Merge pull request #5227 from markcowl/msilogin

Managed Service Identity Login

Author: maddieclayton

src/Common/Commands.Common.Authentication.Abstractions/AzureAccount.cs

@@ -84,7 +84,8 @@ public static class AccountType
             public const string Certificate = "Certificate",
             User = "User",
             ServicePrincipal = "ServicePrincipal",
-            AccessToken = "AccessToken";
+            AccessToken = "AccessToken",
+            ManagedService = "ManagedService";
         }
 
         /// <summary>
@@ -117,7 +118,12 @@ public static class Property
         /// <summary>
         /// Thumbprint for associated certificate
         /// </summary>
-        CertificateThumbprint = "CertificateThumbprint";
+        CertificateThumbprint = "CertificateThumbprint",
+
+        /// <summary>
+        /// Login Uri for Managed Service Login
+        /// </summary>
+        MSILoginUri = "MSILoginUri";
 
 
         }

src/Common/Commands.Common.Authentication.Abstractions/Interfaces/IExtensibleSettings.cs

@@ -1,5 +1,4 @@
-using System;
-// ----------------------------------------------------------------------------------
+// ----------------------------------------------------------------------------------
 //
 // Copyright Microsoft Corporation
 // Licensed under the Apache License, Version 2.0 (the "License");

src/Common/Commands.Common.Authentication.Abstractions/Properties/AssemblyInfo.cs

@@ -47,4 +47,4 @@
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
 [assembly: AssemblyVersion("1.0.0.0")]
-[assembly: AssemblyFileVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.1.0.0")]

src/Common/Commands.Common.Authentication.Test/AuthenticationFactoryTests.cs

@@ -22,11 +22,20 @@
 using Xunit;
 using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
 using System.Linq;
+using Microsoft.Azure.Commands.Common.Authentication.Test;
+using Microsoft.WindowsAzure.Commands.Utilities.Common;
+using Xunit.Abstractions;
 
 namespace Common.Authentication.Test
 {
     public class AuthenticationFactoryTests
     {
+        ITestOutputHelper _output;
+        public AuthenticationFactoryTests(ITestOutputHelper output)
+        {
+            _output = output;
+        }
+
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         public void VerifySubscriptionTokenCacheRemove()
@@ -135,6 +144,59 @@ public void CanAuthenticateWithAccessToken()
             VerifyToken(checkKVToken, kvToken, userId, tenant);
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void CanAuthenticateUsingMSIDefault()
+        {
+            AzureSessionInitializer.InitializeAzureSession();
+            string expectedAccessToken = Guid.NewGuid().ToString();
+            _output.WriteLine("Expected access token for default URI: {0}", expectedAccessToken);
+            string expectedToken2 = Guid.NewGuid().ToString();
+            string tenant = Guid.NewGuid().ToString();
+            _output.WriteLine("Expected access token for custom URI: {0}", expectedToken2);
+            string userId = "[email protected]";
+            var account = new AzureAccount
+            {
+                Id = userId,
+                Type = AzureAccount.AccountType.ManagedService
+            };
+            var environment = AzureEnvironment.PublicEnvironments["AzureCloud"];
+            var expectedResource = environment.ActiveDirectoryServiceEndpointResourceId;
+            var builder = new UriBuilder(AuthenticationFactory.DefaultMSILoginUri);
+            builder.Query = string.Format("resource={0}", Uri.EscapeDataString(environment.ActiveDirectoryServiceEndpointResourceId));
+            var defaultUri = builder.Uri.ToString();
+
+            var responses = new Dictionary<string, ManagedServiceTokenInfo>(StringComparer.OrdinalIgnoreCase)
+            {
+                {defaultUri, new ManagedServiceTokenInfo { AccessToken = expectedAccessToken, ExpiresIn = 3600, Resource=expectedResource}},
+                {"http://myfunkyurl:10432/oauth2/token?resource=foo", new ManagedServiceTokenInfo { AccessToken = expectedToken2, ExpiresIn = 3600, Resource="foo"} }
+            };
+            AzureSession.Instance.RegisterComponent(HttpClientOperationsFactory.Name, () => TestHttpOperationsFactory.Create(responses, _output), true);
+            var authFactory = new AuthenticationFactory();
+            var token = authFactory.Authenticate(account, environment, tenant, null, null, null);
+            _output.WriteLine($"Received access token for default Uri ${token.AccessToken}");
+            Assert.Equal(expectedAccessToken, token.AccessToken);
+            var account2 = new AzureAccount
+            {
+                Id = userId,
+                Type = AzureAccount.AccountType.ManagedService
+            };
+            account2.SetProperty(AzureAccount.Property.MSILoginUri, "http://myfunkyurl:10432/oauth2/token");
+            var token2 = authFactory.Authenticate(account2, environment, tenant, null, null, null, "foo");
+            _output.WriteLine($"Received access token for custom Uri ${token2.AccessToken}");
+            Assert.Equal(expectedToken2, token2.AccessToken);
+            var token3 = authFactory.Authenticate(account, environment, tenant, null, null, null, "bar");
+            Assert.Throws<InvalidOperationException>(() => token3.AccessToken);
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        void ResponseRedactionWorks()
+        {
+            Assert.Equal("   \"access_token\": \"<redacted>\"", GeneralUtilities.TransformBody("   \"access_token\": \"eyJo1234567\""));
+            Assert.Equal("   \"foo\": \"bar\"", GeneralUtilities.TransformBody("   \"foo\": \"bar\""));
+        }
+
         void VerifyToken(IAccessToken checkToken, string expectedAccessToken, string expectedUserId, string expectedTenant)
         {
 

src/Common/Commands.Common.Authentication.Test/Commands.Common.Authentication.Test.csproj

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="12.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <Import Project="..\..\packages\xunit.runner.visualstudio.2.1.0\build\net20\xunit.runner.visualstudio.props" Condition="Exists('..\..\packages\xunit.runner.visualstudio.2.1.0\build\net20\xunit.runner.visualstudio.props')" />
-  <Import Project="..\..\packages\xunit.core.2.1.0\build\portable-net45+win8+wp8+wpa81\xunit.core.props" Condition="Exists('..\..\packages\xunit.core.2.1.0\build\portable-net45+win8+wp8+wpa81\xunit.core.props')" />
+  <Import Project="..\..\packages\xunit.core.2.1.0\build\portable-net45+win8+wp8+wpa81\xunit.core.props"  Condition="Exists('..\..\packages\xunit.core.2.1.0\build\portable-net45+win8+wp8+wpa81\xunit.core.props')"/>
   <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
   <PropertyGroup>
     <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
@@ -132,6 +132,7 @@
       <DesignTime>True</DesignTime>
       <DependentUpon>Resources.resx</DependentUpon>
     </Compile>
+    <Compile Include="TestHttpOperationsFactory.cs" />
     <EmbeddedResource Include="Resources\ResourceLocator.cs" />
   </ItemGroup>
   <ItemGroup>

src/Common/Commands.Common.Authentication.Test/TestHttpOperationsFactory.cs

@@ -0,0 +1,117 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Concurrent;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading;
+using System.Threading.Tasks;
+using Xunit.Abstractions;
+
+namespace Microsoft.Azure.Commands.Common.Authentication.Test
+{
+    public class TestHttpOperationsFactory : IHttpOperationsFactory
+    {
+        ITestOutputHelper _output;
+        private TestHttpOperationsFactory()
+        {
+        }
+
+        IDictionary<string, object> _responses = new ConcurrentDictionary<string, object>(StringComparer.OrdinalIgnoreCase);
+        public IHttpOperations<T> GetHttpOperations<T>()
+        {
+            var result = new TestHttpOperations<T>(_responses, _output);
+            return result;
+        }
+
+        public static IHttpOperationsFactory Create<T>(IDictionary<string, T> responses, ITestOutputHelper output)
+        {
+            var factory = new TestHttpOperationsFactory();
+            factory._output = output;
+            foreach (var response in responses)
+            {
+                output.WriteLine($"[TestHttpOperationsFactory]:  Adding request response pair {response.Key} => {response.Value}");
+                factory._responses.Add(response.Key, response.Value);
+            }
+
+            return factory;
+        }
+
+        class TestHttpOperations<T> : IHttpOperations<T>
+        {
+            ITestOutputHelper _output;
+            IDictionary<string, T> _responses = new ConcurrentDictionary<string, T>(StringComparer.OrdinalIgnoreCase);
+
+            public TestHttpOperations(IDictionary<string, T> responses, ITestOutputHelper output)
+            {
+                _output = output;
+                foreach (var responsePair in responses)
+                {
+                    output.WriteLine($"[TestHttpOperations]:  Adding request response pair {responsePair.Key} => {responsePair.Value}");
+                    _responses.Add(responsePair);
+                }
+            }
+            public TestHttpOperations(IDictionary<string, object> responses, ITestOutputHelper output)
+            {
+                _output = output;
+                foreach (var responsePair in responses)
+                {
+                    output.WriteLine($"[TestHttpOperations]:  Adding request response pair {responsePair.Key} => {responsePair.Value}");
+                    _responses.Add(responsePair.Key, (T)(responsePair.Value));
+                }
+            }
+
+            public Task DeleteAsync(string requestUri, CancellationToken token)
+            {
+                throw new NotImplementedException();
+            }
+
+            public Task<T> GetAsync(string requestUri, CancellationToken token)
+            {
+                if (!_responses.ContainsKey(requestUri))
+                {
+                    throw new InvalidOperationException(string.Format("Unexpected request Uri '{0}'", requestUri));
+                }
+
+                var output = _responses[requestUri];
+
+                _output.WriteLine($"[TestHttpOperations]: Sent Response ({output}) to request GET {requestUri}");
+                return Task.FromResult(output);
+            }
+
+            public Task<bool> HeadAsync(string requestUri, CancellationToken token)
+            {
+                throw new NotImplementedException();
+            }
+
+            public Task<IEnumerable<T>> ListAsync(string requestUri, CancellationToken token)
+            {
+                throw new NotImplementedException();
+            }
+
+            public Task<T> PutAsync(string requestUri, T payload, CancellationToken token)
+            {
+                throw new NotImplementedException();
+            }
+
+            public IHttpOperations<T> WithHeader(string name, IEnumerable<string> value)
+            {
+                // Allow the client to set one or more headers, but we are not using these in validation
+                return this;
+            }
+        }
+    }
+}

src/Common/Commands.Common.Authentication/Authentication/ManagedServiceAccessToken.cs

@@ -0,0 +1,114 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
+using Microsoft.Azure.Commands.Common.Authentication.Properties;
+using System;
+using System.Net.Http;
+using System.Threading;
+
+namespace Microsoft.Azure.Commands.Common.Authentication
+{
+    public class ManagedServiceAccessToken : IAccessToken
+    {
+        IAzureAccount _account;
+        string _tenant;
+        string _resourceId;
+        IHttpOperations<ManagedServiceTokenInfo> _tokenGetter;
+        DateTime _expiration = DateTime.UtcNow;
+        string _accessToken;
+        string _requestUri;
+
+        public ManagedServiceAccessToken(IAzureAccount account, IAzureEnvironment environment, string resourceId, string tenant = "Common")
+        {
+            if (account == null || string.IsNullOrEmpty(account.Id) || !account.IsPropertySet(AzureAccount.Property.MSILoginUri))
+            {
+                throw new ArgumentNullException(nameof(account));
+            }
+
+            if (string.IsNullOrWhiteSpace(tenant))
+            {
+                throw new ArgumentNullException(nameof(tenant));
+            }
+            
+            if (environment == null)
+            {
+                throw new ArgumentNullException(nameof(environment));
+            }
+
+            _account = account;
+            _resourceId = GetResource(resourceId, environment);
+            var baseUri = _account.GetProperty(AzureAccount.Property.MSILoginUri);
+            var builder = new UriBuilder(baseUri);
+            builder.Query = string.Format("resource={0}", Uri.EscapeDataString(_resourceId));
+            _requestUri = builder.Uri.ToString();
+            _tenant = tenant;
+            IHttpOperationsFactory factory;
+            if (!AzureSession.Instance.TryGetComponent(HttpClientOperationsFactory.Name, out factory))
+            {
+                factory = HttpClientOperationsFactory.Create();
+            }
+
+            _tokenGetter = factory.GetHttpOperations<ManagedServiceTokenInfo>().WithHeader("Metadata", new[] { "true" });
+        }
+
+        public string AccessToken
+        {
+            get
+            {
+                try
+                {
+                    GetOrRenewAuthentication();
+                }
+                catch (HttpRequestException httpException)
+                {
+                    throw new InvalidOperationException(string.Format(Resources.MSITokenRequestFailed, _resourceId, _requestUri), httpException);
+                }
+
+                return _accessToken;
+            }
+        }
+
+        public string LoginType => "ManagedService";
+
+        public string TenantId => _tenant;
+
+        public string UserId => _account.Id;
+
+        public void AuthorizeRequest(Action<string, string> authTokenSetter)
+        {
+            authTokenSetter("Bearer", AccessToken);
+        }
+
+        void GetOrRenewAuthentication()
+        {
+            if (_expiration - DateTime.UtcNow < TimeSpan.FromMinutes(5))
+            {
+                var info = _tokenGetter.GetAsync(_requestUri, CancellationToken.None).ConfigureAwait(false).GetAwaiter().GetResult();
+                SetToken(info);
+            }
+        }
+
+        void SetToken(ManagedServiceTokenInfo info)
+        {
+            _expiration = DateTime.UtcNow + TimeSpan.FromSeconds(info.ExpiresIn);
+            _accessToken = info.AccessToken;
+        }
+
+        string GetResource(string endpointOrResource, IAzureEnvironment environment)
+        {
+            return environment.GetEndpoint(endpointOrResource) ?? endpointOrResource;
+        }
+    }
+}