func oauthClient() autorest.Client {
c := autorest.NewClientWithUserAgent(fmt.Sprintf("docker-machine/%s", version.Version))
c.RequestInspector = withInspection()
c.ResponseInspector = byInspecting()
// TODO set user agent
return c
}
// NewWithBaseURI creates an instance of the ManagementClient client.
func NewWithBaseURI(baseURI string, subscriptionID string) ManagementClient {
return ManagementClient{
Client: autorest.NewClientWithUserAgent(UserAgent()),
BaseURI: baseURI,
SubscriptionID: subscriptionID,
}
}
// NewClient creates an instance of RateCard Client
func NewClient(subscriptionID string) Client {
return Client{
Client: autorest.NewClientWithUserAgent(""),
BaseURI: DefaultBaseURI,
SubscriptionID: subscriptionID,
}
}
func NewManagementClient(baseURI string) ManagementClient {
return ManagementClient{
Client: autorest.NewClientWithUserAgent(UserAgent()),
BaseURI: baseURI,
APIVersion: APIVersion,
}
}
// New creates an instance of the ManagementClient client.
func New(subscriptionID string) ManagementClient {
return ManagementClient{
Client: autorest.NewClientWithUserAgent(UserAgent()),
BaseURI: DefaultBaseURI,
APIVersion: APIVersion,
SubscriptionID: subscriptionID,
}
}
// NewWithBaseURI creates an instance of the ManagementClient client.
func NewWithBaseURI(baseURI string, adlsFileSystemDNSSuffix string) ManagementClient {
return ManagementClient{
Client: autorest.NewClientWithUserAgent(UserAgent()),
BaseURI: baseURI,
APIVersion: APIVersion,
AdlsFileSystemDNSSuffix: adlsFileSystemDNSSuffix,
}
}
// NewWithBaseURI creates an instance of the ManagementClient client.
func NewWithBaseURI(baseURI string, subscriptionID string, resourceGroupName string, appCollection string, appName string) ManagementClient {
return ManagementClient{
Client: autorest.NewClientWithUserAgent(UserAgent()),
BaseURI: baseURI,
APIVersion: APIVersion,
SubscriptionID: subscriptionID,
ResourceGroupName: resourceGroupName,
AppCollection: appCollection,
AppName: appName,
}
}
// tokenFromDeviceFlow prints a message to the screen for user to take action to
// consent application on a browser and in the meanwhile the authentication
// endpoint is polled until user gives consent, denies or the flow times out.
// Returned token must be saved.
func tokenFromDeviceFlow(say func(string), oauthCfg azure.OAuthConfig, tokenPath, clientID, resource string) (*azure.ServicePrincipalToken, error) {
cl := autorest.NewClientWithUserAgent(userAgent)
deviceCode, err := azure.InitiateDeviceAuth(&cl, oauthCfg, clientID, resource)
if err != nil {
return nil, fmt.Errorf("Failed to start device auth: %v", err)
}
// Example message: “To sign in, open https://aka.ms/devicelogin and enter
// the code 0000000 to authenticate.”
say(fmt.Sprintf("Microsoft Azure: %s", to.String(deviceCode.Message)))
token, err := azure.WaitForUserCompletion(&cl, deviceCode)
if err != nil {
return nil, fmt.Errorf("Failed to complete device auth: %v", err)
}
spt, err := azure.NewServicePrincipalTokenFromManualToken(oauthCfg, clientID, resource, *token)
if err != nil {
return nil, fmt.Errorf("Error constructing service principal token: %v", err)
}
return spt, nil
}
// InteractiveCreateServicePrincipal interactively creates service
// principals for a subscription.
func InteractiveCreateServicePrincipal(
stderr io.Writer,
sender autorest.Sender,
requestInspector autorest.PrepareDecorator,
resourceManagerEndpoint string,
graphEndpoint string,
subscriptionId string,
clock clock.Clock,
newUUID func() (utils.UUID, error),
) (appId, password string, _ error) {
subscriptionsClient := subscriptions.Client{
subscriptions.NewWithBaseURI(resourceManagerEndpoint),
}
subscriptionsClient.Sender = sender
setClientInspectors(&subscriptionsClient.Client, requestInspector, "azure.subscriptions")
oauthConfig, tenantId, err := OAuthConfig(
subscriptionsClient,
resourceManagerEndpoint,
subscriptionId,
)
if err != nil {
return "", "", errors.Trace(err)
}
client := autorest.NewClientWithUserAgent("juju")
client.Sender = sender
setClientInspectors(&client, requestInspector, "azure.autorest")
// Perform the interactive authentication. The user will be prompted to
// open a URL and input a device code, after which they will have to
// enter their username and password if they are not already
// authenticated with Azure.
fmt.Fprintln(stderr, "Initiating interactive authentication.")
fmt.Fprintln(stderr)
armResource := TokenResource(resourceManagerEndpoint)
clientId := jujuApplicationId
deviceCode, err := azure.InitiateDeviceAuth(&client, *oauthConfig, clientId, armResource)
if err != nil {
return "", "", errors.Annotate(err, "initiating interactive authentication")
}
fmt.Fprintln(stderr, to.String(deviceCode.Message)+"\n")
token, err := azure.WaitForUserCompletion(&client, deviceCode)
if err != nil {
return "", "", errors.Annotate(err, "waiting for interactive authentication to completed")
}
// Create service principal tokens that we can use to authorize API
// requests to Active Directory and Resource Manager. These tokens
// are only valid for a short amount of time, so we must create a
// service principal password that can be used to obtain new tokens.
armSpt, err := azure.NewServicePrincipalTokenFromManualToken(*oauthConfig, clientId, armResource, *token)
if err != nil {
return "", "", errors.Annotate(err, "creating temporary ARM service principal token")
}
if client.Sender != nil {
armSpt.SetSender(client.Sender)
}
if err := armSpt.Refresh(); err != nil {
return "", "", errors.Trace(err)
}
// The application requires permissions for both ARM and AD, so we
// can use the token for both APIs.
graphResource := TokenResource(graphEndpoint)
graphToken := armSpt.Token
graphToken.Resource = graphResource
graphSpt, err := azure.NewServicePrincipalTokenFromManualToken(*oauthConfig, clientId, graphResource, graphToken)
if err != nil {
return "", "", errors.Annotate(err, "creating temporary Graph service principal token")
}
if client.Sender != nil {
graphSpt.SetSender(client.Sender)
}
if err := graphSpt.Refresh(); err != nil {
return "", "", errors.Trace(err)
}
directoryURL, err := url.Parse(graphEndpoint)
if err != nil {
return "", "", errors.Annotate(err, "parsing identity endpoint")
}
directoryURL.Path = path.Join(directoryURL.Path, tenantId)
directoryClient := ad.NewManagementClient(directoryURL.String())
authorizationClient := authorization.NewWithBaseURI(resourceManagerEndpoint, subscriptionId)
directoryClient.Authorizer = graphSpt
authorizationClient.Authorizer = armSpt
authorizationClient.Sender = client.Sender
directoryClient.Sender = client.Sender
setClientInspectors(&directoryClient.Client, requestInspector, "azure.directory")
setClientInspectors(&authorizationClient.Client, requestInspector, "azure.authorization")
userObject, err := ad.UsersClient{directoryClient}.GetCurrentUser()
if err != nil {
return "", "", errors.Trace(err)
}
fmt.Fprintf(stderr, "Authenticated as %q.\n", userObject.DisplayName)
fmt.Fprintln(stderr, "Creating/updating service principal.")
servicePrincipalObjectId, password, err := createOrUpdateServicePrincipal(
ad.ServicePrincipalsClient{directoryClient},
subscriptionId,
clock,
newUUID,
)
if err != nil {
return "", "", errors.Trace(err)
}
fmt.Fprintln(stderr, "Assigning Owner role to service principal.")
if err := createRoleAssignment(
authorizationClient,
subscriptionId,
servicePrincipalObjectId,
newUUID,
); err != nil {
return "", "", errors.Trace(err)
}
return jujuApplicationId, password, nil
}