add keyvault specific authorizer

go.mod

@@ -9,8 +9,8 @@ require (
  contrib.go.opencensus.io/exporter/stackdriver v0.13.1
  github.com/Azure/azure-sdk-for-go v42.3.0+incompatible
  github.com/Azure/azure-storage-blob-go v0.8.0
- github.com/Azure/go-autorest/autorest v0.10.2 // indirect
- github.com/Azure/go-autorest/autorest/adal v0.8.3 // indirect
+ github.com/Azure/go-autorest/autorest v0.10.2
+ github.com/Azure/go-autorest/autorest/adal v0.8.3
  github.com/Azure/go-autorest/autorest/azure/auth v0.4.2
  github.com/DataDog/datadog-go v3.7.1+incompatible // indirect
  github.com/Jeffail/gabs/v2 v2.5.0 // indirect

internal/azurekeyvault/authorizer.go

@@ -0,0 +1,72 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package azurekeyvault provides shared functionality between the
+// signing and secret clients for KeyVault
+package azurekeyvault
+
+import (
+ "fmt"
+ "net/url"
+ "os"
+ "strings"
+
+ "github.com/Azure/go-autorest/autorest"
+ "github.com/Azure/go-autorest/autorest/adal"
+ "github.com/Azure/go-autorest/autorest/azure"
+)
+
+// GetKeyVaultAuthorizer prepares a specifc authorizer for keyvault use
+func GetKeyVaultAuthorizer() (autorest.Authorizer, error) {
+ var keyvaultAuthorizer autorest.Authorizer
+ var a autorest.Authorizer
+ azureEnv, _ := azure.EnvironmentFromName("AzurePublicCloud")
+ vaultEndpoint := strings.TrimSuffix(azureEnv.KeyVaultEndpoint, "/")
+ tenant := os.Getenv("AZURE_TENANT_ID")
+ clientID := os.Getenv("AZURE_CLIENT_ID")
+ clientSecret := os.Getenv("AZURE_CLIENT_SECRET")
+
+ alternateEndpoint, err := url.Parse(
+ "https://login.windows.net/" + tenant + "/oauth2/token",
+ )
+ if err != nil {
+ return a, fmt.Errorf("failed parsing Azure Key Vault endpoint: %v", err)
+ }
+
+ oauthconfig, err := adal.NewOAuthConfig(azureEnv.ActiveDirectoryEndpoint, tenant)
+ if err != nil {
+ return a, fmt.Errorf("failed creating OAuth config for Azure Key Vault: %v", err)
+ }
+ oauthconfig.AuthorizeEndpoint = *alternateEndpoint
+
+ token, err := adal.NewServicePrincipalToken(
+ *oauthconfig,
+ clientID,
+ clientSecret,
+ vaultEndpoint,
+ )
+ if err != nil {
+ return a, fmt.Errorf("failed requesting access token for Azure Key Vault: %v", err)
+ }
+
+ a = autorest.NewBearerAuthorizer(token)
+
+ if err == nil {
+ keyvaultAuthorizer = a
+ } else {
+ keyvaultAuthorizer = nil
+ }
+
+ return keyvaultAuthorizer, err
+}

internal/secrets/azure_keyvault.go

@@ -20,7 +20,7 @@ import (
  "strings"
 
  "github.com/Azure/azure-sdk-for-go/profiles/latest/keyvault/keyvault"
- "github.com/Azure/azure-sdk-for-go/services/keyvault/auth"
+ "github.com/google/exposure-notifications-server/internal/azurekeyvault"
 )
 
 // Compile-time check to verify implements interface.
@@ -33,7 +33,7 @@ type AzureKeyVault struct {
 
 // NewAzureKeyVault creates a new KeyVault that can interact fetch secrets.
 func NewAzureKeyVault(ctx context.Context) (SecretManager, error) {
- authorizer, err := auth.NewAuthorizerFromEnvironment()
+ authorizer, err := azurekeyvault.GetKeyVaultAuthorizer()
  if err != nil {
  return nil, fmt.Errorf("secrets.NewAzureKeyVault: auth: %w", err)
  }

internal/signing/azure_keyvault.go

@@ -27,7 +27,7 @@ import (
  "strings"
 
  "github.com/Azure/azure-sdk-for-go/services/keyvault/v7.0/keyvault"
- "github.com/Azure/go-autorest/autorest/azure/auth"
+ "github.com/google/exposure-notifications-server/internal/azurekeyvault"
  "github.com/google/exposure-notifications-server/internal/base64util"
 )
 
@@ -43,7 +43,7 @@ type AzureKeyVault struct {
 
 // NewAzureKeyVault creates a new KeyVault key manager instance.
 func NewAzureKeyVault(ctx context.Context) (KeyManager, error) {
- authorizer, err := auth.NewAuthorizerFromEnvironment()
+ authorizer, err := azurekeyvault.GetKeyVaultAuthorizer()
  if err != nil {
  return nil, fmt.Errorf("secrets.NewAzureKeyVault: auth: %w", err)
  }