From 5c922f6c6a78c6a2002f02bde090ff9e912b2ab8 Mon Sep 17 00:00:00 2001 From: Tom Bamford Date: Thu, 28 Sep 2023 22:37:28 +0100 Subject: [PATCH 1/3] REBASE: update go-azure-sdk, see https://github.com/hashicorp/go-azure-sdk/pull/665 --- go.mod | 2 +- go.sum | 4 +- .../iotdpsresource/method_listkeys.go | 2 +- .../method_listkeysforkeyname.go | 2 +- .../2021-07-01/account/method_listkeys.go | 2 +- .../2022-10-27/appliances/method_listkeys.go | 2 +- .../sdk/auth/azure_cli_authorizer.go | 5 ++ .../sdk/auth/cached_authorizer.go | 12 ++++- .../sdk/auth/client_credentials.go | 5 ++ .../sdk/auth/client_secret_authorizer.go | 5 ++ .../sdk/auth/github_oidc_authorizer.go | 5 ++ .../go-azure-sdk/sdk/auth/interface.go | 2 +- .../sdk/auth/managed_identity_authorizer.go | 5 ++ .../sdk/auth/shared_key_authorizer.go | 5 +- .../hashicorp/go-azure-sdk/sdk/auth/token.go | 51 +++++++++++++++++-- .../go-azure-sdk/sdk/claims/claims.go | 1 + .../go-azure-sdk/sdk/client/client.go | 7 +-- .../sdk/environments/application_ids.go | 3 ++ .../sdk/environments/constants.go | 3 ++ vendor/modules.txt | 2 +- 20 files changed, 105 insertions(+), 20 deletions(-) diff --git a/go.mod b/go.mod index a8a1abc89d86..d2c56fde8b70 100644 --- a/go.mod +++ b/go.mod @@ -15,7 +15,7 @@ require ( github.com/google/go-cmp v0.5.9 github.com/google/uuid v1.3.1 github.com/hashicorp/go-azure-helpers v0.61.0 - github.com/hashicorp/go-azure-sdk v0.20230918.1115907 + github.com/hashicorp/go-azure-sdk v0.20230922.1111208-0.20230928213051-e2ff919cff2f github.com/hashicorp/go-hclog v1.5.0 github.com/hashicorp/go-multierror v1.1.1 github.com/hashicorp/go-uuid v1.0.3 diff --git a/go.sum b/go.sum index 76fae18e20e3..2496c4db6075 100644 --- a/go.sum +++ b/go.sum 
@@ -101,8 +101,8 @@ github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brv github.com/hashicorp/go-azure-helpers v0.12.0/go.mod h1:Zc3v4DNeX6PDdy7NljlYpnrdac1++qNW0I4U+ofGwpg= github.com/hashicorp/go-azure-helpers v0.61.0 h1:dIz23Vp8LdErxuImc6V5QIPtJcWjMgqP75bfp8o1Lro= github.com/hashicorp/go-azure-helpers v0.61.0/go.mod h1:BQUQp5udwbJ8pnzl0wByCLVEEyPMAFpJ9vOREiCzObo= -github.com/hashicorp/go-azure-sdk v0.20230918.1115907 h1:V+SyLwBD9tpnW00H/AnqM2ir11CUchc0EPuf2Mi0c+s= -github.com/hashicorp/go-azure-sdk v0.20230918.1115907/go.mod h1:KSQRt0kuQGxFXo3t0KtQwTXhOWWxso2ZoSbtqQitruY= +github.com/hashicorp/go-azure-sdk v0.20230922.1111208-0.20230928213051-e2ff919cff2f h1:yQMyvKptrCkCnY49FYYM1nDqEx+HSrJ/lQCh2TR09BA= +github.com/hashicorp/go-azure-sdk v0.20230922.1111208-0.20230928213051-e2ff919cff2f/go.mod h1:KSQRt0kuQGxFXo3t0KtQwTXhOWWxso2ZoSbtqQitruY= github.com/hashicorp/go-checkpoint v0.5.0 h1:MFYpPZCnQqQTE18jFwSII6eUQrD/oxMFp3mlgcqk5mU= github.com/hashicorp/go-checkpoint v0.5.0/go.mod h1:7nfLNL10NsxqO4iWuW6tWW0HjZuDrwkBuEQsVcpCOgg= github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= diff --git a/vendor/github.com/hashicorp/go-azure-sdk/resource-manager/deviceprovisioningservices/2022-02-05/iotdpsresource/method_listkeys.go b/vendor/github.com/hashicorp/go-azure-sdk/resource-manager/deviceprovisioningservices/2022-02-05/iotdpsresource/method_listkeys.go index 44db0ebc7d1c..ac5ca445e8dc 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/resource-manager/deviceprovisioningservices/2022-02-05/iotdpsresource/method_listkeys.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/resource-manager/deviceprovisioningservices/2022-02-05/iotdpsresource/method_listkeys.go 
@@ -31,7 +31,7 @@ func (c IotDpsResourceClient) ListKeys(ctx context.Context, id commonids.Provisi http.StatusOK, }, HttpMethod: http.MethodPost, - Path: fmt.Sprintf("%s/listkeys", id.ID()), + Path: fmt.Sprintf("%s/listKeys", id.ID()), } req, err := c.Client.NewRequest(ctx, opts) diff --git a/vendor/github.com/hashicorp/go-azure-sdk/resource-manager/deviceprovisioningservices/2022-02-05/iotdpsresource/method_listkeysforkeyname.go b/vendor/github.com/hashicorp/go-azure-sdk/resource-manager/deviceprovisioningservices/2022-02-05/iotdpsresource/method_listkeysforkeyname.go index e69e22dd8a6a..71982c4e96f6 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/resource-manager/deviceprovisioningservices/2022-02-05/iotdpsresource/method_listkeysforkeyname.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/resource-manager/deviceprovisioningservices/2022-02-05/iotdpsresource/method_listkeysforkeyname.go @@ -26,7 +26,7 @@ func (c IotDpsResourceClient) ListKeysForKeyName(ctx context.Context, id KeyId) http.StatusOK, }, HttpMethod: http.MethodPost, - Path: fmt.Sprintf("%s/listkeys", id.ID()), + Path: fmt.Sprintf("%s/listKeys", id.ID()), } req, err := c.Client.NewRequest(ctx, opts) diff --git a/vendor/github.com/hashicorp/go-azure-sdk/resource-manager/purview/2021-07-01/account/method_listkeys.go b/vendor/github.com/hashicorp/go-azure-sdk/resource-manager/purview/2021-07-01/account/method_listkeys.go index 627d1914d56a..c63e54a1d3f0 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/resource-manager/purview/2021-07-01/account/method_listkeys.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/resource-manager/purview/2021-07-01/account/method_listkeys.go @@ -26,7 +26,7 @@ func (c AccountClient) ListKeys(ctx context.Context, id AccountId) (result ListK http.StatusOK, }, HttpMethod: http.MethodPost, - Path: fmt.Sprintf("%s/listkeys", id.ID()), + Path: fmt.Sprintf("%s/listKeys", id.ID()), } req, err := c.Client.NewRequest(ctx, opts) 
diff --git a/vendor/github.com/hashicorp/go-azure-sdk/resource-manager/resourceconnector/2022-10-27/appliances/method_listkeys.go b/vendor/github.com/hashicorp/go-azure-sdk/resource-manager/resourceconnector/2022-10-27/appliances/method_listkeys.go index 934aad299db0..36647fbf3818 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/resource-manager/resourceconnector/2022-10-27/appliances/method_listkeys.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/resource-manager/resourceconnector/2022-10-27/appliances/method_listkeys.go @@ -53,7 +53,7 @@ func (c AppliancesClient) ListKeys(ctx context.Context, id ApplianceId, options http.StatusOK, }, HttpMethod: http.MethodPost, - Path: fmt.Sprintf("%s/listkeys", id.ID()), + Path: fmt.Sprintf("%s/listKeys", id.ID()), OptionsObject: options, } diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/azure_cli_authorizer.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/azure_cli_authorizer.go index 21de3aaa457a..48bd6729016e 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/azure_cli_authorizer.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/azure_cli_authorizer.go @@ -143,6 +143,11 @@ func (a *AzureCliAuthorizer) AuxiliaryTokens(_ context.Context, _ *http.Request) return tokens, nil } +// ExpireToken has no effect with uncached Authorizers +func (a *AzureCliAuthorizer) ExpireTokens() error { + return nil +} + const ( AzureCliMinimumVersion = "2.0.81" AzureCliMsalVersion = "2.30.0" diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/cached_authorizer.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/cached_authorizer.go index 6043dda77cec..2bc2e210c017 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/cached_authorizer.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/cached_authorizer.go @@ -8,6 +8,7 @@ import ( "fmt" "net/http" "sync" + "time" "golang.org/x/oauth2" ) 
@@ -54,7 +55,7 @@ func (c *CachedAuthorizer) AuxiliaryTokens(ctx context.Context, req *http.Reques } c.mutex.RUnlock() - if !dueForRenewal { + if dueForRenewal || len(c.auxTokens) == 0 { c.mutex.Lock() defer c.mutex.Unlock() var err error @@ -67,6 +68,15 @@ func (c *CachedAuthorizer) AuxiliaryTokens(ctx context.Context, req *http.Reques return c.auxTokens, nil } +// ExpireTokens expires the currently cached token and auxTokens, forcing new tokens to be acquired when Token() or AuxiliaryTokens() are next called +func (c *CachedAuthorizer) ExpireTokens() error { + c.token.Expiry = time.Now() + for i := range c.auxTokens { + c.auxTokens[i].Expiry = time.Now() + } + return nil +} + // NewCachedAuthorizer returns an Authorizer that caches an access token for the duration of its validity. // If the cached token expires, a new one is acquired and cached. func NewCachedAuthorizer(src Authorizer) (Authorizer, error) { diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/client_credentials.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/client_credentials.go index 571a12ccd8f3..84116240a887 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/client_credentials.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/client_credentials.go @@ -314,6 +314,11 @@ func (a *ClientAssertionAuthorizer) AuxiliaryTokens(ctx context.Context, _ *http return tokens, nil } +// ExpireToken has no effect with uncached Authorizers +func (a *ClientAssertionAuthorizer) ExpireTokens() error { + return nil +} + func clientCredentialsToken(ctx context.Context, endpoint string, params *url.Values) (*oauth2.Token, error) { req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, bytes.NewBuffer([]byte(params.Encode()))) if err != nil { diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/client_secret_authorizer.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/client_secret_authorizer.go index dcbd3ffe85a5..91fb5d23568e 100644 
--- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/client_secret_authorizer.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/client_secret_authorizer.go @@ -131,3 +131,8 @@ func (a *ClientSecretAuthorizer) AuxiliaryTokens(ctx context.Context, _ *http.Re return tokens, nil } + +// ExpireToken has no effect with uncached Authorizers +func (a *ClientSecretAuthorizer) ExpireTokens() error { + return nil +} diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/github_oidc_authorizer.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/github_oidc_authorizer.go index a369ebf9828f..4a6212d52128 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/github_oidc_authorizer.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/github_oidc_authorizer.go @@ -190,6 +190,11 @@ type gitHubOIDCConfig struct { Audience string } +// ExpireToken has no effect with uncached Authorizers +func (a *GitHubOIDCAuthorizer) ExpireTokens() error { + return nil +} + func (c *gitHubOIDCConfig) TokenSource(ctx context.Context) (Authorizer, error) { return NewCachedAuthorizer(&GitHubOIDCAuthorizer{ conf: c, diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/interface.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/interface.go index 7620f5d76f9d..fe5256e5e9b9 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/interface.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/interface.go @@ -13,8 +13,8 @@ import ( // Authorizer is anything that can return an access token for authorizing API connections type Authorizer interface { Token(ctx context.Context, request *http.Request) (*oauth2.Token, error) - AuxiliaryTokens(ctx context.Context, request *http.Request) ([]*oauth2.Token, error) + ExpireTokens() error } // HTTPClient is an HTTP client used for sending authentication requests and obtaining tokens 
diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/managed_identity_authorizer.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/managed_identity_authorizer.go index 718e6693d98c..3a16e553f8c4 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/managed_identity_authorizer.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/managed_identity_authorizer.go @@ -118,6 +118,11 @@ func (a *ManagedIdentityAuthorizer) AuxiliaryTokens(_ context.Context, _ *http.R return []*oauth2.Token{}, nil } +// ExpireToken has no effect with uncached Authorizers +func (a *ManagedIdentityAuthorizer) ExpireTokens() error { + return nil +} + // managedIdentityConfig configures an ManagedIdentityAuthorizer. type managedIdentityConfig struct { // ClientID is optionally used to determine which application to assume when a resource has multiple managed identities diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/shared_key_authorizer.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/shared_key_authorizer.go index e817bb438bae..4e41c87cedca 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/shared_key_authorizer.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/shared_key_authorizer.go @@ -64,7 +64,10 @@ func (s *SharedKeyAuthorizer) AuxiliaryTokens(_ context.Context, _ *http.Request return []*oauth2.Token{}, nil } -// --- +// ExpireToken has no effect with shared keys +func (c *SharedKeyAuthorizer) ExpireTokens() error { + return fmt.Errorf("SharedKeyAuthorizer tokens cannot expire") +} const ( storageEmulatorAccountName string = "devstoreaccount1" diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/token.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/token.go index 864b2d2fea34..ea06e560c97d 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/token.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/token.go 
@@ -4,15 +4,54 @@ package auth import ( - "golang.org/x/oauth2" + "context" + "fmt" + "net/http" + "strings" "time" "github.com/hashicorp/go-azure-sdk/sdk/claims" + "golang.org/x/oauth2" ) +// SetAuthHeaders decorates a *http.Request with necessary authorization headers for Azure APIs. For more information about the vendor-specific +// `x-ms-authorization-auxiliary` header, see https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/authenticate-multi-tenant +func SetAuthHeaders(ctx context.Context, req *http.Request, authorizer Authorizer) error { + if req == nil { + return fmt.Errorf("request was nil") + } + if authorizer == nil { + return fmt.Errorf("authorizer was nil") + } + + token, err := authorizer.Token(ctx, req) + if err != nil { + return err + } + + if req.Header == nil { + req.Header = make(http.Header) + } + + req.Header.Set("Authorization", fmt.Sprintf("%s %s", token.Type(), token.AccessToken)) + + auxTokens, err := authorizer.AuxiliaryTokens(ctx, req) + if err != nil { + return err + } + + auxTokenValues := make([]string, 0) + for _, auxToken := range auxTokens { + auxTokenValues = append(auxTokenValues, fmt.Sprintf("%s %s", auxToken.Type(), auxToken.AccessToken)) + } + req.Header.Set("X-Ms-Authorization-Auxiliary", strings.Join(auxTokenValues, ", ")) + + return nil +} + const tokenExpiryDelta = 20 * time.Minute -// tokenExpiresSoon returns true if the token expires within 10 minutes, or if more than 50% of its validity period has elapsed (if this can be determined), whichever is later +// tokenDueForRenewal returns true if the token expires within 10 minutes, or if more than 50% of its validity period has elapsed (if this can be determined), whichever is later func tokenDueForRenewal(token *oauth2.Token) bool { if token == nil { return true 
@@ -26,7 +65,11 @@ func tokenDueForRenewal(token *oauth2.Token) bool { expiry := token.Expiry.Round(0) delta := tokenExpiryDelta now := time.Now() - expiresWithinTenMinutes := expiry.Add(-delta).Before(now) + + // Always return early if the token validity doesn't extend past the expiry delta + if expiry.Add(-delta).Before(now) { + return true + } // Try to parse the token claims to retrieve the issuedAt time if claims, err := claims.ParseClaims(token); err == nil { @@ -43,5 +86,5 @@ func tokenDueForRenewal(token *oauth2.Token) bool { } } - return expiresWithinTenMinutes + return false } diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/claims/claims.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/claims/claims.go index 97683b0c65f2..15444cdf36d1 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/claims/claims.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/claims/claims.go @@ -15,6 +15,7 @@ import ( // Claims is used to unmarshall the claims from a JWT issued by the Microsoft Identity Platform. type Claims struct { Audience string `json:"aud"` + Expires int64 `json:"exp"` IssuedAt int64 `json:"iat"` Issuer string `json:"iss"` IdentityProvider string `json:"idp"` diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/client/client.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/client/client.go index 05682f8bcaab..f38b6e497e95 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/client/client.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/client/client.go 
@@ -327,14 +327,11 @@ func (c *Client) Execute(ctx context.Context, req *Request) (*Response, error) { return nil, fmt.Errorf("req.Request was nil") } - // at this point we're ready to send the HTTP Request, as such let's get the Authorization token - // and add that to the request + // Set Authorization and X-Ms-Authorization-Auxiliary headers if c.Authorizer != nil { - token, err := c.Authorizer.Token(ctx, req.Request) - if err != nil { + if err := auth.SetAuthHeaders(ctx, req.Request, c.Authorizer); err != nil { return nil, err } - token.SetAuthHeader(req.Request) } var err error diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/environments/application_ids.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/environments/application_ids.go index e10e3d2e7e66..388b85b93c8b 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/environments/application_ids.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/environments/application_ids.go @@ -33,6 +33,7 @@ var PublishedApis = map[string]string{ "AzureIotHubDeviceProvisioning": iotHubDeviceProvisioningAppId, "AzureKeyVault": keyVaultAppId, "AzureKubernetesServiceAadServer": kubernetesServiceAadServerAppId, + "AzureLinuxVirtualMachineSignIn": azureLinuxVmSignIn, "AzureMaps": mapsAppId, "AzureMediaServices": mediaServicesAppId, "AzurePortal": portalAppId, @@ -48,6 +49,7 @@ var PublishedApis = map[string]string{ "AzureSynapseStudio": synapseStudioAppId, "AzureTimeSeriesInsights": timeSeriesInsightsAppId, "AzureVPN": azureVPNAppId, + "AzureWindowsVirtualMachineSignIn": azureWindowsVmSignIn, "Bing": bingAppId, "BotFrameworkDevPortal": botFrameworkDevPortalAppId, "BranchConnectWebService": branchConnectWebServiceAppId, 
@@ -79,6 +81,7 @@ var PublishedApis = map[string]string{ "Microsoft365DataAtRestEncryption": microsoft365DataAtRestEncryptionAppId, "MicrosoftAzureCli": microsoftAzureCliAppId, "MicrosoftGraph": microsoftGraphAppId, + "MicrosoftIntuneEnrollment": microsoftIntuneEnrollment, "MicrosoftInvoicing": microsoftInvoicingAppId, "MicrosoftOffice": microsoftOfficeAppId, "MicrosoftStorageSync": microsoftStorageSyncAppId, diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/environments/constants.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/environments/constants.go index a15c4c044493..1459fc7e7986 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/environments/constants.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/environments/constants.go @@ -13,6 +13,8 @@ const azureAdIdentityGovernanceInsightsAppId = "58c746b0-a0b0-4647-a8f6-12dde598 const azureAdIntegratedAppAppId = "af47b99c-8954-4b45-ab68-8121157418ef" const azureAdNotificationAppId = "fc03f97a-9db0-4627-a216-ec98ce54e018" const azureDevOpsAppId = "499b84ac-1321-427f-aa17-267ca6975798" +const azureLinuxVmSignIn = "ce6ff14a-7fdc-4685-bbe0-f6afdfcfa8e0" +const azureWindowsVmSignIn = "372140e0-b3b7-4226-8ef9-d57986796201" const azureServiceManagementAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013" const azureVPNAppId = "41b23e61-6c1e-4545-b367-cd054e0ed4b4" const batchAppId = "ddbf3205-c6bd-46ae-8127-60eb93363864" @@ -62,6 +64,7 @@ const microsoft365DataAtRestEncryptionAppId = "c066d759-24ae-40e7-a56f-027002b5d const microsoftAzureCliAppId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46" const microsoftGraphAppId = "00000003-0000-0000-c000-000000000000" const microsoftInvoicingAppId = "b6b84568-6c01-4981-a80f-09da9a20bbed" +const microsoftIntuneEnrollment = "d4ebce55-015a-49b5-a083-c84d1797ae8c" const microsoftOfficeAppId = "d3590ed6-52b3-4102-aeff-aad2292ab01c" const microsoftStorageSyncAppId = "9469b9f5-6722-4481-a2b2-14ed560b706f" const microsoftTeamsAppId = "1fec8e78-bce4-4aaf-ab1b-5451cc387264" 
diff --git a/vendor/modules.txt b/vendor/modules.txt index 5ac0dce13de8..302167435594 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -156,7 +156,7 @@ github.com/hashicorp/go-azure-helpers/resourcemanager/tags github.com/hashicorp/go-azure-helpers/resourcemanager/zones github.com/hashicorp/go-azure-helpers/sender github.com/hashicorp/go-azure-helpers/storage -# github.com/hashicorp/go-azure-sdk v0.20230918.1115907 +# github.com/hashicorp/go-azure-sdk v0.20230922.1111208-0.20230928213051-e2ff919cff2f ## explicit; go 1.19 github.com/hashicorp/go-azure-sdk/resource-manager/aad/2021-05-01/domainservices github.com/hashicorp/go-azure-sdk/resource-manager/aadb2c/2021-04-01-preview From 5a176da75137f550d9a0541f0670be75c5e639fe Mon Sep 17 00:00:00 2001 From: Tom Bamford Date: Thu, 28 Sep 2023 22:38:32 +0100 Subject: [PATCH 2/3] tests: explicit test for cross-tenant usage of `azurerm_private_dns_zone_virtual_network_link` --- internal/provider/provider.go | 2 +- ...zone_virtual_network_link_resource_test.go | 78 +++++++++++++++++++ 2 files changed, 79 insertions(+), 1 deletion(-) diff --git a/internal/provider/provider.go b/internal/provider/provider.go index 50fd34f0f4b5..e669474b9ed2 100644 --- a/internal/provider/provider.go +++ b/internal/provider/provider.go @@ -373,7 +373,7 @@ func providerConfigure(p *schema.Provider) schema.ConfigureContextFunc { } if len(auxTenants) > 3 { - return nil, diag.Errorf("the provider only supports 3 auxiliary tenant IDs") + return nil, diag.Errorf("the provider only supports up to 3 auxiliary tenant IDs") } var clientCertificateData []byte diff --git a/internal/services/privatedns/private_dns_zone_virtual_network_link_resource_test.go b/internal/services/privatedns/private_dns_zone_virtual_network_link_resource_test.go index d5cf5ee1bdc9..2ea21655403c 100644 --- a/internal/services/privatedns/private_dns_zone_virtual_network_link_resource_test.go 
+++ b/internal/services/privatedns/private_dns_zone_virtual_network_link_resource_test.go @@ -6,6 +6,7 @@ package privatedns_test import ( "context" "fmt" + "os" "testing" "github.com/hashicorp/go-azure-sdk/resource-manager/privatedns/2020-06-01/virtualnetworklinks" @@ -46,6 +47,28 @@ func TestAccPrivateDnsZoneVirtualNetworkLink_complete(t *testing.T) { }) } +func TestAccPrivateDnsZoneVirtualNetworkLink_crossTenant(t *testing.T) { + // Multiple tenants are needed for this test + altTenantId := os.Getenv("ARM_TENANT_ID_ALT") + subscriptionIdAltTenant := os.Getenv("ARM_SUBSCRIPTION_ID_ALT_TENANT") + + if altTenantId == "" || subscriptionIdAltTenant == "" { + t.Skip("One of ARM_TENANT_ID_ALT, ARM_SUBSCRIPTION_ID_ALT_TENANT are not specified") + } + + data := acceptance.BuildTestData(t, "azurerm_private_dns_zone_virtual_network_link", "test") + r := PrivateDnsZoneVirtualNetworkLinkResource{} + data.ResourceTest(t, r, []acceptance.TestStep{ + { + Config: r.crossTenant(data, altTenantId, subscriptionIdAltTenant), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + }) +} + func TestAccPrivateDnsZoneVirtualNetworkLink_requiresImport(t *testing.T) { data := acceptance.BuildTestData(t, "azurerm_private_dns_zone_virtual_network_link", "test") r := PrivateDnsZoneVirtualNetworkLinkResource{} 
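Review bot: The skip message in TestAccPrivateDnsZoneVirtualNetworkLink_crossTenant, `One of ARM_TENANT_ID_ALT, ARM_SUBSCRIPTION_ID_ALT_TENANT are not specified`, is ungrammatical and does not tell the reader that both variables are required, so a run that sets only one of them skips with a misleading reason. I would change it to `t.Skip("both ARM_TENANT_ID_ALT and ARM_SUBSCRIPTION_ID_ALT_TENANT must be set for cross-tenant tests")`. The leading comment `// Multiple tenants are needed for this test` would also be more useful if it named the two variables and noted that the credential used by the main provider presumably has to exist in the alternate tenant as well, since that tenant is passed via auxiliary_tenant_ids; that second part is an inference from the config in crossTenant rather than anything visible here, so confirm before writing it down.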
@@ -171,6 +194,61 @@ resource "azurerm_private_dns_zone_virtual_network_link" "test" { `, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger, data.RandomInteger) } +func (PrivateDnsZoneVirtualNetworkLinkResource) crossTenant(data acceptance.TestData, altTenantId, subscriptionIdAltTenant string) string { + return fmt.Sprintf(` +provider "azurerm" { + auxiliary_tenant_ids = ["%[1]s"] + + features {} +} + +provider "azurerm-alt" { + tenant_id = "%[1]s" + subscription_id = "%[2]s" + + features {} +} + +resource "azurerm_resource_group" "test_alt" { + provider = azurerm-alt + + name = "acctestRG-%[3]d" + location = "%[4]s" +} + +resource "azurerm_virtual_network" "test_alt" { + provider = azurerm-alt + + name = "vnet%[3]d" + location = azurerm_resource_group.test_alt.location + resource_group_name = azurerm_resource_group.test_alt.name + address_space = ["10.0.0.0/16"] + + subnet { + name = "subnet1" + address_prefix = "10.0.1.0/24" + } +} + +resource "azurerm_resource_group" "test" { + name = "acctestRG-%[3]d" + location = "%[4]s" +} + +resource "azurerm_private_dns_zone" "test" { + name = "acctestzone%[3]d.com" + resource_group_name = azurerm_resource_group.test.name +} + +resource "azurerm_private_dns_zone_virtual_network_link" "test" { + name = "acctestVnetZone%[3]d.com" + resource_group_name = azurerm_resource_group.test.name + private_dns_zone_name = azurerm_private_dns_zone.test.name + virtual_network_id = azurerm_virtual_network.test_alt.id +} +`, altTenantId, subscriptionIdAltTenant, data.RandomInteger, data.Locations.Primary) +} + func (r PrivateDnsZoneVirtualNetworkLinkResource) requiresImport(data acceptance.TestData) string { return fmt.Sprintf(` %s From dc7e67732d8ca957519a491dfaaf727d1044870a Mon Sep 17 00:00:00 2001 
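Review bot: crossTenant's HCL relies on the provider forwarding `auxiliary_tenant_ids` as auxiliary tokens on each request, but in this series that behaviour exists only in the vendored SDK change from PATCH 1 (SetAuthHeaders populating X-Ms-Authorization-Auxiliary), and PATCH 3 re-vendors the SDK and removes it again without touching go.mod or modules.txt, so on the final tree this test appears to exercise a code path the provider no longer has; confirm that the go-azure-sdk version in go.mod actually carries the auxiliary-token support before treating this test as the cross-tenant regression check. Separately, `provider "azurerm-alt"` depends on the acceptance harness registering a provider under that name, which is not visible in this file, and a one-line comment above that block such as `// "azurerm-alt" is registered by the acceptance package using the alternate tenant credentials` would save readers from expecting a provider alias. The function this hunk closes at its top starts outside the hunk, and requiresImport's body continues past its end.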
From: kt Date: Thu, 23 Nov 2023 20:16:43 -0800 Subject: [PATCH 3/3] go mod vendor; go mod tidy --- .../sdk/auth/azure_cli_authorizer.go | 5 -- .../sdk/auth/cached_authorizer.go | 12 +---- .../sdk/auth/client_credentials.go | 5 -- .../sdk/auth/client_secret_authorizer.go | 5 -- .../sdk/auth/github_oidc_authorizer.go | 5 -- .../go-azure-sdk/sdk/auth/interface.go | 2 +- .../sdk/auth/managed_identity_authorizer.go | 5 -- .../sdk/auth/shared_key_authorizer.go | 5 +- .../hashicorp/go-azure-sdk/sdk/auth/token.go | 51 ++----------------- .../go-azure-sdk/sdk/claims/claims.go | 1 - .../go-azure-sdk/sdk/client/client.go | 7 ++- 11 files changed, 12 insertions(+), 91 deletions(-) diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/azure_cli_authorizer.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/azure_cli_authorizer.go index 48bd6729016e..21de3aaa457a 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/azure_cli_authorizer.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/azure_cli_authorizer.go @@ -143,11 +143,6 @@ func (a *AzureCliAuthorizer) AuxiliaryTokens(_ context.Context, _ *http.Request) return tokens, nil } -// ExpireToken has no effect with uncached Authorizers -func (a *AzureCliAuthorizer) ExpireTokens() error { - return nil -} - const ( AzureCliMinimumVersion = "2.0.81" AzureCliMsalVersion = "2.30.0" diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/cached_authorizer.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/cached_authorizer.go index 2bc2e210c017..6043dda77cec 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/cached_authorizer.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/cached_authorizer.go @@ -8,7 +8,6 @@ import ( "fmt" "net/http" "sync" - "time" "golang.org/x/oauth2" ) 
@@ -55,7 +54,7 @@ func (c *CachedAuthorizer) AuxiliaryTokens(ctx context.Context, req *http.Reques } c.mutex.RUnlock() - if dueForRenewal || len(c.auxTokens) == 0 { + if !dueForRenewal { c.mutex.Lock() defer c.mutex.Unlock() var err error @@ -68,15 +67,6 @@ func (c *CachedAuthorizer) AuxiliaryTokens(ctx context.Context, req *http.Reques return c.auxTokens, nil } -// ExpireTokens expires the currently cached token and auxTokens, forcing new tokens to be acquired when Token() or AuxiliaryTokens() are next called -func (c *CachedAuthorizer) ExpireTokens() error { - c.token.Expiry = time.Now() - for i := range c.auxTokens { - c.auxTokens[i].Expiry = time.Now() - } - return nil -} - // NewCachedAuthorizer returns an Authorizer that caches an access token for the duration of its validity. // If the cached token expires, a new one is acquired and cached. func NewCachedAuthorizer(src Authorizer) (Authorizer, error) { diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/client_credentials.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/client_credentials.go index 84116240a887..571a12ccd8f3 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/client_credentials.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/client_credentials.go @@ -314,11 +314,6 @@ func (a *ClientAssertionAuthorizer) AuxiliaryTokens(ctx context.Context, _ *http return tokens, nil } -// ExpireToken has no effect with uncached Authorizers -func (a *ClientAssertionAuthorizer) ExpireTokens() error { - return nil -} - func clientCredentialsToken(ctx context.Context, endpoint string, params *url.Values) (*oauth2.Token, error) { req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, bytes.NewBuffer([]byte(params.Encode()))) if err != nil { diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/client_secret_authorizer.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/client_secret_authorizer.go index 91fb5d23568e..dcbd3ffe85a5 100644 
--- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/client_secret_authorizer.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/client_secret_authorizer.go @@ -131,8 +131,3 @@ func (a *ClientSecretAuthorizer) AuxiliaryTokens(ctx context.Context, _ *http.Re return tokens, nil } - -// ExpireToken has no effect with uncached Authorizers -func (a *ClientSecretAuthorizer) ExpireTokens() error { - return nil -} diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/github_oidc_authorizer.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/github_oidc_authorizer.go index 4a6212d52128..a369ebf9828f 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/github_oidc_authorizer.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/github_oidc_authorizer.go @@ -190,11 +190,6 @@ type gitHubOIDCConfig struct { Audience string } -// ExpireToken has no effect with uncached Authorizers -func (a *GitHubOIDCAuthorizer) ExpireTokens() error { - return nil -} - func (c *gitHubOIDCConfig) TokenSource(ctx context.Context) (Authorizer, error) { return NewCachedAuthorizer(&GitHubOIDCAuthorizer{ conf: c, diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/interface.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/interface.go index fe5256e5e9b9..7620f5d76f9d 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/interface.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/interface.go @@ -13,8 +13,8 @@ import ( // Authorizer is anything that can return an access token for authorizing API connections type Authorizer interface { Token(ctx context.Context, request *http.Request) (*oauth2.Token, error) + AuxiliaryTokens(ctx context.Context, request *http.Request) ([]*oauth2.Token, error) - ExpireTokens() error } // HTTPClient is an HTTP client used for sending authentication requests and obtaining tokens 
diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/managed_identity_authorizer.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/managed_identity_authorizer.go index 3a16e553f8c4..718e6693d98c 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/managed_identity_authorizer.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/managed_identity_authorizer.go @@ -118,11 +118,6 @@ func (a *ManagedIdentityAuthorizer) AuxiliaryTokens(_ context.Context, _ *http.R return []*oauth2.Token{}, nil } -// ExpireToken has no effect with uncached Authorizers -func (a *ManagedIdentityAuthorizer) ExpireTokens() error { - return nil -} - // managedIdentityConfig configures an ManagedIdentityAuthorizer. type managedIdentityConfig struct { // ClientID is optionally used to determine which application to assume when a resource has multiple managed identities diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/shared_key_authorizer.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/shared_key_authorizer.go index 4e41c87cedca..e817bb438bae 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/shared_key_authorizer.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/shared_key_authorizer.go @@ -64,10 +64,7 @@ func (s *SharedKeyAuthorizer) AuxiliaryTokens(_ context.Context, _ *http.Request return []*oauth2.Token{}, nil } -// ExpireToken has no effect with shared keys -func (c *SharedKeyAuthorizer) ExpireTokens() error { - return fmt.Errorf("SharedKeyAuthorizer tokens cannot expire") -} +// --- const ( storageEmulatorAccountName string = "devstoreaccount1" diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/token.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/token.go index ea06e560c97d..864b2d2fea34 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/token.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/token.go 
@@ -4,54 +4,15 @@ package auth import ( - "context" - "fmt" - "net/http" - "strings" + "golang.org/x/oauth2" "time" "github.com/hashicorp/go-azure-sdk/sdk/claims" - "golang.org/x/oauth2" ) -// SetAuthHeaders decorates a *http.Request with necessary authorization headers for Azure APIs. For more information about the vendor-specific -// `x-ms-authorization-auxiliary` header, see https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/authenticate-multi-tenant -func SetAuthHeaders(ctx context.Context, req *http.Request, authorizer Authorizer) error { - if req == nil { - return fmt.Errorf("request was nil") - } - if authorizer == nil { - return fmt.Errorf("authorizer was nil") - } - - token, err := authorizer.Token(ctx, req) - if err != nil { - return err - } - - if req.Header == nil { - req.Header = make(http.Header) - } - - req.Header.Set("Authorization", fmt.Sprintf("%s %s", token.Type(), token.AccessToken)) - - auxTokens, err := authorizer.AuxiliaryTokens(ctx, req) - if err != nil { - return err - } - - auxTokenValues := make([]string, 0) - for _, auxToken := range auxTokens { - auxTokenValues = append(auxTokenValues, fmt.Sprintf("%s %s", auxToken.Type(), auxToken.AccessToken)) - } - req.Header.Set("X-Ms-Authorization-Auxiliary", strings.Join(auxTokenValues, ", ")) - - return nil -} - const tokenExpiryDelta = 20 * time.Minute -// tokenDueForRenewal returns true if the token expires within 10 minutes, or if more than 50% of its validity period has elapsed (if this can be determined), whichever is later +// tokenExpiresSoon returns true if the token expires within 10 minutes, or if more than 50% of its validity period has elapsed (if this can be determined), whichever is later func tokenDueForRenewal(token *oauth2.Token) bool { if token == nil { return true 
@@ -65,11 +26,7 @@ func tokenDueForRenewal(token *oauth2.Token) bool { expiry := token.Expiry.Round(0) delta := tokenExpiryDelta now := time.Now() - - // Always return early if the token validity doesn't extend past the expiry delta - if expiry.Add(-delta).Before(now) { - return true - } + expiresWithinTenMinutes := expiry.Add(-delta).Before(now) // Try to parse the token claims to retrieve the issuedAt time if claims, err := claims.ParseClaims(token); err == nil { @@ -86,5 +43,5 @@ func tokenDueForRenewal(token *oauth2.Token) bool { } } - return false + return expiresWithinTenMinutes } diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/claims/claims.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/claims/claims.go index 15444cdf36d1..97683b0c65f2 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/claims/claims.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/claims/claims.go @@ -15,7 +15,6 @@ import ( // Claims is used to unmarshall the claims from a JWT issued by the Microsoft Identity Platform. type Claims struct { Audience string `json:"aud"` - Expires int64 `json:"exp"` IssuedAt int64 `json:"iat"` Issuer string `json:"iss"` IdentityProvider string `json:"idp"` diff --git a/vendor/github.com/hashicorp/go-azure-sdk/sdk/client/client.go b/vendor/github.com/hashicorp/go-azure-sdk/sdk/client/client.go index d08581c05697..1710691f44ea 100644 --- a/vendor/github.com/hashicorp/go-azure-sdk/sdk/client/client.go +++ b/vendor/github.com/hashicorp/go-azure-sdk/sdk/client/client.go 
@@ -327,11 +327,14 @@ func (c *Client) Execute(ctx context.Context, req *Request) (*Response, error) { return nil, fmt.Errorf("req.Request was nil") } - // Set Authorization and X-Ms-Authorization-Auxiliary headers + // at this point we're ready to send the HTTP Request, as such let's get the Authorization token + // and add that to the request if c.Authorizer != nil { - if err := auth.SetAuthHeaders(ctx, req.Request, c.Authorizer); err != nil { + token, err := c.Authorizer.Token(ctx, req.Request) + if err != nil { return nil, err } + token.SetAuthHeader(req.Request) } var err error