Expose Azure authenticators + fix typo (#1629)

* Expose Azure authenticators * Fix typo * Add support for default msi id by allowing for Azure client ID to exist but be empty * Clean up based on PR suggestions Co-authored-by: Le Tran <le.tran@kasten.io>
kanisterio · Sep 20, 2022 · 063138c · 063138c
1 parent 5b28871
commit 063138c
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 15 deletions.
diff --git a/pkg/blockstorage/azure/auth.go b/pkg/blockstorage/azure/auth.go
@@ -20,8 +20,8 @@ func isClientCredsAvailable(config map[string]string) bool {
 
 // determine if the combination of creds are MSI creds
 func isMSICredsAvailable(config map[string]string) bool {
-	return (config[blockstorage.AzureTenantID] == "" &&
-		config[blockstorage.AzureClientID] != "" &&
+	_, clientIDok := config[blockstorage.AzureClientID]
+	return (clientIDok && config[blockstorage.AzureTenantID] == "" &&
 		config[blockstorage.AzureClientSecret] == "")
 }
 
@@ -30,28 +30,30 @@ type AzureAuthenticator interface {
 	Authenticate(creds map[string]string) error
 }
 
-func NewAzureAutheticator(config map[string]string) (AzureAuthenticator, error) {
+func NewAzureAuthenticator(config map[string]string) (AzureAuthenticator, error) {
 	switch {
 	case isMSICredsAvailable(config):
-		return &msiAuthenticator{}, nil
+		return &MsiAuthenticator{}, nil
 	case isClientCredsAvailable(config):
-		return &clientSecretAuthenticator{}, nil
+		return &ClientSecretAuthenticator{}, nil
 	default:
 		return nil, errors.New("Fail to get an authenticator for provided creds combination")
 	}
 }
 
 // authenticate with MSI creds
-type msiAuthenticator struct{}
+type MsiAuthenticator struct{}
 
-func (m *msiAuthenticator) Authenticate(creds map[string]string) error {
+func (m *MsiAuthenticator) Authenticate(creds map[string]string) error {
 	// check if MSI endpoint is available
 	if !adal.MSIAvailable(context.Background(), nil) {
 		return errors.New("MSI endpoint is not supported")
 	}
 	// create a service principal token
 	msiConfig := auth.NewMSIConfig()
-	msiConfig.ClientID = creds[blockstorage.AzureClientID]
+	if clientID, ok := creds[blockstorage.AzureClientID]; ok && clientID != "" {
+		msiConfig.ClientID = clientID
+	}
 	spt, err := msiConfig.ServicePrincipalToken()
 	if err != nil {
 		return errors.Wrap(err, "Failed to create a service principal token")
@@ -66,9 +68,9 @@ func (m *msiAuthenticator) Authenticate(creds map[string]string) error {
 }
 
 // authenticate with client secret creds
-type clientSecretAuthenticator struct{}
+type ClientSecretAuthenticator struct{}
 
-func (c *clientSecretAuthenticator) Authenticate(creds map[string]string) error {
+func (c *ClientSecretAuthenticator) Authenticate(creds map[string]string) error {
 	credConfig, err := getCredConfigForAuth(creds)
 	if err != nil {
 		return errors.Wrap(err, "Failed to get Client Secret config")

diff --git a/pkg/blockstorage/azure/auth_tests.go b/pkg/blockstorage/azure/auth_tests.go
@@ -60,6 +60,16 @@ func (s *AuthSuite) TestIsMSICredsAvailable(c *C) {
 	// remove client secret, only client ID left
 	delete(config, blockstorage.AzureClientSecret)
 	c.Assert(isMSICredsAvailable(config), Equals, true)
+
+	// empty client ID - default msi id is implied
+	config = map[string]string{
+		blockstorage.AzureClientID: "",
+	}
+	c.Assert(isMSICredsAvailable(config), Equals, true)
+
+	// empty creds
+	config = map[string]string{}
+	c.Assert(isMSICredsAvailable(config), Equals, false)
 }
 
 func (s *AuthSuite) TestNewAzureAutheticator(c *C) {
@@ -69,26 +79,48 @@ func (s *AuthSuite) TestNewAzureAutheticator(c *C) {
 		blockstorage.AzureClientID:     "some-client-id",
 		blockstorage.AzureClientSecret: "some-client-secret",
 	}
-	authenticator, err := NewAzureAutheticator(config)
+	authenticator, err := NewAzureAuthenticator(config)
 	c.Assert(err, IsNil)
-	_, ok := authenticator.(*clientSecretAuthenticator)
+	_, ok := authenticator.(*ClientSecretAuthenticator)
 	c.Assert(ok, Equals, true)
 
 	// successful with msi creds
 	config = map[string]string{
 		blockstorage.AzureClientID: "some-client-id",
 	}
-	authenticator, err = NewAzureAutheticator(config)
+	authenticator, err = NewAzureAuthenticator(config)
 	c.Assert(err, IsNil)
-	_, ok = authenticator.(*msiAuthenticator)
+	_, ok = authenticator.(*MsiAuthenticator)
 	c.Assert(ok, Equals, true)
 
+	// successful with default msi creds
+	config = map[string]string{
+		blockstorage.AzureClientID: "",
+	}
+	authenticator, err = NewAzureAuthenticator(config)
+	c.Assert(err, IsNil)
+	c.Assert(authenticator, NotNil)
+
+	// unsuccessful with no creds
+	config = map[string]string{}
+	authenticator, err = NewAzureAuthenticator(config)
+	c.Assert(err, NotNil)
+	c.Assert(authenticator, IsNil)
+
+	// unsuccessful with an undefined combo of credss
+	config = map[string]string{
+		blockstorage.AzureClientSecret: "some-client-secret",
+	}
+	authenticator, err = NewAzureAuthenticator(config)
+	c.Assert(err, NotNil)
+	c.Assert(authenticator, IsNil)
+
 	// unsuccessful with an undefined combo of creds
 	config = map[string]string{
 		blockstorage.AzureClientID:     "some-client-id",
 		blockstorage.AzureClientSecret: "some-client-secret",
 	}
-	authenticator, err = NewAzureAutheticator(config)
+	authenticator, err = NewAzureAuthenticator(config)
 	c.Assert(err, NotNil)
 	c.Assert(authenticator, IsNil)
 }