toolkit: enable downloads using Azure CLI credentials (microsoft#14494)

Signed-off-by: Manuel Huber <[email protected]>
Co-authored-by: Pawel Winogrodzki <[email protected]>

Author: manuelh-dev

toolkit/Makefile

@@ -23,6 +23,8 @@ PACKAGE_BUILD_LIST      ?=
 PACKAGE_REBUILD_LIST    ?=
 ##help:var:PACKAGE_IGNORE_LIST:<spec_list>=List of space-separated spec folders to ignore during the build. Must not overlap with "PACKAGE_REBUILD_LIST", may overlap with "PACKAGE_BUILD_LIST". Example: PACKAGE_IGNORE_LIST="zlib".
 PACKAGE_IGNORE_LIST     ?=
+##help:var:SOURCE_AUTH_MODE:<mode>=Mode to use for downloading source files for SRPM packing. Valid options: anonymous, azurecli (as defined in the srpmpacker code base).
+SOURCE_AUTH_MODE        ?=
 ##help:var:SRPM_PACK_LIST:<spec_list>=List of space-separated spec folders inside "SPECS_DIR" to analyze for the build. If empty, all items inside the "SPECS_DIR" will be analyzed. Example: SRPM_PACK_LIST="kernel go which".
 SRPM_PACK_LIST          ?=
 ##help:var:TEST_RUN_LIST:<spec_list>=List of space-separated spec folders to consider for package tests. Specs from the listed folders MUST contain the "%check" section. If empty, all testable items from "SRPM_PACK_LIST" will be considered. Will not re-test previously built packages. Example: TEST_RUN_LIST="libguestfs zlib".

toolkit/docs/building/building.md

@@ -370,15 +370,22 @@ Daily build packages are available via `DAILY_BUILD_ID`. Use `DAILY_BUILD_ID=lkg
 
 ### Authentication
 
-If supplying custom endpoints for source/SRPM/package servers, accessing these resources may require keys and certificates. The keys and certificates can be set using:
+If supplying custom endpoints for source/SRPM/package servers, accessing these resources may require authentication.
+Keys and certificates for TLS based authentication can be set using:
 
 ```bash
 sudo make image CONFIG_FILE="./imageconfigs/core-efi.json" CA_CERT=/path/to/rootca.crt TLS_CERT=/path/to/user.crt TLS_KEY=/path/to/user.key
 ```
 
+For SRPM packing (i.e., for retrieving package sources), Azure CLI login can be used to access authenticated Azure blob storages, which do not support anonymous access:
+```bash
+sudo make build-packages SOURCE_AUTH_MODE="azurecli"
+```
+Using this mode requires prior `az login` with your managed identity ID.
+
 ## Building Everything From Scratch
 
-**NOTE: Source files must be made available for all packages. They can be placed manually in the corresponding SPEC/\* folders, `SOURCE_URL=<YOUR_SOURCE_SERVER>` may be provided, or DOWNLOAD_SRPMS=y may be used to use pre-packages sources. Core Azure Linux source packages are available at `SOURCE_URL=https://azurelinuxsrcstorage.blob.core.windows.net/sources/core`**
+**NOTE: Source files must be made available for all packages. They can be placed manually in the corresponding SPEC/\* folders, `SOURCE_URL=<YOUR_SOURCE_SERVER>` may be provided, or DOWNLOAD_SRPMS=y may be used to use pre-packages sources. Core Azure Linux source packages are available at `SOURCE_URL=https://azurelinuxsrcstorage.blob.core.windows.net/sources/core` and support anonymous access.**
 
 The build system can operate without using pre-built components if desired. There are several variables which enable/disable build components and sources of data. They are listed here along with their default values:
 
@@ -840,6 +847,8 @@ To reproduce an ISO build, run the same make invocation as before, but set:
 | CA_CERT                       |                                                                                                          | CA cert to access the above resources, in addition to the system certificate store
 | TLS_CERT                      |                                                                                                          | TLS cert to access the above resources
 | TLS_KEY                       |                                                                                                          | TLS key to access the above resources
+| SOURCE_AUTH_MODE              |                                                                                                          |
+Authentication mode for downloading source files for SRPM packing. Valid options: anonymous, azurecli (as defined in the srpmpacker code base). The azurecli option enables Azure CLI based authentication for accessing Azure Blob Storages which do not allow for public access. The default method is anonymous access using HTTP GET.
 
 ---
 

toolkit/scripts/srpm_pack.mk

@@ -82,6 +82,7 @@ $(STATUS_FLAGS_DIR)/build_srpms.flag: $(chroot_worker) $(local_specs) $(local_sp
 		--dir=$(SPECS_DIR) \
 		--output-dir=$(BUILD_SRPMS_DIR) \
 		--source-url=$(SOURCE_URL) \
+		$(if $(SOURCE_AUTH_MODE),--source-auth-mode=$(SOURCE_AUTH_MODE)) \
 		--dist-tag=$(DIST_TAG) \
 		--ca-cert=$(CA_CERT) \
 		--tls-cert=$(TLS_CERT) \
@@ -108,6 +109,7 @@ $(STATUS_FLAGS_DIR)/build_toolchain_srpms.flag: $(toolchain_files) $(go-srpmpack
 		--dir=$(SPECS_DIR) \
 		--output-dir=$(BUILD_SRPMS_DIR) \
 		--source-url=$(SOURCE_URL) \
+		$(if $(SOURCE_AUTH_MODE),--source-auth-mode=$(SOURCE_AUTH_MODE)) \
 		--dist-tag=$(DIST_TAG) \
 		--ca-cert=$(CA_CERT) \
 		--tls-cert=$(TLS_CERT) \

toolkit/tools/internal/azureblobstorage/azureblobstorage.go

@@ -7,13 +7,17 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net/url"
 	"os"
+	"regexp"
+	"strings"
 	"time"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
 	"github.com/microsoft/azurelinux/toolkit/tools/internal/file"
 	"github.com/microsoft/azurelinux/toolkit/tools/internal/logger"
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/retry"
 )
 
 const (
@@ -22,6 +26,60 @@ const (
 	AzureCLIAccess         = 2
 )
 
+// Azure SDK error for 404-like condition for storage blobs (a similar message is returned for storage containers):
+// RESPONSE 404: 404 The specified blob does not exist.
+// ERROR CODE: BlobNotFound
+const AzureSDK404ErrorPattern = "RESPONSE 404"
+
+var (
+	// Every valid blob URL will be of the form: <storage_account>.blob.core.windows.net/<container>/<blob_name>
+	// With <blob_name> being optional.
+	//
+	// For:
+	//     https://mystorageaccount.blob.core.windows.net/mycontainer/my/blob/name
+	//
+	// We'd get:
+	//   - storage account:	mystorageaccount
+	//   - container:       mycontainer
+	//   - blob name:       my/blob/name
+	blobStorageURLRegex = regexp.MustCompile(`^([^.]+)\.blob\.core\.windows\.net/([^/]+)(?:/([^?#]+))?`)
+)
+
+const (
+	blobStorageURLMatchSubString = iota
+	blobStorageURLStorageName
+	blobStorageURLContainerName
+	blobStorageURLBlobName
+	blobStorageURLMaxMatchLen
+)
+
+// ParseAzureBlobStorageURL parses an Azure Blob Storage URL and extracts storage account, container, and optionally blob information.
+func ParseAzureBlobStorageURL(urlStr string) (storageAccountName, containerName, blobName string, err error) {
+	parsedURL, err := url.Parse(urlStr)
+	if err != nil {
+		return "", "", "", fmt.Errorf("failed to parse URL (%s):\n%w", urlStr, err)
+	}
+
+	if parsedURL.Scheme == "" {
+		return "", "", "", fmt.Errorf("URL (%s) is not a valid Azure Blob Storage URL - must start with a scheme", urlStr)
+	}
+
+	matches := blobStorageURLRegex.FindStringSubmatch(parsedURL.Host + parsedURL.Path)
+	if len(matches) < blobStorageURLBlobName {
+		return "", "", "", fmt.Errorf("URL (%s) is not a valid Azure Blob Storage URL"+
+			" (expected: <scheme>://<storage_account>.blob.core.windows.net/<container>/<optional_blob_name>)", urlStr)
+	}
+
+	storageAccountName = matches[blobStorageURLStorageName]
+	containerName = matches[blobStorageURLContainerName]
+
+	if len(matches) > blobStorageURLBlobName {
+		blobName = matches[blobStorageURLBlobName]
+	}
+
+	return storageAccountName, containerName, blobName, nil
+}
+
 type AzureBlobStorage struct {
 	theClient *azblob.Client
 }
@@ -148,3 +206,88 @@ func Create(tenantId string, userName string, password string, storageAccount st
 
 	return nil, errors.New("unknown authentication type")
 }
+
+// CreateFromURL creates an AzureBlobStorage client from a storage account URL
+func CreateFromURL(storageAccountURL string) (abs *AzureBlobStorage, err error) {
+	// Parse the URL to extract storage account information
+	storageAccountName, _, _, parseErr := ParseAzureBlobStorageURL(storageAccountURL)
+	if parseErr != nil {
+		return nil, fmt.Errorf("failed to parse storage account URL:\n%w", parseErr)
+	}
+
+	abs, err = Create("", "", "", storageAccountName, AzureCLIAccess)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create Azure Blob Storage client:\n%w", err)
+	}
+
+	return abs, nil
+}
+
+// DownloadFileWithRetry downloads a file from an Azure Blob Storage using the Azure SDK for Go with retry logic
+// ctx: The context to use for the download. Use context.Background() if no other context is available.
+// azureBlobStorage: The Azure Blob Storage client.
+// srcUrl: The full Azure Blob Storage URL including container and blob path.
+// dstFile: The local file to save the download to.
+// timeout: The maximum duration for the download operation, use 0 for no timeout.
+// returns: wasCancelled: true if the download was cancelled via the context, false otherwise.
+// returns: err: An error if the download failed (including being cancelled), nil otherwise.
+func DownloadFileWithRetry(
+	ctx context.Context,
+	azureBlobStorage *AzureBlobStorage,
+	srcUrl, dstFile string,
+	timeout time.Duration,
+) (wasCancelled bool, err error) {
+	var closeCtx context.CancelFunc
+
+	if ctx == nil {
+		return false, fmt.Errorf("context is nil")
+	}
+
+	if timeout < 0 {
+		return false, fmt.Errorf("invalid timeout: %s", timeout)
+	}
+
+	if timeout == 0 {
+		ctx, closeCtx = context.WithCancel(ctx)
+	} else {
+		ctx, closeCtx = context.WithTimeout(ctx, timeout)
+	}
+	defer closeCtx()
+
+	// Parse the URL to get container and blob names
+	_, containerName, blobName, parseErr := ParseAzureBlobStorageURL(srcUrl)
+	if parseErr != nil {
+		return false, fmt.Errorf("failed to parse source URL:\n%w", parseErr)
+	}
+
+	logger.Log.Infof("Attempting Azure SDK download for blob (%s/%s)", containerName, blobName)
+
+	retryNum := 1
+	errorWas404 := false
+	wasCancelled, err = retry.RunWithDefaultDownloadBackoff(ctx, func() error {
+		netErr := azureBlobStorage.Download(ctx, containerName, blobName, dstFile)
+		if netErr != nil {
+			// Check if the error is a 404-like condition (blob or container not found)
+			if strings.Contains(netErr.Error(), AzureSDK404ErrorPattern) {
+				logger.Log.Warnf("Attempt %d/%d: failed to download (%s/%s) with error: (%s)", retryNum, retry.DefaultDownloadRetryAttempts, containerName, blobName, netErr)
+				logger.Log.Warnf("This error is likely unrecoverable, will not retry")
+				errorWas404 = true
+				closeCtx()
+			} else {
+				logger.Log.Infof("Attempt %d/%d: failed to download (%s/%s) with error: (%s)", retryNum, retry.DefaultDownloadRetryAttempts, containerName, blobName, netErr)
+			}
+		}
+		retryNum++
+		return netErr
+	})
+
+	// If the error was a 404-like error, we should not consider the download as cancelled
+	if errorWas404 {
+		wasCancelled = false
+	}
+
+	if err != nil {
+		err = fmt.Errorf("failed to download (%s/%s) to (%s):\n%w", containerName, blobName, dstFile, err)
+	}
+	return
+}

toolkit/tools/internal/azureblobstorage/azureblobstorage_test.go

@@ -0,0 +1,140 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package azureblobstorage
+
+import (
+	"os"
+	"testing"
+
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/logger"
+)
+
+func TestMain(m *testing.M) {
+	logger.InitStderrLog()
+	os.Exit(m.Run())
+}
+
+func TestParseAzureBlobStorageURL(t *testing.T) {
+	tests := []struct {
+		name                   string
+		urlStr                 string
+		wantStorageAccountName string
+		wantContainerName      string
+		wantBlobName           string
+		wantErr                bool
+	}{
+		{
+			name:                   "Valid URL with container only",
+			urlStr:                 "https://mystorageaccount.blob.core.windows.net/mycontainer",
+			wantStorageAccountName: "mystorageaccount",
+			wantContainerName:      "mycontainer",
+			wantBlobName:           "",
+			wantErr:                false,
+		},
+		{
+			name:                   "Valid URL with container and blob",
+			urlStr:                 "https://mystorageaccount.blob.core.windows.net/mycontainer/myblob.txt",
+			wantStorageAccountName: "mystorageaccount",
+			wantContainerName:      "mycontainer",
+			wantBlobName:           "myblob.txt",
+			wantErr:                false,
+		},
+		{
+			name:                   "Valid URL with container and blob in folder",
+			urlStr:                 "https://mystorageaccount.blob.core.windows.net/mycontainer/folder/myblob.txt",
+			wantStorageAccountName: "mystorageaccount",
+			wantContainerName:      "mycontainer",
+			wantBlobName:           "folder/myblob.txt",
+			wantErr:                false,
+		},
+		{
+			name:                   "Valid URL with deep folder hierarchy",
+			urlStr:                 "https://mystorageaccount.blob.core.windows.net/mycontainer/folder1/folder2/myfile-1.2.3.tar.gz",
+			wantStorageAccountName: "mystorageaccount",
+			wantContainerName:      "mycontainer",
+			wantBlobName:           "folder1/folder2/myfile-1.2.3.tar.gz",
+			wantErr:                false,
+		},
+		{
+			name:                   "Valid URL with trailing slash",
+			urlStr:                 "https://mystorageaccount.blob.core.windows.net/mycontainer/",
+			wantStorageAccountName: "mystorageaccount",
+			wantContainerName:      "mycontainer",
+			wantBlobName:           "",
+			wantErr:                false,
+		},
+		{
+			name:    "Invalid URL - not Azure Blob Storage format",
+			urlStr:  "https://example.com/container/blob",
+			wantErr: true,
+		},
+		{
+			name:    "Invalid URL - missing storage account",
+			urlStr:  "https://blob.core.windows.net/container/blob",
+			wantErr: true,
+		},
+		{
+			name:    "Invalid URL - malformed hostname",
+			urlStr:  "https://invalid.hostname/container/blob",
+			wantErr: true,
+		},
+		{
+			name:    "Invalid URL - missing container",
+			urlStr:  "https://mystorageaccount.blob.core.windows.net/",
+			wantErr: true,
+		},
+		{
+			name:    "Invalid URL - empty path",
+			urlStr:  "https://mystorageaccount.blob.core.windows.net",
+			wantErr: true,
+		},
+		{
+			name:    "Invalid URL - unparseable",
+			urlStr:  "not-a-url",
+			wantErr: true,
+		},
+		{
+			name:    "Invalid URL - scheme missing",
+			urlStr:  "mystorageaccount.blob.core.windows.net/container",
+			wantErr: true,
+		},
+		{
+			name:                   "Valid URL with query parameters",
+			urlStr:                 "https://mystorageaccount.blob.core.windows.net/mycontainer/myblob.txt?sv=2021-06-08",
+			wantStorageAccountName: "mystorageaccount",
+			wantContainerName:      "mycontainer",
+			wantBlobName:           "myblob.txt",
+			wantErr:                false,
+		},
+		{
+			name:                   "Valid URL with special characters in blob name",
+			urlStr:                 "https://mystorageaccount.blob.core.windows.net/mycontainer/my-blob_file.2023.txt",
+			wantStorageAccountName: "mystorageaccount",
+			wantContainerName:      "mycontainer",
+			wantBlobName:           "my-blob_file.2023.txt",
+			wantErr:                false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotStorageAccountName, gotContainerName, gotBlobName, err := ParseAzureBlobStorageURL(tt.urlStr)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("ParseAzureBlobStorageURL() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !tt.wantErr {
+				if gotStorageAccountName != tt.wantStorageAccountName {
+					t.Errorf("ParseAzureBlobStorageURL() gotStorageAccountName = %v, want %v", gotStorageAccountName, tt.wantStorageAccountName)
+				}
+				if gotContainerName != tt.wantContainerName {
+					t.Errorf("ParseAzureBlobStorageURL() gotContainerName = %v, want %v", gotContainerName, tt.wantContainerName)
+				}
+				if gotBlobName != tt.wantBlobName {
+					t.Errorf("ParseAzureBlobStorageURL() gotBlobName = %v, want %v", gotBlobName, tt.wantBlobName)
+				}
+			}
+		})
+	}
+}