Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: regularly check whether the federated token has expired #436

Merged
merged 9 commits into from
Apr 16, 2024
Merged

fix: regularly check whether the federated token has expired #436

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
de46128
support workload identity auth for Azure
wcy-fdu Mar 18, 2024
9e8911b
check is expire for azure storage federated token
wcy-fdu Apr 12, 2024
78f2a98
rebase main, resolve conflict
wcy-fdu Apr 12, 2024
ddf9d01
minor
wcy-fdu Apr 12, 2024
6d2023f
fmt
wcy-fdu Apr 12, 2024
a803425
resolve comments
wcy-fdu Apr 15, 2024
26e1ebf
minor
wcy-fdu Apr 15, 2024
1deb304
fix expires on
wcy-fdu Apr 15, 2024
dfb59be
expires on keep the same with sdk
wcy-fdu Apr 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 30 additions & 1 deletion src/azure/storage/credential.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
use crate::time::DateTime;

/// Credential that holds the access_key and secret_key.
#[derive(Clone)]
#[cfg_attr(test, derive(Debug))]
Expand All @@ -16,5 +18,32 @@ pub enum Credential {
/// associated with the subscription that contains the storage account.
///
/// ref: <https://docs.microsoft.com/rest/api/storageservices/authorize-with-azure-active-directory>
BearerToken(String),
BearerToken(String, DateTime),
}

impl Credential {
/// is current cred is valid?
pub fn is_valid(&self) -> bool {
if self.is_empty() {
return false;
}
if let Credential::BearerToken(_, expires_on) = self {
let buffer = chrono::TimeDelta::try_seconds(20).expect("in bounds");
if expires_on < &(chrono::Utc::now() + buffer) {
return false;
}
};

true
}

fn is_empty(&self) -> bool {
match self {
Credential::SharedKey(account_name, account_key) => {
account_name.is_empty() || account_key.is_empty()
}
Credential::SharedAccessSignature(sas_token) => sas_token.is_empty(),
Credential::BearerToken(bearer_token, _) => bearer_token.is_empty(),
}
}
}
25 changes: 21 additions & 4 deletions src/azure/storage/loader.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ use std::sync::Mutex;

use anyhow::Result;

use crate::time::{now, parse_rfc3339};

use super::credential::Credential;
use super::imds_credential;
use super::{config::Config, workload_identity_credential};
Expand All @@ -28,8 +30,9 @@ impl Loader {
/// Load credential.
pub async fn load(&self) -> Result<Option<Credential>> {
// Return cached credential if it's valid.
if let Some(cred) = self.credential.lock().expect("lock poisoned").clone() {
return Ok(Some(cred));
match self.credential.lock().expect("lock poisoned").clone() {
Some(cred) if cred.is_valid() => return Ok(Some(cred)),
_ => (),
}
let cred = self.load_inner().await?;

Expand Down Expand Up @@ -71,7 +74,12 @@ impl Loader {
async fn load_via_imds(&self) -> Result<Option<Credential>> {
let token =
imds_credential::get_access_token("https://storage.azure.com/", &self.config).await?;
let cred = Some(Credential::BearerToken(token.access_token));
let expires_on = if token.expires_on.is_empty() {
now() + chrono::TimeDelta::try_minutes(10).expect("in bounds")
} else {
parse_rfc3339(&token.expires_on)?
};
let cred = Some(Credential::BearerToken(token.access_token, expires_on));

Ok(cred)
}
Expand All @@ -80,7 +88,16 @@ impl Loader {
let workload_identity_token =
workload_identity_credential::get_workload_identity_token(&self.config).await?;
match workload_identity_token {
Some(token) => Ok(Some(Credential::BearerToken(token.access_token))),
Some(token) => {
let expires_on_duration = match token.expires_on {
None => now() + chrono::TimeDelta::try_minutes(10).expect("in bounds"),
Some(expires_on) => parse_rfc3339(&expires_on)?,
};
Ok(Some(Credential::BearerToken(
token.access_token,
expires_on_duration,
)))
}
None => Ok(None),
}
}
Expand Down
6 changes: 3 additions & 3 deletions src/azure/storage/signer.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,7 @@ impl Signer {
ctx.query_append(token);
return Ok(ctx);
}
Credential::BearerToken(token) => match method {
Credential::BearerToken(token, _) => match method {
SigningMethod::Query(_) => {
return Err(anyhow!("BearerToken can't be used in query string"));
}
Expand Down Expand Up @@ -269,9 +269,9 @@ mod tests {
use http::Request;

use super::super::config::Config;
use crate::azure::storage::loader::Loader;
use crate::AzureStorageCredential;
use crate::AzureStorageSigner;
use crate::{azure::storage::loader::Loader, time::now};

#[tokio::test]
async fn test_sas_url() {
Expand Down Expand Up @@ -307,7 +307,7 @@ mod tests {
.uri("https://test.blob.core.windows.net/testbucket/testblob")
.body(())
.unwrap();
let cred = AzureStorageCredential::BearerToken("token".to_string());
let cred = AzureStorageCredential::BearerToken("token".to_string(), now());

// Can effectively sign request with SigningMethod::Header
assert!(signer.sign(&mut req, &cred).is_ok());
Expand Down
Loading