wip, idp basic abstraction

Author: ndyakov

confidential_identity_provider.go

@@ -0,0 +1,174 @@
+package entraid
+
+import (
+	"context"
+	"crypto"
+	"errors"
+	"fmt"
+	confidential "github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential"
+)
+
+import "crypto/x509"
+
+const (
+	// AuthorityTypeDefault is the default authority type.
+	// This is used to specify the authority type when requesting a token.
+	AuthorityTypeDefault = "default"
+	// AuthorityTypeMultiTenant is the multi-tenant authority type.
+	// This is used to specify the multi-tenant authority type when requesting a token.
+	// This type of authority is used to authenticate the identity when requesting a token.
+	AuthorityTypeMultiTenant = "multi-tenant"
+	// AuthorityTypeCustom is the custom authority type.
+	// This is used to specify the custom authority type when requesting a token.
+	AuthorityTypeCustom = "custom"
+)
+
+type AuthorityConfiguration struct {
+	// AuthorityType is the type of authority used to authenticate with the identity provider.
+	// This can be either "default", "multi-tenant", or "custom".
+	AuthorityType string
+
+	// Authority is the authority used to authenticate with the identity provider.
+	// This is typically the URL of the identity provider.
+	// For example, "https://login.microsoftonline.com/{tenantID}/v2.0"
+	Authority string
+
+	// TenantID is the tenant ID of the identity provider.
+	// This is used to identify the tenant when requesting a token.
+	// This is typically the ID of the Azure Active Directory tenant.
+	TenantID string
+}
+
+func (a AuthorityConfiguration) GetAuthority() (string, error) {
+	if a.AuthorityType == "" {
+		a.AuthorityType = AuthorityTypeDefault
+	}
+
+	switch a.AuthorityType {
+	case AuthorityTypeDefault:
+		return "https://login.microsoftonline.com/common", nil
+	case AuthorityTypeMultiTenant:
+		if a.TenantID == "" {
+			return "", errors.New("tenant ID is required when using multi-tenant authority type")
+		}
+		return fmt.Sprintf("https://login.microsoftonline.com/%s", a.TenantID), nil
+	case AuthorityTypeCustom:
+		if a.Authority == "" {
+			return "", errors.New("authority is required when using custom authority type")
+		}
+		return a.Authority, nil
+	default:
+		return "", errors.New("invalid authority type")
+	}
+}
+
+type ConfidentialIdentityProvider struct {
+	// clientID is the client ID used to authenticate with the identity provider.
+	clientID string
+
+	// credential is the credential used to authenticate with the identity provider.
+	credential confidential.Credential
+
+	// scopes is the list of scopes used to request a token from the identity provider.
+	scopes []string
+
+	// client confidential is the client used to request a token from the identity provider.
+	client *confidential.Client
+}
+
+type ConfidentialIdentityProviderOptions struct {
+	// ClientID is the client ID used to authenticate with the identity provider.
+	ClientID string
+
+	// CredentialsType is the type of credentials used to authenticate with the identity provider.
+	// This can be either "ClientSecret" or "ClientCertificate".
+	CredentialsType string
+
+	// ClientSecret is the client secret used to authenticate with the identity provider.
+	ClientSecret string
+
+	// ClientCert is the client certificate used to authenticate with the identity provider.
+	ClientCert []*x509.Certificate
+	// ClientPrivateKey is the private key used to authenticate with the identity provider.
+	ClientPrivateKey crypto.PrivateKey
+
+	// Scopes is the list of scopes used to request a token from the identity provider.
+	Scopes []string
+
+	// Authority is the authority used to authenticate with the identity provider.
+	Authority AuthorityConfiguration
+}
+
+func NewConfidentialIdentityProvider(opts ConfidentialIdentityProviderOptions) (*ConfidentialIdentityProvider, error) {
+	var credential confidential.Credential
+	var authority string
+	var err error
+
+	if opts.ClientID == "" {
+		return nil, errors.New("client ID is required")
+	}
+
+	if opts.CredentialsType != ClientSecretCredentialType && opts.CredentialsType != ClientCertificateCredentialType {
+		return nil, errors.New("invalid credentials type")
+	}
+
+	// Get the authority from the authority configuration.
+	authority, err = opts.Authority.GetAuthority()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get authority: %w", err)
+	}
+
+	switch opts.CredentialsType {
+	case ClientSecretCredentialType:
+		// ClientSecretCredentialType is the type of credentials that uses a client secret to authenticate.
+		if opts.ClientSecret == "" {
+			return nil, errors.New("client secret is required when using client secret credentials")
+		}
+
+		credential, err = confidential.NewCredFromSecret(opts.ClientSecret)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create client secret credential: %w", err)
+		}
+	case ClientCertificateCredentialType:
+		// ClientCertificateCredentialType is the type of credentials that uses a client certificate to authenticate.
+		if opts.ClientCert == nil {
+			return nil, errors.New("client certificate is required when using client certificate credentials")
+		}
+		if opts.ClientPrivateKey == nil {
+			return nil, errors.New("client private key is required when using client certificate credentials")
+		}
+		credential, err = confidential.NewCredFromCert(opts.ClientCert, opts.ClientPrivateKey)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create client certificate credential: %w", err)
+		}
+	}
+
+	client, err := confidential.New(authority, opts.ClientID, credential)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create client: %w", err)
+	}
+
+	if opts.Scopes == nil {
+		opts.Scopes = []string{RedisScopeDefault}
+	}
+
+	return &ConfidentialIdentityProvider{
+		clientID:   opts.ClientID,
+		credential: credential,
+		scopes:     opts.Scopes,
+		client:     &client,
+	}, nil
+}
+
+func (c *ConfidentialIdentityProvider) RequestToken() (string, error) {
+	if c.client == nil {
+		return "", errors.New("client is not initialized")
+	}
+
+	result, err := c.client.AcquireTokenByCredential(context.TODO(), c.scopes)
+	if err != nil {
+		return "", fmt.Errorf("failed to acquire token: %w", err)
+	}
+
+	return result.AccessToken, nil
+}

credentials_provider.go

@@ -93,24 +93,6 @@ func (e *entraidCredentialsProvider) Subscribe(listener auth.CredentialsListener
 	return credentials, cancel, nil
 }
 
-// newCredentialsProvider creates a new credentials provider.
-// It takes a TokenManager and CredentialProviderOptions as arguments and returns a StreamingCredentialsProvider interface.
-// The TokenManager is used to obtain the token, and the CredentialProviderOptions contains options for the credentials provider.
-// The credentials provider is responsible for managing the credentials and refreshing them when necessary.
-// It returns an error if the token manager cannot be started.
-func newCredentialsProvider(tokenManager TokenManager, options CredentialProviderOptions) (auth.StreamingCredentialsProvider, error) {
-	cp := &entraidCredentialsProvider{
-		tokenManager: tokenManager,
-		options:      options,
-	}
-	cancelTokenManager, err := cp.tokenManager.Start(tokenListenerFromCP(cp))
-	if err != nil {
-		return nil, fmt.Errorf("couldn't start token manager: %w", err)
-	}
-	cp.cancelTokenManager = cancelTokenManager
-	return cp, nil
-}
-
 type entraidTokenListener struct {
 	onTokenNext  func(token *Token)
 	onTokenError func(err error)
@@ -130,3 +112,21 @@ func (l *entraidTokenListener) OnTokenNext(token *Token) {
 func (l *entraidTokenListener) OnTokenError(err error) {
 	l.onTokenError(err)
 }
+
+// newCredentialsProvider creates a new credentials provider.
+// It takes a TokenManager and CredentialProviderOptions as arguments and returns a StreamingCredentialsProvider interface.
+// The TokenManager is used to obtain the token, and the CredentialProviderOptions contains options for the credentials provider.
+// The credentials provider is responsible for managing the credentials and refreshing them when necessary.
+// It returns an error if the token manager cannot be started.
+func newCredentialsProvider(tokenManager TokenManager, options CredentialsProviderOptions) (auth.StreamingCredentialsProvider, error) {
+	cp := &entraidCredentialsProvider{
+		tokenManager: tokenManager,
+		options:      options,
+	}
+	cancelTokenManager, err := cp.tokenManager.Start(tokenListenerFromCP(cp))
+	if err != nil {
+		return nil, fmt.Errorf("couldn't start token manager: %w", err)
+	}
+	cp.cancelTokenManager = cancelTokenManager
+	return cp, nil
+}

managed_identity_provider.go

@@ -0,0 +1,96 @@
+package entraid
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	mi "github.com/AzureAD/microsoft-authentication-library-for-go/apps/managedidentity"
+)
+
+type ManagedIdentityProvider struct {
+	// UserAssignedClientID is the client ID of the user assigned identity.
+	// This is used to identify the identity when requesting a token.
+	UserAssignedClientID string
+
+	// ManagedIdentityType is the type of managed identity.
+	// This can be either SystemAssigned or UserAssigned.
+	ManagedIdentityType string
+
+	// Scopes is a list of scopes that the identity has access to.
+	// This is used to specify the permissions that the identity has when requesting a token.
+	Scopes []string
+
+	// Client is the managed identity client used to request a token.
+	Client *mi.Client
+}
+
+type ManagedIdentityProviderOptions struct {
+	// UserAssignedClientID is the client ID of the user assigned identity.
+	// This is used to identify the identity when requesting a token.
+	UserAssignedClientID string
+	// ManagedIdentityType is the type of managed identity.
+	// This can be either SystemAssigned or UserAssigned.
+	ManagedIdentityType string
+	// Scopes is a list of scopes that the identity has access to.
+	// This is used to specify the permissions that the identity has when requesting a token.
+	Scopes []string
+}
+
+func NewManagedIdentityProvider(opts ManagedIdentityProviderOptions) (*ManagedIdentityProvider, error) {
+	var client mi.Client
+	var err error
+
+	if opts.ManagedIdentityType != SystemAssignedIdentity && opts.ManagedIdentityType != UserAssignedIdentity {
+		return nil, errors.New("invalid managed identity type")
+	}
+
+	switch opts.ManagedIdentityType {
+	case SystemAssignedIdentity:
+		// SystemAssignedIdentity is the type of identity that is automatically managed by Azure.
+		// This type of identity is automatically created and managed by Azure.
+		// It is used to authenticate the identity when requesting a token.
+		client, err = mi.New(mi.SystemAssigned())
+	case UserAssignedIdentity:
+		// UserAssignedIdentity is required to be specified when using a user assigned identity.
+		if opts.UserAssignedClientID == "" {
+			return nil, errors.New("user assigned client ID is required when using user assigned identity")
+		}
+		// UserAssignedIdentity is the type of identity that is managed by the user.
+		client, err = mi.New(mi.UserAssignedClientID(opts.UserAssignedClientID))
+	}
+
+	if err != nil {
+		return nil, fmt.Errorf("couldn't create managed identity client: %w", err)
+	}
+
+	return &ManagedIdentityProvider{
+		UserAssignedClientID: opts.UserAssignedClientID,
+		ManagedIdentityType:  opts.ManagedIdentityType,
+		Scopes:               opts.Scopes,
+		Client:               &client,
+	}, nil
+}
+
+func (m *ManagedIdentityProvider) requestToken() (string, error) {
+	if m.Client == nil {
+		return "", errors.New("managed identity client is not initialized")
+	}
+
+	// default resource is RedisResource == "https://redis.azure.com"
+	// if no scopes are provided, use the default resource
+	// if scopes are provided, use the first scope as the resource
+	resource := RedisResource
+	if len(m.Scopes) > 0 {
+		resource = m.Scopes[0]
+	}
+	// acquire token using the managed identity client
+	// the resource is the URL of the resource that the identity has access to
+	token, err := m.Client.AcquireToken(context.TODO(), resource)
+	if err != nil {
+		return "", fmt.Errorf("coudn't acquire token: %w", err)
+	}
+
+	// return the access token
+	return token.AccessToken, nil
+}