feat(azuredns): allow oidc authentication

go-acme · Oct 26, 2023 · b975e27 · b975e27
1 parent c9ff534
commit b975e27
Show file tree

Hide file tree

Showing 3 changed files with 144 additions and 0 deletions.
diff --git a/docs/content/dns/zz_gen_azuredns.md b/docs/content/dns/zz_gen_azuredns.md
@@ -110,6 +110,8 @@ Default Azure Credentials automatically detects in the following locations and p
 3. Workload identity for resources hosted in Azure environment (see below)
 4. Shared credentials (defaults to `~/.azure` folder), used by Azure CLI
 
+**Open ID Connect authentication is not supported by default.**
+
 Link:
 - [Azure Authentication](https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication)
 
@@ -210,6 +212,11 @@ The generated token will be cached by default in the `~/.azure` folder.
 
 This authentication method can be specificaly used by setting the `AZURE_AUTH_METHOD` environment variable to `cli`.
 
+### Open ID Connect
+
+Open ID Connect is a mechanism that establish a trust relationship between a running environment and the Azure AD identity provider.
+It is not supported by default, but can be enabled by setting the `AZURE_AUTH_METHOD` environment variable to `oidc`.
+
 
 
 

diff --git a/providers/dns/azuredns/azuredns.go b/providers/dns/azuredns/azuredns.go
@@ -4,8 +4,13 @@ package azuredns
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"os"
 	"strings"
 	"time"
 
@@ -31,12 +36,22 @@ const (
 	EnvClientID     = envNamespace + "CLIENT_ID"
 	EnvClientSecret = envNamespace + "CLIENT_SECRET"
 
+	EnvOidcToken         = envNamespace + "OIDC_TOKEN"
+	EnvOidcTokenFilePath = envNamespace + "OIDC_TOKEN_FILE_PATH"
+	EnvOidcRequestURL    = envNamespace + "OIDC_REQUEST_URL"
+	EnvOidcRequestToken  = envNamespace + "OIDC_REQUEST_TOKEN"
+
 	EnvAuthMethod     = envNamespace + "AUTH_METHOD"
 	EnvAuthMSITimeout = envNamespace + "AUTH_MSI_TIMEOUT"
 
 	EnvTTL                = envNamespace + "TTL"
 	EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
 	EnvPollingInterval    = envNamespace + "POLLING_INTERVAL"
+
+	envGihubActions = "ACTIONS_"
+
+	EnvGithubOidcRequestURL   = envGihubActions + "ID_TOKEN_REQUEST_URL"
+	EnvGithubOidcRequestToken = envGihubActions + "ID_TOKEN_REQUEST_TOKEN"
 )
 
 // Config is used to configure the creation of the DNSProvider.
@@ -52,12 +67,18 @@ type Config struct {
 	ClientSecret string
 	TenantID     string
 
+	OidcToken         string
+	OidcTokenFilePath string
+	OidcRequestURL    string
+	OidcRequestToken  string
+
 	AuthMethod     string
 	AuthMSITimeout time.Duration
 
 	PropagationTimeout time.Duration
 	PollingInterval    time.Duration
 	TTL                int
+	HTTPClient         *http.Client
 }
 
 // NewDefaultConfig returns a default configuration for the DNSProvider.
@@ -103,6 +124,17 @@ func NewDNSProvider() (*DNSProvider, error) {
 	config.ClientSecret = env.GetOrFile(EnvClientSecret)
 	config.TenantID = env.GetOrFile(EnvTenantID)
 
+	config.OidcToken = env.GetOrFile(EnvOidcToken)
+	config.OidcTokenFilePath = env.GetOrFile(EnvOidcTokenFilePath)
+
+	oidcRequest, _ := env.GetWithFallback(
+		[]string{EnvOidcRequestURL, EnvGithubOidcRequestURL},
+		[]string{EnvOidcRequestToken, EnvGithubOidcRequestToken},
+	)
+
+	config.OidcRequestURL = oidcRequest[EnvOidcRequestURL]
+	config.OidcRequestToken = oidcRequest[EnvOidcRequestToken]
+
 	config.AuthMethod = env.GetOrFile(EnvAuthMethod)
 	config.AuthMSITimeout = env.GetOrDefaultSecond(EnvAuthMSITimeout, 2*time.Second)
 
@@ -115,6 +147,10 @@ func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
 		return nil, errors.New("azuredns: the configuration of the DNS provider is nil")
 	}
 
+	if config.HTTPClient == nil {
+		config.HTTPClient = &http.Client{Timeout: 5 * time.Second}
+	}
+
 	credentials, err := getCredentials(config)
 	if err != nil {
 		return nil, fmt.Errorf("azuredns: Unable to retrieve valid credentials: %w", err)
@@ -170,11 +206,105 @@ func getCredentials(config *Config) (azcore.TokenCredential, error) {
 	case "cli":
 		return azidentity.NewAzureCLICredential(nil)
 
+	case "oidc":
+		return getOidcCredentials(config, clientOptions)
+
 	default:
 		return azidentity.NewDefaultAzureCredential(&azidentity.DefaultAzureCredentialOptions{ClientOptions: clientOptions})
 	}
 }
 
+//nolint:gocyclo
+func getOidcCredentials(config *Config, clientOptions azcore.ClientOptions) (azcore.TokenCredential, error) {
+	if config.TenantID == "" {
+		return nil, fmt.Errorf("azuredns: TenantId is missing")
+	}
+
+	if config.ClientID == "" {
+		return nil, fmt.Errorf("azuredns: ClientId is missing")
+	}
+
+	if config.OidcToken == "" && config.OidcTokenFilePath == "" && (config.OidcRequestURL == "" || config.OidcRequestToken == "") {
+		return nil, fmt.Errorf("azuredns: OidcToken, OidcTokenFilePath or OidcRequestURL and OidcRequestToken must be set")
+	}
+
+	getAssertion := func(ctx context.Context) (string, error) {
+		var token string
+		if config.OidcToken != "" {
+			token = strings.TrimSpace(config.OidcToken)
+		}
+
+		if config.OidcTokenFilePath != "" {
+			fileTokenRaw, err := os.ReadFile(config.OidcTokenFilePath)
+			if err != nil {
+				return "", fmt.Errorf("azuredns: error retrieving token file with path %s: %w", config.OidcTokenFilePath, err)
+			}
+
+			fileToken := strings.TrimSpace(string(fileTokenRaw))
+			if config.OidcToken != fileToken {
+				return "", fmt.Errorf("azuredns: token file with path %s does not match token from environment variable", config.OidcTokenFilePath)
+			}
+
+			token = fileToken
+		}
+
+		if token == "" && config.OidcRequestURL != "" && config.OidcRequestToken != "" {
+			return requestToken(config)
+		}
+
+		return token, nil
+	}
+
+	return azidentity.NewClientAssertionCredential(config.TenantID, config.ClientID, getAssertion,
+		&azidentity.ClientAssertionCredentialOptions{ClientOptions: clientOptions})
+}
+
+func requestToken(config *Config) (string, error) {
+	req, err := http.NewRequest(http.MethodGet, config.OidcRequestURL, http.NoBody)
+	if err != nil {
+		return "", fmt.Errorf("azuredns: failed to build OIDC request: %w", err)
+	}
+
+	query, err := url.ParseQuery(req.URL.RawQuery)
+	if err != nil {
+		return "", fmt.Errorf("azuredns: cannot parse OIDC request URL query")
+	}
+
+	if query.Get("audience") == "" {
+		query.Set("audience", "api://AzureADTokenExchange")
+		req.URL.RawQuery = query.Encode()
+	}
+
+	req.Header.Set("Accept", "application/json")
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", config.OidcRequestToken))
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	resp, err := config.HTTPClient.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("azuredns: cannot request OIDC token: %w", err)
+	}
+
+	defer resp.Body.Close()
+	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
+	if err != nil {
+		return "", fmt.Errorf("azuredns: cannot parse OIDC token response: %w", err)
+	}
+
+	if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusNoContent {
+		return "", fmt.Errorf("azuredns: OIDC token request received HTTP status %d with response: %s", resp.StatusCode, body)
+	}
+
+	var returnedToken struct {
+		Count *int    `json:"count"`
+		Value *string `json:"value"`
+	}
+	if err := json.Unmarshal(body, &returnedToken); err != nil {
+		return "", fmt.Errorf("azuredns: cannot unmarshal OIDC token response: %w", err)
+	}
+
+	return *returnedToken.Value, nil
+}
+
 // Timeout returns the timeout and interval to use when checking for DNS propagation.
 // Adjusting here to cope with spikes in propagation times.
 func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {

diff --git a/providers/dns/azuredns/azuredns.toml b/providers/dns/azuredns/azuredns.toml
@@ -56,6 +56,8 @@ Default Azure Credentials automatically detects in the following locations and p
 3. Workload identity for resources hosted in Azure environment (see below)
 4. Shared credentials (defaults to `~/.azure` folder), used by Azure CLI
 
+**Open ID Connect authentication is not supported by default.**
+
 Link:
 - [Azure Authentication](https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication)
 
@@ -156,6 +158,11 @@ The generated token will be cached by default in the `~/.azure` folder.
 
 This authentication method can be specificaly used by setting the `AZURE_AUTH_METHOD` environment variable to `cli`.
 
+### Open ID Connect
+
+Open ID Connect is a mechanism that establish a trust relationship between a running environment and the Azure AD identity provider.
+It is not supported by default, but can be enabled by setting the `AZURE_AUTH_METHOD` environment variable to `oidc`.
+
 '''
 
 [Configuration]