Add support for client assertion based authentication (#1620)

Add support for client assertion based authentication

CHANGELOG.md

@@ -1,3 +1,6 @@
+## 2.5.0 (Unreleased)
+**Features**
+- Added `Client Assertion` based authentication for containers. Configure `tenant-id, client-id, aad-application-id and security scope` with `authMode` set to `clientassertion`.
 
 ## 2.5.0~preview.1 (Unreleased)
 **Features**

blobfuse2-code-coverage.yaml

@@ -565,7 +565,7 @@ stages:
             - script: |
                 echo 'mode: count' > ./blobfuse2_coverage_raw.rpt
                 tail -q -n +2 ./*.cov >> ./blobfuse2_coverage_raw.rpt
-                cat ./blobfuse2_coverage_raw.rpt | grep -v mock_component | grep -v base_component | grep -v loopback | grep -v tools | grep -v "common/log" | grep -v "common/exectime" | grep -v "common/types.go" | grep -v "internal/stats_manager" | grep -v "main.go" | grep -v "component/azstorage/azauthmsi.go" | grep -v "component/azstorage/azauthspn.go" | grep -v "component/stream" | grep -v "component/custom" | grep -v "component/azstorage/azauthcli.go" | grep -v "exported/exported.go" |  grep -v "component/block_cache/stream.go" > ./blobfuse2_coverage.rpt 
+                cat ./blobfuse2_coverage_raw.rpt | grep -v mock_component | grep -v base_component | grep -v loopback | grep -v tools | grep -v "common/log" | grep -v "common/exectime" | grep -v "common/types.go" | grep -v "internal/stats_manager" | grep -v "main.go" | grep -v "component/azstorage/azauthmsi.go" | grep -v "component/azstorage/azauthspn.go" | grep -v "component/stream" | grep -v "component/custom" | grep -v "component/azstorage/azauthcli.go" | grep -v "exported/exported.go" |  grep -v "component/block_cache/stream.go"  | grep -v "component/azstorage/azauthclientassertion.go" > ./blobfuse2_coverage.rpt 
                 go tool cover -func blobfuse2_coverage.rpt  > ./blobfuse2_func_cover.rpt
                 go tool cover -html=./blobfuse2_coverage.rpt -o ./blobfuse2_coverage.html
                 go tool cover -html=./blobfuse2_ut.cov -o ./blobfuse2_ut.html

common/types.go

@@ -47,7 +47,7 @@ import (
 
 // Standard config default values
 const (
-	blobfuse2Version_ = "2.4.1"
+	blobfuse2Version_ = "2.5.0~preview.1"
 
 	DefaultMaxLogFileSize = 512
 	DefaultLogFileCount   = 10

component/azstorage/azauth.go

@@ -66,8 +66,14 @@ type azAuthConfig struct {
 	WorkloadIdentityToken   string
 	ActiveDirectoryEndpoint string
 
-	Endpoint     string
+	// Client assertions config
+	// This will need ApplicationID, TenantID and ClientID as well
+	UserAssertion string
+
+	// Auth resource / security scope for OAuth
 	AuthResource string
+
+	Endpoint string
 }
 
 // azAuth : Interface to define a generic authentication type
@@ -131,6 +137,12 @@ func getAzBlobAuth(config azAuthConfig) azAuth {
 				azAuthBase: base,
 			},
 		}
+	} else if config.AuthMode == EAuthType.CLIENTASSERTION() {
+		return &azAuthBlobClientAssertion{
+			azAuthClientAssertion{
+				azAuthBase: base,
+			},
+		}
 	} else {
 		log.Crit("azAuth::getAzBlobAuth : Auth type %s not supported. Failed to create Auth object", config.AuthMode)
 	}
@@ -169,6 +181,12 @@ func getAzDatalakeAuth(config azAuthConfig) azAuth {
 				azAuthBase: base,
 			},
 		}
+	} else if config.AuthMode == EAuthType.CLIENTASSERTION() {
+		return &azAuthDatalakeClientAssertion{
+			azAuthClientAssertion{
+				azAuthBase: base,
+			},
+		}
 	} else {
 		log.Crit("azAuth::getAzDatalakeAuth : Auth type %s not supported. Failed to create Auth object", config.AuthMode)
 	}

component/azstorage/azauthclientassertion.go

@@ -0,0 +1,162 @@
+/*
+    _____           _____   _____   ____          ______  _____  ------
+   |     |  |      |     | |     | |     |     | |       |            |
+   |     |  |      |     | |     | |     |     | |       |            |
+   | --- |  |      |     | |-----| |---- |     | |-----| |-----  ------
+   |     |  |      |     | |     | |     |     |       | |       |
+   | ____|  |_____ | ____| | ____| |     |_____|  _____| |_____  |_____
+
+
+   Licensed under the MIT License <http://opensource.org/licenses/MIT>.
+
+   Copyright © 2020-2025 Microsoft Corporation. All rights reserved.
+   Author : <[email protected]>
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in all
+   copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+   SOFTWARE
+*/
+
+package azstorage
+
+import (
+	"context"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/service"
+	serviceBfs "github.com/Azure/azure-sdk-for-go/sdk/storage/azdatalake/service"
+	"github.com/Azure/azure-storage-fuse/v2/common/log"
+)
+
+// Verify that the Auth implement the correct AzAuth interfaces
+var _ azAuth = &azAuthBlobClientAssertion{}
+var _ azAuth = &azAuthDatalakeClientAssertion{}
+
+type azAuthClientAssertion struct {
+	azAuthBase
+	azOAuthBase
+}
+
+func (azclientassertion *azAuthClientAssertion) getTokenCredential() (azcore.TokenCredential, error) {
+	opts := azclientassertion.getAzIdentityClientOptions(&azclientassertion.config)
+
+	// Create MSI cred to fetch token
+	msiOpts := &azidentity.ManagedIdentityCredentialOptions{
+		ClientOptions: opts,
+	}
+	msiOpts.ID = azidentity.ClientID(azclientassertion.config.ApplicationID)
+	cred, err := azidentity.NewManagedIdentityCredential(msiOpts)
+	if err != nil {
+		log.Err("azAuthClientAssertion::getTokenCredential : Failed to create managed identity credential [%s]", err.Error())
+		return nil, err
+	}
+
+	scope := "api://AzureADTokenExchange"
+	if azclientassertion.config.AuthResource != "" {
+		scope = azclientassertion.config.AuthResource
+	}
+
+	getClientAssertions := func(context.Context) (string, error) {
+		token, err := cred.GetToken(context.Background(), policy.TokenRequestOptions{
+			Scopes: []string{scope},
+		})
+
+		if err != nil {
+			log.Err("azAuthClientAssertion::getTokenCredential : Failed to get token from managed identity credential [%s]", err.Error())
+			return "", err
+		}
+
+		return token.Token, nil
+	}
+
+	if azclientassertion.config.UserAssertion == "" {
+		assertOpts := &azidentity.ClientAssertionCredentialOptions{
+			ClientOptions: opts,
+		}
+
+		return azidentity.NewClientAssertionCredential(
+			azclientassertion.config.TenantID,
+			azclientassertion.config.ClientID,
+			getClientAssertions,
+			assertOpts)
+	} else {
+		assertOpts := &azidentity.OnBehalfOfCredentialOptions{
+			ClientOptions: opts,
+		}
+
+		return azidentity.NewOnBehalfOfCredentialWithClientAssertions(
+			azclientassertion.config.TenantID,
+			azclientassertion.config.ClientID,
+			azclientassertion.config.UserAssertion,
+			getClientAssertions,
+			assertOpts)
+	}
+}
+
+type azAuthBlobClientAssertion struct {
+	azAuthClientAssertion
+}
+
+// getServiceClient : returns SPN based service client for blob
+func (azclientassertion *azAuthBlobClientAssertion) getServiceClient(stConfig *AzStorageConfig) (interface{}, error) {
+	cred, err := azclientassertion.getTokenCredential()
+	if err != nil {
+		log.Err("azAuthBlobClientAssertion::getServiceClient : Failed to get token credential from client assertion [%s]", err.Error())
+		return nil, err
+	}
+
+	opts, err := getAzBlobServiceClientOptions(stConfig)
+	if err != nil {
+		log.Err("azAuthBlobClientAssertion::getServiceClient : Failed to create client options [%s]", err.Error())
+		return nil, err
+	}
+
+	svcClient, err := service.NewClient(azclientassertion.config.Endpoint, cred, opts)
+	if err != nil {
+		log.Err("azAuthBlobClientAssertion::getServiceClient : Failed to create service client [%s]", err.Error())
+	}
+
+	return svcClient, err
+}
+
+type azAuthDatalakeClientAssertion struct {
+	azAuthClientAssertion
+}
+
+// getServiceClient : returns SPN based service client for blob
+func (azclientassertion *azAuthDatalakeClientAssertion) getServiceClient(stConfig *AzStorageConfig) (interface{}, error) {
+	cred, err := azclientassertion.getTokenCredential()
+	if err != nil {
+		log.Err("azAuthDatalakeClientAssertion::getServiceClient : Failed to get token credential from client assertion [%s]", err.Error())
+		return nil, err
+	}
+
+	opts, err := getAzDatalakeServiceClientOptions(stConfig)
+	if err != nil {
+		log.Err("azAuthDatalakeClientAssertion::getServiceClient : Failed to create client options [%s]", err.Error())
+		return nil, err
+	}
+
+	svcClient, err := serviceBfs.NewClient(azclientassertion.config.Endpoint, cred, opts)
+	if err != nil {
+		log.Err("azAuthDatalakeClientAssertion::getServiceClient : Failed to create service client [%s]", err.Error())
+	}
+
+	return svcClient, err
+}

component/azstorage/config.go

@@ -76,6 +76,10 @@ func (AuthType) AZCLI() AuthType {
 	return AuthType(5)
 }
 
+func (AuthType) CLIENTASSERTION() AuthType {
+	return AuthType(6)
+}
+
 func (a AuthType) String() string {
 	return enum.StringInt(a, reflect.TypeOf(a))
 }
@@ -144,6 +148,7 @@ const (
 	EnvAzAuthResource                    = "AZURE_STORAGE_AUTH_RESOURCE"
 	EnvAzStorageCpkEncryptionKey         = "AZURE_STORAGE_CPK_ENCRYPTION_KEY"
 	EnvAzStorageCpkEncryptionKeySha256   = "AZURE_STORAGE_CPK_ENCRYPTION_KEY_SHA256"
+	EnvAzUserAssertion                   = "AZURE_STORAGE_USER_ASSERTION"
 )
 
 type AzStorageOptions struct {
@@ -189,6 +194,7 @@ type AzStorageOptions struct {
 	CPKEncryptionKeySha256  string `config:"cpk-encryption-key-sha256" yaml:"cpk-encryption-key-sha256"`
 	PreserveACL             bool   `config:"preserve-acl" yaml:"preserve-acl"`
 	Filter                  string `config:"filter" yaml:"filter"`
+	UserAssertion           string `config:"user-assertion" yaml:"user-assertions"`
 
 	// v1 support
 	UseAdls        bool   `config:"use-adls" yaml:"-"`
@@ -230,6 +236,7 @@ func RegisterEnvVariables() {
 	config.BindEnv("azstorage.cpk-encryption-key", EnvAzStorageCpkEncryptionKey)
 	config.BindEnv("azstorage.cpk-encryption-key-sha256", EnvAzStorageCpkEncryptionKeySha256)
 
+	config.BindEnv("azstorage.user-assertion", EnvAzUserAssertion)
 }
 
 //    ----------- Config Parsing and Validation  ---------------
@@ -467,6 +474,16 @@ func ParseAndValidateConfig(az *AzStorage, opt AzStorageOptions) error {
 		az.stConfig.authConfig.WorkloadIdentityToken = opt.WorkloadIdentityToken
 	case EAuthType.AZCLI():
 		az.stConfig.authConfig.AuthMode = EAuthType.AZCLI()
+	case EAuthType.CLIENTASSERTION():
+		az.stConfig.authConfig.AuthMode = EAuthType.CLIENTASSERTION()
+		if opt.ClientID == "" || opt.TenantID == "" || opt.ApplicationID == "" {
+			return errors.New("Client ID, Tenant ID or Application ID not provided")
+		}
+
+		az.stConfig.authConfig.ClientID = opt.ClientID
+		az.stConfig.authConfig.TenantID = opt.TenantID
+		az.stConfig.authConfig.ApplicationID = opt.ApplicationID
+		az.stConfig.authConfig.UserAssertion = opt.UserAssertion
 
 	default:
 		log.Err("ParseAndValidateConfig : Invalid auth mode %s", opt.AuthMode)