Merge pull request #2 from drone-plugins/aad_auth

Add support for AAD auth

Author: rutvijmehta-harness

.drone.yml

@@ -12,7 +12,7 @@ platform:
 
 steps:
   - name: vet
-    image: golang:1.17
+    image: golang:1.20
     commands:
       - go vet ./...
     environment:
@@ -43,7 +43,7 @@ pool:
 steps:
   - name: build
     pull: always
-    image: golang:1.19
+    image: golang:1.20
     commands:
       - GOOS=linux   GOARCH=amd64   go build -ldflags "-s -w" -a -tags netgo -o release/drone-buildx-acr-linux-amd64 ./cmd/drone-buildx-acr
       - GOOS=linux   GOARCH=arm64   go build -ldflags "-s -w" -a -tags netgo -o release/drone-buildx-acr-linux-arm64 ./cmd/drone-buildx-acr

cmd/drone-buildx-acr/main.go

@@ -1,15 +1,39 @@
 package main
 
 import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
 	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
 	"os"
 	"strings"
 
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/joho/godotenv"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 
 	docker "github.com/drone-plugins/drone-buildx"
 )
 
+const (
+	acrCertPath              = "/tmp/acr-cert.pem"
+	azSubscriptionApiVersion = "2021-04-01"
+	azSubscriptionBaseUrl    = "https://management.azure.com/subscriptions/"
+	basePublicUrl            = "https://portal.azure.com/#view/Microsoft_Azure_ContainerRegistries/TagMetadataBlade/registryId/"
+	defaultUsername          = "00000000-0000-0000-0000-000000000000"
+
+	// Environment variable names for Azure Environment Credential
+	clientIdEnv        = "AZURE_CLIENT_ID"
+	clientSecretKeyEnv = "AZURE_CLIENT_SECRET"
+	tenantKeyEnv       = "AZURE_TENANT_ID"
+	certPathEnv        = "AZURE_CLIENT_CERTIFICATE_PATH"
+)
+
 func main() {
 	// Load env-file if it exists first
 	if env := os.Getenv("PLUGIN_ENV_FILE"); env != "" {
@@ -19,15 +43,37 @@ func main() {
 	var (
 		repo     = getenv("PLUGIN_REPO")
 		registry = getenv("PLUGIN_REGISTRY")
+
+		// If these credentials are provided, they will be directly used
+		// for docker login
 		username = getenv("SERVICE_PRINCIPAL_CLIENT_ID")
 		password = getenv("SERVICE_PRINCIPAL_CLIENT_SECRET")
+
+		// Service principal credentials
+		clientId       = getenv("CLIENT_ID")
+		clientSecret   = getenv("CLIENT_SECRET")
+		clientCert     = getenv("CLIENT_CERTIFICATE")
+		tenantId       = getenv("TENANT_ID")
+		subscriptionId = getenv("SUBSCRIPTION_ID")
+		publicUrl      = getenv("DAEMON_REGISTRY")
 	)
 
 	// default registry value
 	if registry == "" {
 		registry = "azurecr.io"
 	}
 
+	// Get auth if username and password is not specified
+	if username == "" && password == "" {
+		// docker login credentials are not provided
+		var err error
+		username = defaultUsername
+		password, publicUrl, err = getAuth(clientId, clientSecret, clientCert, tenantId, subscriptionId, registry)
+		if err != nil {
+			logrus.Fatal(err)
+		}
+	}
+
 	// must use the fully qualified repo name. If the
 	// repo name does not have the registry prefix we
 	// should prepend.
@@ -40,11 +86,167 @@ func main() {
 	os.Setenv("DOCKER_USERNAME", username)
 	os.Setenv("DOCKER_PASSWORD", password)
 	os.Setenv("PLUGIN_REGISTRY_TYPE", "ACR")
+	if publicUrl != "" {
+		// Set this env variable if public URL for artifact is available
+		// If not, we will fall back to registry url
+		os.Setenv("ARTIFACT_REGISTRY", publicUrl)
+	}
 
 	// invoke the base docker plugin binary
 	docker.Run()
 }
 
+func getAuth(clientId, clientSecret, clientCert, tenantId, subscriptionId, registry string) (string, string, error) {
+	// Verify inputs
+	if tenantId == "" {
+		return "", "", fmt.Errorf("tenantId cannot be empty for AAD authentication")
+	}
+	if clientId == "" {
+		return "", "", fmt.Errorf("clientId cannot be empty for AAD authentication")
+	}
+	if clientSecret == "" && clientCert == "" {
+		return "", "", fmt.Errorf("one of client secret or client cert should be defined")
+	}
+
+	// Setup cert
+	if clientCert != "" {
+		err := setupACRCert(clientCert, acrCertPath)
+		if err != nil {
+			errors.Wrap(err, "failed to push setup cert file")
+		}
+	}
+
+	// Get AZ env
+	if err := os.Setenv(clientIdEnv, clientId); err != nil {
+		return "", "", errors.Wrap(err, "failed to set env variable client Id")
+	}
+	if err := os.Setenv(clientSecretKeyEnv, clientSecret); err != nil {
+		return "", "", errors.Wrap(err, "failed to set env variable client secret")
+	}
+	if err := os.Setenv(tenantKeyEnv, tenantId); err != nil {
+		return "", "", errors.Wrap(err, "failed to set env variable tenant Id")
+	}
+	if err := os.Setenv(certPathEnv, acrCertPath); err != nil {
+		return "", "", errors.Wrap(err, "failed to set env variable cert path")
+	}
+	env, err := azidentity.NewEnvironmentCredential(nil)
+	if err != nil {
+		return "", "", errors.Wrap(err, "failed to get env credentials from azure")
+	}
+	os.Unsetenv(clientIdEnv)
+	os.Unsetenv(clientSecretKeyEnv)
+	os.Unsetenv(tenantKeyEnv)
+	os.Unsetenv(certPathEnv)
+
+	// Fetch AAD token
+	policy := policy.TokenRequestOptions{
+		Scopes: []string{"https://management.azure.com/.default"},
+	}
+	aadToken, err := env.GetToken(context.Background(), policy)
+	if err != nil {
+		return "", "", errors.Wrap(err, "failed to fetch access token")
+	}
+
+	// Get public URL for artifacts
+	publicUrl, err := getPublicUrl(aadToken.Token, registry, subscriptionId)
+	if err != nil {
+		// execution should not fail because of this error
+		fmt.Fprintf(os.Stderr, "failed to get public url with error: %s\n", err)
+	}
+
+	// Fetch token
+	ACRToken, err := fetchACRToken(tenantId, aadToken.Token, registry)
+	if err != nil {
+		return "", "", errors.Wrap(err, "failed to fetch ACR token")
+	}
+	return ACRToken, publicUrl, nil
+}
+
+func fetchACRToken(tenantId, token, registry string) (string, error) {
+	// oauth exchange
+	formData := url.Values{
+		"grant_type":   {"access_token"},
+		"service":      {registry},
+		"tenant":       {tenantId},
+		"access_token": {token},
+	}
+	jsonResponse, err := http.PostForm(fmt.Sprintf("https://%s/oauth2/exchange", registry), formData)
+	if err != nil || jsonResponse == nil {
+		return "", errors.Wrap(err, "failed to fetch ACR token")
+	}
+
+	// fetch token from response
+	var response map[string]interface{}
+	err = json.NewDecoder(jsonResponse.Body).Decode(&response)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to decode oauth exchange response")
+	}
+
+	// Parse the refresh_token from the response
+	if t, found := response["refresh_token"]; found {
+		if refreshToken, ok := t.(string); ok {
+			return refreshToken, nil
+		}
+		return "", errors.New("failed to cast refresh token from acr")
+	}
+	return "", errors.Wrap(err, "refresh token not found in response of oauth exchange call")
+}
+
+func setupACRCert(cert, certPath string) error {
+	decoded, err := base64.StdEncoding.DecodeString(cert)
+	if err != nil {
+		return errors.Wrap(err, "failed to base64 decode ACR certificate")
+	}
+	err = ioutil.WriteFile(certPath, decoded, 0644)
+	if err != nil {
+		return errors.Wrap(err, "failed to write ACR certificate")
+	}
+	return nil
+}
+
+func getPublicUrl(token, registryUrl, subscriptionId string) (string, error) {
+	if len(subscriptionId) == 0 || registryUrl == "" {
+		return "", nil
+	}
+
+	registry := strings.Split(registryUrl, ".")[0]
+	filter := fmt.Sprintf("resourceType eq 'Microsoft.ContainerRegistry/registries' and name eq '%s'", registry)
+	params := url.Values{}
+	params.Add("$filter", filter)
+	params.Add("api-version", azSubscriptionApiVersion)
+	params.Add("$select", "id")
+	url := azSubscriptionBaseUrl + subscriptionId + "/resources?" + params.Encode()
+
+	client := &http.Client{}
+	req, err := http.NewRequest("GET", url, nil)
+	if err != nil {
+		fmt.Println(err)
+		return "", errors.Wrap(err, "failed to create request for getting container registry setting")
+	}
+
+	req.Header.Add("Authorization", "Bearer "+token)
+	res, err := client.Do(req)
+	if err != nil {
+		fmt.Println(err)
+		return "", errors.Wrap(err, "failed to send request for getting container registry setting")
+	}
+	defer res.Body.Close()
+
+	var response subscriptionUrlResponse
+	err = json.NewDecoder(res.Body).Decode(&response)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to send request for getting container registry setting")
+	}
+	if len(response.Value) == 0 {
+		return "", errors.New("no id present for base url")
+	}
+	return basePublicUrl + encodeParam(response.Value[0].ID), nil
+}
+
+func encodeParam(s string) string {
+	return url.QueryEscape(s)
+}
+
 func getenv(key ...string) (s string) {
 	for _, k := range key {
 		s = os.Getenv(k)
@@ -54,3 +256,9 @@ func getenv(key ...string) (s string) {
 	}
 	return
 }
+
+type subscriptionUrlResponse struct {
+	Value []struct {
+		ID string `json:"id"`
+	} `json:"value"`
+}

go.mod

@@ -1,19 +1,32 @@
 module github.com/drone-plugins/drone-buildx-acr
 
-go 1.19
+go 1.20
 
 require (
-	github.com/drone-plugins/drone-buildx v1.0.2-0.20230512061850-99d0da95877e
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1
+	github.com/drone-plugins/drone-buildx v1.0.3
 	github.com/joho/godotenv v1.5.1
+	github.com/pkg/errors v0.9.1
+	github.com/sirupsen/logrus v1.9.3
 )
 
 require (
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect
 	github.com/coreos/go-semver v0.3.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+	github.com/drone-plugins/drone-plugin-lib v0.4.1 // indirect
 	github.com/drone/drone-go v1.7.1 // indirect
+	github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
+	github.com/google/uuid v1.3.0 // indirect
 	github.com/inhies/go-bytesize v0.0.0-20210819104631-275770b98743 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/urfave/cli v1.22.2 // indirect
-	golang.org/x/sys v0.0.0-20220731174439-a90be440212d // indirect
+	golang.org/x/crypto v0.12.0 // indirect
+	golang.org/x/net v0.14.0 // indirect
+	golang.org/x/sys v0.11.0 // indirect
+	golang.org/x/text v0.12.0 // indirect
 )

go.sum

@@ -1,4 +1,12 @@
 github.com/99designs/httpsignatures-go v0.0.0-20170731043157-88528bf4ca7e/go.mod h1:Xa6lInWHNQnuWoF0YPSsx+INFA9qk7/7pTjwb3PInkY=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1 h1:/iHxaJhsFr0+xVFfbMr5vxz848jyiWuIEDhYq3y5odY=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 h1:LNHhpdK7hzUcx/k1LIcuh5k7k1LGIWLQfCjaneSj7Fc=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1/go.mod h1:uE9zaUfEQT/nbQjVi2IblCG9iaLtZsuYZ8ne+PuQ02M=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 h1:WpB/QDNLpMw72xHJc34BNNykqSOeEJDAWkhf0u12/Jk=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
@@ -8,16 +16,29 @@ github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/drone-plugins/drone-buildx v1.0.2-0.20230512061850-99d0da95877e h1:UVfB6v/wptaDtyfhEwxnUXViMfEiN97LudyfSeLw2hA=
-github.com/drone-plugins/drone-buildx v1.0.2-0.20230512061850-99d0da95877e/go.mod h1:2CEwXGujWoB9bBQqknU214yd/FJzUNDDHGlg9qb3M4c=
+github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
+github.com/drone-plugins/drone-buildx v1.0.3 h1:xaKX5yA0oUKM35EFnlAmHcrOKg9cmSJPKkdj3AMKyNo=
+github.com/drone-plugins/drone-buildx v1.0.3/go.mod h1:z4BaR8J5oF/yly5VPW0PU61XOmrqsZvb5kdarmmSmho=
+github.com/drone-plugins/drone-plugin-lib v0.4.1 h1:47rZlmcMpr1hSp+6Gl+1Z4t+efi/gMQU3lxukC1Yg64=
+github.com/drone-plugins/drone-plugin-lib v0.4.1/go.mod h1:KwCu92jFjHV3xv2hu5Qg/8zBNvGwbhoJDQw/EwnTvoM=
 github.com/drone/drone-go v1.7.1 h1:ZX+3Rs8YHUSUQ5mkuMLmm1zr1ttiiE2YGNxF3AnyDKw=
 github.com/drone/drone-go v1.7.1/go.mod h1:fxCf9jAnXDZV1yDr0ckTuWd1intvcQwfJmTRpTZ1mXg=
+github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
+github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/google/go-cmp v0.2.0 h1:+dTQ8DZQJz0Mb/HjFlkptS1FeQ4cWSnN941F8aEG4SQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/inhies/go-bytesize v0.0.0-20210819104631-275770b98743 h1:X3Xxno5Ji8idrNiUoFc7QyXpqhSYlDRYQmc7mlpMBzU=
 github.com/inhies/go-bytesize v0.0.0-20210819104631-275770b98743/go.mod h1:KrtyD5PFj++GKkFS/7/RRrfnRhAMGQwy75GLCHWrCNs=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
 github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU=
+github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
@@ -31,11 +52,18 @@ github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5Cc
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/urfave/cli v1.22.2 h1:gsqYFH8bb9ekPA12kRo0hfjngWQjkJPlN9R0N78BoUo=
 github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
+golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
+golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
+golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
+golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
+golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220731174439-a90be440212d h1:Sv5ogFZatcgIMMtBSTTAgMYsicp25MXBubjXNDKwm80=
-golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
+golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
+golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=