(GH-121) Add Azure Arc support

Author: TraGicCode

.fixtures.yml

@@ -4,9 +4,9 @@
 fixtures:
   forge_modules:
   repositories:
-    provision: 'https://github.com/puppetlabs/provision.git'
-    puppet_agent: 'https://github.com/puppetlabs/puppetlabs-puppet_agent.git'
-    facts: 'https://github.com/puppetlabs/puppetlabs-facts.git'
+    provision: 'git@github.com:puppetlabs/provision.git'
+    puppet_agent: 'git@github.com:puppetlabs/puppetlabs-puppet_agent'
+    facts: 'git@github.com:puppetlabs/puppetlabs-facts'
   # Should go away when Attempting to work around PDK-1137(https://tickets.puppetlabs.com/browse/PDK-1137)
   # is resolved.
   symlinks:

.gitignore

@@ -26,3 +26,9 @@
 .envrc
 /inventory.yaml
 /spec/fixtures/litmus_inventory.yaml
+.resource_types
+.modules
+.task_cache.json
+.plan_cache.json
+.rerun.json
+bolt-debug.log

.pdkignore

@@ -26,9 +26,16 @@
 .envrc
 /inventory.yaml
 /spec/fixtures/litmus_inventory.yaml
+.resource_types
+.modules
+.task_cache.json
+.plan_cache.json
+.rerun.json
+bolt-debug.log
 /.fixtures.yml
 /Gemfile
 /.gitattributes
+/.github/
 /.gitignore
 /.pdkignore
 /.puppet-lint.rc

.rubocop.yml

@@ -3,6 +3,7 @@ require:
 - rubocop-performance
 - rubocop-rspec
 AllCops:
+  NewCops: enable
   DisplayCopNames: true
   TargetRubyVersion: '2.6'
   Include:
@@ -527,6 +528,8 @@ Lint/DuplicateBranch:
   Enabled: false
 Lint/DuplicateMagicComment:
   Enabled: false
+Lint/DuplicateMatchPattern:
+  Enabled: false
 Lint/DuplicateRegexpCharacterClassElement:
   Enabled: false
 Lint/EmptyBlock:
@@ -643,6 +646,8 @@ Style/ComparableClamp:
   Enabled: false
 Style/ConcatArrayLiterals:
   Enabled: false
+Style/DataInheritance:
+  Enabled: false
 Style/DirEmpty:
   Enabled: false
 Style/DocumentDynamicEvalDefinition:
@@ -711,6 +716,8 @@ Style/RedundantHeredocDelimiterQuotes:
   Enabled: false
 Style/RedundantInitialize:
   Enabled: false
+Style/RedundantLineContinuation:
+  Enabled: false
 Style/RedundantSelfAssignmentBranch:
   Enabled: false
 Style/RedundantStringEscape:

.vscode/extensions.json

@@ -1,6 +1,6 @@
 {
   "recommendations": [
     "puppet.puppet-vscode",
-    "rebornix.Ruby"
+    "Shopify.ruby-lsp"
   ]
 }

Gemfile

@@ -20,28 +20,32 @@ group :development do
   gem "json", '= 2.6.1',                         require: false if Gem::Requirement.create(['>= 3.1.0', '< 3.1.3']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
   gem "json", '= 2.6.3',                         require: false if Gem::Requirement.create(['>= 3.2.0', '< 4.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
   gem "racc", '~> 1.4.0',                        require: false if Gem::Requirement.create(['>= 2.7.0', '< 3.0.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
+  gem "deep_merge", '~> 1.2.2',                  require: false
   gem "voxpupuli-puppet-lint-plugins", '~> 5.0', require: false
-  gem "facterdb", '~> 1.18',                     require: false
-  gem "metadata-json-lint", '~> 3.0',            require: false
-  gem "puppetlabs_spec_helper", '~> 6.0',        require: false
-  gem "rspec-puppet-facts", '~> 2.0',            require: false
-  gem "codecov", '~> 0.2',                       require: false
+  gem "facterdb", '~> 1.26',                     require: false
+  gem "metadata-json-lint", '~> 4.0',            require: false
+  gem "rspec-puppet-facts", '~> 3.0',            require: false
   gem "dependency_checker", '~> 1.0.0',          require: false
   gem "parallel_tests", '= 3.12.1',              require: false
   gem "pry", '~> 0.10',                          require: false
-  gem "simplecov-console", '~> 0.5',             require: false
+  gem "simplecov-console", '~> 0.9',             require: false
   gem "puppet-debugger", '~> 1.0',               require: false
-  gem "rubocop", '= 1.48.1',                     require: false
+  gem "rubocop", '~> 1.50.0',                    require: false
   gem "rubocop-performance", '= 1.16.0',         require: false
   gem "rubocop-rspec", '= 2.19.0',               require: false
-  gem "puppet-strings", '~> 4.0',                require: false
   gem "rb-readline", '= 0.5.5',                  require: false, platforms: [:mswin, :mingw, :x64_mingw]
+  gem "rexml", '>= 3.0.0', '< 3.2.7',            require: false
   gem "github_changelog_generator",              require: false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.2.2')
   gem "webmock",                                 require: false
 end
+group :development, :release_prep do
+  gem "puppet-strings", '~> 4.0',         require: false
+  gem "puppetlabs_spec_helper", '~> 7.0', require: false
+end
 group :system_tests do
-  gem "puppet_litmus", '~> 1.0', require: false, platforms: [:ruby, :x64_mingw]
-  gem "serverspec", '~> 2.41',   require: false
+  gem "puppet_litmus", '~> 1.0',   require: false, platforms: [:ruby, :x64_mingw]
+  gem "CFPropertyList", '< 3.0.7', require: false, platforms: [:mswin, :mingw, :x64_mingw]
+  gem "serverspec", '~> 2.41',     require: false
 end
 
 puppet_version = ENV['PUPPET_GEM_VERSION']

Rakefile

@@ -4,86 +4,8 @@ require 'bundler'
 require 'puppet_litmus/rake_tasks' if Gem.loaded_specs.key? 'puppet_litmus'
 require 'puppetlabs_spec_helper/rake_tasks'
 require 'puppet-syntax/tasks/puppet-syntax'
-require 'github_changelog_generator/task' if Gem.loaded_specs.key? 'github_changelog_generator'
 require 'puppet-strings/tasks' if Gem.loaded_specs.key? 'puppet-strings'
 require 'puppet-strings/tasks'
 
-def changelog_user
-  return unless Rake.application.top_level_tasks.include? "changelog"
-  returnVal = nil || JSON.load(File.read('metadata.json'))['author']
-  raise "unable to find the changelog_user in .sync.yml, or the author in metadata.json" if returnVal.nil?
-  puts "GitHubChangelogGenerator user:#{returnVal}"
-  returnVal
-end
-
-def changelog_project
-  return unless Rake.application.top_level_tasks.include? "changelog"
-
-  returnVal = nil
-  returnVal ||= begin
-    metadata_source = JSON.load(File.read('metadata.json'))['source']
-    metadata_source_match = metadata_source && metadata_source.match(%r{.*\/([^\/]*?)(?:\.git)?\Z})
-
-    metadata_source_match && metadata_source_match[1]
-  end
-
-  raise "unable to find the changelog_project in .sync.yml or calculate it from the source in metadata.json" if returnVal.nil?
-
-  puts "GitHubChangelogGenerator project:#{returnVal}"
-  returnVal
-end
-
-def changelog_future_release
-  return unless Rake.application.top_level_tasks.include? "changelog"
-  returnVal = "v%s" % JSON.load(File.read('metadata.json'))['version']
-  raise "unable to find the future_release (version) in metadata.json" if returnVal.nil?
-  puts "GitHubChangelogGenerator future_release:#{returnVal}"
-  returnVal
-end
-
 PuppetLint.configuration.send('disable_relative')
 
-
-if Gem.loaded_specs.key? 'github_changelog_generator'
-  GitHubChangelogGenerator::RakeTask.new :changelog do |config|
-    raise "Set CHANGELOG_GITHUB_TOKEN environment variable eg 'export CHANGELOG_GITHUB_TOKEN=valid_token_here'" if Rake.application.top_level_tasks.include? "changelog" and ENV['CHANGELOG_GITHUB_TOKEN'].nil?
-    config.user = "#{changelog_user}"
-    config.project = "#{changelog_project}"
-    config.future_release = "#{changelog_future_release}"
-    config.exclude_labels = ['maintenance']
-    config.header = "# Change log\n\nAll notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org)."
-    config.add_pr_wo_labels = true
-    config.issues = false
-    config.merge_prefix = "### UNCATEGORIZED PRS; LABEL THEM ON GITHUB"
-    config.configure_sections = {
-      "Changed" => {
-        "prefix" => "### Changed",
-        "labels" => ["backwards-incompatible"],
-      },
-      "Added" => {
-        "prefix" => "### Added",
-        "labels" => ["enhancement", "feature"],
-      },
-      "Fixed" => {
-        "prefix" => "### Fixed",
-        "labels" => ["bug", "documentation", "bugfix"],
-      },
-    }
-  end
-else
-  desc 'Generate a Changelog from GitHub'
-  task :changelog do
-    raise <<EOM
-The changelog tasks depends on recent features of the github_changelog_generator gem.
-Please manually add it to your .sync.yml for now, and run `pdk update`:
----
-Gemfile:
-  optional:
-    ':development':
-      - gem: 'github_changelog_generator'
-        version: '~> 1.15'
-        condition: "Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.3.0')"
-EOM
-  end
-end
-

lib/puppet/functions/azure_key_vault/lookup.rb

@@ -9,7 +9,8 @@
       Optional[metadata_api_version] => String,
       confine_to_keys => Array[String],
       Optional[key_replacement_token] => String,
-      Optional[service_principal_credentials] => String
+      Optional[service_principal_credentials] => String,
+      Optional[use_azure_arc_authentication] => Boolean
     }]', :options
     param 'Puppet::LookupContext', :context
     return_type 'Variant[Sensitive, Undef]'
@@ -44,6 +45,8 @@ def lookup_key(secret_name, options, context)
     if access_token.nil?
       metadata_api_version = options['metadata_api_version']
       service_principal_credentials = options['service_principal_credentials']
+      use_azure_arc_authentication = options['use_azure_arc_authentication']
+
       if metadata_api_version && service_principal_credentials
         raise ArgumentError, 'metadata_api_version and service_principal_credentials cannot be used together'
       end
@@ -54,6 +57,8 @@ def lookup_key(secret_name, options, context)
       if service_principal_credentials
         credentials = YAML.load_file(service_principal_credentials)
         access_token = TragicCode::Azure.get_access_token_service_principal(credentials)
+      elsif use_azure_arc_authentication
+        access_token = TragicCode::Azure.get_access_token_azure_arc(metadata_api_version)
       else
         access_token = TragicCode::Azure.get_access_token(metadata_api_version)
       end

lib/puppet/functions/azure_key_vault/secret.rb

@@ -18,7 +18,8 @@
         tenant_id => String,
         client_id => String,
         client_secret => String
-      }]
+      }],
+      Optional[use_azure_arc_authentication] => Boolean
     }]', :api_endpoint_hash
     optional_param 'String', :secret_version
     return_type 'Sensitive[String]'
@@ -34,23 +35,40 @@ def secret(cache, vault_name, secret_name, api_endpoint_hash, secret_version = '
       partial_credentials = api_endpoint_hash['service_principal_credentials'].slice('tenant_id', 'client_id')
       Puppet.debug("service_principal_credentials: #{partial_credentials}")
     end
+    Puppet.debug("use_azure_arc_authentication: #{api_endpoint_hash['use_azure_arc_authentication']}")
     cache_hash = cache.retrieve(self)
     access_token_id = :"access_token_#{vault_name}"
     unless cache_hash.key?(access_token_id)
       Puppet.debug("retrieving access token since it's not in the cache")
       metadata_api_version = api_endpoint_hash['metadata_api_version']
       service_principal_credentials = api_endpoint_hash['service_principal_credentials']
+      use_azure_arc_authentication = api_endpoint_hash['use_azure_arc_authentication']
+
+      if !metadata_api_version && !service_principal_credentials
+        raise ArgumentError, 'hash must contain at least one of metadata_api_version or service_principal_credentials.'
+      end
+
+      # Service principal validation
       if metadata_api_version && service_principal_credentials
-        raise ArgumentError, 'metadata_api_version and service_principal_credentials cannot be used together'
+        raise ArgumentError, 'metadata_api_version and service_principal_credentials cannot be used together.'
       end
 
-      if service_principal_credentials
-        access_token = TragicCode::Azure.get_access_token_service_principal(service_principal_credentials)
-      elsif metadata_api_version
-        access_token = TragicCode::Azure.get_access_token(metadata_api_version)
-      else
-        raise ArgumentError, 'hash must contain at least one of metadata_api_version or service_principal_credentials'
+      # Azure arc validation
+      if service_principal_credentials && use_azure_arc_authentication
+        raise ArgumentError, 'service_principal_credentials and use_azure_arc_authentication cannot be used together.'
       end
+
+      if !metadata_api_version && use_azure_arc_authentication
+        raise ArgumentError, 'use_azure_arc_authentication must be used together with metadata_api_version.'
+      end
+
+      access_token = if service_principal_credentials
+                       TragicCode::Azure.get_access_token_service_principal(service_principal_credentials)
+                     elsif use_azure_arc_authentication
+                       TragicCode::Azure.get_access_token_azure_arc(metadata_api_version)
+                     else
+                       TragicCode::Azure.get_access_token(metadata_api_version)
+                     end
       cache_hash[access_token_id] = access_token
     end
 

lib/puppet_x/tragiccode/azure.rb

@@ -4,14 +4,43 @@
 module TragicCode
   # Azure API functions
   class Azure
+    AZURE_ARC_INSTANCE_METADATA_ENPOINT_IP = '127.0.0.1'.freeze
+
     def self.normalize_object_name(object_name, replacement)
       object_name.gsub(%r{[^0-9a-zA-Z-]}, replacement)
     end
 
+    def self.get_access_token_azure_arc(api_version)
+      # Generate File and Read Challenge Token
+      uri = URI("http://#{self.AZURE_ARC_INSTANCE_METADATA_ENPOINT_IP}/metadata/identity/oauth2/token?api-version=#{api_version}&resource=https%3A%2F%2Fvault.azure.net")
+      req = Net::HTTP::Get.new(uri.request_uri)
+      req['Metadata'] = 'true'
+      res = Net::HTTP.start(uri.hostname, uri.port) do |http|
+        http.request(req)
+      end
+
+      # 403 is expected here. we do not provide ANY key
+      raise res.body unless res.is_a?(Net::HTTPUnauthorized)
+      raise 'Response header Www-Authenticate is missing' unless res['Www-Authenticate']
+
+      challenge_token_file_path = res['Www-Authenticate'].sub(%r{\s*Basic\s+realm=}, '')
+      challenge_token = File.read(challenge_token_file_path)
+
+      # Get Access Token using challenge token
+      internal_get_access_token(api_version, self.AZURE_ARC_INSTANCE_METADATA_ENPOINT_IP, { 'Authorization' => "Basic #{challenge_token}" })
+    end
+
     def self.get_access_token(api_version)
-      uri = URI("http://169.254.169.254/metadata/identity/oauth2/token?api-version=#{api_version}&resource=https%3A%2F%2Fvault.azure.net")
+      internal_get_access_token(api_version, '169.254.169.254')
+    end
+
+    def self.internal_get_access_token(api_version, instance_metadata_service_endpoint = '169.254.169.254', extra_http_headers_hash = {})
+      uri = URI("http://#{instance_metadata_service_endpoint}/metadata/identity/oauth2/token?api-version=#{api_version}&resource=https%3A%2F%2Fvault.azure.net")
       req = Net::HTTP::Get.new(uri.request_uri)
       req['Metadata'] = 'true'
+      extra_http_headers_hash.each do |key, value|
+        req[key] = value
+      end
       res = Net::HTTP.start(uri.hostname, uri.port) do |http|
         http.request(req)
       end