armrest 0.2.1 → 0.2.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8fa3acf6609a37ab249c81102bb915108499631571af0b5884c4d66b33f28376
-  data.tar.gz: 3691659a2058ccd4944397cad38a9c22194fdc96afb89288e6f21957aa2b2131
+  metadata.gz: 24b470eeaa9f31c4bcc4efa090b045b0ff58d3de74999af265a95cbe3d96d09a
+  data.tar.gz: 94aa0baf6c919f13788cf577440a0a071737ed85cdcfe7fec54438ab9ae36ebc
 SHA512:
-  metadata.gz: bf768b1fb7c039488df49baa4e9d68cf6af33db34d238ec49d8063dd215b2b82d8abe8a39b8d04d3806f9c3874aa7d1623992f8e1bd689f8ccff49b2ffcfcbc0
-  data.tar.gz: 17d2bd2bacc9ed0727cca2d9c5b870e0557c86a32aed60af2c10bc73ccb55e0832d08e7343fa6534bb4b33375f309b2ce286921d74362d0f766dec113ae71df8
+  metadata.gz: 140df22800c83018178cc845d41c1bfd82b6129c250a993eadeb8df749396beff3059e2f41c89f0d92ef6b265c69c47fe59c0250d94b6f8ff94eae1f33afbaf2
+  data.tar.gz: 825260ac4874f45aba874b55c22f93cbf7f24251abb91347e15c1c8e476a27d4885feed2975aa7630ec931f57568ae3539bad782b7d267858c8498d25995fc38

data/CHANGELOG.md

@@ -3,6 +3,14 @@
 All notable changes to this project will be documented in this file.
 This project *loosely tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
 
+## [0.2.3] - 2025-06-25
+- [#9](https://github.com/boltops-tools/armrest/pull/9) Add OIDC authentication provider and update changelog for 0.2.3 release
+- Add federated workload identity support via OIDC auth provider.
+- Update app_credentials method to bypass app_credentials when ARM_USE_OIDC is true
+
+## [0.2.2] - 2023-12-31
+- [#8](https://github.com/boltops-tools/armrest/pull/8) cli auth scope for vault secrets
+
 ## [0.2.1] - 2023-12-22
 - [#6](https://github.com/boltops-tools/armrest/pull/6) Adjust the AZ timeout
 

data/README.md

@@ -35,19 +35,39 @@ Refer to the [boltops-tools/terraspace_plugin_azurerm](https://github.com/boltop
 
 ## Usage: CLI
 
-The main purpose of gem is to be a Ruby library that Terraspace can interact with.  The CLI interface was only built to help quickly test the code with live resources. It's essentially a way to QA.  Here are some examples:
+The main purpose of gem is to be a Ruby library that Terraspace can interact with. The CLI interface was only built to help quickly test the code with live resources. It's essentially a way to QA. Here are some examples:
 
 Auth:
 
     armrest auth app
     armrest auth msi
     armrest auth cli
+    armrest auth oidc
 
-The auth chain is: app -> msi -> cli
+The auth chain is: app -> msi -> cli -> oidc
 
-    armrest auth
+You can disable MSI with `ARMREST_DISABLE_MSI=1`, and you can also enable or disable OIDC explicitly using environment variables (`ARM_USE_OIDC` or `AZURE_USE_OIDC`).
 
-You can disable MSI with `ARMREST_DISABLE_MSI=1`.
+### OIDC Authentication
+
+The OIDC authentication provider allows you to authenticate using OpenID Connect tokens. This is particularly useful for environments like GitHub Actions or Azure DevOps pipelines.
+
+#### Configuration
+
+You can configure OIDC authentication using the following environment variables:
+
+* `ARM_OIDC_TOKEN` or `AZURE_OIDC_TOKEN`: Directly provide the OIDC token.
+* `ARM_OIDC_TOKEN_FILE_PATH` or `AZURE_OIDC_TOKEN_FILE_PATH`: Path to a file containing the OIDC token.
+* `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN`: GitHub Actions OIDC credentials.
+* `SYSTEM_OIDCREQUESTURI` and `SYSTEM_ACCESSTOKEN`: Azure DevOps OIDC credentials.
+
+#### Example
+
+To use OIDC authentication, set the required environment variables and run:
+
+    armrest auth oidc
+
+This will acquire an OIDC token and exchange it for an Azure access token.
 
 Resource Group:
 
@@ -74,4 +94,6 @@ Add to your Gemfile
 
 Gemfile
 
-    gem "armrest"
+```ruby
+gem "armrest"
+```

data/lib/armrest/api/auth/cli.rb

@@ -22,10 +22,12 @@ module Armrest::Api::Auth
       data.deep_transform_keys { |k| k.underscore } # to normalize the structure to the other classes
     end
 
-    # Looks like az account get-access-token caches the toke in ~/.azure/accessTokens.json
-    # and will update it only when it expires. So dont think we need to handle caching
+    # The az cli command itself has it's own caching. So dont think we need to handle caching
     def get_access_token
       command = "az account get-access-token -o json"
+      if resource.include?("vault.azure.net")
+        command += " --scope https://vault.azure.net/.default"
+      end
       logger.debug "command: #{command}"
       out = `#{command}`
       if $?.success?

data/lib/armrest/api/auth/oidc.rb

@@ -0,0 +1,190 @@
+module Armrest::Api::Auth
+  # OIDC authentication provider for Azure
+  class OIDC < Base
+    include Armrest::Logging
+
+    # Check if OIDC authentication is configured via environment variables
+    def self.configured?
+      # Check for ARM_USE_OIDC explicit flag
+      use_oidc = ENV['ARM_USE_OIDC'] || ENV['AZURE_USE_OIDC']
+      use_oidc = use_oidc.downcase if use_oidc
+      case use_oidc
+      when 'false' then return false
+      when 'true'  then return true
+      when nil
+        return false
+      else
+        logger.warn "Unrecognized OIDC flag value: #{use_oidc}"
+      end
+    end
+
+    # Initialize with required Azure credentials
+    def initialize(options = {})
+      super
+      @client_id = options[:client_id] || ENV['ARM_CLIENT_ID'] || ENV['AZURE_CLIENT_ID']
+      @tenant_id = options[:tenant_id] || ENV['ARM_TENANT_ID'] || ENV['AZURE_TENANT_ID']
+      @subscription_id = options[:subscription_id] || ENV['ARM_SUBSCRIPTION_ID'] || ENV['AZURE_SUBSCRIPTION_ID']
+      
+      # Service connection ID for Azure DevOps
+      @service_connection_id = options[:service_connection_id] || 
+                                ENV['ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID'] || 
+                                ENV['ARM_OIDC_AZURE_SERVICE_CONNECTION_ID']
+      
+      # Debug logging
+      logger.debug "Initialized OIDC Auth Provider with client_id: #{@client_id}, tenant_id: #{@tenant_id}"
+    end
+
+    # Get the authentication token
+    def token
+      @token ||= acquire_token
+    end
+
+    # Get the credentials
+    def creds
+      return @creds if @creds
+      token_info = acquire_token
+      @creds = {
+        'access_token' => token_info['access_token'],
+        'expires_on'   => (Time.now.to_i + token_info['expires_in'].to_i).to_s,
+        'token_type'   => token_info['token_type'] || 'Bearer'
+      }
+    end
+
+    private
+
+    # Acquire token using OIDC flow
+    def acquire_token
+      # First, try to get the OIDC token from various sources
+      oidc_token = get_oidc_token
+      
+      unless oidc_token
+        raise Armrest::Error, "Failed to acquire OIDC token from any source"
+      end
+
+      # Exchange OIDC token for an Azure access token
+      exchange_token_for_access_token(oidc_token)
+    end
+
+    # Get OIDC token from various sources
+    def get_oidc_token
+      # Try direct token
+      return ENV['ARM_OIDC_TOKEN'] || ENV['AZURE_OIDC_TOKEN'] if ENV['ARM_OIDC_TOKEN'] || ENV['AZURE_OIDC_TOKEN']
+      
+      # Try token file
+      token_file = ENV['ARM_OIDC_TOKEN_FILE_PATH'] || ENV['AZURE_OIDC_TOKEN_FILE_PATH']
+      if token_file && File.exist?(token_file)
+        begin
+          return File.read(token_file).strip
+        rescue => e
+          logger.error "Failed to read token file: #{e.message}"
+          return nil
+        end
+      end
+      
+      # Try GitHub Actions
+      if ENV['ACTIONS_ID_TOKEN_REQUEST_URL'] && ENV['ACTIONS_ID_TOKEN_REQUEST_TOKEN']
+        return request_github_actions_token
+      end
+      
+      # Try custom request URL/token
+      if ENV['ARM_OIDC_REQUEST_URL'] && ENV['ARM_OIDC_REQUEST_TOKEN']
+        return request_token_from_provider(
+          ENV['ARM_OIDC_REQUEST_URL'],
+          ENV['ARM_OIDC_REQUEST_TOKEN']
+        )
+      end
+      
+      # Try Azure DevOps
+      if ENV['SYSTEM_OIDCREQUESTURI'] && ENV['SYSTEM_ACCESSTOKEN']
+        return request_token_from_provider(
+          ENV['SYSTEM_OIDCREQUESTURI'],
+          ENV['SYSTEM_ACCESSTOKEN']
+        )
+      end
+      
+      nil
+    end
+
+    # Request token from GitHub Actions
+    def request_github_actions_token
+      request_token_from_provider(
+        ENV['ACTIONS_ID_TOKEN_REQUEST_URL'],
+        ENV['ACTIONS_ID_TOKEN_REQUEST_TOKEN']
+      )
+    end
+
+    # Generic function to request a token from a provider
+    def request_token_from_provider(url, token)
+      require 'net/http'
+      require 'json'
+      require 'uri'
+      
+      uri = URI.parse(url)
+      unless uri.scheme == 'https'
+        logger.error "Insecure request URL detected: #{url}"
+        return nil
+      end
+      
+      request = Net::HTTP::Get.new(uri)
+      request['Authorization'] = "Bearer #{token}"
+      request['Accept'] = 'application/json'
+      
+      response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == 'https') do |http|
+        http.request(request)
+      end
+      
+      if response.is_a?(Net::HTTPSuccess)
+        json_response = JSON.parse(response.body)
+        return json_response['value']
+      else
+        logger.error "Failed to get OIDC token: #{response.code} - #{response.body}"
+        nil
+      end
+    end
+
+    # Exchange OIDC token for Azure access token
+    def exchange_token_for_access_token(oidc_token)
+      require 'net/http'
+      require 'json'
+      require 'uri'
+      
+      token_endpoint = "https://login.microsoftonline.com/#{@tenant_id}/oauth2/v2.0/token"
+      
+      uri = URI.parse(token_endpoint)
+      request = Net::HTTP::Post.new(uri)
+      request['Content-Type'] = 'application/x-www-form-urlencoded'
+      
+      # Prepare form data
+      form_data = {
+        'client_id' => @client_id,
+        'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+        'client_assertion' => oidc_token,
+        'grant_type' => 'client_credentials',
+        'scope' => 'https://management.azure.com/.default'
+      }
+      
+      # Add service connection ID for Azure DevOps if available
+      form_data['service_connection_id'] = @service_connection_id if @service_connection_id
+      
+      request.set_form_data(form_data)
+      
+      # Debug logging
+      logger.debug "Exchanging OIDC token for access token with endpoint: #{token_endpoint}"
+      
+      response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == 'https') do |http|
+        http.request(request)
+      end
+      
+      if response.is_a?(Net::HTTPSuccess)
+        json_response = JSON.parse(response.body)
+        logger.debug "Received access token (expires in #{json_response['expires_in']} seconds)"
+        # Return the entire JSON so the caller can read token_type, expires_in, etc.
+        return json_response
+      else
+        error_message = "Failed to exchange OIDC token: #{response.code} - #{response.body}"
+        logger.error error_message
+        raise Armrest::Error, error_message
+      end
+    end
+  end
+end

data/lib/armrest/auth.rb

@@ -2,7 +2,7 @@ module Armrest
   class Auth
     include Armrest::Logging
 
-    def initialize(options={})
+    def initialize(options = {})
       @options = options
     end
 
@@ -17,24 +17,32 @@ module Armrest
       nil
     end
 
-  private
+    private
+
     def providers
       if @options[:type]
         ["#{@options[:type]}_credentials"]
       else # full chain
         [
           :app_credentials,
+          :oidc_credentials,
           :msi_credentials,
-          :cli_credentials,
+          :cli_credentials
         ]
       end
     end
 
     def app_credentials
-      return unless ENV['ARM_CLIENT_ID'] || ENV['AZURE_CLIENT_ID']
+      return unless ENV["ARM_CLIENT_ID"] || ENV["AZURE_CLIENT_ID"]
+      return if %w[1 true yes].include?(ENV["ARM_USE_OIDC"])
       Armrest::Api::Auth::Login.new(@options)
     end
 
+    def oidc_credentials
+      return unless Armrest::Api::Auth::OIDC.configured?
+      Armrest::Api::Auth::OIDC.new(@options)
+    end
+
     def msi_credentials
       api = Armrest::Api::Auth::Metadata.new(@options)
       api if api.available?

data/lib/armrest/autoloader.rb

@@ -9,7 +9,7 @@ module Armrest
       end
 
       def self.camelize_map
-        { cli: "CLI", msi: "MSI", version: "VERSION" }
+        { cli: "CLI", oidc: "OIDC", msi: "MSI", version: "VERSION" }
       end
     end
 

data/lib/armrest/cli/help/auth.md

@@ -0,0 +1,9 @@
+## Examples
+
+    armrest auth
+    armrest auth app
+    armrest auth msi
+    armrest auth cli
+    armrest auth oidc
+
+When using "armrest auth oidc", the OIDC provider is used if configured. Otherwise, it will report "Unable to authenticate".

data/lib/armrest/cli.rb

@@ -23,7 +23,7 @@ module Armrest
     long_desc Help.text(:storage_account)
     subcommand "storage_account", StorageAccount
 
-    desc "auth [TYPE]", "Auth to Azure API. When type is not provided the full credentials chain is checked"
+    desc "auth [TYPE]", "Auth to Azure API. When TYPE is not provided, the full credentials chain is checked. Available TYPEs: app, msi, cli, oidc."
     long_desc Help.text(:auth)
     def auth(type=nil)
       Auth.new(options.merge(type: type)).run

data/lib/armrest/version.rb

@@ -1,3 +1,3 @@
 module Armrest
-  VERSION = "0.2.1"
+  VERSION = "0.2.3"
 end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: armrest
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.2.3
 platform: ruby
 authors:
 - Tung Nguyen
-autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-12-22 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -192,7 +191,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: 
 email:
 - tongueroo@gmail.com
 executables:
@@ -215,6 +213,7 @@ files:
 - lib/armrest/api/auth/cli.rb
 - lib/armrest/api/auth/login.rb
 - lib/armrest/api/auth/metadata.rb
+- lib/armrest/api/auth/oidc.rb
 - lib/armrest/api/base.rb
 - lib/armrest/api/handle_response.rb
 - lib/armrest/api/main.rb
@@ -230,6 +229,7 @@ files:
 - lib/armrest/cli/blob_container.rb
 - lib/armrest/cli/blob_service.rb
 - lib/armrest/cli/help.rb
+- lib/armrest/cli/help/auth.md
 - lib/armrest/cli/help/blob_service/set_properties.md
 - lib/armrest/cli/help/completion.md
 - lib/armrest/cli/help/completion_script.md
@@ -257,7 +257,6 @@ homepage: https://github.com/boltops-tools/armrest
 licenses:
 - Apache-2.0
 metadata: {}
-post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -272,8 +271,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.20
-signing_key: 
+rubygems_version: 3.6.7
 specification_version: 4
 summary: Ruby Azure REST API Library
 test_files: