[Feature] Add credential provider for Azure Github OIDC (#307)

## Changes

This PR adds a `CredentialsProvider` to authenticate with Azure from a
Github action using OIDC. The implementation echoes the one in the Go
and Python SDKs.

## Tests

Most of the new code paths are covered by the test. Note that I'm adding
the `org.json` library to help building JSON object in a concise way.
The library is fairly mature and part of the Android SDK.

Author: renaudhartert-db

databricks-sdk-java/pom.xml

@@ -86,6 +86,11 @@
       <version>${mockito.version}</version>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.json</groupId>
+      <artifactId>json</artifactId>
+      <version>20240303</version>
+    </dependency>
     <!-- Google Auth Library -->
     <dependency>
       <groupId>com.google.auth</groupId>

databricks-sdk-java/src/main/java/com/databricks/sdk/core/DatabricksConfig.java

@@ -86,6 +86,12 @@ public class DatabricksConfig {
   @ConfigAttribute(env = "ARM_ENVIRONMENT")
   private String azureEnvironment;
 
+  @ConfigAttribute(env = "ACTIONS_ID_TOKEN_REQUEST_URL")
+  private String actionsIdTokenRequestUrl;
+
+  @ConfigAttribute(env = "ACTIONS_ID_TOKEN_REQUEST_TOKEN")
+  private String actionsIdTokenRequestToken;
+
   @ConfigAttribute(env = "DATABRICKS_CLI_PATH")
   private String databricksCliPath;
 
@@ -421,6 +427,24 @@ public DatabricksConfig setAzureEnvironment(String azureEnvironment) {
     return this;
   }
 
+  public String getActionsIdTokenRequestUrl() {
+    return actionsIdTokenRequestUrl;
+  }
+
+  public DatabricksConfig setActionsIdTokenRequestUrl(String url) {
+    this.actionsIdTokenRequestUrl = url;
+    return this;
+  }
+
+  public String getActionsIdTokenRequestToken() {
+    return actionsIdTokenRequestToken;
+  }
+
+  public DatabricksConfig setActionsIdTokenRequestToken(String token) {
+    this.actionsIdTokenRequestToken = token;
+    return this;
+  }
+
   public String getEffectiveAzureLoginAppId() {
     return getDatabricksEnvironment().getAzureApplicationId();
   }

databricks-sdk-java/src/main/java/com/databricks/sdk/core/DefaultCredentialsProvider.java

@@ -1,5 +1,6 @@
 package com.databricks.sdk.core;
 
+import com.databricks.sdk.core.oauth.AzureGithubOidcCredentialsProvider;
 import com.databricks.sdk.core.oauth.AzureServicePrincipalCredentialsProvider;
 import com.databricks.sdk.core.oauth.ExternalBrowserCredentialsProvider;
 import com.databricks.sdk.core.oauth.OAuthM2MServicePrincipalCredentialsProvider;
@@ -17,6 +18,7 @@ public class DefaultCredentialsProvider implements CredentialsProvider {
           PatCredentialsProvider.class,
           BasicCredentialsProvider.class,
           OAuthM2MServicePrincipalCredentialsProvider.class,
+          AzureGithubOidcCredentialsProvider.class,
           AzureServicePrincipalCredentialsProvider.class,
           AzureCliCredentialsProvider.class,
           ExternalBrowserCredentialsProvider.class,

databricks-sdk-java/src/main/java/com/databricks/sdk/core/http/Response.java

@@ -81,17 +81,21 @@ public Response(
     this(request, url, statusCode, status, headers, body, "\"<InputStream>\"");
   }
 
-  public Response(String body, URL url) {
+  public Response(String body, int statusCode, String status, URL url) {
     this(
         new Request("GET", "/"),
         url,
-        200,
-        "OK",
+        statusCode,
+        status,
         Collections.emptyMap(),
         new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)),
         body);
   }
 
+  public Response(String body, URL url) {
+    this(body, 200, "OK", url);
+  }
+
   private Response(
       Request request,
       URL url,

databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/AzureGithubOidcCredentialsProvider.java

@@ -0,0 +1,101 @@
+package com.databricks.sdk.core.oauth;
+
+import com.databricks.sdk.core.*;
+import com.databricks.sdk.core.http.Request;
+import com.databricks.sdk.core.http.Response;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Optional;
+
+/**
+ * {@code AzureGithubOidcCredentialsProvider} is a credentials provider for GitHub Actions that use
+ * an Azure Active Directory Federated Identity. It authenticates with Azure by exchanging GitHub's
+ * OIDC token for an Azure Active Directory (AAD) Service Principal OAuth token. This class handles
+ * the process of obtaining, refreshing, and attaching the necessary tokens to each HTTP request.
+ */
+public class AzureGithubOidcCredentialsProvider implements CredentialsProvider {
+  private final ObjectMapper mapper = new ObjectMapper();
+
+  @Override
+  public String authType() {
+    return "github-oidc-azure";
+  }
+
+  @Override
+  public HeaderFactory configure(DatabricksConfig config) {
+    if (!config.isAzure()
+        || config.getAzureClientId() == null
+        || config.getAzureTenantId() == null
+        || config.getHost() == null) {
+      return null;
+    }
+
+    Optional<String> idToken = requestIdToken(config);
+    if (!idToken.isPresent()) {
+      return null;
+    }
+
+    TokenSource tokenSource =
+        new OidcTokenSource(
+            config.getHttpClient(),
+            "",
+            config.getClientId(),
+            config.getEffectiveAzureLoginAppId(),
+            idToken.get(),
+            "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
+
+    return () -> {
+      Map<String, String> headers = new HashMap<>();
+      headers.put("Authorization", "Bearer " + tokenSource.getToken().getAccessToken());
+      return headers;
+    };
+  }
+
+  /**
+   * Requests an Azure access token using GitHub's OIDC token.
+   *
+   * @param config The DatabricksConfig instance containing the required authentication parameters.
+   * @return An optional Azure access token.
+   */
+  private Optional<String> requestIdToken(DatabricksConfig config) {
+    if (config.getActionsIdTokenRequestUrl() == null
+        || config.getActionsIdTokenRequestToken() == null) {
+      return Optional.empty();
+    }
+
+    String requestUrl =
+        config.getActionsIdTokenRequestUrl() + "&audience=api://AzureADTokenExchange";
+    Request req =
+        new Request("GET", requestUrl)
+            .withHeader("Authorization", "Bearer " + config.getActionsIdTokenRequestToken());
+
+    Response resp;
+    try {
+      resp = config.getHttpClient().execute(req);
+    } catch (IOException e) {
+      throw new DatabricksException(
+          "Failed to request ID token from " + requestUrl + ":" + e.getMessage(), e);
+    }
+
+    if (resp.getStatusCode() != 200) {
+      throw new DatabricksException(
+          "Failed to request ID token: status code "
+              + resp.getStatusCode()
+              + ", response body: "
+              + resp.getBody());
+    }
+
+    ObjectNode jsonResp;
+    try {
+      jsonResp = mapper.readValue(resp.getBody(), ObjectNode.class);
+    } catch (IOException e) {
+      throw new DatabricksException(
+          "Failed to request ID token: corrupted token: " + e.getMessage());
+    }
+
+    return Optional.ofNullable(jsonResp.get("value").textValue());
+  }
+}

databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/OidcTokenSource.java

@@ -0,0 +1,83 @@
+package com.databricks.sdk.core.oauth;
+
+import com.databricks.sdk.core.DatabricksException;
+import com.databricks.sdk.core.http.FormRequest;
+import com.databricks.sdk.core.http.HttpClient;
+import com.databricks.sdk.core.http.Response;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.base.Strings;
+import com.google.common.collect.ImmutableMap;
+import java.io.IOException;
+import java.time.LocalDateTime;
+
+/**
+ * {@code OidcTokenSource} is responsible for obtaining OAuth tokens using the OpenID Connect (OIDC)
+ * protocol. It communicates with an OAuth server to request access tokens using the client
+ * credentials grant type instead of a client secret.
+ */
+class OidcTokenSource extends RefreshableTokenSource {
+
+  private final HttpClient httpClient;
+  private final String tokenUrl;
+  private final ImmutableMap<String, String> params;
+
+  /**
+   * Constructs an {@code OidcTokenSource} with the specified parameters.
+   *
+   * @param httpClient The HttpClient used to make HTTP requests.
+   * @param tokenUrl The URL of the token endpoint.
+   * @param clientId The client ID for the OAuth application.
+   * @param resource The resource for which the token is requested.
+   * @param clientAssertion The client assertion used for authentication.
+   * @param clientAssertionType The type of the client assertion.
+   */
+  public OidcTokenSource(
+      HttpClient httpClient,
+      String tokenUrl,
+      String clientId,
+      String resource,
+      String clientAssertion,
+      String clientAssertionType) {
+    this.httpClient = httpClient;
+    this.tokenUrl = tokenUrl;
+
+    ImmutableMap.Builder<String, String> builder = new ImmutableMap.Builder<>();
+    putIfDefined(builder, "grant_type", "client_credentials");
+    putIfDefined(builder, "resource", resource);
+    putIfDefined(builder, "client_id", clientId);
+    putIfDefined(builder, "client_assertion_type", clientAssertionType);
+    putIfDefined(builder, "client_assertion", clientAssertion);
+    this.params = builder.build();
+  }
+
+  // Add the key-value pair to the builder iff the value is a non-empty string.
+  private static void putIfDefined(
+      ImmutableMap.Builder<String, String> builder, String key, String value) {
+    if (!Strings.isNullOrEmpty(value)) {
+      builder.put(key, value);
+    }
+  }
+
+  protected Token refresh() {
+    Response rawResp;
+    try {
+      rawResp = httpClient.execute(new FormRequest(tokenUrl, params));
+    } catch (IOException e) {
+      throw new DatabricksException("Failed to request auth token: " + e.getMessage(), e);
+    }
+
+    OAuthResponse resp;
+    try {
+      resp = new ObjectMapper().readValue(rawResp.getBody(), OAuthResponse.class);
+    } catch (IOException e) {
+      throw new DatabricksException(
+          "Failed to request auth token: corrupted token: " + e.getMessage());
+    }
+
+    if (resp.getErrorCode() != null) {
+      throw new IllegalArgumentException(resp.getErrorCode() + ": " + resp.getErrorSummary());
+    }
+    LocalDateTime expiry = LocalDateTime.now().plusSeconds(resp.getExpiresIn());
+    return new Token(resp.getAccessToken(), resp.getTokenType(), resp.getRefreshToken(), expiry);
+  }
+}