Merge branch 'ssteiner-add_ClientCredentialAuthentication'

Author: JDetmar

src/NLog.Extensions.AzureBlobStorage/BlobStorageTarget.cs

@@ -68,6 +68,16 @@ public sealed class BlobStorageTarget : AsyncTaskTarget
         /// </summary>
         public Layout AccessKey { get; set; }
 
+        /// <summary>
+        /// Alternative to ConnectionString. Instantiates the <see cref="BlobServiceClient"/> using a <see cref="Azure.Identity.ClientSecretCredential"/> with this value as ClientId for authentication. Requires <see cref="TenantIdentity"/> and <see cref="ClientSecret"/> to be set.
+        /// </summary>
+        public Layout ClientId { get; set; }
+
+        /// <summary>
+        /// Secret when using when using <see cref="ClientId"/>. Instantiates the <see cref="BlobServiceClient"/> using a <see cref="Azure.Identity.ClientSecretCredential"/> for authentication. Requires <see cref="TenantIdentity"/> and <see cref="ClientId"/> to be set.
+        /// </summary>
+        public Layout ClientSecret { get; set; }
+
         [RequiredParameter]
         public Layout Container { get; set; }
 
@@ -120,6 +130,8 @@ protected override void InitializeTarget()
             string sharedAccessSignature = string.Empty;
             string storageAccountName = string.Empty;
             string storageAccountAccessKey = string.Empty;
+            string clientId = string.Empty;
+            string clientSecret = string.Empty;
 
             Dictionary<string, string> blobMetadata = null;
             Dictionary<string, string> blobTags = null;
@@ -138,6 +150,8 @@ protected override void InitializeTarget()
                     sharedAccessSignature = SharedAccessSignature?.Render(defaultLogEvent);
                     storageAccountName = AccountName?.Render(defaultLogEvent);
                     storageAccountAccessKey = AccessKey?.Render(defaultLogEvent);
+                    clientId = ClientId?.Render(defaultLogEvent);
+                    clientSecret = ClientSecret?.Render(defaultLogEvent);
                 }
 
                 if (BlobMetadata?.Count > 0)
@@ -169,7 +183,7 @@ protected override void InitializeTarget()
                     }
                 }
 
-                _cloudBlobService.Connect(connectionString, serviceUri, tenantIdentity, resourceIdentifier, clientIdentity, sharedAccessSignature, storageAccountName, storageAccountAccessKey, blobMetadata, blobTags);
+                _cloudBlobService.Connect(connectionString, serviceUri, tenantIdentity, resourceIdentifier, clientIdentity, sharedAccessSignature, storageAccountName, storageAccountAccessKey, clientId, clientSecret, blobMetadata, blobTags);
                 InternalLogger.Debug("AzureBlobStorageTarget(Name={0}): Initialized", Name);
             }
             catch (Exception ex)
@@ -376,7 +390,7 @@ class CloudBlobService : ICloudBlobService
             private AppendBlobClient _appendBlob;
             private BlobContainerClient _container;
 
-            public void Connect(string connectionString, string serviceUri, string tenantIdentity, string resourceIdentifier, string clientIdentity, string sharedAccessSignature, string storageAccountName, string storageAccountAccessKey, IDictionary<string, string> blobMetadata, IDictionary<string, string> blobTags)
+            public void Connect(string connectionString, string serviceUri, string tenantIdentity, string resourceIdentifier, string clientIdentity, string sharedAccessSignature, string storageAccountName, string storageAccountAccessKey, string clientId, string clientSecret, IDictionary<string, string> blobMetadata, IDictionary<string, string> blobTags)
             {
                 _blobMetadata = blobMetadata?.Count > 0 ? blobMetadata : null;
                 _blobTags = blobTags?.Count > 0 ? blobTags : null;
@@ -393,6 +407,11 @@ public void Connect(string connectionString, string serviceUri, string tenantIde
                 {
                     _client = new BlobServiceClient(new Uri(serviceUri), new Azure.Storage.StorageSharedKeyCredential(storageAccountName, storageAccountAccessKey));
                 }
+                else if (!string.IsNullOrEmpty(clientId) && !string.IsNullOrEmpty(clientSecret) && !string.IsNullOrEmpty(tenantIdentity))
+                {
+                    var tokenCredentials = new Azure.Identity.ClientSecretCredential(tenantIdentity, clientId, clientSecret);
+                    _client = new BlobServiceClient(new Uri(serviceUri), tokenCredentials);
+                }
                 else
                 {
                     var tokenCredentials = AzureCredentialHelpers.CreateTokenCredentials(clientIdentity, tenantIdentity, resourceIdentifier);

src/NLog.Extensions.AzureBlobStorage/ICloudBlobService.cs

@@ -9,7 +9,7 @@ namespace NLog.Extensions.AzureStorage
 {
     interface ICloudBlobService
     {
-        void Connect(string connectionString, string serviceUri, string tenantIdentity, string resourceIdentifier, string clientIdentity, string sharedAccessSignature, string storageAccountName, string storageAccountAccessKey, IDictionary<string, string> blobMetadata, IDictionary<string, string> blobTags);
+        void Connect(string connectionString, string serviceUri, string tenantIdentity, string resourceIdentifier, string clientIdentity, string sharedAccessSignature, string storageAccountName, string storageAccountAccessKey, string clientId, string clientSecret, IDictionary<string, string> blobMetadata, IDictionary<string, string> blobTags);
         Task AppendFromByteArrayAsync(string containerName, string blobName, string contentType, byte[] buffer, CancellationToken cancellationToken);
     }
 }

src/NLog.Extensions.AzureBlobStorage/README.md

@@ -45,14 +45,18 @@ _clientIdentity_ - Alternative to ConnectionString. Used together with ServiceUr
 
 _resourceIdentity_ - Alternative to ConnectionString. Used together with ServiceUri. Input for DefaultAzureCredential as ManagedIdentityResourceId.
 
-_tenantIdentity_ - Alternative to ConnectionString. Used together with ServiceUri. Input for DefaultAzureCredential.
+_tenantIdentity_ - Alternative to ConnectionString. Used together with ServiceUri. Input for DefaultAzureCredential / ClientSecretCredential.
 
 _sharedAccessSignature_ - Alternative to ConnectionString. Used together with ServiceUri. Input for AzureSasCredential
 
 _accountName_ - Alternative to ConnectionString. Used together with ServiceUri. Input for StorageSharedKeyCredential-AccountName
 
 _accessKey_ - Alternative to ConnectionString. Used together with ServiceUri. Input for StorageSharedKeyCredential-AccessKey
 
+_clientId_ - Alternative to ConnectionString. Instantiates the `BlobServiceClient` using a `ClientSecretCredential` for authentication. Requires `TenantIdentity` and `ClientSecret`.
+
+_clientSecret_ - Secret when using ClientId. Instantiates the `BlobServiceClient` using a `ClientSecretCredential` for authentication. Requires `TenantIdentity` and `ClientId`.
+
 ### Batching Policy
 
 _batchSize_ - Number of EventData items to send in a single batch (Default=100)

test/NLog.Extensions.AzureBlobStorage.Tests/CloudBlobServiceMock.cs

@@ -17,7 +17,7 @@ class CloudBlobServiceMock : ICloudBlobService
 
         public IDictionary<string, string> BlobTags { get; private set; }
 
-        public void Connect(string connectionString, string serviceUri, string tenantIdentity, string resourceIdentifier, string clientIdentity, string sharedAccessSignature, string storageAccountName, string storageAccountAccessKey, IDictionary<string, string> blobMetadata, IDictionary<string, string> blobTags)
+        public void Connect(string connectionString, string serviceUri, string tenantIdentity, string resourceIdentifier, string clientIdentity, string sharedAccessSignature, string storageAccountName, string storageAccountAccessKey, string clientId, string clientSecret, IDictionary<string, string> blobMetadata, IDictionary<string, string> blobTags)
         {
             ConnectionString = connectionString;
             BlobMetadata = blobMetadata;