mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-10-19 05:39:51 +00:00
b658290b37
Bumps [github.com/Azure/azure-sdk-for-go/sdk/azidentity](https://github.com/Azure/azure-sdk-for-go) from 1.5.1 to 1.6.0. - [Release notes](https://github.com/Azure/azure-sdk-for-go/releases) - [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md) - [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/internal/v1.5.1...sdk/azcore/v1.6.0) --- updated-dependencies: - dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azidentity dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
86 lines
3.8 KiB
Go
86 lines
3.8 KiB
Go
//go:build go1.18
|
|
// +build go1.18
|
|
|
|
// Copyright (c) Microsoft Corporation. All rights reserved.
|
|
// Licensed under the MIT License.
|
|
|
|
package azidentity
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
|
|
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
|
|
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
|
|
"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
|
|
"github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential"
|
|
)
|
|
|
|
const credNameAssertion = "ClientAssertionCredential"
|
|
|
|
// ClientAssertionCredential authenticates an application with assertions provided by a callback function.
|
|
// This credential is for advanced scenarios. [ClientCertificateCredential] has a more convenient API for
|
|
// the most common assertion scenario, authenticating a service principal with a certificate. See
|
|
// [Microsoft Entra ID documentation] for details of the assertion format.
|
|
//
|
|
// [Microsoft Entra ID documentation]: https://learn.microsoft.com/entra/identity-platform/certificate-credentials#assertion-format
|
|
type ClientAssertionCredential struct {
|
|
client *confidentialClient
|
|
}
|
|
|
|
// ClientAssertionCredentialOptions contains optional parameters for ClientAssertionCredential.
|
|
type ClientAssertionCredentialOptions struct {
|
|
azcore.ClientOptions
|
|
|
|
// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens.
|
|
// Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the
|
|
// application is registered.
|
|
AdditionallyAllowedTenants []string
|
|
|
|
// DisableInstanceDiscovery should be set true only by applications authenticating in disconnected clouds, or
|
|
// private clouds such as Azure Stack. It determines whether the credential requests Microsoft Entra instance metadata
|
|
// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
|
|
// the application responsible for ensuring the configured authority is valid and trustworthy.
|
|
DisableInstanceDiscovery bool
|
|
|
|
// tokenCachePersistenceOptions enables persistent token caching when not nil.
|
|
tokenCachePersistenceOptions *tokenCachePersistenceOptions
|
|
}
|
|
|
|
// NewClientAssertionCredential constructs a ClientAssertionCredential. The getAssertion function must be thread safe. Pass nil for options to accept defaults.
|
|
func NewClientAssertionCredential(tenantID, clientID string, getAssertion func(context.Context) (string, error), options *ClientAssertionCredentialOptions) (*ClientAssertionCredential, error) {
|
|
if getAssertion == nil {
|
|
return nil, errors.New("getAssertion must be a function that returns assertions")
|
|
}
|
|
if options == nil {
|
|
options = &ClientAssertionCredentialOptions{}
|
|
}
|
|
cred := confidential.NewCredFromAssertionCallback(
|
|
func(ctx context.Context, _ confidential.AssertionRequestOptions) (string, error) {
|
|
return getAssertion(ctx)
|
|
},
|
|
)
|
|
msalOpts := confidentialClientOptions{
|
|
AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
|
|
ClientOptions: options.ClientOptions,
|
|
DisableInstanceDiscovery: options.DisableInstanceDiscovery,
|
|
tokenCachePersistenceOptions: options.tokenCachePersistenceOptions,
|
|
}
|
|
c, err := newConfidentialClient(tenantID, clientID, credNameAssertion, cred, msalOpts)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &ClientAssertionCredential{client: c}, nil
|
|
}
|
|
|
|
// GetToken requests an access token from Microsoft Entra ID. This method is called automatically by Azure SDK clients.
|
|
func (c *ClientAssertionCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
|
|
var err error
|
|
ctx, endSpan := runtime.StartSpan(ctx, credNameAssertion+"."+traceOpGetToken, c.client.azClient.Tracer(), nil)
|
|
defer func() { endSpan(err) }()
|
|
tk, err := c.client.GetToken(ctx, opts)
|
|
return tk, err
|
|
}
|
|
|
|
var _ azcore.TokenCredential = (*ClientAssertionCredential)(nil)
|