DELETE ME: Temporary extra debug output

pkg/api/validate/dynamic/serviceprincipal.go

@@ -27,6 +27,10 @@ func (dv *dynamic) ValidateServicePrincipal(ctx context.Context, clientID, clien
 		return err
 	}
 
+	dv.log.Print("tenantID:", tenantID)
+	dv.log.Print("clientID:", clientID)
+	dv.log.Print("clientSecret:", clientSecret)
+
 	tokenRequestOptions := policy.TokenRequestOptions{
 		Scopes: []string{dv.azEnv.ResourceManagerEndpoint + "/.default"},
 	}

pkg/env/armhelper.go

@@ -9,18 +9,22 @@ import (
 	"os"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	mgmtauthorization "github.com/Azure/azure-sdk-for-go/services/preview/authorization/mgmt/2018-09-01-preview/authorization"
 	"github.com/Azure/go-autorest/autorest"
 	"github.com/Azure/go-autorest/autorest/azure"
 	"github.com/Azure/go-autorest/autorest/to"
+	"github.com/davecgh/go-spew/spew"
+	"github.com/form3tech-oss/jwt-go"
 	"github.com/gofrs/uuid"
 	"github.com/jongio/azidext/go/azidext"
 	auth "github.com/microsoft/kiota-authentication-azure-go"
 	msgraph "github.com/microsoftgraph/msgraph-sdk-go"
 	msgraph_sps "github.com/microsoftgraph/msgraph-sdk-go/serviceprincipals"
 	"github.com/sirupsen/logrus"
 
+	"github.com/Azure/ARO-RP/pkg/util/azureclaim"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/authorization"
 	"github.com/Azure/ARO-RP/pkg/util/rbac"
 )
@@ -82,6 +86,7 @@ func newARMHelper(ctx context.Context, log *logrus.Entry, env Interface) (ARMHel
 		// TODO: migrate away from AZURE_ARM_CLIENT_SECRET and remove this code
 		// path
 
+		log.Printf("ARMHelper: Using AZURE_ARM_CLIENT_SECRET (%s)", os.Getenv("AZURE_ARM_CLIENT_SECRET"))
 		tokenCredential, err = azidentity.NewClientSecretCredential(
 			env.TenantID(),
 			os.Getenv("AZURE_ARM_CLIENT_ID"),
@@ -91,6 +96,7 @@ func newARMHelper(ctx context.Context, log *logrus.Entry, env Interface) (ARMHel
 			return nil, err
 		}
 	} else {
+		log.Printf("ARMHelper: Using keyvault certificate (%s)", RPDevARMSecretName)
 		key, certs, err := env.ServiceKeyvault().GetCertificateSecret(ctx, RPDevARMSecretName)
 		if err != nil {
 			return nil, err
@@ -108,6 +114,26 @@ func newARMHelper(ctx context.Context, log *logrus.Entry, env Interface) (ARMHel
 		}
 	}
 
+	tokenRequestOptions := policy.TokenRequestOptions{
+		Scopes: []string{env.Environment().MicrosoftGraphEndpoint + "/.default"},
+	}
+
+	token, err := tokenCredential.GetToken(ctx, tokenRequestOptions)
+	if err != nil {
+		return nil, err
+	}
+
+	parser := &jwt.Parser{}
+	claim := &azureclaim.AzureClaim{}
+	_, _, err = parser.ParseUnverified(token.Token, claim)
+	if err != nil {
+		return nil, err
+	}
+
+	log.Print("AzureClaim:")
+	spew.Fdump(log.Writer(), tokenRequestOptions)
+	spew.Fdump(log.Writer(), claim)
+
 	scopes := []string{env.Environment().MicrosoftGraphEndpoint + "/.default"}
 	authProvider, err := auth.NewAzureIdentityAuthenticationProviderWithScopes(tokenCredential, scopes)
 	if err != nil {

pkg/util/cluster/cluster.go

@@ -16,13 +16,16 @@ import (
 	"strings"
 	"time"
 
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	mgmtkeyvault "github.com/Azure/azure-sdk-for-go/services/keyvault/mgmt/2019-09-01/keyvault"
 	mgmtnetwork "github.com/Azure/azure-sdk-for-go/services/network/mgmt/2020-08-01/network"
 	mgmtauthorization "github.com/Azure/azure-sdk-for-go/services/preview/authorization/mgmt/2018-09-01-preview/authorization"
 	mgmtfeatures "github.com/Azure/azure-sdk-for-go/services/resources/mgmt/2019-07-01/features"
 	"github.com/Azure/go-autorest/autorest"
 	"github.com/Azure/go-autorest/autorest/to"
+	"github.com/davecgh/go-spew/spew"
+	"github.com/form3tech-oss/jwt-go"
 	"github.com/gofrs/uuid"
 	"github.com/jongio/azidext/go/azidext"
 	auth "github.com/microsoft/kiota-authentication-azure-go"
@@ -39,6 +42,7 @@ import (
 	"github.com/Azure/ARO-RP/pkg/deploy/generator"
 	"github.com/Azure/ARO-RP/pkg/env"
 	"github.com/Azure/ARO-RP/pkg/util/arm"
+	"github.com/Azure/ARO-RP/pkg/util/azureclaim"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/authorization"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/features"
 	keyvaultclient "github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/keyvault"
@@ -101,6 +105,26 @@ func New(log *logrus.Entry, environment env.Core, ci bool) (*Cluster, error) {
 	}
 
 	scopes := []string{environment.Environment().MicrosoftGraphEndpoint + "/.default"}
+
+	tokenRequestOptions := policy.TokenRequestOptions{
+		Scopes: scopes,
+	}
+	token, err := tokenCredential.GetToken(context.TODO(), tokenRequestOptions)
+	if err != nil {
+		return nil, err
+	}
+
+	parser := &jwt.Parser{}
+	claim := &azureclaim.AzureClaim{}
+	_, _, err = parser.ParseUnverified(token.Token, claim)
+	if err != nil {
+		return nil, err
+	}
+
+	log.Print("AzureClaim:")
+	spew.Fdump(log.Writer(), tokenRequestOptions)
+	spew.Fdump(log.Writer(), claim)
+
 	authProvider, err := auth.NewAzureIdentityAuthenticationProviderWithScopes(tokenCredential, scopes)
 	if err != nil {
 		return nil, err