Merge pull request Azure#1809 from markcowl/refactor

Moving Common.Authentication into the repo

Author: markcowl

setup/azurecmdfiles.wxi

@@ -0,0 +1,94 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+
+namespace Microsoft.Azure.Commands.Common.Authentication
+{
+    /// <summary>
+    /// Base class representing an exception that occurs when
+    /// authenticating against Azure Active Directory
+    /// </summary>
+    [Serializable]
+    public abstract class AadAuthenticationException : Exception
+    {
+        protected AadAuthenticationException()
+        {
+        }
+
+        protected AadAuthenticationException(string message) : base(message)
+        {
+        }
+
+        protected AadAuthenticationException(string message, Exception innerException) : base(message, innerException)
+        {
+        }
+    }
+
+    /// <summary>
+    /// Exception that gets thrown when the user explicitly
+    /// cancels an authentication operation.
+    /// </summary>
+    [Serializable]
+    public class AadAuthenticationCanceledException : AadAuthenticationException
+    {
+        public AadAuthenticationCanceledException(string message, Exception innerException) : base(message, innerException)
+        {
+        }
+    }
+
+    /// <summary>
+    /// Exception that gets thrown when the ADAL library
+    /// is unable to authenticate without a popup dialog.
+    /// </summary>
+    [Serializable]
+    public class AadAuthenticationFailedWithoutPopupException : AadAuthenticationException
+    {
+        public AadAuthenticationFailedWithoutPopupException(string message, Exception innerException)
+            : base(message, innerException)
+        {
+        }
+    }
+
+    /// <summary>
+    /// Exception that gets thrown if an authentication operation
+    /// fails on the server.
+    /// </summary>
+    [Serializable]
+    public class AadAuthenticationFailedException : AadAuthenticationException
+    {
+        public AadAuthenticationFailedException(string message, Exception innerException) : base(message, innerException)
+        {
+        }
+    }
+
+    /// <summary>
+    /// Exception thrown if a refresh token has expired.
+    /// </summary>
+    [Serializable]
+    public class AadAuthenticationCantRenewException : AadAuthenticationException
+    {
+        public AadAuthenticationCantRenewException()
+        {
+        }
+
+        public AadAuthenticationCantRenewException(string message) : base(message)
+        {
+        }
+
+        public AadAuthenticationCantRenewException(string message, Exception innerException) : base(message, innerException)
+        {
+        }
+    }
+}

src/Common/Commands.Common.Authentication/Authentication/AadAuthenticationException.cs

@@ -0,0 +1,50 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace Microsoft.Azure.Commands.Common.Authentication
+{
+    public class AccessTokenCredential : SubscriptionCloudCredentials
+    {
+        private readonly Guid subscriptionId;
+        private readonly IAccessToken token;
+
+        public AccessTokenCredential(Guid subscriptionId, IAccessToken token)
+        {
+            this.subscriptionId = subscriptionId;
+            this.token = token;
+            this.TenantID = token.TenantId;
+        }
+        
+        public override Task ProcessHttpRequestAsync(HttpRequestMessage request, CancellationToken cancellationToken)
+        {
+            token.AuthorizeRequest((tokenType, tokenValue) => {
+                request.Headers.Authorization = new AuthenticationHeaderValue(tokenType, tokenValue);
+            });
+            return base.ProcessHttpRequestAsync(request, cancellationToken);
+        }
+
+        public override string SubscriptionId
+        {
+            get { return subscriptionId.ToString(); }
+        }
+
+        public string TenantID { get; set; }
+    }
+}

src/Common/Commands.Common.Authentication/Authentication/AccessTokenCredential.cs

@@ -0,0 +1,63 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.IdentityModel.Clients.ActiveDirectory;
+using System;
+
+namespace Microsoft.Azure.Commands.Common.Authentication
+{
+    /// <summary>
+    /// Class storing the configuration information needed
+    /// for ADAL to request token from the right AD tenant
+    /// depending on environment.
+    /// </summary>
+    public class AdalConfiguration
+    {
+        //
+        // These constants define the default values to use for AD authentication
+        // against RDFE
+        //
+        public const string PowerShellClientId = "1950a258-227b-4e31-a9cf-717495945fc2";          
+
+        public static readonly Uri PowerShellRedirectUri = new Uri("urn:ietf:wg:oauth:2.0:oob");
+
+        // ID for site to pass to enable EBD (email-based differentiation)
+        // This gets passed in the call to get the azure branding on the
+        // login window. Also adding popup flag to handle overly large login windows.
+        public const string EnableEbdMagicCookie = "site_id=501358&display=popup";
+
+        public string AdEndpoint { get;set; }
+
+        public bool ValidateAuthority { get; set; }
+
+        public string AdDomain { get; set; }
+
+        public string ClientId { get; set; }
+
+        public Uri ClientRedirectUri { get; set; }
+
+        public string ResourceClientUri { get; set; }
+
+        public TokenCache TokenCache { get; set; }
+
+        public AdalConfiguration()
+        {
+            ClientId = PowerShellClientId;
+            ClientRedirectUri = PowerShellRedirectUri;
+            ValidateAuthority = true;
+            AdEndpoint = string.Empty;
+            ResourceClientUri = "https://management.core.windows.net/";
+        }
+    }
+}

src/Common/Commands.Common.Authentication/Authentication/AdalConfiguration.cs

@@ -0,0 +1,68 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.Common.Authentication.Models;
+using Microsoft.Azure.Commands.Common.Authentication.Properties;
+using System;
+using System.Security;
+using System.Windows.Forms;
+
+namespace Microsoft.Azure.Commands.Common.Authentication
+{
+    /// <summary>
+    /// A token provider that uses ADAL to retrieve
+    /// tokens from Azure Active Directory
+    /// </summary>
+    public class AdalTokenProvider : ITokenProvider
+    {
+        private readonly ITokenProvider userTokenProvider;
+        private readonly ITokenProvider servicePrincipalTokenProvider;
+
+        public AdalTokenProvider()
+            : this(new ConsoleParentWindow())
+        {
+        }
+
+        public AdalTokenProvider(IWin32Window parentWindow)
+        {
+            this.userTokenProvider = new UserTokenProvider(parentWindow);
+            servicePrincipalTokenProvider = new ServicePrincipalTokenProvider();
+        }
+
+        public IAccessToken GetAccessToken(AdalConfiguration config, ShowDialog promptBehavior, string userId, SecureString password,
+            AzureAccount.AccountType credentialType)
+        {
+            switch (credentialType)
+            {
+                case AzureAccount.AccountType.User:
+                    return userTokenProvider.GetAccessToken(config, promptBehavior, userId, password, credentialType);
+                case AzureAccount.AccountType.ServicePrincipal:
+                    return servicePrincipalTokenProvider.GetAccessToken(config, promptBehavior, userId, password, credentialType);
+                default:
+                    throw new ArgumentException(Resources.UnknownCredentialType, "credentialType");
+            }
+        }
+
+        public IAccessToken GetAccessTokenWithCertificate(AdalConfiguration config, string clientId, string certificate, AzureAccount.AccountType credentialType)
+        {
+            switch (credentialType)
+            {
+                case AzureAccount.AccountType.ServicePrincipal:
+                    return servicePrincipalTokenProvider.GetAccessTokenWithCertificate(config, clientId, certificate, credentialType);
+                default:
+                    throw new ArgumentException(string.Format(Resources.UnsupportedCredentialType, credentialType), "credentialType");
+            }
+        }
+    }
+}

src/Common/Commands.Common.Authentication/Authentication/AdalTokenProvider.cs

@@ -0,0 +1,60 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.IdentityModel.Clients.ActiveDirectory;
+using Microsoft.Rest.Azure.Authentication;
+using System.Security;
+using System.Security.Cryptography.X509Certificates;
+using System.Threading.Tasks;
+
+namespace Microsoft.Azure.Commands.Common.Authentication
+{
+    /// <summary>
+    /// Interface to the certificate store for authentication
+    /// </summary>
+    internal sealed class CertificateApplicationCredentialProvider : IApplicationAuthenticationProvider
+    {
+        private string _certificateThumbprint;
+
+        /// <summary>
+        /// Create a certificate provider
+        /// </summary>
+        /// <param name="certificateThumbprint"></param>
+        public CertificateApplicationCredentialProvider(string certificateThumbprint)
+        {
+            this._certificateThumbprint = certificateThumbprint;
+        }
+        
+        /// <summary>
+        /// Authenticate using certificate thumbprint from the datastore 
+        /// </summary>
+        /// <param name="clientId">The active directory client id for the application.</param>
+        /// <param name="audience">The intended audience for authentication</param>
+        /// <param name="context">The AD AuthenticationContext to use</param>
+        /// <returns></returns>
+        public async Task<AuthenticationResult> AuthenticateAsync(string clientId, string audience, AuthenticationContext context)
+        {
+            var task = new Task<X509Certificate2>(() =>
+            {
+                return  AzureSession.DataStore.GetCertificate(this._certificateThumbprint);
+            });
+            task.Start();
+            var certificate = await task.ConfigureAwait(false);
+
+            return await context.AcquireTokenAsync(
+                audience,
+                new ClientAssertionCertificate(clientId, certificate));
+        }
+    }
+}

src/Common/Commands.Common.Authentication/Authentication/CertificateApplicationCredentialProvider.cs

@@ -0,0 +1,35 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Runtime.InteropServices;
+using System.Windows.Forms;
+
+namespace Microsoft.Azure.Commands.Common.Authentication
+{
+    /// <summary>
+    /// An implementation of <see cref="IWin32Window"/> that gives the
+    /// windows handle for the current console window.
+    /// </summary>
+    public class ConsoleParentWindow : IWin32Window
+    {
+        public IntPtr Handle { get { return NativeMethods.GetConsoleWindow(); } }
+
+        static class NativeMethods
+        {
+            [DllImport("kernel32.dll")]
+            public static extern IntPtr GetConsoleWindow();
+        }
+    }
+}