WIP: Support OIDC in Azure Pipelines

This change teaches `azd` how to login using a service connection for an OIDC like experience when running in Azure Pipelines using service connections and then updates our pipelines to use this authentication strategy. Contributes To #4341
Azure · Sep 20, 2024 · 2ee5a78 · 2ee5a78
1 parent 3b48ae5
commit 2ee5a78
Show file tree

Hide file tree

Showing 11 changed files with 188 additions and 89 deletions.
diff --git a/cli/azd/.vscode/cspell.yaml b/cli/azd/.vscode/cspell.yaml
@@ -26,6 +26,9 @@ dictionaryDefinitions:
 dictionaries:
   - azdProjectDictionary
 overrides:
+  - filename: cmd/auth_login.go
+    words:
+      - ACCESSTOKEN
   - filename: internal/tracing/fields/domains.go
     words:
       - azmk
@@ -110,6 +113,9 @@ overrides:
   - filename: test/functional/testdata/samples/funcapp/getting_started.md
     words:
       - funcignore
+  - filename: test/recording/recording.go
+    words:
+      - oidctoken
   - filename: internal/vsrpc/handler.go
     words:
       - arity

diff --git a/cli/azd/cmd/auth_login.go b/cli/azd/cmd/auth_login.go
@@ -46,18 +46,20 @@ func newAuthLoginFlags(cmd *cobra.Command, global *internal.GlobalCommandOptions
 }
 
 type loginFlags struct {
-	onlyCheckStatus        bool
-	browser                bool
-	managedIdentity        bool
-	useDeviceCode          boolPtr
-	tenantID               string
-	clientID               string
-	clientSecret           stringPtr
-	clientCertificate      string
-	federatedTokenProvider string
-	scopes                 []string
-	redirectPort           int
-	global                 *internal.GlobalCommandOptions
+	onlyCheckStatus         bool
+	browser                 bool
+	managedIdentity         bool
+	useDeviceCode           boolPtr
+	tenantID                string
+	clientID                string
+	clientSecret            stringPtr
+	clientCertificate       string
+	serviceConnectionID     string
+	systemAccessTokenEnvVar string
+	federatedTokenProvider  string
+	scopes                  []string
+	redirectPort            int
+	global                  *internal.GlobalCommandOptions
 }
 
 // stringPtr implements a pflag.Value and allows us to distinguish between a flag value being explicitly set to the empty
@@ -139,6 +141,16 @@ func (lf *loginFlags) Bind(local *pflag.FlagSet, global *internal.GlobalCommandO
 		cClientCertificateFlagName,
 		"",
 		"The path to the client certificate for the service principal to authenticate with.")
+	local.StringVar(
+		&lf.serviceConnectionID,
+		"service-connection-id",
+		"",
+		"The service connection id to authenticate with.")
+	local.StringVar(
+		&lf.systemAccessTokenEnvVar,
+		"system-access-token-environment-variable-name",
+		"SYSTEM_ACCESSTOKEN",
+		"The name of the environment variable that contains the system access token to authenticate with.")
 	local.StringVar(
 		&lf.federatedTokenProvider,
 		cFederatedCredentialProviderFlagName,
@@ -407,6 +419,7 @@ func (la *loginAction) login(ctx context.Context) error {
 		if countTrue(
 			la.flags.clientSecret.ptr != nil,
 			la.flags.clientCertificate != "",
+			la.flags.serviceConnectionID != "",
 			la.flags.federatedTokenProvider != "",
 		) != 1 {
 			return fmt.Errorf(
@@ -457,6 +470,12 @@ func (la *loginAction) login(ctx context.Context) error {
 			); err != nil {
 				return fmt.Errorf("logging in: %w", err)
 			}
+		case la.flags.serviceConnectionID != "":
+			if _, err := la.authManager.LoginWithServiceConnection(
+				ctx, la.flags.tenantID, la.flags.clientID, la.flags.serviceConnectionID, la.flags.systemAccessTokenEnvVar,
+			); err != nil {
+				return fmt.Errorf("logging in: %w", err)
+			}
 		}
 
 		return nil

diff --git a/cli/azd/cmd/testdata/TestUsage-azd-auth-login.snap b/cli/azd/cmd/testdata/TestUsage-azd-auth-login.snap
@@ -5,17 +5,19 @@ Usage
   azd auth login [flags]
 
 Flags
-        --check-status                         	: Checks the log-in status instead of logging in.
-        --client-certificate string            	: The path to the client certificate for the service principal to authenticate with.
-        --client-id string                     	: The client id for the service principal to authenticate with.
-        --client-secret string                 	: The client secret for the service principal to authenticate with. Set to the empty string to read the value from the console.
-        --docs                                 	: Opens the documentation for azd auth login in your web browser.
-        --federated-credential-provider string 	: The provider to use to acquire a federated token to authenticate with.
-    -h, --help                                 	: Gets help for login.
-        --managed-identity                     	: Use a managed identity to authenticate.
-        --redirect-port int                    	: Choose the port to be used as part of the redirect URI during interactive login.
-        --tenant-id string                     	: The tenant id or domain name to authenticate with.
-        --use-device-code                      	: When true, log in by using a device code instead of a browser.
+        --check-status                                         	: Checks the log-in status instead of logging in.
+        --client-certificate string                            	: The path to the client certificate for the service principal to authenticate with.
+        --client-id string                                     	: The client id for the service principal to authenticate with.
+        --client-secret string                                 	: The client secret for the service principal to authenticate with. Set to the empty string to read the value from the console.
+        --docs                                                 	: Opens the documentation for azd auth login in your web browser.
+        --federated-credential-provider string                 	: The provider to use to acquire a federated token to authenticate with.
+    -h, --help                                                 	: Gets help for login.
+        --managed-identity                                     	: Use a managed identity to authenticate.
+        --redirect-port int                                    	: Choose the port to be used as part of the redirect URI during interactive login.
+        --service-connection-id string                         	: The service connection id to authenticate with.
+        --system-access-token-environment-variable-name string 	: The name of the environment variable that contains the system access token to authenticate with.
+        --tenant-id string                                     	: The tenant id or domain name to authenticate with.
+        --use-device-code                                      	: When true, log in by using a device code instead of a browser.
 
 Global Flags
     -C, --cwd string 	: Sets the current working directory.

diff --git a/cli/azd/pkg/auth/manager.go b/cli/azd/pkg/auth/manager.go
@@ -312,11 +312,6 @@ func (m *Manager) CredentialForCurrentUser(
 		}
 		return m.newCredentialFromManagedIdentity(clientID)
 	} else if currentUser.TenantID != nil && currentUser.ClientID != nil {
-		ps, err := m.loadSecret(*currentUser.TenantID, *currentUser.ClientID)
-		if err != nil {
-			return nil, fmt.Errorf("loading secret: %w: %w", err, ErrNoCurrentUser)
-		}
-
 		// by default we used the stored tenant (i.e. the one provided with the tenant id parameter when a user ran
 		// `azd auth login`), but we allow an override using the options bag, when
 		// TenantID is non-empty and PreferFallbackTenant is not true.
@@ -326,6 +321,16 @@ func (m *Manager) CredentialForCurrentUser(
 			tenantID = options.TenantID
 		}
 
+		if currentUser.ServiceConnectionID != nil && currentUser.SystemAccessTokenName != nil {
+			return m.newCredentialFromServiceConnection(
+				tenantID, *currentUser.ClientID, *currentUser.ServiceConnectionID, *currentUser.SystemAccessTokenName)
+		}
+
+		ps, err := m.loadSecret(*currentUser.TenantID, *currentUser.ClientID)
+		if err != nil {
+			return nil, fmt.Errorf("loading secret: %w: %w", err, ErrNoCurrentUser)
+		}
+
 		if ps.ClientSecret != nil {
 			return m.newCredentialFromClientSecret(tenantID, *currentUser.ClientID, *ps.ClientSecret)
 		} else if ps.ClientCertificate != nil {
@@ -481,6 +486,36 @@ func (m *Manager) newCredentialFromClientSecret(
 	return cred, nil
 }
 
+func (m *Manager) newCredentialFromServiceConnection(
+	tenantID string,
+	clientID string,
+	serviceConnectionID string,
+	systemAccessTokenEnvVar string,
+) (azcore.TokenCredential, error) {
+	options := &azidentity.AzurePipelinesCredentialOptions{
+		ClientOptions: azcore.ClientOptions{
+			Transport: m.httpClient,
+			// TODO: Inject client options instead? this can be done if we're OK
+			// using the default user agent string.
+			Cloud: m.cloud.Configuration,
+		},
+	}
+
+	systemAccessToken := os.Getenv(systemAccessTokenEnvVar)
+	if systemAccessToken == "" {
+		// nolint:lll
+		return nil, fmt.Errorf("system access token not found, ensure the System.AccessToken value is mapped to an environment variable named %s", systemAccessTokenEnvVar)
+	}
+
+	cred, err := azidentity.NewAzurePipelinesCredential(
+		tenantID, clientID, serviceConnectionID, systemAccessToken, options)
+	if err != nil {
+		return nil, fmt.Errorf("creating credential: %w: %w", err, ErrNoCurrentUser)
+	}
+
+	return cred, nil
+}
+
 func (m *Manager) newCredentialFromClientCertificate(
 	tenantID string,
 	clientID string,
@@ -688,6 +723,37 @@ func (m *Manager) LoginWithDeviceCode(
 
 }
 
+func (m *Manager) LoginWithServiceConnection(
+	ctx context.Context, tenantID string, clientID string, serviceConnectionID string, systemAccessTokenEnvVar string,
+) (azcore.TokenCredential, error) {
+	systemAccessToken := os.Getenv(systemAccessTokenEnvVar)
+
+	if systemAccessToken == "" {
+		// nolint:lll
+		return nil, fmt.Errorf("system access token not found, ensure the System.AccessToken value is mapped to an environment variable named %s", systemAccessTokenEnvVar)
+	}
+
+	options := &azidentity.AzurePipelinesCredentialOptions{
+		ClientOptions: azcore.ClientOptions{
+			Transport: m.httpClient,
+			// TODO: Inject client options instead? this can be done if we're OK
+			// using the default user agent string.
+			Cloud: m.cloud.Configuration,
+		},
+	}
+
+	cred, err := azidentity.NewAzurePipelinesCredential(tenantID, clientID, serviceConnectionID, systemAccessToken, options)
+	if err != nil {
+		return nil, fmt.Errorf("creating credential: %w", err)
+	}
+
+	if err := m.saveLoginForServiceConnection(tenantID, clientID, serviceConnectionID, systemAccessTokenEnvVar); err != nil {
+		return nil, err
+	}
+
+	return cred, nil
+}
+
 func (m *Manager) LoginWithManagedIdentity(ctx context.Context, clientID string) (azcore.TokenCredential, error) {
 	options := &azidentity.ManagedIdentityCredentialOptions{}
 	if clientID != "" {
@@ -848,6 +914,22 @@ func (m *Manager) saveLoginForManagedIdentity(clientID string) error {
 	return nil
 }
 
+func (m *Manager) saveLoginForServiceConnection(
+	tenantID, clientID, serviceConnectionID, systemAccessTokenEnvVar string,
+) error {
+	props := &userProperties{
+		ClientID:              &clientID,
+		TenantID:              &tenantID,
+		ServiceConnectionID:   &serviceConnectionID,
+		SystemAccessTokenName: &systemAccessTokenEnvVar,
+	}
+	if err := m.saveUserProperties(props); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func (m *Manager) saveLoginForServicePrincipal(tenantId, clientId string, secret *persistedSecret) error {
 	if err := m.saveSecret(tenantId, clientId, secret); err != nil {
 		return err
@@ -1033,11 +1115,13 @@ type federatedAuth struct {
 // either an home account id (when logging in using a public client) or a client and tenant id (when using a confidential
 // client).
 type userProperties struct {
-	ManagedIdentity bool    `json:"managedIdentity,omitempty"`
-	HomeAccountID   *string `json:"homeAccountId,omitempty"`
-	FromOneAuth     bool    `json:"fromOneAuth,omitempty"`
-	ClientID        *string `json:"clientId,omitempty"`
-	TenantID        *string `json:"tenantId,omitempty"`
+	ManagedIdentity       bool    `json:"managedIdentity,omitempty"`
+	HomeAccountID         *string `json:"homeAccountId,omitempty"`
+	FromOneAuth           bool    `json:"fromOneAuth,omitempty"`
+	ClientID              *string `json:"clientId,omitempty"`
+	TenantID              *string `json:"tenantId,omitempty"`
+	ServiceConnectionID   *string `json:"serviceConnectionId,omitempty"`
+	SystemAccessTokenName *string `json:"systemAccessTokenName,omitempty"`
 }
 
 func readUserProperties(cfg config.Config) (*userProperties, error) {

diff --git a/cli/azd/test/functional/deployment_stacks_test.go b/cli/azd/test/functional/deployment_stacks_test.go
@@ -18,8 +18,6 @@ import (
 )
 
 func Test_DeploymentStacks(t *testing.T) {
-	t.Skip("azure/azure-dev#4341")
-
 	t.Run("Subscription_Scope_Up_Down", func(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := newTestContext(t)

diff --git a/cli/azd/test/functional/login_test.go b/cli/azd/test/functional/login_test.go
@@ -53,47 +53,6 @@ func Test_CLI_AuthLoginStatus(t *testing.T) {
 	}
 }
 
-func Test_CLI_LoginServicePrincipal(t *testing.T) {
-	t.Skip("azure/azure-dev#4341")
-
-	ctx, cancel := newTestContext(t)
-	defer cancel()
-
-	dir := t.TempDir()
-
-	cli := azdcli.NewCLI(t)
-	// Isolate login to a separate configuration directory
-	cli.Env = append(cli.Env, "AZD_CONFIG_DIR="+dir)
-	if cfg.ClientID == "" || cfg.TenantID == "" /* || cfg.ClientSecret == "" */ {
-		if cfg.CI {
-			panic("Service principal is not configured. AZD_TEST_* variables are required to be set for live testing.")
-		}
-
-		t.Skip("Skipping test because service principal is not configured. " +
-			"Set the relevant AZD_TEST_* variables to run this test.")
-		return
-	}
-
-	loginState := loginStatus(t, ctx, cli)
-	require.Equal(t, contracts.LoginStatusUnauthenticated, loginState.Status)
-
-	_, err := cli.RunCommand(ctx,
-		"auth", "login",
-		"--client-id", cfg.ClientID,
-		//		"--client-secret", cfg.ClientSecret,
-		"--tenant-id", cfg.TenantID)
-	require.NoError(t, err)
-
-	loginState = loginStatus(t, ctx, cli)
-	require.Equal(t, contracts.LoginStatusSuccess, loginState.Status)
-
-	_, err = cli.RunCommand(ctx, "auth", "logout")
-	require.NoError(t, err)
-
-	loginState = loginStatus(t, ctx, cli)
-	require.Equal(t, contracts.LoginStatusUnauthenticated, loginState.Status)
-}
-
 func loginStatus(t *testing.T, ctx context.Context, cli *azdcli.CLI) contracts.LoginResult {
 	result, err := cli.RunCommand(ctx, "auth", "login", "--check-status", "--output", "json")
 	require.NoError(t, err)

diff --git a/cli/azd/test/recording/recording.go b/cli/azd/test/recording/recording.go
@@ -306,7 +306,9 @@ func Start(t *testing.T, opts ...Options) *Session {
 				strings.Contains(req.URL.Path, "/azure-dev")) ||
 			strings.Contains(req.URL.Host, "azure-dev.azureedge.net") ||
 			strings.Contains(req.URL.Host, "azdrelease.azureedge.net") ||
-			strings.Contains(req.URL.Host, "default.exp-tas.com")
+			strings.Contains(req.URL.Host, "default.exp-tas.com") ||
+			(strings.Contains(req.URL.Host, "dev.azure.com") &&
+				strings.Contains(req.URL.Path, "/oidctoken"))
 	})
 
 	proxy := &connectHandler{

diff --git a/eng/pipelines/templates/jobs/build-cli.yml b/eng/pipelines/templates/jobs/build-cli.yml
@@ -121,9 +121,14 @@ jobs:
           AZD_TEST_AZURE_SUBSCRIPTION_ID: $(SubscriptionId)
           AZD_TEST_AZURE_LOCATION: eastus2
           AZURE_RECORD_MODE: $(AZURE_RECORD_MODE)
-          # AZD Live Test: Terraform authentication via `az`
-          ARM_USE_CLI: true
+          SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+          # AZD Live Test: Terraform authentication via OIDC.
+          ARM_CLIENT_ID: $(arm-client-id)
+          ARM_SUBSCRIPTION_ID: $(SubscriptionId)
           ARM_TENANT_ID: $(arm-tenant-id)
+          ARM_USE_OIDC: true
+          ARM_OIDC_REQUEST_URL: $(arm-oidc-request-url)
+          ARM_OIDC_REQUEST_TOKEN: $(System.AccessToken)
           # Code Coverage: Generate junit report to publish results
           GOTESTSUM_JUNITFILE: junitTestReport.xml
 

diff --git a/eng/pipelines/templates/steps/azd-login.yml b/eng/pipelines/templates/steps/azd-login.yml
@@ -1,9 +1,12 @@
 parameters:
   SubscriptionConfiguration: $(sub-config-azure-cloud-test-resources)
   AzdDirectory: ""
+  ServiceConnectionId: "3d79cc98-46f2-428c-bdd5-861414f85602"
 
 steps:
   - pwsh: |
+      Get-ChildItem Env: | Sort-Object Name | Format-List
+
       $azdCmd = "azd"
 
       if ("${{ parameters.AzdDirectory }}" -ne "") {
@@ -14,8 +17,10 @@ steps:
         ${{ parameters.SubscriptionConfiguration }}
       '@ | ConvertFrom-Json -AsHashtable;
 
-      # Delegate auth to az CLI which supports federated auth in AzDo
-      & $azdCmd config set auth.useAzCliAuth true
+      & $azdCmd login `
+        --client-id "$($subscriptionConfiguration.TestApplicationId)" `
+        --tenant-id "$($subscriptionConfiguration.TenantId)" `
+        --service-connection-id "${{ parameters.ServiceConnectionId }}"
 
       if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
 
@@ -27,8 +32,11 @@ steps:
       Write-Host "##vso[task.setvariable variable=SubscriptionId]$($subscriptionConfiguration.SubscriptionId)"
 
       # Export service principal auth information for terraform testing
+      Write-Host "##vso[task.setvariable variable=arm-oidc-request-url;issecret=false]$($env:SYSTEM_OIDCREQUESTURI)?api-version=7.1&serviceConnectionId=${{ parameters.ServiceConnectionId }}"
       Write-Host "##vso[task.setvariable variable=arm-client-id;issecret=false]$($subscriptionConfiguration.TestApplicationId)"
       Write-Host "##vso[task.setvariable variable=arm-tenant-id;issecret=false]$($subscriptionConfiguration.TenantId)"
 
     condition: and(succeeded(), ne(variables['Skip.LiveTest'], 'true'))
     displayName: Azure Dev Login
+    env:
+      SYSTEM_ACCESSTOKEN: $(System.AccessToken)