OCPBUGS-7860: azure: session: fix unclear auth error messages

go.mod

@@ -10,7 +10,6 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0
 	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.4.1
 	github.com/Azure/go-autorest/autorest v0.11.28
-	github.com/Azure/go-autorest/autorest/azure/auth v0.5.1
 	github.com/Azure/go-autorest/autorest/to v0.4.0
 	github.com/IBM-Cloud/bluemix-go v0.0.0-20211102075456-ffc4e11dfb16
 	github.com/IBM-Cloud/power-go-client v1.2.0
@@ -135,7 +134,6 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.1 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 	github.com/Azure/go-autorest/autorest/adal v0.9.21 // indirect
-	github.com/Azure/go-autorest/autorest/azure/cli v0.4.0 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
@@ -153,7 +151,6 @@ require (
 	github.com/coreos/go-systemd/v22 v22.3.2 // indirect
 	github.com/coreos/vcontext v0.0.0-20211021162308-f1dbbca7bef4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/dimchansky/utfbom v1.1.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.10.1 // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/fatih/color v1.13.0 // indirect

go.sum

@@ -78,31 +78,22 @@ github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
 github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
 github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
-github.com/Azure/go-autorest/autorest v0.11.0/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw=
 github.com/Azure/go-autorest/autorest v0.11.27/go.mod h1:7l8ybrIdUmGqZMTD0sRtAr8NvbHjfofbf8RSP2q7w7U=
 github.com/Azure/go-autorest/autorest v0.11.28 h1:ndAExarwr5Y+GaHE6VCaY1kyS/HwwGGyuimVhWsHOEM=
 github.com/Azure/go-autorest/autorest v0.11.28/go.mod h1:MrkzG3Y3AH668QyF9KRk5neJnGgmhQ6krbhR8Q5eMvA=
-github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg=
-github.com/Azure/go-autorest/autorest/adal v0.9.2/go.mod h1:/3SMAM86bP6wC9Ev35peQDUeqFZBMH07vvUOmg4z/fE=
 github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ=
 github.com/Azure/go-autorest/autorest/adal v0.9.20/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ=
 github.com/Azure/go-autorest/autorest/adal v0.9.21 h1:jjQnVFXPfekaqb8vIsv2G1lxshoW+oGv4MDlhRtnYZk=
 github.com/Azure/go-autorest/autorest/adal v0.9.21/go.mod h1:zua7mBUaCc5YnSLKYgGJR/w5ePdMDA6H56upLsHzA9U=
-github.com/Azure/go-autorest/autorest/azure/auth v0.5.1 h1:bvUhZciHydpBxBmCheUgxxbSwJy7xcfjkUsjUcqSojc=
-github.com/Azure/go-autorest/autorest/azure/auth v0.5.1/go.mod h1:ea90/jvmnAwDrSooLH4sRIehEPtG/EPUXavDh31MnA4=
-github.com/Azure/go-autorest/autorest/azure/cli v0.4.0 h1:Ml+UCrnlKD+cJmSzrZ/RDcDw86NjkRUpnFh7V5JUhzU=
-github.com/Azure/go-autorest/autorest/azure/cli v0.4.0/go.mod h1:JljT387FplPzBA31vUcvsetLKF3pec5bdAxjVU4kI2s=
 github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw=
 github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=
-github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
 github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
 github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw=
 github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU=
 github.com/Azure/go-autorest/autorest/to v0.4.0 h1:oXVqrxakqqV1UZdSazDOPOLvOIz+XA683u8EctwboHk=
 github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE=
 github.com/Azure/go-autorest/autorest/validation v0.3.1 h1:AgyqjAd94fwNAoTjl/WQXg4VvFeRFpO+UhNyRXqF1ac=
 github.com/Azure/go-autorest/autorest/validation v0.3.1/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E=
-github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
 github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg=
 github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
 github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
@@ -302,8 +293,6 @@ github.com/davecgh/go-xdr v0.0.0-20161123171359-e6a2ba005892/go.mod h1:CTDl0pzVz
 github.com/daviddengcn/go-colortext v0.0.0-20160507010035-511bcaf42ccd/go.mod h1:dv4zxwHi5C/8AeI+4gX4dCWOIvNi7I6JCSX0HvlKPgE=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
-github.com/dimchansky/utfbom v1.1.0 h1:FcM3g+nofKgUteL8dm/UpdRXNC9KmADgTpLKsu0TRo4=
-github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8=
 github.com/diskfs/go-diskfs v1.2.1-0.20210727185522-a769efacd235 h1:+NFKI4ptfB3AKeut6a538wanUHOKEMwZfznBZZ6a5Qc=
 github.com/diskfs/go-diskfs v1.2.1-0.20210727185522-a769efacd235/go.mod h1:IoDpuEbpS+D+yCGdoOm6GNfyTeEws77ALvcMQFxmenw=
 github.com/dnaeon/go-vcr v1.1.0 h1:ReYa/UBrRyQdant9B4fNHGoCNKw6qh6P0fsdGmZpR7c=

pkg/asset/installconfig/azure/session.go

@@ -2,6 +2,7 @@ package azure
 
 import (
 	"encoding/json"
+	"io/fs"
 	"os"
 	"path/filepath"
 	"strings"
@@ -13,7 +14,6 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/Azure/go-autorest/autorest"
 	azureenv "github.com/Azure/go-autorest/autorest/azure"
-	"github.com/Azure/go-autorest/autorest/azure/auth"
 	"github.com/jongio/azidext/go/azidext"
 	azurekiota "github.com/microsoft/kiota-authentication-azure-go"
 	"github.com/pkg/errors"
@@ -43,8 +43,8 @@ type Credentials struct {
 	ClientID                  string `json:"clientId,omitempty"`
 	ClientSecret              string `json:"clientSecret,omitempty"`
 	TenantID                  string `json:"tenantId,omitempty"`
-	ClientCertificatePath     string `json:"certificatePath,omitempty"`
-	ClientCertificatePassword string `json:"certificatePassword,omitempty"`
+	ClientCertificatePath     string `json:"clientCertificate,omitempty"`
+	ClientCertificatePassword string `json:"clientCertificatePassword,omitempty"`
 }
 
 // GetSession returns an azure session by using credentials found in ~/.azure/osServicePrincipal.json
@@ -90,13 +90,14 @@ func GetSessionWithCredentials(cloudName azure.CloudEnvironment, armEndpoint str
 	}
 
 	if credentials == nil {
-		credentials, err = credentialsFromFileOrUser(&cloudEnv)
+		credentials, err = credentialsFromFileOrUser()
 		if err != nil {
 			return nil, err
 		}
 	}
 	var cred azcore.TokenCredential
 	if credentials.ClientCertificatePath != "" {
+		logrus.Warnf("Using client certs to authenticate. Please be warned cluster does not support certs and only the installer does.")
 		cred, err = newTokenCredentialFromCertificates(credentials, cloudConfig)
 	} else {
 		cred, err = newTokenCredentialFromCredentials(credentials, cloudConfig)
@@ -110,37 +111,41 @@ func GetSessionWithCredentials(cloudName azure.CloudEnvironment, armEndpoint str
 // credentialsFromFileOrUser returns credentials found
 // in ~/.azure/osServicePrincipal.json and, if no creds are found,
 // asks for them and stores them on disk in a config file
-func credentialsFromFileOrUser(cloudEnv *azureenv.Environment) (*Credentials, error) {
+func credentialsFromFileOrUser() (*Credentials, error) {
 	authFilePath := defaultAuthFilePath
 	if f := os.Getenv(azureAuthEnv); len(f) > 0 {
 		authFilePath = f
 	}
-	// NewAuthorizerFromFileWithResource uses `auth.GetSettingsFromFile`, which uses the `azureAuthEnv` to fetch the auth credentials.
-	// therefore setting the local env here to authFilePath allows NewAuthorizerFromFileWithResource to load credentials.
-	os.Setenv(azureAuthEnv, authFilePath)
-	_, err := auth.NewAuthorizerFromFileWithResource(cloudEnv.ResourceManagerEndpoint)
+
+	var authFile Credentials
+
+	contents, err := os.ReadFile(authFilePath)
 	if err != nil {
-		logrus.Infof("Could not get an azure authorizer from file: %s", err.Error())
-		logrus.Infof("Asking user to provide authentication info")
-		credentials, err := askForCredentials()
-		if err != nil {
-			return nil, errors.Wrap(err, "failed to retrieve credentials from user")
+		// If the file with creds was not found, ask user for auth info
+		if errors.Is(err, fs.ErrNotExist) {
+			logrus.Infof("Asking user to provide authentication info")
+			credentials, cerr := askForCredentials()
+			if cerr != nil {
+				return nil, errors.Wrap(cerr, "failed to retrieve credentials from user")
+			}
+			logrus.Infof("Saving user credentials to %q", authFilePath)
+			if cerr = saveCredentials(*credentials, authFilePath); cerr != nil {
+				return nil, errors.Wrap(cerr, "failed to save credentials")
+			}
+			authFile = *credentials
+		} else {
+			// File was found but we failed to read it, just error out and let the user handle it
+			return nil, err
 		}
-		logrus.Infof("Saving user credentials to %q", authFilePath)
-		if err = saveCredentials(*credentials, authFilePath); err != nil {
-			return nil, errors.Wrap(err, "failed to save credentials")
+	} else {
+		err = json.Unmarshal(contents, &authFile)
+		if err != nil {
+			return nil, err
 		}
 	}
 
-	//If the authorizer worked right away, we need to read credentials details
-	authSettings, err := auth.GetSettingsFromFile()
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to get settings from file")
-	}
-
-	credentials, err := getCredentials(authSettings)
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to map authsettings to credentials")
+	if err := checkCredentials(authFile); err != nil {
+		return nil, err
 	}
 
 	if _, has := onceLoggers[authFilePath]; !has {
@@ -150,40 +155,23 @@ func credentialsFromFileOrUser(cloudEnv *azureenv.Environment) (*Credentials, er
 		logrus.Infof("Credentials loaded from file %q", authFilePath)
 	})
 
-	return credentials, nil
+	return &authFile, nil
 }
 
-func getCredentials(fs auth.FileSettings) (*Credentials, error) {
-	subscriptionID := fs.GetSubscriptionID()
-	if subscriptionID == "" {
-		return nil, errors.New("could not retrieve subscriptionId from auth file")
+func checkCredentials(creds Credentials) error {
+	if creds.SubscriptionID == "" {
+		return errors.New("could not retrieve subscriptionId from auth file")
 	}
-
-	clientID := fs.Values[auth.ClientID]
-	if clientID == "" {
-		return nil, errors.New("could not retrieve clientId from auth file")
+	if creds.ClientID == "" {
+		return errors.New("could not retrieve clientId from auth file")
 	}
-	clientSecret := fs.Values[auth.ClientSecret]
-	tenantID := fs.Values[auth.TenantID]
-	if tenantID == "" {
-		return nil, errors.New("could not retrieve tenantId from auth file")
+	if creds.TenantID == "" {
+		return errors.New("could not retrieve tenantId from auth file")
 	}
-	clientCertificatePassword := fs.Values[auth.CertificatePassword]
-	clientCertificatePath := fs.Values[auth.CertificatePath]
-	if clientSecret == "" {
-		if clientCertificatePath == "" {
-			return nil, errors.New("could not retrieve either client secret or client certs from auth file")
-		}
-		logrus.Warnf("Using client certs to authenticate. Please be warned cluster does not support certs and only the installer does.")
+	if creds.ClientSecret == "" && creds.ClientCertificatePath == "" {
+		return errors.New("could not retrieve either client secret or client certs from auth file")
 	}
-	return &Credentials{
-		SubscriptionID:            subscriptionID,
-		ClientID:                  clientID,
-		ClientSecret:              clientSecret,
-		TenantID:                  tenantID,
-		ClientCertificatePath:     clientCertificatePath,
-		ClientCertificatePassword: clientCertificatePassword,
-	}, nil
+	return nil
 }
 
 func askForCredentials() (*Credentials, error) {