
Commit 3ed002a

authored
fix: use proper scope for Entra auth (#198)
1 parent b3a8513 commit 3ed002a


1 file changed

+22
-17
lines changed


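--- a/azuread/configuration.go
+++ b/azuread/configuration.go
@@ -5,6 +5,8 @@ package azuread
 
 import (
 "context"
+"crypto"
+"crypto/x509"
 "errors"
 "fmt"
 "os"
@@ -75,23 +77,23 @@ func parse(dsn string) (*azureFedAuthConfig, error) {
 
 func (p *azureFedAuthConfig) validateParameters(params map[string]string) error {
 
-fedAuthWorkflow, _ := params["fedauth"]
+fedAuthWorkflow := params["fedauth"]
 if fedAuthWorkflow == "" {
 return nil
 }
 
 p.fedAuthLibrary = mssql.FedAuthLibraryADAL
 
-p.applicationClientID, _ = params["applicationclientid"]
+p.applicationClientID = params["applicationclientid"]
 
 switch {
 case strings.EqualFold(fedAuthWorkflow, ActiveDirectoryPassword):
 if p.applicationClientID == "" {
 return errors.New("applicationclientid parameter is required for " + ActiveDirectoryPassword)
 }
 p.adalWorkflow = mssql.FedAuthADALWorkflowPassword
-p.user, _ = params["user id"]
-p.password, _ = params["password"]
+p.user = params["user id"]
+p.password = params["password"]
 case strings.EqualFold(fedAuthWorkflow, ActiveDirectoryIntegrated):
 // Active Directory Integrated authentication is not fully supported:
 // you can only use this by also implementing an a token provider
@@ -101,7 +103,7 @@ func (p *azureFedAuthConfig) validateParameters(params map[string]string) error
 // When using MSI, to request a specific client ID or user-assigned identity,
 // provide the ID in the "user id" parameter
 p.adalWorkflow = mssql.FedAuthADALWorkflowMSI
-p.resourceID, _ = params["resource id"]
+p.resourceID = params["resource id"]
 p.clientID, _ = splitTenantAndClientID(params["user id"])
 case strings.EqualFold(fedAuthWorkflow, ActiveDirectoryApplication) || strings.EqualFold(fedAuthWorkflow, ActiveDirectoryServicePrincipal):
 p.adalWorkflow = mssql.FedAuthADALWorkflowPassword
@@ -112,9 +114,9 @@ func (p *azureFedAuthConfig) validateParameters(params map[string]string) error
 return errors.New("Must provide 'client id[@tenant id]' as username parameter when using ActiveDirectoryApplication authentication")
 }
 
-p.clientSecret, _ = params["password"]
+p.clientSecret = params["password"]
 
-p.certificatePath, _ = params["clientcertpath"]
+p.certificatePath = params["clientcertpath"]
 
 if p.certificatePath == "" && p.clientSecret == "" {
 return errors.New("Must provide 'password' parameter when using ActiveDirectoryApplication authentication without cert/key credentials")
@@ -126,13 +128,13 @@ func (p *azureFedAuthConfig) validateParameters(params map[string]string) error
 return errors.New("applicationclientid parameter is required for " + ActiveDirectoryInteractive)
 }
 // user is an optional login hint
-p.user, _ = params["user id"]
+p.user = params["user id"]
 // we don't really have a password but we need to use some value.
 p.adalWorkflow = mssql.FedAuthADALWorkflowPassword
 case strings.EqualFold(fedAuthWorkflow, ActiveDirectoryServicePrincipalAccessToken):
 p.fedAuthLibrary = mssql.FedAuthLibrarySecurityToken
 p.adalWorkflow = mssql.FedAuthADALWorkflowNone
-p.password, _ = params["password"]
+p.password = params["password"]
 
 if p.password == "" {
 return errors.New("Must provide 'password' parameter when using ActiveDirectoryServicePrincipalAccessToken authentication")
@@ -156,10 +158,10 @@ func splitTenantAndClientID(user string) (string, string) {
 return user[0:at], user[at+1:]
 }
 
-func splitAuthorityAndTenant(authorityUrl string) (string, string) {
-separatorIndex := strings.LastIndex(authorityUrl, "/")
-tenant := authorityUrl[separatorIndex+1:]
-authority := authorityUrl[:separatorIndex]
+func splitAuthorityAndTenant(authorityURL string) (string, string) {
+separatorIndex := strings.LastIndex(authorityURL, "/")
+tenant := authorityURL[separatorIndex+1:]
+authority := authorityURL[:separatorIndex]
 return authority, tenant
 }
 
@@ -171,18 +173,21 @@ func (p *azureFedAuthConfig) provideActiveDirectoryToken(ctx context.Context, se
 if p.tenantID != "" {
 tenant = p.tenantID
 }
-scope := stsURL
+scope := serverSPN
 if !strings.HasSuffix(serverSPN, scopeDefaultSuffix) {
-scope = strings.TrimRight(serverSPN, "/") + scopeDefaultSuffix
+scope = serverSPN + scopeDefaultSuffix
 }
 
 switch p.fedAuthWorkflow {
 case ActiveDirectoryServicePrincipal, ActiveDirectoryApplication:
 switch {
 case p.certificatePath != "":
-certData, err := os.ReadFile(p.certificatePath)
+var certData []byte
+certData, err = os.ReadFile(p.certificatePath)
 if err != nil {
-certs, key, err := azidentity.ParseCertificates(certData, []byte(p.clientSecret))
+var certs []*x509.Certificate
+var key crypto.PrivateKey
+certs, key, err = azidentity.ParseCertificates(certData, []byte(p.clientSecret))
 if err != nil {
 cred, err = azidentity.NewClientCertificateCredential(tenant, p.clientID, certs, key, nil)
 }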
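Review bot: The new `scope = serverSPN + scopeDefaultSuffix` line drops the `strings.TrimRight(serverSPN, "/")` that the removed line applied, so a serverSPN carrying a trailing `/` now yields a doubled separator in the requested token audience if scopeDefaultSuffix begins with `/` (its definition is outside this hunk); keeping `scope = strings.TrimRight(serverSPN, "/") + scopeDefaultSuffix`, or normalizing serverSPN once before the HasSuffix check, preserves the old behaviour for such inputs. As rendered, the guards after `os.ReadFile` and `azidentity.ParseCertificates` both read `if err != nil {`, which would run the parse and the credential construction only on the failure path; if that is not an artifact of this page, they should be `if err == nil {`. In splitAuthorityAndTenant, `strings.LastIndex` returning -1 makes `authority := authorityURL[:separatorIndex]` panic for an input with no `/`; a guard such as `if separatorIndex < 0 { return authorityURL, "" }` (with whatever default the callers expect) would avoid that. provideActiveDirectoryToken begins before and continues after this hunk.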
