migrate from adal to azidentity

adal is is out of support since March 31, 2023.
This PR migrates from adal to azidentity for azure
key vault

Signed-off-by: sp98 <[email protected]>

Author: sp98

azure/azure_kv.go

@@ -6,8 +6,7 @@ import (
 	"errors"
 	"time"
 
-	"github.com/Azure/azure-sdk-for-go/services/keyvault/2016-10-01/keyvault"
-	"github.com/Azure/go-autorest/autorest/to"
+	"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
 	"github.com/libopenstorage/secrets"
 	"github.com/portworx/sched-ops/task"
 )
@@ -21,6 +20,10 @@ const (
 	AzureClientID = "AZURE_CLIENT_ID"
 	// AzureClientSecret of service principal account
 	AzureClientSecret = "AZURE_CLIENT_SECRET"
+	// AzureClientCertPath is path of the client certificate
+	AzureClientCertPath = "AZURE_CLIENT_CERT_PATH"
+	// AzureClientCertPassword is the password of the private key
+	AzureClientCertPassword = "AZURE_CIENT_CERT_PASSWORD"
 	// AzureEnviornment to connect
 	AzureEnviornment = "AZURE_ENVIRONMENT"
 	// AzureVaultURI of azure key vault
@@ -37,6 +40,7 @@ var (
 	ErrAzureTenantIDNotSet    = errors.New("AZURE_TENANT_ID not set.")
 	ErrAzureClientIDNotSet    = errors.New("AZURE_CLIENT_ID not set.")
 	ErrAzureSecretIDNotSet    = errors.New("AZURE_SECRET_ID not set.")
+	ErrAzureAuthMedhodNotSet  = errors.New("AZURE_SECRET_ID or AZURE_CLIENT_CERT_PATH not set")
 	ErrAzureVaultURLNotSet    = errors.New("AZURE_VAULT_URL not set.")
 	ErrAzureEnvironmentNotset = errors.New("AZURE_ENVIRONMENT not set.")
 	ErrAzureConfigMissing     = errors.New("AzureConfig is not provided")
@@ -45,7 +49,7 @@ var (
 )
 
 type azureSecrets struct {
-	kv      keyvault.BaseClient
+	kv      azsecrets.Client
 	baseURL string
 }
 
@@ -62,9 +66,9 @@ func New(
 		return nil, ErrAzureClientIDNotSet
 	}
 	secretID := getAzureKVParams(secretConfig, AzureClientSecret)
-	if secretID == "" {
-		return nil, ErrAzureSecretIDNotSet
-	}
+	clientCertPath := getAzureKVParams(secretConfig, AzureClientCertPath)
+	clientCertPassword := getAzureKVParams(secretConfig, AzureClientCertPassword)
+
 	envName := getAzureKVParams(secretConfig, AzureEnviornment)
 	if envName == "" {
 		// we set back to default AzurePublicCloud
@@ -75,13 +79,24 @@ func New(
 		return nil, ErrAzureVaultURLNotSet
 	}
 
-	client, err := getAzureVaultClient(clientID, secretID, tenantID, envName)
-	if err != nil {
-		return nil, err
+	var client *azsecrets.Client
+	var err error
+	if secretID != "" {
+		client, err = getAzureVaultClient(clientID, secretID, tenantID, vaultURL)
+		if err != nil {
+			return nil, err
+		}
+	} else if clientCertPath != "" {
+		client, err = getAzureVaultClientWithCert(clientID, tenantID, vaultURL, clientCertPath, clientCertPassword)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		return nil, ErrAzureAuthMedhodNotSet
 	}
 
 	return &azureSecrets{
-		kv:      client,
+		kv:      *client,
 		baseURL: vaultURL,
 	}, nil
 }
@@ -98,7 +113,8 @@ func (az *azureSecrets) GetSecret(
 	}
 
 	t := func() (interface{}, bool, error) {
-		secretResp, err := az.kv.GetSecret(ctx, az.baseURL, secretID, "")
+		// passing empty version to always get the latest version of the secret.
+		secretResp, err := az.kv.GetSecret(ctx, secretID, "", nil)
 		if err != nil {
 			return nil, true, err
 		}
@@ -109,7 +125,7 @@ func (az *azureSecrets) GetSecret(
 		return nil, secrets.NoVersion, err
 	}
 
-	secretResp, ok := resp.(keyvault.SecretBundle)
+	secretResp, ok := resp.(azsecrets.SecretBundle)
 	if !ok || secretResp.Value == nil {
 		return nil, secrets.NoVersion, ErrInvalidSecretResp
 	}
@@ -133,7 +149,7 @@ func (az *azureSecrets) PutSecret(
 	ctx, cancel := context.WithTimeout(context.Background(), defaultTimeout)
 	defer cancel()
 
-	var secretResp keyvault.SecretBundle
+	var secretResp azsecrets.SecretBundle
 	if secretName == "" {
 		return secrets.NoVersion, secrets.ErrEmptySecretId
 	}
@@ -146,10 +162,10 @@ func (az *azureSecrets) PutSecret(
 		return secrets.NoVersion, err
 	}
 
+	valueStr := string(value)
 	t := func() (interface{}, bool, error) {
-		secretResp, err = az.kv.SetSecret(ctx, az.baseURL, secretName, keyvault.SecretSetParameters{
-			Value: to.StringPtr(string(value)),
-		})
+		params := azsecrets.SetSecretParameters{Value: &valueStr}
+		az.kv.SetSecret(ctx, secretName, params, nil)
 		if err != nil {
 			return nil, true, err
 		}
@@ -169,7 +185,7 @@ func (az *azureSecrets) DeleteSecret(
 	if secretName == "" {
 		return secrets.ErrEmptySecretId
 	}
-	_, err := az.kv.DeleteSecret(ctx, az.baseURL, secretName)
+	_, err := az.kv.DeleteSecret(ctx, secretName, nil)
 
 	return err
 }

azure/azure_kv_helper.go

@@ -1,14 +1,11 @@
 package azure
 
 import (
-	"net/url"
+	"fmt"
 	"os"
-	"strings"
 
-	"github.com/Azure/azure-sdk-for-go/services/keyvault/2016-10-01/keyvault"
-	"github.com/Azure/go-autorest/autorest"
-	"github.com/Azure/go-autorest/autorest/adal"
-	"github.com/Azure/go-autorest/autorest/azure"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
 )
 
 func getAzureKVParams(secretConfig map[string]interface{}, name string) string {
@@ -19,29 +16,46 @@ func getAzureKVParams(secretConfig map[string]interface{}, name string) string {
 	}
 }
 
-func getAzureVaultClient(clientID, secretID, tenantID, envName string) (keyvault.BaseClient, error) {
-	var environment *azure.Environment
-	alternateEndpoint, _ := url.Parse(
-		"https://login.windows.net/" + tenantID + "/oauth2/token")
+func getAzureVaultClient(clientID, secretID, tenantID, vaultURL string) (*azsecrets.Client, error) {
+	cred, err := azidentity.NewClientSecretCredential(tenantID, clientID, secretID, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get client secret credentials. %v", err)
+	}
+	client, err := azsecrets.NewClient(vaultURL, cred, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get client to access azure kv secrets. %v", err)
+	}
+
+	return client, nil
+}
+
+func getAzureVaultClientWithCert(clientID, tenantID, vaultURL, certPath, certPassword string) (*azsecrets.Client, error) {
+	certData, err := os.ReadFile(certPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed read certificate from path %q. %v", certPath, err)
+	}
 
-	keyClient := keyvault.New()
-	env, err := azure.EnvironmentFromName(envName)
+	var passphrase []byte
+	if certPassword == "" {
+		passphrase = nil
+	} else {
+		passphrase = []byte(certPassword)
+	}
+
+	certs, key, err := azidentity.ParseCertificates(certData, passphrase)
 	if err != nil {
-		return keyClient, err
+		return nil, fmt.Errorf("failed load certificate and private key. %v", err)
 	}
-	environment = &env
-	oauthconfig, err := adal.NewOAuthConfig(
-		environment.ActiveDirectoryEndpoint, tenantID)
+
+	cred, err := azidentity.NewClientCertificateCredential(tenantID, clientID, certs, key, nil)
 	if err != nil {
-		return keyClient, err
+		return nil, fmt.Errorf("failed to construct client certificate credentials. %v", err)
 	}
-	oauthconfig.AuthorizeEndpoint = *alternateEndpoint
 
-	token, err := adal.NewServicePrincipalToken(
-		*oauthconfig, clientID, secretID, strings.TrimSuffix(environment.KeyVaultEndpoint, "/"))
+	client, err := azsecrets.NewClient(vaultURL, cred, nil)
 	if err != nil {
-		return keyClient, err
+		return nil, fmt.Errorf("failed to get client to access azure kv secrets. %v", err)
 	}
-	keyClient.Authorizer = autorest.NewBearerAuthorizer(token)
-	return keyClient, nil
+
+	return client, nil
 }

azure/azure_kv_test.go

@@ -11,25 +11,26 @@ func TestNew(t *testing.T) {
 	os.Unsetenv("AZURE_TENANT_ID")
 	os.Unsetenv("AZURE_CLIENT_ID")
 	os.Unsetenv("AZURE_CLIENT_SECRET")
+	os.Unsetenv("AZURE_CLIENT_CERT_PATH")
 	os.Unsetenv("AZURE_ENVIRONMENT")
 	os.Unsetenv("AZURE_VAULT_URL")
 
 	// nil secret config
 	_, err := New(nil)
-	assert.Equal(t, err, ErrAzureTenantIDNotSet)
+	assert.Equal(t, ErrAzureTenantIDNotSet, err)
 	os.Setenv("AZURE_TENANT_ID", "invalid_tenant_id")
 
 	_, err = New(nil)
-	assert.Equal(t, err, ErrAzureClientIDNotSet)
+	assert.Equal(t, ErrAzureClientIDNotSet, err)
 	os.Setenv("AZURE_CLIENT_ID", "invalid-client-id")
 
 	_, err = New(nil)
-	assert.Equal(t, err, ErrAzureSecretIDNotSet)
-	os.Setenv("AZURE_CLIENT_SECRET", "invalid-secret-id")
+	assert.Equal(t, ErrAzureVaultURLNotSet, err)
+	os.Setenv("AZURE_VAULT_URL", "invalid-vault-url")
 
 	_, err = New(nil)
-	assert.Equal(t, err, ErrAzureVaultURLNotSet)
-	os.Setenv("AZURE_VAULT_URL", "invalid-vault-url")
+	assert.Equal(t, ErrAzureAuthMedhodNotSet, err)
+	os.Setenv("AZURE_CLIENT_SECRET", "invalid-secret-id")
 
 	_, err = New(nil)
 	assert.NoError(t, err, "Unepxected error on New")

go.mod

@@ -18,21 +18,22 @@ require (
 	github.com/portworx/kvdb v0.0.0-20200929023115-b312c7519467
 	github.com/portworx/sched-ops v1.20.4-rc1
 	github.com/sirupsen/logrus v1.9.0
-	github.com/stretchr/testify v1.8.0
+	github.com/stretchr/testify v1.8.4
 	google.golang.org/api v0.83.0
 	k8s.io/client-go v12.0.0+incompatible
 )
 
 require (
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1
+	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armsubscriptions v1.3.0
 	github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
 	github.com/cenkalti/backoff v2.2.1+incompatible // indirect
 	github.com/cenkalti/backoff/v3 v3.2.2 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.0 // indirect
 	github.com/go-test/deep v1.0.8 // indirect
-	github.com/golang-jwt/jwt/v4 v4.3.0 // indirect
-	github.com/google/uuid v1.3.0 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
 	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect