diff --git a/.github/workflows/auth-tests.yml b/.github/workflows/auth-tests.yml
index c746ffba..27b35938 100644
--- a/.github/workflows/auth-tests.yml
+++ b/.github/workflows/auth-tests.yml
@@ -7,9 +7,18 @@ on:
- "auth/**.go"
- ".github/workflows/auth-tests.yml"
+env:
+ AZURE_ENVIRONMENT: ${{ secrets.AZURE_ENVIRONMENT }}
+ CLIENT_ID: ${{ secrets.AUTH_CLIENT_ID }}
+ CLIENT_CERTIFICATE: ${{ secrets.AUTH_CLIENT_CERTIFICATE }}
+ CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.AUTH_CLIENT_CERTIFICATE_PASSWORD }}
+ CLIENT_SECRET: ${{ secrets.AUTH_CLIENT_SECRET }}
+ MSI_TOKEN: ${{ secrets.AUTH_MSI_TOKEN }}
+ TENANT_ID: ${{ secrets.TENANT_ID }}
+
jobs:
test-auth:
- runs-on: self-hosted
+ runs-on: ubuntu-latest
strategy:
fail-fast: true
steps:
@@ -19,7 +28,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v2
with:
- go-version: 1.16.4
+ go-version: 1.17.6
- name: Checkout
uses: actions/checkout@v2
diff --git a/.github/workflows/environments-tests.yml b/.github/workflows/environments-tests.yml
index 29b75aca..54badafd 100644
--- a/.github/workflows/environments-tests.yml
+++ b/.github/workflows/environments-tests.yml
@@ -16,7 +16,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v2
with:
- go-version: 1.16.4
+ go-version: 1.17.6
- name: Checkout
uses: actions/checkout@v2
diff --git a/.github/workflows/github-auth-tests.yml b/.github/workflows/github-auth-tests.yml
index 1519fb3a..96579efd 100644
--- a/.github/workflows/github-auth-tests.yml
+++ b/.github/workflows/github-auth-tests.yml
@@ -35,7 +35,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v2
with:
- go-version: 1.16.4
+ go-version: 1.17.6
- name: Checkout
uses: actions/checkout@v2
diff --git a/.github/workflows/golint.yml b/.github/workflows/golint.yml
index 3fd62e68..6328e570 100644
--- a/.github/workflows/golint.yml
+++ b/.github/workflows/golint.yml
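Review bot: The new workflow-level `env:` block in the first auth-tests.yml hunk exposes CLIENT_SECRET, CLIENT_CERTIFICATE, CLIENT_CERTIFICATE_PASSWORD and MSI_TOKEN to every step of every job, including the `actions/setup-go@v2` and `actions/checkout@v2` steps that have no use for them. The msgraph-tests.yml change later in this same commit puts the equivalent `env:` on the `go test` step instead, and that shape would work here so only the test step can read the credentials. The job also moves from `self-hosted` to `ubuntu-latest`; since the MSI path is documented in auth/auth.go as using the Azure Metadata Service, it presumably cannot be exercised on a GitHub-hosted runner, so the MSI_TOKEN mapping may be dead here — worth confirming. The `on:` triggers for this workflow are outside the hunk.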
@@ -16,9 +16,9 @@ jobs:
- uses: actions/checkout@v2
- uses: actions/setup-go@v2
with:
- go-version: "1.16.4"
+ go-version: "1.17.6"
- uses: golangci/golangci-lint-action@v2
with:
- version: "v1.41"
+ version: "v1.44"
# vim: set ts=2 sts=2 sw=2 et:
diff --git a/.github/workflows/msgraph-tests.yml b/.github/workflows/msgraph-tests.yml
index ef97eb3a..a72a6438 100644
--- a/.github/workflows/msgraph-tests.yml
+++ b/.github/workflows/msgraph-tests.yml
@@ -7,21 +7,30 @@ on:
- "msgraph/**.go"
- ".github/workflows/msgraph-tests.yml"
+permissions:
+ contents: 'read'
+ id-token: 'write'
+
jobs:
test-msgraph:
- runs-on: self-hosted
+ runs-on: ubuntu-latest
strategy:
fail-fast: true
steps:
- name: Install Go
uses: actions/setup-go@v2
with:
- go-version: 1.16.4
+ go-version: 1.17.6
- name: Checkout
uses: actions/checkout@v2
- name: Test
run: go test -count=1 -race -v ./msgraph
+ env:
+ AZURE_ENVIRONMENT: ${{ secrets.AZURE_ENVIRONMENT }}
+ CLIENT_ID: ${{ secrets.CLIENT_ID }}
+ TENANT_ID: ${{ secrets.TENANT_ID }}
+ TENANT_DOMAIN: ${{ secrets.TENANT_DOMAIN }}
# vim: set ts=2 sts=2 sw=2 et:
diff --git a/.github/workflows/odata-tests.yml b/.github/workflows/odata-tests.yml
index 28004e40..7e87da0e 100644
--- a/.github/workflows/odata-tests.yml
+++ b/.github/workflows/odata-tests.yml
@@ -16,7 +16,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v2
with:
- go-version: 1.16.4
+ go-version: 1.17.6
- name: Checkout
uses: actions/checkout@v2
diff --git a/.github/workflows/scheduled-cleanup.yml b/.github/workflows/scheduled-cleanup.yml
index e4e997be..f210abb0 100644
--- a/.github/workflows/scheduled-cleanup.yml
+++ b/.github/workflows/scheduled-cleanup.yml
@@ -13,7 +13,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@v2
with:
- go-version: 1.16.4
+ go-version: 1.17.6
- name: Checkout
uses: actions/checkout@v2
diff --git a/auth/auth.go b/auth/auth.go
index 03c36553..593bd1f0 100644
--- a/auth/auth.go
+++ b/auth/auth.go
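Review bot: The new `permissions:` block in msgraph-tests.yml grants `id-token: write` at workflow level, so every step in the job — including `actions/setup-go@v2` and `actions/checkout@v2`, both referenced by a mutable tag rather than a commit SHA — runs with the ability to request an OIDC token that the Azure federated credential for this repository will accept. Pinning those two actions to full commit SHAs bounds what a moved or hijacked tag could do with that grant, and placing the block under `test-msgraph:` instead of at the top level keeps any job added to this file later from inheriting it. The step-scoped `env:` on the Test step is the right shape for the secrets.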
@@ -25,6 +25,8 @@ type Authorizer interface {
// Authorizers are selected for authentication methods in the following preferential order:
// - Client certificate authentication
// - Client secret authentication
+// - GitHub OIDC authentication
+// - MSI authentication
// - Azure CLI authentication
//
// Whether one of these is returned depends on whether it is enabled in the Config, and whether sufficient
@@ -32,6 +34,7 @@ type Authorizer interface {
//
// For client certificate authentication, specify TenantID, ClientID and ClientCertData / ClientCertPath.
// For client secret authentication, specify TenantID, ClientID and ClientSecret.
+// For GitHub OIDC authentication, specify TenantID, ClientID, IDTokenRequestURL and IDTokenRequestToken.
// MSI authentication (if enabled) using the Azure Metadata Service is then attempted
// Azure CLI authentication (if enabled) is attempted last
//
@@ -59,6 +62,16 @@ func (c *Config) NewAuthorizer(ctx context.Context, api environments.Api) (Autho
}
}
+ if c.EnableGitHubOIDCAuth {
+ a, err := NewGitHubOIDCAuthorizer(context.Background(), c.Environment, api, c.TenantID, c.AuxiliaryTenantIDs, c.ClientID, c.IDTokenRequestURL, c.IDTokenRequestToken)
+ if err != nil {
+ return nil, fmt.Errorf("could not configure GitHubOIDC Authorizer: %s", err)
+ }
+ if a != nil {
+ return a, nil
+ }
+ }
+
if c.EnableMsiAuth {
a, err := NewMsiAuthorizer(ctx, api, c.MsiEndpoint, c.ClientID)
if err != nil {
diff --git a/auth/config.go b/auth/config.go
index 4e1a7706..426a66a3 100644
--- a/auth/config.go
+++ b/auth/config.go
@@ -53,4 +53,13 @@ type Config struct {
// Specifies the password to authenticate with using client secret authentication
ClientSecret string
+
+ // Enables GitHub OIDC authentication
+ EnableGitHubOIDCAuth bool
+
+ // The URL for GitHub's OIDC provider
+ IDTokenRequestURL string
+
+ // The bearer token for the request to GitHub's OIDC provider
+ IDTokenRequestToken string
}
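Review bot: The new GitHub OIDC branch in NewAuthorizer calls `NewGitHubOIDCAuthorizer(context.Background(), ...)` while the MSI branch directly below it passes the method's `ctx`, so any cancellation or deadline the caller attached is dropped for the request to GitHub's OIDC endpoint; the call should read `a, err := NewGitHubOIDCAuthorizer(ctx, c.Environment, api, c.TenantID, c.AuxiliaryTenantIDs, c.ClientID, c.IDTokenRequestURL, c.IDTokenRequestToken)`. The error is formatted with `%s`, which hides the underlying error from `errors.Is`/`errors.As`; `%w` would preserve it, provided the sibling branches are changed the same way (their format lines are outside the hunk). NewAuthorizer starts and ends outside the hunk.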
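Review bot: The new comments on IDTokenRequestURL and IDTokenRequestToken in config.go do not say that the token is a credential or where either value comes from, although internal/test/testing.go in this same commit reads them from `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN`, the variables GitHub Actions populates for a job. I would write `// The bearer token for the request to GitHub's OIDC provider. GitHub Actions supplies it via ACTIONS_ID_TOKEN_REQUEST_TOKEN; treat it as a secret and keep it out of logs.` on the token field and mention ACTIONS_ID_TOKEN_REQUEST_URL in the same way on the URL field. The Config struct begins outside the hunk.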
diff --git a/auth/github.go b/auth/github.go
index 05441284..48cbf6b8 100644
--- a/auth/github.go
+++ b/auth/github.go
@@ -27,7 +27,7 @@ type GitHubOIDCConfig struct {
// ClientID is the application's ID.
ClientID string
- // IDTokenRequestURL is URL for GitHub's OIDC provider.
+ // IDTokenRequestURL is the URL for GitHub's OIDC provider.
IDTokenRequestURL string
// IDTokenRequestToken is the bearer token for the request to the OIDC provider.
diff --git a/auth/msi.go b/auth/msi.go
index 02783d00..ab3f1a47 100644
--- a/auth/msi.go
+++ b/auth/msi.go
@@ -146,7 +146,7 @@ func azureMetadata(ctx context.Context, url string) (body []byte, err error) {
}
defer resp.Body.Close()
if c := resp.StatusCode; c < 200 || c > 299 {
- err = fmt.Errorf("received HTTP status %d", resp.StatusCode)
+ err = fmt.Errorf("received HTTP status %d with body: %s", resp.StatusCode, body)
return
}
return
diff --git a/internal/test/testing.go b/internal/test/testing.go
index 54cb61ad..029e779e 100644
--- a/internal/test/testing.go
+++ b/internal/test/testing.go
@@ -31,6 +31,8 @@ var (
clientCertPassword = os.Getenv("CLIENT_CERTIFICATE_PASSWORD")
clientSecret = os.Getenv("CLIENT_SECRET")
environment = os.Getenv("AZURE_ENVIRONMENT")
+ idTokenRequestUrl = os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL")
+ idTokenRequestToken = os.Getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN")
retryMax = envDefault("RETRY_MAX", "14")
)
@@ -57,9 +59,12 @@ func NewConnection(tokenVersion auth.TokenVersion) *Connection {
ClientCertPath: clientCertificatePath,
ClientCertPassword: clientCertPassword,
ClientSecret: clientSecret,
+ IDTokenRequestURL: idTokenRequestUrl,
+ IDTokenRequestToken: idTokenRequestToken,
EnableClientCertAuth: true,
EnableClientSecretAuth: true,
EnableAzureCliToken: true,
+ EnableGitHubOIDCAuth: true,
},
DomainName: tenantDomain,
}
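Review bot: The new error line in azureMetadata interpolates the whole response `body` with `%s`, so whatever the metadata endpoint returned on a non-2xx status — unbounded in length and, if the endpoint is misconfigured or not the real IMDS, arbitrary content — lands verbatim in an error string that callers will typically log. Bounding it keeps the diagnostic while capping what reaches logs, e.g. `snippet := body` / `if len(snippet) > 512 { snippet = snippet[:512] }` and then formatting `snippet` instead of `body`. The path also still returns the populated named result `body` alongside a non-nil `err`; `body = nil` before the `return` stops a caller from using a failed response as data. Whether `body` has been read at this point is decided outside the hunk, and azureMetadata starts and ends outside it.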
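Review bot: `idTokenRequestUrl` in the testing.go var block breaks the initialism casing that Go code conventionally uses and that the `IDTokenRequestURL` field it is assigned to in the NewConnection hunk follows; `idTokenRequestURL = os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL")` keeps the two consistent, with the matching rename at the `IDTokenRequestURL: idTokenRequestURL,` line in NewConnection. The same name appears in both testing.go hunks, so both need the change.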
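Review bot: `EnableGitHubOIDCAuth: true` in NewConnection is unconditional, so every test run outside GitHub Actions hands an empty URL and token to the OIDC authorizer before falling through to the other methods. The `if a != nil` check in auth.go's new branch suggests NewGitHubOIDCAuthorizer returns nil when unconfigured, but that is not visible on this page; gating it with `EnableGitHubOIDCAuth: idTokenRequestUrl != "" && idTokenRequestToken != "",` makes the intent explicit either way. NewConnection starts and ends outside the hunk.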