mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-09-19 15:09:56 +00:00
47b202554e
This commit adds the Azure SDK for Azure key vault KMS integration to the Ceph CSI driver. Signed-off-by: Praveen M <m.praveen@ibm.com>
96 lines
3.1 KiB
Go
96 lines
3.1 KiB
Go
//go:build go1.18
|
|
// +build go1.18
|
|
|
|
// Copyright (c) Microsoft Corporation. All rights reserved.
|
|
// Licensed under the MIT License.
|
|
|
|
package azidentity
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"net/url"
|
|
"strings"
|
|
|
|
"github.com/AzureAD/microsoft-authentication-library-for-go/apps/public"
|
|
)
|
|
|
|
var supportedAuthRecordVersions = []string{"1.0"}
|
|
|
|
// authenticationRecord is non-secret account information about an authenticated user that user credentials such as
|
|
// [DeviceCodeCredential] and [InteractiveBrowserCredential] can use to access previously cached authentication
|
|
// data. Call these credentials' Authenticate method to get an authenticationRecord for a user.
|
|
type authenticationRecord struct {
|
|
// Authority is the URL of the authority that issued the token.
|
|
Authority string `json:"authority"`
|
|
|
|
// ClientID is the ID of the application that authenticated the user.
|
|
ClientID string `json:"clientId"`
|
|
|
|
// HomeAccountID uniquely identifies the account.
|
|
HomeAccountID string `json:"homeAccountId"`
|
|
|
|
// TenantID identifies the tenant in which the user authenticated.
|
|
TenantID string `json:"tenantId"`
|
|
|
|
// Username is the user's preferred username.
|
|
Username string `json:"username"`
|
|
|
|
// Version of the AuthenticationRecord.
|
|
Version string `json:"version"`
|
|
}
|
|
|
|
// UnmarshalJSON implements json.Unmarshaler for AuthenticationRecord
|
|
func (a *authenticationRecord) UnmarshalJSON(b []byte) error {
|
|
// Default unmarshaling is fine but we want to return an error if the record's version isn't supported i.e., we
|
|
// want to inspect the unmarshalled values before deciding whether to return an error. Unmarshaling a formally
|
|
// different type enables this by assigning all the fields without recursing into this method.
|
|
type r authenticationRecord
|
|
err := json.Unmarshal(b, (*r)(a))
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if a.Version == "" {
|
|
return errors.New("AuthenticationRecord must have a version")
|
|
}
|
|
for _, v := range supportedAuthRecordVersions {
|
|
if a.Version == v {
|
|
return nil
|
|
}
|
|
}
|
|
return fmt.Errorf("unsupported AuthenticationRecord version %q. This module supports %v", a.Version, supportedAuthRecordVersions)
|
|
}
|
|
|
|
// account returns the AuthenticationRecord as an MSAL Account. The account is zero-valued when the AuthenticationRecord is zero-valued.
|
|
func (a *authenticationRecord) account() public.Account {
|
|
return public.Account{
|
|
Environment: a.Authority,
|
|
HomeAccountID: a.HomeAccountID,
|
|
PreferredUsername: a.Username,
|
|
}
|
|
}
|
|
|
|
func newAuthenticationRecord(ar public.AuthResult) (authenticationRecord, error) {
|
|
u, err := url.Parse(ar.IDToken.Issuer)
|
|
if err != nil {
|
|
return authenticationRecord{}, fmt.Errorf("Authenticate expected a URL issuer but got %q", ar.IDToken.Issuer)
|
|
}
|
|
tenant := ar.IDToken.TenantID
|
|
if tenant == "" {
|
|
tenant = strings.Trim(u.Path, "/")
|
|
}
|
|
username := ar.IDToken.PreferredUsername
|
|
if username == "" {
|
|
username = ar.IDToken.UPN
|
|
}
|
|
return authenticationRecord{
|
|
Authority: fmt.Sprintf("%s://%s", u.Scheme, u.Host),
|
|
ClientID: ar.IDToken.Audience,
|
|
HomeAccountID: ar.Account.HomeAccountID,
|
|
TenantID: tenant,
|
|
Username: username,
|
|
Version: "1.0",
|
|
}, nil
|
|
}
|