Merge pull request #1255 from karolz-ms/658-azure-sovereign-clouds

Add Azure sovereign cloud support

Author: gtardif

.gitignore

@@ -1,2 +1,3 @@
 bin/
 dist/
+/.vscode/

aci/backend.go

@@ -51,6 +51,7 @@ type LoginParams struct {
 	TenantID     string
 	ClientID     string
 	ClientSecret string
+	CloudName    string
 }
 
 // Validate returns an error if options are not used properly

aci/backend_test.go

@@ -23,7 +23,9 @@ import (
 	"github.com/stretchr/testify/mock"
 	"gotest.tools/v3/assert"
 
+	"github.com/docker/compose-cli/aci/login"
 	"github.com/docker/compose-cli/api/containers"
+	"golang.org/x/oauth2"
 )
 
 func TestGetContainerName(t *testing.T) {
@@ -82,7 +84,7 @@ func TestLoginParamsValidate(t *testing.T) {
 
 func TestLoginServicePrincipal(t *testing.T) {
 	loginService := mockLoginService{}
-	loginService.On("LoginServicePrincipal", "someID", "secret", "tenant").Return(nil)
+	loginService.On("LoginServicePrincipal", "someID", "secret", "tenant", "someCloud").Return(nil)
 	loginBackend := aciCloudService{
 		loginService: &loginService,
 	}
@@ -91,6 +93,7 @@ func TestLoginServicePrincipal(t *testing.T) {
 		ClientID:     "someID",
 		ClientSecret: "secret",
 		TenantID:     "tenant",
+		CloudName:    "someCloud",
 	})
 
 	assert.NilError(t, err)
@@ -99,13 +102,14 @@ func TestLoginServicePrincipal(t *testing.T) {
 func TestLoginWithTenant(t *testing.T) {
 	loginService := mockLoginService{}
 	ctx := context.Background()
-	loginService.On("Login", ctx, "tenant").Return(nil)
+	loginService.On("Login", ctx, "tenant", "someCloud").Return(nil)
 	loginBackend := aciCloudService{
 		loginService: &loginService,
 	}
 
 	err := loginBackend.Login(ctx, LoginParams{
-		TenantID: "tenant",
+		TenantID:  "tenant",
+		CloudName: "someCloud",
 	})
 
 	assert.NilError(t, err)
@@ -114,12 +118,14 @@ func TestLoginWithTenant(t *testing.T) {
 func TestLoginWithoutTenant(t *testing.T) {
 	loginService := mockLoginService{}
 	ctx := context.Background()
-	loginService.On("Login", ctx, "").Return(nil)
+	loginService.On("Login", ctx, "", "someCloud").Return(nil)
 	loginBackend := aciCloudService{
 		loginService: &loginService,
 	}
 
-	err := loginBackend.Login(ctx, LoginParams{})
+	err := loginBackend.Login(ctx, LoginParams{
+		CloudName: "someCloud",
+	})
 
 	assert.NilError(t, err)
 }
@@ -128,17 +134,32 @@ type mockLoginService struct {
 	mock.Mock
 }
 
-func (s *mockLoginService) Login(ctx context.Context, requestedTenantID string) error {
-	args := s.Called(ctx, requestedTenantID)
+func (s *mockLoginService) Login(ctx context.Context, requestedTenantID string, cloudEnvironment string) error {
+	args := s.Called(ctx, requestedTenantID, cloudEnvironment)
 	return args.Error(0)
 }
 
-func (s *mockLoginService) LoginServicePrincipal(clientID string, clientSecret string, tenantID string) error {
-	args := s.Called(clientID, clientSecret, tenantID)
+func (s *mockLoginService) LoginServicePrincipal(clientID string, clientSecret string, tenantID string, cloudEnvironment string) error {
+	args := s.Called(clientID, clientSecret, tenantID, cloudEnvironment)
 	return args.Error(0)
 }
 
 func (s *mockLoginService) Logout(ctx context.Context) error {
 	args := s.Called(ctx)
 	return args.Error(0)
 }
+
+func (s *mockLoginService) GetTenantID() (string, error) {
+	args := s.Called()
+	return args.String(0), args.Error(1)
+}
+
+func (s *mockLoginService) GetCloudEnvironment() (login.CloudEnvironment, error) {
+	args := s.Called()
+	return args.Get(0).(login.CloudEnvironment), args.Error(1)
+}
+
+func (s *mockLoginService) GetValidToken() (oauth2.Token, string, error) {
+	args := s.Called()
+	return args.Get(0).(oauth2.Token), args.String(1), args.Error(2)
+}

aci/cloud.go

@@ -25,18 +25,21 @@ import (
 )
 
 type aciCloudService struct {
-	loginService login.AzureLoginServiceAPI
+	loginService login.AzureLoginService
 }
 
 func (cs *aciCloudService) Login(ctx context.Context, params interface{}) error {
 	opts, ok := params.(LoginParams)
 	if !ok {
 		return errors.New("could not read Azure LoginParams struct from generic parameter")
 	}
+	if opts.CloudName == "" {
+		opts.CloudName = login.AzurePublicCloudName
+	}
 	if opts.ClientID != "" {
-		return cs.loginService.LoginServicePrincipal(opts.ClientID, opts.ClientSecret, opts.TenantID)
+		return cs.loginService.LoginServicePrincipal(opts.ClientID, opts.ClientSecret, opts.TenantID, opts.CloudName)
 	}
-	return cs.loginService.Login(ctx, opts.TenantID)
+	return cs.loginService.Login(ctx, opts.TenantID, opts.CloudName)
 }
 
 func (cs *aciCloudService) Logout(ctx context.Context) error {

aci/convert/registry_credentials.go

@@ -47,7 +47,7 @@ const (
 
 type registryHelper interface {
 	getAllRegistryCredentials() (map[string]types.AuthConfig, error)
-	autoLoginAcr(registry string) error
+	autoLoginAcr(registry string, loginService login.AzureLoginService) error
 }
 
 type cliRegistryHelper struct {
@@ -65,9 +65,19 @@ func newCliRegistryConfLoader() cliRegistryHelper {
 }
 
 func getRegistryCredentials(project compose.Project, helper registryHelper) ([]containerinstance.ImageRegistryCredential, error) {
-	usedRegistries, acrRegistries := getUsedRegistries(project)
+	loginService, err := login.NewAzureLoginService()
+	if err != nil {
+		return nil, err
+	}
+
+	var cloudEnvironment *login.CloudEnvironment = nil
+	if ce, err := loginService.GetCloudEnvironment(); err != nil {
+		cloudEnvironment = &ce
+	}
+
+	usedRegistries, acrRegistries := getUsedRegistries(project, cloudEnvironment)
 	for _, registry := range acrRegistries {
-		err := helper.autoLoginAcr(registry)
+		err := helper.autoLoginAcr(registry, loginService)
 		if err != nil {
 			fmt.Printf("WARNING: %v\n", err)
 			fmt.Printf("Could not automatically login to %s from your Azure login. Assuming you already logged in to the ACR registry\n", registry)
@@ -116,9 +126,10 @@ func getRegistryCredentials(project compose.Project, helper registryHelper) ([]c
 	return registryCreds, nil
 }
 
-func getUsedRegistries(project compose.Project) (map[string]bool, []string) {
+func getUsedRegistries(project compose.Project, ce *login.CloudEnvironment) (map[string]bool, []string) {
 	usedRegistries := map[string]bool{}
 	acrRegistries := []string{}
+
 	for _, service := range project.Services {
 		imageName := service.Image
 		tokens := strings.Split(imageName, "/")
@@ -127,24 +138,18 @@ func getUsedRegistries(project compose.Project) (map[string]bool, []string) {
 			registry = dockerHub
 		} else if !strings.Contains(registry, ".") {
 			registry = dockerHub
-		} else if strings.HasSuffix(registry, login.AcrRegistrySuffix) {
-			acrRegistries = append(acrRegistries, registry)
+		} else if ce != nil {
+			if suffix, present := ce.Suffixes[login.AcrSuffixKey]; present && strings.HasSuffix(registry, suffix) {
+				acrRegistries = append(acrRegistries, registry)
+			}
 		}
 		usedRegistries[registry] = true
 	}
 	return usedRegistries, acrRegistries
 }
 
-func (c cliRegistryHelper) autoLoginAcr(registry string) error {
-	loginService, err := login.NewAzureLoginService()
-	if err != nil {
-		return err
-	}
-	token, err := loginService.GetValidToken()
-	if err != nil {
-		return err
-	}
-	tenantID, err := loginService.GetTenantID()
+func (c cliRegistryHelper) autoLoginAcr(registry string, loginService login.AzureLoginService) error {
+	token, tenantID, err := loginService.GetValidToken()
 	if err != nil {
 		return err
 	}

aci/convert/registry_credentials_test.go

@@ -25,6 +25,7 @@ import (
 	"github.com/Azure/go-autorest/autorest/to"
 	"github.com/compose-spec/compose-go/types"
 	cliconfigtypes "github.com/docker/cli/cli/config/types"
+	"github.com/docker/compose-cli/aci/login"
 	"github.com/stretchr/testify/mock"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
@@ -255,7 +256,7 @@ func (s *MockRegistryHelper) getAllRegistryCredentials() (map[string]cliconfigty
 	return args.Get(0).(map[string]cliconfigtypes.AuthConfig), args.Error(1)
 }
 
-func (s *MockRegistryHelper) autoLoginAcr(registry string) error {
-	args := s.Called(registry)
+func (s *MockRegistryHelper) autoLoginAcr(registry string, loginService login.AzureLoginService) error {
+	args := s.Called(registry, loginService)
 	return args.Error(0)
 }

aci/login/client.go

@@ -17,13 +17,17 @@
 package login
 
 import (
+	"encoding/json"
+	"strconv"
 	"time"
 
 	"github.com/Azure/azure-sdk-for-go/profiles/2019-03-01/resources/mgmt/resources"
 	"github.com/Azure/azure-sdk-for-go/profiles/preview/preview/subscription/mgmt/subscription"
 	"github.com/Azure/azure-sdk-for-go/services/containerinstance/mgmt/2019-12-01/containerinstance"
 	"github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage"
 	"github.com/Azure/go-autorest/autorest"
+	"github.com/Azure/go-autorest/autorest/adal"
+	"github.com/Azure/go-autorest/autorest/date"
 	"github.com/pkg/errors"
 
 	"github.com/docker/compose-cli/api/errdefs"
@@ -32,8 +36,12 @@ import (
 
 // NewContainerGroupsClient get client toi manipulate containerGrouos
 func NewContainerGroupsClient(subscriptionID string) (containerinstance.ContainerGroupsClient, error) {
-	containerGroupsClient := containerinstance.NewContainerGroupsClient(subscriptionID)
-	err := setupClient(&containerGroupsClient.Client)
+	authorizer, mgmtURL, err := getClientSetupData()
+	if err != nil {
+		return containerinstance.ContainerGroupsClient{}, err
+	}
+	containerGroupsClient := containerinstance.NewContainerGroupsClientWithBaseURI(mgmtURL, subscriptionID)
+	setupClient(&containerGroupsClient.Client, authorizer)
 	if err != nil {
 		return containerinstance.ContainerGroupsClient{}, err
 	}
@@ -43,68 +51,100 @@ func NewContainerGroupsClient(subscriptionID string) (containerinstance.Containe
 	return containerGroupsClient, nil
 }
 
-func setupClient(aciClient *autorest.Client) error {
+func setupClient(aciClient *autorest.Client, auth autorest.Authorizer) {
 	aciClient.UserAgent = internal.UserAgentName + "/" + internal.Version
-	auth, err := NewAuthorizerFromLogin()
-	if err != nil {
-		return err
-	}
 	aciClient.Authorizer = auth
-	return nil
 }
 
 // NewStorageAccountsClient get client to manipulate storage accounts
 func NewStorageAccountsClient(subscriptionID string) (storage.AccountsClient, error) {
-	containerGroupsClient := storage.NewAccountsClient(subscriptionID)
-	err := setupClient(&containerGroupsClient.Client)
+	authorizer, mgmtURL, err := getClientSetupData()
 	if err != nil {
 		return storage.AccountsClient{}, err
 	}
-	containerGroupsClient.PollingDelay = 5 * time.Second
-	containerGroupsClient.RetryAttempts = 30
-	containerGroupsClient.RetryDuration = 1 * time.Second
-	return containerGroupsClient, nil
+	storageAccuntsClient := storage.NewAccountsClientWithBaseURI(mgmtURL, subscriptionID)
+	setupClient(&storageAccuntsClient.Client, authorizer)
+	storageAccuntsClient.PollingDelay = 5 * time.Second
+	storageAccuntsClient.RetryAttempts = 30
+	storageAccuntsClient.RetryDuration = 1 * time.Second
+	return storageAccuntsClient, nil
 }
 
 // NewFileShareClient get client to manipulate file shares
 func NewFileShareClient(subscriptionID string) (storage.FileSharesClient, error) {
-	containerGroupsClient := storage.NewFileSharesClient(subscriptionID)
-	err := setupClient(&containerGroupsClient.Client)
+	authorizer, mgmtURL, err := getClientSetupData()
 	if err != nil {
 		return storage.FileSharesClient{}, err
 	}
-	containerGroupsClient.PollingDelay = 5 * time.Second
-	containerGroupsClient.RetryAttempts = 30
-	containerGroupsClient.RetryDuration = 1 * time.Second
-	return containerGroupsClient, nil
+	fileSharesClient := storage.NewFileSharesClientWithBaseURI(mgmtURL, subscriptionID)
+	setupClient(&fileSharesClient.Client, authorizer)
+	fileSharesClient.PollingDelay = 5 * time.Second
+	fileSharesClient.RetryAttempts = 30
+	fileSharesClient.RetryDuration = 1 * time.Second
+	return fileSharesClient, nil
 }
 
 // NewSubscriptionsClient get subscription client
 func NewSubscriptionsClient() (subscription.SubscriptionsClient, error) {
-	subc := subscription.NewSubscriptionsClient()
-	err := setupClient(&subc.Client)
+	authorizer, mgmtURL, err := getClientSetupData()
 	if err != nil {
 		return subscription.SubscriptionsClient{}, errors.Wrap(errdefs.ErrLoginRequired, err.Error())
 	}
+	subc := subscription.NewSubscriptionsClientWithBaseURI(mgmtURL)
+	setupClient(&subc.Client, authorizer)
 	return subc, nil
 }
 
 // NewGroupsClient get client to manipulate groups
 func NewGroupsClient(subscriptionID string) (resources.GroupsClient, error) {
-	groupsClient := resources.NewGroupsClient(subscriptionID)
-	err := setupClient(&groupsClient.Client)
+	authorizer, mgmtURL, err := getClientSetupData()
 	if err != nil {
 		return resources.GroupsClient{}, err
 	}
+	groupsClient := resources.NewGroupsClientWithBaseURI(mgmtURL, subscriptionID)
+	setupClient(&groupsClient.Client, authorizer)
 	return groupsClient, nil
 }
 
 // NewContainerClient get client to manipulate containers
 func NewContainerClient(subscriptionID string) (containerinstance.ContainersClient, error) {
-	containerClient := containerinstance.NewContainersClient(subscriptionID)
-	err := setupClient(&containerClient.Client)
+	authorizer, mgmtURL, err := getClientSetupData()
 	if err != nil {
 		return containerinstance.ContainersClient{}, err
 	}
+	containerClient := containerinstance.NewContainersClientWithBaseURI(mgmtURL, subscriptionID)
+	setupClient(&containerClient.Client, authorizer)
 	return containerClient, nil
 }
+
+func getClientSetupData() (autorest.Authorizer, string, error) {
+	return getClientSetupDataImpl(GetTokenStorePath())
+}
+
+func getClientSetupDataImpl(tokenStorePath string) (autorest.Authorizer, string, error) {
+	als, err := newAzureLoginServiceFromPath(tokenStorePath, azureAPIHelper{}, CloudEnvironments)
+	if err != nil {
+		return nil, "", err
+	}
+
+	oauthToken, _, err := als.GetValidToken()
+	if err != nil {
+		return nil, "", errors.Wrap(err, "not logged in to azure, you need to run \"docker login azure\" first")
+	}
+
+	ce, err := als.GetCloudEnvironment()
+	if err != nil {
+		return nil, "", err
+	}
+
+	token := adal.Token{
+		AccessToken:  oauthToken.AccessToken,
+		Type:         oauthToken.TokenType,
+		ExpiresIn:    json.Number(strconv.Itoa(int(time.Until(oauthToken.Expiry).Seconds()))),
+		ExpiresOn:    json.Number(strconv.Itoa(int(oauthToken.Expiry.Sub(date.UnixEpoch()).Seconds()))),
+		RefreshToken: "",
+		Resource:     "",
+	}
+
+	return autorest.NewBearerAuthorizer(&token), ce.ResourceManagerURL, nil
+}