Manual client secrets on azure

This commit is contained in:
katexochen 2022-08-29 14:18:05 +02:00 committed by Paul Meyer
parent 1861dc2744
commit 10e5249631
11 changed files with 84 additions and 80 deletions


@ -17,6 +17,7 @@ import (
"github.com/edgelesssys/constellation/cli/internal/cloudcmd"
"github.com/edgelesssys/constellation/cli/internal/gcp"
"github.com/edgelesssys/constellation/cli/internal/helm"
"github.com/edgelesssys/constellation/internal/azureshared"
"github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
"github.com/edgelesssys/constellation/internal/cloud/cloudtypes"
"github.com/edgelesssys/constellation/internal/config"
@ -349,7 +350,13 @@ func getMarschaledServiceAccountURI(provider cloudprovider.Provider, config *con
return key.ToCloudServiceAccountURI(), nil
case cloudprovider.Azure:
return "", fmt.Errorf("TODO")
creds := azureshared.ApplicationCredentials{
TenantID: config.Provider.Azure.TenantID,
AppClientID: config.Provider.Azure.AppClientID,
ClientSecretValue: config.Provider.Azure.ClientSecretValue,
Location: config.Provider.Azure.Location,
}
return creds.ToCloudServiceAccountURI(), nil
case cloudprovider.QEMU:
return "", nil // QEMU does not use service account keys
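Review bot: The Azure branch copies `TenantID`, `AppClientID` and `ClientSecretValue` from the config into the service-account URI without checking that any of them is set, so a config with a missing or empty client secret still produces a well-formed URI and the failure presumably only surfaces later, when the cluster first tries to authenticate, rather than at init where the user can fix it. A guard ahead of `return creds.ToCloudServiceAccountURI(), nil` keeps the error local: `if creds.TenantID == "" || creds.AppClientID == "" || creds.ClientSecretValue == "" { return "", fmt.Errorf("azure: tenantID, appClientID and clientSecretValue must all be set in the config") }` (`fmt` was used by the removed TODO line and is presumably still imported). The returned string now carries a live credential, so any caller that logs or prints the URI for debugging should be audited, and it is worth confirming that `ToCloudServiceAccountURI` and its consumers do not echo the secret in error messages. The enclosing `getMarschaledServiceAccountURI` begins before the hunk.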


@ -87,12 +87,8 @@ func TestInitialize(t *testing.T) {
initServerAPI: &stubInitServer{initResp: testInitResp},
},
"initialize some azure instances": {
state: testAzureState,
idFile: &clusterIDsFile{IP: "192.0.2.1"},
configMutator: func(c *config.Config) {
c.Provider.Azure.ResourceGroup = "resourceGroup"
c.Provider.Azure.UserAssignedIdentity = "userAssignedIdentity"
},
state: testAzureState,
idFile: &clusterIDsFile{IP: "192.0.2.1"},
initServerAPI: &stubInitServer{initResp: testInitResp},
},
"initialize some qemu instances": {
@ -109,12 +105,8 @@ func TestInitialize(t *testing.T) {
setAutoscaleFlag: true,
},
"initialize azure with autoscaling": {
state: testAzureState,
idFile: &clusterIDsFile{IP: "192.0.2.1"},
configMutator: func(c *config.Config) {
c.Provider.Azure.ResourceGroup = "resourceGroup"
c.Provider.Azure.UserAssignedIdentity = "userAssignedIdentity"
},
state: testAzureState,
idFile: &clusterIDsFile{IP: "192.0.2.1"},
initServerAPI: &stubInitServer{initResp: testInitResp},
setAutoscaleFlag: true,
},
@ -557,6 +549,8 @@ func defaultConfigWithExpectedMeasurements(t *testing.T, conf *config.Config, cs
conf.Provider.Azure.UserAssignedIdentity = "test-identity"
conf.Provider.Azure.Image = "some/image/location"
conf.Provider.Azure.ResourceGroup = "test-resource-group"
conf.Provider.Azure.AppClientID = "test-client-secret-id"
conf.Provider.Azure.ClientSecretValue = "test-client-secret"
conf.Provider.Azure.Measurements[8] = []byte("00000000000000000000000000000000")
conf.Provider.Azure.Measurements[9] = []byte("11111111111111111111111111111111")
case cloudprovider.GCP:
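Review bot: The fixture in `defaultConfigWithExpectedMeasurements` now always populates `AppClientID` and `ClientSecretValue`, so both Azure init cases in this file only exercise the happy path of the new credential marshaling; there is no case with an empty `ClientSecretValue`, which is the configuration mistake a user is most likely to make now that the secret is entered by hand. If init is meant to reject such a config, a case `"initialize azure without client secret"` with `configMutator: func(c *config.Config) { c.Provider.Azure.ClientSecretValue = "" }` and `wantErr: true` would pin that down; if it is meant to pass the empty value through, the case should assert that instead. Separately, the value `"test-client-secret-id"` assigned to `AppClientID` reads as the identifier of a secret rather than an application (client) ID; `"test-app-client-id"` says what the field holds. `defaultConfigWithExpectedMeasurements` begins before the hunk.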


@ -60,7 +60,6 @@ func TestVerify(t *testing.T) {
someErr := errors.New("failed")
testCases := map[string]struct {
setupFs func(*require.Assertions) afero.Fs
provider cloudprovider.Provider
protoClient *stubVerifyClient
nodeEndpointFlag string
@ -72,7 +71,6 @@ func TestVerify(t *testing.T) {
wantErr bool
}{
"gcp": {
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
provider: cloudprovider.GCP,
nodeEndpointFlag: "192.0.2.1:1234",
ownerIDFlag: zeroBase64,
@ -80,7 +78,6 @@ func TestVerify(t *testing.T) {
wantEndpoint: "192.0.2.1:1234",
},
"azure": {
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
provider: cloudprovider.Azure,
nodeEndpointFlag: "192.0.2.1:1234",
ownerIDFlag: zeroBase64,
@ -88,7 +85,6 @@ func TestVerify(t *testing.T) {
wantEndpoint: "192.0.2.1:1234",
},
"default port": {
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
provider: cloudprovider.GCP,
nodeEndpointFlag: "192.0.2.1",
ownerIDFlag: zeroBase64,
@ -96,14 +92,12 @@ func TestVerify(t *testing.T) {
wantEndpoint: "192.0.2.1:" + strconv.Itoa(constants.VerifyServiceNodePortGRPC),
},
"endpoint not set": {
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
provider: cloudprovider.GCP,
ownerIDFlag: zeroBase64,
protoClient: &stubVerifyClient{},
wantErr: true,
},
"endpoint from id file": {
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
provider: cloudprovider.GCP,
ownerIDFlag: zeroBase64,
protoClient: &stubVerifyClient{},
@ -111,7 +105,6 @@ func TestVerify(t *testing.T) {
wantEndpoint: "192.0.2.1:" + strconv.Itoa(constants.VerifyServiceNodePortGRPC),
},
"override endpoint from details file": {
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
provider: cloudprovider.GCP,
nodeEndpointFlag: "192.0.2.2:1234",
ownerIDFlag: zeroBase64,
@ -120,7 +113,6 @@ func TestVerify(t *testing.T) {
wantEndpoint: "192.0.2.2:1234",
},
"invalid endpoint": {
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
provider: cloudprovider.GCP,
nodeEndpointFlag: ":::::",
ownerIDFlag: zeroBase64,
@ -128,13 +120,11 @@ func TestVerify(t *testing.T) {
wantErr: true,
},
"neither owner id nor cluster id set": {
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
provider: cloudprovider.GCP,
nodeEndpointFlag: "192.0.2.1:1234",
wantErr: true,
},
"use owner id from id file": {
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
provider: cloudprovider.GCP,
nodeEndpointFlag: "192.0.2.1:1234",
protoClient: &stubVerifyClient{},
@ -142,7 +132,6 @@ func TestVerify(t *testing.T) {
wantEndpoint: "192.0.2.1:1234",
},
"config file not existing": {
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
provider: cloudprovider.GCP,
ownerIDFlag: zeroBase64,
nodeEndpointFlag: "192.0.2.1:1234",
@ -150,7 +139,6 @@ func TestVerify(t *testing.T) {
wantErr: true,
},
"error protoClient GetState": {
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
provider: cloudprovider.Azure,
nodeEndpointFlag: "192.0.2.1:1234",
ownerIDFlag: zeroBase64,
@ -158,7 +146,6 @@ func TestVerify(t *testing.T) {
wantErr: true,
},
"error protoClient GetState not rpc": {
setupFs: func(require *require.Assertions) afero.Fs { return afero.NewMemMapFs() },
provider: cloudprovider.Azure,
nodeEndpointFlag: "192.0.2.1:1234",
ownerIDFlag: zeroBase64,
@ -189,7 +176,7 @@ func TestVerify(t *testing.T) {
if tc.nodeEndpointFlag != "" {
require.NoError(cmd.Flags().Set("node-endpoint", tc.nodeEndpointFlag))
}
fileHandler := file.NewHandler(tc.setupFs(require))
fileHandler := file.NewHandler(afero.NewMemMapFs())
config := defaultConfigWithExpectedMeasurements(t, config.Default(), tc.provider)
require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, config))