Job base classes MSI support (#10153)

Co-authored-by: Andrei Grigorev <[email protected]>

Author: drewgillies

src/NuGet.Jobs.Catalog2Registration/DependencyInjectionExtensions.cs

@@ -28,13 +28,8 @@ public static ContainerBuilder AddCatalog2Registration(this ContainerBuilder con
             RegisterCursorStorage(containerBuilder);
 
             containerBuilder
-                .Register<ICloudBlobClient>(c =>
-                {
-                    var options = c.Resolve<IOptionsSnapshot<Catalog2RegistrationConfiguration>>();
-                    return new CloudBlobClientWrapper(
-                        options.Value.StorageConnectionString,
-                        requestTimeout: DefaultBlobRequestOptions.ServerTimeout);
-                });
+                .RegisterStorageAccount<Catalog2RegistrationConfiguration>(c => c.StorageConnectionString, requestTimeout: DefaultBlobRequestOptions.ServerTimeout)
+                .As<ICloudBlobClient>();
 
             containerBuilder.Register(c => new Catalog2RegistrationCommand(
                 c.Resolve<ICollector>(),

src/NuGet.Jobs.Common/JsonConfigurationJob.cs

@@ -167,6 +167,7 @@ protected virtual void ConfigureDefaultJobServices(IServiceCollection services,
             services.Configure<ValidationDbConfiguration>(configurationRoot.GetSection(ValidationDbConfigurationSectionName));
             services.Configure<ServiceBusConfiguration>(configurationRoot.GetSection(ServiceBusConfigurationSectionName));
             services.Configure<ValidationStorageConfiguration>(configurationRoot.GetSection(ValidationStorageConfigurationSectionName));
+            services.ConfigureStorageMsi(configurationRoot);
 
             services.AddSingleton(new TelemetryClient(ApplicationInsightsConfiguration.TelemetryConfiguration));
             services.AddTransient<ITelemetryClient, TelemetryClientWrapper>();
@@ -197,13 +198,7 @@ private void AddScopedSqlConnectionFactory<TDbConfiguration>(IServiceCollection
         public static void ConfigureFeatureFlagAutofacServices(ContainerBuilder containerBuilder)
         {
             containerBuilder
-                .Register(c =>
-                {
-                    var options = c.Resolve<IOptionsSnapshot<FeatureFlagConfiguration>>();
-                    return new CloudBlobClientWrapper(
-                        options.Value.ConnectionString,
-                        requestTimeout: TimeSpan.FromMinutes(2));
-                })
+                .RegisterStorageAccount<FeatureFlagConfiguration>(c => c.ConnectionString, requestTimeout: TimeSpan.FromMinutes(2))
                 .Keyed<ICloudBlobClient>(FeatureFlagBindingKey);
 
             containerBuilder

src/NuGet.Jobs.Common/StorageAccountExtensions.cs

@@ -0,0 +1,135 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Autofac;
+using Autofac.Builder;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+using NuGetGallery;
+
+namespace NuGet.Jobs
+{
+    public static class StorageAccountHelper
+    {
+        private const string StorageUseManagedIdentityPropertyName = "Storage_UseManagedIdentity";
+        private const string StorageManagedIdentityClientIdPropertyName = "Storage_ManagedIdentityClientId";
+
+        public static IServiceCollection ConfigureStorageMsi(
+            this IServiceCollection serviceCollection,
+            IConfiguration configuration,
+            string useManageIdentityPropertyName = null,
+            string managedIdentityClientIdPropertyName = null)
+        {
+            if (serviceCollection == null)
+            {
+                throw new ArgumentNullException(nameof(serviceCollection));
+            }
+            if (configuration == null)
+            {
+                throw new ArgumentNullException(nameof(configuration));
+            }
+
+            useManageIdentityPropertyName ??= StorageUseManagedIdentityPropertyName;
+            managedIdentityClientIdPropertyName ??= StorageManagedIdentityClientIdPropertyName;
+
+            string useManagedIdentityStr = configuration[useManageIdentityPropertyName];
+            string managedIdentityClientId = configuration[managedIdentityClientIdPropertyName];
+            bool useManagedIdentity = false;
+            if (!string.IsNullOrWhiteSpace(useManagedIdentityStr))
+            {
+                useManagedIdentity = bool.Parse(useManagedIdentityStr);
+            }
+            return serviceCollection.Configure<StorageMsiConfiguration>(storageConfiguration =>
+            {
+                storageConfiguration.UseManagedIdentity = useManagedIdentity;
+                storageConfiguration.ManagedIdentityClientId = managedIdentityClientId;
+            });
+        }
+
+        public static CloudBlobClientWrapper CreateCloudBlobClient(
+            this IServiceProvider serviceProvider,
+            string storageConnectionString,
+            bool readAccessGeoRedundant = false,
+            TimeSpan? requestTimeout = null)
+        {
+            if (serviceProvider == null)
+            {
+                throw new ArgumentNullException(nameof(serviceProvider));
+            }
+            if (string.IsNullOrWhiteSpace(storageConnectionString))
+            {
+                throw new ArgumentException($"{nameof(storageConnectionString)} cannot be null or empty.", nameof(storageConnectionString));
+            }
+
+            var msiConfiguration = serviceProvider.GetRequiredService<IOptions<StorageMsiConfiguration>>().Value;
+            return CreateCloudBlobClient(
+                msiConfiguration,
+                storageConnectionString,
+                readAccessGeoRedundant,
+                requestTimeout);
+        }
+
+        public static IRegistrationBuilder<CloudBlobClientWrapper, SimpleActivatorData, SingleRegistrationStyle> RegisterStorageAccount<TConfiguration>(
+            this ContainerBuilder builder,
+            Func<TConfiguration, string> getConnectionString,
+            Func<TConfiguration, bool> getReadAccessGeoRedundant = null,
+            TimeSpan? requestTimeout = null)
+            where TConfiguration : class, new()
+        {
+            if (builder == null)
+            {
+                throw new ArgumentNullException(nameof(builder));
+            }
+            if (getConnectionString == null)
+            {
+                throw new ArgumentNullException(nameof(getConnectionString));
+            }
+
+            return builder.Register(c =>
+            {
+                var options = c.Resolve<IOptionsSnapshot<TConfiguration>>();
+                string storageConnectionString = getConnectionString(options.Value);
+                bool readAccessGeoRedundant = getReadAccessGeoRedundant?.Invoke(options.Value) ?? false;
+                var msiConfiguration = c.Resolve<IOptions<StorageMsiConfiguration>>().Value;
+                return CreateCloudBlobClient(
+                    msiConfiguration,
+                    storageConnectionString,
+                    readAccessGeoRedundant,
+                    requestTimeout);
+            });
+        }
+
+        private static CloudBlobClientWrapper CreateCloudBlobClient(
+            StorageMsiConfiguration msiConfiguration,
+            string storageConnectionString,
+            bool readAccessGeoRedundant = false,
+            TimeSpan? requestTimeout = null)
+        {
+            if (msiConfiguration.UseManagedIdentity)
+            {
+                if (string.IsNullOrWhiteSpace(msiConfiguration.ManagedIdentityClientId))
+                {
+                    return CloudBlobClientWrapper.UsingDefaultAzureCredential(
+                        storageConnectionString,
+                        readAccessGeoRedundant: readAccessGeoRedundant,
+                        requestTimeout: requestTimeout);
+                }
+                else
+                {
+                    return CloudBlobClientWrapper.UsingMsi(
+                        storageConnectionString,
+                        msiConfiguration.ManagedIdentityClientId,
+                        readAccessGeoRedundant,
+                        requestTimeout);
+                }
+            }
+
+            return new CloudBlobClientWrapper(
+                storageConnectionString,
+                readAccessGeoRedundant,
+                requestTimeout);
+        }
+    }
+}

src/NuGet.Jobs.Common/StorageMsiConfiguration.cs

@@ -0,0 +1,11 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+namespace NuGet.Jobs
+{
+    public class StorageMsiConfiguration
+    {
+        public bool UseManagedIdentity { get; set; }
+        public string ManagedIdentityClientId { get; set; }
+    }
+}

src/NuGet.Jobs.GitHubIndexer/Job.cs

@@ -42,16 +42,15 @@ protected override void ConfigureJobServices(IServiceCollection services, IConfi
             services.AddTransient<IRepositoriesCache, DiskRepositoriesCache>();
             services.AddTransient<IConfigFileParser, ConfigFileParser>();
             services.AddTransient<IRepoFetcher, RepoFetcher>();
-            services.AddTransient<ICloudBlobClient>(provider => {
-                var config = provider.GetRequiredService<IOptionsSnapshot<GitHubIndexerConfiguration>>();
-                return new CloudBlobClientWrapper(config.Value.StorageConnectionString, config.Value.StorageReadAccessGeoRedundant);
-            });
 
             services.Configure<GitHubIndexerConfiguration>(configurationRoot.GetSection(GitHubIndexerConfigurationSectionName));
         }
 
         protected override void ConfigureAutofacServices(ContainerBuilder containerBuilder, IConfigurationRoot configurationRoot)
         {
+            containerBuilder
+                .RegisterStorageAccount<GitHubIndexerConfiguration>(c => c.StorageConnectionString, c => c.StorageReadAccessGeoRedundant)
+                .As<ICloudBlobClient>();
         }
     }
 }

src/NuGet.Services.AzureSearch/DependencyInjectionExtensions.cs

@@ -19,6 +19,7 @@
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using Microsoft.Rest;
+using NuGet.Jobs;
 using NuGet.Protocol;
 using NuGet.Services.AzureSearch.Auxiliary2AzureSearch;
 using NuGet.Services.AzureSearch.AuxiliaryFiles;
@@ -108,13 +109,7 @@ private static void RegisterIndexServices(ContainerBuilder containerBuilder, str
         private static void RegisterAzureSearchStorageServices(ContainerBuilder containerBuilder, string key)
         {
             containerBuilder
-                .Register<ICloudBlobClient>(c =>
-                {
-                    var options = c.Resolve<IOptionsSnapshot<AzureSearchConfiguration>>();
-                    return new CloudBlobClientWrapper(
-                        options.Value.StorageConnectionString,
-                        requestTimeout: DefaultBlobRequestOptions.ServerTimeout);
-                })
+                .RegisterStorageAccount<AzureSearchConfiguration>(c => c.StorageConnectionString, requestTimeout: DefaultBlobRequestOptions.ServerTimeout)
                 .Keyed<ICloudBlobClient>(key);
 
             containerBuilder
@@ -221,13 +216,9 @@ private static void RegisterAzureSearchStorageServices(ContainerBuilder containe
         private static void RegisterAuxiliaryDataStorageServices(ContainerBuilder containerBuilder, string key)
         {
             containerBuilder
-                .Register<ICloudBlobClient>(c =>
-                {
-                    var options = c.Resolve<IOptionsSnapshot<AuxiliaryDataStorageConfiguration>>();
-                    return new CloudBlobClientWrapper(
-                        options.Value.AuxiliaryDataStorageConnectionString,
-                        requestTimeout: DefaultBlobRequestOptions.ServerTimeout);
-                })
+                .RegisterStorageAccount<AuxiliaryDataStorageConfiguration>(
+                    c => c.AuxiliaryDataStorageConnectionString,
+                    requestTimeout: DefaultBlobRequestOptions.ServerTimeout)
                 .Keyed<ICloudBlobClient>(key);
 
             containerBuilder

src/NuGet.Services.Validation.Orchestrator/Job.cs

@@ -182,13 +182,6 @@ protected override void ConfigureJobServices(IServiceCollection services, IConfi
             services.AddTransient<IBrokeredMessageSerializer<PackageValidationMessageData>, PackageValidationMessageDataSerializationAdapter>();
             services.AddTransient<ICriteriaEvaluator<Package>, PackageCriteriaEvaluator>();
             services.AddTransient<IProcessSignatureEnqueuer, ProcessSignatureEnqueuer>();
-            services.AddTransient<ICloudBlobClient>(c =>
-            {
-                var configurationAccessor = c.GetRequiredService<IOptionsSnapshot<ValidationConfiguration>>();
-                return new CloudBlobClientWrapper(
-                    configurationAccessor.Value.ValidationStorageConnectionString,
-                    readAccessGeoRedundant: false);
-            });
             services.AddTransient<ICloudBlobContainerInformationProvider, GalleryCloudBlobContainerInformationProvider>();
             services.AddTransient<ICoreFileStorageService, CloudBlobCoreFileStorageService>();
             services.AddTransient<IFileDownloader, FileDownloader>();
@@ -238,6 +231,10 @@ protected override void ConfigureJobServices(IServiceCollection services, IConfi
 
         protected override void ConfigureAutofacServices(ContainerBuilder containerBuilder, IConfigurationRoot configurationRoot)
         {
+            containerBuilder
+                .RegisterStorageAccount<ValidationConfiguration>(c => c.ValidationStorageConnectionString)
+                .As<ICloudBlobClient>();
+
             containerBuilder
                 .Register(c =>
                 {
@@ -458,13 +455,7 @@ private static void ConfigureSymbolScanValidator(ContainerBuilder builder)
         private static void ConfigureFlatContainer(ContainerBuilder builder)
         {
             builder
-                .Register<CloudBlobClientWrapper>(c =>
-                {
-                    var configurationAccessor = c.Resolve<IOptionsSnapshot<FlatContainerConfiguration>>();
-                    return new CloudBlobClientWrapper(
-                        configurationAccessor.Value.ConnectionString,
-                        readAccessGeoRedundant: false);
-                })
+                .RegisterStorageAccount<FlatContainerConfiguration>(c => c.ConnectionString)
                 .Keyed<ICloudBlobClient>(FlatContainerBindingKey);
 
             builder

src/Validation.Common.Job/Leases/CloudBlobLeaseService.cs

@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
+using System.IO;
 using System.Net;
 using System.Threading;
 using System.Threading.Tasks;

src/Validation.Common.Job/ValidationJobBase.cs

@@ -50,13 +50,6 @@ protected override void ConfigureDefaultJobServices(IServiceCollection services,
             services.AddTransient<IFileDownloader, FileDownloader>();
             services.AddTransient<IServiceBusMessageSerializer, ServiceBusMessageSerializer>();
 
-            services.AddTransient<ICloudBlobClient>(c =>
-            {
-                var configurationAccessor = c.GetRequiredService<IOptionsSnapshot<ValidationStorageConfiguration>>();
-                return new CloudBlobClientWrapper(
-                    configurationAccessor.Value.ConnectionString,
-                    readAccessGeoRedundant: false);
-            });
             services.AddTransient<ICoreFileStorageService, CloudBlobCoreFileStorageService>();
             services.AddTransient<ISharedAccessSignatureService, SharedAccessSignatureService>();
 
@@ -97,6 +90,10 @@ protected override void ConfigureDefaultAutofacServices(ContainerBuilder contain
 
             ConfigureFeatureFlagAutofacServices(containerBuilder);
 
+            containerBuilder
+                .RegisterStorageAccount<ValidationStorageConfiguration>(c => c.ConnectionString)
+                .As<ICloudBlobClient>();
+
             containerBuilder
                 .Register(c =>
                 {

src/Validation.Symbols/Job.cs

@@ -5,6 +5,7 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Options;
+using NuGet.Jobs;
 using NuGet.Jobs.Validation;
 using NuGet.Jobs.Validation.Storage;
 using NuGet.Jobs.Validation.Symbols.Core;
@@ -32,16 +33,12 @@ protected override void ConfigureJobServices(IServiceCollection services, IConfi
             {
                 var configurationAccessor = c.GetRequiredService<IOptionsSnapshot<SymbolsValidatorConfiguration>>();
                 var packageStorageService = new CloudBlobCoreFileStorageService(
-                    new CloudBlobClientWrapper(
-                        configurationAccessor.Value.PackageConnectionString,
-                        readAccessGeoRedundant: false),
+                    c.CreateCloudBlobClient(configurationAccessor.Value.PackageConnectionString),
                     c.GetRequiredService<IDiagnosticsService>(),
                     c.GetRequiredService<ICloudBlobContainerInformationProvider>());
 
                 var packageValidationStorageService = new CloudBlobCoreFileStorageService(
-                    new CloudBlobClientWrapper(
-                        configurationAccessor.Value.ValidationPackageConnectionString,
-                        readAccessGeoRedundant: false),
+                    c.CreateCloudBlobClient(configurationAccessor.Value.ValidationPackageConnectionString),
                     c.GetRequiredService<IDiagnosticsService>(),
                     c.GetRequiredService<ICloudBlobContainerInformationProvider>());