plugins/rest: Add Azure Managed Identities Auth Plugin #3952

Merged (1 commit) Nov 8, 2021

Conversation

@Scowluga (Contributor) commented Nov 1, 2021

This PR introduces an HTTP auth plugin for Azure managed identities. Tokens are acquired following Azure docs, and each of the HTTP request params can be specified using the plugin.

Related to #2938 - adding a GCP metadata auth plugin

Fixes #3916

Signed-off-by: David Lu david.scowluga@gmail.com

@Scowluga Scowluga marked this pull request as draft November 1, 2021 21:11
@Scowluga Scowluga force-pushed the azure-metadata-auth branch from 570d5bd to 3129a4b Compare November 1, 2021 21:14
@anderseknert (Member) left a comment

Looks like a good first step to me! Formatting looks a little off, but I guess go fmt will take care of that. Looking forward to seeing this done!

Review threads: plugins/rest/azure.go
@Scowluga (Contributor, Author) commented Nov 2, 2021

I did some manual testing via the following process:

  • Created an Azure account & Linux VM
  • Confirmed requests were working manually for both the token request and a simple Azure resource request that requires the token
  • Set up and built OPA on the VM
  • Inserted log statements into my Azure plugin
  • Ran OPA with a bundle plugin and credentials.azure_managed_identity. I was not actually able to fetch any bundle, but I was able to view that the token was successfully added via the plugin.

From the above I'm fairly confident in the correctness of the plugin, but to fully test I would need to use bundles. I'm a bit stuck here. I've created an Azure storage account, but am not entirely sure how to upload a bundle, and assign it managed identities so I can access it from my VM. Any help would be much appreciated.

@Scowluga Scowluga force-pushed the azure-metadata-auth branch from c0b3426 to 122636e Compare November 3, 2021 00:10
@anderseknert anderseknert marked this pull request as ready for review November 3, 2021 08:16
@anderseknert anderseknert changed the title WIP: plugins/rest: Add Azure Managed Identities Auth Plugin plugins/rest: Add Azure Managed Identities Auth Plugin Nov 3, 2021
@anderseknert (Member) commented

Thanks David!

And great work on this. I don't have the time to test this week but will be happy to do it next week. Since you've verified the token gets fetched we could have it merged before that, but on the other hand there's almost a month before next release, so there's no stress to make it into that. I'll get back to you once I've taken it for a test drive :)

@anderseknert (Member) left a comment

Great work! Left a few comments.

Review threads: docs/content/configuration.md, plugins/rest/azure.go, plugins/rest/azure_test.go
@srenatus (Contributor) left a comment

Looks pretty good, and it's an impressive first contribution 👏 -- some nitpicks inline 🙃 👇

We're trying not to use any assertions framework in OPA's tests. You might notice that there are tests using github.com/stretchr/testify, but they are only in vendored code (or code copied into the project, like the jwt and jsonschema bits).

Review threads: plugins/rest/azure.go, plugins/rest/azure_test.go
srenatus previously approved these changes Nov 4, 2021

@srenatus (Contributor) left a comment

Nothing to add as far as I am concerned. Thanks for bearing with me on the nitpicks! 👍

@Scowluga (Contributor, Author) commented Nov 4, 2021

> Thanks David!
>
> And great work on this. I don't have the time to test this week but will be happy to do it next week. Since you've verified the token gets fetched we could have it merged before that, but on the other hand there's almost a month before next release, so there's no stress to make it into that. I'll get back to you once I've taken it for a test drive :)

Looks like we're in no hurry to merge the PR. I will try to get to manual testing again soon, though I've been struggling a bit due to lack of Azure/OPA knowledge. If you could also take a look next week that'd be great, then we can circle back. Thanks for the review and all the support.

@Scowluga (Contributor, Author) commented Nov 4, 2021

I decided to give it another go, and was successfully able to test this plugin end-to-end by pulling a bundle from Azure storage using managed identities. This is my first time using Azure and first time downloading OPA, so if any of the following doesn't make any sense feel free to let me know. Here is my full procedure:

  1. Create an Azure Linux VM

  2. Configure the VM to have managed identities

  3. Create an Azure storage account

    • Tutorial
    • Create a blob container
    • Upload your bundle
  4. Configure the Azure storage account

    • Tutorial: Assign the VM (via managed identity) the Reader and Storage Blob Data Contributor roles
    • Tutorial: Disable public access to the blob
  5. Connect to the VM (ssh)

  6. Build OPA

    • sudo apt-get install git
    • sudo apt-get install make
    • Clone OPA: git clone https://github.com/Scowluga/opa.git
    • Tutorial: Install Go
    • go build
  7. Run OPA - Pull a Bundle from Azure storage

    • I used the following config.yaml file. I was able to successfully load the bundle from my blob.
    • For some reason, you need to specify x-ms-version as a header. Not sure why, just got it from here.

```yaml
services:
  azure_storage_account:
    url: https://myopastorageaccount.blob.core.windows.net/myblobcontainer/
    headers:
      x-ms-version: 2017-11-09
    credentials:
      azure_managed_identity: {}

bundles:
  bundle:
    service: azure_storage_account
    resource: bundle.tar.gz
    persist: true
    polling:
      min_delay_seconds: 60
      max_delay_seconds: 120
```

I may be missing a few small steps since I had to try many things but this should cover almost everything. If everything looks good, I think the PR is ready for merge.
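To make concrete what the plugin described in this PR does on every bundle poll (acquire a token from the instance metadata service, then send the bundle request as a bearer), here is an added example written for this page in Go, OPA's language. It is not the OPA plugin's code. Its assumptions: the IMDS endpoint, api-version 2018-02-01 and the https://storage.azure.com/ resource are the values the Azure managed identity docs give; the `Metadata: true` header is what IMDS requires before it answers, which is also its defence against SSRF via redirects or confused proxies, since those do not carry custom headers; `NewFakeIMDS` is a constructed stand-in so the code runs offline; and the x-ms-version header in `main` mirrors the config above, since the Blob service requires version 2017-11-09 or later to accept an Azure AD bearer token. Only the system-assigned identity is used; the client_id / object_id parameters for selecting a user-assigned identity are not shown.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	"time"
)

// Defaults per the Azure IMDS docs (assumed here, not read from the OPA plugin).
const (
	DefaultIMDSEndpoint = "http://169.254.169.254/metadata/identity/oauth2/token"
	DefaultAPIVersion   = "2018-02-01"
	DefaultResource     = "https://storage.azure.com/"
)

// imdsToken mirrors the JSON IMDS returns; expires_on is Unix seconds as a string.
type imdsToken struct {
	AccessToken string `json:"access_token"`
	ExpiresOn   string `json:"expires_on"`
}

// ManagedIdentityAuth fetches a bearer token from IMDS, caches it, and attaches it to requests.
type ManagedIdentityAuth struct {
	Endpoint, APIVersion, Resource string
	Client                         *http.Client
	token                          string
	expiresAt                      time.Time
}

func (a *ManagedIdentityAuth) fetchToken() error {
	q := url.Values{"api-version": {a.APIVersion}, "resource": {a.Resource}}
	req, err := http.NewRequest(http.MethodGet, a.Endpoint+"?"+q.Encode(), nil)
	if err != nil {
		return err
	}
	// IMDS refuses requests without this header; relayed or redirected requests lack it (SSRF defence).
	req.Header.Set("Metadata", "true")
	resp, err := a.Client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("imds: unexpected status %d", resp.StatusCode)
	}
	var t imdsToken
	if err := json.NewDecoder(resp.Body).Decode(&t); err != nil {
		return fmt.Errorf("imds: bad json: %w", err)
	}
	exp, err := strconv.ParseInt(t.ExpiresOn, 10, 64)
	if err != nil || t.AccessToken == "" {
		return fmt.Errorf("imds: malformed token response")
	}
	a.token, a.expiresAt = t.AccessToken, time.Unix(exp, 0)
	return nil
}

// Prepare sets Authorization: Bearer on req, (re)fetching when the cached token is missing or within 5 minutes of expiry.
func (a *ManagedIdentityAuth) Prepare(req *http.Request) error {
	if a.token == "" || time.Until(a.expiresAt) < 5*time.Minute {
		if err := a.fetchToken(); err != nil {
			return err
		}
	}
	req.Header.Set("Authorization", "Bearer "+a.token)
	return nil
}

// NewFakeIMDS is a constructed offline stand-in for the metadata service that,
// like the real one, refuses requests lacking the Metadata header.
func NewFakeIMDS(token string, ttl time.Duration) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Metadata") != "true" || r.URL.Query().Get("resource") == "" {
			http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
			return
		}
		_ = json.NewEncoder(w).Encode(imdsToken{AccessToken: token,
			ExpiresOn: strconv.FormatInt(time.Now().Add(ttl).Unix(), 10)})
	}))
}

func main() {
	imds := NewFakeIMDS("constructed-token", time.Hour)
	auth := &ManagedIdentityAuth{Endpoint: imds.URL, APIVersion: DefaultAPIVersion, Resource: DefaultResource, Client: imds.Client()}
	// Same shape as the bundle fetch in the config above; Blob needs x-ms-version >= 2017-11-09 for Azure AD bearer auth.
	req, _ := http.NewRequest(http.MethodGet, "https://myopastorageaccount.blob.core.windows.net/myblobcontainer/bundle.tar.gz", nil)
	req.Header.Set("x-ms-version", "2017-11-09")
	if err := auth.Prepare(req); err != nil {
		panic(err)
	}
	fmt.Println("Authorization:", req.Header.Get("Authorization"))
}
```

Run it with `go run`; the printed Authorization header carries the token the fake IMDS issued. The refresh threshold in Prepare is the part that matters for a long-running bundle poller: expires_on has to be honoured, because Storage rejects an expired bearer and a plugin that cached the token forever would start failing every poll until OPA was restarted.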

anderseknert previously approved these changes Nov 8, 2021

@anderseknert (Member) left a comment

LGTM. Impressive first contribution, and great seeing how you've responded to PR feedback. Awesome! 👏

@anderseknert (Member) commented Nov 8, 2021

> For some reason, you need to specify x-ms-version as a header. Not sure why, just got it from here.

This has been my experience too working with Azure in the past. I think your docs should be amended with this detail so that others don't get stuck here... even if it's technically not the auth plug-in's responsibility. It's not of much use though if people can't use it to actually fetch anything 😄

@srenatus (Contributor) commented Nov 8, 2021

@Scowluga for future reference, you can skip the "Build OPA" step when testing out PRs:

On the "checks" tab for this PR,

[screenshot]

selecting "PR Checks" gets you to this page,

[screenshot]

and if you scroll down there, you'll see the binaries zip archive, which contains all the opa binaries built from this branch:

[screenshot]

This commit adds an HTTP auth plugin that fetches bearer access tokens using managed identities for Azure resources. This plugin will complement the existing AWS and GCP auth plugins.

Signed-off-by: David Lu <david.scowluga@gmail.com>
@Scowluga (Contributor, Author) commented Nov 8, 2021

Thanks @srenatus for the tip, I've somehow never actually clicked that "Checks" tab before 😄

I added the x-ms-version header to the example and provided a note linking users to documentation related to it. Let me know if there's anything else I should do.

@anderseknert anderseknert merged commit 41fe768 into open-policy-agent:main Nov 8, 2021
charlieegan3 added a commit that referenced this pull request Mar 16, 2023
We have testify in our go.mod. This sometimes misleads contributors (including myself!) to think that we can use testify in test code. Since testify is a common testing package, many go developers default to using it.

I'm not sure if we want to merge this as we might rather leave these vendored packages untouched, but it was 10 minutes of work and I was interested to see if we can avoid issues like this in future:

* #5753 (comment)
* #5447 (comment)
* #3952 (review)

Signed-off-by: Charlie Egan <charlie@styra.com>
Successfully merging this pull request may close these issues.

Ability to fetch bundles from Azure storage account using managed identities