[Storage Migration] V3 jobs (#10228)

dannyjdev · web-flow · commit 315ab746bc29 · 2024-11-18T13:00:15.000-08:00
diff --git a/src/Catalog/Persistence/AzureStorage.cs b/src/Catalog/Persistence/AzureStorage.cs
@@ -94,7 +94,7 @@ private static ICloudBlobDirectory GetCloudBlobDirectoryUri(Uri storageBaseUri)
 
             var blobEndpoint = new Uri(storageBaseUri.GetComponents(UriComponents.SchemeAndServer, UriFormat.Unescaped));
             // Create BlobServiceClient with anonymous credentials
-            var blobServiceClient = new BlobServiceClientFactory(blobEndpoint, new DefaultAzureCredential());
+            var blobServiceClient = new BlobServiceClientFactory(blobEndpoint);
 
             string containerName = pathSegments[0];
             string pathInContainer = string.Join("/", pathSegments.Skip(1));
diff --git a/src/Ng/CommandHelpers.cs b/src/Ng/CommandHelpers.cs
@@ -11,6 +11,7 @@
 using Azure;
 using Azure.Core;
 using Azure.Identity;
+using Azure.Storage;
 using Azure.Storage.Blobs;
 using Azure.Storage.Queues;
 using Microsoft.Extensions.Logging;
@@ -40,6 +41,8 @@ public static class CommandHelpers
         };
         private static readonly IDictionary<string, string> ArgumentNames = new Dictionary<string, string>
         {
+            { Arguments.UseManagedIdentity, Arguments.UseManagedIdentity },
+            { Arguments.ClientId, Arguments.ClientId},
             { Arguments.StorageBaseAddress, Arguments.StorageBaseAddress },
             { Arguments.StorageAccountName, Arguments.StorageAccountName },
             { Arguments.StorageKeyValue, Arguments.StorageKeyValue },
@@ -52,7 +55,6 @@ public static class CommandHelpers
             { Arguments.StorageOperationMaxExecutionTimeInSeconds, Arguments.StorageOperationMaxExecutionTimeInSeconds },
             { Arguments.StorageServerTimeoutInSeconds, Arguments.StorageServerTimeoutInSeconds },
             { Arguments.StorageInitializeContainer, Arguments.StorageInitializeContainer },
-            { Arguments.ClientId, Arguments.ClientId },
         };
 
         public static IDictionary<string, string> GetArguments(string[] args, int start, out ICachingSecretInjector secretInjector)
@@ -164,6 +166,8 @@ public static CatalogStorageFactory CreateSuffixedStorageFactory(
 
             IDictionary<string, string> names = new Dictionary<string, string>
             {
+                { Arguments.UseManagedIdentity, Arguments.UseManagedIdentity },
+                { Arguments.ClientId, Arguments.ClientId},
                 { Arguments.StorageBaseAddress, Arguments.StorageBaseAddress + suffix },
                 { Arguments.StorageAccountName, Arguments.StorageAccountName + suffix },
                 { Arguments.StorageUseManagedIdentity, Arguments.StorageUseManagedIdentity + suffix },
@@ -198,7 +202,6 @@ private static CatalogStorageFactory CreateStorageFactoryImpl(
             if (!string.IsNullOrEmpty(storageBaseAddressStr))
             {
                 storageBaseAddressStr = storageBaseAddressStr.TrimEnd('/') + "/";
-
                 storageBaseAddress = new Uri(storageBaseAddressStr);
             }
 
@@ -427,7 +430,16 @@ private static IBlobServiceClientFactory GetBlobServiceClient(
             IDictionary<string, string> argumentNameMap)
         {
             bool storageUseManagedIdentity = arguments.GetOrDefault(argumentNameMap[Arguments.StorageUseManagedIdentity], defaultValue: false);
-            if (storageUseManagedIdentity)
+            bool useManagedIdentity = storageUseManagedIdentity || arguments.GetOrDefault(argumentNameMap[Arguments.UseManagedIdentity], defaultValue: false);
+
+            var storageKeyValue = arguments.GetOrDefault<string>(argumentNameMap[Arguments.StorageKeyValue]);
+            var storageSasValue = arguments.GetOrDefault<string>(argumentNameMap[Arguments.StorageSasValue]);
+
+            bool hasStorageKeyOrSas = !string.IsNullOrEmpty(storageKeyValue) || !string.IsNullOrEmpty(storageSasValue);
+
+            // This comparison is due to some jobs using both global and china storages in a single instance.
+            // They require MSI auth for global storage and SAS/SAK auth for china storage.
+            if (useManagedIdentity && !hasStorageKeyOrSas)
             {
                 var managedIdentityClientId = arguments.GetOrThrow<string>(argumentNameMap[Arguments.ClientId]);
                 var identity = new ManagedIdentityCredential(managedIdentityClientId);
@@ -444,7 +456,16 @@ private static QueueServiceClient GetQueueServiceClient(
             IDictionary<string, string> argumentNameMap)
         {
             bool storageUseManagedIdentity = arguments.GetOrDefault(argumentNameMap[Arguments.StorageUseManagedIdentity], defaultValue: false);
-            if (storageUseManagedIdentity)
+            bool useManagedIdentity = storageUseManagedIdentity || arguments.GetOrDefault(argumentNameMap[Arguments.UseManagedIdentity], defaultValue: false);
+
+            var storageKeyValue = arguments.GetOrDefault<string>(argumentNameMap[Arguments.StorageKeyValue]);
+            var storageSasValue = arguments.GetOrDefault<string>(argumentNameMap[Arguments.StorageSasValue]);
+
+            bool hasStorageKeyOrSas = !string.IsNullOrEmpty(storageKeyValue) || !string.IsNullOrEmpty(storageSasValue);
+
+            // This comparison is due to some jobs using both global and china storages in a single instance.
+            // They require MSI auth for global storage and SAS/SAK auth for china storage.
+            if (useManagedIdentity && !hasStorageKeyOrSas)
             {
                 var managedIdentityClientId = arguments.GetOrThrow<string>(argumentNameMap[Arguments.ClientId]);
                 var identity = new ManagedIdentityCredential(managedIdentityClientId);
diff --git a/src/Ng/Jobs/Catalog2DnxJob.cs b/src/Ng/Jobs/Catalog2DnxJob.cs
@@ -1,4 +1,4 @@
-﻿// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -45,7 +45,7 @@ public override string GetUsage()
                    + $"-{Arguments.StoragePath} <path> "
                    + $"[-{Arguments.VaultName} <keyvault-name> "
                    + $"-{Arguments.UseManagedIdentity} true|false "
-                   + $"-{Arguments.ClientId} <keyvault-client-id> Should not be set if {Arguments.UseManagedIdentity} is true"
+                   + $"-{Arguments.ClientId} <client-id> If {Arguments.UseManagedIdentity} is true this is used for managed identity authentication, if false, is used for KeyVault certificate authentication"
                    + $"-{Arguments.CertificateThumbprint} <keyvault-certificate-thumbprint> Should not be set if {Arguments.UseManagedIdentity} is true"
                    + $"[-{Arguments.ValidateCertificate} true|false]]] "
                    + $"[-{Arguments.Verbose} true|false] "
@@ -122,4 +122,4 @@ protected override async Task RunInternalAsync(CancellationToken cancellationTok
             }
         }
     }
-}
+}
diff --git a/src/Ng/Jobs/Db2CatalogJob.cs b/src/Ng/Jobs/Db2CatalogJob.cs
@@ -1,4 +1,4 @@
-﻿// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -63,7 +63,7 @@ public override string GetUsage()
                    + $"-{Arguments.StoragePath} <path> "
                    + $"[-{Arguments.VaultName} <keyvault-name> "
                    + $"-{Arguments.UseManagedIdentity} true|false "
-                   + $"-{Arguments.ClientId} <keyvault-client-id> Should not be set if {Arguments.UseManagedIdentity} is true"
+                   + $"-{Arguments.ClientId} <client-id> If {Arguments.UseManagedIdentity} is true this is used for managed identity authentication, if false, is used for KeyVault certificate authentication"
                    + $"-{Arguments.CertificateThumbprint} <keyvault-certificate-thumbprint> Should not be set if {Arguments.UseManagedIdentity} is true"
                    + $"[-{Arguments.ValidateCertificate} true|false]]] "
                    + $"-{Arguments.StorageTypeAuditing} file|azure "
@@ -413,4 +413,4 @@ private async Task<DateTime> Deletes2Catalog(
             return lastDeleted;
         }
     }
-}
+}
diff --git a/src/Ng/Jobs/FixCatalogCachingJob.cs b/src/Ng/Jobs/FixCatalogCachingJob.cs
@@ -1,4 +1,4 @@
-﻿// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -52,7 +52,7 @@ public override string GetUsage()
                    + $"-{Arguments.StoragePath} <path> "
                    + $"[-{Arguments.VaultName} <keyvault-name> "
                    + $"-{Arguments.UseManagedIdentity} true|false "
-                   + $"-{Arguments.ClientId} <keyvault-client-id> Should not be set if {Arguments.UseManagedIdentity} is true"
+                   + $"-{Arguments.ClientId} <client-id> If {Arguments.UseManagedIdentity} is true this is used for managed identity authentication, if false, is used for KeyVault certificate authentication"
                    + $"-{Arguments.CertificateThumbprint} <keyvault-certificate-thumbprint> Should not be set if {Arguments.UseManagedIdentity} is true"
                    + $"[-{Arguments.ValidateCertificate} true|false ]]";
         }
diff --git a/src/Ng/Jobs/LightningJob.cs b/src/Ng/Jobs/LightningJob.cs
@@ -1,4 +1,4 @@
-﻿// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -400,8 +400,10 @@ private void AddStorageCredentialArgument(StringBuilder argument, string sasToke
             {
                 AppendArgument(argument, sasTokenArgument);
             }
-
-            AppendArgument(argument, storageKeyArgument);
+            else if (!string.IsNullOrEmpty(_arguments.GetOrDefault<string>(storageKeyArgument)))
+            {
+                AppendArgument(argument, storageKeyArgument);
+            }
         }
 
         private async Task StrikeAsync()
@@ -504,32 +506,55 @@ private IContainer GetAutofacContainer()
 
             services.Configure<Catalog2RegistrationConfiguration>(config =>
             {
+                config.StorageUseManagedIdentity = _arguments.GetOrDefault<bool>(Arguments.UseManagedIdentity);
+                config.StorageManagedIdentityClientId = _arguments.GetOrDefault<string>(Arguments.ClientId);
+
                 config.LegacyBaseUrl = _arguments.GetOrDefault<string>(Arguments.StorageBaseAddress);
                 config.LegacyStorageContainer = _arguments.GetOrDefault<string>(Arguments.StorageContainer);
-                config.StorageConnectionString = GetConnectionString(
-                    config.StorageConnectionString,
-                    Arguments.StorageAccountName,
-                    Arguments.StorageKeyValue,
-                    Arguments.StorageSasValue,
-                    Arguments.StorageSuffix);
 
                 config.GzippedBaseUrl = _arguments.GetOrDefault<string>(Arguments.CompressedStorageBaseAddress);
                 config.GzippedStorageContainer = _arguments.GetOrDefault<string>(Arguments.CompressedStorageContainer);
-                config.StorageConnectionString = GetConnectionString(
-                   config.StorageConnectionString,
-                   Arguments.CompressedStorageAccountName,
-                   Arguments.CompressedStorageKeyValue,
-                   Arguments.CompressedStorageSasValue,
-                   Arguments.StorageSuffix);
 
                 config.SemVer2BaseUrl = _arguments.GetOrDefault<string>(Arguments.SemVer2StorageBaseAddress);
                 config.SemVer2StorageContainer = _arguments.GetOrDefault<string>(Arguments.SemVer2StorageContainer);
-                config.StorageConnectionString = GetConnectionString(
-                   config.StorageConnectionString,
-                   Arguments.SemVer2StorageAccountName,
-                   Arguments.SemVer2StorageKeyValue,
-                   Arguments.SemVer2StorageSasValue,
-                   Arguments.StorageSuffix);
+
+                config.HasSasToken = new List<string>()
+                {
+                    _arguments.GetOrDefault<string>(Arguments.StorageSasValue),
+                    _arguments.GetOrDefault<string>(Arguments.CompressedStorageSasValue),
+                    _arguments.GetOrDefault<string>(Arguments.SemVer2StorageSasValue)
+                }
+                .All(t => !string.IsNullOrEmpty(t));
+
+                if (config.StorageUseManagedIdentity && !config.HasSasToken)
+                {
+                    var storageAccountName = _arguments.GetOrDefault<string>(Arguments.StorageAccountName);
+                    var storageSuffix = _arguments.GetOrDefault(Arguments.StorageSuffix, "core.windows.net");
+
+                    config.StorageServiceUrl = $"https://{storageAccountName}.blob.{storageSuffix}";
+                    config.StorageConnectionString = $"BlobEndpoint={config.StorageServiceUrl}";
+                }
+                else
+                {
+                    config.StorageConnectionString = GetConnectionString(
+                        config.StorageConnectionString,
+                        Arguments.StorageAccountName,
+                        Arguments.StorageKeyValue,
+                        Arguments.StorageSasValue,
+                        Arguments.StorageSuffix);
+                    config.StorageConnectionString = GetConnectionString(
+                       config.StorageConnectionString,
+                       Arguments.CompressedStorageAccountName,
+                       Arguments.CompressedStorageKeyValue,
+                       Arguments.CompressedStorageSasValue,
+                       Arguments.StorageSuffix);
+                    config.StorageConnectionString = GetConnectionString(
+                       config.StorageConnectionString,
+                       Arguments.SemVer2StorageAccountName,
+                       Arguments.SemVer2StorageKeyValue,
+                       Arguments.SemVer2StorageSasValue,
+                       Arguments.StorageSuffix);
+                }
 
                 config.GalleryBaseUrl = _arguments.GetOrThrow<string>(Arguments.GalleryBaseAddress);
                 var contentBaseAddress = _arguments.GetOrThrow<string>(Arguments.ContentBaseAddress);
@@ -568,7 +593,13 @@ private string GetConnectionString(
             }
             else
             {
-                builder.AppendFormat("SharedAccessSignature={0};", _arguments.GetOrThrow<string>(accountSasArgument));
+                var sasToken = _arguments.GetOrThrow<string>(accountSasArgument);
+                // workaround for https://github.com/Azure/azure-sdk-for-net/issues/44373
+                if (sasToken.StartsWith("?"))
+                {
+                    sasToken = sasToken.Substring(1);
+                }
+                builder.AppendFormat("SharedAccessSignature={0};", sasToken);
             }
 
             builder.AppendFormat("EndpointSuffix={0}", _arguments.GetOrDefault(endpointSuffixArgument, "core.windows.net"));
diff --git a/src/Ng/Jobs/NgJob.cs b/src/Ng/Jobs/NgJob.cs
@@ -1,4 +1,4 @@
-﻿// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -51,7 +51,7 @@ public static string GetUsageBase()
             return "Usage: ng [" + string.Join("|", NgJobFactory.JobMap.Keys) + "] "
                    + $"[-{Arguments.VaultName} <keyvault-name> "
                    + $"-{Arguments.UseManagedIdentity} true|false "
-                   + $"-{Arguments.ClientId} <keyvault-client-id> Should not be set if {Arguments.UseManagedIdentity} is true"
+                   + $"-{Arguments.ClientId} <client-id> If {Arguments.UseManagedIdentity} is true this is used for managed identity authentication, if false, is used for KeyVault certificate authentication"
                    + $"-{Arguments.CertificateThumbprint} <keyvault-certificate-thumbprint> Should not be set if {Arguments.UseManagedIdentity} is true"
                    + $"[-{Arguments.ValidateCertificate} true|false]]";
         }
@@ -76,4 +76,4 @@ public virtual async Task RunAsync(IDictionary<string, string> arguments, Cancel
             await RunInternalAsync(cancellationToken);
         }
     }
-}
+}
diff --git a/src/NuGet.Jobs.Catalog2Registration/Catalog2RegistrationConfiguration.cs b/src/NuGet.Jobs.Catalog2Registration/Catalog2RegistrationConfiguration.cs
@@ -1,4 +1,4 @@
-﻿// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -11,6 +11,26 @@ public class Catalog2RegistrationConfiguration : ICommitCollectorConfiguration
     {
         private static readonly int DefaultMaxConcurrentHivesPerId = Enum.GetValues(typeof(HiveType)).Length;
 
+        /// <summary>
+        /// Whether or not managed identity will be used as credential.
+        /// </summary>
+        public bool StorageUseManagedIdentity { get; set; }
+
+        /// <summary>
+        /// Specific manage identity client id.
+        /// </summary>
+        public string StorageManagedIdentityClientId { get; set; }
+
+        /// <summary>
+        /// Whether or not any storage contains a sas token.
+        /// </summary>
+        public bool HasSasToken { get; set; }
+
+        /// <summary>
+        /// Azure storage service uri. e.g. https://<storage>.blob.core.windows.net
+        /// </summary>
+        public string StorageServiceUrl { get; set; }
+
         /// <summary>
         /// The connection string used to connect to an Azure Blob Storage account. The connection string specifies
         /// the account name, the endpoint suffix (e.g. Azure vs. Azure China), and authentication credential (e.g. storage
diff --git a/src/NuGet.Jobs.Catalog2Registration/DependencyInjectionExtensions.cs b/src/NuGet.Jobs.Catalog2Registration/DependencyInjectionExtensions.cs
@@ -5,6 +5,7 @@
 using System.Collections.Generic;
 using System.Net.Http;
 using Autofac;
+using Azure.Identity;
 using Azure.Storage.Blobs;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
@@ -31,10 +32,20 @@ public static ContainerBuilder AddCatalog2Registration(this ContainerBuilder con
             containerBuilder.AddV3();
 
             RegisterCursorStorage(containerBuilder);
-
             containerBuilder
-                .RegisterStorageAccount<Catalog2RegistrationConfiguration>(c => c.StorageConnectionString, requestTimeout: DefaultBlobRequestOptions.ServerTimeout)
-                .As<ICloudBlobClient>();
+                .Register<ICloudBlobClient>(c =>
+                {
+                    var options = c.Resolve<IOptionsSnapshot<Catalog2RegistrationConfiguration>>();
+
+                    if (options.Value.StorageUseManagedIdentity && !options.Value.HasSasToken)
+                    {
+                        return CloudBlobClientWrapper.UsingMsi(options.Value.StorageConnectionString, clientId: options.Value.StorageManagedIdentityClientId, requestTimeout: DefaultBlobRequestOptions.ServerTimeout);
+                    }
+
+                    return new CloudBlobClientWrapper(
+                        options.Value.StorageConnectionString,
+                        requestTimeout: DefaultBlobRequestOptions.ServerTimeout);
+                });
 
             containerBuilder.Register(c => new Catalog2RegistrationCommand(
                 c.Resolve<ICollector>(),
@@ -57,7 +68,12 @@ private static void RegisterCursorStorage(ContainerBuilder containerBuilder)
                 {
                     var options = c.Resolve<IOptionsSnapshot<Catalog2RegistrationConfiguration>>();
 
-                    // workaround for https://github.com/Azure/azure-sdk-for-net/issues/44373
+                    if (options.Value.StorageUseManagedIdentity && !options.Value.HasSasToken)
+                    {
+                        var credential = new ManagedIdentityCredential(options.Value.StorageManagedIdentityClientId);
+
+                        return new BlobServiceClientFactory(new Uri(options.Value.StorageServiceUrl), credential);
+                    }
                     var connectionString = options.Value.StorageConnectionString.Replace("SharedAccessSignature=?", "SharedAccessSignature=");
 
                     return new BlobServiceClientFactory(connectionString);
diff --git a/src/NuGet.Jobs.Catalog2Registration/Job.cs b/src/NuGet.Jobs.Catalog2Registration/Job.cs
diff --git a/src/NuGet.Services.Storage/BlobServiceClientAuthType.cs b/src/NuGet.Services.Storage/BlobServiceClientAuthType.cs
diff --git a/src/NuGet.Services.Storage/BlobServiceClientFactory.cs b/src/NuGet.Services.Storage/BlobServiceClientFactory.cs

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-// Copyright (c) .NET Foundation. All rights reserved.`
	`1`	`+// Copyright (c) .NET Foundation. All rights reserved.`
`2`	`2`	`// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.`
`3`	`3`
`4`	`4`	`using System;`
`@@ -45,7 +45,7 @@ public override string GetUsage()`
`45`	`45`	`+ $"-{Arguments.StoragePath} <path> "`
`46`	`46`	`+ $"[-{Arguments.VaultName} <keyvault-name> "`
`47`	`47`	`+ $"-{Arguments.UseManagedIdentity} true\|false "`
`48`		`- + $"-{Arguments.ClientId} <keyvault-client-id> Should not be set if {Arguments.UseManagedIdentity} is true"`
	`48`	`+ + $"-{Arguments.ClientId} <client-id> If {Arguments.UseManagedIdentity} is true this is used for managed identity authentication, if false, is used for KeyVault certificate authentication"`
`49`	`49`	`+ $"-{Arguments.CertificateThumbprint} <keyvault-certificate-thumbprint> Should not be set if {Arguments.UseManagedIdentity} is true"`
`50`	`50`	`+ $"[-{Arguments.ValidateCertificate} true\|false]]] "`
`51`	`51`	`+ $"[-{Arguments.Verbose} true\|false] "`
`@@ -122,4 +122,4 @@ protected override async Task RunInternalAsync(CancellationToken cancellationTok`
`122`	`122`	`}`
`123`	`123`	`}`
`124`	`124`	`}`
`125`		`-}`
	`125`	`+}`