storage: configure resource identifier for storage at runtime, so tha…

…t tokens are scoped to a particular storage account in the configured cloud
hashicorp · Apr 9, 2024 · e398ec6 · e398ec6
1 parent faa31a2
commit e398ec6
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 16 deletions.
diff --git a/internal/clients/builder.go b/internal/clients/builder.go
@@ -135,6 +135,7 @@ func Build(ctx context.Context, builder ClientBuilder) (*Client, error) {
 			AuthorizerFunc:  authorizerFunc,
 		},
 
+		AuthConfig:  builder.AuthConfig,
 		Environment: builder.AuthConfig.Environment,
 		Features:    builder.Features,
 

diff --git a/internal/common/client_options.go b/internal/common/client_options.go
@@ -35,6 +35,7 @@ type ApiAuthorizerFunc func(api environments.Api) (auth.Authorizer, error)
 
 type ClientOptions struct {
 	Authorizers *Authorizers
+	AuthConfig  *auth.Credentials
 	Environment environments.Environment
 	Features    features.UserFeatures
 

diff --git a/internal/services/storage/client/client.go b/internal/services/storage/client/client.go
@@ -34,7 +34,7 @@ type Client struct {
 	BlobServicesClient *storage.BlobServicesClient
 	FileServicesClient *storage.FileServicesClient
 
-	authorizerForAad auth.Authorizer
+	authConfig *auth.Credentials
 }
 
 func NewClient(o *common.ClientOptions) (*Client, error) {
@@ -95,7 +95,7 @@ func NewClient(o *common.ClientOptions) (*Client, error) {
 	}
 
 	if o.StorageUseAzureAD {
-		client.authorizerForAad = o.Authorizers.Storage
+		client.authConfig = o.AuthConfig
 	}
 
 	return &client, nil

diff --git a/internal/services/storage/client/data_plane.go b/internal/services/storage/client/data_plane.go
@@ -44,9 +44,15 @@ func (Client) DataPlaneOperationSupportingOnlySharedKeyAuth() DataPlaneOperation
 	}
 }
 
-func (c Client) configureDataPlane(ctx context.Context, clientName string, baseClient client.BaseClient, account accountDetails, operation DataPlaneOperation) error {
-	if operation.SupportsAadAuthentication && c.authorizerForAad != nil {
-		baseClient.SetAuthorizer(c.authorizerForAad)
+func (c Client) configureDataPlane(ctx context.Context, clientName, resourceIdentifier string, baseClient client.BaseClient, account accountDetails, operation DataPlaneOperation) error {
+	if operation.SupportsAadAuthentication && c.authConfig != nil {
+		api := c.authConfig.Environment.Storage.WithResourceIdentifier(resourceIdentifier)
+		storageAuth, err := auth.NewAuthorizerFromCredentials(ctx, *c.authConfig, api)
+		if err != nil {
+			return fmt.Errorf("unable to build authorizer for Storage API: %+v", err)
+		}
+
+		baseClient.SetAuthorizer(storageAuth)
 		return nil
 	}
 
@@ -82,7 +88,7 @@ func (c Client) AccountsDataPlaneClient(ctx context.Context, account accountDeta
 		return nil, fmt.Errorf("building %s client: %+v", clientName, err)
 	}
 
-	err = c.configureDataPlane(ctx, clientName, apiClient.Client, account, operation)
+	err = c.configureDataPlane(ctx, clientName, *baseUri, apiClient.Client, account, operation)
 	if err != nil {
 		return nil, err
 	}
@@ -104,7 +110,7 @@ func (c Client) BlobsDataPlaneClient(ctx context.Context, account accountDetails
 		return nil, fmt.Errorf("building %s client: %+v", clientName, err)
 	}
 
-	err = c.configureDataPlane(ctx, clientName, apiClient.Client, account, operation)
+	err = c.configureDataPlane(ctx, clientName, *baseUri, apiClient.Client, account, operation)
 	if err != nil {
 		return nil, err
 	}
@@ -126,7 +132,7 @@ func (c Client) ContainersDataPlaneClient(ctx context.Context, account accountDe
 		return nil, fmt.Errorf("building %s client: %+v", clientName, err)
 	}
 
-	err = c.configureDataPlane(ctx, clientName, apiClient.Client, account, operation)
+	err = c.configureDataPlane(ctx, clientName, *baseUri, apiClient.Client, account, operation)
 	if err != nil {
 		return nil, err
 	}
@@ -148,7 +154,7 @@ func (c Client) DataLakeFilesystemsDataPlaneClient(ctx context.Context, account
 		return nil, fmt.Errorf("building %s client: %+v", clientName, err)
 	}
 
-	err = c.configureDataPlane(ctx, clientName, apiClient.Client, account, operation)
+	err = c.configureDataPlane(ctx, clientName, *baseUri, apiClient.Client, account, operation)
 	if err != nil {
 		return nil, err
 	}
@@ -170,7 +176,7 @@ func (c Client) DataLakePathsDataPlaneClient(ctx context.Context, account accoun
 		return nil, fmt.Errorf("building %s client: %+v", clientName, err)
 	}
 
-	err = c.configureDataPlane(ctx, clientName, apiClient.Client, account, operation)
+	err = c.configureDataPlane(ctx, clientName, *baseUri, apiClient.Client, account, operation)
 	if err != nil {
 		return nil, err
 	}
@@ -192,7 +198,7 @@ func (c Client) FileShareDirectoriesDataPlaneClient(ctx context.Context, account
 		return nil, fmt.Errorf("building %s client: %+v", clientName, err)
 	}
 
-	err = c.configureDataPlane(ctx, clientName, apiClient.Client, account, operation)
+	err = c.configureDataPlane(ctx, clientName, *baseUri, apiClient.Client, account, operation)
 	if err != nil {
 		return nil, err
 	}
@@ -214,7 +220,7 @@ func (c Client) FileShareFilesDataPlaneClient(ctx context.Context, account accou
 		return nil, fmt.Errorf("building %s client: %+v", clientName, err)
 	}
 
-	err = c.configureDataPlane(ctx, clientName, apiClient.Client, account, operation)
+	err = c.configureDataPlane(ctx, clientName, *baseUri, apiClient.Client, account, operation)
 	if err != nil {
 		return nil, err
 	}
@@ -236,7 +242,7 @@ func (c Client) FileSharesDataPlaneClient(ctx context.Context, account accountDe
 		return nil, fmt.Errorf("building %s client: %+v", clientName, err)
 	}
 
-	err = c.configureDataPlane(ctx, clientName, apiClient.Client, account, operation)
+	err = c.configureDataPlane(ctx, clientName, *baseUri, apiClient.Client, account, operation)
 	if err != nil {
 		return nil, err
 	}
@@ -258,7 +264,7 @@ func (c Client) QueuesDataPlaneClient(ctx context.Context, account accountDetail
 		return nil, fmt.Errorf("building %s client: %+v", clientName, err)
 	}
 
-	err = c.configureDataPlane(ctx, clientName, apiClient.Client, account, operation)
+	err = c.configureDataPlane(ctx, clientName, *baseUri, apiClient.Client, account, operation)
 	if err != nil {
 		return nil, err
 	}
@@ -280,7 +286,7 @@ func (c Client) TableEntityDataPlaneClient(ctx context.Context, account accountD
 		return nil, fmt.Errorf("building %s client: %+v", clientName, err)
 	}
 
-	err = c.configureDataPlane(ctx, clientName, apiClient.Client, account, operation)
+	err = c.configureDataPlane(ctx, clientName, *baseUri, apiClient.Client, account, operation)
 	if err != nil {
 		return nil, err
 	}
@@ -302,7 +308,7 @@ func (c Client) TablesDataPlaneClient(ctx context.Context, account accountDetail
 		return nil, fmt.Errorf("building %s client: %+v", clientName, err)
 	}
 
-	err = c.configureDataPlane(ctx, clientName, apiClient.Client, account, operation)
+	err = c.configureDataPlane(ctx, clientName, *baseUri, apiClient.Client, account, operation)
 	if err != nil {
 		return nil, err
 	}