Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor: feature-toggled authentication methods #2199

Merged
merged 18 commits into from
Nov 6, 2018
Merged

Conversation

tombuildsstuff
Copy link
Contributor

@tombuildsstuff tombuildsstuff commented Oct 31, 2018

This PR refactors the authentication package such that it's capable of supporting multiple authentication methods which may be feature toggled on or off. This is the second step in refactoring the authentication package out into it's own library such that it can be consumed in Terraform Core(for the AzureRM Backend), the Azure Stack Provider and this Provider.

Due to the nature of the fact this is authentication related; this may require some additional unit testing and some manual UX testing to ensure we're supporting all the known scenarios:

  • Azure CLI
    • Parsing the ClientID, Subscription ID and Tenant ID when nothings specified
    • Parsing the Tenant ID when the Subscription ID is specified
    • Parsing the Client ID when the Subscription ID & Tenant ID are specified

  • CloudShell
    • Parsing the ClientID, Subscription ID and Tenant ID when nothings specified
    • Parsing the Tenant ID when the Subscription Id is specified
    • Parsing the Client ID when the Subscription ID & Tenant ID are specified

  • Managed Service Identity
  • Service Principal Client Certificate (this is intentionally feature-toggled off)
  • Service Principal Client Secret

@tombuildsstuff
Copy link
Contributor Author

Acceptance Tests still pass - so that works too 🙌

 $ acctests azurerm TestAccAzureRMResourceGroup_withTags
=== RUN   TestAccAzureRMResourceGroup_withTags
--- PASS: TestAccAzureRMResourceGroup_withTags (88.29s)
PASS
ok  	github.com/terraform-providers/terraform-provider-azurerm/azurerm	90.068s

Copy link
Contributor Author

@tombuildsstuff tombuildsstuff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some comments on the first skim-thru

azurerm/helpers/authentication/builder.go Outdated Show resolved Hide resolved
azurerm/helpers/authentication/config.go Outdated Show resolved Hide resolved
azurerm/helpers/authentication/builder.go Show resolved Hide resolved
azurerm/helpers/authentication/builder.go Show resolved Hide resolved
azurerm/helpers/authentication/config.go Show resolved Hide resolved
@tombuildsstuff tombuildsstuff force-pushed the refactor/auth branch 2 times, most recently from 5fc8593 to 925061f Compare November 2, 2018 19:23
if a.tenantId == "" {
err = multierror.Append(err, fmt.Errorf(fmtErrorMessage, "Tenant ID"))
}
if a.environment == "" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seems like some of these fields aren't used, do they have to be required?

Copy link
Collaborator

@katbyte katbyte left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aside from a couple comments LGTM 👍

feature toggling support for service principal client secret
making a bunch of the methods private

tests pass:

```
$ go test -v ./azurerm/helpers/authentication/
=== RUN   TestAzureCLIParsingAuth_validate
--- PASS: TestAzureCLIParsingAuth_validate (0.00s)
=== RUN   TestServicePrincipalClientSecretAuth_builder
--- PASS: TestServicePrincipalClientSecretAuth_builder (0.00s)
=== RUN   TestServicePrincipalClientSecretAuth_validate
--- PASS: TestServicePrincipalClientSecretAuth_validate (0.00s)
=== RUN   TestManagedServiceIdentity_builder
2018/10/31 23:24:40 [DEBUG] Using MSI endpoint "https://hello-world"
--- PASS: TestManagedServiceIdentity_builder (0.00s)
=== RUN   TestManagedServiceIdentity_validate
--- PASS: TestManagedServiceIdentity_validate (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_InvalidDate
--- PASS: TestAzureFindValidAccessTokenForTenant_InvalidDate (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_Expired
2018/10/31 23:24:40 [DEBUG] Token "7cabcf30-8dca-43f9-91e6-fd56dfb8632f" has expired
--- PASS: TestAzureFindValidAccessTokenForTenant_Expired (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_ExpiringIn
--- PASS: TestAzureFindValidAccessTokenForTenant_ExpiringIn (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_InvalidManagementDomain
2018/10/31 23:24:40 [DEBUG] Resource "https://portal.azure.com/" isn't a management domain
--- PASS: TestAzureFindValidAccessTokenForTenant_InvalidManagementDomain (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_DifferentTenant
2018/10/31 23:24:40 [DEBUG] Resource "https://management.core.windows.net/" isn't for the correct Tenant
--- PASS: TestAzureFindValidAccessTokenForTenant_DifferentTenant (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_ValidFromCloudShell
--- PASS: TestAzureFindValidAccessTokenForTenant_ValidFromCloudShell (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_ValidFromAzureCLI
--- PASS: TestAzureFindValidAccessTokenForTenant_ValidFromAzureCLI (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_NoTokens
--- PASS: TestAzureFindValidAccessTokenForTenant_NoTokens (0.00s)
=== RUN   TestAzureCliProfile_populateSubscriptionIdMissing
--- PASS: TestAzureCliProfile_populateSubscriptionIdMissing (0.00s)
=== RUN   TestAzureCliProfile_populateSubscriptionIdNoDefault
--- PASS: TestAzureCliProfile_populateSubscriptionIdNoDefault (0.00s)
=== RUN   TestAzureCliProfile_populateSubscriptionIdValid
--- PASS: TestAzureCliProfile_populateSubscriptionIdValid (0.00s)
=== RUN   TestAzureCliProfile_populateTenantIdEmpty
--- PASS: TestAzureCliProfile_populateTenantIdEmpty (0.00s)
=== RUN   TestAzureCliProfile_populateTenantIdMissingSubscription
--- PASS: TestAzureCliProfile_populateTenantIdMissingSubscription (0.00s)
=== RUN   TestAzureCliProfile_populateTenantIdValid
--- PASS: TestAzureCliProfile_populateTenantIdValid (0.00s)
=== RUN   TestAzureCLIProfileFindDefaultSubscription
--- PASS: TestAzureCLIProfileFindDefaultSubscription (0.00s)
=== RUN   TestAzureCLIProfileFindSubscription
--- PASS: TestAzureCLIProfileFindSubscription (0.00s)
=== RUN   TestAzureEnvironmentNames
--- PASS: TestAzureEnvironmentNames (0.00s)
PASS
ok  	github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/authentication	0.791s
```
NOTE: this is /intentionally/ feature-toggled off for now
Tests pass:

```
$ go test -v ./azurerm/helpers/authentication/
=== RUN   TestAzureCLIParsingAuth_isApplicable
--- PASS: TestAzureCLIParsingAuth_isApplicable (0.00s)
=== RUN   TestAzureCLIParsingAuth_populateConfig
--- PASS: TestAzureCLIParsingAuth_populateConfig (0.00s)
=== RUN   TestAzureCLIParsingAuth_validate
--- PASS: TestAzureCLIParsingAuth_validate (0.00s)
=== RUN   TestServicePrincipalClientCertAuth_builder
--- PASS: TestServicePrincipalClientCertAuth_builder (0.00s)
=== RUN   TestServicePrincipalClientCertAuth_isApplicable
--- PASS: TestServicePrincipalClientCertAuth_isApplicable (0.00s)
=== RUN   TestServicePrincipalClientCertAuth_populateConfig
--- PASS: TestServicePrincipalClientCertAuth_populateConfig (0.00s)
=== RUN   TestServicePrincipalClientCertAuth_validate
--- PASS: TestServicePrincipalClientCertAuth_validate (0.00s)
=== RUN   TestServicePrincipalClientSecretAuth_builder
--- PASS: TestServicePrincipalClientSecretAuth_builder (0.00s)
=== RUN   TestServicePrincipalClientSecretAuth_isApplicable
--- PASS: TestServicePrincipalClientSecretAuth_isApplicable (0.00s)
=== RUN   TestServicePrincipalClientSecretAuth_populateConfig
--- PASS: TestServicePrincipalClientSecretAuth_populateConfig (0.00s)
=== RUN   TestServicePrincipalClientSecretAuth_validate
--- PASS: TestServicePrincipalClientSecretAuth_validate (0.00s)
=== RUN   TestManagedServiceIdentity_builder
2018/11/06 14:18:37 [DEBUG] Using MSI endpoint "https://hello-world"
--- PASS: TestManagedServiceIdentity_builder (0.00s)
=== RUN   TestManagedServiceIdentity_isApplicable
--- PASS: TestManagedServiceIdentity_isApplicable (0.00s)
=== RUN   TestManagedServiceIdentity_populateConfig
--- PASS: TestManagedServiceIdentity_populateConfig (0.00s)
=== RUN   TestManagedServiceIdentity_validate
--- PASS: TestManagedServiceIdentity_validate (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_InvalidDate
--- PASS: TestAzureFindValidAccessTokenForTenant_InvalidDate (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_Expired
2018/11/06 14:18:37 [DEBUG] Token "7cabcf30-8dca-43f9-91e6-fd56dfb8632f" has expired
--- PASS: TestAzureFindValidAccessTokenForTenant_Expired (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_ExpiringIn
--- PASS: TestAzureFindValidAccessTokenForTenant_ExpiringIn (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_InvalidManagementDomain
2018/11/06 14:18:37 [DEBUG] Resource "https://portal.azure.com/" isn't a management domain
--- PASS: TestAzureFindValidAccessTokenForTenant_InvalidManagementDomain (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_DifferentTenant
2018/11/06 14:18:37 [DEBUG] Resource "https://management.core.windows.net/" isn't for the correct Tenant
--- PASS: TestAzureFindValidAccessTokenForTenant_DifferentTenant (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_ValidFromCloudShell
--- PASS: TestAzureFindValidAccessTokenForTenant_ValidFromCloudShell (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_ValidFromAzureCLI
--- PASS: TestAzureFindValidAccessTokenForTenant_ValidFromAzureCLI (0.00s)
=== RUN   TestAzureFindValidAccessTokenForTenant_NoTokens
--- PASS: TestAzureFindValidAccessTokenForTenant_NoTokens (0.00s)
=== RUN   TestAzureCliProfile_populateSubscriptionIdMissing
--- PASS: TestAzureCliProfile_populateSubscriptionIdMissing (0.00s)
=== RUN   TestAzureCliProfile_populateSubscriptionIdNoDefault
--- PASS: TestAzureCliProfile_populateSubscriptionIdNoDefault (0.00s)
=== RUN   TestAzureCliProfile_populateSubscriptionIdValid
--- PASS: TestAzureCliProfile_populateSubscriptionIdValid (0.00s)
=== RUN   TestAzureCliProfile_populateTenantIdEmpty
--- PASS: TestAzureCliProfile_populateTenantIdEmpty (0.00s)
=== RUN   TestAzureCliProfile_populateTenantIdMissingSubscription
--- PASS: TestAzureCliProfile_populateTenantIdMissingSubscription (0.00s)
=== RUN   TestAzureCliProfile_populateTenantIdValid
--- PASS: TestAzureCliProfile_populateTenantIdValid (0.00s)
=== RUN   TestAzureCLIProfileFindDefaultSubscription
--- PASS: TestAzureCLIProfileFindDefaultSubscription (0.00s)
=== RUN   TestAzureCLIProfileFindSubscription
--- PASS: TestAzureCLIProfileFindSubscription (0.00s)
=== RUN   TestAzureEnvironmentNames
--- PASS: TestAzureEnvironmentNames (0.00s)
PASS
ok  	github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/authentication	0.851s
```
@ghost
Copy link

ghost commented Mar 6, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 6, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants