Add Arc VM support for auth via managed identity #2

Merged
merged 36 commits into from
Oct 4, 2021
019f340
Add Azure Arc server VMs support
Sep 10, 2021
e4b2b3e
Add function for modularity
Sep 11, 2021
fcf5a43
Minor fixes
Sep 13, 2021
783a40b
Minor fixes
Sep 13, 2021
34842ad
Minor fixes
Sep 13, 2021
8f2aeb6
Minor fixes
Sep 13, 2021
bafba0d
Minor fixes
Sep 13, 2021
60f6c50
Minor fix
Sep 14, 2021
f08e98c
Minor Fix
ArnavPrasadMicrosoft Sep 15, 2021
d68cc14
Minor Fix
ArnavPrasadMicrosoft Sep 15, 2021
a16b9e9
Minor Fix
ArnavPrasadMicrosoft Sep 15, 2021
f16d603
Minor Fix
ArnavPrasadMicrosoft Sep 15, 2021
651c1ad
Minor Fix
ArnavPrasadMicrosoft Sep 15, 2021
167c9b0
Minor Fix
ArnavPrasadMicrosoft Sep 15, 2021
a1fc07e
Minor Fix
ArnavPrasadMicrosoft Sep 15, 2021
9735ffe
Minor Fix
ArnavPrasadMicrosoft Sep 15, 2021
3552402
Minor Fix
ArnavPrasadMicrosoft Sep 15, 2021
92c45e4
Minor Fix
ArnavPrasadMicrosoft Sep 15, 2021
efbfd87
Reverse Arc and Azure VM check sequence
ArnavPrasadMicrosoft Sep 17, 2021
cf90b8a
Fix --delete-destination on Windows download (#1547)
adreed-msft Sep 20, 2021
aa84bea
Fix --delete-destination on Windows download (#1547) (#1560)
siminsavani-msft Sep 20, 2021
8b9e424
Update version to 10.12.2 and update changelog (#1558)
siminsavani-msft Sep 20, 2021
0a14fbd
Merge branch 'dev' into main
zezha-msft Sep 20, 2021
f64ac4c
Merge pull request #1 from Strikerzee/feature/arcvmsupport
Strikerzee Sep 21, 2021
ee11cb1
Minor fixes
ArnavPrasadMicrosoft Sep 21, 2021
47d8819
Minor fixes
ArnavPrasadMicrosoft Sep 21, 2021
dcc5a6a
Minor fixes
ArnavPrasadMicrosoft Sep 21, 2021
f8cb26e
Add robust error checking
ArnavPrasadMicrosoft Sep 29, 2021
343fb9c
Minor fix
ArnavPrasadMicrosoft Sep 29, 2021
441a16a
Minor fix
ArnavPrasadMicrosoft Sep 29, 2021
230233b
Minor fix
ArnavPrasadMicrosoft Sep 29, 2021
2ca60d2
Minor fix
ArnavPrasadMicrosoft Sep 29, 2021
addbfab
Minor fix
ArnavPrasadMicrosoft Sep 29, 2021
d7dd381
A
ArnavPrasadMicrosoft Sep 29, 2021
a43ca60
Minor fix
ArnavPrasadMicrosoft Sep 29, 2021
b663c2b
Minor fixes
Strikerzee Sep 30, 2021
Add robust error checking
ArnavPrasadMicrosoft committed Sep 29, 2021
commit f8cb26eab6ad7d03363ca58be90f2313c3626bb2
65 changes: 61 additions & 4 deletions common/oauthTokenManager.go
@@ -39,6 +39,7 @@ import (
"runtime"
"strconv"
"strings"
"syscall"
"time"

"golang.org/x/crypto/pkcs12"
@@ -59,6 +60,9 @@ const IMDSAPIVersionAzureVM = "2018-02-01"
const MSIEndpointAzureVM = "http://169.254.169.254/metadata/identity/oauth2/token"
const MSIEndpointArcVM = "http://127.0.0.1:40342/metadata/identity/oauth2/token"

// Refer to https://docs.microsoft.com/en-us/windows/win32/winsock/windows-sockets-error-codes-2 for details
const WSAECONNREFUSED = 10061

var DefaultTokenExpiryWithinThreshold = time.Minute * 10

// UserOAuthTokenManager for token management.
@@ -731,6 +735,17 @@ func (credInfo *OAuthTokenInfo) queryIMDS(msiEndpoint string, resource string, i
return req, resp, err
}

// checkIfWWWAuthenticateUnavailable checks if the key "Www-Authenticate" is unavailable in the header of an http response
func checkIfWWWAuthenticateUnavailable(resp *http.Response) bool {
wwwAuthenticateExists := false
if resp != nil {
if resp.Header != nil {
_, wwwAuthenticateExists = resp.Header["Www-Authenticate"]
}
}
return !wwwAuthenticateExists
}

// fixupTokenJson corrects the value of JSON field "not_before" in the Byte slice from blank to a valid value and returns the corrected Byte slice.

// Dated 15th Sep 2021.
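Review bot: `checkIfWWWAuthenticateUnavailable` nests two `if`s to reach a single map lookup; a guard clause is the idiomatic shape and keeps the same nil-safety: `if resp == nil || resp.Header == nil { return true }` followed by `_, ok := resp.Header["Www-Authenticate"]; return !ok`. The doc comment should also say what the result is used for, since later in this commit the caller treats a missing header as "the listener on 127.0.0.1:40342 is not the Arc agent" — presence of the header is a fingerprint, not an authentication of the endpoint, and any local process bound to that port can emit one; something like `// Used by GetNewTokenFromMSI to tell the Arc IMDS agent apart from another listener; a header is a hint, not proof of the agent's identity.` would make that limitation explicit to the next maintainer.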
@@ -760,11 +775,52 @@ func fixupTokenJson(bytes []byte) []byte {
func (credInfo *OAuthTokenInfo) GetNewTokenFromMSI(ctx context.Context) (*adal.Token, error) {
// Try Arc VM
req, resp, err := credInfo.queryIMDS(MSIEndpointArcVM, Resource, IMDSAPIVersionArcVM, ctx)
// fmt.Println(resp)
// fmt.Println(err)
if err != nil {
// Try Azure VM
req, resp, err = credInfo.queryIMDS(MSIEndpointAzureVM, Resource, IMDSAPIVersionAzureVM, ctx)
if err != nil {
return nil, fmt.Errorf("please check whether MSI is enabled on this PC, to enable MSI please refer to https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#enable-system-assigned-identity-on-an-existing-vm: %v", err)
// Try Azure VM since there was an error in trying Arc VM
reqAzureVM, respAzureVM, errAzureVM := credInfo.queryIMDS(MSIEndpointAzureVM, Resource, IMDSAPIVersionAzureVM, ctx)
var serr syscall.Errno
errorConverted := errors.As(err, &serr)
if errAzureVM != nil {
// fmt.Printf("error is a syscall.Errno value: %#v\n%#v", serr, syscall.ECONNREFUSED)
// fmt.Printf("%#v\n", syscall.WSAECONNREFUSED)
if errorConverted {
var econnrefusedValue int
if runtime.GOOS == "linux" {
econnrefusedValue = int(syscall.ECONNREFUSED)
} else if runtime.GOOS == "windows" {
econnrefusedValue = WSAECONNREFUSED
} else {
econnrefusedValue = -1
}

if int(serr) == econnrefusedValue {
// If connection to Arc endpoint was refused
return nil, fmt.Errorf("please check whether MSI is enabled on this PC, to enable MSI please refer to https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#enable-system-assigned-identity-on-an-existing-vm: %v", errAzureVM)
} else if checkIfWWWAuthenticateUnavailable(resp) {
// If response was malformed
return nil, fmt.Errorf("unknown process running at the endpoint: %v", err)
} else {
// If there is some other issue
return nil, fmt.Errorf("failed to process request at MSI endpoint: %v", err)
}
} else if checkIfWWWAuthenticateUnavailable(resp) {
// If response was malformed
return nil, fmt.Errorf("unknown process running at the endpoint: %v", err)
} else {
// If there is some other issue
return nil, fmt.Errorf("failed to process request at MSI endpoint: %v", err)
}
} else {
req, resp = reqAzureVM, respAzureVM
}
} else if checkIfWWWAuthenticateUnavailable(resp) {
reqAzureVM, respAzureVM, errAzureVM := credInfo.queryIMDS(MSIEndpointAzureVM, Resource, IMDSAPIVersionAzureVM, ctx)
if errAzureVM != nil {
return nil, fmt.Errorf("please check if IMDS is running at the endpoint: %v", err)
} else {
req, resp = reqAzureVM, respAzureVM
}
} else {
challengeTokenPath := strings.Split(resp.Header["Www-Authenticate"][0], "=")[1]
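Review bot: `fmt.Errorf("please check if IMDS is running at the endpoint: %v", err)` in the `checkIfWWWAuthenticateUnavailable` branch wraps `err`, which is nil on that path (it is the else of `if err != nil`), so the user sees `<nil>` and the actual Azure VM failure in `errAzureVM` is lost; the same branch then replaces `resp` with `respAzureVM` without draining or closing the Arc response body, which the deferred close later in the function (outside this hunk) no longer reaches. In the final else, `strings.Split(resp.Header["Www-Authenticate"][0], "=")[1]` indexes without checking that the challenge contains an `=`, so a malformed challenge from whatever is listening on 127.0.0.1:40342 panics the process instead of returning an error; since that value is presumably used as a path to the Arc key file further down (outside the hunk), it is worth validating its shape here and, if a file is opened from it, its location against the agent's known key directory before reading. The `err != nil` branches above also pass the Arc `resp` — normally nil on a transport error — to `checkIfWWWAuthenticateUnavailable`, so any non-refused failure such as a timeout reports "unknown process running at the endpoint" and wraps the Arc error rather than `errAzureVM`, which is misleading for the operator. `GetNewTokenFromMSI` continues past the end of this hunk.
```go
	} else if checkIfWWWAuthenticateUnavailable(resp) {
		// err == nil here, so the Arc response carries a live body: drain and close it
		// before it is replaced, otherwise the deferred close below never reaches it.
		io.Copy(ioutil.Discard, resp.Body)
		resp.Body.Close()
		reqAzureVM, respAzureVM, errAzureVM := credInfo.queryIMDS(MSIEndpointAzureVM, Resource, IMDSAPIVersionAzureVM, ctx)
		if errAzureVM != nil {
			return nil, fmt.Errorf("please check if IMDS is running at the endpoint: %v", errAzureVM)
		}
		req, resp = reqAzureVM, respAzureVM
	} else {
		// Fail with an error, not a panic, when the challenge does not carry a "=<value>" part.
		challenge := resp.Header["Www-Authenticate"][0]
		parts := strings.Split(challenge, "=")
		if len(parts) < 2 || parts[1] == "" {
			return nil, fmt.Errorf("unexpected Www-Authenticate challenge from Arc IMDS endpoint: %q", challenge)
		}
		challengeTokenPath := parts[1]
```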
@@ -798,6 +854,7 @@ func (credInfo *OAuthTokenInfo) GetNewTokenFromMSI(ctx context.Context) (*adal.T
return nil, fmt.Errorf("failed to query token from Arc IMDS endpoint. Please report the issue to xxx@microsoft.com: %v", err)
}
}

defer func() { // resp and Body should not be nil
io.Copy(ioutil.Discard, resp.Body)
resp.Body.Close()