Identity Provider - Core Interface

Author: ndyakov

identity/authority_configuration.go

@@ -0,0 +1,59 @@
+package identity
+
+import "fmt"
+
+const (
+	// AuthorityTypeDefault is the default authority type.
+	// This is used to specify the authority type when requesting a token.
+	AuthorityTypeDefault = "default"
+	// AuthorityTypeMultiTenant is the multi-tenant authority type.
+	// This is used to specify the multi-tenant authority type when requesting a token.
+	// This type of authority is used to authenticate the identity when requesting a token.
+	AuthorityTypeMultiTenant = "multi-tenant"
+	// AuthorityTypeCustom is the custom authority type.
+	// This is used to specify the custom authority type when requesting a token.
+	AuthorityTypeCustom = "custom"
+)
+
+// AuthorityConfiguration represents the authority configuration for the identity provider.
+// It is used to configure the authority type and authority URL when requesting a token.
+type AuthorityConfiguration struct {
+	// AuthorityType is the type of authority used to authenticate with the identity provider.
+	// This can be either "default", "multi-tenant", or "custom".
+	AuthorityType string
+
+	// Authority is the authority used to authenticate with the identity provider.
+	// This is typically the URL of the identity provider.
+	// For example, "https://login.microsoftonline.com/{tenantID}/v2.0"
+	Authority string
+
+	// TenantID is the tenant ID of the identity provider.
+	// This is used to identify the tenant when requesting a token.
+	// This is typically the ID of the Azure Active Directory tenant.
+	TenantID string
+}
+
+// getAuthority returns the authority URL based on the authority type.
+// The authority type can be either "default", "multi-tenant", or "custom".
+func (a AuthorityConfiguration) getAuthority() (string, error) {
+	if a.AuthorityType == "" {
+		a.AuthorityType = AuthorityTypeDefault
+	}
+
+	switch a.AuthorityType {
+	case AuthorityTypeDefault:
+		return "https://login.microsoftonline.com/common", nil
+	case AuthorityTypeMultiTenant:
+		if a.TenantID == "" {
+			return "", fmt.Errorf("tenant ID is required when using multi-tenant authority type")
+		}
+		return fmt.Sprintf("https://login.microsoftonline.com/%s", a.TenantID), nil
+	case AuthorityTypeCustom:
+		if a.Authority == "" {
+			return "", fmt.Errorf("authority is required when using custom authority type")
+		}
+		return a.Authority, nil
+	default:
+		return "", fmt.Errorf("invalid authority type: %s", a.AuthorityType)
+	}
+}

identity/authority_configuration_test.go

@@ -0,0 +1,160 @@
+package identity
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAuthorityConfiguration(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		name          string
+		authorityType string
+		tenantID      string
+		authority     string
+		expected      string
+		expectError   bool
+	}{
+		{
+			name:          "Default Authority",
+			authorityType: AuthorityTypeDefault,
+			expected:      "https://login.microsoftonline.com/common",
+			expectError:   false,
+		},
+		{
+			name:          "Multi-Tenant Authority",
+			authorityType: AuthorityTypeMultiTenant,
+			tenantID:      "12345",
+			expected:      "https://login.microsoftonline.com/12345",
+			expectError:   false,
+		},
+		{
+			name:          "Custom Authority",
+			authorityType: AuthorityTypeCustom,
+			authority:     "https://custom-authority.com",
+			expected:      "https://custom-authority.com",
+			expectError:   false,
+		},
+		{
+			name:          "Invalid Authority Type",
+			authorityType: "invalid",
+			expectError:   true,
+		},
+		{
+			name:          "Missing Tenant ID for Multi-Tenant",
+			authorityType: AuthorityTypeMultiTenant,
+			expectError:   true,
+		},
+		{
+			name:          "Missing Authority for Custom",
+			authorityType: AuthorityTypeCustom,
+			expectError:   true,
+		},
+		{
+			name:          "Default Authority Type with Tenant ID",
+			authorityType: AuthorityTypeDefault,
+			tenantID:      "12345",
+			expected:      "https://login.microsoftonline.com/common",
+			expectError:   false,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			ac := AuthorityConfiguration{
+				AuthorityType: test.authorityType,
+				TenantID:      test.tenantID,
+				Authority:     test.authority,
+			}
+			result, err := ac.getAuthority()
+			if test.expectError {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, test.expected, result)
+			}
+		})
+	}
+}
+
+func TestAuthorityConfigurationDefault(t *testing.T) {
+	t.Parallel()
+	ac := AuthorityConfiguration{}
+	result, err := ac.getAuthority()
+	assert.NoError(t, err)
+	assert.Equal(t, "https://login.microsoftonline.com/common", result)
+}
+
+func TestAuthorityConfigurationMultiTenant(t *testing.T) {
+	t.Parallel()
+	ac := AuthorityConfiguration{
+		AuthorityType: AuthorityTypeMultiTenant,
+		TenantID:      "12345",
+	}
+	result, err := ac.getAuthority()
+	assert.NoError(t, err)
+	assert.Equal(t, "https://login.microsoftonline.com/12345", result)
+}
+
+func TestAuthorityConfigurationCustom(t *testing.T) {
+	t.Parallel()
+	ac := AuthorityConfiguration{
+		AuthorityType: AuthorityTypeCustom,
+		Authority:     "https://custom-authority.com",
+	}
+	result, err := ac.getAuthority()
+	assert.NoError(t, err)
+	assert.Equal(t, "https://custom-authority.com", result)
+}
+
+func TestAuthorityConfigurationInvalid(t *testing.T) {
+	t.Parallel()
+	ac := AuthorityConfiguration{
+		AuthorityType: "invalid",
+	}
+	result, err := ac.getAuthority()
+	assert.Error(t, err)
+	assert.Equal(t, "", result)
+}
+
+func TestAuthorityConfigurationMissingTenantID(t *testing.T) {
+	t.Parallel()
+	ac := AuthorityConfiguration{
+		AuthorityType: AuthorityTypeMultiTenant,
+	}
+	result, err := ac.getAuthority()
+	assert.Error(t, err)
+	assert.Equal(t, "", result)
+}
+
+func TestAuthorityConfigurationMissingAuthority(t *testing.T) {
+	t.Parallel()
+	ac := AuthorityConfiguration{
+		AuthorityType: AuthorityTypeCustom,
+	}
+	result, err := ac.getAuthority()
+	assert.Error(t, err)
+	assert.Equal(t, "", result)
+}
+
+func TestAuthorityConfigurationDefaultAuthorityType(t *testing.T) {
+	t.Parallel()
+	ac := AuthorityConfiguration{
+		TenantID: "12345",
+	}
+	result, err := ac.getAuthority()
+	assert.NoError(t, err)
+	assert.Equal(t, "https://login.microsoftonline.com/common", result)
+}
+
+func TestAuthorityConfigurationDefaultAuthorityTypeWithTenantID(t *testing.T) {
+	t.Parallel()
+	ac := AuthorityConfiguration{
+		AuthorityType: AuthorityTypeDefault,
+		TenantID:      "12345",
+	}
+	result, err := ac.getAuthority()
+	assert.NoError(t, err)
+	assert.Equal(t, "https://login.microsoftonline.com/common", result)
+}

identity/azure_default_identity_provider.go

@@ -0,0 +1,77 @@
+package identity
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/redis-developer/go-redis-entraid/shared"
+)
+
+// DefaultAzureIdentityProviderOptions represents the options for the DefaultAzureIdentityProvider.
+type DefaultAzureIdentityProviderOptions struct {
+	// AzureOptions is the options used to configure the Azure identity provider.
+	AzureOptions *azidentity.DefaultAzureCredentialOptions
+	// Scopes is the list of scopes used to request a token from the identity provider.
+	Scopes []string
+
+	// credFactory is a factory for creating the default Azure credential.
+	// This is used for testing purposes, to allow mocking the credential creation.
+	// If not provided, the default implementation - azidentity.NewDefaultAzureCredential will be used
+	credFactory credFactory
+}
+
+type credFactory interface {
+	NewDefaultAzureCredential(options *azidentity.DefaultAzureCredentialOptions) (azureCredential, error)
+}
+
+type azureCredential interface {
+	GetToken(ctx context.Context, options policy.TokenRequestOptions) (azcore.AccessToken, error)
+}
+
+type defaultCredFactory struct{}
+
+func (d *defaultCredFactory) NewDefaultAzureCredential(options *azidentity.DefaultAzureCredentialOptions) (azureCredential, error) {
+	return azidentity.NewDefaultAzureCredential(options)
+}
+
+type DefaultAzureIdentityProvider struct {
+	options     *azidentity.DefaultAzureCredentialOptions
+	credFactory credFactory
+	scopes      []string
+}
+
+// NewDefaultAzureIdentityProvider creates a new DefaultAzureIdentityProvider.
+func NewDefaultAzureIdentityProvider(opts DefaultAzureIdentityProviderOptions) (*DefaultAzureIdentityProvider, error) {
+	if opts.Scopes == nil {
+		opts.Scopes = []string{RedisScopeDefault}
+	}
+
+	return &DefaultAzureIdentityProvider{
+		options:     opts.AzureOptions,
+		scopes:      opts.Scopes,
+		credFactory: opts.credFactory,
+	}, nil
+}
+
+// RequestToken requests a token from the Azure Default Identity provider.
+// It returns the token, the expiration time, and an error if any.
+func (a *DefaultAzureIdentityProvider) RequestToken() (shared.IdentityProviderResponse, error) {
+	credFactory := a.credFactory
+	if credFactory == nil {
+		credFactory = &defaultCredFactory{}
+	}
+	cred, err := credFactory.NewDefaultAzureCredential(a.options)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create default azure credential: %w", err)
+	}
+
+	token, err := cred.GetToken(context.TODO(), policy.TokenRequestOptions{Scopes: a.scopes})
+	if err != nil {
+		return nil, fmt.Errorf("failed to get token: %w", err)
+	}
+
+	return shared.NewIDPResponse(shared.ResponseTypeAccessToken, &token)
+}