fix: use proper scope for Entra auth (#198)

microsoft · May 30, 2024 · 3ed002a · 3ed002a
1 parent b3a8513
commit 3ed002a
Showing 1 changed file with 22 additions and 17 deletions.
diff --git a/azuread/configuration.go b/azuread/configuration.go
@@ -5,6 +5,8 @@ package azuread
 
 import (
 	"context"
+	"crypto"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"os"
@@ -75,23 +77,23 @@ func parse(dsn string) (*azureFedAuthConfig, error) {
 
 func (p *azureFedAuthConfig) validateParameters(params map[string]string) error {
 
-	fedAuthWorkflow, _ := params["fedauth"]
+	fedAuthWorkflow := params["fedauth"]
 	if fedAuthWorkflow == "" {
 		return nil
 	}
 
 	p.fedAuthLibrary = mssql.FedAuthLibraryADAL
 
-	p.applicationClientID, _ = params["applicationclientid"]
+	p.applicationClientID = params["applicationclientid"]
 
 	switch {
 	case strings.EqualFold(fedAuthWorkflow, ActiveDirectoryPassword):
 		if p.applicationClientID == "" {
 			return errors.New("applicationclientid parameter is required for " + ActiveDirectoryPassword)
 		}
 		p.adalWorkflow = mssql.FedAuthADALWorkflowPassword
-		p.user, _ = params["user id"]
-		p.password, _ = params["password"]
+		p.user = params["user id"]
+		p.password = params["password"]
 	case strings.EqualFold(fedAuthWorkflow, ActiveDirectoryIntegrated):
 		// Active Directory Integrated authentication is not fully supported:
 		// you can only use this by also implementing an a token provider
@@ -101,7 +103,7 @@ func (p *azureFedAuthConfig) validateParameters(params map[string]string) error
 		// When using MSI, to request a specific client ID or user-assigned identity,
 		// provide the ID in the "user id" parameter
 		p.adalWorkflow = mssql.FedAuthADALWorkflowMSI
-		p.resourceID, _ = params["resource id"]
+		p.resourceID = params["resource id"]
 		p.clientID, _ = splitTenantAndClientID(params["user id"])
 	case strings.EqualFold(fedAuthWorkflow, ActiveDirectoryApplication) || strings.EqualFold(fedAuthWorkflow, ActiveDirectoryServicePrincipal):
 		p.adalWorkflow = mssql.FedAuthADALWorkflowPassword
@@ -112,9 +114,9 @@ func (p *azureFedAuthConfig) validateParameters(params map[string]string) error
 			return errors.New("Must provide 'client id[@tenant id]' as username parameter when using ActiveDirectoryApplication authentication")
 		}
 
-		p.clientSecret, _ = params["password"]
+		p.clientSecret = params["password"]
 
-		p.certificatePath, _ = params["clientcertpath"]
+		p.certificatePath = params["clientcertpath"]
 
 		if p.certificatePath == "" && p.clientSecret == "" {
 			return errors.New("Must provide 'password' parameter when using ActiveDirectoryApplication authentication without cert/key credentials")
@@ -126,13 +128,13 @@ func (p *azureFedAuthConfig) validateParameters(params map[string]string) error
 			return errors.New("applicationclientid parameter is required for " + ActiveDirectoryInteractive)
 		}
 		// user is an optional login hint
-		p.user, _ = params["user id"]
+		p.user = params["user id"]
 		// we don't really have a password but we need to use some value.
 		p.adalWorkflow = mssql.FedAuthADALWorkflowPassword
 	case strings.EqualFold(fedAuthWorkflow, ActiveDirectoryServicePrincipalAccessToken):
 		p.fedAuthLibrary = mssql.FedAuthLibrarySecurityToken
 		p.adalWorkflow = mssql.FedAuthADALWorkflowNone
-		p.password, _ = params["password"]
+		p.password = params["password"]
 
 		if p.password == "" {
 			return errors.New("Must provide 'password' parameter when using ActiveDirectoryServicePrincipalAccessToken authentication")
@@ -156,10 +158,10 @@ func splitTenantAndClientID(user string) (string, string) {
 	return user[0:at], user[at+1:]
 }
 
-func splitAuthorityAndTenant(authorityUrl string) (string, string) {
-	separatorIndex := strings.LastIndex(authorityUrl, "/")
-	tenant := authorityUrl[separatorIndex+1:]
-	authority := authorityUrl[:separatorIndex]
+func splitAuthorityAndTenant(authorityURL string) (string, string) {
+	separatorIndex := strings.LastIndex(authorityURL, "/")
+	tenant := authorityURL[separatorIndex+1:]
+	authority := authorityURL[:separatorIndex]
 	return authority, tenant
 }
 
@@ -171,18 +173,21 @@ func (p *azureFedAuthConfig) provideActiveDirectoryToken(ctx context.Context, se
 	if p.tenantID != "" {
 		tenant = p.tenantID
 	}
-	scope := stsURL
+	scope := serverSPN
 	if !strings.HasSuffix(serverSPN, scopeDefaultSuffix) {
-		scope = strings.TrimRight(serverSPN, "/") + scopeDefaultSuffix
+		scope = serverSPN + scopeDefaultSuffix
 	}
 
 	switch p.fedAuthWorkflow {
 	case ActiveDirectoryServicePrincipal, ActiveDirectoryApplication:
 		switch {
 		case p.certificatePath != "":
-			certData, err := os.ReadFile(p.certificatePath)
+			var certData []byte
+			certData, err = os.ReadFile(p.certificatePath)
 			if err != nil {
-				certs, key, err := azidentity.ParseCertificates(certData, []byte(p.clientSecret))
+				var certs []*x509.Certificate
+				var key crypto.PrivateKey
+				certs, key, err = azidentity.ParseCertificates(certData, []byte(p.clientSecret))
 				if err != nil {
 					cred, err = azidentity.NewClientCertificateCredential(tenant, p.clientID, certs, key, nil)
 				}