Use MSI for storage access in GitHubVulnerabilities2Db (#10197)

drewgillies · web-flow · commit dec8b765ac87 · 2024-10-04T10:08:10.000+10:00
diff --git a/src/GitHubVulnerabilities2Db/Job.cs b/src/GitHubVulnerabilities2Db/Job.cs
@@ -6,6 +6,7 @@
 using System.Threading;
 using System.Threading.Tasks;
 using Autofac;
+using Azure.Identity;
 using Azure.Storage.Blobs;
 using GitHubVulnerabilities2Db.Configuration;
 using GitHubVulnerabilities2Db.Fakes;
@@ -31,13 +32,14 @@ namespace GitHubVulnerabilities2Db
 {
     public class Job : JsonConfigurationJob, IDisposable
     {
+        private const string ManagedIdentityClientIdKey = "UserManagedIdentityClientId";
         private readonly HttpClient _client = new HttpClient();
 
         public override async Task Run()
         {
             var collector = _serviceProvider.GetRequiredService<IAdvisoryCollector>();
-            while (await collector.ProcessAsync(CancellationToken.None));
-            
+            while (await collector.ProcessAsync(CancellationToken.None)) ;
+
         }
 
         protected override void ConfigureJobServices(IServiceCollection services, IConfigurationRoot configurationRoot)
@@ -59,7 +61,7 @@ protected override void ConfigureAutofacServices(ContainerBuilder containerBuild
 
             ConfigureQueryServices(containerBuilder);
             ConfigureIngestionServices(containerBuilder);
-            ConfigureCollectorServices(containerBuilder);
+            ConfigureCollectorServices(containerBuilder, configurationRoot);
         }
 
         protected void ConfigureIngestionServices(ContainerBuilder containerBuilder)
@@ -159,14 +161,14 @@ protected void ConfigureQueryServices(ContainerBuilder containerBuilder)
                 .As<IAdvisoryQueryService>();
         }
 
-        protected void ConfigureCollectorServices(ContainerBuilder containerBuilder)
+        protected void ConfigureCollectorServices(ContainerBuilder containerBuilder, IConfigurationRoot configurationRoot)
         {
             containerBuilder
                 .Register(ctx =>
                 {
                     var config = ctx.Resolve<GitHubVulnerabilities2DbConfiguration>();
-                    var connectionString = AzureStorageFactory.PrepareConnectionString(config.StorageConnectionString);
-                    return new BlobServiceClient(connectionString);
+                    var credential = new ManagedIdentityCredential(configurationRoot[ManagedIdentityClientIdKey]);
+                    return new BlobServiceClient(new Uri(config.StorageConnectionString), credential);
                 })
                 .As<BlobServiceClient>();
 

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@`
`6`	`6`	`using System.Threading;`
`7`	`7`	`using System.Threading.Tasks;`
`8`	`8`	`using Autofac;`
	`9`	`+using Azure.Identity;`
`9`	`10`	`using Azure.Storage.Blobs;`
`10`	`11`	`using GitHubVulnerabilities2Db.Configuration;`
`11`	`12`	`using GitHubVulnerabilities2Db.Fakes;`
`@@ -31,13 +32,14 @@ namespace GitHubVulnerabilities2Db`
`31`	`32`	`{`
`32`	`33`	`public class Job : JsonConfigurationJob, IDisposable`
`33`	`34`	`{`
	`35`	`+ private const string ManagedIdentityClientIdKey = "UserManagedIdentityClientId";`
`34`	`36`	`private readonly HttpClient _client = new HttpClient();`
`35`	`37`
`36`	`38`	`public override async Task Run()`
`37`	`39`	`{`
`38`	`40`	`var collector = _serviceProvider.GetRequiredService<IAdvisoryCollector>();`
`39`		`- while (await collector.ProcessAsync(CancellationToken.None));`
`40`		`-`
	`41`	`+ while (await collector.ProcessAsync(CancellationToken.None)) ;`
	`42`	`+`
`41`	`43`	`}`
`42`	`44`
`43`	`45`	`protected override void ConfigureJobServices(IServiceCollection services, IConfigurationRoot configurationRoot)`
`@@ -59,7 +61,7 @@ protected override void ConfigureAutofacServices(ContainerBuilder containerBuild`
`59`	`61`
`60`	`62`	`ConfigureQueryServices(containerBuilder);`
`61`	`63`	`ConfigureIngestionServices(containerBuilder);`
`62`		`- ConfigureCollectorServices(containerBuilder);`
	`64`	`+ ConfigureCollectorServices(containerBuilder, configurationRoot);`
`63`	`65`	`}`
`64`	`66`
`65`	`67`	`protected void ConfigureIngestionServices(ContainerBuilder containerBuilder)`
`@@ -159,14 +161,14 @@ protected void ConfigureQueryServices(ContainerBuilder containerBuilder)`
`159`	`161`	`.As<IAdvisoryQueryService>();`
`160`	`162`	`}`
`161`	`163`
`162`		`- protected void ConfigureCollectorServices(ContainerBuilder containerBuilder)`
	`164`	`+ protected void ConfigureCollectorServices(ContainerBuilder containerBuilder, IConfigurationRoot configurationRoot)`
`163`	`165`	`{`
`164`	`166`	`containerBuilder`
`165`	`167`	`.Register(ctx =>`
`166`	`168`	`{`
`167`	`169`	`var config = ctx.Resolve<GitHubVulnerabilities2DbConfiguration>();`
`168`		`- var connectionString = AzureStorageFactory.PrepareConnectionString(config.StorageConnectionString);`
`169`		`- return new BlobServiceClient(connectionString);`
	`170`	`+ var credential = new ManagedIdentityCredential(configurationRoot[ManagedIdentityClientIdKey]);`
	`171`	`+ return new BlobServiceClient(new Uri(config.StorageConnectionString), credential);`
`170`	`172`	`})`
`171`	`173`	`.As<BlobServiceClient>();`
`172`	`174`