Implemented custom Azure CLI token authorizer (#282)

nfx · web-flow · commit 1391821666ef · 2020-08-31T12:25:18.000+02:00
* Implemented custom Azure CLI token authorizer * Refresh behavior is triggering approximately every 4 minutes. * Fixes #275 * Updated documentation and linux az cli mock Co-authored-by: Serge Smertin <serge.smertin@databricks.com>
diff --git a/.github/ISSUE_TEMPLATE/provider-issue.md b/.github/ISSUE_TEMPLATE/provider-issue.md
@@ -19,7 +19,11 @@ Please list the resources as a list, for example:
 
 If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.
 
-### Terraform Configuration Files & Environment Variable Names
+### Environment variable names
+To get relevant environment variable _names_ please copypaste the output of the following command:
+`$ env | sort | grep -E 'DATABRICKS|AWS|AZURE|ARM|TEST' | awk -F= '{print $1}'`
+
+### Terraform Configuration Files
 ```hcl
 # Copy-paste your Terraform configurations here - for large Terraform configs,
 # please use a service like Dropbox and share a link to the ZIP file. For
diff --git a/Makefile b/Makefile
@@ -45,15 +45,15 @@ vendor:
 
 test-azcli:
 	@echo "✓ Running Terraform Acceptance Tests for Azure..."
-	@/bin/bash scripts/run.sh azcli '^(TestAcc|TestAzureAcc)' --debug
+	@/bin/bash scripts/run.sh azcli '^(TestAcc|TestAzureAcc)' --debug --tee
 
 test-azsp:
 	@echo "✓ Running Terraform Acceptance Tests for Azure..."
-	@/bin/bash scripts/run.sh azsp '^(TestAcc|TestAzureAcc)' --debug
+	@/bin/bash scripts/run.sh azsp '^(TestAcc|TestAzureAcc)' --debug --tee
 
 test-mws:
 	@echo "✓ Running acceptance Tests for Multiple Workspace APIs on AWS..."
-	@/bin/bash scripts/run.sh mws '^TestMwsAcc' --debug
+	@/bin/bash scripts/run.sh mws '^TestMwsAcc' --debug --tee
 
 test-awsst:
 	@echo "✓ Running Terraform Acceptance Tests for AWS ST..."
diff --git a/common/azure_auth.go b/common/azure_auth.go
@@ -13,7 +13,6 @@ import (
 	"github.com/Azure/go-autorest/autorest/adal"
 	"github.com/Azure/go-autorest/autorest/azure"
 	"github.com/Azure/go-autorest/autorest/azure/auth"
-	"github.com/Azure/go-autorest/autorest/azure/cli"
 )
 
 // List of management information
@@ -128,37 +127,6 @@ func (aa *AzureAuth) addSpManagementTokenVisitor(r *http.Request, management aut
 	return nil
 }
 
-func (aa *AzureAuth) configureWithAzureCLI() (func(r *http.Request) error, error) {
-	if aa.resourceID() == "" {
-		return nil, nil
-	}
-	if aa.IsClientSecretSet() {
-		return nil, nil
-	}
-	// verify that Azure CLI is authenticated
-	_, err := cli.GetTokenFromCLI(AzureDatabricksResourceID)
-	if err != nil {
-		if err.Error() == "Invoking Azure CLI failed with the following error: " {
-			return nil, fmt.Errorf("Most likely Azure CLI is not installed. " +
-				"See https://docs.microsoft.com/en-us/cli/azure/?view=azure-cli-latest for details.")
-		}
-		return nil, err
-	}
-	if aa.UsePATForCLI {
-		log.Printf("[INFO] Using Azure CLI authentication with session-generated PAT")
-		return func(r *http.Request) error {
-			pat, err := aa.acquirePAT(auth.NewAuthorizerFromCLIWithResource)
-			if err != nil {
-				return err
-			}
-			r.Header.Set("Authorization", fmt.Sprintf("Bearer %s", pat.TokenValue))
-			return nil
-		}, nil
-	}
-	log.Printf("[INFO] Using Azure CLI authentication with AAD tokens")
-	return aa.simpleAADRequestVisitor(auth.NewAuthorizerFromCLIWithResource)
-}
-
 // go nolint
 func (aa *AzureAuth) simpleAADRequestVisitor(
 	authorizerFactory func(resource string) (autorest.Authorizer, error),
diff --git a/common/azure_cli_auth.go b/common/azure_cli_auth.go
@@ -0,0 +1,130 @@
+package common
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log"
+	"net/http"
+	"os/exec"
+	"sync"
+	"time"
+
+	"github.com/Azure/go-autorest/autorest"
+	"github.com/Azure/go-autorest/autorest/adal"
+	"github.com/Azure/go-autorest/autorest/azure/cli"
+)
+
+type refreshableCliToken struct {
+	resource       string
+	token          *adal.Token
+	lock           *sync.RWMutex
+	refreshMinutes int
+}
+
+// OAuthToken implements adal.OAuthTokenProvider
+func (rct *refreshableCliToken) OAuthToken() string {
+	if rct == nil {
+		return ""
+	}
+	if rct.token == nil {
+		return ""
+	}
+	return rct.token.OAuthToken()
+}
+
+// EnsureFreshWithContext implements adal.RefresherWithContext
+func (rct *refreshableCliToken) EnsureFreshWithContext(ctx context.Context) error {
+	refreshInterval := time.Duration(rct.refreshMinutes) * time.Minute
+	if !rct.token.WillExpireIn(refreshInterval) {
+		return nil
+	}
+	rct.lock.Lock()
+	defer rct.lock.Unlock()
+	if !rct.token.WillExpireIn(refreshInterval) {
+		return nil
+	}
+	return rct.refreshInternal(rct.resource)
+}
+
+// RefreshWithContext implements adal.RefresherWithContext
+func (rct *refreshableCliToken) RefreshWithContext(ctx context.Context) error {
+	rct.lock.Lock()
+	defer rct.lock.Unlock()
+	return rct.refreshInternal(rct.resource)
+}
+
+// RefreshExchangeWithContext implements adal.RefresherWithContext
+func (rct *refreshableCliToken) RefreshExchangeWithContext(ctx context.Context, resource string) error {
+	rct.lock.Lock()
+	defer rct.lock.Unlock()
+	return rct.refreshInternal(rct.resource)
+}
+
+func (rct *refreshableCliToken) refreshInternal(resource string) (err error) {
+	out, err := exec.Command("az", "account", "get-access-token", "--resource", resource).Output()
+	if ee, ok := err.(*exec.ExitError); ok {
+		err = fmt.Errorf("Cannot get access token: %s", string(ee.Stderr))
+		return
+	}
+	if err != nil {
+		err = fmt.Errorf("Cannot get access token: %v", err)
+		return
+	}
+	var cliToken cli.Token
+	err = json.Unmarshal(out, &cliToken)
+	if err != nil {
+		return
+	}
+	token, err := cliToken.ToADALToken()
+	if err != nil {
+		return err
+	}
+	log.Printf("[INFO] Refreshed OAuth token for %s from Azure CLI, which expires on %s", resource, cliToken.ExpiresOn)
+	rct.token = &token
+	return
+}
+
+func (aa *AzureAuth) cliAuthorizer(resource string) (autorest.Authorizer, error) {
+	rct := refreshableCliToken{
+		lock:           &sync.RWMutex{},
+		resource:       resource,
+		refreshMinutes: 6,
+	}
+	err := rct.refreshInternal(resource)
+	if err != nil {
+		return nil, err
+	}
+	return autorest.NewBearerAuthorizer(&rct), nil
+}
+
+func (aa *AzureAuth) configureWithAzureCLI() (func(r *http.Request) error, error) {
+	if aa.resourceID() == "" {
+		return nil, nil
+	}
+	if aa.IsClientSecretSet() {
+		return nil, nil
+	}
+	// verify that Azure CLI is authenticated
+	_, err := cli.GetTokenFromCLI(AzureDatabricksResourceID)
+	if err != nil {
+		if err.Error() == "Invoking Azure CLI failed with the following error: " {
+			return nil, fmt.Errorf("Most likely Azure CLI is not installed. " +
+				"See https://docs.microsoft.com/en-us/cli/azure/?view=azure-cli-latest for details.")
+		}
+		return nil, err
+	}
+	if aa.UsePATForCLI {
+		log.Printf("[INFO] Using Azure CLI authentication with session-generated PAT")
+		return func(r *http.Request) error {
+			pat, err := aa.acquirePAT(aa.cliAuthorizer)
+			if err != nil {
+				return err
+			}
+			r.Header.Set("Authorization", fmt.Sprintf("Bearer %s", pat.TokenValue))
+			return nil
+		}, nil
+	}
+	log.Printf("[INFO] Using Azure CLI authentication with AAD tokens")
+	return aa.simpleAADRequestVisitor(aa.cliAuthorizer)
+}
diff --git a/common/azure_cli_auth_test.go b/common/azure_cli_auth_test.go
@@ -0,0 +1,58 @@
+package common
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAzureCliAuth(t *testing.T) {
+	defer CleanupEnvironment()()
+	os.Setenv("PATH", "testdata:/bin")
+	// fake expiration date for az mock cli
+	os.Setenv("EXPIRE", "15M")
+
+	cnt := []int{0}
+	server := httptest.NewServer(http.HandlerFunc(
+		func(rw http.ResponseWriter, req *http.Request) {
+			cnt[0]++
+			if req.RequestURI == "/api/2.0/clusters/list-zones" {
+				assert.Equal(t, "Bearer ...", req.Header.Get("Authorization"))
+				_, err := rw.Write([]byte(`{"zones": ["a", "b", "c"]}`))
+				assert.NoError(t, err)
+				return
+			}
+			assert.Fail(t, fmt.Sprintf("Received unexpected call: %s %s",
+				req.Method, req.RequestURI))
+		}))
+	defer server.Close()
+
+	client := DatabricksClient{
+		Host: server.URL,
+		AzureAuth: AzureAuth{
+			ResourceID: "/a/b/c",
+		},
+		InsecureSkipVerify: true,
+	}
+	err := client.Configure()
+	assert.NoError(t, err)
+
+	type ZonesInfo struct {
+		Zones       []string `json:"zones,omitempty"`
+		DefaultZone string   `json:"default_zone,omitempty"`
+	}
+	var zi ZonesInfo
+	err = client.Get("/clusters/list-zones", nil, &zi)
+	assert.NoError(t, err)
+	assert.NotNil(t, zi)
+	assert.Len(t, zi.Zones, 3)
+
+	err = client.Get("/clusters/list-zones", nil, &zi)
+	assert.NoError(t, err)
+
+	assert.Equal(t, 2, cnt[0], "There should be only one HTTP call")
+}
diff --git a/common/testdata/az b/common/testdata/az
@@ -5,11 +5,19 @@ if [ "yes" == "$FAIL" ]; then
     exit 1
 fi
 
+# Macos
+EXP="$(date -v+${EXPIRE:=10S} +'%F %T' 2>/dev/null)"
+if [ "" = "${EXP}" ]; then
+  # Linux
+  EXPIRE=$(echo $EXPIRE | sed 's/S/seconds/')
+  EXPIRE=$(echo $EXPIRE | sed 's/M/minutes/')
+  EXP=$(date --date=+${EXPIRE:=10seconds} +'%F %T')
+fi
 
-echo '{
-  "accessToken": "...",
-  "expiresOn": "2020-08-20 11:02:42.634058",
-  "subscription": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
-  "tenant": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
-  "tokenType": "Bearer"
-}'
+echo "{
+  \"accessToken\": \"...\",
+  \"expiresOn\": \"${EXP}\",
+  \"subscription\": \"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",
+  \"tenant\": \"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",
+  \"tokenType\": \"Bearer\"
+}"
diff --git a/docs/index.md b/docs/index.md
@@ -113,13 +113,11 @@ environment variable `DATABRICKS_TOKEN`.
 
 ## Special configurations for Azure
 
-!> **Warning** Please note that the azure service principal authentication currently uses a generated Databricks PAT token and not a AAD token for the authentication. This is due to the Databricks AAD feature not yet supporting AAD tokens for secret scopes. This will be refactored in a transparent manner when that support is enabled. The only field to be impacted is `pat_token_duration_seconds` which will be deprecated and after AAD support is fully supported. 
-
 In order to work with Azure Databricks workspace, provider has to know it's `id` (or construct it from `azure_subscription_id`, `azure_workspace_name` and `azure_workspace_name`). Provider works with [Azure CLI authentication](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli?view=azure-cli-latest) to facilitate local development workflows, though for automated scenarios a service principal auth is necessary (and specification of `azure_client_id`, `azure_client_secret` and `azure_tenant_id` parameters).
 
 ### Authenticating with Azure Service Principal
 
--> **Note** **Azure Service Principal Authentication** will only work on Azure Databricks where as the API Token authentication will work on both **Azure** and **AWS**. Internally `azure_auth` will generate a session-based PAT token.
+!> **Warning** Please note that the azure service principal authentication currently uses a generated Databricks PAT token and not a AAD token for the authentication. This is due to the Databricks AAD feature not yet supporting AAD tokens for [secret scopes](https://docs.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/secrets#--create-secret-scope). This will be refactored in a transparent manner when that support is available. The only field to be impacted is `pat_token_duration_seconds` which will be deprecated and after AAD support is fully supported. 
 
 ```hcl
 provider "azurerm" {
@@ -129,15 +127,15 @@ provider "azurerm" {
   subscription_id   = var.subscription_id
 }
 
-resource "azurerm_databricks_workspace" "demo_test_workspace" {
+resource "azurerm_databricks_workspace" "this" {
   location                      = "centralus"
   name                          = "my-workspace-name"
   resource_group_name           = var.resource_group
   sku                           = "premium"
 }
 
 provider "databricks" {
-  azure_workspace_resource_id = azurerm_databricks_workspace.demo_test_workspace.id
+  azure_workspace_resource_id = azurerm_databricks_workspace.this.id
   azure_client_id             = var.client_id
   azure_client_secret         = var.client_secret
   azure_tenant_id             = var.tenant_id
@@ -151,22 +149,22 @@ resource "databricks_scim_user" "my-user" {
 
 ### Authenticating with Azure CLI
 
--> **Note** **Azure Service Principal Authentication** will only work on Azure Databricks where as the API Token authentication will work on both **Azure** and **AWS**. Internally `azure_auth` will generate a session-based PAT token.
+It's possible to use _experimental_ [Azure CLI](https://docs.microsoft.com/cli/azure/) authentication, where provider would rely on access token cached by `az login` command, so that local development scenarios are possible. Technically, provider will call `az account get-access-token` each time before an access token is about to expire. It is [verified to work](https://github.com/databrickslabs/terraform-provider-databricks/pull/282) with all API and is enabled by default. It could be turned off by setting `azure_use_pat_for_cli` to `true` on provider configuration.
 
 ```hcl
 provider "azurerm" {
   features {}
 }
 
-resource "azurerm_databricks_workspace" "demo_test_workspace" {
+resource "azurerm_databricks_workspace" "this" {
   location                      = "centralus"
   name                          = "my-workspace-name"
   resource_group_name           = var.resource_group
   sku                           = "premium"
 }
 
 provider "databricks" {
-  azure_workspace_resource_id = azurerm_databricks_workspace.demo_test_workspace.id
+  azure_workspace_resource_id = azurerm_databricks_workspace.this.id
 }
 
 resource "databricks_scim_user" "my-user" {
diff --git a/provider/provider.go b/provider/provider.go
@@ -217,7 +217,7 @@ func DatabricksProvider() terraform.ResourceProvider {
 			"azure_use_pat_for_cli": {
 				Type:        schema.TypeBool,
 				Optional:    true,
-				Default:     true,
+				Default:     false,
 				Description: "Create ephemeral PAT tokens also for AZ CLI authenticated requests",
 			},
 			"azure_auth": {
