Merge branch 'main' into cleanpipeline

CHANGELOG.md

@@ -1,3 +1,6 @@
+## 2.5.0 (Unreleased)
+**Features**
+- Added `Client Assertion` based authentication for containers. Configure `tenant-id, client-id, aad-application-id and security scope` with `authMode` set to `workloadidentity`.
 
 ## 2.5.0~preview.1 (Unreleased)
 **Features**

README.md

@@ -202,6 +202,18 @@ To learn about a specific command, just include the name of the command (For exa
     * `AZURE_STORAGE_AAD_ENDPOINT`: Specifies a custom AAD endpoint to authenticate against
     * `AZURE_STORAGE_SPN_CLIENT_SECRET`: Specifies the client secret for your application registration.
     * `AZURE_STORAGE_AUTH_RESOURCE` : Scope to be used while requesting for token.
+- Workload Identity auth:
+    * `AZURE_STORAGE_SPN_CLIENT_ID`: Specifies the clientid of the MI assigned to the storage account | clientid of the MI assigned as subject field on a Federated Identity Credential (FIC) on the App Registration
+    * `AZURE_STORAGE_SPN_TENANT_ID`: Specifies the tenant ID for your storage account
+    * `AZURE_STORAGE_IDENTITY_CLIENT_ID`: Specifies the application (client) ID of the App Registration or SPN
+    * `AZURE_STORAGE_AUTH_RESOURCE` : Scope to be used while requesting for token / MI Audience.
+
+            Public Cloud: api://AzureADTokenExchange  (Default)
+
+            US Gov Cloud: api://AzureADTokenExchangeUSGov
+
+            China Cloud operated by 21Vianet: api://AzureADTokenExchangeChina
+
 - Proxy Server:
     * `http_proxy`: The proxy server address. Example: `10.1.22.4:8080`.    
     * `https_proxy`: The proxy server address when https is turned off forcing http. Example: `10.1.22.4:8080`.

blobfuse2-code-coverage.yaml

@@ -538,20 +538,20 @@ stages:
             workingDirectory: $(WORK_DIR)
             displayName: "ADLS Coverage Proxy"
 
-          # -------------------------------------------------------
-          # Coverage report consolidation
-          - script: |
-              echo 'mode: count' > ./blobfuse2_coverage_raw.rpt
-              tail -q -n +2 ./*.cov >> ./blobfuse2_coverage_raw.rpt
-              cat ./blobfuse2_coverage_raw.rpt | grep -v mock_component | grep -v base_component | grep -v loopback | grep -v tools | grep -v "common/log" | grep -v "common/exectime" | grep -v "common/types.go" | grep -v "internal/stats_manager" | grep -v "main.go" | grep -v "component/azstorage/azauthmsi.go" | grep -v "component/azstorage/azauthspn.go" | grep -v "component/stream" | grep -v "component/custom" | grep -v "component/azstorage/azauthcli.go" | grep -v "exported/exported.go" |  grep -v "component/block_cache/stream.go" > ./blobfuse2_coverage.rpt 
-              go tool cover -func blobfuse2_coverage.rpt  > ./blobfuse2_func_cover.rpt
-              go tool cover -html=./blobfuse2_coverage.rpt -o ./blobfuse2_coverage.html
-              go tool cover -html=./blobfuse2_ut.cov -o ./blobfuse2_ut.html
-              cp ./*.rpt  $(Build.ArtifactStagingDirectory)/
-              cp ./*.cov  $(Build.ArtifactStagingDirectory)/
-              cp ./*.html $(Build.ArtifactStagingDirectory)/
-            workingDirectory: $(WORK_DIR)
-            displayName: "Save coverage report"
+            # -------------------------------------------------------
+            # Coverage report consolidation
+            - script: |
+                echo 'mode: count' > ./blobfuse2_coverage_raw.rpt
+                tail -q -n +2 ./*.cov >> ./blobfuse2_coverage_raw.rpt
+                cat ./blobfuse2_coverage_raw.rpt | grep -v mock_component | grep -v base_component | grep -v loopback | grep -v tools | grep -v "common/log" | grep -v "common/exectime" | grep -v "common/types.go" | grep -v "internal/stats_manager" | grep -v "main.go" | grep -v "component/azstorage/azauthmsi.go" | grep -v "component/azstorage/azauthspn.go" | grep -v "component/stream" | grep -v "component/custom" | grep -v "component/azstorage/azauthcli.go" | grep -v "exported/exported.go" |  grep -v "component/block_cache/stream.go"  | grep -v "component/azstorage/azAuthWorkloadIdentity.go" > ./blobfuse2_coverage.rpt 
+                go tool cover -func blobfuse2_coverage.rpt  > ./blobfuse2_func_cover.rpt
+                go tool cover -html=./blobfuse2_coverage.rpt -o ./blobfuse2_coverage.html
+                go tool cover -html=./blobfuse2_ut.cov -o ./blobfuse2_ut.html
+                cp ./*.rpt  $(Build.ArtifactStagingDirectory)/
+                cp ./*.cov  $(Build.ArtifactStagingDirectory)/
+                cp ./*.html $(Build.ArtifactStagingDirectory)/
+              workingDirectory: $(WORK_DIR)
+              displayName: "Save coverage report"
 
           # Publish the Artifacts
           - task: PublishBuildArtifacts@1

common/types.go

@@ -47,7 +47,7 @@ import (
 
 // Standard config default values
 const (
-	blobfuse2Version_ = "2.4.1"
+	blobfuse2Version_ = "2.5.0~preview.1"
 
 	DefaultMaxLogFileSize = 512
 	DefaultLogFileCount   = 10
@@ -322,3 +322,9 @@ func init() {
 	DefaultLogFilePath = filepath.Join(DefaultWorkDir, "blobfuse2.log")
 	StatsConfigFilePath = filepath.Join(DefaultWorkDir, "stats_monitor.cfg")
 }
+
+var azureSpecialContainers = map[string]bool{
+	"web":        true,
+	"logs":       true,
+	"changefeed": true,
+}

common/util.go

@@ -334,7 +334,13 @@ func ExpandPath(path string) string {
 		path = filepath.Join(homeDir, path[2:])
 	}
 
-	path = os.ExpandEnv(path)
+	path = os.Expand(path, func(key string) string {
+		if azureSpecialContainers[key] {
+			return "$" + key // Keep it as is
+		}
+		return os.Getenv(key) // Expand normally
+	})
+
 	path, _ = filepath.Abs(path)
 	return path
 }

common/util_test.go

@@ -257,6 +257,16 @@ func (suite *utilTestSuite) TestExpandPath() {
 	path = ""
 	expandedPath = ExpandPath(path)
 	suite.assert.Equal(expandedPath, path)
+
+	path = "$HOME/.blobfuse2/config_$web.yaml"
+	expandedPath = ExpandPath(path)
+	suite.assert.NotEqual(expandedPath, path)
+	suite.assert.Contains(path, "$web")
+
+	path = "$HOME/.blobfuse2/$web"
+	expandedPath = ExpandPath(path)
+	suite.assert.NotEqual(expandedPath, path)
+	suite.assert.Contains(path, "$web")
 }
 
 func (suite *utilTestSuite) TestGetUSage() {

component/azstorage/azauth.go

@@ -66,8 +66,14 @@ type azAuthConfig struct {
 	WorkloadIdentityToken   string
 	ActiveDirectoryEndpoint string
 
-	Endpoint     string
+	// Client assertions config
+	// This will need ApplicationID, TenantID and ClientID as well
+	UserAssertion string
+
+	// Auth resource / security scope for OAuth
 	AuthResource string
+
+	Endpoint string
 }
 
 // azAuth : Interface to define a generic authentication type
@@ -131,6 +137,12 @@ func getAzBlobAuth(config azAuthConfig) azAuth {
 				azAuthBase: base,
 			},
 		}
+	} else if config.AuthMode == EAuthType.WORKLOADIDENTITY() {
+		return &azAuthBlobWorkloadIdentity{
+			azAuthWorkloadIdentity{
+				azAuthBase: base,
+			},
+		}
 	} else {
 		log.Crit("azAuth::getAzBlobAuth : Auth type %s not supported. Failed to create Auth object", config.AuthMode)
 	}
@@ -169,6 +181,12 @@ func getAzDatalakeAuth(config azAuthConfig) azAuth {
 				azAuthBase: base,
 			},
 		}
+	} else if config.AuthMode == EAuthType.WORKLOADIDENTITY() {
+		return &azAuthDatalakeWorkloadIdentity{
+			azAuthWorkloadIdentity{
+				azAuthBase: base,
+			},
+		}
 	} else {
 		log.Crit("azAuth::getAzDatalakeAuth : Auth type %s not supported. Failed to create Auth object", config.AuthMode)
 	}

component/azstorage/azauthWorkloadIdentity.go

@@ -0,0 +1,162 @@
+/*
+    _____           _____   _____   ____          ______  _____  ------
+   |     |  |      |     | |     | |     |     | |       |            |
+   |     |  |      |     | |     | |     |     | |       |            |
+   | --- |  |      |     | |-----| |---- |     | |-----| |-----  ------
+   |     |  |      |     | |     | |     |     |       | |       |
+   | ____|  |_____ | ____| | ____| |     |_____|  _____| |_____  |_____
+
+
+   Licensed under the MIT License <http://opensource.org/licenses/MIT>.
+
+   Copyright © 2020-2025 Microsoft Corporation. All rights reserved.
+   Author : <blobfusedev@microsoft.com>
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in all
+   copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+   SOFTWARE
+*/
+
+package azstorage
+
+import (
+	"context"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/service"
+	serviceBfs "github.com/Azure/azure-sdk-for-go/sdk/storage/azdatalake/service"
+	"github.com/Azure/azure-storage-fuse/v2/common/log"
+)
+
+// Verify that the Auth implement the correct AzAuth interfaces
+var _ azAuth = &azAuthBlobWorkloadIdentity{}
+var _ azAuth = &azAuthDatalakeWorkloadIdentity{}
+
+type azAuthWorkloadIdentity struct {
+	azAuthBase
+	azOAuthBase
+}
+
+func (azWorkloadIdentity *azAuthWorkloadIdentity) getTokenCredential() (azcore.TokenCredential, error) {
+	opts := azWorkloadIdentity.getAzIdentityClientOptions(&azWorkloadIdentity.config)
+
+	// Create MSI cred to fetch token
+	msiOpts := &azidentity.ManagedIdentityCredentialOptions{
+		ClientOptions: opts,
+	}
+	msiOpts.ID = azidentity.ClientID(azWorkloadIdentity.config.ApplicationID)
+	cred, err := azidentity.NewManagedIdentityCredential(msiOpts)
+	if err != nil {
+		log.Err("azAuthWorkloadIdentity::getTokenCredential : Failed to create managed identity credential [%s]", err.Error())
+		return nil, err
+	}
+
+	scope := "api://AzureADTokenExchange"
+	if azWorkloadIdentity.config.AuthResource != "" {
+		scope = azWorkloadIdentity.config.AuthResource
+	}
+
+	getClientAssertions := func(context.Context) (string, error) {
+		token, err := cred.GetToken(context.Background(), policy.TokenRequestOptions{
+			Scopes: []string{scope},
+		})
+
+		if err != nil {
+			log.Err("azAuthWorkloadIdentity::getTokenCredential : Failed to get token from managed identity credential [%s]", err.Error())
+			return "", err
+		}
+
+		return token.Token, nil
+	}
+
+	if azWorkloadIdentity.config.UserAssertion == "" {
+		assertOpts := &azidentity.ClientAssertionCredentialOptions{
+			ClientOptions: opts,
+		}
+
+		return azidentity.NewClientAssertionCredential(
+			azWorkloadIdentity.config.TenantID,
+			azWorkloadIdentity.config.ClientID,
+			getClientAssertions,
+			assertOpts)
+	} else {
+		assertOpts := &azidentity.OnBehalfOfCredentialOptions{
+			ClientOptions: opts,
+		}
+
+		return azidentity.NewOnBehalfOfCredentialWithClientAssertions(
+			azWorkloadIdentity.config.TenantID,
+			azWorkloadIdentity.config.ClientID,
+			azWorkloadIdentity.config.UserAssertion,
+			getClientAssertions,
+			assertOpts)
+	}
+}
+
+type azAuthBlobWorkloadIdentity struct {
+	azAuthWorkloadIdentity
+}
+
+// getServiceClient : returns SPN based service client for blob
+func (azWorkloadIdentity *azAuthBlobWorkloadIdentity) getServiceClient(stConfig *AzStorageConfig) (interface{}, error) {
+	cred, err := azWorkloadIdentity.getTokenCredential()
+	if err != nil {
+		log.Err("azAuthBlobWorkloadIdentity::getServiceClient : Failed to get token credential from client assertion [%s]", err.Error())
+		return nil, err
+	}
+
+	opts, err := getAzBlobServiceClientOptions(stConfig)
+	if err != nil {
+		log.Err("azAuthBlobWorkloadIdentity::getServiceClient : Failed to create client options [%s]", err.Error())
+		return nil, err
+	}
+
+	svcClient, err := service.NewClient(azWorkloadIdentity.config.Endpoint, cred, opts)
+	if err != nil {
+		log.Err("azAuthBlobWorkloadIdentity::getServiceClient : Failed to create service client [%s]", err.Error())
+	}
+
+	return svcClient, err
+}
+
+type azAuthDatalakeWorkloadIdentity struct {
+	azAuthWorkloadIdentity
+}
+
+// getServiceClient : returns SPN based service client for blob
+func (azWorkloadIdentity *azAuthDatalakeWorkloadIdentity) getServiceClient(stConfig *AzStorageConfig) (interface{}, error) {
+	cred, err := azWorkloadIdentity.getTokenCredential()
+	if err != nil {
+		log.Err("azAuthDatalakeWorkloadIdentity::getServiceClient : Failed to get token credential from client assertion [%s]", err.Error())
+		return nil, err
+	}
+
+	opts, err := getAzDatalakeServiceClientOptions(stConfig)
+	if err != nil {
+		log.Err("azAuthDatalakeWorkloadIdentity::getServiceClient : Failed to create client options [%s]", err.Error())
+		return nil, err
+	}
+
+	svcClient, err := serviceBfs.NewClient(azWorkloadIdentity.config.Endpoint, cred, opts)
+	if err != nil {
+		log.Err("azAuthDatalakeWorkloadIdentity::getServiceClient : Failed to create service client [%s]", err.Error())
+	}
+
+	return svcClient, err
+}

component/azstorage/config.go

@@ -76,6 +76,10 @@ func (AuthType) AZCLI() AuthType {
 	return AuthType(5)
 }
 
+func (AuthType) WORKLOADIDENTITY() AuthType {
+	return AuthType(6)
+}
+
 func (a AuthType) String() string {
 	return enum.StringInt(a, reflect.TypeOf(a))
 }
@@ -144,6 +148,7 @@ const (
 	EnvAzAuthResource                    = "AZURE_STORAGE_AUTH_RESOURCE"
 	EnvAzStorageCpkEncryptionKey         = "AZURE_STORAGE_CPK_ENCRYPTION_KEY"
 	EnvAzStorageCpkEncryptionKeySha256   = "AZURE_STORAGE_CPK_ENCRYPTION_KEY_SHA256"
+	EnvAzUserAssertion                   = "AZURE_STORAGE_USER_ASSERTION"
 )
 
 type AzStorageOptions struct {
@@ -189,6 +194,7 @@ type AzStorageOptions struct {
 	CPKEncryptionKeySha256  string `config:"cpk-encryption-key-sha256" yaml:"cpk-encryption-key-sha256"`
 	PreserveACL             bool   `config:"preserve-acl" yaml:"preserve-acl"`
 	Filter                  string `config:"filter" yaml:"filter"`
+	UserAssertion           string `config:"user-assertion" yaml:"user-assertions"`
 
 	// v1 support
 	UseAdls        bool   `config:"use-adls" yaml:"-"`
@@ -230,6 +236,7 @@ func RegisterEnvVariables() {
 	config.BindEnv("azstorage.cpk-encryption-key", EnvAzStorageCpkEncryptionKey)
 	config.BindEnv("azstorage.cpk-encryption-key-sha256", EnvAzStorageCpkEncryptionKeySha256)
 
+	config.BindEnv("azstorage.user-assertion", EnvAzUserAssertion)
 }
 
 //    ----------- Config Parsing and Validation  ---------------
@@ -467,6 +474,16 @@ func ParseAndValidateConfig(az *AzStorage, opt AzStorageOptions) error {
 		az.stConfig.authConfig.WorkloadIdentityToken = opt.WorkloadIdentityToken
 	case EAuthType.AZCLI():
 		az.stConfig.authConfig.AuthMode = EAuthType.AZCLI()
+	case EAuthType.WORKLOADIDENTITY():
+		az.stConfig.authConfig.AuthMode = EAuthType.WORKLOADIDENTITY()
+		if opt.ClientID == "" || opt.TenantID == "" || opt.ApplicationID == "" {
+			return errors.New("Client ID, Tenant ID or Application ID not provided")
+		}
+
+		az.stConfig.authConfig.ClientID = opt.ClientID
+		az.stConfig.authConfig.TenantID = opt.TenantID
+		az.stConfig.authConfig.ApplicationID = opt.ApplicationID
+		az.stConfig.authConfig.UserAssertion = opt.UserAssertion
 
 	default:
 		log.Err("ParseAndValidateConfig : Invalid auth mode %s", opt.AuthMode)