MSAL and OIDC support #2308

Closed
wants to merge 26 commits into from
eb30a41
Upgrade auth stack to latest versions
thomas11 Aug 26, 2022
083a045
Factor details of auth better, extra nil check for safety
thomas11 Oct 3, 2022
ab4f7b1
[WIP] Cherry-pick MSAL changes from tkappler/upgrade-azure-helpers.
thomas11 Oct 5, 2022
b502903
Move auth code into its own file
thomas11 Oct 5, 2022
1f0e274
Use correct audience for MSAL Key Vault token #1566
thomas11 Oct 7, 2022
2d27137
Dependency upgrades
thomas11 Oct 10, 2022
dc6b427
Add OIDC config to auth builder creation
thomas11 Feb 7, 2023
23fc749
Temporarily use oidc-test client id and comment client secret to test…
thomas11 Feb 7, 2023
b963e62
need to set ARM_USE_OIDC
thomas11 Feb 7, 2023
b5acb2f
Need UseMicrosoftGraph and write permissions for JWT token
thomas11 Feb 7, 2023
4a37ee7
Temporarily add back some Q logging
thomas11 Feb 9, 2023
cd7e4a0
Split off OIDC test
thomas11 Feb 9, 2023
284bfbb
try to cat q.Q output
thomas11 Feb 9, 2023
e970e89
Rework build tags
thomas11 Feb 9, 2023
d1112fb
Name short test runs accordingly
thomas11 Feb 9, 2023
104c50f
Try echo-ing q.Q again
thomas11 Feb 9, 2023
60b1b16
Fix oidc-only test build
thomas11 Feb 9, 2023
4d2e5c9
Test via az cli as well, get q.Q logs after failures
thomas11 Feb 10, 2023
0396389
Allow the CLI test to fail for now so we get more overall results.
thomas11 Feb 10, 2023
aad5bba
regenerate stuff after rebasing
thomas11 Feb 10, 2023
f3c2c95
Don't need the cli for OICD
thomas11 Mar 15, 2023
12fdd2e
Sync azure-rest-api-specs with master after rebase
thomas11 Mar 15, 2023
76a0f0c
Fall back to ADAL when the CLI is used for auth
thomas11 Mar 15, 2023
cca3737
Different test for az cli, remove q.Q
thomas11 Mar 16, 2023
adff53f
Remove q.Q support from GH action, run nodejs only OIDC tests
thomas11 Mar 16, 2023
d29f8f2
Comment the OIDC via cli test that's not fully supported
thomas11 Mar 17, 2023
41 changes: 40 additions & 1 deletion .github/workflows/build-test.yml
Expand Up @@ -33,6 +33,10 @@ env:
ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
PULUMI_API: https://api.pulumi-staging.io

# Required for OIDC auth
permissions:
id-token: write

jobs:
prerequisites:
runs-on: ubuntu-latest
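
Review bot: The `permissions:` block is declared at workflow level, above `jobs:`, so `id-token: write` applies to every job starting with `prerequisites` rather than only to the job that runs the OIDC tests. Move it under that job so that only the steps that need a federated token can request one. Once any permission is declared, GitHub sets every scope that is not listed to `none`, so if a job relies on another GITHUB_TOKEN scope (for example `contents: read`), list it explicitly next to `id-token: write`.
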
Expand Down Expand Up @@ -134,17 +138,52 @@ jobs:
repo: GoTestTools/gotestfmt

- name: Run tests
env:
TMPDIR: ${{ runner.temp }}
if: "!inputs.short_test"
run: |
set -euo pipefail
cd examples && go test -v -json -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt

- name: Run tests
- name: Run short tests
if: inputs.short_test
run: |
set -euo pipefail
cd examples && go test -v -json -count=1 -cover -timeout 15m -short -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt

- name: Run OIDC tests
if: ${{ matrix.language == 'nodejs' }}
env:
ARM_USE_OIDC: true
ARM_CLIENT_SECRET: ""
# tkappler oidc-test - temporary unless our main app is OIDC-enabled
ARM_CLIENT_ID: 89380e12-5be6-486a-89ef-eea107af2f47
TMPDIR: ${{ runner.temp }}
run: |
set -euo pipefail
cd examples
go test -v -json -count=1 -cover -timeout 15m -tags=${{ matrix.language }},oidc -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt

### tkappler: OIDC via the 'az' cli is generally possible, but the current implementation in
### our dependecies doesn't support it.
# - name: Log in via az CLI for OIDC tests
# if: ${{ matrix.language == 'nodejs' }}
# uses: azure/login@v1
# with:
# # tkappler oidc-test - temporary unless our main app is OIDC-enabled
# client-id: 89380e12-5be6-486a-89ef-eea107af2f47
# tenant-id: ${{ env.ARM_TENANT_ID }}
# subscription-id: ${{ env.ARM_SUBSCRIPTION_ID }}
# - name: Run OIDC tests via az cli
# if: ${{ matrix.language == 'nodejs' }}
# env:
# ARM_CLIENT_SECRET: ""
# TMPDIR: ${{ runner.temp }}
# run: |
# set -euo pipefail
# cd examples
# go test -v -json -count=1 -cover -timeout 15m -tags=${{ matrix.language }},oidc -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt

- name: Tar SDK folder
if: ${{ matrix.language != 'go' }}
run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
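
Review bot: In the new `Run OIDC tests` step, `ARM_CLIENT_ID` is hard-coded to an app registration that its own comment calls temporary (`tkappler oidc-test`); read it from a repository variable or secret so the workflow does not depend on a personal test app after merge and the ID can be changed without a code change. The step has no `inputs.short_test` condition, so it runs in both short and full runs, and it pipes through `tee /tmp/gotest.log`, which overwrites the log written by the preceding test step; write to a separate file if the earlier log is needed afterwards. The commented-out `az` CLI steps would be better tracked in an issue than kept in the workflow, and `dependecies` in that comment should read `dependencies`.
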
33 changes: 33 additions & 0 deletions examples/examples_nodejs_keyvault_test.go
@@ -0,0 +1,33 @@
// Copyright 2016-2020, Pulumi Corporation. All rights reserved.
//go:build nodejs || (nodejs && oidc) || all

package examples

import (
"github.com/pulumi/pulumi/pkg/v3/testing/integration"
"path/filepath"
"testing"
)

func TestAccKeyVaultTs(t *testing.T) {
skipIfShort(t)
test := getJSBaseOptions2(t).
With(integration.ProgramTestOptions{
Dir: filepath.Join(getCwd(t), "keyvault"),
})

integration.ProgramTest(t, &test)
}

// A copy of getJSBaseOptions from examples_nodejs_test.go because that one
// isn't built when testing with tag=oidc
func getJSBaseOptions2(t *testing.T) integration.ProgramTestOptions {
base := getBaseOptions(t)
baseJS := base.With(integration.ProgramTestOptions{
Dependencies: []string{
"@pulumi/azure-native",
},
})

return baseJS
}
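
Review bot: The build constraint `nodejs || (nodejs && oidc) || all` has a redundant middle term: anything that satisfies `nodejs && oidc` already satisfies `nodejs`, so the expression is equivalent to `nodejs || all`. If the extra term is only there to document that this file is part of the OIDC run, a comment says that more clearly. `getJSBaseOptions2` exists only because of build tags, per its own comment; moving the original `getJSBaseOptions` into a file that is built under both tag sets would avoid two copies drifting apart. The import block should also follow the usual Go grouping, with `path/filepath` and `testing` first and the `github.com/pulumi/...` import in a separate group.
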
13 changes: 1 addition & 12 deletions examples/examples_nodejs_test.go
@@ -1,6 +1,5 @@
// Copyright 2016-2020, Pulumi Corporation. All rights reserved.
//go:build nodejs || all
// +build nodejs all
//go:build (nodejs && !oidc) || all

package examples

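Review bot: The new constraint `(nodejs && !oidc) || all` removes every test and helper in this file from the `-tags=nodejs,oidc` run, which is what forces the helper copy in the Key Vault test file, and it still builds the file under `all` even when `oidc` is set, so an `all,oidc` run would execute these tests with OIDC auth. Add a short comment above the constraint stating which of those behaviours is intended. Dropping the `// +build nodejs all` line is fine only if the repository no longer needs to build with Go versions older than 1.17, which ignore `//go:build`.
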
Expand Down Expand Up @@ -43,16 +42,6 @@ func TestAccCosmosDBTs(t *testing.T) {
integration.ProgramTest(t, &test)
}

func TestAccKeyVaultTs(t *testing.T) {
skipIfShort(t)
test := getJSBaseOptions(t).
With(integration.ProgramTestOptions{
Dir: filepath.Join(getCwd(t), "keyvault"),
})

integration.ProgramTest(t, &test)
}

func TestAccSimpleTs(t *testing.T) {
skipIfShort(t)
test := getJSBaseOptions(t).