(pid int, fpregsout *FpReg) (err error) { func PtraceGetFpRegs(pid int, fpregsout *FpReg) (err error) {
return ptrace(PT_GETFPREGS, pid, uintptr(unsafe.Pointer(fpregsout)), 0) return ptracePtr(PT_GETFPREGS, pid, unsafe.Pointer(fpregsout), 0)
} }
func PtraceGetRegs(pid int, regsout *Reg) (err error) { func PtraceGetRegs(pid int, regsout *Reg) (err error) {
return ptrace(PT_GETREGS, pid, uintptr(unsafe.Pointer(regsout)), 0) return ptracePtr(PT_GETREGS, pid, unsafe.Pointer(regsout), 0)
}
func PtraceIO(req int, pid int, offs uintptr, out []byte, countin int) (count int, err error) {
ioDesc := PtraceIoDesc{
Op: int32(req),
Offs: offs,
}
if countin > 0 {
_ = out[:countin] // check bounds
ioDesc.Addr = &out[0]
} else if out != nil {
ioDesc.Addr = (*byte)(unsafe.Pointer(&_zero))
}
ioDesc.SetLen(countin)
err = ptracePtr(PT_IO, pid, unsafe.Pointer(&ioDesc), 0)
return int(ioDesc.Len), err
} }
func PtraceLwpEvents(pid int, enable int) (err error) { func PtraceLwpEvents(pid int, enable int) (err error) {
return ptrace(PT_LWP_EVENTS, pid, 0, enable) return ptrace(PT_LWP_EVENTS, pid, 0, enable)
} }
func PtraceLwpInfo(pid int, info uintptr) (err error) { func PtraceLwpInfo(pid int, info *PtraceLwpInfoStruct) (err error) {
return ptrace(PT_LWPINFO, pid, info, int(unsafe.Sizeof(PtraceLwpInfoStruct{}))) return ptracePtr(PT_LWPINFO, pid, unsafe.Pointer(info), int(unsafe.Sizeof(*info)))
} }
func PtracePeekData(pid int, addr uintptr, out []byte) (count int, err error) { func PtracePeekData(pid int, addr uintptr, out []byte) (count int, err error) {
@ -299,13 +318,25 @@ func PtracePokeText(pid int, addr uintptr, data []byte) (count int, err error) {
} }
func PtraceSetRegs(pid int, regs *Reg) (err error) { func PtraceSetRegs(pid int, regs *Reg) (err error) {
return ptrace(PT_SETREGS, pid, uintptr(unsafe.Pointer(regs)), 0) return ptracePtr(PT_SETREGS, pid, unsafe.Pointer(regs), 0)
} }
func PtraceSingleStep(pid int) (err error) { func PtraceSingleStep(pid int) (err error) {
return ptrace(PT_STEP, pid, 1, 0) return ptrace(PT_STEP, pid, 1, 0)
} }
func Dup3(oldfd, newfd, flags int) error {
if oldfd == newfd || flags&^O_CLOEXEC != 0 {
return EINVAL
}
how := F_DUP2FD
if flags&O_CLOEXEC != 0 {
how = F_DUP2FD_CLOEXEC
}
_, err := fcntl(oldfd, how, newfd)
return err
}
/* /*
* Exposed directly * Exposed directly
*/ */

View file

@ -42,6 +42,10 @@ func (cmsg *Cmsghdr) SetLen(length int) {
cmsg.Len = uint32(length) cmsg.Len = uint32(length)
} }
func (d *PtraceIoDesc) SetLen(length int) {
d.Len = uint32(length)
}
func sendfile(outfd int, infd int, offset *int64, count int) (written int, err error) { func sendfile(outfd int, infd int, offset *int64, count int) (written int, err error) {
var writtenOut uint64 = 0 var writtenOut uint64 = 0
_, _, e1 := Syscall9(SYS_SENDFILE, uintptr(infd), uintptr(outfd), uintptr(*offset), uintptr((*offset)>>32), uintptr(count), 0, uintptr(unsafe.Pointer(&writtenOut)), 0, 0) _, _, e1 := Syscall9(SYS_SENDFILE, uintptr(infd), uintptr(outfd), uintptr(*offset), uintptr((*offset)>>32), uintptr(count), 0, uintptr(unsafe.Pointer(&writtenOut)), 0, 0)
@ -57,16 +61,5 @@ func sendfile(outfd int, infd int, offset *int64, count int) (written int, err e
func Syscall9(num, a1, a2, a3, a4, a5, a6, a7, a8, a9 uintptr) (r1, r2 uintptr, err syscall.Errno) func Syscall9(num, a1, a2, a3, a4, a5, a6, a7, a8, a9 uintptr) (r1, r2 uintptr, err syscall.Errno)
func PtraceGetFsBase(pid int, fsbase *int64) (err error) { func PtraceGetFsBase(pid int, fsbase *int64) (err error) {
return ptrace(PT_GETFSBASE, pid, uintptr(unsafe.Pointer(fsbase)), 0) return ptracePtr(PT_GETFSBASE, pid, unsafe.Pointer(fsbase), 0)
}
func PtraceIO(req int, pid int, offs uintptr, out []byte, countin int) (count int, err error) {
ioDesc := PtraceIoDesc{
Op: int32(req),
Offs: offs,
Addr: uintptr(unsafe.Pointer(&out[0])), // TODO(#58351): this is not safe.
Len: uint32(countin),
}
err = ptrace(PT_IO, pid, uintptr(unsafe.Pointer(&ioDesc)), 0)
return int(ioDesc.Len), err
} }

Some files were not shown because too many files have changed in this diff Show more