private string GetEndpointToken(IAzureAccount account, string targetEndpoint)
{
string tokenKey = AzureAccount.Property.AccessToken;
if (targetEndpoint == AzureEnvironment.Endpoint.Graph)
{
tokenKey = AzureAccount.Property.GraphAccessToken;
}
return(account.GetProperty(tokenKey));
}
private string GetEndpointToken(IAzureAccount account, string targetEndpoint)
{
string tokenKey = AzureAccount.Property.AccessToken;
if (string.Equals(targetEndpoint, AzureEnvironment.Endpoint.Graph, StringComparison.OrdinalIgnoreCase))
{
tokenKey = AzureAccount.Property.GraphAccessToken;
}
if (string.Equals(targetEndpoint, AzureEnvironment.Endpoint.AzureKeyVaultServiceEndpointResourceId, StringComparison.OrdinalIgnoreCase))
{
tokenKey = AzureAccount.Property.KeyVaultAccessToken;
}
return(account.GetProperty(tokenKey));
}
public ManagedServiceAccessToken(IAzureAccount account, IAzureEnvironment environment, string resourceId, string tenant = "Common")
{
if (account == null || string.IsNullOrEmpty(account.Id) || !account.IsPropertySet(AzureAccount.Property.MSILoginUri))
{
throw new ArgumentNullException(nameof(account));
}
if (string.IsNullOrWhiteSpace(tenant))
{
throw new ArgumentNullException(nameof(tenant));
}
if (environment == null)
{
throw new ArgumentNullException(nameof(environment));
}
_account = account;
_resourceId = GetResource(resourceId, environment);
var idType = GetIdentityType(account);
foreach (var uri in BuildTokenUri(_account.GetProperty(AzureAccount.Property.MSILoginUri), account, idType, _resourceId))
{
RequestUris.Enqueue(uri);
}
if (account.IsPropertySet(AzureAccount.Property.MSILoginUriBackup))
{
foreach (var uri in BuildTokenUri(_account.GetProperty(AzureAccount.Property.MSILoginUriBackup), account, idType, _resourceId))
{
RequestUris.Enqueue(uri);
}
}
_tenant = tenant;
IHttpOperationsFactory factory;
if (!AzureSession.Instance.TryGetComponent(HttpClientOperationsFactory.Name, out factory))
{
factory = HttpClientOperationsFactory.Create();
}
_tokenGetter = factory.GetHttpOperations <ManagedServiceTokenInfo>(true).WithHeader("Metadata", new[] { "true" });
if (account.IsPropertySet(AzureAccount.Property.MSILoginSecret))
{
_tokenGetter = _tokenGetter.WithHeader("Secret", new[] { account.GetProperty(AzureAccount.Property.MSILoginSecret) });
}
}
public IAccessToken Authenticate(
IAzureAccount account,
IAzureEnvironment environment,
string tenant,
SecureString password,
string promptBehavior,
Action <string> promptAction,
IAzureTokenCache tokenCache,
string resourceId = AzureEnvironment.Endpoint.ActiveDirectoryServiceEndpointResourceId)
{
IAccessToken token;
var cache = tokenCache as TokenCache;
if (cache == null)
{
cache = TokenCache.DefaultShared;
}
var configuration = GetAdalConfiguration(environment, tenant, resourceId, cache);
TracingAdapter.Information(
Resources.AdalAuthConfigurationTrace,
configuration.AdDomain,
configuration.AdEndpoint,
configuration.ClientId,
configuration.ClientRedirectUri,
configuration.ResourceClientUri,
configuration.ValidateAuthority);
if (account.IsPropertySet(AzureAccount.Property.CertificateThumbprint))
{
var thumbprint = account.GetProperty(AzureAccount.Property.CertificateThumbprint);
#if !NETSTANDARD
token = TokenProvider.GetAccessTokenWithCertificate(configuration, account.Id, thumbprint, account.Type);
#else
throw new NotSupportedException("Certificate based authentication is not supported in netcore version.");
#endif
}
else
{
token = TokenProvider.GetAccessToken(configuration, promptBehavior, promptAction, account.Id, password, account.Type);
}
account.Id = token.UserId;
return(token);
}
public SimpleAccessToken(IAzureAccount account, string tenantId, string tokenType = _defaultTokenType)
{
if (account == null)
{
throw new ArgumentNullException("account");
}
if (string.IsNullOrWhiteSpace(account.Id))
{
throw new ArgumentOutOfRangeException("account", "AccountId must be provided to use an AccessToken credential.");
}
if (account.Type != AzureAccount.AccountType.AccessToken ||
!account.IsPropertySet(AzureAccount.Property.AccessToken))
{
throw new ArgumentException("To create an access token credential, you must provide an access token account.");
}
this.UserId = account.Id;
this._tokenType = tokenType;
this.AccessToken = account.GetProperty(AzureAccount.Property.AccessToken);
this.TenantId = tenantId;
}
/// <summary>
/// Create a new access token from the given account and tenant id
/// </summary>
/// <param name="account">The account, containing user id, access token information</param>
/// <param name="tenantId">The tenant id for the given access token</param>
/// <param name="tokenType">The token type for the given token.</param>
public SimpleAccessToken(IAzureAccount account, string tenantId, string tokenType = _defaultTokenType)
{
if (account == null)
{
throw new ArgumentNullException("account");
}
if (string.IsNullOrWhiteSpace(account.Id))
{
throw new ArgumentOutOfRangeException("account", Resources.AccessTokenRequiresAccount);
}
if (account.Type != AzureAccount.AccountType.AccessToken ||
!account.IsPropertySet(AzureAccount.Property.AccessToken))
{
throw new ArgumentException(Resources.TypeNotAccessToken);
}
this.UserId = account.Id;
this._tokenType = tokenType;
this.AccessToken = account.GetProperty(AzureAccount.Property.AccessToken);
this.TenantId = tenantId;
}
private IAzureAccount MergeAccountProperties(IAzureAccount account1, IAzureAccount account2)
{
if (account1 == null || account2 == null)
{
throw new ArgumentNullException("account1");
}
if (!string.Equals(account1.Id, account2.Id, StringComparison.InvariantCultureIgnoreCase))
{
throw new ArgumentException("Account Ids do not match.");
}
if (account1.Type != account2.Type)
{
throw new ArgumentException("Account1 types do not match.");
}
AzureAccount mergeAccount = new AzureAccount
{
Id = account1.Id,
Type = account1.Type
};
foreach (var property in account1.ExtendedProperties.Keys.Union(account2.ExtendedProperties.Keys))
{
mergeAccount.SetProperty(property, account1.IsPropertySet(property) ?
account1.GetProperty(property) : account2.GetProperty(property));
}
// Merge Tenants
var tenants = account1.GetPropertyAsArray(AzureAccount.Property.Tenants)
.Union(account2.GetPropertyAsArray(AzureAccount.Property.Tenants), StringComparer.CurrentCultureIgnoreCase);
mergeAccount.SetProperty(AzureAccount.Property.Tenants, tenants.ToArray());
// Merge Subscriptions
var subscriptions = account1.GetPropertyAsArray(AzureAccount.Property.Subscriptions)
.Union(account2.GetPropertyAsArray(AzureAccount.Property.Subscriptions), StringComparer.CurrentCultureIgnoreCase);
mergeAccount.SetProperty(AzureAccount.Property.Subscriptions, subscriptions.ToArray());
return(mergeAccount);
}
public IAccessToken Authenticate(
IAzureAccount account,
IAzureEnvironment environment,
string tenant,
SecureString password,
string promptBehavior,
Action <string> promptAction,
IAzureTokenCache tokenCache,
string resourceId = AzureEnvironment.Endpoint.ActiveDirectoryServiceEndpointResourceId)
{
IAccessToken token;
var cache = tokenCache as TokenCache;
if (cache == null)
{
cache = TokenCache.DefaultShared;
}
var configuration = GetAdalConfiguration(environment, tenant, resourceId, cache);
TracingAdapter.Information(
Resources.AdalAuthConfigurationTrace,
configuration.AdDomain,
configuration.AdEndpoint,
configuration.ClientId,
configuration.ClientRedirectUri,
configuration.ResourceClientUri,
configuration.ValidateAuthority);
if (account != null && account.Type == AzureAccount.AccountType.ManagedService)
{
token = GetManagedServiceToken(account, environment, tenant, resourceId);
}
else if (account != null && environment != null &&
account.Type == AzureAccount.AccountType.AccessToken)
{
var rawToken = new RawAccessToken
{
TenantId = tenant,
UserId = account.Id,
LoginType = AzureAccount.AccountType.AccessToken
};
if ((string.Equals(resourceId, environment.AzureKeyVaultServiceEndpointResourceId, StringComparison.OrdinalIgnoreCase) ||
string.Equals(AzureEnvironment.Endpoint.AzureKeyVaultServiceEndpointResourceId, resourceId, StringComparison.OrdinalIgnoreCase)) &&
account.IsPropertySet(AzureAccount.Property.KeyVaultAccessToken))
{
rawToken.AccessToken = account.GetProperty(AzureAccount.Property.KeyVaultAccessToken);
}
else if ((string.Equals(resourceId, environment.GraphEndpointResourceId, StringComparison.OrdinalIgnoreCase) ||
string.Equals(AzureEnvironment.Endpoint.GraphEndpointResourceId, resourceId, StringComparison.OrdinalIgnoreCase)) &&
account.IsPropertySet(AzureAccount.Property.GraphAccessToken))
{
rawToken.AccessToken = account.GetProperty(AzureAccount.Property.GraphAccessToken);
}
else if ((string.Equals(resourceId, environment.ActiveDirectoryServiceEndpointResourceId, StringComparison.OrdinalIgnoreCase) ||
string.Equals(AzureEnvironment.Endpoint.ActiveDirectoryServiceEndpointResourceId, resourceId, StringComparison.OrdinalIgnoreCase)) &&
account.IsPropertySet(AzureAccount.Property.AccessToken))
{
rawToken.AccessToken = account.GetAccessToken();
}
else
{
throw new InvalidOperationException(string.Format(Resources.AccessTokenResourceNotFound, resourceId));
}
token = rawToken;
}
else if (account.IsPropertySet(AzureAccount.Property.CertificateThumbprint))
{
var thumbprint = account.GetProperty(AzureAccount.Property.CertificateThumbprint);
#if !NETSTANDARD
token = TokenProvider.GetAccessTokenWithCertificate(configuration, account.Id, thumbprint, account.Type);
#else
throw new NotSupportedException("Certificate based authentication is not supported in netcore version.");
#endif
}
else
{
token = TokenProvider.GetAccessToken(configuration, promptBehavior, promptAction, account.Id, password, account.Type);
}
account.Id = token.UserId;
return(token);
}
/// <summary>
/// Get the certificate thumbprint for the account
/// </summary>
/// <param name="account">The account to check</param>
/// <returns>The certificate thumbprint, or null if no certificate is set</returns>
public static string GetThumbprint(this IAzureAccount account)
{
return(account.GetProperty(AzureAccount.Property.CertificateThumbprint));
}
/// <summary>
/// Get the Access Token property for the account, if it exists
/// </summary>
/// <param name="account">The account</param>
/// <returns>The access token for the account, or null if there is none</returns>
public static string GetAccessToken(this IAzureAccount account)
{
return(account.GetProperty(AzureAccount.Property.AccessToken));
}
private AuthenticationParameters GetAuthenticationParameters(
PowerShellTokenCacheProvider tokenCacheProvider,
IAzureAccount account,
IAzureEnvironment environment,
string tenant,
SecureString password,
string promptBehavior,
Action <string> promptAction,
IAzureTokenCache tokenCache,
string resourceId = AzureEnvironment.Endpoint.ActiveDirectoryServiceEndpointResourceId)
{
switch (account.Type)
{
case AzureAccount.AccountType.User:
if (password == null)
{
var homeAccountId = account.GetProperty(AzureAccount.Property.HomeAccountId) ?? "";
if (!string.IsNullOrEmpty(account.Id))
{
return(new SilentParameters(tokenCacheProvider, environment, tokenCache, tenant, resourceId, account.Id, homeAccountId));
}
if (account.IsPropertySet("UseDeviceAuth"))
{
return(new DeviceCodeParameters(tokenCacheProvider, environment, tokenCache, tenant, resourceId, account.Id, homeAccountId));
}
else if (account.IsPropertySet(AzureAccount.Property.UsePasswordAuth))
{
return(new UsernamePasswordParameters(tokenCacheProvider, environment, tokenCache, tenant, resourceId, account.Id, password, homeAccountId));
}
return(new InteractiveParameters(tokenCacheProvider, environment, tokenCache, tenant, resourceId, account.GetProperty("LoginHint"), homeAccountId, promptAction));
}
return(new UsernamePasswordParameters(tokenCacheProvider, environment, tokenCache, tenant, resourceId, account.Id, password, null));
case AzureAccount.AccountType.Certificate:
case AzureAccount.AccountType.ServicePrincipal:
bool?sendCertificateChain = null;
var sendCertificateChainStr = account.GetProperty(AzureAccount.Property.SendCertificateChain);
if (!string.IsNullOrWhiteSpace(sendCertificateChainStr))
{
sendCertificateChain = Boolean.Parse(sendCertificateChainStr);
}
password = password ?? ConvertToSecureString(account.GetProperty(AzureAccount.Property.ServicePrincipalSecret));
var certificatePassword = ConvertToSecureString(account.GetProperty(AzureAccount.Property.CertificatePassword));
return(new ServicePrincipalParameters(tokenCacheProvider, environment, tokenCache, tenant, resourceId, account.Id, account.GetProperty(AzureAccount.Property.CertificateThumbprint), account.GetProperty(AzureAccount.Property.CertificatePath),
certificatePassword, password, sendCertificateChain));
case AzureAccount.AccountType.ManagedService:
return(new ManagedServiceIdentityParameters(tokenCacheProvider, environment, tokenCache, tenant, resourceId, account));
case AzureAccount.AccountType.AccessToken:
return(new AccessTokenParameters(tokenCacheProvider, environment, tokenCache, tenant, resourceId, account));
case "ClientAssertion":
password = password ?? ConvertToSecureString(account.GetProperty("ClientAssertion"));
return(new ClientAssertionParameters(tokenCacheProvider, environment, tokenCache, tenant, resourceId, account.Id, password));
default:
return(null);
}
}
