-
Notifications
You must be signed in to change notification settings - Fork 1.4k
Add auxiliary authentication header policy in core pipeline #25270
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
MaryGao
merged 31 commits into
Azure:main
from
MaryGao:add-auxiliary-auth-policy-in-core
May 10, 2023
Merged
Changes from 25 commits
Commits
Show all changes
31 commits
Select commit
Hold shift + click to select a range
99c74f7
Update auxiliary auth toke policy
MaryGao 78884f2
Update the changelog and bump the version
MaryGao e43ac87
Update the test name
MaryGao 9ad2d94
Update format
MaryGao e7e8e14
Update the lint fix
MaryGao 85c52b4
Merge remote-tracking branch 'origin/main' into add-auxiliary-auth-po…
MaryGao 97d37a6
Update sdk/core/core-rest-pipeline/src/policies/auxiliaryAuthenticati…
MaryGao ba32825
Merge branch 'main' into add-auxiliary-auth-policy-in-core
MaryGao 1ed399a
Update typo issues
MaryGao 0cf0f6f
Update the name to MultiTenantAuthenticationPolicy
MaryGao aee479a
Update the policy name and test cases
MaryGao c386660
Merge remote-tracking branch 'origin/main' into add-auxiliary-auth-po…
MaryGao f50ca20
Merge remote-tracking branch 'origin/main' into add-auxiliary-auth-po…
MaryGao 51bfbae
Merge remote-tracking branch 'origin/main' into add-auxiliary-auth-po…
MaryGao 0c14094
Merge remote-tracking branch 'origin/main' into add-auxiliary-auth-po…
MaryGao 1bbbb24
Update the test cases and policy code
MaryGao c5dd52d
Update the documents for this policy
MaryGao ed3adc1
Update the policy name and CHANGELOG
MaryGao e1aad77
Update the index
MaryGao 05150e1
Fix the linter issue
MaryGao 08e59ac
Update the format
MaryGao 46f9def
Merge remote-tracking branch 'origin/main' into add-auxiliary-auth-po…
MaryGao 1d3f912
Skip header set if None of the auxiliary tokens are valid
MaryGao 2d9c935
Update the test cases
MaryGao 7bfe2a7
Update sdk/core/core-rest-pipeline/src/policies/auxiliaryAuthenticati…
MaryGao ba4c69d
Merge remote-tracking branch 'origin/main' into add-auxiliary-auth-po…
MaryGao e2e7f7f
Update sdk/core/core-rest-pipeline/src/policies/auxiliaryAuthenticati…
MaryGao 8ac016e
Update sdk/core/core-rest-pipeline/src/policies/auxiliaryAuthenticati…
MaryGao 2d9646a
Update sdk/core/core-rest-pipeline/src/policies/auxiliaryAuthenticati…
MaryGao 6f110a6
Update sdk/core/core-rest-pipeline/src/policies/auxiliaryAuthenticati…
MaryGao 2e7254e
Update format
MaryGao File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
106 changes: 106 additions & 0 deletions
106
sdk/core/core-rest-pipeline/src/policies/auxiliaryAuthenticationHeaderPolicy.ts
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,106 @@ | ||
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT license. | ||
|
|
||
| import { GetTokenOptions, TokenCredential } from "@azure/core-auth"; | ||
| import { AzureLogger } from "@azure/logger"; | ||
| import { PipelineRequest, PipelineResponse, SendRequest } from "../interfaces"; | ||
| import { PipelinePolicy } from "../pipeline"; | ||
| import { AccessTokenGetter, createTokenCycler } from "../util/tokenCycler"; | ||
| import { logger as coreLogger } from "../log"; | ||
| import { AuthorizeRequestOptions } from "./bearerTokenAuthenticationPolicy"; | ||
|
|
||
| /** | ||
| * The programmatic identifier of the auxiliaryAuthenticationHeaderPolicy. | ||
| */ | ||
| export const auxiliaryAuthenticationHeaderPolicyName = "auxiliaryAuthenticationHeaderPolicy"; | ||
| const AUTHORIZATION_AUXILIARY_HEADER = "x-ms-authorization-auxiliary"; | ||
|
|
||
| /** | ||
| * Options to configure the auxiliaryAuthenticationHeaderPolicy | ||
| */ | ||
| export interface AuxiliaryAuthenticationHeaderPolicyOptions { | ||
| /** | ||
| * TokenCredential list used to get token from auxiliary tenants and | ||
| * one credential for each tenant the client may need to access | ||
| */ | ||
| credentials?: TokenCredential[]; | ||
| /** | ||
| * Scopes depend on the cloud your application runs in | ||
| */ | ||
| scopes: string | string[]; | ||
| /** | ||
| * A logger can be sent for debugging purposes. | ||
| */ | ||
| logger?: AzureLogger; | ||
| } | ||
|
|
||
| type NullableString = string | null | undefined; | ||
|
|
||
| async function sendAuthorizeRequest(options: AuthorizeRequestOptions): Promise<NullableString> { | ||
| const { scopes, getAccessToken, request } = options; | ||
| const getTokenOptions: GetTokenOptions = { | ||
| abortSignal: request.abortSignal, | ||
| tracingOptions: request.tracingOptions, | ||
| }; | ||
|
|
||
| return (await getAccessToken(scopes, getTokenOptions))?.token; | ||
|
MaryGao marked this conversation as resolved.
Outdated
|
||
| } | ||
|
|
||
| /** | ||
| * A policy for external tokens to `x-ms-authorization-auxiliary` header. | ||
| * This header will be used when creating a cross-tenant application we may need to handle authentication requests | ||
| * for resources that are in different tenants. | ||
| * You could see [ARM docs](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/authenticate-multi-tenant) for a rundown of how this feature works | ||
| */ | ||
| export function auxiliaryAuthenticationHeaderPolicy( | ||
| options: AuxiliaryAuthenticationHeaderPolicyOptions | ||
| ): PipelinePolicy { | ||
| const { credentials, scopes } = options; | ||
| const logger = options.logger || coreLogger; | ||
| const tokenCyclerMap = new WeakMap<TokenCredential, AccessTokenGetter>(); | ||
|
|
||
| return { | ||
| name: auxiliaryAuthenticationHeaderPolicyName, | ||
| async sendRequest(request: PipelineRequest, next: SendRequest): Promise<PipelineResponse> { | ||
| if (!request.url.toLowerCase().startsWith("https://")) { | ||
| throw new Error( | ||
| "Bearer token authentication for auxiliary header is not permitted for non-TLS protected (non-https) URLs." | ||
| ); | ||
| } | ||
| if (!credentials || credentials.length === 0) { | ||
| logger.info(`Skip ${auxiliaryAuthenticationHeaderPolicyName} due to empty credentials`); | ||
| return next(request); | ||
| } | ||
|
|
||
| const tokenPromises: Promise<NullableString>[] = []; | ||
| for (const credential of credentials) { | ||
| if (!tokenCyclerMap.has(credential)) { | ||
| tokenCyclerMap.set(credential, createTokenCycler(credential)); | ||
| } | ||
| tokenPromises.push( | ||
| sendAuthorizeRequest({ | ||
| scopes: Array.isArray(scopes) ? scopes : [scopes], | ||
| request, | ||
| getAccessToken: tokenCyclerMap.get(credential)!, | ||
| logger, | ||
| }) | ||
| ); | ||
|
MaryGao marked this conversation as resolved.
Outdated
|
||
| } | ||
| const auxiliaryTokens: NullableString[] = (await Promise.all(tokenPromises)).filter((token) => | ||
|
MaryGao marked this conversation as resolved.
Outdated
|
||
| Boolean(token) | ||
| ); | ||
| if (auxiliaryTokens.length === 0) { | ||
| logger.warning( | ||
| `None of the auxiliary tokens are valid and skip to set ${AUTHORIZATION_AUXILIARY_HEADER} header` | ||
|
MaryGao marked this conversation as resolved.
Outdated
|
||
| ); | ||
| return next(request); | ||
| } | ||
| request.headers.set( | ||
| AUTHORIZATION_AUXILIARY_HEADER, | ||
| auxiliaryTokens.map((token) => `Bearer ${token}`).join(", ") | ||
| ); | ||
|
|
||
| return next(request); | ||
| }, | ||
| }; | ||
| } | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.