manicminer · manicminer · Jan 31, 2022 · Jan 30, 2022 · Jan 30, 2022 · Jan 30, 2022
diff --git a/.github/workflows/auth-tests.yml b/.github/workflows/auth-tests.yml
@@ -7,9 +7,18 @@ on:
       - "auth/**.go"
       - ".github/workflows/auth-tests.yml"
 
+env:
+  AZURE_ENVIRONMENT: ${{ secrets.AZURE_ENVIRONMENT }}
+  CLIENT_ID: ${{ secrets.AUTH_CLIENT_ID }}
+  CLIENT_CERTIFICATE: ${{ secrets.AUTH_CLIENT_CERTIFICATE }}
+  CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.AUTH_CLIENT_CERTIFICATE_PASSWORD }}
+  CLIENT_SECRET: ${{ secrets.AUTH_CLIENT_SECRET }}
+  MSI_TOKEN: ${{ secrets.AUTH_MSI_TOKEN }}
+  TENANT_ID: ${{ secrets.TENANT_ID }}
+
 jobs:
   test-auth:
-    runs-on: self-hosted
+    runs-on: ubuntu-latest
     strategy:
       fail-fast: true
     steps:
@@ -19,7 +28,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.16.4
+          go-version: 1.17.6
 
       - name: Checkout
         uses: actions/checkout@v2

diff --git a/.github/workflows/environments-tests.yml b/.github/workflows/environments-tests.yml
@@ -16,7 +16,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.16.4
+          go-version: 1.17.6
 
       - name: Checkout
         uses: actions/checkout@v2

diff --git a/.github/workflows/github-auth-tests.yml b/.github/workflows/github-auth-tests.yml
@@ -35,7 +35,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.16.4
+          go-version: 1.17.6
 
       - name: Checkout
         uses: actions/checkout@v2

diff --git a/.github/workflows/golint.yml b/.github/workflows/golint.yml
@@ -16,9 +16,9 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/setup-go@v2
         with:
-          go-version: "1.16.4"
+          go-version: "1.17.6"
       - uses: golangci/golangci-lint-action@v2
         with:
-          version: "v1.41"
+          version: "v1.44"
 
 # vim: set ts=2 sts=2 sw=2 et:
diff --git a/.github/workflows/msgraph-tests.yml b/.github/workflows/msgraph-tests.yml
@@ -7,21 +7,30 @@ on:
       - "msgraph/**.go"
       - ".github/workflows/msgraph-tests.yml"
 
+permissions:
+  contents: 'read'
+  id-token: 'write'
+
 jobs:
   test-msgraph:
-    runs-on: self-hosted
+    runs-on: ubuntu-latest
     strategy:
       fail-fast: true
     steps:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.16.4
+          go-version: 1.17.6
 
       - name: Checkout
         uses: actions/checkout@v2
 
       - name: Test
         run: go test -count=1 -race -v ./msgraph
+        env:
+          AZURE_ENVIRONMENT: ${{ secrets.AZURE_ENVIRONMENT }}
+          CLIENT_ID: ${{ secrets.CLIENT_ID }}
+          TENANT_ID: ${{ secrets.TENANT_ID }}
+          TENANT_DOMAIN: ${{ secrets.TENANT_DOMAIN }}
 
 # vim: set ts=2 sts=2 sw=2 et:
diff --git a/.github/workflows/odata-tests.yml b/.github/workflows/odata-tests.yml
@@ -16,7 +16,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.16.4
+          go-version: 1.17.6
 
       - name: Checkout
         uses: actions/checkout@v2

diff --git a/.github/workflows/scheduled-cleanup.yml b/.github/workflows/scheduled-cleanup.yml
@@ -13,7 +13,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.16.4
+          go-version: 1.17.6
 
       - name: Checkout
         uses: actions/checkout@v2

diff --git a/auth/auth.go b/auth/auth.go
@@ -25,13 +25,16 @@ type Authorizer interface {
 // Authorizers are selected for authentication methods in the following preferential order:
 // - Client certificate authentication
 // - Client secret authentication
+// - GitHub OIDC authentication
+// - MSI authentication
 // - Azure CLI authentication
 //
 // Whether one of these is returned depends on whether it is enabled in the Config, and whether sufficient
 // configuration fields are set to enable that authentication method.
 //
 // For client certificate authentication, specify TenantID, ClientID and ClientCertData / ClientCertPath.
 // For client secret authentication, specify TenantID, ClientID and ClientSecret.
+// For GitHub OIDC authentication, specify TenantID, ClientID, IDTokenRequestURL and IDTokenRequestToken.
 // MSI authentication (if enabled) using the Azure Metadata Service is then attempted
 // Azure CLI authentication (if enabled) is attempted last
 //
@@ -59,6 +62,16 @@ func (c *Config) NewAuthorizer(ctx context.Context, api environments.Api) (Autho
 		}
 	}
 
+	if c.EnableGitHubOIDCAuth {
+		a, err := NewGitHubOIDCAuthorizer(context.Background(), c.Environment, api, c.TenantID, c.AuxiliaryTenantIDs, c.ClientID, c.IDTokenRequestURL, c.IDTokenRequestToken)
+		if err != nil {
+			return nil, fmt.Errorf("could not configure GitHubOIDC Authorizer: %s", err)
+		}
+		if a != nil {
+			return a, nil
+		}
+	}
+
 	if c.EnableMsiAuth {
 		a, err := NewMsiAuthorizer(ctx, api, c.MsiEndpoint, c.ClientID)
 		if err != nil {

diff --git a/auth/config.go b/auth/config.go
@@ -53,4 +53,13 @@ type Config struct {
 
 	// Specifies the password to authenticate with using client secret authentication
 	ClientSecret string
+
+	// Enables GitHub OIDC authentication
+	EnableGitHubOIDCAuth bool
+
+	// The URL for GitHub's OIDC provider
+	IDTokenRequestURL string
+
+	// The bearer token for the request to GitHub's OIDC provider
+	IDTokenRequestToken string
 }
diff --git a/auth/github.go b/auth/github.go
@@ -27,7 +27,7 @@ type GitHubOIDCConfig struct {
 	// ClientID is the application's ID.
 	ClientID string
 
-	// IDTokenRequestURL is URL for GitHub's OIDC provider.
+	// IDTokenRequestURL is the URL for GitHub's OIDC provider.
 	IDTokenRequestURL string
 
 	// IDTokenRequestToken is the bearer token for the request to the OIDC provider.

diff --git a/auth/msi.go b/auth/msi.go
@@ -146,7 +146,7 @@ func azureMetadata(ctx context.Context, url string) (body []byte, err error) {
 	}
 	defer resp.Body.Close()
 	if c := resp.StatusCode; c < 200 || c > 299 {
-		err = fmt.Errorf("received HTTP status %d", resp.StatusCode)
+		err = fmt.Errorf("received HTTP status %d with body: %s", resp.StatusCode, body)
 		return
 	}
 	return

diff --git a/internal/test/testing.go b/internal/test/testing.go
@@ -31,6 +31,8 @@ var (
 	clientCertPassword    = os.Getenv("CLIENT_CERTIFICATE_PASSWORD")
 	clientSecret          = os.Getenv("CLIENT_SECRET")
 	environment           = os.Getenv("AZURE_ENVIRONMENT")
+	idTokenRequestUrl     = os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL")
+	idTokenRequestToken   = os.Getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN")
 	retryMax              = envDefault("RETRY_MAX", "14")
 )
 
@@ -57,9 +59,12 @@ func NewConnection(tokenVersion auth.TokenVersion) *Connection {
 			ClientCertPath:         clientCertificatePath,
 			ClientCertPassword:     clientCertPassword,
 			ClientSecret:           clientSecret,
+			IDTokenRequestURL:      idTokenRequestUrl,
+			IDTokenRequestToken:    idTokenRequestToken,
 			EnableClientCertAuth:   true,
 			EnableClientSecretAuth: true,
 			EnableAzureCliToken:    true,
+			EnableGitHubOIDCAuth:   true,
 		},
 		DomainName: tenantDomain,
 	}