azuredns: allow oidc authentication (#2036)

Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com>
go-acme · Oct 30, 2023 · 4f242c9 · 4f242c9
1 parent c9ff534
commit 4f242c9
Show file tree

Hide file tree

Showing 4 changed files with 168 additions and 16 deletions.
diff --git a/docs/content/dns/zz_gen_azuredns.md b/docs/content/dns/zz_gen_azuredns.md
@@ -210,6 +210,11 @@ The generated token will be cached by default in the `~/.azure` folder.
 
 This authentication method can be specificaly used by setting the `AZURE_AUTH_METHOD` environment variable to `cli`.
 
+### Open ID Connect
+
+Open ID Connect is a mechanism that establish a trust relationship between a running environment and the Azure AD identity provider.
+It can be enabled by setting the `AZURE_AUTH_METHOD` environment variable to `oidc`.
+
 
 
 

diff --git a/providers/dns/azuredns/azuredns.go b/providers/dns/azuredns/azuredns.go
@@ -6,6 +6,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net/http"
 	"strings"
 	"time"
 
@@ -31,12 +32,20 @@ const (
 	EnvClientID     = envNamespace + "CLIENT_ID"
 	EnvClientSecret = envNamespace + "CLIENT_SECRET"
 
+	EnvOIDCToken         = envNamespace + "OIDC_TOKEN"
+	EnvOIDCTokenFilePath = envNamespace + "OIDC_TOKEN_FILE_PATH"
+	EnvOIDCRequestURL    = envNamespace + "OIDC_REQUEST_URL"
+	EnvOIDCRequestToken  = envNamespace + "OIDC_REQUEST_TOKEN"
+
 	EnvAuthMethod     = envNamespace + "AUTH_METHOD"
 	EnvAuthMSITimeout = envNamespace + "AUTH_MSI_TIMEOUT"
 
 	EnvTTL                = envNamespace + "TTL"
 	EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
 	EnvPollingInterval    = envNamespace + "POLLING_INTERVAL"
+
+	EnvGitHubOIDCRequestURL   = "ACTIONS_ID_TOKEN_REQUEST_URL"
+	EnvGitHubOIDCRequestToken = "ACTIONS_ID_TOKEN_REQUEST_TOKEN"
 )
 
 // Config is used to configure the creation of the DNSProvider.
@@ -52,12 +61,18 @@ type Config struct {
 	ClientSecret string
 	TenantID     string
 
+	OIDCToken         string
+	OIDCTokenFilePath string
+	OIDCRequestURL    string
+	OIDCRequestToken  string
+
 	AuthMethod     string
 	AuthMSITimeout time.Duration
 
 	PropagationTimeout time.Duration
 	PollingInterval    time.Duration
 	TTL                int
+	HTTPClient         *http.Client
 }
 
 // NewDefaultConfig returns a default configuration for the DNSProvider.
@@ -103,6 +118,17 @@ func NewDNSProvider() (*DNSProvider, error) {
 	config.ClientSecret = env.GetOrFile(EnvClientSecret)
 	config.TenantID = env.GetOrFile(EnvTenantID)
 
+	config.OIDCToken = env.GetOrFile(EnvOIDCToken)
+	config.OIDCTokenFilePath = env.GetOrFile(EnvOIDCTokenFilePath)
+
+	oidcValues, _ := env.GetWithFallback(
+		[]string{EnvOIDCRequestURL, EnvGitHubOIDCRequestURL},
+		[]string{EnvOIDCRequestToken, EnvGitHubOIDCRequestToken},
+	)
+
+	config.OIDCRequestURL = oidcValues[EnvOIDCRequestURL]
+	config.OIDCRequestToken = oidcValues[EnvOIDCRequestToken]
+
 	config.AuthMethod = env.GetOrFile(EnvAuthMethod)
 	config.AuthMSITimeout = env.GetOrDefaultSecond(EnvAuthMSITimeout, 2*time.Second)
 
@@ -115,6 +141,10 @@ func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
 		return nil, errors.New("azuredns: the configuration of the DNS provider is nil")
 	}
 
+	if config.HTTPClient == nil {
+		config.HTTPClient = &http.Client{Timeout: 5 * time.Second}
+	}
+
 	credentials, err := getCredentials(config)
 	if err != nil {
 		return nil, fmt.Errorf("azuredns: Unable to retrieve valid credentials: %w", err)
@@ -144,6 +174,22 @@ func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
 	return &DNSProvider{provider: dnsProvider}, nil
 }
 
+// Timeout returns the timeout and interval to use when checking for DNS propagation.
+// Adjusting here to cope with spikes in propagation times.
+func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
+	return d.provider.Timeout()
+}
+
+// Present creates a TXT record to fulfill the dns-01 challenge.
+func (d *DNSProvider) Present(domain, token, keyAuth string) error {
+	return d.provider.Present(domain, token, keyAuth)
+}
+
+// CleanUp removes the TXT record matching the specified parameters.
+func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
+	return d.provider.CleanUp(domain, token, keyAuth)
+}
+
 func getCredentials(config *Config) (azcore.TokenCredential, error) {
 	clientOptions := azcore.ClientOptions{Cloud: config.Environment}
 
@@ -170,27 +216,19 @@ func getCredentials(config *Config) (azcore.TokenCredential, error) {
 	case "cli":
 		return azidentity.NewAzureCLICredential(nil)
 
+	case "oidc":
+		err := checkOIDCConfig(config)
+		if err != nil {
+			return nil, err
+		}
+
+		return azidentity.NewClientAssertionCredential(config.TenantID, config.ClientID, getOIDCAssertion(config), &azidentity.ClientAssertionCredentialOptions{ClientOptions: clientOptions})
+
 	default:
 		return azidentity.NewDefaultAzureCredential(&azidentity.DefaultAzureCredentialOptions{ClientOptions: clientOptions})
 	}
 }
 
-// Timeout returns the timeout and interval to use when checking for DNS propagation.
-// Adjusting here to cope with spikes in propagation times.
-func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
-	return d.provider.Timeout()
-}
-
-// Present creates a TXT record to fulfill the dns-01 challenge.
-func (d *DNSProvider) Present(domain, token, keyAuth string) error {
-	return d.provider.Present(domain, token, keyAuth)
-}
-
-// CleanUp removes the TXT record matching the specified parameters.
-func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
-	return d.provider.CleanUp(domain, token, keyAuth)
-}
-
 // timeoutTokenCredential wraps a TokenCredential to add a timeout.
 type timeoutTokenCredential struct {
 	cred    azcore.TokenCredential

diff --git a/providers/dns/azuredns/azuredns.toml b/providers/dns/azuredns/azuredns.toml
@@ -156,6 +156,11 @@ The generated token will be cached by default in the `~/.azure` folder.
 
 This authentication method can be specificaly used by setting the `AZURE_AUTH_METHOD` environment variable to `cli`.
 
+### Open ID Connect
+
+Open ID Connect is a mechanism that establish a trust relationship between a running environment and the Azure AD identity provider.
+It can be enabled by setting the `AZURE_AUTH_METHOD` environment variable to `oidc`.
+
 '''
 
 [Configuration]

diff --git a/providers/dns/azuredns/oidc.go b/providers/dns/azuredns/oidc.go
@@ -0,0 +1,104 @@
+package azuredns
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+)
+
+func checkOIDCConfig(config *Config) error {
+	if config.TenantID == "" {
+		return fmt.Errorf("azuredns: TenantID is missing")
+	}
+
+	if config.ClientID == "" {
+		return fmt.Errorf("azuredns: ClientID is missing")
+	}
+
+	if config.OIDCToken == "" && config.OIDCTokenFilePath == "" && (config.OIDCRequestURL == "" || config.OIDCRequestToken == "") {
+		return fmt.Errorf("azuredns: OIDCToken, OIDCTokenFilePath or OIDCRequestURL and OIDCRequestToken must be set")
+	}
+
+	return nil
+}
+
+func getOIDCAssertion(config *Config) func(ctx context.Context) (string, error) {
+	return func(ctx context.Context) (string, error) {
+		var token string
+		if config.OIDCToken != "" {
+			token = strings.TrimSpace(config.OIDCToken)
+		}
+
+		if config.OIDCTokenFilePath != "" {
+			fileTokenRaw, err := os.ReadFile(config.OIDCTokenFilePath)
+			if err != nil {
+				return "", fmt.Errorf("azuredns: error retrieving token file with path %s: %w", config.OIDCTokenFilePath, err)
+			}
+
+			fileToken := strings.TrimSpace(string(fileTokenRaw))
+			if config.OIDCToken != fileToken {
+				return "", fmt.Errorf("azuredns: token file with path %s does not match token from environment variable", config.OIDCTokenFilePath)
+			}
+
+			token = fileToken
+		}
+
+		if token == "" && config.OIDCRequestURL != "" && config.OIDCRequestToken != "" {
+			return getOIDCToken(config)
+		}
+
+		return token, nil
+	}
+}
+
+func getOIDCToken(config *Config) (string, error) {
+	req, err := http.NewRequest(http.MethodGet, config.OIDCRequestURL, http.NoBody)
+	if err != nil {
+		return "", fmt.Errorf("azuredns: failed to build OIDC request: %w", err)
+	}
+
+	query, err := url.ParseQuery(req.URL.RawQuery)
+	if err != nil {
+		return "", fmt.Errorf("azuredns: cannot parse OIDC request URL query")
+	}
+
+	if query.Get("audience") == "" {
+		query.Set("audience", "api://AzureADTokenExchange")
+		req.URL.RawQuery = query.Encode()
+	}
+
+	req.Header.Set("Accept", "application/json")
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", config.OIDCRequestToken))
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	resp, err := config.HTTPClient.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("azuredns: cannot request OIDC token: %w", err)
+	}
+
+	defer func() { _ = resp.Body.Close() }()
+
+	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
+	if err != nil {
+		return "", fmt.Errorf("azuredns: cannot parse OIDC token response: %w", err)
+	}
+
+	if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusNoContent {
+		return "", fmt.Errorf("azuredns: OIDC token request received HTTP status %d with response: %s", resp.StatusCode, body)
+	}
+
+	var returnedToken struct {
+		Count int    `json:"count"`
+		Value string `json:"value"`
+	}
+	if err := json.Unmarshal(body, &returnedToken); err != nil {
+		return "", fmt.Errorf("azuredns: cannot unmarshal OIDC token response: %w", err)
+	}
+
+	return returnedToken.Value, nil
+}