Adding az installation requirement to login error response (release PR) (#199)

* Update main.ts

* Update main.js

README.md

@@ -22,8 +22,9 @@ With the [Azure Login](https://github.com/Azure/login/blob/master/action.yml) Ac
    3. Within the Job deploying to Azure, add Azure/login action and pass the `client-id`, `tenant-id` and `subscription-id` of the Azure service principal associated with an OIDC Federated Identity Credential credeted in step (i)
 
 Note: 
+   - Ensure the CLI version is 2.30 or above to use OIDC support.
    - OIDC support in Azure is in Public Preview and is supported only for public clouds. Support for other clouds like Government clouds, Azure Stacks would be added soon. 
-   - GitHub runners will soon be updated with the Az CLI and PowerShell versions that support with OIDC. Hence the below sample workflows include scripts to download the same during workflow execution. 
+   - GitHub runners will soon be updating the with the Az CLI and PowerShell versions that support with OIDC. Hence the below sample workflows include explicit instructions to download the same during workflow execution. 
    - By default, Azure access tokens issued during OIDC based login could have limited validity. This expiration time is configurable in Azure.
 
 
@@ -88,32 +89,17 @@ on: [push]
 
 permissions:
       id-token: write
-      
+      contents: read
 jobs: 
   build-and-deploy:
     runs-on: ubuntu-latest
     steps:
-        
-      # ubuntu Az CLI installation 
-      - name: Install CLI-beta
-        run: |
-           cd ../..
-           CWD="$(pwd)"
-           python3 -m venv oidc-venv
-           . oidc-venv/bin/activate
-           echo "activated environment" 
-           python3 -m pip install --upgrade pip
-           echo "started installing cli beta" 
-           pip install -q --extra-index-url https://azcliprod.blob.core.windows.net/beta/simple/ azure-cli
-           echo "installed cli beta"    
-           echo "$CWD/oidc-venv/bin" >> $GITHUB_PATH   
-  
       - name: 'Az CLI login'
-        uses: azure/login@v1.4.0
+        uses: azure/login@v1
         with:
-          client-id: ${{ secrets.AZURE_CLIENTID }}
-          tenant-id: ${{ secrets.AZURE_TENANTID }}
-          subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
   
       - name: 'Run az commands'
         run: |
@@ -121,7 +107,7 @@ jobs:
           az group list
           pwd 
 ```
-This action supports login az powershell as well for both windows and linux runners by setting an input parameter `enable-AzPSSession: true`. Below is the sample workflow for the same using the windows runner. Please note that powershell login is not supported in Macos runners.
+Users can also specify `audience` field for access-token in the input parameters of the action. If not specified, it is defaulted to `api://AzureADTokenExchange`. This action supports login az powershell as well for both windows and linux runners by setting an input parameter `enable-AzPSSession: true`. Below is the sample workflow for the same using the windows runner. Please note that powershell login is not supported in Macos runners.
 
 ## Sample workflow that uses Azure login action using OIDC to run az PowerShell (Windows)
 
@@ -133,38 +119,18 @@ on: [push]
 
 permissions:
       id-token: write
+      contents: read
       
 jobs: 
   Windows-latest:
       runs-on: windows-latest
       steps:
-
-        # windows Az CLI installation 
-        - name: Install CLI-beta
-          run: |
-              cd ../..
-              $CWD = Convert-Path .
-              echo $CWD
-              python --version
-              python -m venv oidc-venv
-              . .\oidc-venv\Scripts\Activate.ps1
-              python -m pip install -q --upgrade pip
-              echo "started installing cli beta" 
-              pip install -q --extra-index-url https://azcliprod.blob.core.windows.net/beta/simple/ azure-cli
-              echo "installed cli beta" 
-              echo "$CWD\oidc-venv\Scripts" >> $env:GITHUB_PATH
-
-        - name: Installing Az.accounts for powershell
-          shell: pwsh
-          run: |
-               Install-Module -Name Az.Accounts -Force -AllowClobber -Repository PSGallery
-  
         - name: OIDC Login to Azure Public Cloud with AzPowershell (enableAzPSSession true)
-          uses: azure/login@v1.4.0
+          uses: azure/login@v1
           with:
-            client-id: ${{ secrets.AZURE_CLIENTID }}
-            tenant-id: ${{ secrets.AZURE_TENANTID }}
-            subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID }} 
+            client-id: ${{ secrets.AZURE_CLIENT_ID }}
+            tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+            subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} 
             enable-AzPSSession: true
 
         - name: 'Get RG with powershell action'
@@ -260,30 +226,41 @@ Follow the steps to configure Azure Service Principal with a secret:
 You can add federated credentials in the Azure portal or with the Microsoft Graph REST API.
 
 #### Azure portal
-1. Go to **Certificates and secrets**.  In the **Federated credentials** tab, select **Add credential**.  
-1. The **Add a credential** blade opens.
-1. In the **Federated credential scenario** box select **GitHub actions deploying Azure resources**.
-1. Specify the **Organization** and **Repository** for your GitHub Actions workflow which needs to access the Azure resources scoped by this App (Service Principal) 
-1. For **Entity type**, select **Environment**, **Branch**, **Pull request**, or **Tag** and specify the value, based on how you have configured the trigger for your GitHub workflow. For a more detailed overview, see [GitHub OIDC guidance](). 
-1. Add a **Name** for the federated credential.
-1. Click **Add** to configure the federated credential.
+1. [Register an application](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) in Azure Portal
+2. Within the registered application, Go to **Certificates & secrets**.  
+3. In the **Federated credentials** tab, select **Add credential**.  
+4. The **Add a credential** blade opens.
+5. In the **Federated credential scenario** box select **GitHub actions deploying Azure resources**.
+6. Specify the **Organization** and **Repository** for your GitHub Actions workflow which needs to access the Azure resources scoped by this App (Service Principal) 
+7. For **Entity type**, select **Environment**, **Branch**, **Pull request**, or **Tag** and specify the value, based on how you have configured the trigger for your GitHub workflow. For a more detailed overview, see [GitHub OIDC guidance]( https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#defining-[…]dc-claims). 
+8. Add a **Name** for the federated credential.
+9. Click **Add** to configure the federated credential.
 
-For a more detailed overview, see more guidance around [Azure Federated Credentials](). 
+For a more detailed overview, see more guidance around [Azure Federated Credentials](https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation-create-trust-github). 
 
 #### Microsoft Graph
 
 1. Launch [Azure Cloud Shell](https://portal.azure.com/#cloudshell/) and sign in to your tenant.
 1. Create a federated identity credential
 
-    Run the following command to [create a new federated identity credential](/graph/api/application-post-federatedidentitycredentials?view=graph-rest-beta&preserve-view=true) on your app (specified by the object ID of the app). Substitute the values `APPLICATION-ID`, `CREDENTIAL-NAME`, `SUBJECT`. The options for subject refer to your request filter. These are the conditions that OpenID Connect uses to determine when to issue an authentication token.  
+    Run the following command to [create a new federated identity credential](https://docs.microsoft.com/en-us/graph/api/application-post-federatedidentitycredentials?view=graph-rest-beta&preserve-view=true) on your app (specified by the object ID of the app). Substitute the values `APPLICATION-OBJECT-ID`, `CREDENTIAL-NAME`, `SUBJECT`. The options for subject refer to your request filter. These are the conditions that OpenID Connect uses to determine when to issue an authentication token.  
     * specific environment
-    * pull_request events
-    * specific branch
-    * specific tag
-
         ```azurecli
-        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com/","subject":"repo:octo-org/octo-repo:environment:Production","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
+        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:octo-org/octo-repo:environment:Production","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
         ```
+    * pull_request events
+       ```azurecli
+        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:octo-org/octo-repo:pull_request","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
+        ```
+    * specific branch
+       ```azurecli
+        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:octo-org/octo-repo:ref:refs/heads/{Branch}","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
+        ```
+    * specific tag
+       ```azurecli
+        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:octo-org/octo-repo:ref:refs/heads/{Tag}","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
+        ```
+
 ## Support for using `allow-no-subscriptions` flag with az login
 
 Capability has been added to support access to tenants without subscriptions for both OIDC and non-OIDC. This can be useful to run tenant level commands, such as `az ad`. The action accepts an optional parameter `allow-no-subscriptions` which is `false` by default.

action.yml

@@ -26,6 +26,10 @@ inputs:
     description: 'Set this value to true to enable support for accessing tenants without subscriptions'
     required: false
     default: false
+  audience:
+    description: 'Provide audience field for access-token. Default value is api://AzureADTokenExchange' 
+    required: false
+    default: 'api://AzureADTokenExchange'
 branding:
   icon: 'login.svg'
   color: 'blue'

lib/PowerShell/ServicePrincipalLogin.js

@@ -59,10 +59,18 @@ class ServicePrincipalLogin {
     login() {
         return __awaiter(this, void 0, void 0, function* () {
             let output = "";
+            let commandStdErr = false;
             const options = {
                 listeners: {
                     stdout: (data) => {
                         output += data.toString();
+                    },
+                    stderr: (data) => {
+                        let error = data.toString();
+                        if (error && error.trim().length !== 0) {
+                            commandStdErr = true;
+                            core.error(error);
+                        }
                     }
                 }
             };

lib/PowerShell/Utilities/PowerShellToolRunner.js

@@ -40,6 +40,7 @@ class PowerShellToolRunner {
     }
     static executePowerShellScriptBlock(scriptBlock, options = {}) {
         return __awaiter(this, void 0, void 0, function* () {
+            //Options for error handling
             yield exec.exec(`"${PowerShellToolRunner.psPath}" -Command`, [scriptBlock], options);
         });
     }

lib/main.js

@@ -39,6 +39,27 @@ var azPSHostEnv = !!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREP
 function main() {
     return __awaiter(this, void 0, void 0, function* () {
         try {
+            //Options for error handling
+            let commandStdErr = false;
+            const loginOptions = {
+                silent: true,
+                ignoreReturnCode: true,
+                failOnStdErr: true,
+                listeners: {
+                    stderr: (data) => {
+                        let error = data.toString();
+                        //removing the keyword 'ERROR' to avoid duplicates while throwing error
+                        if (error.toLowerCase().startsWith('error')) {
+                            error = error.slice(5);
+                        }
+                        // printing error
+                        if (error && error.trim().length !== 0) {
+                            commandStdErr = true;
+                            core.error(error);
+                        }
+                    }
+                }
+            };
             // Set user agent variable
             var isAzCLISuccess = false;
             let usrAgentRepo = `${process.env.GITHUB_REPOSITORY}`;
@@ -73,7 +94,6 @@ function main() {
             const allowNoSubscriptionsLogin = core.getInput('allow-no-subscriptions').toLowerCase() === "true";
             //Check for the credentials in individual parameters in the workflow.
             var servicePrincipalId = core.getInput('client-id', { required: false });
-            ;
             var servicePrincipalKey = null;
             var tenantId = core.getInput('tenant-id', { required: false });
             var subscriptionId = core.getInput('subscription-id', { required: false });
@@ -84,7 +104,7 @@ function main() {
             if (servicePrincipalId || tenantId || subscriptionId) {
                 //If few of the individual credentials (clent_id, tenat_id, subscription_id) are missing in action inputs.
                 if (!(servicePrincipalId && tenantId && (subscriptionId || allowNoSubscriptionsLogin)))
-                    throw new Error("Few credentials are missing. ClientId,tenantId are mandatory. SubscriptionId is also mandatory if allow-no-subscriptions is not set.");
+                    throw new Error("Few credentials are missing. ClientId, tenantId are mandatory. SubscriptionId is also mandatory if allow-no-subscriptions is not set.");
             }
             else {
                 if (creds) {
@@ -115,10 +135,13 @@ function main() {
             if (enableOIDC) {
                 console.log('Using OIDC authentication...');
                 //generating ID-token
-                federatedToken = yield core.getIDToken('api://AzureADTokenExchange');
+                let audience = core.getInput('audience', { required: false });
+                federatedToken = yield core.getIDToken(audience);
                 if (!!federatedToken) {
                     if (environment != "azurecloud")
                         throw new Error(`Your current environment - "${environment}" is not supported for OIDC login.`);
+                    let [issuer, subjectClaim] = yield jwtParser(federatedToken);
+                    console.log("Federated token details: \n issuer - " + issuer + " \n subject claim - " + subjectClaim);
                 }
                 else {
                     throw new Error("Could not get ID token for authentication.");
@@ -169,13 +192,13 @@ function main() {
             else {
                 commonArgs = commonArgs.concat("-p", servicePrincipalKey);
             }
-            yield executeAzCliCommand(`login`, true, {}, commonArgs);
+            yield executeAzCliCommand(`login`, true, loginOptions, commonArgs);
             if (!allowNoSubscriptionsLogin) {
                 var args = [
                     "--subscription",
                     subscriptionId
                 ];
-                yield executeAzCliCommand(`account set`, true, {}, args);
+                yield executeAzCliCommand(`account set`, true, loginOptions, args);
             }
             isAzCLISuccess = true;
             if (enableAzPSSession) {
@@ -190,12 +213,11 @@ function main() {
         }
         catch (error) {
             if (!isAzCLISuccess) {
-                core.error("Az CLI Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows");
+                core.setFailed("Az CLI Login failed. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows");
             }
             else {
-                core.error(`Azure PowerShell Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`);
+                core.setFailed(`Azure PowerShell Login failed. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`);
             }
-            core.setFailed(error);
         }
         finally {
             // Reset AZURE_HTTP_USER_AGENT
@@ -207,12 +229,15 @@ function main() {
 function executeAzCliCommand(command, silent, execOptions = {}, args = []) {
     return __awaiter(this, void 0, void 0, function* () {
         execOptions.silent = !!silent;
-        try {
-            yield exec.exec(`"${azPath}" ${command}`, args, execOptions);
-        }
-        catch (error) {
-            throw new Error(error);
-        }
+        yield exec.exec(`"${azPath}" ${command}`, args, execOptions);
+    });
+}
+function jwtParser(federatedToken) {
+    return __awaiter(this, void 0, void 0, function* () {
+        let tokenPayload = federatedToken.split('.')[1];
+        let bufferObj = Buffer.from(tokenPayload, "base64");
+        let decodedPayload = JSON.parse(bufferObj.toString("utf8"));
+        return [decodedPayload['iss'], decodedPayload['sub']];
     });
 }
 main();

src/PowerShell/ServicePrincipalLogin.ts

@@ -45,10 +45,19 @@ export class ServicePrincipalLogin implements IAzurePowerShellSession {
 
     async login() {
         let output: string = "";
+        let commandStdErr = false;
         const options: any = {
             listeners: {
                 stdout: (data: Buffer) => {
                     output += data.toString();
+                },
+                stderr: (data: Buffer) => {
+                    let error = data.toString();
+                    if (error && error.trim().length !== 0)
+                    {
+                        commandStdErr = true;
+                        core.error(error);
+                    }
                 }
             }
         };

src/PowerShell/Utilities/PowerShellToolRunner.ts

@@ -3,7 +3,6 @@ import * as exec from '@actions/exec';
 
 export default class PowerShellToolRunner {
     static psPath: string;
-
     static async init() {
         if(!PowerShellToolRunner.psPath) {
             PowerShellToolRunner.psPath = await io.which("pwsh", true);
@@ -11,6 +10,7 @@ export default class PowerShellToolRunner {
     }
 
     static async executePowerShellScriptBlock(scriptBlock: string, options: any = {}) {
+        //Options for error handling
         await exec.exec(`"${PowerShellToolRunner.psPath}" -Command`, [scriptBlock], options)
     }
 }

src/main.ts

@@ -1,5 +1,6 @@
 import * as core from '@actions/core';
 import * as exec from '@actions/exec';
+import { ExecOptions } from '@actions/exec/lib/interfaces';
 import * as io from '@actions/io';
 import { FormatType, SecretParser } from 'actions-secret-parser';
 import { ServicePrincipalLogin } from './PowerShell/ServicePrincipalLogin';
@@ -10,6 +11,27 @@ var azPSHostEnv = !!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREP
 
 async function main() {
     try {
+        //Options for error handling
+        let commandStdErr = false;
+        const loginOptions: ExecOptions = {
+            silent: true,
+            ignoreReturnCode: true,
+            failOnStdErr: true,
+            listeners: {
+                stderr: (data: Buffer) => {
+                    let error = data.toString();
+                    //removing the keyword 'ERROR' to avoid duplicates while throwing error
+                    if (error.toLowerCase().startsWith('error')) {
+                        error = error.slice(5);
+                    }
+                    // printing error
+                    if (error && error.trim().length !== 0) {
+                        commandStdErr = true;
+                        core.error(error);
+                    }
+                }
+            }
+        }
         // Set user agent variable
         var isAzCLISuccess = false;
         let usrAgentRepo = `${process.env.GITHUB_REPOSITORY}`;
@@ -46,7 +68,7 @@ async function main() {
         const allowNoSubscriptionsLogin = core.getInput('allow-no-subscriptions').toLowerCase() === "true";
 
         //Check for the credentials in individual parameters in the workflow.
-        var servicePrincipalId = core.getInput('client-id', { required: false });;
+        var servicePrincipalId = core.getInput('client-id', { required: false });
         var servicePrincipalKey = null;
         var tenantId = core.getInput('tenant-id', { required: false });
         var subscriptionId = core.getInput('subscription-id', { required: false });
@@ -59,7 +81,7 @@ async function main() {
 
             //If few of the individual credentials (clent_id, tenat_id, subscription_id) are missing in action inputs.
             if (!(servicePrincipalId && tenantId && (subscriptionId || allowNoSubscriptionsLogin)))
-                throw new Error("Few credentials are missing. ClientId,tenantId are mandatory. SubscriptionId is also mandatory if allow-no-subscriptions is not set.");
+                throw new Error("Few credentials are missing. ClientId, tenantId are mandatory. SubscriptionId is also mandatory if allow-no-subscriptions is not set.");
         }
         else {
             if (creds) {
@@ -91,10 +113,13 @@ async function main() {
         if (enableOIDC) {
             console.log('Using OIDC authentication...')
             //generating ID-token
-            federatedToken = await core.getIDToken('api://AzureADTokenExchange');
+            let audience = core.getInput('audience', { required: false });
+            federatedToken = await core.getIDToken(audience);
             if (!!federatedToken) {
                 if (environment != "azurecloud")
                     throw new Error(`Your current environment - "${environment}" is not supported for OIDC login.`);
+                let [issuer, subjectClaim] = await jwtParser(federatedToken);
+                console.log("Federated token details: \n issuer - " + issuer + " \n subject claim - " + subjectClaim);
             }
             else {
                 throw new Error("Could not get ID token for authentication.");
@@ -151,14 +176,14 @@ async function main() {
         else {
             commonArgs = commonArgs.concat("-p", servicePrincipalKey);
         }
-        await executeAzCliCommand(`login`, true, {}, commonArgs);
+        await executeAzCliCommand(`login`, true, loginOptions, commonArgs);
 
         if (!allowNoSubscriptionsLogin) {
             var args = [
                 "--subscription",
                 subscriptionId
             ];
-            await executeAzCliCommand(`account set`, true, {}, args);
+            await executeAzCliCommand(`account set`, true, loginOptions, args);
         }
         isAzCLISuccess = true;
         if (enableAzPSSession) {
@@ -183,12 +208,11 @@ async function main() {
     }
     catch (error) {
         if (!isAzCLISuccess) {
-            core.error("Az CLI Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows");
+            core.setFailed("Az CLI Login failed. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows");
         }
         else {
-            core.error(`Azure PowerShell Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`);
+            core.setFailed(`Azure PowerShell Login failed. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`);
         }
-        core.setFailed(error);
     }
     finally {
         // Reset AZURE_HTTP_USER_AGENT
@@ -203,12 +227,12 @@ async function executeAzCliCommand(
     execOptions: any = {},
     args: any = []) {
     execOptions.silent = !!silent;
-    try {
-        await exec.exec(`"${azPath}" ${command}`, args, execOptions);
-    }
-    catch (error) {
-        throw new Error(error);
-    }
+    await exec.exec(`"${azPath}" ${command}`, args, execOptions);
+}
+async function jwtParser(federatedToken: string) {
+    let tokenPayload = federatedToken.split('.')[1];
+    let bufferObj = Buffer.from(tokenPayload, "base64");
+    let decodedPayload = JSON.parse(bufferObj.toString("utf8"));
+    return [decodedPayload['iss'], decodedPayload['sub']];
 }
-
 main();