
Support Managed Identity login for self-hosted runner #336

Closed
wants to merge 9 commits into from

Conversation

@MoChilia MoChilia (Member) commented Jun 8, 2023

Description

This PR is going to support both system- and user-assigned managed identity login for self-hosted runners on Azure VMs.

What's new

  • The Action provides a parameter auth-type with value list [SERVICE_PRINCIPAL, IDENTITY] to identify the type of authentication.

    1. If auth-type: SERVICE_PRINCIPAL with clientId, tenantId and clientSecret detected in your input, we will attempt to login by using service principal with the secret.

    ```yaml
    # login with secret
    - uses: azure/login@v1
      with:
        creds: ${{ secrets.AZURE_CREDENTIALS }}
        auth-type: SERVICE_PRINCIPAL
    ```

    2. If auth-type: SERVICE_PRINCIPAL with clientId and tenantId detected in your input, we will attempt to login by using OIDC.

    ```yaml
    # login with OIDC
    - uses: azure/login@v1
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
        auth-type: SERVICE_PRINCIPAL
    ```

    3. If auth-type: IDENTITY with clientId detected in your input, we will attempt to login by using user-assigned managed identity.

    ```yaml
    # login with user-assigned managed identity
    - uses: azure/login@v1
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        auth-type: IDENTITY
    ```

    4. If auth-type: IDENTITY without clientId detected in your input, we will attempt to login by using system-assigned managed identity.

    ```yaml
    # login with system-assigned managed identity
    - uses: azure/login@v1
      with:
        auth-type: IDENTITY
    ```

In order not to introduce a breaking change, we set the default value of auth-type to be SERVICE_PRINCIPAL.

  • About the parameter subscription-id
    In the previous version, this parameter used to be mandatory if allow-no-subscriptions was not enabled:

    ```typescript
    if (!this.subscriptionId && !this.allowNoSubscriptionsLogin) {
        throw new Error("Not all values are present in the credentials. Ensure subscriptionId is supplied.");
    }
    ```

    However, the two parameters are not relevant to each other. allow-no-subscriptions is used to log in to a tenant-level account, and subscription-id is used to specify which subscription to work on. Not specifying a subscription should be allowed; the Action will then use the current, active subscription. Hence the limitation is removed in this version, with only a warning being reported:

    ```typescript
    if (!this.loginConfig.subscriptionId) {
        if (!this.loginConfig.allowNoSubscriptionsLogin) {
            core.warning(`No subscription-id is given. Skip setting subscription...
            If there are multiple subscriptions under the tenant, please input subscription-id to specify which subscription to use.`);
        }
        return;
    }
    ```

  • About reading creds from JSON
    The items in creds will not overwrite the individual parameters client-id, tenant-id and subscription-id, but serve as a supplement.
    In the previous code, creds was not compatible with the individual parameters. We used creds for login using a service principal with a secret, and the individual parameters for OIDC login:

    login/src/main.ts, lines 78 to 93 in 990b22f:

    ```typescript
    if (servicePrincipalId || tenantId || subscriptionId) {
        // If some of the individual credentials (client_id, tenant_id, subscription_id) are missing in action inputs.
        if (!(servicePrincipalId && tenantId && (subscriptionId || allowNoSubscriptionsLogin)))
            throw new Error("Few credentials are missing. ClientId, tenantId are mandatory. SubscriptionId is also mandatory if allow-no-subscriptions is not set.");
    }
    else {
        if (creds) {
            core.debug('using creds JSON...');
            enableOIDC = false;
            servicePrincipalId = secrets.getSecret("$.clientId", true);
            servicePrincipalKey = secrets.getSecret("$.clientSecret", true);
            tenantId = secrets.getSecret("$.tenantId", true);
            subscriptionId = secrets.getSecret("$.subscriptionId", true);
            resourceManagerEndpointUrl = secrets.getSecret("$.resourceManagerEndpointUrl", false);
        }
    }
    ```

    In the new version, we aim to fetch the user's input credentials as much as possible:

    ```typescript
    if (creds) {
        core.debug('Reading creds in JSON...');
        this.servicePrincipalId = this.servicePrincipalId ? this.servicePrincipalId : secrets.getSecret("$.clientId", false);
        this.servicePrincipalKey = secrets.getSecret("$.clientSecret", false);
        this.tenantId = this.tenantId ? this.tenantId : secrets.getSecret("$.tenantId", false);
        this.subscriptionId = this.subscriptionId ? this.subscriptionId : secrets.getSecret("$.subscriptionId", false);
        this.resourceManagerEndpointUrl = secrets.getSecret("$.resourceManagerEndpointUrl", false);
    }
    ```

  • The changes for README.md are in Update README.md for Managed identity #344.
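The description above defines three rules: which login method a given auth-type plus set of inputs selects, that creds JSON only fills in parameters the user did not pass individually (with the secret read only from creds), and that a missing subscription-id now produces a warning instead of an error unless allow-no-subscriptions is set. The following is an added example that models those rules as one pure function; it is not azure/login's own code, and every name in it (LoginInputs, resolveLogin, parseCreds, the method labels) is this example's own. It assumes that creds is merged before the auth-type dispatch for IDENTITY as well as SERVICE_PRINCIPAL, which the quoted snippets do but the description does not state explicitly, and it deliberately never copies the client secret into its result, only a boolean saying whether one was present.

```typescript
// Added example, not azure/login's own code: models the auth-type dispatch,
// the creds-JSON supplementation rule and the subscription-id warning from PR #336.

type LoginMethod =
  | "service-principal-secret"
  | "oidc"
  | "user-assigned-managed-identity"
  | "system-assigned-managed-identity";

interface LoginInputs {
  authType?: string;            // auth-type input; defaults to SERVICE_PRINCIPAL
  clientId?: string;            // client-id input
  tenantId?: string;            // tenant-id input
  subscriptionId?: string;      // subscription-id input
  allowNoSubscriptions?: boolean;
  creds?: string;               // creds JSON blob, if supplied
}

interface ResolvedLogin {
  method: LoginMethod;
  clientId?: string;
  tenantId?: string;
  subscriptionId?: string;
  hasSecret: boolean;           // the secret itself is never placed in the result
  warnings: string[];
}

interface CredsJson {
  clientId?: string;
  clientSecret?: string;
  tenantId?: string;
  subscriptionId?: string;
}

// Parse the creds JSON; only string-valued fields this example understands are kept.
function parseCreds(creds: string | undefined): CredsJson {
  if (!creds) return {};
  let parsed: unknown;
  try {
    parsed = JSON.parse(creds);
  } catch {
    throw new Error("creds is not valid JSON");
  }
  if (typeof parsed !== "object" || parsed === null) {
    throw new Error("creds must be a JSON object");
  }
  const obj = parsed as Record<string, unknown>;
  const str = (k: string): string | undefined =>
    typeof obj[k] === "string" ? (obj[k] as string) : undefined;
  return {
    clientId: str("clientId"),
    clientSecret: str("clientSecret"),
    tenantId: str("tenantId"),
    subscriptionId: str("subscriptionId"),
  };
}

function resolveLogin(inputs: LoginInputs): ResolvedLogin {
  const authType = (inputs.authType ?? "SERVICE_PRINCIPAL").trim().toUpperCase();
  if (authType !== "SERVICE_PRINCIPAL" && authType !== "IDENTITY") {
    throw new Error(`Unsupported auth-type '${authType}'. Expected SERVICE_PRINCIPAL or IDENTITY.`);
  }

  // Individual inputs take precedence; creds only fills what is missing.
  // The client secret is read from creds alone, matching the PR's new code.
  const fromCreds = parseCreds(inputs.creds);
  const clientId = inputs.clientId || fromCreds.clientId;
  const tenantId = inputs.tenantId || fromCreds.tenantId;
  const subscriptionId = inputs.subscriptionId || fromCreds.subscriptionId;
  const hasSecret = Boolean(fromCreds.clientSecret);

  let method: LoginMethod;
  if (authType === "IDENTITY") {
    // clientId present -> user-assigned identity; absent -> system-assigned identity.
    method = clientId ? "user-assigned-managed-identity" : "system-assigned-managed-identity";
  } else {
    if (!clientId || !tenantId) {
      throw new Error("clientId and tenantId are required for SERVICE_PRINCIPAL login.");
    }
    // Secret present -> service principal with secret; otherwise OIDC.
    method = hasSecret ? "service-principal-secret" : "oidc";
  }

  // subscription-id is no longer mandatory: warn instead of failing.
  const warnings: string[] = [];
  if (!subscriptionId && !inputs.allowNoSubscriptions) {
    warnings.push(
      "No subscription-id is given; the current active subscription will be used. " +
      "If there are multiple subscriptions under the tenant, set subscription-id."
    );
  }
  return { method, clientId, tenantId, subscriptionId, hasSecret, warnings };
}
```

Keeping the decision in a pure function makes each branch of the table in the description directly testable, and returning only hasSecret rather than the secret string keeps the resolved configuration safe to log or debug-print.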

@YanaXu YanaXu closed this Sep 26, 2023
@MoChilia MoChilia deleted the shiying/managed-identity-cli-1 branch November 27, 2023 07:59