зеркало из https://github.com/Azure/ARO-RP.git
Update msi-dataplane module tto v0.0.8
This commit is contained in:
Nicolas Ontiveros
Родитель
283043eaa0
Коммит
d50809453f
2
go.mod
2
go.mod
|
|
@ -22,7 +22,7 @@ require (
|
|||
github.com/Azure/go-autorest/autorest/to v0.4.0
|
||||
github.com/Azure/go-autorest/autorest/validation v0.3.1
|
||||
github.com/Azure/go-autorest/tracing v0.6.0
|
||||
github.com/Azure/msi-dataplane v0.0.6
|
||||
github.com/Azure/msi-dataplane v0.0.8
|
||||
github.com/apparentlymart/go-cidr v1.1.0
|
||||
github.com/codahale/etm v0.0.0-20141003032925-c00c9e6fb4c9
|
||||
github.com/containers/image/v5 v5.30.1
|
||||
|
|
|
|||
4
go.sum
4
go.sum
|
|
@ -60,8 +60,8 @@ github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+Z
|
|||
github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
|
||||
github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
|
||||
github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
|
||||
github.com/Azure/msi-dataplane v0.0.6 h1:+IhGETRF9lLNlbs6793xWFKMcbborBtaR2ops1XWlPo=
|
||||
github.com/Azure/msi-dataplane v0.0.6/go.mod h1:/fXvAsxSogxoT7If0xfaeyaIQ7Q/0xAY9ISn7lOpA4o=
|
||||
github.com/Azure/msi-dataplane v0.0.8 h1:vIopp85cLy1kWdZUaMnNlu1ssvdRLOxU8KRdTahWrwg=
|
||||
github.com/Azure/msi-dataplane v0.0.8/go.mod h1:/fXvAsxSogxoT7If0xfaeyaIQ7Q/0xAY9ISn7lOpA4o=
|
||||
github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
|
||||
github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
|
||||
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU=
|
||||
|
|
|
|||
|
|
@ -4,10 +4,10 @@ import (
|
|||
"encoding/base64"
|
||||
"errors"
|
||||
"fmt"
|
||||
"reflect"
|
||||
"strings"
|
||||
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
|
||||
azcloud "github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
|
||||
"github.com/Azure/msi-dataplane/pkg/dataplane/swagger"
|
||||
|
|
@ -17,6 +17,7 @@ var (
|
|||
// Errors returned when processing idenities
|
||||
errDecodeClientSecret = errors.New("failed to decode client secret")
|
||||
errParseCertificate = errors.New("failed to parse certificate")
|
||||
errParseResourceID = errors.New("failed to parse resource ID")
|
||||
errNilField = errors.New("expected non nil field in identity")
|
||||
errNoUserAssignedMSIs = errors.New("credentials object does not contain user-assigned managed identities")
|
||||
errResourceIDNotFound = errors.New("resource ID not found in user-assigned managed identity")
|
||||
|
|
@ -49,10 +50,20 @@ func (c CredentialsObject) IsUserAssigned() bool {
|
|||
|
||||
// Get an AzIdentity credential for the given user-assigned identity resource ID
|
||||
// Clients can use the credential to get a token for the user-assigned identity
|
||||
func (u UserAssignedIdentities) GetCredential(resourceID string) (*azidentity.ClientCertificateCredential, error) {
|
||||
func (u UserAssignedIdentities) GetCredential(requestedResourceID string) (*azidentity.ClientCertificateCredential, error) {
|
||||
requestedARMResourceID, err := arm.ParseResourceID(requestedResourceID)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("%w for requested resource ID %s: %w", errParseResourceID, requestedResourceID, err)
|
||||
}
|
||||
requestedResourceID = requestedARMResourceID.String()
|
||||
|
||||
for _, id := range u.ExplicitIdentities {
|
||||
if id != nil && id.ResourceID != nil {
|
||||
if *id.ResourceID == resourceID {
|
||||
idARMResourceID, err := arm.ParseResourceID(*id.ResourceID)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("%w for identity resource ID %s: %w", errParseResourceID, *id.ResourceID, err)
|
||||
}
|
||||
if requestedResourceID == idARMResourceID.String() {
|
||||
return getClientCertificateCredential(*id, u.cloud)
|
||||
}
|
||||
}
|
||||
|
|
@ -61,6 +72,15 @@ func (u UserAssignedIdentities) GetCredential(resourceID string) (*azidentity.Cl
|
|||
return nil, errResourceIDNotFound
|
||||
}
|
||||
|
||||
func getAzCoreCloud(cloud string) azcloud.Configuration {
|
||||
switch cloud {
|
||||
case AzureUSGovCloud:
|
||||
return azcloud.AzureGovernment
|
||||
default:
|
||||
return azcloud.AzurePublic
|
||||
}
|
||||
}
|
||||
|
||||
func getClientCertificateCredential(identity swagger.NestedCredentialsObject, cloud string) (*azidentity.ClientCertificateCredential, error) {
|
||||
// Double check nil pointers so we don't panic
|
||||
fieldsToCheck := map[string]*string{
|
||||
|
|
@ -86,6 +106,10 @@ func getClientCertificateCredential(identity swagger.NestedCredentialsObject, cl
|
|||
|
||||
// x5c header required: https://eng.ms/docs/products/arm/rbac/managed_identities/msionboardingrequestingatoken
|
||||
SendCertificateChain: true,
|
||||
|
||||
// Disable instance discovery because MSI credential may have regional AAD endpoint that instance discovery endpoint doesn't support
|
||||
// e.g. when MSI credential has westus2.login.microsoft.com, it will cause instance discovery to fail with HTTP 400
|
||||
DisableInstanceDiscovery: true,
|
||||
}
|
||||
|
||||
// Set the regional AAD endpoint
|
||||
|
|
@ -116,30 +140,26 @@ func validateUserAssignedMSIs(identities []*swagger.NestedCredentialsObject, res
|
|||
if identity == nil {
|
||||
return errNilMSI
|
||||
}
|
||||
|
||||
v := reflect.ValueOf(*identity)
|
||||
for i := 0; i < v.NumField(); i++ {
|
||||
if v.Field(i).IsNil() {
|
||||
return fmt.Errorf("%w, field %s", errNilField, v.Type().Field(i).Name)
|
||||
}
|
||||
if identity.ResourceID == nil {
|
||||
return fmt.Errorf("%w, resource ID", errNilField)
|
||||
}
|
||||
resourceIDMap[*identity.ResourceID] = true
|
||||
armResourceID, err := arm.ParseResourceID(*identity.ResourceID)
|
||||
if err != nil {
|
||||
return fmt.Errorf("%w for received resource ID %s: %w", errParseResourceID, *identity.ResourceID, err)
|
||||
}
|
||||
|
||||
resourceIDMap[armResourceID.String()] = true
|
||||
}
|
||||
|
||||
for _, resourceID := range resourceIDs {
|
||||
if _, ok := resourceIDMap[resourceID]; !ok {
|
||||
armResourceID, err := arm.ParseResourceID(resourceID)
|
||||
if err != nil {
|
||||
return fmt.Errorf("%w for requested resource ID %s: %w", errParseResourceID, resourceID, err)
|
||||
}
|
||||
if _, ok := resourceIDMap[armResourceID.String()]; !ok {
|
||||
return fmt.Errorf("%w, resource ID %s", errResourceIDNotFound, resourceID)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func getAzCoreCloud(cloud string) azcloud.Configuration {
|
||||
switch cloud {
|
||||
case AzureUSGovCloud:
|
||||
return azcloud.AzureGovernment
|
||||
default:
|
||||
return azcloud.AzurePublic
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ import (
|
|||
|
||||
type KeyVaultClient interface {
|
||||
DeleteSecret(ctx context.Context, name string, options *azsecrets.DeleteSecretOptions) (azsecrets.DeleteSecretResponse, error)
|
||||
GetDeletedSecret(ctx context.Context, name string, options *azsecrets.GetDeletedSecretOptions) (azsecrets.GetDeletedSecretResponse, error)
|
||||
GetSecret(ctx context.Context, name string, version string, options *azsecrets.GetSecretOptions) (azsecrets.GetSecretResponse, error)
|
||||
NewListDeletedSecretPropertiesPager(options *azsecrets.ListDeletedSecretPropertiesOptions) *runtime.Pager[azsecrets.ListDeletedSecretPropertiesResponse]
|
||||
NewListSecretPropertiesPager(options *azsecrets.ListSecretPropertiesOptions) *runtime.Pager[azsecrets.ListSecretPropertiesResponse]
|
||||
|
|
|
|||
15
vendor/github.com/Azure/msi-dataplane/pkg/store/mock_kvclient/zz_generated_mocks.go
сгенерированный
поставляемый
15
vendor/github.com/Azure/msi-dataplane/pkg/store/mock_kvclient/zz_generated_mocks.go
сгенерированный
поставляемый
|
|
@ -56,6 +56,21 @@ func (mr *MockKeyVaultClientMockRecorder) DeleteSecret(ctx, name, options any) *
|
|||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteSecret", reflect.TypeOf((*MockKeyVaultClient)(nil).DeleteSecret), ctx, name, options)
|
||||
}
|
||||
|
||||
// GetDeletedSecret mocks base method.
|
||||
func (m *MockKeyVaultClient) GetDeletedSecret(ctx context.Context, name string, options *azsecrets.GetDeletedSecretOptions) (azsecrets.GetDeletedSecretResponse, error) {
|
||||
m.ctrl.T.Helper()
|
||||
ret := m.ctrl.Call(m, "GetDeletedSecret", ctx, name, options)
|
||||
ret0, _ := ret[0].(azsecrets.GetDeletedSecretResponse)
|
||||
ret1, _ := ret[1].(error)
|
||||
return ret0, ret1
|
||||
}
|
||||
|
||||
// GetDeletedSecret indicates an expected call of GetDeletedSecret.
|
||||
func (mr *MockKeyVaultClientMockRecorder) GetDeletedSecret(ctx, name, options any) *gomock.Call {
|
||||
mr.mock.ctrl.T.Helper()
|
||||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDeletedSecret", reflect.TypeOf((*MockKeyVaultClient)(nil).GetDeletedSecret), ctx, name, options)
|
||||
}
|
||||
|
||||
// GetSecret mocks base method.
|
||||
func (m *MockKeyVaultClient) GetSecret(ctx context.Context, name, version string, options *azsecrets.GetSecretOptions) (azsecrets.GetSecretResponse, error) {
|
||||
m.ctrl.T.Helper()
|
||||
|
|
|
|||
|
|
@ -14,6 +14,17 @@ var (
|
|||
errNilSecretValue = errors.New("secret value is nil")
|
||||
)
|
||||
|
||||
type DeletedSecretProperties struct {
|
||||
Name string
|
||||
RecoveryLevel string
|
||||
DeletedDate time.Time
|
||||
}
|
||||
|
||||
type DeletedSecretResponse struct {
|
||||
CredentialsObject dataplane.CredentialsObject
|
||||
Properties DeletedSecretProperties
|
||||
}
|
||||
|
||||
type MsiKeyVaultStore struct {
|
||||
kvClient KeyVaultClient
|
||||
}
|
||||
|
|
@ -85,6 +96,42 @@ func (s *MsiKeyVaultStore) GetCredentialsObject(ctx context.Context, secretName
|
|||
return &SecretResponse{CredentialsObject: credentialsObject, Properties: secretProperties}, nil
|
||||
}
|
||||
|
||||
// Get a deleted credentials object from the key vault using the specified secret name.
|
||||
func (s *MsiKeyVaultStore) GetDeletedCredentialsObject(ctx context.Context, secretName string) (*DeletedSecretResponse, error) {
|
||||
response, err := s.kvClient.GetDeletedSecret(ctx, secretName, nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if response.Value == nil {
|
||||
return nil, errNilSecretValue
|
||||
}
|
||||
|
||||
var credentialsObject dataplane.CredentialsObject
|
||||
if err := credentialsObject.UnmarshalJSON([]byte(*response.Value)); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
deletedSecretProperties := DeletedSecretProperties{
|
||||
Name: secretName,
|
||||
RecoveryLevel: "",
|
||||
DeletedDate: time.Time{},
|
||||
}
|
||||
|
||||
if response.DeletedDate != nil {
|
||||
deletedSecretProperties.DeletedDate = *response.DeletedDate
|
||||
}
|
||||
|
||||
if response.Attributes != nil {
|
||||
// Override defaults if values are present
|
||||
if response.Attributes.RecoveryLevel != nil {
|
||||
deletedSecretProperties.RecoveryLevel = *response.Attributes.RecoveryLevel
|
||||
}
|
||||
}
|
||||
|
||||
return &DeletedSecretResponse{CredentialsObject: credentialsObject, Properties: deletedSecretProperties}, nil
|
||||
}
|
||||
|
||||
// Get a pager for listing credentials objects from the key vault.
|
||||
func (s *MsiKeyVaultStore) GetCredentialsObjectPager() *runtime.Pager[azsecrets.ListSecretPropertiesResponse] {
|
||||
return s.kvClient.NewListSecretPropertiesPager(nil)
|
||||
|
|
|
|||
|
|
@ -136,7 +136,7 @@ github.com/Azure/go-autorest/logger
|
|||
# github.com/Azure/go-autorest/tracing v0.6.0
|
||||
## explicit; go 1.12
|
||||
github.com/Azure/go-autorest/tracing
|
||||
# github.com/Azure/msi-dataplane v0.0.6
|
||||
# github.com/Azure/msi-dataplane v0.0.8
|
||||
## explicit; go 1.21
|
||||
github.com/Azure/msi-dataplane/pkg/dataplane
|
||||
github.com/Azure/msi-dataplane/pkg/dataplane/swagger
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче