Opensourcing of dnf-plugin-azure-auth

.gitignore

@@ -30,7 +30,6 @@ MANIFEST
 #  Usually these files are written by a python script from a template
 #  before PyInstaller builds the exe, so as to inject date/other infos into it.
 *.manifest
-*.spec
 
 # Installer logs
 pip-log.txt

Makefile

@@ -0,0 +1,20 @@
+VERSION?=0.1.0
+DIST=$(shell rpm --eval %{dist})
+
+
+rpmbuild/.rpmsetuptree:
+	mkdir -p rpmbuild/BUILD rpmbuild/SOURCES rpmbuild/RPMS rpmbuild/SRPMS rpmbuild/SPECS
+	touch rpmbuild/.rpmsetuptree
+
+rpmbuild/SOURCES/dnf-plugin-azure-auth-$(VERSION).tar.gz: rpmbuild/.rpmsetuptree azure_auth.conf azure_auth.py
+	tar czf dnf-plugin-azure-auth-$(VERSION).tar.gz --xform "s+^+dnf-plugin-azure-auth-$(VERSION)/+" azure_auth.conf azure_auth.py
+	mv dnf-plugin-azure-auth-$(VERSION).tar.gz rpmbuild/SOURCES/
+
+rpmbuild/SPECS/dnf-plugin-azure-auth.spec: dnf-plugin-azure-auth.spec rpmbuild/.rpmsetuptree
+	cp dnf-plugin-azure-auth.spec rpmbuild/SPECS/
+	sed -i "s/%%version%%/$(VERSION)/" rpmbuild/SPECS/dnf-plugin-azure-auth.spec
+
+rpmbuild/RPMS/x86_64/dnf-plugin-azure-auth-$(VERSION)-1$(DIST).x86_64.rpm: rpmbuild/SPECS/dnf-plugin-azure-auth.spec rpmbuild/SOURCES/dnf-plugin-azure-auth-$(VERSION).tar.gz
+	rpmbuild -D "_topdir $(shell pwd)/rpmbuild" -ba rpmbuild/SPECS/dnf-plugin-azure-auth.spec
+
+rpm: rpmbuild/RPMS/x86_64/dnf-plugin-azure-auth-$(VERSION)-1$(DIST).x86_64.rpm

README.md

@@ -1,14 +1,36 @@
-# Project
+# dnf-plugin-azure-auth
 
-> This repo has been populated by an initial template to help get you started. Please
-> make sure to update the content to build a great experience for community-building.
+This is a [dnf](https://github.com/rpm-software-management/dnf) plugin for authenticating against yum/dnf repos in Azure Blob Storage using Azure AD.
 
-As the maintainer of this project, please make a few updates:
+It uses the az cli to authenticate against Azure AD, so can only be used with Azure Blob Storage accounts that are [configured to use Azure AD for authentication](https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory).
 
-- Improving this README.MD file to provide a great experience
-- Updating SUPPORT.MD with content about this project's support experience
-- Understanding the security reporting process in SECURITY.MD
-- Remove this section from the README
+To configure this plugin to be used with a dnf repo, add an entry to `/etc/dnf/plugins/azure_auth.conf` with the following format:
+
+```
+[<repo-id>]
+```
+*<repo-id> is the repository ID in the [dnf/yum configuration](https://www.man7.org/linux/man-pages/man5/dnf.conf.5.html#top_of_page)*
+
+*This plugin doesn't support cross-tenant authentication, if/when this is added the config will be extended so you can specify a tenant.*
+
+## Pregenerated tokens
+
+This plugin also supports the user providing a prenerated token in the environment variable `DNF_PLUGIN_AZURE_AUTH_TOKEN`.
+
+When this is set, the plugin will not use the az cli to generate a token. This allows the plugin to be used in bootstrapping scenarios where the az cli is not available.
+
+This option is not recommended for normal use.
+
+## Installation
+
+For AzureLinux, download the RPM from the releases, then install it with (t)dnf/yum.
+Alternatively build the RPM from source for your target platform.
+
+## Dependencies
+
+This plugin uses the az cli rather than the Azure Python SDK identity library to avoid dependency management problems:
+- the plugin has to install to system python where dnf runs, so has to be distributed as an RPM
+- azure-identity is not available as an RPM on all desired OSs (there is an AzureLinux azure-sdk RPM but it is 100s of MB)
 
 ## Contributing
 
@@ -26,8 +48,8 @@ contact [[email protected]](mailto:[email protected]) with any additio
 
 ## Trademarks
 
-This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft 
-trademarks or logos is subject to and must follow 
+This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft
+trademarks or logos is subject to and must follow
 [Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general).
 Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship.
 Any use of third-party trademarks or logos are subject to those third-party's policies.

SUPPORT.md

@@ -1,25 +1,13 @@
-# TODO: The maintainer of this repo has not yet edited this file
-
-**REPO OWNER**: Do you want Customer Service & Support (CSS) support for this product/project?
-
-- **No CSS support:** Fill out this template with information about how to file issues and get help.
-- **Yes CSS support:** Fill out an intake form at [aka.ms/onboardsupport](https://aka.ms/onboardsupport). CSS will work with/help you to determine next steps.
-- **Not sure?** Fill out an intake as though the answer were "Yes". CSS will help you decide.
-
-*Then remove this first heading from this SUPPORT.MD file before publishing your repo.*
-
 # Support
 
-## How to file issues and get help  
+## How to file issues and get help
 
-This project uses GitHub Issues to track bugs and feature requests. Please search the existing 
-issues before filing new issues to avoid duplicates.  For new issues, file your bug or 
+This project uses GitHub Issues to track bugs and feature requests. Please search the existing
+issues before filing new issues to avoid duplicates.  For new issues, file your bug or
 feature request as a new Issue.
 
-For help and questions about using this project, please **REPO MAINTAINER: INSERT INSTRUCTIONS HERE 
-FOR HOW TO ENGAGE REPO OWNERS OR COMMUNITY FOR HELP. COULD BE A STACK OVERFLOW TAG OR OTHER
-CHANNEL. WHERE WILL YOU HELP PEOPLE?**.
+For help and questions about using this project, please raise a new GitHub Issue.
 
-## Microsoft Support Policy  
+## Microsoft Support Policy
 
 Support for this **PROJECT or PRODUCT** is limited to the resources listed above.

azure_auth.conf

@@ -0,0 +1,3 @@
+# Add a table for each repo that should use azure_auth. E.g
+# if you have a repo with id my-rpms then add:
+# [my-rpms]

azure_auth.py

@@ -0,0 +1,98 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Highly Confidential Material
+
+import logging
+import dnf
+import json
+import subprocess
+import os
+
+logger = logging.getLogger("dnf.plugin.azure_auth")
+
+AZ_COMMAND = [
+    "az",
+    "account",
+    "get-access-token",
+    "--output",
+    "json",
+    "--resource",
+    "https://storage.azure.com",
+]
+
+
+class AzureAuthConfigParser(object):
+    """Config parser
+
+    Args:
+      conf (libdnf.conf.ConfigParser): Config to parse
+
+    """
+
+    def __init__(self, conf):
+        self.conf = conf
+
+    def parse_config(self):
+        conf = self.conf
+        azure_auth_map = {}
+        # config format is extensible to support per-repo options,
+        # though there are none currently
+        for section in conf.sections():
+            azure_auth_map[section] = {}
+        return azure_auth_map
+
+
+class AzureAuth(dnf.Plugin):
+    name = "azure_auth"
+
+    def __init__(self, base, cli):
+        super(AzureAuth, self).__init__(base, cli)
+
+    def config(self):
+        conf = self.read_config(self.base.conf)
+
+        parser = AzureAuthConfigParser(conf)
+        azure_auth_map = parser.parse_config()
+
+        # Reuse the token between repos (if we add cross-tenant support,
+        # this will need to change to per-tenant tokens), to avoid multiple
+        # browser popups when not `az login`ed
+        token = os.getenv("DNF_PLUGIN_AZURE_AUTH_TOKEN", None)
+        for key in azure_auth_map.keys():
+            repo = self.base.repos.get(key, None)
+            if repo and repo.enabled:
+                if not token:
+                    token = get_token()
+                repo.set_http_headers(
+                    [
+                        "x-ms-version: 2022-11-02",
+                        "Authorization: Bearer {}".format(token),
+                    ]
+                )
+
+
+def get_token():
+    # if SUDO_USER is set, then run az as that account using runuser,
+    # to avoid user's having to be both `az login`ed and `sudo az login`ed
+    if "SUDO_USER" in os.environ:
+        cmd = ["runuser", "-u", os.environ["SUDO_USER"], "--"] + AZ_COMMAND
+    else:
+        cmd = AZ_COMMAND
+
+    try:
+        output = subprocess.run(
+            cmd,
+            check=True,
+            stdout=subprocess.PIPE,
+        )
+    except subprocess.CalledProcessError as e:
+        # Try again if we are running as sudo in case our user has permission but the sudo user doesn't.
+        if "SUDO_USER" in os.environ:
+            output = subprocess.run(
+                AZ_COMMAND,
+                check=True,
+                stdout=subprocess.PIPE,
+            )
+        else:
+            raise e
+
+    return json.loads(output.stdout)["accessToken"]

dnf-plugin-azure-auth.spec

@@ -0,0 +1,38 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Highly Confidential Material
+
+Summary:        DNF plugin for accessing repos in Azure Blob Storage via Azure AD
+Name:           dnf-plugin-azure-auth
+Version:        %%version%%
+Release:        1%{?dist}
+License:        GPLv2
+Vendor:         Microsoft Corporation
+Distribution:   Mariner
+Group:          Applications/Tools
+URL:            https://github.com/microsoft/dnf-plugin-azure-auth/
+Source0:        %{name}-%{version}.tar.gz
+%global debug_package %{nil}
+Requires:       python3-dnf
+
+%description
+DNF plugin for accessing repos in Azure Blob Storage via Azure AD
+
+%prep
+%setup -q
+
+%install
+mkdir -p %{buildroot}%{python3_sitelib}/dnf-plugins/
+mkdir -p %{buildroot}%{_sysconfdir}/dnf/plugins/
+cp azure_auth.py %{buildroot}%{python3_sitelib}/dnf-plugins/
+cp azure_auth.conf %{buildroot}%{_sysconfdir}/dnf/plugins/azure_auth.conf
+
+%files
+%defattr(-,root,root)
+%config(noreplace) %{_sysconfdir}/dnf/plugins/azure_auth.conf
+%{python3_sitelib}/dnf-plugins/azure_auth.py
+%{python3_sitelib}/dnf-plugins/__pycache__/azure_auth.*
+
+%changelog
+
+* Thu Sep 19 2024 Tom Fay <[email protected]> - 0.1.0-1
+- Original version