diff --git a/go.mod b/go.mod index 06764c1c..6dd408fe 100644 --- a/go.mod +++ b/go.mod @@ -6,8 +6,9 @@ require ( aead.dev/mem v0.2.0 aead.dev/minisign v0.2.1 cloud.google.com/go/secretmanager v1.11.5 - github.com/Azure/go-autorest/autorest v0.11.29 - github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.10.0 + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 + github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0 github.com/aws/aws-sdk-go v1.50.37 github.com/charmbracelet/lipgloss v0.10.0 github.com/fatih/color v1.16.0 @@ -32,25 +33,22 @@ require ( cloud.google.com/go/compute v1.23.3 // indirect cloud.google.com/go/compute/metadata v0.2.3 // indirect cloud.google.com/go/iam v1.1.5 // indirect - github.com/Azure/go-autorest v14.2.0+incompatible // indirect - github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect - github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect - github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect - github.com/Azure/go-autorest/logger v0.2.1 // indirect - github.com/Azure/go-autorest/tracing v0.6.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 // indirect + github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1 // indirect github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/cenkalti/backoff/v3 v3.2.2 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect - github.com/dimchansky/utfbom v1.1.1 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect github.com/go-jose/go-jose/v3 v3.0.1 // indirect github.com/go-logr/logr v1.4.1 // indirect github.com/go-logr/stdr v1.2.2 // indirect - github.com/golang-jwt/jwt/v4 v4.5.0 // indirect + github.com/golang-jwt/jwt/v5 v5.2.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.3 // indirect github.com/google/s2a-go v0.1.7 // indirect + github.com/google/uuid v1.6.0 // indirect github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect github.com/googleapis/gax-go/v2 v2.12.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect @@ -64,6 +62,7 @@ require ( github.com/hashicorp/hcl v1.0.0 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/kr/text v0.2.0 // indirect + github.com/kylelemons/godebug v1.1.0 // indirect github.com/lucasb-eyer/go-colorful v1.2.0 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.20 // indirect @@ -72,6 +71,7 @@ require ( github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/muesli/reflow v0.3.0 // indirect github.com/philhofer/fwd v1.1.2 // indirect + github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect github.com/prometheus/client_model v0.6.0 // indirect github.com/prometheus/procfs v0.12.0 // indirect github.com/rivo/uniseg v0.4.7 // indirect diff --git a/go.sum b/go.sum index aec72c7d..182943c2 100644 --- a/go.sum +++ b/go.sum @@ -14,29 +14,18 @@ cloud.google.com/go/iam v1.1.5 h1:1jTsCu4bcsNsE4iiqNT5SHwrDRCfRmIaaaVFhRveTJI= cloud.google.com/go/iam v1.1.5/go.mod h1:rB6P/Ic3mykPbFio+vo7403drjlgvoWfYpJhMXEbzv8= cloud.google.com/go/secretmanager v1.11.5 h1:82fpF5vBBvu9XW4qj0FU2C6qVMtj1RM/XHwKXUEAfYY= cloud.google.com/go/secretmanager v1.11.5/go.mod h1:eAGv+DaCHkeVyQi0BeXgAHOU0RdrMeZIASKc+S7VqH4= -github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= -github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= -github.com/Azure/go-autorest/autorest v0.11.24/go.mod h1:G6kyRlFnTuSbEYkQGawPfsCswgme4iYf6rfSKUDzbCc= -github.com/Azure/go-autorest/autorest v0.11.29 h1:I4+HL/JDvErx2LjyzaVxllw2lRDB5/BT2Bm4g20iqYw= -github.com/Azure/go-autorest/autorest v0.11.29/go.mod h1:ZtEzC4Jy2JDrZLxvWs8LrBWEBycl1hbT1eknI8MtfAs= -github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= -github.com/Azure/go-autorest/autorest/adal v0.9.22/go.mod h1:XuAbAEUv2Tta//+voMI038TrJBqjKam0me7qR+L8Cmk= -github.com/Azure/go-autorest/autorest/adal v0.9.23 h1:Yepx8CvFxwNKpH6ja7RZ+sKX+DWYNldbLiALMC3BTz8= -github.com/Azure/go-autorest/autorest/adal v0.9.23/go.mod h1:5pcMqFkdPhviJdlEy3kC/v1ZLnQl0MH6XA5YCcMhy4c= -github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 h1:wkAZRgT/pn8HhFyzfe9UnqOjJYqlembgCTi72Bm/xKk= -github.com/Azure/go-autorest/autorest/azure/auth v0.5.12/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg= -github.com/Azure/go-autorest/autorest/azure/cli v0.4.5/go.mod h1:ADQAXrkgm7acgWVUNamOgh8YNrv4p27l3Wc55oVfpzg= -github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 h1:w77/uPk80ZET2F+AfQExZyEWtn+0Rk/uw17m9fv5Ajc= -github.com/Azure/go-autorest/autorest/azure/cli v0.4.6/go.mod h1:piCfgPho7BiIDdEQ1+g4VmKyD5y+p/XtSNqE6Hc4QD0= -github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= -github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= -github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= -github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw= -github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU= -github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg= -github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= -github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= -github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.10.0 h1:n1DH8TPV4qqPTje2RcUBYwtrTWlabVp4n46+74X2pn4= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.10.0/go.mod h1:HDcZnuGbiyppErN6lB+idp4CKhjbc8gwjto6OPpyggM= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 h1:sO0/P7g68FrryJzljemN+6GTssUXdANk6aJ7T1ZxnsQ= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1/go.mod h1:h8hyGFDsU5HMivxiS2iYFZsgDbU9OnnJ163x5UGVKYo= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 h1:LqbJ/WzJUwBf8UiaSzgX7aMclParm9/5Vgp+TY51uBQ= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2/go.mod h1:yInRyqWXAuaPrgI7p70+lDDgh3mlBohis29jGMISnmc= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0 h1:h4Zxgmi9oyZL2l8jeg1iRTqPloHktywWcu0nlJmo1tA= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0/go.mod h1:LgLGXawqSreJz135Elog0ywTJDsm0Hz2k+N+6ZK35u8= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 h1:D3occbWoio4EBLkbkevetNMAVX197GkzbUMtqjGWn80= +github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0/go.mod h1:bTSOgj05NGRuHHhQwAdPnYr9TOdNmKlZTgGLL6nyAdI= +github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1 h1:DzHpqpoJVaCgOUdVHxE8QB52S6NiVdDQvGlny1qvPqA= +github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/aws/aws-sdk-go v1.50.37 h1:gnAf6eYPSTb4QpVwugtWFqD07QXOoX7LewRrtLUx3lI= github.com/aws/aws-sdk-go v1.50.37/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= @@ -59,8 +48,8 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U= -github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= +github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= +github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= @@ -80,10 +69,8 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw= github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= -github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= -github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw= +github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= @@ -114,6 +101,8 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o= github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs= github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas= @@ -150,6 +139,8 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY= github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= @@ -174,6 +165,8 @@ github.com/muesli/termenv v0.15.2 h1:GohcuySI0QmI3wN8Ok9PtKGkgkFIk7y6Vpb5PvrY+Wo github.com/muesli/termenv v0.15.2/go.mod h1:Epx+iuz8sNs7mNKhxzH4fWXGNpZwUaJKRS1noLXviQ8= github.com/philhofer/fwd v1.1.2 h1:bnDivRJ1EWPjUIRXV5KfORO897HTbpFAQddBdE8t7Gw= github.com/philhofer/fwd v1.1.2/go.mod h1:qkPdfjR2SIEbspLqpe1tO4n5yICnr2DY7mqEx2tUTP0= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU= @@ -203,7 +196,6 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/tinylib/msgp v1.1.9 h1:SHf3yoO2sGA0veCJeCBYLHuttAVFHGm2RHgNodW7wQU= @@ -229,9 +221,6 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211209193657-4570a0811e8b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -249,7 +238,6 @@ golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc= golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= @@ -273,14 +261,13 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8= golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -288,7 +275,6 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= -golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= diff --git a/internal/keystore/azure/client.go b/internal/keystore/azure/client.go index 8a0ac5aa..d703d2e4 100644 --- a/internal/keystore/azure/client.go +++ b/internal/keystore/azure/client.go @@ -1,23 +1,19 @@ -// Copyright 2021 - MinIO, Inc. All rights reserved. +// Copyright 2024 - MinIO, Inc. All rights reserved. // Use of this source code is governed by the AGPLv3 // license that can be found in the LICENSE file. package azure import ( - "bytes" "context" - "encoding/json" + "errors" "fmt" "math" "net/http" "path" - "strings" "time" - "aead.dev/mem" - "github.com/Azure/go-autorest/autorest" - xhttp "github.com/minio/kes/internal/http" + "github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets" ) // status represents a KeyVault operation results. @@ -32,9 +28,7 @@ type status struct { } type client struct { - Endpoint string - Authorizer autorest.Authorizer - Client xhttp.Retry + azsecretsClient *azsecrets.Client } // CreateSecret creates a KeyVault secret with @@ -47,47 +41,22 @@ type client struct { // then KeyVault will not return an error but create // another version of the secret with the given value. func (c *client) CreateSecret(ctx context.Context, name, value string) (status, error) { - type Request struct { - Value string `json:"value"` - } - body, err := json.Marshal(Request{ - Value: value, - }) - if err != nil { - return status{}, err - } - - uri := endpoint(c.Endpoint, "secrets", name) + "?api-version=7.2" - req, err := http.NewRequestWithContext(ctx, http.MethodPut, uri, xhttp.RetryReader(bytes.NewReader(body))) + _, err := c.azsecretsClient.SetSecret(ctx, name, azsecrets.SetSecretParameters{ + Value: &value, + }, &azsecrets.SetSecretOptions{}) if err != nil { - return status{}, err - } - req, err = autorest.CreatePreparer(c.Authorizer.WithAuthorization()).Prepare(req) - if err != nil { - return status{}, err - } - req.Header.Set("Content-Type", "application/json") - req.ContentLength = int64(len(body)) - - resp, err := c.Client.Do(req) - if err != nil { - return status{}, err - } - defer resp.Body.Close() - if resp.StatusCode == http.StatusOK { + azResp, ok := transportErrToResponseError(err) + if !ok { + return status{}, err + } return status{ - StatusCode: http.StatusOK, + StatusCode: azResp.StatusCode, + ErrorCode: azResp.ErrorCode, + Message: azResp.errorResponse.Error.Message, }, nil } - - response, err := parseErrorResponse(resp) - if err != nil { - return status{}, err - } return status{ - StatusCode: resp.StatusCode, - ErrorCode: response.Error.Inner.Code, - Message: response.Error.Message, + StatusCode: http.StatusOK, }, nil } @@ -108,78 +77,49 @@ func (c *client) CreateSecret(ctx context.Context, name, value string) (status, // if the secret is disabled, expired or should not // be used, yet. func (c *client) GetSecret(ctx context.Context, name, version string) (string, status, error) { - type Response struct { - Value string `json:"value"` - Attr struct { - Enabled bool `json:"enabled"` - - Expiry int64 `json:"exp"` - NotBefore int64 `json:"nbf"` - Created int64 `json:"created"` - Updated int64 `json:"updated"` - } `json:"attributes"` - } - - uri := endpoint(c.Endpoint, "secrets", name, version) + "?api-version=7.2" - req, err := http.NewRequestWithContext(ctx, http.MethodGet, uri, nil) - if err != nil { + response, err := c.azsecretsClient.GetSecret(ctx, name, version, &azsecrets.GetSecretOptions{}) + if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) { return "", status{}, err } - req, err = autorest.CreatePreparer(c.Authorizer.WithAuthorization()).Prepare(req) if err != nil { - return "", status{}, err - } - - resp, err := c.Client.Do(req) - if err != nil { - return "", status{}, err - } - defer resp.Body.Close() - if resp.StatusCode != http.StatusOK { - response, err := parseErrorResponse(resp) - if err != nil { + azResp, ok := transportErrToResponseError(err) + if !ok { return "", status{}, err } return "", status{ - StatusCode: resp.StatusCode, - ErrorCode: response.Error.Inner.Code, - Message: response.Error.Message, + StatusCode: azResp.StatusCode, + ErrorCode: azResp.ErrorCode, + Message: azResp.errorResponse.Error.Message, }, nil } - - limit := mem.Size(resp.ContentLength) - if limit < 0 || limit > mem.MB { - limit = mem.MB - } - var response Response - if err = json.NewDecoder(mem.LimitReader(resp.Body, limit)).Decode(&response); err != nil { - return "", status{}, err - } - - // A secret may not be enabled, should not be used before a certain date or - // should not be used after a certain date. - if !response.Attr.Enabled { + if response.Attributes.Enabled != nil && !*response.Attributes.Enabled { return "", status{ StatusCode: http.StatusUnprocessableEntity, ErrorCode: "ObjectIsDisabled", - Message: fmt.Sprintf("The secret %q is current disabled and cannot be used", name), + Message: fmt.Sprintf("The secret %q is disabled and cannot be used", name), }, nil } - if response.Attr.NotBefore > 0 && time.Since(time.Unix(response.Attr.NotBefore, 0)) <= 0 { + if response.Attributes.NotBefore != nil && time.Since(*response.Attributes.NotBefore) <= 0 { return "", status{ StatusCode: http.StatusUnprocessableEntity, ErrorCode: "ObjectMustNotBeUsed", - Message: fmt.Sprintf("The secret %q must not be used before %v", name, time.Unix(response.Attr.NotBefore, 0)), + Message: fmt.Sprintf("The secret %q must not be used before %v", name, *response.Attributes.NotBefore), }, nil } - if response.Attr.Expiry > 0 && time.Until(time.Unix(response.Attr.Expiry, 0)) <= 0 { + if response.Attributes.Expires != nil && time.Until(*response.Attributes.Expires) <= 0 { return "", status{ StatusCode: http.StatusUnprocessableEntity, ErrorCode: "ObjectIsExpired", Message: fmt.Sprintf("The secret %q is expired and cannot be used", name), }, nil } - return response.Value, status{ + + if response.Value != nil { + return *response.Value, status{ + StatusCode: http.StatusOK, + }, nil + } + return "", status{ StatusCode: http.StatusOK, }, nil } @@ -195,33 +135,17 @@ func (c *client) GetSecret(ctx context.Context, name, version string) (string, s // even if it returns 200 OK. Instead, the secret may be in // a transition state from "active" to (soft) deleted. func (c *client) DeleteSecret(ctx context.Context, name string) (status, error) { - uri := endpoint(c.Endpoint, "secrets", name) + "?api-version=7.2" - req, err := http.NewRequestWithContext(ctx, http.MethodDelete, uri, nil) + _, err := c.azsecretsClient.DeleteSecret(ctx, name, &azsecrets.DeleteSecretOptions{}) if err != nil { - return status{}, err - } - req, err = autorest.CreatePreparer(c.Authorizer.WithAuthorization()).Prepare(req) - if err != nil { - return status{}, err - } - - resp, err := c.Client.Do(req) - if err != nil { - return status{}, err - } - defer resp.Body.Close() - if resp.StatusCode != http.StatusOK { - if resp.StatusCode != http.StatusOK { - response, err := parseErrorResponse(resp) - if err != nil { - return status{}, err - } - return status{ - StatusCode: resp.StatusCode, - ErrorCode: response.Error.Inner.Code, - Message: response.Error.Message, - }, nil + azResp, ok := transportErrToResponseError(err) + if !ok { + return status{}, err } + return status{ + StatusCode: azResp.StatusCode, + ErrorCode: azResp.ErrorCode, + Message: azResp.errorResponse.Error.Message, + }, nil } return status{ StatusCode: http.StatusOK, @@ -234,34 +158,20 @@ func (c *client) DeleteSecret(ctx context.Context, name string) (status, error) // recovered. Therefore, deleting a KeyVault secret permanently is // a two-step process. func (c *client) PurgeSecret(ctx context.Context, name string) (status, error) { - uri := endpoint(c.Endpoint, "deletedsecrets", name) + "?api-version=7.2" - req, err := http.NewRequestWithContext(ctx, http.MethodDelete, uri, nil) - if err != nil { - return status{}, err - } - req, err = autorest.CreatePreparer(c.Authorizer.WithAuthorization()).Prepare(req) - if err != nil { - return status{}, err - } - - resp, err := c.Client.Do(req) + _, err := c.azsecretsClient.PurgeDeletedSecret(ctx, name, &azsecrets.PurgeDeletedSecretOptions{}) if err != nil { - return status{}, err - } - defer resp.Body.Close() - if resp.StatusCode != http.StatusNoContent { - response, err := parseErrorResponse(resp) - if err != nil { + azResp, ok := transportErrToResponseError(err) + if !ok { return status{}, err } return status{ - StatusCode: resp.StatusCode, - ErrorCode: response.Error.Inner.Code, - Message: response.Error.Message, + StatusCode: azResp.StatusCode, + ErrorCode: azResp.ErrorCode, + Message: azResp.errorResponse.Error.Message, }, nil } return status{ - StatusCode: http.StatusNoContent, + StatusCode: http.StatusOK, }, nil } @@ -273,166 +183,53 @@ func (c *client) PurgeSecret(ctx context.Context, name string) (status, error) { // versions of the given secret. When a secret contains more then 25 // versions GetFirstVersions returns a status with a 422 HTTP error code. func (c *client) GetFirstVersion(ctx context.Context, name string) (string, status, error) { - type Response struct { - Versions []struct { - ID string `json:"id"` - Attr struct { - Enabled bool `json:"enabled"` - Created int64 `json:"created"` - Updated int64 `json:"updated"` - } `json:"attributes"` - } `json:"value"` - - NextLink string `json:"nextLink"` - } - // We only inspect 25 versions as some reasonable default limit. - uri := endpoint(c.Endpoint, "secrets", name, "versions") + "?api-version=7.2&maxresults=25" - req, err := http.NewRequestWithContext(ctx, http.MethodGet, uri, nil) - if err != nil { - return "", status{}, err - } - req, err = autorest.CreatePreparer(c.Authorizer.WithAuthorization()).Prepare(req) - if err != nil { - return "", status{}, err - } - - resp, err := c.Client.Do(req) - if err != nil { - return "", status{}, err - } - defer resp.Body.Close() - if resp.StatusCode != http.StatusOK { - response, err := parseErrorResponse(resp) + pager := c.azsecretsClient.NewListSecretPropertiesVersionsPager(name, &azsecrets.ListSecretPropertiesVersionsOptions{}) + if pager.More() { + page, err := pager.NextPage(ctx) if err != nil { - return "", status{}, err + azResp, ok := transportErrToResponseError(err) + if !ok { + return "", status{}, err + } + return "", status{ + StatusCode: azResp.StatusCode, + ErrorCode: azResp.ErrorCode, + Message: azResp.errorResponse.Error.Message, + }, nil } - return "", status{ - StatusCode: resp.StatusCode, - ErrorCode: response.Error.Inner.Code, - Message: response.Error.Message, - }, nil - } - - const MaxSize = 10 * mem.MiB - limit := mem.Size(resp.ContentLength) - if limit < 0 || limit > MaxSize { - limit = MaxSize - } - - var response Response - if err = json.NewDecoder(mem.LimitReader(resp.Body, limit)).Decode(&response); err != nil { - return "", status{}, err - } - if response.NextLink != "" { - return "", status{ - StatusCode: http.StatusUnprocessableEntity, - ErrorCode: "TooManyObjectVersions", - Message: fmt.Sprintf("There are too many versions of %q.", name), - }, nil - } - if len(response.Versions) == 0 { - return "", status{ - StatusCode: http.StatusNotFound, - ErrorCode: "NoObjectVersions", - Message: fmt.Sprintf("There are no versions of %q.", name), - }, nil - } - var ( - id string // most recent Secret ID - createdAt int64 = math.MaxInt64 // most recent createdAt UNIX timestamp - ) - for _, v := range response.Versions { - if createdAt > v.Attr.Created { - createdAt = v.Attr.Created - id = v.ID + if page.SecretPropertiesListResult.NextLink != nil && *page.SecretPropertiesListResult.NextLink != "" { + return "", status{ + StatusCode: http.StatusUnprocessableEntity, + ErrorCode: "TooManyObjectVersions", + Message: fmt.Sprintf("There are too many versions of %q.", name), + }, nil } - } - return path.Base(id), status{ - StatusCode: http.StatusOK, - }, nil -} - -// ListSecrets returns a set of secrets names and an optional continuation -// link. It supports iterating over all secrets in pages. The returned -// continuation link, if not empty, can be used to obtain the next page -// of secrets. -// -// When starting a list iteration the nextLink should be empty. The returned -// continuation link is empty once there are no more pages. -func (c *client) ListSecrets(ctx context.Context, nextLink string) ([]string, string, status, error) { - type Response struct { - Values []struct { - ID string `json:"id"` - Attr struct{} `json:"attributes"` - } `json:"value"` - NextLink string `json:"nextLink"` - } - - if nextLink == "" { - nextLink = endpoint(c.Endpoint, "secrets") + "?maxresults=25&api-version=7.2" - } - req, err := http.NewRequestWithContext(ctx, http.MethodGet, nextLink, nil) - if err != nil { - return nil, "", status{}, err - } - req, err = autorest.CreatePreparer(c.Authorizer.WithAuthorization()).Prepare(req) - if err != nil { - return nil, "", status{}, err - } - - resp, err := c.Client.Do(req) - if err != nil { - return nil, "", status{}, err - } - defer resp.Body.Close() - if resp.StatusCode != http.StatusOK { - response, err := parseErrorResponse(resp) - if err != nil { - return nil, "", status{}, err + if len(page.SecretPropertiesListResult.Value) == 0 { + return "", status{ + StatusCode: http.StatusNotFound, + ErrorCode: "NoObjectVersions", + Message: fmt.Sprintf("There are no versions of %q.", name), + }, nil } - return nil, "", status{ - StatusCode: resp.StatusCode, - ErrorCode: response.Error.Inner.Code, - Message: response.Error.Message, + var ( + id string // most recent Secret ID + createdAt int64 = math.MaxInt64 // most recent createdAt UNIX timestamp + ) + for _, v := range page.SecretPropertiesListResult.Value { + if v.Attributes != nil && v.Attributes.Created != nil && v.ID != nil { + if createdAt > (*v.Attributes.Created).Unix() { + createdAt = (*v.Attributes.Created).Unix() + id = v.ID.Version() + } + } + } + return path.Base(id), status{ + StatusCode: http.StatusOK, }, nil } - - const MaxSize = 10 * mem.MiB - limit := mem.Size(resp.ContentLength) - if limit < 0 || limit > MaxSize { - limit = MaxSize - } - var response Response - if err = json.NewDecoder(mem.LimitReader(resp.Body, limit)).Decode(&response); err != nil { - return nil, "", status{}, err - } - secrets := make([]string, 0, len(response.Values)) - for _, v := range response.Values { - secrets = append(secrets, path.Base(v.ID)) - } - return secrets, response.NextLink, status{ - StatusCode: http.StatusOK, + return "", status{ + StatusCode: http.StatusNotFound, + ErrorCode: "NoObjectVersions", + Message: fmt.Sprintf("There are no versions of %q.", name), }, nil } - -// endpoint returns an endpoint URL starting with the -// given endpoint followed by the path elements. -// -// For example: -// - endpoint("https://127.0.0.1:7373", "version") => "https://127.0.0.1:7373/version" -// - endpoint("https://127.0.0.1:7373/", "/key/create", "my-key") => "https://127.0.0.1:7373/key/create/my-key" -// -// Any leading or trailing whitespaces are removed from -// the endpoint before it is concatenated with the path -// elements. -// -// The path elements will not be URL-escaped. -func endpoint(endpoint string, elems ...string) string { - endpoint = strings.TrimSpace(endpoint) - endpoint = strings.TrimSuffix(endpoint, "/") - - if len(elems) > 0 && !strings.HasPrefix(elems[0], "/") { - endpoint += "/" - } - return endpoint + path.Join(elems...) -} diff --git a/internal/keystore/azure/error.go b/internal/keystore/azure/error.go index db2fc277..ea89121c 100644 --- a/internal/keystore/azure/error.go +++ b/internal/keystore/azure/error.go @@ -1,4 +1,4 @@ -// Copyright 2021 - MinIO, Inc. All rights reserved. +// Copyright 2024 - MinIO, Inc. All rights reserved. // Use of this source code is governed by the AGPLv3 // license that can be found in the LICENSE file. diff --git a/internal/keystore/azure/key-vault-error.go b/internal/keystore/azure/key-vault-error.go new file mode 100644 index 00000000..49093d09 --- /dev/null +++ b/internal/keystore/azure/key-vault-error.go @@ -0,0 +1,44 @@ +// Copyright 2024 - MinIO, Inc. All rights reserved. +// Use of this source code is governed by the AGPLv3 +// license that can be found in the LICENSE file. + +package azure + +import ( + "net/http" + "reflect" +) + +type responseError struct { + // ErrorCode is the error code returned by the resource provider if available. + ErrorCode string + + // StatusCode is the HTTP status code as defined in https://pkg.go.dev/net/http#pkg-constants. + StatusCode int + + // RawResponse is the underlying HTTP response. + RawResponse *http.Response + + errorResponse errorResponse +} + +// transportErrToResponseError converts a transport error to a ResponseError. +func transportErrToResponseError(terr error) (*responseError, bool) { + if reflect.TypeOf(terr).String() == "*exported.ResponseError" { + tv := reflect.ValueOf(terr).Elem() + ErrorCode := tv.FieldByName("ErrorCode").String() + StatusCode := int(tv.FieldByName("StatusCode").Int()) + RawResponse, ok := tv.FieldByName("RawResponse").Interface().(*http.Response) + var errorResponse errorResponse + if ok { + errorResponse, _ = parseErrorResponse(RawResponse) + } + return &responseError{ + ErrorCode: ErrorCode, + StatusCode: StatusCode, + RawResponse: RawResponse, + errorResponse: errorResponse, + }, true + } + return nil, false +} diff --git a/internal/keystore/azure/key-vault.go b/internal/keystore/azure/key-vault.go index ff0e924a..77fafdbb 100644 --- a/internal/keystore/azure/key-vault.go +++ b/internal/keystore/azure/key-vault.go @@ -1,4 +1,4 @@ -// Copyright 2021 - MinIO, Inc. All rights reserved. +// Copyright 2024 - MinIO, Inc. All rights reserved. // Use of this source code is governed by the AGPLv3 // license that can be found in the LICENSE file. @@ -10,10 +10,13 @@ import ( "fmt" "math/rand" "net/http" + "os" "time" - "github.com/Azure/go-autorest/autorest" - "github.com/Azure/go-autorest/autorest/azure/auth" + "github.com/Azure/azure-sdk-for-go/sdk/azcore" + "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" + "github.com/Azure/azure-sdk-for-go/sdk/azidentity" + "github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets" "github.com/minio/kes" "github.com/minio/kes/internal/keystore" kesdk "github.com/minio/kms-go/kes" @@ -47,7 +50,7 @@ func (s *Store) String() string { return "Azure KeyVault: " + s.endpoint } // Status returns the current state of the Azure KeyVault instance. // In particular, whether it is reachable and the network latency. func (s *Store) Status(ctx context.Context) (kes.KeyStoreState, error) { - req, err := http.NewRequestWithContext(ctx, http.MethodGet, s.client.Endpoint, nil) + req, err := http.NewRequestWithContext(ctx, http.MethodGet, s.endpoint, nil) if err != nil { return kes.KeyStoreState{}, err } @@ -310,25 +313,26 @@ func (s *Store) Get(ctx context.Context, name string) ([]byte, error) { // or when there are no (more) keys starting with the prefix, the // returned prefix is empty func (s *Store) List(ctx context.Context, prefix string, n int) ([]string, string, error) { - var ( - names []string - nextLink string - ) - for { - secrets, link, status, err := s.client.ListSecrets(ctx, nextLink) - if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) { - return nil, "", err - } + var names []string + pager := s.client.azsecretsClient.NewListSecretPropertiesPager(&azsecrets.ListSecretPropertiesOptions{}) + for pager.More() { + page, err := pager.NextPage(ctx) if err != nil { - return nil, "", fmt.Errorf("azure: failed to list keys: %v", err) + if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) { + return nil, "", err + } + azResp, ok := transportErrToResponseError(err) + if !ok { + return nil, "", err + } + return nil, "", fmt.Errorf("azure: failed to list keys: %s (%s)", azResp.ErrorCode, azResp.errorResponse.Error.Message) } - if status.StatusCode != http.StatusOK { - return nil, "", fmt.Errorf("azure: failed to list keys: %s (%s)", status.Message, status.ErrorCode) + for _, v := range page.SecretPropertiesListResult.Value { + if v.ID != nil { + names = append(names, (*v.ID).Name()) + } } - - nextLink = link - names = append(names, secrets...) - if nextLink == "" { + if page.NextLink == nil || *page.NextLink == "" { break } } @@ -341,19 +345,29 @@ func (s *Store) Close() error { return nil } // ConnectWithCredentials tries to establish a connection to a Azure KeyVault // instance using Azure client credentials. func ConnectWithCredentials(_ context.Context, endpoint string, creds Credentials) (*Store, error) { - const Scope = "https://vault.azure.net" - - c := auth.NewClientCredentialsConfig(creds.ClientID, creds.Secret, creds.TenantID) - c.Resource = Scope - token, err := c.ServicePrincipalToken() + os.Setenv("AZURE_CLIENT_ID", creds.ClientID) + os.Setenv("AZURE_CLIENT_SECRET", creds.Secret) + os.Setenv("AZURE_TENANT_ID", creds.TenantID) + cred, err := azidentity.NewDefaultAzureCredential(nil) + if err != nil { + return nil, fmt.Errorf("azure: failed to create default Azure credential: %v", err) + } + azsecretsClient, err := azsecrets.NewClient(endpoint, cred, &azsecrets.ClientOptions{ + ClientOptions: azcore.ClientOptions{ + Retry: policy.RetryOptions{ + MaxRetries: 7, + RetryDelay: 200 * time.Millisecond, + MaxRetryDelay: 800 * time.Millisecond, + }, + }, + }) if err != nil { - return nil, fmt.Errorf("azure: failed to obtain ServicePrincipalToken from client credentials: %v", err) + return nil, fmt.Errorf("azure: failed to create secrets client: %v", err) } return &Store{ endpoint: endpoint, client: client{ - Endpoint: endpoint, - Authorizer: autorest.NewBearerAuthorizer(token), + azsecretsClient: azsecretsClient, }, }, nil } @@ -361,20 +375,28 @@ func ConnectWithCredentials(_ context.Context, endpoint string, creds Credential // ConnectWithIdentity tries to establish a connection to a Azure KeyVault // instance using an Azure managed identity. func ConnectWithIdentity(_ context.Context, endpoint string, msi ManagedIdentity) (*Store, error) { - const Scope = "https://vault.azure.net" - - c := auth.NewMSIConfig() - c.Resource = Scope - c.ClientID = msi.ClientID - token, err := c.ServicePrincipalToken() + cred, err := azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{ + ID: azidentity.ClientID(msi.ClientID), + }) + if err != nil { + return nil, fmt.Errorf("azure: failed to create default Azure credential: %v", err) + } + azsecretsClient, err := azsecrets.NewClient(endpoint, cred, &azsecrets.ClientOptions{ + ClientOptions: azcore.ClientOptions{ + Retry: policy.RetryOptions{ + MaxRetries: 7, + RetryDelay: 200 * time.Millisecond, + MaxRetryDelay: 800 * time.Millisecond, + }, + }, + }) if err != nil { - return nil, fmt.Errorf("azure: failed to obtain ServicePrincipalToken from managed identity: %v", err) + return nil, fmt.Errorf("azure: failed to create secrets client: %v", err) } return &Store{ endpoint: endpoint, client: client{ - Endpoint: endpoint, - Authorizer: autorest.NewBearerAuthorizer(token), + azsecretsClient: azsecretsClient, }, }, nil } diff --git a/internal/keystore/azure/key-vault_test.go b/internal/keystore/azure/key-vault_test.go new file mode 100644 index 00000000..2b36dfe8 --- /dev/null +++ b/internal/keystore/azure/key-vault_test.go @@ -0,0 +1,75 @@ +// Copyright 2024 - MinIO, Inc. All rights reserved. +// Use of this source code is governed by the AGPLv3 +// license that can be found in the LICENSE file. + +package azure + +import ( + "context" + "os" + "testing" +) + +func TestConnectWithCredentials(t *testing.T) { + // endpoint + EndPoint := os.Getenv("EndPoint") + // default credential + ClientID := os.Getenv("ClientID") + TenantID := os.Getenv("TenantID") + Secret := os.Getenv("Secret") + if ClientID == "" || TenantID == "" || Secret == "" || EndPoint == "" { + t.Skip("Skipping test due to missing credentials") + } + ctx := context.Background() + c1, err := ConnectWithCredentials(ctx, EndPoint, Credentials{TenantID: TenantID, ClientID: ClientID, Secret: Secret}) + if err != nil { + return + } + { + // delete first + _ = c1.Delete(ctx, "mytestFirst-c1") + // create + err = c1.Create(ctx, "mytestFirst-c1", []byte("hello")) + if err != nil { + t.Error(err) + } + data, err := c1.Get(ctx, "mytestFirst-c1") + t.Logf("data:[%s] err:[%v]\n", data, err) + + list, s, err := c1.List(ctx, "", 25) + t.Logf("list:[%s] s:[%s] err:[%v]\n", list, s, err) + t.Log("-------------------------------") + } + _ = c1 +} + +func TestConnectWithManagedIdentityCredentials(t *testing.T) { + // endpoint + EndPoint := os.Getenv("EndPoint") + // managed identity credential + ManagedIdentityClientID := os.Getenv("ManagedIdentityClientID") + if ManagedIdentityClientID == "" || EndPoint == "" { + t.Skip("Skipping test due to missing credentials") + } + ctx := context.Background() + c1, err := ConnectWithIdentity(ctx, EndPoint, ManagedIdentity{ClientID: ManagedIdentityClientID}) + if err != nil { + return + } + { + // delete first + _ = c1.Delete(ctx, "mytestFirst-c1-m") + // create + err = c1.Create(ctx, "mytestFirst-c1-m", []byte("hello")) + if err != nil { + t.Error(err) + } + data, err := c1.Get(ctx, "mytestFirst-c1-m") + t.Logf("data:[%s] err:[%v]\n", data, err) + + list, s, err := c1.List(ctx, "", 25) + t.Logf("list:[%s] s:[%s] err:[%v]\n", list, s, err) + t.Log("-------------------------------") + } + _ = c1 +}