From 4b6f9dcf85e7413761f71d8e8b88ed490cdb81a5 Mon Sep 17 00:00:00 2001 From: Ramon de Klein Date: Fri, 3 May 2024 17:55:03 +0200 Subject: [PATCH] Upgrade to non-legacy Azure SDK (#459) --- go.mod | 20 +- go.sum | 60 ++-- internal/keystore/azure/client.go | 341 +++------------------ internal/keystore/azure/create-keyvault.sh | 36 +++ internal/keystore/azure/error.go | 38 ++- internal/keystore/azure/key-vault.go | 182 +++++------ internal/keystore/azure/key-vault_test.go | 97 ++++++ kesconf/config.go | 3 - kesconf/file.go | 26 +- 9 files changed, 334 insertions(+), 469 deletions(-) create mode 100755 internal/keystore/azure/create-keyvault.sh create mode 100644 internal/keystore/azure/key-vault_test.go diff --git a/go.mod b/go.mod index bb9d2f85..0867e0d4 100644 --- a/go.mod +++ b/go.mod @@ -6,8 +6,9 @@ require ( aead.dev/mem v0.2.0 aead.dev/minisign v0.2.1 cloud.google.com/go/secretmanager v1.11.5 - github.com/Azure/go-autorest/autorest v0.11.29 - github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 + github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0 github.com/aws/aws-sdk-go v1.50.37 github.com/charmbracelet/lipgloss v0.10.0 github.com/fatih/color v1.16.0 @@ -32,25 +33,22 @@ require ( cloud.google.com/go/compute v1.23.3 // indirect cloud.google.com/go/compute/metadata v0.2.3 // indirect cloud.google.com/go/iam v1.1.5 // indirect - github.com/Azure/go-autorest v14.2.0+incompatible // indirect - github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect - github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect - github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect - github.com/Azure/go-autorest/logger v0.2.1 // indirect - github.com/Azure/go-autorest/tracing v0.6.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 // indirect + github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/cenkalti/backoff/v3 v3.2.2 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect - github.com/dimchansky/utfbom v1.1.1 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect github.com/go-jose/go-jose/v3 v3.0.1 // indirect github.com/go-logr/logr v1.4.1 // indirect github.com/go-logr/stdr v1.2.2 // indirect - github.com/golang-jwt/jwt/v4 v4.5.0 // indirect + github.com/golang-jwt/jwt/v5 v5.2.1 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.3 // indirect github.com/google/s2a-go v0.1.7 // indirect + github.com/google/uuid v1.6.0 // indirect github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect github.com/googleapis/gax-go/v2 v2.12.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect @@ -64,6 +62,7 @@ require ( github.com/hashicorp/hcl v1.0.0 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/kr/text v0.2.0 // indirect + github.com/kylelemons/godebug v1.1.0 // indirect github.com/lucasb-eyer/go-colorful v1.2.0 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.20 // indirect @@ -72,6 +71,7 @@ require ( github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/muesli/reflow v0.3.0 // indirect github.com/philhofer/fwd v1.1.2 // indirect + github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect github.com/prometheus/client_model v0.6.0 // indirect github.com/prometheus/procfs v0.12.0 // indirect github.com/rivo/uniseg v0.4.7 // indirect diff --git a/go.sum b/go.sum index 1018ca80..cd84641a 100644 --- a/go.sum +++ b/go.sum @@ -14,29 +14,18 @@ cloud.google.com/go/iam v1.1.5 h1:1jTsCu4bcsNsE4iiqNT5SHwrDRCfRmIaaaVFhRveTJI= cloud.google.com/go/iam v1.1.5/go.mod h1:rB6P/Ic3mykPbFio+vo7403drjlgvoWfYpJhMXEbzv8= cloud.google.com/go/secretmanager v1.11.5 h1:82fpF5vBBvu9XW4qj0FU2C6qVMtj1RM/XHwKXUEAfYY= cloud.google.com/go/secretmanager v1.11.5/go.mod h1:eAGv+DaCHkeVyQi0BeXgAHOU0RdrMeZIASKc+S7VqH4= -github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= -github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= -github.com/Azure/go-autorest/autorest v0.11.24/go.mod h1:G6kyRlFnTuSbEYkQGawPfsCswgme4iYf6rfSKUDzbCc= -github.com/Azure/go-autorest/autorest v0.11.29 h1:I4+HL/JDvErx2LjyzaVxllw2lRDB5/BT2Bm4g20iqYw= -github.com/Azure/go-autorest/autorest v0.11.29/go.mod h1:ZtEzC4Jy2JDrZLxvWs8LrBWEBycl1hbT1eknI8MtfAs= -github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= -github.com/Azure/go-autorest/autorest/adal v0.9.22/go.mod h1:XuAbAEUv2Tta//+voMI038TrJBqjKam0me7qR+L8Cmk= -github.com/Azure/go-autorest/autorest/adal v0.9.23 h1:Yepx8CvFxwNKpH6ja7RZ+sKX+DWYNldbLiALMC3BTz8= -github.com/Azure/go-autorest/autorest/adal v0.9.23/go.mod h1:5pcMqFkdPhviJdlEy3kC/v1ZLnQl0MH6XA5YCcMhy4c= -github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 h1:wkAZRgT/pn8HhFyzfe9UnqOjJYqlembgCTi72Bm/xKk= -github.com/Azure/go-autorest/autorest/azure/auth v0.5.12/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg= -github.com/Azure/go-autorest/autorest/azure/cli v0.4.5/go.mod h1:ADQAXrkgm7acgWVUNamOgh8YNrv4p27l3Wc55oVfpzg= -github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 h1:w77/uPk80ZET2F+AfQExZyEWtn+0Rk/uw17m9fv5Ajc= -github.com/Azure/go-autorest/autorest/azure/cli v0.4.6/go.mod h1:piCfgPho7BiIDdEQ1+g4VmKyD5y+p/XtSNqE6Hc4QD0= -github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= -github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= -github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= -github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw= -github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU= -github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg= -github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= -github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= -github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 h1:E+OJmp2tPvt1W+amx48v1eqbjDYsgN+RzP4q16yV5eM= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 h1:sO0/P7g68FrryJzljemN+6GTssUXdANk6aJ7T1ZxnsQ= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1/go.mod h1:h8hyGFDsU5HMivxiS2iYFZsgDbU9OnnJ163x5UGVKYo= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 h1:LqbJ/WzJUwBf8UiaSzgX7aMclParm9/5Vgp+TY51uBQ= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2/go.mod h1:yInRyqWXAuaPrgI7p70+lDDgh3mlBohis29jGMISnmc= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0 h1:h4Zxgmi9oyZL2l8jeg1iRTqPloHktywWcu0nlJmo1tA= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0/go.mod h1:LgLGXawqSreJz135Elog0ywTJDsm0Hz2k+N+6ZK35u8= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 h1:D3occbWoio4EBLkbkevetNMAVX197GkzbUMtqjGWn80= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0/go.mod h1:bTSOgj05NGRuHHhQwAdPnYr9TOdNmKlZTgGLL6nyAdI= +github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU= +github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/aws/aws-sdk-go v1.50.37 h1:gnAf6eYPSTb4QpVwugtWFqD07QXOoX7LewRrtLUx3lI= github.com/aws/aws-sdk-go v1.50.37/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= @@ -59,8 +48,8 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U= -github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= +github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= +github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= @@ -80,10 +69,8 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw= github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= -github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= -github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= +github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= @@ -114,6 +101,8 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o= github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs= github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas= @@ -150,6 +139,8 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY= github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= @@ -174,6 +165,8 @@ github.com/muesli/termenv v0.15.2 h1:GohcuySI0QmI3wN8Ok9PtKGkgkFIk7y6Vpb5PvrY+Wo github.com/muesli/termenv v0.15.2/go.mod h1:Epx+iuz8sNs7mNKhxzH4fWXGNpZwUaJKRS1noLXviQ8= github.com/philhofer/fwd v1.1.2 h1:bnDivRJ1EWPjUIRXV5KfORO897HTbpFAQddBdE8t7Gw= github.com/philhofer/fwd v1.1.2/go.mod h1:qkPdfjR2SIEbspLqpe1tO4n5yICnr2DY7mqEx2tUTP0= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU= @@ -203,7 +196,6 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/tinylib/msgp v1.1.9 h1:SHf3yoO2sGA0veCJeCBYLHuttAVFHGm2RHgNodW7wQU= @@ -229,9 +221,6 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211209193657-4570a0811e8b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -249,7 +238,6 @@ golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w= golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= @@ -273,14 +261,13 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q= golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -288,7 +275,6 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= -golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= diff --git a/internal/keystore/azure/client.go b/internal/keystore/azure/client.go index 8a0ac5aa..d3be51f0 100644 --- a/internal/keystore/azure/client.go +++ b/internal/keystore/azure/client.go @@ -1,23 +1,17 @@ -// Copyright 2021 - MinIO, Inc. All rights reserved. +// Copyright 2024 - MinIO, Inc. All rights reserved. // Use of this source code is governed by the AGPLv3 // license that can be found in the LICENSE file. package azure import ( - "bytes" "context" - "encoding/json" + "errors" "fmt" - "math" "net/http" - "path" - "strings" "time" - "aead.dev/mem" - "github.com/Azure/go-autorest/autorest" - xhttp "github.com/minio/kes/internal/http" + "github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets" ) // status represents a KeyVault operation results. @@ -32,9 +26,7 @@ type status struct { } type client struct { - Endpoint string - Authorizer autorest.Authorizer - Client xhttp.Retry + azsecretsClient *azsecrets.Client } // CreateSecret creates a KeyVault secret with @@ -47,47 +39,14 @@ type client struct { // then KeyVault will not return an error but create // another version of the secret with the given value. func (c *client) CreateSecret(ctx context.Context, name, value string) (status, error) { - type Request struct { - Value string `json:"value"` - } - body, err := json.Marshal(Request{ - Value: value, - }) - if err != nil { - return status{}, err - } - - uri := endpoint(c.Endpoint, "secrets", name) + "?api-version=7.2" - req, err := http.NewRequestWithContext(ctx, http.MethodPut, uri, xhttp.RetryReader(bytes.NewReader(body))) - if err != nil { - return status{}, err - } - req, err = autorest.CreatePreparer(c.Authorizer.WithAuthorization()).Prepare(req) - if err != nil { - return status{}, err - } - req.Header.Set("Content-Type", "application/json") - req.ContentLength = int64(len(body)) - - resp, err := c.Client.Do(req) - if err != nil { - return status{}, err - } - defer resp.Body.Close() - if resp.StatusCode == http.StatusOK { - return status{ - StatusCode: http.StatusOK, - }, nil - } - - response, err := parseErrorResponse(resp) + _, err := c.azsecretsClient.SetSecret(ctx, name, azsecrets.SetSecretParameters{ + Value: &value, + }, nil) if err != nil { - return status{}, err + return transportErrToStatus(err) } return status{ - StatusCode: resp.StatusCode, - ErrorCode: response.Error.Inner.Code, - Message: response.Error.Message, + StatusCode: http.StatusOK, }, nil } @@ -108,78 +67,42 @@ func (c *client) CreateSecret(ctx context.Context, name, value string) (status, // if the secret is disabled, expired or should not // be used, yet. func (c *client) GetSecret(ctx context.Context, name, version string) (string, status, error) { - type Response struct { - Value string `json:"value"` - Attr struct { - Enabled bool `json:"enabled"` - - Expiry int64 `json:"exp"` - NotBefore int64 `json:"nbf"` - Created int64 `json:"created"` - Updated int64 `json:"updated"` - } `json:"attributes"` - } - - uri := endpoint(c.Endpoint, "secrets", name, version) + "?api-version=7.2" - req, err := http.NewRequestWithContext(ctx, http.MethodGet, uri, nil) - if err != nil { + response, err := c.azsecretsClient.GetSecret(ctx, name, version, nil) + if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) { return "", status{}, err } - req, err = autorest.CreatePreparer(c.Authorizer.WithAuthorization()).Prepare(req) if err != nil { - return "", status{}, err - } - - resp, err := c.Client.Do(req) - if err != nil { - return "", status{}, err - } - defer resp.Body.Close() - if resp.StatusCode != http.StatusOK { - response, err := parseErrorResponse(resp) - if err != nil { - return "", status{}, err - } - return "", status{ - StatusCode: resp.StatusCode, - ErrorCode: response.Error.Inner.Code, - Message: response.Error.Message, - }, nil - } - - limit := mem.Size(resp.ContentLength) - if limit < 0 || limit > mem.MB { - limit = mem.MB - } - var response Response - if err = json.NewDecoder(mem.LimitReader(resp.Body, limit)).Decode(&response); err != nil { - return "", status{}, err + stat, err := transportErrToStatus(err) + return "", stat, err } - - // A secret may not be enabled, should not be used before a certain date or - // should not be used after a certain date. - if !response.Attr.Enabled { + if response.Attributes.Enabled != nil && !*response.Attributes.Enabled { return "", status{ StatusCode: http.StatusUnprocessableEntity, ErrorCode: "ObjectIsDisabled", - Message: fmt.Sprintf("The secret %q is current disabled and cannot be used", name), + Message: fmt.Sprintf("The secret %q is disabled and cannot be used", name), }, nil } - if response.Attr.NotBefore > 0 && time.Since(time.Unix(response.Attr.NotBefore, 0)) <= 0 { + if response.Attributes.NotBefore != nil && time.Since(*response.Attributes.NotBefore) <= 0 { return "", status{ StatusCode: http.StatusUnprocessableEntity, ErrorCode: "ObjectMustNotBeUsed", - Message: fmt.Sprintf("The secret %q must not be used before %v", name, time.Unix(response.Attr.NotBefore, 0)), + Message: fmt.Sprintf("The secret %q must not be used before %v", name, *response.Attributes.NotBefore), }, nil } - if response.Attr.Expiry > 0 && time.Until(time.Unix(response.Attr.Expiry, 0)) <= 0 { + if response.Attributes.Expires != nil && time.Until(*response.Attributes.Expires) <= 0 { return "", status{ StatusCode: http.StatusUnprocessableEntity, ErrorCode: "ObjectIsExpired", Message: fmt.Sprintf("The secret %q is expired and cannot be used", name), }, nil } - return response.Value, status{ + + if response.Value != nil { + return *response.Value, status{ + StatusCode: http.StatusOK, + }, nil + } + return "", status{ StatusCode: http.StatusOK, }, nil } @@ -195,33 +118,9 @@ func (c *client) GetSecret(ctx context.Context, name, version string) (string, s // even if it returns 200 OK. Instead, the secret may be in // a transition state from "active" to (soft) deleted. func (c *client) DeleteSecret(ctx context.Context, name string) (status, error) { - uri := endpoint(c.Endpoint, "secrets", name) + "?api-version=7.2" - req, err := http.NewRequestWithContext(ctx, http.MethodDelete, uri, nil) - if err != nil { - return status{}, err - } - req, err = autorest.CreatePreparer(c.Authorizer.WithAuthorization()).Prepare(req) - if err != nil { - return status{}, err - } - - resp, err := c.Client.Do(req) + _, err := c.azsecretsClient.DeleteSecret(ctx, name, nil) if err != nil { - return status{}, err - } - defer resp.Body.Close() - if resp.StatusCode != http.StatusOK { - if resp.StatusCode != http.StatusOK { - response, err := parseErrorResponse(resp) - if err != nil { - return status{}, err - } - return status{ - StatusCode: resp.StatusCode, - ErrorCode: response.Error.Inner.Code, - Message: response.Error.Message, - }, nil - } + return transportErrToStatus(err) } return status{ StatusCode: http.StatusOK, @@ -234,34 +133,15 @@ func (c *client) DeleteSecret(ctx context.Context, name string) (status, error) // recovered. Therefore, deleting a KeyVault secret permanently is // a two-step process. func (c *client) PurgeSecret(ctx context.Context, name string) (status, error) { - uri := endpoint(c.Endpoint, "deletedsecrets", name) + "?api-version=7.2" - req, err := http.NewRequestWithContext(ctx, http.MethodDelete, uri, nil) + _, err := c.azsecretsClient.PurgeDeletedSecret(ctx, name, nil) if err != nil { - return status{}, err - } - req, err = autorest.CreatePreparer(c.Authorizer.WithAuthorization()).Prepare(req) - if err != nil { - return status{}, err - } - - resp, err := c.Client.Do(req) - if err != nil { - return status{}, err - } - defer resp.Body.Close() - if resp.StatusCode != http.StatusNoContent { - response, err := parseErrorResponse(resp) - if err != nil { - return status{}, err + stat, err := transportErrToStatus(err) + if stat.StatusCode != http.StatusNoContent && stat.StatusCode != http.StatusOK && stat.StatusCode != http.StatusNotFound { + return stat, err } - return status{ - StatusCode: resp.StatusCode, - ErrorCode: response.Error.Inner.Code, - Message: response.Error.Message, - }, nil } return status{ - StatusCode: http.StatusNoContent, + StatusCode: http.StatusOK, }, nil } @@ -273,64 +153,20 @@ func (c *client) PurgeSecret(ctx context.Context, name string) (status, error) { // versions of the given secret. When a secret contains more then 25 // versions GetFirstVersions returns a status with a 422 HTTP error code. func (c *client) GetFirstVersion(ctx context.Context, name string) (string, status, error) { - type Response struct { - Versions []struct { - ID string `json:"id"` - Attr struct { - Enabled bool `json:"enabled"` - Created int64 `json:"created"` - Updated int64 `json:"updated"` - } `json:"attributes"` - } `json:"value"` - - NextLink string `json:"nextLink"` - } - // We only inspect 25 versions as some reasonable default limit. - uri := endpoint(c.Endpoint, "secrets", name, "versions") + "?api-version=7.2&maxresults=25" - req, err := http.NewRequestWithContext(ctx, http.MethodGet, uri, nil) - if err != nil { - return "", status{}, err - } - req, err = autorest.CreatePreparer(c.Authorizer.WithAuthorization()).Prepare(req) + pager := c.azsecretsClient.NewListSecretPropertiesVersionsPager(name, nil) + page, err := pager.NextPage(ctx) if err != nil { - return "", status{}, err - } - - resp, err := c.Client.Do(req) - if err != nil { - return "", status{}, err - } - defer resp.Body.Close() - if resp.StatusCode != http.StatusOK { - response, err := parseErrorResponse(resp) - if err != nil { - return "", status{}, err - } - return "", status{ - StatusCode: resp.StatusCode, - ErrorCode: response.Error.Inner.Code, - Message: response.Error.Message, - }, nil + stat, err := transportErrToStatus(err) + return "", stat, err } - - const MaxSize = 10 * mem.MiB - limit := mem.Size(resp.ContentLength) - if limit < 0 || limit > MaxSize { - limit = MaxSize - } - - var response Response - if err = json.NewDecoder(mem.LimitReader(resp.Body, limit)).Decode(&response); err != nil { - return "", status{}, err - } - if response.NextLink != "" { + if pager.More() { return "", status{ StatusCode: http.StatusUnprocessableEntity, ErrorCode: "TooManyObjectVersions", Message: fmt.Sprintf("There are too many versions of %q.", name), }, nil } - if len(response.Versions) == 0 { + if len(page.SecretPropertiesListResult.Value) == 0 { return "", status{ StatusCode: http.StatusNotFound, ErrorCode: "NoObjectVersions", @@ -338,101 +174,18 @@ func (c *client) GetFirstVersion(ctx context.Context, name string) (string, stat }, nil } var ( - id string // most recent Secret ID - createdAt int64 = math.MaxInt64 // most recent createdAt UNIX timestamp + version string // most recent Secret version + createdAt *time.Time // most recent createdAt UNIX timestamp ) - for _, v := range response.Versions { - if createdAt > v.Attr.Created { - createdAt = v.Attr.Created - id = v.ID - } - } - return path.Base(id), status{ - StatusCode: http.StatusOK, - }, nil -} - -// ListSecrets returns a set of secrets names and an optional continuation -// link. It supports iterating over all secrets in pages. The returned -// continuation link, if not empty, can be used to obtain the next page -// of secrets. -// -// When starting a list iteration the nextLink should be empty. The returned -// continuation link is empty once there are no more pages. -func (c *client) ListSecrets(ctx context.Context, nextLink string) ([]string, string, status, error) { - type Response struct { - Values []struct { - ID string `json:"id"` - Attr struct{} `json:"attributes"` - } `json:"value"` - NextLink string `json:"nextLink"` - } - - if nextLink == "" { - nextLink = endpoint(c.Endpoint, "secrets") + "?maxresults=25&api-version=7.2" - } - req, err := http.NewRequestWithContext(ctx, http.MethodGet, nextLink, nil) - if err != nil { - return nil, "", status{}, err - } - req, err = autorest.CreatePreparer(c.Authorizer.WithAuthorization()).Prepare(req) - if err != nil { - return nil, "", status{}, err - } - - resp, err := c.Client.Do(req) - if err != nil { - return nil, "", status{}, err - } - defer resp.Body.Close() - if resp.StatusCode != http.StatusOK { - response, err := parseErrorResponse(resp) - if err != nil { - return nil, "", status{}, err + for _, v := range page.SecretPropertiesListResult.Value { + if v.Attributes != nil && v.Attributes.Created != nil && v.ID != nil { + if createdAt == nil || createdAt.After(*v.Attributes.Created) { + createdAt = v.Attributes.Created + version = v.ID.Version() + } } - return nil, "", status{ - StatusCode: resp.StatusCode, - ErrorCode: response.Error.Inner.Code, - Message: response.Error.Message, - }, nil - } - - const MaxSize = 10 * mem.MiB - limit := mem.Size(resp.ContentLength) - if limit < 0 || limit > MaxSize { - limit = MaxSize } - var response Response - if err = json.NewDecoder(mem.LimitReader(resp.Body, limit)).Decode(&response); err != nil { - return nil, "", status{}, err - } - secrets := make([]string, 0, len(response.Values)) - for _, v := range response.Values { - secrets = append(secrets, path.Base(v.ID)) - } - return secrets, response.NextLink, status{ + return version, status{ StatusCode: http.StatusOK, }, nil } - -// endpoint returns an endpoint URL starting with the -// given endpoint followed by the path elements. -// -// For example: -// - endpoint("https://127.0.0.1:7373", "version") => "https://127.0.0.1:7373/version" -// - endpoint("https://127.0.0.1:7373/", "/key/create", "my-key") => "https://127.0.0.1:7373/key/create/my-key" -// -// Any leading or trailing whitespaces are removed from -// the endpoint before it is concatenated with the path -// elements. -// -// The path elements will not be URL-escaped. -func endpoint(endpoint string, elems ...string) string { - endpoint = strings.TrimSpace(endpoint) - endpoint = strings.TrimSuffix(endpoint, "/") - - if len(elems) > 0 && !strings.HasPrefix(elems[0], "/") { - endpoint += "/" - } - return endpoint + path.Join(elems...) -} diff --git a/internal/keystore/azure/create-keyvault.sh b/internal/keystore/azure/create-keyvault.sh new file mode 100755 index 00000000..42fa0008 --- /dev/null +++ b/internal/keystore/azure/create-keyvault.sh @@ -0,0 +1,36 @@ +#!/bin/bash +RESOURCE_GROUP=minio-kes +SERVICE_PRINCIPAL=minio-kes +LOCATION=westus + +AZ_SUBSCRIPTION_NAME=$(az account show -o tsv --query 'name') +AZ_SUBSCRIPTION_ID=$(az account show -o tsv --query 'id') +echo "Running in subscription '$AZ_SUBSCRIPTION_NAME' ($AZ_SUBSCRIPTION_ID)" + +# Create the resource-group (if not exists) +AZ_RESOURCE_GROUP=$(az group show --resource-group $RESOURCE_GROUP 2>/dev/null || echo -n) +if [ -z "$AZ_RESOURCE_GROUP" ]; then + echo "Creating resource group '$RESOURCE_GROUP'" + AZ_RESOURCE_GROUP=$(az group create --resource-group $RESOURCE_GROUP -l $LOCATION || echo -n) +else + echo "Using resource group '$RESOURCE_GROUP'" +fi + +# Create a random key-vault-name (should be globally unique) +KEYVAULT_NAME=$(az keyvault list -g $RESOURCE_GROUP --query '[0].name' -o tsv 2>/dev/null || echo -n) +if [ -z "$KEYVAULT_NAME" ]; then + KEYVAULT_NAME=minio-kes-$(tr -dc a-z /dev/null +else + echo "Using existing key-vault '$KEYVAULT_NAME'" +fi + +# Add admin privileges to the keyvault +IAM_ID=$(az ad signed-in-user show --query 'id' -o tsv) +VAULT_ID=$(az keyvault show -g $RESOURCE_GROUP -n $KEYVAULT_NAME --query 'id' -o tsv) +az role assignment create --role "Key Vault Administrator" --scope $VAULT_ID --assignee $IAM_ID > /dev/null + +# Show command to run +VAULT_URI=$(az keyvault show -g $RESOURCE_GROUP -n $KEYVAULT_NAME --query 'properties.vaultUri' -o tsv) +echo "Run: EndPoint=$VAULT_URI go test ." diff --git a/internal/keystore/azure/error.go b/internal/keystore/azure/error.go index db2fc277..3bc148ee 100644 --- a/internal/keystore/azure/error.go +++ b/internal/keystore/azure/error.go @@ -1,4 +1,4 @@ -// Copyright 2021 - MinIO, Inc. All rights reserved. +// Copyright 2024 - MinIO, Inc. All rights reserved. // Use of this source code is governed by the AGPLv3 // license that can be found in the LICENSE file. @@ -6,9 +6,10 @@ package azure import ( "encoding/json" - "net/http" + "errors" + "log/slog" - "aead.dev/mem" + "github.com/Azure/azure-sdk-for-go/sdk/azcore" ) // errorResponse is a KeyVault secrets API error response. @@ -22,18 +23,23 @@ type errorResponse struct { } `json:"error"` } -// parseErrorResponse parses the response body as -// KeyVault secrets API error response. -func parseErrorResponse(resp *http.Response) (errorResponse, error) { - const MaxSize = 1 * mem.MiB - limit := mem.Size(resp.ContentLength) - if limit < 0 || limit > MaxSize { - limit = MaxSize +// transportErrToStatus converts a transport error to a Status. +func transportErrToStatus(err error) (status, error) { + var rerr *azcore.ResponseError + if errors.As(err, &rerr) { + var errorResponse errorResponse + if rerr.RawResponse != nil { + jsonErr := json.NewDecoder(rerr.RawResponse.Body).Decode(&errorResponse) + if jsonErr != nil { + slog.Error("error deserializing Azure KeyVault error message: %v", jsonErr) + return status{}, err + } + } + return status{ + ErrorCode: errorResponse.Error.Inner.Code, + StatusCode: rerr.StatusCode, + Message: errorResponse.Error.Message, + }, nil } - - var response errorResponse - if err := json.NewDecoder(mem.LimitReader(resp.Body, limit)).Decode(&response); err != nil { - return errorResponse{}, err - } - return response, nil + return status{}, err } diff --git a/internal/keystore/azure/key-vault.go b/internal/keystore/azure/key-vault.go index ff0e924a..654d0a23 100644 --- a/internal/keystore/azure/key-vault.go +++ b/internal/keystore/azure/key-vault.go @@ -1,4 +1,4 @@ -// Copyright 2021 - MinIO, Inc. All rights reserved. +// Copyright 2024 - MinIO, Inc. All rights reserved. // Use of this source code is governed by the AGPLv3 // license that can be found in the LICENSE file. @@ -12,8 +12,9 @@ import ( "net/http" "time" - "github.com/Azure/go-autorest/autorest" - "github.com/Azure/go-autorest/autorest/azure/auth" + "github.com/Azure/azure-sdk-for-go/sdk/azcore" + "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" + "github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets" "github.com/minio/kes" "github.com/minio/kes/internal/keystore" kesdk "github.com/minio/kms-go/kes" @@ -44,10 +45,15 @@ type Store struct { func (s *Store) String() string { return "Azure KeyVault: " + s.endpoint } +const ( + delay = 200 * time.Millisecond + jitter = 800 * time.Millisecond +) + // Status returns the current state of the Azure KeyVault instance. // In particular, whether it is reachable and the network latency. func (s *Store) Status(ctx context.Context) (kes.KeyStoreState, error) { - req, err := http.NewRequestWithContext(ctx, http.MethodGet, s.client.Endpoint, nil) + req, err := http.NewRequestWithContext(ctx, http.MethodGet, s.endpoint, nil) if err != nil { return kes.KeyStoreState{}, err } @@ -107,24 +113,19 @@ func (s *Store) Create(ctx context.Context, name string, value []byte) error { if err != nil { return fmt.Errorf("azure: failed to create '%s': %v", name, err) } - if stat.StatusCode == http.StatusConflict && stat.ErrorCode == "ObjectIsDeletedButRecoverable" { - stat, err = s.client.PurgeSecret(ctx, name) + if stat.StatusCode == http.StatusConflict && (stat.ErrorCode == "ObjectIsDeletedButRecoverable" || stat.ErrorCode == "ObjectIsBeingDeleted") { + stat, err = s.purgeWithRetry(ctx, name, 25) if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) { return err } if err != nil { return fmt.Errorf("azure: failed to create '%s': failed to purge deleted secret: %v", name, err) } - if stat.StatusCode != http.StatusNoContent { + if stat.StatusCode != http.StatusOK { return fmt.Errorf("azure: failed to create '%s': failed to purge deleted secret: %s (%s)", name, stat.Message, stat.ErrorCode) } - const ( - Retry = 7 - Delay = 200 * time.Millisecond - Jitter = 800 * time.Millisecond - ) - for i := 0; i < Retry; i++ { + for i := 0; i < 7; i++ { stat, err = s.client.CreateSecret(ctx, name, string(value)) if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) { return err @@ -133,7 +134,7 @@ func (s *Store) Create(ctx context.Context, name string, value []byte) error { return fmt.Errorf("azure: failed to create '%s': %v", name, err) } if stat.StatusCode == http.StatusConflict && stat.ErrorCode == "ObjectIsBeingDeleted" { - time.Sleep(Delay + time.Duration(rand.Int63n(Jitter.Milliseconds()))*time.Millisecond) + time.Sleep(delay + time.Duration(rand.Int63n(jitter.Milliseconds()))*time.Millisecond) continue } break @@ -216,51 +217,23 @@ func (s *Store) Delete(ctx context.Context, name string) error { if err != nil { return fmt.Errorf("azure: failed to delete '%s': %v", name, err) } - if stat.StatusCode != http.StatusNotFound { - return kesdk.ErrKeyNotFound - } if stat.StatusCode != http.StatusOK && stat.StatusCode != http.StatusNotFound { return fmt.Errorf("azure: failed to delete '%s': %s (%s)", name, stat.Message, stat.ErrorCode) } - // Now, the key either does not exist, is being deleted or - // has been deleted. If the key does not exist then purging - // it will result in a 404 NotFound. - // If the key has been marked as deleted then purging it - // should succeed with 204 NoContent. - // However, if the key is not ready to be purged then we - // retry purging the key a couple of times - hoping that - // KeyVault completes the soft-delete process. - const ( - Retry = 7 - Delay = 200 * time.Millisecond - Jitter = 800 * time.Millisecond - ) - for i := 0; i < Retry; i++ { - stat, err = s.client.PurgeSecret(ctx, name) - if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) { - return err - } - if err != nil { - return fmt.Errorf("azure: failed to delete '%s': %s (%s)", name, stat.Message, stat.ErrorCode) - } - switch { - case stat.StatusCode == http.StatusNoContent: - return nil - case stat.StatusCode == http.StatusNotFound: - return nil - case stat.StatusCode == http.StatusForbidden && stat.ErrorCode == "ForbiddenByPolicy": - return nil - case stat.StatusCode == http.StatusConflict && stat.ErrorCode == "ObjectIsBeingDeleted": - time.Sleep(Delay + time.Duration(rand.Int63n(Jitter.Milliseconds()))*time.Millisecond) - continue - } - break + stat, err = s.purgeWithRetry(ctx, name, 10) + if err != nil { + return err } - if stat.StatusCode == http.StatusConflict && stat.ErrorCode == "ObjectIsBeingDeleted" { + + switch { + case stat.StatusCode == http.StatusOK: + return nil + case stat.StatusCode == http.StatusConflict && stat.ErrorCode == "ObjectIsBeingDeleted": return nil + default: + return fmt.Errorf("azure: failed to delete '%s': failed to purge deleted secret: %s (%s)", name, stat.Message, stat.ErrorCode) } - return fmt.Errorf("azure: failed to delete '%s': failed to purge deleted secret: %s (%s)", name, stat.Message, stat.ErrorCode) } // Get returns the first resp. oldest version of the secret. @@ -310,25 +283,26 @@ func (s *Store) Get(ctx context.Context, name string) ([]byte, error) { // or when there are no (more) keys starting with the prefix, the // returned prefix is empty func (s *Store) List(ctx context.Context, prefix string, n int) ([]string, string, error) { - var ( - names []string - nextLink string - ) - for { - secrets, link, status, err := s.client.ListSecrets(ctx, nextLink) - if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) { - return nil, "", err - } + var names []string + pager := s.client.azsecretsClient.NewListSecretPropertiesPager(&azsecrets.ListSecretPropertiesOptions{}) + for pager.More() { + page, err := pager.NextPage(ctx) if err != nil { - return nil, "", fmt.Errorf("azure: failed to list keys: %v", err) + if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) { + return nil, "", err + } + stat, err := transportErrToStatus(err) + if err != nil { + return nil, "", err + } + return nil, "", fmt.Errorf("azure: failed to list keys: %s (%s)", stat.ErrorCode, stat.Message) } - if status.StatusCode != http.StatusOK { - return nil, "", fmt.Errorf("azure: failed to list keys: %s (%s)", status.Message, status.ErrorCode) + for _, v := range page.SecretPropertiesListResult.Value { + if v.ID != nil { + names = append(names, (*v.ID).Name()) + } } - - nextLink = link - names = append(names, secrets...) - if nextLink == "" { + if page.NextLink == nil || *page.NextLink == "" { break } } @@ -338,43 +312,57 @@ func (s *Store) List(ctx context.Context, prefix string, n int) ([]string, strin // Close closes the Store. func (s *Store) Close() error { return nil } -// ConnectWithCredentials tries to establish a connection to a Azure KeyVault -// instance using Azure client credentials. -func ConnectWithCredentials(_ context.Context, endpoint string, creds Credentials) (*Store, error) { - const Scope = "https://vault.azure.net" - - c := auth.NewClientCredentialsConfig(creds.ClientID, creds.Secret, creds.TenantID) - c.Resource = Scope - token, err := c.ServicePrincipalToken() +// ConnectWithCredentials tries to establish a connection to an Azure KeyVault instance +func ConnectWithCredentials(endpoint string, cred azcore.TokenCredential) (*Store, error) { + azsecretsClient, err := azsecrets.NewClient(endpoint, cred, &azsecrets.ClientOptions{ + ClientOptions: azcore.ClientOptions{ + Retry: policy.RetryOptions{ + MaxRetries: 7, + RetryDelay: 200 * time.Millisecond, + MaxRetryDelay: 800 * time.Millisecond, + }, + }, + }) if err != nil { - return nil, fmt.Errorf("azure: failed to obtain ServicePrincipalToken from client credentials: %v", err) + return nil, fmt.Errorf("azure: failed to create secrets client: %v", err) } return &Store{ endpoint: endpoint, client: client{ - Endpoint: endpoint, - Authorizer: autorest.NewBearerAuthorizer(token), + azsecretsClient: azsecretsClient, }, }, nil } -// ConnectWithIdentity tries to establish a connection to a Azure KeyVault -// instance using an Azure managed identity. -func ConnectWithIdentity(_ context.Context, endpoint string, msi ManagedIdentity) (*Store, error) { - const Scope = "https://vault.azure.net" - - c := auth.NewMSIConfig() - c.Resource = Scope - c.ClientID = msi.ClientID - token, err := c.ServicePrincipalToken() - if err != nil { - return nil, fmt.Errorf("azure: failed to obtain ServicePrincipalToken from managed identity: %v", err) +func (s *Store) purgeWithRetry(ctx context.Context, name string, retries int) (status, error) { + // Now, the key either does not exist, is being deleted or + // has been deleted. If the key does not exist then purging + // it will result in a 404 NotFound. + // If the key has been marked as deleted then purging it + // should succeed with 204 NoContent. + // However, if the key is not ready to be purged then we + // retry purging the key a couple of times - hoping that + // KeyVault completes the soft-delete process. + var stat status + var err error + for i := 0; i < retries; i++ { + stat, err = s.client.PurgeSecret(ctx, name) + if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) { + return stat, err + } + if err != nil { + return stat, fmt.Errorf("azure: failed to delete '%s': %s (%s)", name, stat.Message, stat.ErrorCode) + } + switch { + case stat.StatusCode == http.StatusOK || stat.StatusCode == http.StatusNotFound: + return stat, nil + case stat.StatusCode == http.StatusForbidden && stat.ErrorCode == "ForbiddenByPolicy": + return stat, nil + case stat.StatusCode == http.StatusConflict && stat.ErrorCode == "ObjectIsBeingDeleted": + time.Sleep(delay + time.Duration(rand.Int63n(jitter.Milliseconds()))*time.Millisecond) + continue + } + break } - return &Store{ - endpoint: endpoint, - client: client{ - Endpoint: endpoint, - Authorizer: autorest.NewBearerAuthorizer(token), - }, - }, nil + return stat, err } diff --git a/internal/keystore/azure/key-vault_test.go b/internal/keystore/azure/key-vault_test.go new file mode 100644 index 00000000..eb31f13a --- /dev/null +++ b/internal/keystore/azure/key-vault_test.go @@ -0,0 +1,97 @@ +// Copyright 2024 - MinIO, Inc. All rights reserved. +// Use of this source code is governed by the AGPLv3 +// license that can be found in the LICENSE file. + +package azure + +import ( + "context" + "fmt" + "math/rand" + "os" + "testing" + "time" + + "github.com/Azure/azure-sdk-for-go/sdk/azidentity" +) + +var ( + prefix = fmt.Sprintf("%04d-", rand.Intn(10000)) + keyName = fmt.Sprintf("%skey", prefix) +) + +func TestConnectWithCredentials(t *testing.T) { + EndPoint := os.Getenv("EndPoint") + if EndPoint == "" { + t.Skip("Skipping test due to missing Keyvault endpoint") + } + + c, err := azidentity.NewDefaultAzureCredential(nil) + if err != nil { + t.Fatalf("unable to determine Azure credentials: %v", err) + } + + c1, err := ConnectWithCredentials(EndPoint, c) + if err != nil { + return + } + + ctx := context.Background() + + // create key + keyValue := time.Now().Format(time.RFC3339Nano) + err = c1.Create(ctx, keyName, []byte(keyValue)) + if err != nil { + t.Fatalf("error creating key: %s", err) + } + + // delete key upon termination + defer c1.Delete(ctx, keyName) + + // fetch key and check if the value is correct + data, err := c1.Get(ctx, keyName) + if err != nil { + t.Fatalf("error fetching key: %v", err) + } + if string(data) != keyValue { + t.Fatalf("got %q, but expected %q", string(data), keyValue) + } + + // list keys + list, next, err := c1.List(ctx, prefix, 25) + if err != nil { + t.Fatalf("error listing keys: %v", err) + } + if len(list) != 1 || next != "" { + t.Log("got the following keys:\n") + for _, key := range list { + t.Logf("- %s", key) + t.Fatalf("got %d keys, but only expected key %q", len(list), keyName) + } + } + if list[0] != keyName { + t.Fatalf("got key %q, but expected key %q", list[0], keyName) + } + + // delete the key + err = c1.Delete(ctx, keyName) + if err != nil { + t.Fatalf("error deleting key: %v", err) + } + + // recreate the key (deleted secret should be purged automatically) + keyValue = time.Now().Format(time.RFC3339Nano) + err = c1.Create(ctx, keyName, []byte(keyValue)) + if err != nil { + t.Fatalf("error (re)creating the key: %v", err) + } + + // fetch key and check if the value is correct + data, err = c1.Get(ctx, keyName) + if err != nil { + t.Fatalf("error fetching key %q: %v", keyName, err) + } + if string(data) != keyValue { + t.Errorf("Got value %q, but expected value %q", string(data), keyValue) + } +} diff --git a/kesconf/config.go b/kesconf/config.go index 37c4e122..d9940f43 100644 --- a/kesconf/config.go +++ b/kesconf/config.go @@ -595,9 +595,6 @@ func ymlToKeyStore(y *ymlFile) (KeyStore, error) { if y.KeyStore.Azure.KeyVault.Endpoint.Value == "" { return nil, errors.New("kesconf: invalid Azure keyvault keystore: no endpoint specified") } - if y.KeyStore.Azure.KeyVault.Credentials == nil && y.KeyStore.Azure.KeyVault.ManagedIdentity == nil { - return nil, errors.New("kesconf: invalid Azure keyvault keystore: no authentication method specified") - } if y.KeyStore.Azure.KeyVault.Credentials != nil && y.KeyStore.Azure.KeyVault.ManagedIdentity != nil { return nil, errors.New("kesconf: invalid Azure keyvault keystore: more than one authentication method specified") } diff --git a/kesconf/file.go b/kesconf/file.go index 9dea2fdd..c60218d6 100644 --- a/kesconf/file.go +++ b/kesconf/file.go @@ -16,6 +16,8 @@ import ( "slices" "time" + "github.com/Azure/azure-sdk-for-go/sdk/azcore" + "github.com/Azure/azure-sdk-for-go/sdk/azidentity" "github.com/minio/kes" "github.com/minio/kes/internal/https" "github.com/minio/kes/internal/keystore/aws" @@ -756,26 +758,26 @@ type AzureKeyVaultKeyStore struct { } // Connect returns a kv.Store that stores key-value pairs on Azure KeyVault. -func (s *AzureKeyVaultKeyStore) Connect(ctx context.Context) (kes.KeyStore, error) { +func (s *AzureKeyVaultKeyStore) Connect(_ context.Context) (kes.KeyStore, error) { if (s.TenantID != "" || s.ClientID != "" || s.ClientSecret != "") && s.ManagedIdentityClientID != "" { return nil, errors.New("edge: failed to connect to Azure KeyVault: more than one authentication method specified") } + var cred azcore.TokenCredential + var err error switch { case s.TenantID != "" || s.ClientID != "" || s.ClientSecret != "": - creds := azure.Credentials{ - TenantID: s.TenantID, - ClientID: s.ClientID, - Secret: s.ClientSecret, - } - return azure.ConnectWithCredentials(ctx, s.Endpoint, creds) + cred, err = azidentity.NewClientSecretCredential(s.TenantID, s.ClientID, s.ClientSecret, nil) case s.ManagedIdentityClientID != "": - creds := azure.ManagedIdentity{ - ClientID: s.ManagedIdentityClientID, - } - return azure.ConnectWithIdentity(ctx, s.Endpoint, creds) + cred, err = azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{ + ID: azidentity.ClientID(s.ManagedIdentityClientID), + }) default: - return nil, errors.New("edge: failed to connect to Azure KeyVault: no authentication method specified") + cred, err = azidentity.NewDefaultAzureCredential(nil) + } + if err != nil { + return nil, fmt.Errorf("azure: failed to create default Azure credential: %v", err) } + return azure.ConnectWithCredentials(s.Endpoint, cred) } // EntrustKeyControlKeyStore is a structure containing the