tests: use azidentity instead of ADAL

Signed-off-by: Rafael Fonseca <[email protected]>

test/e2e/aks.go

@@ -266,7 +266,7 @@ func GetWorkingAKSKubernetesVersion(ctx context.Context, subscriptionID, locatio
 	if err != nil {
 		return "", errors.Wrap(err, "failed to get settings from environment")
 	}
-	authorizer, err := settings.GetAuthorizer()
+	authorizer, err := GetAuthorizer(settings)
 	if err != nil {
 		return "", errors.Wrap(err, "failed to create an Authorizer")
 	}
@@ -336,7 +336,7 @@ func getLatestStableAKSKubernetesVersionOffset(ctx context.Context, subscription
 	if err != nil {
 		return "", errors.Wrap(err, "failed to get settings from environment")
 	}
-	authorizer, err := settings.GetAuthorizer()
+	authorizer, err := GetAuthorizer(settings)
 	if err != nil {
 		return "", errors.Wrap(err, "failed to create an Authorizer")
 	}
@@ -564,7 +564,7 @@ func AKSPublicIPPrefixSpec(ctx context.Context, inputGetter func() AKSPublicIPPr
 	settings, err := auth.GetSettingsFromEnvironment()
 	Expect(err).NotTo(HaveOccurred())
 	subscriptionID := settings.GetSubscriptionID()
-	auth, err := settings.GetAuthorizer()
+	auth, err := GetAuthorizer(settings)
 	Expect(err).NotTo(HaveOccurred())
 
 	mgmtClient := bootstrapClusterProxy.GetClient()

test/e2e/azure_clusterproxy.go

@@ -212,7 +212,7 @@ func (acp *AzureClusterProxy) collectActivityLogs(ctx context.Context, namespace
 	settings, err := auth.GetSettingsFromEnvironment()
 	Expect(err).NotTo(HaveOccurred())
 	subscriptionID := settings.GetSubscriptionID()
-	authorizer, err := settings.GetAuthorizer()
+	authorizer, err := GetAuthorizer(settings)
 	Expect(err).NotTo(HaveOccurred())
 	activityLogsClient := insights.NewActivityLogsClient(subscriptionID)
 	activityLogsClient.Authorizer = authorizer

test/e2e/azure_logcollector.go

@@ -408,7 +408,7 @@ func collectVMBootLog(ctx context.Context, am *infrav1.AzureMachine, outputPath
 	}
 
 	vmClient := compute.NewVirtualMachinesClient(settings.GetSubscriptionID())
-	vmClient.Authorizer, err = settings.GetAuthorizer()
+	vmClient.Authorizer, err = GetAuthorizer(settings)
 	if err != nil {
 		return errors.Wrap(err, "failed to get authorizer")
 	}
@@ -440,7 +440,7 @@ func collectVMSSBootLog(ctx context.Context, providerID string, outputPath strin
 	}
 
 	vmssClient := compute.NewVirtualMachineScaleSetVMsClient(settings.GetSubscriptionID())
-	vmssClient.Authorizer, err = settings.GetAuthorizer()
+	vmssClient.Authorizer, err = GetAuthorizer(settings)
 	if err != nil {
 		return errors.Wrap(err, "failed to get authorizer")
 	}

test/e2e/azure_privatecluster.go

@@ -182,7 +182,7 @@ func AzurePrivateClusterSpec(ctx context.Context, inputGetter func() AzurePrivat
 		Expect(err).To(BeNil())
 
 		azureBastionClient := network.NewBastionHostsClient(settings.GetSubscriptionID())
-		azureBastionClient.Authorizer, err = settings.GetAuthorizer()
+		azureBastionClient.Authorizer, err = GetAuthorizer(settings)
 		Expect(err).To(BeNil())
 
 		groupName := os.Getenv(AzureResourceGroup)
@@ -222,7 +222,7 @@ func SetupExistingVNet(ctx context.Context, vnetCidr string, cpSubnetCidrs, node
 	settings, err := auth.GetSettingsFromEnvironment()
 	Expect(err).NotTo(HaveOccurred())
 	subscriptionID := settings.GetSubscriptionID()
-	authorizer, err := settings.GetAuthorizer()
+	authorizer, err := GetAuthorizer(settings)
 	Expect(err).NotTo(HaveOccurred())
 	groupClient := resources.NewGroupsClient(subscriptionID)
 	groupClient.Authorizer = authorizer
@@ -455,7 +455,7 @@ func getClientIDforMSI(resourceID string) string {
 	settings, err := auth.GetSettingsFromEnvironment()
 	Expect(err).NotTo(HaveOccurred())
 	subscriptionID := settings.GetSubscriptionID()
-	authorizer, err := settings.GetAuthorizer()
+	authorizer, err := GetAuthorizer(settings)
 	Expect(err).NotTo(HaveOccurred())
 
 	msiClient := msi.NewUserAssignedIdentitiesClient(subscriptionID)

test/e2e/azure_vmextensions.go

@@ -75,7 +75,7 @@ func AzureVMExtensionsSpec(ctx context.Context, inputGetter func() AzureVMExtens
 	settings, err := auth.GetSettingsFromEnvironment()
 	Expect(err).NotTo(HaveOccurred())
 	subscriptionID := settings.GetSubscriptionID()
-	auth, err := settings.GetAuthorizer()
+	auth, err := GetAuthorizer(settings)
 	Expect(err).NotTo(HaveOccurred())
 
 	if len(machineList.Items) > 0 {

test/e2e/common.go

@@ -28,8 +28,13 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/Azure/azure-sdk-for-go/services/resources/mgmt/2020-10-01/resources"
+	"github.com/Azure/go-autorest/autorest"
 	"github.com/Azure/go-autorest/autorest/azure/auth"
+	"github.com/jongio/azidext/go/azidext"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	corev1 "k8s.io/api/core/v1"
@@ -192,13 +197,52 @@ func dumpSpecResourcesAndCleanup(ctx context.Context, input cleanupInput) {
 	}
 }
 
+// GetAuthorizer returns an autorest.Authorizer-compatible object from MSAL
+func GetAuthorizer(settings auth.EnvironmentSettings) (autorest.Authorizer, error) {
+	var config cloud.Configuration
+	switch settings.Environment.Name {
+	case "AzureStackCloud":
+		config = cloud.Configuration{
+			ActiveDirectoryAuthorityHost: settings.Environment.ActiveDirectoryEndpoint,
+			Services: map[cloud.ServiceName]cloud.ServiceConfiguration{
+				cloud.ResourceManager: {
+					Audience: settings.Environment.TokenAudience,
+					Endpoint: settings.Environment.ResourceManagerEndpoint,
+				},
+			},
+		}
+	case "AzureChinaCloud":
+		config = cloud.AzureChina
+	case "AzureUSGovernmentCloud":
+		config = cloud.AzureGovernment
+	default:
+		config = cloud.AzurePublic
+	}
+	options := azidentity.DefaultAzureCredentialOptions{
+		ClientOptions: azcore.ClientOptions{
+			Cloud: config,
+		},
+	}
+	cred, err := azidentity.NewDefaultAzureCredential(&options)
+	if err != nil {
+		return nil, err
+	}
+	// We must use TokenAudience for StackCloud, otherwise we get an
+	// AADSTS500011 error from the API
+	scope := settings.Environment.TokenAudience
+	if !strings.HasSuffix(scope, "/.default") {
+		scope += "/.default"
+	}
+	return azidext.NewTokenCredentialAdapter(cred, []string{scope}), nil
+}
+
 // ExpectResourceGroupToBe404 performs a GET request to Azure to determine if the cluster resource group still exists.
 // If it does still exist, it means the cluster was not deleted and is leaking Azure resources.
 func ExpectResourceGroupToBe404(ctx context.Context) {
 	settings, err := auth.GetSettingsFromEnvironment()
 	Expect(err).NotTo(HaveOccurred())
 	subscriptionID := settings.GetSubscriptionID()
-	authorizer, err := settings.GetAuthorizer()
+	authorizer, err := GetAuthorizer(settings)
 	Expect(err).NotTo(HaveOccurred())
 	groupsClient := resources.NewGroupsClient(subscriptionID)
 	groupsClient.Authorizer = authorizer

test/e2e/helpers.go

@@ -725,7 +725,7 @@ func newImagesClient() compute.VirtualMachineImagesClient {
 	settings, err := auth.GetSettingsFromEnvironment()
 	Expect(err).NotTo(HaveOccurred())
 	subscriptionID := settings.GetSubscriptionID()
-	authorizer, err := settings.GetAuthorizer()
+	authorizer, err := GetAuthorizer(settings)
 	Expect(err).NotTo(HaveOccurred())
 	imagesClient := compute.NewVirtualMachineImagesClient(subscriptionID)
 	imagesClient.Authorizer = authorizer