forked from TrueCloudLab/distribution
7caf058a65
v1.3.0 of azidentity introduces support to workload identity. Signed-off-by: Flavian Missi <fmissi@redhat.com>
130 lines
3.8 KiB
Go
130 lines
3.8 KiB
Go
//go:build go1.18
|
|
// +build go1.18
|
|
|
|
// Copyright (c) Microsoft Corporation. All rights reserved.
|
|
// Licensed under the MIT License.
|
|
|
|
package azidentity
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"strings"
|
|
"sync"
|
|
|
|
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
|
|
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
|
|
"github.com/Azure/azure-sdk-for-go/sdk/internal/log"
|
|
)
|
|
|
|
type authFn func(context.Context, policy.TokenRequestOptions) (azcore.AccessToken, error)
|
|
|
|
// syncer synchronizes authentication calls so that goroutines can share a credential instance
|
|
type syncer struct {
|
|
addlTenants []string
|
|
authing bool
|
|
cond *sync.Cond
|
|
reqToken, silent authFn
|
|
name, tenant string
|
|
}
|
|
|
|
func newSyncer(name, tenant string, additionalTenants []string, reqToken, silentAuth authFn) *syncer {
|
|
return &syncer{
|
|
addlTenants: resolveAdditionalTenants(additionalTenants),
|
|
cond: &sync.Cond{L: &sync.Mutex{}},
|
|
name: name,
|
|
reqToken: reqToken,
|
|
silent: silentAuth,
|
|
tenant: tenant,
|
|
}
|
|
}
|
|
|
|
// GetToken ensures that only one goroutine authenticates at a time
|
|
func (s *syncer) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
|
var at azcore.AccessToken
|
|
var err error
|
|
if len(opts.Scopes) == 0 {
|
|
return at, errors.New(s.name + ".GetToken() requires at least one scope")
|
|
}
|
|
// we don't resolve the tenant for managed identities because they can acquire tokens only from their home tenants
|
|
if s.name != credNameManagedIdentity {
|
|
tenant, err := s.resolveTenant(opts.TenantID)
|
|
if err != nil {
|
|
return at, err
|
|
}
|
|
opts.TenantID = tenant
|
|
}
|
|
auth := false
|
|
s.cond.L.Lock()
|
|
defer s.cond.L.Unlock()
|
|
for {
|
|
at, err = s.silent(ctx, opts)
|
|
if err == nil {
|
|
// got a token
|
|
break
|
|
}
|
|
if !s.authing {
|
|
// this goroutine will request a token
|
|
s.authing, auth = true, true
|
|
break
|
|
}
|
|
// another goroutine is acquiring a token; wait for it to finish, then try silent auth again
|
|
s.cond.Wait()
|
|
}
|
|
if auth {
|
|
s.authing = false
|
|
at, err = s.reqToken(ctx, opts)
|
|
s.cond.Broadcast()
|
|
}
|
|
if err != nil {
|
|
// Return credentialUnavailableError directly because that type affects the behavior of credential chains.
|
|
// Otherwise, return AuthenticationFailedError.
|
|
var unavailableErr *credentialUnavailableError
|
|
if !errors.As(err, &unavailableErr) {
|
|
res := getResponseFromError(err)
|
|
err = newAuthenticationFailedError(s.name, err.Error(), res, err)
|
|
}
|
|
} else if log.Should(EventAuthentication) {
|
|
scope := strings.Join(opts.Scopes, ", ")
|
|
msg := fmt.Sprintf(`%s.GetToken() acquired a token for scope "%s"\n`, s.name, scope)
|
|
log.Write(EventAuthentication, msg)
|
|
}
|
|
return at, err
|
|
}
|
|
|
|
// resolveTenant returns the correct tenant for a token request given the credential's
|
|
// configuration, or an error when the specified tenant isn't allowed by that configuration
|
|
func (s *syncer) resolveTenant(requested string) (string, error) {
|
|
if requested == "" || requested == s.tenant {
|
|
return s.tenant, nil
|
|
}
|
|
if s.tenant == "adfs" {
|
|
return "", errors.New("ADFS doesn't support tenants")
|
|
}
|
|
if !validTenantID(requested) {
|
|
return "", errors.New(tenantIDValidationErr)
|
|
}
|
|
for _, t := range s.addlTenants {
|
|
if t == "*" || t == requested {
|
|
return requested, nil
|
|
}
|
|
}
|
|
return "", fmt.Errorf(`%s isn't configured to acquire tokens for tenant %q. To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add "*" to allow acquiring tokens for any tenant`, s.name, requested)
|
|
}
|
|
|
|
// resolveAdditionalTenants returns a copy of tenants, simplified when tenants contains a wildcard
|
|
func resolveAdditionalTenants(tenants []string) []string {
|
|
if len(tenants) == 0 {
|
|
return nil
|
|
}
|
|
for _, t := range tenants {
|
|
// a wildcard makes all other values redundant
|
|
if t == "*" {
|
|
return []string{"*"}
|
|
}
|
|
}
|
|
cp := make([]string, len(tenants))
|
|
copy(cp, tenants)
|
|
return cp
|
|
}
|