azure_identity/token_credentials/
environment_credentials.rs

#[cfg(feature = "client_certificate")]
pub use crate::token_credentials::ClientCertificateCredential;
use crate::token_credentials::{
    ClientSecretCredential, TokenCredentialOptions, WorkloadIdentityCredential,
};
use azure_core::{
    auth::{AccessToken, TokenCredential},
    error::{Error, ErrorKind},
};

/// The concrete credential an `EnvironmentCredential` delegates to.
///
/// The variant is chosen once in `EnvironmentCredential::create` and is not changed
/// afterwards; `get_token` and `clear_cache` forward to whichever variant was selected.
#[derive(Debug)]
pub(crate) enum EnvironmentCredentialKind {
    /// Delegates to a `ClientSecretCredential`.
    ClientSecret(ClientSecretCredential),
    /// Delegates to a `WorkloadIdentityCredential`.
    WorkloadIdentity(WorkloadIdentityCredential),
    /// Delegates to a `ClientCertificateCredential`; only compiled in with the
    /// `client_certificate` feature.
    #[cfg(feature = "client_certificate")]
    ClientCertificate(ClientCertificateCredential),
}

/// Enables authentication with Workload Identity if either `AZURE_FEDERATED_TOKEN` or `AZURE_FEDERATED_TOKEN_FILE` is set,
/// otherwise enables authentication to Azure Active Directory using a client secret, or — when the
/// `client_certificate` feature is enabled — a client certificate.
///
/// Candidates are probed in a fixed order at construction time: workload identity first, then client
/// secret, then client certificate. The first one that can be constructed from the environment is used;
/// the selection is made once in [`EnvironmentCredential::create`] and does not change afterwards.
///
/// Details configured in the following environment variables:
///
/// | Variable                            | Description                                      |
/// |-------------------------------------|--------------------------------------------------|
/// | `AZURE_TENANT_ID`                   | The Azure Active Directory tenant (directory) ID. |
/// | `AZURE_CLIENT_ID`                   | The client (application) ID of an App Registration in the tenant. |
/// | `AZURE_CLIENT_SECRET`               | A client secret that was generated for the App Registration. |
/// | `AZURE_FEDERATED_TOKEN_FILE`        | Path to a federated token file. Variable is present in pods with AKS workload identities. |
///
/// Because the identity used is selected entirely from the process environment, the environment must
/// be trusted: whoever controls these variables controls which identity this credential presents.
///
/// This credential ultimately uses a `WorkloadIdentityCredential`, a `ClientSecretCredential`, or a
/// `ClientCertificateCredential` to perform the authentication using these details.
/// Please consult the documentation of those types for more details on the variables each one reads.
#[derive(Debug)]
pub struct EnvironmentCredential {
    // The delegate chosen by `create`; see `EnvironmentCredentialKind` for the candidates.
    source: EnvironmentCredentialKind,
}

impl EnvironmentCredential {
    /// Builds the credential by probing the supported credential types in priority order.
    ///
    /// The candidates are tried as: workload identity, client secret, then (with the
    /// `client_certificate` feature) client certificate. The first candidate whose `create`
    /// succeeds becomes the delegate; a clone of `options` is handed to each attempt.
    ///
    /// # Errors
    ///
    /// Returns an `ErrorKind::Credential` error when no candidate could be constructed.
    /// The error produced by each failed candidate is discarded, so a misconfiguration in a
    /// higher-priority candidate is masked by the fallback to the next one rather than
    /// reported; only the final "no valid environment credential providers" error surfaces.
    pub fn create(
        options: impl Into<TokenCredentialOptions>,
    ) -> azure_core::Result<EnvironmentCredential> {
        let options = options.into();
        match Self::first_available(&options) {
            Some(source) => Ok(Self { source }),
            None => Err(Error::message(
                ErrorKind::Credential,
                "no valid environment credential providers",
            )),
        }
    }

    /// Returns the first candidate credential that constructs successfully, if any.
    ///
    /// Order matters: an environment that satisfies more than one candidate always yields
    /// the earliest one in this list.
    fn first_available(options: &TokenCredentialOptions) -> Option<EnvironmentCredentialKind> {
        if let Ok(credential) = WorkloadIdentityCredential::create(options.clone()) {
            return Some(EnvironmentCredentialKind::WorkloadIdentity(credential));
        }
        if let Ok(credential) = ClientSecretCredential::create(options.clone()) {
            return Some(EnvironmentCredentialKind::ClientSecret(credential));
        }
        #[cfg(feature = "client_certificate")]
        if let Ok(credential) = ClientCertificateCredential::create(options.clone()) {
            return Some(EnvironmentCredentialKind::ClientCertificate(credential));
        }
        None
    }

    /// Test-only accessor for the delegate selected by `create`.
    #[cfg(test)]
    pub(crate) fn source(&self) -> &EnvironmentCredentialKind {
        &self.source
    }
}

impl EnvironmentCredential {
    /// The credential selected at construction, viewed as a `TokenCredential` trait object,
    /// so the trait methods below can forward to it without repeating the match per method.
    fn delegate(&self) -> &dyn TokenCredential {
        match &self.source {
            EnvironmentCredentialKind::ClientSecret(credential) => credential,
            EnvironmentCredentialKind::WorkloadIdentity(credential) => credential,
            #[cfg(feature = "client_certificate")]
            EnvironmentCredentialKind::ClientCertificate(credential) => credential,
        }
    }
}

#[cfg_attr(target_arch = "wasm32", async_trait::async_trait(?Send))]
#[cfg_attr(not(target_arch = "wasm32"), async_trait::async_trait)]
impl TokenCredential for EnvironmentCredential {
    /// Requests a token for `scopes` from the delegate chosen in `create`.
    async fn get_token(&self, scopes: &[&str]) -> azure_core::Result<AccessToken> {
        self.delegate().get_token(scopes).await
    }

    /// Clears the token cache of the delegate chosen in `create`.
    async fn clear_cache(&self) -> azure_core::Result<()> {
        self.delegate().clear_cache().await
    }
}