From 2a478f5f8ed8e5f2a7be8e49aea5dc4c2c7f0b34 Mon Sep 17 00:00:00 2001
From: weizhichen
Date: Wed, 1 Mar 2023 01:24:18 +0000
Subject: [PATCH] fix
---
 .../Azure/go-autorest/autorest/adal/token.go | 23 ++++++++++++-------
 .../pkg/provider/config/azure_auth.go | 13 +++++++----
 2 files changed, 24 insertions(+), 12 deletions(-)
diff --git a/vendor/github.com/Azure/go-autorest/autorest/adal/token.go b/vendor/github.com/Azure/go-autorest/autorest/adal/token.go
index c90209a948..b9217aaf11 100644
--- a/vendor/github.com/Azure/go-autorest/autorest/adal/token.go
+++ b/vendor/github.com/Azure/go-autorest/autorest/adal/token.go
@@ -127,6 +127,9 @@ type TokenRefreshCallback func(Token) error
 // TokenRefresh is a type representing a custom callback to refresh a token
 type TokenRefresh func(ctx context.Context, resource string) (*Token, error)
+// JWTCallback is the type representing callback that will be called to get the federated OIDC JWT
+type JWTCallback func() (string, error)
+
 // Token encapsulates the access token used to authorize Azure requests.
 // https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow#service-to-service-access-token-response
 type Token struct {
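Review bot: The doc comment on the new `JWTCallback` type does not say when it is invoked, which is the one thing an implementer needs to know: judging from the `SetAuthenticationValues` change in the next hunk it is called on every token acquisition, so it must be cheap, safe to call repeatedly, and return the currently valid assertion rather than a value cached at construction. I would reword it to `// JWTCallback returns the federated OIDC JWT to present as the client assertion. It is invoked on every token acquisition, so it must be safe to call repeatedly and return the currently valid assertion.` The comment should also state whether an empty string is an acceptable return, since nothing in the type constrains it.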
@@ -367,14 +370,18 @@ func (secret ServicePrincipalAuthorizationCodeSecret) MarshalJSON() ([]byte, err
 // ServicePrincipalFederatedSecret implements ServicePrincipalSecret for Federated JWTs.
 type ServicePrincipalFederatedSecret struct {
- jwt string
+ jwtCallback JWTCallback
 }
 // SetAuthenticationValues is a method of the interface ServicePrincipalSecret.
 // It will populate the form submitted during OAuth Token Acquisition using a JWT signed by an OIDC issuer.
-func (secret *ServicePrincipalFederatedSecret) SetAuthenticationValues(spt *ServicePrincipalToken, v *url.Values) error {
+func (secret *ServicePrincipalFederatedSecret) SetAuthenticationValues(_ *ServicePrincipalToken, v *url.Values) error {
+ jwt, err := secret.jwtCallback()
+ if err != nil {
+ return err
+ }
- v.Set("client_assertion", secret.jwt)
+ v.Set("client_assertion", jwt)
 v.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
 return nil
 }
@@ -686,8 +693,8 @@ func NewServicePrincipalTokenFromAuthorizationCode(oauthConfig OAuthConfig, clie
 )
 }
-// NewServicePrincipalTokenFromFederatedToken creates a ServicePrincipalToken from the supplied federated OIDC JWT.
-func NewServicePrincipalTokenFromFederatedToken(oauthConfig OAuthConfig, clientID string, jwt string, resource string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error) {
+// NewServicePrincipalTokenFromFederatedToken creates a ServicePrincipalToken from the supplied federated OIDC JWTCallback.
+func NewServicePrincipalTokenFromFederatedToken(oauthConfig OAuthConfig, clientID string, jwtCallback JWTCallback, resource string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error) {
 if err := validateOAuthConfig(oauthConfig); err != nil {
 return nil, err
 }
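Review bot: `SetAuthenticationValues` now sends whatever the callback returns as `client_assertion` without inspecting it, so an empty result reaches the token endpoint; the old `jwt == ""` guard that caught this at construction time is removed in the hunk at -697 and is not reinstated anywhere in the patch. A one-line check after the error return restores that behaviour at the point where the value is actually known: `if jwt == "" { return fmt.Errorf("federated JWT callback returned an empty assertion") }` (fmt appears to be in scope in this file, given the `fmt.Errorf` call in the hunk at -697). The same check could instead live inside the callback in azure_auth.go, but placing it here covers every caller that supplies a `JWTCallback`.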
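Review bot: Changing the exported signature of `NewServicePrincipalTokenFromFederatedToken` from `jwt string` to `jwtCallback JWTCallback` is a breaking API change in a vendored package, so any other in-tree caller that still passes a string stops compiling; the patch touches only azure_auth.go, which is worth confirming is the sole caller. The updated doc comment should also carry the new contract rather than only the type name, e.g. `// NewServicePrincipalTokenFromFederatedToken creates a ServicePrincipalToken whose client assertion is obtained from jwtCallback on every token acquisition.` The function body continues outside this hunk.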
@@ -697,15 +704,15 @@ func NewServicePrincipalTokenFromFederatedToken(oauthConfig OAuthConfig, clientI
 if err := validateStringParam(resource, "resource"); err != nil {
 return nil, err
 }
- if jwt == "" {
- return nil, fmt.Errorf("parameter 'jwt' cannot be empty")
+ if jwtCallback == nil {
+ return nil, fmt.Errorf("parameter 'jwtCallback' cannot be empty")
 }
 return NewServicePrincipalTokenWithSecret(
 oauthConfig,
 clientID,
 resource,
 &ServicePrincipalFederatedSecret{
- jwt: jwt,
+ jwtCallback: jwtCallback,
 },
 callbacks...,
 )
diff --git a/vendor/sigs.k8s.io/cloud-provider-azure/pkg/provider/config/azure_auth.go b/vendor/sigs.k8s.io/cloud-provider-azure/pkg/provider/config/azure_auth.go
index e49c6df895..974749a1b3 100644
--- a/vendor/sigs.k8s.io/cloud-provider-azure/pkg/provider/config/azure_auth.go
+++ b/vendor/sigs.k8s.io/cloud-provider-azure/pkg/provider/config/azure_auth.go
@@ -110,11 +110,16 @@ func GetServicePrincipalToken(config *AzureAuthConfig, env *azure.Environment, r
 if err != nil {
 return nil, fmt.Errorf("failed to create the OAuth config: %w", err)
 }
- jwt, err := os.ReadFile(config.AADFederatedTokenFile)
- if err != nil {
- return nil, fmt.Errorf("failed to read a file with a federated token: %w", err)
+
+ jwtCallback := func() (string, error) {
+ jwt, err := os.ReadFile(config.AADFederatedTokenFile)
+ if err != nil {
+ return "", fmt.Errorf("failed to read a file with a federated token: %w", err)
+ }
+ return string(jwt), nil
 }
- token, err := adal.NewServicePrincipalTokenFromFederatedToken(*oauthConfig, config.AADClientID, string(jwt), env.ResourceManagerEndpoint)
+
+ token, err := adal.NewServicePrincipalTokenFromFederatedToken(*oauthConfig, config.AADClientID, jwtCallback, env.ResourceManagerEndpoint)
 if err != nil {
 return nil, fmt.Errorf("failed to create a workload identity token: %w", err)
 }
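Review bot: The replacement error text `parameter 'jwtCallback' cannot be empty` describes a nil func value as "empty", which reads oddly to whoever debugs it; `return nil, fmt.Errorf("parameter 'jwtCallback' cannot be nil")` says what is actually checked. Worth noting in the doc comment as well that, with the string check gone, a missing or empty token file is no longer detected by this constructor but surfaces on the first token request through the callback's error, so callers that relied on the previous fail-fast behaviour now see the failure from the refresh path. NewServicePrincipalTokenFromFederatedToken begins outside this hunk.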
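Review bot: The closure re-reads `config.AADFederatedTokenFile` on every invocation and captures `config` by pointer, and neither is stated, so the next reader may well "optimise" it back into the single read this commit is replacing; a comment above `jwtCallback := func() (string, error) {` such as `// Read the token file on every acquisition (presumably so a rotated federated token is picked up); config is captured by reference.` would preserve the intent. Since the file content is passed through verbatim as the client assertion, it is also worth confirming how the file is written: if it can carry a trailing newline, trimming it before returning (which would need `strings` in scope in this file) avoids sending the newline as part of the assertion. GetServicePrincipalToken starts and ends outside this hunk.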