update login code

DESCRIPTION

@@ -1,6 +1,6 @@
 Package: AzureRMR
 Title: Interface to 'Azure Resource Manager'
-Version: 2.1.0
+Version: 2.1.0.9000
 Authors@R: c(
     person("Hong", "Ooi", , "hongooi@microsoft.com", role = c("aut", "cre")),
     person("Microsoft", role="cph")

NEWS.md

@@ -1,3 +1,7 @@
+# AzureRMR 2.1.0.9000
+
+* Some refactoring of login code to better handle AzureAuth options.
+
 # AzureRMR 2.1.0
 
 * This version adds basic support for role-based access control (RBAC) at subscription, resource group and resource level. Add and remove role assignments, and retrieve role definitions. See `?rbac` for more information.

R/az_login.R

@@ -4,6 +4,7 @@
 #' @param app The client/app ID to use to authenticate with Azure Active Directory. The default is to login interactively using the Azure CLI cross-platform app, but you can supply your own app credentials as well.
 #' @param password If `auth_type == "client_credentials"`, the app secret; if `auth_type == "resource_owner"`, your account password.
 #' @param username If `auth_type == "resource_owner"`, your username.
+#' @param certificate If `auth_type == "client_credentials", a certificate to authenticate with. This is a more secure alternative to using an app secret.
 #' @param auth_type The OAuth authentication method to use, one of "client_credentials", "authorization_code", "device_code" or "resource_owner". If `NULL`, this is chosen based on the presence of the `username` and `password` arguments.
 #' @param host Your ARM host. Defaults to `https://management.azure.com/`. Change this if you are using a government or private cloud.
 #' @param aad_host Azure Active Directory host for authentication. Defaults to `https://login.microsoftonline.com/`. Change this if you are using a government or private cloud.
@@ -11,7 +12,7 @@
 #' @param refresh For `get_azure_login`, whether to refresh the authentication token on loading the client.
 #' @param selection For `get_azure_login`, if you have multiple logins for a given tenant, which one to use. This can be a number, or the input MD5 hash of the token used for the login. If not supplied, `get_azure_login` will print a menu and ask you to choose a login.
 #' @param confirm For `delete_azure_login`, whether to ask for confirmation before deleting.
-#' @param ... Other arguments passed to `az_rm$new()`.
+#' @param ... Other arguments passed to `get_azure_token`.
 #'
 #' @details
 #' `create_azure_login` creates a login client to authenticate with Azure Resource Manager (ARM), using the supplied arguments. The Azure Active Directory (AAD) authentication token is obtained using [get_azure_token], which automatically caches and reuses tokens for subsequent sessions. Note that credentials are only cached if you allowed AzureRMR to create a data directory at package startup.
@@ -49,9 +50,9 @@
 #' # retrieve the login in subsequent sessions
 #' az <- get_azure_login()
 #'
-#' # this will create a Resource Manager client for the AAD tenant 'microsoft.onmicrosoft.com',
+#' # this will create a Resource Manager client for the AAD tenant 'myaadtenant.onmicrosoft.com',
 #' # using the client_credentials method
-#' az <- create_azure_login("microsoft", app="{app_id}", password="{password}")
+#' az <- create_azure_login("myaadtenant", app="app_id", password="password")
 #'
 #' # you can also login using credentials in a json file
 #' az <- create_azure_login(config_file="~/creds.json")
@@ -59,31 +60,31 @@
 #' }
 #' @rdname azure_login
 #' @export
-create_azure_login <- function(tenant="common", app=.az_cli_app_id, password=NULL, username=NULL, auth_type=NULL,
+create_azure_login <- function(tenant="common", app=.az_cli_app_id,
+                               password=NULL, username=NULL, certificate=NULL, auth_type=NULL,
                                host="https://management.azure.com/", aad_host="https://login.microsoftonline.com/",
                                config_file=NULL, ...)
 {
+    tenant <- normalize_tenant(tenant)
+    app <- normalize_guid(app)
+
+    token_args <- list(resource=host, 
+        tenant=tenant, 
+        app=app, 
+        password=password, 
+        username=username,
+        certificate=certificate,
+        auth_type=auth_type, 
+        aad_host=aad_host,
+        ...)
+
     if(!is.null(config_file))
     {
         conf <- jsonlite::fromJSON(config_file)
-        if(!is.null(conf$tenant)) tenant <- conf$tenant
-        if(!is.null(conf$app)) app <- conf$app
-        if(!is.null(conf$auth_type)) auth_type <- conf$auth_type
-        if(!is.null(conf$password)) password <- conf$password
-        if(!is.null(conf$username)) username <- conf$username
-        if(!is.null(conf$host)) host <- conf$host
-        if(!is.null(conf$aad_host)) aad_host <- conf$aad_host
+        token_args <- modifyList(token_args, conf)
     }
 
-    hash <- token_hash(
-        resource=host,
-        tenant=tenant,
-        app=app,
-        password=password,
-        username=username,
-        auth_type=auth_type,
-        aad_host=aad_host
-    )
+    hash <- do.call(token_hash, token_args)
     tokenfile <- file.path(AzureR_dir(), hash)
     if(file.exists(tokenfile))
     {
@@ -91,11 +92,9 @@ create_azure_login <- function(tenant="common", app=.az_cli_app_id, password=NUL
         file.remove(tokenfile)
     }
 
-    tenant <- normalize_tenant(tenant)
-    app <- normalize_guid(app)
-
     message("Creating Azure Resource Manager login for ", format_tenant(tenant))
-    client <- az_rm$new(tenant, app, password, username, auth_type, host, aad_host, config_file, ...)
+    token <- do.call(get_azure_token, token_args)
+    client <- az_rm$new(token=token)
 
     # save login info for future sessions
     arm_logins <- load_arm_logins()

R/az_rm.R

@@ -19,9 +19,11 @@
 #' - `app`: The client/app ID to use to authenticate with Azure Active Directory. The default is to login interactively using the Azure CLI cross-platform app, but it's recommended to supply your own app credentials if possible.
 #' - `password`: if `auth_type == "client_credentials"`, the app secret; if `auth_type == "resource_owner"`, your account password.
 #' - `username`: if `auth_type == "resource_owner"`, your username.
+#' - `certificate`: If `auth_type == "client_credentials", a certificate to authenticate with. This is a more secure alternative to using an app secret.
 #' - `auth_type`: The OAuth authentication method to use, one of "client_credentials", "authorization_code", "device_code" or "resource_owner". See [get_azure_token] for how the default method is chosen, along with some caveats.
 #' - `host`: your ARM host. Defaults to `https://management.azure.com/`. Change this if you are using a government or private cloud.
 #' - `aad_host`: Azure Active Directory host for authentication. Defaults to `https://login.microsoftonline.com/`. Change this if you are using a government or private cloud.
+#' - `...`: Further arguments to pass to `get_azure_token`.
 #' - `config_file`: Optionally, a JSON file containing any of the arguments listed above. Arguments supplied in this file take priority over those supplied on the command line. You can also use the output from the Azure CLI `az ad sp create-for-rbac` command.
 #' - `token`: Optionally, an OAuth 2.0 token, of class [AzureToken]. This allows you to reuse the authentication details for an existing session. If supplied, all other arguments will be ignored.
 #'
@@ -60,9 +62,10 @@ public=list(
     token=NULL,
 
     # authenticate and get subscriptions
-    initialize=function(tenant="common", app=.az_cli_app_id, password=NULL, username=NULL, auth_type=NULL,
+    initialize=function(tenant="common", app=.az_cli_app_id,
+                        password=NULL, username=NULL, certificate=NULL, auth_type=NULL,
                         host="https://management.azure.com/", aad_host="https://login.microsoftonline.com/",
-                        config_file=NULL, token=NULL)
+                        ..., config_file=NULL, token=NULL)
     {
         if(is_azure_token(token))
         {
@@ -79,27 +82,27 @@ public=list(
             return(NULL)
         }
 
-        if(!is.null(config_file))
-        {
-            conf <- jsonlite::fromJSON(config_file)
-            if(!is.null(conf$tenant)) tenant <- conf$tenant
-            if(!is.null(conf$app)) app <- conf$app
-            if(!is.null(conf$auth_type)) auth_type <- conf$auth_type
-            if(!is.null(conf$password)) password <- conf$password
-            if(!is.null(conf$username)) username <- conf$username
-            if(!is.null(conf$host)) host <- conf$host
-            if(!is.null(conf$aad_host)) aad_host <- conf$aad_host
-        }
         self$host <- host
         self$tenant <- normalize_tenant(tenant)
         app <- normalize_guid(app)
-        self$token <- get_azure_token(self$host, 
-            tenant=self$tenant, 
-            app=app, 
-            password=password, 
+
+        token_args <- list(resource=self$host,
+            tenant=self$tenant,
+            app=app,
+            password=password,
             username=username, 
-            auth_type=auth_type, 
-            aad_host=aad_host)
+            certificate=certificate,
+            auth_type=auth_type,
+            aad_host=aad_host,
+            ...)
+
+        if(!is.null(config_file))
+        {
+            conf <- jsonlite::fromJSON(config_file)
+            token_args <- modifyList(token_args, conf)
+        }
+
+        self$token <- do.call(get_azure_token, token_args)
         NULL
     },
 

man/az_rm.Rd

@@ -31,9 +31,11 @@ To authenticate with the \code{az_rm} class directly, provide the following argu
 \item \code{app}: The client/app ID to use to authenticate with Azure Active Directory. The default is to login interactively using the Azure CLI cross-platform app, but it's recommended to supply your own app credentials if possible.
 \item \code{password}: if \code{auth_type == "client_credentials"}, the app secret; if \code{auth_type == "resource_owner"}, your account password.
 \item \code{username}: if \code{auth_type == "resource_owner"}, your username.
+\item \code{certificate}: If `auth_type == "client_credentials", a certificate to authenticate with. This is a more secure alternative to using an app secret.
 \item \code{auth_type}: The OAuth authentication method to use, one of "client_credentials", "authorization_code", "device_code" or "resource_owner". See \link{get_azure_token} for how the default method is chosen, along with some caveats.
 \item \code{host}: your ARM host. Defaults to \code{https://management.azure.com/}. Change this if you are using a government or private cloud.
 \item \code{aad_host}: Azure Active Directory host for authentication. Defaults to \code{https://login.microsoftonline.com/}. Change this if you are using a government or private cloud.
+\item \code{...}: Further arguments to pass to \code{get_azure_token}.
 \item \code{config_file}: Optionally, a JSON file containing any of the arguments listed above. Arguments supplied in this file take priority over those supplied on the command line. You can also use the output from the Azure CLI \code{az ad sp create-for-rbac} command.
 \item \code{token}: Optionally, an OAuth 2.0 token, of class \link{AzureToken}. This allows you to reuse the authentication details for an existing session. If supplied, all other arguments will be ignored.
 }

man/azure_login.Rd

@@ -8,8 +8,8 @@
 \title{Login to Azure Resource Manager}
 \usage{
 create_azure_login(tenant = "common", app = .az_cli_app_id,
-  password = NULL, username = NULL, auth_type = NULL,
-  host = "https://management.azure.com/",
+  password = NULL, username = NULL, certificate = NULL,
+  auth_type = NULL, host = "https://management.azure.com/",
   aad_host = "https://login.microsoftonline.com/", config_file = NULL,
   ...)
 
@@ -28,6 +28,8 @@ list_azure_logins()
 
 \item{username}{If \code{auth_type == "resource_owner"}, your username.}
 
+\item{certificate}{If `auth_type == "client_credentials", a certificate to authenticate with. This is a more secure alternative to using an app secret.}
+
 \item{auth_type}{The OAuth authentication method to use, one of "client_credentials", "authorization_code", "device_code" or "resource_owner". If \code{NULL}, this is chosen based on the presence of the \code{username} and \code{password} arguments.}
 
 \item{host}{Your ARM host. Defaults to \code{https://management.azure.com/}. Change this if you are using a government or private cloud.}
@@ -36,7 +38,7 @@ list_azure_logins()
 
 \item{config_file}{Optionally, a JSON file containing any of the arguments listed above. Arguments supplied in this file take priority over those supplied on the command line. You can also use the output from the Azure CLI \code{az ad sp create-for-rbac} command.}
 
-\item{...}{Other arguments passed to \code{az_rm$new()}.}
+\item{...}{Other arguments passed to \code{get_azure_token}.}
 
 \item{selection}{For \code{get_azure_login}, if you have multiple logins for a given tenant, which one to use. This can be a number, or the input MD5 hash of the token used for the login. If not supplied, \code{get_azure_login} will print a menu and ask you to choose a login.}