OIDC support (with PS support) (#157)

* Added OIDC support for login action (#147)

* OIDC support for Powershell login (#156)

* OIDC support ps (#155)

ps login support

* Update main.ts

* formatting code

* nit changes

Co-authored-by: Balaga Gayatri <balaga-gayatri@github.com>

lib/main.js

@@ -1,4 +1,23 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
     function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
@@ -8,13 +27,6 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
-    result["default"] = mod;
-    return result;
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 const core = __importStar(require("@actions/core"));
 const exec = __importStar(require("@actions/exec"));
@@ -36,6 +48,7 @@ function main() {
             core.exportVariable('AZURE_HTTP_USER_AGENT', userAgentString);
             core.exportVariable('AZUREPS_HOST_ENVIRONMENT', azurePSHostEnv);
             azPath = yield io.which("az", true);
+            core.debug(`az cli version used: ${azPath}`);
             let azureSupportedCloudName = new Set([
                 "azureusgovernment",
                 "azurechinacloud",
@@ -53,26 +66,64 @@ function main() {
             };
             yield executeAzCliCommand("--version", true, execOptions);
             core.debug(`az cli version used:\n${output}`);
-            let creds = core.getInput('creds', { required: true });
-            let secrets = new actions_secret_parser_1.SecretParser(creds, actions_secret_parser_1.FormatType.JSON);
-            let servicePrincipalId = secrets.getSecret("$.clientId", false);
-            let servicePrincipalKey = secrets.getSecret("$.clientSecret", true);
-            let tenantId = secrets.getSecret("$.tenantId", false);
-            let subscriptionId = secrets.getSecret("$.subscriptionId", false);
-            let resourceManagerEndpointUrl = secrets.getSecret("$.resourceManagerEndpointUrl", false);
+            let creds = core.getInput('creds', { required: false });
+            let secrets = creds ? new actions_secret_parser_1.SecretParser(creds, actions_secret_parser_1.FormatType.JSON) : null;
             let environment = core.getInput("environment").toLowerCase();
             const enableAzPSSession = core.getInput('enable-AzPSSession').toLowerCase() === "true";
             const allowNoSubscriptionsLogin = core.getInput('allow-no-subscriptions').toLowerCase() === "true";
-            if (!servicePrincipalId || !servicePrincipalKey || !tenantId) {
-                throw new Error("Not all values are present in the creds object. Ensure clientId, clientSecret and tenantId are supplied.");
+            //Check for the credentials in individual parameters in the workflow.
+            var servicePrincipalId = core.getInput('client-id', { required: false });
+            ;
+            var servicePrincipalKey = null;
+            var tenantId = core.getInput('tenant-id', { required: false });
+            var subscriptionId = core.getInput('subscription-id', { required: false });
+            var resourceManagerEndpointUrl = "https://management.azure.com/";
+            var enableOIDC = true;
+            var federatedToken = null;
+            // If any of the individual credentials (clent_id, tenat_id, subscription_id) is present.
+            if (servicePrincipalId || tenantId || subscriptionId) {
+                //If few of the individual credentials (clent_id, tenat_id, subscription_id) are missing in action inputs.
+                if (!(servicePrincipalId && tenantId && (subscriptionId || allowNoSubscriptionsLogin)))
+                    throw new Error("Few credentials are missing. ClientId,tenantId are mandatory. SubscriptionId is also mandatory if allow-no-subscriptions is not set.");
+            }
+            else {
+                if (creds) {
+                    core.debug('using creds JSON...');
+                    enableOIDC = false;
+                    servicePrincipalId = secrets.getSecret("$.clientId", true);
+                    servicePrincipalKey = secrets.getSecret("$.clientSecret", true);
+                    tenantId = secrets.getSecret("$.tenantId", true);
+                    subscriptionId = secrets.getSecret("$.subscriptionId", true);
+                    resourceManagerEndpointUrl = secrets.getSecret("$.resourceManagerEndpointUrl", false);
+                }
+                else {
+                    throw new Error("Credentials are not passed for Login action.");
+                }
+            }
+            //generic checks 
+            //servicePrincipalKey is only required in non-oidc scenario.
+            if (!servicePrincipalId || !tenantId || !(servicePrincipalKey || enableOIDC)) {
+                throw new Error("Not all values are present in the credentials. Ensure clientId, clientSecret and tenantId are supplied.");
             }
             if (!subscriptionId && !allowNoSubscriptionsLogin) {
-                throw new Error("Not all values are present in the creds object. Ensure subscriptionId is supplied.");
+                throw new Error("Not all values are present in the credentials. Ensure subscriptionId is supplied.");
             }
             if (!azureSupportedCloudName.has(environment)) {
                 throw new Error("Unsupported value for environment is passed.The list of supported values for environment are ‘azureusgovernment', ‘azurechinacloud’, ‘azuregermancloud’, ‘azurecloud’ or ’azurestack’");
             }
-            // TODO: refactor this into an Azure stack specific utility.
+            // OIDC specific checks
+            if (enableOIDC) {
+                console.log('Using OIDC authentication...');
+                //generating ID-token
+                federatedToken = yield core.getIDToken('api://AzureADTokenExchange');
+                if (!!federatedToken) {
+                    if (environment != "azurecloud")
+                        throw new Error(`Your current environment - "${environment}" is not supported for OIDC login.`);
+                }
+                else {
+                    throw new Error("Could not get ID token for authentication.");
+                }
+            }
             // Attempting Az cli login
             if (environment == "azurestack") {
                 if (!resourceManagerEndpointUrl) {
@@ -105,25 +156,22 @@ function main() {
             yield executeAzCliCommand(`cloud set -n "${environment}"`, false);
             console.log(`Done setting cloud: "${environment}"`);
             // Attempting Az cli login
+            var commonArgs = ["--service-principal",
+                "-u", servicePrincipalId,
+                "--tenant", tenantId
+            ];
             if (allowNoSubscriptionsLogin) {
-                let args = [
-                    "--allow-no-subscriptions",
-                    "--service-principal",
-                    "-u", servicePrincipalId,
-                    "-p", servicePrincipalKey,
-                    "--tenant", tenantId
-                ];
-                yield executeAzCliCommand(`login`, true, {}, args);
+                commonArgs = commonArgs.concat("--allow-no-subscriptions");
+            }
+            if (enableOIDC) {
+                commonArgs = commonArgs.concat("--federated-token", federatedToken);
             }
             else {
-                let args = [
-                    "--service-principal",
-                    "-u", servicePrincipalId,
-                    "-p", servicePrincipalKey,
-                    "--tenant", tenantId
-                ];
-                yield executeAzCliCommand(`login`, true, {}, args);
-                args = [
+                commonArgs = commonArgs.concat("-p", servicePrincipalKey);
+            }
+            yield executeAzCliCommand(`login`, true, {}, commonArgs);
+            if (!allowNoSubscriptionsLogin) {
+                var args = [
                     "--subscription",
                     subscriptionId
                 ];
@@ -133,7 +181,8 @@ function main() {
             if (enableAzPSSession) {
                 // Attempting Az PS login
                 console.log(`Running Azure PS Login`);
-                const spnlogin = new ServicePrincipalLogin_1.ServicePrincipalLogin(servicePrincipalId, servicePrincipalKey, tenantId, subscriptionId, allowNoSubscriptionsLogin, environment, resourceManagerEndpointUrl);
+                var spnlogin;
+                spnlogin = new ServicePrincipalLogin_1.ServicePrincipalLogin(servicePrincipalId, servicePrincipalKey, federatedToken, tenantId, subscriptionId, allowNoSubscriptionsLogin, environment, resourceManagerEndpointUrl);
                 yield spnlogin.initialize();
                 yield spnlogin.login();
             }