Merge pull request #14 from alertlogic/msi

Managed Service Identity support.

Author: kkuzmin

master.js

@@ -11,8 +11,7 @@
 
 const async = require('async');
 
-const azureRest = require('ms-rest-azure');
-const azureArmClient = require('azure-arm-resource').ResourceManagementClient;
+const msRestAzure = require('ms-rest-azure');
 const azureArmWebsite = require('azure-arm-website');
 const fileTokenCache = require('azure/lib/util/fileTokenCache');
 
@@ -108,25 +107,29 @@ class AlAzureMaster {
         this._alDataResidency = alDataResidency ? alDataResidency : process.env.CUSTOMCONNSTR_APP_AL_RESIDENCY;
 
         // Init Azure optional configuration parameters
-        this._clientId = clientId ? clientId : process.env.CUSTOMCONNSTR_APP_CLIENT_ID;
         this._domain = domain ? domain : process.env.APP_TENANT_ID;
-        this._clientSecret = clientSecret ? clientSecret : process.env.CUSTOMCONNSTR_APP_CLIENT_SECRET;
+        this._clientId = clientId ? clientId : 
+            process.env.MSI_SECRET ? process.env.APP_PRINCIPAL_ID : process.env.CUSTOMCONNSTR_APP_CLIENT_ID;
+        this._clientSecret = clientSecret ? clientSecret : 
+            process.env.MSI_SECRET ? 'Managed Service Identity' : process.env.CUSTOMCONNSTR_APP_CLIENT_SECRET;
         this._subscriptionId = subscriptionId ? subscriptionId : process.env.APP_SUBSCRIPTION_ID;
         this._resourceGroup = resourceGroup ? resourceGroup : process.env.APP_RESOURCE_GROUP;
         this._webAppName = webAppName ? webAppName : process.env.WEBSITE_SITE_NAME;
 
         // Init Azure SDK
-        var tokenCache = new fileTokenCache(m_util.getADCacheFilename(
-            'https://management.azure.com',
-            this._clientId,
-            this._domain));
-
-        this._azureCreds = new azureRest.ApplicationTokenCredentials(
-            this._clientId,
-            this._domain,
-            this._clientSecret,
-            { 'tokenCache': tokenCache });
-                
+        if (process.env.MSI_ENDPOINT && process.env.MSI_SECRET) {
+            this._azureCreds = new msRestAzure.MSIAppServiceTokenCredentials();
+        } else {
+            const tokenCache = new fileTokenCache(m_util.getADCacheFilename(
+                'https://management.azure.com',
+                this._clientId,
+                this._domain));
+            this._azureCreds = new msRestAzure.ApplicationTokenCredentials(
+                this._clientId,
+                this._domain,
+                this._clientSecret,
+                { 'tokenCache': tokenCache });
+        }
         this._azureWebsiteClient = new azureArmWebsite(this._azureCreds, this._subscriptionId);
         this._appStats = new AzureWebAppStats(collectorAzureFunNames);
         this._collectionStats = new AzureCollectionStats(azureContext, {outputQueueBinding: OutputStatsBinding});

test/master_test.js

@@ -172,7 +172,7 @@ describe('Master tests', function() {
                 aimsKeyId: 'aimsKeyId',
                 aimsKeySecret: 'aimsKeySecret',
                 alApiEndpoint: 'alApiEndpoint',
-                alIngestEndpoint: 'alIngestEndpoint',
+                alAzcollectEndpoint: 'alAzcollectEndpoint',
                 alDataResidency: 'default'
             };
             var azureOpts = {
@@ -197,7 +197,77 @@ describe('Master tests', function() {
                 done();
             });
         });
-        
+
+        it('Verify register with MSI', function(done) {
+            // Mock Azure HTTP calls
+            nock('http://127.0.0.1:41963', {'encodedQueryParams':true})
+            .get(/token\/$/, /.*/ )
+            .query(true)
+            .times(5)
+            .reply(200, mock.AZURE_TOKEN_MOCK);
+            
+            nock('https://management.azure.com:443', {'encodedQueryParams':true})
+            .put(/appsettings/, /.*/ )
+            .query(true)
+            .times(4)
+            .reply(200, {});
+            
+            nock('https://management.azure.com:443', {'encodedQueryParams':true})
+            .post(/appsettings/, /.*/ )
+            .query(true)
+            .times(4)
+            .reply(200, {});
+            
+            // Mock Alert Logic HTTP calls
+            fakePost = sinon.stub(alcollector.AlServiceC.prototype, 'post');
+            fakePost.withArgs('/azure/ehub/subscription-id/rg/app-name')
+                .resolves({
+                    source: {
+                        host: {
+                            id: 'new-host-id1'
+                        },
+                        id: 'new-source-id1'
+                    }
+            });
+            
+            var alOpts = {
+                aimsKeyId: 'aimsKeyId',
+                aimsKeySecret: 'aimsKeySecret',
+                alApiEndpoint: 'alApiEndpoint',
+                alDataResidency: 'default'
+            };
+            
+            delete process.env.COLLECTOR_HOST_ID;
+            delete process.env.COLLECTOR_SOURCE_ID;
+            process.env.WEBSITE_SITE_NAME = 'app-name';
+            process.env.APP_SUBSCRIPTION_ID = 'subscription-id';
+            process.env.APP_RESOURCE_GROUP = 'rg';
+            process.env.MSI_SECRET = 'MSI secret';
+            process.env.MSI_ENDPOINT = 'http://127.0.0.1:41963/MSI/token/';
+            process.env.APP_PRINCIPAL_ID = 'msi-principal-id';
+            
+            var master = new AlAzureMaster(mock.DEFAULT_FUNCTION_CONTEXT, 'ehub', '1.0.0', [], [], alOpts);
+            
+            master.register({}, function(err, collectorHostId, collectorSourceId){
+                if (err) console.log(err);
+                assert.equal(collectorHostId, 'new-host-id1');
+                assert.equal(collectorSourceId, 'new-source-id1');
+                const expectedBody = {
+                    body: {
+                        app_tenant_id: 'tenant-id',
+                        client_id: process.env.APP_PRINCIPAL_ID,
+                        client_secret: 'Managed Service Identity',
+                        version: '1.0.0'
+                   }
+                };
+                sinon.assert.calledWith(fakePost, '/azure/ehub/subscription-id/rg/app-name', expectedBody);
+                delete process.env.MSI_SECRET;
+                delete process.env.MSI_ENDPOINT;
+                delete process.env.APP_PRINCIPAL_ID;
+                done();
+            });
+        });
+
         it('Verify register reuse endpoints and collector ids from env', function(done) {
             // Expected Alert Logic parameters
             process.env.WEBSITE_HOSTNAME = 'app-name';

updater.js

@@ -36,9 +36,17 @@ class AlAzureUpdater {
         this._webAppName = webAppName ? webAppName : process.env.WEBSITE_SITE_NAME;
     }
 
+    _getAzureCredentials() {
+        if (process.env.MSI_ENDPOINT && process.env.MSI_SECRET) {
+            return new msRestAzure.MSIAppServiceTokenCredentials();
+        } else {
+            return new msRestAzure.ApplicationTokenCredentials(this._clientId, this._domain, this._clientSecret);
+        }
+    }
+    
     syncWebApp(callback) {
-        var credentials = new msRestAzure.ApplicationTokenCredentials(this._clientId, this._domain, this._clientSecret);
-        var webSiteClient = new WebSiteManagement(credentials, this._subscriptionId);
+        const credentials = this._getAzureCredentials();
+        const webSiteClient = new WebSiteManagement(credentials, this._subscriptionId);
         return webSiteClient.webApps.syncRepository(this._resourceGroup, this._webAppName, callback);
     }
 };