fix: resolving azure overage claim should include api-version=1.6 query parameter (#2000)

As unfortunately documented almost nowhere, sending a request to the
Microsoft Graph API requires a query parameter to specify an
undocumented `api-version` with value `1.6`.

Source:
https://stackoverflow.com/questions/51085863/retrieve-group-claims-using-claim-sources-returns-the-specified-api-version-is

Author: hf

internal/api/provider/azure.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
 	"regexp"
 	"strings"
 	"unicode/utf8"
@@ -198,7 +199,19 @@ func (c *AzureIDTokenClaims) ResolveIndirectClaims(ctx context.Context, httpClie
 			continue
 		}
 
-		claimEndpoint := claimEndpointObject.Endpoint
+		u, err := url.ParseRequestURI(claimEndpointObject.Endpoint)
+		if err != nil {
+			return nil, fmt.Errorf("azure: failed to parse endpoint URL %q (resolving overage claim %q): %w", claimEndpointObject.Endpoint, claimName, err)
+		}
+
+		queryParams := u.Query()
+		if !queryParams.Has("api-version") {
+			// https://stackoverflow.com/questions/51085863/retrieve-group-claims-using-claim-sources-returns-the-specified-api-version-is
+			queryParams.Add("api-version", "1.6")
+			u.RawQuery = queryParams.Encode()
+		}
+
+		claimEndpoint := u.String()
 
 		req, err := http.NewRequestWithContext(ctx, http.MethodPost, claimEndpoint, strings.NewReader(`{"securityEnabledOnly":true}`))
 		if err != nil {

internal/api/provider/azure_test.go

@@ -99,7 +99,7 @@ func TestAzureResolveIndirectClaimsFailures(t *testing.T) {
 		{
 			name:          "invalid url",
 			urlSuffix:     "\000",
-			expectedError: "azure: failed to create POST request to \"SERVER-URL\\x00\" (resolving overage claim \"groups\"): parse \"SERVER-URL\\x00\": net/url: invalid control character in URL",
+			expectedError: "azure: failed to parse endpoint URL \"SERVER-URL\\x00\" (resolving overage claim \"groups\"): parse \"SERVER-URL\\x00\": net/url: invalid control character in URL",
 		},
 		{
 			name:          "no such server",
@@ -141,6 +141,8 @@ func TestAzureResolveIndirectClaimsFailures(t *testing.T) {
 	for _, example := range examples {
 		t.Run(example.name, func(t *testing.T) {
 			server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				require.Equal(t, "1.6", r.URL.Query().Get("api-version"))
+
 				w.WriteHeader(example.statusCode)
 
 				w.Write(example.body)
@@ -164,7 +166,7 @@ func TestAzureResolveIndirectClaimsFailures(t *testing.T) {
 			resolvedClaims, err := claims.ResolveIndirectClaims(context.Background(), server.Client(), "access-token")
 			require.Nil(t, resolvedClaims)
 			require.Error(t, err)
-			require.Equal(t, example.expectedError, strings.ReplaceAll(strings.ReplaceAll(err.Error(), server.URL, "SERVER-URL"), u.Port(), "PORT"))
+			require.Equal(t, example.expectedError, strings.ReplaceAll(strings.ReplaceAll(strings.ReplaceAll(err.Error(), server.URL, "SERVER-URL"), u.Port(), "PORT"), "?api-version=1.6", ""))
 		})
 	}