feat: add azure authentication

.trunk/trunk.yaml

@@ -1,25 +1,29 @@
 version: 0.1
 cli:
-  version: 1.19.0
+  version: 1.22.8
 plugins:
   sources:
     - id: trunk
-      ref: v1.2.1
+      ref: v1.6.6
       uri: https://github.com/trunk-io/plugins
 lint:
   enabled:
-    - shellcheck@0.9.0
+    - checkov@3.2.352
+    - osv-scanner@1.9.2
+    - renovate@39.106.0
+    - trufflehog@3.88.2
+    - shellcheck@0.10.0
     - gofmt@1.20.4
-    - taplo@0.8.1
-    - gitleaks@8.18.1
-    - actionlint@1.6.26
+    - taplo@0.9.3
+    - gitleaks@8.22.1
+    - actionlint@1.7.6
     - shfmt@3.6.0
     - git-diff-check
-    - prettier@3.2.4
-    - yamllint@1.33.0
-    - golangci-lint@1.55.2
-    - hadolint@2.12.0
-    - markdownlint@0.38.0
+    - prettier@3.4.2
+    - yamllint@1.35.1
+    - golangci-lint@1.63.4
+    - hadolint@2.12.1-beta
+    - markdownlint@0.43.0
   threshold:
     - linters: [markdownlint]
       level: high
@@ -34,7 +38,7 @@ lint:
 runtimes:
   enabled:
     - go@1.21.6
-    - node@18.12.1
+    - node@18.20.5
     - python@3.10.8
 actions:
   enabled:

auth/azure.go

@@ -0,0 +1,57 @@
+package auth
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+
+	"github.com/Azure/go-autorest/autorest"
+	azure "github.com/Azure/go-autorest/autorest/azure/auth"
+)
+
+type AuthType string
+
+type requestBody struct {
+	GrantType string `json:"grant_type"`
+	Jwt       string `json:"jwt,omitempty"`
+}
+
+// Types of supported authentication.
+const (
+	FederatedAzure = AuthType("azure")
+)
+
+// authTypeToGrantType maps authentication type to grant type which will be sent to DSV.
+var authTypeToGrantType = map[AuthType]string{
+	FederatedAzure: "azure",
+}
+
+func (a *authorization) BuildAzureParams() (*requestBody, error) {
+	resource := "https://management.azure.com/"
+	authorizer, err := azure.NewAuthorizerFromEnvironmentWithResource(resource)
+	if err != nil {
+		return nil, fmt.Errorf("create authorizer: %w", err)
+	}
+
+	p := authorizer.WithAuthorization()
+
+	r := &http.Request{}
+	r, err = autorest.CreatePreparer(p).Prepare(r)
+	if err != nil {
+		return nil, fmt.Errorf("generate Azure auth token: %w", err)
+	}
+
+	qualifiedBearer := r.Header.Get("Authorization")
+	lenPrefix := len("Bearer ")
+	if len(qualifiedBearer) < lenPrefix {
+		return nil, errors.New("received invalid bearer token")
+	}
+	bearer := qualifiedBearer[lenPrefix:]
+
+	data := &requestBody{
+		GrantType: authTypeToGrantType[FederatedAzure],
+		Jwt:       bearer,
+	}
+
+	return data, nil
+}

example/azure/README.md

@@ -0,0 +1,97 @@
+# Authentication: Azure
+
+You can use the DSV web UI or the DSV cli to configure authentication using Azure.
+For this doc we will use the DSV cli.
+
+Run <br />
+`dsv config auth-provider search -e yaml`
+<br />
+to see all of your current authentication providers.
+
+Initially, the only authentication provider is Thycotic One, similar to this:
+
+```
+created: "2019-11-11T20:29:20Z"
+createdBy: users:thy-one:admin@company.com
+id: xxxxxxxxxxxxxxxxxxxx
+lastModified: "2020-05-18T03:58:15Z"
+lastModifiedBy: users:thy-one:admin@company.com
+name: thy-one
+properties:
+ baseUri: https://login.thycotic.com/
+ clientId: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ clientSecret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+type: thycoticone
+version: "0"
+```
+
+## Azure Authentication Provider
+
+To add an Azure account to act as an authentication provider:<br />
+`dsv config auth-provider create --name <name> --type azure --azure-tenant-id <Azure tenant ID>`
+where:
+
+- name is the friendly name used in DSV to reference this provider
+- type is the authentication provider type; in this case, azure
+- the property flag for Azure is `--azure-tenant-id`
+
+To view the resulting addition to the config file, you would use:<br />
+`dsv config auth-provider <name> read -e yaml` <br />
+where the example name we will use here is azure-prod
+
+The readout would look similar to this:
+
+```
+created: "2019-11-12T18:34:49Z"
+createdBy: users:thy-one:admin@company.com
+-id: xxxxxxxxxxxxxxxxxxxxx
+lastModified: "2020-05-18T03:58:15Z"
+lastModifiedBy: users:thy-one:admin@company.com
+name: azure-prod
+properties:
+ tenantId: xxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+type: azure
+version: "0"
+```
+
+## Azure User Assigned MSI Example
+
+First you will need to configure the User that corresponds to an [Azure User Assigned MSI](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview).
+The username is a friendly name within DSV. It does not have to match the MSI username, but the provider must match the resource id of the MSI in Azure.<br />
+`dsv user create --username test-api --provider azure-prod --external-id /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/build/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-api`<br />
+
+## DSV Azure code example
+
+```
+package main
+
+import (
+	"fmt"
+	"log"
+	"os"
+
+	"github.com/DelineaXPM/dsv-sdk-go/v2/auth"
+	"github.com/DelineaXPM/dsv-sdk-go/v2/vault"
+)
+
+// Azure authentication example
+func main() {
+	dsv, err := vault.New(vault.Configuration{
+		Credentials: vault.ClientCredential{
+			ClientID:     os.Getenv("AZURE_CLIENT_ID"), // CLIENT_ID of the MSI identity you wish to use
+		},
+		Tenant: os.Getenv("DSV_TENANT"), // your tenant name
+		TLD:    os.Getenv("DSV_TLD"), // defaults to com change if your domain is au, eu etc
+		Provider: auth.AZURE, // required to enable Azure authentication
+	})
+	if err != nil {
+		log.Fatalf("failed to configure vault: %v", err)
+	}
+
+	secret, err := dsv.Secret("<secret path or ID")
+	if err != nil {
+		log.Fatalf("failed to fetch secret: %v", err)
+	}
+	fmt.Printf("\nsecret data: %v\n\n", secret.Data)
+}
+```

example/azure/client_azure.go

@@ -0,0 +1,31 @@
+package main
+
+import (
+	"fmt"
+	"log"
+	"os"
+
+	"github.com/DelineaXPM/dsv-sdk-go/v2/auth"
+	"github.com/DelineaXPM/dsv-sdk-go/v2/vault"
+)
+
+// Azure authentication example
+func main() {
+	dsv, err := vault.New(vault.Configuration{
+		Credentials: vault.ClientCredential{
+			ClientID: os.Getenv("AZURE_CLIENT_ID"), // CLIENT_ID of the MSI identity you wish to use
+		},
+		Tenant:   os.Getenv("DSV_TENANT"), // your tenant name
+		TLD:      os.Getenv("DSV_TLD"),    // defaults to com change if your domain is au, eu etc
+		Provider: auth.AZURE,              // required to enable Azure authentication
+	})
+	if err != nil {
+		log.Fatalf("failed to configure vault: %v", err)
+	}
+
+	secret, err := dsv.Secret("<secret path or ID")
+	if err != nil {
+		log.Fatalf("failed to fetch secret: %v", err)
+	}
+	fmt.Printf("\nsecret data: %v\n\n", secret.Data)
+}

go.mod

@@ -3,31 +3,52 @@ module github.com/DelineaXPM/dsv-sdk-go/v2
 go 1.21
 
 require (
-	github.com/aws/aws-sdk-go v1.50.3
+	github.com/Azure/go-autorest/autorest v0.11.29
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.13
+	github.com/aws/aws-sdk-go v1.53.8
 	github.com/magefile/mage v1.15.0
-	github.com/pterm/pterm v0.12.76
+	github.com/pterm/pterm v0.12.79
 	github.com/sheldonhull/magetools v1.0.1
 )
 
 require (
 	atomicgo.dev/cursor v0.2.0 // indirect
 	atomicgo.dev/keyboard v0.2.9 // indirect
 	atomicgo.dev/schedule v0.1.0 // indirect
-	github.com/bitfield/script v0.22.0 // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.22 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.1 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/bitfield/script v0.22.1 // indirect
 	github.com/containerd/console v1.0.3 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/frankban/quicktest v1.14.6 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/gookit/color v1.5.4 // indirect
-	github.com/itchyny/gojq v0.12.12 // indirect
+	github.com/itchyny/gojq v0.12.13 // indirect
 	github.com/itchyny/timefmt-go v0.1.5 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/lithammer/fuzzysearch v1.1.8 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
+	github.com/stretchr/testify v1.9.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	github.com/ztrue/tracerr v0.4.0 // indirect
-	golang.org/x/mod v0.10.0 // indirect
-	golang.org/x/sys v0.16.0 // indirect
-	golang.org/x/term v0.16.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
-	mvdan.cc/sh/v3 v3.6.0 // indirect
+	golang.org/x/crypto v0.23.0 // indirect
+	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
+	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/sys v0.20.0 // indirect
+	golang.org/x/term v0.20.0 // indirect
+	golang.org/x/text v0.15.0 // indirect
+	golang.org/x/tools v0.17.0 // indirect
+	gopkg.in/yaml.v2 v2.3.0 // indirect
+	mvdan.cc/sh/v3 v3.7.0 // indirect
 )