Skip to content

Commit

Permalink
migrate from adal to azidentity
Browse files Browse the repository at this point in the history
adal is is out of support since March 31, 2023.
This PR migrates from adal to azidentity for azure
key vault

Signed-off-by: sp98 <[email protected]>
  • Loading branch information
sp98 committed Feb 15, 2024
1 parent 5f4b25c commit b0d2f1d
Show file tree
Hide file tree
Showing 5 changed files with 180 additions and 58 deletions.
50 changes: 33 additions & 17 deletions azure/azure_kv.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,7 @@ import (
"errors"
"time"

"github.com/Azure/azure-sdk-for-go/services/keyvault/2016-10-01/keyvault"
"github.com/Azure/go-autorest/autorest/to"
"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
"github.com/libopenstorage/secrets"
"github.com/portworx/sched-ops/task"
)
Expand All @@ -21,6 +20,10 @@ const (
AzureClientID = "AZURE_CLIENT_ID"
// AzureClientSecret of service principal account
AzureClientSecret = "AZURE_CLIENT_SECRET"
// AzureClientCertPath is path of the client certificate
AzureClientCertPath = "AZURE_CLIENT_CERT_PATH"
// AzureClientCertPassword is the password of the private key
AzureClientCertPassword = "AZURE_CIENT_CERT_PASSWORD"
// AzureEnviornment to connect
AzureEnviornment = "AZURE_ENVIRONMENT"
// AzureVaultURI of azure key vault
Expand All @@ -37,6 +40,7 @@ var (
ErrAzureTenantIDNotSet = errors.New("AZURE_TENANT_ID not set.")
ErrAzureClientIDNotSet = errors.New("AZURE_CLIENT_ID not set.")
ErrAzureSecretIDNotSet = errors.New("AZURE_SECRET_ID not set.")
ErrAzureAuthMedhodNotSet = errors.New("AZURE_SECRET_ID or AZURE_CLIENT_CERT_PATH not set")
ErrAzureVaultURLNotSet = errors.New("AZURE_VAULT_URL not set.")
ErrAzureEnvironmentNotset = errors.New("AZURE_ENVIRONMENT not set.")
ErrAzureConfigMissing = errors.New("AzureConfig is not provided")
Expand All @@ -45,7 +49,7 @@ var (
)

type azureSecrets struct {
kv keyvault.BaseClient
kv azsecrets.Client
baseURL string
}

Expand All @@ -62,9 +66,9 @@ func New(
return nil, ErrAzureClientIDNotSet
}
secretID := getAzureKVParams(secretConfig, AzureClientSecret)
if secretID == "" {
return nil, ErrAzureSecretIDNotSet
}
clientCertPath := getAzureKVParams(secretConfig, AzureClientCertPath)
clientCertPassword := getAzureKVParams(secretConfig, AzureClientCertPassword)

envName := getAzureKVParams(secretConfig, AzureEnviornment)
if envName == "" {
// we set back to default AzurePublicCloud
Expand All @@ -75,13 +79,24 @@ func New(
return nil, ErrAzureVaultURLNotSet
}

client, err := getAzureVaultClient(clientID, secretID, tenantID, envName)
if err != nil {
return nil, err
var client *azsecrets.Client
var err error
if secretID != "" {
client, err = getAzureVaultClient(clientID, secretID, tenantID, vaultURL)
if err != nil {
return nil, err
}
} else if clientCertPath != "" {
client, err = getAzureVaultClientWithCert(clientID, tenantID, vaultURL, clientCertPath, clientCertPassword)
if err != nil {
return nil, err
}
} else {
return nil, ErrAzureAuthMedhodNotSet
}

return &azureSecrets{
kv: client,
kv: *client,
baseURL: vaultURL,
}, nil
}
Expand All @@ -98,7 +113,8 @@ func (az *azureSecrets) GetSecret(
}

t := func() (interface{}, bool, error) {
secretResp, err := az.kv.GetSecret(ctx, az.baseURL, secretID, "")
// passing empty version to always get the latest version of the secret.
secretResp, err := az.kv.GetSecret(ctx, secretID, "", nil)
if err != nil {
return nil, true, err
}
Expand All @@ -109,7 +125,7 @@ func (az *azureSecrets) GetSecret(
return nil, secrets.NoVersion, err
}

secretResp, ok := resp.(keyvault.SecretBundle)
secretResp, ok := resp.(azsecrets.SecretBundle)
if !ok || secretResp.Value == nil {
return nil, secrets.NoVersion, ErrInvalidSecretResp
}
Expand All @@ -133,7 +149,7 @@ func (az *azureSecrets) PutSecret(
ctx, cancel := context.WithTimeout(context.Background(), defaultTimeout)
defer cancel()

var secretResp keyvault.SecretBundle
var secretResp azsecrets.SecretBundle
if secretName == "" {
return secrets.NoVersion, secrets.ErrEmptySecretId
}
Expand All @@ -146,10 +162,10 @@ func (az *azureSecrets) PutSecret(
return secrets.NoVersion, err
}

valueStr := string(value)
t := func() (interface{}, bool, error) {
secretResp, err = az.kv.SetSecret(ctx, az.baseURL, secretName, keyvault.SecretSetParameters{
Value: to.StringPtr(string(value)),
})
params := azsecrets.SetSecretParameters{Value: &valueStr}
az.kv.SetSecret(ctx, secretName, params, nil)
if err != nil {
return nil, true, err
}
Expand All @@ -169,7 +185,7 @@ func (az *azureSecrets) DeleteSecret(
if secretName == "" {
return secrets.ErrEmptySecretId
}
_, err := az.kv.DeleteSecret(ctx, az.baseURL, secretName)
_, err := az.kv.DeleteSecret(ctx, secretName, nil)

return err
}
Expand Down
60 changes: 37 additions & 23 deletions azure/azure_kv_helper.go
Original file line number Diff line number Diff line change
@@ -1,14 +1,11 @@
package azure

import (
"net/url"
"fmt"
"os"
"strings"

"github.com/Azure/azure-sdk-for-go/services/keyvault/2016-10-01/keyvault"
"github.com/Azure/go-autorest/autorest"
"github.com/Azure/go-autorest/autorest/adal"
"github.com/Azure/go-autorest/autorest/azure"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
)

func getAzureKVParams(secretConfig map[string]interface{}, name string) string {
Expand All @@ -19,29 +16,46 @@ func getAzureKVParams(secretConfig map[string]interface{}, name string) string {
}
}

func getAzureVaultClient(clientID, secretID, tenantID, envName string) (keyvault.BaseClient, error) {
var environment *azure.Environment
alternateEndpoint, _ := url.Parse(
"https://login.windows.net/" + tenantID + "/oauth2/token")
func getAzureVaultClient(clientID, secretID, tenantID, vaultURL string) (*azsecrets.Client, error) {
cred, err := azidentity.NewClientSecretCredential(tenantID, clientID, secretID, nil)
if err != nil {
return nil, fmt.Errorf("failed to get client secret credentials. %v", err)
}
client, err := azsecrets.NewClient(vaultURL, cred, nil)
if err != nil {
return nil, fmt.Errorf("failed to get client to access azure kv secrets. %v", err)
}

return client, nil
}

func getAzureVaultClientWithCert(clientID, tenantID, vaultURL, certPath, certPassword string) (*azsecrets.Client, error) {
certData, err := os.ReadFile(certPath)
if err != nil {
return nil, fmt.Errorf("failed read certificate from path %q. %v", certPath, err)
}

keyClient := keyvault.New()
env, err := azure.EnvironmentFromName(envName)
var passphrase []byte
if certPassword == "" {
passphrase = nil
} else {
passphrase = []byte(certPassword)
}

certs, key, err := azidentity.ParseCertificates(certData, passphrase)
if err != nil {
return keyClient, err
return nil, fmt.Errorf("failed load certificate and private key. %v", err)
}
environment = &env
oauthconfig, err := adal.NewOAuthConfig(
environment.ActiveDirectoryEndpoint, tenantID)

cred, err := azidentity.NewClientCertificateCredential(tenantID, clientID, certs, key, nil)
if err != nil {
return keyClient, err
return nil, fmt.Errorf("failed to construct client certificate credentials. %v", err)
}
oauthconfig.AuthorizeEndpoint = *alternateEndpoint

token, err := adal.NewServicePrincipalToken(
*oauthconfig, clientID, secretID, strings.TrimSuffix(environment.KeyVaultEndpoint, "/"))
client, err := azsecrets.NewClient(vaultURL, cred, nil)
if err != nil {
return keyClient, err
return nil, fmt.Errorf("failed to get client to access azure kv secrets. %v", err)
}
keyClient.Authorizer = autorest.NewBearerAuthorizer(token)
return keyClient, nil

return client, nil
}
13 changes: 7 additions & 6 deletions azure/azure_kv_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,25 +11,26 @@ func TestNew(t *testing.T) {
os.Unsetenv("AZURE_TENANT_ID")
os.Unsetenv("AZURE_CLIENT_ID")
os.Unsetenv("AZURE_CLIENT_SECRET")
os.Unsetenv("AZURE_CLIENT_CERT_PATH")
os.Unsetenv("AZURE_ENVIRONMENT")
os.Unsetenv("AZURE_VAULT_URL")

// nil secret config
_, err := New(nil)
assert.Equal(t, err, ErrAzureTenantIDNotSet)
assert.Equal(t, ErrAzureTenantIDNotSet, err)
os.Setenv("AZURE_TENANT_ID", "invalid_tenant_id")

_, err = New(nil)
assert.Equal(t, err, ErrAzureClientIDNotSet)
assert.Equal(t, ErrAzureClientIDNotSet, err)
os.Setenv("AZURE_CLIENT_ID", "invalid-client-id")

_, err = New(nil)
assert.Equal(t, err, ErrAzureSecretIDNotSet)
os.Setenv("AZURE_CLIENT_SECRET", "invalid-secret-id")
assert.Equal(t, ErrAzureVaultURLNotSet, err)
os.Setenv("AZURE_VAULT_URL", "invalid-vault-url")

_, err = New(nil)
assert.Equal(t, err, ErrAzureVaultURLNotSet)
os.Setenv("AZURE_VAULT_URL", "invalid-vault-url")
assert.Equal(t, ErrAzureAuthMedhodNotSet, err)
os.Setenv("AZURE_CLIENT_SECRET", "invalid-secret-id")

_, err = New(nil)
assert.NoError(t, err, "Unepxected error on New")
Expand Down
7 changes: 4 additions & 3 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -18,21 +18,22 @@ require (
github.com/portworx/kvdb v0.0.0-20200929023115-b312c7519467
github.com/portworx/sched-ops v1.20.4-rc1
github.com/sirupsen/logrus v1.9.0
github.com/stretchr/testify v1.8.0
github.com/stretchr/testify v1.8.4
google.golang.org/api v0.83.0
k8s.io/client-go v12.0.0+incompatible
)

require (
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1
github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armsubscriptions v1.3.0
github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
github.com/cenkalti/backoff v2.2.1+incompatible // indirect
github.com/cenkalti/backoff/v3 v3.2.2 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/emicklei/go-restful/v3 v3.9.0 // indirect
github.com/go-openapi/jsonreference v0.20.0 // indirect
github.com/go-test/deep v1.0.8 // indirect
github.com/golang-jwt/jwt/v4 v4.3.0 // indirect
github.com/google/uuid v1.3.0 // indirect
github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
github.com/imdario/mergo v0.3.13 // indirect
Expand Down
Loading

0 comments on commit b0d2f1d

Please sign in to comment.